Vulnhub靶机Funbox：1 writeup

下载地址：https://www.vulnhub.com/entry/funbox-1,518/

信息搜集
获取IP地址

扫描端口

这里看到一共开放了四个端口21：ftp，22：ssh，88：http，3306：mysql
21端口
登录ftp的时候需要用户名密码，先放着

80端口
访问80端口发现会跳转到funbox.fritz.box

修改hosts为：

再次访问80端口

这里看到使用了wordpress管理系统

可以使用wpscan尝试枚举下用户和插件：
wpscan --url http://funbox.fritz.box/ --enumerate u

这里看到有两个用户admin和joe
接着尝试爆破密码
wpscan --url http://funbox.fritz.box/ -P /usr/share/wordlists/rockyou.txt --max-threads 100

成功爆出密码joe：12345 admin：iubire
接着登录WordPress后台,直接admin登录，看看能不能模板插入shell
注意修改插件前需要先停用该插件

反弹shell
code1
使用weevely生成一个php木马

将木马上传到插件里面

使用weevely连接
weevely http://192.168.1.152/wp-content/plugins/akismet/index.php x

code2
将php-reverse-shell.php里面的内容直接上传到插件里面

kali开启监听

访问：http://192.168.1.152/wp-content/plugins/akismet/index.php

成功拿到shell

code3
也可以直接写入一句话使用菜刀或者蚁剑连接
这里就不作演示了
提权
这里看到家目录一共有两个用户

之前在登录wordpress看到过joe的用户密码是12345，这里也有joe用户，尝试使用ssh连接

连接成功
查看joe用户文件的时候发现rbash，shell被限制了

绕过方法其实很多，直接bash -I 切换shell

查看用户文件没有任何发现，joe的用户家目录里面有一份邮件，奈何英语水平不高看不懂
看一下另一个用户的家目录里面有啥东西

经一番查看，这个.backup.sh脚本会持续性间隔时间执行。重点是告诉我们，每隔一段时间，backup.sh都会以管理员权限运行一次。这里也看到了.backup.sh权限也是777

更改.backup.sh里面的内容

kali开启监听，等待一会

监听成功

这一步有时会弹出funny的shell，后来发现，funny和root个用户都是用了定时任务，funny用户每两分钟执行一次 .backup.sh，root用户每五分钟执行一次。所以就会导致这一步有时弹出funny的shell，有时弹出root的shell。
看一下定时任务

funny的定时任务，每隔两分钟执行一下/home/funny/.backup.sh
root@funbox:/var/spool/cron/crontabs# cat funny 
cat funny
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.n8Fr20/crontab installed on Fri Jun 19 14:33:06 2020)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
*/2 * * * * /home/funny/.backup.sh

root的定时任务，每隔五分钟执行一下/home/funny/.backup.sh
root@funbox:/var/spool/cron/crontabs# cat root
cat root
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.gcHh7z/crontab installed on Fri Jun 19 13:57:00 2020)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
*/5 * * * * /home/funny/.backup.sh

成功拿到flag

本文所有用到的工具都可以关注微信公众号“网络安全学习爱好者”联系公众客服免费领取！