Does penetration testing spark joy? If it does, this machine is for you.
This machine is full of services, full of fun, but how many ways are there to align the stars? Perhaps, just like the child in all of us, we may find joy in a playground such as this.
This is somewhat OSCP-like for learning value, but is nowhere as easy to complete with an OSCP exam timeframe. But if you found this box because of preparation for the OSCP, you might as well try harder. 😃
If you MUST have hints for this machine (even though they will probably not help you very much until you root the box!): Joy is (#1): https://www.youtube.com/watch?v=9AvWs2X-bEA, (#2): something that should be replicated, (#3): what happens when you clean out seemingly “hidden” closets.
Note: There are at least two reliable ways of obtaining user privileges and rooting this machine. Have fun. 😃
Feel free to contact the author at https://donavan.sg/blog if you would like to drop a comment.
Download Link: https://www.vulnhub.com/entry/digitalworldlocal-joy,298/
Scanning
Enumeration
Exploit
Privilege Escalation
Scanning the local network segment reveals the target's IP address, 192.168.0.108:
Scan the target's ports:
FTP allows anonymous login, so log in to the site with FileZilla and inspect the files.
Browsing through, the file named directory lists every file under /home/patrick. After discarding the common and randomly generated files, only version_control looks worth a closer look. Copy that file into the FTP site directory with the following command:
The difference between the telnet and ftp commands:
After a telnet connection, the user's host effectively becomes a virtual (dumb) terminal of the remote TELNET server; everything runs entirely on the remote server, and the user can never download or upload files from the remote server or copy files to the local host.
ftp is different: it uses a client/server model in which the user can operate on the FTP server's directories and upload or download files, but the user cannot ask the server to execute a file.
The version_control file reads as follows:
Version Control of External-Facing Services:
It tells us that ProFTP needs upgrading, so we start there:
Go straight to Metasploit:
It returns a standard shell:
List the files in the current directory:
There is an L37ISF8.php file that the exploit just generated; next, look at the ossec directory:
There is a rather suspicious file, patricksecretsofjoy:
It contains the login password of the patrick user; the root password is presumably the author's joke. Log in as patrick directly and try to escalate privileges:
At this point there are two approaches to privilege escalation:
Use the script file /home/patrick/script/test to change the permissions of /etc/passwd, and then modify the patrick user's privileges;
Upload a script of your own to the same directory. The concrete steps are described in words here:
a) First, write the shell script on the local machine: echo "awk 'BEGIN {system(\"/bin/bash\")}'" > test;
b) Then upload it to the upload directory with ftp:
ftp 192.168.0.108
c) Then use telnet to move it into /home/patrick/script:
telnet 192.168.0.108 21
d) Finally, execute the test file: sudo /home/patrick/script/test
Comparatively, the first approach is simpler. Change the permissions:
Modify the uid and gid of the patrick user:
You could log in to the target directly and edit the file with nano, but how do you edit it from the reverse shell on your host? The reverse shell does not support interactive editors such as vim, vi, or nano, but don't forget that the sed command can also edit files: sed '36,36s/1000:1000/0:0/g' /etc/passwd. This command targets line 36 of /etc/passwd and replaces 1000:1000 with 0:0.
Log in again and you have root privileges:
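The passwd edit above leaves a clear artifact on the host: a non-root account whose uid/gid is 0. The following check, added here as a defensive example and not part of the original writeup, parses /etc/passwd-format data and flags such entries; the sample content is constructed to mirror the modified target.

```python
"""Flag /etc/passwd entries that give root-equivalent IDs to non-root accounts.

Added example for this writeup; the passwd content below is constructed.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the target after the edit: patrick now has 0:0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
ftp:x:106:65534::/srv/ftp:/usr/sbin/nologin
patrick:x:0:0:Patrick:/home/patrick:/bin/bash
broken line without enough fields
"""


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def audit_passwd(text: str) -> List[Finding]:
    """Return one Finding per suspicious entry in passwd-format text."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.startswith("#"):
            continue  # blank lines and comments carry no account
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append(Finding(line_no, raw, "malformed entry (expected 7 fields)"))
            continue
        name, _pw, uid, gid, _gecos, _home, _shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            findings.append(Finding(line_no, name, "non-numeric uid/gid"))
            continue
        if name != "root" and uid == "0":
            findings.append(Finding(line_no, name, "uid 0 on a non-root account"))
        elif name != "root" and gid == "0":
            findings.append(Finding(line_no, name, "gid 0 on a non-root account"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

On a live host, feed it the real file with audit_passwd(open("/etc/passwd").read()) and alert on any finding.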