This article walks through the VulnHub penetration-testing target machine Empire: LupinOne.

VulnHub target machine introduction:

VulnHub is a collection of deliberately vulnerable virtual machines covering many kinds of vulnerabilities. The images can be downloaded and run in a local VM, and working through them is like playing a game: penetration testing, privilege escalation, vulnerability exploitation and code auditing challenges.

This is a vulnerable target machine; as usual, the goal is to find the flag.

Difficulty: Medium

Vulnhub target machine download:

Official website download: https://download.vulnhub.com/empire/01-Empire-Lupin-One.zip

Vulnhub target machine installation:

After downloading, unzip the installation package and open it with VMware.

Detailed Explanation of Vulnhub Target Machine Vulnerabilities:

①: Information collection:

On Kali, use arp-scan -l or netdiscover to discover hosts.

PS: The IP is actually shown on the VM console when it boots; if it is not shown, you need to scan for it.

Attacking machine (Kali) IP: 172.16.5.140; target machine IP: 172.16.5.179

Use the command: nmap -sS -sV -T4 -n -p- 172.16.5.179


Use the command: nmap -p22,80 -sC -sV 172.16.5.179  # default script scan of the two open ports


Visit port 80. There is only a picture, so enumerate the web service as usual with dirb, dirsearch, whatweb and gobuster until the robots.txt file is found.

robots.txt contains nothing directly usable, so go deeper and fuzz for hidden user directories with wfuzz:

wfuzz -z file,/usr/share/wordlists/wfuzz/general/big.txt --hc 404,403 http://172.16.5.179/~FUZZ


This reveals an account name, icex64; its SSH private key is needed to log in, and that key is hidden somewhere!
Continuing the scan finds the file /~secret/.mysecret.txt, whose content is recognisable as a Base58-encoded string.


Online Base58 decoding: http://www.hiencode.com/base58w.html

②: Cracking the SSH private key passphrase and logging in:

At this point the account name is known but the key's passphrase is not, so use ssh2john (part of John the Ripper) to crack it. The fasttrack wordlist yields the passphrase: P@55w0rd!

Then set the key's permissions to 600 (chmod 600 key), otherwise SSH will refuse to use it; then try to log in, and the login succeeds!


③: Privilege escalation via pip:

sudo -l displays the commands the current user may run with sudo: here, heist.py as the user arsene.


Find webbrowser.py in the python3.9 library directory; the file is writable, so open it in vi, add os.system("/bin/bash") to it, save and exit.


sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py

Now that you have arsene's privileges, run sudo -l again to check which commands can be executed with sudo: it shows that pip can be used to escalate privileges (the first time I saw this I did not know how to use it, so I just looked it up).

Look it up directly on GTFOBins: https://gtfobins.github.io/gtfobins/pip/


TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo pip install $TF
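Both escalations on this box rest on the same misconfiguration: a sudo rule that runs a Python interpreter or pip as another user, combined with a module on that interpreter's search path that the low-privileged user can write to (webbrowser.py here). The following audit script is an added example written for this page, not code from the original writeup or from the VM; the sudo -l text and the file listing it checks are constructed to mirror the writeup, and scan_search_path is a helper for running the same check against a live directory tree.

```python
import os
import re
import stat

# Matches a per-command line of `sudo -l`, e.g. "(arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py"
RULE_RE = re.compile(r"\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S.*)")
# Python interpreters and pip both import code from a module search path.
INTERP_RE = re.compile(r"/(python[\d.]*|pip[\d.]*)$")

def parse_sudo_l(text):
    """Turn `sudo -l` output into a list of {runas, nopasswd, cmd} rules."""
    rules = []
    for m in filter(None, map(RULE_RE.search, text.splitlines())):
        rules.append({"runas": m.group("runas").strip(), "cmd": m.group("cmd").strip(),
                      "nopasswd": "NOPASSWD" in m.group("tags")})
    return rules

def interpreter_rules(rules):
    """Rules whose program is a Python interpreter or pip: the class to review."""
    return [r for r in rules if INTERP_RE.search(r["cmd"].split()[0])]

def writable_by(mode, owner_uid, owner_gid, uid, gids):
    """True if a file with this mode/owner is writable by uid (member of gids)."""
    if owner_uid == uid and mode & stat.S_IWUSR:
        return True
    if owner_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)

def hijackable_modules(entries, uid, gids):
    """entries: (path, mode, owner_uid, owner_gid) tuples; returns .py files uid could edit."""
    return sorted(p for p, m, u, g in entries if p.endswith(".py") and writable_by(m, u, g, uid, gids))

def scan_search_path(dirs):
    """Yield (path, mode, uid, gid) for every .py file below the given directories."""
    for d in dirs:
        for root, _, files in os.walk(d):
            for f in files:
                full = os.path.join(root, f)
                if f.endswith(".py") and os.path.isfile(full):
                    st = os.stat(full)
                    yield full, st.st_mode, st.st_uid, st.st_gid

# Constructed sample input modelled on the writeup's `sudo -l` output.
SAMPLE_SUDO_L = ("User icex64 may run the following commands on LupinOne:\n"
                 "    (arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py\n")
# Constructed listing: webbrowser.py is root-owned but world-writable (mode 646).
SAMPLE_ENTRIES = [("/usr/lib/python3.9/os.py", 0o100644, 0, 0),
                  ("/usr/lib/python3.9/webbrowser.py", 0o100646, 0, 0)]
```

On a live host, hijackable_modules(scan_search_path(sys.path), os.getuid(), os.getgroups()) lists what the current user could edit under the running interpreter's search path; the fix is to restore correct file modes and to avoid sudo rules that run interpreters or pip.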

At this point the flag has been obtained and this walkthrough is complete. Thanks for reading!

VulnHub target machine penetration summary:

The difficulty of this target machine is moderate.
1. Information gathering: arp-scan -l to obtain the IP address, then port scanning; web scanning tools such as nikto, dirb, dirbuster and whatweb; view the page source with F12.
2. Base58 encoding; the ssh2john tool is needed to crack the SSH key passphrase.
3. The SSH private key must be given permission 600 for login, otherwise an error is reported.
4. pip privilege escalation (used here for the first time).

That concludes both Empire articles! Writing these is not easy, and I hope they are helpful to everyone. If you liked it, please give it a like, favourite and follow. Your happiness is my greatest happiness!


Origin blog.csdn.net/Aluxian_/article/details/131350654