Vulnhub funbox: rookie (funbox2) target penetration
2022-07-24 05:38:00 【Outstanding, outstanding】
One. About the target
Running under VMware, the target could not obtain an IP; bridged, NAT and host-only modes were all tried without success. There was no choice but to use VirtualBox, where NAT and bridged modes did not yield an IP either; only in host-only mode did the target machine obtain an IP.
Two. IP and port detection

Only ports 21, 22 and 80 were found open.
Three. Port 21 information collection

Looking at the 2 scripts above, this turns out to be CVE-2015-3306, an arbitrary file copy.

After trying, it cannot be used directly; try another port.
Four. Port 80 information collection

Scanning the directories finds robots.txt; however, it is of no use.


This seems to be a dead end. Can we go back to port 21 and try again?
Five. FTP anonymous login
It suddenly occurred to me that I may have forgotten to try anonymous login just now …
Username: anonymous, with an empty password.
Listing the directory, I found a bunch of compressed archives whose file names look very much like user names; download them locally and try to decompress them.
The archives turn out to contain id_rsa, but a password is needed to decompress them. Cracking with john gives the password for tom.zip: iubire
Note: if you ask why I don't use fcrackzip for the cracking, it is because the setup is currently in host-only mode and fcrackzip does not ship with Kali; it has to be installed by hand.
Decompressing tom.zip yields id_rsa, which is a private key.
Six. SSH key login
Log in with the key obtained above.
The shell turns out to be a restricted rbash; check the directory with ls -la.
Looking at the command history, data was written to the database that looks very much like a username and password (tom/xx11yy22!).
Try sudo, entering xx11yy22! as the password.
sudo turns out to be misconfigured: commands can be executed with all users' permissions. Try switching to root; no password is needed ~
Interesting, I didn't expect it to be that easy …
**Summary:** FTP anonymous login -> file download -> password cracking -> SSH login -> sudo misconfiguration
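The last link in this chain, a sudo grant that lets one recoverable account run everything, can be checked for on your own hosts. The following is an added example, not code from the original post: the function names are hypothetical, the sudoers text is constructed, and the form of tom's entry is an assumption based on the behaviour described above.

```python
import re
# One sudoers user spec: who hosts = (runas) TAG: commands
SPEC = re.compile(r'^(?P<who>\S+)\s+[^=]+?=\s*(?:\((?P<runas>[^)]*)\)\s*)?'
                  r'(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$')
NOT_SPECS = ('Defaults', 'User_Alias', 'Runas_Alias', 'Host_Alias',
             'Cmnd_Alias', '#include', '@include')

def logical_lines(text):
    """Join backslash continuations; drop directives, comments, blanks."""
    for raw in text.replace('\\\n', ' ').splitlines():
        line = raw.strip()
        if not line.startswith(NOT_SPECS):
            line = line.split('#', 1)[0].strip()
            if line:
                yield line

def unrestricted_grants(sudoers_text):
    """Non-root specs granting ALL commands, with run-as and NOPASSWD info."""
    grants = []
    for line in logical_lines(sudoers_text):
        m = SPEC.match(line)
        if not m or m['who'] == 'root' or \
                'ALL' not in [c.strip() for c in m['cmds'].split(',')]:
            continue
        # Keep only the user part of "(user:group)"; no runas means root.
        runas = {u.strip() for u in (m['runas'] or 'root').split(':')[0].split(',')}
        grants.append({'who': m['who'],
                       'as_root': bool(runas & {'ALL', 'root'}),
                       'nopasswd': 'NOPASSWD:' in m['tags']})
    return grants

def root_paths(sudoers_text, exposed_users, groups):
    """Exposed accounts that reach root through an unrestricted grant."""
    hits = set()
    for g in unrestricted_grants(sudoers_text):
        who = g['who']
        members = groups.get(who[1:], []) if who.startswith('%') else [who]
        if g['as_root']:
            hits.update(u for u in members if u in exposed_users)
    return sorted(hits)

# Constructed sample, not read from the target machine.
SAMPLE = """Defaults env_reset
root    ALL=(ALL:ALL) ALL
tom     ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
        /usr/bin/tar
"""
# "tom" counts as exposed: his key and password were both recoverable above.
print(root_paths(SAMPLE, {'tom'}, {'admin': ['alice']}))
```

Pass as `exposed_users` every account whose key or password sits somewhere readable (an anonymous FTP directory, a history file); any name returned is an account that should lose its blanket grant or have its credentials rotated.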