Contents
- Port scanning
- Directory scanning
- Exploiting the file upload vulnerability
- Viewing users
- Brute-forcing passwords
- sudo privilege escalation
- flag locations
FunboxEasyEnum writeup walkthrough
Funbox: EasyEnum ~ VulnHub
Enumeration
Brute-force the web server’s files and directories. Be sure to check for common file extensions.
Remote Code Execution
Leverage the file upload vulnerability to obtain RCE.
Privilege Escalation
Enumerate system users. One of them has an easy-to-guess password that you can use to SSH in. Then, check your sudo permissions.
Port scanning
nmap 192.168.221.132
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Visiting port 80 shows the default Apache page.
nmap -sV -sC -T4 -p- IP
nmap -p- -sC -sV IP
nmap -p- -sC -sV 192.168.221.132
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-12 08:08 CST
Stats: 0:07:47 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 21.54% done; ETC: 08:44 (0:28:17 remaining)
Nmap scan report for 192.168.221.132 (192.168.221.132)
Host is up (0.26s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9c52325b8bf638c77fa1b704854954f3 (RSA)
| 256 d6135606153624ad655e7aa18ce564f4 (ECDSA)
|_ 256 1ba9f35ad05183183a23ddc4a9be59f0 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
42569/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2086.94 seconds
nmap IP -sCV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Several of these nmap options appear in more than one of the commands above, so each is explained only once:
-sC: run the default NSE script set; the ssh-hostkey and http-title lines in the output above come from these scripts.
-sV: version detection; nmap probes each open port to identify the service and the version running on it.
-sCV: shorthand that combines -sC and -sV in a single option.
-p-: the port range to scan; a bare - means every port, 1 through 65535 (which is why the full scan took over 2000 seconds).
-T4: timing template; 4 is "Aggressive", a faster scan that is fine on a lab network.
Directory scanning
The first scan turns up nothing interesting:
gobuster dir -u http://192.168.221.132 -w /usr/share/dirb/wordlists/common.txt
[+] Url: http://192.168.221.132
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
/.hta (Status: 403) [Size: 280]
/.htaccess (Status: 403) [Size: 280]
/.htpasswd (Status: 403) [Size: 280]
/index.html (Status: 200) [Size: 10918]
/javascript (Status: 301) [Size: 323] [--> http://192.168.221.132/javascript/]
/phpmyadmin (Status: 301) [Size: 323] [--> http://192.168.221.132/phpmyadmin/]
/robots.txt (Status: 200) [Size: 21]
/server-status (Status: 403) [Size: 280]
The extension option -x php,txt,html is required, otherwise the interesting file is never requested:
gobuster dir -u http://192.168.221.132 -w /usr/share/dirb/wordlists/common.txt -x php,txt,html
// also try each wordlist entry with the .php, .txt and .html extensions
/.php (Status: 403) [Size: 280]
/.html (Status: 403) [Size: 280]
/.hta (Status: 403) [Size: 280]
/.hta.php (Status: 403) [Size: 280]
/.hta.txt (Status: 403) [Size: 280]
/.htaccess.php (Status: 403) [Size: 280]
/.htaccess (Status: 403) [Size: 280]
/.htaccess.txt (Status: 403) [Size: 280]
/.htpasswd.php (Status: 403) [Size: 280]
/.htpasswd (Status: 403) [Size: 280]
/.htaccess.html (Status: 403) [Size: 280]
/.htpasswd.html (Status: 403) [Size: 280]
/.htpasswd.txt (Status: 403) [Size: 280]
/.hta.html (Status: 403) [Size: 280]
/index.html (Status: 200) [Size: 10918]
/index.html (Status: 200) [Size: 10918]
/javascript (Status: 301) [Size: 323] [--> http://192.168.221.132/javascript/]
/mini.php (Status: 200) [Size: 3828]
/phpmyadmin (Status: 301) [Size: 323] [--> http://192.168.221.132/phpmyadmin/]
/robots.txt (Status: 200) [Size: 21]
/robots.txt (Status: 200) [Size: 21]
/server-status (Status: 403) [Size: 280]
gobuster dir -u http://10.0.2.26/ -w /opt/secLists/Discovery/web-Content/directory-list-2.3-medium.txt -t 100 -x php,txt
or
dirb http://ip
dirsearch -u http://192.168.221.132 -w /usr/share/wordlists/dirb/common.txt
python dirsearch.py -u 192.168.221.132 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --suffix=.php,.html,.aspx,.jsp,.js
curl 192.168.221.132/robots.txt # same result as opening the URL in a browser
Allow: Enum_this_Box
or use the DirBuster GUI (search for dirbuster in Kali's application menu).
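From the defender's side, the scan above leaves a very recognisable footprint in the Apache access log: a burst of 403/404 responses from one client (most wordlist guesses miss) and, unless the operator changes it, the tool's own User-Agent (gobuster/3.5 in the output above). The following Python detector is an added example, not part of the original writeup; the log lines are constructed, and the regex assumes Apache's "combined" LogFormat.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache "combined" LogFormat (assumed; adjust the pattern if your LogFormat differs).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SCANNER_UAS = ("gobuster", "dirb", "dirsearch", "dirbuster")

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def detect_bruteforce(lines, window_s=60, threshold=5):
    """Return {ip: [reasons]} for clients that look like wordlist scanners: >= threshold
    4xx responses inside a window_s-second sliding window, or a known tool User-Agent."""
    errors, findings = defaultdict(list), defaultdict(set)
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        if any(tool in e["ua"].lower() for tool in SCANNER_UAS):
            findings[e["ip"]].add("scanner user-agent: " + e["ua"])
        if 400 <= e["status"] < 500:
            errors[e["ip"]].append(e["ts"])
    for ip, stamps in errors.items():
        stamps.sort()  # log lines are usually chronological, but do not rely on it
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1  # slide the window forward past old errors
            if end - start + 1 >= threshold:
                findings[ip].add(f"{end - start + 1} 4xx responses within {window_s}s")
                break
    return {ip: sorted(r) for ip, r in findings.items()}

# Constructed sample lines: one normal visitor and one client scanning with extensions.
SAMPLE_LOG = [
    '192.168.221.1 - - [12/Aug/2023:08:10:01 +0800] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"',
    '192.168.221.128 - - [12/Aug/2023:08:12:00 +0800] "GET /.hta HTTP/1.1" 403 280 "-" "gobuster/3.5"',
    '192.168.221.128 - - [12/Aug/2023:08:12:00 +0800] "GET /.htaccess HTTP/1.1" 403 280 "-" "gobuster/3.5"',
    '192.168.221.128 - - [12/Aug/2023:08:12:01 +0800] "GET /admin.php HTTP/1.1" 404 275 "-" "gobuster/3.5"',
    '192.168.221.128 - - [12/Aug/2023:08:12:01 +0800] "GET /admin.txt HTTP/1.1" 404 275 "-" "gobuster/3.5"',
    '192.168.221.128 - - [12/Aug/2023:08:12:02 +0800] "GET /backup.php HTTP/1.1" 404 275 "-" "gobuster/3.5"',
    '192.168.221.128 - - [12/Aug/2023:08:12:02 +0800] "GET /mini.php HTTP/1.1" 200 3828 "-" "gobuster/3.5"',
]
```

Running detect_bruteforce(SAMPLE_LOG) flags only 192.168.221.128, on both the User-Agent and the 4xx burst; the normal visitor is not reported.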