Target VM download address

External information gathering

Target VM console

Network adapter information

| Network adapter | Note |
|---|---|
| Adapter mode | Bridged |
| MAC address | 08:00:27:CD:DD:58 |

Active information gathering

Host discovery
```text
sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:8f:79:1b, IPv4: 10.9.23.16
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
10.9.23.1 50:6f:77:89:ad:99 HUAWEI TECHNOLOGIES CO.,LTD
10.9.23.21 c0:3e:ba:81:a6:49 Dell Inc.
10.9.23.32 00:e0:4c:28:00:74 REALTEK SEMICONDUCTOR CORP.
10.9.23.33 54:05:db:47:13:1d LCFC(HeFei) Electronics Technology co., ltd
10.9.23.36 f8:e4:3b:e9:88:42 ASIX Electronics Corporation
10.9.23.37 3c:7c:3f:2d:d9:83 ASUSTek COMPUTER INC.
10.9.23.38 50:eb:f6:59:47:e3 ASUSTek COMPUTER INC.
10.9.23.44 3c:7c:3f:1b:02:ae ASUSTek COMPUTER INC.
10.9.23.45 68:da:73:aa:bc:2f (Unknown)
10.9.23.65 00:0c:29:17:c1:67 VMware, Inc.
10.9.23.67 54:05:db:50:f8:c5 LCFC(HeFei) Electronics Technology co., ltd
10.9.23.103 7c:d3:0a:92:2e:f4 INVENTEC CORPORATION
10.9.23.119 00:0c:29:e8:74:0f VMware, Inc.
10.9.23.123 00:0c:29:9c:bf:20 VMware, Inc.
10.9.23.125 68:da:73:a9:5c:57 (Unknown)
10.9.23.128 00:0c:29:47:ec:96 VMware, Inc.
10.9.23.129 c0:18:50:d1:40:9b Quanta Computer Inc.
10.9.23.136 00:e0:4c:28:00:64 REALTEK SEMICONDUCTOR CORP.
10.9.23.140 90:2e:16:67:63:d9 LCFC(HeFei) Electronics Technology co., ltd
10.9.23.167 04:7c:16:3c:f3:9d Micro-Star INTL CO., LTD.
10.9.23.186 74:5d:22:ce:27:2e (Unknown)
10.9.23.199 54:bf:64:54:bb:69 Dell Inc.
10.9.23.200 98:fa:9b:d9:f1:65 LCFC(HeFei) Electronics Technology co., ltd
10.9.23.201 b4:a9:fc:a3:91:79 Quanta Computer Inc.
10.9.23.203 80:fa:5b:47:85:a0 CLEVO CO.
10.9.23.205 bc:ec:a0:22:89:9d COMPAL INFORMATION (KUNSHAN) CO., LTD.
10.9.23.209 74:5d:22:cd:e0:8d (Unknown)
10.9.23.218 f8:75:a4:3d:69:53 LCFC(HeFei) Electronics Technology co., ltd
10.9.23.219 8c:8c:aa:4f:61:b8 LCFC(HeFei) Electronics Technology co., ltd
10.9.23.222 08:00:27:cd:dd:58 PCS Systemtechnik GmbH
10.9.23.223 00:e0:4c:60:05:ad REALTEK SEMICONDUCTOR CORP.
10.9.23.225 84:a9:38:c7:5f:51 LCFC(HeFei) Electronics Technology co., ltd
10.9.23.226 8c:ec:4b:30:8b:69 Dell Inc.
10.9.23.230 00:0c:29:59:f1:8f VMware, Inc.
10.9.23.232 7c:8a:e1:50:f4:81 COMPAL INFORMATION (KUNSHAN) CO., LTD.
10.9.23.233 7c:57:58:67:3c:15 HP Inc.
10.9.23.238 00:2b:67:39:76:66 LCFC(HeFei) Electronics Technology co., ltd
10.9.23.254 a0:b3:cc:25:7a:0c Hewlett Packard

54 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.028 seconds (126.23 hosts/sec). 38 responded
```
Matching the MAC address recorded in the VM settings (08:00:27:CD:DD:58, listed as PCS Systemtechnik GmbH, the VirtualBox NIC vendor) against the scan identifies the target IP as 10.9.23.222.
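With 38 responding hosts, picking the target out by hand is error-prone; the match can be scripted. The Python below is an added example and not part of the original post: it parses arp-scan host lines (the sample text is constructed from a few lines of the scan above), normalises MAC formatting so `08:00:27:CD:DD:58` and `08-00-27-cd-dd-58` compare equal, looks the target up by MAC, and also lists every host that shares an OUI (the first three bytes, for example VirtualBox's 08:00:27). All function names are my own.

```python
import re
from collections import Counter

# An arp-scan host line is "<IPv4> <MAC> <vendor>"; the fields may be tab- or space-separated.
# Header lines ("Interface: ...", "Starting arp-scan ...") and the footer never match this pattern.
HOST_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(.*)$"
)

# Constructed sample: a handful of lines in the format of the scan above, not the full output.
SAMPLE_OUTPUT = """Interface: eth0, type: EN10MB, MAC: 00:0c:29:8f:79:1b, IPv4: 10.9.23.16
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
10.9.23.1\t50:6f:77:89:ad:99\tHUAWEI TECHNOLOGIES CO.,LTD
10.9.23.65\t00:0c:29:17:c1:67\tVMware, Inc.
10.9.23.119\t00:0c:29:e8:74:0f\tVMware, Inc.
10.9.23.222\t08:00:27:cd:dd:58\tPCS Systemtechnik GmbH
10.9.23.254\ta0:b3:cc:25:7a:0c\tHewlett Packard

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.028 seconds (126.23 hosts/sec). 5 responded
"""


def normalize_mac(mac):
    """Lower-case, colon-separated form so differently written MACs compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_arp_scan(text):
    """Return one dict per responding host: ip, mac (normalised) and vendor string."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            hosts.append({"ip": m.group(1),
                          "mac": normalize_mac(m.group(2)),
                          "vendor": m.group(3).strip()})
    return hosts


def find_ip_by_mac(hosts, mac):
    """IP of the host with the given MAC, or None if it did not answer the scan."""
    wanted = normalize_mac(mac)
    return next((h["ip"] for h in hosts if h["mac"] == wanted), None)


def hosts_with_oui(hosts, oui):
    """All hosts whose MAC starts with the 3-byte OUI, e.g. "08:00:27" for VirtualBox NICs."""
    prefix = normalize_mac(oui)
    return [h for h in hosts if h["mac"].startswith(prefix)]


def vendor_counts(hosts):
    """How many hosts each vendor string accounts for; a quick picture of the segment."""
    return Counter(h["vendor"] for h in hosts)


if __name__ == "__main__":
    scan = parse_arp_scan(SAMPLE_OUTPUT)
    print("target:", find_ip_by_mac(scan, "08:00:27:CD:DD:58"))
    print("VirtualBox NICs:", [h["ip"] for h in hosts_with_oui(scan, "08:00:27")])
    print(vendor_counts(scan).most_common())
```

In practice you would feed it `subprocess.run(["sudo", "arp-scan", "-l"], capture_output=True, text=True).stdout` instead of the constructed sample; the parser ignores everything that is not a host line, so the header and footer of a real run need no special handling.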
Port scan

nmap parameter notes

| Option | Description |
|---|---|
| -A | Aggressive scan, gathers more information |
| -p- | Scan all ports |
| -sS | TCP SYN (half-open) scan (not required) |
| -sC | Equivalent to --script=default |
| -T4 | Timing template 4 |
```text
sudo nmap -A -p- -sS -sC -T4 10.9.23.222
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-04 16:38 CST
Nmap scan report for bogon (10.9.23.222)
Host is up (0.00063s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 59d4c0fd6245978315c015b2ac256099 (RSA)
|   256 7e37f011638015a3d39d43c609befbda (ECDSA)
|_  256 52e94f71bc14dc0034f2a7b358b50dce (ED25519)
80/tcp open  http    Apache httpd 2.4.29
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2020-10-29 21:07  site/
|_
|_http-title: Index of /
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:CD:DD:58 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6, Linux 5.0 - 5.4
Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   0.63 ms  bogon (10.9.23.222)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.69 seconds
```
Port details

| PORT | STATE | SERVICE | VERSION |
|---|---|---|---|
| 22 | open | ssh | OpenSSH 7.6p1 |
| 80 | open | http | Apache httpd 2.4.29 |

Website information

Website home page

Clicking site/ opens a new page.

Penetration process

Viewing the page source revealed nothing useful.

Sensitive directory scan

Try a sensitive directory scan.

dirb found three directories.

Visiting http://10.9.23.222/site/css/

reveals some CSS files.

The webflow.css file contains a base64-encoded string.
It does not seem to be of any use.

Maybe the approach is wrong; try gobuster instead.

gobuster found a war.txt; let's take a look.

It looks like it might be a directory, so try visiting it.

Could not work out what it is; try downloading it instead.

Got stuck here and checked a walkthrough.

It says this may be a file, so download it and take a look.

`file` shows the downloaded file is a zip archive.

After renaming the extension and trying to extract it, a password turns out to be required.
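The two facts the author established by hand (`file` says it is a zip, and extraction asks for a password) can both be read straight from the archive's headers. The Python below is an added example, not from the post: it checks the `PK\x03\x04` magic, lists the entries, reads the "encrypted" bit (bit 0 of the general-purpose flags) from the central directory, and confirms by attempting extraction. The sample archive is constructed in memory; the password-protected variant is produced by setting that flag bit by hand, which is enough to make zip readers demand a password. Function names are my own.

```python
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local file header signature, what `file` keys on
CENTRAL_DIR_MAGIC = b"PK\x01\x02"  # central directory file header signature
FLAG_ENCRYPTED = 0x0001            # bit 0 of the general-purpose bit flag


def build_sample_zip(encrypted):
    """Constructed sample archive (not the CTF file). With encrypted=True the
    'encrypted' flag bit is set in both the local and central headers, so
    readers treat the entry as password protected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", "constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        # local file header sits at offset 0; its flags field is at offset 6
        flags = struct.unpack_from("<H", data, 6)[0] | FLAG_ENCRYPTED
        struct.pack_into("<H", data, 6, flags)
        # central directory header: flags field is 8 bytes past its signature
        cd = data.find(CENTRAL_DIR_MAGIC)
        flags = struct.unpack_from("<H", data, cd + 8)[0] | FLAG_ENCRYPTED
        struct.pack_into("<H", data, cd + 8, flags)
    return bytes(data)


def inspect_archive(data):
    """Is it a zip, what does it contain, and is any entry marked encrypted?"""
    if not data.startswith(ZIP_MAGIC):
        return {"is_zip": False, "entries": [], "encrypted": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        return {
            "is_zip": True,
            "entries": [i.filename for i in infos],
            "encrypted": any(i.flag_bits & FLAG_ENCRYPTED for i in infos),
        }


def needs_password(data):
    """Confirm by trying to extract: zipfile raises RuntimeError for an
    encrypted entry when no password is supplied."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                zf.read(info.filename)
            except RuntimeError:
                return True
    return False


if __name__ == "__main__":
    for label, blob in (("plain", build_sample_zip(False)),
                        ("protected", build_sample_zip(True)),
                        ("not a zip", b"\x89PNG\r\n\x1a\n")):
        report = inspect_archive(blob)
        if report["is_zip"]:
            report["needs_password"] = needs_password(blob)
        print(label, report)
```

On a real download you would call `inspect_archive(open(path, "rb").read())` regardless of the file's extension, which is exactly why the author's rename step was needed: tools such as unzip key on the name, while the header does not change.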
Cracking the archive password

Here I learned about a new tool, fcrackzip. fcrackzip is a zip password cracking tool bundled with Kali; if it is missing, install it with the following command:

```sh
sudo apt install fcrackzip
```

Unfortunately this tool did not crack the password, possibly because I do not know how to use it well.

Try cracking it with john instead.

First extract the password hash from the archive

using the command

```sh
zip2john warisover.zip > passwd.txt
```

Cracking that yields a password: ragnarok123

Opening the archive with the password reveals an image.

Save a copy of the image and check whether it has hidden content using binwalk.

Image steganography

There really is something; extract it.

It contains what looks like a username and password:

```text
//FamousBoatbuilder_floki@vikings
//f@m0usboatbuilde7
```

Earlier reconnaissance showed port 22 open as well, so try an SSH login.

SSH remote login

Username: floki

Password: f@m0usboatbuilde7

Once in, the usual three questions: who am I, where am I, what am I doing.

Listing the current directory reveals a readme.txt:
```text
_______________________________________________________________________Floki-Creation____________________________________________________________________________________________________
I am the famous boat builder Floki. We raided Paris this with our all might yet we failed. We don't know where Ragnar is after the war. He is in so grief right now. I want to apologise to him.
Because it was I who was leading all the Vikings. I need to find him. He can be anywhere.
I need to create this `boat` to find Ragnar
```
The current directory also contains a file called boat:

```text
#Printable chars are your ally.
#num = 29th prime-number.
collatz-conjecture(num)
```
Privilege escalation

Not sure what that is for yet; first check whether sudo privilege escalation is possible.

It is not, so try SUID privilege escalation next.

```sh
find / -perm -u=s -type f 2>/dev/null
```

I looked up some common SUID privilege escalation commands:

https://www.cnblogs.com/hgschool/p/17030085.html

https://www.cnblogs.com/zlgxzswjy/p/10083959.html
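The `find` command above lists every SUID binary; the useful part, whether you are escalating or auditing a host, is deciding which entries do not belong. The Python below is an added example, not from the post: it reproduces `find ROOT -perm -u=s -type f` with `os.walk` and `lstat` (symlinks are not followed, unreadable directories are skipped), diffs the result against a recorded baseline, and exercises itself on a constructed directory tree inside a temporary directory. The tree layout and all function names are my own.

```python
import os
import stat
import tempfile


def find_suid_files(root):
    """Regular files under `root` with the set-user-ID bit: the Python
    equivalent of `find ROOT -perm -u=s -type f 2>/dev/null`."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # vanished or unreadable, like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_suid(found, baseline):
    """SUID files that are not in the recorded baseline: the ones to review."""
    return sorted(set(found) - set(baseline))


def build_demo_tree(base):
    """Constructed layout: an expected SUID file, a plain file, and an SUID
    file in an unusual location that a baseline would not contain."""
    os.makedirs(os.path.join(base, "bin"), exist_ok=True)
    os.makedirs(os.path.join(base, "opt", "tool"), exist_ok=True)
    paths = {
        "expected": os.path.join(base, "bin", "passwd_demo"),
        "plain": os.path.join(base, "bin", "ls_demo"),
        "rogue": os.path.join(base, "opt", "tool", "helper"),
    }
    for path in paths.values():
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(paths["expected"], 0o4755)   # rwsr-xr-x
    os.chmod(paths["plain"], 0o755)       # rwxr-xr-x, no SUID
    os.chmod(paths["rogue"], 0o4755)      # rwsr-xr-x, not in baseline
    return paths


def run_demo():
    """Build the constructed tree in a temp directory and report, as paths
    relative to it, what the audit finds and what is not in the baseline."""
    with tempfile.TemporaryDirectory() as base:
        paths = build_demo_tree(base)
        found = find_suid_files(base)
        baseline = [paths["expected"]]
        return {
            "found": [os.path.relpath(p, base) for p in found],
            "unexpected": [os.path.relpath(p, base) for p in unexpected_suid(found, baseline)],
        }


if __name__ == "__main__":
    print(run_demo())
```

For a real audit the baseline is the output of `find_suid_files("/")` taken on a freshly installed host of the same image and stored off-box; re-running and diffing then surfaces any binary that gained the bit afterwards, which is what an administrator wants to detect and what an attacker in the author's position is looking for.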
I have no leads at this point and would need to follow online walkthroughs to continue, so I will let it sit for a while and come back to finish it.