Warzone: 3 (Exogen) vulnhub walkthrough

Warzone: 3 (Exogen)

vulnhub地址：http://www.vulnhub.com/entry/warzone-3-exogen,606/

0x01 信息收集到获取shell

PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsftpd 3.0.3
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
4444/tcp open  tcpwrapped

ftp以anonymous登录，下载文件note.txt和alienclient.jar，其中note中含有登录用户名alienum和密码exogenesis。

接着反编译jar包，来到感兴趣的地方。

在Starter.java的actionPerformed方法中，判断用户权限时，由于存在本地鉴权问题（在idea调试过程中验证），所以在判断用户权限前添加一句role = "astronaut";来提升权限。

  public void actionPerformed(ActionEvent e) {
   
    if (e.getSource() == this.loginButton) {
   
      String username = this.userTextField.getText();
      String password = this.passwordField.getText();
      try {
   
        this.socket = new Socket("warzone.local", 4444);
        this.os = new ObjectOutputStream(this.socket.getOutputStream());
        RE login = new RE();
        login.setToken(null);
        login.setOption("LOGIN");
        login.setCmd(null);
        login.setValue(String.valueOf(username) + "@" + password);
        this.os.writeObject(login);
        this.is = new ObjectInputStream(this.socket.getInputStream());
        RE response = (RE)this.is.readObject();
        token = response.getToken();
        role = token.getRole();
        this.os.close();
        this.socket.close();
        if (response.getValue().equals("TRUE")) {
   
          dashboard();
        } else {
   
          JOptionPane.showMessageDialog(this, "Invalid Username or Password");
        } 
      } catch (IOException|ClassNotFoundException e1) {
   
        e1.printStackTrace();
      } 
    } 
    if (e.getSource() == this.resetButton) {
   
      this.userTextField.setText("");
      this.passwordField.setText("");
    } 
    if (e.getSource() == this.showPassword)
      if (this.showPassword.isSelected()) {
   
        this.passwordField.setEchoChar('0')