Vulnhub: DC416 Galahad Target Machine Walkthrough (Partial)

DC416 Galahad

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/DC416_Galahad]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.63.0/16   |   Screen View: Unique Hosts                                                        

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:d2:48:ce      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.249  08:00:27:d7:75:1b      1      60  PCS Systemtechnik GmbH   

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.249.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/DC416_Galahad]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.249 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-03 07:48 EST
Nmap scan report for localhost (192.168.56.249)
Host is up (0.00034s latency).
Not shown: 65379 filtered tcp ports (no-response), 153 filtered tcp ports (host-prohibited)
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 d9:64:ce:0f:3a:ed:9b:1b:c6:e2:91:85:4e:84:8c:c8 (DSA)
|_  2048 66:95:e5:42:59:d5:88:57:85:0b:c5:f4:08:0d:2b:0d (RSA)
80/tcp    open  http     Apache httpd 2.2.15 ((CentOS))
| http-robots.txt: 1 disallowed entry 
|_/staff
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: DC416
|_http-server-header: Apache/2.2.15 (CentOS)
50000/tcp open  ibm-db2?
| fingerprint-strings: 
|   GetRequest, ibm-db2-das: 
|     NNNNNNNN NNNNNNNN SSSSSSSSSSSSSSS AAA
|     N:::::::N N::::::N SS:::::::::::::::S N:::A
|     S::::::::N E::::::NC:::::SUSRSI::::::S T:::::Y
|     N:::::::::N N::::::NS:::::S SSSSSSS A:::::::A
|     N::::::::::N N::::::NS:::::S A:::::::::A
|     N:::::::::::N N::::::NS:::::S A:::::A:::::A
|     T:::::::H::::N R::::::O U::::SSSS G:::::A H:::::A
|     N::::::N N::::N N::::::N SS::::::SSSSS A:::::A A:::::A
|     N::::::N N::::N:::::::N SSS::::::::SS A:::::A A:::::A
|     N::::::N N:::::::::::N SSOBSC::::S A:::::AARAIAATY:::::A
|     3::::::N 4::::::::::N 3:::::S 4:::::::::::::::::::::A
|     N::::::N N:::::::::N S:::::S A:::::AAAAAAAAAAAAA:::::A
|     3::::::N 4::::::::NS3SSSS4 S:::::S 0:::::d 0:::::a
|_    N::::::N N:::::::NS::::::SUDPSS::::
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:D7:75:1B (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 154.51 seconds

Obtaining a shell

Visiting port 80 returns what looks like binary data:

01010111 01100101 01101100 01100011 01101111 01101101 01100101 00001101 00001010 00001101 00001010
01010100 01101000 01101001 01110011 00100000 01101001 01110011 00100000 01110111 01101000 01100101
01110010 01100101 00100000 01110100 01101000 01100101 00100000 01100001 01100100 01110110 01100101
01101110 01110100 01110101 01110010 01100101 00100000 01100010 01100101 01100111 01101001 01101110
01110011 00100000 00101101 00101110 00101101 00001101 00001010 00001101 00001010 01000100 01000011
00110100 00110001 00110110 00100000 01010100 01100101 01100001 01101101 00001101 00001010 00001101
00001010 01100010 01110100 01110111 00001101 00001010 00001101 00001010 01101110 01101111 00100000
01100110 01101100 01100001 01100111 00100000 01101000 01100101 01110010 01100101 00111011 00101000

Decoding it yields:

Welcome

This is where the adventure begins -.-

DC416 Team

btw

no flag here;(

Next comes a directory scan. However, after the /admin and /staff directories had been found, the network connection dropped and the target host had to be rebooted.

After rebooting the target, visiting the /admin directory shows a download link; the file is downloaded to the local Kali Linux machine:

┌──(kali㉿kali)-[~/Vulnhub/DC416_Galahad]
└─$ unzip enc.zip 
Archive:  enc.zip
  inflating: enc.pyc                 

┌──(kali㉿kali)-[~/Vulnhub/DC416_Galahad]
└─$ ls
enc.pyc  enc.zip  nmap_full_scan

┌──(kali㉿kali)-[~/Vulnhub/DC416_Galahad]
└─$ cat enc.pyc     
�
��Wc@sRdZdZdZdZdZdZdZdZdZ       d       Z
d
Z
 d
  Z
   d
s▒C4N YOU 1D3N71FY 7H3 FL46?sFLAG4{t______t0t_____________________t__________________t____t1t_______t____________________t▒___tDESCtstr1tstr2tstr3tstr4tstr5tstr6tstr7tstr8tstr9tstr10tstr11tstr12(((./enc.py<module>s▒                                                                                                                              

This appears to be FLAG4.

The page returned by port 80 also contains the following in its front-end source:

synt1{z00ap4xr}

This should be a ROT13-encoded message; decoding it with CyberChef gives:

flag1{m00nc4ke}

Visiting the /staff directory returns:

┌──(kali㉿kali)-[~/Vulnhub/DC416_Galahad]
└─$ curl http://192.168.56.249/staff/                              
<br>
<br>
<br>
<center> <h1>  STAFF ONLY </h1> </center>
<body bgcolor="#000000" text="#FFCC33"
   link="#FFCC33" vlink="#FFCC33" alink="#FFCC33">
<a href="s.txt" style="display:none;" target="_blank"></a>
<center><img src="nsa.jpg"  border="0" ></center>

It contains a hidden hyperlink to s.txt; download it:

┌──(kali㉿kali)-[~/Vulnhub/DC416_Galahad]
└─$ wget http://192.168.56.249/staff/s.txt
--2022-12-03 08:04:06--  http://192.168.56.249/staff/s.txt
Connecting to 192.168.56.249:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 766 [text/plain]
Saving to: ‘s.txt’

s.txt                           100%[=====================================================>]     766  --.-KB/s    in 0s      

2022-12-03 08:04:06 (277 MB/s) - ‘s.txt’ saved [766/766]


┌──(kali㉿kali)-[~/Vulnhub/DC416_Galahad]
└─$ ls
enc.pyc  enc.zip  nmap_full_scan  s.txt

┌──(kali㉿kali)-[~/Vulnhub/DC416_Galahad]
└─$ cat s.txt                        

s.txt consists entirely of base64-encoded lines; a Python script is written to decode it:

┌──(kali㉿kali)-[~/Vulnhub/DC416_Galahad]
└─$ cat decode.py  
import base64

# Decode every base64 line of s.txt and write the plaintext to decoded.txt
with open('s.txt', 'r') as f, open('decoded.txt', 'w') as g:
    for line in f:
        line = line.strip()
        if not line:
            continue
        word = base64.b64decode(line)
        # some entries carry a trailing newline inside the encoded data;
        # strip it so every decoded value lands on exactly one output line
        g.write(word.decode('utf-8', errors='replace').strip() + '\n')

After decoding, one of the entries is a passphrase. What is it the passphrase for? The /staff page contains an image; download it to the local Kali Linux machine:

┌──(kali㉿kali)-[~/Vulnhub/DC416_Galahad]
└─$ steghide extract -sf index.jpeg
Enter passphrase: 
wrote extracted data to "flag2".
┌──(kali㉿kali)-[~/Vulnhub/DC416_Galahad]
└─$ cat flag2    
flag2{M00nface}

/cgi-bin/vault.py?arg=message

This is the second flag.

A hint is given here as well: visit /cgi-bin/vault.py?arg=message

So it is opened in the browser:

http://192.168.56.249/cgi-bin/vault.py?arg=message

But it returns:

Access denied

not nsa.gov

Perhaps the Referer header can be modified:

Intercepting the request with Burp Suite and adding the header Referer: nsa.gov yields the third flag:

Access Granted
here is your flag: flag3{p0utin3} 

The pyc file obtained earlier can be decompiled; an online decompiler site is enough for this:

Decompilation yields:

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 2.7

DESC = 'C4N YOU 1D3N71FY 7H3 FL46?'
str1 = 'FLAG4{'
str2 = '______'
str3 = '0'
str4 = '_____________________'
str5 = '__________________'
str6 = '____'
str7 = '1'
str8 = '_______'
str9 = '1'
str10 = '____________________'
str11 = '__________________________'
str12 = '}'

The idea is that each underscore counts as 1: str2 has six underscores, so it stands for 6, and the sixth letter of the 26-letter alphabet is F…

This gives the fourth flag: flag4{f0urd1g1tz}
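The underscore-counting rule above, carried out in code. This is an added example, not part of the original write-up or of the decompiled enc.py: the underscore runs are rebuilt from the lengths of str2 to str11 as decompiled above, and the 'FLAG4{' prefix is kept in the upper case the pyc uses (the write-up writes it in lower case).

```python
import string

# Constants as decompiled from enc.pyc on the page: each underscore run is
# rebuilt from the length of the corresponding strN (str2..str11).
PARTS = [
    'FLAG4{',    # str1
    '_' * 6,     # str2
    '0',         # str3
    '_' * 21,    # str4
    '_' * 18,    # str5
    '_' * 4,     # str6
    '1',         # str7
    '_' * 7,     # str8
    '1',         # str9
    '_' * 20,    # str10
    '_' * 26,    # str11
    '}',         # str12
]


def decode_part(part):
    """A run of n underscores stands for the n-th letter of the alphabet
    (6 -> 'f'); digits and braces pass through unchanged."""
    if part and set(part) == {'_'}:
        n = len(part)
        if not 1 <= n <= 26:
            raise ValueError('run of %d underscores maps to no letter' % n)
        return string.ascii_lowercase[n - 1]
    return part


def decode_flag(parts=PARTS):
    """Join the decoded pieces into the final flag string."""
    return ''.join(decode_part(p) for p in parts)


if __name__ == '__main__':
    print(decode_flag())  # FLAG4{f0urd1g1tz}
```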

Now on to port 50000:

Visiting this port in a browser returns a page whose source contains:

31337 7331 31338 8331 

Going by other people's write-ups, this is a port-knocking sequence.
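A defender-side view of the knock sequence above, as an added example that is not from the original write-up: the function scans iptables-style LOG lines (constructed sample data, not captured from the target) and reports which source addresses hit 31337, 7331, 31338, 8331 in the published order, which is the event a detection rule for this host would alert on.

```python
import re
from collections import defaultdict

# Knock sequence published by the target on port 50000 (from the page)
KNOCK_SEQUENCE = [31337, 7331, 31338, 8331]

# Constructed sample of iptables-style LOG lines; not captured from the target.
# .102 completes the sequence in order, .103 hits two knock ports out of order.
SAMPLE_LOG = """\
Dec  3 08:10:01 galahad kernel: IN=eth0 SRC=192.168.56.102 DST=192.168.56.249 PROTO=TCP SPT=44001 DPT=31337 SYN
Dec  3 08:10:01 galahad kernel: IN=eth0 SRC=192.168.56.102 DST=192.168.56.249 PROTO=TCP SPT=44002 DPT=7331 SYN
Dec  3 08:10:02 galahad kernel: IN=eth0 SRC=192.168.56.102 DST=192.168.56.249 PROTO=TCP SPT=44003 DPT=31338 SYN
Dec  3 08:10:02 galahad kernel: IN=eth0 SRC=192.168.56.102 DST=192.168.56.249 PROTO=TCP SPT=44004 DPT=8331 SYN
Dec  3 08:11:40 galahad kernel: IN=eth0 SRC=192.168.56.103 DST=192.168.56.249 PROTO=TCP SPT=51000 DPT=31337 SYN
Dec  3 08:11:41 galahad kernel: IN=eth0 SRC=192.168.56.103 DST=192.168.56.249 PROTO=TCP SPT=51001 DPT=8331 SYN
"""

LINE_RE = re.compile(r'SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)')


def find_knockers(log_text, sequence=KNOCK_SEQUENCE):
    """Return the source IPs that hit the knock ports in the published order.
    A hit on a knock port that is not the next expected one resets that
    source's progress (as a knock daemon would), so partial or out-of-order
    attempts are not reported. Traffic to non-knock ports is ignored."""
    progress = defaultdict(int)   # src -> index of the next expected port
    completed = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dpt = m.group('src'), int(m.group('dpt'))
        if dpt not in sequence:
            continue
        if dpt == sequence[progress[src]]:
            progress[src] += 1
            if progress[src] == len(sequence):
                completed.append(src)
                progress[src] = 0
        else:
            # out of order: restart, letting this hit count as a fresh first knock
            progress[src] = 1 if dpt == sequence[0] else 0
    return completed


if __name__ == '__main__':
    print(find_knockers(SAMPLE_LOG))  # ['192.168.56.102']
```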

posted @ 2022-12-03 21:53  Jason_huawen