VulnHub: Kuya



Test environment

Attacker IP      Description    Target IP
172.17.135.44    PC             172.17.135.43
172.17.135.75    VM-kali        172.17.135.43

Preparation

Out of habit, the first step is a full port scan of the target from Kali, here with nmap:

nmap -T4 -A -sS -p 1-65535 -v 172.17.135.43

The nmap results show that ports 22 and 80 are open on the target. We start with port 80.


flag 1

Visiting port 80:

We get a picture of SpongeBob. Tsk, suspicious; maybe the image hides something (steganography), so let's look at the page source.

It contains the following comment:

<!-- Hey Kuya, Did you actually think it would be this easy ? Keep on looking, it's not here-->
<!-- Jokes apart, see deeper, there are friendly bots hidden-->

The source also references /loot/image.jpeg, so we visit that page.

We download the image, and while browsing the loot directory we find more files:

We download each image and run the steghide steganography tool against them.

Which yields the following:

robots.txt
secret.txt
loot.pcapng
emb.txt
four files. Open them one by one:

robots.txt

Opening it shows nothing but the paths to those same images... completely useless.

1.jpg
2."
3."
4."
5."
image.jpeg

On to the next file.

secret.txt

The contents are base64-encoded:

WW91IHJlYWxseSB0aG91Z2h0IGl0IHdvdWxkIGJlIHRoaXMgZWFzeSA/IEtlZXAgZGlnZ2luZyAhIExvdHMgb2YgdHJvbGxzIHRvIGRlZmVhdC4=

Decoding gives:

You really thought it would be this easy ? Keep digging ! Lots of trolls to defeat.

In short: don't expect this to be easy; it gets harder from here.

emb.txt

Opening it, the file turns out to be a Brainfuck program:

+[--->++<]>+.++[->++++<]>+.+++++++..[++>---<]>--.++[->++<]>.[--->+<]>+++.-.---------.--[--->+<]>-.+.-.--[->+++<]>-.[->+++++++<]>.++++++.---.[-->+++++<]>+++.+++[->++<]>.[-->+++<]>.+++++++++.+.+.[---->+<]>+++.+++[->++<]>.--[--->+<]>.-----------.++++++.-[--->+<]>--.-[--->++<]>-.++++++++++.+[---->+<]>+++.>+[--->++<]>.>-[----->+<]>-.++[->++<]>..----.-[--->++<]>+.-.--[++++>---<]>.-------------.-[--->+<]>+++.+[-->+<]>+++++.+.++[->+++++<]>.--.+[----->+<]>.--[++>---<]>.+[->++<]>.-[--->++<]>+.--.-[---->+++<]>-.

Decoding it with an online Brainfuck interpreter:

gives the first flag:

Well Done ! Your First Flag is V2hhdCBpcyBCYWx1dCA/
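For readers who would rather not paste CTF data into a random online decoder, here is a small offline decoder as an added example (my own code, not the box author's). It runs the Brainfuck program from emb.txt in a minimal interpreter with 8-bit wrapping cells (the convention such generated programs assume), pulls the base64 token out of the output and decodes it, and also decodes the secret.txt string. The two input strings are copied from the write-up; the function names and the interpreter itself are mine.

```python
import base64
from typing import Tuple

# The Brainfuck program found in emb.txt, copied from the write-up above.
EMB_TXT = "+[--->++<]>+.++[->++++<]>+.+++++++..[++>---<]>--.++[->++<]>.[--->+<]>+++.-.---------.--[--->+<]>-.+.-.--[->+++<]>-.[->+++++++<]>.++++++.---.[-->+++++<]>+++.+++[->++<]>.[-->+++<]>.+++++++++.+.+.[---->+<]>+++.+++[->++<]>.--[--->+<]>.-----------.++++++.-[--->+<]>--.-[--->++<]>-.++++++++++.+[---->+<]>+++.>+[--->++<]>.>-[----->+<]>-.++[->++<]>..----.-[--->++<]>+.-.--[++++>---<]>.-------------.-[--->+<]>+++.+[-->+<]>+++++.+.++[->+++++<]>.--.+[----->+<]>.--[++>---<]>.+[->++<]>.-[--->++<]>+.--.-[---->+++<]>-."

# The base64 text found in secret.txt, also copied from the write-up.
SECRET_TXT = "WW91IHJlYWxseSB0aG91Z2h0IGl0IHdvdWxkIGJlIHRoaXMgZWFzeSA/IEtlZXAgZGlnZ2luZyAhIExvdHMgb2YgdHJvbGxzIHRvIGRlZmVhdC4="


def run_brainfuck(program: str, tape_size: int = 30000) -> str:
    """Minimal Brainfuck interpreter: 8-bit wrapping cells, no ',' input support."""
    # Pre-compute matching brackets so loops jump in O(1) and unbalanced
    # programs are rejected before execution starts.
    jump = {}
    stack = []
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = bytearray(tape_size)
    ptr = pc = 0
    out = []
    while pc < len(program):
        ch = program[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("data pointer moved below cell 0")
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF   # wrap like an 8-bit cell
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return "".join(out)


def decode_emb_txt() -> Tuple[str, str]:
    """Run emb.txt and return (full message, base64-decoded last token)."""
    message = run_brainfuck(EMB_TXT)
    flag_b64 = message.split()[-1]
    return message, base64.b64decode(flag_b64).decode("utf-8")


def decode_secret_txt() -> str:
    return base64.b64decode(SECRET_TXT).decode("utf-8")


if __name__ == "__main__":
    msg, flag = decode_emb_txt()
    print(msg)
    print("decoded flag token:", flag)
    print(decode_secret_txt())
```

The interpreter deliberately wraps cells modulo 256: several loops in this program (for example the opening `+[--->++<]`) drive a cell below zero and only terminate because of that wrap, so an interpreter with unbounded integer cells would hang on it.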

flag 2

loot.pcapng

Open the pcap recovered via steghide in Wireshark.

Looking through the HTTP streams we find something suspicious:

Following the stream, we export loot.7z and inspect the archive in 7-Zip.
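What "follow stream, export the file" does under the hood is worth seeing once, so here is an added example of my own (not from the write-up or the box) that carves a downloaded file out of the server half of a raw HTTP stream: it splits headers from body, honours Content-Length so a later response on the same connection is not glued onto the file, checks the 7-Zip magic bytes, and records a SHA-256 of the carved body for the evidence log. The sample stream is constructed here, not data from loot.pcapng.

```python
import hashlib

# Magic bytes at the start of every 7-Zip archive.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"

# Constructed stand-in for the server half of a followed TCP stream.
# NOT data from loot.pcapng: the body is a fake 7z header plus filler bytes.
SAMPLE_BODY = SEVEN_ZIP_MAGIC + b"\x00\x04" + bytes(range(40))
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: application/x-7z-compressed\r\n"
    b"Content-Disposition: attachment; filename=\"loot.7z\"\r\n"
    + b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n"
    + b"\r\n"
    + SAMPLE_BODY
)
# Same stream with a second (empty) response following on the same connection,
# which is exactly what a naive "everything after the headers" carve gets wrong.
SAMPLE_STREAM_WITH_TRAILER = SAMPLE_STREAM + b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def carve_http_response(stream: bytes):
    """Split one HTTP response into (status line, headers dict, body bytes)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    # Without Content-Length (or with chunked encoding) fall back to the rest
    # of the stream; real captures then need the chunk framing handled too.
    length = int(headers.get("content-length", len(rest)))
    body = rest[:length]
    if len(body) != length:
        raise ValueError(f"truncated body: expected {length} bytes, got {len(body)}")
    return status, headers, body


def identify_body(body: bytes) -> str:
    """Cheap magic-byte check so the exported file gets a sensible name."""
    if body.startswith(SEVEN_ZIP_MAGIC):
        return "7z"
    if body.startswith(b"PK\x03\x04"):
        return "zip"
    if body.startswith(b"\x1f\x8b"):
        return "gzip"
    return "unknown"


def export_body(stream: bytes, out_path: str = None) -> dict:
    """Carve the body, hash it for the evidence log and optionally write it out."""
    status, headers, body = carve_http_response(stream)
    digest = hashlib.sha256(body).hexdigest()
    if out_path:
        with open(out_path, "wb") as fh:
            fh.write(body)
    return {
        "status": status,
        "content_type": headers.get("content-type", ""),
        "kind": identify_body(body),
        "size": len(body),
        "sha256": digest,
    }


if __name__ == "__main__":
    print(export_body(SAMPLE_STREAM_WITH_TRAILER))
```

Hashing the carved artefact before you touch it is the habit that matters here: a cracked archive or a private key pulled from a capture is evidence as much as it is loot, and the digest is what lets you show later that the file you analysed is the one the capture contained.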

Opening the file requires a password.

The original plan was to crack it with ARCHPR, which turned out not to support this archive, so we switched to john instead:

./7z2john.pl loot.7z > crackme_7z
john crackme_7z
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip [SHA256 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 524288 for all loaded hashes
Cost 2 (padding size) is 0 for all loaded hashes
Cost 3 (compression type) is 2 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Wordlist
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any
Warning: Only 30 candidates buffered for the current salt, minimum 32
needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
manchester       (loot.7z)
1g 0:00:06:47 DONE 2/3 (2019-03-03 17:04) 0.002453g/s 25.59p/s 25.59c/s 25.59C/s katrina..hermosa
Use the "--show" option to display all of the cracked passwords reliably
Session completed
~ john crackme --show
loot.7z:manchester

The archive password is manchester.

Opening the archive reveals a user, test@mini, and a private key:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,5202EE2DD871DFB00DF566C68F7026CF
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-----END RSA PRIVATE KEY-----

Good, the obvious next step is to connect over SSH.

The connection fails because the private key's permissions are too open, so on Kali we tighten them with chmod and try again:

chmod 700 id_rsa
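The check that refused the key is OpenSSH's own: a private key whose mode has any group or other bits set is rejected as an unprotected key file. As an added example (my code, not anything from the box), the function below reproduces that check on a temporary file, first with the over-permissive mode and then after tightening it, so you can see exactly what ssh is complaining about. File names and the placeholder key contents are made up.

```python
import os
import stat
import tempfile
from typing import Optional, Tuple


def private_key_permission_problem(path: str) -> Optional[str]:
    """Mimic OpenSSH's 'UNPROTECTED PRIVATE KEY FILE' check.

    Returns None when the key is acceptable, otherwise a description of the
    problem. OpenSSH refuses a key whose mode has any group/other bits set,
    i.e. (mode & 0o077) != 0.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return f"{path}: mode {mode:04o} is accessible by group or others"
    return None


def fix_private_key_permissions(path: str) -> int:
    """Restrict the key to its owner (read/write only) and return the new mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Create a placeholder key with a loose mode, check it, fix it, check again."""
    with tempfile.TemporaryDirectory() as workdir:
        key_path = os.path.join(workdir, "id_rsa")   # hypothetical file name
        with open(key_path, "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER, NOT A REAL KEY\n")
        os.chmod(key_path, 0o644)                    # what a fresh download often has
        before = private_key_permission_problem(key_path)
        fix_private_key_permissions(key_path)
        after = private_key_permission_problem(key_path)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Both 700 and 600 pass the check; 600 is the tighter choice for a plain key file since a private key never needs the execute bit.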

We still get prompted for the passphrase of id_rsa.
Nothing found so far relates to a passphrase, so this is where I got stuck for a moment; then it occurred to me that, since this is an SSH key, john can be pointed at it too:

ssh -i id_rsa test@172.17.135.43
 ~ john crackme_ssh
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Proceeding with single, rules:Wordlist
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 8
needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any
Warning: Only 5 candidates buffered for the current salt, minimum 8
needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
hello            (/root/Downloads/id_rsa)
Proceeding with incremental:ASCII
hello            (/root/Downloads/id_rsa)
3g 0:00:00:46  3/3 (2019-03-03 18:01) 0.06518g/s 1800Kp/s 1800Kc/s 1800KC/s cpodso..cpop1.
Session aborted
~ john crackme_ssh --show 
/root/Downloads/id_rsa:hello
1 password hash cracked, 0 left

The passphrase is hello.
Entering it, the SSH login succeeds.

Next is getting the flag and escalating privileges. Listing the home directory shows the following:

Inside the suspicious .ssh directory we find the second flag:

FInally you got a shell ! Here's a flag for you  5256247262. Let's see  where you go from here

flag 3

Looking through directories and files for anything suspicious, we visit /var/www/html
and find a WordPress install; its configuration file gives away another user's details.

Another user's credentials:

username=kuya
password=Chrepia##@@!!

Switch to user kuya.

In the root directory we find who_dis.txt.
Its contents:

Which contain the third flag:

Well Done ! 

BTW this was too easy :D

Here is something for you IL0v3C@f3HaV@nA

flag 4

With what we have so far, we check the .bash_history in the home directory.

It references the sensitive path /etc/shadow.

The root directory also contains shadow.tar; guessing that file's contents were packed into the archive, we extract it and take a look:

tar -cvf shadow.tar /etc/shadow

This yields the last flag, and the test is complete:

You did it !!!!

COngratulations :D 

I just hope you had the same fun as I had while making this box.

As this is my first box, please send in your reviews to me on syed.ashhad72@gmail.com (DOn't hack this please Mr Leet)

If you are still reading, you are wasting your time

THere is no flag here.

Seriously Stop


Well I can't help so here is the last one WeasleyIsOurKing

#PeaceOut

