Skip to main content

One Piece

端口扫描

root@ip-10-10-194-237:~/ctfonepiece65# nmap -sTCV -p 21,22,80 --min-rate 1000 10.10.172.74

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-06 13:58 BST
Nmap scan report for ip-10-10-172-74.eu-west-1.compute.internal (10.10.172.74)
Host is up (0.00017s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             187 Jul 26  2020 welcome.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.194.237
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 01:18:18:f9:b7:8a:c3:6c:7f:92:2d:93:90:55:a1:29 (RSA)
|   256 cc:02:18:a9:b5:2b:49:e4:5b:77:f9:6e:c2:db:c9:0d (ECDSA)
|_  256 b8:52:72:e6:2a:d5:7e:56:3d:16:7b:bc:51:8c:7b:2a (EdDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: New World
MAC Address: 02:F5:35:F3:28:25 (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

21

我们可以使用匿名身份登陆我们的 FTP 服务, 在其中我们一共可以得到三个文件:

  • welcome.txt
  • .road_poneglyph.jpeg : 感觉存在文件隐写术
  • .secret_room.txt : 告诉我们关于房间的构成信息
root@ip-10-10-194-237:~/ctfonepiece65# ftp 10.10.172.74
Connected to 10.10.172.74.
220 (vsFTPd 3.0.3)
Name (10.10.172.74:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Jul 26  2020 .
drwxr-xr-x    3 0        0            4096 Jul 26  2020 ..
drwxr-xr-x    2 0        0            4096 Jul 26  2020 .the_whale_tree
-rw-r--r--    1 0        0             187 Jul 26  2020 welcome.txt

对下载下来的照片进行二次分析, 发现其存在文件隐写术 (没有密码)

root@ip-10-10-194-237:~/ctfonepiece65# steghide extract -sf  .road_poneglyph.jpeg 
Enter passphrase: 
wrote extracted data to "road_poneglyphe1.txt".
root@ip-10-10-194-237:~/ctfonepiece65# cat road_poneglyphe1.txt 
FUWS2LJNEAWS2LJNFUQC4LJNFUWSALRNFUWS2IBNFUWS2LJAFUWS2LJNEAXC2LJNFUQC4LJNFUWQULJNFUWS2IBNFUWS2LJAFYWS2LJNEAXC2LJNFUQC2LJNFUWSALJNFUWS2IBOFUWS2LJAFYWS2LJNBIWS2LJNFUQC2LJNFUWSALRNFUWS2IBNFUWS2LJAFUWS2LJNEAWS2LJNFUQC2LJNFUWSALJNFUWS2CRNFUWS2LJAFUWS2LJNEAXC2LJNFUQC4LJNFUWSALJNFUWS2IBOFUWS2LJAFUWS2LJNEAWS2LJNFUFC2LJNFUWSALJNFUWS2IBOFUWS2LJAFYWS2LJNEAXC2LJNFUQC2LJNFUWSALJNFUWS2IBNFUWS2LIKFUWS2LJNEAWS2LJNFUQC4LJNFUWSALJNFUWS2IBNFUWS2LJAFUWS2LJNEAWS2LJNFUQC2LJNFUWQULJNFUWS2IBNFUWS2LJAFYWS2LJNEAXC2LJNFUQC2LJNFUWSALRNFUWS2IBNFUWS2LJAFYWS2LJNBIWS2LJNFUQC2LJNFUWSALRNFUWS2IBOFUWS2LJAFUWS2LJNEAXC2LJNFUQC2LJNFUWSALJNFUWS2CRNFUWS2LJAFUWS2LJNEAXC2LJNFUQC2LJNFUWSALJNFUWS2IBNFUWS2LJAFUWS2LJNEAWS2LJNFUFC2LJNFUWSALJNFUWS2IBOFUWS2LJAFYWS2LJNEAWS2LJNFUQC4LJNFUWSALJNFUWS2IBOFUWS2LIKFUWS2LJNEAWS2LJNFUQC4LJNFUWSALRNFUWS2IBOFUWS2LJAFUWS2LJNEAWS2LJNFUQC2LJNFUWQULJNFUWS2IBNFUWS2LJAFYWS2LJNEAWS2LJNFUQC2LJNFUWSALJNFUWS2IBNFUWS2LJAFUWS2LJNBIWS2LJNFUQC2LJNFUWSALRNFUWS2IBOFUWS2LJAFUWS2LJNEAXC2LJNFUQC4LJNFUWSALJNFUWS2CRNFUWS2LJAFUWS2LJNEAXC2LJNFUQC4LJNFUWSALRNFUWS2IBNFUWS2LJAFUWS2LJNEAXC2LJNFUFC2LJNFUWSALJNFUWS2IBOFUWS2LJAFUWS2LJNEAWS2LJNFUQC2LJNFUWSALJNFUWS2IBNFUWS2LIKFUWS2LJNEAWS2LJNFUQC4LJNFUWSALRNFUWS2IBNFUWS2LJAFUWS2LJNEAXC2LJNFUQC4LJNFUWQULJNFUWS2IBNFUWS2LJAFYWS2LJNEAXC2LJNFUQC4LJNFUWSALJNFUWS2IBNFUWS2LJAFYWS2LJNBIWS2LJNFUQC2LJNFUWSALRNFUWS2IBNFUWS2LJAFUWS2LJNEAWS2LJNFUQC2LJNFUWSALJNFUWS2CRNFUWS2LJAFUWS2LJNEAXC2LJNFUQC4LJNFUWSALJNFUWS2IBOFUWS2LJAFYWS2LJNEAWS2LJNFUFC2LJNFUWSALJNFUWS2IBOFUWS2LJAFYWS2LJNEAXC2LJNFUQC2LJNFUWSALJNFUWS2IBOFUWS2LIKFUWS2LJNEAWS2LJNFUQC4LJNFUWSALJNFUWS2IBNFUWS2LJAFUWS2LJNEAWS2LJNFUQC2LJNFUWQULJNFUWS2IBNFUWS2LJAFYWS2LJNEAXC2LJNFUQC2LJNFUWSALJNFUWS2IBOFUWS2LJAFYWS2LJNBIWS2LJNFUQC2LJNFUWSALRNFUWS2IBOFUWS2LJAFUWS2LJNEAWS2LJNFUQC4LJNFUWSALJNFUWS2CRNFUWS2LJAFUWS2LJNEAXC2LJNFUQC2LJNFUWSALJNFUWS2IBNFUWS2LJAFUWS2LJNEAWS2LJNFUFC2LJNFUWSALJNFUWS2IBOFUWS2LJAFYWS2LJNEAWS2LJNFUQC4LJNFUWSALJNFUWS2IBOFUWS2LIKFUWS2LJNEAWS2LJNFUQC4LJNFUWSALRNFUWS2IBNFUWS2LJAFYWS2LJNEAWS2LJNFUQC2LJNFUWQULJNFUWS2IBNFUWS2LJAFYWS2LJNEAWS2LJNFUQC2LJNFUWSALJNFUWS2IBNFUWS2LJAFUWS2LJNBIWS2LJNFUQC2LJNFUWSALRNFUWS2IBOFUWS2LJAFUWS2LJNEAWS2LJNFUQC4LJNFUWSALRNFUWS2CRNFUWS2LJAFUWS2LJNEAXC2LJNFUQC4LJNFUWSALJNFUWS2IBNFUWS2LJAFYWS2LJNEAWS2LJNFUFC2LJNFUWSALJNFUWS2IBOFUWS2LJAFUWS2LJNEAWS2LJNFUQC2LJNFUWSALJNFUWS2IBNFUWS2LIK

80

image-20240709185238627

访问网页查看网页源代码我们可以发现一些加密信息CyberChef

image-20240709185251393

解密之后得到一段明文 , 可惜看不出来有什么用

Nami ensures there are precisely 3472 possible places where she could have lost it.

看了 WP 之后, 提示 OSINT 操作, 寻找 Github 项目 https://github.com/1FreyR/LogPose 使用新发现的字典进行扫描

root@ip-10-10-194-237:~/ctfonepiece65# gobuster dir -u http://10.10.172.74/ -w ./LogPose.txt -x php,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.172.74/
[+] Threads:        10
[+] Wordlist:       ./LogPose.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,php,txt
[+] Timeout:        10s
===============================================================
2023/10/06 14:14:59 Starting gobuster
===============================================================
/dr3ssr0s4.html (Status: 200)
===============================================================
2023/10/06 14:15:00 Finished
===============================================================

访问新发现的网站, 你可以发现其下面的图片进行了遮挡但是我们可以直接从源代码中进行查看原文件

image-20240709185310044

此时查看源代码你会发现在 css 中存在一个隐藏的图片

image-20240709185315308

将对应的图片下载到本地发现存在,发现存在文件隐写的操作,通过查看元数据信息我们可以发现一个照片的位置

image-20240709185320452

对应的文件估计还存在文件隐写的操作, 我们在此将其下载下来, 进行查看发现其中存在一段话

root@ip-10-10-231-42:~/ctfonepiece65# strings ko.jpg
......
Congratulations, this is the Log Pose that should lead you to the next island: /wh0l3_c4k3.php

访问新发现的网页 /wh0l3_c4k3.php , 网页内容告诉我们需要逃避它,并且给了我们一个输入框, 并却网页中提示我们, 对应的用户喜欢 cake

image-20240709185635230

但是在你输入 cake 后你会发现只会显示信息, 所以我们可能需要其他措施, 查看流量你会发现 cookie 非常有意思, 所以我们可以将其改为 cake 进行查看

image-20240709185642619

之后你就会得到第二个密文以及下一个位置

image-20240709185649744

访问新发现的网页可以发现是让我们做游戏, 但是我们可以直接看源代码直接跳过的, 在魔方游戏中你可以直接从 JS 中读取到对应的下一个路径

image-20240709185656694

继续访问 /0n1g4sh1m4.php , 你会发现其提供了两种路径:

  • 上传文件 : 好像是假的,因为连最基本的位置都不告诉你, 你也枚举不出来
  • 登陆: 不存在 sqli 注入, 只能尝试暴力破解, 但是我们要先获取用户名

image-20240709185702653

对应的应该又是文件隐写, 查看两张图片, 一般是在 Jpg 文件中, 所以进行破解 (破解时间有点长)一会之后我们就可以获取到一个用户名并利用此来进行暴力破解

root@ip-10-10-165-240:~/ctfonepiece65# stegcracker kaido.jpeg `locate rockyou.txt`
StegCracker 2.0.9 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2023 - Luke Paris (Paradoxis)

Counting lines in wordlist..
Attacking file 'kaido.jpeg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: imabeast1
Tried 106371 passwords
Your file has been written to: kaido.jpeg.out
imabeast
root@ip-10-10-165-240:~/ctfonepiece65# cat kaido.jpeg.out 
Username:K1ng_0f_th3_B3@sts

image-20240709185708825

破解之后我们进行登陆,很荣幸我们得到了第三个密文, 但是对于下一个的路径告诉我们是 unspecified

image-20240709185716976

访问 /unspecified 网页我们就可以得到最后一个密文, 将其结合起来进行解密

Base32 —> Morse —> Binary —> Hex —> base58 —> base64

M0nk3y_D_7uffy:1_w1ll_b3_th3_p1r@t3_k1ng!

后渗透

M0nk3y_D_7uffy

使用上面得到的账号进行登陆

image-20240709185732049

M0nk3y_D_7uffy —> 7uffy_vs_T3@ch

在用户 7uffy_vs_T3@ch 家目录枚举时我发现一些特殊的文件,

(remote) M0nk3y_D_7uffy@Laugh-Tale:/home/teach$ ls -al
total 56
drwxr-xr-x  7 7uffy_vs_T3@ch teach 4096 Jul 26  2020 .
drwxr-xr-x  4 root           root  4096 Jul 26  2020 ..
-r--------  1 7uffy_vs_T3@ch teach  479 Jul 26  2020 luffy_vs_teach.txt
-r--------  1 7uffy_vs_T3@ch teach   37 Jul 26  2020 .password.txt  # 应该存储的用户密码

但是这权限给的很死, 所以无法读取

image-20240709185743391

接着我在枚举的时候发现一个特殊的程序属于 7uffy_vs_T3@ch , 当我执行的时候我发现其就是 Python 的交互 Shell, 所以可以借此来进行读取文件

(remote) M0nk3y_D_7uffy@Laugh-Tale:/home/teach$ /usr/bin/gomugomunooo_king_kobraaa
Python 3.6.9 (default, Jul 17 2020, 12:50:27) 
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> file_path = "/home/teach/.password.txt"
>>> file = open(file_path, 'r')
>>> content = file.read()
>>> print(content)
7uffy_vs_T3@ch:Wh0_w1ll_b3_th3_k1ng?

7uffy_vs_T3@ch —> root

我发现用户存在 SUDO 特权不妨利用此来进行攻击

image-20240709185752361

但是执行它你会发现他只会输出一句话, 什么用也没有了查看其权限, 我们没有办法进行读取以及覆盖

7uffy_vs_T3@ch@Laugh-Tale:~$ ls -al  /usr/local/bin/less
-rwxrwx-wx 1 root root 87 Oct  7 10:26 /usr/local/bin/less
7uffy_vs_T3@ch@Laugh-Tale:~$ ls -al  /usr/local/bin/
total 12
drwxr-xr-x  2 root root 4096 Aug 14  2020 .
drwxr-xr-x 10 root root 4096 Feb  3  2020 ..
-rwxrwx-wx  1 root root   87 Oct  7 10:26 less

然后我发现存在一个 w 的权限所以我进行了添加的操作

image-20240709185759373