Skip to main content

Anonymous Playground

端口扫描

root@ip-10-10-148-104:~/anonymousplayground# nmap -sT -p- --min-rate 1000 10.10.37.42

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-31 14:21 GMT
Nmap scan report for ip-10-10-37-42.eu-west-1.compute.internal (10.10.37.42)
Host is up (0.00033s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 02:42:28:06:AA:E5 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 2.92 seconds
root@ip-10-10-148-104:~/anonymousplayground# nmap -sTCV -p 22,80 --min-rate 1000 10.10.37.42

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-31 14:22 GMT
Nmap scan report for ip-10-10-37-42.eu-west-1.compute.internal (10.10.37.42)
Host is up (0.0014s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 60:b6:ad:4c:3e:f9:d2:ec:8b:cd:3b:45:a5:ac:5f:83 (RSA)
|   256 6f:9a:be:df:fc:95:a2:31:8f:db:e5:a2:da:8a:0c:3c (ECDSA)
|_  256 e6:98:52:49:cf:f2:b8:65:d7:41:1c:83:2e:94:24:88 (EdDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/zYdHuAKjP
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Proving Grounds
MAC Address: 02:42:28:06:AA:E5 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds

80

root@ip-10-10-148-104:~/anonymousplayground# feroxbuster -u http://10.10.37.42/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html

404      GET        9l       31w      273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      314c http://10.10.37.42/zYdHuAKjP => http://10.10.37.42/zYdHuAKjP/
200      GET       28l       46w      495c http://10.10.37.42/css/main.css
200      GET        7l     2102w   160403c http://10.10.37.42/css/bootstrap.min.css
200      GET      136l      344w    13691c http://10.10.37.42/
301      GET        9l       28w      311c http://10.10.37.42/images => http://10.10.37.42/images/
301      GET        9l       28w      308c http://10.10.37.42/css => http://10.10.37.42/css/
301      GET        9l       28w      307c http://10.10.37.42/js => http://10.10.37.42/js/
200      GET        7l      687w    60174c http://10.10.37.42/js/bootstrap.min.js
200      GET       14l       48w     2945c http://10.10.37.42/favicon.png
200      GET       57l      108w     1755c http://10.10.37.42/operatives.php
200      GET      136l      344w    13691c http://10.10.37.42/index.php
200      GET       40l       88w     1206c http://10.10.37.42/zYdHuAKjP/index.php
200      GET        2l        4w       35c http://10.10.37.42/robots.txt
301      GET        9l       28w      310c http://10.10.37.42/fonts => http://10.10.37.42/fonts/
200      GET     1063l     5031w   164067c http://10.10.37.42/fonts/VT323-Regular.ttf
200      GET      140l      776w    68016c http://10.10.37.42/fonts/vt323-regular-webfont.woff
[####################] - 18m  1764480/1764480 0s      found:16      errors:0      
[####################] - 18m   882184/882184  820/s   http://10.10.37.42/ 
[####################] - 18m   882184/882184  805/s   http://10.10.37.42/zYdHuAKjP/ 
[####################] - 0s    882184/882184  5920698/s http://10.10.37.42/css/ => Directory listing
[####################] - 0s    882184/882184  441092000/s http://10.10.37.42/images/ => Directory listing
[####################] - 0s    882184/882184  13784125/s http://10.10.37.42/js/ => Directory listing
[####################] - 1s    882184/882184  792618/s http://10.10.37.42/fonts/ => Directory listing

根据扫描的结果访问我们的网页, 首先根据端口扫描的结果我早已将目光锁定在 /zYdHuAKjP/ 目录, 查看该目录, 但是显示权限拒绝, 并且查看 cookie 之后我知道了这是基于 cookie 的验证

image-20240709203153740

之后我尝试了一系列单词最终发现 granted 可以使用, 并且得到一个提示内容

image-20240709203136203

之后查看题目的提示, 其告诉我们内容如下:

image-20240709203144004

这边我猜测解密出来估计就是用户的 SSH 密码, 之后我尝试里几种猜测但是都是错误的, 查看 WP 之后发现其思路为 :

a 是第一个字母表示数字 1, z 是第二十六个字母表示数字 26, (1+26)%26 对应的值为1 表示a

str1 = 'hEzAdCfHzA'.lower()
str2 = 'hEzAdCfHzAhAiJzAeIaDjBcBhHgAzAfHfN'.lower()
result = ""

for i in range(0, len(str1), 2):
    result += chr((((ord(str1[i:i+1]) + ord(str1[i+1: i+2])) - 192) % 26) + 96)
print(result)
for i in range(0, len(str2), 2):
    result += chr((((ord(str2[i:i+1]) + ord(str2[i+1: i+2])) - 192) % 26) + 96)
print(result)

# magna::magnamagnaisanelephant

后渗透

magna

使用得到的账号进行访问密码为 : magnaisanelephant

image-20240709203220568

magna —> root

进入之后可以很明显的查看到一个 SUID 程序, 需要我们进行逆向操作, 后面学了补

magna@anonymous-playground:~$ ls -al hacktheworld 
-rwsr-xr-x 1 root root 8528 Jul 10  2020 hacktheworld
magna@anonymous-playground:~$