Vulnhub-GROTESQUE:2-WriteUp
本文最后更新于1225天前,其中的信息可能已经有所发展或是发生改变。

探测主机地址

PS:
有点像CTF的题
┌──(kali㉿kali)-[~/Downloads/site]
└─$ nmap -sP 192.168.5.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-01 11:02 EDT
Nmap scan report for OpenWrt.lan (192.168.5.1)
Host is up (0.016s latency).
Nmap scan report for kali.lan (192.168.5.122)
Host is up (0.00011s latency).
Nmap scan report for Moonsec.lan (192.168.5.185)
Host is up (0.063s latency).
Nmap scan report for grotesque.lan (192.168.5.205)
Host is up (0.00047s latency).
Nmap scan report for ESP_4A6E4B.lan (192.168.5.229)
Host is up (0.0054s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.94 seconds
┌──(kali㉿kali)-[~/Downloads/site]
└─$ sudo arp-scan --interface=eth0 192.168.5.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:9a:68:bd, IPv4: 192.168.5.122
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.5.1     a0:3e:6b:a1:16:85       IEEE Registration Authority
192.168.5.205   00:0c:29:69:e2:26       VMware, Inc.
192.168.5.207   5c:5f:67:6d:6c:d0       Intel Corporate
192.168.5.185   92:a4:db:ae:2f:4b       (Unknown: locally administered)
192.168.5.151   c8:14:51:37:fb:b3       HUAWEI TECHNOLOGIES CO.,LTD
192.168.5.229   7c:49:eb:4a:6e:4b       XIAOMI Electronics,CO.,LTD
​
6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.922 seconds (133.19 hosts/sec). 6 responded

目标主机IP:192.168.5.205 MAC: 00:0c:29:69:e2:26

kali攻击机: 192.168.5.122

探测主机端口和服务

sudo ./nmapAutomator.sh 192.168.5.205 All 

结果:

┌──(kali㉿kali)-[~/Documents/nmapAutomator]
└─$ sudo ./nmapAutomator.sh 192.168.5.205 All                                                                                                                                                                   
​
Running all scans on 192.168.5.205
​
Host is likely running Linux
                                                                                                                                                                                                                    
                                                                                                                                                                                                                    
---------------------Starting Port Scan-----------------------                                                                                                                                                      
                                                                                                                                                                                                                    
​
​
PORT    STATE SERVICE
22/tcp  open  ssh
32/tcp  open  unknown
33/tcp  open  dsp
37/tcp  open  time
42/tcp  open  nameserver
43/tcp  open  whois
49/tcp  open  tacacs
53/tcp  open  domain
70/tcp  open  gopher
79/tcp  open  finger
80/tcp  open  http
81/tcp  open  hosts2-ns
82/tcp  open  xfer
83/tcp  open  mit-ml-dev
84/tcp  open  ctf
85/tcp  open  mit-ml-dev
88/tcp  open  kerberos-sec
89/tcp  open  su-mit-tg
90/tcp  open  dnsix
99/tcp  open  metagram
100/tcp open  newacct
106/tcp open  pop3pw
109/tcp open  pop2
110/tcp open  pop3
111/tcp open  rpcbind
113/tcp open  ident
119/tcp open  nntp
125/tcp open  locus-map
135/tcp open  msrpc
139/tcp open  netbios-ssn
143/tcp open  imap
144/tcp open  news
146/tcp open  iso-tp0
161/tcp open  snmp
163/tcp open  cmip-man
179/tcp open  bgp
199/tcp open  smux
211/tcp open  914c-g
212/tcp open  anet
222/tcp open  rsh-spx
254/tcp open  unknown
255/tcp open  unknown
256/tcp open  fw1-secureremote
259/tcp open  esro-gen
264/tcp open  bgmp
280/tcp open  http-mgmt
301/tcp open  unknown
306/tcp open  unknown
311/tcp open  asip-webadmin
340/tcp open  unknown
366/tcp open  odmr
389/tcp open  ldap
406/tcp open  imsp
407/tcp open  timbuktu
416/tcp open  silverplatter
417/tcp open  onmux
425/tcp open  icad-el
427/tcp open  svrloc
443/tcp open  https
444/tcp open  snpp
445/tcp open  microsoft-ds
458/tcp open  appleqtc
464/tcp open  kpasswd5
465/tcp open  smtps
481/tcp open  dvs
497/tcp open  retrospect
500/tcp open  isakmp
512/tcp open  exec
513/tcp open  login
514/tcp open  shell
515/tcp open  printer
524/tcp open  ncp
541/tcp open  uucp-rlogin
543/tcp open  klogin
544/tcp open  kshell
545/tcp open  ekshell
548/tcp open  afp
554/tcp open  rtsp
555/tcp open  dsf
MAC Address: 00:0C:29:69:E2:26 (VMware)

存在大量的开放端口。

访问端口:

80:

image-20210601233708400

443:

image-20210601233923759

探测服务

运行的服务似乎一样

image-20210601234015160

唉,一个一个下载查看吧

for i in {23..600}; do wget 192.168.5.205:$i -O index$i; done
image-20210601234630281
image-20210601234829544

使用

ls -la | sort

查看文件大小先选出最大的查看即:192.168.5.205:258

image-20210601235247678
image-20210601235429280

得到SSH用户名

satan, raphael, angel, distress, greed,lust

接下来寻找SSH密码

SSH

查看页面源码

<!DOCTYPE html>
<html>
<body>
<style>
body {
background-image: url('angel.png');
background-repeat: no-repeat;
background-size: cover; }
​
@font-face {
    font-family: Segoe;
    src: url('segoeui.ttf');
}
​
.mainfo {
  text-align: center;
  border: 1px solid #000000;
  font-family: 'Segoe';
  padding: 5px;
  background-color: #ffffff;
  margin-top: 300px;
}
​
.emoji {
    width: 32px;
    }
</style>
<div class="mainfo">
<br>congratulations, my child.<br>
<br>clap clap <img class="emoji" src="emoji/hand.png"><img class="emoji" src="emoji/eksi.png"><img class="emoji" src="emoji/100.png"><br>
<br>do you heard of markov chain?<br>
<br>whatever. ssh username is: satan, raphael, angel, distress, greed or lust<br>
</body>
</html>

emoji其实是图片下载查看

img

OK表情手指似乎有文字放大查看

image-20210602000626522
b6e705ea1249e2bb7b0fd7dac9fcd1b3

SSH爆破

得到SSH密码

b6e705ea1249e2bb7b0fd7dac9fcd1b3 MD5无解

有个-100试试

b6e705ea1249e2bb7b0fd7dac9fcd0b3
solomon1

Hydra爆破

hydra -L use.txt -p solomon1 ssh://192.168.5.205
image-20210603225246426

SSH连接

发现user.txt,打开如下:

image-20210603225559587

继续

发现qiute进入发现大量数字命名文件,打开后是文件夹名字。

image-20210603230933901

使用pspy64s监控进程

image-20210603230822944

发现定时任务读写检查,

image-20210603231355661

进一步查看

ls -al /
image-20210603231652860

发现flag文件打开

image-20210603232008497

Flag

root creds
​
root
sweetchild

点击数:185

    暂无评论

    发送评论 编辑评论

    
    				
    |´・ω・)ノ
    ヾ(≧∇≦*)ゝ
    (☆ω☆)
    (╯‵□′)╯︵┴─┴
     ̄﹃ ̄
    (/ω\)
    ∠( ᐛ 」∠)_
    (๑•̀ㅁ•́ฅ)
    →_→
    ୧(๑•̀⌄•́๑)૭
    ٩(ˊᗜˋ*)و
    (ノ°ο°)ノ
    (´இ皿இ`)
    ⌇●﹏●⌇
    (ฅ´ω`ฅ)
    (╯°A°)╯︵○○○
    φ( ̄∇ ̄o)
    ヾ(´・ ・`。)ノ"
    ( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
    (ó﹏ò。)
    Σ(っ °Д °;)っ
    ( ,,´・ω・)ノ"(´っω・`。)
    ╮(╯▽╰)╭
    o(*////▽////*)q
    >﹏<
    ( ๑´•ω•) "(ㆆᴗㆆ)
    😂
    😀
    😅
    😊
    🙂
    🙃
    😌
    😍
    😘
    😜
    😝
    😏
    😒
    🙄
    😳
    😡
    😔
    😫
    😱
    😭
    💩
    👻
    🙌
    🖕
    👍
    👫
    👬
    👭
    🌚
    🌝
    🙈
    💊
    😶
    🙏
    🍦
    🍉
    😣
    Source: github.com/k4yt3x/flowerhd
    颜文字
    Emoji
    小恐龙
    花!
    上一篇
    下一篇