首页 > 其他分享 >Vulnhub之Doomsday Device靶机解题过程(部分)

Vulnhub之Doomsday Device靶机解题过程(部分)

时间:2022-11-18 16:48:16浏览次数:48  
标签:56.187 kali 192.168 Doomsday Vulnhub Device

Doomsday Device

识别目标主机IP地址

──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.177.0/16   |   Screen View: Unique Hosts                                                                                                                                                            
                                                                                                                                                                                                                                 
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                                 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                
 192.168.56.100  08:00:27:2b:cc:72      1      60  PCS Systemtechnik GmbH                                                                                                                                                        
 192.168.56.187  08:00:27:ce:3c:0e      1      60  PCS Systemtechnik GmbH           

利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.187

NMAP扫描

──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.187 -oN nmap_full_scan
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-18 02:23 EST
Nmap scan report for bogon (192.168.56.187)
Host is up (0.00020s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE    SERVICE VERSION
21/tcp    open     ftp     vsftpd 3.0.3
22/tcp    filtered ssh
80/tcp    open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry 
|_/nothingtoseehere
|_http-server-header: Apache/2.4.29 (Ubuntu)
18888/tcp open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Koken API error
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: Apache/2.4.29 (Ubuntu)
65533/tcp open     http    Apache httpd 2.4.29
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:CE:3C:0E (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.1.1; OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.79 seconds
                                                               

NMAP扫描结果表明目标主机有4个开放端口。

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ ftp 192.168.56.187               
Connected to 192.168.56.187.
220 (vsFTPd 3.0.3)
Name (192.168.56.187:kali): anonymous
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed
ftp> 
ftp> quit
221 Goodbye.

FTP不支持匿名访问,FTP服务: vsftpd3.0.3, 没有可利用的漏洞。

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ curl http://192.168.56.187/ 
<!DOCTYPE html>
<html>
<head>
<style>
body {
  background-image: url('background.png');
  background-repeat: no-repeat;
  background-attachment: fixed;  
  background-size: cover;
}
</style>
</head>
<body>

</body>
</html>


 <!-- Li0tLSAuLiAtLSAvIC4tIC0uIC0uLiAvIC4tLS4gLi0gLS0gLyAuLi4uIC4tIC4uLi0gLiAvIC0gLi0gLi0uLiAtLi0gLiAtLi4gLyAuLSAtLi4uIC0tLSAuLi0gLSAvIC0tIC4gLyAuLiAtLiAvIC0tIC0tLSAuLS4gLi4uIC4gLyAtLi0uIC0tLSAtLi4gLiAvIC4uLiAuIC4uLi0gLiAuLS4gLi0gLi0uLiAvIC0gLi4gLS0gLiAuLi4gLi0uLS4tIC8gLS4uLiAuLi0gLSAvIC4tLS0gLS0tIC0uLSAuIC4tLS0tLiAuLi4gLyAtLS0gLS4gLyAtIC4uLi4gLiAtLSAvIC0uLi4gLiAtLi0uIC4tIC4uLSAuLi4gLiAvIC4uIC8gLS4tIC0uIC0tLSAuLS0gLyAtLSAtLS0gLi0uIC4uLiAuIC8gLS4tLiAtLS0gLS4uIC4gLi0uLS4tIC8gLi4uIC4uIC0uIC0uLS4gLiAvIC0uLS0gLS0tIC4uLSAvIC0uLS4gLS0tIC4uLSAuLS4uIC0uLiAvIC4tLiAuIC4tIC0uLiAvIC0gLi4uLiAuLiAuLi4gLyAuLiAvIC4tIC4uLiAuLi4gLi4tIC0tIC4gLyAtLi0tIC0tLSAuLi0gLyAtLi0gLS4gLS0tIC4tLSAvIC4uIC0gLyAtIC0tLSAtLS0gLi0uLS4tIC8gLi0gLS4gLS4tLSAuLS0gLi0gLS4tLSAuLi4gLyAtIC4uLi4gLi4gLi4uIC8gLi4gLi4uIC8gLi0tLSAuLi0gLi4uIC0gLyAtIC4uLi4gLiAvIC4uLS4gLi4gLi0uIC4uLiAtIC8gLi4tLiAuLS4uIC4tIC0tLiAtLS4uLS0gLyAtLi0tIC0tLSAuLi0gLyAuLS0gLi4gLi0uLiAuLS4uIC8gLS4gLiAuLi4tIC4gLi0uIC8gLS4tLiAuLS4gLi0gLS4tLiAtLi0gLyAtLSAtLi0tIC8gLi4gLS4gLS0uIC4gLS4gLi4gLS0tIC4uLSAuLi4gLyAtLSAuLSAtLi0uIC4uLi4gLi4gLS4gLiAtLS4uLS0gLyAtLi4gLS0tIC0uIC4tLS0tLiAtIC8gLi4tLiAtLS0gLi0uIC0tLiAuIC0gLyAuLiAvIC4tIC0tIC8gLS4uLiAuIC0gLSAuIC4tLiAvIC0gLi4uLiAuLSAtLiAvIC0uLS0gLS0tIC4uLSAvIC4uLi4gLi0gLi4uLSAuIC8gLiAuLi4tIC4gLi0uIC8gLS4uLiAuIC4gLS4gLyAtLS0gLi0uIC8gLiAuLi4tIC4gLi0uIC8gLi0tIC4uIC4tLi4gLi0uLiAvIC0uLi4gLiAtLi0uLS0gLyAtLi4gLi0tIC4uIC0tLiAuLi4uIC0gLyAuLi0uIC4tLi4gLi0gLS0uIC4tLS0tIC0tLS4uLiAvIC0tLS4uIC0uLS4gLi0gLi4tLiAtLS0tLiAtLi0uIC0uLi4uIC4uLi4tIC4uLS4gLS0tLS4gLS4uIC4tLS0tIC4tLS0tIC0tLS4uIC4tLS0tIC4uLS0tIC0tLS0tIC0uLi4uIC4uLS4gLiAtLi0uIC0tLi4uIC4uLS4gLi4uLi0gLS0tLS0gLi0gLS0uLi4gLi4uLi4gLi4tLS0gLi4uLi0gLS4uLiAuLi4tLQ== -->


访问80端口,返回页面源代码中有注释,经base64解码后为:

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ echo "Li0tLSAuLiAtLSAvIC4tIC0uIC0uLiAvIC4tLS4gLi0gLS0gLyAuLi4uIC4tIC4uLi0gLiAvIC0gLi0gLi0uLiAtLi0gLiAtLi4gLyAuLSAtLi4uIC0tLSAuLi0gLSAvIC0tIC4gLyAuLiAtLiAvIC0tIC0tLSAuLS4gLi4uIC4gLyAtLi0uIC0tLSAtLi4gLiAvIC4uLiAuIC4uLi0gLiAuLS4gLi0gLi0uLiAvIC0gLi4gLS0gLiAuLi4gLi0uLS4tIC8gLS4uLiAuLi0gLSAvIC4tLS0gLS0tIC0uLSAuIC4tLS0tLiAuLi4gLyAtLS0gLS4gLyAtIC4uLi4gLiAtLSAvIC0uLi4gLiAtLi0uIC4tIC4uLSAuLi4gLiAvIC4uIC8gLS4tIC0uIC0tLSAuLS0gLyAtLSAtLS0gLi0uIC4uLiAuIC8gLS4tLiAtLS0gLS4uIC4gLi0uLS4tIC8gLi4uIC4uIC0uIC0uLS4gLiAvIC0uLS0gLS0tIC4uLSAvIC0uLS4gLS0tIC4uLSAuLS4uIC0uLiAvIC4tLiAuIC4tIC0uLiAvIC0gLi4uLiAuLiAuLi4gLyAuLiAvIC4tIC4uLiAuLi4gLi4tIC0tIC4gLyAtLi0tIC0tLSAuLi0gLyAtLi0gLS4gLS0tIC4tLSAvIC4uIC0gLyAtIC0tLSAtLS0gLi0uLS4tIC8gLi0gLS4gLS4tLSAuLS0gLi0gLS4tLSAuLi4gLyAtIC4uLi4gLi4gLi4uIC8gLi4gLi4uIC8gLi0tLSAuLi0gLi4uIC0gLyAtIC4uLi4gLiAvIC4uLS4gLi4gLi0uIC4uLiAtIC8gLi4tLiAuLS4uIC4tIC0tLiAtLS4uLS0gLyAtLi0tIC0tLSAuLi0gLyAuLS0gLi4gLi0uLiAuLS4uIC8gLS4gLiAuLi4tIC4gLi0uIC8gLS4tLiAuLS4gLi0gLS4tLiAtLi0gLyAtLSAtLi0tIC8gLi4gLS4gLS0uIC4gLS4gLi4gLS0tIC4uLSAuLi4gLyAtLSAuLSAtLi0uIC4uLi4gLi4gLS4gLiAtLS4uLS0gLyAtLi4gLS0tIC0uIC4tLS0tLiAtIC8gLi4tLiAtLS0gLi0uIC0tLiAuIC0gLyAuLiAvIC4tIC0tIC8gLS4uLiAuIC0gLSAuIC4tLiAvIC0gLi4uLiAuLSAtLiAvIC0uLS0gLS0tIC4uLSAvIC4uLi4gLi0gLi4uLSAuIC8gLiAuLi4tIC4gLi0uIC8gLS4uLiAuIC4gLS4gLyAtLS0gLi0uIC8gLiAuLi4tIC4gLi0uIC8gLi0tIC4uIC4tLi4gLi0uLiAvIC0uLi4gLiAtLi0uLS0gLyAtLi4gLi0tIC4uIC0tLiAuLi4uIC0gLyAuLi0uIC4tLi4gLi0gLS0uIC4tLS0tIC0tLS4uLiAvIC0tLS4uIC0uLS4gLi0gLi4tLiAtLS0tLiAtLi0uIC0uLi4uIC4uLi4tIC4uLS4gLS0tLS4gLS4uIC4tLS0tIC4tLS0tIC0tLS4uIC4tLS0tIC4uLS0tIC0tLS0tIC0uLi4uIC4uLS4gLiAtLi0uIC0tLi4uIC4uLS4gLi4uLi0gLS0tLS0gLi0gLS0uLi4gLi4uLi4gLi4tLS0gLi4uLi0gLS4uLiAuLi4tLQ==" | base64 -d
.--- .. -- / .- -. -.. / .--. .- -- / .... .- ...- . / - .- .-.. -.- . -.. / .- -... --- ..- - / -- . / .. -. / -- --- .-. ... . / -.-. --- -.. . / ... . ...- . .-. .- .-.. / - .. -- . ... .-.-.- / -... ..- - / .--- --- -.- . .----. ... / --- -. / - .... . -- / -... . -.-. .- ..- ... . / .. / -.- -. --- .-- / -- --- .-. ... . / -.-. --- -.. . .-.-.- / ... .. -. -.-. . / -.-- --- ..- / -.-. --- ..- .-.. -.. / .-. . .- -.. / - .... .. ... / .. / .- ... ... ..- -- . / -.-- --- ..- / -.- -. --- .-- / .. - / - --- --- .-.-.- / .- -. -.-- .-- .- -.-- ... / - .... .. ... / .. ... / .--- ..- ... - / - .... . / ..-. .. .-. ... - / ..-. .-.. .- --. --..-- / -.-- --- ..- / .-- .. .-.. .-.. / -. . ...- . .-. / -.-. .-. .- -.-. -.- / -- -.-- / .. -. --. . -. .. --- ..- ... / -- .- -.-. .... .. -. . --..-- / -.. --- -. .----. - / ..-. --- .-. --. . - / .. / .- -- / -... . - - . .-. / - .... .- -. / -.-- --- ..- / .... .- ...- . / . ...- . .-. / -... . . -. / --- .-. / . ...- . .-. / .-- .. .-.. .-.. / -... . -.-.-- / -.. .-- .. --. .... - / ..-. .-.. .- --. .---- ---... / ---.. -.-. .- ..-. ----. -.-. -.... ....- ..-. ----. -.. .---- .---- ---.. .---- ..--- ----- -.... ..-. . -.-. --... ..-. ....- ----- .- --... ..... ..--- ....- -... ...--     

得到的数据可能是莫尔斯电码,进一步解码(用cyberchef网站):

JIMANDPAMHAVETALKEDABOUTMEINMORSECODESEVERALTIMES.BUTJOKE'SONTHEMBECAUSEIKNOWMORSECODE.SINCEYOUCOULDREADTHISIASSUMEYOUKNOWITTOO.ANYWAYSTHISISJUSTTHEFIRSTFLAG,YOUWILLNEVERCRACKMYINGENIOUSMACHINE,DON'TFORGETIAMBETTERTHANYOUHAVEEVERBEENOREVERWILLBE!DWIGHTFLAG1:8CAF9C64F9D1181206FEC7F40A7524B3

这里就得到第一个flag: FLAG1:8CAF9C64F9D1181206FEC7F40A7524B3

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ gobuster dir -u http://192.168.56.187 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.187
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2022/11/18 02:43:40 Starting gobuster in directory enumeration mode
===============================================================
/nick                 (Status: 301) [Size: 315] [--> http://192.168.56.187/nick/]
/staffblog            (Status: 301) [Size: 320] [--> http://192.168.56.187/staffblog/]
/server-status        (Status: 403) [Size: 279]
Progress: 218827 / 220561 (99.21%)===============================================================
2022/11/18 02:44:07 Finished
===============================================================

扫描出来两个目录/nick, /staffblog,分别用浏览器看一下是什么内容?

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ curl http://192.168.56.187/robots.txt
User-agent: *
Disallow: /nothingtoseehere
                                
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ curl http://192.168.56.187/nick/     
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /nick</title>
 </head>
 <body>
<h1>Index of /nick</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="farewell.txt">farewell.txt</a></td><td align="right">2020-11-30 08:58  </td><td align="right">399 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="nick.pcap">nick.pcap</a></td><td align="right">2020-10-19 07:58  </td><td align="right">7.6K</td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.187 Port 80</address>
</body></html>
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ wget http://192.168.56.187/nick/farewell.txt          
--2022-11-18 02:46:37--  http://192.168.56.187/nick/farewell.txt
Connecting to 192.168.56.187:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 399 [text/plain]
Saving to: ‘farewell.txt’

farewell.txt                                             100%[================================================================================================================================>]     399  --.-KB/s    in 0s      

2022-11-18 02:46:37 (94.4 MB/s) - ‘farewell.txt’ saved [399/399]

                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ cat farewell.txt                
Hey Michael!

I just wanted to say goodbye. Through Teach for America, I'm gonna go down to Detroit and teach inner-city kids about computers. You know, I'm the lame IT guy and probably you don't even know my name so, who cares. But I just wanted you to know that the old creepy guy uses a pretty weak password. You know, the one who smells like death. You should do something about it. 

Nick
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ mv ~/Downloads/nick.pcap                     
mv: missing destination file operand after '/home/kali/Downloads/nick.pcap'
Try 'mv --help' for more information.
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ mv ~/Downloads/nick.pcap .
                                                      

这里得到一个抓包文件,同时Farewell.txt告诉我们有个用户的密码很弱。

/staffblog目录下有个文档,将该文档下载到Kali Linux本地查看,得到了第3个flag:

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ ls
CreedThoughts.doc  farewell.txt  nick.pcap  nmap_full_scan
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ cat CreedThoughts.doc 
��ࡱ▒�;��        ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������


▒����▒������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������Root Entry������������������������������������������������������������������������


▒▒����"#����%������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
����    �F▒Microsoft Word-Dokument
MSWordDocWord.Document.8�9�q
[^��^Normal
���x$▒OJQJCJPJ^JaJ8B8JQJCJ▒mHsHKHPJnt^JaJ▒_H9D�DC�msor
�x�x                 Sz�vegt�rzsd���"/"Lista^@""@Felirat
    $CJ▒^aJ▒2�22
                T�rgymutat�
                           $^>�B>
Listatartalom^�7]�`�6�R6         Id�zetblokk^�7]�7`����R:
\tP     G�Times New Roman5�Symbol3&�Ariali��Liberation SerifTimes New Roman7��NSimSun3&��ArialS&��Liberation SansArialG��Microsoft YaHei3$�Arial�▒�hi��Ei��Ei��E����g 0 0��������Oh�+'��0|8     @
L
 X
�����^^^r@v�#0��@��Iw��@@�p.�������՜.+,��D��՜.+,��\▒��▒����M    ��tCaolan80     5 ��
         ~�\�b��
Creed Thoughts! �www.creedthoughts.gov.www/creedthoughts
Today in my office where I work as Director of Quality Assurance, we went to the beach for some reason that was never adequately explained. When we were there, our manager told us to eat hot coals. I thought that was a little bit untoward so I ate a fish. Then a woman I have literally never seen before in my entire life started talking very loudly about something involving Halpert. She was agitated, I,d say. From what I could guess, she was definitely on drugs of some kind, perhaps cocaine, or maybe ▒ drines. Also, she is a knock-out. She reminds me of a young Daphne Du Maurier. Also, I stupidly ate the fishbones. I told myself  never again � after the last time, but th�FLAG3: �0f1ff7bt��>p24c0082be83a8b8c497rd is not safe enough. I wonder how he found out. Anyways, I added 3 digits to the end so it s supersafe now. Nobody's gonna crack that, baby!
�
4
▒FP��\����������{o
                  ^�]�`���
                          �]�`���
                                 �]�`���
                                        �]�`���
                                               �]�`���
                                                      �]�`���
                                                             �]�`���
                                                                    �]�`���
                                                                           �]�`����]�7`�^�]�7`�^�]�7`���DM�
��
  \�"t���
         ^�]�`���
                 �]�`���
                        �]�`���<0��. ��A!�n"�i#�n$�n2P1�h0p3P(20Root Entry��������      �F�     CompObj����jOle
��������1Table������������qSummaryInformation(����!�WordDocument▒�����������5 DocumentSummaryInformation8������������$t����������������                                                                                                                                                                                                                                  

FLAG3: 0f1ff7btp24c0082be83a8b8c497rd

但是其实我们还没看到第2个flag

对了,还有个抓包文件没有查看:

这里看到了用户名和密码: creed creed

登录FTP,看一下有什么东东?但是很奇怪,并不能让我们登录。

前面的creedthoughts.doc文档中有句话: I wonder how he found out. Anyways, I added 3 digits to the end so it s supersafe now. Nobody's gonna crack that, baby

也就是说作者在creed后面加了3位数字形成新的密码,因此需要我们需要自己生成一个wordlist然后来破解

──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ cat wordlist_generator.py 
f = open('password_list','w')
for i in range(1000):
    password = 'creed'+str(i)
    f.write(password+'\n')

f.close()

运行这个python脚本,生成密码字典,然后利用hydra工具进行破解:

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ hydra -l creed -P password_list ftp://192.168.56.187                    
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-18 03:02:36
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000 login tries (l:1/p:1000), ~63 tries per task
[DATA] attacking ftp://192.168.56.187:21/
[21][ftp] host: 192.168.56.187   login: creed   password: creed223
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-18 03:03:26
                                                                                      

此时得到FTP用户名creed 和密码: creed223, 登录目标主机的FTP服务:

──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ ftp 192.168.56.187
Connected to 192.168.56.187.
220 (vsFTPd 3.0.3)
Name (192.168.56.187:kali): creed
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||40081|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0            2026 Nov 12  2020 archive.zip
-rw-r--r--    1 0        0             176 Nov 30  2020 reminder.txt
226 Directory send OK.
ftp> get reminder.txt
local: reminder.txt remote: reminder.txt
229 Entering Extended Passive Mode (|||40004|)
150 Opening BINARY mode data connection for reminder.txt (176 bytes).
100% |*************************************************************************************************************************************************************************************|   176      126.19 KiB/s    00:00 ETA
226 Transfer complete.
176 bytes received in 00:00 (98.89 KiB/s)
ftp> get archive.zip
local: archive.zip remote: archive.zip
229 Entering Extended Passive Mode (|||40086|)
150 Opening BINARY mode data connection for archive.zip (2026 bytes).
100% |*************************************************************************************************************************************************************************************|  2026        3.84 MiB/s    00:00 ETA
226 Transfer complete.
2026 bytes received in 00:00 (1.97 MiB/s)
ftp> quit
221 Goodbye.
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ ls
archive.zip  CreedThoughts.doc  farewell.txt  nick.pcap  nmap_full_scan  password_list  reminder.txt  wordlist_generator.py
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ cat reminder.txt         
Oh snap, I forgot the password for this zip file. I remember, it made Michael laugh when he heard it, but Pam got really offended.

#FLAG4: 4955cbee5a6a5a48ce79624932bd1374

此时得到了第4个flag,同时作者提示说要破解这个zip文件。

但是破解失败

──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ zip2john archive.zip > hashes
ver 2.0 efh 5455 efh 7875 archive.zip/email PKZIP Encr: TS_chk, cmplen=320, decmplen=460, crc=535FE2E6 ts=4A59 cs=4a59 type=8
ver 2.0 efh 5455 efh 7875 archive.zip/michael PKZIP Encr: TS_chk, cmplen=1372, decmplen=1766, crc=3B8FD23B ts=68CA cs=68ca type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ ls
archive.zip  CreedThoughts.doc  farewell.txt  hashes  nick.pcap  nmap_full_scan  password_list  reminder.txt  wordlist_generator.py
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2022-11-18 03:06) 0g/s 11033Kp/s 11033Kc/s 11033KC/s !LUVDKR!..*7¡Vamos!
Session completed. 
                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ unzip archive.zip 
Archive:  archive.zip
[archive.zip] email password:                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2022-11-18 03:07) 0g/s 13925Kp/s 13925Kc/s 13925KC/s !LUVDKR!..*7¡Vamos!
Session completed. 

参考其他人的做法是说作者给的提示密码在season 7 episode 9.(真是完全不知道)

密码是: bigboobz

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ cat email       
To: [email protected]
Subject: Costume Party
From: [email protected]
Content-Type: text/html; charset="utf8"

Hey Oscar!

Angela is out sick so she couldn't manage the costume party gallery right now. Dwight showed up as a jamaican zombie woman AGAIN. It's gross. Please remove the picture from the gallery. Oh yeah, you don't have access to it, so just use Angela's profile. The password is most probably one of her cats name. 

Michael                                                                                                                                                                                                                                  
┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ cat michael        
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,CF1CA7F9558B5637B0C9F66B972B6AB6

GlAt2Uhi+zBOMhGrASR0ica1YTk7BTBNzKAkqLGzyTy1eplEKiTou7LdW5hV7Khf
ZU+9X9Cg5L9KHT+w0OFQeVghzYOwZ+aeyzoii1Wo/pFx460eUj5oFTJnsN/UvHfi
sjGX8bLp4RT+HjTZr7b2+XiDww33xdskdnXeHBc9CsDRA+59x8+bszto+X3zaIVF
LaJ4nIx2nTVtn9DKEItfmsL3iCn4BKKT1kQ94K8R3Cx11Hdb49buByRYcICJhoT6
j416LKNUnH9F53dLyHrY6VoxjrckZWQC05DhiNgva6TxBqoX8XMEVWNf9UBoqsbl
MYVY5p2nbvM6u6pyViX6hSqLLxMe9kcyvYeC51irASXIlGZW6fQEieGesRm4uKG4
HeFtT57TXh7XIjqscqsR/swFMF9FGRRro0fCDTza3q+lKrmGWSQT6zM4F4iH0oOu
6K8cpe2JBfBQTHIXG136Xu4IF/4FVzXFfP4B920ecwTjRdxpeCZIKcItqp6dQ50f
HomaBFr0Bka/UfyJADDaDJ1oC78Vgg31y6QQwQsfKpiL0GDYwmCYFEk2/WBF8uyf
ZwTh0CnyUcIyXxv996ZLfX9RSRcrKXhMjw2YLz43cP5bkwUrBZ1/OnnCsxzaZWBX
r+NZEWkFIfFGat6RWmregVwR58oQg4s07fIIN+VFWTdCl9HGFlMGBrpUrly5PIzF
5hEIxDiuL6LEcW5kMYwtrPCo4QK+++KikySBpNaVxuY0Fy1E07AKyFl+7DMu82eH
hI29O4ebO0J15jxIX8Ta9dXCspqKbYeL6RMB6/uZEd61cP2Mh0Kd8K7rUuCdyOIF
7RXF61whnhy4YB7Um+O3iTABQjsR2T0+IKxasYEriuQNMrqMwtQXPIfxJ/wAcViA
mLKh/HoCUCfoC8+ksWwycYuEde06OxRH9zn0HITt5pgs+gtkBgGG25xSUbE9rGMC
iQGd/wDIcad0tjT9WnxoSPvlYRHSWLy5KjyGGShWRcXbMM4lhZbvHHktr6pD35rn
XMWdsLTKn5xr0IDF+iBNpd/cUKGO1Wi4TjZkZf6aTZZCzumrf3/A1ZH6pf32vRdg
9fA4eEHgwwn/qLJRYo33mj96+gBdRleYBaIxUmxm4VbJ8qkD0kthPI32LzvVgKOM
8q2J1cC7pJN5BVM1nmMPxz29MUZXvf4RU75p9fE1lBaX/5aBp+J7HUHREBg0cod6
6NHJ+u/WgGhrUGITi2V+4SL7Xi5F1ig2goA8EL5MYlnv4tU39Bihw6AOfqmGza9H
cQr9vsF1ryFXqAD7IxwjjTYgcTWxEj2P/LBzeC6rfLzgPeulPkPHVBaiB2lzIGEB
uExO3CjF9cqZMRyRo8XhOmrZw5vE2eO43uqpWFIwb4PUoG3uVcKEVqpuZ6bSYPvI
L59nw0ONv+1G4t4BG/WSHGKBq1hcpOpNIFGASFR8eVVchpK9OtMTwGvSp/M7diRR
/EjSLFhcBhKgjInCHgyRnQa5X3B6z9/HIGkwdH381CuXl5MYxDAt3S3IvJ6prolz
0lpnN5PD4wHHDdvVSntdV5w4rdJSdWaVcHohLLj/elYvPkjor8MARqeLatyYUL2y
-----END RSA PRIVATE KEY-----
                                   

作者提示说这个密钥是angela, 而口令是她一个猫的名字,

再来看18888端口,值得注意的是gobuster和dirb失效,需要用ffuf工具或者wfuzz工具,可以扫描出目录:

┌──(kali㉿kali)-[~/Vulnhub/Doomsday_Device]
└─$ wfuzz -c -u http://192.168.56.187:18888/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.187:18888/FUZZ
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                          
=====================================================================

000000001:   200        50 L     181 W      2991 Ch     "# directory-list-2.3-medium.txt"                                                                                                                                
000000003:   200        50 L     181 W      2991 Ch     "# Copyright 2007 James Fisher"                                                                                                                                  
000000007:   200        50 L     181 W      2991 Ch     "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"                                                                                                
000000006:   200        50 L     181 W      2991 Ch     "# Attribution-Share Alike 3.0 License. To view a copy of this"                                                                                                  
000000010:   200        50 L     181 W      2991 Ch     "#"                                                                                                                                                              
000000014:   200        50 L     181 W      2991 Ch     "http://192.168.56.187:18888/"                                                                                                                                   
000000009:   200        50 L     181 W      2991 Ch     "# Suite 300, San Francisco, California, 94105, USA."                                                                                                            
000000002:   200        50 L     181 W      2991 Ch     "#"                                                                                                                                                              
000000013:   200        50 L     181 W      2991 Ch     "#"                                                                                                                                                              
000000012:   200        50 L     181 W      2991 Ch     "# on atleast 2 different hosts"                                                                                                                                 
000000011:   200        50 L     181 W      2991 Ch     "# Priority ordered case sensative list, where entries were found"                                                                                               
000000008:   200        50 L     181 W      2991 Ch     "# or send a letter to Creative Commons, 171 Second Street,"                                                                                                     
000000004:   200        50 L     181 W      2991 Ch     "#"                                                                                                                                                              
000000005:   200        50 L     181 W      2991 Ch     "# This work is licensed under the Creative Commons"                                                                                                             
000000259:   301        9 L      28 W       325 Ch      "admin"                                                                                                                                                          
000000482:   301        9 L      28 W       327 Ch      "storage"                                                                                                                                                        
000000909:   301        9 L      28 W       323 Ch      "app"                                                                                                                                                            
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending

标签:56.187,kali,192.168,Doomsday,Vulnhub,Device
From: https://www.cnblogs.com/jason-huawen/p/16903713.html

相关文章

  • Vulnhub 之Dobby靶机详细解题过程
    Dobby识别目标主机IP地址──(kali㉿kali)-[~/Vulnhub/Dobby]└─$sudonetdiscover-ieth1利用KaliLinux自带的netdiscover工具识别目标主机IP地址为192.168.56......
  • vulnhub靶场OS-ByteSec
    0x000靶场描述难度:中级flag:2个flag第一个用户和第二个root学习:利用|中小企业|枚举|速记|权限提升联系:https://www.linkedin.com/in/rahulgehlaut/0x001靶场下载......
  • vulnhub靶场Trollcave
    0x000靶场描述Trollcave是一个易受攻击的VM,在Vulnhub和信息安全战争游戏的传统中。你从一个你一无所知的虚拟机开始-没有用户名,没有密码,只是你可以在网络上看到的东西......
  • Vulnhub之DevContainer 1靶机解题详细过程
    DevContainer1识别目标主机IP地址──(kali㉿kali)-[~/Vulnhub/DevContainer1]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.59.0/16|ScreenVi......
  • vulnhub靶场DomDom
    0x000靶场描述你对PHP程序的理解程度如何?您对Linux错误配置有多熟悉?此图像将涵盖高级Web攻击、开箱即用的思维和最新的安全漏洞。此靶场没有flag,获取到root权限即......
  • vulnhub靶场CyNix
    0x000靶场描述级别:中级描述:这是一台Boot2Root机器。该机器与VirtualBox兼容,DHCP将自动分配一个IP。您必须查找并读取两个flag(user和root),它们分别存在于user.txt和......
  • vulnhub靶场Os-hackNos-2
    0x000靶场描述难度:简单到中级flag:2个flag第一个用户和第二个根学习:Web应用程序|枚举|密码破解0x001靶场下载https://www.vulnhub.com/entry/hacknos-os-hac......
  • vulnhub靶场Os-hackNos-3
    0x000靶场描述难度:中级flag:2个flag第一个用户和第二个root学习:Web应用程序|枚举|权限提升网站:www.hacknos.com联系我们:@rahul_gehlaut0x001靶场下载https......
  • vulnhub靶场之DEATHNOTE: 1
    准备:攻击机:虚拟机kali、本机win10。靶机:DEATHNOTE:1,网段地址我这里设置的桥接,所以与本机电脑在同一网段,下载地址:https://download.vulnhub.com/deathnote/Deathnote.ova......
  • Vulnhub Crossroads靶机解题详细过程
    Crossroads识别目标主机IP地址......