Replay
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.64.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:0a:e5:fc 1 60 PCS Systemtechnik GmbH
192.168.56.102 08:00:27:9b:9b:7a 1 60 PCS Systemtechnik GmbH
Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.102.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.102 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-16 05:05 EST
Nmap scan report for bogon (192.168.56.102)
Host is up (0.00036s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey:
| 2048 54:35:aa:49:eb:90:09:a1:28:f3:0c:9a:fb:01:52:0d (RSA)
| 256 e7:0b:6e:52:00:51:74:11:b6:cd:c6:cf:25:3a:1b:84 (ECDSA)
|_ 256 3b:38:da:d7:16:23:64:68:8f:52:12:8a:14:07:6a:53 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/bob_bd.zip
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.25 (Debian)
1337/tcp open waste?
| fingerprint-strings:
| DNSStatusRequestTCP, HTTPOptions, Kerberos, TerminalServerCookie, X11Probe:
| CH1:
| Auth Failed Closing Connection... =-
| Auth Failed Closing Connection... =-
| DNSVersionBindReqTCP, RPCCheck:
| Auth Failed Closing Connection... =-
| CH1:
| Auth Failed Closing Connection... =-
| FourOhFourRequest, GetRequest, Help, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq:
| CH1:
| Auth Failed Closing Connection... =-
| GenericLines, NULL:
|_ CH1:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:9B:9B:7A (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.89 seconds
The Nmap scan shows that the target host has 3 open ports: 22 (SSH), 80 (HTTP) and 1337 (unidentified service).
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ curl http://192.168.56.102
<!-- P1:qGQjwO4h6g -->
<style>
body{
background-color: coral;
}
@font-face{
font-family: "cool";
src: url('/files/cool.ttf')
}
body{
font-family: cool;
}
.color_txt{
color:purple;
}
.color_title{
color:pink
}
</style>
<body>
<span class="color_title">
<h1>
<img src="/media/welcome.gif"></img>
Bob's Website
</h1>
</span>
<img src="/media/palm.gif"></img>
<img src="/media/palm.gif"></img>
<img src="/media/bob.png"></img>
<img src="/media/palm.gif"></img>
<img src="/media/palm.gi"></img>
<img src="/media/palm.gif"></img>
<img src="/media/palm.gf"></img>
<img src="/media/palm.gf"></img>
<img src="/media/palm.gf"></img>
<img src="/media/palm.gf"></img>
<br>
<span class="color_txt">
<p>
This is my website that I made by myself. I have several years of experience managing and creating IT systems. If you are interested in hiring
me you can find <a href="/files/CV.odt"> my CV here.</a> If after reading my CV you are still interested in hiring me then you can contact me
on my email: bob295018409@gmail.com
</p>
</span>
<img src="/files/myITTeam.png"> </img>
</body>
The page links to a file, CV.odt, which we download, and it also carries an HTML comment:
P1:qGQjwO4h6g
At this point it is not clear what this means.
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ curl http://192.168.56.102/robots.txt
User-agent: *
Disallow: /bob_bd.zip
Download that file:
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ wget http://192.168.56.102/bob_bd.zip
--2022-12-16 05:13:30-- http://192.168.56.102/bob_bd.zip
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 63784 (62K) [application/zip]
Saving to: ‘bob_bd.zip’
bob_bd.zip 100%[====================================================>] 62.29K --.-KB/s in 0s
2022-12-16 05:13:30 (258 MB/s) - ‘bob_bd.zip’ saved [63784/63784]
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ ls
bob_bd.zip CV.odt nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ unzip bob_bd.zip
Archive: bob_bd.zip
inflating: changelog.txt
inflating: client.bin
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ ls
bob_bd.zip changelog.txt client.bin CV.odt nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ cat changelog.txt
Changelog:
RG9uJ3QgZm9yZ2V0CgpQClMtPkItPkMtPkQtPlMKQy0+Qi0+UwpDLT5FLT5T
Next Update:
+ Add ASCII art
+ Fix bug where sometimes the backdoor fails to connect (fixed by reopening client.bin)
+ Add ablilty to be able to send more than hardcoded commands again (removed because of beefing up of security)
V4 [*clink* *clink* You will never be able to penetrate my defenses!]:
+ Backdoor will execute any command, too bad it only sends one hardcoded command :P (gonna have to add an input onto client)
+ Security beefed up bet no one can get through this, XOR and b64 is king
RW5kIG9mIGxvZw==
V3 [All wrapped up in a neat bow]:
+ Added a cool security challenge system to stop hackers
+ I am now compiling the python file into .bins
+ Added b64 system to improve security
Ti5ULlMgQWRkZWQgMm5kIGhhbGYgb2YgcGFzc3dvcmQgaW50byB0aGUgYmFja2Rvb3Igc28gaWYgeW91IGZvcmdldCB0aGF0J3Mgd2hlcmUgaXQgaXMgZnVydHVyZSBtZS4gRW5kIG9mIGxvZw==
V2 [The no go zone]:
+ Added b64 support
+ Added password check (validated by server)
RW5kIG9mIGxvZw==
V1 [And then there was light]:
+ I made a backdoor :D
+ Now I can access my server from anywhere without using ssh
RW5kIG9mIGxvZw==
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ echo 'Ti5ULlMgQWRkZWQgMm5kIGhhbGYgb2YgcGFzc3dvcmQgaW50byB0aGUgYmFja2Rvb3Igc28gaWYgeW91IGZvcmdldCB0aGF0J3Mgd2hlcmUgaXQgaXMgZnVydHVyZSBtZS4gRW5kIG9mIGxvZw==' | base64 -d
N.T.S Added 2nd half of password into the backdoor so if you forget that's where it is furture me. End of log
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ echo 'RW5kIG9mIGxvZw==' | base64 -d
End of log
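As an added example (not part of the original write-up), a small Python helper that does what the two base64 -d commands above do by hand: it walks the changelog, picks out every line that is a whole base64 token, and keeps only those that decode to printable text, so ordinary entries are not mistaken for encoded notes. The changelog lines it runs on are embedded inline, copied from the output above.

```python
import base64
import re

# Constructed sample: lines copied from the changelog.txt shown in this write-up,
# with a few plain entries kept so the filter has something to reject.
CHANGELOG = """Changelog:
RG9uJ3QgZm9yZ2V0CgpQClMtPkItPkMtPkQtPlMKQy0+Qi0+UwpDLT5FLT5T
Next Update:
+ Add ASCII art
V4 [*clink* *clink* You will never be able to penetrate my defenses!]:
+ Security beefed up bet no one can get through this, XOR and b64 is king
RW5kIG9mIGxvZw==
V3 [All wrapped up in a neat bow]:
Ti5ULlMgQWRkZWQgMm5kIGhhbGYgb2YgcGFzc3dvcmQgaW50byB0aGUgYmFja2Rvb3Igc28gaWYgeW91IGZvcmdldCB0aGF0J3Mgd2hlcmUgaXQgaXMgZnVydHVyZSBtZS4gRW5kIG9mIGxvZw==
"""

# A whole line made only of base64 alphabet characters, at least 8 long, optional padding.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_b64_lines(text):
    """Return [(line_no, decoded_text)] for every line that is a complete base64
    token and decodes to printable ASCII. Lines that merely look like base64 but
    decode to binary junk are skipped, as are ordinary changelog entries."""
    found = []
    for line_no, line in enumerate(text.splitlines(), 1):
        token = line.strip()
        if not B64_LINE.match(token) or len(token) % 4:
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if not all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            continue
        found.append((line_no, decoded))
    return found


if __name__ == "__main__":
    for line_no, note in decode_b64_lines(CHANGELOG):
        print(f"line {line_no}: {note!r}")
```

Besides the two notes decoded above, it also decodes the line directly under "Changelog:", which the write-up does not look at.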
Using the command:
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ strings client.bin
we find:
2nd half of password is: h0TAIRNXuQcDu9Lqsyul
The comment found earlier in the page source should therefore be the 1st half of the password,
so the password is: qGQjwO4h6gh0TAIRNXuQcDu9Lqsyul
Running client.bin at this point gives an error:
loading shared libraries: libpython2.7.so.1.0: cannot open shared object file: No such file or directory
This can be resolved by installing the corresponding package:
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ sudo apt install libpython2.7
Now run it again:
sudo ./client.bin
This gives a shell, but it is very unstable:
Analysing client.bin shows that the command ;whoami is hardcoded, so no other command can be executed; it would have to be replaced to obtain a usable shell.
From: https://www.cnblogs.com/jason-huawen/p/16988104.html