首页 > 其他分享 >Vulnhub之Replay靶机测试过程(部分)

Vulnhub之Replay靶机测试过程(部分)

时间:2022-12-16 19:00:30浏览次数:41  
标签:x20Auth kali x20 x20Closing Replay Vulnhub x20Connection 靶机 SF

Replay

识别目标主机IP地址

(kali㉿kali)-[~/Vulnhub/Replay]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.64.0/16   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:0a:e5:fc      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.102  08:00:27:9b:9b:7a      1      60  PCS Systemtechnik GmbH      

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.102

NMAP扫描

──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.102 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-16 05:05 EST
Nmap scan report for bogon (192.168.56.102)
Host is up (0.00036s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey: 
|   2048 54:35:aa:49:eb:90:09:a1:28:f3:0c:9a:fb:01:52:0d (RSA)
|   256 e7:0b:6e:52:00:51:74:11:b6:cd:c6:cf:25:3a:1b:84 (ECDSA)
|_  256 3b:38:da:d7:16:23:64:68:8f:52:12:8a:14:07:6a:53 (ED25519)
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/bob_bd.zip
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.25 (Debian)
1337/tcp open  waste?
| fingerprint-strings: 
|   DNSStatusRequestTCP, HTTPOptions, Kerberos, TerminalServerCookie, X11Probe: 
|     CH1:
|     Auth Failed Closing Connection... =- 
|     Auth Failed Closing Connection... =-
|   DNSVersionBindReqTCP, RPCCheck: 
|     Auth Failed Closing Connection... =- 
|     CH1:
|     Auth Failed Closing Connection... =-
|   FourOhFourRequest, GetRequest, Help, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq: 
|     CH1:
|     Auth Failed Closing Connection... =-
|   GenericLines, NULL: 
|_    CH1:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.92%I=7%D=12/16%Time=639C42DB%P=x86_64-pc-linux-gnu%r(N
SF:ULL,6,"\nCH1:\n")%r(GenericLines,6,"\nCH1:\n")%r(GetRequest,34,"\nCH1:\
SF:n\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\
SF:n\n\n")%r(HTTPOptions,62,"\nCH1:\n\n\x20-=\x20Auth\x20Failed\x20Closing
SF:\x20Connection\.\.\.\x20=-\x20\n\n\n\n\n\n\x20-=\x20Auth\x20Failed\x20C
SF:losing\x20Connection\.\.\.\x20=-\x20\n\n\n")%r(RTSPRequest,34,"\nCH1:\n
SF:\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n
SF:\n\n")%r(RPCCheck,62,"\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connec
SF:tion\.\.\.\x20=-\x20\n\n\n\nCH1:\n\n\n\x20-=\x20Auth\x20Failed\x20Closi
SF:ng\x20Connection\.\.\.\x20=-\x20\n\n\n")%r(DNSVersionBindReqTCP,62,"\n\
SF:n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n\n\
SF:n\nCH1:\n\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x2
SF:0=-\x20\n\n\n")%r(DNSStatusRequestTCP,62,"\nCH1:\n\n\n\x20-=\x20Auth\x2
SF:0Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n\n\n\n\n\x20-=\x20Aut
SF:h\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n\n\n")%r(Help,34,
SF:"\nCH1:\n\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x2
SF:0=-\x20\n\n\n")%r(SSLSessionReq,34,"\nCH1:\n\n\n\x20-=\x20Auth\x20Faile
SF:d\x20Closing\x20Connection\.\.\.\x20=-\x20\n\n\n")%r(TerminalServerCook
SF:ie,62,"\nCH1:\n\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\
SF:.\.\x20=-\x20\n\n\n\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connectio
SF:n\.\.\.\x20=-\x20\n\n\n")%r(TLSSessionReq,34,"\nCH1:\n\n\n\x20-=\x20Aut
SF:h\x20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n\n\n")%r(Kerberos
SF:,62,"\nCH1:\n\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\
SF:.\x20=-\x20\n\n\n\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\
SF:.\.\.\x20=-\x20\n\n\n")%r(SMBProgNeg,34,"\nCH1:\n\n\n\x20-=\x20Auth\x20
SF:Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n\n\n")%r(X11Probe,62,"
SF:\nCH1:\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.\x20=-
SF:\x20\n\n\n\n\n\n\x20-=\x20Auth\x20Failed\x20Closing\x20Connection\.\.\.
SF:\x20=-\x20\n\n\n")%r(FourOhFourRequest,34,"\nCH1:\n\n\n\x20-=\x20Auth\x
SF:20Failed\x20Closing\x20Connection\.\.\.\x20=-\x20\n\n\n");
MAC Address: 08:00:27:9B:9B:7A (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.89 seconds

NMAP扫描结果表明目标主机有3个开放端口:22(SSH)、80(HTTP)、1337(?)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ curl http://192.168.56.102                         
<!-- P1:qGQjwO4h6g  -->
<style>
body{
background-color: coral;
}
@font-face{
font-family: "cool";
src: url('/files/cool.ttf')
}
body{
font-family: cool;
}
.color_txt{
color:purple;
}
.color_title{
color:pink
}
</style>
<body>
<span class="color_title">
<h1>
<img src="/media/welcome.gif"></img>
Bob's Website
</h1>
</span>
<img src="/media/palm.gif"></img>
<img src="/media/palm.gif"></img>
<img src="/media/bob.png"></img>
<img src="/media/palm.gif"></img>
<img src="/media/palm.gi"></img>
<img src="/media/palm.gif"></img>
<img src="/media/palm.gf"></img>
<img src="/media/palm.gf"></img>
<img src="/media/palm.gf"></img>
<img src="/media/palm.gf"></img>
<br>
<span class="color_txt">
<p>
This is my website that I made by myself. I have several years of experience managing and creating IT systems. If you are interested in hiring
me you can find <a href="/files/CV.odt"> my CV here.</a> If after reading my CV you are still interested in hiring me then you can contact me
on my email: [email protected]
</p>
</span>
<img src="/files/myITTeam.png"> </img>
</body>

里面有文件CV.odt,将其下载,并有句注释:

P1:qGQjwO4h6g

但不知道这是什么意思?

┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ curl http://192.168.56.102/robots.txt
User-agent: *
Disallow: /bob_bd.zip

将该文件下载:

┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ wget http://192.168.56.102/bob_bd.zip            
--2022-12-16 05:13:30--  http://192.168.56.102/bob_bd.zip
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 63784 (62K) [application/zip]
Saving to: ‘bob_bd.zip’

bob_bd.zip                      100%[====================================================>]  62.29K  --.-KB/s    in 0s      

2022-12-16 05:13:30 (258 MB/s) - ‘bob_bd.zip’ saved [63784/63784]

                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ ls
bob_bd.zip  CV.odt  nmap_full_scan
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ unzip bob_bd.zip 
Archive:  bob_bd.zip
  inflating: changelog.txt           
  inflating: client.bin              
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ ls
bob_bd.zip  changelog.txt  client.bin  CV.odt  nmap_full_scan
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ cat changelog.txt                    
Changelog:

RG9uJ3QgZm9yZ2V0CgpQClMtPkItPkMtPkQtPlMKQy0+Qi0+UwpDLT5FLT5T

Next Update:
+ Add ASCII art
+ Fix bug where sometimes the backdoor fails to connect (fixed by reopening client.bin)
+ Add ablilty to be able to send more than hardcoded commands again (removed because of beefing up of security)


V4 [*clink* *clink* You will never be able to penetrate my defenses!]:
+ Backdoor will execute any command, too bad it only sends one hardcoded command :P (gonna have to add an input onto client)
+ Security beefed up bet no one can get through this, XOR and b64 is king

RW5kIG9mIGxvZw==

V3 [All wrapped up in a neat bow]:
+ Added a cool security challenge system to stop hackers
+ I am now compiling the python file into .bins
+ Added b64 system to improve security
Ti5ULlMgQWRkZWQgMm5kIGhhbGYgb2YgcGFzc3dvcmQgaW50byB0aGUgYmFja2Rvb3Igc28gaWYgeW91IGZvcmdldCB0aGF0J3Mgd2hlcmUgaXQgaXMgZnVydHVyZSBtZS4gRW5kIG9mIGxvZw==

V2 [The no go zone]:
+ Added b64 support
+ Added password check (validated by server)
RW5kIG9mIGxvZw==

V1 [And then there was light]:
+ I made a backdoor :D
+ Now I can access my server from anywhere without using ssh
RW5kIG9mIGxvZw==
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ echo 'Ti5ULlMgQWRkZWQgMm5kIGhhbGYgb2YgcGFzc3dvcmQgaW50byB0aGUgYmFja2Rvb3Igc28gaWYgeW91IGZvcmdldCB0aGF0J3Mgd2hlcmUgaXQgaXMgZnVydHVyZSBtZS4gRW5kIG9mIGxvZw==' | base64 -d
N.T.S Added 2nd half of password into the backdoor so if you forget that's where it is furture me. End of log                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ echo 'RW5kIG9mIGxvZw==' | base64 -d
End of log                                                                                                                             

用命令:

                                                                                                                          
┌──(kali㉿kali)-[~/Vulnhub/Replay]
└─$ strings client.bin

发现:

2nd half of password is: h0TAIRNXuQcDu9Lqsyul

而前面发现的页面源代码中的注释应该是密码的1st half

所以密码为:qGQjwO4h6gh0TAIRNXuQcDu9Lqsyul

此时运行client.bin,发现报错:

loading shared libraries: libpython2.7.so.1.0: cannot open shared object file: No such file or directory

可安装相应的包来解决该问题:

─(kali㉿kali)-[~/Vulnhub/Replay]
└─$ sudo apt install libpython2.7


此时再运行:

sudo ./client.bin

这是一个shell,但是很不稳定:

分析client.bin,把命令;whoami硬编码了,所以无法执行其他命令,需要设法替换,以生成shell

标签:x20Auth,kali,x20,x20Closing,Replay,Vulnhub,x20Connection,靶机,SF
From: https://www.cnblogs.com/jason-huawen/p/16988104.html

相关文章

  • Vulnhub之Ripper靶机详细测试过程
    Ripper识别目标主机IP地址──(kali㉿kali)-[~/Vulnhub/ripper]└─$sudonetdiscover-ieth1Currentlyscanning:172.16.173.0/16|ScreenView:UniqueHost......
  • 利用木马钓鱼渗透浏览器漏洞靶机
    1准备环境win7虚拟机:192.168.225.140cn_windows_7_ultimate_x64_dvd_x15-66043.isokali2020.4:192.168.225.138kali-linux-2020.4-vmware-amd64.7z如果ssh连接不到kal......
  • Vulnhub之Shuriken 1 靶机测试过程
    Shuriken识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/Shuriken]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.62.0/16|ScreenView:UniqueHo......
  • vulnhub-Tr0ll
    本机ip:192.168.10.7靶机ip:192.168.10.8扫描nmap-sn192.168.10.7/24nmap-sS-sV-A-p-192.168.10.8Nmapscanreportfor192.168.10.8Hostisup(0.0017slate......
  • Vulnhub之So Simple靶机详细测试过程
    SoSimple作者:jason_huawen靶机基本信息名称:SoSimple:1地址:https://www.vulnhub.com/entry/so-simple-1,515/识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/So_s......
  • vulnhub-Raven2
    搜集信息kaliip:192.168.56.109/24发现目标:nmap-sn192.168.56.109/24或nmap-sP192.168.56.109/24靶机ip:192.168.56.114扫描端口nmap-A-p-192.168.56.114No......
  • Vulnhub之TBBT FunWithFlags靶机详细测试过程
    TBBTFunWithFlags作者:jason_huawen靶机基本信息名称:TBBT:FunWithFlags地址:https://www.vulnhub.com/entry/tbbt-funwithflags,437/其他说明:靶机配置静态IP地址,因......
  • Vulnhub之Temple of Doom靶机详细测试过程
    TempleofDoom1靶机基本信息作者:jason_huawen名称:TempleofDoom:1地址:https://www.vulnhub.com/entry/temple-of-doom-1,243/识别目标主机IP地址─(kali㉿kal......
  • Vulnhub之Thales 1靶机测试过程
    Thales1识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/Thales_1]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.60.0/16|ScreenView:UniqueHo......
  • Vulnhub之The Planets Earth靶机测试过程
    ThePlanetsEarth识别目标主机IP地址─(kali㉿kali)-[~/Vulnhub/The_Planets_Earth]└─$sudonetdiscover-ieth1Currentlyscanning:192.168.134.0/16|Scr......