Vulnhub Noob: Detailed Walkthrough
Noob
Author: jason huawen
Target Machine Information
Name: Noob: 1
URL:
https://www.vulnhub.com/entry/noob-1,746/
Identifying the Target Host IP Address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:ad:87:83 1 60 PCS Systemtechnik GmbH
192.168.56.235 08:00:27:f5:f4:51 1 60 PCS Systemtechnik GmbH
Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.235.
NMAP Scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.235 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-28 01:50 EDT
Nmap scan report for bogon (192.168.56.235)
Host is up (0.00014s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 21 Sep 21 2021 cred.txt
|_-rw-r--r-- 1 0 0 86 Jun 11 2021 welcome
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.230
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Login
|_http-server-header: Apache/2.4.29 (Ubuntu)
55077/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:e8:ad:80:35:81:c4:29:7e:cf:e4:70:f2:69:d9:96 (RSA)
| 256 46:20:20:03:9c:97:35:f6:2d:5d:62:4a:be:6c:95:8e (ECDSA)
|_ 256 ae:90:88:f6:63:8d:dc:60:fa:ff:fc:70:12:e4:f4:1f (ED25519)
MAC Address: 08:00:27:F5:F4:51 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.84 seconds
Getting a Shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob]
└─$ cat welcome
🙏 WELCOME 🙏
We're glad to see you here.
💪 All The Best 👍
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob]
└─$ cat cred.txt
Y2hhbXA6cGFzc3dvcmQ=
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob]
└─$ echo 'Y2hhbXA6cGFzc3dvcmQ=' | base64 -d
champ:password
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob]
└─$ unrar x downloads.rar
UNRAR 6.12 freeware Copyright (c) 1993-2022 Alexander Roshal
Extracting from downloads.rar
Creating downloads OK
Extracting downloads/funny.jpg OK
Extracting downloads/funny.bmp OK
Extracting downloads/sudo OK
All OK
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob]
└─$ ls -alh
total 120K
drwxr-xr-x 3 kali kali 4.0K Mar 28 01:57 .
drwxr-xr-x 7 kali kali 4.0K Mar 28 01:40 ..
-rw-r--r-- 1 kali kali 21 Sep 21 2021 cred.txt
drwxr-xr-x 2 kali kali 4.0K Mar 28 01:57 downloads
-rw-r--r-- 1 kali kali 91K Mar 28 01:53 downloads.rar
-rw-r--r-- 1 root root 1.6K Mar 28 01:50 nmap_full_scan
-rw-r--r-- 1 kali kali 12 Mar 28 01:51 test.txt
-rw-r--r-- 1 kali kali 86 Jun 11 2021 welcome
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob]
└─$ cd downloads
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob/downloads]
└─$ ls -alh
total 108K
drwxr-xr-x 2 kali kali 4.0K Mar 28 01:57 .
drwxr-xr-x 3 kali kali 4.0K Mar 28 01:57 ..
-rw-r--r-- 1 kali kali 46K Jun 12 2021 funny.bmp
-rw-r--r-- 1 kali kali 46K Jun 12 2021 funny.jpg
-rw-r--r-- 1 kali kali 52 Aug 5 2021 sudo
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob/downloads]
└─$ steghide extract -sf funny.jpg
Enter passphrase:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob/downloads]
└─$ stegseek funny.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: ""
[i] Original filename: "hint.py".
[i] Extracting to "funny.jpg.out".
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob/downloads]
└─$ ls -alh
total 112K
drwxr-xr-x 2 kali kali 4.0K Mar 28 01:57 .
drwxr-xr-x 3 kali kali 4.0K Mar 28 01:57 ..
-rw-r--r-- 1 kali kali 46K Jun 12 2021 funny.bmp
-rw-r--r-- 1 kali kali 46K Jun 12 2021 funny.jpg
-rw-r--r-- 1 kali kali 93 Mar 28 01:57 funny.jpg.out
-rw-r--r-- 1 kali kali 52 Aug 5 2021 sudo
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob/downloads]
└─$ cat funny.jpg.out
This is_not a python file but you are revolving around.
well, try_ to rotate some words too.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob/downloads]
└─$ cat sudo
Did you notice the file name? Isn't is interesting?
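The passphrase for funny.bmp is simply sudo. Inspecting funny.bmp also shows that it is actually in JPEG format, so something is off. Cracking it with stegseek failed, but the passphrase really is just sudo.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob/downloads]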
└─$ steghide extract -sf funny.bmp
Enter passphrase:
wrote extracted data to "user.txt".
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob/downloads]
└─$ ls -alh
total 116K
drwxr-xr-x 2 kali kali 4.0K Mar 28 02:04 .
drwxr-xr-x 3 kali kali 4.0K Mar 28 01:57 ..
-rw-r--r-- 1 kali kali 46K Jun 12 2021 funny.bmp
-rw-r--r-- 1 kali kali 46K Jun 12 2021 funny.jpg
-rw-r--r-- 1 kali kali 93 Mar 28 01:57 funny.jpg.out
-rw-r--r-- 1 kali kali 52 Aug 5 2021 sudo
-rw-r--r-- 1 kali kali 29 Mar 28 02:04 user.txt
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob/downloads]
└─$ cat user.txt
jgs:guvf bar vf n fvzcyr bar
user.txt is clearly encrypted, with some kind of rotation cipher.
It turns out to be ROT13; decrypting it gives: wtf:this one is a simple one
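Added example (not part of the original post): both secrets on this box, the Base64 string in cred.txt and the ROT13 string in user.txt, are reversible without any key, so a file audit can flag them the same way it flags plaintext passwords. The credential pattern and the small word list below are assumptions of this sketch; the two sample strings are the ones shown above.

```python
import base64
import binascii
import codecs
import re

# Heuristic (assumption of this example): "account:secret" on a single line.
CRED_RE = re.compile(r"^[a-z_][a-z0-9_-]{1,31}:[ -~]{4,}$")
# Tiny word list (assumption) used to tell readable English from ROT13 gibberish.
COMMON = {"the", "this", "is", "a", "one", "and", "to", "of", "simple", "password"}


def try_base64(line):
    """Return the decoded text if line is strict Base64 of ASCII text, else None."""
    try:
        return base64.b64decode(line, validate=True).decode("ascii").strip()
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def english_hits(text):
    """Count words from COMMON that occur in text."""
    return sum(1 for w in re.findall(r"[a-z]+", text.lower()) if w in COMMON)


def audit(text):
    """Return (encoding, decoded) for every line that hides a credential-shaped
    string behind Base64 or ROT13, both of which are reversible without a key."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        decoded = try_base64(line)
        if decoded and CRED_RE.match(decoded):
            findings.append(("base64", decoded))
        rotated = codecs.decode(line, "rot_13")
        # ROT13 is its own inverse, so require the output to read more like
        # English than the input before reporting it.
        if CRED_RE.match(rotated) and english_hits(rotated) > english_hits(line):
            findings.append(("rot13", rotated))
    return findings


if __name__ == "__main__":
    # The two strings shown in the walkthrough (cred.txt and user.txt).
    for sample in ("Y2hhbXA6cGFzc3dvcmQ=", "jgs:guvf bar vf n fvzcyr bar"):
        print(sample, "->", audit(sample))
```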
The SSH login succeeds:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/noob/downloads]
└─$ ssh wtf@192.168.56.235 -p 55077
The authenticity of host '[192.168.56.235]:55077 ([192.168.56.235]:55077)' can't be established.
ED25519 key fingerprint is SHA256:7llosBA8c0IhGD0Q/MfctQSSVRtzJrF8OOBmRA58IyE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.235]:55077' (ED25519) to the list of known hosts.
wtf@192.168.56.235's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-156-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Mar 28 14:07:36 UTC 2023
System load: 0.23 Processes: 174
Usage of /: 53.5% of 8.79GB Users logged in: 0
Memory usage: 19% IP address for enp0s17: 192.168.56.235
Swap usage: 0%
77 packages can be updated.
1 update is a security update.
Last login: Tue Sep 21 19:59:59 2021 from 192.168.169.1
_______________________________________
< Are you sure the back door is locked? >
---------------------------------------
\
\
.--.
|o_o |
|:_/ |
// \ \
(| | )
/'\_ _/`\
\___)=(___/
wtf@wtf:~$ id
uid=1000(wtf) gid=1000(wtf) groups=1000(wtf),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
wtf@wtf:~$ sudo -l
[sudo] password for wtf:
Matching Defaults entries for wtf on wtf:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wtf may run the following commands on wtf:
(ALL : ALL) ALL
wtf@wtf:~$ sudo /bin/bash
cCommand 'fortune' is available in '/usr/games/fortune'
The command could not be located because '/usr/games' is not included in the PATH environment variable.
fortune: command not found
Command 'cowsay' is available in '/usr/games/cowsay'
The command could not be located because '/usr/games' is not included in the PATH environment variable.
cowsay: command not found
root@wtf:~# cd /root
root@wtf:/root# ls -alh
total 52K
drwx------ 7 root root 4.0K Sep 21 2021 .
drwxr-xr-x 24 root root 4.0K Sep 21 2021 ..
-rw------- 1 root root 4.3K Sep 21 2021 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
drwx------ 2 root root 4.0K Jul 3 2021 .cache
drwx------ 3 root root 4.0K Jul 3 2021 .gnupg
drwxr-xr-x 3 root root 4.0K Jul 3 2021 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 353 Sep 21 2021 root.txt
drwxr-xr-x 3 root root 4.0K Jun 23 2021 snap
drwx------ 2 root root 4.0K Jul 22 2021 .ssh
-rw------- 1 root root 821 Sep 21 2021 .viminfo
root@wtf:/root# cat root.txt
RW5kb3JzZSBtZSBvbiBsaW5rZWRpbiA9PiBodHRwczovL3d3dy5saW5rZWRpbi5jb20vaW4vZGVlcGFrLWFoZWVyCg==
Follow me on Twitter https://www.twitter.com/Deepakhr9
TryHackMe --> https://www.tryhackme.com/p/Malwre99
Github --> https://www.github.com/Deepak-Aheer
(the flag is my LinkedIn username)
THANK YOU for PLAYING THIS CTF
But REMEMBER we're still N00bs ;)
root@wtf:/root#