freebuf
本文来源:
下载地址
下载地址
http://hackingdojo.com/downloads/iso/De-ICE_S1.100.iso
任务信息
Encrypted salary file Broken FTP service
实战演练
新建一个虚拟机,类型选择其他,其他,其余都是下一步下一步,然后导入镜像就可以启动
它设置了静态IP192.168.1.100,所以kali也要设置到同一个网段
信息收集
root@kali:~# nmap -sV -p1-65535 192.168.1.100 Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-26 06:47 EST mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers Nmap scan report for 192.168.1.100 Host is up (0.00024s latency). Not shown: 65527 filtered ports PORT STATE SERVICE VERSION 20/tcp closed ftp-data 21/tcp open ftp vsftpd (broken: could not bind listening IPv4 socket) 22/tcp open ssh OpenSSH 4.3 (protocol 1.99) 25/tcp open smtp Sendmail 8.13.7/8.13.7 80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2) 110/tcp open pop3 Openwall popa3d 143/tcp open imap UW imapd 2004.357 443/tcp closed https MAC Address: 00:0C:29:E0:C2:37 (VMware) Service Info: Host: slax.example.net; OS: Unix
扫描目录
root@kali:~# dirb http://192.168.1.100 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Tue Feb 26 07:04:32 2019 URL_BASE: http://192.168.1.100/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.1.100/ ---- + http://192.168.1.100/~ftp (CODE:403|SIZE:412) + http://192.168.1.100/cgi-bin/ (CODE:403|SIZE:297) + http://192.168.1.100/index.php (CODE:200|SIZE:1983) + http://192.168.1.100/info.php (CODE:200|SIZE:37924) ----------------- END_TIME: Tue Feb 26 07:04:34 2019 DOWNLOADED: 4612 - FOUND: 4
使用sparta进行扫描探测
提示
SPOILER Are you stuck? I have included the tools needed, and the order to use them, below. I have hidden them by matching the text color to the background.(Highlight white-space below each section to find the "hidden" answers.) TOOLS REQUIRED (in order of use): nmap Firefox ssh hydra john (the ripper) openssl OTHER HINTS - Interns tend to know nothing of security - The ftp server is broken; it's supposed to be - Even though the ftp server is broken, there may be residual files of interest; read the /etc/passwd file first, though - If you get the CEO's bank account information, you've defeated this challenge. Congratulations!
看来按照提示和看了一下扫描出来的东西,只能爆破用户和密码
根据查看页面的源代码找到用户的邮箱
marym@herot.net patrickp@herot.net thompsont@herot.net benedictb@herot.net genniege@herot.net michaelp@herot.net longe@herot.net adamsa@herot.net banterb@herot.net coffeec@herot.net
做成用户字典
webmaster postmaster admin administrator guest root marym mmary mary patrickp ppatrick patrick thompsont tthompson thompson benedictb bbenedict benedict genniege egennieg gennieg michaelp pmichael michael longe elong long adamsa aadams adams banterb bbanter banter coffeec ccoffee coffee
使用hydra进行爆破
使用bbanter登录
看到passwd和group猜测aadams的权限比较大,于是爆破这个账号,爆破时间有点久。。。
[22][ssh] host: 192.168.1.100 login: aadams password: nostradamus
sodo输入密码再输入nostradamus
查看shadow文件
接下来就彩虹表爆破明文密码
找到了root的密码,用root登录,发现被限制了,那就只能通过aadams账号进行su到root
nc传输加密文件
分析加密文件
原本打算在kali本机解密这个文件,发现加密不了,后来就干脆在靶机上面直接加密
转载请注明来自网盾网络安全培训,本文标题:《CTF靶场系列-De-ICE:_S1.100》
标签:CTF
