CTF靶场系列-De-ICE:_S1.110 – 作者:陌度

下载地址

http://hackingdojo.com/downloads/iso/De-ICE_S1.110.iso

任务信息

解密客户信息

实战演练

原文再续,书接上文s1.100的系统

信息收集

netdiscover发现IP是192.168.1.110

image.png嗯。。。开了ssh,用上一次获取到的密码登录一下

image.png

登录bbanter失败,看来是密码不对

image.png
那就只能从FTP入手了,使用ftp的anonymous扫描,发现存在anonymous账号

image.png
登录

image.png下载shadow和core文件

image.png查看文件

image.png将core的内容提取出来保存为passwd,然后爆破

root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::
aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::
bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::
ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
image.png后来发现root密码不是这个,再找了另外一个字典爆破
#字典
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkc0de.txt
image.png
使用root账号进行远程登录,失败
image.png那就只能使用bbanter账号登录,然后再提权
image.png找到加密文件
root@slax:~# find / -iname *.enc
/mnt/live/mnt/hdc/rootcopy/home/ftp/download/opt/cygwin/usr/share/groff/1.18.1/font/devps/text.enc
/mnt/live/mnt/hdc/rootcopy/home/root/.save/customer_account.csv.enc
find: WARNING: Hard link count is wrong for /mnt/live/proc/8564: this may be a bug in your filesystem driver.  Automatically turning on find's -noleaf option.  Earlier results may have failed to include directories that should have been searched.
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/IsoLatin1.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/IsoLatin2.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/IsoLatin9.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/PSLatin1.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/dc.enc
/mnt/live/memory/images/05_common.mo/usr/share/t1lib/Fonts/enc/dvips.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/big5.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/euc-kr.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-2.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-3.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-4.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-5.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-7.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-8.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-9.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/windows-1250.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/windows-1252.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-euc-jp-jisx0221.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-euc-jp-unicode.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-cp932.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-jdk117.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-jisx0221.enc
/mnt/live/memory/images/02_core.mo/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-unicode.enc
/mnt/live/memory/images/02_core.mo/usr/share/groff/1.19.2/font/devps/text.enc
/mnt/live/memory/changes/home/root/.save/customer_account.csv.enc
/mnt/live/memory/changes/home/ftp/download/opt/cygwin/usr/share/groff/1.18.1/font/devps/text.enc
/usr/share/t1lib/Fonts/enc/IsoLatin1.enc
/usr/share/t1lib/Fonts/enc/IsoLatin2.enc
/usr/share/t1lib/Fonts/enc/IsoLatin9.enc
/usr/share/t1lib/Fonts/enc/PSLatin1.enc
/usr/share/t1lib/Fonts/enc/dc.enc
/usr/share/t1lib/Fonts/enc/dvips.enc
/usr/share/groff/1.19.2/font/devps/text.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/big5.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/euc-kr.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-2.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-3.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-4.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-5.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-7.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-8.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/iso-8859-9.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/windows-1250.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/windows-1252.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-euc-jp-jisx0221.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-euc-jp-unicode.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-cp932.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-jdk117.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-jisx0221.enc
/usr/lib/perl5/site_perl/5.8.8/i486-linux/XML/Parser/Encodings/x-sjis-unicode.enc
/home/root/.save/customer_account.csv.enc
/home/ftp/download/opt/cygwin/usr/share/groff/1.18.1/font/devps/text.enc

找到openssl的加密方式

image.png

来源:freebuf.com 2019-02-28 23:42:23 by: 陌度

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 抢沙发

请登录后发表评论