CTF Range Series - De-ICE: S2.100

Download link

https://download.vulnhub.com/deice/De-ICE_S2.100_%28de-ice.net-2.100-1.0%29.iso

Hands-on walkthrough

Continuing from the previous write-up, which covered the s1.100 system.

Task information

Find user information

Information gathering

netdiscover finds two IPs, so it looks like there is something interesting here.

Check whether FTP has an anonymous account: nothing there.

There is only a single PHP page that displays information.

The web directories have no useful information either.

See what information the web system on 192.168.2.101 has.

Nothing much there.

Found e-mail addresses, and the server also has SMTP open, so let's enumerate the SMTP accounts.

Samuel Pickwick	pickwick@herot.net
Nathaniel Winkle	winkle@herot.net
Augustus Snodgrass	snodgrass@herot.net
Tracy Tupman	tupman@herot.net
Sam Weller	weller@herot.net
Tony Weller	tweller@herot.net
Estella Havisham	havisham@herot.net
Abel Magwitch	magwitch@herot.net
Philip Pirrip	pirrip@herot.net
Nicholas Nickleby	nickleby@herot.net
Ralph Nickleby	rnickleby@herot.net
Newman Noggs	noggs@herot.net
Wackford Squeers	squeers@herot.net
Thomas Pinch	pinch@herot.net
Mark Tapley	tapley@herot.net
Sarah Gamp	gamp@herot.net
Jacob Marley	marley@herot.net
Ebenezer Scrooge	scrooge@herot.net
Bob Cratchit	cratchit@herot.net
Bill Sikes	sikes@herot.net
Jack Dawkins	dawkins@herot.net
Noah Claypole	claypole@herot.net

#User list

Pickwick
Winkle
Snodgrass
Tupman
Weller
Weller
Havisham
Magwitch
Pirrip
Nickleby
Nickleby
Noggs
Squeers
Pinch
Tapley
Gamp
Marley
Scrooge
Cratchit
Sikes
Dawkins
Claypole
Samuel
Nathaniel
Augustus
Tracy
Sam
Tony
Estella
Abel
Philip
Nicholas
Ralph
Newman
Wackford
Thomas
Mark
Sarah
Jacob
Ebenezer
Bob
Bill
Jack
Noah
spickwick
nwinkle
asnodgrass
ttupman
sweller
tweller
ehavisham
amagwitch
ppirrip
nnickleby
rnickleby
nnoggs
wsqueers
tpinch
mtapley
sgamp
jmarley
escrooge
bcratchit
bsikes
jdawkins
nclaypole

Found three accounts.

Following a social-engineering line of thinking, and since the scan above turned up a ~root directory, try brute-forcing the web servers with ~ plus a username.

The web server on 100

On the 101 server we find SSH authentication files; download them.

Change the permissions on the key file, and then you can log in.
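The root cause of this step is SSH key material sitting inside a web-published ~username directory. The following audit is an added example, not part of the original write-up: it walks each user's web directory and reports private keys and other SSH files. The directory name `public_html` (the Apache mod_userdir default), the function names and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# PEM header shared by RSA, DSA, EC, PKCS#8 and OpenSSH private keys.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
KEY_FILE_NAMES = {"authorized_keys", "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}

def audit_userdirs(home_root, userdir="public_html"):
    """Return sorted (user, path relative to web dir, reason) for SSH material served as ~user."""
    findings = []
    for user in os.listdir(home_root):
        web_root = os.path.join(home_root, user, userdir)  # assumed userdir name
        if not os.path.isdir(web_root):
            continue
        for dirpath, _dirnames, filenames in os.walk(web_root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, web_root)
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(4096)
                except OSError:
                    continue  # unreadable by the auditor; skip it
                if PRIVATE_KEY_RE.search(head):
                    findings.append((user, rel, "private key"))
                elif name in KEY_FILE_NAMES or ".ssh" in rel.split(os.sep):
                    findings.append((user, rel, "ssh file"))
    return sorted(findings)

def build_sample(root):
    """Constructed tree: bob publishes a .ssh directory, alice only a web page."""
    files = {
        "alice/public_html/index.html": b"<html>hello</html>",
        "bob/public_html/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
        "bob/public_html/.ssh/id_rsa.pub": b"ssh-rsa CONSTRUCTED bob@example",
        "bob/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def audit_sample():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_userdirs(root)
```

The key under `bob/.ssh` is not reported because it lies outside the web-published directory; only the copies reachable as `~bob/.ssh/...` are.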

Look for information.

Check the mail; the seventh message has information.

pirrip@slax:~$ mail
mailx version nail 11.25 7/29/05.  Type ? for help.
"/var/mail/pirrip": 7 messages 7 new
>N  1 Abel Magwitch      Sun Jan 13 23:53   20/748   Estella
 N  2 Estella Havisham   Sun Jan 13 23:53   20/780   welcome to the team
 N  3 Abel Magwitch      Sun Jan 13 23:53   20/875   havisham
 N  4 Estella Havisham   Mon Jan 14 00:05   20/861   next month
 N  5 Abel Magwitch      Mon Jan 14 00:05   20/868   vacation
 N  6 Abel Magwitch      Mon Jan 14 00:05   20/915   vacation
 N  7 noreply@fermion.he Mon Jan 14 00:05   29/983   Fermion Account Login Reminder
? 
Message  1:
From magwitch@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:47:48 +0000
To: pirrip@slax.example.net
Subject: Estella
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Will do.

? 
Message  2:
From havisham@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <havisham@slax.example.net>
From: Estella Havisham <havisham@slax.example.net>
Date: Sun, 13 Jan 2008 23:50:33 +0000
To: pirrip@slax.example.net
Subject: welcome to the team
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Thanks!  Glad to be here.

? 
Message  3:
From magwitch@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:48:57 +0000
To: pirrip@slax.example.net
Subject: havisham
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

I set her up with an accountus servers.  I set her password to "changeme" and will swing by tomorrow and make sure she changes her pw.

? 
Message  4:
From havisham@slax.example.net  Mon Jan 14 00:05:15 2008
Return-Path: <havisham@slax.example.net>
From: Estella Havisham <havisham@slax.example.net>
Date: Mon, 14 Jan 2008 00:03:56 +0000
To: pirrip@slax.example.net
Subject: next month
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Abel filled me in about next month.  I wanted to ask you if I can grab the week you get back for vacation?  Thanks.

? 
Message  5:
From magwitch@slax.example.net  Mon Jan 14 00:05:15 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:55:41 +0000
To: pirrip@slax.example.net
Subject: vacation
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Hey, I'll be taking vacation the second week of next month.  Have any additional tasks that need to be taen care of in advance?

? 
Message  6:
From magwitch@slax.example.net  Mon Jan 14 00:05:15 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:58:28 +0000
To: pirrip@slax.example.net
Subject: vacation
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Sure - so far, she's doing just fine.  I have assigned her a couple web issues and the ftp installation for 2.100.  She seems to be very comfortable, even with the new stuff.

? 
Message  7:
From noreply@fermion.herot.net  Mon Jan 14 00:05:15 2008
Return-Path: <noreply@fermion.herot.net>
From: noreply@fermion.herot.net
Date: Sun, 13 Jan 2008 23:54:42 +0000
To: pirrip@slax.example.net
Subject: Fermion Account Login Reminder
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Fermion Account Login Reminder

Listed below are your Fermion Account login credentials.  Please let us know if you have any questions or problems.

Regards,
Fermion Support


E-Mail: pirrip@slax.example.net
Password: 0l1v3rTw1st
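The spool above leaks credentials twice: a password quoted in a sentence (message 3) and a labelled "Password:" line in a login reminder (message 7). The following scanner is an added example, not part of the original write-up: it walks an mbox file and reports messages that carry a password in either shape, with the value redacted. The sample spool, pattern names and function names are constructed for illustration.

```python
import mailbox
import re
import tempfile

# Two shapes of leaked credential: a labelled "Password: value" line and
# a password quoted inside a sentence ('set her password to "..."').
PATTERNS = [
    ("labelled", re.compile(r"(?im)^\s*(?:password|passwd|pw)\s*[:=]\s*(\S+)")),
    ("in-sentence", re.compile(r'(?i)\bpassword\b[^."\n]{0,40}"([^"\n]+)"')),
]

def redact(secret):
    """Keep the first character and the length so the report does not leak the value."""
    return secret[0] + "*" * (len(secret) - 1)

def scan_mbox(path):
    """Return (message number, subject, pattern name, redacted value) for each hit."""
    hits = []
    for number, msg in enumerate(mailbox.mbox(path), start=1):
        payload = msg.get_payload(decode=True) or b""  # None for multipart
        body = payload.decode("utf-8", errors="replace")
        for name, pattern in PATTERNS:
            for match in pattern.finditer(body):
                hits.append((number, msg["Subject"], name, redact(match.group(1))))
    return hits

# Constructed sample spool (addresses, subjects and passwords are made up).
SAMPLE_MBOX = """\
From alice@mail.example  Mon Jan 14 00:00:00 2008
Subject: lunch

See you at noon.

From bob@mail.example  Mon Jan 14 00:01:00 2008
Subject: new hire

I set her password to "Example-Temp1" for now.

From noreply@app.example  Mon Jan 14 00:02:00 2008
Subject: Login Reminder

E-Mail: carol@mail.example
Password: Example-Pass2
"""

def scan_sample():
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
    return scan_mbox(fh.name)
```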

Log in with the password above, then use vi to view the shadow file.

Start sh from vi: press Shift+: and enter !/bin/sh

Found the file.

There is not enough disk space to extract it, so just pull it over to Kali and take a look there.

Found the final key.
