
CTF Range Series - De-ICE: S2.100

freebuf 2019-03-02


Download link

https://download.vulnhub.com/deice/De-ICE_S2.100_%28de-ice.net-2.100-1.0%29.iso

Hands-on walkthrough

Continuing from the previous article, this picks up from the S1.100 system.

Task information

Find user information

Information gathering

netdiscover finds two IPs; looks like there is something to this one.

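Check whether FTP allows anonymous login; nothing there.

There is only one PHP page, which displays information.

The web directory has no useful information either.

See what the web system on 192.168.2.101 has to offer.

Nothing much.

Found email information, and the server also has SMTP open, so let's enumerate SMTP accounts.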

Samuel Pickwick       pickwick@herot.net
Nathaniel Winkle      winkle@herot.net
Augustus Snodgrass    snodgrass@herot.net
Tracy Tupman          tupman@herot.net
Sam Weller            weller@herot.net
Tony Weller           tweller@herot.net
Estella Havisham      havisham@herot.net
Abel Magwitch         magwitch@herot.net
Philip Pirrip         pirrip@herot.net
Nicholas Nickleby     nickleby@herot.net
Ralph Nickleby        rnickleby@herot.net
Newman Noggs          noggs@herot.net
Wackford Squeers      squeers@herot.net
Thomas Pinch          pinch@herot.net
Mark Tapley           tapley@herot.net
Sarah Gamp            gamp@herot.net
Jacob Marley          marley@herot.net
Ebenezer Scrooge      scrooge@herot.net
Bob Cratchit          cratchit@herot.net
Bill Sikes            sikes@herot.net
Jack Dawkins          dawkins@herot.net
Noah Claypole         claypole@herot.net

# User list

Pickwick Winkle Snodgrass Tupman Weller Weller Havisham Magwitch Pirrip Nickleby Nickleby Noggs Squeers Pinch Tapley Gamp Marley Scrooge Cratchit Sikes Dawkins Claypole
Samuel Nathaniel Augustus Tracy Sam Tony Estella Abel Philip Nicholas Ralph Newman Wackford Thomas Mark Sarah Jacob Ebenezer Bob Bill Jack Noah
spickwick nwinkle asnodgrass ttupman sweller tweller ehavisham amagwitch ppirrip nnickleby rnickleby nnoggs wsqueers tpinch mtapley sgamp jmarley escrooge bcratchit bsikes jdawkins nclaypole

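Found three accounts.

Following a social-engineering line of thought, and given the ~root directory found in the earlier scan, try brute-forcing web paths of the form ~ + username.

The web server on 100

On the 101 server, an SSH authentication file turns up; download it.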

After changing the permissions on the key file, you can log in.
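The finding above, a private key reachable under a per-user web directory, can be checked for from the defender's side. This is an added example, not part of the original walkthrough: the function names, the users alice/bob/carol and the sample tree are constructed, and it assumes a grep that supports -I (GNU or BSD).

```sh
# Added example: audit a web-served tree for PEM/OpenSSH private keys.
KEY_RE='-----BEGIN [A-Z ]*PRIVATE KEY-----'

# audit_web_keys DIR: one line per private-key file under DIR, tagged by
# whether "other" users (such as the web server account) can read it.
audit_web_keys() {
    find "$1" -type f -exec grep -lIs -e "$KEY_RE" -- {} + | sort |
    while IFS= read -r f; do
        if [ -n "$(find "$f" -perm -004)" ]; then
            echo "WORLD-READABLE $f"
        else
            echo "RESTRICTED $f"
        fi
    done
}

# build_sample_tree DIR: constructed per-user web directories; the file
# contents are placeholders, not real key material.
build_sample_tree() {
    mkdir -p "$1/alice/.ssh" "$1/bob/.ssh" "$1/carol"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/alice/.ssh/id_rsa"
    cp "$1/alice/.ssh/id_rsa" "$1/bob/.ssh/id_rsa"
    echo '<html>home page</html>' > "$1/carol/index.html"
    chmod 644 "$1/alice/.ssh/id_rsa"   # readable by the web server
    chmod 600 "$1/bob/.ssh/id_rsa"     # owner only
}

demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
audit_web_keys "$demo_dir"
rm -rf "$demo_dir"
```

Any hit under a web-served path means the key should be treated as exposed and rotated, and the mapping that publishes home directories reviewed.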

Look for information.

Check the mail; the seventh message contains useful information.

pirrip@slax:~$ mail
mailx version nail 11.25 7/29/05.  Type ? for help.
"/var/mail/pirrip": 7 messages 7 new
>N  1 Abel Magwitch      Sun Jan 13 23:53   20/748   Estella
 N  2 Estella Havisham   Sun Jan 13 23:53   20/780   welcome to the team
 N  3 Abel Magwitch      Sun Jan 13 23:53   20/875   havisham
 N  4 Estella Havisham   Mon Jan 14 00:05   20/861   next month
 N  5 Abel Magwitch      Mon Jan 14 00:05   20/868   vacation
 N  6 Abel Magwitch      Mon Jan 14 00:05   20/915   vacation
 N  7 noreply@fermion.he Mon Jan 14 00:05   29/983   Fermion Account Login Reminder
?
Message  1:
From magwitch@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:47:48 +0000
To: pirrip@slax.example.net
Subject: Estella
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Will do.

?
Message  2:
From havisham@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <havisham@slax.example.net>
From: Estella Havisham <havisham@slax.example.net>
Date: Sun, 13 Jan 2008 23:50:33 +0000
To: pirrip@slax.example.net
Subject: welcome to the team
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Thanks!  Glad to be here.

?
Message  3:
From magwitch@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:48:57 +0000
To: pirrip@slax.example.net
Subject: havisham
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

I set her up with an accountus servers.  I set her password to "changeme" and will swing by tomorrow and make sure she changes her pw.

?
Message  4:
From havisham@slax.example.net  Mon Jan 14 00:05:15 2008
Return-Path: <havisham@slax.example.net>
From: Estella Havisham <havisham@slax.example.net>
Date: Mon, 14 Jan 2008 00:03:56 +0000
To: pirrip@slax.example.net
Subject: next month
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Abel filled me in about next month.  I wanted to ask you if I can grab the week you get back for vacation?  Thanks.

?
Message  5:
From magwitch@slax.example.net  Mon Jan 14 00:05:15 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:55:41 +0000
To: pirrip@slax.example.net
Subject: vacation
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Hey, I'll be taking vacation the second week of next month.  Have any additional tasks that need to be taen care of in advance?

?
Message  6:
From magwitch@slax.example.net  Mon Jan 14 00:05:15 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:58:28 +0000
To: pirrip@slax.example.net
Subject: vacation
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Sure - so far, she's doing just fine.  I have assigned her a couple web issues and the ftp installation for 2.100.  She seems to be very comfortable, even with the new stuff.

?
Message  7:
From noreply@fermion.herot.net  Mon Jan 14 00:05:15 2008
Return-Path: <noreply@fermion.herot.net>
From: noreply@fermion.herot.net
Date: Sun, 13 Jan 2008 23:54:42 +0000
To: pirrip@slax.example.net
Subject: Fermion Account Login Reminder
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: R

Fermion Account Login Reminder

Listed below are your Fermion Account login credentials.
Please let us know if you have any questions or problems.

Regards,
Fermion Support

E-Mail: pirrip@slax.example.net
Password: 0l1v3rTw1st
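A mail spool holding passwords in clear text, as in messages 3 and 7 above, is something an administrator can scan for. This is an added example, not from the original article: the function names, addresses and message contents are constructed, and the two match patterns are assumptions that will miss other phrasings.

```sh
# scan_mbox_for_secrets FILE: print "msgno|envelope sender|subject" once per
# message with a matching body line; the secret itself is never printed.
scan_mbox_for_secrets() {
    awk '
        /^From / { n++; hdr = 1; from = $2; subj = ""; hit = 0; next }
        hdr && /^$/ { hdr = 0; next }        # blank line ends the headers
        hdr {
            if (tolower($0) ~ /^subject:/) {
                subj = $0
                sub(/^[^:]*:[ \t]*/, "", subj)
            }
            next
        }
        hit == 0 && tolower($0) ~ /password[ \t]*[:=]|password[ \t]+(to|is)[ \t]/ {
            hit = 1
            print n "|" from "|" subj
        }
    ' "$1"
}

# build_sample_mbox FILE: three constructed messages modelled on the spool
# shown above; addresses and values are placeholders.
build_sample_mbox() {
    cat > "$1" <<'EOF'
From admin@corp.example  Sun Jan 13 23:53:37 2008
From: Admin <admin@corp.example>
Subject: new hire

I set her password to "EXAMPLE-ONLY" and will check tomorrow.

From peer@corp.example  Mon Jan 14 00:05:15 2008
From: Peer <peer@corp.example>
Subject: vacation

Can I take the second week of next month?

From noreply@vendor.example  Mon Jan 14 00:05:15 2008
From: noreply@vendor.example
Subject: Account Login Reminder

E-Mail: user@corp.example
Password: EXAMPLE-ONLY
EOF
}

spool=$(mktemp)
build_sample_mbox "$spool"
scan_mbox_for_secrets "$spool"
rm -f "$spool"
```

Only body lines are matched, so a subject such as "password policy" does not trigger a hit on its own.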

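Log in with the password from the seventh message above, then use vi to view the shadow file.

Start sh from vi: press Shift + : to get the command prompt and enter !/bin/sh

Found the file.

There is not enough space to decompress it there, so simply pull it over to Kali and look at it.

Found the final key.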
