v2ish1yan`s blog

Adventure Time

flag1
flag2
flag3
flag4
flag5

难度：hard

Time to go on an adventure. Do you have what it takes to help Finn and Jake find BMO’s reset code?
Help solve puzzles and try harder to the max….

This is not a real world challenge, but fun and game only (and maybe learn a thing or two along the way).

flag1

┌──(kali㉿kali)-[~/Desktop]
└─$ rustscan -a 10.10.108.114 -r 1-65535                
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.108.114:21
Open 10.10.108.114:22
Open 10.10.108.114:80
Open 10.10.108.114:443
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-16 02:33 EDT
Initiating Ping Scan at 02:33
Scanning 10.10.108.114 [2 ports]
Completed Ping Scan at 02:33, 0.34s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:33
Completed Parallel DNS resolution of 1 host. at 02:33, 2.01s elapsed
DNS resolution of 1 IPs took 2.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 02:33
Scanning 10.10.108.114 [4 ports]
Discovered open port 443/tcp on 10.10.108.114
Discovered open port 80/tcp on 10.10.108.114
Discovered open port 21/tcp on 10.10.108.114
Discovered open port 22/tcp on 10.10.108.114
Completed Connect Scan at 02:33, 0.29s elapsed (4 total ports)
Nmap scan report for 10.10.108.114
Host is up, received syn-ack (0.31s latency).
Scanned at 2024-04-16 02:33:58 EDT for 0s

PORT    STATE SERVICE REASON
21/tcp  open  ftp     syn-ack
22/tcp  open  ssh     syn-ack
80/tcp  open  http    syn-ack
443/tcp open  https   syn-ack

有个ftp端口，先尝试访问ftp服务

可以发现能够匿名访问，并且包含了6个图片，将其都下载下来，但是没啥可用的，能用来当壁纸

开启了80端，先对web端进行探测

使用dirsearch进行漫长的爆破（vpn太慢了）

1	python dirsearch.py -u 10.10.108.114 -x 400,500 -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

扫出了一个/candybar目录

访问

将这段密文，base32解密，再用随波逐流进行凯撒爆破，得到下面的话

Always check the SSL certificate for clues.

那就去看看ssl证书信息

可以看到，这里存在两个域名

1 2	adventure-time.com land-of-ooo.com

将这两个域名添加到/etc/hosts

1	10.10.108.114 adventure-time.com land-of-ooo.com

然后访问https://land-of-ooo.com/(这里同一ip不同域名访问的内容不一样，应该是用来反向代理之类的方法实现的)

他说我找到了，但是还得需要找BMO重置码，在B的电脑桌面上

这里没啥东西，那就只能再扫一下目录了

1	python dirsearch.py -u https://land-of-ooo.com/ -x 400,500 -r -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

先扫到了个https://land-of-ooo.com/yellowdog/

没东西，还得继续扫

扫出来了https://land-of-ooo.com/yellowdog/bananastock/

查看源码，复制字符串，看起来是摩斯电码

1	_/..../.\_.../._/_./._/_./._/...\._/._./.\_/..../.\_..././.../_/_._.__/_._.__/_._.__

使用这个网站来进行解密https://www.dcode.fr/morse-code

得到密码THEBANANASARETHEBEST!!!

从前面的端口扫描可以知道，他开启了22端口，所以可以尝试用这个密码登录

但是还不知道用户名，所以还得继续扫(他的题目提示就是目录遍历爆破)

1	python dirsearch.py -u https://land-of-ooo.com/yellowdog/bananastock/ -x 400,500 -r -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

扫了半天，终于扫出了

https://land-of-ooo.com/yellowdog/bananastock/princess/

查看网站源码发现了加密文本

Secrettext = 0008f1a92d287b48dccb5079eac18ad2a0c59c22fbc7827295842f670cdb3cb645de3de794320af132ab341fe0d667a85368d0df5a3b731122ef97299acc3849cc9d8aac8c3acb647483103b5ee44166
Key = my cool password
IV = abcdefghijklmanopqrstuvwxyz
Mode = CBC
Input = hex
Output = raw

使用在线工具进行AES解密

1	the magic safe is accessibel at port 31337. the magic word is: ricardio

这个端口之前用rustscan没发现，这里再使用nmap扫描一下

这里貌似是会有内容回显，用nc连接一下

1	nc 10.10.190.110 31337

得到一个用户名，再开一个终端用这个用户名和密码THE BANANAS ARE THE BEST!!!进行ssh登录

1	ssh apple-guards@10.10.190.110

得到flag1tryhackme{Th1s1sJustTh3St4rt}

flag2

这里还有个文件

apple-guards@at:~$ cat mbox
From marceline@at  Fri Sep 20 16:39:54 2019
Return-Path: <marceline@at>
X-Original-To: apple-guards@at
Delivered-To: apple-guards@at
Received: by at.localdomain (Postfix, from userid 1004)
        id 6737B24261C; Fri, 20 Sep 2019 16:39:54 +0200 (CEST)
Subject: Need help???
To: <apple-guards@at>
X-Mailer: mail (GNU Mailutils 3.4)
Message-Id: <20190920143954.6737B24261C@at.localdomain>
Date: Fri, 20 Sep 2019 16:39:54 +0200 (CEST)
From: marceline@at

Hi there bananaheads!!!
I heard Princess B revoked your access to the system. Bummer!
But I'll help you guys out.....doesn't cost you a thing.....well almost nothing.

I hid a file for you guys. If you get the answer right, you'll get better access.
Good luck!!!!

这里让我找一个归属于marceline用户的文件，使用命令

1	find / -user marceline 2>/dev/null

找到一个可执行文件/etc/fonts/helper

执行后

=====================================
      BananaHead Access Pass          
       created by Marceline           
======================================

Hi there bananaheads!!!
So you found my file?
But it won't help you if you can't answer this question correct.
What? I told you guys I would help and that it wouldn't cost you a thing....
Well I lied hahahaha

Ready for the question?

The key to solve this puzzle is gone
And you need the key to get this readable: Gpnhkse

Did you solve the puzzle?

这里说gone是key，然后解密这个字符串，可能是维吉尼亚加密

Abadeer

获得密码My friend Finn

然后使用这个密码，换到marceline用户

1	su marceline

得到flag2tryhackme{N1c30n3Sp0rt}

flag3

查看I-got-a-secret.txt文件

Hello Finn,

I heard that you pulled a fast one over the banana guards.
B was very upset hahahahaha.
I also heard you guys are looking for BMO's resetcode.
You guys broke him again with those silly games?

You know I like you Finn, but I don't want to anger B too much.
So I will help you a little bit...

But you have to solve my little puzzle. Think you're up for it?
Hahahahaha....I know you are.

111111111100100010101011101011111110101111111111011011011011000001101001001011111111111111001010010111100101000000000000101001101111001010010010111111110010100000000000000000000000000000000000000010101111110010101100101000000000000000000000101001101100101001001011111111111111111111001010000000000000000000000000001010111001010000000000000000000000000000000000000000000001010011011001010010010111111111111111111111001010000000000000000000000000000000001010111111001010011011001010010111111111111100101001000000000000101001111110010100110010100100100000000000000000000010101110010100010100000000000000010100000000010101111100101001111001010011001010010000001010010100101011100101001101100101001011100101001010010100110110010101111111111111111111111111111111110010100100100000000000010100010100111110010100000000000000000000000010100111111111111111110010100101111001010000000000000001010

这里使用https://www.dcode.fr/cipher-identifier来识别，然后通过左边的工具一个个试

试到Spoon的时候，成功解密：The magic word you are looking for is ApplePie

然后再连接之前的端口，输入magic word获得密码

┌──(kali㉿kali)-[~]
└─$ nc  10.10.190.110 31337
Hello Princess Bubblegum. What is the magic word?
ApplePie
The password of peppermint-butler is: That Black Magic

切换到指定用户，获得flag3tryhackme{N0Bl4ckM4g1cH3r3}

flag4

然后使用scp来下载文件

1	scp peppermint-butler@10.10.190.110:/home/peppermint-butler/butler-1.jpg .

没啥用，再搜一下peppermint-butler用户的文件

1	find / -user peppermint-butler 2>/dev/null

看到一个/usr/share/xml/steg.txt文件

I need to keep my secrets safe.
There are people in this castle who can't be trusted.
Those banana guards are not the smartest of guards.
And that Marceline is a friend of princess Bubblegum,
but I don't trust her.

So I need to keep this safe.

The password of my secret file is 'ToKeepASecretSafe'

和一个/etc/php/zip.txt文件

I need to keep my secrets safe.
There are people in this castle who can't be trusted.
Those banana guards are not the smartest of guards.
And that Marceline is a friend of princess Bubblegum,
but I don't trust her.

So I need to keep this safe.

The password of my secret file is 'ThisIsReallySave'

这里是进行了图片隐写，密码为ToKeepASecretSafe

1
2
3

steghide extract -sf butler-1.jpg 
Enter passphrase: 
wrote extracted data to "secrets.zip".

得到一个加密的压缩文件，使用密码ThisIsReallySave解压缩

得到以下内容

[0200 hours][upper stairs]
I was looking for my arch nemesis Peace Master, 
but instead I saw that cowering little puppet from the Ice King.....gunter.
What was he up to, I don't know.
But I saw him sneaking in the secret lab of Princess Bubblegum.
To be able to see what he was doing I used my spell 'the evil eye' and saw him.
He was hacking the secret laptop with something small like a duck of rubber.
I had to look closely, but I think I saw him type in something.
It was unclear, but it was something like 'The Ice King s????'.
The last 4 letters where a blur.

Should I tell princess Bubblegum or see how this all plays out?
I don't know.......

这里说用户gunter的密码为The Ice King s????，后面4个字符看不清楚，所以得自己生成字典，然后用hydra进行爆破

在kali上可以使用以下命令来生成后面四位为小写字母的字典

1	crunch 18 18 -t 'The Ice King s@@@@'' > p.txt

然后使用hydra来进行爆破

1	hydra -l gunter -P p.txt ssh://10.10.190.110

经过漫长的爆破，最后得到密码The Ice King sucks

切换到gunter

得到flag4tryhackme{P1ngu1nsRul3!}

flag5

最后的flag一个可能就在/root了，查找有suid位的文件

1	find / -user root -perm -4000 -print 2>/dev/null

这里的exim4存在命令执行漏洞CVE-2019-10149

gunter@at:/home$ exim4 --version
Exim version 4.90_1 #4 built 14-Feb-2018 16:01:14
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

从CVE-2019-10149下载payload

然后查看exim配置文件 /etc/exim4/update-exim4.conf.conf

gunter@at:~$ cat  /etc/exim4/update-exim4.conf.conf
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='local'
dc_other_hostnames='at'
dc_local_interfaces='127.0.0.1.60000'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

得到监听的接口为6000，所以修改payload里的port参数为60000

然后执行payload

再执行生成的/tmp/s文件，获得root权限

最后发现flag在/home/bubblegum/Secrets/bmo.txt

flag5tryhackme{Th1s1s4c0d3F0rBM0}

2024-04-16 该篇文章被 v2ish1yan 打上标签: Linux 归为分类: Tryhackme