https://www.vulnhub.com/entry/skydog-2016-catch-me-if-you-can,166/ https://www.abatchy.com/2017/02/oscp-like-vulnhub-vms.html

Information gathering

nmap -T4 -sn 192.168.56.0/23

Nmap scan report for 10.211.55.1
Host is up (0.00042s latency).
MAC Address: 00:1C:42:00:00:18 (Parallels)
Nmap scan report for 10.211.55.2
Host is up (0.00036s latency).
MAC Address: 00:1C:42:00:00:08 (Parallels)
Nmap scan report for skydogconctf2016vbox.shared (10.211.55.21)
Host is up (-0.088s latency).
MAC Address: 00:1C:42:76:B4:88 (Parallels)
Nmap scan report for yyy-offsecvm-2017.1-i686-1.shared (10.211.55.8)
Host is up.


$ sudo screen -S SkyDog -L -d -m nmap -oN nmap_SkyDog.txt -T5 -O -sV -sC 10.211.55.21 -p1-65535
Password:
happytree:exploit yanyan$ screen -ls
There is a screen on:
        2379.SkyDog     (Detached)
1 Socket in /var/folders/zt/1bs7vxkx24g5n631vx5ws0rm0000gn/T/.screen.

$ cat nmap_SkyDog.txt 
# Nmap 7.12 scan initiated Wed Apr 11 19:22:56 2018 as: nmap -oN nmap_SkyDog.txt -T5 -O -sV -sC 10.211.55.21 -p1-65535
Nmap scan report for 10.211.55.21
Host is up (0.0036s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDog Con CTF 2016 - Catch Me If You Can
443/tcp open   ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDog Con CTF 2016 - Catch Me If You Can
| ssl-cert: Subject: commonName=Network Solutions EV Server CA 2/organizationName=Network Solutions L.L.C./stateOrProvinceName=VA/countryName=US
| Not valid before: 2016-09-21T14:51:57
|_Not valid after:  2017-09-21T14:51:57
|_ssl-date: TLS randomness does not represent time
22222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:64:7c:d1:55:46:4e:50:e3:ba:cf:4c:1e:81:f9:db (RSA)
|   256 ef:17:df:cc:db:2e:c5:24:e3:9e:25:16:3d:25:68:35 (ECDSA)
|_  256 0e:1b:3f:c3:4a:56:a0:ef:4d:2a:af:a1:7e:94:d2:06 (EdDSA)
MAC Address: 08:00:27:D3:70:74 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 11 19:23:16 2018 -- 1 IP address (1 host up) scanned in 20.45 seconds
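The port/service summary that follows was written out by hand from the `-oN` output above. As an added example (not part of the original write-up), here is a small parser for nmap's normal output format that extracts the host, the OS guess and the port table, so the same summary can be produced for every scan file in an engagement and kept as an inventory record. The sample text is the scan above, trimmed; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the port table from the nmap -oN output above, trimmed.
SAMPLE_NMAP = """\
# Nmap 7.12 scan initiated Wed Apr 11 19:22:56 2018 as: nmap -oN nmap_SkyDog.txt -T5 -O -sV -sC 10.211.55.21 -p1-65535
Nmap scan report for 10.211.55.21
Host is up (0.0036s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open   ssl/http Apache httpd 2.4.18 ((Ubuntu))
| ssl-cert: Subject: commonName=Network Solutions EV Server CA 2
22222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
OS details: Linux 3.10 - 4.1
"""

# One port line: "<port>/<proto> <state> <service> [version text]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)"
HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?([\d.]+)\)?")
OS_RE = re.compile(r"^OS details: (.+)$")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_normal(text):
    """Return (host_ip, os_details, [PortEntry, ...]) parsed from nmap -oN text."""
    host, os_details, ports = None, None, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(2)
            continue
        m = OS_RE.match(line)
        if m:
            os_details = m.group(1).strip()
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append(PortEntry(int(m.group(1)), m.group(2), m.group(3),
                                   m.group(4), m.group(5).strip()))
        # NSE script lines ("| ..." / "|_ ...") and headers fall through and are ignored.
    return host, os_details, ports


def open_ports(ports):
    """Only entries nmap reported as open (closed/filtered are dropped)."""
    return [p for p in ports if p.state == "open"]


def summary(text):
    """Render the same 'IP / OS / open port' summary the write-up lists by hand."""
    host, os_details, ports = parse_nmap_normal(text)
    lines = [f"IP: {host}", f"OS details: {os_details}"]
    for p in open_ports(ports):
        lines.append(f"{p.port}/{p.proto} {p.service} {p.version}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(SAMPLE_NMAP))
```

Parsing `-oN` is convenient when that is all you kept, but for anything automated prefer `-oX` and an XML parser, since the normal format is meant for humans and its column spacing is not guaranteed.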

OS & Port & Service

  • IP: 10.211.55.21
  • OS details: Linux 3.10 - 4.1
  • 80 Apache httpd 2.4.18
  • 443 Apache httpd 2.4.18

80 Apache httpd 2.4.18

# nikto -h 10.211.55.21
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.211.55.21
+ Target Hostname:    10.211.55.21
+ Target Port:        80
+ Start Time:         2018-04-11 20:49:46 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x47b5 0x53e97541b87ac 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ 7536 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2018-04-11 20:49:56 (GMT8) (10 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

$ python
Python 2.7.10 (default, Oct  6 2017, 22:29:07)
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.31)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> '666c61677b37633031333230373061306566373164353432363633653964633166356465657d'.decode('hex')
'flag{7c0132070a0ef71d542663e9dc1f5dee}'

Analyzing with my-addr (http://md5.my-addr.com)...
***** HASH CRACKED!! *****
The original string is: nmap
The following hashes were cracked:
----------------------------------
7c0132070a0ef71d542663e9dc1f5dee -> nmap

443 Apache httpd 2.4.18

# nikto -h 10.211.55.21 -p 443
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.211.55.21
+ Target Hostname:    10.211.55.21
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./OU=flag3{f82366a9ddc064585d54e3f78bde3221}/CN=Network Solutions EV Server CA 2
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./OU=flag3{f82366a9ddc064585d54e3f78bde3221}/CN=Network Solutions EV Server CA 2
+ Start Time:         2018-04-11 20:50:05 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x47b5 0x53e97541b87ac 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Hostname '10.211.55.21' does not match certificate's names: Network
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ 7536 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2018-04-11 20:51:15 (GMT8) (70 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

  • flag3{f82366a9ddc064585d54e3f78bde3221}

***** HASH CRACKED!! *****
The original string is: personnel
The following hashes were cracked:
----------------------------------
f82366a9ddc064585d54e3f78bde3221 -> personnel
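Both nikto runs above report the same server-side weaknesses: MultiViews content negotiation (which lets a client enumerate alternative file names), inode leakage through ETags, missing X-Frame-Options and X-Content-Type-Options headers, no HSTS on the TLS port, and compressed responses that expose the site to BREACH. As an added example, not taken from the VM's own configuration, the following Apache 2.4 fragment shows how each of those findings is closed; the document root path is an assumption, and `mod_headers` must be enabled for the `Header` directives.

```apache
# Added hardening example for the nikto findings above (assumed paths; not the VM's config).

# Hide the version string nikto reported in the Server header.
ServerTokens Prod

<Directory /var/www/html>
    # Disable content negotiation so "index" cannot be resolved to index.html by guessing.
    Options -MultiViews
    # Disable mod_deflate here so secret-bearing responses are not compressed (BREACH).
    SetEnv no-gzip 1
</Directory>

# Do not include the inode in ETags; mtime and size are enough for caching.
FileETag MTime Size

# Browser-side protections nikto flagged as missing.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"

# HSTS only on TLS connections: mod_ssl sets the HTTPS env variable, so the
# env=HTTPS condition keeps the header off the plain-HTTP vhost on port 80.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
```

After the change, re-running `nikto -h <host> -p 443` should no longer report the `tcn` header, the MultiViews alternative, the ETag inode fields or the missing headers; the certificate-name mismatch is a separate issue fixed by issuing a certificate for the real hostname.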

22222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

root@kali:~# ssh root@10.211.55.21 -p 22222
The authenticity of host '[10.211.55.21]:22222 ([10.211.55.21]:22222)' can't be established.
ECDSA key fingerprint is SHA256:DeCMZ74o5wesBHFLyaVY7UTCA7mW+bx6WroHm6AgMqU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.211.55.21]:22222' (ECDSA) to the list of known hosts.
###############################################################
#                         WARNING                             #
#       FBI - Authorized access only!                 # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#   Flag{53c82eba31f6d416f331de9162ebe997}            #
###############################################################

# findmyhash MD5 -h 53c82eba31f6d416f331de9162ebe997
Cracking hash: 53c82eba31f6d416f331de9162ebe997
Analyzing with my-addr (http://md5.my-addr.com)...
***** HASH CRACKED!! *****
The original string is: encrypt
The following hashes were cracked:
----------------------------------
53c82eba31f6d416f331de9162ebe997 -> encrypt

  • 53c82eba31f6d416f331de9162ebe997: the MD5 hash cracks to encrypt.

Viewing the site with an old version of IE

***** HASH CRACKED!! *****
The original string is: evidence
The following hashes were cracked:
----------------------------------
14e10d570047667f904261e6d08f520f -> evidence

new evidence

Following the hint "The Devil is in the Details — Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices", generate a password dictionary with cewl:

# cewl http://www.imdb.com/title/tt0264464/quotes -e -d 1 -m 3 -w skydog.dict

carl.hanratty/Grace

Brute-force the login with Burp.

http://10.211.55.21/newevidence/Evidence.txt
flag{117c240d49f54096413dd64280399ea9}
*** HASH CRACKED!! ***
The original string is: panam

The following hashes were cracked:

117c240d49f54096413dd64280399ea9 -> panam

steghide --info image.jpg -p panam
"image.jpg":
  format: jpeg
  capacity: 230.1 KB
  embedded file "flag.txt":
    size: 71.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

# steghide --extract -sf image.jpg -p panam
wrote extracted data to "flag.txt".

# cat flag.txt 
flag{d1e5146b171928731385eb7ea38c37b8}
=ILoveFrance

clue=iheartbrenda

root@kali:~/Desktop/hitbxctf2018# echo -n 'ILoveFrance' | md5sum
d1e5146b171928731385eb7ea38c37b8 -
root@kali:~/Desktop/hitbxctf2018# findmyhash MD5 -h d1e5146b171928731385eb7ea38c37b8

The following hashes were cracked:

NO HASH WAS CRACKED.

barryallen@10.211.55.21's password:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)

  • Documentation: https://help.ubuntu.com
  • Management: https://landscape.canonical.com
  • Support: https://ubuntu.com/advantage

14 packages can be updated.
7 updates are security updates.

barryallen@skydogconctf2016:~$

Local enumeration

barryallen@skydogconctf2016:~$ ls -la
total 73044
drwxr-xr-x 3 barryallen barryallen     4096 Oct 11  2016 .
drwxr-xr-x 4 root       root           4096 Oct 12  2016 ..
-rw------- 1 barryallen barryallen       13 Oct 11  2016 .bash_history
-rw-r--r-- 1 barryallen barryallen      220 Sep 21  2016 .bash_logout
-rw-r--r-- 1 barryallen barryallen     3771 Sep 21  2016 .bashrc
drwx------ 2 barryallen barryallen     4096 Oct 10  2016 .cache
-rw-r--r-- 1 barryallen barryallen       39 Oct 10  2016 flag.txt
-rw-r--r-- 1 barryallen barryallen      655 Sep 21  2016 .profile
-rw-r--r-- 1 barryallen barryallen 74762682 Oct 10  2016 security-system.data
barryallen@skydogconctf2016:~$ cat flag.txt 
flag{bd2f6a1d5242c962a05619c56fa47ba6}

***** HASH CRACKED!! *****
The original string is: theflash
The following hashes were cracked:
----------------------------------
bd2f6a1d5242c962a05619c56fa47ba6 -> theflash

barryallen@skydogconctf2016:~$ file security-system.data
security-system.data: Zip archive data, at least v2.0 to extract

barryallen@skydogconctf2016:~$ scp -P 22 security-system.data root@10.211.55.8:/root/Desktop/root-me/3/security-system.data

# binwalk security-system.zip 
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, name: security-system.data
46172415      0x2C088FF       MySQL MISAM index file Version 2
74762660      0x474C9A4       End of Zip archive
# volatility -f security-system.data imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Desktop/root-me/3/security-system.data)
                      PAE type : PAE
                           DTB : 0x33e000L
                          KDBG : 0x80545b60L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-10-10 22:00:50 UTC+0000
     Image local date and time : 2016-10-10 18:00:50 -0400

volatility -f security-system.data --profile=WinXPSP2x86 iehistory
Volatility Foundation Volatility Framework 2.6
**************************************************
Process: 1540 explorer.exe
Cache type "DEST" at 0x159d0f
Last modified: 2016-10-10 18:00:41 UTC+0000
Last accessed: 2016-10-10 22:00:42 UTC+0000
URL: test@file:///C:/Documents%20and%20Settings/test/Desktop/code.txt

volatility -f security-system.data --profile=WinXPSP2x86 filescan | less
0x0000000006640bc8      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\test\Desktop\code.txt

volatility -f security-system.data --profile=WinXPSP2x86 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: csrss.exe Pid: 560
CommandHistory: 0x10186f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x2d4
Cmd #0 @ 0x1024400: cd Desktop
Cmd #1 @ 0x4f2660: echo 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d > code.txt
>>> '66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d'.replace(' ', '').decode('hex')
'flag{841dd3db29b0fbbd89c7b5be768cdc81}'
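Two of the flags on this page (the one on the port-80 site and the one echoed into code.txt in the memory image) are hex-encoded ASCII, and every flag's body is an MD5 digest of a short clue word. The interactive Python 2 one-liners above rely on `str.decode('hex')`, which no longer exists in Python 3. As an added example, not part of the original write-up, the block below does the same decoding in Python 3 for both spacing styles, pulls the 32-hex-character digest out of the `flag{...}` wrapper, and checks it against a candidate word list instead of an online lookup service. The candidate words are the ones recovered on this page; the function names are my own.

```python
import hashlib
import re

# flag{<32 hex chars>}, case-insensitive so "Flag{...}" (the SSH banner) also matches.
FLAG_RE = re.compile(r"flag\{([0-9a-f]{32})\}", re.IGNORECASE)


def decode_hex_flag(text):
    """Decode a hex string, with or without whitespace between bytes, to ASCII."""
    cleaned = re.sub(r"\s+", "", text)
    return bytes.fromhex(cleaned).decode("ascii")


def extract_md5(flag):
    """Return the 32-hex-char digest inside flag{...}, lower-cased."""
    m = FLAG_RE.search(flag)
    if not m:
        raise ValueError("no flag{<md5>} pattern in %r" % flag)
    return m.group(1).lower()


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def match_candidates(digest, candidates):
    """Return the candidate word whose MD5 equals digest, or None if no candidate matches."""
    for word in candidates:
        if md5_hex(word) == digest:
            return word
    return None


def resolve_flags(hex_flags, candidates):
    """Map each decoded flag to the clue word behind its digest (None when unknown)."""
    results = {}
    for h in hex_flags:
        flag = decode_hex_flag(h)
        results[flag] = match_candidates(extract_md5(flag), candidates)
    return results


# Constructed inputs: the two hex-encoded flags shown on this page and the
# clue words that the page recovered for the other flags.
HEX_FLAG_WEB = "666c61677b37633031333230373061306566373164353432363633653964633166356465657d"
HEX_FLAG_MEMORY = ("66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 "
                   "63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d")
CANDIDATES = ["nmap", "personnel", "encrypt", "evidence", "panam",
              "theflash", "ILoveFrance", "iheartbrenda"]


if __name__ == "__main__":
    for flag, word in resolve_flags([HEX_FLAG_WEB, HEX_FLAG_MEMORY], CANDIDATES).items():
        print(flag, "->", word)
```

`bytes.fromhex` rejects odd-length or non-hex input with a `ValueError`, which is the behaviour you want when a pasted string has been truncated; the Python 2 `.decode('hex')` call raised the same way. Comparing against a local candidate list also keeps hash values off third-party lookup sites, which matters when the digests come from a client's environment rather than a CTF.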