VulnHub Lab Practice: HA:Forensics

HA:Forensics

VulnHub lab

Download: //www.vulnhub.com/entry/ha-forensics,570/

Background:

HA: Forensics is an intermediate level lab which gives you hands-on, real-life experience in Cyber Forensic Investigation. This lab is completely dedicated to methods and tools of Cyber Forensic Investigation, and there is evidence that can be found with various techniques. As it is a Capture-the-Flag, it is very important to note that it is not a root challenge; its primary motive is to find all the flags.

No. of Flags: 4

Objective: Find all 4 flags (Getting Root is NOT the objective)

Get all 4 flags

Port scan

SSH connection to 192.168.139.148

No hint shown.

//192.168.139.148/style2/design.gif

Inspected every frame; no hidden layer was found.

Directory scan

//192.168.139.148/images/

Two photos that are not shown on the home page are present.

Open fingerprint.jpg in a hex viewer

Flag:1 {bc02d4ffbeeab9f57c5e03de1098ff31}
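The hex-viewer step above, as an added example that is not part of the original writeup: a small JPEG segment walker that reports the places where text hides in a file like fingerprint.jpg (COM comment segments, APPn payloads, and bytes appended after the EOI marker). The sample bytes are constructed here, not taken from the real image.

```python
import struct

# Markers without a length field: SOI, EOI, TEM and RSTn.
_STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))

def jpeg_extras(data: bytes) -> dict:
    """Collect COM comments, APPn payload prefixes and bytes after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    found = {"comments": [], "appn": [], "trailing": b""}
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker in _STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts itself
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:
            found["comments"].append(payload.decode("latin-1"))
        elif 0xE0 <= marker <= 0xEF:
            found["appn"].append((f"APP{marker - 0xE0}", payload[:8]))
        if marker == 0xDA:
            # SOS: entropy-coded data runs until EOI; byte stuffing (FF 00) and
            # RSTn markers keep FF D9 out of the scan data, so find() is safe.
            eoi = data.find(b"\xff\xd9", pos + 2 + length)
            found["trailing"] = data[eoi + 2:] if eoi != -1 else b""
            break
        pos += 2 + length
    return found

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF, marker, big-endian length, payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample, not the real fingerprint.jpg: JFIF header, a comment,
# a tiny fake scan, and a placeholder flag appended after EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFE, b"note hidden in a COM segment")
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"  # fake entropy-coded bytes with one stuffed FF
    + b"\xff\xd9"
    + b"Flag:1 {constructed-placeholder}"
)
```

Call jpeg_extras(open(path, "rb").read()) on a real file; the "trailing" value is exactly what a hex viewer shows after the FF D9 bytes.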

//192.168.139.148/style/ contains the CSS files

Scan for backup files and other leftover files.

Found flag.zip and tips.txt

Look at //192.168.139.148/igolder/

//192.168.139.148/igolder/clue.txt

A PGP-generated private key and a message encrypted with the public key

The PGP-encrypted message

Decrypt the PGP message online; the passphrase is empty

//youritmate.us/pgp/

Hint obtained:

In case the forensic investigator forgets his password, this hint can help him, where the password is 6 characters long, the starting 3 characters are the word “for” and the ending 3 characters are numeric

Generate a wordlist from that pattern and run it.

The password is for007

Archive extracted successfully

Open flag.pdf

Flag:2 {4a3232c59ecda21ac71bebe3b329bf36}

The archive also contains lsass.DMP, a process memory dump.

The generated file is lsass.DMP

Information can be extracted from it with mimikatz

mimikatz # sekurlsa::minidump lsass.dmp

mimikatz # sekurlsa::logonPasswords full


NTLM :64fbae31cc352fc26af97cbdef151e03

SHA1 :c220d333379050d852f3e65b010a817712b8c176

Crack the NTLM hash

Log in with that account: jasoos/Password@1

Checked /var/www/html; no information was missed.

Found a docker-ftp folder in forensic's home directory

Check ifconfig

There is a docker0 interface, and therefore another subnet.

nmap is not installed, so scan the subnet from the shell

172.17.0.2 is up and runs an FTP service

Anonymous login as anonymous

Download saboot.001 and open it with an archive tool

Flag:3 {8442460f48338fe60a9497b8e0e9022f}

Another file, creds.txt

amVlbmFsaWlzYWdvb2RnaXJs

Base64 decode: jeenaliisagoodgirl

Try logging in as user forensic with jeenaliisagoodgirl

Login succeeded, and sudo -l shows root privileges

Check the root directory and read root.txt

Root Flag: {9440aee508b6215995219c58c8ba4b45}