HackMyVM: method machine walkthrough (WP)
城南花已开

Information gathering

Start with the usual ARP scan to find the target's IP.

┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:c2:9e:68, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0c (Unknown: locally administered)
192.168.56.100 08:00:27:1f:9a:d0 (Unknown)
192.168.56.112 08:00:27:4e:2c:59 (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.870 seconds (136.90 hosts/sec). 3 responded

Service detection

Run a full-port nmap scan against the target.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -p- -A 192.168.56.112 -oN .method
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-19 09:53 EDT
Nmap scan report for 192.168.56.112
Host is up (0.00054s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 4b:24:34:1f:41:10:88:b7:5a:6a:63:d9:f6:75:26:6f (RSA)
| 256 52:46:e7:20:68:c1:6f:90:2f:a6:ad:ee:6d:87:e7:28 (ECDSA)
|_ 256 3f:ce:97:a9:1e:f4:60:f4:0e:71:e7:46:58:28:71:f0 (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Test Page for the Nginx HTTP Server on Fedora
MAC Address: 08:00:27:4E:2C:59 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.54 ms 192.168.56.112

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.05 seconds

Port 80 is open, and it just serves the default test page of a freshly installed nginx.

┌──(kali㉿kali)-[~]
└─$ whatweb 192.168.56.112
http://192.168.56.112 [200 OK] Country[RESERVED][ZZ], HTTPServer[nginx/1.18.0], IP[192.168.56.112], PoweredBy[Debian,nginx], Title[Test Page for the Nginx HTTP Server on Fedora], nginx[1.18.0]

Nothing to work with here, so let's scan for directories, or take a hint from the machine's name (method) for the next steps.

Directory scanning

feroxbuster found nothing at first, probably because too few file extensions were included; after adding the txt extension it found a note.

┌──(kali㉿kali)-[~]
└─$ feroxbuster -u http://192.168.56.112 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .php,.txt,.zip,.html,.png,.txt
200 GET 1l 4w 23c http://192.168.56.112/note.txt
[>-------------------] - 4m 27342/1543822 4h found:1907 errors:0

The note gives a hint: enumeration is the key.

So keep scanning with more extensions (zip, htm, php, c); the scan turns up an index.htm, so let's open it.

┌──(kali㉿kali)-[~]
└─$ feroxbuster -u http://192.168.56.112 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.zip,.html,.png,.xml,.htm

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.112
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, txt, zip, html, png, xml, htm]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 116l 281w 3690c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 116l 281w 3690c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 9l 12w 285c http://192.168.56.112/sitemap.xml
200 GET 11738l 65910w 3639918c http://192.168.56.112/office.gif
302 GET 0l 0w 0c http://192.168.56.112/secret.php => https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg ## the form's target; it redirects
200 GET 30724l 182233w 9306127c http://192.168.56.112/hacker.gif
200 GET 7l 27w 344c http://192.168.56.112/index.htm ##this
[>-------------------] - 20s 5225/1764392 2h found:5 errors:0
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_192_168_56_112-1721398723.state ...
[>-------------------] - 20s 5227/1764392 2h found:5 errors:0
[>-------------------] - 20s 4992/1764368 253/s http://192.168.56.112/

It is an animated GIF. Viewing the source with Ctrl+U reveals a form that is not rendered on the page.

Its target (secret.php) was also found by the scan above; visiting it redirects to an image link hosted on AWS.

Intercepting with Burp Suite

There is no information there, but recalling that the form's method is GET and its name is HackMyVM, let's request it through Burp Suite.

It tells us to try another method, so change the method to POST directly in Burp Suite.

Found it. Now try replacing the value 1 with a command to test for command injection.

It works.

Since visiting secret.php in the browser redirects straight to the image link, cat the secret.php file instead; its contents reveal a username and password, so log in over SSH.

Once logged in, the user.txt flag is right there.

Privilege escalation as user prakasaka

Now to escalate to root; first check whether the user has any sudo privileges.

prakasaka@method:~$ sudo -l
Matching Defaults entries for prakasaka on method:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User prakasaka may run the following commands on method:
(!root) NOPASSWD: /bin/bash
(root) /bin/ip

Escalating to root

Sudo privilege escalation

This user cannot run /bin/bash as root: the rule is (!root), i.e. as any user except root.

But /bin/ip can be run as root, and GTFOBins has a sudo escalation entry for ip.

I tried option (a), but since I didn't know the file names in root's home directory I gave up on it and used (b).

By the second line I had root. Overall the later part went smoothly and was fairly easy; only the directory scanning at the start took a long time.

Incidentally, I asked GPT what these three lines do:

This snippet uses the network namespace feature provided by the Linux kernel to create a network namespace named "foo" and run a /bin/sh shell (i.e. a new shell session) inside it. Within this namespace the network environment can be configured independently, isolated from the host's network, in order to achieve network isolation or to test network configurations.

Specifically, the commands do the following:

  1. sudo ip netns add foo: create a network namespace named "foo".
  2. sudo ip netns exec foo /bin/sh: run a new shell session (/bin/sh) inside the "foo" namespace.
  3. sudo ip netns delete foo: delete the network namespace named "foo".

In summary, this snippet lets a user perform network isolation, network debugging and configuration testing on Linux, keeping different network environments independent of each other, which helps with managing and debugging networked applications.
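The sudo rule above is the root cause of the escalation: `ip netns exec` runs an arbitrary program as root, so granting `/bin/ip` via sudo is equivalent to granting a root shell. As an added example (not part of the original walkthrough), here is a small audit script that parses `sudo -l` output like the one quoted earlier and flags rules that give root on a binary with a known shell escape; the sample text is the output from this page, and the escape list is an assumption limited to the two binaries the page mentions.

```python
import re

# Constructed sample: the "sudo -l" output quoted earlier in this walkthrough.
SAMPLE_SUDO_L = """Matching Defaults entries for prakasaka on method:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User prakasaka may run the following commands on method:
    (!root) NOPASSWD: /bin/bash
    (root) /bin/ip
"""

# Binaries that hand out a shell when run via sudo. Assumption: only the two
# binaries on this page are listed; extend from GTFOBins for a real audit.
SHELL_ESCAPES = {
    "/bin/ip": "ip netns exec <ns> /bin/sh starts a root shell in a new namespace",
    "/bin/bash": "bash is a shell",
}

# "(runas) TAG: TAG: command" as printed by sudo -l.
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+)$")


def parse_sudo_l(text):
    """Return (runas_user, tags, command) for each rule under 'may run'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas, tags, cmd = m.groups()
        runas_user = runas.split(":")[0].strip()  # drop an optional ": group"
        tags = [t.rstrip(":") for t in tags.split()]
        rules.append((runas_user, tags, cmd.strip()))
    return rules


def find_risky_rules(text):
    """Flag rules that let the user reach root through a known shell escape."""
    findings = []
    for runas_user, tags, cmd in parse_sudo_l(text):
        if runas_user.startswith("!"):  # "(!root)" excludes root, so skip it
            continue
        binary = cmd.split()[0]
        if runas_user in ("root", "ALL") and binary in SHELL_ESCAPES:
            findings.append((binary, "NOPASSWD" in tags, SHELL_ESCAPES[binary]))
    return findings
```

Run against the sample, only `/bin/ip` is reported (the `(!root)` bash rule is skipped because it can never run as root); the fix is to remove the `/bin/ip` rule or replace it with a wrapper that exposes only the specific subcommand the user needs.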
