
hackmyvm Devguru box writeup

Difficulty: Medium


Network scan

└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:df:e2:a7, IPv4: 192.168.56.110
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:12       (Unknown: locally administered)
192.168.56.100  08:00:27:b9:9d:24       (Unknown)
192.168.56.118  08:00:27:0a:d1:c6       (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.945 seconds (131.62 hosts/sec). 3 responded

Port scan

└─# nmap -p- -sC -sV 192.168.56.118
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-26 06:04 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.118
Host is up (0.0012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 2a:46:e8:2b:01:ff:57:58:7a:5f:25:a4:d6:f2:89:8e (RSA)
|   256 08:79:93:9c:e3:b4:a4:be:80:ad:61:9d:d3:88:d2:84 (ECDSA)
|_  256 9c:f9:88:d4:33:77:06:4e:d9:7c:39:17:3e:07:9c:bd (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: DevGuru
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-git: 
|   192.168.56.118:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Last commit message: first commit 
|     Remotes:
|       http://devguru.local:8585/frank/devguru-website.git
|_    Project type: PHP application (guessed from .gitignore)
|_http-title: Corp - DevGuru
8585/tcp open  unknown
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=ff09e94694095e13; Path=/; HttpOnly
|     Set-Cookie: _csrf=IpwCeQIqzROZZReRwVnMFMJg63k6MTczNzkxODM1MzY4NDAxMzUzNw; Path=/; Expires=Mon, 27 Jan 2025 19:05:53 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 26 Jan 2025 19:05:53 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title> Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|     <meta name="description" content="Gitea (Git with a cup of tea) is a painless
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=4a06887fd403dbac; Path=/; HttpOnly
|     Set-Cookie: _csrf=IPSaNR6_pk_SVYZMBOdSYJ8bPxw6MTczNzkxODM1NDgzMTU3Mzk0OA; Path=/; Expires=Mon, 27 Jan 2025 19:05:54 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 26 Jan 2025 19:05:55 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|_    <meta name="description" content="Gitea (Git with a c
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:0A:D1:C6 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.50 seconds

Getting a webshell

Figure 0

There are some clues here to work with.

Figure 1
Figure 2

There's no hmv domain for now, but there is a .local one.

Figure 3
Figure 4

Versions are shown, worth looking up: Gitea is 1.12.5, Go is 1.14.9.

Figure 6
Figure 7

Trying Gitea.

Figure 8

This needs a username and password.

Figure 9

Do directory brute-forcing first, then continue in a bit.

Figure 10

Nothing much; check them one by one.

Figure 11

Oh, another login, worth a try.

Figure 12
Figure 13

Brute-forcing got nowhere; time to look at vulnerabilities.

Figure 14

This is the author's hint. At the start I noticed this thing has a git repo, so let's go test that.

Figure 15
Figure 16
Figure 17
Figure 18

No credentials, but we've cloned the repo, so we can look for them ourselves.

Figure 19
Figure 20
Figure 21
Figure 22
Figure 23

It documents the hashing scheme; if brute-forcing fails, we can make use of that.

Figure 24
Figure 25

Found a generator.

Figure 26

If brute-forcing fails, use it directly to change the password, since there is an edit button above.

It doesn't seem to have worked, so I changed it directly. Figure 27
Figure 28
Figure 29

Figure 30

The box is a bit old; searching for vulnerabilities could take a while without turning anything up, so let's look inside the web pages.

Figure 34

Figure 31
Figure 32

The pages are editable; here I use the {} template injection from above. Searching only turns up stuff from ten years ago.

Figure 33

Confirmed this injection exists; proceeding directly.

Figure 35
Figure 36

That one is Python and didn't work; trying the PHP one.

Figure 38

Figure 37

Broke it; switching approach.

Figure 39
Figure 40

Finally succeeded, after trying many approaches.

Though nc directly didn't work for me, wget did. Figure 41
Figure 42
Figure 43
Figure 44
Figure 45

Privilege escalation

www-data@devguru:/var/www/html$ cd /home/
www-data@devguru:/home$ ls -al
total 12
drwxr-xr-x  3 root  root  4096 Nov 18  2020 .
drwxr-xr-x 25 root  root  4096 Nov 19  2020 ..
drwxr-x---  7 frank frank 4096 Nov 19  2020 frank
www-data@devguru:/home$ cd frank/
bash: cd: frank/: Permission denied
www-data@devguru:/home$ sudo -l
[sudo] password for www-data: 
www-data@devguru:/home$ ^C
www-data@devguru:/home$ 
www-data@devguru:/home$ cd /opt/
www-data@devguru:/opt$ ls -al
total 16
drwxr-xr-x  4 root  root  4096 Nov 18  2020 .
drwxr-xr-x 25 root  root  4096 Nov 19  2020 ..
drwx--x--x  4 root  root  4096 Nov 18  2020 containerd
drwxr-x---  3 frank frank 4096 Jan 26 13:00 gitea
www-data@devguru:/opt$ cd gitea/
bash: cd: gitea/: Permission denied
www-data@devguru:/opt$ cd containerd/
www-data@devguru:/opt/containerd$ ls -al
ls: cannot open directory '.': Permission denied
www-data@devguru:/opt/containerd$ 

Figure 47

Got a clue.

Figure 48
Figure 49
Figure 50
Figure 51

Only found this, nothing else, so let's use a tool.

Figure 52
Figure 53

www-data@devguru:/tmp$ ls -al /etc/gitea/app.ini
ls: cannot access '/etc/gitea/app.ini': Permission denied
www-data@devguru:/tmp$ cd /usr/local/bin/gitea
bash: cd: /usr/local/bin/gitea: Not a directory
www-data@devguru:/tmp$ ls -al /usr/local/bin/gitea
-rwxrwxr-x 1 frank frank 107443064 Nov 19  2020 /usr/local/bin/gitea

Figure 54

No cron jobs; we'll have to work on the process behind the other port.

Figure 55
Figure 56
Figure 57

Even more confused. Back to app.ini.bak under /var/backup/; this should be a backup of that app.ini.

Figure 58

Continue from the top to see if anything turns up.

Figure 59
Figure 60

Another password.

Figure 61

Brute force isn't the way.

Figure 62

It gives some clues: the hashing method used, the rands and the salt are all there.

Figure 63

Forget it; like the first one, just change the password. Using the site's MySQL makes it easy to change. Figure 64
Figure 65

128 is a bit short.

Figure 66
Figure 67

Clearly the length is insufficient.

Figure 68

Now it's too long. Figure 69

I didn't understand the iteration part, but there's a hint this way: we can work with the earlier password.
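The hash-length confusion above comes down to the output size of Gitea's password scheme. This is an added example, not code from the writeup or from Gitea itself, implementing what I understand to be Gitea 1.12's default pbkdf2 algorithm (PBKDF2-HMAC-SHA256, 10000 iterations, 50-byte key, stored as 100 hex characters); the rands column is a separate random value and is not an input to the hash. The parameters and the 10-character salt shape are assumptions from the Gitea source as I recall it, used here to verify a password against a stored hash.

```python
import hashlib
import hmac
import secrets
import string

# Assumed parameters: Gitea 1.12's default "pbkdf2" password algorithm
# (PBKDF2-HMAC-SHA256, 10000 iterations, 50-byte derived key, hex-encoded).
# The user table stores passwd (hex), salt (10 random chars) and passwd_hash_algo.
PBKDF2_ITERATIONS = 10000
PBKDF2_KEY_LEN = 50
SALT_LEN = 10
SALT_ALPHABET = string.ascii_letters + string.digits


def new_salt() -> str:
    """Random salt in the shape Gitea uses (assumption: 10 alphanumeric chars)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))


def gitea_pbkdf2(password: str, salt: str) -> str:
    """Hex digest as stored in user.passwd: 50 bytes -> 100 hex characters."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        salt.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PBKDF2_KEY_LEN,
    )
    return dk.hex()


def verify_password(password: str, salt: str, stored_hex: str) -> bool:
    """Constant-time comparison against a stored hash; rejects malformed lengths."""
    if len(stored_hex) != 2 * PBKDF2_KEY_LEN:
        # A 128- or 256-character value cannot be a Gitea pbkdf2 hash; a wrong
        # output length is the usual reason a hand-generated hash never verifies.
        return False
    return hmac.compare_digest(gitea_pbkdf2(password, salt), stored_hex.lower())


if __name__ == "__main__":
    salt = new_salt()
    stored = gitea_pbkdf2("correct horse battery staple", salt)  # constructed sample
    print(len(stored), verify_password("correct horse battery staple", salt, stored))
```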

Figure 70

OK, we can log in. We can also reuse the earlier PoC.

Figure 71
Figure 72

Seems to be a domain-name issue; try adding it.

Figure 73
Figure 74

No shell appears; try getting it to call back.

Figure 75
Figure 76

Still nothing.

Figure 77

Create it manually: create the repo first, then go to Settings and find Git Hooks, continue with the post-receive one, paste the code, and then it shows a hint on how to push with git.

Figure 78
Figure 79

www-data@devguru:/var/backups$ cd /tmp/
www-data@devguru:/tmp$ mkdir reverse
www-data@devguru:/tmp$ cd reverse/
www-data@devguru:/tmp/reverse$ touch README.md
www-data@devguru:/tmp/reverse$ git init
Initialized empty Git repository in /tmp/reverse/.git/
www-data@devguru:/tmp/reverse$ git add .
www-data@devguru:/tmp/reverse$ git commit -m "first commit"
[master (root-commit) 6938a07] first commit
 Committer: www-data <www-data@devguru.local>
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly. Run the
following command and follow the instructions in your editor to edit
your configuration file:

    git config --global --edit

After doing this, you may fix the identity used for this commit with:

    git commit --amend --reset-author

 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 README.md
www-data@devguru:/tmp/reverse$ git remote add origin http://devguru.local:8585/frank/revrse.git
www-data@devguru:/tmp/reverse$ git push -u origin master
Username for 'http://devguru.local:8585': frank
Password for 'http://frank@devguru.local:8585': 
Counting objects: 3, done.
Writing objects: 100% (3/3), 210 bytes | 26.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0)
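Two findings above, the readable app.ini.bak with database credentials and the Git Hooks feature that runs hook scripts as the Gitea service user, are both settings a defender can audit in app.ini. This is an added example, not the writeup's or Gitea's code: it parses an app.ini body with constructed placeholder values and flags a stored DB password in a group- or others-readable file and DISABLE_GIT_HOOKS not set to true. DISABLE_GIT_HOOKS is a real [security] key; every value in the sample is constructed.

```python
import configparser
import os
import stat

# Constructed sample in the shape of a Gitea app.ini (not the box's real file;
# all values are placeholders). DISABLE_GIT_HOOKS is a real [security] key.
SAMPLE_APP_INI = """
[database]
DB_TYPE = mysql
HOST    = 127.0.0.1:3306
NAME    = gitea
USER    = gitea
PASSWD  = PLACEHOLDER_DB_PASSWORD

[security]
INSTALL_LOCK      = true
SECRET_KEY        = PLACEHOLDER_SECRET
DISABLE_GIT_HOOKS = false
"""


def audit_app_ini(text, mode=None):
    """Return findings for an app.ini body.

    mode is the file's st_mode (None if unknown). A copy readable by group or
    others, like a backup under /var/backups, hands the DB password to any
    local account, which is exactly what the www-data shell used above.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if cp.get("database", "PASSWD", fallback="").strip():
        findings.append("database password stored in app.ini")
        if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("app.ini readable by group/others")
    # Git hooks are shell scripts executed by the Gitea process on push; anyone
    # who can edit them runs commands as the service user (frank on this box).
    if not cp.getboolean("security", "DISABLE_GIT_HOOKS", fallback=False):
        findings.append("git hooks enabled: hook editors can run commands as the gitea user")
    return findings


def audit_file(path):
    """Audit a real file, taking its permission bits from the filesystem."""
    with open(path, encoding="utf-8") as f:
        return audit_app_ini(f.read(), os.stat(path).st_mode)
```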

Figure 80

frank@devguru:/home/frank$ sudo -l
Matching Defaults entries for frank on devguru:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User frank may run the following commands on devguru:
    (ALL, !root) NOPASSWD: /usr/bin/sqlite3
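The (ALL, !root) rule is the pivot for the final step, and the pattern is worth flagging in any sudoers review: "run as anyone except root" expressed by negation is fragile, and the writeup notes the trick depends on the sudo version. This is an added example, not from the writeup, that parses sudo -l output (the lines above plus one constructed benign rule for contrast) and reports rules granting ALL runas targets while excluding root only by negation.

```python
import re

# Constructed sample: the "sudo -l" output shown above, plus one benign rule
# added for contrast, embedded so the check runs offline.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for frank on devguru:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User frank may run the following commands on devguru:
    (ALL, !root) NOPASSWD: /usr/bin/sqlite3
    (root) /usr/bin/systemctl restart gitea
"""

# "(runas_users[ : runas_groups]) [TAG: ...] command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_rules(text):
    """Parse the command section of 'sudo -l' output into rule dicts."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        m = RULE_RE.match(line) if in_commands else None
        if not m:
            continue
        users = m.group("runas").split(":")[0]  # ignore any runas group list
        runas = [p.strip() for p in users.split(",") if p.strip()]
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        rules.append({"runas": runas, "tags": tags, "cmd": m.group("cmd").strip()})
    return rules


def risky_rules(rules):
    """Flag rules that grant ALL runas users but exclude root only by negation.

    An allow list written as "everything minus root" is what the final
    escalation above leans on; NOPASSWD makes the finding more severe.
    """
    findings = []
    for r in rules:
        negated_root = any(p.startswith("!") and p[1:].strip() == "root" for p in r["runas"])
        if "ALL" in r["runas"] and negated_root:
            severity = "high" if "NOPASSWD" in r["tags"] else "medium"
            findings.append((r["cmd"], severity, "runas ALL with !root negation"))
    return findings


if __name__ == "__main__":
    for cmd, sev, why in risky_rules(parse_sudo_rules(SAMPLE_SUDO_L)):
        print(f"{sev}: {cmd}: {why}")
```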

A new thing here about sudo; I just asked GPT.

Figure 81 Figure 83

Figure 82

Usable when the version is below that.

Figure 84
Figure 85

OK, that's the end.

userflag:22854d0aec6ba776f9d35bf7b0e00217

rootflag:96440606fb88aa7497cde5a8e68daf8f

This post is licensed under CC BY 4.0 by the author.