hackmyvm Influencer Target Machine Review
Difficulty: Medium
Network segment scan
root@LingMj:/home/lingmj# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:df:e2:a7, IPv4: 192.168.56.110
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:13 (Unknown: locally administered)
192.168.56.100 08:00:27:11:42:18 (Unknown)
192.168.56.147 08:00:27:55:e1:25 (Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.863 seconds (137.41 hosts/sec). 3 responded
Port scan
root@LingMj:/home/lingmj# nmap -p- -sC -sV 192.168.56.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 07:03 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.147
Host is up (0.0052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.52 (Ubuntu)
2121/tcp open ftp vsftpd 3.0.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.56.110
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11113 Jun 09 2023 facebook.jpg
| -rw-r--r-- 1 0 0 35427 Jun 09 2023 github.jpg
| -rw-r--r-- 1 0 0 88816 Jun 09 2023 instagram.jpg
| -rw-r--r-- 1 0 0 27159 Jun 09 2023 linkedin.jpg
| -rw-r--r-- 1 0 0 28 Jun 08 2023 note.txt
|_-rw-r--r-- 1 0 0 124263 Jun 09 2023 snapchat.jpg
MAC Address: 08:00:27:55:E1:25 (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.79 seconds
Getting a webshell
This is a WordPress box; let's look at FTP first.
root@LingMj:/home/lingmj/xxoo# exiftool instagram.jpg
ExifTool Version Number : 12.76
File Name : instagram.jpg
Directory : .
File Size : 89 kB
File Modification Date/Time : 2023:06:09 06:49:22-04:00
File Access Date/Time : 2025:02:08 07:09:08-05:00
File Inode Change Date/Time : 2025:02:08 07:09:08-05:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Exif Byte Order : Little-endian (Intel, II)
Photometric Interpretation : RGB
Orientation : Horizontal (normal)
Samples Per Pixel : 3
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Software : Adobe Photoshop CC 2015 (Macintosh)
Modify Date : 2016:05:11 21:23:06
Exif Version : 0221
Color Space : Uncalibrated
Exif Image Width : 924
Exif Image Height : 764
Compression : JPEG (old-style)
Thumbnail Offset : 398
Thumbnail Length : 3876
Current IPTC Digest : cdcffa7da8c7be09057076aeaf05c34e
Coded Character Set : UTF8
Application Record Version : 0
IPTC Digest : cdcffa7da8c7be09057076aeaf05c34e
Displayed Units X : inches
Displayed Units Y : inches
Print Style : Centered
Print Position : 0 0
Print Scale : 1
Global Angle : 30
Global Altitude : 30
URL List :
Slices Group Name : instagram_2016_icon
Num Slices : 1
Pixel Aspect Ratio : 1
Photoshop Thumbnail : (Binary data 3876 bytes, use -b option to extract)
Has Real Merged Data : Yes
Writer Name : Adobe Photoshop
Reader Name : Adobe Photoshop CC 2015
Photoshop Quality : 10
Photoshop Format : Standard
XMP Toolkit : Adobe XMP Core 5.6-c067 79.157747, 2015/03/30-23:40:42
Original Document ID : xmp.did:28c63ca7-9ca2-4996-84a5-7ef15c7e2f26
Document ID : xmp.did:87344C950EC411E6A514AEBCFA4BC85B
Instance ID : xmp.iid:49e71cba-93b4-4312-a915-b1db326d6638
Creator Tool : Adobe Photoshop CC 2015 (Macintosh)
Create Date : 2016:05:11 18:04:19+02:00
Metadata Date : 2016:05:11 21:23:06+02:00
Format : image/jpeg
Color Mode : RGB
ICC Profile Name : Adobe RGB (1998)
Derived From Instance ID : xmp.iid:d9d82c5c-1417-48b9-a7d0-a64b1e0c2fad
Derived From Document ID : adobe:docid:photoshop:3b018f21-570f-1179-bd1b-ae993c068af8
History Action : saved
History Instance ID : xmp.iid:49e71cba-93b4-4312-a915-b1db326d6638
History When : 2016:05:11 21:23:06+02:00
History Software Agent : Adobe Photoshop CC 2015 (Macintosh)
History Changed : /
Profile CMM Type : Adobe Systems Inc.
Profile Version : 2.1.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 1999:06:03 00:00:00
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Device Manufacturer : none
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Adobe Systems Inc.
Profile ID : 0
Profile Copyright : Copyright 1999 Adobe Systems Incorporated
Profile Description : Adobe RGB (1998)
Media White Point : 0.95045 1 1.08905
Media Black Point : 0 0 0
Red Tone Reproduction Curve : (Binary data 14 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 14 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 14 bytes, use -b option to extract)
Red Matrix Column : 0.60974 0.31111 0.01947
Green Matrix Column : 0.20528 0.62567 0.06087
Blue Matrix Column : 0.14919 0.06322 0.74457
DCT Encode Version : 100
APP14 Flags 0 : [14]
APP14 Flags 1 : (none)
Color Transform : YCbCr
Image Width : 924
Image Height : 764
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 924x764
Megapixels : 0.706
Thumbnail Image : (Binary data 3876 bytes, use -b option to extract)
root@LingMj:/home/lingmj/xxoo# strings -n 9 instagram.jpg
Adobe Photoshop CC 2015 (Macintosh)
2016:05:11 21:23:06
VPhotoshop 3.0
printOutput
printSixteenBitbool
printerNameTEXT
printProofSetupObjc
proofSetup
builtinProof
proofCMYK
printOutputOptions
Rd doub@o
Grn doub@o
Bl doub@o
BrdTUntF#Rlt
Bld UntF#Rlt
RsltUntF#Pxl@R
vectorDatabool
LeftUntF#Rlt
Top UntF#Rlt
Scl UntF#Prc@Y
cropWhenPrintingbool
cropRectBottomlong
cropRectLeftlong
cropRectRightlong
cropRectToplong
boundsObjc
slicesVlLs
sliceIDlong
groupIDlong
originenum
ESliceOrigin
autoGenerated
ESliceType
boundsObjc
altTagTEXT
cellTextIsHTMLbool
cellTextTEXT
horzAlignenum
ESliceHorzAlign
vertAlignenum
ESliceVertAlign
bgColorTypeenum
ESliceBGColorType
topOutsetlong
leftOutsetlong
bottomOutsetlong
rightOutsetlong
http://ns.adobe.com/xap/1.0/
<?xpacket begin="
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c067 79.157747, 2015/03/30-23:40:42 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmpMM:OriginalDocumentID="xmp.did:28c63ca7-9ca2-4996-84a5-7ef15c7e2f26" xmpMM:DocumentID="xmp.did:87344C950EC411E6A514AEBCFA4BC85B" xmpMM:InstanceID="xmp.iid:49e71cba-93b4-4312-a915-b1db326d6638" xmp:CreatorTool="Adobe Photoshop CC 2015 (Macintosh)" xmp:CreateDate="2016-05-11T18:04:19+02:00" xmp:ModifyDate="2016-05-11T21:23:06+02:00" xmp:MetadataDate="2016-05-11T21:23:06+02:00" dc:format="image/jpeg" photoshop:ColorMode="3" photoshop:ICCProfile="Adobe RGB (1998)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:d9d82c5c-1417-48b9-a7d0-a64b1e0c2fad" stRef:documentID="adobe:docid:photoshop:3b018f21-570f-1179-bd1b-ae993c068af8"/> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:49e71cba-93b4-4312-a915-b1db326d6638" stEvt:when="2016-05-11T21:23:06+02:00" stEvt:softwareAgent="Adobe Photoshop CC 2015 (Macintosh)" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
@ICC_PROFILE
mntrRGB XYZ
Copyright 1999 Adobe Systems Incorporated
Adobe RGB (1998)
qUP|1ULUx?~*
|>.cr?LG9
v90PCt9;aMb
,Yb' }Q?x
LxYq-(hpp
<,mpOl<+m
UYGLUUG|UT
root@LingMj:/home/lingmj/xxoo# stegseek instagram.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.95% (133.4 MB)
[!] error: Could not find a valid passphrase.
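The passphrase isn't right; never mind, let's try brute-forcing FTP.
Nothing from FTP; it was taking too long so I stopped and ran wpscan instead. If that doesn't work I'll look for plugin vulnerabilities.
I've tested everything I could; time to look at UDP or IPv6.
There must be some information I'm still missing; scanning directories.
Using a password-generation tool.
I didn't see where the address is.
It seems it can only be changed once. It did execute successfully, but never mind; the plugin route errors out afterwards, so let's look at the theme.
I suddenly forgot how to do this; let's try injecting directly.
Finally succeeded. There's no nc; it's busybox.
Privilege escalation
The MySQL one is wrong, but we have 2 passwords to try logging in as a user.
It wants me to install it; where would I get network access and permissions? It's definitely not logging in this way.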
www-data@influencer:/home$ cd /opt/
www-data@influencer:/opt$ ls -al
total 8
drwxr-xr-x 2 root root 4096 Feb 17 2023 .
drwxr-xr-x 19 root root 4096 Jun 8 2023 ..
www-data@influencer:/opt$ cd /var/backups/
www-data@influencer:/var/backups$ ls -al
total 48
drwxr-xr-x 2 root root 4096 Feb 8 12:44 .
drwxr-xr-x 14 root root 4096 Jun 8 2023 ..
-rw-r--r-- 1 root root 39940 Jun 10 2023 apt.extended_states.0
www-data@influencer:/var/backups$ ss -lnput
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 192.168.56.147%enp0s3:68 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:1212 0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:2121 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
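An added example, not part of the original post: a short Python audit that classifies the listeners from the ss output above by bind scope, so that services bound only to loopback (here 1212 and 3306) stand apart from the ones the earlier nmap scan reported. The function names are illustrative assumptions; the sample rows are copied from the output above.

```python
import ipaddress

# Listener rows copied from the `ss -lnput` output shown above.
SS_OUTPUT = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 192.168.56.147%enp0s3:68 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:1212 0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:2121 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
"""

def bind_scope(host):
    """Classify a bind address as 'loopback', 'any' or 'interface'."""
    host = host.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and %iface
    if host == "*":
        return "any"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "any"
    return "interface"

def parse_listeners(text):
    """Return (proto, port, scope) for every socket row of ss -ln output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":
            continue
        host, _, port = fields[4].rpartition(":")
        rows.append((fields[0], int(port), bind_scope(host)))
    return rows

def local_only_tcp(text, scanned_open):
    """TCP ports bound to loopback that an external port scan cannot see."""
    return sorted(port for proto, port, scope in parse_listeners(text)
                  if proto == "tcp" and scope == "loopback"
                  and port not in scanned_open)

if __name__ == "__main__":
    for row in parse_listeners(SS_OUTPUT):
        print(*row)
    print("loopback-only TCP:", local_only_tcp(SS_OUTPUT, {80, 2121}))
```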
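Whoa, there's the opening.
All according to plan: as expected, it comes down to the password and finding the SSH port.
I have a question: lxd is present on it, so could I go straight to root? Let's do it the conventional way first.
A bit speechless.
After studying it and thinking it over, I think I understand: I kept writing the wrong thing.
As expected, it was a path problem. It uses the user juan to look for the file we injected, so we have to go to tmp.
Too easy; just play the trump card. OK, done.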
userflag:goodjobbro
rootflag:19283712487912
This post is licensed under CC BY 4.0 by the author.