MazeSec badbox设计流程

发布于: 2026-07-03 01:00

模板说明

本次靶机使用alpine模板,靶机自带php84 apache2

换源

项目推荐https://github.com/SuperManito/LinuxMirrors

GNU/Linux 更换系统软件源

bash <(curl -sSL https://linuxmirrors.cn/main.sh)

安装mysql及扩展

WordPress 需要 mysqli、pdo_mysql等扩展,否则连数据库会失败。

apk add php84-mysqli php84-pdo_mysql php84-session php84-curl php84-xml php84-mbstring php84-zip php84-gd php84-opcache

重启 Apache:

rc-service apache2 restart

验证扩展是否加载成功:

php -m | grep mysqli

初始化 MariaDB

安装 MariaDB:

apk add mariadb mariadb-client

启动并设置开机自启

rc-update add mariadb default
/etc/init.d/mariadb setup
rc-service mariadb start

进入 MariaDB:

mariadb -u root

设置 root 密码:

FLUSH PRIVILEGES;
ALTER USER 'root'@'localhost' IDENTIFIED BY 'M!aR1aDB#2026$xYz';
FLUSH PRIVILEGES;
EXIT;

创建 WordPress 数据库和用户

root:M!aR1aDB#2026$xYz

yepian:11111111

mariadb -u root --password='M!aR1aDB#2026$xYz' <<'EOF'
CREATE DATABASE wordpress DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'yepian'@'localhost' IDENTIFIED BY '11111111';
GRANT ALL PRIVILEGES ON wordpress.* TO 'yepian'@'localhost';
FLUSH PRIVILEGES;
EOF

安装wordpress

获取wordpress

cd /tmp
wget 192.168.1.6/a.zip
unzip a.zip
cp -r wordpress/* /var/www/html
rm -rf a.zip wordpress

手动创建 wp-config.php

cd /var/www/html
cp wp-config-sample.php wp-config.php
cat > /var/www/html/wp-config.php <<'PHPEOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'yepian' );
define( 'DB_PASSWORD', '11111111' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );

define( 'WP_HOME', 'http://badbox.dsz' );
define( 'WP_SITEURL', 'http://badbox.dsz' );

$table_prefix = 'wp_';

define( 'WP_DEBUG', false );

define( 'AUTH_KEY',         'G^w5V&K5zq8T%u9Lp2@Xm7Qr4Jh6Yn1W' );
define( 'SECURE_AUTH_KEY',  'Bc3sE!fH7dR0tYpL9oK2mN5qX8wZ1vA4' );
define( 'LOGGED_IN_KEY',    'P7uY3tC6vB9nM2kX0jR5sT8wQ1eF4hJ7' );
define( 'NONCE_KEY',        'Lk9mN3bV6cX0zA2sD5fG8hJ1kL4pQ7wE' );
define( 'AUTH_SALT',        'Rt5yU8iO2pL9aS3dF6gH1jK4lZ7xC0vB' );
define( 'SECURE_AUTH_SALT', 'Mn4bV7nC0xZ3aQ6wE9rT2yU5iO8pL1kS' );
define( 'LOGGED_IN_SALT',   'Df6Gh9Jk2Lm4nP7qR0sT3vW5xY8zA1bB' );
define( 'NONCE_SALT',       'Hj3Kl6Mn9pQ2rS5tU8vW1xY4zA7bB0cE' );

require_once ABSPATH . 'wp-settings.php';
PHPEOF

配置 Apache + 域名

# 消除 ServerName 警告
echo "ServerName badbox.dsz" >> /etc/apache2/httpd.conf

# 加载 rewrite 模块
echo "LoadModule rewrite_module /usr/lib/apache2/mod_rewrite.so" >> /etc/apache2/httpd.conf

# 把 AllowOverride None 改成 All
sed -i '/<Directory "\/var\/www\/html">/,/<\/Directory>/ s/AllowOverride None/AllowOverride All/' /etc/apache2/httpd.conf

# 验证 AllowOverride All
sed -n '/<Directory "\/var\/www\/html">/,/<\/Directory>/p' /etc/apache2/httpd.conf

# 本地 hosts
echo "127.0.0.1 badbox.dsz" >> /etc/hosts

# 重启
rc-service apache2 restart

通过wp-cli 完成 WordPress 安装


apk add php84-phar
cd /var/www/html
wget https://gh-proxy.com/https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp

wp core install \
  --url=badbox.dsz \
  --title="BadBox Site" \
  --admin_user=yepian \
  --admin_password='11111111' \
  --admin_email=admin@badbox.dsz

权限修复

chown -R apache:apache /var/www/html
chmod -R 755 /var/www/html

修改主机名

hostname="badbox"
echo "$hostname" > /etc/hostname
echo "127.0.0.1 localhost badbox badbox.dsz" > /etc/hosts
echo "::1       localhost" >> /etc/hosts
hostname -F /etc/hostname

添加用户

创建用户 yepian 并设置密码

adduser -D -s /bin/bash yepian
echo "yepian:2026-07-02build" | chpasswd

修改root密码

echo 'root:2026-07-02build!@#' | chpasswd

注意如果双引号里有 !、$、反引号、空格这些特殊字符,在shell里会进行解析,如无实意,建议使用单引号包裹

放置flag

生成flag

#!/bin/bash

flag_root=$(echo "root-$(date)" | md5sum | awk '{print $1}')
flag_user=$(echo "user-$(date)" | md5sum | awk '{print $1}')

echo "flag{root-$flag_root}"
echo "flag{user-$flag_user}"

放置flag

echo 'flag{root-c1c1a07c7fd6cc391464faa7625d7900}' > /root/root.txt
echo 'flag{user-20d5d73042f640282afa479ef40e63a4}' > /home/yepian/user.txt

安装工具包

安装util-linux包,方便使用script反弹shell优化

apk add util-linux

安装vim

apk add vim

配置suid工具

通过定时任务,在nosuid的tmp目录放置suid bash,避免重启消失

echo '* * * * * /bin/bash -c "cp /bin/bash /tmp/bash; chmod +s /tmp/bash"' >> /etc/crontabs/root

在 /var/tmp 目录下放置 suid bash

cp $(which bash) /var/tmp/bash
chmod +s /var/tmp/bash

清理痕迹

# 清理 /tmp(注意别把自己踢出去)
rm -rf /tmp/*

# 清理 root 家目录临时文件
rm -f /root/.lesshst /root/.viminfo /root/.mysql_history

# Alpine 没有 apt,清 apk 缓存
apk cache clean
rm -rf /var/cache/apk/*

# 清理日志
find /var/log -type f -name "*.log" -exec truncate -s 0 {} \;
find /var/log -type f \( -name "*.gz" -o -name "*.old" \) -delete

# Alpine 没有 journalctl,跳过
# 清除 shell 历史
truncate -s 0 /root/.bash_history
truncate -s 0 /home/yepian/.bash_history

# 清除登录记录
truncate -s 0 /var/log/wtmp /var/log/btmp /var/log/lastlog

# 清除当前 shell 历史(内存里的)
history -c

压缩镜像

# 用零填充空闲空间,便于压缩
dd if=/dev/zero of=/zero bs=1M || true; rm -f /zero