MazeSec badbox设计流程
模板说明
本次靶机使用alpine模板,靶机自带php84 apache2
换源
项目推荐https://github.com/SuperManito/LinuxMirrors
GNU/Linux 更换系统软件源
bash <(curl -sSL https://linuxmirrors.cn/main.sh)
安装mysql及扩展
WordPress 需要 mysqli、pdo_mysql等扩展,否则连数据库会失败。
apk add php84-mysqli php84-pdo_mysql php84-session php84-curl php84-xml php84-mbstring php84-zip php84-gd php84-opcache
重启 Apache:
rc-service apache2 restart
验证扩展是否加载成功:
php -m | grep mysqli
初始化 MariaDB
安装 MariaDB:
apk add mariadb mariadb-client
启动并设置开机自启
rc-update add mariadb default
/etc/init.d/mariadb setup
rc-service mariadb start
进入 MariaDB:
mariadb -u root
设置 root 密码:
FLUSH PRIVILEGES;
ALTER USER 'root'@'localhost' IDENTIFIED BY 'M!aR1aDB#2026$xYz';
FLUSH PRIVILEGES;
EXIT;
创建 WordPress 数据库和用户
root:M!aR1aDB#2026$xYz
yepian:11111111
mariadb -u root --password='M!aR1aDB#2026$xYz' <<'EOF'
CREATE DATABASE wordpress DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'yepian'@'localhost' IDENTIFIED BY '11111111';
GRANT ALL PRIVILEGES ON wordpress.* TO 'yepian'@'localhost';
FLUSH PRIVILEGES;
EOF
安装wordpress
获取wordpress
cd /tmp
wget 192.168.1.6/a.zip
unzip a.zip
cp -r wordpress/* /var/www/html
rm -rf a.zip wordpress
手动创建 wp-config.php
cd /var/www/html
cp wp-config-sample.php wp-config.php
cat > /var/www/html/wp-config.php <<'PHPEOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'yepian' );
define( 'DB_PASSWORD', '11111111' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );
define( 'WP_HOME', 'http://badbox.dsz' );
define( 'WP_SITEURL', 'http://badbox.dsz' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
define( 'AUTH_KEY', 'G^w5V&K5zq8T%u9Lp2@Xm7Qr4Jh6Yn1W' );
define( 'SECURE_AUTH_KEY', 'Bc3sE!fH7dR0tYpL9oK2mN5qX8wZ1vA4' );
define( 'LOGGED_IN_KEY', 'P7uY3tC6vB9nM2kX0jR5sT8wQ1eF4hJ7' );
define( 'NONCE_KEY', 'Lk9mN3bV6cX0zA2sD5fG8hJ1kL4pQ7wE' );
define( 'AUTH_SALT', 'Rt5yU8iO2pL9aS3dF6gH1jK4lZ7xC0vB' );
define( 'SECURE_AUTH_SALT', 'Mn4bV7nC0xZ3aQ6wE9rT2yU5iO8pL1kS' );
define( 'LOGGED_IN_SALT', 'Df6Gh9Jk2Lm4nP7qR0sT3vW5xY8zA1bB' );
define( 'NONCE_SALT', 'Hj3Kl6Mn9pQ2rS5tU8vW1xY4zA7bB0cE' );
require_once ABSPATH . 'wp-settings.php';
PHPEOF
配置 Apache + 域名
# 消除 ServerName 警告
echo "ServerName badbox.dsz" >> /etc/apache2/httpd.conf
# 加载 rewrite 模块
echo "LoadModule rewrite_module /usr/lib/apache2/mod_rewrite.so" >> /etc/apache2/httpd.conf
# 把 AllowOverride None 改成 All
sed -i '/<Directory "\/var\/www\/html">/,/<\/Directory>/ s/AllowOverride None/AllowOverride All/' /etc/apache2/httpd.conf
# 验证 AllowOverride All
sed -n '/<Directory "\/var\/www\/html">/,/<\/Directory>/p' /etc/apache2/httpd.conf
# 本地 hosts
echo "127.0.0.1 badbox.dsz" >> /etc/hosts
# 重启
rc-service apache2 restart
通过wp-cli 完成 WordPress 安装
apk add php84-phar
cd /var/www/html
wget https://gh-proxy.com/https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp
wp core install \
--url=badbox.dsz \
--title="BadBox Site" \
--admin_user=yepian \
--admin_password='11111111' \
--admin_email=admin@badbox.dsz
权限修复
chown -R apache:apache /var/www/html
chmod -R 755 /var/www/html
修改主机名
hostname="badbox"
echo "$hostname" > /etc/hostname
echo "127.0.0.1 localhost badbox badbox.dsz" > /etc/hosts
echo "::1 localhost" >> /etc/hosts
hostname -F /etc/hostname
添加用户
创建用户 yepian 并设置密码
adduser -D -s /bin/bash yepian
echo "yepian:2026-07-02build" | chpasswd
修改root密码
echo 'root:2026-07-02build!@#' | chpasswd
注意如果双引号里有 !、$、反引号、空格这些特殊字符,在shell里会进行解析,如无实意,建议使用单引号包裹
放置flag
生成flag
#!/bin/bash
flag_root=$(echo "root-$(date)" | md5sum | awk '{print $1}')
flag_user=$(echo "user-$(date)" | md5sum | awk '{print $1}')
echo "flag{root-$flag_root}"
echo "flag{user-$flag_user}"
放置flag
echo 'flag{root-c1c1a07c7fd6cc391464faa7625d7900}' > /root/root.txt
echo 'flag{user-20d5d73042f640282afa479ef40e63a4}' > /home/yepian/user.txt
安装工具包
安装util-linux包,方便使用script反弹shell优化
apk add util-linux
安装vim
apk add vim
配置suid工具
通过定时任务,在nosuid的tmp目录放置suid bash,避免重启消失
echo '* * * * * /bin/bash -c "cp /bin/bash /tmp/bash; chmod +s /tmp/bash"' >> /etc/crontabs/root
在 /var/tmp 目录下放置 suid bash
cp $(which bash) /var/tmp/bash
chmod +s /var/tmp/bash
清理痕迹
# 清理 /tmp(注意别把自己踢出去)
rm -rf /tmp/*
# 清理 root 家目录临时文件
rm -f /root/.lesshst /root/.viminfo /root/.mysql_history
# Alpine 没有 apt,清 apk 缓存
apk cache clean
rm -rf /var/cache/apk/*
# 清理日志
find /var/log -type f -name "*.log" -exec truncate -s 0 {} \;
find /var/log -type f \( -name "*.gz" -o -name "*.old" \) -delete
# Alpine 没有 journalctl,跳过
# 清除 shell 历史
truncate -s 0 /root/.bash_history
truncate -s 0 /home/yepian/.bash_history
# 清除登录记录
truncate -s 0 /var/log/wtmp /var/log/btmp /var/log/lastlog
# 清除当前 shell 历史(内存里的)
history -c
压缩镜像
# 用零填充空闲空间,便于压缩
dd if=/dev/zero of=/zero bs=1M || true; rm -f /zero