Nyx

usershell

目标IP:192.168.205.138

服务探测:

22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))

Web目录扫描

+ http://192.168.205.138/index.html (CODE:200|SIZE:965)                                                     + http://192.168.205.138/server-status (CODE:403|SIZE:280) 

未发现有用的信息

nmap进行枚举

┌──(kali㉿kali)-[~]
└─$ nmap -p 80 --script=http-enum 192.168.205.138
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-13 09:26 EDT
Nmap scan report for 192.168.205.138
Host is up (0.00044s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|_  /d41d8cd98f00b204e9800998ecf8427e.php: Seagate BlackArmorNAS 110/220/440 Administrator Password Reset Vulnerability

发现这个文件是一个SSH的私钥，用户名应该是mpampis

ssh连接，获得userFlag

注：ssh私钥的文件权限应该是600，不然不能连接

rootshell

sudo -l发现gcc文件可利用

(root) NOPASSWD: /usr/bin/gcc

https://gtfobins.github.io/gtfobins/gcc/

获得rootshell