Recon
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -Pn 10.10.168.125
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-10 08:53 EDT
Nmap scan report for 10.10.168.125
Host is up (0.40s latency).
Not shown: 976 filtered tcp ports (no-response), 23 filtered tcp ports (host-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 09:23:62:a2:18:62:83:69:04:40:62:32:97:ff:3c:cd (RSA)
| 256 33:66:35:36:b0:68:06:32:c1:8a:f6:01:bc:43:38:ce (ECDSA)
|_ 256 14:98:e3:84:70:55:e6:60:0c:c2:09:77:f8:b7:a6:1c (ED25519)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.93 seconds
Scanning every port with nmap is too slow, so I ran rustscan as well.
┌──(kali㉿kali)-[~]
└─$ rustscan -a 10.10.168.125 -r 1-65535 --ulimit 5000 -- -sC -sV -Pn
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports faster than you can say 'SYN ACK'
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.168.125:22
Open 10.10.168.125:12340
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sC -sV -Pn" on ip 10.10.168.125
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-10 08:54 EDT
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 08:54
Completed Parallel DNS resolution of 1 host. at 08:54, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:54
Scanning 10.10.168.125 [2 ports]
Discovered open port 12340/tcp on 10.10.168.125
Discovered open port 22/tcp on 10.10.168.125
Completed SYN Stealth Scan at 08:54, 0.42s elapsed (2 total ports)
Initiating Service scan at 08:54
Scanning 2 services on 10.10.168.125
Completed Service scan at 08:54, 12.32s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.168.125.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 11.87s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 1.56s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
Nmap scan report for 10.10.168.125
Host is up, received user-set (0.38s latency).
Scanned at 2025-07-10 08:54:17 EDT for 26s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 60 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 09:23:62:a2:18:62:83:69:04:40:62:32:97:ff:3c:cd (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDakZyfnq0JzwuM1SD3YZ4zyizbtc9AOvhk2qCaTwJHEKyyqIjBaElNv4LpSdtV7y/C6vwUfPS34IO/mAmNtAFquBDjIuoKdw9TjjPrVBVjzFxD/9tDSe+cu6ELPHMyWOQFAYtg1CV1TQlm3p6WIID2IfYBffpfSz54wRhkTJd/+9wgYdOwfe+VRuzV8EgKq4D2cbUTjYjl0dv2f2Th8WtiRksEeaqI1fvPvk6RwyiLdV5mSD/h8HCTZgYVvrjPShW9XPE/wws82/wmVFtOPfY7WAMhtx5kiPB11H+tZSAV/xpEjXQQ9V3Pi6o4vZdUvYSbNuiN4HI4gAWnp/uqPsoR
| 256 33:66:35:36:b0:68:06:32:c1:8a:f6:01:bc:43:38:ce (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEMyTtxVAKcLy5u87ws+h8WY+GHWg8IZI4c11KX7bOSt85IgCxox7YzOCZbUA56QOlryozIFyhzcwOeCKWtzEsA=
| 256 14:98:e3:84:70:55:e6:60:0c:c2:09:77:f8:b7:a6:1c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOKY0jLSRkYg0+fTDrwGOaGW442T5k1qBt7l8iAkcuCk
12340/tcp open http syn-ack ttl 60 Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: We've got some trouble | 404 - Resource not found
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.54 seconds
Raw packets sent: 2 (88B) | Rcvd: 2 (88B)
Exploit
Connecting to it looks like this.
gobuster
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 'http://10.10.168.125:12340' -w /usr/share/wordlists/dirb/big.txt -t 100
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.168.125:12340
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 211]
/.htpasswd (Status: 403) [Size: 211]
/rms (Status: 301) [Size: 239] [--> http://10.10.168.125:12340/rms/]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================
Browsing to /rms, there didn't seem to be anything there, so I kept scanning with gobuster.
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 'http://10.10.168.125:12340/rms' -w /usr/share/wordlists/dirb/big.txt -t 100
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.168.125:12340/rms
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 215]
/.htpasswd (Status: 403) [Size: 215]
/admin (Status: 301) [Size: 245] [--> http://10.10.168.125:12340/rms/admin/]
/connection (Status: 301) [Size: 250] [--> http://10.10.168.125:12340/rms/connection/]
/css (Status: 301) [Size: 243] [--> http://10.10.168.125:12340/rms/css/]
/fonts (Status: 301) [Size: 245] [--> http://10.10.168.125:12340/rms/fonts/]
/images (Status: 301) [Size: 246] [--> http://10.10.168.125:12340/rms/images/]
/stylesheets (Status: 301) [Size: 251] [--> http://10.10.168.125:12340/rms/stylesheets/]
/swf (Status: 301) [Size: 243] [--> http://10.10.168.125:12340/rms/swf/]
/validation (Status: 301) [Size: 250] [--> http://10.10.168.125:12340/rms/validation/]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================
Go in and register first; after registering, open the inbox[1], where you can see administrator.
I placed an order, then used administrator to try logging in on the administrator login page below.
Here I tried hydra and it flat out didn't work; then I read the writeup and it told me this thing is actually a damn framework. I thought it was hand-written... damn impressive.
It turns out there is a SQLi, so I used sqlmap to dump it and found the db.
sqlmap -u 'http://10.10.177.108:12340/rms/delete-order.php?id=122' --dbs --random-agent --batch --cookie "PHPSSID=7l2m0qq9qk26muvopausu5b1c6"
This one takes forever to dump: after waiting an hour the tables still weren't done = =, so I switched course and used another CVE that gives RCE, after deleting the proxy in it.
Get shell
Chain it into a reverse shell. Here, because of bash -i .., once I used it the target could no longer be pinged,
so I went to https://www.revshells.com/ to see whether there was another reverse shell I could use (since our one-liner webshell is shell_exec, some of the special characters may get eaten).
Found this one,
but thinking about it, it also uses special characters, so I looked again at which ones could work; there is a python3 one that doesn't seem to have any special characters (">", & etc.).
Success!
Once in, I found a db, but it is encrypted.
I also found a user called edward, and tried brute forcing with hydra.
I couldn't think of anything here, so I checked the writeup and found they upload ./linpeas to look at the data.
The way I uploaded linpeas here is a bit different from before: it still uses a temporary python server on the attack server, but since there is no wget here, I tried curl instead.
Success!
Here I grabbed the local admin's username and password.
My guess here is that Zeno had been renamed to edward, which is why the login didn't succeed; I also grabbed the restaurant system's admin pwd.
Get Flag1 : THM{070cab2c9dc622e5d25c0709f6cb0510}
Let's escalate privileges: the sudo trick shows reboot.
SUID doesn't seem to have anything either,
but in /home/edward/.ssh I saw an authorized_keys.
I decided to run ./linPeas once more; since /home/edward/.ssh didn't have enough permissions, I went to /dev/shm to download it.
After running it, I saw that /etc/systemd/system/zeno-monitoring.service is writable by us, so I tried using it to escalate.
I changed it so that at boot it sets the SUID bit on /bin/bash,
then rebooted.
After reconnecting, I used this chunk from GTFOBins.
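A defender-side check for the two weaknesses this escalation chains together, a unit file an unprivileged user can edit and a shell binary carrying the setuid bit. This is an added example, not part of the original writeup; it assumes a POSIX sh with find(1), and the directory arguments exist so it can be run against a test tree.

```shell
#!/bin/sh
# Audit a host for the privilege-escalation path used in the writeup:
# a writable systemd unit (runs as root at boot) and a setuid shell.
# Added example, not from the original writeup; assumes POSIX sh + find(1).

# List unit files under $1 (default /etc/systemd/system) that are
# group- or world-writable. Any hit means a local user can change what
# root executes at the next boot or service restart.
find_writable_units() {
    dir="${1:-/etc/systemd/system}"
    find "$dir" -type f \( -name '*.service' -o -name '*.timer' \) \
        \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# List setuid files under $1 (default /) whose basename is a shell.
# A setuid shell is never legitimate; it is the persistence left behind
# after the unit-file abuse above.
find_setuid_shells() {
    dir="${1:-/}"
    find "$dir" -xdev -type f -perm -4000 \
        \( -name bash -o -name sh -o -name dash -o -name zsh \) \
        2>/dev/null | sort
}

# Return 0 when neither check fires, 1 (with a report) otherwise.
audit_host() {
    units=$(find_writable_units "$1")
    shells=$(find_setuid_shells "$2")
    [ -z "$units" ] && [ -z "$shells" ] && return 0
    printf 'Writable unit files:\n%s\nSetuid shells:\n%s\n' "$units" "$shells"
    return 1
}
```

Run `audit_host` with no arguments on a real host; the first finding corresponds to the zeno-monitoring.service permission problem, the second to the /bin/bash setuid bit the writeup sets at boot.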
Get Root!
Get root Flag : THM{b187ce4b85232599ca72708ebde71791}