基本信息

端口扫描

22,53,80:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ nmap -sC -sV 10.10.10.48
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-05 11:06 CST
Nmap scan report for 10.10.10.48
Host is up (0.069s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open  domain  dnsmasq 2.76
| dns-nsid:
|_  bind.version: dnsmasq-2.76
80/tcp open  http    lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.27 seconds

80

直接访问是空白页面:

目录扫描

很容易扫到一个admin目录,访问是pi-hole,看起来是个树莓派:

1
2
3
4
➜  ~ gobuster dir -u http://10.10.10.48/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50

/admin (Status: 301)
/swfobject.js (Status: 200)

raspberrypi & user flag

然后就是树莓派默认用户名密码直接登录进去,桌面得到user.txt:

1
pi : raspberry

提权信息

sudo没有限制,root目录的root.txt提示backup在USB stick里:

df -h

df可以看到usbstick是/dev/sdb:

damnit.txt

直接查看usbstick里面只有一个txt,内容是最近删掉了文件内容,需要恢复:

root flag

可以把sdb整个下载下来做恢复:

1
sudo dcfldd if=/dev/sdb of=/home/pi/usb.dd

也可以简单的直接strings查看sdb,得到root flag:

参考资料